authorXin LI <delphij@FreeBSD.org>2013-02-11 09:42:34 +0000
committerXin LI <delphij@FreeBSD.org>2013-02-11 09:42:34 +0000
commitb64c4483a56fc046b3382f3980d29ed2e27d3e7f (patch)
treee474649f0934ac0c34bad89c57b0051f36dd5405
parent8c24f995a1f0cee704102d8d6417258f1dbceacd (diff)
Sync BIND 9 version with 9-STABLE, to 9.8.4-P1.
Notes
Notes: svn path=/stable/8/; revision=246656
-rw-r--r--contrib/bind9/CHANGES1587
-rw-r--r--contrib/bind9/COPYRIGHT2
-rw-r--r--contrib/bind9/FAQ.xml3
-rw-r--r--contrib/bind9/HISTORY313
-rw-r--r--contrib/bind9/KNOWN-DEFECTS15
-rw-r--r--contrib/bind9/Makefile.in11
-rw-r--r--contrib/bind9/NSEC3-NOTES128
-rw-r--r--contrib/bind9/README533
-rw-r--r--contrib/bind9/README.idnkit112
-rw-r--r--contrib/bind9/README.pkcs1161
-rw-r--r--contrib/bind9/acconfig.h7
-rw-r--r--contrib/bind9/bin/Makefile.in7
-rw-r--r--contrib/bind9/bin/check/Makefile.in20
-rw-r--r--contrib/bind9/bin/check/check-tool.c7
-rw-r--r--contrib/bind9/bin/check/check-tool.h4
-rw-r--r--contrib/bind9/bin/check/named-checkconf.833
-rw-r--r--contrib/bind9/bin/check/named-checkconf.c42
-rw-r--r--contrib/bind9/bin/check/named-checkconf.docbook37
-rw-r--r--contrib/bind9/bin/check/named-checkconf.html39
-rw-r--r--contrib/bind9/bin/check/named-checkzone.817
-rw-r--r--contrib/bind9/bin/check/named-checkzone.c46
-rw-r--r--contrib/bind9/bin/check/named-checkzone.docbook23
-rw-r--r--contrib/bind9/bin/check/named-checkzone.html24
-rw-r--r--contrib/bind9/bin/confgen/Makefile.in101
-rw-r--r--contrib/bind9/bin/confgen/ddns-confgen.8143
-rw-r--r--contrib/bind9/bin/confgen/ddns-confgen.c258
-rw-r--r--contrib/bind9/bin/confgen/ddns-confgen.docbook218
-rw-r--r--contrib/bind9/bin/confgen/ddns-confgen.html141
-rw-r--r--contrib/bind9/bin/confgen/include/confgen/os.h39
-rw-r--r--contrib/bind9/bin/confgen/keygen.c218
-rw-r--r--contrib/bind9/bin/confgen/keygen.h41
-rw-r--r--contrib/bind9/bin/confgen/rndc-confgen.8 (renamed from contrib/bind9/bin/rndc/rndc-confgen.8)4
-rw-r--r--contrib/bind9/bin/confgen/rndc-confgen.c (renamed from contrib/bind9/bin/rndc/rndc-confgen.c)123
-rw-r--r--contrib/bind9/bin/confgen/rndc-confgen.docbook (renamed from contrib/bind9/bin/rndc/rndc-confgen.docbook)6
-rw-r--r--contrib/bind9/bin/confgen/rndc-confgen.html (renamed from contrib/bind9/bin/rndc/rndc-confgen.html)12
-rw-r--r--contrib/bind9/bin/confgen/unix/Makefile.in (renamed from contrib/bind9/bin/rndc/unix/Makefile.in)5
-rw-r--r--contrib/bind9/bin/confgen/unix/os.c (renamed from contrib/bind9/bin/rndc/unix/os.c)33
-rw-r--r--contrib/bind9/bin/confgen/util.c56
-rw-r--r--contrib/bind9/bin/confgen/util.h52
-rw-r--r--contrib/bind9/bin/dig/Makefile.in26
-rw-r--r--contrib/bind9/bin/dig/dig.19
-rw-r--r--contrib/bind9/bin/dig/dig.c175
-rw-r--r--contrib/bind9/bin/dig/dig.docbook17
-rw-r--r--contrib/bind9/bin/dig/dig.html26
-rw-r--r--contrib/bind9/bin/dig/dighost.c238
-rw-r--r--contrib/bind9/bin/dig/host.14
-rw-r--r--contrib/bind9/bin/dig/host.c4
-rw-r--r--contrib/bind9/bin/dig/host.docbook5
-rw-r--r--contrib/bind9/bin/dig/host.html10
-rw-r--r--contrib/bind9/bin/dig/include/dig/dig.h11
-rw-r--r--contrib/bind9/bin/dig/nslookup.14
-rw-r--r--contrib/bind9/bin/dig/nslookup.c20
-rw-r--r--contrib/bind9/bin/dig/nslookup.docbook5
-rw-r--r--contrib/bind9/bin/dig/nslookup.html16
-rw-r--r--contrib/bind9/bin/dnssec/Makefile.in41
-rw-r--r--contrib/bind9/bin/dnssec/dnssec-dsfromkey.853
-rw-r--r--contrib/bind9/bin/dnssec/dnssec-dsfromkey.c318
-rw-r--r--contrib/bind9/bin/dnssec/dnssec-dsfromkey.docbook79
-rw-r--r--contrib/bind9/bin/dnssec/dnssec-dsfromkey.html66
-rw-r--r--contrib/bind9/bin/dnssec/dnssec-keyfromlabel.884
-rw-r--r--contrib/bind9/bin/dnssec/dnssec-keyfromlabel.c339
-rw-r--r--contrib/bind9/bin/dnssec/dnssec-keyfromlabel.docbook196
-rw-r--r--contrib/bind9/bin/dnssec/dnssec-keyfromlabel.html135
-rw-r--r--contrib/bind9/bin/dnssec/dnssec-keygen.8114
-rw-r--r--contrib/bind9/bin/dnssec/dnssec-keygen.c780
-rw-r--r--contrib/bind9/bin/dnssec/dnssec-keygen.docbook269
-rw-r--r--contrib/bind9/bin/dnssec/dnssec-keygen.html199
-rw-r--r--contrib/bind9/bin/dnssec/dnssec-revoke.888
-rw-r--r--contrib/bind9/bin/dnssec/dnssec-revoke.c277
-rw-r--r--contrib/bind9/bin/dnssec/dnssec-revoke.docbook161
-rw-r--r--contrib/bind9/bin/dnssec/dnssec-revoke.html92
-rw-r--r--contrib/bind9/bin/dnssec/dnssec-settime.8166
-rw-r--r--contrib/bind9/bin/dnssec/dnssec-settime.c590
-rw-r--r--contrib/bind9/bin/dnssec/dnssec-settime.docbook323
-rw-r--r--contrib/bind9/bin/dnssec/dnssec-settime.html211
-rw-r--r--contrib/bind9/bin/dnssec/dnssec-signzone.8156
-rw-r--r--contrib/bind9/bin/dnssec/dnssec-signzone.c1216
-rw-r--r--contrib/bind9/bin/dnssec/dnssec-signzone.docbook249
-rw-r--r--contrib/bind9/bin/dnssec/dnssec-signzone.html200
-rw-r--r--contrib/bind9/bin/dnssec/dnssectool.c228
-rw-r--r--contrib/bind9/bin/dnssec/dnssectool.h29
-rw-r--r--contrib/bind9/bin/named/Makefile.in35
-rw-r--r--contrib/bind9/bin/named/bind.keys.h99
-rw-r--r--contrib/bind9/bin/named/bind9.xsl4
-rw-r--r--contrib/bind9/bin/named/bind9.xsl.h6
-rw-r--r--contrib/bind9/bin/named/builtin.c272
-rw-r--r--contrib/bind9/bin/named/client.c136
-rw-r--r--contrib/bind9/bin/named/config.c74
-rw-r--r--contrib/bind9/bin/named/control.c13
-rw-r--r--contrib/bind9/bin/named/controlconf.c2
-rw-r--r--contrib/bind9/bin/named/include/dlz/dlz_dlopen_driver.h27
-rw-r--r--contrib/bind9/bin/named/include/named/client.h20
-rw-r--r--contrib/bind9/bin/named/include/named/config.h7
-rw-r--r--contrib/bind9/bin/named/include/named/control.h9
-rw-r--r--contrib/bind9/bin/named/include/named/globals.h23
-rw-r--r--contrib/bind9/bin/named/include/named/log.h4
-rw-r--r--contrib/bind9/bin/named/include/named/lwdclient.h4
-rw-r--r--contrib/bind9/bin/named/include/named/main.h4
-rw-r--r--contrib/bind9/bin/named/include/named/notify.h4
-rw-r--r--contrib/bind9/bin/named/include/named/query.h17
-rw-r--r--contrib/bind9/bin/named/include/named/server.h53
-rw-r--r--contrib/bind9/bin/named/include/named/tsigconf.h7
-rw-r--r--contrib/bind9/bin/named/include/named/types.h6
-rw-r--r--contrib/bind9/bin/named/include/named/zoneconf.h19
-rw-r--r--contrib/bind9/bin/named/interfacemgr.c4
-rw-r--r--contrib/bind9/bin/named/log.c4
-rw-r--r--contrib/bind9/bin/named/logconf.c4
-rw-r--r--contrib/bind9/bin/named/lwdgabn.c6
-rw-r--r--contrib/bind9/bin/named/lwdgrbn.c6
-rw-r--r--contrib/bind9/bin/named/lwresd.84
-rw-r--r--contrib/bind9/bin/named/lwresd.c7
-rw-r--r--contrib/bind9/bin/named/lwresd.docbook5
-rw-r--r--contrib/bind9/bin/named/lwresd.html14
-rw-r--r--contrib/bind9/bin/named/main.c155
-rw-r--r--contrib/bind9/bin/named/named.813
-rw-r--r--contrib/bind9/bin/named/named.conf.568
-rw-r--r--contrib/bind9/bin/named/named.conf.docbook72
-rw-r--r--contrib/bind9/bin/named/named.conf.html93
-rw-r--r--contrib/bind9/bin/named/named.docbook20
-rw-r--r--contrib/bind9/bin/named/named.html26
-rw-r--r--contrib/bind9/bin/named/query.c2527
-rw-r--r--contrib/bind9/bin/named/server.c2619
-rw-r--r--contrib/bind9/bin/named/statschannel.c19
-rw-r--r--contrib/bind9/bin/named/tkeyconf.c28
-rw-r--r--contrib/bind9/bin/named/tsigconf.c8
-rw-r--r--contrib/bind9/bin/named/unix/Makefile.in9
-rw-r--r--contrib/bind9/bin/named/unix/dlz_dlopen_driver.c618
-rw-r--r--contrib/bind9/bin/named/unix/include/named/os.h8
-rw-r--r--contrib/bind9/bin/named/unix/os.c189
-rw-r--r--contrib/bind9/bin/named/update.c987
-rw-r--r--contrib/bind9/bin/named/xfrout.c237
-rw-r--r--contrib/bind9/bin/named/zoneconf.c532
-rw-r--r--contrib/bind9/bin/nsupdate/Makefile.in19
-rw-r--r--contrib/bind9/bin/nsupdate/nsupdate.1100
-rw-r--r--contrib/bind9/bin/nsupdate/nsupdate.c274
-rw-r--r--contrib/bind9/bin/nsupdate/nsupdate.docbook128
-rw-r--r--contrib/bind9/bin/nsupdate/nsupdate.html113
-rw-r--r--contrib/bind9/bin/rndc/Makefile.in40
-rw-r--r--contrib/bind9/bin/rndc/include/rndc/os.h10
-rw-r--r--contrib/bind9/bin/rndc/rndc.c22
-rw-r--r--contrib/bind9/bin/rndc/rndc.conf.html10
-rw-r--r--contrib/bind9/bin/rndc/rndc.html10
-rw-r--r--contrib/bind9/bin/rndc/util.h6
-rw-r--r--contrib/bind9/bin/tools/Makefile.in103
-rw-r--r--contrib/bind9/bin/tools/arpaname.148
-rw-r--r--contrib/bind9/bin/tools/arpaname.c53
-rw-r--r--contrib/bind9/bin/tools/arpaname.docbook76
-rw-r--r--contrib/bind9/bin/tools/arpaname.html52
-rw-r--r--contrib/bind9/bin/tools/genrandom.869
-rw-r--r--contrib/bind9/bin/tools/genrandom.c136
-rw-r--r--contrib/bind9/bin/tools/genrandom.docbook121
-rw-r--r--contrib/bind9/bin/tools/genrandom.html73
-rw-r--r--contrib/bind9/bin/tools/isc-hmac-fixup.861
-rw-r--r--contrib/bind9/bin/tools/isc-hmac-fixup.c136
-rw-r--r--contrib/bind9/bin/tools/isc-hmac-fixup.docbook109
-rw-r--r--contrib/bind9/bin/tools/isc-hmac-fixup.html83
-rw-r--r--contrib/bind9/bin/tools/named-journalprint.860
-rw-r--r--contrib/bind9/bin/tools/named-journalprint.c86
-rw-r--r--contrib/bind9/bin/tools/named-journalprint.docbook101
-rw-r--r--contrib/bind9/bin/tools/named-journalprint.html73
-rw-r--r--contrib/bind9/bin/tools/nsec3hash.870
-rw-r--r--contrib/bind9/bin/tools/nsec3hash.c122
-rw-r--r--contrib/bind9/bin/tools/nsec3hash.docbook125
-rw-r--r--contrib/bind9/bin/tools/nsec3hash.html78
-rw-r--r--contrib/bind9/config.guess2
-rw-r--r--contrib/bind9/config.h.in75
-rw-r--r--contrib/bind9/configure.in684
-rw-r--r--contrib/bind9/doc/arm/Bv9ARM-book.xml2240
-rw-r--r--contrib/bind9/doc/arm/Bv9ARM.ch01.html50
-rw-r--r--contrib/bind9/doc/arm/Bv9ARM.ch02.html26
-rw-r--r--contrib/bind9/doc/arm/Bv9ARM.ch03.html198
-rw-r--r--contrib/bind9/doc/arm/Bv9ARM.ch04.html1018
-rw-r--r--contrib/bind9/doc/arm/Bv9ARM.ch05.html4
-rw-r--r--contrib/bind9/doc/arm/Bv9ARM.ch06.html1832
-rw-r--r--contrib/bind9/doc/arm/Bv9ARM.ch07.html20
-rw-r--r--contrib/bind9/doc/arm/Bv9ARM.ch08.html16
-rw-r--r--contrib/bind9/doc/arm/Bv9ARM.ch09.html653
-rw-r--r--contrib/bind9/doc/arm/Bv9ARM.ch10.html24
-rw-r--r--contrib/bind9/doc/arm/Bv9ARM.html213
-rw-r--r--contrib/bind9/doc/arm/Bv9ARM.pdf20207
-rw-r--r--contrib/bind9/doc/arm/Makefile.in2
-rw-r--r--contrib/bind9/doc/arm/dnssec.xml268
-rw-r--r--contrib/bind9/doc/arm/libdns.xml530
-rw-r--r--contrib/bind9/doc/arm/man.arpaname.html91
-rw-r--r--contrib/bind9/doc/arm/man.ddns-confgen.html180
-rw-r--r--contrib/bind9/doc/arm/man.dig.html24
-rw-r--r--contrib/bind9/doc/arm/man.dnssec-dsfromkey.html64
-rw-r--r--contrib/bind9/doc/arm/man.dnssec-keyfromlabel.html133
-rw-r--r--contrib/bind9/doc/arm/man.dnssec-keygen.html207
-rw-r--r--contrib/bind9/doc/arm/man.dnssec-revoke.html131
-rw-r--r--contrib/bind9/doc/arm/man.dnssec-settime.html250
-rw-r--r--contrib/bind9/doc/arm/man.dnssec-signzone.html206
-rw-r--r--contrib/bind9/doc/arm/man.genrandom.html112
-rw-r--r--contrib/bind9/doc/arm/man.host.html8
-rw-r--r--contrib/bind9/doc/arm/man.isc-hmac-fixup.html122
-rw-r--r--contrib/bind9/doc/arm/man.named-checkconf.html37
-rw-r--r--contrib/bind9/doc/arm/man.named-checkzone.html22
-rw-r--r--contrib/bind9/doc/arm/man.named-journalprint.html112
-rw-r--r--contrib/bind9/doc/arm/man.named.html32
-rw-r--r--contrib/bind9/doc/arm/man.nsec3hash.html113
-rw-r--r--contrib/bind9/doc/arm/man.nsupdate.html119
-rw-r--r--contrib/bind9/doc/arm/man.rndc-confgen.html20
-rw-r--r--contrib/bind9/doc/arm/man.rndc.conf.html10
-rw-r--r--contrib/bind9/doc/arm/man.rndc.html10
-rw-r--r--contrib/bind9/doc/arm/managed-keys.xml100
-rw-r--r--contrib/bind9/doc/arm/pkcs11.xml443
-rw-r--r--contrib/bind9/doc/misc/Makefile.in2
-rw-r--r--contrib/bind9/doc/misc/options112
-rw-r--r--contrib/bind9/lib/bind9/Makefile.in4
-rw-r--r--contrib/bind9/lib/bind9/api4
-rw-r--r--contrib/bind9/lib/bind9/check.c635
-rw-r--r--contrib/bind9/lib/bind9/include/bind9/getaddresses.h4
-rw-r--r--contrib/bind9/lib/dns/Makefile.in42
-rw-r--r--contrib/bind9/lib/dns/acl.c11
-rw-r--r--contrib/bind9/lib/dns/adb.c597
-rw-r--r--contrib/bind9/lib/dns/api4
-rw-r--r--contrib/bind9/lib/dns/byaddr.c47
-rw-r--r--contrib/bind9/lib/dns/cache.c72
-rw-r--r--contrib/bind9/lib/dns/client.c3023
-rw-r--r--contrib/bind9/lib/dns/db.c44
-rw-r--r--contrib/bind9/lib/dns/diff.c17
-rw-r--r--contrib/bind9/lib/dns/dispatch.c89
-rw-r--r--contrib/bind9/lib/dns/dlz.c147
-rw-r--r--contrib/bind9/lib/dns/dns64.c301
-rw-r--r--contrib/bind9/lib/dns/dnssec.c834
-rw-r--r--contrib/bind9/lib/dns/ds.c99
-rw-r--r--contrib/bind9/lib/dns/dst_api.c496
-rw-r--r--contrib/bind9/lib/dns/dst_internal.h43
-rw-r--r--contrib/bind9/lib/dns/dst_openssl.h5
-rw-r--r--contrib/bind9/lib/dns/dst_parse.c218
-rw-r--r--contrib/bind9/lib/dns/dst_parse.h24
-rw-r--r--contrib/bind9/lib/dns/ecdb.c818
-rw-r--r--contrib/bind9/lib/dns/forward.c20
-rw-r--r--contrib/bind9/lib/dns/gen-unix.h4
-rw-r--r--contrib/bind9/lib/dns/gen.c6
-rw-r--r--contrib/bind9/lib/dns/gssapi_link.c89
-rw-r--r--contrib/bind9/lib/dns/gssapictx.c93
-rw-r--r--contrib/bind9/lib/dns/hmac_link.c211
-rw-r--r--contrib/bind9/lib/dns/include/dns/Makefile.in20
-rw-r--r--contrib/bind9/lib/dns/include/dns/acl.h19
-rw-r--r--contrib/bind9/lib/dns/include/dns/adb.h2
-rw-r--r--contrib/bind9/lib/dns/include/dns/cache.h33
-rw-r--r--contrib/bind9/lib/dns/include/dns/client.h621
-rw-r--r--contrib/bind9/lib/dns/include/dns/compress.h4
-rw-r--r--contrib/bind9/lib/dns/include/dns/db.h57
-rw-r--r--contrib/bind9/lib/dns/include/dns/diff.h4
-rw-r--r--contrib/bind9/lib/dns/include/dns/dlz.h60
-rw-r--r--contrib/bind9/lib/dns/include/dns/dlz_dlopen.h160
-rw-r--r--contrib/bind9/lib/dns/include/dns/dns64.h175
-rw-r--r--contrib/bind9/lib/dns/include/dns/dnssec.h148
-rw-r--r--contrib/bind9/lib/dns/include/dns/ds.h14
-rw-r--r--contrib/bind9/lib/dns/include/dns/ecdb.h54
-rw-r--r--contrib/bind9/lib/dns/include/dns/events.h5
-rw-r--r--contrib/bind9/lib/dns/include/dns/forward.h19
-rw-r--r--contrib/bind9/lib/dns/include/dns/keydata.h55
-rw-r--r--contrib/bind9/lib/dns/include/dns/keytable.h210
-rw-r--r--contrib/bind9/lib/dns/include/dns/keyvalues.h16
-rw-r--r--contrib/bind9/lib/dns/include/dns/lib.h18
-rw-r--r--contrib/bind9/lib/dns/include/dns/log.h3
-rw-r--r--contrib/bind9/lib/dns/include/dns/lookup.h4
-rw-r--r--contrib/bind9/lib/dns/include/dns/master.h3
-rw-r--r--contrib/bind9/lib/dns/include/dns/message.h18
-rw-r--r--contrib/bind9/lib/dns/include/dns/name.h82
-rw-r--r--contrib/bind9/lib/dns/include/dns/ncache.h4
-rw-r--r--contrib/bind9/lib/dns/include/dns/nsec3.h59
-rw-r--r--contrib/bind9/lib/dns/include/dns/peer.h4
-rw-r--r--contrib/bind9/lib/dns/include/dns/private.h55
-rw-r--r--contrib/bind9/lib/dns/include/dns/rbt.h21
-rw-r--r--contrib/bind9/lib/dns/include/dns/rdata.h53
-rw-r--r--contrib/bind9/lib/dns/include/dns/rdataset.h20
-rw-r--r--contrib/bind9/lib/dns/include/dns/request.h11
-rw-r--r--contrib/bind9/lib/dns/include/dns/resolver.h26
-rw-r--r--contrib/bind9/lib/dns/include/dns/result.h7
-rw-r--r--contrib/bind9/lib/dns/include/dns/rpz.h207
-rw-r--r--contrib/bind9/lib/dns/include/dns/rriterator.h187
-rw-r--r--contrib/bind9/lib/dns/include/dns/sdb.h5
-rw-r--r--contrib/bind9/lib/dns/include/dns/sdlz.h156
-rw-r--r--contrib/bind9/lib/dns/include/dns/secalg.h11
-rw-r--r--contrib/bind9/lib/dns/include/dns/soa.h26
-rw-r--r--contrib/bind9/lib/dns/include/dns/ssu.h31
-rw-r--r--contrib/bind9/lib/dns/include/dns/tkey.h14
-rw-r--r--contrib/bind9/lib/dns/include/dns/tsec.h137
-rw-r--r--contrib/bind9/lib/dns/include/dns/tsig.h32
-rw-r--r--contrib/bind9/lib/dns/include/dns/types.h16
-rw-r--r--contrib/bind9/lib/dns/include/dns/validator.h4
-rw-r--r--contrib/bind9/lib/dns/include/dns/view.h211
-rw-r--r--contrib/bind9/lib/dns/include/dns/xfrin.h4
-rw-r--r--contrib/bind9/lib/dns/include/dns/zone.h114
-rw-r--r--contrib/bind9/lib/dns/include/dst/dst.h253
-rw-r--r--contrib/bind9/lib/dns/include/dst/gssapi.h13
-rw-r--r--contrib/bind9/lib/dns/iptable.c4
-rw-r--r--contrib/bind9/lib/dns/journal.c6
-rw-r--r--contrib/bind9/lib/dns/key.c35
-rw-r--r--contrib/bind9/lib/dns/keydata.c89
-rw-r--r--contrib/bind9/lib/dns/keytable.c389
-rw-r--r--contrib/bind9/lib/dns/lib.c109
-rw-r--r--contrib/bind9/lib/dns/log.c3
-rw-r--r--contrib/bind9/lib/dns/master.c112
-rw-r--r--contrib/bind9/lib/dns/masterdump.c63
-rw-r--r--contrib/bind9/lib/dns/message.c57
-rw-r--r--contrib/bind9/lib/dns/name.c73
-rw-r--r--contrib/bind9/lib/dns/ncache.c55
-rw-r--r--contrib/bind9/lib/dns/nsec3.c490
-rw-r--r--contrib/bind9/lib/dns/openssl_link.c224
-rw-r--r--contrib/bind9/lib/dns/openssldh_link.c45
-rw-r--r--contrib/bind9/lib/dns/openssldsa_link.c43
-rw-r--r--contrib/bind9/lib/dns/opensslecdsa_link.c596
-rw-r--r--contrib/bind9/lib/dns/opensslgost_link.c443
-rw-r--r--contrib/bind9/lib/dns/opensslrsa_link.c164
-rw-r--r--contrib/bind9/lib/dns/peer.c6
-rw-r--r--contrib/bind9/lib/dns/private.c295
-rw-r--r--contrib/bind9/lib/dns/rbt.c7
-rw-r--r--contrib/bind9/lib/dns/rbtdb.c850
-rw-r--r--contrib/bind9/lib/dns/rcode.c27
-rw-r--r--contrib/bind9/lib/dns/rdata.c141
-rw-r--r--contrib/bind9/lib/dns/rdata/any_255/tsig_250.c7
-rw-r--r--contrib/bind9/lib/dns/rdata/ch_3/a_1.c8
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/afsdb_18.c8
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/cert_37.c8
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/cname_5.c9
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/dlv_32769.c40
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/dname_39.c8
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/dnskey_48.c39
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/ds_43.c40
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/gpos_27.c9
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/hinfo_13.c8
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/hip_55.c506
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/hip_55.h47
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/ipseckey_45.c39
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/isdn_20.c9
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/key_25.c35
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/keydata_65533.c377
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/keydata_65533.h35
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/loc_29.c9
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/mb_7.c9
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/md_3.c9
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/mf_4.c9
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/mg_8.c9
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/minfo_14.c9
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/mr_9.c9
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/mx_15.c9
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/ns_2.c9
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/nsec3_50.c5
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/nsec3param_51.c9
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/nsec_47.c36
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/null_10.c7
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/nxt_30.c8
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/opt_41.c7
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/proforma.c21
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/ptr_12.c8
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/rp_17.c8
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/rrsig_46.c45
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/rt_21.c9
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/sig_24.c6
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/soa_6.c5
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/spf_99.c8
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/sshfp_44.c7
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/tkey_249.c6
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/tlsa_52.c5
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/txt_16.c9
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/unspec_103.c9
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/x25_19.c9
-rw-r--r--contrib/bind9/lib/dns/rdata/hs_4/a_1.c9
-rw-r--r--contrib/bind9/lib/dns/rdata/in_1/a6_38.c9
-rw-r--r--contrib/bind9/lib/dns/rdata/in_1/a_1.c9
-rw-r--r--contrib/bind9/lib/dns/rdata/in_1/aaaa_28.c8
-rw-r--r--contrib/bind9/lib/dns/rdata/in_1/apl_42.c9
-rw-r--r--contrib/bind9/lib/dns/rdata/in_1/dhcid_49.c7
-rw-r--r--contrib/bind9/lib/dns/rdata/in_1/kx_36.c9
-rw-r--r--contrib/bind9/lib/dns/rdata/in_1/naptr_35.c (renamed from contrib/bind9/lib/dns/rdata/generic/naptr_35.c)182
-rw-r--r--contrib/bind9/lib/dns/rdata/in_1/naptr_35.h (renamed from contrib/bind9/lib/dns/rdata/generic/naptr_35.h)12
-rw-r--r--contrib/bind9/lib/dns/rdata/in_1/nsap-ptr_23.c9
-rw-r--r--contrib/bind9/lib/dns/rdata/in_1/nsap_22.c9
-rw-r--r--contrib/bind9/lib/dns/rdata/in_1/px_26.c9
-rw-r--r--contrib/bind9/lib/dns/rdata/in_1/srv_33.c9
-rw-r--r--contrib/bind9/lib/dns/rdata/in_1/wks_11.c5
-rw-r--r--contrib/bind9/lib/dns/rdataset.c28
-rw-r--r--contrib/bind9/lib/dns/rdataslab.c24
-rw-r--r--contrib/bind9/lib/dns/request.c8
-rw-r--r--contrib/bind9/lib/dns/resolver.c673
-rw-r--r--contrib/bind9/lib/dns/result.c5
-rw-r--r--contrib/bind9/lib/dns/rootns.c4
-rw-r--r--contrib/bind9/lib/dns/rpz.c1208
-rw-r--r--contrib/bind9/lib/dns/rriterator.c204
-rw-r--r--contrib/bind9/lib/dns/sdb.c86
-rw-r--r--contrib/bind9/lib/dns/sdlz.c408
-rw-r--r--contrib/bind9/lib/dns/soa.c40
-rw-r--r--contrib/bind9/lib/dns/spnego.c2
-rw-r--r--contrib/bind9/lib/dns/ssu.c68
-rw-r--r--contrib/bind9/lib/dns/ssu_external.c264
-rw-r--r--contrib/bind9/lib/dns/stats.c4
-rw-r--r--contrib/bind9/lib/dns/tkey.c51
-rw-r--r--contrib/bind9/lib/dns/tsec.c160
-rw-r--r--contrib/bind9/lib/dns/tsig.c365
-rw-r--r--contrib/bind9/lib/dns/validator.c444
-rw-r--r--contrib/bind9/lib/dns/view.c414
-rw-r--r--contrib/bind9/lib/dns/zone.c4118
-rw-r--r--contrib/bind9/lib/dns/zt.c2
-rw-r--r--contrib/bind9/lib/export/Makefile.in27
-rw-r--r--contrib/bind9/lib/export/dns/Makefile.in179
-rw-r--r--contrib/bind9/lib/export/dns/include/Makefile.in23
-rw-r--r--contrib/bind9/lib/export/dns/include/dns/Makefile.in56
-rw-r--r--contrib/bind9/lib/export/dns/include/dst/Makefile.in36
-rw-r--r--contrib/bind9/lib/export/irs/Makefile.in86
-rw-r--r--contrib/bind9/lib/export/irs/include/Makefile.in24
-rw-r--r--contrib/bind9/lib/export/irs/include/irs/Makefile.in46
-rw-r--r--contrib/bind9/lib/export/isc/Makefile.in139
-rw-r--r--contrib/bind9/lib/export/isc/include/Makefile.in24
-rw-r--r--contrib/bind9/lib/export/isc/include/isc/Makefile.in66
-rw-r--r--contrib/bind9/lib/export/isc/include/isc/bind9.h30
-rw-r--r--contrib/bind9/lib/export/isc/nls/Makefile.in35
-rw-r--r--contrib/bind9/lib/export/isc/nothreads/Makefile.in40
-rw-r--r--contrib/bind9/lib/export/isc/nothreads/include/Makefile.in24
-rw-r--r--contrib/bind9/lib/export/isc/nothreads/include/isc/Makefile.in36
-rw-r--r--contrib/bind9/lib/export/isc/pthreads/Makefile.in38
-rw-r--r--contrib/bind9/lib/export/isc/pthreads/include/Makefile.in24
-rw-r--r--contrib/bind9/lib/export/isc/pthreads/include/isc/Makefile.in36
-rw-r--r--contrib/bind9/lib/export/isc/unix/Makefile.in57
-rw-r--r--contrib/bind9/lib/export/isc/unix/include/Makefile.in24
-rw-r--r--contrib/bind9/lib/export/isc/unix/include/isc/Makefile.in37
-rw-r--r--contrib/bind9/lib/export/isccfg/Makefile.in83
-rw-r--r--contrib/bind9/lib/export/isccfg/include/Makefile.in24
-rw-r--r--contrib/bind9/lib/export/isccfg/include/isccfg/Makefile.in42
-rw-r--r--contrib/bind9/lib/export/samples/Makefile-postinstall.in78
-rw-r--r--contrib/bind9/lib/export/samples/Makefile.in98
-rw-r--r--contrib/bind9/lib/export/samples/nsprobe.c1222
-rw-r--r--contrib/bind9/lib/export/samples/sample-async.c402
-rw-r--r--contrib/bind9/lib/export/samples/sample-gai.c77
-rw-r--r--contrib/bind9/lib/export/samples/sample-request.c263
-rw-r--r--contrib/bind9/lib/export/samples/sample-update.c755
-rw-r--r--contrib/bind9/lib/export/samples/sample.c378
-rw-r--r--contrib/bind9/lib/irs/Makefile.in80
-rw-r--r--contrib/bind9/lib/irs/api8
-rw-r--r--contrib/bind9/lib/irs/context.c396
-rw-r--r--contrib/bind9/lib/irs/dnsconf.c269
-rw-r--r--contrib/bind9/lib/irs/gai_strerror.c93
-rw-r--r--contrib/bind9/lib/irs/getaddrinfo.c1295
-rw-r--r--contrib/bind9/lib/irs/getnameinfo.c408
-rw-r--r--contrib/bind9/lib/irs/include/Makefile.in24
-rw-r--r--contrib/bind9/lib/irs/include/irs/Makefile.in44
-rw-r--r--contrib/bind9/lib/irs/include/irs/context.h159
-rw-r--r--contrib/bind9/lib/irs/include/irs/dnsconf.h94
-rw-r--r--contrib/bind9/lib/irs/include/irs/netdb.h.in167
-rw-r--r--contrib/bind9/lib/irs/include/irs/platform.h.in45
-rw-r--r--contrib/bind9/lib/irs/include/irs/resconf.h113
-rw-r--r--contrib/bind9/lib/irs/include/irs/types.h31
-rw-r--r--contrib/bind9/lib/irs/include/irs/version.h27
-rw-r--r--contrib/bind9/lib/irs/resconf.c637
-rw-r--r--contrib/bind9/lib/irs/version.c27
-rw-r--r--contrib/bind9/lib/isc/Makefile.in36
-rw-r--r--contrib/bind9/lib/isc/alpha/include/isc/atomic.h4
-rw-r--r--contrib/bind9/lib/isc/api2
-rw-r--r--contrib/bind9/lib/isc/app_api.c136
-rw-r--r--contrib/bind9/lib/isc/assertions.c47
-rw-r--r--contrib/bind9/lib/isc/backtrace-emptytbl.c34
-rw-r--r--contrib/bind9/lib/isc/backtrace.c285
-rw-r--r--contrib/bind9/lib/isc/base32.c4
-rw-r--r--contrib/bind9/lib/isc/base64.c4
-rw-r--r--contrib/bind9/lib/isc/entropy.c4
-rw-r--r--contrib/bind9/lib/isc/hash.c22
-rw-r--r--contrib/bind9/lib/isc/hmacmd5.c35
-rw-r--r--contrib/bind9/lib/isc/hmacsha.c267
-rw-r--r--contrib/bind9/lib/isc/ia64/include/isc/atomic.h2
-rw-r--r--contrib/bind9/lib/isc/include/isc/Makefile.in8
-rw-r--r--contrib/bind9/lib/isc/include/isc/app.h173
-rw-r--r--contrib/bind9/lib/isc/include/isc/assertions.h4
-rw-r--r--contrib/bind9/lib/isc/include/isc/backtrace.h131
-rw-r--r--contrib/bind9/lib/isc/include/isc/bind9.h30
-rw-r--r--contrib/bind9/lib/isc/include/isc/buffer.h4
-rw-r--r--contrib/bind9/lib/isc/include/isc/entropy.h4
-rw-r--r--contrib/bind9/lib/isc/include/isc/error.h4
-rw-r--r--contrib/bind9/lib/isc/include/isc/file.h35
-rw-r--r--contrib/bind9/lib/isc/include/isc/fsaccess.h4
-rw-r--r--contrib/bind9/lib/isc/include/isc/hash.h4
-rw-r--r--contrib/bind9/lib/isc/include/isc/heap.h4
-rw-r--r--contrib/bind9/lib/isc/include/isc/hmacmd5.h13
-rw-r--r--contrib/bind9/lib/isc/include/isc/hmacsha.h17
-rw-r--r--contrib/bind9/lib/isc/include/isc/lib.h13
-rw-r--r--contrib/bind9/lib/isc/include/isc/log.h4
-rw-r--r--contrib/bind9/lib/isc/include/isc/md5.h14
-rw-r--r--contrib/bind9/lib/isc/include/isc/mem.h159
-rw-r--r--contrib/bind9/lib/isc/include/isc/msgs.h6
-rw-r--r--contrib/bind9/lib/isc/include/isc/namespace.h166
-rw-r--r--contrib/bind9/lib/isc/include/isc/netaddr.h4
-rw-r--r--contrib/bind9/lib/isc/include/isc/netscope.h4
-rw-r--r--contrib/bind9/lib/isc/include/isc/platform.h.in20
-rw-r--r--contrib/bind9/lib/isc/include/isc/portset.h4
-rw-r--r--contrib/bind9/lib/isc/include/isc/radix.h4
-rw-r--r--contrib/bind9/lib/isc/include/isc/random.h4
-rw-r--r--contrib/bind9/lib/isc/include/isc/ratelimiter.h4
-rw-r--r--contrib/bind9/lib/isc/include/isc/refcount.h8
-rw-r--r--contrib/bind9/lib/isc/include/isc/result.h3
-rw-r--r--contrib/bind9/lib/isc/include/isc/resultclass.h5
-rw-r--r--contrib/bind9/lib/isc/include/isc/serial.h4
-rw-r--r--contrib/bind9/lib/isc/include/isc/sha1.h13
-rw-r--r--contrib/bind9/lib/isc/include/isc/sha2.h17
-rw-r--r--contrib/bind9/lib/isc/include/isc/sockaddr.h4
-rw-r--r--contrib/bind9/lib/isc/include/isc/socket.h147
-rw-r--r--contrib/bind9/lib/isc/include/isc/task.h134
-rw-r--r--contrib/bind9/lib/isc/include/isc/timer.h93
-rw-r--r--contrib/bind9/lib/isc/include/isc/types.h7
-rw-r--r--contrib/bind9/lib/isc/inet_aton.c4
-rw-r--r--contrib/bind9/lib/isc/inet_ntop.c4
-rw-r--r--contrib/bind9/lib/isc/iterated_hash.c4
-rw-r--r--contrib/bind9/lib/isc/lib.c34
-rw-r--r--contrib/bind9/lib/isc/md5.c30
-rw-r--r--contrib/bind9/lib/isc/mem.c571
-rw-r--r--contrib/bind9/lib/isc/mem_api.c303
-rw-r--r--contrib/bind9/lib/isc/netaddr.c2
-rw-r--r--contrib/bind9/lib/isc/nls/Makefile.in4
-rw-r--r--contrib/bind9/lib/isc/nothreads/Makefile.in8
-rw-r--r--contrib/bind9/lib/isc/print.c4
-rw-r--r--contrib/bind9/lib/isc/pthreads/Makefile.in4
-rw-r--r--contrib/bind9/lib/isc/pthreads/mutex.c2
-rw-r--r--contrib/bind9/lib/isc/random.c4
-rw-r--r--contrib/bind9/lib/isc/sha1.c39
-rw-r--r--contrib/bind9/lib/isc/sha2.c427
-rw-r--r--contrib/bind9/lib/isc/sockaddr.c2
-rw-r--r--contrib/bind9/lib/isc/socket_api.c216
-rw-r--r--contrib/bind9/lib/isc/task.c561
-rw-r--r--contrib/bind9/lib/isc/task_api.c227
-rw-r--r--contrib/bind9/lib/isc/task_p.h6
-rw-r--r--contrib/bind9/lib/isc/timer.c346
-rw-r--r--contrib/bind9/lib/isc/timer_api.c144
-rw-r--r--contrib/bind9/lib/isc/timer_p.h8
-rw-r--r--contrib/bind9/lib/isc/unix/Makefile.in4
-rw-r--r--contrib/bind9/lib/isc/unix/app.c540
-rw-r--r--contrib/bind9/lib/isc/unix/dir.c2
-rw-r--r--contrib/bind9/lib/isc/unix/entropy.c4
-rw-r--r--contrib/bind9/lib/isc/unix/file.c114
-rw-r--r--contrib/bind9/lib/isc/unix/ifiter_getifaddrs.c4
-rw-r--r--contrib/bind9/lib/isc/unix/ifiter_ioctl.c4
-rw-r--r--contrib/bind9/lib/isc/unix/include/isc/net.h2
-rw-r--r--contrib/bind9/lib/isc/unix/include/isc/offset.h4
-rw-r--r--contrib/bind9/lib/isc/unix/include/isc/strerror.h4
-rw-r--r--contrib/bind9/lib/isc/unix/include/isc/time.h4
-rw-r--r--contrib/bind9/lib/isc/unix/interfaceiter.c4
-rw-r--r--contrib/bind9/lib/isc/unix/net.c4
-rw-r--r--contrib/bind9/lib/isc/unix/resource.c4
-rw-r--r--contrib/bind9/lib/isc/unix/socket.c948
-rw-r--r--contrib/bind9/lib/isc/unix/socket_p.h9
-rw-r--r--contrib/bind9/lib/isc/unix/strerror.c4
-rw-r--r--contrib/bind9/lib/isccc/Makefile.in2
-rw-r--r--contrib/bind9/lib/isccc/api4
-rw-r--r--contrib/bind9/lib/isccfg/Makefile.in4
-rw-r--r--contrib/bind9/lib/isccfg/aclconf.c70
-rw-r--r--contrib/bind9/lib/isccfg/api4
-rw-r--r--contrib/bind9/lib/isccfg/dnsconf.c69
-rw-r--r--contrib/bind9/lib/isccfg/include/isccfg/aclconf.h20
-rw-r--r--contrib/bind9/lib/isccfg/include/isccfg/cfg.h28
-rw-r--r--contrib/bind9/lib/isccfg/include/isccfg/dnsconf.h35
-rw-r--r--contrib/bind9/lib/isccfg/include/isccfg/grammar.h24
-rw-r--r--contrib/bind9/lib/isccfg/include/isccfg/log.h4
-rw-r--r--contrib/bind9/lib/isccfg/include/isccfg/namedconf.h16
-rw-r--r--contrib/bind9/lib/isccfg/namedconf.c711
-rw-r--r--contrib/bind9/lib/isccfg/parser.c90
-rw-r--r--contrib/bind9/lib/lwres/api4
-rw-r--r--contrib/bind9/lib/lwres/context.c4
-rw-r--r--contrib/bind9/lib/lwres/context_p.h4
-rw-r--r--contrib/bind9/lib/lwres/getaddrinfo.c4
-rw-r--r--contrib/bind9/lib/lwres/getipnode.c4
-rw-r--r--contrib/bind9/lib/lwres/include/lwres/context.h4
-rw-r--r--contrib/bind9/lib/lwres/include/lwres/netdb.h.in4
-rw-r--r--contrib/bind9/lib/lwres/man/lwres.html10
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_buffer.html2
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_config.34
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_config.docbook5
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_config.html10
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_context.34
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_context.docbook5
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_context.html8
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_gabn.34
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_gabn.docbook5
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_gabn.html10
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_gai_strerror.34
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_gai_strerror.docbook5
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_gai_strerror.html6
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_getaddrinfo.34
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_getaddrinfo.docbook5
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_getaddrinfo.html8
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_gethostent.34
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_gethostent.docbook5
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_gethostent.html10
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_getipnode.34
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_getipnode.docbook5
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_getipnode.html8
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_getnameinfo.34
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_getnameinfo.docbook5
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_getnameinfo.html10
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_getrrsetbyname.34
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_getrrsetbyname.docbook5
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_getrrsetbyname.html8
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_gnba.34
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_gnba.docbook5
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_gnba.html10
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_hstrerror.34
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_hstrerror.docbook5
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_hstrerror.html8
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_inetntop.34
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_inetntop.docbook5
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_inetntop.html8
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_noop.34
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_noop.docbook5
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_noop.html10
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_packet.34
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_packet.docbook5
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_packet.html6
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_resutil.34
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_resutil.docbook5
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_resutil.html8
-rw-r--r--contrib/bind9/lib/lwres/strtoul.c4
-rw-r--r--contrib/bind9/lib/lwres/unix/Makefile.in2
-rw-r--r--contrib/bind9/lib/lwres/unix/include/Makefile.in2
-rw-r--r--contrib/bind9/lib/lwres/unix/include/lwres/Makefile.in2
-rw-r--r--contrib/bind9/lib/lwres/unix/include/lwres/net.h8
-rw-r--r--contrib/bind9/lib/lwres/version.c4
-rw-r--r--contrib/bind9/make/rules.in103
-rw-r--r--contrib/bind9/version8
-rw-r--r--lib/bind/Makefile2
-rw-r--r--lib/bind/config.h96
-rw-r--r--lib/bind/dns/Makefile22
-rw-r--r--lib/bind/dns/code.h222
-rw-r--r--lib/bind/dns/dns/enumtype.h4
-rw-r--r--lib/bind/dns/dns/rdatastruct.h94
-rw-r--r--lib/bind/isc/Makefile20
-rw-r--r--lib/bind/isc/backtrace-emptytbl.c36
-rw-r--r--lib/bind/isc/isc/platform.h22
-rw-r--r--lib/bind/lwres/lwres/netdb.h4
-rw-r--r--share/doc/bind9/Makefile13
-rw-r--r--usr.bin/nsupdate/Makefile1
-rw-r--r--usr.sbin/Makefile38
-rw-r--r--usr.sbin/arpaname/Makefile24
-rw-r--r--usr.sbin/ddns-confgen/Makefile31
-rw-r--r--usr.sbin/dnssec-revoke/Makefile24
-rw-r--r--usr.sbin/dnssec-settime/Makefile24
-rw-r--r--usr.sbin/dnssec-signzone/Makefile2
-rw-r--r--usr.sbin/genrandom/Makefile24
-rw-r--r--usr.sbin/isc-hmac-fixup/Makefile24
-rw-r--r--usr.sbin/named-checkconf/Makefile1
-rw-r--r--usr.sbin/named-journalprint/Makefile24
-rw-r--r--usr.sbin/named/Makefile7
-rw-r--r--usr.sbin/nsec3hash/Makefile24
-rw-r--r--usr.sbin/rndc-confgen/Makefile4
-rw-r--r--usr.sbin/rndc/Makefile6
644 files changed, 80120 insertions, 17780 deletions
diff --git a/contrib/bind9/CHANGES b/contrib/bind9/CHANGES
index 6e8b138a8716..6d1ee3109994 100644
--- a/contrib/bind9/CHANGES
+++ b/contrib/bind9/CHANGES
@@ -1,4 +1,9 @@
- --- 9.6-ESV-R8 released ---
+ --- 9.8.4-P1 released ---
+
+3407. [security] Named could die on specific queries with dns64 enabled.
+ [Addressed in change #3388 for BIND 9.8.5 and 9.9.3.]
+
+ --- 9.8.4 released ---
3383. [security] A certain combination of records in the RBT could
cause named to hang while populating the additional
@@ -9,19 +14,26 @@
3364. [security] Named could die on specially crafted record.
[RT #30416]
- --- 9.6-ESV-R8rc1 released ---
+ --- 9.8.4rc1 released ---
3369. [bug] nsupdate terminated unexpectedly in interactive mode
if built with readline support. [RT #29550]
3368. [bug] <dns/iptable.h> and <dns/zone.h> were not C++ safe.
+3367. [bug] dns_dnsseckey_create() result was not being checked.
+ [RT #30685]
+
3366. [bug] Fixed Read-After-Write dependency violation for IA64
atomic operations. [RT #25181]
3365. [bug] Removed spurious newlines from log messages in
zone.c [RT #30675]
+3363. [bug] Need to allow "forward" and "fowarders" options
+ in static-stub zones; this had been overlooked.
+ [RT #30482]
+
3362. [bug] Setting some option values to 0 in named.conf
could trigger an assertion failure on startup.
[RT #27730]
@@ -31,18 +43,26 @@
3359. [bug] An improperly-formed TSIG secret could cause a
memory leak. [RT #30607]
-3358. [bug] Fix declaration of fatal in bin/named/server.c
- and bin/nsupdate/main.c. [RT #30522]
-
3357. [port] Add support for libxml2-2.8.x [RT #30440]
- --- 9.6-ESV-R8b1 released ---
+3356. [bug] Cap the TTL of signed RRsets when RRSIGs are
+ approaching their expiry, so they don't remain
+ in caches after expiry. [RT #26429]
+
+ --- 9.8.4b1 released ---
3354. [func] Improve OpenSSL error logging. [RT #29932]
+3353. [bug] Use a single task for task exclusive operations.
+ [RT #29872]
+
3352. [bug] Ensure that learned server attributes timeout of the
adb cache. [RT #29856]
+3351. [bug] isc_mem_put and isc_mem_putanddetach didn't report
+ caller if either ISC_MEM_DEBUGSIZE or ISC_MEM_DEBUGCTX
+ memory debugging flags are set. [RT #30243]
+
3350. [bug] Memory read overrun in isc___mem_reallocate if
ISC_MEM_DEBUGCTX memory debugging flag is set.
[RT #30240]
@@ -53,11 +73,13 @@
the cache since change 3218 -- this prevents it
being inserted into the cache as well. [RT #26809]
+3347. [bug] dnssec-settime: Issue a warning when writing a new
+ private key file would cause a change in the
+ permissions of the existing file. [RT #27724]
+
3346. [security] Bad-cache data could be used before it was
initialized, causing an assert. [RT #30025]
-3343. [bug] Relax isc_random_jitter() REQUIRE tests. [RT #29821]
-
3342. [bug] Change #3314 broke saving of stub zones to disk
resulting in excessive cpu usage in some cases.
[RT #29952]
@@ -68,11 +90,30 @@
3335. [func] nslookup: return a nonzero exit code when unable
to get an answer. [RT #29492]
+3333. [bug] Setting resolver-query-timeout too low can cause
+ named to not recover if it loses connectivity.
+ [RT #29623]
+
3332. [bug] Re-use cached DS rrsets if possible. [RT #29446]
3331. [security] dns_rdataslab_fromrdataset could produce bad
rdataslabs. [RT #29644]
+3330. [func] Fix missing signatures on NOERROR results despite
+ RPZ rewriting. Also
+ - add optional "recursive-only yes|no" to the
+ response-policy statement
+ - add optional "max-policy-ttl" to the response-policy
+ statement to limit the false data that
+ "recursive-only no" can introduce into
+ resolvers' caches
+ - add a RPZ performance test to bin/tests/system/rpz
+ when queryperf is available.
+ - the encoding of PASSTHRU action to "rpz-passthru".
+ (The old encoding is still accepted.)
+ [RT #26172]
+
+
3329. [bug] Handle RRSIG signer-name case consistently: We
generate RRSIG records with the signer-name in
lower case. We accept them with any case, but if
@@ -82,7 +123,9 @@
3328. [bug] Fixed inconsistent data checking in dst_parse.c.
[RT #29401]
- --- 9.6-ESV-R7 released ---
+3317. [func] Add ECDSA support (RFC 6605). [RT #21918]
+
+ --- 9.8.3 released ---
3318. [tuning] Reduce the amount of work performed while holding a
bucket lock when finshed with a fetch context.
@@ -93,6 +136,9 @@
3313. [protocol] Add TLSA record type. [RT #28989]
+3312. [bug] named-checkconf didn't detect a bad dns64 clients acl.
+ [RT #27631]
+
3311. [bug] Abort the zone dump if zone->db is NULL in
zone.c:zone_gotwritehandle. [RT #29028]
@@ -104,9 +150,17 @@
3307. [bug] Add missing ISC_LANG_BEGINDECLS and ISC_LANG_ENDDECLS.
[RT #28956]
+3306. [bug] Improve DNS64 reverse zone performance. [RT #28563]
+
+3305. [func] Add wire format lookup method to sdb. [RT #28563]
+
3304. [bug] Use hmctx, not mctx when freeing rbtdb->heaps.
[RT #28571]
+3302. [bug] dns_dnssec_findmatchingkeys could fail to find
+ keys if the zone name contained character that
+ required special mappings. [RT #28600]
+
3301. [contrib] Update queryperf to build on darwin. Add -R flag
for non-recursive queries. [RT #28565]
@@ -119,10 +173,12 @@
3232. [bug] Zero zone->curmaster before return in
dns_zone_setmasterswithkeys(). [RT #26732]
+3183. [bug] Added RTLD_GLOBAL flag to dlopen call. [RT #26301]
+
3197. [bug] Don't try to log the filename and line number when
the config parser can't open a file. [RT #22263]
- --- 9.6-ESV-R6 released ---
+ --- 9.8.2 released ---
3298. [bug] Named could dereference a NULL pointer in
zmgr_start_xfrin_ifquota if the zone was being removed.
@@ -141,9 +197,15 @@
3290. [bug] <isc/hmacsha.h> was not being installed. [RT #28169]
+3288. [bug] dlz_destroy() function wasn't correctly registered
+ by the DLZ dlopen driver. [RT #28056]
+
3287. [port] Update ans.pl to work with Net::DNS 0.68. [RT #28028]
- --- 9.6-ESV-R6rc2 released ---
+3286. [bug] Managed key maintenance timer could fail to start
+ after 'rndc reconfig'. [RT #26786]
+
+ --- 9.8.2rc2 released ---
3285. [bug] val-frdataset was incorrectly disassociated in
proveunsecure after calling startfinddlvsep.
@@ -163,9 +225,27 @@
despite succeeding over the loopback interface.
[RT #27782]
-3374. [bug] Log when a zone is not reusable. Only set loadtime
+3280. [bug] Potential double free of a rdataset on out of memory
+ with DNS64. [RT #27762]
+
+3278. [bug] Make sure automatic key maintenance is started
+ when "auto-dnssec maintain" is turned on during
+ "rndc reconfig". [RT #26805]
+
+3276. [bug] win32: ns_os_openfile failed to return NULL on
+ safe_open failure. [RT #27696]
+
+3274. [bug] Log when a zone is not reusable. Only set loadtime
on successful loads. [RT #27650]
+3273. [bug] AAAA responses could be returned in the additional
+ section even when filter-aaaa-on-v4 was in use.
+ [RT #27292]
+
+3271. [port] darwin: mksymtbl is not always stable, loop several
+ times before giving up. mksymtbl was using non
+ portable perl to covert 64 bit hex strings. [RT #27653]
+
3268. [bug] Convert RRSIG expiry times to 64 timestamps to work
out the earliest expiry time. [RT #23311]
@@ -177,7 +257,10 @@
DNSKEY RRset was not being properly computed.
[RT #26543]
- --- 9.6-ESV-R6rc1 released ---
+3262. [bug] Signed responses were handled incorrectly by RPZ.
+ [RT #27316]
+
+ --- 9.8.2rc1 released ---
3260. [bug] "rrset-order cyclic" could appear not to rotate
for some query patterns. [RT #27170/27185]
@@ -185,6 +268,9 @@
3259. [bug] named-compilezone: Suppress "dump zone to <file>"
message when writing to stdout. [RT #27109]
+3258. [test] Add "forcing full sign with unreadable keys" test.
+ [RT #27153]
+
3257. [bug] Do not generate a error message when calling fsync()
in a pipe or socket. [RT #27109]
@@ -208,6 +294,10 @@
3249. [bug] Update log message when saving slave zones files for
analysis after load failures. [RT #27087]
+3248. [bug] Configure options --enable-fixed-rrset and
+ --enable-exportlib were incompatible with each
+ other. [RT #27087]
+
3247. [bug] 'raw' format zones failed to preserve load order
breaking 'fixed' sort order. [RT #27087]
@@ -217,11 +307,18 @@
3241. [bug] Address race conditions in the resolver code.
[RT #26889]
+3240. [bug] DNSKEY state change events could be missed. [RT #26874]
+
+3239. [bug] dns_dnssec_findmatchingkeys needs to use a consistent
+ timestamp. [RT #26883]
+
3238. [bug] keyrdata was not being reinitialized in
lib/dns/rbtdb.c:iszonesecure. [RT#26913]
3237. [bug] dig -6 didn't work with +trace. [RT #26906]
+ --- 9.8.2b1 released ---
+
3234. [bug] 'make depend' produced invalid makefiles. [RT #26830]
3231. [bug] named could fail to send a uncompressable zone.
@@ -230,6 +327,9 @@
3230. [bug] 'dig axfr' failed to properly handle a multi-message
axfr with a serial of 0. [RT #26796]
+3229. [bug] Fix local variable to struct var assignment
+ found by CLANG warning.
+
3228. [tuning] Dynamically grow symbol table to improve zone
loading performance. [RT #26523]
@@ -238,16 +338,20 @@
3226. [bug] Address minor resource leakages. [RT #26624]
- --- 9.6-ESV-R6b1 released ---
-
3221. [bug] Fixed a potential coredump on shutdown due to
referencing fetch context after it's been freed.
[RT #26720]
+3220. [bug] Change #3186 was incomplete; dns_db_rpz_findips()
+ could fail to set the database version correctly,
+ causing an assertion failure. [RT #26180]
+
3218. [security] Cache lookup could return RRSIG data associated with
nonexistent records, leading to an assertion
failure. [RT #26590]
+3217. [cleanup] Fix build problem with --disable-static. [RT #26476]
+
3216. [bug] resolver.c:validated() was not thread-safe. [RT #26478]
3213. [doc] Clarify ixfr-from-differences behavior. [RT #25188]
@@ -256,6 +360,8 @@
list prior to adding a reference to it leading a
possible assertion failure. [RT #23219]
+3209. [func] Add "dnssec-lookaside 'no'". [RT #24858]
+
3208. [bug] 'dig -y' handle unknown tsig alorithm better.
[RT #25522]
@@ -273,9 +379,15 @@
3200. [doc] Some rndc functions were undocumented or were
missing from 'rndc -h' output. [RT #25555]
+3198. [doc] Clarified that dnssec-settime can alter keyfile
+ permissions. [RT #24866]
+
3196. [bug] nsupdate: return nonzero exit code when target zone
doesn't exist. [RT #25783]
+3195. [cleanup] Silence "file not found" warnings when loading
+ managed-keys zone. [RT #26340]
+
3194. [doc] Updated RFC references in the 'empty-zones-enable'
documentation. [RT #25203]
@@ -292,8 +404,14 @@
3189. [test] Added a summary report after system tests. [RT #25517]
+3188. [bug] zone.c:zone_refreshkeys() could fail to detach
+ references correctly when errors occurred, causing
+ a hang on shutdown. [RT #26372]
+
3187. [port] win32: support for Visual Studio 2008. [RT #26356]
+3186. [bug] Version/db mis-match in rpz code. [RT #26180]
+
3179. [port] kfreebsd: build issues. [RT #26273]
3175. [bug] Fix how DNSSEC positive wildcard responses from a
@@ -301,8 +419,25 @@
unnecessary NSEC3 record when generating such
responses. [RT #26200]
+3174. [bug] Always compute to revoked key tag from scratch.
+ [RT #26186]
+
3173. [port] Correctly validate root DS responses. [RT #25726]
+3171. [bug] Exclusively lock the task when adding a zone using
+ 'rndc addzone'. [RT #25600]
+
+3170. [func] RPZ update:
+ - fix precedence among competing rules
+ - improve ARM text including documenting rule precedence
+ - try to rewrite CNAME chains until first hit
+ - new "rpz" logging channel
+ - RDATA for CNAME rules can include wildcards
+ - replace "NO-OP" named.conf policy override with
+ "PASSTHRU" and add "DISABLED" override ("NO-OP"
+ is still recognized)
+ [RT #25172]
+
3169. [func] Catch db/version mis-matches when calling dns_db_*().
[RT #26017]
@@ -314,26 +449,24 @@
ns*/ subdirectory to override stock arguments to
named. Largely from RT#26044, but no separate ticket.
+3161. [bug] zone.c:del_sigs failed to always reset rdata leading
+ assertion failures. [RT #25880]
+
3157. [tuning] Reduce the time spent in "rndc reconfig" by parsing
the config file before pausing the server. [RT #21373]
-3156. [bug] Reconfiguring the server with an incorrectly
- formatted TSIG key could cause a crash during
- subsequent zone transfers. [RT #20391]
+3155. [bug] Fixed a build failure when using contrib DLZ
+ drivers (e.g., mysql, postgresql, etc). [RT #25710]
3154. [bug] Attempting to print an empty rdataset could trigger
an assert. [RT #25452]
+3152. [cleanup] Some versions of gcc and clang failed due to
+ incorrect use of __builtin_expect. [RT #25183]
+
3151. [bug] Queries for type RRSIG or SIG could be handled
incorrectly. [RT #21050]
-3149. [tuning] Improve scalability by allocating one zone
- task per 100 zones at startup time. (The
- BIND9_ZONE_TASKS_HINT environment variable
- which was established as a temporary measure
- in change #3132 is no longer needed or
- used.) [rt25541]
-
3148. [bug] Processing of normal queries could be stalled when
forwarding a UPDATE message. [RT #24711]
@@ -347,15 +480,17 @@
3143. [bug] Silence clang compiler warnings. [RT #25174]
-3142. [bug] NAPTR is class agnostic. [RT #25429]
-
-3141. [bug] Silence spurious "zone serial unchanged" messages
- associated with empty zones. [RT #25079]
-
3139. [test] Added tests from RFC 6234, RFC 2202, and RFC 1321
for the hashing algorithms (md5, sha1 - sha512, and
their hmac counterparts). [RT #25067]
+ --- 9.8.1 released ---
+
+ --- 9.8.1rc1 released ---
+
+3141. [bug] Silence spurious "zone serial (0) unchanged" messages
+ associated with empty zones. [RT #25079]
+
3138. [bug] Address memory leaks and out-of-order operations when
shutting named down. [RT #25210]
@@ -363,30 +498,38 @@
empty zones switched on by the 'empty-zones-enable'
option. [RT #24990]
-3134. [bug] Improve the accuracy of dnssec-signzone's signing
- statistics. [RT #16030]
-
- --- 9.6-ESV-R5 released ---
+ Note: empty-zones-enable must be "yes;" or a empty
+ zone needs to be disabled in named.conf for RFC 1918
+ zones to be activated. This requirement may be
+ removed in future releases.
3135. [port] FreeBSD: workaround broken IPV6_USE_MIN_MTU processing.
See http://www.freebsd.org/cgi/query-pr.cgi?pr=158307
[RT #24950]
-3132. [bug] Workaround for excessive startup time with large
- number of zones; allow setting of an environment
- variable to tune the number of tasks, default is 8,
- recommends 200 zones per task. If you have 200000
- zones set the BIND9_ZONE_TASKS_HINT environment
- variable to 1000 before starting named:
+3134. [bug] Improve the accuracy of dnssec-signzone's signing
+ statistics. [RT #16030]
+
+ --- 9.8.1b3 released ---
+
+3133. [bug] Change #3114 was incomplete. [RT #24577]
+
+3131. [tuning] Improve scalability by allocating one zone task
+ per 100 zones at startup time, rather than using a
+ fixed-size task table. [RT #24406]
- csh: setenv BIND9_ZONE_TASKS_HINT 1000
- sh: BIND9_ZONE_TASKS_HINT=1000;
- export BIND9_ZONE_TASKS_HINT
+3129. [bug] Named could crash on 'rndc reconfig' when
+ allow-new-zones was set to yes and named ACLs
+ were used. [RT #22739]
- Applicable to 9.7, 9.6, auto-tuned in 9.8 and up.
- [RT #25084]
+ --- 9.8.1b2 released ---
- --- 9.6-ESV-R5rc1 released ---
+3126. [security] Using DNAME record to generate replacements caused
+ RPZ to exit with a assertion failure. [RT #24766]
+
+3125. [security] Using wildcard CNAME records as a replacement with
+ RPZ caused named to exit with a assertion failure.
+ [RT #24715]
3124. [bug] Use an rdataset attribute flag to indicate
negative-cache records rather than using rrtype 0;
@@ -397,6 +540,8 @@
dns_rdataset_totext() that could cause named to
crash with an assertion failure. [RT #24777]
+3122. [cleanup] dnssec-settime: corrected usage message. [RT #24664]
+
3121. [security] An authoritative name server sending a negative
response containing a very large RRset could
trigger an off-by-one error in the ncache code
@@ -406,40 +551,105 @@
that validated insecure without using DLV and had
DS records in the parent zone. [RT #24631]
+3119. [bug] When rolling to a new DNSSEC key, a private-type
+ record could be created and never marked complete.
+ [RT #23253]
+
3118. [bug] nsupdate could dump core on shutdown when using
SIG(0) keys. [RT #24604]
+3117. [cleanup] Remove doc and parser references to the
+ never-implemented 'auto-dnssec create' option.
+ [RT #24533]
+
+3115. [bug] Named could fail to return requested data when
+ following a CNAME that points into the same zone.
+ [RT #24455]
+
+3114. [bug] Retain expired RRSIGs in dynamic zones if key is
+ inactive and there is no replacement key. [RT #23136]
+
3113. [doc] Document the relationship between serial-query-rate
and NOTIFY messages.
+ --- 9.8.1b1 released ---
+
3112. [doc] Add missing descriptions of the update policy name
types "ms-self", "ms-subdomain", "krb5-self" and
"krb5-subdomain", which allow machines to update
their own records, to the BIND 9 ARM.
+3111. [bug] Improved consistency checks for dnssec-enable and
+ dnssec-validation, added test cases to the
+ checkconf system test. [RT #24398]
+
3110. [bug] dnssec-signzone: Wrong error message could appear
when attempting to sign with no KSK. [RT #24369]
+3107. [bug] dnssec-signzone: Report the correct number of ZSKs
+ when using -x. [RT #20852]
+
+3105. [bug] GOST support can be suppressed by "configure
+ --without-gost" [RT #24367]
+
3104. [bug] Better support for cross-compiling. [RT #24367]
+3103. [bug] Configuring 'dnssec-validation auto' in a view
+ instead of in the options statement could trigger
+ an assertion failure in named-checkconf. [RT #24382]
+
+3101. [bug] Zones using automatic key maintenance could fail
+ to check the key repository for updates. [RT #23744]
+
+3100. [security] Certain response policy zone configurations could
+ trigger an INSIST when receiving a query of type
+ RRSIG. [RT #24280]
+
3099. [test] "dlz" system test now runs but gives R:SKIPPED if
not compiled with --with-dlz-filesystem. [RT #24146]
+3098. [bug] DLZ zones were answering without setting the AA bit.
+ [RT #24146]
+
3097. [test] Add a tool to test handling of malformed packets.
[RT #24096]
- --- 9.6-ESV-R5b1 released ---
+3096. [bug] Set KRB5_KTNAME before calling log_cred() in
+ dst_gssapi_acceptctx(). [RT #24004]
3095. [bug] Handle isolated reserved ports in the port range.
[RT #23957]
+3094. [doc] Expand dns64 documentation.
+
+3093. [bug] Fix gssapi/kerberos dependencies [RT #23836]
+
+3092. [bug] Signatures for records at the zone apex could go
+ stale due to an incorrect timer setting. [RT #23769]
+
+3091. [bug] Fixed a bug in which zone keys that were published
+ and then subsequently activated could fail to trigger
+ automatic signing. [RT #22911]
+
+3090. [func] Make --with-gssapi default [RT #23738]
+
3088. [bug] Remove bin/tests/system/logfileconfig/ns1/named.conf
and add setup.sh in order to resolve changing
named.conf issue. [RT #23687]
+3087. [bug] DDNS updates using SIG(0) with update-policy match
+ type "external" could cause a crash. [RT #23735]
+
+3086. [bug] Running dnssec-settime -f on an old-style key will
+ now force an update to the new key format even if no
+ other change has been specified, using "-P now -A now"
+ as default values. [RT #22474]
+
3083. [bug] NOTIFY messages were not being sent when generating
a NSEC3 chain incrementally. [RT #23702]
+3082. [port] strtok_r is threads only. [RT #23747]
+
3081. [bug] Failure of DNAME substitution did not return
YXDOMAIN. [RT #23591]
@@ -449,13 +659,32 @@
3079. [bug] Handle isc_event_allocate failures in t_tasks.
[RT #23572]
+3078. [func] Added a new include file with function typedefs
+ for the DLZ "dlopen" driver. [RT #23629]
+
+3077. [bug] zone.c:zone_refreshkeys() incorrectly called
+ dns_zone_attach(), use zone->irefs instead. [RT #23303]
+
+3075. [bug] dns_dnssec_findzonekeys{2} used a inconsistant
+ timestamp when determining which keys are active.
+ [RT #23642]
+
3074. [bug] Make the adb cache read through for zone data and
glue learn for zone named is authoritative for.
[RT #22842]
+3073. [bug] managed-keys changes were not properly being recorded.
+ [RT #20256]
+
+3072. [bug] dns_dns64_aaaaok() potential NULL pointer dereference.
+ [RT #20256]
+
3071. [bug] has_nsec could be used unintialised in
update.c:next_active. [RT #20256]
+3070. [bug] dnssec-signzone potential NULL pointer dereference.
+ [RT #20256]
+
3069. [cleanup] Silence warnings messages from clang static analysis.
[RT #20256]
@@ -465,6 +694,11 @@
3067. [bug] ixfr-from-differences {master|slave}; failed to
select the master/slave zones. [RT #23580]
+3066. [func] The DLZ "dlopen" driver is now built by default,
+ no longer requiring a configure option. To
+ disable it, use "configure --without-dlopen".
+ (Note: driver not supported on win32.) [RT #23467]
+
3065. [bug] RRSIG could have time stamps too far in the future.
[RT #23356]
@@ -479,13 +713,34 @@
reload to fail, if a log file specified in the conf
file isn't a plain file. [RT #22771]
+3057. [bug] "rndc secroots" would abort after the first error
+ and so could miss some views. [RT #23488]
+
+3054. [bug] Added elliptic curve support check in
+ GOST OpenSSL engine detection. [RT #23485]
+
3053. [bug] Under a sustained high query load with a finite
max-cache-size, it was possible for cache memory
to be exhausted and not recovered. [RT #23371]
+3052. [test] Fixed last autosign test report. [RT #23256]
+
3051. [bug] NS records obsure DNAME records at the bottom of the
zone if both are present. [RT #23035]
+3050. [bug] The autosign system test was timing dependent.
+ Wait for the initial autosigning to complete
+ before running the rest of the test. [RT #23035]
+
+3049. [bug] Save and restore the gid when creating creating
+ named.pid at startup. [RT #23290]
+
+3048. [bug] Fully separate view key mangement. [RT #23419]
+
+3047. [bug] DNSKEY NODATA responses not cached fixed in
+ validator.c. Tests added to dnssec system test.
+ [RT #22908]
+
3046. [bug] Use RRSIG original TTL to compute validated RRset
and RRSIG TTL. [RT #23332]
@@ -509,6 +764,8 @@
with a CNAME existed between the trust anchor and the
top of the zone. [RT #23338]
+3038. [bug] Install <dns/rpz.h>. [RT #23342]
+
3037. [doc] Update COPYRIGHT to contain all the individual
copyright notices that cover various parts.
@@ -544,47 +801,108 @@
after calling grow_headerspace() and if not
re-call grow_headerspace() until we do. [RT #22521]
+ --- 9.8.0 released ---
+
3025. [bug] Fixed a possible deadlock due to zone resigning.
[RT #22964]
+3024. [func] RTT Banding removed due to minor security increase
+ but major impact on resolver latency. [RT #23310]
+
3023. [bug] Named could be left in an inconsistent state when
receiving multiple AXFR response messages that were
not all TSIG-signed. [RT #23254]
+3022. [bug] Fixed rpz SERVFAILs after failed zone transfers
+ [RT #23246]
+
+3021. [bug] Change #3010 was incomplete. [RT #22296]
+
+3020. [bug] auto-dnssec failed to correctly update the zone when
+ changing the DNSKEY RRset. [RT #23232]
+
3019. [test] Test: check apex NSEC3 records after adding DNSKEY
record via UPDATE. [RT #23229]
+ --- 9.8.0rc1 released ---
+
3018. [bug] Named failed to check for the "none;" acl when deciding
if a zone may need to be re-signed. [RT #23120]
+3017. [doc] dnssec-keyfromlabel -I was not properly documented.
+ [RT #22887]
+
3016. [bug] rndc usage missing '-b'. [RT #22937]
3015. [port] win32: fix IN6_IS_ADDR_LINKLOCAL and
IN6_IS_ADDR_SITELOCAL macros. [RT #22724]
-3014. [bug] Fix the zonechecks system test to match expected
- behaviour for 9.6 and to fail on error. [RT #22905]
+3013. [bug] The DNS64 ttl was not always being set as expected.
+ [RT #23034]
3012. [bug] Remove DNSKEY TTL change pairs before generating
signing records for any remaining DNSKEY changes.
[RT #22590]
- --- 9.6-ESV-R4 released ---
+3011. [func] Allow setting this in named.conf using the new
+ 'resolver-query-timeout' option, which specifies a max
+ time in seconds. 0 means 'default' and anything longer
+ than 30 will be silently set to 30. [RT #22852]
- --- 9.6.3 released ---
+3010. [bug] Fixed a bug where "rndc reconfig" stopped the timer
+ for refreshing managed-keys. [RT #22296]
3009. [bug] clients-per-query code didn't work as expected with
particular query patterns. [RT #22972]
- --- 9.6.3rc1 released ---
+ --- 9.8.0b1 released ---
+
+3008. [func] Response policy zones (RPZ) support. [RT #21726]
3007. [bug] Named failed to preserve the case of domain names in
rdata which is not compressible when writing master
files. [RT #22863]
+3006. [func] Allow dynamically generated TSIG keys to be preserved
+ across restarts of named. Initially this is for
+ TSIG keys generated using GSSAPI. [RT #22639]
+
+3005. [port] Solaris: Work around the lack of
+ gsskrb5_register_acceptor_identity() by setting
+ the KRB5_KTNAME environment variable to the
+ contents of tkey-gssapi-keytab. Also fixed
+ test errors on MacOSX. [RT #22853]
+
+3004. [func] DNS64 reverse support. [RT #22769]
+
+3003. [experimental] Added update-policy match type "external",
+ enabling named to defer the decision of whether to
+ allow a dynamic update to an external daemon.
+ (Contributed by Andrew Tridgell.) [RT #22758]
+
3002. [bug] isc_mutex_init_errcheck() failed to destroy attr.
[RT #22766]
+3001. [func] Added a default trust anchor for the root zone, which
+ can be switched on by setting "dnssec-validation auto;"
+ in the named.conf options. [RT #21727]
+
+3000. [bug] More TKEY/GSS fixes:
+ - nsupdate can now get the default realm from
+ the user's Kerberos principal
+ - corrected gsstest compilation flags
+ - improved documentation
+ - fixed some NULL dereferences
+ [RT #22795]
+
+2999. [func] Add GOST support (RFC 5933). [RT #20639]
+
+2998. [func] Add isc_task_beginexclusive and isc_task_endexclusive
+ to the task api. [RT #22776]
+
+2997. [func] named -V now reports the OpenSSL and libxml2 verions
+ it was compiled against. [RT #22687]
+
2996. [security] Temporarily disable SO_ACCEPTFILTER support.
[RT #22589]
@@ -595,13 +913,52 @@
do not use threads on earlier versions. Also kill
the unproven-pthreads, mit-pthreads, and ptl2 support.
+2993. [func] Dynamically grow adb hash tables. [RT #21186]
+
+2992. [contrib] contrib/check-secure-delegation.pl: A simple tool
+ for looking at a secure delegation. [RT #22059]
+
+2991. [contrib] contrib/zone-edit.sh: A simple zone editing tool for
+ dynamic zones. [RT #22365]
+
+2990. [bug] 'dnssec-settime -S' no longer tests prepublication
+ interval validity when the interval is set to 0.
+ [RT #22761]
+
+2989. [func] Added support for writable DLZ zones. (Contributed
+ by Andrew Tridgell of the Samba project.) [RT #22629]
+
+2988. [experimental] Added a "dlopen" DLZ driver, allowing the creation
+ of external DLZ drivers that can be loaded as
+ shared objects at runtime rather than linked with
+ named. Currently this is switched on via a
+ compile-time option, "configure --with-dlz-dlopen".
+ Note: the syntax for configuring DLZ zones
+ is likely to be refined in future releases.
+ (Contributed by Andrew Tridgell of the Samba
+ project.) [RT #22629]
+
+2987. [func] Improve ease of configuring TKEY/GSS updates by
+ adding a "tkey-gssapi-keytab" option. If set,
+ updates will be allowed with any key matching
+ a principal in the specified keytab file.
+ "tkey-gssapi-credential" is no longer required
+ and is expected to be deprecated. (Contributed
+ by Andrew Tridgell of the Samba project.)
+ [RT #22629]
+
+2986. [func] Add new zone type "static-stub". It's like a stub
+ zone, but the nameserver names and/or their IP
+ addresses are statically configured. [RT #21474]
+
+2985. [bug] Add a regression test for change #2896. [RT #21324]
+
2984. [bug] Don't run MX checks when the target of the MX record
is ".". [RT #22645]
-2817. [cleanup] Removed unnecessary isc_task_endexclusive() calls.
- [RT #20768]
+2983. [bug] Include "loadkeys" in rndc help output. [RT #22493]
- --- 9.6.3b1 released ---
+ --- 9.8.0a1 released ---
2982. [bug] Reference count dst keys. dst_key_attach() can be used
increment the reference count.
@@ -610,12 +967,20 @@
always call dst_key_free() rather than setting it
to NULL on success. [RT #22672]
+2981. [func] Partial DNS64 support (AAAA synthesis). [RT #21991]
+
+2980. [bug] named didn't properly handle UPDATES that changed the
+ TTL of the NSEC3PARAM RRset. [RT #22363]
+
2979. [bug] named could deadlock during shutdown if two
"rndc stop" commands were issued at the same
time. [RT #22108]
2978. [port] hpux: look for <devpoll.h> [RT #21919]
+2977. [bug] 'nsupdate -l' report if the session key is missing.
+ [RT #21670]
+
2976. [bug] named could die on exit after negotiating a GSS-TSIG
key. [RT #22573]
@@ -623,21 +988,82 @@
wrong lock which could lead to server deadlock.
[RT #22614]
+2974. [bug] Some valid UPDATE requests could fail due to a
+ consistency check examining the existing version
+ of the zone rather than the new version resulting
+ from the UPDATE. [RT #22413]
+
+2973. [bug] bind.keys.h was being removed by the "make clean"
+ at the end of configure resulting in build failures
+ where there is very old version of perl installed.
+ Move it to "make maintainer-clean". [RT #22230]
+
+2972. [bug] win32: address windows socket errors. [RT #21906]
+
+2971. [bug] Fixed a bug that caused journal files not to be
+ compacted on Windows systems as a result of
+ non-POSIX-compliant rename() semantics. [RT #22434]
+
+2970. [security] Adding a NO DATA negative cache entry failed to clear
+ any matching RRSIG records. A subsequent lookup of
+ of NO DATA cache entry could trigger a INSIST when the
+ unexpected RRSIG was also returned with the NO DATA
+ cache entry.
+
+ CVE-2010-3613, VU#706148. [RT #22288]
+
+2969. [security] Fix acl type processing so that allow-query works
+ in options and view statements. Also add a new
+ set of tests to verify proper functioning.
+
+ CVE-2010-3615, VU#510208. [RT #22418]
+
+2968. [security] Named could fail to prove a data set was insecure
+ before marking it as insecure. One set of conditions
+ that can trigger this occurs naturally when rolling
+ DNSKEY algorithms.
+
+ CVE-2010-3614, VU#837744. [RT #22309]
+
+2967. [bug] 'host -D' now turns on debugging messages earlier.
+ [RT #22361]
+
+2966. [bug] isc_print_vsnprintf() failed to check if there was
+ space available in the buffer when adding a left
+ justified character with a non zero width,
+ (e.g. "%-1c"). [RT #22270]
+
2965. [func] Test HMAC functions using test data from RFC 2104 and
RFC 4634. [RT #21702]
+2964. [placeholder]
+
+2963. [security] The allow-query acl was being applied instead of the
+ allow-query-cache acl to cache lookups. [RT #22114]
+
+2962. [port] win32: add more dependencies to BINDBuild.dsw.
+ [RT #22062]
+
+2961. [bug] Be still more selective about the non-authoritative
+ answers we apply change 2748 to. [RT #22074]
+
2960. [func] Check that named accepts non-authoritative answers.
[RT #21594]
2959. [func] Check that named starts with a missing masterfile.
[RT #22076]
+2958. [bug] named failed to start with a missing master file.
+ [RT #22076]
+
2957. [bug] entropy_get() and entropy_getpseudo() failed to match
the API for RAND_bytes() and RAND_pseudo_bytes()
respectively. [RT #21962]
2956. [port] Enable atomic operations on the PowerPC64. [RT #21899]
+2955. [func] Provide more detail in the recursing log. [RT #22043]
+
2954. [bug] contrib: dlz_mysql_driver.c bad error handling on
build_sqldbinstance failure. [RT #21623]
@@ -645,10 +1071,26 @@
exact match" message when returning a wildcard
no data response. [RT #21744]
+2952. [port] win32: named-checkzone and named-checkconf failed
+ to initialise winsock. [RT #21932]
+
+2951. [bug] named failed to generate a correct signed response
+ in a optout, delegation only zone with no secure
+ delegations. [RT #22007]
+
2950. [bug] named failed to perform a SOA up to date check when
falling back to TCP on UDP timeouts when
ixfr-from-differences was set. [RT #21595]
+2949. [bug] dns_view_setnewzones() contained a memory leak if
+ it was called multiple times. [RT #21942]
+
+2948. [port] MacOS: provide a mechanism to configure the test
+ interfaces at reboot. See bin/tests/system/README
+ for details.
+
+2947. [placeholder]
+
2946. [doc] Document the default values for the minimum and maximum
zone refresh and retry values in the ARM. [RT #21886]
@@ -657,12 +1099,59 @@
2944. [maint] Remove ORCHID prefix from built in empty zones.
[RT #21772]
+2943. [func] Add support to load new keys into managed zones
+ without signing immediately with "rndc loadkeys".
+ Add support to link keys with "dnssec-keygen -S"
+ and "dnssec-settime -S". [RT #21351]
+
2942. [contrib] zone2sqlite failed to setup the entropy sources.
[RT #21610]
2941. [bug] sdb and sdlz (dlz's zone database) failed to support
DNAME at the zone apex. [RT #21610]
+2940. [port] Remove connection aborted error message on
+ Windows. [RT #21549]
+
+2939. [func] Check that named successfully skips NSEC3 records
+ that fail to match the NSEC3PARAM record currently
+ in use. [RT# 21868]
+
+2938. [bug] When generating signed responses, from a signed zone
+ that uses NSEC3, named would use a uninitialised
+ pointer if it needed to skip a NSEC3 record because
+ it didn't match the selected NSEC3PARAM record for
+ zone. [RT# 21868]
+
+2937. [bug] Worked around an apparent race condition in over
+ memory conditions. Without this fix a DNS cache DB or
+ ADB could incorrectly stay in an over memory state,
+ effectively refusing further caching, which
+ subsequently made a BIND 9 caching server unworkable.
+ This fix prevents this problem from happening by
+ polling the state of the memory context, rather than
+ making a copy of the state, which appeared to cause
+ a race. This is a "workaround" in that it doesn't
+ solve the possible race per se, but several experiments
+ proved this change solves the symptom. Also, the
+ polling overhead hasn't been reported to be an issue.
+ This bug should only affect a caching server that
+ specifies a finite max-cache-size. It's also quite
+ likely that the bug happens only when enabling threads,
+ but it's not confirmed yet. [RT #21818]
+
+2936. [func] Improved configuration syntax and multiple-view
+ support for addzone/delzone feature (see change
+ #2930). Removed "new-zone-file" option, replaced
+ with "allow-new-zones (yes|no)". The new-zone-file
+ for each view is now created automatically, with
+ a filename generated from a hash of the view name.
+ It is no longer necessary to "include" the
+ new-zone-file in named.conf; this happens
+ automatically. Zones that were not added via
+ "rndc addzone" can no longer be removed with
+ "rndc delzone". [RT #19447]
+
2935. [bug] nsupdate: improve 'file not found' error message.
[RT #21871]
@@ -683,6 +1172,17 @@
revisit the issue and complete the fix later.
[RT #21710]
+2930. [experimental] New "rndc addzone" and "rndc delzone" commads
+ allow dynamic addition and deletion of zones.
+ To enable this feature, specify a "new-zone-file"
+ option at the view or options level in named.conf.
+ Zone configuration information for the new zones
+ will be written into that file. To make the new
+ zones persist after a restart, "include" the file
+ into named.conf in the appropriate view. (Note:
+ This feature is not yet documented, and its syntax
+ is expected to change.) [RT #19447]
+
2929. [bug] Improved handling of GSS security contexts:
- added LRU expiration for generated TSIGs
- added the ability to use a non-default realm
@@ -692,19 +1192,49 @@
smaller)
[RT #19737]
+2928. [bug] Be more selective about the non-authoritative
+ answer we apply change 2748 to. [RT #21594]
+
+2927. [placeholder]
+
+2926. [placeholder]
+
+2925. [bug] Named failed to accept uncachable negative responses
+ from insecure zones. [RT# 21555]
+
+2924. [func] 'rndc secroots' dump a combined summary of the
+ current managed keys combined with trusted keys.
+ [RT #20904]
+
2923. [bug] 'dig +trace' could drop core after "connection
timeout". [RT #21514]
2922. [contrib] Update zkt to version 1.0.
+2921. [bug] The resolver could attempt to destroy a fetch context
+ too soon. [RT #19878]
+
+2920. [func] Allow 'filter-aaaa-on-v4' to be applied selectively
+ to IPv4 clients. New acl 'filter-aaaa' (default any).
+
+2919. [func] Add autosign-ksk and autosign-zsk virtual time tests.
+ [RT #20840]
+
2918. [maint] Add AAAA address for I.ROOT-SERVERS.NET.
+2917. [func] Virtual time test framework. [RT #20801]
+
2916. [func] Add framework to use IPv6 in tests.
fd92:7065:b8e:ffff::1 ... fd92:7065:b8e:ffff::7
2915. [cleanup] Be smarter about which objects we attempt to compile
based on configure options. [RT #21444]
+2914. [bug] Make the "autosign" system test more portable.
+ [RT #20997]
+
+2913. [func] Add pkcs#11 system tests. [RT #20784]
+
2912. [func] Windows clients don't like UPDATE responses that clear
the zone section. [RT #20986]
@@ -713,9 +1243,17 @@
2910. [func] Sanity check Kerberos credentials. [RT #20986]
+2909. [bug] named-checkconf -p could die if "update-policy local;"
+ was specified in named.conf. [RT #21416]
+
2908. [bug] It was possible for re-signing to stop after removing
a DNSKEY. [RT #21384]
+2907. [bug] The export version of libdns had undefined references.
+ [RT #21444]
+
+2906. [bug] Address RFC 5011 implementation issues. [RT #20903]
+
2905. [port] aix: set use_atomic=yes with native compiler.
[RT #21402]
@@ -724,23 +1262,55 @@
secure leading to negative proofs failing. This was
a unintended outcome from change 2890. [RT# 21392]
+2903. [bug] managed-keys-directory missing from namedconf.c.
+ [RT #21370]
+
+2902. [func] Add regression test for change 2897. [RT #21040]
+
2901. [port] Use AC_C_FLEXIBLE_ARRAY_MEMBER. [RT #21316]
+2900. [bug] The placeholder negative caching element was not
+ properly constructed triggering a INSIST in
+ dns_ncache_towire(). [RT #21346]
+
2899. [port] win32: Support linking against OpenSSL 1.0.0.
2898. [bug] nslookup leaked memory when -domain=value was
specified. [RT #21301]
+2897. [bug] NSEC3 chains could be left behind when transitioning
+ to insecure. [RT #21040]
+
+2896. [bug] "rndc sign" failed to properly update the zone
+ when adding a DNSKEY for publication only. [RT #21045]
+
+2895. [func] genrandom: add support for the generation of multiple
+ files. [RT #20917]
+
2894. [contrib] DLZ LDAP support now use '$' not '%'. [RT #21294]
+2893. [bug] Improve managed keys support. New named.conf option
+ managed-keys-directory. [RT #20924]
+
+2892. [bug] Handle REVOKED keys better. [RT #20961]
+
2891. [maint] Update empty-zones list to match
draft-ietf-dnsop-default-local-zones-13. [RT# 21099]
+2890. [bug] Handle the introduction of new trusted-keys and
+ DS, DLV RRsets better. [RT #21097]
+
2889. [bug] Elements of the grammar where not properly reported.
[RT #21046]
2888. [bug] Only the first EDNS option was displayed. [RT #21273]
+2887. [bug] Report the keytag times in UTC in the .key file,
+ local time is presented as a comment within the
+ comment. [RT #21223]
+
+2886. [bug] ctime() is not thread safe. [RT #21223]
+
2885. [bug] Improve -fno-strict-aliasing support probing in
configure. [RT #21080]
@@ -756,12 +1326,21 @@
2881. [bug] Reduce the amount of time the rbtdb write lock
is held when closing a version. [RT #21198]
+2880. [cleanup] Make the output of dnssec-keygen and dnssec-revoke
+ consistent. [RT #21078]
+
2879. [contrib] DLZ bdbhpt driver fails to close correct cursor.
[RT #21106]
+2878. [func] Incrementally write the master file after performing
+ a AXFR. [RT #21010]
+
2877. [bug] The validator failed to skip obviously mismatching
RRSIGs. [RT #21138]
+2876. [bug] Named could return SERVFAIL for negative responses
+ from unsigned zones. [RT #21131]
+
2875. [bug] dns_time64_fromtext() could accept non digits.
[RT #21033]
@@ -769,8 +1348,22 @@
successfully responds to the query using plain DNS.
[RT #20930]
+2873. [bug] Cancelling a dynamic update via the dns/client module
+ could trigger an assertion failure. [RT #21133]
+
+2872. [bug] Modify dns/client.c:dns_client_createx() to only
+ require one of IPv4 or IPv6 rather than both.
+ [RT #21122]
+
+2871. [bug] Type mismatch in mem_api.c between the definition and
+ the header file, causing build failure with
+ --enable-exportlib. [RT #21138]
+
2870. [maint] Add AAAA address for L.ROOT-SERVERS.NET.
+2869. [bug] Fix arguments to dns_keytable_findnextkeynode() call.
+ [RT #20877]
+
2868. [cleanup] Run "make clean" at the end of configure to ensure
any changes made by configure are integrated.
Use --with-make-clean=no to disable. [RT #20994]
@@ -792,6 +1385,11 @@
2862. [bug] nsupdate didn't default to the parent zone when
updating DS records. [RT #20896]
+2861. [doc] dnssec-settime man pages didn't correctly document the
+ inactivation time. [RT #21039]
+
+2860. [bug] named-checkconf's usage was out of date. [RT #21039]
+
2859. [bug] When cancelling validation it was possible to leak
memory. [RT #20800]
@@ -804,173 +1402,244 @@
2856. [bug] The size of a memory allocation was not always properly
recorded. [RT #20927]
-2853. [bug] add_sigs() could run out of scratch space. [RT #21015]
-
-2851. [doc] nslookup.1, removed <informalexample> from the docbook
- source as it produced bad nroff. [RT #21007]
-
- --- 9.6-ESV-R3 released ---
-
-2972. [bug] win32: address windows socket errors. [RT #21906]
-
-2971. [bug] Fixed a bug that caused journal files not to be
- compacted on Windows systems as a result of
- non-POSIX-compliant rename() semantics. [RT #22434]
-
-2970. [security] Adding a NO DATA negative cache entry failed to clear
- any matching RRSIG records. A subsequent lookup of
- of NO DATA cache entry could trigger a INSIST when the
- unexpected RRSIG was also returned with the NO DATA
- cache entry.
-
- CVE-2010-3613, VU#706148. [RT #22288]
-
-2969. [security] Fix acl type processing so that allow-query works
- in options and view statements. Also add a new
- set of tests to verify proper functioning.
-
- CVE-2010-3615, VU#510208. [RT #22418]
-
-2968. [security] Named could fail to prove a data set was insecure
- before marking it as insecure. One set of conditions
- that can trigger this occurs naturally when rolling
- DNSKEY algorithms.
-
- CVE-2010-3614, VU#837744. [RT #22309]
+2855. [func] nsupdate will now preserve the entered case of domain
+ names in update requests it sends. [RT #20928]
-2967. [bug] 'host -D' now turns on debugging messages earlier.
- [RT #22361]
-
-2966. [bug] isc_print_vsnprintf() failed to check if there was
- space available in the buffer when adding a left
- justified character with a non zero width,
- (e.g. "%-1c"). [RT #22270]
-
-2964. [bug] view->queryacl was being overloaded. Seperate the
- usage into view->queryacl, view->cacheacl and
- view->queryonacl. [RT #22114]
-
-2962. [port] win32: add more dependencies to BINDBuild.dsw.
- [RT #22062]
+2854. [func] dig: allow the final soa record in a axfr response to
+ be suppressed, dig +onesoa. [RT #20929]
-2952. [port] win32: named-checkzone and named-checkconf failed
- to initialise winsock. [RT #21932]
+2853. [bug] add_sigs() could run out of scratch space. [RT #21015]
-2951. [bug] named failed to generate a correct signed response
- in a optout, delegation only zone with no secure
- delegations. [RT #22007]
+2852. [bug] Handle broken DNSSEC trust chains better. [RT #15619]
- --- 9.6-ESV-R2 released ---
+2851. [doc] nslookup.1, removed <informalexample> from the docbook
+ source as it produced bad nroff. [RT #21007]
-2939. [func] Check that named successfully skips NSEC3 records
- that fail to match the NSEC3PARAM record currently
- in use. [RT# 21868]
+2850. [bug] If isc_heap_insert() failed due to memory shortage
+ the heap would have corrupted entries. [RT #20951]
-2937. [bug] Worked around an apparent race condition in over
- memory conditions. Without this fix a DNS cache DB or
- ADB could incorrectly stay in an over memory state,
- effectively refusing further caching, which
- subsequently made a BIND 9 caching server unworkable.
- This fix prevents this problem from happening by
- polling the state of the memory context, rather than
- making a copy of the state, which appeared to cause
- a race. This is a "workaround" in that it doesn't
- solve the possible race per se, but several experiments
- proved this change solves the symptom. Also, the
- polling overhead hasn't been reported to be an issue.
- This bug should only affect a caching server that
- specifies a finite max-cache-size. It's also quite
- likely that the bug happens only when enabling threads,
- but it's not confirmed yet. [RT #21818]
+2849. [bug] Don't treat errors from the xml2 library as fatal.
+ [RT #20945]
-2925. [bug] Named failed to accept uncachable negative responses
- from insecure zones. [RT# 21555]
+2848. [doc] Moved README.dnssec, README.libdns, README.pkcs11 and
+ README.rfc5011 into the ARM. [RT #20899]
-2921. [bug] The resolver could attempt to destroy a fetch context
- too soon. [RT #19878]
+2847. [cleanup] Corrected usage message in dnssec-settime. [RT #20921]
-2900. [bug] The placeholder negative caching element was not
- properly constructed triggering a INSIST in
- dns_ncache_towire(). [RT #21346]
+2846. [bug] EOF on unix domain sockets was not being handled
+ correctly. [RT #20731]
-2890. [bug] Handle the introduction of new trusted-keys and
- DS, DLV RRsets better. [RT #21097]
+2845. [bug] RFC 5011 client could crash on shutdown. [RT #20903]
-2869. [bug] Fix arguments to dns_keytable_findnextkeynode() call.
- [RT #20877]
+2844. [doc] notify-delay default in ARM was wrong. It should have
+ been five (5) seconds.
- --- 9.6-ESV-R1 released ---
+2843. [func] Prevent dnssec-keygen and dnssec-keyfromlabel from
+ creating key files if there is a chance that the new
+ key ID will collide with an existing one after
+ either of the keys has been revoked. (To override
+ this in the case of dnssec-keyfromlabel, use the -y
+ option. dnssec-keygen will simply create a
+ different, non-colliding key, so an override is
+ not necessary.) [RT #20838]
-2876. [bug] Named could return SERVFAIL for negative responses
- from unsigned zones. [RT #21131]
+2842. [func] Added "smartsign" and improved "autosign" and
+ "dnssec" regression tests. [RT #20865]
- --- 9.6-ESV released ---
+2841. [bug] Change 2836 was not complete. [RT #20883]
-2852. [bug] Handle broken DNSSEC trust chains better. [RT #15619]
+2840. [bug] Temporary fixed pkcs11-destroy usage check.
+ [RT #20760]
- --- 9.6.2 released ---
+2839. [bug] A KSK revoked by named could not be deleted.
+ [RT #20881]
-2850. [bug] If isc_heap_insert() failed due to memory shortage
- the heap would have corrupted entries. [RT #20951]
+2838. [placeholder]
-2849. [bug] Don't treat errors from the xml2 library as fatal.
- [RT #20945]
+2837. [port] Prevent Linux spurious warnings about fwrite().
+ [RT #20812]
-2846. [bug] EOF on unix domain sockets was not being handled
- correctly. [RT #20731]
+2836. [bug] Keys that were scheduled to become active could
+ be delayed. [RT #20874]
-2844. [doc] notify-delay default in ARM was wrong. It should have
- been five (5) seconds.
+2835. [bug] Key inactivity dates were inadvertently stored in
+ the private key file with the outdated tag
+ "Unpublish" rather than "Inactive". This has been
+ fixed; however, any existing keys that had Inactive
+ dates set will now need to have them reset, using
+ 'dnssec-settime -I'. [RT #20868]
- --- 9.6.2rc1 released ---
+2834. [bug] HMAC-SHA* keys that were longer than the algorithm
+ digest length were used incorrectly, leading to
+ interoperability problems with other DNS
+ implementations. This has been corrected.
+ (Note: If an oversize key is in use, and
+ compatibility is needed with an older release of
+ BIND, the new tool "isc-hmac-fixup" can convert
+ the key secret to a form that will work with all
+ versions.) [RT #20751]
-2838. [func] Backport support for SHA-2 DNSSEC algorithms,
- RSASHA256 and RSASHA512, from BIND 9.7. (This
- incorporates changes 2726 and 2738 from that
- release branch.) [RT #20871]
+2833. [cleanup] Fix usage messages in dnssec-keygen and dnssec-settime.
+ [RT #20851]
-2837. [port] Prevent Linux spurious warnings about fwrite().
- [RT #20812]
+2832. [bug] Modify "struct stat" in lib/export/samples/nsprobe.c
+ to avoid redefinition in some OSs [RT 20831]
2831. [security] Do not attempt to validate or cache
out-of-bailiwick data returned with a secure
answer; it must be re-fetched from its original
source and validated in that context. [RT #20819]
+2830. [bug] Changing the OPTOUT setting could take multiple
+ passes. [RT #20813]
+
+2829. [bug] Fixed potential node inconsistency in rbtdb.c.
+ [RT #20808]
+
2828. [security] Cached CNAME or DNAME RR could be returned to clients
without DNSSEC validation. [RT #20737]
2827. [security] Bogus NXDOMAIN could be cached as if valid. [RT #20712]
+2826. [bug] NSEC3->NSEC transitions could fail due to a lock not
+ being released. [RT #20740]
+
2825. [bug] Changing the setting of OPTOUT in a NSEC3 chain that
was in the process of being created was not properly
recorded in the zone. [RT #20786]
+2824. [bug] "rndc sign" was not being run by the correct task.
+ [RT #20759]
+
2823. [bug] rbtdb.c:getsigningtime() was missing locks. [RT #20781]
+2822. [bug] rbtdb.c:loadnode() could return the wrong result.
+ [RT #20802]
+
+2821. [doc] Add note that named-checkconf doesn't automatically
+ read rndc.key and bind.keys [RT #20758]
+
+2820. [func] Handle read access failure of OpenSSL configuration
+ file more user friendly (PKCS#11 engine patch).
+ [RT #20668]
+
2819. [cleanup] Removed unnecessary DNS_POINTER_MAXHOPS define.
[RT #20771]
2818. [cleanup] rndc could return an incorrect error code
when a zone was not found. [RT #20767]
+2817. [cleanup] Removed unnecessary isc_task_endexclusive() calls.
+ [RT #20768]
+
+2816. [bug] previous_closest_nsec() could fail to return
+ data for NSEC3 nodes [RT #29730]
+
2815. [bug] Exclusively lock the task when freezing a zone.
[RT #19838]
2814. [func] Provide a definitive error message when a master
zone is not loaded. [RT #20757]
- --- 9.6.2b1 released ---
+2813. [bug] Better handling of unreadable DNSSEC key files.
+ [RT #20710]
+
+2812. [bug] Make sure updates can't result in a zone with
+ NSEC-only keys and NSEC3 records. [RT #20748]
+
+2811. [cleanup] Add "rndc sign" to list of commands in rndc usage
+ output. [RT #20733]
+
+2810. [doc] Clarified the process of transitioning an NSEC3 zone
+ to insecure. [RT #20746]
+
+2809. [cleanup] Restored accidentally-deleted text in usage output
+ in dnssec-settime and dnssec-revoke [RT #20739]
+
+2808. [bug] Remove the attempt to install atomic.h from lib/isc.
+ atomic.h is correctly installed by the architecture
+ specific subdirectories. [RT #20722]
+
+2807. [bug] Fixed a possible ASSERT when reconfiguring zone
+ keys. [RT #20720]
+
+ --- 9.7.0rc1 released ---
+
+2806. [bug] "rdnc sign" could delay re-signing the DNSKEY
+ when it had changed. [RT #20703]
+
+2805. [bug] Fixed namespace problems encountered when building
+ external programs using non-exported BIND9 libraries
+ (i.e., built without --enable-exportlib). [RT #20679]
+
+2804. [bug] Send notifies when a zone is signed with "rndc sign"
+ or as a result of a scheduled key change. [RT #20700]
+
+2803. [port] win32: Install named-journalprint, nsec3hash, arpaname
+ and genrandom under windows. [RT #20670]
+
+2802. [cleanup] Rename journalprint to named-journalprint. [RT #20670]
+
+2801. [func] Detect and report records that are different according
+ to DNSSEC but are semantically equal according to plain
+ DNS. Apply plain DNS comparisons rather than DNSSEC
+ comparisons when processing UPDATE requests.
+ dnssec-signzone now removes such semantically duplicate
+ records prior to signing the RRset.
+
+ named-checkzone -r {ignore|warn|fail} (default warn)
+ named-compilezone -r {ignore|warn|fail} (default warn)
+
+ named.conf: check-dup-records {ignore|warn|fail};
+
+2800. [func] Reject zones which have NS records which refer to
+ CNAMEs, DNAMEs or don't have address record (class IN
+ only). Reject UPDATEs which would cause the zone
+ to fail the above checks if committed. [RT #20678]
+
+2799. [cleanup] Changed the "secure-to-insecure" option to
+ "dnssec-secure-to-insecure", and "dnskey-ksk-only"
+ to "dnssec-dnskey-kskonly", for clarity. [RT #20586]
+
+2798. [bug] Addressed bugs in managed-keys initialization
+ and rollover. [RT #20683]
2797. [bug] Don't decrement the dispatch manager's maxbuffers.
[RT #20613]
+2796. [bug] Missing dns_rdataset_disassociate() call in
+ dns_nsec3_delnsec3sx(). [RT #20681]
+
+2795. [cleanup] Add text to differentiate "update with no effect"
+ log messages. [RT #18889]
+
+2794. [bug] Install <isc/namespace.h>. [RT #20677]
+
+2793. [func] Add "autosign" and "metadata" tests to the
+ automatic tests. [RT #19946]
+
+2792. [func] "filter-aaaa-on-v4" can now be set in view
+ options (if compiled in). [RT #20635]
+
+2791. [bug] The installation of isc-config.sh was broken.
+ [RT #20667]
+
2790. [bug] Handle DS queries to stub zones. [RT #20440]
2789. [bug] Fixed an INSIST in dispatch.c [RT #20576]
+2788. [bug] dnssec-signzone could sign with keys that were
+ not requested [RT #20625]
+
+2787. [bug] Spurious log message when zone keys were
+ dynamically reconfigured. [RT #20659]
+
2786. [bug] Additional could be promoted to answer. [RT #20663]
+ --- 9.7.0b3 released ---
+
+2785. [bug] Revoked keys could fail to self-sign [RT #20652]
+
2784. [bug] TC was not always being set when required glue was
dropped. [RT #20655]
@@ -980,15 +1649,65 @@
2782. [port] win32: use getaddrinfo() for hostname lookups.
[RT #20650]
+2781. [bug] Inactive keys could be used for signing. [RT #20649]
+
+2780. [bug] dnssec-keygen -A none didn't properly unset the
+ activation date in all cases. [RT #20648]
+
+2779. [bug] Dynamic key revocation could fail. [RT #20644]
+
+2778. [bug] dnssec-signzone could fail when a key was revoked
+ without deleting the unrevoked version. [RT #20638]
+
2777. [contrib] DLZ MYSQL auto reconnect support discovery was wrong.
+2776. [bug] Change #2762 was not correct. [RT #20647]
+
+2775. [bug] Accept RSASHA256 and RSASHA512 as NSEC3 compatible
+ in dnssec-keyfromlabel. [RT #20643]
+
+2774. [bug] Existing cache DB wasn't being reused after
+ reconfiguration. [RT #20629]
+
+2773. [bug] In autosigned zones, the SOA could be signed
+ with the KSK. [RT #20628]
+
2772. [security] When validating, track whether pending data was from
the additional section or not and only return it if
validates as secure. [RT #20438]
+2771. [bug] dnssec-signzone: DNSKEY records could be
+ corrupted when importing from key files [RT #20624]
+
+2770. [cleanup] Add log messages to resolver.c to indicate events
+ causing FORMERR responses. [RT #20526]
+
+2769. [cleanup] Change #2742 was incomplete. [RT #19589]
+
+2768. [bug] dnssec-signzone: -S no longer implies -g [RT #20568]
+
+2767. [bug] named could crash on startup if a zone was
+ configured with auto-dnssec and there was no
+ key-directory. [RT #20615]
+
+2766. [bug] isc_socket_fdwatchpoke() should only update the
+ socketmgr state if the socket is not pending on a
+ read or write. [RT #20603]
+
2765. [bug] Skip masters for which the TSIG key cannot be found.
[RT #20595]
+2764. [bug] "rndc-confgen -a" could trigger a REQUIRE. [RT #20610]
+
+2763. [bug] "rndc sign" didn't create an NSEC chain. [RT #20591]
+
+2762. [bug] DLV validation failed with a local slave DLV zone.
+ [RT #20577]
+
+2761. [cleanup] Enable internal symbol table for backtrace only for
+ systems that are known to work. Currently, BSD
+ variants, Linux and Solaris are supported. [RT# 20202]
+
2760. [cleanup] Corrected named-compilezone usage summary. [RT #20533]
2759. [doc] Add information about .jbk/.jnw files to
@@ -1001,27 +1720,115 @@
2757. [bug] dig: assertion failure could occur in connect
timeout. [RT #20599]
-2755. [doc] Clarify documentation of keyset- files in
- dnssec-signzone man page. [RT #19810]
+2756. [bug] Fixed corrupt logfile message in update.c. [RT# 20597]
+
+2755. [placeholder]
2754. [bug] Secure-to-insecure transitions failed when zone
was signed with NSEC3. [RT #20587]
+2753. [bug] Removed an unnecessary warning that could appear when
+ building an NSEC chain. [RT #20589]
+
+2752. [bug] Locking violation. [RT #20587]
+
+2751. [bug] Fixed a memory leak in dnssec-keyfromlabel. [RT #20588]
+
2750. [bug] dig: assertion failure could occur when a server
didn't have an address. [RT #20579]
2749. [bug] ixfr-from-differences generated a non-minimal ixfr
for NSEC3 signed zones. [RT #20452]
+2748. [func] Identify bad answers from GTLD servers and treat them
+ as referrals. [RT #18884]
+
2747. [bug] Journal roll forwards failed to set the re-signing
time of RRSIGs correctly. [RT #20541]
+2746. [port] hpux: address signed/unsigned expansion mismatch of
+ dns_rbtnode_t.nsec. [RT #20542]
+
+2745. [bug] configure script didn't probe the return type of
+ gai_strerror(3) correctly. [RT #20573]
+
+2744. [func] Log if a query was over TCP. [RT #19961]
+
2743. [bug] RRSIG could be incorrectly set in the NSEC3 record
for a insecure delegation.
+ --- 9.7.0b2 released ---
+
+2742. [cleanup] Clarify some DNSSEC-related log messages in
+ validator.c. [RT #19589]
+
+2741. [func] Allow the dnssec-keygen progress messages to be
+ suppressed (dnssec-keygen -q). Automatically
+ suppress the progress messages when stdin is not
+ a tty. [RT #20474]
+
+2740. [placeholder]
+
+2739. [cleanup] Clean up API for initializing and clearing trust
+ anchors for a view. [RT #20211]
+
+2738. [func] Add RSASHA256 and RSASHA512 tests to the dnssec system
+ test. [RT #20453]
+
+2737. [func] UPDATE requests can leak existence information.
+ [RT #17261]
+
+2736. [func] Improve the performance of NSEC signed zones with
+ more than a normal amount of glue below a delegation.
+ [RT #20191]
+
+2735. [bug] dnssec-signzone could fail to read keys
+ that were specified on the command line with
+ full paths, but weren't in the current
+ directory. [RT #20421]
+
+2734. [port] cygwin: arpaname did not compile. [RT #20473]
+
+2733. [cleanup] Clean up coding style in pkcs11-* tools. [RT #20355]
+
+2732. [func] Add optional filter-aaaa-on-v4 option, available
+ if built with './configure --enable-filter-aaaa'.
+ Filters out AAAA answers to clients connecting
+ via IPv4. (This is NOT recommended for general
+ use.) [RT #20339]
+
+2731. [func] Additional work on change 2709. The key parser
+ will now ignore unrecognized fields when the
+ minor version number of the private key format
+ has been increased. It will reject any key with
+ the major version number increased. [RT #20310]
+
+2730. [func] Have dnssec-keygen display a progress indication
+ a la 'openssl genrsa' on standard error. Note
+ when the first '.' is followed by a long stop
+ one has the choice between slow generation vs.
+ poor random quality, i.e., '-r /dev/urandom'.
+ [RT #20284]
+
2729. [func] When constructing a CNAME from a DNAME use the DNAME
TTL. [RT #20451]
+2728. [bug] dnssec-keygen, dnssec-keyfromlabel and
+ dnssec-signzone now warn immediately if asked to
+ write into a nonexistent directory. [RT #20278]
+
+2727. [func] The 'key-directory' option can now specify a relative
+ path. [RT #20154]
+
+2726. [func] Added support for SHA-2 DNSSEC algorithms,
+ RSASHA256 and RSASHA512. [RT #20023]
+
+2725. [doc] Added information about the file "managed-keys.bind"
+ to the ARM. [RT #20235]
+
+2724. [bug] Updates to a existing node in secure zone using NSEC
+ were failing. [RT #20448]
+
2723. [bug] isc_base32_totext(), isc_base32hex_totext(), and
isc_base64_totext(), didn't always mark regions of
memory as fully consumed after conversion. [RT #20445]
@@ -1033,11 +1840,24 @@
2721. [port] Have dst__entropy_status() prime the random number
generator. [RT #20369]
+2720. [bug] RFC 5011 trust anchor updates could trigger an
+ assert if the DNSKEY record was unsigned. [RT #20406]
+
+2719. [func] Skip trusted/managed keys for unsupported algorithms.
+ [RT #20392]
+
2718. [bug] The space calculations in opensslrsa_todns() were
incorrect. [RT #20394]
+2717. [bug] named failed to update the NSEC/NSEC3 record when
+ the last private type record was removed as a result
+ of completing the signing the zone with a key.
+ [RT #20399]
+
2716. [bug] nslookup debug mode didn't return the ttl. [RT #20414]
+ --- 9.7.0b1 released ---
+
2715. [bug] Require OpenSSL support to be explicitly disabled.
[RT #20288]
@@ -1047,19 +1867,63 @@
2713. [bug] powerpc: atomic operations missing asm("ics") /
__isync() calls.
+2712. [func] New 'auto-dnssec' zone option allows zone signing
+ to be fully automated in zones configured for
+ dynamic DNS. 'auto-dnssec allow;' permits a zone
+ to be signed by creating keys for it in the
+ key-directory and using 'rndc sign <zone>'.
+ 'auto-dnssec maintain;' allows that too, plus it
+ also keeps the zone's DNSSEC keys up to date
+ according to their timing metadata. [RT #19943]
+
+2711. [port] win32: Add the bin/pkcs11 tools into the full
+ build. [RT #20372]
+
+2710. [func] New 'dnssec-signzone -x' flag and 'dnskey-ksk-only'
+ zone option cause a zone to be signed with only KSKs
+ signing the DNSKEY RRset, not ZSKs. This reduces
+ the size of a DNSKEY answer. [RT #20340]
+
+2709. [func] Added some data fields, currently unused, to the
+ private key file format, to allow implementation
+ of explicit key rollover in a future release
+ without impairing backward or forward compatibility.
+ [RT #20310]
+
+2708. [func] Insecure to secure and NSEC3 parameter changes via
+ update are now fully supported and no longer require
+ defines to enable. We now no longer overload the
+ NSEC3PARAM flag field, nor the NSEC OPT bit at the
+ apex. Secure to insecure changes are controlled by
+ by the named.conf option 'secure-to-insecure'.
+
+ Warning: If you had previously enabled support by
+ adding defines at compile time to BIND 9.6 you should
+ ensure that all changes that are in progress have
+ completed prior to upgrading to BIND 9.7. BIND 9.7
+ is not backwards compatible.
+
+2707. [func] dnssec-keyfromlabel no longer require engine name
+ to be specified in the label if there is a default
+ engine or the -E option has been used. Also, it
+ now uses default algorithms as dnssec-keygen does
+ (i.e., RSASHA1, or NSEC3RSASHA1 if -3 is used).
+ [RT #20371]
+
2706. [bug] Loading a zone with a very large NSEC3 salt could
trigger an assert. [RT #20368]
-2705. [bug] Reconcile the XML stats version number with a later
- BIND9 release, by adding a "name" attribute to
- "cache" elements and increasing the version number
- to 2.2. (This is a minor version change, but may
- affect XML parsers if they assume the cache element
- doesn't take an attribute.)
+2705. [placeholder]
2704. [bug] Serial of dynamic and stub zones could be inconsistent
with their SOA serial. [RT #19387]
+2703. [func] Introduce an OpenSSL "engine" argument with -E
+ for all binaries which can take benefit of
+ crypto hardware. [RT #20230]
+
+2702. [func] Update PKCS#11 tools (bin/pkcs11) [RT #20225 & all]
+
2701. [doc] Correction to ARM: hmac-md5 is no longer the only
supported TSIG key algorithm. [RT #18046]
@@ -1068,6 +1932,8 @@
2699. [bug] Missing lock in rbtdb.c. [RT #20037]
+2698. [placeholder]
+
2697. [port] win32: ensure that S_IFMT, S_IFDIR, S_IFCHR and
S_IFREG are defined after including <isc/stat.h>.
[RT #20309]
@@ -1075,8 +1941,25 @@
2696. [bug] named failed to successfully process some valid
acl constructs. [RT #20308]
+2695. [func] DHCP/DDNS - update fdwatch code for use by
+ DHCP. Modify the api to isc_sockfdwatch_t (the
+ callback functon for isc_socket_fdwatchcreate)
+ to include information about the direction (read
+ or write) and add isc_socket_fdwatchpoke.
+ [RT #20253]
+
+2694. [bug] Reduce default NSEC3 iterations from 100 to 10.
+ [RT #19970]
+
+2693. [port] Add some noreturn attributes. [RT #20257]
+
2692. [port] win32: 32/64 bit cleanups. [RT #20335]
+2691. [func] dnssec-signzone: retain the existing NSEC or NSEC3
+ chain when re-signing a previously-signed zone.
+ Use -u to modify NSEC3 parameters or switch
+ between NSEC and NSEC3. [RT #20304]
+
2690. [bug] win32: fix isc_thread_key_getspecific() prototype.
[RT #20315]
@@ -1085,25 +1968,102 @@
2688. [bug] Use INTERFACE_F_POINTTOPOINT, not IFF_POINTOPOINT,
to decide to fetch the destination address. [RT #20305]
+2687. [bug] Fixed dnssec-signzone -S handling of revoked keys.
+ Also, added warnings when revoking a ZSK, as this is
+ not defined by protocol (but is legal). [RT #19943]
+
2686. [bug] dnssec-signzone should clean the old NSEC chain when
signing with NSEC3 and vice versa. [RT #20301]
+2685. [contrib] Update contrib/zkt to version 0.99c. [RT #20054]
+
+2684. [cleanup] dig: formalize +ad and +cd as synonyms for
+ +adflag and +cdflag. [RT #19305]
+
2683. [bug] dnssec-signzone should clean out old NSEC3 chains when
the NSEC3 parameters used to sign the zone change.
[RT #20246]
+2682. [bug] "configure --enable-symtable=all" failed to
+ build. [RT #20282]
+
2681. [bug] IPSECKEY RR of gateway type 3 was not correctly
decoded. [RT #20269]
+2680. [func] Move contrib/pkcs11-keygen to bin/pkcs11. [RT #20067]
+
+2679. [func] dig -k can now accept TSIG keys in named.conf
+ format. [RT #20031]
+
2678. [func] Treat DS queries as if "minimal-response yes;"
was set. [RT #20258]
+2677. [func] Changes to key metadata behavior:
+ - Keys without "publish" or "active" dates set will
+ no longer be used for smart signing. However,
+ those dates will be set to "now" by default when
+ a key is created; to generate a key but not use
+ it yet, use dnssec-keygen -G.
+ - New "inactive" date (dnssec-keygen/settime -I)
+ sets the time when a key is no longer used for
+ signing but is still published.
+ - The "unpublished" date (-U) is deprecated in
+ favour of "deleted" (-D).
+ [RT #20247]
+
+2676. [bug] --with-export-installdir should have been
+ --with-export-includedir. [RT #20252]
+
+2675. [bug] dnssec-signzone could crash if the key directory
+ did not exist. [RT #20232]
+
+ --- 9.7.0a3 released ---
+
+2674. [bug] "dnssec-lookaside auto;" crashed if named was built
+ without openssl. [RT #20231]
+
+2673. [bug] The managed-keys.bind zone file could fail to
+ load due to a spurious result from sync_keyzone()
+ [RT #20045]
+
2672. [bug] Don't enable searching in 'host' when doing reverse
lookups. [RT #20218]
+2671. [bug] Add support for PKCS#11 providers not returning
+ the public exponent in RSA private keys
+ (OpenCryptoki for instance) in
+ dnssec-keyfromlabel. [RT #19294]
+
2670. [bug] Unexpected connect failures failed to log enough
information to be useful. [RT #20205]
+2669. [func] Update PKCS#11 support to support Keyper HSM.
+ Update PKCS#11 patch to be against openssl-0.9.8i.
+
+2668. [func] Several improvements to dnssec-* tools, including:
+ - dnssec-keygen and dnssec-settime can now set key
+ metadata fields 0 (to unset a value, use "none")
+ - dnssec-revoke sets the revocation date in
+ addition to the revoke bit
+ - dnssec-settime can now print individual metadata
+ fields instead of always printing all of them,
+ and can print them in unix epoch time format for
+ use by scripts
+ [RT #19942]
+
+2667. [func] Add support for logging stack backtrace on assertion
+ failure (not available for all platforms). [RT #19780]
+
+2666. [func] Added an 'options' argument to dns_name_fromstring()
+ (API change from 9.7.0a2). [RT #20196]
+
+2665. [func] Clarify syntax for managed-keys {} statement, add
+ ARM documentation about RFC 5011 support. [RT #19874]
+
+2664. [bug] create_keydata() and minimal_update() in zone.c
+ didn't properly check return values for some
+ functions. [RT #19956]
+
2663. [func] win32: allow named to run as a service using
"NT AUTHORITY\LocalService" as the account. [RT #19977]
@@ -1114,19 +2074,40 @@
2661. [bug] Check whether socket fd exceeds FD_SETSIZE when
creating lwres context. [RT #20029]
+2660. [func] Add a new set of DNS libraries for non-BIND9
+ applications. See README.libdns. [RT #19369]
+
2659. [doc] Clarify dnssec-keygen doc: key name must match zone
name for DNSSEC keys. [RT #19938]
+2658. [bug] dnssec-settime and dnssec-revoke didn't process
+ key file paths correctly. [RT #20078]
+
+2657. [cleanup] Lower "journal file <path> does not exist, creating it"
+ log level to debug 1. [RT #20058]
+
2656. [func] win32: add a "tools only" check box to the installer
which causes it to only install dig, host, nslookup,
nsupdate and relevant DLLs. [RT #19998]
2655. [doc] Document that key-directory does not affect
- rndc.key. [RT #20155]
+ bind.keys, rndc.key or session.key. [RT #20155]
+
+2654. [bug] Improve error reporting on duplicated names for
+ deny-answer-xxx. [RT #20164]
2653. [bug] Treat ENGINE_load_private_key() failures as key
not found rather than out of memory. [RT #18033]
+2652. [func] Provide more detail about what record is being
+ deleted. [RT #20061]
+
+2651. [bug] Dates could print incorrectly in K*.key files on
+ 64-bit systems. [RT #20076]
+
+2650. [bug] Assertion failure in dnssec-signzone when trying
+ to read keyset-* files. [RT #20075]
+
2649. [bug] Set the domain for forward only zones. [RT #19944]
2648. [port] win32: isc_time_seconds() was broken. [RT #19900]
@@ -1139,37 +2120,99 @@
2645. [port] "gcc -m32" didn't work on amd64 and x86_64 platforms
which default to 64 bits. [RT #19927]
+ --- 9.7.0a2 released ---
+
+2644. [bug] Change #2628 caused a regression on some systems;
+ named was unable to write the PID file and would
+ fail on startup. [RT #20001]
+
2643. [bug] Stub zones interacted badly with NSEC3 support.
[RT #19777]
2642. [bug] nsupdate could dump core on solaris when reading
improperly formatted key files. [RT #20015]
+2641. [bug] Fixed an error in parsing update-policy syntax,
+ added a regression test to check it. [RT #20007]
+
2640. [security] A specially crafted update packet will cause named
to exit. [RT #20000]
2639. [bug] Silence compiler warnings in gssapi code. [RT #19954]
+2638. [bug] Install arpaname. [RT #19957]
+
2637. [func] Rationalize dnssec-signzone's signwithkey() calling.
[RT #19959]
+2636. [func] Simplify zone signing and key maintenance with the
+ dnssec-* tools. Major changes:
+ - all dnssec-* tools now take a -K option to
+ specify a directory in which key files will be
+ stored
+ - DNSSEC can now store metadata indicating when
+ they are scheduled to be published, activated,
+ revoked or removed; these values can be set by
+ dnssec-keygen or overwritten by the new
+ dnssec-settime command
+ - dnssec-signzone -S (for "smart") option reads key
+ metadata and uses it to determine automatically
+ which keys to publish to the zone, use for
+ signing, revoke, or remove from the zone
+ [RT #19816]
+
2635. [bug] isc_inet_ntop() incorrectly handled 0.0/16 addresses.
[RT #19716]
+2634. [port] win32: Add support for libxml2, enable
+ statschannel. [RT #19773]
+
2633. [bug] Handle 15 bit rand() functions. [RT #19783]
2632. [func] util/kit.sh: warn if documentation appears to be out of
date. [RT #19922]
+2631. [bug] Handle "//", "/./" and "/../" in mkdirpath().
+ [RT #19926 ]
+
+2630. [func] Improved syntax for DDNS autoconfiguration: use
+ "update-policy local;" to switch on local DDNS in a
+ zone. (The "ddns-autoconf" option has been removed.)
+ [RT #19875]
+
+2629. [port] Check for seteuid()/setegid(), use setresuid()/
+ setresgid() if not present. [RT #19932]
+
+2628. [port] linux: Allow /var/run/named/named.pid to be opened
+ at startup with reduced capabilities in operation.
+ [RT #19884]
+
+2627. [bug] Named aborted if the same key was included in
+ trusted-keys more than once. [RT #19918]
+
+2626. [bug] Multiple trusted-keys could trigger an assertion
+ failure. [RT #19914]
+
2625. [bug] Missing UNLOCK in rbtdb.c. [RT #19865]
+2624. [func] 'named-checkconf -p' will print out the parsed
+ configuration. [RT #18871]
+
2623. [bug] Named started searches for DS non-optimally. [RT #19915]
+2622. [bug] Printing of named.conf grammar was broken. [RT #19919]
+
2621. [doc] Made copyright boilerplate consistent. [RT #19833]
2620. [bug] Delay thawing the zone until the reload of it has
completed successfully. [RT #19750]
+2619. [func] Add support for RFC 5011, automatic trust anchor
+ maintenance. The new "managed-keys" statement can
+ be used in place of "trusted-keys" for zones which
+ support this protocol. (Note: this syntax is
+ expected to change prior to 9.7.0 final.) [RT #19248]
+
2618. [bug] The sdb and sdlz db_interator_seek() methods could
loop infinitely. [RT #19847]
@@ -1185,11 +2228,33 @@
2614. [port] win32: 'named -v' should automatically be executed
in the foreground. [RT #19844]
-2613. [bug] Option argument validation was missing for
- dnssec-dsfromkey. [RT #19828]
+2613. [placeholder]
+
+ --- 9.7.0a1 released ---
+
+2612. [func] Add default values for the arguments to
+ dnssec-keygen. Without arguments, it will now
+ generate a 1024-bit RSASHA1 zone-signing key,
+ or with the -f KSK option, a 2048-bit RSASHA1
+ key-signing key. [RT #19300]
+
+2611. [func] Add -l option to dnssec-dsfromkey to generate
+ DLV records instead of DS records. [RT #19300]
2610. [port] sunos: Change #2363 was not complete. [RT #19796]
+2609. [func] Simplify the configuration of dynamic zones:
+ - add ddns-confgen command to generate
+ configuration text for named.conf
+ - add zone option "ddns-autoconf yes;", which
+ causes named to generate a TSIG session key
+ and allow updates to the zone using that key
+ - add '-l' (localhost) option to nsupdate, which
+ causes nsupdate to connect to a locally-running
+ named process using the session key generated
+ by named
+ [RT #19284]
+
2608. [func] Perform post signing verification checks in
dnssec-signzone. These can be disabled with -P.
@@ -1199,27 +2264,6 @@
self signed. That all records in the zone are signed
by the algorithm. [RT #19653]
-2601. [doc] Mention file creation mode mask in the
- named manual page.
-
-2593. [bug] Improve a corner source of SERVFAILs [RT #19632]
-
-2589. [bug] dns_db_unregister() failed to clear '*dbimp'.
- [RT #19626]
-
-2581. [contrib] dlz/mysql set MYSQL_OPT_RECONNECT option on connection.
- Requires MySQL 5.0.19 or later. [RT #19084]
-
-2580. [bug] UpdateRej statistics counter could be incremented twice
- for one rejection. [RT #19476]
-
-2533. [doc] ARM: document @ (at-sign). [RT #17144]
-
-2500. [contrib] contrib/sdb/pgsql/zonetodb.c called non-existent
- function. [RT #18582]
-
- --- 9.6.1 released ---
-
2607. [bug] named could incorrectly delete NSEC3 records for
empty nodes when processing a update request.
[RT #19749]
@@ -1230,6 +2274,11 @@
2605. [bug] Accept DS responses from delegation only zones.
[RT # 19296]
+2604. [func] Add support for DNS rebinding attack prevention through
+ new options, deny-answer-addresses and
+ deny-answer-aliases. Based on contributed code from
+ JD Nurmi, Google. [RT #18192]
+
2603. [port] win32: handle .exe extension of named-checkzone and
named-comilezone argv[0] names under windows.
[RT #19767]
@@ -1237,11 +2286,17 @@
2602. [port] win32: fix debugging command line build of libisccfg.
[RT #19767]
- --- 9.6.1rc1 released ---
+2601. [doc] Mention file creation mode mask in the
+ named manual page.
+
+2600. [doc] ARM: miscellaneous reformatting for different
+ page widths. [RT #19574]
2599. [bug] Address rapid memory growth when validation fails.
[RT #19654]
+2598. [func] Reserve the -F flag. [RT #19657]
+
2597. [bug] Handle a validation failure with a insecure delegation
from a NSEC3 signed master/slave zone. [RT #19464]
@@ -1251,16 +2306,31 @@
2595. [bug] Fix unknown extended rcodes in dig. [RT #19625]
+2594. [func] Have rndc warn if using its default configuration
+ file when the key file also exists. [RT #19424]
+
+2593. [bug] Improve a corner source of SERVFAILs [RT #19632]
+
2592. [bug] Treat "any" as a type in nsupdate. [RT #19455]
2591. [bug] named could die when processing a update in
removed_orphaned_ds(). [RT #19507]
+2590. [func] Report zone/class of "update with no effect".
+ [RT #19542]
+
+2589. [bug] dns_db_unregister() failed to clear '*dbimp'.
+ [RT #19626]
+
2588. [bug] SO_REUSEADDR could be set unconditionally after failure
of bind(2) call. This should be rare and mostly
harmless, but may cause interference with other
processes that happen to use the same port. [RT #19642]
+2587. [func] Improve logging by reporting serial numbers for
+ when zone serial has gone backwards or unchanged.
+ [RT #19506]
+
2586. [bug] Missing cleanup of SIG rdataset in searching a DLZ DB
or SDB. [RT #19577]
@@ -1277,28 +2347,57 @@
2582. [bug] Don't emit warning log message when we attempt to
remove non-existent journal. [RT #19516]
+2581. [contrib] dlz/mysql set MYSQL_OPT_RECONNECT option on connection.
+ Requires MySQL 5.0.19 or later. [RT #19084]
+
+2580. [bug] UpdateRej statistics counter could be incremented twice
+ for one rejection. [RT #19476]
+
2579. [bug] DNSSEC lookaside validation failed to handle unknown
algorithms. [RT #19479]
2578. [bug] Changed default sig-signing-type to 65534, because
65535 turns out to be reserved. [RT #19477]
-2499. [port] solaris: lib/lwres/getaddrinfo.c namespace clash.
- [RT #18837]
-
- --- 9.6.1b1 released ---
-
2577. [doc] Clarified some statistics counters. [RT #19454]
2576. [bug] NSEC record were not being correctly signed when
a zone transitions from insecure to secure.
Handle such incorrectly signed zones. [RT #19114]
+2575. [func] New functions dns_name_fromstring() and
+ dns_name_tostring(), to simplify conversion
+ of a string to a dns_name structure and vice
+ versa. [RT #19451]
+
2574. [doc] Document nsupdate -g and -o. [RT #19351]
2573. [bug] Replacing a non-CNAME record with a CNAME record in a
single transaction in a signed zone failed. [RT #19397]
+2572. [func] Simplify DLV configuration, with a new option
+ "dnssec-lookaside auto;" This is the equivalent
+ of "dnssec-lookaside . trust-anchor dlv.isc.org;"
+ plus setting a trusted-key for dlv.isc.org.
+
+ Note: The trusted key is hard-coded into named,
+ but is also stored in (and can be overridden
+ by) $sysconfdir/bind.keys. As the ISC DLV key
+ rolls over it can be kept up to date by replacing
+ the bind.keys file with a key downloaded from
+ https://www.isc.org/solutions/dlv. [RT #18685]
+
+2571. [func] Add a new tool "arpaname" which translates IP addresses
+ to the corresponding IN-ADDR.ARPA or IP6.ARPA name.
+ [RT #18976]
+
+2570. [func] Log the destination address the query was sent to.
+ [RT #19209]
+
+2569. [func] Move journalprint, nsec3hash, and genrandom
+ commands from bin/tests into bin/tools;
+ "make install" will put them in $sbindir. [RT #19301]
+
2568. [bug] Report when the write to indicate a otherwise
successful start fails. [RT #19360]
@@ -1307,6 +2406,15 @@
dnssec-dsfromkey could miss write errors.
[RT #19360]
+2566. [cleanup] Clarify logged message when an insecure DNSSEC
+ response arrives from a zone thought to be secure:
+ "insecurity proof failed" instead of "not
+ insecure". [RT #19400]
+
+2565. [func] Add support for HIP record. Includes new functions
+ dns_rdata_hip_first(), dns_rdata_hip_next()
+ and dns_rdata_hip_current(). [RT #19384]
+
2564. [bug] Only take EDNS fallback steps when processing timeouts.
[RT #19405]
@@ -1323,6 +2431,10 @@
2559. [bug] dnssec-dsfromkey could compute bad DS records when
reading from a K* files. [RT #19357]
+2558. [func] Set the ownership of missing directories created
+ for pid-file if -u has been specified on the command
+ line. [RT #19328]
+
2557. [cleanup] PCI compliance:
* new libisc log module file
* isc_dir_chroot() now also changes the working
@@ -1334,6 +2446,9 @@
error checks in the correct order resulting in the
wrong error code sometimes being returned. [RT #19249]
+2555. [func] dig: when emitting a hex dump also display the
+ corresponding characters. [RT #19258]
+
2554. [bug] Validation of uppercase queries from NSEC3 zones could
fail. [RT #19297]
@@ -1357,6 +2472,10 @@
function isc_mem_reallocate() was introduced to address
this bug. [RT #19313]
+2546. [func] Add --enable-openssl-hash configure flag to use
+ OpenSSL (in place of internal routine) for hash
+ functions (MD5, SHA[12] and HMAC). [RT #18815]
+
2545. [doc] ARM: Legal hostname checking (check-names) is
for SRV RDATA too. [RT #19304]
@@ -1369,6 +2488,8 @@
2541. [bug] Conditionally update dispatch manager statistics.
[RT #19247]
+2540. [func] Add a nibble mode to $GENERATE. [RT #18872]
+
2539. [security] Update the interaction between recursion, allow-query,
allow-query-cache and allow-recursion. [RT #19198]
@@ -1376,7 +2497,7 @@
especially with threads and smaller max-cache-size
values. [RT #19240]
-2537. [experimental] Added more statistics counters including those on socket
+2537. [func] Added more statistics counters including those on socket
I/O events and query RTT histograms. [RT #18802]
2536. [cleanup] Silence some warnings when -Werror=format-security is
@@ -1384,6 +2505,12 @@
2535. [bug] dig +showsearch and +trace interacted badly. [RT #19091]
+2534. [func] Check NAPTR records regular expressions and
+ replacement strings to ensure they are syntactically
+ valid and consistant. [RT #18168]
+
+2533. [doc] ARM: document @ (at-sign). [RT #17144]
+
2532. [bug] dig: check the question section of the response to
see if it matches the asked question. [RT #18495]
@@ -1398,8 +2525,12 @@
2528. [cleanup] Silence spurious configure warning about
--datarootdir [RT #19096]
-2527. [bug] named could reuse cache on reload with
- enabling/disabling validation. [RT #19119]
+2527. [placeholder]
+
+2526. [func] New named option "attach-cache" that allows multiple
+ views to share a single cache to save memory and
+ improve lookup efficiency. Based on contributed code
+ from Barclay Osborn, Google. [RT #18905]
2525. [func] New logging category "query-errors" to provide detailed
internal information about query failures, especially
@@ -1414,10 +2545,17 @@
2521. [bug] Improve epoll cross compilation support. [RT #19047]
+2520. [bug] Update xml statistics version number to 2.0 as change
+ #2388 made the schema incompatible to the previous
+ version. [RT #19080]
+
2519. [bug] dig/host with -4 or -6 didn't work if more than two
nameserver addresses of the excluded address family
preceded in resolv.conf. [RT #19081]
+2518. [func] Add support for the new CERT types from RFC 4398.
+ [RT #19077]
+
2517. [bug] dig +trace with -4 or -6 failed when it chose a
nameserver address of the excluded address type.
[RT #18843]
@@ -1425,45 +2563,56 @@
2516. [bug] glue sort for responses was performed even when not
needed. [RT #19039]
+2515. [port] win32: build dnssec-dsfromkey and dnssec-keyfromlabel.
+ [RT #19063]
+
2514. [bug] dig/host failed with -4 or -6 when resolv.conf contains
a nameserver of the excluded address family.
[RT #18848]
+2513. [bug] Fix windows cli build. [RT #19062]
+
+2512. [func] Print a summary of the cached records which make up
+ the negative response. [RT #18885]
+
2511. [cleanup] dns_rdata_tofmttext() add const to linebreak.
[RT #18885]
+2510. [bug] "dig +sigchase" could trigger REQUIRE failures.
+ [RT #19033]
+
+2509. [bug] Specifying a fixed query source port was broken.
+ [RT #19051]
+
+2508. [placeholder]
+
+2507. [func] Log the recursion quota values when killing the
+ oldest query or refusing to recurse due to quota.
+ [RT #19022]
+
2506. [port] solaris: Check at configure time if
hack_shutup_pthreadonceinit is needed. [RT #19037]
2505. [port] Treat amd64 similarly to x86_64 when determining
atomic operation support. [RT #19031]
+2504. [bug] Address race condition in the socket code. [RT #18899]
+
2503. [port] linux: improve compatibility with Linux Standard
Base. [RT #18793]
2502. [cleanup] isc_radix: Improve compliance with coding style,
document function in <isc/radix.h>. [RT #18534]
- --- 9.6.0 released ---
-
-2520. [bug] Update xml statistics version number to 2.0 as change
- #2388 made the schema incompatible to the previous
- version. [RT #19080]
-
- --- 9.6.0rc2 released ---
-
-2515. [port] win32: build dnssec-dsfromkey and dnssec-keyfromlabel.
- [RT #19063]
+2501. [func] $GENERATE now supports all rdata types. Multi-field
+ rdata types need to be quoted. See the ARM for
+ details. [RT #18368]
-2513. [bug] Fix windows cli build. [RT #19062]
-
-2510. [bug] "dig +sigchase" could trigger REQUIRE failures.
- [RT #19033]
-
-2509. [bug] Specifying a fixed query source port was broken.
- [RT #19051]
+2500. [contrib] contrib/sdb/pgsql/zonetodb.c called non-existent
+ function. [RT #18582]
-2504. [bug] Address race condition in the socket code. [RT #18899]
+2499. [port] solaris: lib/lwres/getaddrinfo.c namespace clash.
+ [RT #18837]
--- 9.6.0rc1 released ---
diff --git a/contrib/bind9/COPYRIGHT b/contrib/bind9/COPYRIGHT
index f283b2aabfe9..6f2c8e5aa226 100644
--- a/contrib/bind9/COPYRIGHT
+++ b/contrib/bind9/COPYRIGHT
@@ -13,7 +13,7 @@ LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
PERFORMANCE OF THIS SOFTWARE.
-$Id$
+$Id: COPYRIGHT,v 1.17.14.2 2012/01/04 23:46:18 tbox Exp $
Portions of this code release fall under one or more of the
following Copyright notices. Please see individual source
diff --git a/contrib/bind9/FAQ.xml b/contrib/bind9/FAQ.xml
index 729530bc08b5..7b21689ce905 100644
--- a/contrib/bind9/FAQ.xml
+++ b/contrib/bind9/FAQ.xml
@@ -1,7 +1,7 @@
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" []>
<!--
- - Copyright (C) 2004-2010, 2012 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@@ -30,7 +30,6 @@
<year>2008</year>
<year>2009</year>
<year>2010</year>
- <year>2012</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
<copyright>
diff --git a/contrib/bind9/HISTORY b/contrib/bind9/HISTORY
new file mode 100644
index 000000000000..e98f9b41460d
--- /dev/null
+++ b/contrib/bind9/HISTORY
@@ -0,0 +1,313 @@
+Summary of functional enhancements from prior major releases of BIND 9:
+
+BIND 9.6.0
+
+ Full NSEC3 support
+
+ Automatic zone re-signing
+
+ New update-policy methods tcp-self and 6to4-self
+
+ The BIND 8 resolver library, libbind, has been removed from the
+ BIND 9 distribution and is now available as a separate download.
+
+ Change the default pid file location from /var/run to
+ /var/run/{named,lwresd} for improved chroot/setuid support.
+
+BIND 9.5.0
+
+ GSS-TSIG support (RFC 3645).
+
+ DHCID support.
+
+ Experimental http server and statistics support for named via xml.
+
+ More detailed statistics counters including those supported in BIND 8.
+
+ Faster ACL processing.
+
+ Use Doxygen to generate internal documentation.
+
+ Efficient LRU cache-cleaning mechanism.
+
+ NSID support.
+
+BIND 9.4.0
+
+ Implemented "additional section caching (or acache)", an
+ internal cache framework for additional section content to
+ improve response performance. Several configuration options
+ were provided to control the behavior.
+
+ New notify type 'master-only'. Enable notify for master
+ zones only.
+
+ Accept 'notify-source' style syntax for query-source.
+
+ rndc now allows addresses to be set in the server clauses.
+
+ New option "allow-query-cache". This lets "allow-query"
+ be used to specify the default zone access level rather
+ than having to have every zone override the global value.
+ "allow-query-cache" can be set at both the options and view
+ levels. If "allow-query-cache" is not set then "allow-recursion"
+ is used if set, otherwise "allow-query" is used if set
+ unless "recursion no;" is set in which case "none;" is used,
+ otherwise the default (localhost; localnets;) is used.
+
+ rndc: the source address can now be specified.
+
+ ixfr-from-differences now takes master and slave in addition
+ to yes and no at the options and view levels.
+
+ Allow the journal's name to be changed via named.conf.
+
+ 'rndc notify zone [class [view]]' resend the NOTIFY messages
+ for the specified zone.
+
+ 'dig +trace' now randomly selects the next servers to try.
+ Report if there is a bad delegation.
+
+ Improve check-names error messages.
+
+ Make public the function to read a key file, dst_key_read_public().
+
+ dig now returns the byte count for axfr/ixfr.
+
+ allow-update is now settable at the options / view level.
+
+ named-checkconf now checks the logging configuration.
+
+ host now can turn on memory debugging flags with '-m'.
+
+ Don't send notify messages to self.
+
+ Perform sanity checks on NS records which refer to 'in zone' names.
+
+ New zone option "notify-delay". Specify a minimum delay
+ between sets of NOTIFY messages.
+
+ Extend adjusting TTL warning messages.
+
+ Named and named-checkzone can now both check for non-terminal
+ wildcard records.
+
+ "rndc freeze/thaw" now freezes/thaws all zones.
+
+ named-checkconf now check acls to verify that they only
+ refer to existing acls.
+
+ The server syntax has been extended to support a range of
+ servers.
+
+ Report differences between hints and real NS rrset and
+ associated address records.
+
+ Preserve the case of domain names in rdata during zone
+ transfers.
+
+ Restructured the data locking framework using architecture
+ dependent atomic operations (when available), improving
+ response performance on multi-processor machines significantly.
+ x86, x86_64, alpha, powerpc, and mips are currently supported.
+
+ UNIX domain controls are now supported.
+
+ Add support for additional zone file formats for improving
+ loading performance. The masterfile-format option in
+ named.conf can be used to specify a non-default format. A
+ separate command named-compilezone was provided to generate
+ zone files in the new format. Additionally, the -I and -O
+ options for dnssec-signzone specify the input and output
+ formats.
+
+ dnssec-signzone can now randomize signature end times
+ (dnssec-signzone -j jitter).
+
+ Add support for CH A record.
+
+ Add additional zone data constancy checks. named-checkzone
+ has extended checking of NS, MX and SRV record and the hosts
+ they reference. named has extended post zone load checks.
+ New zone options: check-mx and integrity-check.
+
+
+ edns-udp-size can now be overridden on a per server basis.
+
+ dig can now specify the EDNS version when making a query.
+
+ Added framework for handling multiple EDNS versions.
+
+ Additional memory debugging support to track size and mctx
+ arguments.
+
+ Detect duplicates of UDP queries we are recursing on and
+ drop them. New stats category "duplicates".
+
+ "USE INTERNAL MALLOC" is now runtime selectable.
+
+ The lame cache is now done on a <qname,qclass,qtype> basis
+ as some servers only appear to be lame for certain query
+ types.
+
+ Limit the number of recursive clients that can be waiting
+ for a single query (<qname,qtype,qclass>) to resolve. New
+ options clients-per-query and max-clients-per-query.
+
+ dig: report the number of extra bytes still left in the
+ packet after processing all the records.
+
+ Support for IPSECKEY rdata type.
+
+ Raise the UDP recieve buffer size to 32k if it is less than 32k.
+
+ x86 and x86_64 now have seperate atomic locking implementations.
+
+ named-checkconf now validates update-policy entries.
+
+ Attempt to make the amount of work performed in a iteration
+ self tuning. The covers nodes clean from the cache per
+ iteration, nodes written to disk when rewriting a master
+ file and nodes destroyed per iteration when destroying a
+ zone or a cache.
+
+ ISC string copy API.
+
+ Automatic empty zone creation for D.F.IP6.ARPA and friends.
+ Note: RFC 1918 zones are not yet covered by this but are
+ likely to be in a future release.
+
+ New options: empty-server, empty-contact, empty-zones-enable
+ and disable-empty-zone.
+
+ dig now has a '-q queryname' and '+showsearch' options.
+
+ host/nslookup now continue (default)/fail on SERVFAIL.
+
+ dig now warns if 'RA' is not set in the answer when 'RD'
+ was set in the query. host/nslookup skip servers that fail
+ to set 'RA' when 'RD' is set unless a server is explicitly
+ set.
+
+ Integrate contibuted DLZ code into named.
+
+ Integrate contibuted IDN code from JPNIC.
+
+ libbind: corresponds to that from BIND 8.4.7.
+
+BIND 9.3.0
+
+ DNSSEC is now DS based (RFC 3658).
+ See also RFC 3845, doc/draft/draft-ietf-dnsext-dnssec-*.
+
+ DNSSEC lookaside validation.
+
+ check-names is now implemented.
+ rrset-order in more complete.
+
+ IPv4/IPv6 transition support, dual-stack-servers.
+
+ IXFR deltas can now be generated when loading master files,
+ ixfr-from-differences.
+
+ It is now possible to specify the size of a journal, max-journal-size.
+
+ It is now possible to define a named set of master servers to be
+ used in masters clause, masters.
+
+ The advertised EDNS UDP size can now be set, edns-udp-size.
+
+ allow-v6-synthesis has been obsoleted.
+
+ NOTE:
+ * Zones containing MD and MF will now be rejected.
+ * dig, nslookup name. now report "Not Implemented" as
+ NOTIMP rather than NOTIMPL. This will have impact on scripts
+ that are looking for NOTIMPL.
+
+ libbind: corresponds to that from BIND 8.4.5.
+
+BIND 9.2.0
+
+ The size of the cache can now be limited using the
+ "max-cache-size" option.
+
+ The server can now automatically convert RFC1886-style recursive
+ lookup requests into RFC2874-style lookups, when enabled using the
+ new option "allow-v6-synthesis". This allows stub resolvers that
+ support AAAA records but not A6 record chains or binary labels to
+ perform lookups in domains that make use of these IPv6 DNS
+ features.
+
+ Performance has been improved.
+
+ The man pages now use the more portable "man" macros rather than
+ the "mandoc" macros, and are installed by "make install".
+
+ The named.conf parser has been completely rewritten. It now
+ supports "include" directives in more places such as inside "view"
+ statements, and it no longer has any reserved words.
+
+ The "rndc status" command is now implemented.
+
+ rndc can now be configured automatically.
+
+ A BIND 8 compatible stub resolver library is now included in
+ lib/bind.
+
+ OpenSSL has been removed from the distribution. This means that to
+ use DNSSEC, OpenSSL must be installed and the --with-openssl option
+ must be supplied to configure. This does not apply to the use of
+ TSIG, which does not require OpenSSL.
+
+ The source distribution now builds on Windows. See
+ win32utils/readme1.txt and win32utils/win32-build.txt for details.
+
+ This distribution also includes a new lightweight stub
+ resolver library and associated resolver daemon that fully
+ support forward and reverse lookups of both IPv4 and IPv6
+ addresses. This library is considered experimental and
+ is not a complete replacement for the BIND 8 resolver library.
+ Applications that use the BIND 8 res_* functions to perform
+ DNS lookups or dynamic updates still need to be linked against
+ the BIND 8 libraries. For DNS lookups, they can also use the
+ new "getrrsetbyname()" API.
+
+ BIND 9.2 is capable of acting as an authoritative server
+ for DNSSEC secured zones. This functionality is believed to
+ be stable and complete except for lacking support for
+ verifications involving wildcard records in secure zones.
+
+ When acting as a caching server, BIND 9.2 can be configured
+ to perform DNSSEC secure resolution on behalf of its clients.
+ This part of the DNSSEC implementation is still considered
+ experimental. For detailed information about the state of the
+ DNSSEC implementation, see the file doc/misc/dnssec.
+
+ There are a few known bugs:
+
+ On some systems, IPv6 and IPv4 sockets interact in
+ unexpected ways. For details, see doc/misc/ipv6.
+ To reduce the impact of these problems, the server
+ no longer listens for requests on IPv6 addresses
+ by default. If you need to accept DNS queries over
+ IPv6, you must specify "listen-on-v6 { any; };"
+ in the named.conf options statement.
+
+ FreeBSD prior to 4.2 (and 4.2 if running as non-root)
+ and OpenBSD prior to 2.8 log messages like
+ "fcntl(8, F_SETFL, 4): Inappropriate ioctl for device".
+ This is due to a bug in "/dev/random" and impacts the
+ server's DNSSEC support.
+
+ OS X 10.1.4 (Darwin 5.4), OS X 10.1.5 (Darwin 5.5) and
+ OS X 10.2 (Darwin 6.0) reports errors like
+ "fcntl(3, F_SETFL, 4): Operation not supported by device".
+ This is due to a bug in "/dev/random" and impacts the
+ server's DNSSEC support.
+
+ --with-libtool does not work on AIX.
+
+ A bug in some versions of the Microsoft DNS server can cause zone
+ transfers from a BIND 9 server to a W2K server to fail. For details,
+ see the "Zone Transfers" section in doc/misc/migration.
diff --git a/contrib/bind9/KNOWN-DEFECTS b/contrib/bind9/KNOWN-DEFECTS
deleted file mode 100644
index 83d71759740e..000000000000
--- a/contrib/bind9/KNOWN-DEFECTS
+++ /dev/null
@@ -1,15 +0,0 @@
-dnssec-signzone was designed so that it could sign a zone partially, using
-only a subset of the DNSSEC keys needed to produce a fully-signed zone.
-This permits a zone administrator, for example, to sign a zone with one
-key on one machine, move the resulting partially-signed zone to a second
-machine, and sign it again with a second key.
-
-An unfortunate side-effect of this flexibility is that dnssec-signzone
-does not check to make sure it's signing a zone with any valid keys at
-all. An attempt to sign a zone without any keys will appear to succeed,
-producing a "signed" zone with no signatures. There is no warning issued
-when a zone is not signed.
-
-This will be corrected in a future release. In the meantime, ISC
-recommends examining the output of dnssec-signzone to confirm that
-the zone is properly signed by all keys before using it.
diff --git a/contrib/bind9/Makefile.in b/contrib/bind9/Makefile.in
index 7de78511fe37..05d9c43174f0 100644
--- a/contrib/bind9/Makefile.in
+++ b/contrib/bind9/Makefile.in
@@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id$
+# $Id: Makefile.in,v 1.58.250.4 2011/09/06 04:06:11 marka Exp $
srcdir = @srcdir@
VPATH = @srcdir@
@@ -21,13 +21,13 @@ top_srcdir = @top_srcdir@
@BIND9_VERSION@
-SUBDIRS = make unit lib bin doc
+SUBDIRS = make unit lib bin doc @LIBEXPORT@
TARGETS =
MANPAGES = isc-config.sh.1
-
+
HTMLPAGES = isc-config.sh.html
-
+
MANOBJS = ${MANPAGES} ${HTMLPAGES}
@BIND9_MAKE_RULES@
@@ -54,7 +54,8 @@ installdirs:
install:: isc-config.sh installdirs
${INSTALL_SCRIPT} isc-config.sh ${DESTDIR}${bindir}
- ${INSTALL_DATA} ${srcdir}/isc-config.sh.1 ${DESTDIR}${mandir}/man1
+ ${INSTALL_DATA} ${top_srcdir}/isc-config.sh.1 ${DESTDIR}${mandir}/man1
+ ${INSTALL_DATA} ${top_srcdir}/bind.keys ${DESTDIR}${sysconfdir}
tags:
rm -f TAGS
diff --git a/contrib/bind9/NSEC3-NOTES b/contrib/bind9/NSEC3-NOTES
deleted file mode 100644
index 3f8d8f905c00..000000000000
--- a/contrib/bind9/NSEC3-NOTES
+++ /dev/null
@@ -1,128 +0,0 @@
-
- DNSSEC and UPDATE
-
- Converting from insecure to secure
-
-As of BIND 9.6.0 it is possible to move a zone between being insecure
-to secure and back again. A secure zone can be using NSEC or NSEC3.
-
-To move a zone from insecure to secure you need to configure named
-so that it can see the K* files which contain the public and private
-parts of the keys that will be used to sign the zone. These files
-will have been generated by dnssec-keygen. You can do this by
-placing them in the key-directory as specified in named.conf.
-
- zone example.net {
- type master;
- allow-update { .... };
- file "dynamic/example.net/example.net";
- key-directory "dynamic/example.net";
- };
-
-Assuming one KSK and one ZSK DNSKEY key have been generated. Then
-this will cause the zone to be signed with the ZSK and the DNSKEY
-RRset to be signed with the KSK DNSKEY. A NSEC chain will also be
-generated as part of the initial signing process.
-
- % nsupdate
- > ttl 3600
- > update add example.net DNSKEY 256 3 7 AwEAAZn17pUF0KpbPA2c7Gz76Vb18v0teKT3EyAGfBfL8eQ8al35zz3Y I1m/SAQBxIqMfLtIwqWPdgthsu36azGQAX8=
- > update add example.net DNSKEY 257 3 7 AwEAAd/7odU/64o2LGsifbLtQmtO8dFDtTAZXSX2+X3e/UNlq9IHq3Y0 XtC0Iuawl/qkaKVxXe2lo8Ct+dM6UehyCqk=
- > send
-
-While the update request will complete almost immediately the zone
-will not be completely signed until named has had time to walk the
-zone and generate the NSEC and RRSIG records. Initially the NSEC
-record at the zone apex will have the OPT bit set. When the NSEC
-chain is complete the OPT bit will be cleared. Additionally when
-the zone is fully signed the private type (default TYPE65534) records
-will have a non zero value for the final octet.
-
-The private type record has 5 octets.
- algorithm (octet 1)
- key id in network order (octet 2 and 3)
- removal flag (octet 4)
- complete flag (octet 5)
-
-If you wish to go straight to a secure zone using NSEC3 you should
-also add a NSEC3PARAM record to the update request with the flags
-field set to indicate whether the NSEC3 chain will have the OPTOUT
-bit set or not.
-
- % nsupdate
- > ttl 3600
- > update add example.net DNSKEY 256 3 7 AwEAAZn17pUF0KpbPA2c7Gz76Vb18v0teKT3EyAGfBfL8eQ8al35zz3Y I1m/SAQBxIqMfLtIwqWPdgthsu36azGQAX8=
- > update add example.net DNSKEY 257 3 7 AwEAAd/7odU/64o2LGsifbLtQmtO8dFDtTAZXSX2+X3e/UNlq9IHq3Y0 XtC0Iuawl/qkaKVxXe2lo8Ct+dM6UehyCqk=
- > update add example.net NSEC3PARAM 1 1 100 1234567890
- > send
-
-Again the update request will complete almost immediately however the
-NSEC3PARAM record will have additional flag bits set indicating that the
-NSEC3 chain is under construction. When the NSEC3 chain is complete the
-flags field will be set to zero.
-
-While the initial signing and NSEC/NSEC3 chain generation is happening
-other updates are possible.
-
- DNSKEY roll overs via UPDATE
-
-It is possible to perform key rollovers via update. You need to
-add the K* files for the new keys so that named can find them. You
-can then add the new DNSKEY RRs via update. Named will then cause
-the zone to be signed with the new keys. When the signing is
-complete the private type records will be updated so that the last
-octet is non zero.
-
-If this is for a KSK you need to inform the parent and any trust
-anchor repositories of the new KSK.
-
-You should then wait for the maximum TLL in the zone before removing the
-old DNSKEY. If it is a KSK that is being updated you also need to wait
-for the DS RRset in the parent to be updated and its TTL to expire.
-This ensures that all clients will be able to verify at least a signature
-when you remove the old DNSKEY.
-
-The old DNSKEY can be removed via UPDATE. Take care to specify
-the correct key. Named will clean out any signatures generated by
-the old key after the update completes.
-
- NSEC3PARAM rollovers via UPDATE.
-
-Add the new NSEC3PARAM record via update. When the new NSEC3 chain
-has been generated the NSEC3PARAM flag field will be zero. At this
-point you can remove the old NSEC3PARAM record. The old chain will
-be removed after the update request completes.
-
- Converting from NSEC to NSEC3
-
-To do this you just need to add a NSEC3PARAM record. When the
-conversion is complete the NSEC chain will have been removed and
-the NSEC3PARAM record will have a zero flag field. The NSEC3 chain
-will be generated before the NSEC chain is destroyed.
-
- Converting from NSEC3 to NSEC
-
-To do this remove all NSEC3PARAM records with a zero flag field. The
-NSEC chain will be generated before the NSEC3 chain is removed.
-
- Converting from secure to insecure
-
-To do this remove all the DNSKEY records. Any NSEC or NSEC3 chains
-will be removed as well as associated NSEC3PARAM records. This will
-take place after the update requests completes.
-
- Periodic re-signing.
-
-Named will periodically re-sign RRsets which have not been re-signed
-as a result of some update action. The signature lifetimes will
-be adjusted so as to spread the re-sign load over time rather than
-all at once.
-
- NSEC3 and OPTOUT
-
-Named only supports creating new NSEC3 chains where all the NSEC3
-records in the zone have the same OPTOUT state. Named supports
-UPDATES to zones where the NSEC3 records in the chain have mixed
-OPTOUT state. Named does not support changing the OPTOUT state of
-an individual NSEC3 record, the entire chain needs to be changed if
-the OPTOUT state of an individual NSEC3 needs to be changed.
diff --git a/contrib/bind9/README b/contrib/bind9/README
index 23c48ea5e66b..f79763978754 100644
--- a/contrib/bind9/README
+++ b/contrib/bind9/README
@@ -42,392 +42,123 @@ BIND 9
Stichting NLnet - NLnet Foundation
Nominum, Inc.
+ For a summary of functional enhancements in previous
+ releases, see the HISTORY file.
+
For a detailed list of user-visible changes from
previous releases, see the CHANGES file.
For up-to-date release notes and errata, see
http://www.isc.org/software/bind9/releasenotes
-BIND 9.6-ESV-R8 (Extended Support Version)
+BIND 9.8.4
- BIND 9.6-ESV-R8 includes several bug fixes and patches security
+ BIND 9.8.4 includes several bug fixes and patches security
flaws described in CVE-2012-1667, CVE-2012-3817 and CVE-2012-4244.
-BIND 9.6-ESV-R7 (Extended Support Version)
-
- BIND 9.6-ESV-R7 is a maintenance release, fixing bugs in BIND
- 9.6-ESV-R6.
-
-BIND 9.6-ESV-R6 (Extended Support Version)
-
- BIND 9.6-ESV-R6 includes a number of bug fixes and prevents a
- security problem described in CVE-2011-4313
-
-BIND 9.6-ESV-R5 (Extended Support Version)
-
- BIND 9.6-ESV-R5 is a maintenance release, fixing bugs in BIND
- 9.6-ESV-R4.
-
-BIND 9.6.3/BIND 9.6-ESV-R4
-
- BIND 9.6.3/BIND 9.6-ESV-R4 is a maintenance release, fixing bugs
- in 9.6.2.
-
-BIND 9.6.2
-
- BIND 9.6.2 is a maintenance release, fixing bugs in 9.6.1.
- It also introduces support for the SHA-2 DNSSEC algorithms,
- RSASHA256 and RSASHA512.
-
- Known issues in this release:
-
- - A validating resolver that has been incorrectly configured with
- an invalid trust anchor will be unable to resolve names covered
- by that trust anchor. In all current versions of BIND 9, such a
- resolver will also generate significant unnecessary DNS traffic
- while trying to validate. The latter problem will be addressed
- in future BIND 9 releases. In the meantime, to avoid these
- problems, exercise caution when configuring "trusted-keys":
- make sure all keys are correct and current when you add them,
- and update your configuration in a timely manner when keys
- roll over.
-
-BIND 9.6.1
-
- BIND 9.6.1 is a maintenance release, fixing bugs in 9.6.0.
-
-BIND 9.6.0
-
- BIND 9.6.0 includes a number of changes from BIND 9.5 and earlier
- releases, including:
-
- Full NSEC3 support
-
- Automatic zone re-signing
-
- New update-policy methods tcp-self and 6to4-self
-
- The BIND 8 resolver library, libbind, has been removed from the
- BIND 9 distribution and is now available as a separate download.
-
- Change the default pid file location from /var/run to
- /var/run/{named,lwresd} for improved chroot/setuid support.
-
-BIND 9.5.0
-
- BIND 9.5.0 has a number of new features over 9.4,
- including:
-
- GSS-TSIG support (RFC 3645).
-
- DHCID support.
-
- Experimental http server and statistics support for named via xml.
-
- More detailed statistics counters including those supported in BIND 8.
-
- Faster ACL processing.
-
- Use Doxygen to generate internal documentation.
-
- Efficient LRU cache-cleaning mechanism.
-
- NSID support.
-
-BIND 9.4.0
-
- BIND 9.4.0 has a number of new features over 9.3,
- including:
-
- Implemented "additional section caching (or acache)", an
- internal cache framework for additional section content to
- improve response performance. Several configuration options
- were provided to control the behavior.
-
- New notify type 'master-only'. Enable notify for master
- zones only.
-
- Accept 'notify-source' style syntax for query-source.
-
- rndc now allows addresses to be set in the server clauses.
-
- New option "allow-query-cache". This lets "allow-query"
- be used to specify the default zone access level rather
- than having to have every zone override the global value.
- "allow-query-cache" can be set at both the options and view
- levels. If "allow-query-cache" is not set then "allow-recursion"
- is used if set, otherwise "allow-query" is used if set
- unless "recursion no;" is set in which case "none;" is used,
- otherwise the default (localhost; localnets;) is used.
-
- rndc: the source address can now be specified.
-
- ixfr-from-differences now takes master and slave in addition
- to yes and no at the options and view levels.
-
- Allow the journal's name to be changed via named.conf.
-
- 'rndc notify zone [class [view]]' resend the NOTIFY messages
- for the specified zone.
-
- 'dig +trace' now randomly selects the next servers to try.
- Report if there is a bad delegation.
-
- Improve check-names error messages.
-
- Make public the function to read a key file, dst_key_read_public().
-
- dig now returns the byte count for axfr/ixfr.
-
- allow-update is now settable at the options / view level.
-
- named-checkconf now checks the logging configuration.
-
- host now can turn on memory debugging flags with '-m'.
-
- Don't send notify messages to self.
-
- Perform sanity checks on NS records which refer to 'in zone' names.
-
- New zone option "notify-delay". Specify a minimum delay
- between sets of NOTIFY messages.
-
- Extend adjusting TTL warning messages.
-
- Named and named-checkzone can now both check for non-terminal
- wildcard records.
-
- "rndc freeze/thaw" now freezes/thaws all zones.
-
- named-checkconf now check acls to verify that they only
- refer to existing acls.
-
- The server syntax has been extended to support a range of
- servers.
-
- Report differences between hints and real NS rrset and
- associated address records.
-
- Preserve the case of domain names in rdata during zone
- transfers.
-
- Restructured the data locking framework using architecture
- dependent atomic operations (when available), improving
- response performance on multi-processor machines significantly.
- x86, x86_64, alpha, powerpc, and mips are currently supported.
-
- UNIX domain controls are now supported.
-
- Add support for additional zone file formats for improving
- loading performance. The masterfile-format option in
- named.conf can be used to specify a non-default format. A
- separate command named-compilezone was provided to generate
- zone files in the new format. Additionally, the -I and -O
- options for dnssec-signzone specify the input and output
- formats.
-
- dnssec-signzone can now randomize signature end times
- (dnssec-signzone -j jitter).
-
- Add support for CH A record.
-
- Add additional zone data constancy checks. named-checkzone
- has extended checking of NS, MX and SRV record and the hosts
- they reference. named has extended post zone load checks.
- New zone options: check-mx and integrity-check.
-
-
- edns-udp-size can now be overridden on a per server basis.
-
- dig can now specify the EDNS version when making a query.
-
- Added framework for handling multiple EDNS versions.
-
- Additional memory debugging support to track size and mctx
- arguments.
-
- Detect duplicates of UDP queries we are recursing on and
- drop them. New stats category "duplicates".
-
- "USE INTERNAL MALLOC" is now runtime selectable.
-
- The lame cache is now done on a <qname,qclass,qtype> basis
- as some servers only appear to be lame for certain query
- types.
-
- Limit the number of recursive clients that can be waiting
- for a single query (<qname,qtype,qclass>) to resolve. New
- options clients-per-query and max-clients-per-query.
-
- dig: report the number of extra bytes still left in the
- packet after processing all the records.
-
- Support for IPSECKEY rdata type.
-
- Raise the UDP recieve buffer size to 32k if it is less than 32k.
-
- x86 and x86_64 now have seperate atomic locking implementations.
-
- named-checkconf now validates update-policy entries.
-
- Attempt to make the amount of work performed in a iteration
- self tuning. The covers nodes clean from the cache per
- iteration, nodes written to disk when rewriting a master
- file and nodes destroyed per iteration when destroying a
- zone or a cache.
-
- ISC string copy API.
-
- Automatic empty zone creation for D.F.IP6.ARPA and friends.
- Note: RFC 1918 zones are not yet covered by this but are
- likely to be in a future release.
-
- New options: empty-server, empty-contact, empty-zones-enable
- and disable-empty-zone.
-
- dig now has a '-q queryname' and '+showsearch' options.
-
- host/nslookup now continue (default)/fail on SERVFAIL.
-
- dig now warns if 'RA' is not set in the answer when 'RD'
- was set in the query. host/nslookup skip servers that fail
- to set 'RA' when 'RD' is set unless a server is explicitly
- set.
-
- Integrate contibuted DLZ code into named.
-
- Integrate contibuted IDN code from JPNIC.
-
- libbind: corresponds to that from BIND 8.4.7.
-
-BIND 9.3.0
-
- BIND 9.3.0 has a number of new features over 9.2,
- including:
-
- DNSSEC is now DS based (RFC 3658).
- See also RFC 3845, doc/draft/draft-ietf-dnsext-dnssec-*.
-
- DNSSEC lookaside validation.
-
- check-names is now implemented.
- rrset-order in more complete.
-
- IPv4/IPv6 transition support, dual-stack-servers.
-
- IXFR deltas can now be generated when loading master files,
- ixfr-from-differences.
-
- It is now possible to specify the size of a journal, max-journal-size.
-
- It is now possible to define a named set of master servers to be
- used in masters clause, masters.
-
- The advertised EDNS UDP size can now be set, edns-udp-size.
-
- allow-v6-synthesis has been obsoleted.
-
- NOTE:
- * Zones containing MD and MF will now be rejected.
- * dig, nslookup name. now report "Not Implemented" as
- NOTIMP rather than NOTIMPL. This will have impact on scripts
- that are looking for NOTIMPL.
-
- libbind: corresponds to that from BIND 8.4.5.
-
-BIND 9.2.0
-
- BIND 9.2.0 has a number of new features over 9.1,
- including:
-
- - The size of the cache can now be limited using the
- "max-cache-size" option.
-
- - The server can now automatically convert RFC1886-style
- recursive lookup requests into RFC2874-style lookups,
- when enabled using the new option "allow-v6-synthesis".
- This allows stub resolvers that support AAAA records
- but not A6 record chains or binary labels to perform
- lookups in domains that make use of these IPv6 DNS
- features.
-
- - Performance has been improved.
-
- - The man pages now use the more portable "man" macros
- rather than the "mandoc" macros, and are installed
- by "make install".
-
- - The named.conf parser has been completely rewritten.
- It now supports "include" directives in more
- places such as inside "view" statements, and it no
- longer has any reserved words.
-
- - The "rndc status" command is now implemented.
-
- - rndc can now be configured automatically.
-
- - A BIND 8 compatible stub resolver library is now
- included in lib/bind.
-
- - OpenSSL has been removed from the distribution. This
- means that to use DNSSEC, OpenSSL must be installed and
- the --with-openssl option must be supplied to configure.
- This does not apply to the use of TSIG, which does not
- require OpenSSL.
-
- - The source distribution now builds on Windows.
- See win32utils/readme1.txt and win32utils/win32-build.txt
- for details.
-
- This distribution also includes a new lightweight stub
- resolver library and associated resolver daemon that fully
- support forward and reverse lookups of both IPv4 and IPv6
- addresses. This library is considered experimental and
- is not a complete replacement for the BIND 8 resolver library.
- Applications that use the BIND 8 res_* functions to perform
- DNS lookups or dynamic updates still need to be linked against
- the BIND 8 libraries. For DNS lookups, they can also use the
- new "getrrsetbyname()" API.
-
- BIND 9.2 is capable of acting as an authoritative server
- for DNSSEC secured zones. This functionality is believed to
- be stable and complete except for lacking support for
- verifications involving wildcard records in secure zones.
-
- When acting as a caching server, BIND 9.2 can be configured
- to perform DNSSEC secure resolution on behalf of its clients.
- This part of the DNSSEC implementation is still considered
- experimental. For detailed information about the state of the
- DNSSEC implementation, see the file doc/misc/dnssec.
-
- There are a few known bugs:
-
- On some systems, IPv6 and IPv4 sockets interact in
- unexpected ways. For details, see doc/misc/ipv6.
- To reduce the impact of these problems, the server
- no longer listens for requests on IPv6 addresses
- by default. If you need to accept DNS queries over
- IPv6, you must specify "listen-on-v6 { any; };"
- in the named.conf options statement.
-
- FreeBSD prior to 4.2 (and 4.2 if running as non-root)
- and OpenBSD prior to 2.8 log messages like
- "fcntl(8, F_SETFL, 4): Inappropriate ioctl for device".
- This is due to a bug in "/dev/random" and impacts the
- server's DNSSEC support.
-
- OS X 10.1.4 (Darwin 5.4), OS X 10.1.5 (Darwin 5.5) and
- OS X 10.2 (Darwin 6.0) reports errors like
- "fcntl(3, F_SETFL, 4): Operation not supported by device".
- This is due to a bug in "/dev/random" and impacts the
- server's DNSSEC support.
-
- --with-libtool does not work on AIX.
-
- A bug in some versions of the Microsoft DNS server can cause zone
- transfers from a BIND 9 server to a W2K server to fail. For details,
- see the "Zone Transfers" section in doc/misc/migration.
-
+BIND 9.8.3
+
+ BIND 9.8.3 is a maintenance release.
+
+BIND 9.8.2
+
+ BIND 9.8.2 includes a number of bug fixes and prevents a security
+ problem described in CVE-2011-4313
+
+BIND 9.8.1
+
+ BIND 9.8.1 includes a number of bug fixes and enhancements from
+ BIND 9.8 and earlier releases. New features include:
+
+ - The DLZ "dlopen" driver is now built by default.
+ - Added a new include file with function typedefs
+ for the DLZ "dlopen" driver.
+ - Made "--with-gssapi" default.
+ - More verbose error reporting from DLZ LDAP.
+
+BIND 9.8.0
+
+ BIND 9.8.0 includes a number of changes from BIND 9.7 and earlier
+ releases. New features include:
+
+ - Built-in trust anchor for the root zone, which can be
+ switched on via "dnssec-validation auto;"
+ - Support for DNS64.
+ - Support for response policy zones (RPZ).
+ - Support for writable DLZ zones.
+ - Improved ease of configuration of GSS/TSIG for
+ interoperability with Active Directory
+ - Support for GOST signing algorithm for DNSSEC.
+ - Removed RTT Banding from server selection algorithm.
+ - New "static-stub" zone type.
+ - Allow configuration of resolver timeouts via
+ "resolver-query-timeout" option.
+
+BIND 9.7.0
+
+ BIND 9.7.0 includes a number of changes from BIND 9.6 and earlier
+ releases. Most are intended to simplify DNSSEC configuration.
+
+ New features include:
+
+ - Fully automatic signing of zones by "named".
+ - Simplified configuration of DNSSEC Lookaside Validation (DLV).
+ - Simplified configuration of Dynamic DNS, using the "ddns-confgen"
+ command line tool or the "local" update-policy option. (As a side
+ effect, this also makes it easier to configure automatic zone
+ re-signing.)
+ - New named option "attach-cache" that allows multiple views to
+ share a single cache.
+ - DNS rebinding attack prevention.
+ - New default values for dnssec-keygen parameters.
+ - Support for RFC 5011 automated trust anchor maintenance
+ - Smart signing: simplified tools for zone signing and key
+ maintenance.
+ - The "statistics-channels" option is now available on Windows.
+ - A new DNSSEC-aware libdns API for use by non-BIND9 applications
+ - On some platforms, named and other binaries can now print out
+ a stack backtrace on assertion failure, to aid in debugging.
+ - A "tools only" installation mode on Windows, which only installs
+ dig, host, nslookup and nsupdate.
+ - Improved PKCS#11 support, including Keyper support and explicit
+ OpenSSL engine selection.
+
+ Known issues in this release:
+
+ - In rare cases, DNSSEC validation can leak memory. When this
+ happens, it will cause an assertion failure when named exits,
+ but is otherwise harmless. A fix exists, but was too late for
+ this release; it will be included in BIND 9.7.1.
+
+ Compatibility notes:
+
+ - If you had built BIND 9.6 with any of ALLOW_NSEC3PARAM_UPDATE,
+ ALLOW_SECURE_TO_INSECURE or ALLOW_INSECURE_TO_SECURE defined, then
+ you should ensure that all changes that are in progress have
+ completed prior to upgrading to BIND 9.7. BIND 9.7 implements
+ those features in a way which is not backwards compatible.
+
+ - Prior releases had a bug which caused HMAC-SHA* keys with long
+ secrets to be used incorrectly. Fixing this bug means that older
+ versions of BIND 9 may fail to interoperate with this version
+ when using TSIG keys. If this occurs, the new "isc-hmac-fixup"
+ tool will convert a key with a long secret into a form that works
+ correctly with all versions of BIND 9. See the "isc-hmac-fixup"
+ man page for additional details.
+
+ - Revoking a DNSSEC key with "dnssec-revoke" changes its key ID.
+ It is possible for the new key ID to collide with that of a
+ different key. Newly generated keys will not have this problem,
+ as "dnssec-keygen" looks for potential collisions before
+ generating keys, but exercise caution if using key revokation
+ with keys that were generated by older versions of BIND 9. See
+ the Administrator's Reference Manual, section 4.10 ("Dynamic
+ Trust Anchor Management") for more details.
+
+ - A bug was fixed in which a key's scheduled inactivity date was
+ stored incorectly. Users who participated in the 9.7.0 BETA test
+ and had DNSSEC keys with scheduled inactivity dates will need to
+ reset those keys' dates using "dnssec-settime -I".
Building
@@ -441,7 +172,7 @@ Building
FreeBSD 4.10, 5.2.1, 6.2
HP-UX 11.11
Mac OS X 10.5
- NetBSD 3.x and 4.0-beta
+ NetBSD 3.x, 4.0-beta, 5.0-beta
OpenBSD 3.3 and up
Solaris 8, 9, 9 (x86), 10
Ubuntu 7.04, 7.10
@@ -600,6 +331,7 @@ Building
libraries. sh-utils-1.16 provides a "printf" which compiles
on SunOS 4.
+
Documentation
The BIND 9 Administrator Reference Manual is included with the
@@ -618,6 +350,51 @@ Documentation
Frequently asked questions and their answers can be found in
FAQ.
+ Additional information on various subjects can be found
+ in the other README files.
+
+
+Change Log
+
+ A detailed list of all changes to BIND 9 is included in the
+ file CHANGES, with the most recent changes listed first.
+ Change notes include tags indicating the category of the
+ change that was made; these categories are:
+
+ [func] New feature
+
+ [bug] General bug fix
+
+ [security] Fix for a significant security flaw
+
+ [experimental] Used for new features when the syntax
+ or other aspects of the design are still
+ in flux and may change
+
+ [port] Portability enhancement
+
+ [maint] Updates to built-in data such as root
+ server addresses and keys
+
+ [tuning] Changes to built-in configuration defaults
+ and constants to improve performanceo
+
+ [protocol] Updates to the DNS protocol such as new
+ RR types
+
+ [test] Changes to the automatic tests, not
+ affecting server functionality
+
+ [cleanup] Minor corrections and refactoring
+
+ [doc] Documentation
+
+ In general, [func] and [experimental] tags will only appear
+ in new-feature releases (i.e., those with version numbers
+ ending in zero). Some new functionality may be backported to
+ older releases on a case-by-case basis. All other change
+ types may be applied to all currently-supported releases.
+
Bug Reports and Mailing Lists
diff --git a/contrib/bind9/README.idnkit b/contrib/bind9/README.idnkit
deleted file mode 100644
index e5dc6122cecb..000000000000
--- a/contrib/bind9/README.idnkit
+++ /dev/null
@@ -1,112 +0,0 @@
-
- BIND-9 IDN patch
-
- Japan Network Information Center (JPNIC)
-
-
-* What is this patch for?
-
-This patch adds internationalized domain name (IDN) support to BIND-9.
-You'll get internationalized version of dig/host/nslookup commands.
-
- + internationalized dig/host/nslookup
- dig/host/nslookup accepts non-ASCII domain names in the local
- codeset (such as Shift JIS, Big5 or ISO8859-1) determined by
- the locale information. The domain names are normalized and
- converted to the encoding on the DNS protocol, and sent to DNS
- servers. The replies are converted back to the local codeset
- and displayed.
-
-
-* Compilation & installation
-
-0. Prerequisite
-
-You have to build and install idnkit before building this patched version
-of bind-9.
-
-1. Running configure script
-
-Run `configure' in the top directory. See `README' for the
-configuration options.
-
-This patch adds the following 4 options to `configure'. You should
-at least specify `--with-idn' option to enable IDN support.
-
- --with-idn[=IDN_PREFIX]
- To enable IDN support, you have to specify `--with-idn' option.
- The argument IDN_PREFIX is the install prefix of idnkit. If
- IDN_PREFIX is omitted, PREFIX (derived from `--prefix=PREFIX')
- is assumed.
-
- --with-libiconv[=LIBICONV_PREFIX]
- Specify this option if idnkit you have installed links GNU
- libiconv. The argument LIBICONV_PREFIX is install prefix of
- GNU libiconv. If the argument is omitted, PREFIX (derived
- from `--prefix=PREFIX') is assumed.
-
- `--with-libiconv' is shorthand option for GNU libiconv.
-
- --with-libiconv=/usr/local
-
- This is equivalent to:
-
- --with-iconv='-L/usr/local/lib -R/usr/local/lib -liconv'
-
- `--with-libiconv' assumes that your C compiler has `-R'
- option, and that the option adds the specified run-time path
- to an executable binary. If `-R' option of your compiler has
- different meaning, or your compiler lacks the option, you
- should use `--with-iconv' option instead. Binary command
- without run-time path information might be unexecutable.
- In that case, you would see an error message like:
-
- error in loading shared libraries: libiconv.so.2: cannot
- open shared object file
-
- If both `--with-libiconv' and `--with-iconv' options are
- specified, `--with-iconv' is prior to `--with-libiconv'.
-
- --with-iconv=ICONV_LIBSPEC
- If your libc doesn't provide iconv(), you need to specify the
- library containing iconv() with this option. `ICONV_LIBSPEC'
- is the argument(s) to `cc' or `ld' to link the library, for
- example, `--with-iconv="-L/usr/local/lib -liconv"'.
- You don't need to specify the header file directory for "iconv.h"
- to the compiler, as it isn't included directly by bind-9 with
- this patch.
-
- --with-idnlib=IDN_LIBSPEC
- With this option, you can explicitly specify the argument(s)
- to `cc' or `ld' to link the idnkit's library, `libidnkit'. If
- this option is not specified, `-L${PREFIX}/lib -lidnkit' is
- assumed, where ${PREFIX} is the installation prefix specified
- with `--with-idn' option above. You may need to use this
- option to specify extra arguments, for example,
- `--with-idnlib="-L/usr/local/lib -R/usr/local/lib -lidnkit"'.
-
-Please consult `README' for other configuration options.
-
-Note that if you want to specify some extra header file directories,
-you should use the environment variable STD_CINCLUDES instead of
-CFLAGS, as described in README.
-
-2. Compilation and installation
-
-After running "configure", just do
-
- make
- make install
-
-for compiling and installing.
-
-
-* Contact information
-
-Please see http//www.nic.ad.jp/en/idn/ for the latest news
-about idnkit and this patch.
-
-Bug reports and comments on this kit should be sent to
-mdnkit-bugs@nic.ad.jp and idn-cmt@nic.ad.jp, respectively.
-
-; $Id$
diff --git a/contrib/bind9/README.pkcs11 b/contrib/bind9/README.pkcs11
deleted file mode 100644
index b58640de1c5a..000000000000
--- a/contrib/bind9/README.pkcs11
+++ /dev/null
@@ -1,61 +0,0 @@
-
- BIND-9 PKCS#11 support
-
-Prerequisite
-
-The PKCS#11 support needs a PKCS#11 OpenSSL engine based on the Solaris one,
-released the 2007-11-21 for OpenSSL 0.9.8g, with a bug fix (call to free)
-and some improvements, including user friendly PIN management.
-
-Compilation
-
-"configure --with-pkcs11 ..."
-
-PKCS#11 Libraries
-
-Tested with Solaris one with a SCA board and with openCryptoki with the
-software token.
-
-OpenSSL Engines
-
-With PKCS#11 support the PKCS#11 engine is statically loaded but at its
-initialization it dynamically loads the PKCS#11 objects.
-Even the pre commands are therefore unused they are defined with:
- SO_PATH:
- define: PKCS11_SO_PATH
- default: /usr/local/lib/engines/engine_pkcs11.so
- MODULE_PATH:
- define: PKCS11_MODULE_PATH
- default: /usr/lib/libpkcs11.so
-Without PKCS#11 support, a specific OpenSSL engine can be still used
-by defining ENGINE_ID at compile time.
-
-PKCS#11 tools
-
-The contrib/pkcs11-keygen directory contains a set of experimental tools
-to handle keys stored in a Hardware Security Module at the benefit of BIND.
-
-The patch for OpenSSL 0.9.8g is in this directory. Read its README.pkcs11
-for the way to use it (these are the original notes so with the original
-path, etc. Define OPENCRYPTOKI to use it with openCryptoki.)
-
-PIN management
-
-With the just fixed PKCS#11 OpenSSL engine, the PIN should be entered
-each time it is required. With the improved engine, the PIN should be
-entered the first time it is required or can be configured in the
-OpenSSL configuration file (aka. openssl.cnf) by adding in it:
- - at the beginning:
- openssl_conf = openssl_def
- - at any place these sections:
- [ openssl_def ]
- engines = engine_section
- [ engine_section ]
- pkcs11 = pkcs11_section
- [ pkcs11_section ]
- PIN = put__your__pin__value__here
-
-Note
-
-Some names here are registered trademarks, at least Solaris is a trademark
-of Sun Microsystems Inc...
diff --git a/contrib/bind9/acconfig.h b/contrib/bind9/acconfig.h
index 9988d4ffaa22..3d412d93c878 100644
--- a/contrib/bind9/acconfig.h
+++ b/contrib/bind9/acconfig.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2007, 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2008, 2012 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: acconfig.h,v 1.53 2008/12/01 23:47:44 tbox Exp $ */
/*! \file */
@@ -138,6 +138,9 @@ int sigwait(const unsigned int *set, int *sig);
/* Define if OpenSSL includes DSA support */
#undef HAVE_OPENSSL_DSA
+/* Define if OpenSSL includes ECDSA support */
+#undef HAVE_OPENSSL_ECDSA
+
/* Define to the length type used by the socket API (socklen_t, size_t, int). */
#undef ISC_SOCKADDR_LEN_T
diff --git a/contrib/bind9/bin/Makefile.in b/contrib/bind9/bin/Makefile.in
index bb908a52e416..89b4673edd35 100644
--- a/contrib/bind9/bin/Makefile.in
+++ b/contrib/bind9/bin/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2004, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007, 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 1998-2001 Internet Software Consortium.
#
# Permission to use, copy, modify, and/or distribute this software for any
@@ -13,13 +13,14 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id$
+# $Id: Makefile.in,v 1.29 2009/10/05 12:07:08 fdupont Exp $
srcdir = @srcdir@
VPATH = @srcdir@
top_srcdir = @top_srcdir@
-SUBDIRS = named rndc dig dnssec tests nsupdate check
+SUBDIRS = named rndc dig dnssec tests tools nsupdate \
+ check confgen @PKCS11_TOOLS@
TARGETS =
@BIND9_MAKE_RULES@
diff --git a/contrib/bind9/bin/check/Makefile.in b/contrib/bind9/bin/check/Makefile.in
index 0a9d57cb42fa..c191605605b1 100644
--- a/contrib/bind9/bin/check/Makefile.in
+++ b/contrib/bind9/bin/check/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2004-2007, 2012 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004-2007, 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2000-2003 Internet Software Consortium.
#
# Permission to use, copy, modify, and/or distribute this software for any
@@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id$
+# $Id: Makefile.in,v 1.36 2009/12/05 23:31:40 each Exp $
srcdir = @srcdir@
VPATH = @srcdir@
@@ -32,6 +32,7 @@ CWARNINGS =
DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
ISCLIBS = ../../lib/isc/libisc.@A@
+ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@
BIND9LIBS = ../../lib/bind9/libbind9.@A@
DNSDEPLIBS = ../../lib/dns/libdns.@A@
@@ -39,7 +40,8 @@ ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@
ISCDEPLIBS = ../../lib/isc/libisc.@A@
BIND9DEPLIBS = ../../lib/bind9/libbind9.@A@
-LIBS = @LIBS@
+LIBS = ${ISCLIBS} @LIBS@
+NOSYMLIBS = ${ISCNOSYMLIBS} @LIBS@
SUBDIRS =
@@ -69,14 +71,14 @@ named-checkzone.@O@: named-checkzone.c
named-checkconf@EXEEXT@: named-checkconf.@O@ check-tool.@O@ ${ISCDEPLIBS} \
${ISCCFGDEPLIBS} ${BIND9DEPLIBS}
- ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
- named-checkconf.@O@ check-tool.@O@ ${BIND9LIBS} ${ISCCFGLIBS} \
- ${DNSLIBS} ${ISCLIBS} ${LIBS}
+ export BASEOBJS="named-checkconf.@O@ check-tool.@O@"; \
+ export LIBS0="${BIND9LIBS} ${ISCCFGLIBS} ${DNSLIBS}"; \
+ ${FINALBUILDCMD}
named-checkzone@EXEEXT@: named-checkzone.@O@ check-tool.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
- ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
- named-checkzone.@O@ check-tool.@O@ ${ISCCFGLIBS} ${DNSLIBS} \
- ${ISCLIBS} ${LIBS}
+ export BASEOBJS="named-checkzone.@O@ check-tool.@O@"; \
+ export LIBS0="${ISCCFGLIBS} ${DNSLIBS}"; \
+ ${FINALBUILDCMD}
doc man:: ${MANOBJS}
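Review bot: Both link recipes (named-checkconf and named-checkzone) now end in `${FINALBUILDCMD}`, which is not defined in this file and receives its inputs only through the exported shell variables BASEOBJS and LIBS0, so the actual link line can no longer be read here. A short comment above the first rule would help, for example `# FINALBUILDCMD comes from the included make rules; it links $@ from $$BASEOBJS and $$LIBS0 (both exported below)`. Which other variables it reads (presumably `${LIBS}` and the new `${NOSYMLIBS}`) should be confirmed against its definition before the comment names them. The `export ...; \` lines must stay on one continued recipe line, because the exports are lost if the continuation is ever split.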
diff --git a/contrib/bind9/bin/check/check-tool.c b/contrib/bind9/bin/check/check-tool.c
index cb330f2f7db2..2bf16a686c55 100644
--- a/contrib/bind9/bin/check/check-tool.c
+++ b/contrib/bind9/bin/check/check-tool.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2010, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: check-tool.c,v 1.41 2010/09/07 23:46:59 tbox Exp $ */
/*! \file */
@@ -601,8 +601,7 @@ load_zone(isc_mem_t *mctx, const char *zonename, const char *filename,
isc_buffer_add(&buffer, strlen(zonename));
dns_fixedname_init(&fixorigin);
origin = dns_fixedname_name(&fixorigin);
- CHECK(dns_name_fromtext(origin, &buffer, dns_rootname,
- ISC_FALSE, NULL));
+ CHECK(dns_name_fromtext(origin, &buffer, dns_rootname, 0, NULL));
CHECK(dns_zone_setorigin(zone, origin));
CHECK(dns_zone_setdbtype(zone, 1, (const char * const *) dbtype));
CHECK(dns_zone_setfile2(zone, filename, fileformat));
diff --git a/contrib/bind9/bin/check/check-tool.h b/contrib/bind9/bin/check/check-tool.h
index 140406fe8108..e988597a740d 100644
--- a/contrib/bind9/bin/check/check-tool.h
+++ b/contrib/bind9/bin/check/check-tool.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2007, 2010, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2010 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: check-tool.h,v 1.16 2010/09/07 23:46:59 tbox Exp $ */
#ifndef CHECK_TOOL_H
#define CHECK_TOOL_H
diff --git a/contrib/bind9/bin/check/named-checkconf.8 b/contrib/bind9/bin/check/named-checkconf.8
index 331820f516be..67a8f4a3da6a 100644
--- a/contrib/bind9/bin/check/named-checkconf.8
+++ b/contrib/bind9/bin/check/named-checkconf.8
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004, 2005, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2000-2002 Internet Software Consortium.
.\"
.\" Permission to use, copy, modify, and/or distribute this software for any
@@ -33,11 +33,29 @@
named\-checkconf \- named configuration file syntax checking tool
.SH "SYNOPSIS"
.HP 16
-\fBnamed\-checkconf\fR [\fB\-h\fR] [\fB\-v\fR] [\fB\-j\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] {filename} [\fB\-z\fR]
+\fBnamed\-checkconf\fR [\fB\-h\fR] [\fB\-v\fR] [\fB\-j\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] {filename} [\fB\-p\fR] [\fB\-z\fR]
.SH "DESCRIPTION"
.PP
\fBnamed\-checkconf\fR
-checks the syntax, but not the semantics, of a named configuration file.
+checks the syntax, but not the semantics, of a
+\fBnamed\fR
+configuration file. The file is parsed and checked for syntax errors, along with all files included by it. If no file is specified,
+\fI/etc/named.conf\fR
+is read by default.
+.PP
+Note: files that
+\fBnamed\fR
+reads in separate parser contexts, such as
+\fIrndc.key\fR
+and
+\fIbind.keys\fR, are not automatically read by
+\fBnamed\-checkconf\fR. Configuration errors in these files may cause
+\fBnamed\fR
+to fail to run, even if
+\fBnamed\-checkconf\fR
+was successful.
+\fBnamed\-checkconf\fR
+can be run on these files explicitly, however.
.SH "OPTIONS"
.PP
\-h
@@ -59,6 +77,13 @@ Print the version of the
program and exit.
.RE
.PP
+\-p
+.RS 4
+Print out the
+\fInamed.conf\fR
+and included files in canonical form if no errors were detected.
+.RE
+.PP
\-z
.RS 4
Perform a test load of all master zones found in
@@ -88,7 +113,7 @@ BIND 9 Administrator Reference Manual.
.PP
Internet Systems Consortium
.SH "COPYRIGHT"
-Copyright \(co 2004, 2005, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
.br
Copyright \(co 2000\-2002 Internet Software Consortium.
.br
diff --git a/contrib/bind9/bin/check/named-checkconf.c b/contrib/bind9/bin/check/named-checkconf.c
index 12e0ab4679ee..a342dd9fbd9a 100644
--- a/contrib/bind9/bin/check/named-checkconf.c
+++ b/contrib/bind9/bin/check/named-checkconf.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2007, 2009-2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009-2011 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: named-checkconf.c,v 1.54.62.2 2011/03/12 04:59:13 tbox Exp $ */
/*! \file */
@@ -64,7 +64,7 @@ usage(void) ISC_PLATFORM_NORETURN_POST;
static void
usage(void) {
- fprintf(stderr, "usage: %s [-h] [-j] [-v] [-z] [-t directory] "
+ fprintf(stderr, "usage: %s [-h] [-j] [-p] [-v] [-z] [-t directory] "
"[named.conf]\n", program);
exit(1);
}
@@ -206,6 +206,24 @@ configure_zone(const char *vclass, const char *view,
zfile = cfg_obj_asstring(fileobj);
obj = NULL;
+ if (get_maps(maps, "check-dup-records", &obj)) {
+ if (strcasecmp(cfg_obj_asstring(obj), "warn") == 0) {
+ zone_options |= DNS_ZONEOPT_CHECKDUPRR;
+ zone_options &= ~DNS_ZONEOPT_CHECKDUPRRFAIL;
+ } else if (strcasecmp(cfg_obj_asstring(obj), "fail") == 0) {
+ zone_options |= DNS_ZONEOPT_CHECKDUPRR;
+ zone_options |= DNS_ZONEOPT_CHECKDUPRRFAIL;
+ } else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) {
+ zone_options &= ~DNS_ZONEOPT_CHECKDUPRR;
+ zone_options &= ~DNS_ZONEOPT_CHECKDUPRRFAIL;
+ } else
+ INSIST(0);
+ } else {
+ zone_options |= DNS_ZONEOPT_CHECKDUPRR;
+ zone_options &= ~DNS_ZONEOPT_CHECKDUPRRFAIL;
+ }
+
+ obj = NULL;
if (get_maps(maps, "check-mx", &obj)) {
if (strcasecmp(cfg_obj_asstring(obj), "warn") == 0) {
zone_options |= DNS_ZONEOPT_CHECKMX;
@@ -390,6 +408,15 @@ load_zones_fromconfig(const cfg_obj_t *config, isc_mem_t *mctx) {
return (result);
}
+static void
+output(void *closure, const char *text, int textlen) {
+ UNUSED(closure);
+ if (fwrite(text, 1, textlen, stdout) != (size_t)textlen) {
+ perror("fwrite");
+ exit(1);
+ }
+}
+
/*% The main processing routine */
int
main(int argc, char **argv) {
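Review bot: The new `output()` callback passes the signed `textlen` straight to `fwrite()`, so a negative length would be converted to a very large `size_t` count before the comparison is reached. Whether `cfg_print()` can ever pass a negative length is not visible here, but the assumption is cheap to pin with `INSIST(textlen >= 0);` as the first statement, using the macro this file already uses. The function also lacks a header comment; something like `/*% cfg_print() callback: write textlen bytes of text to stdout, exit(1) on a short write */` would match the style of the comment on `main()`.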
@@ -402,10 +429,11 @@ main(int argc, char **argv) {
int exit_status = 0;
isc_entropy_t *ectx = NULL;
isc_boolean_t load_zones = ISC_FALSE;
+ isc_boolean_t print = ISC_FALSE;
isc_commandline_errprint = ISC_FALSE;
- while ((c = isc_commandline_parse(argc, argv, "dhjt:vz")) != EOF) {
+ while ((c = isc_commandline_parse(argc, argv, "dhjt:pvz")) != EOF) {
switch (c) {
case 'd':
debug++;
@@ -424,6 +452,10 @@ main(int argc, char **argv) {
}
break;
+ case 'p':
+ print = ISC_TRUE;
+ break;
+
case 'v':
printf(VERSION "\n");
exit(0);
@@ -488,6 +520,8 @@ main(int argc, char **argv) {
exit_status = 1;
}
+ if (print && exit_status == 0)
+ cfg_print(config, output, NULL);
cfg_obj_destroy(parser, &config);
cfg_parser_destroy(&parser);
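Review bot: The added `cfg_print(config, output, NULL)` call writes the whole parsed configuration to stdout, and neither this code nor the new -p manual text says whether `key` statement secrets are part of that output. If `cfg_print()` emits them verbatim (its body is not shown in this commit view), `-p` output redirected into logs, tickets or a world-readable file would disclose TSIG/rndc key material. I would add `/* NOTE: printed configuration may include key secrets from named.conf and its includes */` above the call and say the same in the -p entry of the man page. main() begins and ends outside this hunk.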
diff --git a/contrib/bind9/bin/check/named-checkconf.docbook b/contrib/bind9/bin/check/named-checkconf.docbook
index 8040d9fa0126..9535e28430cf 100644
--- a/contrib/bind9/bin/check/named-checkconf.docbook
+++ b/contrib/bind9/bin/check/named-checkconf.docbook
@@ -2,7 +2,7 @@
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- - Copyright (C) 2004, 2005, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2002 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id$ -->
+<!-- $Id: named-checkconf.docbook,v 1.22 2009/12/28 23:21:16 each Exp $ -->
<refentry id="man.named-checkconf">
<refentryinfo>
<date>June 14, 2000</date>
@@ -35,7 +35,7 @@
<year>2004</year>
<year>2005</year>
<year>2007</year>
- <year>2012</year>
+ <year>2009</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
<copyright>
@@ -59,6 +59,7 @@
<arg><option>-j</option></arg>
<arg><option>-t <replaceable class="parameter">directory</replaceable></option></arg>
<arg choice="req">filename</arg>
+ <arg><option>-p</option></arg>
<arg><option>-z</option></arg>
</cmdsynopsis>
</refsynopsisdiv>
@@ -66,8 +67,21 @@
<refsect1>
<title>DESCRIPTION</title>
<para><command>named-checkconf</command>
- checks the syntax, but not the semantics, of a named
- configuration file.
+ checks the syntax, but not the semantics, of a
+ <command>named</command> configuration file. The file is parsed
+ and checked for syntax errors, along with all files included by it.
+ If no file is specified, <filename>/etc/named.conf</filename> is read
+ by default.
+ </para>
+ <para>
+ Note: files that <command>named</command> reads in separate
+ parser contexts, such as <filename>rndc.key</filename> and
+ <filename>bind.keys</filename>, are not automatically read
+ by <command>named-checkconf</command>. Configuration
+ errors in these files may cause <command>named</command> to
+ fail to run, even if <command>named-checkconf</command> was
+ successful. <command>named-checkconf</command> can be run
+ on these files explicitly, however.
</para>
</refsect1>
@@ -88,8 +102,7 @@
<term>-t <replaceable class="parameter">directory</replaceable></term>
<listitem>
<para>
- Chroot to <filename>directory</filename> so that
- include
+ Chroot to <filename>directory</filename> so that include
directives in the configuration file are processed as if
run by a similarly chrooted named.
</para>
@@ -107,6 +120,16 @@
</varlistentry>
<varlistentry>
+ <term>-p</term>
+ <listitem>
+ <para>
+ Print out the <filename>named.conf</filename> and included files
+ in canonical form if no errors were detected.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term>-z</term>
<listitem>
<para>
diff --git a/contrib/bind9/bin/check/named-checkconf.html b/contrib/bind9/bin/check/named-checkconf.html
index b0ca777aac05..aa80c7cbe888 100644
--- a/contrib/bind9/bin/check/named-checkconf.html
+++ b/contrib/bind9/bin/check/named-checkconf.html
@@ -1,5 +1,5 @@
<!--
- - Copyright (C) 2004, 2005, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2002 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@@ -29,17 +29,30 @@
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">named-checkconf</code> [<code class="option">-h</code>] [<code class="option">-v</code>] [<code class="option">-j</code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] {filename} [<code class="option">-z</code>]</p></div>
+<div class="cmdsynopsis"><p><code class="command">named-checkconf</code> [<code class="option">-h</code>] [<code class="option">-v</code>] [<code class="option">-j</code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] {filename} [<code class="option">-p</code>] [<code class="option">-z</code>]</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543390"></a><h2>DESCRIPTION</h2>
+<a name="id2543396"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">named-checkconf</strong></span>
- checks the syntax, but not the semantics, of a named
- configuration file.
+ checks the syntax, but not the semantics, of a
+ <span><strong class="command">named</strong></span> configuration file. The file is parsed
+ and checked for syntax errors, along with all files included by it.
+ If no file is specified, <code class="filename">/etc/named.conf</code> is read
+ by default.
+ </p>
+<p>
+ Note: files that <span><strong class="command">named</strong></span> reads in separate
+ parser contexts, such as <code class="filename">rndc.key</code> and
+ <code class="filename">bind.keys</code>, are not automatically read
+ by <span><strong class="command">named-checkconf</strong></span>. Configuration
+ errors in these files may cause <span><strong class="command">named</strong></span> to
+ fail to run, even if <span><strong class="command">named-checkconf</strong></span> was
+ successful. <span><strong class="command">named-checkconf</strong></span> can be run
+ on these files explicitly, however.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543402"></a><h2>OPTIONS</h2>
+<a name="id2543445"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-h</span></dt>
<dd><p>
@@ -47,8 +60,7 @@
</p></dd>
<dt><span class="term">-t <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
- Chroot to <code class="filename">directory</code> so that
- include
+ Chroot to <code class="filename">directory</code> so that include
directives in the configuration file are processed as if
run by a similarly chrooted named.
</p></dd>
@@ -57,6 +69,11 @@
Print the version of the <span><strong class="command">named-checkconf</strong></span>
program and exit.
</p></dd>
+<dt><span class="term">-p</span></dt>
+<dd><p>
+ Print out the <code class="filename">named.conf</code> and included files
+ in canonical form if no errors were detected.
+ </p></dd>
<dt><span class="term">-z</span></dt>
<dd><p>
Perform a test load of all master zones found in
@@ -74,21 +91,21 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543510"></a><h2>RETURN VALUES</h2>
+<a name="id2543569"></a><h2>RETURN VALUES</h2>
<p><span><strong class="command">named-checkconf</strong></span>
returns an exit status of 1 if
errors were detected and 0 otherwise.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543522"></a><h2>SEE ALSO</h2>
+<a name="id2543580"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">named-checkzone</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543552"></a><h2>AUTHOR</h2>
+<a name="id2543610"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
diff --git a/contrib/bind9/bin/check/named-checkzone.8 b/contrib/bind9/bin/check/named-checkzone.8
index df0233a719c5..92c8bdcffcf1 100644
--- a/contrib/bind9/bin/check/named-checkzone.8
+++ b/contrib/bind9/bin/check/named-checkzone.8
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004-2007, 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004-2007, 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2000-2002 Internet Software Consortium.
.\"
.\" Permission to use, copy, modify, and/or distribute this software for any
@@ -33,9 +33,9 @@
named\-checkzone, named\-compilezone \- zone file validity checking or converting tool
.SH "SYNOPSIS"
.HP 16
-\fBnamed\-checkzone\fR [\fB\-d\fR] [\fB\-h\fR] [\fB\-j\fR] [\fB\-q\fR] [\fB\-v\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-f\ \fR\fB\fIformat\fR\fR] [\fB\-F\ \fR\fB\fIformat\fR\fR] [\fB\-i\ \fR\fB\fImode\fR\fR] [\fB\-k\ \fR\fB\fImode\fR\fR] [\fB\-m\ \fR\fB\fImode\fR\fR] [\fB\-M\ \fR\fB\fImode\fR\fR] [\fB\-n\ \fR\fB\fImode\fR\fR] [\fB\-s\ \fR\fB\fIstyle\fR\fR] [\fB\-S\ \fR\fB\fImode\fR\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-w\ \fR\fB\fIdirectory\fR\fR] [\fB\-D\fR] [\fB\-W\ \fR\fB\fImode\fR\fR] {zonename} {filename}
+\fBnamed\-checkzone\fR [\fB\-d\fR] [\fB\-h\fR] [\fB\-j\fR] [\fB\-q\fR] [\fB\-v\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-f\ \fR\fB\fIformat\fR\fR] [\fB\-F\ \fR\fB\fIformat\fR\fR] [\fB\-i\ \fR\fB\fImode\fR\fR] [\fB\-k\ \fR\fB\fImode\fR\fR] [\fB\-m\ \fR\fB\fImode\fR\fR] [\fB\-M\ \fR\fB\fImode\fR\fR] [\fB\-n\ \fR\fB\fImode\fR\fR] [\fB\-o\ \fR\fB\fIfilename\fR\fR] [\fB\-r\ \fR\fB\fImode\fR\fR] [\fB\-s\ \fR\fB\fIstyle\fR\fR] [\fB\-S\ \fR\fB\fImode\fR\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-w\ \fR\fB\fIdirectory\fR\fR] [\fB\-D\fR] [\fB\-W\ \fR\fB\fImode\fR\fR] {zonename} {filename}
.HP 18
-\fBnamed\-compilezone\fR [\fB\-d\fR] [\fB\-j\fR] [\fB\-q\fR] [\fB\-v\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-C\ \fR\fB\fImode\fR\fR] [\fB\-f\ \fR\fB\fIformat\fR\fR] [\fB\-F\ \fR\fB\fIformat\fR\fR] [\fB\-i\ \fR\fB\fImode\fR\fR] [\fB\-k\ \fR\fB\fImode\fR\fR] [\fB\-m\ \fR\fB\fImode\fR\fR] [\fB\-n\ \fR\fB\fImode\fR\fR] [\fB\-o\ \fR\fB\fIfilename\fR\fR] [\fB\-s\ \fR\fB\fIstyle\fR\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-w\ \fR\fB\fIdirectory\fR\fR] [\fB\-D\fR] [\fB\-W\ \fR\fB\fImode\fR\fR] {\fB\-o\ \fR\fB\fIfilename\fR\fR} {zonename} {filename}
+\fBnamed\-compilezone\fR [\fB\-d\fR] [\fB\-j\fR] [\fB\-q\fR] [\fB\-v\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-C\ \fR\fB\fImode\fR\fR] [\fB\-f\ \fR\fB\fIformat\fR\fR] [\fB\-F\ \fR\fB\fIformat\fR\fR] [\fB\-i\ \fR\fB\fImode\fR\fR] [\fB\-k\ \fR\fB\fImode\fR\fR] [\fB\-m\ \fR\fB\fImode\fR\fR] [\fB\-n\ \fR\fB\fImode\fR\fR] [\fB\-r\ \fR\fB\fImode\fR\fR] [\fB\-s\ \fR\fB\fIstyle\fR\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-w\ \fR\fB\fIdirectory\fR\fR] [\fB\-D\fR] [\fB\-W\ \fR\fB\fImode\fR\fR] {\fB\-o\ \fR\fB\fIfilename\fR\fR} {zonename} {filename}
.SH "DESCRIPTION"
.PP
\fBnamed\-checkzone\fR
@@ -201,6 +201,15 @@ then write to standard out. This is mandatory for
\fBnamed\-compilezone\fR.
.RE
.PP
+\-r \fImode\fR
+.RS 4
+Check for records that are treated as different by DNSSEC but are semantically equal in plain DNS. Possible modes are
+\fB"fail"\fR,
+\fB"warn"\fR
+(default) and
+\fB"ignore"\fR.
+.RE
+.PP
\-s \fIstyle\fR
.RS 4
Specify the style of the dumped zone file. Possible styles are
@@ -272,7 +281,7 @@ BIND 9 Administrator Reference Manual.
.PP
Internet Systems Consortium
.SH "COPYRIGHT"
-Copyright \(co 2004\-2007, 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004\-2007, 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
.br
Copyright \(co 2000\-2002 Internet Software Consortium.
.br
diff --git a/contrib/bind9/bin/check/named-checkzone.c b/contrib/bind9/bin/check/named-checkzone.c
index 2d37ddf78d0a..11491b580862 100644
--- a/contrib/bind9/bin/check/named-checkzone.c
+++ b/contrib/bind9/bin/check/named-checkzone.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: named-checkzone.c,v 1.61.62.2 2011/12/22 23:45:54 tbox Exp $ */
/*! \file */
@@ -80,12 +80,13 @@ usage(void) {
"[-f inputformat] [-F outputformat] "
"[-t directory] [-w directory] [-k (ignore|warn|fail)] "
"[-n (ignore|warn|fail)] [-m (ignore|warn|fail)] "
+ "[-r (ignore|warn|fail)] "
"[-i (full|full-sibling|local|local-sibling|none)] "
"[-M (ignore|warn|fail)] [-S (ignore|warn|fail)] "
"[-W (ignore|warn)] "
"%s zonename filename\n",
prog_name,
- progmode == progmode_check ? "[-o filename]" : "{-o filename}");
+ progmode == progmode_check ? "[-o filename]" : "-o filename");
exit(1);
}
@@ -144,17 +145,19 @@ main(int argc, char **argv) {
if (progmode == progmode_compile) {
zone_options |= (DNS_ZONEOPT_CHECKNS |
DNS_ZONEOPT_FATALNS |
+ DNS_ZONEOPT_CHECKDUPRR |
DNS_ZONEOPT_CHECKNAMES |
DNS_ZONEOPT_CHECKNAMESFAIL |
DNS_ZONEOPT_CHECKWILDCARD);
- }
+ } else
+ zone_options |= DNS_ZONEOPT_CHECKDUPRR;
#define ARGCMP(X) (strcmp(isc_commandline_argument, X) == 0)
isc_commandline_errprint = ISC_FALSE;
while ((c = isc_commandline_parse(argc, argv,
- "c:df:hi:jk:m:n:qs:t:o:vw:DF:M:S:W:"))
+ "c:df:hi:jk:m:n:qr:s:t:o:vw:DF:M:S:W:"))
!= EOF) {
switch (c) {
case 'c':
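Review bot: `DNS_ZONEOPT_CHECKDUPRR` is now ORed into `zone_options` on both sides of the `if (progmode == progmode_compile)` test, and the new `else` is unbraced after a braced `if`. Setting the flag once, unconditionally, with `zone_options |= DNS_ZONEOPT_CHECKDUPRR;` right after the block would leave the compile-only list holding just the options that differ between the two modes, and it removes the mixed brace style. main() starts and continues outside this hunk.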
@@ -266,16 +269,27 @@ main(int argc, char **argv) {
}
break;
+ case 'o':
+ output_filename = isc_commandline_argument;
+ break;
+
case 'q':
quiet++;
break;
- case 't':
- result = isc_dir_chroot(isc_commandline_argument);
- if (result != ISC_R_SUCCESS) {
- fprintf(stderr, "isc_dir_chroot: %s: %s\n",
- isc_commandline_argument,
- isc_result_totext(result));
+ case 'r':
+ if (ARGCMP("warn")) {
+ zone_options |= DNS_ZONEOPT_CHECKDUPRR;
+ zone_options &= ~DNS_ZONEOPT_CHECKDUPRRFAIL;
+ } else if (ARGCMP("fail")) {
+ zone_options |= DNS_ZONEOPT_CHECKDUPRR |
+ DNS_ZONEOPT_CHECKDUPRRFAIL;
+ } else if (ARGCMP("ignore")) {
+ zone_options &= ~(DNS_ZONEOPT_CHECKDUPRR |
+ DNS_ZONEOPT_CHECKDUPRRFAIL);
+ } else {
+ fprintf(stderr, "invalid argument to -r: %s\n",
+ isc_commandline_argument);
exit(1);
}
break;
@@ -293,8 +307,14 @@ main(int argc, char **argv) {
}
break;
- case 'o':
- output_filename = isc_commandline_argument;
+ case 't':
+ result = isc_dir_chroot(isc_commandline_argument);
+ if (result != ISC_R_SUCCESS) {
+ fprintf(stderr, "isc_dir_chroot: %s: %s\n",
+ isc_commandline_argument,
+ isc_result_totext(result));
+ exit(1);
+ }
break;
case 'v':
diff --git a/contrib/bind9/bin/check/named-checkzone.docbook b/contrib/bind9/bin/check/named-checkzone.docbook
index b6df56dd6eed..33dc15e47095 100644
--- a/contrib/bind9/bin/check/named-checkzone.docbook
+++ b/contrib/bind9/bin/check/named-checkzone.docbook
@@ -2,7 +2,7 @@
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- - Copyright (C) 2004-2007, 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2007, 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2002 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id$ -->
+<!-- $Id: named-checkzone.docbook,v 1.40 2010/01/16 23:48:15 tbox Exp $ -->
<refentry id="man.named-checkzone">
<refentryinfo>
<date>June 13, 2000</date>
@@ -37,7 +37,7 @@
<year>2006</year>
<year>2007</year>
<year>2009</year>
- <year>2012</year>
+ <year>2010</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
<copyright>
@@ -70,6 +70,8 @@
<arg><option>-m <replaceable class="parameter">mode</replaceable></option></arg>
<arg><option>-M <replaceable class="parameter">mode</replaceable></option></arg>
<arg><option>-n <replaceable class="parameter">mode</replaceable></option></arg>
+ <arg><option>-o <replaceable class="parameter">filename</replaceable></option></arg>
+ <arg><option>-r <replaceable class="parameter">mode</replaceable></option></arg>
<arg><option>-s <replaceable class="parameter">style</replaceable></option></arg>
<arg><option>-S <replaceable class="parameter">mode</replaceable></option></arg>
<arg><option>-t <replaceable class="parameter">directory</replaceable></option></arg>
@@ -93,7 +95,7 @@
<arg><option>-k <replaceable class="parameter">mode</replaceable></option></arg>
<arg><option>-m <replaceable class="parameter">mode</replaceable></option></arg>
<arg><option>-n <replaceable class="parameter">mode</replaceable></option></arg>
- <arg><option>-o <replaceable class="parameter">filename</replaceable></option></arg>
+ <arg><option>-r <replaceable class="parameter">mode</replaceable></option></arg>
<arg><option>-s <replaceable class="parameter">style</replaceable></option></arg>
<arg><option>-t <replaceable class="parameter">directory</replaceable></option></arg>
<arg><option>-w <replaceable class="parameter">directory</replaceable></option></arg>
@@ -321,6 +323,19 @@
</varlistentry>
<varlistentry>
+ <term>-r <replaceable class="parameter">mode</replaceable></term>
+ <listitem>
+ <para>
+ Check for records that are treated as different by DNSSEC but
+ are semantically equal in plain DNS.
+ Possible modes are <command>"fail"</command>,
+ <command>"warn"</command> (default) and
+ <command>"ignore"</command>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term>-s <replaceable class="parameter">style</replaceable></term>
<listitem>
<para>
diff --git a/contrib/bind9/bin/check/named-checkzone.html b/contrib/bind9/bin/check/named-checkzone.html
index 3886658df1d1..2be53a7b3498 100644
--- a/contrib/bind9/bin/check/named-checkzone.html
+++ b/contrib/bind9/bin/check/named-checkzone.html
@@ -1,5 +1,5 @@
<!--
- - Copyright (C) 2004-2007, 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2007, 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2002 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@@ -29,11 +29,11 @@
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">named-checkzone</code> [<code class="option">-d</code>] [<code class="option">-h</code>] [<code class="option">-j</code>] [<code class="option">-q</code>] [<code class="option">-v</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-f <em class="replaceable"><code>format</code></em></code>] [<code class="option">-F <em class="replaceable"><code>format</code></em></code>] [<code class="option">-i <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-k <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-m <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-M <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-n <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-s <em class="replaceable"><code>style</code></em></code>] [<code class="option">-S <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-w <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-W <em class="replaceable"><code>mode</code></em></code>] {zonename} {filename}</p></div>
-<div class="cmdsynopsis"><p><code class="command">named-compilezone</code> [<code class="option">-d</code>] [<code class="option">-j</code>] [<code class="option">-q</code>] [<code class="option">-v</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-C <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-f <em class="replaceable"><code>format</code></em></code>] [<code class="option">-F <em class="replaceable"><code>format</code></em></code>] [<code class="option">-i <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-k <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-m <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-n <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-o <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-s <em class="replaceable"><code>style</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-w <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-W <em class="replaceable"><code>mode</code></em></code>] {<code class="option">-o <em class="replaceable"><code>filename</code></em></code>} {zonename} {filename}</p></div>
+<div class="cmdsynopsis"><p><code class="command">named-checkzone</code> [<code class="option">-d</code>] [<code class="option">-h</code>] [<code class="option">-j</code>] [<code class="option">-q</code>] [<code class="option">-v</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-f <em class="replaceable"><code>format</code></em></code>] [<code class="option">-F <em class="replaceable"><code>format</code></em></code>] [<code class="option">-i <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-k <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-m <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-M <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-n <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-o <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-r <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-s <em class="replaceable"><code>style</code></em></code>] [<code class="option">-S <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-w <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-W <em class="replaceable"><code>mode</code></em></code>] {zonename} {filename}</p></div>
+<div class="cmdsynopsis"><p><code class="command">named-compilezone</code> [<code class="option">-d</code>] [<code class="option">-j</code>] [<code class="option">-q</code>] [<code class="option">-v</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-C <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-f <em class="replaceable"><code>format</code></em></code>] [<code class="option">-F <em class="replaceable"><code>format</code></em></code>] [<code class="option">-i <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-k <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-m <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-n <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-r <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-s <em class="replaceable"><code>style</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-w <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-W <em class="replaceable"><code>mode</code></em></code>] {<code class="option">-o <em class="replaceable"><code>filename</code></em></code>} {zonename} {filename}</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543677"></a><h2>DESCRIPTION</h2>
+<a name="id2543696"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">named-checkzone</strong></span>
checks the syntax and integrity of a zone file. It performs the
same checks as <span><strong class="command">named</strong></span> does when loading a
@@ -53,7 +53,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543713"></a><h2>OPTIONS</h2>
+<a name="id2543731"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-d</span></dt>
<dd><p>
@@ -177,6 +177,14 @@
write to standard out.
This is mandatory for <span><strong class="command">named-compilezone</strong></span>.
</p></dd>
+<dt><span class="term">-r <em class="replaceable"><code>mode</code></em></span></dt>
+<dd><p>
+ Check for records that are treated as different by DNSSEC but
+ are semantically equal in plain DNS.
+ Possible modes are <span><strong class="command">"fail"</strong></span>,
+ <span><strong class="command">"warn"</strong></span> (default) and
+ <span><strong class="command">"ignore"</strong></span>.
+ </p></dd>
<dt><span class="term">-s <em class="replaceable"><code>style</code></em></span></dt>
<dd><p>
Specify the style of the dumped zone file.
@@ -239,14 +247,14 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2544333"></a><h2>RETURN VALUES</h2>
+<a name="id2544446"></a><h2>RETURN VALUES</h2>
<p><span><strong class="command">named-checkzone</strong></span>
returns an exit status of 1 if
errors were detected and 0 otherwise.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2544345"></a><h2>SEE ALSO</h2>
+<a name="id2544458"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">named-checkconf</span>(8)</span>,
<em class="citetitle">RFC 1035</em>,
@@ -254,7 +262,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2544446"></a><h2>AUTHOR</h2>
+<a name="id2544491"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
diff --git a/contrib/bind9/bin/confgen/Makefile.in b/contrib/bind9/bin/confgen/Makefile.in
new file mode 100644
index 000000000000..8b3e5aa1c4de
--- /dev/null
+++ b/contrib/bind9/bin/confgen/Makefile.in
@@ -0,0 +1,101 @@
+# Copyright (C) 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.8 2009/12/05 23:31:40 each Exp $
+
+srcdir = @srcdir@
+VPATH = @srcdir@
+top_srcdir = @top_srcdir@
+
+@BIND9_VERSION@
+
+@BIND9_MAKE_INCLUDES@
+
+CINCLUDES = -I${srcdir}/include ${ISC_INCLUDES} ${ISCCC_INCLUDES} \
+ ${ISCCFG_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES}
+
+CDEFINES =
+CWARNINGS =
+
+ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
+ISCCCLIBS = ../../lib/isccc/libisccc.@A@
+ISCLIBS = ../../lib/isc/libisc.@A@
+ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@
+DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
+BIND9LIBS = ../../lib/bind9/libbind9.@A@
+
+ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@
+ISCCCDEPLIBS = ../../lib/isccc/libisccc.@A@
+ISCDEPLIBS = ../../lib/isc/libisc.@A@
+DNSDEPLIBS = ../../lib/dns/libdns.@A@
+BIND9DEPLIBS = ../../lib/bind9/libbind9.@A@
+
+RNDCLIBS = ${ISCCFGLIBS} ${ISCCCLIBS} ${BIND9LIBS} ${DNSLIBS} ${ISCLIBS} @LIBS@
+RNDCDEPLIBS = ${ISCCFGDEPLIBS} ${ISCCCDEPLIBS} ${BIND9DEPLIBS} ${DNSDEPLIBS} ${ISCDEPLIBS}
+
+LIBS = ${DNSLIBS} ${ISCLIBS} @LIBS@
+
+NOSYMLIBS = ${DNSLIBS} ${ISCNOSYMLIBS} @LIBS@
+
+CONFDEPLIBS = ${DNSDEPLIBS} ${ISCDEPLIBS}
+
+SRCS= rndc-confgen.c ddns-confgen.c
+
+SUBDIRS = unix
+
+TARGETS = rndc-confgen@EXEEXT@ ddns-confgen@EXEEXT@
+
+MANPAGES = rndc-confgen.8 ddns-confgen.8
+
+HTMLPAGES = rndc-confgen.html ddns-confgen.html
+
+MANOBJS = ${MANPAGES} ${HTMLPAGES}
+
+UOBJS = unix/os.@O@
+
+@BIND9_MAKE_RULES@
+
+rndc-confgen.@O@: rndc-confgen.c
+ ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
+ -DRNDC_KEYFILE=\"${sysconfdir}/rndc.key\" \
+ -c ${srcdir}/rndc-confgen.c
+
+ddns-confgen.@O@: ddns-confgen.c
+ ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -c ${srcdir}/ddns-confgen.c
+
+rndc-confgen@EXEEXT@: rndc-confgen.@O@ util.@O@ keygen.@O@ ${UOBJS} ${CONFDEPLIBS}
+ export BASEOBJS="rndc-confgen.@O@ util.@O@ keygen.@O@ ${UOBJS}"; \
+ ${FINALBUILDCMD}
+
+ddns-confgen@EXEEXT@: ddns-confgen.@O@ util.@O@ keygen.@O@ ${UOBJS} ${CONFDEPLIBS}
+ export BASEOBJS="ddns-confgen.@O@ util.@O@ keygen.@O@ ${UOBJS}"; \
+ ${FINALBUILDCMD}
+
+doc man:: ${MANOBJS}
+
+docclean manclean maintainer-clean::
+ rm -f ${MANOBJS}
+
+installdirs:
+ $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
+ $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
+
+install:: rndc-confgen@EXEEXT@ ddns-confgen@EXEEXT@ installdirs
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} rndc-confgen@EXEEXT@ ${DESTDIR}${sbindir}
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} ddns-confgen@EXEEXT@ ${DESTDIR}${sbindir}
+ ${INSTALL_DATA} ${srcdir}/rndc-confgen.8 ${DESTDIR}${mandir}/man8
+ ${INSTALL_DATA} ${srcdir}/ddns-confgen.8 ${DESTDIR}${mandir}/man8
+
+clean distclean maintainer-clean::
+ rm -f ${TARGETS}
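Review bot: `SRCS` lists only rndc-confgen.c and ddns-confgen.c, yet both link rules also depend on `util.@O@` and `keygen.@O@`, and the only explicit compile rules in this file are for the two *-confgen objects. If the rules substituted for `@BIND9_MAKE_RULES@` derive dependency tracking from `SRCS` (not visible in this hunk), a change to a header used by the shared key-generation sources would not trigger a rebuild of those objects. Assuming the sources are util.c and keygen.c, as the object names suggest, `SRCS= rndc-confgen.c ddns-confgen.c util.c keygen.c` would cover them.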
diff --git a/contrib/bind9/bin/confgen/ddns-confgen.8 b/contrib/bind9/bin/confgen/ddns-confgen.8
new file mode 100644
index 000000000000..fd2670e5ff4e
--- /dev/null
+++ b/contrib/bind9/bin/confgen/ddns-confgen.8
@@ -0,0 +1,143 @@
+.\" Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+.\"
+.\" Permission to use, copy, modify, and/or distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+.\" PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\" $Id$
+.\"
+.hy 0
+.ad l
+.\" Title: ddns\-confgen
+.\" Author:
+.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
+.\" Date: Jan 29, 2009
+.\" Manual: BIND9
+.\" Source: BIND9
+.\"
+.TH "DDNS\-CONFGEN" "8" "Jan 29, 2009" "BIND9" "BIND9"
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.SH "NAME"
+ddns\-confgen \- ddns key generation tool
+.SH "SYNOPSIS"
+.HP 13
+\fBddns\-confgen\fR [\fB\-a\ \fR\fB\fIalgorithm\fR\fR] [\fB\-h\fR] [\fB\-k\ \fR\fB\fIkeyname\fR\fR] [\fB\-r\ \fR\fB\fIrandomfile\fR\fR] [\-s\ \fIname\fR | \-z\ \fIzone\fR] [\fB\-q\fR] [name]
+.SH "DESCRIPTION"
+.PP
+\fBddns\-confgen\fR
+generates a key for use by
+\fBnsupdate\fR
+and
+\fBnamed\fR. It simplifies configuration of dynamic zones by generating a key and providing the
+\fBnsupdate\fR
+and
+\fBnamed.conf\fR
+syntax that will be needed to use it, including an example
+\fBupdate\-policy\fR
+statement.
+.PP
+If a domain name is specified on the command line, it will be used in the name of the generated key and in the sample
+\fBnamed.conf\fR
+syntax. For example,
+\fBddns\-confgen example.com\fR
+would generate a key called "ddns\-key.example.com", and sample
+\fBnamed.conf\fR
+command that could be used in the zone definition for "example.com".
+.PP
+Note that
+\fBnamed\fR
+itself can configure a local DDNS key for use with
+\fBnsupdate \-l\fR.
+\fBddns\-confgen\fR
+is only needed when a more elaborate configuration is required: for instance, if
+\fBnsupdate\fR
+is to be used from a remote system.
+.SH "OPTIONS"
+.PP
+\-a \fIalgorithm\fR
+.RS 4
+Specifies the algorithm to use for the TSIG key. Available choices are: hmac\-md5, hmac\-sha1, hmac\-sha224, hmac\-sha256, hmac\-sha384 and hmac\-sha512. The default is hmac\-sha256.
+.RE
+.PP
+\-h
+.RS 4
+Prints a short summary of the options and arguments to
+\fBddns\-confgen\fR.
+.RE
+.PP
+\-k \fIkeyname\fR
+.RS 4
+Specifies the key name of the DDNS authentication key. The default is
+\fBddns\-key\fR
+when neither the
+\fB\-s\fR
+nor
+\fB\-z\fR
+option is specified; otherwise, the default is
+\fBddns\-key\fR
+as a separate label followed by the argument of the option, e.g.,
+\fBddns\-key.example.com.\fR
+The key name must have the format of a valid domain name, consisting of letters, digits, hyphens and periods.
+.RE
+.PP
+\-q
+.RS 4
+Quiet mode: Print only the key, with no explanatory text or usage examples.
+.RE
+.PP
+\-r \fIrandomfile\fR
+.RS 4
+Specifies a source of random data for generating the authorization. If the operating system does not provide a
+\fI/dev/random\fR
+or equivalent device, the default source of randomness is keyboard input.
+\fIrandomdev\fR
+specifies the name of a character device or file containing random data to be used instead of the default. The special value
+\fIkeyboard\fR
+indicates that keyboard input should be used.
+.RE
+.PP
+\-s \fIname\fR
+.RS 4
+Single host mode: The example
+\fBnamed.conf\fR
+text shows how to set an update policy for the specified
+\fIname\fR
+using the "name" nametype. The default key name is ddns\-key.\fIname\fR. Note that the "self" nametype cannot be used, since the name to be updated may differ from the key name. This option cannot be used with the
+\fB\-z\fR
+option.
+.RE
+.PP
+\-z \fIzone\fR
+.RS 4
+zone mode: The example
+\fBnamed.conf\fR
+text shows how to set an update policy for the specified
+\fIzone\fR
+using the "zonesub" nametype, allowing updates to all subdomain names within that
+\fIzone\fR. This option cannot be used with the
+\fB\-s\fR
+option.
+.RE
+.SH "SEE ALSO"
+.PP
+\fBnsupdate\fR(1),
+\fBnamed.conf\fR(5),
+\fBnamed\fR(8),
+BIND 9 Administrator Reference Manual.
+.SH "AUTHOR"
+.PP
+Internet Systems Consortium
+.SH "COPYRIGHT"
+Copyright \(co 2009 Internet Systems Consortium, Inc. ("ISC")
+.br
diff --git a/contrib/bind9/bin/confgen/ddns-confgen.c b/contrib/bind9/bin/confgen/ddns-confgen.c
new file mode 100644
index 000000000000..826b500d950c
--- /dev/null
+++ b/contrib/bind9/bin/confgen/ddns-confgen.c
@@ -0,0 +1,258 @@
+/*
+ * Copyright (C) 2009, 2011 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: ddns-confgen.c,v 1.9.308.2 2011/03/12 04:59:13 tbox Exp $ */
+
+/*! \file */
+
+/**
+ * ddns-confgen generates configuration files for dynamic DNS. It can
+ * be used as a convenient alternative to writing the ddns.key file
+ * and the corresponding key and update-policy statements in named.conf.
+ */
+
+#include <config.h>
+
+#include <stdlib.h>
+#include <stdarg.h>
+
+#include <isc/assertions.h>
+#include <isc/base64.h>
+#include <isc/buffer.h>
+#include <isc/commandline.h>
+#include <isc/entropy.h>
+#include <isc/file.h>
+#include <isc/keyboard.h>
+#include <isc/mem.h>
+#include <isc/net.h>
+#include <isc/print.h>
+#include <isc/result.h>
+#include <isc/string.h>
+#include <isc/time.h>
+#include <isc/util.h>
+
+#include <dns/keyvalues.h>
+#include <dns/name.h>
+
+#include <dst/dst.h>
+#include <confgen/os.h>
+
+#include "util.h"
+#include "keygen.h"
+
+#define DEFAULT_KEYNAME "ddns-key"
+
+static char program[256];
+const char *progname;
+
+isc_boolean_t verbose = ISC_FALSE;
+
+ISC_PLATFORM_NORETURN_PRE static void
+usage(int status) ISC_PLATFORM_NORETURN_POST;
+
+static void
+usage(int status) {
+
+ fprintf(stderr, "\
+Usage:\n\
+ %s [-a alg] [-k keyname] [-r randomfile] [-q] [-s name | -z zone]\n\
+ -a alg: algorithm (default hmac-sha256)\n\
+ -k keyname: name of the key as it will be used in named.conf\n\
+ -r randomfile: source of random data (use \"keyboard\" for key timing)\n\
+ -s name: domain name to be updated using the created key\n\
+ -z zone: name of the zone as it will be used in named.conf\n\
+ -q: quiet mode: print the key, with no explanatory text\n",
+ progname);
+
+ exit (status);
+}
+
+int
+main(int argc, char **argv) {
+ isc_boolean_t show_final_mem = ISC_FALSE;
+ isc_boolean_t quiet = ISC_FALSE;
+ isc_buffer_t key_txtbuffer;
+ char key_txtsecret[256];
+ isc_mem_t *mctx = NULL;
+ isc_result_t result = ISC_R_SUCCESS;
+ const char *randomfile = NULL;
+ const char *keyname = NULL;
+ const char *zone = NULL;
+ const char *self_domain = NULL;
+ char *keybuf = NULL;
+ dns_secalg_t alg = DST_ALG_HMACSHA256;
+ const char *algname = alg_totext(alg);
+ int keysize = 256;
+ int len = 0;
+ int ch;
+
+ result = isc_file_progname(*argv, program, sizeof(program));
+ if (result != ISC_R_SUCCESS)
+ memcpy(program, "ddns-confgen", 13);
+ progname = program;
+
+ isc_commandline_errprint = ISC_FALSE;
+
+ while ((ch = isc_commandline_parse(argc, argv,
+ "a:hk:Mmr:qs:Vy:z:")) != -1) {
+ switch (ch) {
+ case 'a':
+ algname = isc_commandline_argument;
+ alg = alg_fromtext(algname);
+ if (alg == DST_ALG_UNKNOWN)
+ fatal("Unsupported algorithm '%s'", algname);
+ keysize = alg_bits(alg);
+ break;
+ case 'h':
+ usage(0);
+ case 'k':
+ case 'y':
+ keyname = isc_commandline_argument;
+ break;
+ case 'M':
+ isc_mem_debugging = ISC_MEM_DEBUGTRACE;
+ break;
+ case 'm':
+ show_final_mem = ISC_TRUE;
+ break;
+ case 'q':
+ quiet = ISC_TRUE;
+ break;
+ case 'r':
+ randomfile = isc_commandline_argument;
+ break;
+ case 's':
+ self_domain = isc_commandline_argument;
+ break;
+ case 'V':
+ verbose = ISC_TRUE;
+ break;
+ case 'z':
+ zone = isc_commandline_argument;
+ break;
+ case '?':
+ if (isc_commandline_option != '?') {
+ fprintf(stderr, "%s: invalid argument -%c\n",
+ program, isc_commandline_option);
+ usage(1);
+ } else
+ usage(0);
+ break;
+ default:
+ fprintf(stderr, "%s: unhandled option -%c\n",
+ program, isc_commandline_option);
+ exit(1);
+ }
+ }
+
+ argc -= isc_commandline_index;
+ argv += isc_commandline_index;
+ POST(argv);
+
+ if (self_domain != NULL && zone != NULL)
+ usage(1); /* -s and -z cannot coexist */
+
+ if (argc > 0)
+ usage(1);
+
+ DO("create memory context", isc_mem_create(0, 0, &mctx));
+
+ if (keyname == NULL) {
+ const char *suffix = NULL;
+
+ keyname = DEFAULT_KEYNAME;
+ if (self_domain != NULL)
+ suffix = self_domain;
+ else if (zone != NULL)
+ suffix = zone;
+ if (suffix != NULL) {
+ len = strlen(keyname) + strlen(suffix) + 2;
+ keybuf = isc_mem_get(mctx, len);
+ if (keybuf == NULL)
+ fatal("failed to allocate memory for keyname");
+ snprintf(keybuf, len, "%s.%s", keyname, suffix);
+ keyname = (const char *) keybuf;
+ }
+ }
+
+ isc_buffer_init(&key_txtbuffer, &key_txtsecret, sizeof(key_txtsecret));
+
+ generate_key(mctx, randomfile, alg, keysize, &key_txtbuffer);
+
+
+ if (!quiet)
+ printf("\
+# To activate this key, place the following in named.conf, and\n\
+# in a separate keyfile on the system or systems from which nsupdate\n\
+# will be run:\n");
+
+ printf("\
+key \"%s\" {\n\
+ algorithm %s;\n\
+ secret \"%.*s\";\n\
+};\n",
+ keyname, algname,
+ (int)isc_buffer_usedlength(&key_txtbuffer),
+ (char *)isc_buffer_base(&key_txtbuffer));
+
+ if (!quiet) {
+ if (self_domain != NULL) {
+ printf("\n\
+# Then, in the \"zone\" statement for the zone containing the\n\
+# name \"%s\", place an \"update-policy\" statement\n\
+# like this one, adjusted as needed for your preferred permissions:\n\
+update-policy {\n\
+ grant %s name %s ANY;\n\
+};\n",
+ self_domain, keyname, self_domain);
+ } else if (zone != NULL) {
+ printf("\n\
+# Then, in the \"zone\" definition statement for \"%s\",\n\
+# place an \"update-policy\" statement like this one, adjusted as \n\
+# needed for your preferred permissions:\n\
+update-policy {\n\
+ grant %s zonesub ANY;\n\
+};\n",
+ zone, keyname);
+ } else {
+ printf("\n\
+# Then, in the \"zone\" statement for each zone you wish to dynamically\n\
+# update, place an \"update-policy\" statement granting update permission\n\
+# to this key. For example, the following statement grants this key\n\
+# permission to update any name within the zone:\n\
+update-policy {\n\
+ grant %s zonesub ANY;\n\
+};\n",
+ keyname);
+ }
+
+ printf("\n\
+# After the keyfile has been placed, the following command will\n\
+# execute nsupdate using this key:\n\
+nsupdate -k <keyfile>\n");
+
+ }
+
+ if (keybuf != NULL)
+ isc_mem_put(mctx, keybuf, len);
+
+ if (show_final_mem)
+ isc_mem_stats(mctx, stderr);
+
+ isc_mem_destroy(&mctx);
+
+ return (0);
+}
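Review bot: In main(), the arguments of -k/-y, -s and -z go from `isc_commandline_argument` straight into the printed `key "%s" { ... }` and `update-policy` text with no check, so a value containing a quote, semicolon, brace or newline yields output that named.conf parses as different statements than the operator intended. The man page added in this commit says the key name must consist of letters, digits, hyphens and periods, but nothing in this file enforces that; rejecting other characters before the first printf closes the gap (the helper below needs `<ctype.h>`, and the accepted set should be widened if names with underscores must work). Separately, `if (argc > 0) usage(1);` rejects the positional `[name]` that the synopsis and the `ddns-confgen example.com` example document, so either the code or the documentation should change.

```c
/* Accept only the characters the man page documents for key names. */
static isc_boolean_t
confname_ok(const char *s) {
	if (s == NULL || *s == '\0')
		return (ISC_FALSE);
	for (; *s != '\0'; s++)
		if (!isalnum((unsigned char)*s) && *s != '-' && *s != '.')
			return (ISC_FALSE);
	return (ISC_TRUE);
}

/* … unchanged: option parsing, -s/-z exclusivity check … */
	if (argc > 0)
		usage(1);

	if (keyname != NULL && !confname_ok(keyname))
		fatal("invalid key name '%s'", keyname);
	if (self_domain != NULL && !confname_ok(self_domain))
		fatal("invalid name '%s'", self_domain);
	if (zone != NULL && !confname_ok(zone))
		fatal("invalid zone name '%s'", zone);
/* … unchanged: memory context, key generation, output … */
```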
diff --git a/contrib/bind9/bin/confgen/ddns-confgen.docbook b/contrib/bind9/bin/confgen/ddns-confgen.docbook
new file mode 100644
index 000000000000..cedfbf5726c8
--- /dev/null
+++ b/contrib/bind9/bin/confgen/ddns-confgen.docbook
@@ -0,0 +1,218 @@
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
+ [<!ENTITY mdash "&#8212;">]>
+<!--
+ - Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ -
+ - Permission to use, copy, modify, and/or distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: ddns-confgen.docbook,v 1.6 2009/09/18 22:08:55 fdupont Exp $ -->
+<refentry id="man.ddns-confgen">
+ <refentryinfo>
+ <date>Jan 29, 2009</date>
+ </refentryinfo>
+
+ <refmeta>
+ <refentrytitle><application>ddns-confgen</application></refentrytitle>
+ <manvolnum>8</manvolnum>
+ <refmiscinfo>BIND9</refmiscinfo>
+ </refmeta>
+
+ <refnamediv>
+ <refname><application>ddns-confgen</application></refname>
+ <refpurpose>ddns key generation tool</refpurpose>
+ </refnamediv>
+
+ <docinfo>
+ <copyright>
+ <year>2009</year>
+ <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
+ </copyright>
+ </docinfo>
+
+ <refsynopsisdiv>
+ <cmdsynopsis>
+ <command>ddns-confgen</command>
+ <arg><option>-a <replaceable class="parameter">algorithm</replaceable></option></arg>
+ <arg><option>-h</option></arg>
+ <arg><option>-k <replaceable class="parameter">keyname</replaceable></option></arg>
+ <arg><option>-r <replaceable class="parameter">randomfile</replaceable></option></arg>
+ <group>
+ <arg choice="plain">-s <replaceable class="parameter">name</replaceable></arg>
+ <arg choice="plain">-z <replaceable class="parameter">zone</replaceable></arg>
+ </group>
+ <arg><option>-q</option></arg>
+ <arg choice="opt">name</arg>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsect1>
+ <title>DESCRIPTION</title>
+ <para><command>ddns-confgen</command>
+ generates a key for use by <command>nsupdate</command>
+ and <command>named</command>. It simplifies configuration
+ of dynamic zones by generating a key and providing the
+ <command>nsupdate</command> and <command>named.conf</command>
+ syntax that will be needed to use it, including an example
+ <command>update-policy</command> statement.
+ </para>
+
+ <para>
+ If a domain name is specified on the command line, it will
+ be used in the name of the generated key and in the sample
+ <command>named.conf</command> syntax. For example,
+ <command>ddns-confgen example.com</command> would
+ generate a key called "ddns-key.example.com", and sample
+ <command>named.conf</command> command that could be used
+ in the zone definition for "example.com".
+ </para>
+
+ <para>
+ Note that <command>named</command> itself can configure a
+ local DDNS key for use with <command>nsupdate -l</command>.
+ <command>ddns-confgen</command> is only needed when a
+ more elaborate configuration is required: for instance, if
+ <command>nsupdate</command> is to be used from a remote system.
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>OPTIONS</title>
+
+ <variablelist>
+ <varlistentry>
+ <term>-a <replaceable class="parameter">algorithm</replaceable></term>
+ <listitem>
+ <para>
+ Specifies the algorithm to use for the TSIG key. Available
+ choices are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256,
+ hmac-sha384 and hmac-sha512. The default is hmac-sha256.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-h</term>
+ <listitem>
+ <para>
+ Prints a short summary of the options and arguments to
+ <command>ddns-confgen</command>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-k <replaceable class="parameter">keyname</replaceable></term>
+ <listitem>
+ <para>
+ Specifies the key name of the DDNS authentication key.
+ The default is <constant>ddns-key</constant> when neither
+ the <option>-s</option> nor <option>-z</option> option is
+ specified; otherwise, the default
+ is <constant>ddns-key</constant> as a separate label
+ followed by the argument of the option, e.g.,
+ <constant>ddns-key.example.com.</constant>
+ The key name must have the format of a valid domain name,
+ consisting of letters, digits, hyphens and periods.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-q</term>
+ <listitem>
+ <para>
+ Quiet mode: Print only the key, with no explanatory text or
+ usage examples.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-r <replaceable class="parameter">randomfile</replaceable></term>
+ <listitem>
+ <para>
+ Specifies a source of random data for generating the
+ authorization. If the operating system does not provide a
+ <filename>/dev/random</filename> or equivalent device, the
+ default source of randomness is keyboard input.
+ <filename>randomdev</filename> specifies the name of a
+ character device or file containing random data to be used
+ instead of the default. The special value
+ <filename>keyboard</filename> indicates that keyboard input
+ should be used.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-s <replaceable class="parameter">name</replaceable></term>
+ <listitem>
+ <para>
+ Single host mode: The example <command>named.conf</command> text
+ shows how to set an update policy for the specified
+ <replaceable class="parameter">name</replaceable>
+ using the "name" nametype.
+ The default key name is
+ ddns-key.<replaceable class="parameter">name</replaceable>.
+ Note that the "self" nametype cannot be used, since
+ the name to be updated may differ from the key name.
+ This option cannot be used with the <option>-z</option> option.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-z <replaceable class="parameter">zone</replaceable></term>
+ <listitem>
+ <para>
+ zone mode: The example <command>named.conf</command> text
+ shows how to set an update policy for the specified
+ <replaceable class="parameter">zone</replaceable>
+ using the "zonesub" nametype, allowing updates to all subdomain
+ names within
+ that <replaceable class="parameter">zone</replaceable>.
+ This option cannot be used with the <option>-s</option> option.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect1>
+
+ <refsect1>
+ <title>SEE ALSO</title>
+ <para><citerefentry>
+ <refentrytitle>nsupdate</refentrytitle><manvolnum>1</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>named.conf</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citetitle>BIND 9 Administrator Reference Manual</citetitle>.
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>AUTHOR</title>
+ <para><corpauthor>Internet Systems Consortium</corpauthor>
+ </para>
+ </refsect1>
+
+</refentry><!--
+ - Local variables:
+ - mode: sgml
+ - End:
+-->
diff --git a/contrib/bind9/bin/confgen/ddns-confgen.html b/contrib/bind9/bin/confgen/ddns-confgen.html
new file mode 100644
index 000000000000..6b2f7dc5d563
--- /dev/null
+++ b/contrib/bind9/bin/confgen/ddns-confgen.html
@@ -0,0 +1,141 @@
+<!--
+ - Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ -
+ - Permission to use, copy, modify, and/or distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+<!-- $Id$ -->
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>ddns-confgen</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
+<a name="man.ddns-confgen"></a><div class="titlepage"></div>
+<div class="refnamediv">
+<h2>Name</h2>
+<p><span class="application">ddns-confgen</span> &#8212; ddns key generation tool</p>
+</div>
+<div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+<div class="cmdsynopsis"><p><code class="command">ddns-confgen</code> [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>keyname</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomfile</code></em></code>] [ -s <em class="replaceable"><code>name</code></em> | -z <em class="replaceable"><code>zone</code></em> ] [<code class="option">-q</code>] [name]</p></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543396"></a><h2>DESCRIPTION</h2>
+<p><span><strong class="command">ddns-confgen</strong></span>
+ generates a key for use by <span><strong class="command">nsupdate</strong></span>
+ and <span><strong class="command">named</strong></span>. It simplifies configuration
+ of dynamic zones by generating a key and providing the
+ <span><strong class="command">nsupdate</strong></span> and <span><strong class="command">named.conf</strong></span>
+ syntax that will be needed to use it, including an example
+ <span><strong class="command">update-policy</strong></span> statement.
+ </p>
+<p>
+ If a domain name is specified on the command line, it will
+ be used in the name of the generated key and in the sample
+ <span><strong class="command">named.conf</strong></span> syntax. For example,
+ <span><strong class="command">ddns-confgen example.com</strong></span> would
+ generate a key called "ddns-key.example.com", and sample
+ <span><strong class="command">named.conf</strong></span> command that could be used
+ in the zone definition for "example.com".
+ </p>
+<p>
+ Note that <span><strong class="command">named</strong></span> itself can configure a
+ local DDNS key for use with <span><strong class="command">nsupdate -l</strong></span>.
+ <span><strong class="command">ddns-confgen</strong></span> is only needed when a
+ more elaborate configuration is required: for instance, if
+ <span><strong class="command">nsupdate</strong></span> is to be used from a remote system.
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543456"></a><h2>OPTIONS</h2>
+<div class="variablelist"><dl>
+<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
+<dd><p>
+ Specifies the algorithm to use for the TSIG key. Available
+ choices are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256,
+ hmac-sha384 and hmac-sha512. The default is hmac-sha256.
+ </p></dd>
+<dt><span class="term">-h</span></dt>
+<dd><p>
+ Prints a short summary of the options and arguments to
+ <span><strong class="command">ddns-confgen</strong></span>.
+ </p></dd>
+<dt><span class="term">-k <em class="replaceable"><code>keyname</code></em></span></dt>
+<dd><p>
+ Specifies the key name of the DDNS authentication key.
+ The default is <code class="constant">ddns-key</code> when neither
+ the <code class="option">-s</code> nor <code class="option">-z</code> option is
+ specified; otherwise, the default
+ is <code class="constant">ddns-key</code> as a separate label
+ followed by the argument of the option, e.g.,
+ <code class="constant">ddns-key.example.com.</code>
+ The key name must have the format of a valid domain name,
+ consisting of letters, digits, hyphens and periods.
+ </p></dd>
+<dt><span class="term">-q</span></dt>
+<dd><p>
+ Quiet mode: Print only the key, with no explanatory text or
+ usage examples.
+ </p></dd>
+<dt><span class="term">-r <em class="replaceable"><code>randomfile</code></em></span></dt>
+<dd><p>
+ Specifies a source of random data for generating the
+ authorization. If the operating system does not provide a
+ <code class="filename">/dev/random</code> or equivalent device, the
+ default source of randomness is keyboard input.
+ <code class="filename">randomdev</code> specifies the name of a
+ character device or file containing random data to be used
+ instead of the default. The special value
+ <code class="filename">keyboard</code> indicates that keyboard input
+ should be used.
+ </p></dd>
+<dt><span class="term">-s <em class="replaceable"><code>name</code></em></span></dt>
+<dd><p>
+ Single host mode: The example <span><strong class="command">named.conf</strong></span> text
+ shows how to set an update policy for the specified
+ <em class="replaceable"><code>name</code></em>
+ using the "name" nametype.
+ The default key name is
+ ddns-key.<em class="replaceable"><code>name</code></em>.
+ Note that the "self" nametype cannot be used, since
+ the name to be updated may differ from the key name.
+ This option cannot be used with the <code class="option">-z</code> option.
+ </p></dd>
+<dt><span class="term">-z <em class="replaceable"><code>zone</code></em></span></dt>
+<dd><p>
+ zone mode: The example <span><strong class="command">named.conf</strong></span> text
+ shows how to set an update policy for the specified
+ <em class="replaceable"><code>zone</code></em>
+ using the "zonesub" nametype, allowing updates to all subdomain
+ names within
+ that <em class="replaceable"><code>zone</code></em>.
+ This option cannot be used with the <code class="option">-s</code> option.
+ </p></dd>
+</dl></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543643"></a><h2>SEE ALSO</h2>
+<p><span class="citerefentry"><span class="refentrytitle">nsupdate</span>(1)</span>,
+ <span class="citerefentry"><span class="refentrytitle">named.conf</span>(5)</span>,
+ <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
+ <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543682"></a><h2>AUTHOR</h2>
+<p><span class="corpauthor">Internet Systems Consortium</span>
+ </p>
+</div>
+</div></body>
+</html>
diff --git a/contrib/bind9/bin/confgen/include/confgen/os.h b/contrib/bind9/bin/confgen/include/confgen/os.h
new file mode 100644
index 000000000000..2019701fa62d
--- /dev/null
+++ b/contrib/bind9/bin/confgen/include/confgen/os.h
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: os.h,v 1.3 2009/06/11 23:47:55 tbox Exp $ */
+
+/*! \file */
+
+#ifndef RNDC_OS_H
+#define RNDC_OS_H 1
+
+#include <isc/lang.h>
+#include <stdio.h>
+
+ISC_LANG_BEGINDECLS
+
+int set_user(FILE *fd, const char *user);
+/*%<
+ * Set the owner of the file referenced by 'fd' to 'user'.
+ * Returns:
+ * 0 success
+ * -1 insufficient permissions, or 'user' does not exist.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif
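Review bot: The include guard in this new `confgen/os.h` is still `RNDC_OS_H`, the name it would have had as `rndc/os.h`; the new `keygen.h` and `util.h` in this commit likewise use `RNDC_KEYGEN_H` and `RNDC_UTIL_H`. If a header with the same guard remains under bin/rndc (not visible in this part of the diff), a translation unit that includes both would silently drop the second one. I would rename the guards to match the new directory, e.g. `#ifndef CONFGEN_OS_H` / `#define CONFGEN_OS_H 1`.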
diff --git a/contrib/bind9/bin/confgen/keygen.c b/contrib/bind9/bin/confgen/keygen.c
new file mode 100644
index 000000000000..a5db317700d8
--- /dev/null
+++ b/contrib/bind9/bin/confgen/keygen.c
@@ -0,0 +1,218 @@
+/*
+ * Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: keygen.c,v 1.4 2009/11/12 14:02:38 marka Exp $ */
+
+/*! \file */
+
+#include <config.h>
+
+#include <stdlib.h>
+#include <stdarg.h>
+
+#include <isc/base64.h>
+#include <isc/buffer.h>
+#include <isc/entropy.h>
+#include <isc/file.h>
+#include <isc/keyboard.h>
+#include <isc/mem.h>
+#include <isc/result.h>
+#include <isc/string.h>
+
+#include <dns/keyvalues.h>
+#include <dns/name.h>
+
+#include <dst/dst.h>
+#include <confgen/os.h>
+
+#include "util.h"
+#include "keygen.h"
+
+/*%
+ * Convert algorithm type to string.
+ */
+const char *
+alg_totext(dns_secalg_t alg) {
+ switch (alg) {
+ case DST_ALG_HMACMD5:
+ return "hmac-md5";
+ case DST_ALG_HMACSHA1:
+ return "hmac-sha1";
+ case DST_ALG_HMACSHA224:
+ return "hmac-sha224";
+ case DST_ALG_HMACSHA256:
+ return "hmac-sha256";
+ case DST_ALG_HMACSHA384:
+ return "hmac-sha384";
+ case DST_ALG_HMACSHA512:
+ return "hmac-sha512";
+ default:
+ return "(unknown)";
+ }
+}
+
+/*%
+ * Convert string to algorithm type.
+ */
+dns_secalg_t
+alg_fromtext(const char *name) {
+ if (strcmp(name, "hmac-md5") == 0)
+ return DST_ALG_HMACMD5;
+ if (strcmp(name, "hmac-sha1") == 0)
+ return DST_ALG_HMACSHA1;
+ if (strcmp(name, "hmac-sha224") == 0)
+ return DST_ALG_HMACSHA224;
+ if (strcmp(name, "hmac-sha256") == 0)
+ return DST_ALG_HMACSHA256;
+ if (strcmp(name, "hmac-sha384") == 0)
+ return DST_ALG_HMACSHA384;
+ if (strcmp(name, "hmac-sha512") == 0)
+ return DST_ALG_HMACSHA512;
+ return DST_ALG_UNKNOWN;
+}
+
+/*%
+ * Return default keysize for a given algorithm type.
+ */
+int
+alg_bits(dns_secalg_t alg) {
+ switch (alg) {
+ case DST_ALG_HMACMD5:
+ return 128;
+ case DST_ALG_HMACSHA1:
+ return 160;
+ case DST_ALG_HMACSHA224:
+ return 224;
+ case DST_ALG_HMACSHA256:
+ return 256;
+ case DST_ALG_HMACSHA384:
+ return 384;
+ case DST_ALG_HMACSHA512:
+ return 512;
+ default:
+ return 0;
+ }
+}
+
+/*%
+ * Generate a key of size 'keysize' using entropy source 'randomfile',
+ * and place it in 'key_txtbuffer'
+ */
+void
+generate_key(isc_mem_t *mctx, const char *randomfile, dns_secalg_t alg,
+ int keysize, isc_buffer_t *key_txtbuffer) {
+ isc_result_t result = ISC_R_SUCCESS;
+ isc_entropysource_t *entropy_source = NULL;
+ int open_keyboard = ISC_ENTROPY_KEYBOARDMAYBE;
+ int entropy_flags = 0;
+ isc_entropy_t *ectx = NULL;
+ isc_buffer_t key_rawbuffer;
+ isc_region_t key_rawregion;
+ char key_rawsecret[64];
+ dst_key_t *key = NULL;
+
+ switch (alg) {
+ case DST_ALG_HMACMD5:
+ if (keysize < 1 || keysize > 512)
+ fatal("keysize %d out of range (must be 1-512)\n",
+ keysize);
+ break;
+ case DST_ALG_HMACSHA256:
+ if (keysize < 1 || keysize > 256)
+ fatal("keysize %d out of range (must be 1-256)\n",
+ keysize);
+ break;
+ default:
+ fatal("unsupported algorithm %d\n", alg);
+ }
+
+
+ DO("create entropy context", isc_entropy_create(mctx, &ectx));
+
+ if (randomfile != NULL && strcmp(randomfile, "keyboard") == 0) {
+ randomfile = NULL;
+ open_keyboard = ISC_ENTROPY_KEYBOARDYES;
+ }
+ DO("start entropy source", isc_entropy_usebestsource(ectx,
+ &entropy_source,
+ randomfile,
+ open_keyboard));
+
+ entropy_flags = ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY;
+
+ DO("initialize dst library", dst_lib_init(mctx, ectx, entropy_flags));
+
+ DO("generate key", dst_key_generate(dns_rootname, alg,
+ keysize, 0, 0,
+ DNS_KEYPROTO_ANY,
+ dns_rdataclass_in, mctx, &key));
+
+ isc_buffer_init(&key_rawbuffer, &key_rawsecret, sizeof(key_rawsecret));
+
+ DO("dump key to buffer", dst_key_tobuffer(key, &key_rawbuffer));
+
+ isc_buffer_usedregion(&key_rawbuffer, &key_rawregion);
+
+ DO("bsse64 encode secret", isc_base64_totext(&key_rawregion, -1, "",
+ key_txtbuffer));
+
+ /*
+ * Shut down the entropy source now so the "stop typing" message
+ * does not muck with the output.
+ */
+ if (entropy_source != NULL)
+ isc_entropy_destroysource(&entropy_source);
+
+ if (key != NULL)
+ dst_key_free(&key);
+
+ isc_entropy_detach(&ectx);
+ dst_lib_destroy();
+}
+
+/*%
+ * Write a key file to 'keyfile'. If 'user' is non-NULL,
+ * make that user the owner of the file. The key will have
+ * the name 'keyname' and the secret in the buffer 'secret'.
+ */
+void
+write_key_file(const char *keyfile, const char *user,
+ const char *keyname, isc_buffer_t *secret,
+ dns_secalg_t alg) {
+ isc_result_t result;
+ const char *algname = alg_totext(alg);
+ FILE *fd = NULL;
+
+ DO("create keyfile", isc_file_safecreate(keyfile, &fd));
+
+ if (user != NULL) {
+ if (set_user(fd, user) == -1)
+ fatal("unable to set file owner\n");
+ }
+
+ fprintf(fd, "key \"%s\" {\n\talgorithm %s;\n"
+ "\tsecret \"%.*s\";\n};\n",
+ keyname, algname,
+ (int)isc_buffer_usedlength(secret),
+ (char *)isc_buffer_base(secret));
+ fflush(fd);
+ if (ferror(fd))
+ fatal("write to %s failed\n", keyfile);
+ if (fclose(fd))
+ fatal("fclose(%s) failed\n", keyfile);
+ fprintf(stderr, "wrote key file \"%s\"\n", keyfile);
+}
+
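Review bot: generate_key() rejects four of the six algorithms that this file and the ddns-confgen man page list. Its `switch (alg)` has cases only for DST_ALG_HMACMD5 and DST_ALG_HMACSHA256, so hmac-sha1, hmac-sha224, hmac-sha384 and hmac-sha512 reach `fatal("unsupported algorithm %d\n", alg)` even though alg_fromtext() and alg_bits() map them. Presumably this is the path `ddns-confgen -a` takes, which would leave users unable to pick a stronger HMAC than SHA-256. I would add cases for the remaining algorithms with a keysize range check; the bound below uses alg_bits() so the raw key always fits the 64-byte key_rawsecret buffer, and it should be confirmed against what dst_key_generate() accepts. The new format string carries no trailing newline because fatal() in util.c appends one itself.

```c
	switch (alg) {
	/* … unchanged: DST_ALG_HMACMD5 and DST_ALG_HMACSHA256 cases … */
	case DST_ALG_HMACSHA1:
	case DST_ALG_HMACSHA224:
	case DST_ALG_HMACSHA384:
	case DST_ALG_HMACSHA512:
		/* Bound by the digest size; every value fits key_rawsecret[64]. */
		if (keysize < 1 || keysize > alg_bits(alg))
			fatal("keysize %d out of range (must be 1-%d)",
			      keysize, alg_bits(alg));
		break;
	/* … unchanged: default case … */
	}
```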
diff --git a/contrib/bind9/bin/confgen/keygen.h b/contrib/bind9/bin/confgen/keygen.h
new file mode 100644
index 000000000000..a9ded4092f54
--- /dev/null
+++ b/contrib/bind9/bin/confgen/keygen.h
@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: keygen.h,v 1.3 2009/06/11 23:47:55 tbox Exp $ */
+
+#ifndef RNDC_KEYGEN_H
+#define RNDC_KEYGEN_H 1
+
+/*! \file */
+
+#include <isc/lang.h>
+
+ISC_LANG_BEGINDECLS
+
+void generate_key(isc_mem_t *mctx, const char *randomfile, dns_secalg_t alg,
+ int keysize, isc_buffer_t *key_txtbuffer);
+
+void write_key_file(const char *keyfile, const char *user,
+ const char *keyname, isc_buffer_t *secret,
+ dns_secalg_t alg);
+
+const char *alg_totext(dns_secalg_t alg);
+dns_secalg_t alg_fromtext(const char *name);
+int alg_bits(dns_secalg_t alg);
+
+ISC_LANG_ENDDECLS
+
+#endif /* RNDC_KEYGEN_H */
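Review bot: This header is not self-contained: the prototypes use `isc_mem_t`, `isc_buffer_t` and `dns_secalg_t`, but the only include is `<isc/lang.h>`, so it compiles only when the including file has already pulled in the ISC and DNS type headers (rndc-confgen.c includes it after `<dns/name.h>` and `<dst/dst.h>`). I would add `#include <isc/types.h>` and `#include <dns/types.h>` next to the existing include. The prototypes also carry no description here; a short comment on generate_key() saying that it calls fatal() (and so exits) on an unsupported algorithm or an out-of-range keysize would tell callers they cannot recover from those errors.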
diff --git a/contrib/bind9/bin/rndc/rndc-confgen.8 b/contrib/bind9/bin/confgen/rndc-confgen.8
index e434179f31fa..faffdac4b5e3 100644
--- a/contrib/bind9/bin/rndc/rndc-confgen.8
+++ b/contrib/bind9/bin/confgen/rndc-confgen.8
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004, 2005, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2001, 2003 Internet Software Consortium.
.\"
.\" Permission to use, copy, modify, and/or distribute this software for any
@@ -205,7 +205,7 @@ BIND 9 Administrator Reference Manual.
.PP
Internet Systems Consortium
.SH "COPYRIGHT"
-Copyright \(co 2004, 2005, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
.br
Copyright \(co 2001, 2003 Internet Software Consortium.
.br
diff --git a/contrib/bind9/bin/rndc/rndc-confgen.c b/contrib/bind9/bin/confgen/rndc-confgen.c
index f2478d0e6b4a..1ad14a99aa15 100644
--- a/contrib/bind9/bin/rndc/rndc-confgen.c
+++ b/contrib/bind9/bin/confgen/rndc-confgen.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2007, 2008, 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007-2009, 2011 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2001, 2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: rndc-confgen.c,v 1.5.308.2 2011/03/12 04:59:13 tbox Exp $ */
/*! \file */
@@ -52,9 +52,10 @@
#include <dns/name.h>
#include <dst/dst.h>
-#include <rndc/os.h>
+#include <confgen/os.h>
#include "util.h"
+#include "keygen.h"
#define DEFAULT_KEYLENGTH 128 /*% Bits. */
#define DEFAULT_KEYNAME "rndc-key"
@@ -78,72 +79,36 @@ usage(int status) {
Usage:\n\
%s [-a] [-b bits] [-c keyfile] [-k keyname] [-p port] [-r randomfile] \
[-s addr] [-t chrootdir] [-u user]\n\
- -a: generate just the key clause and write it to keyfile (%s)\n\
- -b bits: from 1 through 512, default %d; total length of the secret\n\
- -c keyfile: specify an alternate key file (requires -a)\n\
- -k keyname: the name as it will be used in named.conf and rndc.conf\n\
- -p port: the port named will listen on and rndc will connect to\n\
- -r randomfile: a file containing random data\n\
- -s addr: the address to which rndc should connect\n\
- -t chrootdir: write a keyfile in chrootdir as well (requires -a)\n\
- -u user: set the keyfile owner to \"user\" (requires -a)\n",
- progname, keydef, DEFAULT_KEYLENGTH);
+ -a: generate just the key clause and write it to keyfile (%s)\n\
+ -b bits: from 1 through 512, default %d; total length of the secret\n\
+ -c keyfile: specify an alternate key file (requires -a)\n\
+ -k keyname: the name as it will be used in named.conf and rndc.conf\n\
+ -p port: the port named will listen on and rndc will connect to\n\
+ -r randomfile: source of random data (use \"keyboard\" for key timing)\n\
+ -s addr: the address to which rndc should connect\n\
+ -t chrootdir: write a keyfile in chrootdir as well (requires -a)\n\
+ -u user: set the keyfile owner to \"user\" (requires -a)\n",
+ progname, keydef, DEFAULT_KEYLENGTH);
exit (status);
}
-/*%
- * Write an rndc.key file to 'keyfile'. If 'user' is non-NULL,
- * make that user the owner of the file. The key will have
- * the name 'keyname' and the secret in the buffer 'secret'.
- */
-static void
-write_key_file(const char *keyfile, const char *user,
- const char *keyname, isc_buffer_t *secret )
-{
- FILE *fd;
-
- fd = safe_create(keyfile);
- if (fd == NULL)
- fatal( "unable to create \"%s\"\n", keyfile);
- if (user != NULL) {
- if (set_user(fd, user) == -1)
- fatal("unable to set file owner\n");
- }
- fprintf(fd, "key \"%s\" {\n\talgorithm hmac-md5;\n"
- "\tsecret \"%.*s\";\n};\n", keyname,
- (int)isc_buffer_usedlength(secret),
- (char *)isc_buffer_base(secret));
- fflush(fd);
- if (ferror(fd))
- fatal("write to %s failed\n", keyfile);
- if (fclose(fd))
- fatal("fclose(%s) failed\n", keyfile);
- fprintf(stderr, "wrote key file \"%s\"\n", keyfile);
-}
-
int
main(int argc, char **argv) {
isc_boolean_t show_final_mem = ISC_FALSE;
- isc_buffer_t key_rawbuffer;
isc_buffer_t key_txtbuffer;
- isc_region_t key_rawregion;
+ char key_txtsecret[256];
isc_mem_t *mctx = NULL;
- isc_entropy_t *ectx = NULL;
- isc_entropysource_t *entropy_source = NULL;
isc_result_t result = ISC_R_SUCCESS;
- dst_key_t *key = NULL;
const char *keyname = NULL;
const char *randomfile = NULL;
const char *serveraddr = NULL;
- char key_rawsecret[64];
- char key_txtsecret[256];
+ dns_secalg_t alg = DST_ALG_HMACMD5;
+ const char *algname = alg_totext(alg);
char *p;
int ch;
int port;
int keysize;
- int entropy_flags = 0;
- int open_keyboard = ISC_ENTROPY_KEYBOARDMAYBE;
struct in_addr addr4_dummy;
struct in6_addr addr6_dummy;
char *chrootdir = NULL;
@@ -241,53 +206,13 @@ main(int argc, char **argv) {
usage(1);
DO("create memory context", isc_mem_create(0, 0, &mctx));
-
- DO("create entropy context", isc_entropy_create(mctx, &ectx));
-
- if (randomfile != NULL && strcmp(randomfile, "keyboard") == 0) {
- randomfile = NULL;
- open_keyboard = ISC_ENTROPY_KEYBOARDYES;
- }
- DO("start entropy source", isc_entropy_usebestsource(ectx,
- &entropy_source,
- randomfile,
- open_keyboard));
-
- entropy_flags = ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY;
-
- DO("initialize dst library", dst_lib_init(mctx, ectx, entropy_flags));
-
- DO("generate key", dst_key_generate(dns_rootname, DST_ALG_HMACMD5,
- keysize, 0, 0,
- DNS_KEYPROTO_ANY,
- dns_rdataclass_in, mctx, &key));
-
- isc_buffer_init(&key_rawbuffer, &key_rawsecret, sizeof(key_rawsecret));
-
- DO("dump key to buffer", dst_key_tobuffer(key, &key_rawbuffer));
-
isc_buffer_init(&key_txtbuffer, &key_txtsecret, sizeof(key_txtsecret));
- isc_buffer_usedregion(&key_rawbuffer, &key_rawregion);
-
- DO("bsse64 encode secret", isc_base64_totext(&key_rawregion, -1, "",
- &key_txtbuffer));
-
- /*
- * Shut down the entropy source now so the "stop typing" message
- * does not muck with the output.
- */
- if (entropy_source != NULL)
- isc_entropy_destroysource(&entropy_source);
-
- if (key != NULL)
- dst_key_free(&key);
- isc_entropy_detach(&ectx);
- dst_lib_destroy();
+ generate_key(mctx, randomfile, alg, keysize, &key_txtbuffer);
if (keyonly) {
write_key_file(keyfile, chrootdir == NULL ? user : NULL,
- keyname, &key_txtbuffer);
+ keyname, &key_txtbuffer, alg);
if (chrootdir != NULL) {
char *buf;
@@ -298,14 +223,14 @@ main(int argc, char **argv) {
snprintf(buf, len, "%s%s%s", chrootdir,
(*keyfile != '/') ? "/" : "", keyfile);
- write_key_file(buf, user, keyname, &key_txtbuffer);
+ write_key_file(buf, user, keyname, &key_txtbuffer, alg);
isc_mem_put(mctx, buf, len);
}
} else {
printf("\
# Start of rndc.conf\n\
key \"%s\" {\n\
- algorithm hmac-md5;\n\
+ algorithm %s;\n\
secret \"%.*s\";\n\
};\n\
\n\
@@ -318,7 +243,7 @@ options {\n\
\n\
# Use with the following in named.conf, adjusting the allow list as needed:\n\
# key \"%s\" {\n\
-# algorithm hmac-md5;\n\
+# algorithm %s;\n\
# secret \"%.*s\";\n\
# };\n\
# \n\
@@ -327,11 +252,11 @@ options {\n\
# allow { %s; } keys { \"%s\"; };\n\
# };\n\
# End of named.conf\n",
- keyname,
+ keyname, algname,
(int)isc_buffer_usedlength(&key_txtbuffer),
(char *)isc_buffer_base(&key_txtbuffer),
keyname, serveraddr, port,
- keyname,
+ keyname, algname,
(int)isc_buffer_usedlength(&key_txtbuffer),
(char *)isc_buffer_base(&key_txtbuffer),
serveraddr, port, serveraddr, keyname);
diff --git a/contrib/bind9/bin/rndc/rndc-confgen.docbook b/contrib/bind9/bin/confgen/rndc-confgen.docbook
index d3fdc75ff34a..af2cc4321dda 100644
--- a/contrib/bind9/bin/rndc/rndc-confgen.docbook
+++ b/contrib/bind9/bin/confgen/rndc-confgen.docbook
@@ -2,7 +2,7 @@
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- - Copyright (C) 2004, 2005, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2001, 2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id$ -->
+<!-- $Id: rndc-confgen.docbook,v 1.4 2009/06/15 23:47:59 tbox Exp $ -->
<refentry id="man.rndc-confgen">
<refentryinfo>
<date>Aug 27, 2001</date>
@@ -40,7 +40,7 @@
<year>2004</year>
<year>2005</year>
<year>2007</year>
- <year>2012</year>
+ <year>2009</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
<copyright>
diff --git a/contrib/bind9/bin/rndc/rndc-confgen.html b/contrib/bind9/bin/confgen/rndc-confgen.html
index 585ec0fa5191..03ee5199a116 100644
--- a/contrib/bind9/bin/rndc/rndc-confgen.html
+++ b/contrib/bind9/bin/confgen/rndc-confgen.html
@@ -1,5 +1,5 @@
<!--
- - Copyright (C) 2004, 2005, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2001, 2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@@ -32,7 +32,7 @@
<div class="cmdsynopsis"><p><code class="command">rndc-confgen</code> [<code class="option">-a</code>] [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-c <em class="replaceable"><code>keyfile</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>keyname</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomfile</code></em></code>] [<code class="option">-s <em class="replaceable"><code>address</code></em></code>] [<code class="option">-t <em class="replaceable"><code>chrootdir</code></em></code>] [<code class="option">-u <em class="replaceable"><code>user</code></em></code>]</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543432"></a><h2>DESCRIPTION</h2>
+<a name="id2543433"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">rndc-confgen</strong></span>
generates configuration files
for <span><strong class="command">rndc</strong></span>. It can be used as a
@@ -48,7 +48,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543477"></a><h2>OPTIONS</h2>
+<a name="id2543478"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-a</span></dt>
<dd>
@@ -155,7 +155,7 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543790"></a><h2>EXAMPLES</h2>
+<a name="id2543792"></a><h2>EXAMPLES</h2>
<p>
To allow <span><strong class="command">rndc</strong></span> to be used with
no manual configuration, run
@@ -172,7 +172,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543832"></a><h2>SEE ALSO</h2>
+<a name="id2543833"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">rndc.conf</span>(5)</span>,
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
@@ -180,7 +180,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543870"></a><h2>AUTHOR</h2>
+<a name="id2543872"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
diff --git a/contrib/bind9/bin/rndc/unix/Makefile.in b/contrib/bind9/bin/confgen/unix/Makefile.in
index 03c9dc8b1b4e..2ab6d922d555 100644
--- a/contrib/bind9/bin/rndc/unix/Makefile.in
+++ b/contrib/bind9/bin/confgen/unix/Makefile.in
@@ -1,5 +1,4 @@
-# Copyright (C) 2004, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2001 Internet Software Consortium.
+# Copyright (C) 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
@@ -13,7 +12,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id$
+# $Id: Makefile.in,v 1.3 2009/06/11 23:47:55 tbox Exp $
srcdir = @srcdir@
VPATH = @srcdir@
diff --git a/contrib/bind9/bin/rndc/unix/os.c b/contrib/bind9/bin/confgen/unix/os.c
index b582649faf68..3901350d7705 100644
--- a/contrib/bind9/bin/rndc/unix/os.c
+++ b/contrib/bind9/bin/confgen/unix/os.c
@@ -1,6 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2001 Internet Software Consortium.
+ * Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@@ -15,13 +14,13 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: os.c,v 1.3 2009/06/11 23:47:55 tbox Exp $ */
/*! \file */
#include <config.h>
-#include <rndc/os.h>
+#include <confgen/os.h>
#include <fcntl.h>
#include <unistd.h>
@@ -42,29 +41,3 @@ set_user(FILE *fd, const char *user) {
}
return (fchown(fileno(fd), pw->pw_uid, -1));
}
-
-FILE *
-safe_create(const char *filename) {
- int fd;
- FILE *f;
- struct stat sb;
- int flags = O_WRONLY;
-
- if (stat(filename, &sb) == -1) {
- if (errno != ENOENT)
- return (NULL);
- flags = O_WRONLY | O_CREAT | O_EXCL;
- } else if ((sb.st_mode & S_IFREG) == 0) {
- errno = EOPNOTSUPP;
- return (NULL);
- } else
- flags = O_WRONLY | O_TRUNC;
-
- fd = open(filename, flags, S_IRUSR | S_IWUSR);
- if (fd == -1)
- return (NULL);
- f = fdopen(fd, "w");
- if (f == NULL)
- close(fd);
- return (f);
-}
diff --git a/contrib/bind9/bin/confgen/util.c b/contrib/bind9/bin/confgen/util.c
new file mode 100644
index 000000000000..5f5f817a5d3d
--- /dev/null
+++ b/contrib/bind9/bin/confgen/util.c
@@ -0,0 +1,56 @@
+/*
+ * Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: util.c,v 1.3 2009/06/11 23:47:55 tbox Exp $ */
+
+/*! \file */
+
+#include <config.h>
+
+#include <stdarg.h>
+#include <stdlib.h>
+#include <stdio.h>
+
+#include <isc/boolean.h>
+
+#include "util.h"
+
+extern isc_boolean_t verbose;
+extern const char *progname;
+
+void
+notify(const char *fmt, ...) {
+ va_list ap;
+
+ if (verbose) {
+ va_start(ap, fmt);
+ vfprintf(stderr, fmt, ap);
+ va_end(ap);
+ fputs("\n", stderr);
+ }
+}
+
+void
+fatal(const char *format, ...) {
+ va_list args;
+
+ fprintf(stderr, "%s: ", progname);
+ va_start(args, format);
+ vfprintf(stderr, format, args);
+ va_end(args);
+ fprintf(stderr, "\n");
+ exit(1);
+}
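Review bot: fatal() always writes a newline after the formatted message, but that contract is not documented and the callers added in keygen.c in this same commit already end their formats with `\n` (for example `fatal("unable to set file owner\n")`), so those errors print a stray blank line, while the DO macro in util.h passes no newline. I would state the contract above the function, `/*% Print "progname: message" plus a newline to stderr and exit(1); 'format' must not end in a newline. */`, and drop the `\n` from the keygen.c call sites. notify() has the same append-a-newline behaviour and deserves the same one-line comment.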
diff --git a/contrib/bind9/bin/confgen/util.h b/contrib/bind9/bin/confgen/util.h
new file mode 100644
index 000000000000..f3b2ec9dee18
--- /dev/null
+++ b/contrib/bind9/bin/confgen/util.h
@@ -0,0 +1,52 @@
+/*
+ * Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: util.h,v 1.4 2009/09/29 15:06:05 fdupont Exp $ */
+
+#ifndef RNDC_UTIL_H
+#define RNDC_UTIL_H 1
+
+/*! \file */
+
+#include <isc/lang.h>
+#include <isc/platform.h>
+
+#include <isc/formatcheck.h>
+
+#define NS_CONTROL_PORT 953
+
+#undef DO
+#define DO(name, function) \
+ do { \
+ result = function; \
+ if (result != ISC_R_SUCCESS) \
+ fatal("%s: %s", name, isc_result_totext(result)); \
+ else \
+ notify("%s", name); \
+ } while (0)
+
+ISC_LANG_BEGINDECLS
+
+void
+notify(const char *fmt, ...) ISC_FORMAT_PRINTF(1, 2);
+
+ISC_PLATFORM_NORETURN_PRE void
+fatal(const char *format, ...)
+ISC_FORMAT_PRINTF(1, 2) ISC_PLATFORM_NORETURN_POST;
+
+ISC_LANG_ENDDECLS
+
+#endif /* RNDC_UTIL_H */
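Review bot: The include guard in this new confgen header is `RNDC_UTIL_H`, which looks carried over from the rndc copy of the file. If a translation unit ever sees both headers, the second is skipped silently and its declarations go missing; a guard named for this directory, e.g. `#ifndef CONFGEN_UTIL_H` / `#define CONFGEN_UTIL_H 1`, avoids that. The `DO()` macro also assigns to a variable called `result` that the caller must have in scope, which deserves a comment above the macro such as `/* DO() requires an isc_result_t named "result" in the calling scope. */`.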
diff --git a/contrib/bind9/bin/dig/Makefile.in b/contrib/bind9/bin/dig/Makefile.in
index eaac0ae2bded..2a3bc5d6fe8b 100644
--- a/contrib/bind9/bin/dig/Makefile.in
+++ b/contrib/bind9/bin/dig/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2004, 2005, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2005, 2007, 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2000-2002 Internet Software Consortium.
#
# Permission to use, copy, modify, and/or distribute this software for any
@@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id$
+# $Id: Makefile.in,v 1.47 2009/12/05 23:31:40 each Exp $
srcdir = @srcdir@
VPATH = @srcdir@
@@ -24,7 +24,7 @@ top_srcdir = @top_srcdir@
@BIND9_MAKE_INCLUDES@
CINCLUDES = -I${srcdir}/include ${DNS_INCLUDES} ${BIND9_INCLUDES} \
- ${ISC_INCLUDES} ${LWRES_INCLUDES}
+ ${ISC_INCLUDES} ${LWRES_INCLUDES} ${ISCCFG_INCLUDES}
CDEFINES = -DVERSION=\"${VERSION}\"
CWARNINGS =
@@ -33,6 +33,7 @@ ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
BIND9LIBS = ../../lib/bind9/libbind9.@A@
ISCLIBS = ../../lib/isc/libisc.@A@
+ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@
LWRESLIBS = ../../lib/lwres/liblwres.@A@
ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@
@@ -44,8 +45,11 @@ LWRESDEPLIBS = ../../lib/lwres/liblwres.@A@
DEPLIBS = ${DNSDEPLIBS} ${BIND9DEPLIBS} ${ISCDEPLIBS} ${ISCCFGDEPLIBS} \
${LWRESDEPLIBS}
-LIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} ${ISCLIBS} \
- ${ISCCFGLIBS} @IDNLIBS@ @LIBS@
+LIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} ${ISCCFGLIBS} \
+ ${ISCLIBS} @IDNLIBS@ @LIBS@
+
+NOSYMLIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} ${ISCCFGLIBS} \
+ ${ISCNOSYMLIBS} @IDNLIBS@ @LIBS@
SUBDIRS =
@@ -66,16 +70,16 @@ MANOBJS = ${MANPAGES} ${HTMLPAGES}
@BIND9_MAKE_RULES@
dig@EXEEXT@: dig.@O@ dighost.@O@ ${UOBJS} ${DEPLIBS}
- ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
- dig.@O@ dighost.@O@ ${UOBJS} ${LIBS}
+ export BASEOBJS="dig.@O@ dighost.@O@ ${UOBJS}"; \
+ ${FINALBUILDCMD}
host@EXEEXT@: host.@O@ dighost.@O@ ${UOBJS} ${DEPLIBS}
- ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
- host.@O@ dighost.@O@ ${UOBJS} ${LIBS}
+ export BASEOBJS="host.@O@ dighost.@O@ ${UOBJS}"; \
+ ${FINALBUILDCMD}
nslookup@EXEEXT@: nslookup.@O@ dighost.@O@ ${UOBJS} ${DEPLIBS}
- ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
- nslookup.@O@ dighost.@O@ ${UOBJS} ${LIBS}
+ export BASEOBJS="nslookup.@O@ dighost.@O@ ${UOBJS}"; \
+ ${FINALBUILDCMD}
doc man:: ${MANOBJS}
diff --git a/contrib/bind9/bin/dig/dig.1 b/contrib/bind9/bin/dig/dig.1
index fb3cc2ebc91b..6e3bfb6c0c6e 100644
--- a/contrib/bind9/bin/dig/dig.1
+++ b/contrib/bind9/bin/dig/dig.1
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004-2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2000-2003 Internet Software Consortium.
.\"
.\" Permission to use, copy, modify, and/or distribute this software for any
@@ -455,6 +455,11 @@ Print records like the SOA records in a verbose multi\-line format with human\-r
output.
.RE
.PP
+\fB+[no]onesoa\fR
+.RS 4
+Print only one (starting) SOA record when performing an AXFR. The default is to print both the starting and ending SOA records.
+.RE
+.PP
\fB+[no]fail\fR
.RS 4
Do not try the next server if you receive a SERVFAIL. The default is to not try the next server which is the reverse of normal stub resolver behavior.
@@ -562,7 +567,7 @@ RFC1035.
.PP
There are probably too many query options.
.SH "COPYRIGHT"
-Copyright \(co 2004\-2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004\-2010 Internet Systems Consortium, Inc. ("ISC")
.br
Copyright \(co 2000\-2003 Internet Software Consortium.
.br
diff --git a/contrib/bind9/bin/dig/dig.c b/contrib/bind9/bin/dig/dig.c
index 2553fa461c0e..5e5ec0fa48d4 100644
--- a/contrib/bind9/bin/dig/dig.c
+++ b/contrib/bind9/bin/dig/dig.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: dig.c,v 1.237.124.4 2011/12/07 17:23:55 each Exp $ */
/*! \file */
@@ -66,7 +66,8 @@ static char domainopt[DNS_NAME_MAXTEXT];
static isc_boolean_t short_form = ISC_FALSE, printcmd = ISC_TRUE,
ip6_int = ISC_FALSE, plusquest = ISC_FALSE, pluscomm = ISC_FALSE,
- multiline = ISC_FALSE, nottl = ISC_FALSE, noclass = ISC_FALSE;
+ multiline = ISC_FALSE, nottl = ISC_FALSE, noclass = ISC_FALSE,
+ onesoa = ISC_FALSE;
/*% opcode text */
static const char * const opcodetext[] = {
@@ -223,6 +224,7 @@ help(void) {
#endif
#endif
" +[no]multiline (Print records in an expanded format)\n"
+" +[no]onesoa (AXFR prints only one soa record)\n"
" global d-opts and servers (before host name) affect all queries.\n"
" local d-opts and servers (after host name) affect only that lookup.\n"
" -h (print help and exit)\n"
@@ -469,6 +471,9 @@ printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) {
flags |= DNS_MESSAGETEXTFLAG_NOHEADERS;
flags |= DNS_MESSAGETEXTFLAG_NOCOMMENTS;
}
+ if (onesoa && query->lookup->rdtype == dns_rdatatype_axfr)
+ flags |= (query->msg_count == 0) ? DNS_MESSAGETEXTFLAG_ONESOA :
+ DNS_MESSAGETEXTFLAG_OMITSOA;
if (!query->lookup->comments)
flags |= DNS_MESSAGETEXTFLAG_NOCOMMENTS;
@@ -672,19 +677,6 @@ printgreeting(int argc, char **argv, dig_lookup_t *lookup) {
}
}
-static isc_uint32_t
-parse_uint(char *arg, const char *desc, isc_uint32_t max) {
- isc_result_t result;
- isc_uint32_t tmp;
-
- result = isc_parse_uint32(&tmp, arg, 10);
- if (result == ISC_R_SUCCESS && tmp > max)
- result = ISC_R_RANGE;
- if (result != ISC_R_SUCCESS)
- fatal("%s '%s': %s", desc, arg, isc_result_totext(result));
- return (tmp);
-}
-
/*%
* We're not using isc_commandline_parse() here since the command line
* syntax of dig is quite a bit different from that which can be described
@@ -696,8 +688,10 @@ static void
plus_option(char *option, isc_boolean_t is_batchfile,
dig_lookup_t *lookup)
{
+ isc_result_t result;
char option_store[256];
char *cmd, *value, *ptr;
+ isc_uint32_t num;
isc_boolean_t state = ISC_TRUE;
#ifdef DIG_SIGCHASE
size_t n;
@@ -745,6 +739,7 @@ plus_option(char *option, isc_boolean_t is_batchfile,
lookup->section_additional = state;
break;
case 'f': /* adflag */
+ case '\0': /* +ad is a synonym for +adflag */
FULLCHECK("adflag");
lookup->adflag = state;
break;
@@ -786,8 +781,11 @@ plus_option(char *option, isc_boolean_t is_batchfile,
goto need_value;
if (!state)
goto invalid_option;
- lookup->udpsize = (isc_uint16_t) parse_uint(value,
- "buffer size", COMMSIZE);
+ result = parse_uint(&num, value, COMMSIZE,
+ "buffer size");
+ if (result != ISC_R_SUCCESS)
+ fatal("Couldn't parse buffer size");
+ lookup->udpsize = num;
break;
default:
goto invalid_option;
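Review bot: A bad `+bufsize` value now produces two messages on two streams. The shared `parse_uint()` added in dighost.c prints `invalid %s '%s': %s` with `printf()` to stdout, and this caller then calls `fatal("Couldn't parse buffer size")`. The removed static helper reported the description, the value and the reason in a single `fatal()` call. Anything that captures dig's stdout for parsing will now receive the diagnostic line, so if no caller depends on stdout the helper should use `fprintf(stderr, "invalid %s '%s': %s\n", desc, value, isc_result_totext(result));`. The same pattern repeats at every `parse_uint()` call site in this file (edns, ndots, retries, timeout, tries, port number, serial number). plus_option() starts and ends outside this hunk.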
@@ -796,8 +794,15 @@ plus_option(char *option, isc_boolean_t is_batchfile,
case 'c':
switch (cmd[1]) {
case 'd':/* cdflag */
- FULLCHECK("cdflag");
- lookup->cdflag = state;
+ switch (cmd[2]) {
+ case 'f': /* cdflag */
+ case '\0': /* +cd is a synonym for +cdflag */
+ FULLCHECK("cdflag");
+ lookup->cdflag = state;
+ break;
+ default:
+ goto invalid_option;
+ }
break;
case 'l': /* cl */
FULLCHECK("cl");
@@ -852,7 +857,10 @@ plus_option(char *option, isc_boolean_t is_batchfile,
}
if (value == NULL)
goto need_value;
- lookup->edns = (isc_int16_t) parse_uint(value, "edns", 255);
+ result = parse_uint(&num, value, 255, "edns");
+ if (result != ISC_R_SUCCESS)
+ fatal("Couldn't parse edns");
+ lookup->edns = num;
break;
case 'f': /* fail */
FULLCHECK("fail");
@@ -882,7 +890,10 @@ plus_option(char *option, isc_boolean_t is_batchfile,
goto need_value;
if (!state)
goto invalid_option;
- ndots = parse_uint(value, "ndots", MAXNDOTS);
+ result = parse_uint(&num, value, MAXNDOTS, "ndots");
+ if (result != ISC_R_SUCCESS)
+ fatal("Couldn't parse ndots");
+ ndots = num;
break;
case 's':
switch (cmd[2]) {
@@ -917,6 +928,10 @@ plus_option(char *option, isc_boolean_t is_batchfile,
goto invalid_option;
}
break;
+ case 'o':
+ FULLCHECK("onesoa");
+ onesoa = state;
+ break;
case 'q':
switch (cmd[1]) {
case 'r': /* qr */
@@ -947,8 +962,10 @@ plus_option(char *option, isc_boolean_t is_batchfile,
goto need_value;
if (!state)
goto invalid_option;
- lookup->retries = parse_uint(value, "retries",
- MAXTRIES - 1);
+ result = parse_uint(&lookup->retries, value,
+ MAXTRIES - 1, "retries");
+ if (result != ISC_R_SUCCESS)
+ fatal("Couldn't parse retries");
lookup->retries++;
break;
default:
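Review bot: This call passes `&lookup->retries` straight to `parse_uint()`, whose first parameter is `isc_uint32_t *`, while the bufsize, edns, ndots and port callers go through the local `num`. The type of `retries` is not visible here, and the later timeout hunk passes `&timeout`, which dighost.c declares as `unsigned int`; both only compile cleanly where `isc_uint32_t` is the same type as the destination. Using the local consistently keeps the conversion explicit: `result = parse_uint(&num, value, MAXTRIES - 1, "retries");` followed by `lookup->retries = num + 1;` after the error check. The `tries` hunk has the same shape. plus_option() continues outside this hunk.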
@@ -1024,7 +1041,10 @@ plus_option(char *option, isc_boolean_t is_batchfile,
goto need_value;
if (!state)
goto invalid_option;
- timeout = parse_uint(value, "timeout", MAXTIMEOUT);
+ result = parse_uint(&timeout, value, MAXTIMEOUT,
+ "timeout");
+ if (result != ISC_R_SUCCESS)
+ fatal("Couldn't parse timeout");
if (timeout == 0)
timeout = 1;
break;
@@ -1057,8 +1077,10 @@ plus_option(char *option, isc_boolean_t is_batchfile,
goto need_value;
if (!state)
goto invalid_option;
- lookup->retries = parse_uint(value, "tries",
- MAXTRIES);
+ result = parse_uint(&lookup->retries, value,
+ MAXTRIES, "tries");
+ if (result != ISC_R_SUCCESS)
+ fatal("Couldn't parse tries");
if (lookup->retries == 0)
lookup->retries = 1;
break;
@@ -1124,6 +1146,7 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
struct in6_addr in6;
in_port_t srcport;
char *hash, *cmd;
+ isc_uint32_t num;
while (strpbrk(option, single_dash_opts) == &option[0]) {
/*
@@ -1139,6 +1162,7 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
have_ipv6 = ISC_FALSE;
} else {
fatal("can't find IPv4 networking");
+ /* NOTREACHED */
return (ISC_FALSE);
}
break;
@@ -1148,6 +1172,7 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
have_ipv4 = ISC_FALSE;
} else {
fatal("can't find IPv6 networking");
+ /* NOTREACHED */
return (ISC_FALSE);
}
break;
@@ -1198,9 +1223,11 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
case 'b':
hash = strchr(value, '#');
if (hash != NULL) {
- srcport = (in_port_t)
- parse_uint(hash + 1,
- "port number", MAXPORT);
+ result = parse_uint(&num, hash + 1, MAXPORT,
+ "port number");
+ if (result != ISC_R_SUCCESS)
+ fatal("Couldn't parse port number");
+ srcport = num;
*hash = '\0';
} else
srcport = 0;
@@ -1244,7 +1271,10 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
keyfile[sizeof(keyfile)-1]=0;
return (value_from_next);
case 'p':
- port = (in_port_t) parse_uint(value, "port number", MAXPORT);
+ result = parse_uint(&num, value, MAXPORT, "port number");
+ if (result != ISC_R_SUCCESS)
+ fatal("Couldn't parse port number");
+ port = num;
return (value_from_next);
case 'q':
if (!config_only) {
@@ -1287,11 +1317,14 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
"extra type option\n");
}
if (rdtype == dns_rdatatype_ixfr) {
+ isc_uint32_t serial;
(*lookup)->rdtype = dns_rdatatype_ixfr;
(*lookup)->rdtypeset = ISC_TRUE;
- (*lookup)->ixfr_serial =
- parse_uint(&value[5], "serial number",
- MAXSERIAL);
+ result = parse_uint(&serial, &value[5],
+ MAXSERIAL, "serial number");
+ if (result != ISC_R_SUCCESS)
+ fatal("Couldn't parse serial number");
+ (*lookup)->ixfr_serial = serial;
(*lookup)->section_question = plusquest;
(*lookup)->comments = pluscomm;
(*lookup)->tcp_mode = ISC_TRUE;
@@ -1319,65 +1352,7 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
usage();
ptr3 = next_token(&value,":"); /* secret or NULL */
if (ptr3 != NULL) {
- if (strcasecmp(ptr, "hmac-md5") == 0) {
- hmacname = DNS_TSIG_HMACMD5_NAME;
- digestbits = 0;
- } else if (strncasecmp(ptr, "hmac-md5-", 9) == 0) {
- hmacname = DNS_TSIG_HMACMD5_NAME;
- digestbits = parse_uint(&ptr[9],
- "digest-bits [0..128]",
- 128);
- digestbits = (digestbits + 7) & ~0x7U;
- } else if (strcasecmp(ptr, "hmac-sha1") == 0) {
- hmacname = DNS_TSIG_HMACSHA1_NAME;
- digestbits = 0;
- } else if (strncasecmp(ptr, "hmac-sha1-", 10) == 0) {
- hmacname = DNS_TSIG_HMACSHA1_NAME;
- digestbits = parse_uint(&ptr[10],
- "digest-bits [0..160]",
- 160);
- digestbits = (digestbits + 7) & ~0x7U;
- } else if (strcasecmp(ptr, "hmac-sha224") == 0) {
- hmacname = DNS_TSIG_HMACSHA224_NAME;
- digestbits = 0;
- } else if (strncasecmp(ptr, "hmac-sha224-", 12) == 0) {
- hmacname = DNS_TSIG_HMACSHA224_NAME;
- digestbits = parse_uint(&ptr[12],
- "digest-bits [0..224]",
- 224);
- digestbits = (digestbits + 7) & ~0x7U;
- } else if (strcasecmp(ptr, "hmac-sha256") == 0) {
- hmacname = DNS_TSIG_HMACSHA256_NAME;
- digestbits = 0;
- } else if (strncasecmp(ptr, "hmac-sha256-", 12) == 0) {
- hmacname = DNS_TSIG_HMACSHA256_NAME;
- digestbits = parse_uint(&ptr[12],
- "digest-bits [0..256]",
- 256);
- digestbits = (digestbits + 7) & ~0x7U;
- } else if (strcasecmp(ptr, "hmac-sha384") == 0) {
- hmacname = DNS_TSIG_HMACSHA384_NAME;
- digestbits = 0;
- } else if (strncasecmp(ptr, "hmac-sha384-", 12) == 0) {
- hmacname = DNS_TSIG_HMACSHA384_NAME;
- digestbits = parse_uint(&ptr[12],
- "digest-bits [0..384]",
- 384);
- digestbits = (digestbits + 7) & ~0x7U;
- } else if (strcasecmp(ptr, "hmac-sha512") == 0) {
- hmacname = DNS_TSIG_HMACSHA512_NAME;
- digestbits = 0;
- } else if (strncasecmp(ptr, "hmac-sha512-", 12) == 0) {
- hmacname = DNS_TSIG_HMACSHA512_NAME;
- digestbits = parse_uint(&ptr[12],
- "digest-bits [0..512]",
- 512);
- digestbits = (digestbits + 7) & ~0x7U;
- } else {
- fprintf(stderr, ";; Warning, ignoring "
- "invalid TSIG algorithm %s\n", ptr);
- return (value_from_next);
- }
+ parse_hmac(ptr);
ptr = ptr2;
ptr2 = ptr3;
} else {
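Review bot: Replacing the inline chain with `parse_hmac(ptr);` drops the early exit for an unknown algorithm. The removed code printed the warning and then did `return (value_from_next);`, whereas `parse_hmac()` returns void and its final `else` only prints the warning, so dash_option() goes on to `ptr = ptr2; ptr2 = ptr3;` and whatever key setup follows outside this hunk, with `hmacname` left at its previous value. For a TSIG key that means a mistyped algorithm name may now be followed by signing with a different algorithm than the user asked for instead of the key being ignored. Letting `parse_hmac()` report failure and keeping the old control flow here, e.g. `if (parse_hmac(ptr) != ISC_R_SUCCESS) return (value_from_next);`, restores the previous behaviour; `read_confkey()` would need the same check.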
@@ -1421,6 +1396,7 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
fprintf(stderr, "Invalid option: -%s\n", option);
usage();
}
+ /* NOTREACHED */
return (ISC_FALSE);
}
@@ -1600,13 +1576,18 @@ parse_args(isc_boolean_t is_batchfile, isc_boolean_t config_only,
"extra type option\n");
}
if (rdtype == dns_rdatatype_ixfr) {
+ isc_uint32_t serial;
lookup->rdtype =
dns_rdatatype_ixfr;
lookup->rdtypeset = ISC_TRUE;
- lookup->ixfr_serial =
- parse_uint(&rv[0][5],
- "serial number",
- MAXSERIAL);
+ result = parse_uint(&serial,
+ &rv[0][5],
+ MAXSERIAL,
+ "serial number");
+ if (result != ISC_R_SUCCESS)
+ fatal("Couldn't parse "
+ "serial number");
+ lookup->ixfr_serial = serial;
lookup->section_question =
plusquest;
lookup->comments = pluscomm;
diff --git a/contrib/bind9/bin/dig/dig.docbook b/contrib/bind9/bin/dig/dig.docbook
index 0337ce26e677..d64d038b500d 100644
--- a/contrib/bind9/bin/dig/dig.docbook
+++ b/contrib/bind9/bin/dig/dig.docbook
@@ -2,7 +2,7 @@
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- - Copyright (C) 2004-2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id$ -->
+<!-- $Id: dig.docbook,v 1.47 2010/03/04 23:50:34 tbox Exp $ -->
<refentry id="man.dig">
<refentryinfo>
@@ -44,7 +44,7 @@
<year>2007</year>
<year>2008</year>
<year>2009</year>
- <year>2012</year>
+ <year>2010</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
<copyright>
@@ -767,6 +767,17 @@
</listitem>
</varlistentry>
+ <varlistentry>
+ <term><option>+[no]onesoa</option></term>
+ <listitem>
+ <para>
+ Print only one (starting) SOA record when performing
+ an AXFR. The default is to print both the starting and
+ ending SOA records.
+ </para>
+ </listitem>
+ </varlistentry>
+
<varlistentry>
<term><option>+[no]fail</option></term>
<listitem>
diff --git a/contrib/bind9/bin/dig/dig.html b/contrib/bind9/bin/dig/dig.html
index 8ba0f47c1d28..ceef3fa8d988 100644
--- a/contrib/bind9/bin/dig/dig.html
+++ b/contrib/bind9/bin/dig/dig.html
@@ -1,5 +1,5 @@
<!--
- - Copyright (C) 2004-2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@@ -34,7 +34,7 @@
<div class="cmdsynopsis"><p><code class="command">dig</code> [global-queryopt...] [query...]</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543522"></a><h2>DESCRIPTION</h2>
+<a name="id2543524"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dig</strong></span>
(domain information groper) is a flexible tool
for interrogating DNS name servers. It performs DNS lookups and
@@ -80,7 +80,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543595"></a><h2>SIMPLE USAGE</h2>
+<a name="id2543597"></a><h2>SIMPLE USAGE</h2>
<p>
A typical invocation of <span><strong class="command">dig</strong></span> looks like:
</p>
@@ -126,7 +126,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543686"></a><h2>OPTIONS</h2>
+<a name="id2543688"></a><h2>OPTIONS</h2>
<p>
The <code class="option">-b</code> option sets the source IP address of the query
to <em class="parameter"><code>address</code></em>. This must be a valid
@@ -230,7 +230,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2544035"></a><h2>QUERY OPTIONS</h2>
+<a name="id2544037"></a><h2>QUERY OPTIONS</h2>
<p><span><strong class="command">dig</strong></span>
provides a number of query options which affect
the way in which lookups are made and the results displayed. Some of
@@ -499,6 +499,12 @@
each record on a single line, to facilitate machine parsing
of the <span><strong class="command">dig</strong></span> output.
</p></dd>
+<dt><span class="term"><code class="option">+[no]onesoa</code></span></dt>
+<dd><p>
+ Print only one (starting) SOA record when performing
+ an AXFR. The default is to print both the starting and
+ ending SOA records.
+ </p></dd>
<dt><span class="term"><code class="option">+[no]fail</code></span></dt>
<dd><p>
Do not try the next server if you receive a SERVFAIL. The
@@ -555,7 +561,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2545170"></a><h2>MULTIPLE QUERIES</h2>
+<a name="id2545186"></a><h2>MULTIPLE QUERIES</h2>
<p>
The BIND 9 implementation of <span><strong class="command">dig </strong></span>
supports
@@ -601,7 +607,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2545232"></a><h2>IDN SUPPORT</h2>
+<a name="id2545248"></a><h2>IDN SUPPORT</h2>
<p>
If <span><strong class="command">dig</strong></span> has been built with IDN (internationalized
domain name) support, it can accept and display non-ASCII domain names.
@@ -615,14 +621,14 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2545322"></a><h2>FILES</h2>
+<a name="id2545338"></a><h2>FILES</h2>
<p><code class="filename">/etc/resolv.conf</code>
</p>
<p><code class="filename">${HOME}/.digrc</code>
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2545339"></a><h2>SEE ALSO</h2>
+<a name="id2545355"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">host</span>(1)</span>,
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
@@ -630,7 +636,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2545377"></a><h2>BUGS</h2>
+<a name="id2545393"></a><h2>BUGS</h2>
<p>
There are probably too many query options.
</p>
diff --git a/contrib/bind9/bin/dig/dighost.c b/contrib/bind9/bin/dig/dighost.c
index ab56e528b840..9695de0dbc4c 100644
--- a/contrib/bind9/bin/dig/dighost.c
+++ b/contrib/bind9/bin/dig/dighost.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: dighost.c,v 1.336.22.9 2011/12/07 17:23:55 each Exp $ */
/*! \file
* \note
@@ -53,6 +53,7 @@
#include <ctype.h>
#endif
#include <dns/fixedname.h>
+#include <dns/log.h>
#include <dns/message.h>
#include <dns/name.h>
#include <dns/rdata.h>
@@ -72,10 +73,12 @@
#include <isc/entropy.h>
#include <isc/file.h>
#include <isc/lang.h>
+#include <isc/log.h>
#include <isc/netaddr.h>
#ifdef DIG_SIGCHASE
#include <isc/netdb.h>
#endif
+#include <isc/parseint.h>
#include <isc/print.h>
#include <isc/random.h>
#include <isc/result.h>
@@ -86,6 +89,8 @@
#include <isc/types.h>
#include <isc/util.h>
+#include <isccfg/namedconf.h>
+
#include <lwres/lwres.h>
#include <lwres/net.h>
@@ -123,6 +128,7 @@ in_port_t port = 53;
unsigned int timeout = 0;
unsigned int extrabytes;
isc_mem_t *mctx = NULL;
+isc_log_t *lctx = NULL;
isc_taskmgr_t *taskmgr = NULL;
isc_task_t *global_task = NULL;
isc_timermgr_t *timermgr = NULL;
@@ -356,6 +362,8 @@ connect_timeout(isc_task_t *task, isc_event_t *event);
static void
launch_next_query(dig_query_t *query, isc_boolean_t include_question);
+static void
+send_tcp_connect(dig_query_t *query);
static void *
mem_alloc(void *arg, size_t size) {
@@ -395,7 +403,7 @@ count_dots(char *string) {
static void
hex_dump(isc_buffer_t *b) {
- unsigned int len;
+ unsigned int len, i;
isc_region_t r;
isc_buffer_usedregion(b, &r);
@@ -403,11 +411,29 @@ hex_dump(isc_buffer_t *b) {
printf("%d bytes\n", r.length);
for (len = 0; len < r.length; len++) {
printf("%02x ", r.base[len]);
- if (len % 16 == 15)
+ if (len % 16 == 15) {
+ fputs(" ", stdout);
+ for (i = len - 15; i <= len; i++) {
+ if (r.base[i] >= '!' && r.base[i] <= '}')
+ putchar(r.base[i]);
+ else
+ putchar('.');
+ }
printf("\n");
+ }
}
- if (len % 16 != 0)
+ if (len % 16 != 0) {
+ for (i = len; (i % 16) != 0; i++)
+ fputs(" ", stdout);
+ fputs(" ", stdout);
+ for (i = ((len>>4)<<4); i < len; i++) {
+ if (r.base[i] >= '!' && r.base[i] <= '}')
+ putchar(r.base[i]);
+ else
+ putchar('.');
+ }
printf("\n");
+ }
}
/*%
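Review bot: The printable-byte test `r.base[i] >= '!' && r.base[i] <= '}'` is written out twice in hex_dump(), once for full rows and once for the trailing partial row, and its upper bound leaves out `'~'`, which is printable ASCII. A small static helper used by both loops would keep the two copies from drifting apart. The filter deserves a comment where it is defined, along the lines of `/* Echo printable ASCII only; the buffer presumably holds wire data, so control bytes must not reach the terminal. */`. If excluding `'~'` is deliberate, say so in the same comment.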
@@ -765,6 +791,7 @@ make_empty_lookup(void) {
looknew->new_search = ISC_FALSE;
looknew->done_as_is = ISC_FALSE;
looknew->need_search = ISC_FALSE;
+ dns_fixedname_init(&looknew->fdomain);
ISC_LINK_INIT(looknew, link);
ISC_LIST_INIT(looknew->q);
ISC_LIST_INIT(looknew->my_server_list);
@@ -840,6 +867,8 @@ clone_lookup(dig_lookup_t *lookold, isc_boolean_t servers) {
looknew->tsigctx = NULL;
looknew->need_search = lookold->need_search;
looknew->done_as_is = lookold->done_as_is;
+ dns_name_copy(dns_fixedname_name(&lookold->fdomain),
+ dns_fixedname_name(&looknew->fdomain), NULL);
if (servers)
clone_server_list(lookold->my_server_list,
@@ -908,8 +937,7 @@ setup_text_key(void) {
goto failure;
}
- result = dns_name_fromtext(&keyname, namebuf, dns_rootname, ISC_FALSE,
- namebuf);
+ result = dns_name_fromtext(&keyname, namebuf, dns_rootname, 0, namebuf);
if (result != ISC_R_SUCCESS)
goto failure;
@@ -928,14 +956,164 @@ setup_text_key(void) {
isc_buffer_free(&namebuf);
}
+isc_result_t
+parse_uint(isc_uint32_t *uip, const char *value, isc_uint32_t max,
+ const char *desc) {
+ isc_uint32_t n;
+ isc_result_t result = isc_parse_uint32(&n, value, 10);
+ if (result == ISC_R_SUCCESS && n > max)
+ result = ISC_R_RANGE;
+ if (result != ISC_R_SUCCESS) {
+ printf("invalid %s '%s': %s\n", desc,
+ value, isc_result_totext(result));
+ return (result);
+ }
+ *uip = n;
+ return (ISC_R_SUCCESS);
+}
+
+static isc_uint32_t
+parse_bits(char *arg, const char *desc, isc_uint32_t max) {
+ isc_result_t result;
+ isc_uint32_t tmp;
+
+ result = parse_uint(&tmp, arg, max, desc);
+ if (result != ISC_R_SUCCESS)
+ fatal("couldn't parse digest bits");
+ tmp = (tmp + 7) & ~0x7U;
+ return (tmp);
+}
+
+
+/*
+ * Parse HMAC algorithm specification
+ */
+void
+parse_hmac(const char *hmac) {
+ char buf[20];
+ int len;
+
+ REQUIRE(hmac != NULL);
+
+ len = strlen(hmac);
+ if (len >= (int) sizeof(buf))
+ fatal("unknown key type '%.*s'", len, hmac);
+ strncpy(buf, hmac, sizeof(buf));
+
+ digestbits = 0;
+
+ if (strcasecmp(buf, "hmac-md5") == 0) {
+ hmacname = DNS_TSIG_HMACMD5_NAME;
+ } else if (strncasecmp(buf, "hmac-md5-", 9) == 0) {
+ hmacname = DNS_TSIG_HMACMD5_NAME;
+ digestbits = parse_bits(&buf[9], "digest-bits [0..128]", 128);
+ } else if (strcasecmp(buf, "hmac-sha1") == 0) {
+ hmacname = DNS_TSIG_HMACSHA1_NAME;
+ digestbits = 0;
+ } else if (strncasecmp(buf, "hmac-sha1-", 10) == 0) {
+ hmacname = DNS_TSIG_HMACSHA1_NAME;
+ digestbits = parse_bits(&buf[10], "digest-bits [0..160]", 160);
+ } else if (strcasecmp(buf, "hmac-sha224") == 0) {
+ hmacname = DNS_TSIG_HMACSHA224_NAME;
+ } else if (strncasecmp(buf, "hmac-sha224-", 12) == 0) {
+ hmacname = DNS_TSIG_HMACSHA224_NAME;
+ digestbits = parse_bits(&buf[12], "digest-bits [0..224]", 224);
+ } else if (strcasecmp(buf, "hmac-sha256") == 0) {
+ hmacname = DNS_TSIG_HMACSHA256_NAME;
+ } else if (strncasecmp(buf, "hmac-sha256-", 12) == 0) {
+ hmacname = DNS_TSIG_HMACSHA256_NAME;
+ digestbits = parse_bits(&buf[12], "digest-bits [0..256]", 256);
+ } else if (strcasecmp(buf, "hmac-sha384") == 0) {
+ hmacname = DNS_TSIG_HMACSHA384_NAME;
+ } else if (strncasecmp(buf, "hmac-sha384-", 12) == 0) {
+ hmacname = DNS_TSIG_HMACSHA384_NAME;
+ digestbits = parse_bits(&buf[12], "digest-bits [0..384]", 384);
+ } else if (strcasecmp(buf, "hmac-sha512") == 0) {
+ hmacname = DNS_TSIG_HMACSHA512_NAME;
+ } else if (strncasecmp(buf, "hmac-sha512-", 12) == 0) {
+ hmacname = DNS_TSIG_HMACSHA512_NAME;
+ digestbits = parse_bits(&buf[12], "digest-bits [0..512]", 512);
+ } else {
+ fprintf(stderr, ";; Warning, ignoring "
+ "invalid TSIG algorithm %s\n", buf);
+ }
+}
+
+/*
+ * Get a key from a named.conf format keyfile
+ */
+static isc_result_t
+read_confkey(void) {
+ isc_log_t *lctx = NULL;
+ cfg_parser_t *pctx = NULL;
+ cfg_obj_t *file = NULL;
+ const cfg_obj_t *key = NULL;
+ const cfg_obj_t *secretobj = NULL;
+ const cfg_obj_t *algorithmobj = NULL;
+ const char *keyname;
+ const char *secretstr;
+ const char *algorithm;
+ isc_result_t result;
+
+ if (! isc_file_exists(keyfile))
+ return (ISC_R_FILENOTFOUND);
+
+ result = cfg_parser_create(mctx, lctx, &pctx);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+
+ result = cfg_parse_file(pctx, keyfile, &cfg_type_sessionkey,
+ &file);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+
+ result = cfg_map_get(file, "key", &key);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+
+ (void) cfg_map_get(key, "secret", &secretobj);
+ (void) cfg_map_get(key, "algorithm", &algorithmobj);
+ if (secretobj == NULL || algorithmobj == NULL)
+ fatal("key must have algorithm and secret");
+
+ keyname = cfg_obj_asstring(cfg_map_getname(key));
+ secretstr = cfg_obj_asstring(secretobj);
+ algorithm = cfg_obj_asstring(algorithmobj);
+
+ strncpy(keynametext, keyname, sizeof(keynametext));
+ strncpy(keysecret, secretstr, sizeof(keysecret));
+ parse_hmac(algorithm);
+ setup_text_key();
+
+ cleanup:
+ if (pctx != NULL) {
+ if (file != NULL)
+ cfg_obj_destroy(pctx, &file);
+ cfg_parser_destroy(&pctx);
+ }
+
+ return (result);
+}
+
static void
setup_file_key(void) {
isc_result_t result;
dst_key_t *dstkey = NULL;
debug("setup_file_key()");
- result = dst_key_fromnamedfile(keyfile, DST_TYPE_PRIVATE | DST_TYPE_KEY,
- mctx, &dstkey);
+
+ /* Try reading the key from a K* pair */
+ result = dst_key_fromnamedfile(keyfile, NULL,
+ DST_TYPE_PRIVATE | DST_TYPE_KEY, mctx,
+ &dstkey);
+
+ /* If that didn't work, try reading it as a session.key keyfile */
+ if (result != ISC_R_SUCCESS) {
+ result = read_confkey();
+ if (result == ISC_R_SUCCESS)
+ return;
+ }
+
if (result != ISC_R_SUCCESS) {
fprintf(stderr, "Couldn't read key from %s: %s\n",
keyfile, isc_result_totext(result));
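Review bot: In read_confkey() the two `strncpy()` calls into `keynametext` and `keysecret` leave the destination without a terminating NUL when the name or secret read from the key file is as long as the buffer or longer (assuming both are fixed-size arrays, as the `sizeof` suggests). `setup_text_key()` is called immediately afterwards. Rejecting an over-long value is safer than silently truncating a secret, e.g. `if (strlen(secretstr) >= sizeof(keysecret)) fatal("key secret too long");` and the same for `keyname`, before copying. Separately, the local `isc_log_t *lctx = NULL;` shadows the global `lctx` this commit adds, so `cfg_parser_create()` receives a NULL log context; if that is intended to keep parse errors quiet, a comment should say so. setup_file_key() continues past the end of this hunk.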
@@ -1123,6 +1301,7 @@ set_search_domain(char *domain) {
void
setup_libs(void) {
isc_result_t result;
+ isc_logconfig_t *logconfig = NULL;
debug("setup_libs()");
@@ -1139,6 +1318,18 @@ setup_libs(void) {
result = isc_mem_create(0, 0, &mctx);
check_result(result, "isc_mem_create");
+ result = isc_log_create(mctx, &lctx, &logconfig);
+ check_result(result, "isc_log_create");
+
+ isc_log_setcontext(lctx);
+ dns_log_init(lctx);
+ dns_log_setcontext(lctx);
+
+ result = isc_log_usechannel(logconfig, "default_debug", NULL, NULL);
+ check_result(result, "isc_log_usechannel");
+
+ isc_log_setdebuglevel(lctx, 0);
+
result = isc_taskmgr_create(mctx, 1, 0, &taskmgr);
check_result(result, "isc_taskmgr_create");
@@ -1609,7 +1800,6 @@ followup_lookup(dns_message_t *msg, dig_query_t *query, dns_section_t section)
lookup->trace_root = ISC_FALSE;
if (lookup->ns_search_only)
lookup->recurse = ISC_FALSE;
- dns_fixedname_init(&lookup->fdomain);
domain = dns_fixedname_name(&lookup->fdomain);
dns_name_copy(name, domain, NULL);
}
@@ -1677,12 +1867,10 @@ followup_lookup(dns_message_t *msg, dig_query_t *query, dns_section_t section)
* Return ISC_TRUE iff there was another searchlist entry.
*/
static isc_boolean_t
-next_origin(dns_message_t *msg, dig_query_t *query) {
+next_origin(dig_query_t *query) {
dig_lookup_t *lookup;
dig_searchlist_t *search;
- UNUSED(msg);
-
INSIST(!free_now);
debug("next_origin()");
@@ -1899,7 +2087,7 @@ setup_lookup(dig_lookup_t *lookup) {
isc_buffer_init(&b, lookup->origin->origin, len);
isc_buffer_add(&b, len);
result = dns_name_fromtext(lookup->oname, &b, dns_rootname,
- ISC_FALSE, &lookup->onamebuf);
+ 0, &lookup->onamebuf);
if (result != ISC_R_SUCCESS) {
dns_message_puttempname(lookup->sendmsg,
&lookup->name);
@@ -1916,7 +2104,7 @@ setup_lookup(dig_lookup_t *lookup) {
isc_buffer_init(&b, lookup->textname, len);
isc_buffer_add(&b, len);
result = dns_name_fromtext(lookup->name, &b,
- lookup->oname, ISC_FALSE,
+ lookup->oname, 0,
&lookup->namebuf);
}
if (result != ISC_R_SUCCESS) {
@@ -1940,16 +2128,14 @@ setup_lookup(dig_lookup_t *lookup) {
isc_buffer_init(&b, idn_textname, len);
isc_buffer_add(&b, len);
result = dns_name_fromtext(lookup->name, &b,
- dns_rootname,
- ISC_FALSE,
+ dns_rootname, 0,
&lookup->namebuf);
#else
len = strlen(lookup->textname);
isc_buffer_init(&b, lookup->textname, len);
isc_buffer_add(&b, len);
result = dns_name_fromtext(lookup->name, &b,
- dns_rootname,
- ISC_FALSE,
+ dns_rootname, 0,
&lookup->namebuf);
#endif
}
@@ -2159,7 +2345,7 @@ send_done(isc_task_t *_task, isc_event_t *event) {
query->waiting_senddone = ISC_FALSE;
l = query->lookup;
- if (l->ns_search_only && !l->trace_root) {
+ if (l->ns_search_only && !l->trace_root && !l->tcp_mode) {
debug("sending next, since searching");
next = ISC_LIST_NEXT(query, link);
if (next != NULL)
@@ -3197,7 +3383,7 @@ recv_done(isc_task_t *task, isc_event_t *event) {
if (!l->doing_xfr || l->xfr_q == query) {
if (msg->rcode != dns_rcode_noerror &&
(l->origin != NULL || l->need_search)) {
- if (!next_origin(msg, query) || showsearch) {
+ if (!next_origin(query) || showsearch) {
printmessage(query, msg, ISC_TRUE);
received(b->used, &sevent->address, query);
}
@@ -3603,9 +3789,11 @@ destroy_libs(void) {
free_name(&chase_signame, mctx);
#endif
- debug("Destroy memory");
-
#endif
+ debug("Removing log context");
+ isc_log_destroy(&lctx);
+
+ debug("Destroy memory");
if (memdebugging != 0)
isc_mem_stats(mctx, stderr);
if (mctx != NULL)
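Review bot: The added `isc_log_destroy(&lctx);` in destroy_libs is called unconditionally, while the memory context a few lines below is still protected by `if (mctx != NULL)`. As far as I know isc_log_destroy() asserts on a NULL context, so if destroy_libs can ever run before the log context was created the tool would abort during cleanup instead of exiting cleanly; whether such a path exists is not visible from this hunk. A matching guard, `if (lctx != NULL) isc_log_destroy(&lctx);`, would keep the teardown symmetric. destroy_libs starts and ends outside the hunk.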
@@ -4094,7 +4282,7 @@ get_trusted_key(isc_mem_t *mctx)
return (ISC_R_FAILURE);
}
fclose(fptemp);
- result = dst_key_fromnamedfile(filetemp, DST_TYPE_PUBLIC,
+ result = dst_key_fromnamedfile(filetemp, NULL, DST_TYPE_PUBLIC,
mctx, &key);
removetmpkey(mctx, filetemp);
isc_mem_free(mctx, filetemp);
@@ -4129,7 +4317,7 @@ nameFromString(const char *str, dns_name_t *p_ret) {
dns_fixedname_init(&fixedname);
result = dns_name_fromtext(dns_fixedname_name(&fixedname), &buffer,
- dns_rootname, ISC_TRUE, NULL);
+ dns_rootname, DNS_NAME_DOWNCASE, NULL);
check_result(result, "nameFromString");
if (dns_name_dynamic(p_ret))
diff --git a/contrib/bind9/bin/dig/host.1 b/contrib/bind9/bin/dig/host.1
index 69e9262c2ba1..b6eb81ba40f6 100644
--- a/contrib/bind9/bin/dig/host.1
+++ b/contrib/bind9/bin/dig/host.1
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004, 2005, 2007-2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004, 2005, 2007-2009 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2000-2002 Internet Software Consortium.
.\"
.\" Permission to use, copy, modify, and/or distribute this software for any
@@ -213,7 +213,7 @@ runs.
\fBdig\fR(1),
\fBnamed\fR(8).
.SH "COPYRIGHT"
-Copyright \(co 2004, 2005, 2007\-2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004, 2005, 2007\-2009 Internet Systems Consortium, Inc. ("ISC")
.br
Copyright \(co 2000\-2002 Internet Software Consortium.
.br
diff --git a/contrib/bind9/bin/dig/host.c b/contrib/bind9/bin/dig/host.c
index beee5874a584..82eea056c0d1 100644
--- a/contrib/bind9/bin/dig/host.c
+++ b/contrib/bind9/bin/dig/host.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2007, 2009-2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009-2011 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: host.c,v 1.124.40.3 2011/03/11 06:46:59 marka Exp $ */
/*! \file */
diff --git a/contrib/bind9/bin/dig/host.docbook b/contrib/bind9/bin/dig/host.docbook
index 9663da6b17b8..bc435f92f11c 100644
--- a/contrib/bind9/bin/dig/host.docbook
+++ b/contrib/bind9/bin/dig/host.docbook
@@ -2,7 +2,7 @@
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- - Copyright (C) 2004, 2005, 2007-2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007-2009 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2002 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id$ -->
+<!-- $Id: host.docbook,v 1.20 2009/01/20 23:47:56 tbox Exp $ -->
<refentry id="man.host">
<refentryinfo>
@@ -43,7 +43,6 @@
<year>2007</year>
<year>2008</year>
<year>2009</year>
- <year>2012</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
<copyright>
diff --git a/contrib/bind9/bin/dig/host.html b/contrib/bind9/bin/dig/host.html
index a2d2ad706ce5..d5fb6e735fb1 100644
--- a/contrib/bind9/bin/dig/host.html
+++ b/contrib/bind9/bin/dig/host.html
@@ -1,5 +1,5 @@
<!--
- - Copyright (C) 2004, 2005, 2007-2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007-2009 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2002 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@@ -32,7 +32,7 @@
<div class="cmdsynopsis"><p><code class="command">host</code> [<code class="option">-aCdlnrsTwv</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-N <em class="replaceable"><code>ndots</code></em></code>] [<code class="option">-R <em class="replaceable"><code>number</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-W <em class="replaceable"><code>wait</code></em></code>] [<code class="option">-m <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-4</code>] [<code class="option">-6</code>] {name} [server]</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543437"></a><h2>DESCRIPTION</h2>
+<a name="id2543436"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">host</strong></span>
is a simple utility for performing DNS lookups.
It is normally used to convert names to IP addresses and vice versa.
@@ -184,7 +184,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543803"></a><h2>IDN SUPPORT</h2>
+<a name="id2543802"></a><h2>IDN SUPPORT</h2>
<p>
If <span><strong class="command">host</strong></span> has been built with IDN (internationalized
domain name) support, it can accept and display non-ASCII domain names.
@@ -198,12 +198,12 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543826"></a><h2>FILES</h2>
+<a name="id2543825"></a><h2>FILES</h2>
<p><code class="filename">/etc/resolv.conf</code>
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543837"></a><h2>SEE ALSO</h2>
+<a name="id2543836"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dig</span>(1)</span>,
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>.
</p>
diff --git a/contrib/bind9/bin/dig/include/dig/dig.h b/contrib/bind9/bin/dig/include/dig/dig.h
index cfd22577a79f..6c186dec5e4b 100644
--- a/contrib/bind9/bin/dig/include/dig/dig.h
+++ b/contrib/bind9/bin/dig/include/dig/dig.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2009, 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009, 2011 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: dig.h,v 1.111.306.3 2011/12/07 17:23:55 each Exp $ */
#ifndef DIG_H
#define DIG_H
@@ -329,6 +329,13 @@ setup_libs(void);
void
setup_system(void);
+isc_result_t
+parse_uint(isc_uint32_t *uip, const char *value, isc_uint32_t max,
+ const char *desc);
+
+void
+parse_hmac(const char *hmacstr);
+
dig_lookup_t *
requeue_lookup(dig_lookup_t *lookold, isc_boolean_t servers);
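Review bot: The two prototypes added to dig.h, `parse_uint` and `parse_hmac`, become part of the interface shared by dig, host and nslookup, yet neither has a comment describing its contract. The static parse_uint removed from nslookup.c in this same commit prints an "invalid ..." message and returns an error (ISC_R_RANGE when the value exceeds `max`) without writing `*uip`; if the shared version keeps that behaviour, state it above the prototype, e.g. `/* Parse 'value' as a decimal integer <= 'max'; on error print a message naming 'desc' and leave *uip unchanged. */`. `parse_hmac` returns void, so the header should also say what happens on an unrecognised HMAC name, since callers cannot check a result. The implementations are outside this hunk.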
diff --git a/contrib/bind9/bin/dig/nslookup.1 b/contrib/bind9/bin/dig/nslookup.1
index c713a2f10f2a..f988995ba86e 100644
--- a/contrib/bind9/bin/dig/nslookup.1
+++ b/contrib/bind9/bin/dig/nslookup.1
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004-2007, 2010, 2012 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004-2007, 2010 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" Permission to use, copy, modify, and/or distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
@@ -254,5 +254,5 @@ Try the next nameserver if a nameserver responds with SERVFAIL or a referral (no
.PP
Andrew Cherenson
.SH "COPYRIGHT"
-Copyright \(co 2004\-2007, 2010, 2012 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004\-2007, 2010 Internet Systems Consortium, Inc. ("ISC")
.br
diff --git a/contrib/bind9/bin/dig/nslookup.c b/contrib/bind9/bin/dig/nslookup.c
index ba586195e167..2ef8f84ea2a7 100644
--- a/contrib/bind9/bin/dig/nslookup.c
+++ b/contrib/bind9/bin/dig/nslookup.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2007, 2009, 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: nslookup.c,v 1.127.38.2 2011/02/28 01:19:58 tbox Exp $ */
#include <config.h>
@@ -542,22 +542,6 @@ testclass(char *typetext) {
}
}
-static isc_result_t
-parse_uint(isc_uint32_t *uip, const char *value, isc_uint32_t max,
- const char *desc) {
- isc_uint32_t n;
- isc_result_t result = isc_parse_uint32(&n, value, 10);
- if (result == ISC_R_SUCCESS && n > max)
- result = ISC_R_RANGE;
- if (result != ISC_R_SUCCESS) {
- printf("invalid %s '%s': %s\n", desc,
- value, isc_result_totext(result));
- return result;
- }
- *uip = n;
- return (ISC_R_SUCCESS);
-}
-
static void
set_port(const char *value) {
isc_uint32_t n;
diff --git a/contrib/bind9/bin/dig/nslookup.docbook b/contrib/bind9/bin/dig/nslookup.docbook
index 7dea2ff84d2b..f4d497b3998b 100644
--- a/contrib/bind9/bin/dig/nslookup.docbook
+++ b/contrib/bind9/bin/dig/nslookup.docbook
@@ -2,7 +2,7 @@
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- - Copyright (C) 2004-2007, 2010, 2012 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2007, 2010 Internet Systems Consortium, Inc. ("ISC")
-
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
@@ -17,7 +17,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id$ -->
+<!-- $Id: nslookup.docbook,v 1.18 2010/02/22 23:49:11 tbox Exp $ -->
<!--
- Copyright (c) 1985, 1989
- The Regents of the University of California. All rights reserved.
@@ -74,7 +74,6 @@
<year>2006</year>
<year>2007</year>
<year>2010</year>
- <year>2012</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
</docinfo>
diff --git a/contrib/bind9/bin/dig/nslookup.html b/contrib/bind9/bin/dig/nslookup.html
index 8f38fceb39dc..4bf6aab5c43c 100644
--- a/contrib/bind9/bin/dig/nslookup.html
+++ b/contrib/bind9/bin/dig/nslookup.html
@@ -1,5 +1,5 @@
<!--
- - Copyright (C) 2004-2007, 2010, 2012 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2007, 2010 Internet Systems Consortium, Inc. ("ISC")
-
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
@@ -21,7 +21,7 @@
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2476276"></a><div class="titlepage"></div>
+<a name="id2476277"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p>nslookup &#8212; query Internet name servers interactively</p>
@@ -31,7 +31,7 @@
<div class="cmdsynopsis"><p><code class="command">nslookup</code> [<code class="option">-option</code>] [name | -] [server]</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543362"></a><h2>DESCRIPTION</h2>
+<a name="id2543361"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">Nslookup</strong></span>
is a program to query Internet domain name servers. <span><strong class="command">Nslookup</strong></span>
has two modes: interactive and non-interactive. Interactive mode allows
@@ -43,7 +43,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543378"></a><h2>ARGUMENTS</h2>
+<a name="id2543377"></a><h2>ARGUMENTS</h2>
<p>
Interactive mode is entered in the following cases:
</p>
@@ -78,7 +78,7 @@ nslookup -query=hinfo -timeout=10
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543421"></a><h2>INTERACTIVE COMMANDS</h2>
+<a name="id2543420"></a><h2>INTERACTIVE COMMANDS</h2>
<div class="variablelist"><dl>
<dt><span class="term"><code class="constant">host</code> [<span class="optional">server</span>]</span></dt>
<dd>
@@ -288,19 +288,19 @@ nslookup -query=hinfo -timeout=10
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2546288"></a><h2>FILES</h2>
+<a name="id2546286"></a><h2>FILES</h2>
<p><code class="filename">/etc/resolv.conf</code>
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2546299"></a><h2>SEE ALSO</h2>
+<a name="id2546298"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dig</span>(1)</span>,
<span class="citerefentry"><span class="refentrytitle">host</span>(1)</span>,
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2546333"></a><h2>Author</h2>
+<a name="id2546332"></a><h2>Author</h2>
<p>
Andrew Cherenson
</p>
diff --git a/contrib/bind9/bin/dnssec/Makefile.in b/contrib/bind9/bin/dnssec/Makefile.in
index a82ade228444..0bca14155724 100644
--- a/contrib/bind9/bin/dnssec/Makefile.in
+++ b/contrib/bind9/bin/dnssec/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2004, 2005, 2007, 2008, 2012 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2005, 2007-2009, 2012 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2000-2002 Internet Software Consortium.
#
# Permission to use, copy, modify, and/or distribute this software for any
@@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id$
+# $Id: Makefile.in,v 1.42 2009/12/05 23:31:40 each Exp $
srcdir = @srcdir@
VPATH = @srcdir@
@@ -25,11 +25,12 @@ top_srcdir = @top_srcdir@
CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES}
-CDEFINES = -DVERSION=\"${VERSION}\"
+CDEFINES = -DVERSION=\"${VERSION}\" @USE_PKCS11@
CWARNINGS =
DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
ISCLIBS = ../../lib/isc/libisc.@A@
+ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@
DNSDEPLIBS = ../../lib/dns/libdns.@A@
ISCDEPLIBS = ../../lib/isc/libisc.@A@
@@ -38,44 +39,56 @@ DEPLIBS = ${DNSDEPLIBS} ${ISCDEPLIBS}
LIBS = ${DNSLIBS} ${ISCLIBS} @LIBS@
+NOSYMLIBS = ${DNSLIBS} ${ISCNOSYMLIBS} @LIBS@
+
# Alphabetically
TARGETS = dnssec-keygen@EXEEXT@ dnssec-signzone@EXEEXT@ \
- dnssec-keyfromlabel@EXEEXT@ dnssec-dsfromkey@EXEEXT@
+ dnssec-keyfromlabel@EXEEXT@ dnssec-dsfromkey@EXEEXT@ \
+ dnssec-revoke@EXEEXT@ dnssec-settime@EXEEXT@
OBJS = dnssectool.@O@
SRCS = dnssec-dsfromkey.c dnssec-keyfromlabel.c dnssec-keygen.c \
- dnssec-signzone.c dnssectool.c
+ dnssec-revoke.c dnssec-settime.c dnssec-signzone.c dnssectool.c
MANPAGES = dnssec-dsfromkey.8 dnssec-keyfromlabel.8 dnssec-keygen.8 \
- dnssec-signzone.8
+ dnssec-revoke.8 dnssec-settime.8 dnssec-signzone.8
HTMLPAGES = dnssec-dsfromkey.html dnssec-keyfromlabel.html \
- dnssec-keygen.html dnssec-signzone.html
+ dnssec-keygen.html dnssec-revoke.html \
+ dnssec-settime.html dnssec-signzone.html
MANOBJS = ${MANPAGES} ${HTMLPAGES}
@BIND9_MAKE_RULES@
dnssec-dsfromkey@EXEEXT@: dnssec-dsfromkey.@O@ ${OBJS} ${DEPLIBS}
- ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
- dnssec-dsfromkey.@O@ ${OBJS} ${LIBS}
+ export BASEOBJS="dnssec-dsfromkey.@O@ ${OBJS}"; \
+ ${FINALBUILDCMD}
dnssec-keyfromlabel@EXEEXT@: dnssec-keyfromlabel.@O@ ${OBJS} ${DEPLIBS}
- ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
- dnssec-keyfromlabel.@O@ ${OBJS} ${LIBS}
+ export BASEOBJS="dnssec-keyfromlabel.@O@ ${OBJS}"; \
+ ${FINALBUILDCMD}
dnssec-keygen@EXEEXT@: dnssec-keygen.@O@ ${OBJS} ${DEPLIBS}
- ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
- dnssec-keygen.@O@ ${OBJS} ${LIBS}
+ export BASEOBJS="dnssec-keygen.@O@ ${OBJS}"; \
+ ${FINALBUILDCMD}
dnssec-signzone.@O@: dnssec-signzone.c
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -DVERSION=\"${VERSION}\" \
-c ${srcdir}/dnssec-signzone.c
dnssec-signzone@EXEEXT@: dnssec-signzone.@O@ ${OBJS} ${DEPLIBS}
+ export BASEOBJS="dnssec-signzone.@O@ ${OBJS}"; \
+ ${FINALBUILDCMD}
+
+dnssec-revoke@EXEEXT@: dnssec-revoke.@O@ ${OBJS} ${DEPLIBS}
+ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+ dnssec-revoke.@O@ ${OBJS} ${LIBS}
+
+dnssec-settime@EXEEXT@: dnssec-settime.@O@ ${OBJS} ${DEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
- dnssec-signzone.@O@ ${OBJS} ${LIBS}
+ dnssec-settime.@O@ ${OBJS} ${LIBS}
doc man:: ${MANOBJS}
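Review bot: The two new link rules, `dnssec-revoke@EXEEXT@` and `dnssec-settime@EXEEXT@`, use the direct `${LIBTOOL_MODE_LINK} ... ${LIBS}` recipe, while the four existing tools in this hunk were switched to the `export BASEOBJS=...; ${FINALBUILDCMD}` form. FINALBUILDCMD is defined outside this file, so I can only assume it is what consumes the newly added `NOSYMLIBS`; if so, the two new binaries are linked differently from their siblings. Either give them the same recipe, `export BASEOBJS="dnssec-revoke.@O@ ${OBJS}"; \` followed by `${FINALBUILDCMD}`, or add a comment above the rules saying why these two are exempt.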
diff --git a/contrib/bind9/bin/dnssec/dnssec-dsfromkey.8 b/contrib/bind9/bin/dnssec/dnssec-dsfromkey.8
index 9525b40c31cb..ae9bb54000c6 100644
--- a/contrib/bind9/bin/dnssec/dnssec-dsfromkey.8
+++ b/contrib/bind9/bin/dnssec/dnssec-dsfromkey.8
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2008, 2012 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2008-2010, 2012 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" Permission to use, copy, modify, and/or distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
@@ -19,11 +19,11 @@
.\" Title: dnssec\-dsfromkey
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\" Date: November 29, 2008
+.\" Date: August 26, 2009
.\" Manual: BIND9
.\" Source: BIND9
.\"
-.TH "DNSSEC\-DSFROMKEY" "8" "November 29, 2008" "BIND9" "BIND9"
+.TH "DNSSEC\-DSFROMKEY" "8" "August 26, 2009" "BIND9" "BIND9"
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
@@ -32,9 +32,9 @@
dnssec\-dsfromkey \- DNSSEC DS RR generation tool
.SH "SYNOPSIS"
.HP 17
-\fBdnssec\-dsfromkey\fR [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-1\fR] [\fB\-2\fR] [\fB\-a\ \fR\fB\fIalg\fR\fR] {keyfile}
+\fBdnssec\-dsfromkey\fR [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-1\fR] [\fB\-2\fR] [\fB\-a\ \fR\fB\fIalg\fR\fR] [\fB\-l\ \fR\fB\fIdomain\fR\fR] {keyfile}
.HP 17
-\fBdnssec\-dsfromkey\fR {\-s} [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-1\fR] [\fB\-2\fR] [\fB\-a\ \fR\fB\fIalg\fR\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-d\ \fR\fB\fIdir\fR\fR] {dnsname}
+\fBdnssec\-dsfromkey\fR {\-s} [\fB\-1\fR] [\fB\-2\fR] [\fB\-a\ \fR\fB\fIalg\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-s\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-f\ \fR\fB\fIfile\fR\fR] [\fB\-A\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] {dnsname}
.SH "DESCRIPTION"
.PP
\fBdnssec\-dsfromkey\fR
@@ -55,31 +55,49 @@ Use SHA\-256 as the digest algorithm.
.RS 4
Select the digest algorithm. The value of
\fBalgorithm\fR
-must be one of SHA\-1 (SHA1) or SHA\-256 (SHA256). These values are case insensitive.
+must be one of SHA\-1 (SHA1), SHA\-256 (SHA256), GOST or SHA\-384 (SHA384). These values are case insensitive.
.RE
.PP
-\-v \fIlevel\fR
+\-K \fIdirectory\fR
.RS 4
-Sets the debugging level.
+Look for key files (or, in keyset mode,
+\fIkeyset\-\fR
+files) in
+\fBdirectory\fR.
+.RE
+.PP
+\-f \fIfile\fR
+.RS 4
+Zone file mode: in place of the keyfile name, the argument is the DNS domain name of a zone master file, which can be read from
+\fBfile\fR. If the zone name is the same as
+\fBfile\fR, then it may be omitted.
+.RE
+.PP
+\-A
+.RS 4
+Include ZSK's when generating DS records. Without this option, only keys which have the KSK flag set will be converted to DS records and printed. Useful only in zone file mode.
+.RE
+.PP
+\-l \fIdomain\fR
+.RS 4
+Generate a DLV set instead of a DS set. The specified
+\fBdomain\fR
+is appended to the name for each record in the set. The DNSSEC Lookaside Validation (DLV) RR is described in RFC 4431.
.RE
.PP
\-s
.RS 4
-Keyset mode: in place of the keyfile name, the argument is the DNS domain name of a keyset file. Following options make sense only in this mode.
+Keyset mode: in place of the keyfile name, the argument is the DNS domain name of a keyset file.
.RE
.PP
\-c \fIclass\fR
.RS 4
-Specifies the DNS class (default is IN), useful only in the keyset mode.
+Specifies the DNS class (default is IN). Useful only in keyset or zone file mode.
.RE
.PP
-\-d \fIdirectory\fR
+\-v \fIlevel\fR
.RS 4
-Look for
-\fIkeyset\fR
-files in
-\fBdirectory\fR
-as the directory, ignored when not in the keyset mode.
+Sets the debugging level.
.RE
.SH "EXAMPLE"
.PP
@@ -115,10 +133,11 @@ A keyfile error can give a "file not found" even if the file exists.
\fBdnssec\-signzone\fR(8),
BIND 9 Administrator Reference Manual,
RFC 3658,
+RFC 4431.
RFC 4509.
.SH "AUTHOR"
.PP
Internet Systems Consortium
.SH "COPYRIGHT"
-Copyright \(co 2008, 2012 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2008\-2010, 2012 Internet Systems Consortium, Inc. ("ISC")
.br
diff --git a/contrib/bind9/bin/dnssec/dnssec-dsfromkey.c b/contrib/bind9/bin/dnssec/dnssec-dsfromkey.c
index 6cffeb641b33..93d789b06264 100644
--- a/contrib/bind9/bin/dnssec/dnssec-dsfromkey.c
+++ b/contrib/bind9/bin/dnssec/dnssec-dsfromkey.c
@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: dnssec-dsfromkey.c,v 1.19.14.2 2011/09/05 23:45:53 tbox Exp $ */
/*! \file */
@@ -36,6 +36,8 @@
#include <dns/ds.h>
#include <dns/fixedname.h>
#include <dns/log.h>
+#include <dns/keyvalues.h>
+#include <dns/master.h>
#include <dns/name.h>
#include <dns/rdata.h>
#include <dns/rdataclass.h>
@@ -48,54 +50,40 @@
#include "dnssectool.h"
+#ifndef PATH_MAX
+#define PATH_MAX 1024 /* AIX, WIN32, and others don't define this. */
+#endif
+
const char *program = "dnssec-dsfromkey";
int verbose;
static dns_rdataclass_t rdclass;
-static dns_fixedname_t fixed;
-static dns_name_t *name = NULL;
-static dns_db_t *db = NULL;
-static dns_dbnode_t *node = NULL;
-static dns_rdataset_t keyset;
-static isc_mem_t *mctx = NULL;
+static dns_fixedname_t fixed;
+static dns_name_t *name = NULL;
+static isc_mem_t *mctx = NULL;
-static void
-loadkeys(char *dirname, char *setname)
-{
- isc_result_t result;
- char filename[1024];
- isc_buffer_t buf;
+static isc_result_t
+initname(char *setname) {
+ isc_result_t result;
+ isc_buffer_t buf;
- dns_rdataset_init(&keyset);
dns_fixedname_init(&fixed);
name = dns_fixedname_name(&fixed);
isc_buffer_init(&buf, setname, strlen(setname));
isc_buffer_add(&buf, strlen(setname));
- result = dns_name_fromtext(name, &buf, dns_rootname, ISC_FALSE, NULL);
- if (result != ISC_R_SUCCESS)
- fatal("can't convert DNS name %s", setname);
+ result = dns_name_fromtext(name, &buf, dns_rootname, 0, NULL);
+ return (result);
+}
- isc_buffer_init(&buf, filename, sizeof(filename));
- if (dirname != NULL) {
- if (isc_buffer_availablelength(&buf) < strlen(dirname))
- fatal("directory name '%s' too long", dirname);
- isc_buffer_putstr(&buf, dirname);
- if (dirname[strlen(dirname) - 1] != '/') {
- if (isc_buffer_availablelength(&buf) < 1)
- fatal("directory name '%s' too long", dirname);
- isc_buffer_putstr(&buf, "/");
- }
- }
+static isc_result_t
+loadsetfromfile(char *filename, dns_rdataset_t *rdataset) {
+ isc_result_t result;
+ dns_db_t *db = NULL;
+ dns_dbnode_t *node = NULL;
+ char setname[DNS_NAME_FORMATSIZE];
- if (isc_buffer_availablelength(&buf) < strlen("keyset-"))
- fatal("directory name '%s' too long", dirname);
- isc_buffer_putstr(&buf, "keyset-");
- result = dns_name_tofilenametext(name, ISC_FALSE, &buf);
- check_result(result, "dns_name_tofilenametext()");
- if (isc_buffer_availablelength(&buf) == 0)
- fatal("name %s too long", setname);
- isc_buffer_putuint8(&buf, 0);
+ dns_name_format(name, setname, sizeof(setname));
result = dns_db_create(mctx, "rbt", name, dns_dbtype_zone,
rdclass, 0, NULL, &db);
@@ -111,11 +99,49 @@ loadkeys(char *dirname, char *setname)
fatal("can't find %s node in %s", setname, filename);
result = dns_db_findrdataset(db, node, NULL, dns_rdatatype_dnskey,
- 0, 0, &keyset, NULL);
+ 0, 0, rdataset, NULL);
+
if (result == ISC_R_NOTFOUND)
fatal("no DNSKEY RR for %s in %s", setname, filename);
else if (result != ISC_R_SUCCESS)
fatal("dns_db_findrdataset");
+
+ if (node != NULL)
+ dns_db_detachnode(db, &node);
+ if (db != NULL)
+ dns_db_detach(&db);
+ return (result);
+}
+
+static isc_result_t
+loadkeyset(char *dirname, dns_rdataset_t *rdataset) {
+ isc_result_t result;
+ char filename[PATH_MAX + 1];
+ isc_buffer_t buf;
+
+ dns_rdataset_init(rdataset);
+
+ isc_buffer_init(&buf, filename, sizeof(filename));
+ if (dirname != NULL) {
+ /* allow room for a trailing slash */
+ if (strlen(dirname) >= isc_buffer_availablelength(&buf))
+ return (ISC_R_NOSPACE);
+ isc_buffer_putstr(&buf, dirname);
+ if (dirname[strlen(dirname) - 1] != '/')
+ isc_buffer_putstr(&buf, "/");
+ }
+
+ if (isc_buffer_availablelength(&buf) < 7)
+ return (ISC_R_NOSPACE);
+ isc_buffer_putstr(&buf, "keyset-");
+
+ result = dns_name_tofilenametext(name, ISC_FALSE, &buf);
+ check_result(result, "dns_name_tofilenametext()");
+ if (isc_buffer_availablelength(&buf) == 0)
+ return (ISC_R_NOSPACE);
+ isc_buffer_putuint8(&buf, 0);
+
+ return (loadsetfromfile(filename, rdataset));
}
static void
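Review bot: In loadkeyset, `dirname[strlen(dirname) - 1]` reads one byte before the string when `dirname` is empty; the only thing preventing that is the non-empty check on -K/-d in main, in a later hunk of this diff. A local guard such as `if (dirname != NULL && dirname[0] != '\0') {` would make the helper safe regardless of its caller. The literal in `isc_buffer_availablelength(&buf) < 7` replaces the `strlen("keyset-")` of the removed code; `sizeof("keyset-") - 1` would keep the bound tied to the string it protects. loadsetfromfile, whose tail is also in this hunk, begins in the previous one.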
@@ -127,20 +153,20 @@ loadkey(char *filename, unsigned char *key_buf, unsigned int key_buf_size,
isc_buffer_t keyb;
isc_region_t r;
- dns_rdataset_init(&keyset);
dns_rdata_init(rdata);
isc_buffer_init(&keyb, key_buf, key_buf_size);
- result = dst_key_fromnamedfile(filename, DST_TYPE_PUBLIC, mctx, &key);
+ result = dst_key_fromnamedfile(filename, NULL, DST_TYPE_PUBLIC,
+ mctx, &key);
if (result != ISC_R_SUCCESS)
fatal("invalid keyfile name %s: %s",
filename, isc_result_totext(result));
if (verbose > 2) {
- char keystr[KEY_FORMATSIZE];
+ char keystr[DST_KEY_FORMATSIZE];
- key_format(key, keystr, sizeof(keystr));
+ dst_key_format(key, keystr, sizeof(keystr));
fprintf(stderr, "%s: %s\n", program, keystr);
}
@@ -169,7 +195,7 @@ logkey(dns_rdata_t *rdata)
isc_result_t result;
dst_key_t *key = NULL;
isc_buffer_t buf;
- char keystr[KEY_FORMATSIZE];
+ char keystr[DST_KEY_FORMATSIZE];
isc_buffer_init(&buf, rdata->data, rdata->length);
isc_buffer_add(&buf, rdata->length);
@@ -177,49 +203,80 @@ logkey(dns_rdata_t *rdata)
if (result != ISC_R_SUCCESS)
return;
- key_format(key, keystr, sizeof(keystr));
+ dst_key_format(key, keystr, sizeof(keystr));
fprintf(stderr, "%s: %s\n", program, keystr);
dst_key_free(&key);
}
static void
-emitds(unsigned int dtype, dns_rdata_t *rdata)
+emit(unsigned int dtype, isc_boolean_t showall, char *lookaside,
+ dns_rdata_t *rdata)
{
- isc_result_t result;
- unsigned char buf[DNS_DS_BUFFERSIZE];
- char text_buf[DST_KEY_MAXTEXTSIZE];
- char class_buf[10];
- isc_buffer_t textb, classb;
- isc_region_t r;
- dns_rdata_t ds;
+ isc_result_t result;
+ unsigned char buf[DNS_DS_BUFFERSIZE];
+ char text_buf[DST_KEY_MAXTEXTSIZE];
+ char name_buf[DNS_NAME_MAXWIRE];
+ char class_buf[10];
+ isc_buffer_t textb, nameb, classb;
+ isc_region_t r;
+ dns_rdata_t ds;
+ dns_rdata_dnskey_t dnskey;
isc_buffer_init(&textb, text_buf, sizeof(text_buf));
+ isc_buffer_init(&nameb, name_buf, sizeof(name_buf));
isc_buffer_init(&classb, class_buf, sizeof(class_buf));
dns_rdata_init(&ds);
+ result = dns_rdata_tostruct(rdata, &dnskey, NULL);
+ if (result != ISC_R_SUCCESS)
+ fatal("can't convert DNSKEY");
+
+ if ((dnskey.flags & DNS_KEYFLAG_KSK) == 0 && !showall)
+ return;
+
result = dns_ds_buildrdata(name, rdata, dtype, buf, &ds);
if (result != ISC_R_SUCCESS)
- fatal("can't build DS");
+ fatal("can't build record");
+
+ result = dns_name_totext(name, ISC_FALSE, &nameb);
+ if (result != ISC_R_SUCCESS)
+ fatal("can't print name");
+
+ /* Add lookaside origin, if set */
+ if (lookaside != NULL) {
+ if (isc_buffer_availablelength(&nameb) < strlen(lookaside))
+ fatal("DLV origin '%s' is too long", lookaside);
+ isc_buffer_putstr(&nameb, lookaside);
+ if (lookaside[strlen(lookaside) - 1] != '.') {
+ if (isc_buffer_availablelength(&nameb) < 1)
+ fatal("DLV origin '%s' is too long", lookaside);
+ isc_buffer_putstr(&nameb, ".");
+ }
+ }
result = dns_rdata_totext(&ds, (dns_name_t *) NULL, &textb);
if (result != ISC_R_SUCCESS)
- fatal("can't print DS rdata");
+ fatal("can't print rdata");
result = dns_rdataclass_totext(rdclass, &classb);
if (result != ISC_R_SUCCESS)
- fatal("can't print DS class");
+ fatal("can't print class");
- result = dns_name_print(name, stdout);
- if (result != ISC_R_SUCCESS)
- fatal("can't print DS name");
+ isc_buffer_usedregion(&nameb, &r);
+ printf("%.*s ", (int)r.length, r.base);
isc_buffer_usedregion(&classb, &r);
- printf(" %.*s", (int)r.length, r.base);
+ printf("%.*s", (int)r.length, r.base);
+
+ if (lookaside == NULL)
+ printf(" DS ");
+ else
+ printf(" DLV ");
isc_buffer_usedregion(&textb, &r);
- printf(" DS %.*s\n", (int)r.length, r.base);
+ printf("%.*s\n", (int)r.length, r.base);
}
ISC_PLATFORM_NORETURN_PRE static void
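Review bot: In emit, `char name_buf[DNS_NAME_MAXWIRE];` is sized by a wire-format constant but is filled by dns_name_totext() and then extended with the DLV origin as text. The presentation form of a name with escaped bytes can be longer than its wire form, so a valid owner name plus `lookaside` can run into the "can't print name" or "DLV origin ... is too long" fatal paths; the writes are length-checked, so this is a spurious failure rather than an overflow. loadsetfromfile in this file already uses `char setname[DNS_NAME_FORMATSIZE];` for text, and the same size (or larger, to leave room for the suffix) would fit here. Separately, `lookaside` is appended verbatim, so nothing in this hunk checks that it is a well-formed domain name before it is printed into the record.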
@@ -228,36 +285,47 @@ usage(void) ISC_PLATFORM_NORETURN_POST;
static void
usage(void) {
fprintf(stderr, "Usage:\n");
- fprintf(stderr, " %s options keyfile\n\n", program);
- fprintf(stderr, " %s options [-c class] [-d dir] -s dnsname\n\n",
+ fprintf(stderr, " %s options [-K dir] keyfile\n\n", program);
+ fprintf(stderr, " %s options [-K dir] [-c class] -s dnsname\n\n",
program);
+ fprintf(stderr, " %s options -f zonefile (as zone name)\n\n", program);
+ fprintf(stderr, " %s options -f zonefile zonename\n\n", program);
fprintf(stderr, "Version: %s\n", VERSION);
fprintf(stderr, "Options:\n");
fprintf(stderr, " -v <verbose level>\n");
+ fprintf(stderr, " -K <directory>: directory in which to find "
+ "key file or keyset file\n");
+ fprintf(stderr, " -a algorithm: digest algorithm "
+ "(SHA-1, SHA-256, GOST or SHA-384)\n");
fprintf(stderr, " -1: use SHA-1\n");
fprintf(stderr, " -2: use SHA-256\n");
- fprintf(stderr, " -a algorithm: use algorithm\n");
- fprintf(stderr, "Keyset options:\n");
- fprintf(stderr, " -s: keyset mode\n");
- fprintf(stderr, " -c class\n");
- fprintf(stderr, " -d directory\n");
- fprintf(stderr, "Output: DS RRs\n");
+ fprintf(stderr, " -l: add lookaside zone and print DLV records\n");
+ fprintf(stderr, " -s: read keyset from keyset-<dnsname> file\n");
+ fprintf(stderr, " -c class: rdata class for DS set (default: IN)\n");
+ fprintf(stderr, " -f file: read keyset from zone file\n");
+ fprintf(stderr, " -A: when used with -f, "
+ "include all keys in DS set, not just KSKs\n");
+ fprintf(stderr, "Output: DS or DLV RRs\n");
exit (-1);
}
int
main(int argc, char **argv) {
- char *algname = NULL, *classname = NULL, *dirname = NULL;
- char *endp;
- int ch;
- unsigned int dtype = DNS_DSDIGEST_SHA1;
- isc_boolean_t both = ISC_TRUE;
- isc_boolean_t usekeyset = ISC_FALSE;
- isc_result_t result;
- isc_log_t *log = NULL;
- isc_entropy_t *ectx = NULL;
- dns_rdata_t rdata;
+ char *algname = NULL, *classname = NULL;
+ char *filename = NULL, *dir = NULL, *namestr;
+ char *lookaside = NULL;
+ char *endp;
+ int ch;
+ unsigned int dtype = DNS_DSDIGEST_SHA1;
+ isc_boolean_t both = ISC_TRUE;
+ isc_boolean_t usekeyset = ISC_FALSE;
+ isc_boolean_t showall = ISC_FALSE;
+ isc_result_t result;
+ isc_log_t *log = NULL;
+ isc_entropy_t *ectx = NULL;
+ dns_rdataset_t rdataset;
+ dns_rdata_t rdata;
dns_rdata_init(&rdata);
@@ -273,7 +341,7 @@ main(int argc, char **argv) {
isc_commandline_errprint = ISC_FALSE;
while ((ch = isc_commandline_parse(argc, argv,
- "12a:c:d:sv:h")) != -1) {
+ "12Aa:c:d:Ff:K:l:sv:h")) != -1) {
switch (ch) {
case '1':
dtype = DNS_DSDIGEST_SHA1;
@@ -283,6 +351,9 @@ main(int argc, char **argv) {
dtype = DNS_DSDIGEST_SHA256;
both = ISC_FALSE;
break;
+ case 'A':
+ showall = ISC_TRUE;
+ break;
case 'a':
algname = isc_commandline_argument;
both = ISC_FALSE;
@@ -291,7 +362,21 @@ main(int argc, char **argv) {
classname = isc_commandline_argument;
break;
case 'd':
- dirname = isc_commandline_argument;
+ fprintf(stderr, "%s: the -d option is deprecated; "
+ "use -K\n", program);
+ /* fall through */
+ case 'K':
+ dir = isc_commandline_argument;
+ if (strlen(dir) == 0U)
+ fatal("directory must be non-empty string");
+ break;
+ case 'f':
+ filename = isc_commandline_argument;
+ break;
+ case 'l':
+ lookaside = isc_commandline_argument;
+ if (strlen(lookaside) == 0U)
+ fatal("lookaside must be a non-empty string");
break;
case 's':
usekeyset = ISC_TRUE;
@@ -301,11 +386,14 @@ main(int argc, char **argv) {
if (*endp != '\0')
fatal("-v must be followed by a number");
break;
+ case 'F':
+ /* Reserved for FIPS mode */
+ /* FALLTHROUGH */
case '?':
if (isc_commandline_option != '?')
fprintf(stderr, "%s: invalid argument -%c\n",
program, isc_commandline_option);
- /* Falls into */
+ /* FALLTHROUGH */
case 'h':
usage();
@@ -323,13 +411,27 @@ main(int argc, char **argv) {
else if (strcasecmp(algname, "SHA256") == 0 ||
strcasecmp(algname, "SHA-256") == 0)
dtype = DNS_DSDIGEST_SHA256;
+#ifdef HAVE_OPENSSL_GOST
+ else if (strcasecmp(algname, "GOST") == 0)
+ dtype = DNS_DSDIGEST_GOST;
+#endif
+ else if (strcasecmp(algname, "SHA384") == 0 ||
+ strcasecmp(algname, "SHA-384") == 0)
+ dtype = DNS_DSDIGEST_SHA384;
else
fatal("unknown algorithm %s", algname);
}
rdclass = strtoclass(classname);
- if (argc < isc_commandline_index + 1)
+ if (usekeyset && filename != NULL)
+ fatal("cannot use both -s and -f");
+
+ /* When not using -f, -A is implicit */
+ if (filename == NULL)
+ showall = ISC_TRUE;
+
+ if (argc < isc_commandline_index + 1 && filename == NULL)
fatal("the key file name was not specified");
if (argc > isc_commandline_index + 1)
fatal("extraneous arguments");
@@ -342,28 +444,50 @@ main(int argc, char **argv) {
result = dst_lib_init(mctx, ectx,
ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY);
if (result != ISC_R_SUCCESS)
- fatal("could not initialize dst");
+ fatal("could not initialize dst: %s",
+ isc_result_totext(result));
isc_entropy_stopcallbacksources(ectx);
setup_logging(verbose, mctx, &log);
- if (usekeyset) {
- loadkeys(dirname, argv[isc_commandline_index]);
+ dns_rdataset_init(&rdataset);
+
+ if (usekeyset || filename != NULL) {
+ if (argc < isc_commandline_index + 1 && filename != NULL) {
+ /* using zone name as the zone file name */
+ namestr = filename;
+ } else
+ namestr = argv[isc_commandline_index];
+
+ result = initname(namestr);
+ if (result != ISC_R_SUCCESS)
+ fatal("could not initialize name %s", namestr);
+
+ if (usekeyset)
+ result = loadkeyset(dir, &rdataset);
+ else
+ result = loadsetfromfile(filename, &rdataset);
+
+ if (result != ISC_R_SUCCESS)
+ fatal("could not load DNSKEY set: %s\n",
+ isc_result_totext(result));
- for (result = dns_rdataset_first(&keyset);
+ for (result = dns_rdataset_first(&rdataset);
result == ISC_R_SUCCESS;
- result = dns_rdataset_next(&keyset)) {
+ result = dns_rdataset_next(&rdataset)) {
dns_rdata_init(&rdata);
- dns_rdataset_current(&keyset, &rdata);
+ dns_rdataset_current(&rdataset, &rdata);
if (verbose > 2)
logkey(&rdata);
if (both) {
- emitds(DNS_DSDIGEST_SHA1, &rdata);
- emitds(DNS_DSDIGEST_SHA256, &rdata);
+ emit(DNS_DSDIGEST_SHA1, showall, lookaside,
+ &rdata);
+ emit(DNS_DSDIGEST_SHA256, showall, lookaside,
+ &rdata);
} else
- emitds(dtype, &rdata);
+ emit(dtype, showall, lookaside, &rdata);
}
} else {
unsigned char key_buf[DST_KEY_MAXSIZE];
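Review bot: The `fatal("could not load DNSKEY set: %s\n", ...)` call carries a trailing `\n` that no other `fatal()` call on this page has (compare `fatal("could not initialize dst: %s", ...)` just above), so it presumably prints a stray blank line; drop the `\n`. The `initname()` failure path, on the other hand, discards the result code; `fatal("could not initialize name %s: %s", namestr, isc_result_totext(result));` would match the other two messages. A one-line comment that the `-f` argument doubles as the zone name only when it is itself a valid DNS name would also help; the existing `/* using zone name as the zone file name */` states it the other way round. `main()` continues outside this hunk.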
@@ -372,18 +496,14 @@ main(int argc, char **argv) {
DST_KEY_MAXSIZE, &rdata);
if (both) {
- emitds(DNS_DSDIGEST_SHA1, &rdata);
- emitds(DNS_DSDIGEST_SHA256, &rdata);
+ emit(DNS_DSDIGEST_SHA1, showall, lookaside, &rdata);
+ emit(DNS_DSDIGEST_SHA256, showall, lookaside, &rdata);
} else
- emitds(dtype, &rdata);
+ emit(dtype, showall, lookaside, &rdata);
}
- if (dns_rdataset_isassociated(&keyset))
- dns_rdataset_disassociate(&keyset);
- if (node != NULL)
- dns_db_detachnode(db, &node);
- if (db != NULL)
- dns_db_detach(&db);
+ if (dns_rdataset_isassociated(&rdataset))
+ dns_rdataset_disassociate(&rdataset);
cleanup_logging(&log);
dst_lib_destroy();
isc_hash_destroy();
diff --git a/contrib/bind9/bin/dnssec/dnssec-dsfromkey.docbook b/contrib/bind9/bin/dnssec/dnssec-dsfromkey.docbook
index b992fd2d3df7..d7050335107a 100644
--- a/contrib/bind9/bin/dnssec/dnssec-dsfromkey.docbook
+++ b/contrib/bind9/bin/dnssec/dnssec-dsfromkey.docbook
@@ -2,7 +2,7 @@
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- - Copyright (C) 2008, 2012 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2008-2010, 2012 Internet Systems Consortium, Inc. ("ISC")
-
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
@@ -17,10 +17,10 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id$ -->
+<!-- $Id: dnssec-dsfromkey.docbook,v 1.12 2010/12/23 23:47:08 tbox Exp $ -->
<refentry id="man.dnssec-dsfromkey">
<refentryinfo>
- <date>November 29, 2008</date>
+ <date>August 26, 2009</date>
</refentryinfo>
<refmeta>
@@ -37,6 +37,8 @@
<docinfo>
<copyright>
<year>2008</year>
+ <year>2009</year>
+ <year>2010</year>
<year>2012</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
@@ -49,17 +51,22 @@
<arg><option>-1</option></arg>
<arg><option>-2</option></arg>
<arg><option>-a <replaceable class="parameter">alg</replaceable></option></arg>
+ <arg><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
<arg choice="req">keyfile</arg>
</cmdsynopsis>
<cmdsynopsis>
<command>dnssec-dsfromkey</command>
<arg choice="req">-s</arg>
- <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
<arg><option>-1</option></arg>
<arg><option>-2</option></arg>
<arg><option>-a <replaceable class="parameter">alg</replaceable></option></arg>
+ <arg><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
+ <arg><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
+ <arg><option>-s</option></arg>
<arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
- <arg><option>-d <replaceable class="parameter">dir</replaceable></option></arg>
+ <arg><option>-f <replaceable class="parameter">file</replaceable></option></arg>
+ <arg><option>-A</option></arg>
+ <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
<arg choice="req">dnsname</arg>
</cmdsynopsis>
</refsynopsisdiv>
@@ -100,17 +107,56 @@
<listitem>
<para>
Select the digest algorithm. The value of
- <option>algorithm</option> must be one of SHA-1 (SHA1) or
- SHA-256 (SHA256). These values are case insensitive.
+ <option>algorithm</option> must be one of SHA-1 (SHA1),
+ SHA-256 (SHA256), GOST or SHA-384 (SHA384).
+ These values are case insensitive.
</para>
</listitem>
</varlistentry>
<varlistentry>
- <term>-v <replaceable class="parameter">level</replaceable></term>
+ <term>-K <replaceable class="parameter">directory</replaceable></term>
<listitem>
<para>
- Sets the debugging level.
+ Look for key files (or, in keyset mode,
+ <filename>keyset-</filename> files) in
+ <option>directory</option>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-f <replaceable class="parameter">file</replaceable></term>
+ <listitem>
+ <para>
+ Zone file mode: in place of the keyfile name, the argument is
+ the DNS domain name of a zone master file, which can be read
+ from <option>file</option>. If the zone name is the same as
+ <option>file</option>, then it may be omitted.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-A</term>
+ <listitem>
+ <para>
+ Include ZSK's when generating DS records. Without this option,
+ only keys which have the KSK flag set will be converted to DS
+ records and printed. Useful only in zone file mode.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-l <replaceable class="parameter">domain</replaceable></term>
+ <listitem>
+ <para>
+ Generate a DLV set instead of a DS set. The specified
+ <option>domain</option> is appended to the name for each
+ record in the set.
+ The DNSSEC Lookaside Validation (DLV) RR is described
+ in RFC 4431.
</para>
</listitem>
</varlistentry>
@@ -120,8 +166,7 @@
<listitem>
<para>
Keyset mode: in place of the keyfile name, the argument is
- the DNS domain name of a keyset file. Following options make sense
- only in this mode.
+ the DNS domain name of a keyset file.
</para>
</listitem>
</varlistentry>
@@ -130,23 +175,20 @@
<term>-c <replaceable class="parameter">class</replaceable></term>
<listitem>
<para>
- Specifies the DNS class (default is IN), useful only
- in the keyset mode.
+ Specifies the DNS class (default is IN). Useful only
+ in keyset or zone file mode.
</para>
</listitem>
</varlistentry>
<varlistentry>
- <term>-d <replaceable class="parameter">directory</replaceable></term>
+ <term>-v <replaceable class="parameter">level</replaceable></term>
<listitem>
<para>
- Look for <filename>keyset</filename> files in
- <option>directory</option> as the directory, ignored when
- not in the keyset mode.
+ Sets the debugging level.
</para>
</listitem>
</varlistentry>
-
</variablelist>
</refsect1>
@@ -198,6 +240,7 @@
</citerefentry>,
<citetitle>BIND 9 Administrator Reference Manual</citetitle>,
<citetitle>RFC 3658</citetitle>,
+ <citetitle>RFC 4431</citetitle>.
<citetitle>RFC 4509</citetitle>.
</para>
</refsect1>
diff --git a/contrib/bind9/bin/dnssec/dnssec-dsfromkey.html b/contrib/bind9/bin/dnssec/dnssec-dsfromkey.html
index 8f4bfc45d031..24bc0c133896 100644
--- a/contrib/bind9/bin/dnssec/dnssec-dsfromkey.html
+++ b/contrib/bind9/bin/dnssec/dnssec-dsfromkey.html
@@ -1,5 +1,5 @@
<!--
- - Copyright (C) 2008, 2012 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2008-2010, 2012 Internet Systems Consortium, Inc. ("ISC")
-
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
@@ -28,18 +28,18 @@
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code> [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-1</code>] [<code class="option">-2</code>] [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>] {keyfile}</p></div>
-<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code> {-s} [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-1</code>] [<code class="option">-2</code>] [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>dir</code></em></code>] {dnsname}</p></div>
+<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code> [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-1</code>] [<code class="option">-2</code>] [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] {keyfile}</p></div>
+<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code> {-s} [<code class="option">-1</code>] [<code class="option">-2</code>] [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-s</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-f <em class="replaceable"><code>file</code></em></code>] [<code class="option">-A</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {dnsname}</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543427"></a><h2>DESCRIPTION</h2>
+<a name="id2543468"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-dsfromkey</strong></span>
outputs the Delegation Signer (DS) resource record (RR), as defined in
RFC 3658 and RFC 4509, for the given key(s).
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543438"></a><h2>OPTIONS</h2>
+<a name="id2543480"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-1</span></dt>
<dd><p>
@@ -53,34 +53,55 @@
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd><p>
Select the digest algorithm. The value of
- <code class="option">algorithm</code> must be one of SHA-1 (SHA1) or
- SHA-256 (SHA256). These values are case insensitive.
+ <code class="option">algorithm</code> must be one of SHA-1 (SHA1),
+ SHA-256 (SHA256), GOST or SHA-384 (SHA384).
+ These values are case insensitive.
</p></dd>
-<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
+<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
- Sets the debugging level.
+ Look for key files (or, in keyset mode,
+ <code class="filename">keyset-</code> files) in
+ <code class="option">directory</code>.
+ </p></dd>
+<dt><span class="term">-f <em class="replaceable"><code>file</code></em></span></dt>
+<dd><p>
+ Zone file mode: in place of the keyfile name, the argument is
+ the DNS domain name of a zone master file, which can be read
+ from <code class="option">file</code>. If the zone name is the same as
+ <code class="option">file</code>, then it may be omitted.
+ </p></dd>
+<dt><span class="term">-A</span></dt>
+<dd><p>
+ Include ZSK's when generating DS records. Without this option,
+ only keys which have the KSK flag set will be converted to DS
+ records and printed. Useful only in zone file mode.
+ </p></dd>
+<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
+<dd><p>
+ Generate a DLV set instead of a DS set. The specified
+ <code class="option">domain</code> is appended to the name for each
+ record in the set.
+ The DNSSEC Lookaside Validation (DLV) RR is described
+ in RFC 4431.
</p></dd>
<dt><span class="term">-s</span></dt>
<dd><p>
Keyset mode: in place of the keyfile name, the argument is
- the DNS domain name of a keyset file. Following options make sense
- only in this mode.
+ the DNS domain name of a keyset file.
</p></dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>
- Specifies the DNS class (default is IN), useful only
- in the keyset mode.
+ Specifies the DNS class (default is IN). Useful only
+ in keyset or zone file mode.
</p></dd>
-<dt><span class="term">-d <em class="replaceable"><code>directory</code></em></span></dt>
+<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
- Look for <code class="filename">keyset</code> files in
- <code class="option">directory</code> as the directory, ignored when
- not in the keyset mode.
+ Sets the debugging level.
</p></dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543566"></a><h2>EXAMPLE</h2>
+<a name="id2543667"></a><h2>EXAMPLE</h2>
<p>
To build the SHA-256 DS RR from the
<strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
@@ -95,7 +116,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543596"></a><h2>FILES</h2>
+<a name="id2543697"></a><h2>FILES</h2>
<p>
The keyfile can be designed by the key identification
<code class="filename">Knnnn.+aaa+iiiii</code> or the full file name
@@ -109,22 +130,23 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543632"></a><h2>CAVEAT</h2>
+<a name="id2543732"></a><h2>CAVEAT</h2>
<p>
A keyfile error can give a "file not found" even if the file exists.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543641"></a><h2>SEE ALSO</h2>
+<a name="id2543741"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 3658</em>,
+ <em class="citetitle">RFC 4431</em>.
<em class="citetitle">RFC 4509</em>.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543677"></a><h2>AUTHOR</h2>
+<a name="id2543781"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
diff --git a/contrib/bind9/bin/dnssec/dnssec-keyfromlabel.8 b/contrib/bind9/bin/dnssec/dnssec-keyfromlabel.8
index 73586d140c8d..9867ff7e80c2 100644
--- a/contrib/bind9/bin/dnssec/dnssec-keyfromlabel.8
+++ b/contrib/bind9/bin/dnssec/dnssec-keyfromlabel.8
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2008, 2010, 2012 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2008-2012 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" Permission to use, copy, modify, and/or distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
@@ -32,18 +32,22 @@
dnssec\-keyfromlabel \- DNSSEC key generation tool
.SH "SYNOPSIS"
.HP 20
-\fBdnssec\-keyfromlabel\fR {\-a\ \fIalgorithm\fR} {\-l\ \fIlabel\fR} [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-f\ \fR\fB\fIflag\fR\fR] [\fB\-k\fR] [\fB\-n\ \fR\fB\fInametype\fR\fR] [\fB\-p\ \fR\fB\fIprotocol\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] {name}
+\fBdnssec\-keyfromlabel\fR {\-l\ \fIlabel\fR} [\fB\-3\fR] [\fB\-a\ \fR\fB\fIalgorithm\fR\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-f\ \fR\fB\fIflag\fR\fR] [\fB\-G\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-k\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-n\ \fR\fB\fInametype\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-p\ \fR\fB\fIprotocol\fR\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-y\fR] {name}
.SH "DESCRIPTION"
.PP
\fBdnssec\-keyfromlabel\fR
gets keys with the given label from a crypto hardware and builds key files for DNSSEC (Secure DNS), as defined in RFC 2535 and RFC 4034.
+.PP
+The
+\fBname\fR
+of the key is specified on the command line. This must match the name of the zone for which the key is being generated.
.SH "OPTIONS"
.PP
\-a \fIalgorithm\fR
.RS 4
Selects the cryptographic algorithm. The value of
\fBalgorithm\fR
-must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512 or DH (Diffie Hellman). These values are case insensitive.
+must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST, ECDSAP256SHA256 or ECDSAP384SHA384. These values are case insensitive.
.sp
If no algorithm is specified, then RSASHA1 will be used by default, unless the
\fB\-3\fR
@@ -56,9 +60,19 @@ Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement algorithm, and DSA
Note 2: DH automatically sets the \-k flag.
.RE
.PP
+\-3
+.RS 4
+Use an NSEC3\-capable algorithm to generate a DNSSEC key. If this option is used and no algorithm is explicitly set on the command line, NSEC3RSASHA1 will be used by default.
+.RE
+.PP
+\-E \fIengine\fR
+.RS 4
+Specifies the name of the crypto hardware (OpenSSL engine). When compiled with PKCS#11 support it defaults to "pkcs11".
+.RE
+.PP
\-l \fIlabel\fR
.RS 4
-Specifies the label of keys in the crypto hardware (PKCS#11 device).
+Specifies the label of the key pair in the crypto hardware. The label may be preceded by an optional OpenSSL engine name, separated by a colon, as in "pkcs11:keylabel".
.RE
.PP
\-n \fInametype\fR
@@ -68,6 +82,15 @@ Specifies the owner type of the key. The value of
must either be ZONE (for a DNSSEC zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with a host (KEY)), USER (for a key associated with a user(KEY)) or OTHER (DNSKEY). These values are case insensitive.
.RE
.PP
+\-C
+.RS 4
+Compatibility mode: generates an old\-style key, without any metadata. By default,
+\fBdnssec\-keyfromlabel\fR
+will include the key's creation date in the metadata stored with the private key, and other dates may be set there as well (publication date, activation date, etc). Keys that include this data may be incompatible with older versions of BIND; the
+\fB\-C\fR
+option suppresses them.
+.RE
+.PP
\-c \fIclass\fR
.RS 4
Indicates that the DNS record containing the key should have the specified class. If not specified, class IN is used.
@@ -75,13 +98,23 @@ Indicates that the DNS record containing the key should have the specified class
.PP
\-f \fIflag\fR
.RS 4
-Set the specified flag in the flag field of the KEY/DNSKEY record. The only recognized flag is KSK (Key Signing Key) DNSKEY.
+Set the specified flag in the flag field of the KEY/DNSKEY record. The only recognized flags are KSK (Key Signing Key) and REVOKE.
+.RE
+.PP
+\-G
+.RS 4
+Generate a key, but do not publish it or sign with it. This option is incompatible with \-P and \-A.
.RE
.PP
\-h
.RS 4
Prints a short summary of the options and arguments to
-\fBdnssec\-keygen\fR.
+\fBdnssec\-keyfromlabel\fR.
+.RE
+.PP
+\-K \fIdirectory\fR
+.RS 4
+Sets the directory in which the key files are to be written.
.RE
.PP
\-k
@@ -91,7 +124,7 @@ Generate KEY records rather than DNSKEY records.
.PP
\-p \fIprotocol\fR
.RS 4
-Sets the protocol value for the generated key. The protocol is a number between 0 and 255. The default is 3 (DNSSEC). Other possible values for this argument are listed in RFC 2535 and its successors.
+Sets the protocol value for the key. The protocol is a number between 0 and 255. The default is 3 (DNSSEC). Other possible values for this argument are listed in RFC 2535 and its successors.
.RE
.PP
\-t \fItype\fR
@@ -105,6 +138,39 @@ must be one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default is AUTHCONF.
.RS 4
Sets the debugging level.
.RE
+.PP
+\-y
+.RS 4
+Allows DNSSEC key files to be generated even if the key ID would collide with that of an existing key, in the event of either key being revoked. (This is only safe to use if you are sure you won't be using RFC 5011 trust anchor maintenance with either of the keys involved.)
+.RE
+.SH "TIMING OPTIONS"
+.PP
+Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '\-', it is interpreted as an offset from the present time. For convenience, if such an offset is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the offset is computed in years (defined as 365 24\-hour days, ignoring leap years), months (defined as 30 24\-hour days), weeks, days, hours, or minutes, respectively. Without a suffix, the offset is computed in seconds.
+.PP
+\-P \fIdate/offset\fR
+.RS 4
+Sets the date on which a key is to be published to the zone. After that date, the key will be included in the zone but will not be used to sign it. If not set, and if the \-G option has not been used, the default is "now".
+.RE
+.PP
+\-A \fIdate/offset\fR
+.RS 4
+Sets the date on which the key is to be activated. After that date, the key will be included in the zone and used to sign it. If not set, and if the \-G option has not been used, the default is "now".
+.RE
+.PP
+\-R \fIdate/offset\fR
+.RS 4
+Sets the date on which the key is to be revoked. After that date, the key will be flagged as revoked. It will be included in the zone and will be used to sign it.
+.RE
+.PP
+\-I \fIdate/offset\fR
+.RS 4
+Sets the date on which the key is to be retired. After that date, the key will still be included in the zone, but it will not be used to sign it.
+.RE
+.PP
+\-D \fIdate/offset\fR
+.RS 4
+Sets the date on which the key is to be deleted. After that date, the key will no longer be included in the zone. (It may remain in the key repository, however.)
+.RE
.SH "GENERATED KEY FILES"
.PP
When
@@ -138,7 +204,7 @@ file contains a DNS KEY record that can be inserted into a zone file (directly o
.PP
The
\fI.private\fR
-file contains algorithm specific fields. For obvious security reasons, this file does not have general read permission.
+file contains algorithm\-specific fields. For obvious security reasons, this file does not have general read permission.
.SH "SEE ALSO"
.PP
\fBdnssec\-keygen\fR(8),
@@ -149,5 +215,5 @@ RFC 4034.
.PP
Internet Systems Consortium
.SH "COPYRIGHT"
-Copyright \(co 2008, 2010, 2012 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2008\-2012 Internet Systems Consortium, Inc. ("ISC")
.br
diff --git a/contrib/bind9/bin/dnssec/dnssec-keyfromlabel.c b/contrib/bind9/bin/dnssec/dnssec-keyfromlabel.c
index bf5b09032833..e91e02dda5ae 100644
--- a/contrib/bind9/bin/dnssec/dnssec-keyfromlabel.c
+++ b/contrib/bind9/bin/dnssec/dnssec-keyfromlabel.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2007, 2008, 2010-2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2007-2012 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@@ -14,12 +14,13 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: dnssec-keyfromlabel.c,v 1.32.14.4 2011/11/30 00:51:38 marka Exp $ */
/*! \file */
#include <config.h>
+#include <ctype.h>
#include <stdlib.h>
#include <isc/buffer.h>
@@ -27,9 +28,11 @@
#include <isc/entropy.h>
#include <isc/mem.h>
#include <isc/region.h>
+#include <isc/print.h>
#include <isc/string.h>
#include <isc/util.h>
+#include <dns/dnssec.h>
#include <dns/fixedname.h>
#include <dns/keyvalues.h>
#include <dns/log.h>
@@ -47,9 +50,13 @@
const char *program = "dnssec-keyfromlabel";
int verbose;
+#define DEFAULT_ALGORITHM "RSASHA1"
+#define DEFAULT_NSEC3_ALGORITHM "NSEC3RSASHA1"
+
static const char *algs = "RSA | RSAMD5 | DH | DSA | RSASHA1 |"
" NSEC3DSA | NSEC3RSASHA1 |"
- " RSASHA256 | RSASHA512";
+ " RSASHA256 | RSASHA512 | ECCGOST |"
+ " ECDSAP256SHA256 | ECDSAP384SHA384";
ISC_PLATFORM_NORETURN_PRE static void
usage(void) ISC_PLATFORM_NORETURN_POST;
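Review bot: `DEFAULT_ALGORITHM` and `DEFAULT_NSEC3_ALGORITHM` make a SHA-1-based algorithm the silent default when `-a` is omitted, and nothing at the definition says why. Since this commit also turns `-a` from required into optional, the choice deserves a comment, for example `/* Defaults used when -a is omitted; RSASHA1 is chosen as the mandatory-to-implement algorithm (see the man page). Revisit when SHA-1-based algorithms are retired. */`. Later DNSSEC algorithm guidance (RFC 8624) marks RSASHA1 as not recommended for signing, so the default is worth keeping easy to find.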
@@ -57,42 +64,69 @@ usage(void) ISC_PLATFORM_NORETURN_POST;
static void
usage(void) {
fprintf(stderr, "Usage:\n");
- fprintf(stderr, " %s -a alg -l label [options] name\n\n",
+ fprintf(stderr, " %s -l label [options] name\n\n",
program);
fprintf(stderr, "Version: %s\n", VERSION);
fprintf(stderr, "Required options:\n");
- fprintf(stderr, " -a algorithm: %s\n", algs);
- fprintf(stderr, " -l label: label of the key\n");
+ fprintf(stderr, " -l label: label of the key pair\n");
fprintf(stderr, " name: owner of the key\n");
fprintf(stderr, "Other options:\n");
+ fprintf(stderr, " -a algorithm: %s\n", algs);
+ fprintf(stderr, " (default: RSASHA1, or "
+ "NSEC3RSASHA1 if using -3)\n");
+ fprintf(stderr, " -3: use NSEC3-capable algorithm\n");
+ fprintf(stderr, " -c class (default: IN)\n");
+#ifdef USE_PKCS11
+ fprintf(stderr, " -E enginename (default: pkcs11)\n");
+#else
+ fprintf(stderr, " -E enginename\n");
+#endif
+ fprintf(stderr, " -f keyflag: KSK | REVOKE\n");
+ fprintf(stderr, " -K directory: directory in which to place "
+ "key files\n");
+ fprintf(stderr, " -k: generate a TYPE=KEY key\n");
fprintf(stderr, " -n nametype: ZONE | HOST | ENTITY | USER | OTHER\n");
fprintf(stderr, " (DNSKEY generation defaults to ZONE\n");
- fprintf(stderr, " -c <class> (default: IN)\n");
- fprintf(stderr, " -f keyflag: KSK\n");
- fprintf(stderr, " -t <type>: "
+ fprintf(stderr, " -p protocol: default: 3 [dnssec]\n");
+ fprintf(stderr, " -t type: "
"AUTHCONF | NOAUTHCONF | NOAUTH | NOCONF "
"(default: AUTHCONF)\n");
- fprintf(stderr, " -p <protocol>: "
- "default: 3 [dnssec]\n");
- fprintf(stderr, " -v <verbose level>\n");
- fprintf(stderr, " -k : generate a TYPE=KEY key\n");
+ fprintf(stderr, " -y: permit keys that might collide\n");
+ fprintf(stderr, " -v verbose level\n");
+ fprintf(stderr, "Date options:\n");
+ fprintf(stderr, " -P date/[+-]offset: set key publication date\n");
+ fprintf(stderr, " -A date/[+-]offset: set key activation date\n");
+ fprintf(stderr, " -R date/[+-]offset: set key revocation date\n");
+ fprintf(stderr, " -I date/[+-]offset: set key inactivation date\n");
+ fprintf(stderr, " -D date/[+-]offset: set key deletion date\n");
+ fprintf(stderr, " -G: generate key only; do not set -P or -A\n");
+ fprintf(stderr, " -C: generate a backward-compatible key, omitting"
+ " all dates\n");
fprintf(stderr, "Output:\n");
fprintf(stderr, " K<name>+<alg>+<id>.key, "
- "K<name>+<alg>+<id>.private\n");
+ "K<name>+<alg>+<id>.private\n");
exit (-1);
}
int
main(int argc, char **argv) {
- char *algname = NULL, *nametype = NULL, *type = NULL;
+ char *algname = NULL, *freeit = NULL;
+ char *nametype = NULL, *type = NULL;
+ const char *directory = NULL;
+#ifdef USE_PKCS11
+ const char *engine = "pkcs11";
+#else
+ const char *engine = NULL;
+#endif
char *classname = NULL;
char *endp;
- dst_key_t *key = NULL, *oldkey;
+ dst_key_t *key = NULL;
dns_fixedname_t fname;
dns_name_t *name;
- isc_uint16_t flags = 0, ksk = 0;
+ isc_uint16_t flags = 0, kskflag = 0, revflag = 0;
dns_secalg_t alg;
+ isc_boolean_t oldstyle = ISC_FALSE;
isc_mem_t *mctx = NULL;
int ch;
int protocol = -1, signatory = 0;
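Review bot: The `-a` help text hard-codes `RSASHA1` and `NSEC3RSASHA1` in the string `"(default: RSASHA1, or " "NSEC3RSASHA1 if using -3)\n"`, although the previous hunk introduces `DEFAULT_ALGORITHM` and `DEFAULT_NSEC3_ALGORITHM` for exactly these values. Building the message by literal concatenation, `"(default: " DEFAULT_ALGORITHM ", or " DEFAULT_NSEC3_ALGORITHM " if using -3)\n"`, keeps the usage output from drifting if the defaults change. The same applies to `const char *engine = "pkcs11";` and the `-E enginename (default: pkcs11)` line, which repeat one literal in two places. `main()` continues outside this hunk.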
@@ -105,6 +139,20 @@ main(int argc, char **argv) {
dns_rdataclass_t rdclass;
int options = DST_TYPE_PRIVATE | DST_TYPE_PUBLIC;
char *label = NULL;
+ isc_stdtime_t publish = 0, activate = 0, revoke = 0;
+ isc_stdtime_t inactive = 0, delete = 0;
+ isc_stdtime_t now;
+ isc_boolean_t setpub = ISC_FALSE, setact = ISC_FALSE;
+ isc_boolean_t setrev = ISC_FALSE, setinact = ISC_FALSE;
+ isc_boolean_t setdel = ISC_FALSE;
+ isc_boolean_t unsetpub = ISC_FALSE, unsetact = ISC_FALSE;
+ isc_boolean_t unsetrev = ISC_FALSE, unsetinact = ISC_FALSE;
+ isc_boolean_t unsetdel = ISC_FALSE;
+ isc_boolean_t genonly = ISC_FALSE;
+ isc_boolean_t use_nsec3 = ISC_FALSE;
+ isc_boolean_t avoid_collisions = ISC_TRUE;
+ isc_boolean_t exact;
+ unsigned char c;
if (argc == 1)
usage();
@@ -115,28 +163,49 @@ main(int argc, char **argv) {
isc_commandline_errprint = ISC_FALSE;
+ isc_stdtime_get(&now);
+
while ((ch = isc_commandline_parse(argc, argv,
- "a:c:f:kl:n:p:t:v:h")) != -1)
+ "3a:Cc:E:f:K:kl:n:p:t:v:yFhGP:A:R:I:D:")) != -1)
{
switch (ch) {
+ case '3':
+ use_nsec3 = ISC_TRUE;
+ break;
case 'a':
algname = isc_commandline_argument;
break;
+ case 'C':
+ oldstyle = ISC_TRUE;
+ break;
case 'c':
classname = isc_commandline_argument;
break;
+ case 'E':
+ engine = isc_commandline_argument;
+ break;
case 'f':
- if (strcasecmp(isc_commandline_argument, "KSK") == 0)
- ksk = DNS_KEYFLAG_KSK;
+ c = (unsigned char)(isc_commandline_argument[0]);
+ if (toupper(c) == 'K')
+ kskflag = DNS_KEYFLAG_KSK;
+ else if (toupper(c) == 'R')
+ revflag = DNS_KEYFLAG_REVOKE;
else
fatal("unknown flag '%s'",
isc_commandline_argument);
break;
+ case 'K':
+ directory = isc_commandline_argument;
+ ret = try_dir(directory);
+ if (ret != ISC_R_SUCCESS)
+ fatal("cannot open directory %s: %s",
+ directory, isc_result_totext(ret));
+ break;
case 'k':
options |= DST_TYPE_KEY;
break;
case 'l':
- label = isc_commandline_argument;
+ label = isc_mem_strdup(mctx, isc_commandline_argument);
break;
case 'n':
nametype = isc_commandline_argument;
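Review bot: The rewritten `case 'f':` looks only at the first character of the argument, so any word starting with `k` sets `DNS_KEYFLAG_KSK` and any word starting with `r` sets `DNS_KEYFLAG_REVOKE`, where the removed code required an exact `KSK`. A mistyped flag can therefore silently produce a key marked revoked. Comparing the whole word keeps the documented `KSK | REVOKE` contract: `if (strcasecmp(isc_commandline_argument, "KSK") == 0)` and `else if (strcasecmp(isc_commandline_argument, "REVOKE") == 0)`. In `case 'l':` the result of `isc_mem_strdup()` is not checked in this hunk and a repeated `-l` overwrites the earlier copy without freeing it; `mctx` is set up outside the hunk, so confirm it is created before option parsing.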
@@ -155,11 +224,80 @@ main(int argc, char **argv) {
if (*endp != '\0')
fatal("-v must be followed by a number");
break;
-
+ case 'y':
+ avoid_collisions = ISC_FALSE;
+ break;
+ case 'G':
+ genonly = ISC_TRUE;
+ break;
+ case 'P':
+ if (setpub || unsetpub)
+ fatal("-P specified more than once");
+
+ if (strcasecmp(isc_commandline_argument, "none")) {
+ setpub = ISC_TRUE;
+ publish = strtotime(isc_commandline_argument,
+ now, now);
+ } else {
+ unsetpub = ISC_TRUE;
+ }
+ break;
+ case 'A':
+ if (setact || unsetact)
+ fatal("-A specified more than once");
+
+ if (strcasecmp(isc_commandline_argument, "none")) {
+ setact = ISC_TRUE;
+ activate = strtotime(isc_commandline_argument,
+ now, now);
+ } else {
+ unsetact = ISC_TRUE;
+ }
+ break;
+ case 'R':
+ if (setrev || unsetrev)
+ fatal("-R specified more than once");
+
+ if (strcasecmp(isc_commandline_argument, "none")) {
+ setrev = ISC_TRUE;
+ revoke = strtotime(isc_commandline_argument,
+ now, now);
+ } else {
+ unsetrev = ISC_TRUE;
+ }
+ break;
+ case 'I':
+ if (setinact || unsetinact)
+ fatal("-I specified more than once");
+
+ if (strcasecmp(isc_commandline_argument, "none")) {
+ setinact = ISC_TRUE;
+ inactive = strtotime(isc_commandline_argument,
+ now, now);
+ } else {
+ unsetinact = ISC_TRUE;
+ }
+ break;
+ case 'D':
+ if (setdel || unsetdel)
+ fatal("-D specified more than once");
+
+ if (strcasecmp(isc_commandline_argument, "none")) {
+ setdel = ISC_TRUE;
+ delete = strtotime(isc_commandline_argument,
+ now, now);
+ } else {
+ unsetdel = ISC_TRUE;
+ }
+ break;
+ case 'F':
+ /* Reserved for FIPS mode */
+ /* FALLTHROUGH */
case '?':
if (isc_commandline_option != '?')
fprintf(stderr, "%s: invalid argument -%c\n",
program, isc_commandline_option);
+ /* FALLTHROUGH */
case 'h':
usage();
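Review bot: The five date cases (`P`, `A`, `R`, `I`, `D`) are the same twelve lines with different variable names, and each tests `strcasecmp(isc_commandline_argument, "none")` as a bare truth value, which reads as "equals none" when it means the opposite. Writing `strcasecmp(isc_commandline_argument, "none") != 0` makes the branch direction explicit. A small static helper that takes the option letter plus pointers to the set/unset flags and the `isc_stdtime_t` would remove the duplication. The usage text says `-G` excludes `-P` and `-A`, but no such check is visible in this hunk; if it exists it is after option parsing, outside the hunk.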
@@ -172,10 +310,11 @@ main(int argc, char **argv) {
if (ectx == NULL)
setup_entropy(mctx, NULL, &ectx);
- ret = dst_lib_init(mctx, ectx,
- ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY);
+ ret = dst_lib_init2(mctx, ectx, engine,
+ ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY);
if (ret != ISC_R_SUCCESS)
- fatal("could not initialize dst");
+ fatal("could not initialize dst: %s",
+ isc_result_totext(ret));
setup_logging(verbose, mctx, &log);
@@ -186,8 +325,33 @@ main(int argc, char **argv) {
if (argc > isc_commandline_index + 1)
fatal("extraneous arguments");
- if (algname == NULL)
- fatal("no algorithm was specified");
+ if (strchr(label, ':') == NULL &&
+ engine != NULL && strlen(engine) != 0U) {
+ char *l;
+ int len;
+
+ len = strlen(label) + strlen(engine) + 2;
+ l = isc_mem_allocate(mctx, len);
+ if (l == NULL)
+ fatal("cannot allocate memory");
+ snprintf(l, len, "%s:%s", engine, label);
+ isc_mem_free(mctx, label);
+ label = l;
+ }
+
+ if (algname == NULL) {
+ if (use_nsec3)
+ algname = strdup(DEFAULT_NSEC3_ALGORITHM);
+ else
+ algname = strdup(DEFAULT_ALGORITHM);
+ if (algname == NULL)
+ fatal("strdup failed");
+ freeit = algname;
+ if (verbose > 0)
+ fprintf(stderr, "no algorithm specified; "
+ "defaulting to %s\n", algname);
+ }
+
if (strcasecmp(algname, "RSA") == 0) {
fprintf(stderr, "The use of RSA (RSAMD5) is not recommended.\n"
"If you still wish to use RSA (RSAMD5) please "
@@ -203,6 +367,15 @@ main(int argc, char **argv) {
options |= DST_TYPE_KEY;
}
+ if (use_nsec3 &&
+ alg != DST_ALG_NSEC3DSA && alg != DST_ALG_NSEC3RSASHA1 &&
+ alg != DST_ALG_RSASHA256 && alg != DST_ALG_RSASHA512 &&
+ alg != DST_ALG_ECCGOST &&
+ alg != DST_ALG_ECDSA256 && alg != DST_ALG_ECDSA384) {
+ fatal("%s is incompatible with NSEC3; "
+ "do not use the -3 option", algname);
+ }
+
if (type != NULL && (options & DST_TYPE_KEY) != 0) {
if (strcasecmp(type, "NOAUTH") == 0)
flags |= DNS_KEYTYPE_NOAUTH;
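Review bot: The NSEC3 compatibility test guarding `fatal("%s is incompatible with NSEC3; " ...)` is an allow-list written as a chain of `!=` comparisons, and nothing in the code says so. Any algorithm added to the tool later will be rejected under `-3` until this condition is extended, which is the safe direction but easy to miss. A comment above the `if` would make that explicit, for example `/* Allow-list of NSEC3-capable algorithms; extend it when a new DNSSEC algorithm is supported. */`. main() continues outside the hunk.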
@@ -236,10 +409,15 @@ main(int argc, char **argv) {
rdclass = strtoclass(classname);
+ if (directory == NULL)
+ directory = ".";
+
if ((options & DST_TYPE_KEY) != 0) /* KEY */
flags |= signatory;
- else if ((flags & DNS_KEYOWNER_ZONE) != 0) /* DNSKEY */
- flags |= ksk;
+ else if ((flags & DNS_KEYOWNER_ZONE) != 0) { /* DNSKEY */
+ flags |= kskflag;
+ flags |= revflag;
+ }
if (protocol == -1)
protocol = DNS_KEYPROTO_DNSSEC;
@@ -262,7 +440,7 @@ main(int argc, char **argv) {
isc_buffer_init(&buf, argv[isc_commandline_index],
strlen(argv[isc_commandline_index]));
isc_buffer_add(&buf, strlen(argv[isc_commandline_index]));
- ret = dns_name_fromtext(name, &buf, dns_rootname, ISC_FALSE, NULL);
+ ret = dns_name_fromtext(name, &buf, dns_rootname, 0, NULL);
if (ret != ISC_R_SUCCESS)
fatal("invalid key name %s: %s", argv[isc_commandline_index],
isc_result_totext(ret));
@@ -271,44 +449,101 @@ main(int argc, char **argv) {
/* associate the key */
ret = dst_key_fromlabel(name, alg, flags, protocol,
- rdclass, "", label, NULL, mctx, &key);
+ rdclass, engine, label, NULL, mctx, &key);
isc_entropy_stopcallbacksources(ectx);
if (ret != ISC_R_SUCCESS) {
char namestr[DNS_NAME_FORMATSIZE];
- char algstr[ALG_FORMATSIZE];
+ char algstr[DNS_SECALG_FORMATSIZE];
dns_name_format(name, namestr, sizeof(namestr));
- alg_format(alg, algstr, sizeof(algstr));
- fatal("failed to generate key %s/%s: %s\n",
+ dns_secalg_format(alg, algstr, sizeof(algstr));
+ fatal("failed to get key %s/%s: %s\n",
namestr, algstr, isc_result_totext(ret));
+ /* NOTREACHED */
exit(-1);
}
/*
- * Try to read a key with the same name, alg and id from disk.
- * If there is one we must continue generating a new one
- * unless we were asked to generate a null key, in which
- * case we return failure.
+ * Set key timing metadata (unless using -C)
+ *
+ * Publish and activation dates are set to "now" by default, but
+ * can be overridden. Creation date is always set to "now".
*/
- ret = dst_key_fromfile(name, dst_key_id(key), alg,
- DST_TYPE_PRIVATE, NULL, mctx, &oldkey);
- /* do not overwrite an existing key */
- if (ret == ISC_R_SUCCESS) {
+ if (!oldstyle) {
+ dst_key_settime(key, DST_TIME_CREATED, now);
+
+ if (genonly && (setpub || setact))
+ fatal("cannot use -G together with -P or -A options");
+
+ if (setpub)
+ dst_key_settime(key, DST_TIME_PUBLISH, publish);
+ else if (setact)
+ dst_key_settime(key, DST_TIME_PUBLISH, activate);
+ else if (!genonly && !unsetpub)
+ dst_key_settime(key, DST_TIME_PUBLISH, now);
+
+ if (setact)
+ dst_key_settime(key, DST_TIME_ACTIVATE, activate);
+ else if (!genonly && !unsetact)
+ dst_key_settime(key, DST_TIME_ACTIVATE, now);
+
+ if (setrev) {
+ if (kskflag == 0)
+ fprintf(stderr, "%s: warning: Key is "
+ "not flagged as a KSK, but -R "
+ "was used. Revoking a ZSK is "
+ "legal, but undefined.\n",
+ program);
+ dst_key_settime(key, DST_TIME_REVOKE, revoke);
+ }
+
+ if (setinact)
+ dst_key_settime(key, DST_TIME_INACTIVE, inactive);
+
+ if (setdel)
+ dst_key_settime(key, DST_TIME_DELETE, delete);
+ } else {
+ if (setpub || setact || setrev || setinact ||
+ setdel || unsetpub || unsetact ||
+ unsetrev || unsetinact || unsetdel || genonly)
+ fatal("cannot use -C together with "
+ "-P, -A, -R, -I, -D, or -G options");
+ /*
+ * Compatibility mode: Private-key-format
+ * should be set to 1.2.
+ */
+ dst_key_setprivateformat(key, 1, 2);
+ }
+
+ /*
+ * Do not overwrite an existing key. Warn LOUDLY if there
+ * is a risk of ID collision due to this key or another key
+ * being revoked.
+ */
+ if (key_collision(key, name, directory, mctx, &exact)) {
isc_buffer_clear(&buf);
- ret = dst_key_buildfilename(key, 0, NULL, &buf);
+ ret = dst_key_buildfilename(key, 0, directory, &buf);
if (ret != ISC_R_SUCCESS)
fatal("dst_key_buildfilename returned: %s\n",
isc_result_totext(ret));
- fprintf(stderr, "%s: %s already exists\n",
- program, filename);
- dst_key_free(&key);
- exit (1);
+ if (exact)
+ fatal("%s: %s already exists\n", program, filename);
+
+ if (avoid_collisions)
+ fatal("%s: %s could collide with another key upon "
+ "revokation\n", program, filename);
+
+ fprintf(stderr, "%s: WARNING: Key %s could collide with "
+ "another key upon revokation. If you plan "
+ "to revoke keys, destroy this key and "
+ "generate a different one.\n",
+ program, filename);
}
- ret = dst_key_tofile(key, options, NULL);
+ ret = dst_key_tofile(key, options, directory);
if (ret != ISC_R_SUCCESS) {
- char keystr[KEY_FORMATSIZE];
- key_format(key, keystr, sizeof(keystr));
+ char keystr[DST_KEY_FORMATSIZE];
+ dst_key_format(key, keystr, sizeof(keystr));
fatal("failed to write key %s: %s\n", keystr,
isc_result_totext(ret));
}
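Review bot: The option-conflict checks in the new timing block (`cannot use -G together with -P or -A options`, and the `-C` check in the `else` branch) run only after `dst_key_fromlabel()` has returned, so a command line that can never succeed presumably still reaches the crypto engine first. They depend only on flags set during option parsing and could move up next to the argument-count checks. Both collision messages misspell the word: `"revokation\n"` should be `"revocation\n"`, and `"another key upon revokation. If you plan "` likewise. The new `fatal("%s: %s already exists\n", program, filename)` and the `fatal()` after it pass `program` and a trailing `\n`, unlike `fatal("-P specified more than once")`; if `fatal()` already adds the program name and a newline (its definition is not in this diff), both are doubled. main() begins and ends outside the hunk.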
@@ -327,7 +562,11 @@ main(int argc, char **argv) {
dns_name_destroy();
if (verbose > 10)
isc_mem_stats(mctx, stdout);
+ isc_mem_free(mctx, label);
isc_mem_destroy(&mctx);
+ if (freeit != NULL)
+ free(freeit);
+
return (0);
}
diff --git a/contrib/bind9/bin/dnssec/dnssec-keyfromlabel.docbook b/contrib/bind9/bin/dnssec/dnssec-keyfromlabel.docbook
index 021a83c55451..4662e870a8ef 100644
--- a/contrib/bind9/bin/dnssec/dnssec-keyfromlabel.docbook
+++ b/contrib/bind9/bin/dnssec/dnssec-keyfromlabel.docbook
@@ -2,7 +2,7 @@
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- - Copyright (C) 2008, 2010, 2012 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2008-2012 Internet Systems Consortium, Inc. ("ISC")
-
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
@@ -17,7 +17,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id$ -->
+<!-- $Id: dnssec-keyfromlabel.docbook,v 1.18.14.2 2011/02/28 01:19:58 tbox Exp $ -->
<refentry id="man.dnssec-keyfromlabel">
<refentryinfo>
<date>February 8, 2008</date>
@@ -37,7 +37,9 @@
<docinfo>
<copyright>
<year>2008</year>
+ <year>2009</year>
<year>2010</year>
+ <year>2011</year>
<year>2012</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
@@ -46,15 +48,25 @@
<refsynopsisdiv>
<cmdsynopsis>
<command>dnssec-keyfromlabel</command>
- <arg choice="req">-a <replaceable class="parameter">algorithm</replaceable></arg>
<arg choice="req">-l <replaceable class="parameter">label</replaceable></arg>
+ <arg><option>-3</option></arg>
+ <arg><option>-a <replaceable class="parameter">algorithm</replaceable></option></arg>
+ <arg><option>-A <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
+ <arg><option>-D <replaceable class="parameter">date/offset</replaceable></option></arg>
+ <arg><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
<arg><option>-f <replaceable class="parameter">flag</replaceable></option></arg>
+ <arg><option>-G</option></arg>
+ <arg><option>-I <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-k</option></arg>
+ <arg><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
<arg><option>-n <replaceable class="parameter">nametype</replaceable></option></arg>
+ <arg><option>-P <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-p <replaceable class="parameter">protocol</replaceable></option></arg>
+ <arg><option>-R <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-t <replaceable class="parameter">type</replaceable></option></arg>
<arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
+ <arg><option>-y</option></arg>
<arg choice="req">name</arg>
</cmdsynopsis>
</refsynopsisdiv>
@@ -66,6 +78,11 @@
key files for DNSSEC (Secure DNS), as defined in RFC 2535
and RFC 4034.
</para>
+ <para>
+ The <option>name</option> of the key is specified on the command
+ line. This must match the name of the zone for which the key is
+ being generated.
+ </para>
</refsect1>
<refsect1>
@@ -77,9 +94,9 @@
<listitem>
<para>
Selects the cryptographic algorithm. The value of
- <option>algorithm</option> must be one of RSAMD5,
- RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256,
- RSASHA512 or DH (Diffie Hellman).
+ <option>algorithm</option> must be one of RSAMD5, RSASHA1,
+ DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
+ ECDSAP256SHA256 or ECDSAP384SHA384.
These values are case insensitive.
</para>
<para>
@@ -100,11 +117,34 @@
</varlistentry>
<varlistentry>
+ <term>-3</term>
+ <listitem>
+ <para>
+ Use an NSEC3-capable algorithm to generate a DNSSEC key.
+ If this option is used and no algorithm is explicitly
+ set on the command line, NSEC3RSASHA1 will be used by
+ default.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-E <replaceable class="parameter">engine</replaceable></term>
+ <listitem>
+ <para>
+ Specifies the name of the crypto hardware (OpenSSL engine).
+ When compiled with PKCS#11 support it defaults to "pkcs11".
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term>-l <replaceable class="parameter">label</replaceable></term>
<listitem>
<para>
- Specifies the label of keys in the crypto hardware
- (PKCS#11 device).
+ Specifies the label of the key pair in the crypto hardware.
+ The label may be preceded by an optional OpenSSL engine name,
+ separated by a colon, as in "pkcs11:keylabel".
</para>
</listitem>
</varlistentry>
@@ -118,8 +158,22 @@
zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
a host (KEY)),
USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
- These values are
- case insensitive.
+ These values are case insensitive.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-C</term>
+ <listitem>
+ <para>
+ Compatibility mode: generates an old-style key, without
+ any metadata. By default, <command>dnssec-keyfromlabel</command>
+ will include the key's creation date in the metadata stored
+ with the private key, and other dates may be set there as well
+ (publication date, activation date, etc). Keys that include
+ this data may be incompatible with older versions of BIND; the
+ <option>-C</option> option suppresses them.
</para>
</listitem>
</varlistentry>
@@ -139,7 +193,17 @@
<listitem>
<para>
Set the specified flag in the flag field of the KEY/DNSKEY record.
- The only recognized flag is KSK (Key Signing Key) DNSKEY.
+ The only recognized flags are KSK (Key Signing Key) and REVOKE.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-G</term>
+ <listitem>
+ <para>
+ Generate a key, but do not publish it or sign with it. This
+ option is incompatible with -P and -A.
</para>
</listitem>
</varlistentry>
@@ -149,7 +213,16 @@
<listitem>
<para>
Prints a short summary of the options and arguments to
- <command>dnssec-keygen</command>.
+ <command>dnssec-keyfromlabel</command>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-K <replaceable class="parameter">directory</replaceable></term>
+ <listitem>
+ <para>
+ Sets the directory in which the key files are to be written.
</para>
</listitem>
</varlistentry>
@@ -167,7 +240,7 @@
<term>-p <replaceable class="parameter">protocol</replaceable></term>
<listitem>
<para>
- Sets the protocol value for the generated key. The protocol
+ Sets the protocol value for the key. The protocol
is a number between 0 and 255. The default is 3 (DNSSEC).
Other possible values for this argument are listed in
RFC 2535 and its successors.
@@ -196,6 +269,93 @@
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>-y</term>
+ <listitem>
+ <para>
+ Allows DNSSEC key files to be generated even if the key ID
+ would collide with that of an existing key, in the event of
+ either key being revoked. (This is only safe to use if you
+ are sure you won't be using RFC 5011 trust anchor maintenance
+ with either of the keys involved.)
+ </para>
+ </listitem>
+ </varlistentry>
+
+ </variablelist>
+ </refsect1>
+
+ <refsect1>
+ <title>TIMING OPTIONS</title>
+
+ <para>
+ Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
+ If the argument begins with a '+' or '-', it is interpreted as
+ an offset from the present time. For convenience, if such an offset
+ is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
+ then the offset is computed in years (defined as 365 24-hour days,
+ ignoring leap years), months (defined as 30 24-hour days), weeks,
+ days, hours, or minutes, respectively. Without a suffix, the offset
+ is computed in seconds.
+ </para>
+
+ <variablelist>
+ <varlistentry>
+ <term>-P <replaceable class="parameter">date/offset</replaceable></term>
+ <listitem>
+ <para>
+ Sets the date on which a key is to be published to the zone.
+ After that date, the key will be included in the zone but will
+ not be used to sign it. If not set, and if the -G option has
+ not been used, the default is "now".
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-A <replaceable class="parameter">date/offset</replaceable></term>
+ <listitem>
+ <para>
+ Sets the date on which the key is to be activated. After that
+ date, the key will be included in the zone and used to sign
+ it. If not set, and if the -G option has not been used, the
+ default is "now".
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-R <replaceable class="parameter">date/offset</replaceable></term>
+ <listitem>
+ <para>
+ Sets the date on which the key is to be revoked. After that
+ date, the key will be flagged as revoked. It will be included
+ in the zone and will be used to sign it.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-I <replaceable class="parameter">date/offset</replaceable></term>
+ <listitem>
+ <para>
+ Sets the date on which the key is to be retired. After that
+ date, the key will still be included in the zone, but it
+ will not be used to sign it.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-D <replaceable class="parameter">date/offset</replaceable></term>
+ <listitem>
+ <para>
+ Sets the date on which the key is to be deleted. After that
+ date, the key will no longer be included in the zone. (It
+ may remain in the key repository, however.)
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</refsect1>
@@ -215,8 +375,7 @@
</listitem>
<listitem>
<para><filename>aaa</filename> is the numeric representation
- of the
- algorithm.
+ of the algorithm.
</para>
</listitem>
<listitem>
@@ -230,8 +389,7 @@
on the printed string. <filename>Knnnn.+aaa+iiiii.key</filename>
contains the public key, and
<filename>Knnnn.+aaa+iiiii.private</filename> contains the
- private
- key.
+ private key.
</para>
<para>
The <filename>.key</filename> file contains a DNS KEY record
@@ -240,8 +398,8 @@
statement).
</para>
<para>
- The <filename>.private</filename> file contains algorithm
- specific
+ The <filename>.private</filename> file contains
+ algorithm-specific
fields. For obvious security reasons, this file does not have
general read permission.
</para>
diff --git a/contrib/bind9/bin/dnssec/dnssec-keyfromlabel.html b/contrib/bind9/bin/dnssec/dnssec-keyfromlabel.html
index e7440e42a95b..0fa3affa277b 100644
--- a/contrib/bind9/bin/dnssec/dnssec-keyfromlabel.html
+++ b/contrib/bind9/bin/dnssec/dnssec-keyfromlabel.html
@@ -1,5 +1,5 @@
<!--
- - Copyright (C) 2008, 2010, 2012 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2008-2012 Internet Systems Consortium, Inc. ("ISC")
-
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
@@ -28,26 +28,31 @@
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">dnssec-keyfromlabel</code> {-a <em class="replaceable"><code>algorithm</code></em>} {-l <em class="replaceable"><code>label</code></em>} [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-k</code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {name}</p></div>
+<div class="cmdsynopsis"><p><code class="command">dnssec-keyfromlabel</code> {-l <em class="replaceable"><code>label</code></em>} [<code class="option">-3</code>] [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-k</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-y</code>] {name}</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543419"></a><h2>DESCRIPTION</h2>
+<a name="id2543498"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-keyfromlabel</strong></span>
gets keys with the given label from a crypto hardware and builds
key files for DNSSEC (Secure DNS), as defined in RFC 2535
and RFC 4034.
</p>
+<p>
+ The <code class="option">name</code> of the key is specified on the command
+ line. This must match the name of the zone for which the key is
+ being generated.
+ </p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543431"></a><h2>OPTIONS</h2>
+<a name="id2543516"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd>
<p>
Selects the cryptographic algorithm. The value of
- <code class="option">algorithm</code> must be one of RSAMD5,
- RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256,
- RSASHA512 or DH (Diffie Hellman).
+ <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
+ DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
+ ECDSAP256SHA256 or ECDSAP384SHA384.
These values are case insensitive.
</p>
<p>
@@ -65,10 +70,23 @@
Note 2: DH automatically sets the -k flag.
</p>
</dd>
+<dt><span class="term">-3</span></dt>
+<dd><p>
+ Use an NSEC3-capable algorithm to generate a DNSSEC key.
+ If this option is used and no algorithm is explicitly
+ set on the command line, NSEC3RSASHA1 will be used by
+ default.
+ </p></dd>
+<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
+<dd><p>
+ Specifies the name of the crypto hardware (OpenSSL engine).
+ When compiled with PKCS#11 support it defaults to "pkcs11".
+ </p></dd>
<dt><span class="term">-l <em class="replaceable"><code>label</code></em></span></dt>
<dd><p>
- Specifies the label of keys in the crypto hardware
- (PKCS#11 device).
+ Specifies the label of the key pair in the crypto hardware.
+ The label may be preceded by an optional OpenSSL engine name,
+ separated by a colon, as in "pkcs11:keylabel".
</p></dd>
<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
<dd><p>
@@ -77,8 +95,17 @@
zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
a host (KEY)),
USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
- These values are
- case insensitive.
+ These values are case insensitive.
+ </p></dd>
+<dt><span class="term">-C</span></dt>
+<dd><p>
+ Compatibility mode: generates an old-style key, without
+ any metadata. By default, <span><strong class="command">dnssec-keyfromlabel</strong></span>
+ will include the key's creation date in the metadata stored
+ with the private key, and other dates may be set there as well
+ (publication date, activation date, etc). Keys that include
+ this data may be incompatible with older versions of BIND; the
+ <code class="option">-C</code> option suppresses them.
</p></dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>
@@ -88,12 +115,21 @@
<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
<dd><p>
Set the specified flag in the flag field of the KEY/DNSKEY record.
- The only recognized flag is KSK (Key Signing Key) DNSKEY.
+ The only recognized flags are KSK (Key Signing Key) and REVOKE.
+ </p></dd>
+<dt><span class="term">-G</span></dt>
+<dd><p>
+ Generate a key, but do not publish it or sign with it. This
+ option is incompatible with -P and -A.
</p></dd>
<dt><span class="term">-h</span></dt>
<dd><p>
Prints a short summary of the options and arguments to
- <span><strong class="command">dnssec-keygen</strong></span>.
+ <span><strong class="command">dnssec-keyfromlabel</strong></span>.
+ </p></dd>
+<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
+<dd><p>
+ Sets the directory in which the key files are to be written.
</p></dd>
<dt><span class="term">-k</span></dt>
<dd><p>
@@ -101,7 +137,7 @@
</p></dd>
<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
<dd><p>
- Sets the protocol value for the generated key. The protocol
+ Sets the protocol value for the key. The protocol
is a number between 0 and 255. The default is 3 (DNSSEC).
Other possible values for this argument are listed in
RFC 2535 and its successors.
@@ -117,10 +153,65 @@
<dd><p>
Sets the debugging level.
</p></dd>
+<dt><span class="term">-y</span></dt>
+<dd><p>
+ Allows DNSSEC key files to be generated even if the key ID
+ would collide with that of an existing key, in the event of
+ either key being revoked. (This is only safe to use if you
+ are sure you won't be using RFC 5011 trust anchor maintenance
+ with either of the keys involved.)
+ </p></dd>
+</dl></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543880"></a><h2>TIMING OPTIONS</h2>
+<p>
+ Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
+ If the argument begins with a '+' or '-', it is interpreted as
+ an offset from the present time. For convenience, if such an offset
+ is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
+ then the offset is computed in years (defined as 365 24-hour days,
+ ignoring leap years), months (defined as 30 24-hour days), weeks,
+ days, hours, or minutes, respectively. Without a suffix, the offset
+ is computed in seconds.
+ </p>
+<div class="variablelist"><dl>
+<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
+<dd><p>
+ Sets the date on which a key is to be published to the zone.
+ After that date, the key will be included in the zone but will
+ not be used to sign it. If not set, and if the -G option has
+ not been used, the default is "now".
+ </p></dd>
+<dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
+<dd><p>
+ Sets the date on which the key is to be activated. After that
+ date, the key will be included in the zone and used to sign
+ it. If not set, and if the -G option has not been used, the
+ default is "now".
+ </p></dd>
+<dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
+<dd><p>
+ Sets the date on which the key is to be revoked. After that
+ date, the key will be flagged as revoked. It will be included
+ in the zone and will be used to sign it.
+ </p></dd>
+<dt><span class="term">-I <em class="replaceable"><code>date/offset</code></em></span></dt>
+<dd><p>
+ Sets the date on which the key is to be retired. After that
+ date, the key will still be included in the zone, but it
+ will not be used to sign it.
+ </p></dd>
+<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
+<dd><p>
+ Sets the date on which the key is to be deleted. After that
+ date, the key will no longer be included in the zone. (It
+ may remain in the key repository, however.)
+ </p></dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543635"></a><h2>GENERATED KEY FILES</h2>
+<a name="id2544046"></a><h2>GENERATED KEY FILES</h2>
<p>
When <span><strong class="command">dnssec-keyfromlabel</strong></span> completes
successfully,
@@ -132,8 +223,7 @@
<li><p><code class="filename">nnnn</code> is the key name.
</p></li>
<li><p><code class="filename">aaa</code> is the numeric representation
- of the
- algorithm.
+ of the algorithm.
</p></li>
<li><p><code class="filename">iiiii</code> is the key identifier (or
footprint).
@@ -144,8 +234,7 @@
on the printed string. <code class="filename">Knnnn.+aaa+iiiii.key</code>
contains the public key, and
<code class="filename">Knnnn.+aaa+iiiii.private</code> contains the
- private
- key.
+ private key.
</p>
<p>
The <code class="filename">.key</code> file contains a DNS KEY record
@@ -154,14 +243,14 @@
statement).
</p>
<p>
- The <code class="filename">.private</code> file contains algorithm
- specific
+ The <code class="filename">.private</code> file contains
+ algorithm-specific
fields. For obvious security reasons, this file does not have
general read permission.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543707"></a><h2>SEE ALSO</h2>
+<a name="id2544119"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
@@ -169,7 +258,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543740"></a><h2>AUTHOR</h2>
+<a name="id2544152"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
diff --git a/contrib/bind9/bin/dnssec/dnssec-keygen.8 b/contrib/bind9/bin/dnssec/dnssec-keygen.8
index d94ce4f83808..689f23df4edb 100644
--- a/contrib/bind9/bin/dnssec/dnssec-keygen.8
+++ b/contrib/bind9/bin/dnssec/dnssec-keygen.8
@@ -33,11 +33,11 @@
dnssec\-keygen \- DNSSEC key generation tool
.SH "SYNOPSIS"
.HP 14
-\fBdnssec\-keygen\fR {\-a\ \fIalgorithm\fR} {\-b\ \fIkeysize\fR} {\-n\ \fInametype\fR} [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-e\fR] [\fB\-f\ \fR\fB\fIflag\fR\fR] [\fB\-g\ \fR\fB\fIgenerator\fR\fR] [\fB\-h\fR] [\fB\-k\fR] [\fB\-p\ \fR\fB\fIprotocol\fR\fR] [\fB\-r\ \fR\fB\fIrandomdev\fR\fR] [\fB\-s\ \fR\fB\fIstrength\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] {name}
+\fBdnssec\-keygen\fR [\fB\-a\ \fR\fB\fIalgorithm\fR\fR] [\fB\-b\ \fR\fB\fIkeysize\fR\fR] [\fB\-n\ \fR\fB\fInametype\fR\fR] [\fB\-3\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-C\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-e\fR] [\fB\-f\ \fR\fB\fIflag\fR\fR] [\fB\-G\fR] [\fB\-g\ \fR\fB\fIgenerator\fR\fR] [\fB\-h\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-k\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-p\ \fR\fB\fIprotocol\fR\fR] [\fB\-q\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-r\ \fR\fB\fIrandomdev\fR\fR] [\fB\-S\ \fR\fB\fIkey\fR\fR] [\fB\-s\ \fR\fB\fIstrength\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-z\fR] {name}
.SH "DESCRIPTION"
.PP
\fBdnssec\-keygen\fR
-generates keys for DNSSEC (Secure DNS), as defined in RFC 2535 and RFC 4034. It can also generate keys for use with TSIG (Transaction Signatures), as defined in RFC 2845.
+generates keys for DNSSEC (Secure DNS), as defined in RFC 2535 and RFC 4034. It can also generate keys for use with TSIG (Transaction Signatures) as defined in RFC 2845, or TKEY (Transaction Key) as defined in RFC 2930.
.PP
The
\fBname\fR
@@ -48,16 +48,28 @@ of the key is specified on the command line. For DNSSEC keys, this must match th
.RS 4
Selects the cryptographic algorithm. For DNSSEC keys, the value of
\fBalgorithm\fR
-must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256 or RSASHA512. For TSIG/TKEY, the value must be DH (Diffie Hellman), HMAC\-MD5, HMAC\-SHA1, HMAC\-SHA224, HMAC\-SHA256, HMAC\-SHA384, or HMAC\-SHA512. These values are case insensitive.
+must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST, ECDSAP256SHA256 or ECDSAP384SHA384. For TSIG/TKEY, the value must be DH (Diffie Hellman), HMAC\-MD5, HMAC\-SHA1, HMAC\-SHA224, HMAC\-SHA256, HMAC\-SHA384, or HMAC\-SHA512. These values are case insensitive.
+.sp
+If no algorithm is specified, then RSASHA1 will be used by default, unless the
+\fB\-3\fR
+option is specified, in which case NSEC3RSASHA1 will be used instead. (If
+\fB\-3\fR
+is used and an algorithm is specified, that algorithm will be checked for compatibility with NSEC3.)
.sp
Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement algorithm, and DSA is recommended. For TSIG, HMAC\-MD5 is mandatory.
.sp
-Note 2: HMAC\-MD5 and DH automatically set the \-k flag.
+Note 2: DH, HMAC\-MD5, and HMAC\-SHA1 through HMAC\-SHA512 automatically set the \-T KEY option.
.RE
.PP
\-b \fIkeysize\fR
.RS 4
-Specifies the number of bits in the key. The choice of key size depends on the algorithm used. RSA keys must be between 512 and 2048 bits. Diffie Hellman keys must be between 128 and 4096 bits. DSA keys must be between 512 and 1024 bits and an exact multiple of 64. HMAC keys must be between 1 and 512 bits.
+Specifies the number of bits in the key. The choice of key size depends on the algorithm used. RSA keys must be between 512 and 2048 bits. Diffie Hellman keys must be between 128 and 4096 bits. DSA keys must be between 512 and 1024 bits and an exact multiple of 64. HMAC keys must be between 1 and 512 bits. Elliptic curve algorithms don't need this parameter.
+.sp
+The key size does not need to be specified if using a default algorithm. The default key size is 1024 bits for zone signing keys (ZSK's) and 2048 bits for key signing keys (KSK's, generated with
+\fB\-f KSK\fR). However, if an algorithm is explicitly specified with the
+\fB\-a\fR, then there is no default key size, and the
+\fB\-b\fR
+must be used.
.RE
.PP
\-n \fInametype\fR
@@ -67,11 +79,30 @@ Specifies the owner type of the key. The value of
must either be ZONE (for a DNSSEC zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with a host (KEY)), USER (for a key associated with a user(KEY)) or OTHER (DNSKEY). These values are case insensitive. Defaults to ZONE for DNSKEY generation.
.RE
.PP
+\-3
+.RS 4
+Use an NSEC3\-capable algorithm to generate a DNSSEC key. If this option is used and no algorithm is explicitly set on the command line, NSEC3RSASHA1 will be used by default. Note that RSASHA256, RSASHA512, ECCGOST, ECDSAP256SHA256 and ECDSAP384SHA384 algorithms are NSEC3\-capable.
+.RE
+.PP
+\-C
+.RS 4
+Compatibility mode: generates an old\-style key, without any metadata. By default,
+\fBdnssec\-keygen\fR
+will include the key's creation date in the metadata stored with the private key, and other dates may be set there as well (publication date, activation date, etc). Keys that include this data may be incompatible with older versions of BIND; the
+\fB\-C\fR
+option suppresses them.
+.RE
+.PP
\-c \fIclass\fR
.RS 4
Indicates that the DNS record containing the key should have the specified class. If not specified, class IN is used.
.RE
.PP
+\-E \fIengine\fR
+.RS 4
+Uses a crypto hardware (OpenSSL engine) for random number and, when supported, key generation. When compiled with PKCS#11 support it defaults to pkcs11; the empty name resets it to no engine.
+.RE
+.PP
\-e
.RS 4
If generating an RSAMD5/RSASHA1 key, use a large exponent.
@@ -79,7 +110,12 @@ If generating an RSAMD5/RSASHA1 key, use a large exponent.
.PP
\-f \fIflag\fR
.RS 4
-Set the specified flag in the flag field of the KEY/DNSKEY record. The only recognized flag is KSK (Key Signing Key) DNSKEY.
+Set the specified flag in the flag field of the KEY/DNSKEY record. The only recognized flags are KSK (Key Signing Key) and REVOKE.
+.RE
+.PP
+\-G
+.RS 4
+Generate a key, but do not publish it or sign with it. This option is incompatible with \-P and \-A.
.RE
.PP
\-g \fIgenerator\fR
@@ -93,9 +129,14 @@ Prints a short summary of the options and arguments to
\fBdnssec\-keygen\fR.
.RE
.PP
+\-K \fIdirectory\fR
+.RS 4
+Sets the directory in which the key files are to be written.
+.RE
+.PP
\-k
.RS 4
-Generate KEY records rather than DNSKEY records.
+Deprecated in favor of \-T KEY.
.RE
.PP
\-p \fIprotocol\fR
@@ -103,6 +144,15 @@ Generate KEY records rather than DNSKEY records.
Sets the protocol value for the generated key. The protocol is a number between 0 and 255. The default is 3 (DNSSEC). Other possible values for this argument are listed in RFC 2535 and its successors.
.RE
.PP
+\-q
+.RS 4
+Quiet mode: Suppresses unnecessary output, including progress indication. Without this option, when
+\fBdnssec\-keygen\fR
+is run interactively to generate an RSA or DSA key pair, it will print a string of symbols to
+\fIstderr\fR
+indicating the progress of the key generation. A '.' indicates that a random number has been found which passed an initial sieve test; '+' means a number has passed a single round of the Miller\-Rabin primality test; a space means that the number has passed all the tests and is a satisfactory key.
+.RE
+.PP
\-r \fIrandomdev\fR
.RS 4
Specifies the source of randomness. If the operating system does not provide a
@@ -114,11 +164,24 @@ specifies the name of a character device or file containing random data to be us
indicates that keyboard input should be used.
.RE
.PP
+\-S \fIkey\fR
+.RS 4
+Create a new key which is an explicit successor to an existing key. The name, algorithm, size, and type of the key will be set to match the existing key. The activation date of the new key will be set to the inactivation date of the existing one. The publication date will be set to the activation date minus the prepublication interval, which defaults to 30 days.
+.RE
+.PP
\-s \fIstrength\fR
.RS 4
Specifies the strength value of the key. The strength is a number between 0 and 15, and currently has no defined purpose in DNSSEC.
.RE
.PP
+\-T \fIrrtype\fR
+.RS 4
+Specifies the resource record type to use for the key.
+\fBrrtype\fR
+must be either DNSKEY or KEY. The default is DNSKEY when using a DNSSEC algorithm, but it can be overridden to KEY for use with SIG(0).
+Using any TSIG algorithm (HMAC\-* or DH) forces this option to KEY.
+.RE
+.PP
\-t \fItype\fR
.RS 4
Indicates the use of the key.
@@ -130,6 +193,43 @@ must be one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default is AUTHCONF.
.RS 4
Sets the debugging level.
.RE
+.SH "TIMING OPTIONS"
+.PP
+Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '\-', it is interpreted as an offset from the present time. For convenience, if such an offset is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the offset is computed in years (defined as 365 24\-hour days, ignoring leap years), months (defined as 30 24\-hour days), weeks, days, hours, or minutes, respectively. Without a suffix, the offset is computed in seconds.
+.PP
+\-P \fIdate/offset\fR
+.RS 4
+Sets the date on which a key is to be published to the zone. After that date, the key will be included in the zone but will not be used to sign it. If not set, and if the \-G option has not been used, the default is "now".
+.RE
+.PP
+\-A \fIdate/offset\fR
+.RS 4
+Sets the date on which the key is to be activated. After that date, the key will be included in the zone and used to sign it. If not set, and if the \-G option has not been used, the default is "now".
+.RE
+.PP
+\-R \fIdate/offset\fR
+.RS 4
+Sets the date on which the key is to be revoked. After that date, the key will be flagged as revoked. It will be included in the zone and will be used to sign it.
+.RE
+.PP
+\-I \fIdate/offset\fR
+.RS 4
+Sets the date on which the key is to be retired. After that date, the key will still be included in the zone, but it will not be used to sign it.
+.RE
+.PP
+\-D \fIdate/offset\fR
+.RS 4
+Sets the date on which the key is to be deleted. After that date, the key will no longer be included in the zone. (It may remain in the key repository, however.)
+.RE
+.PP
+\-i \fIinterval\fR
+.RS 4
+Sets the prepublication interval for a key. If set, then the publication and activation dates must be separated by at least this much time. If the activation date is specified but the publication date isn't, then the publication date will default to this much time before the activation date; conversely, if the publication date is specified but activation date isn't, then activation will be set to this much time after publication.
+.sp
+If the key is being created as an explicit successor to another key, then the default prepublication interval is 30 days; otherwise it is zero.
+.sp
+As with date offsets, if the argument is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the interval is measured in years, months, weeks, days, hours, or minutes, respectively. Without a suffix, the interval is measured in seconds.
+.RE
.SH "GENERATED KEYS"
.PP
When
diff --git a/contrib/bind9/bin/dnssec/dnssec-keygen.c b/contrib/bind9/bin/dnssec/dnssec-keygen.c
index feef3b3d84dc..8af100c7bdea 100644
--- a/contrib/bind9/bin/dnssec/dnssec-keygen.c
+++ b/contrib/bind9/bin/dnssec/dnssec-keygen.c
@@ -1,5 +1,5 @@
/*
- * Portions Copyright (C) 2004-2008, 2010-2012 Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
* Portions Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -29,13 +29,15 @@
* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: dnssec-keygen.c,v 1.115.14.4 2011/11/30 00:51:38 marka Exp $ */
/*! \file */
#include <config.h>
+#include <ctype.h>
#include <stdlib.h>
+#include <unistd.h>
#include <isc/buffer.h>
#include <isc/commandline.h>
@@ -45,6 +47,7 @@
#include <isc/string.h>
#include <isc/util.h>
+#include <dns/dnssec.h>
#include <dns/fixedname.h>
#include <dns/keyvalues.h>
#include <dns/log.h>
@@ -62,107 +65,228 @@
const char *program = "dnssec-keygen";
int verbose;
-static const char *algs = "RSA | RSAMD5 | DH | DSA | RSASHA1 | RSASHA256 |"
- " RSASHA512 | NSEC3DSA | NSEC3RSASHA1 | HMAC-MD5 |"
- " HMAC-SHA1 | HMAC-SHA224 | HMAC-SHA256 |"
- " HMAC-SHA384 | HMAC-SHA512";
-
-static isc_boolean_t
-dsa_size_ok(int size) {
- return (ISC_TF(size >= 512 && size <= 1024 && size % 64 == 0));
-}
+#define DEFAULT_ALGORITHM "RSASHA1"
+#define DEFAULT_NSEC3_ALGORITHM "NSEC3RSASHA1"
ISC_PLATFORM_NORETURN_PRE static void
usage(void) ISC_PLATFORM_NORETURN_POST;
+static void progress(int p);
+
static void
usage(void) {
fprintf(stderr, "Usage:\n");
- fprintf(stderr, " %s -a alg -b bits [-n type] [options] name\n\n",
- program);
+ fprintf(stderr, " %s [options] name\n\n", program);
fprintf(stderr, "Version: %s\n", VERSION);
- fprintf(stderr, "Required options:\n");
- fprintf(stderr, " -a algorithm: %s\n", algs);
- fprintf(stderr, " -b key size, in bits:\n");
- fprintf(stderr, " RSAMD5:\t\t[512..%d]\n", MAX_RSA);
- fprintf(stderr, " RSASHA1:\t\t[512..%d]\n", MAX_RSA);
- fprintf(stderr, " NSEC3RSASHA1:\t\t[512..%d]\n", MAX_RSA);
- fprintf(stderr, " RSASHA256:\t[512..%d]\n", MAX_RSA);
- fprintf(stderr, " RSASHA512:\t[1024..%d]\n", MAX_RSA);
+ fprintf(stderr, " name: owner of the key\n");
+ fprintf(stderr, "Options:\n");
+ fprintf(stderr, " -K <directory>: write keys into directory\n");
+ fprintf(stderr, " -a <algorithm>:\n");
+ fprintf(stderr, " RSA | RSAMD5 | DSA | RSASHA1 | NSEC3RSASHA1"
+ " | NSEC3DSA |\n");
+ fprintf(stderr, " RSASHA256 | RSASHA512 | ECCGOST |\n");
+ fprintf(stderr, " ECDSAP256SHA256 | ECDSAP384SHA384 |\n");
+ fprintf(stderr, " DH | HMAC-MD5 | HMAC-SHA1 | HMAC-SHA224 | "
+ "HMAC-SHA256 | \n");
+ fprintf(stderr, " HMAC-SHA384 | HMAC-SHA512\n");
+ fprintf(stderr, " (default: RSASHA1, or "
+ "NSEC3RSASHA1 if using -3)\n");
+ fprintf(stderr, " -3: use NSEC3-capable algorithm\n");
+ fprintf(stderr, " -b <key size in bits>:\n");
+ fprintf(stderr, " RSAMD5:\t[512..%d]\n", MAX_RSA);
+ fprintf(stderr, " RSASHA1:\t[512..%d]\n", MAX_RSA);
+ fprintf(stderr, " NSEC3RSASHA1:\t[512..%d]\n", MAX_RSA);
+ fprintf(stderr, " RSASHA256:\t[512..%d]\n", MAX_RSA);
+ fprintf(stderr, " RSASHA512:\t[1024..%d]\n", MAX_RSA);
fprintf(stderr, " DH:\t\t[128..4096]\n");
fprintf(stderr, " DSA:\t\t[512..1024] and divisible by 64\n");
- fprintf(stderr, " NSEC3DSA:\t\t[512..1024] and divisible by 64\n");
+ fprintf(stderr, " NSEC3DSA:\t[512..1024] and divisible "
+ "by 64\n");
+ fprintf(stderr, " ECCGOST:\tignored\n");
+ fprintf(stderr, " ECDSAP256SHA256:\tignored\n");
+ fprintf(stderr, " ECDSAP384SHA384:\tignored\n");
fprintf(stderr, " HMAC-MD5:\t[1..512]\n");
fprintf(stderr, " HMAC-SHA1:\t[1..160]\n");
fprintf(stderr, " HMAC-SHA224:\t[1..224]\n");
fprintf(stderr, " HMAC-SHA256:\t[1..256]\n");
fprintf(stderr, " HMAC-SHA384:\t[1..384]\n");
fprintf(stderr, " HMAC-SHA512:\t[1..512]\n");
- fprintf(stderr, " -n nametype: ZONE | HOST | ENTITY | USER | OTHER\n");
- fprintf(stderr, " (DNSKEY generation defaults to ZONE\n");
- fprintf(stderr, " name: owner of the key\n");
- fprintf(stderr, "Other options:\n");
- fprintf(stderr, " -c <class> (default: IN)\n");
+ fprintf(stderr, " (if using the default algorithm, key size\n"
+ " defaults to 2048 for KSK, or 1024 for all "
+ "others)\n");
+ fprintf(stderr, " -n <nametype>: ZONE | HOST | ENTITY | "
+ "USER | OTHER\n");
+ fprintf(stderr, " (DNSKEY generation defaults to ZONE)\n");
+ fprintf(stderr, " -c <class>: (default: IN)\n");
fprintf(stderr, " -d <digest bits> (0 => max, default)\n");
- fprintf(stderr, " -e use large exponent (RSAMD5/RSASHA1 only)\n");
- fprintf(stderr, " -f keyflag: KSK\n");
- fprintf(stderr, " -g <generator> use specified generator "
- "(DH only)\n");
+#ifdef USE_PKCS11
+ fprintf(stderr, " -E <engine name> (default \"pkcs11\")\n");
+#else
+ fprintf(stderr, " -E <engine name>\n");
+#endif
+ fprintf(stderr, " -e: use large exponent (RSAMD5/RSASHA1 only)\n");
+ fprintf(stderr, " -f <keyflag>: KSK | REVOKE\n");
+ fprintf(stderr, " -g <generator>: use specified generator "
+ "(DH only)\n");
+ fprintf(stderr, " -p <protocol>: (default: 3 [dnssec])\n");
+ fprintf(stderr, " -s <strength>: strength value this key signs DNS "
+ "records with (default: 0)\n");
+ fprintf(stderr, " -T <rrtype>: DNSKEY | KEY (default: DNSKEY; "
+ "use KEY for SIG(0))\n");
+ fprintf(stderr, " ECCGOST:\tignored\n");
fprintf(stderr, " -t <type>: "
- "AUTHCONF | NOAUTHCONF | NOAUTH | NOCONF "
- "(default: AUTHCONF)\n");
- fprintf(stderr, " -p <protocol>: "
- "default: 3 [dnssec]\n");
- fprintf(stderr, " -s <strength> strength value this key signs DNS "
- "records with (default: 0)\n");
+ "AUTHCONF | NOAUTHCONF | NOAUTH | NOCONF "
+ "(default: AUTHCONF)\n");
fprintf(stderr, " -r <randomdev>: a file containing random data\n");
- fprintf(stderr, " -v <verbose level>\n");
- fprintf(stderr, " -k : generate a TYPE=KEY key\n");
+
+ fprintf(stderr, " -h: print usage and exit\n");
+ fprintf(stderr, " -m <memory debugging mode>:\n");
+ fprintf(stderr, " usage | trace | record | size | mctx\n");
+ fprintf(stderr, " -v <level>: set verbosity level (0 - 10)\n");
+ fprintf(stderr, "Timing options:\n");
+ fprintf(stderr, " -P date/[+-]offset/none: set key publication date "
+ "(default: now)\n");
+ fprintf(stderr, " -A date/[+-]offset/none: set key activation date "
+ "(default: now)\n");
+ fprintf(stderr, " -R date/[+-]offset/none: set key "
+ "revocation date\n");
+ fprintf(stderr, " -I date/[+-]offset/none: set key "
+ "inactivation date\n");
+ fprintf(stderr, " -D date/[+-]offset/none: set key deletion date\n");
+ fprintf(stderr, " -G: generate key only; do not set -P or -A\n");
+ fprintf(stderr, " -C: generate a backward-compatible key, omitting "
+ "all dates\n");
+ fprintf(stderr, " -S <key>: generate a successor to an existing "
+ "key\n");
+ fprintf(stderr, " -i <interval>: prepublication interval for "
+ "successor key "
+ "(default: 30 days)\n");
fprintf(stderr, "Output:\n");
fprintf(stderr, " K<name>+<alg>+<id>.key, "
- "K<name>+<alg>+<id>.private\n");
+ "K<name>+<alg>+<id>.private\n");
exit (-1);
}
+static isc_boolean_t
+dsa_size_ok(int size) {
+ return (ISC_TF(size >= 512 && size <= 1024 && size % 64 == 0));
+}
+
+static void
+progress(int p)
+{
+ char c = '*';
+
+ switch (p) {
+ case 0:
+ c = '.';
+ break;
+ case 1:
+ c = '+';
+ break;
+ case 2:
+ c = '*';
+ break;
+ case 3:
+ c = ' ';
+ break;
+ default:
+ break;
+ }
+ (void) putc(c, stderr);
+ (void) fflush(stderr);
+}
+
int
main(int argc, char **argv) {
char *algname = NULL, *freeit = NULL;
char *nametype = NULL, *type = NULL;
char *classname = NULL;
char *endp;
- dst_key_t *key = NULL, *oldkey;
+ dst_key_t *key = NULL;
dns_fixedname_t fname;
dns_name_t *name;
- isc_uint16_t flags = 0, ksk = 0;
+ isc_uint16_t flags = 0, kskflag = 0, revflag = 0;
dns_secalg_t alg;
isc_boolean_t conflict = ISC_FALSE, null_key = ISC_FALSE;
+ isc_boolean_t oldstyle = ISC_FALSE;
isc_mem_t *mctx = NULL;
int ch, rsa_exp = 0, generator = 0, param = 0;
int protocol = -1, size = -1, signatory = 0;
isc_result_t ret;
isc_textregion_t r;
char filename[255];
+ const char *directory = NULL;
+ const char *predecessor = NULL;
+ dst_key_t *prevkey = NULL;
isc_buffer_t buf;
isc_log_t *log = NULL;
isc_entropy_t *ectx = NULL;
+#ifdef USE_PKCS11
+ const char *engine = "pkcs11";
+#else
+ const char *engine = NULL;
+#endif
dns_rdataclass_t rdclass;
int options = DST_TYPE_PRIVATE | DST_TYPE_PUBLIC;
int dbits = 0;
+ isc_boolean_t use_default = ISC_FALSE, use_nsec3 = ISC_FALSE;
+ isc_stdtime_t publish = 0, activate = 0, revoke = 0;
+ isc_stdtime_t inactive = 0, delete = 0;
+ isc_stdtime_t now;
+ int prepub = -1;
+ isc_boolean_t setpub = ISC_FALSE, setact = ISC_FALSE;
+ isc_boolean_t setrev = ISC_FALSE, setinact = ISC_FALSE;
+ isc_boolean_t setdel = ISC_FALSE;
+ isc_boolean_t unsetpub = ISC_FALSE, unsetact = ISC_FALSE;
+ isc_boolean_t unsetrev = ISC_FALSE, unsetinact = ISC_FALSE;
+ isc_boolean_t unsetdel = ISC_FALSE;
+ isc_boolean_t genonly = ISC_FALSE;
+ isc_boolean_t quiet = ISC_FALSE;
+ isc_boolean_t show_progress = ISC_FALSE;
+ unsigned char c;
if (argc == 1)
usage();
- RUNTIME_CHECK(isc_mem_create(0, 0, &mctx) == ISC_R_SUCCESS);
-
dns_result_register();
isc_commandline_errprint = ISC_FALSE;
- while ((ch = isc_commandline_parse(argc, argv,
- "a:b:c:d:ef:g:kn:t:p:s:r:v:h")) != -1)
- {
+ /*
+ * Process memory debugging argument first.
+ */
+#define CMDLINE_FLAGS "3A:a:b:Cc:D:d:E:eFf:Gg:hI:i:K:km:n:P:p:qR:r:S:s:T:t:v:"
+ while ((ch = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) {
+ switch (ch) {
+ case 'm':
+ if (strcasecmp(isc_commandline_argument, "record") == 0)
+ isc_mem_debugging |= ISC_MEM_DEBUGRECORD;
+ if (strcasecmp(isc_commandline_argument, "trace") == 0)
+ isc_mem_debugging |= ISC_MEM_DEBUGTRACE;
+ if (strcasecmp(isc_commandline_argument, "usage") == 0)
+ isc_mem_debugging |= ISC_MEM_DEBUGUSAGE;
+ if (strcasecmp(isc_commandline_argument, "size") == 0)
+ isc_mem_debugging |= ISC_MEM_DEBUGSIZE;
+ if (strcasecmp(isc_commandline_argument, "mctx") == 0)
+ isc_mem_debugging |= ISC_MEM_DEBUGCTX;
+ break;
+ default:
+ break;
+ }
+ }
+ isc_commandline_reset = ISC_TRUE;
+
+ RUNTIME_CHECK(isc_mem_create(0, 0, &mctx) == ISC_R_SUCCESS);
+
+ isc_stdtime_get(&now);
+
+ while ((ch = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) {
switch (ch) {
+ case '3':
+ use_nsec3 = ISC_TRUE;
+ break;
case 'a':
algname = isc_commandline_argument;
break;
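Review bot: The rewritten usage() text has a stray `fprintf(stderr, " ECCGOST:\tignored\n");` directly after the `-T <rrtype>` line, so the help output shows a key-size entry in the middle of the option list. It duplicates the entry already printed under `-b` and should be dropped. `q` is accepted in `CMDLINE_FLAGS` but usage() has no `-q` line, so a line such as `fprintf(stderr, " -q: quiet mode\n");` would keep the help in step with the parser. main() continues past the end of this hunk.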
@@ -171,6 +295,9 @@ main(int argc, char **argv) {
if (*endp != '\0' || size < 0)
fatal("-b requires a non-negative number");
break;
+ case 'C':
+ oldstyle = ISC_TRUE;
+ break;
case 'c':
classname = isc_commandline_argument;
break;
@@ -179,12 +306,18 @@ main(int argc, char **argv) {
if (*endp != '\0' || dbits < 0)
fatal("-d requires a non-negative number");
break;
+ case 'E':
+ engine = isc_commandline_argument;
+ break;
case 'e':
rsa_exp = 1;
break;
case 'f':
- if (strcasecmp(isc_commandline_argument, "KSK") == 0)
- ksk = DNS_KEYFLAG_KSK;
+ c = (unsigned char)(isc_commandline_argument[0]);
+ if (toupper(c) == 'K')
+ kskflag = DNS_KEYFLAG_KSK;
+ else if (toupper(c) == 'R')
+ revflag = DNS_KEYFLAG_REVOKE;
else
fatal("unknown flag '%s'",
isc_commandline_argument);
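Review bot: The new `-f` parsing looks only at the first character of the argument, so any string starting with `k`/`K` sets DNS_KEYFLAG_KSK and any string starting with `r`/`R` sets DNS_KEYFLAG_REVOKE. A typo or an unrelated word is therefore accepted silently, and a key can end up generated with the REVOKE bit set by accident. The removed code compared the whole word, and keeping that form for both flags preserves the validation: `if (strcasecmp(isc_commandline_argument, "KSK") == 0)` and `else if (strcasecmp(isc_commandline_argument, "REVOKE") == 0)`. The enclosing switch begins and ends outside this hunk.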
@@ -195,14 +328,22 @@ main(int argc, char **argv) {
if (*endp != '\0' || generator <= 0)
fatal("-g requires a positive number");
break;
+ case 'K':
+ directory = isc_commandline_argument;
+ ret = try_dir(directory);
+ if (ret != ISC_R_SUCCESS)
+ fatal("cannot open directory %s: %s",
+ directory, isc_result_totext(ret));
+ break;
case 'k':
- options |= DST_TYPE_KEY;
+ fatal("The -k option has been deprecated.\n"
+ "To generate a key-signing key, use -f KSK.\n"
+ "To generate a key with TYPE=KEY, use -T KEY.\n");
break;
case 'n':
nametype = isc_commandline_argument;
break;
- case 't':
- type = isc_commandline_argument;
+ case 'm':
break;
case 'p':
protocol = strtol(isc_commandline_argument, &endp, 10);
@@ -210,6 +351,12 @@ main(int argc, char **argv) {
fatal("-p must be followed by a number "
"[0..255]");
break;
+ case 'q':
+ quiet = ISC_TRUE;
+ break;
+ case 'r':
+ setup_entropy(mctx, isc_commandline_argument, &ectx);
+ break;
case 's':
signatory = strtol(isc_commandline_argument,
&endp, 10);
@@ -217,8 +364,19 @@ main(int argc, char **argv) {
fatal("-s must be followed by a number "
"[0..15]");
break;
- case 'r':
- setup_entropy(mctx, isc_commandline_argument, &ectx);
+ case 'T':
+ if (strcasecmp(isc_commandline_argument, "KEY") == 0)
+ options |= DST_TYPE_KEY;
+ else if (strcasecmp(isc_commandline_argument,
+ "DNSKEY") == 0)
+ /* default behavior */
+ ;
+ else
+ fatal("unknown type '%s'",
+ isc_commandline_argument);
+ break;
+ case 't':
+ type = isc_commandline_argument;
break;
case 'v':
endp = NULL;
@@ -226,11 +384,86 @@ main(int argc, char **argv) {
if (*endp != '\0')
fatal("-v must be followed by a number");
break;
+ case 'z':
+ /* already the default */
+ break;
+ case 'G':
+ genonly = ISC_TRUE;
+ break;
+ case 'P':
+ if (setpub || unsetpub)
+ fatal("-P specified more than once");
+ if (strcasecmp(isc_commandline_argument, "none")) {
+ setpub = ISC_TRUE;
+ publish = strtotime(isc_commandline_argument,
+ now, now);
+ } else {
+ unsetpub = ISC_TRUE;
+ }
+ break;
+ case 'A':
+ if (setact || unsetact)
+ fatal("-A specified more than once");
+
+ if (strcasecmp(isc_commandline_argument, "none")) {
+ setact = ISC_TRUE;
+ activate = strtotime(isc_commandline_argument,
+ now, now);
+ } else {
+ unsetact = ISC_TRUE;
+ }
+ break;
+ case 'R':
+ if (setrev || unsetrev)
+ fatal("-R specified more than once");
+
+ if (strcasecmp(isc_commandline_argument, "none")) {
+ setrev = ISC_TRUE;
+ revoke = strtotime(isc_commandline_argument,
+ now, now);
+ } else {
+ unsetrev = ISC_TRUE;
+ }
+ break;
+ case 'I':
+ if (setinact || unsetinact)
+ fatal("-I specified more than once");
+
+ if (strcasecmp(isc_commandline_argument, "none")) {
+ setinact = ISC_TRUE;
+ inactive = strtotime(isc_commandline_argument,
+ now, now);
+ } else {
+ unsetinact = ISC_TRUE;
+ }
+ break;
+ case 'D':
+ if (setdel || unsetdel)
+ fatal("-D specified more than once");
+
+ if (strcasecmp(isc_commandline_argument, "none")) {
+ setdel = ISC_TRUE;
+ delete = strtotime(isc_commandline_argument,
+ now, now);
+ } else {
+ unsetdel = ISC_TRUE;
+ }
+ break;
+ case 'S':
+ predecessor = isc_commandline_argument;
+ break;
+ case 'i':
+ prepub = strtottl(isc_commandline_argument);
+ break;
+ case 'F':
+ /* Reserved for FIPS mode */
+ /* FALLTHROUGH */
case '?':
if (isc_commandline_option != '?')
fprintf(stderr, "%s: invalid argument -%c\n",
program, isc_commandline_option);
+ /* FALLTHROUGH */
case 'h':
usage();
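Review bot: `prepub = strtottl(isc_commandline_argument);` stores the `-i` interval in the `int prepub` whose value -1 is also the "not set" sentinel, and nothing range-checks it afterwards. strtottl() is not defined in this diff; if it returns an unsigned 32-bit TTL, a large argument becomes negative here. A negative value then skips the later `prepub > 0` consistency checks, and in the `-S` path `publish = activate - prepub` would place publication after activation. A guard right after the assignment would close this, for example `if (prepub < 0) fatal("-i interval out of range");`. The option switch starts before this hunk.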
@@ -241,73 +474,225 @@ main(int argc, char **argv) {
}
}
+ if (!isatty(0))
+ quiet = ISC_TRUE;
+
if (ectx == NULL)
setup_entropy(mctx, NULL, &ectx);
- ret = dst_lib_init(mctx, ectx,
- ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY);
+ ret = dst_lib_init2(mctx, ectx, engine,
+ ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY);
if (ret != ISC_R_SUCCESS)
- fatal("could not initialize dst");
+ fatal("could not initialize dst: %s",
+ isc_result_totext(ret));
setup_logging(verbose, mctx, &log);
- if (argc < isc_commandline_index + 1)
- fatal("the key name was not specified");
- if (argc > isc_commandline_index + 1)
- fatal("extraneous arguments");
-
- if (algname == NULL)
- fatal("no algorithm was specified");
- if (strcasecmp(algname, "RSA") == 0) {
- fprintf(stderr, "The use of RSA (RSAMD5) is not recommended.\n"
- "If you still wish to use RSA (RSAMD5) please "
- "specify \"-a RSAMD5\"\n");
- return (1);
- } else if (strcasecmp(algname, "HMAC-MD5") == 0) {
- options |= DST_TYPE_KEY;
- alg = DST_ALG_HMACMD5;
- } else if (strcasecmp(algname, "HMAC-SHA1") == 0) {
- options |= DST_TYPE_KEY;
- alg = DST_ALG_HMACSHA1;
- } else if (strcasecmp(algname, "HMAC-SHA224") == 0) {
- options |= DST_TYPE_KEY;
- alg = DST_ALG_HMACSHA224;
- } else if (strcasecmp(algname, "HMAC-SHA256") == 0) {
- options |= DST_TYPE_KEY;
- alg = DST_ALG_HMACSHA256;
- } else if (strcasecmp(algname, "HMAC-SHA384") == 0) {
- options |= DST_TYPE_KEY;
- alg = DST_ALG_HMACSHA384;
- } else if (strcasecmp(algname, "HMAC-SHA512") == 0) {
- options |= DST_TYPE_KEY;
- alg = DST_ALG_HMACSHA512;
- } else {
- r.base = algname;
- r.length = strlen(algname);
- ret = dns_secalg_fromtext(&alg, &r);
+ if (predecessor == NULL) {
+ if (prepub == -1)
+ prepub = 0;
+
+ if (argc < isc_commandline_index + 1)
+ fatal("the key name was not specified");
+ if (argc > isc_commandline_index + 1)
+ fatal("extraneous arguments");
+
+ dns_fixedname_init(&fname);
+ name = dns_fixedname_name(&fname);
+ isc_buffer_init(&buf, argv[isc_commandline_index],
+ strlen(argv[isc_commandline_index]));
+ isc_buffer_add(&buf, strlen(argv[isc_commandline_index]));
+ ret = dns_name_fromtext(name, &buf, dns_rootname, 0, NULL);
if (ret != ISC_R_SUCCESS)
- fatal("unknown algorithm %s", algname);
- if (alg == DST_ALG_DH)
- options |= DST_TYPE_KEY;
- }
+ fatal("invalid key name %s: %s",
+ argv[isc_commandline_index],
+ isc_result_totext(ret));
- if (type != NULL && (options & DST_TYPE_KEY) != 0) {
- if (strcasecmp(type, "NOAUTH") == 0)
- flags |= DNS_KEYTYPE_NOAUTH;
- else if (strcasecmp(type, "NOCONF") == 0)
- flags |= DNS_KEYTYPE_NOCONF;
- else if (strcasecmp(type, "NOAUTHCONF") == 0) {
- flags |= (DNS_KEYTYPE_NOAUTH | DNS_KEYTYPE_NOCONF);
- if (size < 0)
- size = 0;
+ if (algname == NULL) {
+ use_default = ISC_TRUE;
+ if (use_nsec3)
+ algname = strdup(DEFAULT_NSEC3_ALGORITHM);
+ else
+ algname = strdup(DEFAULT_ALGORITHM);
+ if (algname == NULL)
+ fatal("strdup failed");
+ freeit = algname;
+ if (verbose > 0)
+ fprintf(stderr, "no algorithm specified; "
+ "defaulting to %s\n", algname);
}
- else if (strcasecmp(type, "AUTHCONF") == 0)
- /* nothing */;
- else
- fatal("invalid type %s", type);
- }
- if (size < 0)
- fatal("key size not specified (-b option)");
+ if (strcasecmp(algname, "RSA") == 0) {
+ fprintf(stderr, "The use of RSA (RSAMD5) is not "
+ "recommended.\nIf you still wish to "
+ "use RSA (RSAMD5) please specify "
+ "\"-a RSAMD5\"\n");
+ return (1);
+ } else if (strcasecmp(algname, "HMAC-MD5") == 0)
+ alg = DST_ALG_HMACMD5;
+ else if (strcasecmp(algname, "HMAC-SHA1") == 0)
+ alg = DST_ALG_HMACSHA1;
+ else if (strcasecmp(algname, "HMAC-SHA224") == 0)
+ alg = DST_ALG_HMACSHA224;
+ else if (strcasecmp(algname, "HMAC-SHA256") == 0)
+ alg = DST_ALG_HMACSHA256;
+ else if (strcasecmp(algname, "HMAC-SHA384") == 0)
+ alg = DST_ALG_HMACSHA384;
+ else if (strcasecmp(algname, "HMAC-SHA512") == 0)
+ alg = DST_ALG_HMACSHA512;
+ else {
+ r.base = algname;
+ r.length = strlen(algname);
+ ret = dns_secalg_fromtext(&alg, &r);
+ if (ret != ISC_R_SUCCESS)
+ fatal("unknown algorithm %s", algname);
+ if (alg == DST_ALG_DH)
+ options |= DST_TYPE_KEY;
+ }
+
+ if (use_nsec3 &&
+ alg != DST_ALG_NSEC3DSA && alg != DST_ALG_NSEC3RSASHA1 &&
+ alg != DST_ALG_RSASHA256 && alg!= DST_ALG_RSASHA512 &&
+ alg != DST_ALG_ECCGOST &&
+ alg != DST_ALG_ECDSA256 && alg != DST_ALG_ECDSA384) {
+ fatal("%s is incompatible with NSEC3; "
+ "do not use the -3 option", algname);
+ }
+
+ if (type != NULL && (options & DST_TYPE_KEY) != 0) {
+ if (strcasecmp(type, "NOAUTH") == 0)
+ flags |= DNS_KEYTYPE_NOAUTH;
+ else if (strcasecmp(type, "NOCONF") == 0)
+ flags |= DNS_KEYTYPE_NOCONF;
+ else if (strcasecmp(type, "NOAUTHCONF") == 0) {
+ flags |= (DNS_KEYTYPE_NOAUTH |
+ DNS_KEYTYPE_NOCONF);
+ if (size < 0)
+ size = 0;
+ }
+ else if (strcasecmp(type, "AUTHCONF") == 0)
+ /* nothing */;
+ else
+ fatal("invalid type %s", type);
+ }
+
+ if (size < 0) {
+ if (use_default) {
+ if ((kskflag & DNS_KEYFLAG_KSK) != 0)
+ size = 2048;
+ else
+ size = 1024;
+ if (verbose > 0)
+ fprintf(stderr, "key size not "
+ "specified; defaulting"
+ " to %d\n", size);
+ } else if (alg != DST_ALG_ECCGOST &&
+ alg != DST_ALG_ECDSA256 &&
+ alg != DST_ALG_ECDSA384)
+ fatal("key size not specified (-b option)");
+ }
+
+ if (!oldstyle && prepub > 0) {
+ if (setpub && setact && (activate - prepub) < publish)
+ fatal("Activation and publication dates "
+ "are closer together than the\n\t"
+ "prepublication interval.");
+
+ if (!setpub && !setact) {
+ setpub = setact = ISC_TRUE;
+ publish = now;
+ activate = now + prepub;
+ } else if (setpub && !setact) {
+ setact = ISC_TRUE;
+ activate = publish + prepub;
+ } else if (setact && !setpub) {
+ setpub = ISC_TRUE;
+ publish = activate - prepub;
+ }
+
+ if ((activate - prepub) < now)
+ fatal("Time until activation is shorter "
+ "than the\n\tprepublication interval.");
+ }
+ } else {
+ char keystr[DST_KEY_FORMATSIZE];
+ isc_stdtime_t when;
+ int major, minor;
+
+ if (prepub == -1)
+ prepub = (30 * 86400);
+
+ if (algname != NULL)
+ fatal("-S and -a cannot be used together");
+ if (size >= 0)
+ fatal("-S and -b cannot be used together");
+ if (nametype != NULL)
+ fatal("-S and -n cannot be used together");
+ if (type != NULL)
+ fatal("-S and -t cannot be used together");
+ if (setpub || unsetpub)
+ fatal("-S and -P cannot be used together");
+ if (setact || unsetact)
+ fatal("-S and -A cannot be used together");
+ if (use_nsec3)
+ fatal("-S and -3 cannot be used together");
+ if (oldstyle)
+ fatal("-S and -C cannot be used together");
+ if (genonly)
+ fatal("-S and -G cannot be used together");
+
+ ret = dst_key_fromnamedfile(predecessor, directory,
+ DST_TYPE_PUBLIC | DST_TYPE_PRIVATE,
+ mctx, &prevkey);
+ if (ret != ISC_R_SUCCESS)
+ fatal("Invalid keyfile %s: %s",
+ filename, isc_result_totext(ret));
+ if (!dst_key_isprivate(prevkey))
+ fatal("%s is not a private key", filename);
+
+ name = dst_key_name(prevkey);
+ alg = dst_key_alg(prevkey);
+ size = dst_key_size(prevkey);
+ flags = dst_key_flags(prevkey);
+
+ dst_key_format(prevkey, keystr, sizeof(keystr));
+ dst_key_getprivateformat(prevkey, &major, &minor);
+ if (major != DST_MAJOR_VERSION || minor < DST_MINOR_VERSION)
+ fatal("Key %s has incompatible format version %d.%d\n\t"
+ "It is not possible to generate a successor key.",
+ keystr, major, minor);
+
+ ret = dst_key_gettime(prevkey, DST_TIME_ACTIVATE, &when);
+ if (ret != ISC_R_SUCCESS)
+ fatal("Key %s has no activation date.\n\t"
+ "You must use dnssec-settime -A to set one "
+ "before generating a successor.", keystr);
+
+ ret = dst_key_gettime(prevkey, DST_TIME_INACTIVE, &activate);
+ if (ret != ISC_R_SUCCESS)
+ fatal("Key %s has no inactivation date.\n\t"
+ "You must use dnssec-settime -I to set one "
+ "before generating a successor.", keystr);
+
+ publish = activate - prepub;
+ if (publish < now)
+ fatal("Key %s becomes inactive\n\t"
+ "sooner than the prepublication period "
+ "for the new key ends.\n\t"
+ "Either change the inactivation date with "
+ "dnssec-settime -I,\n\t"
+ "or use the -i option to set a shorter "
+ "prepublication interval.", keystr);
+
+ ret = dst_key_gettime(prevkey, DST_TIME_DELETE, &when);
+ if (ret != ISC_R_SUCCESS)
+ fprintf(stderr, "%s: WARNING: Key %s has no removal "
+ "date;\n\t it will remain in the zone "
+ "indefinitely after rollover.\n\t "
+ "You can use dnssec-settime -D to "
+ "change this.\n", program, keystr);
+
+ setpub = setact = ISC_TRUE;
+ }
switch (alg) {
case DNS_KEYALG_RSAMD5:
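Review bot: In the new `-S` branch, both `fatal("Invalid keyfile %s: %s", filename, ...)` and `fatal("%s is not a private key", filename)` print `filename`, which is declared as `char filename[255]` with no initializer and has not been written at this point in the visible code. The error path therefore reads an uninitialized stack buffer through `%s`, which can emit stale stack bytes or run past the array if no NUL is present. The string the user supplied is `predecessor`, so both calls should pass that instead: `fatal("Invalid keyfile %s: %s", predecessor, isc_result_totext(ret));` and `fatal("%s is not a private key", predecessor);`. main() starts before and continues after this hunk.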
@@ -330,7 +715,12 @@ main(int argc, char **argv) {
if (size != 0 && !dsa_size_ok(size))
fatal("invalid DSS key size: %d", size);
break;
+ case DST_ALG_ECCGOST:
+ case DST_ALG_ECDSA256:
+ case DST_ALG_ECDSA384:
+ break;
case DST_ALG_HMACMD5:
+ options |= DST_TYPE_KEY;
if (size < 1 || size > 512)
fatal("HMAC-MD5 key size %d out of range", size);
if (dbits != 0 && (dbits < 80 || dbits > 128))
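Review bot: Setting `options |= DST_TYPE_KEY;` here, and in the HMAC-SHA1 through HMAC-SHA512 cases of the following five hunks, comes too late for the `-t` handling, which runs before this switch and is guarded by `(options & DST_TYPE_KEY) != 0`. For an HMAC algorithm given without `-T KEY`, the `-t` argument is therefore neither applied nor validated, so even an invalid type string is accepted silently. The removed code set the bit while matching the algorithm name. Either keep `options |= DST_TYPE_KEY;` in those `strcasecmp` branches or move the `-t` block below this switch. The switch starts and ends outside this hunk.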
@@ -340,6 +730,7 @@ main(int argc, char **argv) {
dbits);
break;
case DST_ALG_HMACSHA1:
+ options |= DST_TYPE_KEY;
if (size < 1 || size > 160)
fatal("HMAC-SHA1 key size %d out of range", size);
if (dbits != 0 && (dbits < 80 || dbits > 160))
@@ -349,6 +740,7 @@ main(int argc, char **argv) {
dbits);
break;
case DST_ALG_HMACSHA224:
+ options |= DST_TYPE_KEY;
if (size < 1 || size > 224)
fatal("HMAC-SHA224 key size %d out of range", size);
if (dbits != 0 && (dbits < 112 || dbits > 224))
@@ -358,6 +750,7 @@ main(int argc, char **argv) {
dbits);
break;
case DST_ALG_HMACSHA256:
+ options |= DST_TYPE_KEY;
if (size < 1 || size > 256)
fatal("HMAC-SHA256 key size %d out of range", size);
if (dbits != 0 && (dbits < 128 || dbits > 256))
@@ -367,6 +760,7 @@ main(int argc, char **argv) {
dbits);
break;
case DST_ALG_HMACSHA384:
+ options |= DST_TYPE_KEY;
if (size < 1 || size > 384)
fatal("HMAC-384 key size %d out of range", size);
if (dbits != 0 && (dbits < 192 || dbits > 384))
@@ -376,6 +770,7 @@ main(int argc, char **argv) {
dbits);
break;
case DST_ALG_HMACSHA512:
+ options |= DST_TYPE_KEY;
if (size < 1 || size > 512)
fatal("HMAC-SHA512 key size %d out of range", size);
if (dbits != 0 && (dbits < 256 || dbits > 512))
@@ -388,7 +783,9 @@ main(int argc, char **argv) {
if (!(alg == DNS_KEYALG_RSAMD5 || alg == DNS_KEYALG_RSASHA1 ||
alg == DNS_KEYALG_NSEC3RSASHA1 || alg == DNS_KEYALG_RSASHA256 ||
- alg == DNS_KEYALG_RSASHA512) && rsa_exp != 0)
+ alg == DNS_KEYALG_RSASHA512 || alg == DST_ALG_ECCGOST ||
+ alg == DST_ALG_ECDSA256 || alg == DST_ALG_ECDSA384) &&
+ rsa_exp != 0)
fatal("specified RSA exponent for a non-RSA key");
if (alg != DNS_KEYALG_DH && generator != 0)
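Review bot: The three elliptic-curve algorithms are added to the list that exempts a key from the `rsa_exp != 0` test, so `-e` with ECCGOST, ECDSA256 or ECDSA384 is now accepted silently, although the error text says the exponent applies only to RSA keys. In the later `switch(alg)` hunk of this commit those algorithms sit in the group that falls through past the RSA case's `param = rsa_exp`, so the option appears to have no effect for them. If that is intended, a comment such as `/* -e is accepted but ignored for the EC algorithms */` above the condition would say so. Otherwise the three added `alg ==` terms should be dropped so the existing `fatal()` fires. main's body starts and ends outside this hunk.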
@@ -413,10 +810,15 @@ main(int argc, char **argv) {
rdclass = strtoclass(classname);
+ if (directory == NULL)
+ directory = ".";
+
if ((options & DST_TYPE_KEY) != 0) /* KEY / HMAC */
flags |= signatory;
- else if ((flags & DNS_KEYOWNER_ZONE) != 0) /* DNSKEY */
- flags |= ksk;
+ else if ((flags & DNS_KEYOWNER_ZONE) != 0) { /* DNSKEY */
+ flags |= kskflag;
+ flags |= revflag;
+ }
if (protocol == -1)
protocol = DNS_KEYPROTO_DNSSEC;
@@ -439,16 +841,6 @@ main(int argc, char **argv) {
fatal("a key with algorithm '%s' cannot be a zone key",
algname);
- dns_fixedname_init(&fname);
- name = dns_fixedname_name(&fname);
- isc_buffer_init(&buf, argv[isc_commandline_index],
- strlen(argv[isc_commandline_index]));
- isc_buffer_add(&buf, strlen(argv[isc_commandline_index]));
- ret = dns_name_fromtext(name, &buf, dns_rootname, ISC_FALSE, NULL);
- if (ret != ISC_R_SUCCESS)
- fatal("invalid key name %s: %s", argv[isc_commandline_index],
- isc_result_totext(ret));
-
switch(alg) {
case DNS_KEYALG_RSAMD5:
case DNS_KEYALG_RSASHA1:
@@ -456,12 +848,21 @@ main(int argc, char **argv) {
case DNS_KEYALG_RSASHA256:
case DNS_KEYALG_RSASHA512:
param = rsa_exp;
+ show_progress = ISC_TRUE;
break;
+
case DNS_KEYALG_DH:
param = generator;
break;
+
case DNS_KEYALG_DSA:
case DNS_KEYALG_NSEC3DSA:
+ case DST_ALG_ECCGOST:
+ case DST_ALG_ECDSA256:
+ case DST_ALG_ECDSA384:
+ show_progress = ISC_TRUE;
+ /* fall through */
+
case DST_ALG_HMACMD5:
case DST_ALG_HMACSHA1:
case DST_ALG_HMACSHA224:
@@ -479,63 +880,138 @@ main(int argc, char **argv) {
do {
conflict = ISC_FALSE;
- oldkey = NULL;
- /* generate the key */
- ret = dst_key_generate(name, alg, size, param, flags, protocol,
- rdclass, mctx, &key);
+ if (!quiet && show_progress) {
+ fprintf(stderr, "Generating key pair.");
+ ret = dst_key_generate2(name, alg, size, param, flags,
+ protocol, rdclass, mctx, &key,
+ &progress);
+ putc('\n', stderr);
+ fflush(stderr);
+ } else {
+ ret = dst_key_generate2(name, alg, size, param, flags,
+ protocol, rdclass, mctx, &key,
+ NULL);
+ }
+
isc_entropy_stopcallbacksources(ectx);
if (ret != ISC_R_SUCCESS) {
char namestr[DNS_NAME_FORMATSIZE];
- char algstr[ALG_FORMATSIZE];
+ char algstr[DNS_SECALG_FORMATSIZE];
dns_name_format(name, namestr, sizeof(namestr));
- alg_format(alg, algstr, sizeof(algstr));
+ dns_secalg_format(alg, algstr, sizeof(algstr));
fatal("failed to generate key %s/%s: %s\n",
namestr, algstr, isc_result_totext(ret));
+ /* NOTREACHED */
exit(-1);
}
dst_key_setbits(key, dbits);
/*
- * Try to read a key with the same name, alg and id from disk.
- * If there is one we must continue generating a new one
- * unless we were asked to generate a null key, in which
- * case we return failure.
+ * Set key timing metadata (unless using -C)
+ *
+ * Creation date is always set to "now".
+ *
+ * For a new key without an explicit predecessor, publish
+ * and activation dates are set to "now" by default, but
+ * can both be overridden.
+ *
+ * For a successor key, activation is set to match the
+ * predecessor's inactivation date. Publish is set to 30
+ * days earlier than that (XXX: this should be configurable).
+ * If either of the resulting dates are in the past, that's
+ * an error; the inactivation date of the predecessor key
+ * must be updated before a successor key can be created.
+ */
+ if (!oldstyle) {
+ dst_key_settime(key, DST_TIME_CREATED, now);
+
+ if (genonly && (setpub || setact))
+ fatal("cannot use -G together with "
+ "-P or -A options");
+
+ if (setpub)
+ dst_key_settime(key, DST_TIME_PUBLISH, publish);
+ else if (setact)
+ dst_key_settime(key, DST_TIME_PUBLISH,
+ activate);
+ else if (!genonly && !unsetpub)
+ dst_key_settime(key, DST_TIME_PUBLISH, now);
+
+ if (setact)
+ dst_key_settime(key, DST_TIME_ACTIVATE,
+ activate);
+ else if (!genonly && !unsetact)
+ dst_key_settime(key, DST_TIME_ACTIVATE, now);
+
+ if (setrev) {
+ if (kskflag == 0)
+ fprintf(stderr, "%s: warning: Key is "
+ "not flagged as a KSK, but -R "
+ "was used. Revoking a ZSK is "
+ "legal, but undefined.\n",
+ program);
+ dst_key_settime(key, DST_TIME_REVOKE, revoke);
+ }
+
+ if (setinact)
+ dst_key_settime(key, DST_TIME_INACTIVE,
+ inactive);
+
+ if (setdel)
+ dst_key_settime(key, DST_TIME_DELETE, delete);
+ } else {
+ if (setpub || setact || setrev || setinact ||
+ setdel || unsetpub || unsetact ||
+ unsetrev || unsetinact || unsetdel || genonly)
+ fatal("cannot use -C together with "
+ "-P, -A, -R, -I, -D, or -G options");
+ /*
+ * Compatibility mode: Private-key-format
+ * should be set to 1.2.
+ */
+ dst_key_setprivateformat(key, 1, 2);
+ }
+
+ /*
+ * Do not overwrite an existing key, or create a key
+ * if there is a risk of ID collision due to this key
+ * or another key being revoked.
*/
- ret = dst_key_fromfile(name, dst_key_id(key), alg,
- DST_TYPE_PRIVATE, NULL, mctx, &oldkey);
- /* do not overwrite an existing key */
- if (ret == ISC_R_SUCCESS) {
- dst_key_free(&oldkey);
+ if (key_collision(key, name, directory, mctx, NULL)) {
conflict = ISC_TRUE;
- if (null_key)
+ if (null_key) {
+ dst_key_free(&key);
break;
- }
- if (conflict == ISC_TRUE) {
+ }
+
if (verbose > 0) {
isc_buffer_clear(&buf);
- ret = dst_key_buildfilename(key, 0, NULL, &buf);
+ ret = dst_key_buildfilename(key, 0,
+ directory, &buf);
if (ret == ISC_R_SUCCESS)
fprintf(stderr,
- "%s: %s already exists, "
- "generating a new key\n",
+ "%s: %s already exists, or "
+ "might collide with another "
+ "key upon revokation. "
+ "Generating a new key\n",
program, filename);
}
+
dst_key_free(&key);
}
-
} while (conflict == ISC_TRUE);
if (conflict)
- fatal("cannot generate a null key when a key with id 0 "
- "already exists");
+ fatal("cannot generate a null key due to possible key ID "
+ "collision");
- ret = dst_key_tofile(key, options, NULL);
+ ret = dst_key_tofile(key, options, directory);
if (ret != ISC_R_SUCCESS) {
- char keystr[KEY_FORMATSIZE];
- key_format(key, keystr, sizeof(keystr));
+ char keystr[DST_KEY_FORMATSIZE];
+ dst_key_format(key, keystr, sizeof(keystr));
fatal("failed to write key %s: %s\n", keystr,
isc_result_totext(ret));
}
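Review bot: The option-conflict checks added inside the `do { ... } while (conflict == ISC_TRUE)` loop (`-G` with `-P`/`-A`, and `-C` with any timing option or `-G`) run only after `dst_key_generate2()` has returned. An invalid command line is therefore rejected only after a key pair has been generated, and `fatal()` is reached with `key` still allocated. Both tests depend only on flags set during option parsing, so they can be hoisted above the `do {` line, leaving just the `dst_key_settime()` and `dst_key_setprivateformat()` calls inside the loop. Separately, the new collision message misspells the word as "revokation"; the literal should read `"key upon revocation. "`. main's body starts and ends outside this hunk.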
@@ -547,6 +1023,8 @@ main(int argc, char **argv) {
isc_result_totext(ret));
printf("%s\n", filename);
dst_key_free(&key);
+ if (prevkey != NULL)
+ dst_key_free(&prevkey);
cleanup_logging(&log);
cleanup_entropy(&ectx);
diff --git a/contrib/bind9/bin/dnssec/dnssec-keygen.docbook b/contrib/bind9/bin/dnssec/dnssec-keygen.docbook
index d35a9b7c986c..0a1926bd839a 100644
--- a/contrib/bind9/bin/dnssec/dnssec-keygen.docbook
+++ b/contrib/bind9/bin/dnssec/dnssec-keygen.docbook
@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id$ -->
+<!-- $Id: dnssec-keygen.docbook,v 1.36 2010/12/23 04:07:59 marka Exp $ -->
<refentry id="man.dnssec-keygen">
<refentryinfo>
<date>June 30, 2000</date>
@@ -58,20 +58,34 @@
<refsynopsisdiv>
<cmdsynopsis>
<command>dnssec-keygen</command>
- <arg choice="req">-a <replaceable class="parameter">algorithm</replaceable></arg>
- <arg choice="req">-b <replaceable class="parameter">keysize</replaceable></arg>
- <arg choice="req">-n <replaceable class="parameter">nametype</replaceable></arg>
+ <arg><option>-a <replaceable class="parameter">algorithm</replaceable></option></arg>
+ <arg ><option>-b <replaceable class="parameter">keysize</replaceable></option></arg>
+ <arg><option>-n <replaceable class="parameter">nametype</replaceable></option></arg>
+ <arg><option>-3</option></arg>
+ <arg><option>-A <replaceable class="parameter">date/offset</replaceable></option></arg>
+ <arg><option>-C</option></arg>
<arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
+ <arg><option>-D <replaceable class="parameter">date/offset</replaceable></option></arg>
+ <arg><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
<arg><option>-e</option></arg>
<arg><option>-f <replaceable class="parameter">flag</replaceable></option></arg>
+ <arg><option>-G</option></arg>
<arg><option>-g <replaceable class="parameter">generator</replaceable></option></arg>
<arg><option>-h</option></arg>
+ <arg><option>-I <replaceable class="parameter">date/offset</replaceable></option></arg>
+ <arg><option>-i <replaceable class="parameter">interval</replaceable></option></arg>
+ <arg><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
<arg><option>-k</option></arg>
+ <arg><option>-P <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-p <replaceable class="parameter">protocol</replaceable></option></arg>
+ <arg><option>-q</option></arg>
+ <arg><option>-R <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-r <replaceable class="parameter">randomdev</replaceable></option></arg>
+ <arg><option>-S <replaceable class="parameter">key</replaceable></option></arg>
<arg><option>-s <replaceable class="parameter">strength</replaceable></option></arg>
<arg><option>-t <replaceable class="parameter">type</replaceable></option></arg>
<arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
+ <arg><option>-z</option></arg>
<arg choice="req">name</arg>
</cmdsynopsis>
</refsynopsisdiv>
@@ -81,7 +95,8 @@
<para><command>dnssec-keygen</command>
generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
and RFC 4034. It can also generate keys for use with
- TSIG (Transaction Signatures), as defined in RFC 2845.
+ TSIG (Transaction Signatures) as defined in RFC 2845, or TKEY
+ (Transaction Key) as defined in RFC 2930.
</para>
<para>
The <option>name</option> of the key is specified on the command
@@ -100,19 +115,28 @@
<para>
Selects the cryptographic algorithm. For DNSSEC keys, the value
of <option>algorithm</option> must be one of RSAMD5, RSASHA1,
- DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256 or RSASHA512.
- For TSIG/TKEY, the value must
+ DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
+ ECDSAP256SHA256 or ECDSAP384SHA384.
+ For TSIG/TKEY, the value must
be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224,
HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512. These values are
case insensitive.
</para>
<para>
+ If no algorithm is specified, then RSASHA1 will be used by
+ default, unless the <option>-3</option> option is specified,
+ in which case NSEC3RSASHA1 will be used instead. (If
+ <option>-3</option> is used and an algorithm is specified,
+ that algorithm will be checked for compatibility with NSEC3.)
+ </para>
+ <para>
Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
algorithm, and DSA is recommended. For TSIG, HMAC-MD5 is
mandatory.
</para>
<para>
- Note 2: HMAC-MD5 and DH automatically set the -k flag.
+ Note 2: DH, HMAC-MD5, and HMAC-SHA1 through HMAC-SHA512
+ automatically set the -T KEY option.
</para>
</listitem>
</varlistentry>
@@ -126,7 +150,17 @@
between 512 and 2048 bits. Diffie Hellman keys must be between
128 and 4096 bits. DSA keys must be between 512 and 1024
bits and an exact multiple of 64. HMAC keys must be
- between 1 and 512 bits.
+ between 1 and 512 bits. Elliptic curve algorithms don't need
+ this parameter.
+ </para>
+ <para>
+ The key size does not need to be specified if using a default
+ algorithm. The default key size is 1024 bits for zone signing
+ keys (ZSK's) and 2048 bits for key signing keys (KSK's,
+ generated with <option>-f KSK</option>). However, if an
+ algorithm is explicitly specified with the <option>-a</option>,
+ then there is no default key size, and the <option>-b</option>
+ must be used.
</para>
</listitem>
</varlistentry>
@@ -147,6 +181,35 @@
</varlistentry>
<varlistentry>
+ <term>-3</term>
+ <listitem>
+ <para>
+ Use an NSEC3-capable algorithm to generate a DNSSEC key.
+ If this option is used and no algorithm is explicitly
+ set on the command line, NSEC3RSASHA1 will be used by
+ default. Note that RSASHA256, RSASHA512, ECCGOST,
+ ECDSAP256SHA256 and ECDSAP384SHA384 algorithms
+ are NSEC3-capable.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-C</term>
+ <listitem>
+ <para>
+ Compatibility mode: generates an old-style key, without
+ any metadata. By default, <command>dnssec-keygen</command>
+ will include the key's creation date in the metadata stored
+ with the private key, and other dates may be set there as well
+ (publication date, activation date, etc). Keys that include
+ this data may be incompatible with older versions of BIND; the
+ <option>-C</option> option suppresses them.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term>-c <replaceable class="parameter">class</replaceable></term>
<listitem>
<para>
@@ -157,6 +220,18 @@
</varlistentry>
<varlistentry>
+ <term>-E <replaceable class="parameter">engine</replaceable></term>
+ <listitem>
+ <para>
+ Uses a crypto hardware (OpenSSL engine) for random number
+ and, when supported, key generation. When compiled with PKCS#11
+ support it defaults to pkcs11; the empty name resets it to
+ no engine.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term>-e</term>
<listitem>
<para>
@@ -170,7 +245,17 @@
<listitem>
<para>
Set the specified flag in the flag field of the KEY/DNSKEY record.
- The only recognized flag is KSK (Key Signing Key) DNSKEY.
+ The only recognized flags are KSK (Key Signing Key) and REVOKE.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-G</term>
+ <listitem>
+ <para>
+ Generate a key, but do not publish it or sign with it. This
+ option is incompatible with -P and -A.
</para>
</listitem>
</varlistentry>
@@ -198,10 +283,19 @@
</varlistentry>
<varlistentry>
+ <term>-K <replaceable class="parameter">directory</replaceable></term>
+ <listitem>
+ <para>
+ Sets the directory in which the key files are to be written.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term>-k</term>
<listitem>
<para>
- Generate KEY records rather than DNSKEY records.
+ Deprecated in favor of -T KEY.
</para>
</listitem>
</varlistentry>
@@ -219,6 +313,25 @@
</varlistentry>
<varlistentry>
+ <term>-q</term>
+ <listitem>
+ <para>
+ Quiet mode: Suppresses unnecessary output, including
+ progress indication. Without this option, when
+ <command>dnssec-keygen</command> is run interactively
+ to generate an RSA or DSA key pair, it will print a string
+ of symbols to <filename>stderr</filename> indicating the
+ progress of the key generation. A '.' indicates that a
+ random number has been found which passed an initial
+ sieve test; '+' means a number has passed a single
+ round of the Miller-Rabin primality test; a space
+ means that the number has passed all the tests and is
+ a satisfactory key.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term>-r <replaceable class="parameter">randomdev</replaceable></term>
<listitem>
<para>
@@ -236,6 +349,21 @@
</varlistentry>
<varlistentry>
+ <term>-S <replaceable class="parameter">key</replaceable></term>
+ <listitem>
+ <para>
+ Create a new key which is an explicit successor to an
+ existing key. The name, algorithm, size, and type of the
+ key will be set to match the existing key. The activation
+ date of the new key will be set to the inactivation date of
+ the existing one. The publication date will be set to the
+ activation date minus the prepublication interval, which
+ defaults to 30 days.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term>-s <replaceable class="parameter">strength</replaceable></term>
<listitem>
<para>
@@ -247,6 +375,22 @@
</varlistentry>
<varlistentry>
+ <term>-T <replaceable class="parameter">rrtype</replaceable></term>
+ <listitem>
+ <para>
+ Specifies the resource record type to use for the key.
+ <option>rrtype</option> must be either DNSKEY or KEY. The
+ default is DNSKEY when using a DNSSEC algorithm, but it can be
+ overridden to KEY for use with SIG(0).
+ <para>
+ </para>
+ Using any TSIG algorithm (HMAC-* or DH) forces this option
+ to KEY.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term>-t <replaceable class="parameter">type</replaceable></term>
<listitem>
<para>
@@ -271,6 +415,109 @@
</refsect1>
<refsect1>
+ <title>TIMING OPTIONS</title>
+
+ <para>
+ Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
+ If the argument begins with a '+' or '-', it is interpreted as
+ an offset from the present time. For convenience, if such an offset
+ is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
+ then the offset is computed in years (defined as 365 24-hour days,
+ ignoring leap years), months (defined as 30 24-hour days), weeks,
+ days, hours, or minutes, respectively. Without a suffix, the offset
+ is computed in seconds.
+ </para>
+
+ <variablelist>
+ <varlistentry>
+ <term>-P <replaceable class="parameter">date/offset</replaceable></term>
+ <listitem>
+ <para>
+ Sets the date on which a key is to be published to the zone.
+ After that date, the key will be included in the zone but will
+ not be used to sign it. If not set, and if the -G option has
+ not been used, the default is "now".
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-A <replaceable class="parameter">date/offset</replaceable></term>
+ <listitem>
+ <para>
+ Sets the date on which the key is to be activated. After that
+ date, the key will be included in the zone and used to sign
+ it. If not set, and if the -G option has not been used, the
+ default is "now".
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-R <replaceable class="parameter">date/offset</replaceable></term>
+ <listitem>
+ <para>
+ Sets the date on which the key is to be revoked. After that
+ date, the key will be flagged as revoked. It will be included
+ in the zone and will be used to sign it.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-I <replaceable class="parameter">date/offset</replaceable></term>
+ <listitem>
+ <para>
+ Sets the date on which the key is to be retired. After that
+ date, the key will still be included in the zone, but it
+ will not be used to sign it.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-D <replaceable class="parameter">date/offset</replaceable></term>
+ <listitem>
+ <para>
+ Sets the date on which the key is to be deleted. After that
+ date, the key will no longer be included in the zone. (It
+ may remain in the key repository, however.)
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-i <replaceable class="parameter">interval</replaceable></term>
+ <listitem>
+ <para>
+ Sets the prepublication interval for a key. If set, then
+ the publication and activation dates must be separated by at least
+ this much time. If the activation date is specified but the
+ publication date isn't, then the publication date will default
+ to this much time before the activation date; conversely, if
+ the publication date is specified but activation date isn't,
+ then activation will be set to this much time after publication.
+ </para>
+ <para>
+ If the key is being created as an explicit successor to another
+ key, then the default prepublication interval is 30 days;
+ otherwise it is zero.
+ </para>
+ <para>
+ As with date offsets, if the argument is followed by one of
+ the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
+ interval is measured in years, months, weeks, days, hours,
+ or minutes, respectively. Without a suffix, the interval is
+ measured in seconds.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ </variablelist>
+ </refsect1>
+
+
+ <refsect1>
<title>GENERATED KEYS</title>
<para>
When <command>dnssec-keygen</command> completes
diff --git a/contrib/bind9/bin/dnssec/dnssec-keygen.html b/contrib/bind9/bin/dnssec/dnssec-keygen.html
index 70b881ef4d73..3bdfa0739f2c 100644
--- a/contrib/bind9/bin/dnssec/dnssec-keygen.html
+++ b/contrib/bind9/bin/dnssec/dnssec-keygen.html
@@ -29,14 +29,15 @@
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code> {-a <em class="replaceable"><code>algorithm</code></em>} {-b <em class="replaceable"><code>keysize</code></em>} {-n <em class="replaceable"><code>nametype</code></em>} [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-e</code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k</code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {name}</p></div>
+<div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code> [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-3</code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-C</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-e</code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-k</code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-q</code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-S <em class="replaceable"><code>key</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code 
class="option">-z</code>] {name}</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543486"></a><h2>DESCRIPTION</h2>
+<a name="id2543582"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-keygen</strong></span>
generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
and RFC 4034. It can also generate keys for use with
- TSIG (Transaction Signatures), as defined in RFC 2845.
+ TSIG (Transaction Signatures) as defined in RFC 2845, or TKEY
+ (Transaction Key) as defined in RFC 2930.
</p>
<p>
The <code class="option">name</code> of the key is specified on the command
@@ -45,37 +46,58 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543505"></a><h2>OPTIONS</h2>
+<a name="id2543601"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd>
<p>
Selects the cryptographic algorithm. For DNSSEC keys, the value
of <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
- DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256 or RSASHA512.
- For TSIG/TKEY, the value must
+ DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
+ ECDSAP256SHA256 or ECDSAP384SHA384.
+ For TSIG/TKEY, the value must
be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224,
HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512. These values are
case insensitive.
</p>
<p>
+ If no algorithm is specified, then RSASHA1 will be used by
+ default, unless the <code class="option">-3</code> option is specified,
+ in which case NSEC3RSASHA1 will be used instead. (If
+ <code class="option">-3</code> is used and an algorithm is specified,
+ that algorithm will be checked for compatibility with NSEC3.)
+ </p>
+<p>
Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
algorithm, and DSA is recommended. For TSIG, HMAC-MD5 is
mandatory.
</p>
<p>
- Note 2: HMAC-MD5 and DH automatically set the -k flag.
+ Note 2: DH, HMAC-MD5, and HMAC-SHA1 through HMAC-SHA512
+ automatically set the -T KEY option.
</p>
</dd>
<dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
-<dd><p>
+<dd>
+<p>
Specifies the number of bits in the key. The choice of key
size depends on the algorithm used. RSA keys must be
between 512 and 2048 bits. Diffie Hellman keys must be between
128 and 4096 bits. DSA keys must be between 512 and 1024
bits and an exact multiple of 64. HMAC keys must be
- between 1 and 512 bits.
- </p></dd>
+ between 1 and 512 bits. Elliptic curve algorithms don't need
+ this parameter.
+ </p>
+<p>
+ The key size does not need to be specified if using a default
+ algorithm. The default key size is 1024 bits for zone signing
+ keys (ZSK's) and 2048 bits for key signing keys (KSK's,
+ generated with <code class="option">-f KSK</code>). However, if an
+ algorithm is explicitly specified with the <code class="option">-a</code>,
+ then there is no default key size, and the <code class="option">-b</code>
+ must be used.
+ </p>
+</dd>
<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
<dd><p>
Specifies the owner type of the key. The value of
@@ -86,11 +108,37 @@
These values are case insensitive. Defaults to ZONE for DNSKEY
generation.
</p></dd>
+<dt><span class="term">-3</span></dt>
+<dd><p>
+ Use an NSEC3-capable algorithm to generate a DNSSEC key.
+ If this option is used and no algorithm is explicitly
+ set on the command line, NSEC3RSASHA1 will be used by
+ default. Note that RSASHA256, RSASHA512, ECCGOST,
+ ECDSAP256SHA256 and ECDSAP384SHA384 algorithms
+ are NSEC3-capable.
+ </p></dd>
+<dt><span class="term">-C</span></dt>
+<dd><p>
+ Compatibility mode: generates an old-style key, without
+ any metadata. By default, <span><strong class="command">dnssec-keygen</strong></span>
+ will include the key's creation date in the metadata stored
+ with the private key, and other dates may be set there as well
+ (publication date, activation date, etc). Keys that include
+ this data may be incompatible with older versions of BIND; the
+ <code class="option">-C</code> option suppresses them.
+ </p></dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>
Indicates that the DNS record containing the key should have
the specified class. If not specified, class IN is used.
</p></dd>
+<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
+<dd><p>
+ Uses a crypto hardware (OpenSSL engine) for random number
+ and, when supported, key generation. When compiled with PKCS#11
+ support it defaults to pkcs11; the empty name resets it to
+ no engine.
+ </p></dd>
<dt><span class="term">-e</span></dt>
<dd><p>
If generating an RSAMD5/RSASHA1 key, use a large exponent.
@@ -98,7 +146,12 @@
<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
<dd><p>
Set the specified flag in the flag field of the KEY/DNSKEY record.
- The only recognized flag is KSK (Key Signing Key) DNSKEY.
+ The only recognized flags are KSK (Key Signing Key) and REVOKE.
+ </p></dd>
+<dt><span class="term">-G</span></dt>
+<dd><p>
+ Generate a key, but do not publish it or sign with it. This
+ option is incompatible with -P and -A.
</p></dd>
<dt><span class="term">-g <em class="replaceable"><code>generator</code></em></span></dt>
<dd><p>
@@ -112,9 +165,13 @@
Prints a short summary of the options and arguments to
<span><strong class="command">dnssec-keygen</strong></span>.
</p></dd>
+<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
+<dd><p>
+ Sets the directory in which the key files are to be written.
+ </p></dd>
<dt><span class="term">-k</span></dt>
<dd><p>
- Generate KEY records rather than DNSKEY records.
+ Deprecated in favor of -T KEY.
</p></dd>
<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
<dd><p>
@@ -123,6 +180,20 @@
Other possible values for this argument are listed in
RFC 2535 and its successors.
</p></dd>
+<dt><span class="term">-q</span></dt>
+<dd><p>
+ Quiet mode: Suppresses unnecessary output, including
+ progress indication. Without this option, when
+ <span><strong class="command">dnssec-keygen</strong></span> is run interactively
+ to generate an RSA or DSA key pair, it will print a string
+ of symbols to <code class="filename">stderr</code> indicating the
+ progress of the key generation. A '.' indicates that a
+ random number has been found which passed an initial
+ sieve test; '+' means a number has passed a single
+ round of the Miller-Rabin primality test; a space
+ means that the number has passed all the tests and is
+ a satisfactory key.
+ </p></dd>
<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
<dd><p>
Specifies the source of randomness. If the operating
@@ -135,12 +206,37 @@
<code class="filename">keyboard</code> indicates that keyboard
input should be used.
</p></dd>
+<dt><span class="term">-S <em class="replaceable"><code>key</code></em></span></dt>
+<dd><p>
+ Create a new key which is an explicit successor to an
+ existing key. The name, algorithm, size, and type of the
+ key will be set to match the existing key. The activation
+ date of the new key will be set to the inactivation date of
+ the existing one. The publication date will be set to the
+ activation date minus the prepublication interval, which
+ defaults to 30 days.
+ </p></dd>
<dt><span class="term">-s <em class="replaceable"><code>strength</code></em></span></dt>
<dd><p>
Specifies the strength value of the key. The strength is
a number between 0 and 15, and currently has no defined
purpose in DNSSEC.
</p></dd>
+<dt><span class="term">-T <em class="replaceable"><code>rrtype</code></em></span></dt>
+<dd>
+<p>
+ Specifies the resource record type to use for the key.
+ <code class="option">rrtype</code> must be either DNSKEY or KEY. The
+ default is DNSKEY when using a DNSSEC algorithm, but it can be
+ overridden to KEY for use with SIG(0).
+ </p>
+<p>
+ </p>
+<p>
+ Using any TSIG algorithm (HMAC-* or DH) forces this option
+ to KEY.
+ </p>
+</dd>
<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
<dd><p>
Indicates the use of the key. <code class="option">type</code> must be
@@ -155,7 +251,78 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543840"></a><h2>GENERATED KEYS</h2>
+<a name="id2544169"></a><h2>TIMING OPTIONS</h2>
+<p>
+ Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
+ If the argument begins with a '+' or '-', it is interpreted as
+ an offset from the present time. For convenience, if such an offset
+ is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
+ then the offset is computed in years (defined as 365 24-hour days,
+ ignoring leap years), months (defined as 30 24-hour days), weeks,
+ days, hours, or minutes, respectively. Without a suffix, the offset
+ is computed in seconds.
+ </p>
+<div class="variablelist"><dl>
+<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
+<dd><p>
+ Sets the date on which a key is to be published to the zone.
+ After that date, the key will be included in the zone but will
+ not be used to sign it. If not set, and if the -G option has
+ not been used, the default is "now".
+ </p></dd>
+<dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
+<dd><p>
+ Sets the date on which the key is to be activated. After that
+ date, the key will be included in the zone and used to sign
+ it. If not set, and if the -G option has not been used, the
+ default is "now".
+ </p></dd>
+<dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
+<dd><p>
+ Sets the date on which the key is to be revoked. After that
+ date, the key will be flagged as revoked. It will be included
+ in the zone and will be used to sign it.
+ </p></dd>
+<dt><span class="term">-I <em class="replaceable"><code>date/offset</code></em></span></dt>
+<dd><p>
+ Sets the date on which the key is to be retired. After that
+ date, the key will still be included in the zone, but it
+ will not be used to sign it.
+ </p></dd>
+<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
+<dd><p>
+ Sets the date on which the key is to be deleted. After that
+ date, the key will no longer be included in the zone. (It
+ may remain in the key repository, however.)
+ </p></dd>
+<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
+<dd>
+<p>
+ Sets the prepublication interval for a key. If set, then
+ the publication and activation dates must be separated by at least
+ this much time. If the activation date is specified but the
+ publication date isn't, then the publication date will default
+ to this much time before the activation date; conversely, if
+ the publication date is specified but activation date isn't,
+ then activation will be set to this much time after publication.
+ </p>
+<p>
+ If the key is being created as an explicit successor to another
+ key, then the default prepublication interval is 30 days;
+ otherwise it is zero.
+ </p>
+<p>
+ As with date offsets, if the argument is followed by one of
+ the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
+ interval is measured in years, months, weeks, days, hours,
+ or minutes, respectively. Without a suffix, the interval is
+ measured in seconds.
+ </p>
+</dd>
+</dl></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2544359"></a><h2>GENERATED KEYS</h2>
<p>
When <span><strong class="command">dnssec-keygen</strong></span> completes
successfully,
@@ -201,7 +368,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543922"></a><h2>EXAMPLE</h2>
+<a name="id2544441"></a><h2>EXAMPLE</h2>
<p>
To generate a 768-bit DSA key for the domain
<strong class="userinput"><code>example.com</code></strong>, the following command would be
@@ -222,7 +389,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2544034"></a><h2>SEE ALSO</h2>
+<a name="id2544485"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 2539</em>,
@@ -231,7 +398,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2544065"></a><h2>AUTHOR</h2>
+<a name="id2544584"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
diff --git a/contrib/bind9/bin/dnssec/dnssec-revoke.8 b/contrib/bind9/bin/dnssec/dnssec-revoke.8
new file mode 100644
index 000000000000..2af719e249df
--- /dev/null
+++ b/contrib/bind9/bin/dnssec/dnssec-revoke.8
@@ -0,0 +1,88 @@
+.\" Copyright (C) 2009, 2011 Internet Systems Consortium, Inc. ("ISC")
+.\"
+.\" Permission to use, copy, modify, and/or distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+.\" PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\" $Id$
+.\"
+.hy 0
+.ad l
+.\" Title: dnssec\-revoke
+.\" Author:
+.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
+.\" Date: June 1, 2009
+.\" Manual: BIND9
+.\" Source: BIND9
+.\"
+.TH "DNSSEC\-REVOKE" "8" "June 1, 2009" "BIND9" "BIND9"
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.SH "NAME"
+dnssec\-revoke \- Set the REVOKED bit on a DNSSEC key
+.SH "SYNOPSIS"
+.HP 14
+\fBdnssec\-revoke\fR [\fB\-hr\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-f\fR] [\fB\-R\fR] {keyfile}
+.SH "DESCRIPTION"
+.PP
+\fBdnssec\-revoke\fR
+reads a DNSSEC key file, sets the REVOKED bit on the key as defined in RFC 5011, and creates a new pair of key files containing the now\-revoked key.
+.SH "OPTIONS"
+.PP
+\-h
+.RS 4
+Emit usage message and exit.
+.RE
+.PP
+\-K \fIdirectory\fR
+.RS 4
+Sets the directory in which the key files are to reside.
+.RE
+.PP
+\-r
+.RS 4
+After writing the new keyset files remove the original keyset files.
+.RE
+.PP
+\-v \fIlevel\fR
+.RS 4
+Sets the debugging level.
+.RE
+.PP
+\-E \fIengine\fR
+.RS 4
+Use the given OpenSSL engine. When compiled with PKCS#11 support it defaults to pkcs11; the empty name resets it to no engine.
+.RE
+.PP
+\-f
+.RS 4
+Force overwrite: Causes
+\fBdnssec\-revoke\fR
+to write the new key pair even if a file already exists matching the algorithm and key ID of the revoked key.
+.RE
+.PP
+\-R
+.RS 4
+Print the key tag of the key with the REVOKE bit set but do not revoke the key.
+.RE
+.SH "SEE ALSO"
+.PP
+\fBdnssec\-keygen\fR(8),
+BIND 9 Administrator Reference Manual,
+RFC 5011.
+.SH "AUTHOR"
+.PP
+Internet Systems Consortium
+.SH "COPYRIGHT"
+Copyright \(co 2009, 2011 Internet Systems Consortium, Inc. ("ISC")
+.br
diff --git a/contrib/bind9/bin/dnssec/dnssec-revoke.c b/contrib/bind9/bin/dnssec/dnssec-revoke.c
new file mode 100644
index 000000000000..8346f1c91182
--- /dev/null
+++ b/contrib/bind9/bin/dnssec/dnssec-revoke.c
@@ -0,0 +1,277 @@
+/*
+ * Copyright (C) 2009-2011 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: dnssec-revoke.c,v 1.22.124.2 2011/10/20 23:46:27 tbox Exp $ */
+
+/*! \file */
+
+#include <config.h>
+
+#include <libgen.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+#include <isc/buffer.h>
+#include <isc/commandline.h>
+#include <isc/entropy.h>
+#include <isc/file.h>
+#include <isc/hash.h>
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dns/keyvalues.h>
+#include <dns/result.h>
+
+#include <dst/dst.h>
+
+#include "dnssectool.h"
+
+const char *program = "dnssec-revoke";
+int verbose;
+
+static isc_mem_t *mctx = NULL;
+
+ISC_PLATFORM_NORETURN_PRE static void
+usage(void) ISC_PLATFORM_NORETURN_POST;
+
+static void
+usage(void) {
+ fprintf(stderr, "Usage:\n");
+ fprintf(stderr, " %s [options] keyfile\n\n", program);
+ fprintf(stderr, "Version: %s\n", VERSION);
+#ifdef USE_PKCS11
+ fprintf(stderr, " -E engine: specify OpenSSL engine "
+ "(default \"pkcs11\")\n");
+#else
+ fprintf(stderr, " -E engine: specify OpenSSL engine\n");
+#endif
+ fprintf(stderr, " -f: force overwrite\n");
+ fprintf(stderr, " -K directory: use directory for key files\n");
+ fprintf(stderr, " -h: help\n");
+ fprintf(stderr, " -r: remove old keyfiles after "
+ "creating revoked version\n");
+ fprintf(stderr, " -v level: set level of verbosity\n");
+ fprintf(stderr, "Output:\n");
+ fprintf(stderr, " K<name>+<alg>+<new id>.key, "
+ "K<name>+<alg>+<new id>.private\n");
+
+ exit (-1);
+}
+
+int
+main(int argc, char **argv) {
+ isc_result_t result;
+#ifdef USE_PKCS11
+ const char *engine = "pkcs11";
+#else
+ const char *engine = NULL;
+#endif
+ char *filename = NULL, *dir = NULL;
+ char newname[1024], oldname[1024];
+ char keystr[DST_KEY_FORMATSIZE];
+ char *endp;
+ int ch;
+ isc_entropy_t *ectx = NULL;
+ dst_key_t *key = NULL;
+ isc_uint32_t flags;
+ isc_buffer_t buf;
+ isc_boolean_t force = ISC_FALSE;
+ isc_boolean_t remove = ISC_FALSE;
+ isc_boolean_t id = ISC_FALSE;
+
+ if (argc == 1)
+ usage();
+
+ result = isc_mem_create(0, 0, &mctx);
+ if (result != ISC_R_SUCCESS)
+ fatal("Out of memory");
+
+ dns_result_register();
+
+ isc_commandline_errprint = ISC_FALSE;
+
+ while ((ch = isc_commandline_parse(argc, argv, "E:fK:rRhv:")) != -1) {
+ switch (ch) {
+ case 'E':
+ engine = isc_commandline_argument;
+ break;
+ case 'f':
+ force = ISC_TRUE;
+ break;
+ case 'K':
+ /*
+ * We don't have to copy it here, but do it to
+ * simplify cleanup later
+ */
+ dir = isc_mem_strdup(mctx, isc_commandline_argument);
+ if (dir == NULL) {
+ fatal("Failed to allocate memory for "
+ "directory");
+ }
+ break;
+ case 'r':
+ remove = ISC_TRUE;
+ break;
+ case 'R':
+ id = ISC_TRUE;
+ break;
+ case 'v':
+ verbose = strtol(isc_commandline_argument, &endp, 0);
+ if (*endp != '\0')
+ fatal("-v must be followed by a number");
+ break;
+ case '?':
+ if (isc_commandline_option != '?')
+ fprintf(stderr, "%s: invalid argument -%c\n",
+ program, isc_commandline_option);
+ /* Falls into */
+ case 'h':
+ usage();
+
+ default:
+ fprintf(stderr, "%s: unhandled option -%c\n",
+ program, isc_commandline_option);
+ exit(1);
+ }
+ }
+
+ if (argc < isc_commandline_index + 1 ||
+ argv[isc_commandline_index] == NULL)
+ fatal("The key file name was not specified");
+ if (argc > isc_commandline_index + 1)
+ fatal("Extraneous arguments");
+
+ if (dir != NULL) {
+ filename = argv[isc_commandline_index];
+ } else {
+ result = isc_file_splitpath(mctx, argv[isc_commandline_index],
+ &dir, &filename);
+ if (result != ISC_R_SUCCESS)
+ fatal("cannot process filename %s: %s",
+ argv[isc_commandline_index],
+ isc_result_totext(result));
+ if (strcmp(dir, ".") == 0) {
+ isc_mem_free(mctx, dir);
+ dir = NULL;
+ }
+ }
+
+ if (ectx == NULL)
+ setup_entropy(mctx, NULL, &ectx);
+ result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
+ if (result != ISC_R_SUCCESS)
+ fatal("Could not initialize hash");
+ result = dst_lib_init2(mctx, ectx, engine,
+ ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY);
+ if (result != ISC_R_SUCCESS)
+ fatal("Could not initialize dst: %s",
+ isc_result_totext(result));
+ isc_entropy_stopcallbacksources(ectx);
+
+ result = dst_key_fromnamedfile(filename, dir,
+ DST_TYPE_PUBLIC|DST_TYPE_PRIVATE,
+ mctx, &key);
+ if (result != ISC_R_SUCCESS)
+ fatal("Invalid keyfile name %s: %s",
+ filename, isc_result_totext(result));
+
+ if (id) {
+ fprintf(stdout, "%u\n", dst_key_rid(key));
+ goto cleanup;
+ }
+ dst_key_format(key, keystr, sizeof(keystr));
+
+ if (verbose > 2)
+ fprintf(stderr, "%s: %s\n", program, keystr);
+
+ if (force)
+ set_keyversion(key);
+ else
+ check_keyversion(key, keystr);
+
+
+ flags = dst_key_flags(key);
+ if ((flags & DNS_KEYFLAG_REVOKE) == 0) {
+ isc_stdtime_t now;
+
+ if ((flags & DNS_KEYFLAG_KSK) == 0)
+ fprintf(stderr, "%s: warning: Key is not flagged "
+ "as a KSK. Revoking a ZSK is "
+ "legal, but undefined.\n",
+ program);
+
+ isc_stdtime_get(&now);
+ dst_key_settime(key, DST_TIME_REVOKE, now);
+
+ dst_key_setflags(key, flags | DNS_KEYFLAG_REVOKE);
+
+ isc_buffer_init(&buf, newname, sizeof(newname));
+ dst_key_buildfilename(key, DST_TYPE_PUBLIC, dir, &buf);
+
+ if (access(newname, F_OK) == 0 && !force) {
+ fatal("Key file %s already exists; "
+ "use -f to force overwrite", newname);
+ }
+
+ result = dst_key_tofile(key, DST_TYPE_PUBLIC|DST_TYPE_PRIVATE,
+ dir);
+ if (result != ISC_R_SUCCESS) {
+ dst_key_format(key, keystr, sizeof(keystr));
+ fatal("Failed to write key %s: %s", keystr,
+ isc_result_totext(result));
+ }
+
+ isc_buffer_clear(&buf);
+ dst_key_buildfilename(key, 0, dir, &buf);
+ printf("%s\n", newname);
+
+ /*
+ * Remove old key file, if told to (and if
+ * it isn't the same as the new file)
+ */
+ if (remove && dst_key_alg(key) != DST_ALG_RSAMD5) {
+ isc_buffer_init(&buf, oldname, sizeof(oldname));
+ dst_key_setflags(key, flags & ~DNS_KEYFLAG_REVOKE);
+ dst_key_buildfilename(key, DST_TYPE_PRIVATE, dir, &buf);
+ if (strcmp(oldname, newname) == 0)
+ goto cleanup;
+ if (access(oldname, F_OK) == 0)
+ unlink(oldname);
+ isc_buffer_clear(&buf);
+ dst_key_buildfilename(key, DST_TYPE_PUBLIC, dir, &buf);
+ if (access(oldname, F_OK) == 0)
+ unlink(oldname);
+ }
+ } else {
+ dst_key_format(key, keystr, sizeof(keystr));
+ fatal("Key %s is already revoked", keystr);
+ }
+
+cleanup:
+ dst_key_free(&key);
+ dst_lib_destroy();
+ isc_hash_destroy();
+ cleanup_entropy(&ectx);
+ if (verbose > 10)
+ isc_mem_stats(mctx, stdout);
+ if (dir != NULL)
+ isc_mem_free(mctx, dir);
+ isc_mem_destroy(&mctx);
+
+ return (0);
+}
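Review bot: In the `-r` branch at the end of main(), the results of `unlink()` and of the `dst_key_buildfilename()` calls are discarded, so a failure to delete the old, unrevoked key files is silent and the program still returns 0. For a revocation tool this means the operator gets no signal while the pre-revocation private key file stays in the key directory. If `dst_key_buildfilename()` can fail (its definition is not in this hunk; presumably it returns an isc_result_t like the other dst_ calls, for instance when the path does not fit the 1024-byte buffer), `oldname` is also passed to `access()`/`unlink()` without having been filled in. Checking both results and calling `fatal()` closes this; the same unchecked `dst_key_buildfilename()` call precedes the `access(newname, F_OK)` overwrite check earlier in the function.

```c
	if (remove && dst_key_alg(key) != DST_ALG_RSAMD5) {
		/* … unchanged: buffer init on oldname, REVOKE flag cleared … */
		result = dst_key_buildfilename(key, DST_TYPE_PRIVATE, dir, &buf);
		if (result != ISC_R_SUCCESS)
			fatal("Cannot build old key file name: %s",
			      isc_result_totext(result));
		/* … unchanged: strcmp(oldname, newname) shortcut … */
		if (access(oldname, F_OK) == 0 && unlink(oldname) != 0)
			fatal("Failed to remove old key file %s", oldname);
		/* … unchanged: isc_buffer_clear(&buf) … */
		result = dst_key_buildfilename(key, DST_TYPE_PUBLIC, dir, &buf);
		if (result != ISC_R_SUCCESS)
			fatal("Cannot build old key file name: %s",
			      isc_result_totext(result));
		if (access(oldname, F_OK) == 0 && unlink(oldname) != 0)
			fatal("Failed to remove old key file %s", oldname);
	}
```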
diff --git a/contrib/bind9/bin/dnssec/dnssec-revoke.docbook b/contrib/bind9/bin/dnssec/dnssec-revoke.docbook
new file mode 100644
index 000000000000..99518bb2f2fa
--- /dev/null
+++ b/contrib/bind9/bin/dnssec/dnssec-revoke.docbook
@@ -0,0 +1,161 @@
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
+ [<!ENTITY mdash "&#8212;">]>
+<!--
+ - Copyright (C) 2009, 2011 Internet Systems Consortium, Inc. ("ISC")
+ -
+ - Permission to use, copy, modify, and/or distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: dnssec-revoke.docbook,v 1.7.266.2 2011/10/20 23:46:27 tbox Exp $ -->
+<refentry id="man.dnssec-revoke">
+ <refentryinfo>
+ <date>June 1, 2009</date>
+ </refentryinfo>
+
+ <refmeta>
+ <refentrytitle><application>dnssec-revoke</application></refentrytitle>
+ <manvolnum>8</manvolnum>
+ <refmiscinfo>BIND9</refmiscinfo>
+ </refmeta>
+
+ <refnamediv>
+ <refname><application>dnssec-revoke</application></refname>
+ <refpurpose>Set the REVOKED bit on a DNSSEC key</refpurpose>
+ </refnamediv>
+
+ <docinfo>
+ <copyright>
+ <year>2009</year>
+ <year>2011</year>
+ <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
+ </copyright>
+ </docinfo>
+
+ <refsynopsisdiv>
+ <cmdsynopsis>
+ <command>dnssec-revoke</command>
+ <arg><option>-hr</option></arg>
+ <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
+ <arg><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
+ <arg><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
+ <arg><option>-f</option></arg>
+ <arg><option>-R</option></arg>
+ <arg choice="req">keyfile</arg>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsect1>
+ <title>DESCRIPTION</title>
+ <para><command>dnssec-revoke</command>
+ reads a DNSSEC key file, sets the REVOKED bit on the key as defined
+ in RFC 5011, and creates a new pair of key files containing the
+ now-revoked key.
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>OPTIONS</title>
+
+ <variablelist>
+ <varlistentry>
+ <term>-h</term>
+ <listitem>
+ <para>
+ Emit usage message and exit.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-K <replaceable class="parameter">directory</replaceable></term>
+ <listitem>
+ <para>
+ Sets the directory in which the key files are to reside.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-r</term>
+ <listitem>
+ <para>
+ After writing the new keyset files remove the original keyset
+ files.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-v <replaceable class="parameter">level</replaceable></term>
+ <listitem>
+ <para>
+ Sets the debugging level.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-E <replaceable class="parameter">engine</replaceable></term>
+ <listitem>
+ <para>
+ Use the given OpenSSL engine. When compiled with PKCS#11 support
+ it defaults to pkcs11; the empty name resets it to no engine.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-f</term>
+ <listitem>
+ <para>
+ Force overwrite: Causes <command>dnssec-revoke</command> to
+ write the new key pair even if a file already exists matching
+ the algorithm and key ID of the revoked key.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-R</term>
+ <listitem>
+ <para>
+ Print the key tag of the key with the REVOKE bit set but do
+ not revoke the key.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect1>
+
+ <refsect1>
+ <title>SEE ALSO</title>
+ <para><citerefentry>
+ <refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
+ <citetitle>RFC 5011</citetitle>.
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>AUTHOR</title>
+ <para><corpauthor>Internet Systems Consortium</corpauthor>
+ </para>
+ </refsect1>
+
+</refentry><!--
+ - Local variables:
+ - mode: sgml
+ - End:
+-->
diff --git a/contrib/bind9/bin/dnssec/dnssec-revoke.html b/contrib/bind9/bin/dnssec/dnssec-revoke.html
new file mode 100644
index 000000000000..b3b71b961cf4
--- /dev/null
+++ b/contrib/bind9/bin/dnssec/dnssec-revoke.html
@@ -0,0 +1,92 @@
+<!--
+ - Copyright (C) 2009, 2011 Internet Systems Consortium, Inc. ("ISC")
+ -
+ - Permission to use, copy, modify, and/or distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+<!-- $Id$ -->
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>dnssec-revoke</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
+<a name="man.dnssec-revoke"></a><div class="titlepage"></div>
+<div class="refnamediv">
+<h2>Name</h2>
+<p><span class="application">dnssec-revoke</span> &#8212; Set the REVOKED bit on a DNSSEC key</p>
+</div>
+<div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+<div class="cmdsynopsis"><p><code class="command">dnssec-revoke</code> [<code class="option">-hr</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f</code>] [<code class="option">-R</code>] {keyfile}</p></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543382"></a><h2>DESCRIPTION</h2>
+<p><span><strong class="command">dnssec-revoke</strong></span>
+ reads a DNSSEC key file, sets the REVOKED bit on the key as defined
+ in RFC 5011, and creates a new pair of key files containing the
+ now-revoked key.
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543394"></a><h2>OPTIONS</h2>
+<div class="variablelist"><dl>
+<dt><span class="term">-h</span></dt>
+<dd><p>
+ Emit usage message and exit.
+ </p></dd>
+<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
+<dd><p>
+ Sets the directory in which the key files are to reside.
+ </p></dd>
+<dt><span class="term">-r</span></dt>
+<dd><p>
+ After writing the new keyset files remove the original keyset
+ files.
+ </p></dd>
+<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
+<dd><p>
+ Sets the debugging level.
+ </p></dd>
+<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
+<dd><p>
+ Use the given OpenSSL engine. When compiled with PKCS#11 support
+ it defaults to pkcs11; the empty name resets it to no engine.
+ </p></dd>
+<dt><span class="term">-f</span></dt>
+<dd><p>
+ Force overwrite: Causes <span><strong class="command">dnssec-revoke</strong></span> to
+ write the new key pair even if a file already exists matching
+ the algorithm and key ID of the revoked key.
+ </p></dd>
+<dt><span class="term">-R</span></dt>
+<dd><p>
+ Print the key tag of the key with the REVOKE bit set but do
+ not revoke the key.
+ </p></dd>
+</dl></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543512"></a><h2>SEE ALSO</h2>
+<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
+ <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
+ <em class="citetitle">RFC 5011</em>.
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543537"></a><h2>AUTHOR</h2>
+<p><span class="corpauthor">Internet Systems Consortium</span>
+ </p>
+</div>
+</div></body>
+</html>
diff --git a/contrib/bind9/bin/dnssec/dnssec-settime.8 b/contrib/bind9/bin/dnssec/dnssec-settime.8
new file mode 100644
index 000000000000..8a5e2e789005
--- /dev/null
+++ b/contrib/bind9/bin/dnssec/dnssec-settime.8
@@ -0,0 +1,166 @@
+.\" Copyright (C) 2009-2011 Internet Systems Consortium, Inc. ("ISC")
+.\"
+.\" Permission to use, copy, modify, and/or distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+.\" PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\" $Id$
+.\"
+.hy 0
+.ad l
+.\" Title: dnssec\-settime
+.\" Author:
+.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
+.\" Date: July 15, 2009
+.\" Manual: BIND9
+.\" Source: BIND9
+.\"
+.TH "DNSSEC\-SETTIME" "8" "July 15, 2009" "BIND9" "BIND9"
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.SH "NAME"
+dnssec\-settime \- Set the key timing metadata for a DNSSEC key
+.SH "SYNOPSIS"
+.HP 15
+\fBdnssec\-settime\fR [\fB\-f\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-h\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] {keyfile}
+.SH "DESCRIPTION"
+.PP
+\fBdnssec\-settime\fR
+reads a DNSSEC private key file and sets the key timing metadata as specified by the
+\fB\-P\fR,
+\fB\-A\fR,
+\fB\-R\fR,
+\fB\-I\fR, and
+\fB\-D\fR
+options. The metadata can then be used by
+\fBdnssec\-signzone\fR
+or other signing software to determine when a key is to be published, whether it should be used for signing a zone, etc.
+.PP
+If none of these options is set on the command line, then
+\fBdnssec\-settime\fR
+simply prints the key timing metadata already stored in the key.
+.PP
+When key metadata fields are changed, both files of a key pair (\fIKnnnn.+aaa+iiiii.key\fR
+and
+\fIKnnnn.+aaa+iiiii.private\fR) are regenerated. Metadata fields are stored in the private file. A human\-readable description of the metadata is also placed in comments in the key file. The private file's permissions are always set to be inaccessible to anyone other than the owner (mode 0600).
+.SH "OPTIONS"
+.PP
+\-f
+.RS 4
+Force an update of an old\-format key with no metadata fields. Without this option,
+\fBdnssec\-settime\fR
+will fail when attempting to update a legacy key. With this option, the key will be recreated in the new format, but with the original key data retained. The key's creation date will be set to the present time. If no other values are specified, then the key's publication and activation dates will also be set to the present time.
+.RE
+.PP
+\-K \fIdirectory\fR
+.RS 4
+Sets the directory in which the key files are to reside.
+.RE
+.PP
+\-h
+.RS 4
+Emit usage message and exit.
+.RE
+.PP
+\-v \fIlevel\fR
+.RS 4
+Sets the debugging level.
+.RE
+.PP
+\-E \fIengine\fR
+.RS 4
+Use the given OpenSSL engine. When compiled with PKCS#11 support it defaults to pkcs11; the empty name resets it to no engine.
+.RE
+.SH "TIMING OPTIONS"
+.PP
+Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '\-', it is interpreted as an offset from the present time. For convenience, if such an offset is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the offset is computed in years (defined as 365 24\-hour days, ignoring leap years), months (defined as 30 24\-hour days), weeks, days, hours, or minutes, respectively. Without a suffix, the offset is computed in seconds. To unset a date, use 'none'.
+.PP
+\-P \fIdate/offset\fR
+.RS 4
+Sets the date on which a key is to be published to the zone. After that date, the key will be included in the zone but will not be used to sign it.
+.RE
+.PP
+\-A \fIdate/offset\fR
+.RS 4
+Sets the date on which the key is to be activated. After that date, the key will be included in the zone and used to sign it.
+.RE
+.PP
+\-R \fIdate/offset\fR
+.RS 4
+Sets the date on which the key is to be revoked. After that date, the key will be flagged as revoked. It will be included in the zone and will be used to sign it.
+.RE
+.PP
+\-I \fIdate/offset\fR
+.RS 4
+Sets the date on which the key is to be retired. After that date, the key will still be included in the zone, but it will not be used to sign it.
+.RE
+.PP
+\-D \fIdate/offset\fR
+.RS 4
+Sets the date on which the key is to be deleted. After that date, the key will no longer be included in the zone. (It may remain in the key repository, however.)
+.RE
+.PP
+\-S \fIpredecessor key\fR
+.RS 4
+Select a key for which the key being modified will be an explicit successor. The name, algorithm, size, and type of the predecessor key must exactly match those of the key being modified. The activation date of the successor key will be set to the inactivation date of the predecessor. The publication date will be set to the activation date minus the prepublication interval, which defaults to 30 days.
+.RE
+.PP
+\-i \fIinterval\fR
+.RS 4
+Sets the prepublication interval for a key. If set, then the publication and activation dates must be separated by at least this much time. If the activation date is specified but the publication date isn't, then the publication date will default to this much time before the activation date; conversely, if the publication date is specified but activation date isn't, then activation will be set to this much time after publication.
+.sp
+If the key is being set to be an explicit successor to another key, then the default prepublication interval is 30 days; otherwise it is zero.
+.sp
+As with date offsets, if the argument is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the interval is measured in years, months, weeks, days, hours, or minutes, respectively. Without a suffix, the interval is measured in seconds.
+.RE
+.SH "PRINTING OPTIONS"
+.PP
+\fBdnssec\-settime\fR
+can also be used to print the timing metadata associated with a key.
+.PP
+\-u
+.RS 4
+Print times in UNIX epoch format.
+.RE
+.PP
+\-p \fIC/P/A/R/I/D/all\fR
+.RS 4
+Print a specific metadata value or set of metadata values. The
+\fB\-p\fR
+option may be followed by one or more of the following letters to indicate which value or values to print:
+\fBC\fR
+for the creation date,
+\fBP\fR
+for the publication date,
+\fBA\fR
+for the activation date,
+\fBR\fR
+for the revocation date,
+\fBI\fR
+for the inactivation date, or
+\fBD\fR
+for the deletion date. To print all of the metadata, use
+\fB\-p all\fR.
+.RE
+.SH "SEE ALSO"
+.PP
+\fBdnssec\-keygen\fR(8),
+\fBdnssec\-signzone\fR(8),
+BIND 9 Administrator Reference Manual,
+RFC 5011.
+.SH "AUTHOR"
+.PP
+Internet Systems Consortium
+.SH "COPYRIGHT"
+Copyright \(co 2009\-2011 Internet Systems Consortium, Inc. ("ISC")
+.br
diff --git a/contrib/bind9/bin/dnssec/dnssec-settime.c b/contrib/bind9/bin/dnssec/dnssec-settime.c
new file mode 100644
index 000000000000..f7f4486eefe7
--- /dev/null
+++ b/contrib/bind9/bin/dnssec/dnssec-settime.c
@@ -0,0 +1,590 @@
+/*
+ * Copyright (C) 2009-2012 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: dnssec-settime.c,v 1.28.16.3 2011/06/02 20:24:11 each Exp $ */
+
+/*! \file */
+
+#include <config.h>
+
+#include <libgen.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <errno.h>
+#include <time.h>
+
+#include <isc/buffer.h>
+#include <isc/commandline.h>
+#include <isc/entropy.h>
+#include <isc/file.h>
+#include <isc/hash.h>
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dns/keyvalues.h>
+#include <dns/result.h>
+#include <dns/log.h>
+
+#include <dst/dst.h>
+
+#include "dnssectool.h"
+
+const char *program = "dnssec-settime";
+int verbose;
+
+static isc_mem_t *mctx = NULL;
+
+ISC_PLATFORM_NORETURN_PRE static void
+usage(void) ISC_PLATFORM_NORETURN_POST;
+
+static void
+usage(void) {
+ fprintf(stderr, "Usage:\n");
+ fprintf(stderr, " %s [options] keyfile\n\n", program);
+ fprintf(stderr, "Version: %s\n", VERSION);
+ fprintf(stderr, "General options:\n");
+#ifdef USE_PKCS11
+ fprintf(stderr, " -E engine: specify OpenSSL engine "
+ "(default \"pkcs11\")\n");
+#else
+ fprintf(stderr, " -E engine: specify OpenSSL engine\n");
+#endif
+ fprintf(stderr, " -f: force update of old-style "
+ "keys\n");
+ fprintf(stderr, " -K directory: set key file location\n");
+ fprintf(stderr, " -v level: set level of verbosity\n");
+ fprintf(stderr, " -h: help\n");
+ fprintf(stderr, "Timing options:\n");
+ fprintf(stderr, " -P date/[+-]offset/none: set/unset key "
+ "publication date\n");
+ fprintf(stderr, " -A date/[+-]offset/none: set/unset key "
+ "activation date\n");
+ fprintf(stderr, " -R date/[+-]offset/none: set/unset key "
+ "revocation date\n");
+ fprintf(stderr, " -I date/[+-]offset/none: set/unset key "
+ "inactivation date\n");
+ fprintf(stderr, " -D date/[+-]offset/none: set/unset key "
+ "deletion date\n");
+ fprintf(stderr, "Printing options:\n");
+ fprintf(stderr, " -p C/P/A/R/I/D/all: print a particular time "
+ "value or values\n");
+ fprintf(stderr, " -u: print times in unix epoch "
+ "format\n");
+ fprintf(stderr, "Output:\n");
+ fprintf(stderr, " K<name>+<alg>+<new id>.key, "
+ "K<name>+<alg>+<new id>.private\n");
+
+ exit (-1);
+}
+
+static void
+printtime(dst_key_t *key, int type, const char *tag, isc_boolean_t epoch,
+ FILE *stream)
+{
+ isc_result_t result;
+ const char *output = NULL;
+ isc_stdtime_t when;
+
+ if (tag != NULL)
+ fprintf(stream, "%s: ", tag);
+
+ result = dst_key_gettime(key, type, &when);
+ if (result == ISC_R_NOTFOUND) {
+ fprintf(stream, "UNSET\n");
+ } else if (epoch) {
+ fprintf(stream, "%d\n", (int) when);
+ } else {
+ time_t time = when;
+ output = ctime(&time);
+ fprintf(stream, "%s", output);
+ }
+}
+
+int
+main(int argc, char **argv) {
+ isc_result_t result;
+#ifdef USE_PKCS11
+ const char *engine = "pkcs11";
+#else
+ const char *engine = NULL;
+#endif
+ char *filename = NULL, *directory = NULL;
+ char newname[1024];
+ char keystr[DST_KEY_FORMATSIZE];
+ char *endp, *p;
+ int ch;
+ isc_entropy_t *ectx = NULL;
+ const char *predecessor = NULL;
+ dst_key_t *prevkey = NULL;
+ dst_key_t *key = NULL;
+ isc_buffer_t buf;
+ dns_name_t *name = NULL;
+ dns_secalg_t alg = 0;
+ unsigned int size = 0;
+ isc_uint16_t flags = 0;
+ int prepub = -1;
+ isc_stdtime_t now;
+ isc_stdtime_t pub = 0, act = 0, rev = 0, inact = 0, del = 0;
+ isc_boolean_t setpub = ISC_FALSE, setact = ISC_FALSE;
+ isc_boolean_t setrev = ISC_FALSE, setinact = ISC_FALSE;
+ isc_boolean_t setdel = ISC_FALSE;
+ isc_boolean_t unsetpub = ISC_FALSE, unsetact = ISC_FALSE;
+ isc_boolean_t unsetrev = ISC_FALSE, unsetinact = ISC_FALSE;
+ isc_boolean_t unsetdel = ISC_FALSE;
+ isc_boolean_t printcreate = ISC_FALSE, printpub = ISC_FALSE;
+ isc_boolean_t printact = ISC_FALSE, printrev = ISC_FALSE;
+ isc_boolean_t printinact = ISC_FALSE, printdel = ISC_FALSE;
+ isc_boolean_t force = ISC_FALSE;
+ isc_boolean_t epoch = ISC_FALSE;
+ isc_boolean_t changed = ISC_FALSE;
+ isc_log_t *log = NULL;
+
+ if (argc == 1)
+ usage();
+
+ result = isc_mem_create(0, 0, &mctx);
+ if (result != ISC_R_SUCCESS)
+ fatal("Out of memory");
+
+ setup_logging(verbose, mctx, &log);
+
+ dns_result_register();
+
+ isc_commandline_errprint = ISC_FALSE;
+
+ isc_stdtime_get(&now);
+
+#define CMDLINE_FLAGS "A:D:E:fhI:i:K:P:p:R:S:uv:"
+ while ((ch = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) {
+ switch (ch) {
+ case 'E':
+ engine = isc_commandline_argument;
+ break;
+ case 'f':
+ force = ISC_TRUE;
+ break;
+ case 'p':
+ p = isc_commandline_argument;
+ if (!strcasecmp(p, "all")) {
+ printcreate = ISC_TRUE;
+ printpub = ISC_TRUE;
+ printact = ISC_TRUE;
+ printrev = ISC_TRUE;
+ printinact = ISC_TRUE;
+ printdel = ISC_TRUE;
+ break;
+ }
+
+ do {
+ switch (*p++) {
+ case 'C':
+ printcreate = ISC_TRUE;
+ break;
+ case 'P':
+ printpub = ISC_TRUE;
+ break;
+ case 'A':
+ printact = ISC_TRUE;
+ break;
+ case 'R':
+ printrev = ISC_TRUE;
+ break;
+ case 'I':
+ printinact = ISC_TRUE;
+ break;
+ case 'D':
+ printdel = ISC_TRUE;
+ break;
+ case ' ':
+ break;
+ default:
+ usage();
+ break;
+ }
+ } while (*p != '\0');
+ break;
+ case 'u':
+ epoch = ISC_TRUE;
+ break;
+ case 'K':
+ /*
+ * We don't have to copy it here, but do it to
+ * simplify cleanup later
+ */
+ directory = isc_mem_strdup(mctx,
+ isc_commandline_argument);
+ if (directory == NULL) {
+ fatal("Failed to allocate memory for "
+ "directory");
+ }
+ break;
+ case 'v':
+ verbose = strtol(isc_commandline_argument, &endp, 0);
+ if (*endp != '\0')
+ fatal("-v must be followed by a number");
+ break;
+ case 'P':
+ if (setpub || unsetpub)
+ fatal("-P specified more than once");
+
+ changed = ISC_TRUE;
+ if (!strcasecmp(isc_commandline_argument, "none")) {
+ unsetpub = ISC_TRUE;
+ } else {
+ setpub = ISC_TRUE;
+ pub = strtotime(isc_commandline_argument,
+ now, now);
+ }
+ break;
+ case 'A':
+ if (setact || unsetact)
+ fatal("-A specified more than once");
+
+ changed = ISC_TRUE;
+ if (!strcasecmp(isc_commandline_argument, "none")) {
+ unsetact = ISC_TRUE;
+ } else {
+ setact = ISC_TRUE;
+ act = strtotime(isc_commandline_argument,
+ now, now);
+ }
+ break;
+ case 'R':
+ if (setrev || unsetrev)
+ fatal("-R specified more than once");
+
+ changed = ISC_TRUE;
+ if (!strcasecmp(isc_commandline_argument, "none")) {
+ unsetrev = ISC_TRUE;
+ } else {
+ setrev = ISC_TRUE;
+ rev = strtotime(isc_commandline_argument,
+ now, now);
+ }
+ break;
+ case 'I':
+ if (setinact || unsetinact)
+ fatal("-I specified more than once");
+
+ changed = ISC_TRUE;
+ if (!strcasecmp(isc_commandline_argument, "none")) {
+ unsetinact = ISC_TRUE;
+ } else {
+ setinact = ISC_TRUE;
+ inact = strtotime(isc_commandline_argument,
+ now, now);
+ }
+ break;
+ case 'D':
+ if (setdel || unsetdel)
+ fatal("-D specified more than once");
+
+ changed = ISC_TRUE;
+ if (!strcasecmp(isc_commandline_argument, "none")) {
+ unsetdel = ISC_TRUE;
+ } else {
+ setdel = ISC_TRUE;
+ del = strtotime(isc_commandline_argument,
+ now, now);
+ }
+ break;
+ case 'S':
+ predecessor = isc_commandline_argument;
+ break;
+ case 'i':
+ prepub = strtottl(isc_commandline_argument);
+ break;
+ case '?':
+ if (isc_commandline_option != '?')
+ fprintf(stderr, "%s: invalid argument -%c\n",
+ program, isc_commandline_option);
+ /* Falls into */
+ case 'h':
+ usage();
+
+ default:
+ fprintf(stderr, "%s: unhandled option -%c\n",
+ program, isc_commandline_option);
+ exit(1);
+ }
+ }
+
+ if (argc < isc_commandline_index + 1 ||
+ argv[isc_commandline_index] == NULL)
+ fatal("The key file name was not specified");
+ if (argc > isc_commandline_index + 1)
+ fatal("Extraneous arguments");
+
+ if (ectx == NULL)
+ setup_entropy(mctx, NULL, &ectx);
+ result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
+ if (result != ISC_R_SUCCESS)
+ fatal("Could not initialize hash");
+ result = dst_lib_init2(mctx, ectx, engine,
+ ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY);
+ if (result != ISC_R_SUCCESS)
+ fatal("Could not initialize dst: %s",
+ isc_result_totext(result));
+ isc_entropy_stopcallbacksources(ectx);
+
+ if (predecessor != NULL) {
+ char keystr[DST_KEY_FORMATSIZE];
+ isc_stdtime_t when;
+ int major, minor;
+
+ if (prepub == -1)
+ prepub = (30 * 86400);
+
+ if (setpub || unsetpub)
+ fatal("-S and -P cannot be used together");
+ if (setact || unsetact)
+ fatal("-S and -A cannot be used together");
+
+ result = dst_key_fromnamedfile(predecessor, directory,
+ DST_TYPE_PUBLIC |
+ DST_TYPE_PRIVATE,
+ mctx, &prevkey);
+ if (result != ISC_R_SUCCESS)
+ fatal("Invalid keyfile %s: %s",
+ filename, isc_result_totext(result));
+ if (!dst_key_isprivate(prevkey))
+ fatal("%s is not a private key", filename);
+
+ name = dst_key_name(prevkey);
+ alg = dst_key_alg(prevkey);
+ size = dst_key_size(prevkey);
+ flags = dst_key_flags(prevkey);
+
+ dst_key_format(prevkey, keystr, sizeof(keystr));
+ dst_key_getprivateformat(prevkey, &major, &minor);
+ if (major != DST_MAJOR_VERSION || minor < DST_MINOR_VERSION)
+ fatal("Predecessor has incompatible format "
+ "version %d.%d\n\t", major, minor);
+
+ result = dst_key_gettime(prevkey, DST_TIME_ACTIVATE, &when);
+ if (result != ISC_R_SUCCESS)
+ fatal("Predecessor has no activation date. "
+ "You must set one before\n\t"
+ "generating a successor.");
+
+ result = dst_key_gettime(prevkey, DST_TIME_INACTIVE, &act);
+ if (result != ISC_R_SUCCESS)
+ fatal("Predecessor has no inactivation date. "
+ "You must set one before\n\t"
+ "generating a successor.");
+
+ pub = act - prepub;
+ if (pub < now && prepub != 0)
+ fatal("Predecessor will become inactive before the\n\t"
+ "prepublication period ends. Either change "
+ "its inactivation date,\n\t"
+ "or use the -i option to set a shorter "
+ "prepublication interval.");
+
+ result = dst_key_gettime(prevkey, DST_TIME_DELETE, &when);
+ if (result != ISC_R_SUCCESS)
+ fprintf(stderr, "%s: WARNING: Predecessor has no "
+ "removal date;\n\t"
+ "it will remain in the zone "
+ "indefinitely after rollover.\n",
+ program);
+
+ changed = setpub = setact = ISC_TRUE;
+ dst_key_free(&prevkey);
+ } else {
+ if (prepub < 0)
+ prepub = 0;
+
+ if (prepub > 0) {
+ if (setpub && setact && (act - prepub) < pub)
+ fatal("Activation and publication dates "
+ "are closer together than the\n\t"
+ "prepublication interval.");
+
+ if (setpub && !setact) {
+ setact = ISC_TRUE;
+ act = pub + prepub;
+ } else if (setact && !setpub) {
+ setpub = ISC_TRUE;
+ pub = act - prepub;
+ }
+
+ if ((act - prepub) < now)
+ fatal("Time until activation is shorter "
+ "than the\n\tprepublication interval.");
+ }
+ }
+
+ if (directory != NULL) {
+ filename = argv[isc_commandline_index];
+ } else {
+ result = isc_file_splitpath(mctx, argv[isc_commandline_index],
+ &directory, &filename);
+ if (result != ISC_R_SUCCESS)
+ fatal("cannot process filename %s: %s",
+ argv[isc_commandline_index],
+ isc_result_totext(result));
+ }
+
+ result = dst_key_fromnamedfile(filename, directory,
+ DST_TYPE_PUBLIC | DST_TYPE_PRIVATE,
+ mctx, &key);
+ if (result != ISC_R_SUCCESS)
+ fatal("Invalid keyfile %s: %s",
+ filename, isc_result_totext(result));
+
+ if (!dst_key_isprivate(key))
+ fatal("%s is not a private key", filename);
+
+ dst_key_format(key, keystr, sizeof(keystr));
+
+ if (predecessor != NULL) {
+ if (!dns_name_equal(name, dst_key_name(key)))
+ fatal("Key name mismatch");
+ if (alg != dst_key_alg(key))
+ fatal("Key algorithm mismatch");
+ if (size != dst_key_size(key))
+ fatal("Key size mismatch");
+ if (flags != dst_key_flags(key))
+ fatal("Key flags mismatch");
+ }
+
+ if (force)
+ set_keyversion(key);
+ else
+ check_keyversion(key, keystr);
+
+ if (verbose > 2)
+ fprintf(stderr, "%s: %s\n", program, keystr);
+
+ /*
+ * Set time values.
+ */
+ if (setpub)
+ dst_key_settime(key, DST_TIME_PUBLISH, pub);
+ else if (unsetpub)
+ dst_key_unsettime(key, DST_TIME_PUBLISH);
+
+ if (setact)
+ dst_key_settime(key, DST_TIME_ACTIVATE, act);
+ else if (unsetact)
+ dst_key_unsettime(key, DST_TIME_ACTIVATE);
+
+ if (setrev) {
+ if ((dst_key_flags(key) & DNS_KEYFLAG_REVOKE) != 0)
+ fprintf(stderr, "%s: warning: Key %s is already "
+ "revoked; changing the revocation date "
+ "will not affect this.\n",
+ program, keystr);
+ if ((dst_key_flags(key) & DNS_KEYFLAG_KSK) == 0)
+ fprintf(stderr, "%s: warning: Key %s is not flagged as "
+ "a KSK, but -R was used. Revoking a "
+ "ZSK is legal, but undefined.\n",
+ program, keystr);
+ dst_key_settime(key, DST_TIME_REVOKE, rev);
+ } else if (unsetrev) {
+ if ((dst_key_flags(key) & DNS_KEYFLAG_REVOKE) != 0)
+ fprintf(stderr, "%s: warning: Key %s is already "
+ "revoked; removing the revocation date "
+ "will not affect this.\n",
+ program, keystr);
+ dst_key_unsettime(key, DST_TIME_REVOKE);
+ }
+
+ if (setinact)
+ dst_key_settime(key, DST_TIME_INACTIVE, inact);
+ else if (unsetinact)
+ dst_key_unsettime(key, DST_TIME_INACTIVE);
+
+ if (setdel)
+ dst_key_settime(key, DST_TIME_DELETE, del);
+ else if (unsetdel)
+ dst_key_unsettime(key, DST_TIME_DELETE);
+
+ /*
+ * No metadata changes were made but we're forcing an upgrade
+ * to the new format anyway: use "-P now -A now" as the default
+ */
+ if (force && !changed) {
+ dst_key_settime(key, DST_TIME_PUBLISH, now);
+ dst_key_settime(key, DST_TIME_ACTIVATE, now);
+ changed = ISC_TRUE;
+ }
+
+ /*
+ * Print out time values, if -p was used.
+ */
+ if (printcreate)
+ printtime(key, DST_TIME_CREATED, "Created", epoch, stdout);
+
+ if (printpub)
+ printtime(key, DST_TIME_PUBLISH, "Publish", epoch, stdout);
+
+ if (printact)
+ printtime(key, DST_TIME_ACTIVATE, "Activate", epoch, stdout);
+
+ if (printrev)
+ printtime(key, DST_TIME_REVOKE, "Revoke", epoch, stdout);
+
+ if (printinact)
+ printtime(key, DST_TIME_INACTIVE, "Inactive", epoch, stdout);
+
+ if (printdel)
+ printtime(key, DST_TIME_DELETE, "Delete", epoch, stdout);
+
+ if (changed) {
+ isc_buffer_init(&buf, newname, sizeof(newname));
+ result = dst_key_buildfilename(key, DST_TYPE_PUBLIC, directory,
+ &buf);
+ if (result != ISC_R_SUCCESS) {
+ fatal("Failed to build public key filename: %s",
+ isc_result_totext(result));
+ }
+
+ result = dst_key_tofile(key, DST_TYPE_PUBLIC|DST_TYPE_PRIVATE,
+ directory);
+ if (result != ISC_R_SUCCESS) {
+ dst_key_format(key, keystr, sizeof(keystr));
+ fatal("Failed to write key %s: %s", keystr,
+ isc_result_totext(result));
+ }
+
+ printf("%s\n", newname);
+
+ isc_buffer_clear(&buf);
+ result = dst_key_buildfilename(key, DST_TYPE_PRIVATE, directory,
+ &buf);
+ if (result != ISC_R_SUCCESS) {
+ fatal("Failed to build private key filename: %s",
+ isc_result_totext(result));
+ }
+ printf("%s\n", newname);
+ }
+
+ dst_key_free(&key);
+ dst_lib_destroy();
+ isc_hash_destroy();
+ cleanup_entropy(&ectx);
+ if (verbose > 10)
+ isc_mem_stats(mctx, stdout);
+ cleanup_logging(&log);
+ isc_mem_free(mctx, directory);
+ isc_mem_destroy(&mctx);
+
+ return (0);
+}
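Review bot: In the `-S` branch of main(), `fatal("Invalid keyfile %s: %s", filename, ...)` and `fatal("%s is not a private key", filename)` both run while `filename` is still NULL, because it is only assigned further down from `argv[isc_commandline_index]` or `isc_file_splitpath()`. Passing NULL for `%s` is undefined behaviour and at best prints "(null)", so an operator whose predecessor key fails to load is never told which file was rejected. Both calls should name the predecessor instead, e.g. `fatal("Invalid keyfile %s: %s", predecessor, isc_result_totext(result));` and `fatal("%s is not a private key", predecessor);`. Separately, printtime() treats every result other than ISC_R_NOTFOUND as success, so if dst_key_gettime() can fail in any other way (not visible in this hunk) an uninitialised `when` is printed. Testing `result != ISC_R_SUCCESS` before the "UNSET" branch would close that gap.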
diff --git a/contrib/bind9/bin/dnssec/dnssec-settime.docbook b/contrib/bind9/bin/dnssec/dnssec-settime.docbook
new file mode 100644
index 000000000000..3d89b651b473
--- /dev/null
+++ b/contrib/bind9/bin/dnssec/dnssec-settime.docbook
@@ -0,0 +1,323 @@
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
+ [<!ENTITY mdash "&#8212;">]>
+<!--
+ - Copyright (C) 2009-2011 Internet Systems Consortium, Inc. ("ISC")
+ -
+ - Permission to use, copy, modify, and/or distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: dnssec-settime.docbook,v 1.11.70.3 2011/11/03 20:21:30 each Exp $ -->
+<refentry id="man.dnssec-settime">
+ <refentryinfo>
+ <date>July 15, 2009</date>
+ </refentryinfo>
+
+ <refmeta>
+ <refentrytitle><application>dnssec-settime</application></refentrytitle>
+ <manvolnum>8</manvolnum>
+ <refmiscinfo>BIND9</refmiscinfo>
+ </refmeta>
+
+ <refnamediv>
+ <refname><application>dnssec-settime</application></refname>
+ <refpurpose>Set the key timing metadata for a DNSSEC key</refpurpose>
+ </refnamediv>
+
+ <docinfo>
+ <copyright>
+ <year>2009</year>
+ <year>2010</year>
+ <year>2011</year>
+ <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
+ </copyright>
+ </docinfo>
+
+ <refsynopsisdiv>
+ <cmdsynopsis>
+ <command>dnssec-settime</command>
+ <arg><option>-f</option></arg>
+ <arg><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
+ <arg><option>-P <replaceable class="parameter">date/offset</replaceable></option></arg>
+ <arg><option>-A <replaceable class="parameter">date/offset</replaceable></option></arg>
+ <arg><option>-R <replaceable class="parameter">date/offset</replaceable></option></arg>
+ <arg><option>-I <replaceable class="parameter">date/offset</replaceable></option></arg>
+ <arg><option>-D <replaceable class="parameter">date/offset</replaceable></option></arg>
+ <arg><option>-h</option></arg>
+ <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
+ <arg><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
+ <arg choice="req">keyfile</arg>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsect1>
+ <title>DESCRIPTION</title>
+ <para><command>dnssec-settime</command>
+ reads a DNSSEC private key file and sets the key timing metadata
+ as specified by the <option>-P</option>, <option>-A</option>,
+ <option>-R</option>, <option>-I</option>, and <option>-D</option>
+ options. The metadata can then be used by
+ <command>dnssec-signzone</command> or other signing software to
+ determine when a key is to be published, whether it should be
+ used for signing a zone, etc.
+ </para>
+ <para>
+ If none of these options is set on the command line,
+ then <command>dnssec-settime</command> simply prints the key timing
+ metadata already stored in the key.
+ </para>
+ <para>
+ When key metadata fields are changed, both files of a key
+ pair (<filename>Knnnn.+aaa+iiiii.key</filename> and
+ <filename>Knnnn.+aaa+iiiii.private</filename>) are regenerated.
+ Metadata fields are stored in the private file. A human-readable
+ description of the metadata is also placed in comments in the key
+ file. The private file's permissions are always set to be
+ inaccessible to anyone other than the owner (mode 0600).
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>OPTIONS</title>
+
+ <variablelist>
+ <varlistentry>
+ <term>-f</term>
+ <listitem>
+ <para>
+ Force an update of an old-format key with no metadata fields.
+ Without this option, <command>dnssec-settime</command> will
+ fail when attempting to update a legacy key. With this option,
+ the key will be recreated in the new format, but with the
+ original key data retained. The key's creation date will be
+ set to the present time. If no other values are specified,
+ then the key's publication and activation dates will also
+ be set to the present time.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-K <replaceable class="parameter">directory</replaceable></term>
+ <listitem>
+ <para>
+ Sets the directory in which the key files are to reside.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-h</term>
+ <listitem>
+ <para>
+ Emit usage message and exit.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-v <replaceable class="parameter">level</replaceable></term>
+ <listitem>
+ <para>
+ Sets the debugging level.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-E <replaceable class="parameter">engine</replaceable></term>
+ <listitem>
+ <para>
+ Use the given OpenSSL engine. When compiled with PKCS#11 support
+ it defaults to pkcs11; the empty name resets it to no engine.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect1>
+
+ <refsect1>
+ <title>TIMING OPTIONS</title>
+ <para>
+ Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
+ If the argument begins with a '+' or '-', it is interpreted as
+ an offset from the present time. For convenience, if such an offset
+ is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
+ then the offset is computed in years (defined as 365 24-hour days,
+ ignoring leap years), months (defined as 30 24-hour days), weeks,
+ days, hours, or minutes, respectively. Without a suffix, the offset
+ is computed in seconds. To unset a date, use 'none'.
+ </para>
+
+ <variablelist>
+ <varlistentry>
+ <term>-P <replaceable class="parameter">date/offset</replaceable></term>
+ <listitem>
+ <para>
+ Sets the date on which a key is to be published to the zone.
+ After that date, the key will be included in the zone but will
+ not be used to sign it.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-A <replaceable class="parameter">date/offset</replaceable></term>
+ <listitem>
+ <para>
+ Sets the date on which the key is to be activated. After that
+ date, the key will be included in the zone and used to sign
+ it.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-R <replaceable class="parameter">date/offset</replaceable></term>
+ <listitem>
+ <para>
+ Sets the date on which the key is to be revoked. After that
+ date, the key will be flagged as revoked. It will be included
+ in the zone and will be used to sign it.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-I <replaceable class="parameter">date/offset</replaceable></term>
+ <listitem>
+ <para>
+ Sets the date on which the key is to be retired. After that
+ date, the key will still be included in the zone, but it
+ will not be used to sign it.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-D <replaceable class="parameter">date/offset</replaceable></term>
+ <listitem>
+ <para>
+ Sets the date on which the key is to be deleted. After that
+ date, the key will no longer be included in the zone. (It
+ may remain in the key repository, however.)
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-S <replaceable class="parameter">predecessor key</replaceable></term>
+ <listitem>
+ <para>
+ Select a key for which the key being modified will be an
+ explicit successor. The name, algorithm, size, and type of the
+ predecessor key must exactly match those of the key being
+ modified. The activation date of the successor key will be set
+ to the inactivation date of the predecessor. The publication
+ date will be set to the activation date minus the prepublication
+ interval, which defaults to 30 days.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-i <replaceable class="parameter">interval</replaceable></term>
+ <listitem>
+ <para>
+ Sets the prepublication interval for a key. If set, then
+ the publication and activation dates must be separated by at least
+ this much time. If the activation date is specified but the
+ publication date isn't, then the publication date will default
+ to this much time before the activation date; conversely, if
+ the publication date is specified but activation date isn't,
+ then activation will be set to this much time after publication.
+ </para>
+ <para>
+ If the key is being set to be an explicit successor to another
+ key, then the default prepublication interval is 30 days;
+ otherwise it is zero.
+ </para>
+ <para>
+ As with date offsets, if the argument is followed by one of
+ the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
+ interval is measured in years, months, weeks, days, hours,
+ or minutes, respectively. Without a suffix, the interval is
+ measured in seconds.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect1>
+
+ <refsect1>
+ <title>PRINTING OPTIONS</title>
+ <para>
+ <command>dnssec-settime</command> can also be used to print the
+ timing metadata associated with a key.
+ </para>
+
+ <variablelist>
+ <varlistentry>
+ <term>-u</term>
+ <listitem>
+ <para>
+ Print times in UNIX epoch format.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-p <replaceable class="parameter">C/P/A/R/I/D/all</replaceable></term>
+ <listitem>
+ <para>
+ Print a specific metadata value or set of metadata values.
+ The <option>-p</option> option may be followed by one or more
+ of the following letters to indicate which value or values to print:
+ <option>C</option> for the creation date,
+ <option>P</option> for the publication date,
+ <option>A</option> for the activation date,
+ <option>R</option> for the revocation date,
+ <option>I</option> for the inactivation date, or
+ <option>D</option> for the deletion date.
+ To print all of the metadata, use <option>-p all</option>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ </variablelist>
+ </refsect1>
+
+ <refsect1>
+ <title>SEE ALSO</title>
+ <para><citerefentry>
+ <refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
+ <citetitle>RFC 5011</citetitle>.
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>AUTHOR</title>
+ <para><corpauthor>Internet Systems Consortium</corpauthor>
+ </para>
+ </refsect1>
+
+</refentry><!--
+ - Local variables:
+ - mode: sgml
+ - End:
+-->
diff --git a/contrib/bind9/bin/dnssec/dnssec-settime.html b/contrib/bind9/bin/dnssec/dnssec-settime.html
new file mode 100644
index 000000000000..0ac82bcbd3da
--- /dev/null
+++ b/contrib/bind9/bin/dnssec/dnssec-settime.html
@@ -0,0 +1,211 @@
+<!--
+ - Copyright (C) 2009-2011 Internet Systems Consortium, Inc. ("ISC")
+ -
+ - Permission to use, copy, modify, and/or distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+<!-- $Id$ -->
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>dnssec-settime</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
+<a name="man.dnssec-settime"></a><div class="titlepage"></div>
+<div class="refnamediv">
+<h2>Name</h2>
+<p><span class="application">dnssec-settime</span> &#8212; Set the key timing metadata for a DNSSEC key</p>
+</div>
+<div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+<div class="cmdsynopsis"><p><code class="command">dnssec-settime</code> [<code class="option">-f</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-h</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] {keyfile}</p></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543424"></a><h2>DESCRIPTION</h2>
+<p><span><strong class="command">dnssec-settime</strong></span>
+ reads a DNSSEC private key file and sets the key timing metadata
+ as specified by the <code class="option">-P</code>, <code class="option">-A</code>,
+ <code class="option">-R</code>, <code class="option">-I</code>, and <code class="option">-D</code>
+ options. The metadata can then be used by
+ <span><strong class="command">dnssec-signzone</strong></span> or other signing software to
+ determine when a key is to be published, whether it should be
+ used for signing a zone, etc.
+ </p>
+<p>
+ If none of these options is set on the command line,
+ then <span><strong class="command">dnssec-settime</strong></span> simply prints the key timing
+ metadata already stored in the key.
+ </p>
+<p>
+ When key metadata fields are changed, both files of a key
+ pair (<code class="filename">Knnnn.+aaa+iiiii.key</code> and
+ <code class="filename">Knnnn.+aaa+iiiii.private</code>) are regenerated.
+ Metadata fields are stored in the private file. A human-readable
+ description of the metadata is also placed in comments in the key
+ file. The private file's permissions are always set to be
+ inaccessible to anyone other than the owner (mode 0600).
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543472"></a><h2>OPTIONS</h2>
+<div class="variablelist"><dl>
+<dt><span class="term">-f</span></dt>
+<dd><p>
+ Force an update of an old-format key with no metadata fields.
+ Without this option, <span><strong class="command">dnssec-settime</strong></span> will
+ fail when attempting to update a legacy key. With this option,
+ the key will be recreated in the new format, but with the
+ original key data retained. The key's creation date will be
+ set to the present time. If no other values are specified,
+ then the key's publication and activation dates will also
+ be set to the present time.
+ </p></dd>
+<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
+<dd><p>
+ Sets the directory in which the key files are to reside.
+ </p></dd>
+<dt><span class="term">-h</span></dt>
+<dd><p>
+ Emit usage message and exit.
+ </p></dd>
+<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
+<dd><p>
+ Sets the debugging level.
+ </p></dd>
+<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
+<dd><p>
+ Use the given OpenSSL engine. When compiled with PKCS#11 support
+ it defaults to pkcs11; the empty name resets it to no engine.
+ </p></dd>
+</dl></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543563"></a><h2>TIMING OPTIONS</h2>
+<p>
+ Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
+ If the argument begins with a '+' or '-', it is interpreted as
+ an offset from the present time. For convenience, if such an offset
+ is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
+ then the offset is computed in years (defined as 365 24-hour days,
+ ignoring leap years), months (defined as 30 24-hour days), weeks,
+ days, hours, or minutes, respectively. Without a suffix, the offset
+ is computed in seconds. To unset a date, use 'none'.
+ </p>
+<div class="variablelist"><dl>
+<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
+<dd><p>
+ Sets the date on which a key is to be published to the zone.
+ After that date, the key will be included in the zone but will
+ not be used to sign it.
+ </p></dd>
+<dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
+<dd><p>
+ Sets the date on which the key is to be activated. After that
+ date, the key will be included in the zone and used to sign
+ it.
+ </p></dd>
+<dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
+<dd><p>
+ Sets the date on which the key is to be revoked. After that
+ date, the key will be flagged as revoked. It will be included
+ in the zone and will be used to sign it.
+ </p></dd>
+<dt><span class="term">-I <em class="replaceable"><code>date/offset</code></em></span></dt>
+<dd><p>
+ Sets the date on which the key is to be retired. After that
+ date, the key will still be included in the zone, but it
+ will not be used to sign it.
+ </p></dd>
+<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
+<dd><p>
+ Sets the date on which the key is to be deleted. After that
+ date, the key will no longer be included in the zone. (It
+ may remain in the key repository, however.)
+ </p></dd>
+<dt><span class="term">-S <em class="replaceable"><code>predecessor key</code></em></span></dt>
+<dd><p>
+ Select a key for which the key being modified will be an
+ explicit successor. The name, algorithm, size, and type of the
+ predecessor key must exactly match those of the key being
+ modified. The activation date of the successor key will be set
+ to the inactivation date of the predecessor. The publication
+ date will be set to the activation date minus the prepublication
+ interval, which defaults to 30 days.
+ </p></dd>
+<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
+<dd>
+<p>
+ Sets the prepublication interval for a key. If set, then
+ the publication and activation dates must be separated by at least
+ this much time. If the activation date is specified but the
+ publication date isn't, then the publication date will default
+ to this much time before the activation date; conversely, if
+ the publication date is specified but activation date isn't,
+ then activation will be set to this much time after publication.
+ </p>
+<p>
+ If the key is being set to be an explicit successor to another
+ key, then the default prepublication interval is 30 days;
+ otherwise it is zero.
+ </p>
+<p>
+ As with date offsets, if the argument is followed by one of
+ the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
+ interval is measured in years, months, weeks, days, hours,
+ or minutes, respectively. Without a suffix, the interval is
+ measured in seconds.
+ </p>
+</dd>
+</dl></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543770"></a><h2>PRINTING OPTIONS</h2>
+<p>
+ <span><strong class="command">dnssec-settime</strong></span> can also be used to print the
+ timing metadata associated with a key.
+ </p>
+<div class="variablelist"><dl>
+<dt><span class="term">-u</span></dt>
+<dd><p>
+ Print times in UNIX epoch format.
+ </p></dd>
+<dt><span class="term">-p <em class="replaceable"><code>C/P/A/R/I/D/all</code></em></span></dt>
+<dd><p>
+ Print a specific metadata value or set of metadata values.
+ The <code class="option">-p</code> option may be followed by one or more
+ of the following letters to indicate which value or values to print:
+ <code class="option">C</code> for the creation date,
+ <code class="option">P</code> for the publication date,
+ <code class="option">A</code> for the activation date,
+ <code class="option">R</code> for the revocation date,
+ <code class="option">I</code> for the inactivation date, or
+ <code class="option">D</code> for the deletion date.
+ To print all of the metadata, use <code class="option">-p all</code>.
+ </p></dd>
+</dl></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543848"></a><h2>SEE ALSO</h2>
+<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
+ <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
+ <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
+ <em class="citetitle">RFC 5011</em>.
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543881"></a><h2>AUTHOR</h2>
+<p><span class="corpauthor">Internet Systems Consortium</span>
+ </p>
+</div>
+</div></body>
+</html>
diff --git a/contrib/bind9/bin/dnssec/dnssec-signzone.8 b/contrib/bind9/bin/dnssec/dnssec-signzone.8
index 1596bfdbc950..028068803cdb 100644
--- a/contrib/bind9/bin/dnssec/dnssec-signzone.8
+++ b/contrib/bind9/bin/dnssec/dnssec-signzone.8
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004-2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2000-2003 Internet Software Consortium.
.\"
.\" Permission to use, copy, modify, and/or distribute this software for any
@@ -20,11 +20,11 @@
.\" Title: dnssec\-signzone
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\" Date: June 08, 2009
+.\" Date: June 05, 2009
.\" Manual: BIND9
.\" Source: BIND9
.\"
-.TH "DNSSEC\-SIGNZONE" "8" "June 08, 2009" "BIND9" "BIND9"
+.TH "DNSSEC\-SIGNZONE" "8" "June 05, 2009" "BIND9" "BIND9"
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
@@ -33,15 +33,13 @@
dnssec\-signzone \- DNSSEC zone signing tool
.SH "SYNOPSIS"
.HP 16
-\fBdnssec\-signzone\fR [\fB\-a\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-d\ \fR\fB\fIdirectory\fR\fR] [\fB\-e\ \fR\fB\fIend\-time\fR\fR] [\fB\-f\ \fR\fB\fIoutput\-file\fR\fR] [\fB\-g\fR] [\fB\-h\fR] [\fB\-k\ \fR\fB\fIkey\fR\fR] [\fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-I\ \fR\fB\fIinput\-format\fR\fR] [\fB\-j\ \fR\fB\fIjitter\fR\fR] [\fB\-N\ \fR\fB\fIsoa\-serial\-format\fR\fR] [\fB\-o\ \fR\fB\fIorigin\fR\fR] [\fB\-O\ \fR\fB\fIoutput\-format\fR\fR] [\fB\-p\fR] [\fB\-P\fR] [\fB\-r\ \fR\fB\fIrandomdev\fR\fR] [\fB\-s\ \fR\fB\fIstart\-time\fR\fR] [\fB\-t\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-z\fR] [\fB\-3\ \fR\fB\fIsalt\fR\fR] [\fB\-H\ \fR\fB\fIiterations\fR\fR] [\fB\-A\fR] {zonefile} [key...]
+\fBdnssec\-signzone\fR [\fB\-a\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-d\ \fR\fB\fIdirectory\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-e\ \fR\fB\fIend\-time\fR\fR] [\fB\-f\ \fR\fB\fIoutput\-file\fR\fR] [\fB\-g\fR] [\fB\-h\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-k\ \fR\fB\fIkey\fR\fR] [\fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-I\ \fR\fB\fIinput\-format\fR\fR] [\fB\-j\ \fR\fB\fIjitter\fR\fR] [\fB\-N\ \fR\fB\fIsoa\-serial\-format\fR\fR] [\fB\-o\ \fR\fB\fIorigin\fR\fR] [\fB\-O\ \fR\fB\fIoutput\-format\fR\fR] [\fB\-p\fR] [\fB\-P\fR] [\fB\-r\ \fR\fB\fIrandomdev\fR\fR] [\fB\-S\fR] [\fB\-s\ \fR\fB\fIstart\-time\fR\fR] [\fB\-T\ \fR\fB\fIttl\fR\fR] [\fB\-t\fR] [\fB\-u\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-x\fR] [\fB\-z\fR] [\fB\-3\ \fR\fB\fIsalt\fR\fR] [\fB\-H\ \fR\fB\fIiterations\fR\fR] [\fB\-A\fR] {zonefile} [key...]
.SH "DESCRIPTION"
.PP
\fBdnssec\-signzone\fR
-signs a zone. It generates NSEC and RRSIG records and produces a signed version of the zone. It also generates a
-\fIkeyset\-\fR
-file containing the key\-signing keys for the zone, and if signing a zone which contains delegations, it can optionally generate DS records for the child zones from their
-\fIkeyset\-\fR
-files.
+signs a zone. It generates NSEC and RRSIG records and produces a signed version of the zone. The security status of delegations from the signed zone (that is, whether the child zones are secure or not) is determined by the presence or absence of a
+\fIkeyset\fR
+file for each child zone.
.SH "OPTIONS"
.PP
\-a
@@ -54,30 +52,53 @@ Verify all generated signatures.
Specifies the DNS class of the zone.
.RE
.PP
-\-k \fIkey\fR
-.RS 4
-Treat specified key as a key signing key ignoring any key flags. This option may be specified multiple times.
-.RE
-.PP
-\-l \fIdomain\fR
+\-C
.RS 4
-Generate a DLV set in addition to the key (DNSKEY) and DS sets. The domain is appended to the name of the records.
+Compatibility mode: Generate a
+\fIkeyset\-\fR\fI\fIzonename\fR\fR
+file in addition to
+\fIdsset\-\fR\fI\fIzonename\fR\fR
+when signing a zone, for use by older versions of
+\fBdnssec\-signzone\fR.
.RE
.PP
\-d \fIdirectory\fR
.RS 4
Look for
-\fIkeyset\fR
+\fIdsset\-\fR
+or
+\fIkeyset\-\fR
files in
-\fBdirectory\fR
-as the directory
+\fBdirectory\fR.
+.RE
+.PP
+\-E \fIengine\fR
+.RS 4
+Uses a crypto hardware (OpenSSL engine) for the crypto operations it supports, for instance signing with private keys from a secure key store. When compiled with PKCS#11 support it defaults to pkcs11; the empty name resets it to no engine.
.RE
.PP
\-g
.RS 4
-If the zone contains any delegations, and there are
+Generate DS records for child zones from
+\fIdsset\-\fR
+or
\fIkeyset\-\fR
-files for any of the child zones, then DS records for the child zones will be generated from the keys in those files. Existing DS records will be removed.
+file. Existing DS records will be removed.
+.RE
+.PP
+\-K \fIdirectory\fR
+.RS 4
+Key repository: Specify a directory to search for DNSSEC keys. If not specified, defaults to the current directory.
+.RE
+.PP
+\-k \fIkey\fR
+.RS 4
+Treat specified key as a key signing key ignoring any key flags. This option may be specified multiple times.
+.RE
+.PP
+\-l \fIdomain\fR
+.RS 4
+Generate a DLV set in addition to the key (DNSKEY) and DS sets. The domain is appended to the name of the records.
.RE
.PP
\-s \fIstart\-time\fR
@@ -93,6 +114,9 @@ Specify the date and time when the generated RRSIG records expire. As with
\fBstart\-time\fR, an absolute time is indicated in YYYYMMDDHHMMSS notation. A time relative to the start time is indicated with +N, which is N seconds from the start time. A time relative to the current time is indicated with now+N. If no
\fBend\-time\fR
is specified, 30 days from the start time is used as a default.
+\fBend\-time\fR
+must be later than
+\fBstart\-time\fR.
.RE
.PP
\-f \fIoutput\-file\fR
@@ -208,34 +232,94 @@ specifies the name of a character device or file containing random data to be us
indicates that keyboard input should be used.
.RE
.PP
+\-S
+.RS 4
+Smart signing: Instructs
+\fBdnssec\-signzone\fR
+to search the key repository for keys that match the zone being signed, and to include them in the zone if appropriate.
+.sp
+When a key is found, its timing metadata is examined to determine how it should be used, according to the following rules. Each successive rule takes priority over the prior ones:
+.RS 4
+.PP
+.RS 4
+If no timing metadata has been set for the key, the key is published in the zone and used to sign the zone.
+.RE
+.PP
+.RS 4
+If the key's publication date is set and is in the past, the key is published in the zone.
+.RE
+.PP
+.RS 4
+If the key's activation date is set and in the past, the key is published (regardless of publication date) and used to sign the zone.
+.RE
+.PP
+.RS 4
+If the key's revocation date is set and in the past, and the key is published, then the key is revoked, and the revoked key is used to sign the zone.
+.RE
+.PP
+.RS 4
+If either of the key's unpublication or deletion dates are set and in the past, the key is NOT published or used to sign the zone, regardless of any other metadata.
+.RE
+.RE
+.RE
+.PP
+\-T \fIttl\fR
+.RS 4
+Specifies the TTL to be used for new DNSKEY records imported into the zone from the key repository. If not specified, the default is the minimum TTL value from the zone's SOA record. This option is ignored when signing without
+\fB\-S\fR, since DNSKEY records are not imported from the key repository in that case. It is also ignored if there are any pre\-existing DNSKEY records at the zone apex, in which case new records' TTL values will be set to match them.
+.RE
+.PP
\-t
.RS 4
Print statistics at completion.
.RE
.PP
+\-u
+.RS 4
+Update NSEC/NSEC3 chain when re\-signing a previously signed zone. With this option, a zone signed with NSEC can be switched to NSEC3, or a zone signed with NSEC3 can be switch to NSEC or to NSEC3 with different parameters. Without this option,
+\fBdnssec\-signzone\fR
+will retain the existing chain when re\-signing.
+.RE
+.PP
\-v \fIlevel\fR
.RS 4
Sets the debugging level.
.RE
.PP
+\-x
+.RS 4
+Only sign the DNSKEY RRset with key\-signing keys, and omit signatures from zone\-signing keys. (This is similar to the
+\fBdnssec\-dnskey\-kskonly yes;\fR
+zone option in
+\fBnamed\fR.)
+.RE
+.PP
\-z
.RS 4
-Ignore KSK flag on key when determining what to sign.
+Ignore KSK flag on key when determining what to sign. This causes KSK\-flagged keys to sign all records, not just the DNSKEY RRset. (This is similar to the
+\fBupdate\-check\-ksk no;\fR
+zone option in
+\fBnamed\fR.)
.RE
.PP
\-3 \fIsalt\fR
.RS 4
-Generate a NSEC3 chain with the given hex encoded salt. A dash (\fIsalt\fR) can be used to indicate that no salt is to be used when generating the NSEC3 chain.
+Generate an NSEC3 chain with the given hex encoded salt. A dash (\fIsalt\fR) can be used to indicate that no salt is to be used when generating the NSEC3 chain.
.RE
.PP
\-H \fIiterations\fR
.RS 4
-When generating a NSEC3 chain use this many interations. The default is 100.
+When generating an NSEC3 chain, use this many interations. The default is 10.
.RE
.PP
\-A
.RS 4
-When generating a NSEC3 chain set the OPTOUT flag on all NSEC3 records and do not generate NSEC3 records for insecure delegations.
+When generating an NSEC3 chain set the OPTOUT flag on all NSEC3 records and do not generate NSEC3 records for insecure delegations.
+.sp
+Using this option twice (i.e.,
+\fB\-AA\fR) turns the OPTOUT flag off for all records. This is useful when using the
+\fB\-u\fR
+option to modify an NSEC3 chain which previously had OPTOUT set.
.RE
.PP
zonefile
@@ -253,9 +337,11 @@ The following command signs the
\fBexample.com\fR
zone with the DSA key generated by
\fBdnssec\-keygen\fR
-(Kexample.com.+003+17247). The zone's keys must be in the master file (\fIdb.example.com\fR). This invocation looks for
-\fIkeyset\fR
-files, in the current directory, so that DS records can be generated from them (\fB\-g\fR).
+(Kexample.com.+003+17247). Because the
+\fB\-S\fR
+option is not being used, the zone's keys must be in the master file (\fIdb.example.com\fR). This invocation looks for
+\fIdsset\fR
+files, in the current directory, so that DS records can be imported from them (\fB\-g\fR).
.sp
.RS 4
.nf
@@ -283,18 +369,6 @@ db.example.com.signed
%
.fi
.RE
-.SH "KNOWN BUGS"
-.PP
-\fBdnssec\-signzone\fR
-was designed so that it could sign a zone partially, using only a subset of the DNSSEC keys needed to produce a fully\-signed zone. This permits a zone administrator, for example, to sign a zone with one key on one machine, move the resulting partially\-signed zone to a second machine, and sign it again with a second key.
-.PP
-An unfortunate side\-effect of this flexibility is that
-\fBdnssec\-signzone\fR
-does not check to make sure it's signing a zone with any valid keys at all. An attempt to sign a zone without any keys will appear to succeed, producing a "signed" zone with no signatures. There is no warning issued when a zone is not fully signed.
-.PP
-This will be corrected in a future release. In the meantime, ISC recommends examining the output of
-\fBdnssec\-signzone\fR
-to confirm that the zone is properly signed by all keys before using it.
.SH "SEE ALSO"
.PP
\fBdnssec\-keygen\fR(8),
@@ -304,7 +378,7 @@ RFC 4033.
.PP
Internet Systems Consortium
.SH "COPYRIGHT"
-Copyright \(co 2004\-2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004\-2009 Internet Systems Consortium, Inc. ("ISC")
.br
Copyright \(co 2000\-2003 Internet Software Consortium.
.br
diff --git a/contrib/bind9/bin/dnssec/dnssec-signzone.c b/contrib/bind9/bin/dnssec/dnssec-signzone.c
index 4b2188699772..237624948a26 100644
--- a/contrib/bind9/bin/dnssec/dnssec-signzone.c
+++ b/contrib/bind9/bin/dnssec/dnssec-signzone.c
@@ -1,5 +1,5 @@
/*
- * Portions Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC")
* Portions Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -29,7 +29,7 @@
* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: dnssec-signzone.c,v 1.262.110.9 2011/07/19 23:47:12 tbox Exp $ */
/*! \file */
@@ -87,6 +87,10 @@
#include "dnssectool.h"
+#ifndef PATH_MAX
+#define PATH_MAX 1024 /* AIX, WIN32, and others don't define this. */
+#endif
+
const char *program = "dnssec-signzone";
int verbose;
@@ -97,22 +101,11 @@ static int nsec_datatype = dns_rdatatype_nsec;
#define IS_NSEC3 (nsec_datatype == dns_rdatatype_nsec3)
#define OPTOUT(x) (((x) & DNS_NSEC3FLAG_OPTOUT) != 0)
+#define REVOKE(x) ((dst_key_flags(x) & DNS_KEYFLAG_REVOKE) != 0)
+
#define BUFSIZE 2048
#define MAXDSKEYS 8
-typedef struct signer_key_struct signer_key_t;
-
-struct signer_key_struct {
- dst_key_t *key;
- isc_boolean_t issigningkey;
- isc_boolean_t isdsk;
- isc_boolean_t isksk;
- isc_boolean_t wasused;
- isc_boolean_t commandline;
- unsigned int position;
- ISC_LINK(signer_key_t) link;
-};
-
#define SIGNER_EVENTCLASS ISC_EVENTCLASS(0x4453)
#define SIGNER_EVENT_WRITE (SIGNER_EVENTCLASS + 0)
#define SIGNER_EVENT_WORK (SIGNER_EVENTCLASS + 1)
@@ -128,7 +121,7 @@ struct signer_event {
dns_dbnode_t *node;
};
-static ISC_LIST(signer_key_t) keylist;
+static dns_dnsseckeylist_t keylist;
static unsigned int keycount = 0;
isc_rwlock_t keylist_lock;
static isc_stdtime_t starttime = 0, endtime = 0, now;
@@ -138,7 +131,8 @@ static isc_boolean_t tryverify = ISC_FALSE;
static isc_boolean_t printstats = ISC_FALSE;
static isc_mem_t *mctx = NULL;
static isc_entropy_t *ectx = NULL;
-static dns_ttl_t zonettl;
+static dns_ttl_t zone_soa_min_ttl;
+static dns_ttl_t soa_ttl;
static FILE *fp;
static char *tempfile = NULL;
static const dns_master_style_t *masterstyle;
@@ -146,7 +140,7 @@ static dns_masterformat_t inputformat = dns_masterformat_text;
static dns_masterformat_t outputformat = dns_masterformat_text;
static unsigned int nsigned = 0, nretained = 0, ndropped = 0;
static unsigned int nverified = 0, nverifyfailed = 0;
-static const char *directory;
+static const char *directory = NULL, *dsdir = NULL;
static isc_mutex_t namelock, statslock;
static isc_taskmgr_t *taskmgr = NULL;
static dns_db_t *gdb; /* The database */
@@ -155,13 +149,18 @@ static dns_dbiterator_t *gdbiter; /* The database iterator */
static dns_rdataclass_t gclass; /* The class */
static dns_name_t *gorigin; /* The database origin */
static int nsec3flags = 0;
+static dns_iterations_t nsec3iter = 10U;
+static unsigned char saltbuf[255];
+static unsigned char *salt = saltbuf;
+static size_t salt_length = 0;
static isc_task_t *master = NULL;
static unsigned int ntasks = 0;
static isc_boolean_t shuttingdown = ISC_FALSE, finished = ISC_FALSE;
static isc_boolean_t nokeys = ISC_FALSE;
static isc_boolean_t removefile = ISC_FALSE;
static isc_boolean_t generateds = ISC_FALSE;
-static isc_boolean_t ignoreksk = ISC_FALSE;
+static isc_boolean_t ignore_kskflag = ISC_FALSE;
+static isc_boolean_t keyset_kskonly = ISC_FALSE;
static dns_name_t *dlv = NULL;
static dns_fixedname_t dlv_fixed;
static dns_master_style_t *dsstyle = NULL;
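Review bot: `saltbuf[255]` hard-codes the NSEC3 salt limit as a bare literal, and nothing in this hunk ties the buffer size to the code that fills it. The salt length field in NSEC3 is a single octet, so 255 is the right ceiling, but a short comment such as `/* NSEC3 salt length is one octet: at most 255 bytes */` or a named constant would make that visible. The code that decodes the hex-encoded `-3` argument into `salt` is outside this hunk; it should compare the decoded length against `sizeof(saltbuf)` and reject longer input rather than rely on the caller. The new default `nsec3iter = 10U` agrees with the man page change on this page ("The default is 10").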
@@ -169,6 +168,9 @@ static unsigned int serialformat = SOA_SERIAL_KEEP;
static unsigned int hash_length = 0;
static isc_boolean_t unknownalg = ISC_FALSE;
static isc_boolean_t disable_zone_check = ISC_FALSE;
+static isc_boolean_t update_chain = ISC_FALSE;
+static isc_boolean_t set_keyttl = ISC_FALSE;
+static dns_ttl_t keyttl;
#define INCSTAT(counter) \
if (printstats) { \
@@ -195,48 +197,23 @@ dumpnode(dns_name_t *name, dns_dbnode_t *node) {
check_result(result, "dns_master_dumpnodetostream");
}
-static signer_key_t *
-newkeystruct(dst_key_t *dstkey, isc_boolean_t signwithkey) {
- signer_key_t *key;
-
- key = isc_mem_get(mctx, sizeof(signer_key_t));
- if (key == NULL)
- fatal("out of memory");
- key->key = dstkey;
- if ((dst_key_flags(dstkey) & DNS_KEYFLAG_KSK) != 0) {
- key->issigningkey = signwithkey;
- key->isksk = ISC_TRUE;
- key->isdsk = ISC_FALSE;
- } else {
- key->issigningkey = signwithkey;
- key->isksk = ISC_FALSE;
- key->isdsk = ISC_TRUE;
- }
- key->wasused = ISC_FALSE;
- key->commandline = ISC_FALSE;
- key->position = keycount++;
- ISC_LINK_INIT(key, link);
- return (key);
-}
-
/*%
* Sign the given RRset with given key, and add the signature record to the
* given tuple.
*/
-
static void
signwithkey(dns_name_t *name, dns_rdataset_t *rdataset, dst_key_t *key,
dns_ttl_t ttl, dns_diff_t *add, const char *logmsg)
{
isc_result_t result;
isc_stdtime_t jendtime;
- char keystr[KEY_FORMATSIZE];
+ char keystr[DST_KEY_FORMATSIZE];
dns_rdata_t trdata = DNS_RDATA_INIT;
unsigned char array[BUFSIZE];
isc_buffer_t b;
dns_difftuple_t *tuple;
- key_format(key, keystr, sizeof(keystr));
+ dst_key_format(key, keystr, sizeof(keystr));
vbprintf(1, "\t%s %s\n", logmsg, keystr);
jendtime = (jitter != 0) ? isc_random_jitter(endtime, jitter) : endtime;
@@ -245,8 +222,8 @@ signwithkey(dns_name_t *name, dns_rdataset_t *rdataset, dst_key_t *key,
mctx, &b, &trdata);
isc_entropy_stopcallbacksources(ectx);
if (result != ISC_R_SUCCESS) {
- char keystr[KEY_FORMATSIZE];
- key_format(key, keystr, sizeof(keystr));
+ char keystr[DST_KEY_FORMATSIZE];
+ dst_key_format(key, keystr, sizeof(keystr));
fatal("dnskey '%s' failed to sign data: %s",
keystr, isc_result_totext(result));
}
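Review bot: The error branch re-declares `char keystr[DST_KEY_FORMATSIZE];` and calls `dst_key_format()` again, shadowing the outer `keystr` that the previous hunk already fills at the top of signwithkey(). The key has not changed in between, so the inner declaration and the second format call can be dropped, and `fatal("dnskey '%s' failed to sign data: %s", keystr, ...)` can use the outer buffer. This also avoids a shadowing warning on compilers that report it. signwithkey() starts and ends outside this hunk.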
@@ -272,31 +249,43 @@ signwithkey(dns_name_t *name, dns_rdataset_t *rdataset, dst_key_t *key,
}
static inline isc_boolean_t
-issigningkey(signer_key_t *key) {
- return (key->issigningkey);
+issigningkey(dns_dnsseckey_t *key) {
+ return (key->force_sign || key->hint_sign);
}
static inline isc_boolean_t
-iszonekey(signer_key_t *key) {
+iszonekey(dns_dnsseckey_t *key) {
return (ISC_TF(dns_name_equal(dst_key_name(key->key), gorigin) &&
dst_key_iszonekey(key->key)));
}
+static inline isc_boolean_t
+isksk(dns_dnsseckey_t *key) {
+ return (key->ksk);
+}
+
+static inline isc_boolean_t
+iszsk(dns_dnsseckey_t *key) {
+ return (ignore_kskflag || !key->ksk);
+}
+
/*%
- * Find the key if it is in our list. If it is, return it, otherwise null.
+ * Find the key that generated an RRSIG, if it is in the key list. If
+ * so, return a pointer to it, otherwise return NULL.
+ *
* No locking is performed here, this must be done by the caller.
*/
-static signer_key_t *
+static dns_dnsseckey_t *
keythatsigned_unlocked(dns_rdata_rrsig_t *rrsig) {
- signer_key_t *key;
+ dns_dnsseckey_t *key;
- key = ISC_LIST_HEAD(keylist);
- while (key != NULL) {
+ for (key = ISC_LIST_HEAD(keylist);
+ key != NULL;
+ key = ISC_LIST_NEXT(key, link)) {
if (rrsig->keyid == dst_key_id(key->key) &&
rrsig->algorithm == dst_key_alg(key->key) &&
dns_name_equal(&rrsig->signer, dst_key_name(key->key)))
return (key);
- key = ISC_LIST_NEXT(key, link);
}
return (NULL);
}
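Review bot: The new helpers `isksk()` and `iszsk()` are undocumented, and their results overlap: `iszsk()` returns true for a KSK-flagged key whenever the global `ignore_kskflag` is set, so both predicates can hold for the same key. A comment above `iszsk()` would prevent callers from treating them as mutually exclusive, for example `/* With ignore_kskflag set, every key counts as a zone-signing key, including KSK-flagged ones. */`. `issigningkey()` now returns `key->force_sign || key->hint_sign`; a one-line comment on how the two fields differ would help, since their definitions are not visible on this page.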
@@ -305,11 +294,11 @@ keythatsigned_unlocked(dns_rdata_rrsig_t *rrsig) {
* Finds the key that generated a RRSIG, if possible. First look at the keys
* that we've loaded already, and then see if there's a key on disk.
*/
-static signer_key_t *
+static dns_dnsseckey_t *
keythatsigned(dns_rdata_rrsig_t *rrsig) {
isc_result_t result;
dst_key_t *pubkey = NULL, *privkey = NULL;
- signer_key_t *key;
+ dns_dnsseckey_t *key = NULL;
isc_rwlock_lock(&keylist_lock, isc_rwlocktype_read);
key = keythatsigned_unlocked(rrsig);
@@ -325,7 +314,6 @@ keythatsigned(dns_rdata_rrsig_t *rrsig) {
* after all.
*/
isc_rwlock_lock(&keylist_lock, isc_rwlocktype_write);
-
key = keythatsigned_unlocked(rrsig);
if (key != NULL) {
isc_rwlock_unlock(&keylist_lock, isc_rwlocktype_write);
@@ -334,7 +322,7 @@ keythatsigned(dns_rdata_rrsig_t *rrsig) {
result = dst_key_fromfile(&rrsig->signer, rrsig->keyid,
rrsig->algorithm, DST_TYPE_PUBLIC,
- NULL, mctx, &pubkey);
+ directory, mctx, &pubkey);
if (result != ISC_R_SUCCESS) {
isc_rwlock_unlock(&keylist_lock, isc_rwlocktype_write);
return (NULL);
@@ -343,12 +331,15 @@ keythatsigned(dns_rdata_rrsig_t *rrsig) {
result = dst_key_fromfile(&rrsig->signer, rrsig->keyid,
rrsig->algorithm,
DST_TYPE_PUBLIC | DST_TYPE_PRIVATE,
- NULL, mctx, &privkey);
+ directory, mctx, &privkey);
if (result == ISC_R_SUCCESS) {
dst_key_free(&pubkey);
- key = newkeystruct(privkey, ISC_FALSE);
- } else
- key = newkeystruct(pubkey, ISC_FALSE);
+ dns_dnsseckey_create(mctx, &privkey, &key);
+ } else {
+ dns_dnsseckey_create(mctx, &pubkey, &key);
+ }
+ key->force_publish = ISC_FALSE;
+ key->force_sign = ISC_FALSE;
ISC_LIST_APPEND(keylist, key, link);
isc_rwlock_unlock(&keylist_lock, isc_rwlocktype_write);
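Review bot: Both `dns_dnsseckey_create()` calls discard the returned isc_result_t, and the next line dereferences `key` with `key->force_publish = ISC_FALSE;`. An earlier hunk initialises `key` to NULL, so an allocation failure here becomes a NULL dereference, where the removed newkeystruct() stopped with `fatal("out of memory")`. Capture and check the result in both branches, e.g. `result = dns_dnsseckey_create(mctx, &privkey, &key);` followed by `check_result(result, "dns_dnsseckey_create");`, using the check_result() helper already called elsewhere in this file. keythatsigned() begins outside this hunk.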
@@ -383,15 +374,16 @@ expecttofindkey(dns_name_t *name) {
dns_name_format(name, namestr, sizeof(namestr));
fatal("failure looking for '%s DNSKEY' in database: %s",
namestr, isc_result_totext(result));
+ /* NOTREACHED */
return (ISC_FALSE); /* removes a warning */
}
static inline isc_boolean_t
-setverifies(dns_name_t *name, dns_rdataset_t *set, signer_key_t *key,
+setverifies(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
dns_rdata_t *rrsig)
{
isc_result_t result;
- result = dns_dnssec_verify(name, set, key->key, ISC_FALSE, mctx, rrsig);
+ result = dns_dnssec_verify(name, set, key, ISC_FALSE, mctx, rrsig);
if (result == ISC_R_SUCCESS) {
INCSTAT(nverified);
return (ISC_TRUE);
@@ -413,7 +405,7 @@ signset(dns_diff_t *del, dns_diff_t *add, dns_dbnode_t *node, dns_name_t *name,
dns_rdataset_t sigset;
dns_rdata_t sigrdata = DNS_RDATA_INIT;
dns_rdata_rrsig_t rrsig;
- signer_key_t *key;
+ dns_dnsseckey_t *key;
isc_result_t result;
isc_boolean_t nosigs = ISC_FALSE;
isc_boolean_t *wassignedby, *nowsignedby;
@@ -483,8 +475,7 @@ signset(dns_diff_t *del, dns_diff_t *add, dns_dbnode_t *node, dns_name_t *name,
"invalid validity period\n",
sigstr);
} else if (key == NULL && !future &&
- expecttofindkey(&rrsig.signer))
- {
+ expecttofindkey(&rrsig.signer)) {
/* rrsig is dropped and not replaced */
vbprintf(2, "\trrsig by %s dropped - "
"private dnskey not found\n",
@@ -496,34 +487,32 @@ signset(dns_diff_t *del, dns_diff_t *add, dns_dbnode_t *node, dns_name_t *name,
keep = ISC_TRUE;
} else if (issigningkey(key)) {
if (!expired && rrsig.originalttl == set->ttl &&
- setverifies(name, set, key, &sigrdata)) {
+ setverifies(name, set, key->key, &sigrdata)) {
vbprintf(2, "\trrsig by %s retained\n", sigstr);
keep = ISC_TRUE;
- wassignedby[key->position] = ISC_TRUE;
- nowsignedby[key->position] = ISC_TRUE;
- key->wasused = ISC_TRUE;
+ wassignedby[key->index] = ISC_TRUE;
+ nowsignedby[key->index] = ISC_TRUE;
} else {
vbprintf(2, "\trrsig by %s dropped - %s\n",
sigstr, expired ? "expired" :
rrsig.originalttl != set->ttl ?
"ttl change" : "failed to verify");
- wassignedby[key->position] = ISC_TRUE;
+ wassignedby[key->index] = ISC_TRUE;
resign = ISC_TRUE;
}
} else if (iszonekey(key)) {
if (!expired && rrsig.originalttl == set->ttl &&
- setverifies(name, set, key, &sigrdata)) {
+ setverifies(name, set, key->key, &sigrdata)) {
vbprintf(2, "\trrsig by %s retained\n", sigstr);
keep = ISC_TRUE;
- wassignedby[key->position] = ISC_TRUE;
- nowsignedby[key->position] = ISC_TRUE;
- key->wasused = ISC_TRUE;
+ wassignedby[key->index] = ISC_TRUE;
+ nowsignedby[key->index] = ISC_TRUE;
} else {
vbprintf(2, "\trrsig by %s dropped - %s\n",
sigstr, expired ? "expired" :
rrsig.originalttl != set->ttl ?
"ttl change" : "failed to verify");
- wassignedby[key->position] = ISC_TRUE;
+ wassignedby[key->index] = ISC_TRUE;
}
} else if (!expired) {
vbprintf(2, "\trrsig by %s retained\n", sigstr);
@@ -534,7 +523,7 @@ signset(dns_diff_t *del, dns_diff_t *add, dns_dbnode_t *node, dns_name_t *name,
if (keep) {
if (key != NULL)
- nowsignedby[key->position] = ISC_TRUE;
+ nowsignedby[key->index] = ISC_TRUE;
INCSTAT(nretained);
if (sigset.ttl != ttl) {
vbprintf(2, "\tfixing ttl %s\n", sigstr);
@@ -569,8 +558,7 @@ signset(dns_diff_t *del, dns_diff_t *add, dns_dbnode_t *node, dns_name_t *name,
signwithkey(name, set, key->key, ttl, add,
"resigning with dnskey");
- nowsignedby[key->position] = ISC_TRUE;
- key->wasused = ISC_TRUE;
+ nowsignedby[key->index] = ISC_TRUE;
}
dns_rdata_reset(&sigrdata);
@@ -588,20 +576,37 @@ signset(dns_diff_t *del, dns_diff_t *add, dns_dbnode_t *node, dns_name_t *name,
key != NULL;
key = ISC_LIST_NEXT(key, link))
{
- if (nowsignedby[key->position])
+ if (nowsignedby[key->index])
continue;
- if (!key->issigningkey)
- continue;
- if (!(ignoreksk || key->isdsk ||
- (key->isksk &&
- set->type == dns_rdatatype_dnskey &&
- dns_name_equal(name, gorigin))))
+ if (!issigningkey(key))
continue;
- signwithkey(name, set, key->key, ttl, add,
- "signing with dnskey");
- key->wasused = ISC_TRUE;
+ if (set->type == dns_rdatatype_dnskey &&
+ dns_name_equal(name, gorigin)) {
+ isc_boolean_t have_ksk;
+ dns_dnsseckey_t *tmpkey;
+
+ have_ksk = isksk(key);
+ for (tmpkey = ISC_LIST_HEAD(keylist);
+ tmpkey != NULL;
+ tmpkey = ISC_LIST_NEXT(tmpkey, link)) {
+ if (dst_key_alg(key->key) !=
+ dst_key_alg(tmpkey->key))
+ continue;
+ if (REVOKE(tmpkey->key))
+ continue;
+ if (isksk(tmpkey))
+ have_ksk = ISC_TRUE;
+ }
+ if (isksk(key) || !have_ksk ||
+ (iszsk(key) && !keyset_kskonly))
+ signwithkey(name, set, key->key, ttl, add,
+ "signing with dnskey");
+ } else if (iszsk(key)) {
+ signwithkey(name, set, key->key, ttl, add,
+ "signing with dnskey");
+ }
}
isc_mem_put(mctx, wassignedby, arraysize * sizeof(isc_boolean_t));
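Review bot: The rule that decides which keys sign the apex DNSKEY RRset is uncommented, and the condition `isksk(key) || !have_ksk || (iszsk(key) && !keyset_kskonly)` is hard to audit on its own. I would put a comment above the inner loop saying that `have_ksk` becomes true when any non-revoked KSK of the same algorithm is in `keylist`. A second comment above the `if` should say that KSKs always sign, ZSKs also sign unless `keyset_kskonly` is set, and any signing key signs when its algorithm has no KSK. The multi-line `signwithkey()` call under that `if` would also read more safely with braces, as the `else if` branch below it has. signset() continues outside this hunk.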
@@ -775,16 +780,21 @@ static void
opendb(const char *prefix, dns_name_t *name, dns_rdataclass_t rdclass,
dns_db_t **dbp)
{
- char filename[256];
+ char filename[PATH_MAX];
isc_buffer_t b;
isc_result_t result;
isc_buffer_init(&b, filename, sizeof(filename));
- if (directory != NULL) {
- isc_buffer_putstr(&b, directory);
- if (directory[strlen(directory) - 1] != '/')
+ if (dsdir != NULL) {
+ /* allow room for a trailing slash */
+ if (strlen(dsdir) >= isc_buffer_availablelength(&b))
+ fatal("path '%s' is too long", dsdir);
+ isc_buffer_putstr(&b, dsdir);
+ if (dsdir[strlen(dsdir) - 1] != '/')
isc_buffer_putstr(&b, "/");
}
+ if (strlen(prefix) > isc_buffer_availablelength(&b))
+ fatal("path '%s' is too long", dsdir);
isc_buffer_putstr(&b, prefix);
result = dns_name_tofilenametext(name, ISC_FALSE, &b);
check_result(result, "dns_name_tofilenametext()");
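Review bot: The second length check in opendb() reports the wrong string: when `prefix` does not fit, it calls `fatal("path '%s' is too long", dsdir)`, and `dsdir` may be NULL on that path because the check sits outside the `if (dsdir != NULL)` block. Passing NULL to `%s` is undefined behaviour, so the message should name what was being appended, e.g. `fatal("path '%s' is too long", prefix);`. Note also that `dsdir[strlen(dsdir) - 1]` reads one byte before the string when `dsdir` is empty; a `dsdir[0] != '\0' &&` guard in front of it would close that. The rest of opendb() lies outside this hunk.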
@@ -799,13 +809,15 @@ opendb(const char *prefix, dns_name_t *name, dns_rdataclass_t rdclass,
rdclass, 0, NULL, dbp);
check_result(result, "dns_db_create()");
- result = dns_db_load(*dbp, filename);
+ result = dns_db_load3(*dbp, filename, inputformat, DNS_MASTER_HINT);
if (result != ISC_R_SUCCESS && result != DNS_R_SEENINCLUDE)
dns_db_detach(dbp);
}
/*%
- * Loads the key set for a child zone, if there is one, and builds DS records.
+ * Load the DS set for a child zone, if a dsset-* file can be found.
+ * If not, try to find a keyset-* file from an earlier version of
+ * dnssec-signzone, and build DS records from that.
*/
static isc_result_t
loadds(dns_name_t *name, isc_uint32_t ttl, dns_rdataset_t *dsset) {
@@ -819,29 +831,49 @@ loadds(dns_name_t *name, isc_uint32_t ttl, dns_rdataset_t *dsset) {
dns_diff_t diff;
dns_difftuple_t *tuple = NULL;
+ opendb("dsset-", name, gclass, &db);
+ if (db != NULL) {
+ result = dns_db_findnode(db, name, ISC_FALSE, &node);
+ if (result == ISC_R_SUCCESS) {
+ dns_rdataset_init(dsset);
+ result = dns_db_findrdataset(db, node, NULL,
+ dns_rdatatype_ds, 0, 0,
+ dsset, NULL);
+ dns_db_detachnode(db, &node);
+ if (result == ISC_R_SUCCESS) {
+ vbprintf(2, "found DS records\n");
+ dsset->ttl = ttl;
+ dns_db_detach(&db);
+ return (result);
+ }
+ }
+ dns_db_detach(&db);
+ }
+
+ /* No DS records found; try again, looking for DNSKEY records */
opendb("keyset-", name, gclass, &db);
- if (db == NULL)
+ if (db == NULL) {
return (ISC_R_NOTFOUND);
+ }
result = dns_db_findnode(db, name, ISC_FALSE, &node);
if (result != ISC_R_SUCCESS) {
dns_db_detach(&db);
- return (DNS_R_BADDB);
+ return (result);
}
+
dns_rdataset_init(&keyset);
- result = dns_db_findrdataset(db, node, NULL, dns_rdatatype_dnskey, 0,
- 0, &keyset, NULL);
+ result = dns_db_findrdataset(db, node, NULL, dns_rdatatype_dnskey, 0, 0,
+ &keyset, NULL);
if (result != ISC_R_SUCCESS) {
dns_db_detachnode(db, &node);
dns_db_detach(&db);
return (result);
}
-
vbprintf(2, "found DNSKEY records\n");
result = dns_db_newversion(db, &ver);
check_result(result, "dns_db_newversion");
-
dns_diff_init(mctx, &diff);
for (result = dns_rdataset_first(&keyset);
@@ -870,6 +902,7 @@ loadds(dns_name_t *name, isc_uint32_t ttl, dns_rdataset_t *dsset) {
check_result(result, "dns_difftuple_create");
dns_diff_append(&diff, &tuple);
}
+
result = dns_diff_apply(&diff, db, ver);
check_result(result, "dns_diff_apply");
dns_diff_clear(&diff);
@@ -1113,17 +1146,15 @@ active_node(dns_dbnode_t *node) {
}
/*%
- * Extracts the TTL from the SOA.
+ * Extracts the minimum TTL from the SOA record, and the SOA record's TTL.
*/
-static dns_ttl_t
-soattl(void) {
+static void
+get_soa_ttls(void) {
dns_rdataset_t soaset;
dns_fixedname_t fname;
dns_name_t *name;
isc_result_t result;
- dns_ttl_t ttl;
dns_rdata_t rdata = DNS_RDATA_INIT;
- dns_rdata_soa_t soa;
dns_fixedname_init(&fname);
name = dns_fixedname_name(&fname);
@@ -1137,11 +1168,9 @@ soattl(void) {
result = dns_rdataset_first(&soaset);
check_result(result, "dns_rdataset_first");
dns_rdataset_current(&soaset, &rdata);
- result = dns_rdata_tostruct(&rdata, &soa, NULL);
- check_result(result, "dns_rdata_tostruct");
- ttl = soa.minimum;
+ zone_soa_min_ttl = dns_soa_getminimum(&rdata);
+ soa_ttl = soaset.ttl;
dns_rdataset_disassociate(&soaset);
- return (ttl);
}
/*%
@@ -1379,7 +1408,7 @@ verifyset(dns_rdataset_t *rdataset, dns_name_t *name, dns_dbnode_t *node,
for (i = 0; i < 256; i++)
if ((ksk_algorithms[i] != 0) &&
(set_algorithms[i] == 0)) {
- alg_format(i, algbuf, sizeof(algbuf));
+ dns_secalg_format(i, algbuf, sizeof(algbuf));
fprintf(stderr, "Missing %s signature for "
"%s %s\n", algbuf, namebuf, typebuf);
bad_algorithms[i] = 1;
@@ -1422,14 +1451,14 @@ verifynode(dns_name_t *name, dns_dbnode_t *node, isc_boolean_t delegation,
/*%
* Verify that certain things are sane:
*
- * The apex has a DNSKEY record with at least one KSK and at least
- * one ZSK.
+ * The apex has a DNSKEY RRset with at least one KSK, and at least
+ * one ZSK if the -x flag was not used.
*
- * The DNSKEY record was signed with at least one of the KSKs in this
- * set.
+ * The DNSKEY record was signed with at least one of the KSKs in
+ * the DNSKEY RRset.
*
* The rest of the zone was signed with at least one of the ZSKs
- * present in the DNSKEY RRSET.
+ * present in the DNSKEY RRset.
*/
static void
verifyzone(void) {
@@ -1440,15 +1469,17 @@ verifyzone(void) {
dns_name_t *name, *nextname, *zonecut;
dns_rdata_dnskey_t dnskey;
dns_rdata_t rdata = DNS_RDATA_INIT;
- dns_rdataset_t rdataset;
- dns_rdataset_t sigrdataset;
+ dns_rdataset_t keyset, soaset;
+ dns_rdataset_t keysigs, soasigs;
int i;
isc_boolean_t done = ISC_FALSE;
isc_boolean_t first = ISC_TRUE;
isc_boolean_t goodksk = ISC_FALSE;
isc_result_t result;
- unsigned char revoked[256];
- unsigned char standby[256];
+ unsigned char revoked_ksk[256];
+ unsigned char revoked_zsk[256];
+ unsigned char standby_ksk[256];
+ unsigned char standby_zsk[256];
unsigned char ksk_algorithms[256];
unsigned char zsk_algorithms[256];
unsigned char bad_algorithms[256];
@@ -1465,20 +1496,34 @@ verifyzone(void) {
fatal("failed to find the zone's origin: %s",
isc_result_totext(result));
- dns_rdataset_init(&rdataset);
- dns_rdataset_init(&sigrdataset);
+ dns_rdataset_init(&keyset);
+ dns_rdataset_init(&keysigs);
+ dns_rdataset_init(&soaset);
+ dns_rdataset_init(&soasigs);
+
result = dns_db_findrdataset(gdb, node, gversion,
dns_rdatatype_dnskey,
- 0, 0, &rdataset, &sigrdataset);
- dns_db_detachnode(gdb, &node);
+ 0, 0, &keyset, &keysigs);
if (result != ISC_R_SUCCESS)
fatal("cannot find DNSKEY rrset\n");
- if (!dns_rdataset_isassociated(&sigrdataset))
+ result = dns_db_findrdataset(gdb, node, gversion,
+ dns_rdatatype_soa,
+ 0, 0, &soaset, &soasigs);
+ dns_db_detachnode(gdb, &node);
+ if (result != ISC_R_SUCCESS)
+ fatal("cannot find SOA rrset\n");
+
+ if (!dns_rdataset_isassociated(&keysigs))
fatal("cannot find DNSKEY RRSIGs\n");
- memset(revoked, 0, sizeof(revoked));
- memset(standby, 0, sizeof(revoked));
+ if (!dns_rdataset_isassociated(&soasigs))
+ fatal("cannot find SOA RRSIGs\n");
+
+ memset(revoked_ksk, 0, sizeof(revoked_ksk));
+ memset(revoked_zsk, 0, sizeof(revoked_zsk));
+ memset(standby_ksk, 0, sizeof(standby_ksk));
+ memset(standby_zsk, 0, sizeof(standby_zsk));
memset(ksk_algorithms, 0, sizeof(ksk_algorithms));
memset(zsk_algorithms, 0, sizeof(zsk_algorithms));
memset(bad_algorithms, 0, sizeof(bad_algorithms));
@@ -1487,13 +1532,14 @@ verifyzone(void) {
#endif
/*
- * Check that the DNSKEY RR has at least one self signing KSK and
- * one ZSK per algorithm in it.
+ * Check that the DNSKEY RR has at least one self signing KSK
+ * and one ZSK per algorithm in it (or, if -x was used, one
+ * self-signing KSK).
*/
- for (result = dns_rdataset_first(&rdataset);
+ for (result = dns_rdataset_first(&keyset);
result == ISC_R_SUCCESS;
- result = dns_rdataset_next(&rdataset)) {
- dns_rdataset_current(&rdataset, &rdata);
+ result = dns_rdataset_next(&keyset)) {
+ dns_rdataset_current(&keyset, &rdata);
result = dns_rdata_tostruct(&rdata, &dnskey, NULL);
check_result(result, "dns_rdata_tostruct");
@@ -1501,8 +1547,8 @@ verifyzone(void) {
;
else if ((dnskey.flags & DNS_KEYFLAG_REVOKE) != 0) {
if ((dnskey.flags & DNS_KEYFLAG_KSK) != 0 &&
- !dns_dnssec_selfsigns(&rdata, gorigin, &rdataset,
- &sigrdataset, ISC_FALSE,
+ !dns_dnssec_selfsigns(&rdata, gorigin, &keyset,
+ &keysigs, ISC_FALSE,
mctx)) {
char namebuf[DNS_NAME_FORMATSIZE];
char buffer[1024];
@@ -1518,20 +1564,23 @@ verifyzone(void) {
(int)isc_buffer_usedlength(&buf), buffer);
}
if ((dnskey.flags & DNS_KEYFLAG_KSK) != 0 &&
- revoked[dnskey.algorithm] != 255)
- revoked[dnskey.algorithm]++;
+ revoked_ksk[dnskey.algorithm] != 255)
+ revoked_ksk[dnskey.algorithm]++;
+ else if ((dnskey.flags & DNS_KEYFLAG_KSK) == 0 &&
+ revoked_zsk[dnskey.algorithm] != 255)
+ revoked_zsk[dnskey.algorithm]++;
} else if ((dnskey.flags & DNS_KEYFLAG_KSK) != 0) {
- if (dns_dnssec_selfsigns(&rdata, gorigin, &rdataset,
- &sigrdataset, ISC_FALSE, mctx)) {
+ if (dns_dnssec_selfsigns(&rdata, gorigin, &keyset,
+ &keysigs, ISC_FALSE, mctx)) {
if (ksk_algorithms[dnskey.algorithm] != 255)
ksk_algorithms[dnskey.algorithm]++;
goodksk = ISC_TRUE;
} else {
- if (standby[dnskey.algorithm] != 255)
- standby[dnskey.algorithm]++;
+ if (standby_ksk[dnskey.algorithm] != 255)
+ standby_ksk[dnskey.algorithm]++;
}
- } else if (dns_dnssec_selfsigns(&rdata, gorigin, &rdataset,
- &sigrdataset, ISC_FALSE,
+ } else if (dns_dnssec_selfsigns(&rdata, gorigin, &keyset,
+ &keysigs, ISC_FALSE,
mctx)) {
#ifdef ALLOW_KSKLESS_ZONES
if (self_algorithms[dnskey.algorithm] != 255)
@@ -1539,9 +1588,13 @@ verifyzone(void) {
#endif
if (zsk_algorithms[dnskey.algorithm] != 255)
zsk_algorithms[dnskey.algorithm]++;
- } else {
+ } else if (dns_dnssec_signs(&rdata, gorigin, &soaset,
+ &soasigs, ISC_FALSE, mctx)) {
if (zsk_algorithms[dnskey.algorithm] != 255)
zsk_algorithms[dnskey.algorithm]++;
+ } else {
+ if (standby_zsk[dnskey.algorithm] != 255)
+ standby_zsk[dnskey.algorithm]++;
#ifdef ALLOW_KSKLESS_ZONES
allzsksigned = ISC_FALSE;
#endif
@@ -1549,44 +1602,58 @@ verifyzone(void) {
dns_rdata_freestruct(&dnskey);
dns_rdata_reset(&rdata);
}
- dns_rdataset_disassociate(&sigrdataset);
+ dns_rdataset_disassociate(&keysigs);
+ dns_rdataset_disassociate(&soaset);
+ dns_rdataset_disassociate(&soasigs);
- if (!goodksk) {
#ifdef ALLOW_KSKLESS_ZONES
- if (!goodzsk)
- fatal("no self signing keys found");
- fprintf(stderr, "No self signing KSK found. Using self signed "
- "ZSK's for active algorithm list.\n");
+ if (!goodksk) {
+ if (!ignore_kskflag)
+ fprintf(stderr, "No self signing KSK found. Using "
+ "self signed ZSK's for active "
+ "algorithm list.\n");
memcpy(ksk_algorithms, self_algorithms, sizeof(ksk_algorithms));
if (!allzsksigned)
fprintf(stderr, "warning: not all ZSK's are self "
"signed.\n");
+ }
#else
- fatal("no self signed KSK's found");
-#endif
+ if (!goodksk) {
+ fatal("No self signed KSK's found");
}
+#endif
fprintf(stderr, "Verifying the zone using the following algorithms:");
for (i = 0; i < 256; i++) {
- if (ksk_algorithms[i] != 0) {
- alg_format(i, algbuf, sizeof(algbuf));
+#ifdef ALLOW_KSKLESS_ZONES
+ if (ksk_algorithms[i] != 0 || zsk_algorithms[i] != 0)
+#else
+ if (ksk_algorithms[i] != 0)
+#endif
+ {
+ dns_secalg_format(i, algbuf, sizeof(algbuf));
fprintf(stderr, " %s", algbuf);
}
}
fprintf(stderr, ".\n");
- for (i = 0; i < 256; i++) {
- /*
- * The counts should both be zero or both be non-zero.
- * Mark the algorithm as bad if this is not met.
- */
- if ((ksk_algorithms[i] != 0) == (zsk_algorithms[i] != 0))
- continue;
- alg_format(i, algbuf, sizeof(algbuf));
- fprintf(stderr, "Missing %s for algorithm %s\n",
- (ksk_algorithms[i] != 0) ? "ZSK" : "self signing KSK",
- algbuf);
- bad_algorithms[i] = 1;
+ if (!ignore_kskflag && !keyset_kskonly) {
+ for (i = 0; i < 256; i++) {
+ /*
+ * The counts should both be zero or both be non-zero.
+ * Mark the algorithm as bad if this is not met.
+ */
+ if ((ksk_algorithms[i] != 0) ==
+ (zsk_algorithms[i] != 0))
+ continue;
+ dns_secalg_format(i, algbuf, sizeof(algbuf));
+ fprintf(stderr, "Missing %s for algorithm %s\n",
+ (ksk_algorithms[i] != 0)
+ ? "ZSK"
+ : "self signing KSK",
+ algbuf);
+ bad_algorithms[i] = 1;
+ }
}
/*
@@ -1626,7 +1693,7 @@ verifyzone(void) {
dns_name_copy(name, zonecut, NULL);
isdelegation = ISC_TRUE;
}
- verifynode(name, node, isdelegation, &rdataset,
+ verifynode(name, node, isdelegation, &keyset,
ksk_algorithms, bad_algorithms);
result = dns_dbiterator_next(dbiter);
nextnode = NULL;
@@ -1663,13 +1730,13 @@ verifyzone(void) {
result = dns_dbiterator_next(dbiter) ) {
result = dns_dbiterator_current(dbiter, &node, name);
check_dns_dbiterator_current(result);
- verifynode(name, node, ISC_FALSE, &rdataset,
+ verifynode(name, node, ISC_FALSE, &keyset,
ksk_algorithms, bad_algorithms);
dns_db_detachnode(gdb, &node);
}
dns_dbiterator_destroy(&dbiter);
- dns_rdataset_disassociate(&rdataset);
+ dns_rdataset_disassociate(&keyset);
/*
* If we made it this far, we have what we consider a properly signed
@@ -1680,7 +1747,7 @@ verifyzone(void) {
if (first)
fprintf(stderr, "The zone is not fully signed "
"for the following algorithms:");
- alg_format(i, algbuf, sizeof(algbuf));
+ dns_secalg_format(i, algbuf, sizeof(algbuf));
fprintf(stderr, " %s", algbuf);
first = ISC_FALSE;
}
@@ -1690,21 +1757,30 @@ verifyzone(void) {
fatal("DNSSEC completeness test failed.");
}
- if (goodksk) {
+ if (goodksk || ignore_kskflag) {
/*
* Print the success summary.
*/
fprintf(stderr, "Zone signing complete:\n");
for (i = 0; i < 256; i++) {
- if ((zsk_algorithms[i] != 0) ||
- (ksk_algorithms[i] != 0) ||
- (revoked[i] != 0) || (standby[i] != 0)) {
- alg_format(i, algbuf, sizeof(algbuf));
- fprintf(stderr, "Algorithm: %s: ZSKs: %u, "
- "KSKs: %u active, %u revoked, %u "
- "stand-by\n", algbuf,
- zsk_algorithms[i], ksk_algorithms[i],
- revoked[i], standby[i]);
+ if ((ksk_algorithms[i] != 0) ||
+ (standby_ksk[i] != 0) ||
+ (revoked_zsk[i] != 0) ||
+ (zsk_algorithms[i] != 0) ||
+ (standby_zsk[i] != 0) ||
+ (revoked_zsk[i] != 0)) {
+ dns_secalg_format(i, algbuf, sizeof(algbuf));
+ fprintf(stderr, "Algorithm: %s: KSKs: "
+ "%u active, %u stand-by, %u revoked\n",
+ algbuf, ksk_algorithms[i],
+ standby_ksk[i], revoked_ksk[i]);
+ fprintf(stderr, "%*sZSKs: "
+ "%u active, %u %s, %u revoked\n",
+ (int) strlen(algbuf) + 13, "",
+ zsk_algorithms[i],
+ standby_zsk[i],
+ keyset_kskonly ? "present" : "stand-by",
+ revoked_zsk[i]);
}
}
}
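Review bot: The condition that selects which algorithms appear in the success summary tests `revoked_zsk[i] != 0` twice and never tests `revoked_ksk[i]`, so an algorithm whose only keys are revoked KSKs is silently left out of the report. The first of the two duplicated lines should read `(revoked_ksk[i] != 0) ||`, which matches the KSK/ZSK grouping of the other terms and the `revoked_ksk[i]` value printed a few lines below. verifyzone() starts outside this hunk.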
@@ -1929,6 +2005,7 @@ add_ds(dns_name_t *name, dns_dbnode_t *node, isc_uint32_t nsttl) {
dns_rdatatype_ds, 0);
check_result(result, "dns_db_deleterdataset");
}
+
result = loadds(name, nsttl, &dsset);
if (result == ISC_R_SUCCESS) {
result = dns_db_addrdataset(gdb, node, gversion, 0,
@@ -1959,7 +2036,7 @@ remove_records(dns_dbnode_t *node, dns_rdatatype_t which) {
dns_rdataset_init(&rdataset);
/*
- * Delete any NSEC records at the apex.
+ * Delete any records of the given type at the apex.
*/
result = dns_db_allrdatasets(gdb, node, gversion, 0, &rdsiter);
check_result(result, "dns_db_allrdatasets()");
@@ -1971,6 +2048,12 @@ remove_records(dns_dbnode_t *node, dns_rdatatype_t which) {
covers = rdataset.covers;
dns_rdataset_disassociate(&rdataset);
if (type == which || covers == which) {
+ if (which == dns_rdatatype_nsec && !update_chain)
+ fatal("Zone contains NSEC records. Use -u "
+ "to update to NSEC3.");
+ if (which == dns_rdatatype_nsec3param && !update_chain)
+ fatal("Zone contains NSEC3 chains. Use -u "
+ "to update to NSEC.");
result = dns_db_deleterdataset(gdb, node, gversion,
type, covers);
check_result(result, "dns_db_deleterdataset()");
@@ -2094,8 +2177,9 @@ nsecify(void) {
} else if (result != ISC_R_SUCCESS)
fatal("iterating through the database failed: %s",
isc_result_totext(result));
+ dns_dbiterator_pause(dbiter);
result = dns_nsec_build(gdb, gversion, node, nextname,
- zonettl);
+ zone_soa_min_ttl);
check_result(result, "dns_nsec_build()");
dns_db_detachnode(gdb, &node);
}
@@ -2327,6 +2411,97 @@ nsec3clean(dns_name_t *name, dns_dbnode_t *node,
check_result(result, "dns_db_deleterdataset(RRSIG(NSEC3))");
}
+static void
+rrset_remove_duplicates(dns_name_t *name, dns_rdataset_t *rdataset,
+ dns_diff_t *diff)
+{
+ dns_difftuple_t *tuple = NULL;
+ isc_result_t result;
+ unsigned int count1 = 0;
+ dns_rdataset_t tmprdataset;
+
+ dns_rdataset_init(&tmprdataset);
+ for (result = dns_rdataset_first(rdataset);
+ result == ISC_R_SUCCESS;
+ result = dns_rdataset_next(rdataset)) {
+ dns_rdata_t rdata1 = DNS_RDATA_INIT;
+ unsigned int count2 = 0;
+
+ count1++;
+ dns_rdataset_current(rdataset, &rdata1);
+ dns_rdataset_clone(rdataset, &tmprdataset);
+ for (result = dns_rdataset_first(&tmprdataset);
+ result == ISC_R_SUCCESS;
+ result = dns_rdataset_next(&tmprdataset)) {
+ dns_rdata_t rdata2 = DNS_RDATA_INIT;
+ count2++;
+ if (count1 >= count2)
+ continue;
+ dns_rdataset_current(&tmprdataset, &rdata2);
+ if (dns_rdata_casecompare(&rdata1, &rdata2) == 0) {
+ result = dns_difftuple_create(mctx,
+ DNS_DIFFOP_DEL,
+ name,
+ rdataset->ttl,
+ &rdata2, &tuple);
+ check_result(result, "dns_difftuple_create");
+ dns_diff_append(diff, &tuple);
+ }
+ }
+ dns_rdataset_disassociate(&tmprdataset);
+ }
+}
+
+static void
+remove_duplicates(void) {
+ isc_result_t result;
+ dns_dbiterator_t *dbiter = NULL;
+ dns_rdatasetiter_t *rdsiter = NULL;
+ dns_diff_t diff;
+ dns_dbnode_t *node = NULL;
+ dns_rdataset_t rdataset;
+ dns_fixedname_t fname;
+ dns_name_t *name;
+
+ dns_diff_init(mctx, &diff);
+ dns_fixedname_init(&fname);
+ name = dns_fixedname_name(&fname);
+ dns_rdataset_init(&rdataset);
+
+ result = dns_db_createiterator(gdb, 0, &dbiter);
+ check_result(result, "dns_db_createiterator()");
+
+ for (result = dns_dbiterator_first(dbiter);
+ result == ISC_R_SUCCESS;
+ result = dns_dbiterator_next(dbiter)) {
+
+ result = dns_dbiterator_current(dbiter, &node, name);
+ check_dns_dbiterator_current(result);
+ result = dns_db_allrdatasets(gdb, node, gversion, 0, &rdsiter);
+ check_result(result, "dns_db_allrdatasets()");
+ for (result = dns_rdatasetiter_first(rdsiter);
+ result == ISC_R_SUCCESS;
+ result = dns_rdatasetiter_next(rdsiter)) {
+ dns_rdatasetiter_current(rdsiter, &rdataset);
+ rrset_remove_duplicates(name, &rdataset, &diff);
+ dns_rdataset_disassociate(&rdataset);
+ }
+ if (result != ISC_R_NOMORE)
+ fatal("rdatasets iteration failed.");
+ dns_rdatasetiter_destroy(&rdsiter);
+ dns_db_detachnode(gdb, &node);
+ }
+ if (result != ISC_R_NOMORE)
+ fatal("zone iteration failed.");
+
+ if (!ISC_LIST_EMPTY(diff.tuples)) {
+ result = dns_diff_applysilently(&diff, gdb, gversion);
+ check_result(result, "dns_diff_applysilently");
+ }
+ dns_diff_clear(&diff);
+ dns_dbiterator_destroy(&dbiter);
+}
+
/*
* Generate NSEC3 records for the zone.
*/
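Review bot: rrset_remove_duplicates() and remove_duplicates() are added without a header comment, although the function that follows them has one. I would add `/* Queue a DNS_DIFFOP_DEL tuple for each record that dns_rdata_casecompare() finds equal to an earlier record in the rdataset. */` above the first. Above the second, `/* Run rrset_remove_duplicates() over every rdataset in gdb and apply the collected deletions to gversion. */`. When three or more records compare equal, the later ones are queued once per earlier match, so the diff can contain the same deletion more than once. This presumably relies on dns_diff_applysilently() tolerating that, which is worth stating in the comment or avoiding by breaking out of the inner loop after the first match.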
@@ -2553,7 +2728,7 @@ nsec3ify(unsigned int hashalg, unsigned int iterations,
*/
dns_dbiterator_pause(dbiter);
addnsec3(name, node, salt, salt_length, iterations,
- hashlist, zonettl);
+ hashlist, zone_soa_min_ttl);
dns_db_detachnode(gdb, &node);
/*
* Add NSEC3's for empty nodes. Use closest encloser logic.
@@ -2564,7 +2739,7 @@ nsec3ify(unsigned int hashalg, unsigned int iterations,
count--;
dns_name_split(nextname, count, NULL, nextname);
addnsec3(nextname, NULL, salt, salt_length,
- iterations, hashlist, zonettl);
+ iterations, hashlist, zone_soa_min_ttl);
}
}
dns_dbiterator_destroy(&dbiter);
@@ -2587,7 +2762,7 @@ loadzone(char *file, char *origin, dns_rdataclass_t rdclass, dns_db_t **db) {
dns_fixedname_init(&fname);
name = dns_fixedname_name(&fname);
- result = dns_name_fromtext(name, &b, dns_rootname, ISC_FALSE, NULL);
+ result = dns_name_fromtext(name, &b, dns_rootname, 0, NULL);
if (result != ISC_R_SUCCESS)
fatal("failed converting name '%s' to dns format: %s",
origin, isc_result_totext(result));
@@ -2607,90 +2782,169 @@ loadzone(char *file, char *origin, dns_rdataclass_t rdclass, dns_db_t **db) {
* private keys from disk.
*/
static void
-loadzonekeys(dns_db_t *db) {
+loadzonekeys(isc_boolean_t preserve_keys, isc_boolean_t load_public) {
dns_dbnode_t *node;
- dns_dbversion_t *currentversion;
+ dns_dbversion_t *currentversion = NULL;
isc_result_t result;
- dst_key_t *keys[20];
- unsigned int nkeys, i;
-
- currentversion = NULL;
- dns_db_currentversion(db, &currentversion);
+ dns_rdataset_t rdataset, keysigs, soasigs;
node = NULL;
- result = dns_db_findnode(db, gorigin, ISC_FALSE, &node);
+ result = dns_db_findnode(gdb, gorigin, ISC_FALSE, &node);
if (result != ISC_R_SUCCESS)
fatal("failed to find the zone's origin: %s",
isc_result_totext(result));
- result = dns_dnssec_findzonekeys(db, currentversion, node, gorigin,
- mctx, 20, keys, &nkeys);
- if (result == ISC_R_NOTFOUND)
- result = ISC_R_SUCCESS;
+ dns_db_currentversion(gdb, &currentversion);
+
+ dns_rdataset_init(&rdataset);
+ dns_rdataset_init(&soasigs);
+ dns_rdataset_init(&keysigs);
+
+ /* Make note of the keys which signed the SOA, if any */
+ result = dns_db_findrdataset(gdb, node, currentversion,
+ dns_rdatatype_soa, 0, 0,
+ &rdataset, &soasigs);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+
+ /* Preserve the TTL of the DNSKEY RRset, if any */
+ dns_rdataset_disassociate(&rdataset);
+ result = dns_db_findrdataset(gdb, node, currentversion,
+ dns_rdatatype_dnskey, 0, 0,
+ &rdataset, &keysigs);
+
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+
+ if (set_keyttl && keyttl != rdataset.ttl) {
+ fprintf(stderr, "User-specified TTL (%d) conflicts "
+ "with existing DNSKEY RRset TTL.\n",
+ keyttl);
+ fprintf(stderr, "Imported keys will use the RRSet "
+ "TTL (%d) instead.\n",
+ rdataset.ttl);
+ }
+ keyttl = rdataset.ttl;
+
+ /* Load keys corresponding to the existing DNSKEY RRset. */
+ result = dns_dnssec_keylistfromrdataset(gorigin, directory, mctx,
+ &rdataset, &keysigs, &soasigs,
+ preserve_keys, load_public,
+ &keylist);
if (result != ISC_R_SUCCESS)
- fatal("failed to find the zone keys: %s",
+ fatal("failed to load the zone keys: %s",
isc_result_totext(result));
- for (i = 0; i < nkeys; i++) {
- signer_key_t *key;
+ cleanup:
+ if (dns_rdataset_isassociated(&rdataset))
+ dns_rdataset_disassociate(&rdataset);
+ if (dns_rdataset_isassociated(&keysigs))
+ dns_rdataset_disassociate(&keysigs);
+ if (dns_rdataset_isassociated(&soasigs))
+ dns_rdataset_disassociate(&soasigs);
+ dns_db_detachnode(gdb, &node);
+ dns_db_closeversion(gdb, &currentversion, ISC_FALSE);
+}
- key = newkeystruct(keys[i], dst_key_isprivate(keys[i]));
- ISC_LIST_APPEND(keylist, key, link);
+static void
+loadexplicitkeys(char *keyfiles[], int n, isc_boolean_t setksk) {
+ isc_result_t result;
+ int i;
+
+ for (i = 0; i < n; i++) {
+ dns_dnsseckey_t *key = NULL;
+ dst_key_t *newkey = NULL;
+
+ result = dst_key_fromnamedfile(keyfiles[i], directory,
+ DST_TYPE_PUBLIC |
+ DST_TYPE_PRIVATE,
+ mctx, &newkey);
+ if (result != ISC_R_SUCCESS)
+ fatal("cannot load dnskey %s: %s", keyfiles[i],
+ isc_result_totext(result));
+
+ if (!dns_name_equal(gorigin, dst_key_name(newkey)))
+ fatal("key %s not at origin\n", keyfiles[i]);
+
+ if (!dst_key_isprivate(newkey))
+ fatal("cannot sign zone with non-private dnskey %s",
+ keyfiles[i]);
+
+ /* Skip any duplicates */
+ for (key = ISC_LIST_HEAD(keylist);
+ key != NULL;
+ key = ISC_LIST_NEXT(key, link)) {
+ if (dst_key_id(key->key) == dst_key_id(newkey) &&
+ dst_key_alg(key->key) == dst_key_alg(newkey))
+ break;
+ }
+
+ if (key == NULL) {
+ /* We haven't seen this key before */
+ dns_dnsseckey_create(mctx, &newkey, &key);
+ ISC_LIST_APPEND(keylist, key, link);
+ key->source = dns_keysource_user;
+ } else {
+ dst_key_free(&key->key);
+ key->key = newkey;
+ }
+
+ key->force_publish = ISC_TRUE;
+ key->force_sign = ISC_TRUE;
+
+ if (setksk)
+ key->ksk = ISC_TRUE;
}
- dns_db_detachnode(db, &node);
- dns_db_closeversion(db, &currentversion, ISC_FALSE);
}
-/*%
- * Finds all public zone keys in the zone.
- */
static void
-loadzonepubkeys(dns_db_t *db) {
- dns_dbversion_t *currentversion = NULL;
- dns_dbnode_t *node = NULL;
- dns_rdataset_t rdataset;
- dns_rdata_t rdata = DNS_RDATA_INIT;
- dst_key_t *pubkey;
- signer_key_t *key;
+report(const char *format, ...) {
+ va_list args;
+ va_start(args, format);
+ vfprintf(stderr, format, args);
+ va_end(args);
+ putc('\n', stderr);
+}
+
+static void
+build_final_keylist() {
isc_result_t result;
+ dns_dbversion_t *ver = NULL;
+ dns_diff_t diff;
+ dns_dnsseckeylist_t matchkeys;
+ char name[DNS_NAME_FORMATSIZE];
- dns_db_currentversion(db, &currentversion);
+ /*
+ * Find keys that match this zone in the key repository.
+ */
+ ISC_LIST_INIT(matchkeys);
+ result = dns_dnssec_findmatchingkeys(gorigin, directory,
+ mctx, &matchkeys);
+ if (result == ISC_R_NOTFOUND)
+ result = ISC_R_SUCCESS;
+ check_result(result, "dns_dnssec_findmatchingkeys");
- result = dns_db_findnode(db, gorigin, ISC_FALSE, &node);
- if (result != ISC_R_SUCCESS)
- fatal("failed to find the zone's origin: %s",
- isc_result_totext(result));
+ result = dns_db_newversion(gdb, &ver);
+ check_result(result, "dns_db_newversion");
- dns_rdataset_init(&rdataset);
- result = dns_db_findrdataset(db, node, currentversion,
- dns_rdatatype_dnskey, 0, 0, &rdataset,
- NULL);
+ dns_diff_init(mctx, &diff);
+
+ /*
+ * Update keylist with information from from the key repository.
+ */
+ dns_dnssec_updatekeys(&keylist, &matchkeys, NULL, gorigin, keyttl,
+ &diff, ignore_kskflag, mctx, report);
+
+ dns_name_format(gorigin, name, sizeof(name));
+
+ result = dns_diff_applysilently(&diff, gdb, ver);
if (result != ISC_R_SUCCESS)
- fatal("failed to find keys at the zone apex: %s",
- isc_result_totext(result));
- result = dns_rdataset_first(&rdataset);
- check_result(result, "dns_rdataset_first");
- while (result == ISC_R_SUCCESS) {
- pubkey = NULL;
- dns_rdata_reset(&rdata);
- dns_rdataset_current(&rdataset, &rdata);
- result = dns_dnssec_keyfromrdata(gorigin, &rdata, mctx,
- &pubkey);
- if (result != ISC_R_SUCCESS)
- goto next;
- if (!dst_key_iszonekey(pubkey)) {
- dst_key_free(&pubkey);
- goto next;
- }
+ fatal("failed to update DNSKEY RRset at node '%s': %s",
+ name, isc_result_totext(result));
- key = newkeystruct(pubkey, ISC_FALSE);
- ISC_LIST_APPEND(keylist, key, link);
- next:
- result = dns_rdataset_next(&rdataset);
- }
- dns_rdataset_disassociate(&rdataset);
- dns_db_detachnode(db, &node);
- dns_db_closeversion(db, &currentversion, ISC_FALSE);
+ dns_db_closeversion(gdb, &ver, ISC_TRUE);
+
+ dns_diff_clear(&diff);
}
static void
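Review bot: Both TTL messages in loadzonekeys() print with `%d`, but `rdataset.ttl` is an unsigned 32-bit dns_ttl_t, so a TTL above 2^31-1 would be shown as a negative number. `keyttl` is declared outside this hunk and is presumably the same type. Use `%u` in both format strings: `"User-specified TTL (%u) conflicts "` and `"TTL (%u) instead.\n"`. Two smaller points in the same hunk: `build_final_keylist()` should be declared `build_final_keylist(void)` like `remove_duplicates(void)` in this file, and its comment reads "information from from the key repository".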
@@ -2734,15 +2988,109 @@ warnifallksk(dns_db_t *db) {
dns_rdataset_disassociate(&rdataset);
dns_db_detachnode(db, &node);
dns_db_closeversion(db, &currentversion, ISC_FALSE);
- if (!have_non_ksk && !ignoreksk) {
+ if (!have_non_ksk && !ignore_kskflag) {
if (disable_zone_check)
- fprintf(stderr, "%s: warning: No non-KSK dnskey found. "
- "Supply non-KSK dnskey or use '-z'.\n",
+ fprintf(stderr, "%s: warning: No non-KSK DNSKEY found; "
+ "supply a ZSK or use '-z'.\n",
program);
else
- fatal("No non-KSK dnskey found. "
- "Supply non-KSK dnskey or use '-z'.");
+ fatal("No non-KSK DNSKEY found; "
+ "supply a ZSK or use '-z'.");
+ }
+}
+
+static void
+set_nsec3params(isc_boolean_t update_chain, isc_boolean_t set_salt,
+ isc_boolean_t set_optout, isc_boolean_t set_iter)
+{
+ isc_result_t result;
+ dns_dbversion_t *ver = NULL;
+ dns_dbnode_t *node = NULL;
+ dns_rdataset_t rdataset;
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ dns_rdata_nsec3_t nsec3;
+ dns_fixedname_t fname;
+ dns_name_t *hashname;
+ unsigned char orig_salt[256];
+ size_t orig_saltlen;
+ dns_hash_t orig_hash;
+ isc_uint16_t orig_iter;
+
+ dns_db_currentversion(gdb, &ver);
+ dns_rdataset_init(&rdataset);
+
+ orig_saltlen = sizeof(orig_salt);
+ result = dns_db_getnsec3parameters(gdb, ver, &orig_hash, NULL,
+ &orig_iter, orig_salt,
+ &orig_saltlen);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+
+ nsec_datatype = dns_rdatatype_nsec3;
+
+ if (!update_chain && set_salt) {
+ if (salt_length != orig_saltlen ||
+ memcmp(saltbuf, orig_salt, salt_length) != 0)
+ fatal("An NSEC3 chain exists with a different salt. "
+ "Use -u to update it.");
+ } else if (!set_salt) {
+ salt_length = orig_saltlen;
+ memcpy(saltbuf, orig_salt, orig_saltlen);
+ salt = saltbuf;
}
+
+ if (!update_chain && set_iter) {
+ if (nsec3iter != orig_iter)
+ fatal("An NSEC3 chain exists with different "
+ "iterations. Use -u to update it.");
+ } else if (!set_iter)
+ nsec3iter = orig_iter;
+
+ /*
+ * Find an NSEC3 record to get the current OPTOUT value.
+ * (This assumes all NSEC3 records agree.)
+ */
+
+ dns_fixedname_init(&fname);
+ hashname = dns_fixedname_name(&fname);
+ result = dns_nsec3_hashname(&fname, NULL, NULL,
+ gorigin, gorigin, dns_hash_sha1,
+ orig_iter, orig_salt, orig_saltlen);
+ check_result(result, "dns_nsec3_hashname");
+
+ result = dns_db_findnsec3node(gdb, hashname, ISC_FALSE, &node);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+
+ result = dns_db_findrdataset(gdb, node, ver, dns_rdatatype_nsec3,
+ 0, 0, &rdataset, NULL);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+
+ result = dns_rdataset_first(&rdataset);
+ check_result(result, "dns_rdataset_first");
+ dns_rdataset_current(&rdataset, &rdata);
+ result = dns_rdata_tostruct(&rdata, &nsec3, NULL);
+ check_result(result, "dns_rdata_tostruct");
+
+ if (!update_chain && set_optout) {
+ if (nsec3flags != nsec3.flags)
+ fatal("An NSEC3 chain exists with%s OPTOUT. "
+ "Use -u -%s to %s it.",
+ OPTOUT(nsec3.flags) ? "" : "out",
+ OPTOUT(nsec3.flags) ? "AA" : "A",
+ OPTOUT(nsec3.flags) ? "clear" : "set");
+ } else if (!set_optout)
+ nsec3flags = nsec3.flags;
+
+ dns_rdata_freestruct(&nsec3);
+
+ cleanup:
+ if (dns_rdataset_isassociated(&rdataset))
+ dns_rdataset_disassociate(&rdataset);
+ if (node != NULL)
+ dns_db_detachnode(gdb, &node);
+ dns_db_closeversion(gdb, &ver, ISC_FALSE);
}
static void
@@ -2762,7 +3110,7 @@ writeset(const char *prefix, dns_rdatatype_t type) {
isc_buffer_t namebuf;
isc_region_t r;
isc_result_t result;
- signer_key_t *key;
+ dns_dnsseckey_t *key, *tmpkey;
unsigned char dsbuf[DNS_DS_BUFFERSIZE];
unsigned char keybuf[DST_KEY_MAXSIZE];
unsigned int filenamelen;
@@ -2774,13 +3122,13 @@ writeset(const char *prefix, dns_rdatatype_t type) {
check_result(result, "dns_name_tofilenametext");
isc_buffer_putuint8(&namebuf, 0);
filenamelen = strlen(prefix) + strlen(namestr);
- if (directory != NULL)
- filenamelen += strlen(directory) + 1;
+ if (dsdir != NULL)
+ filenamelen += strlen(dsdir) + 1;
filename = isc_mem_get(mctx, filenamelen + 1);
if (filename == NULL)
fatal("out of memory");
- if (directory != NULL)
- sprintf(filename, "%s/", directory);
+ if (dsdir != NULL)
+ sprintf(filename, "%s/", dsdir);
else
filename[0] = 0;
strcat(filename, prefix);
@@ -2788,22 +3136,6 @@ writeset(const char *prefix, dns_rdatatype_t type) {
dns_diff_init(mctx, &diff);
- for (key = ISC_LIST_HEAD(keylist);
- key != NULL;
- key = ISC_LIST_NEXT(key, link))
- if (!key->isksk) {
- have_non_ksk = ISC_TRUE;
- break;
- }
-
- for (key = ISC_LIST_HEAD(keylist);
- key != NULL;
- key = ISC_LIST_NEXT(key, link))
- if (key->isksk) {
- have_ksk = ISC_TRUE;
- break;
- }
-
if (type == dns_rdatatype_dlv) {
dns_name_t tname;
unsigned int labels;
@@ -2822,7 +3154,28 @@ writeset(const char *prefix, dns_rdatatype_t type) {
key != NULL;
key = ISC_LIST_NEXT(key, link))
{
- if (have_ksk && have_non_ksk && !key->isksk)
+ if (REVOKE(key->key))
+ continue;
+ if (isksk(key)) {
+ have_ksk = ISC_TRUE;
+ have_non_ksk = ISC_FALSE;
+ } else {
+ have_ksk = ISC_FALSE;
+ have_non_ksk = ISC_TRUE;
+ }
+ for (tmpkey = ISC_LIST_HEAD(keylist);
+ tmpkey != NULL;
+ tmpkey = ISC_LIST_NEXT(tmpkey, link)) {
+ if (dst_key_alg(key->key) != dst_key_alg(tmpkey->key))
+ continue;
+ if (REVOKE(tmpkey->key))
+ continue;
+ if (isksk(tmpkey))
+ have_ksk = ISC_TRUE;
+ else
+ have_non_ksk = ISC_TRUE;
+ }
+ if (have_ksk && have_non_ksk && !isksk(key))
continue;
dns_rdata_init(&rdata);
dns_rdata_init(&ds);
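Review bot: The if/else that seeds `have_ksk` and `have_non_ksk` from `key` duplicates work the inner loop already does, because that loop starts at the list head and therefore visits `key` itself (same algorithm, and already known not to be revoked). Resetting both flags with `have_ksk = ISC_FALSE; have_non_ksk = ISC_FALSE;` before the inner loop would give the same result with less to read. The rule being implemented also deserves a comment above the final test, for example `/* Skip a ZSK when a non-revoked KSK of the same algorithm is present. */`, since it decides which keys end up in the written set. The enclosing `for` over `keylist` begins outside this hunk.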
@@ -2855,7 +3208,7 @@ writeset(const char *prefix, dns_rdatatype_t type) {
} else
result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD,
- gorigin, zonettl,
+ gorigin, zone_soa_min_ttl,
&rdata, &tuple);
check_result(result, "dns_difftuple_create");
dns_diff_append(&diff, &tuple);
@@ -2913,14 +3266,18 @@ usage(void) {
fprintf(stderr, "Version: %s\n", VERSION);
fprintf(stderr, "Options: (default value in parenthesis) \n");
- fprintf(stderr, "\t-c class (IN)\n");
- fprintf(stderr, "\t-d directory\n");
- fprintf(stderr, "\t\tdirectory to find keyset files (.)\n");
+ fprintf(stderr, "\t-S:\tsmart signing: automatically finds key files\n"
+ "\t\tfor the zone and determines how they are to "
+ "be used\n");
+ fprintf(stderr, "\t-K directory:\n");
+ fprintf(stderr, "\t\tdirectory to find key files (.)\n");
+ fprintf(stderr, "\t-d directory:\n");
+ fprintf(stderr, "\t\tdirectory to find dsset-* files (.)\n");
fprintf(stderr, "\t-g:\t");
- fprintf(stderr, "generate DS records from keyset files\n");
+ fprintf(stderr, "update DS records based on child zones' "
+ "dsset-* files\n");
fprintf(stderr, "\t-s [YYYYMMDDHHMMSS|+offset]:\n");
- fprintf(stderr, "\t\tRRSIG start time - absolute|offset "
- "(now - 1 hour)\n");
+ fprintf(stderr, "\t\tRRSIG start time - absolute|offset (now - 1 hour)\n");
fprintf(stderr, "\t-e [YYYYMMDDHHMMSS|+offset|\"now\"+offset]:\n");
fprintf(stderr, "\t\tRRSIG end time - absolute|from start|from now "
"(now + 30 days)\n");
@@ -2928,8 +3285,7 @@ usage(void) {
fprintf(stderr, "\t\tcycle interval - resign "
"if < interval from end ( (end-start)/4 )\n");
fprintf(stderr, "\t-j jitter:\n");
- fprintf(stderr, "\t\trandomize signature end time up to jitter "
- "seconds\n");
+ fprintf(stderr, "\t\trandomize signature end time up to jitter seconds\n");
fprintf(stderr, "\t-v debuglevel (0)\n");
fprintf(stderr, "\t-o origin:\n");
fprintf(stderr, "\t\tzone origin (name of zonefile)\n");
@@ -2946,20 +3302,33 @@ usage(void) {
fprintf(stderr, "\t\ta file containing random data\n");
fprintf(stderr, "\t-a:\t");
fprintf(stderr, "verify generated signatures\n");
+ fprintf(stderr, "\t-c class (IN)\n");
+ fprintf(stderr, "\t-E engine:\n");
+#ifdef USE_PKCS11
+ fprintf(stderr, "\t\tname of an OpenSSL engine to use "
+ "(default is \"pkcs11\")\n");
+#else
+ fprintf(stderr, "\t\tname of an OpenSSL engine to use\n");
+#endif
fprintf(stderr, "\t-p:\t");
fprintf(stderr, "use pseudorandom data (faster but less secure)\n");
fprintf(stderr, "\t-P:\t");
fprintf(stderr, "disable post-sign verification\n");
+ fprintf(stderr, "\t-T TTL:\tTTL for newly added DNSKEYs\n");
fprintf(stderr, "\t-t:\t");
fprintf(stderr, "print statistics\n");
+ fprintf(stderr, "\t-u:\t");
+ fprintf(stderr, "update or replace an existing NSEC/NSEC3 chain\n");
+ fprintf(stderr, "\t-x:\tsign DNSKEY record with KSKs only, not ZSKs\n");
+ fprintf(stderr, "\t-z:\tsign all records with KSKs\n");
+ fprintf(stderr, "\t-C:\tgenerate a keyset file, for compatibility\n"
+ "\t\twith older versions of dnssec-signzone -g\n");
fprintf(stderr, "\t-n ncpus (number of cpus present)\n");
fprintf(stderr, "\t-k key_signing_key\n");
fprintf(stderr, "\t-l lookasidezone\n");
- fprintf(stderr, "\t-3 salt (NSEC3 salt)\n");
- fprintf(stderr, "\t-H iterations (NSEC3 iterations)\n");
- fprintf(stderr, "\t-A (NSEC3 optout)\n");
- fprintf(stderr, "\t-z:\t");
- fprintf(stderr, "ignore KSK flag in DNSKEYs");
+ fprintf(stderr, "\t-3 NSEC3 salt\n");
+ fprintf(stderr, "\t-H NSEC3 iterations (10)\n");
+ fprintf(stderr, "\t-A NSEC3 optout\n");
fprintf(stderr, "\n");
@@ -3020,10 +3389,15 @@ main(int argc, char *argv[]) {
char *endp;
isc_time_t timer_start, timer_finish;
isc_time_t sign_start, sign_finish;
- signer_key_t *key;
+ dns_dnsseckey_t *key;
isc_result_t result;
isc_log_t *log = NULL;
isc_boolean_t pseudorandom = ISC_FALSE;
+#ifdef USE_PKCS11
+ const char *engine = "pkcs11";
+#else
+ const char *engine = NULL;
+#endif
unsigned int eflags;
isc_boolean_t free_output = ISC_FALSE;
int tempfilelen;
@@ -3031,13 +3405,15 @@ main(int argc, char *argv[]) {
isc_task_t **tasks = NULL;
isc_buffer_t b;
int len;
- unsigned int iterations = 100U;
- const unsigned char *salt = NULL;
- size_t salt_length = 0;
- unsigned char saltbuf[255];
hashlist_t hashlist;
+ isc_boolean_t smartsign = ISC_FALSE;
+ isc_boolean_t make_keyset = ISC_FALSE;
+ isc_boolean_t set_salt = ISC_FALSE;
+ isc_boolean_t set_optout = ISC_FALSE;
+ isc_boolean_t set_iter = ISC_FALSE;
-#define CMDLINE_FLAGS "3:aAc:d:e:f:FghH:i:I:j:k:l:m:n:N:o:O:pPr:s:StUv:z"
+#define CMDLINE_FLAGS \
+ "3:AaCc:Dd:E:e:f:FghH:i:I:j:K:k:l:m:n:N:o:O:pPr:s:ST:tuUv:xz"
/*
* Process memory debugging argument first.
@@ -3077,7 +3453,9 @@ main(int argc, char *argv[]) {
while ((ch = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) {
switch (ch) {
case '3':
- if (strcmp(isc_commandline_argument, "-")) {
+ set_salt = ISC_TRUE;
+ nsec_datatype = dns_rdatatype_nsec3;
+ if (strcmp(isc_commandline_argument, "-") != 0) {
isc_buffer_t target;
char *sarg;
@@ -3087,29 +3465,42 @@ main(int argc, char *argv[]) {
result = isc_hex_decodestring(sarg, &target);
check_result(result,
"isc_hex_decodestring(salt)");
- salt = saltbuf;
salt_length = isc_buffer_usedlength(&target);
- } else {
- salt = saltbuf;
- salt_length = 0;
}
- nsec_datatype = dns_rdatatype_nsec3;
break;
case 'A':
- nsec3flags |= DNS_NSEC3FLAG_OPTOUT;
+ set_optout = ISC_TRUE;
+ if (OPTOUT(nsec3flags))
+ nsec3flags &= ~DNS_NSEC3FLAG_OPTOUT;
+ else
+ nsec3flags |= DNS_NSEC3FLAG_OPTOUT;
break;
case 'a':
tryverify = ISC_TRUE;
break;
+ case 'C':
+ make_keyset = ISC_TRUE;
+ break;
+
case 'c':
classname = isc_commandline_argument;
break;
case 'd':
- directory = isc_commandline_argument;
+ dsdir = isc_commandline_argument;
+ if (strlen(dsdir) == 0U)
+ fatal("DS directory must be non-empty string");
+ result = try_dir(dsdir);
+ if (result != ISC_R_SUCCESS)
+ fatal("cannot open directory %s: %s",
+ dsdir, isc_result_totext(result));
+ break;
+
+ case 'E':
+ engine = isc_commandline_argument;
break;
case 'e':
@@ -3125,11 +3516,11 @@ main(int argc, char *argv[]) {
break;
case 'H':
- iterations = strtoul(isc_commandline_argument,
- &endp, 0);
+ set_iter = ISC_TRUE;
+ nsec3iter = strtoul(isc_commandline_argument, &endp, 0);
if (*endp != '\0')
fatal("iterations must be numeric");
- if (iterations > 0xffffU)
+ if (nsec3iter > 0xffffU)
fatal("iterations too big");
break;
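Review bot: The `-H` parsing in this hunk accepts an empty argument as 0, because only `*endp != '\0'` is tested and strtoul() leaves `endp` at the start of the string when it consumes nothing. The result is also stored in `nsec3iter` before the `0xffffU` check; the declaration of `nsec3iter` is outside this hunk, but if it is narrower than `unsigned long` an oversized value could be truncated before it is range-checked. Parsing into an `unsigned long` temporary, testing `if (endp == isc_commandline_argument || *endp != '\0')`, and assigning to `nsec3iter` only after the range check would close both gaps. The iteration count sets the hashing cost for the signer and for every validator, so a silently wrong value is worth rejecting at the command line.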
@@ -3137,6 +3528,10 @@ main(int argc, char *argv[]) {
usage();
break;
+ case 'I':
+ inputformatstr = isc_commandline_argument;
+ break;
+
case 'i':
endp = NULL;
cycle = strtol(isc_commandline_argument, &endp, 0);
@@ -3145,10 +3540,6 @@ main(int argc, char *argv[]) {
"positive");
break;
- case 'I':
- inputformatstr = isc_commandline_argument;
- break;
-
case 'j':
endp = NULL;
jitter = strtol(isc_commandline_argument, &endp, 0);
@@ -3156,6 +3547,10 @@ main(int argc, char *argv[]) {
fatal("jitter must be numeric and positive");
break;
+ case 'K':
+ directory = isc_commandline_argument;
+ break;
+
case 'k':
if (ndskeys == MAXDSKEYS)
fatal("too many key-signing keys specified");
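Review bot: The new `-K` case stores the key directory without the checks that the same commit adds for `-d`, where an empty string is rejected and try_dir() must succeed before parsing continues. As written, a mistyped or unreadable key repository is only noticed later, when key files fail to load, and that error is harder to trace back to the option. Applying the same two checks here would keep the two directory options consistent, assuming try_dir() does no more than confirm the directory can be opened (its body is not shown on this page).

```c
		case 'K':
			directory = isc_commandline_argument;
			if (strlen(directory) == 0U)
				fatal("key directory must be non-empty string");
			result = try_dir(directory);
			if (result != ISC_R_SUCCESS)
				fatal("cannot open directory %s: %s",
				      directory, isc_result_totext(result));
			break;
```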
@@ -3169,14 +3564,18 @@ main(int argc, char *argv[]) {
dns_fixedname_init(&dlv_fixed);
dlv = dns_fixedname_name(&dlv_fixed);
- result = dns_name_fromtext(dlv, &b, dns_rootname,
- ISC_FALSE, NULL);
+ result = dns_name_fromtext(dlv, &b, dns_rootname, 0,
+ NULL);
check_result(result, "dns_name_fromtext(dlv)");
break;
case 'm':
break;
+ case 'N':
+ serialformatstr = isc_commandline_argument;
+ break;
+
case 'n':
endp = NULL;
ntasks = strtol(isc_commandline_argument, &endp, 0);
@@ -3184,38 +3583,38 @@ main(int argc, char *argv[]) {
fatal("number of cpus must be numeric");
break;
- case 'N':
- serialformatstr = isc_commandline_argument;
+ case 'O':
+ outputformatstr = isc_commandline_argument;
break;
case 'o':
origin = isc_commandline_argument;
break;
- case 'O':
- outputformatstr = isc_commandline_argument;
+ case 'P':
+ disable_zone_check = ISC_TRUE;
break;
case 'p':
pseudorandom = ISC_TRUE;
break;
- case 'P':
- disable_zone_check = ISC_TRUE;
- break;
-
case 'r':
setup_entropy(mctx, isc_commandline_argument, &ectx);
break;
+ case 'S':
+ smartsign = ISC_TRUE;
+ break;
+
case 's':
startstr = isc_commandline_argument;
break;
- case 'S':
- /* This is intentionally undocumented */
- /* -S: simple output style */
- masterstyle = &dns_master_style_simple;
+ case 'T':
+ endp = NULL;
+ set_keyttl = ISC_TRUE;
+ keyttl = strtottl(isc_commandline_argument);
break;
case 't':
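Review bot: `endp = NULL;` in the new `case 'T'` is a dead store: strtottl() is called with the argument alone, so nothing in this case reads `endp`. Dropping the line avoids suggesting that the TTL is validated here the way the `strtol` cases validate theirs. Whatever checking the TTL gets is left to strtottl(), whose body is outside this page. The same hunk repurposes `-S` from the undocumented simple output style to smart signing, which is worth a line in the release notes for anyone who scripted the old flag.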
@@ -3226,6 +3625,10 @@ main(int argc, char *argv[]) {
unknownalg = ISC_TRUE;
break;
+ case 'u':
+ update_chain = ISC_TRUE;
+ break;
+
case 'v':
endp = NULL;
verbose = strtol(isc_commandline_argument, &endp, 0);
@@ -3233,8 +3636,12 @@ main(int argc, char *argv[]) {
fatal("verbose level must be numeric");
break;
+ case 'x':
+ keyset_kskonly = ISC_TRUE;
+ break;
+
case 'z':
- ignoreksk = ISC_TRUE;
+ ignore_kskflag = ISC_TRUE;
break;
case 'F':
@@ -3264,20 +3671,21 @@ main(int argc, char *argv[]) {
if (result != ISC_R_SUCCESS)
fatal("could not create hash context");
- result = dst_lib_init(mctx, ectx, eflags);
+ result = dst_lib_init2(mctx, ectx, engine, eflags);
if (result != ISC_R_SUCCESS)
- fatal("could not initialize dst");
+ fatal("could not initialize dst: %s",
+ isc_result_totext(result));
isc_stdtime_get(&now);
- if (startstr != NULL)
+ if (startstr != NULL) {
starttime = strtotime(startstr, now, now);
- else
+ } else
starttime = now - 3600; /* Allow for some clock skew. */
- if (endstr != NULL)
+ if (endstr != NULL) {
endtime = strtotime(endstr, now, starttime);
- else
+ } else
endtime = starttime + (30 * 24 * 60 * 60);
if (cycle == -1)
@@ -3289,6 +3697,9 @@ main(int argc, char *argv[]) {
rdclass = strtoclass(classname);
+ if (directory == NULL)
+ directory = ".";
+
setup_logging(verbose, mctx, &log);
argc -= isc_commandline_index;
@@ -3354,7 +3765,19 @@ main(int argc, char *argv[]) {
loadzone(file, origin, rdclass, &gdb);
gorigin = dns_db_origin(gdb);
gclass = dns_db_class(gdb);
- zonettl = soattl();
+ get_soa_ttls();
+
+ if (!set_keyttl)
+ keyttl = soa_ttl;
+
+ /*
+ * Check for any existing NSEC3 parameters in the zone,
+ * and use them as defaults if -u was not specified.
+ */
+ if (update_chain && !set_optout && !set_iter && !set_salt)
+ nsec_datatype = dns_rdatatype_nsec;
+ else
+ set_nsec3params(update_chain, set_salt, set_optout, set_iter);
if (IS_NSEC3) {
isc_boolean_t answer;
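Review bot: The comment above the new `if (update_chain && ...)` says the existing NSEC3 parameters are used as defaults "if -u was not specified", but the code also calls set_nsec3params() when `-u` is combined with any of `-3`, `-H` or `-A`. In the part of set_nsec3params() visible on this page, the `else if (!set_salt)` and `else if (!set_iter)` branches copy the existing values whether or not `update_chain` is set. A wording closer to the code would be `/* Use existing NSEC3 parameters as defaults for any not given on the command line; -u alone switches the chain to NSEC. */`. The distinction matters to an operator because `-u -H n` keeps the old salt rather than dropping it.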
@@ -3375,95 +3798,42 @@ main(int argc, char *argv[]) {
ISC_LIST_INIT(keylist);
isc_rwlock_init(&keylist_lock, 0, 0);
- if (argc == 0) {
- loadzonekeys(gdb);
- } else {
- for (i = 0; i < argc; i++) {
- dst_key_t *newkey = NULL;
-
- result = dst_key_fromnamedfile(argv[i],
- DST_TYPE_PUBLIC |
- DST_TYPE_PRIVATE,
- mctx, &newkey);
- if (result != ISC_R_SUCCESS)
- fatal("cannot load dnskey %s: %s", argv[i],
- isc_result_totext(result));
-
- if (!dns_name_equal(gorigin, dst_key_name(newkey)))
- fatal("key %s not at origin\n", argv[i]);
-
- key = ISC_LIST_HEAD(keylist);
- while (key != NULL) {
- dst_key_t *dkey = key->key;
- if (dst_key_id(dkey) == dst_key_id(newkey) &&
- dst_key_alg(dkey) == dst_key_alg(newkey) &&
- dns_name_equal(dst_key_name(dkey),
- dst_key_name(newkey)))
- {
- if (!dst_key_isprivate(dkey))
- fatal("cannot sign zone with "
- "non-private dnskey %s",
- argv[i]);
- break;
- }
- key = ISC_LIST_NEXT(key, link);
- }
- if (key == NULL) {
- key = newkeystruct(newkey, ISC_TRUE);
- key->commandline = ISC_TRUE;
- ISC_LIST_APPEND(keylist, key, link);
- } else
- dst_key_free(&newkey);
- }
-
- loadzonepubkeys(gdb);
- }
-
- for (i = 0; i < ndskeys; i++) {
- dst_key_t *newkey = NULL;
-
- result = dst_key_fromnamedfile(dskeyfile[i],
- DST_TYPE_PUBLIC |
- DST_TYPE_PRIVATE,
- mctx, &newkey);
- if (result != ISC_R_SUCCESS)
- fatal("cannot load dnskey %s: %s", dskeyfile[i],
- isc_result_totext(result));
+ /*
+ * Fill keylist with:
+ * 1) Keys listed in the DNSKEY set that have
+ * private keys associated, *if* no keys were
+ * set on the command line.
+ * 2) ZSKs set on the command line
+ * 3) KSKs set on the command line
+ * 4) Any keys remaining in the DNSKEY set which
+ * do not have private keys associated and were
+ * not specified on the command line.
+ */
+ if (argc == 0 || smartsign)
+ loadzonekeys(!smartsign, ISC_FALSE);
+ loadexplicitkeys(argv, argc, ISC_FALSE);
+ loadexplicitkeys(dskeyfile, ndskeys, ISC_TRUE);
+ loadzonekeys(!smartsign, ISC_TRUE);
- if (!dns_name_equal(gorigin, dst_key_name(newkey)))
- fatal("key %s not at origin\n", dskeyfile[i]);
+ /*
+ * If we're doing smart signing, look in the key repository for
+ * key files with metadata, and merge them with the keylist
+ * we have now.
+ */
+ if (smartsign)
+ build_final_keylist();
- key = ISC_LIST_HEAD(keylist);
- while (key != NULL) {
- dst_key_t *dkey = key->key;
- if (dst_key_id(dkey) == dst_key_id(newkey) &&
- dst_key_alg(dkey) == dst_key_alg(newkey) &&
- dns_name_equal(dst_key_name(dkey),
- dst_key_name(newkey)))
- {
- /* Override key flags. */
- key->issigningkey = ISC_TRUE;
- key->isksk = ISC_TRUE;
- key->isdsk = ISC_FALSE;
- dst_key_free(&dkey);
- key->key = newkey;
- break;
- }
- key = ISC_LIST_NEXT(key, link);
- }
- if (key == NULL) {
- /* Override dnskey flags. */
- key = newkeystruct(newkey, ISC_TRUE);
- key->isksk = ISC_TRUE;
- key->isdsk = ISC_FALSE;
- ISC_LIST_APPEND(keylist, key, link);
- }
+ /* Now enumerate the key list */
+ for (key = ISC_LIST_HEAD(keylist);
+ key != NULL;
+ key = ISC_LIST_NEXT(key, link)) {
+ key->index = keycount++;
}
- if (ISC_LIST_EMPTY(keylist)) {
+ if (keycount == 0) {
if (disable_zone_check)
fprintf(stderr, "%s: warning: No keys specified "
- "or found\n", program);
+ "or found\n", program);
else
fatal("No signing keys specified or found.");
nokeys = ISC_TRUE;
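Review bot: Step 1 of the new "Fill keylist with" comment says zone keys with private halves are loaded only if no keys were given on the command line, but the condition is `argc == 0 || smartsign`, so `-S` loads them even when keys are listed. The comment should say so, for example `private keys associated, *if* no keys were set on the command line or -S was given`. The bare boolean arguments in `loadzonekeys(!smartsign, ISC_FALSE)` and `loadexplicitkeys(argv, argc, ISC_FALSE)` are also hard to read at the call site; their meaning is defined outside this hunk, and a short trailing comment naming each parameter would help a reviewer check that the right keys become signing keys.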
@@ -3475,7 +3845,7 @@ main(int argc, char *argv[]) {
unsigned int max;
result = dns_nsec3_maxiterations(gdb, NULL, mctx, &max);
check_result(result, "dns_nsec3_maxiterations()");
- if (iterations > max)
+ if (nsec3iter > max)
fatal("NSEC3 iterations too big for weakest DNSKEY "
"strength. Maximum iterations allowed %u.", max);
}
@@ -3497,15 +3867,18 @@ main(int argc, char *argv[]) {
break;
}
+ remove_duplicates();
+
if (IS_NSEC3)
- nsec3ify(dns_hash_sha1, iterations, salt, salt_length,
+ nsec3ify(dns_hash_sha1, nsec3iter, salt, salt_length,
&hashlist);
else
nsecify();
if (!nokeys) {
- writeset("keyset-", dns_rdatatype_dnskey);
writeset("dsset-", dns_rdatatype_ds);
+ if (make_keyset)
+ writeset("keyset-", dns_rdatatype_dnskey);
if (dlv != NULL) {
writeset("dlvset-", dns_rdatatype_dlv);
}
@@ -3615,8 +3988,7 @@ main(int argc, char *argv[]) {
while (!ISC_LIST_EMPTY(keylist)) {
key = ISC_LIST_HEAD(keylist);
ISC_LIST_UNLINK(keylist, key, link);
- dst_key_free(&key->key);
- isc_mem_put(mctx, key, sizeof(signer_key_t));
+ dns_dnsseckey_destroy(mctx, &key);
}
isc_mem_put(mctx, tempfile, tempfilelen);
diff --git a/contrib/bind9/bin/dnssec/dnssec-signzone.docbook b/contrib/bind9/bin/dnssec/dnssec-signzone.docbook
index 60b1224c7240..128ebe96341b 100644
--- a/contrib/bind9/bin/dnssec/dnssec-signzone.docbook
+++ b/contrib/bind9/bin/dnssec/dnssec-signzone.docbook
@@ -2,7 +2,7 @@
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- - Copyright (C) 2004-2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@@ -18,10 +18,10 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id$ -->
+<!-- $Id: dnssec-signzone.docbook,v 1.44 2009/12/03 23:18:16 each Exp $ -->
<refentry id="man.dnssec-signzone">
<refentryinfo>
- <date>June 08, 2009</date>
+ <date>June 05, 2009</date>
</refentryinfo>
<refmeta>
@@ -43,7 +43,6 @@
<year>2007</year>
<year>2008</year>
<year>2009</year>
- <year>2012</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
<copyright>
@@ -61,10 +60,12 @@
<arg><option>-a</option></arg>
<arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
<arg><option>-d <replaceable class="parameter">directory</replaceable></option></arg>
+ <arg><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
<arg><option>-e <replaceable class="parameter">end-time</replaceable></option></arg>
<arg><option>-f <replaceable class="parameter">output-file</replaceable></option></arg>
<arg><option>-g</option></arg>
<arg><option>-h</option></arg>
+ <arg><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
<arg><option>-k <replaceable class="parameter">key</replaceable></option></arg>
<arg><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
<arg><option>-i <replaceable class="parameter">interval</replaceable></option></arg>
@@ -76,9 +77,13 @@
<arg><option>-p</option></arg>
<arg><option>-P</option></arg>
<arg><option>-r <replaceable class="parameter">randomdev</replaceable></option></arg>
+ <arg><option>-S</option></arg>
<arg><option>-s <replaceable class="parameter">start-time</replaceable></option></arg>
+ <arg><option>-T <replaceable class="parameter">ttl</replaceable></option></arg>
<arg><option>-t</option></arg>
+ <arg><option>-u</option></arg>
<arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
+ <arg><option>-x</option></arg>
<arg><option>-z</option></arg>
<arg><option>-3 <replaceable class="parameter">salt</replaceable></option></arg>
<arg><option>-H <replaceable class="parameter">iterations</replaceable></option></arg>
@@ -93,10 +98,10 @@
<para><command>dnssec-signzone</command>
signs a zone. It generates
NSEC and RRSIG records and produces a signed version of the
- zone. It also generates a <filename>keyset-</filename> file containing
- the key-signing keys for the zone, and if signing a zone which
- contains delegations, it can optionally generate DS records for
- the child zones from their <filename>keyset-</filename> files.
+ zone. The security status of delegations from the signed zone
+ (that is, whether the child zones are secure or not) is
+ determined by the presence or absence of a
+ <filename>keyset</filename> file for each child zone.
</para>
</refsect1>
@@ -123,31 +128,37 @@
</varlistentry>
<varlistentry>
- <term>-k <replaceable class="parameter">key</replaceable></term>
+ <term>-C</term>
<listitem>
<para>
- Treat specified key as a key signing key ignoring any
- key flags. This option may be specified multiple times.
+ Compatibility mode: Generate a
+ <filename>keyset-<replaceable>zonename</replaceable></filename>
+ file in addition to
+ <filename>dsset-<replaceable>zonename</replaceable></filename>
+ when signing a zone, for use by older versions of
+ <command>dnssec-signzone</command>.
</para>
</listitem>
</varlistentry>
<varlistentry>
- <term>-l <replaceable class="parameter">domain</replaceable></term>
+ <term>-d <replaceable class="parameter">directory</replaceable></term>
<listitem>
<para>
- Generate a DLV set in addition to the key (DNSKEY) and DS sets.
- The domain is appended to the name of the records.
+ Look for <filename>dsset-</filename> or
+ <filename>keyset-</filename> files in <option>directory</option>.
</para>
</listitem>
</varlistentry>
<varlistentry>
- <term>-d <replaceable class="parameter">directory</replaceable></term>
+ <term>-E <replaceable class="parameter">engine</replaceable></term>
<listitem>
<para>
- Look for <filename>keyset</filename> files in
- <option>directory</option> as the directory
+ Uses a crypto hardware (OpenSSL engine) for the crypto operations
+ it supports, for instance signing with private keys from
+ a secure key store. When compiled with PKCS#11 support
+ it defaults to pkcs11; the empty name resets it to no engine.
</para>
</listitem>
</varlistentry>
@@ -156,10 +167,39 @@
<term>-g</term>
<listitem>
<para>
- If the zone contains any delegations, and there are
- <filename>keyset-</filename> files for any of the child zones,
- then DS records for the child zones will be generated from the
- keys in those files. Existing DS records will be removed.
+ Generate DS records for child zones from
+ <filename>dsset-</filename> or <filename>keyset-</filename>
+ file. Existing DS records will be removed.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-K <replaceable class="parameter">directory</replaceable></term>
+ <listitem>
+ <para>
+ Key repository: Specify a directory to search for DNSSEC keys.
+ If not specified, defaults to the current directory.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-k <replaceable class="parameter">key</replaceable></term>
+ <listitem>
+ <para>
+ Treat specified key as a key signing key ignoring any
+ key flags. This option may be specified multiple times.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-l <replaceable class="parameter">domain</replaceable></term>
+ <listitem>
+ <para>
+ Generate a DLV set in addition to the key (DNSKEY) and DS sets.
+ The domain is appended to the name of the records.
</para>
</listitem>
</varlistentry>
@@ -191,6 +231,8 @@
the start time. A time relative to the current time is
indicated with now+N. If no <option>end-time</option> is
specified, 30 days from the start time is used as a default.
+ <option>end-time</option> must be later than
+ <option>start-time</option>.
</para>
</listitem>
</varlistentry>
@@ -397,6 +439,89 @@
</varlistentry>
<varlistentry>
+ <term>-S</term>
+ <listitem>
+ <para>
+ Smart signing: Instructs <command>dnssec-signzone</command> to
+ search the key repository for keys that match the zone being
+ signed, and to include them in the zone if appropriate.
+ </para>
+ <para>
+ When a key is found, its timing metadata is examined to
+ determine how it should be used, according to the following
+ rules. Each successive rule takes priority over the prior
+ ones:
+ </para>
+ <variablelist>
+ <varlistentry>
+ <listitem>
+ <para>
+ If no timing metadata has been set for the key, the key is
+ published in the zone and used to sign the zone.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <listitem>
+ <para>
+ If the key's publication date is set and is in the past, the
+ key is published in the zone.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <listitem>
+ <para>
+ If the key's activation date is set and in the past, the
+ key is published (regardless of publication date) and
+ used to sign the zone.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <listitem>
+ <para>
+ If the key's revocation date is set and in the past, and the
+ key is published, then the key is revoked, and the revoked key
+ is used to sign the zone.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <listitem>
+ <para>
+ If either of the key's unpublication or deletion dates are set
+ and in the past, the key is NOT published or used to sign the
+ zone, regardless of any other metadata.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-T <replaceable class="parameter">ttl</replaceable></term>
+ <listitem>
+ <para>
+ Specifies the TTL to be used for new DNSKEY records imported
+ into the zone from the key repository. If not specified,
+ the default is the minimum TTL value from the zone's SOA
+ record. This option is ignored when signing without
+ <option>-S</option>, since DNSKEY records are not imported
+ from the key repository in that case. It is also ignored if
+ there are any pre-existing DNSKEY records at the zone apex,
+ in which case new records' TTL values will be set to match
+ them.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term>-t</term>
<listitem>
<para>
@@ -406,6 +531,20 @@
</varlistentry>
<varlistentry>
+ <term>-u</term>
+ <listitem>
+ <para>
+ Update NSEC/NSEC3 chain when re-signing a previously signed
+ zone. With this option, a zone signed with NSEC can be
+ switched to NSEC3, or a zone signed with NSEC3 can
+ be switch to NSEC or to NSEC3 with different parameters.
+ Without this option, <command>dnssec-signzone</command> will
+ retain the existing chain when re-signing.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term>-v <replaceable class="parameter">level</replaceable></term>
<listitem>
<para>
@@ -415,10 +554,26 @@
</varlistentry>
<varlistentry>
+ <term>-x</term>
+ <listitem>
+ <para>
+ Only sign the DNSKEY RRset with key-signing keys, and omit
+ signatures from zone-signing keys. (This is similar to the
+ <command>dnssec-dnskey-kskonly yes;</command> zone option in
+ <command>named</command>.)
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term>-z</term>
<listitem>
<para>
- Ignore KSK flag on key when determining what to sign.
+ Ignore KSK flag on key when determining what to sign. This
+ causes KSK-flagged keys to sign all records, not just the
+ DNSKEY RRset. (This is similar to the
+ <command>update-check-ksk no;</command> zone option in
+ <command>named</command>.)
</para>
</listitem>
</varlistentry>
@@ -427,7 +582,7 @@
<term>-3 <replaceable class="parameter">salt</replaceable></term>
<listitem>
<para>
- Generate a NSEC3 chain with the given hex encoded salt.
+ Generate an NSEC3 chain with the given hex encoded salt.
A dash (<replaceable class="parameter">salt</replaceable>) can
be used to indicate that no salt is to be used when generating the NSEC3 chain.
</para>
@@ -438,8 +593,8 @@
<term>-H <replaceable class="parameter">iterations</replaceable></term>
<listitem>
<para>
- When generating a NSEC3 chain use this many interations. The
- default is 100.
+ When generating an NSEC3 chain, use this many interations. The
+ default is 10.
</para>
</listitem>
</varlistentry>
@@ -448,10 +603,16 @@
<term>-A</term>
<listitem>
<para>
- When generating a NSEC3 chain set the OPTOUT flag on all
+ When generating an NSEC3 chain set the OPTOUT flag on all
NSEC3 records and do not generate NSEC3 records for insecure
delegations.
</para>
+ <para>
+ Using this option twice (i.e., <option>-AA</option>)
+ turns the OPTOUT flag off for all records. This is useful
+ when using the <option>-u</option> option to modify an NSEC3
+ chain which previously had OPTOUT set.
+ </para>
</listitem>
</varlistentry>
@@ -485,10 +646,11 @@
<para>
The following command signs the <userinput>example.com</userinput>
zone with the DSA key generated by <command>dnssec-keygen</command>
- (Kexample.com.+003+17247). The zone's keys must be in the master
- file (<filename>db.example.com</filename>). This invocation looks
- for <filename>keyset</filename> files, in the current directory,
- so that DS records can be generated from them (<command>-g</command>).
+ (Kexample.com.+003+17247). Because the <command>-S</command> option
+ is not being used, the zone's keys must be in the master file
+ (<filename>db.example.com</filename>). This invocation looks
+ for <filename>dsset</filename> files, in the current directory,
+ so that DS records can be imported from them (<command>-g</command>).
</para>
<programlisting>% dnssec-signzone -g -o example.com db.example.com \
Kexample.com.+003+17247
@@ -511,33 +673,6 @@ db.example.com.signed
</refsect1>
<refsect1>
- <title>KNOWN BUGS</title>
- <para>
- <command>dnssec-signzone</command> was designed so that it could
- sign a zone partially, using only a subset of the DNSSEC keys
- needed to produce a fully-signed zone. This permits a zone
- administrator, for example, to sign a zone with one key on one
- machine, move the resulting partially-signed zone to a second
- machine, and sign it again with a second key.
- </para>
- <para>
- An unfortunate side-effect of this flexibility is that
- <command>dnssec-signzone</command> does not check to make sure
- it's signing a zone with any valid keys at all. An attempt to
- sign a zone without any keys will appear to succeed, producing
- a "signed" zone with no signatures. There is no warning issued
- when a zone is not fully signed.
- </para>
-
- <para>
- This will be corrected in a future release. In the meantime, ISC
- recommends examining the output of <command>dnssec-signzone</command>
- to confirm that the zone is properly signed by all keys before
- using it.
- </para>
- </refsect1>
-
- <refsect1>
<title>SEE ALSO</title>
<para><citerefentry>
<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
diff --git a/contrib/bind9/bin/dnssec/dnssec-signzone.html b/contrib/bind9/bin/dnssec/dnssec-signzone.html
index 1a84044e36d3..82185c6477d5 100644
--- a/contrib/bind9/bin/dnssec/dnssec-signzone.html
+++ b/contrib/bind9/bin/dnssec/dnssec-signzone.html
@@ -1,5 +1,5 @@
<!--
- - Copyright (C) 2004-2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@@ -29,21 +29,21 @@
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code> [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>] [<code class="option">-N <em class="replaceable"><code>soa-serial-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>] [<code class="option">-p</code>] [<code class="option">-P</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-t</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-z</code>] [<code class="option">-3 <em class="replaceable"><code>salt</code></em></code>] [<code class="option">-H <em class="replaceable"><code>iterations</code></em></code>] [<code class="option">-A</code>] {zonefile} [key...]</p></div>
+<div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code> [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>] [<code class="option">-N <em class="replaceable"><code>soa-serial-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>] [<code class="option">-p</code>] [<code class="option">-P</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-S</code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-T <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-t</code>] [<code class="option">-u</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-x</code>] [<code class="option">-z</code>] [<code class="option">-3 <em class="replaceable"><code>salt</code></em></code>] 
[<code class="option">-H <em class="replaceable"><code>iterations</code></em></code>] [<code class="option">-A</code>] {zonefile} [key...]</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543561"></a><h2>DESCRIPTION</h2>
+<a name="id2543597"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-signzone</strong></span>
signs a zone. It generates
NSEC and RRSIG records and produces a signed version of the
- zone. It also generates a <code class="filename">keyset-</code> file containing
- the key-signing keys for the zone, and if signing a zone which
- contains delegations, it can optionally generate DS records for
- the child zones from their <code class="filename">keyset-</code> files.
+ zone. The security status of delegations from the signed zone
+ (that is, whether the child zones are secure or not) is
+ determined by the presence or absence of a
+ <code class="filename">keyset</code> file for each child zone.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543579"></a><h2>OPTIONS</h2>
+<a name="id2543612"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-a</span></dt>
<dd><p>
@@ -53,6 +53,38 @@
<dd><p>
Specifies the DNS class of the zone.
</p></dd>
+<dt><span class="term">-C</span></dt>
+<dd><p>
+ Compatibility mode: Generate a
+ <code class="filename">keyset-<em class="replaceable"><code>zonename</code></em></code>
+ file in addition to
+ <code class="filename">dsset-<em class="replaceable"><code>zonename</code></em></code>
+ when signing a zone, for use by older versions of
+ <span><strong class="command">dnssec-signzone</strong></span>.
+ </p></dd>
+<dt><span class="term">-d <em class="replaceable"><code>directory</code></em></span></dt>
+<dd><p>
+ Look for <code class="filename">dsset-</code> or
+ <code class="filename">keyset-</code> files in <code class="option">directory</code>.
+ </p></dd>
+<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
+<dd><p>
+ Uses a crypto hardware (OpenSSL engine) for the crypto operations
+ it supports, for instance signing with private keys from
+ a secure key store. When compiled with PKCS#11 support
+ it defaults to pkcs11; the empty name resets it to no engine.
+ </p></dd>
+<dt><span class="term">-g</span></dt>
+<dd><p>
+ Generate DS records for child zones from
+ <code class="filename">dsset-</code> or <code class="filename">keyset-</code>
+ file. Existing DS records will be removed.
+ </p></dd>
+<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
+<dd><p>
+ Key repository: Specify a directory to search for DNSSEC keys.
+ If not specified, defaults to the current directory.
+ </p></dd>
<dt><span class="term">-k <em class="replaceable"><code>key</code></em></span></dt>
<dd><p>
Treat specified key as a key signing key ignoring any
@@ -63,18 +95,6 @@
Generate a DLV set in addition to the key (DNSKEY) and DS sets.
The domain is appended to the name of the records.
</p></dd>
-<dt><span class="term">-d <em class="replaceable"><code>directory</code></em></span></dt>
-<dd><p>
- Look for <code class="filename">keyset</code> files in
- <code class="option">directory</code> as the directory
- </p></dd>
-<dt><span class="term">-g</span></dt>
-<dd><p>
- If the zone contains any delegations, and there are
- <code class="filename">keyset-</code> files for any of the child zones,
- then DS records for the child zones will be generated from the
- keys in those files. Existing DS records will be removed.
- </p></dd>
<dt><span class="term">-s <em class="replaceable"><code>start-time</code></em></span></dt>
<dd><p>
Specify the date and time when the generated RRSIG records
@@ -95,6 +115,8 @@
the start time. A time relative to the current time is
indicated with now+N. If no <code class="option">end-time</code> is
specified, 30 days from the start time is used as a default.
+ <code class="option">end-time</code> must be later than
+ <code class="option">start-time</code>.
</p></dd>
<dt><span class="term">-f <em class="replaceable"><code>output-file</code></em></span></dt>
<dd><p>
@@ -229,35 +251,119 @@
<code class="filename">keyboard</code> indicates that keyboard
input should be used.
</p></dd>
+<dt><span class="term">-S</span></dt>
+<dd>
+<p>
+ Smart signing: Instructs <span><strong class="command">dnssec-signzone</strong></span> to
+ search the key repository for keys that match the zone being
+ signed, and to include them in the zone if appropriate.
+ </p>
+<p>
+ When a key is found, its timing metadata is examined to
+ determine how it should be used, according to the following
+ rules. Each successive rule takes priority over the prior
+ ones:
+ </p>
+<div class="variablelist"><dl>
+<dt></dt>
+<dd><p>
+ If no timing metadata has been set for the key, the key is
+ published in the zone and used to sign the zone.
+ </p></dd>
+<dt></dt>
+<dd><p>
+ If the key's publication date is set and is in the past, the
+ key is published in the zone.
+ </p></dd>
+<dt></dt>
+<dd><p>
+ If the key's activation date is set and in the past, the
+ key is published (regardless of publication date) and
+ used to sign the zone.
+ </p></dd>
+<dt></dt>
+<dd><p>
+ If the key's revocation date is set and in the past, and the
+ key is published, then the key is revoked, and the revoked key
+ is used to sign the zone.
+ </p></dd>
+<dt></dt>
+<dd><p>
+ If either of the key's unpublication or deletion dates are set
+ and in the past, the key is NOT published or used to sign the
+ zone, regardless of any other metadata.
+ </p></dd>
+</dl></div>
+</dd>
+<dt><span class="term">-T <em class="replaceable"><code>ttl</code></em></span></dt>
+<dd><p>
+ Specifies the TTL to be used for new DNSKEY records imported
+ into the zone from the key repository. If not specified,
+ the default is the minimum TTL value from the zone's SOA
+ record. This option is ignored when signing without
+ <code class="option">-S</code>, since DNSKEY records are not imported
+ from the key repository in that case. It is also ignored if
+ there are any pre-existing DNSKEY records at the zone apex,
+ in which case new records' TTL values will be set to match
+ them.
+ </p></dd>
<dt><span class="term">-t</span></dt>
<dd><p>
Print statistics at completion.
</p></dd>
+<dt><span class="term">-u</span></dt>
+<dd><p>
+ Update NSEC/NSEC3 chain when re-signing a previously signed
+ zone. With this option, a zone signed with NSEC can be
+ switched to NSEC3, or a zone signed with NSEC3 can
+ be switch to NSEC or to NSEC3 with different parameters.
+ Without this option, <span><strong class="command">dnssec-signzone</strong></span> will
+ retain the existing chain when re-signing.
+ </p></dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
Sets the debugging level.
</p></dd>
+<dt><span class="term">-x</span></dt>
+<dd><p>
+ Only sign the DNSKEY RRset with key-signing keys, and omit
+ signatures from zone-signing keys. (This is similar to the
+ <span><strong class="command">dnssec-dnskey-kskonly yes;</strong></span> zone option in
+ <span><strong class="command">named</strong></span>.)
+ </p></dd>
<dt><span class="term">-z</span></dt>
<dd><p>
- Ignore KSK flag on key when determining what to sign.
+ Ignore KSK flag on key when determining what to sign. This
+ causes KSK-flagged keys to sign all records, not just the
+ DNSKEY RRset. (This is similar to the
+ <span><strong class="command">update-check-ksk no;</strong></span> zone option in
+ <span><strong class="command">named</strong></span>.)
</p></dd>
<dt><span class="term">-3 <em class="replaceable"><code>salt</code></em></span></dt>
<dd><p>
- Generate a NSEC3 chain with the given hex encoded salt.
+ Generate an NSEC3 chain with the given hex encoded salt.
A dash (<em class="replaceable"><code>salt</code></em>) can
be used to indicate that no salt is to be used when generating the NSEC3 chain.
</p></dd>
<dt><span class="term">-H <em class="replaceable"><code>iterations</code></em></span></dt>
<dd><p>
- When generating a NSEC3 chain use this many interations. The
- default is 100.
+ When generating an NSEC3 chain, use this many interations. The
+ default is 10.
</p></dd>
<dt><span class="term">-A</span></dt>
-<dd><p>
- When generating a NSEC3 chain set the OPTOUT flag on all
+<dd>
+<p>
+ When generating an NSEC3 chain set the OPTOUT flag on all
NSEC3 records and do not generate NSEC3 records for insecure
delegations.
- </p></dd>
+ </p>
+<p>
+ Using this option twice (i.e., <code class="option">-AA</code>)
+ turns the OPTOUT flag off for all records. This is useful
+ when using the <code class="option">-u</code> option to modify an NSEC3
+ chain which previously had OPTOUT set.
+ </p>
+</dd>
<dt><span class="term">zonefile</span></dt>
<dd><p>
The file containing the zone to be signed.
@@ -273,14 +379,15 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2544506"></a><h2>EXAMPLE</h2>
+<a name="id2544965"></a><h2>EXAMPLE</h2>
<p>
The following command signs the <strong class="userinput"><code>example.com</code></strong>
zone with the DSA key generated by <span><strong class="command">dnssec-keygen</strong></span>
- (Kexample.com.+003+17247). The zone's keys must be in the master
- file (<code class="filename">db.example.com</code>). This invocation looks
- for <code class="filename">keyset</code> files, in the current directory,
- so that DS records can be generated from them (<span><strong class="command">-g</strong></span>).
+ (Kexample.com.+003+17247). Because the <span><strong class="command">-S</strong></span> option
+ is not being used, the zone's keys must be in the master file
+ (<code class="filename">db.example.com</code>). This invocation looks
+ for <code class="filename">dsset</code> files, in the current directory,
+ so that DS records can be imported from them (<span><strong class="command">-g</strong></span>).
</p>
<pre class="programlisting">% dnssec-signzone -g -o example.com db.example.com \
Kexample.com.+003+17247
@@ -302,39 +409,14 @@ db.example.com.signed
%</pre>
</div>
<div class="refsect1" lang="en">
-<a name="id2544557"></a><h2>KNOWN BUGS</h2>
-<p>
- <span><strong class="command">dnssec-signzone</strong></span> was designed so that it could
- sign a zone partially, using only a subset of the DNSSEC keys
- needed to produce a fully-signed zone. This permits a zone
- administrator, for example, to sign a zone with one key on one
- machine, move the resulting partially-signed zone to a second
- machine, and sign it again with a second key.
- </p>
-<p>
- An unfortunate side-effect of this flexibility is that
- <span><strong class="command">dnssec-signzone</strong></span> does not check to make sure
- it's signing a zone with any valid keys at all. An attempt to
- sign a zone without any keys will appear to succeed, producing
- a "signed" zone with no signatures. There is no warning issued
- when a zone is not fully signed.
- </p>
-<p>
- This will be corrected in a future release. In the meantime, ISC
- recommends examining the output of <span><strong class="command">dnssec-signzone</strong></span>
- to confirm that the zone is properly signed by all keys before
- using it.
- </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2544720"></a><h2>SEE ALSO</h2>
+<a name="id2545020"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 4033</em>.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2544744"></a><h2>AUTHOR</h2>
+<a name="id2545045"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
diff --git a/contrib/bind9/bin/dnssec/dnssectool.c b/contrib/bind9/bin/dnssec/dnssectool.c
index 0223d9638a2d..882b042f1b8e 100644
--- a/contrib/bind9/bin/dnssec/dnssectool.c
+++ b/contrib/bind9/bin/dnssec/dnssectool.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2007, 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009-2011 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: dnssectool.c,v 1.60.162.3 2011/10/21 03:56:32 marka Exp $ */
/*! \file */
@@ -28,6 +28,7 @@
#include <stdlib.h>
#include <isc/buffer.h>
+#include <isc/dir.h>
#include <isc/entropy.h>
#include <isc/list.h>
#include <isc/mem.h>
@@ -36,6 +37,8 @@
#include <isc/util.h>
#include <isc/print.h>
+#include <dns/dnssec.h>
+#include <dns/keyvalues.h>
#include <dns/log.h>
#include <dns/name.h>
#include <dns/rdatastruct.h>
@@ -111,39 +114,16 @@ type_format(const dns_rdatatype_t type, char *cp, unsigned int size) {
}
void
-alg_format(const dns_secalg_t alg, char *cp, unsigned int size) {
- isc_buffer_t b;
- isc_region_t r;
- isc_result_t result;
-
- isc_buffer_init(&b, cp, size - 1);
- result = dns_secalg_totext(alg, &b);
- check_result(result, "dns_secalg_totext()");
- isc_buffer_usedregion(&b, &r);
- r.base[r.length] = 0;
-}
-
-void
sig_format(dns_rdata_rrsig_t *sig, char *cp, unsigned int size) {
char namestr[DNS_NAME_FORMATSIZE];
char algstr[DNS_NAME_FORMATSIZE];
dns_name_format(&sig->signer, namestr, sizeof(namestr));
- alg_format(sig->algorithm, algstr, sizeof(algstr));
+ dns_secalg_format(sig->algorithm, algstr, sizeof(algstr));
snprintf(cp, size, "%s/%s/%d", namestr, algstr, sig->keyid);
}
void
-key_format(const dst_key_t *key, char *cp, unsigned int size) {
- char namestr[DNS_NAME_FORMATSIZE];
- char algstr[DNS_NAME_FORMATSIZE];
-
- dns_name_format(dst_key_name(key), namestr, sizeof(namestr));
- alg_format((dns_secalg_t) dst_key_alg(key), algstr, sizeof(algstr));
- snprintf(cp, size, "%s/%s/%d", namestr, algstr, dst_key_id(key));
-}
-
-void
setup_logging(int verbose, isc_mem_t *mctx, isc_log_t **logp) {
isc_result_t result;
isc_logdestination_t destination;
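Review bot: In sig_format() the algorithm buffer is still declared as `char algstr[DNS_NAME_FORMATSIZE];` although it is now filled by dns_secalg_format(). Declaring it as `char algstr[DNS_SECALG_FORMATSIZE];` would match the size that SIG_FORMATSIZE in dnssectool.h is now computed from, assuming the header that declares dns_secalg_format() is already included here. This is a readability point only, since the current buffer is larger than needed.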
@@ -265,32 +245,92 @@ cleanup_entropy(isc_entropy_t **ectx) {
isc_entropy_detach(ectx);
}
+static isc_stdtime_t
+time_units(isc_stdtime_t offset, char *suffix, const char *str) {
+ switch (suffix[0]) {
+ case 'Y': case 'y':
+ return (offset * (365 * 24 * 3600));
+ case 'M': case 'm':
+ switch (suffix[1]) {
+ case 'O': case 'o':
+ return (offset * (30 * 24 * 3600));
+ case 'I': case 'i':
+ return (offset * 60);
+ case '\0':
+ fatal("'%s' ambiguous: use 'mi' for minutes "
+ "or 'mo' for months", str);
+ default:
+ fatal("time value %s is invalid", str);
+ }
+ /* NOTREACHED */
+ break;
+ case 'W': case 'w':
+ return (offset * (7 * 24 * 3600));
+ case 'D': case 'd':
+ return (offset * (24 * 3600));
+ case 'H': case 'h':
+ return (offset * 3600);
+ case 'S': case 's': case '\0':
+ return (offset);
+ default:
+ fatal("time value %s is invalid", str);
+ }
+ /* NOTREACHED */
+ return(0); /* silence compiler warning */
+}
+
+dns_ttl_t
+strtottl(const char *str) {
+ const char *orig = str;
+ dns_ttl_t ttl;
+ char *endp;
+
+ ttl = strtol(str, &endp, 0);
+ if (ttl == 0 && endp == str)
+ fatal("TTL must be numeric");
+ ttl = time_units(ttl, endp, orig);
+ return (ttl);
+}
+
isc_stdtime_t
strtotime(const char *str, isc_int64_t now, isc_int64_t base) {
isc_int64_t val, offset;
isc_result_t result;
+ const char *orig = str;
char *endp;
- if (str[0] == '+') {
+ if ((str[0] == '0' || str[0] == '-') && str[1] == '\0')
+ return ((isc_stdtime_t) 0);
+
+ if (strncmp(str, "now", 3) == 0) {
+ base = now;
+ str += 3;
+ }
+
+ if (str[0] == '\0')
+ return ((isc_stdtime_t) base);
+ else if (str[0] == '+') {
offset = strtol(str + 1, &endp, 0);
- if (*endp != '\0')
- fatal("time value %s is invalid", str);
+ offset = time_units((isc_stdtime_t) offset, endp, orig);
val = base + offset;
- } else if (strncmp(str, "now+", 4) == 0) {
- offset = strtol(str + 4, &endp, 0);
- if (*endp != '\0')
- fatal("time value %s is invalid", str);
- val = now + offset;
+ } else if (str[0] == '-') {
+ offset = strtol(str + 1, &endp, 0);
+ offset = time_units((isc_stdtime_t) offset, endp, orig);
+ val = base - offset;
} else if (strlen(str) == 8U) {
char timestr[15];
sprintf(timestr, "%s000000", str);
result = dns_time64_fromtext(timestr, &val);
if (result != ISC_R_SUCCESS)
- fatal("time value %s is invalid", str);
+ fatal("time value %s is invalid: %s", orig,
+ isc_result_totext(result));
+ } else if (strlen(str) > 14U) {
+ fatal("time value %s is invalid", orig);
} else {
result = dns_time64_fromtext(str, &val);
if (result != ISC_R_SUCCESS)
- fatal("time value %s is invalid", str);
+ fatal("time value %s is invalid: %s", orig,
+ isc_result_totext(result));
}
return ((isc_stdtime_t) val);
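Review bot: time_units() only inspects the first one or two characters after the number, so the strict `*endp != '\0'` check that strtotime() had before is gone. Values such as `+30dxyz`, or `+d` with no digits at all, are now accepted for the `+`/`-` forms and in strtottl(). The multiplication `offset * (365 * 24 * 3600)` is also unchecked, and strtottl() stores the signed strtol() result straight into dns_ttl_t, so a negative or very large input appears to wrap rather than fail. For signature start/end times and TTLs a silently misparsed value is worse than a fatal(). I would reject an empty digit run and a negative number before calling time_units(), as sketched for strtottl() below, and apply the same checks in the two offset branches of strtotime(), whose body continues past the end of this hunk.

```c
dns_ttl_t
strtottl(const char *str) {
	const char *orig = str;
	long val;
	char *endp;

	val = strtol(str, &endp, 0);
	/* no digits consumed: "d", "", "xyz" */
	if (endp == str)
		fatal("TTL must be numeric");
	/* strtol() accepts a sign; a negative value would wrap in dns_ttl_t */
	if (val < 0)
		fatal("TTL must not be negative");
	return (time_units((dns_ttl_t) val, endp, orig));
}
```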
@@ -311,3 +351,119 @@ strtoclass(const char *str) {
fatal("unknown class %s", str);
return (rdclass);
}
+
+isc_result_t
+try_dir(const char *dirname) {
+ isc_result_t result;
+ isc_dir_t d;
+
+ isc_dir_init(&d);
+ result = isc_dir_open(&d, dirname);
+ if (result == ISC_R_SUCCESS) {
+ isc_dir_close(&d);
+ }
+ return (result);
+}
+
+/*
+ * Check private key version compatibility.
+ */
+void
+check_keyversion(dst_key_t *key, char *keystr) {
+ int major, minor;
+ dst_key_getprivateformat(key, &major, &minor);
+ INSIST(major <= DST_MAJOR_VERSION); /* invalid private key */
+
+ if (major < DST_MAJOR_VERSION || minor < DST_MINOR_VERSION)
+ fatal("Key %s has incompatible format version %d.%d, "
+ "use -f to force upgrade to new version.",
+ keystr, major, minor);
+ if (minor > DST_MINOR_VERSION)
+ fatal("Key %s has incompatible format version %d.%d, "
+ "use -f to force downgrade to current version.",
+ keystr, major, minor);
+}
+
+void
+set_keyversion(dst_key_t *key) {
+ int major, minor;
+ dst_key_getprivateformat(key, &major, &minor);
+ INSIST(major <= DST_MAJOR_VERSION);
+
+ if (major != DST_MAJOR_VERSION || minor != DST_MINOR_VERSION)
+ dst_key_setprivateformat(key, DST_MAJOR_VERSION,
+ DST_MINOR_VERSION);
+
+ /*
+ * If the key is from a version older than 1.3, set
+ * set the creation date
+ */
+ if (major < 1 || (major == 1 && minor <= 2)) {
+ isc_stdtime_t now;
+ isc_stdtime_get(&now);
+ dst_key_settime(key, DST_TIME_CREATED, now);
+ }
+}
+
+isc_boolean_t
+key_collision(dst_key_t *dstkey, dns_name_t *name, const char *dir,
+ isc_mem_t *mctx, isc_boolean_t *exact)
+{
+ isc_result_t result;
+ isc_boolean_t conflict = ISC_FALSE;
+ dns_dnsseckeylist_t matchkeys;
+ dns_dnsseckey_t *key = NULL;
+ isc_uint16_t id, oldid;
+ isc_uint32_t rid, roldid;
+ dns_secalg_t alg;
+
+ if (exact != NULL)
+ *exact = ISC_FALSE;
+
+ id = dst_key_id(dstkey);
+ rid = dst_key_rid(dstkey);
+ alg = dst_key_alg(dstkey);
+
+ ISC_LIST_INIT(matchkeys);
+ result = dns_dnssec_findmatchingkeys(name, dir, mctx, &matchkeys);
+ if (result == ISC_R_NOTFOUND)
+ return (ISC_FALSE);
+
+ while (!ISC_LIST_EMPTY(matchkeys) && !conflict) {
+ key = ISC_LIST_HEAD(matchkeys);
+ if (dst_key_alg(key->key) != alg)
+ goto next;
+
+ oldid = dst_key_id(key->key);
+ roldid = dst_key_rid(key->key);
+
+ if (oldid == rid || roldid == id || id == oldid) {
+ conflict = ISC_TRUE;
+ if (id != oldid) {
+ if (verbose > 1)
+ fprintf(stderr, "Key ID %d could "
+ "collide with %d\n",
+ id, oldid);
+ } else {
+ if (exact != NULL)
+ *exact = ISC_TRUE;
+ if (verbose > 1)
+ fprintf(stderr, "Key ID %d exists\n",
+ id);
+ }
+ }
+
+ next:
+ ISC_LIST_UNLINK(matchkeys, key, link);
+ dns_dnsseckey_destroy(mctx, &key);
+ }
+
+ /* Finish freeing the list */
+ while (!ISC_LIST_EMPTY(matchkeys)) {
+ key = ISC_LIST_HEAD(matchkeys);
+ ISC_LIST_UNLINK(matchkeys, key, link);
+ dns_dnsseckey_destroy(mctx, &key);
+ }
+
+ return (conflict);
+}
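Review bot: key_collision() treats every result of dns_dnssec_findmatchingkeys() other than ISC_R_NOTFOUND as success. If the key directory cannot be read or the search fails part-way, the function falls through with an empty (or possibly partial) list and reports no collision. Callers presumably rely on this check to avoid creating a key whose ID clashes with an existing one, so I would make the failure explicit right after the ISC_R_NOTFOUND test: `if (result != ISC_R_SUCCESS) fatal("failed to search for matching keys: %s", isc_result_totext(result));`. Separately, check_keyversion() and set_keyversion() use `INSIST(major <= DST_MAJOR_VERSION)` on a value obtained from the key; if that value originates in a key file on disk, a fatal() naming the key would be a clearer failure than an assertion abort.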
diff --git a/contrib/bind9/bin/dnssec/dnssectool.h b/contrib/bind9/bin/dnssec/dnssectool.h
index ef8fce35b831..e6dfe51aeed3 100644
--- a/contrib/bind9/bin/dnssec/dnssectool.h
+++ b/contrib/bind9/bin/dnssec/dnssectool.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2007-2009, 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2007-2011 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: dnssectool.h,v 1.31.162.2 2011/10/20 23:46:27 tbox Exp $ */
#ifndef DNSSECTOOL_H
#define DNSSECTOOL_H 1
@@ -45,16 +45,8 @@ type_format(const dns_rdatatype_t type, char *cp, unsigned int size);
#define TYPE_FORMATSIZE 20
void
-alg_format(const dns_secalg_t alg, char *cp, unsigned int size);
-#define ALG_FORMATSIZE 20
-
-void
sig_format(dns_rdata_rrsig_t *sig, char *cp, unsigned int size);
-#define SIG_FORMATSIZE (DNS_NAME_FORMATSIZE + ALG_FORMATSIZE + sizeof("65535"))
-
-void
-key_format(const dst_key_t *key, char *cp, unsigned int size);
-#define KEY_FORMATSIZE (DNS_NAME_FORMATSIZE + ALG_FORMATSIZE + sizeof("65535"))
+#define SIG_FORMATSIZE (DNS_NAME_FORMATSIZE + DNS_SECALG_FORMATSIZE + sizeof("65535"))
void
setup_logging(int verbose, isc_mem_t *mctx, isc_log_t **logp);
@@ -68,10 +60,25 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx);
void
cleanup_entropy(isc_entropy_t **ectx);
+dns_ttl_t strtottl(const char *str);
+
isc_stdtime_t
strtotime(const char *str, isc_int64_t now, isc_int64_t base);
dns_rdataclass_t
strtoclass(const char *str);
+isc_result_t
+try_dir(const char *dirname);
+
+void
+check_keyversion(dst_key_t *key, char *keystr);
+
+void
+set_keyversion(dst_key_t *key);
+
+isc_boolean_t
+key_collision(dst_key_t *key, dns_name_t *name, const char *dir,
+ isc_mem_t *mctx, isc_boolean_t *exact);
+
#endif /* DNSSEC_DNSSECTOOL_H */
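Review bot: The new declarations `strtottl`, `try_dir`, `check_keyversion`, `set_keyversion` and `key_collision` carry no comments, and their contracts are not obvious from the prototypes. In dnssectool.c, `strtottl` and `check_keyversion` exit through fatal() on bad input instead of returning an error, and `key_collision` writes through `exact` only when it is non-NULL. A short comment above each would help, for example `/* Returns ISC_TRUE if a key found in 'dir' for 'name' has an ID equal to, or able to collide with, that of 'key'; *exact (if non-NULL) is set when the IDs are equal. */`. The first parameter is named `key` here but `dstkey` in the definition, and using one name in both places would keep the comment and the code aligned.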
diff --git a/contrib/bind9/bin/named/Makefile.in b/contrib/bind9/bin/named/Makefile.in
index 382849b4a77d..ea919ae5e2da 100644
--- a/contrib/bind9/bin/named/Makefile.in
+++ b/contrib/bind9/bin/named/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2004-2008, 2012 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 1998-2002 Internet Software Consortium.
#
# Permission to use, copy, modify, and/or distribute this software for any
@@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id$
+# $Id: Makefile.in,v 1.114.14.2 2011/03/10 23:47:25 tbox Exp $
srcdir = @srcdir@
VPATH = @srcdir@
@@ -43,9 +43,9 @@ DLZDRIVER_LIBS = @DLZ_DRIVER_LIBS@
CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \
${LWRES_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES} \
${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_INCLUDES} \
- ${DLZDRIVER_INCLUDES} ${DBDRIVER_INCLUDES}
+ ${DLZDRIVER_INCLUDES} ${DBDRIVER_INCLUDES} @DST_OPENSSL_INC@
-CDEFINES = @USE_DLZ@
+CDEFINES = @CONTRIB_DLZ@ @USE_PKCS11@ @USE_OPENSSL@
CWARNINGS =
@@ -53,6 +53,7 @@ DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
ISCCCLIBS = ../../lib/isccc/libisccc.@A@
ISCLIBS = ../../lib/isc/libisc.@A@
+ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@
LWRESLIBS = ../../lib/lwres/liblwres.@A@
BIND9LIBS = ../../lib/bind9/libbind9.@A@
@@ -70,6 +71,10 @@ LIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \
${ISCCFGLIBS} ${ISCCCLIBS} ${ISCLIBS} \
${DLZDRIVER_LIBS} ${DBDRIVER_LIBS} @LIBS@
+NOSYMLIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \
+ ${ISCCFGLIBS} ${ISCCCLIBS} ${ISCNOSYMLIBS} \
+ ${DLZDRIVER_LIBS} ${DBDRIVER_LIBS} @LIBS@
+
SUBDIRS = unix
TARGETS = named@EXEEXT@ lwresd@EXEEXT@
@@ -84,12 +89,14 @@ OBJS = builtin.@O@ client.@O@ config.@O@ control.@O@ \
lwdgnba.@O@ lwdgrbn.@O@ lwdnoop.@O@ lwsearch.@O@ \
${DLZDRIVER_OBJS} ${DBDRIVER_OBJS}
-UOBJS = unix/os.@O@
+UOBJS = unix/os.@O@ unix/dlz_dlopen_driver.@O@
+
+SYMOBJS = symtbl.@O@
SRCS = builtin.c client.c config.c control.c \
controlconf.c interfacemgr.c \
listenlist.c log.c logconf.c main.c notify.c \
- query.c server.c sortlist.c statschannel.c \
+ query.c server.c sortlist.c statschannel.c symtbl.c symtbl-empty.c \
tkeyconf.c tsigconf.c update.c xfrout.c \
zoneconf.c \
lwaddr.c lwresd.c lwdclient.c lwderror.c lwdgabn.c \
@@ -111,15 +118,20 @@ main.@O@: main.c
-DNS_LOCALSTATEDIR=\"${localstatedir}\" \
-DNS_SYSCONFDIR=\"${sysconfdir}\" -c ${srcdir}/main.c
-config.@O@: config.c
+bind.keys.h: ${top_srcdir}/bind.keys ${srcdir}/bindkeys.pl
+ ${PERL} ${srcdir}/bindkeys.pl < ${top_srcdir}/bind.keys > $@
+
+config.@O@: config.c bind.keys.h
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
-DVERSION=\"${VERSION}\" \
-DNS_LOCALSTATEDIR=\"${localstatedir}\" \
+ -DNS_SYSCONFDIR=\"${sysconfdir}\" \
-c ${srcdir}/config.c
named@EXEEXT@: ${OBJS} ${UOBJS} ${DEPLIBS}
- ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
- ${OBJS} ${UOBJS} ${LIBS}
+ export MAKE_SYMTABLE="yes"; \
+ export BASEOBJS="${OBJS} ${UOBJS}"; \
+ ${FINALBUILDCMD}
lwresd@EXEEXT@: named@EXEEXT@
rm -f lwresd@EXEEXT@
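Review bot: The new `bind.keys.h` recipe redirects straight into `$@`, so a bindkeys.pl run that fails or is interrupted leaves a truncated header that is newer than its prerequisites and gets compiled into config.@O@ on the next make. This header carries the built-in trust anchors, so a partial file should never look up to date. Writing to a temporary name and renaming on success is enough: `${PERL} ${srcdir}/bindkeys.pl < ${top_srcdir}/bind.keys > $@.tmp && mv -f $@.tmp $@`. The `bind9.xsl.h` rule touched in the next hunk uses the same direct-redirect pattern and would benefit from the same change.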
@@ -133,7 +145,10 @@ docclean manclean maintainer-clean::
clean distclean maintainer-clean::
rm -f ${TARGETS} ${OBJS}
-bind9.xsl.h: bind9.xsl convertxsl.pl
+maintainer-clean::
+ rm -f bind.keys.h
+
+bind9.xsl.h: bind9.xsl ${srcdir}/convertxsl.pl
${PERL} ${srcdir}/convertxsl.pl < ${srcdir}/bind9.xsl > bind9.xsl.h
depend: bind9.xsl.h
diff --git a/contrib/bind9/bin/named/bind.keys.h b/contrib/bind9/bin/named/bind.keys.h
new file mode 100644
index 000000000000..61e3f700c6cf
--- /dev/null
+++ b/contrib/bind9/bin/named/bind.keys.h
@@ -0,0 +1,99 @@
+/*
+ * Generated by bindkeys.pl 1.7 2011/01/04 23:47:13 tbox Exp
+ * From bind.keys 1.7 2011/01/03 23:45:07 each Exp
+ */
+#define TRUSTED_KEYS "\
+# The bind.keys file is used to override the built-in DNSSEC trust anchors\n\
+# which are included as part of BIND 9. As of the current release, the only\n\
+# trust anchors it contains are those for the DNS root zone (\".\"), and for\n\
+# the ISC DNSSEC Lookaside Validation zone (\"dlv.isc.org\"). Trust anchors\n\
+# for any other zones MUST be configured elsewhere; if they are configured\n\
+# here, they will not be recognized or used by named.\n\
+#\n\
+# The built-in trust anchors are provided for convenience of configuration.\n\
+# They are not activated within named.conf unless specifically switched on.\n\
+# To use the built-in root key, set \"dnssec-validation auto;\" in\n\
+# named.conf options. To use the built-in DLV key, set\n\
+# \"dnssec-lookaside auto;\". Without these options being set,\n\
+# the keys in this file are ignored.\n\
+#\n\
+# This file is NOT expected to be user-configured.\n\
+#\n\
+# These keys are current as of January 2011. If any key fails to\n\
+# initialize correctly, it may have expired. In that event you should\n\
+# replace this file with a current version. The latest version of\n\
+# bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys.\n\
+\n\
+trusted-keys {\n\
+ # ISC DLV: See https://www.isc.org/solutions/dlv for details.\n\
+ # NOTE: This key is activated by setting \"dnssec-lookaside auto;\"\n\
+ # in named.conf.\n\
+ dlv.isc.org. 257 3 5 \"BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2\n\
+ brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+\n\
+ 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5\n\
+ ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk\n\
+ Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM\n\
+ QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt\n\
+ TDN0YUuWrBNh\";\n\
+\n\
+ # ROOT KEY: See https://data.iana.org/root-anchors/root-anchors.xml\n\
+ # for current trust anchor information.\n\
+ # NOTE: This key is activated by setting \"dnssec-validation auto;\"\n\
+ # in named.conf.\n\
+ . 257 3 8 \"AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF\n\
+ FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX\n\
+ bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD\n\
+ X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz\n\
+ W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS\n\
+ Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq\n\
+ QxA+Uk1ihz0=\";\n\
+};\n\
+"
+
+#define MANAGED_KEYS "\
+# The bind.keys file is used to override the built-in DNSSEC trust anchors\n\
+# which are included as part of BIND 9. As of the current release, the only\n\
+# trust anchors it contains are those for the DNS root zone (\".\"), and for\n\
+# the ISC DNSSEC Lookaside Validation zone (\"dlv.isc.org\"). Trust anchors\n\
+# for any other zones MUST be configured elsewhere; if they are configured\n\
+# here, they will not be recognized or used by named.\n\
+#\n\
+# The built-in trust anchors are provided for convenience of configuration.\n\
+# They are not activated within named.conf unless specifically switched on.\n\
+# To use the built-in root key, set \"dnssec-validation auto;\" in\n\
+# named.conf options. To use the built-in DLV key, set\n\
+# \"dnssec-lookaside auto;\". Without these options being set,\n\
+# the keys in this file are ignored.\n\
+#\n\
+# This file is NOT expected to be user-configured.\n\
+#\n\
+# These keys are current as of January 2011. If any key fails to\n\
+# initialize correctly, it may have expired. In that event you should\n\
+# replace this file with a current version. The latest version of\n\
+# bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys.\n\
+\n\
+managed-keys {\n\
+ # ISC DLV: See https://www.isc.org/solutions/dlv for details.\n\
+ # NOTE: This key is activated by setting \"dnssec-lookaside auto;\"\n\
+ # in named.conf.\n\
+ dlv.isc.org. initial-key 257 3 5 \"BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2\n\
+ brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+\n\
+ 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5\n\
+ ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk\n\
+ Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM\n\
+ QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt\n\
+ TDN0YUuWrBNh\";\n\
+\n\
+ # ROOT KEY: See https://data.iana.org/root-anchors/root-anchors.xml\n\
+ # for current trust anchor information.\n\
+ # NOTE: This key is activated by setting \"dnssec-validation auto;\"\n\
+ # in named.conf.\n\
+ . initial-key 257 3 8 \"AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF\n\
+ FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX\n\
+ bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD\n\
+ X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz\n\
+ W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS\n\
+ Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq\n\
+ QxA+Uk1ihz0=\";\n\
+};\n\
+"
diff --git a/contrib/bind9/bin/named/bind9.xsl b/contrib/bind9/bin/named/bind9.xsl
index a357c01cd1c2..8063cc666a24 100644
--- a/contrib/bind9/bin/named/bind9.xsl
+++ b/contrib/bind9/bin/named/bind9.xsl
@@ -1,6 +1,6 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
- - Copyright (C) 2006-2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2006-2009 Internet Systems Consortium, Inc. ("ISC")
-
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id$ -->
+<!-- $Id: bind9.xsl,v 1.21 2009/01/27 23:47:54 tbox Exp $ -->
<xsl:stylesheet version="1.0"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
diff --git a/contrib/bind9/bin/named/bind9.xsl.h b/contrib/bind9/bin/named/bind9.xsl.h
index e759b96c1ff1..19a58ff17c7e 100644
--- a/contrib/bind9/bin/named/bind9.xsl.h
+++ b/contrib/bind9/bin/named/bind9.xsl.h
@@ -1,11 +1,11 @@
/*
* Generated by convertxsl.pl 1.14 2008/07/17 23:43:26 jinmei Exp
- * From unknown
+ * From bind9.xsl 1.21 2009/01/27 23:47:54 tbox Exp
*/
static char xslmsg[] =
"<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
"<!--\n"
- " - Copyright (C) 2006-2009, 2012 Internet Systems Consortium, Inc. (\"ISC\")\n"
+ " - Copyright (C) 2006-2009 Internet Systems Consortium, Inc. (\"ISC\")\n"
" -\n"
" - Permission to use, copy, modify, and/or distribute this software for any\n"
" - purpose with or without fee is hereby granted, provided that the above\n"
@@ -20,7 +20,7 @@ static char xslmsg[] =
" - PERFORMANCE OF THIS SOFTWARE.\n"
"-->\n"
"\n"
- "<!-- $Id$ -->\n"
+ "<!-- \045Id: bind9.xsl,v 1.21 2009/01/27 23:47:54 tbox Exp \045 -->\n"
"\n"
"<xsl:stylesheet version=\"1.0\"\n"
" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\"\n"
diff --git a/contrib/bind9/bin/named/builtin.c b/contrib/bind9/bin/named/builtin.c
index 7c397d49b5c8..14204cd295c6 100644
--- a/contrib/bind9/bin/named/builtin.c
+++ b/contrib/bind9/bin/named/builtin.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2007, 2010, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009-2012 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2001-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: builtin.c,v 1.20.14.3 2012/01/11 20:19:40 ckb Exp $ */
/*! \file
* \brief
@@ -47,6 +47,7 @@ static isc_result_t do_hostname_lookup(dns_sdblookup_t *lookup);
static isc_result_t do_authors_lookup(dns_sdblookup_t *lookup);
static isc_result_t do_id_lookup(dns_sdblookup_t *lookup);
static isc_result_t do_empty_lookup(dns_sdblookup_t *lookup);
+static isc_result_t do_dns64_lookup(dns_sdblookup_t *lookup);
/*
* We can't use function pointers as the db_data directly
@@ -65,8 +66,218 @@ static builtin_t hostname_builtin = { do_hostname_lookup, NULL, NULL };
static builtin_t authors_builtin = { do_authors_lookup, NULL, NULL };
static builtin_t id_builtin = { do_id_lookup, NULL, NULL };
static builtin_t empty_builtin = { do_empty_lookup, NULL, NULL };
+static builtin_t dns64_builtin = { do_dns64_lookup, NULL, NULL };
static dns_sdbimplementation_t *builtin_impl;
+static dns_sdbimplementation_t *dns64_impl;
+
+/*
+ * Pre computed HEX * 16 or 1 table.
+ */
+static const unsigned char hex16[256] = {
+ 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, /*00*/
+ 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, /*10*/
+ 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, /*20*/
+ 0, 16, 32, 48, 64, 80, 96,112,128,144, 1, 1, 1, 1, 1, 1, /*30*/
+ 1,160,176,192,208,224,240, 1, 1, 1, 1, 1, 1, 1, 1, 1, /*40*/
+ 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, /*50*/
+ 1,160,176,192,208,224,240, 1, 1, 1, 1, 1, 1, 1, 1, 1, /*60*/
+ 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, /*70*/
+ 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, /*80*/
+ 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, /*90*/
+ 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, /*A0*/
+ 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, /*B0*/
+ 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, /*C0*/
+ 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, /*D0*/
+ 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, /*E0*/
+ 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1 /*F0*/
+};
+
+const unsigned char decimal[] = "0123456789";
+
+static size_t
+dns64_rdata(unsigned char *v, size_t start, unsigned char *rdata) {
+ size_t i, j = 0;
+
+ for (i = 0; i < 4U; i++) {
+ unsigned char c = v[start++];
+ if (start == 7U)
+ start++;
+ if (c > 99) {
+ rdata[j++] = 3;
+ rdata[j++] = decimal[c/100]; c = c % 100;
+ rdata[j++] = decimal[c/10]; c = c % 10;
+ rdata[j++] = decimal[c];
+ } else if (c > 9) {
+ rdata[j++] = 2;
+ rdata[j++] = decimal[c/10]; c = c % 10;
+ rdata[j++] = decimal[c];
+ } else {
+ rdata[j++] = 1;
+ rdata[j++] = decimal[c];
+ }
+ }
+ memcpy(&rdata[j], "\07in-addr\04arpa", 14);
+ return (j + 14);
+}
+
+static isc_result_t
+dns64_cname(const dns_name_t *zone, const dns_name_t *name,
+ dns_sdblookup_t *lookup)
+{
+ size_t zlen, nlen, j, len;
+ unsigned char v[16], n;
+ unsigned int i;
+ unsigned char rdata[sizeof("123.123.123.123.in-addr.arpa.")];
+ unsigned char *ndata;
+
+ /*
+ * The combined length of the zone and name is 74.
+ *
+ * The minimum zone length is 10 ((3)ip6(4)arpa(0)).
+ *
+ * The length of name should always be even as we are expecting
+ * a series of nibbles.
+ */
+ zlen = zone->length;
+ nlen = name->length;
+ if ((zlen + nlen) > 74U || zlen < 10U || (nlen % 2) != 0U)
+ return (ISC_R_NOTFOUND);
+
+ /*
+ * We assume the zone name is well formed.
+ */
+
+ /*
+ * XXXMPA We could check the dns64 suffix here if we need to.
+ */
+ /*
+ * Check that name is a series of nibbles.
+ * Compute the byte values that correspond to the nibbles as we go.
+ *
+ * Shift the final result 4 bits, by setting 'i' to 1, if we if we
+ * have a odd number of nibbles so that "must be zero" tests below
+ * are byte aligned and we correctly return ISC_R_NOTFOUND or
+ * ISC_R_SUCCESS. We will not generate a CNAME in this case.
+ */
+ ndata = name->ndata;
+ i = (nlen % 4) == 2U ? 1 : 0;
+ j = nlen;
+ memset(v, 0, sizeof(v));
+ while (j != 0U) {
+ INSIST((i/2) < sizeof(v));
+ if (ndata[0] != 1)
+ return (ISC_R_NOTFOUND);
+ n = hex16[ndata[1]&0xff];
+ if (n == 1)
+ return (ISC_R_NOTFOUND);
+ v[i/2] = n | (v[i/2]>>4);
+ j -= 2;
+ ndata += 2;
+ i++;
+ }
+
+ /*
+ * If we get here then we know name only consisted of nibbles.
+ * Now we need to determine if the name exists or not and whether
+ * it corresponds to a empty node in the zone or there should be
+ * a CNAME.
+ */
+#define ZLEN(x) (10 + (x)/2)
+ switch (zlen) {
+ case ZLEN(32): /* prefix len 32 */
+ /*
+ * The nibbles that map to this byte must be zero for 'name'
+ * to exist in the zone.
+ */
+ if (nlen > 16U && v[(nlen-1)/4 - 4] != 0)
+ return (ISC_R_NOTFOUND);
+ /*
+ * If the total length is not 74 then this is a empty node
+ * so return success.
+ */
+ if (nlen + zlen != 74U)
+ return (ISC_R_SUCCESS);
+ len = dns64_rdata(v, 8, rdata);
+ break;
+ case ZLEN(40): /* prefix len 40 */
+ /*
+ * The nibbles that map to this byte must be zero for 'name'
+ * to exist in the zone.
+ */
+ if (nlen > 12U && v[(nlen-1)/4 - 3] != 0)
+ return (ISC_R_NOTFOUND);
+ /*
+ * If the total length is not 74 then this is a empty node
+ * so return success.
+ */
+ if (nlen + zlen != 74U)
+ return (ISC_R_SUCCESS);
+ len = dns64_rdata(v, 6, rdata);
+ break;
+ case ZLEN(48): /* prefix len 48 */
+ /*
+ * The nibbles that map to this byte must be zero for 'name'
+ * to exist in the zone.
+ */
+ if (nlen > 8U && v[(nlen-1)/4 - 2] != 0)
+ return (ISC_R_NOTFOUND);
+ /*
+ * If the total length is not 74 then this is a empty node
+ * so return success.
+ */
+ if (nlen + zlen != 74U)
+ return (ISC_R_SUCCESS);
+ len = dns64_rdata(v, 5, rdata);
+ break;
+ case ZLEN(56): /* prefix len 56 */
+ /*
+ * The nibbles that map to this byte must be zero for 'name'
+ * to exist in the zone.
+ */
+ if (nlen > 4U && v[(nlen-1)/4 - 1] != 0)
+ return (ISC_R_NOTFOUND);
+ /*
+ * If the total length is not 74 then this is a empty node
+ * so return success.
+ */
+ if (nlen + zlen != 74U)
+ return (ISC_R_SUCCESS);
+ len = dns64_rdata(v, 4, rdata);
+ break;
+ case ZLEN(64): /* prefix len 64 */
+ /*
+ * The nibbles that map to this byte must be zero for 'name'
+ * to exist in the zone.
+ */
+ if (v[(nlen-1)/4] != 0)
+ return (ISC_R_NOTFOUND);
+ /*
+ * If the total length is not 74 then this is a empty node
+ * so return success.
+ */
+ if (nlen + zlen != 74U)
+ return (ISC_R_SUCCESS);
+ len = dns64_rdata(v, 3, rdata);
+ break;
+ case ZLEN(96): /* prefix len 96 */
+ /*
+ * If the total length is not 74 then this is a empty node
+ * so return success.
+ */
+ if (nlen + zlen != 74U)
+ return (ISC_R_SUCCESS);
+ len = dns64_rdata(v, 0, rdata);
+ break;
+ default:
+ /*
+ * This should never be reached unless someone adds a
+ * zone declaration with this internal type to named.conf.
+ */
+ return (ISC_R_NOTFOUND);
+ }
+ return (dns_sdb_putrdata(lookup, dns_rdatatype_cname, 600, rdata, len));
+}
static isc_result_t
builtin_lookup(const char *zone, const char *name, void *dbdata,
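Review bot: In dns64_cname the `case ZLEN(64)` branch reads `v[(nlen-1)/4]` without the `nlen > N` guard that the 32/40/48/56 branches carry, and `nlen` is a `size_t`, so a zero-length name would wrap the subtraction and index far outside `v[16]`. The entry check only rejects odd lengths and over-long totals, so safety rests on dns64_lookup (added in the next hunk) diverting the empty name before it calls in; I would make the branch self-contained with `if (nlen > 0U && v[(nlen-1)/4] != 0)`. Separately, `decimal` is the only table in this hunk without `static`, so it exports a very generic global symbol; `static const unsigned char decimal[] = "0123456789";` would match `hex16`.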
@@ -83,6 +294,18 @@ builtin_lookup(const char *zone, const char *name, void *dbdata,
}
static isc_result_t
+dns64_lookup(const dns_name_t *zone, const dns_name_t *name, void *dbdata,
+ dns_sdblookup_t *lookup)
+{
+ builtin_t *b = (builtin_t *) dbdata;
+
+ if (name->labels == 0 && name->length == 0)
+ return (b->do_lookup(lookup));
+ else
+ return (dns64_cname(zone, name, lookup));
+}
+
+static isc_result_t
put_txt(dns_sdblookup_t *lookup, const char *text) {
unsigned char buf[256];
unsigned int len = strlen(text);
@@ -140,6 +363,7 @@ do_authors_lookup(dns_sdblookup_t *lookup) {
"Danny Mayer",
"Damien Neil",
"Matt Nelson",
+ "Jeremy C. Reed",
"Michael Sawyer",
"Brian Wellington",
NULL
@@ -177,6 +401,12 @@ do_id_lookup(dns_sdblookup_t *lookup) {
}
static isc_result_t
+do_dns64_lookup(dns_sdblookup_t *lookup) {
+ UNUSED(lookup);
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
do_empty_lookup(dns_sdblookup_t *lookup) {
UNUSED(lookup);
@@ -223,7 +453,7 @@ builtin_create(const char *zone, int argc, char **argv,
UNUSED(zone);
UNUSED(driverdata);
- if (strcmp(argv[0], "empty") == 0) {
+ if (strcmp(argv[0], "empty") == 0 || strcmp(argv[0], "dns64") == 0) {
if (argc != 3)
return (DNS_R_SYNTAX);
} else if (argc != 1)
@@ -237,7 +467,8 @@ builtin_create(const char *zone, int argc, char **argv,
*dbdata = &authors_builtin;
else if (strcmp(argv[0], "id") == 0)
*dbdata = &id_builtin;
- else if (strcmp(argv[0], "empty") == 0) {
+ else if (strcmp(argv[0], "empty") == 0 ||
+ strcmp(argv[0], "dns64") == 0) {
builtin_t *empty;
char *server;
char *contact;
@@ -249,7 +480,10 @@ builtin_create(const char *zone, int argc, char **argv,
server = isc_mem_strdup(ns_g_mctx, argv[1]);
contact = isc_mem_strdup(ns_g_mctx, argv[2]);
if (empty == NULL || server == NULL || contact == NULL) {
- *dbdata = &empty_builtin;
+ if (strcmp(argv[0], "empty") == 0)
+ *dbdata = &empty_builtin;
+ else
+ *dbdata = &dns64_builtin;
if (server != NULL)
isc_mem_free(ns_g_mctx, server);
if (contact != NULL)
@@ -257,7 +491,12 @@ builtin_create(const char *zone, int argc, char **argv,
if (empty != NULL)
isc_mem_put(ns_g_mctx, empty, sizeof (*empty));
} else {
- memcpy(empty, &empty_builtin, sizeof (empty_builtin));
+ if (strcmp(argv[0], "empty") == 0)
+ memcpy(empty, &empty_builtin,
+ sizeof (empty_builtin));
+ else
+ memcpy(empty, &dns64_builtin,
+ sizeof (empty_builtin));
empty->server = server;
empty->contact = contact;
*dbdata = empty;
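Review bot: The new `else` arm copies from `dns64_builtin` but still sizes the copy with `sizeof (empty_builtin)`. Both objects are declared as `builtin_t`, so the byte count is the same today, but a length taken from a different object than the one being copied is easy to get wrong if either declaration changes. Tying the length to the destination in both arms, `memcpy(empty, &dns64_builtin, sizeof (*empty));`, removes that dependency. builtin_create starts and ends outside this hunk.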
@@ -279,7 +518,7 @@ builtin_destroy(const char *zone, void *driverdata, void **dbdata) {
*/
if (*dbdata == &version_builtin || *dbdata == &hostname_builtin ||
*dbdata == &authors_builtin || *dbdata == &id_builtin ||
- *dbdata == &empty_builtin)
+ *dbdata == &empty_builtin || *dbdata == &dns64_builtin)
return;
isc_mem_free(ns_g_mctx, b->server);
@@ -292,7 +531,17 @@ static dns_sdbmethods_t builtin_methods = {
builtin_authority,
NULL, /* allnodes */
builtin_create,
- builtin_destroy
+ builtin_destroy,
+ NULL
+};
+
+static dns_sdbmethods_t dns64_methods = {
+ NULL,
+ builtin_authority,
+ NULL, /* allnodes */
+ builtin_create,
+ builtin_destroy,
+ dns64_lookup,
};
isc_result_t
@@ -302,10 +551,17 @@ ns_builtin_init(void) {
DNS_SDBFLAG_RELATIVERDATA,
ns_g_mctx, &builtin_impl)
== ISC_R_SUCCESS);
+ RUNTIME_CHECK(dns_sdb_register("_dns64", &dns64_methods, NULL,
+ DNS_SDBFLAG_RELATIVEOWNER |
+ DNS_SDBFLAG_RELATIVERDATA |
+ DNS_SDBFLAG_DNS64,
+ ns_g_mctx, &dns64_impl)
+ == ISC_R_SUCCESS);
return (ISC_R_SUCCESS);
}
void
ns_builtin_deinit(void) {
dns_sdb_unregister(&builtin_impl);
+ dns_sdb_unregister(&dns64_impl);
}
diff --git a/contrib/bind9/bin/named/client.c b/contrib/bind9/bin/named/client.c
index d599af5974e5..606cc2d4dad4 100644
--- a/contrib/bind9/bin/named/client.c
+++ b/contrib/bind9/bin/named/client.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: client.c,v 1.271.10.4 2012/01/31 23:46:39 tbox Exp $ */
#include <config.h>
@@ -919,7 +919,7 @@ ns_client_send(ns_client_t *client) {
dns_compress_t cctx;
isc_boolean_t cleanup_cctx = ISC_FALSE;
unsigned char sendbuf[SEND_BUFFER_SIZE];
- unsigned int dnssec_opts;
+ unsigned int render_opts;
unsigned int preferred_glue;
isc_boolean_t opt_included = ISC_FALSE;
@@ -931,9 +931,9 @@ ns_client_send(ns_client_t *client) {
client->message->flags |= DNS_MESSAGEFLAG_RA;
if ((client->attributes & NS_CLIENTATTR_WANTDNSSEC) != 0)
- dnssec_opts = 0;
+ render_opts = 0;
else
- dnssec_opts = DNS_MESSAGERENDER_OMITDNSSEC;
+ render_opts = DNS_MESSAGERENDER_OMITDNSSEC;
preferred_glue = 0;
if (client->view != NULL) {
@@ -943,6 +943,24 @@ ns_client_send(ns_client_t *client) {
preferred_glue = DNS_MESSAGERENDER_PREFER_AAAA;
}
+#ifdef ALLOW_FILTER_AAAA_ON_V4
+ /*
+ * filter-aaaa-on-v4 yes or break-dnssec option to suppress
+ * AAAA records
+ * We already know that request came via IPv4,
+ * that we have both AAAA and A records,
+ * and that we either have no signatures that the client wants
+ * or we are supposed to break DNSSEC.
+ *
+ * Override preferred glue if necessary.
+ */
+ if ((client->attributes & NS_CLIENTATTR_FILTER_AAAA) != 0) {
+ render_opts |= DNS_MESSAGERENDER_FILTER_AAAA;
+ if (preferred_glue == DNS_MESSAGERENDER_PREFER_AAAA)
+ preferred_glue = DNS_MESSAGERENDER_PREFER_A;
+ }
+#endif
+
/*
* XXXRTH The following doesn't deal with TCP buffer resizing.
*/
@@ -978,7 +996,7 @@ ns_client_send(ns_client_t *client) {
result = dns_message_rendersection(client->message,
DNS_SECTION_ANSWER,
DNS_MESSAGERENDER_PARTIAL |
- dnssec_opts);
+ render_opts);
if (result == ISC_R_NOSPACE) {
client->message->flags |= DNS_MESSAGEFLAG_TC;
goto renderend;
@@ -988,7 +1006,7 @@ ns_client_send(ns_client_t *client) {
result = dns_message_rendersection(client->message,
DNS_SECTION_AUTHORITY,
DNS_MESSAGERENDER_PARTIAL |
- dnssec_opts);
+ render_opts);
if (result == ISC_R_NOSPACE) {
client->message->flags |= DNS_MESSAGEFLAG_TC;
goto renderend;
@@ -997,7 +1015,7 @@ ns_client_send(ns_client_t *client) {
goto done;
result = dns_message_rendersection(client->message,
DNS_SECTION_ADDITIONAL,
- preferred_glue | dnssec_opts);
+ preferred_glue | render_opts);
if (result != ISC_R_SUCCESS && result != ISC_R_NOSPACE)
goto done;
renderend:
@@ -1362,7 +1380,6 @@ client_request(isc_task_t *task, isc_event_t *event) {
dns_name_t *signame;
isc_boolean_t ra; /* Recursion available. */
isc_netaddr_t netaddr;
- isc_netaddr_t destaddr;
int match;
dns_messageid_t id;
unsigned int flags;
@@ -1480,7 +1497,7 @@ client_request(isc_task_t *task, isc_event_t *event) {
/*
* Silently drop multicast requests for the present.
- * XXXMPA look at when/if mDNS spec stabilizes.
+ * XXXMPA revisit this as mDNS spec was published.
*/
if ((client->attributes & NS_CLIENTATTR_MULTICAST) != 0) {
ns_client_log(client, NS_LOGCATEGORY_CLIENT,
@@ -1654,24 +1671,20 @@ client_request(isc_task_t *task, isc_event_t *event) {
* etc), we regard this as an error for safety.
*/
if ((client->interface->flags & NS_INTERFACEFLAG_ANYADDR) == 0)
- isc_netaddr_fromsockaddr(&destaddr, &client->interface->addr);
+ isc_netaddr_fromsockaddr(&client->destaddr,
+ &client->interface->addr);
else {
+ isc_sockaddr_t sockaddr;
result = ISC_R_FAILURE;
- if (TCP_CLIENT(client)) {
- isc_sockaddr_t destsockaddr;
-
+ if (TCP_CLIENT(client))
result = isc_socket_getsockname(client->tcpsocket,
- &destsockaddr);
- if (result == ISC_R_SUCCESS)
- isc_netaddr_fromsockaddr(&destaddr,
- &destsockaddr);
- }
+ &sockaddr);
+ if (result == ISC_R_SUCCESS)
+ isc_netaddr_fromsockaddr(&client->destaddr, &sockaddr);
if (result != ISC_R_SUCCESS &&
client->interface->addr.type.sa.sa_family == AF_INET6 &&
(client->attributes & NS_CLIENTATTR_PKTINFO) != 0) {
- isc_uint32_t zone = 0;
-
/*
* XXXJT technically, we should convert the receiving
* interface ID to a proper scope zone ID. However,
@@ -1680,12 +1693,11 @@ client_request(isc_task_t *task, isc_event_t *event) {
* interface index as link ID. Despite the assumption,
* it should cover most typical cases.
*/
- if (IN6_IS_ADDR_LINKLOCAL(&client->pktinfo.ipi6_addr))
- zone = (isc_uint32_t)client->pktinfo.ipi6_ifindex;
-
- isc_netaddr_fromin6(&destaddr,
+ isc_netaddr_fromin6(&client->destaddr,
&client->pktinfo.ipi6_addr);
- isc_netaddr_setzone(&destaddr, zone);
+ if (IN6_IS_ADDR_LINKLOCAL(&client->pktinfo.ipi6_addr))
+ isc_netaddr_setzone(&client->destaddr,
+ client->pktinfo.ipi6_ifindex);
result = ISC_R_SUCCESS;
}
if (result != ISC_R_SUCCESS) {
@@ -1715,7 +1727,8 @@ client_request(isc_task_t *task, isc_event_t *event) {
tsig = dns_tsigkey_identity(client->message->tsigkey);
if (allowed(&netaddr, tsig, view->matchclients) &&
- allowed(&destaddr, tsig, view->matchdestinations) &&
+ allowed(&client->destaddr, tsig,
+ view->matchdestinations) &&
!((client->message->flags & DNS_MESSAGEFLAG_RD)
== 0 && view->matchrecursiveonly))
{
@@ -1778,9 +1791,11 @@ client_request(isc_task_t *task, isc_event_t *event) {
}
if (result == ISC_R_SUCCESS) {
+ char namebuf[DNS_NAME_FORMATSIZE];
+ dns_name_format(&client->signername, namebuf, sizeof(namebuf));
ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
- "request has valid signature");
+ "request has valid signature: %s", namebuf);
client->signer = &client->signername;
} else if (result == ISC_R_NOTFOUND) {
ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
@@ -1868,10 +1883,10 @@ client_request(isc_task_t *task, isc_event_t *event) {
ns_client_checkaclsilent(client, NULL,
client->view->cacheacl,
ISC_TRUE) == ISC_R_SUCCESS &&
- ns_client_checkaclsilent(client, &client->interface->addr,
+ ns_client_checkaclsilent(client, &client->destaddr,
client->view->recursiononacl,
ISC_TRUE) == ISC_R_SUCCESS &&
- ns_client_checkaclsilent(client, &client->interface->addr,
+ ns_client_checkaclsilent(client, &client->destaddr,
client->view->cacheonacl,
ISC_TRUE) == ISC_R_SUCCESS)
ra = ISC_TRUE;
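Review bot: The `recursiononacl` and `cacheonacl` checks are now matched against `client->destaddr` instead of the listening interface's address, which changes the address an operator's ACL is evaluated against whenever the two differ, and nothing at the call site records that. A comment such as `/* match the "-on" ACLs against the request's destination address resolved earlier in client_request, not the interface address */` would state the intent. The check now also depends on `destaddr` having been filled in for the current request: the assignments sit in earlier hunks of client_request, and the client_create hunk initialises only `filter_aaaa`, so it is worth confirming that no path reaches here with a value left over from a previous request. client_request starts and ends outside this hunk.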
@@ -2101,6 +2116,9 @@ client_create(ns_clientmgr_t *manager, ns_client_t **clientp) {
client->recursionquota = NULL;
client->interface = NULL;
client->peeraddr_valid = ISC_FALSE;
+#ifdef ALLOW_FILTER_AAAA_ON_V4
+ client->filter_aaaa = dns_v4_aaaa_ok;
+#endif
ISC_EVENT_INIT(&client->ctlevent, sizeof(client->ctlevent), 0, NULL,
NS_EVENT_CLIENTCONTROL, client_start, client, client,
NULL, NULL);
@@ -2608,12 +2626,12 @@ ns_client_getsockaddr(ns_client_t *client) {
}
isc_result_t
-ns_client_checkaclsilent(ns_client_t *client, isc_sockaddr_t *sockaddr,
+ns_client_checkaclsilent(ns_client_t *client, isc_netaddr_t *netaddr,
dns_acl_t *acl, isc_boolean_t default_allow)
{
isc_result_t result;
+ isc_netaddr_t tmpnetaddr;
int match;
- isc_netaddr_t netaddr;
if (acl == NULL) {
if (default_allow)
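Review bot: Changing the second parameter of `ns_client_checkaclsilent` from `isc_sockaddr_t *` to `isc_netaddr_t *` keeps the arity, so a caller that still passes a socket address typically gets only an incompatible-pointer warning in C, and the ACL would then be matched against misread bytes. The two call sites in client_request and the wrapper ns_client_checkacl are converted in this commit; any callers in other files are outside this view and should be checked, ideally with that warning treated as an error for this build. The function body continues in the next hunk.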
@@ -2622,15 +2640,13 @@ ns_client_checkaclsilent(ns_client_t *client, isc_sockaddr_t *sockaddr,
goto deny;
}
+ if (netaddr == NULL) {
+ isc_netaddr_fromsockaddr(&tmpnetaddr, &client->peeraddr);
+ netaddr = &tmpnetaddr;
+ }
- if (sockaddr == NULL)
- isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr);
- else
- isc_netaddr_fromsockaddr(&netaddr, sockaddr);
-
- result = dns_acl_match(&netaddr, client->signer, acl,
- &ns_g_server->aclenv,
- &match, NULL);
+ result = dns_acl_match(netaddr, client->signer, acl,
+ &ns_g_server->aclenv, &match, NULL);
if (result != ISC_R_SUCCESS)
goto deny; /* Internal error, already logged. */
@@ -2650,8 +2666,14 @@ ns_client_checkacl(ns_client_t *client, isc_sockaddr_t *sockaddr,
const char *opname, dns_acl_t *acl,
isc_boolean_t default_allow, int log_level)
{
- isc_result_t result =
- ns_client_checkaclsilent(client, sockaddr, acl, default_allow);
+ isc_result_t result;
+ isc_netaddr_t netaddr;
+
+ if (sockaddr != NULL)
+ isc_netaddr_fromsockaddr(&netaddr, sockaddr);
+
+ result = ns_client_checkaclsilent(client, sockaddr ? &netaddr : NULL,
+ acl, default_allow);
if (result == ISC_R_SUCCESS)
ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
@@ -2761,9 +2783,14 @@ void
ns_client_dumprecursing(FILE *f, ns_clientmgr_t *manager) {
ns_client_t *client;
char namebuf[DNS_NAME_FORMATSIZE];
+ char original[DNS_NAME_FORMATSIZE];
char peerbuf[ISC_SOCKADDR_FORMATSIZE];
+ char typebuf[DNS_RDATATYPE_FORMATSIZE];
+ char classbuf[DNS_RDATACLASS_FORMATSIZE];
const char *name;
const char *sep;
+ const char *origfor;
+ dns_rdataset_t *rdataset;
REQUIRE(VALID_MANAGER(manager));
@@ -2781,8 +2808,31 @@ ns_client_dumprecursing(FILE *f, ns_clientmgr_t *manager) {
sep = "";
}
dns_name_format(client->query.qname, namebuf, sizeof(namebuf));
- fprintf(f, "; client %s%s%s: '%s' requesttime %d\n",
- peerbuf, sep, name, namebuf, client->requesttime);
+ if (client->query.qname != client->query.origqname &&
+ client->query.origqname != NULL) {
+ origfor = " for ";
+ dns_name_format(client->query.origqname, original,
+ sizeof(original));
+ } else {
+ origfor = "";
+ original[0] = '\0';
+ }
+ rdataset = ISC_LIST_HEAD(client->query.qname->list);
+ if (rdataset == NULL && client->query.origqname != NULL)
+ rdataset = ISC_LIST_HEAD(client->query.origqname->list);
+ if (rdataset != NULL) {
+ dns_rdatatype_format(rdataset->type, typebuf,
+ sizeof(typebuf));
+ dns_rdataclass_format(rdataset->rdclass, classbuf,
+ sizeof(classbuf));
+ } else {
+ strcpy(typebuf, "-");
+ strcpy(classbuf, "-");
+ }
+ fprintf(f, "; client %s%s%s: id %u '%s/%s/%s'%s%s "
+ "requesttime %d\n", peerbuf, sep, name,
+ client->message->id, namebuf, typebuf, classbuf,
+ origfor, original, client->requesttime);
client = ISC_LIST_NEXT(client, link);
}
UNLOCK(&manager->lock);
diff --git a/contrib/bind9/bin/named/config.c b/contrib/bind9/bin/named/config.c
index 79889cedc91a..9e453ade3bc6 100644
--- a/contrib/bind9/bin/named/config.c
+++ b/contrib/bind9/bin/named/config.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2001-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: config.c,v 1.113.16.2 2011/02/28 01:19:58 tbox Exp $ */
/*! \file */
@@ -42,9 +42,13 @@
#include <dns/tsig.h>
#include <dns/zone.h>
+#include <dst/dst.h>
+
#include <named/config.h>
#include <named/globals.h>
+#include "bind.keys.h"
+
/*% default configuration */
static char defaultconf[] = "\
options {\n\
@@ -55,7 +59,10 @@ options {\n\
files unlimited;\n\
stacksize default;\n"
#endif
-" deallocate-on-exit true;\n\
+"# session-keyfile \"" NS_LOCALSTATEDIR "/run/named/session.key\";\n\
+ session-keyname local-ddns;\n\
+ session-keyalg hmac-sha256;\n\
+ deallocate-on-exit true;\n\
# directory <none>\n\
dump-file \"named_dump.db\";\n\
fake-iquery no;\n\
@@ -70,8 +77,10 @@ options {\n\
multiple-cnames no;\n\
# named-xfer <obsolete>;\n\
# pid-file \"" NS_LOCALSTATEDIR "/run/named/named.pid\"; /* or /lwresd.pid */\n\
+ bindkeys-file \"" NS_SYSCONFDIR "/bind.keys\";\n\
port 53;\n\
recursing-file \"named.recursing\";\n\
+ secroots-file \"named.secroots\";\n\
"
#ifdef PATH_RANDOMDEV
"\
@@ -80,6 +89,7 @@ options {\n\
#endif
"\
recursive-clients 1000;\n\
+ resolver-query-timeout 10;\n\
rrset-order {type NS order random; order cyclic; };\n\
serial-queries 20;\n\
serial-query-rate 20;\n\
@@ -102,6 +112,9 @@ options {\n\
request-nsid false;\n\
reserved-sockets 512;\n\
\n\
+ /* DLV */\n\
+ dnssec-lookaside . trust-anchor dlv.isc.org;\n\
+\n\
/* view */\n\
allow-notify {none;};\n\
allow-update-forwarding {none;};\n\
@@ -135,6 +148,7 @@ options {\n\
check-names master fail;\n\
check-names slave warn;\n\
check-names response ignore;\n\
+ check-dup-records warn;\n\
check-mx warn;\n\
acache-enable no;\n\
acache-cleaning-interval 60;\n\
@@ -146,7 +160,13 @@ options {\n\
max-clients-per-query 100;\n\
zero-no-soa-ttl-cache no;\n\
nsec3-test-zone no;\n\
+ allow-new-zones no;\n\
+"
+#ifdef ALLOW_FILTER_AAAA_ON_V4
+" filter-aaaa-on-v4 no;\n\
+ filter-aaaa { any; };\n\
"
+#endif
" /* zone */\n\
allow-query {any;};\n\
@@ -174,6 +194,7 @@ options {\n\
max-refresh-time 2419200; /* 4 weeks */\n\
min-refresh-time 300;\n\
multi-master no;\n\
+ dnssec-secure-to-insecure no;\n\
sig-validity-interval 30; /* days */\n\
sig-signing-nodes 100;\n\
sig-signing-signatures 10;\n\
@@ -188,6 +209,7 @@ options {\n\
check-srv-cname warn;\n\
zero-no-soa-ttl yes;\n\
update-check-ksk yes;\n\
+ dnssec-dnskey-kskonly no;\n\
try-tcp-refresh yes; /* BIND 8 compat */\n\
};\n\
"
@@ -198,6 +220,7 @@ options {\n\
view \"_bind\" chaos {\n\
recursion no;\n\
notify no;\n\
+ allow-new-zones no;\n\
\n\
zone \"version.bind\" chaos {\n\
type master;\n\
@@ -213,11 +236,24 @@ view \"_bind\" chaos {\n\
type master;\n\
database \"_builtin authors\";\n\
};\n\
+\n\
zone \"id.server\" chaos {\n\
type master;\n\
database \"_builtin id\";\n\
};\n\
};\n\
+"
+"#\n\
+# Default trusted key(s) for builtin DLV support\n\
+# (used if \"dnssec-lookaside auto;\" is set and\n\
+# sysconfdir/bind.keys doesn't exist).\n\
+#\n\
+# BEGIN MANAGED KEYS\n"
+
+/* Imported from bind.keys.h: */
+MANAGED_KEYS
+
+"# END MANAGED KEYS\n\
";
isc_result_t
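Review bot: The comment added to the default configuration describes the compiled-in keys as being for DLV only, but the bind.keys.h text shown earlier on this page, which it says `MANAGED_KEYS` is imported from, also carries the root zone key that `dnssec-validation auto;` activates. I would reword the first line to `# Default trusted key(s) for builtin DLV and root zone support` and name both options in the parenthesis. Because that header says the keys are current as of January 2011 and may have expired, the comment could also say that an up-to-date bind.keys in sysconfdir is what replaces these compiled-in anchors.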
@@ -339,6 +375,8 @@ ns_config_getzonetype(const cfg_obj_t *zonetypeobj) {
ztype = dns_zone_slave;
else if (strcasecmp(str, "stub") == 0)
ztype = dns_zone_stub;
+ else if (strcasecmp(str, "static-stub") == 0)
+ ztype = dns_zone_staticstub;
else
INSIST(0);
return (ztype);
@@ -615,7 +653,7 @@ ns_config_getipandkeylist(const cfg_obj_t *config, const cfg_obj_t *list,
isc_buffer_add(&b, strlen(keystr));
dns_fixedname_init(&fname);
result = dns_name_fromtext(dns_fixedname_name(&fname), &b,
- dns_rootname, ISC_FALSE, NULL);
+ dns_rootname, 0, NULL);
if (result != ISC_R_SUCCESS)
goto cleanup;
result = dns_name_dup(dns_fixedname_name(&fname), mctx,
@@ -747,23 +785,31 @@ struct keyalgorithms {
const char *str;
enum { hmacnone, hmacmd5, hmacsha1, hmacsha224,
hmacsha256, hmacsha384, hmacsha512 } hmac;
+ unsigned int type;
isc_uint16_t size;
} algorithms[] = {
- { "hmac-md5", hmacmd5, 128 },
- { "hmac-md5.sig-alg.reg.int", hmacmd5, 0 },
- { "hmac-md5.sig-alg.reg.int.", hmacmd5, 0 },
- { "hmac-sha1", hmacsha1, 160 },
- { "hmac-sha224", hmacsha224, 224 },
- { "hmac-sha256", hmacsha256, 256 },
- { "hmac-sha384", hmacsha384, 384 },
- { "hmac-sha512", hmacsha512, 512 },
- { NULL, hmacnone, 0 }
+ { "hmac-md5", hmacmd5, DST_ALG_HMACMD5, 128 },
+ { "hmac-md5.sig-alg.reg.int", hmacmd5, DST_ALG_HMACMD5, 0 },
+ { "hmac-md5.sig-alg.reg.int.", hmacmd5, DST_ALG_HMACMD5, 0 },
+ { "hmac-sha1", hmacsha1, DST_ALG_HMACSHA1, 160 },
+ { "hmac-sha224", hmacsha224, DST_ALG_HMACSHA224, 224 },
+ { "hmac-sha256", hmacsha256, DST_ALG_HMACSHA256, 256 },
+ { "hmac-sha384", hmacsha384, DST_ALG_HMACSHA384, 384 },
+ { "hmac-sha512", hmacsha512, DST_ALG_HMACSHA512, 512 },
+ { NULL, hmacnone, DST_ALG_UNKNOWN, 0 }
};
isc_result_t
ns_config_getkeyalgorithm(const char *str, dns_name_t **name,
isc_uint16_t *digestbits)
{
+ return (ns_config_getkeyalgorithm2(str, name, NULL, digestbits));
+}
+
+isc_result_t
+ns_config_getkeyalgorithm2(const char *str, dns_name_t **name,
+ unsigned int *typep, isc_uint16_t *digestbits)
+{
int i;
size_t len = 0;
isc_uint16_t bits;
@@ -801,6 +847,8 @@ ns_config_getkeyalgorithm(const char *str, dns_name_t **name,
INSIST(0);
}
}
+ if (typep != NULL)
+ *typep = algorithms[i].type;
if (digestbits != NULL)
*digestbits = bits;
return (ISC_R_SUCCESS);
diff --git a/contrib/bind9/bin/named/control.c b/contrib/bind9/bin/named/control.c
index 1273fbed7f24..ff084fc7d5a9 100644
--- a/contrib/bind9/bin/named/control.c
+++ b/contrib/bind9/bin/named/control.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2007, 2009, 2010, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2001-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: control.c,v 1.41 2010/12/03 22:05:19 each Exp $ */
/*! \file */
@@ -158,6 +158,8 @@ ns_control_docommand(isccc_sexpr_t *message, isc_buffer_t *text) {
} else if (command_compare(command, NS_COMMAND_DUMPDB)) {
ns_server_dumpdb(ns_g_server, command);
result = ISC_R_SUCCESS;
+ } else if (command_compare(command, NS_COMMAND_SECROOTS)) {
+ result = ns_server_dumpsecroots(ns_g_server, command);
} else if (command_compare(command, NS_COMMAND_TRACE)) {
result = ns_server_setdebuglevel(ns_g_server, command);
} else if (command_compare(command, NS_COMMAND_NOTRACE)) {
@@ -192,6 +194,13 @@ ns_control_docommand(isccc_sexpr_t *message, isc_buffer_t *text) {
result = ns_server_notifycommand(ns_g_server, command, text);
} else if (command_compare(command, NS_COMMAND_VALIDATION)) {
result = ns_server_validation(ns_g_server, command);
+ } else if (command_compare(command, NS_COMMAND_SIGN) ||
+ command_compare(command, NS_COMMAND_LOADKEYS)) {
+ result = ns_server_rekey(ns_g_server, command);
+ } else if (command_compare(command, NS_COMMAND_ADDZONE)) {
+ result = ns_server_add_zone(ns_g_server, command);
+ } else if (command_compare(command, NS_COMMAND_DELZONE)) {
+ result = ns_server_del_zone(ns_g_server, command);
} else {
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
NS_LOGMODULE_CONTROL, ISC_LOG_WARNING,
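Review bot: The new `sign`, `loadkeys`, `addzone` and `delzone` branches change key state and the set of served zones, yet nothing at the call site says where they are authorised beyond the control channel itself. The config.c defaults in this commit set `allow-new-zones no;`, so presumably ns_server_add_zone and ns_server_del_zone enforce that per view; if so, a comment such as `/* refused unless the target view has allow-new-zones yes; enforced in ns_server_add_zone() */` would make it visible here. Unlike the `notify` branch above, none of these handlers is passed `text`, so it is worth confirming that a refusal reaches the rndc caller as more than a bare result code. ns_control_docommand starts and ends outside this hunk.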
diff --git a/contrib/bind9/bin/named/controlconf.c b/contrib/bind9/bin/named/controlconf.c
index 98f2f1516a55..daf00d04ed65 100644
--- a/contrib/bind9/bin/named/controlconf.c
+++ b/contrib/bind9/bin/named/controlconf.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: controlconf.c,v 1.60.544.3 2011/12/22 08:10:09 marka Exp $ */
/*! \file */
diff --git a/contrib/bind9/bin/named/include/dlz/dlz_dlopen_driver.h b/contrib/bind9/bin/named/include/dlz/dlz_dlopen_driver.h
new file mode 100644
index 000000000000..7af325a13b30
--- /dev/null
+++ b/contrib/bind9/bin/named/include/dlz/dlz_dlopen_driver.h
@@ -0,0 +1,27 @@
+/*
+ * Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: dlz_dlopen_driver.h,v 1.1.4.4 2011/03/17 09:41:06 fdupont Exp $ */
+
+#ifndef DLZ_DLOPEN_DRIVER_H
+#define DLZ_DLOPEN_DRIVER_H
+
+isc_result_t
+dlz_dlopen_init(isc_mem_t *mctx);
+
+void
+dlz_dlopen_clear(void);
+#endif
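Review bot: This new header declares both entry points of the dlopen DLZ driver with no description of their contract, and it uses `isc_result_t` and `isc_mem_t` without including a header that defines them, so it compiles only when the includer has already pulled those in. Going by its name, the driver exists to load external shared objects into named, so I would document on `dlz_dlopen_init` what it registers and what it returns on failure, and on `dlz_dlopen_clear` that it undoes that registration. Adding `#include <isc/types.h>` after the guard would make the header self-contained, and a trailing `/* DLZ_DLOPEN_DRIVER_H */` on the `#endif` would mark which guard it closes.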
diff --git a/contrib/bind9/bin/named/include/named/client.h b/contrib/bind9/bin/named/include/named/client.h
index d66f33fbfdae..109d160b456b 100644
--- a/contrib/bind9/bin/named/include/named/client.h
+++ b/contrib/bind9/bin/named/include/named/client.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: client.h,v 1.91.278.2 2012/01/31 23:46:39 tbox Exp $ */
#ifndef NAMED_CLIENT_H
#define NAMED_CLIENT_H 1
@@ -138,8 +138,12 @@ struct ns_client {
ns_interface_t *interface;
isc_sockaddr_t peeraddr;
isc_boolean_t peeraddr_valid;
+ isc_netaddr_t destaddr;
struct in6_pktinfo pktinfo;
isc_event_t ctlevent;
+#ifdef ALLOW_FILTER_AAAA_ON_V4
+ dns_v4_aaaa_t filter_aaaa;
+#endif
/*%
* Information about recent FORMERR response(s), for
* FORMERR loop avoidance. This is separate for each
@@ -167,6 +171,10 @@ struct ns_client {
#define NS_CLIENTATTR_MULTICAST 0x08 /*%< recv'd from multicast */
#define NS_CLIENTATTR_WANTDNSSEC 0x10 /*%< include dnssec records */
#define NS_CLIENTATTR_WANTNSID 0x20 /*%< include nameserver ID */
+#ifdef ALLOW_FILTER_AAAA_ON_V4
+#define NS_CLIENTATTR_FILTER_AAAA 0x40 /*%< suppress AAAAs */
+#define NS_CLIENTATTR_FILTER_AAAA_RC 0x80 /*%< recursing for A against AAAA */
+#endif
extern unsigned int ns_client_requests;
@@ -274,10 +282,8 @@ ns_client_getsockaddr(ns_client_t *client);
*/
isc_result_t
-ns_client_checkaclsilent(ns_client_t *client,
- isc_sockaddr_t *sockaddr,
- dns_acl_t *acl,
- isc_boolean_t default_allow);
+ns_client_checkaclsilent(ns_client_t *client, isc_netaddr_t *netaddr,
+ dns_acl_t *acl, isc_boolean_t default_allow);
/*%
* Convenience function for client request ACL checking.
@@ -296,12 +302,12 @@ ns_client_checkaclsilent(ns_client_t *client,
*
* Requires:
*\li 'client' points to a valid client.
- *\li 'sockaddr' points to a valid address, or is NULL.
+ *\li 'netaddr' points to a valid address, or is NULL.
*\li 'acl' points to a valid ACL, or is NULL.
*
* Returns:
*\li ISC_R_SUCCESS if the request should be allowed
- * \li ISC_R_REFUSED if the request should be denied
+ * \li DNS_R_REFUSED if the request should be denied
*\li No other return values are possible.
*/
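Review bot: The Returns list for `ns_client_checkaclsilent()` now names `DNS_R_REFUSED` where it used to name `ISC_R_REFUSED`, and the prototype in the previous hunk changes the address argument from `isc_sockaddr_t *` to `isc_netaddr_t *`, so every caller of this access-control helper needs a second look. A caller that matches one specific refusal code would treat the other code as "not refused"; the safe form is to deny on anything other than success, `if (result != ISC_R_SUCCESS)`. Whether the function's return value itself changed or only the comment was corrected cannot be told from this hunk. The two Returns bullets are also spelled differently (`*\li` and `* \li`), which is worth making uniform while the comment is being touched.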
diff --git a/contrib/bind9/bin/named/include/named/config.h b/contrib/bind9/bin/named/include/named/config.h
index a90e19d050a3..c16c800fe126 100644
--- a/contrib/bind9/bin/named/include/named/config.h
+++ b/contrib/bind9/bin/named/include/named/config.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2007, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2001, 2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: config.h,v 1.16 2009/06/11 23:47:55 tbox Exp $ */
#ifndef NAMED_CONFIG_H
#define NAMED_CONFIG_H 1
@@ -75,5 +75,8 @@ ns_config_getport(const cfg_obj_t *config, in_port_t *portp);
isc_result_t
ns_config_getkeyalgorithm(const char *str, dns_name_t **name,
isc_uint16_t *digestbits);
+isc_result_t
+ns_config_getkeyalgorithm2(const char *str, dns_name_t **name,
+ unsigned int *typep, isc_uint16_t *digestbits);
#endif /* NAMED_CONFIG_H */
diff --git a/contrib/bind9/bin/named/include/named/control.h b/contrib/bind9/bin/named/include/named/control.h
index 06f61e6c932e..24e59093b4d1 100644
--- a/contrib/bind9/bin/named/include/named/control.h
+++ b/contrib/bind9/bin/named/include/named/control.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2007, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2001-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: control.h,v 1.31 2010/08/16 22:21:06 marka Exp $ */
#ifndef NAMED_CONTROL_H
#define NAMED_CONTROL_H 1
@@ -42,6 +42,7 @@
#define NS_COMMAND_DUMPSTATS "stats"
#define NS_COMMAND_QUERYLOG "querylog"
#define NS_COMMAND_DUMPDB "dumpdb"
+#define NS_COMMAND_SECROOTS "secroots"
#define NS_COMMAND_TRACE "trace"
#define NS_COMMAND_NOTRACE "notrace"
#define NS_COMMAND_FLUSH "flush"
@@ -57,6 +58,10 @@
#define NS_COMMAND_NULL "null"
#define NS_COMMAND_NOTIFY "notify"
#define NS_COMMAND_VALIDATION "validation"
+#define NS_COMMAND_SIGN "sign"
+#define NS_COMMAND_LOADKEYS "loadkeys"
+#define NS_COMMAND_ADDZONE "addzone"
+#define NS_COMMAND_DELZONE "delzone"
isc_result_t
ns_controls_create(ns_server_t *server, ns_controls_t **ctrlsp);
diff --git a/contrib/bind9/bin/named/include/named/globals.h b/contrib/bind9/bin/named/include/named/globals.h
index 94ec0216f53b..842931677b55 100644
--- a/contrib/bind9/bin/named/include/named/globals.h
+++ b/contrib/bind9/bin/named/include/named/globals.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2008, 2010, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: globals.h,v 1.89.54.2 2011/06/17 23:47:10 tbox Exp $ */
#ifndef NAMED_GLOBALS_H
#define NAMED_GLOBALS_H 1
@@ -26,10 +26,13 @@
#include <isc/log.h>
#include <isc/net.h>
+#include <isccfg/aclconf.h>
#include <isccfg/cfg.h>
#include <dns/zone.h>
+#include <dst/dst.h>
+
#include <named/types.h>
#undef EXTERN
@@ -86,8 +89,13 @@ EXTERN cfg_obj_t * ns_g_config INIT(NULL);
EXTERN const cfg_obj_t * ns_g_defaults INIT(NULL);
EXTERN const char * ns_g_conffile INIT(NS_SYSCONFDIR
"/named.conf");
+EXTERN cfg_obj_t * ns_g_bindkeys INIT(NULL);
EXTERN const char * ns_g_keyfile INIT(NS_SYSCONFDIR
"/rndc.key");
+
+EXTERN dns_tsigkey_t * ns_g_sessionkey INIT(NULL);
+EXTERN dns_name_t ns_g_sessionkeyname;
+
EXTERN const char * lwresd_g_conffile INIT(NS_SYSCONFDIR
"/lwresd.conf");
EXTERN const char * lwresd_g_resolvconffile INIT("/etc"
@@ -95,6 +103,7 @@ EXTERN const char * lwresd_g_resolvconffile INIT("/etc"
EXTERN isc_boolean_t ns_g_conffileset INIT(ISC_FALSE);
EXTERN isc_boolean_t lwresd_g_useresolvconf INIT(ISC_FALSE);
EXTERN isc_uint16_t ns_g_udpsize INIT(4096);
+EXTERN cfg_aclconfctx_t * ns_g_aclconfctx INIT(NULL);
/*
* Initial resource limits.
@@ -112,6 +121,10 @@ EXTERN const char * ns_g_chrootdir INIT(NULL);
EXTERN isc_boolean_t ns_g_foreground INIT(ISC_FALSE);
EXTERN isc_boolean_t ns_g_logstderr INIT(ISC_FALSE);
+EXTERN const char * ns_g_defaultsessionkeyfile
+ INIT(NS_LOCALSTATEDIR "/run/named/"
+ "session.key");
+
#if NS_RUN_PID_DIR
EXTERN const char * ns_g_defaultpidfile INIT(NS_LOCALSTATEDIR
"/run/named/"
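Review bot: `ns_g_defaultsessionkeyfile` is declared without any comment on what the file contains or who may read it. Going by its name and the `ns_g_sessionkey` TSIG key added earlier in this header, it will presumably hold key material. A one-line comment would help packagers and operators, for example `/* Holds a TSIG secret: must be readable only by the user named runs as. */`. The default path is the same run directory used for the pid file below, so that directory's ownership and mode should be checked against what a secret needs rather than what a pid file needs. The code that creates the file is not in this hunk.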
@@ -128,6 +141,12 @@ EXTERN const char * lwresd_g_defaultpidfile INIT(NS_LOCALSTATEDIR
EXTERN const char * ns_g_username INIT(NULL);
+#ifdef USE_PKCS11
+EXTERN const char * ns_g_engine INIT("pkcs11");
+#else
+EXTERN const char * ns_g_engine INIT(NULL);
+#endif
+
EXTERN int ns_g_listen INIT(3);
EXTERN isc_time_t ns_g_boottime;
EXTERN isc_boolean_t ns_g_memstatistics INIT(ISC_FALSE);
diff --git a/contrib/bind9/bin/named/include/named/log.h b/contrib/bind9/bin/named/include/named/log.h
index 9652c9e210b5..032743acbfb2 100644
--- a/contrib/bind9/bin/named/include/named/log.h
+++ b/contrib/bind9/bin/named/include/named/log.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2007, 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: log.h,v 1.27 2009/01/07 23:47:46 tbox Exp $ */
#ifndef NAMED_LOG_H
#define NAMED_LOG_H 1
diff --git a/contrib/bind9/bin/named/include/named/lwdclient.h b/contrib/bind9/bin/named/include/named/lwdclient.h
index f16270a7fccc..c345176a2127 100644
--- a/contrib/bind9/bin/named/include/named/lwdclient.h
+++ b/contrib/bind9/bin/named/include/named/lwdclient.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2007, 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: lwdclient.h,v 1.20 2009/01/17 23:47:42 tbox Exp $ */
#ifndef NAMED_LWDCLIENT_H
#define NAMED_LWDCLIENT_H 1
diff --git a/contrib/bind9/bin/named/include/named/main.h b/contrib/bind9/bin/named/include/named/main.h
index 52e3b823da11..44251fa825c6 100644
--- a/contrib/bind9/bin/named/include/named/main.h
+++ b/contrib/bind9/bin/named/include/named/main.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2007, 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: main.h,v 1.17 2009/09/29 23:48:03 tbox Exp $ */
#ifndef NAMED_MAIN_H
#define NAMED_MAIN_H 1
diff --git a/contrib/bind9/bin/named/include/named/notify.h b/contrib/bind9/bin/named/include/named/notify.h
index 69bba829465a..4e0a57e519c8 100644
--- a/contrib/bind9/bin/named/include/named/notify.h
+++ b/contrib/bind9/bin/named/include/named/notify.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2007, 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: notify.h,v 1.16 2009/01/17 23:47:42 tbox Exp $ */
#ifndef NAMED_NOTIFY_H
#define NAMED_NOTIFY_H 1
diff --git a/contrib/bind9/bin/named/include/named/query.h b/contrib/bind9/bin/named/include/named/query.h
index 20aff40187c4..6dfe96bc9d4d 100644
--- a/contrib/bind9/bin/named/include/named/query.h
+++ b/contrib/bind9/bin/named/include/named/query.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2007, 2010, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2010, 2011 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: query.h,v 1.45 2011/01/13 04:59:24 tbox Exp $ */
#ifndef NAMED_QUERY_H
#define NAMED_QUERY_H 1
@@ -26,6 +26,8 @@
#include <isc/buffer.h>
#include <isc/netaddr.h>
+#include <dns/rdataset.h>
+#include <dns/rpz.h>
#include <dns/types.h>
#include <named/types.h>
@@ -34,6 +36,7 @@
typedef struct ns_dbversion {
dns_db_t *db;
dns_dbversion_t *version;
+ isc_boolean_t acl_checked;
isc_boolean_t queryok;
ISC_LINK(struct ns_dbversion) link;
} ns_dbversion_t;
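Review bot: `acl_checked` is added beside `queryok` in `ns_dbversion_t` with no comment, and together the two flags appear to encode three states: not yet evaluated, evaluated and allowed, evaluated and denied. Because this looks like a cached access decision, the invariant should be written down, for example `/*%< ACL already evaluated for this version; 'queryok' is only meaningful when set */`. The wording is inferred from the field names and should be confirmed against query.c.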
@@ -54,9 +57,16 @@ struct ns_query {
isc_boolean_t isreferral;
isc_mutex_t fetchlock;
dns_fetch_t * fetch;
+ dns_rpz_st_t * rpz_st;
isc_bufferlist_t namebufs;
ISC_LIST(ns_dbversion_t) activeversions;
ISC_LIST(ns_dbversion_t) freeversions;
+ dns_rdataset_t * dns64_aaaa;
+ dns_rdataset_t * dns64_sigaaaa;
+ isc_boolean_t * dns64_aaaaok;
+ unsigned int dns64_aaaaoklen;
+ unsigned int dns64_options;
+ unsigned int dns64_ttl;
};
#define NS_QUERYATTR_RECURSIONOK 0x0001
@@ -73,6 +83,9 @@ struct ns_query {
#define NS_QUERYATTR_NOADDITIONAL 0x0800
#define NS_QUERYATTR_CACHEACLOKVALID 0x1000
#define NS_QUERYATTR_CACHEACLOK 0x2000
+#define NS_QUERYATTR_DNS64 0x4000
+#define NS_QUERYATTR_DNS64EXCLUDE 0x8000
+
isc_result_t
ns_query_init(ns_client_t *client);
diff --git a/contrib/bind9/bin/named/include/named/server.h b/contrib/bind9/bin/named/include/named/server.h
index 4e8d4dfcb0b9..25aa641ad37e 100644
--- a/contrib/bind9/bin/named/include/named/server.h
+++ b/contrib/bind9/bin/named/include/named/server.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: server.h,v 1.110 2010/08/16 23:46:52 tbox Exp $ */
#ifndef NAMED_SERVER_H
#define NAMED_SERVER_H 1
@@ -54,6 +54,8 @@ struct ns_server {
dns_acl_t *blackholeacl;
char * statsfile; /*%< Statistics file name */
char * dumpfile; /*%< Dump file name */
+ char * secrootsfile; /*%< Secroots file name */
+ char * bindkeysfile; /*%< bind.keys file name */
char * recfile; /*%< Recursive file name */
isc_boolean_t version_set; /*%< User has set version */
char * version; /*%< User-specified version */
@@ -91,13 +93,14 @@ struct ns_server {
isc_boolean_t flushonshutdown;
isc_boolean_t log_queries; /*%< For BIND 8 compatibility */
- isc_stats_t * nsstats; /*%< Server statistics */
- dns_stats_t * rcvquerystats; /*% Incoming query statistics */
- dns_stats_t * opcodestats; /*%< Incoming message statistics */
- isc_stats_t * zonestats; /*% Zone management statistics */
- isc_stats_t * resolverstats; /*% Resolver statistics */
+ ns_cachelist_t cachelist; /*%< Possibly shared caches */
+ isc_stats_t * nsstats; /*%< Server stats */
+ dns_stats_t * rcvquerystats; /*% Incoming query stats */
+ dns_stats_t * opcodestats; /*%< Incoming message stats */
+ isc_stats_t * zonestats; /*% Zone management stats */
+ isc_stats_t * resolverstats; /*% Resolver stats */
+ isc_stats_t * sockstats; /*%< Socket stats */
- isc_stats_t * sockstats; /*%< Socket statistics */
ns_controls_t * controls; /*%< Control channels */
unsigned int dispatchgen;
ns_dispatchlist_t dispatches;
@@ -105,6 +108,12 @@ struct ns_server {
dns_acache_t *acache;
ns_statschannellist_t statschannels;
+
+ dns_tsigkey_t *sessionkey;
+ char *session_keyfile;
+ dns_name_t *session_keyname;
+ unsigned int session_keyalg;
+ isc_uint16_t session_keybits;
};
#define NS_SERVER_MAGIC ISC_MAGIC('S','V','E','R')
@@ -237,6 +246,12 @@ isc_result_t
ns_server_dumpdb(ns_server_t *server, char *args);
/*%
+ * Dump the current security roots to the secroots file.
+ */
+isc_result_t
+ns_server_dumpsecroots(ns_server_t *server, char *args);
+
+/*%
* Change or increment the server debug level.
*/
isc_result_t
@@ -280,6 +295,16 @@ ns_server_freeze(ns_server_t *server, isc_boolean_t freeze, char *args,
isc_buffer_t *text);
/*%
+ * Update a zone's DNSKEY set from the key repository. If
+ * the command that triggered the call to this function was "sign",
+ * then force a full signing of the zone. If it was "loadkeys",
+ * then don't sign the zone; any needed changes to signatures can
+ * take place incrementally.
+ */
+isc_result_t
+ns_server_rekey(ns_server_t *server, char *args);
+
+/*%
* Dump the current recursive queries.
*/
isc_result_t
@@ -297,4 +322,16 @@ ns_add_reserved_dispatch(ns_server_t *server, const isc_sockaddr_t *addr);
isc_result_t
ns_server_validation(ns_server_t *server, char *args);
+/*%
+ * Add a zone to a running process
+ */
+isc_result_t
+ns_server_add_zone(ns_server_t *server, char *args);
+
+/*%
+ * Deletes a zone from a running process
+ */
+isc_result_t
+ns_server_del_zone(ns_server_t *server, char *args);
+
#endif /* NAMED_SERVER_H */
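Review bot: The comments on `ns_server_add_zone()` and `ns_server_del_zone()` say nothing about `args` or the result codes, although these entry points change the served zone set at runtime. They correspond to the `NS_COMMAND_ADDZONE` and `NS_COMMAND_DELZONE` commands added in control.h, so `args` is presumably the command text received on the control channel. The comments should state the expected form of `args` and which results mean the zone set was left unchanged. The two comments also differ in mood ("Add" and "Deletes"); `Delete a zone from a running process` would match the first.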
diff --git a/contrib/bind9/bin/named/include/named/tsigconf.h b/contrib/bind9/bin/named/include/named/tsigconf.h
index 92d78b92d7da..30bdf319d318 100644
--- a/contrib/bind9/bin/named/include/named/tsigconf.h
+++ b/contrib/bind9/bin/named/include/named/tsigconf.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2007, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: tsigconf.h,v 1.18 2009/06/11 23:47:55 tbox Exp $ */
#ifndef NS_TSIGCONF_H
#define NS_TSIGCONF_H 1
@@ -36,8 +36,9 @@ ns_tsigkeyring_fromconfig(const cfg_obj_t *config, const cfg_obj_t *vconfig,
*
* Requires:
* \li 'config' is not NULL.
+ * \li 'vconfig' is not NULL.
* \li 'mctx' is not NULL
- * \li 'ring' is not NULL, and '*ring' is NULL
+ * \li 'ringp' is not NULL, and '*ringp' is NULL
*
* Returns:
* \li ISC_R_SUCCESS
diff --git a/contrib/bind9/bin/named/include/named/types.h b/contrib/bind9/bin/named/include/named/types.h
index 202e6bb77096..7a7886e2b634 100644
--- a/contrib/bind9/bin/named/include/named/types.h
+++ b/contrib/bind9/bin/named/include/named/types.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2008, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: types.h,v 1.31 2009/01/09 23:47:45 tbox Exp $ */
#ifndef NAMED_TYPES_H
#define NAMED_TYPES_H 1
@@ -24,6 +24,8 @@
#include <dns/types.h>
+typedef struct ns_cache ns_cache_t;
+typedef ISC_LIST(ns_cache_t) ns_cachelist_t;
typedef struct ns_client ns_client_t;
typedef struct ns_clientmgr ns_clientmgr_t;
typedef struct ns_query ns_query_t;
diff --git a/contrib/bind9/bin/named/include/named/zoneconf.h b/contrib/bind9/bin/named/include/named/zoneconf.h
index b973013c22da..ebaad684ae7a 100644
--- a/contrib/bind9/bin/named/include/named/zoneconf.h
+++ b/contrib/bind9/bin/named/include/named/zoneconf.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2010 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: zoneconf.h,v 1.26 2007/06/19 23:46:59 tbox Exp $ */
+/* $Id: zoneconf.h,v 1.28 2010/12/20 23:47:20 tbox Exp $ */
#ifndef NS_ZONECONF_H
#define NS_ZONECONF_H 1
@@ -58,6 +58,21 @@ ns_zone_reusable(dns_zone_t *zone, const cfg_obj_t *zconfig);
* and recreated, return ISC_FALSE.
*/
+
+isc_result_t
+ns_zone_configure_writeable_dlz(dns_dlzdb_t *dlzdatabase, dns_zone_t *zone,
+ dns_rdataclass_t rdclass, dns_name_t *name);
+/*%>
+ * configure a DLZ zone, setting up the database methods and calling
+ * postload to load the origin values
+ *
+ * Require:
+ * \li 'dlzdatabase' to be a valid dlz database
+ * \li 'zone' to be initialized.
+ * \li 'rdclass' to be a valid rdataclass
+ * \li 'name' to be a valid zone origin name
+ */
+
ISC_LANG_ENDDECLS
#endif /* NS_ZONECONF_H */
diff --git a/contrib/bind9/bin/named/interfacemgr.c b/contrib/bind9/bin/named/interfacemgr.c
index 60e01070395f..d194d2b877cf 100644
--- a/contrib/bind9/bin/named/interfacemgr.c
+++ b/contrib/bind9/bin/named/interfacemgr.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2009, 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009, 2011 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: interfacemgr.c,v 1.95.426.2 2011/03/12 04:59:14 tbox Exp $ */
/*! \file */
diff --git a/contrib/bind9/bin/named/log.c b/contrib/bind9/bin/named/log.c
index c3287d521409..5d19dcb205c6 100644
--- a/contrib/bind9/bin/named/log.c
+++ b/contrib/bind9/bin/named/log.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2007, 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: log.c,v 1.49 2009/01/07 01:46:40 jinmei Exp $ */
/*! \file */
diff --git a/contrib/bind9/bin/named/logconf.c b/contrib/bind9/bin/named/logconf.c
index f5a427062b32..5d17ab0e6016 100644
--- a/contrib/bind9/bin/named/logconf.c
+++ b/contrib/bind9/bin/named/logconf.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2007, 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2011 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: logconf.c,v 1.42.816.3 2011/03/05 23:52:06 tbox Exp $ */
/*! \file */
diff --git a/contrib/bind9/bin/named/lwdgabn.c b/contrib/bind9/bin/named/lwdgabn.c
index 4f7c18b5b934..c4b598beb13a 100644
--- a/contrib/bind9/bin/named/lwdgabn.c
+++ b/contrib/bind9/bin/named/lwdgabn.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2007, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: lwdgabn.c,v 1.24 2009/09/02 23:48:01 tbox Exp $ */
/*! \file */
@@ -619,7 +619,7 @@ ns_lwdclient_processgabn(ns_lwdclient_t *client, lwres_buffer_t *b) {
dns_fixedname_init(&client->target_name);
dns_fixedname_init(&client->query_name);
result = dns_name_fromtext(dns_fixedname_name(&client->query_name),
- &namebuf, NULL, ISC_FALSE, NULL);
+ &namebuf, NULL, 0, NULL);
if (result != ISC_R_SUCCESS)
goto out;
ns_lwsearchctx_init(&client->searchctx,
diff --git a/contrib/bind9/bin/named/lwdgrbn.c b/contrib/bind9/bin/named/lwdgrbn.c
index 1244e2572854..5c858cbedacd 100644
--- a/contrib/bind9/bin/named/lwdgrbn.c
+++ b/contrib/bind9/bin/named/lwdgrbn.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2007, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: lwdgrbn.c,v 1.22 2009/09/02 23:48:01 tbox Exp $ */
/*! \file */
@@ -472,7 +472,7 @@ ns_lwdclient_processgrbn(ns_lwdclient_t *client, lwres_buffer_t *b) {
dns_fixedname_init(&client->query_name);
result = dns_name_fromtext(dns_fixedname_name(&client->query_name),
- &namebuf, NULL, ISC_FALSE, NULL);
+ &namebuf, NULL, 0, NULL);
if (result != ISC_R_SUCCESS)
goto out;
ns_lwsearchctx_init(&client->searchctx,
diff --git a/contrib/bind9/bin/named/lwresd.8 b/contrib/bind9/bin/named/lwresd.8
index c37de822bb93..47a6b782b68a 100644
--- a/contrib/bind9/bin/named/lwresd.8
+++ b/contrib/bind9/bin/named/lwresd.8
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004, 2005, 2007-2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004, 2005, 2007-2009 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2000, 2001 Internet Software Consortium.
.\"
.\" Permission to use, copy, modify, and/or distribute this software for any
@@ -217,7 +217,7 @@ The default process\-id file.
.PP
Internet Systems Consortium
.SH "COPYRIGHT"
-Copyright \(co 2004, 2005, 2007\-2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004, 2005, 2007\-2009 Internet Systems Consortium, Inc. ("ISC")
.br
Copyright \(co 2000, 2001 Internet Software Consortium.
.br
diff --git a/contrib/bind9/bin/named/lwresd.c b/contrib/bind9/bin/named/lwresd.c
index b769697fd3df..11198a4324f2 100644
--- a/contrib/bind9/bin/named/lwresd.c
+++ b/contrib/bind9/bin/named/lwresd.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2008, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: lwresd.c,v 1.60 2009/09/02 23:48:01 tbox Exp $ */
/*! \file
* \brief
@@ -372,8 +372,7 @@ ns_lwdmanager_create(isc_mem_t *mctx, const cfg_obj_t *lwres,
strlen(searchstr));
isc_buffer_add(&namebuf, strlen(searchstr));
result = dns_name_fromtext(name, &namebuf,
- dns_rootname, ISC_FALSE,
- NULL);
+ dns_rootname, 0, NULL);
if (result != ISC_R_SUCCESS) {
isc_log_write(ns_g_lctx,
NS_LOGCATEGORY_GENERAL,
diff --git a/contrib/bind9/bin/named/lwresd.docbook b/contrib/bind9/bin/named/lwresd.docbook
index f66d6addaa12..dddfe5e51784 100644
--- a/contrib/bind9/bin/named/lwresd.docbook
+++ b/contrib/bind9/bin/named/lwresd.docbook
@@ -2,7 +2,7 @@
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- - Copyright (C) 2004, 2005, 2007-2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007-2009 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000, 2001 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id$ -->
+<!-- $Id: lwresd.docbook,v 1.20 2009/01/20 23:47:56 tbox Exp $ -->
<refentry>
<refentryinfo>
<date>June 30, 2000</date>
@@ -42,7 +42,6 @@
<year>2007</year>
<year>2008</year>
<year>2009</year>
- <year>2012</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
<copyright>
diff --git a/contrib/bind9/bin/named/lwresd.html b/contrib/bind9/bin/named/lwresd.html
index 152dff63f09c..5dc01be1dfb7 100644
--- a/contrib/bind9/bin/named/lwresd.html
+++ b/contrib/bind9/bin/named/lwresd.html
@@ -1,5 +1,5 @@
<!--
- - Copyright (C) 2004, 2005, 2007-2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007-2009 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000, 2001 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@@ -22,7 +22,7 @@
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2476275"></a><div class="titlepage"></div>
+<a name="id2476274"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p><span class="application">lwresd</span> &#8212; lightweight resolver daemon</p>
@@ -32,7 +32,7 @@
<div class="cmdsynopsis"><p><code class="command">lwresd</code> [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-C <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-d <em class="replaceable"><code>debug-level</code></em></code>] [<code class="option">-f</code>] [<code class="option">-g</code>] [<code class="option">-i <em class="replaceable"><code>pid-file</code></em></code>] [<code class="option">-m <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-n <em class="replaceable"><code>#cpus</code></em></code>] [<code class="option">-P <em class="replaceable"><code>port</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-s</code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-u <em class="replaceable"><code>user</code></em></code>] [<code class="option">-v</code>] [<code class="option">-4</code>] [<code class="option">-6</code>]</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543470"></a><h2>DESCRIPTION</h2>
+<a name="id2543469"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">lwresd</strong></span>
is the daemon providing name lookup
services to clients that use the BIND 9 lightweight resolver
@@ -67,7 +67,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543517"></a><h2>OPTIONS</h2>
+<a name="id2543516"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-4</span></dt>
<dd><p>
@@ -197,7 +197,7 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543934"></a><h2>FILES</h2>
+<a name="id2543933"></a><h2>FILES</h2>
<div class="variablelist"><dl>
<dt><span class="term"><code class="filename">/etc/resolv.conf</code></span></dt>
<dd><p>
@@ -210,14 +210,14 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543974"></a><h2>SEE ALSO</h2>
+<a name="id2543973"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">lwres</span>(3)</span>,
<span class="citerefentry"><span class="refentrytitle">resolver</span>(5)</span>.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2544008"></a><h2>AUTHOR</h2>
+<a name="id2544007"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
diff --git a/contrib/bind9/bin/named/main.c b/contrib/bind9/bin/named/main.c
index fd6747af9539..30c6ef9cac56 100644
--- a/contrib/bind9/bin/named/main.c
+++ b/contrib/bind9/bin/named/main.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: main.c,v 1.180.14.4 2011/11/05 00:45:52 each Exp $ */
/*! \file */
@@ -26,6 +26,7 @@
#include <string.h>
#include <isc/app.h>
+#include <isc/backtrace.h>
#include <isc/commandline.h>
#include <isc/dir.h>
#include <isc/entropy.h>
@@ -50,6 +51,8 @@
#include <dst/result.h>
+#include <dlz/dlz_dlopen_driver.h>
+
/*
* Defining NS_MAIN provides storage declarations (rather than extern)
* for variables in named/globals.h.
@@ -69,24 +72,38 @@
#include <named/ns_smf_globals.h>
#endif
+#ifdef OPENSSL
+#include <openssl/opensslv.h>
+#endif
+#ifdef HAVE_LIBXML2
+#include <libxml/xmlversion.h>
+#endif
/*
* Include header files for database drivers here.
*/
/* #include "xxdb.h" */
+#ifdef CONTRIB_DLZ
/*
- * Include DLZ drivers if appropriate.
+ * Include contributed DLZ drivers if appropriate.
*/
-#ifdef DLZ
#include <dlz/dlz_drivers.h>
#endif
+/*
+ * The maximum number of stack frames to dump on assertion failure.
+ */
+#ifndef BACKTRACE_MAXFRAME
+#define BACKTRACE_MAXFRAME 128
+#endif
+
static isc_boolean_t want_stats = ISC_FALSE;
static char program_name[ISC_DIR_NAMEMAX] = "named";
static char absolute_conffile[ISC_DIR_PATHMAX];
static char saved_command_line[512];
static char version[512];
static unsigned int maxsocks = 0;
+static int maxudp = 0;
void
ns_main_earlywarning(const char *format, ...) {
@@ -137,6 +154,12 @@ static void
assertion_failed(const char *file, int line, isc_assertiontype_t type,
const char *cond)
{
+ void *tracebuf[BACKTRACE_MAXFRAME];
+ int i, nframes;
+ isc_result_t result;
+ const char *logsuffix = "";
+ const char *fname;
+
/*
* Handle assertion failures.
*/
@@ -148,10 +171,40 @@ assertion_failed(const char *file, int line, isc_assertiontype_t type,
*/
isc_assertion_setcallback(NULL);
+ result = isc_backtrace_gettrace(tracebuf, BACKTRACE_MAXFRAME,
+ &nframes);
+ if (result == ISC_R_SUCCESS && nframes > 0)
+ logsuffix = ", back trace";
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
NS_LOGMODULE_MAIN, ISC_LOG_CRITICAL,
- "%s:%d: %s(%s) failed", file, line,
- isc_assertion_typetotext(type), cond);
+ "%s:%d: %s(%s) failed%s", file, line,
+ isc_assertion_typetotext(type), cond, logsuffix);
+ if (result == ISC_R_SUCCESS) {
+ for (i = 0; i < nframes; i++) {
+ unsigned long offset;
+
+ fname = NULL;
+ result = isc_backtrace_getsymbol(tracebuf[i],
+ &fname,
+ &offset);
+ if (result == ISC_R_SUCCESS) {
+ isc_log_write(ns_g_lctx,
+ NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_MAIN,
+ ISC_LOG_CRITICAL,
+ "#%d %p in %s()+0x%lx", i,
+ tracebuf[i], fname,
+ offset);
+ } else {
+ isc_log_write(ns_g_lctx,
+ NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_MAIN,
+ ISC_LOG_CRITICAL,
+ "#%d %p in ??", i,
+ tracebuf[i]);
+ }
+ }
+ }
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
NS_LOGMODULE_MAIN, ISC_LOG_CRITICAL,
"exiting (due to assertion failure)");
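Review bot: The per-frame lines in the new loop write raw return addresses (`%p`) and symbol offsets to the general category at ISC_LOG_CRITICAL, so every assertion failure puts the process's code layout into whatever channels receive that category. That helps debugging but weakens address-space randomisation for anyone who can read those logs; a comment above the loop such as `/* Frame addresses are logged verbatim; keep this channel's destination restricted. */` would make that explicit. The success branch also passes `fname` to `%s` without a NULL check, which is only safe if isc_backtrace_getsymbol() always sets it on ISC_R_SUCCESS, and that is not visible here. assertion_failed() begins in the previous hunk and continues past this one.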
@@ -253,8 +306,9 @@ usage(void) {
}
fprintf(stderr,
"usage: named [-4|-6] [-c conffile] [-d debuglevel] "
- "[-f|-g] [-n number_of_cpus]\n"
- " [-p port] [-s] [-t chrootdir] [-u username]\n"
+ "[-E engine] [-f|-g]\n"
+ " [-n number_of_cpus] [-p port] [-s] "
+ "[-t chrootdir] [-u username]\n"
" [-m {usage|trace|record|size|mctx}]\n");
}
@@ -363,7 +417,7 @@ parse_command_line(int argc, char *argv[]) {
isc_commandline_errprint = ISC_FALSE;
while ((ch = isc_commandline_parse(argc, argv,
- "46c:C:d:fgi:lm:n:N:p:P:"
+ "46c:C:d:E:fFgi:lm:n:N:p:P:"
"sS:t:T:u:vVx:")) != -1) {
switch (ch) {
case '4':
@@ -399,6 +453,9 @@ parse_command_line(int argc, char *argv[]) {
ns_g_debuglevel = parse_int(isc_commandline_argument,
"debug level");
break;
+ case 'E':
+ ns_g_engine = isc_commandline_argument;
+ break;
case 'f':
ns_g_foreground = ISC_TRUE;
break;
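Review bot: The new `case 'E'` stores `isc_commandline_argument` in `ns_g_engine` with no comment and no check, although the value selects the OpenSSL engine the server uses for its crypto operations. The named.8 hunk in this commit says the empty name resets it to no engine, and the code should say the same, e.g. `/* Engine name is taken as given; "" selects no engine. */`. Where `ns_g_engine` is consumed is outside this hunk, so whether the chosen engine is logged at startup cannot be confirmed here; recording it would help an operator audit it. parse_command_line() starts and ends outside the hunk.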
@@ -456,12 +513,16 @@ parse_command_line(int argc, char *argv[]) {
* clienttest: make clients single shot with their
* own memory context.
*/
- if (strcmp(isc_commandline_argument, "clienttest") == 0)
+ if (!strcmp(isc_commandline_argument, "clienttest"))
ns_g_clienttest = ISC_TRUE;
else if (!strcmp(isc_commandline_argument, "nosoa"))
ns_g_nosoa = ISC_TRUE;
else if (!strcmp(isc_commandline_argument, "noaa"))
ns_g_noaa = ISC_TRUE;
+ else if (!strcmp(isc_commandline_argument, "maxudp512"))
+ maxudp = 512;
+ else if (!strcmp(isc_commandline_argument, "maxudp1460"))
+ maxudp = 1460;
else
fprintf(stderr, "unknown -T flag '%s\n",
isc_commandline_argument);
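Review bot: The two new `-T` values `maxudp512` and `maxudp1460` are undocumented: the comment opening this branch describes only `clienttest`. Add a line to it such as `* maxudp512, maxudp1460: set maxudp to 512 / 1460 (testing only).`. The create_managers() hunk later passes the value to `isc__socketmgr_maxudp()` unconditionally, so a comment there should state what the default of 0 means; what the socket manager does with 0 is not visible on this page. The enclosing switch case starts above the hunk.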
@@ -475,13 +536,25 @@ parse_command_line(int argc, char *argv[]) {
case 'V':
printf("BIND %s built with %s\n", ns_g_version,
ns_g_configargs);
+#ifdef OPENSSL
+ printf("using OpenSSL version: %s\n",
+ OPENSSL_VERSION_TEXT);
+#endif
+#ifdef HAVE_LIBXML2
+ printf("using libxml2 version: %s\n",
+ LIBXML_DOTTED_VERSION);
+#endif
exit(0);
+ case 'F':
+ /* Reserved for FIPS mode */
+ /* FALLTHROUGH */
case '?':
usage();
if (isc_commandline_option == '?')
exit(0);
ns_main_earlyfatal("unknown option '-%c'",
isc_commandline_option);
+ /* FALLTHROUGH */
default:
ns_main_earlyfatal("parsing options returned %d", ch);
}
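Review bot: The new `-V` lines print `OPENSSL_VERSION_TEXT` and `LIBXML_DOTTED_VERSION`, which are header macros fixed at compile time, under the label "using ... version". With shared libraries the version loaded at run time can differ, so an operator checking whether a patched library is in use may be misled. Label them as build-time values, e.g. `printf("compiled with OpenSSL version: %s\n", OPENSSL_VERSION_TEXT);` and likewise for libxml2. Alternatively, also print the run-time version (`SSLeay_version(SSLEAY_VERSION)` for OpenSSL of this era).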
@@ -535,6 +608,7 @@ create_managers(void) {
isc_result_totext(result));
return (ISC_R_UNEXPECTED);
}
+ isc__socketmgr_maxudp(ns_g_socketmgr, maxudp);
result = isc_socketmgr_getmaxsockets(ns_g_socketmgr, &socks);
if (result == ISC_R_SUCCESS) {
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
@@ -585,6 +659,34 @@ destroy_managers(void) {
}
static void
+dump_symboltable() {
+ int i;
+ isc_result_t result;
+ const char *fname;
+ const void *addr;
+
+ if (isc__backtrace_nsymbols == 0)
+ return;
+
+ if (!isc_log_wouldlog(ns_g_lctx, ISC_LOG_DEBUG(99)))
+ return;
+
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
+ ISC_LOG_DEBUG(99), "Symbol table:");
+
+ for (i = 0, result = ISC_R_SUCCESS; result == ISC_R_SUCCESS; i++) {
+ addr = NULL;
+ fname = NULL;
+ result = isc_backtrace_getsymbolfromindex(i, &addr, &fname);
+ if (result == ISC_R_SUCCESS) {
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_MAIN, ISC_LOG_DEBUG(99),
+ "[%d] %p %s", i, addr, fname);
+ }
+ }
+}
+
+static void
setup(void) {
isc_result_t result;
isc_resourcevalue_t old_openfiles;
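Review bot: `dump_symboltable()` is defined with an empty parameter list, which in C declares unspecified arguments rather than none; the other functions visible in this file use `(void)` (`usage(void)`, `setup(void)`), so write `dump_symboltable(void) {`. The function also has no header comment; something like `/* Log every entry of the internal symbol table at debug level 99; returns early when the table is empty or that level is not logged. */` would document it. It writes symbol addresses with `%p`, so the destination of debug-level logs deserves the same care as any other address disclosure.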
@@ -710,6 +812,8 @@ setup(void) {
ISC_LOG_NOTICE,
"----------------------------------------------------");
+ dump_symboltable();
+
/*
* Get the initial resource limits.
*/
@@ -748,8 +852,8 @@ setup(void) {
absolute_conffile,
sizeof(absolute_conffile));
if (result != ISC_R_SUCCESS)
- ns_main_earlyfatal("could not construct absolute path of "
- "configuration file: %s",
+ ns_main_earlyfatal("could not construct absolute path "
+ "of configuration file: %s",
isc_result_totext(result));
ns_g_conffile = absolute_conffile;
}
@@ -774,9 +878,19 @@ setup(void) {
*/
/* xxdb_init(); */
-#ifdef DLZ
+#ifdef ISC_DLZ_DLOPEN
/*
- * Register any DLZ drivers.
+ * Register the DLZ "dlopen" driver.
+ */
+ result = dlz_dlopen_init(ns_g_mctx);
+ if (result != ISC_R_SUCCESS)
+ ns_main_earlyfatal("dlz_dlopen_init() failed: %s",
+ isc_result_totext(result));
+#endif
+
+#if CONTRIB_DLZ
+ /*
+ * Register any other contributed DLZ drivers.
*/
result = dlz_drivers_init();
if (result != ISC_R_SUCCESS)
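Review bot: The contributed-driver registration is guarded with `#if CONTRIB_DLZ`, while the include near the top of the file and the matching `dlz_drivers_clear()` in cleanup() use `#ifdef CONTRIB_DLZ`. If the macro is defined with no value, `#if` fails to preprocess, and if it is defined as 0 the drivers are cleared without ever being initialised. Use `#ifdef CONTRIB_DLZ` here as well. setup() starts and ends outside this hunk.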
@@ -800,12 +914,18 @@ cleanup(void) {
*/
/* xxdb_clear(); */
-#ifdef DLZ
+#ifdef CONTRIB_DLZ
/*
- * Unregister any DLZ drivers.
+ * Unregister contributed DLZ drivers.
*/
dlz_drivers_clear();
#endif
+#ifdef ISC_DLZ_DLOPEN
+ /*
+ * Unregister "dlopen" DLZ driver.
+ */
+ dlz_dlopen_clear();
+#endif
dns_name_destroy();
@@ -921,6 +1041,9 @@ main(int argc, char *argv[]) {
if (strcmp(program_name, "lwresd") == 0)
ns_g_lwresdonly = ISC_TRUE;
+ if (result != ISC_R_SUCCESS)
+ ns_main_earlyfatal("failed to build internal symbol table");
+
isc_assertion_setcallback(assertion_failed);
isc_error_setfatal(library_fatal_error);
isc_error_setunexpected(library_unexpected_error);
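Review bot: The added `if (result != ISC_R_SUCCESS)` check reports "failed to build internal symbol table", but no call that builds a symbol table or assigns `result` is visible between the `strcmp()` above it and the check. If `result` still holds the value of an earlier call, the check is either dead code or reports the wrong failure. Either assign `result` from the symbol-table setup call immediately before the test or drop the check. main() starts and ends outside this hunk, so the earlier assignment cannot be confirmed from here.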
diff --git a/contrib/bind9/bin/named/named.8 b/contrib/bind9/bin/named/named.8
index 1d7c2446da8b..222ff426cabd 100644
--- a/contrib/bind9/bin/named/named.8
+++ b/contrib/bind9/bin/named/named.8
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004-2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
.\"
.\" Permission to use, copy, modify, and/or distribute this software for any
@@ -33,7 +33,7 @@
named \- Internet domain name server
.SH "SYNOPSIS"
.HP 6
-\fBnamed\fR [\fB\-4\fR] [\fB\-6\fR] [\fB\-c\ \fR\fB\fIconfig\-file\fR\fR] [\fB\-d\ \fR\fB\fIdebug\-level\fR\fR] [\fB\-f\fR] [\fB\-g\fR] [\fB\-m\ \fR\fB\fIflag\fR\fR] [\fB\-n\ \fR\fB\fI#cpus\fR\fR] [\fB\-p\ \fR\fB\fIport\fR\fR] [\fB\-s\fR] [\fB\-S\ \fR\fB\fI#max\-socks\fR\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-u\ \fR\fB\fIuser\fR\fR] [\fB\-v\fR] [\fB\-V\fR] [\fB\-x\ \fR\fB\fIcache\-file\fR\fR]
+\fBnamed\fR [\fB\-4\fR] [\fB\-6\fR] [\fB\-c\ \fR\fB\fIconfig\-file\fR\fR] [\fB\-d\ \fR\fB\fIdebug\-level\fR\fR] [\fB\-E\ \fR\fB\fIengine\-name\fR\fR] [\fB\-f\fR] [\fB\-g\fR] [\fB\-m\ \fR\fB\fIflag\fR\fR] [\fB\-n\ \fR\fB\fI#cpus\fR\fR] [\fB\-p\ \fR\fB\fIport\fR\fR] [\fB\-s\fR] [\fB\-S\ \fR\fB\fI#max\-socks\fR\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-u\ \fR\fB\fIuser\fR\fR] [\fB\-v\fR] [\fB\-V\fR] [\fB\-x\ \fR\fB\fIcache\-file\fR\fR]
.SH "DESCRIPTION"
.PP
\fBnamed\fR
@@ -83,6 +83,13 @@ Set the daemon's debug level to
become more verbose as the debug level increases.
.RE
.PP
+\-E \fIengine\-name\fR
+.RS 4
+Use a crypto hardware (OpenSSL engine) for the crypto operations it supports, for instance re\-signing with private keys from a secure key store. When compiled with PKCS#11 support
+\fIengine\-name\fR
+defaults to pkcs11, the empty name resets it to no engine.
+.RE
+.PP
\-f
.RS 4
Run the server in the foreground (i.e. do not daemonize).
@@ -260,7 +267,7 @@ BIND 9 Administrator Reference Manual.
.PP
Internet Systems Consortium
.SH "COPYRIGHT"
-Copyright \(co 2004\-2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004\-2009 Internet Systems Consortium, Inc. ("ISC")
.br
Copyright \(co 2000, 2001, 2003 Internet Software Consortium.
.br
diff --git a/contrib/bind9/bin/named/named.conf.5 b/contrib/bind9/bin/named/named.conf.5
index df813e4b757a..4356c192e6b6 100644
--- a/contrib/bind9/bin/named/named.conf.5
+++ b/contrib/bind9/bin/named/named.conf.5
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004-2008, 2012 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" Permission to use, copy, modify, and/or distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
@@ -102,6 +102,15 @@ trusted\-keys {
};
.fi
.RE
+.SH "MANAGED\-KEYS"
+.sp
+.RS 4
+.nf
+managed\-keys {
+ \fIdomain_name\fR \fBinitial\-key\fR \fIflags\fR \fIprotocol\fR \fIalgorithm\fR \fIkey\fR; ...
+};
+.fi
+.RE
.SH "CONTROLS"
.sp
.RS 4
@@ -186,6 +195,7 @@ options {
tcp\-listen\-queue \fIinteger\fR;
tkey\-dhkey \fIquoted_string\fR \fIinteger\fR;
tkey\-gssapi\-credential \fIquoted_string\fR;
+ tkey\-gssapi\-keytab \fIquoted_string\fR;
tkey\-domain \fIquoted_string\fR;
transfers\-per\-ns \fIinteger\fR;
transfers\-in \fIinteger\fR;
@@ -214,6 +224,7 @@ options {
queryport\-pool\-ports \fIinteger\fR;
queryport\-pool\-updateinterval \fIinteger\fR;
cleaning\-interval \fIinteger\fR;
+ resolver\-query\-timeout \fIinteger\fR;
min\-roots \fIinteger\fR; // not implemented
lame\-ttl \fIinteger\fR;
max\-ncache\-ttl \fIinteger\fR;
@@ -243,9 +254,19 @@ options {
disable\-algorithms \fIstring\fR { \fIstring\fR; ... };
dnssec\-enable \fIboolean\fR;
dnssec\-validation \fIboolean\fR;
- dnssec\-lookaside \fIstring\fR trust\-anchor \fIstring\fR;
+ dnssec\-lookaside ( \fIauto\fR | \fIno\fR | \fIdomain\fR trust\-anchor \fIdomain\fR );
dnssec\-must\-be\-secure \fIstring\fR \fIboolean\fR;
dnssec\-accept\-expired \fIboolean\fR;
+ dns64\-server \fIstring\fR;
+ dns64\-contact \fIstring\fR;
+ dns64 \fIprefix\fR {
+ clients { <replacable>acl</replacable>; };
+ exclude { <replacable>acl</replacable>; };
+ mapped { <replacable>acl</replacable>; };
+ break\-dnssec \fIboolean\fR;
+ recursive\-only \fIboolean\fR;
+ suffix \fIipv6_address\fR;
+ };
empty\-server \fIstring\fR;
empty\-contact \fIstring\fR;
empty\-zones\-enable \fIboolean\fR;
@@ -260,6 +281,7 @@ options {
allow\-update { \fIaddress_match_element\fR; ... };
allow\-update\-forwarding { \fIaddress_match_element\fR; ... };
update\-check\-ksk \fIboolean\fR;
+ dnssec\-dnskey\-kskonly \fIboolean\fR;
masterfile\-format ( text | raw );
notify \fInotifytype\fR;
notify\-source ( \fIipv4_address\fR | * ) [ port ( \fIinteger\fR | * ) ];
@@ -299,9 +321,18 @@ options {
use\-alt\-transfer\-source \fIboolean\fR;
zone\-statistics \fIboolean\fR;
key\-directory \fIquoted_string\fR;
+ managed\-keys\-directory \fIquoted_string\fR;
+ auto\-dnssec \fBallow\fR|\fBmaintain\fR|\fBcreate\fR|\fBoff\fR;
try\-tcp\-refresh \fIboolean\fR;
zero\-no\-soa\-ttl \fIboolean\fR;
zero\-no\-soa\-ttl\-cache \fIboolean\fR;
+ dnssec\-secure\-to\-insecure \fIboolean\fR;
+ deny\-answer\-addresses {
+ \fIaddress_match_list\fR
+ } [ except\-from { \fInamelist\fR } ];
+ deny\-answer\-aliases {
+ \fInamelist\fR
+ } [ except\-from { \fInamelist\fR } ];
nsec3\-test\-zone \fIboolean\fR; // testing only
allow\-v6\-synthesis { \fIaddress_match_element\fR; ... }; // obsolete
deallocate\-on\-exit \fIboolean\fR; // obsolete
@@ -337,7 +368,8 @@ view \fIstring\fR \fIoptional_class\fR {
...
};
trusted\-keys {
- \fIstring\fR \fIinteger\fR \fIinteger\fR \fIinteger\fR \fIquoted_string\fR; ...
+ \fIstring\fR \fIinteger\fR \fIinteger\fR \fIinteger\fR \fIquoted_string\fR;
+ [...]
};
allow\-recursion { \fIaddress_match_element\fR; ... };
allow\-recursion\-on { \fIaddress_match_element\fR; ... };
@@ -361,6 +393,7 @@ view \fIstring\fR \fIoptional_class\fR {
queryport\-pool\-ports \fIinteger\fR;
queryport\-pool\-updateinterval \fIinteger\fR;
cleaning\-interval \fIinteger\fR;
+ resolver\-query\-timeout \fIinteger\fR;
min\-roots \fIinteger\fR; // not implemented
lame\-ttl \fIinteger\fR;
max\-ncache\-ttl \fIinteger\fR;
@@ -390,9 +423,19 @@ view \fIstring\fR \fIoptional_class\fR {
disable\-algorithms \fIstring\fR { \fIstring\fR; ... };
dnssec\-enable \fIboolean\fR;
dnssec\-validation \fIboolean\fR;
- dnssec\-lookaside \fIstring\fR trust\-anchor \fIstring\fR;
+ dnssec\-lookaside ( \fIauto\fR | \fIno\fR | \fIdomain\fR trust\-anchor \fIdomain\fR );
dnssec\-must\-be\-secure \fIstring\fR \fIboolean\fR;
dnssec\-accept\-expired \fIboolean\fR;
+ dns64\-server \fIstring\fR;
+ dns64\-contact \fIstring\fR;
+ dns64 \fIprefix\fR {
+ clients { <replacable>acl</replacable>; };
+ exclude { <replacable>acl</replacable>; };
+ mapped { <replacable>acl</replacable>; };
+ break\-dnssec \fIboolean\fR;
+ recursive\-only \fIboolean\fR;
+ suffix \fIipv6_address\fR;
+ };
empty\-server \fIstring\fR;
empty\-contact \fIstring\fR;
empty\-zones\-enable \fIboolean\fR;
@@ -407,6 +450,7 @@ view \fIstring\fR \fIoptional_class\fR {
allow\-update { \fIaddress_match_element\fR; ... };
allow\-update\-forwarding { \fIaddress_match_element\fR; ... };
update\-check\-ksk \fIboolean\fR;
+ dnssec\-dnskey\-kskonly \fIboolean\fR;
masterfile\-format ( text | raw );
notify \fInotifytype\fR;
notify\-source ( \fIipv4_address\fR | * ) [ port ( \fIinteger\fR | * ) ];
@@ -445,6 +489,7 @@ view \fIstring\fR \fIoptional_class\fR {
key\-directory \fIquoted_string\fR;
zero\-no\-soa\-ttl \fIboolean\fR;
zero\-no\-soa\-ttl\-cache \fIboolean\fR;
+ dnssec\-secure\-to\-insecure \fIboolean\fR;
allow\-v6\-synthesis { \fIaddress_match_element\fR; ... }; // obsolete
fetch\-glue \fIboolean\fR; // obsolete
maintain\-ixfr\-base \fIboolean\fR; // obsolete
@@ -476,19 +521,22 @@ zone \fIstring\fR \fIoptional_class\fR {
ixfr\-from\-differences \fIboolean\fR;
journal \fIquoted_string\fR;
zero\-no\-soa\-ttl \fIboolean\fR;
+ dnssec\-secure\-to\-insecure \fIboolean\fR;
allow\-query { \fIaddress_match_element\fR; ... };
allow\-query\-on { \fIaddress_match_element\fR; ... };
allow\-transfer { \fIaddress_match_element\fR; ... };
allow\-update { \fIaddress_match_element\fR; ... };
allow\-update\-forwarding { \fIaddress_match_element\fR; ... };
- update\-policy {
- ( grant | deny ) \fIstring\fR
+ update\-policy \fIlocal\fR | \fI {
+ ( grant | deny ) \fR\fI\fIstring\fR\fR\fI
( name | subdomain | wildcard | self | selfsub | selfwild |
krb5\-self | ms\-self | krb5\-subdomain | ms\-subdomain |
- tcp\-self | 6to4\-self ) \fIstring\fR
- \fIrrtypelist\fR; ...
- };
+ tcp\-self | zonesub | 6to4\-self ) \fR\fI\fIstring\fR\fR\fI
+ \fR\fI\fIrrtypelist\fR\fR\fI;
+ \fR\fI[...]\fR\fI
+ }\fR;
update\-check\-ksk \fIboolean\fR;
+ dnssec\-dnskey\-kskonly \fIboolean\fR;
masterfile\-format ( text | raw );
notify \fInotifytype\fR;
notify\-source ( \fIipv4_address\fR | * ) [ port ( \fIinteger\fR | * ) ];
@@ -544,5 +592,5 @@ zone \fIstring\fR \fIoptional_class\fR {
\fBrndc\fR(8),
BIND 9 Administrator Reference Manual.
.SH "COPYRIGHT"
-Copyright \(co 2004\-2008, 2012 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004\-2011 Internet Systems Consortium, Inc. ("ISC")
.br
diff --git a/contrib/bind9/bin/named/named.conf.docbook b/contrib/bind9/bin/named/named.conf.docbook
index e07d54e94443..c6ee1db1ca49 100644
--- a/contrib/bind9/bin/named/named.conf.docbook
+++ b/contrib/bind9/bin/named/named.conf.docbook
@@ -2,7 +2,7 @@
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- - Copyright (C) 2004-2008, 2012 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC")
-
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
@@ -17,7 +17,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id$ -->
+<!-- $Id: named.conf.docbook,v 1.49.14.2 2011/11/07 00:31:47 marka Exp $ -->
<refentry>
<refentryinfo>
<date>Aug 13, 2004</date>
@@ -41,7 +41,9 @@
<year>2006</year>
<year>2007</year>
<year>2008</year>
- <year>2012</year>
+ <year>2009</year>
+ <year>2010</year>
+ <year>2011</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
</docinfo>
@@ -133,6 +135,15 @@ trusted-keys {
</refsect1>
<refsect1>
+ <title>MANAGED-KEYS</title>
+ <literallayout>
+managed-keys {
+ <replaceable>domain_name</replaceable> <constant>initial-key</constant> <replaceable>flags</replaceable> <replaceable>protocol</replaceable> <replaceable>algorithm</replaceable> <replaceable>key</replaceable>; ...
+};
+</literallayout>
+ </refsect1>
+
+ <refsect1>
<title>CONTROLS</title>
<literallayout>
controls {
@@ -215,6 +226,7 @@ options {
tcp-listen-queue <replaceable>integer</replaceable>;
tkey-dhkey <replaceable>quoted_string</replaceable> <replaceable>integer</replaceable>;
tkey-gssapi-credential <replaceable>quoted_string</replaceable>;
+ tkey-gssapi-keytab <replaceable>quoted_string</replaceable>;
tkey-domain <replaceable>quoted_string</replaceable>;
transfers-per-ns <replaceable>integer</replaceable>;
transfers-in <replaceable>integer</replaceable>;
@@ -243,6 +255,7 @@ options {
queryport-pool-ports <replaceable>integer</replaceable>;
queryport-pool-updateinterval <replaceable>integer</replaceable>;
cleaning-interval <replaceable>integer</replaceable>;
+ resolver-query-timeout <replaceable>integer</replaceable>;
min-roots <replaceable>integer</replaceable>; // not implemented
lame-ttl <replaceable>integer</replaceable>;
max-ncache-ttl <replaceable>integer</replaceable>;
@@ -272,10 +285,21 @@ options {
disable-algorithms <replaceable>string</replaceable> { <replaceable>string</replaceable>; ... };
dnssec-enable <replaceable>boolean</replaceable>;
dnssec-validation <replaceable>boolean</replaceable>;
- dnssec-lookaside <replaceable>string</replaceable> trust-anchor <replaceable>string</replaceable>;
+ dnssec-lookaside ( <replaceable>auto</replaceable> | <replaceable>no</replaceable> | <replaceable>domain</replaceable> trust-anchor <replaceable>domain</replaceable> );
dnssec-must-be-secure <replaceable>string</replaceable> <replaceable>boolean</replaceable>;
dnssec-accept-expired <replaceable>boolean</replaceable>;
+ dns64-server <replaceable>string</replaceable>;
+ dns64-contact <replaceable>string</replaceable>;
+ dns64 <replaceable>prefix</replaceable> {
+ clients { <replacable>acl</replacable>; };
+ exclude { <replacable>acl</replacable>; };
+ mapped { <replacable>acl</replacable>; };
+ break-dnssec <replaceable>boolean</replaceable>;
+ recursive-only <replaceable>boolean</replaceable>;
+ suffix <replaceable>ipv6_address</replaceable>;
+ };
+
empty-server <replaceable>string</replaceable>;
empty-contact <replaceable>string</replaceable>;
empty-zones-enable <replaceable>boolean</replaceable>;
@@ -292,6 +316,7 @@ options {
allow-update { <replaceable>address_match_element</replaceable>; ... };
allow-update-forwarding { <replaceable>address_match_element</replaceable>; ... };
update-check-ksk <replaceable>boolean</replaceable>;
+ dnssec-dnskey-kskonly <replaceable>boolean</replaceable>;
masterfile-format ( text | raw );
notify <replaceable>notifytype</replaceable>;
@@ -338,9 +363,18 @@ options {
zone-statistics <replaceable>boolean</replaceable>;
key-directory <replaceable>quoted_string</replaceable>;
+ managed-keys-directory <replaceable>quoted_string</replaceable>;
+ auto-dnssec <constant>allow</constant>|<constant>maintain</constant>|<constant>create</constant>|<constant>off</constant>;
try-tcp-refresh <replaceable>boolean</replaceable>;
zero-no-soa-ttl <replaceable>boolean</replaceable>;
zero-no-soa-ttl-cache <replaceable>boolean</replaceable>;
+ dnssec-secure-to-insecure <replaceable>boolean</replaceable>;
+ deny-answer-addresses {
+ <replaceable>address_match_list</replaceable>
+ } <optional> except-from { <replaceable>namelist</replaceable> } </optional>;
+ deny-answer-aliases {
+ <replaceable>namelist</replaceable>
+ } <optional> except-from { <replaceable>namelist</replaceable> } </optional>;
nsec3-test-zone <replaceable>boolean</replaceable>; // testing only
@@ -382,7 +416,8 @@ view <replaceable>string</replaceable> <replaceable>optional_class</replaceable>
};
trusted-keys {
- <replaceable>string</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>quoted_string</replaceable>; ...
+ <replaceable>string</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>quoted_string</replaceable>;
+ <optional>...</optional>
};
allow-recursion { <replaceable>address_match_element</replaceable>; ... };
@@ -407,6 +442,7 @@ view <replaceable>string</replaceable> <replaceable>optional_class</replaceable>
queryport-pool-ports <replaceable>integer</replaceable>;
queryport-pool-updateinterval <replaceable>integer</replaceable>;
cleaning-interval <replaceable>integer</replaceable>;
+ resolver-query-timeout <replaceable>integer</replaceable>;
min-roots <replaceable>integer</replaceable>; // not implemented
lame-ttl <replaceable>integer</replaceable>;
max-ncache-ttl <replaceable>integer</replaceable>;
@@ -436,10 +472,21 @@ view <replaceable>string</replaceable> <replaceable>optional_class</replaceable>
disable-algorithms <replaceable>string</replaceable> { <replaceable>string</replaceable>; ... };
dnssec-enable <replaceable>boolean</replaceable>;
dnssec-validation <replaceable>boolean</replaceable>;
- dnssec-lookaside <replaceable>string</replaceable> trust-anchor <replaceable>string</replaceable>;
+ dnssec-lookaside ( <replaceable>auto</replaceable> | <replaceable>no</replaceable> | <replaceable>domain</replaceable> trust-anchor <replaceable>domain</replaceable> );
dnssec-must-be-secure <replaceable>string</replaceable> <replaceable>boolean</replaceable>;
dnssec-accept-expired <replaceable>boolean</replaceable>;
+ dns64-server <replaceable>string</replaceable>;
+ dns64-contact <replaceable>string</replaceable>;
+ dns64 <replaceable>prefix</replaceable> {
+ clients { <replacable>acl</replacable>; };
+ exclude { <replacable>acl</replacable>; };
+ mapped { <replacable>acl</replacable>; };
+ break-dnssec <replaceable>boolean</replaceable>;
+ recursive-only <replaceable>boolean</replaceable>;
+ suffix <replaceable>ipv6_address</replaceable>;
+ };
+
empty-server <replaceable>string</replaceable>;
empty-contact <replaceable>string</replaceable>;
empty-zones-enable <replaceable>boolean</replaceable>;
@@ -456,6 +503,7 @@ view <replaceable>string</replaceable> <replaceable>optional_class</replaceable>
allow-update { <replaceable>address_match_element</replaceable>; ... };
allow-update-forwarding { <replaceable>address_match_element</replaceable>; ... };
update-check-ksk <replaceable>boolean</replaceable>;
+ dnssec-dnskey-kskonly <replaceable>boolean</replaceable>;
masterfile-format ( text | raw );
notify <replaceable>notifytype</replaceable>;
@@ -500,6 +548,7 @@ view <replaceable>string</replaceable> <replaceable>optional_class</replaceable>
key-directory <replaceable>quoted_string</replaceable>;
zero-no-soa-ttl <replaceable>boolean</replaceable>;
zero-no-soa-ttl-cache <replaceable>boolean</replaceable>;
+ dnssec-secure-to-insecure <replaceable>boolean</replaceable>;
allow-v6-synthesis { <replaceable>address_match_element</replaceable>; ... }; // obsolete
fetch-glue <replaceable>boolean</replaceable>; // obsolete
@@ -534,20 +583,23 @@ zone <replaceable>string</replaceable> <replaceable>optional_class</replaceable>
ixfr-from-differences <replaceable>boolean</replaceable>;
journal <replaceable>quoted_string</replaceable>;
zero-no-soa-ttl <replaceable>boolean</replaceable>;
+ dnssec-secure-to-insecure <replaceable>boolean</replaceable>;
allow-query { <replaceable>address_match_element</replaceable>; ... };
allow-query-on { <replaceable>address_match_element</replaceable>; ... };
allow-transfer { <replaceable>address_match_element</replaceable>; ... };
allow-update { <replaceable>address_match_element</replaceable>; ... };
allow-update-forwarding { <replaceable>address_match_element</replaceable>; ... };
- update-policy {
+ update-policy <replaceable>local</replaceable> | <replaceable> {
( grant | deny ) <replaceable>string</replaceable>
( name | subdomain | wildcard | self | selfsub | selfwild |
krb5-self | ms-self | krb5-subdomain | ms-subdomain |
- tcp-self | 6to4-self ) <replaceable>string</replaceable>
- <replaceable>rrtypelist</replaceable>; ...
- };
+ tcp-self | zonesub | 6to4-self ) <replaceable>string</replaceable>
+ <replaceable>rrtypelist</replaceable>;
+ <optional>...</optional>
+ }</replaceable>;
update-check-ksk <replaceable>boolean</replaceable>;
+ dnssec-dnskey-kskonly <replaceable>boolean</replaceable>;
masterfile-format ( text | raw );
notify <replaceable>notifytype</replaceable>;
diff --git a/contrib/bind9/bin/named/named.conf.html b/contrib/bind9/bin/named/named.conf.html
index a31412776886..71bd94669503 100644
--- a/contrib/bind9/bin/named/named.conf.html
+++ b/contrib/bind9/bin/named/named.conf.html
@@ -1,5 +1,5 @@
<!--
- - Copyright (C) 2004-2008, 2012 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC")
-
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
@@ -31,7 +31,7 @@
<div class="cmdsynopsis"><p><code class="command">named.conf</code> </p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543346"></a><h2>DESCRIPTION</h2>
+<a name="id2543353"></a><h2>DESCRIPTION</h2>
<p><code class="filename">named.conf</code> is the configuration file
for
<span><strong class="command">named</strong></span>. Statements are enclosed
@@ -50,14 +50,14 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543373"></a><h2>ACL</h2>
+<a name="id2543381"></a><h2>ACL</h2>
<div class="literallayout"><p><br>
acl <em class="replaceable"><code>string</code></em> { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
<br>
</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543389"></a><h2>KEY</h2>
+<a name="id2543397"></a><h2>KEY</h2>
<div class="literallayout"><p><br>
key <em class="replaceable"><code>domain_name</code></em> {<br>
algorithm <em class="replaceable"><code>string</code></em>;<br>
@@ -66,7 +66,7 @@ key <em class="replaceable"><code>domain_name</code></em> {<br>
</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543409"></a><h2>MASTERS</h2>
+<a name="id2543416"></a><h2>MASTERS</h2>
<div class="literallayout"><p><br>
masters <em class="replaceable"><code>string</code></em> [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] {<br>
( <em class="replaceable"><code>masters</code></em> | <em class="replaceable"><code>ipv4_address</code></em> [<span class="optional">port <em class="replaceable"><code>integer</code></em></span>] |<br>
@@ -75,7 +75,7 @@ masters <em class="replaceable"><code>string</code></em> [<span class="optional"
</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543454"></a><h2>SERVER</h2>
+<a name="id2543462"></a><h2>SERVER</h2>
<div class="literallayout"><p><br>
server ( <em class="replaceable"><code>ipv4_address[<span class="optional">/prefixlen</span>]</code></em> | <em class="replaceable"><code>ipv6_address[<span class="optional">/prefixlen</span>]</code></em> ) {<br>
bogus <em class="replaceable"><code>boolean</code></em>;<br>
@@ -97,7 +97,7 @@ server ( <em class="replaceable"><code>ipv4_address[<span class="optional">/pref
</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543523"></a><h2>TRUSTED-KEYS</h2>
+<a name="id2543530"></a><h2>TRUSTED-KEYS</h2>
<div class="literallayout"><p><br>
trusted-keys {<br>
<em class="replaceable"><code>domain_name</code></em> <em class="replaceable"><code>flags</code></em> <em class="replaceable"><code>protocol</code></em> <em class="replaceable"><code>algorithm</code></em> <em class="replaceable"><code>key</code></em>; ... <br>
@@ -105,7 +105,15 @@ trusted-keys {<br>
</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543548"></a><h2>CONTROLS</h2>
+<a name="id2543556"></a><h2>MANAGED-KEYS</h2>
+<div class="literallayout"><p><br>
+managed-keys {<br>
+ <em class="replaceable"><code>domain_name</code></em> <code class="constant">initial-key</code> <em class="replaceable"><code>flags</code></em> <em class="replaceable"><code>protocol</code></em> <em class="replaceable"><code>algorithm</code></em> <em class="replaceable"><code>key</code></em>; ... <br>
+};<br>
+</p></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543585"></a><h2>CONTROLS</h2>
<div class="literallayout"><p><br>
controls {<br>
inet ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> | * )<br>
@@ -117,7 +125,7 @@ controls {<br>
</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543584"></a><h2>LOGGING</h2>
+<a name="id2543620"></a><h2>LOGGING</h2>
<div class="literallayout"><p><br>
logging {<br>
channel <em class="replaceable"><code>string</code></em> {<br>
@@ -135,7 +143,7 @@ logging {<br>
</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543622"></a><h2>LWRES</h2>
+<a name="id2543658"></a><h2>LWRES</h2>
<div class="literallayout"><p><br>
lwres {<br>
listen-on [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] {<br>
@@ -148,7 +156,7 @@ lwres {<br>
</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543664"></a><h2>OPTIONS</h2>
+<a name="id2543700"></a><h2>OPTIONS</h2>
<div class="literallayout"><p><br>
options {<br>
avoid-v4-udp-ports { <em class="replaceable"><code>port</code></em>; ... };<br>
@@ -184,6 +192,7 @@ options {<br>
tcp-listen-queue <em class="replaceable"><code>integer</code></em>;<br>
tkey-dhkey <em class="replaceable"><code>quoted_string</code></em> <em class="replaceable"><code>integer</code></em>;<br>
tkey-gssapi-credential <em class="replaceable"><code>quoted_string</code></em>;<br>
+ tkey-gssapi-keytab <em class="replaceable"><code>quoted_string</code></em>;<br>
tkey-domain <em class="replaceable"><code>quoted_string</code></em>;<br>
transfers-per-ns <em class="replaceable"><code>integer</code></em>;<br>
transfers-in <em class="replaceable"><code>integer</code></em>;<br>
@@ -212,6 +221,7 @@ options {<br>
queryport-pool-ports <em class="replaceable"><code>integer</code></em>;<br>
queryport-pool-updateinterval <em class="replaceable"><code>integer</code></em>;<br>
cleaning-interval <em class="replaceable"><code>integer</code></em>;<br>
+ resolver-query-timeout <em class="replaceable"><code>integer</code></em>;<br>
min-roots <em class="replaceable"><code>integer</code></em>; // not implemented<br>
lame-ttl <em class="replaceable"><code>integer</code></em>;<br>
max-ncache-ttl <em class="replaceable"><code>integer</code></em>;<br>
@@ -241,10 +251,21 @@ options {<br>
disable-algorithms <em class="replaceable"><code>string</code></em> { <em class="replaceable"><code>string</code></em>; ... };<br>
dnssec-enable <em class="replaceable"><code>boolean</code></em>;<br>
dnssec-validation <em class="replaceable"><code>boolean</code></em>;<br>
- dnssec-lookaside <em class="replaceable"><code>string</code></em> trust-anchor <em class="replaceable"><code>string</code></em>;<br>
+ dnssec-lookaside ( <em class="replaceable"><code>auto</code></em> | <em class="replaceable"><code>no</code></em> | <em class="replaceable"><code>domain</code></em> trust-anchor <em class="replaceable"><code>domain</code></em> );<br>
dnssec-must-be-secure <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>boolean</code></em>;<br>
dnssec-accept-expired <em class="replaceable"><code>boolean</code></em>;<br>
<br>
+ dns64-server <em class="replaceable"><code>string</code></em>;<br>
+ dns64-contact <em class="replaceable"><code>string</code></em>;<br>
+ dns64 <em class="replaceable"><code>prefix</code></em> {<br>
+ clients { <font color="red">&lt;replacable&gt;acl&lt;/replacable&gt;</font>; };<br>
+ exclude { <font color="red">&lt;replacable&gt;acl&lt;/replacable&gt;</font>; };<br>
+ mapped { <font color="red">&lt;replacable&gt;acl&lt;/replacable&gt;</font>; };<br>
+ break-dnssec <em class="replaceable"><code>boolean</code></em>;<br>
+ recursive-only <em class="replaceable"><code>boolean</code></em>;<br>
+ suffix <em class="replaceable"><code>ipv6_address</code></em>;<br>
+ };<br>
+<br>
empty-server <em class="replaceable"><code>string</code></em>;<br>
empty-contact <em class="replaceable"><code>string</code></em>;<br>
empty-zones-enable <em class="replaceable"><code>boolean</code></em>;<br>
@@ -261,6 +282,7 @@ options {<br>
allow-update { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
allow-update-forwarding { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
update-check-ksk <em class="replaceable"><code>boolean</code></em>;<br>
+ dnssec-dnskey-kskonly <em class="replaceable"><code>boolean</code></em>;<br>
<br>
masterfile-format ( text | raw );<br>
notify <em class="replaceable"><code>notifytype</code></em>;<br>
@@ -307,9 +329,18 @@ options {<br>
<br>
zone-statistics <em class="replaceable"><code>boolean</code></em>;<br>
key-directory <em class="replaceable"><code>quoted_string</code></em>;<br>
+ managed-keys-directory <em class="replaceable"><code>quoted_string</code></em>;<br>
+ auto-dnssec <code class="constant">allow</code>|<code class="constant">maintain</code>|<code class="constant">create</code>|<code class="constant">off</code>;<br>
try-tcp-refresh <em class="replaceable"><code>boolean</code></em>;<br>
zero-no-soa-ttl <em class="replaceable"><code>boolean</code></em>;<br>
zero-no-soa-ttl-cache <em class="replaceable"><code>boolean</code></em>;<br>
+ dnssec-secure-to-insecure <em class="replaceable"><code>boolean</code></em>;<br>
+ deny-answer-addresses {<br>
+ <em class="replaceable"><code>address_match_list</code></em><br>
+ } [<span class="optional"> except-from { <em class="replaceable"><code>namelist</code></em> } </span>];<br>
+ deny-answer-aliases {<br>
+ <em class="replaceable"><code>namelist</code></em><br>
+ } [<span class="optional"> except-from { <em class="replaceable"><code>namelist</code></em> } </span>];<br>
<br>
nsec3-test-zone <em class="replaceable"><code>boolean</code></em>;  // testing only<br>
<br>
@@ -329,7 +360,7 @@ options {<br>
</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2544455"></a><h2>VIEW</h2>
+<a name="id2544574"></a><h2>VIEW</h2>
<div class="literallayout"><p><br>
view <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>optional_class</code></em> {<br>
match-clients { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
@@ -350,7 +381,8 @@ view <em class="replaceable"><code>string</code></em> <em class="replaceable"><c
};<br>
<br>
trusted-keys {<br>
- <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>quoted_string</code></em>; ...<br>
+ <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>quoted_string</code></em>;<br>
+ [<span class="optional">...</span>]<br>
};<br>
<br>
allow-recursion { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
@@ -375,6 +407,7 @@ view <em class="replaceable"><code>string</code></em> <em class="replaceable"><c
queryport-pool-ports <em class="replaceable"><code>integer</code></em>;<br>
queryport-pool-updateinterval <em class="replaceable"><code>integer</code></em>;<br>
cleaning-interval <em class="replaceable"><code>integer</code></em>;<br>
+ resolver-query-timeout <em class="replaceable"><code>integer</code></em>;<br>
min-roots <em class="replaceable"><code>integer</code></em>; // not implemented<br>
lame-ttl <em class="replaceable"><code>integer</code></em>;<br>
max-ncache-ttl <em class="replaceable"><code>integer</code></em>;<br>
@@ -404,10 +437,21 @@ view <em class="replaceable"><code>string</code></em> <em class="replaceable"><c
disable-algorithms <em class="replaceable"><code>string</code></em> { <em class="replaceable"><code>string</code></em>; ... };<br>
dnssec-enable <em class="replaceable"><code>boolean</code></em>;<br>
dnssec-validation <em class="replaceable"><code>boolean</code></em>;<br>
- dnssec-lookaside <em class="replaceable"><code>string</code></em> trust-anchor <em class="replaceable"><code>string</code></em>;<br>
+ dnssec-lookaside ( <em class="replaceable"><code>auto</code></em> | <em class="replaceable"><code>no</code></em> | <em class="replaceable"><code>domain</code></em> trust-anchor <em class="replaceable"><code>domain</code></em> );<br>
dnssec-must-be-secure <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>boolean</code></em>;<br>
dnssec-accept-expired <em class="replaceable"><code>boolean</code></em>;<br>
<br>
+ dns64-server <em class="replaceable"><code>string</code></em>;<br>
+ dns64-contact <em class="replaceable"><code>string</code></em>;<br>
+ dns64 <em class="replaceable"><code>prefix</code></em> {<br>
+ clients { <font color="red">&lt;replacable&gt;acl&lt;/replacable&gt;</font>; };<br>
+ exclude { <font color="red">&lt;replacable&gt;acl&lt;/replacable&gt;</font>; };<br>
+ mapped { <font color="red">&lt;replacable&gt;acl&lt;/replacable&gt;</font>; };<br>
+ break-dnssec <em class="replaceable"><code>boolean</code></em>;<br>
+ recursive-only <em class="replaceable"><code>boolean</code></em>;<br>
+ suffix <em class="replaceable"><code>ipv6_address</code></em>;<br>
+ };<br>
+<br>
empty-server <em class="replaceable"><code>string</code></em>;<br>
empty-contact <em class="replaceable"><code>string</code></em>;<br>
empty-zones-enable <em class="replaceable"><code>boolean</code></em>;<br>
@@ -424,6 +468,7 @@ view <em class="replaceable"><code>string</code></em> <em class="replaceable"><c
allow-update { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
allow-update-forwarding { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
update-check-ksk <em class="replaceable"><code>boolean</code></em>;<br>
+ dnssec-dnskey-kskonly <em class="replaceable"><code>boolean</code></em>;<br>
<br>
masterfile-format ( text | raw );<br>
notify <em class="replaceable"><code>notifytype</code></em>;<br>
@@ -468,6 +513,7 @@ view <em class="replaceable"><code>string</code></em> <em class="replaceable"><c
key-directory <em class="replaceable"><code>quoted_string</code></em>;<br>
zero-no-soa-ttl <em class="replaceable"><code>boolean</code></em>;<br>
zero-no-soa-ttl-cache <em class="replaceable"><code>boolean</code></em>;<br>
+ dnssec-secure-to-insecure <em class="replaceable"><code>boolean</code></em>;<br>
<br>
allow-v6-synthesis { <em class="replaceable"><code>address_match_element</code></em>; ... }; // obsolete<br>
fetch-glue <em class="replaceable"><code>boolean</code></em>; // obsolete<br>
@@ -477,7 +523,7 @@ view <em class="replaceable"><code>string</code></em> <em class="replaceable"><c
</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2545116"></a><h2>ZONE</h2>
+<a name="id2545284"></a><h2>ZONE</h2>
<div class="literallayout"><p><br>
zone <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>optional_class</code></em> {<br>
type ( master | slave | stub | hint |<br>
@@ -501,20 +547,23 @@ zone <em class="replaceable"><code>string</code></em> <em class="replaceable"><c
ixfr-from-differences <em class="replaceable"><code>boolean</code></em>;<br>
journal <em class="replaceable"><code>quoted_string</code></em>;<br>
zero-no-soa-ttl <em class="replaceable"><code>boolean</code></em>;<br>
+ dnssec-secure-to-insecure <em class="replaceable"><code>boolean</code></em>;<br>
<br>
allow-query { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
allow-query-on { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
allow-transfer { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
allow-update { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
allow-update-forwarding { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
- update-policy {<br>
+ update-policy <em class="replaceable"><code>local</code></em> | <em class="replaceable"><code> {<br>
( grant | deny ) <em class="replaceable"><code>string</code></em><br>
( name | subdomain | wildcard | self | selfsub | selfwild |<br>
                  krb5-self | ms-self | krb5-subdomain | ms-subdomain |<br>
-   tcp-self | 6to4-self ) <em class="replaceable"><code>string</code></em><br>
- <em class="replaceable"><code>rrtypelist</code></em>; ...<br>
- };<br>
+   tcp-self | zonesub | 6to4-self ) <em class="replaceable"><code>string</code></em><br>
+ <em class="replaceable"><code>rrtypelist</code></em>;<br>
+ [<span class="optional">...</span>]<br>
+ }</code></em>;<br>
update-check-ksk <em class="replaceable"><code>boolean</code></em>;<br>
+ dnssec-dnskey-kskonly <em class="replaceable"><code>boolean</code></em>;<br>
<br>
masterfile-format ( text | raw );<br>
notify <em class="replaceable"><code>notifytype</code></em>;<br>
@@ -569,12 +618,12 @@ zone <em class="replaceable"><code>string</code></em> <em class="replaceable"><c
</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2545413"></a><h2>FILES</h2>
+<a name="id2545664"></a><h2>FILES</h2>
<p><code class="filename">/etc/named.conf</code>
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2545425"></a><h2>SEE ALSO</h2>
+<a name="id2545675"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">named-checkconf</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
diff --git a/contrib/bind9/bin/named/named.docbook b/contrib/bind9/bin/named/named.docbook
index a4c54b734070..c748911e24a1 100644
--- a/contrib/bind9/bin/named/named.docbook
+++ b/contrib/bind9/bin/named/named.docbook
@@ -2,7 +2,7 @@
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- - Copyright (C) 2004-2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id$ -->
+<!-- $Id: named.docbook,v 1.26 2009/10/05 17:30:49 fdupont Exp $ -->
<refentry id="man.named">
<refentryinfo>
<date>May 21, 2009</date>
@@ -43,7 +43,6 @@
<year>2007</year>
<year>2008</year>
<year>2009</year>
- <year>2012</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
<copyright>
@@ -61,6 +60,7 @@
<arg><option>-6</option></arg>
<arg><option>-c <replaceable class="parameter">config-file</replaceable></option></arg>
<arg><option>-d <replaceable class="parameter">debug-level</replaceable></option></arg>
+ <arg><option>-E <replaceable class="parameter">engine-name</replaceable></option></arg>
<arg><option>-f</option></arg>
<arg><option>-g</option></arg>
<arg><option>-m <replaceable class="parameter">flag</replaceable></option></arg>
@@ -117,6 +117,7 @@
</para>
</listitem>
</varlistentry>
+
<varlistentry>
<term>-c <replaceable class="parameter">config-file</replaceable></term>
<listitem>
@@ -146,6 +147,19 @@
</varlistentry>
<varlistentry>
+ <term>-E <replaceable class="parameter">engine-name</replaceable></term>
+ <listitem>
+ <para>
+ Use a crypto hardware (OpenSSL engine) for the crypto operations
+ it supports, for instance re-signing with private keys from
+ a secure key store. When compiled with PKCS#11 support
+ <replaceable class="parameter">engine-name</replaceable>
+ defaults to pkcs11, the empty name resets it to no engine.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term>-f</term>
<listitem>
<para>
diff --git a/contrib/bind9/bin/named/named.html b/contrib/bind9/bin/named/named.html
index 87db6ae4ab0c..cf3cb2678f39 100644
--- a/contrib/bind9/bin/named/named.html
+++ b/contrib/bind9/bin/named/named.html
@@ -1,5 +1,5 @@
<!--
- - Copyright (C) 2004-2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@@ -29,10 +29,10 @@
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">named</code> [<code class="option">-4</code>] [<code class="option">-6</code>] [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-d <em class="replaceable"><code>debug-level</code></em></code>] [<code class="option">-f</code>] [<code class="option">-g</code>] [<code class="option">-m <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-n <em class="replaceable"><code>#cpus</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-s</code>] [<code class="option">-S <em class="replaceable"><code>#max-socks</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-u <em class="replaceable"><code>user</code></em></code>] [<code class="option">-v</code>] [<code class="option">-V</code>] [<code class="option">-x <em class="replaceable"><code>cache-file</code></em></code>]</p></div>
+<div class="cmdsynopsis"><p><code class="command">named</code> [<code class="option">-4</code>] [<code class="option">-6</code>] [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-d <em class="replaceable"><code>debug-level</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine-name</code></em></code>] [<code class="option">-f</code>] [<code class="option">-g</code>] [<code class="option">-m <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-n <em class="replaceable"><code>#cpus</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-s</code>] [<code class="option">-S <em class="replaceable"><code>#max-socks</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-u <em class="replaceable"><code>user</code></em></code>] [<code class="option">-v</code>] [<code class="option">-V</code>] [<code class="option">-x <em class="replaceable"><code>cache-file</code></em></code>]</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543475"></a><h2>DESCRIPTION</h2>
+<a name="id2543482"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">named</strong></span>
is a Domain Name System (DNS) server,
part of the BIND 9 distribution from ISC. For more
@@ -47,7 +47,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543499"></a><h2>OPTIONS</h2>
+<a name="id2543507"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-4</span></dt>
<dd><p>
@@ -79,6 +79,14 @@
Debugging traces from <span><strong class="command">named</strong></span> become
more verbose as the debug level increases.
</p></dd>
+<dt><span class="term">-E <em class="replaceable"><code>engine-name</code></em></span></dt>
+<dd><p>
+ Use a crypto hardware (OpenSSL engine) for the crypto operations
+ it supports, for instance re-signing with private keys from
+ a secure key store. When compiled with PKCS#11 support
+ <em class="replaceable"><code>engine-name</code></em>
+ defaults to pkcs11, the empty name resets it to no engine.
+ </p></dd>
<dt><span class="term">-f</span></dt>
<dd><p>
Run the server in the foreground (i.e. do not daemonize).
@@ -220,7 +228,7 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543934"></a><h2>SIGNALS</h2>
+<a name="id2543964"></a><h2>SIGNALS</h2>
<p>
In routine operation, signals should not be used to control
the nameserver; <span><strong class="command">rndc</strong></span> should be used
@@ -241,7 +249,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543982"></a><h2>CONFIGURATION</h2>
+<a name="id2544012"></a><h2>CONFIGURATION</h2>
<p>
The <span><strong class="command">named</strong></span> configuration file is too complex
to describe in detail here. A complete description is provided
@@ -258,7 +266,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2544019"></a><h2>FILES</h2>
+<a name="id2544049"></a><h2>FILES</h2>
<div class="variablelist"><dl>
<dt><span class="term"><code class="filename">/etc/named.conf</code></span></dt>
<dd><p>
@@ -271,7 +279,7 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2544195"></a><h2>SEE ALSO</h2>
+<a name="id2544088"></a><h2>SEE ALSO</h2>
<p><em class="citetitle">RFC 1033</em>,
<em class="citetitle">RFC 1034</em>,
<em class="citetitle">RFC 1035</em>,
@@ -284,7 +292,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2544265"></a><h2>AUTHOR</h2>
+<a name="id2544295"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
diff --git a/contrib/bind9/bin/named/query.c b/contrib/bind9/bin/named/query.c
index 2897a6365976..9e67f2d2187f 100644
--- a/contrib/bind9/bin/named/query.c
+++ b/contrib/bind9/bin/named/query.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: query.c,v 1.353.8.24 2012/02/07 01:14:39 marka Exp $ */
/*! \file */
@@ -25,15 +25,15 @@
#include <isc/hex.h>
#include <isc/mem.h>
+#include <isc/serial.h>
#include <isc/stats.h>
#include <isc/util.h>
#include <dns/adb.h>
#include <dns/byaddr.h>
#include <dns/db.h>
-#ifdef DLZ
#include <dns/dlz.h>
-#endif
+#include <dns/dns64.h>
#include <dns/dnssec.h>
#include <dns/events.h>
#include <dns/message.h>
@@ -62,6 +62,17 @@
#include <named/sortlist.h>
#include <named/xfrout.h>
+#if 0
+/*
+ * It has been recommended that DNS64 be changed to return excluded
+ * AAAA addresses if DNS64 synthesis does not occur. This minimises
+ * the impact on the lookup results. While most DNS AAAA lookups are
+ * done to send IP packets to a host, not all of them are and filtering
+ * excluded addresses has a negative impact on those uses.
+ */
+#define dns64_bis_return_excluded_addresses 1
+#endif
+
/*% Partial answer? */
#define PARTIALANSWER(c) (((c)->query.attributes & \
NS_QUERYATTR_PARTIALANSWER) != 0)
@@ -92,6 +103,12 @@
/*% Secure? */
#define SECURE(c) (((c)->query.attributes & \
NS_QUERYATTR_SECURE) != 0)
+/*% DNS64 A lookup? */
+#define DNS64(c) (((c)->query.attributes & \
+ NS_QUERYATTR_DNS64) != 0)
+
+#define DNS64EXCLUDE(c) (((c)->query.attributes & \
+ NS_QUERYATTR_DNS64EXCLUDE) != 0)
/*% No QNAME Proof? */
#define NOQNAME(r) (((r)->attributes & \
@@ -116,6 +133,7 @@
#define DNS_GETDB_NOEXACT 0x01U
#define DNS_GETDB_NOLOG 0x02U
#define DNS_GETDB_PARTIAL 0x04U
+#define DNS_GETDB_IGNOREACL 0x08U
#define PENDINGOK(x) (((x) & DNS_DBFIND_PENDINGOK) != 0)
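Review bot: `DNS_GETDB_IGNOREACL` is added without a comment, although it is the one lookup option here that switches off an access-control check. In this commit query_validatezonedb() jumps to `approved` when the flag is set, before the zone's allow-query ACL is evaluated, and rpz_getdb() passes it for policy-zone lookups. A one-line comment on the define would discourage reuse for lookups whose results go back to the client, e.g. `/* skip the allow-query ACL check; for internal (RPZ policy) lookups only */`.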
@@ -141,6 +159,9 @@ query_findclosestnsec3(dns_name_t *qname, dns_db_t *db,
static inline void
log_queryerror(ns_client_t *client, isc_result_t result, int line, int level);
+static void
+rpz_st_clear(ns_client_t *client);
+
/*%
* Increment query statistics counters.
*/
@@ -252,6 +273,19 @@ ns_query_cancel(ns_client_t *client) {
}
static inline void
+query_putrdataset(ns_client_t *client, dns_rdataset_t **rdatasetp) {
+ dns_rdataset_t *rdataset = *rdatasetp;
+
+ CTRACE("query_putrdataset");
+ if (rdataset != NULL) {
+ if (dns_rdataset_isassociated(rdataset))
+ dns_rdataset_disassociate(rdataset);
+ dns_message_puttemprdataset(client->message, rdatasetp);
+ }
+ CTRACE("query_putrdataset: done");
+}
+
+static inline void
query_reset(ns_client_t *client, isc_boolean_t everything) {
isc_buffer_t *dbuf, *dbuf_next;
ns_dbversion_t *dbversion, *dbversion_next;
@@ -285,6 +319,18 @@ query_reset(ns_client_t *client, isc_boolean_t everything) {
if (client->query.authzone != NULL)
dns_zone_detach(&client->query.authzone);
+ if (client->query.dns64_aaaa != NULL)
+ query_putrdataset(client, &client->query.dns64_aaaa);
+ if (client->query.dns64_sigaaaa != NULL)
+ query_putrdataset(client, &client->query.dns64_sigaaaa);
+ if (client->query.dns64_aaaaok != NULL) {
+ isc_mem_put(client->mctx, client->query.dns64_aaaaok,
+ client->query.dns64_aaaaoklen *
+ sizeof(isc_boolean_t));
+ client->query.dns64_aaaaok = NULL;
+ client->query.dns64_aaaaoklen = 0;
+ }
+
query_freefreeversions(client, everything);
for (dbuf = ISC_LIST_HEAD(client->query.namebufs);
@@ -310,13 +356,22 @@ query_reset(ns_client_t *client, isc_boolean_t everything) {
NS_QUERYATTR_SECURE);
client->query.restarts = 0;
client->query.timerset = ISC_FALSE;
+ if (client->query.rpz_st != NULL) {
+ rpz_st_clear(client);
+ if (everything) {
+ isc_mem_put(client->mctx, client->query.rpz_st,
+ sizeof(*client->query.rpz_st));
+ client->query.rpz_st = NULL;
+ }
+ }
client->query.origqname = NULL;
- client->query.qname = NULL;
client->query.dboptions = 0;
client->query.fetchoptions = 0;
client->query.gluedb = NULL;
client->query.authdbset = ISC_FALSE;
client->query.isreferral = ISC_FALSE;
+ client->query.dns64_options = 0;
+ client->query.dns64_ttl = ISC_UINT32_MAX;
}
static void
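Review bot: `client->query.qname = NULL;` is dropped from query_reset() while `client->query.origqname = NULL;` stays, and nothing in the hunk says why. The context just above walks `client->query.namebufs`, so if qname can point into one of those buffers it is left stale until the next request assigns it. The rpz logging helpers added in this commit read `client->query.qname` directly. If keeping the pointer is intentional, add a comment here stating what still needs qname after a reset; otherwise restore the assignment. query_reset() begins outside this hunk.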
@@ -473,20 +528,6 @@ query_newrdataset(ns_client_t *client) {
return (rdataset);
}
-static inline void
-query_putrdataset(ns_client_t *client, dns_rdataset_t **rdatasetp) {
- dns_rdataset_t *rdataset = *rdatasetp;
-
- CTRACE("query_putrdataset");
- if (rdataset != NULL) {
- if (dns_rdataset_isassociated(rdataset))
- dns_rdataset_disassociate(rdataset);
- dns_message_puttemprdataset(client->message, rdatasetp);
- }
- CTRACE("query_putrdataset: done");
-}
-
-
static inline isc_result_t
query_newdbversion(ns_client_t *client, unsigned int n) {
unsigned int i;
@@ -540,6 +581,7 @@ ns_query_init(ns_client_t *client) {
ISC_LIST_INIT(client->query.freeversions);
client->query.restarts = 0;
client->query.timerset = ISC_FALSE;
+ client->query.rpz_st = NULL;
client->query.qname = NULL;
result = isc_mutex_init(&client->query.fetchlock);
if (result != ISC_R_SUCCESS)
@@ -549,6 +591,10 @@ ns_query_init(ns_client_t *client) {
client->query.authzone = NULL;
client->query.authdbset = ISC_FALSE;
client->query.isreferral = ISC_FALSE;
+ client->query.dns64_aaaa = NULL;
+ client->query.dns64_sigaaaa = NULL;
+ client->query.dns64_aaaaok = NULL;
+ client->query.dns64_aaaaoklen = 0;
query_reset(client, ISC_FALSE);
result = query_newdbversion(client, 3);
if (result != ISC_R_SUCCESS) {
@@ -563,8 +609,7 @@ ns_query_init(ns_client_t *client) {
}
static inline ns_dbversion_t *
-query_findversion(ns_client_t *client, dns_db_t *db,
- isc_boolean_t *newzonep)
+query_findversion(ns_client_t *client, dns_db_t *db)
{
ns_dbversion_t *dbversion;
@@ -590,12 +635,11 @@ query_findversion(ns_client_t *client, dns_db_t *db,
return (NULL);
dns_db_attach(db, &dbversion->db);
dns_db_currentversion(db, &dbversion->version);
+ dbversion->acl_checked = ISC_FALSE;
dbversion->queryok = ISC_FALSE;
ISC_LIST_APPEND(client->query.activeversions,
dbversion, link);
- *newzonep = ISC_TRUE;
- } else
- *newzonep = ISC_FALSE;
+ }
return (dbversion);
}
@@ -607,7 +651,6 @@ query_validatezonedb(ns_client_t *client, dns_name_t *name,
dns_dbversion_t **versionp)
{
isc_result_t result;
- isc_boolean_t check_acl, new_zone;
dns_acl_t *queryacl;
ns_dbversion_t *dbversion;
@@ -623,7 +666,17 @@ query_validatezonedb(ns_client_t *client, dns_name_t *name,
if (!client->view->additionalfromauth &&
client->query.authdbset &&
db != client->query.authdb)
- goto refuse;
+ return (DNS_R_REFUSED);
+
+ /*
+ * Non recursive query to a static-stub zone is prohibited; its
+ * zone content is not public data, but a part of local configuration
+ * and should not be disclosed.
+ */
+ if (dns_zone_gettype(zone) == dns_zone_staticstub &&
+ !RECURSIONOK(client)) {
+ return (DNS_R_REFUSED);
+ }
/*
* If the zone has an ACL, we'll check it, otherwise
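Review bot: The new static-stub refusal returns `DNS_R_REFUSED` without a log line, whereas the ACL denial later in query_validatezonedb() logs `"%s denied"` under DNS_LOGCATEGORY_SECURITY. Unless a caller outside this hunk logs the result, an operator cannot tell a non-recursive probe of static-stub configuration from any other refused query. Consider a security-category message before the return, suppressed when `DNS_GETDB_NOLOG` is set, e.g. `ns_client_log(client, DNS_LOGCATEGORY_SECURITY, NS_LOGMODULE_QUERY, ISC_LOG_INFO, "non-recursive query to static-stub zone refused");`. The function starts and ends outside this hunk.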
@@ -633,24 +686,19 @@ query_validatezonedb(ns_client_t *client, dns_name_t *name,
* Also, get the database version to use.
*/
- check_acl = ISC_TRUE; /* Keep compiler happy. */
- POST(check_acl);
- queryacl = NULL;
-
/*
* Get the current version of this database.
*/
- dbversion = query_findversion(client, db, &new_zone);
- if (dbversion == NULL) {
- result = DNS_R_SERVFAIL;
- goto fail;
- }
- if (new_zone) {
- check_acl = ISC_TRUE;
- } else if (!dbversion->queryok) {
- goto refuse;
- } else {
- check_acl = ISC_FALSE;
+ dbversion = query_findversion(client, db);
+ if (dbversion == NULL)
+ return (DNS_R_SERVFAIL);
+
+ if ((options & DNS_GETDB_IGNOREACL) != 0)
+ goto approved;
+ if (dbversion->acl_checked) {
+ if (!dbversion->queryok)
+ return (DNS_R_REFUSED);
+ goto approved;
}
queryacl = dns_zone_getqueryacl(zone);
@@ -664,88 +712,69 @@ query_validatezonedb(ns_client_t *client, dns_name_t *name,
* allowed to make queries, otherwise the query should
* be refused.
*/
- check_acl = ISC_FALSE;
+ dbversion->acl_checked = ISC_TRUE;
if ((client->query.attributes &
- NS_QUERYATTR_QUERYOK) == 0)
- goto refuse;
- } else {
- /*
- * We haven't evaluated the view's queryacl yet.
- */
- check_acl = ISC_TRUE;
+ NS_QUERYATTR_QUERYOK) == 0) {
+ dbversion->queryok = ISC_FALSE;
+ return (DNS_R_REFUSED);
+ }
+ dbversion->queryok = ISC_TRUE;
+ goto approved;
}
}
- if (check_acl) {
- isc_boolean_t log = ISC_TF((options & DNS_GETDB_NOLOG) == 0);
-
- result = ns_client_checkaclsilent(client, NULL, queryacl,
- ISC_TRUE);
- if (log) {
- char msg[NS_CLIENT_ACLMSGSIZE("query")];
- if (result == ISC_R_SUCCESS) {
- if (isc_log_wouldlog(ns_g_lctx,
- ISC_LOG_DEBUG(3)))
- {
- ns_client_aclmsg("query", name, qtype,
- client->view->rdclass,
- msg, sizeof(msg));
- ns_client_log(client,
- DNS_LOGCATEGORY_SECURITY,
- NS_LOGMODULE_QUERY,
- ISC_LOG_DEBUG(3),
- "%s approved", msg);
- }
- } else {
+ result = ns_client_checkaclsilent(client, NULL, queryacl, ISC_TRUE);
+ if ((options & DNS_GETDB_NOLOG) == 0) {
+ char msg[NS_CLIENT_ACLMSGSIZE("query")];
+ if (result == ISC_R_SUCCESS) {
+ if (isc_log_wouldlog(ns_g_lctx, ISC_LOG_DEBUG(3))) {
ns_client_aclmsg("query", name, qtype,
client->view->rdclass,
msg, sizeof(msg));
- ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
- NS_LOGMODULE_QUERY, ISC_LOG_INFO,
- "%s denied", msg);
+ ns_client_log(client,
+ DNS_LOGCATEGORY_SECURITY,
+ NS_LOGMODULE_QUERY,
+ ISC_LOG_DEBUG(3),
+ "%s approved", msg);
}
+ } else {
+ ns_client_aclmsg("query", name, qtype,
+ client->view->rdclass,
+ msg, sizeof(msg));
+ ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
+ NS_LOGMODULE_QUERY, ISC_LOG_INFO,
+ "%s denied", msg);
}
+ }
- if (queryacl == client->view->queryacl) {
- if (result == ISC_R_SUCCESS) {
- /*
- * We were allowed by the default
- * "allow-query" ACL. Remember this so we
- * don't have to check again.
- */
- client->query.attributes |=
- NS_QUERYATTR_QUERYOK;
- }
+ if (queryacl == client->view->queryacl) {
+ if (result == ISC_R_SUCCESS) {
/*
- * We've now evaluated the view's query ACL, and
- * the NS_QUERYATTR_QUERYOK attribute is now valid.
+ * We were allowed by the default
+ * "allow-query" ACL. Remember this so we
+ * don't have to check again.
*/
- client->query.attributes |= NS_QUERYATTR_QUERYOKVALID;
+ client->query.attributes |= NS_QUERYATTR_QUERYOK;
}
-
- if (result != ISC_R_SUCCESS)
- goto refuse;
+ /*
+ * We've now evaluated the view's query ACL, and
+ * the NS_QUERYATTR_QUERYOK attribute is now valid.
+ */
+ client->query.attributes |= NS_QUERYATTR_QUERYOKVALID;
}
- /* Approved. */
-
- /*
- * Remember the result of the ACL check so we
- * don't have to check again.
- */
+ dbversion->acl_checked = ISC_TRUE;
+ if (result != ISC_R_SUCCESS) {
+ dbversion->queryok = ISC_FALSE;
+ return (DNS_R_REFUSED);
+ }
dbversion->queryok = ISC_TRUE;
+ approved:
/* Transfer ownership, if necessary. */
if (versionp != NULL)
*versionp = dbversion->version;
-
return (ISC_R_SUCCESS);
-
- refuse:
- return (DNS_R_REFUSED);
-
- fail:
- return (result);
}
static inline isc_result_t
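Review bot: The rewrite removes the comment "Remember the result of the ACL check so we don't have to check again", although the caching now records refusals as well as approvals. Both `return (DNS_R_REFUSED)` paths rely on `acl_checked` and `queryok` being set together, so state that above `dbversion->acl_checked = ISC_TRUE;`, e.g. `/* Cache the ACL verdict (allow or deny) on this dbversion entry. */`. The `DNS_GETDB_IGNOREACL` branch in the previous hunk reaches `approved:` without touching either field, which appears to be what stops a policy lookup from pre-approving a later client query. A note at the label saying so would protect that property. query_validatezonedb() starts outside this hunk.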
@@ -801,6 +830,79 @@ query_getzonedb(ns_client_t *client, dns_name_t *name, dns_rdatatype_t qtype,
return (result);
}
+static void
+rpz_log_rewrite(ns_client_t *client, const char *disabled,
+ dns_rpz_policy_t policy, dns_rpz_type_t type,
+ dns_name_t *rpz_qname) {
+ char qname_buf[DNS_NAME_FORMATSIZE];
+ char rpz_qname_buf[DNS_NAME_FORMATSIZE];
+
+ if (!isc_log_wouldlog(ns_g_lctx, DNS_RPZ_INFO_LEVEL))
+ return;
+
+ dns_name_format(client->query.qname, qname_buf, sizeof(qname_buf));
+ dns_name_format(rpz_qname, rpz_qname_buf, sizeof(rpz_qname_buf));
+
+ ns_client_log(client, DNS_LOGCATEGORY_RPZ, NS_LOGMODULE_QUERY,
+ DNS_RPZ_INFO_LEVEL, "%srpz %s %s rewrite %s via %s",
+ disabled,
+ dns_rpz_type2str(type), dns_rpz_policy2str(policy),
+ qname_buf, rpz_qname_buf);
+}
+
+static void
+rpz_log_fail(ns_client_t *client, int level,
+ dns_rpz_type_t rpz_type, dns_name_t *name,
+ const char *str, isc_result_t result)
+{
+ char namebuf1[DNS_NAME_FORMATSIZE];
+ char namebuf2[DNS_NAME_FORMATSIZE];
+
+ if (!isc_log_wouldlog(ns_g_lctx, level))
+ return;
+
+ dns_name_format(client->query.qname, namebuf1, sizeof(namebuf1));
+ dns_name_format(name, namebuf2, sizeof(namebuf2));
+ ns_client_log(client, NS_LOGCATEGORY_QUERY_EERRORS,
+ NS_LOGMODULE_QUERY, level,
+ "rpz %s rewrite %s via %s %sfailed: %s",
+ dns_rpz_type2str(rpz_type),
+ namebuf1, namebuf2, str, isc_result_totext(result));
+}
+
+/*
+ * Get a policy rewrite zone database.
+ */
+static isc_result_t
+rpz_getdb(ns_client_t *client, dns_rpz_type_t rpz_type, dns_name_t *rpz_qname,
+ dns_zone_t **zonep, dns_db_t **dbp, dns_dbversion_t **versionp)
+{
+ char namebuf1[DNS_NAME_FORMATSIZE];
+ char namebuf2[DNS_NAME_FORMATSIZE];
+ dns_dbversion_t *rpz_version = NULL;
+ isc_result_t result;
+
+ result = query_getzonedb(client, rpz_qname, dns_rdatatype_any,
+ DNS_GETDB_IGNOREACL, zonep, dbp, &rpz_version);
+ if (result == ISC_R_SUCCESS) {
+ if (isc_log_wouldlog(ns_g_lctx, DNS_RPZ_DEBUG_LEVEL2)) {
+ dns_name_format(client->query.qname, namebuf1,
+ sizeof(namebuf1));
+ dns_name_format(rpz_qname, namebuf2, sizeof(namebuf2));
+ ns_client_log(client, DNS_LOGCATEGORY_RPZ,
+ NS_LOGMODULE_QUERY, DNS_RPZ_DEBUG_LEVEL2,
+ "try rpz %s rewrite %s via %s",
+ dns_rpz_type2str(rpz_type),
+ namebuf1, namebuf2);
+ }
+ *versionp = rpz_version;
+ return (ISC_R_SUCCESS);
+ }
+ rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, rpz_type, rpz_qname,
+ "query_getzonedb() ", result);
+ return (result);
+}
+
static inline isc_result_t
query_getcachedb(ns_client_t *client, dns_name_t *name, dns_rdatatype_t qtype,
dns_db_t **dbp, unsigned int options)
@@ -906,7 +1008,6 @@ query_getdb(ns_client_t *client, dns_name_t *name, dns_rdatatype_t qtype,
{
isc_result_t result;
-#ifdef DLZ
isc_result_t tresult;
unsigned int namelabels;
unsigned int zonelabels;
@@ -972,16 +1073,10 @@ query_getdb(ns_client_t *client, dns_name_t *name, dns_rdatatype_t qtype,
result = tresult;
}
}
-#else
- result = query_getzonedb(client, name, qtype, options,
- zonep, dbp, versionp);
-#endif
/* If successful, Transfer ownership of zone. */
if (result == ISC_R_SUCCESS) {
-#ifdef DLZ
*zonep = zone;
-#endif
/*
* If neither attempt above succeeded, return the cache instead
*/
@@ -1246,6 +1341,10 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
}
if (qtype == dns_rdatatype_a) {
+#ifdef ALLOW_FILTER_AAAA_ON_V4
+ isc_boolean_t have_a = ISC_FALSE;
+#endif
+
/*
* We now go looking for A and AAAA records, along with
* their signatures.
@@ -1284,6 +1383,9 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
}
if (result == ISC_R_SUCCESS) {
mname = NULL;
+#ifdef ALLOW_FILTER_AAAA_ON_V4
+ have_a = ISC_TRUE;
+#endif
if (!query_isduplicate(client, fname,
dns_rdatatype_a, &mname)) {
if (mname != fname) {
@@ -1332,6 +1434,17 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
}
if (result == ISC_R_SUCCESS) {
mname = NULL;
+ /*
+ * There's an A; check whether we're filtering AAAA
+ */
+#ifdef ALLOW_FILTER_AAAA_ON_V4
+ if (have_a &&
+ (client->filter_aaaa == dns_v4_aaaa_break_dnssec ||
+ (client->filter_aaaa == dns_v4_aaaa_filter &&
+ (!WANTDNSSEC(client) || sigrdataset == NULL ||
+ !dns_rdataset_isassociated(sigrdataset)))))
+ goto addname;
+#endif
if (!query_isduplicate(client, fname,
dns_rdatatype_aaaa, &mname)) {
if (mname != fname) {
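Review bot: The comment `There's an A; check whether we're filtering AAAA` sits above `#ifdef ALLOW_FILTER_AAAA_ON_V4`, so builds without that option keep a comment that describes no code. The four-level condition under it also does not say what the two `client->filter_aaaa` modes mean. I would move the comment inside the `#ifdef` and state the rule, for example `/* Have an A: skip the AAAA under break-dnssec, or under filter when the client did not ask for DNSSEC or no signature is associated. */`. The `addname` label and the rest of query_addadditional() are outside this hunk, so what the jump skips should be confirmed there.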
@@ -1974,6 +2087,323 @@ query_addrdataset(ns_client_t *client, dns_name_t *fname,
CTRACE("query_addrdataset: done");
}
+static isc_result_t
+query_dns64(ns_client_t *client, dns_name_t **namep, dns_rdataset_t *rdataset,
+ dns_rdataset_t *sigrdataset, isc_buffer_t *dbuf,
+ dns_section_t section)
+{
+ dns_name_t *name, *mname;
+ dns_rdata_t *dns64_rdata;
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ dns_rdatalist_t *dns64_rdatalist;
+ dns_rdataset_t *dns64_rdataset;
+ dns_rdataset_t *mrdataset;
+ isc_buffer_t *buffer;
+ isc_region_t r;
+ isc_result_t result;
+ dns_view_t *view = client->view;
+ isc_netaddr_t netaddr;
+ dns_dns64_t *dns64;
+ unsigned int flags = 0;
+
+ /*%
+ * To the current response for 'client', add the answer RRset
+ * '*rdatasetp' and an optional signature set '*sigrdatasetp', with
+ * owner name '*namep', to section 'section', unless they are
+ * already there. Also add any pertinent additional data.
+ *
+ * If 'dbuf' is not NULL, then '*namep' is the name whose data is
+ * stored in 'dbuf'. In this case, query_addrrset() guarantees that
+ * when it returns the name will either have been kept or released.
+ */
+ CTRACE("query_dns64");
+ name = *namep;
+ mname = NULL;
+ mrdataset = NULL;
+ buffer = NULL;
+ dns64_rdata = NULL;
+ dns64_rdataset = NULL;
+ dns64_rdatalist = NULL;
+ result = dns_message_findname(client->message, section,
+ name, dns_rdatatype_aaaa,
+ rdataset->covers,
+ &mname, &mrdataset);
+ if (result == ISC_R_SUCCESS) {
+ /*
+ * We've already got an RRset of the given name and type.
+ * There's nothing else to do;
+ */
+ CTRACE("query_dns64: dns_message_findname succeeded: done");
+ if (dbuf != NULL)
+ query_releasename(client, namep);
+ return (ISC_R_SUCCESS);
+ } else if (result == DNS_R_NXDOMAIN) {
+ /*
+ * The name doesn't exist.
+ */
+ if (dbuf != NULL)
+ query_keepname(client, name, dbuf);
+ dns_message_addname(client->message, name, section);
+ *namep = NULL;
+ mname = name;
+ } else {
+ RUNTIME_CHECK(result == DNS_R_NXRRSET);
+ if (dbuf != NULL)
+ query_releasename(client, namep);
+ }
+
+ if (rdataset->trust != dns_trust_secure &&
+ (section == DNS_SECTION_ANSWER ||
+ section == DNS_SECTION_AUTHORITY))
+ client->query.attributes &= ~NS_QUERYATTR_SECURE;
+
+ isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr);
+
+ result = isc_buffer_allocate(client->mctx, &buffer, view->dns64cnt *
+ 16 * dns_rdataset_count(rdataset));
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+ result = dns_message_gettemprdataset(client->message, &dns64_rdataset);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+ result = dns_message_gettemprdatalist(client->message,
+ &dns64_rdatalist);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+
+ dns_rdataset_init(dns64_rdataset);
+ dns_rdatalist_init(dns64_rdatalist);
+ dns64_rdatalist->rdclass = dns_rdataclass_in;
+ dns64_rdatalist->type = dns_rdatatype_aaaa;
+ if (client->query.dns64_ttl != ISC_UINT32_MAX)
+ dns64_rdatalist->ttl = ISC_MIN(rdataset->ttl,
+ client->query.dns64_ttl);
+ else
+ dns64_rdatalist->ttl = ISC_MIN(rdataset->ttl, 600);
+
+ if (RECURSIONOK(client))
+ flags |= DNS_DNS64_RECURSIVE;
+
+ /*
+ * We use the signatures from the A lookup to set DNS_DNS64_DNSSEC
+ * as this provides a easy way to see if the answer was signed.
+ */
+ if (sigrdataset != NULL && dns_rdataset_isassociated(sigrdataset))
+ flags |= DNS_DNS64_DNSSEC;
+
+ for (result = dns_rdataset_first(rdataset);
+ result == ISC_R_SUCCESS;
+ result = dns_rdataset_next(rdataset)) {
+ for (dns64 = ISC_LIST_HEAD(client->view->dns64);
+ dns64 != NULL; dns64 = dns_dns64_next(dns64)) {
+
+ dns_rdataset_current(rdataset, &rdata);
+ isc__buffer_availableregion(buffer, &r);
+ INSIST(r.length >= 16);
+ result = dns_dns64_aaaafroma(dns64, &netaddr,
+ client->signer,
+ &ns_g_server->aclenv,
+ flags, rdata.data, r.base);
+ if (result != ISC_R_SUCCESS) {
+ dns_rdata_reset(&rdata);
+ continue;
+ }
+ isc_buffer_add(buffer, 16);
+ isc_buffer_remainingregion(buffer, &r);
+ isc_buffer_forward(buffer, 16);
+ result = dns_message_gettemprdata(client->message,
+ &dns64_rdata);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+ dns_rdata_init(dns64_rdata);
+ dns_rdata_fromregion(dns64_rdata, dns_rdataclass_in,
+ dns_rdatatype_aaaa, &r);
+ ISC_LIST_APPEND(dns64_rdatalist->rdata, dns64_rdata,
+ link);
+ dns64_rdata = NULL;
+ dns_rdata_reset(&rdata);
+ }
+ }
+ if (result != ISC_R_NOMORE)
+ goto cleanup;
+
+ if (ISC_LIST_EMPTY(dns64_rdatalist->rdata))
+ goto cleanup;
+
+ result = dns_rdatalist_tordataset(dns64_rdatalist, dns64_rdataset);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+ client->query.attributes |= NS_QUERYATTR_NOADDITIONAL;
+ dns64_rdataset->trust = rdataset->trust;
+ query_addrdataset(client, mname, dns64_rdataset);
+ dns64_rdataset = NULL;
+ dns64_rdatalist = NULL;
+ dns_message_takebuffer(client->message, &buffer);
+ result = ISC_R_SUCCESS;
+
+ cleanup:
+ if (buffer != NULL)
+ isc_buffer_free(&buffer);
+
+ if (dns64_rdata != NULL)
+ dns_message_puttemprdata(client->message, &dns64_rdata);
+
+ if (dns64_rdataset != NULL)
+ dns_message_puttemprdataset(client->message, &dns64_rdataset);
+
+ if (dns64_rdatalist != NULL) {
+ for (dns64_rdata = ISC_LIST_HEAD(dns64_rdatalist->rdata);
+ dns64_rdata != NULL;
+ dns64_rdata = ISC_LIST_HEAD(dns64_rdatalist->rdata))
+ {
+ ISC_LIST_UNLINK(dns64_rdatalist->rdata,
+ dns64_rdata, link);
+ dns_message_puttemprdata(client->message, &dns64_rdata);
+ }
+ dns_message_puttemprdatalist(client->message, &dns64_rdatalist);
+ }
+
+ CTRACE("query_dns64: done");
+ return (result);
+}
+
+static void
+query_filter64(ns_client_t *client, dns_name_t **namep,
+ dns_rdataset_t *rdataset, isc_buffer_t *dbuf,
+ dns_section_t section)
+{
+ dns_name_t *name, *mname;
+ dns_rdata_t *myrdata;
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ dns_rdatalist_t *myrdatalist;
+ dns_rdataset_t *myrdataset;
+ isc_buffer_t *buffer;
+ isc_region_t r;
+ isc_result_t result;
+ unsigned int i;
+
+ CTRACE("query_filter64");
+
+ INSIST(client->query.dns64_aaaaok != NULL);
+ INSIST(client->query.dns64_aaaaoklen == dns_rdataset_count(rdataset));
+
+ name = *namep;
+ mname = NULL;
+ buffer = NULL;
+ myrdata = NULL;
+ myrdataset = NULL;
+ myrdatalist = NULL;
+ result = dns_message_findname(client->message, section,
+ name, dns_rdatatype_aaaa,
+ rdataset->covers,
+ &mname, &myrdataset);
+ if (result == ISC_R_SUCCESS) {
+ /*
+ * We've already got an RRset of the given name and type.
+ * There's nothing else to do;
+ */
+ CTRACE("query_filter64: dns_message_findname succeeded: done");
+ if (dbuf != NULL)
+ query_releasename(client, namep);
+ return;
+ } else if (result == DNS_R_NXDOMAIN) {
+ mname = name;
+ *namep = NULL;
+ } else {
+ RUNTIME_CHECK(result == DNS_R_NXRRSET);
+ if (dbuf != NULL)
+ query_releasename(client, namep);
+ dbuf = NULL;
+ }
+
+ if (rdataset->trust != dns_trust_secure &&
+ (section == DNS_SECTION_ANSWER ||
+ section == DNS_SECTION_AUTHORITY))
+ client->query.attributes &= ~NS_QUERYATTR_SECURE;
+
+ result = isc_buffer_allocate(client->mctx, &buffer,
+ 16 * dns_rdataset_count(rdataset));
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+ result = dns_message_gettemprdataset(client->message, &myrdataset);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+ result = dns_message_gettemprdatalist(client->message, &myrdatalist);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+
+ dns_rdataset_init(myrdataset);
+ dns_rdatalist_init(myrdatalist);
+ myrdatalist->rdclass = dns_rdataclass_in;
+ myrdatalist->type = dns_rdatatype_aaaa;
+ myrdatalist->ttl = rdataset->ttl;
+
+ i = 0;
+ for (result = dns_rdataset_first(rdataset);
+ result == ISC_R_SUCCESS;
+ result = dns_rdataset_next(rdataset)) {
+ if (!client->query.dns64_aaaaok[i++])
+ continue;
+ dns_rdataset_current(rdataset, &rdata);
+ INSIST(rdata.length == 16);
+ isc_buffer_putmem(buffer, rdata.data, rdata.length);
+ isc_buffer_remainingregion(buffer, &r);
+ isc_buffer_forward(buffer, rdata.length);
+ result = dns_message_gettemprdata(client->message, &myrdata);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+ dns_rdata_init(myrdata);
+ dns_rdata_fromregion(myrdata, dns_rdataclass_in,
+ dns_rdatatype_aaaa, &r);
+ ISC_LIST_APPEND(myrdatalist->rdata, myrdata, link);
+ myrdata = NULL;
+ dns_rdata_reset(&rdata);
+ }
+ if (result != ISC_R_NOMORE)
+ goto cleanup;
+
+ result = dns_rdatalist_tordataset(myrdatalist, myrdataset);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+ client->query.attributes |= NS_QUERYATTR_NOADDITIONAL;
+ if (mname == name) {
+ if (dbuf != NULL)
+ query_keepname(client, name, dbuf);
+ dns_message_addname(client->message, name, section);
+ dbuf = NULL;
+ }
+ myrdataset->trust = rdataset->trust;
+ query_addrdataset(client, mname, myrdataset);
+ myrdataset = NULL;
+ myrdatalist = NULL;
+ dns_message_takebuffer(client->message, &buffer);
+
+ cleanup:
+ if (buffer != NULL)
+ isc_buffer_free(&buffer);
+
+ if (myrdata != NULL)
+ dns_message_puttemprdata(client->message, &myrdata);
+
+ if (myrdataset != NULL)
+ dns_message_puttemprdataset(client->message, &myrdataset);
+
+ if (myrdatalist != NULL) {
+ for (myrdata = ISC_LIST_HEAD(myrdatalist->rdata);
+ myrdata != NULL;
+ myrdata = ISC_LIST_HEAD(myrdatalist->rdata))
+ {
+ ISC_LIST_UNLINK(myrdatalist->rdata, myrdata, link);
+ dns_message_puttemprdata(client->message, &myrdata);
+ }
+ dns_message_puttemprdatalist(client->message, &myrdatalist);
+ }
+ if (dbuf != NULL)
+ query_releasename(client, &name);
+
+ CTRACE("query_filter64: done");
+}
+
static void
query_addrrset(ns_client_t *client, dns_name_t **namep,
dns_rdataset_t **rdatasetp, dns_rdataset_t **sigrdatasetp,
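Review bot: The block comment inside query_dns64() appears to have been carried over from query_addrrset(): it documents `*rdatasetp` and `*sigrdatasetp`, which are not parameters of this function, and it attributes the keep-or-release guarantee on the name to query_addrrset(). It should instead say that the function builds AAAA records from the A `rdataset` through each entry of `client->view->dns64` and adds them under `*namep`, and it belongs above the definition rather than after the declarations. query_filter64() has no header comment at all; one line saying that it copies only the AAAA records flagged in `client->query.dns64_aaaaok` would be enough. The literal `16` used for buffer sizing and in the `INSIST` checks of both functions is the AAAA rdata length and deserves a named constant or a comment, because `INSIST(r.length >= 16)` turns any sizing mistake into an assertion failure.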
@@ -2052,7 +2482,7 @@ query_addrrset(ns_client_t *client, dns_name_t **namep,
static inline isc_result_t
query_addsoa(ns_client_t *client, dns_db_t *db, dns_dbversion_t *version,
- isc_boolean_t zero_ttl, isc_boolean_t isassociated)
+ unsigned int override_ttl, isc_boolean_t isassociated)
{
dns_name_t *name;
dns_dbnode_t *node;
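Review bot: Replacing `isc_boolean_t zero_ttl` with `unsigned int override_ttl` changes the meaning of the old argument values without any help from the compiler. A caller that still passes `ISC_FALSE` would presumably now request an override to TTL 0, and `ISC_TRUE` an override to 1, because the next hunk treats only `ISC_UINT32_MAX` as "no override". The callers are outside these hunks, so each one needs checking by hand. Declaring the parameter as `dns_ttl_t`, as query_add_cname() does in this commit, and adding `/* override_ttl: ISC_UINT32_MAX keeps the SOA TTL; any other value caps it */` at the definition would make the sentinel visible.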
@@ -2135,10 +2565,11 @@ query_addsoa(ns_client_t *client, dns_db_t *db, dns_dbversion_t *version,
if (result != ISC_R_SUCCESS)
goto cleanup;
- if (zero_ttl) {
- rdataset->ttl = 0;
+ if (override_ttl != ISC_UINT32_MAX &&
+ override_ttl < rdataset->ttl) {
+ rdataset->ttl = override_ttl;
if (sigrdataset != NULL)
- sigrdataset->ttl = 0;
+ sigrdataset->ttl = override_ttl;
}
/*
@@ -2262,67 +2693,79 @@ query_addns(ns_client_t *client, dns_db_t *db, dns_dbversion_t *version) {
return (eresult);
}
-static inline isc_result_t
-query_addcnamelike(ns_client_t *client, dns_name_t *qname, dns_name_t *tname,
- dns_rdataset_t *dname, dns_name_t **anamep,
- dns_rdatatype_t type)
+static isc_result_t
+query_add_cname(ns_client_t *client, dns_name_t *qname, dns_name_t *tname,
+ dns_trust_t trust, dns_ttl_t ttl)
{
dns_rdataset_t *rdataset;
dns_rdatalist_t *rdatalist;
dns_rdata_t *rdata;
- isc_result_t result;
isc_region_t r;
+ dns_name_t *aname;
+ isc_result_t result;
/*
* We assume the name data referred to by tname won't go away.
*/
- REQUIRE(anamep != NULL);
+ aname = NULL;
+ result = dns_message_gettempname(client->message, &aname);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ result = dns_name_dup(qname, client->mctx, aname);
+ if (result != ISC_R_SUCCESS) {
+ dns_message_puttempname(client->message, &aname);
+ return (result);
+ }
rdatalist = NULL;
result = dns_message_gettemprdatalist(client->message, &rdatalist);
- if (result != ISC_R_SUCCESS)
+ if (result != ISC_R_SUCCESS) {
+ dns_message_puttempname(client->message, &aname);
return (result);
+ }
rdata = NULL;
result = dns_message_gettemprdata(client->message, &rdata);
- if (result != ISC_R_SUCCESS)
+ if (result != ISC_R_SUCCESS) {
+ dns_message_puttempname(client->message, &aname);
+ dns_message_puttemprdatalist(client->message, &rdatalist);
return (result);
+ }
rdataset = NULL;
result = dns_message_gettemprdataset(client->message, &rdataset);
- if (result != ISC_R_SUCCESS)
- return (result);
- dns_rdataset_init(rdataset);
- result = dns_name_dup(qname, client->mctx, *anamep);
if (result != ISC_R_SUCCESS) {
- dns_message_puttemprdataset(client->message, &rdataset);
+ dns_message_puttempname(client->message, &aname);
+ dns_message_puttemprdatalist(client->message, &rdatalist);
+ dns_message_puttemprdata(client->message, &rdata);
return (result);
}
-
- rdatalist->type = type;
+ dns_rdataset_init(rdataset);
+ rdatalist->type = dns_rdatatype_cname;
rdatalist->covers = 0;
rdatalist->rdclass = client->message->rdclass;
- rdatalist->ttl = dname->ttl;
+ rdatalist->ttl = ttl;
dns_name_toregion(tname, &r);
rdata->data = r.base;
rdata->length = r.length;
rdata->rdclass = client->message->rdclass;
- rdata->type = type;
+ rdata->type = dns_rdatatype_cname;
ISC_LIST_INIT(rdatalist->rdata);
ISC_LIST_APPEND(rdatalist->rdata, rdata, link);
RUNTIME_CHECK(dns_rdatalist_tordataset(rdatalist, rdataset)
== ISC_R_SUCCESS);
- rdataset->trust = dname->trust;
+ rdataset->trust = trust;
- query_addrrset(client, anamep, &rdataset, NULL, NULL,
+ query_addrrset(client, &aname, &rdataset, NULL, NULL,
DNS_SECTION_ANSWER);
-
if (rdataset != NULL) {
if (dns_rdataset_isassociated(rdataset))
dns_rdataset_disassociate(rdataset);
dns_message_puttemprdataset(client->message, &rdataset);
}
+ if (aname != NULL)
+ dns_message_puttempname(client->message, &aname);
return (ISC_R_SUCCESS);
}
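Review bot: query_add_cname() stores `r.base` from `dns_name_toregion(tname, &r)` directly in `rdata->data`, so the CNAME rdata aliases the caller's `tname` storage. The only statement of that contract is the in-body comment `We assume the name data referred to by tname won't go away`. The helper now takes explicit `trust` and `ttl` values and is no longer tied to a DNAME rdataset, so it is presumably meant for more call sites. It should carry a header comment saying that `qname` is duplicated into a temporary name, while `tname` must stay valid for as long as the message holds the rdata.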
@@ -2333,11 +2776,12 @@ query_addcnamelike(ns_client_t *client, dns_name_t *qname, dns_name_t *tname,
*/
static void
mark_secure(ns_client_t *client, dns_db_t *db, dns_name_t *name,
- isc_uint32_t ttl, dns_rdataset_t *rdataset,
+ dns_rdata_rrsig_t *rrsig, dns_rdataset_t *rdataset,
dns_rdataset_t *sigrdataset)
{
isc_result_t result;
dns_dbnode_t *node = NULL;
+ isc_stdtime_t now;
rdataset->trust = dns_trust_secure;
sigrdataset->trust = dns_trust_secure;
@@ -2348,17 +2792,10 @@ mark_secure(ns_client_t *client, dns_db_t *db, dns_name_t *name,
result = dns_db_findnode(db, name, ISC_TRUE, &node);
if (result != ISC_R_SUCCESS)
return;
- /*
- * Bound the validated ttls then minimise.
- */
- if (sigrdataset->ttl > ttl)
- sigrdataset->ttl = ttl;
- if (rdataset->ttl > ttl)
- rdataset->ttl = ttl;
- if (rdataset->ttl > sigrdataset->ttl)
- rdataset->ttl = sigrdataset->ttl;
- else
- sigrdataset->ttl = rdataset->ttl;
+
+ isc_stdtime_get(&now);
+ dns_rdataset_trimttl(rdataset, sigrdataset, rrsig, now,
+ client->view->acceptexpired);
(void)dns_db_addrdataset(db, node, NULL, client->now, rdataset,
0, NULL);
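Review bot: mark_secure() now reads the wall clock with `isc_stdtime_get(&now)` for `dns_rdataset_trimttl()`, but the `dns_db_addrdataset()` call that follows still passes `client->now`, so one cache insertion is computed against two different times. If judging RRSIG expiry against the current time rather than the request's timestamp is intended, a comment should say so. Otherwise the local can go and the call becomes `dns_rdataset_trimttl(rdataset, sigrdataset, rrsig, client->now, client->view->acceptexpired);`. The declaration of `now` is in the previous hunk and the function body continues past this one.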
@@ -2483,8 +2920,7 @@ validate(ns_client_t *client, dns_db_t *db, dns_name_t *name,
client->view->acceptexpired)) {
dst_key_free(&key);
dns_rdataset_disassociate(&keyrdataset);
- mark_secure(client, db, name,
- rrsig.originalttl,
+ mark_secure(client, db, name, &rrsig,
rdataset, sigrdataset);
return (ISC_TRUE);
}
@@ -2876,7 +3312,7 @@ query_addwildcardproof(ns_client_t *client, dns_db_t *db,
* j.example -> z.i.example NSEC example
* owner common example
* next common example
- * wild *.f.example
+ * wild *.example
*/
options = client->query.dboptions | DNS_DBFIND_NOWILD;
dns_fixedname_init(&wfixed);
@@ -3218,8 +3654,9 @@ query_resume(isc_task_t *task, isc_event_t *event) {
}
static isc_result_t
-query_recurse(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qdomain,
- dns_rdataset_t *nameservers, isc_boolean_t resuming)
+query_recurse(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qname,
+ dns_name_t *qdomain, dns_rdataset_t *nameservers,
+ isc_boolean_t resuming)
{
isc_result_t result;
dns_rdataset_t *rdataset, *sigrdataset;
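Review bot: query_recurse() gains a `qname` parameter that a later hunk passes to `dns_resolver_createfetch2()` in place of `client->query.qname`, but nothing at the definition says the fetched name may now differ from the client's question. rpz_rrset_find(), added later in this commit, calls it with `st->r_name`, so that case is real. A header comment such as `/* qname: name to fetch; may differ from client->query.qname, e.g. for a response-policy NS or address lookup */` would document it. Most of the function body is outside these hunks, so any remaining use of `client->query.qname` there (logging, duplicate-fetch handling) should be checked against the new parameter.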
@@ -3251,7 +3688,11 @@ query_recurse(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qdomain,
NS_LOGMODULE_QUERY,
ISC_LOG_WARNING,
"recursive-clients soft limit "
- "exceeded, aborting oldest query");
+ "exceeded (%d/%d/%d), "
+ "aborting oldest query",
+ client->recursionquota->used,
+ client->recursionquota->soft,
+ client->recursionquota->max);
}
ns_client_killoldestquery(client);
result = ISC_R_SUCCESS;
@@ -3264,7 +3705,11 @@ query_recurse(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qdomain,
ns_client_log(client, NS_LOGCATEGORY_CLIENT,
NS_LOGMODULE_QUERY,
ISC_LOG_WARNING,
- "no more recursive clients: %s",
+ "no more recursive clients "
+ "(%d/%d/%d): %s",
+ ns_g_server->recursionquota.used,
+ ns_g_server->recursionquota.soft,
+ ns_g_server->recursionquota.max,
isc_result_totext(result));
}
ns_client_killoldestquery(client);
@@ -3311,8 +3756,7 @@ query_recurse(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qdomain,
else
peeraddr = NULL;
result = dns_resolver_createfetch2(client->view->resolver,
- client->query.qname,
- qtype, qdomain, nameservers,
+ qname, qtype, qdomain, nameservers,
NULL, peeraddr, client->message->id,
client->query.fetchoptions,
client->task,
@@ -3335,6 +3779,1004 @@ query_recurse(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qdomain,
return (result);
}
+static inline void
+rpz_clean(dns_zone_t **zonep, dns_db_t **dbp, dns_dbnode_t **nodep,
+ dns_rdataset_t **rdatasetp)
+{
+ if (nodep != NULL && *nodep != NULL) {
+ REQUIRE(dbp != NULL && *dbp != NULL);
+ dns_db_detachnode(*dbp, nodep);
+ }
+ if (dbp != NULL && *dbp != NULL)
+ dns_db_detach(dbp);
+ if (zonep != NULL && *zonep != NULL)
+ dns_zone_detach(zonep);
+ if (rdatasetp != NULL && *rdatasetp != NULL &&
+ dns_rdataset_isassociated(*rdatasetp))
+ dns_rdataset_disassociate(*rdatasetp);
+}
+
+static void
+rpz_match_clear(dns_rpz_st_t *st)
+{
+ rpz_clean(&st->m.zone, &st->m.db, &st->m.node, &st->m.rdataset);
+ st->m.version = NULL;
+}
+
+static inline isc_result_t
+rpz_ready(ns_client_t *client, dns_zone_t **zonep, dns_db_t **dbp,
+ dns_dbnode_t **nodep, dns_rdataset_t **rdatasetp)
+{
+ REQUIRE(rdatasetp != NULL);
+
+ rpz_clean(zonep, dbp, nodep, rdatasetp);
+ if (*rdatasetp == NULL) {
+ *rdatasetp = query_newrdataset(client);
+ if (*rdatasetp == NULL)
+ return (DNS_R_SERVFAIL);
+ }
+ return (ISC_R_SUCCESS);
+}
+
+static void
+rpz_st_clear(ns_client_t *client) {
+ dns_rpz_st_t *st = client->query.rpz_st;
+
+ if (st->m.rdataset != NULL)
+ query_putrdataset(client, &st->m.rdataset);
+ rpz_match_clear(st);
+
+ rpz_clean(NULL, &st->r.db, NULL, NULL);
+ if (st->r.ns_rdataset != NULL)
+ query_putrdataset(client, &st->r.ns_rdataset);
+ if (st->r.r_rdataset != NULL)
+ query_putrdataset(client, &st->r.r_rdataset);
+
+ rpz_clean(&st->q.zone, &st->q.db, &st->q.node, NULL);
+ if (st->q.rdataset != NULL)
+ query_putrdataset(client, &st->q.rdataset);
+ if (st->q.sigrdataset != NULL)
+ query_putrdataset(client, &st->q.sigrdataset);
+ st->state = 0;
+ st->m.type = DNS_RPZ_TYPE_BAD;
+ st->m.policy = DNS_RPZ_POLICY_MISS;
+}
+
+/*
+ * Get NS, A, or AAAA rrset for response policy zone checks.
+ */
+static isc_result_t
+rpz_rrset_find(ns_client_t *client, dns_rpz_type_t rpz_type,
+ dns_name_t *name, dns_rdatatype_t type,
+ dns_db_t **dbp, dns_dbversion_t *version,
+ dns_rdataset_t **rdatasetp, isc_boolean_t resuming)
+{
+ dns_rpz_st_t *st;
+ isc_boolean_t is_zone;
+ dns_dbnode_t *node;
+ dns_fixedname_t fixed;
+ dns_name_t *found;
+ isc_result_t result;
+
+ st = client->query.rpz_st;
+ if ((st->state & DNS_RPZ_RECURSING) != 0) {
+ INSIST(st->r.r_type == type);
+ INSIST(dns_name_equal(name, st->r_name));
+ INSIST(*rdatasetp == NULL ||
+ !dns_rdataset_isassociated(*rdatasetp));
+ st->state &= ~DNS_RPZ_RECURSING;
+ *dbp = st->r.db;
+ st->r.db = NULL;
+ if (*rdatasetp != NULL)
+ query_putrdataset(client, rdatasetp);
+ *rdatasetp = st->r.r_rdataset;
+ st->r.r_rdataset = NULL;
+ result = st->r.r_result;
+ if (result == DNS_R_DELEGATION) {
+ rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL,
+ rpz_type, name,
+ "rpz_rrset_find(1) ", result);
+ st->m.policy = DNS_RPZ_POLICY_ERROR;
+ result = DNS_R_SERVFAIL;
+ }
+ return (result);
+ }
+
+ result = rpz_ready(client, NULL, NULL, NULL, rdatasetp);
+ if (result != ISC_R_SUCCESS) {
+ st->m.policy = DNS_RPZ_POLICY_ERROR;
+ return (result);
+ }
+ if (*dbp != NULL) {
+ is_zone = ISC_FALSE;
+ } else {
+ dns_zone_t *zone;
+
+ version = NULL;
+ zone = NULL;
+ result = query_getdb(client, name, type, 0, &zone, dbp,
+ &version, &is_zone);
+ if (result != ISC_R_SUCCESS) {
+ rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL,
+ rpz_type, name,
+ "rpz_rrset_find(2) ", result);
+ st->m.policy = DNS_RPZ_POLICY_ERROR;
+ if (zone != NULL)
+ dns_zone_detach(&zone);
+ return (result);
+ }
+ if (zone != NULL)
+ dns_zone_detach(&zone);
+ }
+
+ node = NULL;
+ dns_fixedname_init(&fixed);
+ found = dns_fixedname_name(&fixed);
+ result = dns_db_find(*dbp, name, version, type, DNS_DBFIND_GLUEOK,
+ client->now, &node, found, *rdatasetp, NULL);
+ if (result == DNS_R_DELEGATION && is_zone && USECACHE(client)) {
+ /*
+ * Try the cache if we're authoritative for an
+ * ancestor but not the domain itself.
+ */
+ rpz_clean(NULL, dbp, &node, rdatasetp);
+ version = NULL;
+ dns_db_attach(client->view->cachedb, dbp);
+ result = dns_db_find(*dbp, name, version, dns_rdatatype_ns,
+ 0, client->now, &node, found,
+ *rdatasetp, NULL);
+ }
+ rpz_clean(NULL, dbp, &node, NULL);
+ if (result == DNS_R_DELEGATION) {
+ rpz_clean(NULL, NULL, NULL, rdatasetp);
+ /*
+ * Recurse for NS rrset or A or AAAA rrset for an NS.
+ * Do not recurse for addresses for the query name.
+ */
+ if (rpz_type == DNS_RPZ_TYPE_IP) {
+ result = DNS_R_NXRRSET;
+ } else {
+ dns_name_copy(name, st->r_name, NULL);
+ result = query_recurse(client, type, st->r_name,
+ NULL, NULL, resuming);
+ if (result == ISC_R_SUCCESS) {
+ st->state |= DNS_RPZ_RECURSING;
+ result = DNS_R_DELEGATION;
+ }
+ }
+ }
+ return (result);
+}
+
+/*
+ * Check the IP address in an A or AAAA rdataset against
+ * the IP or NSIP response policy rules of a view.
+ */
+static isc_result_t
+rpz_rewrite_ip(ns_client_t *client, dns_rdataset_t *rdataset,
+ dns_rpz_type_t rpz_type)
+{
+ dns_rpz_st_t *st;
+ dns_dbversion_t *version;
+ dns_zone_t *zone;
+ dns_db_t *db;
+ dns_rpz_zone_t *rpz;
+ isc_result_t result;
+
+ st = client->query.rpz_st;
+ if (st->m.rdataset == NULL) {
+ st->m.rdataset = query_newrdataset(client);
+ if (st->m.rdataset == NULL)
+ return (DNS_R_SERVFAIL);
+ }
+ zone = NULL;
+ db = NULL;
+ for (rpz = ISC_LIST_HEAD(client->view->rpz_zones);
+ rpz != NULL;
+ rpz = ISC_LIST_NEXT(rpz, link)) {
+ if (!RECURSIONOK(client) && rpz->recursive_only)
+ continue;
+
+ /*
+ * Do not check policy zones that cannot replace a policy
+ * already known to match.
+ */
+ if (st->m.policy != DNS_RPZ_POLICY_MISS) {
+ if (st->m.rpz->num < rpz->num)
+ break;
+ if (st->m.rpz->num == rpz->num &&
+ st->m.type < rpz_type)
+ continue;
+ }
+
+ /*
+ * Find the database for this policy zone to get its radix tree.
+ */
+ version = NULL;
+ result = rpz_getdb(client, rpz_type, &rpz->origin,
+ &zone, &db, &version);
+ if (result != ISC_R_SUCCESS) {
+ rpz_clean(&zone, &db, NULL, NULL);
+ continue;
+ }
+ /*
+ * Look for a better (e.g. longer prefix) hit for an IP address
+ * in this rdataset in this radix tree than than the previous
+ * hit, if any. Note the domain name and quality of the
+ * best hit.
+ */
+ dns_db_rpz_findips(rpz, rpz_type, zone, db, version,
+ rdataset, st, client->query.rpz_st->qname);
+ rpz_clean(&zone, &db, NULL, NULL);
+ }
+ return (ISC_R_SUCCESS);
+}
+
+/*
+ * Look for an A or AAAA rdataset
+ * and check for IP or NSIP rewrite policy rules.
+ */
+static isc_result_t
+rpz_rewrite_rrset(ns_client_t *client, dns_rpz_type_t rpz_type,
+ dns_rdatatype_t type, dns_name_t *name,
+ dns_db_t **dbp, dns_dbversion_t *version,
+ dns_rdataset_t **rdatasetp, isc_boolean_t resuming)
+{
+ isc_result_t result;
+
+ result = rpz_rrset_find(client, rpz_type, name, type, dbp, version,
+ rdatasetp, resuming);
+ switch (result) {
+ case ISC_R_SUCCESS:
+ result = rpz_rewrite_ip(client, *rdatasetp, rpz_type);
+ break;
+ case DNS_R_EMPTYNAME:
+ case DNS_R_EMPTYWILD:
+ case DNS_R_NXDOMAIN:
+ case DNS_R_NCACHENXDOMAIN:
+ case DNS_R_NXRRSET:
+ case DNS_R_NCACHENXRRSET:
+ case ISC_R_NOTFOUND:
+ result = ISC_R_SUCCESS;
+ break;
+ case DNS_R_DELEGATION:
+ case DNS_R_DUPLICATE:
+ case DNS_R_DROP:
+ break;
+ case DNS_R_CNAME:
+ case DNS_R_DNAME:
+ rpz_log_fail(client, DNS_RPZ_DEBUG_LEVEL1, rpz_type,
+ name, "NS address rewrite rrset ", result);
+ result = ISC_R_SUCCESS;
+ break;
+ default:
+ if (client->query.rpz_st->m.policy != DNS_RPZ_POLICY_ERROR) {
+ client->query.rpz_st->m.policy = DNS_RPZ_POLICY_ERROR;
+ rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, rpz_type,
+ name, "NS address rewrite rrset ", result);
+ }
+ break;
+ }
+ return (result);
+}
+
+/*
+ * Look for both A and AAAA rdatasets
+ * and check for IP or NSIP rewrite policy rules.
+ * Look only for addresses that will be in the ANSWER section
+ * when checking for IP rules.
+ */
+static isc_result_t
+rpz_rewrite_rrsets(ns_client_t *client, dns_rpz_type_t rpz_type,
+ dns_name_t *name, dns_rdatatype_t type,
+ dns_rdataset_t **rdatasetp, isc_boolean_t resuming)
+{
+ dns_rpz_st_t *st;
+ dns_dbversion_t *version;
+ dns_db_t *ipdb;
+ isc_result_t result;
+
+ st = client->query.rpz_st;
+ version = NULL;
+ ipdb = NULL;
+ if ((st->state & DNS_RPZ_DONE_IPv4) == 0 &&
+ ((rpz_type == DNS_RPZ_TYPE_NSIP) ?
+ (st->state & DNS_RPZ_HAVE_NSIPv4) :
+ (st->state & DNS_RPZ_HAVE_IP)) != 0 &&
+ (type == dns_rdatatype_any || type == dns_rdatatype_a)) {
+ result = rpz_rewrite_rrset(client, rpz_type, dns_rdatatype_a,
+ name, &ipdb, version, rdatasetp,
+ resuming);
+ if (result == ISC_R_SUCCESS)
+ st->state |= DNS_RPZ_DONE_IPv4;
+ } else {
+ result = ISC_R_SUCCESS;
+ }
+ if (result == ISC_R_SUCCESS &&
+ ((rpz_type == DNS_RPZ_TYPE_NSIP) ?
+ (st->state & DNS_RPZ_HAVE_NSIPv6) :
+ (st->state & DNS_RPZ_HAVE_IP)) != 0 &&
+ (type == dns_rdatatype_any || type == dns_rdatatype_aaaa)) {
+ result = rpz_rewrite_rrset(client, rpz_type, dns_rdatatype_aaaa,
+ name, &ipdb, version, rdatasetp,
+ resuming);
+ }
+ if (ipdb != NULL)
+ dns_db_detach(&ipdb);
+ return (result);
+}
+
+/*
+ * Get the rrset from a response policy zone.
+ */
+static isc_result_t
+rpz_find(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qnamef,
+ dns_name_t *sname, dns_rpz_zone_t *rpz, dns_rpz_type_t rpz_type,
+ dns_zone_t **zonep, dns_db_t **dbp, dns_dbversion_t **versionp,
+ dns_dbnode_t **nodep, dns_rdataset_t **rdatasetp,
+ dns_rpz_policy_t *policyp)
+{
+ dns_rpz_policy_t policy;
+ dns_fixedname_t fixed;
+ dns_name_t *found;
+ isc_result_t result;
+
+ result = rpz_ready(client, zonep, dbp, nodep, rdatasetp);
+ if (result != ISC_R_SUCCESS) {
+ *policyp = DNS_RPZ_POLICY_ERROR;
+ return (result);
+ }
+
+ /*
+ * Try to get either a CNAME or the type of record demanded by the
+ * request from the policy zone.
+ */
+ *versionp = NULL;
+ result = rpz_getdb(client, rpz_type, qnamef, zonep, dbp, versionp);
+ if (result != ISC_R_SUCCESS) {
+ *policyp = DNS_RPZ_POLICY_MISS;
+ return (DNS_R_NXDOMAIN);
+ }
+
+ dns_fixedname_init(&fixed);
+ found = dns_fixedname_name(&fixed);
+ result = dns_db_find(*dbp, qnamef, *versionp, dns_rdatatype_any, 0,
+ client->now, nodep, found, *rdatasetp, NULL);
+ if (result == ISC_R_SUCCESS) {
+ dns_rdatasetiter_t *rdsiter;
+
+ rdsiter = NULL;
+ result = dns_db_allrdatasets(*dbp, *nodep, *versionp, 0,
+ &rdsiter);
+ if (result != ISC_R_SUCCESS) {
+ dns_db_detachnode(*dbp, nodep);
+ rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, rpz_type,
+ qnamef, "allrdatasets() ", result);
+ *policyp = DNS_RPZ_POLICY_ERROR;
+ return (DNS_R_SERVFAIL);
+ }
+ for (result = dns_rdatasetiter_first(rdsiter);
+ result == ISC_R_SUCCESS;
+ result = dns_rdatasetiter_next(rdsiter)) {
+ dns_rdatasetiter_current(rdsiter, *rdatasetp);
+ if ((*rdatasetp)->type == dns_rdatatype_cname ||
+ (*rdatasetp)->type == qtype)
+ break;
+ dns_rdataset_disassociate(*rdatasetp);
+ }
+ dns_rdatasetiter_destroy(&rdsiter);
+ if (result != ISC_R_SUCCESS) {
+ if (result != ISC_R_NOMORE) {
+ rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL,
+ rpz_type, qnamef, "rdatasetiter ",
+ result);
+ *policyp = DNS_RPZ_POLICY_ERROR;
+ return (DNS_R_SERVFAIL);
+ }
+ /*
+ * Ask again to get the right DNS_R_DNAME/NXRRSET/...
+ * result if there is neither a CNAME nor target type.
+ */
+ if (dns_rdataset_isassociated(*rdatasetp))
+ dns_rdataset_disassociate(*rdatasetp);
+ dns_db_detachnode(*dbp, nodep);
+
+ if (qtype == dns_rdatatype_rrsig ||
+ qtype == dns_rdatatype_sig)
+ result = DNS_R_NXRRSET;
+ else
+ result = dns_db_find(*dbp, qnamef, *versionp,
+ qtype, 0, client->now,
+ nodep, found, *rdatasetp,
+ NULL);
+ }
+ }
+ switch (result) {
+ case ISC_R_SUCCESS:
+ if ((*rdatasetp)->type != dns_rdatatype_cname) {
+ policy = DNS_RPZ_POLICY_RECORD;
+ } else {
+ policy = dns_rpz_decode_cname(rpz, *rdatasetp, sname);
+ if ((policy == DNS_RPZ_POLICY_RECORD ||
+ policy == DNS_RPZ_POLICY_WILDCNAME) &&
+ qtype != dns_rdatatype_cname &&
+ qtype != dns_rdatatype_any)
+ result = DNS_R_CNAME;
+ }
+ break;
+ case DNS_R_DNAME:
+ /*
+ * DNAME policy RRs have very few if any uses that are not
+ * better served with simple wildcards. Making the work would
+ * require complications to get the number of labels matched
+ * in the name or the found name to the main DNS_R_DNAME case
+ * in query_find(). So fall through to treat them as NODATA.
+ */
+ case DNS_R_NXRRSET:
+ policy = DNS_RPZ_POLICY_NODATA;
+ break;
+ case DNS_R_NXDOMAIN:
+ case DNS_R_EMPTYNAME:
+ /*
+ * If we don't get a qname hit,
+ * see if it is worth looking for other types.
+ */
+ dns_db_rpz_enabled(*dbp, client->query.rpz_st);
+ dns_db_detach(dbp);
+ dns_zone_detach(zonep);
+ policy = DNS_RPZ_POLICY_MISS;
+ break;
+ default:
+ dns_db_detach(dbp);
+ dns_zone_detach(zonep);
+ rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, rpz_type, qnamef,
+ "", result);
+ policy = DNS_RPZ_POLICY_ERROR;
+ result = DNS_R_SERVFAIL;
+ break;
+ }
+
+ *policyp = policy;
+ return (result);
+}
+
+/*
+ * Build and look for a QNAME or NSDNAME owner name in a response policy zone.
+ */
+static isc_result_t
+rpz_rewrite_name(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qname,
+ dns_rpz_type_t rpz_type, dns_rdataset_t **rdatasetp)
+{
+ dns_rpz_st_t *st;
+ dns_rpz_zone_t *rpz;
+ dns_fixedname_t prefixf, rpz_qnamef;
+ dns_name_t *prefix, *suffix, *rpz_qname;
+ dns_zone_t *zone;
+ dns_db_t *db;
+ dns_dbversion_t *version;
+ dns_dbnode_t *node;
+ dns_rpz_policy_t policy;
+ unsigned int labels;
+ isc_result_t result;
+
+ st = client->query.rpz_st;
+ zone = NULL;
+ db = NULL;
+ node = NULL;
+
+ for (rpz = ISC_LIST_HEAD(client->view->rpz_zones);
+ rpz != NULL;
+ rpz = ISC_LIST_NEXT(rpz, link)) {
+ if (!RECURSIONOK(client) && rpz->recursive_only)
+ continue;
+
+ /*
+ * Do not check policy zones that cannot replace a policy
+ * already known to match.
+ */
+ if (st->m.policy != DNS_RPZ_POLICY_MISS) {
+ if (st->m.rpz->num < rpz->num)
+ break;
+ if (st->m.rpz->num == rpz->num &&
+ st->m.type < rpz_type)
+ continue;
+ }
+ /*
+ * Construct the policy's owner name.
+ */
+ dns_fixedname_init(&prefixf);
+ prefix = dns_fixedname_name(&prefixf);
+ dns_name_split(qname, 1, prefix, NULL);
+ if (rpz_type == DNS_RPZ_TYPE_NSDNAME)
+ suffix = &rpz->nsdname;
+ else
+ suffix = &rpz->origin;
+ dns_fixedname_init(&rpz_qnamef);
+ rpz_qname = dns_fixedname_name(&rpz_qnamef);
+ for (;;) {
+ result = dns_name_concatenate(prefix, suffix,
+ rpz_qname, NULL);
+ if (result == ISC_R_SUCCESS)
+ break;
+ INSIST(result == DNS_R_NAMETOOLONG);
+ labels = dns_name_countlabels(prefix);
+ if (labels < 2) {
+ rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL,
+ rpz_type, suffix,
+ "concatentate() ", result);
+ return (ISC_R_SUCCESS);
+ }
+ if (labels+1 == dns_name_countlabels(qname)) {
+ rpz_log_fail(client, DNS_RPZ_DEBUG_LEVEL1,
+ rpz_type, suffix,
+ "concatentate() ", result);
+ }
+ dns_name_split(prefix, labels - 1, NULL, prefix);
+ }
+
+ /*
+ * See if the policy record exists and get its policy.
+ */
+ result = rpz_find(client, qtype, rpz_qname, qname, rpz,
+ rpz_type, &zone, &db, &version, &node,
+ rdatasetp, &policy);
+ switch (result) {
+ case DNS_R_NXDOMAIN:
+ case DNS_R_EMPTYNAME:
+ break;
+ case DNS_R_SERVFAIL:
+ rpz_clean(&zone, &db, &node, rdatasetp);
+ st->m.policy = DNS_RPZ_POLICY_ERROR;
+ return (DNS_R_SERVFAIL);
+ default:
+ /*
+ * We are dealing with names here.
+ * With more than one applicable policy, prefer
+ * the earliest configured policy,
+ * QNAME over IP over NSDNAME over NSIP,
+ * and the smallest name.
+ * Because of the testing above,
+ * we known st->m.rpz->num >= rpz->num and either
+ * st->m.rpz->num > rpz->num or st->m.type >= rpz_type
+ */
+ if (st->m.policy != DNS_RPZ_POLICY_MISS &&
+ rpz->num == st->m.rpz->num &&
+ (st->m.type < rpz_type ||
+ (st->m.type == rpz_type &&
+ 0 >= dns_name_compare(rpz_qname, st->qname))))
+ continue;
+
+ /*
+ * Merely log DNS_RPZ_POLICY_DISABLED hits.
+ */
+ if (rpz->policy == DNS_RPZ_POLICY_DISABLED) {
+ rpz_log_rewrite(client, "disabled ",
+ policy, rpz_type, rpz_qname);
+ continue;
+ }
+
+ rpz_match_clear(st);
+ st->m.rpz = rpz;
+ st->m.type = rpz_type;
+ st->m.prefix = 0;
+ st->m.policy = policy;
+ st->m.result = result;
+ dns_name_copy(rpz_qname, st->qname, NULL);
+ if (*rdatasetp != NULL &&
+ dns_rdataset_isassociated(*rdatasetp)) {
+ dns_rdataset_t *trdataset;
+
+ trdataset = st->m.rdataset;
+ st->m.rdataset = *rdatasetp;
+ *rdatasetp = trdataset;
+ st->m.ttl = ISC_MIN(st->m.rdataset->ttl,
+ rpz->max_policy_ttl);
+ } else {
+ st->m.ttl = ISC_MIN(DNS_RPZ_TTL_DEFAULT,
+ rpz->max_policy_ttl);
+ }
+ st->m.node = node;
+ node = NULL;
+ st->m.db = db;
+ db = NULL;
+ st->m.version = version;
+ st->m.zone = zone;
+ zone = NULL;
+ }
+ }
+
+ rpz_clean(&zone, &db, &node, rdatasetp);
+ return (ISC_R_SUCCESS);
+}
+
+static void
+rpz_rewrite_ns_skip(ns_client_t *client, dns_name_t *nsname,
+ isc_result_t result, int level, const char *str)
+{
+ dns_rpz_st_t *st;
+
+ st = client->query.rpz_st;
+
+ if (str != NULL)
+ rpz_log_fail(client, level, DNS_RPZ_TYPE_NSIP, nsname,
+ str, result);
+ if (st->r.ns_rdataset != NULL &&
+ dns_rdataset_isassociated(st->r.ns_rdataset))
+ dns_rdataset_disassociate(st->r.ns_rdataset);
+
+ st->r.label--;
+}
+
+/*
+ * Look for response policy zone QNAME, NSIP, and NSDNAME rewriting.
+ */
+static isc_result_t
+rpz_rewrite(ns_client_t *client, dns_rdatatype_t qtype, isc_result_t qresult,
+ isc_boolean_t resuming)
+{
+ dns_rpz_st_t *st;
+ dns_rdataset_t *rdataset;
+ dns_fixedname_t nsnamef;
+ dns_name_t *nsname;
+ isc_boolean_t ck_ip;
+ isc_result_t result;
+
+ st = client->query.rpz_st;
+ if (st == NULL) {
+ st = isc_mem_get(client->mctx, sizeof(*st));
+ if (st == NULL)
+ return (ISC_R_NOMEMORY);
+ st->state = 0;
+ memset(&st->m, 0, sizeof(st->m));
+ st->m.type = DNS_RPZ_TYPE_BAD;
+ st->m.policy = DNS_RPZ_POLICY_MISS;
+ memset(&st->r, 0, sizeof(st->r));
+ memset(&st->q, 0, sizeof(st->q));
+ dns_fixedname_init(&st->_qnamef);
+ dns_fixedname_init(&st->_r_namef);
+ dns_fixedname_init(&st->_fnamef);
+ st->qname = dns_fixedname_name(&st->_qnamef);
+ st->r_name = dns_fixedname_name(&st->_r_namef);
+ st->fname = dns_fixedname_name(&st->_fnamef);
+ client->query.rpz_st = st;
+ }
+
+ /*
+ * There is nothing to rewrite if the main query failed.
+ */
+ switch (qresult) {
+ case ISC_R_SUCCESS:
+ case DNS_R_GLUE:
+ case DNS_R_ZONECUT:
+ ck_ip = ISC_TRUE;
+ break;
+ case DNS_R_EMPTYNAME:
+ case DNS_R_NXRRSET:
+ case DNS_R_NXDOMAIN:
+ case DNS_R_EMPTYWILD:
+ case DNS_R_NCACHENXDOMAIN:
+ case DNS_R_NCACHENXRRSET:
+ case DNS_R_CNAME:
+ case DNS_R_DNAME:
+ ck_ip = ISC_FALSE;
+ break;
+ case DNS_R_DELEGATION:
+ case ISC_R_NOTFOUND:
+ return (ISC_R_SUCCESS);
+ case ISC_R_FAILURE:
+ case ISC_R_TIMEDOUT:
+ case DNS_R_BROKENCHAIN:
+ rpz_log_fail(client, DNS_RPZ_DEBUG_LEVEL3, DNS_RPZ_TYPE_QNAME,
+ client->query.qname,
+ "stop on qresult in rpz_rewrite() ",
+ qresult);
+ return (ISC_R_SUCCESS);
+ default:
+ rpz_log_fail(client, DNS_RPZ_DEBUG_LEVEL1, DNS_RPZ_TYPE_QNAME,
+ client->query.qname,
+ "stop on unrecognized qresult in rpz_rewrite() ",
+ qresult);
+ return (ISC_R_SUCCESS);
+ }
+
+ rdataset = NULL;
+ if ((st->state & DNS_RPZ_DONE_QNAME) == 0) {
+ /*
+ * Check rules for the query name if this it the first time
+ * for the current qname, i.e. we've not been recursing.
+ * There is a first time for each name in a CNAME chain.
+ */
+ result = rpz_rewrite_name(client, qtype, client->query.qname,
+ DNS_RPZ_TYPE_QNAME, &rdataset);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+
+ st->r.label = dns_name_countlabels(client->query.qname);
+
+ st->state &= ~(DNS_RPZ_DONE_QNAME_IP | DNS_RPZ_DONE_IPv4);
+ st->state |= DNS_RPZ_DONE_QNAME;
+ }
+
+ /*
+ * Check known IP addresses for the query name.
+ * Any recursion required for the query has already happened.
+ * Do not check addresses that will not be in the ANSWER section.
+ */
+ if ((st->state & DNS_RPZ_DONE_QNAME_IP) == 0 &&
+ (st->state & DNS_RPZ_HAVE_IP) != 0 && ck_ip) {
+ result = rpz_rewrite_rrsets(client, DNS_RPZ_TYPE_IP,
+ client->query.qname, qtype,
+ &rdataset, resuming);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+ st->state &= ~DNS_RPZ_DONE_IPv4;
+ st->state |= DNS_RPZ_DONE_QNAME_IP;
+ }
+
+ /*
+ * Stop looking for rules if there are none of the other kinds.
+ */
+ if ((st->state & (DNS_RPZ_HAVE_NSIPv4 | DNS_RPZ_HAVE_NSIPv6 |
+ DNS_RPZ_HAVE_NSDNAME)) == 0) {
+ result = ISC_R_SUCCESS;
+ goto cleanup;
+ }
+
+ dns_fixedname_init(&nsnamef);
+ dns_name_clone(client->query.qname, dns_fixedname_name(&nsnamef));
+ while (st->r.label > 1) {
+ /*
+ * Get NS rrset for each domain in the current qname.
+ */
+ if (st->r.label == dns_name_countlabels(client->query.qname)) {
+ nsname = client->query.qname;
+ } else {
+ nsname = dns_fixedname_name(&nsnamef);
+ dns_name_split(client->query.qname, st->r.label,
+ NULL, nsname);
+ }
+ if (st->r.ns_rdataset == NULL ||
+ !dns_rdataset_isassociated(st->r.ns_rdataset)) {
+ dns_db_t *db = NULL;
+ result = rpz_rrset_find(client, DNS_RPZ_TYPE_NSDNAME,
+ nsname, dns_rdatatype_ns,
+ &db, NULL, &st->r.ns_rdataset,
+ resuming);
+ if (db != NULL)
+ dns_db_detach(&db);
+ if (st->m.policy == DNS_RPZ_POLICY_ERROR)
+ goto cleanup;
+ switch (result) {
+ case ISC_R_SUCCESS:
+ result = dns_rdataset_first(st->r.ns_rdataset);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+ st->state &= ~(DNS_RPZ_DONE_NSDNAME |
+ DNS_RPZ_DONE_IPv4);
+ break;
+ case DNS_R_DELEGATION:
+ goto cleanup;
+ case DNS_R_EMPTYNAME:
+ case DNS_R_NXRRSET:
+ case DNS_R_EMPTYWILD:
+ case DNS_R_NXDOMAIN:
+ case DNS_R_NCACHENXDOMAIN:
+ case DNS_R_NCACHENXRRSET:
+ case ISC_R_NOTFOUND:
+ case DNS_R_CNAME:
+ case DNS_R_DNAME:
+ rpz_rewrite_ns_skip(client, nsname, result,
+ 0, NULL);
+ continue;
+ case ISC_R_TIMEDOUT:
+ case DNS_R_BROKENCHAIN:
+ case ISC_R_FAILURE:
+ rpz_rewrite_ns_skip(client, nsname, result,
+ DNS_RPZ_DEBUG_LEVEL3,
+ "NS db_find() ");
+ continue;
+ default:
+ rpz_rewrite_ns_skip(client, nsname, result,
+ DNS_RPZ_INFO_LEVEL,
+ "unrecognized NS db_find() ");
+ continue;
+ }
+ }
+ /*
+ * Check all NS names.
+ */
+ do {
+ dns_rdata_ns_t ns;
+ dns_rdata_t nsrdata = DNS_RDATA_INIT;
+
+ dns_rdataset_current(st->r.ns_rdataset, &nsrdata);
+ result = dns_rdata_tostruct(&nsrdata, &ns, NULL);
+ dns_rdata_reset(&nsrdata);
+ if (result != ISC_R_SUCCESS) {
+ rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL,
+ DNS_RPZ_TYPE_NSIP, nsname,
+ "rdata_tostruct() ", result);
+ st->m.policy = DNS_RPZ_POLICY_ERROR;
+ goto cleanup;
+ }
+ /*
+ * Do nothing about "NS ."
+ */
+ if (dns_name_equal(&ns.name, dns_rootname)) {
+ dns_rdata_freestruct(&ns);
+ result = dns_rdataset_next(st->r.ns_rdataset);
+ continue;
+ }
+ /*
+ * Check this NS name if we did not handle it
+ * during a previous recursion.
+ */
+ if ((st->state & DNS_RPZ_DONE_NSDNAME) == 0 &&
+ (st->state & DNS_RPZ_HAVE_NSDNAME) != 0) {
+ result = rpz_rewrite_name(client, qtype,
+ &ns.name,
+ DNS_RPZ_TYPE_NSDNAME,
+ &rdataset);
+ if (result != ISC_R_SUCCESS) {
+ dns_rdata_freestruct(&ns);
+ goto cleanup;
+ }
+ st->state |= DNS_RPZ_DONE_NSDNAME;
+ }
+ /*
+ * Check all IP addresses for this NS name.
+ */
+ result = rpz_rewrite_rrsets(client, DNS_RPZ_TYPE_NSIP,
+ &ns.name, dns_rdatatype_any,
+ &rdataset, resuming);
+ dns_rdata_freestruct(&ns);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+ st->state &= ~(DNS_RPZ_DONE_NSDNAME |
+ DNS_RPZ_DONE_IPv4);
+ result = dns_rdataset_next(st->r.ns_rdataset);
+ } while (result == ISC_R_SUCCESS);
+ dns_rdataset_disassociate(st->r.ns_rdataset);
+ st->r.label--;
+ }
+
+ /*
+ * Use the best, if any, hit.
+ */
+ result = ISC_R_SUCCESS;
+
+cleanup:
+ if (st->m.policy != DNS_RPZ_POLICY_MISS &&
+ st->m.policy != DNS_RPZ_POLICY_ERROR &&
+ st->m.rpz->policy != DNS_RPZ_POLICY_GIVEN)
+ st->m.policy = st->m.rpz->policy;
+ if (st->m.policy == DNS_RPZ_POLICY_MISS ||
+ st->m.policy == DNS_RPZ_POLICY_PASSTHRU ||
+ st->m.policy == DNS_RPZ_POLICY_ERROR) {
+ if (st->m.policy == DNS_RPZ_POLICY_PASSTHRU &&
+ result != DNS_R_DELEGATION)
+ rpz_log_rewrite(client, "", st->m.policy, st->m.type,
+ st->qname);
+ rpz_match_clear(st);
+ }
+ if (st->m.policy == DNS_RPZ_POLICY_ERROR) {
+ st->m.type = DNS_RPZ_TYPE_BAD;
+ result = DNS_R_SERVFAIL;
+ }
+ query_putrdataset(client, &rdataset);
+ if ((st->state & DNS_RPZ_RECURSING) == 0)
+ rpz_clean(NULL, &st->r.db, NULL, &st->r.ns_rdataset);
+
+ return (result);
+}
+
+/*
+ * See if response policy zone rewriting is allowed a lack of interest
+ * by the client in DNSSEC or a lack of signatures.
+ */
+static isc_boolean_t
+rpz_ck_dnssec(ns_client_t *client, isc_result_t result,
+ dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset)
+{
+ dns_fixedname_t fixed;
+ dns_name_t *found;
+ dns_rdataset_t trdataset;
+ dns_rdatatype_t type;
+
+ if (client->view->rpz_break_dnssec)
+ return (ISC_TRUE);
+ /*
+ * sigrdataset == NULL if and only !WANTDNSSEC(client)
+ */
+ if (sigrdataset == NULL)
+ return (ISC_TRUE);
+ if (dns_rdataset_isassociated(sigrdataset))
+ return (ISC_FALSE);
+
+ /*
+ * We are happy to rewrite nothing.
+ */
+ if (rdataset == NULL || !dns_rdataset_isassociated(rdataset))
+ return (ISC_TRUE);
+ /*
+ * Do not rewrite if there is any sign of signatures.
+ */
+ if (rdataset->type == dns_rdatatype_nsec ||
+ rdataset->type == dns_rdatatype_nsec3 ||
+ rdataset->type == dns_rdatatype_rrsig)
+ return (ISC_FALSE);
+
+ /*
+ * Look for a signature in a negative cache rdataset.
+ */
+ if ((rdataset->attributes & DNS_RDATASETATTR_NEGATIVE) == 0)
+ return (ISC_TRUE);
+ dns_fixedname_init(&fixed);
+ found = dns_fixedname_name(&fixed);
+ dns_rdataset_init(&trdataset);
+ for (result = dns_rdataset_first(rdataset);
+ result == ISC_R_SUCCESS;
+ result = dns_rdataset_next(rdataset)) {
+ dns_ncache_current(rdataset, found, &trdataset);
+ type = trdataset.type;
+ dns_rdataset_disassociate(&trdataset);
+ if (type == dns_rdatatype_nsec ||
+ type == dns_rdatatype_nsec3 ||
+ type == dns_rdatatype_rrsig)
+ return (ISC_FALSE);
+ }
+ return (ISC_TRUE);
+}
+
+/*
+ * Add a CNAME to the query response, including translating foo.evil.com and
+ * *.evil.com CNAME *.example.com
+ * to
+ * foo.evil.com CNAME foo.evil.com.example.com
+ */
+static isc_result_t
+rpz_add_cname(ns_client_t *client, dns_rpz_st_t *st,
+ dns_name_t *cname, dns_name_t *fname, isc_buffer_t *dbuf)
+{
+ dns_fixedname_t prefix, suffix;
+ unsigned int labels;
+ isc_result_t result;
+
+ labels = dns_name_countlabels(cname);
+ if (labels > 2 && dns_name_iswildcard(cname)) {
+ dns_fixedname_init(&prefix);
+ dns_name_split(client->query.qname, 1,
+ dns_fixedname_name(&prefix), NULL);
+ dns_fixedname_init(&suffix);
+ dns_name_split(cname, labels-1,
+ NULL, dns_fixedname_name(&suffix));
+ result = dns_name_concatenate(dns_fixedname_name(&prefix),
+ dns_fixedname_name(&suffix),
+ fname, NULL);
+ if (result == DNS_R_NAMETOOLONG)
+ client->message->rcode = dns_rcode_yxdomain;
+ } else {
+ result = dns_name_copy(cname, fname, NULL);
+ RUNTIME_CHECK(result == ISC_R_SUCCESS);
+ }
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ query_keepname(client, fname, dbuf);
+ result = query_add_cname(client, client->query.qname,
+ fname, dns_trust_authanswer, st->m.ttl);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ rpz_log_rewrite(client, "", st->m.policy, st->m.type, st->qname);
+ ns_client_qnamereplace(client, fname);
+ /*
+ * Turn off DNSSEC because the results of a
+ * response policy zone cannot verify.
+ */
+ client->attributes &= ~(NS_CLIENTATTR_WANTDNSSEC |
+ DNS_MESSAGEFLAG_AD);
+ return (ISC_R_SUCCESS);
+}
+
#define MAX_RESTARTS 16
#define QUERY_ERROR(r) \
@@ -3720,6 +5162,103 @@ query_findclosestnsec3(dns_name_t *qname, dns_db_t *db,
return;
}
+#ifdef ALLOW_FILTER_AAAA_ON_V4
+static isc_boolean_t
+is_v4_client(ns_client_t *client) {
+ if (isc_sockaddr_pf(&client->peeraddr) == AF_INET)
+ return (ISC_TRUE);
+ if (isc_sockaddr_pf(&client->peeraddr) == AF_INET6 &&
+ IN6_IS_ADDR_V4MAPPED(&client->peeraddr.type.sin6.sin6_addr))
+ return (ISC_TRUE);
+ return (ISC_FALSE);
+}
+#endif
+
+static isc_uint32_t
+dns64_ttl(dns_db_t *db, dns_dbversion_t *version) {
+ dns_dbnode_t *node = NULL;
+ dns_rdata_soa_t soa;
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ dns_rdataset_t rdataset;
+ isc_result_t result;
+ isc_uint32_t ttl = ISC_UINT32_MAX;
+
+ dns_rdataset_init(&rdataset);
+
+ result = dns_db_getoriginnode(db, &node);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+
+ result = dns_db_findrdataset(db, node, version, dns_rdatatype_soa,
+ 0, 0, &rdataset, NULL);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+ result = dns_rdataset_first(&rdataset);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+
+ dns_rdataset_current(&rdataset, &rdata);
+ result = dns_rdata_tostruct(&rdata, &soa, NULL);
+ RUNTIME_CHECK(result == ISC_R_SUCCESS);
+ ttl = ISC_MIN(rdataset.ttl, soa.minimum);
+
+cleanup:
+ if (dns_rdataset_isassociated(&rdataset))
+ dns_rdataset_disassociate(&rdataset);
+ if (node != NULL)
+ dns_db_detachnode(db, &node);
+ return (ttl);
+}
+
+static isc_boolean_t
+dns64_aaaaok(ns_client_t *client, dns_rdataset_t *rdataset,
+ dns_rdataset_t *sigrdataset)
+{
+ isc_netaddr_t netaddr;
+ dns_dns64_t *dns64 = ISC_LIST_HEAD(client->view->dns64);
+ unsigned int flags = 0;
+ unsigned int i, count;
+ isc_boolean_t *aaaaok;
+
+ INSIST(client->query.dns64_aaaaok == NULL);
+ INSIST(client->query.dns64_aaaaoklen == 0);
+ INSIST(client->query.dns64_aaaa == NULL);
+ INSIST(client->query.dns64_sigaaaa == NULL);
+
+ if (dns64 == NULL)
+ return (ISC_TRUE);
+
+ if (RECURSIONOK(client))
+ flags |= DNS_DNS64_RECURSIVE;
+
+ if (sigrdataset != NULL && dns_rdataset_isassociated(sigrdataset))
+ flags |= DNS_DNS64_DNSSEC;
+
+ count = dns_rdataset_count(rdataset);
+ aaaaok = isc_mem_get(client->mctx, sizeof(isc_boolean_t) * count);
+
+ isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr);
+ if (dns_dns64_aaaaok(dns64, &netaddr, client->signer,
+ &ns_g_server->aclenv, flags, rdataset,
+ aaaaok, count)) {
+ for (i = 0; i < count; i++) {
+ if (aaaaok != NULL && !aaaaok[i]) {
+ client->query.dns64_aaaaok = aaaaok;
+ client->query.dns64_aaaaoklen = count;
+ break;
+ }
+ }
+ if (i == count && aaaaok != NULL)
+ isc_mem_put(client->mctx, aaaaok,
+ sizeof(isc_boolean_t) * count);
+ return (ISC_TRUE);
+ }
+ if (aaaaok != NULL)
+ isc_mem_put(client->mctx, aaaaok,
+ sizeof(isc_boolean_t) * count);
+ return (ISC_FALSE);
+}
+
/*
* Do the bulk of query processing for the current query of 'client'.
* If 'event' is non-NULL, we are returning from recursion and 'qtype'
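Review bot: dns64_aaaaok() passes `aaaaok` to dns_dns64_aaaaok() without checking the isc_mem_get() result, and when the allocation failed it can still return ISC_TRUE with `client->query.dns64_aaaaok` left NULL, so no per-record mask is recorded for the answer. The later `aaaaok != NULL` guards suggest this is deliberate, but it means the exclusion mask is silently dropped under memory pressure. dns_dns64_aaaaok() is defined outside the hunk, so whether it accepts a NULL array should be confirmed. A comment directly after the allocation, e.g. `/* aaaaok may be NULL: on allocation failure no per-record mask is kept */`, would record the intent.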
@@ -3738,6 +5277,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
dns_rdata_t rdata = DNS_RDATA_INIT;
dns_rdatasetiter_t *rdsiter;
isc_boolean_t want_restart, authoritative, is_zone, need_wildcardproof;
+ isc_boolean_t is_staticstub_zone;
unsigned int n, nlabels;
dns_namereln_t namereln;
int order;
@@ -3753,8 +5293,10 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
unsigned int options;
isc_boolean_t empty_wild;
dns_rdataset_t *noqname;
+ dns_rpz_st_t *rpz_st;
isc_boolean_t resuming;
int line = -1;
+ isc_boolean_t dns64_exclude, dns64;
CTRACE("query_find");
@@ -3780,28 +5322,65 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
zone = NULL;
need_wildcardproof = ISC_FALSE;
empty_wild = ISC_FALSE;
+ dns64_exclude = dns64 = ISC_FALSE;
options = 0;
resuming = ISC_FALSE;
is_zone = ISC_FALSE;
+ is_staticstub_zone = ISC_FALSE;
if (event != NULL) {
/*
* We're returning from recursion. Restore the query context
* and resume.
*/
-
want_restart = ISC_FALSE;
- authoritative = ISC_FALSE;
- qtype = event->qtype;
+ rpz_st = client->query.rpz_st;
+ if (rpz_st != NULL &&
+ (rpz_st->state & DNS_RPZ_RECURSING) != 0) {
+ is_zone = rpz_st->q.is_zone;
+ authoritative = rpz_st->q.authoritative;
+ zone = rpz_st->q.zone;
+ rpz_st->q.zone = NULL;
+ node = rpz_st->q.node;
+ rpz_st->q.node = NULL;
+ db = rpz_st->q.db;
+ rpz_st->q.db = NULL;
+ rdataset = rpz_st->q.rdataset;
+ rpz_st->q.rdataset = NULL;
+ sigrdataset = rpz_st->q.sigrdataset;
+ rpz_st->q.sigrdataset = NULL;
+ qtype = rpz_st->q.qtype;
+
+ rpz_st->r.db = event->db;
+ if (event->node != NULL)
+ dns_db_detachnode(event->db, &event->node);
+ rpz_st->r.r_type = event->qtype;
+ rpz_st->r.r_rdataset = event->rdataset;
+ query_putrdataset(client, &event->sigrdataset);
+ } else {
+ authoritative = ISC_FALSE;
+
+ qtype = event->qtype;
+ db = event->db;
+ node = event->node;
+ rdataset = event->rdataset;
+ sigrdataset = event->sigrdataset;
+ }
+
if (qtype == dns_rdatatype_rrsig || qtype == dns_rdatatype_sig)
type = dns_rdatatype_any;
else
type = qtype;
- db = event->db;
- node = event->node;
- rdataset = event->rdataset;
- sigrdataset = event->sigrdataset;
+
+ if (DNS64(client)) {
+ client->query.attributes &= ~NS_QUERYATTR_DNS64;
+ dns64 = ISC_TRUE;
+ }
+ if (DNS64EXCLUDE(client)) {
+ client->query.attributes &= ~NS_QUERYATTR_DNS64EXCLUDE;
+ dns64_exclude = ISC_TRUE;
+ }
/*
* We'll need some resources...
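Review bot: The test `rpz_st != NULL && (rpz_st->state & DNS_RPZ_RECURSING) != 0` is spelled out here and twice more in the next hunk (where `tname` is chosen and where `result` is restored), so three branches have to be kept in agreement by hand. Evaluating it once into a local right after `rpz_st = client->query.rpz_st;`, for example `rpz_resume = (rpz_st != NULL && (rpz_st->state & DNS_RPZ_RECURSING) != 0);`, would make the ownership hand-off easier to audit. In the RPZ branch `event->db` moves to `rpz_st->r.db` and the event is freed early, while the other branch keeps reading the event. query_find starts and ends outside this hunk.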
@@ -3816,16 +5395,26 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
QUERY_ERROR(DNS_R_SERVFAIL);
goto cleanup;
}
- tname = dns_fixedname_name(&event->foundname);
+ if (rpz_st != NULL &&
+ (rpz_st->state & DNS_RPZ_RECURSING) != 0) {
+ tname = rpz_st->fname;
+ } else {
+ tname = dns_fixedname_name(&event->foundname);
+ }
result = dns_name_copy(tname, fname, NULL);
if (result != ISC_R_SUCCESS) {
QUERY_ERROR(DNS_R_SERVFAIL);
goto cleanup;
}
-
- result = event->result;
+ if (rpz_st != NULL &&
+ (rpz_st->state & DNS_RPZ_RECURSING) != 0) {
+ rpz_st->r.r_result = event->result;
+ result = rpz_st->q.result;
+ isc_event_free(ISC_EVENT_PTR(&event));
+ } else {
+ result = event->result;
+ }
resuming = ISC_TRUE;
-
goto resume;
}
@@ -3924,22 +5513,23 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
goto cleanup;
}
- if (is_zone)
+ is_staticstub_zone = ISC_FALSE;
+ if (is_zone) {
authoritative = ISC_TRUE;
+ if (zone != NULL &&
+ dns_zone_gettype(zone) == dns_zone_staticstub)
+ is_staticstub_zone = ISC_TRUE;
+ }
if (event == NULL && client->query.restarts == 0) {
if (is_zone) {
-#ifdef DLZ
if (zone != NULL) {
/*
* if is_zone = true, zone = NULL then this is
* a DLZ zone. Don't attempt to attach zone.
*/
-#endif
dns_zone_attach(zone, &client->query.authzone);
-#ifdef DLZ
}
-#endif
dns_db_attach(db, &client->query.authdb);
}
client->query.authdbset = ISC_TRUE;
@@ -3978,6 +5568,147 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
resume:
CTRACE("query_find: resume");
+
+ if (!ISC_LIST_EMPTY(client->view->rpz_zones) &&
+ (RECURSIONOK(client) || !client->view->rpz_recursive_only) &&
+ rpz_ck_dnssec(client, result, rdataset, sigrdataset) &&
+ !RECURSING(client) &&
+ (client->query.rpz_st == NULL ||
+ (client->query.rpz_st->state & DNS_RPZ_REWRITTEN) == 0) &&
+ !dns_name_equal(client->query.qname, dns_rootname)) {
+ isc_result_t rresult;
+
+ rresult = rpz_rewrite(client, qtype, result, resuming);
+ rpz_st = client->query.rpz_st;
+ switch (rresult) {
+ case ISC_R_SUCCESS:
+ break;
+ case DNS_R_DELEGATION:
+ /*
+ * recursing for NS names or addresses,
+ * so save the main query state
+ */
+ rpz_st->q.qtype = qtype;
+ rpz_st->q.is_zone = is_zone;
+ rpz_st->q.authoritative = authoritative;
+ rpz_st->q.zone = zone;
+ zone = NULL;
+ rpz_st->q.db = db;
+ db = NULL;
+ rpz_st->q.node = node;
+ node = NULL;
+ rpz_st->q.rdataset = rdataset;
+ rdataset = NULL;
+ rpz_st->q.sigrdataset = sigrdataset;
+ sigrdataset = NULL;
+ dns_name_copy(fname, rpz_st->fname, NULL);
+ rpz_st->q.result = result;
+ client->query.attributes |= NS_QUERYATTR_RECURSING;
+ goto cleanup;
+ default:
+ RECURSE_ERROR(rresult);
+ goto cleanup;
+ }
+ if (rpz_st->m.policy != DNS_RPZ_POLICY_MISS)
+ rpz_st->state |= DNS_RPZ_REWRITTEN;
+ if (rpz_st->m.policy != DNS_RPZ_POLICY_MISS &&
+ rpz_st->m.policy != DNS_RPZ_POLICY_PASSTHRU &&
+ rpz_st->m.policy != DNS_RPZ_POLICY_ERROR) {
+ if (rpz_st->m.type == DNS_RPZ_TYPE_QNAME) {
+ result = dns_name_copy(client->query.qname,
+ fname, NULL);
+ RUNTIME_CHECK(result == ISC_R_SUCCESS);
+ }
+ rpz_clean(&zone, &db, &node, NULL);
+ if (rpz_st->m.rdataset != NULL) {
+ query_putrdataset(client, &rdataset);
+ rdataset = rpz_st->m.rdataset;
+ rpz_st->m.rdataset = NULL;
+ } else if (rdataset != NULL &&
+ dns_rdataset_isassociated(rdataset)) {
+ dns_rdataset_disassociate(rdataset);
+ }
+ node = rpz_st->m.node;
+ rpz_st->m.node = NULL;
+ db = rpz_st->m.db;
+ rpz_st->m.db = NULL;
+ version = rpz_st->m.version;
+ rpz_st->m.version = NULL;
+ zone = rpz_st->m.zone;
+ rpz_st->m.zone = NULL;
+
+ switch (rpz_st->m.policy) {
+ case DNS_RPZ_POLICY_NXDOMAIN:
+ result = DNS_R_NXDOMAIN;
+ break;
+ case DNS_RPZ_POLICY_NODATA:
+ result = DNS_R_NXRRSET;
+ break;
+ case DNS_RPZ_POLICY_RECORD:
+ result = rpz_st->m.result;
+ if (qtype == dns_rdatatype_any &&
+ result != DNS_R_CNAME) {
+ /*
+ * We will add all of the rdatasets of
+ * the node by iterating, setting the
+ * TTL then.
+ */
+ if (dns_rdataset_isassociated(rdataset))
+ dns_rdataset_disassociate(rdataset);
+ } else {
+ /*
+ * We will add this rdataset.
+ */
+ rdataset->ttl = ISC_MIN(rdataset->ttl,
+ rpz_st->m.ttl);
+ }
+ break;
+ case DNS_RPZ_POLICY_WILDCNAME:
+ result = dns_rdataset_first(rdataset);
+ RUNTIME_CHECK(result == ISC_R_SUCCESS);
+ dns_rdataset_current(rdataset, &rdata);
+ result = dns_rdata_tostruct(&rdata, &cname,
+ NULL);
+ RUNTIME_CHECK(result == ISC_R_SUCCESS);
+ dns_rdata_reset(&rdata);
+ result = rpz_add_cname(client, rpz_st,
+ &cname.cname,
+ fname, dbuf);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+ fname = NULL;
+ want_restart = ISC_TRUE;
+ goto cleanup;
+ case DNS_RPZ_POLICY_CNAME:
+ /*
+ * Add overridding CNAME from a named.conf
+ * response-policy statement
+ */
+ result = rpz_add_cname(client, rpz_st,
+ &rpz_st->m.rpz->cname,
+ fname, dbuf);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+ fname = NULL;
+ want_restart = ISC_TRUE;
+ goto cleanup;
+ default:
+ INSIST(0);
+ }
+
+ /*
+ * Turn off DNSSEC because the results of a
+ * response policy zone cannot verify.
+ */
+ client->attributes &= ~(NS_CLIENTATTR_WANTDNSSEC |
+ DNS_MESSAGEFLAG_AD);
+ query_putrdataset(client, &sigrdataset);
+ is_zone = ISC_TRUE;
+ rpz_log_rewrite(client, "", rpz_st->m.policy,
+ rpz_st->m.type, rpz_st->qname);
+ }
+ }
+
switch (result) {
case ISC_R_SUCCESS:
/*
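Review bot: The mask at the end of the rewrite block, `client->attributes &= ~(NS_CLIENTATTR_WANTDNSSEC | DNS_MESSAGEFLAG_AD);`, mixes a message-flag constant into the client-attribute word. Going by the prefixes, DNS_MESSAGEFLAG_AD belongs to the message flags, so this would clear whichever client attribute shares its bit value and leave the AD flag of the response untouched; both definitions are outside the hunk and should be checked against the headers. If the aim is that a rewritten answer is never presented as DNSSEC-validated, `client->attributes &= ~NS_CLIENTATTR_WANTDNSSEC;` plus an explicit `client->message->flags &= ~DNS_MESSAGEFLAG_AD;` would say so directly. rpz_add_cname(), added earlier in this file's diff, carries the same expression. query_find continues outside this hunk.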
@@ -4030,11 +5761,18 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
*/
if (RECURSIONOK(client)) {
result = query_recurse(client, qtype,
+ client->query.qname,
NULL, NULL, resuming);
- if (result == ISC_R_SUCCESS)
+ if (result == ISC_R_SUCCESS) {
client->query.attributes |=
NS_QUERYATTR_RECURSING;
- else
+ if (dns64)
+ client->query.attributes |=
+ NS_QUERYATTR_DNS64;
+ if (dns64_exclude)
+ client->query.attributes |=
+ NS_QUERYATTR_DNS64EXCLUDE;
+ } else
RECURSE_ERROR(result);
goto cleanup;
} else {
@@ -4165,12 +5903,22 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
}
} else {
if (zfname != NULL &&
- !dns_name_issubdomain(fname, zfname)) {
+ (!dns_name_issubdomain(fname, zfname) ||
+ (is_staticstub_zone &&
+ dns_name_equal(fname, zfname)))) {
/*
- * We've already got a delegation from
- * authoritative data, and it is better
- * than what we found in the cache. Use
- * it instead of the cache delegation.
+ * In the following cases use "authoritative"
+ * data instead of the cache delegation:
+ * 1. We've already got a delegation from
+ * authoritative data, and it is better
+ * than what we found in the cache.
+ * 2. The query name matches the origin name
+ * of a static-stub zone. This needs to be
+ * considered for the case where the NS of
+ * the static-stub zone and the cached NS
+ * are different. We still need to contact
+ * the nameservers configured in the
+ * static-stub zone.
*/
query_releasename(client, &fname);
fname = zfname;
@@ -4205,15 +5953,31 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
*/
if (dns_rdatatype_atparent(type))
result = query_recurse(client, qtype,
- NULL, NULL,
- resuming);
+ client->query.qname,
+ NULL, NULL, resuming);
+ else if (dns64)
+ result = query_recurse(client,
+ dns_rdatatype_a,
+ client->query.qname,
+ NULL, NULL, resuming);
else
result = query_recurse(client, qtype,
- fname, rdataset,
- resuming);
- if (result == ISC_R_SUCCESS)
+ client->query.qname,
+ fname, rdataset,
+ resuming);
+
+ if (result == ISC_R_SUCCESS) {
client->query.attributes |=
NS_QUERYATTR_RECURSING;
+ if (dns64)
+ client->query.attributes |=
+ NS_QUERYATTR_DNS64;
+ if (dns64_exclude)
+ client->query.attributes |=
+ NS_QUERYATTR_DNS64EXCLUDE;
+ } else if (result == DNS_R_DUPLICATE ||
+ result == DNS_R_DROP)
+ QUERY_ERROR(result);
else
RECURSE_ERROR(result);
} else {
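Review bot: This call site handles `DNS_R_DUPLICATE` and `DNS_R_DROP` with `QUERY_ERROR(result)` before falling back to `RECURSE_ERROR(result)`, while the recursion call site changed in the hunk at `-4030,11 +5761,18` goes straight to `RECURSE_ERROR(result)`. RECURSE_ERROR is defined outside the visible lines: if it already maps those two results, the new `else if` here is redundant and can be dropped. If it does not, the earlier site needs the same `else if (result == DNS_R_DUPLICATE || result == DNS_R_DROP) QUERY_ERROR(result);`. Either way the two sites should read the same. The enclosing switch case starts and ends outside this hunk.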
@@ -4253,10 +6017,73 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
}
}
goto cleanup;
+
case DNS_R_EMPTYNAME:
- /* FALLTHROUGH */
case DNS_R_NXRRSET:
+ iszone_nxrrset:
INSIST(is_zone);
+
+#ifdef dns64_bis_return_excluded_addresses
+ if (dns64)
+#else
+ if (dns64 && !dns64_exclude)
+#endif
+ {
+ /*
+ * Restore the answers from the previous AAAA lookup.
+ */
+ if (rdataset != NULL)
+ query_putrdataset(client, &rdataset);
+ if (sigrdataset != NULL)
+ query_putrdataset(client, &sigrdataset);
+ rdataset = client->query.dns64_aaaa;
+ sigrdataset = client->query.dns64_sigaaaa;
+ client->query.dns64_aaaa = NULL;
+ client->query.dns64_sigaaaa = NULL;
+ if (fname == NULL) {
+ dbuf = query_getnamebuf(client);
+ if (dbuf == NULL) {
+ QUERY_ERROR(DNS_R_SERVFAIL);
+ goto cleanup;
+ }
+ fname = query_newname(client, dbuf, &b);
+ if (fname == NULL) {
+ QUERY_ERROR(DNS_R_SERVFAIL);
+ goto cleanup;
+ }
+ }
+ dns_name_copy(client->query.qname, fname, NULL);
+ dns64 = ISC_FALSE;
+#ifdef dns64_bis_return_excluded_addresses
+ /*
+ * Resume the diverted processing of the AAAA response?
+ */
+ if (dns64_excluded)
+ break;
+#endif
+ } else if (result == DNS_R_NXRRSET &&
+ !ISC_LIST_EMPTY(client->view->dns64) &&
+ client->message->rdclass == dns_rdataclass_in &&
+ qtype == dns_rdatatype_aaaa)
+ {
+ /*
+ * Look to see if there are A records for this
+ * name.
+ */
+ INSIST(client->query.dns64_aaaa == NULL);
+ INSIST(client->query.dns64_sigaaaa == NULL);
+ client->query.dns64_aaaa = rdataset;
+ client->query.dns64_sigaaaa = sigrdataset;
+ client->query.dns64_ttl = dns64_ttl(db, version);
+ query_releasename(client, &fname);
+ dns_db_detachnode(db, &node);
+ rdataset = NULL;
+ sigrdataset = NULL;
+ type = qtype = dns_rdatatype_a;
+ dns64 = ISC_TRUE;
+ goto db_find;
+ }
+
/*
* Look for a NSEC3 record if we don't have a NSEC record.
*/
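Review bot: The `#ifdef dns64_bis_return_excluded_addresses` branch tests `dns64_excluded`, but the flag this commit declares and sets in query_find is `dns64_exclude`. Unless another declaration exists outside the visible hunks, the file would stop compiling as soon as that macro is defined. The line should read `if (dns64_exclude)`; the same spelling recurs in the DNS_R_NCACHENXRRSET hunk further down. query_find starts and ends outside this hunk.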
@@ -4280,10 +6107,8 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
* instead? If so add the nearest to the
* closest provable encloser.
*/
- if (found &&
- dns_rdataset_isassociated(rdataset) &&
- !dns_name_equal(qname, found))
- {
+ if (dns_rdataset_isassociated(rdataset) &&
+ !dns_name_equal(qname, found)) {
unsigned int count;
unsigned int skip;
@@ -4350,7 +6175,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
/*
* Add SOA.
*/
- result = query_addsoa(client, db, version, ISC_FALSE,
+ result = query_addsoa(client, db, version, ISC_UINT32_MAX,
dns_rdataset_isassociated(rdataset));
if (result != ISC_R_SUCCESS) {
QUERY_ERROR(result);
@@ -4396,14 +6221,13 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
* resolver and not have it cached.
*/
if (qtype == dns_rdatatype_soa &&
-#ifdef DLZ
zone != NULL &&
-#endif
dns_zone_getzeronosoattl(zone))
- result = query_addsoa(client, db, version, ISC_TRUE,
+ result = query_addsoa(client, db, version, 0,
dns_rdataset_isassociated(rdataset));
else
- result = query_addsoa(client, db, version, ISC_FALSE,
+ result = query_addsoa(client, db, version,
+ ISC_UINT32_MAX,
dns_rdataset_isassociated(rdataset));
if (result != ISC_R_SUCCESS) {
QUERY_ERROR(result);
@@ -4434,6 +6258,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
case DNS_R_NCACHENXDOMAIN:
case DNS_R_NCACHENXRRSET:
+ ncache_nxrrset:
INSIST(!is_zone);
authoritative = ISC_FALSE;
/*
@@ -4449,6 +6274,74 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
client->message->rdclass == dns_rdataclass_in &&
dns_name_countlabels(fname) == 7)
warn_rfc1918(client, fname, rdataset);
+
+#ifdef dns64_bis_return_excluded_addresses
+ if (dns64)
+#else
+ if (dns64 && !dns64_exclude)
+#endif
+ {
+ /*
+ * Restore the answers from the previous AAAA lookup.
+ */
+ if (rdataset != NULL)
+ query_putrdataset(client, &rdataset);
+ if (sigrdataset != NULL)
+ query_putrdataset(client, &sigrdataset);
+ rdataset = client->query.dns64_aaaa;
+ sigrdataset = client->query.dns64_sigaaaa;
+ client->query.dns64_aaaa = NULL;
+ client->query.dns64_sigaaaa = NULL;
+ if (fname == NULL) {
+ dbuf = query_getnamebuf(client);
+ if (dbuf == NULL) {
+ QUERY_ERROR(DNS_R_SERVFAIL);
+ goto cleanup;
+ }
+ fname = query_newname(client, dbuf, &b);
+ if (fname == NULL) {
+ QUERY_ERROR(DNS_R_SERVFAIL);
+ goto cleanup;
+ }
+ }
+ dns_name_copy(client->query.qname, fname, NULL);
+ dns64 = ISC_FALSE;
+#ifdef dns64_bis_return_excluded_addresses
+ if (dns64_excluded)
+ break;
+#endif
+ } else if (result == DNS_R_NCACHENXRRSET &&
+ !ISC_LIST_EMPTY(client->view->dns64) &&
+ client->message->rdclass == dns_rdataclass_in &&
+ qtype == dns_rdatatype_aaaa)
+ {
+ /*
+ * Look to see if there are A records for this
+ * name.
+ */
+ INSIST(client->query.dns64_aaaa == NULL);
+ INSIST(client->query.dns64_sigaaaa == NULL);
+ client->query.dns64_aaaa = rdataset;
+ client->query.dns64_sigaaaa = sigrdataset;
+ /*
+ * If the ttl is zero we need to workout if we have just
+ * decremented to zero or if there was no negative cache
+ * ttl in the answer.
+ */
+ if (rdataset->ttl != 0)
+ client->query.dns64_ttl = rdataset->ttl;
+ else if (dns_rdataset_first(rdataset) == ISC_R_SUCCESS)
+ client->query.dns64_ttl = 0;
+ query_releasename(client, &fname);
+ dns_db_detachnode(db, &node);
+ rdataset = NULL;
+ sigrdataset = NULL;
+ fname = NULL;
+ type = qtype = dns_rdatatype_a;
+ dns64 = ISC_TRUE;
+ goto db_find;
+ }
+
/*
* We don't call query_addrrset() because we don't need any
* of its extra features (and things would probably break!).
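Review bot: In the negative-cache branch `client->query.dns64_ttl` is assigned only when `rdataset->ttl != 0` or when dns_rdataset_first() succeeds; in the remaining case it keeps whatever value it had before. The comment above names the two situations being distinguished but not what the untouched value is meant to be, and its initialisation is outside the hunk. A closing comment such as `/* else: keep the existing dns64_ttl */`, or an explicit `else` that sets the intended default, would make the TTL of the synthesized answer auditable. query_find starts and ends outside this hunk.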
@@ -4585,11 +6478,11 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
dns_message_puttempname(client->message, &tname);
goto cleanup;
}
- dns_name_init(tname, NULL);
dns_name_clone(&dname.dname, tname);
dns_rdata_freestruct(&dname);
/*
- * Construct the new qname.
+ * Construct the new qname consisting of
+ * <found name prefix>.<dname target>
*/
dns_fixedname_init(&fixed);
prefix = dns_fixedname_name(&fixed);
@@ -4606,6 +6499,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
goto cleanup;
}
result = dns_name_concatenate(prefix, tname, fname, NULL);
+ dns_message_puttempname(client->message, &tname);
/*
* RFC2672, section 4.1, subsection 3c says
@@ -4614,18 +6508,17 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
*/
if (result == DNS_R_NAMETOOLONG)
client->message->rcode = dns_rcode_yxdomain;
- if (result != ISC_R_SUCCESS) {
- dns_message_puttempname(client->message, &tname);
+ if (result != ISC_R_SUCCESS)
goto cleanup;
- }
query_keepname(client, fname, dbuf);
/*
- * Synthesize a CNAME for this DNAME.
+ * Synthesize a CNAME consisting of
+ * <old qname> <dname ttl> CNAME <new qname>
+ * with <dname trust value>
*
- * We want to synthesize a CNAME since if we don't
- * then older software that doesn't understand DNAME
- * will not chain like it should.
+ * Synthesize a CNAME so old old clients that don't understand
+ * DNAME can chain.
*
* We do not try to synthesize a signature because we hope
* that security aware servers will understand DNAME. Also,
@@ -4633,12 +6526,10 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
* on-the-fly is costly, and not really legitimate anyway
* since the synthesized CNAME is NOT in the zone.
*/
- dns_name_init(tname, NULL);
- (void)query_addcnamelike(client, client->query.qname, fname,
- trdataset, &tname,
- dns_rdatatype_cname);
- if (tname != NULL)
- dns_message_puttempname(client->message, &tname);
+ result = query_add_cname(client, client->query.qname, fname,
+ trdataset->trust, trdataset->ttl);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
/*
* Switch to the new qname and restart.
*/
@@ -4664,7 +6555,33 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
need_wildcardproof = ISC_TRUE;
}
+#ifdef ALLOW_FILTER_AAAA_ON_V4
+ if (client->view->v4_aaaa != dns_v4_aaaa_ok &&
+ is_v4_client(client) &&
+ ns_client_checkaclsilent(client, NULL,
+ client->view->v4_aaaa_acl,
+ ISC_TRUE) == ISC_R_SUCCESS)
+ client->filter_aaaa = client->view->v4_aaaa;
+ else
+ client->filter_aaaa = dns_v4_aaaa_ok;
+
+#endif
+
if (type == dns_rdatatype_any) {
+#ifdef ALLOW_FILTER_AAAA_ON_V4
+ isc_boolean_t have_aaaa, have_a, have_sig;
+
+ /*
+ * The filter-aaaa-on-v4 option should
+ * suppress AAAAs for IPv4 clients if there is an A.
+ * If we are not authoritative, assume there is a A
+ * even in if it is not in our cache. This assumption could
+ * be wrong but it is a good bet.
+ */
+ have_aaaa = ISC_FALSE;
+ have_a = !authoritative;
+ have_sig = ISC_FALSE;
+#endif
/*
* XXXRTH Need to handle zonecuts with special case
* code.
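Review bot: The comment above `have_a = !authoritative;` is garbled ("assume there is a A even in if it is not in our cache") and does not say what the assumption costs. With `have_a` preset to true, a non-authoritative ANY answer can have its AAAA marked for filtering even when the name has no A at all. I would reword it to `If we are not authoritative, assume there is an A even if it is not in our cache; this can hide the AAAA of a name that has no A.` The three flags are declared under ALLOW_FILTER_AAAA_ON_V4 here and consumed in later hunks of query_find, whose body starts outside this hunk.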
@@ -4676,6 +6593,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
QUERY_ERROR(DNS_R_SERVFAIL);
goto cleanup;
}
+
/*
* Calling query_addrrset() with a non-NULL dbuf is going
* to either keep or release the name. We don't want it to
@@ -4692,6 +6610,18 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
result = dns_rdatasetiter_first(rdsiter);
while (result == ISC_R_SUCCESS) {
dns_rdatasetiter_current(rdsiter, rdataset);
+#ifdef ALLOW_FILTER_AAAA_ON_V4
+ /*
+ * Notice the presence of A and AAAAs so
+ * that AAAAs can be hidden from IPv4 clients.
+ */
+ if (client->filter_aaaa != dns_v4_aaaa_ok) {
+ if (rdataset->type == dns_rdatatype_aaaa)
+ have_aaaa = ISC_TRUE;
+ else if (rdataset->type == dns_rdatatype_a)
+ have_a = ISC_TRUE;
+ }
+#endif
if (is_zone && qtype == dns_rdatatype_any &&
!dns_db_issecure(db) &&
dns_rdatatype_isdnssec(rdataset->type)) {
@@ -4703,10 +6633,18 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
dns_rdataset_disassociate(rdataset);
} else if ((qtype == dns_rdatatype_any ||
rdataset->type == qtype) && rdataset->type != 0) {
+#ifdef ALLOW_FILTER_AAAA_ON_V4
+ if (dns_rdatatype_isdnssec(rdataset->type))
+ have_sig = ISC_TRUE;
+#endif
if (NOQNAME(rdataset) && WANTDNSSEC(client))
noqname = rdataset;
else
noqname = NULL;
+ rpz_st = client->query.rpz_st;
+ if (rpz_st != NULL)
+ rdataset->ttl = ISC_MIN(rdataset->ttl,
+ rpz_st->m.ttl);
query_addrrset(client,
fname != NULL ? &fname : &tname,
&rdataset, NULL,
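Review bot: `have_sig` is set for any rdataset whose type passes `dns_rdatatype_isdnssec()`, which by its name covers DNSSEC record types in general rather than a signature over the AAAA being filtered, so the flag promises more than the test checks. The later decision `(!have_sig || !WANTDNSSEC(client))` therefore keeps the AAAA for a DO client whenever any DNSSEC-typed rdataset is present at the node. That is the safe direction, but it should be stated: `/* Any DNSSEC-typed rdataset counts as "signed"; we do not check that it covers the AAAA. */`. The definition of dns_rdatatype_isdnssec() is not visible here, so confirm the set of types it accepts.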
@@ -4733,6 +6671,18 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
result = dns_rdatasetiter_next(rdsiter);
}
+#ifdef ALLOW_FILTER_AAAA_ON_V4
+ /*
+ * Filter AAAAs if there is an A and there is no signature
+ * or we are supposed to break DNSSEC.
+ */
+ if (client->filter_aaaa == dns_v4_aaaa_break_dnssec)
+ client->attributes |= NS_CLIENTATTR_FILTER_AAAA;
+ else if (client->filter_aaaa != dns_v4_aaaa_ok &&
+ have_aaaa && have_a &&
+ (!have_sig || !WANTDNSSEC(client)))
+ client->attributes |= NS_CLIENTATTR_FILTER_AAAA;
+#endif
if (fname != NULL)
dns_message_puttempname(client->message, &fname);
@@ -4771,6 +6721,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
} else
result = DNS_R_SERVFAIL;
}
+
dns_rdatasetiter_destroy(&rdsiter);
if (result != ISC_R_NOMORE) {
QUERY_ERROR(DNS_R_SERVFAIL);
@@ -4781,6 +6732,116 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
* This is the "normal" case -- an ordinary question to which
* we know the answer.
*/
+
+#ifdef ALLOW_FILTER_AAAA_ON_V4
+ /*
+ * Optionally hide AAAAs from IPv4 clients if there is an A.
+ * We add the AAAAs now, but might refuse to render them later
+ * after DNSSEC is figured out.
+ * This could be more efficient, but the whole idea is
+ * so fundamentally wrong, unavoidably inaccurate, and
+ * unneeded that it is best to keep it as short as possible.
+ */
+ if (client->filter_aaaa == dns_v4_aaaa_break_dnssec ||
+ (client->filter_aaaa == dns_v4_aaaa_filter &&
+ (!WANTDNSSEC(client) || sigrdataset == NULL ||
+ !dns_rdataset_isassociated(sigrdataset))))
+ {
+ if (qtype == dns_rdatatype_aaaa) {
+ trdataset = query_newrdataset(client);
+ result = dns_db_findrdataset(db, node, version,
+ dns_rdatatype_a, 0,
+ client->now,
+ trdataset, NULL);
+ if (dns_rdataset_isassociated(trdataset))
+ dns_rdataset_disassociate(trdataset);
+ query_putrdataset(client, &trdataset);
+
+ /*
+ * We have an AAAA but the A is not in our cache.
+ * Assume any result other than DNS_R_DELEGATION
+ * or ISC_R_NOTFOUND means there is no A and
+ * so AAAAs are ok.
+ * Assume there is no A if we can't recurse
+ * for this client, although that could be
+ * the wrong answer. What else can we do?
+ * Besides, that we have the AAAA and are using
+ * this mechanism suggests that we care more
+ * about As than AAAAs and would have cached
+ * the A if it existed.
+ */
+ if (result == ISC_R_SUCCESS) {
+ client->attributes |=
+ NS_CLIENTATTR_FILTER_AAAA;
+
+ } else if (authoritative ||
+ !RECURSIONOK(client) ||
+ (result != DNS_R_DELEGATION &&
+ result != ISC_R_NOTFOUND)) {
+ client->attributes &=
+ ~NS_CLIENTATTR_FILTER_AAAA;
+ } else {
+ /*
+ * This is an ugly kludge to recurse
+ * for the A and discard the result.
+ *
+ * Continue to add the AAAA now.
+ * We'll make a note to not render it
+ * if the recursion for the A succeeds.
+ */
+ result = query_recurse(client,
+ dns_rdatatype_a,
+ client->query.qname,
+ NULL, NULL, resuming);
+ if (result == ISC_R_SUCCESS) {
+ client->attributes |=
+ NS_CLIENTATTR_FILTER_AAAA_RC;
+ client->query.attributes |=
+ NS_QUERYATTR_RECURSING;
+ }
+ }
+
+ } else if (qtype == dns_rdatatype_a &&
+ (client->attributes &
+ NS_CLIENTATTR_FILTER_AAAA_RC) != 0) {
+ client->attributes &=
+ ~NS_CLIENTATTR_FILTER_AAAA_RC;
+ client->attributes |=
+ NS_CLIENTATTR_FILTER_AAAA;
+ dns_rdataset_disassociate(rdataset);
+ if (sigrdataset != NULL &&
+ dns_rdataset_isassociated(sigrdataset))
+ dns_rdataset_disassociate(sigrdataset);
+ goto cleanup;
+ }
+ }
+#endif
+ /*
+ * Check to see if the AAAA RRset has non-excluded addresses
+ * in it. If not look for a A RRset.
+ */
+ INSIST(client->query.dns64_aaaaok == NULL);
+
+ if (qtype == dns_rdatatype_aaaa && !dns64_exclude &&
+ !ISC_LIST_EMPTY(client->view->dns64) &&
+ client->message->rdclass == dns_rdataclass_in &&
+ !dns64_aaaaok(client, rdataset, sigrdataset)) {
+ /*
+ * Look to see if there are A records for this
+ * name.
+ */
+ client->query.dns64_aaaa = rdataset;
+ client->query.dns64_sigaaaa = sigrdataset;
+ client->query.dns64_ttl = rdataset->ttl;
+ query_releasename(client, &fname);
+ dns_db_detachnode(db, &node);
+ rdataset = NULL;
+ sigrdataset = NULL;
+ type = qtype = dns_rdatatype_a;
+ dns64_exclude = dns64 = ISC_TRUE;
+ goto db_find;
+ }
+
if (sigrdataset != NULL)
sigrdatasetp = &sigrdataset;
else
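Review bot: `trdataset = query_newrdataset(client);` in the filter-aaaa block is passed straight to dns_db_findrdataset() and dns_rdataset_isassociated() with no NULL test, while the DNS64 hunk earlier in this patch checks the results of query_getnamebuf() and query_newname() and fails the query with SERVFAIL. If query_newrdataset() can return NULL on allocation failure (its definition is outside this hunk), this is a NULL dereference on the normal answer path under memory pressure. Add `if (trdataset == NULL) { QUERY_ERROR(DNS_R_SERVFAIL); goto cleanup; }` before the lookup.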
@@ -4796,8 +6857,42 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
dns_name_equal(client->query.qname, dns_rootname))
client->query.attributes &= ~NS_QUERYATTR_NOADDITIONAL;
- query_addrrset(client, &fname, &rdataset, sigrdatasetp, dbuf,
- DNS_SECTION_ANSWER);
+ if (dns64) {
+ qtype = type = dns_rdatatype_aaaa;
+ result = query_dns64(client, &fname, rdataset,
+ sigrdataset, dbuf,
+ DNS_SECTION_ANSWER);
+ dns_rdataset_disassociate(rdataset);
+ dns_message_puttemprdataset(client->message, &rdataset);
+ if (result == ISC_R_NOMORE) {
+#ifndef dns64_bis_return_excluded_addresses
+ if (dns64_exclude) {
+ if (!is_zone)
+ goto cleanup;
+ /*
+ * Add a fake SOA record.
+ */
+ (void)query_addsoa(client, db, version,
+ 600, ISC_FALSE);
+ goto cleanup;
+ }
+#endif
+ if (is_zone)
+ goto iszone_nxrrset;
+ else
+ goto ncache_nxrrset;
+ } else if (result != ISC_R_SUCCESS) {
+ eresult = result;
+ goto cleanup;
+ }
+ } else if (client->query.dns64_aaaaok != NULL) {
+ query_filter64(client, &fname, rdataset, dbuf,
+ DNS_SECTION_ANSWER);
+ query_putrdataset(client, &rdataset);
+ } else
+ query_addrrset(client, &fname, &rdataset,
+ sigrdatasetp, dbuf, DNS_SECTION_ANSWER);
+
if (noqname != NULL)
query_addnoqnameproof(client, noqname);
/*
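Review bot: The fake SOA for the excluded-addresses case is added by `(void)query_addsoa(client, db, version, 600, ISC_FALSE);`, with a bare 600 and the result discarded. The 600 is presumably a TTL override in seconds, but the hunk neither says so nor explains the value; a named constant or a comment such as `/* TTL for the synthesized SOA, in seconds */` would make that checkable. If query_addsoa() can fail, the response leaves without the SOA and nothing records it, so either say that this is acceptable or carry the result into `eresult`.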
@@ -4840,6 +6935,11 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
/*
* General cleanup.
*/
+ rpz_st = client->query.rpz_st;
+ if (rpz_st != NULL && (rpz_st->state & DNS_RPZ_RECURSING) == 0) {
+ rpz_match_clear(rpz_st);
+ rpz_st->state &= ~DNS_RPZ_DONE_QNAME;
+ }
if (rdataset != NULL)
query_putrdataset(client, &rdataset);
if (sigrdataset != NULL)
@@ -4947,6 +7047,7 @@ log_query(ns_client_t *client, unsigned int flags, unsigned int extflags) {
char namebuf[DNS_NAME_FORMATSIZE];
char typename[DNS_RDATATYPE_FORMATSIZE];
char classname[DNS_RDATACLASS_FORMATSIZE];
+ char onbuf[ISC_NETADDR_FORMATSIZE];
dns_rdataset_t *rdataset;
int level = ISC_LOG_INFO;
@@ -4958,14 +7059,18 @@ log_query(ns_client_t *client, unsigned int flags, unsigned int extflags) {
dns_name_format(client->query.qname, namebuf, sizeof(namebuf));
dns_rdataclass_format(rdataset->rdclass, classname, sizeof(classname));
dns_rdatatype_format(rdataset->type, typename, sizeof(typename));
+ isc_netaddr_format(&client->destaddr, onbuf, sizeof(onbuf));
ns_client_log(client, NS_LOGCATEGORY_QUERIES, NS_LOGMODULE_QUERY,
- level, "query: %s %s %s %s%s%s%s%s", namebuf, classname,
- typename, WANTRECURSION(client) ? "+" : "-",
+ level, "query: %s %s %s %s%s%s%s%s%s (%s)", namebuf,
+ classname, typename, WANTRECURSION(client) ? "+" : "-",
(client->signer != NULL) ? "S": "",
(client->opt != NULL) ? "E" : "",
+ ((client->attributes & NS_CLIENTATTR_TCP) != 0) ?
+ "T" : "",
((extflags & DNS_MESSAGEEXTFLAG_DO) != 0) ? "D" : "",
- ((flags & DNS_MESSAGEFLAG_CD) != 0) ? "C" : "");
+ ((flags & DNS_MESSAGEFLAG_CD) != 0) ? "C" : "",
+ onbuf);
}
static inline void
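Review bot: The query log line changes shape here: a `T` flag is inserted between `E` and `D` and the local address is appended in parentheses, yet nothing next to the format string says what each letter means or that position matters. Anything that parses this category (log shippers, detection rules keyed on the flag field) has to be updated with this release, so the legend belongs in a comment above the call: `/* flags: +/- recursion, S signer set, E OPT present, T TCP, D DO, C CD; (addr) = client->destaddr */`. The argument count matches the ten conversions in the new format string. log_query starts outside this hunk.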
diff --git a/contrib/bind9/bin/named/server.c b/contrib/bind9/bin/named/server.c
index 85cf67f0c7a1..c3eb1ea0ae67 100644
--- a/contrib/bind9/bin/named/server.c
+++ b/contrib/bind9/bin/named/server.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: server.c,v 1.599.8.19 2012/02/22 00:33:32 each Exp $ */
/*! \file */
@@ -23,6 +23,10 @@
#include <stdlib.h>
#include <unistd.h>
+#include <limits.h>
+#include <ctype.h>
+#include <sys/types.h>
+#include <sys/stat.h>
#include <isc/app.h>
#include <isc/base64.h>
@@ -36,7 +40,9 @@
#include <isc/portset.h>
#include <isc/print.h>
#include <isc/resource.h>
+#include <isc/sha2.h>
#include <isc/socket.h>
+#include <isc/stat.h>
#include <isc/stats.h>
#include <isc/stdio.h>
#include <isc/string.h>
@@ -54,12 +60,12 @@
#include <dns/cache.h>
#include <dns/db.h>
#include <dns/dispatch.h>
-#ifdef DLZ
#include <dns/dlz.h>
-#endif
+#include <dns/dns64.h>
#include <dns/forward.h>
#include <dns/journal.h>
#include <dns/keytable.h>
+#include <dns/keyvalues.h>
#include <dns/lib.h>
#include <dns/master.h>
#include <dns/masterdump.h>
@@ -102,6 +108,10 @@
#include <stdlib.h>
#endif
+#ifndef PATH_MAX
+#define PATH_MAX 1024
+#endif
+
/*%
* Check an operation for failure. Assumes that the function
* using it has a 'result' variable and a 'cleanup' label.
@@ -143,6 +153,14 @@
fatal(msg, result); \
} while (0) \
+/*%
+ * Maximum ADB size for views that share a cache. Use this limit to suppress
+ * the total of memory footprint, which should be the main reason for sharing
+ * a cache. Only effective when a finite max-cache-size is specified.
+ * This is currently defined to be 8MB.
+ */
+#define MAX_ADB_SIZE_FOR_CACHESHARE 8388608
+
struct ns_dispatch {
isc_sockaddr_t addr;
unsigned int dispatchgen;
@@ -150,6 +168,14 @@ struct ns_dispatch {
ISC_LINK(struct ns_dispatch) link;
};
+struct ns_cache {
+ dns_cache_t *cache;
+ dns_view_t *primaryview;
+ isc_boolean_t needflush;
+ isc_boolean_t adbsizeadjusted;
+ ISC_LINK(ns_cache_t) link;
+};
+
struct dumpcontext {
isc_mem_t *mctx;
isc_boolean_t dumpcache;
@@ -176,6 +202,19 @@ struct zonelistentry {
ISC_LINK(struct zonelistentry) link;
};
+/*%
+ * Configuration context to retain for each view that allows
+ * new zones to be added at runtime.
+ */
+struct cfg_context {
+ isc_mem_t * mctx;
+ cfg_parser_t * parser;
+ cfg_obj_t * config;
+ cfg_parser_t * nzparser;
+ cfg_obj_t * nzconfig;
+ cfg_aclconfctx_t * actx;
+};
+
/*
* These zones should not leak onto the Internet.
*/
@@ -254,19 +293,25 @@ configure_alternates(const cfg_obj_t *config, dns_view_t *view,
static isc_result_t
configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
const cfg_obj_t *vconfig, isc_mem_t *mctx, dns_view_t *view,
- cfg_aclconfctx_t *aclconf);
+ cfg_aclconfctx_t *aclconf, isc_boolean_t added);
+
+static isc_result_t
+add_keydata_zone(dns_view_t *view, const char *directory, isc_mem_t *mctx);
static void
end_reserved_dispatches(ns_server_t *server, isc_boolean_t all);
+static void
+newzone_cfgctx_destroy(void **cfgp);
+
/*%
* Configure a single view ACL at '*aclp'. Get its configuration from
* 'vconfig' (for per-view configuration) and maybe from 'config'
*/
static isc_result_t
configure_view_acl(const cfg_obj_t *vconfig, const cfg_obj_t *config,
- const char *aclname, cfg_aclconfctx_t *actx,
- isc_mem_t *mctx, dns_acl_t **aclp)
+ const char *aclname, const char *acltuplename,
+ cfg_aclconfctx_t *actx, isc_mem_t *mctx, dns_acl_t **aclp)
{
isc_result_t result;
const cfg_obj_t *maps[3];
@@ -292,13 +337,21 @@ configure_view_acl(const cfg_obj_t *vconfig, const cfg_obj_t *config,
*/
return (ISC_R_SUCCESS);
+ if (acltuplename != NULL) {
+ /*
+ * If the ACL is given in an optional tuple, retrieve it.
+ * The parser should have ensured that a valid object be
+ * returned.
+ */
+ aclobj = cfg_tuple_get(aclobj, acltuplename);
+ }
+
result = cfg_acl_fromconfig(aclobj, config, ns_g_lctx,
actx, mctx, 0, aclp);
return (result);
}
-
/*%
* Configure a sortlist at '*aclp'. Essentially the same as
* configure_view_acl() except it calls cfg_acl_fromconfig with a
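Review bot: When `acltuplename` is set, the result of `cfg_tuple_get(aclobj, acltuplename)` goes to cfg_acl_fromconfig() unchecked, on the strength of the comment that the parser guarantees a valid object. configure_view_nametable, added later in this same patch, handles the same optional-tuple case with `if (cfg_obj_isvoid(obj)) return (ISC_R_SUCCESS);`. If the tuple member can be void here as well, the two helpers disagree about an unset ACL; either add the same guard, `if (cfg_obj_isvoid(aclobj)) return (ISC_R_SUCCESS);`, or extend the comment to say why void cannot occur for ACL tuples.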
@@ -343,8 +396,88 @@ configure_view_sortlist(const cfg_obj_t *vconfig, const cfg_obj_t *config,
}
static isc_result_t
-configure_view_dnsseckey(const cfg_obj_t *vconfig, const cfg_obj_t *key,
- dns_keytable_t *keytable, isc_mem_t *mctx)
+configure_view_nametable(const cfg_obj_t *vconfig, const cfg_obj_t *config,
+ const char *confname, const char *conftuplename,
+ isc_mem_t *mctx, dns_rbt_t **rbtp)
+{
+ isc_result_t result;
+ const cfg_obj_t *maps[3];
+ const cfg_obj_t *obj = NULL;
+ const cfg_listelt_t *element;
+ int i = 0;
+ dns_fixedname_t fixed;
+ dns_name_t *name;
+ isc_buffer_t b;
+ const char *str;
+ const cfg_obj_t *nameobj;
+
+ if (*rbtp != NULL)
+ dns_rbt_destroy(rbtp);
+ if (vconfig != NULL)
+ maps[i++] = cfg_tuple_get(vconfig, "options");
+ if (config != NULL) {
+ const cfg_obj_t *options = NULL;
+ (void)cfg_map_get(config, "options", &options);
+ if (options != NULL)
+ maps[i++] = options;
+ }
+ maps[i] = NULL;
+
+ (void)ns_config_get(maps, confname, &obj);
+ if (obj == NULL)
+ /*
+ * No value available. *rbtp == NULL.
+ */
+ return (ISC_R_SUCCESS);
+
+ if (conftuplename != NULL) {
+ obj = cfg_tuple_get(obj, conftuplename);
+ if (cfg_obj_isvoid(obj))
+ return (ISC_R_SUCCESS);
+ }
+
+ result = dns_rbt_create(mctx, NULL, NULL, rbtp);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ dns_fixedname_init(&fixed);
+ name = dns_fixedname_name(&fixed);
+ for (element = cfg_list_first(obj);
+ element != NULL;
+ element = cfg_list_next(element)) {
+ nameobj = cfg_listelt_value(element);
+ str = cfg_obj_asstring(nameobj);
+ isc_buffer_init(&b, str, strlen(str));
+ isc_buffer_add(&b, strlen(str));
+ CHECK(dns_name_fromtext(name, &b, dns_rootname, 0, NULL));
+ /*
+ * We don't need the node data, but need to set dummy data to
+ * avoid a partial match with an empty node. For example, if
+ * we have foo.example.com and bar.example.com, we'd get a match
+ * for baz.example.com, which is not the expected result.
+ * We simply use (void *)1 as the dummy data.
+ */
+ result = dns_rbt_addname(*rbtp, name, (void *)1);
+ if (result != ISC_R_SUCCESS) {
+ cfg_obj_log(nameobj, ns_g_lctx, ISC_LOG_ERROR,
+ "failed to add %s for %s: %s",
+ str, confname, isc_result_totext(result));
+ goto cleanup;
+ }
+
+ }
+
+ return (result);
+
+ cleanup:
+ dns_rbt_destroy(rbtp);
+ return (result);
+
+}
+
+static isc_result_t
+dstkey_fromconfig(const cfg_obj_t *vconfig, const cfg_obj_t *key,
+ isc_boolean_t managed, dst_key_t **target, isc_mem_t *mctx)
{
dns_rdataclass_t viewclass;
dns_rdata_dnskey_t keystruct;
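Review bot: In configure_view_nametable a name that fails dns_name_fromtext() leaves through CHECK with no log line, while a dns_rbt_addname() failure a few lines later is reported with cfg_obj_log(). An operator with one malformed entry gets a failed configuration and no pointer to the entry; I would log the parse failure the same way, as below. The function also destroys any existing `*rbtp` before the new list is validated, so a failure leaves the caller with no table. That deserves a sentence in a header comment, which the function does not have.

```c
		isc_buffer_add(&b, strlen(str));
		result = dns_name_fromtext(name, &b, dns_rootname, 0, NULL);
		if (result != ISC_R_SUCCESS) {
			cfg_obj_log(nameobj, ns_g_lctx, ISC_LOG_ERROR,
				    "invalid name %s for %s: %s",
				    str, confname, isc_result_totext(result));
			goto cleanup;
		}
		/* … unchanged: dummy-data comment, dns_rbt_addname() and its error path … */
```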
@@ -361,12 +494,28 @@ configure_view_dnsseckey(const cfg_obj_t *vconfig, const cfg_obj_t *key,
isc_result_t result;
dst_key_t *dstkey = NULL;
+ INSIST(target != NULL && *target == NULL);
+
flags = cfg_obj_asuint32(cfg_tuple_get(key, "flags"));
proto = cfg_obj_asuint32(cfg_tuple_get(key, "protocol"));
alg = cfg_obj_asuint32(cfg_tuple_get(key, "algorithm"));
keyname = dns_fixedname_name(&fkeyname);
keynamestr = cfg_obj_asstring(cfg_tuple_get(key, "name"));
+ if (managed) {
+ const char *initmethod;
+ initmethod = cfg_obj_asstring(cfg_tuple_get(key, "init"));
+
+ if (strcasecmp(initmethod, "initial-key") != 0) {
+ cfg_obj_log(key, ns_g_lctx, ISC_LOG_ERROR,
+ "managed key '%s': "
+ "invalid initialization method '%s'",
+ keynamestr, initmethod);
+ result = ISC_R_FAILURE;
+ goto cleanup;
+ }
+ }
+
if (vconfig == NULL)
viewclass = dns_rdataclass_in;
else {
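Review bot: A rejected init method is reported twice. The new block logs "invalid initialization method" and jumps to `cleanup`, whose final else branch (visible in a later hunk of dstkey_fromconfig) logs "configuring managed key for ..." again with the generic ISC_R_FAILURE text. `dstkey` is still NULL at this point, so replacing the `result = ISC_R_FAILURE; goto cleanup;` pair with `return (ISC_R_FAILURE);` would keep a single message. Part of the cleanup label lies outside the visible hunks, so confirm it does nothing else that this path needs.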
@@ -406,7 +555,8 @@ configure_view_dnsseckey(const cfg_obj_t *vconfig, const cfg_obj_t *key,
keystruct.algorithm == DST_ALG_RSAMD5) &&
r.length > 1 && r.base[0] == 1 && r.base[1] == 3)
cfg_obj_log(key, ns_g_lctx, ISC_LOG_WARNING,
- "trusted key '%s' has a weak exponent",
+ "%s key '%s' has a weak exponent",
+ managed ? "managed" : "trusted",
keynamestr);
CHECK(dns_rdata_fromstruct(NULL,
@@ -416,25 +566,28 @@ configure_view_dnsseckey(const cfg_obj_t *vconfig, const cfg_obj_t *key,
dns_fixedname_init(&fkeyname);
isc_buffer_init(&namebuf, keynamestr, strlen(keynamestr));
isc_buffer_add(&namebuf, strlen(keynamestr));
- CHECK(dns_name_fromtext(keyname, &namebuf,
- dns_rootname, ISC_FALSE,
- NULL));
+ CHECK(dns_name_fromtext(keyname, &namebuf, dns_rootname, 0, NULL));
CHECK(dst_key_fromdns(keyname, viewclass, &rrdatabuf,
mctx, &dstkey));
- CHECK(dns_keytable_add(keytable, &dstkey));
- INSIST(dstkey == NULL);
+ *target = dstkey;
return (ISC_R_SUCCESS);
cleanup:
if (result == DST_R_NOCRYPTO) {
cfg_obj_log(key, ns_g_lctx, ISC_LOG_ERROR,
- "ignoring trusted key for '%s': no crypto support",
+ "ignoring %s key for '%s': no crypto support",
+ managed ? "managed" : "trusted",
keynamestr);
- result = ISC_R_SUCCESS;
+ } else if (result == DST_R_UNSUPPORTEDALG) {
+ cfg_obj_log(key, ns_g_lctx, ISC_LOG_WARNING,
+ "skipping %s key for '%s': %s",
+ managed ? "managed" : "trusted",
+ keynamestr, isc_result_totext(result));
} else {
cfg_obj_log(key, ns_g_lctx, ISC_LOG_ERROR,
- "configuring trusted key for '%s': %s",
+ "configuring %s key for '%s': %s",
+ managed ? "managed" : "trusted",
keynamestr, isc_result_totext(result));
result = ISC_R_FAILURE;
}
@@ -445,63 +598,215 @@ configure_view_dnsseckey(const cfg_obj_t *vconfig, const cfg_obj_t *key,
return (result);
}
+static isc_result_t
+load_view_keys(const cfg_obj_t *keys, const cfg_obj_t *vconfig,
+ dns_view_t *view, isc_boolean_t managed,
+ dns_name_t *keyname, isc_mem_t *mctx)
+{
+ const cfg_listelt_t *elt, *elt2;
+ const cfg_obj_t *key, *keylist;
+ dst_key_t *dstkey = NULL;
+ isc_result_t result;
+ dns_keytable_t *secroots = NULL;
+
+ CHECK(dns_view_getsecroots(view, &secroots));
+
+ for (elt = cfg_list_first(keys);
+ elt != NULL;
+ elt = cfg_list_next(elt)) {
+ keylist = cfg_listelt_value(elt);
+
+ for (elt2 = cfg_list_first(keylist);
+ elt2 != NULL;
+ elt2 = cfg_list_next(elt2)) {
+ key = cfg_listelt_value(elt2);
+ result = dstkey_fromconfig(vconfig, key, managed,
+ &dstkey, mctx);
+ if (result == DST_R_UNSUPPORTEDALG) {
+ result = ISC_R_SUCCESS;
+ continue;
+ }
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+
+ /*
+ * If keyname was specified, we only add that key.
+ */
+ if (keyname != NULL &&
+ !dns_name_equal(keyname, dst_key_name(dstkey)))
+ {
+ dst_key_free(&dstkey);
+ continue;
+ }
+
+ CHECK(dns_keytable_add(secroots, managed, &dstkey));
+ }
+ }
+
+ cleanup:
+ if (dstkey != NULL)
+ dst_key_free(&dstkey);
+ if (secroots != NULL)
+ dns_keytable_detach(&secroots);
+ if (result == DST_R_NOCRYPTO)
+ result = ISC_R_SUCCESS;
+ return (result);
+}
+
/*%
- * Configure DNSSEC keys for a view. Currently used only for
- * the security roots.
+ * Configure DNSSEC keys for a view.
*
* The per-view configuration values and the server-global defaults are read
- * from 'vconfig' and 'config'. The variable to be configured is '*target'.
+ * from 'vconfig' and 'config'.
*/
static isc_result_t
-configure_view_dnsseckeys(const cfg_obj_t *vconfig, const cfg_obj_t *config,
- isc_mem_t *mctx, dns_keytable_t **target)
+configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
+ const cfg_obj_t *config, const cfg_obj_t *bindkeys,
+ isc_boolean_t auto_dlv, isc_boolean_t auto_root,
+ isc_mem_t *mctx)
{
- isc_result_t result;
- const cfg_obj_t *keys = NULL;
+ isc_result_t result = ISC_R_SUCCESS;
+ const cfg_obj_t *view_keys = NULL;
+ const cfg_obj_t *global_keys = NULL;
+ const cfg_obj_t *view_managed_keys = NULL;
+ const cfg_obj_t *global_managed_keys = NULL;
+ const cfg_obj_t *maps[4];
const cfg_obj_t *voptions = NULL;
- const cfg_listelt_t *element, *element2;
- const cfg_obj_t *keylist;
- const cfg_obj_t *key;
- dns_keytable_t *keytable = NULL;
+ const cfg_obj_t *options = NULL;
+ const cfg_obj_t *obj = NULL;
+ const char *directory;
+ int i = 0;
- CHECK(dns_keytable_create(mctx, &keytable));
+ /* We don't need trust anchors for the _bind view */
+ if (strcmp(view->name, "_bind") == 0 &&
+ view->rdclass == dns_rdataclass_chaos) {
+ return (ISC_R_SUCCESS);
+ }
- if (vconfig != NULL)
+ if (vconfig != NULL) {
voptions = cfg_tuple_get(vconfig, "options");
+ if (voptions != NULL) {
+ (void) cfg_map_get(voptions, "trusted-keys",
+ &view_keys);
+ (void) cfg_map_get(voptions, "managed-keys",
+ &view_managed_keys);
+ maps[i++] = voptions;
+ }
+ }
- keys = NULL;
- if (voptions != NULL)
- (void)cfg_map_get(voptions, "trusted-keys", &keys);
- if (keys == NULL)
- (void)cfg_map_get(config, "trusted-keys", &keys);
+ if (config != NULL) {
+ (void)cfg_map_get(config, "trusted-keys", &global_keys);
+ (void)cfg_map_get(config, "managed-keys", &global_managed_keys);
+ (void)cfg_map_get(config, "options", &options);
+ if (options != NULL) {
+ maps[i++] = options;
+ }
+ }
- for (element = cfg_list_first(keys);
- element != NULL;
- element = cfg_list_next(element))
- {
- keylist = cfg_listelt_value(element);
- for (element2 = cfg_list_first(keylist);
- element2 != NULL;
- element2 = cfg_list_next(element2))
- {
- key = cfg_listelt_value(element2);
- CHECK(configure_view_dnsseckey(vconfig, key,
- keytable, mctx));
+ maps[i++] = ns_g_defaults;
+ maps[i] = NULL;
+
+ result = dns_view_initsecroots(view, mctx);
+ if (result != ISC_R_SUCCESS) {
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
+ "couldn't create keytable");
+ return (ISC_R_UNEXPECTED);
+ }
+
+ if (auto_dlv && view->rdclass == dns_rdataclass_in) {
+ const cfg_obj_t *builtin_keys = NULL;
+ const cfg_obj_t *builtin_managed_keys = NULL;
+
+ isc_log_write(ns_g_lctx, DNS_LOGCATEGORY_SECURITY,
+ NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
+ "using built-in DLV key for view %s",
+ view->name);
+
+ /*
+ * If bind.keys exists, it overrides the managed-keys
+ * clause hard-coded in ns_g_config.
+ */
+ if (bindkeys != NULL) {
+ (void)cfg_map_get(bindkeys, "trusted-keys",
+ &builtin_keys);
+ (void)cfg_map_get(bindkeys, "managed-keys",
+ &builtin_managed_keys);
+ } else {
+ (void)cfg_map_get(ns_g_config, "trusted-keys",
+ &builtin_keys);
+ (void)cfg_map_get(ns_g_config, "managed-keys",
+ &builtin_managed_keys);
}
+
+ if (builtin_keys != NULL)
+ CHECK(load_view_keys(builtin_keys, vconfig, view,
+ ISC_FALSE, view->dlv, mctx));
+ if (builtin_managed_keys != NULL)
+ CHECK(load_view_keys(builtin_managed_keys, vconfig,
+ view, ISC_TRUE, view->dlv, mctx));
}
- dns_keytable_detach(target);
- *target = keytable; /* Transfer ownership. */
- keytable = NULL;
- result = ISC_R_SUCCESS;
+ if (auto_root && view->rdclass == dns_rdataclass_in) {
+ const cfg_obj_t *builtin_keys = NULL;
+ const cfg_obj_t *builtin_managed_keys = NULL;
- cleanup:
+ isc_log_write(ns_g_lctx, DNS_LOGCATEGORY_SECURITY,
+ NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
+ "using built-in root key for view %s",
+ view->name);
+
+ /*
+ * If bind.keys exists, it overrides the managed-keys
+ * clause hard-coded in ns_g_config.
+ */
+ if (bindkeys != NULL) {
+ (void)cfg_map_get(bindkeys, "trusted-keys",
+ &builtin_keys);
+ (void)cfg_map_get(bindkeys, "managed-keys",
+ &builtin_managed_keys);
+ } else {
+ (void)cfg_map_get(ns_g_config, "trusted-keys",
+ &builtin_keys);
+ (void)cfg_map_get(ns_g_config, "managed-keys",
+ &builtin_managed_keys);
+ }
+
+ if (builtin_keys != NULL)
+ CHECK(load_view_keys(builtin_keys, vconfig, view,
+ ISC_FALSE, dns_rootname, mctx));
+ if (builtin_managed_keys != NULL)
+ CHECK(load_view_keys(builtin_managed_keys, vconfig,
+ view, ISC_TRUE, dns_rootname,
+ mctx));
+ }
+
+ CHECK(load_view_keys(view_keys, vconfig, view, ISC_FALSE,
+ NULL, mctx));
+ CHECK(load_view_keys(view_managed_keys, vconfig, view, ISC_TRUE,
+ NULL, mctx));
+
+ if (view->rdclass == dns_rdataclass_in) {
+ CHECK(load_view_keys(global_keys, vconfig, view, ISC_FALSE,
+ NULL, mctx));
+ CHECK(load_view_keys(global_managed_keys, vconfig, view,
+ ISC_TRUE, NULL, mctx));
+ }
+
+ /*
+ * Add key zone for managed-keys.
+ */
+ obj = NULL;
+ (void)ns_config_get(maps, "managed-keys-directory", &obj);
+ directory = obj != NULL ? cfg_obj_asstring(obj) : NULL;
+ CHECK(add_keydata_zone(view, directory, ns_g_mctx));
+
+ cleanup:
return (result);
}
static isc_result_t
-mustbesecure(const cfg_obj_t *mbs, dns_resolver_t *resolver)
-{
+mustbesecure(const cfg_obj_t *mbs, dns_resolver_t *resolver) {
const cfg_listelt_t *element;
const cfg_obj_t *obj;
const char *str;
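Review bot: In load_view_keys a DST_R_NOCRYPTO from dstkey_fromconfig leaves the loop through `goto cleanup` and is then rewritten to ISC_R_SUCCESS, so the first such key ends the scan, the remaining keys in the list are never examined, and the caller sees success. A DST_R_UNSUPPORTEDALG key is likewise skipped with only a warning from dstkey_fromconfig. In both cases the view can come up with fewer trust anchors than configured, and the only trace is a log line. I would state the intent at the cleanup label, e.g. `/* No crypto support: keys were not loaded; deliberately not fatal. */`, and consider one summary log line per view giving the number of keys actually added, so that a missing anchor is visible to whoever monitors validation.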
@@ -521,8 +826,7 @@ mustbesecure(const cfg_obj_t *mbs, dns_resolver_t *resolver)
str = cfg_obj_asstring(cfg_tuple_get(obj, "name"));
isc_buffer_init(&b, str, strlen(str));
isc_buffer_add(&b, strlen(str));
- CHECK(dns_name_fromtext(name, &b, dns_rootname,
- ISC_FALSE, NULL));
+ CHECK(dns_name_fromtext(name, &b, dns_rootname, 0, NULL));
value = cfg_obj_asboolean(cfg_tuple_get(obj, "value"));
CHECK(dns_resolver_setmustbesecure(resolver, name, value));
}
@@ -677,7 +981,7 @@ configure_order(dns_order_t *order, const cfg_obj_t *ent) {
isc_buffer_add(&b, strlen(str));
dns_fixedname_init(&fixed);
result = dns_name_fromtext(dns_fixedname_name(&fixed), &b,
- dns_rootname, ISC_FALSE, NULL);
+ dns_rootname, 0, NULL);
if (result != ISC_R_SUCCESS)
return (result);
@@ -861,7 +1165,7 @@ disable_algorithms(const cfg_obj_t *disabled, dns_resolver_t *resolver) {
str = cfg_obj_asstring(cfg_tuple_get(disabled, "name"));
isc_buffer_init(&b, str, strlen(str));
isc_buffer_add(&b, strlen(str));
- CHECK(dns_name_fromtext(name, &b, dns_rootname, ISC_FALSE, NULL));
+ CHECK(dns_name_fromtext(name, &b, dns_rootname, 0, NULL));
algorithms = cfg_tuple_get(disabled, "algorithms");
for (element = cfg_list_first(algorithms);
@@ -914,7 +1218,7 @@ on_disable_list(const cfg_obj_t *disablelist, dns_name_t *zonename) {
isc_buffer_init(&b, str, strlen(str));
isc_buffer_add(&b, strlen(str));
result = dns_name_fromtext(name, &b, dns_rootname,
- ISC_TRUE, NULL);
+ 0, NULL);
RUNTIME_CHECK(result == ISC_R_SUCCESS);
if (dns_name_equal(name, zonename))
return (ISC_TRUE);
@@ -972,6 +1276,20 @@ setquerystats(dns_zone_t *zone, isc_mem_t *mctx, isc_boolean_t on) {
return (ISC_R_SUCCESS);
}
+static ns_cache_t *
+cachelist_find(ns_cachelist_t *cachelist, const char *cachename) {
+ ns_cache_t *nsc;
+
+ for (nsc = ISC_LIST_HEAD(*cachelist);
+ nsc != NULL;
+ nsc = ISC_LIST_NEXT(nsc, link)) {
+ if (strcmp(dns_cache_getname(nsc->cache), cachename) == 0)
+ return (nsc);
+ }
+
+ return (NULL);
+}
+
static isc_boolean_t
cache_reusable(dns_view_t *originview, dns_view_t *view,
isc_boolean_t new_zero_no_soattl)
@@ -989,6 +1307,250 @@ cache_reusable(dns_view_t *originview, dns_view_t *view,
return (ISC_TRUE);
}
+static isc_boolean_t
+cache_sharable(dns_view_t *originview, dns_view_t *view,
+ isc_boolean_t new_zero_no_soattl,
+ unsigned int new_cleaning_interval,
+ isc_uint32_t new_max_cache_size)
+{
+ /*
+ * If the cache cannot even reused for the same view, it cannot be
+ * shared with other views.
+ */
+ if (!cache_reusable(originview, view, new_zero_no_soattl))
+ return (ISC_FALSE);
+
+ /*
+ * Check other cache related parameters that must be consistent among
+ * the sharing views.
+ */
+ if (dns_cache_getcleaninginterval(originview->cache) !=
+ new_cleaning_interval ||
+ dns_cache_getcachesize(originview->cache) != new_max_cache_size) {
+ return (ISC_FALSE);
+ }
+
+ return (ISC_TRUE);
+}
+
+/*
+ * Callback from DLZ configure when the driver sets up a writeable zone
+ */
+static isc_result_t
+dlzconfigure_callback(dns_view_t *view, dns_zone_t *zone) {
+ dns_name_t *origin = dns_zone_getorigin(zone);
+ dns_rdataclass_t zclass = view->rdclass;
+ isc_result_t result;
+
+ result = dns_zonemgr_managezone(ns_g_server->zonemgr, zone);
+ if (result != ISC_R_SUCCESS)
+ return result;
+ dns_zone_setstats(zone, ns_g_server->zonestats);
+
+ return ns_zone_configure_writeable_dlz(view->dlzdatabase,
+ zone, zclass, origin);
+}
+
+static isc_result_t
+dns64_reverse(dns_view_t *view, isc_mem_t *mctx, isc_netaddr_t *na,
+ unsigned int prefixlen, const char *server,
+ const char *contact)
+{
+ char *cp;
+ char reverse[48+sizeof("ip6.arpa.")];
+ const char *dns64_dbtype[4] = { "_dns64", "dns64", ".", "." };
+ const char *sep = ": view ";
+ const char *viewname = view->name;
+ const unsigned char *s6;
+ dns_fixedname_t fixed;
+ dns_name_t *name;
+ dns_zone_t *zone = NULL;
+ int dns64_dbtypec = 4;
+ isc_buffer_t b;
+ isc_result_t result;
+
+ REQUIRE(prefixlen == 32 || prefixlen == 40 || prefixlen == 48 ||
+ prefixlen == 56 || prefixlen == 64 || prefixlen == 96);
+
+ if (!strcmp(viewname, "_default")) {
+ sep = "";
+ viewname = "";
+ }
+
+ /*
+ * Construct the reverse name of the zone.
+ */
+ cp = reverse;
+ s6 = na->type.in6.s6_addr;
+ while (prefixlen > 0) {
+ prefixlen -= 8;
+ sprintf(cp, "%x.%x.", s6[prefixlen/8] & 0xf,
+ (s6[prefixlen/8] >> 4) & 0xf);
+ cp += 4;
+ }
+ strcat(cp, "ip6.arpa.");
+
+ /*
+ * Create the actual zone.
+ */
+ if (server != NULL)
+ dns64_dbtype[2] = server;
+ if (contact != NULL)
+ dns64_dbtype[3] = contact;
+ dns_fixedname_init(&fixed);
+ name = dns_fixedname_name(&fixed);
+ isc_buffer_init(&b, reverse, strlen(reverse));
+ isc_buffer_add(&b, strlen(reverse));
+ CHECK(dns_name_fromtext(name, &b, dns_rootname, 0, NULL));
+ CHECK(dns_zone_create(&zone, mctx));
+ CHECK(dns_zone_setorigin(zone, name));
+ dns_zone_setview(zone, view);
+ CHECK(dns_zonemgr_managezone(ns_g_server->zonemgr, zone));
+ dns_zone_setclass(zone, view->rdclass);
+ dns_zone_settype(zone, dns_zone_master);
+ dns_zone_setstats(zone, ns_g_server->zonestats);
+ CHECK(dns_zone_setdbtype(zone, dns64_dbtypec, dns64_dbtype));
+ if (view->queryacl != NULL)
+ dns_zone_setqueryacl(zone, view->queryacl);
+ if (view->queryonacl != NULL)
+ dns_zone_setqueryonacl(zone, view->queryonacl);
+ dns_zone_setdialup(zone, dns_dialuptype_no);
+ dns_zone_setnotifytype(zone, dns_notifytype_no);
+ dns_zone_setoption(zone, DNS_ZONEOPT_NOCHECKNS, ISC_TRUE);
+ CHECK(setquerystats(zone, mctx, ISC_FALSE)); /* XXXMPA */
+ CHECK(dns_view_addzone(view, zone));
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
+ ISC_LOG_INFO, "dns64 reverse zone%s%s: %s", sep,
+ viewname, reverse);
+
+cleanup:
+ if (zone != NULL)
+ dns_zone_detach(&zone);
+ return (result);
+}
+
+static isc_result_t
+configure_rpz(dns_view_t *view, const cfg_listelt_t *element,
+ isc_boolean_t recursive_only_def, dns_ttl_t ttl_def)
+{
+ const cfg_obj_t *rpz_obj, *policy_obj, *obj;
+ const char *str;
+ dns_rpz_zone_t *old, *new;
+ dns_zone_t *zone = NULL;
+ isc_result_t result;
+
+ new = isc_mem_get(view->mctx, sizeof(*new));
+ if (new == NULL) {
+ result = ISC_R_NOMEMORY;
+ goto cleanup;
+ }
+
+ memset(new, 0, sizeof(*new));
+ dns_name_init(&new->origin, NULL);
+ dns_name_init(&new->nsdname, NULL);
+ dns_name_init(&new->cname, NULL);
+ dns_name_init(&new->passthru, NULL);
+ ISC_LIST_INITANDAPPEND(view->rpz_zones, new, link);
+
+ rpz_obj = cfg_listelt_value(element);
+ policy_obj = cfg_tuple_get(rpz_obj, "policy");
+ if (cfg_obj_isvoid(policy_obj)) {
+ new->policy = DNS_RPZ_POLICY_GIVEN;
+ } else {
+ str = cfg_obj_asstring(cfg_tuple_get(policy_obj,
+ "policy name"));
+ new->policy = dns_rpz_str2policy(str);
+ INSIST(new->policy != DNS_RPZ_POLICY_ERROR);
+ }
+
+ obj = cfg_tuple_get(rpz_obj, "recursive-only");
+ if (cfg_obj_isvoid(obj)) {
+ new->recursive_only = recursive_only_def;
+ } else {
+ new->recursive_only = cfg_obj_asboolean(obj);
+ }
+ if (!new->recursive_only)
+ view->rpz_recursive_only = ISC_FALSE;
+
+ obj = cfg_tuple_get(rpz_obj, "max-policy-ttl");
+ if (cfg_obj_isuint32(obj)) {
+ new->max_policy_ttl = cfg_obj_asuint32(obj);
+ } else {
+ new->max_policy_ttl = ttl_def;
+ }
+
+ str = cfg_obj_asstring(cfg_tuple_get(rpz_obj, "zone name"));
+ result = dns_name_fromstring(&new->origin, str, DNS_NAME_DOWNCASE,
+ view->mctx);
+ if (result != ISC_R_SUCCESS) {
+ cfg_obj_log(rpz_obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
+ "invalid zone '%s'", str);
+ goto cleanup;
+ }
+
+ result = dns_name_fromstring2(&new->nsdname, DNS_RPZ_NSDNAME_ZONE,
+ &new->origin, DNS_NAME_DOWNCASE,
+ view->mctx);
+ if (result != ISC_R_SUCCESS) {
+ cfg_obj_log(rpz_obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
+ "invalid zone '%s'", str);
+ goto cleanup;
+ }
+
+ result = dns_name_fromstring(&new->passthru, DNS_RPZ_PASSTHRU_ZONE,
+ DNS_NAME_DOWNCASE, view->mctx);
+ if (result != ISC_R_SUCCESS) {
+ cfg_obj_log(rpz_obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
+ "invalid zone '%s'", str);
+ goto cleanup;
+ }
+
+ result = dns_view_findzone(view, &new->origin, &zone);
+ if (result != ISC_R_SUCCESS) {
+ cfg_obj_log(rpz_obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
+ "unknown zone '%s'", str);
+ goto cleanup;
+ }
+ if (dns_zone_gettype(zone) != dns_zone_master &&
+ dns_zone_gettype(zone) != dns_zone_slave) {
+ cfg_obj_log(rpz_obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
+ "zone '%s' is neither master nor slave", str);
+ dns_zone_detach(&zone);
+ result = DNS_R_NOTMASTER;
+ goto cleanup;
+ }
+ dns_zone_detach(&zone);
+
+ for (old = ISC_LIST_HEAD(view->rpz_zones);
+ old != new;
+ old = ISC_LIST_NEXT(old, link)) {
+ ++new->num;
+ if (dns_name_equal(&old->origin, &new->origin)) {
+ cfg_obj_log(rpz_obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
+ "duplicate '%s'", str);
+ result = DNS_R_DUPLICATE;
+ goto cleanup;
+ }
+ }
+
+ if (new->policy == DNS_RPZ_POLICY_CNAME) {
+ str = cfg_obj_asstring(cfg_tuple_get(policy_obj, "cname"));
+ result = dns_name_fromstring(&new->cname, str,
+ DNS_NAME_DOWNCASE, view->mctx);
+ if (result != ISC_R_SUCCESS) {
+ cfg_obj_log(rpz_obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
+ "invalid cname '%s'", str);
+ goto cleanup;
+ }
+ }
+
+ return (ISC_R_SUCCESS);
+
+ cleanup:
+ dns_rpz_view_destroy(view);
+ return (result);
+}
+
/*
* Configure 'view' according to 'vconfig', taking defaults from 'config'
* where values are missing in 'vconfig'.
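Review bot: dns64_reverse sizes `reverse` to exactly the longest accepted prefix (12 bytes at /96 give 48 characters, plus `ip6.arpa.` and the terminator) and then fills it with unbounded `sprintf` and `strcat`, so the only thing keeping the writes in bounds is the `REQUIRE` on `prefixlen`. The function also reads `na->type.in6.s6_addr` without asserting the address family; the caller added later in this diff passes whatever cfg_obj_asnetprefix returned, so this presumably depends on the configuration checker having rejected IPv4 prefixes. I would add `REQUIRE(na->family == AF_INET6);` next to the existing assertion and write each label pair with `snprintf(cp, sizeof(reverse) - (cp - reverse), ...)`, finishing with a bounded copy of the suffix. Separately, in configure_rpz the failures of the nsdname and passthru conversions both log `invalid zone '%s'` with the zone name, which hides which step failed.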
@@ -997,23 +1559,23 @@ cache_reusable(dns_view_t *originview, dns_view_t *view,
* global defaults in 'config' used exclusively.
*/
static isc_result_t
-configure_view(dns_view_t *view, const cfg_obj_t *config,
- const cfg_obj_t *vconfig, isc_mem_t *mctx,
- cfg_aclconfctx_t *actx, isc_boolean_t need_hints)
+configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
+ ns_cachelist_t *cachelist, const cfg_obj_t *bindkeys,
+ isc_mem_t *mctx, cfg_aclconfctx_t *actx,
+ isc_boolean_t need_hints)
{
const cfg_obj_t *maps[4];
const cfg_obj_t *cfgmaps[3];
+ const cfg_obj_t *optionmaps[3];
const cfg_obj_t *options = NULL;
const cfg_obj_t *voptions = NULL;
const cfg_obj_t *forwardtype;
const cfg_obj_t *forwarders;
const cfg_obj_t *alternates;
const cfg_obj_t *zonelist;
-#ifdef DLZ
const cfg_obj_t *dlz;
unsigned int dlzargc;
char **dlzargv;
-#endif
const cfg_obj_t *disabled;
const cfg_obj_t *obj;
const cfg_listelt_t *element;
@@ -1021,6 +1583,7 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
dns_cache_t *cache = NULL;
isc_result_t result;
isc_uint32_t max_adb_size;
+ unsigned int cleaning_interval;
isc_uint32_t max_cache_size;
isc_uint32_t max_acache_size;
isc_uint32_t lame_ttl;
@@ -1030,8 +1593,10 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
dns_dispatch_t *dispatch4 = NULL;
dns_dispatch_t *dispatch6 = NULL;
isc_boolean_t reused_cache = ISC_FALSE;
- int i;
+ isc_boolean_t shared_cache = ISC_FALSE;
+ int i = 0, j = 0, k = 0;
const char *str;
+ const char *cachename = NULL;
dns_order_t *order = NULL;
isc_uint32_t udpsize;
unsigned int resopts = 0;
@@ -1045,29 +1610,41 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
const cfg_obj_t *disablelist = NULL;
isc_stats_t *resstats = NULL;
dns_stats_t *resquerystats = NULL;
+ isc_boolean_t auto_dlv = ISC_FALSE;
+ isc_boolean_t auto_root = ISC_FALSE;
+ ns_cache_t *nsc;
isc_boolean_t zero_no_soattl;
+ dns_acl_t *clients = NULL, *mapped = NULL, *excluded = NULL;
+ unsigned int query_timeout;
+ struct cfg_context *nzctx;
REQUIRE(DNS_VIEW_VALID(view));
if (config != NULL)
(void)cfg_map_get(config, "options", &options);
- i = 0;
+ /*
+ * maps: view options, options, defaults
+ * cfgmaps: view options, config
+ * optionmaps: view options, options
+ */
if (vconfig != NULL) {
voptions = cfg_tuple_get(vconfig, "options");
maps[i++] = voptions;
+ optionmaps[j++] = voptions;
+ cfgmaps[k++] = voptions;
}
- if (options != NULL)
+ if (options != NULL) {
maps[i++] = options;
+ optionmaps[j++] = options;
+ }
+
maps[i++] = ns_g_defaults;
maps[i] = NULL;
-
- i = 0;
- if (voptions != NULL)
- cfgmaps[i++] = voptions;
+ optionmaps[j] = NULL;
if (config != NULL)
- cfgmaps[i++] = config;
- cfgmaps[i] = NULL;
+ cfgmaps[k++] = config;
+ cfgmaps[k] = NULL;
if (!strcmp(viewname, "_default")) {
sep = "";
@@ -1129,12 +1706,12 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
dns_acache_setcachesize(view->acache, max_acache_size);
}
- CHECK(configure_view_acl(vconfig, config, "allow-query", actx,
+ CHECK(configure_view_acl(vconfig, config, "allow-query", NULL, actx,
ns_g_mctx, &view->queryacl));
-
if (view->queryacl == NULL) {
- CHECK(configure_view_acl(NULL, ns_g_config, "allow-query", actx,
- ns_g_mctx, &view->queryacl));
+ CHECK(configure_view_acl(NULL, ns_g_config, "allow-query",
+ NULL, actx, ns_g_mctx,
+ &view->queryacl));
}
/*
@@ -1155,10 +1732,35 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
{
const cfg_obj_t *zconfig = cfg_listelt_value(element);
CHECK(configure_zone(config, zconfig, vconfig, mctx, view,
- actx));
+ actx, ISC_FALSE));
+ }
+
+ /*
+ * If we're allowing added zones, then load zone configuration
+ * from the newzone file for zones that were added during previous
+ * runs.
+ */
+ nzctx = view->new_zone_config;
+ if (nzctx != NULL && nzctx->nzconfig != NULL) {
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_SERVER, ISC_LOG_INFO,
+ "loading additional zones for view '%s'",
+ view->name);
+
+ zonelist = NULL;
+ cfg_map_get(nzctx->nzconfig, "zone", &zonelist);
+
+ for (element = cfg_list_first(zonelist);
+ element != NULL;
+ element = cfg_list_next(element))
+ {
+ const cfg_obj_t *zconfig = cfg_listelt_value(element);
+ CHECK(configure_zone(config, zconfig, vconfig,
+ mctx, view, actx,
+ ISC_TRUE));
+ }
}
-#ifdef DLZ
/*
* Create Dynamically Loadable Zone driver.
*/
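Review bot: The new-zone block calls `cfg_map_get(nzctx->nzconfig, "zone", &zonelist);` and drops the result silently, while the same function writes `(void)cfg_map_get(config, "options", &options);` for the same pattern. Adding the `(void)` cast makes it clear that a missing `zone` clause is expected and that the loop then runs over an empty list. Each persisted zone is configured under `CHECK`, so one bad entry in the new-zone file fails the whole view; if that is intended, a comment saying so would help whoever has to diagnose a failed reload. configure_view begins and ends outside this hunk.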
@@ -1193,14 +1795,47 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
isc_mem_put(mctx, dlzargv, dlzargc * sizeof(*dlzargv));
if (result != ISC_R_SUCCESS)
goto cleanup;
+
+ /*
+ * If the dlz backend supports configuration,
+ * then call its configure method now.
+ */
+ result = dns_dlzconfigure(view, dlzconfigure_callback);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
}
}
-#endif
/*
* Obtain configuration parameters that affect the decision of whether
* we can reuse/share an existing cache.
*/
+ obj = NULL;
+ result = ns_config_get(maps, "cleaning-interval", &obj);
+ INSIST(result == ISC_R_SUCCESS);
+ cleaning_interval = cfg_obj_asuint32(obj) * 60;
+
+ obj = NULL;
+ result = ns_config_get(maps, "max-cache-size", &obj);
+ INSIST(result == ISC_R_SUCCESS);
+ if (cfg_obj_isstring(obj)) {
+ str = cfg_obj_asstring(obj);
+ INSIST(strcasecmp(str, "unlimited") == 0);
+ max_cache_size = ISC_UINT32_MAX;
+ } else {
+ isc_resourcevalue_t value;
+ value = cfg_obj_asuint64(obj);
+ if (value > ISC_UINT32_MAX) {
+ cfg_obj_log(obj, ns_g_lctx, ISC_LOG_ERROR,
+ "'max-cache-size "
+ "%" ISC_PRINT_QUADFORMAT "d' is too large",
+ value);
+ result = ISC_R_RANGE;
+ goto cleanup;
+ }
+ max_cache_size = (isc_uint32_t)value;
+ }
+
/* Check-names. */
obj = NULL;
result = ns_checknames_get(maps, "response", &obj);
@@ -1225,6 +1860,109 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
zero_no_soattl = cfg_obj_asboolean(obj);
obj = NULL;
+ result = ns_config_get(maps, "dns64", &obj);
+ if (result == ISC_R_SUCCESS && strcmp(view->name, "_bind") &&
+ strcmp(view->name, "_meta")) {
+ const cfg_listelt_t *element;
+ isc_netaddr_t na, suffix, *sp;
+ unsigned int prefixlen;
+ const char *server, *contact;
+ const cfg_obj_t *myobj;
+
+ myobj = NULL;
+ result = ns_config_get(maps, "dns64-server", &myobj);
+ if (result == ISC_R_SUCCESS)
+ server = cfg_obj_asstring(myobj);
+ else
+ server = NULL;
+
+ myobj = NULL;
+ result = ns_config_get(maps, "dns64-contact", &myobj);
+ if (result == ISC_R_SUCCESS)
+ contact = cfg_obj_asstring(myobj);
+ else
+ contact = NULL;
+
+ for (element = cfg_list_first(obj);
+ element != NULL;
+ element = cfg_list_next(element))
+ {
+ const cfg_obj_t *map = cfg_listelt_value(element);
+ dns_dns64_t *dns64 = NULL;
+ unsigned int dns64options = 0;
+
+ cfg_obj_asnetprefix(cfg_map_getname(map), &na,
+ &prefixlen);
+
+ obj = NULL;
+ (void)cfg_map_get(map, "suffix", &obj);
+ if (obj != NULL) {
+ sp = &suffix;
+ isc_netaddr_fromsockaddr(sp,
+ cfg_obj_assockaddr(obj));
+ } else
+ sp = NULL;
+
+ clients = mapped = excluded = NULL;
+ obj = NULL;
+ (void)cfg_map_get(map, "clients", &obj);
+ if (obj != NULL) {
+ result = cfg_acl_fromconfig(obj, config,
+ ns_g_lctx, actx,
+ mctx, 0, &clients);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+ }
+ obj = NULL;
+ (void)cfg_map_get(map, "mapped", &obj);
+ if (obj != NULL) {
+ result = cfg_acl_fromconfig(obj, config,
+ ns_g_lctx, actx,
+ mctx, 0, &mapped);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+ }
+ obj = NULL;
+ (void)cfg_map_get(map, "exclude", &obj);
+ if (obj != NULL) {
+ result = cfg_acl_fromconfig(obj, config,
+ ns_g_lctx, actx,
+ mctx, 0, &excluded);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+ }
+
+ obj = NULL;
+ (void)cfg_map_get(map, "recursive-only", &obj);
+ if (obj != NULL && cfg_obj_asboolean(obj))
+ dns64options |= DNS_DNS64_RECURSIVE_ONLY;
+
+ obj = NULL;
+ (void)cfg_map_get(map, "break-dnssec", &obj);
+ if (obj != NULL && cfg_obj_asboolean(obj))
+ dns64options |= DNS_DNS64_BREAK_DNSSEC;
+
+ result = dns_dns64_create(mctx, &na, prefixlen, sp,
+ clients, mapped, excluded,
+ dns64options, &dns64);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+ dns_dns64_append(&view->dns64, dns64);
+ view->dns64cnt++;
+ result = dns64_reverse(view, mctx, &na, prefixlen,
+ server, contact);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+ if (clients != NULL)
+ dns_acl_detach(&clients);
+ if (mapped != NULL)
+ dns_acl_detach(&mapped);
+ if (excluded != NULL)
+ dns_acl_detach(&excluded);
+ }
+ }
+
+ obj = NULL;
result = ns_config_get(maps, "dnssec-accept-expired", &obj);
INSIST(result == ISC_R_SUCCESS);
view->acceptexpired = cfg_obj_asboolean(obj);
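Review bot: The dns64 block declares `const cfg_listelt_t *element;` inside the `if`, shadowing the function-level `element` of configure_view, and it reuses `obj` for the per-entry lookups while the loop is still walking the list that `obj` pointed to. Both work because `cfg_list_first(obj)` is evaluated once, but they are easy to break; dropping the inner declaration and using `myobj` for the lookups inside the loop would avoid that. The error paths jump to `cleanup` with `clients`, `mapped` and `excluded` possibly attached, and with `dns64` already appended to the view when dns64_reverse fails. The cleanup label is outside this hunk, so it is worth confirming that it detaches the three ACLs.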
@@ -1232,7 +1970,13 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
obj = NULL;
result = ns_config_get(maps, "dnssec-validation", &obj);
INSIST(result == ISC_R_SUCCESS);
- view->enablevalidation = cfg_obj_asboolean(obj);
+ if (cfg_obj_isboolean(obj)) {
+ view->enablevalidation = cfg_obj_asboolean(obj);
+ } else {
+ /* If dnssec-validation is not boolean, it must be "auto" */
+ view->enablevalidation = ISC_TRUE;
+ auto_root = ISC_TRUE;
+ }
obj = NULL;
result = ns_config_get(maps, "max-cache-ttl", &obj);
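Review bot: The `else` branch treats every non-boolean `dnssec-validation` value as `auto`, which the comment states but nothing checks. The `filter-aaaa-on-v4` code added later in this diff handles the same shape by comparing the string and ending in `INSIST(0)`; doing the same here, e.g. `INSIST(strcasecmp(cfg_obj_asstring(obj), "auto") == 0);`, would keep a future grammar change from silently setting `auto_root`. This assumes the non-boolean form is stored as a string, which is not visible in the hunk.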
@@ -1247,65 +1991,121 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
view->maxncachettl = 7 * 24 * 3600;
/*
- * Configure the view's cache. Try to reuse an existing
- * cache if possible, otherwise create a new cache.
- * Note that the ADB is not preserved in either case.
- * When a matching view is found, the associated statistics are
- * also retrieved and reused.
+ * Configure the view's cache.
+ *
+ * First, check to see if there are any attach-cache options. If yes,
+ * attempt to lookup an existing cache at attach it to the view. If
+ * there is not one, then try to reuse an existing cache if possible;
+ * otherwise create a new cache.
+ *
+ * Note that the ADB is not preserved or shared in either case.
+ *
+ * When a matching view is found, the associated statistics are also
+ * retrieved and reused.
*
- * XXX Determining when it is safe to reuse a cache is tricky.
+ * XXX Determining when it is safe to reuse or share a cache is tricky.
* When the view's configuration changes, the cached data may become
* invalid because it reflects our old view of the world. We check
- * some of the configuration parameters that could invalidate the cache,
- * but there are other configuration options that should be checked.
- * For example, if a view uses a forwarder, changes in the forwarder
- * configuration may invalidate the cache. At the moment, it's the
- * administrator's responsibility to ensure these configuration options
- * don't invalidate reusing.
+ * some of the configuration parameters that could invalidate the cache
+ * or otherwise make it unsharable, but there are other configuration
+ * options that should be checked. For example, if a view uses a
+ * forwarder, changes in the forwarder configuration may invalidate
+ * the cache. At the moment, it's the administrator's responsibility to
+ * ensure these configuration options don't invalidate reusing/sharing.
*/
- result = dns_viewlist_find(&ns_g_server->viewlist,
- view->name, view->rdclass,
- &pview);
- if (result != ISC_R_NOTFOUND && result != ISC_R_SUCCESS)
- goto cleanup;
- if (pview != NULL) {
- if (cache_reusable(pview, view, zero_no_soattl)) {
- INSIST(pview->cache != NULL);
- isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
- NS_LOGMODULE_SERVER, ISC_LOG_DEBUG(3),
- "reusing existing cache");
- reused_cache = ISC_TRUE;
- dns_cache_attach(pview->cache, &cache);
- } else {
+ obj = NULL;
+ result = ns_config_get(maps, "attach-cache", &obj);
+ if (result == ISC_R_SUCCESS)
+ cachename = cfg_obj_asstring(obj);
+ else
+ cachename = view->name;
+ cache = NULL;
+ nsc = cachelist_find(cachelist, cachename);
+ if (nsc != NULL) {
+ if (!cache_sharable(nsc->primaryview, view, zero_no_soattl,
+ cleaning_interval, max_cache_size)) {
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
- NS_LOGMODULE_SERVER, ISC_LOG_DEBUG(1),
- "cache cannot be reused for view %s "
+ NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
+ "views %s and %s can't share the cache "
"due to configuration parameter mismatch",
- view->name);
+ nsc->primaryview->name, view->name);
+ result = ISC_R_FAILURE;
+ goto cleanup;
}
- dns_view_getresstats(pview, &resstats);
- dns_view_getresquerystats(pview, &resquerystats);
- dns_view_detach(&pview);
- }
- if (cache == NULL) {
- /*
- * Create a cache.
- *
- * We use two separate memory contexts for the
- * cache, for the main cache memory and the heap
- * memory.
- */
- CHECK(isc_mem_create(0, 0, &cmctx));
- isc_mem_setname(cmctx, "cache", NULL);
- CHECK(isc_mem_create(0, 0, &hmctx));
- isc_mem_setname(hmctx, "cache_heap", NULL);
- CHECK(dns_cache_create3(cmctx, hmctx, ns_g_taskmgr,
- ns_g_timermgr, view->rdclass,
- NULL, "rbt", 0, NULL, &cache));
- isc_mem_detach(&cmctx);
- isc_mem_detach(&hmctx);
+ dns_cache_attach(nsc->cache, &cache);
+ shared_cache = ISC_TRUE;
+ } else {
+ if (strcmp(cachename, view->name) == 0) {
+ result = dns_viewlist_find(&ns_g_server->viewlist,
+ cachename, view->rdclass,
+ &pview);
+ if (result != ISC_R_NOTFOUND && result != ISC_R_SUCCESS)
+ goto cleanup;
+ if (pview != NULL) {
+ if (!cache_reusable(pview, view,
+ zero_no_soattl)) {
+ isc_log_write(ns_g_lctx,
+ NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_SERVER,
+ ISC_LOG_DEBUG(1),
+ "cache cannot be reused "
+ "for view %s due to "
+ "configuration parameter "
+ "mismatch", view->name);
+ } else {
+ INSIST(pview->cache != NULL);
+ isc_log_write(ns_g_lctx,
+ NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_SERVER,
+ ISC_LOG_DEBUG(3),
+ "reusing existing cache");
+ reused_cache = ISC_TRUE;
+ dns_cache_attach(pview->cache, &cache);
+ }
+ dns_view_getresstats(pview, &resstats);
+ dns_view_getresquerystats(pview,
+ &resquerystats);
+ dns_view_detach(&pview);
+ }
+ }
+ if (cache == NULL) {
+ /*
+ * Create a cache with the desired name. This normally
+ * equals the view name, but may also be a forward
+ * reference to a view that share the cache with this
+ * view but is not yet configured. If it is not the
+ * view name but not a forward reference either, then it
+ * is simply a named cache that is not shared.
+ *
+ * We use two separate memory contexts for the
+ * cache, for the main cache memory and the heap
+ * memory.
+ */
+ CHECK(isc_mem_create(0, 0, &cmctx));
+ isc_mem_setname(cmctx, "cache", NULL);
+ CHECK(isc_mem_create(0, 0, &hmctx));
+ isc_mem_setname(hmctx, "cache_heap", NULL);
+ CHECK(dns_cache_create3(cmctx, hmctx, ns_g_taskmgr,
+ ns_g_timermgr, view->rdclass,
+ cachename, "rbt", 0, NULL,
+ &cache));
+ isc_mem_detach(&cmctx);
+ isc_mem_detach(&hmctx);
+ }
+ nsc = isc_mem_get(mctx, sizeof(*nsc));
+ if (nsc == NULL) {
+ result = ISC_R_NOMEMORY;
+ goto cleanup;
+ }
+ nsc->cache = NULL;
+ dns_cache_attach(cache, &nsc->cache);
+ nsc->primaryview = view;
+ nsc->needflush = ISC_FALSE;
+ nsc->adbsizeadjusted = ISC_FALSE;
+ ISC_LINK_INIT(nsc, link);
+ ISC_LIST_APPEND(*cachelist, nsc, link);
}
- dns_view_setcache(view, cache);
+ dns_view_setcache2(view, cache, shared_cache);
/*
* cache-file cannot be inherited if views are present, but this
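Review bot: In the shared branch (`nsc != NULL`) the previous view is never looked up, so `dns_view_getresstats` and `dns_view_getresquerystats` are skipped and `resstats`/`resquerystats` stay NULL for a view that attaches to another view's cache. Judging by the later `dns_view_setresquerystats(view, resquerystats)` context, such a view presumably loses its resolver statistics across a reconfiguration while a view that owns its cache keeps them. If that is intended, the block comment's sentence about statistics being "retrieved and reused" should say it applies only to the non-shared path; otherwise the lookup should move out of the `else`. The same comment also reads `at attach it` where `and attach it` is meant.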
@@ -1315,35 +2115,11 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
result = ns_config_get(maps, "cache-file", &obj);
if (result == ISC_R_SUCCESS && strcmp(view->name, "_bind") != 0) {
CHECK(dns_cache_setfilename(cache, cfg_obj_asstring(obj)));
- if (!reused_cache)
+ if (!reused_cache && !shared_cache)
CHECK(dns_cache_load(cache));
}
- obj = NULL;
- result = ns_config_get(maps, "cleaning-interval", &obj);
- INSIST(result == ISC_R_SUCCESS);
- dns_cache_setcleaninginterval(cache, cfg_obj_asuint32(obj) * 60);
-
- obj = NULL;
- result = ns_config_get(maps, "max-cache-size", &obj);
- INSIST(result == ISC_R_SUCCESS);
- if (cfg_obj_isstring(obj)) {
- str = cfg_obj_asstring(obj);
- INSIST(strcasecmp(str, "unlimited") == 0);
- max_cache_size = ISC_UINT32_MAX;
- } else {
- isc_resourcevalue_t value;
- value = cfg_obj_asuint64(obj);
- if (value > ISC_UINT32_MAX) {
- cfg_obj_log(obj, ns_g_lctx, ISC_LOG_ERROR,
- "'max-cache-size "
- "%" ISC_PRINT_QUADFORMAT "d' is too large",
- value);
- result = ISC_R_RANGE;
- goto cleanup;
- }
- max_cache_size = (isc_uint32_t)value;
- }
+ dns_cache_setcleaninginterval(cache, cleaning_interval);
dns_cache_setcachesize(cache, max_cache_size);
dns_cache_detach(&cache);
@@ -1381,13 +2157,23 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
dns_view_setresquerystats(view, resquerystats);
/*
- * Set the ADB cache size to 1/8th of the max-cache-size.
+ * Set the ADB cache size to 1/8th of the max-cache-size or
+ * MAX_ADB_SIZE_FOR_CACHESHARE when the cache is shared.
*/
max_adb_size = 0;
if (max_cache_size != 0) {
max_adb_size = max_cache_size / 8;
if (max_adb_size == 0)
max_adb_size = 1; /* Force minimum. */
+ if (view != nsc->primaryview &&
+ max_adb_size > MAX_ADB_SIZE_FOR_CACHESHARE) {
+ max_adb_size = MAX_ADB_SIZE_FOR_CACHESHARE;
+ if (!nsc->adbsizeadjusted) {
+ dns_adb_setadbsize(nsc->primaryview->adb,
+ MAX_ADB_SIZE_FOR_CACHESHARE);
+ nsc->adbsizeadjusted = ISC_TRUE;
+ }
+ }
}
dns_adb_setadbsize(view->adb, max_adb_size);
@@ -1403,6 +2189,18 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
dns_resolver_setlamettl(view->resolver, lame_ttl);
/*
+ * Set the resolver's query timeout.
+ */
+ obj = NULL;
+ result = ns_config_get(maps, "resolver-query-timeout", &obj);
+ INSIST(result == ISC_R_SUCCESS);
+ query_timeout = cfg_obj_asuint32(obj);
+ dns_resolver_settimeout(view->resolver, query_timeout);
+
+ /* Specify whether to use 0-TTL for negative response for SOA query */
+ dns_resolver_setzeronosoattl(view->resolver, zero_no_soattl);
+
+ /*
* Set the resolver's EDNS UDP size.
*/
obj = NULL;
@@ -1493,8 +2291,28 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
* Configure the view's TSIG keys.
*/
CHECK(ns_tsigkeyring_fromconfig(config, vconfig, view->mctx, &ring));
+ if (ns_g_server->sessionkey != NULL) {
+ CHECK(dns_tsigkeyring_add(ring, ns_g_server->session_keyname,
+ ns_g_server->sessionkey));
+ }
dns_view_setkeyring(view, ring);
- ring = NULL; /* ownership transferred */
+ dns_tsigkeyring_detach(&ring);
+
+ /*
+ * See if we can re-use a dynamic key ring.
+ */
+ result = dns_viewlist_find(&ns_g_server->viewlist, view->name,
+ view->rdclass, &pview);
+ if (result != ISC_R_NOTFOUND && result != ISC_R_SUCCESS)
+ goto cleanup;
+ if (pview != NULL) {
+ dns_view_getdynamickeyring(pview, &ring);
+ if (ring != NULL)
+ dns_view_setdynamickeyring(view, ring);
+ dns_tsigkeyring_detach(&ring);
+ dns_view_detach(&pview);
+ } else
+ dns_view_restorekeyring(view);
/*
* Configure the view's peer list.
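Review bot: In the dynamic key ring block `dns_tsigkeyring_detach(&ring)` runs whether or not dns_view_getdynamickeyring produced a ring, although the line before it guards on `ring != NULL`. If the getter can leave `ring` NULL, as that guard implies, the detach is handed a NULL pointer; whether that is tolerated depends on dns_tsigkeyring_detach, which is not shown. Putting both calls under the guard removes the question: `if (ring != NULL) { dns_view_setdynamickeyring(view, ring); dns_tsigkeyring_detach(&ring); }`.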
@@ -1551,10 +2369,10 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
/*
* Configure the "match-clients" and "match-destinations" ACL.
*/
- CHECK(configure_view_acl(vconfig, config, "match-clients", actx,
+ CHECK(configure_view_acl(vconfig, config, "match-clients", NULL, actx,
ns_g_mctx, &view->matchclients));
- CHECK(configure_view_acl(vconfig, config, "match-destinations", actx,
- ns_g_mctx, &view->matchdestinations));
+ CHECK(configure_view_acl(vconfig, config, "match-destinations", NULL,
+ actx, ns_g_mctx, &view->matchdestinations));
/*
* Configure the "match-recursive-only" option.
@@ -1626,20 +2444,20 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
* "allow-recursion", and "allow-recursion-on" acls if
* configured in named.conf.
*/
- CHECK(configure_view_acl(vconfig, config, "allow-query-cache",
+ CHECK(configure_view_acl(vconfig, config, "allow-query-cache", NULL,
actx, ns_g_mctx, &view->cacheacl));
- CHECK(configure_view_acl(vconfig, config, "allow-query-cache-on",
+ CHECK(configure_view_acl(vconfig, config, "allow-query-cache-on", NULL,
actx, ns_g_mctx, &view->cacheonacl));
if (view->cacheonacl == NULL)
CHECK(configure_view_acl(NULL, ns_g_config,
- "allow-query-cache-on", actx,
+ "allow-query-cache-on", NULL, actx,
ns_g_mctx, &view->cacheonacl));
if (strcmp(view->name, "_bind") != 0) {
CHECK(configure_view_acl(vconfig, config, "allow-recursion",
- actx, ns_g_mctx,
+ NULL, actx, ns_g_mctx,
&view->recursionacl));
CHECK(configure_view_acl(vconfig, config, "allow-recursion-on",
- actx, ns_g_mctx,
+ NULL, actx, ns_g_mctx,
&view->recursiononacl));
}
@@ -1651,8 +2469,14 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
*/
if (view->cacheacl == NULL && view->recursionacl != NULL)
dns_acl_attach(view->recursionacl, &view->cacheacl);
+ /*
+ * XXXEACH: This call to configure_view_acl() is redundant. We
+ * are leaving it as it is because we are making a minimal change
+ * for a patch release. In the future this should be changed to
+ * dns_acl_attach(view->queryacl, &view->cacheacl).
+ */
if (view->cacheacl == NULL && view->recursion)
- CHECK(configure_view_acl(vconfig, config, "allow-query",
+ CHECK(configure_view_acl(vconfig, config, "allow-query", NULL,
actx, ns_g_mctx, &view->cacheacl));
if (view->recursion &&
view->recursionacl == NULL && view->cacheacl != NULL)
@@ -1664,24 +2488,44 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
*/
if (view->recursionacl == NULL && view->recursion)
CHECK(configure_view_acl(NULL, ns_g_config,
- "allow-recursion",
+ "allow-recursion", NULL,
actx, ns_g_mctx,
&view->recursionacl));
if (view->recursiononacl == NULL && view->recursion)
CHECK(configure_view_acl(NULL, ns_g_config,
- "allow-recursion-on",
+ "allow-recursion-on", NULL,
actx, ns_g_mctx,
&view->recursiononacl));
if (view->cacheacl == NULL) {
if (view->recursion)
CHECK(configure_view_acl(NULL, ns_g_config,
- "allow-query-cache", actx,
- ns_g_mctx, &view->cacheacl));
+ "allow-query-cache", NULL,
+ actx, ns_g_mctx,
+ &view->cacheacl));
else
- CHECK(dns_acl_none(ns_g_mctx, &view->cacheacl));
+ CHECK(dns_acl_none(mctx, &view->cacheacl));
}
/*
+ * Filter setting on addresses in the answer section.
+ */
+ CHECK(configure_view_acl(vconfig, config, "deny-answer-addresses",
+ "acl", actx, ns_g_mctx, &view->denyansweracl));
+ CHECK(configure_view_nametable(vconfig, config, "deny-answer-addresses",
+ "except-from", ns_g_mctx,
+ &view->answeracl_exclude));
+
+ /*
+ * Filter setting on names (CNAME/DNAME targets) in the answer section.
+ */
+ CHECK(configure_view_nametable(vconfig, config, "deny-answer-aliases",
+ "name", ns_g_mctx,
+ &view->denyanswernames));
+ CHECK(configure_view_nametable(vconfig, config, "deny-answer-aliases",
+ "except-from", ns_g_mctx,
+ &view->answernames_exclude));
+
+ /*
* Configure sortlist, if set
*/
CHECK(configure_view_sortlist(vconfig, config, actx, ns_g_mctx,
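Review bot: `CHECK(dns_acl_none(mctx, &view->cacheacl));` now allocates from `mctx`, while every other ACL built in this hunk, including the new `deny-answer-addresses` one, still uses `ns_g_mctx`. Whether the two contexts can differ is not visible here, but the mixed usage makes the ownership of the view's ACLs harder to reason about. Either keep `ns_g_mctx` in this call or add a comment explaining why it alone differs.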
@@ -1694,19 +2538,19 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
*/
if (view->notifyacl == NULL)
CHECK(configure_view_acl(NULL, ns_g_config,
- "allow-notify", actx,
+ "allow-notify", NULL, actx,
ns_g_mctx, &view->notifyacl));
if (view->transferacl == NULL)
CHECK(configure_view_acl(NULL, ns_g_config,
- "allow-transfer", actx,
+ "allow-transfer", NULL, actx,
ns_g_mctx, &view->transferacl));
if (view->updateacl == NULL)
CHECK(configure_view_acl(NULL, ns_g_config,
- "allow-update", actx,
+ "allow-update", NULL, actx,
ns_g_mctx, &view->updateacl));
if (view->upfwdacl == NULL)
CHECK(configure_view_acl(NULL, ns_g_config,
- "allow-update-forwarding", actx,
+ "allow-update-forwarding", NULL, actx,
ns_g_mctx, &view->upfwdacl));
obj = NULL;
@@ -1736,13 +2580,52 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
cfg_obj_asuint32(obj),
max_clients_per_query);
+#ifdef ALLOW_FILTER_AAAA_ON_V4
+ obj = NULL;
+ result = ns_config_get(maps, "filter-aaaa-on-v4", &obj);
+ INSIST(result == ISC_R_SUCCESS);
+ if (cfg_obj_isboolean(obj)) {
+ if (cfg_obj_asboolean(obj))
+ view->v4_aaaa = dns_v4_aaaa_filter;
+ else
+ view->v4_aaaa = dns_v4_aaaa_ok;
+ } else {
+ const char *v4_aaaastr = cfg_obj_asstring(obj);
+ if (strcasecmp(v4_aaaastr, "break-dnssec") == 0)
+ view->v4_aaaa = dns_v4_aaaa_break_dnssec;
+ else
+ INSIST(0);
+ }
+ CHECK(configure_view_acl(vconfig, config, "filter-aaaa", NULL,
+ actx, ns_g_mctx, &view->v4_aaaa_acl));
+#endif
+
obj = NULL;
result = ns_config_get(maps, "dnssec-enable", &obj);
INSIST(result == ISC_R_SUCCESS);
view->enablednssec = cfg_obj_asboolean(obj);
obj = NULL;
- result = ns_config_get(maps, "dnssec-lookaside", &obj);
+ result = ns_config_get(optionmaps, "dnssec-lookaside", &obj);
+ if (result == ISC_R_SUCCESS) {
+ /* If set to "auto", use the version from the defaults */
+ const cfg_obj_t *dlvobj;
+ const char *dom;
+ dlvobj = cfg_listelt_value(cfg_list_first(obj));
+ dom = cfg_obj_asstring(cfg_tuple_get(dlvobj, "domain"));
+ if (cfg_obj_isvoid(cfg_tuple_get(dlvobj, "trust-anchor"))) {
+ /* If "no", skip; if "auto", use global default */
+ if (!strcasecmp(dom, "no"))
+ result = ISC_R_NOTFOUND;
+ else if (!strcasecmp(dom, "auto")) {
+ auto_dlv = ISC_TRUE;
+ obj = NULL;
+ result = cfg_map_get(ns_g_defaults,
+ "dnssec-lookaside", &obj);
+ }
+ }
+ }
+
if (result == ISC_R_SUCCESS) {
for (element = cfg_list_first(obj);
element != NULL;
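Review bot: When `trust-anchor` is void and `domain` is neither `no` nor `auto`, the new dnssec-lookaside block leaves `result` at `ISC_R_SUCCESS`, and the loop that follows calls `cfg_obj_asstring` on that same void `trust-anchor` member in the next hunk. The parser or named-checkconf may already reject such input, but nothing visible here does. An explicit final `else` that logs the entry with `cfg_obj_log` and fails the configuration would make the three cases exhaustive. The block also passes `cfg_list_first(obj)` to cfg_listelt_value without checking for an empty list.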
@@ -1753,31 +2636,13 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
dns_name_t *dlv;
obj = cfg_listelt_value(element);
-#if 0
- dns_fixedname_t fixed;
- dns_name_t *name;
-
- /*
- * When we support multiple dnssec-lookaside
- * entries this is how to find the domain to be
- * checked. XXXMPA
- */
- dns_fixedname_init(&fixed);
- name = dns_fixedname_name(&fixed);
- str = cfg_obj_asstring(cfg_tuple_get(obj,
- "domain"));
- isc_buffer_init(&b, str, strlen(str));
- isc_buffer_add(&b, strlen(str));
- CHECK(dns_name_fromtext(name, &b, dns_rootname,
- ISC_TRUE, NULL));
-#endif
str = cfg_obj_asstring(cfg_tuple_get(obj,
"trust-anchor"));
isc_buffer_init(&b, str, strlen(str));
isc_buffer_add(&b, strlen(str));
dlv = dns_fixedname_name(&view->dlv_fixed);
CHECK(dns_name_fromtext(dlv, &b, dns_rootname,
- ISC_TRUE, NULL));
+ DNS_NAME_DOWNCASE, NULL));
view->dlv = dns_fixedname_name(&view->dlv_fixed);
}
} else
@@ -1787,8 +2652,8 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
* For now, there is only one kind of trusted keys, the
* "security roots".
*/
- CHECK(configure_view_dnsseckeys(vconfig, config, mctx,
- &view->secroots));
+ CHECK(configure_view_dnsseckeys(view, vconfig, config, bindkeys,
+ auto_dlv, auto_root, mctx));
dns_resolver_resetmustbesecure(view->resolver);
obj = NULL;
result = ns_config_get(maps, "dnssec-must-be-secure", &obj);
@@ -1829,7 +2694,7 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
isc_buffer_init(&b, str, strlen(str));
isc_buffer_add(&b, strlen(str));
CHECK(dns_name_fromtext(name, &b, dns_rootname,
- ISC_FALSE, NULL));
+ 0, NULL));
CHECK(dns_view_excludedelegationonly(view,
name));
}
@@ -1882,8 +2747,8 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
str = cfg_obj_asstring(obj);
isc_buffer_init(&buffer, str, strlen(str));
isc_buffer_add(&buffer, strlen(str));
- CHECK(dns_name_fromtext(name, &buffer, dns_rootname,
- ISC_FALSE, NULL));
+ CHECK(dns_name_fromtext(name, &buffer, dns_rootname, 0,
+ NULL));
isc_buffer_init(&buffer, server, sizeof(server) - 1);
CHECK(dns_name_totext(name, ISC_FALSE, &buffer));
server[isc_buffer_usedlength(&buffer)] = 0;
@@ -1897,8 +2762,8 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
str = cfg_obj_asstring(obj);
isc_buffer_init(&buffer, str, strlen(str));
isc_buffer_add(&buffer, strlen(str));
- CHECK(dns_name_fromtext(name, &buffer, dns_rootname,
- ISC_FALSE, NULL));
+ CHECK(dns_name_fromtext(name, &buffer, dns_rootname, 0,
+ NULL));
isc_buffer_init(&buffer, contact, sizeof(contact) - 1);
CHECK(dns_name_totext(name, ISC_FALSE, &buffer));
contact[isc_buffer_usedlength(&buffer)] = 0;
@@ -1924,8 +2789,8 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
/*
* Look for zone on drop list.
*/
- CHECK(dns_name_fromtext(name, &buffer, dns_rootname,
- ISC_FALSE, NULL));
+ CHECK(dns_name_fromtext(name, &buffer, dns_rootname, 0,
+ NULL));
if (disablelist != NULL &&
on_disable_list(disablelist, name))
continue;
@@ -1996,7 +2861,8 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
CHECK(dns_zone_create(&zone, mctx));
CHECK(dns_zone_setorigin(zone, name));
dns_zone_setview(zone, view);
- CHECK(dns_zonemgr_managezone(ns_g_server->zonemgr, zone));
+ CHECK(dns_zonemgr_managezone(ns_g_server->zonemgr,
+ zone));
dns_zone_setclass(zone, view->rdclass);
dns_zone_settype(zone, dns_zone_master);
dns_zone_setstats(zone, ns_g_server->zonestats);
@@ -2020,11 +2886,60 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
}
}
+ /*
+ * Make the list of response policy zone names for views that
+ * are used for real lookups and so care about hints.
+ */
+ obj = NULL;
+ if (view->rdclass == dns_rdataclass_in && need_hints &&
+ ns_config_get(maps, "response-policy", &obj) == ISC_R_SUCCESS) {
+ const cfg_obj_t *recursive_only_obj;
+ const cfg_obj_t *break_dnssec_obj, *ttl_obj;
+ isc_boolean_t recursive_only_def;
+ dns_ttl_t ttl_def;
+
+ recursive_only_obj = cfg_tuple_get(obj, "recursive-only");
+ if (!cfg_obj_isvoid(recursive_only_obj) &&
+ !cfg_obj_asboolean(recursive_only_obj))
+ recursive_only_def = ISC_FALSE;
+ else
+ recursive_only_def = ISC_TRUE;
+
+ break_dnssec_obj = cfg_tuple_get(obj, "break-dnssec");
+ if (!cfg_obj_isvoid(break_dnssec_obj) &&
+ cfg_obj_asboolean(break_dnssec_obj))
+ view->rpz_break_dnssec = ISC_TRUE;
+ else
+ view->rpz_break_dnssec = ISC_FALSE;
+
+ ttl_obj = cfg_tuple_get(obj, "max-policy-ttl");
+ if (cfg_obj_isuint32(ttl_obj))
+ ttl_def = cfg_obj_asuint32(ttl_obj);
+ else
+ ttl_def = DNS_RPZ_MAX_TTL_DEFAULT;
+
+ for (element = cfg_list_first(cfg_tuple_get(obj, "zone list"));
+ element != NULL;
+ element = cfg_list_next(element)) {
+ result = configure_rpz(view, element,
+ recursive_only_def, ttl_def);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+ dns_rpz_set_need(ISC_TRUE);
+ }
+ }
+
result = ISC_R_SUCCESS;
cleanup:
+ if (clients != NULL)
+ dns_acl_detach(&clients);
+ if (mapped != NULL)
+ dns_acl_detach(&mapped);
+ if (excluded != NULL)
+ dns_acl_detach(&excluded);
if (ring != NULL)
- dns_tsigkeyring_destroy(&ring);
+ dns_tsigkeyring_detach(&ring);
if (zone != NULL)
dns_zone_detach(&zone);
if (dispatch4 != NULL)
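Review bot: `response-policy` is applied only when `view->rdclass == dns_rdataclass_in && need_hints` holds, and a view that fails the test skips the whole block without a log line. An operator who relies on the policy zones as a filtering control therefore gets no indication that they are inactive for that view. `view->rpz_break_dnssec` is also assigned only inside the block. I would set `view->rpz_break_dnssec = ISC_FALSE;` before the `if`, and add a branch that writes an ISC_LOG_WARNING naming the view when `response-policy` is configured but skipped. `need_hints` is defined outside the hunk, so the exact set of affected views cannot be seen here.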
@@ -2117,8 +3032,8 @@ configure_alternates(const cfg_obj_t *config, dns_view_t *view,
isc_buffer_add(&buffer, strlen(str));
dns_fixedname_init(&fixed);
name = dns_fixedname_name(&fixed);
- CHECK(dns_name_fromtext(name, &buffer, dns_rootname,
- ISC_FALSE, NULL));
+ CHECK(dns_name_fromtext(name, &buffer, dns_rootname, 0,
+ NULL));
portobj = cfg_tuple_get(alternate, "port");
if (cfg_obj_isuint32(portobj)) {
@@ -2346,7 +3261,7 @@ create_view(const cfg_obj_t *vconfig, dns_viewlist_t *viewlist,
static isc_result_t
configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
const cfg_obj_t *vconfig, isc_mem_t *mctx, dns_view_t *view,
- cfg_aclconfctx_t *aclconf)
+ cfg_aclconfctx_t *aclconf, isc_boolean_t added)
{
dns_view_t *pview = NULL; /* Production view */
dns_zone_t *zone = NULL; /* New or reused zone */
@@ -2379,7 +3294,7 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
isc_buffer_add(&buffer, strlen(zname));
dns_fixedname_init(&fixorigin);
CHECK(dns_name_fromtext(dns_fixedname_name(&fixorigin),
- &buffer, dns_rootname, ISC_FALSE, NULL));
+ &buffer, dns_rootname, 0, NULL));
origin = dns_fixedname_name(&fixorigin);
CHECK(ns_config_getclass(cfg_tuple_get(zconfig, "class"),
@@ -2409,7 +3324,7 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
ztypestr = cfg_obj_asstring(typeobj);
/*
- * "hints zones" aren't zones. If we've got one,
+ * "hints zones" aren't zones. If we've got one,
* configure it and return.
*/
if (strcasecmp(ztypestr, "hint") == 0) {
@@ -2560,6 +3475,11 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
}
/*
+ * Mark whether the zone was originally added at runtime or not
+ */
+ dns_zone_setadded(zone, added);
+
+ /*
* Configure the zone.
*/
CHECK(ns_zone_configure(config, vconfig, zconfig, aclconf, zone));
@@ -2569,6 +3489,12 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
*/
CHECK(dns_view_addzone(view, zone));
+ /*
+ * Ensure that zone keys are reloaded on reconfig
+ */
+ if ((dns_zone_getkeyopts(zone) & DNS_ZONEKEY_MAINTAIN) != 0)
+ dns_zone_rekey(zone, ISC_FALSE);
+
cleanup:
if (zone != NULL)
dns_zone_detach(&zone);
@@ -2579,6 +3505,96 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
}
/*
+ * Configure built-in zone for storing managed-key data.
+ */
+
+#define KEYZONE "managed-keys.bind"
+#define MKEYS ".mkeys"
+
+static isc_result_t
+add_keydata_zone(dns_view_t *view, const char *directory, isc_mem_t *mctx) {
+ isc_result_t result;
+ dns_view_t *pview = NULL;
+ dns_zone_t *zone = NULL;
+ dns_acl_t *none = NULL;
+ char filename[PATH_MAX];
+ char buffer[ISC_SHA256_DIGESTSTRINGLENGTH + sizeof(MKEYS)];
+ int n;
+
+ REQUIRE(view != NULL);
+
+ /* See if we can re-use an existing keydata zone. */
+ result = dns_viewlist_find(&ns_g_server->viewlist,
+ view->name, view->rdclass,
+ &pview);
+ if (result != ISC_R_NOTFOUND &&
+ result != ISC_R_SUCCESS)
+ return (result);
+
+ if (pview != NULL && pview->managed_keys != NULL) {
+ dns_zone_attach(pview->managed_keys, &view->managed_keys);
+ dns_zone_setview(pview->managed_keys, view);
+ dns_view_detach(&pview);
+ dns_zone_synckeyzone(view->managed_keys);
+ return (ISC_R_SUCCESS);
+ }
+
+ /* No existing keydata zone was found; create one */
+ CHECK(dns_zone_create(&zone, mctx));
+ CHECK(dns_zone_setorigin(zone, dns_rootname));
+
+ isc_sha256_data((void *)view->name, strlen(view->name), buffer);
+ strcat(buffer, MKEYS);
+ n = snprintf(filename, sizeof(filename), "%s%s%s",
+ directory ? directory : "", directory ? "/" : "",
+ strcmp(view->name, "_default") == 0 ? KEYZONE : buffer);
+ if (n < 0 || (size_t)n >= sizeof(filename)) {
+ result = (n < 0) ? ISC_R_FAILURE : ISC_R_NOSPACE;
+ goto cleanup;
+ }
+ CHECK(dns_zone_setfile(zone, filename));
+
+ dns_zone_setview(zone, view);
+ dns_zone_settype(zone, dns_zone_key);
+ dns_zone_setclass(zone, view->rdclass);
+
+ CHECK(dns_zonemgr_managezone(ns_g_server->zonemgr, zone));
+
+ if (view->acache != NULL)
+ dns_zone_setacache(zone, view->acache);
+
+ CHECK(dns_acl_none(mctx, &none));
+ dns_zone_setqueryacl(zone, none);
+ dns_zone_setqueryonacl(zone, none);
+ dns_acl_detach(&none);
+
+ dns_zone_setdialup(zone, dns_dialuptype_no);
+ dns_zone_setnotifytype(zone, dns_notifytype_no);
+ dns_zone_setoption(zone, DNS_ZONEOPT_NOCHECKNS, ISC_TRUE);
+ dns_zone_setjournalsize(zone, 0);
+
+ dns_zone_setstats(zone, ns_g_server->zonestats);
+ CHECK(setquerystats(zone, mctx, ISC_FALSE));
+
+ if (view->managed_keys != NULL)
+ dns_zone_detach(&view->managed_keys);
+ dns_zone_attach(zone, &view->managed_keys);
+
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_SERVER, ISC_LOG_INFO,
+ "set up managed keys zone for view %s, file '%s'",
+ view->name, filename);
+
+cleanup:
+ if (zone != NULL)
+ dns_zone_detach(&zone);
+ if (none != NULL)
+ dns_acl_detach(&none);
+
+ return (result);
+}
+
+/*
* Configure a single server quota.
*/
static void
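Review bot: add_keydata_zone() leaks the `pview` reference when `dns_viewlist_find()` succeeds but `pview->managed_keys` is NULL. The reuse branch detaches it, but the create path falls through to `cleanup:`, where only `zone` and `none` are released; this assumes the lookup returns an attached reference, as the reuse branch suggests. Adding `if (pview != NULL) dns_view_detach(&pview);` under `cleanup:` covers both the success and the error exits. Separately, `strcat(buffer, MKEYS)` is in bounds only because of how `buffer` is declared; building the name with `snprintf()` and checking its return value, as is already done for `filename`, would keep the bound explicit.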
@@ -2974,6 +3990,291 @@ removed(dns_zone_t *zone, void *uap) {
return (ISC_R_SUCCESS);
}
+static void
+cleanup_session_key(ns_server_t *server, isc_mem_t *mctx) {
+ if (server->session_keyfile != NULL) {
+ isc_file_remove(server->session_keyfile);
+ isc_mem_free(mctx, server->session_keyfile);
+ server->session_keyfile = NULL;
+ }
+
+ if (server->session_keyname != NULL) {
+ if (dns_name_dynamic(server->session_keyname))
+ dns_name_free(server->session_keyname, mctx);
+ isc_mem_put(mctx, server->session_keyname, sizeof(dns_name_t));
+ server->session_keyname = NULL;
+ }
+
+ if (server->sessionkey != NULL)
+ dns_tsigkey_detach(&server->sessionkey);
+
+ server->session_keyalg = DST_ALG_UNKNOWN;
+ server->session_keybits = 0;
+}
+
+static isc_result_t
+generate_session_key(const char *filename, const char *keynamestr,
+ dns_name_t *keyname, const char *algstr,
+ dns_name_t *algname, unsigned int algtype,
+ isc_uint16_t bits, isc_mem_t *mctx,
+ dns_tsigkey_t **tsigkeyp)
+{
+ isc_result_t result = ISC_R_SUCCESS;
+ dst_key_t *key = NULL;
+ isc_buffer_t key_txtbuffer;
+ isc_buffer_t key_rawbuffer;
+ char key_txtsecret[256];
+ char key_rawsecret[64];
+ isc_region_t key_rawregion;
+ isc_stdtime_t now;
+ dns_tsigkey_t *tsigkey = NULL;
+ FILE *fp = NULL;
+
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_SERVER, ISC_LOG_INFO,
+ "generating session key for dynamic DNS");
+
+ /* generate key */
+ result = dst_key_generate(keyname, algtype, bits, 1, 0,
+ DNS_KEYPROTO_ANY, dns_rdataclass_in,
+ mctx, &key);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ /*
+ * Dump the key to the buffer for later use. Should be done before
+ * we transfer the ownership of key to tsigkey.
+ */
+ isc_buffer_init(&key_rawbuffer, &key_rawsecret, sizeof(key_rawsecret));
+ CHECK(dst_key_tobuffer(key, &key_rawbuffer));
+
+ isc_buffer_usedregion(&key_rawbuffer, &key_rawregion);
+ isc_buffer_init(&key_txtbuffer, &key_txtsecret, sizeof(key_txtsecret));
+ CHECK(isc_base64_totext(&key_rawregion, -1, "", &key_txtbuffer));
+
+ /* Store the key in tsigkey. */
+ isc_stdtime_get(&now);
+ CHECK(dns_tsigkey_createfromkey(dst_key_name(key), algname, key,
+ ISC_FALSE, NULL, now, now, mctx, NULL,
+ &tsigkey));
+
+ /* Dump the key to the key file. */
+ fp = ns_os_openfile(filename, S_IRUSR|S_IWUSR, ISC_TRUE);
+ if (fp == NULL) {
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
+ "could not create %s", filename);
+ result = ISC_R_NOPERM;
+ goto cleanup;
+ }
+
+ fprintf(fp, "key \"%s\" {\n"
+ "\talgorithm %s;\n"
+ "\tsecret \"%.*s\";\n};\n", keynamestr, algstr,
+ (int) isc_buffer_usedlength(&key_txtbuffer),
+ (char*) isc_buffer_base(&key_txtbuffer));
+
+ RUNTIME_CHECK(isc_stdio_flush(fp) == ISC_R_SUCCESS);
+ RUNTIME_CHECK(isc_stdio_close(fp) == ISC_R_SUCCESS);
+
+ dst_key_free(&key);
+
+ *tsigkeyp = tsigkey;
+
+ return (ISC_R_SUCCESS);
+
+ cleanup:
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
+ "failed to generate session key "
+ "for dynamic DNS: %s", isc_result_totext(result));
+ if (tsigkey != NULL)
+ dns_tsigkey_detach(&tsigkey);
+ if (key != NULL)
+ dst_key_free(&key);
+
+ return (result);
+}
+
+static isc_result_t
+configure_session_key(const cfg_obj_t **maps, ns_server_t *server,
+ isc_mem_t *mctx)
+{
+ const char *keyfile, *keynamestr, *algstr;
+ unsigned int algtype;
+ dns_fixedname_t fname;
+ dns_name_t *keyname, *algname;
+ isc_buffer_t buffer;
+ isc_uint16_t bits;
+ const cfg_obj_t *obj;
+ isc_boolean_t need_deleteold = ISC_FALSE;
+ isc_boolean_t need_createnew = ISC_FALSE;
+ isc_result_t result;
+
+ obj = NULL;
+ result = ns_config_get(maps, "session-keyfile", &obj);
+ if (result == ISC_R_SUCCESS) {
+ if (cfg_obj_isvoid(obj))
+ keyfile = NULL; /* disable it */
+ else
+ keyfile = cfg_obj_asstring(obj);
+ } else
+ keyfile = ns_g_defaultsessionkeyfile;
+
+ obj = NULL;
+ result = ns_config_get(maps, "session-keyname", &obj);
+ INSIST(result == ISC_R_SUCCESS);
+ keynamestr = cfg_obj_asstring(obj);
+ dns_fixedname_init(&fname);
+ isc_buffer_init(&buffer, keynamestr, strlen(keynamestr));
+ isc_buffer_add(&buffer, strlen(keynamestr));
+ keyname = dns_fixedname_name(&fname);
+ result = dns_name_fromtext(keyname, &buffer, dns_rootname, 0, NULL);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ obj = NULL;
+ result = ns_config_get(maps, "session-keyalg", &obj);
+ INSIST(result == ISC_R_SUCCESS);
+ algstr = cfg_obj_asstring(obj);
+ algname = NULL;
+ result = ns_config_getkeyalgorithm2(algstr, &algname, &algtype, &bits);
+ if (result != ISC_R_SUCCESS) {
+ const char *s = " (keeping current key)";
+
+ cfg_obj_log(obj, ns_g_lctx, ISC_LOG_ERROR, "session-keyalg: "
+ "unsupported or unknown algorithm '%s'%s",
+ algstr,
+ server->session_keyfile != NULL ? s : "");
+ return (result);
+ }
+
+ /* See if we need to (re)generate a new key. */
+ if (keyfile == NULL) {
+ if (server->session_keyfile != NULL)
+ need_deleteold = ISC_TRUE;
+ } else if (server->session_keyfile == NULL)
+ need_createnew = ISC_TRUE;
+ else if (strcmp(keyfile, server->session_keyfile) != 0 ||
+ !dns_name_equal(server->session_keyname, keyname) ||
+ server->session_keyalg != algtype ||
+ server->session_keybits != bits) {
+ need_deleteold = ISC_TRUE;
+ need_createnew = ISC_TRUE;
+ }
+
+ if (need_deleteold) {
+ INSIST(server->session_keyfile != NULL);
+ INSIST(server->session_keyname != NULL);
+ INSIST(server->sessionkey != NULL);
+
+ cleanup_session_key(server, mctx);
+ }
+
+ if (need_createnew) {
+ INSIST(server->sessionkey == NULL);
+ INSIST(server->session_keyfile == NULL);
+ INSIST(server->session_keyname == NULL);
+ INSIST(server->session_keyalg == DST_ALG_UNKNOWN);
+ INSIST(server->session_keybits == 0);
+
+ server->session_keyname = isc_mem_get(mctx, sizeof(dns_name_t));
+ if (server->session_keyname == NULL)
+ goto cleanup;
+ dns_name_init(server->session_keyname, NULL);
+ CHECK(dns_name_dup(keyname, mctx, server->session_keyname));
+
+ server->session_keyfile = isc_mem_strdup(mctx, keyfile);
+ if (server->session_keyfile == NULL)
+ goto cleanup;
+
+ server->session_keyalg = algtype;
+ server->session_keybits = bits;
+
+ CHECK(generate_session_key(keyfile, keynamestr, keyname, algstr,
+ algname, algtype, bits, mctx,
+ &server->sessionkey));
+ }
+
+ return (result);
+
+ cleanup:
+ cleanup_session_key(server, mctx);
+ return (result);
+}
+
+static isc_result_t
+setup_newzones(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
+ cfg_parser_t *parser, cfg_aclconfctx_t *actx)
+{
+ isc_result_t result = ISC_R_SUCCESS;
+ isc_boolean_t allow = ISC_FALSE;
+ struct cfg_context *nzcfg = NULL;
+ cfg_parser_t *nzparser = NULL;
+ cfg_obj_t *nzconfig = NULL;
+ const cfg_obj_t *maps[4];
+ const cfg_obj_t *options = NULL, *voptions = NULL;
+ const cfg_obj_t *nz = NULL;
+ int i = 0;
+
+ REQUIRE (config != NULL);
+
+ if (vconfig != NULL)
+ voptions = cfg_tuple_get(vconfig, "options");
+ if (voptions != NULL)
+ maps[i++] = voptions;
+ result = cfg_map_get(config, "options", &options);
+ if (result == ISC_R_SUCCESS)
+ maps[i++] = options;
+ maps[i++] = ns_g_defaults;
+ maps[i] = NULL;
+
+ result = ns_config_get(maps, "allow-new-zones", &nz);
+ if (result == ISC_R_SUCCESS)
+ allow = cfg_obj_asboolean(nz);
+
+ if (!allow) {
+ dns_view_setnewzones(view, ISC_FALSE, NULL, NULL);
+ return (ISC_R_SUCCESS);
+ }
+
+ nzcfg = isc_mem_get(view->mctx, sizeof(*nzcfg));
+ if (nzcfg == NULL) {
+ dns_view_setnewzones(view, ISC_FALSE, NULL, NULL);
+ return (ISC_R_NOMEMORY);
+ }
+
+ dns_view_setnewzones(view, allow, nzcfg, newzone_cfgctx_destroy);
+
+ memset(nzcfg, 0, sizeof(*nzcfg));
+ isc_mem_attach(view->mctx, &nzcfg->mctx);
+ cfg_obj_attach(config, &nzcfg->config);
+ cfg_parser_attach(parser, &nzcfg->parser);
+ cfg_aclconfctx_attach(actx, &nzcfg->actx);
+
+ /*
+ * Attempt to create a parser and parse the newzones
+ * file. If successful, preserve both; otherwise leave
+ * them NULL.
+ */
+ result = cfg_parser_create(view->mctx, ns_g_lctx, &nzparser);
+ if (result == ISC_R_SUCCESS)
+ result = cfg_parse_file(nzparser, view->new_zone_file,
+ &cfg_type_newzones, &nzconfig);
+ if (result == ISC_R_SUCCESS) {
+ cfg_parser_attach(nzparser, &nzcfg->nzparser);
+ cfg_obj_attach(nzconfig, &nzcfg->nzconfig);
+ }
+
+ if (nzparser != NULL) {
+ if (nzconfig != NULL)
+ cfg_obj_destroy(nzparser, &nzconfig);
+ cfg_parser_destroy(&nzparser);
+ }
+
+ return (ISC_R_SUCCESS);
+}
+
static int
count_zones(const cfg_obj_t *conf) {
const cfg_obj_t *zonelist = NULL;
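Review bot: configure_session_key() returns success when allocation fails: `if (server->session_keyname == NULL) goto cleanup;` and the matching check after `isc_mem_strdup()` both jump out with `result` still ISC_R_SUCCESS from the algorithm lookup, so the caller cannot tell that no session key exists. Set `result = ISC_R_NOMEMORY;` before each `goto`. The early return after `dns_name_fromtext()` also produces no log line, unlike the algorithm and key-generation failures. In generate_session_key(), `key_rawsecret` and `key_txtsecret` hold the TSIG secret on the stack and are left untouched on both exits; clearing them before returning, in a way the compiler will not elide, would limit how long the secret stays in memory. In setup_newzones() the result of `cfg_parse_file()` is dropped, so a new-zones file that fails to parse is skipped with no log.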
@@ -2995,9 +4296,8 @@ static isc_result_t
load_configuration(const char *filename, ns_server_t *server,
isc_boolean_t first_time)
{
- cfg_aclconfctx_t aclconfctx;
- cfg_obj_t *config;
- cfg_parser_t *parser = NULL;
+ cfg_obj_t *config = NULL, *bindkeys = NULL;
+ cfg_parser_t *conf_parser = NULL, *bindkeys_parser = NULL;
const cfg_listelt_t *element;
const cfg_obj_t *builtin_views;
const cfg_obj_t *maps[3];
@@ -3008,7 +4308,7 @@ load_configuration(const char *filename, ns_server_t *server,
dns_view_t *view = NULL;
dns_view_t *view_next;
dns_viewlist_t tmpviewlist;
- dns_viewlist_t viewlist;
+ dns_viewlist_t viewlist, builtin_viewlist;
in_port_t listen_port, udpport_low, udpport_high;
int i;
isc_interval_t interval;
@@ -3020,12 +4320,21 @@ load_configuration(const char *filename, ns_server_t *server,
isc_uint32_t interface_interval;
isc_uint32_t reserved;
isc_uint32_t udpsize;
+ ns_cachelist_t cachelist, tmpcachelist;
unsigned int maxsocks;
+ ns_cache_t *nsc;
+ struct cfg_context *nzctx;
int num_zones = 0;
isc_boolean_t exclusive = ISC_FALSE;
- cfg_aclconfctx_init(&aclconfctx);
ISC_LIST_INIT(viewlist);
+ ISC_LIST_INIT(builtin_viewlist);
+ ISC_LIST_INIT(cachelist);
+
+ /* Create the ACL configuration context */
+ if (ns_g_aclconfctx != NULL)
+ cfg_aclconfctx_detach(&ns_g_aclconfctx);
+ CHECK(cfg_aclconfctx_create(ns_g_mctx, &ns_g_aclconfctx));
/*
* Parse the global default pseudo-config file.
@@ -3033,8 +4342,7 @@ load_configuration(const char *filename, ns_server_t *server,
if (first_time) {
CHECK(ns_config_parsedefaults(ns_g_parser, &ns_g_config));
RUNTIME_CHECK(cfg_map_get(ns_g_config, "options",
- &ns_g_defaults) ==
- ISC_R_SUCCESS);
+ &ns_g_defaults) == ISC_R_SUCCESS);
}
/*
@@ -3051,10 +4359,10 @@ load_configuration(const char *filename, ns_server_t *server,
NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
ISC_LOG_INFO, "loading configuration from '%s'",
filename);
- CHECK(cfg_parser_create(ns_g_mctx, ns_g_lctx, &parser));
- cfg_parser_setcallback(parser, directory_callback, NULL);
- result = cfg_parse_file(parser, filename, &cfg_type_namedconf,
- &config);
+ CHECK(cfg_parser_create(ns_g_mctx, ns_g_lctx, &conf_parser));
+ cfg_parser_setcallback(conf_parser, directory_callback, NULL);
+ result = cfg_parse_file(conf_parser, filename,
+ &cfg_type_namedconf, &config);
}
/*
@@ -3069,10 +4377,10 @@ load_configuration(const char *filename, ns_server_t *server,
NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
ISC_LOG_INFO, "loading configuration from '%s'",
lwresd_g_resolvconffile);
- if (parser != NULL)
- cfg_parser_destroy(&parser);
- CHECK(cfg_parser_create(ns_g_mctx, ns_g_lctx, &parser));
- result = ns_lwresd_parseeresolvconf(ns_g_mctx, parser,
+ if (conf_parser != NULL)
+ cfg_parser_destroy(&conf_parser);
+ CHECK(cfg_parser_create(ns_g_mctx, ns_g_lctx, &conf_parser));
+ result = ns_lwresd_parseeresolvconf(ns_g_mctx, conf_parser,
&config);
}
CHECK(result);
@@ -3093,6 +4401,31 @@ load_configuration(const char *filename, ns_server_t *server,
maps[i++] = ns_g_defaults;
maps[i] = NULL;
+ /*
+ * If bind.keys exists, load it. If "dnssec-lookaside auto"
+ * is turned on, the keys found there will be used as default
+ * trust anchors.
+ */
+ obj = NULL;
+ result = ns_config_get(maps, "bindkeys-file", &obj);
+ INSIST(result == ISC_R_SUCCESS);
+ CHECKM(setstring(server, &server->bindkeysfile,
+ cfg_obj_asstring(obj)), "strdup");
+
+ if (access(server->bindkeysfile, R_OK) == 0) {
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_SERVER, ISC_LOG_INFO,
+ "reading built-in trusted "
+ "keys from file '%s'", server->bindkeysfile);
+
+ CHECK(cfg_parser_create(ns_g_mctx, ns_g_lctx,
+ &bindkeys_parser));
+
+ result = cfg_parse_file(bindkeys_parser, server->bindkeysfile,
+ &cfg_type_bindkeys, &bindkeys);
+ CHECK(result);
+ }
+
/* Ensure exclusive access to configuration data. */
if (!exclusive) {
result = isc_task_beginexclusive(server->task);
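Review bot: The `access(server->bindkeysfile, R_OK)` test and the later `cfg_parse_file()` form a check-then-use pair, and `access()` evaluates the real rather than the effective user ID, so the check can disagree with what the open actually does. Because the comment says the keys in this file become default trust anchors, I would state the ownership requirement next to it, e.g. `/* bind.keys supplies trust anchors: it must not be writable by unprivileged users. */`. Once the file is readable, a parse error fails the whole configuration load through `CHECK(result)`; if that is intended, a log line naming the file would help the operator. load_configuration's body starts and ends outside the hunk.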
@@ -3107,7 +4440,7 @@ load_configuration(const char *filename, ns_server_t *server,
/*
* Check if max number of open sockets that the system allows is
- * sufficiently large. Failing this condition is not necessarily fatal,
+ * sufficiently large. Failing this condition is not necessarily fatal,
* but may cause subsequent runtime failures for a busy recursive
* server.
*/
@@ -3160,8 +4493,9 @@ load_configuration(const char *filename, ns_server_t *server,
else
isc_quota_soft(&server->recursionquota, 0);
- CHECK(configure_view_acl(NULL, config, "blackhole", &aclconfctx,
- ns_g_mctx, &server->blackholeacl));
+ CHECK(configure_view_acl(NULL, config, "blackhole", NULL,
+ ns_g_aclconfctx, ns_g_mctx,
+ &server->blackholeacl));
if (server->blackholeacl != NULL)
dns_dispatchmgr_setblackhole(ns_g_dispatchmgr,
server->blackholeacl);
@@ -3171,7 +4505,7 @@ load_configuration(const char *filename, ns_server_t *server,
INSIST(result == ISC_R_SUCCESS);
server->aclenv.match_mapped = cfg_obj_asboolean(obj);
- CHECKM(ns_statschannels_configure(ns_g_server, config, &aclconfctx),
+ CHECKM(ns_statschannels_configure(ns_g_server, config, ns_g_aclconfctx),
"configuring statistics server(s)");
/*
@@ -3301,8 +4635,8 @@ load_configuration(const char *filename, ns_server_t *server,
if (clistenon != NULL) {
/* check return code? */
(void)ns_listenlist_fromconfig(clistenon, config,
- &aclconfctx, ns_g_mctx,
- &listenon);
+ ns_g_aclconfctx,
+ ns_g_mctx, &listenon);
} else if (!ns_g_lwresdonly) {
/*
* Not specified, use default.
@@ -3328,8 +4662,8 @@ load_configuration(const char *filename, ns_server_t *server,
if (clistenon != NULL) {
/* check return code? */
(void)ns_listenlist_fromconfig(clistenon, config,
- &aclconfctx, ns_g_mctx,
- &listenon);
+ ns_g_aclconfctx,
+ ns_g_mctx, &listenon);
} else if (!ns_g_lwresdonly) {
isc_boolean_t enable;
/*
@@ -3397,6 +4731,31 @@ load_configuration(const char *filename, ns_server_t *server,
CHECK(isc_timer_reset(server->pps_timer, isc_timertype_ticker, NULL,
&interval, ISC_FALSE));
+ /*
+ * Write the PID file.
+ */
+ obj = NULL;
+ if (ns_config_get(maps, "pid-file", &obj) == ISC_R_SUCCESS)
+ if (cfg_obj_isvoid(obj))
+ ns_os_writepidfile(NULL, first_time);
+ else
+ ns_os_writepidfile(cfg_obj_asstring(obj), first_time);
+ else if (ns_g_lwresdonly)
+ ns_os_writepidfile(lwresd_g_defaultpidfile, first_time);
+ else
+ ns_os_writepidfile(ns_g_defaultpidfile, first_time);
+
+ /*
+ * Configure the server-wide session key. This must be done before
+ * configure views because zone configuration may need to know
+ * session-keyname.
+ *
+ * Failure of session key generation isn't fatal at this time; if it
+ * turns out that a session key is really needed but doesn't exist,
+ * we'll treat it as a fatal error then.
+ */
+ (void)configure_session_key(maps, server, ns_g_mctx);
+
views = NULL;
(void)cfg_map_get(config, "view", &views);
@@ -3416,7 +4775,7 @@ load_configuration(const char *filename, ns_server_t *server,
element != NULL;
element = cfg_list_next(element))
{
- const cfg_obj_t *vconfig = cfg_listelt_value(element);
+ cfg_obj_t *vconfig = cfg_listelt_value(element);
const cfg_obj_t *voptions = cfg_tuple_get(vconfig, "options");
view = NULL;
@@ -3424,6 +4783,13 @@ load_configuration(const char *filename, ns_server_t *server,
INSIST(view != NULL);
num_zones += count_zones(voptions);
+ CHECK(setup_newzones(view, config, vconfig, conf_parser,
+ ns_g_aclconfctx));
+
+ nzctx = view->new_zone_config;
+ if (nzctx != NULL && nzctx->nzconfig != NULL)
+ num_zones += count_zones(nzctx->nzconfig);
+
dns_view_detach(&view);
}
@@ -3436,6 +4802,14 @@ load_configuration(const char *filename, ns_server_t *server,
INSIST(view != NULL);
num_zones = count_zones(config);
+
+ CHECK(setup_newzones(view, config, NULL, conf_parser,
+ ns_g_aclconfctx));
+
+ nzctx = view->new_zone_config;
+ if (nzctx != NULL && nzctx->nzconfig != NULL)
+ num_zones += count_zones(nzctx->nzconfig);
+
dns_view_detach(&view);
}
@@ -3456,13 +4830,13 @@ load_configuration(const char *filename, ns_server_t *server,
element != NULL;
element = cfg_list_next(element))
{
- const cfg_obj_t *vconfig = cfg_listelt_value(element);
+ cfg_obj_t *vconfig = cfg_listelt_value(element);
view = NULL;
CHECK(find_view(vconfig, &viewlist, &view));
CHECK(configure_view(view, config, vconfig,
- ns_g_mctx, &aclconfctx, ISC_TRUE));
-
+ &cachelist, bindkeys, ns_g_mctx,
+ ns_g_aclconfctx, ISC_TRUE));
dns_view_freeze(view);
dns_view_detach(&view);
}
@@ -3472,22 +4846,17 @@ load_configuration(const char *filename, ns_server_t *server,
* were no explicit views.
*/
if (views == NULL) {
- /*
- * No explicit views; there ought to be a default view.
- * There may already be one created as a side effect
- * of zone statements, or we may have to create one.
- * In either case, we need to configure and freeze it.
- */
+ view = NULL;
CHECK(find_view(NULL, &viewlist, &view));
- CHECK(configure_view(view, config, NULL, ns_g_mctx,
- &aclconfctx, ISC_TRUE));
+ CHECK(configure_view(view, config, NULL,
+ &cachelist, bindkeys,
+ ns_g_mctx, ns_g_aclconfctx, ISC_TRUE));
dns_view_freeze(view);
dns_view_detach(&view);
}
/*
- * Create (or recreate) the built-in views. Currently
- * there is only one, the _bind view.
+ * Create (or recreate) the built-in views.
*/
builtin_views = NULL;
RUNTIME_CHECK(cfg_map_get(ns_g_config, "view",
@@ -3496,25 +4865,38 @@ load_configuration(const char *filename, ns_server_t *server,
element != NULL;
element = cfg_list_next(element))
{
- const cfg_obj_t *vconfig = cfg_listelt_value(element);
- CHECK(create_view(vconfig, &viewlist, &view));
- CHECK(configure_view(view, config, vconfig, ns_g_mctx,
- &aclconfctx, ISC_FALSE));
+ cfg_obj_t *vconfig = cfg_listelt_value(element);
+
+ CHECK(create_view(vconfig, &builtin_viewlist, &view));
+ CHECK(configure_view(view, config, vconfig,
+ &cachelist, bindkeys,
+ ns_g_mctx, ns_g_aclconfctx, ISC_FALSE));
dns_view_freeze(view);
dns_view_detach(&view);
view = NULL;
}
- /*
- * Swap our new view list with the production one.
- */
+ /* Now combine the two viewlists into one */
+ ISC_LIST_APPENDLIST(viewlist, builtin_viewlist, link);
+
+ /* Swap our new view list with the production one. */
tmpviewlist = server->viewlist;
server->viewlist = viewlist;
viewlist = tmpviewlist;
- /*
- * Load the TKEY information from the configuration.
- */
+ /* Make the view list available to each of the views */
+ view = ISC_LIST_HEAD(server->viewlist);
+ while (view != NULL) {
+ view->viewlist = &server->viewlist;
+ view = ISC_LIST_NEXT(view, link);
+ }
+
+ /* Swap our new cache list with the production one. */
+ tmpcachelist = server->cachelist;
+ server->cachelist = cachelist;
+ cachelist = tmpcachelist;
+
+ /* Load the TKEY information from the configuration. */
if (options != NULL) {
dns_tkeyctx_t *t = NULL;
CHECKM(ns_tkeyctx_fromconfig(options, ns_g_mctx, ns_g_entropy,
@@ -3529,7 +4911,7 @@ load_configuration(const char *filename, ns_server_t *server,
* Bind the control port(s).
*/
CHECKM(ns_controls_configure(ns_g_server->controls, config,
- &aclconfctx),
+ ns_g_aclconfctx),
"binding control channel(s)");
/*
@@ -3679,16 +5061,6 @@ load_configuration(const char *filename, ns_server_t *server,
}
}
- obj = NULL;
- if (ns_config_get(maps, "pid-file", &obj) == ISC_R_SUCCESS)
- if (cfg_obj_isvoid(obj))
- ns_os_writepidfile(NULL, first_time);
- else
- ns_os_writepidfile(cfg_obj_asstring(obj), first_time);
- else if (ns_g_lwresdonly)
- ns_os_writepidfile(lwresd_g_defaultpidfile, first_time);
- else
- ns_os_writepidfile(ns_g_defaultpidfile, first_time);
obj = NULL;
if (options != NULL &&
@@ -3719,6 +5091,12 @@ load_configuration(const char *filename, ns_server_t *server,
"strdup");
obj = NULL;
+ result = ns_config_get(maps, "secroots-file", &obj);
+ INSIST(result == ISC_R_SUCCESS);
+ CHECKM(setstring(server, &server->secrootsfile, cfg_obj_asstring(obj)),
+ "strdup");
+
+ obj = NULL;
result = ns_config_get(maps, "recursing-file", &obj);
INSIST(result == ISC_R_SUCCESS);
CHECKM(setstring(server, &server->recfile, cfg_obj_asstring(obj)),
@@ -3775,12 +5153,16 @@ load_configuration(const char *filename, ns_server_t *server,
if (v6portset != NULL)
isc_portset_destroy(ns_g_mctx, &v6portset);
- cfg_aclconfctx_destroy(&aclconfctx);
-
- if (parser != NULL) {
+ if (conf_parser != NULL) {
if (config != NULL)
- cfg_obj_destroy(parser, &config);
- cfg_parser_destroy(&parser);
+ cfg_obj_destroy(conf_parser, &config);
+ cfg_parser_destroy(&conf_parser);
+ }
+
+ if (bindkeys_parser != NULL) {
+ if (bindkeys != NULL)
+ cfg_obj_destroy(bindkeys_parser, &bindkeys);
+ cfg_parser_destroy(&bindkeys_parser);
}
if (view != NULL)
@@ -3803,6 +5185,13 @@ load_configuration(const char *filename, ns_server_t *server,
dns_view_detach(&view);
}
+ /* Same cleanup for cache list. */
+ while ((nsc = ISC_LIST_HEAD(cachelist)) != NULL) {
+ ISC_LIST_UNLINK(cachelist, nsc, link);
+ dns_cache_detach(&nsc->cache);
+ isc_mem_put(server->mctx, nsc, sizeof(*nsc));
+ }
+
/*
* Adjust the listening interfaces in accordance with the source
* addresses specified in views and zones.
@@ -3837,6 +5226,8 @@ load_zones(ns_server_t *server, isc_boolean_t stop) {
view = ISC_LIST_NEXT(view, link))
{
CHECK(dns_view_load(view, stop));
+ if (view->managed_keys != NULL)
+ CHECK(dns_zone_load(view->managed_keys));
}
/*
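Review bot: `CHECK(dns_zone_load(view->managed_keys))` treats every result other than ISC_R_SUCCESS as fatal, assuming CHECK has its usual jump-to-cleanup meaning here. If `dns_zone_load()` can return a non-error status for a zone that needs no reload (DNS_R_UPTODATE or DNS_R_CONTINUE, to be confirmed against the zone API), loading would stop at the first such view and leave later views unloaded. Capturing the result and testing `if (result != ISC_R_SUCCESS && result != DNS_R_UPTODATE && result != DNS_R_CONTINUE) goto cleanup;` would avoid that. The same pattern appears with `dns_zone_loadnew()` in the load_new_zones hunk that follows. load_zones' body starts and ends outside the hunk.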
@@ -3866,11 +5257,14 @@ load_new_zones(ns_server_t *server, isc_boolean_t stop) {
view = ISC_LIST_NEXT(view, link))
{
CHECK(dns_view_loadnew(view, stop));
+
+ /* Load managed-keys data */
+ if (view->managed_keys != NULL)
+ CHECK(dns_zone_loadnew(view->managed_keys));
}
+
/*
- * Force zone maintenance. Do this after loading
- * so that we know when we need to force AXFR of
- * slave zones whose master files are missing.
+ * Resume zone XFRs.
*/
dns_zonemgr_resumexfrs(server->zonemgr);
cleanup:
@@ -3949,6 +5343,7 @@ shutdown_server(isc_task_t *task, isc_event_t *event) {
dns_view_t *view, *view_next;
ns_server_t *server = (ns_server_t *)event->ev_arg;
isc_boolean_t flush = server->flushonshutdown;
+ ns_cache_t *nsc;
UNUSED(task);
INSIST(task == server->task);
@@ -3963,6 +5358,10 @@ shutdown_server(isc_task_t *task, isc_event_t *event) {
ns_statschannels_shutdown(server);
ns_controls_shutdown(server->controls);
end_reserved_dispatches(server, ISC_TRUE);
+ cleanup_session_key(server, server->mctx);
+
+ if (ns_g_aclconfctx != NULL)
+ cfg_aclconfctx_detach(&ns_g_aclconfctx);
cfg_obj_destroy(ns_g_parser, &ns_g_config);
cfg_parser_destroy(&ns_g_parser);
@@ -3978,6 +5377,12 @@ shutdown_server(isc_task_t *task, isc_event_t *event) {
dns_view_detach(&view);
}
+ while ((nsc = ISC_LIST_HEAD(server->cachelist)) != NULL) {
+ ISC_LIST_UNLINK(server->cachelist, nsc, link);
+ dns_cache_detach(&nsc->cache);
+ isc_mem_put(server->mctx, nsc, sizeof(*nsc));
+ }
+
isc_timer_detach(&server->interface_timer);
isc_timer_detach(&server->heartbeat_timer);
isc_timer_detach(&server->pps_timer);
@@ -3989,6 +5394,11 @@ shutdown_server(isc_task_t *task, isc_event_t *event) {
dns_zonemgr_shutdown(server->zonemgr);
+ if (ns_g_sessionkey != NULL) {
+ dns_tsigkey_detach(&ns_g_sessionkey);
+ dns_name_free(&ns_g_sessionkeyname, server->mctx);
+ }
+
if (server->blackholeacl != NULL)
dns_acl_detach(&server->blackholeacl);
@@ -4047,7 +5457,8 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) {
ISC_R_NOMEMORY : ISC_R_SUCCESS,
"allocating reload event");
- CHECKFATAL(dst_lib_init(ns_g_mctx, ns_g_entropy, ISC_ENTROPY_GOODONLY),
+ CHECKFATAL(dst_lib_init2(ns_g_mctx, ns_g_entropy,
+ ns_g_engine, ISC_ENTROPY_GOODONLY),
"initializing DST");
server->tkeyctx = NULL;
@@ -4057,11 +5468,13 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) {
/*
* Setup the server task, which is responsible for coordinating
- * startup and shutdown of the server.
+ * startup and shutdown of the server, as well as all exclusive
+ * tasks.
*/
CHECKFATAL(isc_task_create(ns_g_taskmgr, 0, &server->task),
"creating server task");
isc_task_setname(server->task, "server", server);
+ isc_taskmgr_setexcltask(ns_g_taskmgr, server->task);
CHECKFATAL(isc_task_onshutdown(server->task, shutdown_server, server),
"isc_task_onshutdown");
CHECKFATAL(isc_app_onrun(ns_g_mctx, server->task, run_server, server),
@@ -4094,10 +5507,20 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) {
"isc_stats_create");
isc_socketmgr_setstats(ns_g_socketmgr, server->sockstats);
+ server->bindkeysfile = isc_mem_strdup(server->mctx, "bind.keys");
+ CHECKFATAL(server->bindkeysfile == NULL ? ISC_R_NOMEMORY :
+ ISC_R_SUCCESS,
+ "isc_mem_strdup");
+
server->dumpfile = isc_mem_strdup(server->mctx, "named_dump.db");
CHECKFATAL(server->dumpfile == NULL ? ISC_R_NOMEMORY : ISC_R_SUCCESS,
"isc_mem_strdup");
+ server->secrootsfile = isc_mem_strdup(server->mctx, "named.secroots");
+ CHECKFATAL(server->secrootsfile == NULL ? ISC_R_NOMEMORY :
+ ISC_R_SUCCESS,
+ "isc_mem_strdup");
+
server->recfile = isc_mem_strdup(server->mctx, "named.recursing");
CHECKFATAL(server->recfile == NULL ? ISC_R_NOMEMORY : ISC_R_SUCCESS,
"isc_mem_strdup");
@@ -4139,6 +5562,14 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) {
ISC_LIST_INIT(server->statschannels);
+ ISC_LIST_INIT(server->cachelist);
+
+ server->sessionkey = NULL;
+ server->session_keyfile = NULL;
+ server->session_keyname = NULL;
+ server->session_keyalg = DST_ALG_UNKNOWN;
+ server->session_keybits = 0;
+
server->magic = NS_SERVER_MAGIC;
*serverp = server;
}
@@ -4158,7 +5589,9 @@ ns_server_destroy(ns_server_t **serverp) {
isc_stats_detach(&server->sockstats);
isc_mem_free(server->mctx, server->statsfile);
+ isc_mem_free(server->mctx, server->bindkeysfile);
isc_mem_free(server->mctx, server->dumpfile);
+ isc_mem_free(server->mctx, server->secrootsfile);
isc_mem_free(server->mctx, server->recfile);
if (server->version != NULL)
@@ -4179,6 +5612,7 @@ ns_server_destroy(ns_server_t **serverp) {
isc_event_free(&server->reload_event);
INSIST(ISC_LIST_EMPTY(server->viewlist));
+ INSIST(ISC_LIST_EMPTY(server->cachelist));
dns_aclenv_destroy(&server->aclenv);
@@ -4410,7 +5844,9 @@ next_token(char **stringp, const char *delim) {
* set '*zonep' to NULL.
*/
static isc_result_t
-zone_from_args(ns_server_t *server, char *args, dns_zone_t **zonep) {
+zone_from_args(ns_server_t *server, char *args, dns_zone_t **zonep,
+ const char **zonename)
+{
char *input, *ptr;
const char *zonetxt;
char *classtxt;
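Review bot: The header comment above `zone_from_args()` still ends at "set '*zonep' to NULL." and says nothing about the new `zonename` out-parameter added in this hunk. The following hunk assigns `*zonename = zonetxt` only after the `zonetxt == NULL` early return, so the pointer is left untouched when no zone is named, and it aliases the buffer that `next_token()` tokenises rather than a copy. I would add to the comment: `* If 'zonename' is non-NULL and a zone was named, '*zonename' points at that token inside the tokenised buffer; otherwise it is not modified.` The function body continues outside this hunk, so the buffer's lifetime should be confirmed there.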
@@ -4434,6 +5870,8 @@ zone_from_args(ns_server_t *server, char *args, dns_zone_t **zonep) {
zonetxt = next_token(&input, " \t");
if (zonetxt == NULL)
return (ISC_R_SUCCESS);
+ if (zonename)
+ *zonename = zonetxt;
/* Look for the optional class name. */
classtxt = next_token(&input, " \t");
@@ -4446,7 +5884,7 @@ zone_from_args(ns_server_t *server, char *args, dns_zone_t **zonep) {
isc_buffer_add(&buf, strlen(zonetxt));
dns_fixedname_init(&name);
result = dns_name_fromtext(dns_fixedname_name(&name),
- &buf, dns_rootname, ISC_FALSE, NULL);
+ &buf, dns_rootname, 0, NULL);
if (result != ISC_R_SUCCESS)
goto fail1;
@@ -4494,7 +5932,7 @@ ns_server_retransfercommand(ns_server_t *server, char *args) {
dns_zone_t *zone = NULL;
dns_zonetype_t type;
- result = zone_from_args(server, args, &zone);
+ result = zone_from_args(server, args, &zone, NULL);
if (result != ISC_R_SUCCESS)
return (result);
if (zone == NULL)
@@ -4518,7 +5956,7 @@ ns_server_reloadcommand(ns_server_t *server, char *args, isc_buffer_t *text) {
dns_zonetype_t type;
const char *msg = NULL;
- result = zone_from_args(server, args, &zone);
+ result = zone_from_args(server, args, &zone, NULL);
if (result != ISC_R_SUCCESS)
return (result);
if (zone == NULL) {
@@ -4578,7 +6016,7 @@ ns_server_notifycommand(ns_server_t *server, char *args, isc_buffer_t *text) {
dns_zone_t *zone = NULL;
const unsigned char msg[] = "zone notify queued";
- result = zone_from_args(server, args, &zone);
+ result = zone_from_args(server, args, &zone, NULL);
if (result != ISC_R_SUCCESS)
return (result);
if (zone == NULL)
@@ -4603,7 +6041,7 @@ ns_server_refreshcommand(ns_server_t *server, char *args, isc_buffer_t *text) {
const unsigned char msg2[] = "not a slave or stub zone";
dns_zonetype_t type;
- result = zone_from_args(server, args, &zone);
+ result = zone_from_args(server, args, &zone, NULL);
if (result != ISC_R_SUCCESS)
return (result);
if (zone == NULL)
@@ -4841,15 +6279,23 @@ dumpdone(void *arg, isc_result_t result) {
nextview:
fprintf(dctx->fp, ";\n; Start view %s\n;\n", dctx->view->view->name);
resume:
- if (dctx->zone == NULL && dctx->cache == NULL && dctx->dumpcache) {
+ if (dctx->dumpcache && dns_view_iscacheshared(dctx->view->view)) {
+ fprintf(dctx->fp,
+ ";\n; Cache of view '%s' is shared as '%s'\n",
+ dctx->view->view->name,
+ dns_cache_getname(dctx->view->view->cache));
+ } else if (dctx->zone == NULL && dctx->cache == NULL &&
+ dctx->dumpcache)
+ {
style = &dns_master_style_cache;
/* start cache dump */
if (dctx->view->view->cachedb != NULL)
dns_db_attach(dctx->view->view->cachedb, &dctx->cache);
if (dctx->cache != NULL) {
-
- fprintf(dctx->fp, ";\n; Cache dump of view '%s'\n;\n",
- dctx->view->view->name);
+ fprintf(dctx->fp,
+ ";\n; Cache dump of view '%s' (cache %s)\n;\n",
+ dctx->view->view->name,
+ dns_cache_getname(dctx->view->view->cache));
result = dns_master_dumptostreaminc(dctx->mctx,
dctx->cache, NULL,
style, dctx->fp,
@@ -5012,6 +6458,69 @@ ns_server_dumpdb(ns_server_t *server, char *args) {
}
isc_result_t
+ns_server_dumpsecroots(ns_server_t *server, char *args) {
+ dns_view_t *view;
+ dns_keytable_t *secroots = NULL;
+ isc_result_t result;
+ char *ptr;
+ FILE *fp = NULL;
+ isc_time_t now;
+ char tbuf[64];
+
+ /* Skip the command name. */
+ ptr = next_token(&args, " \t");
+ if (ptr == NULL)
+ return (ISC_R_UNEXPECTEDEND);
+ ptr = next_token(&args, " \t");
+
+ CHECKMF(isc_stdio_open(server->secrootsfile, "w", &fp),
+ "could not open secroots dump file", server->secrootsfile);
+ TIME_NOW(&now);
+ isc_time_formattimestamp(&now, tbuf, sizeof(tbuf));
+ fprintf(fp, "%s\n", tbuf);
+
+ do {
+ for (view = ISC_LIST_HEAD(server->viewlist);
+ view != NULL;
+ view = ISC_LIST_NEXT(view, link))
+ {
+ if (ptr != NULL && strcmp(view->name, ptr) != 0)
+ continue;
+ if (secroots != NULL)
+ dns_keytable_detach(&secroots);
+ result = dns_view_getsecroots(view, &secroots);
+ if (result == ISC_R_NOTFOUND) {
+ result = ISC_R_SUCCESS;
+ continue;
+ }
+ fprintf(fp, "\n Start view %s\n\n", view->name);
+ result = dns_keytable_dump(secroots, fp);
+ if (result != ISC_R_SUCCESS)
+ fprintf(fp, " dumpsecroots failed: %s\n",
+ isc_result_totext(result));
+ }
+ if (ptr != NULL)
+ ptr = next_token(&args, " \t");
+ } while (ptr != NULL);
+
+ cleanup:
+ if (secroots != NULL)
+ dns_keytable_detach(&secroots);
+ if (fp != NULL)
+ (void)isc_stdio_close(fp);
+ if (result == ISC_R_SUCCESS)
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_SERVER, ISC_LOG_INFO,
+ "dumpsecroots complete");
+ else
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
+ "dumpsecroots failed: %s",
+ dns_result_totext(result));
+ return (result);
+}
+
+isc_result_t
ns_server_dumprecursing(ns_server_t *server) {
FILE *fp = NULL;
isc_result_t result;
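Review bot: In the view loop of `ns_server_dumpsecroots()` a failed `dns_keytable_dump()` is only written into the dump file, and `result` is then overwritten by the next view's `dns_view_getsecroots()`. The function can therefore return success and log "dumpsecroots complete" after a view failed to dump. A `dns_view_getsecroots()` failure other than `ISC_R_NOTFOUND` also falls through to `dns_keytable_dump(secroots, fp)`, presumably with `secroots` still NULL. I would add `CHECK(result);` after the `ISC_R_NOTFOUND` block and make the dump-failure branch `{ fprintf(...); goto cleanup; }`, so the first error reaches the caller and the error log.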
@@ -5129,6 +6638,7 @@ ns_server_flushcache(ns_server_t *server, char *args) {
isc_boolean_t flushed;
isc_boolean_t found;
isc_result_t result;
+ ns_cache_t *nsc;
/* Skip the command name. */
ptr = next_token(&args, " \t");
@@ -5142,22 +6652,96 @@ ns_server_flushcache(ns_server_t *server, char *args) {
RUNTIME_CHECK(result == ISC_R_SUCCESS);
flushed = ISC_TRUE;
found = ISC_FALSE;
- for (view = ISC_LIST_HEAD(server->viewlist);
- view != NULL;
- view = ISC_LIST_NEXT(view, link))
- {
- if (viewname != NULL && strcasecmp(viewname, view->name) != 0)
- continue;
+
+ /*
+ * Flushing a cache is tricky when caches are shared by multiple views.
+ * We first identify which caches should be flushed in the local cache
+ * list, flush these caches, and then update other views that refer to
+ * the flushed cache DB.
+ */
+ if (viewname != NULL) {
+ /*
+ * Mark caches that need to be flushed. This is an O(#view^2)
+ * operation in the very worst case, but should be normally
+ * much more lightweight because only a few (most typically just
+ * one) views will match.
+ */
+ for (view = ISC_LIST_HEAD(server->viewlist);
+ view != NULL;
+ view = ISC_LIST_NEXT(view, link))
+ {
+ if (strcasecmp(viewname, view->name) != 0)
+ continue;
+ found = ISC_TRUE;
+ for (nsc = ISC_LIST_HEAD(server->cachelist);
+ nsc != NULL;
+ nsc = ISC_LIST_NEXT(nsc, link)) {
+ if (nsc->cache == view->cache)
+ break;
+ }
+ INSIST(nsc != NULL);
+ nsc->needflush = ISC_TRUE;
+ }
+ } else
found = ISC_TRUE;
- result = dns_view_flushcache(view);
+
+ /* Perform flush */
+ for (nsc = ISC_LIST_HEAD(server->cachelist);
+ nsc != NULL;
+ nsc = ISC_LIST_NEXT(nsc, link)) {
+ if (viewname != NULL && !nsc->needflush)
+ continue;
+ nsc->needflush = ISC_TRUE;
+ result = dns_view_flushcache2(nsc->primaryview, ISC_FALSE);
if (result != ISC_R_SUCCESS) {
flushed = ISC_FALSE;
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
"flushing cache in view '%s' failed: %s",
- view->name, isc_result_totext(result));
+ nsc->primaryview->name,
+ isc_result_totext(result));
+ }
+ }
+
+ /*
+ * Fix up views that share a flushed cache: let the views update the
+ * cache DB they're referring to. This could also be an expensive
+ * operation, but should typically be marginal: the inner loop is only
+ * necessary for views that share a cache, and if there are many such
+ * views the number of shared cache should normally be small.
+ * A worst case is that we have n views and n/2 caches, each shared by
+ * two views. Then this will be a O(n^2/4) operation.
+ */
+ for (view = ISC_LIST_HEAD(server->viewlist);
+ view != NULL;
+ view = ISC_LIST_NEXT(view, link))
+ {
+ if (!dns_view_iscacheshared(view))
+ continue;
+ for (nsc = ISC_LIST_HEAD(server->cachelist);
+ nsc != NULL;
+ nsc = ISC_LIST_NEXT(nsc, link)) {
+ if (!nsc->needflush || nsc->cache != view->cache)
+ continue;
+ result = dns_view_flushcache2(view, ISC_TRUE);
+ if (result != ISC_R_SUCCESS) {
+ flushed = ISC_FALSE;
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
+ "fixing cache in view '%s' "
+ "failed: %s", view->name,
+ isc_result_totext(result));
+ }
}
}
+
+ /* Cleanup the cache list. */
+ for (nsc = ISC_LIST_HEAD(server->cachelist);
+ nsc != NULL;
+ nsc = ISC_LIST_NEXT(nsc, link)) {
+ nsc->needflush = ISC_FALSE;
+ }
+
if (flushed && found) {
if (viewname != NULL)
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
@@ -5208,7 +6792,7 @@ ns_server_flushname(ns_server_t *server, char *args) {
isc_buffer_add(&b, strlen(target));
dns_fixedname_init(&fixed);
name = dns_fixedname_name(&fixed);
- result = dns_name_fromtext(name, &b, dns_rootname, ISC_FALSE, NULL);
+ result = dns_name_fromtext(name, &b, dns_rootname, 0, NULL);
if (result != ISC_R_SUCCESS)
return (result);
@@ -5226,6 +6810,11 @@ ns_server_flushname(ns_server_t *server, char *args) {
if (viewname != NULL && strcasecmp(viewname, view->name) != 0)
continue;
found = ISC_TRUE;
+ /*
+ * It's a little inefficient to try flushing name for all views
+ * if some of the views share a single cache. But since the
+ * operation is lightweight we prefer simplicity here.
+ */
result = dns_view_flushname(view, name);
if (result != ISC_R_SUCCESS) {
flushed = ISC_FALSE;
@@ -5540,6 +7129,46 @@ ns_server_tsiglist(ns_server_t *server, isc_buffer_t *text) {
}
/*
+ * Act on a "sign" or "loadkeys" command from the command channel.
+ */
+isc_result_t
+ns_server_rekey(ns_server_t *server, char *args) {
+ isc_result_t result;
+ dns_zone_t *zone = NULL;
+ dns_zonetype_t type;
+ isc_uint16_t keyopts;
+ isc_boolean_t fullsign = ISC_FALSE;
+
+ if (strncasecmp(args, NS_COMMAND_SIGN, strlen(NS_COMMAND_SIGN)) == 0)
+ fullsign = ISC_TRUE;
+
+ result = zone_from_args(server, args, &zone, NULL);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ if (zone == NULL)
+ return (ISC_R_UNEXPECTEDEND); /* XXX: or do all zones? */
+
+ type = dns_zone_gettype(zone);
+ if (type != dns_zone_master) {
+ dns_zone_detach(&zone);
+ return (DNS_R_NOTMASTER);
+ }
+
+ keyopts = dns_zone_getkeyopts(zone);
+
+ /* "rndc loadkeys" requires "auto-dnssec maintain". */
+ if ((keyopts & DNS_ZONEKEY_ALLOW) == 0)
+ result = ISC_R_NOPERM;
+ else if ((keyopts & DNS_ZONEKEY_MAINTAIN) == 0 && !fullsign)
+ result = ISC_R_NOPERM;
+ else
+ dns_zone_rekey(zone, fullsign);
+
+ dns_zone_detach(&zone);
+ return (result);
+}
+
+/*
* Act on a "freeze" or "thaw" command from the command channel.
*/
isc_result_t
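Review bot: The comment `/* "rndc loadkeys" requires "auto-dnssec maintain". */` in `ns_server_rekey()` sits above two checks but describes only the second one. The first check returns `ISC_R_NOPERM` for both `sign` and `loadkeys` whenever `DNS_ZONEKEY_ALLOW` is clear, which a reader of the comment would not expect. I would reword it to `/* Both commands need DNS_ZONEKEY_ALLOW; "rndc loadkeys" also needs DNS_ZONEKEY_MAINTAIN ("auto-dnssec maintain"). */`. Since `fullsign` is decided by a prefix match on `args`, a short comment that the caller has already dispatched on the command name would help too; that dispatch is not visible in this hunk.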
@@ -5557,7 +7186,7 @@ ns_server_freeze(ns_server_t *server, isc_boolean_t freeze, char *args,
isc_boolean_t frozen;
const char *msg = NULL;
- result = zone_from_args(server, args, &zone);
+ result = zone_from_args(server, args, &zone, NULL);
if (result != ISC_R_SUCCESS)
return (result);
if (zone == NULL) {
@@ -5583,7 +7212,7 @@ ns_server_freeze(ns_server_t *server, isc_boolean_t freeze, char *args,
type = dns_zone_gettype(zone);
if (type != dns_zone_master) {
dns_zone_detach(&zone);
- return (ISC_R_NOTFOUND);
+ return (DNS_R_NOTMASTER);
}
result = isc_task_beginexclusive(server->task);
@@ -5634,8 +7263,8 @@ ns_server_freeze(ns_server_t *server, isc_boolean_t freeze, char *args,
strlen(msg) + 1);
view = dns_zone_getview(zone);
- if (strcmp(view->name, "_bind") == 0 ||
- strcmp(view->name, "_default") == 0)
+ if (strcmp(view->name, "_default") == 0 ||
+ strcmp(view->name, "_bind") == 0)
{
vname = "";
sep = "";
@@ -5675,3 +7304,381 @@ ns_smf_add_message(isc_buffer_t *text) {
return (ISC_R_SUCCESS);
}
#endif /* HAVE_LIBSCF */
+
+/*
+ * Act on an "addzone" command from the command channel.
+ */
+isc_result_t
+ns_server_add_zone(ns_server_t *server, char *args) {
+ isc_result_t result;
+ isc_buffer_t argbuf;
+ size_t arglen;
+ cfg_parser_t *parser = NULL;
+ cfg_obj_t *config = NULL;
+ const cfg_obj_t *vconfig = NULL;
+ const cfg_obj_t *views = NULL;
+ const cfg_obj_t *parms = NULL;
+ const cfg_obj_t *obj = NULL;
+ const cfg_listelt_t *element;
+ const char *zonename;
+ const char *classname = NULL;
+ const char *argp;
+ const char *viewname = NULL;
+ dns_rdataclass_t rdclass;
+ dns_view_t *view = 0;
+ isc_buffer_t buf, *nbuf = NULL;
+ dns_name_t dnsname;
+ dns_zone_t *zone = NULL;
+ FILE *fp = NULL;
+ struct cfg_context *cfg = NULL;
+
+ /* Try to parse the argument string */
+ arglen = strlen(args);
+ isc_buffer_init(&argbuf, args, arglen);
+ isc_buffer_add(&argbuf, strlen(args));
+ CHECK(cfg_parser_create(server->mctx, ns_g_lctx, &parser));
+ CHECK(cfg_parse_buffer(parser, &argbuf, &cfg_type_addzoneconf,
+ &config));
+ CHECK(cfg_map_get(config, "addzone", &parms));
+
+ zonename = cfg_obj_asstring(cfg_tuple_get(parms, "name"));
+ isc_buffer_init(&buf, zonename, strlen(zonename));
+ isc_buffer_add(&buf, strlen(zonename));
+ dns_name_init(&dnsname, NULL);
+ isc_buffer_allocate(server->mctx, &nbuf, 256);
+ dns_name_setbuffer(&dnsname, nbuf);
+ CHECK(dns_name_fromtext(&dnsname, &buf, dns_rootname, ISC_FALSE, NULL));
+
+ /* Make sense of optional class argument */
+ obj = cfg_tuple_get(parms, "class");
+ CHECK(ns_config_getclass(obj, dns_rdataclass_in, &rdclass));
+ if (rdclass != dns_rdataclass_in && obj)
+ classname = cfg_obj_asstring(obj);
+
+ /* Make sense of optional view argument */
+ obj = cfg_tuple_get(parms, "view");
+ if (obj && cfg_obj_isstring(obj))
+ viewname = cfg_obj_asstring(obj);
+ if (viewname == NULL || *viewname == '\0')
+ viewname = "_default";
+ CHECK(dns_viewlist_find(&server->viewlist, viewname, rdclass, &view));
+
+ /* Are we accepting new zones? */
+ if (view->new_zone_file == NULL) {
+ result = ISC_R_NOPERM;
+ goto cleanup;
+ }
+
+ cfg = (struct cfg_context *) view->new_zone_config;
+ if (cfg == NULL) {
+ result = ISC_R_FAILURE;
+ goto cleanup;
+ }
+
+ /* Zone shouldn't already exist */
+ result = dns_zt_find(view->zonetable, &dnsname, 0, NULL, &zone);
+ if (result == ISC_R_SUCCESS) {
+ result = ISC_R_EXISTS;
+ goto cleanup;
+ } else if (result == DNS_R_PARTIALMATCH) {
+ /* Create our sub-zone anyway */
+ dns_zone_detach(&zone);
+ zone = NULL;
+ }
+ else if (result != ISC_R_NOTFOUND)
+ goto cleanup;
+
+ /* Find the view statement */
+ cfg_map_get(cfg->config, "view", &views);
+ for (element = cfg_list_first(views);
+ element != NULL;
+ element = cfg_list_next(element))
+ {
+ const char *vname;
+ vconfig = cfg_listelt_value(element);
+ vname = cfg_obj_asstring(cfg_tuple_get(vconfig, "name"));
+ if (vname && !strcasecmp(vname, viewname))
+ break;
+ vconfig = NULL;
+ }
+
+ /* Open save file for write configuration */
+ CHECK(isc_stdio_open(view->new_zone_file, "a", &fp));
+
+ /* Mark view unfrozen so that zone can be added */
+ isc_task_beginexclusive(server->task);
+ dns_view_thaw(view);
+ result = configure_zone(cfg->config, parms, vconfig,
+ server->mctx, view, cfg->actx, ISC_FALSE);
+ dns_view_freeze(view);
+ isc_task_endexclusive(server->task);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+
+ /* Is it there yet? */
+ CHECK(dns_zt_find(view->zonetable, &dnsname, 0, NULL, &zone));
+
+ /*
+ * Load the zone from the master file. If this fails, we'll
+ * need to undo the configuration we've done already.
+ */
+ result = dns_zone_loadnew(zone);
+ if (result != ISC_R_SUCCESS) {
+ dns_db_t *dbp = NULL;
+
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_SERVER, ISC_LOG_INFO,
+ "addzone failed; reverting.");
+
+ /* If the zone loaded partially, unload it */
+ if (dns_zone_getdb(zone, &dbp) == ISC_R_SUCCESS) {
+ dns_db_detach(&dbp);
+ dns_zone_unload(zone);
+ }
+
+ /* Remove the zone from the zone table */
+ dns_zt_unmount(view->zonetable, zone);
+ goto cleanup;
+ }
+
+ /* Flag the zone as having been added at runtime */
+ dns_zone_setadded(zone, ISC_TRUE);
+
+ /* Emit just the zone name from args */
+ CHECK(isc_stdio_write("zone ", 5, 1, fp, NULL));
+ CHECK(isc_stdio_write(zonename, strlen(zonename), 1, fp, NULL));
+ CHECK(isc_stdio_write(" ", 1, 1, fp, NULL));
+
+ /* Classname, if not default */
+ if (classname != NULL && *classname != '\0') {
+ CHECK(isc_stdio_write(classname, strlen(classname), 1, fp,
+ NULL));
+ CHECK(isc_stdio_write(" ", 1, 1, fp, NULL));
+ }
+
+ /* Find beginning of option block from args */
+ for (argp = args; *argp; argp++, arglen--) {
+ if (*argp == '{') { /* Assume matching '}' */
+ /* Add that to our file */
+ CHECK(isc_stdio_write(argp, arglen, 1, fp, NULL));
+
+ /* Make sure we end with a LF */
+ if (argp[arglen-1] != '\n') {
+ CHECK(isc_stdio_write("\n", 1, 1, fp, NULL));
+ }
+ break;
+ }
+ }
+
+ CHECK(isc_stdio_close(fp));
+ fp = NULL;
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_SERVER, ISC_LOG_INFO,
+ "zone %s added to view %s via addzone",
+ zonename, viewname);
+
+ result = ISC_R_SUCCESS;
+
+ cleanup:
+ if (fp != NULL)
+ isc_stdio_close(fp);
+ if (parser != NULL) {
+ if (config != NULL)
+ cfg_obj_destroy(parser, &config);
+ cfg_parser_destroy(&parser);
+ }
+ if (zone != NULL)
+ dns_zone_detach(&zone);
+ if (view != NULL)
+ dns_view_detach(&view);
+ if (nbuf != NULL)
+ isc_buffer_free(&nbuf);
+
+ return (result);
+}
+
+/*
+ * Act on a "delzone" command from the command channel.
+ */
+isc_result_t
+ns_server_del_zone(ns_server_t *server, char *args) {
+ isc_result_t result;
+ dns_zone_t *zone = NULL;
+ dns_view_t *view = NULL;
+ dns_db_t *dbp = NULL;
+ const char *filename = NULL;
+ char *tmpname = NULL;
+ char buf[1024];
+ const char *zonename = NULL;
+ size_t znamelen = 0;
+ FILE *ifp = NULL, *ofp = NULL;
+
+ /* Parse parameters */
+ CHECK(zone_from_args(server, args, &zone, &zonename));
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ if (zone == NULL) {
+ result = ISC_R_UNEXPECTEDEND;
+ goto cleanup;
+ }
+
+ /*
+ * Was this zone originally added at runtime?
+ * If not, we can't delete it now.
+ */
+ if (!dns_zone_getadded(zone)) {
+ result = ISC_R_NOPERM;
+ goto cleanup;
+ }
+
+ if (zonename != NULL)
+ znamelen = strlen(zonename);
+
+ /* Dig out configuration for this zone */
+ view = dns_zone_getview(zone);
+ filename = view->new_zone_file;
+ if (filename == NULL) {
+ /* No adding zones in this view */
+ result = ISC_R_FAILURE;
+ goto cleanup;
+ }
+
+ /* Rewrite zone list */
+ result = isc_stdio_open(filename, "r", &ifp);
+ if (ifp != NULL && result == ISC_R_SUCCESS) {
+ char *found = NULL, *p = NULL;
+ size_t n;
+
+ /* Create a temporary file */
+ CHECK(isc_string_printf(buf, 1023, "%s.%ld", filename,
+ (long)getpid()));
+ if (!(tmpname = isc_mem_strdup(server->mctx, buf))) {
+ result = ISC_R_NOMEMORY;
+ goto cleanup;
+ }
+ CHECK(isc_stdio_open(tmpname, "w", &ofp));
+
+ /* Look for the entry for that zone */
+ while (fgets(buf, 1024, ifp)) {
+ /* A 'zone' line */
+ if (strncasecmp(buf, "zone", 4)) {
+ fputs(buf, ofp);
+ continue;
+ }
+ p = buf+4;
+
+ /* Locate a name */
+ while (*p &&
+ ((*p == '"') || isspace((unsigned char)*p)))
+ p++;
+
+ /* Is that the zone we're looking for */
+ if (strncasecmp(p, zonename, znamelen)) {
+ fputs(buf, ofp);
+ continue;
+ }
+
+ /* And nothing else? */
+ p += znamelen;
+ if (isspace((unsigned char)*p) ||
+ *p == '"' || *p == '{') {
+ /* This must be the entry */
+ found = p;
+ break;
+ }
+
+ /* Spit it out, keep looking */
+ fputs(buf, ofp);
+ }
+
+ /* Skip over an option block (matching # of braces) */
+ if (found) {
+ int obrace = 0, cbrace = 0;
+ for (;;) {
+ while (*p) {
+ if (*p == '{') obrace++;
+ if (*p == '}') cbrace++;
+ p++;
+ }
+ if (obrace && (obrace == cbrace))
+ break;
+ if (!fgets(buf, 1024, ifp))
+ break;
+ p = buf;
+ }
+
+ /* Just spool the remainder of the file out */
+ result = isc_stdio_read(buf, 1, 1024, ifp, &n);
+ while (n > 0U) {
+ if (result == ISC_R_EOF)
+ result = ISC_R_SUCCESS;
+ CHECK(result);
+ isc_stdio_write(buf, 1, n, ofp, NULL);
+ result = isc_stdio_read(buf, 1, 1024, ifp, &n);
+ }
+
+ /* Move temporary into place */
+ CHECK(isc_file_rename(tmpname, view->new_zone_file));
+ } else {
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
+ "deleted zone %s was missing from "
+ "new zone file", zonename);
+ goto cleanup;
+ }
+ }
+
+ /* Stop answering for this zone */
+ if (dns_zone_getdb(zone, &dbp) == ISC_R_SUCCESS) {
+ dns_db_detach(&dbp);
+ dns_zone_unload(zone);
+ }
+
+ CHECK(dns_zt_unmount(view->zonetable, zone));
+
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_SERVER, ISC_LOG_INFO,
+ "zone %s removed via delzone", zonename);
+
+ result = ISC_R_SUCCESS;
+
+ cleanup:
+ if (ifp != NULL)
+ isc_stdio_close(ifp);
+ if (ofp != NULL) {
+ isc_stdio_close(ofp);
+ isc_file_remove(tmpname);
+ }
+ if (tmpname != NULL)
+ isc_mem_free(server->mctx, tmpname);
+ if (zone != NULL)
+ dns_zone_detach(&zone);
+
+ return (result);
+}
+
+static void
+newzone_cfgctx_destroy(void **cfgp) {
+ struct cfg_context *cfg;
+
+ REQUIRE(cfgp != NULL && *cfgp != NULL);
+
+ cfg = *cfgp;
+
+ if (cfg->actx != NULL)
+ cfg_aclconfctx_detach(&cfg->actx);
+
+ if (cfg->parser != NULL) {
+ if (cfg->config != NULL)
+ cfg_obj_destroy(cfg->parser, &cfg->config);
+ cfg_parser_destroy(&cfg->parser);
+ }
+ if (cfg->nzparser != NULL) {
+ if (cfg->nzconfig != NULL)
+ cfg_obj_destroy(cfg->nzparser, &cfg->nzconfig);
+ cfg_parser_destroy(&cfg->nzparser);
+ }
+
+ isc_mem_putanddetach(&cfg->mctx, cfg, sizeof(*cfg));
+ *cfgp = NULL;
+}
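Review bot: In `ns_server_del_zone()` the rewritten zone list is renamed over `view->new_zone_file` without any write having been checked. The `fputs()` calls and the `isc_stdio_write()` in the spool loop ignore their results, and `ofp` is still open, so possibly unflushed, when `isc_file_rename()` runs. A full disk or I/O error can therefore replace the persisted file with a truncated copy and lose the remaining entries. I would check the write, close `ofp` before the rename and remove the temporary file on either failure, as below. The temporary name is also the predictable `<file>.<pid>` opened with "w", so `isc_file_openunique()` would be the safer choice if that directory can be written by anyone other than named.

```c
			CHECK(result);
			CHECK(isc_stdio_write(buf, 1, n, ofp, NULL));
			/* … unchanged: next isc_stdio_read(), end of spool loop … */

		/* Close first so buffered-write errors surface before the rename. */
		result = isc_stdio_close(ofp);
		ofp = NULL;
		if (result == ISC_R_SUCCESS)
			result = isc_file_rename(tmpname, view->new_zone_file);
		if (result != ISC_R_SUCCESS) {
			(void)isc_file_remove(tmpname);
			goto cleanup;
		}
```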
diff --git a/contrib/bind9/bin/named/statschannel.c b/contrib/bind9/bin/named/statschannel.c
index 8d8f108fd383..6ea0be505191 100644
--- a/contrib/bind9/bin/named/statschannel.c
+++ b/contrib/bind9/bin/named/statschannel.c
@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: statschannel.c,v 1.26.150.2 2011/03/12 04:59:14 tbox Exp $ */
/*! \file */
@@ -29,6 +29,7 @@
#include <isc/stats.h>
#include <isc/task.h>
+#include <dns/cache.h>
#include <dns/db.h>
#include <dns/opcode.h>
#include <dns/resolver.h>
@@ -858,9 +859,9 @@ generatexml(ns_server_t *server, int *buflen, xmlChar **buf) {
TRY0(xmlTextWriterStartElement(writer,
ISC_XMLCHAR "cache"));
TRY0(xmlTextWriterWriteAttribute(writer,
- ISC_XMLCHAR "name",
- ISC_XMLCHAR
- view->name));
+ ISC_XMLCHAR "name",
+ ISC_XMLCHAR
+ dns_cache_getname(view->cache)));
dumparg.result = ISC_R_SUCCESS;
dns_rdatasetstats_dump(cachestats, rdatasetstats_dump,
&dumparg, 0);
@@ -1440,7 +1441,15 @@ ns_stats_dump(ns_server_t *server, FILE *fp) {
if (strcmp(view->name, "_default") == 0)
fprintf(fp, "[View: default]\n");
else
- fprintf(fp, "[View: %s]\n", view->name);
+ fprintf(fp, "[View: %s (Cache: %s)]\n", view->name,
+ dns_cache_getname(view->cache));
+ if (dns_view_iscacheshared(view)) {
+ /*
+ * Avoid dumping redundant statistics when the cache is
+ * shared.
+ */
+ continue;
+ }
dns_rdatasetstats_dump(cachestats, rdatasetstats_dump, &dumparg,
0);
}
diff --git a/contrib/bind9/bin/named/tkeyconf.c b/contrib/bind9/bin/named/tkeyconf.c
index 8e726b8318ae..6d852a0871c0 100644
--- a/contrib/bind9/bin/named/tkeyconf.c
+++ b/contrib/bind9/bin/named/tkeyconf.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2007, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: tkeyconf.c,v 1.33 2010/12/20 23:47:20 tbox Exp $ */
/*! \file */
@@ -77,8 +77,7 @@ ns_tkeyctx_fromconfig(const cfg_obj_t *options, isc_mem_t *mctx,
isc_buffer_add(&b, strlen(s));
dns_fixedname_init(&fname);
name = dns_fixedname_name(&fname);
- RETERR(dns_name_fromtext(name, &b, dns_rootname,
- ISC_FALSE, NULL));
+ RETERR(dns_name_fromtext(name, &b, dns_rootname, 0, NULL));
type = DST_TYPE_PUBLIC|DST_TYPE_PRIVATE|DST_TYPE_KEY;
RETERR(dst_key_fromfile(name, (dns_keytag_t) n, DNS_KEYALG_DH,
type, NULL, mctx, &tctx->dhkey));
@@ -92,8 +91,7 @@ ns_tkeyctx_fromconfig(const cfg_obj_t *options, isc_mem_t *mctx,
isc_buffer_add(&b, strlen(s));
dns_fixedname_init(&fname);
name = dns_fixedname_name(&fname);
- RETERR(dns_name_fromtext(name, &b, dns_rootname, ISC_FALSE,
- NULL));
+ RETERR(dns_name_fromtext(name, &b, dns_rootname, 0, NULL));
tctx->domain = isc_mem_get(mctx, sizeof(dns_name_t));
if (tctx->domain == NULL) {
result = ISC_R_NOMEMORY;
@@ -112,12 +110,22 @@ ns_tkeyctx_fromconfig(const cfg_obj_t *options, isc_mem_t *mctx,
isc_buffer_add(&b, strlen(s));
dns_fixedname_init(&fname);
name = dns_fixedname_name(&fname);
- RETERR(dns_name_fromtext(name, &b, dns_rootname, ISC_FALSE,
- NULL));
- RETERR(dst_gssapi_acquirecred(name, ISC_FALSE,
- &tctx->gsscred));
+ RETERR(dns_name_fromtext(name, &b, dns_rootname, 0, NULL));
+ RETERR(dst_gssapi_acquirecred(name, ISC_FALSE, &tctx->gsscred));
}
+ obj = NULL;
+ result = cfg_map_get(options, "tkey-gssapi-keytab", &obj);
+ if (result == ISC_R_SUCCESS) {
+ s = cfg_obj_asstring(obj);
+ tctx->gssapi_keytab = isc_mem_strdup(mctx, s);
+ if (tctx->gssapi_keytab == NULL) {
+ result = ISC_R_NOMEMORY;
+ goto failure;
+ }
+ }
+
+
*tctxp = tctx;
return (ISC_R_SUCCESS);
diff --git a/contrib/bind9/bin/named/tsigconf.c b/contrib/bind9/bin/named/tsigconf.c
index 9ce9e4595172..776b1b9f837d 100644
--- a/contrib/bind9/bin/named/tsigconf.c
+++ b/contrib/bind9/bin/named/tsigconf.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2007, 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009, 2011 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: tsigconf.c,v 1.35 2011/01/11 23:47:12 tbox Exp $ */
/*! \file */
@@ -82,7 +82,7 @@ add_initial_keys(const cfg_obj_t *list, dns_tsig_keyring_t *ring,
isc_buffer_add(&keynamesrc, strlen(keyid));
isc_buffer_init(&keynamebuf, keynamedata, sizeof(keynamedata));
ret = dns_name_fromtext(&keyname, &keynamesrc, dns_rootname,
- ISC_TRUE, &keynamebuf);
+ DNS_NAME_DOWNCASE, &keynamebuf);
if (ret != ISC_R_SUCCESS)
goto failure;
@@ -178,6 +178,6 @@ ns_tsigkeyring_fromconfig(const cfg_obj_t *config, const cfg_obj_t *vconfig,
return (ISC_R_SUCCESS);
failure:
- dns_tsigkeyring_destroy(&ring);
+ dns_tsigkeyring_detach(&ring);
return (result);
}
diff --git a/contrib/bind9/bin/named/unix/Makefile.in b/contrib/bind9/bin/named/unix/Makefile.in
index c1bd53eaeef2..ff2eccea86a4 100644
--- a/contrib/bind9/bin/named/unix/Makefile.in
+++ b/contrib/bind9/bin/named/unix/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2004, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007, 2009, 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 1999-2001 Internet Software Consortium.
#
# Permission to use, copy, modify, and/or distribute this software for any
@@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id$
+# $Id: Makefile.in,v 1.13.244.2 2011/03/10 23:47:26 tbox Exp $
srcdir = @srcdir@
VPATH = @srcdir@
@@ -22,14 +22,15 @@ top_srcdir = @top_srcdir@
@BIND9_MAKE_INCLUDES@
CINCLUDES = -I${srcdir}/include -I${srcdir}/../include \
+ ${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} \
${DNS_INCLUDES} ${ISC_INCLUDES}
CDEFINES =
CWARNINGS =
-OBJS = os.@O@
+OBJS = os.@O@ dlz_dlopen_driver.@O@
-SRCS = os.c
+SRCS = os.c dlz_dlopen_driver.c
TARGETS = ${OBJS}
diff --git a/contrib/bind9/bin/named/unix/dlz_dlopen_driver.c b/contrib/bind9/bin/named/unix/dlz_dlopen_driver.c
new file mode 100644
index 000000000000..edd394656d28
--- /dev/null
+++ b/contrib/bind9/bin/named/unix/dlz_dlopen_driver.c
@@ -0,0 +1,618 @@
+/*
+ * Copyright (C) 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: dlz_dlopen_driver.c,v 1.1.4.6 2012/02/22 23:46:35 tbox Exp $ */
+
+#include <config.h>
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <dlfcn.h>
+
+#include <dns/log.h>
+#include <dns/result.h>
+#include <dns/dlz_dlopen.h>
+
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/result.h>
+#include <isc/util.h>
+
+#include <named/globals.h>
+
+#include <dlz/dlz_dlopen_driver.h>
+
+#ifdef ISC_DLZ_DLOPEN
+static dns_sdlzimplementation_t *dlz_dlopen = NULL;
+
+
+typedef struct dlopen_data {
+ isc_mem_t *mctx;
+ char *dl_path;
+ char *dlzname;
+ void *dl_handle;
+ void *dbdata;
+ unsigned int flags;
+ isc_mutex_t lock;
+ int version;
+ isc_boolean_t in_configure;
+
+ dlz_dlopen_version_t *dlz_version;
+ dlz_dlopen_create_t *dlz_create;
+ dlz_dlopen_findzonedb_t *dlz_findzonedb;
+ dlz_dlopen_lookup_t *dlz_lookup;
+ dlz_dlopen_authority_t *dlz_authority;
+ dlz_dlopen_allnodes_t *dlz_allnodes;
+ dlz_dlopen_allowzonexfr_t *dlz_allowzonexfr;
+ dlz_dlopen_newversion_t *dlz_newversion;
+ dlz_dlopen_closeversion_t *dlz_closeversion;
+ dlz_dlopen_configure_t *dlz_configure;
+ dlz_dlopen_ssumatch_t *dlz_ssumatch;
+ dlz_dlopen_addrdataset_t *dlz_addrdataset;
+ dlz_dlopen_subrdataset_t *dlz_subrdataset;
+ dlz_dlopen_delrdataset_t *dlz_delrdataset;
+ dlz_dlopen_destroy_t *dlz_destroy;
+} dlopen_data_t;
+
+/* Modules can choose whether they are lock-safe or not. */
+#define MAYBE_LOCK(cd) \
+ do { \
+ if ((cd->flags & DNS_SDLZFLAG_THREADSAFE) == 0 && \
+ cd->in_configure == ISC_FALSE) \
+ LOCK(&cd->lock); \
+ } while (0)
+
+#define MAYBE_UNLOCK(cd) \
+ do { \
+ if ((cd->flags & DNS_SDLZFLAG_THREADSAFE) == 0 && \
+ cd->in_configure == ISC_FALSE) \
+ UNLOCK(&cd->lock); \
+ } while (0)
+
+/*
+ * Log a message at the given level.
+ */
+static void dlopen_log(int level, const char *fmt, ...)
+{
+ va_list ap;
+ va_start(ap, fmt);
+ isc_log_vwrite(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+ DNS_LOGMODULE_DLZ, ISC_LOG_DEBUG(level),
+ fmt, ap);
+ va_end(ap);
+}
+
+/*
+ * SDLZ methods
+ */
+
+static isc_result_t
+dlopen_dlz_allnodes(const char *zone, void *driverarg, void *dbdata,
+ dns_sdlzallnodes_t *allnodes)
+{
+ dlopen_data_t *cd = (dlopen_data_t *) dbdata;
+ isc_result_t result;
+
+
+ UNUSED(driverarg);
+
+ if (cd->dlz_allnodes == NULL) {
+ return (ISC_R_NOPERM);
+ }
+
+ MAYBE_LOCK(cd);
+ result = cd->dlz_allnodes(zone, cd->dbdata, allnodes);
+ MAYBE_UNLOCK(cd);
+ return (result);
+}
+
+
+static isc_result_t
+dlopen_dlz_allowzonexfr(void *driverarg, void *dbdata, const char *name,
+ const char *client)
+{
+ dlopen_data_t *cd = (dlopen_data_t *) dbdata;
+ isc_result_t result;
+
+ UNUSED(driverarg);
+
+
+ if (cd->dlz_allowzonexfr == NULL) {
+ return (ISC_R_NOPERM);
+ }
+
+ MAYBE_LOCK(cd);
+ result = cd->dlz_allowzonexfr(cd->dbdata, name, client);
+ MAYBE_UNLOCK(cd);
+ return (result);
+}
+
+static isc_result_t
+dlopen_dlz_authority(const char *zone, void *driverarg, void *dbdata,
+ dns_sdlzlookup_t *lookup)
+{
+ dlopen_data_t *cd = (dlopen_data_t *) dbdata;
+ isc_result_t result;
+
+ UNUSED(driverarg);
+
+ if (cd->dlz_authority == NULL) {
+ return (ISC_R_NOTIMPLEMENTED);
+ }
+
+ MAYBE_LOCK(cd);
+ result = cd->dlz_authority(zone, cd->dbdata, lookup);
+ MAYBE_UNLOCK(cd);
+ return (result);
+}
+
+static isc_result_t
+dlopen_dlz_findzonedb(void *driverarg, void *dbdata, const char *name)
+{
+ dlopen_data_t *cd = (dlopen_data_t *) dbdata;
+ isc_result_t result;
+
+ UNUSED(driverarg);
+
+ MAYBE_LOCK(cd);
+ result = cd->dlz_findzonedb(cd->dbdata, name);
+ MAYBE_UNLOCK(cd);
+ return (result);
+}
+
+
+static isc_result_t
+dlopen_dlz_lookup(const char *zone, const char *name, void *driverarg,
+ void *dbdata, dns_sdlzlookup_t *lookup)
+{
+ dlopen_data_t *cd = (dlopen_data_t *) dbdata;
+ isc_result_t result;
+
+ UNUSED(driverarg);
+
+ MAYBE_LOCK(cd);
+ result = cd->dlz_lookup(zone, name, cd->dbdata, lookup);
+ MAYBE_UNLOCK(cd);
+ return (result);
+}
+
+/*
+ * Load a symbol from the library
+ */
+static void *
+dl_load_symbol(dlopen_data_t *cd, const char *symbol, isc_boolean_t mandatory) {
+ void *ptr = dlsym(cd->dl_handle, symbol);
+ if (ptr == NULL && mandatory) {
+ dlopen_log(ISC_LOG_ERROR,
+ "dlz_dlopen: library '%s' is missing "
+ "required symbol '%s'", cd->dl_path, symbol);
+ }
+ return (ptr);
+}
+
+/*
+ * Called at startup for each dlopen zone in named.conf
+ */
+static isc_result_t
+dlopen_dlz_create(const char *dlzname, unsigned int argc, char *argv[],
+ void *driverarg, void **dbdata)
+{
+ dlopen_data_t *cd;
+ isc_mem_t *mctx = NULL;
+ isc_result_t result = ISC_R_FAILURE;
+ int dlopen_flags = 0;
+
+ UNUSED(driverarg);
+
+ if (argc < 2) {
+ dlopen_log(ISC_LOG_ERROR,
+ "dlz_dlopen driver for '%s' needs a path to "
+ "the shared library", dlzname);
+ return (ISC_R_FAILURE);
+ }
+
+ isc_mem_create(0, 0, &mctx);
+
+ cd = isc_mem_get(mctx, sizeof(*cd));
+ if (cd == NULL) {
+ isc_mem_destroy(&mctx);
+ return (ISC_R_NOMEMORY);
+ }
+ memset(cd, 0, sizeof(*cd));
+
+ cd->mctx = mctx;
+
+ cd->dl_path = isc_mem_strdup(cd->mctx, argv[1]);
+ if (cd->dl_path == NULL) {
+ goto failed;
+ }
+
+ cd->dlzname = isc_mem_strdup(cd->mctx, dlzname);
+ if (cd->dlzname == NULL) {
+ goto failed;
+ }
+
+ /* Initialize the lock */
+ isc_mutex_init(&cd->lock);
+
+ /* Open the library */
+ dlopen_flags = RTLD_NOW|RTLD_GLOBAL;
+
+#ifdef RTLD_DEEPBIND
+ /*
+ * If RTLD_DEEPBIND is available then use it. This can avoid
+ * issues with a module using a different version of a system
+ * library than one that bind9 uses. For example, bind9 may link
+ * to MIT kerberos, but the module may use Heimdal. If we don't
+ * use RTLD_DEEPBIND then we could end up with Heimdal functions
+ * calling MIT functions, which leads to bizarre results (usually
+ * a segfault).
+ */
+ dlopen_flags |= RTLD_DEEPBIND;
+#endif
+
+ cd->dl_handle = dlopen(cd->dl_path, dlopen_flags);
+ if (cd->dl_handle == NULL) {
+ dlopen_log(ISC_LOG_ERROR,
+ "dlz_dlopen failed to open library '%s' - %s",
+ cd->dl_path, dlerror());
+ goto failed;
+ }
+
+ /* Find the symbols */
+ cd->dlz_version = (dlz_dlopen_version_t *)
+ dl_load_symbol(cd, "dlz_version", ISC_TRUE);
+ cd->dlz_create = (dlz_dlopen_create_t *)
+ dl_load_symbol(cd, "dlz_create", ISC_TRUE);
+ cd->dlz_lookup = (dlz_dlopen_lookup_t *)
+ dl_load_symbol(cd, "dlz_lookup", ISC_TRUE);
+ cd->dlz_findzonedb = (dlz_dlopen_findzonedb_t *)
+ dl_load_symbol(cd, "dlz_findzonedb", ISC_TRUE);
+
+ if (cd->dlz_create == NULL ||
+ cd->dlz_lookup == NULL ||
+ cd->dlz_findzonedb == NULL)
+ {
+ /* We're missing a required symbol */
+ goto failed;
+ }
+
+ cd->dlz_allowzonexfr = (dlz_dlopen_allowzonexfr_t *)
+ dl_load_symbol(cd, "dlz_allowzonexfr", ISC_FALSE);
+ cd->dlz_allnodes = (dlz_dlopen_allnodes_t *)
+ dl_load_symbol(cd, "dlz_allnodes",
+ ISC_TF(cd->dlz_allowzonexfr != NULL));
+ cd->dlz_authority = (dlz_dlopen_authority_t *)
+ dl_load_symbol(cd, "dlz_authority", ISC_FALSE);
+ cd->dlz_newversion = (dlz_dlopen_newversion_t *)
+ dl_load_symbol(cd, "dlz_newversion", ISC_FALSE);
+ cd->dlz_closeversion = (dlz_dlopen_closeversion_t *)
+ dl_load_symbol(cd, "dlz_closeversion",
+ ISC_TF(cd->dlz_newversion != NULL));
+ cd->dlz_configure = (dlz_dlopen_configure_t *)
+ dl_load_symbol(cd, "dlz_configure", ISC_FALSE);
+ cd->dlz_ssumatch = (dlz_dlopen_ssumatch_t *)
+ dl_load_symbol(cd, "dlz_ssumatch", ISC_FALSE);
+ cd->dlz_addrdataset = (dlz_dlopen_addrdataset_t *)
+ dl_load_symbol(cd, "dlz_addrdataset", ISC_FALSE);
+ cd->dlz_subrdataset = (dlz_dlopen_subrdataset_t *)
+ dl_load_symbol(cd, "dlz_subrdataset", ISC_FALSE);
+ cd->dlz_delrdataset = (dlz_dlopen_delrdataset_t *)
+ dl_load_symbol(cd, "dlz_delrdataset", ISC_FALSE);
+ cd->dlz_destroy = (dlz_dlopen_destroy_t *)
+ dl_load_symbol(cd, "dlz_destroy", ISC_FALSE);
+
+ /* Check the version of the API is the same */
+ cd->version = cd->dlz_version(&cd->flags);
+ if (cd->version != DLZ_DLOPEN_VERSION) {
+ dlopen_log(ISC_LOG_ERROR,
+ "dlz_dlopen: incorrect version %d "
+ "should be %d in '%s'",
+ cd->version, DLZ_DLOPEN_VERSION, cd->dl_path);
+ goto failed;
+ }
+
+ /*
+ * Call the library's create function. Note that this is an
+ * extended version of dlz create, with the addition of
+ * named function pointers for helper functions that the
+ * driver will need. This avoids the need for the backend to
+ * link the BIND9 libraries
+ */
+ MAYBE_LOCK(cd);
+ result = cd->dlz_create(dlzname, argc-1, argv+1,
+ &cd->dbdata,
+ "log", dlopen_log,
+ "putrr", dns_sdlz_putrr,
+ "putnamedrr", dns_sdlz_putnamedrr,
+ "writeable_zone", dns_dlz_writeablezone,
+ NULL);
+ MAYBE_UNLOCK(cd);
+ if (result != ISC_R_SUCCESS)
+ goto failed;
+
+ *dbdata = cd;
+
+ return (ISC_R_SUCCESS);
+
+failed:
+ dlopen_log(ISC_LOG_ERROR, "dlz_dlopen of '%s' failed", dlzname);
+ if (cd->dl_path)
+ isc_mem_free(mctx, cd->dl_path);
+ if (cd->dlzname)
+ isc_mem_free(mctx, cd->dlzname);
+ if (dlopen_flags)
+ (void) isc_mutex_destroy(&cd->lock);
+#ifdef HAVE_DLCLOSE
+ if (cd->dl_handle)
+ dlclose(cd->dl_handle);
+#endif
+ isc_mem_put(mctx, cd, sizeof(*cd));
+ isc_mem_destroy(&mctx);
+ return (result);
+}
+
+
+/*
+ * Called when bind is shutting down
+ */
+static void
+dlopen_dlz_destroy(void *driverarg, void *dbdata) {
+ dlopen_data_t *cd = (dlopen_data_t *) dbdata;
+ isc_mem_t *mctx;
+
+ UNUSED(driverarg);
+
+ if (cd->dlz_destroy) {
+ MAYBE_LOCK(cd);
+ cd->dlz_destroy(cd->dbdata);
+ MAYBE_UNLOCK(cd);
+ }
+
+ if (cd->dl_path)
+ isc_mem_free(cd->mctx, cd->dl_path);
+ if (cd->dlzname)
+ isc_mem_free(cd->mctx, cd->dlzname);
+
+#ifdef HAVE_DLCLOSE
+ if (cd->dl_handle)
+ dlclose(cd->dl_handle);
+#endif
+
+ (void) isc_mutex_destroy(&cd->lock);
+
+ mctx = cd->mctx;
+ isc_mem_put(mctx, cd, sizeof(*cd));
+ isc_mem_destroy(&mctx);
+}
+
+/*
+ * Called to start a transaction
+ */
+static isc_result_t
+dlopen_dlz_newversion(const char *zone, void *driverarg, void *dbdata,
+ void **versionp)
+{
+ dlopen_data_t *cd = (dlopen_data_t *) dbdata;
+ isc_result_t result;
+
+ UNUSED(driverarg);
+
+ if (cd->dlz_newversion == NULL)
+ return (ISC_R_NOTIMPLEMENTED);
+
+ MAYBE_LOCK(cd);
+ result = cd->dlz_newversion(zone, cd->dbdata, versionp);
+ MAYBE_UNLOCK(cd);
+ return (result);
+}
+
+/*
+ * Called to end a transaction
+ */
+static void
+dlopen_dlz_closeversion(const char *zone, isc_boolean_t commit,
+ void *driverarg, void *dbdata, void **versionp)
+{
+ dlopen_data_t *cd = (dlopen_data_t *) dbdata;
+
+ UNUSED(driverarg);
+
+ if (cd->dlz_newversion == NULL) {
+ *versionp = NULL;
+ return;
+ }
+
+ MAYBE_LOCK(cd);
+ cd->dlz_closeversion(zone, commit, cd->dbdata, versionp);
+ MAYBE_UNLOCK(cd);
+}
+
+/*
+ * Called on startup to configure any writeable zones
+ */
+static isc_result_t
+dlopen_dlz_configure(dns_view_t *view, void *driverarg, void *dbdata) {
+ dlopen_data_t *cd = (dlopen_data_t *) dbdata;
+ isc_result_t result;
+
+ UNUSED(driverarg);
+
+ if (cd->dlz_configure == NULL)
+ return (ISC_R_SUCCESS);
+
+ MAYBE_LOCK(cd);
+ cd->in_configure = ISC_TRUE;
+ result = cd->dlz_configure(view, cd->dbdata);
+ cd->in_configure = ISC_FALSE;
+ MAYBE_UNLOCK(cd);
+
+ return (result);
+}
+
+
+/*
+ * Check for authority to change a name
+ */
+static isc_boolean_t
+dlopen_dlz_ssumatch(const char *signer, const char *name, const char *tcpaddr,
+ const char *type, const char *key, isc_uint32_t keydatalen,
+ unsigned char *keydata, void *driverarg, void *dbdata)
+{
+ dlopen_data_t *cd = (dlopen_data_t *) dbdata;
+ isc_boolean_t ret;
+
+ UNUSED(driverarg);
+
+ if (cd->dlz_ssumatch == NULL)
+ return (ISC_FALSE);
+
+ MAYBE_LOCK(cd);
+ ret = cd->dlz_ssumatch(signer, name, tcpaddr, type, key, keydatalen,
+ keydata, cd->dbdata);
+ MAYBE_UNLOCK(cd);
+
+ return (ret);
+}
+
+
+/*
+ * Add an rdataset
+ */
+static isc_result_t
+dlopen_dlz_addrdataset(const char *name, const char *rdatastr,
+ void *driverarg, void *dbdata, void *version)
+{
+ dlopen_data_t *cd = (dlopen_data_t *) dbdata;
+ isc_result_t result;
+
+ UNUSED(driverarg);
+
+ if (cd->dlz_addrdataset == NULL)
+ return (ISC_R_NOTIMPLEMENTED);
+
+ MAYBE_LOCK(cd);
+ result = cd->dlz_addrdataset(name, rdatastr, cd->dbdata, version);
+ MAYBE_UNLOCK(cd);
+
+ return (result);
+}
+
+/*
+ * Subtract an rdataset
+ */
+static isc_result_t
+dlopen_dlz_subrdataset(const char *name, const char *rdatastr,
+ void *driverarg, void *dbdata, void *version)
+{
+ dlopen_data_t *cd = (dlopen_data_t *) dbdata;
+ isc_result_t result;
+
+ UNUSED(driverarg);
+
+ if (cd->dlz_subrdataset == NULL)
+ return (ISC_R_NOTIMPLEMENTED);
+
+ MAYBE_LOCK(cd);
+ result = cd->dlz_subrdataset(name, rdatastr, cd->dbdata, version);
+ MAYBE_UNLOCK(cd);
+
+ return (result);
+}
+
+/*
+ delete a rdataset
+ */
+static isc_result_t
+dlopen_dlz_delrdataset(const char *name, const char *type,
+ void *driverarg, void *dbdata, void *version)
+{
+ dlopen_data_t *cd = (dlopen_data_t *) dbdata;
+ isc_result_t result;
+
+ UNUSED(driverarg);
+
+ if (cd->dlz_delrdataset == NULL)
+ return (ISC_R_NOTIMPLEMENTED);
+
+ MAYBE_LOCK(cd);
+ result = cd->dlz_delrdataset(name, type, cd->dbdata, version);
+ MAYBE_UNLOCK(cd);
+
+ return (result);
+}
+
+
+static dns_sdlzmethods_t dlz_dlopen_methods = {
+ dlopen_dlz_create,
+ dlopen_dlz_destroy,
+ dlopen_dlz_findzonedb,
+ dlopen_dlz_lookup,
+ dlopen_dlz_authority,
+ dlopen_dlz_allnodes,
+ dlopen_dlz_allowzonexfr,
+ dlopen_dlz_newversion,
+ dlopen_dlz_closeversion,
+ dlopen_dlz_configure,
+ dlopen_dlz_ssumatch,
+ dlopen_dlz_addrdataset,
+ dlopen_dlz_subrdataset,
+ dlopen_dlz_delrdataset
+};
+#endif
+
+/*
+ * Register driver with BIND
+ */
+isc_result_t
+dlz_dlopen_init(isc_mem_t *mctx) {
+#ifndef ISC_DLZ_DLOPEN
+ UNUSED(mctx);
+ return (ISC_R_NOTIMPLEMENTED);
+#else
+ isc_result_t result;
+
+ dlopen_log(2, "Registering DLZ_dlopen driver");
+
+ result = dns_sdlzregister("dlopen", &dlz_dlopen_methods, NULL,
+ DNS_SDLZFLAG_RELATIVEOWNER |
+ DNS_SDLZFLAG_THREADSAFE,
+ mctx, &dlz_dlopen);
+
+ if (result != ISC_R_SUCCESS) {
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "dns_sdlzregister() failed: %s",
+ isc_result_totext(result));
+ result = ISC_R_UNEXPECTED;
+ }
+
+ return (result);
+#endif
+}
+
+
+/*
+ * Unregister the driver
+ */
+void
+dlz_dlopen_clear(void) {
+#ifdef ISC_DLZ_DLOPEN
+ dlopen_log(2, "Unregistering DLZ_dlopen driver");
+ if (dlz_dlopen != NULL)
+ dns_sdlzunregister(&dlz_dlopen);
+#endif
+}
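Review bot: In dlopen_dlz_create the required-symbol test covers dlz_create, dlz_lookup and dlz_findzonedb but not dlz_version, which is then called unconditionally at `cd->version = cd->dlz_version(&cd->flags);`. A module that lacks that symbol therefore makes named call through a NULL pointer instead of failing cleanly; add `cd->dlz_version == NULL ||` to that test. The same gap exists for dlz_closeversion: dl_load_symbol only logs a missing mandatory symbol, and dlopen_dlz_closeversion guards on `cd->dlz_newversion == NULL` before calling `cd->dlz_closeversion`, so create should also fail when dlz_newversion is present without dlz_closeversion. Because the library named in argv[1] is loaded into the named process with RTLD_GLOBAL, a comment at the dlopen() call saying that the configured path must point to a file only the administrator can write would help operators.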
diff --git a/contrib/bind9/bin/named/unix/include/named/os.h b/contrib/bind9/bin/named/unix/include/named/os.h
index b26ad9be8d88..c979e53871d7 100644
--- a/contrib/bind9/bin/named/unix/include/named/os.h
+++ b/contrib/bind9/bin/named/unix/include/named/os.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2007, 2008, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007-2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: os.h,v 1.31 2009/08/05 23:47:43 tbox Exp $ */
#ifndef NS_OS_H
#define NS_OS_H 1
@@ -51,8 +51,12 @@ ns_os_adjustnofile(void);
void
ns_os_minprivs(void);
+FILE *
+ns_os_openfile(const char *filename, mode_t mode, isc_boolean_t switch_user);
+
void
ns_os_writepidfile(const char *filename, isc_boolean_t first_time);
+
void
ns_os_shutdown(void);
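Review bot: The new ns_os_openfile prototype has no description, and its contract cannot be read from the signature alone. As os.c in this commit shows, it creates the containing directory, removes any existing file, creates a new one with `mode`, and returns a FILE * opened for writing, or NULL on failure. A comment above the prototype should say that, and add that with `switch_user` set and a run-as user configured the open is first attempted with that user's uid/gid.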
diff --git a/contrib/bind9/bin/named/unix/os.c b/contrib/bind9/bin/named/unix/os.c
index a7ddee5f86af..9637ded473e5 100644
--- a/contrib/bind9/bin/named/unix/os.c
+++ b/contrib/bind9/bin/named/unix/os.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2009, 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: os.c,v 1.104.38.3 2011/03/02 00:04:01 marka Exp $ */
/*! \file */
@@ -291,6 +291,12 @@ linux_initialprivs(void) {
*/
SET_CAP(CAP_SYS_RESOURCE);
+ /*
+ * We need to be able to set the ownership of the containing
+ * directory of the pid file when we create it.
+ */
+ SET_CAP(CAP_CHOWN);
+
linux_setcaps(caps);
#ifdef HAVE_LIBCAP
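Review bot: CAP_CHOWN is added to the initial capability set only so the pid-file directory can be handed to the run-as user, so it should not survive into the running server. Please confirm that the reduced set applied later by ns_os_minprivs (not visible in this hunk) does not keep it, and extend the new comment with one sentence saying where the capability is dropped. linux_initialprivs starts and ends outside the hunk, so the rest of the capability list cannot be checked here.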
@@ -631,7 +637,7 @@ ns_os_minprivs(void) {
}
static int
-safe_open(const char *filename, isc_boolean_t append) {
+safe_open(const char *filename, mode_t mode, isc_boolean_t append) {
int fd;
struct stat sb;
@@ -644,13 +650,11 @@ safe_open(const char *filename, isc_boolean_t append) {
}
if (append)
- fd = open(filename, O_WRONLY|O_CREAT|O_APPEND,
- S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH);
+ fd = open(filename, O_WRONLY|O_CREAT|O_APPEND, mode);
else {
if (unlink(filename) < 0 && errno != ENOENT)
return (-1);
- fd = open(filename, O_WRONLY|O_CREAT|O_EXCL,
- S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH);
+ fd = open(filename, O_WRONLY|O_CREAT|O_EXCL, mode);
}
return (fd);
}
@@ -686,6 +690,15 @@ mkdirpath(char *filename, void (*report)(const char *, ...)) {
}
if (mkdirpath(filename, report) == -1)
goto error;
+ /*
+ * Handle "//", "/./" and "/../" in path.
+ */
+ if (!strcmp(slash + 1, "") ||
+ !strcmp(slash + 1, ".") ||
+ !strcmp(slash + 1, "..")) {
+ *slash = '/';
+ return (0);
+ }
mode = S_IRUSR | S_IWUSR | S_IXUSR; /* u=rwx */
mode |= S_IRGRP | S_IXGRP; /* g=rx */
mode |= S_IROTH | S_IXOTH; /* o=rx */
@@ -695,6 +708,13 @@ mkdirpath(char *filename, void (*report)(const char *, ...)) {
strbuf);
goto error;
}
+ if (runas_pw != NULL &&
+ chown(filename, runas_pw->pw_uid,
+ runas_pw->pw_gid) == -1) {
+ isc__strerror(errno, strbuf, sizeof(strbuf));
+ (*report)("couldn't chown '%s': %s", filename,
+ strbuf);
+ }
}
*slash = '/';
}
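Review bot: The added `chown(filename, ...)` acts on a path, follows symbolic links, and runs as a separate step after mkdir(). Using `lchown(filename, runas_pw->pw_uid, runas_pw->pw_gid)` would keep the ownership change on the directory entry itself if the path were replaced between the two calls. A chown failure is reported but mkdirpath still returns success, which looks deliberate; a one-line comment stating that the failure is intentionally non-fatal would make that explicit. mkdirpath begins and ends outside the hunk.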
@@ -705,11 +725,130 @@ mkdirpath(char *filename, void (*report)(const char *, ...)) {
return (-1);
}
+static void
+setperms(uid_t uid, gid_t gid) {
+ char strbuf[ISC_STRERRORSIZE];
+#if !defined(HAVE_SETEGID) && defined(HAVE_SETRESGID)
+ gid_t oldgid, tmpg;
+#endif
+#if !defined(HAVE_SETEUID) && defined(HAVE_SETRESUID)
+ uid_t olduid, tmpu;
+#endif
+#if defined(HAVE_SETEGID)
+ if (getegid() != gid && setegid(gid) == -1) {
+ isc__strerror(errno, strbuf, sizeof(strbuf));
+ ns_main_earlywarning("unable to set effective gid to %ld: %s",
+ (long)gid, strbuf);
+ }
+#elif defined(HAVE_SETRESGID)
+ if (getresgid(&tmpg, &oldgid, &tmpg) == -1 || oldgid != gid) {
+ if (setresgid(-1, gid, -1) == -1) {
+ isc__strerror(errno, strbuf, sizeof(strbuf));
+ ns_main_earlywarning("unable to set effective "
+ "gid to %d: %s", gid, strbuf);
+ }
+ }
+#endif
+
+#if defined(HAVE_SETEUID)
+ if (geteuid() != uid && seteuid(uid) == -1) {
+ isc__strerror(errno, strbuf, sizeof(strbuf));
+ ns_main_earlywarning("unable to set effective uid to %ld: %s",
+ (long)uid, strbuf);
+ }
+#elif defined(HAVE_SETRESUID)
+ if (getresuid(&tmpu, &olduid, &tmpu) == -1 || olduid != uid) {
+ if (setresuid(-1, uid, -1) == -1) {
+ isc__strerror(errno, strbuf, sizeof(strbuf));
+ ns_main_earlywarning("unable to set effective "
+ "uid to %d: %s", uid, strbuf);
+ }
+ }
+#endif
+}
+
+FILE *
+ns_os_openfile(const char *filename, mode_t mode, isc_boolean_t switch_user) {
+ char strbuf[ISC_STRERRORSIZE], *f;
+ FILE *fp;
+ int fd;
+
+ /*
+ * Make the containing directory if it doesn't exist.
+ */
+ f = strdup(filename);
+ if (f == NULL) {
+ isc__strerror(errno, strbuf, sizeof(strbuf));
+ ns_main_earlywarning("couldn't strdup() '%s': %s",
+ filename, strbuf);
+ return (NULL);
+ }
+ if (mkdirpath(f, ns_main_earlywarning) == -1) {
+ free(f);
+ return (NULL);
+ }
+ free(f);
+
+ if (switch_user && runas_pw != NULL) {
+#ifndef HAVE_LINUXTHREADS
+ gid_t oldgid = getgid();
+#endif
+ /* Set UID/GID to the one we'll be running with eventually */
+ setperms(runas_pw->pw_uid, runas_pw->pw_gid);
+
+ fd = safe_open(filename, mode, ISC_FALSE);
+
+#ifndef HAVE_LINUXTHREADS
+ /* Restore UID/GID to root */
+ setperms(0, oldgid);
+#endif /* HAVE_LINUXTHREADS */
+
+ if (fd == -1) {
+#ifndef HAVE_LINUXTHREADS
+ fd = safe_open(filename, mode, ISC_FALSE);
+ if (fd != -1) {
+ ns_main_earlywarning("Required root "
+ "permissions to open "
+ "'%s'.", filename);
+ } else {
+ ns_main_earlywarning("Could not open "
+ "'%s'.", filename);
+ }
+ ns_main_earlywarning("Please check file and "
+ "directory permissions "
+ "or reconfigure the filename.");
+#else /* HAVE_LINUXTHREADS */
+ ns_main_earlywarning("Could not open "
+ "'%s'.", filename);
+ ns_main_earlywarning("Please check file and "
+ "directory permissions "
+ "or reconfigure the filename.");
+#endif /* HAVE_LINUXTHREADS */
+ }
+ } else {
+ fd = safe_open(filename, mode, ISC_FALSE);
+ }
+
+ if (fd < 0) {
+ isc__strerror(errno, strbuf, sizeof(strbuf));
+ ns_main_earlywarning("could not open file '%s': %s",
+ filename, strbuf);
+ return (NULL);
+ }
+
+ fp = fdopen(fd, "w");
+ if (fp == NULL) {
+ isc__strerror(errno, strbuf, sizeof(strbuf));
+ ns_main_earlywarning("could not fdopen() file '%s': %s",
+ filename, strbuf);
+ }
+
+ return (fp);
+}
+
void
ns_os_writepidfile(const char *filename, isc_boolean_t first_time) {
- int fd;
FILE *lockfile;
- size_t len;
pid_t pid;
char strbuf[ISC_STRERRORSIZE];
void (*report)(const char *, ...);
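Review bot: ns_os_openfile leaks the descriptor when fdopen() fails, because the `if (fp == NULL)` branch only logs, whereas the code this replaces in ns_os_writepidfile called `(void)close(fd);` at that point; add that call after the warning. setperms() only warns when setegid()/seteuid() fail, so safe_open() can still run under the original identity and the file is then created as that user; if that fallback is intended, a comment on setperms should say so. The `%d` conversions for gid and uid in the setresgid/setresuid branches are also inconsistent with the `%ld` plus `(long)` cast used in the setegid/seteuid branches. ns_os_writepidfile continues outside the hunk.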
@@ -725,40 +864,16 @@ ns_os_writepidfile(const char *filename, isc_boolean_t first_time) {
if (filename == NULL)
return;
- len = strlen(filename);
- pidfile = malloc(len + 1);
+ pidfile = strdup(filename);
if (pidfile == NULL) {
isc__strerror(errno, strbuf, sizeof(strbuf));
- (*report)("couldn't malloc '%s': %s", filename, strbuf);
+ (*report)("couldn't strdup() '%s': %s", filename, strbuf);
return;
}
- /* This is safe. */
- strcpy(pidfile, filename);
-
- /*
- * Make the containing directory if it doesn't exist.
- */
- if (mkdirpath(pidfile, report) == -1) {
- free(pidfile);
- pidfile = NULL;
- return;
- }
-
- fd = safe_open(filename, ISC_FALSE);
- if (fd < 0) {
- isc__strerror(errno, strbuf, sizeof(strbuf));
- (*report)("couldn't open pid file '%s': %s", filename, strbuf);
- free(pidfile);
- pidfile = NULL;
- return;
- }
- lockfile = fdopen(fd, "w");
+ lockfile = ns_os_openfile(filename, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH,
+ first_time);
if (lockfile == NULL) {
- isc__strerror(errno, strbuf, sizeof(strbuf));
- (*report)("could not fdopen() pid file '%s': %s",
- filename, strbuf);
- (void)close(fd);
cleanup_pidfile();
return;
}
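Review bot: Directory-creation and open failures for the pid file used to be reported through `report`, but ns_os_openfile always calls ns_main_earlywarning, so whatever logger `report` selects (it is assigned outside this hunk) no longer applies to them. If `report` is meant to switch to a different logger after startup, either give ns_os_openfile a report argument or log in the caller, e.g. `(*report)("couldn't open pid file '%s'", filename);` before `cleanup_pidfile();`. The function starts and ends outside the hunk.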
diff --git a/contrib/bind9/bin/named/update.c b/contrib/bind9/bin/named/update.c
index 70292ade7ca9..6fb6a8536721 100644
--- a/contrib/bind9/bin/named/update.c
+++ b/contrib/bind9/bin/named/update.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: update.c,v 1.186.16.7 2011/11/03 02:55:34 each Exp $ */
#include <config.h>
@@ -38,6 +38,7 @@
#include <dns/message.h>
#include <dns/nsec.h>
#include <dns/nsec3.h>
+#include <dns/private.h>
#include <dns/rdataclass.h>
#include <dns/rdataset.h>
#include <dns/rdatasetiter.h>
@@ -45,6 +46,7 @@
#include <dns/rdatatype.h>
#include <dns/soa.h>
#include <dns/ssu.h>
+#include <dns/tsig.h>
#include <dns/view.h>
#include <dns/zone.h>
#include <dns/zt.h>
@@ -281,6 +283,47 @@ inc_stats(dns_zone_t *zone, isc_statscounter_t counter) {
}
/*%
+ * Check if we could have queried for the contents of this zone or
+ * if the zone is potentially updateable.
+ * If the zone can potentially be updated and the check failed then
+ * log a error otherwise we log a informational message.
+ */
+static isc_result_t
+checkqueryacl(ns_client_t *client, dns_acl_t *queryacl, dns_name_t *zonename,
+ dns_acl_t *updateacl, dns_ssutable_t *ssutable)
+{
+ char namebuf[DNS_NAME_FORMATSIZE];
+ char classbuf[DNS_RDATACLASS_FORMATSIZE];
+ int level;
+ isc_result_t result;
+
+ result = ns_client_checkaclsilent(client, NULL, queryacl, ISC_TRUE);
+ if (result != ISC_R_SUCCESS) {
+ dns_name_format(zonename, namebuf, sizeof(namebuf));
+ dns_rdataclass_format(client->view->rdclass, classbuf,
+ sizeof(classbuf));
+
+ level = (updateacl == NULL && ssutable == NULL) ?
+ ISC_LOG_INFO : ISC_LOG_ERROR;
+
+ ns_client_log(client, NS_LOGCATEGORY_UPDATE_SECURITY,
+ NS_LOGMODULE_UPDATE, level,
+ "update '%s/%s' denied due to allow-query",
+ namebuf, classbuf);
+ } else if (updateacl == NULL && ssutable == NULL) {
+ dns_name_format(zonename, namebuf, sizeof(namebuf));
+ dns_rdataclass_format(client->view->rdclass, classbuf,
+ sizeof(classbuf));
+
+ result = DNS_R_REFUSED;
+ ns_client_log(client, NS_LOGCATEGORY_UPDATE_SECURITY,
+ NS_LOGMODULE_UPDATE, ISC_LOG_INFO,
+ "update '%s/%s' denied", namebuf, classbuf);
+ }
+ return (result);
+}
+
+/*%
* Override the default acl logging when checking whether a client
* can update the zone or whether we can forward the request to the
* master based on IP address.
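Review bot: The comment above checkqueryacl does not say what the function returns, and one case is not obvious: when the allow-query check passes but both updateacl and ssutable are NULL it still returns DNS_R_REFUSED. Suggested addition: `Returns ISC_R_SUCCESS only if the client passes allow-query and the zone has an update ACL or SSU table; otherwise the denial is logged and a failure result is returned.` The existing wording should also read "an error" and "an informational message".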
@@ -809,6 +852,9 @@ typedef struct {
/* The ssu table to check against. */
dns_ssutable_t *table;
+
+ /* the key used for TKEY requests */
+ dst_key_t *key;
} ssu_check_t;
static isc_result_t
@@ -825,14 +871,14 @@ ssu_checkrule(void *data, dns_rdataset_t *rrset) {
return (ISC_R_SUCCESS);
result = dns_ssutable_checkrules(ssuinfo->table, ssuinfo->signer,
ssuinfo->name, ssuinfo->tcpaddr,
- rrset->type);
+ rrset->type, ssuinfo->key);
return (result == ISC_TRUE ? ISC_R_SUCCESS : ISC_R_FAILURE);
}
static isc_boolean_t
ssu_checkall(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
dns_ssutable_t *ssutable, dns_name_t *signer,
- isc_netaddr_t *tcpaddr)
+ isc_netaddr_t *tcpaddr, dst_key_t *key)
{
isc_result_t result;
ssu_check_t ssuinfo;
@@ -841,6 +887,7 @@ ssu_checkall(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
ssuinfo.table = ssutable;
ssuinfo.signer = signer;
ssuinfo.tcpaddr = tcpaddr;
+ ssuinfo.key = key;
result = foreach_rrset(db, ver, name, ssu_checkrule, &ssuinfo);
return (ISC_TF(result == ISC_R_SUCCESS));
}
@@ -889,7 +936,7 @@ temp_check_rrset(dns_difftuple_t *a, dns_difftuple_t *b) {
b->op == DNS_DIFFOP_EXISTS);
INSIST(a->rdata.type == b->rdata.type);
INSIST(dns_name_equal(&a->name, &b->name));
- if (dns_rdata_compare(&a->rdata, &b->rdata) != 0)
+ if (dns_rdata_casecompare(&a->rdata, &b->rdata) != 0)
return (DNS_R_NXRRSET);
a = ISC_LIST_NEXT(a, link);
b = ISC_LIST_NEXT(b, link);
@@ -917,7 +964,7 @@ temp_order(const void *av, const void *bv) {
r = (b->rdata.type - a->rdata.type);
if (r != 0)
return (r);
- r = dns_rdata_compare(&a->rdata, &b->rdata);
+ r = dns_rdata_casecompare(&a->rdata, &b->rdata);
return (r);
}
@@ -1146,7 +1193,7 @@ rr_equal_p(dns_rdata_t *update_rr, dns_rdata_t *db_rr) {
* dns_rdata_equal() (that used dns_name_equal()), since it
* would be faster. Not a priority.
*/
- return (dns_rdata_compare(update_rr, db_rr) == 0 ?
+ return (dns_rdata_casecompare(update_rr, db_rr) == 0 ?
ISC_TRUE : ISC_FALSE);
}
@@ -1208,11 +1255,10 @@ replaces_p(dns_rdata_t *update_rr, dns_rdata_t *db_rr) {
return (ISC_FALSE);
INSIST(db_rr->length >= 4 && update_rr->length >= 4);
/*
- * Replace records added in this UPDATE request.
+ * Replace NSEC3PARAM records that only differ by the
+ * flags field.
*/
if (db_rr->data[0] == update_rr->data[0] &&
- db_rr->data[1] & DNS_NSEC3FLAG_UPDATE &&
- update_rr->data[1] & DNS_NSEC3FLAG_UPDATE &&
memcmp(db_rr->data+2, update_rr->data+2,
update_rr->length - 2) == 0)
return (ISC_TRUE);
@@ -1293,7 +1339,7 @@ add_rr_prepare_action(void *data, rr_t *rr) {
* If the update RR is a "duplicate" of the update RR,
* the update should be silently ignored.
*/
- equal = ISC_TF(dns_rdata_compare(&rr->rdata, ctx->update_rr) == 0);
+ equal = ISC_TF(dns_rdata_casecompare(&rr->rdata, ctx->update_rr) == 0);
if (equal && rr->ttl == ctx->update_rr_ttl) {
ctx->ignore_add = ISC_TRUE;
return (ISC_R_SUCCESS);
@@ -1715,35 +1761,6 @@ next_active(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
return (result);
}
-static isc_boolean_t
-has_opt_bit(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node) {
- isc_result_t result;
- dns_rdata_t rdata = DNS_RDATA_INIT;
- dns_rdataset_t rdataset;
- isc_boolean_t has_bit = ISC_FALSE;
-
- dns_rdataset_init(&rdataset);
- CHECK(dns_db_findrdataset(db, node, version, dns_rdatatype_nsec,
- dns_rdatatype_none, 0, &rdataset, NULL));
- CHECK(dns_rdataset_first(&rdataset));
- dns_rdataset_current(&rdataset, &rdata);
- has_bit = dns_nsec_typepresent(&rdata, dns_rdatatype_opt);
- failure:
- if (dns_rdataset_isassociated(&rdataset))
- dns_rdataset_disassociate(&rdataset);
- return (has_bit);
-}
-
-static void
-set_bit(unsigned char *array, unsigned int index) {
- unsigned int shift, bit;
-
- shift = 7 - (index % 8);
- bit = 1 << shift;
-
- array[index / 8] |= bit;
-}
-
/*%
* Add a NSEC record for "name", recording the change in "diff".
* The existing NSEC is removed.
@@ -1775,24 +1792,6 @@ add_nsec(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
CHECK(dns_db_findnode(db, name, ISC_FALSE, &node));
dns_rdata_init(&rdata);
CHECK(dns_nsec_buildrdata(db, ver, node, target, buffer, &rdata));
- /*
- * Preserve the status of the OPT bit in the origin's NSEC record.
- */
- if (dns_name_equal(dns_db_origin(db), name) &&
- has_opt_bit(db, ver, node))
- {
- isc_region_t region;
- dns_name_t next;
-
- dns_name_init(&next, NULL);
- dns_rdata_toregion(&rdata, &region);
- dns_name_fromregion(&next, &region);
- isc_region_consume(&region, next.length);
- INSIST(region.length > (2 + dns_rdatatype_opt / 8) &&
- region.base[0] == 0 &&
- region.base[1] > dns_rdatatype_opt / 8);
- set_bit(region.base + 2, dns_rdatatype_opt);
- }
dns_db_detachnode(db, &node);
/*
@@ -1854,44 +1853,6 @@ find_zone_keys(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
return (result);
}
-static isc_boolean_t
-ksk_sanity(dns_db_t *db, dns_dbversion_t *ver) {
- isc_boolean_t ret = ISC_FALSE;
- isc_boolean_t have_ksk = ISC_FALSE, have_nonksk = ISC_FALSE;
- isc_result_t result;
- dns_dbnode_t *node = NULL;
- dns_rdataset_t rdataset;
- dns_rdata_t rdata = DNS_RDATA_INIT;
- dns_rdata_dnskey_t dnskey;
-
- dns_rdataset_init(&rdataset);
- CHECK(dns_db_findnode(db, dns_db_origin(db), ISC_FALSE, &node));
- CHECK(dns_db_findrdataset(db, node, ver, dns_rdatatype_dnskey, 0, 0,
- &rdataset, NULL));
- CHECK(dns_rdataset_first(&rdataset));
- while (result == ISC_R_SUCCESS && (!have_ksk || !have_nonksk)) {
- dns_rdataset_current(&rdataset, &rdata);
- CHECK(dns_rdata_tostruct(&rdata, &dnskey, NULL));
- if ((dnskey.flags & (DNS_KEYFLAG_OWNERMASK|DNS_KEYTYPE_NOAUTH))
- == DNS_KEYOWNER_ZONE) {
- if ((dnskey.flags & DNS_KEYFLAG_KSK) != 0)
- have_ksk = ISC_TRUE;
- else
- have_nonksk = ISC_TRUE;
- }
- dns_rdata_reset(&rdata);
- result = dns_rdataset_next(&rdataset);
- }
- if (have_ksk && have_nonksk)
- ret = ISC_TRUE;
- failure:
- if (dns_rdataset_isassociated(&rdataset))
- dns_rdataset_disassociate(&rdataset);
- if (node != NULL)
- dns_db_detachnode(db, &node);
- return (ret);
-}
-
/*%
* Add RRSIG records for an RRset, recording the change in "diff".
*/
@@ -1900,7 +1861,7 @@ add_sigs(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
dns_dbversion_t *ver, dns_name_t *name, dns_rdatatype_t type,
dns_diff_t *diff, dst_key_t **keys, unsigned int nkeys,
isc_stdtime_t inception, isc_stdtime_t expire,
- isc_boolean_t check_ksk)
+ isc_boolean_t check_ksk, isc_boolean_t keyset_kskonly)
{
isc_result_t result;
dns_dbnode_t *node = NULL;
@@ -1908,7 +1869,7 @@ add_sigs(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
dns_rdata_t sig_rdata = DNS_RDATA_INIT;
isc_buffer_t buffer;
unsigned char data[1024]; /* XXX */
- unsigned int i;
+ unsigned int i, j;
isc_boolean_t added_sig = ISC_FALSE;
isc_mem_t *mctx = client->mctx;
@@ -1924,13 +1885,52 @@ add_sigs(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
(isc_stdtime_t) 0, &rdataset, NULL));
dns_db_detachnode(db, &node);
+#define REVOKE(x) ((dst_key_flags(x) & DNS_KEYFLAG_REVOKE) != 0)
+#define KSK(x) ((dst_key_flags(x) & DNS_KEYFLAG_KSK) != 0)
+#define ALG(x) dst_key_alg(x)
+
+ /*
+ * If we are honoring KSK flags then we need to check that we
+ * have both KSK and non-KSK keys that are not revoked per
+ * algorithm.
+ */
for (i = 0; i < nkeys; i++) {
+ isc_boolean_t both = ISC_FALSE;
- if (check_ksk && type != dns_rdatatype_dnskey &&
- (dst_key_flags(keys[i]) & DNS_KEYFLAG_KSK) != 0)
+ if (!dst_key_isprivate(keys[i]))
continue;
- if (!dst_key_isprivate(keys[i]))
+ if (check_ksk && !REVOKE(keys[i])) {
+ isc_boolean_t have_ksk, have_nonksk;
+ if (KSK(keys[i])) {
+ have_ksk = ISC_TRUE;
+ have_nonksk = ISC_FALSE;
+ } else {
+ have_ksk = ISC_FALSE;
+ have_nonksk = ISC_TRUE;
+ }
+ for (j = 0; j < nkeys; j++) {
+ if (j == i || ALG(keys[i]) != ALG(keys[j]))
+ continue;
+ if (REVOKE(keys[j]))
+ continue;
+ if (KSK(keys[j]))
+ have_ksk = ISC_TRUE;
+ else
+ have_nonksk = ISC_TRUE;
+ both = have_ksk && have_nonksk;
+ if (both)
+ break;
+ }
+ }
+
+ if (both) {
+ if (type == dns_rdatatype_dnskey) {
+ if (!KSK(keys[i]) && keyset_kskonly)
+ continue;
+ } else if (KSK(keys[i]))
+ continue;
+ } else if (REVOKE(keys[i]) && type != dns_rdatatype_dnskey)
continue;
/* Calculate the signature, creating a RRSIG RDATA. */
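Review bot: The skip logic at the end of the loop body in add_sigs has an undocumented fallback: when `both` stays false (check_ksk is off, or the key's algorithm has no unrevoked KSK plus non-KSK pair), every unrevoked private key, KSK-flagged ones included, signs every RRset. That changes which keys sign ordinary zone data, and nothing in the hunk says so. I would put a comment above `if (both) {`, for example `/* No KSK/ZSK split for this algorithm: sign with every unrevoked key; revoked keys sign only DNSKEY. */`. The REVOKE/KSK/ALG macros are defined inside the function body and no `#undef` is visible in this hunk; the function continues outside it, so that may already be handled further down.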
@@ -1948,7 +1948,7 @@ add_sigs(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
}
if (!added_sig) {
update_log(client, zone, ISC_LOG_ERROR,
- "found no private keys, "
+ "found no active private keys, "
"unable to generate any signatures");
result = ISC_R_NOTFOUND;
}
@@ -2042,7 +2042,7 @@ add_exposed_sigs(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
dns_dbversion_t *ver, dns_name_t *name, isc_boolean_t cut,
dns_diff_t *diff, dst_key_t **keys, unsigned int nkeys,
isc_stdtime_t inception, isc_stdtime_t expire,
- isc_boolean_t check_ksk)
+ isc_boolean_t check_ksk, isc_boolean_t keyset_kskonly)
{
isc_result_t result;
dns_dbnode_t *node;
@@ -2088,7 +2088,8 @@ add_exposed_sigs(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
if (flag)
continue;;
result = add_sigs(client, zone, db, ver, name, type, diff,
- keys, nkeys, inception, expire, check_ksk);
+ keys, nkeys, inception, expire,
+ check_ksk, keyset_kskonly);
if (result != ISC_R_SUCCESS)
goto cleanup_iterator;
}
@@ -2118,8 +2119,7 @@ add_exposed_sigs(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
static isc_result_t
update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
dns_dbversion_t *oldver, dns_dbversion_t *newver,
- dns_diff_t *diff, isc_uint32_t sigvalidityinterval,
- isc_boolean_t *deleted_zsk)
+ dns_diff_t *diff, isc_uint32_t sigvalidityinterval)
{
isc_result_t result;
dns_difftuple_t *t;
@@ -2128,7 +2128,7 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
dns_diff_t sig_diff;
dns_diff_t nsec_diff;
dns_diff_t nsec_mindiff;
- isc_boolean_t flag;
+ isc_boolean_t flag, build_nsec, build_nsec3;
dst_key_t *zone_keys[DNS_MAXZONEKEYS];
unsigned int nkeys = 0;
unsigned int i;
@@ -2138,9 +2138,10 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
dns_rdata_t rdata = DNS_RDATA_INIT;
dns_rdataset_t rdataset;
dns_dbnode_t *node = NULL;
- isc_boolean_t check_ksk;
+ isc_boolean_t check_ksk, keyset_kskonly;
isc_boolean_t unsecure;
isc_boolean_t cut;
+ dns_rdatatype_t privatetype = dns_zone_getprivatetype(zone);
dns_diff_init(client->mctx, &diffnames);
dns_diff_init(client->mctx, &affected);
@@ -2170,27 +2171,8 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
*/
check_ksk = ISC_TF((dns_zone_getoptions(zone) &
DNS_ZONEOPT_UPDATECHECKKSK) != 0);
- /*
- * If we are not checking the ZSK flag then all DNSKEY's are
- * already signing all RRsets so we don't need to trigger special
- * changes.
- */
- if (*deleted_zsk && (!check_ksk || !ksk_sanity(db, oldver)))
- *deleted_zsk = ISC_FALSE;
-
- if (check_ksk) {
- check_ksk = ksk_sanity(db, newver);
- if (!check_ksk && ksk_sanity(db, oldver))
- update_log(client, zone, ISC_LOG_WARNING,
- "disabling update-check-ksk");
- }
-
- /*
- * If we have deleted a ZSK and we we still have some ZSK's
- * we don't need to convert the KSK's to a ZSK's.
- */
- if (*deleted_zsk && check_ksk)
- *deleted_zsk = ISC_FALSE;
+ keyset_kskonly = ISC_TF((dns_zone_getoptions(zone) &
+ DNS_ZONEOPT_DNSKEYKSKONLY) != 0);
/*
* Get the NSEC/NSEC3 TTL from the SOA MINIMUM field.
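Review bot: With the ksk_sanity() block removed from update_signatures, the `disabling update-check-ksk` warning is gone too, and the hunk adds no replacement. The per-algorithm check that takes its place in add_sigs falls back without logging, so an operator no longer gets a log line when KSK-flagged keys start signing ordinary data because an algorithm has no usable non-KSK key. Consider emitting one warning per update when that fallback is taken. The rest of the function is outside this hunk, so a message may exist elsewhere.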
@@ -2257,7 +2239,7 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
CHECK(add_sigs(client, zone, db, newver, name,
type, &sig_diff, zone_keys,
nkeys, inception, expire,
- check_ksk));
+ check_ksk, keyset_kskonly));
}
skip:
/* Skip any other updates to the same RRset. */
@@ -2287,12 +2269,11 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
"removed any orphaned NSEC records");
/*
- * If we don't have a NSEC record at the origin then we need to
- * update the NSEC3 records.
+ * See if we need to build NSEC or NSEC3 chains.
*/
- CHECK(rrset_exists(db, newver, dns_db_origin(db), dns_rdatatype_nsec,
- 0, &flag));
- if (!flag)
+ CHECK(dns_private_chains(db, newver, privatetype, &build_nsec,
+ &build_nsec3));
+ if (!build_nsec)
goto update_nsec3;
update_log(client, zone, ISC_LOG_DEBUG(3), "rebuilding NSEC chain");
@@ -2396,16 +2377,25 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
dns_rdatatype_any, 0, NULL, diff));
} else {
/*
- * This name is not obscured. It should have a NSEC.
+ * This name is not obscured. It needs to have a
+ * NSEC unless it is the at the origin, in which
+ * case it should already exist if there is a complete
+ * NSEC chain and if there isn't a complete NSEC chain
+ * we don't want to add one as that would signal that
+ * there is a complete NSEC chain.
*/
- CHECK(rrset_exists(db, newver, name,
- dns_rdatatype_nsec, 0, &flag));
- if (! flag)
- CHECK(add_placeholder_nsec(db, newver, name,
- diff));
+ if (!dns_name_equal(name, dns_db_origin(db))) {
+ CHECK(rrset_exists(db, newver, name,
+ dns_rdatatype_nsec, 0,
+ &flag));
+ if (!flag)
+ CHECK(add_placeholder_nsec(db, newver,
+ name, diff));
+ }
CHECK(add_exposed_sigs(client, zone, db, newver, name,
cut, &sig_diff, zone_keys, nkeys,
- inception, expire, check_ksk));
+ inception, expire, check_ksk,
+ keyset_kskonly));
}
}
@@ -2467,7 +2457,7 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
CHECK(add_sigs(client, zone, db, newver, &t->name,
dns_rdatatype_nsec, &sig_diff,
zone_keys, nkeys, inception, expire,
- check_ksk));
+ check_ksk, keyset_kskonly));
} else {
INSIST(0);
}
@@ -2489,13 +2479,7 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
INSIST(ISC_LIST_EMPTY(nsec_diff.tuples));
INSIST(ISC_LIST_EMPTY(nsec_mindiff.tuples));
- /*
- * Check if we have any active NSEC3 chains by looking for a
- * NSEC3PARAM RRset.
- */
- CHECK(rrset_exists(db, newver, dns_db_origin(db),
- dns_rdatatype_nsec3param, 0, &flag));
- if (!flag) {
+ if (!build_nsec3) {
update_log(client, zone, ISC_LOG_DEBUG(3),
"no NSEC3 chains to rebuild");
goto failure;
@@ -2519,6 +2503,7 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
isc_boolean_t ns_existed, dname_existed;
isc_boolean_t ns_exists, dname_exists;
+ isc_boolean_t exists, existed;
if (t->rdata.type == dns_rdatatype_nsec ||
t->rdata.type == dns_rdatatype_rrsig) {
@@ -2537,7 +2522,9 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
CHECK(rrset_exists(db, newver, name, dns_rdatatype_dname, 0,
&dname_exists));
- if ((ns_exists || dname_exists) == (ns_existed || dname_existed))
+ exists = ns_exists || dname_exists;
+ existed = ns_existed || dname_existed;
+ if (exists == existed)
goto nextname;
/*
* There was a delegation change. Mark all subdomains
@@ -2561,14 +2548,16 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
if (!flag) {
CHECK(delete_if(rrsig_p, db, newver, name,
dns_rdatatype_any, 0, NULL, diff));
- CHECK(dns_nsec3_delnsec3s(db, newver, name,
- &nsec_diff));
+ CHECK(dns_nsec3_delnsec3sx(db, newver, name,
+ privatetype, &nsec_diff));
} else {
CHECK(add_exposed_sigs(client, zone, db, newver, name,
cut, &sig_diff, zone_keys, nkeys,
- inception, expire, check_ksk));
- CHECK(dns_nsec3_addnsec3s(db, newver, name, nsecttl,
- unsecure, &nsec_diff));
+ inception, expire, check_ksk,
+ keyset_kskonly));
+ CHECK(dns_nsec3_addnsec3sx(db, newver, name, nsecttl,
+ unsecure, privatetype,
+ &nsec_diff));
}
}
@@ -2599,7 +2588,8 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
CHECK(add_sigs(client, zone, db, newver, &t->name,
dns_rdatatype_nsec3,
&sig_diff, zone_keys, nkeys,
- inception, expire, check_ksk));
+ inception, expire, check_ksk,
+ keyset_kskonly));
} else {
INSIST(0);
}
@@ -2732,6 +2722,7 @@ ns_update_start(ns_client_t *client, isc_result_t sigresult) {
switch(dns_zone_gettype(zone)) {
case dns_zone_master:
+ case dns_zone_dlz:
/*
* We can now fail due to a bad signature as we now know
* that we are the master.
@@ -2941,7 +2932,7 @@ rr_exists(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
result = dns_rdataset_next(&rdataset)) {
dns_rdata_t myrdata = DNS_RDATA_INIT;
dns_rdataset_current(&rdataset, &myrdata);
- if (!dns_rdata_compare(&myrdata, rdata))
+ if (!dns_rdata_casecompare(&myrdata, rdata))
break;
}
dns_rdataset_disassociate(&rdataset);
@@ -2959,7 +2950,9 @@ rr_exists(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
}
static isc_result_t
-get_iterations(dns_db_t *db, dns_dbversion_t *ver, unsigned int *iterationsp) {
+get_iterations(dns_db_t *db, dns_dbversion_t *ver, dns_rdatatype_t privatetype,
+ unsigned int *iterationsp)
+{
dns_dbnode_t *node = NULL;
dns_rdata_nsec3param_t nsec3param;
dns_rdataset_t rdataset;
@@ -2973,7 +2966,33 @@ get_iterations(dns_db_t *db, dns_dbversion_t *ver, unsigned int *iterationsp) {
return (result);
result = dns_db_findrdataset(db, node, ver, dns_rdatatype_nsec3param,
0, (isc_stdtime_t) 0, &rdataset, NULL);
- dns_db_detachnode(db, &node);
+ if (result == ISC_R_NOTFOUND)
+ goto try_private;
+ if (result != ISC_R_SUCCESS)
+ goto failure;
+
+ for (result = dns_rdataset_first(&rdataset);
+ result == ISC_R_SUCCESS;
+ result = dns_rdataset_next(&rdataset)) {
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ dns_rdataset_current(&rdataset, &rdata);
+ CHECK(dns_rdata_tostruct(&rdata, &nsec3param, NULL));
+ if ((nsec3param.flags & DNS_NSEC3FLAG_REMOVE) != 0)
+ continue;
+ if (nsec3param.iterations > iterations)
+ iterations = nsec3param.iterations;
+ }
+ if (result != ISC_R_NOMORE)
+ goto failure;
+
+ dns_rdataset_disassociate(&rdataset);
+
+ try_private:
+ if (privatetype == 0)
+ goto success;
+
+ result = dns_db_findrdataset(db, node, ver, privatetype,
+ 0, (isc_stdtime_t) 0, &rdataset, NULL);
if (result == ISC_R_NOTFOUND)
goto success;
if (result != ISC_R_SUCCESS)
@@ -2982,8 +3001,14 @@ get_iterations(dns_db_t *db, dns_dbversion_t *ver, unsigned int *iterationsp) {
for (result = dns_rdataset_first(&rdataset);
result == ISC_R_SUCCESS;
result = dns_rdataset_next(&rdataset)) {
+ unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];
+ dns_rdata_t private = DNS_RDATA_INIT;
dns_rdata_t rdata = DNS_RDATA_INIT;
+
dns_rdataset_current(&rdataset, &rdata);
+ if (!dns_nsec3param_fromprivate(&private, &rdata,
+ buf, sizeof(buf)))
+ continue;
CHECK(dns_rdata_tostruct(&rdata, &nsec3param, NULL));
if ((nsec3param.flags & DNS_NSEC3FLAG_REMOVE) != 0)
continue;
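Review bot: In the private-type loop of get_iterations the record is loaded into `rdata`, but `private`, the first argument of dns_nsec3param_fromprivate(), is never filled. Going by the argument order of the dns_nsec3param_toprivate() calls later in this file (source first, target second), the helper presumably expects the private record in `private` and writes the converted NSEC3PARAM into `rdata`; its prototype is not visible here, so confirm against the header. If that is right, the load should read `dns_rdataset_current(&rdataset, &private);`. As written the conversion would run on an empty record, and iteration counts held only in private-type records may not reach the maximum that check_dnssec compares with the limit. The loop body continues outside the hunk.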
@@ -2998,6 +3023,8 @@ get_iterations(dns_db_t *db, dns_dbversion_t *ver, unsigned int *iterationsp) {
result = ISC_R_SUCCESS;
failure:
+ if (node != NULL)
+ dns_db_detachnode(db, &node);
if (dns_rdataset_isassociated(&rdataset))
dns_rdataset_disassociate(&rdataset);
return (result);
@@ -3011,77 +3038,83 @@ static isc_result_t
check_dnssec(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
dns_dbversion_t *ver, dns_diff_t *diff)
{
- dns_diff_t temp_diff;
- dns_diffop_t op;
- dns_difftuple_t *tuple, *newtuple = NULL, *next;
- isc_boolean_t flag;
+ dns_difftuple_t *tuple;
+ isc_boolean_t nseconly = ISC_FALSE, nsec3 = ISC_FALSE;
isc_result_t result;
unsigned int iterations = 0, max;
+ dns_rdatatype_t privatetype = dns_zone_getprivatetype(zone);
- dns_diff_init(diff->mctx, &temp_diff);
-
- CHECK(dns_nsec_nseconly(db, ver, &flag));
+ /* Scan the tuples for an NSEC-only DNSKEY or an NSEC3PARAM */
+ for (tuple = ISC_LIST_HEAD(diff->tuples);
+ tuple != NULL;
+ tuple = ISC_LIST_NEXT(tuple, link)) {
+ if (tuple->op != DNS_DIFFOP_ADD)
+ continue;
- if (flag)
- CHECK(dns_nsec3_active(db, ver, ISC_FALSE, &flag));
- if (flag) {
- update_log(client, zone, ISC_LOG_WARNING,
- "NSEC only DNSKEYs and NSEC3 chains not allowed");
- } else {
- CHECK(get_iterations(db, ver, &iterations));
- CHECK(dns_nsec3_maxiterations(db, ver, client->mctx, &max));
- if (max != 0 && iterations > max) {
- flag = ISC_TRUE;
- update_log(client, zone, ISC_LOG_WARNING,
- "too many NSEC3 iterations (%u) for "
- "weakest DNSKEY (%u)", iterations, max);
+ if (tuple->rdata.type == dns_rdatatype_dnskey) {
+ isc_uint8_t alg;
+ alg = tuple->rdata.data[3];
+ if (alg == DST_ALG_RSAMD5 || alg == DST_ALG_RSASHA1 ||
+ alg == DST_ALG_DSA || alg == DST_ALG_ECC) {
+ nseconly = ISC_TRUE;
+ break;
+ }
+ } else if (tuple->rdata.type == dns_rdatatype_nsec3param) {
+ nsec3 = ISC_TRUE;
+ break;
}
}
- if (flag) {
- for (tuple = ISC_LIST_HEAD(diff->tuples);
- tuple != NULL;
- tuple = next) {
- next = ISC_LIST_NEXT(tuple, link);
- if (tuple->rdata.type != dns_rdatatype_dnskey &&
- tuple->rdata.type != dns_rdatatype_nsec3param)
- continue;
- op = (tuple->op == DNS_DIFFOP_DEL) ?
- DNS_DIFFOP_ADD : DNS_DIFFOP_DEL;
- CHECK(dns_difftuple_create(temp_diff.mctx, op,
- &tuple->name, tuple->ttl,
- &tuple->rdata, &newtuple));
- CHECK(do_one_tuple(&newtuple, db, ver, &temp_diff));
- INSIST(newtuple == NULL);
- }
- for (tuple = ISC_LIST_HEAD(temp_diff.tuples);
- tuple != NULL;
- tuple = ISC_LIST_HEAD(temp_diff.tuples)) {
- ISC_LIST_UNLINK(temp_diff.tuples, tuple, link);
- dns_diff_appendminimal(diff, &tuple);
- }
+
+ /* Check existing DB for NSEC-only DNSKEY */
+ if (!nseconly)
+ CHECK(dns_nsec_nseconly(db, ver, &nseconly));
+
+ /* Check existing DB for NSEC3 */
+ if (!nsec3)
+ CHECK(dns_nsec3_activex(db, ver, ISC_FALSE,
+ privatetype, &nsec3));
+
+ /* Refuse to allow NSEC3 with NSEC-only keys */
+ if (nseconly && nsec3) {
+ update_log(client, zone, ISC_LOG_ERROR,
+ "NSEC only DNSKEYs and NSEC3 chains not allowed");
+ result = DNS_R_REFUSED;
+ goto failure;
}
+ /* Verify NSEC3 params */
+ CHECK(get_iterations(db, ver, privatetype, &iterations));
+ CHECK(dns_nsec3_maxiterations(db, ver, client->mctx, &max));
+ if (max != 0 && iterations > max) {
+ update_log(client, zone, ISC_LOG_ERROR,
+ "too many NSEC3 iterations (%u) for "
+ "weakest DNSKEY (%u)", iterations, max);
+ result = DNS_R_REFUSED;
+ goto failure;
+ }
failure:
- dns_diff_clear(&temp_diff);
return (result);
}
-#ifdef ALLOW_NSEC3PARAM_UPDATE
/*
* Delay NSEC3PARAM changes as they need to be applied to the whole zone.
*/
static isc_result_t
add_nsec3param_records(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
- dns_name_t *name, dns_dbversion_t *ver, dns_diff_t *diff)
+ dns_dbversion_t *ver, dns_diff_t *diff)
{
isc_result_t result = ISC_R_SUCCESS;
dns_difftuple_t *tuple, *newtuple = NULL, *next;
dns_rdata_t rdata = DNS_RDATA_INIT;
- unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];
+ unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE + 1];
dns_diff_t temp_diff;
dns_diffop_t op;
isc_boolean_t flag;
+ dns_name_t *name = dns_zone_getorigin(zone);
+ dns_rdatatype_t privatetype = dns_zone_getprivatetype(zone);
+ isc_uint32_t ttl = 0;
+ isc_boolean_t ttl_good = ISC_FALSE;
update_log(client, zone, ISC_LOG_DEBUG(3),
"checking for NSEC3PARAM changes");
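Review bot: `alg = tuple->rdata.data[3];` in check_dnssec indexes the DNSKEY rdata without looking at `tuple->rdata.length`. The tuples originate from an UPDATE message, so this relies on the wire parser having already rejected a DNSKEY shorter than four octets; that code is not visible here. The same assumption is made for NSEC3PARAM in the later add_nsec3param_records hunk (`tuple->rdata.data[1]`, and `tuple->rdata.length - 4` as a memcmp size, which wraps if the length is below four). Stating it in the code costs one line each, e.g. `INSIST(tuple->rdata.length >= 4);` before the read. add_nsec3param_records begins in this hunk and continues past it.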
@@ -3092,7 +3125,8 @@ add_nsec3param_records(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
* Extract NSEC3PARAM tuples from list.
*/
for (tuple = ISC_LIST_HEAD(diff->tuples);
- tuple != NULL; tuple = next) {
+ tuple != NULL;
+ tuple = next) {
next = ISC_LIST_NEXT(tuple, link);
@@ -3103,55 +3137,143 @@ add_nsec3param_records(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
ISC_LIST_APPEND(temp_diff.tuples, tuple, link);
}
+ /*
+ * Extract TTL changes pairs, we don't need to convert these to
+ * delayed changes.
+ */
for (tuple = ISC_LIST_HEAD(temp_diff.tuples);
tuple != NULL; tuple = next) {
-
if (tuple->op == DNS_DIFFOP_ADD) {
+ if (!ttl_good) {
+ /*
+ * Any adds here will contain the final
+ * NSEC3PARAM RRset TTL.
+ */
+ ttl = tuple->ttl;
+ ttl_good = ISC_TRUE;
+ }
+ /*
+ * Walk the temp_diff list looking for the
+ * corresponding delete.
+ */
+ next = ISC_LIST_HEAD(temp_diff.tuples);
+ while (next != NULL) {
+ unsigned char *next_data = next->rdata.data;
+ unsigned char *tuple_data = tuple->rdata.data;
+ if (next->op == DNS_DIFFOP_DEL &&
+ next->rdata.length == tuple->rdata.length &&
+ !memcmp(next_data, tuple_data,
+ next->rdata.length)) {
+ ISC_LIST_UNLINK(temp_diff.tuples, next,
+ link);
+ ISC_LIST_APPEND(diff->tuples, next,
+ link);
+ break;
+ }
+ next = ISC_LIST_NEXT(next, link);
+ }
+ /*
+ * If we have not found a pair move onto the next
+ * tuple.
+ */
+ if (next == NULL) {
+ next = ISC_LIST_NEXT(tuple, link);
+ continue;
+ }
+ /*
+ * Find the next tuple to be processed before
+ * unlinking then complete moving the pair to 'diff'.
+ */
next = ISC_LIST_NEXT(tuple, link);
+ ISC_LIST_UNLINK(temp_diff.tuples, tuple, link);
+ ISC_LIST_APPEND(diff->tuples, tuple, link);
+ } else
+ next = ISC_LIST_NEXT(tuple, link);
+ }
+
+ /*
+ * Preserve any ongoing changes from a BIND 9.6.x upgrade.
+ *
+ * Any NSEC3PARAM records with flags other than OPTOUT named
+ * in managing and should not be touched so revert such changes
+ * taking into account any TTL change of the NSEC3PARAM RRset.
+ */
+ for (tuple = ISC_LIST_HEAD(temp_diff.tuples);
+ tuple != NULL; tuple = next) {
+ next = ISC_LIST_NEXT(tuple, link);
+ if ((tuple->rdata.data[1] & ~DNS_NSEC3FLAG_OPTOUT) != 0) {
+ /*
+ * If we havn't had any adds then the tuple->ttl must
+ * be the original ttl and should be used for any
+ * future changes.
+ */
+ if (!ttl_good) {
+ ttl = tuple->ttl;
+ ttl_good = ISC_TRUE;
+ }
+ op = (tuple->op == DNS_DIFFOP_DEL) ?
+ DNS_DIFFOP_ADD : DNS_DIFFOP_DEL;
+ CHECK(dns_difftuple_create(diff->mctx, op, name,
+ ttl, &tuple->rdata,
+ &newtuple));
+ CHECK(do_one_tuple(&newtuple, db, ver, diff));
+ ISC_LIST_UNLINK(temp_diff.tuples, tuple, link);
+ dns_diff_appendminimal(diff, &tuple);
+ }
+ }
+
+ /*
+ * We now have just the actual changes to the NSEC3PARAM RRset.
+ * Convert the adds to delayed adds and the deletions into delayed
+ * deletions.
+ */
+ for (tuple = ISC_LIST_HEAD(temp_diff.tuples);
+ tuple != NULL; tuple = next) {
+ /*
+ * If we havn't had any adds then the tuple->ttl must be the
+ * original ttl and should be used for any future changes.
+ */
+ if (!ttl_good) {
+ ttl = tuple->ttl;
+ ttl_good = ISC_TRUE;
+ }
+ if (tuple->op == DNS_DIFFOP_ADD) {
+ /*
+ * Look for any deletes which match this ADD ignoring
+ * OPTOUT. We don't need to explictly remove them as
+ * they will be removed a side effect of processing
+ * the add.
+ */
+ next = ISC_LIST_HEAD(temp_diff.tuples);
while (next != NULL) {
unsigned char *next_data = next->rdata.data;
unsigned char *tuple_data = tuple->rdata.data;
- if (next_data[0] != tuple_data[0] ||
- /* Ignore flags. */
+ if (next->op != DNS_DIFFOP_DEL ||
+ next->rdata.length != tuple->rdata.length ||
+ next_data[0] != tuple_data[0] ||
next_data[2] != tuple_data[2] ||
next_data[3] != tuple_data[3] ||
- next_data[4] != tuple_data[4] ||
- !memcmp(&next_data[5], &tuple_data[5],
- tuple_data[4])) {
+ memcmp(next_data + 4, tuple_data + 4,
+ tuple->rdata.length - 4)) {
next = ISC_LIST_NEXT(next, link);
continue;
}
- op = (next->op == DNS_DIFFOP_DEL) ?
- DNS_DIFFOP_ADD : DNS_DIFFOP_DEL;
- CHECK(dns_difftuple_create(diff->mctx, op,
- name, next->ttl,
- &next->rdata,
- &newtuple));
- CHECK(do_one_tuple(&newtuple, db, ver, diff));
ISC_LIST_UNLINK(temp_diff.tuples, next, link);
- dns_diff_appendminimal(diff, &next);
- next = ISC_LIST_NEXT(tuple, link);
+ ISC_LIST_APPEND(diff->tuples, next, link);
+ next = ISC_LIST_HEAD(temp_diff.tuples);
}
-
- INSIST(tuple->rdata.data[1] & DNS_NSEC3FLAG_UPDATE);
-
/*
* See if we already have a CREATE request in progress.
*/
- dns_rdata_clone(&tuple->rdata, &rdata);
- INSIST(rdata.length <= sizeof(buf));
- memcpy(buf, rdata.data, rdata.length);
- buf[1] |= DNS_NSEC3FLAG_CREATE;
- buf[1] &= ~DNS_NSEC3FLAG_UPDATE;
- rdata.data = buf;
-
+ dns_nsec3param_toprivate(&tuple->rdata, &rdata,
+ privatetype, buf, sizeof(buf));
+ buf[2] |= DNS_NSEC3FLAG_CREATE;
CHECK(rr_exists(db, ver, name, &rdata, &flag));
if (!flag) {
CHECK(dns_difftuple_create(diff->mctx,
DNS_DIFFOP_ADD,
- name, tuple->ttl,
- &rdata,
+ name, 0, &rdata,
&newtuple));
CHECK(do_one_tuple(&newtuple, db, ver, diff));
}
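Review bot: The flag byte moves from `buf[1]` to `buf[2]` in this hunk (`buf[2] |= DNS_NSEC3FLAG_CREATE;`) with no comment explaining why. Presumably dns_nsec3param_toprivate() prepends one octet to the NSEC3PARAM rdata, which would also explain the `+ 1` on the buffer declaration, but that layout is not visible in this file. A short comment at the first use, such as `/* private layout: one leading octet, then the NSEC3PARAM rdata, so flags are at buf[2] */`, would keep a later editor from changing the index back; the same applies to the `buf[2]` uses in the two hunks that follow. The explicit `INSIST(rdata.length <= sizeof(buf))` was dropped as well, so the bounds check now depends on the helper honouring the `sizeof(buf)` it is passed.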
@@ -3161,26 +3283,26 @@ add_nsec3param_records(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
* otherwise indentical chain with a reversed
* OPTOUT state.
*/
- buf[1] ^= DNS_NSEC3FLAG_OPTOUT;
+ buf[2] ^= DNS_NSEC3FLAG_OPTOUT;
CHECK(rr_exists(db, ver, name, &rdata, &flag));
if (flag) {
CHECK(dns_difftuple_create(diff->mctx,
DNS_DIFFOP_DEL,
- name, tuple->ttl,
- &rdata,
+ name, 0, &rdata,
&newtuple));
CHECK(do_one_tuple(&newtuple, db, ver, diff));
}
/*
- * Remove the temporary add record.
+ * Find the next tuple to be processed and remove the
+ * temporary add record.
*/
+ next = ISC_LIST_NEXT(tuple, link);
CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_DEL,
- name, tuple->ttl,
- &tuple->rdata, &newtuple));
+ name, ttl, &tuple->rdata,
+ &newtuple));
CHECK(do_one_tuple(&newtuple, db, ver, diff));
- next = ISC_LIST_NEXT(tuple, link);
ISC_LIST_UNLINK(temp_diff.tuples, tuple, link);
dns_diff_appendminimal(diff, &tuple);
dns_rdata_reset(&rdata);
@@ -3188,50 +3310,33 @@ add_nsec3param_records(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
next = ISC_LIST_NEXT(tuple, link);
}
- /*
- * Reverse any pending changes.
- */
for (tuple = ISC_LIST_HEAD(temp_diff.tuples);
tuple != NULL; tuple = next) {
- next = ISC_LIST_NEXT(tuple, link);
- if ((tuple->rdata.data[1] & ~DNS_NSEC3FLAG_OPTOUT) != 0) {
- op = (tuple->op == DNS_DIFFOP_DEL) ?
- DNS_DIFFOP_ADD : DNS_DIFFOP_DEL;
- CHECK(dns_difftuple_create(diff->mctx, op, name,
- tuple->ttl, &tuple->rdata,
- &newtuple));
- CHECK(do_one_tuple(&newtuple, db, ver, diff));
- ISC_LIST_UNLINK(temp_diff.tuples, tuple, link);
- dns_diff_appendminimal(diff, &tuple);
- }
- }
- /*
- * Convert deletions into delayed deletions.
- */
- for (tuple = ISC_LIST_HEAD(temp_diff.tuples);
- tuple != NULL; tuple = next) {
+ INSIST(ttl_good);
+
next = ISC_LIST_NEXT(tuple, link);
/*
* See if we already have a REMOVE request in progress.
*/
- dns_rdata_clone(&tuple->rdata, &rdata);
- INSIST(rdata.length <= sizeof(buf));
- memcpy(buf, rdata.data, rdata.length);
- buf[1] |= DNS_NSEC3FLAG_REMOVE;
- rdata.data = buf;
+ dns_nsec3param_toprivate(&tuple->rdata, &rdata, privatetype,
+ buf, sizeof(buf));
+
+ buf[2] |= DNS_NSEC3FLAG_REMOVE | DNS_NSEC3FLAG_NONSEC;
CHECK(rr_exists(db, ver, name, &rdata, &flag));
+ if (!flag) {
+ buf[2] &= ~DNS_NSEC3FLAG_NONSEC;
+ CHECK(rr_exists(db, ver, name, &rdata, &flag));
+ }
if (!flag) {
CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD,
- name, tuple->ttl, &rdata,
- &newtuple));
+ name, 0, &rdata, &newtuple));
CHECK(do_one_tuple(&newtuple, db, ver, diff));
}
CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD, name,
- tuple->ttl, &tuple->rdata,
- &newtuple));
+ ttl, &tuple->rdata, &newtuple));
CHECK(do_one_tuple(&newtuple, db, ver, diff));
ISC_LIST_UNLINK(temp_diff.tuples, tuple, link);
dns_diff_appendminimal(diff, &tuple);
@@ -3243,15 +3348,73 @@ add_nsec3param_records(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
dns_diff_clear(&temp_diff);
return (result);
}
-#endif
+
+static isc_result_t
+rollback_private(dns_db_t *db, dns_rdatatype_t privatetype,
+ dns_dbversion_t *ver, dns_diff_t *diff)
+{
+ dns_diff_t temp_diff;
+ dns_diffop_t op;
+ dns_difftuple_t *tuple, *newtuple = NULL, *next;
+ dns_name_t *name = dns_db_origin(db);
+ isc_mem_t *mctx = diff->mctx;
+ isc_result_t result;
+
+ if (privatetype == 0)
+ return (ISC_R_SUCCESS);
+
+ dns_diff_init(mctx, &temp_diff);
+
+ /*
+ * Extract the changes to be rolled back.
+ */
+ for (tuple = ISC_LIST_HEAD(diff->tuples);
+ tuple != NULL; tuple = next) {
+
+ next = ISC_LIST_NEXT(tuple, link);
+
+ if (tuple->rdata.type != privatetype ||
+ !dns_name_equal(name, &tuple->name))
+ continue;
+
+ /*
+ * Allow records which indicate that a zone has been
+ * signed with a DNSKEY to be be removed.
+ */
+ if (tuple->op == DNS_DIFFOP_DEL &&
+ tuple->rdata.length == 5 &&
+ tuple->rdata.data[0] != 0 &&
+ tuple->rdata.data[4] != 0)
+ continue;
+
+ ISC_LIST_UNLINK(diff->tuples, tuple, link);
+ ISC_LIST_PREPEND(temp_diff.tuples, tuple, link);
+ }
+
+ /*
+ * Rollback the changes.
+ */
+ while ((tuple = ISC_LIST_HEAD(temp_diff.tuples)) != NULL) {
+ op = (tuple->op == DNS_DIFFOP_DEL) ?
+ DNS_DIFFOP_ADD : DNS_DIFFOP_DEL;
+ CHECK(dns_difftuple_create(mctx, op, name, tuple->ttl,
+ &tuple->rdata, &newtuple));
+ CHECK(do_one_tuple(&newtuple, db, ver, &temp_diff));
+ }
+ result = ISC_R_SUCCESS;
+
+ failure:
+ dns_diff_clear(&temp_diff);
+ return (result);
+}
/*
* Add records to cause the delayed signing of the zone by added DNSKEY
* to remove the RRSIG records generated by a deleted DNSKEY.
*/
static isc_result_t
-add_signing_records(dns_db_t *db, dns_name_t *name, dns_dbversion_t *ver,
- dns_rdatatype_t privatetype, dns_diff_t *diff)
+add_signing_records(dns_db_t *db, dns_rdatatype_t privatetype,
+ dns_dbversion_t *ver, dns_diff_t *diff)
{
dns_difftuple_t *tuple, *newtuple = NULL, *next;
dns_rdata_dnskey_t dnskey;
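Review bot: The rollback loop in rollback_private, `while ((tuple = ISC_LIST_HEAD(temp_diff.tuples)) != NULL)`, never unlinks `tuple` itself, so it terminates only if do_one_tuple() removes the head of temp_diff when the inverse tuple is appended. That is presumably what the minimal-append step inside do_one_tuple() does (it is defined outside this hunk), but the loop reads as infinite without that knowledge. Add a comment above the loop saying that applying the inverse operation cancels and frees the head tuple, so temp_diff is empty on success. The length-5 test in the extraction loop would also benefit from a comment naming what octets 0 and 4 hold.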
@@ -3261,6 +3424,7 @@ add_signing_records(dns_db_t *db, dns_name_t *name, dns_dbversion_t *ver,
isc_result_t result = ISC_R_SUCCESS;
isc_uint16_t keyid;
unsigned char buf[5];
+ dns_name_t *name = dns_db_origin(db);
dns_diff_t temp_diff;
dns_diff_init(diff->mctx, &temp_diff);
@@ -3343,6 +3507,7 @@ add_signing_records(dns_db_t *db, dns_name_t *name, dns_dbversion_t *ver,
continue;
dns_rdata_toregion(&tuple->rdata, &r);
+
keyid = dst_region_computeid(&r, dnskey.algorithm);
buf[0] = dnskey.algorithm;
@@ -3381,83 +3546,19 @@ add_signing_records(dns_db_t *db, dns_name_t *name, dns_dbversion_t *ver,
return (result);
}
-#ifdef ALLOW_NSEC3PARAM_UPDATE
-/*
- * Mark all NSEC3 chains for deletion without creating a NSEC chain as
- * a side effect of deleting the last chain.
- */
-static isc_result_t
-delete_chains(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *origin,
- dns_diff_t *diff)
-{
- dns_dbnode_t *node = NULL;
- dns_difftuple_t *tuple = NULL;
- dns_name_t next;
- dns_rdata_t rdata = DNS_RDATA_INIT;
- dns_rdataset_t rdataset;
- isc_boolean_t flag;
- isc_result_t result = ISC_R_SUCCESS;
- unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];
-
- dns_name_init(&next, NULL);
- dns_rdataset_init(&rdataset);
-
- result = dns_db_getoriginnode(db, &node);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- /*
- * Cause all NSEC3 chains to be deleted.
- */
- result = dns_db_findrdataset(db, node, ver, dns_rdatatype_nsec3param,
- 0, (isc_stdtime_t) 0, &rdataset, NULL);
- if (result == ISC_R_NOTFOUND)
- goto success;
- if (result != ISC_R_SUCCESS)
- goto failure;
-
- for (result = dns_rdataset_first(&rdataset);
- result == ISC_R_SUCCESS;
- result = dns_rdataset_next(&rdataset)) {
- dns_rdataset_current(&rdataset, &rdata);
- INSIST(rdata.length <= sizeof(buf));
- memcpy(buf, rdata.data, rdata.length);
-
- if (buf[1] == (DNS_NSEC3FLAG_REMOVE | DNS_NSEC3FLAG_NONSEC)) {
- dns_rdata_reset(&rdata);
- continue;
- }
-
- CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_DEL,
- origin, 0, &rdata, &tuple));
- CHECK(do_one_tuple(&tuple, db, ver, diff));
- INSIST(tuple == NULL);
-
- buf[1] = DNS_NSEC3FLAG_REMOVE | DNS_NSEC3FLAG_NONSEC;
- rdata.data = buf;
-
- CHECK(rr_exists(db, ver, origin, &rdata, &flag));
+static isc_boolean_t
+isdnssec(dns_db_t *db, dns_dbversion_t *ver, dns_rdatatype_t privatetype) {
+ isc_result_t result;
+ isc_boolean_t build_nsec, build_nsec3;
- if (!flag) {
- CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD,
- origin, 0, &rdata, &tuple));
- CHECK(do_one_tuple(&tuple, db, ver, diff));
- INSIST(tuple == NULL);
- }
- dns_rdata_reset(&rdata);
- }
- if (result != ISC_R_NOMORE)
- goto failure;
- success:
- result = ISC_R_SUCCESS;
+ if (dns_db_issecure(db))
+ return (ISC_TRUE);
- failure:
- if (dns_rdataset_isassociated(&rdataset))
- dns_rdataset_disassociate(&rdataset);
- dns_db_detachnode(db, &node);
- return (result);
+ result = dns_private_chains(db, ver, privatetype,
+ &build_nsec, &build_nsec3);
+ RUNTIME_CHECK(result == ISC_R_SUCCESS);
+ return (build_nsec || build_nsec3);
}
-#endif
static void
update_action(isc_task_t *task, isc_event_t *event) {
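Review bot: isdnssec() turns any failure of dns_private_chains() into a process abort through `RUNTIME_CHECK(result == ISC_R_SUCCESS);`. If isdnssec() is reached while handling a client's UPDATE (its callers are outside this hunk), a transient database or memory error would stop the whole server instead of failing one request. I would have it return `isc_result_t` with the answer in an out-parameter so the caller can wrap it in `CHECK(...)`, as the dns_private_chains() call in update_signatures already does. Which errors the helper can actually return is not visible here.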
@@ -3481,15 +3582,10 @@ update_action(isc_task_t *task, isc_event_t *event) {
dns_fixedname_t tmpnamefixed;
dns_name_t *tmpname = NULL;
unsigned int options;
- isc_boolean_t deleted_zsk;
dns_difftuple_t *tuple;
dns_rdata_dnskey_t dnskey;
-#ifdef ALLOW_NSEC3PARAM_UPDATE
- unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];
-#endif
-#if !defined(ALLOW_SECURE_TO_INSECURE) || !defined(ALLOW_INSECURE_TO_SECURE)
isc_boolean_t had_dnskey;
-#endif
+ dns_rdatatype_t privatetype = dns_zone_getprivatetype(zone);
INSIST(event->ev_type == DNS_EVENT_UPDATE);
@@ -3500,6 +3596,18 @@ update_action(isc_task_t *task, isc_event_t *event) {
zonename = dns_db_origin(db);
zoneclass = dns_db_class(db);
dns_zone_getssutable(zone, &ssutable);
+
+ /*
+ * Update message processing can leak record existance information
+ * so check that we are allowed to query this zone. Additionally
+ * if we would refuse all updates for this zone we bail out here.
+ */
+ CHECK(checkqueryacl(client, dns_zone_getqueryacl(zone), zonename,
+ dns_zone_getupdateacl(zone), ssutable));
+
+ /*
+ * Get old and new versions now that queryacl has been checked.
+ */
dns_db_currentversion(db, &oldver);
CHECK(dns_db_newversion(db, &ver));
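Review bot: The new `CHECK(checkqueryacl(...))` in update_action runs before `dns_db_currentversion()` and `dns_db_newversion()`, so on refusal the jump to the failure label happens with `oldver` and `ver` still unopened. The label and the declarations are outside this hunk; confirm that both pointers start as NULL and that the cleanup closes a version only when its pointer is non-NULL. A line in the new comment, e.g. `* On refusal no database version has been opened yet.`, would record the ordering for later edits.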
@@ -3592,7 +3700,6 @@ update_action(isc_task_t *task, isc_event_t *event) {
if (result != ISC_R_NOMORE)
FAIL(result);
-
/*
* Perform the final check of the "rrset exists (value dependent)"
* prerequisites.
@@ -3685,31 +3792,31 @@ update_action(isc_task_t *task, isc_event_t *event) {
update_class);
FAIL(DNS_R_FORMERR);
}
+
/*
* draft-ietf-dnsind-simple-secure-update-01 says
* "Unlike traditional dynamic update, the client
* is forbidden from updating NSEC records."
*/
- if (dns_db_issecure(db)) {
- if (rdata.type == dns_rdatatype_nsec3) {
- FAILC(DNS_R_REFUSED,
- "explicit NSEC3 updates are not allowed "
- "in secure zones");
- } else if (rdata.type == dns_rdatatype_nsec) {
- FAILC(DNS_R_REFUSED,
- "explicit NSEC updates are not allowed "
- "in secure zones");
- } else if (rdata.type == dns_rdatatype_rrsig &&
- !dns_name_equal(name, zonename)) {
- FAILC(DNS_R_REFUSED,
- "explicit RRSIG updates are currently "
- "not supported in secure zones except "
- "at the apex");
- }
+ if (rdata.type == dns_rdatatype_nsec3) {
+ FAILC(DNS_R_REFUSED,
+ "explicit NSEC3 updates are not allowed "
+ "in secure zones");
+ } else if (rdata.type == dns_rdatatype_nsec) {
+ FAILC(DNS_R_REFUSED,
+ "explicit NSEC updates are not allowed "
+ "in secure zones");
+ } else if (rdata.type == dns_rdatatype_rrsig &&
+ !dns_name_equal(name, zonename)) {
+ FAILC(DNS_R_REFUSED,
+ "explicit RRSIG updates are currently "
+ "not supported in secure zones except "
+ "at the apex");
}
if (ssutable != NULL) {
isc_netaddr_t *tcpaddr, netaddr;
+ dst_key_t *tsigkey = NULL;
/*
* If this is a TCP connection then pass the
* address of the client through for tcp-self
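Review bot: The NSEC, NSEC3 and RRSIG refusals now apply to every zone because the `dns_db_issecure(db)` guard was removed, but the three messages still end with `in secure zones`. An operator who sees `explicit NSEC updates are not allowed in secure zones` logged for an unsigned zone will look for the wrong cause. Drop the qualifier, e.g. `"explicit NSEC updates are not allowed"`, and do the same for the NSEC3 and RRSIG strings.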
@@ -3722,16 +3829,22 @@ update_action(isc_task_t *task, isc_event_t *event) {
tcpaddr = &netaddr;
} else
tcpaddr = NULL;
+
+ if (client->message->tsigkey != NULL)
+ tsigkey = client->message->tsigkey->key;
+
if (rdata.type != dns_rdatatype_any) {
if (!dns_ssutable_checkrules(ssutable,
client->signer,
name, tcpaddr,
- rdata.type))
+ rdata.type,
+ tsigkey))
FAILC(DNS_R_REFUSED,
"rejected by secure update");
} else {
if (!ssu_checkall(db, ver, name, ssutable,
- client->signer, tcpaddr))
+ client->signer, tcpaddr,
+ tsigkey))
FAILC(DNS_R_REFUSED,
"rejected by secure update");
}
@@ -3840,7 +3953,14 @@ update_action(isc_task_t *task, isc_event_t *event) {
soa_serial_changed = ISC_TRUE;
}
-#ifdef ALLOW_NSEC3PARAM_UPDATE
+ if (rdata.type == privatetype) {
+ update_log(client, zone, LOGLEVEL_PROTOCOL,
+ "attempt to add a private type "
+ "(%u) record rejected internal "
+ "use only", privatetype);
+ continue;
+ }
+
if (rdata.type == dns_rdatatype_nsec3param) {
/*
* Ignore attempts to add NSEC3PARAM records
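Review bot: The new private-type branch drops the record with `continue`, so the rest of the update is still applied and the only trace is a LOGLEVEL_PROTOCOL message. A short comment saying this is a deliberate ignore, like the NSEC3PARAM case just below, rather than a refusal would help the next reader. The message text also runs two clauses together; `"(%u) record rejected: internal use only"` reads better. Only the add path is visible in this hunk, so it should be confirmed that the delete branches filter private-type records the same way.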
@@ -3854,27 +3974,7 @@ update_action(isc_task_t *task, isc_event_t *event) {
"flag");
continue;
}
-
- /*
- * Set the NSEC3CHAIN creation flag.
- */
- INSIST(rdata.length <= sizeof(buf));
- memcpy(buf, rdata.data, rdata.length);
- buf[1] |= DNS_NSEC3FLAG_UPDATE;
- rdata.data = buf;
- /*
- * Force the TTL to zero for NSEC3PARAM records.
- */
- ttl = 0;
}
-#else
- if (rdata.type == dns_rdatatype_nsec3param) {
- update_log(client, zone, LOGLEVEL_PROTOCOL,
- "attempt to add NSEC3PARAM "
- "record ignored");
- continue;
- };
-#endif
if ((options & DNS_ZONEOPT_CHECKWILDCARD) != 0 &&
dns_name_internalwildcard(name)) {
@@ -3951,13 +4051,6 @@ update_action(isc_task_t *task, isc_event_t *event) {
dns_rdatatype_any, 0,
&rdata, &diff));
}
-#ifndef ALLOW_NSEC3PARAM_UPDATE
- } else if (rdata.type == dns_rdatatype_nsec3param) {
- update_log(client, zone, LOGLEVEL_PROTOCOL,
- "attempt to delete a NSEC3PARAM "
- "records ignored");
- continue;
-#endif
} else if (dns_name_equal(name, zonename) &&
(rdata.type == dns_rdatatype_soa ||
rdata.type == dns_rdatatype_ns)) {
@@ -3986,6 +4079,9 @@ update_action(isc_task_t *task, isc_event_t *event) {
&diff));
}
} else if (update_class == dns_rdataclass_none) {
+ char namestr[DNS_NAME_FORMATSIZE];
+ char typestr[DNS_RDATATYPE_FORMATSIZE];
+
/*
* The (name == zonename) condition appears in
* RFC2136 3.4.2.4 but is missing from the pseudocode.
@@ -4013,11 +4109,13 @@ update_action(isc_task_t *task, isc_event_t *event) {
}
}
}
- update_log(client, zone,
- LOGLEVEL_PROTOCOL,
- "deleting an RR");
- CHECK(delete_if(rr_equal_p, db, ver, name,
- rdata.type, covers, &rdata, &diff));
+ dns_name_format(name, namestr, sizeof(namestr));
+ dns_rdatatype_format(rdata.type, typestr,
+ sizeof(typestr));
+ update_log(client, zone, LOGLEVEL_PROTOCOL,
+ "deleting an RR at %s %s", namestr, typestr);
+ CHECK(delete_if(rr_equal_p, db, ver, name, rdata.type,
+ covers, &rdata, &diff));
}
}
if (result != ISC_R_NOMORE)
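Review bot: `dns_name_format()` and `dns_rdatatype_format()` now run for every RR that is deleted, before update_log() can decide whether LOGLEVEL_PROTOCOL is enabled at all. On a large update that is wasted work when protocol-level logging is off. Wrapping the two format calls and the log call in `if (isc_log_wouldlog(ns_g_lctx, LOGLEVEL_PROTOCOL))` would avoid it, assuming that log context is the one update_log() uses. The enclosing branch starts outside this hunk.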
@@ -4031,6 +4129,18 @@ update_action(isc_task_t *task, isc_event_t *event) {
if (! ISC_LIST_EMPTY(diff.tuples))
CHECK(check_dnssec(client, zone, db, ver, &diff));
+ if (! ISC_LIST_EMPTY(diff.tuples)) {
+ unsigned int errors = 0;
+ CHECK(dns_zone_nscheck(zone, db, ver, &errors));
+ if (errors != 0) {
+ update_log(client, zone, LOGLEVEL_PROTOCOL,
+ "update rejected: post update name server "
+ "sanity check failed");
+ result = DNS_R_REFUSED;
+ goto failure;
+ }
+ }
+
/*
* If any changes were made, increment the SOA serial number,
* update RRSIGs and NSECs (if zone is secure), and write the update
@@ -4056,37 +4166,29 @@ update_action(isc_task_t *task, isc_event_t *event) {
CHECK(rrset_exists(db, ver, zonename, dns_rdatatype_dnskey,
0, &has_dnskey));
-#if !defined(ALLOW_SECURE_TO_INSECURE) || !defined(ALLOW_INSECURE_TO_SECURE)
- CHECK(rrset_exists(db, oldver, zonename, dns_rdatatype_dnskey,
- 0, &had_dnskey));
+#define ALLOW_SECURE_TO_INSECURE(zone) \
+ ((dns_zone_getoptions(zone) & DNS_ZONEOPT_SECURETOINSECURE) != 0)
-#ifndef ALLOW_SECURE_TO_INSECURE
- if (had_dnskey && !has_dnskey) {
- update_log(client, zone, LOGLEVEL_PROTOCOL,
- "update rejected: all DNSKEY records "
- "removed");
- result = DNS_R_REFUSED;
- goto failure;
- }
-#endif
-#ifndef ALLOW_INSECURE_TO_SECURE
- if (!had_dnskey && has_dnskey) {
- update_log(client, zone, LOGLEVEL_PROTOCOL,
- "update rejected: DNSKEY record added");
- result = DNS_R_REFUSED;
- goto failure;
+ if (!ALLOW_SECURE_TO_INSECURE(zone)) {
+ CHECK(rrset_exists(db, oldver, zonename,
+ dns_rdatatype_dnskey, 0,
+ &had_dnskey));
+ if (had_dnskey && !has_dnskey) {
+ update_log(client, zone, LOGLEVEL_PROTOCOL,
+ "update rejected: all DNSKEY "
+ "records removed and "
+ "'dnssec-secure-to-insecure' "
+ "not set");
+ result = DNS_R_REFUSED;
+ goto failure;
+ }
}
-#endif
-#endif
- CHECK(add_signing_records(db, zonename, ver,
- dns_zone_getprivatetype(zone),
- &diff));
+ CHECK(rollback_private(db, privatetype, ver, &diff));
+
+ CHECK(add_signing_records(db, privatetype, ver, &diff));
-#ifdef ALLOW_NSEC3PARAM_UPDATE
- CHECK(add_nsec3param_records(client, zone, db, zonename,
- ver, &diff));
-#endif
+ CHECK(add_nsec3param_records(client, zone, db, ver, &diff));
if (!has_dnskey) {
/*
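Review bot: `ALLOW_SECURE_TO_INSECURE(zone)` is introduced with `#define` in the middle of update_action and reuses the name of the compile-time switch this commit removes, so it stays defined for the rest of the file and reads like a build option. A local such as `isc_boolean_t allow_s2i = ISC_TF((dns_zone_getoptions(zone) & DNS_ZONEOPT_SECURETOINSECURE) != 0);` says the same thing without the macro. `had_dnskey` is now assigned only inside the `if`, so any later use outside this hunk would see its initial value when the option is set; that should be checked. The insecure-to-secure refusal is removed outright, which leaves adding a DNSKEY by dynamic update gated only by the update ACL or policy, and a comment stating that this is intended would be useful.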
@@ -4095,15 +4197,13 @@ update_action(isc_task_t *task, isc_event_t *event) {
* the last signature for the DNSKEY records are
* remove any NSEC chain present will also be removed.
*/
-#ifdef ALLOW_NSEC3PARAM_UPDATE
- CHECK(delete_chains(db, ver, zonename, &diff));
-#endif
- } else if (has_dnskey && dns_db_isdnssec(db)) {
+ CHECK(dns_nsec3param_deletechains(db, ver, zone,
+ &diff));
+ } else if (has_dnskey && isdnssec(db, ver, privatetype)) {
isc_uint32_t interval;
interval = dns_zone_getsigvalidityinterval(zone);
result = update_signatures(client, zone, db, oldver,
- ver, &diff, interval,
- &deleted_zsk);
+ ver, &diff, interval);
if (result != ISC_R_SUCCESS) {
update_log(client, zone,
ISC_LOG_ERROR,
@@ -4189,7 +4289,6 @@ update_action(isc_task_t *task, isc_event_t *event) {
}
}
-#ifdef ALLOW_NSEC3PARAM_UPDATE
/*
* Cause the zone to add/delete NSEC3 chains for the
* deferred NSEC3PARAM changes.
@@ -4199,13 +4298,18 @@ update_action(isc_task_t *task, isc_event_t *event) {
for (tuple = ISC_LIST_HEAD(diff.tuples);
tuple != NULL;
tuple = ISC_LIST_NEXT(tuple, link)) {
+ unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];
+ dns_rdata_t rdata = DNS_RDATA_INIT;
dns_rdata_nsec3param_t nsec3param;
- if (tuple->rdata.type != dns_rdatatype_nsec3param ||
+ if (tuple->rdata.type != privatetype ||
tuple->op != DNS_DIFFOP_ADD)
continue;
- dns_rdata_tostruct(&tuple->rdata, &nsec3param, NULL);
+ if (!dns_nsec3param_fromprivate(&tuple->rdata, &rdata,
+ buf, sizeof(buf)))
+ continue;
+ dns_rdata_tostruct(&rdata, &nsec3param, NULL);
if (nsec3param.flags == 0)
continue;
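Review bot: The return value of `dns_rdata_tostruct()` is discarded and `nsec3param.flags` is read straight afterwards. The rdata has just been rebuilt from a private-type record by dns_nsec3param_fromprivate(), so a failed conversion would leave `nsec3param` unset. I would write `if (dns_rdata_tostruct(&rdata, &nsec3param, NULL) != ISC_R_SUCCESS) continue;`, in line with the `continue` already used when the fromprivate call fails. The loop body continues outside this hunk.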
@@ -4216,7 +4320,6 @@ update_action(isc_task_t *task, isc_event_t *event) {
dns_result_totext(result));
}
}
-#endif
} else {
update_log(client, zone, LOGLEVEL_DEBUG, "redundant request");
dns_db_closeversion(db, &ver, ISC_TRUE);
diff --git a/contrib/bind9/bin/named/xfrout.c b/contrib/bind9/bin/named/xfrout.c
index 01c67fb073ad..6cda6589e1c9 100644
--- a/contrib/bind9/bin/named/xfrout.c
+++ b/contrib/bind9/bin/named/xfrout.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: xfrout.c,v 1.139.16.4 2011/12/01 01:00:50 marka Exp $ */
#include <config.h>
@@ -28,9 +28,7 @@
#include <dns/db.h>
#include <dns/dbiterator.h>
-#ifdef DLZ
#include <dns/dlz.h>
-#endif
#include <dns/fixedname.h>
#include <dns/journal.h>
#include <dns/message.h>
@@ -40,6 +38,7 @@
#include <dns/rdataset.h>
#include <dns/rdatasetiter.h>
#include <dns/result.h>
+#include <dns/rriterator.h>
#include <dns/soa.h>
#include <dns/stats.h>
#include <dns/timer.h>
@@ -112,43 +111,6 @@
} while (0)
/**************************************************************************/
-/*%
- * A db_rr_iterator_t is an iterator that iterates over an entire database,
- * returning one RR at a time, in some arbitrary order.
- */
-
-typedef struct db_rr_iterator db_rr_iterator_t;
-
-/*% db_rr_iterator structure */
-struct db_rr_iterator {
- isc_result_t result;
- dns_db_t *db;
- dns_dbiterator_t *dbit;
- dns_dbversion_t *ver;
- isc_stdtime_t now;
- dns_dbnode_t *node;
- dns_fixedname_t fixedname;
- dns_rdatasetiter_t *rdatasetit;
- dns_rdataset_t rdataset;
- dns_rdata_t rdata;
-};
-
-static isc_result_t
-db_rr_iterator_init(db_rr_iterator_t *it, dns_db_t *db, dns_dbversion_t *ver,
- isc_stdtime_t now);
-
-static isc_result_t
-db_rr_iterator_first(db_rr_iterator_t *it);
-
-static isc_result_t
-db_rr_iterator_next(db_rr_iterator_t *it);
-
-static void
-db_rr_iterator_current(db_rr_iterator_t *it, dns_name_t **name,
- isc_uint32_t *ttl, dns_rdata_t **rdata);
-
-static void
-db_rr_iterator_destroy(db_rr_iterator_t *it);
static inline void
inc_stats(dns_zone_t *zone, isc_statscounter_t counter) {
@@ -160,145 +122,6 @@ inc_stats(dns_zone_t *zone, isc_statscounter_t counter) {
}
}
-static isc_result_t
-db_rr_iterator_init(db_rr_iterator_t *it, dns_db_t *db, dns_dbversion_t *ver,
- isc_stdtime_t now)
-{
- isc_result_t result;
- it->db = db;
- it->dbit = NULL;
- it->ver = ver;
- it->now = now;
- it->node = NULL;
- result = dns_db_createiterator(it->db, 0, &it->dbit);
- if (result != ISC_R_SUCCESS)
- return (result);
- it->rdatasetit = NULL;
- dns_rdata_init(&it->rdata);
- dns_rdataset_init(&it->rdataset);
- dns_fixedname_init(&it->fixedname);
- INSIST(! dns_rdataset_isassociated(&it->rdataset));
- it->result = ISC_R_SUCCESS;
- return (it->result);
-}
-
-static isc_result_t
-db_rr_iterator_first(db_rr_iterator_t *it) {
- it->result = dns_dbiterator_first(it->dbit);
- /*
- * The top node may be empty when out of zone glue exists.
- * Walk the tree to find the first node with data.
- */
- while (it->result == ISC_R_SUCCESS) {
- it->result = dns_dbiterator_current(it->dbit, &it->node,
- dns_fixedname_name(&it->fixedname));
- if (it->result != ISC_R_SUCCESS)
- return (it->result);
-
- it->result = dns_db_allrdatasets(it->db, it->node,
- it->ver, it->now,
- &it->rdatasetit);
- if (it->result != ISC_R_SUCCESS)
- return (it->result);
-
- it->result = dns_rdatasetiter_first(it->rdatasetit);
- if (it->result != ISC_R_SUCCESS) {
- /*
- * This node is empty. Try next node.
- */
- dns_rdatasetiter_destroy(&it->rdatasetit);
- dns_db_detachnode(it->db, &it->node);
- it->result = dns_dbiterator_next(it->dbit);
- continue;
- }
- dns_rdatasetiter_current(it->rdatasetit, &it->rdataset);
- it->rdataset.attributes |= DNS_RDATASETATTR_LOADORDER;
- it->result = dns_rdataset_first(&it->rdataset);
- return (it->result);
- }
- return (it->result);
-}
-
-
-static isc_result_t
-db_rr_iterator_next(db_rr_iterator_t *it) {
- if (it->result != ISC_R_SUCCESS)
- return (it->result);
-
- INSIST(it->dbit != NULL);
- INSIST(it->node != NULL);
- INSIST(it->rdatasetit != NULL);
-
- it->result = dns_rdataset_next(&it->rdataset);
- if (it->result == ISC_R_NOMORE) {
- dns_rdataset_disassociate(&it->rdataset);
- it->result = dns_rdatasetiter_next(it->rdatasetit);
- /*
- * The while loop body is executed more than once
- * only when an empty dbnode needs to be skipped.
- */
- while (it->result == ISC_R_NOMORE) {
- dns_rdatasetiter_destroy(&it->rdatasetit);
- dns_db_detachnode(it->db, &it->node);
- it->result = dns_dbiterator_next(it->dbit);
- if (it->result == ISC_R_NOMORE) {
- /* We are at the end of the entire database. */
- return (it->result);
- }
- if (it->result != ISC_R_SUCCESS)
- return (it->result);
- it->result = dns_dbiterator_current(it->dbit,
- &it->node,
- dns_fixedname_name(&it->fixedname));
- if (it->result != ISC_R_SUCCESS)
- return (it->result);
- it->result = dns_db_allrdatasets(it->db, it->node,
- it->ver, it->now,
- &it->rdatasetit);
- if (it->result != ISC_R_SUCCESS)
- return (it->result);
- it->result = dns_rdatasetiter_first(it->rdatasetit);
- }
- if (it->result != ISC_R_SUCCESS)
- return (it->result);
- dns_rdatasetiter_current(it->rdatasetit, &it->rdataset);
- it->rdataset.attributes |= DNS_RDATASETATTR_LOADORDER;
- it->result = dns_rdataset_first(&it->rdataset);
- if (it->result != ISC_R_SUCCESS)
- return (it->result);
- }
- return (it->result);
-}
-
-static void
-db_rr_iterator_pause(db_rr_iterator_t *it) {
- RUNTIME_CHECK(dns_dbiterator_pause(it->dbit) == ISC_R_SUCCESS);
-}
-
-static void
-db_rr_iterator_destroy(db_rr_iterator_t *it) {
- if (dns_rdataset_isassociated(&it->rdataset))
- dns_rdataset_disassociate(&it->rdataset);
- if (it->rdatasetit != NULL)
- dns_rdatasetiter_destroy(&it->rdatasetit);
- if (it->node != NULL)
- dns_db_detachnode(it->db, &it->node);
- dns_dbiterator_destroy(&it->dbit);
-}
-
-static void
-db_rr_iterator_current(db_rr_iterator_t *it, dns_name_t **name,
- isc_uint32_t *ttl, dns_rdata_t **rdata)
-{
- REQUIRE(name != NULL && *name == NULL);
- REQUIRE(it->result == ISC_R_SUCCESS);
- *name = dns_fixedname_name(&it->fixedname);
- *ttl = it->rdataset.ttl;
- dns_rdata_reset(&it->rdata);
- dns_rdataset_current(&it->rdataset, &it->rdata);
- *rdata = &it->rdata;
-}
-
/**************************************************************************/
/*% Log an RR (for debugging) */
@@ -488,7 +311,7 @@ static rrstream_methods_t ixfr_rrstream_methods = {
typedef struct axfr_rrstream {
rrstream_t common;
- db_rr_iterator_t it;
+ dns_rriterator_t it;
isc_boolean_t it_valid;
} axfr_rrstream_t;
@@ -516,7 +339,7 @@ axfr_rrstream_create(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *ver,
s->common.methods = &axfr_rrstream_methods;
s->it_valid = ISC_FALSE;
- CHECK(db_rr_iterator_init(&s->it, db, ver, 0));
+ CHECK(dns_rriterator_init(&s->it, db, ver, 0));
s->it_valid = ISC_TRUE;
*sp = (rrstream_t *) s;
@@ -531,7 +354,7 @@ static isc_result_t
axfr_rrstream_first(rrstream_t *rs) {
axfr_rrstream_t *s = (axfr_rrstream_t *) rs;
isc_result_t result;
- result = db_rr_iterator_first(&s->it);
+ result = dns_rriterator_first(&s->it);
if (result != ISC_R_SUCCESS)
return (result);
/* Skip SOA records. */
@@ -539,11 +362,11 @@ axfr_rrstream_first(rrstream_t *rs) {
dns_name_t *name_dummy = NULL;
isc_uint32_t ttl_dummy;
dns_rdata_t *rdata = NULL;
- db_rr_iterator_current(&s->it, &name_dummy,
- &ttl_dummy, &rdata);
+ dns_rriterator_current(&s->it, &name_dummy,
+ &ttl_dummy, NULL, &rdata);
if (rdata->type != dns_rdatatype_soa)
break;
- result = db_rr_iterator_next(&s->it);
+ result = dns_rriterator_next(&s->it);
if (result != ISC_R_SUCCESS)
break;
}
@@ -560,11 +383,11 @@ axfr_rrstream_next(rrstream_t *rs) {
dns_name_t *name_dummy = NULL;
isc_uint32_t ttl_dummy;
dns_rdata_t *rdata = NULL;
- result = db_rr_iterator_next(&s->it);
+ result = dns_rriterator_next(&s->it);
if (result != ISC_R_SUCCESS)
break;
- db_rr_iterator_current(&s->it, &name_dummy,
- &ttl_dummy, &rdata);
+ dns_rriterator_current(&s->it, &name_dummy,
+ &ttl_dummy, NULL, &rdata);
if (rdata->type != dns_rdatatype_soa)
break;
}
@@ -576,20 +399,20 @@ axfr_rrstream_current(rrstream_t *rs, dns_name_t **name, isc_uint32_t *ttl,
dns_rdata_t **rdata)
{
axfr_rrstream_t *s = (axfr_rrstream_t *) rs;
- db_rr_iterator_current(&s->it, name, ttl, rdata);
+ dns_rriterator_current(&s->it, name, ttl, NULL, rdata);
}
static void
axfr_rrstream_pause(rrstream_t *rs) {
axfr_rrstream_t *s = (axfr_rrstream_t *) rs;
- db_rr_iterator_pause(&s->it);
+ dns_rriterator_pause(&s->it);
}
static void
axfr_rrstream_destroy(rrstream_t **rsp) {
axfr_rrstream_t *s = (axfr_rrstream_t *) *rsp;
if (s->it_valid)
- db_rr_iterator_destroy(&s->it);
+ dns_rriterator_destroy(&s->it);
isc_mem_put(s->common.mctx, s, sizeof(*s));
}
@@ -927,9 +750,7 @@ ns_xfr_start(ns_client_t *client, dns_rdatatype_t reqtype) {
char msg[NS_CLIENT_ACLMSGSIZE("zone transfer")];
char keyname[DNS_NAME_FORMATSIZE];
isc_boolean_t is_poll = ISC_FALSE;
-#ifdef DLZ
isc_boolean_t is_dlz = ISC_FALSE;
-#endif
switch (reqtype) {
case dns_rdatatype_axfr:
@@ -981,9 +802,7 @@ ns_xfr_start(ns_client_t *client, dns_rdatatype_t reqtype) {
result = dns_zt_find(client->view->zonetable, question_name, 0, NULL,
&zone);
- if (result != ISC_R_SUCCESS)
-#ifdef DLZ
- {
+ if (result != ISC_R_SUCCESS) {
/*
* Normal zone table does not have a match.
* Try the DLZ database
@@ -1011,10 +830,8 @@ ns_xfr_start(ns_client_t *client, dns_rdatatype_t reqtype) {
goto failure;
}
if (result != ISC_R_SUCCESS)
-#endif
- FAILQ(DNS_R_NOTAUTH, "non-authoritative zone",
- question_name, question_class);
-#ifdef DLZ
+ FAILQ(DNS_R_NOTAUTH, "non-authoritative zone",
+ question_name, question_class);
is_dlz = ISC_TRUE;
/*
* DLZ only support full zone transfer, not incremental
@@ -1034,19 +851,17 @@ ns_xfr_start(ns_client_t *client, dns_rdatatype_t reqtype) {
}
} else {
/* zone table has a match */
-#endif
switch(dns_zone_gettype(zone)) {
case dns_zone_master:
case dns_zone_slave:
+ case dns_zone_dlz:
break; /* Master and slave zones are OK for transfer. */
default:
FAILQ(DNS_R_NOTAUTH, "non-authoritative zone", question_name, question_class);
}
CHECK(dns_zone_getdb(zone, &db));
dns_db_currentversion(db, &ver);
-#ifdef DLZ
}
-#endif
xfrout_log1(client, question_name, question_class, ISC_LOG_DEBUG(6),
"%s question section OK", mnemonic);
@@ -1100,22 +915,15 @@ ns_xfr_start(ns_client_t *client, dns_rdatatype_t reqtype) {
"%s authority section OK", mnemonic);
/*
- * Decide whether to allow this transfer.
- */
-#ifdef DLZ
- /*
- * if not a DLZ zone decide whether to allow this transfer.
+ * If not a DLZ zone, decide whether to allow this transfer.
*/
if (!is_dlz) {
-#endif
ns_client_aclmsg("zone transfer", question_name, reqtype,
client->view->rdclass, msg, sizeof(msg));
CHECK(ns_client_checkacl(client, NULL, msg,
dns_zone_getxfracl(zone),
ISC_TRUE, ISC_LOG_ERROR));
-#ifdef DLZ
}
-#endif
/*
* AXFR over UDP is not possible.
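Review bot: The rewritten comment says what `if (!is_dlz)` does but not why the allow-transfer ACL may be skipped. For DLZ-backed zones the authorisation presumably comes from the driver's decision in the DLZ lookup branch earlier in ns_xfr_start (outside this hunk), and the comment should say so, so that nobody reads the skip as an unchecked path, e.g. `* DLZ zones were already authorised by the DLZ driver during lookup; apply the allow-transfer ACL to all others.` As far as the visible lines show, `is_dlz` is set only on that lookup path, so the `dns_zone_dlz` zones admitted from the zone table in the previous hunk still take this ACL check. The comment there still reads "Master and slave zones are OK for transfer" and should mention DLZ zones too.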
@@ -1139,10 +947,9 @@ ns_xfr_start(ns_client_t *client, dns_rdatatype_t reqtype) {
/*
* Get a dynamically allocated copy of the current SOA.
*/
-#ifdef DLZ
if (is_dlz)
dns_db_currentversion(db, &ver);
-#endif
+
CHECK(dns_db_createsoatuple(db, ver, mctx, DNS_DIFFOP_EXISTS,
&current_soa_tuple));
@@ -1228,7 +1035,6 @@ ns_xfr_start(ns_client_t *client, dns_rdatatype_t reqtype) {
-#ifdef DLZ
if (is_dlz)
CHECK(xfrout_ctx_create(mctx, client, request->id,
question_name, reqtype, question_class,
@@ -1241,7 +1047,6 @@ ns_xfr_start(ns_client_t *client, dns_rdatatype_t reqtype) {
ISC_TRUE : ISC_FALSE,
&xfr));
else
-#endif
CHECK(xfrout_ctx_create(mctx, client, request->id,
question_name, reqtype, question_class,
zone, db, ver, quota, stream,
diff --git a/contrib/bind9/bin/named/zoneconf.c b/contrib/bind9/bin/named/zoneconf.c
index 108ebf1a9d84..6eef28ae131f 100644
--- a/contrib/bind9/bin/named/zoneconf.c
+++ b/contrib/bind9/bin/named/zoneconf.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2009, 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: zoneconf.c,v 1.170.14.7 2012/01/31 23:46:39 tbox Exp $ */
/*% */
@@ -30,10 +30,16 @@
#include <isc/util.h>
#include <dns/acl.h>
+#include <dns/db.h>
#include <dns/fixedname.h>
#include <dns/log.h>
#include <dns/name.h>
+#include <dns/rdata.h>
#include <dns/rdatatype.h>
+#include <dns/rdataset.h>
+#include <dns/rdatalist.h>
+#include <dns/result.h>
+#include <dns/sdlz.h>
#include <dns/ssu.h>
#include <dns/stats.h>
#include <dns/view.h>
@@ -55,16 +61,18 @@ typedef enum {
allow_update_forwarding
} acl_type_t;
-/*%
- * These are BIND9 server defaults, not necessarily identical to the
- * library defaults defined in zone.c.
- */
#define RETERR(x) do { \
isc_result_t _r = (x); \
if (_r != ISC_R_SUCCESS) \
return (_r); \
} while (0)
+#define CHECK(x) do { \
+ result = (x); \
+ if (result != ISC_R_SUCCESS) \
+ goto cleanup; \
+ } while (0)
+
/*%
* Convenience function for configuring a single zone ACL.
*/
@@ -133,8 +141,11 @@ configure_zone_acl(const cfg_obj_t *zconfig, const cfg_obj_t *vconfig,
}
/* Check for default ACLs that haven't been parsed yet */
- if (vconfig != NULL)
- maps[i++] = cfg_tuple_get(vconfig, "options");
+ if (vconfig != NULL) {
+ const cfg_obj_t *options = cfg_tuple_get(vconfig, "options");
+ if (options != NULL)
+ maps[i++] = options;
+ }
if (config != NULL) {
const cfg_obj_t *options = NULL;
(void)cfg_map_get(config, "options", &options);
@@ -169,19 +180,29 @@ parse_acl:
* Parse the zone update-policy statement.
*/
static isc_result_t
-configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone) {
+configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone,
+ const char *zname)
+{
const cfg_obj_t *updatepolicy = NULL;
const cfg_listelt_t *element, *element2;
dns_ssutable_t *table = NULL;
isc_mem_t *mctx = dns_zone_getmctx(zone);
+ isc_boolean_t autoddns = ISC_FALSE;
isc_result_t result;
(void)cfg_map_get(zconfig, "update-policy", &updatepolicy);
+
if (updatepolicy == NULL) {
dns_zone_setssutable(zone, NULL);
return (ISC_R_SUCCESS);
}
+ if (cfg_obj_isstring(updatepolicy) &&
+ strcmp("local", cfg_obj_asstring(updatepolicy)) == 0) {
+ autoddns = ISC_TRUE;
+ updatepolicy = NULL;
+ }
+
result = dns_ssutable_create(mctx, &table);
if (result != ISC_R_SUCCESS)
return (result);
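Review bot: Only the exact string `local` is handled; any other string value of update-policy leaves `updatepolicy` non-NULL and falls through to the list iteration below as if it were a grant/deny list. The parser may well reject other strings before this point, but that is not visible here, so I would add an explicit error return for a string that is not `local`, or at least a comment stating the assumption. The comparison is also a case-sensitive `strcmp`, while the match-type keywords further down in this function use `strcasecmp`.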
@@ -198,6 +219,7 @@ configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone) {
const cfg_obj_t *typelist = cfg_tuple_get(stmt, "types");
const char *str;
isc_boolean_t grant = ISC_FALSE;
+ isc_boolean_t usezone = ISC_FALSE;
unsigned int mtype = DNS_SSUMATCHTYPE_NAME;
dns_fixedname_t fname, fident;
isc_buffer_t b;
@@ -237,6 +259,11 @@ configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone) {
mtype = DNS_SSUMATCHTYPE_TCPSELF;
else if (strcasecmp(str, "6to4-self") == 0)
mtype = DNS_SSUMATCHTYPE_6TO4SELF;
+ else if (strcasecmp(str, "zonesub") == 0) {
+ mtype = DNS_SSUMATCHTYPE_SUBDOMAIN;
+ usezone = ISC_TRUE;
+ } else if (strcasecmp(str, "external") == 0)
+ mtype = DNS_SSUMATCHTYPE_EXTERNAL;
else
INSIST(0);
@@ -245,7 +272,7 @@ configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone) {
isc_buffer_init(&b, str, strlen(str));
isc_buffer_add(&b, strlen(str));
result = dns_name_fromtext(dns_fixedname_name(&fident), &b,
- dns_rootname, ISC_FALSE, NULL);
+ dns_rootname, 0, NULL);
if (result != ISC_R_SUCCESS) {
cfg_obj_log(identity, ns_g_lctx, ISC_LOG_ERROR,
"'%s' is not a valid name", str);
@@ -253,15 +280,27 @@ configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone) {
}
dns_fixedname_init(&fname);
- str = cfg_obj_asstring(dname);
- isc_buffer_init(&b, str, strlen(str));
- isc_buffer_add(&b, strlen(str));
- result = dns_name_fromtext(dns_fixedname_name(&fname), &b,
- dns_rootname, ISC_FALSE, NULL);
- if (result != ISC_R_SUCCESS) {
- cfg_obj_log(identity, ns_g_lctx, ISC_LOG_ERROR,
- "'%s' is not a valid name", str);
- goto cleanup;
+ if (usezone) {
+ result = dns_name_copy(dns_zone_getorigin(zone),
+ dns_fixedname_name(&fname),
+ NULL);
+ if (result != ISC_R_SUCCESS) {
+ cfg_obj_log(identity, ns_g_lctx, ISC_LOG_ERROR,
+ "error copying origin: %s",
+ isc_result_totext(result));
+ goto cleanup;
+ }
+ } else {
+ str = cfg_obj_asstring(dname);
+ isc_buffer_init(&b, str, strlen(str));
+ isc_buffer_add(&b, strlen(str));
+ result = dns_name_fromtext(dns_fixedname_name(&fname),
+ &b, dns_rootname, 0, NULL);
+ if (result != ISC_R_SUCCESS) {
+ cfg_obj_log(identity, ns_g_lctx, ISC_LOG_ERROR,
+ "'%s' is not a valid name", str);
+ goto cleanup;
+ }
}
n = ns_config_listcount(typelist);
@@ -311,7 +350,34 @@ configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone) {
if (result != ISC_R_SUCCESS) {
goto cleanup;
}
+ }
+
+ /*
+ * If "update-policy local;" and a session key exists,
+ * then use the default policy, which is equivalent to:
+ * update-policy { grant <session-keyname> zonesub any; };
+ */
+ if (autoddns) {
+ dns_rdatatype_t any = dns_rdatatype_any;
+
+ if (ns_g_server->session_keyname == NULL) {
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
+ "failed to enable auto DDNS policy "
+ "for zone %s: session key not found",
+ zname);
+ result = ISC_R_NOTFOUND;
+ goto cleanup;
+ }
+
+ result = dns_ssutable_addrule(table, ISC_TRUE,
+ ns_g_server->session_keyname,
+ DNS_SSUMATCHTYPE_SUBDOMAIN,
+ dns_zone_getorigin(zone),
+ 1, &any);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
}
result = ISC_R_SUCCESS;
@@ -322,6 +388,325 @@ configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone) {
return (result);
}
+/*
+ * This is the TTL used for internally generated RRsets for static-stub zones.
+ * The value doesn't matter because the mapping is static, but needs to be
+ * defined for the sake of implementation.
+ */
+#define STATICSTUB_SERVER_TTL 86400
+
+/*%
+ * Configure an apex NS with glues for a static-stub zone.
+ * For example, for the zone named "example.com", the following RRs will be
+ * added to the zone DB:
+ * example.com. NS example.com.
+ * example.com. A 192.0.2.1
+ * example.com. AAAA 2001:db8::1
+ */
+static isc_result_t
+configure_staticstub_serveraddrs(const cfg_obj_t *zconfig, dns_zone_t *zone,
+ dns_rdatalist_t *rdatalist_ns,
+ dns_rdatalist_t *rdatalist_a,
+ dns_rdatalist_t *rdatalist_aaaa)
+{
+ const cfg_listelt_t *element;
+ isc_mem_t *mctx = dns_zone_getmctx(zone);
+ isc_region_t region, sregion;
+ dns_rdata_t *rdata;
+ isc_result_t result = ISC_R_SUCCESS;
+
+ for (element = cfg_list_first(zconfig);
+ element != NULL;
+ element = cfg_list_next(element))
+ {
+ const isc_sockaddr_t* sa;
+ isc_netaddr_t na;
+ const cfg_obj_t *address = cfg_listelt_value(element);
+ dns_rdatalist_t *rdatalist;
+
+ sa = cfg_obj_assockaddr(address);
+ if (isc_sockaddr_getport(sa) != 0) {
+ cfg_obj_log(zconfig, ns_g_lctx, ISC_LOG_ERROR,
+ "port is not configurable for "
+ "static stub server-addresses");
+ return (ISC_R_FAILURE);
+ }
+ isc_netaddr_fromsockaddr(&na, sa);
+ if (isc_netaddr_getzone(&na) != 0) {
+ cfg_obj_log(zconfig, ns_g_lctx, ISC_LOG_ERROR,
+ "scoped address is not allowed "
+ "for static stub "
+ "server-addresses");
+ return (ISC_R_FAILURE);
+ }
+
+ switch (na.family) {
+ case AF_INET:
+ region.length = sizeof(na.type.in);
+ rdatalist = rdatalist_a;
+ break;
+ default:
+ INSIST(na.family == AF_INET6);
+ region.length = sizeof(na.type.in6);
+ rdatalist = rdatalist_aaaa;
+ break;
+ }
+
+ rdata = isc_mem_get(mctx, sizeof(*rdata) + region.length);
+ if (rdata == NULL)
+ return (ISC_R_NOMEMORY);
+ region.base = (unsigned char *)(rdata + 1);
+ memcpy(region.base, &na.type, region.length);
+ dns_rdata_init(rdata);
+ dns_rdata_fromregion(rdata, dns_zone_getclass(zone),
+ rdatalist->type, &region);
+ ISC_LIST_APPEND(rdatalist->rdata, rdata, link);
+ }
+
+ /*
+ * If no address is specified (unlikely in this context, but possible),
+ * there's nothing to do anymore.
+ */
+ if (ISC_LIST_EMPTY(rdatalist_a->rdata) &&
+ ISC_LIST_EMPTY(rdatalist_aaaa->rdata)) {
+ return (ISC_R_SUCCESS);
+ }
+
+ /* Add to the list an apex NS with the ns name being the origin name */
+ dns_name_toregion(dns_zone_getorigin(zone), &sregion);
+ rdata = isc_mem_get(mctx, sizeof(*rdata) + sregion.length);
+ if (rdata == NULL) {
+ /*
+ * Already allocated data will be freed in the caller, so
+ * we can simply return here.
+ */
+ return (ISC_R_NOMEMORY);
+ }
+ region.length = sregion.length;
+ region.base = (unsigned char *)(rdata + 1);
+ memcpy(region.base, sregion.base, region.length);
+ dns_rdata_init(rdata);
+ dns_rdata_fromregion(rdata, dns_zone_getclass(zone),
+ dns_rdatatype_ns, &region);
+ ISC_LIST_APPEND(rdatalist_ns->rdata, rdata, link);
+
+ return (result);
+}
+
+/*%
+ * Configure an apex NS with an out-of-zone NS names for a static-stub zone.
+ * For example, for the zone named "example.com", something like the following
+ * RRs will be added to the zone DB:
+ * example.com. NS ns.example.net.
+ */
+static isc_result_t
+configure_staticstub_servernames(const cfg_obj_t *zconfig, dns_zone_t *zone,
+ dns_rdatalist_t *rdatalist, const char *zname)
+{
+ const cfg_listelt_t *element;
+ isc_mem_t *mctx = dns_zone_getmctx(zone);
+ dns_rdata_t *rdata;
+ isc_region_t sregion, region;
+ isc_result_t result = ISC_R_SUCCESS;
+
+ for (element = cfg_list_first(zconfig);
+ element != NULL;
+ element = cfg_list_next(element))
+ {
+ const cfg_obj_t *obj;
+ const char *str;
+ dns_fixedname_t fixed_name;
+ dns_name_t *nsname;
+ isc_buffer_t b;
+
+ obj = cfg_listelt_value(element);
+ str = cfg_obj_asstring(obj);
+
+ dns_fixedname_init(&fixed_name);
+ nsname = dns_fixedname_name(&fixed_name);
+
+ isc_buffer_init(&b, str, strlen(str));
+ isc_buffer_add(&b, strlen(str));
+ result = dns_name_fromtext(nsname, &b, dns_rootname, 0, NULL);
+ if (result != ISC_R_SUCCESS) {
+ cfg_obj_log(zconfig, ns_g_lctx, ISC_LOG_ERROR,
+ "server-name '%s' is not a valid "
+ "name", str);
+ return (result);
+ }
+ if (dns_name_issubdomain(nsname, dns_zone_getorigin(zone))) {
+ cfg_obj_log(zconfig, ns_g_lctx, ISC_LOG_ERROR,
+ "server-name '%s' must not be a "
+ "subdomain of zone name '%s'",
+ str, zname);
+ return (ISC_R_FAILURE);
+ }
+
+ dns_name_toregion(nsname, &sregion);
+ rdata = isc_mem_get(mctx, sizeof(*rdata) + sregion.length);
+ if (rdata == NULL)
+ return (ISC_R_NOMEMORY);
+ region.length = sregion.length;
+ region.base = (unsigned char *)(rdata + 1);
+ memcpy(region.base, sregion.base, region.length);
+ dns_rdata_init(rdata);
+ dns_rdata_fromregion(rdata, dns_zone_getclass(zone),
+ dns_rdatatype_ns, &region);
+ ISC_LIST_APPEND(rdatalist->rdata, rdata, link);
+ }
+
+ return (result);
+}
+
+/*%
+ * Configure static-stub zone.
+ */
+static isc_result_t
+configure_staticstub(const cfg_obj_t *zconfig, dns_zone_t *zone,
+ const char *zname, const char *dbtype)
+{
+ int i = 0;
+ const cfg_obj_t *obj;
+ isc_mem_t *mctx = dns_zone_getmctx(zone);
+ dns_db_t *db = NULL;
+ dns_dbversion_t *dbversion = NULL;
+ dns_dbnode_t *apexnode = NULL;
+ dns_name_t apexname;
+ isc_result_t result;
+ dns_rdataset_t rdataset;
+ dns_rdatalist_t rdatalist_ns, rdatalist_a, rdatalist_aaaa;
+ dns_rdatalist_t* rdatalists[] = {
+ &rdatalist_ns, &rdatalist_a, &rdatalist_aaaa, NULL
+ };
+ dns_rdata_t *rdata;
+ isc_region_t region;
+
+ /* Create the DB beforehand */
+ RETERR(dns_db_create(mctx, dbtype, dns_zone_getorigin(zone),
+ dns_dbtype_stub, dns_zone_getclass(zone),
+ 0, NULL, &db));
+ dns_zone_setdb(zone, db);
+
+ dns_rdatalist_init(&rdatalist_ns);
+ rdatalist_ns.rdclass = dns_zone_getclass(zone);
+ rdatalist_ns.type = dns_rdatatype_ns;
+ rdatalist_ns.ttl = STATICSTUB_SERVER_TTL;
+
+ dns_rdatalist_init(&rdatalist_a);
+ rdatalist_a.rdclass = dns_zone_getclass(zone);
+ rdatalist_a.type = dns_rdatatype_a;
+ rdatalist_a.ttl = STATICSTUB_SERVER_TTL;
+
+ dns_rdatalist_init(&rdatalist_aaaa);
+ rdatalist_aaaa.rdclass = dns_zone_getclass(zone);
+ rdatalist_aaaa.type = dns_rdatatype_aaaa;
+ rdatalist_aaaa.ttl = STATICSTUB_SERVER_TTL;
+
+ /* Prepare zone RRs from the configuration */
+ obj = NULL;
+ result = cfg_map_get(zconfig, "server-addresses", &obj);
+ if (result == ISC_R_SUCCESS) {
+ INSIST(obj != NULL);
+ result = configure_staticstub_serveraddrs(obj, zone,
+ &rdatalist_ns,
+ &rdatalist_a,
+ &rdatalist_aaaa);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+ }
+
+ obj = NULL;
+ result = cfg_map_get(zconfig, "server-names", &obj);
+ if (result == ISC_R_SUCCESS) {
+ INSIST(obj != NULL);
+ result = configure_staticstub_servernames(obj, zone,
+ &rdatalist_ns,
+ zname);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+ }
+
+ /*
+ * Sanity check: there should be at least one NS RR at the zone apex
+ * to trigger delegation.
+ */
+ if (ISC_LIST_EMPTY(rdatalist_ns.rdata)) {
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
+ "No NS record is configured for a "
+ "static-stub zone '%s'", zname);
+ result = ISC_R_FAILURE;
+ goto cleanup;
+ }
+
+ /*
+ * Now add NS and glue A/AAAA RRsets to the zone DB.
+ * First open a new version for the add operation and get a pointer
+ * to the apex node (all RRs are of the apex name).
+ */
+ result = dns_db_newversion(db, &dbversion);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+ dns_name_init(&apexname, NULL);
+ dns_name_clone(dns_zone_getorigin(zone), &apexname);
+ result = dns_db_findnode(db, &apexname, ISC_FALSE, &apexnode);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+
+ /* Add NS RRset */
+ dns_rdataset_init(&rdataset);
+ RUNTIME_CHECK(dns_rdatalist_tordataset(&rdatalist_ns, &rdataset)
+ == ISC_R_SUCCESS);
+ result = dns_db_addrdataset(db, apexnode, dbversion, 0, &rdataset,
+ 0, NULL);
+ dns_rdataset_disassociate(&rdataset);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+
+ /* Add glue A RRset, if any */
+ if (!ISC_LIST_EMPTY(rdatalist_a.rdata)) {
+ RUNTIME_CHECK(dns_rdatalist_tordataset(&rdatalist_a, &rdataset)
+ == ISC_R_SUCCESS);
+ result = dns_db_addrdataset(db, apexnode, dbversion, 0,
+ &rdataset, 0, NULL);
+ dns_rdataset_disassociate(&rdataset);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+ }
+
+ /* Add glue AAAA RRset, if any */
+ if (!ISC_LIST_EMPTY(rdatalist_aaaa.rdata)) {
+ RUNTIME_CHECK(dns_rdatalist_tordataset(&rdatalist_aaaa,
+ &rdataset)
+ == ISC_R_SUCCESS);
+ result = dns_db_addrdataset(db, apexnode, dbversion, 0,
+ &rdataset, 0, NULL);
+ dns_rdataset_disassociate(&rdataset);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+ }
+
+ result = ISC_R_SUCCESS;
+
+ cleanup:
+ if (apexnode != NULL)
+ dns_db_detachnode(db, &apexnode);
+ if (dbversion != NULL)
+ dns_db_closeversion(db, &dbversion, ISC_TRUE);
+ if (db != NULL)
+ dns_db_detach(&db);
+ for (i = 0; rdatalists[i] != NULL; i++) {
+ while ((rdata = ISC_LIST_HEAD(rdatalists[i]->rdata)) != NULL) {
+ ISC_LIST_UNLINK(rdatalists[i]->rdata, rdata, link);
+ dns_rdata_toregion(rdata, &region);
+ isc_mem_put(mctx, rdata,
+ sizeof(*rdata) + region.length);
+ }
+ }
+
+ return (result);
+}
+
/*%
* Convert a config file zone type into a server zone type.
*/
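Review bot: In configure_staticstub the cleanup path calls `dns_db_closeversion(db, &dbversion, ISC_TRUE)` on every exit, so a failure after the NS RRset has been added (for example in one of the glue `dns_db_addrdataset` calls) still commits the partial version. Passing `ISC_TF(result == ISC_R_SUCCESS)` as the commit flag would roll the version back on error. `dns_zone_setdb(zone, db)` is also called before the database is populated, so on any failure the zone is left attached to an empty or partial stub database. Whether the caller discards the zone in that case is outside this hunk.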
@@ -503,6 +888,19 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
if (result == ISC_R_SUCCESS)
filename = cfg_obj_asstring(obj);
+ /*
+ * Unless we're using some alternative database, a master zone
+ * will be needing a master file.
+ */
+ if (ztype == dns_zone_master && cpval == default_dbtype &&
+ filename == NULL) {
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
+ "zone '%s': 'file' not specified",
+ zname);
+ return (ISC_R_FAILURE);
+ }
+
masterformat = dns_masterformat_text;
obj = NULL;
result= ns_config_get(maps, "masterfile-format", &obj);
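Review bot: The new guard's `cpval == default_dbtype` test looks like a pointer comparison rather than a string comparison, and nothing in the hunk says so. The declarations of `cpval` and `default_dbtype` are outside the hunk, so this is inferred; if both are `char *`, a zone that explicitly names the default database would presumably skip the 'file' check. If that is intended, extend the comment with `* (cpval still points at default_dbtype only when no "database" option was given)`. ns_zone_configure starts and ends outside this hunk.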
@@ -577,7 +975,7 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
* to primary masters (type "master") and slaves
* acting as masters (type "slave"), but not to stubs.
*/
- if (ztype != dns_zone_stub) {
+ if (ztype != dns_zone_stub && ztype != dns_zone_staticstub) {
obj = NULL;
result = ns_config_get(maps, "notify", &obj);
INSIST(result == ISC_R_SUCCESS && obj != NULL);
@@ -731,6 +1129,7 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
*/
if (ztype == dns_zone_master) {
dns_acl_t *updateacl;
+
RETERR(configure_zone_acl(zconfig, vconfig, config,
allow_update, ac, zone,
dns_zone_setupdateacl,
@@ -744,7 +1143,7 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
"address, which is insecure",
zname);
- RETERR(configure_zone_ssutable(zoptions, zone));
+ RETERR(configure_zone_ssutable(zoptions, zone, zname));
obj = NULL;
result = ns_config_get(maps, "sig-validity-interval", &obj);
@@ -774,12 +1173,6 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
result = ns_config_get(maps, "key-directory", &obj);
if (result == ISC_R_SUCCESS) {
filename = cfg_obj_asstring(obj);
- if (!isc_file_isabsolute(filename)) {
- cfg_obj_log(obj, ns_g_lctx, ISC_LOG_ERROR,
- "key-directory '%s' "
- "is not absolute", filename);
- return (ISC_R_FAILURE);
- }
RETERR(dns_zone_setkeydirectory(zone, filename));
}
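Review bot: With the `isc_file_isabsolute()` test removed, a relative `key-directory` now goes straight to `dns_zone_setkeydirectory()`, and nothing here says what it is resolved against. That directory holds DNSSEC private keys, so the base directory matters to anyone auditing file permissions. I would add a comment above the call, e.g. `/* key-directory may be relative; it is then interpreted relative to the server's working directory */`, once that behaviour is confirmed in the zone code, which is not visible in this hunk.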
@@ -804,6 +1197,11 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
dns_zone_setoption(zone, DNS_ZONEOPT_UPDATECHECKKSK,
cfg_obj_asboolean(obj));
+ obj = NULL;
+ result = ns_config_get(maps, "dnssec-dnskey-kskonly", &obj);
+ INSIST(result == ISC_R_SUCCESS && obj != NULL);
+ dns_zone_setoption(zone, DNS_ZONEOPT_DNSKEYKSKONLY,
+ cfg_obj_asboolean(obj));
} else if (ztype == dns_zone_slave) {
RETERR(configure_zone_acl(zconfig, vconfig, config,
allow_update_forwarding, ac, zone,
@@ -811,11 +1209,12 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
dns_zone_clearforwardacl));
}
-
/*%
* Primary master functionality.
*/
if (ztype == dns_zone_master) {
+ isc_boolean_t allow = ISC_FALSE, maint = ISC_FALSE;
+
obj = NULL;
result = ns_config_get(maps, "check-wildcard", &obj);
if (result == ISC_R_SUCCESS)
@@ -825,6 +1224,21 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
dns_zone_setoption(zone, DNS_ZONEOPT_CHECKWILDCARD, check);
obj = NULL;
+ result = ns_config_get(maps, "check-dup-records", &obj);
+ INSIST(result == ISC_R_SUCCESS && obj != NULL);
+ if (strcasecmp(cfg_obj_asstring(obj), "warn") == 0) {
+ fail = ISC_FALSE;
+ check = ISC_TRUE;
+ } else if (strcasecmp(cfg_obj_asstring(obj), "fail") == 0) {
+ fail = check = ISC_TRUE;
+ } else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) {
+ fail = check = ISC_FALSE;
+ } else
+ INSIST(0);
+ dns_zone_setoption(zone, DNS_ZONEOPT_CHECKDUPRR, check);
+ dns_zone_setoption(zone, DNS_ZONEOPT_CHECKDUPRRFAIL, fail);
+
+ obj = NULL;
result = ns_config_get(maps, "check-mx", &obj);
INSIST(result == ISC_R_SUCCESS && obj != NULL);
if (strcasecmp(cfg_obj_asstring(obj), "warn") == 0) {
@@ -874,6 +1288,28 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
INSIST(0);
dns_zone_setoption(zone, DNS_ZONEOPT_WARNSRVCNAME, warn);
dns_zone_setoption(zone, DNS_ZONEOPT_IGNORESRVCNAME, ignore);
+
+ obj = NULL;
+ result = ns_config_get(maps, "dnssec-secure-to-insecure", &obj);
+ INSIST(result == ISC_R_SUCCESS && obj != NULL);
+ dns_zone_setoption(zone, DNS_ZONEOPT_SECURETOINSECURE,
+ cfg_obj_asboolean(obj));
+
+ obj = NULL;
+ result = cfg_map_get(zoptions, "auto-dnssec", &obj);
+ if (result == ISC_R_SUCCESS) {
+ const char *arg = cfg_obj_asstring(obj);
+ if (strcasecmp(arg, "allow") == 0)
+ allow = ISC_TRUE;
+ else if (strcasecmp(arg, "maintain") == 0)
+ allow = maint = ISC_TRUE;
+ else if (strcasecmp(arg, "off") == 0)
+ ;
+ else
+ INSIST(0);
+ dns_zone_setkeyopt(zone, DNS_ZONEKEY_ALLOW, allow);
+ dns_zone_setkeyopt(zone, DNS_ZONEKEY_MAINTAIN, maint);
+ }
}
/*
@@ -985,6 +1421,11 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
cfg_obj_asboolean(obj));
break;
+ case dns_zone_staticstub:
+ RETERR(configure_staticstub(zoptions, zone, zname,
+ default_dbtype));
+ break;
+
default:
break;
}
@@ -992,6 +1433,29 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
return (ISC_R_SUCCESS);
}
+
+/*
+ * Set up a DLZ zone as writeable
+ */
+isc_result_t
+ns_zone_configure_writeable_dlz(dns_dlzdb_t *dlzdatabase, dns_zone_t *zone,
+ dns_rdataclass_t rdclass, dns_name_t *name)
+{
+ dns_db_t *db = NULL;
+ isc_time_t now;
+ isc_result_t result;
+
+ TIME_NOW(&now);
+
+ dns_zone_settype(zone, dns_zone_dlz);
+ result = dns_sdlz_setdb(dlzdatabase, rdclass, name, &db);
+ if (result != ISC_R_SUCCESS)
+ return result;
+ result = dns_zone_dlzpostload(zone, db);
+ dns_db_detach(&db);
+ return result;
+}
+
isc_boolean_t
ns_zone_reusable(dns_zone_t *zone, const cfg_obj_t *zconfig) {
const cfg_obj_t *zoptions = NULL;
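Review bot: In ns_zone_configure_writeable_dlz() the local `now` is filled by `TIME_NOW(&now);` and never read, so `isc_time_t now;` and the `TIME_NOW` line can be dropped. The two `return result;` statements also break the `return (result);` convention used everywhere else in this file. Note too that `dns_zone_settype(zone, dns_zone_dlz)` runs before `dns_sdlz_setdb()` can fail, so a failed call leaves the zone typed as DLZ; a one-line comment saying whether callers discard the zone on failure would help.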
@@ -1003,7 +1467,17 @@ ns_zone_reusable(dns_zone_t *zone, const cfg_obj_t *zconfig) {
if (zonetype_fromconfig(zoptions) != dns_zone_gettype(zone)) {
dns_zone_log(zone, ISC_LOG_DEBUG(1),
- "not reusable: type mismatch");
+ "not reusable: type mismatch");
+ return (ISC_FALSE);
+ }
+
+ /*
+ * We always reconfigure a static-stub zone for simplicity, assuming
+ * the amount of data to be loaded is small.
+ */
+ if (zonetype_fromconfig(zoptions) == dns_zone_staticstub) {
+ dns_zone_log(zone, ISC_LOG_DEBUG(1),
+ "not reusable: staticstub");
return (ISC_FALSE);
}
diff --git a/contrib/bind9/bin/nsupdate/Makefile.in b/contrib/bind9/bin/nsupdate/Makefile.in
index 4baa11afa3ad..f62ee348663c 100644
--- a/contrib/bind9/bin/nsupdate/Makefile.in
+++ b/contrib/bind9/bin/nsupdate/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2004, 2006-2008, 2012 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2006-2009, 2012 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2000-2002 Internet Software Consortium.
#
# Permission to use, copy, modify, and/or distribute this software for any
@@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id$
+# $Id: Makefile.in,v 1.36 2009/12/05 23:31:40 each Exp $
srcdir = @srcdir@
VPATH = @srcdir@
@@ -24,7 +24,7 @@ top_srcdir = @top_srcdir@
@BIND9_MAKE_INCLUDES@
CINCLUDES = ${LWRES_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES} \
- ${ISC_INCLUDES} @DST_GSSAPI_INC@
+ ${ISC_INCLUDES} ${ISCCFG_INCLUDES} @DST_GSSAPI_INC@
CDEFINES = @USE_GSSAPI@
CWARNINGS =
@@ -33,6 +33,7 @@ LWRESLIBS = ../../lib/lwres/liblwres.@A@
DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
BIND9LIBS = ../../lib/bind9/libbind9.@A@
ISCLIBS = ../../lib/isc/libisc.@A@
+ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@
ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
LWRESDEPLIBS = ../../lib/lwres/liblwres.@A@
@@ -43,7 +44,9 @@ ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@
DEPLIBS = ${DNSDEPLIBS} ${BIND9DEPLIBS} ${ISCDEPLIBS} ${ISCCFGDEPLIBS}
-LIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} ${ISCLIBS} ${ISCCFGLIBS} @LIBS@
+LIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} ${ISCCFGLIBS} ${ISCLIBS} @LIBS@
+
+NOSYMLIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} ${ISCCFGLIBS} ${ISCNOSYMLIBS} @LIBS@
SUBDIRS =
@@ -63,8 +66,14 @@ MANOBJS = ${MANPAGES} ${HTMLPAGES}
@BIND9_MAKE_RULES@
+nsupdate.@O@: nsupdate.c
+ ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
+ -DSESSION_KEYFILE=\"${localstatedir}/run/named/session.key\" \
+ -c ${srcdir}/nsupdate.c
+
nsupdate@EXEEXT@: nsupdate.@O@ ${UOBJS} ${DEPLIBS}
- ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ nsupdate.@O@ ${UOBJS} ${LIBS}
+ export BASEOBJS="nsupdate.@O@ ${UOBJS}"; \
+ ${FINALBUILDCMD}
doc man:: ${MANOBJS}
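Review bot: The new `nsupdate.@O@` rule bakes the `-l` session-key path in at compile time as `${localstatedir}/run/named/session.key`, while the nsupdate.1 change in this same commit documents a fixed `/var/run/named/session.key`. On a build where `localstatedir` is not `/var`, the two disagree, and nsupdate will look for the TSIG key somewhere other than the documented place. I would add a comment above the rule, e.g. `# SESSION_KEYFILE must match the path where named writes its session key`, and have the man page refer to the configured path.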
diff --git a/contrib/bind9/bin/nsupdate/nsupdate.1 b/contrib/bind9/bin/nsupdate/nsupdate.1
index 71d1e540112d..58675975233e 100644
--- a/contrib/bind9/bin/nsupdate/nsupdate.1
+++ b/contrib/bind9/bin/nsupdate/nsupdate.1
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004-2010, 2012 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2000-2003 Internet Software Consortium.
.\"
.\" Permission to use, copy, modify, and/or distribute this software for any
@@ -20,11 +20,11 @@
.\" Title: nsupdate
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\" Date: Jun 30, 2000
+.\" Date: Aug 25, 2009
.\" Manual: BIND9
.\" Source: BIND9
.\"
-.TH "NSUPDATE" "1" "Jun 30, 2000" "BIND9" "BIND9"
+.TH "NSUPDATE" "1" "Aug 25, 2009" "BIND9" "BIND9"
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
@@ -33,11 +33,11 @@
nsupdate \- Dynamic DNS update utility
.SH "SYNOPSIS"
.HP 9
-\fBnsupdate\fR [\fB\-d\fR] [\fB\-D\fR] [[\fB\-g\fR] | [\fB\-o\fR] | [\fB\-y\ \fR\fB\fI[hmac:]\fR\fIkeyname:secret\fR\fR] | [\fB\-k\ \fR\fB\fIkeyfile\fR\fR]] [\fB\-t\ \fR\fB\fItimeout\fR\fR] [\fB\-u\ \fR\fB\fIudptimeout\fR\fR] [\fB\-r\ \fR\fB\fIudpretries\fR\fR] [\fB\-R\ \fR\fB\fIrandomdev\fR\fR] [\fB\-v\fR] [filename]
+\fBnsupdate\fR [\fB\-d\fR] [\fB\-D\fR] [[\fB\-g\fR] | [\fB\-o\fR] | [\fB\-l\fR] | [\fB\-y\ \fR\fB\fI[hmac:]\fR\fIkeyname:secret\fR\fR] | [\fB\-k\ \fR\fB\fIkeyfile\fR\fR]] [\fB\-t\ \fR\fB\fItimeout\fR\fR] [\fB\-u\ \fR\fB\fIudptimeout\fR\fR] [\fB\-r\ \fR\fB\fIudpretries\fR\fR] [\fB\-R\ \fR\fB\fIrandomdev\fR\fR] [\fB\-v\fR] [filename]
.SH "DESCRIPTION"
.PP
\fBnsupdate\fR
-is used to submit Dynamic DNS Update requests as defined in RFC2136 to a name server. This allows resource records to be added or removed from a zone without manually editing the zone file. A single update request can contain requests to add or remove more than one resource record.
+is used to submit Dynamic DNS Update requests as defined in RFC 2136 to a name server. This allows resource records to be added or removed from a zone without manually editing the zone file. A single update request can contain requests to add or remove more than one resource record.
.PP
Zones that are under dynamic control via
\fBnsupdate\fR
@@ -60,7 +60,11 @@ option makes
report additional debugging information to
\fB\-d\fR.
.PP
-Transaction signatures can be used to authenticate the Dynamic DNS updates. These use the TSIG resource record type described in RFC2845 or the SIG(0) record described in RFC3535 and RFC2931 or GSS\-TSIG as described in RFC3645. TSIG relies on a shared secret that should only be known to
+The
+\fB\-L\fR
+option with an integer argument of zero or higher sets the logging debug level. If zero, logging is disabled.
+.PP
+Transaction signatures can be used to authenticate the Dynamic DNS updates. These use the TSIG resource record type described in RFC 2845 or the SIG(0) record described in RFC 2535 and RFC 2931 or GSS\-TSIG as described in RFC 3645. TSIG relies on a shared secret that should only be known to
\fBnsupdate\fR
and the name server. Currently, the only supported encryption algorithm for TSIG is HMAC\-MD5, which is defined in RFC 2104. Once other algorithms are defined for TSIG, applications will need to ensure they select the appropriate algorithm as well as the key when authenticating each other. For instance, suitable
\fBkey\fR
@@ -71,22 +75,22 @@ statements would be added to
so that the name server can associate the appropriate secret key and algorithm with the IP address of the client application that will be using TSIG authentication. SIG(0) uses public key cryptography. To use a SIG(0) key, the public key must be stored in a KEY record in a zone served by the name server.
\fBnsupdate\fR
does not read
-\fI/etc/named.conf\fR. GSS\-TSIG uses Kerberos credentials.
+\fI/etc/named.conf\fR.
+.PP
+GSS\-TSIG uses Kerberos credentials. Standard GSS\-TSIG mode is switched on with the
+\fB\-g\fR
+flag. A non\-standards\-compliant variant of GSS\-TSIG used by Windows 2000 can be switched on with the
+\fB\-o\fR
+flag.
.PP
\fBnsupdate\fR
uses the
\fB\-y\fR
or
\fB\-k\fR
-option to provide the shared secret needed to generate a TSIG record for authenticating Dynamic DNS update requests, default type HMAC\-MD5. These options are mutually exclusive. With the
-\fB\-k\fR
-option,
-\fBnsupdate\fR
-reads the shared secret from the file
-\fIkeyfile\fR, whose name is of the form
-\fIK{name}.+157.+{random}.private\fR. For historical reasons, the file
-\fIK{name}.+157.+{random}.key\fR
-must also be present. When the
+option to provide the shared secret needed to generate a TSIG record for authenticating Dynamic DNS update requests, default type HMAC\-MD5. These options are mutually exclusive.
+.PP
+When the
\fB\-y\fR
option is used, a signature is generated from
[\fIhmac:\fR]\fIkeyname:secret.\fR
@@ -99,17 +103,37 @@ option is discouraged because the shared secret is supplied as a command line ar
\fBps\fR(1)
or in a history file maintained by the user's shell.
.PP
-The
+With the
+\fB\-k\fR
+option,
+\fBnsupdate\fR
+reads the shared secret from the file
+\fIkeyfile\fR. Keyfiles may be in two formats: a single file containing a
+\fInamed.conf\fR\-format
+\fBkey\fR
+statement, which may be generated automatically by
+\fBddns\-confgen\fR, or a pair of files whose names are of the format
+\fIK{name}.+157.+{random}.key\fR
+and
+\fIK{name}.+157.+{random}.private\fR, which can be generated by
+\fBdnssec\-keygen\fR. The
\fB\-k\fR
may also be used to specify a SIG(0) key used to authenticate Dynamic DNS update requests. In this case, the key specified is not an HMAC\-MD5 key.
.PP
-The
-\fB\-g\fR
-and
-\fB\-o\fR
-specify that GSS\-TSIG is to be used. The
-\fB\-o\fR
-should only be used with old Microsoft Windows 2000 servers.
+\fBnsupdate\fR
+can be run in a local\-host only mode using the
+\fB\-l\fR
+flag. This sets the server address to localhost (disabling the
+\fBserver\fR
+so that the server address cannot be overridden). Connections to the local server will use a TSIG key found in
+\fI/var/run/named/session.key\fR, which is automatically generated by
+\fBnamed\fR
+if any local master zone has set
+\fBupdate\-policy\fR
+to
+\fBlocal\fR. The location of this key file can be overridden with the
+\fB\-k\fR
+option.
.PP
By default,
\fBnsupdate\fR
@@ -120,6 +144,10 @@ option makes
use a TCP connection. This may be preferable when a batch of update requests is made.
.PP
The
+\fB\-p\fR
+sets the default port number to use for connections to a name server. The default is 53.
+.PP
+The
\fB\-t\fR
option sets the maximum time an update request can take before it is aborted. The default is 300 seconds. Zero can be used to disable the timeout.
.PP
@@ -367,7 +395,7 @@ with IP address 172.16.1.1 is added. The newly\-added record has a 1 day TTL (86
.sp
.PP
The prerequisite condition gets the name server to check that there are no resource records of any type for
-\fBnickname.example.com\fR. If there are, the update request fails. If this name does not exist, a CNAME for it is added. This ensures that when the CNAME is added, it cannot conflict with the long\-standing rule in RFC1034 that a name must not exist as any other record type if it exists as a CNAME. (The rule has been updated for DNSSEC in RFC2535 to allow CNAMEs to have RRSIG, DNSKEY and NSEC records.)
+\fBnickname.example.com\fR. If there are, the update request fails. If this name does not exist, a CNAME for it is added. This ensures that when the CNAME is added, it cannot conflict with the long\-standing rule in RFC 1034 that a name must not exist as any other record type if it exists as a CNAME. (The rule has been updated for DNSSEC in RFC 2535 to allow CNAMEs to have RRSIG, DNSKEY and NSEC records.)
.SH "FILES"
.PP
\fB/etc/resolv.conf\fR
@@ -375,6 +403,11 @@ The prerequisite condition gets the name server to check that there are no resou
used to identify default name server
.RE
.PP
+\fB/var/run/named/session.key\fR
+.RS 4
+sets the default TSIG key for use in local\-only mode
+.RE
+.PP
\fBK{name}.+157.+{random}.key\fR
.RS 4
base\-64 encoding of HMAC\-MD5 key created by
@@ -388,20 +421,21 @@ base\-64 encoding of HMAC\-MD5 key created by
.RE
.SH "SEE ALSO"
.PP
-\fBRFC2136\fR(),
-\fBRFC3007\fR(),
-\fBRFC2104\fR(),
-\fBRFC2845\fR(),
-\fBRFC1034\fR(),
-\fBRFC2535\fR(),
-\fBRFC2931\fR(),
+RFC 2136,
+RFC 3007,
+RFC 2104,
+RFC 2845,
+RFC 1034,
+RFC 2535,
+RFC 2931,
\fBnamed\fR(8),
+\fBddns\-confgen\fR(8),
\fBdnssec\-keygen\fR(8).
.SH "BUGS"
.PP
The TSIG key is redundantly stored in two separate files. This is a consequence of nsupdate using the DST library for its cryptographic operations, and may change in future releases.
.SH "COPYRIGHT"
-Copyright \(co 2004\-2010, 2012 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004\-2010 Internet Systems Consortium, Inc. ("ISC")
.br
Copyright \(co 2000\-2003 Internet Software Consortium.
.br
diff --git a/contrib/bind9/bin/nsupdate/nsupdate.c b/contrib/bind9/bin/nsupdate/nsupdate.c
index 5f25d3c68848..1f5e3e96c9ef 100644
--- a/contrib/bind9/bin/nsupdate/nsupdate.c
+++ b/contrib/bind9/bin/nsupdate/nsupdate.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: nsupdate.c,v 1.193.12.4 2011/11/03 04:30:09 each Exp $ */
/*! \file */
@@ -33,6 +33,7 @@
#include <isc/commandline.h>
#include <isc/entropy.h>
#include <isc/event.h>
+#include <isc/file.h>
#include <isc/hash.h>
#include <isc/lex.h>
#include <isc/log.h>
@@ -50,6 +51,8 @@
#include <isc/types.h>
#include <isc/util.h>
+#include <isccfg/namedconf.h>
+
#include <dns/callbacks.h>
#include <dns/dispatch.h>
#include <dns/dnssec.h>
@@ -78,6 +81,7 @@
#ifdef GSSAPI
#include <dst/gssapi.h>
+#include ISC_PLATFORM_KRB5HEADER
#endif
#include <bind9/getaddresses.h>
@@ -106,6 +110,8 @@ extern int h_errno;
#define DNSDEFAULTPORT 53
+static isc_uint16_t dnsport = DNSDEFAULTPORT;
+
#ifndef RESOLV_CONF
#define RESOLV_CONF "/etc/resolv.conf"
#endif
@@ -119,6 +125,7 @@ static isc_boolean_t usevc = ISC_FALSE;
static isc_boolean_t usegsstsig = ISC_FALSE;
static isc_boolean_t use_win2k_gsstsig = ISC_FALSE;
static isc_boolean_t tried_other_gsstsig = ISC_FALSE;
+static isc_boolean_t local_only = ISC_FALSE;
static isc_taskmgr_t *taskmgr = NULL;
static isc_task_t *global_task = NULL;
static isc_event_t *global_event = NULL;
@@ -138,7 +145,7 @@ static dns_name_t tmpzonename;
static dns_name_t restart_master;
static dns_tsig_keyring_t *gssring = NULL;
static dns_tsigkey_t *tsigkey = NULL;
-static dst_key_t *sig0key;
+static dst_key_t *sig0key = NULL;
static lwres_context_t *lwctx = NULL;
static lwres_conf_t *lwconf;
static isc_sockaddr_t *servers;
@@ -148,7 +155,8 @@ static isc_sockaddr_t *userserver = NULL;
static isc_sockaddr_t *localaddr = NULL;
static isc_sockaddr_t *serveraddr = NULL;
static isc_sockaddr_t tempaddr;
-static char *keystr = NULL, *keyfile = NULL;
+static const char *keyfile = NULL;
+static char *keystr = NULL;
static isc_entropy_t *entropy = NULL;
static isc_boolean_t shuttingdown = ISC_FALSE;
static FILE *input;
@@ -174,6 +182,7 @@ typedef struct nsu_requestinfo {
static void
sendrequest(isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr,
dns_message_t *msg, dns_request_t **request);
+
ISC_PLATFORM_NORETURN_PRE static void
fatal(const char *format, ...)
ISC_FORMAT_PRINTF(1, 2) ISC_PLATFORM_NORETURN_POST;
@@ -407,7 +416,7 @@ reset_system(void) {
if (tsigkey != NULL)
dns_tsigkey_detach(&tsigkey);
if (gssring != NULL)
- dns_tsigkeyring_destroy(&gssring);
+ dns_tsigkeyring_detach(&gssring);
tried_other_gsstsig = ISC_FALSE;
}
}
@@ -480,6 +489,19 @@ parse_hmac(dns_name_t **hmac, const char *hmacstr, size_t len) {
return (digestbits);
}
+static int
+basenamelen(const char *file) {
+ int len = strlen(file);
+
+ if (len > 1 && file[len - 1] == '.')
+ len -= 1;
+ else if (len > 8 && strcmp(file + len - 8, ".private") == 0)
+ len -= 8;
+ else if (len > 4 && strcmp(file + len - 4, ".key") == 0)
+ len -= 4;
+ return (len);
+}
+
static void
setup_keystr(void) {
unsigned char *secret = NULL;
@@ -521,8 +543,7 @@ setup_keystr(void) {
isc_buffer_add(&keynamesrc, n - name);
debug("namefromtext");
- result = dns_name_fromtext(keyname, &keynamesrc, dns_rootname,
- ISC_FALSE, NULL);
+ result = dns_name_fromtext(keyname, &keynamesrc, dns_rootname, 0, NULL);
check_result(result, "dns_name_fromtext");
secretlen = strlen(secretstr) * 3 / 4;
@@ -554,21 +575,67 @@ setup_keystr(void) {
isc_mem_free(mctx, secret);
}
-static int
-basenamelen(const char *file) {
- int len = strlen(file);
+/*
+ * Get a key from a named.conf format keyfile
+ */
+static isc_result_t
+read_sessionkey(isc_mem_t *mctx, isc_log_t *lctx) {
+ cfg_parser_t *pctx = NULL;
+ cfg_obj_t *sessionkey = NULL;
+ const cfg_obj_t *key = NULL;
+ const cfg_obj_t *secretobj = NULL;
+ const cfg_obj_t *algorithmobj = NULL;
+ const char *keyname;
+ const char *secretstr;
+ const char *algorithm;
+ isc_result_t result;
+ int len;
- if (len > 1 && file[len - 1] == '.')
- len -= 1;
- else if (len > 8 && strcmp(file + len - 8, ".private") == 0)
- len -= 8;
- else if (len > 4 && strcmp(file + len - 4, ".key") == 0)
- len -= 4;
- return (len);
+ if (! isc_file_exists(keyfile))
+ return (ISC_R_FILENOTFOUND);
+
+ result = cfg_parser_create(mctx, lctx, &pctx);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+
+ result = cfg_parse_file(pctx, keyfile, &cfg_type_sessionkey,
+ &sessionkey);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+
+ result = cfg_map_get(sessionkey, "key", &key);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+
+ (void) cfg_map_get(key, "secret", &secretobj);
+ (void) cfg_map_get(key, "algorithm", &algorithmobj);
+ if (secretobj == NULL || algorithmobj == NULL)
+ fatal("key must have algorithm and secret");
+
+ keyname = cfg_obj_asstring(cfg_map_getname(key));
+ secretstr = cfg_obj_asstring(secretobj);
+ algorithm = cfg_obj_asstring(algorithmobj);
+
+ len = strlen(algorithm) + strlen(keyname) + strlen(secretstr) + 3;
+ keystr = isc_mem_allocate(mctx, len);
+ snprintf(keystr, len, "%s:%s:%s", algorithm, keyname, secretstr);
+ setup_keystr();
+
+ cleanup:
+ if (pctx != NULL) {
+ if (sessionkey != NULL)
+ cfg_obj_destroy(pctx, &sessionkey);
+ cfg_parser_destroy(&pctx);
+ }
+
+ if (keystr != NULL)
+ isc_mem_free(mctx, keystr);
+
+ return (result);
}
static void
-setup_keyfile(void) {
+setup_keyfile(isc_mem_t *mctx, isc_log_t *lctx) {
dst_key_t *dstkey = NULL;
isc_result_t result;
dns_name_t *hmacname = NULL;
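Review bot: In read_sessionkey() the result of `keystr = isc_mem_allocate(mctx, len);` is passed to `snprintf()` unchecked. The `userserver` allocation added to parse_args() in this commit is followed by `fatal("out of memory")`, so add `if (keystr == NULL) fatal("out of memory");` here as well. The buffer also holds the TSIG secret in clear text and is released at `cleanup:` without being wiped; whether the allocator scrubs freed memory is not visible here, so consider clearing it before `isc_mem_free()`. The header comment should also say that the function reads the global `keyfile` and installs the key through the global `keystr` and `setup_keystr()`.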
@@ -578,15 +645,25 @@ setup_keyfile(void) {
if (sig0key != NULL)
dst_key_free(&sig0key);
- result = dst_key_fromnamedfile(keyfile,
+ /* Try reading the key from a K* pair */
+ result = dst_key_fromnamedfile(keyfile, NULL,
DST_TYPE_PRIVATE | DST_TYPE_KEY, mctx,
&dstkey);
+
+ /* If that didn't work, try reading it as a session.key keyfile */
+ if (result != ISC_R_SUCCESS) {
+ result = read_sessionkey(mctx, lctx);
+ if (result == ISC_R_SUCCESS)
+ return;
+ }
+
if (result != ISC_R_SUCCESS) {
fprintf(stderr, "could not read key from %.*s.{private,key}: "
"%s\n", basenamelen(keyfile), keyfile,
isc_result_totext(result));
return;
}
+
switch (dst_key_alg(dstkey)) {
case DST_ALG_HMACMD5:
hmacname = DNS_TSIG_HMACMD5_NAME;
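Review bot: The session-key fallback in setup_keyfile() overwrites `result`, so when both attempts fail the message `could not read key from %.*s.{private,key}` reports the read_sessionkey() error, not the one from `dst_key_fromnamedfile()`. For a K* key pair named without an extension, that is likely to be the `ISC_R_FILENOTFOUND` from the `isc_file_exists()` test, which hides the real cause. Keep the second result in its own variable, e.g. `isc_result_t skresult = read_sessionkey(mctx, lctx);` followed by `if (skresult == ISC_R_SUCCESS) return;`. The rest of setup_keyfile() lies outside this hunk.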
@@ -749,7 +826,7 @@ setup_system(void) {
if (servers == NULL)
fatal("out of memory");
localhost.s_addr = htonl(INADDR_LOOPBACK);
- isc_sockaddr_fromin(&servers[0], &localhost, DNSDEFAULTPORT);
+ isc_sockaddr_fromin(&servers[0], &localhost, dnsport);
} else {
servers = isc_mem_get(mctx, ns_total * sizeof(isc_sockaddr_t));
if (servers == NULL)
@@ -758,12 +835,12 @@ setup_system(void) {
if (lwconf->nameservers[i].family == LWRES_ADDRTYPE_V4) {
struct in_addr in4;
memcpy(&in4, lwconf->nameservers[i].address, 4);
- isc_sockaddr_fromin(&servers[i], &in4, DNSDEFAULTPORT);
+ isc_sockaddr_fromin(&servers[i], &in4, dnsport);
} else {
struct in6_addr in6;
memcpy(&in6, lwconf->nameservers[i].address, 16);
isc_sockaddr_fromin6(&servers[i], &in6,
- DNSDEFAULTPORT);
+ dnsport);
}
}
}
@@ -830,8 +907,13 @@ setup_system(void) {
if (keystr != NULL)
setup_keystr();
- else if (keyfile != NULL)
- setup_keyfile();
+ else if (local_only) {
+ result = read_sessionkey(mctx, lctx);
+ if (result != ISC_R_SUCCESS)
+ fatal("can't read key from %s: %s\n",
+ keyfile, isc_result_totext(result));
+ } else if (keyfile != NULL)
+ setup_keyfile(mctx, lctx);
}
static void
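Review bot: The new `fatal("can't read key from %s: %s\n", ...)` call ends its format with `\n`, unlike the other `fatal()` calls visible in this diff (`"out of memory"`, `"key must have algorithm and secret"`), so it probably prints a doubled newline. The branch order also means a `-y` key silently takes precedence over the session key when `-l` is given. A short comment such as `/* -y overrides the session key in local-only mode */` would make that explicit. setup_system() begins outside this hunk.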
@@ -848,7 +930,7 @@ get_address(char *host, in_port_t port, isc_sockaddr_t *sockaddr) {
INSIST(count == 1);
}
-#define PARSE_ARGS_FMT "dDMl:y:govk:rR::t:u:"
+#define PARSE_ARGS_FMT "dDML:y:ghlovk:p:rR::t:u:"
static void
pre_parse_args(int argc, char **argv) {
@@ -865,10 +947,11 @@ pre_parse_args(int argc, char **argv) {
break;
case '?':
+ case 'h':
if (isc_commandline_option != '?')
fprintf(stderr, "%s: invalid argument -%c\n",
argv[0], isc_commandline_option);
- fprintf(stderr, "usage: nsupdate [-d] "
+ fprintf(stderr, "usage: nsupdate [-dD] [-L level] [-l]"
"[-g | -o | -y keyname:secret | -k keyfile] "
"[-v] [filename]\n");
exit(1);
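Review bot: The new usage string has no space after `[-l]`, so the concatenated literals print `[-l][-g | -o ...`; the first literal should end `[-l] "`. The usage line also omits the `-p port` option this commit adds to `PARSE_ARGS_FMT`. Because `case 'h':` falls into the `isc_commandline_option != '?'` test, `-h` will presumably print `invalid argument -h` before the usage text; guarding with `if (isc_commandline_option != '?' && isc_commandline_option != 'h')` avoids that. pre_parse_args() starts and ends outside this hunk.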
@@ -900,6 +983,9 @@ parse_args(int argc, char **argv, isc_mem_t *mctx, isc_entropy_t **ectx) {
case 'M':
break;
case 'l':
+ local_only = ISC_TRUE;
+ break;
+ case 'L':
result = isc_parse_uint32(&i, isc_commandline_argument,
10);
if (result != ISC_R_SUCCESS) {
@@ -926,6 +1012,15 @@ parse_args(int argc, char **argv, isc_mem_t *mctx, isc_entropy_t **ectx) {
usegsstsig = ISC_TRUE;
use_win2k_gsstsig = ISC_TRUE;
break;
+ case 'p':
+ result = isc_parse_uint16(&dnsport,
+ isc_commandline_argument, 10);
+ if (result != ISC_R_SUCCESS) {
+ fprintf(stderr, "bad port number "
+ "'%s'\n", isc_commandline_argument);
+ exit(1);
+ }
+ break;
case 't':
result = isc_parse_uint32(&timeout,
isc_commandline_argument, 10);
@@ -971,6 +1066,22 @@ parse_args(int argc, char **argv, isc_mem_t *mctx, isc_entropy_t **ectx) {
exit(1);
}
+ if (local_only) {
+ struct in_addr localhost;
+
+ if (keyfile == NULL)
+ keyfile = SESSION_KEYFILE;
+
+ if (userserver == NULL) {
+ userserver = isc_mem_get(mctx, sizeof(isc_sockaddr_t));
+ if (userserver == NULL)
+ fatal("out of memory");
+ }
+
+ localhost.s_addr = htonl(INADDR_LOOPBACK);
+ isc_sockaddr_fromin(userserver, &localhost, dnsport);
+ }
+
#ifdef GSSAPI
if (usegsstsig && (keyfile != NULL || keystr != NULL)) {
fprintf(stderr, "%s: cannot specify -g with -k or -y\n",
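Review bot: The local-only block sets `keyfile = SESSION_KEYFILE` before the GSSAPI check that follows it, so `nsupdate -l -g` now hits `usegsstsig && (keyfile != NULL || keystr != NULL)`. The user then sees `cannot specify -g with -k or -y` although neither option was given. Either test the combination explicitly before assigning the default, e.g. `if (local_only && usegsstsig) { fprintf(stderr, "%s: cannot specify -l with -g or -o\n", argv[0]); exit(1); }`, or mention `-l` in the existing message. The block also pins the server to the IPv4 loopback only, which deserves a one-line comment for hosts where named listens only on `::1`.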
@@ -979,7 +1090,7 @@ parse_args(int argc, char **argv, isc_mem_t *mctx, isc_entropy_t **ectx) {
}
#else
if (usegsstsig) {
- fprintf(stderr, "%s: cannot specify -g or -o, " \
+ fprintf(stderr, "%s: cannot specify -g or -o, " \
"program not linked with GSS API Library\n",
argv[0]);
exit(1);
@@ -1025,8 +1136,7 @@ parse_name(char **cmdlinep, dns_message_t *msg, dns_name_t **namep) {
dns_message_takebuffer(msg, &namebuf);
isc_buffer_init(&source, word, strlen(word));
isc_buffer_add(&source, strlen(word));
- result = dns_name_fromtext(*namep, &source, dns_rootname,
- ISC_FALSE, NULL);
+ result = dns_name_fromtext(*namep, &source, dns_rootname, 0, NULL);
check_result(result, "dns_name_fromtext");
isc_buffer_invalidate(&source);
return (STATUS_MORE);
@@ -1233,6 +1343,11 @@ evaluate_server(char *cmdline) {
char *word, *server;
long port;
+ if (local_only) {
+ fprintf(stderr, "cannot reset server in localhost-only mode\n");
+ return (STATUS_SYNTAX);
+ }
+
word = nsu_strsep(&cmdline, " \t\r\n");
if (word == NULL || *word == 0) {
fprintf(stderr, "could not read server name\n");
@@ -1242,7 +1357,7 @@ evaluate_server(char *cmdline) {
word = nsu_strsep(&cmdline, " \t\r\n");
if (word == NULL || *word == 0)
- port = DNSDEFAULTPORT;
+ port = dnsport;
else {
char *endp;
port = strtol(word, &endp, 10);
@@ -1348,7 +1463,7 @@ evaluate_key(char *cmdline) {
isc_buffer_init(&b, namestr, strlen(namestr));
isc_buffer_add(&b, strlen(namestr));
- result = dns_name_fromtext(keyname, &b, dns_rootname, ISC_FALSE, NULL);
+ result = dns_name_fromtext(keyname, &b, dns_rootname, 0, NULL);
if (result != ISC_R_SUCCESS) {
fprintf(stderr, "could not parse key name\n");
return (STATUS_SYNTAX);
@@ -1405,8 +1520,7 @@ evaluate_zone(char *cmdline) {
userzone = dns_fixedname_name(&fuserzone);
isc_buffer_init(&b, word, strlen(word));
isc_buffer_add(&b, strlen(word));
- result = dns_name_fromtext(userzone, &b, dns_rootname, ISC_FALSE,
- NULL);
+ result = dns_name_fromtext(userzone, &b, dns_rootname, 0, NULL);
if (result != ISC_R_SUCCESS) {
userzone = NULL; /* Lest it point to an invalid name */
fprintf(stderr, "could not parse zone name\n");
@@ -1866,9 +1980,9 @@ get_next_command(void) {
"server address [port] (set master server for zone)\n"
"send (send the update request)\n"
"show (show the update request)\n"
-"answer (show the answer to the last request)\n"
+"answer (show the answer to the last request)\n"
"quit (quit, any pending update is not sent\n"
-"help (display this message_\n"
+"help (display this message_\n"
"key [hmac:]keyname secret (use TSIG to sign the request)\n"
"gsstsig (use GSS_TSIG to sign the request)\n"
"oldgsstsig (use Microsoft's GSS_TSIG to sign the request)\n"
@@ -2029,7 +2143,7 @@ send_update(dns_name_t *zonename, isc_sockaddr_t *master,
{
isc_result_t result;
dns_request_t *request = NULL;
- unsigned int options = 0;
+ unsigned int options = DNS_REQUESTOPT_CASE;
ddebug("send_update()");
@@ -2264,7 +2378,7 @@ recvsoa(isc_task_t *task, isc_event_t *event) {
result = dns_name_totext(&master, ISC_TRUE, &buf);
check_result(result, "dns_name_totext");
serverstr[isc_buffer_usedlength(&buf)] = 0;
- get_address(serverstr, DNSDEFAULTPORT, &tempaddr);
+ get_address(serverstr, dnsport, &tempaddr);
serveraddr = &tempaddr;
}
dns_rdata_freestruct(&soa);
@@ -2335,9 +2449,60 @@ sendrequest(isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr,
}
#ifdef GSSAPI
+
+/*
+ * Get the realm from the users kerberos ticket if possible
+ */
static void
-start_gssrequest(dns_name_t *master)
+get_ticket_realm(isc_mem_t *mctx)
{
+ krb5_context ctx;
+ krb5_error_code rc;
+ krb5_ccache ccache;
+ krb5_principal princ;
+ char *name, *ticket_realm;
+
+ rc = krb5_init_context(&ctx);
+ if (rc != 0)
+ return;
+
+ rc = krb5_cc_default(ctx, &ccache);
+ if (rc != 0) {
+ krb5_free_context(ctx);
+ return;
+ }
+
+ rc = krb5_cc_get_principal(ctx, ccache, &princ);
+ if (rc != 0) {
+ krb5_cc_close(ctx, ccache);
+ krb5_free_context(ctx);
+ return;
+ }
+
+ rc = krb5_unparse_name(ctx, princ, &name);
+ if (rc != 0) {
+ krb5_free_principal(ctx, princ);
+ krb5_cc_close(ctx, ccache);
+ krb5_free_context(ctx);
+ return;
+ }
+
+ ticket_realm = strrchr(name, '@');
+ if (ticket_realm != NULL) {
+ realm = isc_mem_strdup(mctx, ticket_realm);
+ }
+
+ free(name);
+ krb5_free_principal(ctx, princ);
+ krb5_cc_close(ctx, ccache);
+ krb5_free_context(ctx);
+ if (realm != NULL && debugging)
+ fprintf(stderr, "Found realm from ticket: %s\n", realm+1);
+}
+
+
+static void
+start_gssrequest(dns_name_t *master) {
gss_ctx_id_t context;
isc_buffer_t buf;
isc_result_t result;
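Review bot: get_ticket_realm() releases the string returned by `krb5_unparse_name()` with plain `free(name);`. The Kerberos API provides `krb5_free_unparsed_name(ctx, name);` for this, and it keeps the allocation and release in the same library. The stored `realm` deliberately keeps the leading `@` (the debug print uses `realm+1`, and the `"DNS/%s%s"` format later relies on it), so the header comment should say so. The four hand-unrolled error ladders would also read better as a single `cleanup:` label, in the style read_sessionkey() uses in this same commit. start_gssrequest() continues beyond this hunk.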
@@ -2348,12 +2513,13 @@ start_gssrequest(dns_name_t *master)
dns_fixedname_t fname;
char namestr[DNS_NAME_FORMATSIZE];
char keystr[DNS_NAME_FORMATSIZE];
+ char *err_message = NULL;
debug("start_gssrequest");
usevc = ISC_TRUE;
if (gssring != NULL)
- dns_tsigkeyring_destroy(&gssring);
+ dns_tsigkeyring_detach(&gssring);
gssring = NULL;
result = dns_tsigkeyring_create(mctx, &gssring);
@@ -2368,13 +2534,16 @@ start_gssrequest(dns_name_t *master)
fatal("out of memory");
}
if (userserver == NULL)
- get_address(namestr, DNSDEFAULTPORT, kserver);
+ get_address(namestr, dnsport, kserver);
else
(void)memcpy(kserver, userserver, sizeof(isc_sockaddr_t));
dns_fixedname_init(&fname);
servname = dns_fixedname_name(&fname);
+ if (realm == NULL)
+ get_ticket_realm(mctx);
+
result = isc_string_printf(servicename, sizeof(servicename),
"DNS/%s%s", namestr, realm ? realm : "");
if (result != ISC_R_SUCCESS)
@@ -2382,8 +2551,7 @@ start_gssrequest(dns_name_t *master)
isc_result_totext(result));
isc_buffer_init(&buf, servicename, strlen(servicename));
isc_buffer_add(&buf, strlen(servicename));
- result = dns_name_fromtext(servname, &buf, dns_rootname,
- ISC_FALSE, NULL);
+ result = dns_name_fromtext(servname, &buf, dns_rootname, 0, NULL);
if (result != ISC_R_SUCCESS)
fatal("dns_name_fromtext(servname) failed: %s",
isc_result_totext(result));
@@ -2400,8 +2568,7 @@ start_gssrequest(dns_name_t *master)
isc_buffer_init(&buf, keystr, strlen(keystr));
isc_buffer_add(&buf, strlen(keystr));
- result = dns_name_fromtext(keyname, &buf, dns_rootname,
- ISC_FALSE, NULL);
+ result = dns_name_fromtext(keyname, &buf, dns_rootname, 0, NULL);
if (result != ISC_R_SUCCESS)
fatal("dns_name_fromtext(keyname) failed: %s",
isc_result_totext(result));
@@ -2418,9 +2585,11 @@ start_gssrequest(dns_name_t *master)
/* Build first request. */
context = GSS_C_NO_CONTEXT;
result = dns_tkey_buildgssquery(rmsg, keyname, servname, NULL, 0,
- &context, use_win2k_gsstsig);
+ &context, use_win2k_gsstsig,
+ mctx, &err_message);
if (result == ISC_R_FAILURE)
- fatal("Check your Kerberos ticket, it may have expired.");
+ fatal("tkey query failed: %s",
+ err_message != NULL ? err_message : "unknown error");
if (result != ISC_R_SUCCESS)
fatal("dns_tkey_buildgssquery failed: %s",
isc_result_totext(result));
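Review bot: `err_message` is printed only when `result == ISC_R_FAILURE`; the `fatal("dns_tkey_buildgssquery failed: %s", ...)` branch right after it drops the text, so any GSS-API detail returned with another result code is lost. It could be reported there as well, e.g. `fatal("dns_tkey_buildgssquery failed: %s %s", isc_result_totext(result), err_message != NULL ? err_message : "");`, which is the form the later recvgss hunk uses. Nothing in this hunk releases `err_message` when the call succeeds; `mctx` is passed alongside it, which suggests the caller owns the string, but that should be confirmed against dns_tkey_buildgssquery. The same ownership question applies to the `&err_message` argument added to dns_tkey_gssnegotiate in recvgss, which presumably runs more than once per negotiation.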
@@ -2469,6 +2638,7 @@ recvgss(isc_task_t *task, isc_event_t *event) {
isc_buffer_t buf;
dns_name_t *servname;
dns_fixedname_t fname;
+ char *err_message = NULL;
UNUSED(task);
@@ -2551,14 +2721,14 @@ recvgss(isc_task_t *task, isc_event_t *event) {
servname = dns_fixedname_name(&fname);
isc_buffer_init(&buf, servicename, strlen(servicename));
isc_buffer_add(&buf, strlen(servicename));
- result = dns_name_fromtext(servname, &buf, dns_rootname,
- ISC_FALSE, NULL);
+ result = dns_name_fromtext(servname, &buf, dns_rootname, 0, NULL);
check_result(result, "dns_name_fromtext");
tsigkey = NULL;
result = dns_tkey_gssnegotiate(tsigquery, rcvmsg, servname,
&context, &tsigkey, gssring,
- use_win2k_gsstsig);
+ use_win2k_gsstsig,
+ &err_message);
switch (result) {
case DNS_R_CONTINUE:
@@ -2601,7 +2771,9 @@ recvgss(isc_task_t *task, isc_event_t *event) {
break;
default:
- fatal("dns_tkey_negotiategss: %s", isc_result_totext(result));
+ fatal("dns_tkey_negotiategss: %s %s",
+ isc_result_totext(result),
+ err_message != NULL ? err_message : "");
}
done:
@@ -2711,8 +2883,8 @@ cleanup(void) {
dns_tsigkey_detach(&tsigkey);
}
if (gssring != NULL) {
- ddebug("Destroying GSS-TSIG keyring");
- dns_tsigkeyring_destroy(&gssring);
+ ddebug("Detaching GSS-TSIG keyring");
+ dns_tsigkeyring_detach(&gssring);
}
if (kserver != NULL) {
isc_mem_put(mctx, kserver, sizeof(isc_sockaddr_t));
diff --git a/contrib/bind9/bin/nsupdate/nsupdate.docbook b/contrib/bind9/bin/nsupdate/nsupdate.docbook
index a0c71d608692..6378df7a7f1e 100644
--- a/contrib/bind9/bin/nsupdate/nsupdate.docbook
+++ b/contrib/bind9/bin/nsupdate/nsupdate.docbook
@@ -2,7 +2,7 @@
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- - Copyright (C) 2004-2010, 2012 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@@ -18,10 +18,10 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id$ -->
+<!-- $Id: nsupdate.docbook,v 1.44 2010/07/09 23:46:51 tbox Exp $ -->
<refentry id="man.nsupdate">
<refentryinfo>
- <date>Jun 30, 2000</date>
+ <date>Aug 25, 2009</date>
</refentryinfo>
<refmeta>
<refentrytitle><application>nsupdate</application></refentrytitle>
@@ -42,7 +42,6 @@
<year>2008</year>
<year>2009</year>
<year>2010</year>
- <year>2012</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
<copyright>
@@ -62,6 +61,7 @@
<group>
<arg><option>-g</option></arg>
<arg><option>-o</option></arg>
+ <arg><option>-l</option></arg>
<arg><option>-y <replaceable class="parameter"><optional>hmac:</optional>keyname:secret</replaceable></option></arg>
<arg><option>-k <replaceable class="parameter">keyfile</replaceable></option></arg>
</group>
@@ -77,7 +77,7 @@
<refsect1>
<title>DESCRIPTION</title>
<para><command>nsupdate</command>
- is used to submit Dynamic DNS Update requests as defined in RFC2136
+ is used to submit Dynamic DNS Update requests as defined in RFC 2136
to a name server.
This allows resource records to be added or removed from a zone
without manually editing the zone file.
@@ -113,10 +113,14 @@
report additional debugging information to <option>-d</option>.
</para>
<para>
+ The <option>-L</option> option with an integer argument of zero or
+ higher sets the logging debug level. If zero, logging is disabled.
+ </para>
+ <para>
Transaction signatures can be used to authenticate the Dynamic
DNS updates. These use the TSIG resource record type described
- in RFC2845 or the SIG(0) record described in RFC3535 and
- RFC2931 or GSS-TSIG as described in RFC3645. TSIG relies on
+ in RFC 2845 or the SIG(0) record described in RFC 2535 and
+ RFC 2931 or GSS-TSIG as described in RFC 3645. TSIG relies on
a shared secret that should only be known to
<command>nsupdate</command> and the name server. Currently,
the only supported encryption algorithm for TSIG is HMAC-MD5,
@@ -133,46 +137,61 @@
record in a zone served by the name server.
<command>nsupdate</command> does not read
<filename>/etc/named.conf</filename>.
- GSS-TSIG uses Kerberos credentials.
+ </para>
+ <para>
+ GSS-TSIG uses Kerberos credentials. Standard GSS-TSIG mode
+ is switched on with the <option>-g</option> flag. A
+ non-standards-compliant variant of GSS-TSIG used by Windows
+ 2000 can be switched on with the <option>-o</option> flag.
</para>
<para><command>nsupdate</command>
uses the <option>-y</option> or <option>-k</option> option
to provide the shared secret needed to generate a TSIG record
for authenticating Dynamic DNS update requests, default type
- HMAC-MD5. These options are mutually exclusive. With the
- <option>-k</option> option, <command>nsupdate</command> reads
- the shared secret from the file <parameter>keyfile</parameter>,
- whose name is of the form
- <filename>K{name}.+157.+{random}.private</filename>. For
- historical reasons, the file
- <filename>K{name}.+157.+{random}.key</filename> must also be
- present. When the <option>-y</option> option is used, a
- signature is generated from
+ HMAC-MD5. These options are mutually exclusive.
+ </para>
+ <para>
+ When the <option>-y</option> option is used, a signature is
+ generated from
<optional><parameter>hmac:</parameter></optional><parameter>keyname:secret.</parameter>
<parameter>keyname</parameter> is the name of the key, and
- <parameter>secret</parameter> is the base64 encoded shared
- secret. Use of the <option>-y</option> option is discouraged
- because the shared secret is supplied as a command line
- argument in clear text. This may be visible in the output
- from
+ <parameter>secret</parameter> is the base64 encoded shared secret.
+ Use of the <option>-y</option> option is discouraged because the
+ shared secret is supplied as a command line argument in clear text.
+ This may be visible in the output from
<citerefentry>
- <refentrytitle>ps</refentrytitle><manvolnum>1</manvolnum>
- </citerefentry> or in a history file maintained by the user's
- shell.
+ <refentrytitle>ps</refentrytitle><manvolnum>1</manvolnum>
+ </citerefentry>
+ or in a history file maintained by the user's shell.
</para>
<para>
+ With the
+ <option>-k</option> option, <command>nsupdate</command> reads
+ the shared secret from the file <parameter>keyfile</parameter>.
+ Keyfiles may be in two formats: a single file containing
+ a <filename>named.conf</filename>-format <command>key</command>
+ statement, which may be generated automatically by
+ <command>ddns-confgen</command>, or a pair of files whose names are
+ of the format <filename>K{name}.+157.+{random}.key</filename> and
+ <filename>K{name}.+157.+{random}.private</filename>, which can be
+ generated by <command>dnssec-keygen</command>.
The <option>-k</option> may also be used to specify a SIG(0) key used
to authenticate Dynamic DNS update requests. In this case, the key
specified is not an HMAC-MD5 key.
</para>
<para>
- The <option>-g</option> and <option>-o</option> specify that
- GSS-TSIG is to be used. The <option>-o</option> should only
- be used with old Microsoft Windows 2000 servers.
+ <command>nsupdate</command> can be run in a local-host only mode
+ using the <option>-l</option> flag. This sets the server address to
+ localhost (disabling the <command>server</command> so that the server
+ address cannot be overridden). Connections to the local server will
+ use a TSIG key found in <filename>/var/run/named/session.key</filename>,
+ which is automatically generated by <command>named</command> if any
+ local master zone has set <command>update-policy</command> to
+ <command>local</command>. The location of this key file can be
+ overridden with the <option>-k</option> option.
</para>
<para>
- By default,
- <command>nsupdate</command>
+ By default, <command>nsupdate</command>
uses UDP to send update requests to the name server unless they are too
large to fit in a UDP request in which case TCP will be used.
The
@@ -183,6 +202,10 @@
This may be preferable when a batch of update requests is made.
</para>
<para>
+ The <option>-p</option> sets the default port number to use for
+ connections to a name server. The default is 53.
+ </para>
+ <para>
The <option>-t</option> option sets the maximum time an update request
can
take before it is aborted. The default is 300 seconds. Zero can be
@@ -651,9 +674,9 @@
If there are, the update request fails.
If this name does not exist, a CNAME for it is added.
This ensures that when the CNAME is added, it cannot conflict with the
- long-standing rule in RFC1034 that a name must not exist as any other
+ long-standing rule in RFC 1034 that a name must not exist as any other
record type if it exists as a CNAME.
- (The rule has been updated for DNSSEC in RFC2535 to allow CNAMEs to have
+ (The rule has been updated for DNSSEC in RFC 2535 to allow CNAMEs to have
RRSIG, DNSKEY and NSEC records.)
</para>
</refsect1>
@@ -672,6 +695,15 @@
</varlistentry>
<varlistentry>
+ <term><constant>/var/run/named/session.key</constant></term>
+ <listitem>
+ <para>
+ sets the default TSIG key for use in local-only mode
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term><constant>K{name}.+157.+{random}.key</constant></term>
<listitem>
<para>
@@ -700,36 +732,26 @@
<refsect1>
<title>SEE ALSO</title>
- <para><citerefentry>
- <refentrytitle>RFC2136</refentrytitle>
- </citerefentry>,
- <citerefentry>
- <refentrytitle>RFC3007</refentrytitle>
- </citerefentry>,
- <citerefentry>
- <refentrytitle>RFC2104</refentrytitle>
- </citerefentry>,
- <citerefentry>
- <refentrytitle>RFC2845</refentrytitle>
- </citerefentry>,
- <citerefentry>
- <refentrytitle>RFC1034</refentrytitle>
- </citerefentry>,
- <citerefentry>
- <refentrytitle>RFC2535</refentrytitle>
- </citerefentry>,
+ <para>
+ <citetitle>RFC 2136</citetitle>,
+ <citetitle>RFC 3007</citetitle>,
+ <citetitle>RFC 2104</citetitle>,
+ <citetitle>RFC 2845</citetitle>,
+ <citetitle>RFC 1034</citetitle>,
+ <citetitle>RFC 2535</citetitle>,
+ <citetitle>RFC 2931</citetitle>,
<citerefentry>
- <refentrytitle>RFC2931</refentrytitle>
+ <refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
- <refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
+ <refentrytitle>ddns-confgen</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>.
</para>
-
</refsect1>
+
<refsect1>
<title>BUGS</title>
<para>
diff --git a/contrib/bind9/bin/nsupdate/nsupdate.html b/contrib/bind9/bin/nsupdate/nsupdate.html
index 731f94ef11f5..5c108e374611 100644
--- a/contrib/bind9/bin/nsupdate/nsupdate.html
+++ b/contrib/bind9/bin/nsupdate/nsupdate.html
@@ -1,5 +1,5 @@
<!--
- - Copyright (C) 2004-2010, 2012 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@@ -29,12 +29,12 @@
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">nsupdate</code> [<code class="option">-d</code>] [<code class="option">-D</code>] [[<code class="option">-g</code>] | [<code class="option">-o</code>] | [<code class="option">-y <em class="replaceable"><code>[<span class="optional">hmac:</span>]keyname:secret</code></em></code>] | [<code class="option">-k <em class="replaceable"><code>keyfile</code></em></code>]] [<code class="option">-t <em class="replaceable"><code>timeout</code></em></code>] [<code class="option">-u <em class="replaceable"><code>udptimeout</code></em></code>] [<code class="option">-r <em class="replaceable"><code>udpretries</code></em></code>] [<code class="option">-R <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-v</code>] [filename]</p></div>
+<div class="cmdsynopsis"><p><code class="command">nsupdate</code> [<code class="option">-d</code>] [<code class="option">-D</code>] [[<code class="option">-g</code>] | [<code class="option">-o</code>] | [<code class="option">-l</code>] | [<code class="option">-y <em class="replaceable"><code>[<span class="optional">hmac:</span>]keyname:secret</code></em></code>] | [<code class="option">-k <em class="replaceable"><code>keyfile</code></em></code>]] [<code class="option">-t <em class="replaceable"><code>timeout</code></em></code>] [<code class="option">-u <em class="replaceable"><code>udptimeout</code></em></code>] [<code class="option">-r <em class="replaceable"><code>udpretries</code></em></code>] [<code class="option">-R <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-v</code>] [filename]</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543456"></a><h2>DESCRIPTION</h2>
+<a name="id2543459"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">nsupdate</strong></span>
- is used to submit Dynamic DNS Update requests as defined in RFC2136
+ is used to submit Dynamic DNS Update requests as defined in RFC 2136
to a name server.
This allows resource records to be added or removed from a zone
without manually editing the zone file.
@@ -70,10 +70,14 @@
report additional debugging information to <code class="option">-d</code>.
</p>
<p>
+ The <code class="option">-L</code> option with an integer argument of zero or
+ higher sets the logging debug level. If zero, logging is disabled.
+ </p>
+<p>
Transaction signatures can be used to authenticate the Dynamic
DNS updates. These use the TSIG resource record type described
- in RFC2845 or the SIG(0) record described in RFC3535 and
- RFC2931 or GSS-TSIG as described in RFC3645. TSIG relies on
+ in RFC 2845 or the SIG(0) record described in RFC 2535 and
+ RFC 2931 or GSS-TSIG as described in RFC 3645. TSIG relies on
a shared secret that should only be known to
<span><strong class="command">nsupdate</strong></span> and the name server. Currently,
the only supported encryption algorithm for TSIG is HMAC-MD5,
@@ -90,44 +94,59 @@
record in a zone served by the name server.
<span><strong class="command">nsupdate</strong></span> does not read
<code class="filename">/etc/named.conf</code>.
- GSS-TSIG uses Kerberos credentials.
+ </p>
+<p>
+ GSS-TSIG uses Kerberos credentials. Standard GSS-TSIG mode
+ is switched on with the <code class="option">-g</code> flag. A
+ non-standards-compliant variant of GSS-TSIG used by Windows
+ 2000 can be switched on with the <code class="option">-o</code> flag.
</p>
<p><span><strong class="command">nsupdate</strong></span>
uses the <code class="option">-y</code> or <code class="option">-k</code> option
to provide the shared secret needed to generate a TSIG record
for authenticating Dynamic DNS update requests, default type
- HMAC-MD5. These options are mutually exclusive. With the
- <code class="option">-k</code> option, <span><strong class="command">nsupdate</strong></span> reads
- the shared secret from the file <em class="parameter"><code>keyfile</code></em>,
- whose name is of the form
- <code class="filename">K{name}.+157.+{random}.private</code>. For
- historical reasons, the file
- <code class="filename">K{name}.+157.+{random}.key</code> must also be
- present. When the <code class="option">-y</code> option is used, a
- signature is generated from
+ HMAC-MD5. These options are mutually exclusive.
+ </p>
+<p>
+ When the <code class="option">-y</code> option is used, a signature is
+ generated from
[<span class="optional"><em class="parameter"><code>hmac:</code></em></span>]<em class="parameter"><code>keyname:secret.</code></em>
<em class="parameter"><code>keyname</code></em> is the name of the key, and
- <em class="parameter"><code>secret</code></em> is the base64 encoded shared
- secret. Use of the <code class="option">-y</code> option is discouraged
- because the shared secret is supplied as a command line
- argument in clear text. This may be visible in the output
- from
- <span class="citerefentry"><span class="refentrytitle">ps</span>(1)</span> or in a history file maintained by the user's
- shell.
+ <em class="parameter"><code>secret</code></em> is the base64 encoded shared secret.
+ Use of the <code class="option">-y</code> option is discouraged because the
+ shared secret is supplied as a command line argument in clear text.
+ This may be visible in the output from
+ <span class="citerefentry"><span class="refentrytitle">ps</span>(1)</span>
+ or in a history file maintained by the user's shell.
</p>
<p>
+ With the
+ <code class="option">-k</code> option, <span><strong class="command">nsupdate</strong></span> reads
+ the shared secret from the file <em class="parameter"><code>keyfile</code></em>.
+ Keyfiles may be in two formats: a single file containing
+ a <code class="filename">named.conf</code>-format <span><strong class="command">key</strong></span>
+ statement, which may be generated automatically by
+ <span><strong class="command">ddns-confgen</strong></span>, or a pair of files whose names are
+ of the format <code class="filename">K{name}.+157.+{random}.key</code> and
+ <code class="filename">K{name}.+157.+{random}.private</code>, which can be
+ generated by <span><strong class="command">dnssec-keygen</strong></span>.
The <code class="option">-k</code> may also be used to specify a SIG(0) key used
to authenticate Dynamic DNS update requests. In this case, the key
specified is not an HMAC-MD5 key.
</p>
<p>
- The <code class="option">-g</code> and <code class="option">-o</code> specify that
- GSS-TSIG is to be used. The <code class="option">-o</code> should only
- be used with old Microsoft Windows 2000 servers.
+ <span><strong class="command">nsupdate</strong></span> can be run in a local-host only mode
+ using the <code class="option">-l</code> flag. This sets the server address to
+ localhost (disabling the <span><strong class="command">server</strong></span> so that the server
+ address cannot be overridden). Connections to the local server will
+ use a TSIG key found in <code class="filename">/var/run/named/session.key</code>,
+ which is automatically generated by <span><strong class="command">named</strong></span> if any
+ local master zone has set <span><strong class="command">update-policy</strong></span> to
+ <span><strong class="command">local</strong></span>. The location of this key file can be
+ overridden with the <code class="option">-k</code> option.
</p>
<p>
- By default,
- <span><strong class="command">nsupdate</strong></span>
+ By default, <span><strong class="command">nsupdate</strong></span>
uses UDP to send update requests to the name server unless they are too
large to fit in a UDP request in which case TCP will be used.
The
@@ -138,6 +157,10 @@
This may be preferable when a batch of update requests is made.
</p>
<p>
+ The <code class="option">-p</code> sets the default port number to use for
+ connections to a name server. The default is 53.
+ </p>
+<p>
The <code class="option">-t</code> option sets the maximum time an update request
can
take before it is aborted. The default is 300 seconds. Zero can be
@@ -169,7 +192,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543733"></a><h2>INPUT FORMAT</h2>
+<a name="id2543790"></a><h2>INPUT FORMAT</h2>
<p><span><strong class="command">nsupdate</strong></span>
reads input from
<em class="parameter"><code>filename</code></em>
@@ -457,7 +480,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2544645"></a><h2>EXAMPLES</h2>
+<a name="id2544702"></a><h2>EXAMPLES</h2>
<p>
The examples below show how
<span><strong class="command">nsupdate</strong></span>
@@ -504,19 +527,23 @@
If there are, the update request fails.
If this name does not exist, a CNAME for it is added.
This ensures that when the CNAME is added, it cannot conflict with the
- long-standing rule in RFC1034 that a name must not exist as any other
+ long-standing rule in RFC 1034 that a name must not exist as any other
record type if it exists as a CNAME.
- (The rule has been updated for DNSSEC in RFC2535 to allow CNAMEs to have
+ (The rule has been updated for DNSSEC in RFC 2535 to allow CNAMEs to have
RRSIG, DNSKEY and NSEC records.)
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2544689"></a><h2>FILES</h2>
+<a name="id2544746"></a><h2>FILES</h2>
<div class="variablelist"><dl>
<dt><span class="term"><code class="constant">/etc/resolv.conf</code></span></dt>
<dd><p>
used to identify default name server
</p></dd>
+<dt><span class="term"><code class="constant">/var/run/named/session.key</code></span></dt>
+<dd><p>
+ sets the default TSIG key for use in local-only mode
+ </p></dd>
<dt><span class="term"><code class="constant">K{name}.+157.+{random}.key</code></span></dt>
<dd><p>
base-64 encoding of HMAC-MD5 key created by
@@ -530,20 +557,22 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2544758"></a><h2>SEE ALSO</h2>
-<p><span class="citerefentry"><span class="refentrytitle">RFC2136</span></span>,
- <span class="citerefentry"><span class="refentrytitle">RFC3007</span></span>,
- <span class="citerefentry"><span class="refentrytitle">RFC2104</span></span>,
- <span class="citerefentry"><span class="refentrytitle">RFC2845</span></span>,
- <span class="citerefentry"><span class="refentrytitle">RFC1034</span></span>,
- <span class="citerefentry"><span class="refentrytitle">RFC2535</span></span>,
- <span class="citerefentry"><span class="refentrytitle">RFC2931</span></span>,
+<a name="id2544829"></a><h2>SEE ALSO</h2>
+<p>
+ <em class="citetitle">RFC 2136</em>,
+ <em class="citetitle">RFC 3007</em>,
+ <em class="citetitle">RFC 2104</em>,
+ <em class="citetitle">RFC 2845</em>,
+ <em class="citetitle">RFC 1034</em>,
+ <em class="citetitle">RFC 2535</em>,
+ <em class="citetitle">RFC 2931</em>,
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
+ <span class="citerefentry"><span class="refentrytitle">ddns-confgen</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2542166"></a><h2>BUGS</h2>
+<a name="id2542156"></a><h2>BUGS</h2>
<p>
The TSIG key is redundantly stored in two separate files.
This is a consequence of nsupdate using the DST library
diff --git a/contrib/bind9/bin/rndc/Makefile.in b/contrib/bind9/bin/rndc/Makefile.in
index fc43f9bca336..f6100df9e16c 100644
--- a/contrib/bind9/bin/rndc/Makefile.in
+++ b/contrib/bind9/bin/rndc/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2004, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007, 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2000-2002 Internet Software Consortium.
#
# Permission to use, copy, modify, and/or distribute this software for any
@@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id$
+# $Id: Makefile.in,v 1.49 2009/12/05 23:31:40 each Exp $
srcdir = @srcdir@
VPATH = @srcdir@
@@ -32,6 +32,7 @@ CWARNINGS =
ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
ISCCCLIBS = ../../lib/isccc/libisccc.@A@
ISCLIBS = ../../lib/isc/libisc.@A@
+ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@
DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
BIND9LIBS = ../../lib/bind9/libbind9.@A@
@@ -41,26 +42,23 @@ ISCDEPLIBS = ../../lib/isc/libisc.@A@
DNSDEPLIBS = ../../lib/dns/libdns.@A@
BIND9DEPLIBS = ../../lib/bind9/libbind9.@A@
-RNDCLIBS = ${ISCCFGLIBS} ${ISCCCLIBS} ${BIND9LIBS} ${DNSLIBS} ${ISCLIBS} @LIBS@
+LIBS = ${ISCLIBS} @LIBS@
+NOSYMLIBS = ${ISCNOSYMLIBS} @LIBS@
+
RNDCDEPLIBS = ${ISCCFGDEPLIBS} ${ISCCCDEPLIBS} ${BIND9DEPLIBS} ${DNSDEPLIBS} ${ISCDEPLIBS}
-CONFLIBS = ${DNSLIBS} ${ISCLIBS} @LIBS@
CONFDEPLIBS = ${DNSDEPLIBS} ${ISCDEPLIBS}
-SRCS= rndc.c rndc-confgen.c
-
-SUBDIRS = unix
+SRCS= rndc.c
-TARGETS = rndc@EXEEXT@ rndc-confgen@EXEEXT@
+TARGETS = rndc@EXEEXT@
-MANPAGES = rndc.8 rndc-confgen.8 rndc.conf.5
+MANPAGES = rndc.8 rndc.conf.5
-HTMLPAGES = rndc.html rndc-confgen.html rndc.conf.html
+HTMLPAGES = rndc.html rndc.conf.html
MANOBJS = ${MANPAGES} ${HTMLPAGES}
-UOBJS = unix/os.@O@
-
@BIND9_MAKE_RULES@
rndc.@O@: rndc.c
@@ -70,18 +68,10 @@ rndc.@O@: rndc.c
-DRNDC_KEYFILE=\"${sysconfdir}/rndc.key\" \
-c ${srcdir}/rndc.c
-rndc-confgen.@O@: rndc-confgen.c
- ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
- -DRNDC_KEYFILE=\"${sysconfdir}/rndc.key\" \
- -c ${srcdir}/rndc-confgen.c
-
rndc@EXEEXT@: rndc.@O@ util.@O@ ${RNDCDEPLIBS}
- ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ rndc.@O@ util.@O@ \
- ${RNDCLIBS}
-
-rndc-confgen@EXEEXT@: rndc-confgen.@O@ util.@O@ ${UOBJS} ${CONFDEPLIBS}
- ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ rndc-confgen.@O@ util.@O@ \
- ${UOBJS} ${CONFLIBS}
+ export BASEOBJS="rndc.@O@ util.@O@"; \
+ export LIBS0="${ISCCFGLIBS} ${ISCCCLIBS} ${BIND9LIBS} ${DNSLIBS}"; \
+ ${FINALBUILDCMD}
doc man:: ${MANOBJS}
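Review bot: The rndc link recipe now passes its inputs to `${FINALBUILDCMD}` through exported shell variables chained with `;`, and nothing in this file says where that command is defined or which variables it reads. A comment above the rule would make it reviewable, e.g. `# FINALBUILDCMD (from the included make rules) links $@ from BASEOBJS, LIBS0, LIBS and NOSYMLIBS`; that wording is inferred from the names and should be checked against the definition. The old command's explicit `${PURIFY}`, `${CFLAGS}` and `${LDFLAGS}` no longer appear here, so it is worth confirming that FINALBUILDCMD still applies them, since `LDFLAGS` is where link-time hardening options usually arrive.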
@@ -93,11 +83,9 @@ installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man5
-install:: rndc@EXEEXT@ rndc-confgen@EXEEXT@ installdirs
+install:: rndc@EXEEXT@ installdirs
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} rndc@EXEEXT@ ${DESTDIR}${sbindir}
- ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} rndc-confgen@EXEEXT@ ${DESTDIR}${sbindir}
${INSTALL_DATA} ${srcdir}/rndc.8 ${DESTDIR}${mandir}/man8
- ${INSTALL_DATA} ${srcdir}/rndc-confgen.8 ${DESTDIR}${mandir}/man8
${INSTALL_DATA} ${srcdir}/rndc.conf.5 ${DESTDIR}${mandir}/man5
clean distclean maintainer-clean::
diff --git a/contrib/bind9/bin/rndc/include/rndc/os.h b/contrib/bind9/bin/rndc/include/rndc/os.h
index 03029f15bc9c..3f2c7767e859 100644
--- a/contrib/bind9/bin/rndc/include/rndc/os.h
+++ b/contrib/bind9/bin/rndc/include/rndc/os.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2007, 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: os.h,v 1.12 2009/06/10 00:27:21 each Exp $ */
/*! \file */
@@ -27,12 +27,6 @@
ISC_LANG_BEGINDECLS
-FILE *safe_create(const char *filename);
-/*%<
- * Open 'filename' for writing, truncate if necessary. If the file was
- * created ensure that only the owner can read/write it.
- */
-
int set_user(FILE *fd, const char *user);
/*%<
* Set the owner of the file referenced by 'fd' to 'user'.
diff --git a/contrib/bind9/bin/rndc/rndc.c b/contrib/bind9/bin/rndc/rndc.c
index 4e68c55057ca..5811cfa141fa 100644
--- a/contrib/bind9/bin/rndc/rndc.c
+++ b/contrib/bind9/bin/rndc/rndc.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2009, 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: rndc.c,v 1.131.20.3 2011/11/03 22:06:31 each Exp $ */
/*! \file */
@@ -79,6 +79,7 @@ static unsigned char databuf[2048];
static isccc_ccmsg_t ccmsg;
static isccc_region_t secret;
static isc_boolean_t failed = ISC_FALSE;
+static isc_boolean_t c_flag = ISC_FALSE;
static isc_mem_t *mctx;
static int sends, recvs, connects;
static char *command;
@@ -116,10 +117,16 @@ command is one of the following:\n\
notify zone [class [view]]\n\
Resend NOTIFY messages for the zone.\n\
reconfig Reload configuration file and new zones only.\n\
+ sign zone [class [view]]\n\
+ Update zone keys, and sign as needed.\n\
+ loadkeys zone [class [view]]\n\
+ Update keys without signing immediately.\n\
stats Write server statistics to the statistics file.\n\
querylog Toggle query logging.\n\
dumpdb [-all|-cache|-zones] [view ...]\n\
Dump cache(s) to the dump file (named_dump.db).\n\
+ secroots [view ...]\n\
+ Write security roots to the secroots file.\n\
stop Save pending updates to master files and stop the server.\n\
stop -p Save pending updates to master files and stop the server\n\
reporting process id.\n\
@@ -137,10 +144,14 @@ command is one of the following:\n\
recursing Dump the queries that are currently recursing (named.recursing)\n\
tsig-list List all currently active TSIG keys, including both statically\n\
configured and TKEY-negotiated keys.\n\
- tsig-delete keyname [view]\n\
+ tsig-delete keyname [view] \n\
Delete a TKEY-negotiated TSIG key.\n\
validation newstate [view]\n\
Enable / disable DNSSEC validation.\n\
+ addzone [\"file\"] zone [class [view]] { zone-options }\n\
+ Add zone to given view. Requires new-zone-file option.\n\
+ delzone [\"file\"] zone [class [view]]\n\
+ Removes zone from given view. Requires new-zone-file option.\n\
*restart Restart the server.\n\
\n\
* == not yet implemented\n\
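Review bot: The changed `tsig-delete keyname [view] \n\` line gains a trailing space before the newline escape, which looks accidental and will show up in the usage output; `tsig-delete keyname [view]\n\` keeps the previous form. The two new entries also mix moods ("Add zone to given view" and "Removes zone from given view"); using "Remove" would match the rest of the list. The usage string starts and ends outside this hunk.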
@@ -462,6 +473,10 @@ parse_config(isc_mem_t *mctx, isc_log_t *log, const char *keyname,
fatal("neither %s nor %s was found",
admin_conffile, admin_keyfile);
key_only = ISC_TRUE;
+ } else if (! c_flag && isc_file_exists(admin_keyfile)) {
+ fprintf(stderr, "WARNING: key file (%s) exists, but using "
+ "default configuration file (%s)\n",
+ admin_keyfile, admin_conffile);
}
DO("create parser", cfg_parser_create(mctx, log, pctxp));
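Review bot: The new `else if (! c_flag && isc_file_exists(admin_keyfile))` branch deserves a comment, because it is the only place that tells the operator which file supplies the control-channel key when both exist. Something like `/* Both the default config and the key file exist and -c was not given: say which one is used. */` would do. The message says "default configuration file" but prints `admin_conffile`, which is the default only because of the `c_flag` test, so the two should stay coupled if either changes. The `if` this branch belongs to starts outside the hunk, and whether an explicit `-k` should also suppress the warning cannot be judged from here.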
@@ -716,6 +731,7 @@ main(int argc, char **argv) {
case 'c':
admin_conffile = isc_commandline_argument;
+ c_flag = ISC_TRUE;
break;
case 'k':
diff --git a/contrib/bind9/bin/rndc/rndc.conf.html b/contrib/bind9/bin/rndc/rndc.conf.html
index 5a4b94d06e80..b0f904b2ab37 100644
--- a/contrib/bind9/bin/rndc/rndc.conf.html
+++ b/contrib/bind9/bin/rndc/rndc.conf.html
@@ -32,7 +32,7 @@
<div class="cmdsynopsis"><p><code class="command">rndc.conf</code> </p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543353"></a><h2>DESCRIPTION</h2>
+<a name="id2543354"></a><h2>DESCRIPTION</h2>
<p><code class="filename">rndc.conf</code> is the configuration file
for <span><strong class="command">rndc</strong></span>, the BIND 9 name server control
utility. This file has a similar structure and syntax to
@@ -117,7 +117,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543501"></a><h2>EXAMPLE</h2>
+<a name="id2543502"></a><h2>EXAMPLE</h2>
<pre class="programlisting">
options {
default-server localhost;
@@ -191,7 +191,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543593"></a><h2>NAME SERVER CONFIGURATION</h2>
+<a name="id2543594"></a><h2>NAME SERVER CONFIGURATION</h2>
<p>
The name server must be configured to accept rndc connections and
to recognize the key specified in the <code class="filename">rndc.conf</code>
@@ -201,7 +201,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543614"></a><h2>SEE ALSO</h2>
+<a name="id2543616"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">rndc-confgen</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">mmencode</span>(1)</span>,
@@ -209,7 +209,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543653"></a><h2>AUTHOR</h2>
+<a name="id2543654"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
diff --git a/contrib/bind9/bin/rndc/rndc.html b/contrib/bind9/bin/rndc/rndc.html
index fc86326ba9f6..4195c4e07e9f 100644
--- a/contrib/bind9/bin/rndc/rndc.html
+++ b/contrib/bind9/bin/rndc/rndc.html
@@ -32,7 +32,7 @@
<div class="cmdsynopsis"><p><code class="command">rndc</code> [<code class="option">-b <em class="replaceable"><code>source-address</code></em></code>] [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-k <em class="replaceable"><code>key-file</code></em></code>] [<code class="option">-s <em class="replaceable"><code>server</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-V</code>] [<code class="option">-y <em class="replaceable"><code>key_id</code></em></code>] {command}</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543414"></a><h2>DESCRIPTION</h2>
+<a name="id2543415"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">rndc</strong></span>
controls the operation of a name
server. It supersedes the <span><strong class="command">ndc</strong></span> utility
@@ -61,7 +61,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543449"></a><h2>OPTIONS</h2>
+<a name="id2543450"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-b <em class="replaceable"><code>source-address</code></em></span></dt>
<dd><p>
@@ -133,7 +133,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543657"></a><h2>LIMITATIONS</h2>
+<a name="id2543658"></a><h2>LIMITATIONS</h2>
<p><span><strong class="command">rndc</strong></span>
does not yet support all the commands of
the BIND 8 <span><strong class="command">ndc</strong></span> utility.
@@ -147,7 +147,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543684"></a><h2>SEE ALSO</h2>
+<a name="id2543685"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">rndc.conf</span>(5)</span>,
<span class="citerefentry"><span class="refentrytitle">rndc-confgen</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
@@ -157,7 +157,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543739"></a><h2>AUTHOR</h2>
+<a name="id2543740"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
diff --git a/contrib/bind9/bin/rndc/util.h b/contrib/bind9/bin/rndc/util.h
index ba7effbf3366..d7277148ffa7 100644
--- a/contrib/bind9/bin/rndc/util.h
+++ b/contrib/bind9/bin/rndc/util.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2007, 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: util.h,v 1.12 2009/09/29 23:48:03 tbox Exp $ */
#ifndef RNDC_UTIL_H
#define RNDC_UTIL_H 1
@@ -23,9 +23,9 @@
/*! \file */
#include <isc/lang.h>
+#include <isc/platform.h>
#include <isc/formatcheck.h>
-#include <isc/platform.h>
#define NS_CONTROL_PORT 953
diff --git a/contrib/bind9/bin/tools/Makefile.in b/contrib/bind9/bin/tools/Makefile.in
new file mode 100644
index 000000000000..a3960051c252
--- /dev/null
+++ b/contrib/bind9/bin/tools/Makefile.in
@@ -0,0 +1,103 @@
+# Copyright (C) 2009, 2010, 2012 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.13 2010/01/07 23:48:53 tbox Exp $
+
+srcdir = @srcdir@
+VPATH = @srcdir@
+top_srcdir = @top_srcdir@
+
+@BIND9_MAKE_INCLUDES@
+
+CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} ${ISCCFG_INCLUDES} \
+ ${LWRES_INCLUDES} ${OMAPI_INCLUDES}
+
+CDEFINES =
+CWARNINGS =
+
+DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
+ISCLIBS = ../../lib/isc/libisc.@A@ @DNS_CRYPTO_LIBS@
+ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@
+ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
+LWRESLIBS = ../../lib/lwres/liblwres.@A@
+
+DNSDEPLIBS = ../../lib/dns/libdns.@A@
+ISCDEPLIBS = ../../lib/isc/libisc.@A@
+ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@
+LWRESDEPLIBS = ../../lib/lwres/liblwres.@A@
+
+LIBS = ${ISCLIBS} @LIBS@
+NOSYMLIBS = ${ISCNOSYMLIBS} @LIBS@
+
+SUBDIRS =
+
+TARGETS = arpaname@EXEEXT@ named-journalprint@EXEEXT@ nsec3hash@EXEEXT@ \
+ genrandom@EXEEXT@ isc-hmac-fixup@EXEEXT@
+SRCS = arpaname.c named-journalprint.c nsec3hash.c genrandom.c \
+ isc-hmac-fixup.c
+
+MANPAGES = arpaname.1 named-journalprint.8 nsec3hash.8 genrandom.8 \
+ isc-hmac-fixup.8
+HTMLPAGES = arpaname.html named-journalprint.html nsec3hash.html \
+ genrandom.html isc-hmac-fixup.html
+MANOBJS = ${MANPAGES} ${HTMLPAGES}
+
+@BIND9_MAKE_RULES@
+
+arpaname@EXEEXT@: arpaname.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ arpaname.@O@ \
+ ${ISCLIBS} ${LIBS}
+
+named-journalprint@EXEEXT@: named-journalprint.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+ export BASEOBJS="named-journalprint.@O@"; \
+ export LIBS0="${DNSLIBS}"; \
+ ${FINALBUILDCMD}
+
+nsec3hash@EXEEXT@: nsec3hash.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+ export BASEOBJS="nsec3hash.@O@"; \
+ export LIBS0="${DNSLIBS}"; \
+ ${FINALBUILDCMD}
+
+isc-hmac-fixup@EXEEXT@: isc-hmac-fixup.@O@ ${ISCDEPLIBS}
+ export BASEOBJS="isc-hmac-fixup.@O@"; \
+ export LIBS0="${ISCLIBS}"; \
+ ${FINALBUILDCMD}
+
+genrandom@EXEEXT@: genrandom.@O@
+ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ genrandom.@O@ @GENRANDOMLIB@ ${LIBS}
+
+doc man:: ${MANOBJS}
+
+docclean manclean maintainer-clean::
+ rm -f ${MANOBJS}
+
+installdirs:
+ $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
+ $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man1
+ $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
+
+install:: ${TARGETS} installdirs
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} arpaname@EXEEXT@ ${DESTDIR}${sbindir}
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-journalprint@EXEEXT@ ${DESTDIR}${sbindir}
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} nsec3hash@EXEEXT@ ${DESTDIR}${sbindir}
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} genrandom@EXEEXT@ ${DESTDIR}${sbindir}
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} isc-hmac-fixup@EXEEXT@ ${DESTDIR}${sbindir}
+ ${INSTALL_DATA} ${srcdir}/arpaname.1 ${DESTDIR}${mandir}/man1
+ ${INSTALL_DATA} ${srcdir}/isc-hmac-fixup.8 ${DESTDIR}${mandir}/man8
+ ${INSTALL_DATA} ${srcdir}/named-journalprint.8 ${DESTDIR}${mandir}/man8
+ ${INSTALL_DATA} ${srcdir}/nsec3hash.8 ${DESTDIR}${mandir}/man8
+ ${INSTALL_DATA} ${srcdir}/genrandom.8 ${DESTDIR}${mandir}/man8
+
+clean distclean::
+ rm -f ${TARGETS}
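Review bot: The `genrandom@EXEEXT@` rule lists only `genrandom.@O@` as a prerequisite but links `${LIBS}`, which this file defines as `${ISCLIBS} @LIBS@`, so the libisc archive it links is not a declared dependency. The other four targets all name `${ISCDEPLIBS}`. If libisc is rebuilt, or in a parallel build where the library directory is not already finished, genrandom may not be relinked or may link too early. Whether the top-level build order hides this cannot be seen from here. I would change the header to `genrandom@EXEEXT@: genrandom.@O@ ${ISCDEPLIBS}`.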
diff --git a/contrib/bind9/bin/tools/arpaname.1 b/contrib/bind9/bin/tools/arpaname.1
new file mode 100644
index 000000000000..5b582514224f
--- /dev/null
+++ b/contrib/bind9/bin/tools/arpaname.1
@@ -0,0 +1,48 @@
+.\" Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+.\"
+.\" Permission to use, copy, modify, and/or distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+.\" PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\" $Id$
+.\"
+.hy 0
+.ad l
+.\" Title: arpaname
+.\" Author:
+.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
+.\" Date: March 4, 2009
+.\" Manual: BIND9
+.\" Source: BIND9
+.\"
+.TH "ARPANAME" "1" "March 4, 2009" "BIND9" "BIND9"
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.SH "NAME"
+arpaname \- translate IP addresses to the corresponding ARPA names
+.SH "SYNOPSIS"
+.HP 9
+\fBarpaname\fR {\fIipaddress\ \fR...}
+.SH "DESCRIPTION"
+.PP
+\fBarpaname\fR
+translates IP addresses (IPv4 and IPv6) to the corresponding IN\-ADDR.ARPA or IP6.ARPA names.
+.SH "SEE ALSO"
+.PP
+BIND 9 Administrator Reference Manual.
+.SH "AUTHOR"
+.PP
+Internet Systems Consortium
+.SH "COPYRIGHT"
+Copyright \(co 2009 Internet Systems Consortium, Inc. ("ISC")
+.br
diff --git a/contrib/bind9/bin/tools/arpaname.c b/contrib/bind9/bin/tools/arpaname.c
new file mode 100644
index 000000000000..356a883a45da
--- /dev/null
+++ b/contrib/bind9/bin/tools/arpaname.c
@@ -0,0 +1,53 @@
+/*
+ * Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: arpaname.c,v 1.4 2009/10/27 03:05:33 marka Exp $ */
+
+#include "config.h"
+
+#include <isc/net.h>
+
+#include <stdio.h>
+
+#define UNUSED(x) (void)(x)
+
+int
+main(int argc, char *argv[]) {
+ unsigned char buf[16];
+ int i;
+
+ UNUSED(argc);
+
+ while (argv[1]) {
+ if (inet_pton(AF_INET6, argv[1], buf) == 1) {
+ for (i = 15; i >= 0; i--)
+ fprintf(stdout, "%X.%X.", buf[i] & 0xf,
+ (buf[i] >> 4) & 0xf);
+ fprintf(stdout, "IP6.ARPA\n");
+ argv++;
+ continue;
+ }
+ if (inet_pton(AF_INET, argv[1], buf) == 1) {
+ fprintf(stdout, "%u.%u.%u.%u.IN-ADDR.ARPA\n",
+ buf[3], buf[2], buf[1], buf[0]);
+ argv++;
+ continue;
+ }
+ return (1);
+ }
+ fflush(stdout);
+ return(ferror(stdout));
+}
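Review bot: The `return (1);` after the two `inet_pton` attempts exits on the first unparsable argument without printing anything, so a caller passing several addresses cannot tell which one was rejected. A line such as `fprintf(stderr, "arpaname: invalid address: %s\n", argv[1]);` before it would help. `UNUSED(argc)` followed by `while (argv[1])` also assumes `argv[0]` is non-NULL: with an empty argument vector the loop reads past the terminator, which `if (argc < 1) return (1);` at the top would guard. With no addresses at all the program exits 0 silently, although the synopsis marks the argument as required.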
diff --git a/contrib/bind9/bin/tools/arpaname.docbook b/contrib/bind9/bin/tools/arpaname.docbook
new file mode 100644
index 000000000000..6fb3ca29e5a2
--- /dev/null
+++ b/contrib/bind9/bin/tools/arpaname.docbook
@@ -0,0 +1,76 @@
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
+ [<!ENTITY mdash "&#8212;">]>
+<!--
+ - Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ -
+ - Permission to use, copy, modify, and/or distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: arpaname.docbook,v 1.1 2009/03/04 01:30:27 marka Exp $ -->
+<refentry id="man.arpaname">
+ <refentryinfo>
+ <date>March 4, 2009</date>
+ </refentryinfo>
+
+ <refmeta>
+ <refentrytitle><application>arpaname</application></refentrytitle>
+ <manvolnum>1</manvolnum>
+ <refmiscinfo>BIND9</refmiscinfo>
+ </refmeta>
+
+ <refnamediv>
+ <refname><application>arpaname</application></refname>
+ <refpurpose>translate IP addresses to the corresponding ARPA names</refpurpose>
+ </refnamediv>
+
+ <docinfo>
+ <copyright>
+ <year>2009</year>
+ <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
+ </copyright>
+ </docinfo>
+
+ <refsynopsisdiv>
+ <cmdsynopsis>
+ <command>arpaname</command>
+ <arg choice="req" rep="repeat"><replaceable class="parameter">ipaddress </replaceable></arg>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsect1>
+ <title>DESCRIPTION</title>
+ <para>
+ <command>arpaname</command> translates IP addresses (IPv4 and
+ IPv6) to the corresponding IN-ADDR.ARPA or IP6.ARPA names.
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>SEE ALSO</title>
+ <para>
+ <citetitle>BIND 9 Administrator Reference Manual</citetitle>.
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>AUTHOR</title>
+ <para><corpauthor>Internet Systems Consortium</corpauthor>
+ </para>
+ </refsect1>
+
+</refentry><!--
+ - Local variables:
+ - mode: sgml
+ - End:
+-->
diff --git a/contrib/bind9/bin/tools/arpaname.html b/contrib/bind9/bin/tools/arpaname.html
new file mode 100644
index 000000000000..92f46b4f71f6
--- /dev/null
+++ b/contrib/bind9/bin/tools/arpaname.html
@@ -0,0 +1,52 @@
+<!--
+ - Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ -
+ - Permission to use, copy, modify, and/or distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+<!-- $Id$ -->
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>arpaname</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
+<a name="man.arpaname"></a><div class="titlepage"></div>
+<div class="refnamediv">
+<h2>Name</h2>
+<p><span class="application">arpaname</span> &#8212; translate IP addresses to the corresponding ARPA names</p>
+</div>
+<div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+<div class="cmdsynopsis"><p><code class="command">arpaname</code> {<em class="replaceable"><code>ipaddress </code></em>...}</p></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543347"></a><h2>DESCRIPTION</h2>
+<p>
+ <span><strong class="command">arpaname</strong></span> translates IP addresses (IPv4 and
+ IPv6) to the corresponding IN-ADDR.ARPA or IP6.ARPA names.
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543360"></a><h2>SEE ALSO</h2>
+<p>
+ <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543373"></a><h2>AUTHOR</h2>
+<p><span class="corpauthor">Internet Systems Consortium</span>
+ </p>
+</div>
+</div></body>
+</html>
diff --git a/contrib/bind9/bin/tools/genrandom.8 b/contrib/bind9/bin/tools/genrandom.8
new file mode 100644
index 000000000000..38c1ccd67c24
--- /dev/null
+++ b/contrib/bind9/bin/tools/genrandom.8
@@ -0,0 +1,69 @@
+.\" Copyright (C) 2009-2012 Internet Systems Consortium, Inc. ("ISC")
+.\"
+.\" Permission to use, copy, modify, and/or distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+.\" PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\" $Id$
+.\"
+.hy 0
+.ad l
+.\" Title: genrandom
+.\" Author:
+.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
+.\" Date: Feb 19, 2009
+.\" Manual: BIND9
+.\" Source: BIND9
+.\"
+.TH "GENRANDOM" "8" "Feb 19, 2009" "BIND9" "BIND9"
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.SH "NAME"
+genrandom \- generate a file containing random data
+.SH "SYNOPSIS"
+.HP 10
+\fBgenrandom\fR [\fB\-n\ \fR\fB\fInumber\fR\fR] {\fIsize\fR} {\fIfilename\fR}
+.SH "DESCRIPTION"
+.PP
+\fBgenrandom\fR
+generates a file or a set of files containing a specified quantity of pseudo\-random data, which can be used as a source of entropy for other commands on systems with no random device.
+.SH "ARGUMENTS"
+.PP
+\-n \fInumber\fR
+.RS 4
+In place of generating one file, generates
+\fBnumber\fR
+(from 2 to 9) files, appending
+\fBnumber\fR
+to the name.
+.RE
+.PP
+size
+.RS 4
+The size of the file, in kilobytes, to generate.
+.RE
+.PP
+filename
+.RS 4
+The file name into which random data should be written.
+.RE
+.SH "SEE ALSO"
+.PP
+\fBrand\fR(3),
+\fBarc4random\fR(3)
+.SH "AUTHOR"
+.PP
+Internet Systems Consortium
+.SH "COPYRIGHT"
+Copyright \(co 2009\-2012 Internet Systems Consortium, Inc. ("ISC")
+.br
diff --git a/contrib/bind9/bin/tools/genrandom.c b/contrib/bind9/bin/tools/genrandom.c
new file mode 100644
index 000000000000..675e5043d601
--- /dev/null
+++ b/contrib/bind9/bin/tools/genrandom.c
@@ -0,0 +1,136 @@
+/*
+ * Copyright (C) 2004, 2005, 2007, 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000-2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: genrandom.c,v 1.7 2010/05/17 23:51:04 tbox Exp $ */
+
+/*! \file */
+#include <config.h>
+
+#include <isc/commandline.h>
+#include <isc/print.h>
+#include <isc/stdlib.h>
+#include <isc/util.h>
+
+#include <stdio.h>
+#include <string.h>
+
+const char *program = "genrandom";
+
+ISC_PLATFORM_NORETURN_PRE static void
+usage(void) ISC_PLATFORM_NORETURN_POST;
+
+static void
+usage(void) {
+ fprintf(stderr, "usage: %s [-n 2..9] k file\n", program);
+ exit(1);
+}
+
+static void
+generate(char *filename, unsigned int bytes) {
+ FILE *fp;
+
+ fp = fopen(filename, "w");
+ if (fp == NULL) {
+ printf("failed to open %s\n", filename);
+ exit(1);
+ }
+
+ while (bytes > 0) {
+#ifndef HAVE_ARC4RANDOM
+ unsigned short int x = (rand() & 0xFFFF);
+#else
+ unsigned short int x = (arc4random() & 0xFFFF);
+#endif
+ unsigned char c = x & 0xFF;
+ if (putc(c, fp) == EOF) {
+ printf("error writing to %s\n", filename);
+ exit(1);
+ }
+ c = x >> 8;
+ if (putc(c, fp) == EOF) {
+ printf("error writing to %s\n", filename);
+ exit(1);
+ }
+ bytes -= 2;
+ }
+ fclose(fp);
+}
+
+int
+main(int argc, char **argv) {
+ unsigned int bytes;
+ unsigned int k;
+ char *endp;
+ int c, i, n = 1;
+ size_t len;
+ char *name;
+
+ isc_commandline_errprint = ISC_FALSE;
+
+ while ((c = isc_commandline_parse(argc, argv, "hn:")) != EOF) {
+ switch (c) {
+ case 'n':
+ n = strtol(isc_commandline_argument, &endp, 10);
+ if ((*endp != 0) || (n <= 1) || (n > 9))
+ usage();
+ break;
+
+ case '?':
+ if (isc_commandline_option != '?')
+ fprintf(stderr, "%s: invalid argument -%c\n",
+ program, isc_commandline_option);
+ case 'h':
+ usage();
+
+ default:
+ fprintf(stderr, "%s: unhandled option -%c\n",
+ program, isc_commandline_option);
+ exit(1);
+ }
+ }
+
+ if (isc_commandline_index + 2 != argc)
+ usage();
+
+ k = strtoul(argv[isc_commandline_index++], &endp, 10);
+ if (*endp != 0)
+ usage();
+ bytes = k << 10;
+
+#ifndef HAVE_ARC4RANDOM
+ srand(0x12345678);
+#endif
+ if (n == 1) {
+ generate(argv[isc_commandline_index], bytes);
+ return (0);
+ }
+
+ len = strlen(argv[isc_commandline_index]) + 2;
+ name = (char *) malloc(len);
+ if (name == NULL) {
+ perror("malloc");
+ exit(1);
+ }
+
+ for (i = 1; i <= n; i++) {
+ snprintf(name, len, "%s%d", argv[isc_commandline_index], i);
+ generate(name, bytes);
+ }
+ free(name);
+
+ return (0);
+}
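Review bot: In the `#ifndef HAVE_ARC4RANDOM` path, `main` seeds with the constant `srand(0x12345678)` and `generate()` draws from `rand()`, so every run writes the same byte stream, while the accompanying man page describes the output as usable as a source of entropy. A file produced this way is fixed test data and should never feed key generation. I would say so in a comment at the `srand` call and warn at run time, e.g. `fprintf(stderr, "%s: no arc4random(); output is deterministic\n", program);`. Separately, `k = strtoul(...)` narrows into an `unsigned int` and `bytes = k << 10` can wrap, so a large size argument silently yields a smaller file. Calling `usage()` when the parsed value exceeds `UINT_MAX >> 10` would close that. `generate()` also reports its errors with `printf` on stdout and ignores the result of `fclose(fp)`, so a failed final flush goes unnoticed.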
diff --git a/contrib/bind9/bin/tools/genrandom.docbook b/contrib/bind9/bin/tools/genrandom.docbook
new file mode 100644
index 000000000000..730aab99bb56
--- /dev/null
+++ b/contrib/bind9/bin/tools/genrandom.docbook
@@ -0,0 +1,121 @@
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
+ [<!ENTITY mdash "&#8212;">]>
+<!--
+ - Copyright (C) 2009-2012 Internet Systems Consortium, Inc. ("ISC")
+ -
+ - Permission to use, copy, modify, and/or distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id$ -->
+<refentry id="man.genrandom">
+ <refentryinfo>
+ <date>Feb 19, 2009</date>
+ </refentryinfo>
+
+ <refmeta>
+ <refentrytitle><application>genrandom</application></refentrytitle>
+ <manvolnum>8</manvolnum>
+ <refmiscinfo>BIND9</refmiscinfo>
+ </refmeta>
+
+ <refnamediv>
+ <refname><application>genrandom</application></refname>
+ <refpurpose>generate a file containing random data</refpurpose>
+ </refnamediv>
+
+ <docinfo>
+ <copyright>
+ <year>2009</year>
+ <year>2010</year>
+ <year>2011</year>
+ <year>2012</year>
+ <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
+ </copyright>
+ </docinfo>
+
+ <refsynopsisdiv>
+ <cmdsynopsis>
+ <command>genrandom</command>
+ <arg><option>-n <replaceable class="parameter">number</replaceable></option></arg>
+ <arg choice="req"><replaceable class="parameter">size</replaceable></arg>
+ <arg choice="req"><replaceable class="parameter">filename</replaceable></arg>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsect1>
+ <title>DESCRIPTION</title>
+ <para>
+ <command>genrandom</command>
+ generates a file or a set of files containing a specified quantity
+ of pseudo-random data, which can be used as a source of entropy for
+ other commands on systems with no random device.
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>ARGUMENTS</title>
+ <variablelist>
+ <varlistentry>
+ <term>-n <replaceable class="parameter">number</replaceable></term>
+ <listitem>
+ <para>
+ In place of generating one file, generates <option>number</option>
+ (from 2 to 9) files, appending <option>number</option> to the name.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>size</term>
+ <listitem>
+ <para>
+ The size of the file, in kilobytes, to generate.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>filename</term>
+ <listitem>
+ <para>
+ The file name into which random data should be written.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect1>
+
+ <refsect1>
+ <title>SEE ALSO</title>
+ <para>
+ <citerefentry>
+ <refentrytitle>rand</refentrytitle><manvolnum>3</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>arc4random</refentrytitle><manvolnum>3</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>AUTHOR</title>
+ <para><corpauthor>Internet Systems Consortium</corpauthor>
+ </para>
+ </refsect1>
+
+</refentry><!--
+ - Local variables:
+ - mode: sgml
+ - End:
+-->
diff --git a/contrib/bind9/bin/tools/genrandom.html b/contrib/bind9/bin/tools/genrandom.html
new file mode 100644
index 000000000000..f69b7ca2da21
--- /dev/null
+++ b/contrib/bind9/bin/tools/genrandom.html
@@ -0,0 +1,73 @@
+<!--
+ - Copyright (C) 2009-2012 Internet Systems Consortium, Inc. ("ISC")
+ -
+ - Permission to use, copy, modify, and/or distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+<!-- $Id$ -->
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>genrandom</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
+<a name="man.genrandom"></a><div class="titlepage"></div>
+<div class="refnamediv">
+<h2>Name</h2>
+<p><span class="application">genrandom</span> &#8212; generate a file containing random data</p>
+</div>
+<div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+<div class="cmdsynopsis"><p><code class="command">genrandom</code> [<code class="option">-n <em class="replaceable"><code>number</code></em></code>] {<em class="replaceable"><code>size</code></em>} {<em class="replaceable"><code>filename</code></em>}</p></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543370"></a><h2>DESCRIPTION</h2>
+<p>
+ <span><strong class="command">genrandom</strong></span>
+ generates a file or a set of files containing a specified quantity
+ of pseudo-random data, which can be used as a source of entropy for
+ other commands on systems with no random device.
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543383"></a><h2>ARGUMENTS</h2>
+<div class="variablelist"><dl>
+<dt><span class="term">-n <em class="replaceable"><code>number</code></em></span></dt>
+<dd><p>
+ In place of generating one file, generates <code class="option">number</code>
+ (from 2 to 9) files, appending <code class="option">number</code> to the name.
+ </p></dd>
+<dt><span class="term">size</span></dt>
+<dd><p>
+ The size of the file, in kilobytes, to generate.
+ </p></dd>
+<dt><span class="term">filename</span></dt>
+<dd><p>
+ The file name into which random data should be written.
+ </p></dd>
+</dl></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543444"></a><h2>SEE ALSO</h2>
+<p>
+ <span class="citerefentry"><span class="refentrytitle">rand</span>(3)</span>,
+ <span class="citerefentry"><span class="refentrytitle">arc4random</span>(3)</span>
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543470"></a><h2>AUTHOR</h2>
+<p><span class="corpauthor">Internet Systems Consortium</span>
+ </p>
+</div>
+</div></body>
+</html>
diff --git a/contrib/bind9/bin/tools/isc-hmac-fixup.8 b/contrib/bind9/bin/tools/isc-hmac-fixup.8
new file mode 100644
index 000000000000..c02ed03f4fb0
--- /dev/null
+++ b/contrib/bind9/bin/tools/isc-hmac-fixup.8
@@ -0,0 +1,61 @@
+.\" Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+.\"
+.\" Permission to use, copy, modify, and/or distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+.\" PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\" $Id$
+.\"
+.hy 0
+.ad l
+.\" Title: isc\-hmac\-fixup
+.\" Author:
+.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
+.\" Date: January 5, 2010
+.\" Manual: BIND9
+.\" Source: BIND9
+.\"
+.TH "ISC\-HMAC\-FIXUP" "1" "January 5, 2010" "BIND9" "BIND9"
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.SH "NAME"
+isc\-hmac\-fixup \- fixes HMAC keys generated by older versions of BIND
+.SH "SYNOPSIS"
+.HP 15
+\fBisc\-hmac\-fixup\fR {\fIalgorithm\fR} {\fIsecret\fR}
+.SH "DESCRIPTION"
+.PP
+Versions of BIND 9 up to and including BIND 9.6 had a bug causing HMAC\-SHA* TSIG keys which were longer than the digest length of the hash algorithm (i.e., SHA1 keys longer than 160 bits, SHA256 keys longer than 256 bits, etc) to be used incorrectly, generating a message authentication code that was incompatible with other DNS implementations.
+.PP
+This bug has been fixed in BIND 9.7. However, the fix may cause incompatibility between older and newer versions of BIND, when using long keys.
+\fBisc\-hmac\-fixup\fR
+modifies those keys to restore compatibility.
+.PP
+To modify a key, run
+\fBisc\-hmac\-fixup\fR
+and specify the key's algorithm and secret on the command line. If the secret is longer than the digest length of the algorithm (64 bytes for SHA1 through SHA256, or 128 bytes for SHA384 and SHA512), then a new secret will be generated consisting of a hash digest of the old secret. (If the secret did not require conversion, then it will be printed without modification.)
+.SH "SECURITY CONSIDERATIONS"
+.PP
+Secrets that have been converted by
+\fBisc\-hmac\-fixup\fR
+are shortened, but as this is how the HMAC protocol works in operation anyway, it does not affect security. RFC 2104 notes, "Keys longer than [the digest length] are acceptable but the extra length would not significantly increase the function strength."
+.SH "SEE ALSO"
+.PP
+BIND 9 Administrator Reference Manual,
+RFC 2104.
+.SH "AUTHOR"
+.PP
+Internet Systems Consortium
+.SH "COPYRIGHT"
+Copyright \(co 2010 Internet Systems Consortium, Inc. ("ISC")
+.br
diff --git a/contrib/bind9/bin/tools/isc-hmac-fixup.c b/contrib/bind9/bin/tools/isc-hmac-fixup.c
new file mode 100644
index 000000000000..daf391a81cd6
--- /dev/null
+++ b/contrib/bind9/bin/tools/isc-hmac-fixup.c
@@ -0,0 +1,136 @@
+/*
+ * Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: isc-hmac-fixup.c,v 1.4 2010/03/10 02:17:52 marka Exp $ */
+
+#include <config.h>
+
+#include <isc/base64.h>
+#include <isc/buffer.h>
+#include <isc/md5.h>
+#include <isc/region.h>
+#include <isc/result.h>
+#include <isc/sha1.h>
+#include <isc/sha2.h>
+#include <isc/stdio.h>
+#include <isc/string.h>
+
+#define HMAC_LEN 64
+
+int
+main(int argc, char **argv) {
+ isc_buffer_t buf;
+ unsigned char key[1024];
+ char secret[1024];
+ char base64[(1024*4)/3];
+ isc_region_t r;
+ isc_result_t result;
+
+ if (argc != 3) {
+ fprintf(stderr, "Usage:\t%s algorithm secret\n", argv[0]);
+ fprintf(stderr, "\talgorithm: (MD5 | SHA1 | SHA224 | "
+ "SHA256 | SHA384 | SHA512)\n");
+ return (1);
+ }
+
+ isc_buffer_init(&buf, secret, sizeof(secret));
+ result = isc_base64_decodestring(argv[2], &buf);
+ if (result != ISC_R_SUCCESS) {
+ fprintf(stderr, "error: %s\n", isc_result_totext(result));
+ return (1);
+ }
+ isc__buffer_usedregion(&buf, &r);
+
+ if (!strcasecmp(argv[1], "md5") ||
+ !strcasecmp(argv[1], "hmac-md5")) {
+ if (r.length > HMAC_LEN) {
+ isc_md5_t md5ctx;
+ isc_md5_init(&md5ctx);
+ isc_md5_update(&md5ctx, r.base, r.length);
+ isc_md5_final(&md5ctx, key);
+
+ r.base = key;
+ r.length = ISC_MD5_DIGESTLENGTH;
+ }
+ } else if (!strcasecmp(argv[1], "sha1") ||
+ !strcasecmp(argv[1], "hmac-sha1")) {
+ if (r.length > ISC_SHA1_DIGESTLENGTH) {
+ isc_sha1_t sha1ctx;
+ isc_sha1_init(&sha1ctx);
+ isc_sha1_update(&sha1ctx, r.base, r.length);
+ isc_sha1_final(&sha1ctx, key);
+
+ r.base = key;
+ r.length = ISC_SHA1_DIGESTLENGTH;
+ }
+ } else if (!strcasecmp(argv[1], "sha224") ||
+ !strcasecmp(argv[1], "hmac-sha224")) {
+ if (r.length > ISC_SHA224_DIGESTLENGTH) {
+ isc_sha224_t sha224ctx;
+ isc_sha224_init(&sha224ctx);
+ isc_sha224_update(&sha224ctx, r.base, r.length);
+ isc_sha224_final(key, &sha224ctx);
+
+ r.base = key;
+ r.length = ISC_SHA224_DIGESTLENGTH;
+ }
+ } else if (!strcasecmp(argv[1], "sha256") ||
+ !strcasecmp(argv[1], "hmac-sha256")) {
+ if (r.length > ISC_SHA256_DIGESTLENGTH) {
+ isc_sha256_t sha256ctx;
+ isc_sha256_init(&sha256ctx);
+ isc_sha256_update(&sha256ctx, r.base, r.length);
+ isc_sha256_final(key, &sha256ctx);
+
+ r.base = key;
+ r.length = ISC_SHA256_DIGESTLENGTH;
+ }
+ } else if (!strcasecmp(argv[1], "sha384") ||
+ !strcasecmp(argv[1], "hmac-sha384")) {
+ if (r.length > ISC_SHA384_DIGESTLENGTH) {
+ isc_sha384_t sha384ctx;
+ isc_sha384_init(&sha384ctx);
+ isc_sha384_update(&sha384ctx, r.base, r.length);
+ isc_sha384_final(key, &sha384ctx);
+
+ r.base = key;
+ r.length = ISC_SHA384_DIGESTLENGTH;
+ }
+ } else if (!strcasecmp(argv[1], "sha512") ||
+ !strcasecmp(argv[1], "hmac-sha512")) {
+ if (r.length > ISC_SHA512_DIGESTLENGTH) {
+ isc_sha512_t sha512ctx;
+ isc_sha512_init(&sha512ctx);
+ isc_sha512_update(&sha512ctx, r.base, r.length);
+ isc_sha512_final(key, &sha512ctx);
+
+ r.base = key;
+ r.length = ISC_SHA512_DIGESTLENGTH;
+ }
+ } else {
+ fprintf(stderr, "unknown hmac/digest algorithm: %s\n", argv[1]);
+ return (1);
+ }
+
+ isc_buffer_init(&buf, base64, sizeof(base64));
+ result = isc_base64_totext(&r, 0, "", &buf);
+ if (result != ISC_R_SUCCESS) {
+ fprintf(stderr, "error: %s\n", isc_result_totext(result));
+ return (1);
+ }
+ fprintf(stdout, "%.*s\n", (int)isc_buffer_usedlength(&buf), base64);
+ return (0);
+}
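Review bot: The TSIG secret is read from `argv[2]` in the `isc_base64_decodestring(argv[2], &buf)` call, so for as long as the tool runs it is visible to other local users in the process list, and it normally ends up in shell history as well. Accepting `-` as the secret and reading the base64 text from standard input keeps it out of both, as sketched below. Separately, the MD5 branch compares `r.length` against `HMAC_LEN` while the SHA branches compare against the digest length, and the man page added in this commit gives 64 and 128 bytes. A comment above `#define HMAC_LEN 64` stating which threshold each branch intends would remove the doubt.

```c
	char input[2048];
	const char *encoded;

	/* … unchanged: argc check and usage text … */
	encoded = argv[2];
	if (strcmp(argv[2], "-") == 0) {
		/* Read the base64 secret from stdin so it never appears in argv. */
		if (fgets(input, sizeof(input), stdin) == NULL) {
			fprintf(stderr, "error: no secret on standard input\n");
			return (1);
		}
		input[strcspn(input, "\r\n")] = '\0';
		encoded = input;
	}

	isc_buffer_init(&buf, secret, sizeof(secret));
	result = isc_base64_decodestring(encoded, &buf);
	/* … unchanged: result check, per-algorithm hashing, base64 output … */
```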
diff --git a/contrib/bind9/bin/tools/isc-hmac-fixup.docbook b/contrib/bind9/bin/tools/isc-hmac-fixup.docbook
new file mode 100644
index 000000000000..c298a85861d7
--- /dev/null
+++ b/contrib/bind9/bin/tools/isc-hmac-fixup.docbook
@@ -0,0 +1,109 @@
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
+ [<!ENTITY mdash "&#8212;">]>
+<!--
+ - Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+ -
+ - Permission to use, copy, modify, and/or distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: isc-hmac-fixup.docbook,v 1.2 2010/01/07 21:52:11 each Exp $ -->
+<refentry id="man.isc-hmac-fixup">
+ <refentryinfo>
+ <date>January 5, 2010</date>
+ </refentryinfo>
+
+ <refmeta>
+ <refentrytitle><application>isc-hmac-fixup</application></refentrytitle>
+ <manvolnum>1</manvolnum>
+ <refmiscinfo>BIND9</refmiscinfo>
+ </refmeta>
+
+ <refnamediv>
+ <refname><application>isc-hmac-fixup</application></refname>
+ <refpurpose>fixes HMAC keys generated by older versions of BIND</refpurpose>
+ </refnamediv>
+
+ <docinfo>
+ <copyright>
+ <year>2010</year>
+ <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
+ </copyright>
+ </docinfo>
+
+ <refsynopsisdiv>
+ <cmdsynopsis>
+ <command>isc-hmac-fixup</command>
+ <arg choice="req"><replaceable class="parameter">algorithm</replaceable></arg>
+ <arg choice="req"><replaceable class="parameter">secret</replaceable></arg>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsect1>
+ <title>DESCRIPTION</title>
+ <para>
+ Versions of BIND 9 up to and including BIND 9.6 had a bug causing
+ HMAC-SHA* TSIG keys which were longer than the digest length of the
+ hash algorithm (i.e., SHA1 keys longer than 160 bits, SHA256 keys
+ longer than 256 bits, etc) to be used incorrectly, generating a
+ message authentication code that was incompatible with other DNS
+ implementations.
+ </para>
+ <para>
+ This bug has been fixed in BIND 9.7. However, the fix may
+ cause incompatibility between older and newer versions of
+ BIND, when using long keys. <command>isc-hmac-fixup</command>
+ modifies those keys to restore compatibility.
+ </para>
+ <para>
+ To modify a key, run <command>isc-hmac-fixup</command> and
+ specify the key's algorithm and secret on the command line. If the
+ secret is longer than the digest length of the algorithm (64 bytes
+ for SHA1 through SHA256, or 128 bytes for SHA384 and SHA512), then a
+ new secret will be generated consisting of a hash digest of the old
+ secret. (If the secret did not require conversion, then it will be
+ printed without modification.)
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>SECURITY CONSIDERATIONS</title>
+ <para>
+ Secrets that have been converted by <command>isc-hmac-fixup</command>
+ are shortened, but as this is how the HMAC protocol works in
+ operation anyway, it does not affect security. RFC 2104 notes,
+ "Keys longer than [the digest length] are acceptable but the
+ extra length would not significantly increase the function
+ strength."
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>SEE ALSO</title>
+ <para>
+ <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
+ <citetitle>RFC 2104</citetitle>.
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>AUTHOR</title>
+ <para><corpauthor>Internet Systems Consortium</corpauthor>
+ </para>
+ </refsect1>
+
+</refentry><!--
+ - Local variables:
+ - mode: sgml
+ - End:
+-->
diff --git a/contrib/bind9/bin/tools/isc-hmac-fixup.html b/contrib/bind9/bin/tools/isc-hmac-fixup.html
new file mode 100644
index 000000000000..d39ebf0fa166
--- /dev/null
+++ b/contrib/bind9/bin/tools/isc-hmac-fixup.html
@@ -0,0 +1,83 @@
+<!--
+ - Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+ -
+ - Permission to use, copy, modify, and/or distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+<!-- $Id$ -->
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>isc-hmac-fixup</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
+<a name="man.isc-hmac-fixup"></a><div class="titlepage"></div>
+<div class="refnamediv">
+<h2>Name</h2>
+<p><span class="application">isc-hmac-fixup</span> &#8212; fixes HMAC keys generated by older versions of BIND</p>
+</div>
+<div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+<div class="cmdsynopsis"><p><code class="command">isc-hmac-fixup</code> {<em class="replaceable"><code>algorithm</code></em>} {<em class="replaceable"><code>secret</code></em>}</p></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543352"></a><h2>DESCRIPTION</h2>
+<p>
+ Versions of BIND 9 up to and including BIND 9.6 had a bug causing
+ HMAC-SHA* TSIG keys which were longer than the digest length of the
+ hash algorithm (i.e., SHA1 keys longer than 160 bits, SHA256 keys
+ longer than 256 bits, etc) to be used incorrectly, generating a
+ message authentication code that was incompatible with other DNS
+ implementations.
+ </p>
+<p>
+ This bug has been fixed in BIND 9.7. However, the fix may
+ cause incompatibility between older and newer versions of
+ BIND, when using long keys. <span><strong class="command">isc-hmac-fixup</strong></span>
+ modifies those keys to restore compatibility.
+ </p>
+<p>
+ To modify a key, run <span><strong class="command">isc-hmac-fixup</strong></span> and
+ specify the key's algorithm and secret on the command line. If the
+ secret is longer than the digest length of the algorithm (64 bytes
+ for SHA1 through SHA256, or 128 bytes for SHA384 and SHA512), then a
+ new secret will be generated consisting of a hash digest of the old
+ secret. (If the secret did not require conversion, then it will be
+ printed without modification.)
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543376"></a><h2>SECURITY CONSIDERATIONS</h2>
+<p>
+ Secrets that have been converted by <span><strong class="command">isc-hmac-fixup</strong></span>
+ are shortened, but as this is how the HMAC protocol works in
+ operation anyway, it does not affect security. RFC 2104 notes,
+ "Keys longer than [the digest length] are acceptable but the
+ extra length would not significantly increase the function
+ strength."
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543389"></a><h2>SEE ALSO</h2>
+<p>
+ <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
+ <em class="citetitle">RFC 2104</em>.
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543406"></a><h2>AUTHOR</h2>
+<p><span class="corpauthor">Internet Systems Consortium</span>
+ </p>
+</div>
+</div></body>
+</html>
diff --git a/contrib/bind9/bin/tools/named-journalprint.8 b/contrib/bind9/bin/tools/named-journalprint.8
new file mode 100644
index 000000000000..670cd5d3dda0
--- /dev/null
+++ b/contrib/bind9/bin/tools/named-journalprint.8
@@ -0,0 +1,60 @@
+.\" Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+.\"
+.\" Permission to use, copy, modify, and/or distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+.\" PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\" $Id$
+.\"
+.hy 0
+.ad l
+.\" Title: named\-journalprint
+.\" Author:
+.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
+.\" Date: Feb 18, 2009
+.\" Manual: BIND9
+.\" Source: BIND9
+.\"
+.TH "NAMED\-JOURNALPRINT" "8" "Feb 18, 2009" "BIND9" "BIND9"
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.SH "NAME"
+named\-journalprint \- print zone journal in human\-readable form
+.SH "SYNOPSIS"
+.HP 19
+\fBnamed\-journalprint\fR {\fIjournal\fR}
+.SH "DESCRIPTION"
+.PP
+\fBnamed\-journalprint\fR
+prints the contents of a zone journal file in a human\-readable form.
+.PP
+Journal files are automatically created by
+\fBnamed\fR
+when changes are made to dynamic zones (e.g., by
+\fBnsupdate\fR). They record each addition or deletion of a resource record, in binary format, allowing the changes to be re\-applied to the zone when the server is restarted after a shutdown or crash. By default, the name of the journal file is formed by appending the extension
+\fI.jnl\fR
+to the name of the corresponding zone file.
+.PP
+\fBnamed\-journalprint\fR
+converts the contents of a given journal file into a human\-readable text format. Each line begins with "add" or "del", to indicate whether the record was added or deleted, and continues with the resource record in master\-file format.
+.SH "SEE ALSO"
+.PP
+\fBnamed\fR(8),
+\fBnsupdate\fR(8),
+BIND 9 Administrator Reference Manual.
+.SH "AUTHOR"
+.PP
+Internet Systems Consortium
+.SH "COPYRIGHT"
+Copyright \(co 2009 Internet Systems Consortium, Inc. ("ISC")
+.br
diff --git a/contrib/bind9/bin/tools/named-journalprint.c b/contrib/bind9/bin/tools/named-journalprint.c
new file mode 100644
index 000000000000..36d1acd3136d
--- /dev/null
+++ b/contrib/bind9/bin/tools/named-journalprint.c
@@ -0,0 +1,86 @@
+/*
+ * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: named-journalprint.c,v 1.2 2009/12/04 21:59:23 marka Exp $ */
+
+/*! \file */
+#include <config.h>
+
+#include <isc/log.h>
+#include <isc/mem.h>
+#include <isc/util.h>
+
+#include <dns/journal.h>
+#include <dns/log.h>
+#include <dns/result.h>
+#include <dns/types.h>
+
+#include <stdlib.h>
+
+/*
+ * Setup logging to use stderr.
+ */
+static isc_result_t
+setup_logging(isc_mem_t *mctx, FILE *errout, isc_log_t **logp) {
+ isc_logdestination_t destination;
+ isc_logconfig_t *logconfig = NULL;
+ isc_log_t *log = NULL;
+
+ RUNTIME_CHECK(isc_log_create(mctx, &log, &logconfig) == ISC_R_SUCCESS);
+ isc_log_setcontext(log);
+ dns_log_init(log);
+ dns_log_setcontext(log);
+
+ destination.file.stream = errout;
+ destination.file.name = NULL;
+ destination.file.versions = ISC_LOG_ROLLNEVER;
+ destination.file.maximum_size = 0;
+ RUNTIME_CHECK(isc_log_createchannel(logconfig, "stderr",
+ ISC_LOG_TOFILEDESC,
+ ISC_LOG_DYNAMIC,
+ &destination, 0) == ISC_R_SUCCESS);
+ RUNTIME_CHECK(isc_log_usechannel(logconfig, "stderr",
+ NULL, NULL) == ISC_R_SUCCESS);
+
+ *logp = log;
+ return (ISC_R_SUCCESS);
+}
+
+int
+main(int argc, char **argv) {
+ char *file;
+ isc_mem_t *mctx = NULL;
+ isc_result_t result;
+ isc_log_t *lctx = NULL;
+
+ if (argc != 2) {
+ printf("usage: %s journal\n", argv[0]);
+ return(1);
+ }
+
+ file = argv[1];
+
+ RUNTIME_CHECK(isc_mem_create(0, 0, &mctx) == ISC_R_SUCCESS);
+ RUNTIME_CHECK(setup_logging(mctx, stderr, &lctx) == ISC_R_SUCCESS);
+
+ result = dns_journal_print(mctx, file, stdout);
+ if (result == DNS_R_NOJOURNAL)
+ fprintf(stderr, "%s\n", dns_result_totext(result));
+ isc_log_destroy(&lctx);
+ isc_mem_detach(&mctx);
+ return(result != ISC_R_SUCCESS ? 1 : 0);
+}
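Review bot: The usage text in `main` goes to stdout through `printf`, while the only other diagnostic goes to stderr. A caller that captures the journal dump on stdout gets the usage line mixed into it on a bad invocation, so `fprintf(stderr, "usage: %s journal\n", argv[0]);` fits better. Only `DNS_R_NOJOURNAL` is reported from `main`; any other failure of `dns_journal_print` exits 1 with no message here, presumably relying on the log channel set up just before, and a one-line comment saying so would help. The comment on `setup_logging` says stderr, but the stream is whatever the caller passes in `errout`.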
diff --git a/contrib/bind9/bin/tools/named-journalprint.docbook b/contrib/bind9/bin/tools/named-journalprint.docbook
new file mode 100644
index 000000000000..d0bea2c483ad
--- /dev/null
+++ b/contrib/bind9/bin/tools/named-journalprint.docbook
@@ -0,0 +1,101 @@
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
+ [<!ENTITY mdash "&#8212;">]>
+<!--
+ - Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ -
+ - Permission to use, copy, modify, and/or distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: named-journalprint.docbook,v 1.2 2009/12/04 21:59:23 marka Exp $ -->
+<refentry id="man.named-journalprint">
+ <refentryinfo>
+ <date>Feb 18, 2009</date>
+ </refentryinfo>
+
+ <refmeta>
+ <refentrytitle><application>named-journalprint</application></refentrytitle>
+ <manvolnum>8</manvolnum>
+ <refmiscinfo>BIND9</refmiscinfo>
+ </refmeta>
+
+ <refnamediv>
+ <refname><application>named-journalprint</application></refname>
+ <refpurpose>print zone journal in human-readable form</refpurpose>
+ </refnamediv>
+
+ <docinfo>
+ <copyright>
+ <year>2009</year>
+ <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
+ </copyright>
+ </docinfo>
+
+ <refsynopsisdiv>
+ <cmdsynopsis>
+ <command>named-journalprint</command>
+ <arg choice="req"><replaceable class="parameter">journal</replaceable></arg>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsect1>
+ <title>DESCRIPTION</title>
+ <para>
+ <command>named-journalprint</command>
+ prints the contents of a zone journal file in a human-readable
+ form.
+ </para>
+ <para>
+ Journal files are automatically created by <command>named</command>
+ when changes are made to dynamic zones (e.g., by
+ <command>nsupdate</command>). They record each addition
+ or deletion of a resource record, in binary format, allowing the
+ changes to be re-applied to the zone when the server is
+ restarted after a shutdown or crash. By default, the name of
+ the journal file is formed by appending the extension
+ <filename>.jnl</filename> to the name of the corresponding
+ zone file.
+ </para>
+ <para>
+ <command>named-journalprint</command> converts the contents of a given
+ journal file into a human-readable text format. Each line begins
+ with "add" or "del", to indicate whether the record was added or
+ deleted, and continues with the resource record in master-file
+ format.
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>SEE ALSO</title>
+ <para>
+ <citerefentry>
+ <refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>nsupdate</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citetitle>BIND 9 Administrator Reference Manual</citetitle>.
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>AUTHOR</title>
+ <para><corpauthor>Internet Systems Consortium</corpauthor>
+ </para>
+ </refsect1>
+
+</refentry><!--
+ - Local variables:
+ - mode: sgml
+ - End:
+-->
diff --git a/contrib/bind9/bin/tools/named-journalprint.html b/contrib/bind9/bin/tools/named-journalprint.html
new file mode 100644
index 000000000000..8639ee885a86
--- /dev/null
+++ b/contrib/bind9/bin/tools/named-journalprint.html
@@ -0,0 +1,73 @@
+<!--
+ - Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ -
+ - Permission to use, copy, modify, and/or distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+<!-- $Id$ -->
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>named-journalprint</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
+<a name="man.named-journalprint"></a><div class="titlepage"></div>
+<div class="refnamediv">
+<h2>Name</h2>
+<p><span class="application">named-journalprint</span> &#8212; print zone journal in human-readable form</p>
+</div>
+<div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+<div class="cmdsynopsis"><p><code class="command">named-journalprint</code> {<em class="replaceable"><code>journal</code></em>}</p></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543344"></a><h2>DESCRIPTION</h2>
+<p>
+ <span><strong class="command">named-journalprint</strong></span>
+ prints the contents of a zone journal file in a human-readable
+ form.
+ </p>
+<p>
+ Journal files are automatically created by <span><strong class="command">named</strong></span>
+ when changes are made to dynamic zones (e.g., by
+ <span><strong class="command">nsupdate</strong></span>). They record each addition
+ or deletion of a resource record, in binary format, allowing the
+ changes to be re-applied to the zone when the server is
+ restarted after a shutdown or crash. By default, the name of
+ the journal file is formed by appending the extension
+ <code class="filename">.jnl</code> to the name of the corresponding
+ zone file.
+ </p>
+<p>
+ <span><strong class="command">named-journalprint</strong></span> converts the contents of a given
+ journal file into a human-readable text format. Each line begins
+ with "add" or "del", to indicate whether the record was added or
+ deleted, and continues with the resource record in master-file
+ format.
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543379"></a><h2>SEE ALSO</h2>
+<p>
+ <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
+ <span class="citerefentry"><span class="refentrytitle">nsupdate</span>(8)</span>,
+ <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543410"></a><h2>AUTHOR</h2>
+<p><span class="corpauthor">Internet Systems Consortium</span>
+ </p>
+</div>
+</div></body>
+</html>
diff --git a/contrib/bind9/bin/tools/nsec3hash.8 b/contrib/bind9/bin/tools/nsec3hash.8
new file mode 100644
index 000000000000..324391042c90
--- /dev/null
+++ b/contrib/bind9/bin/tools/nsec3hash.8
@@ -0,0 +1,70 @@
+.\" Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+.\"
+.\" Permission to use, copy, modify, and/or distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+.\" PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\" $Id$
+.\"
+.hy 0
+.ad l
+.\" Title: nsec3hash
+.\" Author:
+.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
+.\" Date: Feb 18, 2009
+.\" Manual: BIND9
+.\" Source: BIND9
+.\"
+.TH "NSEC3HASH" "8" "Feb 18, 2009" "BIND9" "BIND9"
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.SH "NAME"
+nsec3hash \- generate NSEC3 hash
+.SH "SYNOPSIS"
+.HP 10
+\fBnsec3hash\fR {\fIsalt\fR} {\fIalgorithm\fR} {\fIiterations\fR} {\fIdomain\fR}
+.SH "DESCRIPTION"
+.PP
+\fBnsec3hash\fR
+generates an NSEC3 hash based on a set of NSEC3 parameters. This can be used to check the validity of NSEC3 records in a signed zone.
+.SH "ARGUMENTS"
+.PP
+salt
+.RS 4
+The salt provided to the hash algorithm.
+.RE
+.PP
+algorithm
+.RS 4
+A number indicating the hash algorithm. Currently the only supported hash algorithm for NSEC3 is SHA\-1, which is indicated by the number 1; consequently "1" is the only useful value for this argument.
+.RE
+.PP
+iterations
+.RS 4
+The number of additional times the hash should be performed.
+.RE
+.PP
+domain
+.RS 4
+The domain name to be hashed.
+.RE
+.SH "SEE ALSO"
+.PP
+BIND 9 Administrator Reference Manual,
+RFC 5155.
+.SH "AUTHOR"
+.PP
+Internet Systems Consortium
+.SH "COPYRIGHT"
+Copyright \(co 2009 Internet Systems Consortium, Inc. ("ISC")
+.br
diff --git a/contrib/bind9/bin/tools/nsec3hash.c b/contrib/bind9/bin/tools/nsec3hash.c
new file mode 100644
index 000000000000..6a54163e689f
--- /dev/null
+++ b/contrib/bind9/bin/tools/nsec3hash.c
@@ -0,0 +1,122 @@
+/*
+ * Copyright (C) 2006, 2008, 2009, 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id$ */
+
+#include <config.h>
+
+#include <stdlib.h>
+#include <stdarg.h>
+
+#include <isc/base32.h>
+#include <isc/buffer.h>
+#include <isc/hex.h>
+#include <isc/iterated_hash.h>
+#include <isc/print.h>
+#include <isc/result.h>
+#include <isc/string.h>
+#include <isc/types.h>
+
+#include <dns/fixedname.h>
+#include <dns/name.h>
+#include <dns/nsec3.h>
+#include <dns/types.h>
+
+const char *program = "nsec3hash";
+
+ISC_PLATFORM_NORETURN_PRE static void
+fatal(const char *format, ...) ISC_PLATFORM_NORETURN_POST;
+
+static void
+fatal(const char *format, ...) {
+ va_list args;
+
+ fprintf(stderr, "%s: ", program);
+ va_start(args, format);
+ vfprintf(stderr, format, args);
+ va_end(args);
+ fprintf(stderr, "\n");
+ exit(1);
+}
+
+static void
+check_result(isc_result_t result, const char *message) {
+ if (result != ISC_R_SUCCESS)
+ fatal("%s: %s", message, isc_result_totext(result));
+}
+
+static void
+usage() {
+ printf("Usage: %s salt algorithm iterations domain\n", program);
+ exit(1);
+}
+
+int
+main(int argc, char **argv) {
+ dns_fixedname_t fixed;
+ dns_name_t *name;
+ isc_buffer_t buffer;
+ isc_region_t region;
+ isc_result_t result;
+ unsigned char hash[NSEC3_MAX_HASH_LENGTH];
+ unsigned char salt[DNS_NSEC3_SALTSIZE];
+ unsigned char text[1024];
+ unsigned int hash_alg;
+ unsigned int length;
+ unsigned int iterations;
+ unsigned int salt_length;
+
+ if (argc != 5)
+ usage();
+
+ if (strcmp(argv[1], "-") == 0) {
+ salt_length = 0;
+ salt[0] = 0;
+ } else {
+ isc_buffer_init(&buffer, salt, sizeof(salt));
+ result = isc_hex_decodestring(argv[1], &buffer);
+ check_result(result, "isc_hex_decodestring(salt)");
+ salt_length = isc_buffer_usedlength(&buffer);
+ if (salt_length > DNS_NSEC3_SALTSIZE)
+ fatal("salt too long");
+ }
+ hash_alg = atoi(argv[2]);
+ if (hash_alg > 255U)
+ fatal("hash algorithm too large");
+ iterations = atoi(argv[3]);
+ if (iterations > 0xffffU)
+ fatal("iterations to large");
+
+ dns_fixedname_init(&fixed);
+ name = dns_fixedname_name(&fixed);
+ isc_buffer_init(&buffer, argv[4], strlen(argv[4]));
+ isc_buffer_add(&buffer, strlen(argv[4]));
+ result = dns_name_fromtext(name, &buffer, dns_rootname, 0, NULL);
+ check_result(result, "dns_name_fromtext() failed");
+
+ dns_name_downcase(name, name, NULL);
+ length = isc_iterated_hash(hash, hash_alg, iterations, salt,
+ salt_length, name->ndata, name->length);
+ if (length == 0)
+ fatal("isc_iterated_hash failed");
+ region.base = hash;
+ region.length = length;
+ isc_buffer_init(&buffer, text, sizeof(text));
+ isc_base32hex_totext(&region, 1, "", &buffer);
+ fprintf(stdout, "%.*s (salt=%s, hash=%u, iterations=%u)\n",
+ (int)isc_buffer_usedlength(&buffer), text, argv[1], hash_alg, iterations);
+ return(0);
+}
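Review bot: `hash_alg = atoi(argv[2])` and `iterations = atoi(argv[3])` in `main` cannot tell a malformed number from zero, so a typo such as `1o` or an empty argument is silently accepted. For `iterations` the tool then prints a hash computed with a different count than the operator intended, which is misleading when the output is used to check NSEC3 records in a signed zone. Parsing with `strtoul` and rejecting trailing characters closes that gap, and the same range checks still catch negative input because it wraps to a large value. The existing message `"iterations to large"` also has a typo, and the return value of `isc_base32hex_totext` is not passed to `check_result` like the other calls.

```c
	char *end;
	unsigned long value;

	/* … unchanged: argc check and salt decoding … */
	value = strtoul(argv[2], &end, 10);
	if (end == argv[2] || *end != '\0' || value > 255U)
		fatal("invalid hash algorithm: %s", argv[2]);
	hash_alg = (unsigned int)value;
	value = strtoul(argv[3], &end, 10);
	if (end == argv[3] || *end != '\0' || value > 0xffffU)
		fatal("invalid iterations: %s", argv[3]);
	iterations = (unsigned int)value;
	/* … unchanged: name parsing, hashing and output … */
```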
diff --git a/contrib/bind9/bin/tools/nsec3hash.docbook b/contrib/bind9/bin/tools/nsec3hash.docbook
new file mode 100644
index 000000000000..d20eb83b990b
--- /dev/null
+++ b/contrib/bind9/bin/tools/nsec3hash.docbook
@@ -0,0 +1,125 @@
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
+ [<!ENTITY mdash "&#8212;">]>
+<!--
+ - Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ -
+ - Permission to use, copy, modify, and/or distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: nsec3hash.docbook,v 1.3 2009/03/02 23:47:43 tbox Exp $ -->
+<refentry id="man.nsec3hash">
+ <refentryinfo>
+ <date>Feb 18, 2009</date>
+ </refentryinfo>
+
+ <refmeta>
+ <refentrytitle><application>nsec3hash</application></refentrytitle>
+ <manvolnum>8</manvolnum>
+ <refmiscinfo>BIND9</refmiscinfo>
+ </refmeta>
+
+ <refnamediv>
+ <refname><application>nsec3hash</application></refname>
+ <refpurpose>generate NSEC3 hash</refpurpose>
+ </refnamediv>
+
+ <docinfo>
+ <copyright>
+ <year>2009</year>
+ <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
+ </copyright>
+ </docinfo>
+
+ <refsynopsisdiv>
+ <cmdsynopsis>
+ <command>nsec3hash</command>
+ <arg choice="req"><replaceable class="parameter">salt</replaceable></arg>
+ <arg choice="req"><replaceable class="parameter">algorithm</replaceable></arg>
+ <arg choice="req"><replaceable class="parameter">iterations</replaceable></arg>
+ <arg choice="req"><replaceable class="parameter">domain</replaceable></arg>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsect1>
+ <title>DESCRIPTION</title>
+ <para>
+ <command>nsec3hash</command> generates an NSEC3 hash based on
+ a set of NSEC3 parameters. This can be used to check the validity
+ of NSEC3 records in a signed zone.
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>ARGUMENTS</title>
+ <variablelist>
+ <varlistentry>
+ <term>salt</term>
+ <listitem>
+ <para>
+ The salt provided to the hash algorithm.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>algorithm</term>
+ <listitem>
+ <para>
+ A number indicating the hash algorithm. Currently the
+ only supported hash algorithm for NSEC3 is SHA-1, which is
+ indicated by the number 1; consequently "1" is the only
+ useful value for this argument.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>iterations</term>
+ <listitem>
+ <para>
+ The number of additional times the hash should be performed.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>domain</term>
+ <listitem>
+ <para>
+ The domain name to be hashed.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect1>
+
+ <refsect1>
+ <title>SEE ALSO</title>
+ <para>
+ <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
+ <citetitle>RFC 5155</citetitle>.
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>AUTHOR</title>
+ <para><corpauthor>Internet Systems Consortium</corpauthor>
+ </para>
+ </refsect1>
+
+</refentry><!--
+ - Local variables:
+ - mode: sgml
+ - End:
+-->
diff --git a/contrib/bind9/bin/tools/nsec3hash.html b/contrib/bind9/bin/tools/nsec3hash.html
new file mode 100644
index 000000000000..e5b5a14842a4
--- /dev/null
+++ b/contrib/bind9/bin/tools/nsec3hash.html
@@ -0,0 +1,78 @@
+<!--
+ - Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ -
+ - Permission to use, copy, modify, and/or distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+<!-- $Id$ -->
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>nsec3hash</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
+<a name="man.nsec3hash"></a><div class="titlepage"></div>
+<div class="refnamediv">
+<h2>Name</h2>
+<p><span class="application">nsec3hash</span> &#8212; generate NSEC3 hash</p>
+</div>
+<div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+<div class="cmdsynopsis"><p><code class="command">nsec3hash</code> {<em class="replaceable"><code>salt</code></em>} {<em class="replaceable"><code>algorithm</code></em>} {<em class="replaceable"><code>iterations</code></em>} {<em class="replaceable"><code>domain</code></em>}</p></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543369"></a><h2>DESCRIPTION</h2>
+<p>
+ <span><strong class="command">nsec3hash</strong></span> generates an NSEC3 hash based on
+ a set of NSEC3 parameters. This can be used to check the validity
+ of NSEC3 records in a signed zone.
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543382"></a><h2>ARGUMENTS</h2>
+<div class="variablelist"><dl>
+<dt><span class="term">salt</span></dt>
+<dd><p>
+ The salt provided to the hash algorithm.
+ </p></dd>
+<dt><span class="term">algorithm</span></dt>
+<dd><p>
+ A number indicating the hash algorithm. Currently the
+ only supported hash algorithm for NSEC3 is SHA-1, which is
+ indicated by the number 1; consequently "1" is the only
+ useful value for this argument.
+ </p></dd>
+<dt><span class="term">iterations</span></dt>
+<dd><p>
+ The number of additional times the hash should be performed.
+ </p></dd>
+<dt><span class="term">domain</span></dt>
+<dd><p>
+ The domain name to be hashed.
+ </p></dd>
+</dl></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543444"></a><h2>SEE ALSO</h2>
+<p>
+ <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
+ <em class="citetitle">RFC 5155</em>.
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543461"></a><h2>AUTHOR</h2>
+<p><span class="corpauthor">Internet Systems Consortium</span>
+ </p>
+</div>
+</div></body>
+</html>
diff --git a/contrib/bind9/config.guess b/contrib/bind9/config.guess
index c79aebcb5668..f8d6eac4e842 100644
--- a/contrib/bind9/config.guess
+++ b/contrib/bind9/config.guess
@@ -3,7 +3,7 @@
# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999,
# 2000, 2001, 2002, 2003, 2004 Free Software Foundation, Inc.
-timestamp='2004-09-07'
+timestamp='2009-01-17'
# This file is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by
diff --git a/contrib/bind9/config.h.in b/contrib/bind9/config.h.in
index 2495b0e3d84e..e2f5999dabce 100644
--- a/contrib/bind9/config.h.in
+++ b/contrib/bind9/config.h.in
@@ -1,6 +1,6 @@
/* config.h.in. Generated from configure.in by autoheader. */
/*
- * Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2008, 2012 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -16,7 +16,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: acconfig.h,v 1.53 2008/12/01 23:47:44 tbox Exp $ */
/*! \file */
@@ -138,6 +138,9 @@ int sigwait(const unsigned int *set, int *sig);
/* Define if OpenSSL includes DSA support */
#undef HAVE_OPENSSL_DSA
+/* Define if OpenSSL includes ECDSA support */
+#undef HAVE_OPENSSL_ECDSA
+
/* Define to the length type used by the socket API (socklen_t, size_t, int). */
#undef ISC_SOCKADDR_LEN_T
@@ -147,6 +150,9 @@ int sigwait(const unsigned int *set, int *sig);
/* Define if building universal (internal helper macro) */
#undef AC_APPLE_UNIVERSAL_BUILD
+/* Define to enable the "filter-aaaa-on-v4" option. */
+#undef ALLOW_FILTER_AAAA_ON_V4
+
/* define if ATF unit tests are to be built. */
#undef ATF_TEST
@@ -160,6 +166,12 @@ int sigwait(const unsigned int *set, int *sig);
/* Define to enable "rrset-order fixed" syntax. */
#undef DNS_RDATASET_FIXED
+/* Define to enable rpz-nsdname rules. */
+#undef ENABLE_RPZ_NSDNAME
+
+/* Define to enable rpz-nsip rules. */
+#undef ENABLE_RPZ_NSIP
+
/* Solaris hack to get select_large_fdset. */
#undef FD_SETSIZE
@@ -178,27 +190,42 @@ int sigwait(const unsigned int *set, int *sig);
/* Define to 1 if you have the <devpoll.h> header file. */
#undef HAVE_DEVPOLL_H
+/* Define to 1 if you have the `dlclose' function. */
+#undef HAVE_DLCLOSE
+
/* Define to 1 if you have the <dlfcn.h> header file. */
#undef HAVE_DLFCN_H
+/* Define to 1 if you have the `dlopen' function. */
+#undef HAVE_DLOPEN
+
+/* Define to 1 if you have the `dlsym' function. */
+#undef HAVE_DLSYM
+
/* Define to 1 if you have the `EVP_sha256' function. */
#undef HAVE_EVP_SHA256
+/* Define to 1 if you have the `EVP_sha384' function. */
+#undef HAVE_EVP_SHA384
+
/* Define to 1 if you have the `EVP_sha512' function. */
#undef HAVE_EVP_SHA512
/* Define to 1 if you have the <fcntl.h> header file. */
#undef HAVE_FCNTL_H
-/* Define to 1 if you have the `getenv' function. */
-#undef HAVE_GETENV
-
/* Define to 1 if you have the <gssapi/gssapi.h> header file. */
#undef HAVE_GSSAPI_GSSAPI_H
+/* Define to 1 if you have the <gssapi/gssapi_krb5.h> header file. */
+#undef HAVE_GSSAPI_GSSAPI_KRB5_H
+
/* Define to 1 if you have the <gssapi.h> header file. */
#undef HAVE_GSSAPI_H
+/* Define to 1 if you have the <gssapi_krb5.h> header file. */
+#undef HAVE_GSSAPI_KRB5_H
+
/* Define to 1 if you have the <inttypes.h> header file. */
#undef HAVE_INTTYPES_H
@@ -217,6 +244,9 @@ int sigwait(const unsigned int *set, int *sig);
/* Define to 1 if you have the `cap' library (-lcap). */
#undef HAVE_LIBCAP
+/* if system have backtrace function */
+#undef HAVE_LIBCTRACE
+
/* Define to 1 if you have the `c_r' library (-lc_r). */
#undef HAVE_LIBC_R
@@ -253,9 +283,27 @@ int sigwait(const unsigned int *set, int *sig);
/* Define to 1 if you have the <net/if6.h> header file. */
#undef HAVE_NET_IF6_H
+/* Define if your OpenSSL version supports GOST. */
+#undef HAVE_OPENSSL_GOST
+
+/* Define to 1 if you have the <regex.h> header file. */
+#undef HAVE_REGEX_H
+
+/* Define to 1 if you have the `setegid' function. */
+#undef HAVE_SETEGID
+
+/* Define to 1 if you have the `seteuid' function. */
+#undef HAVE_SETEUID
+
/* Define to 1 if you have the `setlocale' function. */
#undef HAVE_SETLOCALE
+/* Define to 1 if you have the `setresgid' function. */
+#undef HAVE_SETRESGID
+
+/* Define to 1 if you have the `setresuid' function. */
+#undef HAVE_SETRESUID
+
/* Define to 1 if you have the <stdint.h> header file. */
#undef HAVE_STDINT_H
@@ -310,6 +358,18 @@ int sigwait(const unsigned int *set, int *sig);
/* Define to 1 if you have the <unistd.h> header file. */
#undef HAVE_UNISTD_H
+/* return type of gai_strerror */
+#undef IRS_GAISTRERROR_RETURN_T
+
+/* Define to the buffer length type used by getnameinfo(3). */
+#undef IRS_GETNAMEINFO_BUFLEN_T
+
+/* Define to the flags type used by getnameinfo(3). */
+#undef IRS_GETNAMEINFO_FLAGS_T
+
+/* Define to allow building of objects for dlopen(). */
+#undef ISC_DLZ_DLOPEN
+
/* Defined if extern char *optarg is not declared. */
#undef NEED_OPTARG
@@ -370,11 +430,8 @@ int sigwait(const unsigned int *set, int *sig);
/* Define to empty if `const' does not conform to ANSI C. */
#undef const
-/* Define to `__inline__' or `__inline' if that's what the C compiler
- calls it, or to nothing if 'inline' is not supported under any name. */
-#ifndef __cplusplus
+/* Define to empty if your compiler does not support "static inline". */
#undef inline
-#endif
/* Define to `unsigned int' if <sys/types.h> does not define. */
#undef size_t
diff --git a/contrib/bind9/configure.in b/contrib/bind9/configure.in
index 7e7079b62185..a0ec70020cc3 100644
--- a/contrib/bind9/configure.in
+++ b/contrib/bind9/configure.in
@@ -18,7 +18,7 @@ AC_DIVERT_PUSH(1)dnl
esyscmd([sed "s/^/# /" COPYRIGHT])dnl
AC_DIVERT_POP()dnl
-AC_REVISION($Revision: 1.457.26.40 $)
+AC_REVISION($Revision: 1.512.8.15 $)
AC_INIT(lib/dns/name.c)
AC_PREREQ(2.59)
@@ -36,6 +36,7 @@ case $build_os in
sunos*)
# Just set the maximum command line length for sunos as it otherwise
# takes a exceptionally long time to work it out. Required for libtool.
+
lt_cv_sys_max_cmd_len=4096;
;;
esac
@@ -61,7 +62,6 @@ It is available from http://www.isc.org as a separate download.])
;;
esac
-
AC_ARG_ENABLE(developer, [ --enable-developer enable developer build settings])
case "$enable_developer" in
yes)
@@ -130,6 +130,8 @@ AC_SUBST(ETAGS)
#
# Perl is optional; it is used only by some of the system test scripts.
+# Note: the backtrace feature (see below) uses perl to build the symbol table,
+# but it still compiles without perl, in which case an empty table will be used.
#
AC_PATH_PROGS(PERL, perl5 perl)
AC_SUBST(PERL)
@@ -296,7 +298,7 @@ esac
AC_HEADER_STDC
-AC_CHECK_HEADERS(fcntl.h sys/time.h unistd.h sys/sockio.h sys/select.h sys/param.h sys/sysctl.h net/if6.h,,,
+AC_CHECK_HEADERS(fcntl.h regex.h sys/time.h unistd.h sys/sockio.h sys/select.h sys/param.h sys/sysctl.h net/if6.h,,,
[$ac_includes_default
#ifdef HAVE_SYS_PARAM_H
# include <sys/param.h>
@@ -310,9 +312,10 @@ AC_CHECK_FUNC(sysctlbyname, AC_DEFINE(HAVE_SYSCTLBYNAME))
AC_C_FLEXIBLE_ARRAY_MEMBER
#
-# Check for getenv()
+# Older versions of HP/UX don't define seteuid() and setegid()
#
-AC_CHECK_FUNCS(getenv)
+AC_CHECK_FUNCS(seteuid setresuid)
+AC_CHECK_FUNCS(setegid setresgid)
#
# UnixWare 7.1.1 with the feature supplement to the UDK compiler
@@ -332,7 +335,7 @@ AC_TRY_COMPILE(, [
],
[AC_MSG_RESULT(no)],
[AC_MSG_RESULT(yes)
- AC_DEFINE(inline, )])
+ AC_DEFINE(inline, ,[Define to empty if your compiler does not support "static inline".])])
AC_TYPE_SIZE_T
AC_CHECK_TYPE(ssize_t, int)
@@ -540,6 +543,8 @@ then
fi
done
fi
+OPENSSL_ECDSA=""
+OPENSSL_GOST=""
case "$use_openssl" in
no)
AC_MSG_RESULT(no)
@@ -694,7 +699,96 @@ esac
else
AC_MSG_RESULT(no)
fi
- AC_CHECK_FUNCS(EVP_sha256 EVP_sha512)
+
+ AC_CHECK_FUNCS(EVP_sha256 EVP_sha384 EVP_sha512)
+
+ AC_MSG_CHECKING(for OpenSSL ECDSA support)
+ have_ecdsa=""
+ AC_TRY_RUN([
+#include <stdio.h>
+#include <openssl/ecdsa.h>
+#include <openssl/objects.h>
+int main() {
+ EC_KEY *ec256, *ec384;
+
+#if !defined(HAVE_EVP_SHA256) || !defined(HAVE_EVP_SHA384)
+ return (1);
+#endif
+ ec256 = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
+ ec384 = EC_KEY_new_by_curve_name(NID_secp384r1);
+ if (ec256 == NULL || ec384 == NULL)
+ return (2);
+ return (0);
+}
+],
+ [AC_MSG_RESULT(yes)
+ have_ecdsa="yes"],
+ [AC_MSG_RESULT(no)
+ have_ecdsa="no"])
+ case $have_ecdsa in
+ yes)
+ OPENSSL_ECDSA="yes"
+ AC_DEFINE(HAVE_OPENSSL_ECDSA)
+ ;;
+ *)
+ ;;
+ esac
+
+ AC_MSG_CHECKING(for OpenSSL GOST support)
+ have_gost=""
+ AC_TRY_RUN([
+#include <openssl/conf.h>
+#include <openssl/engine.h>
+int main() {
+#if (OPENSSL_VERSION_NUMBER >= 0x10000000L)
+ ENGINE *e;
+ EC_KEY *ek;
+
+ ek = NULL;
+ OPENSSL_config(NULL);
+
+ e = ENGINE_by_id("gost");
+ if (e == NULL)
+ return (1);
+ if (ENGINE_init(e) <= 0)
+ return (1);
+ return (0);
+#else
+ return (1);
+#endif
+}
+],
+ [AC_MSG_RESULT(yes)
+ have_gost="yes"],
+ [AC_MSG_RESULT(no)
+ have_gost="no"],
+ [AC_MSG_RESULT(using --with-gost)])
+ AC_ARG_WITH(gost, , with_gost="$withval", with_gost="auto")
+ case "$with_gost" in
+ yes)
+ case "$have_gost" in
+ no) AC_MSG_ERROR([gost not supported]) ;;
+ *) have_gost=yes ;;
+ esac
+ ;;
+ no)
+ have_gost=no ;;
+ *)
+ case "$have_gost" in
+ yes|no) ;;
+ *) AC_MSG_ERROR([need --with-gost=[[yes or no]]]) ;;
+ esac
+ ;;
+ esac
+ case $have_gost in
+ yes)
+ OPENSSL_GOST="yes"
+ AC_DEFINE(HAVE_OPENSSL_GOST, 1,
+ [Define if your OpenSSL version supports GOST.])
+ ;;
+ *)
+ ;;
+ esac
CFLAGS="$saved_cflags"
LIBS="$saved_libs"
OPENSSLLINKOBJS='${OPENSSLLINKOBJS}'
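Review bot: The ECDSA `AC_TRY_RUN` has no cross-compiling action, unlike the GOST probe directly below it, which passes `[AC_MSG_RESULT(using --with-gost)]` as its fourth argument. When configure cannot execute test programs, the ECDSA probe is therefore likely to abort configure instead of falling back to a build without ECDSA. A fourth argument such as `[AC_MSG_RESULT(no) have_ecdsa="no"]` would make the fallback explicit. In addition, `AC_ARG_WITH(gost, , ...)` has an empty help string, so `--with-gost`, which the cross-compile branch tells the user to rely on, will not appear in `./configure --help`.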
@@ -712,9 +806,36 @@ AC_SUBST(USE_OPENSSL)
AC_SUBST(DST_OPENSSL_INC)
AC_SUBST(OPENSSLLINKOBJS)
AC_SUBST(OPENSSLLINKSRCS)
+AC_SUBST(OPENSSL_ECDSA)
+AC_SUBST(OPENSSL_GOST)
+
DNS_CRYPTO_LIBS="$DNS_CRYPTO_LIBS $DNS_OPENSSL_LIBS"
#
+# Use OpenSSL for hash functions
+#
+
+AC_ARG_ENABLE(openssl-hash,
+ [ --enable-openssl-hash use OpenSSL for hash functions [[default=no]]],
+ want_openssl_hash="$enableval", want_openssl_hash="no")
+case $want_openssl_hash in
+ yes)
+ if test "$USE_OPENSSL" = ""
+ then
+ AC_MSG_ERROR([No OpenSSL for hash functions])
+ fi
+ ISC_PLATFORM_OPENSSLHASH="#define ISC_PLATFORM_OPENSSLHASH 1"
+ ISC_OPENSSL_INC="$DST_OPENSSL_INC"
+ ;;
+ no)
+ ISC_PLATFORM_OPENSSLHASH="#undef ISC_PLATFORM_OPENSSLHASH"
+ ISC_OPENSSL_INC=""
+ ;;
+esac
+AC_SUBST(ISC_PLATFORM_OPENSSLHASH)
+AC_SUBST(ISC_OPENSSL_INC)
+
+#
# PKCS11 (aka crypto hardware) support
#
# This works only with the right OpenSSL with PKCS11 engine!
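Review bot: The `case $want_openssl_hash` block handles only `yes` and `no`, so a value such as `--enable-openssl-hash=openssl` matches neither branch. `ISC_PLATFORM_OPENSSLHASH` and `ISC_OPENSSL_INC` are then never assigned and `AC_SUBST` substitutes an empty string, which leaves the choice of hash implementation undefined in the generated header without any message. I would add a final branch that rejects unknown values, `*) AC_MSG_ERROR([--enable-openssl-hash takes yes or no]) ;;`, and quote the selector as `case "$want_openssl_hash" in`.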
@@ -722,38 +843,76 @@ DNS_CRYPTO_LIBS="$DNS_CRYPTO_LIBS $DNS_OPENSSL_LIBS"
AC_MSG_CHECKING(for PKCS11 support)
AC_ARG_WITH(pkcs11,
-[ --with-pkcs11 Build with PKCS11 support],
- use_pkcs11="yes", use_pkcs11="no")
+[ --with-pkcs11[=PATH] Build with PKCS11 support [yes|no|path]
+ (PATH is for the PKCS11 provider)],
+ use_pkcs11="$withval", use_pkcs11="no")
case "$use_pkcs11" in
- no)
+ no|'')
AC_MSG_RESULT(disabled)
- USE_PKCS11=""
+ USE_PKCS11=''
+ PKCS11_TOOLS=''
;;
- yes)
+ yes|*)
AC_MSG_RESULT(using OpenSSL with PKCS11 support)
USE_PKCS11='-DUSE_PKCS11'
+ PKCS11_TOOLS=pkcs11
;;
esac
-
AC_SUBST(USE_PKCS11)
+AC_SUBST(PKCS11_TOOLS)
+
+AC_MSG_CHECKING(for PKCS11 tools)
+case "$use_pkcs11" in
+ no|yes|'')
+ AC_MSG_RESULT(disabled)
+ PKCS11_PROVIDER="undefined"
+ ;;
+ *)
+ AC_MSG_RESULT(PKCS11 provider is "$use_pkcs11")
+ PKCS11_PROVIDER="$use_pkcs11"
+ ;;
+esac
+AC_SUBST(PKCS11_PROVIDER)
AC_MSG_CHECKING(for GSSAPI library)
AC_ARG_WITH(gssapi,
-[ --with-gssapi=PATH Specify path for system-supplied GSSAPI],
- use_gssapi="$withval", use_gssapi="no")
-
-gssapidirs="/usr/local /usr/pkg /usr/kerberos /usr"
+[ --with-gssapi=PATH Specify path for system-supplied GSSAPI [[default=yes]]],
+ use_gssapi="$withval", use_gssapi="yes")
+
+# gssapi is just the framework, we really require kerberos v5, so
+# look for those headers (the gssapi headers must be there, too)
+# The problem with this implementation is that it doesn't allow
+# for the specification of gssapi and krb5 headers in different locations,
+# which probably ought to be fixed although fixing might raise the issue of
+# trying to build with incompatible versions of gssapi and krb5.
if test "$use_gssapi" = "yes"
then
- for d in $gssapidirs
- do
- if test -f $d/include/gssapi/gssapi.h -o -f $d/include/gssapi.h
+ # first, deal with the obvious
+ if test \( -f /usr/include/kerberosv5/krb5.h -o \
+ -f /usr/include/krb5/krb5.h -o \
+ -f /usr/include/krb5.h \) -a \
+ \( -f /usr/include/gssapi.h -o \
+ -f /usr/include/gssapi/gssapi.h \)
+ then
+ use_gssapi=/usr
+ else
+ krb5dirs="/usr/local /usr/local/krb5 /usr/local/kerberosv5 /usr/local/kerberos /usr/pkg /usr/krb5 /usr/kerberosv5 /usr/kerberos /usr"
+ for d in $krb5dirs
+ do
+ if test -f $d/include/gssapi/gssapi_krb5.h -o \
+ -f $d/include/krb5.h
then
- use_gssapi=$d
- break
+ if test -f $d/include/gssapi/gssapi.h -o \
+ -f $d/include/gssapi.h
+ then
+ use_gssapi=$d
+ break
+ fi
fi
- done
+ use_gssapi="no"
+ done
+ fi
fi
case "$use_gssapi" in
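Review bot: In the second `case "$use_pkcs11"` (the "PKCS11 tools" check), every value other than `no`, `yes` or empty is taken verbatim as `PKCS11_PROVIDER`. A typo such as `--with-pkcs11=ye` therefore enables `-DUSE_PKCS11` in the first case and records `ye` as the provider. That string presumably becomes the module the pkcs11 tools load by default, so it deserves a sanity check at configure time. Requiring an absolute path catches most mistakes: use `/*) AC_MSG_RESULT(PKCS11 provider is "$use_pkcs11"); PKCS11_PROVIDER="$use_pkcs11" ;;` and let `*)` call `AC_MSG_ERROR([--with-pkcs11 takes yes, no or an absolute provider path])`.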
@@ -776,6 +935,9 @@ case "$use_gssapi" in
AC_MSG_ERROR([gssapi.h not found])
fi
+ AC_CHECK_HEADERS(gssapi_krb5.h gssapi/gssapi_krb5.h,
+ [ISC_PLATFORM_GSSAPI_KRB5_HEADER="#define ISC_PLATFORM_GSSAPI_KRB5_HEADER <$ac_header>"])
+
AC_CHECK_HEADERS(krb5.h krb5/krb5.h kerberosv5/krb5.h,
[ISC_PLATFORM_KRB5HEADER="#define ISC_PLATFORM_KRB5HEADER <$ac_header>"])
@@ -820,7 +982,12 @@ case "$use_gssapi" in
# -L/usr/local/lib to LIBS, which can make the
# -lgssapi_krb5 test succeed with shared libraries even
# when you are trying to build with KTH in /usr/lib.
- LIBS="-L$use_gssapi/lib $TRY_LIBS"
+ if test "$use_gssapi" = "/usr"
+ then
+ LIBS="$TRY_LIBS"
+ else
+ LIBS="-L$use_gssapi/lib $TRY_LIBS"
+ fi
AC_MSG_CHECKING(linking as $TRY_LIBS)
AC_TRY_LINK( , [gss_acquire_cred();krb5_init_context()],
gssapi_linked=yes, gssapi_linked=no)
@@ -884,6 +1051,7 @@ esac
AC_SUBST(ISC_PLATFORM_HAVEGSSAPI)
AC_SUBST(ISC_PLATFORM_GSSAPIHEADER)
+AC_SUBST(ISC_PLATFORM_GSSAPI_KRB5_HEADER)
AC_SUBST(ISC_PLATFORM_KRB5HEADER)
AC_SUBST(USE_GSSAPI)
@@ -1323,9 +1491,9 @@ case $use_libtool in
O=lo
A=la
LIBTOOL_MKDEP_SED='s;\.o;\.lo;'
- LIBTOOL_MODE_COMPILE='--mode=compile'
- LIBTOOL_MODE_INSTALL='--mode=install'
- LIBTOOL_MODE_LINK='--mode=link'
+ LIBTOOL_MODE_COMPILE='--mode=compile --tag=CC'
+ LIBTOOL_MODE_INSTALL='--mode=install --tag=CC'
+ LIBTOOL_MODE_LINK='--mode=link --tag=CC'
case "$host" in
*) LIBTOOL_ALLOW_UNDEFINED= ;;
esac
@@ -1349,6 +1517,65 @@ case $use_libtool in
esac
#
+# enable/disable dumping stack backtrace. Also check if the system supports
+# glibc-compatible backtrace() function.
+#
+AC_ARG_ENABLE(backtrace,
+[ --enable-backtrace log stack backtrace on abort [[default=yes]]],
+ want_backtrace="$enableval", want_backtrace="yes")
+case $want_backtrace in
+yes)
+ ISC_PLATFORM_USEBACKTRACE="#define ISC_PLATFORM_USEBACKTRACE 1"
+ AC_TRY_LINK([#include <execinfo.h>],
+ [return (backtrace((void **)0, 0));],
+ [AC_DEFINE([HAVE_LIBCTRACE], [], [if system have backtrace function])],)
+ ;;
+*)
+ ISC_PLATFORM_USEBACKTRACE="#undef ISC_PLATFORM_USEBACKTRACE"
+ ;;
+esac
+AC_SUBST(ISC_PLATFORM_USEBACKTRACE)
+
+AC_ARG_ENABLE(symtable,
+[ --enable-symtable use internal symbol table for backtrace
+ [[all|minimal(default)|none]]],
+ want_symtable="$enableval", want_symtable="minimal")
+case $want_symtable in
+yes|all|minimal) # "yes" is a hidden value equivalent to "minimal"
+ if test "$PERL" = ""
+ then
+ AC_MSG_ERROR([Internal symbol table requires perl but no perl is found.
+Install perl or explicitly disable the feature by --disable-symtable.])
+ fi
+ if test "$use_libtool" = "yes"; then
+ AC_MSG_WARN([Internal symbol table does not work with libtool. Disabling symbol table.])
+ else
+ # we generate the internal symbol table only for those systems
+ # known to work to avoid unexpected build failure. Also, warn
+ # about unsupported systems when the feature is enabled
+ # manually.
+ case $host_os in
+ freebsd*|netbsd*|openbsd*|linux*|solaris*|darwin*)
+ MKSYMTBL_PROGRAM="$PERL"
+ if test $want_symtable = all; then
+ ALWAYS_MAKE_SYMTABLE="yes"
+ fi
+ ;;
+ *)
+ if test $want_symtable = yes -o $want_symtable = all
+ then
+ AC_MSG_WARN([this system is not known to generate internal symbol table safely; disabling it])
+ fi
+ esac
+ fi
+ ;;
+*)
+ ;;
+esac
+AC_SUBST(MKSYMTBL_PROGRAM)
+AC_SUBST(ALWAYS_MAKE_SYMTABLE)
+
+#
# File name extension for static archive files, for those few places
# where they are treated differently from dynamic ones.
#
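Review bot: The `--enable-symtable` default of `minimal` reaches `AC_MSG_ERROR([Internal symbol table requires perl ...])` whenever `$PERL` is empty, so a plain `./configure` on a host without perl now fails. That contradicts the comment this commit adds next to `AC_PATH_PROGS(PERL, perl5 perl)`, which says the backtrace feature still compiles without perl and then uses an empty table. I would keep the hard error for an explicit `--enable-symtable=all` and, for the default, emit `AC_MSG_WARN([no perl found; internal symbol table disabled])` and leave `MKSYMTBL_PROGRAM` empty. The inner `case $host_os` also lacks a `;;` after its `*)` branch; it is legal before `esac` but inconsistent with the rest of the file.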
@@ -1365,6 +1592,54 @@ AC_SUBST(LIBTOOL_ALLOW_UNDEFINED)
AC_SUBST(LIBTOOL_IN_MAIN)
#
+# build exportable DNS library?
+#
+AC_ARG_ENABLE(exportlib,
+ [ --enable-exportlib build exportable library (GNU make required)
+ [[default=no]]])
+case "$enable_exportlib" in
+ yes)
+ gmake=
+ for x in gmake gnumake make; do
+ if $x --version 2>/dev/null | grep GNU > /dev/null; then
+ gmake=$x
+ break;
+ fi
+ done
+ if test -z "$gmake"; then
+ AC_MSG_ERROR([exportlib requires GNU make. Install it or disable the feature.])
+ fi
+ LIBEXPORT=lib/export
+ AC_SUBST(LIBEXPORT)
+ BIND9_CO_RULE="%.$O: \${srcdir}/%.c"
+ ;;
+ no|*)
+ BIND9_CO_RULE=".c.$O:"
+ ;;
+esac
+AC_SUBST(BIND9_CO_RULE)
+
+AC_ARG_WITH(export-libdir,
+ [ --with-export-libdir[=PATH]
+ installation directory for the export library
+ [[EPREFIX/lib/bind9]]],
+ export_libdir="$withval",)
+if test -z "$export_libdir"; then
+ export_libdir="\${exec_prefix}/lib/bind9/"
+fi
+AC_SUBST(export_libdir)
+
+AC_ARG_WITH(export-includedir,
+ [ --with-export-includedir[=PATH]
+ installation directory for the header files of the
+ export library [[PREFIX/include/bind9]]],
+ export_includedir="$withval",)
+if test -z "$export_includedir"; then
+ export_includedir="\${prefix}/include/bind9/"
+fi
+AC_SUBST(export_includedir)
+
+#
# Here begins a very long section to determine the system's networking
# capabilities. The order of the tests is significant.
#
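Review bot: `export_libdir="$withval"` and `export_includedir="$withval"` accept whatever autoconf places in `$withval`, yet the help text advertises the argument as optional (`[=PATH]`). A bare `--with-export-libdir` thus yields the directory `yes` and `--without-export-libdir` yields `no`; only an empty value falls back to the default. I would treat those three alike, e.g. `case "$withval" in yes|no|'') ;; *) export_libdir="$withval" ;; esac`, and do the same for the include directory. The `gmake` variable found by the GNU make probe is also not used or substituted anywhere in this hunk, so a short comment saying it is only an existence check would help.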
@@ -1742,10 +2017,13 @@ AC_TRY_COMPILE([
[struct addrinfo a; return (0);],
[AC_MSG_RESULT(yes)
ISC_LWRES_NEEDADDRINFO="#undef ISC_LWRES_NEEDADDRINFO"
+ ISC_IRS_NEEDADDRINFO="#undef ISC_IRS_NEEDADDRINFO"
AC_DEFINE(HAVE_ADDRINFO)],
[AC_MSG_RESULT(no)
- ISC_LWRES_NEEDADDRINFO="#define ISC_LWRES_NEEDADDRINFO 1"])
+ ISC_LWRES_NEEDADDRINFO="#define ISC_LWRES_NEEDADDRINFO 1"
+ ISC_IRS_NEEDADDRINFO="#define ISC_IRS_NEEDADDRINFO 1"])
AC_SUBST(ISC_LWRES_NEEDADDRINFO)
+AC_SUBST(ISC_IRS_NEEDADDRINFO)
#
# Check for rrsetinfo
@@ -1832,6 +2110,53 @@ AC_TRY_COMPILE([
ISC_LWRES_NEEDHERRNO="#define ISC_LWRES_NEEDHERRNO 1"])
AC_SUBST(ISC_LWRES_NEEDHERRNO)
+#
+# Sadly, the definitions of system-supplied getnameinfo(3) vary. Try to catch
+# known variations here:
+#
+AC_MSG_CHECKING(for getnameinfo prototype definitions)
+AC_TRY_COMPILE([
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netdb.h>
+int getnameinfo(const struct sockaddr *, socklen_t, char *,
+ socklen_t, char *, socklen_t, unsigned int);],
+[ return (0);],
+ [AC_MSG_RESULT(socklen_t for buflen; u_int for flags)
+ AC_DEFINE(IRS_GETNAMEINFO_BUFLEN_T, socklen_t,
+ [Define to the buffer length type used by getnameinfo(3).])
+ AC_DEFINE(IRS_GETNAMEINFO_FLAGS_T, unsigned int,
+ [Define to the flags type used by getnameinfo(3).])],
+[AC_TRY_COMPILE([
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netdb.h>
+int getnameinfo(const struct sockaddr *, socklen_t, char *,
+ size_t, char *, size_t, int);],
+[ return (0);],
+ [AC_MSG_RESULT(size_t for buflen; int for flags)
+ AC_DEFINE(IRS_GETNAMEINFO_BUFLEN_T, size_t)
+ AC_DEFINE(IRS_GETNAMEINFO_FLAGS_T, int)],
+[AC_MSG_RESULT(not match any subspecies; assume standard definition)
+AC_DEFINE(IRS_GETNAMEINFO_BUFLEN_T, socklen_t)
+AC_DEFINE(IRS_GETNAMEINFO_FLAGS_T, int)])])
+
+#
+# ...and same for gai_strerror().
+#
+AC_MSG_CHECKING(for gai_strerror prototype definitions)
+AC_TRY_COMPILE([
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netdb.h>
+char *gai_strerror(int ecode);],
+[ return (0); ],
+ [AC_MSG_RESULT(returning char *)
+ AC_DEFINE([IRS_GAISTRERROR_RETURN_T], [char *],
+ [return type of gai_strerror])],
+[AC_MSG_RESULT(not match any subspecies; assume standard definition)
+AC_DEFINE([IRS_GAISTRERROR_RETURN_T], [const char *])])
+
AC_CHECK_FUNC(getipnodebyname,
[ISC_LWRES_GETIPNODEPROTO="#undef ISC_LWRES_GETIPNODEPROTO"],
[ISC_LWRES_GETIPNODEPROTO="#define ISC_LWRES_GETIPNODEPROTO 1"])
@@ -1846,6 +2171,7 @@ AC_CHECK_FUNC(gai_strerror, AC_DEFINE(HAVE_GAISTRERROR))
AC_SUBST(ISC_LWRES_GETIPNODEPROTO)
AC_SUBST(ISC_LWRES_GETADDRINFOPROTO)
AC_SUBST(ISC_LWRES_GETNAMEINFOPROTO)
+AC_SUBST(ISC_IRS_GETNAMEINFOSOCKLEN)
AC_ARG_ENABLE(getifaddrs,
[ --enable-getifaddrs Enable the use of getifaddrs() [[yes|no]].],
@@ -2180,6 +2506,8 @@ AC_SUBST(ISC_PLATFORM_USEDECLSPEC)
ISC_PLATFORM_USEDECLSPEC="#undef ISC_PLATFORM_USEDECLSPEC"
AC_SUBST(LWRES_PLATFORM_USEDECLSPEC)
LWRES_PLATFORM_USEDECLSPEC="#undef LWRES_PLATFORM_USEDECLSPEC"
+AC_SUBST(IRS_PLATFORM_USEDECLSPEC)
+IRS_PLATFORM_USEDECLSPEC="#undef IRS_PLATFORM_USEDECLSPEC"
#
# Random remaining OS-specific issues involving compiler warnings.
@@ -2496,6 +2824,61 @@ case "$enable_fixed" in
esac
#
+# Enable response policy rewriting using NS IP addresses
+#
+AC_ARG_ENABLE(rpz-nsip,
+ [ --enable-rpz-nsip enable rpz-nsip rules [[default=no]]],
+ enable_nsip="$enableval",
+ enable_nsip="no")
+case "$enable_nsip" in
+ yes)
+ AC_DEFINE(ENABLE_RPZ_NSIP, 1,
+ [Define to enable rpz-nsip rules.])
+ ;;
+ no)
+ ;;
+ *)
+ ;;
+esac
+
+#
+# Enable response policy rewriting using NS name
+#
+AC_ARG_ENABLE(rpz-nsdname,
+ [ --enable-rpz-nsdname enable rpz-nsdname rules [[default=no]]],
+ enable_nsdname="$enableval",
+ enable_nsdname="no")
+case "$enable_nsdname" in
+ yes)
+ AC_DEFINE(ENABLE_RPZ_NSDNAME, 1,
+ [Define to enable rpz-nsdname rules.])
+ ;;
+ no)
+ ;;
+ *)
+ ;;
+esac
+
+#
+# Activate "filter-aaaa-on-v4" or not?
+#
+AC_ARG_ENABLE(filter-aaaa,
+ [ --enable-filter-aaaa enable filtering of AAAA records over IPv4
+ [[default=no]]],
+ enable_filter="$enableval",
+ enable_filter="no")
+case "$enable_filter" in
+ yes)
+ AC_DEFINE(ALLOW_FILTER_AAAA_ON_V4, 1,
+ [Define to enable the "filter-aaaa-on-v4" option.])
+ ;;
+ no)
+ ;;
+ *)
+ ;;
+esac
+
+#
# The following sets up how non-blocking i/o is established.
# Sunos, cygwin and solaris 2.x (x<5) require special handling.
#
@@ -2843,32 +3226,105 @@ LIBBIND9_API=$srcdir/lib/bind9/api
AC_SUBST_FILE(LIBLWRES_API)
LIBLWRES_API=$srcdir/lib/lwres/api
+AC_SUBST_FILE(LIBIRS_API)
+LIBIRS_API=$srcdir/lib/irs/api
+
#
# Configure any DLZ drivers.
#
# If config.dlz.in selects one or more DLZ drivers, it will set
-# USE_DLZ to a non-empty value, which will be our clue to
-# enable the DLZ core functions.
+# CONTRIB_DLZ to a non-empty value, which will be our clue to
+# build DLZ drivers in contrib.
#
# This section has to come after the libtool stuff because it needs to
# know how to name the driver object files.
#
-USE_DLZ=""
+CONTRIB_DLZ=""
DLZ_DRIVER_INCLUDES=""
DLZ_DRIVER_LIBS=""
DLZ_DRIVER_SRCS=""
DLZ_DRIVER_OBJS=""
DLZ_SYSTEM_TEST=""
-sinclude(contrib/dlz/config.dlz.in)
+#
+# Configure support for building a shared library object
+#
+# Even when libtool is available it can't always be relied upon
+# to build an object that can be dlopen()'ed, but this is necessary
+# for building the dlzexternal system test, so we'll try it the
+# old-fashioned way.
+#
+SO="so"
+SO_CFLAGS=""
+SO_LD=""
+SO_TARGETS=""
+
+AC_ARG_WITH(dlopen,
+ [ --with-dlopen=ARG Support dynamically loadable DLZ drivers],
+ dlopen="$withval", dlopen="yes")
+
+if test "$dlopen" = "yes"; then
+ AC_CHECK_LIB(dl, dlopen, have_dl=yes, have_dl=no)
+ if test "$have_dl" = "yes"; then
+ LIBS="-ldl $LIBS"
+ fi
+ AC_CHECK_FUNCS(dlopen dlclose dlsym,,dlopen=no)
+fi
-AC_MSG_CHECKING(for DLZ)
+if test "$dlopen" = "yes"; then
+ case $host in
+ *-linux*)
+ SO_CFLAGS="-fPIC"
+ if test "$have_dl" = "yes"
+ then
+ SO_LD="${CC} -shared"
+ else
+ SO_LD="ld -shared"
+ fi
+ ;;
+ *-freebsd*|*-openbsd*|*-netbsd*)
+ SO_CFLAGS="-fpic"
+ SO_LD="ld -Bshareable -x"
+ ;;
+ *-solaris*)
+ SO_CFLAGS="-KPIC"
+ SO_LD="ld -G -z text"
+ ;;
+ *-hp-hpux*)
+ SO=sl
+ SO_CFLAGS="+z"
+ SO_LD="ld -b"
+ ;;
+ *)
+ SO_CFLAGS="-fPIC"
+ ;;
+ esac
+
+ if test "X$GCC" = "Xyes"; then
+ SO_CFLAGS="-fPIC"
+ test -n "$SO_LD" || SO_LD="${CC} -shared"
+ fi
+
+ # If we still don't know how to make shared objects, don't make any.
+ if test -n "$SO_LD"; then
+ SO_TARGETS="\${SO_TARGETS}"
+ AC_DEFINE(ISC_DLZ_DLOPEN, 1,
+ [Define to allow building of objects for dlopen().])
+ fi
+fi
-if test -n "$USE_DLZ"
+AC_SUBST(SO)
+AC_SUBST(SO_CFLAGS)
+AC_SUBST(SO_LD)
+AC_SUBST(SO_TARGETS)
+
+sinclude(contrib/dlz/config.dlz.in)
+AC_MSG_CHECKING(contributed DLZ drivers)
+
+if test -n "$CONTRIB_DLZ"
then
AC_MSG_RESULT(yes)
- USE_DLZ="-DDLZ $USE_DLZ"
DLZ_DRIVER_RULES=contrib/dlz/drivers/rules
AC_CONFIG_FILES([$DLZ_DRIVER_RULES])
else
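Review bot: `--with-dlopen` defaults to `yes` (`dlopen="$withval", dlopen="yes"`), but the help string `--with-dlopen=ARG` neither states the default nor names the accepted values. Any value other than `yes` silently skips the whole block. Since this decides whether `ISC_DLZ_DLOPEN` is defined, builders who do not want loadable-driver support compiled in need to see that they must pass `--without-dlopen`; I would write the help as `[  --with-dlopen=ARG       support dynamically loadable DLZ drivers [[default=yes]]]`. The `SO_LD="ld -shared"`, `ld -Bshareable -x`, `ld -G -z text` and `ld -b` settings hard-code `ld` rather than the configured toolchain, which deserves a comment if it is intentional.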
@@ -2876,7 +3332,7 @@ else
DLZ_DRIVER_RULES=/dev/null
fi
-AC_SUBST(USE_DLZ)
+AC_SUBST(CONTRIB_DLZ)
AC_SUBST(DLZ_DRIVER_INCLUDES)
AC_SUBST(DLZ_DRIVER_LIBS)
AC_SUBST(DLZ_DRIVER_SRCS)
@@ -3010,39 +3466,122 @@ AC_CONFIG_COMMANDS(
#
AC_CONFIG_FILES([
+ make/Makefile
+ make/mkdep
Makefile
- make/Makefile
- make/mkdep
+ bin/Makefile
+ bin/check/Makefile
+ bin/confgen/Makefile
+ bin/confgen/unix/Makefile
+ bin/dig/Makefile
+ bin/dnssec/Makefile
+ bin/named/Makefile
+ bin/named/unix/Makefile
+ bin/nsupdate/Makefile
+ bin/pkcs11/Makefile
+ bin/rndc/Makefile
+ bin/tests/Makefile
+ bin/tests/atomic/Makefile
+ bin/tests/db/Makefile
+ bin/tests/dst/Makefile
+ bin/tests/hashes/Makefile
+ bin/tests/headerdep_test.sh
+ bin/tests/master/Makefile
+ bin/tests/mem/Makefile
+ bin/tests/names/Makefile
+ bin/tests/net/Makefile
+ bin/tests/rbt/Makefile
+ bin/tests/resolver/Makefile
+ bin/tests/sockaddr/Makefile
+ bin/tests/system/Makefile
+ bin/tests/system/conf.sh
+ bin/tests/system/dlz/prereq.sh
+ bin/tests/system/dlzexternal/Makefile
+ bin/tests/system/dlzexternal/ns1/named.conf
+ bin/tests/system/ecdsa/prereq.sh
+ bin/tests/system/filter-aaaa/Makefile
+ bin/tests/system/gost/prereq.sh
+ bin/tests/system/lwresd/Makefile
+ bin/tests/system/rpz/Makefile
+ bin/tests/system/tkey/Makefile
+ bin/tests/system/tsiggss/Makefile
+ bin/tests/tasks/Makefile
+ bin/tests/timers/Makefile
+ bin/tests/virtual-time/Makefile
+ bin/tests/virtual-time/conf.sh
+ bin/tools/Makefile
+ contrib/check-secure-delegation.pl
+ contrib/zone-edit.sh
+ doc/Makefile
+ doc/arm/Makefile
+ doc/doxygen/Doxyfile
+ doc/doxygen/Makefile
+ doc/doxygen/doxygen-input-filter
+ doc/misc/Makefile
+ doc/xsl/Makefile
+ doc/xsl/isc-docbook-chunk.xsl
+ doc/xsl/isc-docbook-html.xsl
+ doc/xsl/isc-docbook-latex.xsl
+ doc/xsl/isc-manpage.xsl
+ isc-config.sh
lib/Makefile
+ lib/bind9/Makefile
+ lib/bind9/include/Makefile
+ lib/bind9/include/bind9/Makefile
+ lib/dns/Makefile
+ lib/dns/include/Makefile
+ lib/dns/include/dns/Makefile
+ lib/dns/include/dst/Makefile
+ lib/dns/tests/Makefile
+ lib/export/Makefile
+ lib/export/dns/Makefile
+ lib/export/dns/include/Makefile
+ lib/export/dns/include/dns/Makefile
+ lib/export/dns/include/dst/Makefile
+ lib/export/irs/Makefile
+ lib/export/irs/include/Makefile
+ lib/export/irs/include/irs/Makefile
+ lib/export/isc/$thread_dir/Makefile
+ lib/export/isc/$thread_dir/include/Makefile
+ lib/export/isc/$thread_dir/include/isc/Makefile
+ lib/export/isc/Makefile
+ lib/export/isc/include/Makefile
+ lib/export/isc/include/isc/Makefile
+ lib/export/isc/nls/Makefile
+ lib/export/isc/unix/Makefile
+ lib/export/isc/unix/include/Makefile
+ lib/export/isc/unix/include/isc/Makefile
+ lib/export/isccfg/Makefile
+ lib/export/isccfg/include/Makefile
+ lib/export/isccfg/include/isccfg/Makefile
+ lib/export/samples/Makefile
+ lib/export/samples/Makefile-postinstall
+ lib/irs/Makefile
+ lib/irs/include/Makefile
+ lib/irs/include/irs/Makefile
+ lib/irs/include/irs/netdb.h
+ lib/irs/include/irs/platform.h
+ lib/isc/$arch/Makefile
+ lib/isc/$arch/include/Makefile
+ lib/isc/$arch/include/isc/Makefile
+ lib/isc/$thread_dir/Makefile
+ lib/isc/$thread_dir/include/Makefile
+ lib/isc/$thread_dir/include/isc/Makefile
lib/isc/Makefile
lib/isc/include/Makefile
lib/isc/include/isc/Makefile
lib/isc/include/isc/platform.h
lib/isc/tests/Makefile
+ lib/isc/nls/Makefile
lib/isc/unix/Makefile
lib/isc/unix/include/Makefile
lib/isc/unix/include/isc/Makefile
- lib/isc/nls/Makefile
- lib/isc/$thread_dir/Makefile
- lib/isc/$thread_dir/include/Makefile
- lib/isc/$thread_dir/include/isc/Makefile
- lib/isc/$arch/Makefile
- lib/isc/$arch/include/Makefile
- lib/isc/$arch/include/isc/Makefile
lib/isccc/Makefile
lib/isccc/include/Makefile
lib/isccc/include/isccc/Makefile
lib/isccfg/Makefile
lib/isccfg/include/Makefile
lib/isccfg/include/isccfg/Makefile
- lib/dns/Makefile
- lib/dns/include/Makefile
- lib/dns/include/dns/Makefile
- lib/dns/include/dst/Makefile
- lib/dns/tests/Makefile
- lib/bind9/Makefile
- lib/bind9/include/Makefile
- lib/bind9/include/bind9/Makefile
lib/lwres/Makefile
lib/lwres/include/Makefile
lib/lwres/include/lwres/Makefile
@@ -3057,45 +3596,6 @@ AC_CONFIG_FILES([
lib/tests/include/tests/Makefile
unit/Makefile
unit/unittest.sh
- bin/Makefile
- bin/check/Makefile
- bin/named/Makefile
- bin/named/unix/Makefile
- bin/rndc/Makefile
- bin/rndc/unix/Makefile
- bin/dig/Makefile
- bin/nsupdate/Makefile
- bin/tests/Makefile
- bin/tests/names/Makefile
- bin/tests/master/Makefile
- bin/tests/rbt/Makefile
- bin/tests/db/Makefile
- bin/tests/tasks/Makefile
- bin/tests/timers/Makefile
- bin/tests/dst/Makefile
- bin/tests/mem/Makefile
- bin/tests/hashes/Makefile
- bin/tests/net/Makefile
- bin/tests/sockaddr/Makefile
- bin/tests/system/Makefile
- bin/tests/system/conf.sh
- bin/tests/system/dlz/prereq.sh
- bin/tests/system/lwresd/Makefile
- bin/tests/system/tkey/Makefile
- bin/tests/headerdep_test.sh
- bin/dnssec/Makefile
- doc/Makefile
- doc/arm/Makefile
- doc/misc/Makefile
- isc-config.sh
- doc/xsl/Makefile
- doc/xsl/isc-docbook-chunk.xsl
- doc/xsl/isc-docbook-html.xsl
- doc/xsl/isc-docbook-latex.xsl
- doc/xsl/isc-manpage.xsl
- doc/doxygen/Doxyfile
- doc/doxygen/Makefile
- doc/doxygen/doxygen-input-filter
])
#
diff --git a/contrib/bind9/doc/arm/Bv9ARM-book.xml b/contrib/bind9/doc/arm/Bv9ARM-book.xml
index 5d179d9a0192..f3f862af7523 100644
--- a/contrib/bind9/doc/arm/Bv9ARM-book.xml
+++ b/contrib/bind9/doc/arm/Bv9ARM-book.xml
@@ -71,7 +71,7 @@
</para>
<para>
- This version of the manual corresponds to BIND version 9.6.
+ This version of the manual corresponds to BIND version 9.8.
</para>
</sect1>
@@ -646,9 +646,9 @@
<para>
ISC <acronym>BIND</acronym> 9 compiles and runs on a large
number
- of Unix-like operating systems and on NT-derived versions of
- Microsoft Windows such as Windows 2000 and Windows XP. For an
- up-to-date
+ of Unix-like operating systems and on
+ Microsoft Windows Server 2003 and 2008, and Windows XP and Vista.
+ For an up-to-date
list of supported systems, see the README file in the top level
directory
of the BIND 9 source distribution.
@@ -682,10 +682,13 @@
// Two corporate subnets we wish to allow queries from.
acl corpnets { 192.168.4.0/24; 192.168.7.0/24; };
options {
- directory "/etc/namedb"; // Working directory
+ // Working directory
+ directory "/etc/namedb";
+
allow-query { corpnets; };
};
-// Provide a reverse mapping for the loopback address 127.0.0.1
+// Provide a reverse mapping for the loopback
+// address 127.0.0.1
zone "0.0.127.in-addr.arpa" {
type master;
file "localhost.rev";
@@ -705,13 +708,18 @@ zone "0.0.127.in-addr.arpa" {
<programlisting>
options {
- directory "/etc/namedb"; // Working directory
- allow-query-cache { none; }; // Do not allow access to cache
- allow-query { any; }; // This is the default
- recursion no; // Do not provide recursive service
+ // Working directory
+ directory "/etc/namedb";
+ // Do not allow access to cache
+ allow-query-cache { none; };
+ // This is the default
+ allow-query { any; };
+ // Do not provide recursive service
+ recursion no;
};
-// Provide a reverse mapping for the loopback address 127.0.0.1
+// Provide a reverse mapping for the loopback
+// address 127.0.0.1
zone "0.0.127.in-addr.arpa" {
type master;
file "localhost.rev";
@@ -721,7 +729,8 @@ zone "0.0.127.in-addr.arpa" {
zone "example.com" {
type master;
file "example.com.db";
- // IP addresses of slave servers allowed to transfer example.com
+ // IP addresses of slave servers allowed to
+ // transfer example.com
allow-transfer {
192.168.4.14;
192.168.5.53;
@@ -1164,7 +1173,62 @@ zone "eng.example.com" {
</varlistentry>
<varlistentry>
+ <term><userinput>sign <replaceable>zone</replaceable>
+ <optional><replaceable>class</replaceable>
+ <optional><replaceable>view</replaceable></optional></optional></userinput></term>
+ <listitem>
+ <para>
+ Fetch all DNSSEC keys for the given zone
+ from the key directory (see
+ <command>key-directory</command> in
+ <xref linkend="options"/>). If they are within
+ their publication period, merge them into the
+ zone's DNSKEY RRset. If the DNSKEY RRset
+ is changed, then the zone is automatically
+ re-signed with the new key set.
+ </para>
+ <para>
+ This command requires that the
+ <command>auto-dnssec</command> zone option be set
+ to <literal>allow</literal> or
+ <literal>maintain</literal>,
+ and also requires the zone to be configured to
+ allow dynamic DNS.
+ See <xref linkend="dynamic_update_policies"/> for
+ more details.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><userinput>loadkeys <replaceable>zone</replaceable>
+ <optional><replaceable>class</replaceable>
+ <optional><replaceable>view</replaceable></optional></optional></userinput></term>
+ <listitem>
+ <para>
+ Fetch all DNSSEC keys for the given zone
+ from the key directory (see
+ <command>key-directory</command> in
+ <xref linkend="options"/>). If they are within
+ their publication period, merge them into the
+ zone's DNSKEY RRset. Unlike <command>rndc
+ sign</command>, however, the zone is not
+ immediately re-signed by the new keys, but is
+ allowed to incrementally re-sign over time.
+ </para>
+ <para>
+ This command requires that the
+ <command>auto-dnssec</command> zone option
+ be set to <literal>maintain</literal>,
+ and also requires the zone to be configured to
+ allow dynamic DNS.
+ See <xref linkend="dynamic_update_policies"/> for
+ more details.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term><userinput>freeze
<optional><replaceable>zone</replaceable>
<optional><replaceable>class</replaceable>
@@ -1273,6 +1337,19 @@ zone "eng.example.com" {
</varlistentry>
<varlistentry>
+ <term><userinput>secroots
+ <optional><replaceable>view ...</replaceable></optional></userinput></term>
+ <listitem>
+ <para>
+ Dump the server's security roots to the secroots
+ file for the specified views. If no view is
+ specified, security roots for all
+ views are dumped.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term><userinput>stop <optional>-p</optional></userinput></term>
<listitem>
<para>
@@ -1361,32 +1438,7 @@ zone "eng.example.com" {
</varlistentry>
<varlistentry>
- <term><userinput>tsig-list</userinput></term>
- <listitem>
- <para>
- List the names of all TSIG keys currently configured
- for use by <command>named</command> in each view. The
- list both statically configured keys and dynamic
- TKEY-negotiated keys.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term><userinput>tsig-delete</userinput>
- <replaceable>keyname</replaceable>
- <optional><replaceable>view</replaceable></optional></term>
- <listitem>
- <para>
- Delete a given TKEY-negotated key from the server.
- (This does not apply to statically configured TSIG
- keys.)
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term><userinput>recursing</userinput></term>
+ <term><userinput>recursing</userinput></term>
<listitem>
<para>
Dump the list of queries <command>named</command> is currently recursing
@@ -1410,6 +1462,90 @@ zone "eng.example.com" {
</listitem>
</varlistentry>
+ <varlistentry>
+ <term><userinput>tsig-list</userinput></term>
+ <listitem>
+ <para>
+ List the names of all TSIG keys currently configured
+ for use by <command>named</command> in each view. The
+ list both statically configured keys and dynamic
+ TKEY-negotiated keys.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><userinput>tsig-delete</userinput>
+ <replaceable>keyname</replaceable>
+ <optional><replaceable>view</replaceable></optional></term>
+ <listitem>
+ <para>
+ Delete a given TKEY-negotated key from the server.
+ (This does not apply to statically configured TSIG
+ keys.)
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><userinput>addzone
+ <replaceable>zone</replaceable>
+ <optional><replaceable>class</replaceable>
+ <optional><replaceable>view</replaceable></optional></optional>
+ <replaceable>configuration</replaceable>
+ </userinput></term>
+ <listitem>
+ <para>
+ Add a zone while the server is running. This
+ command requires the
+ <command>allow-new-zones</command> option to be set
+ to <userinput>yes</userinput>. The
+ <replaceable>configuration</replaceable> string
+ specified on the command line is the zone
+ configuration text that would ordinarily be
+ placed in <filename>named.conf</filename>.
+ </para>
+ <para>
+ The configuration is saved in a file called
+ <filename><replaceable>hash</replaceable>.nzf</filename>,
+ where <replaceable>hash</replaceable> is a
+ cryptographic hash generated from the name of
+ the view. When <command>named</command> is
+ restarted, the file will be loaded into the view
+ configuration, so that zones that were added
+ can persist after a restart.
+ </para>
+ <para>
+ This sample <command>addzone</command> command
+ would add the zone <literal>example.com</literal>
+ to the default view:
+ </para>
+ <para>
+<prompt>$ </prompt><userinput>rndc addzone example.com '{ type master; file "example.com.db"; };'</userinput>
+ </para>
+ <para>
+ (Note the brackets and semi-colon around the zone
+ configuration text.)
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><userinput>delzone
+ <replaceable>zone</replaceable>
+ <optional><replaceable>class</replaceable>
+ <optional><replaceable>view</replaceable></optional></optional>
+ </userinput></term>
+ <listitem>
+ <para>
+ Delete a zone while the server is running.
+ Only zones that were originally added via
+ <command>rndc addzone</command> can be deleted
+ in this matter.
+ </para>
+ </listitem>
+ </varlistentry>
+
</variablelist>
<para>
@@ -1515,7 +1651,8 @@ zone "eng.example.com" {
<programlisting>
key rndc_key {
algorithm "hmac-md5";
- secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
+ secret
+ "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
};
options {
default-server 127.0.0.1;
@@ -1541,7 +1678,8 @@ options {
<programlisting>
controls {
- inet 127.0.0.1 allow { localhost; } keys { rndc_key; };
+ inet 127.0.0.1
+ allow { localhost; } keys { rndc_key; };
};
</programlisting>
@@ -1668,14 +1806,27 @@ controls {
<para>
Dynamic update is enabled by including an
- <command>allow-update</command> or <command>update-policy</command>
- clause in the <command>zone</command> statement. The
- <command>tkey-gssapi-credential</command> and
- <command>tkey-domain</command> clauses in the
- <command>options</command> statement enable the
- server to negotiate keys that can be matched against those
- in <command>update-policy</command> or
- <command>allow-update</command>.
+ <command>allow-update</command> or an <command>update-policy</command>
+ clause in the <command>zone</command> statement.
+ </para>
+
+ <para>
+ If the zone's <command>update-policy</command> is set to
+ <userinput>local</userinput>, updates to the zone
+ will be permitted for the key <varname>local-ddns</varname>,
+ which will be generated by <command>named</command> at startup.
+ See <xref linkend="dynamic_update_policies"/> for more details.
+ </para>
+
+ <para>
+ Dynamic updates using Kerberos signed requests can be made
+ using the TKEY/GSS protocol by setting either the
+ <command>tkey-gssapi-keytab</command> option, or alternatively
+ by setting both the <command>tkey-gssapi-credential</command>
+ and <command>tkey-domain</command> options. Once enabled,
+ Kerberos signed requests will be matched against the update
+ policies for the zone, using the Kerberos principal as the
+ signer for the request.
</para>
<para>
@@ -1687,7 +1838,7 @@ controls {
</para>
<sect2 id="journal">
- <title>The journal file</title>
+ <title>The journal file</title>
<para>
All changes made to a zone using dynamic update are stored
@@ -1843,7 +1994,7 @@ controls {
and <filename>site2.example.com</filename>, to the servers
in the
DMZ. These internal servers will have complete sets of information
- for <filename>site1.example.com</filename>, <filename>site2.example.com</filename>,<emphasis/> <filename>site1.internal</filename>,
+ for <filename>site1.example.com</filename>, <filename>site2.example.com</filename>, <filename>site1.internal</filename>,
and <filename>site2.internal</filename>.
</para>
<para>
@@ -1956,26 +2107,32 @@ options {
...
...
forward only;
- forwarders { // forward to external servers
+ // forward to external servers
+ forwarders {
<varname>bastion-ips-go-here</varname>;
};
- allow-transfer { none; }; // sample allow-transfer (no one)
- allow-query { internals; externals; }; // restrict query access
- allow-recursion { internals; }; // restrict recursion
+ // sample allow-transfer (no one)
+ allow-transfer { none; };
+ // restrict query access
+ allow-query { internals; externals; };
+ // restrict recursion
+ allow-recursion { internals; };
...
...
};
-zone "site1.example.com" { // sample master zone
+// sample master zone
+zone "site1.example.com" {
type master;
file "m/site1.example.com";
- forwarders { }; // do normal iterative
- // resolution (do not forward)
+ // do normal iterative resolution (do not forward)
+ forwarders { };
allow-query { internals; externals; };
allow-transfer { internals; };
};
-zone "site2.example.com" { // sample slave zone
+// sample slave zone
+zone "site2.example.com" {
type slave;
file "s/site2.example.com";
masters { 172.16.72.3; };
@@ -2014,15 +2171,20 @@ acl externals { bastion-ips-go-here; };
options {
...
...
- allow-transfer { none; }; // sample allow-transfer (no one)
- allow-query { any; }; // default query access
- allow-query-cache { internals; externals; }; // restrict cache access
- allow-recursion { internals; externals; }; // restrict recursion
+ // sample allow-transfer (no one)
+ allow-transfer { none; };
+ // default query access
+ allow-query { any; };
+ // restrict cache access
+ allow-query-cache { internals; externals; };
+ // restrict recursion
+ allow-recursion { internals; externals; };
...
...
};
-zone "site1.example.com" { // sample slave zone
+// sample slave zone
+zone "site1.example.com" {
type master;
file "m/site1.foo.com";
allow-transfer { internals; externals; };
@@ -2216,9 +2378,8 @@ allow-update { key host1-host2. ;};
</para>
<para>
- You may want to read about the more powerful
- <command>update-policy</command> statement in
- <xref linkend="dynamic_update_policies"/>.
+ See <xref linkend="dynamic_update_policies"/> for a discussion of
+ the more flexible <command>update-policy</command> statement.
</para>
</sect2>
@@ -2482,12 +2643,23 @@ allow-update { key host1-host2. ;};
<para>
To enable <command>named</command> to validate answers from
- other servers, the <command>dnssec-enable</command> and
- <command>dnssec-validation</command> options must both be
- set to yes (the default setting in <acronym>BIND</acronym> 9.5
- and later), and at least one trust anchor must be configured
- with a <command>trusted-keys</command> statement in
- <filename>named.conf</filename>.
+ other servers, the <command>dnssec-enable</command> option
+ must be set to <userinput>yes</userinput>, and the
+ <command>dnssec-validation</command> options must be set to
+ <userinput>yes</userinput> or <userinput>auto</userinput>.
+ </para>
+
+ <para>
+ If <command>dnssec-validation</command> is set to
+ <userinput>auto</userinput>, then a default
+ trust anchor for the DNS root zone will be used.
+ If it is set to <userinput>yes</userinput>, however,
+ then at least one trust anchor must be configured
+ with a <command>trusted-keys</command> or
+ <command>managed-keys</command> statement in
+ <filename>named.conf</filename>, or DNSSEC validation
+ will not occur. The default setting is
+ <userinput>yes</userinput>.
</para>
<para>
@@ -2500,7 +2672,14 @@ allow-update { key host1-host2. ;};
</para>
<para>
- <command>trusted-keys</command> are described in more detail
+ <command>managed-keys</command> are trusted keys which are
+ automatically kept up to date via RFC 5011 trust anchor
+ maintenance.
+ </para>
+
+ <para>
+ <command>trusted-keys</command> and
+ <command>managed-keys</command> are described in more detail
later in this document.
</para>
@@ -2513,45 +2692,59 @@ allow-update { key host1-host2. ;};
<para>
After DNSSEC gets established, a typical DNSSEC configuration
- will look something like the following. It has a one or
+ will look something like the following. It has one or
more public keys for the root. This allows answers from
outside the organization to be validated. It will also
have several keys for parts of the namespace the organization
- controls. These are here to ensure that <command>named</command> is immune
- to compromises in the DNSSEC components of the security
- of parent zones.
+ controls. These are here to ensure that <command>named</command>
+ is immune to compromises in the DNSSEC components of the security
+ of parent zones.
</para>
<programlisting>
-trusted-keys {
-
+managed-keys {
/* Root Key */
-"." 257 3 3 "BNY4wrWM1nCfJ+CXd0rVXyYmobt7sEEfK3clRbGaTwSJxrGkxJWoZu6I7PzJu/
- E9gx4UC1zGAHlXKdE4zYIpRhaBKnvcC2U9mZhkdUpd1Vso/HAdjNe8LmMlnzY3
- zy2Xy4klWOADTPzSv9eamj8V18PHGjBLaVtYvk/ln5ZApjYghf+6fElrmLkdaz
- MQ2OCnACR817DF4BBa7UR/beDHyp5iWTXWSi6XmoJLbG9Scqc7l70KDqlvXR3M
- /lUUVRbkeg1IPJSidmK3ZyCllh4XSKbje/45SKucHgnwU5jefMtq66gKodQj+M
- iA21AfUVe7u99WzTLzY3qlxDhxYQQ20FQ97S+LKUTpQcq27R7AT3/V5hRQxScI
- Nqwcz4jYqZD2fQdgxbcDTClU0CRBdiieyLMNzXG3";
-
-/* Key for our organization's forward zone */
-example.com. 257 3 5 "AwEAAaxPMcR2x0HbQV4WeZB6oEDX+r0QM65KbhTjrW1ZaARmPhEZZe
- 3Y9ifgEuq7vZ/zGZUdEGNWy+JZzus0lUptwgjGwhUS1558Hb4JKUbb
- OTcM8pwXlj0EiX3oDFVmjHO444gLkBO UKUf/mC7HvfwYH/Be22GnC
- lrinKJp1Og4ywzO9WglMk7jbfW33gUKvirTHr25GL7STQUzBb5Usxt
- 8lgnyTUHs1t3JwCY5hKZ6CqFxmAVZP20igTixin/1LcrgX/KMEGd/b
- iuvF4qJCyduieHukuY3H4XMAcR+xia2 nIUPvm/oyWR8BW/hWdzOvn
- SCThlHf3xiYleDbt/o1OTQ09A0=";
-
-/* Key for our reverse zone. */
-2.0.192.IN-ADDRPA.NET. 257 3 5 "AQOnS4xn/IgOUpBPJ3bogzwcxOdNax071L18QqZnQQQA
- VVr+iLhGTnNGp3HoWQLUIzKrJVZ3zggy3WwNT6kZo6c0
- tszYqbtvchmgQC8CzKojM/W16i6MG/ea fGU3siaOdS0
- yOI6BgPsw+YZdzlYMaIJGf4M4dyoKIhzdZyQ2bYQrjyQ
- 4LB0lC7aOnsMyYKHHYeRv PxjIQXmdqgOJGq+vsevG06
- zW+1xgYJh9rCIfnm1GX/KMgxLPG2vXTD/RnLX+D3T3UL
- 7HJYHJhAZD5L59VvjSPsZJHeDCUyWYrvPZesZDIRvhDD
- 52SKvbheeTJUm6EhkzytNN2SN96QRk8j/iI8ib";
+ "." initial-key 257 3 3 "BNY4wrWM1nCfJ+CXd0rVXyYmobt7sEEfK3clRbGaTwS
+ JxrGkxJWoZu6I7PzJu/E9gx4UC1zGAHlXKdE4zYIpRh
+ aBKnvcC2U9mZhkdUpd1Vso/HAdjNe8LmMlnzY3zy2Xy
+ 4klWOADTPzSv9eamj8V18PHGjBLaVtYvk/ln5ZApjYg
+ hf+6fElrmLkdaz MQ2OCnACR817DF4BBa7UR/beDHyp
+ 5iWTXWSi6XmoJLbG9Scqc7l70KDqlvXR3M/lUUVRbke
+ g1IPJSidmK3ZyCllh4XSKbje/45SKucHgnwU5jefMtq
+ 66gKodQj+MiA21AfUVe7u99WzTLzY3qlxDhxYQQ20FQ
+ 97S+LKUTpQcq27R7AT3/V5hRQxScINqwcz4jYqZD2fQ
+ dgxbcDTClU0CRBdiieyLMNzXG3";
+};
+
+trusted-keys {
+ /* Key for our organization's forward zone */
+ example.com. 257 3 5 "AwEAAaxPMcR2x0HbQV4WeZB6oEDX+r0QM6
+ 5KbhTjrW1ZaARmPhEZZe3Y9ifgEuq7vZ/z
+ GZUdEGNWy+JZzus0lUptwgjGwhUS1558Hb
+ 4JKUbbOTcM8pwXlj0EiX3oDFVmjHO444gL
+ kBOUKUf/mC7HvfwYH/Be22GnClrinKJp1O
+ g4ywzO9WglMk7jbfW33gUKvirTHr25GL7S
+ TQUzBb5Usxt8lgnyTUHs1t3JwCY5hKZ6Cq
+ FxmAVZP20igTixin/1LcrgX/KMEGd/biuv
+ F4qJCyduieHukuY3H4XMAcR+xia2nIUPvm
+ /oyWR8BW/hWdzOvnSCThlHf3xiYleDbt/o
+ 1OTQ09A0=";
+
+ /* Key for our reverse zone. */
+ 2.0.192.IN-ADDRPA.NET. 257 3 5 "AQOnS4xn/IgOUpBPJ3bogzwc
+ xOdNax071L18QqZnQQQAVVr+i
+ LhGTnNGp3HoWQLUIzKrJVZ3zg
+ gy3WwNT6kZo6c0tszYqbtvchm
+ gQC8CzKojM/W16i6MG/eafGU3
+ siaOdS0yOI6BgPsw+YZdzlYMa
+ IJGf4M4dyoKIhzdZyQ2bYQrjy
+ Q4LB0lC7aOnsMyYKHHYeRvPxj
+ IQXmdqgOJGq+vsevG06zW+1xg
+ YJh9rCIfnm1GX/KMgxLPG2vXT
+ D/RnLX+D3T3UL7HJYHJhAZD5L
+ 59VvjSPsZJHeDCUyWYrvPZesZ
+ DIRvhDD52SKvbheeTJUm6Ehkz
+ ytNN2SN96QRk8j/iI8ib";
};
options {
@@ -2604,6 +2797,13 @@ options {
</sect2>
</sect1>
+
+ <xi:include href="dnssec.xml"/>
+
+ <xi:include href="managed-keys.xml"/>
+
+ <xi:include href="pkcs11.xml"/>
+
<sect1>
<title>IPv6 Support in <acronym>BIND</acronym> 9</title>
@@ -2682,7 +2882,8 @@ host 3600 IN AAAA 2001:db8::1
<programlisting>
$ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
-1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 14400 IN PTR host.example.com.
+1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 14400 IN PTR (
+ host.example.com. )
</programlisting>
</sect2>
@@ -2860,6 +3061,19 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
<row rowsep="0">
<entry colname="1">
<para>
+ <varname>namelist</varname>
+ </para>
+ </entry>
+ <entry colname="2">
+ <para>
+ A list of one or more <varname>domain_name</varname>
+ elements.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para>
<varname>dotted_decimal</varname>
</para>
</entry>
@@ -3253,7 +3467,8 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
<para>
<programlisting>/* This is a <acronym>BIND</acronym> comment as in C */</programlisting>
<programlisting>// This is a <acronym>BIND</acronym> comment as in C++</programlisting>
- <programlisting># This is a <acronym>BIND</acronym> comment as in common UNIX shells and perl</programlisting>
+ <programlisting># This is a <acronym>BIND</acronym> comment as in common UNIX shells
+# and perl</programlisting>
</para>
</sect3>
<sect3>
@@ -3468,6 +3683,17 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
</row>
<row rowsep="0">
<entry colname="1">
+ <para><command>managed-keys</command></para>
+ </entry>
+ <entry colname="2">
+ <para>
+ lists DNSSEC keys to be kept up to date
+ using RFC 5011 trust anchor maintenance.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
<para><command>view</command></para>
</entry>
<entry colname="2">
@@ -3588,10 +3814,12 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
<title><command>controls</command> Statement Grammar</title>
<programlisting><command>controls</command> {
- [ inet ( ip_addr | * ) [ port ip_port ] allow { <replaceable> address_match_list </replaceable> }
+ [ inet ( ip_addr | * ) [ port ip_port ]
+ allow { <replaceable> address_match_list </replaceable> }
keys { <replaceable>key_list</replaceable> }; ]
[ inet ...; ]
- [ unix <replaceable>path</replaceable> perm <replaceable>number</replaceable> owner <replaceable>number</replaceable> group <replaceable>number</replaceable> keys { <replaceable>key_list</replaceable> }; ]
+ [ unix <replaceable>path</replaceable> perm <replaceable>number</replaceable> owner <replaceable>number</replaceable> group <replaceable>number</replaceable>
+ keys { <replaceable>key_list</replaceable> }; ]
[ unix ...; ]
};
</programlisting>
@@ -4060,32 +4288,30 @@ notrace</command>. All debugging messages in the server have a debug
</para>
<programlisting>channel default_syslog {
- syslog daemon; // send to syslog's daemon
- // facility
- severity info; // only send priority info
- // and higher
-};
+ // send to syslog's daemon facility
+ syslog daemon;
+ // only send priority info and higher
+ severity info;
channel default_debug {
- file "named.run"; // write to named.run in
- // the working directory
- // Note: stderr is used instead
- // of "named.run"
- // if the server is started
- // with the '-f' option.
- severity dynamic; // log at the server's
- // current debug level
+ // write to named.run in the working directory
+ // Note: stderr is used instead of "named.run" if
+ // the server is started with the '-f' option.
+ file "named.run";
+ // log at the server's current debug level
+ severity dynamic;
};
channel default_stderr {
- stderr; // writes to stderr
- severity info; // only send priority info
- // and higher
+ // writes to stderr
+ stderr;
+ // only send priority info and higher
+ severity info;
};
channel null {
- null; // toss anything sent to
- // this channel
+ // toss anything sent to this channel
+ null;
};
</programlisting>
@@ -4337,12 +4563,14 @@ category notify { null; };
<para>
The query log entry reports the client's IP
address and port number, and the query name,
- class and type. It also reports whether the
+ class and type. Next it reports whether the
Recursion Desired flag was set (+ if set, -
if not set), if the query was signed (S),
- EDNS was in use (E), if DO (DNSSEC Ok) was
- set (D), or if CD (Checking Disabled) was set
- (C).
+ EDNS was in use (E), if TCP was used (T), if
+ DO (DNSSEC Ok) was set (D), or if CD (Checking
+ Disabled) was set (C). After this the
+ destination address the query was sent to is
+ reported.
</para>
<para>
@@ -4445,6 +4673,19 @@ category notify { null; };
</para>
</entry>
</row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>RPZ</command></para>
+ </entry>
+ <entry colname="2">
+ <para>
+ Information about errors in response policy zone files,
+ rewritten responses, and at the highest
+ <command>debug</command> levels, mere rewriting
+ attempts.
+ </para>
+ </entry>
+ </row>
</tbody>
</tgroup>
</informaltable>
@@ -4482,7 +4723,13 @@ category notify { null; };
The log message will look like as follows:
</para>
<para>
- <computeroutput>fetch completed at resolver.c:2970 for www.example.com/A in 30.000183: timed out/success [domain:example.com,referral:2,restart:7,qrysent:8,timeout:5,lame:0,neterr:0,badresp:1,adberr:0,findfail:0,valfail:0]</computeroutput>
+<!-- NOTE: newlines and some spaces added so this would fit on page -->
+ <programlisting>
+fetch completed at resolver.c:2970 for www.example.com/A
+in 30.000183: timed out/success [domain:example.com,
+referral:2,restart:7,qrysent:8,timeout:5,lame:0,neterr:0,
+badresp:1,adberr:0,findfail:0,valfail:0]
+ </programlisting>
</para>
<para>
The first part before the colon shows that a recursive
@@ -4514,8 +4761,8 @@ category notify { null; };
<informaltable colsep="0" rowsep="0">
<tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="4Level-table">
- <colspec colname="1" colnum="1" colsep="0" />
- <colspec colname="2" colnum="2" colsep="0" />
+ <colspec colname="1" colnum="1" colsep="0" colwidth="1.150in"/>
+ <colspec colname="2" colnum="2" colsep="0" colwidth="3.350in"/>
<tbody>
<row rowsep="0">
<entry colname="1">
@@ -4680,7 +4927,8 @@ category notify { null; };
</para>
<programlisting><command>lwres</command> {
- <optional> listen-on { <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
+ <optional> listen-on { <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ;
+ <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
<optional> view <replaceable>view_name</replaceable>; </optional>
<optional> search { <replaceable>domain_name</replaceable> ; <optional> <replaceable>domain_name</replaceable> ; ... </optional> }; </optional>
<optional> ndots <replaceable>number</replaceable>; </optional>
@@ -4747,7 +4995,8 @@ category notify { null; };
<title><command>masters</command> Statement Grammar</title>
<programlisting>
-<command>masters</command> <replaceable>name</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> { ( <replaceable>masters_list</replaceable> | <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> <optional>key <replaceable>key</replaceable></optional> ) ; <optional>...</optional> };
+<command>masters</command> <replaceable>name</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> { ( <replaceable>masters_list</replaceable> |
+ <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> <optional>key <replaceable>key</replaceable></optional> ) ; <optional>...</optional> };
</programlisting>
</sect2>
@@ -4770,17 +5019,25 @@ category notify { null; };
</para>
<programlisting><command>options</command> {
+ <optional> attach-cache <replaceable>cache_name</replaceable>; </optional>
<optional> version <replaceable>version_string</replaceable>; </optional>
<optional> hostname <replaceable>hostname_string</replaceable>; </optional>
<optional> server-id <replaceable>server_id_string</replaceable>; </optional>
<optional> directory <replaceable>path_name</replaceable>; </optional>
<optional> key-directory <replaceable>path_name</replaceable>; </optional>
+ <optional> managed-keys-directory <replaceable>path_name</replaceable>; </optional>
<optional> named-xfer <replaceable>path_name</replaceable>; </optional>
+ <optional> tkey-gssapi-keytab <replaceable>path_name</replaceable>; </optional>
<optional> tkey-gssapi-credential <replaceable>principal</replaceable>; </optional>
<optional> tkey-domain <replaceable>domainname</replaceable>; </optional>
<optional> tkey-dhkey <replaceable>key_name</replaceable> <replaceable>key_tag</replaceable>; </optional>
<optional> cache-file <replaceable>path_name</replaceable>; </optional>
<optional> dump-file <replaceable>path_name</replaceable>; </optional>
+ <optional> bindkeys-file <replaceable>path_name</replaceable>; </optional>
+ <optional> secroots-file <replaceable>path_name</replaceable>; </optional>
+ <optional> session-keyfile <replaceable>path_name</replaceable>; </optional>
+ <optional> session-keyname <replaceable>key_name</replaceable>; </optional>
+ <optional> session-keyalg <replaceable>algorithm_id</replaceable>; </optional>
<optional> memstatistics <replaceable>yes_or_no</replaceable>; </optional>
<optional> memstatistics-file <replaceable>path_name</replaceable>; </optional>
<optional> pid-file <replaceable>path_name</replaceable>; </optional>
@@ -4805,8 +5062,10 @@ category notify { null; };
<optional> maintain-ixfr-base <replaceable>yes_or_no</replaceable>; </optional>
<optional> ixfr-from-differences (<replaceable>yes_or_no</replaceable> | <constant>master</constant> | <constant>slave</constant>); </optional>
<optional> dnssec-enable <replaceable>yes_or_no</replaceable>; </optional>
- <optional> dnssec-validation <replaceable>yes_or_no</replaceable>; </optional>
- <optional> dnssec-lookaside <replaceable>domain</replaceable> trust-anchor <replaceable>domain</replaceable>; </optional>
+ <optional> dnssec-validation (<replaceable>yes_or_no</replaceable> | <constant>auto</constant>); </optional>
+ <optional> dnssec-lookaside ( <replaceable>auto</replaceable> |
+ <replaceable>no</replaceable> |
+ <replaceable>domain</replaceable> trust-anchor <replaceable>domain</replaceable> ); </optional>
<optional> dnssec-must-be-secure <replaceable>domain yes_or_no</replaceable>; </optional>
<optional> dnssec-accept-expired <replaceable>yes_or_no</replaceable>; </optional>
<optional> forward ( <replaceable>only</replaceable> | <replaceable>first</replaceable> ); </optional>
@@ -4817,12 +5076,14 @@ category notify { null; };
... }; </optional>
<optional> check-names ( <replaceable>master</replaceable> | <replaceable>slave</replaceable> | <replaceable>response</replaceable> )
( <replaceable>warn</replaceable> | <replaceable>fail</replaceable> | <replaceable>ignore</replaceable> ); </optional>
+ <optional> check-dup-records ( <replaceable>warn</replaceable> | <replaceable>fail</replaceable> | <replaceable>ignore</replaceable> ); </optional>
<optional> check-mx ( <replaceable>warn</replaceable> | <replaceable>fail</replaceable> | <replaceable>ignore</replaceable> ); </optional>
<optional> check-wildcard <replaceable>yes_or_no</replaceable>; </optional>
<optional> check-integrity <replaceable>yes_or_no</replaceable>; </optional>
<optional> check-mx-cname ( <replaceable>warn</replaceable> | <replaceable>fail</replaceable> | <replaceable>ignore</replaceable> ); </optional>
<optional> check-srv-cname ( <replaceable>warn</replaceable> | <replaceable>fail</replaceable> | <replaceable>ignore</replaceable> ); </optional>
<optional> check-sibling <replaceable>yes_or_no</replaceable>; </optional>
+ <optional> allow-new-zones { <replaceable>yes_or_no</replaceable> }; </optional>
<optional> allow-notify { <replaceable>address_match_list</replaceable> }; </optional>
<optional> allow-query { <replaceable>address_match_list</replaceable> }; </optional>
<optional> allow-query-on { <replaceable>address_match_list</replaceable> }; </optional>
@@ -4834,6 +5095,8 @@ category notify { null; };
<optional> allow-update { <replaceable>address_match_list</replaceable> }; </optional>
<optional> allow-update-forwarding { <replaceable>address_match_list</replaceable> }; </optional>
<optional> update-check-ksk <replaceable>yes_or_no</replaceable>; </optional>
+ <optional> dnssec-dnskey-kskonly <replaceable>yes_or_no</replaceable>; </optional>
+ <optional> dnssec-secure-to-insecure <replaceable>yes_or_no</replaceable> ;</optional>
<optional> try-tcp-refresh <replaceable>yes_or_no</replaceable>; </optional>
<optional> allow-v6-synthesis { <replaceable>address_match_list</replaceable> }; </optional>
<optional> blackhole { <replaceable>address_match_list</replaceable> }; </optional>
@@ -4845,12 +5108,12 @@ category notify { null; };
<optional> listen-on-v6 <optional> port <replaceable>ip_port</replaceable> </optional> { <replaceable>address_match_list</replaceable> }; </optional>
<optional> query-source ( ( <replaceable>ip4_addr</replaceable> | <replaceable>*</replaceable> )
<optional> port ( <replaceable>ip_port</replaceable> | <replaceable>*</replaceable> ) </optional> |
- <optional> address ( <replaceable>ip4_addr</replaceable> | <replaceable>*</replaceable> ) </optional>
- <optional> port ( <replaceable>ip_port</replaceable> | <replaceable>*</replaceable> ) </optional> ) ; </optional>
+ <optional> address ( <replaceable>ip4_addr</replaceable> | <replaceable>*</replaceable> ) </optional>
+ <optional> port ( <replaceable>ip_port</replaceable> | <replaceable>*</replaceable> ) </optional> ) ; </optional>
<optional> query-source-v6 ( ( <replaceable>ip6_addr</replaceable> | <replaceable>*</replaceable> )
- <optional> port ( <replaceable>ip_port</replaceable> | <replaceable>*</replaceable> ) </optional> |
- <optional> address ( <replaceable>ip6_addr</replaceable> | <replaceable>*</replaceable> ) </optional>
- <optional> port ( <replaceable>ip_port</replaceable> | <replaceable>*</replaceable> ) </optional> ) ; </optional>
+ <optional> port ( <replaceable>ip_port</replaceable> | <replaceable>*</replaceable> ) </optional> |
+ <optional> address ( <replaceable>ip6_addr</replaceable> | <replaceable>*</replaceable> ) </optional>
+ <optional> port ( <replaceable>ip_port</replaceable> | <replaceable>*</replaceable> ) </optional> ) ; </optional>
<optional> use-queryport-pool <replaceable>yes_or_no</replaceable>; </optional>
<optional> queryport-pool-ports <replaceable>number</replaceable>; </optional>
<optional> queryport-pool-updateinterval <replaceable>number</replaceable>; </optional>
@@ -4871,13 +5134,15 @@ category notify { null; };
<optional> transfer-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
<optional> transfer-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
<optional> alt-transfer-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
- <optional> alt-transfer-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
+ <optional> alt-transfer-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>)
+ <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
<optional> use-alt-transfer-source <replaceable>yes_or_no</replaceable>; </optional>
<optional> notify-delay <replaceable>seconds</replaceable> ; </optional>
<optional> notify-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
<optional> notify-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
<optional> notify-to-soa <replaceable>yes_or_no</replaceable> ; </optional>
- <optional> also-notify { <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
+ <optional> also-notify { <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ;
+ <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
<optional> max-ixfr-log-size <replaceable>number</replaceable>; </optional>
<optional> max-journal-size <replaceable>size_spec</replaceable>; </optional>
<optional> coresize <replaceable>size_spec</replaceable> ; </optional>
@@ -4913,12 +5178,25 @@ category notify { null; };
<optional> random-device <replaceable>path_name</replaceable> ; </optional>
<optional> max-cache-size <replaceable>size_spec</replaceable> ; </optional>
<optional> match-mapped-addresses <replaceable>yes_or_no</replaceable>; </optional>
+ <optional> filter-aaaa-on-v4 ( <replaceable>yes_or_no</replaceable> | <replaceable>break-dnssec</replaceable> ); </optional>
+ <optional> filter-aaaa { <replaceable>address_match_list</replaceable> }; </optional>
+ <optional> dns64 <replaceable>IPv6-prefix</replaceable> {
+ <optional> clients { <replaceable>address_match_list</replaceable> }; </optional>
+ <optional> mapped { <replaceable>address_match_list</replaceable> }; </optional>
+ <optional> exclude { <replaceable>address_match_list</replaceable> }; </optional>
+ <optional> suffix IPv6-address; </optional>
+ <optional> recursive-only <replaceable>yes_or_no</replaceable>; </optional>
+ <optional> break-dnssec <replaceable>yes_or_no</replaceable>; </optional>
+ }; </optional>;
+ <optional> dns64-server <replaceable>name</replaceable> </optional>
+ <optional> dns64-contact <replaceable>name</replaceable> </optional>
<optional> preferred-glue ( <replaceable>A</replaceable> | <replaceable>AAAA</replaceable> | <replaceable>NONE</replaceable> ); </optional>
<optional> edns-udp-size <replaceable>number</replaceable>; </optional>
<optional> max-udp-size <replaceable>number</replaceable>; </optional>
<optional> root-delegation-only <optional> exclude { <replaceable>namelist</replaceable> } </optional> ; </optional>
<optional> querylog <replaceable>yes_or_no</replaceable> ; </optional>
- <optional> disable-algorithms <replaceable>domain</replaceable> { <replaceable>algorithm</replaceable>; <optional> <replaceable>algorithm</replaceable>; </optional> }; </optional>
+ <optional> disable-algorithms <replaceable>domain</replaceable> { <replaceable>algorithm</replaceable>;
+ <optional> <replaceable>algorithm</replaceable>; </optional> }; </optional>
<optional> acache-enable <replaceable>yes_or_no</replaceable> ; </optional>
<optional> acache-cleaning-interval <replaceable>number</replaceable>; </optional>
<optional> max-acache-size <replaceable>size_spec</replaceable> ; </optional>
@@ -4931,6 +5209,14 @@ category notify { null; };
<optional> disable-empty-zone <replaceable>zone_name</replaceable> ; </optional>
<optional> zero-no-soa-ttl <replaceable>yes_or_no</replaceable> ; </optional>
<optional> zero-no-soa-ttl-cache <replaceable>yes_or_no</replaceable> ; </optional>
+ <optional> resolver-query-timeout <replaceable>number</replaceable> ; </optional>
+ <optional> deny-answer-addresses { <replaceable>address_match_list</replaceable> } <optional> except-from { <replaceable>namelist</replaceable> } </optional>;</optional>
+ <optional> deny-answer-aliases { <replaceable>namelist</replaceable> } <optional> except-from { <replaceable>namelist</replaceable> } </optional>;</optional>
+ <optional> response-policy { <replaceable>zone_name</replaceable>
+ <optional> policy given | disabled | passthru | nxdomain | nodata | cname <replaceable>domain</replaceable> </optional>
+ <optional> recursive-only <replaceable>yes_or_no</replaceable> </optional> <optional> max-policy-ttl <replaceable>number</replaceable> </optional> ;
+ } <optional> recursive-only <replaceable>yes_or_no</replaceable> </optional> <optional> max-policy-ttl <replaceable>number</replaceable> </optional>
+ <optional> break-dnssec <replaceable>yes_or_no</replaceable> </optional> ; </optional>
};
</programlisting>
@@ -4952,6 +5238,102 @@ category notify { null; };
<variablelist>
+ <varlistentry>
+ <term><command>attach-cache</command></term>
+ <listitem>
+ <para>
+ Allows multiple views to share a single cache
+ database.
+ Each view has its own cache database by default, but
+ if multiple views have the same operational policy
+ for name resolution and caching, those views can
+ share a single cache to save memory and possibly
+ improve resolution efficiency by using this option.
+ </para>
+
+ <para>
+ The <command>attach-cache</command> option
+ may also be specified in <command>view</command>
+ statements, in which case it overrides the
+ global <command>attach-cache</command> option.
+ </para>
+
+ <para>
+ The <replaceable>cache_name</replaceable> specifies
+ the cache to be shared.
+ When the <command>named</command> server configures
+ views which are supposed to share a cache, it
+ creates a cache with the specified name for the
+ first view of these sharing views.
+ The rest of the views will simply refer to the
+ already created cache.
+ </para>
+
+ <para>
+ One common configuration to share a cache would be to
+ allow all views to share a single cache.
+ This can be done by specifying
+ the <command>attach-cache</command> as a global
+ option with an arbitrary name.
+ </para>
+
+ <para>
+ Another possible operation is to allow a subset of
+ all views to share a cache while the others to
+ retain their own caches.
+ For example, if there are three views A, B, and C,
+ and only A and B should share a cache, specify the
+ <command>attach-cache</command> option as a view A (or
+ B)'s option, referring to the other view name:
+ </para>
+
+<programlisting>
+ view "A" {
+ // this view has its own cache
+ ...
+ };
+ view "B" {
+ // this view refers to A's cache
+ attach-cache "A";
+ };
+ view "C" {
+ // this view has its own cache
+ ...
+ };
+</programlisting>
+
+ <para>
+ Views that share a cache must have the same policy
+ on configurable parameters that may affect caching.
+ The current implementation requires the following
+ configurable options be consistent among these
+ views:
+ <command>check-names</command>,
+ <command>cleaning-interval</command>,
+ <command>dnssec-accept-expired</command>,
+ <command>dnssec-validation</command>,
+ <command>max-cache-ttl</command>,
+ <command>max-ncache-ttl</command>,
+ <command>max-cache-size</command>, and
+ <command>zero-no-soa-ttl</command>.
+ </para>
+
+ <para>
+ Note that there may be other parameters that may
+ cause confusion if they are inconsistent for
+ different views that share a single cache.
+ For example, if these views define different sets of
+ forwarders that can return different answers for the
+ same question, sharing the answer does not make
+ sense or could even be harmful.
+ It is administrator's responsibility to ensure
+ configuration differences in different views do
+ not cause disruption with a shared cache.
+ </para>
+ </listitem>
+
+ </varlistentry>
+
<varlistentry>
<term><command>directory</command></term>
<listitem>
@@ -4979,10 +5361,24 @@ category notify { null; };
When performing dynamic update of secure zones, the
directory where the public and private DNSSEC key files
should be found, if different than the current working
- directory. The directory specified must be an absolute
- path. (Note that this option has no effect on the paths
- for files containing non-DNSSEC keys such as the
- <filename>rndc.key</filename>.
+ directory. (Note that this option has no effect on the
+ paths for files containing non-DNSSEC keys such as
+ <filename>bind.keys</filename>,
+ <filename>rndc.key</filename> or
+ <filename>session.key</filename>.)
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>managed-keys-directory</command></term>
+ <listitem>
+ <para>
+ The directory used to hold the files used to track managed keys.
+ By default it is the working directory. It there are no
+ views then the file <filename>managed-keys.bind</filename>
+ otherwise a SHA256 hash of the view name is used with
+ <filename>.mkeys</filename> extension added.
</para>
</listitem>
</varlistentry>
@@ -5002,19 +5398,33 @@ category notify { null; };
</varlistentry>
<varlistentry>
+ <term><command>tkey-gssapi-keytab</command></term>
+ <listitem>
+ <para>
+ The KRB5 keytab file to use for GSS-TSIG updates. If
+ this option is set and tkey-gssapi-credential is not
+ set, then updates will be allowed with any key
+ matching a principal in the specified keytab.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term><command>tkey-gssapi-credential</command></term>
<listitem>
<para>
The security credential with which the server should
authenticate keys requested by the GSS-TSIG protocol.
Currently only Kerberos 5 authentication is available
- and the credential is a Kerberos principal which
- the server can acquire through the default system
- key file, normally <filename>/etc/krb5.keytab</filename>.
- Normally this principal is of the form
- "<userinput>DNS/</userinput><varname>server.domain</varname>".
- To use GSS-TSIG, <command>tkey-domain</command>
- must also be set.
+ and the credential is a Kerberos principal which the
+ server can acquire through the default system key
+ file, normally <filename>/etc/krb5.keytab</filename>.
+ The location keytab file can be overridden using the
+ tkey-gssapi-keytab option. Normally this principal is
+ of the form "<userinput>DNS/</userinput><varname>server.domain</varname>".
+ To use GSS-TSIG, <command>tkey-domain</command> must
+ also be set if a specific keytab is not set with
+ tkey-gssapi-keytab.
</para>
</listitem>
</varlistentry>
@@ -5036,7 +5446,8 @@ category notify { null; };
should be the server's domain name, or an otherwise
non-existent subdomain like
"_tkey.<varname>domainname</varname>". If you are
- using GSS-TSIG, this variable must be defined.
+ using GSS-TSIG, this variable must be defined, unless
+ you specify a specific keytab using tkey-gssapi-keytab.
</para>
</listitem>
</varlistentry>
@@ -5135,6 +5546,72 @@ category notify { null; };
</varlistentry>
<varlistentry>
+ <term><command>bindkeys-file</command></term>
+ <listitem>
+ <para>
+ The pathname of a file to override the built-in trusted
+ keys provided by <command>named</command>.
+ See the discussion of <command>dnssec-lookaside</command>
+ and <command>dnssec-validation</command> for details.
+ If not specified, the default is
+ <filename>/etc/bind.keys</filename>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>secroots-file</command></term>
+ <listitem>
+ <para>
+ The pathname of the file the server dumps
+ security roots to when instructed to do so with
+ <command>rndc secroots</command>.
+ If not specified, the default is
+ <filename>named.secroots</filename>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>session-keyfile</command></term>
+ <listitem>
+ <para>
+ The pathname of the file into which to write a TSIG
+ session key generated by <command>named</command> for use by
+ <command>nsupdate -l</command>. If not specified, the
+ default is <filename>/var/run/named/session.key</filename>.
+ (See <xref linkend="dynamic_update_policies"/>, and in
+ particular the discussion of the
+ <command>update-policy</command> statement's
+ <userinput>local</userinput> option for more
+ information about this feature.)
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>session-keyname</command></term>
+ <listitem>
+ <para>
+ The key name to use for the TSIG session key.
+ If not specified, the default is "local-ddns".
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>session-keyalg</command></term>
+ <listitem>
+ <para>
+ The algorithm to use for the TSIG session key.
+ Valid values are hmac-sha1, hmac-sha224, hmac-sha256,
+ hmac-sha384, hmac-sha512 and hmac-md5. If not
+ specified, the default is hmac-sha256.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term><command>port</command></term>
<listitem>
<para>
@@ -5196,14 +5673,14 @@ category notify { null; };
<para>
DS queries are expected to be made to and be answered by
delegation only zones. Such queries and responses are
- treated as a exception to delegation-only processing
+ treated as an exception to delegation-only processing
and are not converted to NXDOMAIN responses provided
a CNAME is not discovered at the query name.
</para>
<para>
If a delegation only zone server also serves a child
zone it is not always possible to determine whether
- a answer comes from the delegation only zone or the
+ an answer comes from the delegation only zone or the
child zone. SOA NS and DNSKEY records are apex
only records and a matching response that contains
these records or DS is treated as coming from a
@@ -5252,21 +5729,51 @@ options {
<term><command>dnssec-lookaside</command></term>
<listitem>
<para>
- When set, <command>dnssec-lookaside</command>
- provides the
- validator with an alternate method to validate DNSKEY records
- at the
- top of a zone. When a DNSKEY is at or below a domain
- specified by the
- deepest <command>dnssec-lookaside</command>, and
- the normal DNSSEC validation
- has left the key untrusted, the trust-anchor will be append to
- the key
- name and a DLV record will be looked up to see if it can
- validate the
- key. If the DLV record validates a DNSKEY (similarly to the
- way a DS
+ When set, <command>dnssec-lookaside</command> provides the
+ validator with an alternate method to validate DNSKEY
+ records at the top of a zone. When a DNSKEY is at or
+ below a domain specified by the deepest
+ <command>dnssec-lookaside</command>, and the normal DNSSEC
+ validation has left the key untrusted, the trust-anchor
+ will be appended to the key name and a DLV record will be
+ looked up to see if it can validate the key. If the DLV
+ record validates a DNSKEY (similarly to the way a DS
record does) the DNSKEY RRset is deemed to be trusted.
+ </para>
+ <para>
+ If <command>dnssec-lookaside</command> is set to
+ <userinput>auto</userinput>, then built-in default
+ values for the DLV domain and trust anchor will be
+ used, along with a built-in key for validation.
+ </para>
+ <para>
+ If <command>dnssec-lookaside</command> is set to
+ <userinput>no</userinput>, then dnssec-lookaside
+ is not used.
+ </para>
+ <para>
+ The default DLV key is stored in the file
+ <filename>bind.keys</filename>;
+ <command>named</command> will load that key at
+ startup if <command>dnssec-lookaside</command> is set to
+ <constant>auto</constant>. A copy of the file is
+ installed along with <acronym>BIND</acronym> 9, and is
+ current as of the release date. If the DLV key expires, a
+ new copy of <filename>bind.keys</filename> can be downloaded
+ from <ulink>https://www.isc.org/solutions/dlv</ulink>.
+ </para>
+ <para>
+ (To prevent problems if <filename>bind.keys</filename> is
+ not found, the current key is also compiled in to
+ <command>named</command>. Relying on this is not
+ recommended, however, as it requires <command>named</command>
+ to be recompiled with a new key when the DLV key expires.)
+ </para>
+ <para>
+ NOTE: <command>named</command> only loads certain specific
+ keys from <filename>bind.keys</filename>: those for the
+ DLV zone and for the DNS root zone. The file cannot be
+ used to store keys for other zones.
</para>
</listitem>
</varlistentry>
@@ -5275,21 +5782,104 @@ options {
<term><command>dnssec-must-be-secure</command></term>
<listitem>
<para>
- Specify hierarchies which must be or may not be secure (signed and
- validated).
- If <userinput>yes</userinput>, then <command>named</command> will only accept
- answers if they
- are secure.
- If <userinput>no</userinput>, then normal DNSSEC validation
- applies
- allowing for insecure answers to be accepted.
- The specified domain must be under a <command>trusted-key</command> or
- <command>dnssec-lookaside</command> must be
- active.
+ Specify hierarchies which must be or may not be secure
+ (signed and validated). If <userinput>yes</userinput>,
+ then <command>named</command> will only accept answers if
+ they are secure. If <userinput>no</userinput>, then normal
+ DNSSEC validation applies allowing for insecure answers to
+ be accepted. The specified domain must be under a
+ <command>trusted-keys</command> or
+ <command>managed-keys</command> statement, or
+ <command>dnssec-lookaside</command> must be active.
</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term><command>dns64</command></term>
+ <listitem>
+ <para>
+ This directive instructs <command>named</command> to
+ return mapped IPv4 addresses to AAAA queries when
+ there are no AAAA records. It is intended to be
+ used in conjunction with a NAT64. Each
+ <command>dns64</command> defines one DNS64 prefix.
+ Multiple DNS64 prefixes can be defined.
+ </para>
+ <para>
+ Compatible IPv6 prefixes have lengths of 32, 40, 48, 56,
+ 64 and 96 as per RFC 6052.
+ </para>
+ <para>
+ Additionally a reverse IP6.ARPA zone will be created for
+ the prefix to provide a mapping from the IP6.ARPA names
+ to the corresponding IN-ADDR.ARPA names using synthesized
+ CNAMEs. <command>dns64-server</command> and
+ <command>dns64-contact</command> can be used to specify
+ the name of the server and contact for the zones. These
+ are settable at the view / options level. These are
+ not settable on a per-prefix basis.
+ </para>
+ <para>
+ Each <command>dns64</command> supports an optional
+ <command>clients</command> ACL that determines which
+ clients are affected by this directive. If not defined,
+ it defaults to <userinput>any;</userinput>.
+ </para>
+ <para>
+ Each <command>dns64</command> supports an optional
+ <command>mapped</command> ACL that selects which
+ IPv4 addresses are to be mapped in the corresponding
+ A RRset. If not defined it defaults to
+ <userinput>any;</userinput>.
+ </para>
+ <para>
+ Normally, DNS64 won't apply to a domain name that
+ owns one or more AAAA records; these records will
+ simply be returned. The optional
+ <command>exclude</command> ACL allows specification
+ of a list of IPv6 addresses that will be ignored
+ if they appear in a domain name's AAAA records, and
+ DNS64 will be applied to any A records the domain
+ name owns. If not defined, <command>exclude</command>
+ defaults to none.
+ </para>
+ <para>
+ A optional <command>suffix</command> can also
+ be defined to set the bits trailing the mapped
+ IPv4 address bits. By default these bits are
+ set to <userinput>::</userinput>. The bits
+ matching the prefix and mapped IPv4 address
+ must be zero.
+ </para>
+ <para>
+ If <command>recursive-only</command> is set to
+ <command>yes</command> the DNS64 synthesis will
+ only happen for recursive queries. The default
+ is <command>no</command>.
+ </para>
+ <para>
+ If <command>break-dnssec</command> is set to
+ <command>yes</command> the DNS64 synthesis will
+ happen even if the result, if validated, would
+ cause a DNSSEC validation failure. If this option
+ is set to <command>no</command> (the default), the DO
+ is set on the incoming query, and there are RRSIGs on
+ the applicable records, then synthesis will not happen.
+ </para>
+<programlisting>
+ acl rfc1918 { 10/8; 192.168/16; 172.16/12; };
+
+ dns64 64:FF9B::/96 {
+ clients { any; };
+ mapped { !rfc1918; any; };
+ exclude { 64:FF9B::/96; ::ffff:0000:0000/96; };
+ suffix ::;
+ };
+</programlisting>
+ </listitem>
+ </varlistentry>
+
</variablelist>
<sect3 id="boolean_options">
@@ -5298,6 +5888,18 @@ options {
<variablelist>
<varlistentry>
+ <term><command>allow-new-zones</command></term>
+ <listitem>
+ <para>
+ If <userinput>yes</userinput>, then zones can be
+ added at runtime via <command>rndc addzone</command>
+ or deleted via <command>rndc delzone</command>.
+ The default is <userinput>no</userinput>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term><command>auth-nxdomain</command></term>
<listitem>
<para>
@@ -5784,6 +6386,7 @@ options {
off
on a per-zone basis by specifying <command>zone-statistics no</command>
in the <command>zone</command> statement).
+ The default is <userinput>no</userinput>.
These statistics may be accessed
using <command>rndc stats</command>, which will
dump them to the file listed
@@ -5957,6 +6560,60 @@ options {
</varlistentry>
<varlistentry>
+ <term><command>filter-aaaa-on-v4</command></term>
+ <listitem>
+ <para>
+ This option is only available when
+ <acronym>BIND</acronym> 9 is compiled with the
+ <userinput>--enable-filter-aaaa</userinput> option on the
+ "configure" command line. It is intended to help the
+ transition from IPv4 to IPv6 by not giving IPv6 addresses
+ to DNS clients unless they have connections to the IPv6
+ Internet. This is not recommended unless absolutely
+ necessary. The default is <userinput>no</userinput>.
+ The <command>filter-aaaa-on-v4</command> option
+ may also be specified in <command>view</command> statements
+ to override the global <command>filter-aaaa-on-v4</command>
+ option.
+ </para>
+ <para>
+ If <userinput>yes</userinput>,
+ the DNS client is at an IPv4 address, in <command>filter-aaaa</command>,
+ and if the response does not include DNSSEC signatures,
+ then all AAAA records are deleted from the response.
+ This filtering applies to all responses and not only
+ authoritative responses.
+ </para>
+ <para>
+ If <userinput>break-dnssec</userinput>,
+ then AAAA records are deleted even when dnssec is enabled.
+ As suggested by the name, this makes the response not verify,
+ because the DNSSEC protocol is designed detect deletions.
+ </para>
+ <para>
+ This mechanism can erroneously cause other servers to
+ not give AAAA records to their clients.
+ A recursing server with both IPv6 and IPv4 network connections
+ that queries an authoritative server using this mechanism
+ via IPv4 will be denied AAAA records even if its client is
+ using IPv6.
+ </para>
+ <para>
+ This mechanism is applied to authoritative as well as
+ non-authoritative records.
+ A client using IPv4 that is not allowed recursion can
+ erroneously be given AAAA records because the server is not
+ allowed to check for A records.
+ </para>
+ <para>
+ Some AAAA records are given to IPv4 clients in glue records.
+ IPv4 clients that are servers can then erroneously
+ answer requests for AAAA records received via IPv4.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term><command>ixfr-from-differences</command></term>
<listitem>
<para>
@@ -6025,7 +6682,15 @@ options {
Enable DNSSEC validation in <command>named</command>.
Note <command>dnssec-enable</command> also needs to be
set to <userinput>yes</userinput> to be effective.
- The default is <userinput>yes</userinput>.
+ If set to <userinput>no</userinput>, DNSSEC validation
+ is disabled. If set to <userinput>auto</userinput>,
+ DNSSEC validation is enabled, and a default
+ trust-anchor for the DNS root zone is used. If set to
+ <userinput>yes</userinput>, DNSSEC validation is enabled,
+ but a trust anchor must be manually configured using
+ a <command>trusted-keys</command> or
+ <command>managed-keys</command> statement. The default
+ is <userinput>yes</userinput>.
</para>
</listitem>
</varlistentry>
@@ -6036,7 +6701,9 @@ options {
<para>
Accept expired signatures when verifying DNSSEC signatures.
The default is <userinput>no</userinput>.
- Setting this option to "yes" leaves <command>named</command> vulnerable to replay attacks.
+ Setting this option to <userinput>yes</userinput>
+ leaves <command>named</command> vulnerable to
+ replay attacks.
</para>
</listitem>
</varlistentry>
@@ -6086,6 +6753,19 @@ options {
</varlistentry>
<varlistentry>
+ <term><command>check-dup-records</command></term>
+ <listitem>
+ <para>
+ Check master zones for records that are treated as different
+ by DNSSEC but are semantically equal in plain DNS. The
+ default is to <command>warn</command>. Other possible
+ values are <command>fail</command> and
+ <command>ignore</command>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term><command>check-mx</command></term>
<listitem>
<para>
@@ -6190,13 +6870,49 @@ options {
<term><command>update-check-ksk</command></term>
<listitem>
<para>
- When regenerating the RRSIGs following a UPDATE
- request to a secure zone, check the KSK flag on
- the DNSKEY RR to determine if this key should be
- used to generate the RRSIG. This flag is ignored
- if there are not DNSKEY RRs both with and without
- a KSK.
- The default is <command>yes</command>.
+ When set to the default value of <literal>yes</literal>,
+ check the KSK bit in each key to determine how the key
+ should be used when generating RRSIGs for a secure zone.
+ </para>
+ <para>
+ Ordinarily, zone-signing keys (that is, keys without the
+ KSK bit set) are used to sign the entire zone, while
+ key-signing keys (keys with the KSK bit set) are only
+ used to sign the DNSKEY RRset at the zone apex.
+ However, if this option is set to <literal>no</literal>,
+ then the KSK bit is ignored; KSKs are treated as if they
+ were ZSKs and are used to sign the entire zone. This is
+ similar to the <command>dnssec-signzone -z</command>
+ command line option.
+ </para>
+ <para>
+ When this option is set to <literal>yes</literal>, there
+ must be at least two active keys for every algorithm
+ represented in the DNSKEY RRset: at least one KSK and one
+ ZSK per algorithm. If there is any algorithm for which
+ this requirement is not met, this option will be ignored
+ for that algorithm.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>dnssec-dnskey-kskonly</command></term>
+ <listitem>
+ <para>
+ When this option and <command>update-check-ksk</command>
+ are both set to <literal>yes</literal>, only key-signing
+ keys (that is, keys with the KSK bit set) will be used
+ to sign the DNSKEY RRset at the zone apex. Zone-signing
+ keys (keys without the KSK bit set) will be used to sign
+ the remainder of the zone, but not the DNSKEY RRset.
+ This is similar to the
+ <command>dnssec-signzone -x</command> command line option.
+ </para>
+ <para>
+ The default is <command>no</command>. If
+ <command>update-check-ksk</command> is set to
+ <literal>no</literal>, this option is ignored.
</para>
</listitem>
</varlistentry>
@@ -6212,6 +6928,34 @@ options {
</listitem>
</varlistentry>
+ <varlistentry>
+ <term><command>dnssec-secure-to-insecure</command></term>
+ <listitem>
+ <para>
+ Allow a dynamic zone to transition from secure to
+ insecure (i.e., signed to unsigned) by deleting all
+ of the DNSKEY records. The default is <command>no</command>.
+ If set to <command>yes</command>, and if the DNSKEY RRset
+ at the zone apex is deleted, all RRSIG and NSEC records
+ will be removed from the zone as well.
+ </para>
+ <para>
+ If the zone uses NSEC3, then it is also necessary to
+ delete the NSEC3PARAM RRset from the zone apex; this will
+ cause the removal of all corresponding NSEC3 records.
+ (It is expected that this requirement will be eliminated
+ in a future release.)
+ </para>
+ <para>
+ Note that if a zone has been configured with
+ <command>auto-dnssec maintain</command> and the
+ private keys remain accessible in the key repository,
+ then the zone will be automatically signed again the
+ next time <command>named</command> is started.
+ </para>
+ </listitem>
+ </varlistentry>
+
</variablelist>
</sect3>
@@ -6524,6 +7268,29 @@ options {
</listitem>
</varlistentry>
+ <varlistentry>
+ <term><command>filter-aaaa</command></term>
+ <listitem>
+ <para>
+ Specifies a list of addresses to which
+ <command>filter-aaaa-on-v4</command>
+ is applies. The default is <userinput>any</userinput>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>resolver-query-timeout</command></term>
+ <listitem>
+ <para>
+ The amount of time the resolver will spend attempting
+ to resolve a recursive query before failing. The default
+ and minimum is <literal>10</literal> and the maximum is
+ <literal>30</literal>. Setting it to <literal>0</literal>
+ will result in the default being used.
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</sect3>
@@ -7576,20 +8343,26 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
</para>
<programlisting>sortlist {
- { localhost; // IF the local host
- { localnets; // THEN first fit on the
- 192.168.1/24; // following nets
+ // IF the local host
+ // THEN first fit on the following nets
+ { localhost;
+ { localnets;
+ 192.168.1/24;
{ 192.168.2/24; 192.168.3/24; }; }; };
- { 192.168.1/24; // IF on class C 192.168.1
- { 192.168.1/24; // THEN use .1, or .2 or .3
+ // IF on class C 192.168.1 THEN use .1, or .2 or .3
+ { 192.168.1/24;
+ { 192.168.1/24;
{ 192.168.2/24; 192.168.3/24; }; }; };
- { 192.168.2/24; // IF on class C 192.168.2
- { 192.168.2/24; // THEN use .2, or .1 or .3
+ // IF on class C 192.168.2 THEN use .2, or .1 or .3
+ { 192.168.2/24;
+ { 192.168.2/24;
{ 192.168.1/24; 192.168.3/24; }; }; };
- { 192.168.3/24; // IF on class C 192.168.3
- { 192.168.3/24; // THEN use .3, or .1 or .2
+ // IF on class C 192.168.3 THEN use .3, or .1 or .2
+ { 192.168.3/24;
+ { 192.168.3/24;
{ 192.168.1/24; 192.168.2/24; }; }; };
- { { 192.168.4/24; 192.168.5/24; }; // if .4 or .5, prefer that net
+ // IF .4 or .5 THEN prefer that net
+ { { 192.168.4/24; 192.168.5/24; };
};
};</programlisting>
@@ -7806,7 +8579,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
DNSSEC signatures automatically generated as a
result of dynamic updates (<xref
linkend="dynamic_update"/>) will expire. There
- is a optional second field which specifies how
+ is an optional second field which specifies how
long before expiry that the signatures will be
regenerated. If not specified, the signatures will
be regenerated at 1/4 of base interval. The second
@@ -7919,24 +8692,36 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
firewalls that block fragmented packets and/or
block UDP packets that are greater than 512 bytes.
</para>
+ <para>
+ <command>named</command> will fallback to using 512 bytes
+ if it get a series of timeout at the initial value. 512
+ bytes is not being offered to encourage sites to fix their
+ firewalls. Small EDNS UDP sizes will result in the
+ excessive use of TCP.
+ </para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>max-udp-size</command></term>
- <listitem>
- <para>
- Sets the maximum EDNS UDP message size <command>named</command> will
- send in bytes. Valid values are 512 to 4096 (values outside
- this range will be silently adjusted). The default
+ <listitem>
+ <para>
+ Sets the maximum EDNS UDP message size
+ <command>named</command> will send in bytes.
+ Valid values are 512 to 4096 (values outside this
+ range will be silently adjusted). The default
value is 4096. The usual reason for setting
- <command>max-udp-size</command> to a non-default value is to get UDP
- answers to pass through broken firewalls that
- block fragmented packets and/or block UDP packets
- that are greater than 512 bytes.
+ <command>max-udp-size</command> to a non-default
+ value is to get UDP answers to pass through broken
+ firewalls that block fragmented packets and/or
+ block UDP packets that are greater than 512 bytes.
This is independent of the advertised receive
buffer (<command>edns-udp-size</command>).
</para>
+ <para>
+ Setting this to a low value will encourage additional
+ TCP traffic to the nameserver.
+ </para>
</listitem>
</varlistentry>
@@ -8120,7 +8905,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
<para>
Named will attempt to determine if a built-in zone already exists
or is active (covered by a forward-only forwarding declaration)
- and will not create a empty zone in that case.
+ and will not create an empty zone in that case.
</para>
<para>
The current list of empty zones is:
@@ -8345,6 +9130,400 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
</sect3>
+ <sect3>
+ <title>Content Filtering</title>
+ <para>
+ <acronym>BIND</acronym> 9 provides the ability to filter
+ out DNS responses from external DNS servers containing
+ certain types of data in the answer section.
+ Specifically, it can reject address (A or AAAA) records if
+ the corresponding IPv4 or IPv6 addresses match the given
+ <varname>address_match_list</varname> of the
+ <command>deny-answer-addresses</command> option.
+ It can also reject CNAME or DNAME records if the "alias"
+ name (i.e., the CNAME alias or the substituted query name
+ due to DNAME) matches the
+ given <varname>namelist</varname> of the
+ <command>deny-answer-aliases</command> option, where
+ "match" means the alias name is a subdomain of one of
+ the <varname>name_list</varname> elements.
+ If the optional <varname>namelist</varname> is specified
+ with <command>except-from</command>, records whose query name
+ matches the list will be accepted regardless of the filter
+ setting.
+ Likewise, if the alias name is a subdomain of the
+ corresponding zone, the <command>deny-answer-aliases</command>
+ filter will not apply;
+ for example, even if "example.com" is specified for
+ <command>deny-answer-aliases</command>,
+ </para>
+<programlisting>www.example.com. CNAME xxx.example.com.</programlisting>
+
+ <para>
+ returned by an "example.com" server will be accepted.
+ </para>
+
+ <para>
+ In the <varname>address_match_list</varname> of the
+ <command>deny-answer-addresses</command> option, only
+ <varname>ip_addr</varname>
+ and <varname>ip_prefix</varname>
+ are meaningful;
+ any <varname>key_id</varname> will be silently ignored.
+ </para>
+
+ <para>
+ If a response message is rejected due to the filtering,
+ the entire message is discarded without being cached, and
+ a SERVFAIL error will be returned to the client.
+ </para>
+
+ <para>
+ This filtering is intended to prevent "DNS rebinding attacks," in
+ which an attacker, in response to a query for a domain name the
+ attacker controls, returns an IP address within your own network or
+ an alias name within your own domain.
+ A naive web browser or script could then serve as an
+ unintended proxy, allowing the attacker
+ to get access to an internal node of your local network
+ that couldn't be externally accessed otherwise.
+ See the paper available at
+ <ulink>
+ http://portal.acm.org/citation.cfm?id=1315245.1315298
+ </ulink>
+ for more details about the attacks.
+ </para>
+
+ <para>
+ For example, if you own a domain named "example.net" and
+ your internal network uses an IPv4 prefix 192.0.2.0/24,
+ you might specify the following rules:
+ </para>
+
+<programlisting>deny-answer-addresses { 192.0.2.0/24; } except-from { "example.net"; };
+deny-answer-aliases { "example.net"; };
+</programlisting>
+
+ <para>
+ If an external attacker lets a web browser in your local
+ network look up an IPv4 address of "attacker.example.com",
+ the attacker's DNS server would return a response like this:
+ </para>
+
+<programlisting>attacker.example.com. A 192.0.2.1</programlisting>
+
+ <para>
+ in the answer section.
+ Since the rdata of this record (the IPv4 address) matches
+ the specified prefix 192.0.2.0/24, this response will be
+ ignored.
+ </para>
+
+ <para>
+ On the other hand, if the browser looks up a legitimate
+ internal web server "www.example.net" and the
+ following response is returned to
+ the <acronym>BIND</acronym> 9 server
+ </para>
+
+<programlisting>www.example.net. A 192.0.2.2</programlisting>
+
+ <para>
+ it will be accepted since the owner name "www.example.net"
+ matches the <command>except-from</command> element,
+ "example.net".
+ </para>
+
+ <para>
+ Note that this is not really an attack on the DNS per se.
+ In fact, there is nothing wrong for an "external" name to
+ be mapped to your "internal" IP address or domain name
+ from the DNS point of view.
+ It might actually be provided for a legitimate purpose,
+ such as for debugging.
+ As long as the mapping is provided by the correct owner,
+ it is not possible or does not make sense to detect
+ whether the intent of the mapping is legitimate or not
+ within the DNS.
+ The "rebinding" attack must primarily be protected at the
+ application that uses the DNS.
+ For a large site, however, it may be difficult to protect
+ all possible applications at once.
+ This filtering feature is provided only to help such an
+ operational environment;
+ it is generally discouraged to turn it on unless you are
+ very sure you have no other choice and the attack is a
+ real threat for your applications.
+ </para>
+
+ <para>
+ Care should be particularly taken if you want to use this
+ option for addresses within 127.0.0.0/8.
+ These addresses are obviously "internal", but many
+ applications conventionally rely on a DNS mapping from
+ some name to such an address.
+ Filtering out DNS records containing this address
+ spuriously can break such applications.
+ </para>
+ </sect3>
+
+ <sect3>
+ <title>Response Policy Zone (RPZ) Rewriting</title>
+ <para>
+ <acronym>BIND</acronym> 9 includes a limited
+ mechanism to modify DNS responses for requests
+ analogous to email anti-spam DNS blacklists.
+ Responses can be changed to deny the existence of domains(NXDOMAIN),
+ deny the existence of IP addresses for domains (NODATA),
+ or contain other IP addresses or data.
+ </para>
+
+ <para>
+ Response policy zones are named in the
+ <command>response-policy</command> option for the view or among the
+ global options if there is no response-policy option for the view.
+ RPZs are ordinary DNS zones containing RRsets
+ that can be queried normally if allowed.
+ It is usually best to restrict those queries with something like
+ <command>allow-query { localhost; };</command>.
+ </para>
+
+ <para>
+ Four policy triggers are encoded in RPZ records, QNAME, IP, NSIP,
+ and NSDNAME.
+ QNAME RPZ records triggered by query names of requests and targets
+ of CNAME records resolved to generate the response.
+ The owner name of a QNAME RPZ record is the query name relativized
+ to the RPZ.
+ </para>
+
+ <para>
+ The second kind of RPZ trigger is an IP address in an A and AAAA
+ record in the ANSWER section of a response.
+ IP address triggers are encoded in records that have owner names
+ that are subdomains of <userinput>rpz-ip</userinput> relativized
+ to the RPZ origin name and encode an IP address or address block.
+ IPv4 trigger addresses are represented as
+ <userinput>prefixlength.B4.B3.B2.B1.rpz-ip</userinput>.
+ The prefix length must be between 1 and 32.
+ All four bytes, B4, B3, B2, and B1, must be present.
+ B4 is the decimal value of the least significant byte of the
+ IPv4 address as in IN-ADDR.ARPA.
+ IPv6 addresses are encoded in a format similar to the standard
+ IPv6 text representation,
+ <userinput>prefixlength.W8.W7.W6.W5.W4.W3.W2.W1.rpz-ip</userinput>.
+ Each of W8,...,W1 is a one to four digit hexadecimal number
+ representing 16 bits of the IPv6 address as in the standard text
+ representation of IPv6 addresses, but reversed as in IN-ADDR.ARPA.
+ All 8 words must be present except when consecutive
+ zero words are replaced with <userinput>.zz.</userinput>
+ analogous to double colons (::) in standard IPv6 text encodings.
+ The prefix length must be between 1 and 128.
+ </para>
+
+ <para>
+ NSDNAME triggers match names of authoritative servers
+ for the query name, a parent of the query name, a CNAME for
+ query name, or a parent of a CNAME.
+ They are encoded as subdomains of
+ <userinput>rpz-nsdomain</userinput> relativized
+ to the RPZ origin name.
+ </para>
+
+ <para>
+ NSIP triggers match IP addresses in A and
+ AAAA RRsets for domains that can be checked against NSDNAME
+ policy records.
+ NSIP triggers are encoded like IP triggers except as subdomains of
+ <userinput>rpz-nsip</userinput>.
+ </para>
+
+ <para>
+ The query response is checked against all RPZs, so
+ two or more policy records can be triggered by a response.
+ Because DNS responses can be rewritten according to at most one
+ policy record, a single record encoding an action (other than
+ <command>DISABLED</command> actions) must be chosen.
+ Triggers or the records that encode them are chosen in
+ the following order:
+ <itemizedlist>
+ <listitem>Choose the triggered record in the zone that appears
+ first in the response-policy option.
+ </listitem>
+ <listitem>Prefer QNAME to IP to NSDNAME to NSIP triggers
+ in a single zone.
+ </listitem>
+ <listitem>Among NSDNAME triggers, prefer the
+ trigger that matches the smallest name under the DNSSEC ordering.
+ </listitem>
+ <listitem>Among IP or NSIP triggers, prefer the trigger
+ with the longest prefix.
+ </listitem>
+ <listitem>Among triggers with the same prefex length,
+ prefer the IP or NSIP trigger that matches
+ the smallest IP address.
+ </listitem>
+ </itemizedlist>
+ </para>
+
+ <para>
+ When the processing of a response is restarted to resolve
+ DNAME or CNAME records and a policy record set has
+ not been triggered,
+ all RPZs are again consulted for the DNAME or CNAME names
+ and addresses.
+ </para>
+
+ <para>
+ Authority verification issues and variations in authority data
+ can cause inconsistent results for NSIP and NSDNAME policy records.
+ Glue NS records often differ from authoritative NS records.
+ So they are available
+ only when <acronym>BIND</acronym> is built with the
+ <userinput>--enable-rpz-nsip</userinput> or
+ <userinput>--enable-rpz-nsdname</userinput> options
+ on the "configure" command line.
+ </para>
+
+ <para>
+ RPZ record sets are sets of any types of DNS record except
+ DNAME or DNSSEC that encode actions or responses to queries.
+ <itemizedlist>
+ <listitem>The <command>NXDOMAIN</command> response is encoded
+ by a CNAME whose target is the root domain (.)
+ </listitem>
+ <listitem>A CNAME whose target is the wildcard top-level
+ domain (*.) specifies the <command>NODATA</command> action,
+ which rewrites the response to NODATA or ANCOUNT=1.
+ </listitem>
+ <listitem>The <command>Local Data</command> action is
+ represented by a set ordinary DNS records that are used
+ to answer queries. Queries for record types not the
+ set are answered with NODATA.
+
+ A special form of local data is a CNAME whose target is a
+ wildcard such as *.example.com.
+ It is used as if were an ordinary CNAME after the astrisk (*)
+ has been replaced with the query name.
+ The purpose for this special form is query logging in the
+ walled garden's authority DNS server.
+ </listitem>
+ <listitem>The <command>PASSTHRU</command> policy is specified
+ by a CNAME whose target is <command>rpz_passthru.</command>
+ It causes the response to not be rewritten
+ and is most often used to "poke holes" in policies for
+ CIDR blocks.
+ (A CNAME whose target is the variable part of its owner name
+ is an obsolete specification of the PASSTHRU policy.)
+ </listitem>
+ </itemizedlist>
+ </para>
+
+ <para>
+ The actions specified in an RPZ can be overridden with a
+ <command>policy</command> clause in the
+ <command>response-policy</command> option.
+ An organization using an RPZ provided by another organization might
+ use this mechanism to redirect domains to its own walled garden.
+ <itemizedlist>
+ <listitem><command>GIVEN</command> says "do not override but
+ perform the action specified in the zone."
+ </listitem>
+ <listitem><command>DISABLED</command> causes policy records to do
+ nothing but log what they might have done.
+ The response to the DNS query will be written according to
+ any triggered policy records that are not disabled.
+ Disabled policy zones should appear first,
+ because they will often not be logged
+ if a higher precedence trigger is found first.
+ </listitem>
+ <listitem><command>PASSTHRU</command> causes all policy records
+ to act as if they were CNAME records with targets the variable
+ part of their owner name. They protect the response from
+ being changed.
+ </listitem>
+ <listitem><command>NXDOMAIN</command> causes all RPZ records
+ to specify NXDOMAIN policies.
+ </listitem>
+ <listitem><command>NODATA</command> overrides with the
+ NODATA policy
+ </listitem>
+ <listitem><command>CNAME domain</command> causes all RPZ
+ policy records to act as if they were "cname domain" records.
+ </listitem>
+ </itemizedlist>
+ </para>
+
+ <para>
+ By default, the actions encoded in an RPZ are applied
+ only to queries that ask for recursion (RD=1).
+ That default can be changed for a single RPZ or all RPZs in a view
+ with a <command>recursive-only no</command> clause.
+ This feature is useful for serving the same zone files
+ both inside and outside an RFC 1918 cloud and using RPZ to
+ delete answers that would otherwise contain RFC 1918 values
+ on the externally visible name server or view.
+ </para>
+
+ <para>
+ Also by default, RPZ actions are applied only to DNS requests that
+ either do not request DNSSEC metadata (DO=0) or when no DNSSEC
+ records are available for request name in the original zone (not
+ the response policy zone).
+ This default can be changed for all RPZs in a view with a
+ <command>break-dnssec yes</command> clause.
+ In that case, RPZ actions are applied regardless of DNSSEC.
+ The name of the clause option reflects the fact that results
+ rewritten by RPZ actions cannot verify.
+ </para>
+
+ <para>
+ The TTL of a record modified by RPZ policies is set from the
+ TTL of the relevant record in policy zone. It is then limited
+ to a maximum value.
+ The <command>max-policy-ttl</command> clause changes that
+ maximum from its default of 5.
+ </para>
+
+ <para>
+ For example, you might use this option statement
+ </para>
+<programlisting> response-policy { zone "badlist"; };</programlisting>
+ <para>
+ and this zone statement
+ </para>
+<programlisting> zone "badlist" {type master; file "master/badlist"; allow-query {none;}; };</programlisting>
+ <para>
+ with this zone file
+ </para>
+<programlisting>$TTL 1H
+@ SOA LOCALHOST. named-mgr.example.com (1 1h 15m 30d 2h)
+ NS LOCALHOST.
+
+; QNAME policy records. There are no periods (.) after the owner names.
+nxdomain.domain.com CNAME . ; NXDOMAIN policy
+nodata.domain.com CNAME *. ; NODATA policy
+bad.domain.com A 10.0.0.1 ; redirect to a walled garden
+ AAAA 2001:2::1
+
+; do not rewrite (PASSTHRU) OK.DOMAIN.COM
+ok.domain.com CNAME rpz-passthru.
+
+bzone.domain.com CNAME garden.example.com.
+
+; redirect x.bzone.domain.com to x.bzone.domain.com.garden.example.com
+*.bzone.domain.com CNAME *.garden.example.com.
+
+
+; IP policy records that rewrite all answers for 127/8 except 127.0.0.1
+8.0.0.0.127.rpz-ip CNAME .
+32.1.0.0.127.rpz-ip CNAME rpz-passthru.
+
+; NSDNAME and NSIP policy records
+ns.domain.com.rpz-nsdname CNAME .
+48.zz.2.2001.rpz-nsip CNAME .
+</programlisting>
+ </sect3>
</sect2>
<sect2 id="server_statement_grammar">
@@ -8364,8 +9543,10 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
<optional> transfer-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
<optional> notify-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
<optional> notify-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
- <optional> query-source <optional> address ( <replaceable>ip_addr</replaceable> | <replaceable>*</replaceable> ) </optional> <optional> port ( <replaceable>ip_port</replaceable> | <replaceable>*</replaceable> ) </optional>; </optional>
- <optional> query-source-v6 <optional> address ( <replaceable>ip_addr</replaceable> | <replaceable>*</replaceable> ) </optional> <optional> port ( <replaceable>ip_port</replaceable> | <replaceable>*</replaceable> ) </optional>; </optional>
+ <optional> query-source <optional> address ( <replaceable>ip_addr</replaceable> | <replaceable>*</replaceable> ) </optional>
+ <optional> port ( <replaceable>ip_port</replaceable> | <replaceable>*</replaceable> ) </optional>; </optional>
+ <optional> query-source-v6 <optional> address ( <replaceable>ip_addr</replaceable> | <replaceable>*</replaceable> ) </optional>
+ <optional> port ( <replaceable>ip_port</replaceable> | <replaceable>*</replaceable> ) </optional>; </optional>
<optional> use-queryport-pool <replaceable>yes_or_no</replaceable>; </optional>
<optional> queryport-pool-ports <replaceable>number</replaceable>; </optional>
<optional> queryport-pool-updateinterval <replaceable>number</replaceable>; </optional>
@@ -8563,7 +9744,8 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
<title><command>statistics-channels</command> Statement Grammar</title>
<programlisting><command>statistics-channels</command> {
- [ inet ( ip_addr | * ) [ port ip_port ] [allow { <replaceable> address_match_list </replaceable> } ]; ]
+ [ inet ( ip_addr | * ) [ port ip_port ]
+ [ allow { <replaceable> address_match_list </replaceable> } ]; ]
[ inet ...; ]
};
</programlisting>
@@ -8627,7 +9809,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
</sect2>
- <sect2>
+ <sect2 id="trusted-keys">
<title><command>trusted-keys</command> Statement Grammar</title>
<programlisting><command>trusted-keys</command> {
@@ -8669,6 +9851,136 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
in the key data, so the configuration may be split up into
multiple lines.
</para>
+ <para>
+ <command>trusted-keys</command> may be set at the top level
+ of <filename>named.conf</filename> or within a view. If it is
+ set in both places, they are additive: keys defined at the top
+ level are inherited by all views, but keys defined in a view
+ are only used within that view.
+ </para>
+ </sect2>
+
+ <sect2>
+ <title><command>managed-keys</command> Statement Grammar</title>
+
+<programlisting><command>managed-keys</command> {
+ <replaceable>string</replaceable> initial-key <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>string</replaceable> ;
+ <optional> <replaceable>string</replaceable> initial-key <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>string</replaceable> ; <optional>...</optional></optional>
+};
+</programlisting>
+
+ </sect2>
+ <sect2 id="managed-keys">
+ <title><command>managed-keys</command> Statement Definition
+ and Usage</title>
+ <para>
+ The <command>managed-keys</command> statement, like
+ <command>trusted-keys</command>, defines DNSSEC
+ security roots. The difference is that
+ <command>managed-keys</command> can be kept up to date
+ automatically, without intervention from the resolver
+ operator.
+ </para>
+ <para>
+ Suppose, for example, that a zone's key-signing
+ key was compromised, and the zone owner had to revoke and
+ replace the key. A resolver which had the old key in a
+ <command>trusted-keys</command> statement would be
+ unable to validate this zone any longer; it would
+ reply with a SERVFAIL response code. This would
+ continue until the resolver operator had updated the
+ <command>trusted-keys</command> statement with the new key.
+ </para>
+ <para>
+ If, however, the zone were listed in a
+ <command>managed-keys</command> statement instead, then the
+ zone owner could add a "stand-by" key to the zone in advance.
+ <command>named</command> would store the stand-by key, and
+ when the original key was revoked, <command>named</command>
+ would be able to transition smoothly to the new key. It would
+ also recognize that the old key had been revoked, and cease
+ using that key to validate answers, minimizing the damage that
+ the compromised key could do.
+ </para>
+ <para>
+ A <command>managed-keys</command> statement contains a list of
+ the keys to be managed, along with information about how the
+ keys are to be initialized for the first time. The only
+ initialization method currently supported (as of
+ <acronym>BIND</acronym> 9.7.0) is <literal>initial-key</literal>.
+ This means the <command>managed-keys</command> statement must
+ contain a copy of the initializing key. (Future releases may
+ allow keys to be initialized by other methods, eliminating this
+ requirement.)
+ </para>
+ <para>
+ Consequently, a <command>managed-keys</command> statement
+ appears similar to a <command>trusted-keys</command>, differing
+ in the presence of the second field, containing the keyword
+ <literal>initial-key</literal>. The difference is, whereas the
+ keys listed in a <command>trusted-keys</command> continue to be
+ trusted until they are removed from
+ <filename>named.conf</filename>, an initializing key listed
+ in a <command>managed-keys</command> statement is only trusted
+ <emphasis>once</emphasis>: for as long as it takes to load the
+ managed key database and start the RFC 5011 key maintenance
+ process.
+ </para>
+ <para>
+ The first time <command>named</command> runs with a managed key
+ configured in <filename>named.conf</filename>, it fetches the
+ DNSKEY RRset directly from the zone apex, and validates it
+ using the key specified in the <command>managed-keys</command>
+ statement. If the DNSKEY RRset is validly signed, then it is
+ used as the basis for a new managed keys database.
+ </para>
+ <para>
+ From that point on, whenever <command>named</command> runs, it
+ sees the <command>managed-keys</command> statement, checks to
+ make sure RFC 5011 key maintenance has already been initialized
+ for the specified domain, and if so, it simply moves on. The
+ key specified in the <command>managed-keys</command> is not
+ used to validate answers; it has been superseded by the key or
+ keys stored in the managed keys database.
+ </para>
+ <para>
+ The next time <command>named</command> runs after a name
+ has been <emphasis>removed</emphasis> from the
+ <command>managed-keys</command> statement, the corresponding
+ zone will be removed from the managed keys database,
+ and RFC 5011 key maintenance will no longer be used for that
+ domain.
+ </para>
+ <para>
+ <command>named</command> only maintains a single managed keys
+ database; consequently, unlike <command>trusted-keys</command>,
+ <command>managed-keys</command> may only be set at the top
+ level of <filename>named.conf</filename>, not within a view.
+ </para>
+ <para>
+ In the current implementation, the managed keys database is
+ stored as a master-format zone file called
+ <filename>managed-keys.bind</filename>. When the key database
+ is changed, the zone is updated. As with any other dynamic
+ zone, changes will be written into a journal file,
+ <filename>managed-keys.bind.jnl</filename>. They are committed
+ to the master file as soon as possible afterward; in the case
+ of the managed key database, this will usually occur within 30
+ seconds. So, whenever <command>named</command> is using
+ automatic key maintenance, those two files can be expected to
+ exist in the working directory. (For this reason among others,
+ the working directory should be always be writable by
+ <command>named</command>.)
+ </para>
+ <para>
+ If the <command>dnssec-lookaside</command> option is
+ set to <userinput>auto</userinput>, <command>named</command>
+ will automatically initialize a managed key for the
+ zone <literal>dlv.isc.org</literal>. The key that is
+ used to initialize the key maintenance process is built
+ into <command>named</command>, and can be overridden
+ from <command>bindkeys-file</command>.
+ </para>
</sect2>
<sect2 id="view_statement_grammar">
@@ -8783,11 +10095,12 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
// This should match our internal networks.
match-clients { 10.0.0.0/8; };
- // Provide recursive service to internal clients only.
+ // Provide recursive service to internal
+ // clients only.
recursion yes;
- // Provide a complete view of the example.com zone
- // including addresses of internal hosts.
+ // Provide a complete view of the example.com
+ // zone including addresses of internal hosts.
zone "example.com" {
type master;
file "example-internal.db";
@@ -8795,14 +10108,15 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
};
view "external" {
- // Match all clients not matched by the previous view.
+ // Match all clients not matched by the
+ // previous view.
match-clients { any; };
// Refuse recursive service to external clients.
recursion no;
- // Provide a restricted view of the example.com zone
- // containing only publicly accessible hosts.
+ // Provide a restricted view of the example.com
+ // zone containing only publicly accessible hosts.
zone "example.com" {
type master;
file "example-external.db";
@@ -8821,8 +10135,9 @@ view "external" {
<optional> allow-query-on { <replaceable>address_match_list</replaceable> }; </optional>
<optional> allow-transfer { <replaceable>address_match_list</replaceable> }; </optional>
<optional> allow-update { <replaceable>address_match_list</replaceable> }; </optional>
- <optional> update-policy { <replaceable>update_policy_rule</replaceable> <optional>...</optional> }; </optional>
- <optional> also-notify { <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
+ <optional> update-policy <replaceable>local</replaceable> | { <replaceable>update_policy_rule</replaceable> <optional>...</optional> }; </optional>
+ <optional> also-notify { <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ;
+ <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
<optional> check-names (<constant>warn</constant>|<constant>fail</constant>|<constant>ignore</constant>) ; </optional>
<optional> check-mx (<constant>warn</constant>|<constant>fail</constant>|<constant>ignore</constant>) ; </optional>
<optional> check-wildcard <replaceable>yes_or_no</replaceable>; </optional>
@@ -8858,6 +10173,7 @@ view "external" {
<optional> min-retry-time <replaceable>number</replaceable> ; </optional>
<optional> max-retry-time <replaceable>number</replaceable> ; </optional>
<optional> key-directory <replaceable>path_name</replaceable>; </optional>
+ <optional> auto-dnssec <constant>allow</constant>|<constant>maintain</constant>|<constant>off</constant>; </optional>
<optional> zero-no-soa-ttl <replaceable>yes_or_no</replaceable> ; </optional>
};
@@ -8869,8 +10185,12 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
<optional> allow-transfer { <replaceable>address_match_list</replaceable> }; </optional>
<optional> allow-update-forwarding { <replaceable>address_match_list</replaceable> }; </optional>
<optional> update-check-ksk <replaceable>yes_or_no</replaceable>; </optional>
+ <optional> dnssec-update-mode ( <replaceable>maintain</replaceable> | <replaceable>no-resign</replaceable> ); </optional>
+ <optional> dnssec-dnskey-kskonly <replaceable>yes_or_no</replaceable>; </optional>
+ <optional> dnssec-secure-to-insecure <replaceable>yes_or_no</replaceable> ; </optional>
<optional> try-tcp-refresh <replaceable>yes_or_no</replaceable>; </optional>
- <optional> also-notify { <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
+ <optional> also-notify { <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ;
+ <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
<optional> check-names (<constant>warn</constant>|<constant>fail</constant>|<constant>ignore</constant>) ; </optional>
<optional> dialup <replaceable>dialup_option</replaceable> ; </optional>
<optional> file <replaceable>string</replaceable> ; </optional>
@@ -8883,7 +10203,9 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
<optional> ixfr-from-differences <replaceable>yes_or_no</replaceable>; </optional>
<optional> ixfr-tmp-file <replaceable>string</replaceable> ; </optional>
<optional> maintain-ixfr-base <replaceable>yes_or_no</replaceable> ; </optional>
- <optional> masters <optional>port <replaceable>ip_port</replaceable></optional> { ( <replaceable>masters_list</replaceable> | <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> <optional>key <replaceable>key</replaceable></optional> ) ; <optional>...</optional> }; </optional>
+ <optional> masters <optional>port <replaceable>ip_port</replaceable></optional> { ( <replaceable>masters_list</replaceable> | <replaceable>ip_addr</replaceable>
+ <optional>port <replaceable>ip_port</replaceable></optional>
+ <optional>key <replaceable>key</replaceable></optional> ) ; <optional>...</optional> }; </optional>
<optional> max-ixfr-log-size <replaceable>number</replaceable> ; </optional>
<optional> max-transfer-idle-in <replaceable>number</replaceable> ; </optional>
<optional> max-transfer-idle-out <replaceable>number</replaceable> ; </optional>
@@ -8896,7 +10218,8 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
<optional> transfer-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
<optional> transfer-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
<optional> alt-transfer-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
- <optional> alt-transfer-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
+ <optional> alt-transfer-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>)
+ <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
<optional> use-alt-transfer-source <replaceable>yes_or_no</replaceable>; </optional>
<optional> notify-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
<optional> notify-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
@@ -8914,7 +10237,7 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
type hint;
file <replaceable>string</replaceable> ;
<optional> delegation-only <replaceable>yes_or_no</replaceable> ; </optional>
- <optional> check-names (<constant>warn</constant>|<constant>fail</constant>|<constant>ignore</constant>) ; // Not Implemented. </optional>
+ <optional> check-names (<constant>warn</constant>|<constant>fail</constant>|<constant>ignore</constant>) ; </optional> // Not Implemented.
};
zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replaceable></optional> {
@@ -8928,14 +10251,18 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
<optional> masterfile-format (<constant>text</constant>|<constant>raw</constant>) ; </optional>
<optional> forward (<constant>only</constant>|<constant>first</constant>) ; </optional>
<optional> forwarders { <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
- <optional> masters <optional>port <replaceable>ip_port</replaceable></optional> { ( <replaceable>masters_list</replaceable> | <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> <optional>key <replaceable>key</replaceable></optional> ) ; <optional>...</optional> }; </optional>
+ <optional> masters <optional>port <replaceable>ip_port</replaceable></optional> { ( <replaceable>masters_list</replaceable> | <replaceable>ip_addr</replaceable>
+ <optional>port <replaceable>ip_port</replaceable></optional>
+ <optional>key <replaceable>key</replaceable></optional> ) ; <optional>...</optional> }; </optional>
<optional> max-transfer-idle-in <replaceable>number</replaceable> ; </optional>
<optional> max-transfer-time-in <replaceable>number</replaceable> ; </optional>
<optional> pubkey <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>string</replaceable> ; </optional>
<optional> transfer-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
- <optional> transfer-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
+ <optional> transfer-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>)
+ <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
<optional> alt-transfer-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
- <optional> alt-transfer-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
+ <optional> alt-transfer-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>)
+ <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
<optional> use-alt-transfer-source <replaceable>yes_or_no</replaceable>; </optional>
<optional> zone-statistics <replaceable>yes_or_no</replaceable> ; </optional>
<optional> database <replaceable>string</replaceable> ; </optional>
@@ -8947,6 +10274,14 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
};
zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replaceable></optional> {
+ type static-stub;
+ <optional> allow-query { <replaceable>address_match_list</replaceable> }; </optional>
+ <optional> server-addresses { <optional> <replaceable>ip_addr</replaceable> ; ... </optional> }; </optional>
+ <optional> server-names { <optional> <replaceable>namelist</replaceable> </optional> }; </optional>
+ <optional> zone-statistics <replaceable>yes_or_no</replaceable> ; </optional>
+};
+
+zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replaceable></optional> {
type forward;
<optional> forward (<constant>only</constant>|<constant>first</constant>) ; </optional>
<optional> forwarders { <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
@@ -9093,6 +10428,55 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
<row rowsep="0">
<entry colname="1">
<para>
+ <varname>static-stub</varname>
+ </para>
+ </entry>
+ <entry colname="2">
+ <para>
+ A static-stub zone is similar to a stub zone
+ with the following exceptions:
+ the zone data is statically configured, rather
+ than transferred from a master server;
+ when recursion is necessary for a query that
+ matches a static-stub zone, the locally
+ configured data (nameserver names and glue addresses)
+ is always used even if different authoritative
+ information is cached.
+ </para>
+ <para>
+ Zone data is configured via the
+ <command>server-addresses</command> and
+ <command>server-names</command> zone options.
+ </para>
+ <para>
+ The zone data is maintained in the form of NS
+ and (if necessary) glue A or AAAA RRs
+ internally, which can be seen by dumping zone
+ databases by <command>rndc dumpdb -all</command>.
+ The configured RRs are considered local configuration
+ parameters rather than public data.
+ Non recursive queries (i.e., those with the RD
+ bit off) to a static-stub zone are therefore
+ prohibited and will be responded with REFUSED.
+ </para>
+ <para>
+ Since the data is statically configured, no
+ zone maintenance action takes place for a static-stub
+ zone.
+ For example, there is no periodic refresh
+ attempt, and an incoming notify message
+ will be rejected with an rcode of NOTAUTH.
+ </para>
+ <para>
+ Each static-stub zone is configured with
+ internally generated NS and (if necessary)
+ glue A or AAAA RRs
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para>
<varname>forward</varname>
</para>
</entry>
@@ -9307,6 +10691,7 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
received from the
network. The default varies according to zone type. For <command>master</command> zones the default is <command>fail</command>. For <command>slave</command>
zones the default is <command>warn</command>.
+ It is not implemented for <command>hint</command> zones.
</para>
</listitem>
</varlistentry>
@@ -9372,6 +10757,16 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
</varlistentry>
<varlistentry>
+ <term><command>dnssec-dnskey-kskonly</command></term>
+ <listitem>
+ <para>
+ See the description of
+ <command>dnssec-dnskey-kskonly</command> in <xref linkend="boolean_options"/>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term><command>try-tcp-refresh</command></term>
<listitem>
<para>
@@ -9606,6 +11001,84 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
</varlistentry>
<varlistentry>
+ <term><command>server-addresses</command></term>
+ <listitem>
+ <para>
+ Only meaningful for static-stub zones.
+ This is a list of IP addresses to which queries
+ should be sent in recursive resolution for the
+ zone.
+ A non empty list for this option will internally
+ configure the apex NS RR with associated glue A or
+ AAAA RRs.
+ </para>
+ <para>
+ For example, if "example.com" is configured as a
+ static-stub zone with 192.0.2.1 and 2001:db8::1234
+ in a <command>server-addresses</command> option,
+ the following RRs will be internally configured.
+ </para>
+<programlisting>example.com. NS example.com.
+example.com. A 192.0.2.1
+example.com. AAAA 2001:db8::1234</programlisting>
+ <para>
+ These records are internally used to resolve
+ names under the static-stub zone.
+ For instance, if the server receives a query for
+ "www.example.com" with the RD bit on, the server
+ will initiate recursive resolution and send
+ queries to 192.0.2.1 and/or 2001:db8::1234.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>server-names</command></term>
+ <listitem>
+ <para>
+ Only meaningful for static-stub zones.
+ This is a list of domain names of nameservers that
+ act as authoritative servers of the static-stub
+ zone.
+ These names will be resolved to IP addresses when
+ <command>named</command> needs to send queries to
+ these servers.
+ To make this supplemental resolution successful,
+ these names must not be a subdomain of the origin
+ name of static-stub zone.
+ That is, when "example.net" is the origin of a
+ static-stub zone, "ns.example" and
+ "master.example.com" can be specified in the
+ <command>server-names</command> option, but
+ "ns.example.net" cannot, and will be rejected by
+ the configuration parser.
+ </para>
+ <para>
+ A non empty list for this option will internally
+ configure the apex NS RR with the specified names.
+ For example, if "example.com" is configured as a
+ static-stub zone with "ns1.example.net" and
+ "ns2.example.net"
+ in a <command>server-names</command> option,
+ the following RRs will be internally configured.
+ </para>
+<programlisting>example.com. NS ns1.example.net.
+example.com. NS ns2.example.net.
+</programlisting>
+ <para>
+ These records are internally used to resolve
+ names under the static-stub zone.
+ For instance, if the server receives a query for
+ "www.example.com" with the RD bit on, the server
+ initiate recursive resolution,
+ resolve "ns1.example.net" and/or
+ "ns2.example.net" to IP addresses, and then send
+ queries to (one or more of) these addresses.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term><command>sig-validity-interval</command></term>
<listitem>
<para>
@@ -9753,6 +11226,56 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
</varlistentry>
<varlistentry>
+ <term><command>auto-dnssec</command></term>
+ <listitem>
+ <para>
+ Zones configured for dynamic DNS may also use this
+ option to allow varying levels of automatic DNSSEC key
+ management. There are three possible settings:
+ </para>
+ <para>
+ <command>auto-dnssec allow;</command> permits
+ keys to be updated and the zone fully re-signed
+ whenever the user issues the command <command>rndc sign
+ <replaceable>zonename</replaceable></command>.
+ </para>
+ <para>
+ <command>auto-dnssec maintain;</command> includes the
+ above, but also automatically adjusts the zone's DNSSEC
+ keys on schedule, according to the keys' timing metadata
+ (see <xref linkend="man.dnssec-keygen"/> and
+ <xref linkend="man.dnssec-settime"/>). The command
+ <command>rndc sign
+ <replaceable>zonename</replaceable></command> causes
+ <command>named</command> to load keys from the key
+ repository and sign the zone with all keys that are
+ active.
+ <command>rndc loadkeys
+ <replaceable>zonename</replaceable></command> causes
+ <command>named</command> to load keys from the key
+ repository and schedule key maintenance events to occur
+ in the future, but it does not sign the full zone
+ immediately. Note: once keys have been loaded for a
+ zone the first time, the repository will be searched
+ for changes periodically, regardless of whether
+ <command>rndc loadkeys</command> is used. The recheck
+ interval is hard-coded to
+ one hour.
+ </para>
+ <para>
+ <command>auto-dnssec create;</command> includes the
+ above, but also allows <command>named</command>
+ to create new keys in the key repository when needed.
+ (NOTE: This option is not yet implemented; the syntax is
+ being reserved for future use.)
+ </para>
+ <para>
+ The default setting is <command>auto-dnssec off</command>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term><command>multi-master</command></term>
<listitem>
<para>
@@ -9772,6 +11295,16 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
</listitem>
</varlistentry>
+ <varlistentry>
+ <term><command>dnssec-secure-to-insecure</command></term>
+ <listitem>
+ <para>
+ See the description of
+ <command>dnssec-secure-to-insecure</command> in <xref linkend="boolean_options"/>.
+ </para>
+ </listitem>
+ </varlistentry>
+
</variablelist>
</sect3>
@@ -9790,15 +11323,14 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
record of any name in the zone.
</para>
<para>
- The <command>update-policy</command> clause is new
- in <acronym>BIND</acronym> 9 and allows more fine-grained
- control over what updates are allowed. A set of rules
- is specified, where each rule either grants or denies
- permissions for one or more names to be updated by
- one or more identities. If the dynamic update request
- message is signed (that is, it includes either a TSIG
- or SIG(0) record), the identity of the signer can be
- determined.
+ The <command>update-policy</command> clause
+ allows more fine-grained control over what updates are
+ allowed. A set of rules is specified, where each rule
+ either grants or denies permissions for one or more
+ names to be updated by one or more identities. If
+ the dynamic update request message is signed (that is,
+ it includes either a TSIG or SIG(0) record), the
+ identity of the signer can be determined.
</para>
<para>
Rules are specified in the <command>update-policy</command>
@@ -9810,24 +11342,53 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
only examines the signer of a message; the source
address is not relevant.
</para>
+ <para>
+ There is a pre-defined <command>update-policy</command>
+ rule which can be switched on with the command
+ <command>update-policy local;</command>.
+ Switching on this rule in a zone causes
+ <command>named</command> to generate a TSIG session
+ key and place it in a file, and to allow that key
+ to update the zone. (By default, the file is
+ <filename>/var/run/named/session.key</filename>, the key
+ name is "local-ddns" and the key algorithm is HMAC-SHA256,
+ but these values are configurable with the
+ <command>session-keyfile</command>,
+ <command>session-keyname</command> and
+ <command>session-keyalg</command> options, respectively).
+ </para>
+ <para>
+ A client running on the local system, and with appropriate
+ permissions, may read that file and use the key to sign update
+ requests. The zone's update policy will be set to allow that
+ key to change any record within the zone. Assuming the
+ key name is "local-ddns", this policy is equivalent to:
+ </para>
+
+ <programlisting>update-policy { grant local-ddns zonesub any; };
+ </programlisting>
+
+ <para>
+ The command <command>nsupdate -l</command> sends update
+ requests to localhost, and signs them using the session key.
+ </para>
<para>
- This is how a rule definition looks:
+ Other rule definitions look like this:
</para>
<programlisting>
-( <command>grant</command> | <command>deny</command> ) <replaceable>identity</replaceable> <replaceable>nametype</replaceable> <replaceable>name</replaceable> <optional> <replaceable>types</replaceable> </optional>
+( <command>grant</command> | <command>deny</command> ) <replaceable>identity</replaceable> <replaceable>nametype</replaceable> <optional> <replaceable>name</replaceable> </optional> <optional> <replaceable>types</replaceable> </optional>
</programlisting>
<para>
Each rule grants or denies privileges. Once a message has
successfully matched a rule, the operation is immediately
- granted
- or denied and no further rules are examined. A rule is matched
- when the signer matches the identity field, the name matches the
- name field in accordance with the nametype field, and the type
- matches
- the types specified in the type field.
+ granted or denied and no further rules are examined. A rule
+ is matched when the signer matches the identity field, the
+ name matches the name field in accordance with the nametype
+ field, and the type matches the types specified in the type
+ field.
</para>
<para>
No signer is required for <replaceable>tcp-self</replaceable>
@@ -9860,7 +11421,7 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
the Windows or Kerberos realm of the machine belongs to.
</para>
<para>
- The <replaceable>nametype</replaceable> field has 12
+ The <replaceable>nametype</replaceable> field has 13
values:
<varname>name</varname>, <varname>subdomain</varname>,
<varname>wildcard</varname>, <varname>self</varname>,
@@ -9868,7 +11429,8 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
<varname>krb5-self</varname>, <varname>ms-self</varname>,
<varname>krb5-subdomain</varname>,
<varname>ms-subdomain</varname>,
- <varname>tcp-self</varname> and <varname>6to4-self</varname>.
+ <varname>tcp-self</varname>, <varname>6to4-self</varname>,
+ <varname>zonesub</varname>, and <varname>external</varname>.
</para>
<informaltable>
<tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="4Level-table">
@@ -9906,6 +11468,28 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
<row rowsep="0">
<entry colname="1">
<para>
+ <varname>zonesub</varname>
+ </para>
+ </entry> <entry colname="2">
+ <para>
+ This rule is similar to subdomain, except that
+ it matches when the name being updated is a
+ subdomain of the zone in which the
+ <command>update-policy</command> statement
+ appears. This obviates the need to type the zone
+ name twice, and enables the use of a standard
+ <command>update-policy</command> statement in
+ multiple zones without modification.
+ </para>
+ <para>
+ When this rule is used, the
+ <replaceable>name</replaceable> field is omitted.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para>
<varname>wildcard</varname>
</para>
</entry> <entry colname="2">
@@ -10057,7 +11641,7 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
</entry> <entry colname="2">
<para>
Allow the 6to4 prefix to be update by any TCP
- conection from the 6to4 network or from the
+ connection from the 6to4 network or from the
corresponding IPv4 address. This is intended
to allow NS or DNAME RRsets to be added to the
reverse tree.
@@ -10068,14 +11652,56 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
</note>
</entry>
</row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para>
+ <varname>external</varname>
+ </para>
+ </entry> <entry colname="2">
+ <para>
+ This rule allows <command>named</command>
+ to defer the decision of whether to allow a
+ given update to an external daemon.
+ </para>
+ <para>
+ The method of communicating with the daemon is
+ specified in the <replaceable>identity</replaceable>
+ field, the format of which is
+ "<constant>local:</constant><replaceable>path</replaceable>",
+ where <replaceable>path</replaceable> is the location
+ of a UNIX-domain socket. (Currently, "local" is the
+ only supported mechanism.)
+ </para>
+ <para>
+ Requests to the external daemon are sent over the
+ UNIX-domain socket as datagrams with the following
+ format:
+ </para>
+ <programlisting>
+ Protocol version number (4 bytes, network byte order, currently 1)
+ Request length (4 bytes, network byte order)
+ Signer (null-terminated string)
+ Name (null-terminated string)
+ TCP source address (null-terminated string)
+ Rdata type (null-terminated string)
+ Key (null-terminated string)
+ TKEY token length (4 bytes, network byte order)
+ TKEY token (remainder of packet)</programlisting>
+ <para>
+ The daemon replies with a four-byte value in
+ network byte order, containing either 0 or 1; 0
+ indicates that the specified update is not
+ permitted, and 1 indicates that it is.
+ </para>
+ </entry>
+ </row>
</tbody>
</tgroup>
</informaltable>
<para>
In all cases, the <replaceable>name</replaceable>
- field must
- specify a fully-qualified domain name.
+ field must specify a fully-qualified domain name.
</para>
<para>
@@ -11488,7 +13114,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
</para>
<programlisting>$ORIGIN 0.0.192.IN-ADDR.ARPA.
-$GENERATE 1-2 0 NS SERVER$.EXAMPLE.
+$GENERATE 1-2 @ NS SERVER$.EXAMPLE.
$GENERATE 1-127 $ CNAME $.0</programlisting>
<para>
@@ -11503,6 +13129,32 @@ $GENERATE 1-127 $ CNAME $.0</programlisting>
127.0.0.192.IN-ADDR.ARPA. CNAME 127.0.0.0.192.IN-ADDR.ARPA.
</programlisting>
+ <para>
+ Generate a set of A and MX records. Note the MX's right hand
+ side is a quoted string. The quotes will be stripped when the
+ right hand side is processed.
+ </para>
+
+<programlisting>
+$ORIGIN EXAMPLE.
+$GENERATE 1-127 HOST-$ A 1.2.3.$
+$GENERATE 1-127 HOST-$ MX "0 ."</programlisting>
+
+ <para>
+ is equivalent to
+ </para>
+
+<programlisting>HOST-1.EXAMPLE. A 1.2.3.1
+HOST-1.EXAMPLE. MX 0 .
+HOST-2.EXAMPLE. A 1.2.3.2
+HOST-2.EXAMPLE. MX 0 .
+HOST-3.EXAMPLE. A 1.2.3.3
+HOST-3.EXAMPLE. MX 0 .
+...
+HOST-127.EXAMPLE. A 1.2.3.127
+HOST-127.EXAMPLE. MX 0 .
+</programlisting>
+
<informaltable colsep="0" rowsep="0">
<tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="3Level-table">
<colspec colname="1" colnum="1" colsep="0" colwidth="0.875in"/>
@@ -11552,20 +13204,30 @@ $GENERATE 1-127 $ CNAME $.0</programlisting>
Available output forms are decimal
(<command>d</command>), octal
- (<command>o</command>) and hexadecimal
+ (<command>o</command>), hexadecimal
(<command>x</command> or <command>X</command>
- for uppercase). The default modifier is
+ for uppercase) and nibble
+ (<command>n</command> or <command>N</command>\
+ for uppercase). The default modifier is
<command>${0,0,d}</command>. If the
<command>lhs</command> is not absolute, the
current <command>$ORIGIN</command> is appended
to the name.
</para>
- <para>
- For compatibility with earlier versions, <command>$$</command> is still
- recognized as indicating a literal $ in the output.
- </para>
- </entry>
- </row>
+ <para>
+ In nibble mode the value will be treated as
+ if it was a reversed hexadecimal string
+ with each hexadecimal digit as a separate
+ label. The width field includes the label
+ separator.
+ </para>
+ <para>
+ For compatibility with earlier versions,
+ <command>$$</command> is still recognized as
+ indicating a literal $ in the output.
+ </para>
+ </entry>
+ </row>
<row rowsep="0">
<entry colname="1">
<para><command>ttl</command></para>
@@ -11604,8 +13266,7 @@ $GENERATE 1-127 $ CNAME $.0</programlisting>
</entry>
<entry colname="2">
<para>
- At present the only supported types are
- PTR, CNAME, DNAME, A, AAAA and NS.
+ Any valid type.
</para>
</entry>
</row>
@@ -11615,8 +13276,7 @@ $GENERATE 1-127 $ CNAME $.0</programlisting>
</entry>
<entry colname="2">
<para>
- <command>rhs</command> is a domain name. It is processed
- similarly to lhs.
+ <command>rhs</command>, optionally, quoted string.
</para>
</entry>
</row>
@@ -11775,9 +13435,12 @@ $GENERATE 1-127 $ CNAME $.0</programlisting>
</entry>
<entry colname="2">
<para>
- The number of RRsets per RR type (positive
- or negative) and nonexistent names stored in the
- cache database.
+ The number of RRsets per RR type and nonexistent
+ names stored in the cache database.
+ If the exclamation mark (!) is printed for a RR
+ type, it means that particular type of RRset is
+ known to be nonexistent (this is also known as
+ "NXRRSET").
Maintained per view.
</para>
</entry>
@@ -12746,6 +14409,13 @@ $GENERATE 1-127 $ CNAME $.0</programlisting>
<entry colname="3">
<para>
Mismatch responses received.
+ The DNS ID, response's source address,
+ and/or the response's source port does not
+ match what was expected.
+ (The port must be 53 or as defined by
+ the <command>port</command> option.)
+ This may be an indication of a cache
+ poisoning attempt.
</para>
</entry>
</row>
@@ -13213,14 +14883,16 @@ $GENERATE 1-127 $ CNAME $.0</programlisting>
</para>
<programlisting>
-// Set up an ACL named "bogusnets" that will block RFC1918 space
-// and some reserved space, which is commonly used in spoofing attacks.
+// Set up an ACL named "bogusnets" that will block
+// RFC1918 space and some reserved space, which is
+// commonly used in spoofing attacks.
acl bogusnets {
- 0.0.0.0/8; 192.0.2.0/24; 224.0.0.0/3;
- 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16;
+ 0.0.0.0/8; 192.0.2.0/24; 224.0.0.0/3;
+ 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16;
};
-// Set up an ACL called our-nets. Replace this with the real IP numbers.
+// Set up an ACL called our-nets. Replace this with the
+// real IP numbers.
acl our-nets { x.x.x.x/24; x.x.x.x/21; };
options {
...
@@ -14863,8 +16535,12 @@ zone "example.com" {
</bibliography>
</sect2>
</sect1>
+
+ <xi:include href="libdns.xml"/>
+
</appendix>
+
<reference id="Bv9ARM.ch10">
<title>Manual pages</title>
<xi:include href="../../bin/dig/dig.docbook"/>
@@ -14872,15 +16548,23 @@ zone "example.com" {
<xi:include href="../../bin/dnssec/dnssec-dsfromkey.docbook"/>
<xi:include href="../../bin/dnssec/dnssec-keyfromlabel.docbook"/>
<xi:include href="../../bin/dnssec/dnssec-keygen.docbook"/>
+ <xi:include href="../../bin/dnssec/dnssec-revoke.docbook"/>
+ <xi:include href="../../bin/dnssec/dnssec-settime.docbook"/>
<xi:include href="../../bin/dnssec/dnssec-signzone.docbook"/>
<xi:include href="../../bin/check/named-checkconf.docbook"/>
<xi:include href="../../bin/check/named-checkzone.docbook"/>
<xi:include href="../../bin/named/named.docbook"/>
+ <xi:include href="../../bin/tools/named-journalprint.docbook"/>
<!-- named.conf.docbook and others? -->
<xi:include href="../../bin/nsupdate/nsupdate.docbook"/>
<xi:include href="../../bin/rndc/rndc.docbook"/>
<xi:include href="../../bin/rndc/rndc.conf.docbook"/>
- <xi:include href="../../bin/rndc/rndc-confgen.docbook"/>
+ <xi:include href="../../bin/confgen/rndc-confgen.docbook"/>
+ <xi:include href="../../bin/confgen/ddns-confgen.docbook"/>
+ <xi:include href="../../bin/tools/arpaname.docbook"/>
+ <xi:include href="../../bin/tools/genrandom.docbook"/>
+ <xi:include href="../../bin/tools/isc-hmac-fixup.docbook"/>
+ <xi:include href="../../bin/tools/nsec3hash.docbook"/>
</reference>
</book>
diff --git a/contrib/bind9/doc/arm/Bv9ARM.ch01.html b/contrib/bind9/doc/arm/Bv9ARM.ch01.html
index 1634bbcec13f..420d7b355996 100644
--- a/contrib/bind9/doc/arm/Bv9ARM.ch01.html
+++ b/contrib/bind9/doc/arm/Bv9ARM.ch01.html
@@ -45,17 +45,17 @@
<div class="toc">
<p><b>Table of Contents</b></p>
<dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564374">Scope of Document</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564397">Organization of This Document</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564537">Conventions Used in This Document</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564718">The Domain Name System (<acronym class="acronym">DNS</acronym>)</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564375">Scope of Document</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564398">Organization of This Document</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564538">Conventions Used in This Document</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564720">The Domain Name System (<acronym class="acronym">DNS</acronym>)</a></span></dt>
<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2564740">DNS Fundamentals</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2564774">Domains and Domain Names</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567179">Zones</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567256">Authoritative Name Servers</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567429">Caching Name Servers</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567559">Name Servers in Multiple Roles</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2564741">DNS Fundamentals</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2564775">Domains and Domain Names</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567180">Zones</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567257">Authoritative Name Servers</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567430">Caching Name Servers</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567560">Name Servers in Multiple Roles</a></span></dt>
</dl></dd>
</dl>
</div>
@@ -71,7 +71,7 @@
</p>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2564374"></a>Scope of Document</h2></div></div></div>
+<a name="id2564375"></a>Scope of Document</h2></div></div></div>
<p>
The Berkeley Internet Name Domain
(<acronym class="acronym">BIND</acronym>) implements a
@@ -82,12 +82,12 @@
system administrators.
</p>
<p>
- This version of the manual corresponds to BIND version 9.6.
+ This version of the manual corresponds to BIND version 9.8.
</p>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2564397"></a>Organization of This Document</h2></div></div></div>
+<a name="id2564398"></a>Organization of This Document</h2></div></div></div>
<p>
In this document, <span class="emphasis"><em>Chapter 1</em></span> introduces
the basic <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym> concepts. <span class="emphasis"><em>Chapter 2</em></span>
@@ -116,7 +116,7 @@
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2564537"></a>Conventions Used in This Document</h2></div></div></div>
+<a name="id2564538"></a>Conventions Used in This Document</h2></div></div></div>
<p>
In this document, we use the following general typographic
conventions:
@@ -243,7 +243,7 @@
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2564718"></a>The Domain Name System (<acronym class="acronym">DNS</acronym>)</h2></div></div></div>
+<a name="id2564720"></a>The Domain Name System (<acronym class="acronym">DNS</acronym>)</h2></div></div></div>
<p>
The purpose of this document is to explain the installation
and upkeep of the <acronym class="acronym">BIND</acronym> (Berkeley Internet
@@ -253,7 +253,7 @@
</p>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2564740"></a>DNS Fundamentals</h3></div></div></div>
+<a name="id2564741"></a>DNS Fundamentals</h3></div></div></div>
<p>
The Domain Name System (DNS) is a hierarchical, distributed
database. It stores information for mapping Internet host names to
@@ -275,7 +275,7 @@
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2564774"></a>Domains and Domain Names</h3></div></div></div>
+<a name="id2564775"></a>Domains and Domain Names</h3></div></div></div>
<p>
The data stored in the DNS is identified by <span class="emphasis"><em>domain names</em></span> that are organized as a tree according to
organizational or administrative boundaries. Each node of the tree,
@@ -321,7 +321,7 @@
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2567179"></a>Zones</h3></div></div></div>
+<a name="id2567180"></a>Zones</h3></div></div></div>
<p>
To properly operate a name server, it is important to understand
the difference between a <span class="emphasis"><em>zone</em></span>
@@ -374,7 +374,7 @@
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2567256"></a>Authoritative Name Servers</h3></div></div></div>
+<a name="id2567257"></a>Authoritative Name Servers</h3></div></div></div>
<p>
Each zone is served by at least
one <span class="emphasis"><em>authoritative name server</em></span>,
@@ -391,7 +391,7 @@
</p>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2567280"></a>The Primary Master</h4></div></div></div>
+<a name="id2567281"></a>The Primary Master</h4></div></div></div>
<p>
The authoritative server where the master copy of the zone
data is maintained is called the
@@ -411,7 +411,7 @@
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2567378"></a>Slave Servers</h4></div></div></div>
+<a name="id2567379"></a>Slave Servers</h4></div></div></div>
<p>
The other authoritative servers, the <span class="emphasis"><em>slave</em></span>
servers (also known as <span class="emphasis"><em>secondary</em></span> servers)
@@ -427,7 +427,7 @@
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2567399"></a>Stealth Servers</h4></div></div></div>
+<a name="id2567400"></a>Stealth Servers</h4></div></div></div>
<p>
Usually all of the zone's authoritative servers are listed in
NS records in the parent zone. These NS records constitute
@@ -462,7 +462,7 @@
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2567429"></a>Caching Name Servers</h3></div></div></div>
+<a name="id2567430"></a>Caching Name Servers</h3></div></div></div>
<p>
The resolver libraries provided by most operating systems are
<span class="emphasis"><em>stub resolvers</em></span>, meaning that they are not
@@ -489,7 +489,7 @@
</p>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2567532"></a>Forwarding</h4></div></div></div>
+<a name="id2567533"></a>Forwarding</h4></div></div></div>
<p>
Even a caching name server does not necessarily perform
the complete recursive lookup itself. Instead, it can
@@ -516,7 +516,7 @@
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2567559"></a>Name Servers in Multiple Roles</h3></div></div></div>
+<a name="id2567560"></a>Name Servers in Multiple Roles</h3></div></div></div>
<p>
The <acronym class="acronym">BIND</acronym> name server can
simultaneously act as
diff --git a/contrib/bind9/doc/arm/Bv9ARM.ch02.html b/contrib/bind9/doc/arm/Bv9ARM.ch02.html
index 1b24a5a2de4b..296578197166 100644
--- a/contrib/bind9/doc/arm/Bv9ARM.ch02.html
+++ b/contrib/bind9/doc/arm/Bv9ARM.ch02.html
@@ -45,16 +45,16 @@
<div class="toc">
<p><b>Table of Contents</b></p>
<dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567593">Hardware requirements</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567620">CPU Requirements</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567633">Memory Requirements</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567728">Name Server Intensive Environment Issues</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567738">Supported Operating Systems</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567594">Hardware requirements</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567621">CPU Requirements</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567634">Memory Requirements</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567729">Name Server Intensive Environment Issues</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567739">Supported Operating Systems</a></span></dt>
</dl>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2567593"></a>Hardware requirements</h2></div></div></div>
+<a name="id2567594"></a>Hardware requirements</h2></div></div></div>
<p>
<acronym class="acronym">DNS</acronym> hardware requirements have
traditionally been quite modest.
@@ -73,7 +73,7 @@
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2567620"></a>CPU Requirements</h2></div></div></div>
+<a name="id2567621"></a>CPU Requirements</h2></div></div></div>
<p>
CPU requirements for <acronym class="acronym">BIND</acronym> 9 range from
i486-class machines
@@ -84,7 +84,7 @@
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2567633"></a>Memory Requirements</h2></div></div></div>
+<a name="id2567634"></a>Memory Requirements</h2></div></div></div>
<p>
The memory of the server has to be large enough to fit the
cache and zones loaded off disk. The <span><strong class="command">max-cache-size</strong></span>
@@ -107,7 +107,7 @@
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2567728"></a>Name Server Intensive Environment Issues</h2></div></div></div>
+<a name="id2567729"></a>Name Server Intensive Environment Issues</h2></div></div></div>
<p>
For name server intensive environments, there are two alternative
configurations that may be used. The first is where clients and
@@ -124,13 +124,13 @@
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2567738"></a>Supported Operating Systems</h2></div></div></div>
+<a name="id2567739"></a>Supported Operating Systems</h2></div></div></div>
<p>
ISC <acronym class="acronym">BIND</acronym> 9 compiles and runs on a large
number
- of Unix-like operating systems and on NT-derived versions of
- Microsoft Windows such as Windows 2000 and Windows XP. For an
- up-to-date
+ of Unix-like operating systems and on
+ Microsoft Windows Server 2003 and 2008, and Windows XP and Vista.
+ For an up-to-date
list of supported systems, see the README file in the top level
directory
of the BIND 9 source distribution.
diff --git a/contrib/bind9/doc/arm/Bv9ARM.ch03.html b/contrib/bind9/doc/arm/Bv9ARM.ch03.html
index 0828f81c87c0..32000b188659 100644
--- a/contrib/bind9/doc/arm/Bv9ARM.ch03.html
+++ b/contrib/bind9/doc/arm/Bv9ARM.ch03.html
@@ -47,14 +47,14 @@
<dl>
<dt><span class="sect1"><a href="Bv9ARM.ch03.html#sample_configuration">Sample Configurations</a></span></dt>
<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2567770">A Caching-only Name Server</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2567991">An Authoritative-only Name Server</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2567771">A Caching-only Name Server</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2567992">An Authoritative-only Name Server</a></span></dt>
</dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2568013">Load Balancing</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2568368">Name Server Operations</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2568014">Load Balancing</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2568369">Name Server Operations</a></span></dt>
<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2568373">Tools for Use With the Name Server Daemon</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2570119">Signals</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2568374">Tools for Use With the Name Server Daemon</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2570421">Signals</a></span></dt>
</dl></dd>
</dl>
</div>
@@ -68,7 +68,7 @@
<a name="sample_configuration"></a>Sample Configurations</h2></div></div></div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2567770"></a>A Caching-only Name Server</h3></div></div></div>
+<a name="id2567771"></a>A Caching-only Name Server</h3></div></div></div>
<p>
The following sample configuration is appropriate for a caching-only
name server for use by clients internal to a corporation. All
@@ -82,10 +82,13 @@
// Two corporate subnets we wish to allow queries from.
acl corpnets { 192.168.4.0/24; 192.168.7.0/24; };
options {
- directory "/etc/namedb"; // Working directory
+ // Working directory
+ directory "/etc/namedb";
+
allow-query { corpnets; };
};
-// Provide a reverse mapping for the loopback address 127.0.0.1
+// Provide a reverse mapping for the loopback
+// address 127.0.0.1
zone "0.0.127.in-addr.arpa" {
type master;
file "localhost.rev";
@@ -95,7 +98,7 @@ zone "0.0.127.in-addr.arpa" {
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2567991"></a>An Authoritative-only Name Server</h3></div></div></div>
+<a name="id2567992"></a>An Authoritative-only Name Server</h3></div></div></div>
<p>
This sample configuration is for an authoritative-only server
that is the master server for "<code class="filename">example.com</code>"
@@ -103,13 +106,18 @@ zone "0.0.127.in-addr.arpa" {
</p>
<pre class="programlisting">
options {
- directory "/etc/namedb"; // Working directory
- allow-query-cache { none; }; // Do not allow access to cache
- allow-query { any; }; // This is the default
- recursion no; // Do not provide recursive service
+ // Working directory
+ directory "/etc/namedb";
+ // Do not allow access to cache
+ allow-query-cache { none; };
+ // This is the default
+ allow-query { any; };
+ // Do not provide recursive service
+ recursion no;
};
-// Provide a reverse mapping for the loopback address 127.0.0.1
+// Provide a reverse mapping for the loopback
+// address 127.0.0.1
zone "0.0.127.in-addr.arpa" {
type master;
file "localhost.rev";
@@ -119,7 +127,8 @@ zone "0.0.127.in-addr.arpa" {
zone "example.com" {
type master;
file "example.com.db";
- // IP addresses of slave servers allowed to transfer example.com
+ // IP addresses of slave servers allowed to
+ // transfer example.com
allow-transfer {
192.168.4.14;
192.168.5.53;
@@ -137,7 +146,7 @@ zone "eng.example.com" {
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2568013"></a>Load Balancing</h2></div></div></div>
+<a name="id2568014"></a>Load Balancing</h2></div></div></div>
<p>
A primitive form of load balancing can be achieved in
the <acronym class="acronym">DNS</acronym> by using multiple records
@@ -280,10 +289,10 @@ zone "eng.example.com" {
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2568368"></a>Name Server Operations</h2></div></div></div>
+<a name="id2568369"></a>Name Server Operations</h2></div></div></div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2568373"></a>Tools for Use With the Name Server Daemon</h3></div></div></div>
+<a name="id2568374"></a>Tools for Use With the Name Server Daemon</h3></div></div></div>
<p>
This section describes several indispensable diagnostic,
administrative and monitoring tools available to the system
@@ -463,6 +472,60 @@ zone "eng.example.com" {
<dd><p>
Retransfer the given zone from the master.
</p></dd>
+<dt><span class="term"><strong class="userinput"><code>sign <em class="replaceable"><code>zone</code></em>
+ [<span class="optional"><em class="replaceable"><code>class</code></em>
+ [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
+<dd>
+<p>
+ Fetch all DNSSEC keys for the given zone
+ from the key directory (see
+ <span><strong class="command">key-directory</strong></span> in
+ <a href="Bv9ARM.ch06.html#options" title="options Statement Definition and
+ Usage">the section called &#8220;<span><strong class="command">options</strong></span> Statement Definition and
+ Usage&#8221;</a>). If they are within
+ their publication period, merge them into the
+ zone's DNSKEY RRset. If the DNSKEY RRset
+ is changed, then the zone is automatically
+ re-signed with the new key set.
+ </p>
+<p>
+ This command requires that the
+ <span><strong class="command">auto-dnssec</strong></span> zone option be set
+ to <code class="literal">allow</code> or
+ <code class="literal">maintain</code>,
+ and also requires the zone to be configured to
+ allow dynamic DNS.
+ See <a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called &#8220;Dynamic Update Policies&#8221;</a> for
+ more details.
+ </p>
+</dd>
+<dt><span class="term"><strong class="userinput"><code>loadkeys <em class="replaceable"><code>zone</code></em>
+ [<span class="optional"><em class="replaceable"><code>class</code></em>
+ [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
+<dd>
+<p>
+ Fetch all DNSSEC keys for the given zone
+ from the key directory (see
+ <span><strong class="command">key-directory</strong></span> in
+ <a href="Bv9ARM.ch06.html#options" title="options Statement Definition and
+ Usage">the section called &#8220;<span><strong class="command">options</strong></span> Statement Definition and
+ Usage&#8221;</a>). If they are within
+ their publication period, merge them into the
+ zone's DNSKEY RRset. Unlike <span><strong class="command">rndc
+ sign</strong></span>, however, the zone is not
+ immediately re-signed by the new keys, but is
+ allowed to incrementally re-sign over time.
+ </p>
+<p>
+ This command requires that the
+ <span><strong class="command">auto-dnssec</strong></span> zone option
+ be set to <code class="literal">maintain</code>,
+ and also requires the zone to be configured to
+ allow dynamic DNS.
+ See <a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called &#8220;Dynamic Update Policies&#8221;</a> for
+ more details.
+ </p>
+</dd>
<dt><span class="term"><strong class="userinput"><code>freeze
[<span class="optional"><em class="replaceable"><code>zone</code></em>
[<span class="optional"><em class="replaceable"><code>class</code></em>
@@ -536,6 +599,14 @@ zone "eng.example.com" {
specified, all
views are dumped.
</p></dd>
+<dt><span class="term"><strong class="userinput"><code>secroots
+ [<span class="optional"><em class="replaceable"><code>view ...</code></em></span>]</code></strong></span></dt>
+<dd><p>
+ Dump the server's security roots to the secroots
+ file for the specified views. If no view is
+ specified, security roots for all
+ views are dumped.
+ </p></dd>
<dt><span class="term"><strong class="userinput"><code>stop [<span class="optional">-p</span>]</code></strong></span></dt>
<dd><p>
Stop the server, making sure any recent changes
@@ -584,21 +655,6 @@ zone "eng.example.com" {
hint zone if there is not an
explicit root zone configured.
</p></dd>
-<dt><span class="term"><strong class="userinput"><code>tsig-list</code></strong></span></dt>
-<dd><p>
- List the names of all TSIG keys currently configured
- for use by <span><strong class="command">named</strong></span> in each view. The
- list both statically configured keys and dynamic
- TKEY-negotiated keys.
- </p></dd>
-<dt><span class="term"><strong class="userinput"><code>tsig-delete</code></strong>
- <em class="replaceable"><code>keyname</code></em>
- [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span></dt>
-<dd><p>
- Delete a given TKEY-negotated key from the server.
- (This does not apply to statically configured TSIG
- keys.)
- </p></dd>
<dt><span class="term"><strong class="userinput"><code>recursing</code></strong></span></dt>
<dd><p>
Dump the list of queries <span><strong class="command">named</strong></span> is currently recursing
@@ -614,6 +670,72 @@ zone "eng.example.com" {
set to <strong class="userinput"><code>yes</code></strong> to be effective.
It defaults to enabled.
</p></dd>
+<dt><span class="term"><strong class="userinput"><code>tsig-list</code></strong></span></dt>
+<dd><p>
+ List the names of all TSIG keys currently configured
+ for use by <span><strong class="command">named</strong></span> in each view. The
+ list both statically configured keys and dynamic
+ TKEY-negotiated keys.
+ </p></dd>
+<dt><span class="term"><strong class="userinput"><code>tsig-delete</code></strong>
+ <em class="replaceable"><code>keyname</code></em>
+ [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span></dt>
+<dd><p>
+ Delete a given TKEY-negotated key from the server.
+ (This does not apply to statically configured TSIG
+ keys.)
+ </p></dd>
+<dt><span class="term"><strong class="userinput"><code>addzone
+ <em class="replaceable"><code>zone</code></em>
+ [<span class="optional"><em class="replaceable"><code>class</code></em>
+ [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]
+ <em class="replaceable"><code>configuration</code></em>
+ </code></strong></span></dt>
+<dd>
+<p>
+ Add a zone while the server is running. This
+ command requires the
+ <span><strong class="command">allow-new-zones</strong></span> option to be set
+ to <strong class="userinput"><code>yes</code></strong>. The
+ <em class="replaceable"><code>configuration</code></em> string
+ specified on the command line is the zone
+ configuration text that would ordinarily be
+ placed in <code class="filename">named.conf</code>.
+ </p>
+<p>
+ The configuration is saved in a file called
+ <code class="filename"><em class="replaceable"><code>hash</code></em>.nzf</code>,
+ where <em class="replaceable"><code>hash</code></em> is a
+ cryptographic hash generated from the name of
+ the view. When <span><strong class="command">named</strong></span> is
+ restarted, the file will be loaded into the view
+ configuration, so that zones that were added
+ can persist after a restart.
+ </p>
+<p>
+ This sample <span><strong class="command">addzone</strong></span> command
+ would add the zone <code class="literal">example.com</code>
+ to the default view:
+ </p>
+<p>
+<code class="prompt">$ </code><strong class="userinput"><code>rndc addzone example.com '{ type master; file "example.com.db"; };'</code></strong>
+ </p>
+<p>
+ (Note the brackets and semi-colon around the zone
+ configuration text.)
+ </p>
+</dd>
+<dt><span class="term"><strong class="userinput"><code>delzone
+ <em class="replaceable"><code>zone</code></em>
+ [<span class="optional"><em class="replaceable"><code>class</code></em>
+ [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]
+ </code></strong></span></dt>
+<dd><p>
+ Delete a zone while the server is running.
+ Only zones that were originally added via
+ <span><strong class="command">rndc addzone</strong></span> can be deleted
+ in this matter.
+ </p></dd>
</dl></div>
<p>
A configuration file is required, since all
@@ -714,7 +836,8 @@ zone "eng.example.com" {
<pre class="programlisting">
key rndc_key {
algorithm "hmac-md5";
- secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
+ secret
+ "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
};
options {
default-server 127.0.0.1;
@@ -736,7 +859,8 @@ options {
</p>
<pre class="programlisting">
controls {
- inet 127.0.0.1 allow { localhost; } keys { rndc_key; };
+ inet 127.0.0.1
+ allow { localhost; } keys { rndc_key; };
};
</pre>
<p>
@@ -764,7 +888,7 @@ controls {
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2570119"></a>Signals</h3></div></div></div>
+<a name="id2570421"></a>Signals</h3></div></div></div>
<p>
Certain UNIX signals cause the name server to take specific
actions, as described in the following table. These signals can
diff --git a/contrib/bind9/doc/arm/Bv9ARM.ch04.html b/contrib/bind9/doc/arm/Bv9ARM.ch04.html
index 2fa3b2b911e2..8e77a6b42b30 100644
--- a/contrib/bind9/doc/arm/Bv9ARM.ch04.html
+++ b/contrib/bind9/doc/arm/Bv9ARM.ch04.html
@@ -49,29 +49,59 @@
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#dynamic_update">Dynamic Update</a></span></dt>
<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#journal">The journal file</a></span></dt></dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#incremental_zone_transfers">Incremental Zone Transfers (IXFR)</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2570544">Split DNS</a></span></dt>
-<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570562">Example split DNS setup</a></span></dt></dl></dd>
+<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2570934">Split DNS</a></span></dt>
+<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570952">Example split DNS setup</a></span></dt></dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#tsig">TSIG</a></span></dt>
<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571065">Generate Shared Keys for Each Pair of Hosts</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571207">Copying the Shared Secret to Both Machines</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571218">Informing the Servers of the Key's Existence</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571254">Instructing the Server to Use the Key</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571380">TSIG Key Based Access Control</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571496">Errors</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2564012">Generate Shared Keys for Each Pair of Hosts</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2564086">Copying the Shared Secret to Both Machines</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571811">Informing the Servers of the Key's Existence</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571847">Instructing the Server to Use the Key</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571905">TSIG Key Based Access Control</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571954">Errors</a></span></dt>
</dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571510">TKEY</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571696">SIG(0)</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571968">TKEY</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2572153">SIG(0)</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#DNSSEC">DNSSEC</a></span></dt>
<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571764">Generating Keys</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571843">Signing the Zone</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571924">Configuring Servers</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572221">Generating Keys</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572300">Signing the Zone</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572381">Configuring Servers</a></span></dt>
</dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2572162">IPv6 Support in <acronym class="acronym">BIND</acronym> 9</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch04.html#dnssec.dynamic.zones">DNSSEC, Dynamic Zones, and Automatic Signing</a></span></dt>
<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572224">Address Lookups Using AAAA Records</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572245">Address to Name Lookups Using Nibble Format</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571475">Converting from insecure to secure</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571512">Dynamic DNS update method</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563493">Fully automatic zone signing</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563575">Private-type records</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563612">DNSKEY rollovers</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563762">Dynamic DNS update method</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563795">Automatic key rollovers</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563821">NSEC3PARAM rollovers via UPDATE</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563899">Converting from NSEC to NSEC3</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563909">Converting from NSEC3 to NSEC</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563922">Converting from secure to insecure</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571605">Periodic re-signing</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571614">NSEC3 and OPTOUT</a></span></dt>
+</dl></dd>
+<dt><span class="sect1"><a href="Bv9ARM.ch04.html#rfc5011.support">Dynamic Trust Anchor Management</a></span></dt>
+<dd><dl>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2607510">Validating Resolver</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571692">Authoritative Server</a></span></dt>
+</dl></dd>
+<dt><span class="sect1"><a href="Bv9ARM.ch04.html#pkcs11">PKCS #11 (Cryptoki) support</a></span></dt>
+<dd><dl>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2610637">Prerequisites</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2608477">Building BIND 9 with PKCS#11</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2608602">PKCS #11 Tools</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2634916">Using the HSM</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2635114">Specifying the engine on the command line</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2635160">Running named with automatic zone re-signing</a></span></dt>
+</dl></dd>
+<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2572669">IPv6 Support in <acronym class="acronym">BIND</acronym> 9</a></span></dt>
+<dd><dl>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572868">Address Lookups Using AAAA Records</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572889">Address to Name Lookups Using Nibble Format</a></span></dt>
</dl></dd>
</dl>
</div>
@@ -113,14 +143,25 @@
</p>
<p>
Dynamic update is enabled by including an
- <span><strong class="command">allow-update</strong></span> or <span><strong class="command">update-policy</strong></span>
- clause in the <span><strong class="command">zone</strong></span> statement. The
- <span><strong class="command">tkey-gssapi-credential</strong></span> and
- <span><strong class="command">tkey-domain</strong></span> clauses in the
- <span><strong class="command">options</strong></span> statement enable the
- server to negotiate keys that can be matched against those
- in <span><strong class="command">update-policy</strong></span> or
- <span><strong class="command">allow-update</strong></span>.
+ <span><strong class="command">allow-update</strong></span> or an <span><strong class="command">update-policy</strong></span>
+ clause in the <span><strong class="command">zone</strong></span> statement.
+ </p>
+<p>
+ If the zone's <span><strong class="command">update-policy</strong></span> is set to
+ <strong class="userinput"><code>local</code></strong>, updates to the zone
+ will be permitted for the key <code class="varname">local-ddns</code>,
+ which will be generated by <span><strong class="command">named</strong></span> at startup.
+ See <a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called &#8220;Dynamic Update Policies&#8221;</a> for more details.
+ </p>
+<p>
+ Dynamic updates using Kerberos signed requests can be made
+ using the TKEY/GSS protocol by setting either the
+ <span><strong class="command">tkey-gssapi-keytab</strong></span> option, or alternatively
+ by setting both the <span><strong class="command">tkey-gssapi-credential</strong></span>
+ and <span><strong class="command">tkey-domain</strong></span> options. Once enabled,
+ Kerberos signed requests will be matched against the update
+ policies for the zone, using the Kerberos principal as the
+ signer for the request.
</p>
<p>
Updating of secure zones (zones using DNSSEC) follows RFC
@@ -217,7 +258,7 @@
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2570544"></a>Split DNS</h2></div></div></div>
+<a name="id2570934"></a>Split DNS</h2></div></div></div>
<p>
Setting up different views, or visibility, of the DNS space to
internal and external resolvers is usually referred to as a
@@ -247,7 +288,7 @@
</p>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2570562"></a>Example split DNS setup</h3></div></div></div>
+<a name="id2570952"></a>Example split DNS setup</h3></div></div></div>
<p>
Let's say a company named <span class="emphasis"><em>Example, Inc.</em></span>
(<code class="literal">example.com</code>)
@@ -277,7 +318,7 @@
and <code class="filename">site2.example.com</code>, to the servers
in the
DMZ. These internal servers will have complete sets of information
- for <code class="filename">site1.example.com</code>, <code class="filename">site2.example.com</code>,<span class="emphasis"><em></em></span> <code class="filename">site1.internal</code>,
+ for <code class="filename">site1.example.com</code>, <code class="filename">site2.example.com</code>, <code class="filename">site1.internal</code>,
and <code class="filename">site2.internal</code>.
</p>
<p>
@@ -375,26 +416,32 @@ options {
...
...
forward only;
- forwarders { // forward to external servers
+ // forward to external servers
+ forwarders {
<code class="varname">bastion-ips-go-here</code>;
};
- allow-transfer { none; }; // sample allow-transfer (no one)
- allow-query { internals; externals; }; // restrict query access
- allow-recursion { internals; }; // restrict recursion
+ // sample allow-transfer (no one)
+ allow-transfer { none; };
+ // restrict query access
+ allow-query { internals; externals; };
+ // restrict recursion
+ allow-recursion { internals; };
...
...
};
-zone "site1.example.com" { // sample master zone
+// sample master zone
+zone "site1.example.com" {
type master;
file "m/site1.example.com";
- forwarders { }; // do normal iterative
- // resolution (do not forward)
+ // do normal iterative resolution (do not forward)
+ forwarders { };
allow-query { internals; externals; };
allow-transfer { internals; };
};
-zone "site2.example.com" { // sample slave zone
+// sample slave zone
+zone "site2.example.com" {
type slave;
file "s/site2.example.com";
masters { 172.16.72.3; };
@@ -431,15 +478,20 @@ acl externals { bastion-ips-go-here; };
options {
...
...
- allow-transfer { none; }; // sample allow-transfer (no one)
- allow-query { any; }; // default query access
- allow-query-cache { internals; externals; }; // restrict cache access
- allow-recursion { internals; externals; }; // restrict recursion
+ // sample allow-transfer (no one)
+ allow-transfer { none; };
+ // default query access
+ allow-query { any; };
+ // restrict cache access
+ allow-query-cache { internals; externals; };
+ // restrict recursion
+ allow-recursion { internals; externals; };
...
...
};
-zone "site1.example.com" { // sample slave zone
+// sample slave zone
+zone "site1.example.com" {
type master;
file "m/site1.foo.com";
allow-transfer { internals; externals; };
@@ -493,7 +545,7 @@ nameserver 172.16.72.4
</p>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2571065"></a>Generate Shared Keys for Each Pair of Hosts</h3></div></div></div>
+<a name="id2564012"></a>Generate Shared Keys for Each Pair of Hosts</h3></div></div></div>
<p>
A shared secret is generated to be shared between <span class="emphasis"><em>host1</em></span> and <span class="emphasis"><em>host2</em></span>.
An arbitrary key name is chosen: "host1-host2.". The key name must
@@ -501,7 +553,7 @@ nameserver 172.16.72.4
</p>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2571082"></a>Automatic Generation</h4></div></div></div>
+<a name="id2564029"></a>Automatic Generation</h4></div></div></div>
<p>
The following command will generate a 128-bit (16 byte) HMAC-SHA256
key as described above. Longer keys are better, but shorter keys
@@ -525,7 +577,7 @@ nameserver 172.16.72.4
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2571121"></a>Manual Generation</h4></div></div></div>
+<a name="id2564068"></a>Manual Generation</h4></div></div></div>
<p>
The shared secret is simply a random sequence of bits, encoded
in base-64. Most ASCII strings are valid base-64 strings (assuming
@@ -540,7 +592,7 @@ nameserver 172.16.72.4
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2571207"></a>Copying the Shared Secret to Both Machines</h3></div></div></div>
+<a name="id2564086"></a>Copying the Shared Secret to Both Machines</h3></div></div></div>
<p>
This is beyond the scope of DNS. A secure transport mechanism
should be used. This could be secure FTP, ssh, telephone, etc.
@@ -548,7 +600,7 @@ nameserver 172.16.72.4
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2571218"></a>Informing the Servers of the Key's Existence</h3></div></div></div>
+<a name="id2571811"></a>Informing the Servers of the Key's Existence</h3></div></div></div>
<p>
Imagine <span class="emphasis"><em>host1</em></span> and <span class="emphasis"><em>host 2</em></span>
are
@@ -575,7 +627,7 @@ key host1-host2. {
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2571254"></a>Instructing the Server to Use the Key</h3></div></div></div>
+<a name="id2571847"></a>Instructing the Server to Use the Key</h3></div></div></div>
<p>
Since keys are shared between two hosts only, the server must
be told when keys are to be used. The following is added to the <code class="filename">named.conf</code> file
@@ -607,7 +659,7 @@ server 10.1.2.3 {
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2571380"></a>TSIG Key Based Access Control</h3></div></div></div>
+<a name="id2571905"></a>TSIG Key Based Access Control</h3></div></div></div>
<p>
<acronym class="acronym">BIND</acronym> allows IP addresses and ranges
to be specified in ACL
@@ -628,14 +680,13 @@ allow-update { key host1-host2. ;};
was signed by a key named "<span><strong class="command">host1-host2.</strong></span>".
</p>
<p>
- You may want to read about the more powerful
- <span><strong class="command">update-policy</strong></span> statement in
- <a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called &#8220;Dynamic Update Policies&#8221;</a>.
+ See <a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called &#8220;Dynamic Update Policies&#8221;</a> for a discussion of
+ the more flexible <span><strong class="command">update-policy</strong></span> statement.
</p>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2571496"></a>Errors</h3></div></div></div>
+<a name="id2571954"></a>Errors</h3></div></div></div>
<p>
The processing of TSIG signed messages can result in
several errors. If a signed message is sent to a non-TSIG aware
@@ -661,7 +712,7 @@ allow-update { key host1-host2. ;};
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2571510"></a>TKEY</h2></div></div></div>
+<a name="id2571968"></a>TKEY</h2></div></div></div>
<p><span><strong class="command">TKEY</strong></span>
is a mechanism for automatically generating a shared secret
between two hosts. There are several "modes" of
@@ -697,7 +748,7 @@ allow-update { key host1-host2. ;};
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2571696"></a>SIG(0)</h2></div></div></div>
+<a name="id2572153"></a>SIG(0)</h2></div></div></div>
<p>
<acronym class="acronym">BIND</acronym> 9 partially supports DNSSEC SIG(0)
transaction signatures as specified in RFC 2535 and RFC 2931.
@@ -758,7 +809,7 @@ allow-update { key host1-host2. ;};
</p>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2571764"></a>Generating Keys</h3></div></div></div>
+<a name="id2572221"></a>Generating Keys</h3></div></div></div>
<p>
The <span><strong class="command">dnssec-keygen</strong></span> program is used to
generate keys.
@@ -814,7 +865,7 @@ allow-update { key host1-host2. ;};
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2571843"></a>Signing the Zone</h3></div></div></div>
+<a name="id2572300"></a>Signing the Zone</h3></div></div></div>
<p>
The <span><strong class="command">dnssec-signzone</strong></span> program is used
to sign a zone.
@@ -856,7 +907,7 @@ allow-update { key host1-host2. ;};
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2571924"></a>Configuring Servers</h3></div></div></div>
+<a name="id2572381"></a>Configuring Servers</h3></div></div></div>
<p>
To enable <span><strong class="command">named</strong></span> to respond appropriately
to DNS requests from DNSSEC aware clients,
@@ -865,12 +916,22 @@ allow-update { key host1-host2. ;};
</p>
<p>
To enable <span><strong class="command">named</strong></span> to validate answers from
- other servers, the <span><strong class="command">dnssec-enable</strong></span> and
- <span><strong class="command">dnssec-validation</strong></span> options must both be
- set to yes (the default setting in <acronym class="acronym">BIND</acronym> 9.5
- and later), and at least one trust anchor must be configured
- with a <span><strong class="command">trusted-keys</strong></span> statement in
- <code class="filename">named.conf</code>.
+ other servers, the <span><strong class="command">dnssec-enable</strong></span> option
+ must be set to <strong class="userinput"><code>yes</code></strong>, and the
+ <span><strong class="command">dnssec-validation</strong></span> options must be set to
+ <strong class="userinput"><code>yes</code></strong> or <strong class="userinput"><code>auto</code></strong>.
+ </p>
+<p>
+ If <span><strong class="command">dnssec-validation</strong></span> is set to
+ <strong class="userinput"><code>auto</code></strong>, then a default
+ trust anchor for the DNS root zone will be used.
+ If it is set to <strong class="userinput"><code>yes</code></strong>, however,
+ then at least one trust anchor must be configured
+ with a <span><strong class="command">trusted-keys</strong></span> or
+ <span><strong class="command">managed-keys</strong></span> statement in
+ <code class="filename">named.conf</code>, or DNSSEC validation
+ will not occur. The default setting is
+ <strong class="userinput"><code>yes</code></strong>.
</p>
<p>
<span><strong class="command">trusted-keys</strong></span> are copies of DNSKEY RRs
@@ -881,7 +942,13 @@ allow-update { key host1-host2. ;};
to validated the DNSKEY RRset that they are from.
</p>
<p>
- <span><strong class="command">trusted-keys</strong></span> are described in more detail
+ <span><strong class="command">managed-keys</strong></span> are trusted keys which are
+ automatically kept up to date via RFC 5011 trust anchor
+ maintenance.
+ </p>
+<p>
+ <span><strong class="command">trusted-keys</strong></span> and
+ <span><strong class="command">managed-keys</strong></span> are described in more detail
later in this document.
</p>
<p>
@@ -892,44 +959,58 @@ allow-update { key host1-host2. ;};
</p>
<p>
After DNSSEC gets established, a typical DNSSEC configuration
- will look something like the following. It has a one or
+ will look something like the following. It has one or
more public keys for the root. This allows answers from
outside the organization to be validated. It will also
have several keys for parts of the namespace the organization
- controls. These are here to ensure that <span><strong class="command">named</strong></span> is immune
- to compromises in the DNSSEC components of the security
+ controls. These are here to ensure that <span><strong class="command">named</strong></span>
+ is immune to compromises in the DNSSEC components of the security
of parent zones.
</p>
<pre class="programlisting">
-trusted-keys {
-
+managed-keys {
/* Root Key */
-"." 257 3 3 "BNY4wrWM1nCfJ+CXd0rVXyYmobt7sEEfK3clRbGaTwSJxrGkxJWoZu6I7PzJu/
- E9gx4UC1zGAHlXKdE4zYIpRhaBKnvcC2U9mZhkdUpd1Vso/HAdjNe8LmMlnzY3
- zy2Xy4klWOADTPzSv9eamj8V18PHGjBLaVtYvk/ln5ZApjYghf+6fElrmLkdaz
- MQ2OCnACR817DF4BBa7UR/beDHyp5iWTXWSi6XmoJLbG9Scqc7l70KDqlvXR3M
- /lUUVRbkeg1IPJSidmK3ZyCllh4XSKbje/45SKucHgnwU5jefMtq66gKodQj+M
- iA21AfUVe7u99WzTLzY3qlxDhxYQQ20FQ97S+LKUTpQcq27R7AT3/V5hRQxScI
- Nqwcz4jYqZD2fQdgxbcDTClU0CRBdiieyLMNzXG3";
+ "." initial-key 257 3 3 "BNY4wrWM1nCfJ+CXd0rVXyYmobt7sEEfK3clRbGaTwS
+ JxrGkxJWoZu6I7PzJu/E9gx4UC1zGAHlXKdE4zYIpRh
+ aBKnvcC2U9mZhkdUpd1Vso/HAdjNe8LmMlnzY3zy2Xy
+ 4klWOADTPzSv9eamj8V18PHGjBLaVtYvk/ln5ZApjYg
+ hf+6fElrmLkdaz MQ2OCnACR817DF4BBa7UR/beDHyp
+ 5iWTXWSi6XmoJLbG9Scqc7l70KDqlvXR3M/lUUVRbke
+ g1IPJSidmK3ZyCllh4XSKbje/45SKucHgnwU5jefMtq
+ 66gKodQj+MiA21AfUVe7u99WzTLzY3qlxDhxYQQ20FQ
+ 97S+LKUTpQcq27R7AT3/V5hRQxScINqwcz4jYqZD2fQ
+ dgxbcDTClU0CRBdiieyLMNzXG3";
+};
-/* Key for our organization's forward zone */
-example.com. 257 3 5 "AwEAAaxPMcR2x0HbQV4WeZB6oEDX+r0QM65KbhTjrW1ZaARmPhEZZe
- 3Y9ifgEuq7vZ/zGZUdEGNWy+JZzus0lUptwgjGwhUS1558Hb4JKUbb
- OTcM8pwXlj0EiX3oDFVmjHO444gLkBO UKUf/mC7HvfwYH/Be22GnC
- lrinKJp1Og4ywzO9WglMk7jbfW33gUKvirTHr25GL7STQUzBb5Usxt
- 8lgnyTUHs1t3JwCY5hKZ6CqFxmAVZP20igTixin/1LcrgX/KMEGd/b
- iuvF4qJCyduieHukuY3H4XMAcR+xia2 nIUPvm/oyWR8BW/hWdzOvn
- SCThlHf3xiYleDbt/o1OTQ09A0=";
+trusted-keys {
+ /* Key for our organization's forward zone */
+ example.com. 257 3 5 "AwEAAaxPMcR2x0HbQV4WeZB6oEDX+r0QM6
+ 5KbhTjrW1ZaARmPhEZZe3Y9ifgEuq7vZ/z
+ GZUdEGNWy+JZzus0lUptwgjGwhUS1558Hb
+ 4JKUbbOTcM8pwXlj0EiX3oDFVmjHO444gL
+ kBOUKUf/mC7HvfwYH/Be22GnClrinKJp1O
+ g4ywzO9WglMk7jbfW33gUKvirTHr25GL7S
+ TQUzBb5Usxt8lgnyTUHs1t3JwCY5hKZ6Cq
+ FxmAVZP20igTixin/1LcrgX/KMEGd/biuv
+ F4qJCyduieHukuY3H4XMAcR+xia2nIUPvm
+ /oyWR8BW/hWdzOvnSCThlHf3xiYleDbt/o
+ 1OTQ09A0=";
-/* Key for our reverse zone. */
-2.0.192.IN-ADDRPA.NET. 257 3 5 "AQOnS4xn/IgOUpBPJ3bogzwcxOdNax071L18QqZnQQQA
- VVr+iLhGTnNGp3HoWQLUIzKrJVZ3zggy3WwNT6kZo6c0
- tszYqbtvchmgQC8CzKojM/W16i6MG/ea fGU3siaOdS0
- yOI6BgPsw+YZdzlYMaIJGf4M4dyoKIhzdZyQ2bYQrjyQ
- 4LB0lC7aOnsMyYKHHYeRv PxjIQXmdqgOJGq+vsevG06
- zW+1xgYJh9rCIfnm1GX/KMgxLPG2vXTD/RnLX+D3T3UL
- 7HJYHJhAZD5L59VvjSPsZJHeDCUyWYrvPZesZDIRvhDD
- 52SKvbheeTJUm6EhkzytNN2SN96QRk8j/iI8ib";
+ /* Key for our reverse zone. */
+ 2.0.192.IN-ADDRPA.NET. 257 3 5 "AQOnS4xn/IgOUpBPJ3bogzwc
+ xOdNax071L18QqZnQQQAVVr+i
+ LhGTnNGp3HoWQLUIzKrJVZ3zg
+ gy3WwNT6kZo6c0tszYqbtvchm
+ gQC8CzKojM/W16i6MG/eafGU3
+ siaOdS0yOI6BgPsw+YZdzlYMa
+ IJGf4M4dyoKIhzdZyQ2bYQrjy
+ Q4LB0lC7aOnsMyYKHHYeRvPxj
+ IQXmdqgOJGq+vsevG06zW+1xg
+ YJh9rCIfnm1GX/KMgxLPG2vXT
+ D/RnLX+D3T3UL7HJYHJhAZD5L
+ 59VvjSPsZJHeDCUyWYrvPZesZ
+ DIRvhDD52SKvbheeTJUm6Ehkz
+ ytNN2SN96QRk8j/iI8ib";
};
options {
@@ -981,7 +1062,751 @@ options {
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2572162"></a>IPv6 Support in <acronym class="acronym">BIND</acronym> 9</h2></div></div></div>
+<a name="dnssec.dynamic.zones"></a>DNSSEC, Dynamic Zones, and Automatic Signing</h2></div></div></div>
+<p>As of BIND 9.7.0 it is possible to change a dynamic zone
+ from insecure to signed and back again. A secure zone can use
+ either NSEC or NSEC3 chains.</p>
+<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
+<a name="id2571475"></a>Converting from insecure to secure</h3></div></div></div></div>
+<p>Changing a zone from insecure to secure can be done in two
+ ways: using a dynamic DNS update, or the
+ <span><strong class="command">auto-dnssec</strong></span> zone option.</p>
+<p>For either method, you need to configure
+ <span><strong class="command">named</strong></span> so that it can see the
+ <code class="filename">K*</code> files which contain the public and private
+ parts of the keys that will be used to sign the zone. These files
+ will have been generated by
+ <span><strong class="command">dnssec-keygen</strong></span>. You can do this by placing them
+ in the key-directory, as specified in
+ <code class="filename">named.conf</code>:</p>
+<pre class="programlisting">
+ zone example.net {
+ type master;
+ update-policy local;
+ file "dynamic/example.net/example.net";
+ key-directory "dynamic/example.net";
+ };
+</pre>
+<p>If one KSK and one ZSK DNSKEY key have been generated, this
+ configuration will cause all records in the zone to be signed
+ with the ZSK, and the DNSKEY RRset to be signed with the KSK as
+ well. An NSEC chain will be generated as part of the initial
+ signing process.</p>
+<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
+<a name="id2571512"></a>Dynamic DNS update method</h3></div></div></div></div>
+<p>To insert the keys via dynamic update:</p>
+<pre class="screen">
+ % nsupdate
+ &gt; ttl 3600
+ &gt; update add example.net DNSKEY 256 3 7 AwEAAZn17pUF0KpbPA2c7Gz76Vb18v0teKT3EyAGfBfL8eQ8al35zz3Y I1m/SAQBxIqMfLtIwqWPdgthsu36azGQAX8=
+ &gt; update add example.net DNSKEY 257 3 7 AwEAAd/7odU/64o2LGsifbLtQmtO8dFDtTAZXSX2+X3e/UNlq9IHq3Y0 XtC0Iuawl/qkaKVxXe2lo8Ct+dM6UehyCqk=
+ &gt; send
+</pre>
+<p>While the update request will complete almost immediately,
+ the zone will not be completely signed until
+ <span><strong class="command">named</strong></span> has had time to walk the zone and
+ generate the NSEC and RRSIG records. The NSEC record at the apex
+ will be added last, to signal that there is a complete NSEC
+ chain.</p>
+<p>If you wish to sign using NSEC3 instead of NSEC, you should
+ add an NSEC3PARAM record to the initial update request. If you
+ wish the NSEC3 chain to have the OPTOUT bit set, set it in the
+ flags field of the NSEC3PARAM record.</p>
+<pre class="screen">
+ % nsupdate
+ &gt; ttl 3600
+ &gt; update add example.net DNSKEY 256 3 7 AwEAAZn17pUF0KpbPA2c7Gz76Vb18v0teKT3EyAGfBfL8eQ8al35zz3Y I1m/SAQBxIqMfLtIwqWPdgthsu36azGQAX8=
+ &gt; update add example.net DNSKEY 257 3 7 AwEAAd/7odU/64o2LGsifbLtQmtO8dFDtTAZXSX2+X3e/UNlq9IHq3Y0 XtC0Iuawl/qkaKVxXe2lo8Ct+dM6UehyCqk=
+ &gt; update add example.net NSEC3PARAM 1 1 100 1234567890
+ &gt; send
+</pre>
+<p>Again, this update request will complete almost
+ immediately; however, the record won't show up until
+ <span><strong class="command">named</strong></span> has had a chance to build/remove the
+ relevant chain. A private type record will be created to record
+ the state of the operation (see below for more details), and will
+ be removed once the operation completes.</p>
+<p>While the initial signing and NSEC/NSEC3 chain generation
+ is happening, other updates are possible as well.</p>
+<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
+<a name="id2563493"></a>Fully automatic zone signing</h3></div></div></div></div>
+<p>To enable automatic signing, add the
+ <span><strong class="command">auto-dnssec</strong></span> option to the zone statement in
+ <code class="filename">named.conf</code>.
+ <span><strong class="command">auto-dnssec</strong></span> has two possible arguments:
+ <code class="constant">allow</code> or
+ <code class="constant">maintain</code>.</p>
+<p>With
+ <span><strong class="command">auto-dnssec allow</strong></span>,
+ <span><strong class="command">named</strong></span> can search the key directory for keys
+ matching the zone, insert them into the zone, and use them to
+ sign the zone. It will do so only when it receives an
+ <span><strong class="command">rndc sign &lt;zonename&gt;</strong></span> or
+ <span><strong class="command">rndc loadkeys &lt;zonename&gt;</strong></span> command.</p>
+<p>
+
+ <span><strong class="command">auto-dnssec maintain</strong></span> includes the above
+ functionality, but will also automatically adjust the zone's
+ DNSKEY records on schedule according to the keys' timing metadata.
+ (See <a href="man.dnssec-keygen.html" title="dnssec-keygen"><span class="refentrytitle"><span class="application">dnssec-keygen</span></span>(8)</a> and
+ <a href="man.dnssec-settime.html" title="dnssec-settime"><span class="refentrytitle"><span class="application">dnssec-settime</span></span>(8)</a> for more information.)
+ If keys are present in the key directory the first time the zone
+ is loaded, it will be signed immediately, without waiting for an
+ <span><strong class="command">rndc sign</strong></span> or <span><strong class="command">rndc loadkeys</strong></span>
+ command. (Those commands can still be used when there are unscheduled
+ key changes, however.)
+ </p>
+<p>Using the
+ <span><strong class="command">auto-dnssec</strong></span> option requires the zone to be
+ configured to allow dynamic updates, by adding an
+ <span><strong class="command">allow-update</strong></span> or
+ <span><strong class="command">update-policy</strong></span> statement to the zone
+ configuration. If this has not been done, the configuration will
+ fail.</p>
+<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
+<a name="id2563575"></a>Private-type records</h3></div></div></div></div>
+<p>The state of the signing process is signaled by
+ private-type records (with a default type value of 65534). When
+ signing is complete, these records will have a nonzero value for
+ the final octet (for those records which have a nonzero initial
+ octet).</p>
+<p>The private type record format: If the first octet is
+ non-zero then the record indicates that the zone needs to be
+ signed with the key matching the record, or that all signatures
+ that match the record should be removed.</p>
+<p>
+ </p>
+<div class="literallayout"><p><br>
+<br>
+  algorithm (octet 1)<br>
+  key id in network order (octet 2 and 3)<br>
+  removal flag (octet 4)<br>
+  complete flag (octet 5)<br>
+</p></div>
+<p>
+ </p>
+<p>Only records flagged as "complete" can be removed via
+ dynamic update. Attempts to remove other private type records
+ will be silently ignored.</p>
+<p>If the first octet is zero (this is a reserved algorithm
+ number that should never appear in a DNSKEY record) then the
+ record indicates changes to the NSEC3 chains are in progress. The
+ rest of the record contains an NSEC3PARAM record. The flag field
+ tells what operation to perform based on the flag bits.</p>
+<p>
+ </p>
+<div class="literallayout"><p><br>
+<br>
+  0x01 OPTOUT<br>
+  0x80 CREATE<br>
+  0x40 REMOVE<br>
+  0x20 NONSEC<br>
+</p></div>
+<p>
+ </p>
+<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
+<a name="id2563612"></a>DNSKEY rollovers</h3></div></div></div></div>
+<p>As with insecure-to-secure conversions, rolling DNSSEC
+ keys can be done in two ways: using a dynamic DNS update, or the
+ <span><strong class="command">auto-dnssec</strong></span> zone option.</p>
+<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
+<a name="id2563762"></a>Dynamic DNS update method</h3></div></div></div></div>
+<p> To perform key rollovers via dynamic update, you need to add
+ the <code class="filename">K*</code> files for the new keys so that
+ <span><strong class="command">named</strong></span> can find them. You can then add the new
+ DNSKEY RRs via dynamic update.
+ <span><strong class="command">named</strong></span> will then cause the zone to be signed
+ with the new keys. When the signing is complete the private type
+ records will be updated so that the last octet is non
+ zero.</p>
+<p>If this is for a KSK you need to inform the parent and any
+ trust anchor repositories of the new KSK.</p>
+<p>You should then wait for the maximum TTL in the zone before
+ removing the old DNSKEY. If it is a KSK that is being updated,
+ you also need to wait for the DS RRset in the parent to be
+ updated and its TTL to expire. This ensures that all clients will
+ be able to verify at least one signature when you remove the old
+ DNSKEY.</p>
+<p>The old DNSKEY can be removed via UPDATE. Take care to
+ specify the correct key.
+ <span><strong class="command">named</strong></span> will clean out any signatures generated
+ by the old key after the update completes.</p>
+<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
+<a name="id2563795"></a>Automatic key rollovers</h3></div></div></div></div>
+<p>When a new key reaches its activation date (as set by
+ <span><strong class="command">dnssec-keygen</strong></span> or <span><strong class="command">dnssec-settime</strong></span>),
+ if the <span><strong class="command">auto-dnssec</strong></span> zone option is set to
+ <code class="constant">maintain</code>, <span><strong class="command">named</strong></span> will
+ automatically carry out the key rollover. If the key's algorithm
+ has not previously been used to sign the zone, then the zone will
+ be fully signed as quickly as possible. However, if the new key
+ is replacing an existing key of the same algorithm, then the
+ zone will be re-signed incrementally, with signatures from the
+ old key being replaced with signatures from the new key as their
+ signature validity periods expire. By default, this rollover
+ completes in 30 days, after which it will be safe to remove the
+ old key from the DNSKEY RRset.</p>
+<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
+<a name="id2563821"></a>NSEC3PARAM rollovers via UPDATE</h3></div></div></div></div>
+<p>Add the new NSEC3PARAM record via dynamic update. When the
+ new NSEC3 chain has been generated, the NSEC3PARAM flag field
+ will be zero. At this point you can remove the old NSEC3PARAM
+ record. The old chain will be removed after the update request
+ completes.</p>
+<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
+<a name="id2563899"></a>Converting from NSEC to NSEC3</h3></div></div></div></div>
+<p>To do this, you just need to add an NSEC3PARAM record. When
+ the conversion is complete, the NSEC chain will have been removed
+ and the NSEC3PARAM record will have a zero flag field. The NSEC3
+ chain will be generated before the NSEC chain is
+ destroyed.</p>
+<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
+<a name="id2563909"></a>Converting from NSEC3 to NSEC</h3></div></div></div></div>
+<p>To do this, use <span><strong class="command">nsupdate</strong></span> to
+ remove all NSEC3PARAM records with a zero flag
+ field. The NSEC chain will be generated before the NSEC3 chain is
+ removed.</p>
+<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
+<a name="id2563922"></a>Converting from secure to insecure</h3></div></div></div></div>
+<p>To convert a signed zone to unsigned using dynamic DNS,
+ delete all the DNSKEY records from the zone apex using
+ <span><strong class="command">nsupdate</strong></span>. All signatures, NSEC or NSEC3 chains,
+ and associated NSEC3PARAM records will be removed automatically.
+ This will take place after the update request completes.</p>
+<p> This requires the
+ <span><strong class="command">dnssec-secure-to-insecure</strong></span> option to be set to
+ <strong class="userinput"><code>yes</code></strong> in
+ <code class="filename">named.conf</code>.</p>
+<p>In addition, if the <span><strong class="command">auto-dnssec maintain</strong></span>
+ zone statement is used, it should be removed or changed to
+ <span><strong class="command">allow</strong></span> instead (or it will re-sign).
+ </p>
+<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
+<a name="id2571605"></a>Periodic re-signing</h3></div></div></div></div>
+<p>In any secure zone which supports dynamic updates, named
+ will periodically re-sign RRsets which have not been re-signed as
+ a result of some update action. The signature lifetimes will be
+ adjusted so as to spread the re-sign load over time rather than
+ all at once.</p>
+<div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title">
+<a name="id2571614"></a>NSEC3 and OPTOUT</h3></div></div></div></div>
+<p>
+ <span><strong class="command">named</strong></span> only supports creating new NSEC3 chains
+ where all the NSEC3 records in the zone have the same OPTOUT
+ state.
+ <span><strong class="command">named</strong></span> supports UPDATES to zones where the NSEC3
+ records in the chain have mixed OPTOUT state.
+ <span><strong class="command">named</strong></span> does not support changing the OPTOUT
+ state of an individual NSEC3 record, the entire chain needs to be
+ changed if the OPTOUT state of an individual NSEC3 needs to be
+ changed.</p>
+</div>
+<div class="sect1" lang="en">
+<div class="titlepage"><div><div><h2 class="title" style="clear: both">
+<a name="rfc5011.support"></a>Dynamic Trust Anchor Management</h2></div></div></div>
+<p>BIND 9.7.0 introduces support for RFC 5011, dynamic trust
+ anchor management. Using this feature allows
+ <span><strong class="command">named</strong></span> to keep track of changes to critical
+ DNSSEC keys without any need for the operator to make changes to
+ configuration files.</p>
+<div class="sect2" lang="en">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="id2607510"></a>Validating Resolver</h3></div></div></div>
+<p>To configure a validating resolver to use RFC 5011 to
+ maintain a trust anchor, configure the trust anchor using a
+ <span><strong class="command">managed-keys</strong></span> statement. Information about
+ this can be found in
+ <a href="Bv9ARM.ch06.html#managed-keys" title="managed-keys Statement Definition
+ and Usage">the section called &#8220;<span><strong class="command">managed-keys</strong></span> Statement Definition
+ and Usage&#8221;</a>.</p>
+</div>
+<div class="sect2" lang="en">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="id2571692"></a>Authoritative Server</h3></div></div></div>
+<p>To set up an authoritative zone for RFC 5011 trust anchor
+ maintenance, generate two (or more) key signing keys (KSKs) for
+ the zone. Sign the zone with one of them; this is the "active"
+ KSK. All KSK's which do not sign the zone are "stand-by"
+ keys.</p>
+<p>Any validating resolver which is configured to use the
+ active KSK as an RFC 5011-managed trust anchor will take note
+ of the stand-by KSKs in the zone's DNSKEY RRset, and store them
+ for future reference. The resolver will recheck the zone
+ periodically, and after 30 days, if the new key is still there,
+ then the key will be accepted by the resolver as a valid trust
+ anchor for the zone. Any time after this 30-day acceptance
+ timer has completed, the active KSK can be revoked, and the
+ zone can be "rolled over" to the newly accepted key.</p>
+<p>The easiest way to place a stand-by key in a zone is to
+ use the "smart signing" features of
+ <span><strong class="command">dnssec-keygen</strong></span> and
+ <span><strong class="command">dnssec-signzone</strong></span>. If a key with a publication
+ date in the past, but an activation date which is unset or in
+ the future, "
+ <span><strong class="command">dnssec-signzone -S</strong></span>" will include the DNSKEY
+ record in the zone, but will not sign with it:</p>
+<pre class="screen">
+$ <strong class="userinput"><code>dnssec-keygen -K keys -f KSK -P now -A now+2y example.net</code></strong>
+$ <strong class="userinput"><code>dnssec-signzone -S -K keys example.net</code></strong>
+</pre>
+<p>To revoke a key, the new command
+ <span><strong class="command">dnssec-revoke</strong></span> has been added. This adds the
+ REVOKED bit to the key flags and re-generates the
+ <code class="filename">K*.key</code> and
+ <code class="filename">K*.private</code> files.</p>
+<p>After revoking the active key, the zone must be signed
+ with both the revoked KSK and the new active KSK. (Smart
+ signing takes care of this automatically.)</p>
+<p>Once a key has been revoked and used to sign the DNSKEY
+ RRset in which it appears, that key will never again be
+ accepted as a valid trust anchor by the resolver. However,
+ validation can proceed using the new active key (which had been
+ accepted by the resolver when it was a stand-by key).</p>
+<p>See RFC 5011 for more details on key rollover
+ scenarios.</p>
+<p>When a key has been revoked, its key ID changes,
+ increasing by 128, and wrapping around at 65535. So, for
+ example, the key "<code class="filename">Kexample.com.+005+10000</code>" becomes
+ "<code class="filename">Kexample.com.+005+10128</code>".</p>
+<p>If two keys have ID's exactly 128 apart, and one is
+ revoked, then the two key ID's will collide, causing several
+ problems. To prevent this,
+ <span><strong class="command">dnssec-keygen</strong></span> will not generate a new key if
+ another key is present which may collide. This checking will
+ only occur if the new keys are written to the same directory
+ which holds all other keys in use for that zone.</p>
+<p>Older versions of BIND 9 did not have this precaution.
+ Exercise caution if using key revocation on keys that were
+ generated by previous releases, or if using keys stored in
+ multiple directories or on multiple machines.</p>
+<p>It is expected that a future release of BIND 9 will
+ address this problem in a different way, by storing revoked
+ keys with their original unrevoked key ID's.</p>
+</div>
+</div>
+<div class="sect1" lang="en">
+<div class="titlepage"><div><div><h2 class="title" style="clear: both">
+<a name="pkcs11"></a>PKCS #11 (Cryptoki) support</h2></div></div></div>
+<p>PKCS #11 (Public Key Cryptography Standard #11) defines a
+ platform- independent API for the control of hardware security
+ modules (HSMs) and other cryptographic support devices.</p>
+<p>BIND 9 is known to work with two HSMs: The Sun SCA 6000
+ cryptographic acceleration board, tested under Solaris x86, and
+ the AEP Keyper network-attached key storage device, tested with
+ Debian Linux, Solaris x86 and Windows Server 2003.</p>
+<div class="sect2" lang="en">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="id2610637"></a>Prerequisites</h3></div></div></div>
+<p>See the HSM vendor documentation for information about
+ installing, initializing, testing and troubleshooting the
+ HSM.</p>
+<p>BIND 9 uses OpenSSL for cryptography, but stock OpenSSL
+ does not yet fully support PKCS #11. However, a PKCS #11 engine
+ for OpenSSL is available from the OpenSolaris project. It has
+ been modified by ISC to work with with BIND 9, and to provide
+ new features such as PIN management and key by
+ reference.</p>
+<p>The patched OpenSSL depends on a "PKCS #11 provider".
+ This is a shared library object, providing a low-level PKCS #11
+ interface to the HSM hardware. It is dynamically loaded by
+ OpenSSL at runtime. The PKCS #11 provider comes from the HSM
+ vendor, and and is specific to the HSM to be controlled.</p>
+<p>There are two "flavors" of PKCS #11 support provided by
+ the patched OpenSSL, one of which must be chosen at
+ configuration time. The correct choice depends on the HSM
+ hardware:</p>
+<div class="itemizedlist"><ul type="disc">
+<li><p>Use 'crypto-accelerator' with HSMs that have hardware
+ cryptographic acceleration features, such as the SCA 6000
+ board. This causes OpenSSL to run all supported
+ cryptographic operations in the HSM.</p></li>
+<li><p>Use 'sign-only' with HSMs that are designed to
+ function primarily as secure key storage devices, but lack
+ hardware acceleration. These devices are highly secure, but
+ are not necessarily any faster at cryptography than the
+ system CPU &#8212; often, they are slower. It is therefore
+ most efficient to use them only for those cryptographic
+ functions that require access to the secured private key,
+ such as zone signing, and to use the system CPU for all
+ other computationally-intensive operations. The AEP Keyper
+ is an example of such a device.</p></li>
+</ul></div>
+<p>The modified OpenSSL code is included in the BIND 9 release,
+ in the form of a context diff against the latest verions of
+ OpenSSL. OpenSSL 0.9.8 and 1.0.0 are both supported; there are
+ separate diffs for each version. In the examples to follow,
+ we use OpenSSL 0.9.8, but the same methods work with OpenSSL 1.0.0.
+ </p>
+<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
+<h3 class="title">Note</h3>
+ The latest OpenSSL versions at the time of the BIND release
+ are 0.9.8s and 1.0.0f.
+ ISC will provide an updated patch as new versions of OpenSSL
+ are released. The version number in the following examples
+ is expected to change.</div>
+<p>
+ Before building BIND 9 with PKCS #11 support, it will be
+ necessary to build OpenSSL with this patch in place and inform
+ it of the path to the HSM-specific PKCS #11 provider
+ library.</p>
+<p>Obtain OpenSSL 0.9.8s:</p>
+<pre class="screen">
+$ <strong class="userinput"><code>wget <a href="" target="_top">http://www.openssl.org/source/openssl-0.9.8s.tar.gz</a></code></strong>
+</pre>
+<p>Extract the tarball:</p>
+<pre class="screen">
+$ <strong class="userinput"><code>tar zxf openssl-0.9.8s.tar.gz</code></strong>
+</pre>
+<p>Apply the patch from the BIND 9 release:</p>
+<pre class="screen">
+$ <strong class="userinput"><code>patch -p1 -d openssl-0.9.8s \
+ &lt; bind9/bin/pkcs11/openssl-0.9.8s-patch</code></strong>
+</pre>
+<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
+<h3 class="title">Note</h3>(Note that the patch file may not be compatible with the
+ "patch" utility on all operating systems. You may need to
+ install GNU patch.)</div>
+<p>When building OpenSSL, place it in a non-standard
+ location so that it does not interfere with OpenSSL libraries
+ elsewhere on the system. In the following examples, we choose
+ to install into "/opt/pkcs11/usr". We will use this location
+ when we configure BIND 9.</p>
+<div class="sect3" lang="en">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="id2608071"></a>Building OpenSSL for the AEP Keyper on Linux</h4></div></div></div>
+<p>The AEP Keyper is a highly secure key storage device,
+ but does not provide hardware cryptographic acceleration. It
+ can carry out cryptographic operations, but it is probably
+ slower than your system's CPU. Therefore, we choose the
+ 'sign-only' flavor when building OpenSSL.</p>
+<p>The Keyper-specific PKCS #11 provider library is
+ delivered with the Keyper software. In this example, we place
+ it /opt/pkcs11/usr/lib:</p>
+<pre class="screen">
+$ <strong class="userinput"><code>cp pkcs11.GCC4.0.2.so.4.05 /opt/pkcs11/usr/lib/libpkcs11.so</code></strong>
+</pre>
+<p>This library is only available for Linux as a 32-bit
+ binary. If we are compiling on a 64-bit Linux system, it is
+ necessary to force a 32-bit build, by specifying -m32 in the
+ build options.</p>
+<p>Finally, the Keyper library requires threads, so we
+ must specify -pthread.</p>
+<pre class="screen">
+$ <strong class="userinput"><code>cd openssl-0.9.8s</code></strong>
+$ <strong class="userinput"><code>./Configure linux-generic32 -m32 -pthread \
+ --pk11-libname=/opt/pkcs11/usr/lib/libpkcs11.so \
+ --pk11-flavor=sign-only \
+ --prefix=/opt/pkcs11/usr</code></strong>
+</pre>
+<p>After configuring, run "<span><strong class="command">make</strong></span>"
+ and "<span><strong class="command">make test</strong></span>". If "<span><strong class="command">make
+ test</strong></span>" fails with "pthread_atfork() not found", you forgot to
+ add the -pthread above.</p>
+</div>
+<div class="sect3" lang="en">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="id2608140"></a>Building OpenSSL for the SCA 6000 on Solaris</h4></div></div></div>
+<p>The SCA-6000 PKCS #11 provider is installed as a system
+ library, libpkcs11. It is a true crypto accelerator, up to 4
+ times faster than any CPU, so the flavor shall be
+ 'crypto-accelerator'.</p>
+<p>In this example, we are building on Solaris x86 on an
+ AMD64 system.</p>
+<pre class="screen">
+$ <strong class="userinput"><code>cd openssl-0.9.8s</code></strong>
+$ <strong class="userinput"><code>./Configure solaris64-x86_64-cc \
+ --pk11-libname=/usr/lib/64/libpkcs11.so \
+ --pk11-flavor=crypto-accelerator \
+ --prefix=/opt/pkcs11/usr</code></strong>
+</pre>
+<p>(For a 32-bit build, use "solaris-x86-cc" and
+ /usr/lib/libpkcs11.so.)</p>
+<p>After configuring, run
+ <span><strong class="command">make</strong></span> and
+ <span><strong class="command">make test</strong></span>.</p>
+</div>
+<div class="sect3" lang="en">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="id2608189"></a>Building OpenSSL for SoftHSM</h4></div></div></div>
+<p>SoftHSM is a software library provided by the OpenDNSSEC
+ project (http://www.opendnssec.org) which provides a PKCS#11
+ interface to a virtual HSM, implemented in the form of encrypted
+ data on the local filesystem. It uses the Botan library for
+ encryption and SQLite3 for data storage. Though less secure
+ than a true HSM, it can provide more secure key storage than
+ traditional key files, and can allow you to experiment with
+ PKCS#11 when an HSM is not available.</p>
+<p>The SoftHSM cryptographic store must be installed and
+ initialized before using it with OpenSSL, and the SOFTHSM_CONF
+ environment variable must always point to the SoftHSM configuration
+ file:</p>
+<pre class="screen">
+$ <strong class="userinput"><code> cd softhsm-1.3.0 </code></strong>
+$ <strong class="userinput"><code> configure --prefix=/opt/pkcs11/usr </code></strong>
+$ <strong class="userinput"><code> make </code></strong>
+$ <strong class="userinput"><code> make install </code></strong>
+$ <strong class="userinput"><code> export SOFTHSM_CONF=/opt/pkcs11/softhsm.conf </code></strong>
+$ <strong class="userinput"><code> echo "0:/opt/pkcs11/softhsm.db" &gt; $SOFTHSM_CONF </code></strong>
+$ <strong class="userinput"><code> /opt/pkcs11/usr/bin/softhsm --init-token 0 --slot 0 --label softhsm </code></strong>
+</pre>
+<p>SoftHSM can perform all cryptographic operations, but
+ since it only uses your system CPU, there is no need to use it
+ for anything but signing. Therefore, we choose the 'sign-only'
+ flavor when building OpenSSL.</p>
+<pre class="screen">
+$ <strong class="userinput"><code>cd openssl-0.9.8s</code></strong>
+$ <strong class="userinput"><code>./Configure linux-x86_64 -pthread \
+ --pk11-libname=/opt/pkcs11/usr/lib/libpkcs11.so \
+ --pk11-flavor=sign-only \
+ --prefix=/opt/pkcs11/usr</code></strong>
+</pre>
+<p>After configuring, run "<span><strong class="command">make</strong></span>"
+ and "<span><strong class="command">make test</strong></span>".</p>
+</div>
+<p>Once you have built OpenSSL, run
+ "<span><strong class="command">apps/openssl engine pkcs11</strong></span>" to confirm
+ that PKCS #11 support was compiled in correctly. The output
+ should be one of the following lines, depending on the flavor
+ selected:</p>
+<pre class="screen">
+ (pkcs11) PKCS #11 engine support (sign only)
+</pre>
+<p>Or:</p>
+<pre class="screen">
+ (pkcs11) PKCS #11 engine support (crypto accelerator)
+</pre>
+<p>Next, run
+ "<span><strong class="command">apps/openssl engine pkcs11 -t</strong></span>". This will
+ attempt to initialize the PKCS #11 engine. If it is able to
+ do so successfully, it will report
+ &#8220;<span class="quote"><code class="literal">[ available ]</code></span>&#8221;.</p>
+<p>If the output is correct, run
+ "<span><strong class="command">make install</strong></span>" which will install the
+ modified OpenSSL suite to
+ <code class="filename">/opt/pkcs11/usr</code>.</p>
+</div>
+<div class="sect2" lang="en">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="id2608477"></a>Building BIND 9 with PKCS#11</h3></div></div></div>
+<p>When building BIND 9, the location of the custom-built
+ OpenSSL library must be specified via configure.</p>
+<div class="sect3" lang="en">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="id2608486"></a>Configuring BIND 9 for Linux with the AEP Keyper</h4></div></div></div>
+<p>To link with the PKCS #11 provider, threads must be
+ enabled in the BIND 9 build.</p>
+<p>The PKCS #11 library for the AEP Keyper is currently
+ only available as a 32-bit binary. If we are building on a
+ 64-bit host, we must force a 32-bit build by adding "-m32" to
+ the CC options on the "configure" command line.</p>
+<pre class="screen">
+$ <strong class="userinput"><code>cd ../bind9</code></strong>
+$ <strong class="userinput"><code>./configure CC="gcc -m32" --enable-threads \
+ --with-openssl=/opt/pkcs11/usr \
+ --with-pkcs11=/opt/pkcs11/usr/lib/libpkcs11.so</code></strong>
+</pre>
+</div>
+<div class="sect3" lang="en">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="id2608518"></a>Configuring BIND 9 for Solaris with the SCA 6000</h4></div></div></div>
+<p>To link with the PKCS #11 provider, threads must be
+ enabled in the BIND 9 build.</p>
+<pre class="screen">
+$ <strong class="userinput"><code>cd ../bind9</code></strong>
+$ <strong class="userinput"><code>./configure CC="cc -xarch=amd64" --enable-threads \
+ --with-openssl=/opt/pkcs11/usr \
+ --with-pkcs11=/usr/lib/64/libpkcs11.so</code></strong>
+</pre>
+<p>(For a 32-bit build, omit CC="cc -xarch=amd64".)</p>
+<p>If configure complains about OpenSSL not working, you
+ may have a 32/64-bit architecture mismatch. Or, you may have
+ incorrectly specified the path to OpenSSL (it should be the
+ same as the --prefix argument to the OpenSSL
+ Configure).</p>
+</div>
+<div class="sect3" lang="en">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="id2608554"></a>Configuring BIND 9 for SoftHSM</h4></div></div></div>
+<pre class="screen">
+$ <strong class="userinput"><code>cd ../bind9</code></strong>
+$ <strong class="userinput"><code>./configure --enable-threads \
+ --with-openssl=/opt/pkcs11/usr \
+ --with-pkcs11=/opt/pkcs11/usr/lib/libpkcs11.so</code></strong>
+</pre>
+</div>
+<p>After configuring, run
+ "<span><strong class="command">make</strong></span>",
+ "<span><strong class="command">make test</strong></span>" and
+ "<span><strong class="command">make install</strong></span>".</p>
+<p>(Note: If "make test" fails in the "pkcs11" system test, you may
+ have forgotten to set the SOFTHSM_CONF environment variable.)</p>
+</div>
+<div class="sect2" lang="en">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="id2608602"></a>PKCS #11 Tools</h3></div></div></div>
+<p>BIND 9 includes a minimal set of tools to operate the
+ HSM, including
+ <span><strong class="command">pkcs11-keygen</strong></span> to generate a new key pair
+ within the HSM,
+ <span><strong class="command">pkcs11-list</strong></span> to list objects currently
+ available, and
+ <span><strong class="command">pkcs11-destroy</strong></span> to remove objects.</p>
+<p>In UNIX/Linux builds, these tools are built only if BIND
+ 9 is configured with the --with-pkcs11 option. (NOTE: If
+ --with-pkcs11 is set to "yes", rather than to the path of the
+ PKCS #11 provider, then the tools will be built but the
+ provider will be left undefined. Use the -m option or the
+ PKCS11_PROVIDER environment variable to specify the path to the
+ provider.)</p>
+</div>
+<div class="sect2" lang="en">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="id2634916"></a>Using the HSM</h3></div></div></div>
+<p>First, we must set up the runtime environment so the
+ OpenSSL and PKCS #11 libraries can be loaded:</p>
+<pre class="screen">
+$ <strong class="userinput"><code>export LD_LIBRARY_PATH=/opt/pkcs11/usr/lib:${LD_LIBRARY_PATH}</code></strong>
+</pre>
+<p>When operating an AEP Keyper, it is also necessary to
+ specify the location of the "machine" file, which stores
+ information about the Keyper for use by PKCS #11 provider
+ library. If the machine file is in
+ <code class="filename">/opt/Keyper/PKCS11Provider/machine</code>,
+ use:</p>
+<pre class="screen">
+$ <strong class="userinput"><code>export KEYPER_LIBRARY_PATH=/opt/Keyper/PKCS11Provider</code></strong>
+</pre>
+<p>These environment variables must be set whenever running
+ any tool that uses the HSM, including
+ <span><strong class="command">pkcs11-keygen</strong></span>,
+ <span><strong class="command">pkcs11-list</strong></span>,
+ <span><strong class="command">pkcs11-destroy</strong></span>,
+ <span><strong class="command">dnssec-keyfromlabel</strong></span>,
+ <span><strong class="command">dnssec-signzone</strong></span>,
+ <span><strong class="command">dnssec-keygen</strong></span>(which will use the HSM for
+ random number generation), and
+ <span><strong class="command">named</strong></span>.</p>
+<p>We can now create and use keys in the HSM. In this case,
+ we will create a 2048 bit key and give it the label
+ "sample-ksk":</p>
+<pre class="screen">
+$ <strong class="userinput"><code>pkcs11-keygen -b 2048 -l sample-ksk</code></strong>
+</pre>
+<p>To confirm that the key exists:</p>
+<pre class="screen">
+$ <strong class="userinput"><code>pkcs11-list</code></strong>
+Enter PIN:
+object[0]: handle 2147483658 class 3 label[8] 'sample-ksk' id[0]
+object[1]: handle 2147483657 class 2 label[8] 'sample-ksk' id[0]
+</pre>
+<p>Before using this key to sign a zone, we must create a
+ pair of BIND 9 key files. The "dnssec-keyfromlabel" utility
+ does this. In this case, we will be using the HSM key
+ "sample-ksk" as the key-signing key for "example.net":</p>
+<pre class="screen">
+$ <strong class="userinput"><code>dnssec-keyfromlabel -l sample-ksk -f KSK example.net</code></strong>
+</pre>
+<p>The resulting K*.key and K*.private files can now be used
+ to sign the zone. Unlike normal K* files, which contain both
+ public and private key data, these files will contain only the
+ public key data, plus an identifier for the private key which
+ remains stored within the HSM. The HSM handles signing with the
+ private key.</p>
+<p>If you wish to generate a second key in the HSM for use
+ as a zone-signing key, follow the same procedure above, using a
+ different keylabel, a smaller key size, and omitting "-f KSK"
+ from the dnssec-keyfromlabel arguments:</p>
+<pre class="screen">
+$ <strong class="userinput"><code>pkcs11-keygen -b 1024 -l sample-zsk</code></strong>
+$ <strong class="userinput"><code>dnssec-keyfromlabel -l sample-zsk example.net</code></strong>
+</pre>
+<p>Alternatively, you may prefer to generate a conventional
+ on-disk key, using dnssec-keygen:</p>
+<pre class="screen">
+$ <strong class="userinput"><code>dnssec-keygen example.net</code></strong>
+</pre>
+<p>This provides less security than an HSM key, but since
+ HSMs can be slow or cumbersome to use for security reasons, it
+ may be more efficient to reserve HSM keys for use in the less
+ frequent key-signing operation. The zone-signing key can be
+ rolled more frequently, if you wish, to compensate for a
+ reduction in key security.</p>
+<p>Now you can sign the zone. (Note: If not using the -S
+ option to
+ <span><strong class="command">dnssec-signzone</strong></span>, it will be necessary to add
+ the contents of both
+ <code class="filename">K*.key</code> files to the zone master file before
+ signing it.)</p>
+<pre class="screen">
+$ <strong class="userinput"><code>dnssec-signzone -S example.net</code></strong>
+Enter PIN:
+Verifying the zone using the following algorithms:
+NSEC3RSASHA1.
+Zone signing complete:
+Algorithm: NSEC3RSASHA1: ZSKs: 1, KSKs: 1 active, 0 revoked, 0 stand-by
+example.net.signed
+</pre>
+</div>
+<div class="sect2" lang="en">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="id2635114"></a>Specifying the engine on the command line</h3></div></div></div>
+<p>The OpenSSL engine can be specified in
+ <span><strong class="command">named</strong></span> and all of the BIND
+ <span><strong class="command">dnssec-*</strong></span> tools by using the "-E
+ &lt;engine&gt;" command line option. If BIND 9 is built with
+ the --with-pkcs11 option, this option defaults to "pkcs11".
+ Specifying the engine will generally not be necessary unless
+ for some reason you wish to use a different OpenSSL
+ engine.</p>
+<p>If you wish to disable use of the "pkcs11" engine &#8212;
+ for troubleshooting purposes, or because the HSM is unavailable
+ &#8212; set the engine to the empty string. For example:</p>
+<pre class="screen">
+$ <strong class="userinput"><code>dnssec-signzone -E '' -S example.net</code></strong>
+</pre>
+<p>This causes
+ <span><strong class="command">dnssec-signzone</strong></span> to run as if it were compiled
+ without the --with-pkcs11 option.</p>
+</div>
+<div class="sect2" lang="en">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="id2635160"></a>Running named with automatic zone re-signing</h3></div></div></div>
+<p>If you want
+ <span><strong class="command">named</strong></span> to dynamically re-sign zones using HSM
+ keys, and/or to to sign new records inserted via nsupdate, then
+ named must have access to the HSM PIN. This can be accomplished
+ by placing the PIN into the openssl.cnf file (in the above
+ examples,
+ <code class="filename">/opt/pkcs11/usr/ssl/openssl.cnf</code>).</p>
+<p>The location of the openssl.cnf file can be overridden by
+ setting the OPENSSL_CONF environment variable before running
+ named.</p>
+<p>Sample openssl.cnf:</p>
+<pre class="programlisting">
+ openssl_conf = openssl_def
+ [ openssl_def ]
+ engines = engine_section
+ [ engine_section ]
+ pkcs11 = pkcs11_section
+ [ pkcs11_section ]
+ PIN = <em class="replaceable"><code>&lt;PLACE PIN HERE&gt;</code></em>
+</pre>
+<p>This will also allow the dnssec-* tools to access the HSM
+ without PIN entry. (The pkcs11-* tools access the HSM directly,
+ not via OpenSSL, so a PIN will still be required to use
+ them.)</p>
+<div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;">
+<h3 class="title">Warning</h3>
+<p>Placing the HSM's PIN in a text file in
+ this manner may reduce the security advantage of using an
+ HSM. Be sure this is what you want to do before configuring
+ OpenSSL in this way.</p>
+</div>
+</div>
+</div>
+<div class="sect1" lang="en">
+<div class="titlepage"><div><div><h2 class="title" style="clear: both">
+<a name="id2572669"></a>IPv6 Support in <acronym class="acronym">BIND</acronym> 9</h2></div></div></div>
<p>
<acronym class="acronym">BIND</acronym> 9 fully supports all currently
defined forms of IPv6 name to address and address to name
@@ -1019,7 +1844,7 @@ options {
</p>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2572224"></a>Address Lookups Using AAAA Records</h3></div></div></div>
+<a name="id2572868"></a>Address Lookups Using AAAA Records</h3></div></div></div>
<p>
The IPv6 AAAA record is a parallel to the IPv4 A record,
and, unlike the deprecated A6 record, specifies the entire
@@ -1038,7 +1863,7 @@ host 3600 IN AAAA 2001:db8::1
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2572245"></a>Address to Name Lookups Using Nibble Format</h3></div></div></div>
+<a name="id2572889"></a>Address to Name Lookups Using Nibble Format</h3></div></div></div>
<p>
When looking up an address in nibble format, the address
components are simply reversed, just as in IPv4, and
@@ -1050,7 +1875,8 @@ host 3600 IN AAAA 2001:db8::1
</p>
<pre class="programlisting">
$ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
-1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 14400 IN PTR host.example.com.
+1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 14400 IN PTR (
+ host.example.com. )
</pre>
</div>
</div>
diff --git a/contrib/bind9/doc/arm/Bv9ARM.ch05.html b/contrib/bind9/doc/arm/Bv9ARM.ch05.html
index 3b9f4828f15d..0779c970ddce 100644
--- a/contrib/bind9/doc/arm/Bv9ARM.ch05.html
+++ b/contrib/bind9/doc/arm/Bv9ARM.ch05.html
@@ -45,13 +45,13 @@
<div class="toc">
<p><b>Table of Contents</b></p>
<dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch05.html#id2572278">The Lightweight Resolver Library</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch05.html#id2572922">The Lightweight Resolver Library</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch05.html#lwresd">Running a Resolver Daemon</a></span></dt>
</dl>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2572278"></a>The Lightweight Resolver Library</h2></div></div></div>
+<a name="id2572922"></a>The Lightweight Resolver Library</h2></div></div></div>
<p>
Traditionally applications have been linked with a stub resolver
library that sends recursive DNS queries to a local caching name
diff --git a/contrib/bind9/doc/arm/Bv9ARM.ch06.html b/contrib/bind9/doc/arm/Bv9ARM.ch06.html
index ba8f9e10d2ca..bda489d25f19 100644
--- a/contrib/bind9/doc/arm/Bv9ARM.ch06.html
+++ b/contrib/bind9/doc/arm/Bv9ARM.ch06.html
@@ -48,55 +48,58 @@
<dt><span class="sect1"><a href="Bv9ARM.ch06.html#configuration_file_elements">Configuration File Elements</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#address_match_lists">Address Match Lists</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2573725">Comment Syntax</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574332">Comment Syntax</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch06.html#Configuration_File_Grammar">Configuration File Grammar</a></span></dt>
<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574356"><span><strong class="command">acl</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574986"><span><strong class="command">acl</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#acl"><span><strong class="command">acl</strong></span> Statement Definition and
Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574614"><span><strong class="command">controls</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575176"><span><strong class="command">controls</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage"><span><strong class="command">controls</strong></span> Statement Definition and
Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574974"><span><strong class="command">include</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574992"><span><strong class="command">include</strong></span> Statement Definition and
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575467"><span><strong class="command">include</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575484"><span><strong class="command">include</strong></span> Statement Definition and
Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575015"><span><strong class="command">key</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575038"><span><strong class="command">key</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575129"><span><strong class="command">logging</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575255"><span><strong class="command">logging</strong></span> Statement Definition and
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575576"><span><strong class="command">key</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575600"><span><strong class="command">key</strong></span> Statement Definition and Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575758"><span><strong class="command">logging</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575884"><span><strong class="command">logging</strong></span> Statement Definition and
Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577316"><span><strong class="command">lwres</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577389"><span><strong class="command">lwres</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577453"><span><strong class="command">masters</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577565"><span><strong class="command">masters</strong></span> Statement Definition and
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577910"><span><strong class="command">lwres</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577984"><span><strong class="command">lwres</strong></span> Statement Definition and Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2578116"><span><strong class="command">masters</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2578160"><span><strong class="command">masters</strong></span> Statement Definition and
Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577580"><span><strong class="command">options</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2578174"><span><strong class="command">options</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#options"><span><strong class="command">options</strong></span> Statement Definition and
Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_grammar"><span><strong class="command">server</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_definition_and_usage"><span><strong class="command">server</strong></span> Statement Definition and
Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#statschannels"><span><strong class="command">statistics-channels</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2587027"><span><strong class="command">statistics-channels</strong></span> Statement Definition and
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2589534"><span><strong class="command">statistics-channels</strong></span> Statement Definition and
Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2587181"><span><strong class="command">trusted-keys</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2587233"><span><strong class="command">trusted-keys</strong></span> Statement Definition
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#trusted-keys"><span><strong class="command">trusted-keys</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2589742"><span><strong class="command">trusted-keys</strong></span> Statement Definition
+ and Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2589858"><span><strong class="command">managed-keys</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#managed-keys"><span><strong class="command">managed-keys</strong></span> Statement Definition
and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#view_statement_grammar"><span><strong class="command">view</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2587315"><span><strong class="command">view</strong></span> Statement Definition and Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2590352"><span><strong class="command">view</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#zone_statement_grammar"><span><strong class="command">zone</strong></span>
Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2588788"><span><strong class="command">zone</strong></span> Statement Definition and Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2591902"><span><strong class="command">zone</strong></span> Statement Definition and Usage</a></span></dt>
</dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch06.html#id2591403">Zone File</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch06.html#id2595170">Zone File</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#types_of_resource_records_and_when_to_use_them">Types of Resource Records and When to Use Them</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2593702">Discussion of MX Records</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2597537">Discussion of MX Records</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#Setting_TTLs">Setting TTLs</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2594249">Inverse Mapping in IPv4</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2594444">Other Zone File Directives</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2594786"><acronym class="acronym">BIND</acronym> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2598084">Inverse Mapping in IPv4</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2598211">Other Zone File Directives</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2598552"><acronym class="acronym">BIND</acronym> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#zonefile_format">Additional File Formats</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch06.html#statistics">BIND9 Statistics</a></span></dt>
@@ -193,6 +196,19 @@
<tr>
<td>
<p>
+ <code class="varname">namelist</code>
+ </p>
+ </td>
+<td>
+ <p>
+ A list of one or more <code class="varname">domain_name</code>
+ elements.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p>
<code class="varname">dotted_decimal</code>
</p>
</td>
@@ -461,7 +477,7 @@
<a name="address_match_lists"></a>Address Match Lists</h3></div></div></div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2573424"></a>Syntax</h4></div></div></div>
+<a name="id2574099"></a>Syntax</h4></div></div></div>
<pre class="programlisting"><code class="varname">address_match_list</code> = address_match_list_element ;
[<span class="optional"> address_match_list_element; ... </span>]
<code class="varname">address_match_list_element</code> = [<span class="optional"> ! </span>] (ip_address [<span class="optional">/length</span>] |
@@ -470,7 +486,7 @@
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2573520"></a>Definition and Usage</h4></div></div></div>
+<a name="id2574126"></a>Definition and Usage</h4></div></div></div>
<p>
Address match lists are primarily used to determine access
control for various server operations. They are also used in
@@ -554,7 +570,7 @@
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2573725"></a>Comment Syntax</h3></div></div></div>
+<a name="id2574332"></a>Comment Syntax</h3></div></div></div>
<p>
The <acronym class="acronym">BIND</acronym> 9 comment syntax allows for
comments to appear
@@ -564,7 +580,7 @@
</p>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2573740"></a>Syntax</h4></div></div></div>
+<a name="id2574347"></a>Syntax</h4></div></div></div>
<p>
</p>
<pre class="programlisting">/* This is a <acronym class="acronym">BIND</acronym> comment as in C */</pre>
@@ -573,13 +589,14 @@
<pre class="programlisting">// This is a <acronym class="acronym">BIND</acronym> comment as in C++</pre>
<p>
</p>
-<pre class="programlisting"># This is a <acronym class="acronym">BIND</acronym> comment as in common UNIX shells and perl</pre>
+<pre class="programlisting"># This is a <acronym class="acronym">BIND</acronym> comment as in common UNIX shells
+# and perl</pre>
<p>
</p>
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2573770"></a>Definition and Usage</h4></div></div></div>
+<a name="id2574377"></a>Definition and Usage</h4></div></div></div>
<p>
Comments may appear anywhere that whitespace may appear in
a <acronym class="acronym">BIND</acronym> configuration file.
@@ -792,6 +809,17 @@
</tr>
<tr>
<td>
+ <p><span><strong class="command">managed-keys</strong></span></p>
+ </td>
+<td>
+ <p>
+ lists DNSSEC keys to be kept up to date
+ using RFC 5011 trust anchor maintenance.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
<p><span><strong class="command">view</strong></span></p>
</td>
<td>
@@ -820,7 +848,7 @@
</p>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2574356"></a><span><strong class="command">acl</strong></span> Statement Grammar</h3></div></div></div>
+<a name="id2574986"></a><span><strong class="command">acl</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting"><span><strong class="command">acl</strong></span> acl-name {
address_match_list
};
@@ -902,12 +930,14 @@
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2574614"></a><span><strong class="command">controls</strong></span> Statement Grammar</h3></div></div></div>
+<a name="id2575176"></a><span><strong class="command">controls</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting"><span><strong class="command">controls</strong></span> {
- [ inet ( ip_addr | * ) [ port ip_port ] allow { <em class="replaceable"><code> address_match_list </code></em> }
+ [ inet ( ip_addr | * ) [ port ip_port ]
+ allow { <em class="replaceable"><code> address_match_list </code></em> }
keys { <em class="replaceable"><code>key_list</code></em> }; ]
[ inet ...; ]
- [ unix <em class="replaceable"><code>path</code></em> perm <em class="replaceable"><code>number</code></em> owner <em class="replaceable"><code>number</code></em> group <em class="replaceable"><code>number</code></em> keys { <em class="replaceable"><code>key_list</code></em> }; ]
+ [ unix <em class="replaceable"><code>path</code></em> perm <em class="replaceable"><code>number</code></em> owner <em class="replaceable"><code>number</code></em> group <em class="replaceable"><code>number</code></em>
+ keys { <em class="replaceable"><code>key_list</code></em> }; ]
[ unix ...; ]
};
</pre>
@@ -1024,12 +1054,12 @@
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2574974"></a><span><strong class="command">include</strong></span> Statement Grammar</h3></div></div></div>
+<a name="id2575467"></a><span><strong class="command">include</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting"><span><strong class="command">include</strong></span> <em class="replaceable"><code>filename</code></em>;</pre>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2574992"></a><span><strong class="command">include</strong></span> Statement Definition and
+<a name="id2575484"></a><span><strong class="command">include</strong></span> Statement Definition and
Usage</h3></div></div></div>
<p>
The <span><strong class="command">include</strong></span> statement inserts the
@@ -1044,7 +1074,7 @@
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2575015"></a><span><strong class="command">key</strong></span> Statement Grammar</h3></div></div></div>
+<a name="id2575576"></a><span><strong class="command">key</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting"><span><strong class="command">key</strong></span> <em class="replaceable"><code>key_id</code></em> {
algorithm <em class="replaceable"><code>string</code></em>;
secret <em class="replaceable"><code>string</code></em>;
@@ -1053,7 +1083,7 @@
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2575038"></a><span><strong class="command">key</strong></span> Statement Definition and Usage</h3></div></div></div>
+<a name="id2575600"></a><span><strong class="command">key</strong></span> Statement Definition and Usage</h3></div></div></div>
<p>
The <span><strong class="command">key</strong></span> statement defines a shared
secret key for use with TSIG (see <a href="Bv9ARM.ch04.html#tsig" title="TSIG">the section called &#8220;TSIG&#8221;</a>)
@@ -1100,7 +1130,7 @@
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2575129"></a><span><strong class="command">logging</strong></span> Statement Grammar</h3></div></div></div>
+<a name="id2575758"></a><span><strong class="command">logging</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting"><span><strong class="command">logging</strong></span> {
[ <span><strong class="command">channel</strong></span> <em class="replaceable"><code>channel_name</code></em> {
( <span><strong class="command">file</strong></span> <em class="replaceable"><code>path_name</code></em>
@@ -1124,7 +1154,7 @@
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2575255"></a><span><strong class="command">logging</strong></span> Statement Definition and
+<a name="id2575884"></a><span><strong class="command">logging</strong></span> Statement Definition and
Usage</h3></div></div></div>
<p>
The <span><strong class="command">logging</strong></span> statement configures a
@@ -1158,7 +1188,7 @@
</p>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2575376"></a>The <span><strong class="command">channel</strong></span> Phrase</h4></div></div></div>
+<a name="id2576005"></a>The <span><strong class="command">channel</strong></span> Phrase</h4></div></div></div>
<p>
All log output goes to one or more <span class="emphasis"><em>channels</em></span>;
you can make as many of them as you want.
@@ -1342,32 +1372,30 @@ notrace</strong></span>. All debugging messages in the server have a debug
used is described in <a href="Bv9ARM.ch06.html#the_category_phrase" title="The category Phrase">the section called &#8220;The <span><strong class="command">category</strong></span> Phrase&#8221;</a>.
</p>
<pre class="programlisting">channel default_syslog {
- syslog daemon; // send to syslog's daemon
- // facility
- severity info; // only send priority info
- // and higher
-};
+ // send to syslog's daemon facility
+ syslog daemon;
+ // only send priority info and higher
+ severity info;
channel default_debug {
- file "named.run"; // write to named.run in
- // the working directory
- // Note: stderr is used instead
- // of "named.run"
- // if the server is started
- // with the '-f' option.
- severity dynamic; // log at the server's
- // current debug level
+ // write to named.run in the working directory
+ // Note: stderr is used instead of "named.run" if
+ // the server is started with the '-f' option.
+ file "named.run";
+ // log at the server's current debug level
+ severity dynamic;
};
channel default_stderr {
- stderr; // writes to stderr
- severity info; // only send priority info
- // and higher
+ // writes to stderr
+ stderr;
+ // only send priority info and higher
+ severity info;
};
channel null {
- null; // toss anything sent to
- // this channel
+ // toss anything sent to this channel
+ null;
};
</pre>
<p>
@@ -1610,12 +1638,14 @@ category notify { null; };
<p>
The query log entry reports the client's IP
address and port number, and the query name,
- class and type. It also reports whether the
+ class and type. Next it reports whether the
Recursion Desired flag was set (+ if set, -
if not set), if the query was signed (S),
- EDNS was in use (E), if DO (DNSSEC Ok) was
- set (D), or if CD (Checking Disabled) was set
- (C).
+ EDNS was in use (E), if TCP was used (T), if
+ DO (DNSSEC Ok) was set (D), or if CD (Checking
+ Disabled) was set (C). After this the
+ destination address the query was sent to is
+ reported.
</p>
<p>
@@ -1718,12 +1748,25 @@ category notify { null; };
</p>
</td>
</tr>
+<tr>
+<td>
+ <p><span><strong class="command">RPZ</strong></span></p>
+ </td>
+<td>
+ <p>
+ Information about errors in response policy zone files,
+ rewritten responses, and at the highest
+ <span><strong class="command">debug</strong></span> levels, mere rewriting
+ attempts.
+ </p>
+ </td>
+</tr>
</tbody>
</table></div>
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2576871"></a>The <span><strong class="command">query-errors</strong></span> Category</h4></div></div></div>
+<a name="id2577322"></a>The <span><strong class="command">query-errors</strong></span> Category</h4></div></div></div>
<p>
The <span><strong class="command">query-errors</strong></span> category is
specifically intended for debugging purposes: To identify
@@ -1754,7 +1797,15 @@ category notify { null; };
The log message will look like as follows:
</p>
<p>
- <code class="computeroutput">fetch completed at resolver.c:2970 for www.example.com/A in 30.000183: timed out/success [domain:example.com,referral:2,restart:7,qrysent:8,timeout:5,lame:0,neterr:0,badresp:1,adberr:0,findfail:0,valfail:0]</code>
+
+ </p>
+<pre class="programlisting">
+fetch completed at resolver.c:2970 for www.example.com/A
+in 30.000183: timed out/success [domain:example.com,
+referral:2,restart:7,qrysent:8,timeout:5,lame:0,neterr:0,
+badresp:1,adberr:0,findfail:0,valfail:0]
+ </pre>
+<p>
</p>
<p>
The first part before the colon shows that a recursive
@@ -1943,13 +1994,14 @@ category notify { null; };
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2577316"></a><span><strong class="command">lwres</strong></span> Statement Grammar</h3></div></div></div>
+<a name="id2577910"></a><span><strong class="command">lwres</strong></span> Statement Grammar</h3></div></div></div>
<p>
This is the grammar of the <span><strong class="command">lwres</strong></span>
statement in the <code class="filename">named.conf</code> file:
</p>
<pre class="programlisting"><span><strong class="command">lwres</strong></span> {
- [<span class="optional"> listen-on { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
+ [<span class="optional"> listen-on { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ;
+ [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> view <em class="replaceable"><code>view_name</code></em>; </span>]
[<span class="optional"> search { <em class="replaceable"><code>domain_name</code></em> ; [<span class="optional"> <em class="replaceable"><code>domain_name</code></em> ; ... </span>] }; </span>]
[<span class="optional"> ndots <em class="replaceable"><code>number</code></em>; </span>]
@@ -1958,7 +2010,7 @@ category notify { null; };
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2577389"></a><span><strong class="command">lwres</strong></span> Statement Definition and Usage</h3></div></div></div>
+<a name="id2577984"></a><span><strong class="command">lwres</strong></span> Statement Definition and Usage</h3></div></div></div>
<p>
The <span><strong class="command">lwres</strong></span> statement configures the
name
@@ -2009,14 +2061,15 @@ category notify { null; };
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2577453"></a><span><strong class="command">masters</strong></span> Statement Grammar</h3></div></div></div>
+<a name="id2578116"></a><span><strong class="command">masters</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting">
-<span><strong class="command">masters</strong></span> <em class="replaceable"><code>name</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] };
+<span><strong class="command">masters</strong></span> <em class="replaceable"><code>name</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> |
+ <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] };
</pre>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2577565"></a><span><strong class="command">masters</strong></span> Statement Definition and
+<a name="id2578160"></a><span><strong class="command">masters</strong></span> Statement Definition and
Usage</h3></div></div></div>
<p><span><strong class="command">masters</strong></span>
lists allow for a common set of masters to be easily used by
@@ -2025,23 +2078,31 @@ category notify { null; };
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2577580"></a><span><strong class="command">options</strong></span> Statement Grammar</h3></div></div></div>
+<a name="id2578174"></a><span><strong class="command">options</strong></span> Statement Grammar</h3></div></div></div>
<p>
This is the grammar of the <span><strong class="command">options</strong></span>
statement in the <code class="filename">named.conf</code> file:
</p>
<pre class="programlisting"><span><strong class="command">options</strong></span> {
+ [<span class="optional"> attach-cache <em class="replaceable"><code>cache_name</code></em>; </span>]
[<span class="optional"> version <em class="replaceable"><code>version_string</code></em>; </span>]
[<span class="optional"> hostname <em class="replaceable"><code>hostname_string</code></em>; </span>]
[<span class="optional"> server-id <em class="replaceable"><code>server_id_string</code></em>; </span>]
[<span class="optional"> directory <em class="replaceable"><code>path_name</code></em>; </span>]
[<span class="optional"> key-directory <em class="replaceable"><code>path_name</code></em>; </span>]
+ [<span class="optional"> managed-keys-directory <em class="replaceable"><code>path_name</code></em>; </span>]
[<span class="optional"> named-xfer <em class="replaceable"><code>path_name</code></em>; </span>]
+ [<span class="optional"> tkey-gssapi-keytab <em class="replaceable"><code>path_name</code></em>; </span>]
[<span class="optional"> tkey-gssapi-credential <em class="replaceable"><code>principal</code></em>; </span>]
[<span class="optional"> tkey-domain <em class="replaceable"><code>domainname</code></em>; </span>]
[<span class="optional"> tkey-dhkey <em class="replaceable"><code>key_name</code></em> <em class="replaceable"><code>key_tag</code></em>; </span>]
[<span class="optional"> cache-file <em class="replaceable"><code>path_name</code></em>; </span>]
[<span class="optional"> dump-file <em class="replaceable"><code>path_name</code></em>; </span>]
+ [<span class="optional"> bindkeys-file <em class="replaceable"><code>path_name</code></em>; </span>]
+ [<span class="optional"> secroots-file <em class="replaceable"><code>path_name</code></em>; </span>]
+ [<span class="optional"> session-keyfile <em class="replaceable"><code>path_name</code></em>; </span>]
+ [<span class="optional"> session-keyname <em class="replaceable"><code>key_name</code></em>; </span>]
+ [<span class="optional"> session-keyalg <em class="replaceable"><code>algorithm_id</code></em>; </span>]
[<span class="optional"> memstatistics <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> memstatistics-file <em class="replaceable"><code>path_name</code></em>; </span>]
[<span class="optional"> pid-file <em class="replaceable"><code>path_name</code></em>; </span>]
@@ -2066,8 +2127,10 @@ category notify { null; };
[<span class="optional"> maintain-ixfr-base <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> ixfr-from-differences (<em class="replaceable"><code>yes_or_no</code></em> | <code class="constant">master</code> | <code class="constant">slave</code>); </span>]
[<span class="optional"> dnssec-enable <em class="replaceable"><code>yes_or_no</code></em>; </span>]
- [<span class="optional"> dnssec-validation <em class="replaceable"><code>yes_or_no</code></em>; </span>]
- [<span class="optional"> dnssec-lookaside <em class="replaceable"><code>domain</code></em> trust-anchor <em class="replaceable"><code>domain</code></em>; </span>]
+ [<span class="optional"> dnssec-validation (<em class="replaceable"><code>yes_or_no</code></em> | <code class="constant">auto</code>); </span>]
+ [<span class="optional"> dnssec-lookaside ( <em class="replaceable"><code>auto</code></em> |
+ <em class="replaceable"><code>no</code></em> |
+ <em class="replaceable"><code>domain</code></em> trust-anchor <em class="replaceable"><code>domain</code></em> ); </span>]
[<span class="optional"> dnssec-must-be-secure <em class="replaceable"><code>domain yes_or_no</code></em>; </span>]
[<span class="optional"> dnssec-accept-expired <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> forward ( <em class="replaceable"><code>only</code></em> | <em class="replaceable"><code>first</code></em> ); </span>]
@@ -2078,12 +2141,14 @@ category notify { null; };
... }; </span>]
[<span class="optional"> check-names ( <em class="replaceable"><code>master</code></em> | <em class="replaceable"><code>slave</code></em> | <em class="replaceable"><code>response</code></em> )
( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
+ [<span class="optional"> check-dup-records ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
[<span class="optional"> check-mx ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
[<span class="optional"> check-wildcard <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> check-integrity <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> check-mx-cname ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
[<span class="optional"> check-srv-cname ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
[<span class="optional"> check-sibling <em class="replaceable"><code>yes_or_no</code></em>; </span>]
+ [<span class="optional"> allow-new-zones { <em class="replaceable"><code>yes_or_no</code></em> }; </span>]
[<span class="optional"> allow-notify { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-query-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
@@ -2095,6 +2160,8 @@ category notify { null; };
[<span class="optional"> allow-update { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-update-forwarding { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> update-check-ksk <em class="replaceable"><code>yes_or_no</code></em>; </span>]
+ [<span class="optional"> dnssec-dnskey-kskonly <em class="replaceable"><code>yes_or_no</code></em>; </span>]
+ [<span class="optional"> dnssec-secure-to-insecure <em class="replaceable"><code>yes_or_no</code></em> ;</span>]
[<span class="optional"> try-tcp-refresh <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> allow-v6-synthesis { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> blackhole { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
@@ -2132,13 +2199,15 @@ category notify { null; };
[<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> alt-transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
- [<span class="optional"> alt-transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
+ [<span class="optional"> alt-transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>)
+ [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> use-alt-transfer-source <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> notify-delay <em class="replaceable"><code>seconds</code></em> ; </span>]
[<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> notify-to-soa <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
- [<span class="optional"> also-notify { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
+ [<span class="optional"> also-notify { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ;
+ [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> max-ixfr-log-size <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> max-journal-size <em class="replaceable"><code>size_spec</code></em>; </span>]
[<span class="optional"> coresize <em class="replaceable"><code>size_spec</code></em> ; </span>]
@@ -2174,12 +2243,25 @@ category notify { null; };
[<span class="optional"> random-device <em class="replaceable"><code>path_name</code></em> ; </span>]
[<span class="optional"> max-cache-size <em class="replaceable"><code>size_spec</code></em> ; </span>]
[<span class="optional"> match-mapped-addresses <em class="replaceable"><code>yes_or_no</code></em>; </span>]
+ [<span class="optional"> filter-aaaa-on-v4 ( <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>break-dnssec</code></em> ); </span>]
+ [<span class="optional"> filter-aaaa { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
+ [<span class="optional"> dns64 <em class="replaceable"><code>IPv6-prefix</code></em> {
+ [<span class="optional"> clients { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
+ [<span class="optional"> mapped { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
+ [<span class="optional"> exclude { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
+ [<span class="optional"> suffix IPv6-address; </span>]
+ [<span class="optional"> recursive-only <em class="replaceable"><code>yes_or_no</code></em>; </span>]
+ [<span class="optional"> break-dnssec <em class="replaceable"><code>yes_or_no</code></em>; </span>]
+ }; </span>];
+ [<span class="optional"> dns64-server <em class="replaceable"><code>name</code></em> </span>]
+ [<span class="optional"> dns64-contact <em class="replaceable"><code>name</code></em> </span>]
[<span class="optional"> preferred-glue ( <em class="replaceable"><code>A</code></em> | <em class="replaceable"><code>AAAA</code></em> | <em class="replaceable"><code>NONE</code></em> ); </span>]
[<span class="optional"> edns-udp-size <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> max-udp-size <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> root-delegation-only [<span class="optional"> exclude { <em class="replaceable"><code>namelist</code></em> } </span>] ; </span>]
[<span class="optional"> querylog <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
- [<span class="optional"> disable-algorithms <em class="replaceable"><code>domain</code></em> { <em class="replaceable"><code>algorithm</code></em>; [<span class="optional"> <em class="replaceable"><code>algorithm</code></em>; </span>] }; </span>]
+ [<span class="optional"> disable-algorithms <em class="replaceable"><code>domain</code></em> { <em class="replaceable"><code>algorithm</code></em>;
+ [<span class="optional"> <em class="replaceable"><code>algorithm</code></em>; </span>] }; </span>]
[<span class="optional"> acache-enable <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> acache-cleaning-interval <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> max-acache-size <em class="replaceable"><code>size_spec</code></em> ; </span>]
@@ -2192,6 +2274,14 @@ category notify { null; };
[<span class="optional"> disable-empty-zone <em class="replaceable"><code>zone_name</code></em> ; </span>]
[<span class="optional"> zero-no-soa-ttl <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> zero-no-soa-ttl-cache <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
+ [<span class="optional"> resolver-query-timeout <em class="replaceable"><code>number</code></em> ; </span>]
+ [<span class="optional"> deny-answer-addresses { <em class="replaceable"><code>address_match_list</code></em> } [<span class="optional"> except-from { <em class="replaceable"><code>namelist</code></em> } </span>];</span>]
+ [<span class="optional"> deny-answer-aliases { <em class="replaceable"><code>namelist</code></em> } [<span class="optional"> except-from { <em class="replaceable"><code>namelist</code></em> } </span>];</span>]
+ [<span class="optional"> response-policy { <em class="replaceable"><code>zone_name</code></em>
+ [<span class="optional"> policy given | disabled | passthru | nxdomain | nodata | cname <em class="replaceable"><code>domain</code></em> </span>]
+ [<span class="optional"> recursive-only <em class="replaceable"><code>yes_or_no</code></em> </span>] [<span class="optional"> max-policy-ttl <em class="replaceable"><code>number</code></em> </span>] ;
+ } [<span class="optional"> recursive-only <em class="replaceable"><code>yes_or_no</code></em> </span>] [<span class="optional"> max-policy-ttl <em class="replaceable"><code>number</code></em> </span>]
+ [<span class="optional"> break-dnssec <em class="replaceable"><code>yes_or_no</code></em> </span>] ; </span>]
};
</pre>
</div>
@@ -2209,6 +2299,91 @@ category notify { null; };
be used.
</p>
<div class="variablelist"><dl>
+<dt><span class="term"><span><strong class="command">attach-cache</strong></span></span></dt>
+<dd>
+<p>
+ Allows multiple views to share a single cache
+ database.
+ Each view has its own cache database by default, but
+ if multiple views have the same operational policy
+ for name resolution and caching, those views can
+ share a single cache to save memory and possibly
+ improve resolution efficiency by using this option.
+ </p>
+<p>
+ The <span><strong class="command">attach-cache</strong></span> option
+ may also be specified in <span><strong class="command">view</strong></span>
+ statements, in which case it overrides the
+ global <span><strong class="command">attach-cache</strong></span> option.
+ </p>
+<p>
+ The <em class="replaceable"><code>cache_name</code></em> specifies
+ the cache to be shared.
+ When the <span><strong class="command">named</strong></span> server configures
+ views which are supposed to share a cache, it
+ creates a cache with the specified name for the
+ first view of these sharing views.
+ The rest of the views will simply refer to the
+ already created cache.
+ </p>
+<p>
+ One common configuration to share a cache would be to
+ allow all views to share a single cache.
+ This can be done by specifying
+ the <span><strong class="command">attach-cache</strong></span> as a global
+ option with an arbitrary name.
+ </p>
+<p>
+ Another possible operation is to allow a subset of
+ all views to share a cache while the others to
+ retain their own caches.
+ For example, if there are three views A, B, and C,
+ and only A and B should share a cache, specify the
+ <span><strong class="command">attach-cache</strong></span> option as a view A (or
+ B)'s option, referring to the other view name:
+ </p>
+<pre class="programlisting">
+ view "A" {
+ // this view has its own cache
+ ...
+ };
+ view "B" {
+ // this view refers to A's cache
+ attach-cache "A";
+ };
+ view "C" {
+ // this view has its own cache
+ ...
+ };
+</pre>
+<p>
+ Views that share a cache must have the same policy
+ on configurable parameters that may affect caching.
+ The current implementation requires the following
+ configurable options be consistent among these
+ views:
+ <span><strong class="command">check-names</strong></span>,
+ <span><strong class="command">cleaning-interval</strong></span>,
+ <span><strong class="command">dnssec-accept-expired</strong></span>,
+ <span><strong class="command">dnssec-validation</strong></span>,
+ <span><strong class="command">max-cache-ttl</strong></span>,
+ <span><strong class="command">max-ncache-ttl</strong></span>,
+ <span><strong class="command">max-cache-size</strong></span>, and
+ <span><strong class="command">zero-no-soa-ttl</strong></span>.
+ </p>
+<p>
+ Note that there may be other parameters that may
+ cause confusion if they are inconsistent for
+ different views that share a single cache.
+ For example, if these views define different sets of
+ forwarders that can return different answers for the
+ same question, sharing the answer does not make
+ sense or could even be harmful.
+ It is administrator's responsibility to ensure
+ configuration differences in different views do
+ not cause disruption with a shared cache.
+ </p>
+</dd>
<dt><span class="term"><span><strong class="command">directory</strong></span></span></dt>
<dd><p>
The working directory of the server.
@@ -2229,10 +2404,19 @@ category notify { null; };
When performing dynamic update of secure zones, the
directory where the public and private DNSSEC key files
should be found, if different than the current working
- directory. The directory specified must be an absolute
- path. (Note that this option has no effect on the paths
- for files containing non-DNSSEC keys such as the
- <code class="filename">rndc.key</code>.
+ directory. (Note that this option has no effect on the
+ paths for files containing non-DNSSEC keys such as
+ <code class="filename">bind.keys</code>,
+ <code class="filename">rndc.key</code> or
+ <code class="filename">session.key</code>.)
+ </p></dd>
+<dt><span class="term"><span><strong class="command">managed-keys-directory</strong></span></span></dt>
+<dd><p>
+ The directory used to hold the files used to track managed keys.
+ By default it is the working directory. It there are no
+ views then the file <code class="filename">managed-keys.bind</code>
+ otherwise a SHA256 hash of the view name is used with
+ <code class="filename">.mkeys</code> extension added.
</p></dd>
<dt><span class="term"><span><strong class="command">named-xfer</strong></span></span></dt>
<dd><p>
@@ -2243,18 +2427,27 @@ category notify { null; };
<span><strong class="command">named-xfer</strong></span> program is needed;
its functionality is built into the name server.
</p></dd>
+<dt><span class="term"><span><strong class="command">tkey-gssapi-keytab</strong></span></span></dt>
+<dd><p>
+ The KRB5 keytab file to use for GSS-TSIG updates. If
+ this option is set and tkey-gssapi-credential is not
+ set, then updates will be allowed with any key
+ matching a principal in the specified keytab.
+ </p></dd>
<dt><span class="term"><span><strong class="command">tkey-gssapi-credential</strong></span></span></dt>
<dd><p>
The security credential with which the server should
authenticate keys requested by the GSS-TSIG protocol.
Currently only Kerberos 5 authentication is available
- and the credential is a Kerberos principal which
- the server can acquire through the default system
- key file, normally <code class="filename">/etc/krb5.keytab</code>.
- Normally this principal is of the form
- "<strong class="userinput"><code>DNS/</code></strong><code class="varname">server.domain</code>".
- To use GSS-TSIG, <span><strong class="command">tkey-domain</strong></span>
- must also be set.
+ and the credential is a Kerberos principal which the
+ server can acquire through the default system key
+ file, normally <code class="filename">/etc/krb5.keytab</code>.
+ The location keytab file can be overridden using the
+ tkey-gssapi-keytab option. Normally this principal is
+ of the form "<strong class="userinput"><code>DNS/</code></strong><code class="varname">server.domain</code>".
+ To use GSS-TSIG, <span><strong class="command">tkey-domain</strong></span> must
+ also be set if a specific keytab is not set with
+ tkey-gssapi-keytab.
</p></dd>
<dt><span class="term"><span><strong class="command">tkey-domain</strong></span></span></dt>
<dd><p>
@@ -2271,7 +2464,8 @@ category notify { null; };
should be the server's domain name, or an otherwise
non-existent subdomain like
"_tkey.<code class="varname">domainname</code>". If you are
- using GSS-TSIG, this variable must be defined.
+ using GSS-TSIG, this variable must be defined, unless
+ you specify a specific keytab using tkey-gssapi-keytab.
</p></dd>
<dt><span class="term"><span><strong class="command">tkey-dhkey</strong></span></span></dt>
<dd><p>
@@ -2331,6 +2525,47 @@ category notify { null; };
described
in <a href="Bv9ARM.ch06.html#statsfile" title="The Statistics File">the section called &#8220;The Statistics File&#8221;</a>.
</p></dd>
+<dt><span class="term"><span><strong class="command">bindkeys-file</strong></span></span></dt>
+<dd><p>
+ The pathname of a file to override the built-in trusted
+ keys provided by <span><strong class="command">named</strong></span>.
+ See the discussion of <span><strong class="command">dnssec-lookaside</strong></span>
+ and <span><strong class="command">dnssec-validation</strong></span> for details.
+ If not specified, the default is
+ <code class="filename">/etc/bind.keys</code>.
+ </p></dd>
+<dt><span class="term"><span><strong class="command">secroots-file</strong></span></span></dt>
+<dd><p>
+ The pathname of the file the server dumps
+ security roots to when instructed to do so with
+ <span><strong class="command">rndc secroots</strong></span>.
+ If not specified, the default is
+ <code class="filename">named.secroots</code>.
+ </p></dd>
+<dt><span class="term"><span><strong class="command">session-keyfile</strong></span></span></dt>
+<dd><p>
+ The pathname of the file into which to write a TSIG
+ session key generated by <span><strong class="command">named</strong></span> for use by
+ <span><strong class="command">nsupdate -l</strong></span>. If not specified, the
+ default is <code class="filename">/var/run/named/session.key</code>.
+ (See <a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called &#8220;Dynamic Update Policies&#8221;</a>, and in
+ particular the discussion of the
+ <span><strong class="command">update-policy</strong></span> statement's
+ <strong class="userinput"><code>local</code></strong> option for more
+ information about this feature.)
+ </p></dd>
+<dt><span class="term"><span><strong class="command">session-keyname</strong></span></span></dt>
+<dd><p>
+ The key name to use for the TSIG session key.
+ If not specified, the default is "local-ddns".
+ </p></dd>
+<dt><span class="term"><span><strong class="command">session-keyalg</strong></span></span></dt>
+<dd><p>
+ The algorithm to use for the TSIG session key.
+ Valid values are hmac-sha1, hmac-sha224, hmac-sha256,
+ hmac-sha384, hmac-sha512 and hmac-md5. If not
+ specified, the default is hmac-sha256.
+ </p></dd>
<dt><span class="term"><span><strong class="command">port</strong></span></span></dt>
<dd><p>
The UDP/TCP port number the server uses for
@@ -2379,14 +2614,14 @@ category notify { null; };
<p>
DS queries are expected to be made to and be answered by
delegation only zones. Such queries and responses are
- treated as a exception to delegation-only processing
+ treated as an exception to delegation-only processing
and are not converted to NXDOMAIN responses provided
a CNAME is not discovered at the query name.
</p>
<p>
If a delegation only zone server also serves a child
zone it is not always possible to determine whether
- a answer comes from the delegation only zone or the
+ an answer comes from the delegation only zone or the
child zone. SOA NS and DNSKEY records are apex
only records and a matching response that contains
these records or DS is treated as coming from a
@@ -2423,42 +2658,161 @@ options {
Only the most specific will be applied.
</p></dd>
<dt><span class="term"><span><strong class="command">dnssec-lookaside</strong></span></span></dt>
-<dd><p>
- When set, <span><strong class="command">dnssec-lookaside</strong></span>
- provides the
- validator with an alternate method to validate DNSKEY records
- at the
- top of a zone. When a DNSKEY is at or below a domain
- specified by the
- deepest <span><strong class="command">dnssec-lookaside</strong></span>, and
- the normal DNSSEC validation
- has left the key untrusted, the trust-anchor will be append to
- the key
- name and a DLV record will be looked up to see if it can
- validate the
- key. If the DLV record validates a DNSKEY (similarly to the
- way a DS
+<dd>
+<p>
+ When set, <span><strong class="command">dnssec-lookaside</strong></span> provides the
+ validator with an alternate method to validate DNSKEY
+ records at the top of a zone. When a DNSKEY is at or
+ below a domain specified by the deepest
+ <span><strong class="command">dnssec-lookaside</strong></span>, and the normal DNSSEC
+ validation has left the key untrusted, the trust-anchor
+ will be appended to the key name and a DLV record will be
+ looked up to see if it can validate the key. If the DLV
+ record validates a DNSKEY (similarly to the way a DS
record does) the DNSKEY RRset is deemed to be trusted.
- </p></dd>
+ </p>
+<p>
+ If <span><strong class="command">dnssec-lookaside</strong></span> is set to
+ <strong class="userinput"><code>auto</code></strong>, then built-in default
+ values for the DLV domain and trust anchor will be
+ used, along with a built-in key for validation.
+ </p>
+<p>
+ If <span><strong class="command">dnssec-lookaside</strong></span> is set to
+ <strong class="userinput"><code>no</code></strong>, then dnssec-lookaside
+ is not used.
+ </p>
+<p>
+ The default DLV key is stored in the file
+ <code class="filename">bind.keys</code>;
+ <span><strong class="command">named</strong></span> will load that key at
+ startup if <span><strong class="command">dnssec-lookaside</strong></span> is set to
+ <code class="constant">auto</code>. A copy of the file is
+ installed along with <acronym class="acronym">BIND</acronym> 9, and is
+ current as of the release date. If the DLV key expires, a
+ new copy of <code class="filename">bind.keys</code> can be downloaded
+ from <a href="" target="_top">https://www.isc.org/solutions/dlv</a>.
+ </p>
+<p>
+ (To prevent problems if <code class="filename">bind.keys</code> is
+ not found, the current key is also compiled in to
+ <span><strong class="command">named</strong></span>. Relying on this is not
+ recommended, however, as it requires <span><strong class="command">named</strong></span>
+ to be recompiled with a new key when the DLV key expires.)
+ </p>
+<p>
+ NOTE: <span><strong class="command">named</strong></span> only loads certain specific
+ keys from <code class="filename">bind.keys</code>: those for the
+ DLV zone and for the DNS root zone. The file cannot be
+ used to store keys for other zones.
+ </p>
+</dd>
<dt><span class="term"><span><strong class="command">dnssec-must-be-secure</strong></span></span></dt>
<dd><p>
- Specify hierarchies which must be or may not be secure (signed and
- validated).
- If <strong class="userinput"><code>yes</code></strong>, then <span><strong class="command">named</strong></span> will only accept
- answers if they
- are secure.
- If <strong class="userinput"><code>no</code></strong>, then normal DNSSEC validation
- applies
- allowing for insecure answers to be accepted.
- The specified domain must be under a <span><strong class="command">trusted-key</strong></span> or
- <span><strong class="command">dnssec-lookaside</strong></span> must be
- active.
+ Specify hierarchies which must be or may not be secure
+ (signed and validated). If <strong class="userinput"><code>yes</code></strong>,
+ then <span><strong class="command">named</strong></span> will only accept answers if
+ they are secure. If <strong class="userinput"><code>no</code></strong>, then normal
+ DNSSEC validation applies allowing for insecure answers to
+ be accepted. The specified domain must be under a
+ <span><strong class="command">trusted-keys</strong></span> or
+ <span><strong class="command">managed-keys</strong></span> statement, or
+ <span><strong class="command">dnssec-lookaside</strong></span> must be active.
</p></dd>
+<dt><span class="term"><span><strong class="command">dns64</strong></span></span></dt>
+<dd>
+<p>
+ This directive instructs <span><strong class="command">named</strong></span> to
+ return mapped IPv4 addresses to AAAA queries when
+ there are no AAAA records. It is intended to be
+ used in conjunction with a NAT64. Each
+ <span><strong class="command">dns64</strong></span> defines one DNS64 prefix.
+ Multiple DNS64 prefixes can be defined.
+ </p>
+<p>
+ Compatible IPv6 prefixes have lengths of 32, 40, 48, 56,
+ 64 and 96 as per RFC 6052.
+ </p>
+<p>
+ Additionally a reverse IP6.ARPA zone will be created for
+ the prefix to provide a mapping from the IP6.ARPA names
+ to the corresponding IN-ADDR.ARPA names using synthesized
+ CNAMEs. <span><strong class="command">dns64-server</strong></span> and
+ <span><strong class="command">dns64-contact</strong></span> can be used to specify
+ the name of the server and contact for the zones. These
+ are settable at the view / options level. These are
+ not settable on a per-prefix basis.
+ </p>
+<p>
+ Each <span><strong class="command">dns64</strong></span> supports an optional
+ <span><strong class="command">clients</strong></span> ACL that determines which
+ clients are affected by this directive. If not defined,
+ it defaults to <strong class="userinput"><code>any;</code></strong>.
+ </p>
+<p>
+ Each <span><strong class="command">dns64</strong></span> supports an optional
+ <span><strong class="command">mapped</strong></span> ACL that selects which
+ IPv4 addresses are to be mapped in the corresponding
+ A RRset. If not defined it defaults to
+ <strong class="userinput"><code>any;</code></strong>.
+ </p>
+<p>
+ Normally, DNS64 won't apply to a domain name that
+ owns one or more AAAA records; these records will
+ simply be returned. The optional
+ <span><strong class="command">exclude</strong></span> ACL allows specification
+ of a list of IPv6 addresses that will be ignored
+ if they appear in a domain name's AAAA records, and
+ DNS64 will be applied to any A records the domain
+ name owns. If not defined, <span><strong class="command">exclude</strong></span>
+ defaults to none.
+ </p>
+<p>
+ A optional <span><strong class="command">suffix</strong></span> can also
+ be defined to set the bits trailing the mapped
+ IPv4 address bits. By default these bits are
+ set to <strong class="userinput"><code>::</code></strong>. The bits
+ matching the prefix and mapped IPv4 address
+ must be zero.
+ </p>
+<p>
+ If <span><strong class="command">recursive-only</strong></span> is set to
+ <span><strong class="command">yes</strong></span> the DNS64 synthesis will
+ only happen for recursive queries. The default
+ is <span><strong class="command">no</strong></span>.
+ </p>
+<p>
+ If <span><strong class="command">break-dnssec</strong></span> is set to
+ <span><strong class="command">yes</strong></span> the DNS64 synthesis will
+ happen even if the result, if validated, would
+ cause a DNSSEC validation failure. If this option
+ is set to <span><strong class="command">no</strong></span> (the default), the DO
+ is set on the incoming query, and there are RRSIGs on
+ the applicable records, then synthesis will not happen.
+ </p>
+<pre class="programlisting">
+ acl rfc1918 { 10/8; 192.168/16; 172.16/12; };
+
+ dns64 64:FF9B::/96 {
+ clients { any; };
+ mapped { !rfc1918; any; };
+ exclude { 64:FF9B::/96; ::ffff:0000:0000/96; };
+ suffix ::;
+ };
+</pre>
+</dd>
</dl></div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="boolean_options"></a>Boolean Options</h4></div></div></div>
<div class="variablelist"><dl>
+<dt><span class="term"><span><strong class="command">allow-new-zones</strong></span></span></dt>
+<dd><p>
+ If <strong class="userinput"><code>yes</code></strong>, then zones can be
+ added at runtime via <span><strong class="command">rndc addzone</strong></span>
+ or deleted via <span><strong class="command">rndc delzone</strong></span>.
+ The default is <strong class="userinput"><code>no</code></strong>.
+ </p></dd>
<dt><span class="term"><span><strong class="command">auth-nxdomain</strong></span></span></dt>
<dd><p>
If <strong class="userinput"><code>yes</code></strong>, then the <span><strong class="command">AA</strong></span> bit
@@ -2863,6 +3217,7 @@ options {
off
on a per-zone basis by specifying <span><strong class="command">zone-statistics no</strong></span>
in the <span><strong class="command">zone</strong></span> statement).
+ The default is <strong class="userinput"><code>no</code></strong>.
These statistics may be accessed
using <span><strong class="command">rndc stats</strong></span>, which will
dump them to the file listed
@@ -3006,6 +3361,57 @@ options {
internally. The use of this option is discouraged.
</p>
</dd>
+<dt><span class="term"><span><strong class="command">filter-aaaa-on-v4</strong></span></span></dt>
+<dd>
+<p>
+ This option is only available when
+ <acronym class="acronym">BIND</acronym> 9 is compiled with the
+ <strong class="userinput"><code>--enable-filter-aaaa</code></strong> option on the
+ "configure" command line. It is intended to help the
+ transition from IPv4 to IPv6 by not giving IPv6 addresses
+ to DNS clients unless they have connections to the IPv6
+ Internet. This is not recommended unless absolutely
+ necessary. The default is <strong class="userinput"><code>no</code></strong>.
+ The <span><strong class="command">filter-aaaa-on-v4</strong></span> option
+ may also be specified in <span><strong class="command">view</strong></span> statements
+ to override the global <span><strong class="command">filter-aaaa-on-v4</strong></span>
+ option.
+ </p>
+<p>
+ If <strong class="userinput"><code>yes</code></strong>,
+ the DNS client is at an IPv4 address, in <span><strong class="command">filter-aaaa</strong></span>,
+ and if the response does not include DNSSEC signatures,
+ then all AAAA records are deleted from the response.
+ This filtering applies to all responses and not only
+ authoritative responses.
+ </p>
+<p>
+ If <strong class="userinput"><code>break-dnssec</code></strong>,
+ then AAAA records are deleted even when dnssec is enabled.
+ As suggested by the name, this makes the response not verify,
+ because the DNSSEC protocol is designed detect deletions.
+ </p>
+<p>
+ This mechanism can erroneously cause other servers to
+ not give AAAA records to their clients.
+ A recursing server with both IPv6 and IPv4 network connections
+ that queries an authoritative server using this mechanism
+ via IPv4 will be denied AAAA records even if its client is
+ using IPv6.
+ </p>
+<p>
+ This mechanism is applied to authoritative as well as
+ non-authoritative records.
+ A client using IPv4 that is not allowed recursion can
+ erroneously be given AAAA records because the server is not
+ allowed to check for A records.
+ </p>
+<p>
+ Some AAAA records are given to IPv4 clients in glue records.
+ IPv4 clients that are servers can then erroneously
+ answer requests for AAAA records received via IPv4.
+ </p>
+</dd>
<dt><span class="term"><span><strong class="command">ixfr-from-differences</strong></span></span></dt>
<dd>
<p>
@@ -3060,13 +3466,23 @@ options {
Enable DNSSEC validation in <span><strong class="command">named</strong></span>.
Note <span><strong class="command">dnssec-enable</strong></span> also needs to be
set to <strong class="userinput"><code>yes</code></strong> to be effective.
- The default is <strong class="userinput"><code>yes</code></strong>.
+ If set to <strong class="userinput"><code>no</code></strong>, DNSSEC validation
+ is disabled. If set to <strong class="userinput"><code>auto</code></strong>,
+ DNSSEC validation is enabled, and a default
+ trust-anchor for the DNS root zone is used. If set to
+ <strong class="userinput"><code>yes</code></strong>, DNSSEC validation is enabled,
+ but a trust anchor must be manually configured using
+ a <span><strong class="command">trusted-keys</strong></span> or
+ <span><strong class="command">managed-keys</strong></span> statement. The default
+ is <strong class="userinput"><code>yes</code></strong>.
</p></dd>
<dt><span class="term"><span><strong class="command">dnssec-accept-expired</strong></span></span></dt>
<dd><p>
Accept expired signatures when verifying DNSSEC signatures.
The default is <strong class="userinput"><code>no</code></strong>.
- Setting this option to "yes" leaves <span><strong class="command">named</strong></span> vulnerable to replay attacks.
+ Setting this option to <strong class="userinput"><code>yes</code></strong>
+ leaves <span><strong class="command">named</strong></span> vulnerable to
+ replay attacks.
</p></dd>
<dt><span class="term"><span><strong class="command">querylog</strong></span></span></dt>
<dd><p>
@@ -3104,6 +3520,14 @@ options {
(the owner name ends in IN-ADDR.ARPA, IP6.ARPA, or IP6.INT).
</p>
</dd>
+<dt><span class="term"><span><strong class="command">check-dup-records</strong></span></span></dt>
+<dd><p>
+ Check master zones for records that are treated as different
+ by DNSSEC but are semantically equal in plain DNS. The
+ default is to <span><strong class="command">warn</strong></span>. Other possible
+ values are <span><strong class="command">fail</strong></span> and
+ <span><strong class="command">ignore</strong></span>.
+ </p></dd>
<dt><span class="term"><span><strong class="command">check-mx</strong></span></span></dt>
<dd><p>
Check whether the MX record appears to refer to a IP address.
@@ -3166,26 +3590,86 @@ options {
The default is <span><strong class="command">no</strong></span>.
</p></dd>
<dt><span class="term"><span><strong class="command">update-check-ksk</strong></span></span></dt>
-<dd><p>
- When regenerating the RRSIGs following a UPDATE
- request to a secure zone, check the KSK flag on
- the DNSKEY RR to determine if this key should be
- used to generate the RRSIG. This flag is ignored
- if there are not DNSKEY RRs both with and without
- a KSK.
- The default is <span><strong class="command">yes</strong></span>.
- </p></dd>
+<dd>
+<p>
+ When set to the default value of <code class="literal">yes</code>,
+ check the KSK bit in each key to determine how the key
+ should be used when generating RRSIGs for a secure zone.
+ </p>
+<p>
+ Ordinarily, zone-signing keys (that is, keys without the
+ KSK bit set) are used to sign the entire zone, while
+ key-signing keys (keys with the KSK bit set) are only
+ used to sign the DNSKEY RRset at the zone apex.
+ However, if this option is set to <code class="literal">no</code>,
+ then the KSK bit is ignored; KSKs are treated as if they
+ were ZSKs and are used to sign the entire zone. This is
+ similar to the <span><strong class="command">dnssec-signzone -z</strong></span>
+ command line option.
+ </p>
+<p>
+ When this option is set to <code class="literal">yes</code>, there
+ must be at least two active keys for every algorithm
+ represented in the DNSKEY RRset: at least one KSK and one
+ ZSK per algorithm. If there is any algorithm for which
+ this requirement is not met, this option will be ignored
+ for that algorithm.
+ </p>
+</dd>
+<dt><span class="term"><span><strong class="command">dnssec-dnskey-kskonly</strong></span></span></dt>
+<dd>
+<p>
+ When this option and <span><strong class="command">update-check-ksk</strong></span>
+ are both set to <code class="literal">yes</code>, only key-signing
+ keys (that is, keys with the KSK bit set) will be used
+ to sign the DNSKEY RRset at the zone apex. Zone-signing
+ keys (keys without the KSK bit set) will be used to sign
+ the remainder of the zone, but not the DNSKEY RRset.
+ This is similar to the
+ <span><strong class="command">dnssec-signzone -x</strong></span> command line option.
+ </p>
+<p>
+ The default is <span><strong class="command">no</strong></span>. If
+ <span><strong class="command">update-check-ksk</strong></span> is set to
+ <code class="literal">no</code>, this option is ignored.
+ </p>
+</dd>
<dt><span class="term"><span><strong class="command">try-tcp-refresh</strong></span></span></dt>
<dd><p>
Try to refresh the zone using TCP if UDP queries fail.
For BIND 8 compatibility, the default is
<span><strong class="command">yes</strong></span>.
</p></dd>
+<dt><span class="term"><span><strong class="command">dnssec-secure-to-insecure</strong></span></span></dt>
+<dd>
+<p>
+ Allow a dynamic zone to transition from secure to
+ insecure (i.e., signed to unsigned) by deleting all
+ of the DNSKEY records. The default is <span><strong class="command">no</strong></span>.
+ If set to <span><strong class="command">yes</strong></span>, and if the DNSKEY RRset
+ at the zone apex is deleted, all RRSIG and NSEC records
+ will be removed from the zone as well.
+ </p>
+<p>
+ If the zone uses NSEC3, then it is also necessary to
+ delete the NSEC3PARAM RRset from the zone apex; this will
+ cause the removal of all corresponding NSEC3 records.
+ (It is expected that this requirement will be eliminated
+ in a future release.)
+ </p>
+<p>
+ Note that if a zone has been configured with
+ <span><strong class="command">auto-dnssec maintain</strong></span> and the
+ private keys remain accessible in the key repository,
+ then the zone will be automatically signed again the
+ next time <span><strong class="command">named</strong></span> is started.
+ </p>
+</dd>
</dl></div>
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2581838"></a>Forwarding</h4></div></div></div>
+<a name="id2583675"></a>Forwarding</h4></div></div></div>
<p>
The forwarding facility can be used to create a large site-wide
cache on a few servers, reducing traffic over links to external
@@ -3229,7 +3713,7 @@ options {
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2581897"></a>Dual-stack Servers</h4></div></div></div>
+<a name="id2583734"></a>Dual-stack Servers</h4></div></div></div>
<p>
Dual-stack servers are used as servers of last resort to work
around
@@ -3422,11 +3906,25 @@ options {
from these addresses will not be responded to. The default
is <strong class="userinput"><code>none</code></strong>.
</p></dd>
+<dt><span class="term"><span><strong class="command">filter-aaaa</strong></span></span></dt>
+<dd><p>
+ Specifies a list of addresses to which
+ <span><strong class="command">filter-aaaa-on-v4</strong></span>
+ is applies. The default is <strong class="userinput"><code>any</code></strong>.
+ </p></dd>
+<dt><span class="term"><span><strong class="command">resolver-query-timeout</strong></span></span></dt>
+<dd><p>
+ The amount of time the resolver will spend attempting
+ to resolve a recursive query before failing. The default
+ and minimum is <code class="literal">10</code> and the maximum is
+ <code class="literal">30</code>. Setting it to <code class="literal">0</code>
+ will result in the default being used.
+ </p></dd>
</dl></div>
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2582471"></a>Interfaces</h4></div></div></div>
+<a name="id2584422"></a>Interfaces</h4></div></div></div>
<p>
The interfaces and ports that the server will answer queries
from may be specified using the <span><strong class="command">listen-on</strong></span> option. <span><strong class="command">listen-on</strong></span> takes
@@ -3885,7 +4383,7 @@ avoid-v6-udp-ports {};
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2583749"></a>UDP Port Lists</h4></div></div></div>
+<a name="id2585495"></a>UDP Port Lists</h4></div></div></div>
<p>
<span><strong class="command">use-v4-udp-ports</strong></span>,
<span><strong class="command">avoid-v4-udp-ports</strong></span>,
@@ -3927,7 +4425,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2583809"></a>Operating System Resource Limits</h4></div></div></div>
+<a name="id2585555"></a>Operating System Resource Limits</h4></div></div></div>
<p>
The server's usage of many system resources can be limited.
Scaled values are allowed when specifying resource limits. For
@@ -4089,7 +4587,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2584231"></a>Periodic Task Intervals</h4></div></div></div>
+<a name="id2586114"></a>Periodic Task Intervals</h4></div></div></div>
<div class="variablelist"><dl>
<dt><span class="term"><span><strong class="command">cleaning-interval</strong></span></span></dt>
<dd><p>
@@ -4259,20 +4757,26 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
their directly connected networks.
</p>
<pre class="programlisting">sortlist {
- { localhost; // IF the local host
- { localnets; // THEN first fit on the
- 192.168.1/24; // following nets
+ // IF the local host
+ // THEN first fit on the following nets
+ { localhost;
+ { localnets;
+ 192.168.1/24;
{ 192.168.2/24; 192.168.3/24; }; }; };
- { 192.168.1/24; // IF on class C 192.168.1
- { 192.168.1/24; // THEN use .1, or .2 or .3
+ // IF on class C 192.168.1 THEN use .1, or .2 or .3
+ { 192.168.1/24;
+ { 192.168.1/24;
{ 192.168.2/24; 192.168.3/24; }; }; };
- { 192.168.2/24; // IF on class C 192.168.2
- { 192.168.2/24; // THEN use .2, or .1 or .3
+ // IF on class C 192.168.2 THEN use .2, or .1 or .3
+ { 192.168.2/24;
+ { 192.168.2/24;
{ 192.168.1/24; 192.168.3/24; }; }; };
- { 192.168.3/24; // IF on class C 192.168.3
- { 192.168.3/24; // THEN use .3, or .1 or .2
+ // IF on class C 192.168.3 THEN use .3, or .1 or .2
+ { 192.168.3/24;
+ { 192.168.3/24;
{ 192.168.1/24; 192.168.2/24; }; }; };
- { { 192.168.4/24; 192.168.5/24; }; // if .4 or .5, prefer that net
+ // IF .4 or .5 THEN prefer that net
+ { { 192.168.4/24; 192.168.5/24; };
};
};</pre>
<p>
@@ -4463,7 +4967,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
Specifies the number of days into the future when
DNSSEC signatures automatically generated as a
result of dynamic updates (<a href="Bv9ARM.ch04.html#dynamic_update" title="Dynamic Update">the section called &#8220;Dynamic Update&#8221;</a>) will expire. There
- is a optional second field which specifies how
+ is an optional second field which specifies how
long before expiry that the signatures will be
regenerated. If not specified, the signatures will
be regenerated at 1/4 of base interval. The second
@@ -4544,7 +5048,8 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
</p>
</dd>
<dt><span class="term"><span><strong class="command">edns-udp-size</strong></span></span></dt>
-<dd><p>
+<dd>
+<p>
Sets the advertised EDNS UDP buffer size in bytes
to control the size of packets received.
Valid values are 512 to 4096 (values outside this range
@@ -4554,20 +5059,35 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
value is to get UDP answers to pass through broken
firewalls that block fragmented packets and/or
block UDP packets that are greater than 512 bytes.
- </p></dd>
+ </p>
+<p>
+ <span><strong class="command">named</strong></span> will fallback to using 512 bytes
+ if it get a series of timeout at the initial value. 512
+ bytes is not being offered to encourage sites to fix their
+ firewalls. Small EDNS UDP sizes will result in the
+ excessive use of TCP.
+ </p>
+</dd>
<dt><span class="term"><span><strong class="command">max-udp-size</strong></span></span></dt>
-<dd><p>
- Sets the maximum EDNS UDP message size <span><strong class="command">named</strong></span> will
- send in bytes. Valid values are 512 to 4096 (values outside
- this range will be silently adjusted). The default
+<dd>
+<p>
+ Sets the maximum EDNS UDP message size
+ <span><strong class="command">named</strong></span> will send in bytes.
+ Valid values are 512 to 4096 (values outside this
+ range will be silently adjusted). The default
value is 4096. The usual reason for setting
- <span><strong class="command">max-udp-size</strong></span> to a non-default value is to get UDP
- answers to pass through broken firewalls that
- block fragmented packets and/or block UDP packets
- that are greater than 512 bytes.
+ <span><strong class="command">max-udp-size</strong></span> to a non-default
+ value is to get UDP answers to pass through broken
+ firewalls that block fragmented packets and/or
+ block UDP packets that are greater than 512 bytes.
This is independent of the advertised receive
buffer (<span><strong class="command">edns-udp-size</strong></span>).
- </p></dd>
+ </p>
+<p>
+ Setting this to a low value will encourage additional
+ TCP traffic to the nameserver.
+ </p>
+</dd>
<dt><span class="term"><span><strong class="command">masterfile-format</strong></span></span></dt>
<dd><p>Specifies
the file format of zone files (see
@@ -4719,7 +5239,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
<p>
Named will attempt to determine if a built-in zone already exists
or is active (covered by a forward-only forwarding declaration)
- and will not create a empty zone in that case.
+ and will not create an empty zone in that case.
</p>
<p>
The current list of empty zones is:
@@ -4905,6 +5425,385 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
</p></dd>
</dl></div>
</div>
+<div class="sect3" lang="en">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="id2588152"></a>Content Filtering</h4></div></div></div>
+<p>
+ <acronym class="acronym">BIND</acronym> 9 provides the ability to filter
+ out DNS responses from external DNS servers containing
+ certain types of data in the answer section.
+ Specifically, it can reject address (A or AAAA) records if
+ the corresponding IPv4 or IPv6 addresses match the given
+ <code class="varname">address_match_list</code> of the
+ <span><strong class="command">deny-answer-addresses</strong></span> option.
+ It can also reject CNAME or DNAME records if the "alias"
+ name (i.e., the CNAME alias or the substituted query name
+ due to DNAME) matches the
+ given <code class="varname">namelist</code> of the
+ <span><strong class="command">deny-answer-aliases</strong></span> option, where
+ "match" means the alias name is a subdomain of one of
+ the <code class="varname">name_list</code> elements.
+ If the optional <code class="varname">namelist</code> is specified
+ with <span><strong class="command">except-from</strong></span>, records whose query name
+ matches the list will be accepted regardless of the filter
+ setting.
+ Likewise, if the alias name is a subdomain of the
+ corresponding zone, the <span><strong class="command">deny-answer-aliases</strong></span>
+ filter will not apply;
+ for example, even if "example.com" is specified for
+ <span><strong class="command">deny-answer-aliases</strong></span>,
+ </p>
+<pre class="programlisting">www.example.com. CNAME xxx.example.com.</pre>
+<p>
+ returned by an "example.com" server will be accepted.
+ </p>
+<p>
+ In the <code class="varname">address_match_list</code> of the
+ <span><strong class="command">deny-answer-addresses</strong></span> option, only
+ <code class="varname">ip_addr</code>
+ and <code class="varname">ip_prefix</code>
+ are meaningful;
+ any <code class="varname">key_id</code> will be silently ignored.
+ </p>
+<p>
+ If a response message is rejected due to the filtering,
+ the entire message is discarded without being cached, and
+ a SERVFAIL error will be returned to the client.
+ </p>
+<p>
+ This filtering is intended to prevent "DNS rebinding attacks," in
+ which an attacker, in response to a query for a domain name the
+ attacker controls, returns an IP address within your own network or
+ an alias name within your own domain.
+ A naive web browser or script could then serve as an
+ unintended proxy, allowing the attacker
+ to get access to an internal node of your local network
+ that couldn't be externally accessed otherwise.
+ See the paper available at
+ <a href="" target="_top">
+ http://portal.acm.org/citation.cfm?id=1315245.1315298
+ </a>
+ for more details about the attacks.
+ </p>
+<p>
+ For example, if you own a domain named "example.net" and
+ your internal network uses an IPv4 prefix 192.0.2.0/24,
+ you might specify the following rules:
+ </p>
+<pre class="programlisting">deny-answer-addresses { 192.0.2.0/24; } except-from { "example.net"; };
+deny-answer-aliases { "example.net"; };
+</pre>
+<p>
+ If an external attacker lets a web browser in your local
+ network look up an IPv4 address of "attacker.example.com",
+ the attacker's DNS server would return a response like this:
+ </p>
+<pre class="programlisting">attacker.example.com. A 192.0.2.1</pre>
+<p>
+ in the answer section.
+ Since the rdata of this record (the IPv4 address) matches
+ the specified prefix 192.0.2.0/24, this response will be
+ ignored.
+ </p>
+<p>
+ On the other hand, if the browser looks up a legitimate
+ internal web server "www.example.net" and the
+ following response is returned to
+ the <acronym class="acronym">BIND</acronym> 9 server
+ </p>
+<pre class="programlisting">www.example.net. A 192.0.2.2</pre>
+<p>
+ it will be accepted since the owner name "www.example.net"
+ matches the <span><strong class="command">except-from</strong></span> element,
+ "example.net".
+ </p>
+<p>
+ Note that this is not really an attack on the DNS per se.
+ In fact, there is nothing wrong for an "external" name to
+ be mapped to your "internal" IP address or domain name
+ from the DNS point of view.
+ It might actually be provided for a legitimate purpose,
+ such as for debugging.
+ As long as the mapping is provided by the correct owner,
+ it is not possible or does not make sense to detect
+ whether the intent of the mapping is legitimate or not
+ within the DNS.
+ The "rebinding" attack must primarily be protected at the
+ application that uses the DNS.
+ For a large site, however, it may be difficult to protect
+ all possible applications at once.
+ This filtering feature is provided only to help such an
+ operational environment;
+ it is generally discouraged to turn it on unless you are
+ very sure you have no other choice and the attack is a
+ real threat for your applications.
+ </p>
+<p>
+ Care should be particularly taken if you want to use this
+ option for addresses within 127.0.0.0/8.
+ These addresses are obviously "internal", but many
+ applications conventionally rely on a DNS mapping from
+ some name to such an address.
+ Filtering out DNS records containing this address
+ spuriously can break such applications.
+ </p>
+</div>
+<div class="sect3" lang="en">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="id2588343"></a>Response Policy Zone (RPZ) Rewriting</h4></div></div></div>
+<p>
+ <acronym class="acronym">BIND</acronym> 9 includes a limited
+ mechanism to modify DNS responses for requests
+ analogous to email anti-spam DNS blacklists.
+ Responses can be changed to deny the existence of domains(NXDOMAIN),
+ deny the existence of IP addresses for domains (NODATA),
+ or contain other IP addresses or data.
+ </p>
+<p>
+ Response policy zones are named in the
+ <span><strong class="command">response-policy</strong></span> option for the view or among the
+ global options if there is no response-policy option for the view.
+ RPZs are ordinary DNS zones containing RRsets
+ that can be queried normally if allowed.
+ It is usually best to restrict those queries with something like
+ <span><strong class="command">allow-query { localhost; };</strong></span>.
+ </p>
+<p>
+ Four policy triggers are encoded in RPZ records, QNAME, IP, NSIP,
+ and NSDNAME.
+ QNAME RPZ records triggered by query names of requests and targets
+ of CNAME records resolved to generate the response.
+ The owner name of a QNAME RPZ record is the query name relativized
+ to the RPZ.
+ </p>
+<p>
+ The second kind of RPZ trigger is an IP address in an A and AAAA
+ record in the ANSWER section of a response.
+ IP address triggers are encoded in records that have owner names
+ that are subdomains of <strong class="userinput"><code>rpz-ip</code></strong> relativized
+ to the RPZ origin name and encode an IP address or address block.
+ IPv4 trigger addresses are represented as
+ <strong class="userinput"><code>prefixlength.B4.B3.B2.B1.rpz-ip</code></strong>.
+ The prefix length must be between 1 and 32.
+ All four bytes, B4, B3, B2, and B1, must be present.
+ B4 is the decimal value of the least significant byte of the
+ IPv4 address as in IN-ADDR.ARPA.
+ IPv6 addresses are encoded in a format similar to the standard
+ IPv6 text representation,
+ <strong class="userinput"><code>prefixlength.W8.W7.W6.W5.W4.W3.W2.W1.rpz-ip</code></strong>.
+ Each of W8,...,W1 is a one to four digit hexadecimal number
+ representing 16 bits of the IPv6 address as in the standard text
+ representation of IPv6 addresses, but reversed as in IN-ADDR.ARPA.
+ All 8 words must be present except when consecutive
+ zero words are replaced with <strong class="userinput"><code>.zz.</code></strong>
+ analogous to double colons (::) in standard IPv6 text encodings.
+ The prefix length must be between 1 and 128.
+ </p>
+<p>
+ NSDNAME triggers match names of authoritative servers
+ for the query name, a parent of the query name, a CNAME for
+ query name, or a parent of a CNAME.
+ They are encoded as subdomains of
+ <strong class="userinput"><code>rpz-nsdomain</code></strong> relativized
+ to the RPZ origin name.
+ </p>
+<p>
+ NSIP triggers match IP addresses in A and
+ AAAA RRsets for domains that can be checked against NSDNAME
+ policy records.
+ NSIP triggers are encoded like IP triggers except as subdomains of
+ <strong class="userinput"><code>rpz-nsip</code></strong>.
+ </p>
+<p>
+ The query response is checked against all RPZs, so
+ two or more policy records can be triggered by a response.
+ Because DNS responses can be rewritten according to at most one
+ policy record, a single record encoding an action (other than
+ <span><strong class="command">DISABLED</strong></span> actions) must be chosen.
+ Triggers or the records that encode them are chosen in
+ the following order:
+ </p>
+<div class="itemizedlist"><ul type="disc">
+<li>Choose the triggered record in the zone that appears
+ first in the response-policy option.
+ </li>
+<li>Prefer QNAME to IP to NSDNAME to NSIP triggers
+ in a single zone.
+ </li>
+<li>Among NSDNAME triggers, prefer the
+ trigger that matches the smallest name under the DNSSEC ordering.
+ </li>
+<li>Among IP or NSIP triggers, prefer the trigger
+ with the longest prefix.
+ </li>
+<li>Among triggers with the same prefex length,
+ prefer the IP or NSIP trigger that matches
+ the smallest IP address.
+ </li>
+</ul></div>
+<p>
+ </p>
+<p>
+ When the processing of a response is restarted to resolve
+ DNAME or CNAME records and a policy record set has
+ not been triggered,
+ all RPZs are again consulted for the DNAME or CNAME names
+ and addresses.
+ </p>
+<p>
+ Authority verification issues and variations in authority data
+ can cause inconsistent results for NSIP and NSDNAME policy records.
+ Glue NS records often differ from authoritative NS records.
+ So they are available
+ only when <acronym class="acronym">BIND</acronym> is built with the
+ <strong class="userinput"><code>--enable-rpz-nsip</code></strong> or
+ <strong class="userinput"><code>--enable-rpz-nsdname</code></strong> options
+ on the "configure" command line.
+ </p>
+<p>
+ RPZ record sets are sets of any types of DNS record except
+ DNAME or DNSSEC that encode actions or responses to queries.
+ </p>
+<div class="itemizedlist"><ul type="disc">
+<li>The <span><strong class="command">NXDOMAIN</strong></span> response is encoded
+ by a CNAME whose target is the root domain (.)
+ </li>
+<li>A CNAME whose target is the wildcard top-level
+ domain (*.) specifies the <span><strong class="command">NODATA</strong></span> action,
+ which rewrites the response to NODATA or ANCOUNT=1.
+ </li>
+<li>The <span><strong class="command">Local Data</strong></span> action is
+ represented by a set ordinary DNS records that are used
+ to answer queries. Queries for record types not the
+ set are answered with NODATA.
+
+ A special form of local data is a CNAME whose target is a
+ wildcard such as *.example.com.
+ It is used as if were an ordinary CNAME after the astrisk (*)
+ has been replaced with the query name.
+ The purpose for this special form is query logging in the
+ walled garden's authority DNS server.
+ </li>
+<li>The <span><strong class="command">PASSTHRU</strong></span> policy is specified
+ by a CNAME whose target is <span><strong class="command">rpz_passthru.</strong></span>
+ It causes the response to not be rewritten
+ and is most often used to "poke holes" in policies for
+ CIDR blocks.
+ (A CNAME whose target is the variable part of its owner name
+ is an obsolete specification of the PASSTHRU policy.)
+ </li>
+</ul></div>
+<p>
+ </p>
+<p>
+ The actions specified in an RPZ can be overridden with a
+ <span><strong class="command">policy</strong></span> clause in the
+ <span><strong class="command">response-policy</strong></span> option.
+ An organization using an RPZ provided by another organization might
+ use this mechanism to redirect domains to its own walled garden.
+ </p>
+<div class="itemizedlist"><ul type="disc">
+<li>
+<span><strong class="command">GIVEN</strong></span> says "do not override but
+ perform the action specified in the zone."
+ </li>
+<li>
+<span><strong class="command">DISABLED</strong></span> causes policy records to do
+ nothing but log what they might have done.
+ The response to the DNS query will be written according to
+ any triggered policy records that are not disabled.
+ Disabled policy zones should appear first,
+ because they will often not be logged
+ if a higher precedence trigger is found first.
+ </li>
+<li>
+<span><strong class="command">PASSTHRU</strong></span> causes all policy records
+ to act as if they were CNAME records with targets the variable
+ part of their owner name. They protect the response from
+ being changed.
+ </li>
+<li>
+<span><strong class="command">NXDOMAIN</strong></span> causes all RPZ records
+ to specify NXDOMAIN policies.
+ </li>
+<li>
+<span><strong class="command">NODATA</strong></span> overrides with the
+ NODATA policy
+ </li>
+<li>
+<span><strong class="command">CNAME domain</strong></span> causes all RPZ
+ policy records to act as if they were "cname domain" records.
+ </li>
+</ul></div>
+<p>
+ </p>
+<p>
+ By default, the actions encoded in an RPZ are applied
+ only to queries that ask for recursion (RD=1).
+ That default can be changed for a single RPZ or all RPZs in a view
+ with a <span><strong class="command">recursive-only no</strong></span> clause.
+ This feature is useful for serving the same zone files
+ both inside and outside an RFC 1918 cloud and using RPZ to
+ delete answers that would otherwise contain RFC 1918 values
+ on the externally visible name server or view.
+ </p>
+<p>
+ Also by default, RPZ actions are applied only to DNS requests that
+ either do not request DNSSEC metadata (DO=0) or when no DNSSEC
+ records are available for request name in the original zone (not
+ the response policy zone).
+ This default can be changed for all RPZs in a view with a
+ <span><strong class="command">break-dnssec yes</strong></span> clause.
+ In that case, RPZ actions are applied regardless of DNSSEC.
+ The name of the clause option reflects the fact that results
+ rewritten by RPZ actions cannot verify.
+ </p>
+<p>
+ The TTL of a record modified by RPZ policies is set from the
+ TTL of the relevant record in policy zone. It is then limited
+ to a maximum value.
+ The <span><strong class="command">max-policy-ttl</strong></span> clause changes that
+ maximum from its default of 5.
+ </p>
+<p>
+ For example, you might use this option statement
+ </p>
+<pre class="programlisting"> response-policy { zone "badlist"; };</pre>
+<p>
+ and this zone statement
+ </p>
+<pre class="programlisting"> zone "badlist" {type master; file "master/badlist"; allow-query {none;}; };</pre>
+<p>
+ with this zone file
+ </p>
+<pre class="programlisting">$TTL 1H
+@ SOA LOCALHOST. named-mgr.example.com (1 1h 15m 30d 2h)
+ NS LOCALHOST.
+
+; QNAME policy records. There are no periods (.) after the owner names.
+nxdomain.domain.com CNAME . ; NXDOMAIN policy
+nodata.domain.com CNAME *. ; NODATA policy
+bad.domain.com A 10.0.0.1 ; redirect to a walled garden
+ AAAA 2001:2::1
+
+; do not rewrite (PASSTHRU) OK.DOMAIN.COM
+ok.domain.com CNAME rpz-passthru.
+
+bzone.domain.com CNAME garden.example.com.
+
+; redirect x.bzone.domain.com to x.bzone.domain.com.garden.example.com
+*.bzone.domain.com CNAME *.garden.example.com.
+
+
+; IP policy records that rewrite all answers for 127/8 except 127.0.0.1
+8.0.0.0.127.rpz-ip CNAME .
+32.1.0.0.127.rpz-ip CNAME rpz-passthru.
+
+; NSDNAME and NSIP policy records
+ns.domain.com.rpz-nsdname CNAME .
+48.zz.2.2001.rpz-nsip CNAME .
+</pre>
+</div>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
@@ -4923,8 +5822,10 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
[<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
- [<span class="optional"> query-source [<span class="optional"> address ( <em class="replaceable"><code>ip_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]; </span>]
- [<span class="optional"> query-source-v6 [<span class="optional"> address ( <em class="replaceable"><code>ip_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]; </span>]
+ [<span class="optional"> query-source [<span class="optional"> address ( <em class="replaceable"><code>ip_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]
+ [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]; </span>]
+ [<span class="optional"> query-source-v6 [<span class="optional"> address ( <em class="replaceable"><code>ip_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]
+ [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]; </span>]
[<span class="optional"> use-queryport-pool <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> queryport-pool-ports <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> queryport-pool-updateinterval <em class="replaceable"><code>number</code></em>; </span>]
@@ -5104,14 +6005,15 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
<div class="titlepage"><div><div><h3 class="title">
<a name="statschannels"></a><span><strong class="command">statistics-channels</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting"><span><strong class="command">statistics-channels</strong></span> {
- [ inet ( ip_addr | * ) [ port ip_port ] [allow { <em class="replaceable"><code> address_match_list </code></em> } ]; ]
+ [ inet ( ip_addr | * ) [ port ip_port ]
+ [ allow { <em class="replaceable"><code> address_match_list </code></em> } ]; ]
[ inet ...; ]
};
</pre>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2587027"></a><span><strong class="command">statistics-channels</strong></span> Statement Definition and
+<a name="id2589534"></a><span><strong class="command">statistics-channels</strong></span> Statement Definition and
Usage</h3></div></div></div>
<p>
The <span><strong class="command">statistics-channels</strong></span> statement
@@ -5162,7 +6064,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2587181"></a><span><strong class="command">trusted-keys</strong></span> Statement Grammar</h3></div></div></div>
+<a name="trusted-keys"></a><span><strong class="command">trusted-keys</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting"><span><strong class="command">trusted-keys</strong></span> {
<em class="replaceable"><code>string</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ;
[<span class="optional"> <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; [<span class="optional">...</span>]</span>]
@@ -5171,7 +6073,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2587233"></a><span><strong class="command">trusted-keys</strong></span> Statement Definition
+<a name="id2589742"></a><span><strong class="command">trusted-keys</strong></span> Statement Definition
and Usage</h3></div></div></div>
<p>
The <span><strong class="command">trusted-keys</strong></span> statement defines
@@ -5201,6 +6103,135 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
in the key data, so the configuration may be split up into
multiple lines.
</p>
+<p>
+ <span><strong class="command">trusted-keys</strong></span> may be set at the top level
+ of <code class="filename">named.conf</code> or within a view. If it is
+ set in both places, they are additive: keys defined at the top
+ level are inherited by all views, but keys defined in a view
+ are only used within that view.
+ </p>
+</div>
+<div class="sect2" lang="en">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="id2589858"></a><span><strong class="command">managed-keys</strong></span> Statement Grammar</h3></div></div></div>
+<pre class="programlisting"><span><strong class="command">managed-keys</strong></span> {
+ <em class="replaceable"><code>string</code></em> initial-key <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ;
+ [<span class="optional"> <em class="replaceable"><code>string</code></em> initial-key <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; [<span class="optional">...</span>]</span>]
+};
+</pre>
+</div>
+<div class="sect2" lang="en">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="managed-keys"></a><span><strong class="command">managed-keys</strong></span> Statement Definition
+ and Usage</h3></div></div></div>
+<p>
+ The <span><strong class="command">managed-keys</strong></span> statement, like
+ <span><strong class="command">trusted-keys</strong></span>, defines DNSSEC
+ security roots. The difference is that
+ <span><strong class="command">managed-keys</strong></span> can be kept up to date
+ automatically, without intervention from the resolver
+ operator.
+ </p>
+<p>
+ Suppose, for example, that a zone's key-signing
+ key was compromised, and the zone owner had to revoke and
+ replace the key. A resolver which had the old key in a
+ <span><strong class="command">trusted-keys</strong></span> statement would be
+ unable to validate this zone any longer; it would
+ reply with a SERVFAIL response code. This would
+ continue until the resolver operator had updated the
+ <span><strong class="command">trusted-keys</strong></span> statement with the new key.
+ </p>
+<p>
+ If, however, the zone were listed in a
+ <span><strong class="command">managed-keys</strong></span> statement instead, then the
+ zone owner could add a "stand-by" key to the zone in advance.
+ <span><strong class="command">named</strong></span> would store the stand-by key, and
+ when the original key was revoked, <span><strong class="command">named</strong></span>
+ would be able to transition smoothly to the new key. It would
+ also recognize that the old key had been revoked, and cease
+ using that key to validate answers, minimizing the damage that
+ the compromised key could do.
+ </p>
+<p>
+ A <span><strong class="command">managed-keys</strong></span> statement contains a list of
+ the keys to be managed, along with information about how the
+ keys are to be initialized for the first time. The only
+ initialization method currently supported (as of
+ <acronym class="acronym">BIND</acronym> 9.7.0) is <code class="literal">initial-key</code>.
+ This means the <span><strong class="command">managed-keys</strong></span> statement must
+ contain a copy of the initializing key. (Future releases may
+ allow keys to be initialized by other methods, eliminating this
+ requirement.)
+ </p>
+<p>
+ Consequently, a <span><strong class="command">managed-keys</strong></span> statement
+ appears similar to a <span><strong class="command">trusted-keys</strong></span>, differing
+ in the presence of the second field, containing the keyword
+ <code class="literal">initial-key</code>. The difference is, whereas the
+ keys listed in a <span><strong class="command">trusted-keys</strong></span> continue to be
+ trusted until they are removed from
+ <code class="filename">named.conf</code>, an initializing key listed
+ in a <span><strong class="command">managed-keys</strong></span> statement is only trusted
+ <span class="emphasis"><em>once</em></span>: for as long as it takes to load the
+ managed key database and start the RFC 5011 key maintenance
+ process.
+ </p>
+<p>
+ The first time <span><strong class="command">named</strong></span> runs with a managed key
+ configured in <code class="filename">named.conf</code>, it fetches the
+ DNSKEY RRset directly from the zone apex, and validates it
+ using the key specified in the <span><strong class="command">managed-keys</strong></span>
+ statement. If the DNSKEY RRset is validly signed, then it is
+ used as the basis for a new managed keys database.
+ </p>
+<p>
+ From that point on, whenever <span><strong class="command">named</strong></span> runs, it
+ sees the <span><strong class="command">managed-keys</strong></span> statement, checks to
+ make sure RFC 5011 key maintenance has already been initialized
+ for the specified domain, and if so, it simply moves on. The
+ key specified in the <span><strong class="command">managed-keys</strong></span> is not
+ used to validate answers; it has been superseded by the key or
+ keys stored in the managed keys database.
+ </p>
+<p>
+ The next time <span><strong class="command">named</strong></span> runs after a name
+ has been <span class="emphasis"><em>removed</em></span> from the
+ <span><strong class="command">managed-keys</strong></span> statement, the corresponding
+ zone will be removed from the managed keys database,
+ and RFC 5011 key maintenance will no longer be used for that
+ domain.
+ </p>
+<p>
+ <span><strong class="command">named</strong></span> only maintains a single managed keys
+ database; consequently, unlike <span><strong class="command">trusted-keys</strong></span>,
+ <span><strong class="command">managed-keys</strong></span> may only be set at the top
+ level of <code class="filename">named.conf</code>, not within a view.
+ </p>
+<p>
+ In the current implementation, the managed keys database is
+ stored as a master-format zone file called
+ <code class="filename">managed-keys.bind</code>. When the key database
+ is changed, the zone is updated. As with any other dynamic
+ zone, changes will be written into a journal file,
+ <code class="filename">managed-keys.bind.jnl</code>. They are committed
+ to the master file as soon as possible afterward; in the case
+ of the managed key database, this will usually occur within 30
+ seconds. So, whenever <span><strong class="command">named</strong></span> is using
+ automatic key maintenance, those two files can be expected to
+ exist in the working directory. (For this reason among others,
+ the working directory should be always be writable by
+ <span><strong class="command">named</strong></span>.)
+ </p>
+<p>
+ If the <span><strong class="command">dnssec-lookaside</strong></span> option is
+ set to <strong class="userinput"><code>auto</code></strong>, <span><strong class="command">named</strong></span>
+ will automatically initialize a managed key for the
+ zone <code class="literal">dlv.isc.org</code>. The key that is
+ used to initialize the key maintenance process is built
+ into <span><strong class="command">named</strong></span>, and can be overridden
+ from <span><strong class="command">bindkeys-file</strong></span>.
+ </p>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
@@ -5217,7 +6248,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2587315"></a><span><strong class="command">view</strong></span> Statement Definition and Usage</h3></div></div></div>
+<a name="id2590352"></a><span><strong class="command">view</strong></span> Statement Definition and Usage</h3></div></div></div>
<p>
The <span><strong class="command">view</strong></span> statement is a powerful
feature
@@ -5306,11 +6337,12 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
// This should match our internal networks.
match-clients { 10.0.0.0/8; };
- // Provide recursive service to internal clients only.
+ // Provide recursive service to internal
+ // clients only.
recursion yes;
- // Provide a complete view of the example.com zone
- // including addresses of internal hosts.
+ // Provide a complete view of the example.com
+ // zone including addresses of internal hosts.
zone "example.com" {
type master;
file "example-internal.db";
@@ -5318,14 +6350,15 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
};
view "external" {
- // Match all clients not matched by the previous view.
+ // Match all clients not matched by the
+ // previous view.
match-clients { any; };
// Refuse recursive service to external clients.
recursion no;
- // Provide a restricted view of the example.com zone
- // containing only publicly accessible hosts.
+ // Provide a restricted view of the example.com
+ // zone containing only publicly accessible hosts.
zone "example.com" {
type master;
file "example-external.db";
@@ -5343,8 +6376,9 @@ view "external" {
[<span class="optional"> allow-query-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-transfer { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-update { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
- [<span class="optional"> update-policy { <em class="replaceable"><code>update_policy_rule</code></em> [<span class="optional">...</span>] }; </span>]
- [<span class="optional"> also-notify { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
+ [<span class="optional"> update-policy <em class="replaceable"><code>local</code></em> | { <em class="replaceable"><code>update_policy_rule</code></em> [<span class="optional">...</span>] }; </span>]
+ [<span class="optional"> also-notify { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ;
+ [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>]
[<span class="optional"> check-mx (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>]
[<span class="optional"> check-wildcard <em class="replaceable"><code>yes_or_no</code></em>; </span>]
@@ -5380,6 +6414,7 @@ view "external" {
[<span class="optional"> min-retry-time <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-retry-time <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> key-directory <em class="replaceable"><code>path_name</code></em>; </span>]
+ [<span class="optional"> auto-dnssec <code class="constant">allow</code>|<code class="constant">maintain</code>|<code class="constant">off</code>; </span>]
[<span class="optional"> zero-no-soa-ttl <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
};
@@ -5391,8 +6426,12 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
[<span class="optional"> allow-transfer { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-update-forwarding { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> update-check-ksk <em class="replaceable"><code>yes_or_no</code></em>; </span>]
+ [<span class="optional"> dnssec-update-mode ( <em class="replaceable"><code>maintain</code></em> | <em class="replaceable"><code>no-resign</code></em> ); </span>]
+ [<span class="optional"> dnssec-dnskey-kskonly <em class="replaceable"><code>yes_or_no</code></em>; </span>]
+ [<span class="optional"> dnssec-secure-to-insecure <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> try-tcp-refresh <em class="replaceable"><code>yes_or_no</code></em>; </span>]
- [<span class="optional"> also-notify { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
+ [<span class="optional"> also-notify { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ;
+ [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>]
[<span class="optional"> dialup <em class="replaceable"><code>dialup_option</code></em> ; </span>]
[<span class="optional"> file <em class="replaceable"><code>string</code></em> ; </span>]
@@ -5405,7 +6444,9 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
[<span class="optional"> ixfr-from-differences <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> ixfr-tmp-file <em class="replaceable"><code>string</code></em> ; </span>]
[<span class="optional"> maintain-ixfr-base <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
- [<span class="optional"> masters [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] }; </span>]
+ [<span class="optional"> masters [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em>
+ [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>]
+ [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] }; </span>]
[<span class="optional"> max-ixfr-log-size <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-transfer-idle-in <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-transfer-idle-out <em class="replaceable"><code>number</code></em> ; </span>]
@@ -5418,7 +6459,8 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
[<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> alt-transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
- [<span class="optional"> alt-transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
+ [<span class="optional"> alt-transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>)
+ [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> use-alt-transfer-source <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
@@ -5436,7 +6478,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
type hint;
file <em class="replaceable"><code>string</code></em> ;
[<span class="optional"> delegation-only <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
- [<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; // Not Implemented. </span>]
+ [<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>] // Not Implemented.
};
zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
@@ -5450,14 +6492,18 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
[<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>) ; </span>]
[<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>]
[<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
- [<span class="optional"> masters [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] }; </span>]
+ [<span class="optional"> masters [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em>
+ [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>]
+ [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] }; </span>]
[<span class="optional"> max-transfer-idle-in <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-transfer-time-in <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> pubkey <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; </span>]
[<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
- [<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
+ [<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>)
+ [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> alt-transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
- [<span class="optional"> alt-transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
+ [<span class="optional"> alt-transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>)
+ [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> use-alt-transfer-source <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> zone-statistics <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> database <em class="replaceable"><code>string</code></em> ; </span>]
@@ -5469,6 +6515,14 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
};
zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
+ type static-stub;
+ [<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
+ [<span class="optional"> server-addresses { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> ; ... </span>] }; </span>]
+ [<span class="optional"> server-names { [<span class="optional"> <em class="replaceable"><code>namelist</code></em> </span>] }; </span>]
+ [<span class="optional"> zone-statistics <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
+};
+
+zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
type forward;
[<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>]
[<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
@@ -5483,10 +6537,10 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2588788"></a><span><strong class="command">zone</strong></span> Statement Definition and Usage</h3></div></div></div>
+<a name="id2591902"></a><span><strong class="command">zone</strong></span> Statement Definition and Usage</h3></div></div></div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2588795"></a>Zone Types</h4></div></div></div>
+<a name="id2591910"></a>Zone Types</h4></div></div></div>
<div class="informaltable"><table border="1">
<colgroup>
<col>
@@ -5615,6 +6669,55 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
<tr>
<td>
<p>
+ <code class="varname">static-stub</code>
+ </p>
+ </td>
+<td>
+ <p>
+ A static-stub zone is similar to a stub zone
+ with the following exceptions:
+ the zone data is statically configured, rather
+ than transferred from a master server;
+ when recursion is necessary for a query that
+ matches a static-stub zone, the locally
+ configured data (nameserver names and glue addresses)
+ is always used even if different authoritative
+ information is cached.
+ </p>
+ <p>
+ Zone data is configured via the
+ <span><strong class="command">server-addresses</strong></span> and
+ <span><strong class="command">server-names</strong></span> zone options.
+ </p>
+ <p>
+ The zone data is maintained in the form of NS
+ and (if necessary) glue A or AAAA RRs
+ internally, which can be seen by dumping zone
+ databases by <span><strong class="command">rndc dumpdb -all</strong></span>.
+ The configured RRs are considered local configuration
+ parameters rather than public data.
+ Non recursive queries (i.e., those with the RD
+ bit off) to a static-stub zone are therefore
+ prohibited and will be responded with REFUSED.
+ </p>
+ <p>
+ Since the data is statically configured, no
+ zone maintenance action takes place for a static-stub
+ zone.
+ For example, there is no periodic refresh
+ attempt, and an incoming notify message
+ will be rejected with an rcode of NOTAUTH.
+ </p>
+ <p>
+ Each static-stub zone is configured with
+ internally generated NS and (if necessary)
+ glue A or AAAA RRs
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p>
<code class="varname">forward</code>
</p>
</td>
@@ -5697,7 +6800,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2589291"></a>Class</h4></div></div></div>
+<a name="id2592455"></a>Class</h4></div></div></div>
<p>
The zone's name may optionally be followed by a class. If
a class is not specified, class <code class="literal">IN</code> (for <code class="varname">Internet</code>),
@@ -5719,7 +6822,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2589324"></a>Zone Options</h4></div></div></div>
+<a name="id2592488"></a>Zone Options</h4></div></div></div>
<div class="variablelist"><dl>
<dt><span class="term"><span><strong class="command">allow-notify</strong></span></span></dt>
<dd><p>
@@ -5784,6 +6887,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
received from the
network. The default varies according to zone type. For <span><strong class="command">master</strong></span> zones the default is <span><strong class="command">fail</strong></span>. For <span><strong class="command">slave</strong></span>
zones the default is <span><strong class="command">warn</strong></span>.
+ It is not implemented for <span><strong class="command">hint</strong></span> zones.
</p></dd>
<dt><span class="term"><span><strong class="command">check-mx</strong></span></span></dt>
<dd><p>
@@ -5815,6 +6919,11 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
See the description of
<span><strong class="command">update-check-ksk</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
</p></dd>
+<dt><span class="term"><span><strong class="command">dnssec-dnskey-kskonly</strong></span></span></dt>
+<dd><p>
+ See the description of
+ <span><strong class="command">dnssec-dnskey-kskonly</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
+ </p></dd>
<dt><span class="term"><span><strong class="command">try-tcp-refresh</strong></span></span></dt>
<dd><p>
See the description of
@@ -5958,6 +7067,78 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
<span><strong class="command">statistics-file</strong></span> defined in
the server options.
</p></dd>
+<dt><span class="term"><span><strong class="command">server-addresses</strong></span></span></dt>
+<dd>
+<p>
+ Only meaningful for static-stub zones.
+ This is a list of IP addresses to which queries
+ should be sent in recursive resolution for the
+ zone.
+ A non empty list for this option will internally
+ configure the apex NS RR with associated glue A or
+ AAAA RRs.
+ </p>
+<p>
+ For example, if "example.com" is configured as a
+ static-stub zone with 192.0.2.1 and 2001:db8::1234
+ in a <span><strong class="command">server-addresses</strong></span> option,
+ the following RRs will be internally configured.
+ </p>
+<pre class="programlisting">example.com. NS example.com.
+example.com. A 192.0.2.1
+example.com. AAAA 2001:db8::1234</pre>
+<p>
+ These records are internally used to resolve
+ names under the static-stub zone.
+ For instance, if the server receives a query for
+ "www.example.com" with the RD bit on, the server
+ will initiate recursive resolution and send
+ queries to 192.0.2.1 and/or 2001:db8::1234.
+ </p>
+</dd>
+<dt><span class="term"><span><strong class="command">server-names</strong></span></span></dt>
+<dd>
+<p>
+ Only meaningful for static-stub zones.
+ This is a list of domain names of nameservers that
+ act as authoritative servers of the static-stub
+ zone.
+ These names will be resolved to IP addresses when
+ <span><strong class="command">named</strong></span> needs to send queries to
+ these servers.
+ To make this supplemental resolution successful,
+ these names must not be a subdomain of the origin
+ name of static-stub zone.
+ That is, when "example.net" is the origin of a
+ static-stub zone, "ns.example" and
+ "master.example.com" can be specified in the
+ <span><strong class="command">server-names</strong></span> option, but
+ "ns.example.net" cannot, and will be rejected by
+ the configuration parser.
+ </p>
+<p>
+ A non empty list for this option will internally
+ configure the apex NS RR with the specified names.
+ For example, if "example.com" is configured as a
+ static-stub zone with "ns1.example.net" and
+ "ns2.example.net"
+ in a <span><strong class="command">server-names</strong></span> option,
+ the following RRs will be internally configured.
+ </p>
+<pre class="programlisting">example.com. NS ns1.example.net.
+example.com. NS ns2.example.net.
+</pre>
+<p>
+ These records are internally used to resolve
+ names under the static-stub zone.
+ For instance, if the server receives a query for
+ "www.example.com" with the RD bit on, the server
+ initiate recursive resolution,
+ resolve "ns1.example.net" and/or
+ "ns2.example.net" to IP addresses, and then send
+ queries to (one or more of) these addresses.
+ </p>
+</dd>
<dt><span class="term"><span><strong class="command">sig-validity-interval</strong></span></span></dt>
<dd><p>
See the description of
@@ -6035,6 +7216,53 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
Usage">the section called &#8220;<span><strong class="command">options</strong></span> Statement Definition and
Usage&#8221;</a>.
</p></dd>
+<dt><span class="term"><span><strong class="command">auto-dnssec</strong></span></span></dt>
+<dd>
+<p>
+ Zones configured for dynamic DNS may also use this
+ option to allow varying levels of automatic DNSSEC key
+ management. There are three possible settings:
+ </p>
+<p>
+ <span><strong class="command">auto-dnssec allow;</strong></span> permits
+ keys to be updated and the zone fully re-signed
+ whenever the user issues the command <span><strong class="command">rndc sign
+ <em class="replaceable"><code>zonename</code></em></strong></span>.
+ </p>
+<p>
+ <span><strong class="command">auto-dnssec maintain;</strong></span> includes the
+ above, but also automatically adjusts the zone's DNSSEC
+ keys on schedule, according to the keys' timing metadata
+ (see <a href="man.dnssec-keygen.html" title="dnssec-keygen"><span class="refentrytitle"><span class="application">dnssec-keygen</span></span>(8)</a> and
+ <a href="man.dnssec-settime.html" title="dnssec-settime"><span class="refentrytitle"><span class="application">dnssec-settime</span></span>(8)</a>). The command
+ <span><strong class="command">rndc sign
+ <em class="replaceable"><code>zonename</code></em></strong></span> causes
+ <span><strong class="command">named</strong></span> to load keys from the key
+ repository and sign the zone with all keys that are
+ active.
+ <span><strong class="command">rndc loadkeys
+ <em class="replaceable"><code>zonename</code></em></strong></span> causes
+ <span><strong class="command">named</strong></span> to load keys from the key
+ repository and schedule key maintenance events to occur
+ in the future, but it does not sign the full zone
+ immediately. Note: once keys have been loaded for a
+ zone the first time, the repository will be searched
+ for changes periodically, regardless of whether
+ <span><strong class="command">rndc loadkeys</strong></span> is used. The recheck
+ interval is hard-coded to
+ one hour.
+ </p>
+<p>
+ <span><strong class="command">auto-dnssec create;</strong></span> includes the
+ above, but also allows <span><strong class="command">named</strong></span>
+ to create new keys in the key repository when needed.
+ (NOTE: This option is not yet implemented; the syntax is
+ being reserved for future use.)
+ </p>
+<p>
+ The default setting is <span><strong class="command">auto-dnssec off</strong></span>.
+ </p>
+</dd>
<dt><span class="term"><span><strong class="command">multi-master</strong></span></span></dt>
<dd><p>
See the description of <span><strong class="command">multi-master</strong></span> in
@@ -6045,6 +7273,11 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
See the description of <span><strong class="command">masterfile-format</strong></span>
in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called &#8220;Tuning&#8221;</a>.
</p></dd>
+<dt><span class="term"><span><strong class="command">dnssec-secure-to-insecure</strong></span></span></dt>
+<dd><p>
+ See the description of
+ <span><strong class="command">dnssec-secure-to-insecure</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
+ </p></dd>
</dl></div>
</div>
<div class="sect3" lang="en">
@@ -6063,15 +7296,14 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
record of any name in the zone.
</p>
<p>
- The <span><strong class="command">update-policy</strong></span> clause is new
- in <acronym class="acronym">BIND</acronym> 9 and allows more fine-grained
- control over what updates are allowed. A set of rules
- is specified, where each rule either grants or denies
- permissions for one or more names to be updated by
- one or more identities. If the dynamic update request
- message is signed (that is, it includes either a TSIG
- or SIG(0) record), the identity of the signer can be
- determined.
+ The <span><strong class="command">update-policy</strong></span> clause
+ allows more fine-grained control over what updates are
+ allowed. A set of rules is specified, where each rule
+ either grants or denies permissions for one or more
+ names to be updated by one or more identities. If
+ the dynamic update request message is signed (that is,
+ it includes either a TSIG or SIG(0) record), the
+ identity of the signer can be determined.
</p>
<p>
Rules are specified in the <span><strong class="command">update-policy</strong></span>
@@ -6084,20 +7316,47 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
address is not relevant.
</p>
<p>
- This is how a rule definition looks:
+ There is a pre-defined <span><strong class="command">update-policy</strong></span>
+ rule which can be switched on with the command
+ <span><strong class="command">update-policy local;</strong></span>.
+ Switching on this rule in a zone causes
+ <span><strong class="command">named</strong></span> to generate a TSIG session
+ key and place it in a file, and to allow that key
+ to update the zone. (By default, the file is
+ <code class="filename">/var/run/named/session.key</code>, the key
+ name is "local-ddns" and the key algorithm is HMAC-SHA256,
+ but these values are configurable with the
+ <span><strong class="command">session-keyfile</strong></span>,
+ <span><strong class="command">session-keyname</strong></span> and
+ <span><strong class="command">session-keyalg</strong></span> options, respectively).
+ </p>
+<p>
+ A client running on the local system, and with appropriate
+ permissions, may read that file and use the key to sign update
+ requests. The zone's update policy will be set to allow that
+ key to change any record within the zone. Assuming the
+ key name is "local-ddns", this policy is equivalent to:
+ </p>
+<pre class="programlisting">update-policy { grant local-ddns zonesub any; };
+ </pre>
+<p>
+ The command <span><strong class="command">nsupdate -l</strong></span> sends update
+ requests to localhost, and signs them using the session key.
+ </p>
+<p>
+ Other rule definitions look like this:
</p>
<pre class="programlisting">
-( <span><strong class="command">grant</strong></span> | <span><strong class="command">deny</strong></span> ) <em class="replaceable"><code>identity</code></em> <em class="replaceable"><code>nametype</code></em> <em class="replaceable"><code>name</code></em> [<span class="optional"> <em class="replaceable"><code>types</code></em> </span>]
+( <span><strong class="command">grant</strong></span> | <span><strong class="command">deny</strong></span> ) <em class="replaceable"><code>identity</code></em> <em class="replaceable"><code>nametype</code></em> [<span class="optional"> <em class="replaceable"><code>name</code></em> </span>] [<span class="optional"> <em class="replaceable"><code>types</code></em> </span>]
</pre>
<p>
Each rule grants or denies privileges. Once a message has
successfully matched a rule, the operation is immediately
- granted
- or denied and no further rules are examined. A rule is matched
- when the signer matches the identity field, the name matches the
- name field in accordance with the nametype field, and the type
- matches
- the types specified in the type field.
+ granted or denied and no further rules are examined. A rule
+ is matched when the signer matches the identity field, the
+ name matches the name field in accordance with the nametype
+ field, and the type matches the types specified in the type
+ field.
</p>
<p>
No signer is required for <em class="replaceable"><code>tcp-self</code></em>
@@ -6130,7 +7389,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
the Windows or Kerberos realm of the machine belongs to.
</p>
<p>
- The <em class="replaceable"><code>nametype</code></em> field has 12
+ The <em class="replaceable"><code>nametype</code></em> field has 13
values:
<code class="varname">name</code>, <code class="varname">subdomain</code>,
<code class="varname">wildcard</code>, <code class="varname">self</code>,
@@ -6138,7 +7397,8 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
<code class="varname">krb5-self</code>, <code class="varname">ms-self</code>,
<code class="varname">krb5-subdomain</code>,
<code class="varname">ms-subdomain</code>,
- <code class="varname">tcp-self</code> and <code class="varname">6to4-self</code>.
+ <code class="varname">tcp-self</code>, <code class="varname">6to4-self</code>,
+ <code class="varname">zonesub</code>, and <code class="varname">external</code>.
</p>
<div class="informaltable"><table border="1">
<colgroup>
@@ -6179,6 +7439,29 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
<tr>
<td>
<p>
+ <code class="varname">zonesub</code>
+ </p>
+ </td>
+<td>
+ <p>
+ This rule is similar to subdomain, except that
+ it matches when the name being updated is a
+ subdomain of the zone in which the
+ <span><strong class="command">update-policy</strong></span> statement
+ appears. This obviates the need to type the zone
+ name twice, and enables the use of a standard
+ <span><strong class="command">update-policy</strong></span> statement in
+ multiple zones without modification.
+ </p>
+ <p>
+ When this rule is used, the
+ <em class="replaceable"><code>name</code></em> field is omitted.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p>
<code class="varname">wildcard</code>
</p>
</td>
@@ -6340,7 +7623,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
<td>
<p>
Allow the 6to4 prefix to be update by any TCP
- conection from the 6to4 network or from the
+ connection from the 6to4 network or from the
corresponding IPv4 address. This is intended
to allow NS or DNAME RRsets to be added to the
reverse tree.
@@ -6352,12 +7635,55 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
</div>
</td>
</tr>
+<tr>
+<td>
+ <p>
+ <code class="varname">external</code>
+ </p>
+ </td>
+<td>
+ <p>
+ This rule allows <span><strong class="command">named</strong></span>
+ to defer the decision of whether to allow a
+ given update to an external daemon.
+ </p>
+ <p>
+ The method of communicating with the daemon is
+ specified in the <em class="replaceable"><code>identity</code></em>
+ field, the format of which is
+ "<code class="constant">local:</code><em class="replaceable"><code>path</code></em>",
+ where <em class="replaceable"><code>path</code></em> is the location
+ of a UNIX-domain socket. (Currently, "local" is the
+ only supported mechanism.)
+ </p>
+ <p>
+ Requests to the external daemon are sent over the
+ UNIX-domain socket as datagrams with the following
+ format:
+ </p>
+ <pre class="programlisting">
+ Protocol version number (4 bytes, network byte order, currently 1)
+ Request length (4 bytes, network byte order)
+ Signer (null-terminated string)
+ Name (null-terminated string)
+ TCP source address (null-terminated string)
+ Rdata type (null-terminated string)
+ Key (null-terminated string)
+ TKEY token length (4 bytes, network byte order)
+ TKEY token (remainder of packet)</pre>
+ <p>
+ The daemon replies with a four-byte value in
+ network byte order, containing either 0 or 1; 0
+ indicates that the specified update is not
+ permitted, and 1 indicates that it is.
+ </p>
+ </td>
+</tr>
</tbody>
</table></div>
<p>
In all cases, the <em class="replaceable"><code>name</code></em>
- field must
- specify a fully-qualified domain name.
+ field must specify a fully-qualified domain name.
</p>
<p>
If no types are explicitly specified, this rule matches
@@ -6373,7 +7699,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2591403"></a>Zone File</h2></div></div></div>
+<a name="id2595170"></a>Zone File</h2></div></div></div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="types_of_resource_records_and_when_to_use_them"></a>Types of Resource Records and When to Use Them</h3></div></div></div>
@@ -6386,7 +7712,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
</p>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2591421"></a>Resource Records</h4></div></div></div>
+<a name="id2595188"></a>Resource Records</h4></div></div></div>
<p>
A domain name identifies a node. Each node has a set of
resource information, which may be empty. The set of resource
@@ -7123,7 +8449,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2593181"></a>Textual expression of RRs</h4></div></div></div>
+<a name="id2596880"></a>Textual expression of RRs</h4></div></div></div>
<p>
RRs are represented in binary form in the packets of the DNS
protocol, and are usually represented in highly encoded form
@@ -7326,7 +8652,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2593702"></a>Discussion of MX Records</h3></div></div></div>
+<a name="id2597537"></a>Discussion of MX Records</h3></div></div></div>
<p>
As described above, domain servers store information as a
series of resource records, each of which contains a particular
@@ -7582,7 +8908,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2594249"></a>Inverse Mapping in IPv4</h3></div></div></div>
+<a name="id2598084"></a>Inverse Mapping in IPv4</h3></div></div></div>
<p>
Reverse name resolution (that is, translation from IP address
to name) is achieved by means of the <span class="emphasis"><em>in-addr.arpa</em></span> domain
@@ -7643,7 +8969,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2594444"></a>Other Zone File Directives</h3></div></div></div>
+<a name="id2598211"></a>Other Zone File Directives</h3></div></div></div>
<p>
The Master File Format was initially defined in RFC 1035 and
has subsequently been extended. While the Master File Format
@@ -7658,7 +8984,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
</p>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2594467"></a>The <span><strong class="command">@</strong></span> (at-sign)</h4></div></div></div>
+<a name="id2598233"></a>The <span><strong class="command">@</strong></span> (at-sign)</h4></div></div></div>
<p>
When used in the label (or name) field, the asperand or
at-sign (@) symbol represents the current origin.
@@ -7669,7 +8995,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2594551"></a>The <span><strong class="command">$ORIGIN</strong></span> Directive</h4></div></div></div>
+<a name="id2598249"></a>The <span><strong class="command">$ORIGIN</strong></span> Directive</h4></div></div></div>
<p>
Syntax: <span><strong class="command">$ORIGIN</strong></span>
<em class="replaceable"><code>domain-name</code></em>
@@ -7698,7 +9024,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2594680"></a>The <span><strong class="command">$INCLUDE</strong></span> Directive</h4></div></div></div>
+<a name="id2598446"></a>The <span><strong class="command">$INCLUDE</strong></span> Directive</h4></div></div></div>
<p>
Syntax: <span><strong class="command">$INCLUDE</strong></span>
<em class="replaceable"><code>filename</code></em>
@@ -7734,7 +9060,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2594749"></a>The <span><strong class="command">$TTL</strong></span> Directive</h4></div></div></div>
+<a name="id2598516"></a>The <span><strong class="command">$TTL</strong></span> Directive</h4></div></div></div>
<p>
Syntax: <span><strong class="command">$TTL</strong></span>
<em class="replaceable"><code>default-ttl</code></em>
@@ -7753,7 +9079,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2594786"></a><acronym class="acronym">BIND</acronym> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</h3></div></div></div>
+<a name="id2598552"></a><acronym class="acronym">BIND</acronym> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</h3></div></div></div>
<p>
Syntax: <span><strong class="command">$GENERATE</strong></span>
<em class="replaceable"><code>range</code></em>
@@ -7773,7 +9099,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
Classless IN-ADDR.ARPA delegation.
</p>
<pre class="programlisting">$ORIGIN 0.0.192.IN-ADDR.ARPA.
-$GENERATE 1-2 0 NS SERVER$.EXAMPLE.
+$GENERATE 1-2 @ NS SERVER$.EXAMPLE.
$GENERATE 1-127 $ CNAME $.0</pre>
<p>
is equivalent to
@@ -7785,6 +9111,28 @@ $GENERATE 1-127 $ CNAME $.0</pre>
...
127.0.0.192.IN-ADDR.ARPA. CNAME 127.0.0.0.192.IN-ADDR.ARPA.
</pre>
+<p>
+ Generate a set of A and MX records. Note the MX's right hand
+ side is a quoted string. The quotes will be stripped when the
+ right hand side is processed.
+ </p>
+<pre class="programlisting">
+$ORIGIN EXAMPLE.
+$GENERATE 1-127 HOST-$ A 1.2.3.$
+$GENERATE 1-127 HOST-$ MX "0 ."</pre>
+<p>
+ is equivalent to
+ </p>
+<pre class="programlisting">HOST-1.EXAMPLE. A 1.2.3.1
+HOST-1.EXAMPLE. MX 0 .
+HOST-2.EXAMPLE. A 1.2.3.2
+HOST-2.EXAMPLE. MX 0 .
+HOST-3.EXAMPLE. A 1.2.3.3
+HOST-3.EXAMPLE. MX 0 .
+...
+HOST-127.EXAMPLE. A 1.2.3.127
+HOST-127.EXAMPLE. MX 0 .
+</pre>
<div class="informaltable"><table border="1">
<colgroup>
<col>
@@ -7835,8 +9183,10 @@ $GENERATE 1-127 $ CNAME $.0</pre>
Available output forms are decimal
(<span><strong class="command">d</strong></span>), octal
- (<span><strong class="command">o</strong></span>) and hexadecimal
+ (<span><strong class="command">o</strong></span>), hexadecimal
(<span><strong class="command">x</strong></span> or <span><strong class="command">X</strong></span>
+ for uppercase) and nibble
+ (<span><strong class="command">n</strong></span> or <span><strong class="command">N</strong></span>\
for uppercase). The default modifier is
<span><strong class="command">${0,0,d}</strong></span>. If the
<span><strong class="command">lhs</strong></span> is not absolute, the
@@ -7844,8 +9194,16 @@ $GENERATE 1-127 $ CNAME $.0</pre>
to the name.
</p>
<p>
- For compatibility with earlier versions, <span><strong class="command">$$</strong></span> is still
- recognized as indicating a literal $ in the output.
+ In nibble mode the value will be treated as
+ if it was a reversed hexadecimal string
+ with each hexadecimal digit as a separate
+ label. The width field includes the label
+ separator.
+ </p>
+ <p>
+ For compatibility with earlier versions,
+ <span><strong class="command">$$</strong></span> is still recognized as
+ indicating a literal $ in the output.
</p>
</td>
</tr>
@@ -7887,8 +9245,7 @@ $GENERATE 1-127 $ CNAME $.0</pre>
</td>
<td>
<p>
- At present the only supported types are
- PTR, CNAME, DNAME, A, AAAA and NS.
+ Any valid type.
</p>
</td>
</tr>
@@ -7898,8 +9255,7 @@ $GENERATE 1-127 $ CNAME $.0</pre>
</td>
<td>
<p>
- <span><strong class="command">rhs</strong></span> is a domain name. It is processed
- similarly to lhs.
+ <span><strong class="command">rhs</strong></span>, optionally, quoted string.
</p>
</td>
</tr>
@@ -8049,9 +9405,12 @@ $GENERATE 1-127 $ CNAME $.0</pre>
</td>
<td>
<p>
- The number of RRsets per RR type (positive
- or negative) and nonexistent names stored in the
- cache database.
+ The number of RRsets per RR type and nonexistent
+ names stored in the cache database.
+ If the exclamation mark (!) is printed for a RR
+ type, it means that particular type of RRset is
+ known to be nonexistent (this is also known as
+ "NXRRSET").
Maintained per view.
</p>
</td>
@@ -8144,7 +9503,7 @@ $GENERATE 1-127 $ CNAME $.0</pre>
</p>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2595714"></a>Name Server Statistics Counters</h4></div></div></div>
+<a name="id2599437"></a>Name Server Statistics Counters</h4></div></div></div>
<div class="informaltable"><table border="1">
<colgroup>
<col>
@@ -8701,7 +10060,7 @@ $GENERATE 1-127 $ CNAME $.0</pre>
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2597187"></a>Zone Maintenance Statistics Counters</h4></div></div></div>
+<a name="id2601047"></a>Zone Maintenance Statistics Counters</h4></div></div></div>
<div class="informaltable"><table border="1">
<colgroup>
<col>
@@ -8855,7 +10214,7 @@ $GENERATE 1-127 $ CNAME $.0</pre>
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2597638"></a>Resolver Statistics Counters</h4></div></div></div>
+<a name="id2601498"></a>Resolver Statistics Counters</h4></div></div></div>
<div class="informaltable"><table border="1">
<colgroup>
<col>
@@ -9007,6 +10366,13 @@ $GENERATE 1-127 $ CNAME $.0</pre>
<td>
<p>
Mismatch responses received.
+ The DNS ID, response's source address,
+ and/or the response's source port does not
+ match what was expected.
+ (The port must be 53 or as defined by
+ the <span><strong class="command">port</strong></span> option.)
+ This may be an indication of a cache
+ poisoning attempt.
</p>
</td>
</tr>
@@ -9231,7 +10597,7 @@ $GENERATE 1-127 $ CNAME $.0</pre>
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2598725"></a>Socket I/O Statistics Counters</h4></div></div></div>
+<a name="id2602588"></a>Socket I/O Statistics Counters</h4></div></div></div>
<p>
Socket I/O statistics counters are defined per socket
types, which are
@@ -9386,7 +10752,7 @@ $GENERATE 1-127 $ CNAME $.0</pre>
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2599098"></a>Compatibility with <span class="emphasis"><em>BIND</em></span> 8 Counters</h4></div></div></div>
+<a name="id2602962"></a>Compatibility with <span class="emphasis"><em>BIND</em></span> 8 Counters</h4></div></div></div>
<p>
Most statistics counters that were available
in <span><strong class="command">BIND</strong></span> 8 are also supported in
diff --git a/contrib/bind9/doc/arm/Bv9ARM.ch07.html b/contrib/bind9/doc/arm/Bv9ARM.ch07.html
index 8f0b0cf0995d..3e0dc2257a73 100644
--- a/contrib/bind9/doc/arm/Bv9ARM.ch07.html
+++ b/contrib/bind9/doc/arm/Bv9ARM.ch07.html
@@ -46,10 +46,10 @@
<p><b>Table of Contents</b></p>
<dl>
<dt><span class="sect1"><a href="Bv9ARM.ch07.html#Access_Control_Lists">Access Control Lists</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch07.html#id2599409"><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span></a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch07.html#id2603136"><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span></a></span></dt>
<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2599490">The <span><strong class="command">chroot</strong></span> Environment</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2599549">Using the <span><strong class="command">setuid</strong></span> Function</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2603285">The <span><strong class="command">chroot</strong></span> Environment</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2603345">Using the <span><strong class="command">setuid</strong></span> Function</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch07.html#dynamic_update_security">Dynamic Update Security</a></span></dt>
</dl>
@@ -80,14 +80,16 @@
Here is an example of how to properly apply ACLs:
</p>
<pre class="programlisting">
-// Set up an ACL named "bogusnets" that will block RFC1918 space
-// and some reserved space, which is commonly used in spoofing attacks.
+// Set up an ACL named "bogusnets" that will block
+// RFC1918 space and some reserved space, which is
+// commonly used in spoofing attacks.
acl bogusnets {
0.0.0.0/8; 192.0.2.0/24; 224.0.0.0/3;
10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16;
};
-// Set up an ACL called our-nets. Replace this with the real IP numbers.
+// Set up an ACL called our-nets. Replace this with the
+// real IP numbers.
acl our-nets { x.x.x.x/24; x.x.x.x/21; };
options {
...
@@ -119,7 +121,7 @@ zone "example.com" {
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2599409"></a><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span>
+<a name="id2603136"></a><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span>
</h2></div></div></div>
<p>
On UNIX servers, it is possible to run <acronym class="acronym">BIND</acronym>
@@ -145,7 +147,7 @@ zone "example.com" {
</p>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2599490"></a>The <span><strong class="command">chroot</strong></span> Environment</h3></div></div></div>
+<a name="id2603285"></a>The <span><strong class="command">chroot</strong></span> Environment</h3></div></div></div>
<p>
In order for a <span><strong class="command">chroot</strong></span> environment
to
@@ -173,7 +175,7 @@ zone "example.com" {
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2599549"></a>Using the <span><strong class="command">setuid</strong></span> Function</h3></div></div></div>
+<a name="id2603345"></a>Using the <span><strong class="command">setuid</strong></span> Function</h3></div></div></div>
<p>
Prior to running the <span><strong class="command">named</strong></span> daemon,
use
diff --git a/contrib/bind9/doc/arm/Bv9ARM.ch08.html b/contrib/bind9/doc/arm/Bv9ARM.ch08.html
index 61331549ee89..7205d5bec045 100644
--- a/contrib/bind9/doc/arm/Bv9ARM.ch08.html
+++ b/contrib/bind9/doc/arm/Bv9ARM.ch08.html
@@ -45,18 +45,18 @@
<div class="toc">
<p><b>Table of Contents</b></p>
<dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2599629">Common Problems</a></span></dt>
-<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch08.html#id2599635">It's not working; how can I figure out what's wrong?</a></span></dt></dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2599646">Incrementing and Changing the Serial Number</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2599732">Where Can I Get Help?</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2603561">Common Problems</a></span></dt>
+<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch08.html#id2603566">It's not working; how can I figure out what's wrong?</a></span></dt></dl></dd>
+<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2603578">Incrementing and Changing the Serial Number</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2603595">Where Can I Get Help?</a></span></dt>
</dl>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2599629"></a>Common Problems</h2></div></div></div>
+<a name="id2603561"></a>Common Problems</h2></div></div></div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2599635"></a>It's not working; how can I figure out what's wrong?</h3></div></div></div>
+<a name="id2603566"></a>It's not working; how can I figure out what's wrong?</h3></div></div></div>
<p>
The best solution to solving installation and
configuration issues is to take preventative measures by setting
@@ -68,7 +68,7 @@
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2599646"></a>Incrementing and Changing the Serial Number</h2></div></div></div>
+<a name="id2603578"></a>Incrementing and Changing the Serial Number</h2></div></div></div>
<p>
Zone serial numbers are just numbers &#8212; they aren't
date related. A lot of people set them to a number that
@@ -95,7 +95,7 @@
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2599732"></a>Where Can I Get Help?</h2></div></div></div>
+<a name="id2603595"></a>Where Can I Get Help?</h2></div></div></div>
<p>
The Internet Systems Consortium
(<acronym class="acronym">ISC</acronym>) offers a wide range
diff --git a/contrib/bind9/doc/arm/Bv9ARM.ch09.html b/contrib/bind9/doc/arm/Bv9ARM.ch09.html
index 503527c37a81..3a4245f30170 100644
--- a/contrib/bind9/doc/arm/Bv9ARM.ch09.html
+++ b/contrib/bind9/doc/arm/Bv9ARM.ch09.html
@@ -45,21 +45,31 @@
<div class="toc">
<p><b>Table of Contents</b></p>
<dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2599794">Acknowledgments</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2603657">Acknowledgments</a></span></dt>
<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch09.html#historical_dns_information">A Brief History of the <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym></a></span></dt></dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2600034">General <acronym class="acronym">DNS</acronym> Reference Information</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2603761">General <acronym class="acronym">DNS</acronym> Reference Information</a></span></dt>
<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch09.html#ipv6addresses">IPv6 addresses (AAAA)</a></span></dt></dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch09.html#bibliography">Bibliography (and Suggested Reading)</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch09.html#rfcs">Request for Comments (RFCs)</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch09.html#internet_drafts">Internet Drafts</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2603382">Other Documents About <acronym class="acronym">BIND</acronym></a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2607177">Other Documents About <acronym class="acronym">BIND</acronym></a></span></dt>
+</dl></dd>
+<dt><span class="sect1"><a href="Bv9ARM.ch09.html#bind9.library">BIND 9 DNS Library Support</a></span></dt>
+<dd><dl>
+<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2608265">Prerequisite</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2608275">Compilation</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2608299">Installation</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2608330">Known Defects/Restrictions</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2608680">The dns.conf File</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2608707">Sample Applications</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2609611">Library References</a></span></dt>
</dl></dd>
</dl>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2599794"></a>Acknowledgments</h2></div></div></div>
+<a name="id2603657"></a>Acknowledgments</h2></div></div></div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="historical_dns_information"></a>A Brief History of the <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym>
@@ -162,7 +172,7 @@
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2600034"></a>General <acronym class="acronym">DNS</acronym> Reference Information</h2></div></div></div>
+<a name="id2603761"></a>General <acronym class="acronym">DNS</acronym> Reference Information</h2></div></div></div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="ipv6addresses"></a>IPv6 addresses (AAAA)</h3></div></div></div>
@@ -250,17 +260,17 @@
</p>
<div class="bibliography">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2600221"></a>Bibliography</h4></div></div></div>
+<a name="id2604017"></a>Bibliography</h4></div></div></div>
<div class="bibliodiv">
<h3 class="title">Standards</h3>
<div class="biblioentry">
-<a name="id2600232"></a><p>[<abbr class="abbrev">RFC974</abbr>] <span class="author"><span class="firstname">C.</span> <span class="surname">Partridge</span>. </span><span class="title"><i>Mail Routing and the Domain System</i>. </span><span class="pubdate">January 1986. </span></p>
+<a name="id2604027"></a><p>[<abbr class="abbrev">RFC974</abbr>] <span class="author"><span class="firstname">C.</span> <span class="surname">Partridge</span>. </span><span class="title"><i>Mail Routing and the Domain System</i>. </span><span class="pubdate">January 1986. </span></p>
</div>
<div class="biblioentry">
-<a name="id2600256"></a><p>[<abbr class="abbrev">RFC1034</abbr>] <span class="author"><span class="firstname">P.V.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i>Domain Names &#8212; Concepts and Facilities</i>. </span><span class="pubdate">November 1987. </span></p>
+<a name="id2604051"></a><p>[<abbr class="abbrev">RFC1034</abbr>] <span class="author"><span class="firstname">P.V.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i>Domain Names &#8212; Concepts and Facilities</i>. </span><span class="pubdate">November 1987. </span></p>
</div>
<div class="biblioentry">
-<a name="id2600279"></a><p>[<abbr class="abbrev">RFC1035</abbr>] <span class="author"><span class="firstname">P. V.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i>Domain Names &#8212; Implementation and
+<a name="id2604074"></a><p>[<abbr class="abbrev">RFC1035</abbr>] <span class="author"><span class="firstname">P. V.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i>Domain Names &#8212; Implementation and
Specification</i>. </span><span class="pubdate">November 1987. </span></p>
</div>
</div>
@@ -268,42 +278,42 @@
<h3 class="title">
<a name="proposed_standards"></a>Proposed Standards</h3>
<div class="biblioentry">
-<a name="id2600315"></a><p>[<abbr class="abbrev">RFC2181</abbr>] <span class="author"><span class="firstname">R., R. Bush</span> <span class="surname">Elz</span>. </span><span class="title"><i>Clarifications to the <acronym class="acronym">DNS</acronym>
+<a name="id2604110"></a><p>[<abbr class="abbrev">RFC2181</abbr>] <span class="author"><span class="firstname">R., R. Bush</span> <span class="surname">Elz</span>. </span><span class="title"><i>Clarifications to the <acronym class="acronym">DNS</acronym>
Specification</i>. </span><span class="pubdate">July 1997. </span></p>
</div>
<div class="biblioentry">
-<a name="id2600342"></a><p>[<abbr class="abbrev">RFC2308</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Andrews</span>. </span><span class="title"><i>Negative Caching of <acronym class="acronym">DNS</acronym>
+<a name="id2604137"></a><p>[<abbr class="abbrev">RFC2308</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Andrews</span>. </span><span class="title"><i>Negative Caching of <acronym class="acronym">DNS</acronym>
Queries</i>. </span><span class="pubdate">March 1998. </span></p>
</div>
<div class="biblioentry">
-<a name="id2600368"></a><p>[<abbr class="abbrev">RFC1995</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Ohta</span>. </span><span class="title"><i>Incremental Zone Transfer in <acronym class="acronym">DNS</acronym></i>. </span><span class="pubdate">August 1996. </span></p>
+<a name="id2604163"></a><p>[<abbr class="abbrev">RFC1995</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Ohta</span>. </span><span class="title"><i>Incremental Zone Transfer in <acronym class="acronym">DNS</acronym></i>. </span><span class="pubdate">August 1996. </span></p>
</div>
<div class="biblioentry">
-<a name="id2600392"></a><p>[<abbr class="abbrev">RFC1996</abbr>] <span class="author"><span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>A Mechanism for Prompt Notification of Zone Changes</i>. </span><span class="pubdate">August 1996. </span></p>
+<a name="id2604187"></a><p>[<abbr class="abbrev">RFC1996</abbr>] <span class="author"><span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>A Mechanism for Prompt Notification of Zone Changes</i>. </span><span class="pubdate">August 1996. </span></p>
</div>
<div class="biblioentry">
-<a name="id2600416"></a><p>[<abbr class="abbrev">RFC2136</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">S.</span> <span class="surname">Thomson</span>, <span class="firstname">Y.</span> <span class="surname">Rekhter</span>, and <span class="firstname">J.</span> <span class="surname">Bound</span>. </span><span class="title"><i>Dynamic Updates in the Domain Name System</i>. </span><span class="pubdate">April 1997. </span></p>
+<a name="id2604211"></a><p>[<abbr class="abbrev">RFC2136</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">S.</span> <span class="surname">Thomson</span>, <span class="firstname">Y.</span> <span class="surname">Rekhter</span>, and <span class="firstname">J.</span> <span class="surname">Bound</span>. </span><span class="title"><i>Dynamic Updates in the Domain Name System</i>. </span><span class="pubdate">April 1997. </span></p>
</div>
<div class="biblioentry">
-<a name="id2600471"></a><p>[<abbr class="abbrev">RFC2671</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>Extension Mechanisms for DNS (EDNS0)</i>. </span><span class="pubdate">August 1997. </span></p>
+<a name="id2604266"></a><p>[<abbr class="abbrev">RFC2671</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>Extension Mechanisms for DNS (EDNS0)</i>. </span><span class="pubdate">August 1997. </span></p>
</div>
<div class="biblioentry">
-<a name="id2600498"></a><p>[<abbr class="abbrev">RFC2672</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Crawford</span>. </span><span class="title"><i>Non-Terminal DNS Name Redirection</i>. </span><span class="pubdate">August 1999. </span></p>
+<a name="id2604293"></a><p>[<abbr class="abbrev">RFC2672</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Crawford</span>. </span><span class="title"><i>Non-Terminal DNS Name Redirection</i>. </span><span class="pubdate">August 1999. </span></p>
</div>
<div class="biblioentry">
-<a name="id2600524"></a><p>[<abbr class="abbrev">RFC2845</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">O.</span> <span class="surname">Gudmundsson</span>, <span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>, and <span class="firstname">B.</span> <span class="surname">Wellington</span>. </span><span class="title"><i>Secret Key Transaction Authentication for <acronym class="acronym">DNS</acronym> (TSIG)</i>. </span><span class="pubdate">May 2000. </span></p>
+<a name="id2604320"></a><p>[<abbr class="abbrev">RFC2845</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">O.</span> <span class="surname">Gudmundsson</span>, <span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>, and <span class="firstname">B.</span> <span class="surname">Wellington</span>. </span><span class="title"><i>Secret Key Transaction Authentication for <acronym class="acronym">DNS</acronym> (TSIG)</i>. </span><span class="pubdate">May 2000. </span></p>
</div>
<div class="biblioentry">
-<a name="id2600586"></a><p>[<abbr class="abbrev">RFC2930</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Secret Key Establishment for DNS (TKEY RR)</i>. </span><span class="pubdate">September 2000. </span></p>
+<a name="id2604381"></a><p>[<abbr class="abbrev">RFC2930</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Secret Key Establishment for DNS (TKEY RR)</i>. </span><span class="pubdate">September 2000. </span></p>
</div>
<div class="biblioentry">
-<a name="id2600616"></a><p>[<abbr class="abbrev">RFC2931</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>DNS Request and Transaction Signatures (SIG(0)s)</i>. </span><span class="pubdate">September 2000. </span></p>
+<a name="id2604411"></a><p>[<abbr class="abbrev">RFC2931</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>DNS Request and Transaction Signatures (SIG(0)s)</i>. </span><span class="pubdate">September 2000. </span></p>
</div>
<div class="biblioentry">
-<a name="id2600646"></a><p>[<abbr class="abbrev">RFC3007</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Wellington</span>. </span><span class="title"><i>Secure Domain Name System (DNS) Dynamic Update</i>. </span><span class="pubdate">November 2000. </span></p>
+<a name="id2604441"></a><p>[<abbr class="abbrev">RFC3007</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Wellington</span>. </span><span class="title"><i>Secure Domain Name System (DNS) Dynamic Update</i>. </span><span class="pubdate">November 2000. </span></p>
</div>
<div class="biblioentry">
-<a name="id2600673"></a><p>[<abbr class="abbrev">RFC3645</abbr>] <span class="authorgroup"><span class="firstname">S.</span> <span class="surname">Kwan</span>, <span class="firstname">P.</span> <span class="surname">Garg</span>, <span class="firstname">J.</span> <span class="surname">Gilroy</span>, <span class="firstname">L.</span> <span class="surname">Esibov</span>, <span class="firstname">J.</span> <span class="surname">Westhead</span>, and <span class="firstname">R.</span> <span class="surname">Hall</span>. </span><span class="title"><i>Generic Security Service Algorithm for Secret
+<a name="id2604468"></a><p>[<abbr class="abbrev">RFC3645</abbr>] <span class="authorgroup"><span class="firstname">S.</span> <span class="surname">Kwan</span>, <span class="firstname">P.</span> <span class="surname">Garg</span>, <span class="firstname">J.</span> <span class="surname">Gilroy</span>, <span class="firstname">L.</span> <span class="surname">Esibov</span>, <span class="firstname">J.</span> <span class="surname">Westhead</span>, and <span class="firstname">R.</span> <span class="surname">Hall</span>. </span><span class="title"><i>Generic Security Service Algorithm for Secret
Key Transaction Authentication for DNS
(GSS-TSIG)</i>. </span><span class="pubdate">October 2003. </span></p>
</div>
@@ -312,19 +322,19 @@
<h3 class="title">
<acronym class="acronym">DNS</acronym> Security Proposed Standards</h3>
<div class="biblioentry">
-<a name="id2600823"></a><p>[<abbr class="abbrev">RFC3225</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Conrad</span>. </span><span class="title"><i>Indicating Resolver Support of DNSSEC</i>. </span><span class="pubdate">December 2001. </span></p>
+<a name="id2604618"></a><p>[<abbr class="abbrev">RFC3225</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Conrad</span>. </span><span class="title"><i>Indicating Resolver Support of DNSSEC</i>. </span><span class="pubdate">December 2001. </span></p>
</div>
<div class="biblioentry">
-<a name="id2600850"></a><p>[<abbr class="abbrev">RFC3833</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Atkins</span> and <span class="firstname">R.</span> <span class="surname">Austein</span>. </span><span class="title"><i>Threat Analysis of the Domain Name System (DNS)</i>. </span><span class="pubdate">August 2004. </span></p>
+<a name="id2604645"></a><p>[<abbr class="abbrev">RFC3833</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Atkins</span> and <span class="firstname">R.</span> <span class="surname">Austein</span>. </span><span class="title"><i>Threat Analysis of the Domain Name System (DNS)</i>. </span><span class="pubdate">August 2004. </span></p>
</div>
<div class="biblioentry">
-<a name="id2600886"></a><p>[<abbr class="abbrev">RFC4033</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Arends</span>, <span class="firstname">R.</span> <span class="surname">Austein</span>, <span class="firstname">M.</span> <span class="surname">Larson</span>, <span class="firstname">D.</span> <span class="surname">Massey</span>, and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>DNS Security Introduction and Requirements</i>. </span><span class="pubdate">March 2005. </span></p>
+<a name="id2604681"></a><p>[<abbr class="abbrev">RFC4033</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Arends</span>, <span class="firstname">R.</span> <span class="surname">Austein</span>, <span class="firstname">M.</span> <span class="surname">Larson</span>, <span class="firstname">D.</span> <span class="surname">Massey</span>, and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>DNS Security Introduction and Requirements</i>. </span><span class="pubdate">March 2005. </span></p>
</div>
<div class="biblioentry">
-<a name="id2600951"></a><p>[<abbr class="abbrev">RFC4034</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Arends</span>, <span class="firstname">R.</span> <span class="surname">Austein</span>, <span class="firstname">M.</span> <span class="surname">Larson</span>, <span class="firstname">D.</span> <span class="surname">Massey</span>, and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>Resource Records for the DNS Security Extensions</i>. </span><span class="pubdate">March 2005. </span></p>
+<a name="id2604746"></a><p>[<abbr class="abbrev">RFC4034</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Arends</span>, <span class="firstname">R.</span> <span class="surname">Austein</span>, <span class="firstname">M.</span> <span class="surname">Larson</span>, <span class="firstname">D.</span> <span class="surname">Massey</span>, and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>Resource Records for the DNS Security Extensions</i>. </span><span class="pubdate">March 2005. </span></p>
</div>
<div class="biblioentry">
-<a name="id2601016"></a><p>[<abbr class="abbrev">RFC4035</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Arends</span>, <span class="firstname">R.</span> <span class="surname">Austein</span>, <span class="firstname">M.</span> <span class="surname">Larson</span>, <span class="firstname">D.</span> <span class="surname">Massey</span>, and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>Protocol Modifications for the DNS
+<a name="id2604811"></a><p>[<abbr class="abbrev">RFC4035</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Arends</span>, <span class="firstname">R.</span> <span class="surname">Austein</span>, <span class="firstname">M.</span> <span class="surname">Larson</span>, <span class="firstname">D.</span> <span class="surname">Massey</span>, and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>Protocol Modifications for the DNS
Security Extensions</i>. </span><span class="pubdate">March 2005. </span></p>
</div>
</div>
@@ -332,146 +342,146 @@
<h3 class="title">Other Important RFCs About <acronym class="acronym">DNS</acronym>
Implementation</h3>
<div class="biblioentry">
-<a name="id2601090"></a><p>[<abbr class="abbrev">RFC1535</abbr>] <span class="author"><span class="firstname">E.</span> <span class="surname">Gavron</span>. </span><span class="title"><i>A Security Problem and Proposed Correction With Widely
+<a name="id2604885"></a><p>[<abbr class="abbrev">RFC1535</abbr>] <span class="author"><span class="firstname">E.</span> <span class="surname">Gavron</span>. </span><span class="title"><i>A Security Problem and Proposed Correction With Widely
Deployed <acronym class="acronym">DNS</acronym> Software.</i>. </span><span class="pubdate">October 1993. </span></p>
</div>
<div class="biblioentry">
-<a name="id2601184"></a><p>[<abbr class="abbrev">RFC1536</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Kumar</span>, <span class="firstname">J.</span> <span class="surname">Postel</span>, <span class="firstname">C.</span> <span class="surname">Neuman</span>, <span class="firstname">P.</span> <span class="surname">Danzig</span>, and <span class="firstname">S.</span> <span class="surname">Miller</span>. </span><span class="title"><i>Common <acronym class="acronym">DNS</acronym> Implementation
+<a name="id2604910"></a><p>[<abbr class="abbrev">RFC1536</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Kumar</span>, <span class="firstname">J.</span> <span class="surname">Postel</span>, <span class="firstname">C.</span> <span class="surname">Neuman</span>, <span class="firstname">P.</span> <span class="surname">Danzig</span>, and <span class="firstname">S.</span> <span class="surname">Miller</span>. </span><span class="title"><i>Common <acronym class="acronym">DNS</acronym> Implementation
Errors and Suggested Fixes</i>. </span><span class="pubdate">October 1993. </span></p>
</div>
<div class="biblioentry">
-<a name="id2601252"></a><p>[<abbr class="abbrev">RFC1982</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Elz</span> and <span class="firstname">R.</span> <span class="surname">Bush</span>. </span><span class="title"><i>Serial Number Arithmetic</i>. </span><span class="pubdate">August 1996. </span></p>
+<a name="id2605047"></a><p>[<abbr class="abbrev">RFC1982</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Elz</span> and <span class="firstname">R.</span> <span class="surname">Bush</span>. </span><span class="title"><i>Serial Number Arithmetic</i>. </span><span class="pubdate">August 1996. </span></p>
</div>
<div class="biblioentry">
-<a name="id2601287"></a><p>[<abbr class="abbrev">RFC4074</abbr>] <span class="authorgroup"><span class="firstname">Y.</span> <span class="surname">Morishita</span> and <span class="firstname">T.</span> <span class="surname">Jinmei</span>. </span><span class="title"><i>Common Misbehaviour Against <acronym class="acronym">DNS</acronym>
+<a name="id2605082"></a><p>[<abbr class="abbrev">RFC4074</abbr>] <span class="authorgroup"><span class="firstname">Y.</span> <span class="surname">Morishita</span> and <span class="firstname">T.</span> <span class="surname">Jinmei</span>. </span><span class="title"><i>Common Misbehaviour Against <acronym class="acronym">DNS</acronym>
Queries for IPv6 Addresses</i>. </span><span class="pubdate">May 2005. </span></p>
</div>
</div>
<div class="bibliodiv">
<h3 class="title">Resource Record Types</h3>
<div class="biblioentry">
-<a name="id2601333"></a><p>[<abbr class="abbrev">RFC1183</abbr>] <span class="authorgroup"><span class="firstname">C.F.</span> <span class="surname">Everhart</span>, <span class="firstname">L. A.</span> <span class="surname">Mamakos</span>, <span class="firstname">R.</span> <span class="surname">Ullmann</span>, and <span class="firstname">P.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i>New <acronym class="acronym">DNS</acronym> RR Definitions</i>. </span><span class="pubdate">October 1990. </span></p>
+<a name="id2605128"></a><p>[<abbr class="abbrev">RFC1183</abbr>] <span class="authorgroup"><span class="firstname">C.F.</span> <span class="surname">Everhart</span>, <span class="firstname">L. A.</span> <span class="surname">Mamakos</span>, <span class="firstname">R.</span> <span class="surname">Ullmann</span>, and <span class="firstname">P.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i>New <acronym class="acronym">DNS</acronym> RR Definitions</i>. </span><span class="pubdate">October 1990. </span></p>
</div>
<div class="biblioentry">
-<a name="id2601459"></a><p>[<abbr class="abbrev">RFC1706</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Manning</span> and <span class="firstname">R.</span> <span class="surname">Colella</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> NSAP Resource Records</i>. </span><span class="pubdate">October 1994. </span></p>
+<a name="id2605186"></a><p>[<abbr class="abbrev">RFC1706</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Manning</span> and <span class="firstname">R.</span> <span class="surname">Colella</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> NSAP Resource Records</i>. </span><span class="pubdate">October 1994. </span></p>
</div>
<div class="biblioentry">
-<a name="id2601496"></a><p>[<abbr class="abbrev">RFC2168</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Daniel</span> and <span class="firstname">M.</span> <span class="surname">Mealling</span>. </span><span class="title"><i>Resolution of Uniform Resource Identifiers using
+<a name="id2605223"></a><p>[<abbr class="abbrev">RFC2168</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Daniel</span> and <span class="firstname">M.</span> <span class="surname">Mealling</span>. </span><span class="title"><i>Resolution of Uniform Resource Identifiers using
the Domain Name System</i>. </span><span class="pubdate">June 1997. </span></p>
</div>
<div class="biblioentry">
-<a name="id2601531"></a><p>[<abbr class="abbrev">RFC1876</abbr>] <span class="authorgroup"><span class="firstname">C.</span> <span class="surname">Davis</span>, <span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">T.</span>, and <span class="firstname">I.</span> <span class="surname">Dickinson</span>. </span><span class="title"><i>A Means for Expressing Location Information in the
+<a name="id2605258"></a><p>[<abbr class="abbrev">RFC1876</abbr>] <span class="authorgroup"><span class="firstname">C.</span> <span class="surname">Davis</span>, <span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">T.</span>, and <span class="firstname">I.</span> <span class="surname">Dickinson</span>. </span><span class="title"><i>A Means for Expressing Location Information in the
Domain
Name System</i>. </span><span class="pubdate">January 1996. </span></p>
</div>
<div class="biblioentry">
-<a name="id2601586"></a><p>[<abbr class="abbrev">RFC2052</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Gulbrandsen</span> and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>A <acronym class="acronym">DNS</acronym> RR for Specifying the
+<a name="id2605313"></a><p>[<abbr class="abbrev">RFC2052</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Gulbrandsen</span> and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>A <acronym class="acronym">DNS</acronym> RR for Specifying the
Location of
Services.</i>. </span><span class="pubdate">October 1996. </span></p>
</div>
<div class="biblioentry">
-<a name="id2601624"></a><p>[<abbr class="abbrev">RFC2163</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Allocchio</span>. </span><span class="title"><i>Using the Internet <acronym class="acronym">DNS</acronym> to
+<a name="id2605351"></a><p>[<abbr class="abbrev">RFC2163</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Allocchio</span>. </span><span class="title"><i>Using the Internet <acronym class="acronym">DNS</acronym> to
Distribute MIXER
Conformant Global Address Mapping</i>. </span><span class="pubdate">January 1998. </span></p>
</div>
<div class="biblioentry">
-<a name="id2601650"></a><p>[<abbr class="abbrev">RFC2230</abbr>] <span class="author"><span class="firstname">R.</span> <span class="surname">Atkinson</span>. </span><span class="title"><i>Key Exchange Delegation Record for the <acronym class="acronym">DNS</acronym></i>. </span><span class="pubdate">October 1997. </span></p>
+<a name="id2605377"></a><p>[<abbr class="abbrev">RFC2230</abbr>] <span class="author"><span class="firstname">R.</span> <span class="surname">Atkinson</span>. </span><span class="title"><i>Key Exchange Delegation Record for the <acronym class="acronym">DNS</acronym></i>. </span><span class="pubdate">October 1997. </span></p>
</div>
<div class="biblioentry">
-<a name="id2601675"></a><p>[<abbr class="abbrev">RFC2536</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>DSA KEYs and SIGs in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p>
+<a name="id2605402"></a><p>[<abbr class="abbrev">RFC2536</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>DSA KEYs and SIGs in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p>
</div>
<div class="biblioentry">
-<a name="id2601702"></a><p>[<abbr class="abbrev">RFC2537</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>RSA/MD5 KEYs and SIGs in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p>
+<a name="id2605429"></a><p>[<abbr class="abbrev">RFC2537</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>RSA/MD5 KEYs and SIGs in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p>
</div>
<div class="biblioentry">
-<a name="id2601729"></a><p>[<abbr class="abbrev">RFC2538</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span> and <span class="firstname">O.</span> <span class="surname">Gudmundsson</span>. </span><span class="title"><i>Storing Certificates in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p>
+<a name="id2605456"></a><p>[<abbr class="abbrev">RFC2538</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span> and <span class="firstname">O.</span> <span class="surname">Gudmundsson</span>. </span><span class="title"><i>Storing Certificates in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p>
</div>
<div class="biblioentry">
-<a name="id2601768"></a><p>[<abbr class="abbrev">RFC2539</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Storage of Diffie-Hellman Keys in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p>
+<a name="id2605495"></a><p>[<abbr class="abbrev">RFC2539</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Storage of Diffie-Hellman Keys in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p>
</div>
<div class="biblioentry">
-<a name="id2601866"></a><p>[<abbr class="abbrev">RFC2540</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Detached Domain Name System (DNS) Information</i>. </span><span class="pubdate">March 1999. </span></p>
+<a name="id2605525"></a><p>[<abbr class="abbrev">RFC2540</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Detached Domain Name System (DNS) Information</i>. </span><span class="pubdate">March 1999. </span></p>
</div>
<div class="biblioentry">
-<a name="id2601896"></a><p>[<abbr class="abbrev">RFC2782</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Gulbrandsen</span>. </span><span class="author"><span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="author"><span class="firstname">L.</span> <span class="surname">Esibov</span>. </span><span class="title"><i>A DNS RR for specifying the location of services (DNS SRV)</i>. </span><span class="pubdate">February 2000. </span></p>
+<a name="id2605555"></a><p>[<abbr class="abbrev">RFC2782</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Gulbrandsen</span>. </span><span class="author"><span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="author"><span class="firstname">L.</span> <span class="surname">Esibov</span>. </span><span class="title"><i>A DNS RR for specifying the location of services (DNS SRV)</i>. </span><span class="pubdate">February 2000. </span></p>
</div>
<div class="biblioentry">
-<a name="id2601939"></a><p>[<abbr class="abbrev">RFC2915</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Mealling</span>. </span><span class="author"><span class="firstname">R.</span> <span class="surname">Daniel</span>. </span><span class="title"><i>The Naming Authority Pointer (NAPTR) DNS Resource Record</i>. </span><span class="pubdate">September 2000. </span></p>
+<a name="id2605597"></a><p>[<abbr class="abbrev">RFC2915</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Mealling</span>. </span><span class="author"><span class="firstname">R.</span> <span class="surname">Daniel</span>. </span><span class="title"><i>The Naming Authority Pointer (NAPTR) DNS Resource Record</i>. </span><span class="pubdate">September 2000. </span></p>
</div>
<div class="biblioentry">
-<a name="id2601972"></a><p>[<abbr class="abbrev">RFC3110</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS)</i>. </span><span class="pubdate">May 2001. </span></p>
+<a name="id2605630"></a><p>[<abbr class="abbrev">RFC3110</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS)</i>. </span><span class="pubdate">May 2001. </span></p>
</div>
<div class="biblioentry">
-<a name="id2601998"></a><p>[<abbr class="abbrev">RFC3123</abbr>] <span class="author"><span class="firstname">P.</span> <span class="surname">Koch</span>. </span><span class="title"><i>A DNS RR Type for Lists of Address Prefixes (APL RR)</i>. </span><span class="pubdate">June 2001. </span></p>
+<a name="id2605657"></a><p>[<abbr class="abbrev">RFC3123</abbr>] <span class="author"><span class="firstname">P.</span> <span class="surname">Koch</span>. </span><span class="title"><i>A DNS RR Type for Lists of Address Prefixes (APL RR)</i>. </span><span class="pubdate">June 2001. </span></p>
</div>
<div class="biblioentry">
-<a name="id2602022"></a><p>[<abbr class="abbrev">RFC3596</abbr>] <span class="authorgroup"><span class="firstname">S.</span> <span class="surname">Thomson</span>, <span class="firstname">C.</span> <span class="surname">Huitema</span>, <span class="firstname">V.</span> <span class="surname">Ksinant</span>, and <span class="firstname">M.</span> <span class="surname">Souissi</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Extensions to support IP
+<a name="id2605681"></a><p>[<abbr class="abbrev">RFC3596</abbr>] <span class="authorgroup"><span class="firstname">S.</span> <span class="surname">Thomson</span>, <span class="firstname">C.</span> <span class="surname">Huitema</span>, <span class="firstname">V.</span> <span class="surname">Ksinant</span>, and <span class="firstname">M.</span> <span class="surname">Souissi</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Extensions to support IP
version 6</i>. </span><span class="pubdate">October 2003. </span></p>
</div>
<div class="biblioentry">
-<a name="id2602080"></a><p>[<abbr class="abbrev">RFC3597</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Gustafsson</span>. </span><span class="title"><i>Handling of Unknown DNS Resource Record (RR) Types</i>. </span><span class="pubdate">September 2003. </span></p>
+<a name="id2605738"></a><p>[<abbr class="abbrev">RFC3597</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Gustafsson</span>. </span><span class="title"><i>Handling of Unknown DNS Resource Record (RR) Types</i>. </span><span class="pubdate">September 2003. </span></p>
</div>
</div>
<div class="bibliodiv">
<h3 class="title">
<acronym class="acronym">DNS</acronym> and the Internet</h3>
<div class="biblioentry">
-<a name="id2602112"></a><p>[<abbr class="abbrev">RFC1101</abbr>] <span class="author"><span class="firstname">P. V.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Encoding of Network Names
+<a name="id2605770"></a><p>[<abbr class="abbrev">RFC1101</abbr>] <span class="author"><span class="firstname">P. V.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Encoding of Network Names
and Other Types</i>. </span><span class="pubdate">April 1989. </span></p>
</div>
<div class="biblioentry">
-<a name="id2602137"></a><p>[<abbr class="abbrev">RFC1123</abbr>] <span class="author"><span class="surname">Braden</span>. </span><span class="title"><i>Requirements for Internet Hosts - Application and
+<a name="id2605796"></a><p>[<abbr class="abbrev">RFC1123</abbr>] <span class="author"><span class="surname">Braden</span>. </span><span class="title"><i>Requirements for Internet Hosts - Application and
Support</i>. </span><span class="pubdate">October 1989. </span></p>
</div>
<div class="biblioentry">
-<a name="id2602160"></a><p>[<abbr class="abbrev">RFC1591</abbr>] <span class="author"><span class="firstname">J.</span> <span class="surname">Postel</span>. </span><span class="title"><i>Domain Name System Structure and Delegation</i>. </span><span class="pubdate">March 1994. </span></p>
+<a name="id2605818"></a><p>[<abbr class="abbrev">RFC1591</abbr>] <span class="author"><span class="firstname">J.</span> <span class="surname">Postel</span>. </span><span class="title"><i>Domain Name System Structure and Delegation</i>. </span><span class="pubdate">March 1994. </span></p>
</div>
<div class="biblioentry">
-<a name="id2602183"></a><p>[<abbr class="abbrev">RFC2317</abbr>] <span class="authorgroup"><span class="firstname">H.</span> <span class="surname">Eidnes</span>, <span class="firstname">G.</span> <span class="surname">de Groot</span>, and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>Classless IN-ADDR.ARPA Delegation</i>. </span><span class="pubdate">March 1998. </span></p>
+<a name="id2605842"></a><p>[<abbr class="abbrev">RFC2317</abbr>] <span class="authorgroup"><span class="firstname">H.</span> <span class="surname">Eidnes</span>, <span class="firstname">G.</span> <span class="surname">de Groot</span>, and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>Classless IN-ADDR.ARPA Delegation</i>. </span><span class="pubdate">March 1998. </span></p>
</div>
<div class="biblioentry">
-<a name="id2602229"></a><p>[<abbr class="abbrev">RFC2826</abbr>] <span class="authorgroup"><span class="surname">Internet Architecture Board</span>. </span><span class="title"><i>IAB Technical Comment on the Unique DNS Root</i>. </span><span class="pubdate">May 2000. </span></p>
+<a name="id2605888"></a><p>[<abbr class="abbrev">RFC2826</abbr>] <span class="authorgroup"><span class="surname">Internet Architecture Board</span>. </span><span class="title"><i>IAB Technical Comment on the Unique DNS Root</i>. </span><span class="pubdate">May 2000. </span></p>
</div>
<div class="biblioentry">
-<a name="id2602252"></a><p>[<abbr class="abbrev">RFC2929</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>, <span class="firstname">E.</span> <span class="surname">Brunner-Williams</span>, and <span class="firstname">B.</span> <span class="surname">Manning</span>. </span><span class="title"><i>Domain Name System (DNS) IANA Considerations</i>. </span><span class="pubdate">September 2000. </span></p>
+<a name="id2605911"></a><p>[<abbr class="abbrev">RFC2929</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>, <span class="firstname">E.</span> <span class="surname">Brunner-Williams</span>, and <span class="firstname">B.</span> <span class="surname">Manning</span>. </span><span class="title"><i>Domain Name System (DNS) IANA Considerations</i>. </span><span class="pubdate">September 2000. </span></p>
</div>
</div>
<div class="bibliodiv">
<h3 class="title">
<acronym class="acronym">DNS</acronym> Operations</h3>
<div class="biblioentry">
-<a name="id2602310"></a><p>[<abbr class="abbrev">RFC1033</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Lottor</span>. </span><span class="title"><i>Domain administrators operations guide.</i>. </span><span class="pubdate">November 1987. </span></p>
+<a name="id2605969"></a><p>[<abbr class="abbrev">RFC1033</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Lottor</span>. </span><span class="title"><i>Domain administrators operations guide.</i>. </span><span class="pubdate">November 1987. </span></p>
</div>
<div class="biblioentry">
-<a name="id2602333"></a><p>[<abbr class="abbrev">RFC1537</abbr>] <span class="author"><span class="firstname">P.</span> <span class="surname">Beertema</span>. </span><span class="title"><i>Common <acronym class="acronym">DNS</acronym> Data File
+<a name="id2605992"></a><p>[<abbr class="abbrev">RFC1537</abbr>] <span class="author"><span class="firstname">P.</span> <span class="surname">Beertema</span>. </span><span class="title"><i>Common <acronym class="acronym">DNS</acronym> Data File
Configuration Errors</i>. </span><span class="pubdate">October 1993. </span></p>
</div>
<div class="biblioentry">
-<a name="id2602360"></a><p>[<abbr class="abbrev">RFC1912</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Barr</span>. </span><span class="title"><i>Common <acronym class="acronym">DNS</acronym> Operational and
+<a name="id2606019"></a><p>[<abbr class="abbrev">RFC1912</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Barr</span>. </span><span class="title"><i>Common <acronym class="acronym">DNS</acronym> Operational and
Configuration Errors</i>. </span><span class="pubdate">February 1996. </span></p>
</div>
<div class="biblioentry">
-<a name="id2602387"></a><p>[<abbr class="abbrev">RFC2010</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Manning</span> and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>Operational Criteria for Root Name Servers.</i>. </span><span class="pubdate">October 1996. </span></p>
+<a name="id2606045"></a><p>[<abbr class="abbrev">RFC2010</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Manning</span> and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>Operational Criteria for Root Name Servers.</i>. </span><span class="pubdate">October 1996. </span></p>
</div>
<div class="biblioentry">
-<a name="id2602423"></a><p>[<abbr class="abbrev">RFC2219</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Hamilton</span> and <span class="firstname">R.</span> <span class="surname">Wright</span>. </span><span class="title"><i>Use of <acronym class="acronym">DNS</acronym> Aliases for
+<a name="id2606082"></a><p>[<abbr class="abbrev">RFC2219</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Hamilton</span> and <span class="firstname">R.</span> <span class="surname">Wright</span>. </span><span class="title"><i>Use of <acronym class="acronym">DNS</acronym> Aliases for
Network Services.</i>. </span><span class="pubdate">October 1997. </span></p>
</div>
</div>
<div class="bibliodiv">
<h3 class="title">Internationalized Domain Names</h3>
<div class="biblioentry">
-<a name="id2602469"></a><p>[<abbr class="abbrev">RFC2825</abbr>] <span class="authorgroup"><span class="surname">IAB</span> and <span class="firstname">R.</span> <span class="surname">Daigle</span>. </span><span class="title"><i>A Tangled Web: Issues of I18N, Domain Names,
+<a name="id2606128"></a><p>[<abbr class="abbrev">RFC2825</abbr>] <span class="authorgroup"><span class="surname">IAB</span> and <span class="firstname">R.</span> <span class="surname">Daigle</span>. </span><span class="title"><i>A Tangled Web: Issues of I18N, Domain Names,
and the Other Internet protocols</i>. </span><span class="pubdate">May 2000. </span></p>
</div>
<div class="biblioentry">
-<a name="id2602501"></a><p>[<abbr class="abbrev">RFC3490</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Faltstrom</span>, <span class="firstname">P.</span> <span class="surname">Hoffman</span>, and <span class="firstname">A.</span> <span class="surname">Costello</span>. </span><span class="title"><i>Internationalizing Domain Names in Applications (IDNA)</i>. </span><span class="pubdate">March 2003. </span></p>
+<a name="id2606160"></a><p>[<abbr class="abbrev">RFC3490</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Faltstrom</span>, <span class="firstname">P.</span> <span class="surname">Hoffman</span>, and <span class="firstname">A.</span> <span class="surname">Costello</span>. </span><span class="title"><i>Internationalizing Domain Names in Applications (IDNA)</i>. </span><span class="pubdate">March 2003. </span></p>
</div>
<div class="biblioentry">
-<a name="id2602547"></a><p>[<abbr class="abbrev">RFC3491</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Hoffman</span> and <span class="firstname">M.</span> <span class="surname">Blanchet</span>. </span><span class="title"><i>Nameprep: A Stringprep Profile for Internationalized Domain Names</i>. </span><span class="pubdate">March 2003. </span></p>
+<a name="id2606205"></a><p>[<abbr class="abbrev">RFC3491</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Hoffman</span> and <span class="firstname">M.</span> <span class="surname">Blanchet</span>. </span><span class="title"><i>Nameprep: A Stringprep Profile for Internationalized Domain Names</i>. </span><span class="pubdate">March 2003. </span></p>
</div>
<div class="biblioentry">
-<a name="id2602582"></a><p>[<abbr class="abbrev">RFC3492</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Costello</span>. </span><span class="title"><i>Punycode: A Bootstring encoding of Unicode
+<a name="id2606241"></a><p>[<abbr class="abbrev">RFC3492</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Costello</span>. </span><span class="title"><i>Punycode: A Bootstring encoding of Unicode
for Internationalized Domain Names in
Applications (IDNA)</i>. </span><span class="pubdate">March 2003. </span></p>
</div>
@@ -487,47 +497,47 @@
</p>
</div>
<div class="biblioentry">
-<a name="id2602627"></a><p>[<abbr class="abbrev">RFC1464</abbr>] <span class="author"><span class="firstname">R.</span> <span class="surname">Rosenbaum</span>. </span><span class="title"><i>Using the Domain Name System To Store Arbitrary String
+<a name="id2606354"></a><p>[<abbr class="abbrev">RFC1464</abbr>] <span class="author"><span class="firstname">R.</span> <span class="surname">Rosenbaum</span>. </span><span class="title"><i>Using the Domain Name System To Store Arbitrary String
Attributes</i>. </span><span class="pubdate">May 1993. </span></p>
</div>
<div class="biblioentry">
-<a name="id2602649"></a><p>[<abbr class="abbrev">RFC1713</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Romao</span>. </span><span class="title"><i>Tools for <acronym class="acronym">DNS</acronym> Debugging</i>. </span><span class="pubdate">November 1994. </span></p>
+<a name="id2606376"></a><p>[<abbr class="abbrev">RFC1713</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Romao</span>. </span><span class="title"><i>Tools for <acronym class="acronym">DNS</acronym> Debugging</i>. </span><span class="pubdate">November 1994. </span></p>
</div>
<div class="biblioentry">
-<a name="id2602675"></a><p>[<abbr class="abbrev">RFC1794</abbr>] <span class="author"><span class="firstname">T.</span> <span class="surname">Brisco</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Support for Load
+<a name="id2606402"></a><p>[<abbr class="abbrev">RFC1794</abbr>] <span class="author"><span class="firstname">T.</span> <span class="surname">Brisco</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Support for Load
Balancing</i>. </span><span class="pubdate">April 1995. </span></p>
</div>
<div class="biblioentry">
-<a name="id2602700"></a><p>[<abbr class="abbrev">RFC2240</abbr>] <span class="author"><span class="firstname">O.</span> <span class="surname">Vaughan</span>. </span><span class="title"><i>A Legal Basis for Domain Name Allocation</i>. </span><span class="pubdate">November 1997. </span></p>
+<a name="id2606427"></a><p>[<abbr class="abbrev">RFC2240</abbr>] <span class="author"><span class="firstname">O.</span> <span class="surname">Vaughan</span>. </span><span class="title"><i>A Legal Basis for Domain Name Allocation</i>. </span><span class="pubdate">November 1997. </span></p>
</div>
<div class="biblioentry">
-<a name="id2602724"></a><p>[<abbr class="abbrev">RFC2345</abbr>] <span class="authorgroup"><span class="firstname">J.</span> <span class="surname">Klensin</span>, <span class="firstname">T.</span> <span class="surname">Wolf</span>, and <span class="firstname">G.</span> <span class="surname">Oglesby</span>. </span><span class="title"><i>Domain Names and Company Name Retrieval</i>. </span><span class="pubdate">May 1998. </span></p>
+<a name="id2606451"></a><p>[<abbr class="abbrev">RFC2345</abbr>] <span class="authorgroup"><span class="firstname">J.</span> <span class="surname">Klensin</span>, <span class="firstname">T.</span> <span class="surname">Wolf</span>, and <span class="firstname">G.</span> <span class="surname">Oglesby</span>. </span><span class="title"><i>Domain Names and Company Name Retrieval</i>. </span><span class="pubdate">May 1998. </span></p>
</div>
<div class="biblioentry">
-<a name="id2602770"></a><p>[<abbr class="abbrev">RFC2352</abbr>] <span class="author"><span class="firstname">O.</span> <span class="surname">Vaughan</span>. </span><span class="title"><i>A Convention For Using Legal Names as Domain Names</i>. </span><span class="pubdate">May 1998. </span></p>
+<a name="id2606497"></a><p>[<abbr class="abbrev">RFC2352</abbr>] <span class="author"><span class="firstname">O.</span> <span class="surname">Vaughan</span>. </span><span class="title"><i>A Convention For Using Legal Names as Domain Names</i>. </span><span class="pubdate">May 1998. </span></p>
</div>
<div class="biblioentry">
-<a name="id2602793"></a><p>[<abbr class="abbrev">RFC3071</abbr>] <span class="authorgroup"><span class="firstname">J.</span> <span class="surname">Klensin</span>. </span><span class="title"><i>Reflections on the DNS, RFC 1591, and Categories of Domains</i>. </span><span class="pubdate">February 2001. </span></p>
+<a name="id2606520"></a><p>[<abbr class="abbrev">RFC3071</abbr>] <span class="authorgroup"><span class="firstname">J.</span> <span class="surname">Klensin</span>. </span><span class="title"><i>Reflections on the DNS, RFC 1591, and Categories of Domains</i>. </span><span class="pubdate">February 2001. </span></p>
</div>
<div class="biblioentry">
-<a name="id2602820"></a><p>[<abbr class="abbrev">RFC3258</abbr>] <span class="authorgroup"><span class="firstname">T.</span> <span class="surname">Hardie</span>. </span><span class="title"><i>Distributing Authoritative Name Servers via
+<a name="id2606547"></a><p>[<abbr class="abbrev">RFC3258</abbr>] <span class="authorgroup"><span class="firstname">T.</span> <span class="surname">Hardie</span>. </span><span class="title"><i>Distributing Authoritative Name Servers via
Shared Unicast Addresses</i>. </span><span class="pubdate">April 2002. </span></p>
</div>
<div class="biblioentry">
-<a name="id2602845"></a><p>[<abbr class="abbrev">RFC3901</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Durand</span> and <span class="firstname">J.</span> <span class="surname">Ihren</span>. </span><span class="title"><i>DNS IPv6 Transport Operational Guidelines</i>. </span><span class="pubdate">September 2004. </span></p>
+<a name="id2606572"></a><p>[<abbr class="abbrev">RFC3901</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Durand</span> and <span class="firstname">J.</span> <span class="surname">Ihren</span>. </span><span class="title"><i>DNS IPv6 Transport Operational Guidelines</i>. </span><span class="pubdate">September 2004. </span></p>
</div>
</div>
<div class="bibliodiv">
<h3 class="title">Obsolete and Unimplemented Experimental RFC</h3>
<div class="biblioentry">
-<a name="id2602889"></a><p>[<abbr class="abbrev">RFC1712</abbr>] <span class="authorgroup"><span class="firstname">C.</span> <span class="surname">Farrell</span>, <span class="firstname">M.</span> <span class="surname">Schulze</span>, <span class="firstname">S.</span> <span class="surname">Pleitner</span>, and <span class="firstname">D.</span> <span class="surname">Baldoni</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Encoding of Geographical
+<a name="id2606616"></a><p>[<abbr class="abbrev">RFC1712</abbr>] <span class="authorgroup"><span class="firstname">C.</span> <span class="surname">Farrell</span>, <span class="firstname">M.</span> <span class="surname">Schulze</span>, <span class="firstname">S.</span> <span class="surname">Pleitner</span>, and <span class="firstname">D.</span> <span class="surname">Baldoni</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Encoding of Geographical
Location</i>. </span><span class="pubdate">November 1994. </span></p>
</div>
<div class="biblioentry">
-<a name="id2602947"></a><p>[<abbr class="abbrev">RFC2673</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Crawford</span>. </span><span class="title"><i>Binary Labels in the Domain Name System</i>. </span><span class="pubdate">August 1999. </span></p>
+<a name="id2606674"></a><p>[<abbr class="abbrev">RFC2673</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Crawford</span>. </span><span class="title"><i>Binary Labels in the Domain Name System</i>. </span><span class="pubdate">August 1999. </span></p>
</div>
<div class="biblioentry">
-<a name="id2602973"></a><p>[<abbr class="abbrev">RFC2874</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Crawford</span> and <span class="firstname">C.</span> <span class="surname">Huitema</span>. </span><span class="title"><i>DNS Extensions to Support IPv6 Address Aggregation
+<a name="id2606700"></a><p>[<abbr class="abbrev">RFC2874</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Crawford</span> and <span class="firstname">C.</span> <span class="surname">Huitema</span>. </span><span class="title"><i>DNS Extensions to Support IPv6 Address Aggregation
and Renumbering</i>. </span><span class="pubdate">July 2000. </span></p>
</div>
</div>
@@ -541,39 +551,39 @@
</p>
</div>
<div class="biblioentry">
-<a name="id2603021"></a><p>[<abbr class="abbrev">RFC2065</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span> and <span class="firstname">C.</span> <span class="surname">Kaufman</span>. </span><span class="title"><i>Domain Name System Security Extensions</i>. </span><span class="pubdate">January 1997. </span></p>
+<a name="id2606748"></a><p>[<abbr class="abbrev">RFC2065</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span> and <span class="firstname">C.</span> <span class="surname">Kaufman</span>. </span><span class="title"><i>Domain Name System Security Extensions</i>. </span><span class="pubdate">January 1997. </span></p>
</div>
<div class="biblioentry">
-<a name="id2603061"></a><p>[<abbr class="abbrev">RFC2137</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Secure Domain Name System Dynamic Update</i>. </span><span class="pubdate">April 1997. </span></p>
+<a name="id2606788"></a><p>[<abbr class="abbrev">RFC2137</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Secure Domain Name System Dynamic Update</i>. </span><span class="pubdate">April 1997. </span></p>
</div>
<div class="biblioentry">
-<a name="id2603088"></a><p>[<abbr class="abbrev">RFC2535</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Domain Name System Security Extensions</i>. </span><span class="pubdate">March 1999. </span></p>
+<a name="id2606814"></a><p>[<abbr class="abbrev">RFC2535</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Domain Name System Security Extensions</i>. </span><span class="pubdate">March 1999. </span></p>
</div>
<div class="biblioentry">
-<a name="id2603117"></a><p>[<abbr class="abbrev">RFC3008</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Wellington</span>. </span><span class="title"><i>Domain Name System Security (DNSSEC)
+<a name="id2606844"></a><p>[<abbr class="abbrev">RFC3008</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Wellington</span>. </span><span class="title"><i>Domain Name System Security (DNSSEC)
Signing Authority</i>. </span><span class="pubdate">November 2000. </span></p>
</div>
<div class="biblioentry">
-<a name="id2603143"></a><p>[<abbr class="abbrev">RFC3090</abbr>] <span class="authorgroup"><span class="firstname">E.</span> <span class="surname">Lewis</span>. </span><span class="title"><i>DNS Security Extension Clarification on Zone Status</i>. </span><span class="pubdate">March 2001. </span></p>
+<a name="id2606870"></a><p>[<abbr class="abbrev">RFC3090</abbr>] <span class="authorgroup"><span class="firstname">E.</span> <span class="surname">Lewis</span>. </span><span class="title"><i>DNS Security Extension Clarification on Zone Status</i>. </span><span class="pubdate">March 2001. </span></p>
</div>
<div class="biblioentry">
-<a name="id2603170"></a><p>[<abbr class="abbrev">RFC3445</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Massey</span> and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>Limiting the Scope of the KEY Resource Record (RR)</i>. </span><span class="pubdate">December 2002. </span></p>
+<a name="id2606897"></a><p>[<abbr class="abbrev">RFC3445</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Massey</span> and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>Limiting the Scope of the KEY Resource Record (RR)</i>. </span><span class="pubdate">December 2002. </span></p>
</div>
<div class="biblioentry">
-<a name="id2603206"></a><p>[<abbr class="abbrev">RFC3655</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Wellington</span> and <span class="firstname">O.</span> <span class="surname">Gudmundsson</span>. </span><span class="title"><i>Redefinition of DNS Authenticated Data (AD) bit</i>. </span><span class="pubdate">November 2003. </span></p>
+<a name="id2606933"></a><p>[<abbr class="abbrev">RFC3655</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Wellington</span> and <span class="firstname">O.</span> <span class="surname">Gudmundsson</span>. </span><span class="title"><i>Redefinition of DNS Authenticated Data (AD) bit</i>. </span><span class="pubdate">November 2003. </span></p>
</div>
<div class="biblioentry">
-<a name="id2603242"></a><p>[<abbr class="abbrev">RFC3658</abbr>] <span class="authorgroup"><span class="firstname">O.</span> <span class="surname">Gudmundsson</span>. </span><span class="title"><i>Delegation Signer (DS) Resource Record (RR)</i>. </span><span class="pubdate">December 2003. </span></p>
+<a name="id2607037"></a><p>[<abbr class="abbrev">RFC3658</abbr>] <span class="authorgroup"><span class="firstname">O.</span> <span class="surname">Gudmundsson</span>. </span><span class="title"><i>Delegation Signer (DS) Resource Record (RR)</i>. </span><span class="pubdate">December 2003. </span></p>
</div>
<div class="biblioentry">
-<a name="id2603269"></a><p>[<abbr class="abbrev">RFC3755</abbr>] <span class="authorgroup"><span class="firstname">S.</span> <span class="surname">Weiler</span>. </span><span class="title"><i>Legacy Resolver Compatibility for Delegation Signer (DS)</i>. </span><span class="pubdate">May 2004. </span></p>
+<a name="id2607064"></a><p>[<abbr class="abbrev">RFC3755</abbr>] <span class="authorgroup"><span class="firstname">S.</span> <span class="surname">Weiler</span>. </span><span class="title"><i>Legacy Resolver Compatibility for Delegation Signer (DS)</i>. </span><span class="pubdate">May 2004. </span></p>
</div>
<div class="biblioentry">
-<a name="id2603296"></a><p>[<abbr class="abbrev">RFC3757</abbr>] <span class="authorgroup"><span class="firstname">O.</span> <span class="surname">Kolkman</span>, <span class="firstname">J.</span> <span class="surname">Schlyter</span>, and <span class="firstname">E.</span> <span class="surname">Lewis</span>. </span><span class="title"><i>Domain Name System KEY (DNSKEY) Resource Record
+<a name="id2607091"></a><p>[<abbr class="abbrev">RFC3757</abbr>] <span class="authorgroup"><span class="firstname">O.</span> <span class="surname">Kolkman</span>, <span class="firstname">J.</span> <span class="surname">Schlyter</span>, and <span class="firstname">E.</span> <span class="surname">Lewis</span>. </span><span class="title"><i>Domain Name System KEY (DNSKEY) Resource Record
(RR) Secure Entry Point (SEP) Flag</i>. </span><span class="pubdate">April 2004. </span></p>
</div>
<div class="biblioentry">
-<a name="id2603340"></a><p>[<abbr class="abbrev">RFC3845</abbr>] <span class="authorgroup"><span class="firstname">J.</span> <span class="surname">Schlyter</span>. </span><span class="title"><i>DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format</i>. </span><span class="pubdate">August 2004. </span></p>
+<a name="id2607136"></a><p>[<abbr class="abbrev">RFC3845</abbr>] <span class="authorgroup"><span class="firstname">J.</span> <span class="surname">Schlyter</span>. </span><span class="title"><i>DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format</i>. </span><span class="pubdate">August 2004. </span></p>
</div>
</div>
</div>
@@ -594,16 +604,481 @@
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2603382"></a>Other Documents About <acronym class="acronym">BIND</acronym>
+<a name="id2607177"></a>Other Documents About <acronym class="acronym">BIND</acronym>
</h3></div></div></div>
<p></p>
<div class="bibliography">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2603392"></a>Bibliography</h4></div></div></div>
+<a name="id2607187"></a>Bibliography</h4></div></div></div>
<div class="biblioentry">
-<a name="id2603394"></a><p><span class="authorgroup"><span class="firstname">Paul</span> <span class="surname">Albitz</span> and <span class="firstname">Cricket</span> <span class="surname">Liu</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym></i>. </span><span class="copyright">Copyright © 1998 Sebastopol, CA: O'Reilly and Associates. </span></p>
+<a name="id2607189"></a><p><span class="authorgroup"><span class="firstname">Paul</span> <span class="surname">Albitz</span> and <span class="firstname">Cricket</span> <span class="surname">Liu</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym></i>. </span><span class="copyright">Copyright © 1998 Sebastopol, CA: O'Reilly and Associates. </span></p>
+</div>
+</div>
+</div>
+</div>
+<div class="sect1" lang="en">
+<div class="titlepage"><div><div><h2 class="title" style="clear: both">
+<a name="bind9.library"></a>BIND 9 DNS Library Support</h2></div></div></div>
+<p>This version of BIND 9 "exports" its internal libraries so
+ that they can be used by third-party applications more easily (we
+ call them "export" libraries in this document). In addition to
+ all major DNS-related APIs BIND 9 is currently using, the export
+ libraries provide the following features:</p>
+<div class="itemizedlist"><ul type="disc">
+<li><p>The newly created "DNS client" module. This is a higher
+ level API that provides an interface to name resolution,
+ single DNS transaction with a particular server, and dynamic
+ update. Regarding name resolution, it supports advanced
+ features such as DNSSEC validation and caching. This module
+ supports both synchronous and asynchronous mode.</p></li>
+<li><p>The new "IRS" (Information Retrieval System) library.
+ It provides an interface to parse the traditional resolv.conf
+ file and more advanced, DNS-specific configuration file for
+ the rest of this package (see the description for the
+ dns.conf file below).</p></li>
+<li><p>As part of the IRS library, newly implemented standard
+ address-name mapping functions, getaddrinfo() and
+ getnameinfo(), are provided. They use the DNSSEC-aware
+ validating resolver backend, and could use other advanced
+ features of the BIND 9 libraries such as caching. The
+ getaddrinfo() function resolves both A and AAAA RRs
+ concurrently (when the address family is unspecified).</p></li>
+<li><p>An experimental framework to support other event
+ libraries than BIND 9's internal event task system.</p></li>
+</ul></div>
+<div class="sect2" lang="en">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="id2608265"></a>Prerequisite</h3></div></div></div>
+<p>GNU make is required to build the export libraries (other
+ part of BIND 9 can still be built with other types of make). In
+ the reminder of this document, "make" means GNU make. Note that
+ in some platforms you may need to invoke a different command name
+ than "make" (e.g. "gmake") to indicate it's GNU make.</p>
+</div>
+<div class="sect2" lang="en">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="id2608275"></a>Compilation</h3></div></div></div>
+<pre class="screen">
+$ <strong class="userinput"><code>./configure --enable-exportlib <em class="replaceable"><code>[other flags]</code></em></code></strong>
+$ <strong class="userinput"><code>make</code></strong>
+</pre>
+<p>
+ This will create (in addition to usual BIND 9 programs) and a
+ separate set of libraries under the lib/export directory. For
+ example, <code class="filename">lib/export/dns/libdns.a</code> is the archive file of the
+ export version of the BIND 9 DNS library. Sample application
+ programs using the libraries will also be built under the
+ lib/export/samples directory (see below).</p>
+</div>
+<div class="sect2" lang="en">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="id2608299"></a>Installation</h3></div></div></div>
+<pre class="screen">
+$ <strong class="userinput"><code>cd lib/export</code></strong>
+$ <strong class="userinput"><code>make install</code></strong>
+</pre>
+<p>
+ This will install library object files under the directory
+ specified by the --with-export-libdir configure option (default:
+ EPREFIX/lib/bind9), and header files under the directory
+ specified by the --with-export-includedir configure option
+ (default: PREFIX/include/bind9).
+ Root privilege is normally required.
+ "<span><strong class="command">make install</strong></span>" at the top directory will do the
+ same.
+ </p>
+<p>
+ To see how to build your own
+ application after the installation, see
+ <code class="filename">lib/export/samples/Makefile-postinstall.in</code>.</p>
+</div>
+<div class="sect2" lang="en">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="id2608330"></a>Known Defects/Restrictions</h3></div></div></div>
+<div class="itemizedlist"><ul type="disc">
+<li><p>Currently, win32 is not supported for the export
+ library. (Normal BIND 9 application can be built as
+ before).</p></li>
+<li>
+<p>The "fixed" RRset order is not (currently) supported in
+ the export library. If you want to use "fixed" RRset order
+ for, e.g. <span><strong class="command">named</strong></span> while still building the
+ export library even without the fixed order support, build
+ them separately:
+ </p>
+<pre class="screen">
+$ <strong class="userinput"><code>./configure --enable-fixed-rrset <em class="replaceable"><code>[other flags, but not --enable-exportlib]</code></em></code></strong>
+$ <strong class="userinput"><code>make</code></strong>
+$ <strong class="userinput"><code>./configure --enable-exportlib <em class="replaceable"><code>[other flags, but not --enable-fixed-rrset]</code></em></code></strong>
+$ <strong class="userinput"><code>cd lib/export</code></strong>
+$ <strong class="userinput"><code>make</code></strong>
+</pre>
+<p>
+ </p>
+</li>
+<li><p>The client module and the IRS library currently do not
+ support DNSSEC validation using DLV (the underlying modules
+ can handle it, but there is no tunable interface to enable
+ the feature).</p></li>
+<li><p>RFC 5011 is not supported in the validating stub
+ resolver of the export library. In fact, it is not clear
+ whether it should: trust anchors would be a system-wide
+ configuration which would be managed by an administrator,
+ while the stub resolver will be used by ordinary applications
+ run by a normal user.</p></li>
+<li><p>Not all common <code class="filename">/etc/resolv.conf</code>
+ options are supported
+ in the IRS library. The only available options in this
+ version are "debug" and "ndots".</p></li>
+</ul></div>
+</div>
+<div class="sect2" lang="en">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="id2608680"></a>The dns.conf File</h3></div></div></div>
+<p>The IRS library supports an "advanced" configuration file
+ related to the DNS library for configuration parameters that
+ would be beyond the capability of the
+ <code class="filename">resolv.conf</code> file.
+ Specifically, it is intended to provide DNSSEC related
+ configuration parameters. By default the path to this
+ configuration file is <code class="filename">/etc/dns.conf</code>.
+ This module is very
+ experimental and the configuration syntax or library interfaces
+ may change in future versions. Currently, only the
+ <span><strong class="command">trusted-keys</strong></span>
+ statement is supported, whose syntax is the same as the same name
+ of statement for <code class="filename">named.conf</code>. (See
+ <a href="Bv9ARM.ch06.html#trusted-keys" title="trusted-keys Statement Grammar">the section called &#8220;<span><strong class="command">trusted-keys</strong></span> Statement Grammar&#8221;</a> for details.)</p>
+</div>
+<div class="sect2" lang="en">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="id2608707"></a>Sample Applications</h3></div></div></div>
+<p>Some sample application programs using this API are
+ provided for reference. The following is a brief description of
+ these applications.
+ </p>
+<div class="sect3" lang="en">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="id2608715"></a>sample: a simple stub resolver utility</h4></div></div></div>
+<p>
+ It sends a query of a given name (of a given optional RR type) to a
+ specified recursive server, and prints the result as a list of
+ RRs. It can also act as a validating stub resolver if a trust
+ anchor is given via a set of command line options.</p>
+<p>
+ Usage: sample [options] server_address hostname
+ </p>
+<p>
+ Options and Arguments:
+ </p>
+<div class="variablelist"><dl>
+<dt><span class="term">
+ -t RRtype
+ </span></dt>
+<dd><p>
+ specify the RR type of the query. The default is the A RR.
+ </p></dd>
+<dt><span class="term">
+ [-a algorithm] [-e] -k keyname -K keystring
+ </span></dt>
+<dd>
+<p>
+ specify a command-line DNS key to validate the answer. For
+ example, to specify the following DNSKEY of example.com:
+</p>
+<div class="literallayout"><p><br>
+                example.com. 3600 IN DNSKEY 257 3 5 xxx<br>
+</p></div>
+<p>
+ specify the options as follows:
+</p>
+<pre class="screen">
+<strong class="userinput"><code>
+ -e -k example.com -K "xxx"
+</code></strong>
+</pre>
+<p>
+ -e means that this key is a zone's "key signing key" (as known
+ as "secure Entry point").
+ When -a is omitted rsasha1 will be used by default.
+ </p>
+</dd>
+<dt><span class="term">
+ -s domain:alt_server_address
+ </span></dt>
+<dd><p>
+ specify a separate recursive server address for the specific
+ "domain". Example: -s example.com:2001:db8::1234
+ </p></dd>
+<dt><span class="term">server_address</span></dt>
+<dd><p>
+ an IP(v4/v6) address of the recursive server to which queries
+ are sent.
+ </p></dd>
+<dt><span class="term">hostname</span></dt>
+<dd><p>
+ the domain name for the query
+ </p></dd>
+</dl></div>
+</div>
+<div class="sect3" lang="en">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="id2608806"></a>sample-async: a simple stub resolver, working asynchronously</h4></div></div></div>
+<p>
+ Similar to "sample", but accepts a list
+ of (query) domain names as a separate file and resolves the names
+ asynchronously.</p>
+<p>
+ Usage: sample-async [-s server_address] [-t RR_type] input_file</p>
+<p>
+ Options and Arguments:
+ </p>
+<div class="variablelist"><dl>
+<dt><span class="term">
+ -s server_address
+ </span></dt>
+<dd>
+ an IPv4 address of the recursive server to which queries are sent.
+ (IPv6 addresses are not supported in this implementation)
+ </dd>
+<dt><span class="term">
+ -t RR_type
+ </span></dt>
+<dd>
+ specify the RR type of the queries. The default is the A
+ RR.
+ </dd>
+<dt><span class="term">
+ input_file
+ </span></dt>
+<dd>
+ a list of domain names to be resolved. each line
+ consists of a single domain name. Example:
+ <div class="literallayout"><p><br>
+  www.example.com<br>
+  mx.examle.net<br>
+  ns.xxx.example<br>
+</p></div>
+</dd>
+</dl></div>
+</div>
+<div class="sect3" lang="en">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="id2608859"></a>sample-request: a simple DNS transaction client</h4></div></div></div>
+<p>
+ It sends a query to a specified server, and
+ prints the response with minimal processing. It doesn't act as a
+ "stub resolver": it stops the processing once it gets any
+ response from the server, whether it's a referral or an alias
+ (CNAME or DNAME) that would require further queries to get the
+ ultimate answer. In other words, this utility acts as a very
+ simplified <span><strong class="command">dig</strong></span>.
+ </p>
+<p>
+ Usage: sample-request [-t RRtype] server_address hostname
+ </p>
+<p>
+ Options and Arguments:
+ </p>
+<div class="variablelist"><dl>
+<dt><span class="term">
+ -t RRtype
+ </span></dt>
+<dd><p>
+ specify the RR type of
+ the queries. The default is the A RR.
+ </p></dd>
+<dt><span class="term">
+ server_address
+ </span></dt>
+<dd><p>
+ an IP(v4/v6)
+ address of the recursive server to which the query is sent.
+ </p></dd>
+<dt><span class="term">
+ hostname
+ </span></dt>
+<dd><p>
+ the domain name for the query
+ </p></dd>
+</dl></div>
+</div>
+<div class="sect3" lang="en">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="id2608992"></a>sample-gai: getaddrinfo() and getnameinfo() test code</h4></div></div></div>
+<p>
+ This is a test program
+ to check getaddrinfo() and getnameinfo() behavior. It takes a
+ host name as an argument, calls getaddrinfo() with the given host
+ name, and calls getnameinfo() with the resulting IP addresses
+ returned by getaddrinfo(). If the dns.conf file exists and
+ defines a trust anchor, the underlying resolver will act as a
+ validating resolver, and getaddrinfo()/getnameinfo() will fail
+ with an EAI_INSECUREDATA error when DNSSEC validation fails.
+ </p>
+<p>
+ Usage: sample-gai hostname
+ </p>
+</div>
+<div class="sect3" lang="en">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="id2609006"></a>sample-update: a simple dynamic update client program</h4></div></div></div>
+<p>
+ It accepts a single update command as a
+ command-line argument, sends an update request message to the
+ authoritative server, and shows the response from the server. In
+ other words, this is a simplified <span><strong class="command">nsupdate</strong></span>.
+ </p>
+<p>
+ Usage: sample-update [options] (add|delete) "update data"
+ </p>
+<p>
+ Options and Arguments:
+ </p>
+<div class="variablelist"><dl>
+<dt><span class="term">
+ -a auth_server
+ </span></dt>
+<dd><p>
+ An IP address of the authoritative server that has authority
+ for the zone containing the update name. This should normally
+ be the primary authoritative server that accepts dynamic
+ updates. It can also be a secondary server that is configured
+ to forward update requests to the primary server.
+ </p></dd>
+<dt><span class="term">
+ -k keyfile
+ </span></dt>
+<dd><p>
+ A TSIG key file to secure the update transaction. The keyfile
+ format is the same as that for the nsupdate utility.
+ </p></dd>
+<dt><span class="term">
+ -p prerequisite
+ </span></dt>
+<dd><p>
+ A prerequisite for the update (only one prerequisite can be
+ specified). The prerequisite format is the same as that is
+ accepted by the nsupdate utility.
+ </p></dd>
+<dt><span class="term">
+ -r recursive_server
+ </span></dt>
+<dd><p>
+ An IP address of a recursive server that this utility will
+ use. A recursive server may be necessary to identify the
+ authoritative server address to which the update request is
+ sent.
+ </p></dd>
+<dt><span class="term">
+ -z zonename
+ </span></dt>
+<dd><p>
+ The domain name of the zone that contains
+ </p></dd>
+<dt><span class="term">
+ (add|delete)
+ </span></dt>
+<dd><p>
+ Specify the type of update operation. Either "add" or "delete"
+ must be specified.
+ </p></dd>
+<dt><span class="term">
+ "update data"
+ </span></dt>
+<dd><p>
+ Specify the data to be updated. A typical example of the data
+ would look like "name TTL RRtype RDATA".
+ </p></dd>
+</dl></div>
+<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
+<h3 class="title">Note</h3>In practice, either -a or -r must be specified. Others can
+ be optional; the underlying library routine tries to identify the
+ appropriate server and the zone name for the update.</div>
+<p>
+ Examples: assuming the primary authoritative server of the
+ dynamic.example.com zone has an IPv6 address 2001:db8::1234,
+ </p>
+<pre class="screen">
+$ <strong class="userinput"><code>sample-update -a sample-update -k Kxxx.+nnn+mmmm.key add "foo.dynamic.example.com 30 IN A 192.168.2.1"</code></strong></pre>
+<p>
+ adds an A RR for foo.dynamic.example.com using the given key.
+ </p>
+<pre class="screen">
+$ <strong class="userinput"><code>sample-update -a sample-update -k Kxxx.+nnn+mmmm.key delete "foo.dynamic.example.com 30 IN A"</code></strong></pre>
+<p>
+ removes all A RRs for foo.dynamic.example.com using the given key.
+ </p>
+<pre class="screen">
+$ <strong class="userinput"><code>sample-update -a sample-update -k Kxxx.+nnn+mmmm.key delete "foo.dynamic.example.com"</code></strong></pre>
+<p>
+ removes all RRs for foo.dynamic.example.com using the given key.
+ </p>
+</div>
+<div class="sect3" lang="en">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="id2609138"></a>nsprobe: domain/name server checker in terms of RFC 4074</h4></div></div></div>
+<p>
+ It checks a set
+ of domains to see the name servers of the domains behave
+ correctly in terms of RFC 4074. This is included in the set of
+ sample programs to show how the export library can be used in a
+ DNS-related application.
+ </p>
+<p>
+ Usage: nsprobe [-d] [-v [-v...]] [-c cache_address] [input_file]
+ </p>
+<p>
+ Options
+ </p>
+<div class="variablelist"><dl>
+<dt><span class="term">
+ -d
+ </span></dt>
+<dd><p>
+ run in the "debug" mode. with this option nsprobe will dump
+ every RRs it receives.
+ </p></dd>
+<dt><span class="term">
+ -v
+ </span></dt>
+<dd><p>
+ increase verbosity of other normal log messages. This can be
+ specified multiple times
+ </p></dd>
+<dt><span class="term">
+ -c cache_address
+ </span></dt>
+<dd><p>
+ specify an IP address of a recursive (caching) name server.
+ nsprobe uses this server to get the NS RRset of each domain and
+ the A and/or AAAA RRsets for the name servers. The default
+ value is 127.0.0.1.
+ </p></dd>
+<dt><span class="term">
+ input_file
+ </span></dt>
+<dd><p>
+ a file name containing a list of domain (zone) names to be
+ probed. when omitted the standard input will be used. Each
+ line of the input file specifies a single domain name such as
+ "example.com". In general this domain name must be the apex
+ name of some DNS zone (unlike normal "host names" such as
+ "www.example.com"). nsprobe first identifies the NS RRsets for
+ the given domain name, and sends A and AAAA queries to these
+ servers for some "widely used" names under the zone;
+ specifically, adding "www" and "ftp" to the zone name.
+ </p></dd>
+</dl></div>
</div>
</div>
+<div class="sect2" lang="en">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="id2609611"></a>Library References</h3></div></div></div>
+<p>As of this writing, there is no formal "manual" of the
+ libraries, except this document, header files (some of them
+ provide pretty detailed explanations), and sample application
+ programs.</p>
</div>
</div>
</div>
diff --git a/contrib/bind9/doc/arm/Bv9ARM.ch10.html b/contrib/bind9/doc/arm/Bv9ARM.ch10.html
index add9d5703867..1484ecf469be 100644
--- a/contrib/bind9/doc/arm/Bv9ARM.ch10.html
+++ b/contrib/bind9/doc/arm/Bv9ARM.ch10.html
@@ -64,6 +64,12 @@
<span class="refentrytitle"><a href="man.dnssec-keygen.html"><span class="application">dnssec-keygen</span></a></span><span class="refpurpose"> &#8212; DNSSEC key generation tool</span>
</dt>
<dt>
+<span class="refentrytitle"><a href="man.dnssec-revoke.html"><span class="application">dnssec-revoke</span></a></span><span class="refpurpose"> &#8212; Set the REVOKED bit on a DNSSEC key</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.dnssec-settime.html"><span class="application">dnssec-settime</span></a></span><span class="refpurpose"> &#8212; Set the key timing metadata for a DNSSEC key</span>
+</dt>
+<dt>
<span class="refentrytitle"><a href="man.dnssec-signzone.html"><span class="application">dnssec-signzone</span></a></span><span class="refpurpose"> &#8212; DNSSEC zone signing tool</span>
</dt>
<dt>
@@ -76,6 +82,9 @@
<span class="refentrytitle"><a href="man.named.html"><span class="application">named</span></a></span><span class="refpurpose"> &#8212; Internet domain name server</span>
</dt>
<dt>
+<span class="refentrytitle"><a href="man.named-journalprint.html"><span class="application">named-journalprint</span></a></span><span class="refpurpose"> &#8212; print zone journal in human-readable form</span>
+</dt>
+<dt>
<span class="refentrytitle"><a href="man.nsupdate.html"><span class="application">nsupdate</span></a></span><span class="refpurpose"> &#8212; Dynamic DNS update utility</span>
</dt>
<dt>
@@ -87,6 +96,21 @@
<dt>
<span class="refentrytitle"><a href="man.rndc-confgen.html"><span class="application">rndc-confgen</span></a></span><span class="refpurpose"> &#8212; rndc key generation tool</span>
</dt>
+<dt>
+<span class="refentrytitle"><a href="man.ddns-confgen.html"><span class="application">ddns-confgen</span></a></span><span class="refpurpose"> &#8212; ddns key generation tool</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.arpaname.html"><span class="application">arpaname</span></a></span><span class="refpurpose"> &#8212; translate IP addresses to the corresponding ARPA names</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.genrandom.html"><span class="application">genrandom</span></a></span><span class="refpurpose"> &#8212; generate a file containing random data</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.isc-hmac-fixup.html"><span class="application">isc-hmac-fixup</span></a></span><span class="refpurpose"> &#8212; fixes HMAC keys generated by older versions of BIND</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.nsec3hash.html"><span class="application">nsec3hash</span></a></span><span class="refpurpose"> &#8212; generate NSEC3 hash</span>
+</dt>
</dl>
</div>
</div>
diff --git a/contrib/bind9/doc/arm/Bv9ARM.html b/contrib/bind9/doc/arm/Bv9ARM.html
index af7fbe75081a..b66cccce481d 100644
--- a/contrib/bind9/doc/arm/Bv9ARM.html
+++ b/contrib/bind9/doc/arm/Bv9ARM.html
@@ -40,7 +40,7 @@
<div class="titlepage">
<div>
<div><h1 class="title">
-<a name="id2563174"></a>BIND 9 Administrator Reference Manual</h1></div>
+<a name="id2563175"></a>BIND 9 Administrator Reference Manual</h1></div>
<div><p class="copyright">Copyright © 2004-2012 Internet Systems Consortium, Inc. ("ISC")</p></div>
<div><p class="copyright">Copyright © 2000-2003 Internet Software Consortium.</p></div>
</div>
@@ -51,39 +51,39 @@
<dl>
<dt><span class="chapter"><a href="Bv9ARM.ch01.html">1. Introduction</a></span></dt>
<dd><dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564374">Scope of Document</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564397">Organization of This Document</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564537">Conventions Used in This Document</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564718">The Domain Name System (<acronym class="acronym">DNS</acronym>)</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564375">Scope of Document</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564398">Organization of This Document</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564538">Conventions Used in This Document</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564720">The Domain Name System (<acronym class="acronym">DNS</acronym>)</a></span></dt>
<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2564740">DNS Fundamentals</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2564774">Domains and Domain Names</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567179">Zones</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567256">Authoritative Name Servers</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567429">Caching Name Servers</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567559">Name Servers in Multiple Roles</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2564741">DNS Fundamentals</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2564775">Domains and Domain Names</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567180">Zones</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567257">Authoritative Name Servers</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567430">Caching Name Servers</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567560">Name Servers in Multiple Roles</a></span></dt>
</dl></dd>
</dl></dd>
<dt><span class="chapter"><a href="Bv9ARM.ch02.html">2. <acronym class="acronym">BIND</acronym> Resource Requirements</a></span></dt>
<dd><dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567593">Hardware requirements</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567620">CPU Requirements</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567633">Memory Requirements</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567728">Name Server Intensive Environment Issues</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567738">Supported Operating Systems</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567594">Hardware requirements</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567621">CPU Requirements</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567634">Memory Requirements</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567729">Name Server Intensive Environment Issues</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567739">Supported Operating Systems</a></span></dt>
</dl></dd>
<dt><span class="chapter"><a href="Bv9ARM.ch03.html">3. Name Server Configuration</a></span></dt>
<dd><dl>
<dt><span class="sect1"><a href="Bv9ARM.ch03.html#sample_configuration">Sample Configurations</a></span></dt>
<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2567770">A Caching-only Name Server</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2567991">An Authoritative-only Name Server</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2567771">A Caching-only Name Server</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2567992">An Authoritative-only Name Server</a></span></dt>
</dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2568013">Load Balancing</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2568368">Name Server Operations</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2568014">Load Balancing</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2568369">Name Server Operations</a></span></dt>
<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2568373">Tools for Use With the Name Server Daemon</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2570119">Signals</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2568374">Tools for Use With the Name Server Daemon</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2570421">Signals</a></span></dt>
</dl></dd>
</dl></dd>
<dt><span class="chapter"><a href="Bv9ARM.ch04.html">4. Advanced DNS Features</a></span></dt>
@@ -92,34 +92,64 @@
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#dynamic_update">Dynamic Update</a></span></dt>
<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#journal">The journal file</a></span></dt></dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#incremental_zone_transfers">Incremental Zone Transfers (IXFR)</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2570544">Split DNS</a></span></dt>
-<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570562">Example split DNS setup</a></span></dt></dl></dd>
+<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2570934">Split DNS</a></span></dt>
+<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570952">Example split DNS setup</a></span></dt></dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#tsig">TSIG</a></span></dt>
<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571065">Generate Shared Keys for Each Pair of Hosts</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571207">Copying the Shared Secret to Both Machines</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571218">Informing the Servers of the Key's Existence</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571254">Instructing the Server to Use the Key</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571380">TSIG Key Based Access Control</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571496">Errors</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2564012">Generate Shared Keys for Each Pair of Hosts</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2564086">Copying the Shared Secret to Both Machines</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571811">Informing the Servers of the Key's Existence</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571847">Instructing the Server to Use the Key</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571905">TSIG Key Based Access Control</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571954">Errors</a></span></dt>
</dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571510">TKEY</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571696">SIG(0)</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571968">TKEY</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2572153">SIG(0)</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#DNSSEC">DNSSEC</a></span></dt>
<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571764">Generating Keys</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571843">Signing the Zone</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571924">Configuring Servers</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572221">Generating Keys</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572300">Signing the Zone</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572381">Configuring Servers</a></span></dt>
</dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2572162">IPv6 Support in <acronym class="acronym">BIND</acronym> 9</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch04.html#dnssec.dynamic.zones">DNSSEC, Dynamic Zones, and Automatic Signing</a></span></dt>
<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572224">Address Lookups Using AAAA Records</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572245">Address to Name Lookups Using Nibble Format</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571475">Converting from insecure to secure</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571512">Dynamic DNS update method</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563493">Fully automatic zone signing</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563575">Private-type records</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563612">DNSKEY rollovers</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563762">Dynamic DNS update method</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563795">Automatic key rollovers</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563821">NSEC3PARAM rollovers via UPDATE</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563899">Converting from NSEC to NSEC3</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563909">Converting from NSEC3 to NSEC</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563922">Converting from secure to insecure</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571605">Periodic re-signing</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571614">NSEC3 and OPTOUT</a></span></dt>
+</dl></dd>
+<dt><span class="sect1"><a href="Bv9ARM.ch04.html#rfc5011.support">Dynamic Trust Anchor Management</a></span></dt>
+<dd><dl>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2607510">Validating Resolver</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571692">Authoritative Server</a></span></dt>
+</dl></dd>
+<dt><span class="sect1"><a href="Bv9ARM.ch04.html#pkcs11">PKCS #11 (Cryptoki) support</a></span></dt>
+<dd><dl>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2610637">Prerequisites</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2608477">Building BIND 9 with PKCS#11</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2608602">PKCS #11 Tools</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2634916">Using the HSM</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2635114">Specifying the engine on the command line</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2635160">Running named with automatic zone re-signing</a></span></dt>
+</dl></dd>
+<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2572669">IPv6 Support in <acronym class="acronym">BIND</acronym> 9</a></span></dt>
+<dd><dl>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572868">Address Lookups Using AAAA Records</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572889">Address to Name Lookups Using Nibble Format</a></span></dt>
</dl></dd>
</dl></dd>
<dt><span class="chapter"><a href="Bv9ARM.ch05.html">5. The <acronym class="acronym">BIND</acronym> 9 Lightweight Resolver</a></span></dt>
<dd><dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch05.html#id2572278">The Lightweight Resolver Library</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch05.html#id2572922">The Lightweight Resolver Library</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch05.html#lwresd">Running a Resolver Daemon</a></span></dt>
</dl></dd>
<dt><span class="chapter"><a href="Bv9ARM.ch06.html">6. <acronym class="acronym">BIND</acronym> 9 Configuration Reference</a></span></dt>
@@ -127,55 +157,58 @@
<dt><span class="sect1"><a href="Bv9ARM.ch06.html#configuration_file_elements">Configuration File Elements</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#address_match_lists">Address Match Lists</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2573725">Comment Syntax</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574332">Comment Syntax</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch06.html#Configuration_File_Grammar">Configuration File Grammar</a></span></dt>
<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574356"><span><strong class="command">acl</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574986"><span><strong class="command">acl</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#acl"><span><strong class="command">acl</strong></span> Statement Definition and
Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574614"><span><strong class="command">controls</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575176"><span><strong class="command">controls</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage"><span><strong class="command">controls</strong></span> Statement Definition and
Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574974"><span><strong class="command">include</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574992"><span><strong class="command">include</strong></span> Statement Definition and
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575467"><span><strong class="command">include</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575484"><span><strong class="command">include</strong></span> Statement Definition and
Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575015"><span><strong class="command">key</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575038"><span><strong class="command">key</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575129"><span><strong class="command">logging</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575255"><span><strong class="command">logging</strong></span> Statement Definition and
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575576"><span><strong class="command">key</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575600"><span><strong class="command">key</strong></span> Statement Definition and Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575758"><span><strong class="command">logging</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575884"><span><strong class="command">logging</strong></span> Statement Definition and
Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577316"><span><strong class="command">lwres</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577389"><span><strong class="command">lwres</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577453"><span><strong class="command">masters</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577565"><span><strong class="command">masters</strong></span> Statement Definition and
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577910"><span><strong class="command">lwres</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577984"><span><strong class="command">lwres</strong></span> Statement Definition and Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2578116"><span><strong class="command">masters</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2578160"><span><strong class="command">masters</strong></span> Statement Definition and
Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577580"><span><strong class="command">options</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2578174"><span><strong class="command">options</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#options"><span><strong class="command">options</strong></span> Statement Definition and
Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_grammar"><span><strong class="command">server</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_definition_and_usage"><span><strong class="command">server</strong></span> Statement Definition and
Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#statschannels"><span><strong class="command">statistics-channels</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2587027"><span><strong class="command">statistics-channels</strong></span> Statement Definition and
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2589534"><span><strong class="command">statistics-channels</strong></span> Statement Definition and
Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2587181"><span><strong class="command">trusted-keys</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2587233"><span><strong class="command">trusted-keys</strong></span> Statement Definition
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#trusted-keys"><span><strong class="command">trusted-keys</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2589742"><span><strong class="command">trusted-keys</strong></span> Statement Definition
+ and Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2589858"><span><strong class="command">managed-keys</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#managed-keys"><span><strong class="command">managed-keys</strong></span> Statement Definition
and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#view_statement_grammar"><span><strong class="command">view</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2587315"><span><strong class="command">view</strong></span> Statement Definition and Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2590352"><span><strong class="command">view</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#zone_statement_grammar"><span><strong class="command">zone</strong></span>
Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2588788"><span><strong class="command">zone</strong></span> Statement Definition and Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2591902"><span><strong class="command">zone</strong></span> Statement Definition and Usage</a></span></dt>
</dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch06.html#id2591403">Zone File</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch06.html#id2595170">Zone File</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#types_of_resource_records_and_when_to_use_them">Types of Resource Records and When to Use Them</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2593702">Discussion of MX Records</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2597537">Discussion of MX Records</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#Setting_TTLs">Setting TTLs</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2594249">Inverse Mapping in IPv4</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2594444">Other Zone File Directives</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2594786"><acronym class="acronym">BIND</acronym> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2598084">Inverse Mapping in IPv4</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2598211">Other Zone File Directives</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2598552"><acronym class="acronym">BIND</acronym> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#zonefile_format">Additional File Formats</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch06.html#statistics">BIND9 Statistics</a></span></dt>
@@ -184,31 +217,41 @@
<dt><span class="chapter"><a href="Bv9ARM.ch07.html">7. <acronym class="acronym">BIND</acronym> 9 Security Considerations</a></span></dt>
<dd><dl>
<dt><span class="sect1"><a href="Bv9ARM.ch07.html#Access_Control_Lists">Access Control Lists</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch07.html#id2599409"><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span></a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch07.html#id2603136"><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span></a></span></dt>
<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2599490">The <span><strong class="command">chroot</strong></span> Environment</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2599549">Using the <span><strong class="command">setuid</strong></span> Function</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2603285">The <span><strong class="command">chroot</strong></span> Environment</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2603345">Using the <span><strong class="command">setuid</strong></span> Function</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch07.html#dynamic_update_security">Dynamic Update Security</a></span></dt>
</dl></dd>
<dt><span class="chapter"><a href="Bv9ARM.ch08.html">8. Troubleshooting</a></span></dt>
<dd><dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2599629">Common Problems</a></span></dt>
-<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch08.html#id2599635">It's not working; how can I figure out what's wrong?</a></span></dt></dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2599646">Incrementing and Changing the Serial Number</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2599732">Where Can I Get Help?</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2603561">Common Problems</a></span></dt>
+<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch08.html#id2603566">It's not working; how can I figure out what's wrong?</a></span></dt></dl></dd>
+<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2603578">Incrementing and Changing the Serial Number</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2603595">Where Can I Get Help?</a></span></dt>
</dl></dd>
<dt><span class="appendix"><a href="Bv9ARM.ch09.html">A. Appendices</a></span></dt>
<dd><dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2599794">Acknowledgments</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2603657">Acknowledgments</a></span></dt>
<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch09.html#historical_dns_information">A Brief History of the <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym></a></span></dt></dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2600034">General <acronym class="acronym">DNS</acronym> Reference Information</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2603761">General <acronym class="acronym">DNS</acronym> Reference Information</a></span></dt>
<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch09.html#ipv6addresses">IPv6 addresses (AAAA)</a></span></dt></dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch09.html#bibliography">Bibliography (and Suggested Reading)</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch09.html#rfcs">Request for Comments (RFCs)</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch09.html#internet_drafts">Internet Drafts</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2603382">Other Documents About <acronym class="acronym">BIND</acronym></a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2607177">Other Documents About <acronym class="acronym">BIND</acronym></a></span></dt>
+</dl></dd>
+<dt><span class="sect1"><a href="Bv9ARM.ch09.html#bind9.library">BIND 9 DNS Library Support</a></span></dt>
+<dd><dl>
+<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2608265">Prerequisite</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2608275">Compilation</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2608299">Installation</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2608330">Known Defects/Restrictions</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2608680">The dns.conf File</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2608707">Sample Applications</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2609611">Library References</a></span></dt>
</dl></dd>
</dl></dd>
<dt><span class="reference"><a href="Bv9ARM.ch10.html">I. Manual pages</a></span></dt>
@@ -229,6 +272,12 @@
<span class="refentrytitle"><a href="man.dnssec-keygen.html"><span class="application">dnssec-keygen</span></a></span><span class="refpurpose"> &#8212; DNSSEC key generation tool</span>
</dt>
<dt>
+<span class="refentrytitle"><a href="man.dnssec-revoke.html"><span class="application">dnssec-revoke</span></a></span><span class="refpurpose"> &#8212; Set the REVOKED bit on a DNSSEC key</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.dnssec-settime.html"><span class="application">dnssec-settime</span></a></span><span class="refpurpose"> &#8212; Set the key timing metadata for a DNSSEC key</span>
+</dt>
+<dt>
<span class="refentrytitle"><a href="man.dnssec-signzone.html"><span class="application">dnssec-signzone</span></a></span><span class="refpurpose"> &#8212; DNSSEC zone signing tool</span>
</dt>
<dt>
@@ -241,6 +290,9 @@
<span class="refentrytitle"><a href="man.named.html"><span class="application">named</span></a></span><span class="refpurpose"> &#8212; Internet domain name server</span>
</dt>
<dt>
+<span class="refentrytitle"><a href="man.named-journalprint.html"><span class="application">named-journalprint</span></a></span><span class="refpurpose"> &#8212; print zone journal in human-readable form</span>
+</dt>
+<dt>
<span class="refentrytitle"><a href="man.nsupdate.html"><span class="application">nsupdate</span></a></span><span class="refpurpose"> &#8212; Dynamic DNS update utility</span>
</dt>
<dt>
@@ -252,6 +304,21 @@
<dt>
<span class="refentrytitle"><a href="man.rndc-confgen.html"><span class="application">rndc-confgen</span></a></span><span class="refpurpose"> &#8212; rndc key generation tool</span>
</dt>
+<dt>
+<span class="refentrytitle"><a href="man.ddns-confgen.html"><span class="application">ddns-confgen</span></a></span><span class="refpurpose"> &#8212; ddns key generation tool</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.arpaname.html"><span class="application">arpaname</span></a></span><span class="refpurpose"> &#8212; translate IP addresses to the corresponding ARPA names</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.genrandom.html"><span class="application">genrandom</span></a></span><span class="refpurpose"> &#8212; generate a file containing random data</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.isc-hmac-fixup.html"><span class="application">isc-hmac-fixup</span></a></span><span class="refpurpose"> &#8212; fixes HMAC keys generated by older versions of BIND</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.nsec3hash.html"><span class="application">nsec3hash</span></a></span><span class="refpurpose"> &#8212; generate NSEC3 hash</span>
+</dt>
</dl></dd>
</dl>
</div>
diff --git a/contrib/bind9/doc/arm/Bv9ARM.pdf b/contrib/bind9/doc/arm/Bv9ARM.pdf
index 60a5658c1551..98d816b499a6 100644
--- a/contrib/bind9/doc/arm/Bv9ARM.pdf
+++ b/contrib/bind9/doc/arm/Bv9ARM.pdf
@@ -321,738 +321,1074 @@ endobj
<< /S /GoTo /D (section.4.9) >>
endobj
220 0 obj
-(4.9 IPv6 Support in BIND 9)
+(4.9 DNSSEC, Dynamic Zones, and Automatic Signing)
endobj
221 0 obj
<< /S /GoTo /D (subsection.4.9.1) >>
endobj
224 0 obj
-(4.9.1 Address Lookups Using AAAA Records)
+(4.9.1 Converting from insecure to secure)
endobj
225 0 obj
<< /S /GoTo /D (subsection.4.9.2) >>
endobj
228 0 obj
-(4.9.2 Address to Name Lookups Using Nibble Format)
+(4.9.2 Dynamic DNS update method)
endobj
229 0 obj
-<< /S /GoTo /D (chapter.5) >>
+<< /S /GoTo /D (subsection.4.9.3) >>
endobj
232 0 obj
-(5 The BIND 9 Lightweight Resolver)
+(4.9.3 Fully automatic zone signing)
endobj
233 0 obj
-<< /S /GoTo /D (section.5.1) >>
+<< /S /GoTo /D (subsection.4.9.4) >>
endobj
236 0 obj
-(5.1 The Lightweight Resolver Library)
+(4.9.4 Private-type records)
endobj
237 0 obj
-<< /S /GoTo /D (section.5.2) >>
+<< /S /GoTo /D (subsection.4.9.5) >>
endobj
240 0 obj
-(5.2 Running a Resolver Daemon)
+(4.9.5 DNSKEY rollovers)
endobj
241 0 obj
-<< /S /GoTo /D (chapter.6) >>
+<< /S /GoTo /D (subsection.4.9.6) >>
endobj
244 0 obj
-(6 BIND 9 Configuration Reference)
+(4.9.6 Dynamic DNS update method)
endobj
245 0 obj
-<< /S /GoTo /D (section.6.1) >>
+<< /S /GoTo /D (subsection.4.9.7) >>
endobj
248 0 obj
-(6.1 Configuration File Elements)
+(4.9.7 Automatic key rollovers)
endobj
249 0 obj
-<< /S /GoTo /D (subsection.6.1.1) >>
+<< /S /GoTo /D (subsection.4.9.8) >>
endobj
252 0 obj
-(6.1.1 Address Match Lists)
+(4.9.8 NSEC3PARAM rollovers via UPDATE)
endobj
253 0 obj
-<< /S /GoTo /D (subsubsection.6.1.1.1) >>
+<< /S /GoTo /D (subsection.4.9.9) >>
endobj
256 0 obj
-(6.1.1.1 Syntax)
+(4.9.9 Converting from NSEC to NSEC3)
endobj
257 0 obj
-<< /S /GoTo /D (subsubsection.6.1.1.2) >>
+<< /S /GoTo /D (subsection.4.9.10) >>
endobj
260 0 obj
-(6.1.1.2 Definition and Usage)
+(4.9.10 Converting from NSEC3 to NSEC)
endobj
261 0 obj
-<< /S /GoTo /D (subsection.6.1.2) >>
+<< /S /GoTo /D (subsection.4.9.11) >>
endobj
264 0 obj
-(6.1.2 Comment Syntax)
+(4.9.11 Converting from secure to insecure)
endobj
265 0 obj
-<< /S /GoTo /D (subsubsection.6.1.2.1) >>
+<< /S /GoTo /D (subsection.4.9.12) >>
endobj
268 0 obj
-(6.1.2.1 Syntax)
+(4.9.12 Periodic re-signing)
endobj
269 0 obj
-<< /S /GoTo /D (subsubsection.6.1.2.2) >>
+<< /S /GoTo /D (subsection.4.9.13) >>
endobj
272 0 obj
-(6.1.2.2 Definition and Usage)
+(4.9.13 NSEC3 and OPTOUT)
endobj
273 0 obj
-<< /S /GoTo /D (section.6.2) >>
+<< /S /GoTo /D (section.4.10) >>
endobj
276 0 obj
-(6.2 Configuration File Grammar)
+(4.10 Dynamic Trust Anchor Management)
endobj
277 0 obj
-<< /S /GoTo /D (subsection.6.2.1) >>
+<< /S /GoTo /D (subsection.4.10.1) >>
endobj
280 0 obj
-(6.2.1 acl Statement Grammar)
+(4.10.1 Validating Resolver)
endobj
281 0 obj
-<< /S /GoTo /D (subsection.6.2.2) >>
+<< /S /GoTo /D (subsection.4.10.2) >>
endobj
284 0 obj
-(6.2.2 acl Statement Definition and Usage)
+(4.10.2 Authoritative Server)
endobj
285 0 obj
-<< /S /GoTo /D (subsection.6.2.3) >>
+<< /S /GoTo /D (section.4.11) >>
endobj
288 0 obj
-(6.2.3 controls Statement Grammar)
+(4.11 PKCS \04311 \(Cryptoki\) support)
endobj
289 0 obj
-<< /S /GoTo /D (subsection.6.2.4) >>
+<< /S /GoTo /D (subsection.4.11.1) >>
endobj
292 0 obj
-(6.2.4 controls Statement Definition and Usage)
+(4.11.1 Prerequisites)
endobj
293 0 obj
-<< /S /GoTo /D (subsection.6.2.5) >>
+<< /S /GoTo /D (subsubsection.4.11.1.1) >>
endobj
296 0 obj
-(6.2.5 include Statement Grammar)
+(4.11.1.1 Building OpenSSL for the AEP Keyper on Linux)
endobj
297 0 obj
-<< /S /GoTo /D (subsection.6.2.6) >>
+<< /S /GoTo /D (subsubsection.4.11.1.2) >>
endobj
300 0 obj
-(6.2.6 include Statement Definition and Usage)
+(4.11.1.2 Building OpenSSL for the SCA 6000 on Solaris)
endobj
301 0 obj
-<< /S /GoTo /D (subsection.6.2.7) >>
+<< /S /GoTo /D (subsubsection.4.11.1.3) >>
endobj
304 0 obj
-(6.2.7 key Statement Grammar)
+(4.11.1.3 Building OpenSSL for SoftHSM)
endobj
305 0 obj
-<< /S /GoTo /D (subsection.6.2.8) >>
+<< /S /GoTo /D (subsection.4.11.2) >>
endobj
308 0 obj
-(6.2.8 key Statement Definition and Usage)
+(4.11.2 Building BIND 9 with PKCS\04311)
endobj
309 0 obj
-<< /S /GoTo /D (subsection.6.2.9) >>
+<< /S /GoTo /D (subsubsection.4.11.2.1) >>
endobj
312 0 obj
-(6.2.9 logging Statement Grammar)
+(4.11.2.1 Configuring BIND 9 for Linux with the AEP Keyper)
endobj
313 0 obj
-<< /S /GoTo /D (subsection.6.2.10) >>
+<< /S /GoTo /D (subsubsection.4.11.2.2) >>
endobj
316 0 obj
-(6.2.10 logging Statement Definition and Usage)
+(4.11.2.2 Configuring BIND 9 for Solaris with the SCA 6000)
endobj
317 0 obj
-<< /S /GoTo /D (subsubsection.6.2.10.1) >>
+<< /S /GoTo /D (subsubsection.4.11.2.3) >>
endobj
320 0 obj
-(6.2.10.1 The channel Phrase)
+(4.11.2.3 Configuring BIND 9 for SoftHSM)
endobj
321 0 obj
-<< /S /GoTo /D (subsubsection.6.2.10.2) >>
+<< /S /GoTo /D (subsection.4.11.3) >>
endobj
324 0 obj
-(6.2.10.2 The category Phrase)
+(4.11.3 PKCS \04311 Tools)
endobj
325 0 obj
-<< /S /GoTo /D (subsubsection.6.2.10.3) >>
+<< /S /GoTo /D (subsection.4.11.4) >>
endobj
328 0 obj
-(6.2.10.3 The query-errors Category)
+(4.11.4 Using the HSM)
endobj
329 0 obj
-<< /S /GoTo /D (subsection.6.2.11) >>
+<< /S /GoTo /D (subsection.4.11.5) >>
endobj
332 0 obj
-(6.2.11 lwres Statement Grammar)
+(4.11.5 Specifying the engine on the command line)
endobj
333 0 obj
-<< /S /GoTo /D (subsection.6.2.12) >>
+<< /S /GoTo /D (subsection.4.11.6) >>
endobj
336 0 obj
-(6.2.12 lwres Statement Definition and Usage)
+(4.11.6 Running named with automatic zone re-signing)
endobj
337 0 obj
-<< /S /GoTo /D (subsection.6.2.13) >>
+<< /S /GoTo /D (section.4.12) >>
endobj
340 0 obj
-(6.2.13 masters Statement Grammar)
+(4.12 IPv6 Support in BIND 9)
endobj
341 0 obj
-<< /S /GoTo /D (subsection.6.2.14) >>
+<< /S /GoTo /D (subsection.4.12.1) >>
endobj
344 0 obj
-(6.2.14 masters Statement Definition and Usage)
+(4.12.1 Address Lookups Using AAAA Records)
endobj
345 0 obj
-<< /S /GoTo /D (subsection.6.2.15) >>
+<< /S /GoTo /D (subsection.4.12.2) >>
endobj
348 0 obj
-(6.2.15 options Statement Grammar)
+(4.12.2 Address to Name Lookups Using Nibble Format)
endobj
349 0 obj
-<< /S /GoTo /D (subsection.6.2.16) >>
+<< /S /GoTo /D (chapter.5) >>
endobj
352 0 obj
-(6.2.16 options Statement Definition and Usage)
+(5 The BIND 9 Lightweight Resolver)
endobj
353 0 obj
-<< /S /GoTo /D (subsubsection.6.2.16.1) >>
+<< /S /GoTo /D (section.5.1) >>
endobj
356 0 obj
-(6.2.16.1 Boolean Options)
+(5.1 The Lightweight Resolver Library)
endobj
357 0 obj
-<< /S /GoTo /D (subsubsection.6.2.16.2) >>
+<< /S /GoTo /D (section.5.2) >>
endobj
360 0 obj
-(6.2.16.2 Forwarding)
+(5.2 Running a Resolver Daemon)
endobj
361 0 obj
-<< /S /GoTo /D (subsubsection.6.2.16.3) >>
+<< /S /GoTo /D (chapter.6) >>
endobj
364 0 obj
-(6.2.16.3 Dual-stack Servers)
+(6 BIND 9 Configuration Reference)
endobj
365 0 obj
-<< /S /GoTo /D (subsubsection.6.2.16.4) >>
+<< /S /GoTo /D (section.6.1) >>
endobj
368 0 obj
-(6.2.16.4 Access Control)
+(6.1 Configuration File Elements)
endobj
369 0 obj
-<< /S /GoTo /D (subsubsection.6.2.16.5) >>
+<< /S /GoTo /D (subsection.6.1.1) >>
endobj
372 0 obj
-(6.2.16.5 Interfaces)
+(6.1.1 Address Match Lists)
endobj
373 0 obj
-<< /S /GoTo /D (subsubsection.6.2.16.6) >>
+<< /S /GoTo /D (subsubsection.6.1.1.1) >>
endobj
376 0 obj
-(6.2.16.6 Query Address)
+(6.1.1.1 Syntax)
endobj
377 0 obj
-<< /S /GoTo /D (subsubsection.6.2.16.7) >>
+<< /S /GoTo /D (subsubsection.6.1.1.2) >>
endobj
380 0 obj
-(6.2.16.7 Zone Transfers)
+(6.1.1.2 Definition and Usage)
endobj
381 0 obj
-<< /S /GoTo /D (subsubsection.6.2.16.8) >>
+<< /S /GoTo /D (subsection.6.1.2) >>
endobj
384 0 obj
-(6.2.16.8 UDP Port Lists)
+(6.1.2 Comment Syntax)
endobj
385 0 obj
-<< /S /GoTo /D (subsubsection.6.2.16.9) >>
+<< /S /GoTo /D (subsubsection.6.1.2.1) >>
endobj
388 0 obj
-(6.2.16.9 Operating System Resource Limits)
+(6.1.2.1 Syntax)
endobj
389 0 obj
-<< /S /GoTo /D (subsubsection.6.2.16.10) >>
+<< /S /GoTo /D (subsubsection.6.1.2.2) >>
endobj
392 0 obj
-(6.2.16.10 Server Resource Limits)
+(6.1.2.2 Definition and Usage)
endobj
393 0 obj
-<< /S /GoTo /D (subsubsection.6.2.16.11) >>
+<< /S /GoTo /D (section.6.2) >>
endobj
396 0 obj
-(6.2.16.11 Periodic Task Intervals)
+(6.2 Configuration File Grammar)
endobj
397 0 obj
-<< /S /GoTo /D (subsubsection.6.2.16.12) >>
+<< /S /GoTo /D (subsection.6.2.1) >>
endobj
400 0 obj
-(6.2.16.12 Topology)
+(6.2.1 acl Statement Grammar)
endobj
401 0 obj
-<< /S /GoTo /D (subsubsection.6.2.16.13) >>
+<< /S /GoTo /D (subsection.6.2.2) >>
endobj
404 0 obj
-(6.2.16.13 The sortlist Statement)
+(6.2.2 acl Statement Definition and Usage)
endobj
405 0 obj
-<< /S /GoTo /D (subsubsection.6.2.16.14) >>
+<< /S /GoTo /D (subsection.6.2.3) >>
endobj
408 0 obj
-(6.2.16.14 RRset Ordering)
+(6.2.3 controls Statement Grammar)
endobj
409 0 obj
-<< /S /GoTo /D (subsubsection.6.2.16.15) >>
+<< /S /GoTo /D (subsection.6.2.4) >>
endobj
412 0 obj
-(6.2.16.15 Tuning)
+(6.2.4 controls Statement Definition and Usage)
endobj
413 0 obj
-<< /S /GoTo /D (subsubsection.6.2.16.16) >>
+<< /S /GoTo /D (subsection.6.2.5) >>
endobj
416 0 obj
-(6.2.16.16 Built-in server information zones)
+(6.2.5 include Statement Grammar)
endobj
417 0 obj
-<< /S /GoTo /D (subsubsection.6.2.16.17) >>
+<< /S /GoTo /D (subsection.6.2.6) >>
endobj
420 0 obj
-(6.2.16.17 Built-in Empty Zones)
+(6.2.6 include Statement Definition and Usage)
endobj
421 0 obj
-<< /S /GoTo /D (subsubsection.6.2.16.18) >>
+<< /S /GoTo /D (subsection.6.2.7) >>
endobj
424 0 obj
-(6.2.16.18 Additional Section Caching)
+(6.2.7 key Statement Grammar)
endobj
425 0 obj
-<< /S /GoTo /D (subsection.6.2.17) >>
+<< /S /GoTo /D (subsection.6.2.8) >>
endobj
428 0 obj
-(6.2.17 server Statement Grammar)
+(6.2.8 key Statement Definition and Usage)
endobj
429 0 obj
-<< /S /GoTo /D (subsection.6.2.18) >>
+<< /S /GoTo /D (subsection.6.2.9) >>
endobj
432 0 obj
-(6.2.18 server Statement Definition and Usage)
+(6.2.9 logging Statement Grammar)
endobj
433 0 obj
-<< /S /GoTo /D (subsection.6.2.19) >>
+<< /S /GoTo /D (subsection.6.2.10) >>
endobj
436 0 obj
-(6.2.19 statistics-channels Statement Grammar)
+(6.2.10 logging Statement Definition and Usage)
endobj
437 0 obj
-<< /S /GoTo /D (subsection.6.2.20) >>
+<< /S /GoTo /D (subsubsection.6.2.10.1) >>
endobj
440 0 obj
-(6.2.20 statistics-channels Statement Definition and Usage)
+(6.2.10.1 The channel Phrase)
endobj
441 0 obj
-<< /S /GoTo /D (subsection.6.2.21) >>
+<< /S /GoTo /D (subsubsection.6.2.10.2) >>
endobj
444 0 obj
-(6.2.21 trusted-keys Statement Grammar)
+(6.2.10.2 The category Phrase)
endobj
445 0 obj
-<< /S /GoTo /D (subsection.6.2.22) >>
+<< /S /GoTo /D (subsubsection.6.2.10.3) >>
endobj
448 0 obj
-(6.2.22 trusted-keys Statement Definition and Usage)
+(6.2.10.3 The query-errors Category)
endobj
449 0 obj
-<< /S /GoTo /D (subsection.6.2.23) >>
+<< /S /GoTo /D (subsection.6.2.11) >>
endobj
452 0 obj
-(6.2.23 view Statement Grammar)
+(6.2.11 lwres Statement Grammar)
endobj
453 0 obj
-<< /S /GoTo /D (subsection.6.2.24) >>
+<< /S /GoTo /D (subsection.6.2.12) >>
endobj
456 0 obj
-(6.2.24 view Statement Definition and Usage)
+(6.2.12 lwres Statement Definition and Usage)
endobj
457 0 obj
-<< /S /GoTo /D (subsection.6.2.25) >>
+<< /S /GoTo /D (subsection.6.2.13) >>
endobj
460 0 obj
-(6.2.25 zone Statement Grammar)
+(6.2.13 masters Statement Grammar)
endobj
461 0 obj
-<< /S /GoTo /D (subsection.6.2.26) >>
+<< /S /GoTo /D (subsection.6.2.14) >>
endobj
464 0 obj
-(6.2.26 zone Statement Definition and Usage)
+(6.2.14 masters Statement Definition and Usage)
endobj
465 0 obj
-<< /S /GoTo /D (subsubsection.6.2.26.1) >>
+<< /S /GoTo /D (subsection.6.2.15) >>
endobj
468 0 obj
-(6.2.26.1 Zone Types)
+(6.2.15 options Statement Grammar)
endobj
469 0 obj
-<< /S /GoTo /D (subsubsection.6.2.26.2) >>
+<< /S /GoTo /D (subsection.6.2.16) >>
endobj
472 0 obj
-(6.2.26.2 Class)
+(6.2.16 options Statement Definition and Usage)
endobj
473 0 obj
-<< /S /GoTo /D (subsubsection.6.2.26.3) >>
+<< /S /GoTo /D (subsubsection.6.2.16.1) >>
endobj
476 0 obj
-(6.2.26.3 Zone Options)
+(6.2.16.1 Boolean Options)
endobj
477 0 obj
-<< /S /GoTo /D (subsubsection.6.2.26.4) >>
+<< /S /GoTo /D (subsubsection.6.2.16.2) >>
endobj
480 0 obj
-(6.2.26.4 Dynamic Update Policies)
+(6.2.16.2 Forwarding)
endobj
481 0 obj
-<< /S /GoTo /D (section.6.3) >>
+<< /S /GoTo /D (subsubsection.6.2.16.3) >>
endobj
484 0 obj
-(6.3 Zone File)
+(6.2.16.3 Dual-stack Servers)
endobj
485 0 obj
-<< /S /GoTo /D (subsection.6.3.1) >>
+<< /S /GoTo /D (subsubsection.6.2.16.4) >>
endobj
488 0 obj
-(6.3.1 Types of Resource Records and When to Use Them)
+(6.2.16.4 Access Control)
endobj
489 0 obj
-<< /S /GoTo /D (subsubsection.6.3.1.1) >>
+<< /S /GoTo /D (subsubsection.6.2.16.5) >>
endobj
492 0 obj
-(6.3.1.1 Resource Records)
+(6.2.16.5 Interfaces)
endobj
493 0 obj
-<< /S /GoTo /D (subsubsection.6.3.1.2) >>
+<< /S /GoTo /D (subsubsection.6.2.16.6) >>
endobj
496 0 obj
-(6.3.1.2 Textual expression of RRs)
+(6.2.16.6 Query Address)
endobj
497 0 obj
-<< /S /GoTo /D (subsection.6.3.2) >>
+<< /S /GoTo /D (subsubsection.6.2.16.7) >>
endobj
500 0 obj
-(6.3.2 Discussion of MX Records)
+(6.2.16.7 Zone Transfers)
endobj
501 0 obj
-<< /S /GoTo /D (subsection.6.3.3) >>
+<< /S /GoTo /D (subsubsection.6.2.16.8) >>
endobj
504 0 obj
-(6.3.3 Setting TTLs)
+(6.2.16.8 UDP Port Lists)
endobj
505 0 obj
-<< /S /GoTo /D (subsection.6.3.4) >>
+<< /S /GoTo /D (subsubsection.6.2.16.9) >>
endobj
508 0 obj
-(6.3.4 Inverse Mapping in IPv4)
+(6.2.16.9 Operating System Resource Limits)
endobj
509 0 obj
-<< /S /GoTo /D (subsection.6.3.5) >>
+<< /S /GoTo /D (subsubsection.6.2.16.10) >>
endobj
512 0 obj
-(6.3.5 Other Zone File Directives)
+(6.2.16.10 Server Resource Limits)
endobj
513 0 obj
-<< /S /GoTo /D (subsubsection.6.3.5.1) >>
+<< /S /GoTo /D (subsubsection.6.2.16.11) >>
endobj
516 0 obj
-(6.3.5.1 The @ \(at-sign\))
+(6.2.16.11 Periodic Task Intervals)
endobj
517 0 obj
-<< /S /GoTo /D (subsubsection.6.3.5.2) >>
+<< /S /GoTo /D (subsubsection.6.2.16.12) >>
endobj
520 0 obj
-(6.3.5.2 The \044ORIGIN Directive)
+(6.2.16.12 Topology)
endobj
521 0 obj
-<< /S /GoTo /D (subsubsection.6.3.5.3) >>
+<< /S /GoTo /D (subsubsection.6.2.16.13) >>
endobj
524 0 obj
-(6.3.5.3 The \044INCLUDE Directive)
+(6.2.16.13 The sortlist Statement)
endobj
525 0 obj
-<< /S /GoTo /D (subsubsection.6.3.5.4) >>
+<< /S /GoTo /D (subsubsection.6.2.16.14) >>
endobj
528 0 obj
-(6.3.5.4 The \044TTL Directive)
+(6.2.16.14 RRset Ordering)
endobj
529 0 obj
-<< /S /GoTo /D (subsection.6.3.6) >>
+<< /S /GoTo /D (subsubsection.6.2.16.15) >>
endobj
532 0 obj
-(6.3.6 BIND Master File Extension: the \044GENERATE Directive)
+(6.2.16.15 Tuning)
endobj
533 0 obj
-<< /S /GoTo /D (subsection.6.3.7) >>
+<< /S /GoTo /D (subsubsection.6.2.16.16) >>
endobj
536 0 obj
-(6.3.7 Additional File Formats)
+(6.2.16.16 Built-in server information zones)
endobj
537 0 obj
-<< /S /GoTo /D (section.6.4) >>
+<< /S /GoTo /D (subsubsection.6.2.16.17) >>
endobj
540 0 obj
-(6.4 BIND9 Statistics)
+(6.2.16.17 Built-in Empty Zones)
endobj
541 0 obj
-<< /S /GoTo /D (subsubsection.6.4.0.1) >>
+<< /S /GoTo /D (subsubsection.6.2.16.18) >>
endobj
544 0 obj
-(6.4.0.1 The Statistics File)
+(6.2.16.18 Additional Section Caching)
endobj
545 0 obj
-<< /S /GoTo /D (subsection.6.4.1) >>
+<< /S /GoTo /D (subsubsection.6.2.16.19) >>
endobj
548 0 obj
-(6.4.1 Statistics Counters)
+(6.2.16.19 Content Filtering)
endobj
549 0 obj
-<< /S /GoTo /D (subsubsection.6.4.1.1) >>
+<< /S /GoTo /D (subsubsection.6.2.16.20) >>
endobj
552 0 obj
-(6.4.1.1 Name Server Statistics Counters)
+(6.2.16.20 Response Policy Zone \(RPZ\) Rewriting)
endobj
553 0 obj
-<< /S /GoTo /D (subsubsection.6.4.1.2) >>
+<< /S /GoTo /D (subsection.6.2.17) >>
endobj
556 0 obj
-(6.4.1.2 Zone Maintenance Statistics Counters)
+(6.2.17 server Statement Grammar)
endobj
557 0 obj
-<< /S /GoTo /D (subsubsection.6.4.1.3) >>
+<< /S /GoTo /D (subsection.6.2.18) >>
endobj
560 0 obj
-(6.4.1.3 Resolver Statistics Counters)
+(6.2.18 server Statement Definition and Usage)
endobj
561 0 obj
-<< /S /GoTo /D (subsubsection.6.4.1.4) >>
+<< /S /GoTo /D (subsection.6.2.19) >>
endobj
564 0 obj
-(6.4.1.4 Socket I/O Statistics Counters)
+(6.2.19 statistics-channels Statement Grammar)
endobj
565 0 obj
-<< /S /GoTo /D (subsubsection.6.4.1.5) >>
+<< /S /GoTo /D (subsection.6.2.20) >>
endobj
568 0 obj
-(6.4.1.5 Compatibility with BIND 8 Counters)
+(6.2.20 statistics-channels Statement Definition and Usage)
endobj
569 0 obj
-<< /S /GoTo /D (chapter.7) >>
+<< /S /GoTo /D (subsection.6.2.21) >>
endobj
572 0 obj
-(7 BIND 9 Security Considerations)
+(6.2.21 trusted-keys Statement Grammar)
endobj
573 0 obj
-<< /S /GoTo /D (section.7.1) >>
+<< /S /GoTo /D (subsection.6.2.22) >>
endobj
576 0 obj
-(7.1 Access Control Lists)
+(6.2.22 trusted-keys Statement Definition and Usage)
endobj
577 0 obj
-<< /S /GoTo /D (section.7.2) >>
+<< /S /GoTo /D (subsection.6.2.23) >>
endobj
580 0 obj
-(7.2 Chroot and Setuid)
+(6.2.23 managed-keys Statement Grammar)
endobj
581 0 obj
-<< /S /GoTo /D (subsection.7.2.1) >>
+<< /S /GoTo /D (subsection.6.2.24) >>
endobj
584 0 obj
-(7.2.1 The chroot Environment)
+(6.2.24 managed-keys Statement Definition and Usage)
endobj
585 0 obj
-<< /S /GoTo /D (subsection.7.2.2) >>
+<< /S /GoTo /D (subsection.6.2.25) >>
endobj
588 0 obj
-(7.2.2 Using the setuid Function)
+(6.2.25 view Statement Grammar)
endobj
589 0 obj
-<< /S /GoTo /D (section.7.3) >>
+<< /S /GoTo /D (subsection.6.2.26) >>
endobj
592 0 obj
-(7.3 Dynamic Update Security)
+(6.2.26 view Statement Definition and Usage)
endobj
593 0 obj
-<< /S /GoTo /D (chapter.8) >>
+<< /S /GoTo /D (subsection.6.2.27) >>
endobj
596 0 obj
-(8 Troubleshooting)
+(6.2.27 zone Statement Grammar)
endobj
597 0 obj
-<< /S /GoTo /D (section.8.1) >>
+<< /S /GoTo /D (subsection.6.2.28) >>
endobj
600 0 obj
-(8.1 Common Problems)
+(6.2.28 zone Statement Definition and Usage)
endobj
601 0 obj
-<< /S /GoTo /D (subsection.8.1.1) >>
+<< /S /GoTo /D (subsubsection.6.2.28.1) >>
endobj
604 0 obj
-(8.1.1 It's not working; how can I figure out what's wrong?)
+(6.2.28.1 Zone Types)
endobj
605 0 obj
-<< /S /GoTo /D (section.8.2) >>
+<< /S /GoTo /D (subsubsection.6.2.28.2) >>
endobj
608 0 obj
-(8.2 Incrementing and Changing the Serial Number)
+(6.2.28.2 Class)
endobj
609 0 obj
-<< /S /GoTo /D (section.8.3) >>
+<< /S /GoTo /D (subsubsection.6.2.28.3) >>
endobj
612 0 obj
-(8.3 Where Can I Get Help?)
+(6.2.28.3 Zone Options)
endobj
613 0 obj
-<< /S /GoTo /D (appendix.A) >>
+<< /S /GoTo /D (subsubsection.6.2.28.4) >>
endobj
616 0 obj
-(A Appendices)
+(6.2.28.4 Dynamic Update Policies)
endobj
617 0 obj
-<< /S /GoTo /D (section.A.1) >>
+<< /S /GoTo /D (section.6.3) >>
endobj
620 0 obj
-(A.1 Acknowledgments)
+(6.3 Zone File)
endobj
621 0 obj
-<< /S /GoTo /D (subsection.A.1.1) >>
+<< /S /GoTo /D (subsection.6.3.1) >>
endobj
624 0 obj
-(A.1.1 A Brief History of the DNS and BIND)
+(6.3.1 Types of Resource Records and When to Use Them)
endobj
625 0 obj
-<< /S /GoTo /D (section.A.2) >>
+<< /S /GoTo /D (subsubsection.6.3.1.1) >>
endobj
628 0 obj
-(A.2 General DNS Reference Information)
+(6.3.1.1 Resource Records)
endobj
629 0 obj
-<< /S /GoTo /D (subsection.A.2.1) >>
+<< /S /GoTo /D (subsubsection.6.3.1.2) >>
endobj
632 0 obj
-(A.2.1 IPv6 addresses \(AAAA\))
+(6.3.1.2 Textual expression of RRs)
endobj
633 0 obj
-<< /S /GoTo /D (section.A.3) >>
+<< /S /GoTo /D (subsection.6.3.2) >>
endobj
636 0 obj
-(A.3 Bibliography \(and Suggested Reading\))
+(6.3.2 Discussion of MX Records)
endobj
637 0 obj
-<< /S /GoTo /D (subsection.A.3.1) >>
+<< /S /GoTo /D (subsection.6.3.3) >>
endobj
640 0 obj
-(A.3.1 Request for Comments \(RFCs\))
+(6.3.3 Setting TTLs)
endobj
641 0 obj
-<< /S /GoTo /D (subsection.A.3.2) >>
+<< /S /GoTo /D (subsection.6.3.4) >>
endobj
644 0 obj
-(A.3.2 Internet Drafts)
+(6.3.4 Inverse Mapping in IPv4)
endobj
645 0 obj
-<< /S /GoTo /D (subsection.A.3.3) >>
+<< /S /GoTo /D (subsection.6.3.5) >>
endobj
648 0 obj
-(A.3.3 Other Documents About BIND)
+(6.3.5 Other Zone File Directives)
endobj
649 0 obj
-<< /S /GoTo /D (appendix.B) >>
+<< /S /GoTo /D (subsubsection.6.3.5.1) >>
endobj
652 0 obj
-(B Manual pages)
+(6.3.5.1 The @ \(at-sign\))
endobj
653 0 obj
-<< /S /GoTo /D (section.B.1) >>
+<< /S /GoTo /D (subsubsection.6.3.5.2) >>
endobj
656 0 obj
-(B.1 dig)
+(6.3.5.2 The \044ORIGIN Directive)
endobj
657 0 obj
-<< /S /GoTo /D (section.B.2) >>
+<< /S /GoTo /D (subsubsection.6.3.5.3) >>
endobj
660 0 obj
-(B.2 host)
+(6.3.5.3 The \044INCLUDE Directive)
endobj
661 0 obj
-<< /S /GoTo /D (section.B.3) >>
+<< /S /GoTo /D (subsubsection.6.3.5.4) >>
endobj
664 0 obj
-(B.3 dnssec-dsfromkey)
+(6.3.5.4 The \044TTL Directive)
endobj
665 0 obj
-<< /S /GoTo /D (section.B.4) >>
+<< /S /GoTo /D (subsection.6.3.6) >>
endobj
668 0 obj
-(B.4 dnssec-keyfromlabel)
+(6.3.6 BIND Master File Extension: the \044GENERATE Directive)
endobj
669 0 obj
-<< /S /GoTo /D (section.B.5) >>
+<< /S /GoTo /D (subsection.6.3.7) >>
endobj
672 0 obj
-(B.5 dnssec-keygen)
+(6.3.7 Additional File Formats)
endobj
673 0 obj
-<< /S /GoTo /D (section.B.6) >>
+<< /S /GoTo /D (section.6.4) >>
endobj
676 0 obj
-(B.6 dnssec-signzone)
+(6.4 BIND9 Statistics)
endobj
677 0 obj
-<< /S /GoTo /D (section.B.7) >>
+<< /S /GoTo /D (subsubsection.6.4.0.1) >>
endobj
680 0 obj
-(B.7 named-checkconf)
+(6.4.0.1 The Statistics File)
endobj
681 0 obj
-<< /S /GoTo /D (section.B.8) >>
+<< /S /GoTo /D (subsection.6.4.1) >>
endobj
684 0 obj
-(B.8 named-checkzone)
+(6.4.1 Statistics Counters)
endobj
685 0 obj
-<< /S /GoTo /D (section.B.9) >>
+<< /S /GoTo /D (subsubsection.6.4.1.1) >>
endobj
688 0 obj
-(B.9 named)
+(6.4.1.1 Name Server Statistics Counters)
endobj
689 0 obj
-<< /S /GoTo /D (section.B.10) >>
+<< /S /GoTo /D (subsubsection.6.4.1.2) >>
endobj
692 0 obj
-(B.10 nsupdate)
+(6.4.1.2 Zone Maintenance Statistics Counters)
endobj
693 0 obj
-<< /S /GoTo /D (section.B.11) >>
+<< /S /GoTo /D (subsubsection.6.4.1.3) >>
endobj
696 0 obj
-(B.11 rndc)
+(6.4.1.3 Resolver Statistics Counters)
endobj
697 0 obj
-<< /S /GoTo /D (section.B.12) >>
+<< /S /GoTo /D (subsubsection.6.4.1.4) >>
endobj
700 0 obj
-(B.12 rndc.conf)
+(6.4.1.4 Socket I/O Statistics Counters)
endobj
701 0 obj
-<< /S /GoTo /D (section.B.13) >>
+<< /S /GoTo /D (subsubsection.6.4.1.5) >>
endobj
704 0 obj
-(B.13 rndc-confgen)
+(6.4.1.5 Compatibility with BIND 8 Counters)
endobj
705 0 obj
-<< /S /GoTo /D [706 0 R /FitH ] >>
+<< /S /GoTo /D (chapter.7) >>
+endobj
+708 0 obj
+(7 BIND 9 Security Considerations)
+endobj
+709 0 obj
+<< /S /GoTo /D (section.7.1) >>
+endobj
+712 0 obj
+(7.1 Access Control Lists)
+endobj
+713 0 obj
+<< /S /GoTo /D (section.7.2) >>
+endobj
+716 0 obj
+(7.2 Chroot and Setuid)
+endobj
+717 0 obj
+<< /S /GoTo /D (subsection.7.2.1) >>
+endobj
+720 0 obj
+(7.2.1 The chroot Environment)
+endobj
+721 0 obj
+<< /S /GoTo /D (subsection.7.2.2) >>
+endobj
+724 0 obj
+(7.2.2 Using the setuid Function)
+endobj
+725 0 obj
+<< /S /GoTo /D (section.7.3) >>
+endobj
+728 0 obj
+(7.3 Dynamic Update Security)
+endobj
+729 0 obj
+<< /S /GoTo /D (chapter.8) >>
+endobj
+732 0 obj
+(8 Troubleshooting)
+endobj
+733 0 obj
+<< /S /GoTo /D (section.8.1) >>
+endobj
+736 0 obj
+(8.1 Common Problems)
+endobj
+737 0 obj
+<< /S /GoTo /D (subsection.8.1.1) >>
+endobj
+740 0 obj
+(8.1.1 It's not working; how can I figure out what's wrong?)
+endobj
+741 0 obj
+<< /S /GoTo /D (section.8.2) >>
+endobj
+744 0 obj
+(8.2 Incrementing and Changing the Serial Number)
+endobj
+745 0 obj
+<< /S /GoTo /D (section.8.3) >>
+endobj
+748 0 obj
+(8.3 Where Can I Get Help?)
+endobj
+749 0 obj
+<< /S /GoTo /D (appendix.A) >>
+endobj
+752 0 obj
+(A Appendices)
+endobj
+753 0 obj
+<< /S /GoTo /D (section.A.1) >>
+endobj
+756 0 obj
+(A.1 Acknowledgments)
+endobj
+757 0 obj
+<< /S /GoTo /D (subsection.A.1.1) >>
+endobj
+760 0 obj
+(A.1.1 A Brief History of the DNS and BIND)
+endobj
+761 0 obj
+<< /S /GoTo /D (section.A.2) >>
+endobj
+764 0 obj
+(A.2 General DNS Reference Information)
+endobj
+765 0 obj
+<< /S /GoTo /D (subsection.A.2.1) >>
+endobj
+768 0 obj
+(A.2.1 IPv6 addresses \(AAAA\))
+endobj
+769 0 obj
+<< /S /GoTo /D (section.A.3) >>
+endobj
+772 0 obj
+(A.3 Bibliography \(and Suggested Reading\))
+endobj
+773 0 obj
+<< /S /GoTo /D (subsection.A.3.1) >>
+endobj
+776 0 obj
+(A.3.1 Request for Comments \(RFCs\))
+endobj
+777 0 obj
+<< /S /GoTo /D (subsection.A.3.2) >>
+endobj
+780 0 obj
+(A.3.2 Internet Drafts)
+endobj
+781 0 obj
+<< /S /GoTo /D (subsection.A.3.3) >>
+endobj
+784 0 obj
+(A.3.3 Other Documents About BIND)
+endobj
+785 0 obj
+<< /S /GoTo /D (section.A.4) >>
+endobj
+788 0 obj
+(A.4 BIND 9 DNS Library Support)
+endobj
+789 0 obj
+<< /S /GoTo /D (subsection.A.4.1) >>
+endobj
+792 0 obj
+(A.4.1 Prerequisite)
+endobj
+793 0 obj
+<< /S /GoTo /D (subsection.A.4.2) >>
+endobj
+796 0 obj
+(A.4.2 Compilation)
+endobj
+797 0 obj
+<< /S /GoTo /D (subsection.A.4.3) >>
+endobj
+800 0 obj
+(A.4.3 Installation)
+endobj
+801 0 obj
+<< /S /GoTo /D (subsection.A.4.4) >>
+endobj
+804 0 obj
+(A.4.4 Known Defects/Restrictions)
+endobj
+805 0 obj
+<< /S /GoTo /D (subsection.A.4.5) >>
+endobj
+808 0 obj
+(A.4.5 The dns.conf File)
+endobj
+809 0 obj
+<< /S /GoTo /D (subsection.A.4.6) >>
+endobj
+812 0 obj
+(A.4.6 Sample Applications)
endobj
-709 0 obj <<
+813 0 obj
+<< /S /GoTo /D (subsubsection.A.4.6.1) >>
+endobj
+816 0 obj
+(A.4.6.1 sample: a simple stub resolver utility)
+endobj
+817 0 obj
+<< /S /GoTo /D (subsubsection.A.4.6.2) >>
+endobj
+820 0 obj
+(A.4.6.2 sample-async: a simple stub resolver, working asynchronously)
+endobj
+821 0 obj
+<< /S /GoTo /D (subsubsection.A.4.6.3) >>
+endobj
+824 0 obj
+(A.4.6.3 sample-request: a simple DNS transaction client)
+endobj
+825 0 obj
+<< /S /GoTo /D (subsubsection.A.4.6.4) >>
+endobj
+828 0 obj
+(A.4.6.4 sample-gai: getaddrinfo\(\) and getnameinfo\(\) test code)
+endobj
+829 0 obj
+<< /S /GoTo /D (subsubsection.A.4.6.5) >>
+endobj
+832 0 obj
+(A.4.6.5 sample-update: a simple dynamic update client program)
+endobj
+833 0 obj
+<< /S /GoTo /D (subsubsection.A.4.6.6) >>
+endobj
+836 0 obj
+(A.4.6.6 nsprobe: domain/name server checker in terms of RFC 4074)
+endobj
+837 0 obj
+<< /S /GoTo /D (subsection.A.4.7) >>
+endobj
+840 0 obj
+(A.4.7 Library References)
+endobj
+841 0 obj
+<< /S /GoTo /D (appendix.B) >>
+endobj
+844 0 obj
+(B Manual pages)
+endobj
+845 0 obj
+<< /S /GoTo /D (section.B.1) >>
+endobj
+848 0 obj
+(B.1 dig)
+endobj
+849 0 obj
+<< /S /GoTo /D (section.B.2) >>
+endobj
+852 0 obj
+(B.2 host)
+endobj
+853 0 obj
+<< /S /GoTo /D (section.B.3) >>
+endobj
+856 0 obj
+(B.3 dnssec-dsfromkey)
+endobj
+857 0 obj
+<< /S /GoTo /D (section.B.4) >>
+endobj
+860 0 obj
+(B.4 dnssec-keyfromlabel)
+endobj
+861 0 obj
+<< /S /GoTo /D (section.B.5) >>
+endobj
+864 0 obj
+(B.5 dnssec-keygen)
+endobj
+865 0 obj
+<< /S /GoTo /D (section.B.6) >>
+endobj
+868 0 obj
+(B.6 dnssec-revoke)
+endobj
+869 0 obj
+<< /S /GoTo /D (section.B.7) >>
+endobj
+872 0 obj
+(B.7 dnssec-settime)
+endobj
+873 0 obj
+<< /S /GoTo /D (section.B.8) >>
+endobj
+876 0 obj
+(B.8 dnssec-signzone)
+endobj
+877 0 obj
+<< /S /GoTo /D (section.B.9) >>
+endobj
+880 0 obj
+(B.9 named-checkconf)
+endobj
+881 0 obj
+<< /S /GoTo /D (section.B.10) >>
+endobj
+884 0 obj
+(B.10 named-checkzone)
+endobj
+885 0 obj
+<< /S /GoTo /D (section.B.11) >>
+endobj
+888 0 obj
+(B.11 named)
+endobj
+889 0 obj
+<< /S /GoTo /D (section.B.12) >>
+endobj
+892 0 obj
+(B.12 named-journalprint)
+endobj
+893 0 obj
+<< /S /GoTo /D (section.B.13) >>
+endobj
+896 0 obj
+(B.13 nsupdate)
+endobj
+897 0 obj
+<< /S /GoTo /D (section.B.14) >>
+endobj
+900 0 obj
+(B.14 rndc)
+endobj
+901 0 obj
+<< /S /GoTo /D (section.B.15) >>
+endobj
+904 0 obj
+(B.15 rndc.conf)
+endobj
+905 0 obj
+<< /S /GoTo /D (section.B.16) >>
+endobj
+908 0 obj
+(B.16 rndc-confgen)
+endobj
+909 0 obj
+<< /S /GoTo /D (section.B.17) >>
+endobj
+912 0 obj
+(B.17 ddns-confgen)
+endobj
+913 0 obj
+<< /S /GoTo /D (section.B.18) >>
+endobj
+916 0 obj
+(B.18 arpaname)
+endobj
+917 0 obj
+<< /S /GoTo /D (section.B.19) >>
+endobj
+920 0 obj
+(B.19 genrandom)
+endobj
+921 0 obj
+<< /S /GoTo /D (section.B.20) >>
+endobj
+924 0 obj
+(B.20 isc-hmac-fixup)
+endobj
+925 0 obj
+<< /S /GoTo /D (section.B.21) >>
+endobj
+928 0 obj
+(B.21 nsec3hash)
+endobj
+929 0 obj
+<< /S /GoTo /D [930 0 R /FitH ] >>
+endobj
+933 0 obj <<
/Length 240
/Filter /FlateDecode
>>
@@ -1060,32 +1396,32 @@ stream
xÚ•OKA Åïó)rl›N2Éü9ZªRA¡27ñ°´[)¸[ºÖïïlWË‚^$0ïý˜y[Š *Z—BTK
ÛÖXx+Þ½¡oFÔ¡Šsåð‡[ LÁ+T\@1M±_8±Eo=C¥BÈÌ~À—Ù,C yÄŠƒÂ•Ë»—Ùrý´š——ì,ãf׺Ãǹ¯ÏÇ~”ž›}Ó7ݶ™¿æ a$/¾äKc¼\óXwŸõûà›Û| §â1'p®äðqH'`Ô ð3‹zšüßÚ±y±n VG³1°™ž07l(%tî[þM^Xúendstream
endobj
-706 0 obj <<
+930 0 obj <<
/Type /Page
-/Contents 709 0 R
-/Resources 708 0 R
+/Contents 933 0 R
+/Resources 932 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 715 0 R
+/Parent 939 0 R
>> endobj
-707 0 obj <<
+931 0 obj <<
/Type /XObject
/Subtype /Form
/FormType 1
/PTEX.FileName (./isc-logo.pdf)
/PTEX.PageNumber 1
-/PTEX.InfoDict 716 0 R
+/PTEX.InfoDict 940 0 R
/Matrix [1.00000000 0.00000000 0.00000000 1.00000000 0.00000000 0.00000000]
/BBox [0.00000000 0.00000000 612.00000000 792.00000000]
/PieceInfo <<
-/Illustrator 717 0 R
+/Illustrator 941 0 R
>>
/Resources <<
/ColorSpace <<
-/CS0 718 0 R
+/CS0 942 0 R
>>/Properties <<
-/MC0 719 0 R
+/MC0 943 0 R
>>/ExtGState <<
-/GS0 720 0 R
+/GS0 944 0 R
>>>>
/Length 843
/Filter /FlateDecode
@@ -1101,7 +1437,7 @@ BqÕ•l9uš
!=§ ¨Œø†vGc £I#/'~<1‚ÀÔRPy±´ýl1½Ͷw1 чd }¡þa
Ë9b :žÎÞF" ‹>64”~0IGD˜Ë Ø°$ÙtMâ¯%Z½Gð¾¥Úñ§aÑÌ‘ I¼ ý—/øýzü+À
endobj
-716 0 obj
+940 0 obj
<<
/CreationDate (D:20100303120319-08'00')
/Creator (Adobe Illustrator CS3)
@@ -1110,24 +1446,24 @@ endobj
/Title (ISC_logo_only_RGB)
>>
endobj
-717 0 obj
+941 0 obj
<<
-/Private 721 0 R
+/Private 945 0 R
/LastModified (D:20100412113400-07'00')
>>
endobj
-718 0 obj
-[/ICCBased 722 0 R]
+942 0 obj
+[/ICCBased 946 0 R]
endobj
-719 0 obj
+943 0 obj
<<
-/Intent 723 0 R
-/Usage 724 0 R
+/Intent 947 0 R
+/Usage 948 0 R
/Name (Layer 1)
/Type /OCG
>>
endobj
-720 0 obj
+944 0 obj
<<
/OPM 1
/BM /Normal
@@ -1141,22 +1477,22 @@ endobj
/SA true
>>
endobj
-721 0 obj
+945 0 obj
<<
/RoundtripVersion 13
/ContainerVersion 11
/CreatorVersion 13
-/AIMetaData 725 0 R
-/AIPrivateData1 726 0 R
-/AIPrivateData2 727 0 R
-/AIPrivateData3 728 0 R
-/AIPrivateData4 729 0 R
-/AIPrivateData5 730 0 R
+/AIMetaData 949 0 R
+/AIPrivateData1 950 0 R
+/AIPrivateData2 951 0 R
+/AIPrivateData3 952 0 R
+/AIPrivateData4 953 0 R
+/AIPrivateData5 954 0 R
/NumBlock 5
/RoundtripStreamType 1
>>
endobj
-722 0 obj
+946 0 obj
<<
/Length 281
/Filter /FlateDecode
@@ -1167,10 +1503,10 @@ H‰b``2ptqre``ÈÍ+)
rwRˆˆŒR`?ÏÀÆÀÌ
ò‹KRS€j!îAˆBPˆi
endobj
-723 0 obj
+947 0 obj
[/View/Design]
endobj
-724 0 obj
+948 0 obj
<<
/CreatorInfo <<
/Subtype /Artwork
@@ -1178,21 +1514,21 @@ endobj
>>
>>
endobj
-725 0 obj
+949 0 obj
<<
/Length 981
>>
stream
%!PS-Adobe-3.0 %%Creator: Adobe Illustrator(R) 13.0 %%AI8_CreatorVersion: 13.0.2 %%For: (Brian Reid) () %%Title: (ISC_logo_only_RGB.ai) %%CreationDate: 4/12/10 11:34 AM %%BoundingBox: 247 367 366 413 %%HiResBoundingBox: 247.0869 367.5654 365.0859 412.583 %%DocumentProcessColors: Cyan Magenta Yellow Black %AI5_FileFormat 9.0 %AI12_BuildNumber: 434 %AI3_ColorUsage: Color %AI7_ImageSettings: 0 %%RGBProcessColor: 0 0.658824 0.8 (ISC logo blue) %%+ 0.372549 0.376471 0.384314 (PANTONE 425 U) %%+ 0 0 0 ([Registration]) %AI3_TemplateBox: 306.5 395.5 306.5 395.5 %AI3_TileBox: 18 33.1201 594 786.96 %AI3_DocumentPreview: None %AI5_ArtSize: 612 792 %AI5_RulerUnits: 3 %AI9_ColorModel: 1 %AI5_ArtFlags: 0 0 0 1 0 0 0 0 0 %AI5_TargetResolution: 800 %AI5_NumLayers: 1 %AI9_OpenToView: -381 793 0.92 1268 743 26 0 0 117 75 0 0 1 1 1 0 1 %AI5_OpenViewLayers: 7 %%PageOrigin:0 0 %AI7_GridSettings: 72 8 72 8 1 0 0.8 0.8 0.8 0.9 0.9 0.9 %AI9_Flatten: 1 %AI12_CMSettings: 00.MS %%EndComments endstream
endobj
-726 0 obj
+950 0 obj
<<
/Length 11082
>>
stream
%%BoundingBox: 247 367 366 413 %%HiResBoundingBox: 247.0869 367.5654 365.0859 412.583 %AI7_Thumbnail: 128 52 8 %%BeginData: 10932 Hex Bytes %0000330000660000990000CC0033000033330033660033990033CC0033FF %0066000066330066660066990066CC0066FF009900009933009966009999 %0099CC0099FF00CC0000CC3300CC6600CC9900CCCC00CCFF00FF3300FF66 %00FF9900FFCC3300003300333300663300993300CC3300FF333300333333 %3333663333993333CC3333FF3366003366333366663366993366CC3366FF %3399003399333399663399993399CC3399FF33CC0033CC3333CC6633CC99 %33CCCC33CCFF33FF0033FF3333FF6633FF9933FFCC33FFFF660000660033 %6600666600996600CC6600FF6633006633336633666633996633CC6633FF %6666006666336666666666996666CC6666FF669900669933669966669999 %6699CC6699FF66CC0066CC3366CC6666CC9966CCCC66CCFF66FF0066FF33 %66FF6666FF9966FFCC66FFFF9900009900339900669900999900CC9900FF %9933009933339933669933999933CC9933FF996600996633996666996699 %9966CC9966FF9999009999339999669999999999CC9999FF99CC0099CC33 %99CC6699CC9999CCCC99CCFF99FF0099FF3399FF6699FF9999FFCC99FFFF %CC0000CC0033CC0066CC0099CC00CCCC00FFCC3300CC3333CC3366CC3399 %CC33CCCC33FFCC6600CC6633CC6666CC6699CC66CCCC66FFCC9900CC9933 %CC9966CC9999CC99CCCC99FFCCCC00CCCC33CCCC66CCCC99CCCCCCCCCCFF %CCFF00CCFF33CCFF66CCFF99CCFFCCCCFFFFFF0033FF0066FF0099FF00CC %FF3300FF3333FF3366FF3399FF33CCFF33FFFF6600FF6633FF6666FF6699 %FF66CCFF66FFFF9900FF9933FF9966FF9999FF99CCFF99FFFFCC00FFCC33 %FFCC66FFCC99FFCCCCFFCCFFFFFF33FFFF66FFFF99FFFFCC110000001100 %000011111111220000002200000022222222440000004400000044444444 %550000005500000055555555770000007700000077777777880000008800 %000088888888AA000000AA000000AAAAAAAABB000000BB000000BBBBBBBB %DD000000DD000000DDDDDDDDEE000000EE000000EEEEEEEE0000000000FF %00FF0000FFFFFF0000FF00FFFFFF00FFFFFF %524C45FD1F52285252A8FD04FFFD05A8FFFFFFA87DFD4F52285252522852 %525228525252285252522852525228525252285252522852277DA8FFFFA8 %7D7D525227FD04527DA8FFFFA85252275252522852525228525252285252 %522852525228525252285252522852525228525252285252522852525228 
%52525228525252285252522852525228525252285252522852525228FD21 %52A8FFFF7D7D525227FD0752275252A8FFFF7DFD215227FD2A522E522752 %2E5227522E5227522E5227522E5227522E5227522E5227527DFFFFA85252 %27522E5227522E5227522E5227522752A8FF7D5227522E5227522E522752 %2E5227522E5227522E5227522E5227522E522752277D7D7D275227522E52 %27522E5227522E5227522E5227522E5227522E5227522E5227522E522752 %2E5227FD1A52277DA8FFA87D2EFD11522E527DFFA853FD1D52A8FFFFFF7D %28FD285228525252285252522852525228525252285252522852277DFFFF %7D522752525228525252285252522852525228525252275252FFA8522752 %285252522852525228525252285252522852525228525252277DFFA852A8 %FF5227525252285252522852525228525252285252522852525228525252 %285252522852525228FD1852277DFFFFFD1B52FFA8FD1A527DFFA8275252 %FF7DFD265227522E5227522E5227522E5227522E5227522E522752277DFF %FF525227522E5227522E5227522E5227522E5227522E5227522E52275252 %FFA852275227522E5227522E5227522E5227522E5227522E522752A8A827 %522E527DA9275227522E5227522E5227522E5227522E5227522E52275227 %5227522E5227522E5227522EFD17527DFFA8FD1E527DFFA8FD17527DFFFD %0452287DFFFD155228FD075228FD08522852525228525252285252522852 %5252285252522852527D2752525228525252285252522852525228525252 %2852525228525252285252527DFF7D522852525228525252285252522852 %525228FD0452FF7D5228FD0452FF52522852525228525252285252522752 %2752527DA1A8A8FFCACFA8CAA17D5252275228FD3C52A8FFFD145228A8FF %53FD0652FFA82EFD0C527D7DCAFD04FFAFAF85AF85AFAFFFFFFFA87DFD05 %522E5227522E5227522E5227522E5227522E5227522E5227522E5227522E %5227522E5227522E5227522E5227522E5227522E5227522E5227522752A8 %FF275227522E5227522E5227522E5227522E522752FFA827522E5227522E %FF7D522E5227522E522752275252A8FFFFAFAF603CFD041413FD04143C60 %AFFFFF535227FD3A52277DFFA827FD11527DFFFD0852A8FFFD0952A8CFFF %FFAF3C3D1414141A141A141A141A141A14141461AFFFA8FD045228525252 %285252522852525228525252285252522852525228525252285252522852 %5252285252522852525228525252285252522852525227A8FF5227525252 %2852525228525252285252522EFFA85227525252285228A87D5252522852 
%27527DFFFFAF603CFD07141A1414141A1414141AFD041460FFA8FD3D52FF %A8FD10527DFF7DFD0F527DFFFFA9611414141A141A141A141A141A141A14 %1A141A141A141A14143CFFA827522E5227522E5227522E5227522E522752 %2E5227522E5227522E5227522E5227522E5227522E5227522E5227522E52 %27522E5227522E5227522E527DFF525227522E5227522E5227522E522752 %A8FF27522E5227522E5227522852275252A8FFFF3C1413FD191436FFFD3C %5259FFA828FD0E52FF7DFD0D527DFFFF8B1414141A141A141A141A141A14 %1A141A141A141A141A141A141A141A141460285252522852525228525252 %285252522852525228525252275227522752275227525252285252522852 %52522852525228525252285252522852525227A8FF7D2752525228525252 %2852525227A8FF52275252522852525228522752A8FFA93CFD05141A1414 %141A1414141A1414141A1414141A1414141A1414141A1414FD1552285252 %7D527D597D527DFD065227FD1852FFA8FD0D52FFFFFD0A52277DFFFF601A %141A141A141A141A141A141A141A141A141A141A141A141A141A141A141A %141A142E5227522E5227522E5227522E5227522752527D7DA8A8FD09FFA8 %FFA8A87D532852275227522E5227522E5227522E5227522E5227522E527D %FF525227522E5227522E52275252FF7D522E5227522E522752277DFFFF36 %FD2314FD0E527D7DFD07FFA8A87DA87DA87DFD04A8FD05FFA87DFD15527D %FFA827FD0A52A8FF7DFD0952A8FFAF1414141A141A141A141A141A141A14 %1A141A141A141A141A141A141A141A141A141A141A145252285252522852 %525227527DA8FFFFFFA87D7D52522752275227522752275227522752527D %A8FFFFFFA87E52522752525228525252285252522852525227A8FF522752 %5252285252522752FFA8275252522852525227A8FF85FD05141A1414141A %1414141A1414141A1414141A1414141A1414141A1414141A1414141AFD07 %52275253A8FFFFFFA8FD045227FD0F522EFD04527D7DFFFFFFA87DFD1052 %7DFF7DFD0A52FF7DFD0852A8FF8B1414141A141A141A141A141A141A141A %141A141A141A141A141A141A141A141A141A141A141A1427522E52275227 %7DA8FFFFA85252275227522E5227522E5227522E5227522E5227522E5227 %522E52275227527DFFFFFF7D52275227522E5227522E5227522752A8A827 %5227522E52275227A8FF5227522752525227A8FF6113FD2714FD0652A8FF %FF7D7D28FD22527DA8FFFF7DFD0C5227A8FF7DFD0852A8FFFD06522EA8FF %61141A141A141A141A141A141A141A141A141A141A141A141A141A141A14 
%1A141A141A141A141A141A14285227527DFFFF7D52522752285252522852 %525228525252285252522852525228525252285252522852525228522752 %52FFFFA8525228522852525228FD0452FF7D5228525252285252FF7D5252 %52285227A8FF611414141A1414141A1414141A1414141A1414141A141414 %1A1414141A1414141A1414141A1414141A141452277DFFFFA87D28FD2952 %287DFFFF7EFD0B52A8FFFD065227A8FF7D2752525227A8FF8B141A141A14 %1A141A141A141A141A141A141A141A141A141A141A141A141A141A141A14 %1A141A141A141A1428A8FFFF525227522E5227522E5227522E5227522E52 %27522E5227522E5227522E5227522E5227522E5227522E5227522E522752 %7DFFA87D275227522E522752277EFF52275227522852A8FF52522752277D %FF8BFD121413FD0F1413FD0914FFFFA8FD3352FFFFA8FD0952FF7DFD0652 %FFA8FD04527DFFAF141A141A141A141A141A141A141A141A141A14613C3C %141A141A141A141A141A141A143D3C3C141A141A141A14FF7D2752525228 %525252285252522852525228525252285252522852525228525252285252 %522852525228525252285252522852525227A8FFA8FD045228525252A8A8 %27522852277DFF7D27522752A8FFFD051461A9AF848B1414141A141436AF %AFFFFFFFAFAF36FD04141A14141461A9FFAFFFAFAF601A1414141A7D2EFD %3552277DFFFFFD0752A8FFFD05527DFFFD04527DFF3C14141A141484FFFF %FFAF1A141A141A85FD09FF841A141A141A14AFFD08FF841A141A1427522E %5227522E5227522E5227522E5227522E5227522E5227522E5227522E5227 %522E5227522E5227522E5227522E5227522E5227522E52277DA8FF52522E %5227527DFF52522E5227FFA852275252FF60FD061485FFFFFFAFFD041460 %FD0BFF36FD0414AFFD0AFF60141414FD3A5253FFFF7DFD04527DFFA85252 %527DFFA8285252FFAF1A141A141A141A84FFFFFFAF3D141A14FD05FF603D %60FD04FFAF141A1461FD04FFA96136AFFD04FF141A142852525228525252 %285252522852525228525252285252522852525228525252285252522852 %52522852525228525252285252522852525228522752A8FF5252285252FF %A8FD0452FF7D5227A8FF3C141AFD051485FFFFFFAF14141460FD04FF3614 %141460FFFFFFA91A141484FFFFFFA91A141414FD04FF611414FD3D52A8FF %FD0452A8FF525228A8FF7D277DFF8B141A141A141A141A85FFFFFFAF1A14 %1A60FD04FF3C141A1461FD04FF141A14FD04FF8B141A141AAFFFFFFF601A %142E5227522E5227522E5227522E5227522E5227522E5227522E5227522E 
%5227522E5227522E5227522E5227522E5227522E5227522E5227522E5227 %522752A8FF5252277DFF7D2752A8FF2752A8FFFD08141385FFFFFFAF1414 %1361FD04FF36FD04148584856014133CFD04FF60FD0414FD04FF851314FD %3D52287DFFFF525252FF7D5252FFA8527DFF3C1A141A141A141A141A85FF %FFFFAF1A141A60FD04FFAF141A141A141A141A141A3CFD04FF61141A141A %3C616061361A145252285252522852525228525252285252522852525228 %525252285252522852525228525252285252522852525228525252275252 %522752525228525252277DFF7E2752FFA82753FF7E27FFA914141A141414 %1A1414148BFFFFFFAF1414143CAFFD04FFAFFD091461FD04FF3614141AFD %07141AFD2B522852285227FD075227FD075227A8FF7D27FFA8527DFF7D7D %FF3D141A141A141A141A141484FFFFFFA91A141A1485FD06FF603C141A14 %1A14143CFD04FF61141A141A141A141A141A1427522E5227522E5227522E %5227522E5227522E5227522E5227522E5227522E5227522E522752275227 %FD04527D7DA8A8FFA8FFA8FFA8A87D7D52522752275227FFA8527DFF277D %FF52A8AF13FD0A1485FFFFFFAFFD0414138BFD06FFA860FD05143CFD04FF %36FD0B14FD2852A8A8FD07FFA8FFA8FFA8FD06FFA87D5227527DFF7D7DFF %7DA8FF7DFF3C1A141A141A141A141A141A84FFFFFFAF3D141A141A148BFD %07FF8B141A141A3CFD04FF61141A141A141A141A141A1428525252285252 %522852525228525252285252522852525228525252285252522752275252 %A8A8FFFFFFA8A87D7DFD065227FD04527D7DA8FFFFA87D2752A8FF52FF7D %A8A8CAA914141A1414141A1414141A1485FFFFFFAFFD071460A8FD06FF8B %1414143CFD04FF36FD04141A1414141A1414FD2252A8FD04FF7D7D525228 %5227FD0B52275252527DFFFFFF5253FFA8A8A8FFA8FF61141A141A141A14 %1A141A141A85FFFFFFAF1A141A141A141A141A60FD06FF85141A3CFD04FF %61141A141A141A141A141A142E5227522E5227522E5227522E5227522E52 %27522E5227522E5227522752277DA8FFFFA859522752275227522E522752 %2E5227522E5227522E5227522752277DA8FF7DA8FFFFA8FFFFAFFD0C1413 %85FFFFFFAFFD061413FD0414AFFD04FFA9141360FD04FF36FD051413FD05 %14FD1D527DFFFFFF7D7DFD1E52A8FFA8FD05FF601A141A141A141A141A14 %1A141A85FFFFFFAF1A141A143D363D141A141A14FD05FF3C1A3CFD04FF61 %141A141A60AF85AF601A1452522852525228525252285252522852525228 %52525228525252277DFFFFA87D2E52275252522852525228525252285252 
%52285252522852525228525252285228527DFD06FF3C141A1414141A1414 %141A1414148BFFFFFFAF141414AFFFFFAF8BFD04143CFD04FF3C143CFD04 %FF60FD04148BFFFFFFAF1414FD1752285259FFFFA9525227FD2352A8FD04 %FFAF141A141A141A141A141A141A141484FFFFFFA91A141484FFFFFFA91A %141A1461FD04FF3C1414FD04FF8B141A141AA9FFFFFF85141427522E5227 %522E5227522E5227522E5227522E52275227527DFFA87D27522E5227522E %5227522E5227522E5227522E5227522E5227522E5227522E5227522E5227 %522752A8FFFFFF60FD0E1485FFFFFFAF14141485FD04FFFD041436FD04FF %3C141484FFFFFFA8FD0414FD04FF611414FD16527DFFFF7D5228FD275227 %A8FFFFFF3D141A141A141A141A141A141A141A84FFFFFFAF3D141460FD04 %FFAF363C3CFD05FF141A1461FD04FF853C148BFD04FF3C1A142752275227 %52275227522752275227522752275227A8FFA82852275227522752275227 %522752275227522752275227522752275227522752275227522752275227 %52275252FFFFAFFD0F1485FFFFFFAFFD0414A8FD05FFAFFD05FF36FD0414 %AFFD0AFF841414147D527D527D527D527D527D527D527D527D527D52A8FF %FF527D527D527D527D527D527D527D527D527D527D527D527D527D527D52 %7D527D527D527D527D527D527D527D527DA8FF853C363D3C3C363D3C3C36 %3D3C3C363D85FFFFFFAF3D363D3685FD0AFFAF3C363D3C3C60FD0AFF6136 %3D3CFD16FFA8FD49FFAFFD11FFAFFD09FFAFFFFFFF %%EndData endstream
endobj
-727 0 obj
+951 0 obj
<<
/Length 65536
>>
@@ -1466,7 +1802,7 @@ sÓ ·ÓíÑ·OÒ„ŸuMÊ’ÏyÒÁQÊ—*V€)-z=¦Hèªmƈœ~ÅñÓ×z…Sý[t¸c&4 ŽªªAj^råº;ņÜ(cçç
Dx^QÜ×}Ì
˜ØyY‰Ÿ‹© ¨zŽ…N¬V¥%™­‚¨™@“£=HU˜ü¢³l0¼Tq_PIÐ/u,dÆö¶fý"íŒØ¾MMæu [endstream
endobj
-728 0 obj
+952 0 obj
<<
/Length 65536
>>
@@ -1708,7 +2044,7 @@ qlÞ¯­ò×âô`>
¶“¬ûVG=# [ül&wJ΂fkíY”&{öñß1øÀ ÛÄ%'DSì
 F?؆Fß®U E2,„Ò -[‰Ðð~Eô׈bˆ¨<Þë‹uAhÜš:®—Ú[ɬëxÏ*}ñ
endobj
-729 0 obj
+953 0 obj
<<
/Length 65536
>>
@@ -1931,7 +2267,7 @@ uALŽk‹Š=ŽÉÀÇš?éì•ëðå0ƒ¨Ua¦7S“«ÙŽ®&éÀ­Ó˜çÈî¹m(‚4„Ћz35Ãùd2pnSø׸®÷—fSµNP™š
]×g1ͼ‘ôAÚF¥5³ò(ª®Í
endobj
-730 0 obj
+954 0 obj
<<
/Length 53114
>>
@@ -2128,18 +2464,18 @@ Y‘φ㧻Ç'ÇÕpV— ´Š›·§/ óü8
œ;ø# ñ<Ý°'€å‰íö Ð"W€­
Ö^IYïc­
endobj
-710 0 obj <<
-/D [706 0 R /XYZ 85.0394 794.5015 null]
+934 0 obj <<
+/D [930 0 R /XYZ 85.0394 794.5015 null]
>> endobj
-711 0 obj <<
-/D [706 0 R /XYZ 85.0394 769.5949 null]
+935 0 obj <<
+/D [930 0 R /XYZ 85.0394 769.5949 null]
>> endobj
-708 0 obj <<
-/Font << /F21 714 0 R >>
-/XObject << /Im1 707 0 R >>
+932 0 obj <<
+/Font << /F21 938 0 R >>
+/XObject << /Im1 931 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-733 0 obj <<
+957 0 obj <<
/Length 1065
/Filter /FlateDecode
>>
@@ -2150,22 +2486,22 @@ xÚÅV]ªH}Ÿ_Á㘌m@Cl\À;ÙìÝFq$™#Ì5óïoA7 j&û¶ñ¡«écÕ©SÕDÃð#šÁTh¦Ð‘‰¡m>
ܹïÍÝÀq‡‘ÂÆsÍÞÔ"ÃrËfŒFÌ„|Ãu|R9¶#/î¤×ÉIxŘîã~[tûô”µÞø‚‘¡ˆ+7‚ÎYÚ}>³ï¶ÌÍUB GD˜H¼’o¯’<¾@ß^%”DLKt>k¢÷^×]“&¥°Ýê/ ¬ÀûôŽ”—JžßY¥úž#“˜W
EÙö\êüuòjp99é{Í!OºoPvÓ§¶tÏj÷tHl_UÇ?&“óù\+ŒòrƒŠ†ÔÛäæÖV\f ú ûŸŸ·¿—~endstream
endobj
-732 0 obj <<
+956 0 obj <<
/Type /Page
-/Contents 733 0 R
-/Resources 731 0 R
+/Contents 957 0 R
+/Resources 955 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 715 0 R
+/Parent 939 0 R
>> endobj
-734 0 obj <<
-/D [732 0 R /XYZ 56.6929 794.5015 null]
+958 0 obj <<
+/D [956 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-731 0 obj <<
-/Font << /F22 737 0 R /F14 740 0 R >>
+955 0 obj <<
+/Font << /F22 961 0 R /F14 964 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-743 0 obj <<
-/Length 2885
+967 0 obj <<
+/Length 2886
/Filter /FlateDecode
>>
stream
@@ -2173,1351 +2509,1783 @@ xÚí]wÛ¸†ïó+tWûB(¾ ^:Ž“u·ÉæÄÎé×ö‚GflõX¤KQ¾ €# œÍn²±tö´¥áÌÎû
x6$a»N9pšÛCcÓ®³ŒhÉ\HŸE.õ]y<çö°þ4ü|U/6+›Íã¹2ù±?l¾žå™Éÿß$5>Ó;²}Ž`¸+äîù?CO$ Œ"Ôy H«î*ÖŽ"î(ú©9fæ躨–ÿ-ú+j ¨Ë›åú1ZRdûÌ$)>›É¤
êœqNLžYç<'\_³È¾já6Vü„×›êªè†ˆâ¶3ŒØ»*䉘øL&c 1L R&‘00LPç#&,#LQ0á“~$q7“¢ºŠ/ös¡å³¤bŸ±d€!†TÁ!†ê|ÄÚ)¢â"à ¯«^lÊŸõ¬æŒ.>ãÉ8C '¨(‚S$ 'ÔyÀIåœäJ†r¥/X:œN6íMÝ,[;ã¹/wÊ•²¹/›þž”íc]²–Š4DØREL" AwΔ$Y–å3e(1JuÉP™Xžo–«¢y~y[Øâµ±9|¯†¨d
€!F¡ Fê|¤@’©L
-¸£àⶸ<(nöçNñ9.|ê’¹
-¿Z×U½n— ÷Ð̈ƒ2fûHBÎ’
-0ÄPj±é®ÓX*¨÷€ŠoTn|Eä[S.în—-,>ÔB¿åpäeHf bŒA™1Æ"q`Œ¡ÞÇ{£Ä¦/÷…{ÙÙ/`Ó~ý˜¹îoe»¹ëJ$±Ïpøô%à 18 <lº%*êÝ@,7DRæëßuyqþæxn¿|˜‰}µE‘ E*gÐálKj6½ß‹á ÷!f4T(Z„Þ”U·#çwNnÜ£n¥äÇòáñ6ÌY±p;/ï‹e³ý>´êuÛ?ö©¿®Ë ÏN²öÀÓfÓ>¦=ê=¬­³ÌΠ¨â£öa³ådÓÖ«"ìµ8†÷Üé}¹ð}z’ņ˜ø0ýlz§-&>ê}_ÛÉ3Í€ö~_åmQmü<
-Ÿµ_¿ËP²ü£¦>È?&þn˜ö˜ëqÌW”PßmØiï÷TN뻇Ð`öÏý¥›0»²´­]kPí·Þßöƒ]+¾â;ñ}n’U†˜ì0÷˜î‘80áQï£ò"#¹­$ƒòþEQ畽¯"ÚÃÇlýÝ<|j«€?¸ÏÎ~Y®Û²êžÄ̘úÎ4÷YIÖbšÃ¬cšGâÀ4G½šsEŒo'ì4—AóuÛ›£î•ÐÂo_à¡ÑÐMGôóYÖ
-ÙJfb,@50"q`, ÞG˜ “ÿRŽa^=ÃkjO‹r½Ï´ÃƒW}… ŸwÃ]PÍå-ŠÑc¨Â¦,"A`D`®G (#ÚwúuDø7-œ5ƒÊÃØx}à¯Ì“O{2PÀ#
-ÊŠ!‰c
-õî×®LNË|¡ýÒÕgëšuÄaéê«-‘z%R)vdPg„±Hb¨kOX–éítÖïÎœ¿évæè°-'i~@ì« h^‘TÒ€BÔ›ÓIÒ"A`ÿê
-æz|§?ܽ‹߯òîââìÔNtöã˜o•K~*S£‚!j7‚ Â¿ò3ç91±÷wªëAœ ;ýM.‚u/Dbjæ¾ÔŶD¾ðgòÞþàª;endstream
+¸£àⶸ<(nöçNñ9.|ê’¹
+¿Z×U½n— ÷Ð̈ƒ2fûHBÎ’
+‹µÁPá_ù™óœ˜ØûÆ»Õõ Î…~‰‰&Áº"15s_êb["_ø3yoÿ>ªendstream
endobj
-742 0 obj <<
+966 0 obj <<
/Type /Page
-/Contents 743 0 R
-/Resources 741 0 R
+/Contents 967 0 R
+/Resources 965 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 715 0 R
-/Annots [ 746 0 R 747 0 R 748 0 R 749 0 R 750 0 R 751 0 R 752 0 R 753 0 R 754 0 R 755 0 R 756 0 R 757 0 R 758 0 R 759 0 R 760 0 R 761 0 R 762 0 R 763 0 R 764 0 R 765 0 R 766 0 R 767 0 R 768 0 R 769 0 R 770 0 R 771 0 R 772 0 R 773 0 R 774 0 R 775 0 R 776 0 R 777 0 R 778 0 R 779 0 R 780 0 R 781 0 R 782 0 R 783 0 R 784 0 R 785 0 R 786 0 R 787 0 R 788 0 R 789 0 R 790 0 R 791 0 R 792 0 R 793 0 R 794 0 R 795 0 R ]
+/Parent 939 0 R
+/Annots [ 970 0 R 971 0 R 972 0 R 973 0 R 974 0 R 975 0 R 976 0 R 977 0 R 978 0 R 979 0 R 980 0 R 981 0 R 982 0 R 983 0 R 984 0 R 985 0 R 986 0 R 987 0 R 988 0 R 989 0 R 990 0 R 991 0 R 992 0 R 993 0 R 994 0 R 995 0 R 996 0 R 997 0 R 998 0 R 999 0 R 1000 0 R 1001 0 R 1002 0 R 1003 0 R 1004 0 R 1005 0 R 1006 0 R 1007 0 R 1008 0 R 1009 0 R 1010 0 R 1011 0 R 1012 0 R 1013 0 R 1014 0 R 1015 0 R 1016 0 R 1017 0 R 1018 0 R 1019 0 R ]
>> endobj
-746 0 obj <<
+970 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [532.6051 688.709 539.579 697.4212]
/Subtype /Link
/A << /S /GoTo /D (chapter.1) >>
>> endobj
-747 0 obj <<
+971 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [532.6051 676.5858 539.579 685.5919]
/Subtype /Link
/A << /S /GoTo /D (section.1.1) >>
>> endobj
-748 0 obj <<
+972 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [532.6051 664.4876 539.579 673.4937]
/Subtype /Link
/A << /S /GoTo /D (section.1.2) >>
>> endobj
-749 0 obj <<
+973 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [532.6051 652.3894 539.579 661.3954]
/Subtype /Link
/A << /S /GoTo /D (section.1.3) >>
>> endobj
-750 0 obj <<
+974 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [532.6051 640.2911 539.579 649.1477]
/Subtype /Link
/A << /S /GoTo /D (section.1.4) >>
>> endobj
-751 0 obj <<
+975 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [532.6051 628.1929 539.579 637.0495]
/Subtype /Link
/A << /S /GoTo /D (subsection.1.4.1) >>
>> endobj
-752 0 obj <<
+976 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [532.6051 616.0946 539.579 624.9512]
/Subtype /Link
/A << /S /GoTo /D (subsection.1.4.2) >>
>> endobj
-753 0 obj <<
+977 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [532.6051 603.9964 539.579 612.853]
/Subtype /Link
/A << /S /GoTo /D (subsection.1.4.3) >>
>> endobj
-754 0 obj <<
+978 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [532.6051 591.7985 539.579 600.7547]
/Subtype /Link
/A << /S /GoTo /D (subsection.1.4.4) >>
>> endobj
-755 0 obj <<
+979 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [532.6051 579.7002 539.579 588.6565]
/Subtype /Link
/A << /S /GoTo /D (subsubsection.1.4.4.1) >>
>> endobj
-756 0 obj <<
+980 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [532.6051 567.6019 539.579 576.5582]
/Subtype /Link
/A << /S /GoTo /D (subsubsection.1.4.4.2) >>
>> endobj
-757 0 obj <<
+981 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [532.6051 555.5037 539.579 564.46]
/Subtype /Link
/A << /S /GoTo /D (subsubsection.1.4.4.3) >>
>> endobj
-758 0 obj <<
+982 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [532.6051 543.5051 539.579 552.5112]
/Subtype /Link
/A << /S /GoTo /D (subsection.1.4.5) >>
>> endobj
-759 0 obj <<
+983 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [532.6051 531.4069 539.579 540.413]
/Subtype /Link
/A << /S /GoTo /D (subsubsection.1.4.5.1) >>
>> endobj
-760 0 obj <<
+984 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [532.6051 519.3086 539.579 528.3147]
/Subtype /Link
/A << /S /GoTo /D (subsection.1.4.6) >>
>> endobj
-761 0 obj <<
+985 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [532.6051 496.5559 539.579 505.288]
/Subtype /Link
/A << /S /GoTo /D (chapter.2) >>
>> endobj
-762 0 obj <<
+986 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [532.6051 484.4775 539.579 493.4338]
/Subtype /Link
/A << /S /GoTo /D (section.2.1) >>
>> endobj
-763 0 obj <<
+987 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [532.6051 472.3792 539.579 481.3355]
/Subtype /Link
/A << /S /GoTo /D (section.2.2) >>
>> endobj
-764 0 obj <<
+988 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [532.6051 460.281 539.579 469.2373]
/Subtype /Link
/A << /S /GoTo /D (section.2.3) >>
>> endobj
-765 0 obj <<
+989 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [532.6051 448.1827 539.579 457.139]
/Subtype /Link
/A << /S /GoTo /D (section.2.4) >>
>> endobj
-766 0 obj <<
+990 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [532.6051 436.0845 539.579 445.0408]
/Subtype /Link
/A << /S /GoTo /D (section.2.5) >>
>> endobj
-767 0 obj <<
+991 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [532.6051 413.5759 539.579 422.1635]
/Subtype /Link
/A << /S /GoTo /D (chapter.3) >>
>> endobj
-768 0 obj <<
+992 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [532.6051 401.4527 539.579 410.3093]
/Subtype /Link
/A << /S /GoTo /D (section.3.1) >>
>> endobj
-769 0 obj <<
+993 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [532.6051 389.3544 539.579 398.2111]
/Subtype /Link
/A << /S /GoTo /D (subsection.3.1.1) >>
>> endobj
-770 0 obj <<
+994 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [532.6051 377.2562 539.579 386.1128]
/Subtype /Link
/A << /S /GoTo /D (subsection.3.1.2) >>
>> endobj
-771 0 obj <<
+995 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [532.6051 365.0583 539.579 374.0146]
/Subtype /Link
/A << /S /GoTo /D (section.3.2) >>
>> endobj
-772 0 obj <<
+996 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [532.6051 352.96 539.579 361.9163]
/Subtype /Link
/A << /S /GoTo /D (section.3.3) >>
>> endobj
-773 0 obj <<
+997 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [532.6051 340.8618 539.579 349.818]
/Subtype /Link
/A << /S /GoTo /D (subsection.3.3.1) >>
>> endobj
-774 0 obj <<
+998 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [532.6051 328.7635 539.579 337.7198]
/Subtype /Link
/A << /S /GoTo /D (subsubsection.3.3.1.1) >>
>> endobj
-775 0 obj <<
+999 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [532.6051 316.6653 539.579 325.6216]
/Subtype /Link
/A << /S /GoTo /D (subsubsection.3.3.1.2) >>
>> endobj
-776 0 obj <<
+1000 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 304.6667 539.579 313.6728]
+/Rect [527.6238 304.567 539.579 313.6728]
/Subtype /Link
/A << /S /GoTo /D (subsection.3.3.2) >>
>> endobj
-777 0 obj <<
+1001 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [527.6238 281.9139 539.579 290.7706]
/Subtype /Link
/A << /S /GoTo /D (chapter.4) >>
>> endobj
-778 0 obj <<
+1002 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [527.6238 269.8356 539.579 278.9413]
/Subtype /Link
/A << /S /GoTo /D (section.4.1) >>
>> endobj
-779 0 obj <<
+1003 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [527.6238 257.7373 539.579 266.8431]
/Subtype /Link
/A << /S /GoTo /D (section.4.2) >>
>> endobj
-780 0 obj <<
+1004 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [527.6238 245.6391 539.579 254.7448]
/Subtype /Link
/A << /S /GoTo /D (subsection.4.2.1) >>
>> endobj
-781 0 obj <<
+1005 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 233.6405 539.579 242.6465]
+/Rect [527.6238 233.5408 539.579 242.6465]
/Subtype /Link
/A << /S /GoTo /D (section.4.3) >>
>> endobj
-782 0 obj <<
+1006 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 221.5422 539.579 230.5483]
+/Rect [527.6238 221.4426 539.579 230.5483]
/Subtype /Link
/A << /S /GoTo /D (section.4.4) >>
>> endobj
-783 0 obj <<
+1007 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 209.3443 539.579 218.4501]
+/Rect [527.6238 209.444 539.579 218.4501]
/Subtype /Link
/A << /S /GoTo /D (subsection.4.4.1) >>
>> endobj
-784 0 obj <<
+1008 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 197.3457 539.579 206.3518]
+/Rect [527.6238 197.2461 539.579 206.3518]
/Subtype /Link
/A << /S /GoTo /D (section.4.5) >>
>> endobj
-785 0 obj <<
+1009 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 185.2475 539.579 194.2536]
+/Rect [527.6238 185.1478 539.579 194.1041]
/Subtype /Link
/A << /S /GoTo /D (subsection.4.5.1) >>
>> endobj
-786 0 obj <<
+1010 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 173.0496 539.579 182.1553]
+/Rect [527.6238 173.0496 539.579 182.0058]
/Subtype /Link
/A << /S /GoTo /D (subsubsection.4.5.1.1) >>
>> endobj
-787 0 obj <<
+1011 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 160.9513 539.579 170.0571]
+/Rect [527.6238 160.9513 539.579 169.9076]
/Subtype /Link
/A << /S /GoTo /D (subsubsection.4.5.1.2) >>
>> endobj
-788 0 obj <<
+1012 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 148.8531 539.579 157.9588]
+/Rect [527.6238 148.8531 539.579 157.8094]
/Subtype /Link
/A << /S /GoTo /D (subsection.4.5.2) >>
>> endobj
-789 0 obj <<
+1013 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 136.7548 539.579 145.8606]
+/Rect [527.6238 136.7548 539.579 145.7111]
/Subtype /Link
/A << /S /GoTo /D (subsection.4.5.3) >>
>> endobj
-790 0 obj <<
+1014 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 124.6566 539.579 133.7623]
+/Rect [527.6238 124.7562 539.579 133.7623]
/Subtype /Link
/A << /S /GoTo /D (subsection.4.5.4) >>
>> endobj
-791 0 obj <<
+1015 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 112.5583 539.579 121.6641]
+/Rect [527.6238 112.658 539.579 121.6641]
/Subtype /Link
/A << /S /GoTo /D (subsection.4.5.5) >>
>> endobj
-792 0 obj <<
+1016 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 100.4601 539.579 109.5658]
+/Rect [527.6238 100.5597 539.579 109.5658]
/Subtype /Link
/A << /S /GoTo /D (subsection.4.5.6) >>
>> endobj
-793 0 obj <<
+1017 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 88.3618 539.579 97.4676]
+/Rect [527.6238 88.4615 539.579 97.4676]
/Subtype /Link
/A << /S /GoTo /D (section.4.6) >>
>> endobj
-794 0 obj <<
+1018 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 76.2636 539.579 85.2199]
+/Rect [527.6238 76.3632 539.579 85.2199]
/Subtype /Link
/A << /S /GoTo /D (section.4.7) >>
>> endobj
-795 0 obj <<
+1019 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 64.1653 539.579 73.1216]
+/Rect [527.6238 64.265 539.579 73.1216]
/Subtype /Link
/A << /S /GoTo /D (section.4.8) >>
>> endobj
-744 0 obj <<
-/D [742 0 R /XYZ 85.0394 794.5015 null]
+968 0 obj <<
+/D [966 0 R /XYZ 85.0394 794.5015 null]
>> endobj
-745 0 obj <<
-/D [742 0 R /XYZ 85.0394 711.9273 null]
+969 0 obj <<
+/D [966 0 R /XYZ 85.0394 711.9273 null]
>> endobj
-741 0 obj <<
-/Font << /F21 714 0 R /F22 737 0 R >>
+965 0 obj <<
+/Font << /F21 938 0 R /F22 961 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-798 0 obj <<
-/Length 3163
+1022 0 obj <<
+/Length 3273
/Filter /FlateDecode
>>
stream
-xÚí[wÛ¸Çßý)ôh?Åýò˜ûɶM²±÷¥Û}`dÆÖ‰$z%9©ûé Š8´À‘ÐÆili÷ìÚ‰9œñüÂ`@d#êÿe#¥‰vÜŒ“DQ¦F“ù ]ùŸ½9aí1ãpÐõüâä/¯…9â4×£‹Ï#©ájs2K¨µltqùûé‹÷ï.^½»8?ûãâ—“Wñ¬Ð3£¢>åŸ'¿ÿAG—>€_N(ΪÑ7ÿJ˜s|4?‘J%…3;9?ù5žütcšüM%\hžøU8¿JýCÅFF9¢›_DKØÙ˜qJOß”‹rY¬§‹«³1Wôô¯åÝêll5?%gcåx|_¤sßíd÷¥¦>ëFè.Ÿ[Ú,¯FÍ7¡ZÁn ·ÕÚ>­§[qõSq`¬ Þ+ÒM©Ž¬ð–•óéÕ"‚²¾.›oþQ-üw†ê#1(1!«ÙÄ
-9Îb
-eÉÅ)̳ËË峧åjÕò·ªúr{Óþá·Uzžùšï>–“jcs¹™ì˜Ç@À æ!/ÙšCLs˜w.†5OÄiŽzo5×Îi„‹šó!Í×Uóõ]1/q
-ÞM?}šµÇ¼®–ób3⸟]昊\™¡!"s/Ո̩8™·½3è½m´1„ù2²q®êÊàsqf˜½°‘vzu½þVÖÿŸçU5óÓŠáì>Œý² qow“55œ5p:,[[^S•TkE˜d¶ÉÖf¬+iÌ×pzÚZË;_N¥|Ê%s…¾ìO0Ä>IPŒ‰D¨÷Ȇ„1Ê[6xËÆÇÛE׺)*^å¼ò“.gÔÁͪI ÉÌ&b¤@±0Rq`¤lyOŽ¹‚K]ƒ©nÇÜ­¡¶ëàŠõ´Zr>—Ër1)‡3N¾÷x °ñÍÍpÆÀé°LmyM~¦˜%Æ´«€:Ž·ÉÔ¼ž†¹Å«Y9/k?QÌj¿2ÈGHiö' bŸ,(ÆI"ŒÔ{˜´RMŒÔ*à2ܨü½XO®CQ^Õ¨hÃ=í=TB:³Q†*P.n‡QIÄ¡‚zg\)˜)aÒv°lpõzÈÝb]üël,œ:.­îJLe.(Ð¥'J*Ü{ŠåD[Á
-
-0Ä@Ra $âÀ@A½w HM”íšʱ®l3²”Í
-©Í¦¦³Ã ÂaÌl!ƒ¹Äpωa2n'2³êêªÞI–(TÆyNíZÏQò vÆg£ 1v „<‰80zPï&ýáNwKô¡øÙc¢óÿÙeõÝîËlN€!Æ Ô
-ã$Æ ê=^e’”N¤Ô×#m»myM}W-ìwr],ejÕÏrR)Ý÷ázY¬< ZðÚՄôfà 1x |BÓˆƒõáÎÃb@;UŸ ?\UËÔLGR¢­¹¤ö *TLo.<Ч'ŸÐƒð¤â@àÁ½wðK˜”°FÕ·§î ÏŸ·åòn\.—Õ2µø§,q҆ſ4/´Ô r2™Í 0Ä8J‰áýu©80NPïíLÆ÷ê„1êÓî«š³oË2Å÷ó˜8¨ Mƒ¹Ò|}<¦;%`ˆ¡åÄPJÄ¡„z()I¨e¼C‰?J»gÄ’¹'T¥BZ³‘†2P61¼ +† ê= #9¡Ò©™ÝW4çÅj]&kRÝGI§wöáú°f9!ÇÙü
-ƒo¼jý«Î{ß”qx­2ö¶+Ìuxo€"‚ƒ&Â>>û< ï)ôœm>óßÝÌÐ7·tZaïm¹Á"ñ]¿cî¼´É–øÿqJñÿýÕÂÝe}k‘ØžÅ-%J+5~þ*š±t:Eî‰ÙBÿkTïendstream
+xÚímsÛ6ÇßûShæÞØ3'ñ ¼t§×6q|‘r3wm_¨6ãhªW–’ºŸþ@‘ ®$pmä’4¶ÕÎD´ÄÕ®öÿ#vA‚ïáÞÓ†/|ÏzÅtÁuïbzPô®ÂkßðfŸ>ìÔÇ{=üã…´=ϼ¦7|×SZ3¡×oæXáï /:<y}6<=Ž~þpp:ŒïŠ=óBVoùûÁO¿½ËÀ“ÞéÞÇðGÁ¸÷¢7=PZ2­¤„g&ƒƒÅ7D¯®M“Ÿ„LH#EôQª5ïY홑B®?ˆbŽñ£>Eqø]9+£åxvuÔº8ü±¼½9ê;#ÙQ_‡Þƒòþ³½Ù¶ÔEȺ•¦ÍçŽ6‹«^½ñ«v}l¸«ÖîûWz ±¨ŸŠƒb…ô¬(ËLQ˜ÈŠhXŒ¯f”åû²Þøï|¶laöÄÄ@V³‰A†1X5!»‰IÄACzb¤fÚ8‰‘ 1'óÙÏE!®V‹ÈÍ \|(ÕÃåSE¥“Èc6#ÈbëD1’ˆƒb„ônyrL("T5iE‰ˆ‡çgƒÁéÉßk8žßÎFÓñE;°Ü4/Œf—õÆñj9Ÿ†zÕì‡$eÕ7 @§ä•lÉ‘!%9κÐÝ’'â $'½Ã°ÀyèL4›Ž0,„1 m:Þ-Ž¸;œOë¿Æ³›òbµ~ª)1ËyýˆŸ÷V>ØÑ HX6 È‚ BÁˆƒ‚ôÞÀ`¼gÊJa€®b㘣A½±º¾-ù§åòý<ÿÖ˧Qb®r9À†ZÓÉA*‚Ú;pà,SJÄ2{…«Éä¶í7ù?×æz
+ED"ŠÒ;a5S¡ˆD¨†ˆóÅøCúËÛëFÿz𿘯/CiÝ7‘[¨@:³QA†*X.
+•D*¤w@ÅH&­k‹ˆ†"r6øñô?’ùd2¯ç¶û)išÈf6)È"«%l7)‰8(RHï@ŠæLªv¶Á̾Ýèä
+D ¤w
+É„@S^Tã}0»<n UÙ C
+,…A"
+Ò{ƒöœqçÚZÀù}0è:]¹y"ó1ž°Œ Ë…0lBÀŠƒ€ö0Ø ¿¶miࢆá¼\Œç—Ð8ÖòöÛ3SÜ=ñ ¡°@B³aA†,X0
+–D,¤w€ÅØÀ‡V-,²†•ˆx ëõù°‚æõÛaŒßŸ
+,H"
+Ò;\þÔZ³ÂÇyFÕ`èí+žÃ#_ (îpu³l.wÎ.ÞÏõö«ÑltUNËÙ²’Ã>J^:Ñ€ìe£ )4°:‰8(4Hï0v(É
+ç Á¸é:þ]M>G“ñ%ZŸõ¦¼™OB/rÔ—BïÏk¦a„f )X°`,‰8(XHï
+t^Ïnê_oÆ˲:ïéðbÏ¿®,A–³ B†AXEYt”ˆƒ"ˆôÎ…aJrÕS%/ã ¨b¨¢È…ñäÙj<¹ŒÌëër6¼lN¤@s—ŸžÇ•è×eóê|V?¾ÏV„7•ê¯iCã‡Ì•n$QòN SqÒÞ[ `¾K(>AÂÁÉq½aŠ¢Øp0ŸŒã0„x)þÒá<~Öl%‘!¥$Î%¥d"JIÒ{«¤-˜‹¿×BÊû 9˜¿[þsðªZeår“YÈ–¸µ£F9–Ýwh$‚ ô¥\7ÕZiÇœ*d«n3ØÔöÙ÷gÏë-_?|/ß×[U'X÷€F=~?æ,›dHÁ€5¡hHÄAá@zowe˜+PÃÏÔÞÄ;`Ä¿)¯›°tWf£ÌW+¼ð ³õC†”~8ƒ”~‰8(ýHï­~R1k7äŸ _,®nÕå{Ìî>·ŠÍç̱µ£4DY”Ý7·$‚ ¤\·
+Á¬ÒxH†‚›© T^®æ8 ‰È–RãDS"'â T&½CÝ »[.M+rs'qbeXºÏ'á`4…ÛO7dH¡ƒå£ÐIÄA¡CzoБÞ1ã¸oÑQ5:oovo¨­
+ Ò;Œº:žàpÁæøò²>ÖošiàËùü·Õuóê6ŽÃ°¢
+ÎÆ¿þ:iöy1_„ÚQmûo^fHE¶ÌÈ’§š’9%óŽwŽ½7_#%¹aBÈš±êþÆ"äbMÜιƒ—ã«÷ËeõïÖ
+¡ÎìƒÆý²† qï¼ï:kÝwñà·£²µã5YI‹p(x^/×ëo˜¨¾U$æ«;=ÍË¿.F‹ÛPNÈR‡Ï}$Aú²$dHIXŠ‰D¤w`CøPµw ¢ac£¥¨x>*§ÕôÉ[½_ÿÒ(“™K
+6$HÙ‹ %AÊ®÷Ô˜+ŒgNûSÓŒ¹;Cm{*7̱`zý¦|W.ÊÙEÙ9xóûŽ·Ø€o7‚–Ý+†ðÛQ™Úñš<¦´eNØZ&ÇÛdj^Œ¡·8¬×-W÷ÓrûTç+|@J³,dHYX2Š“D/¤÷¦iJ3ë \âW@í4­¯FË‹÷P”o*TŒû9í*ÎlT!…
+–Ku/!KÅA¡BzWÑ„”Ì¥[XÖ¸Èê|Èíl9úã¨/½ÞŸ¿(ÊlP!
+–Š%
+é½Epf¥pÑ€ò¼¬êÐlÜV¡xÊûíÍèªüF5K#1KÙ CŠ¬‚ê^â–Šƒb€ôu¥ð̼­+"Þ·?­ïhÔÐÎîG Hg6*ÈBËE¡’ˆƒB…ô‡ î-3Æ«–}]ùDPb*sAÁ†(R ¤â @¡½· 8f9Í¢”}]Ùe
+$ ÅÎn:”k Gh¦¬o+˜úbèÜ£…Öâ!Ò‰ä2›dHA‚µRª›’D&¤wà„K¦”m+“¾““ñìb²º,S˜f=¿«Ûq\<­FRœ2¤ðÁRø$â ð!½>gŠ›HùRôÜ=È|í‹úŸyÅd2’ÖŽb餺Å&‚ ¡\7€8ϤS2bï¤úÆæDã*wòŽ¡EJ·?é )Ï% Ù$aA ’A$‘®áW‡,“Z´Cû$Ý=ÌèâñM¡ µÙ?OÔÚQ¿N„„#ˆIAý6å:þV
endobj
-797 0 obj <<
+1021 0 obj <<
/Type /Page
-/Contents 798 0 R
-/Resources 796 0 R
+/Contents 1022 0 R
+/Resources 1020 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 715 0 R
-/Annots [ 803 0 R 804 0 R 805 0 R 806 0 R 807 0 R 808 0 R 809 0 R 810 0 R 811 0 R 812 0 R 813 0 R 814 0 R 815 0 R 816 0 R 817 0 R 818 0 R 819 0 R 820 0 R 821 0 R 822 0 R 823 0 R 824 0 R 825 0 R 826 0 R 827 0 R 828 0 R 829 0 R 830 0 R 831 0 R 832 0 R 833 0 R 834 0 R 835 0 R 836 0 R 837 0 R 838 0 R 839 0 R 840 0 R 841 0 R 842 0 R 843 0 R 844 0 R 845 0 R 846 0 R 847 0 R 848 0 R 849 0 R 850 0 R 851 0 R 852 0 R 853 0 R 854 0 R 855 0 R 856 0 R 857 0 R 858 0 R 859 0 R ]
+/Parent 939 0 R
+/Annots [ 1027 0 R 1028 0 R 1029 0 R 1030 0 R 1031 0 R 1032 0 R 1033 0 R 1034 0 R 1035 0 R 1036 0 R 1037 0 R 1038 0 R 1039 0 R 1040 0 R 1041 0 R 1042 0 R 1043 0 R 1044 0 R 1045 0 R 1046 0 R 1047 0 R 1048 0 R 1049 0 R 1050 0 R 1051 0 R 1052 0 R 1053 0 R 1054 0 R 1055 0 R 1056 0 R 1057 0 R 1058 0 R 1059 0 R 1060 0 R 1061 0 R 1062 0 R 1063 0 R 1064 0 R 1065 0 R 1066 0 R 1067 0 R 1068 0 R 1069 0 R 1070 0 R 1071 0 R 1072 0 R 1073 0 R 1074 0 R 1075 0 R 1076 0 R 1077 0 R 1078 0 R 1079 0 R 1080 0 R 1081 0 R 1082 0 R 1083 0 R ]
>> endobj
-803 0 obj <<
+1027 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 758.4766 511.2325 767.4329]
+/Rect [499.2773 758.5763 511.2325 767.4329]
/Subtype /Link
/A << /S /GoTo /D (subsection.4.8.1) >>
>> endobj
-804 0 obj <<
+1028 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 746.5446 511.2325 755.5507]
+/Rect [499.2773 746.445 511.2325 755.4012]
/Subtype /Link
/A << /S /GoTo /D (subsection.4.8.2) >>
>> endobj
-805 0 obj <<
+1029 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 734.5129 511.2325 743.519]
+/Rect [499.2773 734.4133 511.2325 743.3696]
/Subtype /Link
/A << /S /GoTo /D (subsection.4.8.3) >>
>> endobj
-806 0 obj <<
+1030 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 722.4813 511.2325 731.3379]
+/Rect [499.2773 722.3816 511.2325 731.3379]
/Subtype /Link
/A << /S /GoTo /D (section.4.9) >>
>> endobj
-807 0 obj <<
+1031 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [499.2773 710.3499 511.2325 719.3062]
/Subtype /Link
/A << /S /GoTo /D (subsection.4.9.1) >>
>> endobj
-808 0 obj <<
+1032 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [499.2773 698.3182 511.2325 707.2745]
/Subtype /Link
/A << /S /GoTo /D (subsection.4.9.2) >>
>> endobj
-809 0 obj <<
+1033 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 686.2866 511.2325 695.2428]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.4.9.3) >>
+>> endobj
+1034 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 674.2549 511.2325 683.2112]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.4.9.4) >>
+>> endobj
+1035 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 662.3229 511.2325 671.1795]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.4.9.5) >>
+>> endobj
+1036 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 650.2912 511.2325 659.1478]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.4.9.6) >>
+>> endobj
+1037 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 638.2595 511.2325 647.1161]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.4.9.7) >>
+>> endobj
+1038 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 626.1282 511.2325 635.0845]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.4.9.8) >>
+>> endobj
+1039 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 614.0965 511.2325 623.0528]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.4.9.9) >>
+>> endobj
+1040 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 602.0648 511.2325 611.0211]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.4.9.10) >>
+>> endobj
+1041 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 590.0331 511.2325 598.9894]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.4.9.11) >>
+>> endobj
+1042 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 578.0015 511.2325 586.9578]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.4.9.12) >>
+>> endobj
+1043 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 565.9698 511.2325 574.9261]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.4.9.13) >>
+>> endobj
+1044 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 553.9381 511.2325 562.8944]
+/Subtype /Link
+/A << /S /GoTo /D (section.4.10) >>
+>> endobj
+1045 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 541.9064 511.2325 550.8627]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.4.10.1) >>
+>> endobj
+1046 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 529.8748 511.2325 538.831]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.4.10.2) >>
+>> endobj
+1047 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 517.8431 511.2325 526.7994]
+/Subtype /Link
+/A << /S /GoTo /D (section.4.11) >>
+>> endobj
+1048 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 505.8114 511.2325 514.7677]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.4.11.1) >>
+>> endobj
+1049 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 493.7797 511.2325 502.8855]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.4.11.1.1) >>
+>> endobj
+1050 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 481.7481 511.2325 490.8538]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.4.11.1.2) >>
+>> endobj
+1051 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 469.7164 511.2325 478.6727]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.4.11.1.3) >>
+>> endobj
+1052 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 457.6847 511.2325 466.641]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.4.11.2) >>
+>> endobj
+1053 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 445.653 511.2325 454.6093]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.4.11.2.1) >>
+>> endobj
+1054 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 433.6213 511.2325 442.5776]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.4.11.2.2) >>
+>> endobj
+1055 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 675.998 511.2325 684.7301]
+/Rect [499.2773 421.5897 511.2325 430.5459]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.4.11.2.3) >>
+>> endobj
+1056 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 409.558 511.2325 418.5143]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.4.11.3) >>
+>> endobj
+1057 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 397.5263 511.2325 406.4826]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.4.11.4) >>
+>> endobj
+1058 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 385.4946 511.2325 394.4509]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.4.11.5) >>
+>> endobj
+1059 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 373.4629 511.2325 382.4192]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.4.11.6) >>
+>> endobj
+1060 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 361.4313 511.2325 370.3876]
+/Subtype /Link
+/A << /S /GoTo /D (section.4.12) >>
+>> endobj
+1061 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 349.3996 511.2325 358.3559]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.4.12.1) >>
+>> endobj
+1062 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 337.3679 511.2325 346.3242]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.4.12.2) >>
+>> endobj
+1063 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [499.2773 315.0477 511.2325 323.7798]
/Subtype /Link
/A << /S /GoTo /D (chapter.5) >>
>> endobj
-810 0 obj <<
+1064 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 663.9862 511.2325 672.9425]
+/Rect [499.2773 303.0359 511.2325 311.9922]
/Subtype /Link
/A << /S /GoTo /D (section.5.1) >>
>> endobj
-811 0 obj <<
+1065 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 651.9545 511.2325 660.9108]
+/Rect [499.2773 291.0042 511.2325 299.9605]
/Subtype /Link
/A << /S /GoTo /D (section.5.2) >>
>> endobj
-812 0 obj <<
+1066 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 629.7788 511.2325 638.3664]
+/Rect [499.2773 268.684 511.2325 277.4161]
/Subtype /Link
/A << /S /GoTo /D (chapter.6) >>
>> endobj
-813 0 obj <<
+1067 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 617.7222 511.2325 626.5788]
+/Rect [499.2773 256.6722 511.2325 265.6285]
/Subtype /Link
/A << /S /GoTo /D (section.6.1) >>
>> endobj
-814 0 obj <<
+1068 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 605.5908 511.2325 614.5471]
+/Rect [499.2773 244.6405 511.2325 253.7462]
/Subtype /Link
/A << /S /GoTo /D (subsection.6.1.1) >>
>> endobj
-815 0 obj <<
+1069 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 593.5591 511.2325 602.5154]
+/Rect [499.2773 232.6088 511.2325 241.7146]
/Subtype /Link
/A << /S /GoTo /D (subsubsection.6.1.1.1) >>
>> endobj
-816 0 obj <<
+1070 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 581.5275 511.2325 590.4837]
+/Rect [499.2773 220.6768 511.2325 229.6829]
/Subtype /Link
/A << /S /GoTo /D (subsubsection.6.1.1.2) >>
>> endobj
-817 0 obj <<
+1071 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 569.4958 511.2325 578.4521]
+/Rect [499.2773 208.6451 511.2325 217.6512]
/Subtype /Link
/A << /S /GoTo /D (subsection.6.1.2) >>
>> endobj
-818 0 obj <<
+1072 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 557.4641 511.2325 566.4204]
+/Rect [499.2773 196.6134 511.2325 205.6195]
/Subtype /Link
/A << /S /GoTo /D (subsubsection.6.1.2.1) >>
>> endobj
-819 0 obj <<
+1073 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 545.4324 511.2325 554.3887]
+/Rect [499.2773 184.5818 511.2325 193.5878]
/Subtype /Link
/A << /S /GoTo /D (subsubsection.6.1.2.2) >>
>> endobj
-820 0 obj <<
+1074 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 533.4007 511.2325 542.357]
+/Rect [499.2773 172.5501 511.2325 181.5562]
/Subtype /Link
/A << /S /GoTo /D (section.6.2) >>
>> endobj
-821 0 obj <<
+1075 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 521.3691 511.2325 530.4748]
+/Rect [499.2773 160.4187 511.2325 169.5245]
/Subtype /Link
/A << /S /GoTo /D (subsection.6.2.1) >>
>> endobj
-822 0 obj <<
+1076 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 509.3374 511.2325 518.4431]
+/Rect [499.2773 148.3871 511.2325 157.4928]
/Subtype /Link
/A << /S /GoTo /D (subsection.6.2.2) >>
>> endobj
-823 0 obj <<
+1077 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 497.3057 511.2325 506.4115]
+/Rect [499.2773 136.3554 511.2325 145.4611]
/Subtype /Link
/A << /S /GoTo /D (subsection.6.2.3) >>
>> endobj
-824 0 obj <<
+1078 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 485.274 511.2325 494.2303]
+/Rect [499.2773 124.4234 511.2325 133.4295]
/Subtype /Link
/A << /S /GoTo /D (subsection.6.2.4) >>
>> endobj
-825 0 obj <<
+1079 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 473.2424 511.2325 482.1986]
+/Rect [499.2773 112.3917 511.2325 121.3978]
/Subtype /Link
/A << /S /GoTo /D (subsection.6.2.5) >>
>> endobj
-826 0 obj <<
+1080 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 461.2107 511.2325 470.167]
+/Rect [499.2773 100.2604 511.2325 109.3661]
/Subtype /Link
/A << /S /GoTo /D (subsection.6.2.6) >>
>> endobj
-827 0 obj <<
+1081 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 449.179 511.2325 458.1353]
+/Rect [499.2773 88.2287 511.2325 97.3344]
/Subtype /Link
/A << /S /GoTo /D (subsection.6.2.7) >>
>> endobj
-828 0 obj <<
+1082 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 437.1473 511.2325 446.1036]
+/Rect [499.2773 76.197 511.2325 85.3027]
/Subtype /Link
/A << /S /GoTo /D (subsection.6.2.8) >>
>> endobj
-829 0 obj <<
+1083 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 425.1157 511.2325 434.0719]
+/Rect [499.2773 64.1653 511.2325 73.2711]
/Subtype /Link
/A << /S /GoTo /D (subsection.6.2.9) >>
>> endobj
-830 0 obj <<
+1023 0 obj <<
+/D [1021 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+1020 0 obj <<
+/Font << /F37 1026 0 R /F22 961 0 R /F21 938 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1086 0 obj <<
+/Length 3426
+/Filter /FlateDecode
+>>
+stream
+xÚíKSIÇï|
+æ
+Ñʼn‘„óé·ZÝU• Õ)j×0 GØw*Sùÿ©YUÝl@ý6°ŠPáäÀ8Iej0¾Ø¡ƒ3ÿovX{Í0\4„W½<ÙùÇkaŽ8Íõàäx/K¨µlprúëî«·G'G'ï÷~?ùqçà$¾)t̨¨ßñÏ_§ƒSïÿÇJ„³jðÅÿ@ sŽ.v¤DI!Âo¦;ïw~‰oþwmšû JX¢,7™OÂ9ø$ŒsbñÑ)G´àbýQ4á>Ôúƒø˸\0b-•ÞG}Ùt~v6™µ×Á·†ít{ÝûÕhU]T³ÕÞ+º»_ýF)ŸMV“ù¬ùÍhvÚ¼ø°U{CÇÌ.Ù*JïçéÜÿbwMhÅ-Ñœ²”ËÊ,ÎÍ‹c¨U°BÛZÝ|ÿ:¹R߈#hŸ‹#õΔ$Æ70Ò­™¤¶ç¿:t÷ä¼Ê@£)¡Lš†ñùh6«¦9h,‘J…ëÞ/FKÏ‚è^Y¸NÊà é-†bð@ù0x2q`ð Þ<Bí¨‚ððx|Cr6_|ËÐ#)Ñö:<’ÚϽ´<!½Åð
+¤y‰ø£¥¦—“ÉbN€!Æ TJÑ~N2q`œ ÞÓX†1b¤o "'lóXæË¢ÊQÁýHÆ–ɼYŒ..F‹úý°Û™ïÒõÒò]L0Äh‚z*ÖOS&Œ&Ô{¤I;×4?‘&~74mK涧¯Šy-¥"ÔttC¨ÉÅPƒ{OÔXC,MØÍÅh¹ª²]S=’}Ó©Ø™‡Þ}o€Úó“ì0|€€Š÷Ós3 ÌubÇ(b…f yWðÜf.î+½„\S 1L V'™80PPï‰-ˆÕŠ'RÔFRæ—µØYR´‡“™ ÍŒeìi53!ÇÅCŒ ¨!FP&Œ Ô{"Hy8œu?}WÝ¢­1òQ·5!—Ť
+cúg ¹80*Pï 姟Üpˆ…m°ø°ÿ®¡âÝ|ÑÖ~š,W5ò¹¥H™+æb\@eLA+Æê=q!%aJÂq o/«Åhµž”®'ß–«ê¢y}\-çWëe\b.&52VªÇµP,/0Ää… ÆäÍÄÉ‹zOò
+¯¨UªS…¢~ g“›5LoÉ÷¼—€£b€!F
+gâÀ$F½'¥%ºN™œÆ—«¶dý±QT?„Ô½t!IÅ
++ÓÉt
+ 4D éȆ@“‹÷ž ±”N ñÍEÛz‰= 5nÓ]0”µOxy'¦»&`ˆÁåtýGKrq`0¡ÞL~<bÁÙvnï„¥Í Ql{z­Õbd’F ÐÌõ/e‚ÀxÁ\ÇÕ@®4±JÒœ 7Ƹv@íÛeµ>„$žê¦°^6B
+‹á
+úyD?>™@0~P÷ a“ñÞ<¢ž¾®:œÕ·mG?./#Má Ýá»ÏþbnÅóT$f±`ˆAUB!É‚A‚ºOpE˜Q2B¢ZHÞ®ÎÃqÙë³ßõrʤ”ŒW“ÏõtEHö”{¡ÅbH€! T‰ÑþÓø¹@0HP÷i¸ÊüØ„J• ‰Ó—ÛÜÞã_™µ:ÿJðpA}Bk´.'g³æ”–Rì¹{ŠY/†
+bPAUQ¨2`P¡îTÔOz„Ð
+™,åØ!˜@0J2Q  ¾Ó3+ áŽ9Àˆ,aÄO¦rÛJ4±Òõða”zRÃááRv€ÂÔÑþmù™(°Gb¾Á³yˆà,¢£ÛqðËãý0Sªúu} |ðuUÍêRÍ?ý ˜ÑÝU4f´'T…Í‘?¼98:8~Q—úNrM’„R!óÈé{*øô!Ð&ª”€d†
+endobj
+1085 0 obj <<
+/Type /Page
+/Contents 1086 0 R
+/Resources 1084 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 939 0 R
+/Annots [ 1088 0 R 1089 0 R 1090 0 R 1091 0 R 1092 0 R 1093 0 R 1094 0 R 1095 0 R 1096 0 R 1097 0 R 1098 0 R 1099 0 R 1100 0 R 1101 0 R 1102 0 R 1103 0 R 1104 0 R 1105 0 R 1106 0 R 1107 0 R 1108 0 R 1109 0 R 1110 0 R 1111 0 R 1112 0 R 1113 0 R 1114 0 R 1115 0 R 1116 0 R 1117 0 R 1118 0 R 1119 0 R 1120 0 R 1121 0 R 1122 0 R 1123 0 R 1124 0 R 1125 0 R 1126 0 R 1127 0 R 1128 0 R 1129 0 R 1130 0 R 1131 0 R 1132 0 R 1133 0 R 1134 0 R 1135 0 R 1136 0 R 1137 0 R 1138 0 R 1139 0 R 1140 0 R 1141 0 R 1142 0 R 1143 0 R 1144 0 R 1145 0 R 1146 0 R ]
+>> endobj
+1088 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 413.084 511.2325 422.0403]
+/Rect [527.6238 758.4766 539.579 767.5824]
/Subtype /Link
/A << /S /GoTo /D (subsection.6.2.10) >>
>> endobj
-831 0 obj <<
+1089 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 401.0523 511.2325 410.158]
+/Rect [527.6238 746.5057 539.579 755.6115]
/Subtype /Link
/A << /S /GoTo /D (subsubsection.6.2.10.1) >>
>> endobj
-832 0 obj <<
+1090 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 389.0206 511.2325 397.9769]
+/Rect [527.6238 734.5349 539.579 743.6406]
/Subtype /Link
/A << /S /GoTo /D (subsubsection.6.2.10.2) >>
>> endobj
-833 0 obj <<
+1091 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 376.9889 511.2325 385.9452]
+/Rect [527.6238 722.564 539.579 731.5203]
/Subtype /Link
/A << /S /GoTo /D (subsubsection.6.2.10.3) >>
>> endobj
-834 0 obj <<
+1092 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 364.9573 511.2325 373.9135]
+/Rect [527.6238 710.5931 539.579 719.6988]
/Subtype /Link
/A << /S /GoTo /D (subsection.6.2.11) >>
>> endobj
-835 0 obj <<
+1093 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 352.9256 511.2325 361.8819]
+/Rect [527.6238 698.6222 539.579 707.728]
/Subtype /Link
/A << /S /GoTo /D (subsection.6.2.12) >>
>> endobj
-836 0 obj <<
+1094 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 340.8939 511.2325 349.8502]
+/Rect [527.6238 686.6513 539.579 695.6076]
/Subtype /Link
/A << /S /GoTo /D (subsection.6.2.13) >>
>> endobj
-837 0 obj <<
+1095 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 328.8622 511.2325 337.8185]
+/Rect [527.6238 674.6804 539.579 683.6367]
/Subtype /Link
/A << /S /GoTo /D (subsection.6.2.14) >>
>> endobj
-838 0 obj <<
+1096 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 316.8305 511.2325 325.7868]
+/Rect [527.6238 662.7096 539.579 671.6658]
/Subtype /Link
/A << /S /GoTo /D (subsection.6.2.15) >>
>> endobj
-839 0 obj <<
+1097 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 304.8985 511.2325 313.9046]
+/Rect [527.6238 650.7387 539.579 659.695]
/Subtype /Link
/A << /S /GoTo /D (subsection.6.2.16) >>
>> endobj
-840 0 obj <<
+1098 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 292.8669 511.2325 301.873]
+/Rect [527.6238 638.7678 539.579 647.7241]
/Subtype /Link
/A << /S /GoTo /D (subsubsection.6.2.16.1) >>
>> endobj
-841 0 obj <<
+1099 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 280.7355 511.2325 289.8413]
+/Rect [527.6238 626.7969 539.579 635.7532]
/Subtype /Link
/A << /S /GoTo /D (subsubsection.6.2.16.2) >>
>> endobj
-842 0 obj <<
+1100 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 268.7038 511.2325 277.8096]
+/Rect [527.6238 614.826 539.579 623.7823]
/Subtype /Link
/A << /S /GoTo /D (subsubsection.6.2.16.3) >>
>> endobj
-843 0 obj <<
+1101 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 256.6722 511.2325 265.7779]
+/Rect [527.6238 602.8551 539.579 611.8114]
/Subtype /Link
/A << /S /GoTo /D (subsubsection.6.2.16.4) >>
>> endobj
-844 0 obj <<
+1102 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 244.6405 511.2325 253.7462]
+/Rect [527.6238 590.8843 539.579 599.8405]
/Subtype /Link
/A << /S /GoTo /D (subsubsection.6.2.16.5) >>
>> endobj
-845 0 obj <<
+1103 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 232.6088 511.2325 241.5651]
+/Rect [527.6238 578.9134 539.579 587.8696]
/Subtype /Link
/A << /S /GoTo /D (subsubsection.6.2.16.6) >>
>> endobj
-846 0 obj <<
+1104 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 220.5771 511.2325 229.5334]
+/Rect [527.6238 566.9425 539.579 575.8988]
/Subtype /Link
/A << /S /GoTo /D (subsubsection.6.2.16.7) >>
>> endobj
-847 0 obj <<
+1105 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 208.5455 511.2325 217.5017]
+/Rect [527.6238 555.0713 539.579 563.9279]
/Subtype /Link
/A << /S /GoTo /D (subsubsection.6.2.16.8) >>
>> endobj
-848 0 obj <<
+1106 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 196.5138 511.2325 205.4701]
+/Rect [527.6238 543.1004 539.579 551.957]
/Subtype /Link
/A << /S /GoTo /D (subsubsection.6.2.16.9) >>
>> endobj
-849 0 obj <<
+1107 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 184.4821 511.2325 193.4384]
+/Rect [527.6238 531.0298 539.579 539.9861]
/Subtype /Link
/A << /S /GoTo /D (subsubsection.6.2.16.10) >>
>> endobj
-850 0 obj <<
+1108 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 172.4504 511.2325 181.4067]
+/Rect [527.6238 519.0589 539.579 528.0152]
/Subtype /Link
/A << /S /GoTo /D (subsubsection.6.2.16.11) >>
>> endobj
-851 0 obj <<
+1109 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 160.4187 511.2325 169.375]
+/Rect [527.6238 507.1877 539.579 516.1938]
/Subtype /Link
/A << /S /GoTo /D (subsubsection.6.2.16.12) >>
>> endobj
-852 0 obj <<
+1110 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 148.3871 511.2325 157.3433]
+/Rect [527.6238 495.1172 539.579 504.0735]
/Subtype /Link
/A << /S /GoTo /D (subsubsection.6.2.16.13) >>
>> endobj
-853 0 obj <<
+1111 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 136.3554 511.2325 145.3117]
+/Rect [527.6238 483.1463 539.579 492.1026]
/Subtype /Link
/A << /S /GoTo /D (subsubsection.6.2.16.14) >>
>> endobj
-854 0 obj <<
+1112 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 124.3237 511.2325 133.28]
+/Rect [527.6238 471.2751 539.579 480.1317]
/Subtype /Link
/A << /S /GoTo /D (subsubsection.6.2.16.15) >>
>> endobj
-855 0 obj <<
+1113 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 112.292 511.2325 121.2483]
+/Rect [527.6238 459.2045 539.579 468.1608]
/Subtype /Link
/A << /S /GoTo /D (subsubsection.6.2.16.16) >>
>> endobj
-856 0 obj <<
+1114 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 100.2604 511.2325 109.2166]
+/Rect [527.6238 447.2336 539.579 456.1899]
/Subtype /Link
/A << /S /GoTo /D (subsubsection.6.2.16.17) >>
>> endobj
-857 0 obj <<
+1115 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 88.2287 511.2325 97.3344]
+/Rect [527.6238 435.2628 539.579 444.3685]
/Subtype /Link
/A << /S /GoTo /D (subsubsection.6.2.16.18) >>
>> endobj
-858 0 obj <<
+1116 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 76.197 511.2325 85.1533]
+/Rect [527.6238 423.2919 539.579 432.3976]
/Subtype /Link
-/A << /S /GoTo /D (subsection.6.2.17) >>
+/A << /S /GoTo /D (subsubsection.6.2.16.19) >>
>> endobj
-859 0 obj <<
+1117 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 64.1653 511.2325 73.1216]
+/Rect [527.6238 411.321 539.579 420.2773]
/Subtype /Link
-/A << /S /GoTo /D (subsection.6.2.18) >>
+/A << /S /GoTo /D (subsubsection.6.2.16.20) >>
>> endobj
-799 0 obj <<
-/D [797 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-796 0 obj <<
-/Font << /F37 802 0 R /F22 737 0 R /F21 714 0 R >>
-/ProcSet [ /PDF /Text ]
+1118 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 399.3501 539.579 408.3064]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.6.2.17) >>
>> endobj
-862 0 obj <<
-/Length 3452
-/Filter /FlateDecode
->>
-stream
-xÚí[SÛHÇßù~ت…zúªîÞ}Ø%@2LMH˜š­™ÇV@,1¾Àd?ý¶,uë·ŽéÉ@ÀIUpŒŽÎñùÿtú¦–Ù€º¿l`¡Âʶ’(ÊÔ`4Ù¡ƒK÷»7;¬=fß´zu±óÍk¡–ØŒgƒ‹à\†PcØàbüÓîá»Ó‹ãÓ‹ó½_.¾Û9¾'…ŽõÝùé:;ÿßíP"¬Qƒ;÷J˜µ|0Ù‘J%…ðï\ïœïü+œüviû J¢ בOÂ9ø$Œsb¬vÑ)K2ÁÅò£d„;Çõq‡3p¸`Ä*ú°Ù|8/fób4Û] Ë2¿žµ6|5YRÛÚœ;›|’—ó½}®èî›ép2N÷ö%×»do_Qúˆ?¤µ;òžÄŠ’qʺ,®i2½4/ΠJÞn®«´~þ¥JÙZ^õX#¨÷Ž©‰R”F8ý39ʦ”—ż¨Êæa9n^ü0^æNûˆHô²à³•Ì0ÄXXQa!Æê½cA8É2X`Y˜O³y>Þÿ”ŽA  ±Üd
-…‘ôñ Ej½x 1>§ÉÄ
-.â~=ywS·5:|[F‚n>sÉ\
-À…l¸8ú\'ŨíAÜŒ]g£yý¾º.FEÝêH¥ž­ì>1ɲCLv˜x­úeÄÉŽzwk„dÌ\¥öª»BÀèJ%x]\דçÊ~õ-È“îÂz’†cPf ›#q`Œ¡Þ»qåDe*@V÷_§+ÝÖšµêcóó,ŸU‹é3»£Ü¿3ª–oŒg÷4?^åíg^ù!Žï_å7ÔÑâéMÒ†Œ$ë 1½aÆ1½#q`z£ÞCS¢,%Òˆ¬Ó{©¸Ø,­ì%ö,BÂRq€†+‚ 8Äâ@pÀ½w8hC$eÞâà
-
-/û“æ~zAð©Jb @)0"q`  Þ;”v¬A· ŒÇË;Éüm‡Àëj:ÎÝh(ÓÙvà˜Œ0Äð€ÙG$ Ô»_'–Ò5,Öß„&ÛeâºF؆…ó°‡Ëå‰oW„7Mm“aêì0–€œJëA`$a®»‹D2¿, ]\¯±ÔUkøKû|%ƒÐÙa
-¸/ÿaµ(]¤^¦ö…W^J|2“1†'P, ”H)¨÷®fPK¸â
-I¨µ‡Õ7ØG¦ó-J ¿í8Ÿ/ŠqìTÆõö¥i{áGþb½¨ÉÄCŒXí_³ŒÅ‹z?‚rÂx&<²Ývè’bŽKã™õâëÆŠuím;.o›Å£ªlöÅ‹L¼œ‚ØË•Ï|2WÀã
-*‹q‰ã
-õ¸rÅÒ‘";®üæ?Ì ŸñUJ¹30_úf½eMÃÚùëE9jž° õKhlû 
-iO…
-"P­ÈŠ@‹
-÷î›W®uýo™òû#{wÄvÝ[­²í\uŸÓd`€! Ô &Ìš÷Ø(ˆ+EÚçY™v t±ÇÛV‹×ùìʵ^u5êMNcÿÐNw82Ì1Ùþ)ÝîTXîù‹^3RÁÛ祘0À9¬&¿Çç}Ó6»„Lê¼”ÛñLúeäÓœ|Cì2‚2bÜDâÀB½wyÝŸ“*@:‰'󿶣ä²j'ïªé'wMý½ùßUu×¼ ýîŽæGýP¤Ëfói[­«…?ÃÕ0œö®í7^þÃqfžRKës’¬80ć9ÇÄ)ŽzUÃ-YÖ>Å,ûnuÕ8)Gbu7>tãÂöïëay¹Ò»ók…¿_ét1ùP/3ˆÌ>ƒ.|HS2Àc
-èÔðØúj*í«i‘·Ûô¿-fójúyuï~hˆNÏïµØÍŠPFÙ3BÁ'+`ˆ¡
-A‰`ÍwlŽ'SDðf]ëU݈ݷÃ2<Jðfx›èiÃnm7Móø\t‡Ç&yVÏÙdy~s8×ZÂ×6îsK¢÷‰×ÿ2®ß÷-‘ÝwYÖ1}_Ï%¨&2ãjP‰—hÚ‡¢(úoïh±ÿ†.Êendstream
-endobj
-861 0 obj <<
-/Type /Page
-/Contents 862 0 R
-/Resources 860 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 715 0 R
-/Annots [ 864 0 R 865 0 R 866 0 R 867 0 R 868 0 R 869 0 R 870 0 R 871 0 R 872 0 R 873 0 R 874 0 R 875 0 R 876 0 R 877 0 R 878 0 R 879 0 R 880 0 R 881 0 R 882 0 R 883 0 R 884 0 R 885 0 R 886 0 R 887 0 R 888 0 R 889 0 R 890 0 R 891 0 R 892 0 R 893 0 R 894 0 R 895 0 R 896 0 R 900 0 R 901 0 R 902 0 R 903 0 R 904 0 R 905 0 R 906 0 R 907 0 R 908 0 R 909 0 R 910 0 R 911 0 R 912 0 R 913 0 R 914 0 R 915 0 R 916 0 R 917 0 R 918 0 R 919 0 R 920 0 R 921 0 R ]
+1119 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 387.3792 539.579 396.3355]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.6.2.18) >>
>> endobj
-864 0 obj <<
+1120 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 758.4766 539.579 767.4329]
+/Rect [527.6238 375.4083 539.579 384.3646]
/Subtype /Link
/A << /S /GoTo /D (subsection.6.2.19) >>
>> endobj
-865 0 obj <<
+1121 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 746.3946 539.579 755.3509]
+/Rect [527.6238 363.4374 539.579 372.3937]
/Subtype /Link
/A << /S /GoTo /D (subsection.6.2.20) >>
>> endobj
-866 0 obj <<
+1122 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 734.3125 539.579 743.2688]
+/Rect [527.6238 351.4666 539.579 360.4228]
/Subtype /Link
/A << /S /GoTo /D (subsection.6.2.21) >>
>> endobj
-867 0 obj <<
+1123 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 722.2305 539.579 731.1868]
+/Rect [527.6238 339.4957 539.579 348.452]
/Subtype /Link
/A << /S /GoTo /D (subsection.6.2.22) >>
>> endobj
-868 0 obj <<
+1124 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 710.1484 539.579 719.1047]
+/Rect [527.6238 327.5248 539.579 336.4811]
/Subtype /Link
/A << /S /GoTo /D (subsection.6.2.23) >>
>> endobj
-869 0 obj <<
+1125 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 698.0664 539.579 707.0227]
+/Rect [527.6238 315.5539 539.579 324.5102]
/Subtype /Link
/A << /S /GoTo /D (subsection.6.2.24) >>
>> endobj
-870 0 obj <<
+1126 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 685.9843 539.579 694.9406]
+/Rect [527.6238 303.583 539.579 312.5393]
/Subtype /Link
/A << /S /GoTo /D (subsection.6.2.25) >>
>> endobj
-871 0 obj <<
+1127 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 674.002 539.579 683.008]
+/Rect [527.6238 291.6121 539.579 300.5684]
/Subtype /Link
/A << /S /GoTo /D (subsection.6.2.26) >>
>> endobj
-872 0 obj <<
+1128 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 279.6413 539.579 288.5975]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.6.2.27) >>
+>> endobj
+1129 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 661.9199 539.579 670.926]
+/Rect [527.6238 267.6704 539.579 276.6267]
/Subtype /Link
-/A << /S /GoTo /D (subsubsection.6.2.26.1) >>
+/A << /S /GoTo /D (subsection.6.2.28) >>
>> endobj
-873 0 obj <<
+1130 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 649.8379 539.579 658.6945]
+/Rect [527.6238 255.6995 539.579 264.6558]
/Subtype /Link
-/A << /S /GoTo /D (subsubsection.6.2.26.2) >>
+/A << /S /GoTo /D (subsubsection.6.2.28.1) >>
>> endobj
-874 0 obj <<
+1131 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 637.6562 539.579 646.6124]
+/Rect [527.6238 243.7286 539.579 252.8343]
/Subtype /Link
-/A << /S /GoTo /D (subsubsection.6.2.26.3) >>
+/A << /S /GoTo /D (subsubsection.6.2.28.2) >>
>> endobj
-875 0 obj <<
+1132 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 625.5741 539.579 634.5304]
+/Rect [527.6238 231.7577 539.579 240.714]
/Subtype /Link
-/A << /S /GoTo /D (subsubsection.6.2.26.4) >>
+/A << /S /GoTo /D (subsubsection.6.2.28.3) >>
>> endobj
-876 0 obj <<
+1133 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 219.7868 539.579 228.7431]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.2.28.4) >>
+>> endobj
+1134 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 613.5917 539.579 622.4483]
+/Rect [522.6425 207.8159 539.579 216.9217]
/Subtype /Link
/A << /S /GoTo /D (section.6.3) >>
>> endobj
-877 0 obj <<
+1135 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 601.5097 539.579 610.3663]
+/Rect [522.6425 195.845 539.579 204.9508]
/Subtype /Link
/A << /S /GoTo /D (subsection.6.3.1) >>
>> endobj
-878 0 obj <<
+1136 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 589.4276 539.579 598.2842]
+/Rect [522.6425 183.8742 539.579 192.9799]
/Subtype /Link
/A << /S /GoTo /D (subsubsection.6.3.1.1) >>
>> endobj
-879 0 obj <<
+1137 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 577.2459 539.579 586.2022]
+/Rect [522.6425 171.9033 539.579 181.009]
/Subtype /Link
/A << /S /GoTo /D (subsubsection.6.3.1.2) >>
>> endobj
-880 0 obj <<
+1138 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 565.1639 539.579 574.2696]
+/Rect [522.6425 159.9324 539.579 169.0381]
/Subtype /Link
/A << /S /GoTo /D (subsection.6.3.2) >>
>> endobj
-881 0 obj <<
+1139 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 553.0818 539.579 562.1876]
+/Rect [522.6425 147.9615 539.579 157.0673]
/Subtype /Link
/A << /S /GoTo /D (subsection.6.3.3) >>
>> endobj
-882 0 obj <<
+1140 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 540.9998 539.579 550.1055]
+/Rect [522.6425 135.9906 539.579 145.0964]
/Subtype /Link
/A << /S /GoTo /D (subsection.6.3.4) >>
>> endobj
-883 0 obj <<
+1141 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 528.9177 539.579 537.874]
+/Rect [522.6425 124.0197 539.579 133.1255]
/Subtype /Link
/A << /S /GoTo /D (subsection.6.3.5) >>
>> endobj
-884 0 obj <<
+1142 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 516.8357 539.579 525.792]
+/Rect [522.6425 112.0489 539.579 121.1546]
/Subtype /Link
/A << /S /GoTo /D (subsubsection.6.3.5.1) >>
>> endobj
-885 0 obj <<
+1143 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 504.7536 539.579 513.7099]
+/Rect [522.6425 100.078 539.579 109.1837]
/Subtype /Link
/A << /S /GoTo /D (subsubsection.6.3.5.2) >>
>> endobj
-886 0 obj <<
+1144 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 492.6716 539.579 501.6279]
+/Rect [522.6425 88.1071 539.579 97.2128]
/Subtype /Link
/A << /S /GoTo /D (subsubsection.6.3.5.3) >>
>> endobj
-887 0 obj <<
+1145 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 480.5895 539.579 489.5458]
+/Rect [522.6425 76.1362 539.579 85.242]
/Subtype /Link
/A << /S /GoTo /D (subsubsection.6.3.5.4) >>
>> endobj
-888 0 obj <<
+1146 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 468.5075 539.579 477.4638]
+/Rect [522.6425 64.1653 539.579 73.2711]
/Subtype /Link
/A << /S /GoTo /D (subsection.6.3.6) >>
>> endobj
-889 0 obj <<
+1087 0 obj <<
+/D [1085 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+1084 0 obj <<
+/Font << /F37 1026 0 R /F22 961 0 R /F21 938 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1149 0 obj <<
+/Length 3427
+/Filter /FlateDecode
+>>
+stream
+xÚí[sÛ6Çßý)ô¶öÌ
+Á• vvl§é¦—´k»³3Ûí-Ñ2'éŠR<ÙO¿ @Gxj$iÇj¦cÙâá9:ÿq#ÅFÔþc#•‘Ìp3ÒFE™MGt4³ï}}ÄÜ1cÐuvuôâ•Ð#CLƳÑÕÍH*E¸Úœ,'4ÏÙèjúóñùo®¾zsuyòËÕ7G_]…³BÏŒŠî”¿ýü Mm
+ê~[9#‚JÀJ¨oŠ…/åò]¹Œ—‘-C’çOAïA¡}&’…†˜Ð0ӨБ@0¡Q÷AèÌÂ9:s§óšÚéü}QY-뢞”¿%¶ÑòsÑuHPÿ‰Sõvˆœ0ŸŒ±A5#Q b¢¾·ZæšØ[)…“ò¢l›ù#šjžñ§W¨u,s0ÃTÞfy/LcÄñVb­UÚ
+z~»lšU¤Î
+I¨äžFÎÄ JKwÌe¹ZWÓØ™r’ô%ûL~jb½¦ÉÄCŒXÈ cÙ0±‘@0bQ÷n²ÇvïÓZy`ÃdO7ñ·œb–Ê\8–&ƒðÚá¡æþ°¯êwU_@ëEYÛ®§ÈÄ󩎃XùÌ'c 1¬ ²(V‘@0¬P÷+e8¡Fm±â«ŸÚªžõ—ÑU”0‘ÜøêØÖ4J4 5íÕºžt«Š~ÎH…¬§" ¤vTÅŠ‚ …»÷×V•SB™Ž)áºj/ß×Å¢šôLýt7-VåÃÞ­VÙ¡7'Æç4™`ˆ5C‰‰‚³ç>6
+RÊŽh3ÆýXu3
+º:aŒ/›õõ¼loíõ«+Hƒùñgxì` ƒÈ^àçÃò±ç6Ú‚¤"B—0Ø9o‹®xvæÇþBms³è†óRÆ6éʧ9¹QC¬QAQx"`¡îý•]…fž¡Ða|½ú‹0×›^¼o–omëú{ÿÛmsß¿˜¶×ýÿRÊgë x®t7k†Û"œöÞõ!gÿ°åƒ‚ûœ$  1ÁaÎQÁ#`‚£îCÕà¶7Ï”Wœ»ªñºžô’u}úЩëFªý¬ÉmQÏvúz~-°ò»—Þ¬×Ýbƒuò„JÁ >MÉ
+A$ Ô}€€„p ø¾×¿oKØlÏ4ì¯ý:Ã?ËùmµR®#BÉ%;™¤­åh?
+ £‡¾c2™gÄvÝòïS[Æ9?>½»+ëi5)‡§œƒÙc{aÐ
+¦uK&M}ŸåúP8Pd|V“‘†2P5Ƈä Cuï‘¡ŠE·Èd=2—ÅâÎ?×çôîn^MÜ-Yc%³Ã‚ïB|“ †!P$”H !¨ûpg'7‚ð,ß"ÒïÚ´évCÉßN,kô¸èii«-9íj}Ý¿r«=àÖîõÊݪ¤~"‹v>©2;De˜fLäHˆÆ¨ï­Ä9#,Ï€Ä|GâqѾ¯'ÉBkyü×m˜nõ¯;Ù­ÛJÙ¬Ûùûn_ÿHqÜGHgk‡‰Äøð†¥H˜8˜ï­8™ég€:bW?1a»vÃ…I®Õ²¨ÛbâÇôx2¯6÷D*þ¤†å?a²xÀSf•/¦ê~+ Ò„r”»ÎŠÊ 7+WÝâxUß4ÝjV¿’µ³OÆQ‹rÿˆUX›4S+ºê÷Wδdå€!¦Lª\$L9ÔýV9)‰^ûÔ®rëÍÝ>ín
+o Zƒ[ƒ|£ë^ßõµp¶,'c½³lù©¶‡O’,0Ä„‚™bbøÙ@±@0¡P÷[¡'¹ÒP¨Ì U·.½×^¦i³(ªúEžÕ‚§CMnËÉ[ÿKUû¦µ\´»;Ù.^÷/$Õ2ýþ®AüIÖ b:ÁD11¼e,¦êÞ68§Dk¥ƒJºmì,»ìl³I×T6šÆYñéLfb¬@¹PV"`¬ì¹mÔf&'œ‹~ ù¬ÛÎ!Ž¿/êµß[xWÌýÚÁú±ûµ¡²_{'*&†Ÿ©χäbßmlÓv “î1Ng›e)aŽ§ÕìËØñðäæ„‚©-"-oGo”²H m¨û@›–„*ãiã=m·M×½Tú€Û›$7`ˆágbxî!†ê>à–1b´7áŠ[ݶåd<moúÞÛâmi;"Ï4}0F>ÑÉC #($“Ãc€X F¨û€‘4$7Êc$w0²ðxŽæÅu9âÏ þØñÙMfbì@õ˜Þc cuØšäþ†Ä³ÍºÙ;³²Û·!Õáºö‰hòùN¦ b4A=™”Ã4EÁhBÝš¸"Z¸'kœm–Ô¶4õCÛwÍÛníU±QŸˆ(Ÿód¢€!FÔ”I¤‹ #
+uˆb‚dÒx¢ôQm¹ZUÝTÖ¡@}:œ|“q†NPP{Æ)†ê>àDQ™{˜ÇÉwqªfõÿ6T—R@úX|ª“A†HPJ¦†çèb` ¡î=H¹!2Wž#ÓsÔÍ«OÇ›yô~³Q¦ø ȧ8•`‡àdjøIµ‘(xPßá+¤4‘Ô÷¸íöEï°ãj:ŸÿB>ÅÉ_Ì°/ÙÊÇÔðmû!`_‚87VÄo–³Ø0€Óu˜Žüý§#É fØ#c·ò25Ü-Úa«ð¥ˆcnHžGœcÿgÄ(Å?þ;·_)5ùÐ\qm§Tº¯ÁrÔêr³Áæ(úÿð^ä“endstream
+endobj
+1148 0 obj <<
+/Type /Page
+/Contents 1149 0 R
+/Resources 1147 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 939 0 R
+/Annots [ 1151 0 R 1152 0 R 1153 0 R 1154 0 R 1155 0 R 1156 0 R 1157 0 R 1158 0 R 1162 0 R 1163 0 R 1164 0 R 1165 0 R 1166 0 R 1167 0 R 1168 0 R 1169 0 R 1170 0 R 1171 0 R 1172 0 R 1173 0 R 1174 0 R 1175 0 R 1176 0 R 1177 0 R 1178 0 R 1179 0 R 1180 0 R 1181 0 R 1182 0 R 1183 0 R 1184 0 R 1185 0 R 1186 0 R 1187 0 R 1188 0 R 1189 0 R 1190 0 R 1191 0 R 1192 0 R 1193 0 R 1194 0 R 1195 0 R 1196 0 R 1197 0 R 1198 0 R 1199 0 R 1200 0 R 1201 0 R 1202 0 R 1203 0 R 1204 0 R 1205 0 R 1206 0 R 1207 0 R 1208 0 R ]
+>> endobj
+1151 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 456.4254 539.579 465.5312]
+/Rect [494.296 758.4766 511.2325 767.5824]
/Subtype /Link
/A << /S /GoTo /D (subsection.6.3.7) >>
>> endobj
-890 0 obj <<
+1152 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 444.3434 539.579 453.4491]
+/Rect [494.296 746.3946 511.2325 755.5003]
/Subtype /Link
/A << /S /GoTo /D (section.6.4) >>
>> endobj
-891 0 obj <<
+1153 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 432.2613 539.579 441.2176]
+/Rect [494.296 734.3125 511.2325 743.4183]
/Subtype /Link
/A << /S /GoTo /D (subsubsection.6.4.0.1) >>
>> endobj
-892 0 obj <<
+1154 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 420.1793 539.579 429.1356]
+/Rect [494.296 722.2305 511.2325 731.3362]
/Subtype /Link
/A << /S /GoTo /D (subsection.6.4.1) >>
>> endobj
-893 0 obj <<
+1155 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 408.0972 539.579 417.0535]
+/Rect [494.296 710.1484 511.2325 719.2542]
/Subtype /Link
/A << /S /GoTo /D (subsubsection.6.4.1.1) >>
>> endobj
-894 0 obj <<
+1156 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 396.0152 539.579 404.9715]
+/Rect [494.296 698.1661 511.2325 707.1721]
/Subtype /Link
/A << /S /GoTo /D (subsubsection.6.4.1.2) >>
>> endobj
-895 0 obj <<
+1157 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 383.9331 539.579 392.8894]
+/Rect [494.296 686.084 511.2325 695.0901]
/Subtype /Link
/A << /S /GoTo /D (subsubsection.6.4.1.3) >>
>> endobj
-896 0 obj <<
+1158 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 371.8511 539.579 380.8074]
+/Rect [494.296 674.002 511.2325 683.008]
/Subtype /Link
/A << /S /GoTo /D (subsubsection.6.4.1.4) >>
>> endobj
-900 0 obj <<
+1162 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 359.769 539.579 368.7253]
+/Rect [494.296 661.8203 511.2325 670.926]
/Subtype /Link
/A << /S /GoTo /D (subsubsection.6.4.1.5) >>
>> endobj
-901 0 obj <<
+1163 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 337.1969 539.579 346.0536]
+/Rect [494.296 639.2482 511.2325 648.1048]
/Subtype /Link
/A << /S /GoTo /D (chapter.7) >>
>> endobj
-902 0 obj <<
+1164 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 325.1348 539.579 334.2405]
+/Rect [494.296 627.186 511.2325 636.2917]
/Subtype /Link
/A << /S /GoTo /D (section.7.1) >>
>> endobj
-903 0 obj <<
+1165 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 313.0527 539.579 322.009]
+/Rect [494.296 615.1039 511.2325 624.2097]
/Subtype /Link
/A << /S /GoTo /D (section.7.2) >>
>> endobj
-904 0 obj <<
+1166 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 300.9707 539.579 309.9269]
+/Rect [494.296 603.0219 511.2325 612.1276]
/Subtype /Link
/A << /S /GoTo /D (subsection.7.2.1) >>
>> endobj
-905 0 obj <<
+1167 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 288.8886 539.579 297.8449]
+/Rect [494.296 590.9398 511.2325 600.0456]
/Subtype /Link
/A << /S /GoTo /D (subsection.7.2.2) >>
>> endobj
-906 0 obj <<
+1168 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 276.8066 539.579 285.7628]
+/Rect [494.296 578.8578 511.2325 587.9635]
/Subtype /Link
/A << /S /GoTo /D (section.7.3) >>
>> endobj
-907 0 obj <<
+1169 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 254.2345 539.579 262.9666]
+/Rect [494.296 556.2857 511.2325 565.1423]
/Subtype /Link
/A << /S /GoTo /D (chapter.8) >>
>> endobj
-908 0 obj <<
+1170 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 242.1723 539.579 251.1286]
+/Rect [494.296 544.2235 511.2325 553.3293]
/Subtype /Link
/A << /S /GoTo /D (section.8.1) >>
>> endobj
-909 0 obj <<
+1171 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 230.0903 539.579 239.0465]
+/Rect [494.296 532.1415 511.2325 541.2472]
/Subtype /Link
/A << /S /GoTo /D (subsection.8.1.1) >>
>> endobj
-910 0 obj <<
+1172 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 218.0082 539.579 226.9645]
+/Rect [494.296 520.0594 511.2325 529.1652]
/Subtype /Link
/A << /S /GoTo /D (section.8.2) >>
>> endobj
-911 0 obj <<
+1173 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 205.9262 539.579 214.8824]
+/Rect [494.296 507.9774 511.2325 517.0831]
/Subtype /Link
/A << /S /GoTo /D (section.8.3) >>
>> endobj
-912 0 obj <<
+1174 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 183.3541 539.579 192.0862]
+/Rect [494.296 485.5497 511.2325 494.2619]
/Subtype /Link
/A << /S /GoTo /D (appendix.A) >>
>> endobj
-913 0 obj <<
+1175 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 171.2919 539.579 180.2482]
+/Rect [494.296 473.4428 511.2325 482.4488]
/Subtype /Link
/A << /S /GoTo /D (section.A.1) >>
>> endobj
-914 0 obj <<
+1176 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 159.2098 539.579 168.1661]
+/Rect [494.296 461.3607 511.2325 470.3668]
/Subtype /Link
/A << /S /GoTo /D (subsection.A.1.1) >>
>> endobj
-915 0 obj <<
+1177 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 147.1278 539.579 156.0841]
+/Rect [494.296 449.2787 511.2325 458.2847]
/Subtype /Link
/A << /S /GoTo /D (section.A.2) >>
>> endobj
-916 0 obj <<
+1178 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 135.0457 539.579 144.002]
+/Rect [494.296 437.1966 511.2325 446.2027]
/Subtype /Link
/A << /S /GoTo /D (subsection.A.2.1) >>
>> endobj
-917 0 obj <<
+1179 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 122.9637 539.579 131.92]
+/Rect [494.296 425.1146 511.2325 434.1207]
/Subtype /Link
/A << /S /GoTo /D (section.A.3) >>
>> endobj
-918 0 obj <<
+1180 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 110.8816 539.579 119.8379]
+/Rect [494.296 413.0325 511.2325 422.0386]
/Subtype /Link
/A << /S /GoTo /D (subsection.A.3.1) >>
>> endobj
-919 0 obj <<
+1181 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [522.6425 98.7996 539.579 107.9053]
+/Rect [494.296 400.8508 511.2325 409.9566]
/Subtype /Link
/A << /S /GoTo /D (subsection.A.3.2) >>
>> endobj
-920 0 obj <<
+1182 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [522.6425 86.7175 539.579 95.8233]
+/Rect [494.296 388.7688 511.2325 397.8745]
/Subtype /Link
/A << /S /GoTo /D (subsection.A.3.3) >>
>> endobj
-921 0 obj <<
+1183 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [522.6425 64.1455 539.579 73.0021]
+/Rect [494.296 376.6867 511.2325 385.7925]
/Subtype /Link
-/A << /S /GoTo /D (appendix.B) >>
+/A << /S /GoTo /D (section.A.4) >>
>> endobj
-863 0 obj <<
-/D [861 0 R /XYZ 85.0394 794.5015 null]
+1184 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [494.296 364.7043 511.2325 373.7104]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.A.4.1) >>
>> endobj
-860 0 obj <<
-/Font << /F37 802 0 R /F22 737 0 R /F21 714 0 R /F39 899 0 R >>
-/ProcSet [ /PDF /Text ]
+1185 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [494.296 352.6223 511.2325 361.6284]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.A.4.2) >>
>> endobj
-924 0 obj <<
-/Length 885
-/Filter /FlateDecode
->>
-stream
-xÚíÙOOÛ0
-‚¶e›¶O?'Í+uŸ(œ"„ÀÏ~ñûÉØ ”<|A© 3^øÒzÅ4]N/çáoŸ èÚT±Q…[OŠ£SiKϼ¦œÜ”Jk&tÛ™cÜ9('³Ëѧ/ç““óÉÅøjrVœLR¯xdà²éògqyÅËYHà¬àLz§Ë?áÎÀ{Q.
-¥%ÓJÊø›‡â¢øš:DmC³wœ iDæV„@·biBrÚ‡ !Û;9f0®¼ô£ÙÝ<\x1bãJs>|´ÊûƒuöŠòA–eHõØ)îã¼Ü\|CåNqÜ-÷nÿM½ƒÊ´ÑO.J9|Ò¦,3ÖB§Ml´Ý®ÖOa^ìÀíã¹Å‚ôæ†)n¸àÀÝ~n™D(näð‰›ÔÌ
-ð7Ù-nËõºžV³õÍãÜhµ¸¯ÿŽ+éÜ éÕŒâD÷f„)F¸
-endobj
-923 0 obj <<
-/Type /Page
-/Contents 924 0 R
-/Resources 922 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 715 0 R
-/Annots [ 926 0 R 927 0 R 928 0 R 929 0 R 930 0 R 931 0 R 932 0 R 933 0 R 934 0 R 935 0 R 936 0 R 940 0 R 941 0 R ]
+1186 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [494.296 340.5402 511.2325 349.5463]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.A.4.3) >>
>> endobj
-926 0 obj <<
+1187 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [494.296 758.4766 511.2325 767.5824]
+/Rect [494.296 328.4582 511.2325 337.4643]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.A.4.4) >>
+>> endobj
+1188 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [494.296 316.2765 511.2325 325.3822]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.A.4.5) >>
+>> endobj
+1189 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [494.296 304.1944 511.2325 313.3002]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.A.4.6) >>
+>> endobj
+1190 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [494.296 292.1124 511.2325 301.2181]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.A.4.6.1) >>
+>> endobj
+1191 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [494.296 280.0303 511.2325 289.1361]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.A.4.6.2) >>
+>> endobj
+1192 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [494.296 267.9483 511.2325 277.054]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.A.4.6.3) >>
+>> endobj
+1193 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [494.296 255.8662 511.2325 264.972]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.A.4.6.4) >>
+>> endobj
+1194 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [494.296 243.7842 511.2325 252.8899]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.A.4.6.5) >>
+>> endobj
+1195 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [494.296 231.7021 511.2325 240.8079]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.A.4.6.6) >>
+>> endobj
+1196 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [494.296 219.6201 511.2325 228.7258]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.A.4.7) >>
+>> endobj
+1197 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [494.296 197.048 511.2325 205.9046]
+/Subtype /Link
+/A << /S /GoTo /D (appendix.B) >>
+>> endobj
+1198 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [494.296 184.9858 511.2325 194.0916]
/Subtype /Link
/A << /S /GoTo /D (section.B.1) >>
>> endobj
-927 0 obj <<
+1199 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [494.296 746.5215 511.2325 755.6272]
+/Rect [494.296 172.9038 511.2325 182.0095]
/Subtype /Link
/A << /S /GoTo /D (section.B.2) >>
>> endobj
-928 0 obj <<
+1200 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [494.296 734.5663 511.2325 743.672]
+/Rect [494.296 160.8217 511.2325 169.9275]
/Subtype /Link
/A << /S /GoTo /D (section.B.3) >>
>> endobj
-929 0 obj <<
+1201 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [494.296 722.7108 511.2325 731.7169]
+/Rect [494.296 148.8393 511.2325 157.8454]
/Subtype /Link
/A << /S /GoTo /D (section.B.4) >>
>> endobj
-930 0 obj <<
+1202 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [494.296 710.656 511.2325 719.7617]
+/Rect [494.296 136.7573 511.2325 145.7634]
/Subtype /Link
/A << /S /GoTo /D (section.B.5) >>
>> endobj
-931 0 obj <<
+1203 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [494.296 698.7008 511.2325 707.8065]
+/Rect [494.296 124.5756 511.2325 133.6813]
/Subtype /Link
/A << /S /GoTo /D (section.B.6) >>
>> endobj
-932 0 obj <<
+1204 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [494.296 686.7456 511.2325 695.8514]
+/Rect [494.296 112.4935 511.2325 121.5993]
/Subtype /Link
/A << /S /GoTo /D (section.B.7) >>
>> endobj
-933 0 obj <<
+1205 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [494.296 674.7905 511.2325 683.8962]
+/Rect [494.296 100.4115 511.2325 109.5172]
/Subtype /Link
/A << /S /GoTo /D (section.B.8) >>
>> endobj
-934 0 obj <<
+1206 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [494.296 662.935 511.2325 671.941]
+/Rect [494.296 88.3294 511.2325 97.4352]
/Subtype /Link
/A << /S /GoTo /D (section.B.9) >>
>> endobj
-935 0 obj <<
+1207 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [494.296 650.8801 511.2325 659.9859]
+/Rect [494.296 76.2474 511.2325 85.3531]
/Subtype /Link
/A << /S /GoTo /D (section.B.10) >>
>> endobj
-936 0 obj <<
+1208 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [494.296 638.925 511.2325 648.0307]
+/Rect [494.296 64.1653 511.2325 73.2711]
/Subtype /Link
/A << /S /GoTo /D (section.B.11) >>
>> endobj
-940 0 obj <<
+1150 0 obj <<
+/D [1148 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+1147 0 obj <<
+/Font << /F37 1026 0 R /F22 961 0 R /F39 1161 0 R /F21 938 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1211 0 obj <<
+/Length 765
+/Filter /FlateDecode
+>>
+stream
+xÚíÙÍOÛ0
+Áø é¡‰Ò<¾å³Þ,ëêyæ6G‹æè®Þâå0˜WˆñŠ Š÷óJ‚ñBÓ^\ÍÀz^¢ãµjê©;ó¿Ó:´·¼ùŽ öbÞ⎃ÒýÞ…`ÞÐôÁ›+C+e¼7Ù¦?½eŒXmŠvPK‘LÍ]7òÕ¬
+ÚÉôvähô }§;Œ1‡±P¦ßa¢Ì!š>8 @y‡jwÞ+Zl÷³fRpàã9î°¨ü¶Fb¨â¶‚¦ý¨…`¨Ðô•rF*áQéU]7ë*£ô¨é0šÂ~Õ"š^õtÿ•ªDž>h2šX
+áÆÑtšªÕ²jo'Sã•Ø1?CóŠ1^qƒA÷_ù§
+Áx¡é/-‰*ÜXÚŽ—;G­ª¦^ÌÛ?5ú:
+,¿õƒaE¬¸µ(¬D!,4}€¥8±–ú[JF;Xëiñ0¯¦ÅwJÙŸÍÒù²0Š:(¿çƒEE˜¨¸§ E¿¨D!˜(4}%¡\ú›FþØlʪõä°œ§ª£Àò[?VˆÁŠ[ ZöÃJ²+<¿/(¢¨‹K<Âw¿@¬”ðþ/ v_kM¸1,½\Nc®tÎ%içjû«w©ÛAQåhÉì‹endstream
+endobj
+1210 0 obj <<
+/Type /Page
+/Contents 1211 0 R
+/Resources 1209 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1226 0 R
+/Annots [ 1213 0 R 1214 0 R 1215 0 R 1219 0 R 1220 0 R 1221 0 R 1222 0 R 1223 0 R 1224 0 R 1225 0 R ]
+>> endobj
+1213 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [494.296 626.9698 511.2325 636.0755]
+/Rect [522.6425 758.4766 539.579 767.5824]
/Subtype /Link
/A << /S /GoTo /D (section.B.12) >>
>> endobj
-941 0 obj <<
+1214 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [494.296 615.0146 511.2325 624.1204]
+/Rect [522.6425 746.5215 539.579 755.6272]
/Subtype /Link
/A << /S /GoTo /D (section.B.13) >>
>> endobj
-925 0 obj <<
-/D [923 0 R /XYZ 56.6929 794.5015 null]
+1215 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [522.6425 734.5663 539.579 743.672]
+/Subtype /Link
+/A << /S /GoTo /D (section.B.14) >>
>> endobj
-922 0 obj <<
-/Font << /F37 802 0 R /F22 737 0 R /F41 939 0 R >>
+1219 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [522.6425 722.6111 539.579 731.7169]
+/Subtype /Link
+/A << /S /GoTo /D (section.B.15) >>
+>> endobj
+1220 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [522.6425 710.656 539.579 719.7617]
+/Subtype /Link
+/A << /S /GoTo /D (section.B.16) >>
+>> endobj
+1221 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [522.6425 698.8005 539.579 707.8065]
+/Subtype /Link
+/A << /S /GoTo /D (section.B.17) >>
+>> endobj
+1222 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [522.6425 686.7456 539.579 695.8514]
+/Subtype /Link
+/A << /S /GoTo /D (section.B.18) >>
+>> endobj
+1223 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [522.6425 674.7905 539.579 683.8962]
+/Subtype /Link
+/A << /S /GoTo /D (section.B.19) >>
+>> endobj
+1224 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [522.6425 662.935 539.579 671.941]
+/Subtype /Link
+/A << /S /GoTo /D (section.B.20) >>
+>> endobj
+1225 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [522.6425 650.8801 539.579 659.9859]
+/Subtype /Link
+/A << /S /GoTo /D (section.B.21) >>
+>> endobj
+1212 0 obj <<
+/D [1210 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+1209 0 obj <<
+/Font << /F37 1026 0 R /F22 961 0 R /F41 1218 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-944 0 obj <<
-/Length 2175
+1229 0 obj <<
+/Length 2174
/Filter /FlateDecode
>>
stream
@@ -3525,55 +4293,56 @@ xÚÝYÝoã6÷_áGXëø%‘ìãî¶ÅÅî’¢½>(c kK®>’ºý 9C[ŠåÍö6ÀE€ˆ¤†äpæ7¿Ê|Éà/M–2iÕR
ìn+×í 7Éz[­‹Žî‹º3k•¼iPÿ¦½1É°ó›ûE†Î•8þдØ(ÝÎmŠ¾ª7´ÏÐo›¶êAÍ#Ž4ŽdÃáh‡¢¦•h+F
žœˆ‡UûÃÎíÁEðëJ€¢ý¶ðîÒYR¬û¡ØíŽ8¾/¶¢)A$؆F~öË2XÂuëRPÂȼŠ¢eÑ(Vuqå
4¨joßñË`wÖj†Ž‚÷f|SHÚê~èÃ"Ùœ?ü¨ßü¾ZEÌs•J• B±b©È%bž§
-<ð|߬o¹ù`&͵KÞºö85ØÓNBƒÅp€ñs°o?||Oñ
-†A8Bs]ÜÖá®—0F4•Ò`„LC‹ÖîÐGî˜('˜NY.ÔœvâEí BÖÀ^Q1òc3 a2ZI-RÃa‹ šQö·¡ÂF¤- |Щ¦®1|¡O$ˆieòX´U3Ð<W?âbMVóaøj±8ùÒJˆ<WúÒ2‘WìÀu\.iS£x”è‹îÓ
-Ò (L¹^ŒùÉë¸sÕwhC%yª³\Omx ƒ¡„
-5
-(ÁÝîx‰kàXÛòä¾)Óò³B£:Ò96&'ȉj\@4@a&
-²MáÓŽ‚Ëx¿õŸC ®•’p¹gbçN"ùéß?¾AÉmÓõ#IàµPÏ|>Ø‘¢wI>Ü‚éž_»'‚€k÷ÓWT¾^Gôè”_g¸¢Ÿ[Ì3‡è‘徫~÷›ý>Ue¿½ÞWÓ÷/ÞèèWäB¡Êò—ÀËeʤˆëÏiX¥9ï0|?£^Ÿ+¯Ì,~ÆÊ
+<ð|߬o¹ù`&͵KÞºö85ØÓNBƒÅp€ñs°o?||Oñ
+½¢|, äÊ“d?|˔ȆzR笸µÀù³`™P¯7¢
+ •"$D‡N=¥JsN¶ä ±ú%=%h Óqžr™r£Í…¡`Z6 FØ|†Œ‰ °'XIvÕfÛ?9ÿŸh‚å)ãz–&ºf÷ˆå¨j©©6ÉlpQô°Æzîyî/L\&äóŠq%I{I0TÐÖÁ²¾œõ€u‰
+ý“NWA÷yŒ) ÄgM>)¬º¿¬Ú”TmBqþèÙ·©©´ü©‹×»ªþʲ3”Ñqî¹ì Ý'Šuð÷³‚1H\Â’«øPèx@¯à'`'ªÿ×jñíÝéûÍ¡¤ðÌ@Ý(…ÿxóÛâ—_Ù²\°å –Jk²åtX*ÅýBIh²ÌÄ‘Ýâvñ¯ÿqVÔcT(\Õ
+Í·Í®¼¥WSýo %«Sf¹} I ®i¶8ÙðeId£¡ÿˆF[¼†žk}…‚ÆZ_@èp^MÝ¿
+nܱ™æP;ƒa¤jüÛßÅo€"P°¿½‚úƘÙ
+ãïp[Kýω³è‘R0µ$¡P‡_˜=þäx^)îö_ó]endstream
endobj
-943 0 obj <<
+1228 0 obj <<
/Type /Page
-/Contents 944 0 R
-/Resources 942 0 R
+/Contents 1229 0 R
+/Resources 1227 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 954 0 R
+/Parent 1226 0 R
>> endobj
6 0 obj <<
-/D [943 0 R /XYZ 85.0394 769.5949 null]
+/D [1228 0 R /XYZ 85.0394 769.5949 null]
>> endobj
-945 0 obj <<
-/D [943 0 R /XYZ 85.0394 582.8476 null]
+1230 0 obj <<
+/D [1228 0 R /XYZ 85.0394 582.8476 null]
>> endobj
10 0 obj <<
-/D [943 0 R /XYZ 85.0394 512.9824 null]
+/D [1228 0 R /XYZ 85.0394 512.9824 null]
>> endobj
-946 0 obj <<
-/D [943 0 R /XYZ 85.0394 474.7837 null]
+1231 0 obj <<
+/D [1228 0 R /XYZ 85.0394 474.7837 null]
>> endobj
14 0 obj <<
-/D [943 0 R /XYZ 85.0394 399.5462 null]
+/D [1228 0 R /XYZ 85.0394 399.5462 null]
>> endobj
-947 0 obj <<
-/D [943 0 R /XYZ 85.0394 363.8828 null]
+1232 0 obj <<
+/D [1228 0 R /XYZ 85.0394 363.8828 null]
>> endobj
18 0 obj <<
-/D [943 0 R /XYZ 85.0394 223.0066 null]
+/D [1228 0 R /XYZ 85.0394 223.0066 null]
>> endobj
-948 0 obj <<
-/D [943 0 R /XYZ 85.0394 190.9009 null]
+1233 0 obj <<
+/D [1228 0 R /XYZ 85.0394 190.9009 null]
>> endobj
-949 0 obj <<
-/D [943 0 R /XYZ 85.0394 170.4169 null]
+1234 0 obj <<
+/D [1228 0 R /XYZ 85.0394 170.4169 null]
>> endobj
-950 0 obj <<
-/D [943 0 R /XYZ 85.0394 158.4617 null]
+1235 0 obj <<
+/D [1228 0 R /XYZ 85.0394 158.4617 null]
>> endobj
-942 0 obj <<
-/Font << /F21 714 0 R /F22 737 0 R /F39 899 0 R /F41 939 0 R /F48 953 0 R >>
+1227 0 obj <<
+/Font << /F21 938 0 R /F22 961 0 R /F39 1161 0 R /F41 1218 0 R /F48 1238 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-957 0 obj <<
+1241 0 obj <<
/Length 3187
/Filter /FlateDecode
>>
@@ -3591,63 +4360,63 @@ H•²/hÊ
®£fw"®höx׺©;°Çn|>”°ÃÓ¶PˇýjÎÖzýÁ”rþ!È£+Œ­$üE™ Bö‘Q™…­Ê"ôãÇœ/Áò±r=?5M[ô°ÌÏ[€Ì°u¸Âz ÆmÜo<)¶ó=P¿+{’‘OíRzwdîØPÖ6ôV`0ÐhõðlÓã>§¦|êv=£lÁá“xý1‡š[ÚÍ„C9ßšÞ4â¦Å7ɵkù ’ß ÿe¬ˆ¦¯¸Çÿ¤ùâãý×þ{Ôñ¿Ä T0iª_ð‡)¶ˆÌ€
@Ÿ!þêó4Ï©Êendstream
endobj
-956 0 obj <<
+1240 0 obj <<
/Type /Page
-/Contents 957 0 R
-/Resources 955 0 R
+/Contents 1241 0 R
+/Resources 1239 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 954 0 R
-/Annots [ 963 0 R 964 0 R ]
+/Parent 1226 0 R
+/Annots [ 1247 0 R 1248 0 R ]
>> endobj
-963 0 obj <<
+1247 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [272.8897 207.1951 329.1084 219.2548]
/Subtype /Link
/A << /S /GoTo /D (types_of_resource_records_and_when_to_use_them) >>
>> endobj
-964 0 obj <<
+1248 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [190.6691 179.6723 249.6573 189.0819]
/Subtype /Link
/A << /S /GoTo /D (rfcs) >>
>> endobj
-958 0 obj <<
-/D [956 0 R /XYZ 56.6929 756.8229 null]
+1242 0 obj <<
+/D [1240 0 R /XYZ 56.6929 756.8229 null]
>> endobj
-959 0 obj <<
-/D [956 0 R /XYZ 56.6929 744.8677 null]
+1243 0 obj <<
+/D [1240 0 R /XYZ 56.6929 744.8677 null]
>> endobj
22 0 obj <<
-/D [956 0 R /XYZ 56.6929 651.295 null]
+/D [1240 0 R /XYZ 56.6929 651.295 null]
>> endobj
-960 0 obj <<
-/D [956 0 R /XYZ 56.6929 612.4036 null]
+1244 0 obj <<
+/D [1240 0 R /XYZ 56.6929 612.4036 null]
>> endobj
26 0 obj <<
-/D [956 0 R /XYZ 56.6929 555.4285 null]
+/D [1240 0 R /XYZ 56.6929 555.4285 null]
>> endobj
-961 0 obj <<
-/D [956 0 R /XYZ 56.6929 530.6703 null]
+1245 0 obj <<
+/D [1240 0 R /XYZ 56.6929 530.6703 null]
>> endobj
30 0 obj <<
-/D [956 0 R /XYZ 56.6929 416.0112 null]
+/D [1240 0 R /XYZ 56.6929 416.0112 null]
>> endobj
-962 0 obj <<
-/D [956 0 R /XYZ 56.6929 391.253 null]
+1246 0 obj <<
+/D [1240 0 R /XYZ 56.6929 391.253 null]
>> endobj
34 0 obj <<
-/D [956 0 R /XYZ 56.6929 164.815 null]
+/D [1240 0 R /XYZ 56.6929 164.815 null]
>> endobj
-965 0 obj <<
-/D [956 0 R /XYZ 56.6929 137.4068 null]
+1249 0 obj <<
+/D [1240 0 R /XYZ 56.6929 137.4068 null]
>> endobj
-955 0 obj <<
-/Font << /F37 802 0 R /F22 737 0 R /F39 899 0 R /F41 939 0 R /F21 714 0 R >>
+1239 0 obj <<
+/Font << /F37 1026 0 R /F22 961 0 R /F39 1161 0 R /F41 1218 0 R /F21 938 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-970 0 obj <<
+1254 0 obj <<
/Length 3415
/Filter /FlateDecode
>>
@@ -3667,60 +4436,60 @@ txÕÁ(1Âùãqt0úØÇ‘C×µLm›§:ÂÄ$è’y¦
·o¾Àbº¦úž&\Õ=¯d‚Ó÷aŠKѨðÀæ@pð
–þvA•c«ÇøÀ†û,¤ÆAg€hCõoœ€}¼ew8ýš*çÐð‡#çô/œÿn1]/‚0Péú\í8 °ef´>+sŒBOD‡+^ .ùRéØ{
endobj
-969 0 obj <<
+1253 0 obj <<
/Type /Page
-/Contents 970 0 R
-/Resources 968 0 R
+/Contents 1254 0 R
+/Resources 1252 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 954 0 R
-/Annots [ 973 0 R 974 0 R ]
+/Parent 1226 0 R
+/Annots [ 1257 0 R 1258 0 R ]
>> endobj
-973 0 obj <<
+1257 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [519.8432 463.1122 539.579 475.1718]
/Subtype /Link
/A << /S /GoTo /D (diagnostic_tools) >>
>> endobj
-974 0 obj <<
+1258 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [84.0431 451.8246 133.308 463.2167]
/Subtype /Link
/A << /S /GoTo /D (diagnostic_tools) >>
>> endobj
-971 0 obj <<
-/D [969 0 R /XYZ 85.0394 794.5015 null]
+1255 0 obj <<
+/D [1253 0 R /XYZ 85.0394 794.5015 null]
>> endobj
38 0 obj <<
-/D [969 0 R /XYZ 85.0394 570.5252 null]
+/D [1253 0 R /XYZ 85.0394 570.5252 null]
>> endobj
-972 0 obj <<
-/D [969 0 R /XYZ 85.0394 541.3751 null]
+1256 0 obj <<
+/D [1253 0 R /XYZ 85.0394 541.3751 null]
>> endobj
42 0 obj <<
-/D [969 0 R /XYZ 85.0394 434.1868 null]
+/D [1253 0 R /XYZ 85.0394 434.1868 null]
>> endobj
-975 0 obj <<
-/D [969 0 R /XYZ 85.0394 406.5769 null]
+1259 0 obj <<
+/D [1253 0 R /XYZ 85.0394 406.5769 null]
>> endobj
46 0 obj <<
-/D [969 0 R /XYZ 85.0394 301.1559 null]
+/D [1253 0 R /XYZ 85.0394 301.1559 null]
>> endobj
-976 0 obj <<
-/D [969 0 R /XYZ 85.0394 276.6843 null]
+1260 0 obj <<
+/D [1253 0 R /XYZ 85.0394 276.6843 null]
>> endobj
50 0 obj <<
-/D [969 0 R /XYZ 85.0394 200.1512 null]
+/D [1253 0 R /XYZ 85.0394 200.1512 null]
>> endobj
-977 0 obj <<
-/D [969 0 R /XYZ 85.0394 175.6796 null]
+1261 0 obj <<
+/D [1253 0 R /XYZ 85.0394 175.6796 null]
>> endobj
-968 0 obj <<
-/Font << /F37 802 0 R /F22 737 0 R /F39 899 0 R /F41 939 0 R /F21 714 0 R >>
+1252 0 obj <<
+/Font << /F37 1026 0 R /F22 961 0 R /F39 1161 0 R /F41 1218 0 R /F21 938 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-981 0 obj <<
+1265 0 obj <<
/Length 2457
/Filter /FlateDecode
>>
@@ -3739,39 +4508,39 @@ S¦…€Äüœºã2±öŠ 41ÑÍ–,÷úBäí]¨u›«˜úDOâ‚ÙLë–3žatÙ±º÷5vxnïH‘šªmÝóìAߌå
M­
 ZãŠÜƒ[æž.ÇñS!L%:P–ô˜¥Hé!”·i"®"!G­š¼ü…3Ãø(M¶æÒ?/ÕºðõwÕNïÉzê-çÕÃÿ­@úÂ?Dþ ÇD÷ÿï2ýý¥Ê2¹ü—ŠÌ OÕÈŠ%ºaÜÿ?sËùy;:»endstream
endobj
-980 0 obj <<
+1264 0 obj <<
/Type /Page
-/Contents 981 0 R
-/Resources 979 0 R
+/Contents 1265 0 R
+/Resources 1263 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 954 0 R
+/Parent 1226 0 R
>> endobj
-982 0 obj <<
-/D [980 0 R /XYZ 56.6929 794.5015 null]
+1266 0 obj <<
+/D [1264 0 R /XYZ 56.6929 794.5015 null]
>> endobj
54 0 obj <<
-/D [980 0 R /XYZ 56.6929 717.7272 null]
+/D [1264 0 R /XYZ 56.6929 717.7272 null]
>> endobj
-983 0 obj <<
-/D [980 0 R /XYZ 56.6929 690.4227 null]
+1267 0 obj <<
+/D [1264 0 R /XYZ 56.6929 690.4227 null]
>> endobj
58 0 obj <<
-/D [980 0 R /XYZ 56.6929 550.0786 null]
+/D [1264 0 R /XYZ 56.6929 550.0786 null]
>> endobj
-984 0 obj <<
-/D [980 0 R /XYZ 56.6929 525.2967 null]
+1268 0 obj <<
+/D [1264 0 R /XYZ 56.6929 525.2967 null]
>> endobj
62 0 obj <<
-/D [980 0 R /XYZ 56.6929 393.0502 null]
+/D [1264 0 R /XYZ 56.6929 393.0502 null]
>> endobj
-985 0 obj <<
-/D [980 0 R /XYZ 56.6929 363.1913 null]
+1269 0 obj <<
+/D [1264 0 R /XYZ 56.6929 363.1913 null]
>> endobj
-979 0 obj <<
-/Font << /F37 802 0 R /F22 737 0 R /F21 714 0 R /F39 899 0 R >>
+1263 0 obj <<
+/Font << /F37 1026 0 R /F22 961 0 R /F21 938 0 R /F39 1161 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-988 0 obj <<
+1272 0 obj <<
/Length 2097
/Filter /FlateDecode
>>
@@ -3787,402 +4556,494 @@ hZã|jY/ýE‰áÝN6“dy 8xp]7b~{é0h”~’e±½„3×rÓ,Ã,*r¸2Ư{ë³½ŸØøÎê±×꛼cµ¬Ë"
Ìk
âþî^̲EÑÅk˜èP<sgÕ1B ÚÖP!žÅj˜K±dx ’;mêá6¨BÐ ¾I½Ÿp
endobj
-987 0 obj <<
+1271 0 obj <<
/Type /Page
-/Contents 988 0 R
-/Resources 986 0 R
+/Contents 1272 0 R
+/Resources 1270 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 954 0 R
-/Annots [ 994 0 R 995 0 R ]
+/Parent 1226 0 R
+/Annots [ 1278 0 R 1279 0 R ]
>> endobj
-994 0 obj <<
+1278 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [519.8432 268.1131 539.579 280.1727]
/Subtype /Link
/A << /S /GoTo /D (acache) >>
>> endobj
-995 0 obj <<
+1279 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [84.0431 256.1579 143.5361 268.2175]
/Subtype /Link
/A << /S /GoTo /D (acache) >>
>> endobj
-989 0 obj <<
-/D [987 0 R /XYZ 85.0394 794.5015 null]
+1273 0 obj <<
+/D [1271 0 R /XYZ 85.0394 794.5015 null]
>> endobj
66 0 obj <<
-/D [987 0 R /XYZ 85.0394 769.5949 null]
+/D [1271 0 R /XYZ 85.0394 769.5949 null]
>> endobj
-990 0 obj <<
-/D [987 0 R /XYZ 85.0394 574.3444 null]
+1274 0 obj <<
+/D [1271 0 R /XYZ 85.0394 574.3444 null]
>> endobj
70 0 obj <<
-/D [987 0 R /XYZ 85.0394 574.3444 null]
+/D [1271 0 R /XYZ 85.0394 574.3444 null]
>> endobj
-991 0 obj <<
-/D [987 0 R /XYZ 85.0394 540.5052 null]
+1275 0 obj <<
+/D [1271 0 R /XYZ 85.0394 540.5052 null]
>> endobj
74 0 obj <<
-/D [987 0 R /XYZ 85.0394 447.7637 null]
+/D [1271 0 R /XYZ 85.0394 447.7637 null]
>> endobj
-992 0 obj <<
-/D [987 0 R /XYZ 85.0394 410.3389 null]
+1276 0 obj <<
+/D [1271 0 R /XYZ 85.0394 410.3389 null]
>> endobj
78 0 obj <<
-/D [987 0 R /XYZ 85.0394 348.7624 null]
+/D [1271 0 R /XYZ 85.0394 348.7624 null]
>> endobj
-993 0 obj <<
-/D [987 0 R /XYZ 85.0394 311.223 null]
+1277 0 obj <<
+/D [1271 0 R /XYZ 85.0394 311.223 null]
>> endobj
82 0 obj <<
-/D [987 0 R /XYZ 85.0394 189.9853 null]
+/D [1271 0 R /XYZ 85.0394 189.9853 null]
>> endobj
-996 0 obj <<
-/D [987 0 R /XYZ 85.0394 156.0037 null]
+1280 0 obj <<
+/D [1271 0 R /XYZ 85.0394 156.0037 null]
>> endobj
-986 0 obj <<
-/Font << /F21 714 0 R /F22 737 0 R >>
+1270 0 obj <<
+/Font << /F21 938 0 R /F22 961 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1000 0 obj <<
-/Length 605
+1284 0 obj <<
+/Length 591
/Filter /FlateDecode
>>
stream
-xÚ¥TÛr›0}ç+x3EÕô˜ I;ŽÁÓvÒ<8FI˜bD¹8ÉßW “Ä}ê0 Ú=»«³GZ°‹ôƒ]ÂPáF"€ aænwr5vé`ãAþ4ê4u¾^ÐÈP„$tÓ‡I-çØM³[@ ƒž®€@²^.¯W@Ÿ{>a\/ãÕ‰ -.+ù™¤ñ<ñ|* ξ,Óxe b Î6'×ëÕY<Z7ëÙ*žÇ‹4ñîÒ+'Nßz˜ö‰íøãÜÞ!7Óí^9RÁ™û¬ ±ÄÝ9£”ŽžÂIœ›·‚tH=ªFÐŽ`œ*Ç$<"£ržÒštU¥êVfVµJÖ›6/­b¯M+wMß±®K&‚\ŸpF‚gÉ™–•P+ %ãت]•²1Ö¦ÌÌ¢ö8èJëU¥IÙ³ØÔæàQ³ìv÷²¶‘æ».ó¿ÈK“¨´{´±´ßoiv¡`‘zŒ?“u¾×}ëÞún0†‚1#Ï^ÖM®zv„Þ„S0Ï·/Õ¨‡Ö@ßûJy™©çÆÄ4ÝöÉ@ëù
+xÚ¥TKs›0¾ó+t3AÕtt’:3Nƒû˜4Ç()SŒ\ÀIóï+!°Iâž: ³«}|ì~Ú…
+ÕºÕõ«3uEó»$hô®ËZ«¤iëâa׺BÿÚ*Æ‘]…#;`ÞþÒþ{ã¿¡0FLzX¦ñÐS‘ŒÙ¾(Klô¡ða3?VþP%6endstream
endobj
-999 0 obj <<
+1283 0 obj <<
/Type /Page
-/Contents 1000 0 R
-/Resources 998 0 R
+/Contents 1284 0 R
+/Resources 1282 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 954 0 R
+/Parent 1287 0 R
>> endobj
-1001 0 obj <<
-/D [999 0 R /XYZ 56.6929 794.5015 null]
+1285 0 obj <<
+/D [1283 0 R /XYZ 56.6929 794.5015 null]
>> endobj
86 0 obj <<
-/D [999 0 R /XYZ 56.6929 769.5949 null]
+/D [1283 0 R /XYZ 56.6929 769.5949 null]
>> endobj
-1002 0 obj <<
-/D [999 0 R /XYZ 56.6929 744.7247 null]
+1286 0 obj <<
+/D [1283 0 R /XYZ 56.6929 744.7247 null]
>> endobj
-998 0 obj <<
-/Font << /F37 802 0 R /F21 714 0 R /F22 737 0 R >>
+1282 0 obj <<
+/Font << /F37 1026 0 R /F21 938 0 R /F22 961 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1005 0 obj <<
-/Length 1215
+1290 0 obj <<
+/Length 1159
/Filter /FlateDecode
>>
stream
-xÚÍWÉŽã6½÷W}’ˆæ¢}êt$‡ @ Ì!“-Ó¶0²¨H”N0ÿž"‹”í¶fæ0‡>ˆK±êÕ«â“Å~lQ¤„Š2YäeBRÊÒEu| ‹=ìýøÀ¼M’
-’&BÀdf7NEAÒ‚ç‹øÚÉ·ë‡Õœ-8%YÆÓÅz7ÅÊr8 àÀzû{ôrQý2æ)ÄòõÏx,!y‘3{ŒBˆŒ°R8û_äQ¡ñoª?…ƒ/º}O)ß½4µn½¾(I™ñÌ{É¡yž87?µp0g‘9ÔƒѨš€ÀòYá³ë—¬ˆô©Þ*´ôÑo ã~¯£¶8­nx§²ÑíÞ»¬ÍGûÜ5u«¼ÑN÷ŒªýpYÆ"çÑ»eÉ£KÌØæf³aŒ”iÊ]6áð*9èVnOÔI6£‹•†X0¨TodÝâDwŽ57”1u»ÈT –‘dܳ˜0’Ñ’¹¸‚°eÌ(…bÈcâ½¼¥br ;G‚žù.
-\·Ðš­lÀ0M#£í3q‘S ¿ï4B‡žÉx=7ÞòÏQõµ­½ì0#Îôh×ÖÖSív$6Np¼°[4¤Ñâ
-ê­½>k„’)œã¦U–~;9ûÅs=pdü)G%§ÂÚÉ®×GrÛ6H–¬šK¼K„ðÁJNXV„ÐOžnóëÅOsM‰Õš|Z ^’¢ÈË[»mÝC 4ÔßY>®”©Vörl76€] ½ÓýW;¹œËíª¯®³
-©ÞBg‘Íç°üÚ{áwÜ㣇fé¿vm˜Àº{íªuðÛÖÝFV¼ƒí¶Wƒg‹qà~l.³¿uë=<:°­ÛØž'²ïäã 7¯Ý„ÞPýl–»º Q]Éæ C ½Ç§9L­6õÎÝê/s:£÷ tÜ×IïyÐ{ÿâyÍA÷pëìÝþJÙwâÍJ'ôNåáêÞ«< aáU¤ß3h¬á$å`cÒàjˆçjoHüý‘)Î{ΓáHhJroEDõ—K (bؼ!¼E¿§„夼ð~\4¼Ökô:×È“zóßà"¥ãf«Óß„O`fPYJE0·{pÏc+JøO(®±Íi(„Lá¯H¨×RöÿRؾñÕö´ps/ºo°«ßé`cîÔ\VÕ$ AìÑûÌÅý”ðÉöõ*v‘\ÅÆ aGá9‰ÔVíäؘ¹@@ÃØk3ñÙœºkÉôçOá%× ®Ô¬t°7rÌ)Mþ9~ø~=}Ü„O‘û4÷ùLâ‹ ~û\w¼ %æ&G6¯üm°éCê>Ú¿x>—Ãendstream
+xÚÍWÉŽã6½÷W}’ˆæ¢}êt$‡ @ Ì!“-Ó–0²èH”NO‘EÊ›2sÈ%ðA\ŠU¯^-¤Ù‚Â-Š”PQ&‹¼LHJYº¨Ot±‡½ïŸ˜—IRAÒD˜ÌìÆ©(HZð|_+ùzý´úŽ³§$ËxºXï&[YXoÞjy4ª_Æ<¥‘Xþ¶þ%$/rfQ0‘V
+'ÿ“<(þEõ§pðMw)åû±—¦ÑWÃ%)3žy-#4ϧæ‡æ,2u3ت ,Ÿ~ý’‘>5[…Rƒ>ø­aÜïÕ`Ô§Õ-¯T¶ºÛ{•©q´A]ÛtÊ ítÀ¨ÆÇA‘e,r}X–<ºØŒ­oÖÆH™¦Üyc ¯’ƒîä¦õDd;:[i°ƒJõF6Nôѱæƃ2¦éö™bÁ"’Œ{F2Z2gW¶Œ¥ y8{o÷TLŠd§H0Â3Ÿ hRõêµÈª±îÚw\yýl”yj“ yY×p@d)¸Ý¶úÜØXØé
+¦ÝŽÄ$ Žw
+xfŒE_aNX0˜ÀSš¨¿S•/ŽJí‡/bƒ¦Nʯzßœ–±1—²éLœ¥åK­ˆÆV…BIØm
+JxI1|«ÄR{}Ö8!S8ÆM§,ývrö‹çf¨qdü)G%§ÀÚÉ®×r›6H–¬Ú‹½‹…¿ðÃJNXV„ÐO^nóëÅ¿_æ’£5é´¼$E‘—·rÁûºÿäøµ“mÓC\4&Å=î˦“}^)S­l9m7Ï.HÉhòd×.¿oýˆï`¢Ñy'øŸ{ ¸@েÌé¿v€F1yçŠÜ…®öÛ­ÖǬ>}ΆÜn{5xB‡ÀÍô§î¼Þg'²MÛóDöGùüŘ˜÷ã„.±~Ö÷]Ó+­®d[ëÁpúùeS§M³óôwzži~ÅôÌ•@2BIOWW‚¿›^GSë
+Ó–ÿ¼\g¥» ÜE
+¾qÂôrœº=ȘZ\ ö\FØÿxd²ó‘ód¦·$4%9‡‹{¦úÃ9šfؼ!¼‚¦ÿH ËI)xáõ8kØ;ߥo…­<©»çÃ¥ÛŽ›­>L/‰ÁÌ ²”Š,`îö$àžÇV”ðl×ØæÚ,˜Lá5]Ö·[öhLs&¾Ñ¡0ÌC/—U5U}hõö5¡æ^uº…®û]}á¦×=}»ž^êáý-Rb_ósoù _dð!AK"8YXù½±é_Á£µ
endobj
-1004 0 obj <<
+1289 0 obj <<
/Type /Page
-/Contents 1005 0 R
-/Resources 1003 0 R
+/Contents 1290 0 R
+/Resources 1288 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1011 0 R
+/Parent 1287 0 R
>> endobj
-1006 0 obj <<
-/D [1004 0 R /XYZ 85.0394 794.5015 null]
+1291 0 obj <<
+/D [1289 0 R /XYZ 85.0394 794.5015 null]
>> endobj
90 0 obj <<
-/D [1004 0 R /XYZ 85.0394 769.5949 null]
+/D [1289 0 R /XYZ 85.0394 769.5949 null]
>> endobj
-1007 0 obj <<
-/D [1004 0 R /XYZ 85.0394 575.896 null]
+1292 0 obj <<
+/D [1289 0 R /XYZ 85.0394 575.896 null]
>> endobj
94 0 obj <<
-/D [1004 0 R /XYZ 85.0394 529.2011 null]
+/D [1289 0 R /XYZ 85.0394 529.2011 null]
>> endobj
-1008 0 obj <<
-/D [1004 0 R /XYZ 85.0394 492.9468 null]
+1293 0 obj <<
+/D [1289 0 R /XYZ 85.0394 492.9468 null]
>> endobj
98 0 obj <<
-/D [1004 0 R /XYZ 85.0394 492.9468 null]
+/D [1289 0 R /XYZ 85.0394 492.9468 null]
>> endobj
-1009 0 obj <<
-/D [1004 0 R /XYZ 85.0394 466.0581 null]
+1294 0 obj <<
+/D [1289 0 R /XYZ 85.0394 466.0581 null]
>> endobj
102 0 obj <<
-/D [1004 0 R /XYZ 85.0394 237.1121 null]
+/D [1289 0 R /XYZ 85.0394 201.2466 null]
>> endobj
-1010 0 obj <<
-/D [1004 0 R /XYZ 85.0394 206.4074 null]
+1295 0 obj <<
+/D [1289 0 R /XYZ 85.0394 170.5419 null]
>> endobj
-1003 0 obj <<
-/Font << /F21 714 0 R /F22 737 0 R /F41 939 0 R >>
+1288 0 obj <<
+/Font << /F21 938 0 R /F22 961 0 R /F41 1218 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1014 0 obj <<
-/Length 1861
+1298 0 obj <<
+/Length 1768
/Filter /FlateDecode
>>
stream
-xÚÍÉnÛFô®¯ r¢€h2ÉasrÖ:HœTQji45²ˆpQHÊ®[ôßûfÞ¢d*v[-x˜íÍÛæ­d…yAH˜Ç^KPxi1¡Þ%œ½ž03ë€fC¨g‹É“W"òb‡<ô«.E¨RÌ[,?û‚2 Ô?;y÷r:ãõ?¾œOƒÀÿ»~ÿáåüdIqúþìãtÑXúÏ<ù°è îÆñüýÙ«Óןvx¦_o&/½CIF„o“Ï_¨·ßL(±
-¼kXPÂâ˜{ÅD‚Rˆn'Ÿ|œüÔ#œÚ«£šc”pòÕI6¦º &¡àªî÷ªÔÓYH©ÿˆ`G$+gÉrY“¤Þ$ðì#¨Çc¢TOĉƒ€[íÍÆ!(’¦ÕõS J÷VYÞQÉ«4É×UÓ’Z_=:€Æç,«6[Ý |Y!Èl”øŸ£Ôž<Á»çŽfR»I»Þc箯ºùªrý[RlrMÒªãp µäÃ+k€œ,/ƵÕI{úÁI o§›F7¸¬VNÌ<¹ÒC‰Ýy’çÕµ^:Un¬“²Yé»”üZ ³ý+ßÑ‹9a¡"à!rT  ¸ÇãßÏ2Ø÷-#9¢¤C³(/ÉÚšÆ>ôß1ËȨCëØÇO.¾>ú®?XȾ}ŠvÌOFð#TÓ‰g‡Á+ó§¸uä½Øཞ¼âÌc’ á B
-8á,važOgŒª·U²Äü,É“2ÍÊKwÜ抄QŒ¡îd:*ð7uVdmfÞÙ,ám œM˜1·ÈÍì¢Gn—iRº}w7I×™¾Ò:s§6Ê˜É “g,ü ŽÛ¦ÇUló6Û䲞2åë´²ã²ÁÍ_i@›mºv´šQÕ÷hŒ2Np8ÀxX;6k£fR&…&=âˆÄ‚Gñ+ ªDçüas?[™]éßTSæoq¾¶>c`Û5’Öxp~~Žû}À1‹ë¬]ãy©ÛëªþŠÛÆ(íe ]æ¼Zá3™ r“ãÁ-¹»W.Úm‹Ç£1
-”H%0Òâľ5Œ·o Pé0KìN÷¤°±ªL°ÃW„e¡!èá´]'wšgºlÝöu–çn»*K:hͨ“ŽTaŒ©tdªnÒ®3d ùèØ6üŒHÙf…þá°&‰ íG”{"dD„Pܧ(aPv(¥ö‹’v«ãcÇŽr€÷(àrÓNº}T³N¦™1‘4î ž=ÿW‚P
-O@ ‰ã ´::‹ŸÎ¤Ì_,Þ‹ŠBÿùÛ“ÆWeÄýÅ/ ü“Œ‡þ\7ÕÖê?uþ2ïm×ÆGçó‡½HÚä𤂀ÒÀ0ûïÄ7Šf1Ô—ýë? FED êTã5d¯RÉ`B¥Uéõõ5TΗ>„yc Lø§g°%¹I!å¬wâãÚþ«‡DÆ*W  +¡Lz’UÎ-;­ÈC­Ð],;ª•½‡Õʃº!³mJp—V Ã0PÄ=µ"Žke@ï¡´²ë°þ‹èÈ)#Š àH€â"tƒ®Õ»Õòñ*+m!Ì€ÿˆññص|<
-$dî0x^Ý&YŽ'UéÆN}¶x3P;³ƒŠÓˆ ,]ëô+;ó²-ÉΣ8xq¨8±ÆVCI9«ê%vF‡îq€Ké`›íŬ1ŽP ÁuûÈGiÅŒ0ó‹ ¯W›6VGȈ‚Aud:V¤
-1j Ô»³¤ºï߻Ɉ¥Ž$vÈ
+xÚÍXYSãF~÷¯Pñ$WáaáÉ Ë†kˆqB¥6û ¤1V­,y%ÇI忧ç’d#›JJsõôñMOwˆ…á#–ë!/¤¡å‡r1q­x9ÀÖ¬}M32D£.Õ»Ùàä‚ùVˆBzÖlÞá Äš%Ÿl†(l_]χ#êbûÝøj<9»œ|Žq©oŸ}?¾™½ŸªU¦é'ãïÕÌ-,¹®ý³¡8»ž\\~øi:úŽ=»¼ž ?Ï~¼Ÿ5w­"˜ u¿>}ÆVÆý0Àˆ…km`€ Cj-ŽËë0ff²ÁíàdžagUníE‰`D™G{`rH¦ÀCn€ËwCä1Ê$L''ч±=[¤•ê™¶^pÕIø<Zgµ°r(t]*wGYVlF_×¼Ü*Ú?TåÛSÕûó´oŸ‘z^¨6/jÕY•ÅcšhÁ%×e•>êaÅËÇ4æ»üÔakÊ"7ì”Ô Qøá®ðV%ÊP(Ž©«ÒMWƒÈ(òÈËJÏ-£Õ*ÍÔ`^”{heE±ºâ/Ï™%IÉ+3¡>Â𑾿¹æ{$i€6ÍGb?ŠÊUtdP[÷ŒUÈÔÛU£wUó²÷8æif¤dEe‹¢ª}ÔK ‡•Î·Ï#MöîCá΀\ò= •ªí©›~ƒ6ÿ-Z®2ŽâbùjÊ·«Ã%÷GÏZ{y³sö\Ÿ~1×ffQ×ÏÁÝ4¹¸a<Ñ
+tèErÆ)LÌ ìÔ)ÂpÉ!è©n½ˆ4ï8Ky^ëéMšezºÈsk¿²å‘µΔk1…éÔ‹T©¦ô0j }z¬¬Ó%ÿn¿ô¡ô1µ(Ô¾ç{¯ª$ ÔŠAìV’o—Ñ££ëA Ô> ¼t×ìØe526¨CP@¨Ó”©; `;³¨ã‚D&àñÑ0bÏfW£|Ï>»ߊ»êøÔžýr5»C¨gOyU¬%þ±¾/ÓÆWÔXÜÑé´½açQí€@Àó°kieÝn¿@š„PnþŠøìúì@åo e 9S˜n6xïøÔ±!Î %̾œÀ”CePò0%Í-> OGðÿ%Áž~xˆ ïFL0† ÒœÄÇ â죂Û`v•Ž¼·E…¼%*ØE¡ã¿
+¡¦cÞ+Aa‡AiŽ&í«ø¿Ž‹ÐÀˆ¬w dÝçù“g:õ¡°
+˜8I wÝöÇ?ób
+|HÜï\*“Iv‹LÖ»bF¼ÂS‘…Å@ ¢IG<\Û-MÚ„ÄÌ<Ï~w99Wë:ëÊ¢ŽjÞ0Yjé"qwä¯
+3!“£¢mõÙ΢z0«=9ðIF§~(K3ÑFªI ŒUñZÄy-*¨ŠÔ¥M)~Ë ö¥Þ,Õ]i–÷Å£¬Ž¿ÍübAa zð2JŠe¶Õ#¥ —hg¢_ãF¨Q®Tº’ã¾Ç=ÖÿŸNUÛŒuKô¼*šº º?ºÁöGx¶«™Ö&h› ·®tFT
+ÊTˆiivíÚÔ«×eΓ=5’´Š£.mÃU;GÝ©ÔE^à9"–JØCàxy¥™Zÿqdkà“µ› jÝ
+Na>¤¯xÁã/jY»—|‘´7ŠÂ-Ý M¤³•PQŽŠ2Q£ýëq€:Ž¦­Ö÷£J\„¥r8.ù ¬ "~AªíŪNAÕ1̃`àùFŒ!Mr¡äå‡~-zP©Ä¢VÊKu¦}?N[êÃFÓ=¦SYl‹3¼îb¿§ ”Cˆ¹Ê[öOÂ]Có¬ûœ„èéÌEc½â°õbz|í/×<ÇG,„i¸Ï(ôY«•P=x¢ºù7Û£û_`#~›endstream
endobj
-1013 0 obj <<
+1297 0 obj <<
/Type /Page
-/Contents 1014 0 R
-/Resources 1012 0 R
+/Contents 1298 0 R
+/Resources 1296 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1011 0 R
-/Annots [ 1019 0 R ]
+/Parent 1287 0 R
+/Annots [ 1303 0 R ]
>> endobj
-1019 0 obj <<
+1303 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [55.6967 190.8043 126.3509 202.8639]
+/Rect [55.6967 61.5153 126.3509 73.5749]
/Subtype /Link
/A << /S /GoTo /D (rrset_ordering) >>
>> endobj
-1015 0 obj <<
-/D [1013 0 R /XYZ 56.6929 794.5015 null]
+1299 0 obj <<
+/D [1297 0 R /XYZ 56.6929 794.5015 null]
>> endobj
106 0 obj <<
-/D [1013 0 R /XYZ 56.6929 480.2651 null]
+/D [1297 0 R /XYZ 56.6929 372.6686 null]
>> endobj
-1016 0 obj <<
-/D [1013 0 R /XYZ 56.6929 441.7923 null]
+1300 0 obj <<
+/D [1297 0 R /XYZ 56.6929 334.1957 null]
>> endobj
-1017 0 obj <<
-/D [1013 0 R /XYZ 56.6929 373.7178 null]
+1301 0 obj <<
+/D [1297 0 R /XYZ 56.6929 266.1213 null]
>> endobj
-1018 0 obj <<
-/D [1013 0 R /XYZ 56.6929 361.7627 null]
+1302 0 obj <<
+/D [1297 0 R /XYZ 56.6929 254.1661 null]
+>> endobj
+1296 0 obj <<
+/Font << /F37 1026 0 R /F41 1218 0 R /F21 938 0 R /F22 961 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1307 0 obj <<
+/Length 2693
+/Filter /FlateDecode
+>>
+stream
+xÚÕZK“Û¸¾Ï¯Ð%NÅDˆ9­×·*öÆ–³ÇUáˆÄ¬DjEjÆ“ÊO @$Žìò)5`³»ÑÏÀÐEt‘K’ðB,²B™P¹Xío’ÅÞýtC-Mìˆâ!ÕË›?¿æÙ¢ EÊÒÅr=à•“$ÏébY}Š^üõù/ËWïoc&“ˆ“ÛX¦Iôöùß^áÌx%eôGñâÝÛ×o~úøþùm&¢å›wooã,)|yýÛw¿¼:÷áöóòç›WK¿ŠáJiÂõ~¿ùô9YT°àŸo‹\.à!!´(Øb#$'Rpîfv7nþîÞšOC–“<'2gYÀtŒ.¨ \¤ld;Y
+ XݷǺÙàs«64÷e½3|As­«7èÚ·“¥w]¯ö8Ht–ó&\µM¼¥yÔîvFªù@«£•º;m6~Þso¼a»a+cXâ½;²,‡8Îr~v®wïKo!d3p÷¼2ë"F ’Hª£ZÓTõ&À‚¹<·4Ï\Éó¬°[Ð/Ä¥ <͘ç3Aõ.Ù1X?Ë…%mº]Ûþv:x
+ )E3Kx@çlŽå^G?Ï£ÒÌhósŠÝgWí~nƒð¤Â‘MŠ.‡9 ;ÁwøôûIÑÃðdË ëØÎxbe¤` G˜ÿѺ¾^k­Ö.êƆGÿ¸S“ jOýáÔû8Ü—=¹¨~ xJ²ÌÁÀI’†ë¼%Š‡T®X]ÖyO5Š¡Ì>É9{Z¦#
+ÈÅEá•
+9º4é“dQÕîKc!¨uƒ60õE¿Ü ÇÆ”ðüÏD&¡ ‚@´ñoˆràD‘§.lZxï4Úëø6#ítÐÆx (Ðk0vØ©ÞÒ·kÏ ³S6 ÍØ„t@V¤ÑËx[v6–$hžðtRÁZ]ç(¨ö/·± ,êj-ç릇B»rE qdBÌ•øÜA<»ÏL|›Š¢ë/®ÖÒè®ìWÛ)«‡mí&Õµ:õXç©cìØWTU®¶ã$(ñgWw6êõLñ´½C? gKÙ(m>N“èùîò}{À6ŠÜ}=Ы•êºúÎ%݃i?©ßçja¥]f €"–C6ˆŒP‘ñMIÁS ãPªØ
+q‡\1Äl3J2>²ŸÆ¦ãòS|ݸõf^PØ(¸ª¿Î-ÕôW]ö9P¯¡6
+ˆe“ÒÊ5°ÉòT°§18ƒ‚øŠzèR÷ÛÊHí€:ê[ýGu8eÒ¦^y‹™´m“D0ef «tNdô£%®Ôº<ízí|³ßÄYØBA\÷~u§ú¥|µEXÓX[ü#`ž&l\­|€½Ñ0§Q½ÛºUÖ]§\ÐÝ9ð\÷nC|j̵´K×áëâèÎF¨úÒ«¦RVÊÃåfyXD†¡> DƒŒ~Wò˜‡žê*4àEJ( ‡è×ê4ä1 <•Mlqù¢Ú5ÇnùpïzF¼
+u"yŸ ×çº(+`:mBñÛ«
+v‚_Ñ&-Ë÷–Ðùs’LŒ“é¨úc­º¯ç½¿ªîzWnBˇ¢—ålÊOøQ‚x# £cÇl»„“¬ðܯb¼ocàÁ
+° ‡åþßv×ùöKð_×^9ø>KRñt{RÍ·WO5=öµXFO2ö´dOuE4åv-¹œ—}yäøÐ9ézÌ2Ž[r=p[r.³ñ6\¿DçÁ i›xðV÷ÎÜö³!=îµÍ—»]ûàdmí$´¡#öÉ´ ”3ß'éù 3Ë4H„¶n6Äðd­`ds€F>ã¶<ËÎ1 ïLØÂ\yך^
+Ã{˜.u{²ßéh²C»ÀÔ‚V;‹|S¯ÐákÇ©glÀ„IÏ4px€P˜aúp+È
+#si¿Xô ªGfœ¥V˜ž2G·ð{Þ÷觑²†l=âà¶VfªÅß;ûFç­sIË«'eóÍ…–
+(>pGÊìéóÉ¥ñ7Þ“†>ïÏê‡]ùè¸Cø½Úø«‰CyìÇWþÔ
+p¬xJ´§¹=vrB þ²¡ðÙ£,ˆ†—
+N8çŒd¬`—·Àvÿ¤?í.îü›¾ü2õÃ%0'üµµQ†Ìè‘2ÂÒTúÄ„íû&·×ˆã<dÏÄŸ¼÷?²œÿ¿Gd„çùÌ9#×çŒ,ñJiõ‹©âþ^.5ÿ+Lendstream
+endobj
+1306 0 obj <<
+/Type /Page
+/Contents 1307 0 R
+/Resources 1305 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1287 0 R
+>> endobj
+1308 0 obj <<
+/D [1306 0 R /XYZ 85.0394 794.5015 null]
>> endobj
110 0 obj <<
-/D [1013 0 R /XYZ 56.6929 167.4388 null]
+/D [1306 0 R /XYZ 85.0394 769.5949 null]
>> endobj
-1020 0 obj <<
-/D [1013 0 R /XYZ 56.6929 126.8733 null]
+1309 0 obj <<
+/D [1306 0 R /XYZ 85.0394 744.949 null]
>> endobj
114 0 obj <<
-/D [1013 0 R /XYZ 56.6929 126.8733 null]
+/D [1306 0 R /XYZ 85.0394 744.949 null]
>> endobj
-1021 0 obj <<
-/D [1013 0 R /XYZ 56.6929 98.4089 null]
+1310 0 obj <<
+/D [1306 0 R /XYZ 85.0394 721.0357 null]
>> endobj
-1012 0 obj <<
-/Font << /F37 802 0 R /F41 939 0 R /F21 714 0 R /F22 737 0 R >>
+118 0 obj <<
+/D [1306 0 R /XYZ 85.0394 672.3079 null]
+>> endobj
+1262 0 obj <<
+/D [1306 0 R /XYZ 85.0394 647.0603 null]
+>> endobj
+122 0 obj <<
+/D [1306 0 R /XYZ 85.0394 136.5325 null]
+>> endobj
+1314 0 obj <<
+/D [1306 0 R /XYZ 85.0394 113.5963 null]
+>> endobj
+1305 0 obj <<
+/Font << /F37 1026 0 R /F21 938 0 R /F22 961 0 R /F41 1218 0 R /F53 1313 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1025 0 obj <<
-/Length 2719
-/Filter /FlateDecode
->>
-stream
-xÚÕZÝsÛ¸÷_¡—NåéÅA°O—Ë%×ÜÌ%×ÄiÒÌ”– ‰w©);Îôï À$EJÎø©ãàrw¹Øf3
-l¦SBE.gY.IJY:[ì®èl Ï~ºbž& DI—ꇛ«¿¾Ù,'¹âjv³êðÒ„jÍf7ËOó—ñëÍ«÷× Oé\ë$UtþöÅ/¯på<JÓù?ÅËwo_¿ùéãû×™œß¼y÷ö:Éh.áÍËï¾ûõÕã{®?ßü|õê&~E÷Köþ¸úô™Î–ðÁ?_Q"rÎîaB Ës>Û]ÉTT
-V¶W®þvžºWÇ,—
-MRͳÓq6fº4'JpáLg¿™v0JéüDzXWuÓ– üÚ›kÆؼ®·ýRàÇ;üè,áŠä<˧›ñD]¡,'4eVWK³,×#Œ˜$¹ÚÓ|7ÂE­A l@Á1.9*ã‘KÂ%›Õr„‡ÝáZzÒªÙÖõïÇýO™‚õYæ ÷‡k¦çõúPì`/ô¼p+ÆNòy±Ýâê¢Þí¬`7Ù–•ÁQëìèHWõ×€îï=àì£9<”ÕgU±óœs¸3‡†X g ãXÂÎ3Fò4åÁü¸iËreµZ™ÎË
-›öakpˆÚÁ >¶ûc‹cPjW´äħ)ì šÒ98WÎÆ£×%]ªiŒT§èÊÌá-øy™hDfÏ/(¸—’i_¨õÖ„Ól¾¬w…³Õ`)´AYWøp;¾w¦„ù¿iJÇœ\JÞ&¾ÁËCžeƒÂÛ ÑÎú·ÙMmܮƒí·¦õôõ*2hü’wh7vnyçjþÆ3Þ÷¥4§Bõ}©½¯¯A¨²4Íß®Éø¼)­P\/«ÖŠE[Þ™GB9×K
-œ7àÏá5çß.¥@x
-&ñ‹ì“Û¢]l†¬î7eX4_ÌâØšgE—ýÚ×à \Ú–A7
-üÙ–÷zg=¬]lq‚œ=ee¬ù£óÛÓçõÞºKã¹Ç|`'‹…išò6Ý
-i‡3Ün<f /í4¡Ôq Ñ  ÊáH40ÈÄB¥0 P"º<Nã“QKõ(ÉZócS¬Í¤NB‘jõ,:<œNrT§@B,QàeŸ¾ÇPKEç‘­ÒÔ‡fO$ëqŠp[Oöy„Qp*ט*NIF´ѧF)ɳLyç=Iû°7#¼ 8gYª£Rø•cºA\÷x.¶EÓŒ0U)ÉR!Lÿ2• ’[äÒåŠ.>Â6c$=ûÍ!]Åïä§ä²qËõ´ q£üé¢þ6¶LÕ^ܲÏ#ùrcN$…µ ðõX7 RÍ1d‹qÙļ2R(¨¨¦óó…"#RÈà½÷eH:mñ»ä[®FÄ
-µSR¥ÎKT#bù ¯
-‹ª{r§Q<“ü<
-Ä”-À4ÿà‰—fU·­Ý|ªÅÕE][· ¾ukÚ{c*|´ALËU{ð#áÈ¥(©
- ìÅ8•ñÎY,—èÖMc‚ÓÝä\¶Þ;WÇjaݲðŸnÝ7øÑ­÷Pó¥5ÕÒx)÷e»u7…t]}¤”ª`'ŸQƒ»<¦qA¤ºˆ dÆ…CÖstêò˜Æ‘*º&V‡¤x¹ÜV‡ææþ.Œd1V†Ľ–¡8N•PžÃtX’·ÑGµ¬ÛI~ñL¶Nà†~á‹üþu™_¹3p |Bô,ß°„²¯‰Ê¹ì×ýƒi¥ižÎ{wQÝÕ¶X}>$½Ló!?Gj ßõ
-°Lªœ0Áù EàTÊ,D„ªîÃ0ó-+ù€ó?ÎñHže> ÏœÛÂZq[»R
-Ã;X.e}ôïYoòCÿÊCV¿Š|UTh€oÇ¥W|À‚ ‚È´×8Àâ@˜cø/Èþ³ùÛ¾Y‘Ðh]VÀnK9àIЖ~;6~䫽&³B1úÄC, Älnüê ØyèrÀþõ@<â±ÁÜCú“(Bdê {Šèò˜F‘ê"ŠŠ’”«gu<º<¦QD¤ê…¨¯˜ !PMŸ:KA¤êb䤭“U:Ðý“³&Œ†@ÿ/ÊI¼8 ÏãÕÒhªò^qèG¶ÎƒSÂÈ9%üKâ¼j‰ ÷‡Œs
-ÙW°uµ>ÚórÓ]ò¬ÖÀ¾Â¡í‚¢ÿÂÄCqœxgÖ¡eí…áFçâ.]tÄqÑ]£Š*"c+˜òºu_a¤ÃÌ]ôÂtó°G)ªüŸäϾëji\°u™7ÎËK¼‘Ür¯ƒ"!‚sT]uŽ#)¦sTfü Üh0a&ç$2r»ŽŒNò‘àihžÂÈ*l1ÙÔŽÜG®¼0»äº¶ðûxê±³ž²ŽlÕãVn©Æß[ÿĆPmCÉÊ+G³np- üE3ÃàqËíÓζ¸¡öýx†1êZ20‹›9xË?Ý›Ei9›¡8¿«0òû Ñ4\ªÁÎI>µÆÜø ûèè~<Z{1,ö×&í
-°L³ø<qu¹UJ
-?°ú4`ƒ‚À•°qâI[„4Ú´áb+Þ³œÆsì–Ä»ÀËíé Ü”ΞuU9œ¹¼Ešé0ô›-Rbÿ³hD wsÏþ¦ÇÿëWZóq'ö2‚Ó¨”U>*ÿÑéTóÿQ”mFendstream
+1317 0 obj <<
+/Length 3508
+/Filter /FlateDecode
+>>
+stream
+xÚÝ[Ýsܶ×_qo=Íøâ‹
+©œä‹ëÛ/‰2)ñâzó~IE—À![¾}ù·W—+³åÕ«w—œ/ÿ?¦ÿÓϯ޽¼lyý槷W—+‘)¶üî//¾öçy|÷ÓÛ×o~ø¥çsùáúÇ‹W×aÕâŒê%üvñþC¶ØÀ‚¼ÈU’/¡“!¬Yì.§ˆ3JýÈöâêâïáà©y5¥9Æ3Ä9ã‹eHÂü)*œ#Esí rcI ÁÊ)¡Aù”/1âJñE ÒÊÿ¥-îÊ‘"€@b±L \ü%" X‘XR$O¥Eª‹]¹Y­ïËõ§uSß^®ò,[¾_}|øüÁ·;-ñ7¯9ðÂ9-3 h.›êP®»æðdI£i9C9áØQz®)žI<ËÛj[jáA~I²<p<U(Fã|!€¡ „¤Ï#Z ©ÆÛ¬ÔSèìsS6S Šæl^€@•€ µÂÀ¬E.b®ïb"i±B8Ê)&!æ oÉ`©ßšýáËesw(vö ›W[Û.ìÏ®h»ò`Û¿fÙ–¶}Û¸Áö©îŠßÝ;õÆ1j궂ëõÓ%Æx‰¦Î@®Œð/8CÓÇ2P=–¹µKA¿D¤‹éc¨R{çŽâæão߇ƒ¹N"ððÜíèz[´mâ
+³¡oÂH²p¤>&˜§™9‚ÇâP'¸Š”ŠÏär[T[
+Omµ<]dý.rlÏÿL
+‘Hd’yCÁÿ•å>SÐÄùuÖk)z¿=Ã&K9RBäÏ ¥â\(Í)Õ±χÒ!Õt( T?×ìö c2˜2ˆi˜‹yUB†(˜Â¡Ï@ŸHˆ«jWm À(_vM"°2Ž² OÖ©ÈšƒE½Þ€Ï4Ì+óË–Åö±xjíØæ¸Û·v¸»/í˜õùzB'ÄÍ.Èf_·Ýv_®+…Ëa±"C$Ïpì‡qZÛy÷´¯ÖÅvûd‡ª:Šð›êVÀÛÒ ;µ ð»¢Óf¦Œ„+‚2zn ˆ¦MÄiéõf}:£€s¸šÑÓŒgŒö‰ Ì æg¼6» ÉÒj`×t®oδðrSÀpmGõYä´µZÇ)p«ËX8Ú~]'‘ iy‚Æ–gŒÍ`
+QëO­e¿¾/êºÜZæ»fS‚qQ°ú7·Öf5òËsžÇ[ðÔ­ã:\Êå1%…,˜H~ÆÞ4©û±êî›cç³ç@›½>.OªÜÓÇJ[£u¨í~[<ENöh2›Q•mß)ZïmÍñþóTRÂ!yÄ"—_” YLçIêlžÄIŽÿ" XLçI*lÛL:Ä)JzûÖŽê.•¾äˆQJOd{&;——äH#§÷g9꣔‚|XüžÎòûT¦’ ˜«üÙ@ÔyÒ‚”ˆ`…Ÿ‹Eg”íÈBRî–J@Bh„#’J<»Mû@(!~¥•;‚éÆ­ýµQ6Ϊ¾OoÉL€R¤˜·ö‘5v™0vOdl½Ü6ÅfA,‡H=7i Í;`pwŒå,šöÖr4š¼;z<pZ
+%`[4© °Ê&À|¯¡ÕŒŠ<U¬#0B>™Ã ò*9•,¿Op1¦œª®ÈÉó7ÉÆŸˆ‡ª|LÉøQjF ~e`ßóº TceÆqN£ %q¬ÍáÖó¿«ʺßäé=C• göx@5³ÇžÊîñ-
+õuä%¸`5«Ë@4Rf{@=ŠSiÓ…ð€F
+­y`â„ÒzÇÙøëÎ š“„èÿ|Ùòendstream
endobj
-1024 0 obj <<
+1316 0 obj <<
/Type /Page
-/Contents 1025 0 R
-/Resources 1023 0 R
+/Contents 1317 0 R
+/Resources 1315 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1011 0 R
+/Parent 1287 0 R
+/Annots [ 1322 0 R 1323 0 R 1324 0 R 1325 0 R ]
>> endobj
-1026 0 obj <<
-/D [1024 0 R /XYZ 85.0394 794.5015 null]
+1322 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [219.3839 342.7466 281.1025 354.8062]
+/Subtype /Link
+/A << /S /GoTo /D (options) >>
>> endobj
-118 0 obj <<
-/D [1024 0 R /XYZ 85.0394 769.5949 null]
+1323 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [401.2123 288.8914 470.1877 300.951]
+/Subtype /Link
+/A << /S /GoTo /D (dynamic_update_policies) >>
>> endobj
-978 0 obj <<
-/D [1024 0 R /XYZ 85.0394 749.3395 null]
+1324 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [243.8464 235.0361 306.1963 247.0958]
+/Subtype /Link
+/A << /S /GoTo /D (options) >>
>> endobj
-122 0 obj <<
-/D [1024 0 R /XYZ 85.0394 221.8894 null]
+1325 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [368.2917 181.1809 436.8984 193.2405]
+/Subtype /Link
+/A << /S /GoTo /D (dynamic_update_policies) >>
>> endobj
-1030 0 obj <<
-/D [1024 0 R /XYZ 85.0394 197.4323 null]
+1318 0 obj <<
+/D [1316 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-1023 0 obj <<
-/Font << /F37 802 0 R /F21 714 0 R /F22 737 0 R /F41 939 0 R /F53 1029 0 R >>
+1315 0 obj <<
+/Font << /F37 1026 0 R /F21 938 0 R /F41 1218 0 R /F53 1313 0 R /F22 961 0 R /F14 964 0 R /F48 1238 0 R /F55 1321 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1033 0 obj <<
-/Length 3426
+1330 0 obj <<
+/Length 2924
/Filter /FlateDecode
>>
stream
-xÚå[Ý“Û¶¿¿BoáÍX>H‚lŸœÄN™Ú‰ïÒ´ãø'RwŒ)R©;Ë“?¾»øâ(y’δ“Î=€‹ÅbñÃîÇVþØ*ŠIœòt%ÓD”E«Íîá·o¯˜¡Y[¢õê«Û«/_
-¹JIóxu»ðJM¶ºÍß‚r hðúùß_\¯yDƒ›o¯£(ø|TýÍ÷/Þ>¿–apûêÍë›ëµ¤i|ý·çßßZŠË<¾~óúå«oìù\¿¿ýîêÅ­›Åp¦Œ
-œÂ¯WïÞÓUþ&Ñê *”°4å«ÝU …BØ–êêæêÇpð«êêÓ\QEa´Z‹$0¾ŠÅ$qe r³„C!JI,¸pÊÙ@ù #QšF+G…ʯ³]‘¯7Åæç¦.®×1¥Á»uþ˯߼·µ jêË—‘pcÖ %B.›*k[M4’§$Idj¨¿ÆÃOD0ûÈ2lŽÝþØy8ŽÉÇî"Ǽ<›®9œ<L£Ä<bS¦O¦°J¸¦L®ÖŒ‘4Šøïåþá¢È?Óˆ–÷us(4) ¤!#I(,×_<Ì8‘± ÁSv¨=\¸ )šúgrÙfeR±¥¥N¦“¬ÿ„“œÛóO^Cá ‘4 džòŸžîg
-êÙ¿F(M¡öþ%6ï<l"’J[Í•U€âáJ’p*‡ —ÉX¼’4"RJÿchÖ"…rœùŽC4
-Kïʺl»C'ŸnRæã“(b 5ª´6„Åf_
-
-yV™àHG©;¯¾h5ûÍCV×E¥™ïš¼
-èÁ¶dQAàæ°–ñ¼†TgTd©Æ:#Œ£·AD•,…Éï<\”)ûò*Éâþ[dcwÄcY<ùdoøYPÆáü¢`ßçué¨æÊŸsè]¤ ks¸ôÎüïËÇ¢îyqÔ@À »`Hµ¼ÆŽJ¯ñšß"âØs‹< ›—翼Ê!8 )ÀâYm:ª¹:'«  )ÁUéó"Ùühwð'|»¬ÄØ3S>¼‰¯-€¯ËS).Ø€êŒ-X*m àÔíÖžÁ£ˆ!Ä\ôOa0÷”Ãî<«PG5×èØ@A)&ÁF*}Û«ôìb›ÐänB»Ë 5¡à’MJDÄà 61 :c–J%ºEñÉ&Ëÿ”(á‰Ø°ô¼RÕ\«c»
-´6•ƒ‰tèÏͳ5m.l…J«…/rÌL°<Fåç%á ‘ÕÖÇÌp*ò²3Í:ow…þi—åÅðK\ÚJ5¦Ë0ņs¡ãÐTë zwÂ/C¥AÌmôuM„ÒÆêvšXßXÚdÇV©Ë ßë
-SÙ<l4IüÒuVéŠuÕ²3¬î a{ 7Rð7†Ê¤†èxÌþ^sn}>nóP|0&Vœ{e¥/ ¼3u›a{T ƒ#?¯L7gEXÑÚÐ}³®+v{µ6ÜÅÙœNxnA?F¬§‡²òN¡UgÖû7°ö©¨ñ 6‰’89_CªeürTZ¬ìi½Æˆò‡Ùÿð²>êYöžìL¥~Ov¤Óuv§Œ0Nzìâqª-3]í×]7÷V?,q¬° ¯›þ'ÝRƈeÊDB„Nn%Ë–I‡eÒb™Ëu‡mrˆm˜£Ç¹)dk·È–8ŒÀ&E,mÂB76šP33®þØâ™óÐ!/ÛÏ|Ц 
-}çŒAº!ŠÔÞ—ÆAÞªÆ4Œ 
-êÅDzíÊú¾ç1µ57Ì<äc¨*t0“¦A‰Xž&8“nyÈ ݦ}+…­Ql±û´ú÷­õƒ   ¦Ö­™nØ?æyI.8 cwK3LY4/„¯îþééÁÊ r:øOÍÍ™®VúlP7
-ÐZwwZÀ3™úš81gËÇ(hmêìßhdM™·˯‹Âæ‡ DM­;ÕǃM®Î»Í oØ•;;à,Ç:Æ,åòþ¢à%¾[RÙ_–Jåö»¬kçéVg¹ŒÎë¨æãŽ7‹Á
-¦ÐÄîʼ SÜ»·k£ÙãúpwdöC|wÙDˆÔ]ƒ™Uä
+xÚ­ZÛrÛ8}÷Wèm誃+/µOÙÄžñT­3{o•É-Qw)Ò#Rv¼•ßn4
+îo>Ü^.c–*øòü·~½:~wwùùþ—‹«{?‹îL9“8…?.>}f‹5Lø— Ê4Ñ‹x`!OS±Ø](-C­¤t=åÅÝÅo~ÀÎ[óé”å´LBˆxÂtBtLÇ%“H&‹X§a$…4¶ËªõåR
+ì/yä˼ÊʼÁ>¬_«lW¬pxZg-½A¶ió=ÚmN}eÙ±¶™`UïžÊ¼Í×hX¡ƒ·î3þü§®rÂvèv›½äëáA1Ð`‰F†™.9S­…ÑÚª…+âÕ‡—¢,©UÕô·¬«G‰í‡œþÒT7‡õ,!g
+,¦âEÌ£PÈ8™´¹G-»0cs•tmΠ­¢ã`Fùº-6¯(ø͵Ö´‚R… ÌXÆ€zCŠ4L’8µ OÃè0ãÈVeÖ4ÃH Î
+õÝ竺Ú#Ñ:ã(:'Ú¡Æ¢ûщ0ez¢?æ£BFÖÐ
+&A½!{ˆH…‚§Þ ܳDãèm•§ÑCÑÒßì¹.ÖÍÀõ«<·ÓZšÌ¿
+2¤£V])±‘¸O‡,í†fM$$z²‰¨×¼ùÓÔ,á#Îã®ål\NZN¥‘Kšê'4HsbLÆ£‘åˆ3'-§•Pßb9ÈÝãX;#Ïðƒat–<h†ƒÒÖ‡ÝÓúár1|Zfeùu¹ÊVÛüë‰ÿ³}1‘Jò(eì'h’IÃp"«T1,1sæ%•¶XΣhnŽ3œc`¡X
+Étg’ïa’—KžZnƆ#r`÷ê2ó¶íß™fë|“Êšœ:!izƒ~mÚig$Š÷yc´¬Ç}àTk"!n?GÓ¦ ÌÅ‚›Mÿ(Df7ÉA3úüG›.¸ó“Èöù¼Åj6wlRi
+<XÌ{^vÚ÷<ʆѾ®ag?éfýØø6/‹Oy™€³ŒÏÏÈ£Æ3ê]D‚GsÕŸùšT‰=D«tèkø&~€¬â•žÌb®ÓÀ çBøÖ¸P_`Ç…Œ‹¦°9•ö=ô{ýê8
+8ÔXAn”„±Ð ¹µc‰sð,—ì²—<0¹ ƒµ=8ã!:«^©asœ¼j陎K =ì²uîÄÐ:·Ôq,ÁÕ]¨ ëG;0ì{d
+L~O
+|Øiì¾/Äñh Åì]€ãÃ!’ê
+uÂþU¬ß¥Y¦RãÀ5goóØ’bǤpvßS[M’MªÂD³y®Qaì‹¿$ =G5XÑå7QMÔ¡¹ô8$•ñÜ<©àÔl% @ŽT˜wµ=±á©•ƒhîKîC:tcŠùÓtÃÇúܤe¨%»lƒcÙÆ<bpÏó
+
+‹ø¹t¶ ›á‡29ÿ>[å'«Tór}•j$wºJÕ|SQ‚˜ïˆzç ãã[Ž‡ƒ­­˜›”ü9·éÙƒÍãf+è"-EΘ® ;m:ê™nÿ÷ï4Hß¡v±£4Ug´s¨±v}',Œ–ôÕ»ËÛfÒ®>«Ÿ·® ‡¬rµY*RÙÔ8+sV×I(q®¬Ú…ÍXÝ¡ìµÕ¤Ë AÅÏHv¨±ä¾Eug8¦ú¢ÿ_e3vLYž«˜ta3vs(T~SšíÉ@Ÿ—ë}$w:Ð{‚¯Qpþ †3ŌӦᩆ³«:—[ua§MãQÞ4ÈàS‡ù(IÒM£G
+¦,äJË3
+:ÔXÁ¾ á-Ñ@Ãi>t …‡`TŒN±>ãø^{CÎÏ¢s[N5cm r×"‡ñ½ˆÒXÿÔóRh$u¼ rw‘ôľ/š§2à ƒ §ƒi›Û#æ’Z&:§YslSÁmÝÚWí6k]Ëvù+2‚†þþ šEµ*k÷ä¿*ªc~2<ƨ©ÇU–ŠjýæÝÏ©$¾n7qŽ¸×Ãz•'¤B†”jæö¬ðÍÍí„D.Ì”Ky¶…Û·"‹ãU\·^â
+2t{rOqõ˜á¨Ç«a3æLá…ƒŠQÌÎÑg6ãµe¯ËûÆÞL½æeû£×HöôÑ«'ü½¯Ãú¥,‹¦í_º[Ÿ‰T•%aš¤Éÿ”«º5ƒi“Ù+s=uüኳ‡MÁN/
+$%Bòs¼ÝA^2µÀ¬,ÖöFØœ‹ëêk½ÙÌÕÿPªð×XßYÿÇdKÄRÏÎσFóëGÌ„Vio‚Wæªj÷®†¿.šcçûÛ»»«wÔ>Zð#Öšð…kҹºjš|em5É1éࢀ®5ÝþàøôàwœÖ¿ï[•¿z{Í›i¾QÇ#Öpü|ƒn¸Á[­çÜÕ„ÛÑ 4³w¯á©ßËAâŽ?r›XGøo§ÿÝ¿¥;þÄüK&ɉœ^²¼/Rh·šûÝUÿ/Ý—endstream
endobj
-1032 0 obj <<
+1329 0 obj <<
/Type /Page
-/Contents 1033 0 R
-/Resources 1031 0 R
+/Contents 1330 0 R
+/Resources 1328 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1011 0 R
+/Parent 1287 0 R
>> endobj
-1034 0 obj <<
-/D [1032 0 R /XYZ 56.6929 794.5015 null]
+1331 0 obj <<
+/D [1329 0 R /XYZ 85.0394 794.5015 null]
>> endobj
-1031 0 obj <<
-/Font << /F37 802 0 R /F41 939 0 R /F53 1029 0 R /F14 740 0 R /F21 714 0 R /F22 737 0 R /F48 953 0 R /F55 1037 0 R >>
+1328 0 obj <<
+/Font << /F37 1026 0 R /F22 961 0 R /F48 1238 0 R /F55 1321 0 R /F21 938 0 R /F41 1218 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1040 0 obj <<
-/Length 3817
+1334 0 obj <<
+/Length 4158
/Filter /FlateDecode
>>
stream
-xÚ­[Y“ã¶~Ÿ_¡·hªVXœ$˜<Ù{Ø“cíìN®²÷#RcŠ‹ÔŽ'•Ÿn\âIãrjkK Ø@>¾npØ‚Â?¶ÐŠP‘ÉEšI¢(S‹õþ†.¶ðî›æhVžh5¤úúþæõ{‘.2’%<YÜosiBµf‹ûâ‡å›o¿úþþÝÇÛWt)ÈíJ%tùá«¿¼³=Ÿà•RË¿{Š7ß}x÷Íß>~u›ÊåýÝwnW)Í$Œ¼>ö»ïßÆ}ºý|ÿÇ›w÷aÃ2*p ?ßüð™.
-Øðo(™V‹'x „e_ìo¤DI!|O}óéæ¯aÂÁ[34&9%4Qš§Ñq>ŒèDèEª2’.Œìªâv%¹¬:üUËÃ-Ó˲?š²
-nÍ:$òN óÛ[6¶‹Ñ–q"%ŸXó˜3øgT ü¸|<ãng„‹«ÞF©¥zœóämÌ#÷E¿’€ˆKù¿2$;ïW.©?äërƼŸx…¯§šóhh©ß5k{´{ëð
-Ø(SÔÇ,òúîC„#D8}vv•Ø'–Õ&pôÐÛt;½3ü|d±úÛÎf]· ¢ÎíÑÎY\Ð\•‚ûÑ×2¯!ÙÍõT&ØwÕvUW]6éºÌ;$]3Þñ¤kÄüÏÈwů¥Ð@³ïlÓ¨]ÂÛŽûOwßØÖOå³#ZVzM_?»®‰XmïÆäV0ݱs¬
-÷q(Á;tˆ[Ïù¶Ë¼ƒo›ñŽû¶ó·Çýã$L̼uñäçcy¨ìaLpªI¦3ý«2p¦NÑÇ  —Xžw
-~móßv³ùìž"¦Ì¸"€ÅИ 1!ÄU†\ghN“³V­3ÂS¡.o1PÍ·8¶êL®d6Þã»&¨áÐ"›’þUwê|ûáÓ§wolû$ƒË¨ÅeÈä,^!Š¦ëÊõª´œb(JÁÊ8&†ÃúZ^wΛ²,&¥¡‡€¬ûðb._¼_Ìã¸ç ½D%Oå£éüå•qS®{puXõbty× Üdev›…‹¦LR
-©WÙXjVcFxŠ38L‘-8„,*µ)vÛ—‡íÂ6>‘•§_ D çl^[Í]Ÿ¬>!
-YBš¦/ÄaèU(Ï2O†P#f‰Ìè©~bª‰±¹°3éà$3Œ,˜gîJ_Í9½Ãgyº#Ç—O¥@+ïºvu{66­1·E¨t2Æ4:õåxc
-hXÂGGï´‘ù"/&Xþ+èµp [ŽürŸ¯mÔ‡GS…ÇÕµǾò»ÉbÕªÕ#ýEƒwªašSØ7–By k>©Ú»š«‚Xà.é§ ˜|;™†{¥šOŽGIÏS…;1å
-H6o‚G[Äg·ªwc‡ÇäR
-ª¬“„O*æC5øhüæ1͉‹0ΕŒ™Î|@LXbú…v“ÅCø”Ѹ]X‘Aà ·]­ýµ9rV¸Ô”^Ë á@Áy¾»öX;I²6
-ø…ˆa2¿ÔðE¸Ò/8ÚŒyý³Y“a~*àØÚ©¡‚3Ó¡”PLâòÇbipúDeË»Þm¶{¯÷‹O4Pr’gt6¯ïd–e¾´cî£?zHB.Ji®IJiäH ·X> f˜¥á~õW iÜ4ÞpØoÍ•Æ“5‘š#œ_¢³ËžR"ÊÃçI^F›?¢³_0Ú¼{óÀÔ>ãÂ_ù„Xƒ è±sô(Žëåþh‚$wån>ÍÃSǵ͢ÝçÆÊNíjeþÐliî†Ë°®Õº.ˆxGwÁ2ಫ 6ZïðÌÿ`Ë`ýîh!ü:ºþ`Õ×ÕOe þȹŒ•ÎI¦™˜XÉôë)”\@v'8{ÉgÜæÔ:þ÷*Ì·:M¹GÊrÉ=×
- ê(@4»Õ“rûèJÚãqeª¸'ËÐq_õd«ÐsO ,ÎE?þÔÚžK¦JdÀ
+xÚÝ[[sãÆ•~Ÿ_¡rmU¨ª!Üw42Ocg<«$;ÎÎ(v9¶k $!5$ àÈJ*ÿ}ÏéÓݸ°)iw߶ôÀF÷A_Îõ;§!~Åà_i“™BWy¡2͸¾Z^±«-Œ½Å=Í2-ÇTßܾúú;™_Ya„¹º½Íe3f-¿ºÝü¼™Ì®a¶øðö?Þ]/…f‹Oï>^k½ø~Üó÷y÷ñíu®·7ßøt½ÌY¡ßþûÛ¿ÜŠççøöûßݼÿë0Ïõ¯·|õî6žb|RÎ$áï¯~þ•]màÀ|Å2YX}õ
+}©½}Wo—ûºëçÇåRör{5žôléHu¾¶£µ¹‚CæŸ.þg\w)Œ\ô»ŠMy¨:j¶wø+å~O·ŸnÞSësõè‰Ö§ãñšÛEÕôûGßÕ6¿0&¶'ØPï]{¤éN_jõˆg†òÑFE^d\ ÇÃâv6žl|'–HU74cU®wÔúRW×…Xdø.JN-Œ†ñ¬ÐZ¸×nÝ¡A÷öÄh­Ú~G­®/ûz g¤çÄ© ×3Zeã»6°ézM·z÷îcÙTÛ¶¯Ë~üb6—yP¤œçY.FÛFTOh[ ŠÚ¶©öU_Sµ½bl&”âž©°Cä~BFJeRJëé~NÌNƒçÚ8Y$$-³혈~óBûùÓ̈Tçܘè‹E–3°ãĉ¥(ø¢¤Ÿmý¥j¨9•ôc¨qçT¡=Й4ºêø¥:¢§dñ ÓìvW£¢Àt› Ìi%&ãÖäS­lZ¯‹åý}P¾¾ýŸ(¥·Ó e°<¿¤i&×™åºxZÓÆT—5-Rá)ÊÍæm“Ò2•gV°ÜË} šÌ â²6/žP1yn<Áz_v]bðŽÖhýÒiMnfª©¿&¦­*¤&b¹«A( ¬¶™³^‚ÔeúiÞGªsæÏ!Ï F¨ ÷ßn@$g¨Õø㸼”¬X<ìê}ENa±áÖµQKñ÷xm§¦©¯ù¢Ùz/*„͸RjîEf›Ž}84fAù÷SM O‚kž»Ö:: Ðïö¬îa‰ûîîßB@*ˆ­½w|¦ZZ~UÑsWõÔç’Õ-¬ jö˜\‹DôLZŽ¹ çÐr¬(:S̘KZ0›d\d kÂÏ®?ÖÍ6ƒdî«uîL;ç wÌÜË;žçÇßíD2¦# À®Ág”žm0ÜW¿õᲧ¾‡ö´÷·Nˆ›º)µó=0¼r€³úÝ“K½ß—ëà‡jj5 Ì?²ÜÅ÷ 9•`@•<×6ržœ&™a
+&¦È‹!”KOj;û^ÃoW~©`pã{ý(š‰,øæ>LZ ÇDÈÜ™Ep»²Û%Ž9õYóÔ‰( ˜×¨Z,´"“I¬- ¸ÅÈ‘aéé¬y&({lÔMŽ¸>>Þ÷íöXÞï£àH˜’+v¶USCø³“¨gCÔ³N’Ôr¸q<4€±%`îÅ»ªIáƲÜXû<ò+ Ÿ—ðN¦/°Ï×#ÿ†ƒA¬Ø~¨š…–óE¾Ø·å&œ­nÈM€¯ÀŸK–Oµ»ˆÑi‚¶½öÚloMš\p7ï|¢¦€¿ÙÓY— 5î«cÑiy×£ŸvMú;‹æ8±‹Ú/Ú•‡û}Êùj™œ§5‰ÛÆ+ž *œ[ð;x ï)è áÕpð„p™gÊÊ üÕonà
+‰µ§È´ogKlª»ò´ïÑü>± h7x
+¼!ôÓÆõb}{æ
+¡ŸæLù2ôafØ·ëø‚òÕ/h¤ Ø`¶©'€@gfFIæ|cj€:Ю»D´y&uÐü¯«~ý5.v [ I¨ :uWX¶Pfª*«ž[‹`L匦¢î;"¼î`rÓD¼(T1plŠ¯Ë”ˆ°e™â¸<¥¢«¥,1#lxs7L~!â©!Àv°~*Ï@ÇFÐ× a:ìh +¦º$T™©\„M<üC ‰­}Û~¦V2¡ÊU¦ ×g"Å2U2sÎYŒ…$Ú#Mþ
+ßÜ|øÃ…ÍgÐ{uªÆDw…³
+{^þBp‚‘ˆ‰!AWóBƒQJŽììŸ4¸bòÈ'¯ÞYãâã´ºWô;ÄÄd¡CC
+ÍÀy‘)NWA4vÜ^Qããhòå˜þgœÍŠ‹ªÖƒÉ› FÎ.9
+œy£YÊ
+ø…ár‘þÒ…ƒª
+m_ Û‚¤¼É->Tqè¶ÐÊXÆ9S"€Å"ÚÄÅ‹ü“£{NÅŠÅMïÛ=‚Ûû-¤ÈÈÙ5p¸8÷䶅i,ç„‚ýeÌùÖ eÌðçD’3–‰[-•k¬y2ý¿¹b\*üðƒ.ÆÝ—Ö$*¹ ?c‹§]àÀúX3<ºkñ†ÛAuN™c¼«÷Ÿ—à3nüuH‰-U«<Žvq8¹()|AE¸².þ|)÷õ†š›öP:{*šÚÌÚÓvGÝuO¤MUù——á|ëþ䋲£Uv5¤ÀŽAëÊü ÂúÝÉ¥R†}ÄKmxy_®Rð!T‚Í*+,—3+™$‘0 Ã[|Í‘|(ðâߦ? \Æ—ã)Ï/+8w.Ì+?¡Æ“ÏÜY'u¥’ƒÀ É—«Òþ¬@ÿý¬?c…à  ÜEwþÐRÏS@¦2*Br¿màoR·u†Kêb¶%uL1©©R!UpBŒ>¾
+-Ó;òYû°—ÉÇ…Ñ…ÛöL°ÂJšRñ¼L‚ã0±,í—àãÀ%|àîÓI)˜OÕ°ƒrl¹â2’ ©~ .äEˆf±ø‘¿
+(s^ŒÜš±üG@aÍ\@áDœŽ %qÆvMŽî>6uMhx1å¾ä9 yPëzZêXùwÔb¯áçj|‰öàé.ÒMé+>pF8´M€ðõì³… ÅÇ,*ænØ ¨K²¢˜ñcò]M¸xò }ü-²ìîq–èŒVš‚xPV?{o>ç,?£['ŸŸ6p–dmž’ž2Méjý£ÂØÛɇ>äÏë¦>¸ ÜKuÄ›±[÷¿dí]êcæjà¶xTK÷ rà¿âÓ?ÝvÃç¹ø¾‰ áë«7©
+û“_ì7³JòéÌÿzséÿP¤ÎðŸG,nòÿü?*Ã¿î ¨²V\øÌ#·ø1• ›Âsq¶sÎ2!¥žoý¿EË: endstream
endobj
-1039 0 obj <<
+1333 0 obj <<
/Type /Page
-/Contents 1040 0 R
-/Resources 1038 0 R
+/Contents 1334 0 R
+/Resources 1332 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1011 0 R
-/Annots [ 1042 0 R ]
+/Parent 1337 0 R
+/Annots [ 1336 0 R ]
>> endobj
-1042 0 obj <<
+1336 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [120.1376 238.8931 176.3563 248.1085]
+/Rect [91.7912 411.2559 148.0099 420.4713]
/Subtype /Link
/A << /S /GoTo /D (controls_statement_definition_and_usage) >>
>> endobj
-1041 0 obj <<
-/D [1039 0 R /XYZ 85.0394 794.5015 null]
+1335 0 obj <<
+/D [1333 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-1038 0 obj <<
-/Font << /F37 802 0 R /F22 737 0 R /F21 714 0 R /F48 953 0 R /F41 939 0 R /F55 1037 0 R >>
+1332 0 obj <<
+/Font << /F37 1026 0 R /F48 1238 0 R /F22 961 0 R /F21 938 0 R /F55 1321 0 R /F53 1313 0 R /F41 1218 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1046 0 obj <<
-/Length 2216
+1341 0 obj <<
+/Length 1558
/Filter /FlateDecode
>>
stream
-xÚÝY[oÛ8~ϯ0û`Ë‹(’;Omf2‹I;‰ÛÝÎ ER¡²äµäfƒÅü÷9¼É’L'Ál°,ü ’"Ïå;7™Ì0üÈŒ'(QTÍ„ŠDŽϲõ ž­àÝù q{"¿)îz»<yýŽ‰™B*¡Ély; %–’Ì–ùÏs†Z
-6>ÔÕCÆý¶.í
-g?¦Yl›¬„%Í*UF>XþR<Øy^h¾kÃ8¬ïZ+ »0OŠ#"s·i:‡ãR¡ƒÝŠF¼8ÁÀCµ‘0sF²\Þ7ÆLy
-*•¦/3¸Öƒî¾±ƒ¬JwmÑþ5t#eˆb,·‘Æ5iE1(Vˆ±çnšmwÄæDy›ƒFIŽh
-‹Z‰tZArx5ºTH¿ycq»Ú¦k{ƒkùT¢aùµ¨Kß•Á;×怡ìŽ4d"`Òþ™c1fÁ{¶ûT i뛚Ý+]È+‡,}iÕ6V_Œ%(¦dâ$yÙnªTsL¨óÂ@×c¶›¦Î]#9­VH@öÕJï•òZB­B]’¹2íìÀ¼]ª “K`ÉD5X‚¿_è<ðpsâò£JTPUs¹¯•µþÞT]±­¡ŽùZ€í!q¬ÊÀú1ñXe–ÑaýgC_j|†fÎEi€E¹÷vî Iß.ï6¾]>Ô„ŽCI_ª0…Šƒ[¦XVÌuã.\7¹®`o“TåÏQ{BM’¾åéú,Žz¥õÖ͆š[
-¼WvŸ-~ gm¶-olD枟þ¶Q†Ôäoª…ò/´u¾ûˆhEÚ>7ø G» ({Gþ¢#Z°Éä¬ï]­…¦éb?4®bÞ¨»õœlÂÌ@>É'ì”çc µ£Øsh¹¡?1Ih^¦ˆ&PC`)öŸ ‡ZT )äLáPÊ=]_œ÷ñÃTKD@J`ËâÇdO2ÀåØŒ "Ú7FlžšáFqÔMºŒ–‡¢0abñÂ9ûâuÂJž‚G¤mq€·*BÔ *’)† ÈýgäÿC‚H8Àœ “ÄxyvõÃqï)¾€§L†ñ;äòÙøͪÂÊ>zôÿ.»ã
-žÍ¤da8@ïµ£3°в=¡fúÿý¶ó¿=q5[endstream
+xÚÝXKoÛF¾ëWðЃ„ë}?š“8‰ÔIm¥(#ÒŠtE:®Qä¿w–³¤(ŠnÜÔ(‚Bícfvvæ›Ç’E~,²ŠPáddœ$Š2­63]ÁÞ‹ 4qG©~XÎŽž 9â4×Ñòr Ëj-‹–é»ù³—Ço–'狘+:d+MçgÇ?žàÊl)5ÿ¹£xöúìùé‹·çÇ #çËÓ×g‹ØP'ó˼¯ßœìø.ï—¯f'ËþÛ2*ü~Ÿ½{O£.üjF‰pVE·0¡„9Ç£ÍL*A”¢[)f³ŸzƒÝ–uÊrJX¢,7¦“l`:Fa,ud”#ZpÑš®ºnòª¬±¦tþ§¿Oıָ(fŒ8¥xK—f—ÉMÑÄu¶ý”m‘œqC(üØÓ–Ns|ÌîÀtè·eºú ¦HÎAW~n7žs>ÐœbÛ’,×yÎø•R^dOp’_†ÿ²n’¢ÈRœ&5
+™‚GÁA´•x”5«#¯YUåå„Vm5äáÀÛê¦è)Šê‡Í:ÃÁªÚl’2ý~âø˜Yp”Õ
+F†8¾ór¿ ¤v@ªˆ3F‡ƒ½ŠhúmVTI:¡i‚`´XSJFJe™­œt‹½qz]mSp‹ÀŸÜÔYà^‡A™l¨ƒÆPøvÁì¼ÕÕÍ2ô’—ùwÜU9:¤¨VI±2„Ë&Y­ó2Xü6Ããp¶]ØùMYæåUØÍ›5Ž.+ï®~¬Ò´ŒUp
+E¶­ ÖUÝ<Åùgüƒxª÷èvQ†d!Ú #F°lè{V þ¯“óeØHÁP¹÷O;Åp±3úv*-%œs6ø(§
+&‰6|JQ"™¶ɪœ8ƒÉœ÷ã¡ÈÄ) †4iOåUô÷;4Zmx WD+f÷£ü¼¥3-ÂQÚð`eÁ(B ŒûÄt••GkA¸±2_#’¯¶ÉO¸Í ï§=P?ee)îpo…ñ~BŠdÊC  ÓZ”¹/K*MŒ%&g<È;¿=ᮺD ¨óðaó·“¢®ÐdBh"9ENš××Eâ•f<$&à>[Ô¿¾®ÊÔ›ôÐ’Œi€rgÉ>Tu‡ª…ë‡ØmL<ôÇ¥2k ,µ©V’t·0aF f |ŸöÒ{ÍèˆÝc©5ÑqÑdÛ2iòOx1U-þ—ÜÈ}‹¡ž>¹uaŠép
+lŠΧ°ÖòÅÉ„Šê!í=ÝZÀG|býæ:¤ˆ CøÔ¨Âi:¤ ècbŒ¦6ó„TVáÀM•æ—w§YH´Ž«‡˜]sÂ}´#iÒô•ôFë- uVRF„ ±P„1ª[6ßBòE ý´ŽùU™L‚ͧX ½“ؾfÛ&É[{³ùÛ³Ó_pT~˜ð¾ôÂzè0XW<=iW<ýv…Mò±Û½ÎV¹7à
+çɪíùž ]RãjšÕ«mþû&(Ôåè´½ªéÅ(22Õø-×Y<5¸Â
+ 48ûžÂ)(¼wà½AS
+²ð™ÏÄ»O†Ù@ù¿
endobj
-1045 0 obj <<
+1340 0 obj <<
/Type /Page
-/Contents 1046 0 R
-/Resources 1044 0 R
+/Contents 1341 0 R
+/Resources 1339 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1011 0 R
+/Parent 1337 0 R
>> endobj
-1047 0 obj <<
-/D [1045 0 R /XYZ 56.6929 794.5015 null]
+1342 0 obj <<
+/D [1340 0 R /XYZ 85.0394 794.5015 null]
>> endobj
126 0 obj <<
-/D [1045 0 R /XYZ 56.6929 341.1394 null]
+/D [1340 0 R /XYZ 85.0394 490.579 null]
>> endobj
-1048 0 obj <<
-/D [1045 0 R /XYZ 56.6929 313.8349 null]
+1343 0 obj <<
+/D [1340 0 R /XYZ 85.0394 463.2745 null]
>> endobj
-1049 0 obj <<
-/D [1045 0 R /XYZ 56.6929 284.3175 null]
+1344 0 obj <<
+/D [1340 0 R /XYZ 85.0394 433.7571 null]
>> endobj
-1050 0 obj <<
-/D [1045 0 R /XYZ 56.6929 272.3624 null]
+1345 0 obj <<
+/D [1340 0 R /XYZ 85.0394 421.802 null]
>> endobj
-1044 0 obj <<
-/Font << /F37 802 0 R /F22 737 0 R /F48 953 0 R /F21 714 0 R /F41 939 0 R >>
+1339 0 obj <<
+/Font << /F37 1026 0 R /F41 1218 0 R /F22 961 0 R /F48 1238 0 R /F21 938 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1054 0 obj <<
-/Length 2369
+1348 0 obj <<
+/Length 69
/Filter /FlateDecode
>>
stream
-xÚ¥XKsã6¾ûWè¶TÕÁ‹
-D%턱 -¸îBYt.xj(´:þÆ©ò|"¥u# Lüá£èªW~ãž~ÁÂa¤kƦ=Ÿâò¤ñTtÞôÀ¢)sðjA/á]ÞÁmrèIújº}:£“Šûþ<‰Ž¼bÆî,µý–Îa„–½"–NÕH8 QÕCyjŽ“
-Wþóæ×ßù¦ýü|Ùʳtó>8Fh¹9Üh!Yž§:Œ´7·7ÿ‰Â2ÅŒOÖyÑ>¼<v,Yí‚t;¥9ÜL-,/»ßäˆ/¼YSRÓ›ý0Óqj´Ë4g),ð:þe»3"¹ƒÿ2y{©à©ˆ¦ ¦&ܽÒÍŸÁ¸ÎsE‹f´»ë¤7ðÝûƒÜ¼éáF›Ù¥ãÝœ³»”‘ дŒ[ d€5)÷¹:A–¹X?-·ÒV¦df“¯[àÞ;,(‹Îo€MÔ}=ca§° C£_ÒrœVN÷+Ò«QsP3
-ŸRéÄëÂ-|ÔøAWv8qùššéW5#ý¶}Q9Í
-¤B$·ø@÷OM÷°¦)y/—±Ðññ–
-­a­ ƒE9×ܪ``M¾6ãÿP}@’ ±ŒÐ.ˆ`•\?ô³â.ëîðÐ(yâ><¨b,ó)@+Ã6õáÕ5«þ ±Ÿg1»þ¦?¦,µS%ºêà‚e&ÕóÁ@D1f3¯kXJZ¾qÀÔ2B‹5xy-
-@ ¿Ž† ci:†/†a|n þy›Ö³ÐçÙ­Ý ÜìÔ|õ—9¨ßCðË0åº;E9­š‡[˜Ô€»ˆ%ÁÕë¿Žà“wëx- ½³’À±:AÕ¡†—2ô@eì‚Æ0öG>u! b jŸÉ°øœÒ‹].õ eŠí¼ª¦azцB­‰ý­4«)1™"—Û͆Ñ÷¹*š¤ÈhB+ÎL½MX<»‹ñwÁ¨--\—̆=3?†>¶jܹ㠕”$Šw:¸÷$ Ñ:@y¬»‹i<üä
->H±”ôu€;ŠON«@bî„×yæ­ƒ˜åà`~Ƥ`ë'š‹7Ià‹iŒ»ŽöyzÞñX‡4
-†}Ó(OënˆÝ"½ì'BMmMˆ©ìn-àaï8E¡s“x
+xÚ3T0
endobj
-1053 0 obj <<
+1347 0 obj <<
/Type /Page
-/Contents 1054 0 R
-/Resources 1052 0 R
+/Contents 1348 0 R
+/Resources 1346 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1068 0 R
-/Annots [ 1058 0 R 1059 0 R ]
+/Parent 1337 0 R
>> endobj
-1051 0 obj <<
+1349 0 obj <<
+/D [1347 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+1346 0 obj <<
+/ProcSet [ /PDF ]
+>> endobj
+1353 0 obj <<
+/Length 2407
+/Filter /FlateDecode
+>>
+stream
+xÚ¥YKÛ8¾÷¯ðme RÄ·¸{ÚÍ ™:Øtïa03Z’»…±%Ç’“éüú­b‘²d«Ó ÄY,Ö‹U_±Ù*‡lU¨,V®Œ•™Ê™Z•û›|õ
+ «©E¦
+nVé”Éîo^¿çlÅóLk®V÷Ûñ,mT¦ )V÷կɛGwêã:å*Oäú÷ûŸh›ÌLanËá›å’I¿áßÕW×–uE;ÞÞÞÑà}í†Ó±îGLfBj8h“å $C2cë”åyžÜvC³}
+[øÊfVsv‘I%éLŠ:¹ýtÿñý/4nzü5‰£Ï}]>º¶é÷ô9<º!¬ïvÝ·>¹Þ+‹ã¾>~­aa舸%‰‹º‰´;÷µ¾Úf’nK“xôC}ÁË¡b¨
+c™UŠ{U¾wmý äB%•\´¹J>¶4u\³"©ûC×ö5Í 7üu£eÏfb\g‚™AÞÁ:×æ”,ÓR˜@¶õ‡tûÈ×ÿDËà˜T\™¼Â‰-VÈ8üÖìv4*ëò¹°}¥÷nÀQ3­ÑzMô¢‘Rb5H0ó’Ò¹]h5¡×ñw\*OG2Z;ÐÄ™?|¸¶z6né<gÚfhÜø¸Ë“†£kû-Ù!‹®ä,c… ¨|ßatä&Ùw$}5í¶;îÝàeÀ ·éN 1ܨ@g.ÍKn69ÌÙ+béMoTu_›ÃY
+W6©BpÂ
+¢I[ÃäÚ91Àáh‰(ü3Ò§Ó ×6¹æ;sªœc®D*°Z̺rM yIˆ N(‚ϱEr¿þPé´1ò/¤P#sÈ”B‡®ìv¤™ÏKàÂþP—ÍoyΡBúÌ&´«z^šŸ>¿Cf­Î.Í2Fã™Ö Ê_n~ý=_U`ŸŸnòLØB­¾ÁGž¾Úß ­µJÆ™ÝÍÝÍGŽÂ
+‘éœéçyѾx…!íP¬Ò(]*8à1÷Ȩìve1¿Àª°6“¹¥;{;±±ÒÒ# –gJðèŠOëT³äþçÉ»KË
+SDôçÃÃ@x´»'¡w˜+ "1f¼ù¤È,Üì£ù™0Ž–ïé3€>5áwâ„K¤`Á.ä›&‘¿——0*«í* {ÿvÖœ¦º3±ž¶X“N'ÒqåZ±ÐïðÐï¼}W6%eüÿ*Ÿ/7?ã&mã&?ö%~ýìëá±C
+ƒ·¡Å/øx#}o›žž‹$ͳ"·± z_?ǘ«ŒÉoˆazèvM¹„0Ò(SØ@]î|›‹=Ój(íjØåQï5k€cy!£~ý€rP• Œâv^RöÐ÷]8ƒ
+×j ¤‡
+΄£Màõ¿|ŒÜHÖôA-08×I@t98ÔÌÁˆÏùMã혽B†·Ã³å `æp„²Þ"°q—o—^ÇãsÇM´^„ |UÀ1øXžÆÛŒØ<âr“ü–«üû¦GŒ—¼{÷Ö-m»ðhŽ|€Jä¹ùç_4’ÏŸï>~xEë·°•z…)AÃK,¹pÝ׶½ÿ¬&TdÍ9³à¤Õ‚w:|d…êäÛ£dZK&œÈªVŸ±*Œ£_KSÐ=5m8#<ÌÁ,–JÍ#D±”îI—€-`ñcóÝÓ|Ä—×Ç:—üK³›”Œ üs
+ý1àÖº@TÿyÀp.ª…aGØ…~æII¨L>óznvFš¥Â¦ˆBE D¨3SÏ>º^÷µµ^endstream
+endobj
+1352 0 obj <<
+/Type /Page
+/Contents 1353 0 R
+/Resources 1351 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1337 0 R
+/Annots [ 1357 0 R 1358 0 R 1366 0 R ]
+>> endobj
+1350 0 obj <<
/Type /XObject
/Subtype /Form
/FormType 1
/PTEX.FileName (/usr/local/share/db2latex/xsl/figures/note.pdf)
/PTEX.PageNumber 1
-/PTEX.InfoDict 1069 0 R
+/PTEX.InfoDict 1367 0 R
/Matrix [1.00000000 0.00000000 0.00000000 1.00000000 0.00000000 0.00000000]
/BBox [0.00000000 0.00000000 27.00000000 27.00000000]
/Resources <<
/ProcSet [ /PDF ]
/ExtGState <<
-/R4 1070 0 R
+/R4 1368 0 R
>>>>
-/Length 1071 0 R
+/Length 1369 0 R
/Filter /FlateDecode
>>
stream
@@ -4195,12 +5056,12 @@ qª„Ñ«ò^ÿï>‹«>÷— .13×…Óƒ!¶3¢SËAÕ”ih¥Å¨Š^…(€<Îm䦽ªšÛÆlLÊâ³ò7Ù
n*Œ1½÷¨¾x¥Æˆpîâ‹&XîÃœ§³±è\íD¤ßä0}#XŒûž˜‹¸À>#^V°¡|2Îi‰9ÊÎr)`˜¢Xh¡Ò& „hb—H°Œe"Ãê
þrÓGçX5¾ûû8‡´ÕªOª«t–Ô³$Ây°‰—BÒ›ÀÄ5©/¨vp÷o`kA“ôr ±ñœÓ4N.4Žæ
endobj
-1069 0 obj
+1367 0 obj
<<
/Producer (AFPL Ghostscript 6.50)
>>
endobj
-1070 0 obj
+1368 0 obj
<<
/Type /ExtGState
/Name /R4
@@ -4210,669 +5071,1186 @@ endobj
/SA true
>>
endobj
-1071 0 obj
+1369 0 obj
1049
endobj
-1058 0 obj <<
+1357 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [470.3398 477.3512 539.579 489.4108]
+/Rect [470.3398 467.2776 539.579 479.3373]
/Subtype /Link
/A << /S /GoTo /D (boolean_options) >>
>> endobj
-1059 0 obj <<
+1358 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [316.7164 465.396 385.3363 477.4557]
+/Rect [316.7164 455.3224 385.3363 467.3821]
/Subtype /Link
/A << /S /GoTo /D (zone_transfers) >>
>> endobj
-1055 0 obj <<
-/D [1053 0 R /XYZ 85.0394 794.5015 null]
+1366 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [304.6433 163.6578 373.3153 175.7175]
+/Subtype /Link
+/A << /S /GoTo /D (dynamic_update_policies) >>
+>> endobj
+1354 0 obj <<
+/D [1352 0 R /XYZ 85.0394 794.5015 null]
>> endobj
130 0 obj <<
-/D [1053 0 R /XYZ 85.0394 769.5949 null]
+/D [1352 0 R /XYZ 85.0394 769.5949 null]
>> endobj
-1056 0 obj <<
-/D [1053 0 R /XYZ 85.0394 580.0302 null]
+1355 0 obj <<
+/D [1352 0 R /XYZ 85.0394 576.3463 null]
>> endobj
134 0 obj <<
-/D [1053 0 R /XYZ 85.0394 580.0302 null]
+/D [1352 0 R /XYZ 85.0394 576.3463 null]
>> endobj
-1057 0 obj <<
-/D [1053 0 R /XYZ 85.0394 539.9341 null]
+1356 0 obj <<
+/D [1352 0 R /XYZ 85.0394 533.5444 null]
>> endobj
138 0 obj <<
-/D [1053 0 R /XYZ 85.0394 315.9171 null]
->> endobj
-1066 0 obj <<
-/D [1053 0 R /XYZ 85.0394 282.0038 null]
->> endobj
-142 0 obj <<
-/D [1053 0 R /XYZ 85.0394 146.7217 null]
+/D [1352 0 R /XYZ 85.0394 299.6823 null]
>> endobj
-1067 0 obj <<
-/D [1053 0 R /XYZ 85.0394 117.3479 null]
+1365 0 obj <<
+/D [1352 0 R /XYZ 85.0394 263.0631 null]
>> endobj
-1052 0 obj <<
-/Font << /F21 714 0 R /F22 737 0 R /F62 1062 0 R /F63 1065 0 R /F41 939 0 R >>
-/XObject << /Im2 1051 0 R >>
+1351 0 obj <<
+/Font << /F21 938 0 R /F22 961 0 R /F62 1361 0 R /F63 1364 0 R /F48 1238 0 R /F41 1218 0 R >>
+/XObject << /Im2 1350 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1076 0 obj <<
-/Length 3362
-/Filter /FlateDecode
->>
-stream
-xÚ¥ZYsã6~÷¯ÐÛÒU#†ÄA»OÎŒ½™Ô®“µµGåx IÊb†"‘´FùõÛnð8IÕn¹\ÄÑh
-„÷Rdiß2³n—ò§¦¯rbøâ:›†
-mÕœ˜jWÔTJ—vS¥ÇÛ0ö^‘Hœ< d÷ßQ\PÙZââ×ä ›A5öië¶+ÒV,¤ba‹ØÃC›óË‹*=;~/g7 }í!À7ÔôÝ—uß­å*Aa`WeýJ}iž—Ušù¾ÈŠiÙ-­‚ØÂ7ýd×e¼C•f…]ºô>ôGf»…›aá±w°{n²¢¥u€”iÝ– " …à©X½¡ôÂ"ÈHf°šÛÐËU·›MŸAiÑZÜÎW*œ˜—hV`©voþ/õ‰ˆf6¸vT³Në|a˜øÆÈx`øòi¡~‚HCDi…Òëëœt7ô»³¼¬Óã™T,+mSÖïÛ.­3{r¨°K§¿, D JKòÙ7oV+&*²tÐ8è8&vælžgÀmR{Z[}
-««³æxhŽiW¸êŠ,“<`
-ûý.­_¯'cñö× ˆš=Ÿ lsO6L5V)0Q+ÙÔÖz·Å‘ç üsË'—%meÓ2e
-ÖŸr_"tÚÊ)uP¸°!r‚Z+À€fëŸôþ™¶¥vÐgr)Ð zºg©Ù~ | 鶩mGö §ÎšáLxðdÛ’}´¾ö)H§+ˆD=ZÐt°©H95Þ¾±Çœ8}Í ¡>ñlà‡†ð熚»]CM–•¦&§i¼« GíGNƒWV Ë|6úd'aÓ€
-×s¼j”§È-´òM:è>Ö9ÏÖvÍaĕ𥠇ô„
-ñbÙÁuoÕåÝô4a̶½;Ð^7ïuˆ‡èKÍñÓŸûcí}(Ûô¥Z<Ça% ‚ÈdH‚ÆF»
-ƒ8(°Dæ´e\¡¶.sº‰TîOKDˆKIÂh !ª¥¥D>ä Š‰œžã F€[…Ð!N0#¸·Ð³çžœwKÞ@ˆÑ>ex÷99¹ ­ <g”¡÷´lDb¢¹ Xvéiá”ñu˜?8†ÈÅ`Wä&]pR5i~±`Òÿürõ„»ÃÀuQª¹FùA„_Pщ¯õ‡M‡pl
-¤ ÕÖÂ¥Ñ.O½]‡Àbïì8sv? À³±¶6÷x³DõZ0T¾B1ñ_ñ’[ˆ‹ÃÁ­Rû<Æ6è®Ék!F¦T%„†Â¶a&mÅøpÈÅm‚‹)ë¡4 ƒ<ÓwKÐPRÆ‚2Ñ ã"Çš¡8šN£]ðÍ …rt¢ÚŠµ’öùÚCPébû0ž"ÂC‘•¨ôät#5´÷ôðž w×–sä=Åå½€Š4d÷:Z)„úHÙ :¯+*<MRú~=pÒ_óE©ýø=mä
-Dø±ÃbØp±Ÿø-˜ß‰>a£ ”J§Ô¦SZ¾¸™±™® +`ŸŠ”:cPÁµqÍÈgtA„U6…Çl¬fÖ[ÇÇ#¼XÇÂ쪤òÅ€pCR–ÍÛÞ†*R9„® ”@;‚äƒ$_œ0`H:DÂ*f7ÍŒrH°ežl°ë`UàÚ]Jû&P.Â(?Sö´Þ›ý:>PE˜°/8„ H»²lÙ¬Tä+\Äm1d‡„ijØ"¡™Óyq¶Ðø `è<^…\>V ö‘lØ–[þÒ§­ ‡“}G—zdÁ"hÁØï®#a@×ûCGº ”eNPàƒÁ¦r·–˜”L^ò¤ÅçCUfeGטÒË)2Í©öVò¢8÷¾8&‚D¢¼fk»µ »¸sîÃð(d˜ø&BÖ‹5öÂA9Ð`7ˆ-ௗ”
-mþWÅѾŒÃI`ÅŠ 'Ü7}bо4}G”$EBiCNõõ´w·k$ëÅñ\-ó¢ÍŽ%Ëaš¶-Ÿ„ùé$¾8ˆ/[k?
-‡+«\¶ýG“hãK­\nÀwJ×ìÁ£…Qäl¦í
-Ø ]ð)^kÚâ1-¯¦2¤×´.cÂV÷<
-V%½7ICMŒ°ø2‚ôE‡øgôô¸±×ê(|ÛfÏ-yñB0K¹×ƒ±7ãÝΆjPiøkoïšÄ2å
-Ž‘ƒ#¬0APâ/mìãhe‘f{Œ.Qª"ýÔR‘àÙÑwooŒ±§ÂDâX·‡•¢3ža™Ø)BâÂe¤øœâ­>?¡BÙ;2··‹XjÓ··E[Æ'žfŸ€3ŸŽNìƒ
-ø˜Þd=@Žvq÷Œ9'á5Æá‚'€½p¼øÆ Ö‹ÊÈ€fÏGî±oÝ’»ØwÇ m²Z-=gÍ4êðlþå8 /“ãÔ;NÿK¿‘ÚÇ},Ü·À?ŸëÿýÛ’ñ8
-ÂÜ8Ë7ÂľŠ /
-ª«•»¡\/ý¿]ñƒðendstream
+1374 0 obj <<
+/Length 3442
+/Filter /FlateDecode
+>>
+stream
+xÚ¥ËrãÆñ®¯à-PÕf0˜Ar’w¥X®Dv$åQ¶÷0@^  P\íק{º
+öV%Åü{zúÝ Æ«~ñJ¥aš‰l¥³$TQ¬Vùî"Z=ÃÚ_/bÞ³ö›ÖÓ]ß>^|s#õ* ³T¤«ÇÍ– #câÕcñs„2¼Qp{÷þþúï×w—: ®þv¹*
+~úáîšz÷Ww7×÷4ü%RÑínî¡/×R'"xÿÝÕ×÷´ž0Ô«ÿºŒã8¸º{ý–>Ü1Œ›ë+¼ëñŸ÷×—¿¿¸~5}xI|Ño?ŒV¼ÿû‹(”™Q« ¢0Î2±Ú]$J†*‘ÒÏÔÿ
+Ž@Õ¦.»Ž†Ý¾Ì+\'^"Ö±Qa¦AžgÔh{‡ª(Ê'þŠž¸~Å—dF$óQðT5öÀôDÛž—›‚‘ڶǚûMË«O ´,*2èïlstx£™
+fa¢#å°&$S=ŠôO•SRèÙºk©×æ¹Eþ±Hã®CÕóa´˜¿‘ÇÝ[²œ¸Ò{øy»Û×e?Œ‡¾cØ›³Í$Ï ˜O©!¦ÃL庥É8‘Ê+p&ßÍ Sh\Ú(Wp©{]vÓ;rÀZió-ï  ÉwÀìH
+M§œìW ’bb0JjjþyoGó Ïì†!¼B‡M>R±þÀì蔇J2ز?Ÿ:å¢1><y¶ô~^ÏG ÔéK'QŽd¬uÉ|Ä›é`×:6g^^s2Ù4¤†mch+àÏ5M÷Û–,Ä4ІAÛÓÔÁ› GéÏ&au1Ñ|vúä”'cÕ€ 0¶G¾há‰1÷b<JÐ4Ì"ö r1áâô„ÆœŸsºÃÛ9»wø•Ã¥SËFyj¹…JBˆg½é>4ß)É~Áˆ'"”2ʼ¥'Û£L蹨Þâ[Œ^Û#u¶öÑ3ìAafGÔLù¿li÷H3„Xîð$b|7å&œÙ´£w‡½ƒ×-Žƒ8˜!zÄ^{øôg°ýFªÎ>Õ‹|0Œ† #hD'Ø!<q‰²Á·¤SHsÑ3ÒãÑÍ¡,¿p~ªÔ´t„à3ðåºYac8°DàôdÄ‹¬Î.súˆ8òiçR¨dqúÕ<(ËD›¼œã F€[‰1æúS¿:$‰Bx÷$€ßy!&i/dù×9¹É^xÎvÆÁý²DÀˆL§spàìi ‰•‰ôW؆±ôŠÜ¤NêÖg“üçØ“Ý®Ëf͵ÐIEQü;":ñµáðèØ–¤‚‹‰
+“ÞÍ(.šÜ‚Û9»ŸÃóètmîñf%¨ÅšŠŒÂL9ñ_fÉ­šÁÄ™xp«4?/sá +tßæ-Ÿu&NZ’…6.-¥NW³ý‰8äâdm¢³+ÙÖCod lzÚwK¦¡¢Œ…J4dÆS´xG¨¡Z4¹F©±ÂT¨¦%!$ÅPÖá9$õΞ?TyÔX˜×’Tpóž&â,Sr<”åyÅ/IUg*]I ¶<RÖÞhñð¼¢Îý¤X7ì_OP±næ8ÞÀEªýü#=dîÚ[„È„*rÎdBÞH
+råE÷ñé8J
+‘ŽP éuñ¶Xƒïz¯B.o%óòT:ìú·Ôt5¤àÀÙwTÔ# ©@ Æu_Ž„}_îö= ¨(Êœ ÃŒÁ)_Á o¯øÒòó¾®òª§2¦
+ŠL ½TŒçÞglJb ¨CTƒe¶®_û°‹窬\ aj3„2,`î©à µ79ZÑq<à[”2°«BéÿUpT(M< lS“ââ…»v°Z1˜°Oí±§DE²Òšœê;ZéJ>î«keë376EÙ凊é0MÛ–9O«Ìœ1âwˆ­T˜ÆC‚•×>ÛþÚ%J‡R%>7àšÒ[ð‹Åiêu¦ëÁÚb
+ž|G“Œ…–œ4hv—š ·Æx©`ð›‘"ìÓ:ÕsÃ+CiqéÛœÇBýKjH늾7I CC“lañËî/{´ZMÙ«NF¡íÚÏåET
+endstream
endobj
-1075 0 obj <<
+1373 0 obj <<
/Type /Page
-/Contents 1076 0 R
-/Resources 1074 0 R
+/Contents 1374 0 R
+/Resources 1372 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1068 0 R
-/Annots [ 1079 0 R 1080 0 R ]
+/Parent 1337 0 R
+/Annots [ 1378 0 R 1379 0 R ]
>> endobj
-1079 0 obj <<
+1378 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [464.1993 438.5589 511.2325 450.6185]
+/Rect [464.1993 375.6003 511.2325 387.6599]
/Subtype /Link
/A << /S /GoTo /D (proposed_standards) >>
>> endobj
-1080 0 obj <<
+1379 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [55.6967 427.6199 105.4 438.6633]
+/Rect [55.6967 364.6613 105.4 375.7047]
/Subtype /Link
/A << /S /GoTo /D (proposed_standards) >>
>> endobj
-1077 0 obj <<
-/D [1075 0 R /XYZ 56.6929 794.5015 null]
+1375 0 obj <<
+/D [1373 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+142 0 obj <<
+/D [1373 0 R /XYZ 56.6929 769.5949 null]
+>> endobj
+1376 0 obj <<
+/D [1373 0 R /XYZ 56.6929 748.7225 null]
>> endobj
146 0 obj <<
-/D [1075 0 R /XYZ 56.6929 513.3809 null]
+/D [1373 0 R /XYZ 56.6929 444.9381 null]
>> endobj
-1078 0 obj <<
-/D [1075 0 R /XYZ 56.6929 474.5196 null]
+1377 0 obj <<
+/D [1373 0 R /XYZ 56.6929 409.3397 null]
>> endobj
150 0 obj <<
-/D [1075 0 R /XYZ 56.6929 287.3173 null]
+/D [1373 0 R /XYZ 56.6929 234.0098 null]
>> endobj
-1081 0 obj <<
-/D [1075 0 R /XYZ 56.6929 246.2466 null]
+1380 0 obj <<
+/D [1373 0 R /XYZ 56.6929 196.2021 null]
>> endobj
-1074 0 obj <<
-/Font << /F37 802 0 R /F22 737 0 R /F41 939 0 R /F21 714 0 R /F55 1037 0 R /F48 953 0 R /F39 899 0 R >>
+1372 0 obj <<
+/Font << /F37 1026 0 R /F21 938 0 R /F22 961 0 R /F41 1218 0 R /F55 1321 0 R /F48 1238 0 R /F39 1161 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1085 0 obj <<
-/Length 3173
+1384 0 obj <<
+/Length 3163
/Filter /FlateDecode
>>
stream
-xÚå]sãÆíÝ¿Bo¡3'v¿¹LŸ®9§¹Lr¹äÜ6Ó$3¥%Þ™=™TDÚ:ç×Xì’KŠ’ìfúÔуö°
-ú[5w—<Ùµ_®‹»rMeaäøÎr ¨£çìÅå„‘¼®Wé N¯÷üÂ4# X€d*yЖ„6E®fðé4ÓR ø8ñ|[„Õå®ØÐdÕì¶Í®èJj«®ô`ÝmÑ…'JZ+j$b":Wz±ì´ªº+w5b™Nê²Û7»4ÙWÝ-v—Ü&e[î@‚nåµ{¬D­e&yë
-–³/êÕ+ò¤¢´†Ë«MUö0Èþß”JLÇ;^›ÍæÁƒ
-ÀíÛ¦íð®x|N]Ã㽺-êéÈ…ì+p=RÙ4Y²-wáqŒJÀ'>·@ºÏgŒH®Ã2\aRlÚ†FA"0¬úÁ ˜EGÜy€Î?ì/"\­ÊÖíÚ~wUªçl+PX6õæ‘´Ž†ÙNM¦ âÞ®šnÖ€zàÍÆÛ#I`lœ½yE·t0Ö´çr°¯×(YÎð"
- ¶z[­n=Þ0,y¨-¹ÍOÎGÍÖ!šÚתð.¬+6Çîè¦q}©SP}]UOl üëœeÑ¥Ô£›3¯`œØ MX¾ñÀ«¦þ…1ñážÎ¾¦UgŽðÿ¾ÙíI*kBP„ç»/wUélÓ*t9å¶íôæ¯ÉRiLp yÚ³}èo­„„ÂþbãRiž2™O¬Ä,þæ,å—#NO§
-œŸå6ïq.UFö{ˆ\Øl-–ƒxö rT—†LD¯è•Ž«h@Ñ® üŠH%ä€Aj<XR  <ýÎz´8![Âyl9çUve
- °®‚ê¯÷ȃrP1¡N^~8¢¸ƒP‰Áp_„5WÔÈdÓ4éP°ˆ•©ÃáÂ# :}]nª‡€Ãómwp^O4.´Å n’\jPG èújIŒÕ1"&ºx1)¶3!ßuUœß \‡,`®ï4¨MSÝé „²sT/Þ–~4ª»¨6ôµb=¦3î;ð_{.? Ý2¦Œ»¼“ŽÛÄŽ5Ýü‹ì‹™»‹M`ÁÂ’ÿܱ¾0ÇN8O3%5ù™7—KÃ3þsFÿÁPGYÿ\'nŽÜ×´/)uh·ºQùH#ì*mý*iG.aq÷å¶Ø¼÷kþ ÝE\šUu1,ôY“ÔQñ.µ€†¬&¾m€CŸ¹ËõÜ téË“µ;Ëéúô]#f‡ëƒ‹þLýv>Ê~û4p©¬!?=q7
-3ƒ¾ý4ÆEýùa[î6—<yt/Q\Þ­†VÕ´ÍÚG,?Ö>:¸/íôö99»*Þ€góÊù×#·tÒ¾sõu¤CÞC—rò¤?Þ=ò<¹x¤½ú¼ßJÁŽ¼˜•qC7CKú&zÚvùÜy¤ÿ>×cRw‘‡Þ,EˆOÿÜj<3Ë9Íg]aä°‚ÜoŠÕǾuzDîÑÛ¤HÐM}Ή¶ÇZ«AdÌ8¥srík1n¼U»QCÿ¾K £í¥Ë2(ƒy‚¶Ý¶2–2Àöm}‡‚dÂu0н“>ph =”vÚyœyAéF*m_»îöLö“§ÖÈ’èxTùR>Ê0ÛSöP³O²wo?)5€}âá.Õ)®_ÞNne‰=<ï*XÆCUr|åóà!Q6`×ç 3†pª±î£¾‡ îÚ™KÑ~Bt¥v1º„Á…5ϼ~ÔY
-åk~ðú1yAä! Qwìeë»7ÊùÅ/µ¾8ö–Y
-CEÕ0´2ÂE¥ϦD1ÑÎÊNSí¡ÉNÒv+3&û-¤thÊYÈ6ÙÈ[NÚã3õˆÔ©6Lž¯ñefõj.õÌ‚NgÆ5þ1 J“f"³g4AÐ`€:¯ÁST# NÉÎk0&û¿Ôà™~ ÏŒ}Fùü”# ÌÇ-Æ㊧Q÷œ"#¨Š PçyŠj¤È)ÙyEÆdŸ®Èw>B8*+µ<øIYÅPÇeÕC•ÕIªƒ¬ÈÎÊjDöjè)MjÇðÞox8Ž”£igc¡ÜKùдΘ1ãóë!G>*ÿcYÛ“B 7?¿1gtAÐQ€:¯£ST#MÉÎë(&ûÿZ¸Â¯¡Ä™êb¨ Pç5xŠj¤Á)Ùy ÆdÏß2Ð(}’t^‹Z¤áeOÒ¢yvTù/µ¸XJ ˜³<Ÿ\ö²ÿD!SÔïË”ÿNKEݘôµ4þ+®SVŸ…Îb¦ü—|n¸÷Kÿv¯Âp´.ÛÕ®º¡¯3€ÔMó€_A=’¼iº2 *º0
-L…ÿ1NÌÑlyÙó¨G¯‰ÿ<©EFoc§wòæPdNŠ-Z|lîwçAQÙQ†Î_[–S“V «¤]púÒô1'mî>,hðcdÜ=ü2~àиñ¢ ÞÅ_ÁÉ”pã>3sp¿Ð9¦¸¢WÄÒ²Tkk¦oâð4©ßÇ‚?QÀqâw¬3|³þÕ?ü¹ìàØÔoÖŠy HfR+ò,0…gäzÊyÿ]í!ëÿ•p|endstream
+xÚåZÝ“Û¶¿¿Boáe,Ÿ$˜77¾4Î8Ž_ÛLãÌ”'ñ,Ž%R©“/}w±
+ÛI´»æ&*ò†ú:º¯wô¢)Ú¶¬>Òè~KϜ޽߮˖FˆŸ8ÿñšGM[l¨[6ô¾­©Ÿ¯×õ†Êª-vU¾¦^U´‡z÷©¡ií*w„sÚ ß«²Z¢€sÎãLkaö1±zð½LE„»ÇgYÑó—ï¾ÅxÆ 5Û|QPóÓŒ–iŠÝC±¤Ñ×/®çŠ‰(wô—õb¿)à
+\®UŠŽÑ¬H‘pë.ÃÄÑm±(ÉرèÇ_iðHî8h£{W§á±–FÍ Ø1›—Z¨™[.º¨Í3Âæß_åÁ¥¦À¥¢m nÊÕx¥óÊÛrØrxël9x+íͺG©*Š¥õKøY±È÷ÖËÀ„ÀƒÀ+¯
+ªSï‰gisáSeáø‡-rLÐð¹4¹³iŒÖuý‰ƒ¶p4¨ê)\f$ ^—ž†/…ö¯[8¯[4̵EÏžDÿ¼Ö:¢ª¬ëò%1ÇÄG²x1J·úº¬Ë.ƒ‚®ßµ¦jO½Ø4ežnŸx2ÆUáZƒÄ‹²C—-Žê¾ÃÒÃiÿ½ÛæW¾dæèa©wTvY“’àsȳo&”+Á ˜œfvù¯ížÀfxAÃãTIª¸½~{=OQÆ'gôôHÄýSÕ¸¹':(ä½E€I¼ð š«mÔÂÊÒÖ’x±e#«0«|}ïÆÜn].õì-ƒô%™ÁŠì¯PÐdꤟԇEÐq•lº¨È~XL"ÔÆC,‹>UöT,#ýé
+GÌôúƒƒîLÝëlÿvà\™„ =–u†){ïä+PCZTÒÁ–K¶Ån}Í£G{·g#oÕW«Æ¥>_AbÙ©;–#…iÆêgù4,¬8
+סyË&üà¡Ý,mÅó8qMG,M—Û÷Dü“Å&‘>($Þñ ù¥ˆ”a¼§F±þ“ï
+'®‰ '€ðãÞïíLŸ¡ó—žáÝÖ7§þþÀ ‹›<ûgŽp–ý·$Aš
+wŒƒî¯±Ç[ÿâ=l†endstream
endobj
-1084 0 obj <<
+1383 0 obj <<
/Type /Page
-/Contents 1085 0 R
-/Resources 1083 0 R
+/Contents 1384 0 R
+/Resources 1382 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1068 0 R
-/Annots [ 1088 0 R ]
->> endobj
-1088 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [417.8476 110.3446 466.5943 122.4042]
-/Subtype /Link
-/A << /S /GoTo /D (sample_configuration) >>
+/Parent 1337 0 R
>> endobj
-1086 0 obj <<
-/D [1084 0 R /XYZ 85.0394 794.5015 null]
+1385 0 obj <<
+/D [1383 0 R /XYZ 85.0394 794.5015 null]
>> endobj
154 0 obj <<
-/D [1084 0 R /XYZ 85.0394 769.5949 null]
+/D [1383 0 R /XYZ 85.0394 714.7215 null]
>> endobj
-1087 0 obj <<
-/D [1084 0 R /XYZ 85.0394 749.3028 null]
+1386 0 obj <<
+/D [1383 0 R /XYZ 85.0394 685.6298 null]
>> endobj
-1083 0 obj <<
-/Font << /F37 802 0 R /F21 714 0 R /F22 737 0 R /F39 899 0 R /F41 939 0 R /F14 740 0 R >>
+1382 0 obj <<
+/Font << /F37 1026 0 R /F22 961 0 R /F21 938 0 R /F39 1161 0 R /F41 1218 0 R /F14 964 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1091 0 obj <<
-/Length 816
+1389 0 obj <<
+/Length 974
/Filter /FlateDecode
>>
stream
-xÚÕWKsÚ0¾ûWx8ÁÁB/¿Ê‰&¤m¦“IƒÛK’ƒk”„cÙyÐNþ{% 9ÈIÚN;Ì€µ¬¾]}ûI^!Š²]x!m?¤À…ȵ“…íkñß ­}œÚÉѽÞGÖðˆøvB{vt¥a
-ö§§Ÿ?E»°x28( nÐ?ø8>&gÊ^»Ž¿ BýñÉÁäP›"Ž&ãOûÑ׳Étp[“¨ÉT_ ‚D¦yk_B{&ulA@ÂÀµÄ
-åé]ÙTV*rƒY¶öa#OÇŒ¹‡L;EoÜsÝUikô&à]5R¤ñ=ÛM"Õ”×R ·Ó1Ò£×õn!ÔâWÔÕy
+xÚ½WKSÛ0¾ûWx893µ¢‡ŸÍ‰Bèc:LKÒ^ ãHDZRË!¥ ÿ½’e;–C§”Nf"iµÚýv÷[ÙF6?dûbÛaì"ßNW´¯ÅÞ[ Õ:®VrÛZoæÖø„„v â
+HÖ>+; :Dá~î©Ú¿"zª{HäKa¾kM´àY¢s×g6±ÿ-+*WÆ°[¤àã¾câdžFdo«ýa…Ñ \-/[á^k›Ïî^4Ô½‡Éë¥ç÷Îs‹ÿ*±¦ÀC Ðͫ鳈ø@~ËÞ.aƒäÙŸL_‹âýS¼bbók*#àEÂH J…¢rýmÕ‡þþÏÄÔendstream
endobj
-1090 0 obj <<
+1388 0 obj <<
/Type /Page
-/Contents 1091 0 R
-/Resources 1089 0 R
+/Contents 1389 0 R
+/Resources 1387 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1068 0 R
+/Parent 1392 0 R
+/Annots [ 1391 0 R ]
>> endobj
-1092 0 obj <<
-/D [1090 0 R /XYZ 56.6929 794.5015 null]
+1391 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [389.5011 743.8714 438.2478 755.9311]
+/Subtype /Link
+/A << /S /GoTo /D (sample_configuration) >>
>> endobj
-1089 0 obj <<
-/Font << /F37 802 0 R /F41 939 0 R /F22 737 0 R >>
+1390 0 obj <<
+/D [1388 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+1387 0 obj <<
+/Font << /F37 1026 0 R /F22 961 0 R /F41 1218 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1095 0 obj <<
-/Length 1702
+1395 0 obj <<
+/Length 1076
/Filter /FlateDecode
>>
stream
-xÚ¥]Ó8𽿢⩕¨×v¾ái–“ÇöîrSg‘&%Nvéî¿ßŒÇi“’² ´Òz<Ï÷Œ§SbŒ{‰?Ÿ\Ót;áÓ[8{5ŽfÑ-úTÏ–“‹—^4MXÊpºÌz¼bÆãXL—ë³ç¯/ß-¯ÞÏ2à3ŸÍAÈg—/þž !f—oŸ_½ £ooxyu9üÙò¯÷Wˆ2Á{»¹¼¹~5ÿ´|3¹ZôëÛ ¸‡Ê}|øħk0åÍ„3/‰ƒé=l8I"§Û‰x,ð=¯Ã“›ÉŸ†½S{uÌ'³ –шS|1æ?ba‘Sª]“W¥™/BÎgÿ¢=S!Xrºè
-Ÿy~(](BŸEIÛÛð~Aµc_îž×‘ÐùLºŠXnrH>†³nU´˜MU7³Û6_kÂ6•;ÕM“—·´iw´.çð¼cú©Ô D©š¶ž‹x¦
-jç " nzíDœr0ØHófïÔtØg×o_0¯›1¯¯µIë|…2=ÌÒ*o» šaWÌ{Z•9—·m­H0"S8ånÞë¢8ÁlT3"B‘Å´!˜€5a3LmÖy†x¬Z<.¿L÷xÌļL‹vMqèWÁÎ^ªì£Gu’Ñš7Õï ¼ ˆ/zï.©rM@kΓ›üv^ÀÝç͆
-R׈ ™XÍñ
-Ó¬®À‚^ˬkœ0°>T,aÒjòlo§ÛQÿ“‡bîâkß{|Kå ¡œ‚Ä
-¾€(µ ¡¯ß-\Äð‚dOZàanÜZšÖ86”4‡úW„ ¤7)Ôû]SÝÖj·!U~d‰œ¤+÷;èÒk¬ö´Rü²º@zdªvæµ;]ç•Mw«NdÕé˜Þë-<æÅøŠ^'ãœôýËâ,–IäV`Ôö Ñ•öPµ»\0>=`›$±tl_F$‹€Ežì$cYŽL!ÞxÿÀf?Âf“ü„A`ð c?94Ã"/]—=üð³7¥äå‘
+xÚ¥WÝs£6÷_Áä ÏYˆæ)wq®¹‡ÌõBûrw“Q@ØL18â¸þï•°Á–}I3ž1Ëj?»Ò
+dAñCVH
+"ˆˆ•¬&ÐZˆµO¤eœ^ÈJ}ˆ'³7°"ùØ·âl`+0 ‘§ßì¿]}‰ç_§&ÐöÀÔ!>´¯®ÿœ"„ì«»ókµt}w¯ˆ›ùÕ4ðìø¯sÉA8’zDkÆ÷·Ÿ¦?âÏ“y¼‹o˜‚® îiòí´R‘Êç nk#^ @Q„­ÕÄ#. žëöœbr?ù}gp°Ú©š0!nHˆ(€ù Š<b$¾‹Ý”å «ùÔñ!´ÿQ`€| þÝKÅù÷Rf*Ü9ˆÜéfU½¡uz¨n¦EQmœ§–ÕÛ‘t^
+ÿ%-¸Y ”›š–<cµY¿µÓßibPÆg7`®\|ßëDæ/Êœê€ïÀGP^•Š±¬x#˜è S8«Ÿe\’Nªò;„xñ«ò5*ÁΗN+)Œ Õΰ§óC‘d†
+ú ÄQÐ%ÑEÑaä»Ï‘ãÐÿÔ”fendstream
endobj
-1094 0 obj <<
+1394 0 obj <<
/Type /Page
-/Contents 1095 0 R
-/Resources 1093 0 R
+/Contents 1395 0 R
+/Resources 1393 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1068 0 R
+/Parent 1392 0 R
>> endobj
-1096 0 obj <<
-/D [1094 0 R /XYZ 85.0394 794.5015 null]
+1396 0 obj <<
+/D [1394 0 R /XYZ 85.0394 794.5015 null]
>> endobj
158 0 obj <<
-/D [1094 0 R /XYZ 85.0394 344.3754 null]
->> endobj
-1097 0 obj <<
-/D [1094 0 R /XYZ 85.0394 303.9367 null]
+/D [1394 0 R /XYZ 85.0394 146.2062 null]
>> endobj
-162 0 obj <<
-/D [1094 0 R /XYZ 85.0394 128.6173 null]
->> endobj
-1098 0 obj <<
-/D [1094 0 R /XYZ 85.0394 95.7891 null]
+1397 0 obj <<
+/D [1394 0 R /XYZ 85.0394 108.682 null]
>> endobj
-1093 0 obj <<
-/Font << /F37 802 0 R /F41 939 0 R /F22 737 0 R /F21 714 0 R /F39 899 0 R >>
+1393 0 obj <<
+/Font << /F37 1026 0 R /F41 1218 0 R /F22 961 0 R /F21 938 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1101 0 obj <<
-/Length 2115
+1400 0 obj <<
+/Length 2431
/Filter /FlateDecode
>>
stream
-xÚ¥X[sÛ¶~÷¯Ðô¥Ô$D €à¥™>¨Ž“¸mÒœJ=/M(‰’˜òâ”÷LÿûÙÅ)ѱÛZ3&°X,»ß^H> àÇ'*bQ*ÒIœ†L\MVÕE0ÙÂÚë ny|Çä÷¹¾_\|óJÆ“”¥‘ˆ&‹MOV‚$á“Åú76°)H¼ÅüúõÔ\¤wùfö~qõ LU
-#yU
-JÑb×
-ËT âtŽ‡½G±R]BÀ±˜ƒÍíÆ̉Ò:ÛºŶ&DÅh¥ÕQKü ô|¬1B”Ê ¤Vpt±¹§1¡
-ÞL‡åŽAççkDbh?ÕZŸJ±×ÄñòLEðüXºq·j‡ve:¹ ýB8Lç¿êü¼ >^ûlb‘Aâ>À½¶Wéà—y{—ç5MÚ»†˜©ínÓY“»}Ò(é`…ãê [’¿´«mSÚîvNü*µS…ž®£>f±õÁÓË¢ýhpú~Ït‘ü§%ÐçýX“Á™Œ!ìi28Sqâ¸loUœ6A×ﻋYÛ¥ó“È<RôÛñh{ãLÇ|­er´¸Ë³H©tPûÍg,»û ¥½ í˜h ^üõx©ûÌ oéømxä£pÐéò¯?A¿¹‡1“I"Ž_—6Žâ‡«jΓ3ÍÝ·êsÕÿ§¡endstream
+xÚ¥ËvÛ6vï¯Ðé¦ÔIˆ
+²˜ð¡”Íœù÷¹¤(™yÌŒ½ pÞ÷“â³
+‡Öÿ8A™G,‘¢§ŒaùX†šÃ? 9‹0q;…s§ðª¢P0¾¬ªÙu.2qÓÒ³¨Ð
+ø„
+ÇRÀQÀUµ7sN}ôE»0Ã%[†ðJÓ9Ã# Ã&|ì,Cˆ=ž}lð²Å¾k*(Â9!qN1󇡲ƒ<…R€–eóPÔw´7EYÒênðfhY°l ‹Ô}Óæ}
+«æ^³©Ôü{Sßa“„ÈÐÊy+mÀY»¡É‘t•N ¢µÝ7ÞÖÊý
+ éšµFw‹bïMÓ¹ËÝVuýÊ*õ¹¨öÕ@ƒ¥®ïÐÔˆ­
+Ži#ââèqØ—SÌÀ¶‹‡„Nû®¿E¼œ*T™„ôrü¿xÂcù$À?}ÏýtùäiÄ$8æ1{„’£9·6
+jʳ©d)Y†ÓJ0$4BJ­æ(EéÏ6ó®çgCEu–¿œ]ìz¨Ö{Ó¿¥\YSN¨Q ±û¡=›ÈçIÂx*³S—µ‚Yoû]ýt]~x•ýñ¤1üç@‰ëÅ/¿|¯ç©ù zÇNì¿ ÉCÉÂX|[Õõu¬_ÔØTaðy=Ì‘SB¸ñZÕ{UþOÕAÈä”#Ÿ´xnãáEµ³ñ0E˜õÖÖƒìk0«Õ¹Cj;€bÖ¼Ž£AÆ”àž‹;ÔDÞëÆ8¢‹ÛË›‡ØZÔ8ÂCn„ͽ*‹õTn=F¡LOßǦŒÙWä$Ò0xÔ§of$g
+õ¾ìŠ]y"[ê9ü%¯I=©cÌsÐ.FSñöX
endobj
-1100 0 obj <<
+1399 0 obj <<
/Type /Page
-/Contents 1101 0 R
-/Resources 1099 0 R
+/Contents 1400 0 R
+/Resources 1398 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1068 0 R
+/Parent 1392 0 R
>> endobj
-1102 0 obj <<
-/D [1100 0 R /XYZ 56.6929 794.5015 null]
+1401 0 obj <<
+/D [1399 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+162 0 obj <<
+/D [1399 0 R /XYZ 56.6929 662.3153 null]
+>> endobj
+1402 0 obj <<
+/D [1399 0 R /XYZ 56.6929 634.3021 null]
>> endobj
166 0 obj <<
-/D [1100 0 R /XYZ 56.6929 769.5949 null]
+/D [1399 0 R /XYZ 56.6929 587.9857 null]
>> endobj
-1103 0 obj <<
-/D [1100 0 R /XYZ 56.6929 752.1493 null]
+1403 0 obj <<
+/D [1399 0 R /XYZ 56.6929 564.9659 null]
>> endobj
170 0 obj <<
-/D [1100 0 R /XYZ 56.6929 604.1835 null]
+/D [1399 0 R /XYZ 56.6929 418.0778 null]
>> endobj
-1104 0 obj <<
-/D [1100 0 R /XYZ 56.6929 580.9481 null]
+1404 0 obj <<
+/D [1399 0 R /XYZ 56.6929 395.0579 null]
>> endobj
174 0 obj <<
-/D [1100 0 R /XYZ 56.6929 491.318 null]
+/D [1399 0 R /XYZ 56.6929 306.0653 null]
>> endobj
-1105 0 obj <<
-/D [1100 0 R /XYZ 56.6929 460.4393 null]
+1405 0 obj <<
+/D [1399 0 R /XYZ 56.6929 275.4022 null]
>> endobj
178 0 obj <<
-/D [1100 0 R /XYZ 56.6929 413.6322 null]
+/D [1399 0 R /XYZ 56.6929 229.0858 null]
>> endobj
-1106 0 obj <<
-/D [1100 0 R /XYZ 56.6929 385.4035 null]
->> endobj
-182 0 obj <<
-/D [1100 0 R /XYZ 56.6929 187.2693 null]
->> endobj
-1107 0 obj <<
-/D [1100 0 R /XYZ 56.6929 159.0406 null]
+1406 0 obj <<
+/D [1399 0 R /XYZ 56.6929 201.0727 null]
>> endobj
-1099 0 obj <<
-/Font << /F37 802 0 R /F21 714 0 R /F22 737 0 R /F48 953 0 R /F41 939 0 R /F39 899 0 R >>
+1398 0 obj <<
+/Font << /F37 1026 0 R /F22 961 0 R /F21 938 0 R /F41 1218 0 R /F39 1161 0 R /F48 1238 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1110 0 obj <<
-/Length 3135
+1409 0 obj <<
+/Length 2729
/Filter /FlateDecode
>>
stream
-xÚ¥Ù’ã¶ñ}¾BoÑT­øivwÖ^kgWNÊeû#rFôJäX¤vv’Ê¿§/P$Åñ8•Ò€Ðèn4ú¢ÌBÃÏ,R¯´Ë¢E’EÊkã›ý…^ÜÁÜ—F֬¢ÕpÕËõÅ_߸d‘©,¶ñb};À•*¦f±.~^¾úêê‡õõûË•õz©Ë•õòêõ?.1Ë«w¯®_óÔëw¸óæúê2‰–ëß_#Dg°.R±ì\sýÓå¯ë¯/®×=}CŒvHÜï?ÿª°òõ…V.KýâZ™,³‹ýEäò‘s²»øpñ÷á`–¶ÎÉÄ»TùÔ&3B±vN(>S±³Ž„òÝq×U÷»øK²åÇò±Å^ºÜç º‘©ûÃ¥I—e[ÖÝ €¤~ysìxª©w²¸Û–¼ý­í¡•ùªåöØ–Ïeñr½­ä ¢bÄ›®ú$GM);ê¦ãU›¦îòªfh^Ëqm¹áÍ]K4Å˶Á+¹¬ŒQ™÷–˜¬:¾Pf
-:Ä´„Úœ›‡æ°+VŒ2/ò›,Cnv¥
-¨­V$I¨ßÞ"Ô/H:S‘KáÎhŶi;ËF×a#å"€ð*kAL'D Þ@Ù¶ù]É°n›wÜ rËyÈÄþ~,[‘T×LwäE!wÇRŠN×4:ã¡Úí¸w#ÓmuW—E˜í¶rÂV6´÷å¦BÙÀÍÊ9•¤Úá󳢦f’EŒŸ—”Ž3/«„L¸–ò3 WË:aõ¾©[Ò"
-ã¸j¦ó½ôFÌ-VÜiæÌXE®ø¹´Õ¾ÚåtyWîá-ñpl¥G@;xn
-ŸvÖM½šK„ æü!ïU†my
-ZÞ"É"©Ë!{‹UŠŸ$²tlsƒ€u$z÷6Øl½| 9Ÿár~¹úªÜíöô¸¤üŒ:qW*—ãm ëtI
-Ÿ$q§£/ DBè•TB /d.ÛºSH z þ†cÚŒsú>DH#3
-
-ÒnC¥CùSÕÛPê •TVŒu*ŽýäƒÇ¼Nã
-,Â?gQí£9•vž &µXKfƒ‰CÊbŽa¸ÙUôú°O¶Ôg§¸/,'X]ì=½)ù <­ÿýnTx&¼ø& OÜåDÏŸ1ù%úTù8ÎÆz•ß û÷‡Š
-ƒ`ÐäÉG'ù½ãü¢)³ËÕ0æ¥òÂ)¿[ycøAf¨ßÇ2`!œAOà"ªùálÕI "ÛpÅp0&‹C¼šœ¾×2y³ÁȨñä30ÐqžYiÊ
-H8ÖCÈTn8‹Ul*§ÄË«ÛŽ¬˜Æ<’ ô‚{Á%”vb°ñ>?@XSÝçäbq);(œ+kq'
+xÚ¥YYsÛF~ׯà[¨*s2ƒ\›'Ù–%k'‘è­ÚÊæ$@ (hZ»µÿ=} ²*•âæìéùº§/š™†Ÿ™%¡Ò6u³8u*Ô&œ­wzvsß^Y³ð‹ÃU¯—_¿³ñ,UiD³åf@+Q:IÌl™ÿ2óÝÕOËëÛËEê¹S—‹0Òó«·ÿº4Æ̯>¼¹~ËSo?ÜqãÝõÕeìæË·×8¢SXçT$;—?\ÿûò×å÷×ËŽ¿áŒ¶ÈÜ¿üªg9\åû ­lš„³#t´2iÌv.´*tÖú‘íÅÝÅÏÁÁ,mÂ$´‰
+“ ž
+Û Œ<ý{ñÄ ¿ji’y±®ï«ò¿EØ /…H4ßY%+Û‡LÎ(7~D¨6ÅþS±ç¶,ÊO…lÌ<©¦ÉîýŽò¾*rž_=²Ž\¢0_¡\
+TE¡,EÛŠD6õž×ƒ´ûõÖ(›TÖ#f‚j`T'~Õ+¹ÇæDæ7?u-–›Ö›‰““TÅ6H'S';¥£ÔßÇCgÀ.ª@ÙL *mT†)èZª’$fåöòt¿{ÿ#™y¾žÆ/¢´ f|óÿohÿâ„
+8¶éÚ“±pnÂêà<
+%ZÞÝ|ÛG3Ôx5^+¯(¦ãö0ŽûzûrÄóúæ&‰™g<vœ8ÖË…@À¡*çÆ>«XÏ
+¢Î@‘,þe‡LŸ­öZ–¦’ë¤R‡¯`E˜ C{Þ5ôÜ/ -[j5°&
+˜Òb,ÜðIËHU ¯7õï¯ þe;‘:è.¢þÛÿ ÷…»XÙ$y&˯’ =Sh`N9ïþB>gýOJ|endstream
endobj
-1109 0 obj <<
+1408 0 obj <<
/Type /Page
-/Contents 1110 0 R
-/Resources 1108 0 R
+/Contents 1409 0 R
+/Resources 1407 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1116 0 R
-/Annots [ 1113 0 R ]
+/Parent 1392 0 R
+/Annots [ 1413 0 R ]
>> endobj
-1113 0 obj <<
+1413 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [418.3461 479.9323 487.0181 491.9919]
+/Rect [101.3082 326.601 169.9802 338.5012]
/Subtype /Link
/A << /S /GoTo /D (dynamic_update_policies) >>
>> endobj
-1111 0 obj <<
-/D [1109 0 R /XYZ 85.0394 794.5015 null]
+1410 0 obj <<
+/D [1408 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+182 0 obj <<
+/D [1408 0 R /XYZ 85.0394 718.5038 null]
+>> endobj
+1411 0 obj <<
+/D [1408 0 R /XYZ 85.0394 691.1994 null]
>> endobj
186 0 obj <<
-/D [1109 0 R /XYZ 85.0394 660.0386 null]
+/D [1408 0 R /XYZ 85.0394 491.8561 null]
>> endobj
-1112 0 obj <<
-/D [1109 0 R /XYZ 85.0394 629.3979 null]
+1412 0 obj <<
+/D [1408 0 R /XYZ 85.0394 464.5517 null]
>> endobj
190 0 obj <<
-/D [1109 0 R /XYZ 85.0394 460.4175 null]
+/D [1408 0 R /XYZ 85.0394 313.1885 null]
>> endobj
-1114 0 obj <<
-/D [1109 0 R /XYZ 85.0394 432.7417 null]
+1414 0 obj <<
+/D [1408 0 R /XYZ 85.0394 288.6895 null]
>> endobj
194 0 obj <<
-/D [1109 0 R /XYZ 85.0394 260.4641 null]
+/D [1408 0 R /XYZ 85.0394 127.0564 null]
>> endobj
-1115 0 obj <<
-/D [1109 0 R /XYZ 85.0394 225.0222 null]
+1415 0 obj <<
+/D [1408 0 R /XYZ 85.0394 94.9508 null]
>> endobj
-1108 0 obj <<
-/Font << /F37 802 0 R /F22 737 0 R /F39 899 0 R /F21 714 0 R /F14 740 0 R /F41 939 0 R >>
+1407 0 obj <<
+/Font << /F37 1026 0 R /F22 961 0 R /F21 938 0 R /F41 1218 0 R /F39 1161 0 R /F14 964 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1120 0 obj <<
-/Length 3106
+1418 0 obj <<
+/Length 3319
/Filter /FlateDecode
>>
stream
-xÚ¥ZÝ“Û6ß¿Â7Sï\¬ðC”¨öi›lÚ´w¹^v{7ÓÙâ®5•%×’³Ùþõ -ÙÚÞÍÜd&"A@ð€^¹ðO.L–d…*y‘&FH³Øì®Äâƾ¹’̳
-L«1××÷W¯ßé|Q$E¦²ÅýÃh-›kåâ¾úy™&yr +ˆåÝûo~FøO^¯”Èu¾|óíÍ÷·¡k°ãÍÛ]K)—7Þܾ¥¡·î¨ñîöæ:O—÷?~¼½»þõþ»«Ûû(çX)4
-ùûÕÏ¿ŠE*}w%]X³x‚ŽHdQ¨Åî*5:1©ÖÒ\Ý]ý3.8õSgm#E¢t¦fŒ£äB¦‰NaplS$Êæ*Xçz%…8³(ÓÕȶb±Ò^
-š÷õû`gË‚>ûò0ÔeÓ<c7_öÇýµ\î»ÃÐ xwû†x§”áP¶}¹ê®%B_?¶åp<\K»t=ÑJ^ªß»Mý‹ÊU4Pó¤ïxe´á9mE“p ´B=¤L
-cHUh §žåÅ…Tzyìik½Ü×M½y½?ÔŸÊÁí7÷Ì£CGßò8l];ԛȳs}_>ºž·¸Ùl€@C›®¼z]ƒ„tYƒÁzjîÝá¡;ìH?ÍúÁ>[7§C_î9ç®l[w 6Z ¿÷ µP௨‰ŠÔ{tÌ´)[j¬y¥G8÷ÇNÇKV®­m]öq˜ç¢xa#j´ YE.àR€ÿ¡Èÿ;‹6Ë?éùÝ„ô
-ÅÑÛF ‘äYžO3&•|ŽY5\yhê˜.ÆSGîM·ÛˆQ`˜Dà˜a
-€XÆ|uúlF­²$Ë„ŽUÈeòG…;ûTÕöpµW 83Kfà¤iòWN& IßMïÌ1VΡ¨ 5Ë©Ng'´6Éd>uA%&9öÙàJQ¿1”ÞÂ*˜\ñ™"_7?ŸÁ ‚ ×f£Ôâ’UQ¢J­2‚+@szýd¹ R ã^Íy¥Èñ9¿¶Ì"…æBƒ¥“&H'9 sûL‰Ád.¿? ^ÕVE±üif=¶*´¶å'w&
-
-MU8|EËQì·1AkÍ;{Ž6„«ÏŠJŒxRWžéýÙêx¾»k+Çp^->^Ìh3&•äç…M”¶gIÞæ¬ÈµPE5DÖ펺P~ùwBÚT’Éþ‹Rét-)™C’¿jð­wûÆ òiX°êuÔ~{ÿî+jŽœ&p6~²ð­Ù·¹pç?ÞÝÜ}{#ÿü„Š¡\hј¬Þ‡¦`QÒ'Ï,ÕÃd³3˜~cùeˆÕÂ{UÈM}j”¸Ï%Úkƽ¬°µžñ—¼¨q­´EEs3Õx
-¤« fUÒ7Êî‰kú‚vL`nïó¾5‘3™Çù‰±¯ 0&i]@²2ì>ΊXtø²6¶|…_Fóê¸qÕ—3æ“™H
-(ÈØ ßOåú«æ¯RéÔ$x3ÉKž%¹Áúxì3Y€’/{i . LǨ¦^xÚ=¼`ÏH X)¾sásÎÓ¨ö¿ñ+ ±
-ïÖÚ‡|ê?ñDÿ
+xÚ¥ZÝsÜ6÷_á·[O³*ÅIlžÜÄiÓÎäz±ïn®Ú]Ú«©VRWZ;î_
+!Ýú{Wׇ²!ößÝ3±¸OÛ}Ù<8°6ÅêÛvØǾ퇞xÊ#ΠQûSE± -*yí’Ë" Ã7ÿÁ
+GQÖþ== tÊ‚ŠUO}Kü¡¯ib)4v{¡á¹qô쨷w «ê(éñgÛ8ô¾ÈVw`fP
+qj_ÆÉ_áÇ}ûþÃ[([Yzø…˺öbâ™î tíÑ#7
+š*Ð6eÄ m`€‹ Q£É’(ò˜ÜùÌ+CxVŸWTÐ1#ô²©ƒµÜáyÅ`{ J!ÈÔ6t
+Ò6,ì\î1„Y6Ïã,K;äSäë33…ÄIˆÏ‹Œ6kC•ÃàÝ0ÇeuKÎåšÝ×ak˺ÚÅžÙN`º´ g6GÀæ‚qWïÙ§
+¦<ÁÇ`’_Œ¾oŽÏÝÐÂíöÕ–É$öT”®3ÚBkøÎÁf3€A„žž]Û÷Õ¦vô6@$ÚSl"l‚´=wÆÉnÝöt¬†gzC3“àÊNíg3Ð8Ö ¤àzm=»XP
+Å ‘
+!!’<Ëóù)YL“‰L>EÐ@ Wë*‚Ÿ+Ó̽mÄ0Ê ³ DÚ !ŸÇ©1Ñ‹dá^¼)\Ge >3\÷pjÆTfL\:$"·ƒâœÒ}{ì©“@Ë„©+§âeÌËì«zGlòx$Ëâ+’ Ê…ãÉZ‹Õ5f?íÇÿÍçREá”ó¢†Pe ÷°Î@õšZoBvL~&2'[5Ÿ×¡ž{¯JzÇHÛ²+9™«p%ÓÖ„5¡T\P*@Úp‘ǨÐN‰Ç>! N0ގ͆1Å S¯²·n^N”›)‘áf¹t¶
+Õ—¿%¤ES29ЕR@×’À’üQƒguèj‚ÈC¤M`Á¢×QûýÍÝ»×Ôœ
endobj
-1119 0 obj <<
+1417 0 obj <<
/Type /Page
-/Contents 1120 0 R
-/Resources 1118 0 R
+/Contents 1418 0 R
+/Resources 1416 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1116 0 R
+/Parent 1392 0 R
>> endobj
-1121 0 obj <<
-/D [1119 0 R /XYZ 56.6929 794.5015 null]
+1419 0 obj <<
+/D [1417 0 R /XYZ 56.6929 794.5015 null]
>> endobj
198 0 obj <<
-/D [1119 0 R /XYZ 56.6929 769.5949 null]
+/D [1417 0 R /XYZ 56.6929 626.8646 null]
>> endobj
-1122 0 obj <<
-/D [1119 0 R /XYZ 56.6929 746.5 null]
+1420 0 obj <<
+/D [1417 0 R /XYZ 56.6929 593.5117 null]
>> endobj
202 0 obj <<
-/D [1119 0 R /XYZ 56.6929 613.8079 null]
+/D [1417 0 R /XYZ 56.6929 468.186 null]
>> endobj
-1123 0 obj <<
-/D [1119 0 R /XYZ 56.6929 579.9833 null]
+1421 0 obj <<
+/D [1417 0 R /XYZ 56.6929 436.0669 null]
>> endobj
206 0 obj <<
-/D [1119 0 R /XYZ 56.6929 375.4945 null]
+/D [1417 0 R /XYZ 56.6929 238.9445 null]
>> endobj
-1124 0 obj <<
-/D [1119 0 R /XYZ 56.6929 346.4711 null]
+1422 0 obj <<
+/D [1417 0 R /XYZ 56.6929 211.6265 null]
>> endobj
-1118 0 obj <<
-/Font << /F37 802 0 R /F21 714 0 R /F22 737 0 R /F39 899 0 R /F41 939 0 R /F48 953 0 R >>
+1416 0 obj <<
+/Font << /F37 1026 0 R /F22 961 0 R /F21 938 0 R /F39 1161 0 R /F41 1218 0 R /F48 1238 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1127 0 obj <<
-/Length 3297
-/Filter /FlateDecode
->>
-stream
-xÚ¥ZYWã:~çWpúå†éƱ$¯3O!¤ „5 Kî̃c;‰ÁKð’mþü”6cs»ï™Ãƒe©\*ÕòU•:Vá[º¢[;6mMÑU¤»Ñ‘z¼€µ‹#$hN%Ñi•êl|ÔþIÌc[± lç^–¢Z:{¶ºýÎý¸7<9źÚÒ”“SÝP[óÇ„P«sÛíó¥óÛüìuNL­5ž {0ƒl]'ð%¾²Q¯{òŸñÕQo\JX=R ïýèÏÿ¨ÇæêHUˆméÇxQdÛø8:Òt¢è!r&<=” +«ìÓ&­èÄRt › jÁè!DÇ5½è¶bL˜^è‘0œOUÕÖ(XÄA¼àçÏ—>L“اv¸¢eõV é6ã3^J"T!B¶‚ ÓbJãÅY滧l³ofjš A½JOÕJ©qA‚Œ?‹Ì÷„Œ RŽ|äðe¯Pþǧ¶¡D8EpP]7ïN¼ã»kUi1ÁºØÿÍße~Þ $èÛÒm)æ¿U‡>ˆFTÔr“”Iíg«$ö‚Ô¢ê¤+TTúœ„¾ƒèÅŒ
-+¾Ï–Iz|eæó¹•àèÇ98Ÿf ¦k¶Ä´ÈÙ€ü”Ïn‚0䣅“Nbø Ç=5TÅÖ0ÄSé$pž[áׇÆD±©KóCÿh`§+Ä"–  \H“î°bZH9±×À|<T2G—_1R AÅUÚ§Oú‰­¶æð
-$\Ùænñƒ«ÆDŸ*‹Ž`¦AMUTvæûœDACš)»Ê
-C±T¢ ¢@$[ùn@Ñ÷¨›ܺlÚá”تb™K«£_l¥©¨ºWœä"ì>¶üQ‚†Äs£Ã!‘ø«¦Š-Õh ïRUú‡ªè†þaÀϽãyr)râ ÃtûBüZèóà± & “ Ã;úê&QD’½ÐpÊø0çô¦tªY'ËŠ¨ü2ÈÅ3ã„AÌßþà
-¬njVëlÇÏ®0¯ÉN_‰nÏŸ;E˜ s9Ì÷…²ùˆ¢m–»äÃ¥³–
-—8»v‚Й…bz•k'ÿ`!ˆª¦ýŒÚü wrá ™"tdÕ3NÕ‡ÙàLm&üY×›ú-ìqGù"ˆ®¤ÈWEÎÇÒ tLmNŸ"Yy…ë{ÿl°¯n"ò¥}†à^#¼ØŠÎóafîã¥Üº*ŽÌt<s\£sŸ?c×—ë»F¼3ÍÔ%¸ÄNDá„;FŠf¤îPnÏNvöAÌ”I‡Rúf|(óøA]ÑÙ¿U^èºm
-±xžÄ– q%|T±£XâQ ð)ŠØ¢‰¦œ+«€
-ÙJVyÄ •ªÌ¼p}ð!ElÌ{&÷-c6b±ÃŒ OP³«-.…_…¤ ì¢+‚]œóQ8ÀŠãY˜¤_Ýù’¯æ˦ÂUÑ4K: ÔƒÞKÖ oM2ËBIW©ß å›”L
-A,¨iõî¢vr\«|,[!†v
-”žÐ, (œØ]´IŸªÀ×ggvK@aA%J0Žð¼an°¸©jëÒy
-\}†Ÿ-¡[ŠKäÍr8_äKL â¦NÑPLà µã‹:B‡fÐ,%i.l¢è†aÔ£ë×Bk*‘"”ˆƒ |w“Uà³Ú
-"dÎçxŠãcèhø€•+”J´*tŽå6ªñäÅ/¥¥®%>Žä'‚ˆÚ)ÍrNñŸ¦NU£sÓÝ*§÷"+¨Ð¹ÛËãÔK³¥C¿¥Í&=ë„…±‘´:¼÷E²ê‡QPµ‰5nrÈ –eý¦o
-ÛÂo1`à9`h
-Œç(¹ºž]Ø#÷Ý5CSœ¿‡ëç!¹iB‘v8™<goþ]Þ_/鮆Kíy4˜½úmM
-·¿ˆ7ýÕŸßä$ÞÃë÷›&ƒFùäÑ7 Û~Ú¯A;ïáö|¹}yxÀêÏÛ}¿LÆ«÷›C³3&íG}9|ØŽÜË&Ž·ïw¯½¾¼OÏñüÁ[lgîù¸NÔîðÌ w}s»¾ ßþU^[qóþm'ÇU7¥®Í\Ž#$…¤h÷GVRmœÔû¸þe|1±é³+0°A‘ƒ{7yuëÒº­1Bt!M¯Óq¶÷7îoÕþìáQ{ò§gFÒ;þžª7†>˜-ǯéš:at¿ìM§\\D¢«†UwòbóE¯x7×Óöþb:ñz·O»ïWÓ}‘©ád•o¯›åd„tÝêÏ´«Ád6k2åÝؽ±V›çðUíÏ$9ÿù½öï4M[\¿ÝñL“y;êšýõ|óÒoŸù_ÄÝ&vaă«º[h»ÍþÎ~Z„7oæëlþDÈb2X鸟býâÚ&û³™>ɶySXá"Þ'ý åäjÓ}Ñ—ƒ©Ñ}ÿ¹:Ó{¬‹q° â6ºvÓÅs{pÓ»ðÚG ŠõOíýª»óŠÀïoÅ ékÏ7wø}8˜1¾œÜ¯£v²{ZgOíå“·¿[Ç_ýÂOt…þ,ßð{¼Z:îÿýëÿÇ?<@’ –…?~د¥Nz;
-Õ‰Š£CÉËø,úÿ
+1425 0 obj <<
+/Length 3360
+/Filter /FlateDecode
+>>
+stream
+xÚ¥ZÝsã¶÷_á‡ÎDž±àÐ7çìK.m¯­íëL›æi‹s”¨”ß_ß]ì")øΙŽ/ÀÅb±¿]JœÇð'ÎuÅÊ$ç¹I¢4éùz{Ÿ?ÂÜg‚×,Ý¢åxÕ÷gß¿Wù¹‰L&³óû‡/ÅZ‹óûò—Å»Ÿ®þqs{±”i¼H¢‹ešÅ‹«ë]!WßÝ\ÓÔõÇ;¼¿¹ºÈ“Åý§Û “¦
+ÞÓü&,»»ywñëýÏg7÷^Âñ)D¬P¼ßÎ~ù5>/á0?ŸÅ‘2:=†âH#Ï·gIª¢4QÊQš³»³z†£YûjH+©ÒQªeP‹”!µ¤&Ê”TV-»b[],U¢ÿÓÏóýûDŒÞR"RKØ
+—¯7uSFÕïÅvßT-Ÿn¢¢Lg‚—Oq ìs¹(šÇ¶«‡ÍwËínŠ6®{"]ß]]E&ôâöîêo×)óIOæî~ºr›TÃ:ï¹+iõ°áC~®^˜R<¢ôçK!àRE¢pÁ%K'x,¤J`7)Å¢ÞáSÜ)뢯p'0Ç‹{Ü
+6H( NÐxž*y¢O0»€&³ ÄÐÞcXJˆã9ˆzz}K¥cç±v Œ1Ljp÷M{Àƒ#uÅ+ë]FZ•î?T!®«/íŽG¤~ýŽ°ne½{<¾ÈRE*NÕ7œ>2z{}O»zÜáT“ 3ïüéÃÇwýt}à½Lâ82y¬§~Ðàä[ð´>òÜý­? s@´K ¯Æ¼/Äêï ÒØS»@gÿA]î| ¢ÅJ&_w2‘åfjо„™æ9@… {c¤u ‘4*èìÙ¨L©D˜ØÔÕî%p¥R¨’Î(ÑÄÀmO…P¢ScNî4†ÜÙvœwöí®¬!.Z#Š)WáàC9¦×þ°Baù}oÌ1s,XU7
+žšd‚=¦ØŒcÒ
+üÍ YEqú2À.”V.6"ÒŒrí’ Æ®
+_éÌttQÔM)ö®)ÐÕÉ­Ã:Z/¹ãè_üíPõ
+·d«KþJÿüSVÕÖÉf<«ßk›æp­cÝînIÈP¥L̬zqàÉvÚ†¨]“bõj'ÁrÇœ¡øF”›/ü(Ø«pè(dà3÷­p‚?·k¸Ïݽ ŽFºF¹¾ 'o`ÆÛBLXS=I/íö̶%&ûòT4¸}ÿŽi,ÄTÞ€bº½*’{ö} *
+ߎÛ*= !ÊûuW¯œu¸/¹Ûvºh(j6´”×Mó—íú°µ½xÊéIe ½éé?íšú3CÚ>|Ä`@¤ÖŒªE- M”mŸœÂ;ðïà ƒâIkŒh¡!U·EÉl{†ýÜ̃Iö"Äû-ã{°¢ þZ é‰W¹N+Ì–-‘PŒÉ'VrÕ×±£Vð\q®µë1Ëk¾û3ûjK)ãê.Af£ê0Ã/©= –„‚£î7Ô}V¶W$„æ ±xÙ£ŸÐÿã×O¥
+O#Õ\rÿ ³SÑÿÎ)Bendstream
endobj
-1126 0 obj <<
+1424 0 obj <<
/Type /Page
-/Contents 1127 0 R
-/Resources 1125 0 R
+/Contents 1425 0 R
+/Resources 1423 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1116 0 R
+/Parent 1392 0 R
>> endobj
-1128 0 obj <<
-/D [1126 0 R /XYZ 85.0394 794.5015 null]
+1426 0 obj <<
+/D [1424 0 R /XYZ 85.0394 794.5015 null]
>> endobj
210 0 obj <<
-/D [1126 0 R /XYZ 85.0394 769.5949 null]
+/D [1424 0 R /XYZ 85.0394 626.7436 null]
>> endobj
-1129 0 obj <<
-/D [1126 0 R /XYZ 85.0394 749.2922 null]
+1427 0 obj <<
+/D [1424 0 R /XYZ 85.0394 595.698 null]
>> endobj
214 0 obj <<
-/D [1126 0 R /XYZ 85.0394 552.4547 null]
+/D [1424 0 R /XYZ 85.0394 395.3576 null]
>> endobj
-1130 0 obj <<
-/D [1126 0 R /XYZ 85.0394 524.6758 null]
+1428 0 obj <<
+/D [1424 0 R /XYZ 85.0394 366.9621 null]
>> endobj
-1125 0 obj <<
-/Font << /F37 802 0 R /F21 714 0 R /F22 737 0 R /F41 939 0 R /F48 953 0 R >>
+1423 0 obj <<
+/Font << /F37 1026 0 R /F22 961 0 R /F41 1218 0 R /F21 938 0 R /F48 1238 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1133 0 obj <<
-/Length 2422
+1431 0 obj <<
+/Length 1600
/Filter /FlateDecode
>>
stream
-xÚµ]sâ8ò=¿‚Ú's³}ø³¦î!2 $!H2ÉÎ>8Ø€cÛ­ýïÛRKà0NÝ]Í\Q…ÚêV©ÕÝmøц혎Ïü†ë[¦M¨Ý˜,Hc¸“ªhZš¨U¥ú2>hånÃ7}‡9ñ´ÂË3‰çÑÆ8üðLßlbt7N³ÅlbŒ®ƒË«&w1Ntû8~éö;ùÍ¥áÆÑéá`||…³–buعiRJÃþѱZÐéøz|Øt-c|}u<jþ9î·–T­¥„ 3žþø“4B0ºw@Lî{vã>ˆI}Ÿ5–ÍMÛâ\Ï$£ƒá–a+—Öz“q‡Õ¸Ï¢÷QÏ"¼†kû¦Ã—þçÉ锿ÆwIÔy(Û½‰HþýÛga_£E9¶ìã¦O‰%¶%Ò6}×u€Æt-ŽˆI¥¦oÛ¬QAœE›fË!Ęf9ÙJy´Žò"·,LdbÛ¦E]VÃ_ ®Ì·•¶®or&u’*`˜0Sø—™Ý~ë°Ó¹šý㱉ò˜í"Àq°qøípx™Ž¬×´Ý]^/¿ zü!›½½L^/Ã~ðJ\zN½áó}:Q]ŸšÌc®ͤ蛛üS|>?§ý“%?Ín‡ç×Ý·³¼wsÏßf³ ¿}é§ûÌ™Ɇ¼__owÏåz2_̆GÞÑÛYöxѾ¥Nì\œ´£@ùôäšqpŽö˜ ý›Ë®óe6(^>Ý݇oÉÝEÐíL­ +ÜdgÝù[x¿²‡»aþ¸Ö)a!É‘\¦ÅÅæîìôô.ºZ£äÁëcwøm>Ï.{'ÏŸÖE´>!N“·ÛOôuv×›ûùQwš.èÉ·öÙÅìõ|pÂÖßÆöUzþíS‡ùõyîiïî´7?¼ïØ綳~ ŠûÞiÔ9ºÞÜÞåëÁ}TÜwºWëy§S'ßf£³õÃ<ŠÆ½ë…s<zÛ”ý>õ}gxõä=¶ã®?lþv7ÿþ¬9ãaÀS”-Ë8K tÈ_’ÂrM‘½Õ¦iÖ¦EMZQ<$êl¢âs Št$q¡{ä­Z¹¨u]ª²)
-Éô¿ÉU@ëû¶UŸ«@Q˜Z„}Ì ×à¥@½â=«]E°¸mr×õ·)±mjœæ0ÀR§aAIp=וÆö…­’Ò7mr H~Ä´9Í%Å%8Šâà0ãxß3À“¸°í–m™Ž D7ž!ÓË÷9U`iëÎr¢Ý]°F'‹£4ãV•³4Êa•<-La`Šå€lê£M¡þ¸¾‘MÅèå\M<51"ñ·)•ÄE…ˆSM8591^ƒÅ2‰äŠÓºÉlC$FnÙF7Åùe
-V5~.®DÛ¾(e»‚úsQ_ UèE WCõÇæÅ¢°÷Ì“¦ßÎ#áaæ‰îbt|„põh‹oé?1;„ø¤€½É›ÔƒüåI“J—Ãä$K¿Âf+‰ŒB±[œ©Ý‚Õ8]d T]œy‰“¤Š{Œ&¥–´Ñ@ñE%LQì¢.›ñ,E™(¬”ø-Š{àË<žÌœq‚P™á¨¼)6h¯X„Š„\ËUžª®º8Û6n¾Šöì°{þžÚÀ$‰£´Ü¥a%Å,~KÈâR?Ï2Á¥g#7˜ÑÚ)¼èg€¾@R /D_$8‰
-ˆVùç$Y…q:S㢀‰dFôºŒ+ûäZLœJùJx;hÕ6ÊñRšålãI´aÐþ0̤і%O©œZ¥Æ¢ï
-»ÿ¡¤rHT¤üʒʘe2ÈD¿¾¤V9\R™O E;´š}¹Ž]níjQPÊX\M¢XÎËÂ1%b¦°ršËå*¸a\¥˜ÿÖ¤¶5\
- J„æA•«¥rgÝi†XÅ8µ@—–si“cUÈ/G§}¡¹@IŠ—¸œ#VZ)¦“ž «-z§ª x_BIŠÓVBe
-’dƒø$š*«´õq5wŒ®0ÛÞæÛÑ} Ì=èž`t8ÂãéF%E¸™¯ã
+xÚ¥WI“ªÈÞׯ0îæUµ!™Œqã-(œ˜TèèÊ ¨t¼ÿÞVQU]ÕM¿žÂ…ižé;'ó;'âþŠÆhr†#1Š
+~|$1{º{ ŹiJÂÓp……_Z’ñ4‚qWêTxqõ
+~x¼«~EqéÜjaÓY#ì~.°ÇüÍï§ý.Þˆa0†`éw,ðoØ·Îq’'—ÄK_2è6 Åt ôåëÛxî·r=¹°S‡Â& ÊÕ¦q²Â¿0gIÚih›¾ìY7³K‡ä0qôרu)ju]¸WzÂ,[õŠK\T“¶
+Ðæ27>ö1
+°KEÞ§ÞêâT<Í)—?î¨/z¼Ò;)-³é!ðÚ®.3.„œ 0â39{Œmà~(*ͱÏ•¬­ÍÚLèMV¨S_æÌíiˤ ¡‰§´Úh†§¶½2üCØ—A&KÕL‚LCn#¤iLnLÍ߇8I™Úu«Dùͦöánv9õE§éH+}?œ%<üÎ^…Ì•ãÖ­5½×í”Öb\;º‰g½ÏœcÌáT³­£¾=AÆ`x á+*6ôÚÜNæ§Û¶%÷ÎÉáNïDµ¿-!µ ÁI6ÓÙ¼ÝÈèÛ÷Á }§þ—°ÿûþî "Œ{é /»—òz¾ü îQĽN ½bW”Ý¢¸¾/ÊÈË“Ö»$EþŸó‡ÖÍ+ƒîG[äÝéAĽt2Ôò3_©Ï|…4€~“@X{Ù1 ±m‘aýD¥ÞˆÊß$ž÷êålkÀšP|}E®CwL’¸–„>£»”¸w;šýzD”æÇÖ¾\×ãlK®"‡Kv‘t=1•‹·}÷Bví@’çëf¨ºíõL¤öñr‹öò-¶M@Q¬â÷Y‘ªfûþÂÚÎØãm“î )Ù B|^e{eA’d4í»D‡ñÂÖìž ŒRínŽ‚Cå\HË$×Ô#XôÅŠÈæÖ.¸u”ÎÌÞß­Šl­JJK)!%O³ÏÊÒívìSö¹¾°i”7–­œÁ©7Á¡bÍ¥…SÂç:ãWîId%u’ã`º-£ ®Í$9ÀýäZõÅz&OªÐ×$T®‡«ƒr3ã·Æ°N<˜Oìe•õYáE³6Øñ×A»¨rS°âTÙ¡:qÒPô/xч,,àx⿼û¸ ÃÈ8°þiÊ°
+Ësø+A°Î Ea$¸Ó¿1Ñ
+­VìgøÐ =“ñÐÛÉ6êS>'Þ"0‰f1¡ÇÑò|:nЦÎÌëƒ1Qå9#ƒ¦Ð&q¸}G/÷MŸgœŽ‰T`¼E~ž5Ž¦(NhTËzߧ<Ñ7YpŠª|Vç°’ º]AÝ[ G¹R˜ìò È/܉êéR†ÕÆêó,âF>Ý Ed!{Ê(ª£¨1ïŠÔ´ws«jo.Ï®ª„¢`7k§¬–nxvû`ˆ£ŠE‘‚¦VùqZªÑR|èíƒÍe>‡æœ£uãÀîñdÂ&þ;Å B€ûWF[q|->Õ0 ë³ùùnGaîùéášðü½ñ›jå¥Ið:Ï~£>êÛ¡î{º£;›ê{hýâ_?ëý'sG‡X~¼Ø!üôb‡ ‹‘ìÝɨ×&Aþùûûÿ÷ÐÏ~endstream
endobj
-1132 0 obj <<
+1430 0 obj <<
+/Type /Page
+/Contents 1431 0 R
+/Resources 1429 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1433 0 R
+>> endobj
+1432 0 obj <<
+/D [1430 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+1429 0 obj <<
+/Font << /F37 1026 0 R /F41 1218 0 R /F22 961 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1436 0 obj <<
+/Length 2638
+/Filter /FlateDecode
+>>
+stream
+xÚµYÝsÛ6÷_¡éuS!
+Q¤q:™¯Y¹y®&óå¯ÑÅwç?Î/ßNg±‘Q"¦3“ÊèüÅÏS¥Tt~}qù‚¦^\ßÐàååù4K¢ùOo/o¦:Í ¬*x0Ý\^|Í+Þ]ŸÿpuA?~ys}yÃç×,óü§ùTåÑ›H¢ç½¹zu}uýjúÛüû³Ëù`fè
+%5ÚøûÙ¯¿ÉÉ<òý™ºÈÍä~H¡Š"žÜŸ%F “hí)õÙÍÙßÁ¬[:æÚ4Zõ_m«bQ&ßVÂ9¥"Mdü´,Z'AýŠcQ‡“O‹X“ÆÃÉÇñD)QãÑRd
+N<3àÒÑ_£‡g!Lš(dTRƒæŽãÍt–ªhÿÇÑåéy€ÌD¡j°O®ÝΓß'JȤ(4ñcgêÁŽðìê>ž¼hÁ I`“—; ;“Ò8
+Ôa X«8ÀÓ:@:¬`Ó“sHŠL¤:Õ“Ÿ+°)Òb2;\Ïý1R•É²©ŸÆ¨4‹E"eælÿûÚ¢‹ãœ Ðe_µ<ç_Û”·µ;WøQ6n
+—lVnç¢Þ-«æŽ7¬º~¸É8²lªàü€ÝoS5nÞ¼]ÎÆ®VÏŽw»%iTâÇDìžÞÿ0\¶Îè$q×Ô‘îËÞÏ’ï`ð↾oßv–Ù\€ y0Zà®MOñÀY§?°”_{„ °Âîˆ2
+E/ÖU½<$£ ÐçN+L!ÊcS™lºû˜š
+@2ƒÕËj×#ŒÌ)°Ùgb£ËqŽ¶Á½!š$Pо—Fþˆ&@MÔn‰ Ï }{…í8Ž
+‘&´G%’¼‹p»ɇX?pŸOš‚¦·˜UÑPæÌ×¾ÑÙZç:ë¡oON|¸S|u¸=zÀ$ÀRõdƒfôϬþŸR"sú!GÇj¢¡“4[$æB«‚`’ˆŽWÊÓ7˜}SÞW ~ƒÁ–â´O8ßõ-”°žç²Ö‡2ƇD8Ú¸€ §žì¼£D…×@ëF@ IDR U̼i¡p¿Å†gºX—ÍÓJ"-½Þøã#åX˜=¹NêQYJô9ÇÎRœ¼-˜t¹Ÿ¬2°44cÜ•\áî:¦X¨\wãkjN '0¦h^ºÆ (ص*¬%a{B„’¹?L¡ø8/ÚZ£~¨Í¹~ÂêüN‚šiãçgD–pO}N'©ZSQ{;´ZŸ6 @qÛÁŠS:ù.üÃrYñLÿØÒà±Üwß` QàÍSU a°Ûø^Ws›„×vpꑽᑖ€óÙ²é@áç˜CÁùþpÚík8N¾ÌsÔ ¿t:@)? 
+w³­èiÁ¸·7W/
+Ç_®g¿³ÏŸÄ‹g'V‘Âÿz>âYfÍŽÝv岺æîÚí×7¯‰Âé4ñS:ú…¦ŒÒ¯¡í¹|G?Ýû2Ð=@ݤ ÷
+çLè<Çÿ² e
+@/²A+t\lNu7SXœ)ÿobd”endstream
+endobj
+1435 0 obj <<
/Type /Page
-/Contents 1133 0 R
-/Resources 1131 0 R
+/Contents 1436 0 R
+/Resources 1434 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1116 0 R
+/Parent 1433 0 R
>> endobj
-1134 0 obj <<
-/D [1132 0 R /XYZ 56.6929 794.5015 null]
+1437 0 obj <<
+/D [1435 0 R /XYZ 85.0394 794.5015 null]
>> endobj
218 0 obj <<
-/D [1132 0 R /XYZ 56.6929 125.7897 null]
+/D [1435 0 R /XYZ 85.0394 386.1448 null]
>> endobj
-1138 0 obj <<
-/D [1132 0 R /XYZ 56.6929 92.6461 null]
+1441 0 obj <<
+/D [1435 0 R /XYZ 85.0394 353.5014 null]
>> endobj
-1131 0 obj <<
-/Font << /F37 802 0 R /F41 939 0 R /F22 737 0 R /F62 1062 0 R /F65 1137 0 R /F21 714 0 R >>
-/XObject << /Im2 1051 0 R >>
+222 0 obj <<
+/D [1435 0 R /XYZ 85.0394 310.2645 null]
+>> endobj
+1442 0 obj <<
+/D [1435 0 R /XYZ 85.0394 279.5106 null]
+>> endobj
+1434 0 obj <<
+/Font << /F37 1026 0 R /F22 961 0 R /F62 1361 0 R /F65 1440 0 R /F21 938 0 R /F41 1218 0 R >>
+/XObject << /Im2 1350 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1141 0 obj <<
-/Length 1866
+1445 0 obj <<
+/Length 2874
/Filter /FlateDecode
>>
stream
-xÚ¥XËvÛ6Ýë+´è‚:ÇBñàôÎIìÄ9­ãÊrºH² EÈbC‘*IYM¿¾3¦(ÚYÔ^`
-M¡Ð^‘l Qµ©@Xí&M–çDæe’õoY8Þ¯œËÜ8ÞUY4IV€%4'÷êÖ›ž,å¶0K µW
-|]LELïM•µ7wOE¿9Ñ‹T8Ûì¢ @5\·¶×ÁŒn@æ!ß‘u0¿p%~’ž­
-‹•Ô½  Ó͋ö:ÚÐV¯TBÕ™ÛøÀ¶Ë²š)§a´O³&+‹$§¯RúEö𤈠ŒÚ& íC¤´šNÄÆfàdÜ+t¥ ¤öÁ´ Û…,©v qA‚
-€Q:¾´Ü‚“(s|Àî* mˆ¤w06³"Õ­U@”yÚKg•Ý/ëSm…/˜AÜÓ6+šeeÌ‚`«¯-VQyŸì¥ö~ ø´&õ,\Àª‹ P1m¸˜X‡öÕGÏ?dERý ¾<y0¹ ‡u‹ˆ8‹"-Óô+x*Éëƒxß‹òPIX:©MÝTƒ8‚X(Àg„
-û†V{À0vzÄJUslè&à1Æݽ*·»Ü4† )BSàí¬Ëà0âñÎ :£ýÐû=)¬é%»]žA(‹a…r±sq(Û´OKšeCľ€(ÕƒãÖé@<&ÉáD>ç>ÜÛŽ¹Ûì4ÚRùš3çòVúÑoÄ,ânöU¶Ž»Ñ¢a¹ã4[Óø(ŒiòÈ»v¬»¤j²Õ>OÚDWX ­¼#ü¶Kä¤b±‘"Ä&ÚjLûè2$¸­XÔ"üCÍ!ÜuîÚº÷5¤Cü,h„T©ž2sp³µÝéð–Âc8 †Ÿio¿ÿZ?ŸuŠÒ”êÚXàÄ³Æ *i¦!§¡ÔLÈÀÇÖ†6«Ç)‹^/ÔñÏûN{¡S¹è;xÎ ±Ý#Á$C}|@L­ ³ë‹?éÈ:®Ÿhq* µ`ûÄ´KÛ5X
-)…p«w‚sÐ÷Ã33fð‹OC?G .ô|=G=æ¶Y³ |SÂ×ZשœŸ¯áï\Ä€'¡f¾ƒ•ñ}í%õ
-(ÖðIàGÎ;¯S°(PíLJ_e0o¿ £œÿköÀR…IvÊaZÆ_û‡òÓp…ð}Äß°¿·Ë†€“—ØÌÇ~[‚êÆ„FúÞáÁÿþÝéù'9?bJkùBÅC¦eµJÙh©¡æÝT§ªÿørfendstream
+xÚí]sÛFîÝ¿B/7‘¦Íý —¼»vFu×Mâ8¶œ8iû@‰k‹Š”MÊŽýëXìR¤DÇ™ë=ÜÃMfB‹Å ¾2øð ‚Ð cT,½ÀgÁ`¾Üó×°v´Ç,ÍØÛT¿L÷ö_ 5ˆ½8äá`zÕây~±Á4ý}(½ØøòäüüðàÇјðòédòöø€^>¿;9<· ““—¸˜ŽX4|÷v2Rr8u´çÇG'Ç'G#ª`xðëätzxF+Òž3yùaÄN‡–MÀ«Câvqvx>úsúÛÞá´Q³m
+æ Ôñfï÷?ýA
+ùmÏ÷Dƒ{xñ=Ç|°Ü“ð)„Ãä{ç{U³µ×´Ì÷¸ym90æÅAÀ;Æ b/\4Æå£1ó}Ðñ¡H–Ù|Káõ*MjMðR׋2Eµ9o}8
+?ÌXtç×úõT>LŽ®~¹zé÷Q’‹àñQX¦Çl¹>yÿË×ã›·Woêãû›§éu½¨Ö"LÞO.£ŸþËZ¨'µH÷U™^쇲äoŽªìjö¦~¿¬ßEé«—õtòùòü’ÿp)ôþÅI~ÿz#>ù´û²>ð×É}¾ó%yýáë¥æyÔ?¤oà ½x8¸ùòÓ7¾Y¥‹>—w=ÅfÏÇE–£ùÂ:
+¢ûL!„F!P#Ñ"ÁÈR>
+p‡ÓHX\ó…ö´$¥5|#Žh‰ÓjΫÞÂëz¿Ø¥ïØo¯˜ê¿)·øBÍKDißU¥xS•â¦2Æ1Ü*z.’ÕJ#+Ô"±4=„Y¢²tIÓXÀ˪¬ªl–÷æýÄ6÷:ϽÆã[—7 ÇB5×6a¯m¯Ö¹é)±gY×åäµ·(ÛÓÍ¿ÿæñ¡.’™1h$:œaÉòÃmçhÛAl…+ C/`"¶ˆ¬ÆiQUzÞ#ÜReÄ]3[®¬ñ‘yI¢Ð·„UPÆ¿—#²¢§$3é{±Š¤ål’†7/‹«>!bOÁ5Ù’z=:F2îhD±)!ç‚G¨îç}R[Á½˜…²Óºc÷qo;ÖÆgèówº^£¦Ußå˜q1'WŽáÛ{ªPÍ…⹇ó¢0p‚-!"êÄ™µÃË›–©Ð£„Çü˜¹øŒ(>GA
+åÖRÍMÿ §Vš >Çî)›£`á‹~ ÍlÚ­ËÛ"¢<ID¡ næ jóßpA÷Åü!D3#±§,ÉŠL†žqÔ­vð%L‘rò
+̈nwƒS©o%æs‰Æ Y1Ïשq åœOEÃdFà®ÖÅ3~’gu3kÓ@CV…uKÜ–‡\SœS Íbú¯uUo„v{QÙà"Ñ‚np¹K†ÛíjEH,Fø¬æ ®11K§Í™ s$À`3Ï…&
+7³RÀõ c#¼?Õ‹rí8$Ðõ›F_ÙŠŒ@o%âØCDM3dÓµjW¢®«B³4™¸¿
+}Rñ&í—uáR]ÚütÓL@‹k]ÙkëÞï¹8Ù¾ ]Tö£DOÜÀ¸¾ÿ¢
+QÒÒ ®ñš@¸ k_¯ioÚ&Œlj7?WÞ^úŒ+ÃÙ‘ÀµÈÞ¹¨Üø,d[×¾>dBÞîáÇ›‰á¶ç¨÷>Æ¡¼9$NãU™gó‡~WäAì©ÖÅJ0*jæI=llm)°In G i4%#ÚUÑ6˜H3Ó¦‰(uqØÌ¢Ç,@T°=蜶ýsÀU’}÷5ZÚkô)ÍjÆ4¦1c^,þiõ—fK7gë$K7H–­áC m.纪ˆœ~uö'
+Š5Iž4s¤F6±Ûœ &̃ô–Ð#ÕWÉ:¯i›c ‡wI¾¶ 5 !1v½¾ÅGJ*
+&CÁâ®ÀJ6™>hæþ$6 Š²x¤¬TÞ k6£;ã~Úl9¯Íïø-êò)iz†¬÷‹l¾°¹„Ûü(Ô.h™àÅœßر¯}Ä_õ{:¿ñÖ¿üÇ›îîè"ŠxËùË“0±B¡î<Ü‘Üý•Á®èÿì#Á
endobj
-1140 0 obj <<
+1444 0 obj <<
/Type /Page
-/Contents 1141 0 R
-/Resources 1139 0 R
+/Contents 1445 0 R
+/Resources 1443 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1116 0 R
-/Annots [ 1143 0 R ]
+/Parent 1433 0 R
+/Annots [ 1452 0 R 1453 0 R ]
>> endobj
-1143 0 obj <<
+1452 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [377.8384 625.595 436.8266 636.3794]
+/Rect [411.5778 224.7212 489.9929 236.7808]
/Subtype /Link
-/A << /S /GoTo /D (ipv6addresses) >>
->> endobj
-1142 0 obj <<
-/D [1140 0 R /XYZ 85.0394 794.5015 null]
+/A << /S /GoTo /D (man.dnssec-keygen) >>
>> endobj
-222 0 obj <<
-/D [1140 0 R /XYZ 85.0394 611.4059 null]
+1453 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [55.6967 212.766 134.1116 224.8256]
+/Subtype /Link
+/A << /S /GoTo /D (man.dnssec-settime) >>
>> endobj
-1144 0 obj <<
-/D [1140 0 R /XYZ 85.0394 582.8262 null]
+1446 0 obj <<
+/D [1444 0 R /XYZ 56.6929 794.5015 null]
>> endobj
226 0 obj <<
-/D [1140 0 R /XYZ 85.0394 455.7125 null]
+/D [1444 0 R /XYZ 56.6929 769.5949 null]
>> endobj
-1145 0 obj <<
-/D [1140 0 R /XYZ 85.0394 427.1328 null]
+1447 0 obj <<
+/D [1444 0 R /XYZ 56.6929 749.3199 null]
>> endobj
-1139 0 obj <<
-/Font << /F37 802 0 R /F22 737 0 R /F39 899 0 R /F21 714 0 R /F41 939 0 R >>
+230 0 obj <<
+/D [1444 0 R /XYZ 56.6929 358.1001 null]
+>> endobj
+1448 0 obj <<
+/D [1444 0 R /XYZ 56.6929 327.7578 null]
+>> endobj
+234 0 obj <<
+/D [1444 0 R /XYZ 56.6929 131.9404 null]
+>> endobj
+1454 0 obj <<
+/D [1444 0 R /XYZ 56.6929 104.2481 null]
+>> endobj
+1443 0 obj <<
+/Font << /F37 1026 0 R /F21 938 0 R /F22 961 0 R /F41 1218 0 R /F11 1451 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1149 0 obj <<
-/Length 69
+1459 0 obj <<
+/Length 2589
/Filter /FlateDecode
>>
stream
-xÚ3T0
+xÚ¥Y_“Û6ßOá·“ob•")‰º77qÒ4Ínn×éM®íƒÖ–ךȒkÉû§Ÿþ
++¯amÛ¢W[Öër&¶nVÞÍú«©¹WźÅÝÍ¢(ÌâXÚõv SÉ,¸-°5A[ÞÕÅšhe·%ª•ˆ¤¯ÅQ`Á«mYß™ÇÍ™<Jg|±´ùóªêÕåÝ‘¦µN±±’†Œ5L£ w’Ûms¬Ö~-#+¥‰»æ¾X‡8þÃ[Dƒci&FQ4äÕ]s
+±Öp¼''Þ±‹Z e¨ôÆØmÀ4¾ù¶­£g­îÈŒŒkl­‰Ÿ¦„èõüãXX!*\—bÁçÇ÷e;c㲨*ƒT
+ ×ì‹CÞ• «Ca T,Z§y[° Ï7¦í¶ìÚïÎœâQD”=®>-¯
+Æì éiHz_ìn‰î™ɺŽID± @Š?Íп¾niÔnRüFÙóa7*YœÒI¨“È°¹ß·(
+6­Ùœ© í$#Gqb6TФÊÜñ
+ã}°£!68PL×…ÜJ›±Õû’ä#ö `?rSÛþ®,µ?AŠ¯ÔØYU%Æø * –ï¶âžµZ(dåæ‰ä9iUAçwÓEÀà®Îâ9ÖœßU6¸Tõ¢1*F
+*e6¸ `r± [ñðpÂß(Á}ÖbÀÔ³OÞa¤’Á6o©S7uè}¢¸/›ckmT
+’e_ HÞmèQR—6 0…ʲ´;…UR%#œ’XW3$× lŽä–ët9#ÿ<–«¯Î¨¼Ëò€wÚ*¿füÔ<ì2®Û¹'u8ë9[g¾ö3‚ªòc€Ì?§eÛyªŸÙœ o!@8Ñ9Ç¿ò,õsKµž©Ø·ƒ×ïÙézY¯¸&AQ¶á……â=“õìÏßÁ›PtíΞØzæ6î-Þƒ¡ÞôÍóGüïÓ1²<¾Zð% žÝyc/Žå¡¿žœ¢ ÝçU¹.;ž×é²YóÄÆÑR?>ÑÀºØäǪÃÝȇáÍðÚÍÛ• ¾ËÔÔ*Á‚ò§–¥P1‰Ê‡m‰ÿ/Xœß½ø|›oŠá`
endobj
-1148 0 obj <<
+1458 0 obj <<
/Type /Page
-/Contents 1149 0 R
-/Resources 1147 0 R
+/Contents 1459 0 R
+/Resources 1457 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1116 0 R
+/Parent 1433 0 R
>> endobj
-1150 0 obj <<
-/D [1148 0 R /XYZ 56.6929 794.5015 null]
+1460 0 obj <<
+/D [1458 0 R /XYZ 85.0394 794.5015 null]
>> endobj
-1147 0 obj <<
+238 0 obj <<
+/D [1458 0 R /XYZ 85.0394 464.1469 null]
+>> endobj
+1461 0 obj <<
+/D [1458 0 R /XYZ 85.0394 435.7636 null]
+>> endobj
+242 0 obj <<
+/D [1458 0 R /XYZ 85.0394 385.2856 null]
+>> endobj
+1462 0 obj <<
+/D [1458 0 R /XYZ 85.0394 356.7468 null]
+>> endobj
+246 0 obj <<
+/D [1458 0 R /XYZ 85.0394 181.1837 null]
+>> endobj
+1463 0 obj <<
+/D [1458 0 R /XYZ 85.0394 152.645 null]
+>> endobj
+1457 0 obj <<
+/Font << /F37 1026 0 R /F22 961 0 R /F41 1218 0 R /F21 938 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1466 0 obj <<
+/Length 2407
+/Filter /FlateDecode
+>>
+stream
+xÚ­YKsãF¾ûWèHWzûÁçQ±5Éd˯-o*•ä@‹”ĉԈÔ8ί_ æC¢=®JJ5Ñh
+}¯Ùä8¼2&
+«A¬h‡K{ù²²ÿ¼’ôÂÊì¥LwÅ’¨Ç}–69š Œ÷Ë&/j|§& 5D[nÒ‚ù6iMƒ§œ–Þ:/s«wŠÛ´„€²ìh3Štœí
+lO¼ú¤¸à¸‚ ¦ríˆîl{™ªÃC„@¾z;&𜴧T7yÊÑò» dÅ`/šÓ𠧘€Q&ù) ?¿ô5§ú»üPT™Mž(“äuùëdnÏ9
+!¡¼ÐÀ‚ž/*|检Ñó¦Xn˜é¸ßW‡¦¦§6sã…1æ)_FF^NÕŒöl­M–Òóîï!rê¾Þ‘RŒª<í‡^Y¡cýȵWþ@¤Í[@²=þ/§ˆã¶!rµ¢ÿºÚåÄѦ$\´Ä0TòP‰€¼ý4N¤m±Ê›b—³2>jkKÊ°šwFÕͦõØ}äòI½'TmÖx ÛÊñ`/ÍÜÅα§°²Í¼)¯ISÆgU.ówצßÓ³œ’mø|·øü¸ ¯“>ˆprŽVã ß—®8¬J 
+w‰jlÊ°òÉADµ÷¡H»7/g6I²‰x0k ɾ'ç¢ÌŠoEvL·DïIØz$â82o½ÁKMiÖ A7_Ñ"Uv=B’Ø75Qññÿ©ã¢ë ùì-e's
+h!j‰Q¸°Ý†Æ²ó]Ï@Êè¯-ªk뱃+\‡F:¸RhdS žs‡†1äã²|ÛpËù©$ízçœ>YØQãÚÂ¥«t\_¶ªŽ®D¡~¤ÿmÅÄpEE¾ž„€žàGš;¬'4¸ï}iÙ§=~ú(2ˆ¾S©¸‡|Ù™
+ MЩ5¾INQßš³/3-ÓÛ6œÉj»À±oKøAhDŸl£çowê>ÉùЅƱ·\G±ðcÂF¡á:>³Ü} :7ýÿ:¬*íendstream
+endobj
+1465 0 obj <<
+/Type /Page
+/Contents 1466 0 R
+/Resources 1464 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1433 0 R
+/Annots [ 1476 0 R ]
+>> endobj
+1476 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [379.778 61.5153 440.978 73.5749]
+/Subtype /Link
+/A << /S /GoTo /D (managed-keys) >>
+>> endobj
+1467 0 obj <<
+/D [1465 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+250 0 obj <<
+/D [1465 0 R /XYZ 56.6929 769.5949 null]
+>> endobj
+1468 0 obj <<
+/D [1465 0 R /XYZ 56.6929 752.3958 null]
+>> endobj
+254 0 obj <<
+/D [1465 0 R /XYZ 56.6929 692.682 null]
+>> endobj
+1469 0 obj <<
+/D [1465 0 R /XYZ 56.6929 665.3376 null]
+>> endobj
+258 0 obj <<
+/D [1465 0 R /XYZ 56.6929 608.5887 null]
+>> endobj
+1470 0 obj <<
+/D [1465 0 R /XYZ 56.6929 581.2442 null]
+>> endobj
+262 0 obj <<
+/D [1465 0 R /XYZ 56.6929 536.4505 null]
+>> endobj
+1471 0 obj <<
+/D [1465 0 R /XYZ 56.6929 509.106 null]
+>> endobj
+266 0 obj <<
+/D [1465 0 R /XYZ 56.6929 404.482 null]
+>> endobj
+1472 0 obj <<
+/D [1465 0 R /XYZ 56.6929 377.1376 null]
+>> endobj
+270 0 obj <<
+/D [1465 0 R /XYZ 56.6929 320.3887 null]
+>> endobj
+1473 0 obj <<
+/D [1465 0 R /XYZ 56.6929 296.0091 null]
+>> endobj
+274 0 obj <<
+/D [1465 0 R /XYZ 56.6929 211.2169 null]
+>> endobj
+1474 0 obj <<
+/D [1465 0 R /XYZ 56.6929 175.5135 null]
+>> endobj
+278 0 obj <<
+/D [1465 0 R /XYZ 56.6929 119.4006 null]
+>> endobj
+1475 0 obj <<
+/D [1465 0 R /XYZ 56.6929 92.0561 null]
+>> endobj
+1464 0 obj <<
+/Font << /F37 1026 0 R /F21 938 0 R /F22 961 0 R /F48 1238 0 R /F41 1218 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1480 0 obj <<
+/Length 3064
+/Filter /FlateDecode
+>>
+stream
+xÚ¥koÛÈñ»…€ÕD,—ä’Ëë'_ì\rn×òÝáp¹4I[D(R©(ê¯ï¼–™F-x‡³»³3³ó\E-<ø§F»^„‹8 ]í)½È¶Þâ æ~¸P²fe­Æ«¾¿¿øë» ^$nùÑâþqD˸ž1jqŸÿæ¼}y{}·\ùÚsBw¹Ò‘ç\^ý¼TJ9—ß^_ñÔÕÇ5ï®/—qèÜÿtw ˜8Ñ>lSJvÞÞ¼•uRŠÏžöÞÞ-ƒØùõö~©ŒóéæàdvýÓíí'š½_þ~ÿãÅõ}/×Xvå(Ô¿.~ûÝ[ä ‚/<7HŒ^áÃsU’ø‹íE¨W‡A`1ÕÅúâŸ=ÁÑ,mÓ¥Œ«Ï(ÓW 3ÑÚŸhS'nøiuýåJyhñÐmš}Ù¥]ùµi‹ý×b‚9t7Þbå×6ѹ_&¾Ó,WA;mÑ1pØñ˜Ö2Né#êßM-Ðc³gàîÝ[@ÅP·_çÐv–\¶±‹·iYwE ¨â `’Èy*êbŸvBµ;
+Sx©ý&
+Ÿ¸z
+(sáÀecàI ö„&rÓ*†Jü‚BÁ‘;/ÂPFQTù3XÊ:É[¸²”©t·+Ò=Î ¥Ý„I‰á3¯.¸¶ MzJ9±†|шJ)Àr”Э´­l) mÎKeK”NŒ“xqÖöÅ!•:tÞ7ÇB0ýLß/6ÂSÆ ];;.³‚ùÒp0Þý©mm8<xŒ‚öF½ñ&•ð#ÑðYIùp:ë”Ïú$¥…ÝZŠ‰Sksb²Cɼ áÍ©ëBŽá¾
+ W»¯=O¿Æ7o&º« vC†“¢ŽíöÚö¡ÚwéSÃÜ¡ ²?v¨$” ¨Öc{÷¨\7Š_×|c«DmRò$€>\½ð‘uÔˆº4Ʀ;ˆÔ¨V#m!"9¿©½:·clënl–
+S™åš0¶TÌÏ%ôhÚЭfÛ‰-J!•™ïú¾2óo…·¶­ºü¶$U!, G y×ëoÔš,pM–ö —ʺ—²:JYËRã÷F¤·/»Žì@)éŸÕÐ6·éVÖå¥48]³—cYˆ™¬·iªÜ†câä(M÷6®¹?‘ûõqÀåkßIgãæ§*'Š!äÊbßB&kù‹
+¿ÿðñŠ¡„‡œjÊÝFœ,Ô¶j m,À¬1;Êóïõ7~öÊÊV6È<”räAb+€l¡î¯o¶‘ź_ÔΧVßDαèoË oò9Rü6=Ë_ËæÐò #*öœ
+AÕ‘/=4TE‘1ýoXJ~Ázé×¼ýi×AÏ3üŠ×v»fÿrƒ%ÿ°%C_(€o銿oØe|‡y‚dC˜ÀYc=—Ú·¡"\ÀG^`ûV“)ÂgÊîJ;ˆ(Û–u^ì
+øC—·à°
+¹¹»²½ÎFX:N:!ÈG«'[;懪¯7@ä÷ë´ƒûv|!³A~ÒÍHÏR€~-³b¾œ”¨¹(áeSÓ—º9Öòô!9÷Øì¿0ƾÊ}ˆB6¿ÃWÅPr·>Ô¼jýö’1V_„:g“)ö,i3ÀÑ¥2MÑ¢gÏ$¨5Iʲ‚ò™ÊÜÄùf"ÜJׇó|k0w¹TÎõ-Ã`L;K .:u•vòXÁþð/=é“Ð`ÝÒže&DE°þªx(©]ìßËúðm¶ð¸†®Ï®û—¥ÆX’7Çvò 1Á¾çîK¿ŠCÅ?eÏü†íõ?Sÿß¿˜ÿµ ŒÝÀø1|ìä¹êË
+î'çœ÷?­?gý?û”ƒendstream
+endobj
+1479 0 obj <<
+/Type /Page
+/Contents 1480 0 R
+/Resources 1478 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1433 0 R
+>> endobj
+1481 0 obj <<
+/D [1479 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+282 0 obj <<
+/D [1479 0 R /XYZ 85.0394 769.5949 null]
+>> endobj
+1482 0 obj <<
+/D [1479 0 R /XYZ 85.0394 750.8067 null]
+>> endobj
+286 0 obj <<
+/D [1479 0 R /XYZ 85.0394 180.7476 null]
+>> endobj
+1483 0 obj <<
+/D [1479 0 R /XYZ 85.0394 140.0669 null]
+>> endobj
+1478 0 obj <<
+/Font << /F37 1026 0 R /F21 938 0 R /F22 961 0 R /F41 1218 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1486 0 obj <<
+/Length 2645
+/Filter /FlateDecode
+>>
+stream
+xÚ¥]oÛ8ò=¿ÂÀPˆQßêÝKšf¯ÙÞµ¹&=à°ÝZ¢m]eÉ•ä¸î¯¿ÎP¢¥[\ ‡Ã™á|‘3þÄ,ŠÝ8ó³Y’…nä‰h–oϼÙæþ~&˜faˆ6Õ«û³‹_ƒd–¹Yìdzû•Å+u½4³ûâw't…pçÀÂsnß^ÝÍ~ä9¿AÀ'/ò®>̃ÄùÏíý\¤Îû·7€ãÙ»··ïõìýöŽ|çêÍåíýõš™ïåëÏ…Î廫ë×4õúïôëõå< û®ïæÜÿvv}?èeë.¼
+§EüWŠ¾u®&½ó^»oš9;Ùç0‘ŒnƒBÁ¨èh€‘†_8|?ƒ„éû!» )"³QõIàBÒæ¦d6æ+éÓm$‰YÛª\¶²=ò–K<g ‚ 8Ï…30§ z9e€
+ܸŸ­Ð«§žÏ~
+¨²îU»’¹"¼>8@“ßB'$Ä°xÅÅD}âœè´[Yq¬å¶Ì¥5œ¨Y N8¹dÜ€”Ì¡§Î¾îË­uJ–*÷&ÉLÔ,ÛÖ„É›­N‘Psœi)¨¡½ë(™U·S¹Ž£œ™5Ï153Keä©9§V•*žsC²,¬
+kóÔ>*À®öuÎ.Ø][n¡Ò Lj7t§òýÈ*¡  al¡‡ l¡ }€ëMu·ºÅŒ„SIÝaFâO·ÝZ'¬
+” tcó3Á]IÊ&IÉ$ 9RëSsŠ
+ƒ~i·§ &¶n l ë®|`†c¾Ã¶ÏËtižðµËë[òØ·ê¸3½˜éž$gõUnw»¶n%Lþ'2;€¨S+¹™ǦaJ­Ž0IíÛ™b=o
+&Órà·Î«}aˆuê†oo¸ñe–f„ ­”ìt”¦ÑÓ5x§5ZŸDß ñƒ}ŸúÚÓ (µgŠµÄ úÈiª—x?GƒÄЧ¶ì¥0 ³ÅFUG‰¥8Lynæ¦r#;Âõ\qc‚‰¡‚RÍOÆÚ÷Wgc´N¬êÔN¶äÞ02Ú±„änÀQÉÇ•|ôé(u†1Ü=ñ¦ê™ ¯7xIÇ膾+蟛Ã<óõ RîÉu `Ý-<²¦ô)µžlÑÉ­¢;|±x7ßbøâë ×]‹ñÄ1i³>[áƒ4rÃðdz„ïBM §³`×L¸AB à4/Zç/ÍŠSVcgág¡ëÅ¡°‹¼õæû°\ij ñ]_øtUyg=mE¸…çF’kŠ÷óE,ð0öëdžž^¬?rý´…­g_f`Å0Ë"²`­ëh¸¸Ùú³× h4³”2Œ6g­Tlw.$ˆÕYf®—†Öý2„zebáÁ™pð0÷#‡œ¶#Œd²Þ¬ÅË A 'S”VB/vZÊ%Ì¢e@»ªá[ϺÙjxXZ£ â¨3‡sz
+ÙpI:çg¤ž°äˆH¸ä=LËz¤¡nZp·&ÔXµNöìé—oð¯’;Š]%ÍkÀøfSsQF¸?m6†×à¼yþ)gñø½ç‡žžÌöz“=ï—½4’[›«U÷’’+¸ßÉïI+£Ký_ ¢°6­ñi¡Mßï^^\Zµºë*·i×]³osuÁ¨ñw{ÙºëoÓ¿NØ»\í[i^\»Àê%´ˆß‘2°er¾}]ðJs¹ÛÑ¥çôøL×øÌ+ûtD>yv3÷ã†æ}\ìÅ”:„û$‚PŸ<\Ì“@œ:í߈fYÖEvÿ/vŸóNˆG§´œ~²¥€Ž"¦nïÞP¼ú·³1Õ„‰¤©?i }uØ°P¨cà=‘ÜüÈöTôÿZ’SLendstream
+endobj
+1485 0 obj <<
+/Type /Page
+/Contents 1486 0 R
+/Resources 1484 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1489 0 R
+>> endobj
+1487 0 obj <<
+/D [1485 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+290 0 obj <<
+/D [1485 0 R /XYZ 56.6929 769.5949 null]
+>> endobj
+1488 0 obj <<
+/D [1485 0 R /XYZ 56.6929 749.1444 null]
+>> endobj
+1484 0 obj <<
+/Font << /F37 1026 0 R /F21 938 0 R /F22 961 0 R /F14 964 0 R /F62 1361 0 R /F41 1218 0 R >>
+/XObject << /Im2 1350 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1492 0 obj <<
+/Length 2124
+/Filter /FlateDecode
+>>
+stream
+xÚ½koã6ò{~…;`e bøÒë€~H“ì^ºm6Ýx[Ýâ Ër,D–¼–œ¬ÿýÍpHYr”6w‹;‡œáp8oJL8üÄ$W‰žD‰fÁ$[ŸðÉ=àÞKã;"¿Oõýìäì­Š& KBNf˯˜ñ8“ÙâwïâŸç·³«S_ÜÓlê!÷Î/™
+!¼ó›‹«KB]ÞÜðöê|ioöéã¬DI a›vçíû K÷7!øÌ~ñqª"ï·ÛÙTÄÞ‡÷×°f±wŸno?ìlúÇ쇓«Yw¯þÝWx©/'¿ÿÁ' PÁ'œ©$&O0áL$‰œ¬Ot X •r+åÉÝÉÏÃÖlÓeGãë˜I<^s¬,I=~,ÃD, Ã?¹íãÀË‚nÇÕÁÔa³P„¥¥œ€’ hꄳH€…#¥Ç%°ô ê×&,µ@:ÁY $Èm(>LýP€üPzWÇÖ
+eÏw…Œ4è…Ã-5ˆŒ£kÝÔm>õµV^»J[„4@vi“¶ÙŠÀÏœË2'ü:*îí QÕ-s»)«×°¯˜O%÷ÜŽ§¢]¹S,Ùg)µá
+2]…Ýg4tòÏÓ¹QP4ààF€…­Ú×»­Å›
+¦¡à¶ÊqªܽOvùØåma–l†ÁŒ2MdŸ¹åÒšXÎéê!-Þõ¡ ¨š£Õm·PÛi±vU`™6mÞé7µZL+›ë¡M<*†_³JÝ3gîzD’Öï ꃤoF+Ûuuü6êz«AQJû/¡awyìfò5‡XwÇóŸ.C«÷’üÿÕ²†D„~äû Yö§uKŒÖ-W¬Býªz%GêÕ˜þ—… Ô[ç4ÑFuïeÌ\Vc¨/P–ÍÝÆœ6ñŒ–îîSѱ»¹:xcÛjZ&S@ÇÊ&‡»+U/•Í’$,Š8Â)a*ˆô°va
+cKÎ^ú¼¬†ß{G>óî“ê7z>|ÇÒpÑ8–ã…JñÅ2‰œP(¸zöá.P1 bˆþo½Òendstream
+endobj
+1491 0 obj <<
+/Type /Page
+/Contents 1492 0 R
+/Resources 1490 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1489 0 R
+>> endobj
+1493 0 obj <<
+/D [1491 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+294 0 obj <<
+/D [1491 0 R /XYZ 85.0394 603.0093 null]
+>> endobj
+1494 0 obj <<
+/D [1491 0 R /XYZ 85.0394 576.4312 null]
+>> endobj
+298 0 obj <<
+/D [1491 0 R /XYZ 85.0394 268.713 null]
+>> endobj
+1495 0 obj <<
+/D [1491 0 R /XYZ 85.0394 242.1348 null]
+>> endobj
+1490 0 obj <<
+/Font << /F37 1026 0 R /F22 961 0 R /F62 1361 0 R /F21 938 0 R /F41 1218 0 R >>
+/XObject << /Im2 1350 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1498 0 obj <<
+/Length 2224
+/Filter /FlateDecode
+>>
+stream
+xÚ½Xmoã¸þî_aÜp2Ñ"©×®@Ö›ííí6Ém¼-Š½ÅA¶éX,©’'ýõ7Ã!eÙ‘Ó
+Ã9C‡Ã™g†äc~|„,LD2ŽŸÆËíÈßïÏ#nƸvÛõv>š¾—Ñ8aI(Âñ|Ý“3/Žùx¾úêøŒs6žsûqv7qEà9ßsNß¼À›}žÈÈùûí|Âcçæã îÝ—ÛÛÍO`í@8³Ÿ/oçWŸ‰í¹—ïþ:áœ;—׳«wÄzwmVzu9‰|gþåóÕÝäÛü—ÑÕ¼ÛWïÜ“¸©Ž¾~óÆ+0Á/#É$Æ{èxŒ'‰oG~ YàKi)ùènôk'°ÇÕSmÉ=&d(Œ)ø1ƒ„…Rȃ19“—{žç¼Ýeù*+îi«7•*îî>Qg]ÖƆåºýùî/¸wXAôVðÆ0€ù" µl;Е‰ïd ~'¥O¼}Zã)g‹:­Ÿ‰]iNù˜­ÔŠØ Ãi7Š¨ÊÝÕŒ˜)ÿPË– 'lÚ¶z3î÷ûI"VÂœUÑ4jÉJ=ü^»ìuK$A ´îûM¶Ü€Ïïë‚{ðhÀ@ïÓ~‡¬hU½N—Š†´%‘ÍÐǬnwiN<°É…™´­rµU0ue¥˜éz—@
+ö4±³, tÐû]šøÕ)]ö ¼ßO!nA:ÂT#!çð˜ ü$Éc G±}Ól]H+Ì:‘nBY¬3X[Ñ<×­jµÎž~š–U;­– çÓ]SÁš±MÔkKh¾–ŽNøÚ`ˆ°²ni¸q–ßñ4Ž2»c¨ükš©å¦$Qßyo†¬ßÿOôù¡¿äkjž˜gºÈ
++ÔÃÊmË„¤x–Ñäe{B
+%'¤8ÖD£,FÔÙí— ¢‚·w ‚¢“I9ª¼Biðá,H…ˆ uà&ya#-žÛ !°Im 7Ù}TÌd Gä¤Õ-”¡V"töŠFƒg”vÊô@üe¸¸Ù‰a(ÓG»0Á:¶¶Fp>ˆl v½Aöb+£¦É]%,nÎxdÓÙqÔæY±{rŸâð÷Ð7.Uµ›Z¥Fòo\úZ^ÄY$ù±PùÎ]¨+Št«N
+tü…5å‰Ä“Íaë­öSgÎs“: ΂ÎI ¸v};^®¡î;S8 ¢érÄ⪾Û?îÌ“>$-Ð"ÚÉâ*/ Ì -Ê$ùÕ«Ò%g1÷¾pÊ
+ÇËe|É|&½e¨4phÉ1åõK„
+V‘Pµ‚MúhHè§-5{yzÖ&RÄgmLÄp$=Òªj¦ÆEI†*î³Â,D‡6°."–ð˜ gè8‡¯91 YHÞ¤FaºX¢‚Tà©ÙU:;5É„Çã“KCŠð$¡º+·UFÅŽ ¨¨×Ôšà`Ù‚WâýR_7}SiÁˆr×VR`Våp¾"º.¤$B¡¸&Bkg®K¬# ˜€A©kNDÅ•Â[OÇ*6fjpÀ™Áz;mÕj¨ð# /:¼tÑyÐ¥CŒ‰-mLlØãÓIÇ–ÂæcäT‚ðµ7´Ó`\þ¦þ¿jJ©úér Æ‚´VÖÿ•Ê×ê©E°ˆãXÄgÃ9€™"
+ã§Yu±mâB·Ý¡`ç2dìÇÑw1<Rßb¼eäFtÚB¢­Zêè²2özõ»¡oLÃ<ÍÄöi.~ Ü@=½w>¬ #Ódi
+‘ôLǸ1Þ¬_±`÷°ø +ÉS«v÷ÖË«[j|TÏp}xÍ̽_à“Ÿȇg%¼"÷ž‡j|í½°SÈéª9½~/”½³#4˜š,+N–z±yíìÜ;²„íH9ôêëu^ü?¿1ã!?É8Ã"Š™ƒ£šXŠšÛÇè—ªÿ::,±endstream
+endobj
+1497 0 obj <<
+/Type /Page
+/Contents 1498 0 R
+/Resources 1496 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1489 0 R
+>> endobj
+1499 0 obj <<
+/D [1497 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+302 0 obj <<
+/D [1497 0 R /XYZ 56.6929 769.5949 null]
+>> endobj
+1500 0 obj <<
+/D [1497 0 R /XYZ 56.6929 749.8188 null]
+>> endobj
+306 0 obj <<
+/D [1497 0 R /XYZ 56.6929 169.0885 null]
+>> endobj
+1501 0 obj <<
+/D [1497 0 R /XYZ 56.6929 140.0535 null]
+>> endobj
+310 0 obj <<
+/D [1497 0 R /XYZ 56.6929 106.2012 null]
+>> endobj
+1502 0 obj <<
+/D [1497 0 R /XYZ 56.6929 80.934 null]
+>> endobj
+1496 0 obj <<
+/Font << /F37 1026 0 R /F21 938 0 R /F22 961 0 R /F41 1218 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1505 0 obj <<
+/Length 1981
+/Filter /FlateDecode
+>>
+stream
+xÚÕXKsã6¾ûW¨’¨ª!„_HÕ8“µ½¶œÊV&Š‚,Æ|hEÊýûm Š¢9“Ì&—Œk
+Pènôãëل›$!¡B“X$¤,œdå<ÂÚ÷gÌîñÝ&¿¿ë»ÅÙìRÄIdÄ£ÉbÝã•š$l²XýêÍ8¿]\ÜM}R/ S?Œ¨wþîç)cÌ;¿ž_¼Ã¥w×÷8¹¼8ŸÆ·x¸»
+öÈ+Eô®ÙeÀzag#,¦‘9óÍÔ(õ²Ž„ÌÀ+9ÆÞn%3Pgƒ2
+ óùÛ¯³ èke§¾ªÀëÊo7;•®¤~`•B‡"8•áû/y»ñë­ªš¦x;Û̶OYÃØlßì:ýXÿ,nAtëÿH!M¦á}ÓøJ$"
+­ÁNøÔgT߶ó…q·6õwW׃$˜<;ê"Ý™Z;œaNéõù9Nà^ÔjÄOÅ#’ð0ÆìJîÕŸ>Éwä¶&vêç|¹ ðøÆÁ˜2þÑL=[ZfèEVy5õêò&7>yñßy]à}LwÙæmZ®¢àÏ`ÌH,Øh }aüñ±øsAcq×÷²ï4é›G¥KG)N:3['Ö¥£‚E `døSÅ@™5Œ^#¦´9ý%á, Dƒ³`´qÄr[¤¹†).…—.ë}‹+7`«ûûŸðGU[êK½{‚ÑK…w¨÷H.Ó2ؤϖsŠƒà3ІjõÎ[•µ=M„WæM™¶Ù†Œùঋí8²Rc'5fN*Ìò*«mÉÊ°d±Ùª,×w7ÑŒr˜lS“cšTãx¼6ÐÎ2šk&›z_ØóK5àÓ¤¥™Ø_ßD[ ð ÂGäŒvxÜûcˆWB¹µéXÒò¨^ØÇ,Ë>ddÿt‚Æ$ ‰ìŸøÿ€oÝþpÿ¯O @Bâ„Ê¿ þu†Ö™~Ÿ¯[e­—õMms|7M¼½_×
+êÄkî ˆ’w‹`®/ù„°D 'ŠÄiÓ¢‘F„…’õ$!"èÔ'\²äÝtŠ^×­úø&Ô€“¨JÓ¿ô¥Pgýk mkƒS]ö̆:žC÷7‡¦Uå‘“¶+åCšf`HO†Œl5ë¶UNDm¹©v óþæra“ªÿ
+ 'qÄØ„'X.þ'Þ!œÈ$IÆ_!~ÇÑï³|ýÄr åQ²y°Ý\_¢'AI Qyš{ªzα©Ž
+¦Ç¯ÝßâÔ¾°#¥5Rl$ÃLâ[ƒžn…TûrÐÒŒc“îBLyƒ‡*Ú
+éøH%cõÐ ëÍâB#+4_¦„±ãÔ±‰í÷1`‚íThðô ?4®"%̃èݘš¨7nÒªÄ}™€‰kÎÌÆþ’E˜}íT{%&´+T¥;Ü:øv"/9T$hc°Á3#z§v‚Ox˜œH4Ç€w
+µ¶ÇöÕÊ4€•‚W”C÷üШG¿Ä½bç;äØmÒwglX- ¶ Mâ
+P` ÐCÓõÄã®ýý\é¹ÌwØ'èw¼¾À1K`²ß˜c7Øæe÷F±PóÙGAבTOü˜+ûM K«ÓOE®ÔêÛO}! 0
+†_/igÑ¿ü­ôøQ9ˆ‰H>uº’&\ÆN)mu!^õPî£êkÕÿy”¼Üendstream
+endobj
+1504 0 obj <<
+/Type /Page
+/Contents 1505 0 R
+/Resources 1503 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1489 0 R
+>> endobj
+1506 0 obj <<
+/D [1504 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+314 0 obj <<
+/D [1504 0 R /XYZ 85.0394 638.5372 null]
+>> endobj
+1507 0 obj <<
+/D [1504 0 R /XYZ 85.0394 609.0615 null]
+>> endobj
+318 0 obj <<
+/D [1504 0 R /XYZ 85.0394 430.1605 null]
+>> endobj
+1508 0 obj <<
+/D [1504 0 R /XYZ 85.0394 403.4942 null]
+>> endobj
+322 0 obj <<
+/D [1504 0 R /XYZ 85.0394 256.4314 null]
+>> endobj
+1509 0 obj <<
+/D [1504 0 R /XYZ 85.0394 229.5399 null]
+>> endobj
+326 0 obj <<
+/D [1504 0 R /XYZ 85.0394 110.5453 null]
+>> endobj
+1510 0 obj <<
+/D [1504 0 R /XYZ 85.0394 81.3565 null]
+>> endobj
+1503 0 obj <<
+/Font << /F37 1026 0 R /F22 961 0 R /F41 1218 0 R /F21 938 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1513 0 obj <<
+/Length 2308
+/Filter /FlateDecode
+>>
+stream
+xÚ­YmoãFþî_aà
+T.ÖŠfôà>d7ÙÛ4½ÔM¼=,v…lc5²äzdg³‡ûïG9²l+m}W8j†ä9²è{ð'úaäF©Lûq¸¡'ÂþtÙóú0÷ž`™¡¶¥^{goý¸Ÿºi$£þxÞZ+q½$ýñ죸B¸XÂsF7oîCzÎß„ â“zoî~ì|"q~¼¹ÏÞ¿~4³ãìJçÍ»‹Ñøꎦ^÷âò繸}suIS—·¼ÓÛ«‹A8ã÷wW÷ƒÏãï{WãÆ®¶íÂóѨßz?{ý¸àûžçúiöŸ`à¹"MeÙ Bß ß·œ¢wßû©Y°5k^íô¥ð\éG²Ã™èrf»Q“3¿ #ÏsÔ—Uµ®‰þáò—®_ß]Ü}øet1~÷÷³jUŸ­§Zˆ³^Ÿùäü›Hý]qöVÊÖ†^(a©Ùê_ U‚ #áT+µÎê¼| aÆì‹«7ê$Ð˯8yM¹Æ§t²BWÄ)ÕTi­ŸiX3[¯Ô4Ÿ[æBQTSض²ZÌ÷¦¥óIÊ`™My©¤ÙOž' Åz<-òé-EÛ
+Ó0”Æ6]Wk 6
+ú¾tòr^­—¼2²Iµ©‘ôi?ä±™†q"6šg'Ïô¤ÇMŒ#keöª¶ù̾g²F'`Ðb ‡‘s=?ØŽM£™ÅÊ6JÓ!îEM
+Ea¿½>d-/Ç—Áa—7¦j¶±5ÀÇÆmRm ÞÅaƒj!51ð˜ås”+zÅ\mÈ‹6Ì{‘ÖB…¹ÅØo¸ùW»>e8ðªe^×Í^ˆ^1HÄ0Nb+Ê#¸”„clš!¬+€k÷§†õ°Áë™þKú%á¡š°ù•ú¥CÇŸ¾_-øž„µ4@%4ç[U4ƒö›Fb™qëEA¢æ¶­¯«½öžó%kZº-âBUfìЪÎrÔ±UÍU³ÓÛ¿Åü/%ªñû‰5‡¾`¤í#?Ì$a
+vÙ¬©Eðͽº$>=mÒ£‘çLèÓ ,
+ú¨"æF¥«%K€ñ-&
+}ãGšÛ4ŽUÿ/¬TÜendstream
+endobj
+1512 0 obj <<
+/Type /Page
+/Contents 1513 0 R
+/Resources 1511 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1489 0 R
+>> endobj
+1514 0 obj <<
+/D [1512 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+1511 0 obj <<
+/Font << /F37 1026 0 R /F41 1218 0 R /F22 961 0 R /F21 938 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1518 0 obj <<
+/Length 2186
+/Filter /FlateDecode
+>>
+stream
+xÚ¥koÛFò»~; TRûà3èàØJã¦gë,µ‡kµ²‰P¤"’rÕ_ß™%EILS 0àÎÎÎkçµâƒ?nE¾ËdìYaì¹>㾕nFÌz„½FÜÐ8-‘Ó§z½MÞÈЊÝ8µX÷xE.‹"n-Vïíë·W³ÅôaìŸÙž;vü€ÙW7¿Œ9çöÕÝõô†¶nîæ¼™^CÏ^üü0LûŽqnNÎÞ]ºpNÀæ³ë‡± íÿÏcÙ÷ïngvç?Ïf÷zw1þ¸øq4]tvõmçL¢QŸGï?2k.øqÄ\G¾õ Ìåq,¬ÍÈó¥ë{R¶˜|4ý·cØÛÕG‡|éËÈõ#8ÓãCÎôB7Cræ?ÇNÀ˜½*ªJ¥N•=”…"¤3§Uýžl¶¹r U£Á Õïž/4‹iQ«QÎnï^’”_Ô.[²â‘Èê'#á(«©.w×ež—Ï>ÉË]V?mªWCjÜͧ×òa~5{W;@ðk' Íìئ%W«AůZ™¯ˆ¸/Ä ~¿« È_Òú®‡2º§u¶Wf›Ñ²Sûò“Z"«:)VÎò0d@ï\4A­jòFp«#[ã!¢%€€ÀC:Òý±ÃpŸoUÚ^†²v5ªxÌ
+—ÅÙ&xhZÑGŽt$Vô‚ ¤ŠÀ•Q,µÔž•h÷[UÌç?á‡ì¤àFš,mV¨ÛƘ¥7²¢3ï(‡Csað£œ"Ùt^è«#1<ÏPiå‘e’ç$¬\¢~2Ò_ßÞÝ ˆ‹¥+X$ “%ß ô8æTKX—e^ó$ÀxO¨°?á9SâÆûba `æI4~? 8tC/
+\ãàK†"vý°#û÷×ø bpÝP4wút÷]në¬, ‚ÊHÚ·kBjj(&ú¬¢Ïe“å5ÏL´Iá( ÚÙ~J+]‚;"â@š¹]Ñ9Ú!ª•Z'M^W:[
+\ðÓ¤©Käj“H
+oUånZ¬Û÷]Ñ·Ev>a%Ër¯NJ\ÌeíØ~(Ú±f©0¡Ô˜4Õn2'}Ù—„Ó“„‡LÛætMïä>Ô ÈÓ¼ãRí¼LÓv%§ª/[ýå¹Å@ÑY,™ñ<
+ ^qœcÍ~UžÌ¾]6þÒ#Y.»BQŸ#su:×uó4h¹qõ=_ø]‡ã³Œ…Þßúa‡Cµ‰}o¸Ú€"éF,¾Ì‹Î1àeÀöÄYá:þ˜Æܱ¨_¶zÓQ »<‚ ÞªœIúyà½Ðô¨Ø%8v™À4‰+ˆca?èÿÓܾí`aÿpî*âqÐ5Ü8dÚSÖgðAÌ=Ojš>¬m?úD#&·iÝ”`¡Õ3²åëôk#ƒ“µîí†~‡TØfmC—Âä
+]
+Í+wF!èèšÇÖ ’Ïí8>ICr¥®æi‘ä6˜Öm÷¢éÇ¡@Ûµz‘þm¹ƒYêÇAl9Ç_X¿9³% l üZˬ¶ã|óoÃǼ‡V"£H +’ÐhâÐ’¾ ¼¨ÕIÿܵݯÈ-YOù?Ø­ùwendstream
+endobj
+1517 0 obj <<
+/Type /Page
+/Contents 1518 0 R
+/Resources 1516 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1489 0 R
+>> endobj
+1515 0 obj <<
+/Type /XObject
+/Subtype /Form
+/FormType 1
+/PTEX.FileName (/usr/local/share/db2latex/xsl/figures/warning.pdf)
+/PTEX.PageNumber 1
+/Matrix [1.00000000 0.00000000 0.00000000 1.00000000 0.00000000 0.00000000]
+/BBox [0.00000000 0.00000000 31.00000000 31.00000000]
+/Resources <<
/ProcSet [ /PDF ]
+>>
+/Length 557
+/Filter [/FlateDecode]
+>>
+stream
+xÚm”In1 EOPw¨u€$ÅIg0²Êľÿ6¤¤êV5 oʯÅésÀóή¯ƒÖ×O²Î Ž¢‘ÿ¨#h8Çùø:„5?ùÆ [ÄIÚL’~”F Ø PÈùYÌÀ¹dˆÐzZ8å±Ýƒ²ÙËò‘–Œ€f¾Å(ÌÀE#@x˜oL Û¹[ƒ±ñðù
+6\>RgÈbÏWÖ¹j[†›
+WŒÏ¢®{6;»²þFÃÇñ÷ø]š¨)Õ/Ô¬Mu;pk;Ì©Ëdh<åE–ñ¬AÏw³ð¬±±Nê¦ó¡Ä½t•‹ùD„™Â²]°Ä(‡;„ ·åŽ°Š­r²ÂÙÄLûˆ T¥Í¡誋ŠŽt’¹w_ =Î]ˆ‹=¦uSä÷—ä"ï±yl±‡µÃ-ËkHsŠöreOÚ³êvg›<7ºt,‡Ýe—;ãÒèЭ/I…B÷&ê(ýê³ö󻉨YÙ¹Ç,çkRÔšÚ'^ m" ^˜h±ÎW9AVªy­Â©/fýÆ"•œãûFy-Sng \Çdª¼˜©Æ¥†Í}B©•µŒÎ$âw1.¶&Øíþ²C¶O–ÃVç X×9g¹E{îÇ< •ãóP)!ÍZÜÅŸLÞª~ÑÔ'¯UâXLµüc“ÅXsЖõÚ¯½˜Ó’~òBL–§èªÆ¹O¦ºNZ_[Èü.øšŠû*]3QôçÇñ!Ö-žendstream
+endobj
+1519 0 obj <<
+/D [1517 0 R /XYZ 85.0394 794.5015 null]
>> endobj
-1153 0 obj <<
+330 0 obj <<
+/D [1517 0 R /XYZ 85.0394 646.4943 null]
+>> endobj
+1520 0 obj <<
+/D [1517 0 R /XYZ 85.0394 614.9326 null]
+>> endobj
+334 0 obj <<
+/D [1517 0 R /XYZ 85.0394 450.402 null]
+>> endobj
+1521 0 obj <<
+/D [1517 0 R /XYZ 85.0394 421.6496 null]
+>> endobj
+1516 0 obj <<
+/Font << /F37 1026 0 R /F41 1218 0 R /F21 938 0 R /F22 961 0 R /F11 1451 0 R /F62 1361 0 R >>
+/XObject << /Im3 1515 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1524 0 obj <<
+/Length 2039
+/Filter /FlateDecode
+>>
+stream
+xÚ¥XIwÛ6¾ëWèÐõž…bãæ››8©ûZǵ•öÐä@‹P̆"U.VÓ_ß H‘í*0
+½ ÜÜRûÃÍí[¢âÕZÁ•÷æÇ«»Íõ=j'êêío+˜ö®nß\»ooˆxw}µ
+µ·ùxý°ú¼ùiq½é2<.Çsüµøã3_¦pꟜ©8ò—Gèp&âX.÷ í+æk¥º‘|ñ°øµ8˜µKgÍ'8“*3ö“b)4S&‡ôcêû½Áœ£Ÿ;¶‡CY5ÔÉŠsãÁ¹Aºx‡/×2bA++Ö1ó-Í®ÍóoH^MÒkšHòœˆm[U+y¦hˆ3ôRó‰sY˜ÔÉ(«}M2Ê 9*’½!ª)ä4%µ[”éìÌiÉIH^–_ÛCÍð¨x8!XìûÒîÆYæ˜YÝJòº$ª­‹¹ÞšƒÝLMCãÞ'_û_­©²núødœÑ«UäµE‘_¨_ºñ¤˜î²MÉcî¤ÕßêÆìOʇ,V2²Ê¿++à‘
+­yL¬b) ¸#_`/ê<ã15Îm+áÕ4PÖO@]Á(:è¶$¹`¾µâ»÷†¦•
+Q©9€$Çž4ÆéÐ<"ÈŽ¸ËÎíÌîp1v¡9:ˆ½mžA8­ë,54P÷‘ 5V6´Ù4xL‘l»p‡=z¿d_>·åÎŽ”{è…}ÒÀxŒ¶BïÇòhžM…‚–†&i›§²Êš¤ÉžÍ\¼u®ˆÈQ¦@Õ¦aµë4@æe’õOY8^Ì¥Ü8ÞmY4Iæ údÞ¨79'$+HÈÎÒeç³ÁµW
+l]ME‹OA ²îŒèyÏÉç0À·[spy掀ySÁv;»ôhdžòNý« K§IxŽ$$H ºÜ
+ºehhCSƒT Tïd{­àô
+M¾w°&ƒÅˆÇ3ɇèŒöÕ÷KRX)ÒK‡<W:ÃÅboâ@vaŸ–Ô-ʆˆ¶
+<[lïNl !¦;v³µ_
+3¡“7Âo;D¦A*¦†)Bl¢©€°óh2$¸­XjÔ"üž»ï¦p×›hkÞú•R`PM@¨TÏ™9ºÞÎî“éñ–Üc—8 †Çe öµv¯}¡
+ºpk™–ÐÊçLG‘„j5f:‹Yš¬¾,‰¸T¿=ÿz¸€ªß1ðMå¢à:˺šêŠI&¦úhÂ:À¯¡ø³¼çú-Î¥¡ÌaTë]ØîèdalÈà©œÞ;ÂìW`R*aAûŸéJ¢ÎÇútõQmÔ=^|pŸÏïšÅÚ鳡"Ìï¼Èyþ䥱¬¦6¡æ€•%æ®Mm°/¶ÙxãIíÍJµÕ… 3GµEž}5#!zzתÁ+òêƒÙf˜H¦žƒŠ>Ô¡j̆ñ<Çã÷‘+BÐò]>V¡UðSÖ™¿ì rˆ‡Ä,ŠÂتõ݇û›÷øˆ x¿ŒÜϾNžÊr4”Àª€öÒœžÀØíâÇ€E\¦Ñå¥x!(:|ÄÚG)mS[)rà:+ÖdœÙÃ]^@zòèÁ¡¬¦…„u0Йg¿7pQ¤öñ­¼›“@ ×Ù+ÏÎÔRáÔ`7gߧ÷ÉÂâå«a#຾NE‹]t/¾æiÆ]Bð>ï+•ËËü.E ©DL;X™Øñ@GnQROÐvp¦y€J2í‡r!äBtÎ[z=¼‚·¶&uß;ôÿ4~·oVÅéiEa§=P›¸ÉQúà@æ&
+·'Ò}‰¤àb 2» ¸‹Æõ“.c±Sg%߈Ôï©•x¶6¬¸¶†wŠÌ½õ!Æœ"xåû^CE-b5)½ÙŒÁ|…HtŒÎ2ü¤ ºGû3»·yã,ªm)©¢C%ÈÖCÉØb»2ÏËcï‹cÙæn#‚ÍòÆTçrÍ b&uîøჹÑÇ=æb”³}ÂœáæLż tè¬ó:2> }Õe›‡Ï2耵_ÆQÎÆÿˆ=²Za{’\9 ÁøkH?Ä_¡5°ˆ
+_V8¼†ÆÐŽ³Ø[µíCâ…ø±p¦Bá=rüïo’§ïµ:d
+KªÙRž‚Xê¨N)ûÀÎ4ï>^ž«þ/»œdendstream
+endobj
+1523 0 obj <<
+/Type /Page
+/Contents 1524 0 R
+/Resources 1522 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1530 0 R
+/Annots [ 1527 0 R ]
+>> endobj
+1527 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [349.4919 566.941 408.4801 577.7254]
+/Subtype /Link
+/A << /S /GoTo /D (ipv6addresses) >>
+>> endobj
+1525 0 obj <<
+/D [1523 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+338 0 obj <<
+/D [1523 0 R /XYZ 56.6929 769.5949 null]
+>> endobj
+1526 0 obj <<
+/D [1523 0 R /XYZ 56.6929 745.0977 null]
+>> endobj
+342 0 obj <<
+/D [1523 0 R /XYZ 56.6929 552.7519 null]
+>> endobj
+1528 0 obj <<
+/D [1523 0 R /XYZ 56.6929 524.1722 null]
+>> endobj
+346 0 obj <<
+/D [1523 0 R /XYZ 56.6929 397.0585 null]
+>> endobj
+1529 0 obj <<
+/D [1523 0 R /XYZ 56.6929 368.4788 null]
+>> endobj
+1522 0 obj <<
+/Font << /F37 1026 0 R /F21 938 0 R /F22 961 0 R /F39 1161 0 R /F41 1218 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1534 0 obj <<
/Length 1913
/Filter /FlateDecode
>>
stream
-xÚX_Û8ï§È£h\KòßÇöfoÑÅ]±èÎ>]ïA±•‰P[ÊFöäæÛ)JNœqºE€˜¦(Š"©)³M?¶©‹4M¾©š<-2VlÚá]¶y†±_ß± “"-r!àeet[ˆ:-j^m¶×J>=½ûðOÎ6<KË’›§ý¼VYÕi#òfóÔý'ùÇAGuzØò"KŠ‡ÿ>ýFÓò´ª+†Ó2X¢H«&«ý„§ƒ"áOŸ¿<ÕÐã_úù0žþã«r¶åQ+ËS‘—<h-EZ•™Q¤ìa˲,»è¿¯. ïNòôtóM“6%/ƒj^§eÕ2ø¡É’“ìô¨­‘}ÿ
- 5e"Ç^·™Ž8ù¢ª’R†x½6ßUGôY—Äpã´#êôÀêd6&’y^~<È1LQ¦s×sÚéä4­[&_þ  MꤕÃÍávK›¢à~;£¥ýKzô¶•=‘­lÚ<Ó‹‘Cð£S'´ªÊ“tÖWA@Æ ¾Ï¿¿”[«[Ó*¤ªD›Ñ[g»©ÅÝã¨QglípìÕÿôøJ lid<(bÍî˜Ð½Ä;’ÆV9÷þa 霸©=ÐDéHfoûÞžýý1Ö¤6.ˆšnÍ+_>þûØ/¯£_­v¸Üσá*qz˜úQe'Gzk¿OGµ{âWr¢æ‰ä(Ï꺰C§\
-veÒÖNϬ—ê¼g¸rÞÊ.ÎèŒÈ¢h¡Á¾¨îý<æBh%ÒËÞ:z³á˜èáhÓ»>HÅôÑhÇ L8[Ú,²j¼œ—D>Õ/…T¿—T„ ¬ñØ€0š&îm´Ù­4DÈÞY¢Bž¼è.ÈÜ&ò0§5¤RP¦†³à÷öÆ'çSʯ†í°ÓF^b ®Æû+ìY‰Óò¸ó†_Ž;oDHàJz+ÞI©!úê`Dñ:™Œ¡£ Q’â™ÞR-ÅãT!pº
-M&PÄqíèÙi7jÓŽ4¾§YyŸ"A¦͠ì‚d,"û©ì±‰kkÒ;¥)ÏR^Š:”&JÓ×9*—“²,Jן©IW؃È!6Š‚O
-q¿–D"mX• ‘¹ÈjmËúÿ@CH®2#¶¦È²&RØš8"u£
-:åô³¡&Ä«»Û†ý5é˜âB€û}Ye¡ødÉ °]B楖x¬†Í@”üizT(þ¶Úxe訳vTn3o-òÁa^¨ª1ü8Háã=ô6³¶µ{Ó‘¡š»hW”P·Šj‰v¢æwЮ„Z[Š´»ƒhM 5ƒ© º¡s?‡+ì
-ïp,'èñ+)jä‘jåQúk ©ï¯‘ÙYºÝÕ¡Eâ¦Á§âÛð´â·I-§Ñ;ÀÍÍ$b®»Ö¬Ý‰ÜQµ㩺›{JýÐà4;,ÿ‰f`¨º ‡W$‚7€Úù«1[Ë/¥nÆÏX «Eš Q S£»»·ž;šWïP{“øÄDN)ój=u”ö¬ÊùßC;»òÕ]Û Ñ_;Œ`ÝÄF
-q…7ÉGb†N0bèKNôJ… $ȳÈBÏ"g¥O Øêåýµ G’^—=Ys{}ñJE½Ó6l`‘“TÈ‹«Ã}%­JüŠÆ‹ŸêIÙmS:_Óß Р*çóýÃì(š´ªŠúºWy÷ËÓü-1~!EŠß×¾6F‘íE†>5.NF¸áb¼¸]mþpùv¹ÿ`)iendstream
+xÚXQÛ8~ï¯È£h\K²-û±½Ù[tqW,º³O×{Ple"Ô¶²‘=¹ù÷GŠ’gœn ¦)Š¢Hê#e¶ÉàÇ6U‘f¢Î7²ÎÓ"cŦéße›gûõ 2y!Ò"^VF·…¨Ò¢âr³½Vòéé݇r¶áYZ–¼Ø<íçµJY¥µÈëÍSûŸäuõéaË‹,)þûôMËSYI†Ó2X¢HeU~ÂÓA“ð§Ï_‰ªéñ/ó|Ïÿ‰ñU;Û½€ò¨•å©ÈK´–"•eFf){ز,Ë.úï« Ã»“:½Ý|S§uÉË šWi)kA?ÔYrR­T×½ÂBu™¨ã±3B¦#ÎA½h¤d²Óz ^g†ïº%úlÆ+b¸qÚuz`U2›GÉ</?Ô¦è¡u×sšéä ­[&_þ  Múd´ÃÍávKë¢à~;£¥ý+zt¶Q‘jfx¦—AõÁNŸÐ*™'é¬OB@Æ ¾Ï¿¿”[«Û¡ÑHÉÄ £·Î¶Sƒ»ÇÑAŸi°±ý±Óÿ3ã+ €°¥‘ñ ‰5»cB÷ïHíÜû‡-¤sâ¦æ@•#™½í:{ö{@öÇ`XsPfpAth×¼òøåã¿ýò*úÕúg‹‹qÁý<–‰3ýÔjÐvr4¡³öût¤Q»'x%'jžHŽò¬¶ ;tÚ¥`WÆ!míô| ñÞºq©Î{‰+ç­ì⌎À˜ü@-ÔÛݾŸÇ\­¢Qz9Ð[Ko6Ó­sfש˜>íèõΖY5^ÎKH"ŸêƒBªßK*ÂV{lÀM÷6ÚŒìF D¨ÎY¢Bž¼˜6ÈÜ&ò0§ ¤RP¦†³àwöÆ'çSʯ†m¿3ƒº(Ä@]wWس§åqç5¿w^‹2ÀUôþV¼UÒ諃Å«d:Ê )‰@ žyà ÕR<NÓØ^? ˆnšÄ‚¼qË 1¿!çÓ39Kþ|ü}»SNû=ÔѼÑ6¶ƒ LDCêäçùµ«üüån‘s­§ÐdE7Žž­q£š‘Æ÷4«§1ïS$ÈÔ t « ‹È~êB{lEâÚšôNiʳ”—¢
+¥‰‡ÒôuŽÊå¤,‹Ò#ÅõgjÄö rˆ&‚à€qéR¹q)p
+q¿–D"­Y• ‘¹ÈjmËêÿ@CH®FlM‘e‡Hakâˆ4A~ŒJ
+í,7 >ßš§’ß&µšF;Ønn 1ûpݵÃÚÈuc0žº½¹§T?
+¯“Ä `ÄЖœè•
+Hg‘…žEÎJŸ°ÕËûkŽ½.{²úöúâ-Tšz§mØÀ"'©3V‡+úJZ•ø?Õ“²Û¦t¾¦¿  ,çóýÃì(êTÊ¢ºîUÞýò4KŒ_E‘â÷Ƶ¯Qd{‘¡O‹“‘ä
endobj
-1152 0 obj <<
+1533 0 obj <<
/Type /Page
-/Contents 1153 0 R
-/Resources 1151 0 R
+/Contents 1534 0 R
+/Resources 1532 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1158 0 R
+/Parent 1530 0 R
>> endobj
-1154 0 obj <<
-/D [1152 0 R /XYZ 85.0394 794.5015 null]
+1535 0 obj <<
+/D [1533 0 R /XYZ 85.0394 794.5015 null]
>> endobj
-230 0 obj <<
-/D [1152 0 R /XYZ 85.0394 769.5949 null]
+350 0 obj <<
+/D [1533 0 R /XYZ 85.0394 769.5949 null]
>> endobj
-1155 0 obj <<
-/D [1152 0 R /XYZ 85.0394 576.7004 null]
+1536 0 obj <<
+/D [1533 0 R /XYZ 85.0394 576.7004 null]
>> endobj
-234 0 obj <<
-/D [1152 0 R /XYZ 85.0394 576.7004 null]
+354 0 obj <<
+/D [1533 0 R /XYZ 85.0394 576.7004 null]
>> endobj
-1156 0 obj <<
-/D [1152 0 R /XYZ 85.0394 544.8207 null]
+1537 0 obj <<
+/D [1533 0 R /XYZ 85.0394 544.8207 null]
>> endobj
-238 0 obj <<
-/D [1152 0 R /XYZ 85.0394 403.9445 null]
+358 0 obj <<
+/D [1533 0 R /XYZ 85.0394 403.9445 null]
>> endobj
-1157 0 obj <<
-/D [1152 0 R /XYZ 85.0394 368.2811 null]
+1538 0 obj <<
+/D [1533 0 R /XYZ 85.0394 368.2811 null]
>> endobj
-1151 0 obj <<
-/Font << /F21 714 0 R /F22 737 0 R /F41 939 0 R >>
+1532 0 obj <<
+/Font << /F21 938 0 R /F22 961 0 R /F41 1218 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1161 0 obj <<
+1541 0 obj <<
/Length 69
/Filter /FlateDecode
>>
stream
xÚ3T0
endobj
-1160 0 obj <<
+1540 0 obj <<
/Type /Page
-/Contents 1161 0 R
-/Resources 1159 0 R
+/Contents 1541 0 R
+/Resources 1539 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1158 0 R
+/Parent 1530 0 R
>> endobj
-1162 0 obj <<
-/D [1160 0 R /XYZ 56.6929 794.5015 null]
+1542 0 obj <<
+/D [1540 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-1159 0 obj <<
+1539 0 obj <<
/ProcSet [ /PDF ]
>> endobj
-1165 0 obj <<
-/Length 3113
-/Filter /FlateDecode
->>
-stream
-xÚÍË’ã¶ñ>_¡K*šªŒ7ÍiýØd}p{o¶«Â‘8#ÖJ¤,R;ž|}ºÑ
-Waƒš)m%ÂÌ ™æLZEBµL€ap~ƽ¯Wq/¿£ÍïòI:pH^”ïÛÕª}Žòâäv -©YÕ]O½`ùÐV sø·ëª¨ý’XP»ëÓXu¬,óݤÔ_´ó.>¿Eúï¾û8øoAè…žh!™å^¢óÿíîç_ùd±âû;Δwfò 8
-h\±›f¢š%žfÊÁ¾x燈v œ0“)¥ÌDsͤæEؾr¾:–‘‚9«üð „$™wÎå™ gc”!:à€D´‰œ 8À‚¢|D]QÜxè¡Ê)ºØdlµÌ9íâìr±ØV]w,
-e5¨.·’DBxEÊLØcA€š/OHô³ÚÝ’Æ„ñ
-‘šC^¢@È º[”ÔsŸÄÝÑ-*4Ý}
-{Häí¶–Y@ªùîj
-&1èI Û§ u~M ð§4)Ú1^¤ç§j¾Ïˆ!чTÿX½`Œ(Ä=''$Ô*N± ÕH>ÀŽB×­l2¹/G™fœ °PÛx ±éJ€5 
-2Æ­®¯¶Â+Þ0¸/…Ö=gb”Œ»Á!hgAó1S:Æ/ ‰4¶¿BgK —â—PaÙó~]yÅ8™ßH@¾‹RÞ@"jÕX@ç"X™JÖNgC÷ šY¹Êðl3ÎúóÞp%º¶·âyÀw‘gÃj­óœuíà:<ÓÎeÏe³ø*ëà•cZ€EŸÛbé=D<n]k¦¡¦x½[Ogc”™mæPÞq m
-h4:‰[q=`¼Âµ®•úë3ö¼pÃåÀ Ô^VØiÝÌW»E…ŠiÎ|3‘]8~½ÑXQÎDzLe=HF}Ü7Pƒˆq6F™‰î*ÓÂíNòÈlATq®ðãcµ| …ˆ×EãJQß²R×À…,®2È…Ñ&ð¼h×eÝœD2åYám±‡}u,Kgc”¹h&!e0GTž;â–q<3â™ÔvúÛî^€‡SFøÛõ[:ªÔfú¼¬Ã ?×álù1ŒÄƒI/4]q@óí?Ñ8’ñ†Æ1b§ú½\ÏrGþ›t<ù‹”:cPÒ5رdŒ/¬¯ºží÷ãˆW°>ëlŠMˆó‚ºŽá{°!H€K}E]%L°Z‹¨®=nì9u`o§®c”ÔõÊj^¯ËÕuý{È®Àëâ%…¨V»-ÔM_=¡g ãŸËÕ.$ið…Ç)ûÓs‚‘ÆЗ®Ú”Û²'xØ
-”]—»Íùb¿؟¡©°¡k8<Óï2§r<¬3Ék
-©rŒjæµò‡•ñ
-'öuð8Z¿›· CHU™îá|éAæshQ‰P¼××ãÞÍcoY~®°ç¦åú¡~ÚÕý }À£/­ê-uÊüo<»ÓŽþ­w]D÷På¢à¢î;N-xœZ¼L¤v³¡»ÙÖ%¾4©h<,z¾¥™äut¼×
-Ÿ6ô’fŽ&û@d !{A¹I1ùO!&Ó
-²>Ÿ2˜ÄáÎG9ü)¿²ÁrÔ™½ã7àã~€ª;'è¼UðB4²nÃÑ2–'ÁN;ú3Þ*ü?ÚªŠª•YZêð€rõ\¾ÄE^í…
-¶ÍÍ^f"|-Ô—0zp™=Ÿ?¬†3©­ÒŠI®åÍØ^fSi Ó¿ŒËX9\+ÒGêý:ƒÑZ0)-Ø ºÈÙ"{Kšž‡ã$¾6Ï_Ôr i;B]œ°ž¤ïQ¥åþ_"ÑÔendstream
+1545 0 obj <<
+/Length 3198
+/Filter /FlateDecode
+>>
+stream
+xÚÍË’ã¶ñ>_¡K*šªŒ7ÍiýØd}p{o¶«Â‘8#ÖJ¤,R;ž|}ºÑ
+ŸiÇð€ÏͶz¬Ïpª ¹!åTE€O ³êÀí(NoÇjÂxUßkqä9êE.îF¿šØœY¨÷Úm†]Ì¥ÑÖô¡3Τâ*ÐÌ­ƒŽ‘¯f|À8£<e\€Ú¢™'° )Ä
+=XdJdßPÞÙUÕ‰…š‚I zcèåöiBG{ü)ÍGŠvŒéù©šï3bHô!Õ?V/X#
+q@ÏÉÉ
+»[ƒbä]Ža «”ç±|4šÄ­¸0^áZ×ÆJ}Èõû^¸áràj/+ì´næ«Ý¢Â‡bÚ†=ßLdNŸAo4V”3‘SY’Q@÷Å Ô bœQf¢»‡Ê´pû‰“<r[Uœ+üx[-ÈF!âuQç¸RÔ·¬Á5p!‹k rac´ </ÚuY7'‘LyVx[ìa_ËÆÙe.šIHÌ•çöƒ¸e÷L†x&µþ¶» Æa—»~K[•ÚLŸ—u8`€áç:ìíÂ`Ø7†‘¸1©ãღ#h¾ýá'G2ÞÐØ#ÆCìT¿—ëYnË“¶'‘Rg JBº+–Œñ…õU׳ýzñ
+ÖgM± q^Pב"Ü*ïJ¬}9ÊôÅ9u•½Ma®¨«„¬ÖbP„sÉ dKFè±2dw£CF:ñPïBFã!¤C‘Ÿ·(9˜p@Ê@èë‹òˆq6F™‰xT¨âTD_ZÈœW¡¸8öõëýGz<i=Ô°…¼¦BNƒñø¸ˆ=º†s/ÞÎß0^pw$Vóz]®®;¼¿‡ä‚6žq)^i·¥‘ºé«' Ìaüs¹Ú…ÞðøÉþð…`¤1ô¦«6å¶ì ÞÆÚ×åüÜ/Rü‹ý‘êb:ÅÅ#¡.³©k @;“‚®*kÌÌkå7V°
+*3ëÛk
endobj
-1164 0 obj <<
+1544 0 obj <<
/Type /Page
-/Contents 1165 0 R
-/Resources 1163 0 R
+/Contents 1545 0 R
+/Resources 1543 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1158 0 R
-/Annots [ 1171 0 R ]
+/Parent 1530 0 R
+/Annots [ 1551 0 R ]
>> endobj
-1171 0 obj <<
+1551 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [356.2946 363.7923 412.5133 376.6291]
/Subtype /Link
/A << /S /GoTo /D (address_match_lists) >>
>> endobj
-1166 0 obj <<
-/D [1164 0 R /XYZ 85.0394 794.5015 null]
+1546 0 obj <<
+/D [1544 0 R /XYZ 85.0394 794.5015 null]
>> endobj
-242 0 obj <<
-/D [1164 0 R /XYZ 85.0394 769.5949 null]
+362 0 obj <<
+/D [1544 0 R /XYZ 85.0394 769.5949 null]
>> endobj
-1167 0 obj <<
-/D [1164 0 R /XYZ 85.0394 576.7004 null]
+1547 0 obj <<
+/D [1544 0 R /XYZ 85.0394 576.7004 null]
>> endobj
-246 0 obj <<
-/D [1164 0 R /XYZ 85.0394 479.565 null]
+366 0 obj <<
+/D [1544 0 R /XYZ 85.0394 479.565 null]
>> endobj
-1168 0 obj <<
-/D [1164 0 R /XYZ 85.0394 441.8891 null]
+1548 0 obj <<
+/D [1544 0 R /XYZ 85.0394 441.8891 null]
>> endobj
-1169 0 obj <<
-/D [1164 0 R /XYZ 85.0394 424.9629 null]
+1549 0 obj <<
+/D [1544 0 R /XYZ 85.0394 424.9629 null]
>> endobj
-1170 0 obj <<
-/D [1164 0 R /XYZ 85.0394 413.0077 null]
+1550 0 obj <<
+/D [1544 0 R /XYZ 85.0394 413.0077 null]
>> endobj
-1163 0 obj <<
-/Font << /F21 714 0 R /F22 737 0 R /F41 939 0 R >>
+1543 0 obj <<
+/Font << /F21 938 0 R /F22 961 0 R /F41 1218 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1175 0 obj <<
-/Length 4063
+1555 0 obj <<
+/Length 4062
/Filter /FlateDecode
>>
stream
@@ -4903,3357 +6281,3786 @@ s–Ö*hîžm­™â‰µ
ÚŒ8‹Áµñ.pÃ\bŸ®šîN N!‚š æP³‡yãKΨ ©ÐCËxMU›U×ܯ°ÔùÒ¨0 D¬x/DyHvkͬ”ÚHI0×¥™¿bjïJÚMÿÖÅ º½8‹A¼¤_âÛ5±ŒêmšSØQ-1ØÅÇüͦé¦î²]K×Fm4PÕ]½H©0u?º‡ ŒŒyÏh)ÓánŤ ÷JìøßLŸÁc®ã‡âÃr F×Ѐӟƒs)Ýõçvg»ëR<|×?š_0ÃéÁBm!3Î5¿LñÄ},Øh‚«¶–) '%’¹
ÇÉ} ((º™dàâ^좀Ë*§2¤Ô™üuC{2

-›¬s짼h "”IŒ)%F*<zé“'â¡jÿÿÍ”àxÒ‡BvÉ
+›¬s짼h "”IŒ)%F*<zé“'â¡jÿÿÍ”àxÒ‡BvÉ
endobj
-1174 0 obj <<
+1554 0 obj <<
/Type /Page
-/Contents 1175 0 R
-/Resources 1173 0 R
+/Contents 1555 0 R
+/Resources 1553 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1158 0 R
+/Parent 1530 0 R
>> endobj
-1176 0 obj <<
-/D [1174 0 R /XYZ 56.6929 794.5015 null]
+1556 0 obj <<
+/D [1554 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-250 0 obj <<
-/D [1174 0 R /XYZ 56.6929 165.9801 null]
+370 0 obj <<
+/D [1554 0 R /XYZ 56.6929 165.9801 null]
>> endobj
-1172 0 obj <<
-/D [1174 0 R /XYZ 56.6929 136.242 null]
+1552 0 obj <<
+/D [1554 0 R /XYZ 56.6929 136.242 null]
>> endobj
-254 0 obj <<
-/D [1174 0 R /XYZ 56.6929 136.242 null]
+374 0 obj <<
+/D [1554 0 R /XYZ 56.6929 136.242 null]
>> endobj
-1177 0 obj <<
-/D [1174 0 R /XYZ 56.6929 106.2766 null]
+1557 0 obj <<
+/D [1554 0 R /XYZ 56.6929 106.2766 null]
>> endobj
-1173 0 obj <<
-/Font << /F37 802 0 R /F41 939 0 R /F22 737 0 R /F21 714 0 R /F48 953 0 R >>
+1553 0 obj <<
+/Font << /F37 1026 0 R /F41 1218 0 R /F22 961 0 R /F21 938 0 R /F48 1238 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1180 0 obj <<
-/Length 3096
+1560 0 obj <<
+/Length 3065
/Filter /FlateDecode
>>
stream
-xÚ­ZÝsÛ6÷_¡Î=Dn,˜øà×õ)uÖÖÉ%ÎÜÍ4”–`‹cŠTHÊŽçîþ÷ÛÅ.(R¢å~Üèàb±X,v¿%'üä$ E S3‰S#Â@†“ùê(˜ÜBß÷G’yfžiÖçúöêèôµŽ'©H#M®nz²$‰œ\-~™žýðêíÕù»ã™
-ƒi$ŽgaL¿½¸üŽ()=ÎÞ\¾¾øþûWDZ™^]¼¹$ò»ó×çïÎ/ÏÎáDÃxÉžðúâ§sjÿtþóùåÕûã_¯~<:¿êÓ_° 4®äóÑ/¿“¬ûÇ£@è4 'ð™¦j²:2¡¡ÑÚSŠ£÷GÿèözÝÐ1†:a¢â Ù³  ”Hc%'q˜ŠH+íLxggQ`ãS¾ öè‘Í‹Oe¶²⿹o±¨mÓ|Zeí|ù©È›–èÿ¥ÇÇ ”hÓת¯ÃLÆ"Õ¨«s±r: å¥PÇ3ÀÐïìÇ PeÞæUIæÎÊ5>4Ù­e±ª'6˜@7X(4NÞ+ÐíX&SÐÆÅzꔤ&jê¨jšÑ×u¾Êê¼x¤×McÔj+z.lkëU^Z<ŸwâçUÙ:YUA„›ª¦Æ=ˆ¬6<_cë{ËÕÚÖ®°ŸÓq:½ZÂFÀÊp-RŠ4 É6=%aÒ¢©¨µ9–SVQMó’žíÒŽØ<IÀ³"p!'×o˘vߌF‹ cæD«ïK“©c#™§©êÖíý¾0m„Ò‰Ö´YkW¶li½!®—”¶Ñéía™ÓNI´jÓæí¦õ‹çUfÃÝU¼»h»™„”I¼ e·fr yÆ.um½k=R£º¡g»äž›ª(ª‡¼¼ýûSQ™*Ž§µ>— JizVJ¡™èž,Ô÷c ãÝIaU0Èćgí¸ö§lŽ  m¢á´Þ6oÙ6C‡.¨ƒ‹·÷†-V{öûȇû¨™T,b&Ϙ©ÇuÀLžëy3šµg¦ÝiÇÍÔŸv×Lk2&­/[;åÌõÛé j”Uëþ ©`>“êôSõ¸˜Ês=oªC³öLµ;í¸©úÓf´twÆ8“}w®Åµ \o9¿_?nƒp$õ@î1FúÜsG sWrX¢wÓÎSS8xB˜æ Åû\O[¼ãzÖâgÝZ|oÚQ‹¦íÒÛýÌæýv/¬ýéÍm¦ÜÙ™‡¼]Ú¥ŒHbú³c^ŒíM(”TÉïÞ›Î#†Qö¦Çu`o<×ó{shÖÞÞìN;¾7ýi9J 'ðâì…-çEÕø1>³\×@:÷ÀúiEx
-e$EßùödÕš>h¸£O+Ðã6#E€Èû ­Œ…ÍpøÑ‹ý2/²UƈLã‘[ßQæºß¾zY c[GŒÖ ‹|Qoá—Ö~QÐBmHÚGð8ˆñádÄŽRV¥%Ò
-ÀQâÏŠæædXDùC=™(L„6Aô;Jn)B-=öÝÝØÎ`ƒ,ÐKØÀâq9cÁUµV"ƒd¸§œ “û„2®köÒ-І·$@ða¼=àÈŸma ž>íH,ǽøN¬ñë ;OŒ_Ø2·ÝøÙX¸ PÌÛ*<«Lºzõ‘SVôîäŸP»SªÇç&E\¡ƒÔË·ÍŒ6R‘ñ(—<ƒÂ1¿+uÂÊ¡8î¶{_ Â8 Òj<I›|ÔMc)àÌŠžhÆ’I!’‘£†¦ eÌaÜăù>ol=j¢DÉç„%ûÂÆc6„JÂäÏÈ›góåØ5e¢EFZ⸞iõvšþ1©pŽ”Í ¸ö¾¼È™$PKÚzeHËpxºnÖ~§+sÐÝB‘èáî“°ä^lóЭð0ÞúÐÑ×™*ÄÅxë]R¸[Vض&i¥[m0Q¤S‡›5dˆ`Á€AÓ]:#tÑô}¾Ê‹¬!¥ôÊ=qá‘D"Nõﹺ©…D“ÃÎWPS=@„ÖœÑ>4¹F‹¶—ÓH¬èÉ8 cF_¤
-/^,Ý "áfGä*Cða_ð€ž¼ Û ÍÏ ÙŽ]Ñ?U/¡=FÑÆñb1œ±°H71·eŽç< o¬¼à!«m)#
-§ßZöa§Ú Ÿ<A¤»–³¾6^“™79®í2»Ï«È3tÁ®íΠ/Zëî^Œefôh6×e^çnØ®L
-K徃ÿ° $V >)J¹•š·U †XÑ+gP©ºä„<.ÿÁ¨¢ªî6k"ÒÀ=½\b•j?¡ÉY©K- Ýtú¡¯BdÁ¹Ô]¼~EÜ[SΔJ¶‚G`N,’T›^°~qÙYÆìô
-œ…ËãkЈºÜE=<1z\y íþR8J«ùƒá=v6lLžá|â?Û‘$qºãçþÊ"ó7Õ¶€¡Ù¾¦¼™ñ5mÇÜ»üá:ù®~Ó‘lç?BûOÐgÕj[½Ç®/Ïuæ/šÆÿ&å[ªN¼4$Ž.–|Môî›1s7ý;(ƒw6cp¹‡^]ûü„-8R[Û¬éÆÃ}ú~Ü`ö®ATw?Å^}hÍñkU n7µ¿úç"ÞƒèHN¯ŽS<~\‡›  ‘Nkx²ãÜÖ¬©nˆèò (˜û.‡êþ„¾ú¶KwKÝt·ÝîÆžŠ­ebÎêKáì„Ÿ/_žP^ªê± k–¶(N׶î®Rq9£õ½,nÿ£ „déû„‘OûÄ©Ó€¿±Î¤ˆ&oûÚuxë÷:®Üq…¡ðÏŒ´-ØêÜÉõzî’žg$8%‡wçdezôSþ†¤B„b©ÓS’û—õzùrìŠñoÿéØYqûÃåÅ¿¨å¶ÚË+ù¿-nçŸøâ¤C¶ùòt{õ—ÿÓ³ýt%…N5þ ICbOT{¥ÐZ*ÝÕ¼ûóϾêÿ®4~»endstream
+xÚ¥ZÝsÛ6÷_¡>En,˜ø ^ŸR×iÝi“\âÎ=4”–`‹cŠTHÊŽ§wÿûíb’’(¹£
+éLxoŸNgIaåS¾ ú©Èæŧ2[Ù-â¾o±¨mÓ|Zeí|ù©È›–èÿ£âcs´Îùk1ÔaÆ5K%êª@iÎS§Zž3q:ã ýÎ~Œ"Qæm^•dî¬\På—&»³^¬ˆ&3‘0såä½ÝN¹™‚~0NË©S’ª¨©£ŠiFLD_×ù*«ó≚›Æ.¨ÖVT.lkëU^Z?x>ïÄÏ«²u²ª‚·UM•Ymü|­¬ï¨Ö¶Îp… øœÔéôz +õpÎÒ8n-%aÒ¢©¨¶9åS¯¢˜æ%•íÒŽØÜð¬\ÈÉÃõÛr¦Ý7£’,Jcí9ÑêûÒxÊb­¸çiªºu{¿/L*&¤ š6kíÊ–-­7Æõ’Ò¶ :µ—9íG«6mÞnÚ°x¿Êl{w…ß]´ÝŒÃ ä‘2Á†¼[39Ð<ó.ucƒk=Q¥º¥²]úžÛª(ªÇ¼¼ûסSž(ÎtªÓãamÈå%8io¥ªFd¡¾#®w'…UÁ ¥ÏÚqíO»µ9<‚ºJ¶§ ¶¹zçm³eèØêèê݃ò«ûCŽû¨™„`FjñŒ™\G̸ž7Ó±YfÚvÜLÃiwÍ´&#aÐúÒÛ)÷\¿Ÿ¿ JYµîÀ5U$™ÑÉ3å눩×ó¦:6ëÀT»ÓŽ›j8mFKwwŒ3ÙwgÞµ¼G-(Ö[ßožúC8z ö(ÅC칧€¹«G
+1ÌÈÝ°sÈâ±åñØ·øë°Å;®g-~tÖÞâ{ÓŽZ|kÚ.|ѽ=ŒlÁo÷Žu¸¡ÚGÊyÌÛå±½BÁ¶«8Üóblob&¸0zo’˜bøñ½pÙ›ÀõüÞ›u°7»ÓŽïÍpZJ 7ðâ¯ì…-çEÕ„1!²ÜÔ@º÷Àúi”$x‚ùÂe³Jé¯>¨¸«O
+Ðã.#E€è÷j…ÍpùQÃ~™Ù*óˆLâ•[ßSƺ߿zQ ϶L<Zƒ.òEÙÃ/)â †Ú´à=pcádhG)«Òi ù-„Ž¢šgŲjZ?P ?¹LyÏPÚ¶Á‘;8… ¹;Wh¢A³Ÿ«ž Í h.¬G…²…©½ ¿¬:3cåÆ÷ÝV› SÞ´cPoa›y¯{Ü»‡IðX¹JwvX'Èm¼v‚[Å ºW£/.â’—“)ìî¦ñÄU¶°;|!– tå Õš§²Íæm>§1Íù¾jeÓyÑ`pF¬«¼)¡Æ$Ë] fÚäå|Ô4oê¼õàôvÐOy§ÖÞ©¸]u¸ý!+òEF RmÁvôùjÓRƒ¶üŽücGDFºux¾õX¹“€¢ÃYFhî`®áÓ7àÄ`Ç&=·µ˜\xô€§á™¸@í¢A<"/¼slºPÑ.)-ÙÜù…iQÍ7¸WεGýè?K‹æ5d(îrXÛC :
+"è1þ(¹q$1o*?¾Íî­¹. Púù˱`’­IÓê 䀭ÅP
+>}‹±;¼æÚm¾²øB Äô‡êÑ>t®+eJgIŠh HCÃhŸ7yUPÖ2kCÍ“(4b 
+Š"?GÊMVg0­Û_lnJØuªfcÞålæÏß
+ –^P‘p»#r•!ø°/ü€‚ŒðÚ Õ…Ÿ¢Uº¤QïçKý³î(ÚxK žÀöÀBà ‹ xÃx€ !é¸+s¼ç!™
+¬_²Õº°n–Ô§X;‘LjÉRÓaXΓçB}ƒY™š~E•qùÍX|ë$Œ¤Ï\tc©ÕƒZN‰
+覷=èv/P>ÂQl­'æ^r) \œùòåË3ŠKU=ú”¸´Eq¾¶u÷”ú„ËÍïe‚€=éýƒqï!C§Pü°Sœ;bH›4†.¦•¤ÿ(|í:‚bƒŽkw_á(B™QAû‚µÎŸ\oà.©¼ ÁÒ¡ÈÁÁÝ9½2ú¹ÿˆ¥L
endobj
-1179 0 obj <<
+1559 0 obj <<
/Type /Page
-/Contents 1180 0 R
-/Resources 1178 0 R
+/Contents 1560 0 R
+/Resources 1558 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1158 0 R
+/Parent 1530 0 R
>> endobj
-1181 0 obj <<
-/D [1179 0 R /XYZ 85.0394 794.5015 null]
+1561 0 obj <<
+/D [1559 0 R /XYZ 85.0394 794.5015 null]
>> endobj
-258 0 obj <<
-/D [1179 0 R /XYZ 85.0394 731.767 null]
+378 0 obj <<
+/D [1559 0 R /XYZ 85.0394 730.0812 null]
>> endobj
-1182 0 obj <<
-/D [1179 0 R /XYZ 85.0394 703.7216 null]
+1562 0 obj <<
+/D [1559 0 R /XYZ 85.0394 700.9798 null]
>> endobj
-262 0 obj <<
-/D [1179 0 R /XYZ 85.0394 229.6467 null]
+382 0 obj <<
+/D [1559 0 R /XYZ 85.0394 216.5924 null]
>> endobj
-1183 0 obj <<
-/D [1179 0 R /XYZ 85.0394 201.8883 null]
+1563 0 obj <<
+/D [1559 0 R /XYZ 85.0394 187.7778 null]
>> endobj
-266 0 obj <<
-/D [1179 0 R /XYZ 85.0394 144.1965 null]
+386 0 obj <<
+/D [1559 0 R /XYZ 85.0394 127.6814 null]
>> endobj
-1184 0 obj <<
-/D [1179 0 R /XYZ 85.0394 118.9605 null]
+1564 0 obj <<
+/D [1559 0 R /XYZ 85.0394 101.3894 null]
>> endobj
-1178 0 obj <<
-/Font << /F37 802 0 R /F41 939 0 R /F21 714 0 R /F22 737 0 R /F14 740 0 R /F39 899 0 R >>
+1558 0 obj <<
+/Font << /F37 1026 0 R /F41 1218 0 R /F21 938 0 R /F22 961 0 R /F14 964 0 R /F39 1161 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1188 0 obj <<
-/Length 2472
+1567 0 obj <<
+/Length 2310
/Filter /FlateDecode
>>
stream
-xÚ½koã6ò{~…~¨½>õh?ew“4Åí¶Í¦8Ú§È\[¨,¹’œ4ýõ7ä•(6¹"@ÄÇp8œ÷ŒÙŒÂ›©ˆD)Ogq*‰¢LÍòí­aïì€9˜¥Z†Po/ŽNE<KIñhvù9À•š$lv¹úyN€Îß}ÿñôü짋ãE,ç—çß\,¹¢óÓóàèìâøÇã‹Å’%ŠÍß}{üÃåÉnEÇÛóïq%ÅÏH/NNO.N>¾;YüzùÝÁÉeÿ–ð½Œ
-óß~þ•ÎVðìï(i¢f70¡„¥)Ÿm¤DI!üJyðéàÇa°kNòQÂEÄ'ÈÙUJ"Á…c rà
-¥tþ^ÿB)¯Š®¨+|jV­pðS›­µy/`åV:[rIRɤÅ÷®ÞnuÕµxh›Ý:4»Îòöf£›KæWºMÖáèfStºÝe¹~AáiÃÏ µ¼® ýë}“ /0+¥&†tC,‹I*x‚Ä.Û«„àpØS.„˜·]Öt¸qSt\ì6¶»©q%ßdM–wºiqãè ®ÿBmˬÝÂ\!:Xce™jÀ4Â;ÞáŠÅ
-Œ4žgžÑfoÜ•ºÓ¥Û\é²ØÇW8uTÐÈœoý™þ‰† _°y>Ï*\9p ÈaëêþRÃXœÔ•¿;ÃÏ®nPVv÷³ß½‰Û7•Eå´¢vŠ`n0_P'ìí¾ìŠ]éà̉öŽäã±äùHò\0ó¢ªîpçÊA
-ðö‰rü´û„V5~˺Zƒ³uDûGÜNPé€8ÿjî„‚%ç1a2HÄS’$qŠ¶öÕW½µÉ4´6˜9%1C§Á0B 6ãgí¡ÀÏšùÑ~C?kÑy‰SŒ^öR°©jïÑÖwîÑΨÕhg·¹m—S–WäYiüad½ŒñÈ"1X¿‹Þ‹˜±ufͱÂi–[#¯Ûçƒï23sñøŽöGý*¬m²k[WnPÖëáÌàwab]䄹M8ÌCë,ß «Þ½zw‚^+ô6V$ÊØhaƒ–ñ–Œ:oið¡·|Ž:Bí|™oY2nqhoŒ¸ö9¬ð×ö¦îÞŒ0âL_ëÊUï×w¶ãp˜7¡BþÂG¼Ú®Ñ×E½oï›ëDØܧ.ËÐꌡxIìtãöœÕNëo뽃ÀðóY7ƒ-=e·½.„æ:!lH!ˆŒÀPKéI
-ÞÍ'ŸÈŸ¿£÷±cÅ?«ö<¼õÓú/^ ôSµ–H"¢€£Ï*¶'iªät±„&œÄ)•ãÂsp¹¡?1F5µ1’„ªd¨ÉxŸi€
-Dœˆ˜E3 ÀÇ•eÑ¿›P¨
- Jv€‚ûeL¨ÀGþgÁ$<Ž¤C¼4c[$V!8hõ¶ÈëÒ” fj\¿ù½€Œ©õ7 0:ô9x¶vGM £¹Cž¹û|p´0{êìn‹ßÛ·´M„‰sQ½/MWÒúSœe8ýsÁ”‹Ç0ÃÚÓ,™!fh—f'x‘9]T+°(}q·ó`X €­Œ`Á]3TºöÙ®‚ÂB³Ó“ ˤÉ(%<I“™SÓôåšol ìTèY¼Ì.ÇÆ$i,ÓDȈ‡I õ-"×Ýx7Õ8-|òsÖdÛmÖ<\Å©ðÆÇÁÊ\ßF)~î·"aÛ¢µa@lœ¯“§‘ë Ž!ŠÈxþéœöp.蚣£W¨ð䃊`£¸òÑS‚»zf₺r¥»éRЮ{c°Ø2Ü ðÝJë½…0úœ—u‹µ1ì]A– í[i:ÿ`˳pg‚~é³;= «²Î‡òvµöý%ŸÕfa*+[Ÿèf[T™í‰ŒëjwUÀè‰ÆÂ¥O Â.€¢cß½½ÝïLD¯¾¾kŸ øKÏXœFUô[)Ø^léï
-"#°ÿXKóžð'î³{Ò’)pJL7+SAD"ÀºcJb¼ÍòrÂ8M èŒ]`\aÓ:Ò(µîâC•mmÕ+ç?àR¶Z¡ZºÍº|cåe¶K°YÓïJSdãå9BǶÕØaùVNéhß6­»nú’©½ï€A²
-ªîYÈŽ—1؈R±((z>Jâ!™IA¸¤ì ™Éˆ$<Š{kmê²}†äòÒYEÛ·s{ã²]¶ãîß•îùë˜~u;dóxmH&K©)@|*ÕT«|‚8¨RÒHxâö]QÝí‚16D†{^Æðÿ§ ƒ/Ó'd($Ib†©Z^{¿ÒOŠÐÁµ#ôߧ™ÐóZL{}gEcÈÓeôӌҰ³„ßôí“ kw:/ ƒ,Ï"j× $¯Àílû<‚¢2;Øy‰\
-ßlzÅoÞg5¾ñå6ëåTÛiоíCÕå§ó³GÄpâµüÈ×Wib$ùãÒJ¡b¡þ´P¯×æýM^"†|Âæ>0rÝûòƒæÚº|X¼6ó¾Qa ¿} ç,,"ØB1¿µ±y‹ >W˜ˆ3ídRïe°áuEõŠ–¥€V%žðF±"4UPÊ›F?MÂÉF”ûq@¦$Š"ßfÂá>ZðƒQ,m½šLÀ¦‹60¿
+xÚ½koã6ò{~…~8{3|èÙ~Êf“\ŠÛ´—õâîÐ8EæÆBeɵäMÓ_3R¢låÑf{ñ1ç=c1áð'&aÄ¢T¦“8 XÈE8É×G|r{—GÂÂÌÐ܇z»8:¹Pñ$ei$£ÉⓇ+a<IÄd±üq1Éf€OϾ¿¾¸ºüxs:‹ƒéâêûëÙ\†|zqõs]Þœ¾z3›‹$Ó³¿Ÿþ°8¿¡­Èâx{uýŽVRú<‚ôæüâüæüúì|öó⻣óE÷ÿ½‚+|ȯG?þÌ'KxöwGœ©4 '÷0áL¤©œ¬‚P±0PÊ­”GŽþÙ!ôvÍÑQþ ΤŠä1ÆÀ0e‘’Ê0ð«Ù<â|ºX Ü7£±Gy½^몵»ºê7k;þx}õo5+]– 2 ( ÁÒ0”þµYµ¤ÁFoK„;¹>ÉpJ)&D'mò– BgÞéŸ8—UÑx3ÊÅ ÃÁÇ&»ÓŸâ“K|gô¤†­³‹f³ÑÙÖ¡|¸_éíL$SM+í*kit¿*ZÝl²\? p´Ñ§W±¼®þ»Ý6ë_€+¥fËb–*™±ó¦}(á*¥¤Fƒ35mÚlÛÒÆ}Ñ®h±]YØö¾¦•|•m³¼ÕÛ†6NÞÐúO<äM™5«c˜‡„ÖA¦"˜¦Ç›Z1àš‰C‚ ÚV˜Lßê<Û5z¨ $V §x<Í£qoÜ”ºÕ¥Ý\ê²XÇ—4µTðÏ7îL÷D$CÂãgbڡϳŠ·²ØÚº»”´'uåîÎ賩·$+³ûÉí(xYTV+j«x~Aa¬°×»²-6¥…ÃÍžäã¡äå@òR |QU·´sk!
+LHE(ãÍã{¦˜…“«µš¼«á‰ï•ïÜClùÖœdC¶ïŽùøÿÌD
+̽·%1SA$ýfŒ)‹Eœ¸n–ímœ5.
+—ú\n³õ:Û>ZÅÖ:Áö$™í:À(¥Ïaó!R¸Ø š
+Œ[†,Šñ6ËËãgÛ¸¸¤þ¥q¤QjÜ%ć*[›š V®~ ¥l¹$4tµùÊÈ ·K°Yìv¥)Hrk‘å9AǦÑØRñVŽéh×4­Û•ÞvSsè€ãsqÏŽ×ñ%Š(î z9Jwâ‘AQ”<#2òqh›†M5µ«Ÿ‘[^Z›hºVnÇaZXAŽ ËfØù»Õw-ËoúLþ°û-RŽÅ‡Ë£¶Õ2!*”ÕŽ€vmQíÃL1}\‚w^Çî¿P‚ DC!¢§%˜@ôLÛä
+ós.ÔÓ‹c–Šš¿è‡g¹Õlt^ w Ã"nË ¯Àݬ»ü“÷Áê·D¶î„o¶ ‡’7ï²×î²›õhøß¿{éÏ®éBÔâÃÕåã²òøð:Æ`[‰â È*bI”¨±ßßøäYÕé¯}}öÄ ­Dú…˜gñq‚¨!.dU JN÷³ …òHÿ’ Q>endstream
endobj
-1187 0 obj <<
+1566 0 obj <<
/Type /Page
-/Contents 1188 0 R
-/Resources 1186 0 R
+/Contents 1567 0 R
+/Resources 1565 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1158 0 R
+/Parent 1573 0 R
>> endobj
-1185 0 obj <<
-/Type /XObject
-/Subtype /Form
-/FormType 1
-/PTEX.FileName (/usr/local/share/db2latex/xsl/figures/warning.pdf)
-/PTEX.PageNumber 1
-/Matrix [1.00000000 0.00000000 0.00000000 1.00000000 0.00000000 0.00000000]
-/BBox [0.00000000 0.00000000 31.00000000 31.00000000]
-/Resources <<
-/ProcSet [ /PDF ]
->>
-/Length 557
-/Filter [/FlateDecode]
->>
-stream
-xÚm”In1 EOPw¨u€$ÅIg0²Êľÿ6¤¤êV5 oʯÅésÀóή¯ƒÖ×O²Î Ž¢‘ÿ¨#h8Çùø:„5?ùÆ [ÄIÚL’~”F Ø PÈùYÌÀ¹dˆÐzZ8å±Ýƒ²ÙËò‘–Œ€f¾Å(ÌÀE#@x˜oL Û¹[ƒ±ñðù
-6\>RgÈbÏWÖ¹j[†›
-WŒÏ¢®{6;»²þFÃÇñ÷ø]š¨)Õ/Ô¬Mu;pk;Ì©Ëdh<åE–ñ¬AÏw³ð¬±±Nê¦ó¡Ä½t•‹ùD„™Â²]°Ä(‡;„ ·åŽ°Š­r²ÂÙÄLûˆ T¥Í¡誋ŠŽt’¹w_ =Î]ˆ‹=¦uSä÷—ä"ï±yl±‡µÃ-ËkHsŠöreOÚ³êvg›<7ºt,‡Ýe—;ãÒèЭ/I…B÷&ê(ýê³ö󻉨YÙ¹Ç,çkRÔšÚ'^ m" ^˜h±ÎW9AVªy­Â©/fýÆ"•œãûFy-Sng \Çdª¼˜©Æ¥†Í}B©•µŒÎ$âw1.¶&Øíþ²C¶O–ÃVç X×9g¹E{îÇ< •ãóP)!ÍZÜÅŸLÞª~ÑÔ'¯UâXLµüc“ÅXsЖõÚ¯½˜Ó’~òBL–§èªÆ¹O¦ºNZ_[Èü.øšŠû*]3QôçÇñ!Ö-žendstream
-endobj
-1189 0 obj <<
-/D [1187 0 R /XYZ 56.6929 794.5015 null]
+1568 0 obj <<
+/D [1566 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-270 0 obj <<
-/D [1187 0 R /XYZ 56.6929 769.5949 null]
+390 0 obj <<
+/D [1566 0 R /XYZ 56.6929 730.9277 null]
>> endobj
-1190 0 obj <<
-/D [1187 0 R /XYZ 56.6929 749.9737 null]
+1569 0 obj <<
+/D [1566 0 R /XYZ 56.6929 704.9004 null]
>> endobj
-274 0 obj <<
-/D [1187 0 R /XYZ 56.6929 282.0726 null]
+394 0 obj <<
+/D [1566 0 R /XYZ 56.6929 236.9993 null]
>> endobj
-1191 0 obj <<
-/D [1187 0 R /XYZ 56.6929 250.2286 null]
+1570 0 obj <<
+/D [1566 0 R /XYZ 56.6929 205.1553 null]
>> endobj
-1192 0 obj <<
-/D [1187 0 R /XYZ 56.6929 191.4593 null]
+1571 0 obj <<
+/D [1566 0 R /XYZ 56.6929 146.386 null]
>> endobj
-1193 0 obj <<
-/D [1187 0 R /XYZ 56.6929 179.5041 null]
+1572 0 obj <<
+/D [1566 0 R /XYZ 56.6929 134.4308 null]
>> endobj
-1186 0 obj <<
-/Font << /F37 802 0 R /F21 714 0 R /F22 737 0 R /F41 939 0 R /F62 1062 0 R >>
-/XObject << /Im3 1185 0 R >>
+1565 0 obj <<
+/Font << /F37 1026 0 R /F41 1218 0 R /F21 938 0 R /F22 961 0 R /F62 1361 0 R >>
+/XObject << /Im3 1515 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1196 0 obj <<
-/Length 2134
+1576 0 obj <<
+/Length 2383
/Filter /FlateDecode
>>
stream
-xÚÍYMsã6½ûWè¶òVˆàƒˆääx<§fœÄvN“©)Z¢$f(Ò+RV¼»ùïÛ$ʦ,;ÖTmù  4¯×´pøƒ4a\Ùx`lÌ.’Áh~ÄS{w$üœ(LŠº³~¸>úö­2ˬ–zp=éèJOS1¸žþxòËõÙåq$>Ôì8J4þp~ñ†$–~N¾x{þî·Ë“c¯Ï¾ ñåÙ۳˳‹Ó³ãH¤‰€õÒkرàíùû3j½»<ùðáäòøÓõOGg×ë³tÏ+¸Âƒüëèã'>ñ:âLÙ4¬ Ã™°VæGq¢X+$åÑÕѯk…Q·´¿X*&¥Uƒ(á,b÷®´‡]}VZ´s{ÓHˆ„©D¡Kâ˜qË7.‘¢ã!3Ò&“X¦•TÎ'ó¬ióEƒØÀ|ÙÏS&bƒûàÄqþ;ç²Ê›ãH™d˜áO<¬²y>&IÐä:eÑ´4cR/HTT£rÙuº4޴˯²òšš2»ËÑ"ØŽÇl’Hgÿë*'—®7ÃΨ̖MÞ°‡N¸a©ábÐæu`++Y"´DaÂ!ý'afÊå>ÿ©Â:HêÛ }†ÿFuÕ.ŽE:¬K„ͦÃiYßd%¶í°Éwù‚ä0]=].²Ö¹ '„}Ü ç)l4yÛÐø8Ÿd˲m¶ÝF÷Þ…
-üÍ©^ÔW½2:™Àö€¯­ei¢cBÒS1j¢Ñ,«ª¼|Vúƒ,ã@Ä ˜h N˜Ï—U1ò.p¢ ÎõÚš~§yKl4Ê7hpöìÚ+cÁ¸„ÌL{Rr}lZ´ž·uÍ6çÚíÕ.^ÿÇWJ -»ïNi“0k:~»X›0Ž¾ä÷/{Îð2@jL‡n=õß\\]R>hÇÔC]”¯¨ºÁcµQ Þ¶œÞ–»"_½IŸqÜZ+‡O
-Á‰‰`% ¤â"pT’¾«`¯ŸÙ|žyºwÏËñ-‚,`§@“¦_/êýÇ‘ÂðŽl1úl<^À›øyžµ£ÙgW5àÜèÁdÊð}ßw0°!†ÈÑþîáäž½¡›WlÈ1ZhüÖdÓ¾»ûऻCI¤!”p÷ž$
-¶.5 ³J·ñEÝ”xfV J;€P²e xcp ù‡ (/¯ãÆKBΓxU´³>gRfù:Ñï A‡p“c•„ÖÑF…ßx¬' 4?& Í|5#fŸ¥³Vµ¿?‚Õˆn-VDb}´Óډ׉%¼EÁ×)Ëz•{ñÆ{à&Mjœ…™ÓuÑI=ªn–EÙFEõÝÃNˆ˜c$dYÈGJ<ï5‚ª^óÒרoU°ƒ”|ù3E
-¨Ž0 vr‘(¯‚bFKŸK«ûž ±
-è{¡ÀkŸ•þ¾ÌꦷªFæ
-‚*oWõâ uŠªÍ“ Ž†Uß'¥6ä抶ùžë@òÚ‚7xèF*ùKjè°b§ç¤Ñ,NíÞhXð
-³q]•·Íó]'lì 4”‹y! ¢!!§º‘ý’Oqlí/OÂøjVàSŠœkPF®éûŽ;ËйBwrãwF߯jÇD`)ihÚ¸&aU·Ô¸%¢páRŒýŠŒ~VŽDC£…A¿nœÃ6ó¢êý¸L!%c¯Ô=ô’¤Ì+P2mg õ]£=@MôÐÚ
-zGºÄð¼¢±féØ$+A0Êšü›Þ/A†ià’ëªd·«£õÜ­²©æÝ„·¾8ÁvhzÛ·ùZÞ|C²? "Æö¥õJ,Neªº¶îÈ(1§ï54s÷­í^‡×]±Í­}I™{xb! æ‰Lð?@ npúÌ2W*°ß¨­”Þ)~Âÿ°D
-Utb75ò%ûìOŸü_XØ)°3ñdd£eSϸu‰>Ò ¸b-µ±{Ùíg^®ó_R!KLŒ™™X%NÅ?ý)í é§Õ~—ÛzÑ®uo:Ÿ| Š„4 Éy_µIk1´u$÷=1¨ÁøµØƒ¢ÔïêTà Oõö]|„
-clkïEqYú“fPgP µªåü&÷pÖ«*4»âé¢^Þ>¿èDûL{x_¤}¥{ß_UÂb
-€öÒÊçþgvóokp±JÓ_Ö×Î…–+ñ(K©”%©4=¦ÿüÑU&endstream
+xÚÍZ_sÛ6÷§ÐÛÉ7  }r'çNâö÷)Ídh‰–x¡HŸHÅõÝõ»ß.¤(‡’ìF7“ñ°Xì.v YŒ8ü‰‘3Œ+¯GÖkf¸0£éò„æ0öúDÄ9“vÒ¤?ëÇë“¿½Rvä™Od2º¾íñrŒ;'F׳÷ã?ûåúüêt" 'ìtb>þñâò%Q<}^ü|ùêâõ¯Wg§V¯/~¾$òÕù«ó«óËç§ጀõ2rرàÕÅ›sj½¾:{ûöìêôÃõO'ç×ÝYúç\áAþuòþÍàØ?p¦¼3£{èp&¼—£å‰6Š­TK)NÞü£cØ K‡ô§¥bRz5šδ»w¥8ì›°Ò£œÛ›N„0L…&ÑšqÏ7&‘¢g!³Ò›‘5ž%Jª`“¢šÏórŽºù²?Ÿ;&´Å}pb}—Móß8—Y ZUv|¿Hj5‹ n\g«ÏÙŠˆÀ¸þššÓrÖ.QáÆÙÖº0—,³S1®ëtN›¸qçƒx œ•yc$ ”• {lSÃ-s–‹Q__§_å%3"±£I;á˜&“0ÓqyÈdÊ@Cx2Ùý
+ÔsÐ`ÓªDsÍפÂvEŸ¿GH”é2› ðUš%VÅIMu:Q‰§E- Ö6‘TÇ/Ñ‹|¾h&÷~h
+RÁI2K³I°íÄi¦B\!SÀXV%Ýà߸áòKÃœ–>Šô2x
+F'ÏVMšÇÐ÷¥‰P»‰°‰)}î(ÇN:;í&­ó}ÚïëëTõÿ½4*aÚëCÊ7pq¤Tð=ˆOù´žLiYfÅ“â„™6kÄLÀËåºÌ§ÑÔ² =L‹øg 5Òé4«Ã ÅÁÜ¥ãRªÉwÒÍÛ?ݹöXu£®oùJI¨#”;”É &’FY­!'Ì&Ÿ²‡ç¥3¼ Ý8¬§þËËwïÎ_PîQhOÔoùšpÎ@]s‹H˜°\ElPè~ªF1å£6mO{Ví¯Rn2êÊîj­ïh„fp@€MF
+LçG« %´œ.Ú¼³„ÀÙd%²=†ìiè¾Æ9DÞ‡²¤ñ”m>çÙý³¯DÌa­—ãÝŠëKt¬Ðþc*Î&Ì
+w¨ª26áÚm
+¿oÊ2(3Ûʱì /eºúv7Ȇl기-Zë@mwZ4V´­étÝ¢aGt6„ëX'YÙnÑ¥%ƒŠ\Z&§BŸ¾ ,
+αú.ˆß»V øæµJ—Ë4ÂNÝ?/GLÁ¼¤àÀ !ND!ÔûO´mÔÛ·³ÚõÇeÚLCùJøG“©„ÿ㇡ƒ <'‰( $è%ݼ|‚©4Ưø`4`±G'ÝíJµ®„»P~¢ücÓãëÔ²uÏסVÆOý°¼©Š|J=Ò*¶BÖÃieü‚* g†õÉ8è”ÆP± ªdîÆq«9•ÐÊÛƆ÷-•|Ë-AîV9xÁu r&K)ͤ“nÛ¬ÕmTë–LÁµI&Ã)ñB >>‹7¼Ùn*N"¼‰!¾Ýœ½xSwï.!}C]«¤ _V”õ„'E¥’  ¤l ƒQCaþɤ¤.×uäq)mÌžù>oCxÜ:(µ»@¿ÃpZÝÆ€› Ë]zÏÄò¸ñ´•ž$HPñ3¢@Áu¯ ?àˆ—U¼?œÅõ=#ÑÛiímä¥ÍEÝÓ*vŠ¢ºÏfƒú¾^ÄI·Î"Ô]4Ò
+ÿ ¡ 6k „ÌjE¥Õ_ã1í è§Õq—»jÕt¼7[غã˶§˜ÉùP J E.z—Œëñ„¸{P¢öe°t^¼_GŒ±þ²¡ÿ+’]ÓSÙc_ᣃØë©ÿs²ù‡ÐrnÇÛJçœQ(<“V_\eðHã¤ý|[moendstream
endobj
-1195 0 obj <<
+1575 0 obj <<
/Type /Page
-/Contents 1196 0 R
-/Resources 1194 0 R
+/Contents 1576 0 R
+/Resources 1574 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1203 0 R
+/Parent 1573 0 R
>> endobj
-1197 0 obj <<
-/D [1195 0 R /XYZ 85.0394 794.5015 null]
+1577 0 obj <<
+/D [1575 0 R /XYZ 85.0394 794.5015 null]
>> endobj
-278 0 obj <<
-/D [1195 0 R /XYZ 85.0394 585.0446 null]
+398 0 obj <<
+/D [1575 0 R /XYZ 85.0394 513.3136 null]
>> endobj
-1198 0 obj <<
-/D [1195 0 R /XYZ 85.0394 560.705 null]
+1578 0 obj <<
+/D [1575 0 R /XYZ 85.0394 488.974 null]
>> endobj
-282 0 obj <<
-/D [1195 0 R /XYZ 85.0394 491.9365 null]
+402 0 obj <<
+/D [1575 0 R /XYZ 85.0394 420.2055 null]
>> endobj
-1199 0 obj <<
-/D [1195 0 R /XYZ 85.0394 461.8226 null]
+1579 0 obj <<
+/D [1575 0 R /XYZ 85.0394 390.0916 null]
>> endobj
-1200 0 obj <<
-/D [1195 0 R /XYZ 85.0394 384.4846 null]
+1580 0 obj <<
+/D [1575 0 R /XYZ 85.0394 312.7536 null]
>> endobj
-1201 0 obj <<
-/D [1195 0 R /XYZ 85.0394 372.5294 null]
+1581 0 obj <<
+/D [1575 0 R /XYZ 85.0394 300.7984 null]
>> endobj
-286 0 obj <<
-/D [1195 0 R /XYZ 85.0394 206.4979 null]
+406 0 obj <<
+/D [1575 0 R /XYZ 85.0394 159.3 null]
>> endobj
-1202 0 obj <<
-/D [1195 0 R /XYZ 85.0394 171.8379 null]
+1582 0 obj <<
+/D [1575 0 R /XYZ 85.0394 131.3824 null]
>> endobj
-1194 0 obj <<
-/Font << /F37 802 0 R /F21 714 0 R /F22 737 0 R /F41 939 0 R >>
+1574 0 obj <<
+/Font << /F37 1026 0 R /F21 938 0 R /F22 961 0 R /F41 1218 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1206 0 obj <<
-/Length 4496
-/Filter /FlateDecode
->>
-stream
-xÚµ[_sÛ8’ϧÐÛ)W ó”Í$sÙÚÍÌ&žª½š™Z¢-V$Ò'Rñø>ýu£” Û[É•HP£Ñhtÿºæ |¡Ë¢tÂ-ŒS…f\/Öûlq }?½àaÌ*ZMGýõêÅ_ÞK³p…+E¹¸º™Ð²³–/®6¿-ËB/[¾ýùãû?ýúéÍK£–W~þør%4[¾ÿð÷wôöÓ§7ÿøÇ›O/WÜj¾|û_o~¹z÷‰ºÊ@ã¯>þH-Žˆ~z÷þݧwß¾{ùÇÕß^¼»Jk™®—3‰ ùŸ¿ýÁXöß^°B:«÷ðÁ
-îœXì_(- ­¤Œ-»Ÿ_ü3œôúŸfåÇY!d)2|Áyá´3 jW”RÈ$ABaŒ-×];º]O«ü<TC½¯Û>¬gL´ÍÐt-µTí†^~í«Ûe3ŠÉ–±ÅJ
-ú½X¤p…TÜF¹r$e"Ö‡CS­©¥íÚÕ?O»ûãnjzCrØ ?!)ÂÛTŠ8=è$·…qÜøiß´Ip]Xà8,²ië!# ¯–‹©Þ¦ IÝðÃ.›ž+ú¼zû }÷ÝúK=Ðûô«n›ö–ÆT¡™ú»zÝà„ÝÌœ"UÂÑבå»SË$•+³rQ:VaÄsl“€Z›·L«Dq5%ÍÎD­4ì²3|œ9¼ë9¡
-^0m?#ÏßZ./Š@i0Êt÷»‰ Q|BJ›‚—¥™‹ ÚlD yXÅ+X¸”Ëûm³ÞÒéQЯ™²s«²®PVÖz{&,hZøþðËWE-Ý!µ”ôæ𧩠£„¾pÀŽqaÔEÁ
-0òVXž“õäš®&ÏÅ
-ºQXî.ŽzLª²pLE±‚ÕõCÔl¼"7Ê £¤òÿ3CÊVƒUŸŒúiVÁé=4ýxç$^èAðM =wÁ¬ySŒ²ïéIº £âFÙå}³Û¬É‚oÂfŽõià´@–s
-F¨­×è\¼—ÓHÊ;%E~Zªõº¾È×i°·jBà ==[øB^ð?zGLz:#K5jOi ½tbÙQ?Y3úÍ2!J*×ÍóD¯'ÓÀQ\ 7ƒ†è#o”Õ梪ri ر„“kKðߪª‘àjJñ\U¹â`œ'~LWUÁx©ŸÐU6 yý:矂ip ZvCÂ{莠ZÎE ¦®Ý=Њø\´ÎRñ$<PÚê‰G‚¤ä0Û®[Waºm×iK½×;ÙÝ]Wë/a¯G5ú¯qWÊ+ˆç0#,YHn"O`É
-<Ã=
-€†1–8ÑcXföß‘õ8Ýxœðãîn×øæ!y:2dAûh¬O¿CǦ aÃÐþ©ExñMG$mƒ÷fèëÝ ‰‹ÃA!@£ÇO?ËÀQQºåÝ¡ÙWžGø¨ŽÃ¶;4ÿ›RÞn¹¯ñ 7ýžÒ”Y>ŸP÷p5|¤3þ|„¡¨‰¬»„ý2¾ 4ø!4Á B´R}‡$h¤¸š’̘` ¸Þ‚¤Ò°gc Ö
-0%ÿÁÄaTôð´ü[LÌXIL—ªœïpFHà,¬³r¡ ¼“ýÍ"ŠôV‚ç2àv0|‹ƒ.B üF+å †²ËwùÛ³Ô3X4æ.+fo¦o¾×bÁÇW‹Û±Ò=½\øB«2•"0;rÉ Þýõ†Q Ý÷[m$øøj
-ø˜T›à‹ÂÜ(,x1'€AÆ%(Ñ纾TÏUVLK‹ë£¾Ãí‚^>å*ÙÓñ$‘©d§Q¸Ôß>Õ{r{F,?RùÊÈå4·ÔúvÆ?tz²ö¦õ³¸@묓œñ~V;N£ž`¶¤à|ÏxnÚ³Y¯k.øs%–Æ?5ÿ]ïÎ)n'é@ÌW
-8u@ 7I "[ç6
-ð/õ5-å4!‹Y?ZÚñµÎP4*HÒ7žAån0¸9§_
-X½ŽwïÃÃN¢c¼ÓÇYë–ÞÂE.l‹×Çf7 ¡.è–N,Vbßšô³"÷Ë¢âÍø¦¢tiN"ÊÇ¥ !‰LâÁ]{+@vyŒb·S]ƒ9dÂpH|…ò¹Å…¬—«*WÆ|4sÏQ³RÏ|º‚¥N"v%íç(N9¦©o@bÇ"båº
-%ïQ ¡ÜMiM}=+|ÃË¡jûx«Ì:Š¡ò*àä€@WØ^x³¯Bs‹U
- ÁèM¦%£-Þ¨x¹V¥Ü|7Ím3Pe&†H7- ,3¡’iƒ±ff<ÔØ:–Kàc¿º?Lc†í14yî°És‡/dòüðl Å¥RO>˜í¸7ylÁ|ˆø¾úBlá:‚½6àkÁhŸØë®ï›kŸà’lKC•wlðwK$¢oð“ä%¡;l
-´[zŒ0' iÆÌ høKã¯]BñE‰ÞR¡Rºp7 :`:o}ahÜѳb®§o±A@"ÒÃûîð%,5Z^
-Ú¥[,><P›OÂ(
-}Hú*fOÔ˜=9·-<8þïÈO¥bvu3ø°j¦ƒ] ¾ß@ì«Í r iþ¦È°Û%È.}nÚuM)Ô!k¢¢Z‰g™(;^Vš™(¤îQé¶÷×s¨ ïgïèI…Êĉï>\VÉíï@¯ý)ÁQG–hßГ$„¿´Ô
-oD„«Tþp`J“FЕ±íŽ» 5¢É£·œOåë—0­×*<ù«!R&lußøÒ
-IX‘”2W‚`É(|ó? NêP3‚âBMÅØBY ˜Â•Ë³úIúïÂsÖÿb]+endstream
+1585 0 obj <<
+/Length 4330
+/Filter /FlateDecode
+>>
+stream
+xÚ­[_sÛ¸÷§Ð[åŽÅÃ_‚HžÒ\rõM›»&¾™vîn:´D[œH¤+Rçs;ýîÝÅ )A–;ÉøA$
+lþö‡ﯿûéã›K£æ7×?|¸\Íæï¯ÿòŽž¾ûøæ¯}óñrÁ ÍçoÿüæÇ›w©+÷4þtýá[j±ôs‚èÇwïß}|÷áí»Ë_o¾¿xw×2^/gò¯‹Ÿe³,ûû –I[èÙ#¼°Œ[+fÛ ¥e¦•”¡esñéâo‘à¨×}š”g™¹HPñ‘
+Ó‰4-sû“Á13Ó½lAÏJ/ÃÜÌÛ;ü-ÜG®¡)·5uÕî7P,8ŠÎ$P~ï›LŠŸ «Ãn/
+ꢥá.-Lv¼’.0Ž„wÍj™Ø!3.ãvíûzS÷OD%BŒ7~Âe»Ý‚–x® ßÉE
+›IÅ´5jñÞïêê·ŠZš¶Y|ûáÓ¸»Ûoz¯§w$ˆ­WJÿ ‰žÆbÄéA)¹Í”…5à´oš„(¸Î
+àØ/²nª>!  b .ÆŠwDD}×b^wÔXÒëÍÛé½k—Ÿ«žžÑ&TMÝÜÓ˜Ò7“f@C÷P-k<ƒ°‰c¤r0†:°üph«¥²c…œÕÈ
+åÖZÀ
+‹"m«‘âbLÒâ©^iØekø03røÐîRB<c6h—;$/o .OŠ@ipSÆ_O‘â(m2žçf*‚rµÚ §ð
+.åüq]/×tzôk¦Š©YY–(«¢pM iþýúÇßµ´»Ø’Ó“cÀ¦LŒúÄi
+&Ó`ÙG£~aš•p€wu÷ž9IØ{}Ý@σ·lΣø;ú%õ†Qa¯Šùc½Y-ÉŠ¯ü~{õšA€Ó×LæS3
+v¨©–è`œ§ÓHÊ9&E¾ZÊå²zèÉßiwÈ°·lž|Ãý:¶ð<á:GL::K*P^
+epc .ѯs±“YGþóêpŒÕr:q#"OÎr'tå-½ý"„JÈVÆr°‹ç¬¨Î€õ|bE‘¢£ ­i=k·ÕÀÑ ©„zÂ+ ?lžYSiàP&ùr (.Æ$ÈÂ3‡ÅÇaÏ` Þ…ÛáÔhÎÀ`ÎoyC*²Å·ˆ£±í½®»nïû$îL<"bºŽ&aŒð«£tÉçþ[Ÿ/£¹}¬{"°P`ïòx¦Êͦ}LÙ ‹»Ž †É` TØaZ'm§ÉU8ìî"ôÒÓ@âÄh¼;M¡%…2Zx[ Sx Þð!Þ‚L$Ô=yyx½-½Ö
+³H=8*l;š;oê&*œ
+¡ûW“A¤xFRÎñC¤†a™.
+ œEa ÀLf
+¥ b¾b/ƺsÈãøås û_‹2U™ÆÄ4SÏX³<Q<Hl6ì Ö¶_¢8ù¯¾‰íc¬ˆ%ìÒ×¾úº7å?,4uÕ¤»²é³ÂR`í”`ñGºüöÂSqåë™k,W¸H F¯j?-hqFÅÉÅ°L(up¤Võ}ÝS‰&†7. ,3¾¤YxcÍÌp¨±u¨›ÀË,~y>ŒcúõÞ79î°Éq‡dòÜðd-Åd¹Rç+ ÌvÜ™<¶à®{"¾-?[¸o¯ øZ0ÚSq<´]WߺL—ô`[*Ácƒ»g"}ƒŸ$/ Ý~S ½ Ÿæ$ÍBƒµ§¾4îR*4ì”è=U,¥õ÷Ä ¦sÖ††=ªº9\¦Î€"ˆHD¼ÑöØî>û¥Ë
+9ѽ1W·.ýU¥Q^^‡«ltsiçÛ×þzÖ`šX°ÏxÀíQºº¢¶ª;Ïòxš!ºÄ¢W‘ƒpÇ€~1\Má™$¿ »à…Kq˜x•Ò/Lå6I“«“4ý­€ûdè»"ÃÞ¿N©+Žåã8èð?aR‹ÌXéÊ™T~oñ?b´ÿ@"›ýªJþCÌw»¤
+kþï%A\uWo*´>¯O¦—u†ÿ•HL²Èüÿ£Õ†xB…8‘i5EAƒ Láj”:â<üGÖ1ëÿnI”endstream
endobj
-1205 0 obj <<
+1584 0 obj <<
/Type /Page
-/Contents 1206 0 R
-/Resources 1204 0 R
+/Contents 1585 0 R
+/Resources 1583 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1203 0 R
-/Annots [ 1208 0 R 1209 0 R ]
+/Parent 1573 0 R
+/Annots [ 1587 0 R 1588 0 R ]
>> endobj
-1208 0 obj <<
+1587 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [55.6967 480.2482 256.3816 492.3078]
+/Rect [55.6967 387.5149 256.3816 399.5745]
/Subtype /Link
/A << /S /GoTo /D (rndc) >>
>> endobj
-1209 0 obj <<
+1588 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [268.5158 480.2482 332.4306 492.3078]
+/Rect [268.5158 387.5149 332.4306 399.5745]
/Subtype /Link
/A << /S /GoTo /D (admin_tools) >>
>> endobj
-1207 0 obj <<
-/D [1205 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-290 0 obj <<
-/D [1205 0 R /XYZ 56.6929 769.5949 null]
->> endobj
-1043 0 obj <<
-/D [1205 0 R /XYZ 56.6929 749.0409 null]
+1586 0 obj <<
+/D [1584 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-294 0 obj <<
-/D [1205 0 R /XYZ 56.6929 209.5509 null]
+410 0 obj <<
+/D [1584 0 R /XYZ 56.6929 692.9565 null]
>> endobj
-1210 0 obj <<
-/D [1205 0 R /XYZ 56.6929 183.9497 null]
+1338 0 obj <<
+/D [1584 0 R /XYZ 56.6929 660.5438 null]
>> endobj
-298 0 obj <<
-/D [1205 0 R /XYZ 56.6929 147.0778 null]
+414 0 obj <<
+/D [1584 0 R /XYZ 56.6929 112.3379 null]
>> endobj
-1211 0 obj <<
-/D [1205 0 R /XYZ 56.6929 116.7981 null]
+1589 0 obj <<
+/D [1584 0 R /XYZ 56.6929 85.6994 null]
>> endobj
-1204 0 obj <<
-/Font << /F37 802 0 R /F21 714 0 R /F22 737 0 R /F41 939 0 R /F48 953 0 R /F14 740 0 R >>
+1583 0 obj <<
+/Font << /F37 1026 0 R /F41 1218 0 R /F21 938 0 R /F22 961 0 R /F48 1238 0 R /F14 964 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1215 0 obj <<
-/Length 2349
+1593 0 obj <<
+/Length 2372
/Filter /FlateDecode
>>
stream
-xÚµ]sÛ8îÝ¿ÂÊLÅòC¥ÉS·›ô²w›½K½OÝNG‘[³¶äµäd|·ûß$HY²ä:½Î’ €
-ÞÿíÝ?7W!—4ˆÉU(cüpwÿ#ΤøyÿËýí݇_Þ]©(XÜýrÓ7·77÷ïo®B–Hû¹£pfÃíÝ?núððîçŸß=\}^ü4»Yt²ôåeTAþ˜}úLçˆýÓŒ‘&rþJXšòùfIAd$„ŸYÏ>ÎþÕì­Ú­Sú“"!2ájBœÍ#©”| A™’Xpa5h„V 
-” ö†‹»å‡žvøah_à1]#øG£ö G`ß#n¤$à½é€›‘“tX—xQ3<€"2àõÖ®œÞò\l£P”$ŒË¡5櫬ªôÍæŒNYÄà¶c5iJø%vØá},Ë)Í61`r8IAlóHz¤ÍçëçŸPòš$¨,Æ(Q±0ÊJH"hú Å È|Í_
-ÀK¢¨<•
-*žÊàïúÐà … ÆŠ€ECÄhaB—0œáä QÔ1wJÁ£rAãiDGo:ª€G_ˆ5$Äÿ5NáI€$N&‹ÖêªÀMc–£3”cJ»\I"˜Šspkí®^7RÀó™˜gæÔn¬6#0Rˆ røsb‘˜I5—qL"•$—ÜØã‡ý Ž4¢ûJW– ZÁ¬O~ìÌë#jÇÐhXØì÷jÚ ‡¯¤Ü‹™¹et%XÀ¡ J˜ q.*Hqb`îC(€sHˆâx.#xZ"•¾&#ã$M@¸É|,ì(†}’VYCÖ¸$Q*£ãɆŲ˜ò"ç¦(ÅcÒ <£©â*ø½ª_*³¿¨@³fÓU¶Ñv'J‡”áJQo²Òí7Xí«ò½^paªj˧dU¸ip
-I}*ÔèݳÞMy)dnŒOwÇ0BäY0í G(Ÿ¢·«Ì͸Sq¶îG-ØW.»À‰Iî-]ò*²êÇaâŠyiþ&kó• . zl^Ñ~lY—Èr¢•$ €7¸7‡LTV{à•ΉÀ°¾Êž5®=j]á\' ÀN˜Äff­
-û'!K°˜Ä0GxHâïŽXž^Ø#8XÌK¦,éŽÅ'ÔFŸÉtXÉDöb–Q+^kÊ-»P»kpë.Éï]ŒÛJûo¶n Õ6àzB¾Áb6Y"žç-”bd¾.ÛÌÆ4<Š…GDÉ™^ÊX”v½ Ôõ‚ÖõréÌùé„aÛ§#rì€1ÙªiÓõ¥ý„]‹ 7ø‚éZ€ÛwRØIŠHOåÚ¡o³v…»':o¬.d „GGZÞ_ ü'~öպܔö.Cèó”ƒ:úMùo=‚à…ëï 'år§6‡TÙ‡¿<ey¹†gpªMèwµ…Þí¦øúÓË·^å¸îóÁ¦Ñ& kGEå0„xº( N­‡j{ÉvUgþôvj?eÎvaf KY=Õƒm…~Ü;BŽ+ק@]PpýeÞ±¯ñáqA·à2mhÞpV'îA;ñ²Uõõå»GJCŽšSjKï—¨L[Ô_¯ày(·]òDÖoóõ¯—uvòÜ
-¸ucØ·uÃ}Eü?¶Ä©PþÝñL¾O\¤l¢-.T¯9‡5—™Åî¸0iÇè9Û•Úؤ˜|Ä`uBÛÉm‹qÑ °[.\ámpñÍ”+Ud²©LÜL5ûdJ 'ñ)£÷cñ }SDªääíj—amkÞ¿¦ÎK»Á^A½o·û×6º]ÕEókM`|“¹•N"Û^°W&úqÍŒl<q(/¦
-Ár“+Xw A»Ú™ù6ŸM„¥3;vNÌÕUž®4¡¬”Pé3æÎ%'Š(¯ÒNCÒ%%&Ðk;»]Õ/˜Ë¯÷.‡È× M혙%6Æ’}šqL‚Ñ3tAÎýñ'$1ÿÖM´Ùhç{ßý§àñS¨ÆD’œi¿ C­–*Ï”Q’§œwÿŽYÿ/%Ž\endstream
+xÚµËrã6òî¯ÐQ®
+<,Ÿ&ÛëìÆÙxœÓdjŠ&a‹>‘²W»É¿§)R¤,ﺶt`h4ºýB‹-(üØBKBE.TI™\¤å]<ÁÚõó8A‡ ±¾»?ûöJ¨ELâˆG‹ûÇ-M¨ÖlqŸ}^~üÛ‡Þ_Þ\ÒeDÎÑåw7·ßãLŒŸ?Ý^Ý\ÿr÷á\…Ëû›ŸnqúîòêòîòöãåyÀ´d°Ÿ{
+G6\Ýüã¡ë»?þøáîüËýg—÷½,CyVßÏ>¡‹ ÄþáŒk¹x%,Žù¢< ¥ 2¢›)Î>ýܬº­sú“B©¹šQ g ÆH,%iPÆ$\8 Z¡#P
+Îq³æ_I¹.Ì70âùrD÷ú±Dà’Š Wzg±óëMþ ˆ8øÍìÎÙ²éxIüÞÄÛ”‹Žo´“>y(¼÷ÕU±CèÁQU
+gRLöõ„ÝáÉC)’g~.™‘ R‹ë„zÎÍË\D€úQQy($-ËåßÍ®Á2x{Œ{ Çöˆ‘ÃU?–3ü‚¼Š:åN)"B®Ni<éDã RG•ð`ð qgÄ
+·Önꢙ+ƒ4x¿d»qÚ ÁH!>Èq;æÐ4$“j*A4„”SÝáà 3®4¡ûF‡– ZmH~êÐÖ).&ÔöaÒ²PnŸA|UÒ%,Ÿ=“ö ~AÀ¡ –8åÇ¢‚ö'¢)€sxE‘ ñ‘ŽÂ·¼Ã8‰µÖó¯° § I:eYƒz Œ¡êèÑ\-žÍy‘wS”âkÒ <£©âjù[U¿T& ~QvÍ•0<r• ÛÉña‘q%«Ë$÷û}½жÊßWXÂÂTÕæ;,¹y4>€1¶t®É—7-N£kðÐѳ®U:Ø!c|}^sT¸D!iWùBvÆK)¡ŒÏ=lÑ&}hÀdlºÇ`3AÇ‚ÜÎøSq¶F-Ø—?õ &Ü›û Õ©È©‹…QˆË2ä¥ñøeÒ¦+\@ôÈfÒal)rdžBŽ­—ÀÜŽŸC¦‚gG]úW’>ÖWɳÁµc*œë…Ø £]%i'К
+¢b-N‘Ò¤8gˆE·8½™/.££ÄäKLèYÎ kF}Yêýä€P…ò€ždü(½.ú‡#Ù]ÉTˆƒVÑÐb¶6îÏc
+q„Ìc–!l4+׬‘¢oT¸oFˆ'|7búz EF ˜öÉ],m“¨Ü–ˆTmË`aÁUÔr¢óþùêÈæ.~Áúçƒq\Á ™, c߉WÙaìÛÖ Ø½!OdFÙ1ÔÇLðC 4ѶbD‰®6´"ÈÍG¢Vy,ê3ö.B–`‰ `ΠryoÈêCŠÓ%lK0fz0fQ€f+b%µ„-«Y¼Ù˜: n¡ö7á×}?¸¿•Óvr Ú.æmµï·¸£m¡èÛbm_Jú…ÄœIc‚(Äm f"ÊøÖ¦Xì[CEýôä-úiŒaïhìûaLA½jÛóCa?#Fß0 ¾bÁ6 à÷<í$E¤Ç¼ðèë¤]áî£}8.Ô „„G{ZÇZøül«"/sw—!ôe.õ{úMþo3 Ç w³rùS›]ªÂ_}oz7º]mf6›9¾þèä+Š½C>ؼ Æ–aín¯¨ÔöžÓ¤) N­Çj{I6UoÝé5ì4Ý”=Ûš‘,yõX¶eæaë y®|§u9BÝÁõçéPÄ¡ÆÇÇ]ƒÇ´Íà«^ÜñÒÉVÕ§ï)÷fJlJ©Í;w8EeÞ¢þ|Ïc¹»Ñ)Odæß
+­ù|ƒAЊËXuLYÎÃIï·ÿ“sÊú_—0‰Äendstream
endobj
-1214 0 obj <<
+1592 0 obj <<
/Type /Page
-/Contents 1215 0 R
-/Resources 1213 0 R
+/Contents 1593 0 R
+/Resources 1591 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1203 0 R
-/Annots [ 1219 0 R 1220 0 R 1221 0 R ]
+/Parent 1573 0 R
+/Annots [ 1598 0 R 1599 0 R 1600 0 R ]
>> endobj
-1219 0 obj <<
+1598 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [406.6264 617.3695 456.8481 629.4292]
+/Rect [406.6264 524.1437 456.8481 536.2033]
/Subtype /Link
/A << /S /GoTo /D (tsig) >>
>> endobj
-1220 0 obj <<
+1599 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [140.5805 606.0819 196.7992 617.474]
+/Rect [140.5805 512.856 196.7992 524.2481]
/Subtype /Link
/A << /S /GoTo /D (controls_statement_definition_and_usage) >>
>> endobj
-1221 0 obj <<
+1600 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [103.6195 562.6731 159.8382 574.7328]
+/Rect [103.6195 470.0794 159.8382 482.1391]
/Subtype /Link
/A << /S /GoTo /D (controls_statement_definition_and_usage) >>
>> endobj
-1216 0 obj <<
-/D [1214 0 R /XYZ 85.0394 794.5015 null]
+1594 0 obj <<
+/D [1592 0 R /XYZ 85.0394 794.5015 null]
>> endobj
-302 0 obj <<
-/D [1214 0 R /XYZ 85.0394 769.5949 null]
+418 0 obj <<
+/D [1592 0 R /XYZ 85.0394 769.5949 null]
>> endobj
-1217 0 obj <<
-/D [1214 0 R /XYZ 85.0394 749.0225 null]
+1595 0 obj <<
+/D [1592 0 R /XYZ 85.0394 749.3189 null]
>> endobj
-306 0 obj <<
-/D [1214 0 R /XYZ 85.0394 668.2594 null]
+422 0 obj <<
+/D [1592 0 R /XYZ 85.0394 679.8163 null]
>> endobj
-1218 0 obj <<
-/D [1214 0 R /XYZ 85.0394 636.8261 null]
+1596 0 obj <<
+/D [1592 0 R /XYZ 85.0394 652.1211 null]
>> endobj
-310 0 obj <<
-/D [1214 0 R /XYZ 85.0394 425.0299 null]
+426 0 obj <<
+/D [1592 0 R /XYZ 85.0394 573.4726 null]
>> endobj
-1222 0 obj <<
-/D [1214 0 R /XYZ 85.0394 396.4061 null]
+1597 0 obj <<
+/D [1592 0 R /XYZ 85.0394 542.9681 null]
>> endobj
-314 0 obj <<
-/D [1214 0 R /XYZ 85.0394 136.3155 null]
+430 0 obj <<
+/D [1592 0 R /XYZ 85.0394 335.1831 null]
>> endobj
-1223 0 obj <<
-/D [1214 0 R /XYZ 85.0394 104.8822 null]
+1601 0 obj <<
+/D [1592 0 R /XYZ 85.0394 307.4879 null]
>> endobj
-1213 0 obj <<
-/Font << /F37 802 0 R /F21 714 0 R /F41 939 0 R /F22 737 0 R /F53 1029 0 R >>
+1591 0 obj <<
+/Font << /F37 1026 0 R /F21 938 0 R /F22 961 0 R /F41 1218 0 R /F53 1313 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1226 0 obj <<
-/Length 3704
-/Filter /FlateDecode
->>
-stream
-xÚ­]sã¶ñݿ“—Ê3'†
-‹ÏÖZŽJࢮ:K:Ž›’{¼ ÞÊ)×YÔ©yÁ¦à}% ›0¼+öUa§t2¡ÝÉ„™ex2%gUO3G‹&¦Ô€&ô¬k-#Rÿ\Ë%ª/:œÕœ1¸’gf[Ý“cüóý˜YÞÁ¸+÷À2Iö©Ž nl¢HV&*ÁMö=‰þvÈ .
-ÈÙ¹9öíž½DKO8r³bª âɤ¿ÕúÄ­ü,eðÂHˆ™“×<$QG-±ˆˆ¨ÝÈ'Y‡‹”íÊe…§Gñ>W£¹H“Èh¢TI”«Lù¨ AK@,ŽÁæïÕÌúóãf_teØॎÒ$Î,²7Î=‚à™ÒC¿;ô4~hËnÊ̶)§\Þ¶l´v+•y¡1ŽÇ‚™á£QÀtkþ^â§öÀç*˜oÛâ‘7w äP‡ä 2ÜN×x<Ñ"²‘å‘ÐM¼þ-Ø¢3鈗Ƹ0[±az{èzš«še}X•.ÜúL¬–/ë‚7Mö›¢'hW<uoh#+áöFg•u¹ìK°õÖ-¯c×sÆ`M¦­5á³ç'˜684—<™ÎYoÓWËC]ìé?.¯‹eUWýÓbvò:¾057ØnlnviL±enbÈ?àϪꖌÅ:¿<á]OQ#Á’l \
-Q8ê‰SÙ¬®¶èåHtŒùLЮÙãÉh9ü«Ýr+.
-“yý·iDÐL„Ô&Äl•jÏl•"GˆªeßÑ$©&®r´ã2k3©õ™ø
-W¶ô\”ËvkÀI¸:(nj\a×±\០µç6d/i±Ó³+>¸Ëb¹áw­Fž%;èßÁ™¬‚úªJr
-Š$šäg2tc¢$VNsüùžë¨¹1&2yÂêSVŸÚ¡…¤Ö•5ýrÈ’/ùÎN¤œç Vân¤“}aÓikPh›8C2ÂÑ¢X>v4?È gÚõÀ ;=
-ä‚zÉ8=ñ“ËT*yc —²ýTr~…#.á`„r¨õi:{k5€Ëàámš¬¶I6BIB0XnÚ–ÌN²=ÉÙcYîÜ>´7/hë FGCðÚS…5ñ“Ü=>µ- ŠPžÏÅ ó(M}:Š‚MR,xÈlö›üáhQ®[_²ÂÿŠá¶Ø‚')l¨’
-tˆûF{ëñ¥5à¬\¢Ôuí²¢¼é;V[G™‘á‚7ª!îœÅ‘ŽOÒ²}H!N¢Ôš³HÃÍ.­¸FÖì"Æ)¢L/JÆbœ§°àòã²,WÝÉ‹U³ª–| X„œÁæ¬LgïZZá"
-»s;:ZH™iM¼"ð¥é¶øXm[çÀȹŠQwuÒ:X”›âCåûÇç .@Žk`ëÐN[–c_ô”·”KÓº÷­Npª¥Pc½èJEž¸E>;:uÉJ§ê"+G6Õº.xï&RbH²é9}•·YEó+׿Nà|!§¢o‰'ò\WÈ$\ô¿ŠÙÕ\þSô yàHÆÛ×Ák¤}ÕôsªXqÝSÙïêhÝôÆίɽäJîlÔ™o}p“62 °äâLŸIŽúLrÚú@
-¾aÖàÍÒLœvó_ õ­­ŽÏVü)$øIž¼È0Aþäj­mÁ8w`qXßÆföǦ=2”ûáö"ÿã«©¸¨”· Çrß„›‚ñi6m[DRGHnêv­šT^Še[TuØ+$žÜ³Hœþ­
-pÕ¡ÙÌDf—S öŸ#æâ#®Ì"P¢ôR<õ.È_}ò@ó?)À\gâ 9Lp iŠ$ ‘8½=–»™,É^ÂâÒ†å>(,Ðœ\êKIAYËû’zŽ¹Gr)¦u¿;ÇçX\Š¤n—Eª¢%¨ ‰åoÂ#þw<zŒG~&zÔg“|¦séÏD áÁ«Yß²:›$FecTé$Í¥QØß.ýÇIŒ½¾D~ºdC•p÷-bâé턯7àOwØíÚ=÷ÄŒ‚«ÄxF.·ÓvC”š}K=þÓ› W:R·OÅ÷ÌŸ›ï°DìUÍä¿+âk
-I;¥Ž©‡]n›$ÊÓL6|öEõ°ÁÝeNÚOTt5êÓœ}m‚Ë6–6ºáµiêšE"Kcre;7jöýà{dî-Qæã†+œÊϺ,:Ú
-W¹*
+1604 0 obj <<
+/Length 3489
+/Filter /FlateDecode
+>>
+stream
+xÚ­Z_“㶠ßO±“'ïÌYÿJê=]’½tÓæ’^6Óé$™ŒlË»êYÒÖ’ooÛéw/@€”ä¥ïÜöÆ"A
+@ø²¸Lá'.Ml!‹Ë¬Ð‰I…¹\7éåŒ}{!xÎÒOZNg}u{ñåk•]Ia¥½¼ÝNxåIšçâòvóËÂ&2¹éâëÞ¼¾ùöç·¯®2½¸½ùáÍÕRštñúæÏ×Ôúöí«ï¿õöj)r#_ÿñÕ·×oiÈ2¯nÞ|C”‚'˜¾½~}ýöúÍ××W¿Ý~wq}t™ê+R…Šüãâ—ßÒË ¨ýÝEš¨"7—ÐIQò²¹ÐF%F+å)»‹Ÿ.þNFÝ«Qû‰4‘Êʈ¥¸")Œ‘3 š"±Jª`A‘‚UÒ4]캻»º½#-Ê¡jªv î7Õ¯i*Ûz¨»–(e»¡ÆÏ}yW¡-`E9Ù²ô†“ãò°Ôí½Ÿ$&“dš¤*30çx ž3S9hYž×Â)•-Ö]‹ÒÝöW"_T=RóEIƒõ¦¢Öûr_WÃuº-Í
+J;âê×SgÛí©1ÜW4·-fÕWû÷Õý'“‹›¡h§ÀÖ*‹½¾/Û¶ÚEÔ[j‘%&ËÕå2l¼ðp¿/{XR*°wßwëôî±/Ýax8 4ÖTÃ}·é_`O£àMÉ#A#|…¶ ¨}Ò×h
+ìí ·ã)õ•
+09¤ …@Ã&tž™‰è¯øìÜáÀV¸ÚÕ½ .v`+ð…Ý­½od”O¸/yUÌfÆãZî{çÁ&ÍH3a¼fÂ.rÔLÉE=ÐÈ£ãsi@fÑwNŽ %Ï$z/¦í3r[*U$µÁ~™%ÃÁø
+›0©j‡òµ«½ìöüJÝÒ“ó¨Šl*Œ†M…ö]Çot³7u8\‘}öQŽƒ&ïYR ð±ÔD bR·ÞE•_¥Ô‘P!¬ •ûýZÆvÔËES#êa’JÎ4ýCµ®Q{Î0Gn´™N¬Á¸ª
+¨}ùÔ ‚¡Ë«Ä{Ä"8Éš
+Žú†šbƒ#ω³
+‡H¿nêˆ$'ÐØÎD¢âœP±ŸN°7÷8h+~©\¯«‡ÁA2_=-0îPMMFNÀ‘ºÂÆ<)„)øDÔí¶‹Åš<ÉEbMjÄ ro­³$SFÌ]ÃÁ?%²Ñß°ã-<ƒ'c§Œ!7a’\ûœ†•Á&v’Ó¤(” !²j+õ¯<Ô ¯
+Ð]’Fâ$F˜ü]¡PÐ^"…<­˜Æ1¤vDtþ ýÙƒ «dê6q(/@¡‹€Îy y˜
+’˜ÈT&ya—~&[a‹Ë7há¶Àtú,[¼vQÈÕïc€©ÀF*í4Ö÷]G§Nòq’‹wUõàסµyB·ÛPc¢’·A*l¨Y˜áöôøè4À(Áý|¾ ¦H²,@QÜXñM—’ùâïùakUm»P®B¿fº+´àIþ«"`§m–†+ úçò@P™÷AÏ<ìK¬@ºÈJŠ†,²ŽŒ­I‰ ösf (Ôœ™Ïð.Ø~~^q¡4æçš 8…ÒâH¡ô´BPNÈ3-7×̤\œ{Îê!‹b§Ÿv¨
+0sÈèi.AëÆò9¤}kÂé e5ð¬=Lò×å’oŸG\d¹Ø-ÆRˆoÍÒĤG †o¹=
+ˆÒ†–/º°µáúØpˆD ;&9^UÌÅúHáÈÕ‡uUmú£ëvS¯Y!˜„–Á{Y™-Þt4Ãg
+
+̉ˆµ·üƹ|Aƒ*ŒEN ( #Ëì§Ñ0Ai‡(ö*›•Ã~èÐx!”J´qŠ¯|½…„°Ð†X
+íISÓkè K¿ q:Ö©J”ÍåÜF‘#%ón·#w‘|×+±vXïëU ¯º÷üWÖÒ•ðh«Gj€¢‚ØJ8ñw‡Ã`aØ©äôs
+vk^)úåDa%“…KåãVYH13ø ŠmG+4ÝtÝM9”\k
+ü“Ål7·5Ú'}Á¯"´ú‚HcÀÀž¢í¶dÚ¼Œ~?Ú×í°¤jç=U}ô#Í›ª s—QqÏùw2Eš<\{ðõl$a@Z)ĉ+&9¹b’ók$0L’Óë#Ép2
+kî²Úc¯0¹¿C8_Pø;v! ¹(Éï3S|µŒ@x"BÉ_– IJ,Ç÷xc$†âÖ•Æ'Ëý н.ô' &
endobj
-1225 0 obj <<
+1603 0 obj <<
/Type /Page
-/Contents 1226 0 R
-/Resources 1224 0 R
+/Contents 1604 0 R
+/Resources 1602 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1203 0 R
+/Parent 1573 0 R
>> endobj
-1227 0 obj <<
-/D [1225 0 R /XYZ 56.6929 794.5015 null]
+1605 0 obj <<
+/D [1603 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-318 0 obj <<
-/D [1225 0 R /XYZ 56.6929 607.7662 null]
+434 0 obj <<
+/D [1603 0 R /XYZ 56.6929 769.5949 null]
>> endobj
-1228 0 obj <<
-/D [1225 0 R /XYZ 56.6929 584.6557 null]
+1606 0 obj <<
+/D [1603 0 R /XYZ 56.6929 749.2381 null]
>> endobj
-1224 0 obj <<
-/Font << /F37 802 0 R /F22 737 0 R /F21 714 0 R /F41 939 0 R /F39 899 0 R >>
+438 0 obj <<
+/D [1603 0 R /XYZ 56.6929 540.3599 null]
+>> endobj
+1607 0 obj <<
+/D [1603 0 R /XYZ 56.6929 517.4049 null]
+>> endobj
+1602 0 obj <<
+/Font << /F37 1026 0 R /F21 938 0 R /F22 961 0 R /F41 1218 0 R /F39 1161 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1231 0 obj <<
-/Length 2890
-/Filter /FlateDecode
->>
-stream
-xÚ½ZÝoãÆ÷_aäådà´ÙOry÷tIíä‚äÒ:îS4EÉD)R!©SÔ"ÿ{gvv)RZÛ)
-‡÷{çó73+‹kÿĵ5Œ«L_§™f† s]l¯øõæ¾¹~Í2,ZNW}õpõåJ¯3–%2¹~XOβŒ[+®V?/¾þöÃ_nïo–ÒðEÂn–&ዯ>~ú dôùúÇOw¿ùûý‡›T/>þø‰†ïoïnïo?}}{³ÖØ/ý Ïl¸ûøý-µ¾¹ÿðÃîo~yøîêöaäeʯà
-ùíêç_øõ
-ØþîŠ3•Ys}€g"ËäõöJÅŒV*ŒÔW?]ým<p2ë¶Æäg”eÆÊ4"@)c4K”TN€M;G%}û².‹¡\QoÝvÔžü|ñ”7MY¿§Þ¶ìû|SöÔk×ô}ª6OeÎû\vÕp¤^ ½Ú¯>Tu=¿;/Šrw3”+0jaIf¥£ô#®E¶8¶{jäÝ°‹’:û±è«fƒ;o1á;µLÉ Å…ÇôǾnò©x¤e©©_öŽM²ÝÐ(€Ë³µe6Qfv6+Úf¹À¦R.ýÚ]Wµ —
-e‡ç“4_ußbË.VåPvÛªñ<žòZ ÅfØçu}¤þ.ï{8¥¶”B0¥µé –CÒžœ´Úýæ l<±bq‡ªU`ßåïùvW—È17pç?8— ŠfÕ"§E^íÔYçEU;b/oV´ô¤j7ÜG䥸
-0^†,/rÐ,5:êó–J’2 JrN §zÈËv\e„\—×$€rz$—l,ÆâKR­çÎph÷µ
-ÿQüC“fôÂ~X•]³ÙŒ -Ó*zP’7ؾ(jòl¯*Oî€\$#uÙ ±ƒÖê¾a¶/»Ïó@oüÎ~
-‡Í›Ó=ôdÃP³ÙwùrÔø4d~ž5¸Wœ˜Š¼ñƒûݱËßAz=ØMMé€.\· v
-“…)RÑ\_­%@+Ò¬\u¤1ðŠÎc$ôâi•’I¥’×±P:8¿—÷éîÖñ|=K 9Ä0R±eìla˜< ?ªÊ=É붮ÛBÙ”­œ>»Â38ì¡÷‚´7'dV† &ÃΉ^Jb)!QÚª¹„»fUx
-Ï2.œ;­‚¾q8F‡Ö«¯’§ZO
-·{¡ÝdžØúø¹ÇŠK1d€RJœêÿfX:-Gä`™MÁÖhé“KÌ´
-êÙ$à¼ÇW ÿÀ¹Ïð2°/ÿž‚] ì‘«`·¯š"š¦¤‚q‘þ9:DHTè}Ï…ÕþŸ5f^aH) ç@ʤL7+¡–*;WMçlÚî¡&I™Hm£>ƒ[j0-ùYD!ðøm“«—1¯÷fÐBT§f1Þæzî05§iï=´É[ ?úi²:j;SO±j¯b¤›wP«¡fBÈÁ
-&&¥%³b|O 9œ=wÌä
-zk ép_ˆÓÊQØñ1Z~$xßRgÉ3õ®TS2Ñ3Ÿ)xù˜ýµ;¬qzOD~œ_ Ⱥ¢– &"!%ÚöÑWÊo=n&„)Hºç.êlr[¯\H5óú{uŠ†1Gné—ºTJ+YÊ«)ñ¢4Ù=vïè]Ý
-ÓeôNÿì^¡áù¥/AJ0lajçFÜ&´œÓ6º²³Z3œ3þ0≙-•‘¢Ÿ .¨¡ß&ætùŸ‹&ÛbÔÈ5yØìëL_ó`hPg ü1P$Bý¼Ô'uTTèâ¼>sNÊ
-/?/ü¿=9ög
+1610 0 obj <<
+/Length 3318
+/Filter /FlateDecode
+>>
+stream
+xÚ¥ZYoãF~÷¯ò220êôÁ£9ó4™µ“ 6“]Çû”-Q‰THÊŠv±ÿ}«ºªyÈm{‚…a°/v×ùUUSj&áOÍl,¤É¢YšE"–*ž-÷Wr¶¹o¯¯YøE‹ñªo¾5é,Y¢“Ùýz´—ÒZ5»_ý<ÿø݇ÜßÜ]/t,牸^ĉœóéóßh$£ÇÇ?ß~úö_w®Óh~ÿéÇÏ4|ws{swóùãÍõBÙXÁûšwxæ…ÛO¿¡Ö·w~øáÃÝõ¯÷ß_ÝÜ÷¼ŒùUÒ #\ýü«œ­€íﯤ0™g'èH¡²LÏöWQlDãGvW?]ý³ßp4ë^ É/6VÄV§j`œ‰ÄhãXÕp”©y¾ÛQc/Ë]Ù•EË͵²ó‚:íñp¨›®XQ·®&/Ëy}(š¼+« /?·]±oAªÀÃü»ú„²Ôˆ,Æ"†0ƒÁ+»zÃëÆä%+ý²SééÝæÕjÇä틶Í7žò¶¨˜¹®æç¶lqëÙÂÈTè4«SJdq¬Ý®Ìû•læ%îGóUÑ.›òÁ1Ã=»m`G©X¨46vIJ®Öž@»©V)¯Ýç¼óx
+eÓô¯É =UšùöÀÞ‘¬ž9 ŽðGù¹+ò–›õšÖ Õ»Þ0xåc±£æ¦|,˜„$ª4
+³ÒÔàÁbØžÛbW, Á¡·®›ÁÕÈöALU±{O½¢¢¯é¹á߯'zŽH^Í=:;_¢õx—‘SWA¨‹TFV^pØ9^ ‡Õ–n
+Ò‘'ö±ÌƒKÄÚD_fL„ˆÞZÉxf–ŒÔ#ßÄ ôM½ˆ&S|SrD¿iY­ëŸ(aMoòaÕ@
+$mR_
+8”\Rá°y3œC@6 5›c“/zõó¬)pÇL ”Yr êÒp,þéµå#¯Ó]¸fïí
+Sÿ&t«&b_­À’‰ÌG)MœJH•œÃBÇe^0CÉóèXè ùÂlÂd 0—AÎÚ¢#h-Jʯ‚£Î4^Ñ0FBï¹*YC g’×±Pº/“HÞ=¤»Sûý£IJ(!†Å> Y„öÆ:]Kþ`¨&g’×õnWŸÊÆlåô8Ô~œÁa½¤½ÙÄÙ0éß¹a ÂÖÀ˜h¨pÈ7šjµd
+ˆü"Š¤{'BEc„LåEiÇ3¢å Y=ˆ&Òñü¹D6u;iÖXûÖŽp5ów/ÖÂÙÁg¸:sNjYR0ß×Iµ|à†ÀË¢9¡\ˆy˜° õB^î|­ÝáØ¡æ•œ¤àå/Pú«—öP,Ë5Wgùh ¡yIýÞ@FÕœRjþö¢Fdôp¸ ïCi"= åò7wÎolƒ8óÇ«6‡]jw]b˜ÁE_­ëú«÷¡
+au–z¢³(½¤¼ÿµÕSÒÿ:[)Žendstream
endobj
-1230 0 obj <<
+1609 0 obj <<
/Type /Page
-/Contents 1231 0 R
-/Resources 1229 0 R
+/Contents 1610 0 R
+/Resources 1608 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1203 0 R
-/Annots [ 1233 0 R ]
+/Parent 1573 0 R
+/Annots [ 1612 0 R ]
>> endobj
-1233 0 obj <<
+1612 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [173.6261 333.9221 242.2981 343.3317]
+/Rect [173.6261 273.4719 242.2981 282.8815]
/Subtype /Link
/A << /S /GoTo /D (the_category_phrase) >>
>> endobj
-1232 0 obj <<
-/D [1230 0 R /XYZ 85.0394 794.5015 null]
+1611 0 obj <<
+/D [1609 0 R /XYZ 85.0394 794.5015 null]
>> endobj
-1229 0 obj <<
-/Font << /F37 802 0 R /F22 737 0 R /F21 714 0 R /F41 939 0 R >>
+1608 0 obj <<
+/Font << /F37 1026 0 R /F22 961 0 R /F21 938 0 R /F41 1218 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1237 0 obj <<
-/Length 2569
+1616 0 obj <<
+/Length 2400
/Filter /FlateDecode
>>
stream
-xÚµ]sÛ6òÝ¿BÓ—H3B€ žŸÜÄιsIz®ûpÓv24IœP¤Ê»êÍý÷ÛÅüiÙ½äÆ‹Åb¿4ŸyðÇg2da,âYLz\ÎÒÝ™7ÛÀÚû3nq–i9ÄúþöìÍ•Íb‡"œÝ®´ó”â³ÛÕ/ó ¶
-Þüí§W×ï¾¹XDÁüöúÓÇÅRHo~uýK½¿¹øðáâf±äJòùÛ¿_üx{yCK¡¥ñýõÇw‰éç ¢7—W—7—ß^.~»ýáìò¶»Ëð¾Üóñ"¿Ÿýò›7[Áµ8ó˜+9{€‰Çx‹Ùî,>“ï;H~öÓÙ?;‚ƒU³uR~ÜcÂÅ„
-s’+j²ÒoT¿m­W†7i8šàçP¾L摈Ãvœ–Z‰4zeYBÓ%ÁF‚ .Ž‚G²n@M¡A0Å•25åv«¥r"4ž&ddüoc8ÊÚaäLCÍ ý@Ÿ¯ß½¦ÉÖ j¤óÕy‚7ºÐ•½D‡Ëò©ÀÒfŠ£¿Ä~f¹¯›¤j¬¡ªy»·â‹¤ø‘ø ã`äu“aÎÀaµ€]EA`n¤Yc-K¼IäÓi
-RšP± ËÍK
-(vžƒ‹ŒÁ³ÞÝG
-Y@°#ˆ®H´Õ‰À碋ÏD ¹ .Ê°ñ©H­ã–8ìóÂȵ$¨)Ö›)9 <ÜÒŽï4°œ» Ö ! ·–ie´9œ'y£|^Ñ̆/ Ùfy³47k5!õ²É)ˆ¾žÒÛ]kEGÇš`e½+WÙúp»]%@Ù¨Ülº¨}gQ÷eV44‡Ü”Uæ2Ob·x¾M:=öaÏh‹óAÝ‹eT\ÔE·[=:Ü2öã¶JjýD=°8ેœóø1ÄŸ~¢æ;„Ü_ tør^—´`FoE Jý
-E@‰4vAG Ç©1•²xÕ é“Œ)ÒÀªE‹z4[&ã@ YÂYm‰”둯Xƒ\Sžîð;íq‚ã„lÚN×u²Ñ–笘ºŸ-Ë„¨Ü1ˆ/ÂÑûBÅ6BŒ”ÒL–¿<PHÿq|œ'$‹]Ì®€ÕºÑ :¸Gi"”4çZi"¬“&‚uŽ†°G¢
-”ã¡8äc`uäØë2ÏˇÎ1œŽ|×Nú0ëêI,Jþ6Á½q`ìHGš£!ìs}¨A™çc Éáö’&åÝE@FŸá\ÿ‘ìö¹6²€2K7¯jZ¨“aZA‡Î±
-™=J;•®Ëü¾{²Z¼ï>þ´XJ(HÉaW‹b~ß}£yݦ[\¦×iD3qöE±áßkZËËòK»¯i}Oya2Ý`yëjO§RltóõØCÒ<£6|ø¨˜ôq©Sû£ gºå§t>æ×)(ð€’€šËN¡ääghoöl{éGïþ?‚ˆùJ rÕ¨U‹®ŠÜ}’w_Ç-Ö€õÿî@+(endstream
+xÚ­]sÛ6òÝ¿BÓ—H3B€ ^žÒÔιÓ$=ŸûpÓv2´IœR¤JRqÕ›ûï·‹]ðC¦ß%ã‹Åb¿?`9 àOÎt,âT¥³$„¤ž­öÁl {o/$ã,=ÒrˆõÝíÅË«0™¥"U<»Ý h#g·ë_æ±Pb‚ù›ﯮßþ|óz‘DóÛëïK¥ƒùÕõ—´z{óúÝ»×7‹¥4ZÎßüýõO·—7´3ï®ßO”~!zsyuysùþÍåâ·Û..o;Y†òÊ DAþ¸øå·`¶±¸D˜=»‡@È4U³ýE¤C¡£0ôââŸÿèvÝÑIýÉ@¨0V
+Ί@&q
+NØ5©q»°)$x ë±Ìöv-êc9¡qÈAʘ”1ó’/Ýñc¹‰¹ªþÝ~¬s'Ž]µU}ZH)ç‚´±ˆ’$öžž8úWÐRitWG
+kü"YS•Í· <Ê&À=b¿*MÈ*£P˜TJ–`yœÒ[ˆP!GrUí÷.áG‘—î& ^Ôæ_ïL¿ÇÆ®oÚq4Á‡Ë“±~žÎ•úhí,:¸mÅiíšYB×%Å&J(©¢±ße›–òçy^PÂH£†LM…” m¼
+]¤)¸øÛ:´a?L¼k˜yiï òóõ÷ßÒŠt {- ÒŃé" Á[[Úš¥Ópy1•Õ@Û"2iò?±Ÿ3÷M›Õ-;ª™¬¾HªHž©Ï1NÞ´9–\Ö 8U–D¾VvÖªBI’nè:oV™ÛZƒÝÁQŒš_ohïTiQZË÷8mÂï*;´G26Ñ£:‚[¤/Ô¬ zûcÓùcrÎ(È?Ç+®ïóv7®BTܺà~$¢”„”ú”°Ü>7 €b9:ðÎpt÷™‚3K ¬1‚@gáT[?‘ø|v …Š´ìË(²ñ¡\q
+ù§ÿ0ó½KBî›G¡ž7m8Y×)!Ô³"ˆJ?€@s òU†í®ÚŠ¶ËØ÷ž#†N1šßÓ ¯%‹€_ÐÕÊsê\¥*_´CzÎ%SÊ4°ËhIÆm’sÔÎ&RmF±Â¹¡:ÝáwÖ!ç„Àq
+* Ø$´½mšlk™ç¼œ’Û2e&U
+*ÁÄ‹pŒ>„P“§e€´“½¯Œ4t
+ª÷ .k}ü “sgó'í—<œ_÷§^G4ΞÅÄñÛ+‡ôÍð8‚¿yõ5§î!±×õæû ¯ò½šª†ç.;ÁÁ™O ðôÜ=4­³ªŸzºfKeÁ“Þ bœ–£æ<5LzÇD/µHÂ~šÃŒ‡ìB׎çæ)Ïù ±'2ÄŸ[/±< S½] ’À¹AÆ4 rb=Eáé4r5ÈŠAÔ×vü 0Bè§,/²».†ŒºÄpm(,î
+;Ízm×c?Ú¾@´€Ú6âÁÃOB¤3Ç"ÔÐÚ?ãéê–H‚äì¥ñÿ;åÁ^ju¬õãй
endobj
-1236 0 obj <<
+1615 0 obj <<
/Type /Page
-/Contents 1237 0 R
-/Resources 1235 0 R
+/Contents 1616 0 R
+/Resources 1614 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1203 0 R
+/Parent 1620 0 R
>> endobj
-1238 0 obj <<
-/D [1236 0 R /XYZ 56.6929 794.5015 null]
+1617 0 obj <<
+/D [1615 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-322 0 obj <<
-/D [1236 0 R /XYZ 56.6929 556.3324 null]
+442 0 obj <<
+/D [1615 0 R /XYZ 56.6929 520.4669 null]
>> endobj
-1234 0 obj <<
-/D [1236 0 R /XYZ 56.6929 531.5504 null]
+1613 0 obj <<
+/D [1615 0 R /XYZ 56.6929 495.6849 null]
>> endobj
-1239 0 obj <<
-/D [1236 0 R /XYZ 56.6929 214.5791 null]
+1618 0 obj <<
+/D [1615 0 R /XYZ 56.6929 178.7136 null]
>> endobj
-1240 0 obj <<
-/D [1236 0 R /XYZ 56.6929 202.6239 null]
+1619 0 obj <<
+/D [1615 0 R /XYZ 56.6929 166.7584 null]
>> endobj
-1235 0 obj <<
-/Font << /F37 802 0 R /F41 939 0 R /F22 737 0 R /F21 714 0 R >>
+1614 0 obj <<
+/Font << /F37 1026 0 R /F41 1218 0 R /F22 961 0 R /F21 938 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1243 0 obj <<
-/Length 2985
+1623 0 obj <<
+/Length 3175
/Filter /FlateDecode
>>
stream
-xÚÍZÝsÛ¸÷_¡™>=W±ø"@æͱåÔ7;µÝ™¶w÷@‹°Í EêDÊ>ß_ßv!Q
-e6M2“x&Xâc,»¿]ˆOüñIšÄLfjb2'Œ'“ùâˆM íݧ>ÓÐiÚïõööèoçÒL²8ÓBOnï{¼Ò˜¥)ŸÜ¿D§?ùp;»>žŠ„E:>ž&šEo/.Ï°&ÃâôêòüâÝ?¯OŽŠn/®.±úzv>»ž]žÎŽ§<M8ŒÄáÀ€ó‹ŸgH½»>yÿþäúø·ÛŸŽf·›½ô÷Ë™tùýè—ßؤ€mÿtÄb™¥Éä>X̳LLG*‘q¢¤ 5ÕÑÍÑ?6 {­~èüã1‰œLe«$IO‹S0˜–HÎã,Iögri€“qg’蘹9Á{g•ŒS)“‰I²XK!ý¡üqoWÇ<¦eícDo ˆÆ$ÊÀD®ïšÚ¢H»U^·0²¥ÏGªoíê øyº¤FÏÞÎmùTÖñþ)(8£µ˜ôÿe‘*%hˆ†:|M+³Œ%c2V&ÖÆð]7ëî ¹µuñºx{ëþžÅ+EÌe"ÇÄ+a[‚g^buÓ•÷/£‚½ ò»¼º½8ÿ7ÒK0M×Ì›êááªÔ÷.<=S&Æ„'¤ÛVê¥2¯J[kå”Óܶ-¨Ê®¹Ç’Xô.ûïkÛví+òì-ôkÉŒš1ŸeOȃòԚŊ)5&OX[ʹö‚Z׋¼›?ÚbT¤ïA–ùƒ… œp·;§ÐŸD;S kÁ!u¾d,ÁtfJP¯çœx®ëü®²Ä¿Á²°]-Ê:TÃ¥
-{Ÿ¯+bYúÀšw–Ôs7táý„ä>•P^PJÔw]UCâá± ÂyÌëÚ¾b‰ûWòË®ù7µÄ˜+•YbÀ  ZâÚvÏÍêã¨Ý¸¤~hƒ—v•weS¿bmû‹ùŽ½—+¦²1c«ƒˆ‚‘±]p3F%vö†³œ£ÄpÌkâÚ®ã{–X»D¦é˜¸œí`|¶âš¶v¾^•Ý8b:Y<zÊ+^^H¶.CeÀtŸú›øj²Ö&–
-Ö`2“mÍëb‰f5îå.j9Z}ò;— óäÖËÁ‡„=EfB4ÜßQkÛ,,ÖÜçeµÆŽ‡aFs_ fg¯f?aF>1>v
- !
-Þ¹WT´wö_KE!žŸåýiÄAåBÄàÜFUTdâjŠ—ÁgL Âéã†ÍGŸL÷ôé , úu¤@íèŸëÝ`_»¸Še•—Ô×Å=ž(ÖvÐîxŸE]¹°€ýœ]……474` ¾ê¾óóC•cåë6ƒQ©w¬ªïÐ3e™í”öÎR¢ÎóS$
-"ÇE :‹•~SP9Cщ¾i€jtïn0…ÍPgÿ
-e‡Ó=X„ó.©Ða¹=:}„j‡íihƒ%²eã£Ó楹Ÿ>#Æ;ˆ´hꨒ¶ 2Lç\‚¢½q©3²«RR:Ç |ÊÃy^#™GÝQ“×f)A‹A”H"ä Û6’î[KÑ){&{©TÁLõ„˜¡Ûðµ5Ø_Tu¨%U‡ê êóá‹Šò1½”£Î¨›
-™òm4uOyU@Â7=¬»ná9…2£Ä„ÜP÷à m£Ùý ‘~ìõp4¾õq¯ã}Ìòe8h ­¶?žû5žc˜Ùû5Þÿ7*,„ë _¦‰†nøŒ~Å÷ɯù„à±É
+xÚÍZKsã6¾ûW¨j‘+ƒssü˜u*cÏÚÚªÝMr EØf E*"eóë· H”L‰™OUìšx£Ñ¯â#ÿ|”¨ˆÉ4™4Žãj4›±Ñ´½?â¾Ï$tšt{ý4=úñBšQ¥ZèÑô¾3W±$á£iþëøôŸ'§ç7Ç¡ØXGÇ¥Ùø§Ë«3ªI©8½¾º¸|ÿc§—×WT}s~q~s~uz~<á‰â0^øö ¸¸ü在÷7'>œÜÿ>ýùè|º>K÷¼œI<ÈG¿þÎF9ûç#É4Q£gø`OS1šÅJF*–2Ô”G·GÿZOØiuCûø3q¡äh"“(V*Ù¿,-Á`YOr¥Jí®:áÒÀLïD鈹¾Á;wÂc%Rª‘Qi¤¥îRfuõcâ¹Dg
+&€9Lû3<ö¹ç ½°N}'@Öš¥ã:€ÛJ£6ª…}Ș1.‹@5«ù<[¾Ð‡³ŸPfeSûŽõÃC†¸æJbÓ®p£Éšï{UI$WágYkjXžsN€¶p;•‰ØfþôÑmNªÍøÒãP{JF5 éÔ¹ C™QÃøBÞ—ëÜævéàÎX‘J‚¹½ÏV¥Ÿ²hûPXÇÛx…w zçôšC
+ð¥”<ˆïª,ûØÃ#˜ó˜U•=d‰;*ùujþm-1‘Jä %æ:↑%®lû\/? Ú+ßl0`f貶Íü]?c‘É°Ò,Ž÷Ú½Zä ÃË XÎbF,£1‡øÕÙÈߘ_*I x“r€_*‘PiÚáפÁ ¬h‡1Óɤ§¬Ü‰˜s[¡2 _€º‡x3^§<‰ø"yCör[¦†ƒàv«°˜"+8ü²
+µ½Uë!‹0)Î~ÌÇä¨SwN‚žð±ªJ@O}&±H:|‘=;„3qðLõÂ'‹`îÇÌAð‹ÖV¥‰L¶¡…c zX›÷²˜Èí‚HÜ‹#À†:ºîE½lýÂmHˆâ;_}ù‘6˜å¹Ï¼øÔÉžõqFtæïüÎn\¾òZ,…_Jòõ±7 LßÏã?¬Ý yYX@^ åàŠ>ïÀâ €À};'Ã
+n‡݇[‰Ê áàç™m
+™SðXf~†ÌOÕØ^„òSì{بVã­’FtÔâqt:žP5( ×=`÷½B3ñšo Î-S;¨Ä5o×èñ9fÈzöFƒ€ÎŠÊUc‰ÀÎà LÒ ~zú‘ˆõP’oÆL×cÄzÌÙõ¦6r{~Js^ÂÎ}×E<$<"¡±~nlpXêq ü>=Ûô;}´³ON3±å¬hPƒs·–ë³;{J£°C¿µºo]rÃI'a]äã—¦-ªÛ…–mm؈´Øˆ4÷샺€”´?
+ÁwUÅ/‚á†Ð¨Í³úÉn€]Ê]æ Kz]G*¥´¬"
+P2a ¤k*ɱ÷8µö±n¶ÞH¼7Ï!Ú YëíGË"Ó¹¯»áo*4,f"Ó!™a
+‚-åíª-탻ÎI]•ÃI€³u 7äØ ¢ìåDB<òKýÐPËÆÙœPÙ“%Ê…TŽÂô1\ÄŒ2­r»úÏÙõ‡“K÷[ ã”…Òá!Ìt¼(}SÂÐ{¯~uP×ö§^3j{d(ë‰*Ù&IJÃÜ3qÇ,ÄÈEµõ NÊgNkÿ‚×´«;¢þ\¿üå"/R¹ýÚ¹ú·PÁôü¢Ÿ"øQ"¥M ì3²i¼Å$÷qÄ°Qs5Óác:SAø Î P[‡½kêëã1=^”Yáûº_; ‘¯z­¹útÜs ¨m*œ($ï¡JðR×TT…S¹ºõ`’è-‹ê:tÌXêâÕ‰½³>/¢Æ7§D
endobj
-1242 0 obj <<
+1622 0 obj <<
/Type /Page
-/Contents 1243 0 R
-/Resources 1241 0 R
+/Contents 1623 0 R
+/Resources 1621 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1245 0 R
+/Parent 1620 0 R
>> endobj
-1244 0 obj <<
-/D [1242 0 R /XYZ 85.0394 794.5015 null]
+1624 0 obj <<
+/D [1622 0 R /XYZ 85.0394 794.5015 null]
>> endobj
-1241 0 obj <<
-/Font << /F37 802 0 R /F21 714 0 R /F22 737 0 R /F41 939 0 R >>
+1621 0 obj <<
+/Font << /F37 1026 0 R /F21 938 0 R /F22 961 0 R /F41 1218 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1248 0 obj <<
-/Length 3540
+1627 0 obj <<
+/Length 2903
/Filter /FlateDecode
>>
stream
-xÚÍ[msÛ6þî_¡™ûpòŒ…
-F0c ¦,’ìÚKXÎùôæAÓ?®uý8Óu]Õ]‹¬Õ÷UýˆsÉ'™Ofb©ÊÈD!TÉï^¤, T •±Î@þ®D"mݹëy&E4ÍúmVzžÿÆy0ϊ••­.zA_wU‰pºÐ·ëûû¼¼§üÕº^UnÎOgJÓ›Ó4˜VVÀB—m~gÅml"+­È‡jƒ£Å¥f*HãÉL–†a`Ú –L…f’¹ÆõSÑ´>ÉT7뢥¼䯪²¡ª!ô›Ï¨4/9Ο
-2ÛFŸŠimš€_ÉÓé+Ý4Ù½“RÝQåö!·9ýBb~F=SQû éÍeGÓª,ŒÂQÅ4S²»¢º¿ÇeF`lòöaDßaÈB!«C£‚EKÁ‚’T«ÐŸtÑ0Zâ$bq"è8f© S㢥N[Tl’ÔšÒfòð+ìgM¿ù=N–ìŒ2tfVR¾¼‰ {3•æÕB{y L†Ó__¢ä‹«Ÿ(7·cñ+³ywUQT€ Y%†ÖD3Ž ýE˜<E`ž"ˆ‡ÿâ/‘y
-\èVÏ[có(¾¥â"/5嘱šj ›jMz´5Ðb °(=¢ ™( Ëd@[l>2w%X¢¤°õÀ ãPNªî Ë*ˆ˜JD<´¢eo¯˜¬½:@;,6µÊê6Ÿ¯‹¬FÖ3 ÖÅÊ"®£¯jçÙº9
-±wÎN Ñàïº}¨ê¼ÍÚü“•Ðèú“¶¬ã ²m ‘´Gª3PÈë ²Í@ / Ó1d 4ŠQ½ÒXm^Ãÿa»ÈKï†V•C™¦ùºnhÔ]VSk¬nÇÐ>dí àG=)DßïcèHÆÂÛJ!—VÝÛ
--ªêƒMåôçÓ­ûn‘ÉÐJÁ˜Á¦[GÎxkœ>¨ìv.~€ .(%Ðç"‘ŽsÚ| ŒpEµnŸ5ëù&KMß-ªe–—çžô³ZßdÅy
-Ét ‚ý©‘™ÉÁáCXãÈŽ˜9ìmˆC¾ªš&ï6h+šul—·gŽ}W~~UŽwo²èØÇWÛCÿPÏÅèÈø9^t¿ÃàcuÊ’´?àûœÅÜk7> ¿²Ý|MÆS¡8‘âi»‘
-f,¢ã”(ŽT¢·:ß²ã€%AœPb1ÐPHŽ’õÓG(ÅúÝB>©D+Åy=y9×_´£ºó¥Ìm^¾å?¥oâßòæq–ÄàÆŒê'T0‘XO˜ÒÍžYX óåGé¦ØbÂææEó‡ÍME,áB~ñt±ËÒÎÇŽÃÑý­Þž—Î{?üöqxÜ›—&ˆÜw!Ò»ÝvP‘Ž!üµ¬ªëÕЗÇ+Öô¯®ýbaÛº9dàÓgî·Å‹ßãÖùoÚwÛö(kàÚÍMÀô”5x0û–ÙJ%,q´‡­RÆU“ rEašŽÀ+
-X5±–ÀXͶº?ǃÓå¼Z—­ÕßV„7pt{ÜÓö$!JO¾Øž^;o Üù¥ó¤æóqóßv>‡•·Ž¶Bˆã8¾ÚåÕóW??!|+l·÷ OaÞÓ·Œy¡
-ÕZq<Û5ªµ×£Íã">*<Y—ú•G¦ÛWô–›¼ 0rŒïAâ\»=ÛS A\ugHÛ.ûÀ zÏîöñ ¢ž¶+˜¦"üºÎŸ§³oÙ¹Àà±<@§AÂÂT¶èÂid}D,X+·Ž/³¼X[] iΣõD÷™x[ãîýð¨k!ðÉŒŸO…{Û`çe”:@’»÷Öù¡awαš:¯ F•›{w`ý}êõq±uöX=|Ë<($P] ž<ó“"¢—
-æ6ØÞ‰Ž
-lªÆV ·H¡kùcTä„EþëMÌw/ #÷ gÜÓ‘«Ð.\07ì!9¯&µý^m]FÓkCø¶jK©RßÛGaøµå!cV³ÆƒfL™—z(æ/^¿º¸º¶¹Ý%:J«Z_Ð=ÒK^O‚7ò‘y¹ÃÑ»ìÏÕ°úk8ø¯iXuVã†ì_Jz{F•mÂÞ¯Iór¸±)óˆRuŤÄQêÍß´îô«úáKåže«„Ô„ØØŽ]o¢{µ1p÷„oýÅÜÅÕîtl‘ßaót»;Ær»ˆ÷Â8¿k1¼|ǘuï¡;­˜÷gR±$QýŸ.aßÝ›Úm™oÛ¬ÕË.Êû¡ÎðVü˜W÷»î·录1F _éCĪÂ.–¡q„¬1ëÅ6Ãû‹´»óÅàpÅN<ºú 6¯Ê»ñS*
-ѪÑY힇ÚÙ‘Ïñ;E[»ÙW|ä˜Ë[.ªÖꂼ}¿ÍØÛ p{ð^FþÚ…Oz×Çþm÷¦ÑœãþBçVØAá¼d²3r÷G8»Cÿ7?â[4endstream
+xÚÅZKsÛF¾ëW°jKU‰ãya
+Xd‚àh×…à1ð?‰’L¨@u2‘b !¦£p13J*+“Û_ÿƒïSå`*¼HèøãœëjUï6I[Ô<iΓ婘×û–zùnw*¢y½k¨_ØYfn©y³­«&§‘m]éþYWŽú;ç²Ì›3<츂ÅA íÖÄã°+Ú6¶*Ò#¶°h¡¡›T &-}ÛuNuq¿Î›ÖÝqôg17‘»d–/÷÷OOj¸ŸTæ_óÒt!ˆ[èh|âMN$ðõç/ª{"%p•Í¶mØ1u2-bÐ@Œß ¥#¦@ÿf‹’Ïaׄ<<Âøÿ¶ÊD˜˜© ·!ãáX7éˆ #
+íEÈb%#;㢥M[Tbl›´šÚöò𮻣¯µoöÉΈ'ö¥;ÛÓÙ_±ñnvRZgùx—àmƒ`þÛr¾¸~GÔÂeøX‰£­ê²¬
+•Oœ"xÿhd¶X:qw-X¤•pó@!Ã@ÍßÕ÷„e- Øh;¿N_`rúêí±XºÖ6ÙµEº/“Z= ê¼Ü:Äuæk„Ú4Ù7/BìÊë‰54øÝ·ëÜ1D3_‡&ß}ÍÕñP9VP£ÜæFw
+
+´NAl4I»±ÑG
+jB¯ƒ4NKk°ð¸-ŠQ 5àI`J÷»†NÝ‘šºÜãtw†v´£a€í¤}vï%ŠŽÆX \)P©áÄ},в®?»Vñ9ÿ+fB‚KÂØžl•·hÉPKA™A§[o¼òîðú :Ð_ð\ük0iP%q²#ĹˆÔ9õÛbãwƒ8÷U³OS¸+>fõ&)ªóóéØ5_MHÊsy'måçáÙ—ÝC>Îp à}œ•É&?çgÜp·ƒÆ”œ–IL¶çâ,É–4m®­#4¿&%µ>=Ìà»F],³ÜX#±k.<´:HäåÐarã`SÒº´°ZQCã‡Ç"!Â1T;’‡*ÑH1a™µÐÕ´{æø[ €i MŒj†z¦RLGñŠXôâ%r»T¸vl(„“ìM‘‚/S%%Q‡QÒ…±Uæ~a퇃ÇJ…Ó¬Ça4ð» Øs·¾chM<¶,œ' åÝÐàcŸR¨
+"ˆŒcoì{…™ŽPÃ0ˆ:{oͼ@ÈÀûAÜW)§Í”Ú(íQ!ÊÛM¥~ ÉÝ#cgJÂT+“Áb°´é5nt<[Ñ«
+ÇNq¿µUR6¥æ¤áɆ"°~È»šñm‘RÕí(G×6áñ *‚ÎBZÙ‘žçUZB®•Ýæ<ðm¾ìûìúË]’~ÎÛÆ:m€å F Ä;g0tùeéÕ$RÎNFÊQî,/Ko^'ÐÙ\ú[[…ˆú¤vd0¢…ª«w§›ÊrÐ,HŸÏ¢.çeF»øËjï;4Æ<ù–ÔWw• ;ça[ù(y´fŠ†:PåÙ?q´cDYà`qÏùà³?gÆ ZåRcuáä t!ÈÙ(oÀŽã!LºòNôú
+]èz×Dœjýü#°v”4‡Ø'ó“ [ûûõ¤‚RUÇÅñãp hΖ¡+rè»®Ž–%Ëú«k:Ÿâ'=à&l©t…_£Aó8,anê¦í£y¯ ¹ÄÊÁv™=]ÚŠñG•6}àòr–~Å“hQÌx¬Í3hÓ‰|l…!þËÀïÑ Û6ü¦i‰Ù3¶É8RË-ãÍí
+Z?¸©Û|
+f#%P'ì<v´ÛÄæ9
+rö¦ ÜaYNXX´g>…ß}1Þû]èëÌp<ª§QõÉ×ôuu7h}®lh„K(B¢+2çUÏyºZ68Ï7]p`äèýŸR»!ž¿OGzµ“ŠÅâ/i2­PßP;0iùmµÃn°ÂjËW”N¿ÐÄÕ›x#»êJ_ÕîË<êظL+W]I5¡Ç”<`Jéø9 ZtGF”ƒ7ú¾w?¥ú¡¢ÔXWñ3¢ ‹àŽ¹làe²„dª“%´)ì’žICÔ¦¨R7¹õ«ŽäÚQ:§H/×GÁtâ]áÐ|CVƒGøQ²"½Œ¤·‹ÓqôŒ¤”d1„Ðî6ù 0½£ôÒ,Ké’ÉÓõÈÓÁP_=À^ÒNÉgZ!µ!ÈgSšRŽýÖû. à¼ÆYplÛ$Ýæ5]©óÌn5–ШO—ÄV^8?xb?ÊCìïzr¾| ¯ýMA`vh³["ŽÏAJí–Ù_`z2šhë#vÚŠ¾X—Ýo=ç©Ä¿©ˆÿn+À5Ë'G€,;Y&vs%­Ç½xû=áQú¤ ºÊ__ÉNÆS?Ä CÍÔfyOëSÔæÖƒ€6iÈ Íä_jÀî˜ßýw!ýÍè©(êýÛ€îgo…/òÂç ø£¿ZœIe¤Ÿ58úEQendstream
endobj
-1247 0 obj <<
+1626 0 obj <<
/Type /Page
-/Contents 1248 0 R
-/Resources 1246 0 R
+/Contents 1627 0 R
+/Resources 1625 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1245 0 R
->> endobj
-1249 0 obj <<
-/D [1247 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-326 0 obj <<
-/D [1247 0 R /XYZ 56.6929 769.5949 null]
+/Parent 1620 0 R
>> endobj
-1250 0 obj <<
-/D [1247 0 R /XYZ 56.6929 749.9737 null]
+1628 0 obj <<
+/D [1626 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-1251 0 obj <<
-/D [1247 0 R /XYZ 56.6929 433.0023 null]
+446 0 obj <<
+/D [1626 0 R /XYZ 56.6929 689.473 null]
>> endobj
-1252 0 obj <<
-/D [1247 0 R /XYZ 56.6929 421.0471 null]
+1629 0 obj <<
+/D [1626 0 R /XYZ 56.6929 661.8816 null]
>> endobj
-330 0 obj <<
-/D [1247 0 R /XYZ 56.6929 173.1316 null]
+1630 0 obj <<
+/D [1626 0 R /XYZ 56.6929 297.0896 null]
>> endobj
-1253 0 obj <<
-/D [1247 0 R /XYZ 56.6929 148.792 null]
+1631 0 obj <<
+/D [1626 0 R /XYZ 56.6929 285.1344 null]
>> endobj
-1246 0 obj <<
-/Font << /F37 802 0 R /F21 714 0 R /F22 737 0 R /F41 939 0 R >>
+1625 0 obj <<
+/Font << /F37 1026 0 R /F21 938 0 R /F22 961 0 R /F41 1218 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1256 0 obj <<
-/Length 1976
+1634 0 obj <<
+/Length 2618
/Filter /FlateDecode
>>
stream
-xÚ¥YKsã6¾ëWèHW­0Àçæ4™±'N%ή휗‹&! >’²ãd÷¿o7 D‰öj<5UÃf³Ñϯ€Ìç>üãó$d¾Lƒyœ,ôy8Ï«™?_Á·/3neNh±/õýíìÃ…Œç)K#Ío—{ºæ' ŸßwÞ§>þëöüúl!Bß‹ØÙ"Œ|ïûË«ÏÄIéñé—«‹Ë/¿^<‹ïöò—+b_Ÿ_œ_Ÿ_}:?[ð$ä°^X ¯,¸¸ü霨/×þùãõÙýí³óÛ!–ýx¹/1?fw÷þ¼€°œùL¦I8†Ÿñ4ój„’…”ŽSÎnfÿî}5K§òÊ„…‰ˆ'ð©†)‹¤&ÿýcøp!øœs–†¡@Q¾b–D24B˜. K¾ï{ås«:ÊÂMŸõªRuO¯ŸÕo¾/jÝë¦&NVDüÚe+e-‰=ŸÀ™Hyl Ý®ÕàÎNˆ§,‰ŒeÈþ±*°H¥°RÝÎ5)¸—75ú¶Ú¶g<ñÐäö`ÎuVÊ÷:Õ>©Ö~n處£r«/³2z”zµîŸþO k¦)­²A1à 1&¤÷›ú7JB(>K°LQ± Ž9“>¶«9×ûÕwò‹ý¦ú£ôëÅ4ݨ|@½eÈ’ùb
-Œ›ÖŽ³lM}¾º!7†ÎMÈ€!Æ…Ød¹ÂÜÉÄÃMB@#´…¹"ÂúµiêN‘¼/éåÑŠÁéúö,ñ¶9UÊ4…Ój…:³W!Ueumâľ숗ѣnÚ*³Ú)`@Ú·´Ï×f’ ׂ#”‰]!Sav,Ÿ[¬Vƒ1V¥çØ;tJéÛ]>j™Á˜&Ê>Rnv…é”Î æÛ`rÿû†¨ƒ}ÍrðÚšÏj’Q- Òv°:qßêÕÊš*¾bÖþyÆÛ*kóõD HÎDLÌZ$&(|B#맬ø¶Ajò8atFÑîÜó>Óv[Ãh·-|P}þ¡5Å
-…×ROMÑÝÞ1Ø5S,™w;¦¡}Š×i$˜ˆ"ç ®TÿœP 7aŸ…iäCb© qøÉRüj4‚îHo¤Ó{/pî„ã í©û©£‘]½nº~7 ÜÛéëéJ¼ÐÅþëƒ.ÞÔ0ò¿Ð­Êû¦µ³éúp‚q˜#‹oXnŠ¸øïí§¬yÝ£íU×e½È[U
+xÚÍkoã¸ñ{~…¿UÎ<¾ôê~Ên’m·Ùk’=H Å¢m¡¶ä³ä¤Ûâþ{g8¤,ÉJ²kQ,Ž†Ãáó¦WL8ü“$d\¥z§š…\„“ùæ„O–0÷öD8š™'šu©^ßžüx¡âIÊÒHF“ÛE‡WÂx’ˆÉm~¼ùËé/·ç×Ó™ y±é,ŒxðúòêŒ0) oÞ_]\¾ýp}:up{ùþŠÐ×çç×çWoΧ3‘„ÖKÇ቗?ŸôöúôÝ»ÓëéÇÛŸNÎoÛ³tÏ+¸Âƒüvr÷‘Or8öO'œ©4 'ðÁ™HS9ÙœèP±P+å1ë“›“¿¶ ;³véØýi.˜¡‚›„ÄQøô¶´‡m¦,ŽÃd°ëL¨˜é0Fð„IyP‰•­X¢T8‰O¤¤²:)Mcv;¼š/¤ìåġŽa $»]™éLi”ûͽÙ\-hD" ªÒTûšPaêýºqˆf•5²¬”§©Öž¡)g( ì9‚¥a(íæój_‚”–<G•FAQÒX›©ʼ(—ôýÛÞì
+SÓîˆ#îhØ¿0f‘VÒ0¯6p=¾•0 WìÈþ§»S2Þ—–-ÈšFŒ‡Q:”z³©J<˜æYm*jÝ-hw ›ªqßµÙ¹ûðÄa°/‰*›¯²ûµ#ÌʼYädÄXEÃëm1sS<à )
+Ó—|(JS–„‘¶ç¾Ïò©·_æDQµN„0:ŽûÒüskæ Z8~;õm«²Fm!êï<äè×­—*Gìz`ëlcF$“Š¥ôH2à,¦3-DÐT4¶Ž„µ)‚î?;2<
+}+CLÖHF¼.LK½äu3ÉC¦”8¹ßS&ÖUÞ÷ÄÁÆtÌÉã¯`éW<mcR§æ/ØX:Jyjžå÷_§/²b½w:옆6R†)—.P"ºvðÛ‡$Íòܱ¨=´RœWê <J“$M:¡
+×VFÅ•‹]€8={ÍõÞÓ´á.œÖ¦ »ÒÆJnc¦ Ê~¯Ap´Y(JÝV
+(¡K”my¨¹K¡
+-ÜF
endobj
-1255 0 obj <<
+1633 0 obj <<
/Type /Page
-/Contents 1256 0 R
-/Resources 1254 0 R
+/Contents 1634 0 R
+/Resources 1632 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1245 0 R
-/Annots [ 1259 0 R 1260 0 R ]
+/Parent 1620 0 R
+/Annots [ 1638 0 R 1639 0 R ]
>> endobj
-1259 0 obj <<
+1638 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [519.8432 682.6714 539.579 694.731]
+/Rect [519.8432 183.6871 539.579 195.7468]
/Subtype /Link
/A << /S /GoTo /D (lwresd) >>
>> endobj
-1260 0 obj <<
+1639 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [84.0431 670.7162 117.8035 682.7759]
+/Rect [84.0431 171.732 117.8035 183.7916]
/Subtype /Link
/A << /S /GoTo /D (lwresd) >>
>> endobj
-1257 0 obj <<
-/D [1255 0 R /XYZ 85.0394 794.5015 null]
+1635 0 obj <<
+/D [1633 0 R /XYZ 85.0394 794.5015 null]
>> endobj
-334 0 obj <<
-/D [1255 0 R /XYZ 85.0394 731.9325 null]
+450 0 obj <<
+/D [1633 0 R /XYZ 85.0394 402.0723 null]
>> endobj
-1258 0 obj <<
-/D [1255 0 R /XYZ 85.0394 701.4683 null]
+1636 0 obj <<
+/D [1633 0 R /XYZ 85.0394 375.8082 null]
>> endobj
-338 0 obj <<
-/D [1255 0 R /XYZ 85.0394 475.6865 null]
+454 0 obj <<
+/D [1633 0 R /XYZ 85.0394 235.594 null]
>> endobj
-1261 0 obj <<
-/D [1255 0 R /XYZ 85.0394 450.9966 null]
+1637 0 obj <<
+/D [1633 0 R /XYZ 85.0394 203.5557 null]
>> endobj
-342 0 obj <<
-/D [1255 0 R /XYZ 85.0394 393.3855 null]
+1632 0 obj <<
+/Font << /F37 1026 0 R /F41 1218 0 R /F22 961 0 R /F21 938 0 R >>
+/ProcSet [ /PDF /Text ]
>> endobj
-1262 0 obj <<
-/D [1255 0 R /XYZ 85.0394 362.9213 null]
+1642 0 obj <<
+/Length 1423
+/Filter /FlateDecode
+>>
+stream
+xÚ¥X[sÛ(~÷¯ð£ó
+èÊö)mn:Ût7uŸÒŒKØbª[Ê¥»ûßR¤DÉÚÎxÆÐá;÷šCõCs?
+aw4–f)§R§Ÿ^ÍÊòGS™å Û–6»$jB}aê‡]âVTZŠemdÄ ú<èý´Õ\ }gG®êÖB¥¢¬¶_‡ÁW}½¦y®Ä<Í
+ÙlY+2ÚõÔ_eaÛçSg[“lºúÎö­³ËJ»rt¹ê‘OW)ïšzgmj•ÛYŒ‘cži¯(žïù6
+§þ
+endobj
+1641 0 obj <<
+/Type /Page
+/Contents 1642 0 R
+/Resources 1640 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1620 0 R
>> endobj
-346 0 obj <<
-/D [1255 0 R /XYZ 85.0394 329.3761 null]
+1643 0 obj <<
+/D [1641 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-1263 0 obj <<
-/D [1255 0 R /XYZ 85.0394 301.8169 null]
+458 0 obj <<
+/D [1641 0 R /XYZ 56.6929 687.8224 null]
>> endobj
-1254 0 obj <<
-/Font << /F37 802 0 R /F41 939 0 R /F21 714 0 R /F22 737 0 R >>
+1644 0 obj <<
+/D [1641 0 R /XYZ 56.6929 663.4753 null]
+>> endobj
+462 0 obj <<
+/D [1641 0 R /XYZ 56.6929 594.6899 null]
+>> endobj
+1645 0 obj <<
+/D [1641 0 R /XYZ 56.6929 564.5686 null]
+>> endobj
+466 0 obj <<
+/D [1641 0 R /XYZ 56.6929 531.8042 null]
+>> endobj
+1646 0 obj <<
+/D [1641 0 R /XYZ 56.6929 504.5879 null]
+>> endobj
+1640 0 obj <<
+/Font << /F37 1026 0 R /F22 961 0 R /F21 938 0 R /F41 1218 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1266 0 obj <<
-/Length 1168
+1649 0 obj <<
+/Length 1194
/Filter /FlateDecode
>>
stream
-xÚ½XÛnã6}÷WèÑ.@V÷ ö)›:iÝlëzŸÒÀ %*&B‰Z’rìnößKYK‰ÝJŽ$J<3çpf8¦¡éêÏкh^`CG7-LFºö Þ]ŒêPÚ_}œ~¾²<-€kºÚ<naùP÷}C›Gwcšp¢ôñå—Û«›ë¯³‹‰gç7_n'ÀtôñÕÍoÓòîzvñùóÅl ß1Æ—¿^ü>ŸÎÊWn…ññæö—r$(/G@gÓ«élz{9ÜÏ?¦ó†K›¯¡[‘o£»{]‹íO#ZïhOêA‡F˜Z2² :¶eÕ#tôçè°õv7õ ~†MË5h-}ºº‚òœ
-CœIU3ÂqtBucü ñh¿¼å]‘%ÅŒ ²ùÊèŒy;ßËKdÙEQ¥ã]ƸlÆ‹‡ûò©2!¬íí.?úè“«2¥j]ø¨äæëÆ£¶¾ïÀL ŶÞa´×¥\­EQ¹þîyW£tàúq/d®U( À ¬’m#MWpG%M¸ÂJ•VõÝó;–Æ‘ºø·üì!
-†´RˆÐÎ
-z¶eïPê´ª­Mk ׃–gÚõßSlo1¯{a :žmT¶c¶½í¶nÏ•'¦38ÜÙV¢öRÂò íÛöpoŽZ,Nñßé â› ÷'©¶Zß7›s@Ólšž¯È)Ê©‚‚­¿ò¼>U|íú?ËØ̈endstream
+xÚ½X[s£6~÷¯à1îŒTnâ2û”M4;ÝlëºOiÆC@Äš
+G¾NîT%nš¨Ðp¤lDC…šëêJ<1‘‘iUO4ùsòG Øz»›Ú§2ˆÝîÐÔZjª]Óµ¹Ð2tc§àýXªz“„Ä^æ)M8æ²{‹ù’²eB?ÈöCá±0 4 ºéˆ<ÊHaà'^|@B3n÷æÉæwùÀ/iD|’u:cg˜šDÛ~#ZÛÃ~Î8¡Ép~,ôuCu@¶M±6|zÎ1 H)NšÜ¡{$ÉÄ? /!Çà 즆ŒÆ aˆNüj™þV‘Ú/¹T·ÓÅ#oÅ í›AÂ9öN¼Çw»œ¾ö"xY½jÇézyF‡Q‹(}ö8 pÝ@UØŠ¦¹Pг»`IgÌž-ÖMÈXÎ3à%þŠ–r¶ßpýæºÜãò^5>D%¤çû8Í€Øi„á`øŠ…”m<ì‹YìÎÎB…„ñìˆïýKdÌʘý&Up§K/JeïSʲº¿h<ÈViBXÙÛ=þ=EŸ\¤Gžyþ³›­kGm}Ûét‹£ £U£‹\­e‘1ÿ®
+BI¬Ãð4ß ™+ÊëÁª¥éjzý(¥ñWX¨ÒÊúÇÒG§§:tZ<{¤Ó÷¤ÁtCÊ#Q§ƒ<%”ác¬¾ãQ§â@ô) üz£qõã—e¬ÇÅ ‰¿Þ¯Cò…œ/N%üÄH¶ž)*oe½ðŽ>s¶~›ä1"ÉÓp•¼(¢à ø‡&¸›úöŽÀS²X ת´J¬"`Η±—ù«eDªä|:è׳7ajG0AuìKøžX›‡üFÚ=jdÌKxX¥ÓÑ8ï•Äã㎯DžŠrp쵓  ¬3êÝ:~‰,SÁ3>»g¼- š‚êŒ"OÖ‹ £"·kǽ„òá5¨LÄyæd(tY›ÙÖàÛ$[aNøhz?F¢L[Ñh¼)>ÞÖ&ȃ%U—jÑ34Œ×T| ¾ñ¡5^ÉÐÏçb4n’Á}Ô)W;•ùKW›μ¯eypš3ÿ Öh~‘Ôl•ïe™o»ÐÐm$`¡mæõ§Î@ëE]1Ͳ¡aëf¯þ‹mã-Ï«O "ÛÔJÛè˜mÔØnëö½d¢#ˆt·¿¼.E=I ƦcšÃÙH¦ Mõziœ'È)‹Ñ¤ýÝõ5íXèÔqÛ=Ö¡f® uKÕh&9¢5¢XgEOß•ª`qÚsªÖÀo¾nmî¢M±G¯oRu½u“j¨tt×®Hž cŸy}/{Hý?=š
+endstream
endobj
-1265 0 obj <<
+1648 0 obj <<
/Type /Page
-/Contents 1266 0 R
-/Resources 1264 0 R
+/Contents 1649 0 R
+/Resources 1647 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1245 0 R
+/Parent 1620 0 R
>> endobj
-1267 0 obj <<
-/D [1265 0 R /XYZ 56.6929 794.5015 null]
+1650 0 obj <<
+/D [1648 0 R /XYZ 85.0394 794.5015 null]
>> endobj
-1264 0 obj <<
-/Font << /F37 802 0 R /F41 939 0 R /F22 737 0 R >>
+1647 0 obj <<
+/Font << /F37 1026 0 R /F41 1218 0 R /F22 961 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1270 0 obj <<
-/Length 1164
+1653 0 obj <<
+/Length 1155
/Filter /FlateDecode
>>
stream
-xÚµXMsÛ6½ëWðhu(>’˜œWviœVUOªFÆ"r¢4ýï?$‘e‘t<>˜¹oßb ` ™?ly "ÊmËå6d3+XuoÞÝŒpõ Ø}ê_½~¾¦®Å!wˆcÍV5,"ÏÃÖ,œ_\ýzùûl2ÂÐ…Ç€9èâííÝ/å/ÿ]}¸»¾½ùkz9ví‹Ù퇻rx:¹žL'wW“1ÀÃÆžT' ®o›”O7ÓË÷ï/§ãÅìÝh2ÛûR÷#š;òy4_ +4n¿!H¹Ç¬/悘sb­G6£Ù”îF¢ÑŸ£?ö€µ·…i›~ŒzyÄmÐÆ51%Ðs¶\Æ¡C -œƒÐEš(]>ý*Ÿdº< Ï}µ06|\ 0tmÊ
-ˆŸªW3†­Ú …KëÅ»x³ÏM¶9´)wÌSBêÔ>o„Ú‚,Ù¨@€Gç)Ë:_g釡jæ.$Ž Å)ÂäˆpÉÈ„’"ó¶Ñ0±ìSsÛíb}¯˜átÇ×™äîŠ,ë¤u¡íÙ¬è·èG­òãWÏ& XA9&ITŽoE¶LÔ2NX¨Uå¦=ÈŸ*ÉãÍú£PíäˆMúZÈX õèG=±ÖþW •g+¡€–kd|?‘lôKhÈ0êFã D' Wt‚ ’"î“9F~šÚ|̃Êä£è>}ƒ¸™\úQ¹82Ë¡çü5{)ú’ÏU‹d¦EœlD_ÑwA[%jíå~ `>ø"ö¨
-w¼­Æ% wa[M—K “^žîm¬­½mj|{‹¼S©Ü¼*ÉÔ>®Ï.‡”¸mõ™AîºN{mœŠlUq­5²ÜÏpžM¶Ã¦jŸ j£J…„º¼}Ë4è%k íd%ˆC‚k•µ…ëYi Á»Èy%ºÄ…ØöÈÉò¤¼}¶Ë8Ñrµ¡ˆüí®TIf-”Ú§Bè”6Ž ©KìS‚±—¥K!µ9?Ïò|Ò2ð’s Iq8®þ“xvŽ‰e (‘Ê÷¬®žc;`!l´ÿul,äוQr2ùM èþ1qÍ{0ÏŸ–Y*‚ ‚Ä´Ç–å6ý¡ßÓ¾áÁJF»¦ ÿä™öƒO/aDÂe|º·¸ öÂWú£ð5Ø#f+?CŒÚôG2Ȇú “41˯™-Õmiš¦àa™w`Õ¢^¼yŽŒIŠÃ·/‚R*$*ÜõfZ1räù³oŸ¦æ!COËùæ´¡õCOøÁÃPã¶Í6]Þ|J½m]
-•PåE÷“yeº/²$NÂf?%ÿïëê…OAém*ñY˨$é}˜Ê›¼`÷ØäS•<Ê°£ÓQ΂2=ÐZ«¼P
-øÈRÿ¨eêìD!žX™
+xÚµXËrÛ6Ýë+¸”:
+×#d=š¹Û®Ö€Ý"P_õv>úñƦV
+PLmh;A{€6X^ΤCZ~¤0$>¡çÌ©¥áÊŽüÙÙ',Î$(‘Ê¿÷¬ªža›#û6ôü¼n±fWœâBØèÿmZãè;'ˆøºR – ßø€Fæ/ãòÄlÈñüi™¥<ì°Õ„Ò´#§’=aúIöù•ˆwMD'áf+£Yøé5_cΑ<‚-ñgJäL÷
+° d);é¦:+Q¯ŒŸŠCü0˜XÒÂD›ƒìeˆ¶›7Û…ùuYË=Ú_ ½úVîpeé˜öÐ÷ÉþÂÚ…¡>t|R‘ÊÕtæ»ë»Sêÿ¶%Œàendstream
endobj
-1269 0 obj <<
+1652 0 obj <<
/Type /Page
-/Contents 1270 0 R
-/Resources 1268 0 R
+/Contents 1653 0 R
+/Resources 1651 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1245 0 R
+/Parent 1655 0 R
>> endobj
-1271 0 obj <<
-/D [1269 0 R /XYZ 85.0394 794.5015 null]
+1654 0 obj <<
+/D [1652 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-1268 0 obj <<
-/Font << /F37 802 0 R /F41 939 0 R /F22 737 0 R >>
+1651 0 obj <<
+/Font << /F37 1026 0 R /F41 1218 0 R /F22 961 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1274 0 obj <<
-/Length 2424
+1658 0 obj <<
+/Length 1536
/Filter /FlateDecode
>>
stream
-xÚ¥]s›HòÝ¿Bo‡«af>*OÞÄÉyïÖ¹³½uI*‡ÐH¢‚@ÁŽr»ÿýº§ö*Žý@ÓÓÓÝÓ߃Ø̇6“¡&<™EIàIŸÉY¶9óg+X{wÆ,Û¹Cª_îÎ^¾Ñ,ñ’‡³»å€WìùqÌfw‹Nèqï8øÎë÷×o¯Þý~sqÎÝÕûës—Kßy{õÏK‚ÞÝ\üöÛÅ͹Ëbɜ׿ø×Ýå -…–Ç/W×o“Ðã¦7—o/o.¯__žºûõìò®?Ëð¼Ìx¯g>ù³û×3ßI,gðâ{,IølsHáÉ@ˆSœÝžý»g8X5['íÇ|‹O0`ƾúÀ*’‰
-.Œ?œ»¡ï;›¼tk¥ë«ó"\Ùnæª&ø=>áAªË˜—HÉG,Òo?Ëb[Õš |û_¦÷°ážt±Èu^•iá.ëj㦭^ÓÊN5Ÿ«úsY,ÿW–fkõ\fuZ.€ÇBÝç™e²Mõús™vÖ9áthT£…Ûäßí6„>7[•ý€kt¶v7év«.²VM£šƒƒâŸZ-U]“UÑZm>úÒ'è‚Ø7ø!®ß__ö[Ø gW‹²qÛÅvptŠ§ƒñ™[ëªÒàµB­RŒ·*‹­tz}ËŠvaÙþÏr§yc£÷ÏNÊ©nþÚªzWT«çÆÚ"oÒy¡Ü´XUu®×ë\À4/Gšö$¯F‡:D[Ýÿ<%k(@U‰*üÀ Ø“¬Pi™—+7/µªïÓâ~O>a²"W¥nÜ­ª]ã›SËÙqò>—ÓÁ±0Ç2/«ÒyŸ{Z}ÓÔé&ÕÉüÔf«wnî”ø¡ªDÛ³ªÔi¦OÛ?!þ{UªæÇÃf2ð÷ ÐUÚ类ܲr›*uµ.ž«Ð›S[ˆË…—0?ó„ìƒÅ—o9›õè%
-–Ì‹ƒ Ÿ€XS̪-–¬†¦”[jµè£×7ê£ïóÒ48Â@ƒ"à÷&])+Š&Ä#χÉȺ[«^Ÿ=‹½$I" FšNƒcff#!¤¥kÊ á4J7µ[z®ŠjŽéðþXð¢+|Î\Ù Z4ßÑÇ8À»un·ܤ–›bZ[9¦Ô”)rŒ”¨6;kªC'ÅGä@& mWm’uq 1…=B™8WKBê5$‹EQ9DCLL6Œ½8IØ_[6Ð-ûx'¼L²z#¢ÀyQe_|Èq`B
-±J8¢%\CËhxD亱1ë‡^,“dœO µLÛÂÝC^wÁÝåÍÍÌ‹ g‚^Gâ‘9—ˆÜ!•sGfëfðžÊ(•×*Ó”ßÉIä…A?-¹#š<ôó9ÄŠÏÇ¢1k\Á¥óPÕ_ µÑ (dâ
-à{ßU´¢M"´?1—1fŽ”0k ¤è"@€vjÂt=6U£ 2¦ãÙ…ªÕÛÖ.Ñ¡šîEúÊ[y”8£ÑA'@ã-¼º-'r îapñä6ǨÙrp‹)/QwN„&Ï)bnj
-¥~Q;÷ÑbÅXäÉ(xZzG4!}T¬8‡U)Æâÿ³6©Íà®ó&ŒšT°üÄYì =òŒÛí"5e`S³€ QYÛ÷6F#Xó‚j9—ùGÔà%›žtÛ΋NN*p>:(>ðTß“:‚;o®oo/_ Æ$`_Û,Ìí®eÕ–˜bB
-'_n
-6§‰»ó„;i ‚bZÄÒ‹DŽƒº‹áÅ5ˆ½PF]m5ÕâQ]Bü­‹wdz£EÑTãïÒÞc?ãÁdŒ¿½M¿ÿ ÷Ó?ñíÿÄæÇ|ºRñ<«ž+àÇEÚþx¬úÿ[@•¿endstream
+xÚµ]s›8ðÝ¿‚GgæDßLŸÜÖé¥sMz©ûÔv<2Ȇ)
+²÷zÿýv`°‰CÜ^ò õ²»Úo­D þ©âZªfx¦âx¦jiÔRüõHSVðííˆV4¤&"mªW³Ñ‹kÃQ<Õ³u[™-[²\Us]ªÌ‚Ïã×N>̦÷WD·´±­^ËÖƯnnßHŒ'—×w·×7o?ÝO®s<»¹»•èûéõô~zûzzE¨kQà×+ 0\ßü5•ÐÛûÉû÷“û«¯³w£é¬±¥m/Õ 4äûèóWM Àìw#M5<×RvðCS©çéÊzdZ†j™†QcâÑÇÑßÀÖ×’µÏ–᪖«;=4iËTsUÏôű<Õ6t£ôàç+bkÚxÍHÎE¾'"Zs‰K6ëÏ%üR._ÑbØ–Pªz–¥·Edi.$esü1€‡A$¢4a1Yæéš°å—=/æi>OÒsûÓs²|æ‡üÂ:Šå, @FÀ·‘_ ɘç «½3@:µÔ‚ÑŠ ¡y‘q°]k&ü¬Y–ñ€€‘9/
+^6@›e ž$MÈÖ”è/š¥õzé§\9gßHÀ¦~ÃAŸ·ŸDüÓÄ M˜—vÍ㨨²æß¾
+þ ~æl‡7X_gbÿH[ÒÃKöGºËàí¤ /žŸ6z_U$J<BógÙôƒç)IRR¤Œ_ªÐ‘˜_œÏx‘ÆÛ:sÊ¡5݈‹r1àÉž°¤Øá°Ò¯ž:„;#ÏD9{èŽ/ÏÆ®­R±c…zEþ~5Àè,M
+N²4Žü}GÜ!z¦.Ú½˜W0R$ƒ±JÓ ƒÌXQˆ0ßtÉC»¡×È4`‚uPþ!¹Û ;îßê_Ò®CE´Ó®9üÎ 9ÿƒOÅåÌŒöø NLGuuÍ>Øàã‹k* z‰¾¶4Õu4«$Âë5µá®­´4Ãñ¢·é‚ ¾†Ã@þ|ÿhšž”—9‰Ë˜>lÅ«½ôÖݶÒmÕ¦ºÔgòF¡Öî¿žg1ÒÔœ
+3@’aX]ÑRÎ0ÆÇ B›L®«8]àiŒðÁ,ø!R\Íñ‚W ¦9B‹½\ñ¥B•à,Œ*¶£ ׬"ÆËË«}Ê$‘/KXªM»‘Áì7l{ÌpqÆp0¡oW›œIïâ7ÄÄô°-o|³”HB&QwÌ%#*‡hÈÇÚ®êz}Ú³€šsìÙ?@¶gA”å^qÃEœúß$¸‹ðq
+Ÿøzâ©5íô—_ϬÐÁ ×Õû3ÃÀJÑ=§V
+lYÇš7OŽ§ªÿò¯¿Žendstream
endobj
-1273 0 obj <<
+1657 0 obj <<
/Type /Page
-/Contents 1274 0 R
-/Resources 1272 0 R
+/Contents 1658 0 R
+/Resources 1656 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1245 0 R
+/Parent 1655 0 R
>> endobj
-1275 0 obj <<
-/D [1273 0 R /XYZ 56.6929 794.5015 null]
+1659 0 obj <<
+/D [1657 0 R /XYZ 85.0394 794.5015 null]
>> endobj
-350 0 obj <<
-/D [1273 0 R /XYZ 56.6929 418.3076 null]
+470 0 obj <<
+/D [1657 0 R /XYZ 85.0394 179.8868 null]
>> endobj
-1276 0 obj <<
-/D [1273 0 R /XYZ 56.6929 386.0953 null]
+1326 0 obj <<
+/D [1657 0 R /XYZ 85.0394 148.102 null]
>> endobj
-1272 0 obj <<
-/Font << /F37 802 0 R /F41 939 0 R /F21 714 0 R /F22 737 0 R /F39 899 0 R /F48 953 0 R >>
+1656 0 obj <<
+/Font << /F37 1026 0 R /F41 1218 0 R /F21 938 0 R /F22 961 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1279 0 obj <<
-/Length 3843
+1662 0 obj <<
+/Length 3141
/Filter /FlateDecode
>>
stream
-xÚµZ_sÛ6÷§ðÛÉsC
-@_ÌsëzH*bkÝvÓkÓ6óêkÝõÖ0‘±Û?†Êgëú÷Š ÃMoà=¿J™Er¡ÁÏ€!5¢çÈ^2Ê1Ó¹kîGœ‡CNÄ} L¨ü Ùm9Gˆcã°MF:ë8»?:²L»˜‡+ÇP,br0—¿´{j°Ð˾«›'Nö÷÷óÅýí‡oèµ_Õµž‹]]<¬ù‹Í [L)«_ãX6UÎÆ©Ž£<Ó¯¤ìëtÊö\‡Y¡Çû¬²(N“ó¢Ó„èaÆ–Q e(Ûfl Ñõº~D¢ªùwÕz½±öìB1²ì;Œ;Hz`Jï¾vÞ‚˜Þ‘æò3QÃÐ…½”ÇeΉÛòPôîœ4ÚÔܸ
-!tS¶U:Js˜Û0^€Ö[½1ÖØÌ¿´»ß½³” –}»óÞºFñ[.ƒ‰Q²ÂM§òœãh
-¤•Ç8éu:O£4ɲó^rö:Ïe¡B±\UsÒÖ‘ßÁ¦§ƒ/&ÏqMˆx˜m*ãl(áC“{ZàeÕðÑoRÛ¬{sݲÖÚÞE¿3ÚK¡PzE{×í9.Æ÷›íIåå‘I_‘í˜&dU—D&‘#á ‡‡¶E¿rp)=†K<¿xUHÄUt£Ê¢/ŠÎ}Ö2À¢Z
-¬-­%JW5ü}W?5źóÝ yjLJ/Òè™ÍYMC¸Â$3´Û:Àfè—"™ÝÓ‘²N fˆD™†:"[¬ ÊÝÉÊ[
-èN‡PÌËÑó!4à:B—ÅQÕr¿ÃÚñT Mt9&=?Ï51…A<€bZ©Ñ(Ýj¦[ÍV ÏþJ̇·Yíü@ëCÆ…6CÔAÿç=¨ïêÊw=µ‚c==ÐkÓ¯_ˆÄõ)ˆHÙRlÄcI3´‡ÚµÙ·u›Íx“Ÿ'Юˆ¡€NR—‚0×oÔô)¡ÎÂSÂÿÒ5hpnNUêÏO6¤©ÈdòùN¶ç²8èU$‰'<1lÜÙ)x®‰9 Ï‹R€ì©N‚2]œ„Þ,FˆÙD‘àó´=Ñcà,¶[Hgw˜Ñ~ÑÒ“«.`W]SÉO[uë¾›N\s<'KâQÀ#{T)Mb
-& ¤® ßk®ø !üvˆTlЯ¨ë€TRuÂAÓ"CK<5À÷*Ë|>hHKSãƒì Â
-v©öqäp‡@vÈeÕ-wõC%F+5 ‹JJ0¶”®C©s÷tIOízþyøÁ±í‹ó¿‡×mã. “ŠÑ£ÚV@Çb0£#ò\¯Ìãx´ó¡#N#€mœ×™Ðá¸,Hkéîk-°2Ò&=/ÕsMˆ•£³T£ ÐÈåhaf?_ÿôfñî'z±³ ýýæ‚«$ qˆaG¬öp Il»UýlS’,n£O›ÒS¯ïîéSFÙ}»l×,kWø3ã%â5@ŒÎøøb:²ü ›dlÝf¦æ%%ýI^6k·ÎÀÌÌÑðºƒÒ/–:=߃cŸ÷§çx)Ngƒ·TX7bð—™ë%}bŸ½z""`‚ÆÍÓ®+_‚°a:u§¶‡k—ê—íf³oê%I»\?
-ÑR‡3,Ò$nƃÕ=·»zSìê5“›ª*ݨ|µo7èþæÃ>øÌŒn£Û-ÞÝ€1ÛKX!gÝ~¹BçóèèiïKl Ü©é
-\;ºe„€7x½/ûmi-Û„¨”­˜ù?PuèŽ:g§²œ[X¹Kýù”AÛì‹\Â¥CÉ×l`б "ÂÁ z÷+öí˪¶‹…,È
-Î"°½ÂÝÃÞ,!kõuUì»ÞÖ®*ヹ̅†ìig®ÞClÌð–u½gI“PG%Y”àÙ0ÊÀþ¼á_#L@%‰C^¼{d±BGy’ŒªäƒÎh_e’;m$ùðÇ*–BÕ~’Såm[þêõç.'Œ w‰¹nôkŠ ‘Å‘Ö®”ñ¤õÅﶂƒfeÓÑ#
-=]ý‹Š j:›B®ÓIÀsY¤³««Ý®*çOh‰GY F\hÎË÷\f£Äpt¨-Ç.“û+_5[ã¯Aø¦·ÙòE0Zø[b Ÿ”ÈÙ[øÃÆ Tw¦å.˜Õ¬ÚàéUéˆÁ™ Â`
-Që@¾bQÂ9Äö†aYm¨ðºÍ¹7a8qK¬yÅ×±£ŠûvKäuõ\­ùsûžŽ³§áX_P²r·9?BìÉæø1ˆ,œMmCs«¾.×û’÷}&òI2C*éöïúžÊ4Àºâ†/ÕWpÅ£cƒîÝe5ìaðr`tó¥:üð{^øìÁk’ÏAHÐòX&S³{ÆN‡INà’*‡îƒË‘"XŽD´EX„V„½uô
-j«8ËXö–ÈÇ›.ãðR†@‡‡‰RuH›b wxá|û0B&wÿºþøãÛÛ»ã€Ð…Þ>×¥K'GÞݽýñæDx(ënÙ>Wƒ,äRš¯C‚@4ýÃW ë¬=á“ð÷åOÿ&üðƒy
+xÚ½ZÝÛ6ß¿ÂèK´@ÄðC”¨öi7Ý´)Úä.Ù»{h œl˱[r%y7ÛÃýï7Ã!õá¥7
+ü j8‡3?ÎP ?±Ð)Ks™/²<aš ½Xí/øâôýp!Oì™â)×õíÅ‹W*[ä,Oeº¸ÝLdÆ‹Ûõ¯QÊ$» <zùöÍ«×?üãÝÕe–D·¯ß¾¹Œ¥æÑ«×?ßPë‡wW¿ürõî2F‹èåW»½yG]©“qýúÍ÷DÉéqFè»›W7ïnÞ¼¼¹üýö§‹›Ûa-Óõ
+®p!\üú;_¬aÙ?]p¦r£÷ð™Ès¹Ø_$Z1(å)»‹÷NzíРýgR¥2`@)'4‚é<׋Lç,URYõÖÄÓhU¬¶Uýá9¼‰4ê·MWRÇ]UÞwž§ÆFuÛ¢½&r,…£ÂøÝ¥ jf%:†¾qÅ£ìË}Ó>¸á¤Cš®«–;G®ö;IsçÒ”]³;öUS£íÁ
+e7r7¤5DZº÷!\× 75‹þµ-ëqxÀ¹
+‰]55*ùáèb–ôñP äsäI¹‰ùÜ‘F|Ñ ÿñ
+§LA‡¯““Ëo=¹/0:JÑ.«¾-Z§)ú®ÃPˆD8àüŸnåUÝ€òà#Jç0ÚJ¦0O9l%t¢ylí ï~[¤ÍÒ—]ÙSýÕvÙ‚ß±‰„鎡@êõN
+ˆD‘óÍ0~P^‹éK¿¥7÷ê Í«çô¼vO›ì`ãå)¡©1d혓žë0rP¨HÐ|
+…†ò1£G(Ìï©ÔqÆM“ ζ¯HmDš¤§© H·.;jáÀÐØeáã7®¹ÅOๆñ¬£â`ËÁ#ªÝР1á)‰öv¡’Àù±ÇÆÑý¿¥U$³5;ƒ(0-9æRq
+ÙÎ7WßPã?vB?Íl^¼ J)±5ŽßŽTõ®a=/å|ÌHN÷•1§'³Ñêþû]hÌDã뿦q‹&wT´7>¯žugu}Å[î»à2ä—-ãåSËÿWÃO5> ‚8è?ÿ¼Ô:r rЯè©5:x-è1
+ˆœ½—±iðÜ°±ôGê ñ
+UO¿F‰ëª?C]j”ð£~.ËZ‡Š\Èó”ñSÿY¶M\7q×çT…MÐÒ‹öéYúq9ËÎÞ4½Í,§éHâ"èKGðùf80âFaB|ìÜ@¯Í±£8JpPùð(ó«ž„£íÆâ(—ëÊAÍ: 2øA-ÌÖ§9|B9¼¦~žÀÇI&]ÞÄ1oS0Ø*nÅ
+Ì'[—ˆ7µë8£¤±ŽÝ汜q-ïIé5Ù9ç~A¹ ZI.)=¶î=4qŽþÕÝ;1‚ªM’WRÃÐúã¥!eM}c99c'in¦tb!ãíÓ¾øhÓH˜¥¬;פ| OŸsò¨¼³wÆÕGÝv¿9îpWàœ}ÝÕ–SFDÅz_Õà'PK ´LEÏ\; èGËj‡˜ß?P¥|0YÝÇ —?*2¿ÀßV¥+¥*W!LRP¯]­Œ–r%¡ݵ—&:†‹0W÷.§…ôìÒX°Lˆt!ÓÎ.Î\òS<å¢;^¸$¸È-œïxÝz2sžÁyfÌÓ3{¦ÀÌS,R¸5›šR©¡®o?’cÂËÚåtÀñÞ>•JEíK<í/”
+{Ñ@“Ü° ÏK‹eU¯]b?ôÌöÏ
+|ôQ,ü¤*JÎV1m½^1Üñ
+`hŒñš›3ñª¥ó4lHÄáu¼w†ÁuCDŸB{}2ߘu¸¡Ì$ø„ɆÊ|Üe†qðFÀûáÃÖ¼÷Uç•s—eLbþ2™÷?^IRb€²}âûÚx‡ì*ˆÎÿ¡Àgö6õVž²D Ÿ9°ý™hW†)
+ÇV~‚bºÊŠb½.×gcˆG%?S3Œ<çÌñ ©`ü ±ÿ4¤8@˜€óõ‰YžÓiU>ƒHºr
endobj
-1278 0 obj <<
+1661 0 obj <<
/Type /Page
-/Contents 1279 0 R
-/Resources 1277 0 R
+/Contents 1662 0 R
+/Resources 1660 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1282 0 R
-/Annots [ 1281 0 R ]
+/Parent 1655 0 R
>> endobj
-1281 0 obj <<
+1663 0 obj <<
+/D [1661 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+1660 0 obj <<
+/Font << /F37 1026 0 R /F22 961 0 R /F21 938 0 R /F53 1313 0 R /F41 1218 0 R /F39 1161 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1666 0 obj <<
+/Length 3769
+/Filter /FlateDecode
+>>
+stream
+xÚ½[ÝsÛ6÷_á·“ç"Ÿ$1÷”&nêöšölÝÜÜ´} DÚæD"‘Jâÿþv±
+|Ú_ñ|Ñ>싼»”jqÓà+æA‹ù¼‚ß”/š–ž»ê©Ø}…okðx •%Rj” goŠ]U.¿ÞW{ÇË£AX£c¡UêŽ~›ª*«òo(‚XÔ½£ÞšM_·M±­ûçx€Y¬õ¶w¤¦w2÷VÜË¥`<1ÔÆáWkä¤íªýg¶=9Ù\–0 v—ñ,ɸÓÆ옖1íŸ2fÏ…Rô«çåC×Oõš}±‹À3žÈT¿ Càšb`YšH•Ž¤X¦–’§‹n¿ÑÔrÂØö¯Œ‰­ã@åâ„lqßî‰òþîn¹º»yïúŸJ0—‹å‹›{7úw [ín%µ=­«zš³hJÇê¡MLÓD1¦†›è4·±†6Óôu±…]U‚LCI°àž 0_ôh×Jƒ ðP5Ôãd¥‡/õÖÍ°®ˆRl·í—ª$â—†¹y&ÈH”]ÑoëæÈŸöu³©Ÿ‚XnMoœÌ¿·î©ÚÔ¨o»'íìa¦©LriÎÛeÄ4o–žil•›}ÐëØ2ah¦ÎËàyNeX¥aI& <ÅBX£„ظÍao]ŸÆ{4ÚÛz¬7®ÙÇ[ÿ¦öc{Ø–Ô.À³l0®Y
+¼vG-ZäÓ¡êzØ k€ Î,KåÐ
+¡œóH'–†ˆ¥RÞ}¸{=¡k!ƒ°‡˜È’²ÝèNõœAÒayê¸qaû6ébueÄ¢%ÉljÁ†÷¥W¨ÃˆDKágŠò„b:±Ð2¶ïY$`mü4»Cçì¯Øv-µÖ%¸®úþè+H÷{lÇÚy[íG“¸4‚öb³Á^g*aÆÈóÑ>æš÷+¨ï¨£AW2áú…µ=ÓÄÚƒ0¯ò Çhqr3ÀkN
+ Ô "™„e©gª¾n‹æÁFL0Ë­·+ž©Ñîi¹@°vŠ kÔ÷ÏÔíi
+º«ƒ^-¿ÅÐœ¢ ‘3FmÎù¦=n ’)#V¼ý+Rg,Ñ"K‡
+¢}6™[[v›á7t ¶Ùä”(°ƒ0¶ÖÕDÌâ©N¸2¾bñ{‘2çÍ÷5ΈPôôjæ g•ëÌMð׉5 ed‡§ÙÒdZFÉ'ƒäó¼åþKÝUNK2ƒr0çf×HÒï„”NK2=v ´ ¤%èpZ‚ÖŒ–`EBìpE»#µ<V_©QÖXžMhˆ)h}VCàæiH§Æ­(ü®Å o¶)ºª{Ežíðõȉ–R±Dq9J¬´°ÕáÄâ"4àßÄH‘J ¹‹IHðJÉ¿tDòA ùpW„Ñ]dq°µ~»é±i›eõµ „†‰ŒÝa}œÊ,¶õGWÜzñ/äSú ’s ~†¡œ«D
+ÐÁï8ª‰Éó|ú bf\ÆSNÄ}ž'š¬l~Ë]„˜€°M¹ðÖqv´\®ó!¦àûr3‹çö€82v
+6òÄ\èUîÛPßO½WÍfÛvþ^Õ—e{ ’ÚŸ­½²ž ¡¸FÉô|¹æChà²8
+/8±vœ ¤J'cÒó® ñ@Ø‘#(Ýj§[í¬~û+¾ðÁfµ÷­£Ë?í!ê ÿÓó÷u:ŠžZÇCxØŒ.GµvfêD$‹lÝeÌ|h#´k³oë7ÛáÍ6º…™ª²¡€V©OÁG˜6júŒRgñåÿ éæhpN¦UN¡g /é™P/vÌ5oØËâ ‘$žð0ظ³"® †çE`Ñyª‡BP¦c*Æðd1s&Š„ÿ˜:F
+ !¤‚c‡HÅ}w)}D*©œ±DÐ4g|h‰sÒ
+\/Èq:ÛùÐ!K³N˜c®3¡ÃsÙkê¦ÄSÄó)Ñœ pMH0‘ÅPʉ™ŒsbF©=+’Í3ðë¾üpz?ýJqi‘2ÛàÐQ’Ê”?3Åõc®Kß·~žº¥æÞÇÇãýdñE$¦%¨^ïªH4:¦6" ÝRèݺÎY Ÿ>“ÖxÕÉ|â+›®«6ËmÛ~,:TÁDVÂû^æ/Ôº§`Œá³7éçb[—ô%ÎĬ
+qák'w0ÉÁ¡û¢Þv6+—¹ÏÇâ$ûSnèŠò1Ÿ‰‚hà*\=­×ð$´éÄnóK_Æ̈š%"Kù ß¡™Î|†ê˜è³Í¾mûYg“&)àîs«¦Óå‡9Z%™óÁú+ÿ XäiŠÊxúfÌ‚¯ÅÄ
+ŽÉ¢FœÑš9#•*‘Œî6ŽàÑ+yú
+Så©üŸ’&gDzéXÉé?UŸ0øëÌÿOüïø©y>wB$Yšä^Ñ …‚ël,yøtþTôÿ
+Oendstream
+endobj
+1665 0 obj <<
+/Type /Page
+/Contents 1666 0 R
+/Resources 1664 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1655 0 R
+/Annots [ 1668 0 R ]
+>> endobj
+1668 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [250.9056 335.8063 314.5963 345.2159]
+/Rect [250.9056 159.9586 314.5963 169.3682]
/Subtype /Link
/A << /S /GoTo /D (statsfile) >>
>> endobj
-1280 0 obj <<
-/D [1278 0 R /XYZ 85.0394 794.5015 null]
+1667 0 obj <<
+/D [1665 0 R /XYZ 85.0394 794.5015 null]
>> endobj
-1277 0 obj <<
-/Font << /F37 802 0 R /F21 714 0 R /F22 737 0 R /F41 939 0 R >>
+1664 0 obj <<
+/Font << /F37 1026 0 R /F22 961 0 R /F21 938 0 R /F41 1218 0 R /F48 1238 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1286 0 obj <<
-/Length 3459
+1672 0 obj <<
+/Length 3345
/Filter /FlateDecode
>>
stream
-xÚ¥]sÛ6òÝ¿Âs/•g" Aœ>¹±“K¯qîlçz¶´YœP¤*Rv|7÷ßo»€@‰R’¹ñŒ ,‹Åb±_<ð'ÏÓ,ÊŠ¸8Ï ¥B¦ç³Õ™8„±·g’q¦ibýxöý›$?/¢"‹³óûE@KGBky~?ÿm’EqtÄäõ‡›7ïÞ~¼½¼ÈÕäþ݇›‹iœŠÉ›w?_Sëííåû÷—·S©S9yý×Ë¿ß_ßÒPÆ4~|wsE‚>GˆÞ^¿¹¾½¾y}}ñÇýOg×÷~/á~¥Hp#žýö‡8ŸÃ¶:QRèôü:"’EŸ¯ÎTšD©J©ÏîÎþá £vê¨ü¤ˆâ$‹GÇ
-ÙCðbs!õ¤]Ñ
-'{™aÇ*(¶Ìçu‡éõ í #V Xš—:]õèç>X=äräDYé©M"*;lBi=¹GBP¹í—í¦ê_³33¾}бwqè–d· „÷­›ÄÄp°7˜阧jnš™qHxê–Î’AîÂXZÝØžvç”ÄOŒµ¿ê
-úUo¡¬kh¨Â_™}ê<x§;dêðÛõrRÙ¹)Ù¨Ô™ºª®pð…`킾 8xC$kš¬…Å°vÍØñ”Ž¾8Þvl<¾ul´ç‘§¤#)‰ä®ZUu¹±æ_)Ç
-6cË,qƒYÙP£ÜT+87è™ÕÚj¸JàdænÞï"MK탫léõô%=ÃÉåÊÀ,Iઠ«Ð„‡­æ@(V¶E&n͆ñú—õžð¬^aãòæ× )ådOx´ÒMkUEÝ
-g.Ž²¼Œ"RqîŽqMþ#œŽÖ¡3‚ÆSYWó²·Ñ*tŸA/¨U2Ge 1HS’Í–“d휉´;¬œR+XXMáœf§‰‹ðm{$>M覤îV
-ù&¾‚HfC_ww³æíª¬˜Ðð.ÂtkGœ¦ÏtæƬMלä¨Bùûô'—C/³‚' ÇÊÕ.Eò+6ífUÖÔö¦ø<}¢¶´  ÔfÑÈÓød8‡Û6•è ¸+3ç‰N4‘è§äÞÎZ6³¥àEη:¨³²µAÖ±MyîꌖG:ÆwÈ%¡\‘ï&ØPaŽ-‰²5<º]‡Kgœ ˆœsœnøb6âÃY˜f„q
-o ]‘T&
-H™”ØóH­«Í]ÙçÌÛEÿÌä^ˆVÁ ³äœ³1û‘É.|éýÀˆÔðUHëäÔõh€Ž5´øÂ=°NÜs‡eíA70>m›©ù\õ‡I*šÛBæÁc01¬ƒØz‰rÁ50,Á®Ù[a&OÎØ@ÅC»CM(¨Ý-5MÃ5WöeWòqx¶fÕR­QBòR~r‹3uƒ-=HZˆj#ü„Œ‡*Åï•'µ|­÷êá~(„JwOn¶m6ÀÖj•µêƒÔ`± —:­!Öq}ðXÖ™fª®¯f‡%10‚™*ŠÓË{¬‘õª'Q–€D ü‚O¾*ù)òƒ'k ºo¶ïŽ›Kž‚A‡=ÿBíE!0øð2F
-é"s1À@S&7ÄÏ+wum
-)­¸}\ö4àæãû1~Å¢pÑç@|ôX5pçqCˆ<£á 런Ţ7Ž]Ùr›W–ü‚#›~,¯1Œ3ëí#±ÂDŠ/+1 [–/¿µ"Ä>ŒYt[Î’)>´Î` ×|¤{–ÌÃ(¾ÇHÐ
+xÚ¥ZÝsÛ6÷_¡¹—£g*š ~LŸÜXÉ¥W;=Ûé\§é%B§üPIÊŽïæþ÷ÛÅ.(’¢œ¹¹d‹°Üýa?@‰…ÅB…n˜øÉ"J¤«<¡›òÂ[<Á؇ Á<KË´rýðxqõ>ˆ‰›„~¸xÜÖŠ]/ŽÅâ1ûÍ ]ß½„<çݧ»÷?|¾¿¾Œ¤óøñÓÝåÒWžóþãO+j}¸¿¾½½¾¿\ŠX çÝß®~\ÝÓPÈküðñî†( =Î,z¿z¿º_ݽ[]þþøãÅê±—áû
+/Àùóâ·ß½E¯ýã…çI¬/Ðñ\‘$þ¢¼*p• K)..þÑ/85Sçô'Uì*_† ÉÀ ‘ÌkY¸‘ÀIáŠ0 {-ûbNË– µÜê¶Íëjù‡~ýây~¡§ï-|‰Ò‹áâ'"ô\32ø„Ÿ¸"ö±;}¹ „ïìÓnW¥%÷ê-=;;Ìšv^u5µ^vùfÇœ–Ôäó¥ôx|øøZüÆÔצƓ®t“v:£îúõ0Q` <× }xcå̘køŠË ‰ÜP¨á&Jù†}[7°´òC«©1»‡L\?Œ#»G{ØgiÇ–ÅÌvÊÅ+É
+§¥]äP,!•ë!þh›«ç´¹jÕ•Q«ÔEmžJ(”r¥ˆü±ˆ_<å=è¸ÅÂUI¢‘ˆ\_%æœÑXó´ Æý
+‚ '­|>B›dÚ§M—oEÚLYÞnÅ> #Ã)¤D”¸Qä[ý¢–ûºÈ7sæ
+AqÈÌm¼¥®º¿ZTÄCìÀ*-öŠz“Î!4\/ñ,tê½Q:°áIIÜ؇rzRЗб£©—W0P¦d2$¤ëúÐQ³Ûå-µ¶:í4͈‰7ξ2Œ¤Çp˜ßt¨C®óµçš8Tãɦx
+$¬Äo ÐsÍH0ÂS
+”™Â,Î'Ðá8Å5Ÿ€.°q xŽq ørã¾À*,(¥˜ÙÎLE€Ë3éY¯ÓyxY&Üy_7ÝtÇHíaæ[;ZžÓGáÎseÈÑŽ”cy±óùæç«Çw?SÇÈ­È©åZ7Dí,o«›gK¸µÄJ© $?çÕ‘Èrfj•õÔ›»šº7Sê®ÞÔïÕ¤[¤¡7è[bidEsAŠè…p}‰ŠÈ—¨Ø@„Ö‡4Ad㌶´2Í«â•iUb¾‡#s¢þ‘¥Óm¯ð=ôB‰ä”áК7D2’>q¬%òšÝ.­¬œs0|É‹‚¢9Sh¬µq·Œã†ç¦.ËC•oLVˆ„ð 6
+2驨×)/ ª?mðO±
+ão€{Àõº-¾Q0¨Ëe¦ŸóÍlE…‘x{ûžkfÿiEhÆ´‹ÄsÚš² ÷1UÂ'¤4Åý+P¿ø\3#À=cŠåè×$@Ýèb(óœÕt1>÷M^¦M^0¹Ò:³«Äa ô°zÇîΫŒ“1âë=V&
+ÑMÌÑcÁ 1çEºi‰UÜÕ{"úY<½Æœ¶åèÛÊ fP°ª;ÂS§BLë4ã§Idj1µÂM݇ŒígÆíƒ D†ÐÌ‚7Tø#
+G‘nY=ªdñ¹æÑ2Íôx„“—# d7/º÷}fä•žGMRŸÕ ­>—‰çs§£3ù 9Ü(Ÿ–Hýë`§ã\„>ŽZ.ÍcÔ›¶aùkzžX‰\m°b7'JŽ’Œ¶å\ ÁÁ£ß–ŸIMîþyóéöúãÝ©Gh‡G¼~Î3OØ‘¼»»¾]ñxY?ëQJ»I!2ðDx5 “©…fÏ c3†ž5cH))µú²˲¢­Ôv°Äà]^dÄwœwüli„.pRñ’¾òû¬`Š/ì8á:Ý”y¥gSÀf7(€y¼š6”nFåÐ<&¹Ø#}AcøòØgp@‹Ä7´f2‰_Òr™|I9Ÿ®‰†¥·„ % @Áå 'o•µ<¯G^
+Öñ×Ñèeª¶Lhu³ÎŽIöÀ˜µf½ó @ô{ß÷ghl)%•sm–k-¯Ù˜AÉOŽ§š§›w¦57Œkb¿]l•ì'ãeù’2zi^þóÒ\Ý@?··>©É?©$i™¶ÙéÍmO}<arÛõwMìãÉÑå~ùë^Çùä¬ÎåXeüÒsŸ/`17w®¬$|j¬×†µæ#Ç.;› y™icœ¿”Vl‚ÄàÂ…CÒ eƒÞi“[®Ñ §Ë½·Ä™‡YUUSûä›õ:zÈ$}Hád Èy5å 3Àe—9R
+WÅg‚æ1Ç>‰¿×w¿ò}ÇŒòîjƒ N£.¹Eɤ/‡È´ 4F±ú,-´PMÚ}bâ瘛Õºá7ÃÐü ?%üÒcCüü€ÿóžTá÷íç‡Õç[lQÉÀ>42ù%µ,¥â<v‚6¾+ ¸3Àxøå9”û°`èyοÍr2rcß‹Æ‹ÎÖfRŸÓ
+æñ—Lÿå{nÏ}óÐöÍòÐêCi»ÿù¾ÿprº5 ÎUOQäúQøâiÀôƯ?˜ÉÜ¥ç-^0/ûLíéçoPå©7è™N%üŽ\)E<á†DÀ+vûÁ0}K¤¾$5ƒi͘IB®a­‹úå[+R>º ”pn¡
+¶…w¨ÜXúÁøàî‹Ùïê¡+db?«Ïërúa&v!\ûÓë|¶Ó¡Ç_¿Ð- DÂO½ëèÝDY·ö
+ɾÛÆsÖÇ÷Ÿöû"gG;÷£¦@¹øK¤ãÂ?èÿýƒ§ã¯Á
+e“+cX„…BM©øô``­ú3¢ÿ•MÇÚendstream
endobj
-1285 0 obj <<
+1671 0 obj <<
/Type /Page
-/Contents 1286 0 R
-/Resources 1284 0 R
+/Contents 1672 0 R
+/Resources 1670 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1282 0 R
+/Parent 1655 0 R
+/Annots [ 1674 0 R ]
>> endobj
-1287 0 obj <<
-/D [1285 0 R /XYZ 56.6929 794.5015 null]
+1674 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [80.6033 713.4536 149.9876 725.5132]
+/Subtype /Link
+/A << /S /GoTo /D (dynamic_update_policies) >>
>> endobj
-354 0 obj <<
-/D [1285 0 R /XYZ 56.6929 333.8409 null]
+1673 0 obj <<
+/D [1671 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-1072 0 obj <<
-/D [1285 0 R /XYZ 56.6929 308.7186 null]
+1670 0 obj <<
+/Font << /F37 1026 0 R /F21 938 0 R /F22 961 0 R /F41 1218 0 R /F48 1238 0 R >>
+/ProcSet [ /PDF /Text ]
>> endobj
-1284 0 obj <<
-/Font << /F37 802 0 R /F22 737 0 R /F41 939 0 R /F21 714 0 R /F48 953 0 R >>
+1677 0 obj <<
+/Length 3944
+/Filter /FlateDecode
+>>
+stream
+xÚ¥Z[së¶~÷¯ð[噈 .$“Ngœs|R·‰“ú¸ítÒ>Ðŭ"‘²âüúîbàÅ”í¤öƒ@\‹½|»€<ð/ÏS •éó$Ó‘Òœ¯¶gâü3´}s&¹ÏÒwZ{}}wöî£Jγ(³±=¿Û æJ#‘¦òünýãâýŸ/¸»º½XÆF,lt±4V,¾¾¾ù@5ý¼ÿþæãõ7¿½¼Hôâîúûª¾½úxu{uóþêb)S#a|Ì3œðñúÛ+*}s{ùÝw—·ÿ¹ûËÙÕ]ØËp¿R(ÜÈÏg?þGœ¯aÛ9‘ÊRs~„É,‹Ï·gÚ¨Èh¥|MuöéìoaÂA«:Ç?mÒÈÄÚž/Ž”QzžË"¸¶L4¬¤¡ä¹Ë9.û^ÈåuݶÅjY5ÍOy[®‹é¶¥U0¹UçùŸQzÍHX%vLÃ?Šx¯ãE[t_ ʵ‰2‰“$OÖŽè8ñvû ™.šGèÛÒ:ÝCA…Ǽ*×y×ìéóXvTÊ™¢¼êŠ}w®¿\l‹î¡Yó$M?lj
+÷‡²ê–%­‹M~¨:ú€“<¸c„õ7¨ XI'…^p[ìêäÜue¾±¶)t £óé•Lyï9hIk¡˜WMýÙ÷s–+¹{Ø~±ê ¢ ½åxûf‘´Æþ&·dDbç‡+9›??Àú£©çNOŽÄ‚yѱ[Ï  uÝt=#oô’H„CÜ95A]òƒîõ
+Zˆ­Pp³ÃoÛ‘:µÞŽÿ^‡c§ç"®˜Wz¤‰Š”ÔÞÜ—õ:‚éÛ™ýƒ“äèYôÕ€ˆ,
+¤c*|oÚnYŽ¤ÆÓ³c'þÐu»öËwïŽÇ#î.*ÛUDZùù]ÛT´yí»uõHäÈ‘ÔZ%Bzzþ8 âxŸYtëHd™¢ð€š:÷¥¿>ÂÈåp¨ F<_ ùÓtŒ&ArI6’„b¯‘%Cpq‡¼@D!Å#‰˜Ô>b¸¯ŠmK]ʹs•ЪPæ-çj£,–CÓ³:ã‹ nšC^¬W*¨K>t'‰„?>¯Ú†û6Û]Iº†ÔÖTT|ÄQ°D1€Ü×졈€ÛvÌO[ˆÛìX×n‹ê©tŽ7± ‡¼4–Î$†|Ô§‚ÇgÛ­CÇè°ÒxñÐáö–sMÎËѸŸ^çö&Äiñë¶>ÑÒsÀa9˜ß!Š!}ÌQÜã‰ÄM·Ð}R:¬Hã OÀ8?ÜÃÌÔÈÀÊD#¤:Ü›ï﮾œÙ6ìÇXó†M[í7ÝÔ• RçàZ*®Š}GQ |„(pEßN²]ihu¦*au$ã€7ßDƒ†bÓ´¯â ˆqP@ÆIÇ8øÀ˜JÒw&qj"0º§a>h
+†:Pçý–Á°4Ÿã€ žp¼íi6@Ⱦ_²ž¥š8Ÿ£-xìØÆ/'}†½N'}B¯øØb{_,¡|Ø?Ïü¤I”é8y™ŒÐk†ŽFÍb0€:>¡„mP ãdñPûܱnÅ–*åêŠH-•óá×1[rž‚ŽgÐÃíÌŸFì£Êϵ;4ø&É‚HרylëR 8IǾԇ#ˆ
+jc/ÇOÅœ¬Kà€™DO‚è36 ™1é´9•c´š
+¯ÖPÊW«bç,'à•º=û–\ìŸ:{ä»%Ù€gÞ 1¿çX(0´±|=.‘3›v«†N*úNJ‘Ø…\xl,œA™„„!Çè4ßí*mÀ#VÍ‘œ‘æˆ €E‡¢€K´åT{
+pÍG’³ó(*m~oì˼XÒ|Õ•Åi[(`||êš!ØÂA¯l¡ïŤ[ýÌöûL–%//zͬ;Öö@Ñ48!vû«¤x@µ=¹ÜȪkgsG2j©^³¨<‰
+ðaݵó(Zšî¼|ÿ­Wfd4®±.ºb¿-ë‚×怛ü¬D“g)¶äüØ€G÷fâþ‰Z\V„¯Š (ÇÚ°€Cîà®7“ƒ
+v› gê]^¾}á6AZ€"‰Šƒ¾=}õêuO¥eŽÖ%©ßpÆ
+eb^;ã4²·?;d—Yw7鋇GIl“€q‚™9ã Ÿ¨áÓ%ïSüªXùu}Ä õ„ƒ1c„½‰”l‰à¸¾{Zè S@>ãƒ.§I¡#Õ—ƒÛÈWåá7‹Cl Diú;ÄÁåeS— T.¦«èzø Nª,Q›ú1jC¥Ð )5]ãb*¬"3Œ%VIhoŽhÞ°Ž5Ví©br/øÅU›)Žü
+³øî’¿-æüì³·ˆg
+¥iÈýáÕŽð‚/;ܳ oR¡éÃ÷C:ROG²ð†˜6N’hš·*ëU³ à5!@ÁQj§O>Hoo?]ÓŽ£ÐàpÏ^õaê>~ŠÍèùXpÈ$?Ñ©÷Þh•šËÿŠ`¾ÿï·àýCy Ž=MO\¢)a£0‚'
+9n²)åì¢Iãd†ôÿÎxendstream
+endobj
+1676 0 obj <<
+/Type /Page
+/Contents 1677 0 R
+/Resources 1675 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1655 0 R
+/Annots [ 1679 0 R ]
+>> endobj
+1679 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[0 1 1]
+/Rect [278.4002 570.2936 280.3928 582.3532]
+/Subtype/Link/A<</Type/Action/S/URI/URI()>>
+>> endobj
+1678 0 obj <<
+/D [1676 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+1675 0 obj <<
+/Font << /F37 1026 0 R /F21 938 0 R /F22 961 0 R /F48 1238 0 R /F41 1218 0 R /F11 1451 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1290 0 obj <<
-/Length 3312
-/Filter /FlateDecode
->>
-stream
-xÚÍ]sã¶ñÝ¿Bo•fŽ ñE—‹}u¦çkg:i’Z¢,6©ˆ”}î¯ï.° A‰’®éÍôÆãá
-\»‹ýØ$?6Ñ*N„‘“ÌÈX%LM曫dòïÞ_1‰<Rb}ûpõÍÈ&&6)O'Ë`.'Z³ÉÃâ—黿¾ýûÃõý,â*™¦ñ,Ri2ýööî;7bÜãÝÇ»›Û÷?Ý¿erúpûñÎ ß_ß\ß_ß½»žEL+ßsšáÄ7·»vÐûû·>¼½ŸýöðýÕõCÇKÈ/K2òÇÕ/¿%“°ýýU £Õä~$13†O6WR‰XI!üÈúêÇ«º ƒ·öÓ1ù)¡c¥y6"@β`™N2eâTpax»œEB«i»*ðïº"¨lÜ3wMÞ´Å®Gz3‹$3øau0ESìž=æK¹^ûÑjá zßf¾ûøp{ó³ƒw3¦§Åû¢!œ¶&\?O¿Ì:.ÜCÄXl”â–©_•,Še¾_·
-cÏHP0” _³hP/ý
-Ð(„@Ã\•Å3šƒ}uÏ}C}s#u¨ÍYóT^¶ : _&¡ÉâÄnsB®vŽà hUþT4oFW‡ð¥!ô„«;eOžÆ™éPnÛ¼iÀïŒÙšŠ¹Pì€B™ttIÖÓÞ.÷Æ*›ÅŒÁ¿tþ^V |ÖçàCê”Ø!ñ
-ßÄJi¯R;ø?;fäˆsrÄÌ18æICøˆ4¤`3‡ol¬À1˵ÑÉèäÇaâgn››˜wõߘ[Ô}4`:0¼7w¼SW©XkchÅ3J"c!D6Tœö_û†¢Ì¢lòÇuAÑÇ‹µ·Ó@288k|˜ø1Ü$‚MRðA@Åg¥~"3±fÊ S¿?÷•'$º')pß%0~+†SESQš0p“?‘Xró æIÈ?pÞli“  ½M½°I›Tç%-&œ"E¨I'°X&²#¬Þ¥…û9|ÈÁÿ&”¿dtü ¦'*3“³22x’71
-{&Ø…ࢊ3Ç€’¯Y` qÁÄ%A¼Ö,3¢ú }–û
-ùš-’C%™¥ý¿à±N©j lúÏ‹í¬a})¹õ­¬ÿG‚ÄL†ŠpÒ€ôÔŽzk‚ÿàú"iÀ j¦Ï·Ö$.-õoê¶ë²ôYJŸý„µáaÖvF`ƒ)'^"Ò²˜·g» J$(ƒý†Sv¬°µ:Ëtصô2A<J3È¥5ðfNôn )
-±Ž5×÷E;,ÛÈ/¢KŽ£´ ³Ôdçï°FV&Cà,®~‹Å<¤AÔ,Örª±ô0vËJ•[*úámQa¹°p/šr³_ç­Û*ß“D¬ú±©×…ÝwþîîG8&-Fûº¥··?üt}?ƒTöçc 6`@š*EŒ–8¨—ªÂõw°Ž©} Ìç:jDd]ÞÛ$Y’¤ö6À:³·ËîmÑÎWÑÓz_omŸBntvíkdñÁÖ
-[r‚«»N/Ou¿ƒØÌñc´GØÔL…S&Á¤G{P{J-|#`ª£äD ¾Pؽ·ßÌó}c5Ö Ö[ôê45–ô4oÛb³mÃn“v+R¯)Íb-ÌP'-Üh*˜šzoù`t^Û'vpûÐø\”‹ê/¯\ß j¸4¯«¦ÝÍôt?'­7ž
-r†9ùÄœ~Ãû¼o&XàèdhÔÊö¤Áy„I/8Ãë´ÁtX®FKľYEØtm¢ºŠšÕ¾]Ô/Õ!%B3—Üœ'¥Ã¡eÀl8 ‰ù‡;Ó‚ZbrÑ|Stç:ð¢øT¶{µØnŒ4¬(ŸÝ9¼ûñöýÃõý‡7˜t¯jšiQÓ
-æB,«êèË4*F^½RؤìáÇ®l‹æðЂJàN£FzþØ%eBvuó™=9tLÇ©‘¬Ï²FŠrbáBÀ‰Ž¥Ì.8å댎y,Û¡Ë‹õ"š¯Ë¢j’>‘±Á„à,Öf¡‚ìŠ I 3¸,í<3Â/9 –36­ÀE‘&µ¶çŒã›íºØ
-1
-§¶#çr7…ç»'“v)ùÁ2˘䂟 ±N[^‡e-¯¬ÊM¾ŽvTq{Ú („ |ž„k„†a Ncùà€ˆÛåˆð äœ:ýŒ°®ƒ°®2ñC)_§ô:¶ó •j¬Æ¡¿U—õ×´ð º…cPÕ9à¸r<§ˆÁtùžNô„°ßŸð:UnW5$å83¤ú®lX8
-î GÁ|áظqbPØhá'qd¹a·¢ì+Bán¦ñ“µ1ô4ëâÉöC¬ê f…¿mµ+øPVîÞØÙ¢t“¿v¡†nxÞª¢‹,y5/†÷¥úÛ[nÈÏ\,WŠÃÁD¢ä¨9Ô‹þ<áŒÙXgÌÎcY³JˆÄÑÜVÇ‘ŽÅÂpuž€k„‚³i‹Lè! ´c&èçì"„I}¬‚¡’^‘«H;«ëF¹xºe¿‹ò£:|ßIQæ»»·®±@•$9VS¡ŽŽ:ΧÏeíºznØj÷w¹`À59Þ;Ëik]ŠoÁëÐÕK>X(_¿ä¯ŸcWº2 ßÕ²¦žRs°jÏRrÈ‹žî»Ìñ±nWÃtÌ_+E
-nÞ¡vM›Å+H¶œS´Úâå³&>uóV¨¯ËŽhQ2¹xÀõ¹·rû+ËP"
-­OÜ‹ Ä
+1682 0 obj <<
+/Length 3076
+/Filter /FlateDecode
+>>
+stream
+xÚÍZÝsÛ¸÷_¡><"ø"
+™1-¹œXm™±–,˜ÏVç‰á|ºYÌD&Ýü›.‚¿t¯™I&Œ{)L°8ðRÈpÿŸ×h P)‘Še¸{?¯£‰ÁèWWWÙ›W¯^f&®‚3@'¹$B°,M¥Ÿ7[•EµmÚäÕÓÁZý9ëüþ¾˜¦ü!ìêõsÈÅÇÙj7/"új‡É¯^-àï‡?ÿ_÷d\±f·X”ã\bIF·Mó_^ÉþÁ%`i+­‚9)ãV©úÂ0€¦oêzUäôýý¶¬«æ
+´\#È>žUÆúÆ@…· ² v}Vð^äYžH³}q–eJÚÀóâ<QNL·ËLªR3¥ ™NgyEÄmA×|>GÜyrK×͹›îªm¹.húC™œ¬È8ãZé°è¦šÏZ‰¸àˆšÎ=ÓqF½!þy±*¶Q‡ñµ`¢PFô—"ræVfDxD•²Ìê,ÈÈ©ŸÞ, BÞ¼Xä»Õ–nÊfä,Œ_. ó«zì(‚"q‰c0Ö3­{ÅÓ &áÝv™Tçõ:/«K1 vjí–épñ!~Ó\êÁê£ð͘U­ÅO¡×õÐ+[ôr‡Ô$ œHm#$..Æä:–YnK„7·x²þš¯ó§@7Å–«+¸þûwïß]¼½¦»Í¹pÓ¢¹‡¸T4AÁ⡼傮¨¨Ò›‡bÓ®æ¡*´`Òº½˜YÕ7—A*Ûî =…;8Çz
+ pÊò¡
+o˜ªfù¶Hê*)>ÂŽr•e
+ªÓ:´\#J ö«%ÓNf Å á,Yû„Môcîœq<2<ê
+TG,ˆîšÈ¢ÊoW!
+Ï–ÅìWÜ-0Kø³-Öõæ‰Ø¡Xø5.¤£|<´Ç”áÌ!‡.Êãò®ªƒ[@Ä4ÐßO^…]Ä`ô}±µÖûó¼âÍq<hÀ–2ö<ô¸Nà!rùÒ±X7[Ͷœ–-βÓË·\#ë 
+%ÁÔ÷tð_VöNÂó÷Ñøù]¤4ŠYë>³‹œ$Ò¦ÐL)¬gB¡B¬íÎ!¡»ØwuAr¿!–Ìé,6´m哹PKc8 ÃÐmA×½ í(Å„è5¢Jê ~l»æ‡²xÑD¦Lp—ö
+¬y}¢+½y1e-“F?ïøY¡mpcÉ ‚épÂ]7D¶è5 *¿Ã·›c«s¦œ6ƒÕCnTÐEÙlÿü}Þ4wÆ|-eR¥bOCÍ[½´èôÒ¼Õ‹žP ­ù~¹çRüÖ]‡ƒÄÔ‚˜€Çö
+s ÝkSð¦â´Ãì\ôw$²Cq,ª†ôj8’Í æ„V-¼…òÉFG'·Ž‰7¡«äGÜMiÇRןänI;iØuŽ÷¢{qvhÜ4eÎe±*=Í”RvûÏ]²Ì¼lðasX¸XÆ¿³˜õà5E¦àЙƒH—Ÿôõ[Y(GEš ¿~ÿ¾YQ^ì=ªÍã +qÆPT÷”@ƒ~Íù™e”ÝD*ÊzxßþÔs_±éô´™Ì&%£#\Â*{ÀÕųþ¡h+ñsݤ¯ÿÿf4¾Vw.û­¬ ”ørüÕUkdÍO9ùžPˆˆü½B?®@áŒo–Ç¡ý vDAÔ¨ñ:µ¾¬í¾(B±iÆ=c<éð—)úÄë5üˆÔUr­y:‹=~Ùo-ÕSâ+6I©æSá¯+´“§«…¡µF`uÊZ==¾bkqÎ 7úkqpºL=“ðŸÅÖ '$5Ò¯ÛXÎ1“
+uÚV™„úÍfÏ$ð#¶ú„xÕSâëµ”Å/Fœ¶”ãLºÐ6†’ù÷ì„'ö”ùRë~±÷ÿ(‚ð³‚3ʘB~½á“gõS¨ØýŠS[¨þœ/”¤…2Ä)‰¿"Òñ‡lüðƒWøEcàê©þ_ì¶Aendstream
endobj
-1289 0 obj <<
+1681 0 obj <<
/Type /Page
-/Contents 1290 0 R
-/Resources 1288 0 R
+/Contents 1682 0 R
+/Resources 1680 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1282 0 R
+/Parent 1686 0 R
>> endobj
-1291 0 obj <<
-/D [1289 0 R /XYZ 85.0394 794.5015 null]
+1683 0 obj <<
+/D [1681 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-1292 0 obj <<
-/D [1289 0 R /XYZ 85.0394 625.316 null]
+474 0 obj <<
+/D [1681 0 R /XYZ 56.6929 636.8504 null]
>> endobj
-1293 0 obj <<
-/D [1289 0 R /XYZ 85.0394 613.3608 null]
+1370 0 obj <<
+/D [1681 0 R /XYZ 56.6929 609.3387 null]
>> endobj
-1288 0 obj <<
-/Font << /F37 802 0 R /F22 737 0 R /F21 714 0 R /F48 953 0 R /F39 899 0 R >>
+1684 0 obj <<
+/D [1681 0 R /XYZ 56.6929 172.736 null]
+>> endobj
+1685 0 obj <<
+/D [1681 0 R /XYZ 56.6929 160.7808 null]
+>> endobj
+1680 0 obj <<
+/Font << /F37 1026 0 R /F41 1218 0 R /F21 938 0 R /F22 961 0 R /F48 1238 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1296 0 obj <<
-/Length 3798
-/Filter /FlateDecode
->>
-stream
-xÚ­]sÛ6òÝ¿Bo•g"Ÿ8÷”&N΋sg»3½iû@S´Í‰,*"×÷ëo Pü’äN;™1A`¹»Xì71ãðOÌLÂ’T¦3›jf¸0³üéŒÏ`íÓ™0‹´èBýx{öö£²³”¥‰Lf·÷\ŽqçÄìvùë<a’>ÿåêã姟¯ß[=¿½üru¾†Ï?^þë‚FŸ®ß}þüîú|!œó÷ÿ|÷ïÛ‹kZJŽ/¯>ÐLJH¯/>^\_\½¿8ÿýö§³‹Ûv/Ýý
-®p#ßÎ~ýÏ–°íŸÎ8S©3³gxáL¤©œ=i£˜ÑJÅ™ÕÙÍÙZ„Uÿé”ü´qÌHÌJ3ô§¥,˜€¬IY¢¤j¥,Å””#Jy]5åýËp³N3•87ë"‘@de‡¬K™‚£ï“½¼G’o?jלIcSÀŽ /EM0=lR0#Œ 0¿qÛÇâ|¡àˆ—Å}¶[50'ÞÀŒ³óW700éüêËíåÇÿØSQ×Ù ÷+Ùö\¸yÀPë†FÏÅ:
-NYG‡ËÐOñBÒpê«x,Èâ6Zé ›
-ÏeþHÃ<«?eCÏ
-tc .¦>ÆÍã:}Í¢­£ø]zX\‰e­î´,¢Ó–Éü²¡Ÿ«ÝjICÒjéœÇ\äèÒ·/ôŠÞ —›Ýv>¹Ç“¿Ëeà(ž —aµ ólW{½‡µz•}/ê¹WbºçÞòmV?²Qž’©LÏ}<áê
-&PyñÙB`¨Åçõu]4ôuö•ëº
- Š³øIÈÜ$xÕ˜ûá8¤ôâÕ
-ž´6JHIÙÎ0 `21ð·ó_®/?]^ap¦÷, /›>±z·ÙT¤©ˆ¿"zy”Å<óB’*Zí> ÓŽP¨
-ê×z¦0ˆÑ~o]hoXˆ¢YôNFÙ
--Ž»§.ÔaÿÔBᦶE¾ÛÖèf”S¶\Úã”#ÐåžsâšI§û”ä‡ÆqsÔ9K•tŒ «|©ôj
-ªñýÛ®ðq†”^ÀDÝÔ²~À›¶ X<Q*Ûd?y&•AJ DB,pÚkL.Ó´"’çjû5dËØ°ƒª"2WÒ
-ݲä6yU5JpH\GÑ4ÓɶŒó¥m礛N’ …m b—1ÞÂ`C;ÿŽáŠÊ¨å…4j߬J€ðÎÔÌïý7Õ½=vá%™/³&›
-žÓ´Z
-?µµ#Ú¬CÊrt=ªúºÛÔ¡»)Šzêj²ô€ìÈɨ‚÷E“?.V»©D;¦Eô¥ÙCÆžHG Ðá
-ˆ]Ì~SIß’K`Ï3e$KdêhSUHÀ_Î%Ÿá¥|Ú¬|¿ äöá~Féèèu’Bºx»Âýkç¥à ’”ƒ“Øß¾ü5m‚Œ‹9‡†$ 0)’㎊2`LÉãž±…B‰‚ËX”ËŦªV#ÇÈ!gàÖ̺hÇž1B©«´g‰p ¸Ñù[êÀ‰·}2wš»««UÑLÅ›6É ƒ8ºËVÏÙKÝÖPU¥Zx9; /?„¹Nö€ÐEs0^IKEÇÑcé
-lÙ:— z–á:'£¤YøÅ"Ü×ÁÌ]V—áèî%Ü !Õû—ÝqP­ÙéÔvØ#˜ `œ1Æu¯™&:ÓŽAš.Ntƒ5XŸvZ±Çä¯ÈRŒÀu¼îpˆ‰-uËÁ‹ki½Oߊ5vžåØŠ¥fDrðÂÀ;èXì—9}D§´K+¦S©»m~»Öø]Ð) ¸Ü=mhäôF­…–ˆõ7_«‚&÷½z'‡zÜ’C¬å"íÈ´ø&*/x‰éz*Õ¦×I›^Oe%RùÄÙœ¸œmÓ„.üÄ•ùkïj–~Ö _Ï
-¼L­íñ3ö7êcl“™Yë`Aೌã¶uÄÅF¨6ðýØ’hDî8á4&Ü‹yi‚7/¢O˜Bž²û«·s‡C^*™Ý—¤Ö·c”ãÔ²DëÂßYºÁ粬³;Tu|¹üåãu9£Ç&Û‚ïVÙ–‚óP<À«¿á´ñ÷ ØñÕBøŸ²Ð[†t
-ûÜl«ïårVC벶Ìàš-4A‡¿3€šUƒÓ‚Ê}êG|Ñ…Ÿø½Áë„]I&Üp~,I„é±3Ò´êcl¼hTÌ÷øH lhþj±´ð§8á F35JË…÷ OH¥…:ÁÃÛQg>sRŸh?t¡;›jJ‰ûýH ØõQê-Ôù~Á Ú˜@1Ø£ß*@³/¯ë|[vÌ¥ºŸ0Äü–ÔÊ“}ª24?ˆ@ Mo£Çì/ŸØòïk-P &l÷¬&-0B`cŒí¸®)É ‡ü縮u ŽèZ„¢n°¿}˜Ö5õ$@§ÞBMïëšfÖ[W—þߣkÃ] u ¼°yX׬
-ÃcNœ{ u‚1¶ãºÆA5]bNèZꈮE(¤Øl‹¬YäTeõ¢Þdùødž2…4(ÇÙh¡&øè)ÒÌHnúŒ„>‚û
-0…çÕ-=ýÖàùáË žüíݺùe
+1689 0 obj <<
+/Length 3726
+/Filter /FlateDecode
+>>
+stream
+xÚ­ZÝsã¶÷_á·È3' LŸ.ßÕž¯ñ9ÓI“<ÐeqŽ"‘:û×w @¤DÉÉ´ãñÀûõÛ%Å5‡?qm4ãÊ&×™M˜æB_ë+~ý c®„§™¢ùêûÇ«¿¼WÙµe6•éõãr°–aÜqý¸øeöîooÿùxûp3—šÏRv3×)Ÿ}wÿõXúy÷éþý݇ŸÞÞdÉìñîÓ=u?ܾ¿}¸½w{3F ˜/ý
+g&¼¿ûÇ-µ><¼ýøñíÃÍo¿º}ŒgžWp…ùýê—ßøõŽý÷+Δ5úzœ kåõú*ÑŠéD©ÐS_}¾ú1.8uS§îO
+ˤµÙõ\%̤°Æ€ê„Z!µQpÛÚ²TIo[ÊÁm í$½ÎTIânû¾íK:¿Ê{j5ív×Ô¾ÿôx÷þgjo¶7ÂÌڢ캪y¦¾ª süä|‰D˲èËõ<½à3bÀŒL4KlšÁ E•×»§2--3Yf<;‘g\ƒâdÎdD2­žh>¤¢ûSÚ¨pÇeþ¥œW¿ïÊíËñÞB&RÒÅÍ#ÕÄî#é$Š -Æ»ß5p…Fõ7É̼_›€´ÜÍÃX»é«¶¡Ñ²ÉŸjwï0ÐUë]÷$*xîW%QµO][—NîÐýÃýgjÐ!Eÿ²ñ£w?þ¶¨²ÙÏ7BÀˆ æ·*¨˜äN+˜ÕZ:æ›òk¹%X´¥×“Ázî90Ù6ge›¦–e™’—e;¤:/ÛHåd[öÅjþ\ïÊSÑr˜ššË{Gª‰ÍG¢U oxÜý‘$˜šƒÓlû¼ŒàÂUªH Û_<´@œµ$f¸“«2*õæ28à<å|öR851“2¥Ñ¹9E¾ëœÁ¤1ÀUWnI–ØÙÒoÞ÷åzÓAèt;’J@73ÊŽu‚x‘ÖÌœ/)»vçŨ·hÝΪ§ßEµh¾óíUþÕOٯʆZEÛtýöÆÌv…×zÎ
+Æ­ûôi¶%g‰Œv‡"œØÞB,ÍB,Ý. ©¸™#œS—%™‰w5m \¿¶ž¤‚øVæ‹óF ,Þ|) ©.e rro»~Þõ€Óº¾*N232ir™H5ÁÁØ(Ai–Yp2ºCttPz<†Á_ ¿”åÆ»]AQ~gpDËvë§~%ð M<ì8%E`,†ã—
+˜ÚhYÛ¼ ‹
+NÎ7D½?[÷†žw]9U8€
+œH¨l¶íWÀФ°§VV2Iú:௞D&L¥ /ÛÛ€ê‚Å*gsUS­óz¾õYÆ©wÍ€CÄ—YˆT<ŒƒoÊ bÀwˉ˳€3MúB¹„r¡³tÆ Cn­gбm(Fèt”WuDâ}¬xVX¡ªkšÑ6õ õA&GÓlèHË廹‡é€ñ¬=ªRô«€8® ðžr0%ÆÉ"¦”,*’ÅŽúý•‹ab‹º©ýû®:d@ò+×¼dÏÎÆÐÓÔ峫8ÕWÌ
+Ÿ]† Ô£»‚©‚MÙä!]ç/1¼PÉîk¬ñ•!'Ù.±Ê×ÁR—G^Þϼš¢ŒG‚=(®“ÿCž¡2Î4W¯„¹!Õy³‹TÎìàDßyá²ÆÓ'˜²R_f RMp0:lš2•)3fÁKÌjxЦaÓ« «òCÞÕCˉÓuxÌëÚ°I?ñ:*Y 7Їꉎ×@”ïîß~¼%cÌ(‘˜A uìÔà¤"}­ZªäQ·Ó(è&‚*4B€°f‘û5œ DX£àuüÍ>m”×ûü¥ kl+J½p¤l–­¯#uG»ŽtT¸q…¢ˆŸÚ~5†`ëÀ¶/»@’-#i,Ô,^àf«ÂG« øÌçÏ)²HYª¬}E‘T9P‘uõ˜7ë¯,Z]Þ7RMl<6ÖŒ¥6MÇ;O ÁÄ
+]4¸}¾¦ÆÃP.~>œ0!—“u‘¯Ï¡ž‰¼%LœTç‡Ùš7§Õ¹@õ
+§«y
+ÃÕ‰·"XI¥MÔ‘csù[á0¹RI()&Ñ `ûPZL°nÛôúÇ’¢„b4õó§·Ôøè\kº õ"¨7¢“ÆÏw‡‡_W7<l×ÑC<üÑN§
+CÌ
+G°»½žHŸ1aW”tº(¾ì•ÉÏ„op ›—ß6uUTý—IÆŒäÙŸà2ð&#¿J¾'tŒå¥‹Á#ðR{à¤Mi‚æ‰RØ]¦3êQåœ@TÕI6ÈŽÑMßRb” czÞzÄÁñš\´ŒhX“oöê…EýLÈ ^Ö#¢É”³TêdgΨq1Òe8(Àˆ±—D­§’~]Ù1š±ÇZ80m\XBÄô›¸€2ß4ÓJN°æäR^,þ*wدªbEÍ«,®…ïºð ûv N¦»Ä $ìŠñ$㸪£siìùëJ3ô1‹è¶eJu˜¼owõ‚š>ý2Æ][¹Ä/rzgl [Âp¿Û6~
+U˜ý°am/¬Í¬ò£•ß0¾}„±®”ÚÅÅÖÓ#C*¶y·: »D†…(þJItHuvEªƒÎûvÞµùiA_æssyûH5±ÿ¸l˜@2b`Òz \—Á:ú6|¯%¹ñŸo@£X•ÅlZ¡q0¾Vë¨ÃAdnÙÃïÃCWö4;ÆTDèb"6\Ld~¶ûÞ„â¾K‡ø,_¦ª_£ ï'DA•‡ýtŽ,0pzyȤç>.cãìÿôp÷áîc4=ç~ñªoÖí6›–Ô×oi¿¢m° HÙ—TÁtã²OÊTJ‰’J=ƒ*›aJ¶vï:°ÛǸPðÓ³Ïíº‚’Šv¶j÷¥OÕ}ON3QÓ± K×øòÊÇxt';lú»F¸E¯±xU-
+Ó!mŒÔÎ&ð“4´‰óþ‰
endobj
-1295 0 obj <<
+1688 0 obj <<
/Type /Page
-/Contents 1296 0 R
-/Resources 1294 0 R
+/Contents 1689 0 R
+/Resources 1687 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1282 0 R
-/Annots [ 1298 0 R 1299 0 R 1300 0 R 1301 0 R 1302 0 R 1303 0 R ]
+/Parent 1686 0 R
+/Annots [ 1691 0 R ]
>> endobj
-1298 0 obj <<
+1691 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [154.2681 743.8714 203.5396 755.9311]
+/Rect [182.6146 300.8791 231.8861 312.9387]
/Subtype /Link
/A << /S /GoTo /D (notify) >>
>> endobj
-1299 0 obj <<
+1690 0 obj <<
+/D [1688 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+1687 0 obj <<
+/Font << /F37 1026 0 R /F22 961 0 R /F21 938 0 R /F48 1238 0 R /F39 1161 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1694 0 obj <<
+/Length 3742
+/Filter /FlateDecode
+>>
+stream
+xÚ­]sã¶ñÝ¿Bo¥gŽñA|tîìÔž¯µi:IhŠ²9G‘ŠHYq}w±
+o¿Ü]†"Ž‚›Û^Sí‡û«ÏŸ¯î/Cnb|üûÕ¿¯ïiH»9¾¿½ûD=)'&½¿¾¹¾¿¾ûx}ùëã?.®ûµ ×Ë#‰ ùíâç_£Å–ý‹ˆÉÔÄ‹=4"ÆÓT,Ö*–,VRúžêâáâßý„ƒQûé,ÿxÄ„Ôb†B h8‹Ó4^$qÊ´Ò20«aI2ŠÕ%7ÁªÈ;lë YQ^•Eíú~Û—<Ø–E ü’‘>fùKY?ä:{£JÛ•UåfÉóÝ–z³Ö•5 ÆA÷RÐ@[l_ ø8þ7÷MYwŶÎ*j5›b›ueSÀv´»ü7¸rÎÒ8´´–vëîËãíÍ©ž-—[Ä[´n°jš¯»]‚‡¢ppUÛàœÀB>`!ך¥F(@…VE—¿„Ïð…`‡ìV†)n¸Ížš×‚Mä…³„s½H8Ì+sb (BÑöò9ýðPˆv»Ê…ŒLؽm
+~Œó„E\Ëóè{¨üÃõr¼O=&à¡è:+"2J`ËÖÕw•Ì Kt;Ž½í WEú Ø[Ià ól×KAâé%É!´e[ÔKªÝ=PIò7¶\¶ôiV5žè}Ù½Œ&N‚‡/W6þÖ
+aÈ…f\%éXWÍ–$«.žAx_½œÕí¾Øzñ{|qÝËb•íªŽe;Ã+JœðÔ‹WÝÌðÊã'‰ðy{ ÁŒ0ú[¬•4Öøšyk¡Œ0éøô\ô]s¹ªÿb<Uè© uÄ™ ê©ë9 V-a kb¡!1è¦]ëÝ€±VÜr#b±ìU÷Ëe¨yðÿE01ãléBó˜)­¢^ü¶à,Ri* hP·k=ðÀv|w»‹O ¬h1\”›8Îl¥Çª$ÁB+¹ÐB€AÆÙE5(‰ Þ.E®Q®7U±],]GM¥sfPK'[¯tÊ„IÍbÈÜ?·_6B§àóƒ«úsÒŠ”ƒŠ$À0$<9oãD³(æéyëØC!GÁd„å2Ü4M5±‘aI”Ä‹á´SÛ衦Øe:ÒDØP\èý£5‡¨âÍýY¯îÔ÷Ô6UÑ͹`›ŠµéÛIð’Uûì­õõªÉ³®pMðäÛ7ªÞ~r}+kÄšµû€
+dÍI¯«˜ÉHèwöe
+ö/eþBß¹  Xîà<°ÞP6dM
+–äI¶{IŸÎ
+n·6„8Äûý"¶„nÞéÀª¤Œ ä$¸Ùˆ7”‡G)S2±‘·Ïέß­‹‡‡ÌX—ɼ烯0œM¢s¡$ÈØ›!‚‰•ë¡Þ¡c:ÛlLè­¶J 8¬÷$C¨Ó¦½‡ê]îïàkŽ§îÅÜœG즈GÞ6ÕéI>FLÎV&iïl±Þ÷v¶©`’­NôñDÁ[³£ êÂ
+5Ô¬ôC¹,ÛìÉJ=4nº¹gTl²-ˆò®Ê¶4akØtl&žŒ<G ʨ8‡–›Ö)"Ç‘“²†cÇ:;ˆš/çÎĹun¶Ík¹<ìÕ±‚:£¼M…/õDáЬbA§ãLnøŒfyðp?#ÐdzÎè•`ÜS#Áúƒu‹GäL$­‡z‡Šélßjp¤6,VÑ7³¥‡¢É¼Æ(&'8@ñWz¨wh˜ÎvÞØÈõR¾clPgŒ‡šâqò ³½>‹½‡šA?öð NŸ#ü½
+oAŒ$¦ÂØ*Ë˪Ä3-µ«&[Ò Ì`ou “NñX£#”Cm7I¡âǻ۟¹oph[/YèѽÐþÀB(CPP빨ñ–†dÁå. ;såÝ#•viP~úò@•µ½R*ì“ n¸!¤¨|j0+5G%ÔNí?O(Ùùû_Ïì?ìªéS[ÎÒ¯ç;·„øIÌàØ•þA)¯d(…Ñ:\.B2påGLJºØWeís†Y¿½Ç¹Å</6°Óü•ÆòÈÍe7ËçšnMŠåi[
+‡£Óô[:€:cK=”½Œ[.K$)«ÂÕ¶Y‡Ù®{ùÐ_Ž†rlj™1¸¥DšóöP3$ŽO2–ù|L£O¥Êñ¯¥FÞÔdL¤ÒeYRL ½d¯¥=1âG+*Qãl kl¶hðò‰F°(ÆHo¸ëÞ+YŸ¢ÆwUÖà
+\Ó‡£‘¡<Ø•0ÚoòQ¤j;{ãA76‰ ý.mOÅœ`XVQš;¥$5.7j»|>Ý /< „RóæHUìhŸj7ξAßð{ã“üi`-ø/Çä¿ ¯mÖn´-»]æÄ>³1M]vùøî†`¾Üb&ÉÞ&Hzî
+q#g´
+¼›Ý^k³ÿ€ªIŸhÌwÛ–>˜d)œœØø±â°{å‡(iÛÅàQÅ€‡ÓeϧH˜´Ž“£pø >ÃókÕ<ÞÂì³mM±4Ö`ÿ²çbV˜ÎqCf¸ö'‚ùã&DºâÔK‚„qÝÛÇ,‡h’xÀ•U^ ¡B,SÂÅÖƒ‘¶ÎÕ~:RLå™tóÄ“g3…—®3'á¨
+ï<Uö­¸˜&ÜËéâÿ ëpendstream
+endobj
+1693 0 obj <<
+/Type /Page
+/Contents 1694 0 R
+/Resources 1692 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1686 0 R
+/Annots [ 1696 0 R 1697 0 R 1698 0 R 1699 0 R 1700 0 R ]
+>> endobj
+1696 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [80.6033 237.2629 144.294 246.4782]
+/Rect [180.4479 508.2615 244.1386 517.691]
/Subtype /Link
/A << /S /GoTo /D (statsfile) >>
>> endobj
-1300 0 obj <<
+1697 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [265.4578 191.3384 326.6578 203.3981]
+/Rect [265.4578 462.9269 326.6578 474.9865]
/Subtype /Link
/A << /S /GoTo /D (server_statement_definition_and_usage) >>
>> endobj
-1301 0 obj <<
+1698 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [367.5441 191.3384 416.2908 203.3981]
+/Rect [367.5441 462.9269 416.2908 474.9865]
/Subtype /Link
/A << /S /GoTo /D (incremental_zone_transfers) >>
>> endobj
-1302 0 obj <<
+1699 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [280.9692 160.0192 342.1692 172.0789]
+/Rect [280.9692 432.1776 342.1692 444.2372]
/Subtype /Link
/A << /S /GoTo /D (server_statement_definition_and_usage) >>
>> endobj
-1303 0 obj <<
+1700 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [277.6219 128.7 338.8219 140.7596]
+/Rect [277.6219 401.4283 338.8219 413.4879]
/Subtype /Link
/A << /S /GoTo /D (server_statement_definition_and_usage) >>
>> endobj
-1297 0 obj <<
-/D [1295 0 R /XYZ 56.6929 794.5015 null]
+1695 0 obj <<
+/D [1693 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-1294 0 obj <<
-/Font << /F37 802 0 R /F21 714 0 R /F22 737 0 R /F48 953 0 R /F62 1062 0 R /F39 899 0 R /F14 740 0 R >>
-/XObject << /Im2 1051 0 R >>
+1692 0 obj <<
+/Font << /F37 1026 0 R /F22 961 0 R /F21 938 0 R /F48 1238 0 R /F62 1361 0 R /F39 1161 0 R /F14 964 0 R /F41 1218 0 R >>
+/XObject << /Im2 1350 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1307 0 obj <<
-/Length 3849
-/Filter /FlateDecode
->>
-stream
-xÚ¥Ërã6òî¯ðm媈!
-“Ûæ×0ÔƒßÇ«Cãt(±ôà™¾º™
-ÈŽ4§Äã!ç€w<ÖÏ ?Wµ,°±K’dÖ5Q˜#…øÍVCG|Cì À‘_A±Ç¹®Ð(²¢“ÑFŸÎÏ„`
-.Å$Éê¶îZ”Nð…ÅS[mY4w… J$Ûb4ôwpÜY“»Ëô\¸3å„ FD^Ö-‘ÀáÈ_gkq¸=Ú“ \²ç/Ƕë*Û?Ž¶édˆ®êÚ›é…kpšËÕµõ“èÛyO;c«ê­h%
-Ö¹ê¬W=úYž*¾+€TÍTíg•û¢ìKöú=
- p¶âp$y×!èÅ¡ZE«ˆÍ¢ûÒqk×Þ¨•ÌF‡ßþÃ_‘ìÖ ®µs[íÛ®Û> ´1Ašå©Øí]ÛBTP‚¿´óY$‰É_('ÁÅ]ˆ¸ïKZöÁበXm•âù•ýªu´@k䙊dg<t†+ò÷PTµ'½±ýéÊ(SG;îBôëUÓžE]·CwºR‘šŽóS ýÈ­Làó…«[øc‡=ѪKÖkp«©óª3ú…9q¤1„–3]\>¬Ž×"º¨"`ø^0@ȦÂ÷lëÙ
- ‚¾4í¹˜}"“ PpÃ#Ú EõY–ñf:MÛs£òsdd*T@“°gølûMÚä‹S£=1,®Ì"áT&ÓFXÑ´K’:‚|…Q¶U‡^§ã ÄÖÁêcœ‰p1ÎnêˈkæíRØ 'èÔºjVF˜Ù
-+š›!6d DÈ l`Û2Æ+•˜0’:î8=·=Q>‹·™„ÐBƒdô¶!QÁÑ¡óãøÛ`˜ìšCâ(ÑÆìFÊÍ<òð³ÌꩲçIŒ;9ümßÛñÇ#꘭ºN8r%ÀÞüÐK¡Pa¤Æ¼-˜…ys®Pàeõ<©lx´eµ{y]ؚΚžl9œ:Žø`‘ÅM!LáâçŠ ÈeAÌÆ-ùÚæ¥l€ê±i½
-2D‘2d^zꋹÂFÝ>
-Dbqj8X€ÎÌ_ñh…éó[܈² S‰K –Nuõ+·¡Ò@%ÊÙÇ¢„p²æàXOU6rj fY¤%¸žŒÌvë©q˱bF¢˜ Ȭ›œU$q§šÈ
-kd]ûe8¢Å§¡¼ ”å[²â brR` ŒÈIRâË`“ƒžR.C•¬>tÂú‰5ûì‰Óã„ã^I©–Ôƒ‘4Š“ÆP{𼌥]V3ÃBÆog™PÌGb týnX–0ÎmÉÓ°ëiŠƒøO¤’€<P³ªPõž,8BßÇ÷ ÐBfÉšèØ
-çÂ:ÙÏù´…ÔÝ»?¡éhÿàWlž'Ôm—˜ŽÖÍ¢ÉÈ|NìycŽ´CÌ_ \†ã¹ðQùÐ;{:5ÅO
-%¹;B¦¿cdN„ÈOœÀkî$áÈÅóQ'3ÊÒ©l†ÐvæBŒÈ ¶º¶ü‚™LÏ]©§ÊûH®– ÏxIT{‹²Ø…oaƇÞr{&V&ô²‡c(V2cºÇ†'å«ÐCÎ9ÌŸB6®øÝUÍcBk
-ß·gûÄqåWKÞ$Oƒ$2.ÈF¼]ôo^Š xÍ+VÕ¼À»ànb†]ͬ‘¢8G)…®Q!&¤b™]Õm "ÝR£p±#ä
-s¶"1Ä‘‚˜<èä”ÈsH±«ÔãÈtñÍ3à S #x«y
-.a\N(αºÉ±xHF@‡XÔ…Å˵v˹žOIµ7ùˆÆZf!ã:rä=!eQ—C]ôÎP~õƒ>³#_bÌA{IÖ,NcÖÑWPdͱ|”³g^0”uûøÈojR"Œ\‰0Š‰ÿèø_Pl®ŽAÇÝ ¶%”ŒbçUÆ"|!m­,Q²ÁFÖ§Ë9T}ï( Gß-¤+ûI[d‰Ž'Ýr´éŒÚ…HÌ tS‘Xôàß`IJè_†±÷rU/hz"ht[þnd˜Nq¾Û(ÀÛg°ñUÉhô,…Á”ñÏs¨SÎÖ¢f`ö¤i½Äˆsµ¥ 54ô”ƒ_NhøÇÊK}hƳâÍêÝÇŸd…F {h)3„6DÝp²ö‰œáêI”äô‰ô †²ïuR¥Xç^z(b?¤Yñ°á;ì”4GÚß°D9汶=Wb3ª
-½ØÀ¶Øhzœ<©ÆzÜz®Ì´-Õ
-fH\óô$™e¥D2: 6fã·Ý,àëª?-‡{l£8“ÆŒBCŽ›ªq!¥›8®(ˆøë TºèRØ;¾º{ '™¥Çô»å¨|áLZÞE\FæßêíáØžŠSåªZ¨b%YA®k²„M§ì[÷8Æî^]ÔqÉkW1냅
-±wÞˆjžB2È×¥µ•Wa|0ŠÔÅ{Ä…UBÊSŒ»Ë=Xiú=äÄ‹ÕüUfœü½òË‚Ý Œò¯X¯¥‘ø[ƒX_¼u™\aKSy‡JSÇòÔY’_úNUá& ‡ ñÚíqL6°M÷‹ s‡Ðä%d­ÀV†ñø²Ã®‘~òò|:cèöÞ8`”Eî€åpr×á<оè.³^Ñ;¯¡ ¿¿BfôæÛ¥£¯ý¾Õ@êh)ôKüß¿}¥É2½¬’&„쌽#
- ÒKÊc÷üÐéÿÝÁ’endstream
+1704 0 obj <<
+/Length 3806
+/Filter /FlateDecode
+>>
+stream
+xÚ¥Ërã6òî¯ðm媈K
+Bã…1R]}¹úÏ°àd”¦®ñ/4‰&:^a Ö*ÚAt‡©mˆEÖe7[g®šæ©?¶Ð ÓÍCß14«Ú†[ç½­y1Ëú‘Áý‘ÝÞÊŒº=Û2˜™ts¿/[*eõ¾í³ªzaà0±°myºQÉÆB„ÝgÏes’ɵ[¹Gß*å¥a¨éYßí›SÙe]ùl·M«ãEµöô ÔPNÀës—6ÆFÞœžwµm[6»%V–ï‘2l3×°U
+:P%ý¶·Þ@aâÜ Rø ñO«`ƒS•ÙÔÙÁ2`  ´ Àê¦Þ
+Uý©…Cщ
+›3Þ#`Á{2KSƒ';Ä?úÑÜ"”mÉÔä šªÇ›™‘”ƒ¡ô.ÜŸïù!xf°úž¯ýxÝÝ ÒvŠÅÞJ­¸û sȺ|¿=dÇ£-¶ 1' .aA†ö}/J‚ôm:¬B¦‚¦ýЋ¢ÈÌ)¹Û±LÉ”f/ ý@ú… [:áØKN%P“b’kHØÀ÷îÓs çD@Š€HPàØ|/-Dn‰ØãzaØú©*ÛŽäo«´†ÈÁ„sekç„ÜwZn…UJZCÑ‚ñ"‰#«îqÔ•æè¤ Î– °RHðŠ>gM­<7§'FgqoúZ02þ<ÙSm+§¸%c§d~I9rš´µ½Q›|
+¼ î&fX¢¼º‘¢8G)…®Q>pÊYæÖ.ƒH·Ô(ÜcìX”mÞô§ìÔ+&5 ´gT¾mR§X¯›Ô ŽŽ±ê80ÞfðÁó®fA‡
+QWMô6!Ö
+%3+/ÀöÎH`ôÈ%h3 ‡cz€dÏ )œ`—lIâ­”ç¸õ j:–Ù œÀîÚh4-̸ŽS/H#gÈ·[[ãnÛ]‰ŒÚ²Å4F{iš…ÁߊØéÈK “‡Ó¥ÁÆ}ÙBC^0x-=«GÁ8ç8ddÜ S•5†™DHwƒè¼øù¬ +ˆd'á»·Õq±›r$gŒ)±'Ö; q :µ;ÈÒä¡oò£ÍÞK¤€Çò™M)´Z<73<H4Â÷»_'¯Jp?2Ú×û/èÀˆì­l ¢e”‰‘<Y‘Ï:ÛÿŽÔ×vÞš {êûr`ºà/A¸‹@G¶³
+–(W£™ã¤ì4˜‰HEl&p´°»¬¯ºa³KI4*
+¤h¬Ïº‡¦¼Î«¾°b†B ÅÓxn‡€_nßÃe'ñÃŽ¬ŠçÓiäâlÎ(d†Æ;øã–Sî1¥B¼!‚Na+Kv&–z,dÃ*|4ÎZ;·ƒŽwlqùã±*—q$k—f¦tLÆhå¡èT,2»±ð5+ˆ­¬°„¿"ŸqªŒ\æÃÉfOÛ¢˯i„òâ!Ë×\T?e„ßغà7~cgà7¤úþd )D"“AíRV`_™~&›wmûÇGÛvõnå…Z/|79¯HÉ]J‡j à`ô=Ùv†¨LSéB`LQ¹có/K=XÎûç{ ² @ 7»&o*)QÈŽc8s
+àNÞ­%!Ä9t…o¦ZÑæ`ó}V—-…µ!ø5Ã-'s“4}ËmÙ€(52„µ5ì°Ð†NÉÿ[n‰¢Áॢ 3IEKYY¬dK_k¸Ì5=™ÔHI«ô¤œ
+m‰õ õи–x³é!Ò„’Oê`TèÀe€Ð @Ð!¾áz¢t@´Ó;€
+=+ÄKR6Of—âƒ+Ì–¹´«TN¶°uéü«ã´¿Æi_‰±d'¥s ÎL““ ‰È·…@EÓ Ñ íXIt`¶sÅ´˜¨–Šð\ɲuµ©æ@¬ˆ_ÌQËCâ ¤‹ïxÎà±VI'Y¹…I˜Ë× -Ž¤$C, v2Ђ¡¡ãÈÙé4.u€tOðE}P[®)]Sšáô- ]¼Ž¢Í$®fp#Á“Ð(ßÛüiQî[–UËñ…+%jð›€zI½šúMø¸C+ Ê¥¾Å1Îp)hUoWWÇÂjš¾6ݽy,öMNp%¶NÊÒKÛ¹bû†G­YõÔ¶NoFV¾­z´å³»—™r¿šüƒÛðT¬ÞÎý'H¯§þ ZþÉ1 ×Û °ÐÙÙ“­óËšª‚},~¾EË€tIÌ,šj_ψùex$˜§â)ÖøÍ›Á±V­…s˜JHfÂd|í
+é2„€s£(ÐòKUÃL4•Œ–G2`ò ?’P"Ï!U¨( Æ‘éâÐ L°Ð~BÍ[aÚDoJ0.'W{ä*›‹‡äÈDTLqúµ¸rXŸ8ÒÓ)éRí3éˆÆÑŽ}.AÝxHÈI\Ê€åÖ*ï+ÈöÎЖj›Ðgv¤›Q†ù­.§"f‡’s¯£ÈšCäÉÄ­¾2W „‘¨ºAÀ¶*pµ” $6þ£eà›ëƒÜqw‚myA
+_3®
+ö\Ρì:GSø͹n¹<n³ƒìƒ"ÑòĬ]dréøB$È"Ažc"«>á[ªÊ…ìo8V€Þ媃 é‰ µÒmøû Ã\gÆ)®dŒmàâ¢ò2g4\r;”+)†“â!h†pf?€4m×.õ\ô0íN–}ydžýóh9+õùeÃÙ2)‡›ÍûO?Ë
+µ@öÐЃ0´!Œlûƒµ²Oà ÿh"ˆÀà &hZW¢ì: >¬Ü½ªxšªNgn Š‡®Ek~Ñà K5ä")&\ìǫ́*7dÅJã:œ¤¿®¹2Ó¶ôéíH’YWJD £³"»î½f7{çiË¿,¿ò°’ñä©HhHᡬÝK’›8®(ˆpÄʽ%¹G%ao:°p°pò <`»¿BIWÎ$›]k=›Sv*‡(T,'+ÈyKØtÊ^Èæî^ÝcÃ’×î‡2\] eÿÛ˜aá›ÓÄ3c%HŠƒi,Xíʆa©yèJž¢— ã™4Š&N¥rÁƒJŠì$WkóÚ7‹ãWÐU"¡%ÞAl`ZîTOUÒ>ïK²îi<y \¶ÈxzóÛÿjÆÆ^»Rn·(¹J dœfÕZñ3I½X 7ô:¿µ—êÈmØœÖØ­¼$
+ƒ¿cwèÅƸˆŽ,ø¼:…ù6ýÚiò²v·HJfœúÅåÀTN5Š†“j£ÌÛQôéõ(Ú!Ç`Ër;òm4Æ‹’$ysëérïYÐ$^ûj¶ùýP–~`i„Y)BÉ ´^šžqäá Zx€cåzt–‘XtТñG Þ`âܯš²xÓÊb;2|‘Þ°Ò¯ƒÅ ìÒ,!å1ÞùÌ4U€RõJ}2»‹¾îg+vÇ3*2ó| ª‡C:"e˜Ø½wŘ_<rCX;KS¥¬ÌÜ„þð@|v3G³ lÓýâÂüþEhò È­[é‡ñâ5îŒqåÊãO
+!D!á‘YR>ü<÷’ôÿÚßÌtendstream
endobj
-1306 0 obj <<
+1703 0 obj <<
/Type /Page
-/Contents 1307 0 R
-/Resources 1305 0 R
+/Contents 1704 0 R
+/Resources 1702 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1282 0 R
+/Parent 1686 0 R
>> endobj
-1308 0 obj <<
-/D [1306 0 R /XYZ 85.0394 794.5015 null]
+1705 0 obj <<
+/D [1703 0 R /XYZ 85.0394 794.5015 null]
>> endobj
-1305 0 obj <<
-/Font << /F37 802 0 R /F21 714 0 R /F22 737 0 R /F48 953 0 R /F41 939 0 R >>
+1702 0 obj <<
+/Font << /F37 1026 0 R /F22 961 0 R /F21 938 0 R /F48 1238 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1311 0 obj <<
-/Length 3367
-/Filter /FlateDecode
->>
-stream
-xÚÅZÝsÛ6÷_áGy&B‰/|t§çN㤶{×™¶ŒDٜȤ*RqÜ¿þv± Š” )¹væâ™\,°‹ÅûRž'ð'Ïm*Ò\åçYn„M¤=Ÿ=%çÐ÷Ùdži`š¹¾¿?ûî­ÎÎs‘§*=¿_ ær"qNžßÏ›¤B‰ ˜!™¼~óöú‡_n//23¹¿~s1U6™¼½þéŠZ?Ü^¾{wy{1•ÎÊÉë]~¸¿º¥®”çøþúæ Qrú90éíÕÛ«Û«›×WÜÿxvu߯e¸^™h\ÈŸg¿ý‘œÏaÙ?ž%BçΞ?ÃC"dž«ó§3cµ°Fë@YžÝýÜO8èõCcö3Ö «L
-–ÔB¥RÇ­,E&%0eF
-eÕ[Yɘ•Zy^·m9›–uñqYî®YªD¸L†ÄÄ÷\ùj _*+œÕj¬ÀIž*§&onîî®^S»Ý¬Vͺ£‡ªFÕvÖ#•&»&~¢ºx*çÌ6«‘ç
-=WD‡ÑrÉyë) ­uÖCÛ­üsÕ :ý
-°ì¢ÚfrrÓtedJ
-þ¹)×/ËæaWpž‰Ôºü¸àÀ<Ú£D‰3‘ä»U9
-ÌfŸiÎÑ)åœöm”1oÚâá&m
-<𙚼… ö±%PÞ¦–!ˈ"’\ýÕÔ>}ÏÂaÊ!©U,Ú8Å“ .kQTËXð³Âärj˜;®º‚Ó–gµ]B‹%fò¢Ôýƒš?ë:&<²Qͽ¢nŸËuËàK¡:ÎíŽOƒ}Ò<#¿ÅàáhŸØ$Zc*(ÿ\ÈÆ׌Ә+÷e|pZ0ÜÍOG°ÔÜúGÈ”šut+r•y6tç0iÎ5ÁÂÏ"Š= ÊNØÄM6þªTOÞš@^–Å’hMÛñùÆï þ„øò$ò<
-îGNƆ‡±ïöík"Ã6ñÈš¹KOœ’,”'jæÕt|*[£Ý8RÑ4Р±j22ÉŽoß­} vÆ› .~V«%¹ŽÌ·Í4û 4ϵwr@ Ž© ú½|E]—ð(äsôîW"0PÙ!aB‘:9¹îˆ‹+/¸UC³Æ«á7>¨<2TðÚ*³A9lŸY;¹}C×_øß%‘|x‡ß›»WÔ¸{É­w¿rƒöûn/¬ü›ö×£õëñcüzT–âz.ä„–„Ï>ó=­UÄK¸Ç[>³'šˆÏ˜62JM˜¼qØDÛP«ªçæ.óÀ\tÜ~yÖb(*–'X6ͧ͊%,F¼álÑzš]"Pg~,zë9'kgw×7ÓË7onÅå퇋\y¨yò‡t—ä:w]ßÜ£W:˜Ne ÷s4rN§z®í‘{ú²WHäÂYÈyŽ
-LÁãB€û]F’_£d´€”VŸLGÇø!À´,Ö-h†Œ‹~"&ôsýçsÎjü)y¸¥ÐÃ( 9 ×ý½É8]¶‰È·×›_.AÚ{¿TŠ‘P‰i·›¡­š¶­úÒós±Ü”Œ±àØ#ÑR
-ÓßžÊ;2A00¡ŸˆÄTˆ_6ÓÿC˜‹ÁVgNäRGí€é0hÓ³ÏÕr>+Öû÷/*ªÆc²Ͼ쑽´„íQz$œ
-
-úA‡¦>|p%L˜»¯´†\GŽnàڞݪîÊØÝ—ýà ÅybËLùãã›åR=VàC¹ÛzT%èj=ž!ãiŠ9Ñ ÔÚjéY¼ê-uùs¿BØ „»Æ^8¶£dH\€êcüò¹}²FG؉ԥ.Z:mÓ(¼‡„<­_þËaŒ#‚÷’šTãKŸüqdtvÊŠuP[ËMI#ödD§(¿T-%Hk,I°¶éè6o÷4÷¬C•¥KÉ\.csa›Ûu?ÁŽ¦^¾PwUOyO<,¥pÂÞgAŸß*ï¿¡-¶ò›M7mý4Ù`šHz¸ic!¢o"¥ÞfN½D?ë¾Ópþí•8 |-˜¶J"'xI£’ÈÞa'¯ºÃrø±\6ÏDíš3.ˆÀ‹ƒÖÖ(‰z¶FÁ£xØâk6©óý\9¤/Áˆü$ì
-¯"Ò"K•þ¶
-Êt€é:Î!ö:÷qDÆUßM¸B‰ ‘÷peånÞþÿƹ²Ù \ ¸Žà*p pe.&ü{ïqœ è{T|Ï‘?~£Eâ ^ŒøíºI'+J©ð0Ù(ë3œ´¯¨ïÉ RuÓû †õx29 ûˆ2ÃP\
+1708 0 obj <<
+/Length 3567
+/Filter /FlateDecode
+>>
+stream
+xÚÅZÝsÛ6÷_áGy&BñMðÑMœž;'g»wiûÀH”­‰Dº"Çýëo ðC‚¤xz3Ï„àb],~ûˆâœÃŸ87–Ù\æçY®™áÂœÏÖgüüú~:g™¦C®ïÏ~x¯²óœåVÚóûÅ`.Ǹsâü~þÛÄ2É.`>yûñæýõO¿Ü^^dzrýñæb* Ÿ¼¿þçµ~º½üðáòöb*œ“·ÿ¸ütuK]6ÌñãõÍ;¢äô80éíÕû«Û«›·WÜÿ|vuß­e¸^Á.äϳßþàçsXöÏgœ©Ü™ógxáLä¹<_Ÿi£˜ÑJEÊêìîì_Ý„ƒ^?4e?m3R[°¤b™i# – <™æ,s¼72 H9r¡‘çUÓ”³iYŸWåî’…äÌeb0$%¾ãJÈ—ùB挒c®HòT:9ywswwõ–ÚÍöé©Þ´ô²¬Pµõ©™æ`Vî'ªŠu9lC±Š³<´ As;ù¥Z•M$•AJ[ÓpííaÆä* )›„‘±\É(âMBWÃT–ŸRT1Ç¥\ŸËÇâkT,Âs¹Ï ñ¼ŽUÝâ”çS%%LM…`¹1ÒÏÕÛ
+êíB
+¡2sî¸WBÑ’-ØÅr1VäÒk€QUL¼rŸ4ˇªhšbz~,+êýZn–‹Âtô Hì ĤÕ²ßCìíý^’{U<³âóAßM\îʶõŠ!JÚG@¡U?… ŠÔT,È¡©»œt0sh©b’[•¾xÚ÷™³ÌºÓ•˜v:BõëvU•›P¥’ŠþIf|Z/ô^´m1ûÒD­É
+þ¹-7/«úaWpž1k\~\pdJí'—Ìjˆ¤#ÉwOå Àë×!yaƒI*'ˆš=Ю½y¬·«9uø¼Ž´¶Ø´å¼›%UI ELÎÅéSŽë>\mÚÆçe‹i'eÓÖF˜ ¹31ˆW¦+l=rAY¬ºi `ˆiH9à$Fíæœ%f
+’ÒLÊ?·>ŒKK c$1ê¤t
+‘Ç«?5¬–T8­ª4Bá8+é~°ûn„‚4B(Õ’ygüÝ“Ì
+ªõ¦¥NF‡ÆpÅDYíì‘nv¼jõfÙ>®I
+ðràÈ&UKÿE@ãÕo>>¬Åß•x¸ŒÍó+Фâ€óݽ†®VâqL2+L>ÎÜdtük¶!¨ôÀ°¦>ì¾àæ:ß;î¾®#î¹z÷]Vmù
+|*7`[*Ž×ãNu1'ý쇭^KÏâUo¨‹~>å„°?Bw-D àèG‰XäÕg8x¿ÝÁ†\Š g]ò¢aP%*1L|JÉð£¶f:" x/©I7b Š829; UT[«mI#öd$§(¿-›0” ­ðüŽ-Ý}ï±:GëÐ=Œ³d.—s¡?uÿ0uåËU‡_(LÞyxï€v1 úüVùø =h±E”_oÛi½è¦ÉÓ$Ò¶I˜ãBèáÝÿÔKô³î ç¿Ê0ƒ eu®ƒU¸˜à•¦ä‰½Ãΰ~èŽËâçrU?µ­Ÿã‚aqÐêÂÅÀ(ÐÓŒâa›C'T¾®ŒELŒG"_W
+æ õ…{dhÅò\w1ˆq%ž}ÝCÕ`<P
endobj
-1310 0 obj <<
+1707 0 obj <<
/Type /Page
-/Contents 1311 0 R
-/Resources 1309 0 R
+/Contents 1708 0 R
+/Resources 1706 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1282 0 R
+/Parent 1686 0 R
>> endobj
-1312 0 obj <<
-/D [1310 0 R /XYZ 56.6929 794.5015 null]
+1709 0 obj <<
+/D [1707 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-1309 0 obj <<
-/Font << /F37 802 0 R /F21 714 0 R /F22 737 0 R /F48 953 0 R >>
+1706 0 obj <<
+/Font << /F37 1026 0 R /F21 938 0 R /F22 961 0 R /F48 1238 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1315 0 obj <<
-/Length 3178
+1712 0 obj <<
+/Length 3339
/Filter /FlateDecode
>>
stream
-xÚ¥ZÝsÛ8Ï_á·Ufj­ø¥Çn›ö²½íöœtnvv÷A¶e[YÊZrr¹¿þ
-à¹&$Ö˜P $¸¿Î¢à
-¹?RìÕ! ]š
-7>q]€ÂmA¾äu†Ü;Ï»rµ£.ã®Ë{ m)@'?š‡²Ï~b~B}ƒª.ÆìVÙÃåóº}öË×Üv<ÑÚðE7* `ËëÞçºŒàž õDN»>Cn)B“ˆìõ=×ÄÎP’qh ¤‹ƒ­)p«LÍcWZÇÍDàitÁ@Ùy 6°9V4b:s€„ð
-KúÒœ?#9¦×e8[ëbù£
-M¬å‰ƒçŸ÷'LDí³u‡©ˆFŠ±<FAÆ(Ù_þ |=×R¸ Ò4Œ£ÌklÄE——U;´á>Èõ}ÂÖ›ÛØQ—a¼í.~ì
-¬7žéû\—£™ç²NŒeÀrG”pÇÀItš¼±»çšØ~øü §£ý‡ÅŸþñMJ˜zú èVf*{¸„–`ø&éßF8[ÆçDâh+
-•P†™÷ù ­Î¯Å)‡Ah{D°‰Ëv.ƒP2Œ´v? X¹'ÞHL¨g‚ˆÈ
-õ˜.ƒc:Ù<=YžA|*ô«;{¦ó­‡
+xÚ­]sã¶ñÝ¿Bo•g"–
+oùO»mu³h›bÑuÕøÔBÇQ–‹lÖ_új‚Ùã@heF‰! ÿ~´5\½óí¹Èæ¶Ûmëò\Ìë»î±Ù–]Ñ•ÏQñ¼¶áÍOkŸšºµ-¡º†o?^âÝ–4Ï[Û1Ù#/xw÷aš5!xD¸àRPQ. žVD¹ÖÄ;m½lÜsE
+t<…eLYÓ“Àé@¯­]veã‰z‚dp¡ôV!‡~îÊ®‹]ÕñÊ-27´4I$Q!bÇãÁz¢,’(OTÆ4Ñ ugJó4Jóܼ®x}ªÓŠ¨&o±,–p±ú™ŒMg¯³¨&ø9KÀ½1d„ÔOäÉY(QëD®æ᎚†o}M#2”Ž0¹Ó7Ä£¾ç´ '~tÚæ0<»'k™ ’5⽬‚TE"‚’—œT€<JEmÝLI_D
+wÜ=­ŠÎ.@äËO‹Oí§‚OÁSˆô Õ ƒÓš82¹ñ@‚WŠ%¤”vò@„“ÁØpô¹¨vŒ7á.5“Ê"£Ó7ìÎD¹’†i¾‚å´ž»{`üÖßß~OÀ}Éû—Ì®=%è“= _ÙÎn7emIe¤4cb9tZÍ~äÜ:Î=6»Š½Ö=îZïÇöä©z°µÝ‚a8ñöæöêCKð¼!y¹àÝvd8ìØšÚ:ƒ;
+ G:Õú/øë¬ç¯3§9GÿÌ7»¶£ ï-= Þ·²…êö -)¡Àqï¥4yMÐV4ZT˜%>nh„¶|Z‚A„’bÙDBÚ‚èËÊŠ™i
+¸ÁÇwÃù” çˆ9Æw7Ãé)ŽóŽ †²A7b‚IŽ«†¸0Åu7^t£ÝÙ“D‘|Â@$e2÷IB½ì%ïe`øB[äœ!@Ì{MrÄqžÀäªËM öWeP”õ
+ý¢\Mߧ¡dl"K»ßu#wRäpq.ÛNC]#i¯šŸŽ¤Ô,Ε8Iaæâó”€zšÜG®¿@1êG±‘é0~AW!•‘Îý%U¥» «õÄb"‰L’¤_dö=Nì«^.-ºpÍ/í\A†(Sùv†({f~201ÃÁig/$°go8ûÕ+ÎÞS!‡Ýö°è–O‹­]omû8Õ®S
+üñ« ª Æí:%ôƒ»ó­KP—C>ü®9ùxäAªŒ|U \)Éœ˜ß½û‰
+)…4â=eH‚›À8'#èÿ£÷e…-µP7†üÕ5ïTšý×Û*Ùj"ÒôÿÑGSie(ÎW5¢OuZ#Ußg`‘m]³(k‚ÇœÈXDª’×Y T¼ô-ã4’ñˆ—‹ªÂÖ‚9ÖþJ‚[9ÔŦ\Žõ@Pí‰Ãݶ¨Û’óvÀ“5í7Â,xò ýPb¸)#¡Ø¹ré¯ôža¶ÈSì‰5`W%—ý™™ß£bgèFe©»Ø#Íš†9—6½\ÚŒzÁ-&¿R’‡¥%QÝ Ôîè}Rã\–e_æeqʱ W<Èb3¥Ð ¬4d[E¡áFXžÓ~*\ñ,KÈ_Ülˆ–R…4@—fHÉQU*Ÿfà¤9G O'»B§,3’-w{õ縘Àõíå;Zy$æTBr*!C–Ð<[^á¨yøæO7ÑÄá|ŸƒÁÞVÕd…zåZ©ï1¤¡5âò´–pȶrm Úéœz)÷ «Ú†0µ]Ú¶-¶^›ÑtQƒý4­ýÓy.ç7?Ò —€½ó¾àrªé|ªà££Jýµ"´,vØGL#í]qÁDÎxàY„YÍöØP_‘µ¥$LÕ_£oR)·Æ®:¢ ^’¹ýü¦e—Tö¦ ×fÄ™ÚøL'kÆ—% ­ §«]sgðA‡;œë]7èpŒu´œo(ˆÛüºA‰a+†S²-ÀôÊî¨nˆº·®ï¨eSÿÇòa*SweÄDšKìEy—Qì LPÜ Å0[îàoÊÄqdâØ»ò±oSÖOÛò¹ðgáv i¸O?!ÓñèóY±D….ï±
+õ*|Ö­¨J
+võ¢ä“"ÒFä¯o¨&v¸{™FZ+5Üšz
+r‰ÐdÏé;Ñ€³±6ƒÖ»ŠF\@Ë}%ˆžã!3
+í«iãCªL¹ÎŸÿdÚ'¥
endobj
-1314 0 obj <<
+1711 0 obj <<
/Type /Page
-/Contents 1315 0 R
-/Resources 1313 0 R
+/Contents 1712 0 R
+/Resources 1710 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1322 0 R
-/Annots [ 1318 0 R 1321 0 R ]
+/Parent 1686 0 R
>> endobj
-1318 0 obj <<
+1713 0 obj <<
+/D [1711 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+478 0 obj <<
+/D [1711 0 R /XYZ 85.0394 227.0652 null]
+>> endobj
+1714 0 obj <<
+/D [1711 0 R /XYZ 85.0394 197.3345 null]
+>> endobj
+1710 0 obj <<
+/Font << /F37 1026 0 R /F21 938 0 R /F22 961 0 R /F41 1218 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1717 0 obj <<
+/Length 2753
+/Filter /FlateDecode
+>>
+stream
+xÚÍZKsã6¾ûWè¶rÕC<’ÇÉŒ'ëÔffÖã=l%9Ðm³†"Q²×ûë÷k4@ñ%;µIªR®2ÁF£Ñht÷×
+ÏjDYì“L…ŽmæX?TÅ *^®óšyÕ6Ür‹¥®¦&{ÝØ*¦6Ÿk¸i¶yé»nò¶lß ­#ˆ­š§n6¶l4îªæ&¯ºÞ‰~ÍþlêÖjÜꢡœ¾V/›Çb·+7›‚Ô°féÔ=çÇc¾+ gnô5·L|ÊŸ[ì™F8þûoLg³€±-öLyÈwûr}¨ò¿ó‚[ær~"üÃ÷–·´Ž[¶NQ·B„™ÈÚ¥³ :ïóÇb¸>ÎN9§‹©HðŽâÎ$"Aˆ@B/àxxSWÏoi?wmÙšT k2éGÞP¦„bHXoüø?ëfÏÞZ˜ûl¹ÓÅ8Ôµ¡ EÁÅÂDYF1Ì»»7®zAßñ¯ú¦A?•ë‚¾X“û„ü¬„J&
+eø(4É=×kjL¤‘bf«°2E¹T»„k£¤¤´B`¢(Z~8äÕªÝçëo¼†¯ÅîÑ'ÐÑÌp‹Øãäôjm±x.—ëÞyç
+~á´¦5¢ºí±3oì‚…ˆUN9Š(>O6»=÷ÿý©Ù}ëËoõ†ßhnGº©Š­Ÿ…"”ž,._ßç7eURŒ’°ÍÁ«GÉb&î«Î*.šÉßN'ïŸÜ(JðíË/fèÏ Ø!üäÜ„Æ}ÓzY[èVÖ…˜ µ‡Cii^ÆÌ>×iÌì¸h›nWíqëØ©3!í/ª˜fT §AÁCÈ©Mìí¢]Öù6Éžô¡(q9ÿA—·¢ð„máþ|½7S'vÓpoì·Ì‰v΄N·g笱4éÐ1ö»¼nÉ(µÛ ü¤@’R&ÕIæô'Í™H¨LT
+ä-#=@SÛœû··jPo
+¦äpe¦8­A qQ=†Ž{Ïæ£yJÄá½QZæÖ /ïOLÕ²ôÏûœg¢Ä-Ž(ì¶hx3{þ–ŸäHÔÒKçMn©*sÎ^ÇOÓ¼_d:UæýqŒ%±P± C¬¹\Uƒgálí×r¨+Ú·¡ˆw!ÓÌŒ Ð{ˆ ÏÆÃŒíÙ‡b6÷l7EQàli§6'¢|Ýl·Î³è¥báEeX!îæR·JQW&‘õ ¤­õÃWfÆñŸê`Ž®H›à€¶
+ Ê`úáPÉåÓ}¹¾§¦rˆà©]aDt§2Ÿ|üaO¿Ç°¿/ý8G¾`V àÔòŸ'¹(
+ñùIц•Îõ8#âÔ«”¡Nð I­-ª4ä幓¥"K2ŸˆÆÛ1²¡„–:%¶ù3Kçc"µnü|mg× \Uçu›ê µBia‚`§÷tv¤/›Ä3ppä!|†Â ~©¹FVòöBºL2™ V:ìVá芼îųj&(Îm´ìN¡4æÃÁÈÒÚ‰êTŠ$¨f¼¥ð°]ä5Ráí¡¢wÃàæã‡s$n’Ñ‚¼[&ѱÌ-_&Ø”nú
+Úa+$*g«úqØy!¼)*Ÿk•¡÷×ÁŸz†BYº­ŽPwiyÃ>#ÁÊå5þ«åäŠ>µ„¤Gº¥î&zñëBÚ²L3S¯íÖz´#¼½ÜªÅ‡+Zôå¯ú’Ý¢Iz^©´°ØD±6VIÃçGkç“tdX>¯ÖùúàÜvpRËè»@H·ph­Y¿ø+oÈ¥ç±È¤#u8[ôØCå5š5ñ,c3T•.ú{÷ûÜAcŸm! Ž_9~Ÿ³ú ÷Ì]§km^)‰•ÞhýÊ'‘Žk”tW\ï ðH‘3@»¾ä)®x¤6’C †x¤x„fլݥN&ßFtê‹š]àaÏíÂ`=0ÂÏ.¯¹tÖT±~ BK/ç¡iýG8¢S±âJ[â@ÿ†*ãë$Cu'rl½t¾IÊB&¤f— é…Qô,k*‹]W«Û|íN£ž^ì@ü7‡=7è>á(ξ
+,þ³gis×9a®˜ŠÖ'uº k>—×ÅT¾+CAõ­ßPúùß)XçU´§Û×Pb 6lþ£á·¡©'ŽÜ±‘É 
+endobj
+1716 0 obj <<
+/Type /Page
+/Contents 1717 0 R
+/Resources 1715 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1723 0 R
+/Annots [ 1719 0 R 1722 0 R ]
+>> endobj
+1719 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [367.5469 410.6007 428.747 422.5009]
+/Rect [339.2005 701.7636 400.4005 713.6638]
/Subtype /Link
/A << /S /GoTo /D (zone_statement_grammar) >>
>> endobj
-1321 0 obj <<
+1722 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [483.4431 196.7586 539.579 208.8182]
+/Rect [455.0966 503.2689 511.2325 515.3285]
/Subtype /Link
/A << /S /GoTo /D (address_match_lists) >>
>> endobj
-1316 0 obj <<
-/D [1314 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-358 0 obj <<
-/D [1314 0 R /XYZ 85.0394 649.9934 null]
->> endobj
-1317 0 obj <<
-/D [1314 0 R /XYZ 85.0394 622.3077 null]
+1718 0 obj <<
+/D [1716 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-362 0 obj <<
-/D [1314 0 R /XYZ 85.0394 392.0307 null]
+482 0 obj <<
+/D [1716 0 R /XYZ 56.6929 686.5799 null]
>> endobj
-1319 0 obj <<
-/D [1314 0 R /XYZ 85.0394 366.8157 null]
+1720 0 obj <<
+/D [1716 0 R /XYZ 56.6929 663.4862 null]
>> endobj
-366 0 obj <<
-/D [1314 0 R /XYZ 85.0394 245.2415 null]
+486 0 obj <<
+/D [1716 0 R /XYZ 56.6929 548.1865 null]
>> endobj
-1320 0 obj <<
-/D [1314 0 R /XYZ 85.0394 220.1859 null]
+1721 0 obj <<
+/D [1716 0 R /XYZ 56.6929 525.2522 null]
>> endobj
-1313 0 obj <<
-/Font << /F37 802 0 R /F21 714 0 R /F22 737 0 R /F41 939 0 R >>
+1715 0 obj <<
+/Font << /F37 1026 0 R /F21 938 0 R /F22 961 0 R /F63 1364 0 R /F62 1361 0 R >>
+/XObject << /Im2 1350 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1326 0 obj <<
-/Length 2907
+1727 0 obj <<
+/Length 3497
/Filter /FlateDecode
>>
stream
-xÚÍËnãFòî¯Ð-20êôûœ&OÖÁÆÉ:ÞS’-Ñ#b$Ò©qœÅþûVu5)’¢d“2FÅêêêêêz6)fþÄÌXfƒ 343\˜Ùr{Ág`ìÛ ‘h-Ñ¢OõõÝÅ—ï•›¬´³»‡/ϸ÷bv·úyn™d—ÀÏ¿ùáæýõ·ÿ¾}{éôüîú‡›Ë…4|þþúŸW}{ûöûïßÞ^.„7bþÍ?ÞþxwuKC6ñøúúæaýœ`z{õþêöê曫Ë_ï¾»¸ºëöÒ߯à
-7òÛÅÏ¿òÙ
-¶ýÝg*x3{‚ÎDr¶½ÐF1£•j1›‹Ÿ.þÕ1ìÆ©SúÓÒ3«¬È3)€Ç+–U>jÑO/Ëá0³ÚêÓ¼h^ lg Y-¼`&3[X§ANºã•r& ÆH<_ï˜tØ(Å8¢àxoPÁ‘00cµ@:Á™QRs¤øáraÅüþ—ó£ãð–8Š™…ÍáqáÙo3Á¸AMŽ;=h "¾¼ÞÊÙ»
-ö3ëo)ñ]ôÇYÕ3X!ìW«™ † "£ÀÙfS]
-3Zü¶Ïw`|þ¼XfËK
-üÁr1”à'<Ì_8—9¢òó§u±\¸©–ÙA7ÏV«Ý¥ðs8ë–p™•  <6W‘jU”Ùî™0ïn~"°Ëº)ª²†€¨¸ß­‹Äi›}l™‰ÏcU/P ^87ËA½;ƒÔuq¿Éß
-~«OùnW¬¢¡Áã iœeÆ@•@ UÑ`Éä]%kÏS¼ZoÎY;Óv4…ŠD×éH«d=¾Á*Èö›DW¤Ã€ÌÁÎôÉðºñSÖ2Hu)Ë •TÓ@ƒ2pò…À(΂Rê¯,4
-Ä`APŒ‰abí”8Nži®}϶•‘Z¨ó€€å„4ÖaÛèÂìòå~WÓá^ƒá„0ZŽ\ ¡â¡[7Ö) !Xy÷TÔ“ùb‘2Îëbbiã™7\½fiÔ|_nЃ—…2†3εæºÃ¾À€¿šÂjð«.UG)€–Ö ˆ“mgk€Š¹úXˆÀ™oõXBY0µ¸)§àÚ_ ·ŒÊµ¡§Ü8BVËwi±¿p甯
-~0Û(£<(ä…@t 9†ÍdšjBŒ)ý¹õ;š#QÈB¬uc{ Û¶ýàÇíŒRûcŠO9¡ºðƒèCøÁ!JL€nà –ê,¤: uÕgž§íÐþtñE±éLV>Õao&,RB !ß-rÂ
-¡¸|mÒäÚœ]šŠ¨=çb ’@èʇDsº?;•ht& Î:›h¢XVM?M)ÒCû`Õ I¥OuÚ_;ª ›J+œLx}^†ŽjBˆaëXÁ ¥º¬ì’‹’]rAì(¹àhL.q,Ým!rì®ÒµîŠå¬æ1Ÿ !—r”ObÝ‘®fà³P–òQ ûÚ|2’äsûûÎ44«ØŸ7‡Õsh©æ°\eÍqŸ#”šPîŸ]½£šX^Ž®“‚wn¸þ¨Ê8\rBÎO±±]ìŽmìF¢x€¬÷÷Ûx¡ð»ç2ÛK" [NÀÒ&Û¯&»Íê&O0^qÕ©¹kÍ,DyÊ ’¥Ð”ÌžWy,
-{u~l+Þ0‡©E‚9(°Ñhp÷!]©Üö­¦¥_ô'LXÍßh5ù²)ZWrL¥‘J2í¥Hsd¹Õ 2H¥¡«EÏéË@óH“›Ó¾+ ‡BwoÏûnŸê´ïvTcß]€8OÙn…†2>'0?ªó‚tT’ÈÑ=¬óým»±Uغ1€7ƇÎá|GÜàƒãCtc
-ßѳñ¸Òèµã­8<“â⻑( ^8T‰thR šN £Céå…¶…üò½ö}ë‘¥nkùÿ@QÈyj›#øß©ÚG1 nšó†Ø·:Er訒°)
-S`’„BÒõÄÐz8“
- õXôÿ@««hendstream
+xÚ­ZMsã6½ûWø¶rUÄà‹
+¥¯— ¬µ•ùUf+aÕ–F±¢’BÄU<·ÊA
+W¹Þnûçå‡fÿ²\Õ«M3Ÿ7× ‚-“×r*D©Œ"ј´ÑfªÄ§ÇfÕþʘh†›¥”|ñ¼iW*núaôµõþ†W‹Æ? âÍØbì©ò¡}k7<7{ÿÞ½{¯ßÑÓ¸ñ=¸é"*J¹xóž-˜dºJ—0ÅùR¡ôõRj6FÀüyaË’f—q6wQŠ©Ê÷Ö¢r¥XtýH…¡ñP°Ëh£ Z(³oV‡ýÐö]f8£Šª²v6Üapk¥ö>Žû” ¬Œ¼n‡&3:ç
+Q‰†QñâÄz?£Z‚ŸsùÁ¥RçQ”Ê:£%!{â*ð 0ËZD©ŒT¡ƒezªÇÄ fF@›jëõš<Ò0 uÔöÐ>5T]V]69`upEÂjtE®Ñ9l¢6€%·g”6Ò-£Î €EDá"ÑCâ¯[b*’ŸrE\ò¶ñ¢hUN´{ñ…ã<¿È SH^pŪ9:3`T¢¨L´¥º[çÀnÑÑL°ŽØÎõÆ
+«t0ðópýÀsòWàšH]€k:ãƒ'H-u¡Ä+ã¡ÌøœjÁCÈ©Ó¸©«èË â&qbÜ„7áwWÿî›IÔÍèÉWEp¸76„àÃÃ&T´¾ihöOÍi Yë2T—%̤Ôr
+ÞÏ
+g¬R&q°Âpo$Ƈ¬9=ÑËñL$?­+ Œ¥å³ñ(†á€ð†Â§0ærø*Á%Ÿ>™*/MôœWÅŸ.¥W ùrœ È:ˆs!‡k`§\eB¾u1ä8µ´˜„œÔ] .À–¯—Tê¼µF© Är¡ÅðBj`huˆR%¦T×±G>Õbj²"†)bhÁÚYhÁVZ\ÛjÕ<ŽT97WhöæŠÄV1MPh¦˜EÇ@FÂ?¸ pE'púÜh2Óä|TÙnO¢
+j{Ž[¢|Åy§Rऎp8<®ëñôÌ£JˆAÂ^=Je†Ÿ
+¹=€Êáp·kG*ûÒÕ»vEß~øDµ4ÉÀ@ú=Õîêal|ù_ÀjÏ?n ¼‚‡çà
+öÏm÷@õÇ¡é®&gˆ¼ºó:l|´`€½aÄ©B8ú›ëýOnblzŽ8œ‚¼íijkónohN°"€?3£ÊëNHð`Ô¸¸¦ÂÇ5Q~™¾pŠšÓ~jšÕØS2…<ÑFÃYETf¢Í r£Ôk:hYHŽ–“ê@rqd¬ÛíyÛUÆB¨·¯¸òTê¼íF©¹í.Açz¿F Ìƒ1 ¦ºº¬H”Êh2Y V‚õ¦Ó:5c-£C1˜1fŒÑŒálGÍÊG3ÆgÆPHl*ym[?y{µ _%fîÛY6n—NÝw =Ó¡^k§ ¦z/ºñ2ÞI§“Ü8ïàZ’¸“_¾ƒ¨˜,˜Ðã*0ù)dÌ ]ñ?9î# c«À¾ îÚ¢B œ§¼²ä) ²ój{oîZ¥05Ÿ©°gøÞi!LŸœŒ‚`Ü:ç¤*Z$¨ylöÐÓ ËR2»¸½±bÑ“LÓÕw[/‡V&]Xèù vq÷þ%·NÎO¥n˜7Ì#ÈN6Ù/-ØÂÊ~uvie<.-a¿÷/n0“öTo”…óüÑ'Ø6u—QÌó׶Ø`’7èÛ”éWZ«Y·Éôr½ÂÂ
+«å`­iç§wAê”Â|¶”S"9Øõé’¿F$œy¹‘â2UH¥ÎS…(uô¦Oz9¼t
+’w~.Ú릃n¹©üÜDHM‰'¿ný霒ϑ²yr4°ú¸P¦ p‡Ò¡@Mûr¤ÆìøÛ…CoûÐy˜{·áÝ5zƒ~ׄQö]ôJ;ð*õÃ…/8ñ¢dF¿b ‰ÔKRGKpÀ¹oö§G^[Q]>e†ŸxU!˜•Óñ'LY‰2°:,z¦¬„>2e¬Loøë÷§qy¬@ŽëEüì|_G«p/•&*3·~eYh¼ªNé˜'
+àv+—ú™`+YÒ¹Ÿ6H¹B¾Û…7!m€”Í„ß$+Cx;…¿ã&›NÎ,2Ðd·
+¯A¿}j‚ºtd‚©Y­¦6K©wÎùƒéç4W™DSQH¡ÏoüœÇ؈8¼kÒ”(Ö!>Œ½ïö2OCÌ@f’è3Ǝߥ¼r&ÜE%¼¤R@¤(ÍÏÄv¤½¬á/‡V]ñê²
+Q*£Ã±ZK>UbšÁ óײ.üߟÝÉ`ìä3nNó¢ñJädÂ˾[>©ÜÕj•~‰á4x|ÜRžþ/â3[”ÂTñ5w‡ÄÁuÊx0? ¤«Òhu©Ôy8D)úBÃY"­Ý´í®éã .,Ã4‘¹¬K”Ê(3™·U…µšOµq«‹é›z‡9
+] œŽbÁ7•ñã™ÄO?&§ðFùS3Žñ õ×ã _ô™AJ[#âscTà1b†Èm¨ÿ†ÃY•Ë' GSì.QŠ»&2üx»9¿ø†@d™Öȃ
endobj
-1325 0 obj <<
+1726 0 obj <<
/Type /Page
-/Contents 1326 0 R
-/Resources 1324 0 R
+/Contents 1727 0 R
+/Resources 1725 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1322 0 R
-/Annots [ 1328 0 R 1329 0 R ]
+/Parent 1723 0 R
+/Annots [ 1729 0 R 1730 0 R ]
>> endobj
-1328 0 obj <<
+1729 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [184.7318 214.5925 233.4785 225.3769]
+/Rect [213.0783 507.6843 261.825 518.4687]
/Subtype /Link
/A << /S /GoTo /D (dynamic_update_security) >>
>> endobj
-1329 0 obj <<
+1730 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [369.8158 92.1907 418.5625 104.2503]
+/Rect [398.1622 385.1227 446.9089 397.1824]
/Subtype /Link
/A << /S /GoTo /D (dynamic_update_security) >>
>> endobj
-1327 0 obj <<
-/D [1325 0 R /XYZ 56.6929 794.5015 null]
+1728 0 obj <<
+/D [1726 0 R /XYZ 85.0394 794.5015 null]
>> endobj
-1324 0 obj <<
-/Font << /F37 802 0 R /F22 737 0 R /F63 1065 0 R /F62 1062 0 R /F21 714 0 R /F48 953 0 R >>
-/XObject << /Im2 1051 0 R >>
+490 0 obj <<
+/D [1726 0 R /XYZ 85.0394 131.4374 null]
+>> endobj
+1731 0 obj <<
+/D [1726 0 R /XYZ 85.0394 107.8521 null]
+>> endobj
+1725 0 obj <<
+/Font << /F37 1026 0 R /F21 938 0 R /F22 961 0 R /F48 1238 0 R /F41 1218 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1333 0 obj <<
-/Length 2684
+1735 0 obj <<
+/Length 2819
/Filter /FlateDecode
>>
stream
-xÚ­]sÛ6òÝ¿B÷&ÏDñAHžÜœºsIS×{hú@I´¥‰D:"m×wsÿ½»ØER”ã›fô@p±Xì.ö”œ$ð“—ŠD{3±Þˆ4‘éd±=I&·0÷þD2Î,"ͺX?\Ÿ¼¾Ðvâ…ÏT6¹¾éÐr"qNN®—¿Oßýxöéúüêt¦Òdš‰ÓYš%Ó.?þ“ žï~þxqùþ·«³Sk¦×—?$ðÕùÅùÕùÇwç§3éR ëS8²àâò_ç4zuöáÃÙÕé×?œ_·²t啉FA¾žüþG2Y‚Ø?$B{—Ná%Ò{5Ùž˜T‹Ôh!›“_O~i vfÃÒ1ý¥Ú‰Ô);¢@¥:
-” ŒM6±©™V:(ð³R¦\Ï盳Ùt“Ï‹MPzo*|Úé|]滧.¨J;?ý±z,Š*êL;=­×å‚©Í«fE£³Œžy¹<FÆ@Kº)hVEIøËâŽ&yS,_¡æAü™”§©
-²4«uMÇSÝ5몤ñcÎÀ|SW4êÓBAd2½lh2Ò(«GÜ–¡/™â:H£ºÚq—]¹.oée[Ôu~[€Š†ö‘ˆ$Óµ26MŽø#ͺXtœrÌ"ª ßlªÇY³ËËú9Ø^/”rÏo‘F¶ïYSj„J¼îïÿë]±XNU€J§«õbEÃUU7
-VÏágÔ-¾ ½á“ϧX?0Öª’GQ:¦uP«-O®«.vl–áÊÓi*2ô”¤£¶`S3í½p™qÛê¨t  mÄ$Ϥ¶9µöÑÜ`4/èY·ÊY`]Ò™>äQ*-¤ÑŠ îHÞJÉHu½-Ê}ÑÈv>.òù1`Ø A*PÔn½Ä#{†ë„J]ÔyXEí¨/®­´Q}òêó‰5C¢WÞDod÷ì(ñA‘“[ßä÷›7UôþMtèŽ 0h õ¨ïf>½ÔÙó¾ÛÅ:î»-Š>ßä‹/«jS¸­B‹üÆÎidçžÛj#œQƒ­{n«•šæôجë†FÕ O,—äšuq›UÞÄQAv¾0~\£^qÎ0Y,Š;½/vëHjïËaO¦p_²:œ˜ƒjóPDvƒí)Íg¦ï¹¸ÁÓ©”rÊ&õKÜÏz¿#›RÍÆ4”â~´ÖçŒÍ¨wU¹ŒY¢©x¿ëcö|MÇÀŒM,;CyÜ屺 ¤±ð™Šg3 gÂkKÉ ™‰ê$ß*›bw“/ŠzdÈ­
-<SgäÀ$„LjÒ.‚wÅ &îª]SÓ,g›¸,ZŽYaqý¡­!àKçX
-mô±Nùé–ÿ„ÿ|#Ñ.|®—PI"ß,çîÍ›×Z½ßá%í„NҶР7¤vA­4˜%ÀøÚ XŸ"$X€ °/ÁÜЗ`#-}d Ä+2Ò‹k4ì'ºÀéÆ„¸Q(ñý>«Oz,!ÄŽ¼!Eœ\3$dÑ
-dæ §3ñÖÓtn=ìt¤K
-ª/!´¦Fã¹’ÏŒÐÖ?+âYâ¤{ÉM+G_“éCãg¥u/b?ޱƯv­„0Ž€
-ù§HÔå¼ýÿÂ!ëd¤$endstream
+xÚµ]sÛ¸ñÝ¿B}:¹!ø$€äÉ—8©o_Îu§Ó¹»Z¢-Ž%R'Jöe:ýïÝÅIÑŽÓkG‹Åb±ß¢˜pø‰‰ÉX楟X¯™áÂLæë>¹ƒ¹'"âÌÒ¬‹õýõÉëÊN<ó™Ì&×·ZŽqçÄäzñó4c’>}÷ã凋¿:;µzz}ñãåéL>ýpñ×s}¼:ûôéìêt&œÓw9û|}~ESY¤ñýÅå{‚xz<AôêüÃùÕùå»óÓ_¯89¿nÏÒ=¯à
+òÛÉÏ¿òÉŽýà gÊ;3y„΄÷r²>ÑF1£•JÕÉßN~j vfÃÒQù ΤÊäˆ
+NšSTùÍ
+`Õt·,XåëjŠíC±%(ò…0â !F䶎(-…‹Ï4“/$⦉KH¯ðÍOójñm:3Âê[‚äÕ4i1í>"Öu>_–U¼ä²¢gUìh
+£p]™<-»øü “xvÅö6Ÿ v–f-zÀŽ†_/ÇlRxÆ3}tØÙC6r^4x¡r½Ù•)…¯ütß ‚ìj‚iÜ~‰À Ý嘰H¥Z € 
+”>…é.¿àîsJ‡cA´s a?O¯%$ZQ°®ÂJBÅ£s„DjÑI°0‘ =QƳ,!-C…„!íž7Å2@_–¹>?±¡\@y3v°CØ¿MjϨ[>ÃÔP’ÑÂH„Ô! ü»r¾_
+’æo¾ s¡ xý“ÿe ñ¤×´¢E&¯™ ·Ø*R|ÿ¶Â[¦´r}MëñÓÍü;Ñþù¢]ø\!9o7îÍ›×J¾ßá%•„⦭$u
+%t+eMHjUÛðˆÈ,.©)·@hŒ:-͘”u‘­yJ³¦ÞoçÅÈg-z?ijU/%‹E”ÊLßq†â â¥õ8FqÍ>¤y0Û ð™±”J BÛUØ¡«€Ø5‰`1qV_RƒqÊÄIZ|H5¤{Ê®lƽ_j‡t½£+5U­w긡0´%Ë´'tL JmLÄøókŒk“8ÚƒnËæ>;¨Uð ^.ƒø¾.w;òÒ$.œì§ˆšœÙ°!
+?®(ÊÛÔF *UuP ¨v*ª:šÜ‚M×kBØ„"tG/Õ~}SD
+·A7Z\¾”ÿè=îö‡
+€î]ÑßSB‚· Ø~iUE  ›Øà•4`bKÕ§F‰·©¾yR‡»ÕF…./ñe‰¯ÐÙˆ¶Ó2hS ~¥ˆ(UB)F“Ô˒U
+–@„Túàö&I¹;mgSzÈê¬Y…-i›uQb&¬bÏŽÙÓŠiücøÿËÝ0‹‚¡“ö¨
+‹;F8ñM^ T´?F”E2)Ú
+%zž—Ó¤Þ&¤U¯”ñpY×£>Y¨(¨ÜÚ?b òóe1¿ÇaFÝjgR¿Õôºç0߶|aŠBZ]™7T‹‡rÜ›2! U©óQßmó5ýs†sXé@8 $Ôð$Ùm±å[<¤Éev`fý]Ü$z†¸œ+.£7òÓ0(6Ëby2Ô\ ·¾»ÐTÙ
+¿‡ù‚·Zý‡?»8|“‚>Ñ99þE…´Rg ™
+…ž;â<}ŸqÌú
endobj
-1332 0 obj <<
+1734 0 obj <<
/Type /Page
-/Contents 1333 0 R
-/Resources 1331 0 R
+/Contents 1735 0 R
+/Resources 1733 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1322 0 R
+/Parent 1723 0 R
>> endobj
-1334 0 obj <<
-/D [1332 0 R /XYZ 85.0394 794.5015 null]
+1736 0 obj <<
+/D [1734 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-370 0 obj <<
-/D [1332 0 R /XYZ 85.0394 625.1831 null]
+494 0 obj <<
+/D [1734 0 R /XYZ 56.6929 291.4983 null]
>> endobj
-1335 0 obj <<
-/D [1332 0 R /XYZ 85.0394 599.8772 null]
+1737 0 obj <<
+/D [1734 0 R /XYZ 56.6929 263.1273 null]
>> endobj
-1331 0 obj <<
-/Font << /F37 802 0 R /F22 737 0 R /F21 714 0 R /F48 953 0 R /F41 939 0 R >>
+1733 0 obj <<
+/Font << /F37 1026 0 R /F22 961 0 R /F21 938 0 R /F41 1218 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1338 0 obj <<
-/Length 2990
+1740 0 obj <<
+/Length 2567
/Filter /FlateDecode
>>
stream
-xÚµZßsã¶~÷_¡·È‹ß${ONâKiœÄufÚIò@IÍ9‰TDÊεÓÿ½»ØEÊ”ÎwiǤ `±Øýöh9ð''Ö%.Wù$ÍMb…´“ÅæBL í› É:³¨4ëk}yñçw:äIܯzce‰È29¹_þ<u‰J.a1ýêûÛw7ßütwu™šéýÍ÷·—3eÅôÝÍß®éí›»«ï¾»º»œÉÌÊéW½úáþúŽšñåÍí×$Ééqbлëw×w×·_]_þzÿíÅõ}·–þz¥Ð¸ß.~þUL–°ìo/D¢óÌNžá‡Hdž«ÉæÂXX£u”¬/þ~ñc7`¯5tõŸ‰ÒN8PÉ1Ú<qZéÎÀ-Bˆé{¿û@‹¼Z.w¾ip‰0ê $&3•'&•4ÄÍêr¦¡Cûèé¥ñ»'¿Ãw9]Ö¾©¾h©á}U?éUóLº ¬©OA?Ûû¦-ëê üLí´äAžËõºS@c±K ò(U±ØÑ$¼„¾/4xJ+›ÃZp a¤YSïw ?²àY§>“2É­U¡W³õ‹ò!”o`BçxUÎN ðݥ̦è¿ÐRTKzÙÖ»–tögÙªÞÑK³_<R#Tz0}æl:}XÌÚ¾â¡jr7Èn~xrè¯ÜNƒGÐÒ)£%±ó¶Ø­ñˆ«”/|3{r#îImâÒ4c_Ö[Ü´„¶
-wÖõ†¶—€B˜Ûø£ÚoæžGX…ðˆjÜsK13[ÔÈÞ~/I Æ}ðÃù·åâ=5gÓý–ǪXÀ.ÑÜóVdI®­î!N°‰–—N}ˆƒ"S ‹ƒÔ…²3½d¶¼¬”ìÂøn8}:S€›¢%Éy¶²Š*cp£
-øY(cMÑJ(&S´RŒŠ ÆΧþ÷Åz¿,«j¤º}‚ƒ܈èƨ=âF …<‹–Ou¹ü˜s©ÕùqÜYàáòt8lç.HªÐå(ÌÎù ’L‚¤_*Ð) £°ì¶|òëŒ4÷ÀE(ô\úU±_· ýªWô÷à\j¥|]áw€+";ë ™'Ú¦fd¼“ÅÒvØÉ {©¼ø¿P'ÓŸdÈœ
-¦R¹†Ý2 »Ôß$nW¯!"ë¨]–¥ùH/›äiêúÞÒîÈT'ÇQp쉗æd­ÿ_뎩œÌ¡ f*R…3•î\å±2“Ÿ„K¤½
-2-*Q2͇Øóú1ØfÀ«:¼Ã8×ÇT¤ÄË1†¥“L»ß\E`øÅ£_¼ÇW7-W$
-…/õÖo Ð…íÍ Tj¢¢V38€“›‡ÅS¹
-x¸*0²Qð¤$iw%4û§ØøÈ/ÁhÙ|Á“04p_€WìF¿©áÅoýÉò´X“$ìF8:Þ€LÎÑð*’—~™@“Ù^§Å°Upl)žŠr]Ì×~l›rÈÐÔÙoSª23Ü&˜‡æ ÍÉ¢ÞE­+ª/ØÞm¨tÁ†PoÞâî¥t„z.pœ‰pÞB‘ùJ
-UX?¤£æè\T?WC\ƒ´#ê÷"½^ü›̇ðUB¹¥7g­¶oéý?o‡;¢ÆÓë3Æ|yôíÃÆmÝ^mpÓMñãJ¤(ݹKdš";ÔvxŸ³¬Ù¯PóxQÂqnýäkª<"E*êûÅ~W¶ž–™é5AZaJì0ÔX¹ü—m[_-yçS±+ë= ·Ål̃“¢:Th#§ó=Æð—g V€k4Å´îE½Ùø@MA£ä@tÛ"Aø˜"4®=ÇH$Î ½ò^¡*ÉâyIÒœ
-<´‚Ã;¶há‘S¸°'<ͺ©é-Ó‘œ¥Ä‘Æ4
-c0»\ûEÂhùqô‘*í rw Ǫ„AôPµfZùgV‰fÐ\ÓbßÖ¨ ŽPsßb»]—«}5z\
-¼®é².œ¥‹ŠÞ„
-"ã FÆG<‚Ú¡¨•=ıVÀü*<ÜVX>µ›˜Röø\oB‘£K¤«-ý2^
+xÚµY_sÛF÷§ÐÛÑ3§íþ'Ù<¥‰“s§ur®2s3m(‘²9•HE$íúnî»°
+•¦z²>³Îgé)«³_Îþ¹8˜ KÇüçL"\¢ãj=æ@—
+o´ ,«¶Ø.³Eû‚½– ~]”Ýeå*›¯Š¿ãAJp±· %Tٺșk¨Îë¤çº/W+RÑ5éhoYé¢ÞnÏUͦ®ò²º¡ùæ¡i‹5±äÅ2ëV-Ml³ê¦xã$Žj²½/0~˨dž}eÛ ™“©Ò©0Ò&0R"uN ëûŠÎ–u5ßÓ¦ìpër2ÕZèD§a ÈžÞÙi—o¦›z ò§^Êè?ô fÒPImiä3î ÿû&Ø#í2ýëdh0Vh“Wu[|>µÚGëìfd5þJèhpô54ž3­é–Èú›”zQU»z ú* "nXâ²Þ2±è¶eûp®”Š Álb£·4•My®@ D3—ÿ.ú¹MQ嬻®è{—m˺câ&›Ž9p  AÝ`DXÍ; “F÷ ¬Šm¶B³‘Lû^Ôë5¨#Ž’W,êªÍÊŠ~d-M®Š¬áyåMbiÈG… ¿IÈA&ÏK¢¦Q½¤YpXÐXo€Q ÜŠgÂjVMM£öTì0òFyN¿¡R¦8N~[TD„ÈÊi´Îhr΢ں&B³ÎBâ
+ïcÇ 0,Fœ …ôÎ…úõ¼ øü¼( l` o‡BF v˜ãl¿KÀ@e„Ñq|˜Ncp†e`
+kRÓ‚,\W`¸*AÐW4Â& ”].yÏÝâ–û¯„(?p 4Úí#ÙhèüªÅªË - WªˆÊIÍئX”?ÄaC• &s¨·‹¶È± ÑlS´4…ÇŠ„¯]±} R°
+Ôø„7kèÐÈpQì/ðȼ
+¡ôšš««P¦½&J° Ç:ðvèÍ Hòê3Üä+À27Ö´âKz¸>…‘гÅxëÝ°LºÎæDÞíàQžÚ4Ìš SáuÙ…iìRŸN¦û?•¼:õš<îý[ÈŠ½ð1ÄÞËwÚ¯8…#)^C ðŸ†åbaµÖßF”‚~<Iô·‡‘¡ä'`Di‡ºƒþR‡ÖTQïoA(EÃðn‡ƒ‚y ‹¶DÉë‚ùCÓŽº¹ôy(EËï1?[*u±¤¡/ü±ƒ
+üI7òZÑÔ Ìø?ð¿¢å,=•!ƒC~]Øü_Äá;YbÇê¿Üã«ÿ
+ºy 3ŒŽÃç8éE¢Óš-²Ð×>=öìîÏ¥Ì50ý9”©
+endstream
endobj
-1337 0 obj <<
+1739 0 obj <<
/Type /Page
-/Contents 1338 0 R
-/Resources 1336 0 R
+/Contents 1740 0 R
+/Resources 1738 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1322 0 R
+/Parent 1723 0 R
>> endobj
-1339 0 obj <<
-/D [1337 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-374 0 obj <<
-/D [1337 0 R /XYZ 56.6929 769.5949 null]
->> endobj
-1340 0 obj <<
-/D [1337 0 R /XYZ 56.6929 748.5275 null]
+1741 0 obj <<
+/D [1739 0 R /XYZ 85.0394 794.5015 null]
>> endobj
-1336 0 obj <<
-/Font << /F37 802 0 R /F21 714 0 R /F22 737 0 R /F41 939 0 R >>
+1738 0 obj <<
+/Font << /F37 1026 0 R /F22 961 0 R /F21 938 0 R /F41 1218 0 R /F62 1361 0 R /F63 1364 0 R >>
+/XObject << /Im2 1350 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1343 0 obj <<
-/Length 2667
+1744 0 obj <<
+/Length 3435
/Filter /FlateDecode
>>
stream
-xÚÝZÝsÛ¸÷_¡·£f">Iâ1—8©ozvêè¦ÓÞÝ-Q'©ˆ”}¾¿¾»X€"eJN›tzÓÉL¸
-7òùâ—ßød Ûþñ‚3eS3y„gÂZ9Ù\h£˜ÑJ…™òâãÅß:½·né˜ÿ:°Œ)nÄ©’Ykô¸Z§¢X¬•=-‹ÖqåÉ°b(êp¼1PÆÈÃñJ9‚Y˜Ãóµœ%Ž51Î<¦ó½F;NËL¬2
-ÎŒ’`¹ã¸™ÎbÍá]ŸÈÔLK@Oª¤óÌäóD0®­UÄÔ£Ý^>pß_määm ;šô6Ïú’ݦbÙì ã‰6í,ž¯óéLKeËå.o¨¨Ùæ‹âWÎe¾¤·EEÏØbÕ—¬4‹ÁíÞ Ÿ÷ùPÌ£§YSïwSÉ£EXÖ7(N˜T:ø®Þ¶EíÕÞŽ} XMê îêvMÔÏo?gV-QÀŽƒ
-³|î*èùRš@³¥ã°ÖÃã*m!ªÏÑV¬^ªÏ€®Œ_q:<ú'üu ùöá1Ä¡äú
-È™mÖæ4õ‡3Å1uV¸!eZ eQ›¢õok¯„R(²oê}åë•_PgKÒÒ®³v,wöt¢7¼ÉH¢|RDóÔ´ù
-ô[¾$Ž°~ ï;¯éúãX0é‹Ú=—
-L®‰ÏwEVÎð7¹§Ù¿°£*æLÚØœÕß1=7`€©Ø0™@CÕ·àc™= ¿”<|˜€—!™Àôl¬—ÅÂ]ËÝ;g.½ÜdMëR•ýõ’î·ðtŽ–ÄP»ß8a²XÑ„OŠ¤»È¼Âj¿¹ó_6'3c˜R‡&‹Pµ&›SáwÌ{‡/-ãè/ûn¾Ù* 価Ÿ<­û¤
- Ø‰Ä‹?Kã-XŠðçÀc{"›#™W$Ý«{\ãuqᢇèÇ`d ߆pÐÐUV†»rS€økeþùÅHy÷³ËWÿ%Hï«zÂTšÊq¸+³TÚ$…î7êØr£RWõdÄôfŽ¢õendstream
+xÚÝZÝsÛ6÷_¡·£f*Ÿ$ø˜6NÏ«ÓK|Ó¹kû@K´Å‰D*"×ýëo» H‰rÒëÃÍt<c€À»Xüö€ÔLŸš¹T¤¹ÎgYn…“ÊÍ–Û+9{„¾ï®Ó,"ÑbHõÍÝÕ×oL6ËEžêtv÷0˜Ë 齚ݭ~NR¡ÅfÉ·ooßÜ|÷¯w¯æ™MînÞÞÎÚÉäÍÍ?®©öÝ»W?üðêÝ|¡¼SÉ·õãÝõ;êJyŽonn_SKNÅ…Iß]¿¹~w}ûíõü׻ﯮïúµ ׫¤Á…|¼úùW9[Á²¿¿’ÂäÞÍžàC
+•çz¶½²Îg‰-›«÷Wÿì'ô†¡Súëi@6a¤S_ÄVi‘çÎN³•°J¤©²—ç¢qæâj1žê¸½iž gŽ»«õL)‘;§q{S-L¦ÒYælyJÛ{‹
+”¹p©UH¨$Ì¢Að@ñv¾HUrÿur¶0§Ìt’)áFγ3%¤ÍsC4ƒzXéQ¡áë›­ž½n`=³Á’⼋ÁÄaI©
+DÈ*>Mƒ¼ïË0”ù¤Ø´ ­.5ƒAVÁê
+€9bþÏ¡y AeÒÕ„‡© âÓÞèTdà7¤”Éšº$'p7WJ%aƒÊ};
+S$ú² å
+p ÂÒƒ|Î%ër³ãjʲn½Z±´ 5XyU2uX{èe2”…ûžªÍ†jÕòÚ ¯Qµ0ó# *€–Xlº5ÐòÅ”i¿ ¦Xl`Jtq Wm6Ù5ûŽjÛâ™*÷%•í®\VQT%6<UÈke±\³‹™–
+OIRG|Ž W§Eêòl¬¸d0˜rUVS#³/ŠÃ&’>P#$g q™'7ÔÃΡR/´vé—*"ÓR1-Ù<Î\µÄò±úT²lUMMÅOˆ¿ØcdVuÎKƒÿqýµ}¶`÷_Ñ´s&,bK¨ÚW«’ôi”CéØ\Pa*È„V2¦&}80V Ô!pJ#9$NI‰i½×ÉOkT‡±rR >6“ùP éeõ§ yÆŒFaf©)úB¥k¦ØZC¦OÄ&ø€Ê ñŽÞ-5ì `ÒàØ­<qì¤u KÒ:£8ø5g€
+ŽsÑ\I’Õ_†ELÛõ‹89{'¨ÁPªÜ¾:Æ héãÔv‰_Í>J[01î l¨Í=åØÖ[~TíqAà¼à< éïHåv×qnÁ¦µ_`GkÎ4b@Å:®=Ú² PG½º˜~Xi¨»pZëÓ!Õåô£§BÑ·Åo‹˜ýàž/ºj[.ªú,qpFò/ËÁ4bŒ0§1—NGrÜÔ÷2b¼ô6Z Ô†i¨7}r¨ëáa÷¦©CÐGÒà=©öÍc<©Ÿi䶪]ÉÍŒ$Oq& )÷ÛjA{œU8ìLrušo½³£ÌK¥%Uz– šªk8µ´Ûãé`/ªíaKŸŠÍ¡Ϭ=³-ž³ZiN8¾Œ$“a|ôŸAÒ€ê$EªI$U«Í$’l&<$­/KÒSMˆ2F“Y®üX–#šT&5F“Bt| $)ŒçTî‚ìÍã1ÀVrt=²T,åPéà \ªO¢ƒK€KÁqVð?‚+½„-uÄÖÿ Z&w¸êeh ©.C«§ºì¤šCwî¥R¡T®^¥§še„-8´Ã Ý…y{è\²w>Câ1`pz…Ï¡«Âï €„½U ¦\/Ô*B˜
+µ~{áƒ3!¨ÝGVC@å ×økz+¹n*3ûH ¨^€T¤ºì­&!ed?Ÿ¥§še쮼0º…9BÊÈ)#åÈ_IuôWR‘¿‚rÂ_ÁÀà¯dÄ þJ¶æˆ!îa% ^a«„–Š ¼Ø`0É_ÄgÁª¬6Ùg
+eÓ—£Á€èr0ˆD'Z®èFe
+ùÑþCËÑdñ… š,t“ÕÁ8–‡=mwØæ0 ‡Ã9‰‚cÔYìó°ˆÞ<ŒïOBá"zÂU9”!ÓâVÛJ(­BêŽ:([2ýÅ'öᡯÿ2Þ ?§bÕ?ÏwS@ÎA °]3¿¸jì‡UO„‘‘Dä©Ygþ<€§uÃþá&.C=lmîÌØZ%u:ÚZ75^üS¬Òtc;
+Qñžd9 Q–žîÆm§á,¿à0ŽË½ìŠ6fžôÅhûWÀKWÃ^8PÉóƒ™Íü‰B.8e2!Ýgž D—I$¾†ôü¡Ùo‹óóŠv0‚ÑKôDç"ŒK)Ò̦#è¹Zånx<ÁÏ%†o¬Üs?íÖx; §†*+¼z÷ ¯¦'¥Uµ_MÅ.Âç6æ Çx‚ &.‘-l¯S§?\8±áe/¥ñ„ÄóMšÄM×›…~LMƒ§á÷np9xÊ^  yŠ8%\êϼ«óœ„d!e¤–ØÃÖã0ëSÛ@ÐP¹*Ã5BÍä},Îx ˜—øFaód]Fá¦øÁž°j¤G”»±n.îa´ê“ ÊçMXVxrÌ’×·ï©…³j 鶲lè4üÔ¡o¯¨4$ªžúVSkÒ`{ ¿ýBdäªþÑkW,?°ìá7À1œ½)AŸùà;ÈÄ[ïPv­²Ó`j,¸Ü5m[Ýo˜òå†û©`‰IjL
+ë‡*æý§ž|Ê(¦Ôor!}­Þ.ñˆÔRÉé¸4­†Ô– £þ
+•ö‡åÁ+ô…_‰'ðg›1_ö¿ŒüÓ¿ =þøÍfÂx!{ÐbY“°P¸‚Lž'LR€6ô„èÿ=?}endstream
endobj
-1342 0 obj <<
+1743 0 obj <<
/Type /Page
-/Contents 1343 0 R
-/Resources 1341 0 R
+/Contents 1744 0 R
+/Resources 1742 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1322 0 R
+/Parent 1723 0 R
>> endobj
-1344 0 obj <<
-/D [1342 0 R /XYZ 85.0394 794.5015 null]
+1745 0 obj <<
+/D [1743 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-378 0 obj <<
-/D [1342 0 R /XYZ 85.0394 460.4475 null]
+498 0 obj <<
+/D [1743 0 R /XYZ 56.6929 676.1712 null]
>> endobj
-1073 0 obj <<
-/D [1342 0 R /XYZ 85.0394 437.5053 null]
+1371 0 obj <<
+/D [1743 0 R /XYZ 56.6929 654.351 null]
>> endobj
-1341 0 obj <<
-/Font << /F37 802 0 R /F22 737 0 R /F62 1062 0 R /F63 1065 0 R /F21 714 0 R >>
-/XObject << /Im2 1051 0 R >>
+1742 0 obj <<
+/Font << /F37 1026 0 R /F22 961 0 R /F62 1361 0 R /F63 1364 0 R /F21 938 0 R >>
+/XObject << /Im2 1350 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1347 0 obj <<
-/Length 3520
-/Filter /FlateDecode
->>
-stream
-xÚ­]sÛ6òÝ¿Bo'ÏD(ñM<¦‰ÓËÍÕÉ%îÜܵ} %ÊæT"]‘²ëþúÛÅ.)’¢dgz£Àb¿wA9Kà'gÖ T˜ù`„M¤-·ÉìÆ~¸ ³h}¨ïo.¾û ý,ˆà”›Ý¬{k¥"IS9»Yý<wB‰KX!™¿ûtýáã?}y{éÍüæã§ëË…²ÉüÃÇ^Që‡/oüñí—Ë…L­œ¿ûûÛÏ7W_hÈñß¼~O='ýrõáêËÕõ»«Ë_oþqquÓ¥^™h<Èï?ÿšÌVpì\$B‡ÔΞà%25Û^«…5Z·=›‹¯ÿêìÆ©“ô“‰PÚ© *Õ#`*… Áμ Âi¥#«5)Qóæ>ÇÃÀÙ›¢LÁ´ÎwE¶Yü¾ÏwÏ‹]Ö´ú{x/”³<¡zhŠª|H9ÏJÚ¨(›ü.ß!Ay¤¨qDF"È6û£Øî·ôRî··
-V€bøoã—S ¨4#ÛÔ­ß;KMÔÓ$è0 ƧƒVƤ|º/–÷Ô¼þtóñè½Íë:»Ë™Î‡óÁ 3ZD’jKo·Uà m³º‰<Ʃ劧m²G^áϪÌkq¤”Rx)ÝÌ¥NøÔ™JD@‹>éœ0BÔˆÐȹÑö$Ƚ°;ÃLlÞg–TZ8#õp÷(”*´ÆK¥óKë:í¬H´L…„qmêŒPƘJÓ†uÞÐ~$ÐsP\èí¢âª¨"ËýŽ˜™—A º9 VV/b9·¸ž½è”Dë
-lvCxÄ3rÄtÀ…Uñe0RýÈFe¸5ßÙ\94‡ãž6¯ò_’D•9«ý¾&Bó5|*,äÛ¬¡7>ä”9'a¼µ/˜“ÔsÒBEêì²²^ç‘‹uµÛ’±Øea"„g‘è &°Øç¢ñ_0¦,Û!TÓë]96nyœx…-fJœôTQcU¬ñ$| ”V¿™òcÚ‹4˜6î
-ÔC;ìe3Xícc™÷{—d$W4¥%=­¦Î¤@ÿ
-šû|rœ@žGÒŠ»¼\rgdNd ͘„£éÈè")Në‚…|@ù‘a$ã3|Ö¬âpÜü `±±©²ÕPi{C˘Iañ aÑö¤§E0ú…b@ê´uPCÂC¢w\ 0ÂȦÏnßAMì?”“ ¼·~ˆ@Ô #{Ù8¾´dT™†}€ «¾‘
-a«§BN*„Q…°qË}BÐ*Dš“
-éÝÈûS’yØZuª'Å% Y«›ºzæ,!èaþ¯Çü§Œ<ÖŸŠÍfhò¹Ü†¡´ GÓÎYƒ¹x¬ÁÚjH³»ÈêU*|J
-DþDè¼ö ÎHa 5”ÂÖ“•Ç…)•
-c´<E5Æ0‰ÔÂ@æ3ă(,“^i^5]. Éä`Îñ…d[=YŒ¯÷±,b×-CÉÞ`þŽf$kªÆÁI¯â(€W†°IËn«Xê€wŒœ¨Å.,4jøÈ¡/Tá Tá„P):ïdk¾Õ”ÍÁ{×ó
-:y•W
-x¯%"¸XÛ õTQô‘êA
- ‚1äø¡FÕ–žÖyCµ¦”4œG‡…®?uæßN¯z5®‘Õ¢a.Wµ‘c:¤É`n¿Þï|@ئG 7S•z¾br\‘Ë6Ñ©À;¯íç?½ÿL=˜‘¿–êb}m
-0”h»o×ÌòlG½EÉûÜóZõ5®ý·ÉZ‰tÂJº{ÖMõ´è4¢ç…IÔ¸ Œ; L±†˜_‚¹ž¸Õº 4ÒŸ/£o ïPùâM¡›kè&ÅBt€Ë_Xò£˜91L´8Öšnš2VŸ»wÔ ¤ÎÊNqΙ=•t‘6él‘SmÜÀÔ
-;§†’ÏÑßZ
-‹0RxkŽ…ž¿m=FýM£)Žendstream
+1748 0 obj <<
+/Length 3130
+/Filter /FlateDecode
+>>
+stream
+xÚÅZßsÛ6~÷_¡·“f"
+¾Þ·'¤ãHj‘^Þ¾£Ùh@i$† 8 Ò2;Xu‚i%Ü¥Ñô&D=6!jõLˆÈÙ„h™5î<eß„ˆôŒ ±å€YkÔðæÿë6uwè7å/ñû¾hÚ&(?‹?EãÇè Ãû/7Ð4×|*×^îŠþš«}S,#ROÁ¢¢©Î‚©ã-Øm:fÁ1\¯È¤ú>§…¸iÇò-ìQ]ÐÂ@5ÔÂ-Ûì¼jN”11‘M3s™‹Žj„Á‰Œ¬Ù–°e¤NPF%2¾C)îœ:¬‹Ôêé¢ë:]¤÷œ.ÒЧ<ѽÁû;ï4œpÀJgC¾rïÕÄ_&¦9?îËÇ¢â&/»©Û‚ûU¾ñ­¦Ø‘[„‡&G­2䬯TÙA©²3J¥´Ž¬‘Ԙώ2kMbñY¨
+›À.û›*Ž>ÒxZ?’R.—¤a4^ûgÎÓaiÏ¿ŠKn|ó™Éö ‡/j9D9âš%±‰`„aØ­ÑY Ü>ìX¸ÄÛŠwßb›±h2´(Ïøé61‚_c¿MÓæ€iìY™d
+©z©ûTç}dGÕ—˹ÞïÅ©‹TQ¦ô LtT/p!e"ù<6Žµ R³iꥶ,Úb·)a4°L¸§‡rñÀÍÅrš/—¬òM cLŒ½Ó¤§÷¹ nkºùø¨¹uûö#7`ÆU±hËš.`Í82ÿ¦pYÊká¹*ZÇšÎÄýlðÉŽ9ÿÊÁÿ'™SoGÉ
+ú~m;ýéÛ<²­wí+ b°ÓU½Лƒø]xaήd¶ÍaO¼ü”;ÂeXoù —U.x~¿]Ât’‡Â¡VLRÕíð$Áw tñ‘Rî¹ SÎûЃƒgnãò[FÇõÚ1‚±€fhÕ£&«Zûfï…¥Øã¹=|c¨—Šý‹Rð/39e¢ú€ë\å ÿÎ/Jéźnæc÷„(‘¤€j¢£¶ßŽnEEñ_YÜ>8
+šKD´Ù‡5óí¶Èw<ZV~Ÿ¿Öpí˜ÖþG3â#ci¢Dš€ÃNý4ï,ÿÔÜ´PÁ³úñ¤S‚ã(C.uNN~q {ƒ0+ß¹+L(d²GÆGZ›i¹bBŽ»@V6<
+‘Ý!Ã`Í÷áDâói10@`êûùœ»ËâÉì˜ Ìø¢f2S󙉢¬÷KFg ç£JP_* eô1|@Сӣ°ì©lÊ^ª|ʉ¶‘MD³;ñéÎ
+Q¡²Ûz7²vMM˜sò]GØ,²w
+O³.]Œ‘e]xz‚:×höÛ-Ù¦†êø‘¢mÙôÐagM£lS¼>;{tV39Þ¯A Ç@–¢ˆÅL‰éoô˜:ÑAY$N¶û·üuŠƒ4,2™ˆ'óCUøëÔ©\D“sØaŠSž«±»FòO9ÁŨº£:ãÅææD' ^1X­¿Ãi`¨FhÄmu|ÄIWÝi8YG+ÃæÄDReò‹¼0ð9M»*î«Cijë‹Hž¶|ÍŠC:?$¦m
+_ÏôÙ5¤š³)
+Å&¯¬òrÝx¦«åÆ"úÉtðØHæ$mÛl1‹“ñBË!Rl;Ì-½šÁž…HåÌEÈ¿"SªÄÙxºðÆ9ˆ”´%N÷D*ú&²ôoÅH…˜ âü_€dé (‰ød–íàÆ}_Óg‚zÏ%•Ã„ô
+Ÿf[ѵÇI¤‘”]|^ Gܧ:ÒR«!89ÆÇÁ ®Ò
+Û'6 §œ*«¿×ž ŽÙ€ó]Mù8…°E*4Œx¡ÜÛ§º EêÔ]Žoèê ]ý%f:ªnŠ„äÈèÔ ÙùÉ}×Nƒ“H³J¥i_¥Ò¬§R O×~~Í}xJ¸ˆJß¿dlb¼WÊáÙ–+9iÚ/Òx=Vå‡ÕX¡ÌPªzì㧆Ê]ªq¾
+ÚƲ4݉¹ÕÓñŠ¯ÉèLJïpô£ŸÝbúEW¬Žjfc¿4£’P<š)‹.@þê_¡~¢§mØWãN !!€ÙšgŠx·ò˜ó„üaý/´5ݲendstream
endobj
-1346 0 obj <<
+1747 0 obj <<
/Type /Page
-/Contents 1347 0 R
-/Resources 1345 0 R
+/Contents 1748 0 R
+/Resources 1746 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1322 0 R
+/Parent 1723 0 R
>> endobj
-1348 0 obj <<
-/D [1346 0 R /XYZ 56.6929 794.5015 null]
+1749 0 obj <<
+/D [1747 0 R /XYZ 85.0394 794.5015 null]
>> endobj
-1345 0 obj <<
-/Font << /F37 802 0 R /F22 737 0 R /F21 714 0 R /F41 939 0 R /F62 1062 0 R >>
-/XObject << /Im2 1051 0 R >>
+1746 0 obj <<
+/Font << /F37 1026 0 R /F21 938 0 R /F22 961 0 R /F41 1218 0 R /F62 1361 0 R /F63 1364 0 R >>
+/XObject << /Im2 1350 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1351 0 obj <<
-/Length 3023
+1752 0 obj <<
+/Length 3275
/Filter /FlateDecode
>>
stream
-xÚÅZßsÛ6~÷_¡·£gB¿I^žÒÔɹ“:9Ç}¸iû@‰”Å Eª"eU½¹ÿýv±
-£öÓ)ÿ)‘DFšxJXQ_2«L¬“éYlŠŒŒ’ée]ô]®é¿«
-9ƒ-Tfšv7•¦ß]!fœG©Ö·—s¡âY¬À‰,vïÐÃV4´QÜJ²HK¡@=J¼¿ à_Üœî*•B'³˜±(‰¥ÀÉg¿ÏxÄTšJ’´íj^°ßÝ®Åì‡Ö4.Ëk‡ªíºŒD-×°Ä„<1Ma{»¼%cÁáZ° ÙÑKÞà“uÓQǾlWÔêV5²ª+¶‚Au®¯Û^s©Ûåµd£–¶Ùm^¢¡çܽïÚ"M3¶ ]5»*wí¢#ß9XÕ»=ƒu€¢L
-»­žÛéAaˆ³c, %#Ÿp ­c·ƒÙf³m6`6×A «ª×Ó1¬(ÇÚÈÓ ¹æÁŽ¼™Ø¶ÎÂF^lŠÚuî6Mó¢±n*g6¹ÿ±èº²~?Æ LãŸ-úoïVaûæÙWñ‰ÞÐö‰»_Û¶£—m±Ü¸aøòûŽömgF§©ÒϬœ OÅ·4™€Ê@'<bÅ·Á@( da0*’šl<Go1<F°€·ààÝKÙï#œÅŠšE>™³sœpX›™ '9³Ä M˜2Š¾ÄD&ŽåØ–W6
-Ü£³…¯½yöÍF5º°£<(—NjåÄ›Ú5ª²íŠœÚeí@lèÁ’ˆCtº3pÙ 'Ö'*R\ùÏ–YYµÎpþói`eÌüIÃãJçB*'"Vãã|aC¦Ì
-ñ¦36ççC ñ(‘¤£ÂþcHÁà1¤ZnÜ
-Úú²£ç`FͦgbÅ"ÕNÑV>1W)©¼Ì¯L³¥õŒÒ»„‹f½Éºr^Vew
-ð5Bü%UlŒTO| ¹ö_\ªb‘8A½øl«b©”§i‹•¾Ôqò?¨b‡ª?SÅ* ”R@)€FlªÌ•mhÓ@D:âÔ¤Ô
-'O¥.4ÚÝfƒgQAô¸_£á‹ƒèôXÕâ
-% n]ƸÞ/{ùpøÁù9>×k“D±p¹Œsñ~(ir"â‘Ig€ÒK=cHi ÑSRÎæ?ø«fBT²§¬¬²yå^½ƒq¤¯´mqëʦ½ËYðÆפÅÙzSb¹Ì°l›wœ`F6pß´J€/ÉùôA
-D‚Óc›Õ5¥ˆMBM£o^Rû?/§2ãÄ ªU€IìåÙ»Ý šâd+úU¸Ë[ŠÞÃRp{ê°‹öqû w±i÷¢YOWȽ"é/¤êl]äSÕfã¥\A*ÜÅ8Ì`k-áîñ†ÆAŽûˆýÖ-í߸hî}b¶r…q™Â/LP>ë“›t2çEQüY¬Ñäê9»ÁSÙ·è\l¾סT‰÷Ì4ü‚Î$–æ+áÔút±°wíŒ 2ᱎ‘ðgCçí 7ýÜ‚…>¦ÿK» Uë1¿;ÏbÕ4-C˜Í",ô–ö¸CìgN†Å0(à#cð±"0¦æ• :\€–­$ái‹%»dåÊJè< FÛ²¿'ØõïmEŒ}a•°£éε;oTÛK:g²…E›ö¥ûn90<µ¿Y¦`bO'PA†´%¹2á°+£Çè®ÈNé×l_ƒ¯ÌÉ‚_ É>
-ÕíÞÖ ÐÞ»_¦à#* ï±è†ZÍñËSG’¶ü(5±JŒ&¼xàýåÔ¢ŸºWt;¤Ýé†'yÌÊeYYãMWÁ]Ó
-DBÿySWnf»Ó0Û/ ‹P0ѱ „‰¿ÝÙë»üÒµ†Q"Äg¦Ž9,Oq¯šn [ÒÛgm|qnßÕyfãº,ÎsOÑ°|Û/Ýö®ŠÃXá·»’“ËJÚšæ©Ì‹ÜgzÇ æÙâÓž4äÕ'øîA}Ó´m9¯Üp[­è ’žMlúú ¿ü§£}!PÍ‘ kŽÔÕï7rOL>Ú®X»¿(|¹M•ÈºœÜâ¾0¡Âíaå8îøÕÑÞìÑZ² dvÕ'阮¶ øÑ#ÐM žGWhÑ1$»‹¬òäù)«vþ³#‰ÃLà$•ûUá4ºÒ
+xÚ¥Z_sÛ8ϧðÛ935—ÿE]ŸºmÚëÎnÚK³O{û ÛJ¢©my-9ÞìÍ}÷P–m9ÍNÛ™ˆ"A
+m¼0 Ö=%\ž»Qærá6Ñ€³E±mÊˉ1v\oèY­ðiÆÅ
+×\T‹Ï…õʃhœ^,õn²ªÛêû"AR–ÇÄ$+ÚZoª†Ä5mÑ–ËrÕòkÙò@ûP( ¬2÷‰)Éž4õv3+TðFxSߥ5‚âÔø«^•Í+h;;žnY‡-}„fyv4QJäÎéÈe
+ÓY×åfSÍçåŠßã3ôº.7—*Œ'(‚ 6‡#U¹£)Ó¢A{ààô‰žÕj¶ØΫÕ=½¶Ðœ3gýËm!s™¨{vGþ»ª}¨xÖkdB[0Â5âòN…i+d–'a°ò­T"xg™$c×YÚî颞}%/ŒÊ•Y½ú”ú~»)ÚªæQìYÀ¡;òÔΤüæ%®jBDž0ìªüÜ?­Ïò¢yxq3Í8d5IÚMÀBKúÝÙ\ö# z临ͣ…®{6tÞªhh)œÑÉП.'è€ðWO ,x‘£=¼u”ŒþËÙ<7DÓkÇ•î-;~ø¸Ô£w5¬gÔ_óôÇùþf+ îj¬y— dˆ
+©xŽrãˆ>ká„¢f±šS£dšEUn¨g^—LžAf»^£Z87ÜS¶mt2|‰g)ö’‘„ù|S6ÌéîÒH>͸å}G¸}û™\©©g—ZŽ¿âD3Pêä
+f„çO׬$ŠžŒ»4½S ZHèŒ4ã/ey‚qÖ`þy±†(«lLˆipsÏã¦çÇý¤?áÔ‘OùÆ(QÎ8ìƒr|ÞOð¤K–ûžI©ŸW$AÒ—ó¦Mëäøõî(G)‹jQLüš Œ#ä×ô2/Ûr³¬Vå­« Ž‰æ‡‘òÏb¹^” 1˜´I¸«1'§´q )Š×öÏ:¸»QàkYv$DÕñé±)V÷%5Î| ¦wθ×Ôþßë¡Ð8àA}¶0I¾>á°›Eô(HÄÑV­"žR£; ­¢×a9öìqû w±ÿ.îE½ÊY!øBÜN¸´*–å|@‰yð†©È-Qº%Jˆ5¼ÇÒ ¯e ¨Ã~±?š¥ù'd.P½²í‘ CŽ›þ½"0Ñpmæ²Ã=@#«Ã¸bi¿ˆ5ŽL}D7x(Úà6CA˜ãÛ‹&ØL3Œ¿*@VåÿßÃß[¬à&Z*ÂA©ØI²ö¬Éáq×O5È!=s]°8»ÍPQI™Š“îØD9³‡ºnÈAZ„Xè­¢¿ClèœNVRHmØ[Bcja@±¡×Á
+¦ÅìëŽ8ÌSØ_®Á§Õ¢jŸŽ
+ìUð ˜s@œÔÂì¯û”„èmUÐvèVN&oŠl»Š _ŠÞªi©1?Bé+Ö/¦Om9Xi…·RzÐvÅ›8 ”ÍDZ³R´
+oéý7ƒƒ… b»{èó›b2!Ý7nó{DÏl EµŠ¶8³#Fšç¤&šS©Gû‘Y§¤’sÕÛx¡@Kí¸!¹Œú1i¹¬±œÂv›æwîyñ(}°¶Fïåì· ^· ¿gyæþöv Ã_Æ÷Ì5s-²à¾»Æµ8¨»¼?ßhFćç~]¶·pG2Ê„Šõãõ±1ú“ iiaÖ—`ª†©j
+“é³_‘NUÿ?Õ!¿$endstream
endobj
-1350 0 obj <<
+1751 0 obj <<
/Type /Page
-/Contents 1351 0 R
-/Resources 1349 0 R
+/Contents 1752 0 R
+/Resources 1750 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1356 0 R
-/Annots [ 1354 0 R ]
+/Parent 1758 0 R
+/Annots [ 1755 0 R 1757 0 R ]
>> endobj
-1354 0 obj <<
+1755 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [471.1233 308.3434 539.579 320.4031]
+/Rect [442.7768 519.0086 511.2325 531.0682]
/Subtype /Link
/A << /S /GoTo /D (query_address) >>
>> endobj
-1352 0 obj <<
-/D [1350 0 R /XYZ 85.0394 794.5015 null]
+1757 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [361.118 239.5449 409.8647 251.6045]
+/Subtype /Link
+/A << /S /GoTo /D (configuration_file_elements) >>
>> endobj
-382 0 obj <<
-/D [1350 0 R /XYZ 85.0394 365.2634 null]
+1753 0 obj <<
+/D [1751 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-1353 0 obj <<
-/D [1350 0 R /XYZ 85.0394 342.301 null]
+502 0 obj <<
+/D [1751 0 R /XYZ 56.6929 578.6855 null]
>> endobj
-386 0 obj <<
-/D [1350 0 R /XYZ 85.0394 118.4352 null]
+1754 0 obj <<
+/D [1751 0 R /XYZ 56.6929 554.0828 null]
>> endobj
-1355 0 obj <<
-/D [1350 0 R /XYZ 85.0394 93.0022 null]
+506 0 obj <<
+/D [1751 0 R /XYZ 56.6929 323.1321 null]
>> endobj
-1349 0 obj <<
-/Font << /F37 802 0 R /F22 737 0 R /F62 1062 0 R /F63 1065 0 R /F21 714 0 R /F41 939 0 R >>
-/XObject << /Im2 1051 0 R >>
+1756 0 obj <<
+/D [1751 0 R /XYZ 56.6929 296.0587 null]
+>> endobj
+1750 0 obj <<
+/Font << /F37 1026 0 R /F22 961 0 R /F21 938 0 R /F62 1361 0 R /F41 1218 0 R >>
+/XObject << /Im2 1350 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1359 0 obj <<
-/Length 3265
+1761 0 obj <<
+/Length 3222
/Filter /FlateDecode
>>
stream
-xÚ¥ZKsã6¾ûWè¹jĈÉÚÓÌÄ3;©d’µµ•C6Š‚lîP¤"Rvœ_Ÿn4@‚%e²år&ºtý øŒÁŸ)é,ÎfI&#ŸšÛ6{„¹7ÜÑ,<Ñ"¤z·¼ùÇ‘̲(Ó±ž-7ÁZiÄҔϖë_æ:Š£[XÍßÿøùçÿ¹{›ÈùòÓŸo±b󟾿£ÖÇû·?üðöþvÁSÅçïÿõö§åÝ=Mi·Æ»OŸ¿¥‘Œg½¿ûpw÷ùýÝí¯Ëïnî–ý^Âýr&p#¿Ýüò+›­aÛßÝ°Hd©š½@‡E<ËâÙöF*))„©nnþÝ/ÌÚW'ϳ(:ž8À˜O Ê"-baðPWå¶ìÌ·/ÄÁ 2‰Îà‚”û[žÎÍoÓv-ƒPÁ»ÔmÍl¥ófO#Ý“¡Æ6ÿ½Ü¶ÔÉŸó²ÊW•›Ë·Í¡î"Ç?8Ö<JµTN€µÙ䇪›TÈ(KSOr´Gü­œ~,w­—Ü‘•5®9[ ǧAéœG™R±]nÓ؆îþåÉÔÔ¢Õ¡Ñšý³Ù»i»(vùŽ4Kp60æ襵i‹}¹ëÊÆ-×l¦Ž@±H‰Äo­-ÿ0Ç:'b$<™%p_:Iø_Ѻ,Ö¹E¿â"\òT¡DœF*fjàleÜ™bâŽâ8’Len#tä£mè8â\ŠÑ6hrÿ8£Æ} õ=ý„#Ý8Yù?˜b8yñci$KAõR9’æÄòzª+2œ®†2DNë˜(Z—EŠsš\’ê
-P¿ªj^Êú‘ºÕ«¸¯ó£fŸw=QûÚvfKm2Û¶9 Z oZƒh=‡=5:ϳηÆspª £;»BS˜¶E­frþÐxºA
-ƒE‘1Ú5ºsçÛ¨íÇöt‰¦z¥>¨Ýæ€Ø­Å<w49=^rGcý…vn‚0_{ïäÎBREŽÅš¬àj_©yƸc‚ìÀ†¾Ù|upÑ%Å›z^ä55p1CMâ€-{œ@½ÏËÖMzú‘OWO×Þ^¡å 6 quâjrGô6£ßæVMPžWšsFh]ºF}Ÿ¸»×æ
-J€³!h¾è“Bªó>©§B)þËX\™ö˜oq?ƒÄð"_O4Á7ÜvÊ"™
-=æë¢Ú$L“y}Ø®(ÈLH]àé%´Î¿6„£‰4È6Ÿ½ðåÍÍ U45ÜAGÝx@\=·*®!i•ˆH¢ÿeW“e…ž-× Åà>T¦¯\i@uáJ=•E¢./¾LÆr€Ï¼ÌÙMp7ÉYi߈õtô׃@ÿY!­Çƒs™4Ý/ÅÒ_
-Á¢”©ôGÇ Yä¹Z+´}ȥݗž8¤ŽìvÁÃýÞ&\¾dð=%[§¼eã$ŠƒSqf|aˆs6ãÆOà,EMc_Á# è7îÅ> /Ôg‚8–ÒB
-Ôãv6;ÿÙ–ˆQBä3'HÑdÌ#-!<g°;WlÃP=ñA4°ÀZâ6ˆÆ¸;Œ–Sáªh8h]nøZS­MÛ¹Á}^·yáCQ±F’÷cÇ%—ÐZ¹éüÐ5[
-ÎÁF©½t4í>AB+§ÉM^îi`Uvá®ú’+†UÄÓþ`¸Ãðt¬ÙäS¸ýÊŠåM<eÁ ðq8fÔÿRVÍêµ3øDø¡8ñœW¿Ä††¦k+<Å`”é“BÈùbG’@¤g£b±²@Œ¼(]Ç!4nY¹þÚt®9UàpSî(b é–j¬$"­×±î)øã­>8ܳ֎Ûdq&.[{HuÞÚ{*{SÅî¬C ‘0ˆ˜/2ï©&¸Óò4Òi¢Æì—¾–Ôÿõ`çЦ³>¶sé•ÚË÷?¹Á¦®M4d}¡q¨'£ºñP’¦Ä}ð„”—¥GJý±Ž!1êÀ'M™'QIëµb —2Ò,¹R_ ©.ܼ§"S±ç°^´MñÅLÃ|¦.ów4ì!>\ŒùÛã„
-ºn^&2ª¾ráoÞ&Pþ´ÿ÷Oë†ßÊ®%§Ž?d/”Õc}êQÜoðNEÿ˜"0Ûendstream
+xÚ¥]sÛ6òÝ¿BoGÏT,¾‚sOIÎ鹓¦=ǽ>ôú@QÍ Eª"Çýõ·‹ R¦ävn2ÀXì÷.Å þñ…ÉR& µÈ •fŒg‹j{Å°öÝ÷8Ë€´c½½¿úö½ÌEZh¡÷›Ñ^&eÆðÅýú×äÝ?ßütsw½Ktz½Ì4KÞÞ~üÍôx÷ãÇ÷·ßý|÷æ:WÉýíiúîæýÍÝÍÇw7×Kn2ï ¿Ã™Þß~¸!è»»7?üðæîú·ûï¯nîã]Æ÷åLâE~¿úõ7¶Xõ¿¿b©,L¶x‚KyQˆÅöJe2Í””a¦¹útõ¯¸áhÕ½:Ç?•™4J/–€Ì„”ó\f)Ë€kË\ñTåFD. >Ç倅\þc¢±ýémᆩQ&_Œ·|qpÄš9YŒNæ̤FN¾´Ào™'Ûòk½=liж+»'¸ÛÐ3èCx­·û/s[>#`’Çò‹_îv¶%¨êÚê°ß_s“Øvhž¯9ç (ƒdÙ‘ˆµÝ”‡f ]êkž8Ž|û^(s™*- \oph›z[vM¨“ƒ¸@™…ÇL_(“—XÎy*µ)^ëë‚XžØeõ¹¯ÿ°/+²´È3}ùèˆ5söD°’¥E¦‹éáÄU0¥£haPn»C;ìD OG¦ÇµÛnÿLð6ˆBv›ùÕCoQ|œ:Šõ¬ì€Rìô /¼”è¨Q’%wÂð¥â`•Zƒ[“ ÿ™Q] ×àÀå0Æ’O#Úïlßö•§öªM?s6[Àz*´ÎŽ|”¢H6]ÓtOuû€Cº=Ô]ÛÓZoÚ•0ZšÂ‘àóþæ_$‹è;Pöƒƒ+ ӶKéÏ(é%:Ķ›Î¿¸¦åºì¾-027^=ã%ñZ E–‘åÏJw_Âô>ˆ¿lOÌ0Ü›Ïý`·gÍJsð¸y¡/›Õë¼YE,$zYݸ[/›îa9kbš§¹aÅe2"Ö Ó:Í5LM¹¬QŒ…ôÊ€°Hâܪï;Ø¿_/•VI=L—˪²»Á GíÚ/?´$Ï°‚âu
+^\foÄz…Š—»Qr•qL; K~y´žòÉg8èlG
+žj•Sã)w;gˆÀeCyȆ
+$îûš6uìhrå÷ý Á e¬eò±È„4¡ó«_½Ý5v {9#ù‹q@åÄÁ_‰c¬óXÎ(,”'}ýÅ.«¦â^ÖbY‘æ*Ä‹$D¬¦@¥9+Š)s);?
+iœ²Ãr3”­í=a‘UûKRÓuŸ»~’ÄñI¾ç½™oB¡ì
+vû3'6¶ïÑ®FgŸáÆX]/?ùÂ÷e ,…ÈJ¯=°ò´J/š¨Ûãí|fÁ@sò“ªss¨;hÓXÑA…›)>êCQ‡îØ_y,ûw‡¡ñnÜnp› D‹i…õËu,l×ÝÓùr
+Òþ´
+˜
+«éùþ ~r)d~ñðˆôòô‰Fg&eyÆ'ÇS{W™qÓ¥ˆmr\p©"øÞ8®» æ\Š€ïÍ„f/Ìœ6{aÊ]“¾\:ÉãœKA‹4XWhOG}P fQœ8’ØÄ×—m"Y—CIÓ)xú’Oбú,Î÷.4$§:°ä²3Ìsuv|5f
+í²A¾e`ð¶lÑUÏt]|û^ñ—,ÃÉcO_Ÿâ×€—nÃu»»-a{%ãA´v­køôäÕÈáÕ{Úàþþƒ?ê(דÉà‚kû㪿½ôÙ>?y:½s5Ó%c±]ìå©.ŠLM=µ²é&™̆B¨ b §¤X®B ýÐöõCK rî’‹»÷¢kf_ÉË]þÝ7&J"ŽÕ®£êèx¦ÚÐÅ´O ª•Lè$З[,ŽÑã“ÑÃ^«üê¿r¶¶[•þþ°Ûu{?ØvQ9Lø.ƒô\Ñ'Cí÷FpU¸Õò.ü0ÀHz¶#¸ëúz¨©ø“Ä|Ü+ ‚"Ž;3Äøá-OH?ºPµ¨N>ap³×ÁoÕÑ4ì’ÒÌmK3% ƒ×Á)*qK¡z×*kûD4‹ÞòD!£½3lÛ6”Z¹öâ®D—Ñ„ÝÉw®à0G ß`
+Š¶9³2†ø·¦¹º³ãp{Á9™=Oeí?Ú€ŠD 
+ò8­çÀýO
endobj
-1358 0 obj <<
+1760 0 obj <<
/Type /Page
-/Contents 1359 0 R
-/Resources 1357 0 R
+/Contents 1761 0 R
+/Resources 1759 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1356 0 R
-/Annots [ 1361 0 R 1363 0 R ]
->> endobj
-1361 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [361.118 743.8714 409.8647 755.9311]
-/Subtype /Link
-/A << /S /GoTo /D (configuration_file_elements) >>
+/Parent 1758 0 R
+/Annots [ 1764 0 R ]
>> endobj
-1363 0 obj <<
+1764 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [347.1258 350.3535 404.2417 362.4131]
+/Rect [375.4723 564.3095 432.5882 576.3691]
/Subtype /Link
/A << /S /GoTo /D (journal) >>
>> endobj
-1360 0 obj <<
-/D [1358 0 R /XYZ 56.6929 794.5015 null]
+1762 0 obj <<
+/D [1760 0 R /XYZ 85.0394 794.5015 null]
>> endobj
-390 0 obj <<
-/D [1358 0 R /XYZ 56.6929 484.9636 null]
+510 0 obj <<
+/D [1760 0 R /XYZ 85.0394 692.8552 null]
>> endobj
-1362 0 obj <<
-/D [1358 0 R /XYZ 56.6929 460.3339 null]
+1763 0 obj <<
+/D [1760 0 R /XYZ 85.0394 670.2188 null]
>> endobj
-1357 0 obj <<
-/Font << /F37 802 0 R /F21 714 0 R /F22 737 0 R /F41 939 0 R >>
+514 0 obj <<
+/D [1760 0 R /XYZ 85.0394 102.3833 null]
+>> endobj
+1765 0 obj <<
+/D [1760 0 R /XYZ 85.0394 77.0969 null]
+>> endobj
+1759 0 obj <<
+/Font << /F37 1026 0 R /F21 938 0 R /F22 961 0 R /F41 1218 0 R /F48 1238 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1366 0 obj <<
-/Length 3380
+1768 0 obj <<
+/Length 2691
/Filter /FlateDecode
>>
stream
-xÚ­Ërã6òî¯Ðm媃'G'ñdJ&³Ž³{Èæ@KÅŠÔˆ”=Ê×o7ºÁ‡DiR•-W™F£Ñhô €äLÀŸœ¥6:3³$3‘ÒΖÛ1{¾n$Ó,ÑbHõíÓÍ7ïu2Ë¢,Vñìi=à•F"Måìiõûü»Þ}|º¼](+æqt»°±˜ûðá{Âdôùî—ï~øíñî61ó§‡_>úñþýýãý‡ïîo2µÆ+æpaÀû‡Ÿî úáñîçŸïoÿxúñæþ©[Ëp½Rh\Èç›ßÿ³,ûÇé,µ³7hˆHf™šmoŒÕ‘5ZLyóëÍ¿:†ƒ^?tJƦ‘U&ž-´‰ÒxLjYD‚։͢X+ÝiYÉ)-*Ôò6ÿ²XæË[4ÅŸîtÑdìÕóÙüÕ„
-ñe2åPJØ7£ÐX±Ü9ŽÄMû`}´ØMþŠ¦‚W
-ú Qãw ›WÀVW® ¬rÑv»zÏmÝñx­è za^Y8"„*dµË—¸Ó‰°ÓÇ)ÛÜÕMÑ~AR“ò‘¡4óÒ5 µÔÏ õ󷼡ü°ñìè {ïˆ#5×2«šÐÀ%"ÌCE˜œš!ê ê­h7„ÝʶؕAʽ5Kµè¢å‰Avþ;°Û•…yÐhÜ.ÇQ©íÕ!Pˆ.`ZÁn/|Ì$'¾ûð¢ ʈ_¹uR£à©Dt–È9[ÆÆD‰òzJR]N©•4ËÝ¢,šÖU‹Ïw˜HªY$‘]— £ša”Tc¨G,äÒ‘ œT³9 B0I³Ð^W»vã“^ÚÓv
-ô ¸Z°-*Ž ¬VDjû°%Ý Ö¾r%ÁìC í2ª5‘±>ɨË%ˆ„“@ªl½ýaK)ƒ¹•3çêˆê¢Ü‰P^bÚAhYW-…ê’û6õÛ¼:ôôÝÇŽº‚(QÔUXæ,e[„¼[¥)éoE8ÈñV¯¤$·'ð-ä¾Pñõ–û¹t
-¦Zw±{ž]7n—7”qö_Òì…Ê’ù¿Ñ)8t`'…Oî#Bš¢JÂOÈÂ¥«Úr2:íó¢ÁÄLYehÿ e¢LÄXŸ&T׉§Çb[Æ‘”P| zݾ¨WÅ’<òéV¢äÍ'j>@òØCÄk.ù©Õ*26Ö×ýtHuÙO;*sYR±°(X„3GZR}]„ŽjB†±£&‘I³x,Ä›°šwRP‹±}&ƒôàë @ÖÏM]B0—sÊ+ñü#ÍkQ B cf•6dǾ’Dø­>”+¹"¬_™¬/NV]ö…cJ|b”Pj*’–>ªd… …“ €P8è@®ã„uÉÄFʘŒ‹–Éý:Qr*#abÊœ¢:pq¯>;â„}*
-3Iòs’ ƒàûã}3³\ƒ@W_ƒ@#ŒŽµþ c]ÞÔUþ\òЮl¸?ÍÁpX
-Ø34… /§jƒ±aWd{@ tØåòpÝqÇU¦¿r5¤ºì‰Êèc ÕÒOÔQ,ÍuÑ„ã<œF6³z,Ÿ"²Á…K¯À.é$  ²‡káhþ‰(»%PVÝ]ÊmJ H«P ˆ+*8OnÒ¦g¹Mkªá}ÊÒ‰ˆ´³±Mw^%³ØÛ'~Ñ«ðÛsRP@zExt0o µ%›÷p8š7~ɼ˜÷€/›7òFóÆoÞ y#{oÞž|>í4‰=¨øó6´=iÆW/* fì‘t ƒí
-1ÀÓÁÉ;ÙžÝKÁ3ñ©pj-”¼µå{L
-´_‰yª+1/Pá²›–‹•as5è EˆŽjBŠÓ°'dr"ƺ2Ôî„Ãvw†žg¦.ëºéåò=ƒ:'S!`]XñDk{äLª¹H}‘@O›Èª$9ñ'6€Xœ^õiï’ÂýrcäÓ6^‘PÚ¶b”¶‘Á8mï‡u¨qÛñ…–x7®’‡Š[ö3KAŠ=³G)@E&ž©ÄDq&ì_y~BišN??Aü‚4ñ^4N
-„´Q¬L2S±ŒL,h§> ¬ÀÆFzJHŽZ¶‚_ Þ“ó'ø¯æ÷gš¦ZAZT*Wû¬?û<Ã`–i¢À~±½<⛇­š}_Ã’fÃU΋!k¿®xü¬KLH  öÂвüÃT›Ç[Ç#nÛ]鶮òÇA¨èË›
-‡ú×»5=µÄšoð ²r“3qhHŲú‘º–%.¬ ýLß6®\ãÑÊtåäi²`56 ÷1íå 2vy÷½Éó|øŠñɱty51§‰“àýùjÁ/±:ƒú79¹8^íñšs"\Ì RêHÿWàÅWÍÛp–éYžÛ·”*‚NÛÏL¯ìírs&¤à(Bý… ¿&¤“RœÉ±Þ<Ï÷b_¢U¸R£++P¥Åé¯ø׆>üÆþN šý‹&4ú’ka9¿÷Ï:Øæ´(¡–(i,9 v¸2˜²æ©ò¦{Ä} nñ L÷]‹$Ž 0JÇõ懺ZTî…/ä” ì‘/êÿF¦¼Ïb;°$$?z#è+r%º^@Ñ+^èðJPá©XQÉêßËüѤ+¸UxÁZï™û$‹f*ZxÖ)
+xÚ­]sÛ6òÝ¿‚÷tôLÄà‹$8yrS'çÎÕé¹¾§¶´IœP¤"Rv|ûï·‹(P¢”Îä&ãX,»‹ý„xÄàÒ,É
+QDy¡’”ñ4šo®X´‚µWÜáÌ<Ò,Äúáñêí™GERd"‹—-0­yô¸ø-Α\¿ÿtÿáîã¿n®s?Þ}º¿ž‰”ÅîþyK£7?ÿ|óp=ã:åñûÜüòxû@K™£ñÃÝý)ès†èÃí‡Û‡Ûû÷·×<þtuû8ÈÊË™DA¾\ýö‹ öOW,‘…N£˜°„…ˆ6W*•Iª¤ôúê׫ ƒU»uJ*ÕI*TͤJ4œ?­ežäœRžI&…´,ø”–=jy^›²©šÕ¬jz³{.ëc¹9œÌ3®£ø Ö"àË"áJò1못žI-â š9¨Y^s/ͼ¯žMýJÀö©kkÓ_óØÀç,‹Ù!šy®Ú}XœóøÍõLñ4î׆6u@ÝìhüÒîë iã¦}vhæë¶"Øõ*Îñ®@Åœ'Eš
+Ë6atíÞæ¸7-tÞÚï¢#àÒÎÚ ÍˆÌ˹àë;º5ž§‰Pª
+¸šÂHºk Î;çŠÎpH–fv>ßäëìLº>xb€uÁ=òhcYÎÍO„Låée¬ &ÆžÈ ¯h=æ‚÷D‘ôÐyÙШ÷ˆé_ÚÝg„ µÂ>Îe7!$Ö"wž6­„ÓôÆS}’ݤԖ}›´dB¥ùØ ·âEf ¿èVø=… =X°·o^äÞ¾Ãíhßø%ûÆQ`ß]gßHíW¬}ã
+Ó̦•²·LÉcqðe9Þ4©¨
+9w4'uݾxJO£';ÎZ£/¥Î&€ÀíTÊð¸#Á®­å …$[£T×·[ÑICõâëPn
+{eïK–gÿV<ñ„—’Šå³A/…ìžkþò#Ä:ô,»ëA\, »‹ýG¦‹o01`MpqÜd9;bã¾ÜैÌáÜ$¸òä°ëvµ²Âôùú½H¡¿>^‘x¢‚Ïdzã”–®J`‡*( y>Ž ¾˜ÍHÎ||gAÞ†‰ÏÛh:n‡ÍÛðuy;e£¼ÆyhÛ¼m‹\gl½+‹Ù›q™*vlÙOŽ Rì‰=‚ZÒ¢H#Uð$Ë@ƿЄ£¿1 yn² ‡ø“-–¥çiÑ>´ÜÐï“šyî ZBm›B‘˜ààìp¹y"r-"•ëDI¥É+H3Å­é@n”B9+ø៼Nè,)òBE@/h¬ñèèK„`QHB
+ÆVÖƒ,àíÝFD?¶ Q
+åÏBÊV¨läWBB;¯d¤O¤¢bâ¾µœŽ_¯4GnRm¶µÙ˜Æ6ƒÐÐ×=ÑÀ¨8¹y• ¤…ºý¾ë‚2"ƒ–åð
+ƒÁ}‹á˜ ~ChxW£·æpǘ1pX¯9ŒÃN^ªÖpnyEÅ)O €åbáÞ®¶–œ!Ñc° iB¸—u…z Ïå~GÌ5.oƒ^}˜±ïÜó+ôqãämëÁ˜#á*ÚþÝÈ|-±jyCQBñq<ÑÆ)a–AÿÓ
+ µQ?l—³·úÝ”NþÆ¡o…š\ý“Î[ž½£‰DJvôßwîÍ~êDZ<-#Bö}Ã΃DKs—ŽéÎ6š
+È*KdJ¥ l¿¦ebæëÜø‡ÀÄ ‚`Ϩ¢7\
+(*˨¤á˜M@ôlZV}c§;Û‡=•£}ÐyøãÓ‘Lµ)½Á·®ã‚²føu#¼Í¡Û^¾¨-ó&êüîÔ¨û¹dÚöS·PT¡zÞs¿YäÔ©2Mð×ωnž ÝÒwÿÈzøZåTkO> lÅ4qL¡¸¹:}a‰€:q‚õÿ)æÈ÷endstream
endobj
-1365 0 obj <<
+1767 0 obj <<
/Type /Page
-/Contents 1366 0 R
-/Resources 1364 0 R
+/Contents 1768 0 R
+/Resources 1766 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1356 0 R
->> endobj
-1367 0 obj <<
-/D [1365 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-394 0 obj <<
-/D [1365 0 R /XYZ 85.0394 590.4054 null]
+/Parent 1758 0 R
>> endobj
-1368 0 obj <<
-/D [1365 0 R /XYZ 85.0394 563.4931 null]
+1769 0 obj <<
+/D [1767 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-398 0 obj <<
-/D [1365 0 R /XYZ 85.0394 179.4044 null]
+518 0 obj <<
+/D [1767 0 R /XYZ 56.6929 390.3986 null]
>> endobj
-1369 0 obj <<
-/D [1365 0 R /XYZ 85.0394 153.6629 null]
+1770 0 obj <<
+/D [1767 0 R /XYZ 56.6929 360.9106 null]
>> endobj
-1364 0 obj <<
-/Font << /F37 802 0 R /F21 714 0 R /F22 737 0 R /F48 953 0 R /F62 1062 0 R >>
-/XObject << /Im2 1051 0 R >>
+1766 0 obj <<
+/Font << /F37 1026 0 R /F21 938 0 R /F22 961 0 R /F62 1361 0 R /F41 1218 0 R >>
+/XObject << /Im2 1350 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1372 0 obj <<
-/Length 3131
-/Filter /FlateDecode
->>
-stream
-xÚ­]sÛ6òÝ¿B÷tôLDŸ'Oiâ¤î´NëøæÚ>Ðes"‘ŽHÅñdúßo P Ù¹I&ãàk±Xì.ö‹b³ þ±™Ò©.x1Ë ™ªŒ©Ùbs’ÍnaíÝ s0s4¡~º>9{+òY‘šëÙõ*ÀeÒÌ6»^þ™è”§§€!K^¿¿|{ñî?W¯Ns™\_¼¿<s•%o/~=§Þ»«W¿ýöêêtÎŒbÉëŸ_ý~}~EKÚáøéâò ÍÔAzuþöüêüòõùéß׿œœ_w ïË2ùtòçßÙl ×þå$KEaÔìYÊŠ‚Ï6'R‰TI!üÌúäÃÉÂ`Õnòe)šG(YŒªHµàÂ2°oïÛu{ûx:×Y–|Š͸H –ÉÙœ±´PŠ[@–™—v9/ü‹ Ä—“UÐWB 0gL¿¤@L¶÷í™GO¤Å³·œ—@ôyZn,ÌC½^ƒL Kî·§Ì$ÕªÚÒ¸«¶Ÿ«m‡ž´ M6UÿÐn?Ò€eÔöwAmÚ®Ý"YµëuûP- âæ‘Ú;
-]¿`”–PAÝ1™
-K®ážX;À™å :%ÀHe™Á£gŸf,ÍdQ
-úö®{؉³‹ Ÿ½iáF³àRñ<Äl/¥C[
-ÞoYõÞÄI³î^@NĽá}nvˆ/ËêŠ:½³cõb©QÊÛ¡í蘷[‡x¢2
- Ƹƒíå²èîÉ3Ûj]¨™
- ³
-N‹Û[g›®‚
-èäMÙyàÖá€éÿîhH­"G?Sw~«åñjúiW;X‡iàq <ÅšÔ¨A¶¹Ä r^$_
-c]„꽑٠nÍZKoæ/yhã¤vÌèC'ÀÍ¢aµö7¤.Î5 ¼ò#ÞWÊ&F
-©Ü”=$#XVˆFÌ£qÀø Ä(s¡ÇD‘$(…Ђy~cʇ©!–Ü:ÓÔ;Õ=ÉìMC3›Ö[u÷Õ¢Fu^XOO†×
-ƒiÅ7¥Ùw‹J ‹<#¨—"Çóµ€{ÙÚgÉjä¡ßÍ d4 C
-E
-øžó»~nˆùÝ)ޱ߼ßå‡zÍArW‡GDü®ƒzŽ’lß1Ÿ—6‡F1´÷ÔYƒp×Ä´ 7ë'%Æ$èQ1d+O›&¤Üì:¿ïªõŠ´Ff€-“z¬5hËEÎmÌécR}¹_׋º£e
- ÚŠ0H”lEHˆÎåw¿Ðã<DyøB™‚7Wùþä£f„™Ò@0ˆ?ŽHñ9"±ÄÀyÌŒH’‡@µ!”UÛT$,Œ#p¢h©SQÆŠ>SçŠb@D²E¥€üŠÊ\Ý×l6…·“ô‚'¿“1ÅS,kŒc¾½·* °ÛTÛlë¬Òñeòêõ¯Ô¡t{ö^ЖØ@J^u=Už¦Žƒc)C=ãØ 8NµR<ðà4Æyˆ2æ4TŠ2 Ž;60º…
-!]:‚!ù˜°<
-w8rø®t@7•  gé©–øX4¤æãÍÜñWÎÅ’„Œ0„8¸GƹãmÔŒ[Ñ|D’gð@î‚xÁ€=‹~‡iƒ`˜VÕ›º¯?W4Ü–¹Ì§å4ðŒøÃØ„?Œ‘B
-¬¾ÚÒ¤\—Õ—žà6örøáÒì+n8XÎcvtLlf_Úu%P“°sM“²3.iÉQ„¦ši§×
+1773 0 obj <<
+/Length 2947
+/Filter /FlateDecode
+>>
+stream
+xÚÅ]sÛ6òÝ¿BoGÏD4>Ipò”&NêNë´Žoî¡í-Q6'©TO§ÿýv±
+àÜb|<'<º†ÿEt>ÖÐTܲÆc#ž<û2ã1SY& '€íU÷"°g1{WÃ…fÁ<Ýy@Ø^)År‘Æ,Ux¼‰MÆ¥eøú® K%2ÄPjw§®ÞÖëúöÁá…4•‚ó¸G¬·]YW`’©‰Ê–ƪîÜÄf».6EÕK7á0Ýû
+OÔ!ÑÑŪ ±Z¸=Ö™ 1 ÒL²“¯üXß(!
+´‚.Q`)[¿ÕÊÇx3ý²+®£ÔK$žbýé¤7FV­IBä"ý@ú ó!ŽØlãžHO=å%I¢|²Õ‡ÈC'!w‡,úÐÁIˆ±èU­3Å›b]ß»¸”òòÏxw\É«)$&OYâ(£lA®‡þ ’àÔ¤3­8¦ és² È1Œ1GrŒžâ<$y˜dHð—:Iõþdds“w‹»&){ß‘IOñ)&UÁøÉ#ªäi  ÷¯–¤2ÉÆù¦Îi¬ìH‰àp*šÙÔÞ-àW»-%ÚóÂÆyò¼z%ð­ø¨~$Ø¢@r:™!¸Ç'¸˜ˆ´@{YÛwµšäAÔ•”
+ŒƒƒRÉSa×ãÏà q÷€î0ð&¼¼âаYl¸°4w é >hQ,):ÏÁfIõ–€5hvM‰²|T] Nf}¡ò¸ãà²÷0›]ëéwm±^‘É(Ô˜ÒC·‡ž\¦Â¦{‚añm».e7ÁN¢b¨ûnaPHkxÂdêÅϳ§8I>OnÒ8 –í¨h%FgßÉžâL
+Œ)ZqÈä1b ô5þ¹bâNºª«‚”…YNt÷5«1Á›Rˆˆè=4Š
+ݾ×”ܘªí­&lýîð
+n­‚
+.f¿]CÁ±ÉkÒ!.¹$E§C²6ÑÐ>ê±>,QYõX!TŸxùL˜Ó^Z:KKžñ¾àqÒ¼º¢ÇXÖŸ®Üé¾Xš@ÑciÙ‹ÐøŒp_ž9afN˜Ê¿etˆUïˆÀe9èccÓ4xÁØ^ %vö^ñáCï¹ÿ‹bÂXô—eJÈ8ß X;;#”‹÷4Zy àºÞZÁN(Éï½þñü’ UÙø3W¥ð¦Ê#ÇÏ
+[zBû+à9x}ü!*’ QÕçðݼ~äØД_§ä~êïѺF¶ç™>.j/˜Å:ÇÀàÛáI|,ß]ëdóWŽHã&Äè[Nilt¹½ë1lõ¿ÿ/'Ž NŒÇÜ#—{®àÄ1Á=¢”ÿ“ÅÉã‚“O N<Cpò˜àøs°Õ3ìó˜¾Hp±ÝUå´m(§Ë»Þ·=ò Gü«Cþõ€ÿ#?ù’:Æß`MtçYÿ+§ÿlÿÃl¯#ŽôùYâÌRÏÞ6ÕcÎ5ÔpÚˆt‚õˆ^§—endstream
endobj
-1371 0 obj <<
+1772 0 obj <<
/Type /Page
-/Contents 1372 0 R
-/Resources 1370 0 R
+/Contents 1773 0 R
+/Resources 1771 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1356 0 R
-/Annots [ 1375 0 R 1376 0 R ]
+/Parent 1758 0 R
+/Annots [ 1776 0 R 1777 0 R ]
>> endobj
-1375 0 obj <<
+1776 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [213.6732 432.1255 286.8984 444.1851]
+/Rect [242.0197 604.364 315.2448 616.4237]
/Subtype /Link
/A << /S /GoTo /D (rrset_ordering) >>
>> endobj
-1376 0 obj <<
+1777 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [209.702 354.4169 283.4678 366.4765]
+/Rect [238.0484 525.4389 311.8142 537.4985]
/Subtype /Link
/A << /S /GoTo /D (topology) >>
>> endobj
-1373 0 obj <<
-/D [1371 0 R /XYZ 56.6929 794.5015 null]
+1774 0 obj <<
+/D [1772 0 R /XYZ 85.0394 794.5015 null]
>> endobj
-402 0 obj <<
-/D [1371 0 R /XYZ 56.6929 498.9148 null]
+522 0 obj <<
+/D [1772 0 R /XYZ 85.0394 674.157 null]
>> endobj
-1374 0 obj <<
-/D [1371 0 R /XYZ 56.6929 477.595 null]
+1775 0 obj <<
+/D [1772 0 R /XYZ 85.0394 651.0501 null]
>> endobj
-1370 0 obj <<
-/Font << /F37 802 0 R /F41 939 0 R /F22 737 0 R /F62 1062 0 R /F63 1065 0 R /F21 714 0 R >>
-/XObject << /Im2 1051 0 R >>
+1771 0 obj <<
+/Font << /F37 1026 0 R /F22 961 0 R /F62 1361 0 R /F63 1364 0 R /F21 938 0 R /F41 1218 0 R >>
+/XObject << /Im2 1350 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1379 0 obj <<
-/Length 2398
+1780 0 obj <<
+/Length 2656
/Filter /FlateDecode
>>
stream
-xÚÅÛrã¶õÝ_¡Ù'¹Á¸Ø<9[{ãLãmµÎd:›} %Êæ„"‘Z¯Òé¿÷àF‚e«u2† xpn887˜L0ü‘‰3Í'‰æH`"&‹õž<À·÷gÄÃÌÐ,†úîîìâš%´¤rr·Šp)„•"“»å§é»ï/ÿ~w5?ŸQ§Ï„ÄÓïnnÿêf´{¼ûp{}óþ§ùåy§w7nÝôüêúj~uûîê|F” °žz G\ßüíÊÞÏ/üñr~þù«»V–X^‚™ä·³OŸñd bÿp†ÓJLžà#¢5¬Ï¸`HpÆÂLqöñì-Âè«]:¦?ÁŠ&#
-ä$R % î„F’Qf5ø¯ó™ÄxJ4ED*D/(ÿ¶?ź©>A“O¢8 i!è3˜á&/.ÜÇ›k£{T¥›Xi]»á»ÁzKŠ2¤ Èp
-%©"Jwß_ݺѮÎÜ
-¢ý³º†)G‰úSffêtõ°‚ð÷÷>‚ÈψÑ;ÚRx‚QY5npŸ¹§±¡l‰Ü1íÅÒö˜&·,òº È—%‚{\k!F©ßFï SÝ÷sxÔužlÌ€{™JÂ\
-`ò"—G0 œÏëÌkâÃv ª¯3ê©($N¸Eòócf½‚˜®wE“·ÎÉ›GeŸËÚ¤n6†hvÛÒÚ |ÎËà{<xY?Ù½3ß¼_Z§{7qïÑ@xZí
-7gÏ.<ÁÁ˜>ìbzÞ߉©ç)ó~Ðú³øñë#[²)Ò…åš3àÚ’åÜc€)oÒÖ8¿[5ýpG#œüív ;0«ŒòG4/0 Õ¶nÒ&[;·$7ÙvÛÃ
-Œtò§MnÏ@X9áÙrÙêÁ…Xw
-H@„a=ÃÎÝbë àY¼õñÄs’ž~Ì<|ZÔ•5ãzS äÇ\]„sx¨4Ɔ‰Î¾fðLp$1á&©š˜TÚ}Û>LÜ`åÞ|ÃÛÔ»O|ˆÕ0ñ¼¤Û[»¸3Ȇ q*cBõ8:¨Z¨9Äf8An?#Ô’÷SËrLïÒ:‰Wgk¨1ã„0
-N1‚e'UCi¥Ôx-4k1Îb”NÈsTÃ^óŽ°ÝòM¶1 JÇ"œ»ÜÇ„efŽóGÆ
-ý´KÂê·Þß‚*5æýHðÉ%â–`1!‰ ²$žP ÕÓ§PÙaŠ¤fòõ g1J«±sĆ޶隉¶#ó¹¬ä³Ó̧f¿ÉF¤·F$ v€b¡)iÜé&t‹ñ¡)MäL¿Bê¸/µ€!úͲZ§yyàiÀJµÐú¼Åø‚àŒh3&¹FJ%º/y:G¤§ˆ*%cß0žAWoÌS÷ÎÉ…d¸&s*”¶f*?'S?4ç97§4[BeÆ”ëfÁ2[¥uü’zÔ}÷“I8ö—·ÿw Ró`»È¡sÌ)Ϥ×{`i“µ´ìÇ£¼é˜7u„·„!NÛöoòyÞ¬uF„@á.™"²ŸÄôÙ ÁÖ;BÏ®y Þñ8acŒc–Òž‘¿Œ°ÍA2ÈP€EãbÓº;©…1ññˆ†fÉXI «Šì!õ™û—´Øe­“ÞŽ0§`ìe£„˜è6¹ò‰êÛWÍÄxL¨ŸP‚µ:åð2®
-²ž H\Þg è«+ü*…ÂÄÚšSé¼W pœ ‹ølóIl@â´ÝÍïõC8,`ÁÓß«2Ëèͪ"Ci˜HI'±j^§n³±P¨.}>eXq|1ìçì¥Ä°€aíªŽ´\ºÖƱ"Ö{›Í·(p[ÔÕ:À8BƒH’ðé3jäyŽ:µ‡.âé(Ê£j‡RÏ(ðŽ«jx"\ʸØ/Š|ñ§©Ý×ažJ\íÊåÌîìáf ǯ }3Í”½öÓa­í‹â§¼yÔ’ÆïÃOf¶59ó~cfk^LQº +¦£ÍÕEµÞ䶰dp®Mj°ÎLüb¶
-aBe_§iñ”îë~‹ø¸ß}&ÈÙ×eh;GéC5žîçcÄGFnýxÜž;L™¹p~rKRš³7h¯ 6›,µ¼tõÅ~D¸¶û
-1)H;˜ |'XT3p¸@¤È³»“‡¢Ü\¤tÏðäÅìÔûú©´=Ò Í3e”&ôóöbÿõÿ
+xÚÅ]sÛ¸ñÝ¿‚“'ºsBðIÉ“/g§¾¹sZÅN'—Z¢mÎQ¢"Rqt™þ÷.°
+Ñ9{–&Á‡S@8Ÿ7…“Ä»íD¾gÒ_q0'ÉÉ?ï ëT¼ÚUmÙ¹(§!µ}.Éq6„hwÛµUø\®½ràëæÁžùæ¼Ó*ßãÄC³kŠÛ]…sÖ‚Sí©×¿QÊïvá–Îñ©Ø‘U8‡h‹Y„ú‰SÙTùÂ.nw–Òa€)§ØV?ãu5®ýðP˜`¼Oø ÚíaVùO_Q¢RˆÛ´y[¬ÐÁ–›b»*­É!‹Žÿ¼-­U„åž•0ÎÀº)Q@Ìg$ã:Šý.µnBÀÛO8× ‰Ñø}áàóª©qÔNË-K!”KåeáMñPhB
+#™ý0N6O¶Š,à‚7„}ü¸½‹p0ò„~.°yÂpû¼†Ž÷à.ñ\l„–(hÒàm2-4d,Ôc”`3”<R!Au"‡îl=%ú„PÀå$ÚéjH8ì”dY)€åIš>%uã@\–M'n3pbD¤QÈÊÒTõÛCß‹ ÅàœHª¼5•.0, c8蔌ºiÌÇšWÎé™jª†Âú°¨ò¦Á”7JäÃÌmÔA…cLT
+"yÔ¾E[òmÚ¬r¼!`ŠŒ%Ø=$ׇ[ç¹æÅ{Çß8—S„Ó Jt$ê/dKàLx²h!U4oZP“æw3ŽŒ÷T¤SÕ1¬ªŠ»Ü¥ïŸójWtNz;A\–%×I©îÒ+—­¾:pZT" ¦.ãO±]!3’Bê=´Þÿn•'„ö}†£à:
+¸ÜWˆ¿é™šIP åÕ‘
+rä|›¯—ØàøŽóS¡Ø»l¾;?E»‚ ©W7…‘TÆÇ¥²ó<õR—)”/ô{PúÇ¥®+IÔ·….4¤D,ŦÀb¿¨ÊÅÿLè®
+s»ôÀõn½œáèÆÃÅØ6.]]èzj¦èµ6̃JÓ’âJ⇲½U’ÆçÃoRØåÌ9™­x]<0%éÆ׫<ÎÛ)RõjSÚ²R€Q›´`U˜Ø%lù½vóvWqy]¶¥‚Žë]ŽM¸¼ï‚ˆ®E“«¼]ÜOu—º`i\
+êzP‡çÑþÑÁ>æpzžšöšß7¾ÿ‹%šˆ’Ï$–ðLÃzö ®åiV#¸©µû<›®ký5 fXÖ^Ô®ëç:篎´ó oap{/AGÏ' C%ÄÄÔ@]^áÓ8vt†ÌÁÌè…iúG ~óÁ^è_O¶0{(´f×ù›$ìØ%ƒ $M4Æëþþ`‘ïšÂwÝöaó«o­&ipu`y4£³£}¾¤kä9!™¡’ÁÔbW×\/äþê¢Ï)§Ã5ea>o‹p‚M­H"Ù(Ç4¬9"r|4»[C­u@Æq¤Ì÷Ž!IÎe|ÔØÊ«‡|ß ›ÄÇï7bœmqùÆsК>ãÓ}èá8ò@É­#»s‡ù²„˜ÖW°v$¡Õ¸»æ9ØlŠÜÒÒû æº<œ+%Ï!œ`:rž QíÈãÂ&UY4äØí!S’)ŸÔƒ’ Šl­äÑ„; bB‡Kö+F.¹¿¦ätàÚ:݃\ÀÚ@1i2‰¾í*8Q‚{Ýî‚Å×ð—Çת€2¿4Ò&…Çâ!ú1B¥Öa‚±å´—€xy¹âÑO5ð,y¼³
endobj
-1378 0 obj <<
+1779 0 obj <<
/Type /Page
-/Contents 1379 0 R
-/Resources 1377 0 R
+/Contents 1780 0 R
+/Resources 1778 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1356 0 R
-/Annots [ 1381 0 R ]
+/Parent 1758 0 R
+/Annots [ 1782 0 R ]
>> endobj
-1381 0 obj <<
+1782 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [353.6787 434.7534 427.332 446.813]
+/Rect [325.3322 530.3947 398.9856 542.4544]
/Subtype /Link
/A << /S /GoTo /D (the_sortlist_statement) >>
>> endobj
-1380 0 obj <<
-/D [1378 0 R /XYZ 85.0394 794.5015 null]
+1781 0 obj <<
+/D [1779 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-406 0 obj <<
-/D [1378 0 R /XYZ 85.0394 505.3435 null]
+526 0 obj <<
+/D [1779 0 R /XYZ 56.6929 600.9849 null]
>> endobj
-1022 0 obj <<
-/D [1378 0 R /XYZ 85.0394 477.7522 null]
+1304 0 obj <<
+/D [1779 0 R /XYZ 56.6929 573.3935 null]
>> endobj
-1382 0 obj <<
-/D [1378 0 R /XYZ 85.0394 352.0635 null]
+1783 0 obj <<
+/D [1779 0 R /XYZ 56.6929 447.7048 null]
>> endobj
-1383 0 obj <<
-/D [1378 0 R /XYZ 85.0394 340.1083 null]
+1784 0 obj <<
+/D [1779 0 R /XYZ 56.6929 435.7497 null]
>> endobj
-1377 0 obj <<
-/Font << /F37 802 0 R /F41 939 0 R /F22 737 0 R /F21 714 0 R /F53 1029 0 R >>
+1778 0 obj <<
+/Font << /F37 1026 0 R /F41 1218 0 R /F22 961 0 R /F21 938 0 R /F53 1313 0 R /F62 1361 0 R /F63 1364 0 R >>
+/XObject << /Im2 1350 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1386 0 obj <<
-/Length 3099
+1787 0 obj <<
+/Length 3112
/Filter /FlateDecode
>>
stream
-xÚ­ZÝsÜ6÷_±Ú™Já—HñÑMœ{=çÎöÝÌMÛy—v4Ù•6’6Žû×H€úØ·½Ôž±(@ø€Ì ~ù"×™¶Â.ŒUYÎx¾Xm/Øâ ÆÞ_p¢I#Q:¥úþþâÍ;i6³ZèÅýã„W‘±¢à‹ûõωÎD¶,yûáæÝõûß^.Jî¯?Ü,S‘³äÝõOWØz{ù\Þ.S^ä<yû·ËÞ_Ýâ&ß_ßü€=g˜Þ^½»º½ºy{µüõþÇ‹«ûa-Óõr&ýB>_üü+[¬aÙ?^°LÚ"_<à ˸µb±½P¹Ìr%eìÙ\Ü]ük`8 SOíß@ºe’åü‰å"³6W§Å²EZÈL+iÏóÂy xQ3Θ³Wy–çb<^!œgúüùj‘IÃõÂä9œ¹Æó½ñ;(m–kÅ=!gY.h(>,SÍ“{ø+’£ó
-
-_×ËTñ<é?V¶Z·qeçð¥yÄ'Ú¢oÙïà©,Lp¸ZNDpÅ2&´¥íhÛ%Lé\Ÿ6íR°díZš4Õ+W™áJÓœ®/{·uuòÖ#ÅꆺºýnüRÅêùEõ câëR²Ä­ý«—³H9˜¾
-hųMëIabU?i›<xõ^°½vžO¹ßôàŠRñä]Eœ‘àÄüUY#‡OW—ç&N*{¢l¶»jCT}µuÇ
-t;·ª_<s¿
-µG+ ‹BÒÉÚÓ¶…ý;
-S$MO^¡á‡VMí§<í[7R‚bÛ²^ã˦ª?»ìЈ•¶™(l±˜:зù¤÷þ܂Ѥ#®|bÌÝœÙàåüˆkNÎß#ˆs “à€càÌ\Ød_ÓiÌ
-«¸
-|NçòÀó`t‘i> G°!“}¬Pí%ê9‚ô¡Æ=X%ú”Ÿ‡ž­Ç¦¥®®£>Z¾Tõ0eÅýˆƒjfþ&F­gk%P5¨oä|Äò?²96|Üœc<´™.”‰hÈNᄹQìÄå ‚#6?6ûvDÆÍ Q˜ÿŸæP†€×Kq_W!Æ$†ö«|!m¼ý"*CÔÂü=6»Ðž« ÊAMÑgÝo^GÚeÑ \ć fèº#I#h¡R‰'rŸ>B¼˜Îâ‘Ò
-À„¿G¢óh‰â6ŸÇ"Ø"k!cyMö@t,|ŽD€ŒžI§¸)×ÙõôªÎ£‹A7º4ž?V«³9tñãt€z¼Lt‚€³®ê²}Áo”»¦«ú
-B¥/.zÄŸTŠp¢µ@¢&MÁçî8†6Ý“ðlj/´È“gç>a—f°éÍ
-º×aöox 7Ø»-_°±*÷Q–a¡@úyï誄ޞf`íÛßï®n—°Uÿyç«!—×?}‡sr<‘8yM¤„ܦézß²¸£öâ¨ôûݺuvŒ#··]8Vßö+ïöþÀ<mI½7wø w‰x
-Ë÷]—ðóæÛ1¸Äã
-•Iuè„åjåv=F¯¿Ÿw³ýÒY‘›‚®qâ’ɳàÈp
-‰8\z2„õÅÉÄe* ÅÙÚ¦Æò?Q'ÀGI}ÔüœÃMW˜3µ»Ò‰,8XÉÿŠÚ]w‚dQؘËü/«ÝEÆé”óqíÎÇÇZ*p,& ™c÷Þ+3`ÄÛÝ&ÍÕo**ûPZö|)gºŸßvDö^[&ÿL)çu‚}ÉŠÂØPOVpżfp{f‚öu0¨BlW=¥!½¬ú—4 ?¼›2^ºYL[¤:¡Çì4Á¿ ùŸëqç«~>1 7Ÿ‰á€1#¶AgÀ63€Ð*7ØG ¸Ø÷û!å5>Æp5’ 95ôÂÂ벟dÑ0^îûf Ù fÄ©aY!äAùtµ¿½•Nž\íZ
-áµìè‰⌠¥Hwx®_êr[­ðe¿ƒ¼ÞÑD½n=X; š3U2¾Ú
-ò€Àopšgʘhû4+Üý†>­çªÿ8ªÝ36 püûÕ—œ‡q¾çO|˜Z.†’ëIð6™•¢8—šuÈäɳcCøÍÿè2~?†[ò“3ŸN!­ÊTLH)üØwlö l²¹cÕÿ¿íîendstream
+xÚ½ZKsã6¾ûWèHW…<€<:3žYgOÖönÕV’-Á6k$R#Rö8¿~è_¢ä¤¦jíA n4>ô‹â ÿ|‘©„É<]˜<Mãj±Üœ±Å#Œ}:ãD¢xHõãÝÙ»Ò,ò$×B/îke Ë2¾¸[ý½ÿÇůw—7ç±P,ÒÉy¬4‹~¼ºþ€=9>Þ¾þxõéß7ç&î®>_c÷ÍåÇË›Ëë÷—ç1χù‚V82áãÕÏ—ØútsñË/7çÜýtvy×íe¸_ΤÛÈ׳ßþ`‹lû§3–È<S‹xa Ïs±Øœ¥J&*•2ô¬ÏnÏþÕ-8õSçô§d–¨L˜
+>§@•'Z
+éèöÌuÂè€1Ýs‘Gûª¬6Ǧ@ï†Ã| ÙÃ$¢xHuB–@ådY·ízʘ –¤©–§9wT3¬Å€5*I…ÑcÞ·¶màhSµOÖ5dTí7÷v‡õ>»¬«UƒmËb‰sDTàˆÛI˜°{‹”Õª\mYW
+œt–6ICªã&©£
+š>n‘Rpú©ÈN³ï¨fø-¢"åc(xR:˜x=ô×*Ü5èÆ»—§rù4š303nœŽQ÷^EGhyVeUì^±ÇAs[7e[ÂÕ{¶!‚н!Š¥ðN1“‚ø&›@¦o2r˜ð¬+Ç4SÑ‹µ_°Ë13Øt Ák§\FØâ’Œ<Ìþ½q½›âËbßeá7
+¤_÷–|&ô¶4ƒ,×~Wáû-$; ªÿ|t™ÉÅÕÏ?àÜ{‹+Ž<;š'‰”Y´®›ÖµrÔhƒ½8šƒoìª4ãÈÍMãÕµÝΛ½;0G[Pïõ->½Sq~û®ëþÞ]`;D˜xxå!O$ð
++ÇÃ¥ý¾ôØáÀ3pP˜ÄøÚãÌ
+âB©L­A/¥
+Ìaôž¨&Ì‘Ìoù»3Â,_;p$Á~øò¹Açí¹¢þ}»×´›ÐA§f¢*gþpëæd&TÕ Bø¡`Äð&Œ“4o^<V`Èà£_¼†Uw/e·`;^j$,rħϊ]à‘ø]0F}जÙØ@æ<›ÏÞS“n2r×r.wçi’  Ú¬÷X>»:¾o;Û”:áØÁ¡ á­< Nàï¾»e•¤=B_ŸåÁ‹Ï~ˆs_Ÿ„_æ…¥^m±k¨8".s3†®¯3hÍú<¼/Á²P}FÃBŒq]eå"I*ôˆ®Ð#¨x$\ö¨,ÑPx“Þ×”%€Ðp§‹­á…÷¤AŠå~‡ýU;e–N΂„‚ÓÌÍ¥ªÂºÜ”]m¢«*³Ëu½üB•‰/öÅUêè°HÃóD(ª.G£€ ÂréÒþA7 ’õ*õ.Õ,*(áXÛ¢i©¯±x`ÁÀnC¹Åï]ºªŒÐqûù{z›ï($øa¥P N= 8„‡Ê˜ ¢(MaQ¨u‰߯ç·lÜž/µìW“bõs±+ë}(Dùî&ß(‚ÙGЂO?š™r<Á뽑™©ŽsU8FºÒqU¯ìa†ª5ÙRŸ¡£š‘ado
+†. ṧb2>4|ÑAÛŸ? ¼8©Æ®{8kšn¿AÈTùë
+†uK™NÀ¬›ÓrtT3‚Œö 9˜ÈÆrôHrŸècÆÅ.Oõš¾ath‚¶G“+ÃOƒ{?ÕÛ&"ßgw€+_ìò?úºB£gìFPÊ
+&ôØ™½T‚©ÓÁKC®#Ó¹ïÞ®°Ð•Ëèk G²T#ˆ+ÇŒSMœ+çé MDcœ†kå[b[ìŠÅX›‡z74¼ÂxØö¦~ÆE(„æxðeð0슈蟹+É/m`h‡TȽ[¤iÁ7cJ\Ü &Ç~¬#Uâ~a35Öݘïþ!Oÿ+'ˆç¥+–Ì'Æ®– ±rÊ‚1SÉ»_üŠþ?¿õ5Dendstream
endobj
-1385 0 obj <<
+1786 0 obj <<
/Type /Page
-/Contents 1386 0 R
-/Resources 1384 0 R
+/Contents 1787 0 R
+/Resources 1785 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1356 0 R
-/Annots [ 1389 0 R ]
+/Parent 1758 0 R
+/Annots [ 1790 0 R ]
>> endobj
-1389 0 obj <<
+1790 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [289.8576 239.4581 338.5646 251.5177]
+/Rect [315.1789 349.0138 363.5077 361.0735]
/Subtype /Link
/A << /S /GoTo /D (dynamic_update) >>
>> endobj
-1387 0 obj <<
-/D [1385 0 R /XYZ 56.6929 794.5015 null]
+1788 0 obj <<
+/D [1786 0 R /XYZ 85.0394 794.5015 null]
>> endobj
-410 0 obj <<
-/D [1385 0 R /XYZ 56.6929 661.3973 null]
+530 0 obj <<
+/D [1786 0 R /XYZ 85.0394 769.5949 null]
>> endobj
-1388 0 obj <<
-/D [1385 0 R /XYZ 56.6929 635.5371 null]
+1789 0 obj <<
+/D [1786 0 R /XYZ 85.0394 748.9943 null]
>> endobj
-1384 0 obj <<
-/Font << /F37 802 0 R /F22 737 0 R /F62 1062 0 R /F63 1065 0 R /F21 714 0 R /F41 939 0 R /F48 953 0 R >>
-/XObject << /Im2 1051 0 R >>
+1785 0 obj <<
+/Font << /F37 1026 0 R /F21 938 0 R /F22 961 0 R /F41 1218 0 R /F48 1238 0 R /F62 1361 0 R >>
+/XObject << /Im2 1350 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1392 0 obj <<
-/Length 3978
-/Filter /FlateDecode
->>
-stream
-xÚ¥ksã¶ñ»…¿Už91xò1ÓéÌ%çK¯m.©ÏéL'ÉZ¤dö(R'Rö9¿¾»ØDR”œNçƧ°
-,˜Í‹GX3gªÐeÚ¨ñ!@#;`3ܶE»ëA5VmÓ“µ¬©£d´®Ü?¡ÀýùSGÊ¥RX:MÕXŸÊÇü©jQW´^8)Ã/ víÍ<]èÏé‡-¨6‹_…_7rQî_ È/÷éÇ·¬ófSv€-y£ýp£>LÖ‹u^ÕN1î÷yÓ­Aýàfja?w¸!5
-Ú ëÔ…Du¼=Ãe©óínNê½AH³8á–‹eÜBaÔqËɸÅÚâ\¨Ç;ôÈ¿
-¡JžKú}F7' œµÁi°±÷Œ æ»]à y¿¡©–ÚF&•)»¿©‘žñ—à àöñ’‚¶éÀ{7°ðtÑÑùú-&n Q›’<A™©É6dHµµQb¦Á'ZBÃaeY~v¶nŽ,aúøáɇ¾eBTœEƤžQ ròòç?Ý)Ì‘Ç'^l²S^VÄ]*‘œݨU“ƒžõëVšH
-Ý{ ¨ó¹B/^SãwèÀÿ7½óí¸yñŸC‡ç) R4w)äc8nØfÍù·u*­ä Í+@ß¡;ä5tμsQ´Éˆ
-± Mf QH
-cƒ¯0‚´e4£ß´$Êl‘Z$l;‹„À‹¤’(M@yĬ6N ’‰¬MìÀ"áê9ýŒ,vøãpº¿~Š³HNá"l‘FhÎö8™BtOÒÑ‘EBÿ5´HJ˜S‹„H\At².-Î F½EÍ1ÞOë1òqù£ ä¡ šq:ç-pë‰UªHôÛån ÐÌiÛz¥Œà;çÎ à ŽÕftÂç(ƒ õG½Vð¼×ºîiGVëì²Qb7ª‹Ôsg~].álÉGŒlk¬£Xéô2k†ŠqÙÒ¢‘ñ)¤IN¯¹Š€
-¿ð—¤í2øauÓ Ávd¶$wœ–Ã}Α¿x¸Ô,ÞW$}\·¡ß–Ê’ît´3!§ÕÞéDůœ4‰B\zt•HêË®Z¹‡k–_—>¯£8=¼É-…js•÷„+ïI¨²Ó°¥ŠWêq'9¿ƒŸŒâ‡åªÝî€îvœ!³‘z§¶Fã™êÅÇÖ½$áA) Åÿ„^‹ ƒ {Ðá/'öVc¤¢
-9Ôô>‚N#›™l¬þb«DŸ“ \°,É+¢FkíSmgÿaÅºÍ ¬9ÎÔ ÀKC)ãlä¥ñEÇÿB˶ۊ9ÔµÛ’ûÖþÌ•Õc¹úÌt°â;ž¶Xp­Yü<{Wî‘^+0(!—‹(QÉ$JÃÜLE`8Õåë4ÃA¥2”-ÎsPã¹pnøWßåà*W‡:ç’ë)[3é£Áp,X"s»9(ÁyélˆÛÑ>EK§jÚž:¨ôåÀµ¯)ÎU*‰yš¿ûüyî¨"Ò:™;© !èê&pe“*q™»:¥¥Â½UáéSå°“‡Õçˆ6Jc“½F¤±ÂŽ¨¤E·˜¾»Íx»¡Õ€¦„õe èêò-CŽÑÖåSYbÞy‚ý.Ãú%é¢Ó;)Ò‘æé3
--¦Íâׯ™‘6hBÛඛÃ>'ŠËsCé¸âb1x¾ÜRxg\u¼»DŽLñ9P x³!ÐLSÄuáÚ3UYÆgz×ÀŠs΄?ð˧V„¥‡ˆ¯ûª(œ™Õ ?¥ô(”Ž
-팰¸z»yÈ;*¥ä4 «jVõ¡àg \tF>6‰ {RÿC Ե‹k(Øu¯âcÌ a v:&‘ã«uÆa)‰$hÙÅ©T%Ü&민cÉì:±
-ŽÏ'(.G˜¤§úgEп3Q:–‡2 fçb”>Ä:¥,wê
-_”–^à_åþeðŠ:;>¥RÅÀ‚^&3`ÍÐ9Ž‚¸0Ü#BýsŽˆù½NX_TÇU_¹š )/öc¬Î/Xü)ü« Œ†W,lðç0ì‚8™„Îc5”R¸Ã¾£$Î@·óæMÙøŽ0ßh˜_W3Øú…€ Lm$Ž†r,©–]"Ðg›„2Οç^¢äøäðíà›/øzÿæ˪æü}²h
-Æ6Ê_έ™ rH®"“×þ™Tž?áà®CÉ€‡Á‡ñqMpµ*w΀!)×í±D˜-
-ªìvüýØ”¢¨ð’8ÙÚÀÖÙ*8Q|´½|CÍŸ4áN=X"Œ+å_†ë5Aý¡a"¹,nCvãfÓ^æŸÍ}H* k’“"˜ß“ëçøÜn6Xëç*ÃÜWK¡JoŸ¬*Åä Q
-1ÿHŸ{Äl
-{&øáëÙÿûcïã—ð’?ü:n¾n*â(U®béˆr_vÊ)åC«T%3¤ÿpV$Uendstream
+1793 0 obj <<
+/Length 3955
+/Filter /FlateDecode
+>>
+stream
+xÚ¥:Ûnãȱïþ
+¿EVܾò˜ìÎl&Hf73Þ¼$y Ä¶Í3©){¼_Ÿª®êIQr XÕÍbWuuÝ›òVÀŸ¼µi’ª¸Í
+“X!íívw#náÙO7’qÖi=ÆúÓýÍ÷tv[$EªÒÛû‡ÑZy"ò\ÞÞWÿ\¥‰Jî`±úáçO>þôëçww™YÝüùÓÝZY±úðñ¯ï úéó»¿ýíÝ绵̭\ýðçw¿Ü¿ÿLR^ãO?ýH3ý\Xôóûï?¿ÿôÃû»ßÿåæý}ÜËx¿RhÜÈo7ÿü·¸­`Û¹‰.r{û‘È¢P·»cubÖa¦¹ùró÷¸àè©uI~Ææ‰U&½]k“ä@YÊ2ɤ¤ÌIª•ŽRVrIÊ ¥¼«ÛõÁ=\ÿ´êûŽÄ°+¿-N{ìáðzŽ&çrÓ©LR‘šÛ1sg[ˆX {P£=è4MlžeÓMÜ?¹ÞÁébÕ퇺k{l»v8ÜÉ|Õ541<1ZïÏîp·†³ÿC,ß®Un’•o-eRX«üÒ÷T>× *­W]K¿~QÿéŸêö‘æKúù½kBfõ/aÅ\ývt‡WÆ2«‡°Ü—Ÿß°}*ÛG׶dB‡1¡!¾¬WeݸŠàáP¶ýƒ;ô äZØÕ¯ýˆ•MóJ„p»¸71Ý‘-ŠÕsÙ]O01Uä$#œá]
+µòÓ–”ѨÕcÓm¼rI8#¯ry.‚ƒÓÑÃ
+5#CT[›dF›©Î¡ 4$»ç¾z'·Ä–I“L3Ùù8¨Ì˜J‹Ä˜<Ê"Cþ¼Â¾ã‰ŸSÊ€lb"€+”2GœfŒ.•(Ò5àFÕl£ÉYÁ±:•yRhùF@c]èË›xÕöëcµ_÷õïgÁ˜OòL×ÉG¬úcÁHe“Üj5eà‹CUWB±PVàg‡º÷6ã÷?~úBЯ?þBÀæø€Fùན
+žt.=¯°‚!Ñ
+0wìeC í³ì}îcòà
+]¼­‰lÛ—·±:Ú€]tS(éŠ&)k(V®ÝvG8rGþ&:# To<2Îb®PȯÎV_v¥—. °ÃˆTÛ/þ{XœO ÎwÈX`ì}'ÑZʛܷ­ëûú™ÕçØ3àe ¿÷?ür'U±ºÅL‘%JÛëAl„t9†¤‘/F05RBÝwtD:§=_:…N'Ä)|éœs@ ^ópÐ)JÅaL§(d«
+áà5AóaÊŸ)dá‰Ñ©šžé$xaÞ3^J˜óà…H¼<:"ÇÁ ßeP:¯É;&äszŠ|Zþ®
+UÈ ›ì…o ø<nü7vu¾.)Ûƒ8JHƒÎøÉ¡ÔZ_—mÄz‹‹³ÕN6Zb‚ÏGq
+΃Æ.ÞÃÂŽRCþ•p`ÓØå7PÀÑì‡qï?€hŽ­ Y*ïóSŸ‡{ê"|ÒR‘H<¸i¥Kþ ÇG¼Õâ& ÏžîPâ6·ÆRÌnÊ¥Ó«nîQp\“iäÀþ RÆŠ`Z|‘†‚¦ž|ÇB¢µxÍÕ•:üÒ‚7ÛñBÞÑÁ/©º¤û
+÷¤10ÅìÀT0@šŸŸŽGŸÐ7^´šO Þ}¤ôHÓÑëx^H=P| k.x83uxÈ«·Ô'F.3§FHkkÿUOø( ç\zù6×mN†4ž¯Á/¶„±ágM÷rº&¾ä‡JÐâÉÑßá$Þ…y$æî ó\Ïœ_bWÖ-§·3U=¶ä&ª¥oR@® ¥O¢„
+™åÅ°|žJ\<)“á
+§6Ýåƒ 7 èý²%Ôz·ï|—Ü#¿.åÆRZˆGj! ›^Ê ÁÍ‹à¿.fªY–¨ ’¼ëŸ¼ž®|ñÊH|©[?¼®+×”¯ç—‹*±˜Æ5Òéœöä,eyÓcâŽ3ðž<~††’sž¥ãï—rìº /ÎÅG-—HYêG€¨Ÿ“òÆhŽ¯#ùêœÂ(L—ôƒ^Û7ÓŠ1C!?€Aì,ؤÈ̬)ˆõE¸.ÁÓr6wú*¹ôí4~ܦ?
endobj
-1391 0 obj <<
+1792 0 obj <<
/Type /Page
-/Contents 1392 0 R
-/Resources 1390 0 R
+/Contents 1793 0 R
+/Resources 1791 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1398 0 R
-/Annots [ 1394 0 R ]
+/Parent 1796 0 R
+/Annots [ 1795 0 R ]
>> endobj
-1394 0 obj <<
+1795 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [353.2799 352.7282 410.176 364.7879]
+/Rect [324.9335 395.6435 381.8296 407.7032]
/Subtype /Link
/A << /S /GoTo /D (zonefile_format) >>
>> endobj
-1393 0 obj <<
-/D [1391 0 R /XYZ 85.0394 794.5015 null]
+1794 0 obj <<
+/D [1792 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-1390 0 obj <<
-/Font << /F37 802 0 R /F21 714 0 R /F22 737 0 R /F41 939 0 R /F11 1397 0 R >>
+1791 0 obj <<
+/Font << /F37 1026 0 R /F21 938 0 R /F22 961 0 R /F41 1218 0 R /F11 1451 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1402 0 obj <<
-/Length 3114
+1800 0 obj <<
+/Length 3069
/Filter /FlateDecode
>>
stream
-xÚ­ZÝsã¶÷_¡·Ê3K|‘Dóäœ}©2=]j«´Ih‘¶8¡IE¤ì¨}w±
-¸Š™L]Hª…–Æ©’«¨‹zÁ_æ0„¸=e»0{ÁX¸_Y3*°ò%m‹ºòM|?p;‡eSÒÛq"é…‰„Íwäˆ×"C/™ÞúÅòmór÷t(‰1+ÒçªnÚbCƒY ¡Ý’¨Ãó–F¤D¯/NnP¤=vÆaË.2ª xÝžñ¶Zk&/âù®ÉY½hëÝ¢Ì_ór‘Õ/)H2æKßÑLð Rqb×ⱨ² 'ñ8à1–ÉL ´ º÷KÇuÀ…Û €¶Ÿ&Ê0ÐIâ¸6eÚ4Å1Çh¬Îd‘ô;ÙX—î[ªWa75=AëµÈߨîÉóS Á`’qD&êÛ?Ϩr?u\ùüï‘ìT´ð!ßØ­È´ÙÅ\¼ÇSH)’Át&ðÔr]˜Å{i„Ez`¡4®ŸŠjˆ8‰.,#p%ŒKËõ¶-6[kPÊ&‡Å"Ìâ
- ZµnŠ0êÔy˜2ê€g¹š˜ œ>,–ܲ|Û)¦í„@ˆ%ž<š§Õ‘žËú1-¦¼ »Hcåj4سåm¨ÑŒ 4Ssf! ž¸p
-(ùHJ³OèÊd
-HO+*ó?ve±)Zj¹qŠ0(§¶å‚G*ˆ­†î9ƒ„Œi­ý©§ÆfÛäî Þ”ã”1  Ì&y
-öL¤/$‚Óé<Ð1§åûÑk¤T‡TçuZ–÷*}h8áE,*m¢•tºM£uÔ.þ°¾­eFuŠç]½oíè"¥Š-(ÔL•ò@Of•¾ä'$!ƒÂA¡Op⤌ñ&*‡ˆE»µZŽ»©ÃRª@íðiýÓz
-à*œÄo(%‡,hœižJ‰G<¿„å1$ŸÝ‘Œù®æ6‚J‡ÑØ@tDzu½äö´¤V·dØè2¨›Ð1㜻ŽpÉ…±ˆæ»|i9FãÄ¡B¦–Ä£¥°z
-!§{ Ó”<“d³â< ¸£äÓÂ-ÓôºÀ´]g$œ€[ÄOÅ‚.oƒ‡»ûÞÝO]S,b4LyPð©”GÀÅ´ËÇ¿ bQÜÉì&Æþeõ‹"×䃰G ¤v„=ä.f)ÈÛ–R1Ü!'¨†²Ç%lY\ªk(S*<$ô:$ÂF‡DF°-{$"þ‰°IH„µ‰dt‰ÂÉû®I€•ø4I¸o…l GfÌxFIaì’ÉØ›e¬øùYr›)ñžÇ“t:5Q¸vD\wÛ¶,iÈ&=4'r@Á†kÒ§ò!ƒ¤ÛÃf'hi/ÆZ8k¥z9mˆjÏW$™{ªvWb Lž¯fP¾Æ2t¹»ìr÷‰óFr¸Ÿi9éÀ‰»ª„{¿vATLÞ~%gbc
+xÚ­Zmsã¶þî_¡o•gN,^ùÒ|rξT™žîj«´I>Ð"mqB“ŠHÙq}w±
+š{»r" „tã |¹P± ‰c§µ)Ó¦Á
+*ìxg¹q]DJX•ï:ôñû …ó´z%…Dz¾OKa ©Ý$\¤qGrÄ4 àÙáÒ6Tif
+’hžŽùÌbÇÖ!àßú…¨rÄy°,Y§›Õd¡ª[*¤»]ùJ¶h*AÖRô`ÑDTóåÉ^ëò¼ìzÐUnXEÖRV4é}ÙÙL áD”QØ'cfR†ñü`BX)ËHPè&I*=¿Ïöe"æFÂxOò-ì _Ò#ë/®L|ŽjxÀŽgIG~%£Yþ c¢*ªG’§}ó?ve±)Zª¹~š8$§¶åB„:ˆâD÷§g‚ 9Oµu856Ûîwçô¦,ào‚7TÆ
+BÑÎÀ!263‚BG×XA¢ÇoëZiÚÓ’jÝ’a¥Kr l¢Èôs#Øu„´ F2œßíòMñðŠ9r>1 D4X
+k˜h2¤12ìS¹e9i6ÕÛ@mÁ$à.㶙4n"?…Zc~«’é(ôµNGa§…¾n!·t{³†tIÈÏ& ;¥ý=ù¶HÔÀ2a]0µÖ‰»(IJ‹B ö^BE!ìÇE!Í4ûcžŠÂ˜9„‰]zçЩ0„ù–a?ÑÈxB~ ÑkÙß#ßÐWŸÎ§ áL¾;ð`È5…HºÈkHŽÇ´ùÒ•Å_Ó5¢kÖp¢l¶Eåéґ竸ޡwýÑ6“ ùV¬úDóPÃm¦TEæ@ʱ(óÖ¹„¸M>AãáP™t²Äî-è°ÛO©ÙX9ìwµIf”ehÚôJÅ.I\دÉ\ òˆªî ©ËKiœ‘{îEðãÑÞÍvT56á iá&mZªÐ¼ 9“YÔØ´8¢_~ó¾ö€*ä\{*u´ Õ9zƒ½%b¡{œÆA~ûnìÀÓ™…õyÒØDL±÷ý_ØNEQÀáhœf;_ë4ÛuZ^’ .Šì-å!;ÅbÚ|§5b¿Oz n­³õ Góå5}['èèËŽîâÝŸõòÊoÙäÅ3Í4ˆRú¬ha¡tçº4[SS'ÁZÝ-¯m„È“sŽìƒ9|½w#›E
+ª·æ–qyB/ <±K‚Œ‹ª¹ÛŒËëàîæöŸ7·cW¸l&a?çÁOå<2ÐIwˆËâp'Ó›7ù·±lxdYrMsÀŽ$„ÒŽ„°…¦‹[B‰#!šíN• 21ÃÝL[Ã÷HMX³Ô„EÃ×ðMéã‘Q¯Õ‘V:22Ûï‘ŒH¿##¬aéHF*<CF¶ì‡%0Ktš‘D?{ÃH¦Ï{PFYaä²ÉÈó2ÒbÚKÁa3ÅÞ+äÐIG¢cŽ&°oEÒmÛ²¤.›ôÐœHd
+²oç´ËÍQFN ÆœZz@~ÕÁ|=ˬÇM×v|y…ÛOI §Yl­w2Åie´@fõ\GpxÂÚð×æul·¥eSS÷¢Ú”‡,ïÐQ¡Ú(ä˯Ï!•ÌÆ´.±‘
+kùB–-äÆö‹§ÓÝA²2¼½ùÝÌf»þ”Úy€ñ¾‹ZîÇÑÔÎn~<
+ß°&{÷µÌÅ@/qb,½±èg8‡÷%IH¨¢i«Ö[³£¿X÷Ìr,W‹«ëëÛàêö+¾ï_„Ž?ÌHœîiM@wZç¡OYõ ÍŽC÷ÍšD|3| Ø ŠÕ4zOé4x§tû”É#ô¡ÍQä¾M½x¤%!«›FîiM@wZç±OYõÀÍŽ£÷ÍW¼ ¾† jÌäøžÖ|§uþ”UþÐì8|ß,ÜÍßÿRDœÝ÷žÖ|§uþ”UþÐì8|߬`ïƒú2
+Ã3ð=­ øNë<ü)«ü¡Ùqø¾Y¸Ý½ >êÌqçkMÀwZçáOYõàÍŽÃ÷Í
+ñ.ø± BØ9Óè=¥ÓàÒYìS&Ї6G‘û6…|ðPgÿ¨s¶Õ9‹zÂÞôÀà(fÏ Pï‚,ñˆå[øßÞ+þç¿@<ΞŠÇ'ž¶% ƒX$‘s
+áDÉÐóîOߺþ_,ÉF–endstream
endobj
-1401 0 obj <<
+1799 0 obj <<
/Type /Page
-/Contents 1402 0 R
-/Resources 1400 0 R
+/Contents 1800 0 R
+/Resources 1798 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1398 0 R
-/Annots [ 1405 0 R ]
+/Parent 1796 0 R
+/Annots [ 1803 0 R ]
>> endobj
-1405 0 obj <<
+1803 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [55.6967 621.3356 116.59 633.3952]
+/Rect [84.0431 671.8392 144.9365 683.8988]
/Subtype /Link
/A << /S /GoTo /D (view_statement_grammar) >>
>> endobj
-1403 0 obj <<
-/D [1401 0 R /XYZ 56.6929 794.5015 null]
+1801 0 obj <<
+/D [1799 0 R /XYZ 85.0394 794.5015 null]
>> endobj
-414 0 obj <<
-/D [1401 0 R /XYZ 56.6929 690.8195 null]
+534 0 obj <<
+/D [1799 0 R /XYZ 85.0394 740.6547 null]
>> endobj
-1404 0 obj <<
-/D [1401 0 R /XYZ 56.6929 667.4949 null]
+1802 0 obj <<
+/D [1799 0 R /XYZ 85.0394 717.7278 null]
>> endobj
-418 0 obj <<
-/D [1401 0 R /XYZ 56.6929 349.0534 null]
+538 0 obj <<
+/D [1799 0 R /XYZ 85.0394 401.004 null]
>> endobj
-1406 0 obj <<
-/D [1401 0 R /XYZ 56.6929 320.6279 null]
+1804 0 obj <<
+/D [1799 0 R /XYZ 85.0394 372.9762 null]
>> endobj
-1400 0 obj <<
-/Font << /F37 802 0 R /F21 714 0 R /F22 737 0 R /F41 939 0 R /F14 740 0 R >>
+1798 0 obj <<
+/Font << /F37 1026 0 R /F22 961 0 R /F21 938 0 R /F41 1218 0 R /F14 964 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1410 0 obj <<
-/Length 1699
+1808 0 obj <<
+/Length 2192
/Filter /FlateDecode
>>
stream
-xÚ½š]sÚ8…ïùL¯ÌLQõaÉòîiH—Î6ÍRöªí…¦ñ ±)&ÉfýJH‚7Ž`:³“É ËG:zŽ%Ù&!}¬~H_r„Yžö³<EÞŸß÷pÿ‡:÷¡G¬fèDC¨º˜õÞ]±¬Ÿ£\PÑŸ-A_a)I¶øš¼ÿct3OCÊq"Ð`ÈN.&×—¦&7ï?__M>ü= ²4™M>_›êéøj<_¿†Dr¢ÚSÛÑW“?Ǧôa:úôi4|Ÿ}ìg{ÈK0Ó ?{_¿ãþBaìaÄrÉûOê
-à;U?ä
-ð»¶~|hK³óðG™È#[Tð*Žrø][?>´¥ò<|¢ å‘­ªøNǹü®­ÚÒü,|®ž6RI"[TÇß«¢øA×þ+[/þ [†ÏÃÏ’LF¶>¨
-à;U?ä
-ð»¶~|hËÈyøêñäiÁª
-ð;Uœ?ä
-ø»¶~~hK0F\mù¹<=õ€À‰lyPˆÀ©â„\A][Ж¦&Åìô°DBf‘­ª 8U<+H këO
-äåTñÀB® ±®­?2hKþÌR2.bS ¨™9U<³+ȬkëÏ ÚJt.õ-g—
-uq_Úºª6ŸªëÖµYHRÌËV¯®Œ%_SoF -U:®yaKm1ßìÖð¼*VžA<•p|uY.vSC÷ÑøàníBY”ëUóìÖänoÔËð®¨ëÝv
-•NôÙ®ª¦°MŠ§ÂÖ ¶:£:e ÐÑGCõXåÿã—úµ0¿üð+-¤^¼1,ÔSNž¹Aé뎜3‰¸¤™gèÿµÐ„¬endstream
+xÚ½š]oÛ8†ïó+„¹Y¨Y~ˆ¹{•6N׃´›z¯fæBµåF€-¹–læ×ï¡HJ´,“1
+,‚ÀùŠ/ŸÃOK&†?ñ¥’Ê(“ â˜ðh¹½ÁÑw(ûtCŒfjESWõaqóþže‘D2¥i´X;u „… Ñbõ{œ"Š&PŽ?~~¸ŸúÏãí$KâÅüóÃdJ9ŽïçÿšéÔ§ÇÛß~»}œL‰à$þøÏÛ/‹Ù£.JMæw:Gê •>Îîg³‡³ÉŸ‹_of‹ŽÅå%˜)7¿ÿ‰£`ÿzƒ“‚G/p‘’FÛ›„3ÄÆlÎææëÍ¿»
+ÒöÖ±øuš)K
+S °*å?0Ɇ¨ÔGÜêÎL­èÜ”RÇTĥ䧦”#’Q4˜ÞÞÝ=¢ÛÇ/IãÛ‹!O¢‚‡à•Þª‚ð>Ó~h:ïšÒô:xJ‘d"ï¨<ðV„÷™öðCÓqx×”f×ÁcX6$ Á;*¼Uá}¦=üÐtÞ5¥â*øTÀ˜$xWu¾S…སü™é(ü‰)•×Á§2#xGå·ª ¼Ï´‡šŽÃ»¦ _ŸHÄa» À;*¼Uá}¦=üÐtÞ5eä:xÐSÌBðŽÊoUAxŸi?4‡wMI
+“^^AO(< À÷"»Ñ=Ž=ùÀqÜqÄo&æíÑPú‰Ñeb+
+û;â¡ã(±ëH`o{33Ø4°²;"³™=Ž=óÀqœÙq¤é|;7‡E1ô]Áy¸(Èíq칎ãÜŽ#EøªYÍ™DIš…¹£ò[UÝgÚ³MÇá]S‚1Ⱘ÷µ7€‚žg¹£òÀª‚ð™öšŽÀ5%„Á
+‰HPBÓ@\Õå(tªP¼¦]ÎLG£pbŠÑÏýÍ¿¤áˆ¥)™ˆ9*OĬ*1Ÿi±¡éxÄ\SòÿˆX’¡ŒÑPÄ•'bVŒ˜Ï´ØÐt<b®©@ÐÚlZ~ú¶ÀW-&x(ŽÊ«
+FÀgÚG`h:×ôÝ+Ú·‘ˆY€ÜQyÈ­*Hî3íɇ¦ã䮩@³+ØGRIì®ê2{§
+±{M;ö3ÓQöSy{– ó&Àî¨<ìVd÷™öìCÓqv×ôö:vØ¥ÌBìŽÊÃnUAvŸiÏ>4gwM?\d¦4A§i4%‚ež¬Ì¶»ÃëdJ ÿª«¢QÉ$Î÷"âBç7ÅáÛ˜«ü %‡'“ñ\/:µ)ž‹© Z鼺ژêóÝN'áÞº¿µ1ºµ.ZnòÆdÍNÜ•ò_iE1ÒbÞµX‘b@$HróÀØ4ñ¸¬žŠ}yhkbi¼nï©·º°ÞʺjtQ¹Ö™@Ù…²û¸@YUëÌUß<ȵ̓Û<ÈmvŲücj½Û0jaÂÈLa/TÿŸú¹ØïËÕ€Qw£®†c‡.6es0Ùkýé´®Ú¾Óé×ú¨˼:Ñê‹Î@Ǭ>ô5èT~ j†26ëz¯ÅóínSü]Ѽ¿OÈétÊL†ÃTw¢iÌ´ ïTۦǿ _þ¡«8™Ó±:æ*25¨ÒíN¸8NHÜ”Õw}¥1”fµÒªvXBÆ>¯¾&½T}Ò–®t†.ïT÷e½SóT7F“o´&_©q"yü”?3]
+)"w&ýÜäTË
+ÇW#]ca–^xÅÛ>¹>Í2D³ÔyÓDÆ~/cDªôÁB¯„Ãø@(IÕ«í¾Ö3ëNtîíÎ\B JõjÛ1ÿªŽ‡kµa2¿´›J™Ö´iµ©™òvü¨”Þ§uZõ¶úÔ»2$ôçR»ŠÊùúùÖ-ZÖí§)lwO•0£Z%ÛÓ‡ú 8<µß"˜DÖµÓÉ[uÇÀÒ=ï»n#ª[’ªÿoæͧRf~@ÊnŽprY¡Ë_àú…ÏH—ànøé9O?2ÄÄ¥ßlÀ,C‰€JL£ÚÇø¬å°ÑÀžŽ4ýU„oendstream
endobj
-1409 0 obj <<
+1807 0 obj <<
/Type /Page
-/Contents 1410 0 R
-/Resources 1408 0 R
+/Contents 1808 0 R
+/Resources 1806 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1398 0 R
+/Parent 1796 0 R
>> endobj
-1411 0 obj <<
-/D [1409 0 R /XYZ 85.0394 794.5015 null]
+1809 0 obj <<
+/D [1807 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-1408 0 obj <<
-/Font << /F37 802 0 R /F14 740 0 R /F22 737 0 R /F41 939 0 R >>
+1806 0 obj <<
+/Font << /F37 1026 0 R /F14 964 0 R /F22 961 0 R /F41 1218 0 R /F62 1361 0 R /F21 938 0 R >>
+/XObject << /Im2 1350 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1414 0 obj <<
-/Length 3224
-/Filter /FlateDecode
->>
-stream
-xÚ¥ZKsã6¾ûWè¶RÕÁ“$Ž“Œ'q*ñìzœÊ!É–(›µ©ˆ”=ž_¿Ýè2å™ì”«Lh
-'•›­vrvc?^(¦YF¢åêûÛ‹ïÞ›tæ…Ot2»Ý ÖÊ„Ì25»]ÿ1O„ XAÎøpýþêÇßnÞ.R;¿½úp½Xj'çï¯~¹¤Ö7oýõíÍb©2§æ?üôöß·—74”ðß_]¿£O3‹Þ\¾¿¼¹¼þárñ×íÏ—·ÝY†çUÒàAþ¾øã/9[ñ¾ÂøÌÍžàE
-彞í.¬3ÂYcbÏöâãź£aê”ü:àMéÔWm«´ðÞÙémål™Á¢©Õç×¢yÖâfœ1^ªWo’9‘h­;õBS)áÓ¨ßD “ªd–::OH¿×(á@é…K¬BB%…38ËDÍoá¿ž¿Ð¬)SÎRØ'3açÙß3%¤õÞÍ ŽÚ‹ t|wµÓ³w5h68S\w9X8)Ñ‹C"ØÝH‘&Ö~o
-0¢4›Š|‹-?ß燢j©·)‹¥‘óÇ…vóâÐPïf]õÈÛ‡¢á5>/”›×UÁdÍC}Ü®‰j]6ùÝBËù–ióí–Ånß>QœOÇj]¨ { ,Ñ:ó§™Î…7œ
-óʆˆâ“ΖÙy8ñ±Ü¶Ë²¢¡xÚÇ 14q¾[ZðTvâªÆr®wܪ£&Û#ÉÍ«ØV %¹fL¿.Š}tYõ§Æ¡(:þ†¶l/tæ³ÙоÍ518Ÿ€oöáåÛÇÒ
-Ÿ)
-EVy=ð•
-€ éëÛwTû­Â‰,1ãý;£ÀDFñ&2ºYjÐÍRƒ¾hØŽñŠƒ¢=±
-
-VÑõVƒ›z¡æ‡“˜g;ðÊv†a­Ð‰±ßbjmþû¿ Á¥à‘L_7„!ÕyCè¨zCg^bÜÞ/¬Áf¹ԿÎCG5ÁÄÈzs#..iç ‡ëàÒqìÌ£´¢¢ØÃPQ2Æ÷Ü·.6ùqÛöÒçþœ €×»½"l iü„= zEØ‘
-ÉGZöB)ìDdPÛ«<tTLŒ… X+…Ì3ââ]'X£À‰Öåc¹>8ïQ¾Ðìä+-Éúò5.z
-É£‡¨Æ¬,g¬…,ÇËáà
-–+Þ ¬ClÙÔD²Û†£½<€Ê $‚ˆÄ°=Ó'xѵR`„Èx}y`¨¢]ʪ-ÌsBmM]åntX?òQÚHAªmöuÕð`± …Ò%)N++¤(?
-»¼Z›ë ×®^„Öá³ùï!a eæÑiº:ñáŒk#Œ eCMvg†ºƒè“‡Œ§ÆÎœ×ìŶ{¨írulÇH—ì0`QrºÆP×Zgfa3x øp@ÄyÕ<Ü{s#¨q]·EÜ$o'L¼C€ƒ¸/™„#·*šDp?d˜y8éÅ
-C»bõWe³c@$Sð!D§C½eºQñÏ7¯ÖãŒX…âdDÛ¼^Ä9Lï®?R£gS*ÃDloŽUp_ˆxÀ›ŠÅБMêž74Z^×Xýawà.ŒÃ¡ï j“ݧþÔîÑ€`=0РW|ÿS:Y|ZûödêÍMS´¼ cŽâ@ °3àô3%ãÈ®LCBÌE++¨û®ØÖOÀ
-éüîØÒ
-Œ²ž»5¹Î˔ȼ:)ÐnBÑk3ÿ©~* %Ar’Û††ä††#ˆ4?…èï¢a
-Ïÿ†ª[ÁºqýãjU¡ŽÓ†i§á©ïžn\ÖÛ¢ixÓ͈Û…ã8úE”w8À”e}XÓ‡‚›µÔ”(Ûs0 ºøPÉÈÁJ©ÆQ yžø© {ïxE2cÌüad>Øá¢ò'±&±
-‰¤÷ñœ« lÀôQS‡D±h‹¦Þô—õp^ Š¼r¥i<šæøìý·¿zµ:†l'Îý.Ê8?Tš°Ùýè›3ÕÿâÈ‚éeÙ™%°,ÂL…ï)ö¥·I(û=Áúÿ
+1812 0 obj <<
+/Length 3381
+/Filter /FlateDecode
+>>
+stream
+xÚ­ZKsÛF¾ëWð¶TUˆ'€9*Žœ(•ØYY©’
+4ãz•î¯Øê ú¾¿ânÌÆÚŒG}ûpõÏ÷2Z™À„"\=lGkÅ‹c¾zÈ~_¿ûáæ—‡ÛûëÐlײõ·w¾#Š¡Ç»Þß}ÿëýÍu¤Öw?ùþöýíýí‡w·×kó…[áÌ„÷w?ÝRëûû›Ÿ¾¹¿þóáÇ«Û‡þ,ãór&ñ ]ýþ'[epì¯X M¬W/ðÂnŒXí¯”–VRzJyõéê_ý‚£^;uI~JÇ*\m`°dB-K™LƒÔ6‘â¸ï¥,ø’”ý(”r¾?´§MZWm’¶ó3se!`åñ¯¶ïG-ì/Fûs­Áæ |:äi±=ìcµ~Ù%-¶ôÚsdÉU²Ï‰üR”%Ñ’Ã!OŽÔ.*êmw9Ž×<^çmw¬òŒº>}¼w¥µ}ºÎmí²Ò æ—ºÊ°ÅÕún‹’uÀB æÌy`´ö
+"RÀÕ0ð0à1äÆØú&ËŠ8Jœ}}ÊÓ–Ä“¤»¢zr‹%Ë`y„QH"}Àø#•^'£å¤RëÆ/‡),—ƒèdƒA75 IÁ¶áh¯ÀcH8"†<a÷Hìô^„ â(2n˜[Enªh—¢jó£cËqBmM¤b°:¬ŸÝQZ?‚TÛêªq]‡ü¸¥8º!Å ®ÆB1ÕÜ>©RÔRdÖõƒkŸÆbÐ:L¼þ"$ô¡ìÀ<zm
+¹´÷X˜Ü ‡=U6òŠmyºæœ¯mL×ë;·Evˆɱ-Ò®LŽ0náLùwÜâIžsùr‡ÞœÍð_ãÀ^ã(•{ïZðÑ¢Mü:z°èîñ\B}_(AÅŠÊÒv‰[{"R–—ùS‚Bv]/E»£.;hr 2·§²sv ºž$ùÎÚžôO¯6Þ"ù±M
+7ÄÙ ²ô¹Øw{z™¨ #}îɸ%’›3É?‘&ÛE’#hï`2ŠaoÛùOóÛø´Ã²›í±ÞoÎÅÎT*ésœu!­‰ äÆǦª^ZFZÇãð%îüŸÙx¯
+U C&ô Ëô † ® ¤É „4cRTÖ
+ ñóñÓѲ¤M£åGn!˜ásQw ½ pËžÁÙ“'ß½$$.Y`”_‘…Ô®ã,K:O„Vឤ«¿ºÂ…%¢î;›+±UèS¼Ÿ¨‡üÝ.êå6x³œeîp½,6<”æÊyØu ¢'
+ª‹àÍÂ<SKD—°!š@ǃ‘Su‡ƒ‡*e±/fNÞÛ­žéÝú´¯z“‘÷>žüÍÀ²T…æ–2ôJK>oœd›âË’\# E©Žz‰ÐY NÒ¡‘Óìu³ B(Û zœ¥Ï¬’²/¼ï‹ŠüSò?uÑJ="Ñ„˜ˆ6Le¸}{ü2…HÚsçÀÉo×B~»Û,%îºk 4ˆ"]©÷¥Öë…
+LИ$|6†½ØéVzÉËrJ¡ùœõuˆí´!
+eú5]‡—7XIOÃâ&½ëê—Ñ@[„³Ü66$=6$èA¤ùÙFí †Ì¬A÷ÀÑêx˜ylÚaÍÜU‡Ú!Gã Lû[¿ñ&Èäf1¤zÎ͇£‘Q©ãQ‡0rÝÐe¥yeÁFù"Ô(
+¡ðü­°e­×ïÒ4Ïm ì§ÓNã6&ÚݸdeÞ4nÓí„Õ‡cßû&Ê;aʦ>¢%¾¶YCMÙƒ2¼TÓ ‹N\òˆjŽ‰Ùš3P
+-s¿‹«þÆ‹¿ì
+@ –Œ{Íãܵ<†™îÃÐÍ[º[„“~Ém]BUگ篇k»ý>ñ9ÐçÅúà ¯3× ‰Â5ã2úïÂõÙû^÷ŽZðË÷½ãQçï{ûQ‹8gú% ÌÅíûQ ûOK&‰ø-ž2p·äõ&à¡ö á
+_€N
+
+MѾè/ê pžåyu•&¨œœ}øöW§ig³ÝY›å`p ³‹6;uÞfûQgª…‰©ê8`‘~ƒ~Ôå@ÁÍt8cÀ“£k/xIöugïm M U53´)ÓUžZJž’îÔàÙ5nA‡“¥Çɲ÷õ?Ü,:=~é û á§XÝADåœÍ>úzî>RSöfZE5–jTÎy0‡ï=Æ-\Ë–‹ßíçWß=~„–µ/jŽîEp«§'¨Ê“[¤ö{%íÀÛB]ÔW¬Ü…oá1
+q
+ÔñW:¾~.òN`Œ; o™eArÁÉ
endobj
-1413 0 obj <<
+1811 0 obj <<
/Type /Page
-/Contents 1414 0 R
-/Resources 1412 0 R
+/Contents 1812 0 R
+/Resources 1810 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1398 0 R
+/Parent 1796 0 R
>> endobj
-1415 0 obj <<
-/D [1413 0 R /XYZ 56.6929 794.5015 null]
+1813 0 obj <<
+/D [1811 0 R /XYZ 85.0394 794.5015 null]
>> endobj
-422 0 obj <<
-/D [1413 0 R /XYZ 56.6929 508.2158 null]
+542 0 obj <<
+/D [1811 0 R /XYZ 85.0394 637.344 null]
>> endobj
-997 0 obj <<
-/D [1413 0 R /XYZ 56.6929 481.2174 null]
+1281 0 obj <<
+/D [1811 0 R /XYZ 85.0394 611.827 null]
>> endobj
-1412 0 obj <<
-/Font << /F37 802 0 R /F22 737 0 R /F62 1062 0 R /F21 714 0 R >>
-/XObject << /Im2 1051 0 R >>
+546 0 obj <<
+/D [1811 0 R /XYZ 85.0394 133.1815 null]
+>> endobj
+1814 0 obj <<
+/D [1811 0 R /XYZ 85.0394 105.0145 null]
+>> endobj
+1810 0 obj <<
+/Font << /F37 1026 0 R /F21 938 0 R /F22 961 0 R /F41 1218 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1418 0 obj <<
-/Length 2886
+1817 0 obj <<
+/Length 3447
/Filter /FlateDecode
>>
stream
-xÚµksÛ¸ñ»…¾UîDˆ L>årNê›&i}¾ig|ž -Q2'©#)?®½ÿÞ],À—éØnæÆ,ûÂîbr4ãðÍŒf\Z5K¬bšGz¶ÜñÙÖ>Eg}¬Î^¿—ÉÌ2‹xv¾îÑ2ŒÍÎWów{ûó“³ã…Ð|³ã…Žùü‡ÓO?ÄÒçÝçOïO?üröö8QóóÓÏŸ|vòþäìäÓ»“ãEdtû…§ðȆ÷§?¡Ñ‡³·?¾=;¾<ÿéèä¼Õ¥¯oÄ%*òÛÑÅ%Ÿ­@ퟎ8“ÖèÙ-L8‹¬³Ý‘Ò’i%e€l~>úgK°·ê¶NÙOiôPñl!31И´2g\ƒÕ‰¶,–B¶VÑ”•Zy—Þ-Òeº¼Îuþ{6Ö:x¢£YŸôZ¬ DO‚(– i<áü:;^H.Q–|wØÑ$Ý•‡¢¡q¹öÙ®¬îiœô½ºo²š†MIßCí ®ËʯuVÝd
-³¹&èî°mòý6£ÙMžÝÖ¯Ç+õY¦ûý6'» Á}Z¥×A¸ãEx»±³ªÀChC9ÍLQœ­˜;Ù9ùÂWÙ:i‘×ïU?l" (E$€6’Œâ„4ôì„Y)ŒÇaâ'˜vQ™#æÌ– +µÃÅÌ%¦8ç=òùÏ è¾Ë
-/Û‡*ÝíÒjB@ÐYÄ,I …S ½|ÿ%]­ª‹×û*[çwÛ¬¸¤…ÿ8k É,æ²\ÆU¹9Ô4¼Ïê/eõ¥(iú†>—Sîã7ï«ò&_e‹ün]½€FÔ§Qe¿²ºy)Ùª¨¿gïâ°ÚS^t â°»
-¦}†˜[_J` BS¥E½Îªú»v/ î0ìø+לFe‘-
-¼>HNŠ9à×é2`Ö½©d”QêÅ̆6‘F0k5éb}›´g÷r³Àe
-wØ”÷ž“î÷=fÑ/f64‹âœ)k¦“T¯ gd¾Ø—åvtƒ=#!÷/p4¸CžqyHöPÞfyÑ@u‘n¥µ˜,)þx3U_ !£LÜBæéBèÇìWÎE‘7yY$-V4ø¥N7ÙDu6ªÎ¯³Vž^ gXl¸ö%œà!-KbC5X÷dãT“N6WÁÂty ìL–×M¾ô@WÆÂ÷*£oZ×å22+šûÚ™Sa *çweã6@=žîüV/$43PÖBE9?]vîi+ÊtG{¡æÅ8#&µ¥,W÷K ¾Ï–9îÍVX²Kד É¥p
-έÛÃ
-Z@›ÄÖŸ9ÚÅ–e±žphláƳýF
-5kO/ê •žß—¬òšÒ£›ÑT±³1
-ï8JpoGmþiÝsðˆ1ÉQ`\»ødîPÖ©Ö½ 7…ÁÒ8p ×æ¹UÖàm9ßå—
-Ì u4,ºü]Z7=¤(œ3 ø7Ã=°-1‡8¦®q
-2´Î8¬Š¥wRp'ç¿»¼‰£ÐôâL£"…‡_{ðÞ
-1H“ÁÓê„ÚšÙÎ'Ú‚ÛÊL>- ui ½-¢–6`a»´„xN+CÍâú Æç1¢Þ´k2êàX·zh5ÊA"‰‡~¬çkŠ¶_$oÖ!!lèØz¤‡—𺌊‘ib™±÷V·³yÕ·¬o…ÕrÝÉ0‘™À•h/­§ÍÄú·õܧo¨9¡&²ò‘V(”‘Ü׺¼óa„µ> “àÃô£‰ûRuä¼ôùÞzúï÷ø ¯T£4a@ÙFª~GÙþ€Ë+¿L–F¼ÃžÞkpµ#ì] `é¡)wÐÇ€wRó©ækJu0ºJB=¾o£áùµo_×¾ v ± ÿ®—CÔüZÌ»ð5ó"sqÀr¬8Yà6Ï©ÿÅÛ>w¿[IÛWÞô5´­†Öý°ÞÛG%=ŽV}Ù¼‘
-é–Ú㕦W•áî©RLI¨X¬Õß¼(-Ö µ××åa‹RBšnoSü
-Ø>–Î`JJýìt®ŠD´Úd¢Ôª ¢§#.±v'½^¹ÿº“v…÷W§qU·ÓÒßè-UÐ&CÌŒ^d EH Õ„Ó3þgnL,tåµ>£Œ™‘¾ÞB¬«Ò½+’–“ïÀÀe_ÂMògVúÕÖó`B¿QÛˆ~_wüîÒ–ŽAÆÜKD ØÈVÄG~uî¼¼—P®›Íýè…oY¥õuh1B–Z–Uulæ‡}ãÂ/ñ<¨#oœQÂbý›‡ÔèXSÿíÀÛ7ÌïþîÿcT¤1búß& reFØ$å^KõXr‡¿?<ýW
-<xendstream
+xÚ­ksã¶ñ»…&_BÏœx$Àg®q.öÕiâ¤wn¿$ù@IÅš"‘²ìvúß»/P DÝ]›ŒÇ`,vûNø 'qâ'¹Ê'iùqÆ“ùú"˜<ÀÜ»‹PÖLí¢©»êëû‹×7:ä~ž¨dr¿tpe~eáä~ñ“—øÊ¿ ÷ö‡»›Ûwu™FÞýíw—SÞÍíw×Ü{÷þêûï¯Þ_NÃ,½·¹úñþú=O%‚ãëÛ»o’sséûë›ë÷×wo¯/¹ÿöâú¾çÅå7 42òëÅO¿“°ýíEàë<‹'{~˜çj²¾ˆbíÇ‘ÖR]|¸ø[Й¥­£ò _éDP©1ƹŸh¥I€Í¦+›ø‚À»í€¿,ðæEÐ+ª¶aÐö2Ì<óO3—%o﮾¿æn³åö›ˆWÏj-Ë%·ÝÊpçg¥¢¢*‹; ª‹µá£â ôÿ
+‡éa“s0íuiiÜ f†~ÇŠ¸lw³¶+»]g°nú×Ù¾pWŽLBo±3 ên‰# $äáºèæ+ÓÊš•ìz(ŸL‡¾¾‰BGÜ*‰ý,ÈS IÀcª²íxåðb?
+u( ›åá
+
+Qz~Ʋù’Fu=„HIÚç ’¨#tõ2¢1$;ijÝH¹9­¡ óþÝdÛ#ü¸pu6
+ÓÃÉt‹1õüä)\œ:ʶ¬ I«Äë–5§-Ös‚à?N¢äȃb2‡57‡ÐM9@Ö`ŽÅƒ (ë—aÝE)X&U
+v°JÑRóPÇa¸(0Ö¨OŠ`
+è-ûLþÜY‹²KÚcÃ|¯Ùu<˜™3IƼ€<lñÊj†„¥‚›PeDZ÷¬¡¯n¿c¨áÜ¥9NÃUe±­¼ 3¯Jàk®ˆžû±” DÂ
+ÄFÁ!ÔƒF¤íÐ>˜Ž×azFµˆ3IDÀ’°Å
+ u³”” ½Ð
+Ò[-ÍSveôÏy Ãýß 7åÙûƒÔ¤mùÁ]§©óÀçž>|”Ày‡ Î9&uübNsÑ“ÿèf~À»Vö#t(ìa7ñVàøðP->Õ]6LH`1*{Ës¨íØÜTæ¡ìJˆlu|'ìãÀ½RB|¿ß_æê ÷—Œ¨É%«ôÜW“_x,©¡ ?š«Ÿ|ZJÏkýÉûÐ>®îêÓf%:}Hmån•æ»…ÖyüU
+J;Òvœ[ÒùX¤Ú¦¤Ðû„pµó±Hp>Ðhû*íŸÍ>ñlžøQœ$èX*ëƒîÔ~%ýTÑð6
+GJ¦»¦ë½e‚Qî ¿LçòœÛß8g}8aŸÙGq¿©-ãºN€l¬ß¤¼P‡</æÞ²˜w½‰7×qHXõ*¹g¢!î¶iÒð%”-…®f4w¥" \<•\)ç¼8^› û˜Xæl&=Äg­PÊ?XG%ÌK¤”k \Ð×giÿ) Kfd-„¬„.=a~Ó”T’"¢%·O¥aõC?á·Ûæl¾“@Ñ6ïvraIÎêP)PžÊ¿Ÿgöuž
+J<îØm7 ÙHµ×î°Ê%ü-o“ýøˆ0Û=<È7‘$ö®ZAÈ÷…'D¾¥f$ñÒΖíG**K0bQã…»Œ(ßFè{uj˜ o•æì`Hjó¬Ù
endobj
-1417 0 obj <<
+1816 0 obj <<
/Type /Page
-/Contents 1418 0 R
-/Resources 1416 0 R
+/Contents 1817 0 R
+/Resources 1815 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1398 0 R
+/Parent 1796 0 R
+/Annots [ 1819 0 R ]
>> endobj
-1419 0 obj <<
-/D [1417 0 R /XYZ 85.0394 794.5015 null]
+1819 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[0 1 1]
+/Rect [63.4454 494.9289 65.4379 504.5687]
+/Subtype/Link/A<</Type/Action/S/URI/URI()>>
>> endobj
-426 0 obj <<
-/D [1417 0 R /XYZ 85.0394 705.4897 null]
+1818 0 obj <<
+/D [1816 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-1420 0 obj <<
-/D [1417 0 R /XYZ 85.0394 676.6631 null]
+1815 0 obj <<
+/Font << /F37 1026 0 R /F22 961 0 R /F41 1218 0 R /F21 938 0 R /F11 1451 0 R >>
+/ProcSet [ /PDF /Text ]
>> endobj
-430 0 obj <<
-/D [1417 0 R /XYZ 85.0394 400.4739 null]
+1822 0 obj <<
+/Length 3643
+/Filter /FlateDecode
+>>
+stream
+xÚ­]Sã8ò_Á£©t–eËöìSø˜9¶v˜YàŠ«ÝÙ“˜Ä5Žøõ×­nÙ²ãÀUÝAõÑê–Z­þ’䱿ò8‰„¯Òð8NCù2:ž¯üã%ô}>’ sjN]¨³»£|Rñq*Rèã»GW"ü$‘Çw‹?½óξÝ]Þœœ‘ïiqriß;»º¾ –”>ç_¯?]}þ×Íì$½»«¯×Ô|sùéòæòúüòäT&‘„ñc80àÓÕo—Tú|3ûòevsò×ݯG—wÝZÜõJ_áBþ>úó/ÿxËþõÈ*M¢ãg¨øB¦ip¼>
+#%¢P)ÛRÝýÞ!tzÍÐ)þE*QÄ ä£Th(Ã@\³„>ðÀ÷'y³©«&§e~«ËbþBå?êŠ[¿û‘óíøHfdþ¼-Ú¢Z"?€jàPõO-"å=ÚåǸ7ø)ªy¹[ä Õ2ú”źhóVoÏWYU4kêkkú®ëEñøBå‹ë[*lOdâñåc½uûþÞåMk©UYY/ë]ãb˜uVœH¯¤ZVµÅ). —"¥H£(0Ki6Ù×ù
+½‡2›ÿ(
+$RÚ2¥S&²/ëqöc†¯7mQ3B¢d¦ôTäÏÔd»²u 'hµ,뇬d¸ ‰!ðC‹X‡r(ŽH ™¦àLá.ªÄ3¦…›fî®júº‡Å.ÊŒ³3G Ún(È@ÁÌ< <q_{  oÖKpUPYU¶}¡n:%PàÁ"Kª3êæ¦ÉátNJlÖLêó!J%"h€#½-Ì!‚JUo×YY¾PÍp@¡¥~Î0åPIïŠ1†Àw×ììÄÚp·9ðe>µÛbn{VµQ‘
+u ÖÑDá×1Q È
+|½Î€øIÖ@”çñÝ÷ƒŸÔBÈ©¼Þ‘± ј›µƒD‡j¸ø‡¼}Îsä¸L=IÚ((¶•YYRË#™(=¼´¹±àlœ…¦ ½3e[népI9}Ž2½³zŒ²€/Éù¼Xg<™§¬Üq»Ñ9Hû–yfˆªÈkŠeU ÓÀÛá&\
+• Yù:)
+ÇÂᦛ/I5€^ŸÎ..nÄìæ:q3ÑaÐ<`(^¦©³ÎPé­³ƒ5£Ï#i‰Épimô
+’ÙŒ½Ì‘½€–Î^@Ùî„Ï;á÷–+œ2ÚÜÔƒdäRŠ]t³R7¨)sd¡h½ö7bÞAè·-PbÁÃ~Ê©µÉ·O
+õCk  `F‰2‡æÄCˆwÝhyK©ÝyÆB˸jt“.>À"…íI…`Ñ`{y ; ¬÷²ï¼°Z*aöŠ1ö •Þ{LŒ¯a¾ŽŸg1ï‹p`FR9ž ¤m.»!„BùBIyÐõ;=ØL¹~6a+`qŽäÇx}‰ëMcÍ
+ ¨/`bC­F;ÔŒ>ä~`¢(q&Ä”I¤`XÇJCÚxÖX2,WVùü‡Ñˆ8ƒ%Ži§D¨?“; ÔØéG'ˆí²¡ßY6Œìýèêýè1yÓL#ƒÁHÕ©Mƒ…Û\‘Áöÿ‡ÈLZì@‰³ôƒ†mì÷5kö(«psQKÁîRÏ}tȘûT1*0iflxz55µÏ\ ¸!òÖuïv…ýà_qn <bœšÀ®ë®ÌotA¤N|ï,Ÿg;³<PX”dÕ^’šˆxÌÄ;¼hsîÊæó.)¸$(ãåÀ×2€¬kÃ)h!G(vÖ¥øú¤G®¤eþ~Þ† ³5?lxÙ\gsÎ{Bš·.Eù’¬šJëDH?°ÑÓÅÕíìì·Ë‹)ÝA˜Úè•(5ö
+eßÅ€ýÄc%èLÜ`² Ü1ÿßMlà0̇ž‹Ñ$× Ø±ŽåС³-«Ä5ÛÏÞñyœ¶©FÚó±Æ”%3Ò·Iß|ûñÐ͘’J€‹¡Þ¾ t¡ÌEÖ {™B1Q.\Éw_Æc¢Òa¸FoRí öÉ]Ê¡’=_Õu“¸2:y“`cn¾vWlœ5Á½ØlòlÛù\~°µÐÞðé|>n‹Éç‹C{á·ðu¾½'.Ôá=é ÞÝ“7©ö{²GvrOd¿#m¶ÒIJZóooœl½3„ÃÆÌ9z=ã9çÉš§ÛÁÃ|Ž¡&ú>;PoðÙB½Ïç·¨:|“æ³KvFVÔÿdÔq }MÐ]w;¤½Ô”ºO¸R«‘xÉN”Él! ƒ™Ä[ºš‘Ú戡}W-…º½<ŸÌ›Z{vxŸB¦ø½ãн±K ôþ&½AÒÙ£Íé-rhÚr$Þ^¨î ÷‡A
+âã7Íysؘ3Ì»¦ü z½!œ4ãÁ»é·`©º»|¶/í&Scþ(M9H÷I¥}ùÐgKñ¾ "Šó>y^õáe÷,äÀ
+R5uë>ÏësõÂ$…å‘ÀW¦Œ„?–ÿù1k/a,T’Ó{¢|-’ í¤‰ϼ{õº?õÿ
+endobj
+1821 0 obj <<
+/Type /Page
+/Contents 1822 0 R
+/Resources 1820 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1796 0 R
>> endobj
-1304 0 obj <<
-/D [1417 0 R /XYZ 85.0394 368.5231 null]
+1823 0 obj <<
+/D [1821 0 R /XYZ 85.0394 794.5015 null]
>> endobj
-1416 0 obj <<
-/Font << /F37 802 0 R /F21 714 0 R /F22 737 0 R /F41 939 0 R >>
+550 0 obj <<
+/D [1821 0 R /XYZ 85.0394 769.5949 null]
+>> endobj
+1824 0 obj <<
+/D [1821 0 R /XYZ 85.0394 749.4664 null]
+>> endobj
+1820 0 obj <<
+/Font << /F37 1026 0 R /F21 938 0 R /F22 961 0 R /F14 964 0 R /F48 1238 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1423 0 obj <<
-/Length 3541
-/Filter /FlateDecode
->>
-stream
-xÚÅ]sÛ6òÝ¿BòMÄÃ'ANŸÒÆIݹ¦¹Ä¹››¶Ó¡EÚæ•"‘ŠãÞõ¿ß.vA‘;íÃ.€Åb¿°»€\øÉ…£8UéÂ¥&²BÚÅzs&·Ð÷êLò˜U´Žúúêì¯/µ[¤Q«xqu3À•D"Iäâ*ÿqG*: bùͯ_^¾zÿöù¹3Ë«Ë^Ÿ¯”Ë——» Ö«·Ï¿ÿþùÛó•L¬\~óíó7Wo©+f__¾~A”þN }{ñòâíÅëo.ξúîìâªßËp¿RhÜȇ³‹¶ýÝ™ˆtšØÅ=|ˆH¦©ZlΌՑ5ZHuöîìï=ÂA¯Ÿ:Ë?)"¥c5Ã@¥æhÓ(ÖJ{^ݸ *Ce%F&€ÇyÝò !>e"gt̃ÖU¶o‹ó•–É2/ºb·)ë¢Åo·¼¿+º»bGÐ"hÕ¬³Š`m±ûúï˪¢Y×›mÇÓúçEÜòâÅëw<㮨 ¶n6›}]®³®¬o‘äÅÊ
-ÞÂãÍXY§‚Ç1s`@"—L`OÙ”§(˜|l -p@éH:)çά¶ÙûÆ¥K†®ÿŸ#Lô»¦¾<šó
-$lï=êÞØ\0'‘ C·Ùú×––ÎZZg‰ù<‰“ÉÛ¦mË늇–µ·SìgÜÄ ¹-€zhpv̥Ƿ¢âyµ7 …¦·£–…?ÒP)Ö%X4Æ,¯÷ ¦I
-„ém h5=õ
-‹L+8J€\S° ô€Å˧ÔpT”&I2_ÁYõWC”Tžï\xLJ•½±ÌUREÉALy»®½ë0ì:LzBÂp´$ÚN0e²@ßtä6Ð:Íé^JY+ü“c‹Î
-\'[s
-b0Ø{-!LêH1@A1Ô¤,ƒAúÕ»ËWϦRI’(†ìfaEž*I‘ƒÔ·»]Pãí "†¯†ã bGX‘†wE ;qp¨Ú))RÇ‘‹c;¢å¨&×z„„clÌIpæžÄË.«(nG°—þS€ëÆÕ=ò_N‰å?‘óy?ã$Düéç§ÖÝçW9òBn°Ð3’l‚c8aƒÁ6¬i1µ¼­³nß—[l_þ³¬`ð[ÔÅt0§Ï}Kl°¡¢
-â¿ý-„rF0‘ظÝe› ä‡þOÞÐ;wÔ¥ Å6~ÄwÛHȾ¬|7b…|µ¹o©í66ûª+·Aœ˜péÃr×Â}ݨƒ¡ÔÀS‹z™¿Ø.¹² c¹DNÂÌAXQ19å hʼ“• Éý\Dˆ©Óz®€ãÐë§!
-@MÅ«e_ÄÁ»úÏ †ˆZÆÎ8ïs{H
-”áú/B/ß|4âŃbž2LþpHžsVÈ8)EŠ9E²tBÓS…Uè‰Û§sC˜Õ ;ÌêΉ©‚eÆ:†~È_
-0I[tç‹*èÿÊÀö’´KŸ6Ú/BÆxÍ1^ŸÎå:“¾Œð4‘¯úYc%Ì|mˆÿ¯æ+Mjù¢¾*Û J¢ZrITÅKšï‚Ì
-fM=îÃÇÏ<È'}â•T‚,¬ð— ^†üR•˜WûŽßyêWY#d”V¥z¬uG{Œ¢h2ϳfRÃýý«9É
-|^)!“^¢J|¡D_P}®<ÄStÄC㽿<VÇ^Ôî‘çIµ:GÍL ^ßõŠ>¼
-âæ5_Ó«5|OåKb`´‡­â
-Å@)ùC-Û‡Ö v–oʈÜe+–„°Qb“‰»f׎«·ƒŠ6=ƒÎÃι‚RÓ­Ë0ü'xY}üÊk6»÷Y…ŸeÝuÎ}žéÈ]À7ˆ[ŸøʳïC%>å üš0A[ªuͺ©Ú°*#ôoö¡xöŒ^Ð&¾„#øêtÝŠ+Ά{Nh}{uõ†Z=£¡]òÿ ‚™ëòÒˆñ´BÅ£ùí´øâZ)ýyFÁ?ìz[Vtçbã<hUåõ§M¥ÀjUrêrÑHmmÕŸ¤Ð?N­O›†Ñ๕<6 •Ð37…åÎŽ^…
+1827 0 obj <<
+/Length 3566
+/Filter /FlateDecode
+>>
+stream
+xÚ¥ko7ò»…Qpr±KîESl'q‘؉­múa-­¬EV»ÊîÊŠ{è¿Îp%õîÄä‡äp^œJž;ðOžûbŸ‡±'|Gúç³Õ™sþcoÏ$㌠ҸõzzöÃ7<E¨à|ºè­ 'ŠäùtþÛ(J\À
+ÎèòîöÍÍÛ_î'¡7šÞÜÝ^Œ•ïŒÞܼ¿¦ÞÛûɇ“û‹±Œ|9º|7ù8½¾§¡€×x}s{E˜š‹Þ_¿¹¾¿¾½¼¾ø}úóÙõ´=Kÿ¼Òqñ _Ï~ûÝ9ŸÃ±>s„Gþù>!ãX¯Î<߾纒Ÿ=œ}jìê©6þµ8c×ì‚Ë~,W¹-—¥×ãr(a0€,äògG†»G a=©óþr{›¤ýM•êmIáDZ?Üt¼v@·“(AGŽ¶Ë²N Ú$Õ…ŒFOiCCYÍð%#l³|>#¤9¡4åzœ§ÏiNór•d }v|ç{%|Çî¨^§³ì³ã¨´·,œÈ–=²]¥D¤BgE‚oï®&±MñÏ„ñûÇôB¡œÀgôdÖdeñ
+6@î2›-q
+1t„ã‚ꥱï+­O’n«¬Ñ4ùæ¨Ð¡¡z]5Cš’ZMj.þ™¬¬¨Ü^Þýr;ýIŠƒJ¬@1r\zXGÔÉ`T§c›vê´»©]ú›N­"” :‹ä}9K@=$Èï*i›cúžˆ& bKÒX³PÒ¢Iç4ðøBmBMª‹’”4+’Š1®núk̓7h– Ï$õNécS›Púz¸¨·iEý¯›´ÊÒZŠ‘p=/jØ'B¹» ð Tì I Xó²6xEÙ0 µ;ú\*Ž;êÊ´ €ÙfÍ’zC-œðjh‰(&jE½rAmNÃî¦{ <¥cŽG7z¡q'Øew‚ݾ;q½H á<ièLRofKF©iÊ÷"ý–¬Öy*få
+€_¹i'c’Q7 F¼CÚr G ¨ÆàL$2ãC`ð¢AYc—Âê¦Êê/ô¡}»8ø\"ØyLÓ‚z¬¹y2C*B2¬‰ŠôBÝ"Y¥(-èNiXŽÖ›j]^ÈQÍßZhŒ74"µœ‡ŒÞ)c'g¶óQÖOOYñÄãÅŽÜ&y®É†þ‹*-þÎË$›fY‚ï䥴a§N«g`èÝA/®ˆ¢88îûX‡½`‹uÊ Ý´õ‚{›Z½à`S»TŽð#ãÔ>j3|x˜¾»ÿÅâáŠv‚@2òºÌ³pÕeˆmw{Î ðÈ 5ÆãöFGèÀi5 ¡Ê^{¼{µþc—ƒž#…
+£`ÀÂS1˜qEölÜ®háwŸ6Ïñ„
+BoÈðuR×ͲÚûeAḃ¹áƒÏpÌJŽ;0(" e8ôiÛßubíû±e¿ƒySÛÅ Ú;‚’bN-8hWeͳÊE‹Å>«·ögºü /Ë<­Ÿ’ ÁZ1ø:‰Íu.o®î™0ðÝ_øBÚqèª0Z ýÎÃùmôÚ9ˆþ`ˆ\‹o¼”?zNª,yÌùkT MÄ{COhxF¹-ÈmúÚõ—ó´ÖH5²áÑV½g ÝþeÑQ`9ÑG²MiÏÆ#¥Qà©Å ê ÑJ9•t½ÖfáFUn q`:+ÃQíõµOíýÇ_ sf ¼N >¯Êæó”áìæ5±ÙœŠP)hñûÚìJ!]ǘæ,G5îS&DÑ>„`ž2Þ§buÜ'„$ÇkP¹Fžp\ËåI5´’‰–‘ ´ž’"û£•œý¦K%dΈ8
+ÌœôVÔ,Aœ)ïÈÉ÷,[ÝgZÌL„y9H9å¦`ãeÒúL/„{Òiö±›j‹uÊTnÚšêÞ¦VSlz*ðÇ0 wÍÕ‡t•dõ4#´h¡ÏÚ죢7<•HšQ«ýŒá&<´0‡0¸Bš=Éó†:(³óYŠÁ#úy
+}*4°ûΪö‚5*c2`©3`N.9hhÒYs²P· \¾QÓ6¿Åàà‰­ÑªyA€>èD©·uDó ÖIÍ;¶i§y»›Ú5¯¿éí¿®î>Lnl×6äR1de{Zç­s8\ó›ft’¾™,£vÃ.7Õ1+·½²Fàvë· ÖInÛ´ãöî¦vn÷7ý+uêÐq ÏM,Äü4–ÖÓk[™¹ ß­ uá9ÇghëC ÖI†Û´cèî¦v†ö7mSûª`ÉZ ×÷Tô—ô¸s£'t:1.&á¬sW<¿ïF)Øq¢ÛRKÉ»e3Ϊ¤ã ǃ³²Ò×/T«œ§‹d“ãõËÀ^Ð媈7n97¥O]!@Œ‚¾õ±uÕ³+Aä™™R9ï¦k0üµ-V{&¶¡²ê§‚ƒ×Þ›ªÖ1:‚°¼põ“Ä´ÛZ˜r¸™ÃáGÈy4@u8-;i¥J'@j0­ÌñÂ3-\Z4-vüøkMKdÅ`…ç,ÝÒ
+{OL¨!_…=~×ÓC_»"ŒZ§óX¥É—ñ¼¨ëtÆ…nƒ0éKZ[˜Ä(¾}¼íXŒn4§c“öBo–Ô)æ ‘oê{=…ÖpãN¡UhjSCÿÄ3¨è³ÞB槰¸{‡Çbºâ(ê&ß´| ËË?xF2ŠÝ·ÿEÒeI3H3@ÈuÐU|²ôAÌѱ³¤hKaàK0lÖ…ê¡÷p{Õiáäô=v$W)ºÆäÞ 2­ÊyW%MŽ25k
+øîr;æ¤^©€=~üó¿?i?óÛ?*…n–sîèÂß´‘âÖòÍœþq1–nÃwÂ{w9yÿîîa*èë|¼zªú¿¸ !¼7%¯¾äÖç1×™SG-Û7é¹ï¼é_ߨáÆäž 6±‡ÎÃ|üD9 vûšV¡‡ÁLŠV#¯X\‰é`ô¡§£-1Ò0á¤idúuG`~hƒ®CŽÔÖÊmñr<Áæ”ët¿«“Èj /FŸ¥«ŽôŽcUQbœ5XÚë~²§ùK¡"=ˆÐs}=í{=ä‹8 ƒó¨ˆ¼wW“éd†±ŒC¡­œ=Z@ë„ýˆH$ÿ€™^ÔmPá;›®Ò«jVSc^Ï°7?¾•¨e¸¾À_ZŠ
+ðŸ)ü¿Ú+Š„Â"eÿÍÂÛ™‰BÎDû/MFPä}Òÿ#Îë.endstream
endobj
-1422 0 obj <<
+1826 0 obj <<
/Type /Page
-/Contents 1423 0 R
-/Resources 1421 0 R
+/Contents 1827 0 R
+/Resources 1825 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1398 0 R
-/Annots [ 1425 0 R 1426 0 R ]
+/Parent 1829 0 R
>> endobj
-1425 0 obj <<
+1828 0 obj <<
+/D [1826 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+1825 0 obj <<
+/Font << /F37 1026 0 R /F14 964 0 R /F22 961 0 R /F21 938 0 R /F41 1218 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1832 0 obj <<
+/Length 1742
+/Filter /FlateDecode
+>>
+stream
+xÚ¥X[WÛ8~ϯÈcسºX–Ô>Q
+-ݺ>QNk+Á§ŽíÚ·Ýþ÷Yrb§„¬Œæúi4‰Œ1ü“±ä3å…òÇ„£Åç0÷nD×2y]®7ÓÑþ1c…T@ƒñtÖÑ%–’Œ§ñÕäðýÁÇéÑÅžG9žhÏãž¼99{k)Ê~ÏÏŽOÞ}º8Øþdzr~fÉGÇGGg‡G{‘œ€<u¶Ÿü}dGï.NO.ö®§FGÓU,Ýx f&k<Ž!ì#Œ˜’||?0"JÑñbäs†¸ÏXKIG—£V
+;³è~œIÄ%
+ºÎ}}Ì3ÝÓáË ó°Œu†ô}¸(Rm˜64±n˜¥Ž“RG.Æ{ôÔ€¡×ù¶yôÔÜ*p†%ƒÆÚ ‘#%D0&HøÌÆ3`­A12·ˆ o-¶Uݶà=¢¢Äî1ŽdÀy„“ö[äi=´ÀDyW.þ›p( Â4uƒ¬ºÓ¥cžå¥*ö¥êûHõŠŒ0ü“¡ ‘ÍL“Ɇ¤è!b—õ%i#É("OEñîÖË‹³Ë·Vʆ·ÔŸA5àTVusÅϪ8 Ú¹ólT¾DPµÌÎuò&.Ÿ ïS2^IÏŒ.N‘¤T5ºLõ# (•.ouikÝeÖz¡³Ú•¾2\,ÂÒj샕€’¡D£°Õa@HŠ/a—WûE©gÉ}ª³k;ñoV q/¸+Ëñ5Ÿ/]î<èêK^~ÉÜ~s‹q=”)N¸(óÛ$Ö^r?+_ £ç@©¿/uUÿ–g¿ƒ‘õ–qáUÉ£ÛZÙrñµ…vë‹ðþ÷Ô%ìáÙj?/M†¤=Øû‹¶T˜3ÂŽ Äy¶DØßÿµNg^¯t¬’ÖèÏ|þ¦ª6ÇšOU—I6ï)¸Ú>ƒºv9úãÅ8yU¾,£Îi˜~³Ú›Ú-bJô–ÚÍ»µ{ûU‘—õjW™×þy“á'+býônƒ®«ÁSWWçCãßrÌð_s•b†(jRè0’ÙÃn€1Aý×*‚Ÿõñy0_rf¿ÜMEmºÁu‡BVö±tÆG]U›[Ó•í®÷”8&p0
+-2ƒ¹Ðºç+ä3 ⸎°çšì
+×=WKÇÖñ “Il}Ó•ýÝ„edIU'‘#š Žù~Õö r% &¶¿ï’úÆÍØO¹GäD/òº ÛÓšç$\«áªM›œÌz’…5>Ý[ÙTï‘I6 ÍjAË˸ýÕJŒ£ ´:JŒ¬Žÿ4wm g´1
+»Ž†#IÔÆ[QS±†,q±5{4™gùz×ú7+аY†Ûª‰1m~¬a3p%ÀG(ž’ï€O $‡ac3Fz±mÚ">´n>ýU[x@݉Ù¾@xŒ›6V‘~ÒÅz.ÓºBÛ^4Gæràý¯Èß~í\?ûÐÉKIW™ñpÃàœj^†ø¦ç«gѧ®ÿQÀœendstream
+endobj
+1831 0 obj <<
+/Type /Page
+/Contents 1832 0 R
+/Resources 1830 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1829 0 R
+>> endobj
+1833 0 obj <<
+/D [1831 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+554 0 obj <<
+/D [1831 0 R /XYZ 85.0394 525.2179 null]
+>> endobj
+1834 0 obj <<
+/D [1831 0 R /XYZ 85.0394 495.5406 null]
+>> endobj
+558 0 obj <<
+/D [1831 0 R /XYZ 85.0394 193.8668 null]
+>> endobj
+1701 0 obj <<
+/D [1831 0 R /XYZ 85.0394 161.2246 null]
+>> endobj
+1830 0 obj <<
+/Font << /F37 1026 0 R /F41 1218 0 R /F21 938 0 R /F22 961 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1837 0 obj <<
+/Length 3988
+/Filter /FlateDecode
+>>
+stream
+xÚÅËrã¸ñî¯ðQ®1Ä‹
+7òŸ«þœ^¯`Û?^¥‰Ê¹~„4y.¯wWÚ¨Äh¥d{õåêÏa¯×OäŸH©29Á@)§hò$SRyÞ®oæJ›ÙSs¤Æªj—ÍCy ¯î¾è°•Í
+n„›•»¦+é»-qpÕÒï¦z¨ê µ›#Ï_+^ èŠwÐÌòÙ®8|#«Ž~ Ʋh6Gn>VÛ-µö´þCY3ÚõñÐÝpÀ¹InŒô[ûϱ<TeKGÖ5ô[upÖJ¤³»û’ «r]·}<Û#Û5"Š…v‰q©…µp ¢‘†õY­à0³,ŒªÚ LpB9Q7H`/ÐR<$ñ[œƒŒ$¹³æz.e"´ ­âfΗi¢5 !Øš‡jUΫoëÃÄj6–™°Úr[[<b›ƒ:`°˜íª¹‰ ÇûÒsÝt÷~ ›m›e±%‹h µvËŽN:ý Ãø]Ñv½A"œ3 ¡cn÷°lS¯xѪ»g51ÃæIŠL{U/YHAH<=i6ûoS—ÔêEÝ®=í©ÁÔ ¿ç ½6vøìJ‰Ü+·ÅC‰ ™ò½¶k©×‹œ¶–tÍ£éxÍfâÔ”Kks>ˆ§rJ¾„Nr­Â^y¼qÏ"•›ÄJ´®Ä#2›'&H«˜íÒÊÙ¢$©™——F•aƾiÛj±-:HÜ‚ýÆÏäƤ²`Rýz™‡Øܬ òT$»åφ½*òýó"zãM*Þ¤ê91Iê<ôõ9AÂC”‚öê,ÌF:s!+͆‡w“*¬IŒ0ù+UÔ& ¡AŸ›}W55a¯êÓ*DAU>2úÝl›jƒ‡ù©-},@m¿2ꯘ3J%Ëõ3Õb`A“`„_¶L"O´S’wr u¹¸m“ä'™–I:I–‰Í’tâd–°“y!‚YBØ@e~2K8Îï
+<–•Zº<“}õ¦Y“ZǪÓÜ •Žl´ÙPŽÍlMÚ¶ãN’f †‚mFû`šaÜÉ¢¢fºŒ53ciõ3»w}þ@_VèmÖ'&, –Ñi½|l.3gÒ
+Ø+6ßZ¨¸«†ÂÕÇÌ2Œ®ø@¿Q†e>‚ £ƒg—a’Ò×Këíß?bH¨ôÈŒƒµâ}Ka÷Š»‰Ó8î¸ß7î=!fQXqìš]ÑU Û'ê\“©ƒÖ¢ðê­ûP$Ô¼C!GúÖ ýâ‘*¯þô=yƨí.üºY]z„VÀp¬>ZÀ›W^ÄzûjyOÍÞæ]‡yÜ!zçõ÷æ5¤£ÐZ…å›î·ÐÒÁ|CW<^è>Ee8{*Ó
+"–<7Ï:Êy5PÅö¾9n‘JB‹ícñÔRû±9|EÍÉ2Ž¶?ÀÝñ‡W,¿dÎL X7¯6çÚÊ$"×& ¥ÑQ‰^Ö8›ç;Éûªøן´¼¿ú 9uû]²Gã(z&9FH
+êÂéA#ZeryQæ¡U’!sŠã-µh0šC-ß&Ù†·¾4vRíx±†{£äÁGEþWÌÖ c)¿; SDëñªr’òžAY7›'¶$5›–å¡hïCŠ¬Ô²9nÜì¸ï¸3jñö¡Å̬·¹P§E°Å媞©«£<Æ ^¸ëTÂö"zè¤X !¢XLô Íq: (º®Üí;žÖÐ//bg¾ÿô…gPœ °e³Ûk0zÞñ’€¬Õ5TQŠö}êÂÀ Â÷É >›ÓM¦_"³I*…~C˜20Tb¦ôÊ LF•ÄCšWûy[ý·œXHÊE#©¬1}ÎÒy  ¿|ÿB´¾Åi;úÚ– Å
+XÕUÞ)â÷âiŠ\8 •™˜•»r5•Ý¢TÅ€ŒpbÂýÄY^Œ!ÀˆdhèÔȈ r+‘Ó
+8x£Ñ‘hÁÄ‘téX $ vGúÉé‡fÀyü;‚­ƒEôöx[¾ÁS¼2°„l,ÿ•¦’º),®î%›P…‡f} ŽQ"…ûðµ%)Ú í·UÙ¾Í
+[“+²+¾=«ß\éwšýi(C ‹þVíŽ;ú†4eeÇþ²m‹ î-8̸qƾ¬Ï©ZÏr頻W˜õ:7TÆ4(#©·#çä8EŒ+%©¨„äÙûo
+ëÆ–CÂá¤&ZŽú‰75ˆd.Ñ1«€Ì°¥¥}f Ëáì>1Ï“8šÜü±œA9‚ð2‹¸‰?S[˜‹\ù3C.½¼È0N•qŸ5ZBZ‹(Ë
+´݆†Œop0M‚<£özÔÄš€žzÍE>ø>Ö+ £kšßÎW=
+¹jóØRÛlìŽÛ®ÚoyâÄdK9 Ë἞î“ìF™è ¥z-êeþb»âª‚Ètb…™½°bË\äìó­µs‰ýTDˆ©Órªx9¨’¹{é¶F‰XÀÀ;È&PCD-2kÏ.nðyUH
+¤7Ã
+´Zò©ŽhÌà‰©z¥G/gÌø匋|Ðœ?”Û ÿs .ìcïs|jØh¿âÕçx}R8•ëp&.{Ó‘Ï㬡¾.Ä „ßžUóU&9ûQ߶8ôÊ¡*\OÉlFóm839ºß—£‡F8÷¶¤ ÄHóf‰SIn3^±ŸDº=%ê?*I
+PÓ†~à¡,°@Yy-ü+‰—b 8|Þ€œaÄ@ôvÌD)czðâ;³Ò§ç,Šƒž§â W¿Pˆ×aø(äµvW¨ø
+„Sè5 TöÒª˜Ë¡JæÏ]½úTM6tå¸Ø¢ õ0£S7*VÿH¢ýµæõfà\³×ªÏÔÿb(ƒo²¦Ü_z„åWÿŸÆéŸX´M”srÚ‘Jëðá«
+Dá¦\vFyø‡ŽsÒÿj¤Q©endstream
+endobj
+1836 0 obj <<
+/Type /Page
+/Contents 1837 0 R
+/Resources 1835 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1829 0 R
+/Annots [ 1839 0 R 1840 0 R ]
+>> endobj
+1839 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [87.6538 504.5633 137.7628 516.6229]
+/Rect [87.6538 269.6318 137.7628 281.6914]
/Subtype /Link
/A << /S /GoTo /D (tsig) >>
>> endobj
-1426 0 obj <<
+1840 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [370.941 394.4938 439.613 406.5534]
+/Rect [370.941 153.6184 439.613 165.678]
/Subtype /Link
/A << /S /GoTo /D (zone_transfers) >>
>> endobj
-1424 0 obj <<
-/D [1422 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-434 0 obj <<
-/D [1422 0 R /XYZ 56.6929 291.246 null]
->> endobj
-1427 0 obj <<
-/D [1422 0 R /XYZ 56.6929 265.0901 null]
->> endobj
-438 0 obj <<
-/D [1422 0 R /XYZ 56.6929 180.2304 null]
->> endobj
-1428 0 obj <<
-/D [1422 0 R /XYZ 56.6929 148.3001 null]
+1838 0 obj <<
+/D [1836 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-1421 0 obj <<
-/Font << /F37 802 0 R /F22 737 0 R /F21 714 0 R /F41 939 0 R >>
+1835 0 obj <<
+/Font << /F37 1026 0 R /F22 961 0 R /F21 938 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1431 0 obj <<
-/Length 2892
+1843 0 obj <<
+/Length 3264
/Filter /FlateDecode
>>
stream
-xÚ­ZÝsÛ6÷_¡·Ò7Ž
-7¸Î›/@S´°½ø`û¼„‘-»ð¢ùü"¼ËŸ•
-öy±ÌRË¿tçÙŸÕ+£€
-ÜNÖæU Ò#)Œ¨ÂPÜBÃô¤Y¦·V Ó2—ÌŒ¦å£ë¸Ç¯UËÍ#ìkóCƒ|¨¤•Ó«¤ €bÁâ4aA…ãèÑp®2Š(t
-ö{5; ýŽ§‰ËœaôÙ5‰t
-®qB””O»Bs’ÐÜ
-¿ÖC[Ê‚¾ï{vÈ£Â1/Ñ©{ëw€øùööR.6ÌD4 n×þ8ÝýÁÖ'ÆøĦ#‡É³wTDÊxtGDÔ
-°ín´½ÇÂeãÆL`‰aÆŽšM^fñ¦1¾ðح٦¹[¶Øämþ`'1L‡Ìõ¶ƒyi.¬4‡æ¡z»€“„¤u¾ZH£²YµÙèré]y[ Ñë¸ušjgG3×®\ ­ñuRÜêéO°ÚÖyÚjP„Rê\jøTp¸ò š/[z{Î}˜œÊ?ߢÖ™£a×Æy^ #²«3žBW÷GqŸúc.‰q‹™8à“±Go¸ÍfWæYÚÛ®ø^îˆÁ,‚º=Væ‚'à\œÍÌsƒ<š†!œV½ƒä`9ÿ¢ÝînÆ›~[§›MZO$ p,†­&(v,)Ùÿµfªófqàòkä [¹Û,týmzÈÿj
-Íùþ¼\ûùHùüÙ•cÝÑüñjÊØ €DÆ$P‘Ù÷ù'mÒ¿2ï6-ÝEû½IWz@Ö¿ zpSx,=œGjLäu€¦ÄöU,QCÝ`ó§w77—H7:ÛÕyûˆ-¼¸Uk+ߎ8óÆ k²:_`½ÝåÑ‹BÌ Nq5㢶qöŽp°^͸<Uuüóá„㧪c¹f«77e8QÇ (X†'#eŽ_ËÓ3Éò±`rîí9÷/6%8,D½±#Ú[˜ Òî¬lûµõ$‘.@lw‹"Ï4 )~ʪœ§»v]Áz©‹1ÐýŸªÔ(د÷¥¬ö6D"Xìœ2]%
-Ã[á×ÃßKp
-U¬ŸÛ˜4oHâçÿ¬Y€¯.v›<ú M-%Q’‰1ÁcFéʬqáýR[eUáºÒbeÙzcÛÜù0æC¯Sˆ¼1ÇÑ ÓwȌهÜáLôæLXdþÕÊßlÓL{}ÚtáÉRï‹ÜÞ3Óh1á9³´†Êg5ò–í®ön¬‡«ñu«²ê"ÅÐùu…Šsg¾8;`ê£ÎÀ×bÑ9À^³-|©¸Ûúå|-8€´ì.É©òQ=¹Tù!×û—Õ!(!v²î p¬‰#AT,ÄAÙiÓ|Ö+Çer¶žgEštuý¸'¤;ËqgAlÿ¯¦r”™/`?uodÿ‡°¡Rµ _ $fsto†ÿQ7wU}g›Ÿ«•¬yðAЕ>¦ò™ÒÝM0^þ®s
-‡sæ“~¦XR=øsxI‘¤¾í!K|Án—Ÿxtâ$VÓ±{ˆ1­€d±Úëú~gý· î!ë‚Tj×ßYgÓÿ¢ Æ_—’:™…nÇR-íìF×.o2¤Ùw4~\>_wº~Dr y,¯ïAsnª[y²`S6TJð¿z«}2#Ýû*|÷ë
- »miþßö˜L˜K¢àªB´kólçs
-¯ëôÅŒª`årÊQ¡9ÑUMýèpm~)1Qô…¦_üƒŒþ×*\’H)6]>FaLO甲·G¬þ—ǪÿÇ1ë&endstream
+xÚµ]sÛ6òÝ¿Bo•o,”ø $Oiê´î]Óœí>Ü$™EÑ'©”]ß]ÿû-° ~HTìNz£.¾»‹Å~A|ÀÏtÈiÔ,6Š…géö,˜­aì‡3Ns~Òb8ë»Û³oßÈxf˜‰D4»½àÒ,КÏnWïç¯|õîöòú|!Â`±óEóï®Þ~=?¯yûæê‡_¯_Çj~{õË[ì¾¾|sy}ùöõåù‚ëÃzAN,xsõK„~¸~õóϯ®Ï?ÞþtvyÛñ2ä—Ò2òùìýÇ`¶¶: ˜4:œ=@#`Ü1Ûž©P²PIé{Š³›³v£né”üB©Y¨E<!@Ágœ3†b$ÁаH
+é$h™æ 'Á¼i“6oÚ<mé&)ˬhßȶYÙûu²Ý&µeÿÛ7ŠN)˜-„bFqå°O"Œ`§ÿص33#-å•°æ=ÎÈˬEèCÔ·û-Y­jlüQpP 4,8‹•ÄmÿFCˆt0
+¾Àõ./¬ÆØÖCÞn*òåïÛBÀ­Z;nµ_ñ
+“ï£ÇL†JÏBÉ™2`žwàPëé¨cÑa\ Qú¢§Lj@­À”wÓ,…ÎV Up˜ÈÎZ<_1,ÖàUNÉ@ižZÉ¿NÆ'd  ¬
+¹äc¸0eZÒ_U{W¤œ?lòtCªãa â±ÙKʃAqæG›¹o_½»WØ·À÷D9œUkÀê)ž¸p/byR°"  °—"ÅøjÁvC”Ç‚¡f<ŒM¿ó—+™ ”¿±à8CSi$AbØŠ‡¡xö ž fÙ
+»Ž;ü:²,€QÎ7 ÎC"žž¤Ì*P¤!:7b^á8Z4\…» ¢=¯}°ÍšuÄ:;¬®‘a:ŽO›BAôÉ!`W&d‘ˆÕWkk‡q1Dy¬­<Ï&ªßùËÚÂ?¡­BÅ~Ê‹S^ŠT§0Ÿ²Àe1RŽãÁ+Š$K
+=)œ³A'Ÿó{q8Gã¹,[èÎ
+ÀøRpЄÇnÏ6ÉiC`±ÉÛüÞ-Ùëí]UãdJåò8ùOÚäëËðFbm¹!+WÞ–ûJÊÐê”Lš
+
+i6®©Œ„Ö¡ø¼,´{²£JÆ®Î!§.0Á,· ÜëÄ`ÑÔŸ«v‚‡r5㲜—Îúe‹»Tã”zIp·Zù蟲qÇmfǽäÆ%Ÿ‘ÏŸ(E‚ñU,Œ´½áŠÅÞƒ¹’$§’d[ï!<X->e_YqcêKÍ6A°%ùÑ5²c½œVî·Ë¬þ2<œÿrJßÏûóx±>ÍûHußIÚŸ_÷Ïòÿ±à«¢Ø«óˆŒ‰ÈÎ
+‘}Q”"†ÂRðG8X¯g\^bºù‹át`£ŠÝ^ËêMgŽ€Åôq
+’QfDÌñcMz‚‚#\Þ9‚š¼òòôIŒ sQ/lÉ;ac CAÞ•‹ƒùÃÆYé½
+{Ë5]Òv»ÉxN6 WœrfiUS»ª\Q;=i¨r%c,ÞЊ|²*hBpÔqôL‹­a²ñ¥Š>Oì«,Ûú0‹çÙïî]Ô‚8uM¢Ÿ ÓÐlFB3š.1„˜ÂÄ>Ññ T4o¯AVhæ7ù6/’ÚE“0ŠF
endobj
-1430 0 obj <<
+1842 0 obj <<
/Type /Page
-/Contents 1431 0 R
-/Resources 1429 0 R
+/Contents 1843 0 R
+/Resources 1841 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1437 0 R
-/Annots [ 1435 0 R ]
+/Parent 1829 0 R
+/Annots [ 1849 0 R ]
>> endobj
-1435 0 obj <<
+1849 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [461.1985 446.9131 510.2452 458.9728]
+/Rect [461.1985 234.8652 510.2452 246.9249]
/Subtype /Link
/A << /S /GoTo /D (DNSSEC) >>
>> endobj
-1432 0 obj <<
-/D [1430 0 R /XYZ 85.0394 794.5015 null]
+1844 0 obj <<
+/D [1842 0 R /XYZ 85.0394 794.5015 null]
>> endobj
-442 0 obj <<
-/D [1430 0 R /XYZ 85.0394 609.5647 null]
+562 0 obj <<
+/D [1842 0 R /XYZ 85.0394 769.5949 null]
>> endobj
-1433 0 obj <<
-/D [1430 0 R /XYZ 85.0394 580.4619 null]
+1845 0 obj <<
+/D [1842 0 R /XYZ 85.0394 752.4085 null]
>> endobj
-446 0 obj <<
-/D [1430 0 R /XYZ 85.0394 498.6081 null]
+566 0 obj <<
+/D [1842 0 R /XYZ 85.0394 660.0457 null]
>> endobj
-1434 0 obj <<
-/D [1430 0 R /XYZ 85.0394 466.6958 null]
+1846 0 obj <<
+/D [1842 0 R /XYZ 85.0394 629.9318 null]
>> endobj
-450 0 obj <<
-/D [1430 0 R /XYZ 85.0394 295.8979 null]
+570 0 obj <<
+/D [1842 0 R /XYZ 85.0394 388.2848 null]
>> endobj
-1407 0 obj <<
-/D [1430 0 R /XYZ 85.0394 269.7599 null]
+1847 0 obj <<
+/D [1842 0 R /XYZ 85.0394 360.9804 null]
>> endobj
-454 0 obj <<
-/D [1430 0 R /XYZ 85.0394 137.1206 null]
+574 0 obj <<
+/D [1842 0 R /XYZ 85.0394 283.5376 null]
>> endobj
-1436 0 obj <<
-/D [1430 0 R /XYZ 85.0394 105.2083 null]
+1848 0 obj <<
+/D [1842 0 R /XYZ 85.0394 253.4237 null]
>> endobj
-1429 0 obj <<
-/Font << /F37 802 0 R /F22 737 0 R /F21 714 0 R /F41 939 0 R >>
+1841 0 obj <<
+/Font << /F37 1026 0 R /F21 938 0 R /F41 1218 0 R /F22 961 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1440 0 obj <<
-/Length 2684
-/Filter /FlateDecode
->>
-stream
-xÚ­ZYsÛÈ~ׯ`ù%P• Ï…+~’½²W[±ÖÑ*IUv÷‡Ê$À%@ÉJjÿ{º§{pP EÇ*— =zúøúˆr&àŸœEqg*›%™ #!£Y±>³O°öþDòž¹ß4îzs}òêNfY˜Å*ž]/¼ÒP¤©œ]/~ âP…§ÀAo¾|wñþWg§‰ ®/~¾<«Hï.þvNÔû«³ήNç2dðödz×çW´37—?ÐLFL¯Îß__¾=?ýýú§“óëN—¡¾RhTä“_³¨ýÓ‰u–F³{ˆPf™š­OL¤ÃÈhígV'¿œü½c8Xu¯NÚOŠPéXMP©)FYk¥Ïóâµ€½r°W8/Â#pÓ]iïyÓ¡ŠBedÊ›š6oíÚVíé\K,ìoB¨Ê68”AN³Ž“£ê%-´·–&~¸ü…fª|m›M^ð|{›3Ëûrµ¢-7¼ÖX[uó0:§ÙÝ4¶ŸT¬J®_›,
-ÎP¡`‹À'e˜E‘rªÐNðušë¼-nQ äøHA‹S "8(—´V¶¼©©wÛS™¨
-{ ŠU¾kÚÓ ¯D8¨!±°M[Vy[ÖM ÖÜÖ!Öp¢Ã` M£îäƒX‹B¡âd–èÌ*³gÀsœYNa ¿Œâþ䯀-ÅD¨žQHÏñ)!3šl,â!¨%¡H29€š÷#B-aœêø¨Ò ™Â Wf©á ëa”(“ÖAU·D4[”˜×íâ%ÌD&¸©Û©ú!µ!S9ò0æc(—q–xäÎ'J8&ÆŸP-ÃWÀ ‚í°Ìw+Ö¤­ééø”Õ'2 Ä]h”VãXͱì(°Ç ª,Ö­ãà¢êÖJŠC!{|BÌŸ‘½¹J°ÏgJU(¿I
-ýÑÖÓ¡ÑB}Õz2 ‰¢o±^Š¯¨.å^ÑUÃʵùg;qÔ\g€l ¯‘?Û‡©S@Õ82~÷·%D3øÁg¢ú®\`@Ä:@pam‹Û¼*›5 —õ–Ö)r`Æ—o¤Ÿa±±+[ø9¿Ñu#™
-À•1ô„g´•{dä$‘ºaa‘À[¦9÷Ú’¬¿µÅnÛ”wv^W«‡)ôB N}EpSIìí£ fÈ«†Hj‘T"ÇÊÍÀøˆáÔ;p;¿¸$¯™£ÇÊãÍ-QëÕmëâ†Eù{`\-¢àÚ•Pµ;sa·<\Ò³«I#B¯ŸÂê}¨ M’ì·¡ ñ-ùÙ”Ÿ*ç0pjKS¿)• e\_]ßôÀX4Á&
-ãUºÃª0à¥L
-m›IžW…ï´ ð¬àþðæÎ`õ%’_dТ£‚IBÿÃ"%¨ÜÇþúD·Zª˜’N8³†²UnV<‹R6X~á
-±€Û€pi ‹”õúsd°ÈÛœ˜p2ãËL|‚ÄÀS”%å4».¸33—pQU1VÑ~É× ãK1Ô°°¿­òÒ4ë:X¿ q±·Ü»ñZñ;ôh6+`wSts¶ÝmB/ÌÁò
-ýiÊ/‘öá*xnÀ6@²¬úÀ6q(#ãcÏ3™hßã0ÕJM`xsÕ]ÕmxB×µ ª‹1Ü7%
-ôÁIš¨§Ó@Ô5`Î=Æ;Âi[ùÞ'†6Bíw³qA˜e>º¿uFªOT7`
-Ræ¶téw‚.H¥>*anPL”ÿê˜Uu¿aÞØ‚'óÕÎY2sç¼—ƒÏûûª)œð/ÜûLã_qo÷Ý çf†Å2Þ“™ë èIn@Qo£‚3€ÀKª®¸¥gÆí·ù± S•÷Žú' ¿;­î<ÒpÛé¿{Èã+J§õk
-B8 áÊõØq0É"sT»žÑQîPìÂVÏÕw®-p\kÏÕ'‚iM´Â»œQG¦Ú®ƒ:•ØiŸFèëØ?O#(ên1×GAN"Ó
-N²w8Ç"$9•7eïJì G\\úÜM: —œ‰¢^oÊ•]̽ {øòaÍdövæ‹ðÓŸí,ýyo~XÓN\5øX‘ɦúEàK¢ú„`5tí'!ÉEN‘ÕÔP+ÿ…“8ä<×èר2ɾÛÄSýâ®­awY€W™iŠ7·½´\)@tw™‘Ø2“Þ 8uqqV=L¶j&„
-àårЄ±àn™¥é„±ó(ëàñuE ÎzŽ¨7´²²wvEsX’›dgâÝ–?eá*YšèÎó¼»)ŒŒ…o©“0‰öîí®;L•XxnòmK}×C;çCd&}…zIßi©X¦‡2Ld ì¨Ú!²lâ{9òæ¶(_rñÀº?x æ)€‹ÆÃZ*²¨˜ýmSQ¶“wSü,K¾§p "³Kìï6„KQvƒš Wý
-(8/oÃBñ£Z ôfá´Ç­1 ºõµíãý‰&—ù"”År½køÞ±¯{3ôVÿŸžø6 ZëP¤fOmJv1 ï…oö_Ðø¿ÎX:‚Ûeöêm¹vÁ‡Ts[ïV ¢ùΆ$þÅž7*ÛÞ×ÛÏ}éÆüø[‹âR„îß«ô5Müùº«=Ð áŸë†Ò}Üò§'lû)N^»½+ `Œ>r$–ÍIi™/¦<Ü÷`›ãeÊù AÑòd„aŸ{pÂܾPþ4(û«ÝÂõõî<ú{€mÆüÇjC×ÖN;†z\•$O£âÃzd4pÔë)æËrµÇ|îå
-7/^säŽùÓ«N/Êábç³z‡=õz|»ÎíXÜÇö.,‡þ}säÎÍÖÞ•õ®éýþñ
+1852 0 obj <<
+/Length 3794
+/Filter /FlateDecode
+>>
+stream
+xÚ­Z[wܶ~ׯÐ[Wçx\HhžGJ•&N++íéqü@íR#.¹Yr-+=ýïÁ xYQöÆíÙb‡¸ sùf@u*á§NS+¬×þ4ó‰H¥JOW›yúÞ}w¢¸Ï2vZŽ{}s}òÕ…ÉN½ðVÛÓëÛÑ\NHçÔéõúíÂ
+-Î`¹xõÓë‹Ëï~¾zy–%‹ëËŸ^Ÿ-u*—?œS뻫—?þøòêl©\ª¯þòòo×çWôÊòß\¾þ–(žÏLzu~q~uþúÕùÙ»ëïOίû½Œ÷«¤Áüvòö<]ö¿?‘Âx—ž>À)”÷úts’¤F¤‰1‘R¼9ù{?áèm:+?%…6VÏP«S¥„OS=‘`ê…5ÚôÔ¤"¥\lò:_¬—÷ÅcK[}Óå]±)ꎅ¸Ë7›|‡ûþê"Q£ã‘§KŸ¨$L;ÉÂÜÿÆA§Ú¯drºìù‚Îm·+ë÷Ô­¬Ë®Ì+H„z¿¹)vŸn'ø:¬#ã
+¤'oŸöû?,o…ïÞ…E—³»ûÏ×$®éa
+=’&²§k9ÀÀ«U‘·<Õ¾¥èC9\‘§ÍÈùaä|5ÎÓ‚‘¶<ëÐë¦ü§±‘Ë `Æñß¡+¤•&å ÐÞ…ß’
+™^IyoÆ@Š›±âÓóп5u@j2"Üî3PË <ãT„°€&ê`ãÙ˜u|»)
+N ô‡µ”Ö†8T‚ëãx"4ú²/´NC>šK£‘^¶ÌâÿÊÛƒm±§#M‚%Öiœž:¤€»¼ž?>Þ˜£³$3ø¥Qb
+<9`al¢=S‹xð_]?ÁJØ4‹È±a“9Xüó:vú3™RŒÝ¼*ú°K¦”ÌW—ßL"` È¢ÉY4ìÅ}Ü9ýàs‚5YŸNe H-¿ oRŽyìa×ÕÅ+j¤R©еɱSçT•´UѶbÎÛ{T^ ÿ h˜9XP§ÔZó9ìù¤´Q¸á¼0 㼘T°ÇðèE¤XýB´ÙyÏá_ƒÊÍx¤L gÓ/³-“p¤8ûmÑ­î
+泋Rùöõ›¿žÿ‹ÚWWmÁÎèD(eüÁrx[V²n\C³1-„§…ãNññÁ.:s EàÞÒß sÖEÔ?™ˆÎí¶X•ÁÅó$Á>ísÀÇh †™;ÚDScž”jŠ@Nt! Äk•ž…4²—dÐà Iª;r…:lºb-Æ_ÀÛ¬÷\‘,Æìû¤#olL)öº¥˜ü 22O¹jåÑgÍå¢?P£eŸ}™5eÍͦF? é3fÔ¡t2À©¾˜ñ¬%–¹ß°%ñì%/×E¹™Å¸F@šš‘dªõLQ—ûXÝÇÅznòP
+EF"%mP –êíT‚ëÂZ"¹.,„ö͉ë¢*hK]òŠÀú1V"CÂœè)fÅWTVJ§zjøfÝàR¸'ókœé–Þ¶ ¿)¹
+hËŽ3ɆkdQaF…øÆ{Æ7*j¡1]_qåV™gÎKY)Riþ@Râdôµ%sS75ÈBÂb =GUebU
+ÿ3`EÖ¤Šãð(\п*±J}—×\ÛÍbÈ|CÙwTñþŽzÉùR¶GêHÕ²p„=“Ó4áô¦\¡QÒUè Š±ÄJKtò“Ø
+Uh¤ìÊ® Ûƒ?àjåôøµÙïÂU þ!¡¿˜«¤™Ð*þAÒâ׺š“¶†”^{=ªåØPËyd&b-ÃÈp-CƒÓ"K2Ý ncÍ%®fRêòQŸ1ªN¨¾ÅÒ\
+ìÚ÷”mÓ¶åMßcñ±³FGg3®§ù¡ž¶â›.QKmƒëÔ>^©LbŒIÜL•“ô–c›Ã\m¾¶šØ(5{«‡¶‘ô¤"~f’ètñá§öÙ§²mœÆWhÎ&j ‰3
+ÊÐì? ¡¿ñÀ n¸i‹XeK…ñòàò¿{h(ÄÒ™ñ—0ô¹Jêý¢øX¸‹1œn6ZÒeg­™‚þC³»ïQÄ_7»¡î-UÃé„O'Ìˇ ³‘o¨ ¯‚‘¶ŒºøiO\mLצpr7ÜpÅ“Wyħ‘††Ëו„Œg@¿Ë„tV}îH¥ðÞÄH7TЗZ9!3ï¦À2sˆ"깯 ð¢¯Ò­ëqY5Í=¤Îë¹¢™ƒÐ§úëéfË7F°@8<)ÀÒ ä{Ü_Z!mtب|ó±Üã—Ï£†D8í“Ïë>têïÈÉ.ñc‘É·PÄ{ŸArz AÒ¨xÁaÞ RŠÒ©JÍT[Bø˜ñ¾Ð×öwßëêƒ(Û•hvï©ž#f»Ž¥EN§|7]_+ ”K“øf¼Åq’gq‡eC?.N+±7
endobj
-1439 0 obj <<
+1851 0 obj <<
/Type /Page
-/Contents 1440 0 R
-/Resources 1438 0 R
+/Contents 1852 0 R
+/Resources 1850 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1437 0 R
+/Parent 1829 0 R
>> endobj
-1441 0 obj <<
-/D [1439 0 R /XYZ 56.6929 794.5015 null]
+1853 0 obj <<
+/D [1851 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-1438 0 obj <<
-/Font << /F37 802 0 R /F22 737 0 R /F21 714 0 R /F41 939 0 R >>
+578 0 obj <<
+/D [1851 0 R /XYZ 56.6929 769.5949 null]
+>> endobj
+1854 0 obj <<
+/D [1851 0 R /XYZ 56.6929 749.4437 null]
+>> endobj
+582 0 obj <<
+/D [1851 0 R /XYZ 56.6929 672.0805 null]
+>> endobj
+1477 0 obj <<
+/D [1851 0 R /XYZ 56.6929 641.9666 null]
+>> endobj
+1850 0 obj <<
+/Font << /F37 1026 0 R /F21 938 0 R /F41 1218 0 R /F22 961 0 R /F39 1161 0 R /F48 1238 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1444 0 obj <<
-/Length 1128
+1857 0 obj <<
+/Length 2928
/Filter /FlateDecode
>>
stream
-xÚÍXÛnã6}÷Wè1)@®îä)›:iÝlëuŸ\Ã`$Êa#‰Z’ŽãÔûï¥DÉ–{#9.°0 I¼žÎ ghhºüšï@Ý
-lÍ lè膣…é@×æ²ïf`Tc@=4G}>\[žÀÀ5]m7°|¨û¾¡£ÉÙÕo—Œ‡£s`:ú™ Ïãêgoï~U-z\}¹»¾½ùktyîÙgãÛ/wªy4¼Ž†wWÃs`øŽ!ç› ׷¿ÕÛÍèòóçËÑùtüi0odiÊkèV!È·Ádªk‘ûÓ@‡Và;ÚR~èÐSK¶cAǶ¬º%|ü¹lô–S÷éϱ|èø¦·G¦¡ ÇliÐ  k™V©ÁBhÓ‘Ðuýì…fX øU Sœ‰J^†Ò±BÞ׶ÑØ]– =ÏS¢Ü
-k–¡´úœ„ â|ª>þ-€4Ó‚A¡%°á(Ä*¯f¤ˆ Ì.Ê¡z=H­2Q#P’Ð%ø¶ÀlUãªö(b˜óYŠDø0Kªýû…zNÛ˜æL@³Ã
-†2cöØ=Xä‘Ü­“qUp § ÛŠU=3Õ3c‹¤Þ\á´28$nÓ|Vð®0sÊĦ½ø¨V¨˜1GÒ¬ÙuVqø€ÃGP2W 뎾D,[Lj$k2Ï(òÍh­ô#ñbú|R¸%I¢±Hµ­0ŸQ6ËhgI&ðœ±ÚèL#"(YäÍ÷Í©}¨BLj{â‚‘lþ£‰- T¤(¦ƒ˜2iò[Í
-ü,Ö -{iôº`Jºr1Û\žA5pòR $ßf<Çai¤ËÍF2Ð,Y­c¸è%E…ƒo9Ùÿè7­åÉsÌÀ=âÇmi9;f4‰eÄÄYXû߶ýš„HsÐǶvöSz†üƒy:9ˆ±k%HBç ÓÈé}}"t´¯ú$’&OâýH‚¤½Z’5CùŽ^ÖêŸsydÑjTn
-óîLZ-"œ jÇ!Í"ÞAPÀ)ê-óÅý#^½VÓ¡÷žæV±ã2‚„xHn7Üu]®-Ï”‰³=ÛrJ˜_Ê.žçjömäxË×;`x”sßäžÜ&M÷5M™vZrõŠ¦}€¦}$ÍÀ€f™üîÙ«"\f²2ý!!?ödãdžPB"y:–ç${ª‡æNOÔÇ´®ügÒ>d6Õñ­§ó5QŠ' Öê ¡mÞDfˆèè°ŸÊ@Ëp,x(CÒÑíý %!«€>Æk}!Z,d¨‘ á u“#ñPÖU¦¿`V$ÚE¤B$o;
-YUü±WzO˜×þÜàç¬5÷]Y,nzö\ñè›[œw_(moÛl™=ø¾¹½+2·:–îBß ¼šTySì2ßÜ<½¦þ:éEHendstream
+xÚ­ZYsÛF~ׯ`ùe¡*Ìcý¤$r¢ÔZÉ:ÊnÕ:.D-”I€!@)Ú­ýïÛ=݃ƒšÚ$Åôèéîù¦“™€_2ËM,T¡gY¡c#3[lÎÄìŒ}{–𜹟4ÏúêæìÕ•ÍŠ¸He:»Yxå±Èódv³|}ýÝÅ7—ïÎçÒˆ(Ïç&ÑWW×ßPOA¯¸~sõíÏï.Î3Ý\ýpMÝï.ß\¾»¼þúò|žä&÷%s8ò›«¿]õí»‹·o/Þ¸ùþìò¦×e¬o"*òëÙûb¶µ¿?±*r3{€†ˆ“¢³Í™6*6Z)ß³>ûéìï=ÃѨ{5d?£òØä2 P&³$‰ cäÄ‚¦ˆS%•³ *- X@ÝWöü©+;»±uÇúîÊͦܡ¾¯Þèd´-bbcò̱#)óúX—‹/Í”‰óÔ˜Ù¼—&¿_¬Ë¶ý@óÿãæ‰éŒMÙ-îæ‹u’´~ž{”ËåζíG7ããºj;êÿïë)ŸdÄgiÛ®ªË®jêßÇl,ÔÎ.ö»¶º·ó¦^?ÒüGÛ~lv놚Á·ßÌÓlQ–×ÔÇñ‡ìü¿›Ú~lý¶¾3˜ä?Äð×y¬3
+¦ž²^ñs[~²¼<›;ÛK3LJŠXÊÁÜÃç)'©ã4ÏsžÔŽ%K£ª¥gImó`w«ý[Y´²ewžDûÝy’G–úšÍô~"%?‘FÝ]É<׶›ru@vo·vwow<X·=Mo®"â×½Ý=¹¬V¸üÊ:)æ´aZÅE’Ó½¥K2Ë£¥ÝÚzYÕŸ¨é¬χ»†§6<Ëö3LÇ¥
+]uÓÁm¹ëªÅ~]î<Û}kÉ8@¯šOßl×΢ýrív]1/Òûl·ß2㇪»kö]àwå=±ht =wç°2ãf³_w¬G-2g÷œòXrM—åâ.€
+•H°¬ƒ²m±™àÆa/!)Ät
+•ÎŒ”q¢À<#&ʸp§=ç=Çù˜¥ wù` 6…ÔÃʽï>RèD)ÅŸ&dÏñ„Z&±Ha“'Bº
+H8¬!1
+¶Ô`sSÇ`ÃŽlØ8647ýÊGÁ¦b•)93 lKùã`cŽó1ËØÒX¥£…¿€µ4Îu–ýy2öOÈþ0Îq÷&BÃZøíÃ2ù©Ü{Äü8ÖR‘X?k“”ì©
+ñ7Ë¡¸y¦õT¬•_´
+ÅþVb…û’1 !¬èïêrôÁuvÁ±8¶áê¯@¸†åb¯I¨üT,‡ªÚ·eí®ßC(¸ cËWSØ` YÕÃÄ
+ª<Á<CO¼È?ÎÁ‹WLTö÷›3…²åþAc X5á€ôtnÅO]™èñðÕõt ì7vÉ|¯›ŽW÷!.åÒÄ-VÏýë÷ƒÐ›½K_P
+ÈDÊð™` n‡=,"’y[ ÛC€÷ÂW×Þs“È¥dbÑl¶ÕÚ.ç~ôòbÁIg=ƒv¸PNFÖ‡1°l ,V°Ãâ~Që"”+_’Ô»è
+ êÊâé'^bâspù¦¦g=G4[YÛ{»¦> È£IIoâýŽï±p”,Mt¿ó<»­–ŒŒ¥O§³835»K sAžxKO]ê!ˆáó10³!>½¤[Z
+•ù1ÿ“düOñ¬È!Š"ôyxsÎ ”¸¹è5àËG/æ9€‹ÚãH*dQ3ûäL‹ª Ö¥Šû¢È%Û³#
endobj
-1443 0 obj <<
+1856 0 obj <<
/Type /Page
-/Contents 1444 0 R
-/Resources 1442 0 R
+/Contents 1857 0 R
+/Resources 1855 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1437 0 R
+/Parent 1829 0 R
>> endobj
-1445 0 obj <<
-/D [1443 0 R /XYZ 85.0394 794.5015 null]
+1858 0 obj <<
+/D [1856 0 R /XYZ 85.0394 794.5015 null]
>> endobj
-458 0 obj <<
-/D [1443 0 R /XYZ 85.0394 769.5949 null]
+586 0 obj <<
+/D [1856 0 R /XYZ 85.0394 769.5949 null]
>> endobj
-1323 0 obj <<
-/D [1443 0 R /XYZ 85.0394 748.6299 null]
+1805 0 obj <<
+/D [1856 0 R /XYZ 85.0394 752.2115 null]
>> endobj
-1442 0 obj <<
-/Font << /F37 802 0 R /F21 714 0 R /F41 939 0 R /F22 737 0 R >>
+590 0 obj <<
+/D [1856 0 R /XYZ 85.0394 622.2614 null]
+>> endobj
+1859 0 obj <<
+/D [1856 0 R /XYZ 85.0394 591.5303 null]
+>> endobj
+1855 0 obj <<
+/Font << /F37 1026 0 R /F21 938 0 R /F41 1218 0 R /F22 961 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1448 0 obj <<
-/Length 1089
+1862 0 obj <<
+/Length 1239
/Filter /FlateDecode
>>
stream
-xÚÝX[sâ6~çWø:#E’ï³OÙ”¤Ùé²-¥O”a[NÔõm%± Yúß+_
-~ÉDòå¹<΃XD’rÏ;Õ!Ï”§ )v. etº¸XvkŒTýTͱÎ{ó Ù†Ï<?wUéGž›Ú¯Xsš`å2«$T=ú®ÉûJÜ1H#zïåg´Z¡ÐÊräü³äÅEù¥UFÞÆYDcšHÀÀÎB.îÏ‹¢ô|YP¾Ü©Üó¥Š
-1WÇPÿ¡Vµ·)¬k˜`}p~ØW9ìã×=ì¿Rìý0wÿÝSûÿøÚíxÙt±§›0¿k¸†SÿjÒ³/ý¶7¢†ª¿‡lîó©ÝçÛ†£@*R¹²6zÁ|};ø’ú¿ôÙIendstream
+xÚµX[sÛ(~÷¯Ðä)Ùˆ.Ömú”vn:›´ëzŸ²"¡”­$TÀvܺÿ}A€-Ùj"§Ýñx>¾s87äX¶ø9–À vc+ŒÇзßJË‘m=ˆwoGŽžÌ$Оõz6:¿ôB+†qàÖ,oaEÐŽ"Çše·§tá™@°Oß¼¿¹¼zû÷ôâ,ŸÎ®Þߜ׷O/¯þœ¨ÖÛéÅõõÅô 8‘ùãâÃl2U¯ñúêæw5«Ç@§“ËÉtrófrv7{7šÌ¶²´åulO
+òet{g[™ûÝȆ^ùÖJtlèık•£±ïAìyf¤}ýµl½m–öêϱ¡ënÇNŸýžë5
+üþJÊ €€ëÁرÇÍè£Õlûô=rD«¤8QýoÍtχQàûpû¾:‹ós5å:áé'ÕLŠB5Ò£Š3Õ©WRÎD™êܯՓB†’Bw;è5EKLJ…}ÓhÐÙö›æT­_©Ö¾ì^g£)Ê ©6Eé‚2¼Ô]†è§ºÃ‰zEuîå¦ÑHeÔñ$”,q¦7K Æ)N¹ÑÝî¼H¾Ó¢¦•”u`JʧÔú•TzAJ*žà
+W±*ôÉÔ‹û§¦—¤)b ßzÝ'ÂäU†±Ã>i±é”Ã(
+ã.7¾®‘1&”ûªO€{àÀœÌîOÔ°‡ï´mìY³Ûzy~é:Öv8—›Các¡· ?n(BŠ½U¡ŒyÂQ)Î_Gš”eB^Ç%å‘ûÐñ|oOQ²5¯’RwoÓ"a쮣1m*‰iìvë›d¾,]wý#Ë„y±yãAó3¾õ–æy7 ó~¬sËiR±Ñ_ÌvQgâ´~¨‚5®¢[Ô„…Mg5w®æÎéÂXò-„ðîõ0DPÅy÷$q=—’hÌšP¾—½ƒ²‘ȃA$sHHCqš‡ n÷
+d¨HÖ¦ìµaÆŽ$ 8Œ$ÇGKQn~FëC5ý¨ý¼¹õÉÇD1¥¼ ¸·ÜuÓ
endobj
-1447 0 obj <<
+1861 0 obj <<
/Type /Page
-/Contents 1448 0 R
-/Resources 1446 0 R
+/Contents 1862 0 R
+/Resources 1860 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1437 0 R
+/Parent 1864 0 R
>> endobj
-1449 0 obj <<
-/D [1447 0 R /XYZ 56.6929 794.5015 null]
+1863 0 obj <<
+/D [1861 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-1446 0 obj <<
-/Font << /F37 802 0 R /F41 939 0 R /F22 737 0 R >>
+594 0 obj <<
+/D [1861 0 R /XYZ 56.6929 540.8995 null]
+>> endobj
+1724 0 obj <<
+/D [1861 0 R /XYZ 56.6929 513.5566 null]
+>> endobj
+1860 0 obj <<
+/Font << /F37 1026 0 R /F41 1218 0 R /F21 938 0 R /F22 961 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1452 0 obj <<
-/Length 2113
+1867 0 obj <<
+/Length 1226
/Filter /FlateDecode
>>
stream
-xÚµYÝsÛ6÷_¡Gé&DðÉñ““Ú9w.nÏQ_êf<”Y¼£HAYQ¯ýß»ÀeÓ‰OÇX.‹Åîo ™(ü±Qª™%™$Š25š¯Oèèæ>œ0/¡¨/õnzòöB$£Œd1GÓeOWJhš²Ñtq3~ÿϳŸ§çדˆ+:ŽÉ$R1¿»¼ú9ﺺ¸üðËõÙ$‘ãéåOWȾ>¿8¿>¿z>‰Xª¬ç^à ..ÿuŽÔ‡ë³Ï®'Ÿ§?žœO»³ôÏ˨°ùßÉÍg:ZÀ±<¡Dd©íàƒ–e|´>‘J%…œòäÓÉ¿;…½Y·tÈJ¤D¥<p d=2š’LfÉ(Q‰΃7“(¦t¼Î¿Dm“Wf©›¨-Ö:**œ©¶ë™n>Åá³=7l1F2¥x_Ñf;û¯Þ?^úmÚ¦¨îž­¾³ÑÔÛf®‘ùU´ØÈÛ|±ðZÿp*X’ÁšH"…tŠþá¦É’$õø „áâ›MÝ´H›[ûñyÀ>‹"`Q°“}ÅÎè>î›?65K2hªzÂTõ}¦r*I6èÒ¼l£¹µ§ío±5#œ)õ\[¿éZÎa ÿpž&S>ˆ‚­ÑÑ“îÝks[7·Uý Øÿ^W:2mÞ¦-ææ‚ggÏ"oóYnôsSïè0뢊½l´Y¹
-ñ]åÁÖ™×+q–´ÍþE*Øc;^ªâØŠmÙÑ:7mXôµ€D\Œ¹ï©úó4l¦-×Fû÷Û*ÞÌËÜÃÿ#º‡Ô¶û_±¬›]Þ,N¿â
-/rH¢º*÷,‹Æ´‡lx†?¼ݘ`ÚÜåÐ!1¿•[„°Ÿþ|¶u©ï Aê*²xyDØ`Däk#ÂDä§ßDÇÛ ÎF{iMƒ œrTl›Qo6(Ÿ Vèµ®ZüüAÿF)¯
-»-ròjÄ/&¿ÓÝ>‡vÁz@BÃÀdoÂüN¿v;M'øy£ÍÃfˆ1J(ñH(I’$•Ïj‡ànQ™:kQ0£—[Oîë(¨òdXq¬*êŽ AIC:ÜjI¸!Ó4 I³Ô¹Ð—
-t5ï‰'àBÔ‰MWÖ³àT£›{[Z,½Ê!«xšsüeÇÒóz³Gª^¢PTØ‚d'Ýœ‹Õé°
-ºãñv ä—8‡të ‰Ã.‹ÀãÞ{NÀû$ øÛªTå²óÒÔCw¤a$ÀµöÂ1HÚMÝ»6–L»H9¾ÝË€¡ñ»=òz™C·ò£ºQ¿ n0 =dÈó| æ&lŒ×7OøX ä¸kFt> §°åÊøxdX9ó‚óU^Ýé~`u
-‘ãw»«£ ["Ê¿«nvÊÌWzí¥}3Å»Æ_xP¸û‚`J^ ë/ƒaË×›R¿9t—P®»Ö£`ãvi¨ò©ß×5ÇÍb$…§ƒoô·XtqJ”Jyè:Š»U‹»lÊ|®Ãý¡ÃÏ-”HÅ<”|&C]†Ë½ÅûÕ~•+ @å8tiEᎠ°^rB®:ëß~ý
+xÚµX]s£6}÷¯à1îŒT$ñ¥ÉS6uÒìt³[×}r="¡ÁˆEò&Îzÿ{;¸';ÆB £s¯î¹W¦ú!ó¡I¨e¸Ô‚¶‰l#X Lã^=» êP¿šo}˜ ~½"®A!u°cL¢–MÏCÆ$œž]þ~ñe2¶Í3í˜gnnÓ=Tÿ]~¾½º¹þ{|1t­³ÉÍç[Ý=]Æ£ÛËÑ ÏFj<® ¸ºùc¤[×ã‹OŸ.ÆÃÙäã`4ÙØÒ´™¤0äë`:3P™ýq`BB=ÛxR7&D”bc1°lm‹º'ü5øsØxZmóŸM<h{Ømq …D¦©E]õ)t&¥§Cà˜æ™ˆïºÒ8½r•1Ý›.w,×ísý7+lV„ µmÜ }éßù¢,d®Ð:^Ä)ÈY”3ñ
+²:5ö÷¢ŸÞ¦ž8›Ë[É6ã¹Üô7³šaìèxnµ¸+Nù!¬·Ø›gÇHE¦Û0PA›®#?NÖj½yΊÅî^ób?YfÍöœg2®¥Ûaµ£89±búB²¼^HOÉkk’dÏrûO½Lù—/óÔOºryUx«ñjñR¤Zs‘± ÃìUöØÚPhgŹ½¬¨pX.v"õý­Ýñs”ƒ“7Aåè(ç Uú#•¨YÔ‘ÚG®%Œ\d Olí­§NŠ`Ïžþ¹GG©8âñﯳr9¬Q/Ö»+ẌlZÈÝ×zË$m–ª½ÙjͶy~Dz©Šö4s`î­JÏ%ü¾¡‡v‘uÉq¨t^W©¶Å»@|)ßN©ØÛö t¨¥ãšei/<«aÏYñné
+Ý´ž
+„,ñ«Aª.ó4}d¹¥î¿3È–w›¨mºéP»gúÙ,ˆP©<hì”âÌjä͵ŸK!Á®­ k»ú¥|dC꺎Ñèß
+ëXҭ奾¥‰Ô…'øæ4©:¯©Rb§ü|((Y¨Z§QÅ&˜¸ôÀ~^‚^nm ý·b“B¬R×]Þ+®G]‹1‚È5îtK® ]ÓsŽ'î¶Ð°(´uÚ¿}Þ§†VJí¤Ç…ÄÅÖ!ØoS‚K ±(=Îò¸¶¢ú :@A\Dµ¬Kñ‰„ô¥ªçq NÝMt;bj;“#ª\Òv‚¦®j¢7Ÿ×m3-ž‡7Gq7Žâˆé@S·&UHÑ>óÍÁÞkêÿqA”½endstream
endobj
-1451 0 obj <<
+1866 0 obj <<
/Type /Page
-/Contents 1452 0 R
-/Resources 1450 0 R
+/Contents 1867 0 R
+/Resources 1865 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1437 0 R
+/Parent 1864 0 R
>> endobj
-1453 0 obj <<
-/D [1451 0 R /XYZ 85.0394 794.5015 null]
+1868 0 obj <<
+/D [1866 0 R /XYZ 85.0394 794.5015 null]
>> endobj
-462 0 obj <<
-/D [1451 0 R /XYZ 85.0394 421.6574 null]
+1865 0 obj <<
+/Font << /F37 1026 0 R /F41 1218 0 R /F22 961 0 R >>
+/ProcSet [ /PDF /Text ]
>> endobj
-1454 0 obj <<
-/D [1451 0 R /XYZ 85.0394 391.5435 null]
+1871 0 obj <<
+/Length 1013
+/Filter /FlateDecode
+>>
+stream
+xÚÍX]sÚ8}çWøvFŠ>,Ûš<¥Y’Òii˲O,Ã8 OM%Ñ”–ü÷•± 6˜‚¡;ÙÉd,®¬sÏ=ºâ^„-dþ°ÅèpÂ-—Û!̬ñ¬¬G3wßÀÙ;  ßzÓo\ÝQ×â;ıúÓ–‘ça«?4H`Ë  æíÇî]çþïÞM˵›ýÎÇn †šw÷íttß»ùðá¦×Øc¸yûöæS¿ÝK§œ ãM§ûgjáéã
+õt0©5ZÌ„LÇ×éc˜„lüŒ!gŒ”@üï¿dÍDËe-¼Ï£.D™Å"Ô˜ùJç‹–Bb9Šâ“1~ƒ(*öÖáq@(äÙå ^®sùtbýGYdÉhùy ƒqè+5L?ü\/­„ÕËy¶â)ˆôuUÓ Ì^QZÑcNùpÈŠG_qâ(\ÖP®´ã'1þ’˜Tjø1ôìËh5õƒp<F±Ɔw׫«ôÙu:èÌ桘‰H‹ ¬Ô™TêL/Õ™ìè¬ôâáWâùa?ƒ¯ !—9jjŸLÌ‘R£™¯ÇO£0PY\/'(YÀ4;r ,ùô‹Ì üp1/ŽGñ<I¤““æüÜ+9”ô'|û%_Ér0¥Qu«ŒßõJúÏÇ)Åc@Œ¢“-JÕjH¥k)›á©JÛŸÍóQ’™mK½±'†%7ÂÒQ{9YuÄÁÏm˜¥e…¼\• '1cÐÆ.ÙѯÂI¿/"K3nü—…˜+ƒ»¾÷*¡–~¤¦B‚`bR"ˆÎ.e ¤šÕ
+endobj
+1870 0 obj <<
+/Type /Page
+/Contents 1871 0 R
+/Resources 1869 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1864 0 R
>> endobj
-466 0 obj <<
-/D [1451 0 R /XYZ 85.0394 391.5435 null]
+1872 0 obj <<
+/D [1870 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-1455 0 obj <<
-/D [1451 0 R /XYZ 85.0394 367.1321 null]
+1869 0 obj <<
+/Font << /F37 1026 0 R /F41 1218 0 R /F22 961 0 R >>
+/ProcSet [ /PDF /Text ]
>> endobj
-1456 0 obj <<
-/D [1451 0 R /XYZ 85.0394 367.1321 null]
+1875 0 obj <<
+/Length 2961
+/Filter /FlateDecode
+>>
+stream
+xÚ¥]sÛ¸ñÝ¿BôLÄ€ ’“§\ÎN}Óø®Žï¥i&KÅEª"E×éï~¢lú¦×LÆÃÅb±X,öJ2Sð/™•y¬t•ÍŠ*‹s•ä³ÅæBÍaîýE"4sO4SýpñúZ³*®Ljf÷«¯2Ve™Ìî—Ÿ¢wyûËýÕÝå<ÍUdâËynTôÃÍ팩øóîçÛë›÷¿Þ½½,²èþæç[Fß]]_Ý]ݾ»ºœ'ežÀúT8¼°àúæ¯W ½¿{ûáÃÛ»ËÏ÷?]\݇³ŒÏ›(ù×ŧÏj¶„cÿt¡b]•ùì
+þ•=+Û2Ú6}7åpà†s ªÅ„Ó3ˆ›ÒvÝ!X†›"<îÕƒpCÑGÆ-ÝÊî›áßþ°\…Ö«]“Á,'=Å~¾q‹$âôi”kÆPZ/«
+„óâ'OâZ)Ü7Ú#³œ¨&L‰%rê«Žúq=ð.ÛÆ.œÏNêŠTÅYž>é®Ä“!.Cr8¿â¨n)0
+Å ¬Ãº&3ÑGÑãSÛ–ð™0Î)Dü¶“Äjy ɳ]2…$έ¥¢YIöS>ŒâÇÛoêȸ÷Àtåì°ãCiµ˜Ôcçs©¸ÉéY³Æx†U“ñÔjÒ
+„–ú&B¯Àb€)( ê±Ù ¾éìÉMO]
+½UXùÇ
+ʱ)×Mœóð#ñ Š?Ae)‡VþiÁ™¢B¢Dˆ˜S1¾Ég¶O•Î•|žû(j8µ<ß(™°Æ× *=é
+¥)̼ôJÆ™eü,}ª?Cîë%þª`ˆˆä3å*œ)WÏÎôGÙQ•!;ªR²#
+¥^ì©ìÃ1å0\€¢Ýùã>ÓÐeNêèšó¼ñ à+~+“Š
+endobj
+1874 0 obj <<
+/Type /Page
+/Contents 1875 0 R
+/Resources 1873 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1864 0 R
>> endobj
-1457 0 obj <<
-/D [1451 0 R /XYZ 85.0394 355.1769 null]
+1876 0 obj <<
+/D [1874 0 R /XYZ 85.0394 794.5015 null]
>> endobj
-1450 0 obj <<
-/Font << /F37 802 0 R /F41 939 0 R /F21 714 0 R /F22 737 0 R >>
+598 0 obj <<
+/D [1874 0 R /XYZ 85.0394 648.8056 null]
+>> endobj
+1877 0 obj <<
+/D [1874 0 R /XYZ 85.0394 618.6917 null]
+>> endobj
+602 0 obj <<
+/D [1874 0 R /XYZ 85.0394 618.6917 null]
+>> endobj
+1878 0 obj <<
+/D [1874 0 R /XYZ 85.0394 594.2803 null]
+>> endobj
+1879 0 obj <<
+/D [1874 0 R /XYZ 85.0394 594.2803 null]
+>> endobj
+1880 0 obj <<
+/D [1874 0 R /XYZ 85.0394 582.3251 null]
+>> endobj
+1873 0 obj <<
+/Font << /F37 1026 0 R /F41 1218 0 R /F21 938 0 R /F22 961 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1460 0 obj <<
-/Length 3497
+1883 0 obj <<
+/Length 3404
/Filter /FlateDecode
>>
stream
-xÚ¥ÙrãÆñ]_Á·@Uâì\¸*OòZZË•Õ:Z¥’*Û Š°I€&@i™¯O_‚$ä#[[Úiô\=Ý=} ÍDÃ?3‰•ä6Ÿ¤¹W±6ñd¶¾Ð“gèûpadÌ4 šG}óxñîÖ¥“\å‰M&‹ÁZ™ÒYf&ó£DYu +èèý§ûÛ»ÿz¸¾L}ôx÷éþrjcÝÞýㆡ×?^?\NM›èýw×?<Þ<pW"k|swÿ-crnÞXôáæöæáæþýÍåÏß_Ü<ögž×h‡ùíâÇŸõdÇþþB+—gñä>´2yn'ë ;{çfuñùâŸý‚ƒ^š:Æ?o3'9@6ËUl¼{_ÞCþÚÄ)m€ÑÇûN3£’$Eéh¯ò   oB1V«š¤q®gI¥ívOÈšw·Ö'™J½ÅíqÐ5ðÒ¥< $úoS—Œ«Zé«ÖÕªØrw×0²¾UñR&^!˜Gå—Y¹éxD·,ª:¸½4YTnVÕ¬èJÙ£©W{¤¨š£ò8¶D^·„ÕÍ£ûÏØf2yÖP;o¹³YpgÁŸë¢íÊ-£ø8ˆ­jÀóãýúeÝU¼öaê£O¢ÏÂÇSÚp’¯MT„©Vë¨n:ÁòwÛõœG̹cSl;îC:Ct âÛûÏïQ{Æ Vï]”E·âÛM9«~ÒÚÎŽiåJbƒ;ÃûÄÃKV­7«r ç/ºª©ÕØI‰ÀÎìlÍŠšqO%#vm9g rªSƒ”½ .yd-š-£žW;Y†%íO$=FV…ÒEgä*M©;F‹è¡§ 
-H÷÷ø²'‰Êl–ÊÆÅæjÖÔ‹‘»æ › CAŸsÑã²’õwmñ,”
-2µŒ§öÉ1§I¥ÜÓ ”5(Ìœ„H"
-ì4ÞVYjÁÃ>ÖFêû<lÄž”sӳ̲™aæ&1ªw”-‹–Ó‰¢ŸÚÎî<­;G:‹ŠÕŠûÅÅù>fÐA–-ãY˜Ã‘G4B‡Ð=ŪmƤʞ…<x¼%o6ô}­Ø_Ý+""ùL±îÏë³3ýžwÔYïdï
-´uiô\½ ApÞ ›C8#.!n‡žÐ³/Å#”j¶£°¿É‡á$Æíºe³­0hx)Ãæèm»e?Ÿ€ç-0Þ@‡àã€Ã(@tJÃþ¡^?ðƒÎiÙ*ÔͶz‘Ц”Ýk³ý•?vít<\Àõ“$z¸}or“ñÇÀíÊ
-þ&9ñØB SnëbÅ£„¥40°4$gR²û›4Dz¦ÛÒ_\øà‹ëà“
-Ä#¯ú„PÀ\‚#¦ÄåÇG:½ÌΧ‰“ŸòèÚ)£ñ#Š]¬·Iïðp;f ‡Ådxh `g]Ë=§qEÈr÷’º(c@)Ð!ù9g`ž)›%^¸Òl(E»Í‰Ê{>÷šqqC\¼ ›-x³}³càµà¤Œí£oɪ7ϦƟV™*qed¦Öç’¬‡QΖEý|SÂð§Í*8Â0¹9ŸWÀùæ ÜñÈM
-Ë !2[&‘(Ç$¡r“HìNPÈ QoRVx^!·&Æz Õ§Á6lF½ •Õû3q’,Cô3Ðÿ·Cža$ñ•ÑÉ!äI 8Õ¿EÉ„7à ý>wPg† ¨ öI‰Eà5º?¬3?ë ª®"ÞÁ—Æ
-Nœ€Ñ{Ôq>s¹„ ˜Óš¡»{™EeÄÔ ·O»jÕM¹„{*B!UœŽìø¦áÜɯºå³‘C
-³>ùß3¾…¸Pg}
-]àJœîºcÎ<Ñ.‹Aì13•ç‡$_$3$ u´x˜€ÜàK±­
-nP!÷mW®[îÁ·Ë'yéuøÓ‘ÖiºŒ ·_ê…\—ϱۄá›-½-ÈÊœÀ|æÂC2õÎHʘ_Ëýëàg¿ÿ òÝç±
+xÚ¥ÙrãÆñ]_Á·@UË1æÀ1É“¼«µåÊj­\IÅöH‚"l  PZæëÓ×€ Åvv·TÓè鞣»§êI ÿõ$IUêŸdÞ©$ÖÉd¾¹Š'OÐ÷Í•ši š©¾~¼úê½Í&^ùÔ¤“Çå`¬\Åy®'‹£Tu #ÄÑÛ÷ïï¾ùááæ:sÑãÝÇûë©IâèýÝßoúæáæÇ›‡ë©Î½ýöæûÇÛîJeŒ¯ïîß1ÆsóÊ ·ïonïßÞ^ÿüøÝÕíc¿—á~ulq#¿]ýøs<YÀ¶¿»Š•õy2yXiïÍdså«gmÀ¬¯>]ý£pÐK¬còs&WIê2Y¦’yu^ž#†y4‰Vq§óNs­Ò4CíèTygl¯§Jñ
+8sÔ‹„‚¸eFe>ÉÎNýø ÔÀyžů`¬Ëùl¢2ãòÓý`D¾j`H/Ćn.‹ûŒÈ¥ÁsTl·tæ]‘P!s*¡Ìr¢oô$£8“°N°7@>U\
+0 Ž€¡(N«¨T 1fÎ4žŽy¹îºâ*e[ïZî³9(ÐÒ|¸2Î)SOåö×`>W&OC5%%ÍØi†Ñ˹·|L,Ò’è}˜lÉ“š=/¹•”ý#b ¢Ó‡“g2íÎÒœU(EÉÿL zJ‰}ÇÚ‹Ãr’䧀[ ù¬\ÏU‚™»)\‚ä›Y±; °&—œÔ˜<<±ïåÖ;(§\æÝ©ÁHÂï8ù– §Á1ÿrî2ì`/F‘]ÛqäAæ®!r+†Jã16õú€28 ÐÏ%ÀÕp[¼³¤ÙžŽ[*zCˆÜ´{*± ÷"UØ-m@ÊOk”öZ2Äy P—” ¦aç0^@lË9eŠgê$]|jÿêÕ”g˜I|avrLy2 AUÿ‰!…áÕt¼r»×Ò+ÃL,ä8M=‰h…¹æ¥µ¦¹Êœ þj^¥|UW]Ūfu!Àñ_
+ɦlMÊfBQ6 !-é-–K_ æÂ×›0PÁ4IZ}…¤j4ýþ'¸wt
+ ·¸p¾¦ó¼ÚsÚýHÁѯ*M%]à‰$ ~‘
+vœ‚Ó{‹«£K äå{ùž¡»{á*èâ#åÛÙ¾Zw¸¸ÊR%èÈŒ¯:ŽÁ™ü¢S~t@QðÈöUÇat]Ñ¥ãÈ¡ÓY3±q¢ [ó"„uùDSSŒ#.DÇ0¼îó§G Ó&
+­ÜT'F‚³‰ÊZ²wŠ;I0&è9ŸŽ˜Uìe0Úï©wEÛí®!o˜wûÁ%܈#o¬)Æâ ‡z¢Ü×Eo?~xÃ]÷·TöÓW}|øC’â¾J¢b¼:h_ÈÒcb¹‰u€«g¬éŒÄ|½ÙwcæEÆ ™[ùy»®ætUcÈ«Í{‹ôÖ'ù`Þßäß–ó@œ÷h†èØý¯œ/´7§µ·Ñý¿Þ}üpsw¯ÍšEhÑ”BRãé$.gD-c-ìj˜ªüL²×<Ú˜
endobj
-1459 0 obj <<
+1882 0 obj <<
/Type /Page
-/Contents 1460 0 R
-/Resources 1458 0 R
+/Contents 1883 0 R
+/Resources 1881 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1437 0 R
-/Annots [ 1462 0 R ]
+/Parent 1864 0 R
+/Annots [ 1885 0 R ]
>> endobj
-1462 0 obj <<
+1885 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [251.8681 205.1117 347.399 217.8489]
+/Rect [251.8681 217.0669 347.399 229.8041]
/Subtype /Link
/A << /S /GoTo /D (root_delegation_only) >>
>> endobj
-1461 0 obj <<
-/D [1459 0 R /XYZ 56.6929 794.5015 null]
+1884 0 obj <<
+/D [1882 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-470 0 obj <<
-/D [1459 0 R /XYZ 56.6929 162.5022 null]
+606 0 obj <<
+/D [1882 0 R /XYZ 56.6929 167.2075 null]
>> endobj
-1463 0 obj <<
-/D [1459 0 R /XYZ 56.6929 137.1661 null]
+1886 0 obj <<
+/D [1882 0 R /XYZ 56.6929 139.8789 null]
>> endobj
-1458 0 obj <<
-/Font << /F37 802 0 R /F41 939 0 R /F22 737 0 R /F21 714 0 R >>
+1881 0 obj <<
+/Font << /F37 1026 0 R /F41 1218 0 R /F22 961 0 R /F21 938 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1467 0 obj <<
-/Length 2969
+1890 0 obj <<
+/Length 2820
/Filter /FlateDecode
>>
stream
-xÚµ[[sÛ6~÷¯Ð£<S!¸‘
->_ÞÞß™î‡ë›ë‡ë»÷×— "ÏS+áÌ7·¿\›Ö‡‡«_½z¸üsùóÅõÒùÒ÷—`¦ùzñÇŸx¶·¾Àˆ)™Ìžá#¢í.xÂPÂëz¶/þíöÅ/a%’Š‘
-ÏEódZZ/<ù^l„KgIuÿÑ€¼
-£€ ó<ñ­ÃO8Ê}}†S Oß¡¦ ¤Åù )`Pã|ë¡"|ëP§‘:`…œ‡lƒÌ•P×îP#ê}¾A~cœúúß’o'/†l£HbÐ|žm\ ~˜£l³ø —C¹ß±vÓ´Ài<ö5eH -Î6äÄjŠm=T„mJk4#´8”Ûb5²z“ˆPÊãêjD¿O7¦7ÎÂ7à£ÛÎÕ&þ™ùó $~,v‡­%!ŒÑÑì7Íõï­áe®­„ˆ"¬¯pKäáÂ0Xóõ-ѪÃO¸Ê¥{iB',}Y<Æ5aH(-J+.9ª8­ú¨ó´r¨áô_Àÿ9«ÖÅþóЊ!n°}ŒâP#–ô§8"öÝúÿä³CCš%ÉÙÜÆÖWå9!¡ÃO¸Ê}ýÊ œM‰äñqp¨)CiqB^`’M‘°‡Š°C™1«ËsEK-Å'”;ÔˆvoȬïD2P¿ß¾@Ø©šïòldÙ·æºã¸
-jÐhžºÛ—û\gEÌæË' «óÆ4€ýÆÊlõTìóº{8³÷Ÿ‹­µÛäßUîTe#å6š&ˆ Ù½ÛºkËmB‚!#ñ®¨gj¼w÷ËÛ›ÿŒÕã$‚Àwõ¸]^×Ùç\{`ýÓ ãòõÏô™íÌÚöæ¯vSc3íyÜ"¶EÝ–0u{ŸíloWßòÊ*ø„l‹©æÑl?r¨Š]fjz`¬÷
-˜» ÔT ‰ÀœZ? adpÖ¹]‡í±6­lÿb·¿ÙŽõÚŒC]çµyÎ+‰jL[ )FaÙE“ô”Ó¼ùÌbÀò®ä¡‹çR̯¬yeÕ˜Ö.³æ=æ[.ÉÌ1á€0À¢+ñãaê¶:º90oÄ\X1A“WY›PØÒ§µ½ MÙ ê~m{ÌÀÉn¦ÖžyI½"iGØ8uÜ2A†LðzÙdÇmݘ»ÆÊÉJ¢TŸ x“bÂS‚Ox?@f¸ix¹®M6ÐuóæøhZšfµ]$-O/Ekµ¾è¤ºWf¾;4/¦©gËÙ\ÎG›Ó‘ó¹¼:ŸËª­È?å«/ =;ëp•ÊP*Õ„r‡Ñî×aHtžòÔ/MªáFìºÙ0é¾cÝN<°ÒôXö5U±jì3Éx’U®[éaÉa¢XLÖ’0õ˾Éþ2-ƒôsyÕd…Õ¼.w¦ÍMʪ­A{—åƒ\kò
-¶váÁ‡·®HâújÄ
-#M`Ñ5À¡F,ð)'õ‡!Ò7á-)ç92äAÓ瘀 “dž¯1Îuø ¯C¹ßÁ9ŽR*D<ü5aH(-Î9ý• “Sœë¡"œëP§¡ª‹ÇíH5®ý–ƒÃ+0ªÞ¡FôûŒ#ˆS¥|Þæ°>pcx¼ÀTJEŽô§WÔ÷4z¼`ñ>‡r_ÿVUQ}š2c(+J6¢€›ú 5J¶>ê<Ùª]“æ•ÞÇ.ê2[4Í6LpF‰È¸5bO7ðU0â›ð6tqdH8‰žÂ6ƒS©<W£ùÍâ'œå~ßô¹«äñè;Ô”!´8å`‚&„NQ®‡ŠP®CõŽ³L~øR 8—KH:aC˜àqN`$”Øð6/Õ1O†}ÂÆ,‘àt¹OôÍ›:í²ø ·C¹¯«ÂnL%©ŠÇß¡& ¥ÅY§?òä@™8ëz¨ë:”ÖØT/‹fuXTù¦Ê맱D;u7À¡F,&: >Ï‚·És#~ óœ@"²[eŒ€m°Ðë»Ís?ás(÷;ò,H‹ß¡¦ ¤Å‡aá+Ó‰|û¨ã:”Ö¨?Ÿ~ÌêðÊá-Ûú¨f‡QíQ*$SX¬zºÛû¶bλ²&SmAÎt™‚%>Ùhî—¦÷Ñ¢lÍ”Û
-µ†ÔMY™ Ìqw(÷µÀöw5EýÌé‘M©i= c_pC›$Ô/,öã«Â›Í}?þ%y¶µJÐB…©ë¿°ý©Ì7ò¹9M¢ržÙ›™ù£Kç¦ÕÆ
+xÚµ[[sÛ6~÷¯Ð£<³Bp%€G7µ³î´v×Qv›>0k"‰ªHÇõþú= @ˆ$HÀ™j'“~<7|88
+iš-x³:ÊCÑYÏQûðøef—=>ár(׺¼:9gA 0I0¨TëDì=*eH Í‚&ÙÆLtABœmT„m-ê4N>DzAvS„Ç•{Ôˆö>Ùb¤Ãžús’Í;1äšDŠâi®ÁtÁƒ G¹æð C¹oçš4‹©Ìâ¡÷¨”!´8×°€ŒÈU‚kT„k-j0L‹2"€ VŒ¨~1 G· h‰!Ù÷,ø{tS!Ýœå’")31Í8HÐT Õs5ƸŸp:”ûfÆq,‘–‚Å£ïQ CBiQÆ iÊ)™XK»¨iÆyÔi¤êc¾¯¡š
+œF”ª¸ú4¢¾Ç7ÁÅšõõŸ“o]/ʳ etOòj¨{ ëyã[‹O8Ê}{†ÓI…Á÷¨”!´8ß`ž(‚«iá[‹:ÔóJä"dd.Au\»G¨ïó òã´¯ÿœ|;y1dE
+ƒæi¶pôÃe›Ã'\å~Gí+ ,ñØ{TÊ@Zœm†4ζ*¶e4ÚZÊíf5R½)D(åqõ5¢¿O7fvβoÀG¿Ÿ«lüsûñ $~Üì[GB£g»á´ßk 7(ûÝy@(B}…"ÇVt æëZ£U‹O¸Ê¥ìÃE“f0þ°‘ŒÆØ£†„Ò¢´âPÕ1&‹f5M+Nÿlñ_òãz³ÿ2´ƒbˆlã†xÔˆ%]ç)
+„vÝúÿä³CCš‰„Vd2·q†ÍÆU÷œŽÐãî‡rß^¹³Q<>•2$'!ÏLÀ+i!a‹²cV•S‡ J-ÍÊ=jD{oÈÔwR Ôßï·¯vªç»"ßYŸ·öûfŒoàŒ^[ðOžz@¹¤…lw­ÍáHÌa¿¶mOÔ Q?µÿ[î “1›/Ÿ¬*jÛ
+˜(“7äLõº¯ó¿lgà ó^q¬óÓ¼.w¶ÍmʪœA{Ÿ$åƒ\kó
+[ÅLF~’g e×¼Ôý›Ã'Üå¾}U…ݘ™ŽÇߣ†„Òâ¬ÃaÂ÷o]T„u-Êh\﫪X-àãkñj«4—CêÁöŸ©,a†GØÑ£°…™Áïržt7éÎÐP­˜œN{ÜÃØu}‰Ý½µø„ó¡Ü·PQ„¡öB J™1”eŸ”0i²Ä*ÛMs¯uõñuQ¯‹cñx,ª§±5–AÕîA¡úá
+Ë`§ÑUÂ81\_a§9%aŒ€iPUwˆ.¯w8ú‹+ì;4‹…݃V e³¬=Ƈ™Áؘ>øïŽÿöSœþÒ„CRSµÌl´)Lg”1\‹¡åþ¯.BÓÿã yendstream
endobj
-1466 0 obj <<
+1889 0 obj <<
/Type /Page
-/Contents 1467 0 R
-/Resources 1465 0 R
+/Contents 1890 0 R
+/Resources 1888 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1484 0 R
-/Annots [ 1470 0 R 1471 0 R 1472 0 R 1473 0 R 1474 0 R 1475 0 R 1476 0 R 1477 0 R 1478 0 R 1479 0 R 1480 0 R 1481 0 R 1482 0 R 1483 0 R ]
+/Parent 1864 0 R
+/Annots [ 1893 0 R 1894 0 R 1895 0 R 1896 0 R 1897 0 R 1898 0 R 1899 0 R 1900 0 R 1901 0 R 1902 0 R 1903 0 R 1904 0 R 1905 0 R 1906 0 R 1907 0 R ]
>> endobj
-1470 0 obj <<
+1893 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [312.6233 667.7189 381.2953 679.7785]
+/Rect [312.6233 664.9538 381.2953 677.0134]
/Subtype /Link
/A << /S /GoTo /D (access_control) >>
>> endobj
-1471 0 obj <<
+1894 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [310.4119 636.5559 379.0839 648.6156]
+/Rect [310.4119 633.2165 379.0839 645.2761]
/Subtype /Link
/A << /S /GoTo /D (access_control) >>
>> endobj
-1472 0 obj <<
+1895 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [340.2996 605.393 408.9716 617.4526]
+/Rect [340.2996 601.4792 408.9716 613.5388]
/Subtype /Link
/A << /S /GoTo /D (access_control) >>
>> endobj
-1473 0 obj <<
+1896 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [328.1051 574.23 396.7771 586.2897]
+/Rect [328.1051 569.7418 396.7771 581.8015]
/Subtype /Link
/A << /S /GoTo /D (access_control) >>
>> endobj
-1474 0 obj <<
+1897 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [320.3548 543.0671 389.0268 555.1267]
+/Rect [320.3548 538.0045 389.0268 550.0642]
/Subtype /Link
/A << /S /GoTo /D (access_control) >>
>> endobj
-1475 0 obj <<
+1898 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [359.1386 511.9042 427.8106 523.9638]
+/Rect [359.1386 506.2672 427.8106 518.3268]
/Subtype /Link
/A << /S /GoTo /D (dynamic_update_policies) >>
>> endobj
-1476 0 obj <<
+1899 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [429.9426 480.7412 498.6146 492.8008]
+/Rect [429.9426 474.5299 498.6146 486.5895]
/Subtype /Link
/A << /S /GoTo /D (access_control) >>
>> endobj
-1477 0 obj <<
+1900 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [286.0435 315.5214 354.7155 327.581]
+/Rect [286.0435 295.6317 354.7155 307.6914]
/Subtype /Link
/A << /S /GoTo /D (boolean_options) >>
>> endobj
-1478 0 obj <<
+1901 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [339.144 284.3584 407.816 296.4181]
+/Rect [339.144 263.8944 407.816 275.954]
/Subtype /Link
/A << /S /GoTo /D (boolean_options) >>
>> endobj
-1479 0 obj <<
+1902 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [336.952 253.1955 405.624 265.2551]
+/Rect [336.952 232.1571 405.624 244.2167]
/Subtype /Link
/A << /S /GoTo /D (boolean_options) >>
>> endobj
-1480 0 obj <<
+1903 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [322.5463 222.0326 391.2183 234.0922]
+/Rect [322.5463 200.4198 391.2183 212.4794]
/Subtype /Link
/A << /S /GoTo /D (boolean_options) >>
>> endobj
-1481 0 obj <<
+1904 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [331.4327 190.8696 400.1047 202.9292]
+/Rect [331.4327 168.6824 400.1047 180.7421]
/Subtype /Link
/A << /S /GoTo /D (boolean_options) >>
>> endobj
-1482 0 obj <<
+1905 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [361.2812 159.7067 429.9532 171.7663]
+/Rect [361.2812 136.9451 429.9532 149.0047]
/Subtype /Link
/A << /S /GoTo /D (boolean_options) >>
>> endobj
-1483 0 obj <<
+1906 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [330.3165 128.5437 398.9885 140.6034]
+/Rect [414.4213 105.2078 483.0933 117.2674]
/Subtype /Link
/A << /S /GoTo /D (boolean_options) >>
>> endobj
-1468 0 obj <<
-/D [1466 0 R /XYZ 85.0394 794.5015 null]
+1907 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [330.3165 73.4705 398.9885 85.5301]
+/Subtype /Link
+/A << /S /GoTo /D (boolean_options) >>
>> endobj
-474 0 obj <<
-/D [1466 0 R /XYZ 85.0394 726.6924 null]
+1891 0 obj <<
+/D [1889 0 R /XYZ 85.0394 794.5015 null]
>> endobj
-1469 0 obj <<
-/D [1466 0 R /XYZ 85.0394 700.1172 null]
+610 0 obj <<
+/D [1889 0 R /XYZ 85.0394 725.3455 null]
>> endobj
-1465 0 obj <<
-/Font << /F37 802 0 R /F22 737 0 R /F41 939 0 R /F21 714 0 R >>
+1892 0 obj <<
+/D [1889 0 R /XYZ 85.0394 697.9265 null]
+>> endobj
+1888 0 obj <<
+/Font << /F37 1026 0 R /F22 961 0 R /F41 1218 0 R /F21 938 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1487 0 obj <<
-/Length 3113
+1910 0 obj <<
+/Length 2986
/Filter /FlateDecode
>>
stream
-xÚµ[ÛrÜ6}×WLå%£ª B
-;Ì΃v}Ô7÷W_¿¡b£â„oî½¾$Š¤Ä›ûôç-G]CÑöõ»·on¿ûéîÕµˆ·÷·ïÞ^onÿycKßݽúá‡Ww×;,Þ¾þÇ«ïoîlw}|sûö[[£ìÏB§w7onînÞ¾¾¹þõþû«›ûÖ–¾½8¢Úÿ^ýük´IÁìï¯"D•d›gxˆVŠlŽW1£ˆÅ”úšâêýÕ¿Ú{­æÕÙñÃ"”“™$¤7€#¦Û¦§„š¼ÊÀ¦oÓì\ŠÆ>䵶ìë7±ì½Ï ¢8 T¿øÅù¡ù¢RˆBR
-åP_éþ¨XèY}y·µ-—I“tâórwÌŽÕùÅ>ž¯±Üféî¡Höv}ôš&MòÔ|4 ° 7ýEmƒƒU™—S5ZÑÍNcÉ7;Œ‘bŒ›äCf?kbÄ<^ŽYÙÔȼV"¢˜­wÍSv±4Þ~LŠ‹@)u/f¶áTÕuþPd¶)?ØÚ$Mó&¯Ê¤°õ®º5=Ã@œ]oOÉGWýe¥­+òòC–ÚÚ¼l*[Û<9`á}MRÃd¼}_³Ö€ž±ur<ÎÜVhg»kÉË}qIµ<ýôœ7O¶dä™Wóº9çm‘­²-”U™Íté °Ý»w^\o–zhâM Œù†K°àxý´ë£,ùñLôhQz4Ò>âi,VrÄð<(ÖƒfÄö½AÏ1Pd ö}–Ç3«÷çüÔ gup®Õ·A pÉh¤üH&?å+, {d
-6¼+¾ý%Šhò¨Ëlk”1µÉéTä&LƒŽ*ú÷ Œ&ej«êæò`KŸÀ½!6îâXlo®5sxèa:m€NÇ0„–/Y=ÃY,¢Dv³†Žìà¥SÍ›ñÉFõœ…3¢¨æ6æÁË
-EJÊQ ·ñ(i|J\ìÓ1Úüº–û˜h;Ö%ï¦Ãjøåä¼X+7;m´¿‡Ðž4uÇŒˆc$# Ä%À'ÁÖ<³Åïú/LÙ9íWku®ªf·ÂQB%¢qDMÓ£fôFˆqoAÇdŠ£˜Ä+ŽÙG-;f‹ÒÕù99§c¹Š"B Ëõ ¹ƒÀŸ?âr(÷! ¥l{Ì’2/—ÂÍé[ïft戮›ž’ÚV%öÇ*¯©œº”!†ÙµnÌÌŸNÀ7$"î“7ÿ©'ßâ¦Àd2+sŸ\êÌÉjU,ªêL@VïÊ6’¼°>H`êÃã¡&‡F'PD€ßœ_`t;ÿ†Ê±qºÑF!h|Ìš¦}¥¬leRÖÏ6õѹ¦àÛ秼˜Œ¸”ÔY‘œëfnL®íGṺN~RÕ³ÓÉÖ”Õù¨3:]å‡ÃØVÙ:ˆ °fáñ8 åYºÌþ˜ Âa f`¿GõدÇw"Èj"í!Ù-jFø ¦ƒ­±Ô>ЗþSmÂ/vàKW…žó4sµO® 9mKÕÁ‹êÁŒ6Ô ‰‚tüWvB‚Æܽh9@ôÀTÔ§lŸë/ïu0©( û覗V¦°Ñ}J&
-k(A`ÍÊ8ƒ±¢„·›¡Lç0%¶ëK7×ô,³dïÍHi›\j”C~êï2µµ#§SK“fÎ¥ýv˜ 
-ðÒ£L¦úûÁh³3ë¢qlæˆ2ªÂÒ=hFú€˜F´ÈPü¿¯1)†ìâbXŠUl¢kìV—¤mÐôÕ†S‡û`F\·–É1³UšI½&(œ!f%.+ÖØ¢z´-¿D,ú­ºœa•Eì+#R¸^ÍWוé È÷NÙ¬&]¤ÁÀKÊÄ(êBÀ²ðö?oî-º%9·{P‘?B43l¨m…e÷Œ±•mW{àdTr{Ù7ã¬ñºÊ¸Qׄ·Î<‹ó¦é³ÔN§¬ṫÇ_‰]RÙ'PLâLyÿCÞ¯\íÀúßÊb5ã4b¬ÏT#ßqÆØEÙ’ËYK}&Ž’J°ÏôQË>Ó¢>ÓO;7œã c!c¶¢D‹šÑbÔ9’„Ôh}džEʴڛ͟pW½®ßèöܤÞÐÁÑö¶%bºUË#,—øʬÙGFÚ£ ‹qÇ›
-F"HP®ÍÈ䌥 å¾rI‡ôN$Io¯N¶õem- ikø,M*b~Ýl›f¥^ÅEÌ-%öjfýºoÕ\_’avˆløìX(5tÀ%F0&±÷ày/…ŒTéÔ±—Ú(¡g)C·Ø_»é•í>yð›]~i:Z Äyìu8&µÎNgwTT7Ùë8Ó—‚¹GxMëBoâÍØà <S/Ð-¦¨LEq¼2Ïö@ËDö käï;G™]š† JaN K÷˜©ôᎄD â?ÏÞל#éB"ɨXÜ£ð)€Y¢oh`©ÝÂÃ6Oz]Ü‹&
-Aö"xÌ‚#ß‚VÔ÷\gÓ˜"¬"¶Â´*@5òŸÉd;‡ÌÍRù1ÛÍì{Àê”É°3£Æ€sŒ!Æ1êñùH·dÍ8’C"*D€|<B˜á¡É!öyüŠùÓ~—ø'Æ*é5‰¤˜„¿B‹ZQdÚ[˜"l¼Â¿`ŸÅÌ~­<-f¹s€Ä `@‡3QbÈ=‚„Òƒßiñ71¯g˘yñH’eæ±qLDÏÜï<:hø¸Ï?Á9Œˆ‚¾cßb‚*Œ{
-² RÄ¥Z‰w}Ô2ãZÔr„¨.Í4àÁ €«Ò¢ftc˜O€žeþΠçLšYW+ÌÕ2ù|% ÍÑÏãW`Úï§ …u`¤VHÑ¢V™ö&"DŒ˜ªv 
-3b˜PW6”{ 
+xÚµZ[Û6~Ÿ_aô¥ æò"ÞÓî$;Å6éN¦Øš>ȶ<Q#K®%w:ýõ{x“u¥Z4E˜"ÎÏ…²Âð¬¸@BS½’:A¾Úoðê ÖÞÜO³ D›.Õ×7ÿxÍäJ#-¨X=:¼ÂJ‘Õãþǵ@ݼþæÝÛ×÷o~xxu+“õãý»··Êñúõý¿ïÜèÍëï¾{õp»!Š“õ7ÿzõýã݃[žÇ×÷oÿéf´û™aúp÷úîáîí7w·?=~{s÷ØÚÒµ—`f ùåæÇŸðjf{ƒÓŠ¯žá#¢5]oÎO 3ÅÍû›ÿ´ ;«öÕ)ÿ%\!N±Ú°)?íe‚$!@$¹F‚QÖz™’)/*ãå}ڤ۴Άæj8cɪËr$8M¦ÁÄI"û’ߟ²]~x¹Óðºù˜Á€éuórÊÜTup¿­†n½r³[Ou©³½ª³#©›êœ—O]Æ0ø½*= ÃРBáõc[7×WUQTÏ=àœ37Æ„S¤9 †Þ8!a
+µ[A²Þg‡ôR4î€`Á“¨xEŒ`éÁóÅyÛ|11ª‘RR{ª¯ ?pÖ_Þ’uíÆeÚä¿zñy¹9fÇêüâö›m‘î>m÷4õ–!³±,È-¿žÉ†¬Ê‚œªq0Òb }5é'ï¤Þ†Nzë¸×ðdýkZ\Œ
+ŸÄúcî2"9S@erÙº‘©`LO¹¾?øÕÌÓ‡qÚ
+/ô]ªÈÁ TF"TéÏéy?j7¢”ó¸Ü@4!·ø¢X¨¾Üw4Œñõ1KK(î—Âçôƒ›÷·Bå@í¦R÷ã”·•ª/[ŒÛÌŸØ?N€7$±Å[ØêÑþ@Ü”ÄÙ
+ÇÉÜ¥ÐâxY­ŠEU}‚äô®Üâ!Í w)¤>ÂéŸÁôИŠJ87çÛÞPIüù–xdœYtQŸ²¦i_)+7™–õ³+}L­)…iCŠi$”bÞºÐzLxÁöÂÁ ÏÕ¥ðòSÓ’yÜLY¦¢3SÁÖ¶ÊÍ…€D%EX‰¤_ðC •ígÑŸHƒ E—jý-UýÆ¿Ãøƒ¡ªÁ
+bœé¸ô@4!}xA‹öÅÿ÷VS[¨.ÜщEˆ™q-¬)·`àkëp…d¬ÇÍj™37eÔY‚ÁbVê«bC[TOnåæøçêr†.†$LbZx®v×Íäþä;¯ì ºIi ì€‚Wö´…÷ÿ{ý€ÜзäÂÝEÂDþTº [Š”E@Œ›lYí
+ˆ‡ñ3Ó¥š?3-UïÌ4ÇÓÆ»sÔÁ*á J´TZôƒº@ŠŠíÙqáÇG‘r_íìeJ(¸«N‡.®wâÊ\è¼¾o¸Ÿ#Õóž†RW,äÌ+MÄËŽÆâÇCvxM ‘2eBDb IìUŠP›Kt%¾ò…†
+GÑÎýœjOÑ—µ{tï
+´ÃÊ–ö×gØ}VšÎ sß*Òçj³Œy=¬|ÏÉ°·B.ä@E,µ\ÎÎœ[þH©>™P…jóqcx2]d0™ÉÂÄßûuû5ÓÍîÒm¸à
+íè ’Hˆ$èpLkS‘NÞ¢èk‚7ao‚—†|#ƒ¦ua.î&ìá’Yèè9øb¨Ó5[p‡*á@åìümãQ³©óßÇQ‚1„ù‚hBþU„B˜_z|ž[¯);â¥BŠ39{ÿÅ`C
+1†Êü5 êh<œ¢6_¢Úz}*-spéÍÊŽ|Áú×?B
+u %º -Õ‚cnq&æ_±v¨" T1÷eÃv:1_­U\l šÛµT™¾ “¾ØÏ·«òÃ]†ÊKˆÈWw*‘¤àô®ê±¯î~ÁÖ1ß?ñÕ=A V:îó–jI‘·8¼°FË…{]ª¼Õu‡Ì‡ÍtüÉPÄ5Uqé-Õ„øþ]˜D\&¤/ÿóäסÑ& j,æÑ'…H™ô ¡-Ð/˜<æ;‹6>.79ôPFßR-h2æ…›”ˆJ±pÛ!Šüåª'êìRSmê*ƒÍ|uOXTvK4Þ‡šFRqÙ“þY‘vµa ZJ)‰@M¤•ŽQ¤yò¸Á#®8ª`ÀÙ9Ý“Ä5ð™FW¸jãÈüõ„,øïoEÿòßj_ÿÚP¦ÔÜ•
+%
+˜x¥ŒâZŒÏ†ÒXÐ Õÿ#¦ Èendstream
endobj
-1486 0 obj <<
+1909 0 obj <<
/Type /Page
-/Contents 1487 0 R
-/Resources 1485 0 R
+/Contents 1910 0 R
+/Resources 1908 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1484 0 R
-/Annots [ 1489 0 R 1490 0 R 1491 0 R 1492 0 R 1493 0 R 1494 0 R 1495 0 R 1496 0 R 1497 0 R 1498 0 R ]
+/Parent 1922 0 R
+/Annots [ 1912 0 R 1913 0 R 1914 0 R 1915 0 R 1916 0 R 1917 0 R 1918 0 R 1919 0 R 1920 0 R 1921 0 R ]
>> endobj
-1489 0 obj <<
+1912 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [231.137 683.3704 299.809 695.4301]
+/Rect [231.137 624.1678 299.809 636.2275]
/Subtype /Link
/A << /S /GoTo /D (boolean_options) >>
>> endobj
-1490 0 obj <<
+1913 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [143.8055 623.0288 239.3365 634.8294]
+/Rect [143.8055 560.4651 239.3365 572.2657]
/Subtype /Link
/A << /S /GoTo /D (root_delegation_only) >>
>> endobj
-1491 0 obj <<
+1914 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [324.1075 369.6354 397.7608 381.695]
+/Rect [324.1075 296.9881 397.7608 309.0477]
/Subtype /Link
/A << /S /GoTo /D (server_resource_limits) >>
>> endobj
-1492 0 obj <<
+1915 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [359.1555 339.3849 427.8275 351.4445]
+/Rect [359.1555 265.057 427.8275 277.1166]
/Subtype /Link
/A << /S /GoTo /D (zone_transfers) >>
>> endobj
-1493 0 obj <<
+1916 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [353.6164 309.1343 422.2884 321.194]
+/Rect [353.6164 233.1259 422.2884 245.1855]
/Subtype /Link
/A << /S /GoTo /D (zone_transfers) >>
>> endobj
-1494 0 obj <<
+1917 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [370.2338 278.8838 438.9058 290.9435]
+/Rect [370.2338 201.1948 438.9058 213.2544]
/Subtype /Link
/A << /S /GoTo /D (zone_transfers) >>
>> endobj
-1495 0 obj <<
+1918 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [364.6948 248.6333 433.3668 260.693]
+/Rect [364.6948 169.2637 433.3668 181.3234]
/Subtype /Link
/A << /S /GoTo /D (zone_transfers) >>
>> endobj
-1496 0 obj <<
+1919 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [226.7331 218.3828 295.4051 230.4425]
+/Rect [226.7331 137.3326 295.4051 149.3923]
/Subtype /Link
/A << /S /GoTo /D (boolean_options) >>
>> endobj
-1497 0 obj <<
+1920 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [283.1811 188.1323 356.8344 200.192]
+/Rect [283.1811 105.4015 356.8344 117.4612]
/Subtype /Link
/A << /S /GoTo /D (tuning) >>
>> endobj
-1498 0 obj <<
+1921 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [287.6042 157.8818 356.2762 169.9414]
+/Rect [287.6042 73.4705 356.2762 85.5301]
/Subtype /Link
/A << /S /GoTo /D (boolean_options) >>
>> endobj
-1488 0 obj <<
-/D [1486 0 R /XYZ 56.6929 794.5015 null]
+1911 0 obj <<
+/D [1909 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-1485 0 obj <<
-/Font << /F37 802 0 R /F22 737 0 R /F48 953 0 R /F21 714 0 R /F41 939 0 R >>
+1908 0 obj <<
+/Font << /F37 1026 0 R /F21 938 0 R /F22 961 0 R /F48 1238 0 R /F41 1218 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1501 0 obj <<
-/Length 2954
+1925 0 obj <<
+/Length 2961
/Filter /FlateDecode
>>
stream
-xÚµ[Msã6½ûWè(WEX|¬=MϬS›IÖqjI‰²Y‘H‡¤<Ñþúm D$¨©855%|j¼î~
-¼–èv#$^}ÿñ[;’Øo~øøþþÃÏïn_?ÞÿðÑ?ܽ¿{¸ûøÍÝí†hAàûÔY˜ùÂûûßÙ«ï¾ÿþÝÃíoßÝÜ=z_úþÌŒ#Üüò^íÀíïn0b‰«ÏpƒIº:ÞpÁàŒu#‡›Ÿnþã öž¶_Š Êåj`"ŸŽ2FX@Ô6ŠÄ\uQ¦d*ÊÊD¹ÎŸ6¯é!ßåÍy“MVÁÝØw¢RZÓU‚€†GMð =ø*™ˆ!‘Ÿ²ÌÆ¿yv»¬ÞVùK“—…(÷†ØÈ«D!L¹
-QwF†(
-ö[y1ö˜iŠ(%jà±}X=­ìÅCÏw_ð=´k}ß^¼4R%1ædáñ,xÔ“Кa‚Ù;m)BÌÒLØCEØ¡ºŒÁÿ"/ž6E 9Ä'%bšÉ8šà0Ÿo%O†$þšø’žøWFókˆ:óߘždˆ:ô6&¼¿àwh÷ „Ç qŠñx<jIh-*< š%2.¼>j^x5ΖùL›S5¡> aI´Šóð¨ "õ%Q=äñvß´7c
-˜!5¿ñqxL9úÑŸÇ/xÚýý)ŽÌD<µÄ$°ןÀH$öÀ诇Šè¯C3Öœ_²@y"²Ë8š 0H»„²EÑ!…·—^çÈhv%‘ä$²ëñ,Ê¡¯±]¯Ã/xÚýÕQŒ¤V<Z`Z‹«àŒ“Ñ]@Í9™®©Ò¢ÞgÕ-ÑëM]žªí„ê(J(3ð Â@sBÁJCo£¹OƲƒiÌ?+;&OÌVpq#¦ºw;°:§95µùÅ¢±ï0qcKQ±N (ª­š—›GÍdió*§
-<%éš 2.ðg#&›êœ?ã*#JXDxf76-Pß—h•çð ·v¯×ƒÓ
-Óh:ÐÀV\~p„iNÅ‚üz¨ˆü:”™1=4›k¶<©:ΣM𪚚‚ ‰¼ú"îŒå'Ã@b^~Ð,IÂ.Gåçð Þ‡v¿@~ aŽU< µ@$´W MàLftA=TD*’²©MP$¡Ré@T†/X ÜR°û¸ü­"œÞ¨M¹Šè0á´>Ñvø…
-“Â
-…I>Šy2¹³L Šœt;Õ’[ak µ†#l×}—¢­…Ã/Ä ´;P£q·ScØZÀ ¤,ž Z Z³zÜHÁ׿b?–ÏLÚØÔ˜…©Ø0œ‰Ùä CÐkS'Óà¬ÒŠºŒÓº’<LìÊ0]K‹Ý„%õ©ð}c}H_§
-,F¡Îñýö¹Ì ¯vóL[âSÓ¾¦ù!ýtpãi3:’ÿWîê½fQ$³ë›Aø9]¨Vú¨ÈúîPÆß³3ĺA•Õyª:N(æñé=jbþquœ`(Þ¦T ÜWÇ ’GT¤:¦úF:ð4Z;ü‚Ï¡Ý™:%<qÍ»¦â¡÷¨%µøi‚ÒÉ’Ø. ˆÖ¨]£§C“o.+u¨4†¤Ö::µ…stÆ5’
-“Áäoó`ìÂXe‚‹É¼Ê´(f½ÐiÌ¡ãÞŽmÎþÄ1TG
-CS ¹-ÛŠÊ‹*$g ?
-¢‰ûyöã´‹ RL\é`[„tuæöžjS2cµþ\V¿×öÒö5pQ§Çîiz¶©Ãä¦ôÇrýb½xÍË“{òšU58é̧‘$²—÷ýluå`OÂ^vêjã ‚ ŽÊt¿§¾Žy]ûß
- >O½U“ç~¸·eû¹ó{àT´›«¼˜¨•‘WèrV4Jß\!è3“Q^(c뼶ŸEöÙ bŒv‹Fûaäj/ŒÜ׎¥o àÎ,Ÿ"Û@äó"shXUM‹)Öp ´>·m”¹º¬Wcß™´âÀ“a†ZÙÎ$œ²õ;@±®³¶ýà.ê2¢×§ƒí`„uFÍ‚È Ñl×. 4`óÉ. ŽXgéöy`à ç­Ê>èÔÕNXÙ绬È37vÑŽØw(×]¾æc8Øžlò`Œ-¬ú4_Êì½ÙÎ ží 5n.*û — Íb“7ÀbÇ _ßï-ÌÊ—mÔOaÖ̧¬nìC V§OîiîHš_[³œDÛ3·òĶ›×n—Ê›n=l§]×n^" ‹Ç~<þtÿÁ­*÷
+xÚÅZKs#·¾ëWèHU-a¼ßäµäÈ•¬­r²}‘Ci²$Gæ++¿>Ýh`8/½åMÅ[.`€ÐÝøºñ”¸äðO\ºŒqåõ¥õše\d—‹Í¿|‚¾.D”™'¡y[껇‹on•½ôÌi.V­¹ãΉˇå/³÷»þùáæþj.3>3ìjž>ûîîÃ÷Ôâ©xÿÓ‡Û»þu}eõìáî§Ô|s{sóáýÍÕ\¸LÀxg81àöîï7Tûáþúÿ¸¾¿úíáÇ‹›‡Æ–¶½‚+4ä÷‹_~ã—K0ûÇ Î”wÙå+|p&¼——› )–i¥RËúâãÅ?› [½aè˜ÿtæX&µ¹œ+Íœ9F½ÌÏÀks›yf”T—¥ór’B/¿?o}c…€a”jÏ8X·‘YX¶”wÞuW¾Û‚¿aâ–BͽƒÒ‰Ùþ¹¬©¥zÙ—U”{Ícc¹ÝÛe±Ä¯l¶ªvÔ\¿‹rõVnŸè;§ \— ªÿ§Ú4
+mMÍðÏÅ®ü•s¹ÈKV+’®Ë§m>G'Ñšy­ZÏ|–É`Ëþ°»nV †5¤òû?Þ¼§:Ît–¤G}}.¢ðþ9赜&£u•/Ó¸Uè¨6ôµ,ëO
+†Òëëë•—36ˆ0 °Pš»ÿžÊÇrO•€Ieô¸>„C¬•ÛrùbÌ”~úxÒg›âAŽµ”À)*â‰ßŠá8ì›”º€9y"k/˜õ*›>‘ÛR§OäFªú„•„CÈÁ­kRƒFjD….„SÛhÛÕNc—Íöi¬LBttNcìI§±¤Ó[K
+Û±˜:wO—T¹oÙÞÈŸ±}8/Ù¾8Z‰¿È ÃDÖ× ÷fÓ»ÐHÑd8jr€˜äÐg
+‚)£}W‰¿>ßßÀ”Þú¼®š#À¢¨…ìZ;¼$Æîá¼_
+|IþŒåÃyOÏŽeaaÕô$¡3j æšž7Œ uw-¡Ó°KB'6jþÙŒ1=kä´ÐP‹>ϳZuÕøŸ¡.ÓçzšI¡&€‡9/B-K&©^Ÿ¶|0ëŸGâÌ7r’™Ö¡?Ó$äLÆ”<ƒ¸£ÌÄ  ®•¯÷ó?“éŒe.sS$‘]°I`õÀ$Z*|¬MÒ,ͽš
endobj
-1500 0 obj <<
+1924 0 obj <<
/Type /Page
-/Contents 1501 0 R
-/Resources 1499 0 R
+/Contents 1925 0 R
+/Resources 1923 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1484 0 R
-/Annots [ 1503 0 R 1504 0 R 1505 0 R 1506 0 R 1507 0 R 1508 0 R 1509 0 R 1510 0 R 1511 0 R 1512 0 R 1513 0 R 1514 0 R 1515 0 R 1516 0 R 1517 0 R 1518 0 R ]
+/Parent 1922 0 R
+/Annots [ 1927 0 R 1928 0 R 1929 0 R 1930 0 R 1931 0 R 1932 0 R 1933 0 R ]
>> endobj
-1503 0 obj <<
+1927 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [381.2254 737.5325 454.8788 749.5921]
+/Rect [381.2254 245.6678 454.8788 257.7275]
/Subtype /Link
/A << /S /GoTo /D (tuning) >>
>> endobj
-1504 0 obj <<
+1928 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [362.4163 707.2832 436.0696 719.3428]
+/Rect [362.4163 214.9757 436.0696 227.0354]
/Subtype /Link
/A << /S /GoTo /D (tuning) >>
>> endobj
-1505 0 obj <<
+1929 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [402.2465 677.0339 475.8998 689.0936]
+/Rect [402.2465 184.2837 475.8998 196.3433]
/Subtype /Link
/A << /S /GoTo /D (tuning) >>
>> endobj
-1506 0 obj <<
+1930 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [348.0303 646.7846 421.6837 658.8443]
+/Rect [348.0303 153.5916 421.6837 165.6512]
/Subtype /Link
/A << /S /GoTo /D (tuning) >>
>> endobj
-1507 0 obj <<
+1931 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [335.4973 616.5353 404.1693 628.595]
+/Rect [335.4973 122.8995 404.1693 134.9591]
/Subtype /Link
/A << /S /GoTo /D (zone_transfers) >>
>> endobj
-1508 0 obj <<
+1932 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [363.1733 586.2861 431.8453 598.3457]
+/Rect [363.1733 92.2074 431.8453 104.267]
/Subtype /Link
/A << /S /GoTo /D (zone_transfers) >>
>> endobj
-1509 0 obj <<
+1933 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [365.365 556.0368 434.037 568.0964]
+/Rect [365.365 61.5153 434.037 73.5749]
/Subtype /Link
/A << /S /GoTo /D (zone_transfers) >>
>> endobj
-1510 0 obj <<
+1926 0 obj <<
+/D [1924 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+1923 0 obj <<
+/Font << /F37 1026 0 R /F21 938 0 R /F22 961 0 R /F48 1238 0 R /F41 1218 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1936 0 obj <<
+/Length 3435
+/Filter /FlateDecode
+>>
+stream
+xÚµ[Ýsã6Ï_‘·:3k?Eª}Ún³{é´Û^6}¹¶Z[‰uµ¥Ô’“æþúøeÑ’©Ìto:[Q$Ä
+û8ÃôöúýõíõÇw×W¿ß}q}têK GEþ¼øõwr¹µ¿¿ /´¼|†’Ñ¢`—» !y&ç¾g{ñéâ_á`Ô|:µ~BêL2‘ÃJrà‘ŸYeš)JH šqr\dF§Ùá—Û~Ùï˦»¯öWT/–]{دªåS~ª>¸(äå`Ž‘ h, HBA+ΉŽDùTUÖýÆ5ÖU·Ú×}Ý6¶£½G©NÔ*TF˜(@€y…Nä(ŠŒ
+Åܧusª3Ï%,Ù@NÐÆŽí.mãv } Ok?âjµ_õDäÓ<S§òÎ2®
+Õùy*
+Åãé¿Œû)q2wÎ2Máè=5Vp`Çu¤hj~Fç1ßWCË"?ÅÓk¨fsK£M’LH¥gÐ6 J ÍS 5uÜr’i)Òx¢ "Àq™i.y,ÁÿpÓ§¬ý%=9ðÖ°@…ŽtM¹7O?£ö˜ïë1§ŽO/ šdÄ-9›*0ksªæ<θ«›å¾ºßWÝfÙ×»ê]„]ù×d·¡î÷/cZß9Ž—h–“\¤UT:ÄqRžI­T¬„--l±Á;Æ0%Í©ŽK@,Ðψ8æA …q£rdnÀÆ i{{ªIÆÜ’“ºÈtÁÓG˜'2{û¯{ëÜïÛÝr]ßã Ä?U³ªºq8Ç2¢OʈÆÂÄ 8%)óHƒ¶-Rx.b¤àȤƒ£„f²Þ_Íé4Î)Ïç@[:T;™S8òôŒ¸F8DU=Ç9…‚@ê¤QZŠ/‹Apbñ‘äcÛ“”½µ gl8ÏA`ˆÑ1ªÊ
+)Ùk[ :«tÈïve×C,>6‡ŒA枬lÖœh4Ê›µÛ–OSá•É©B$¿Ú´5Êe<giw'-œš®÷©¬·åç­ë/û“#ù¿mãZÛê©Úf°Šôìž
+Ú¹scH•ØÕž
+õø£zµÞšÚýËTd,•HÏî‰&f#c–I J4ý—ÉÉFJœFÆ*ª‘1di¢‰¡
+ÉÈØÑÏè<æ{&JÇÅXkQ<½òjFŒ1·ôùA1¤™;?ŽD ¤9"³õ}»\7]W­Æ0#<9s OÁŒJЕåÑÜÿ†[•ƒ«ZµÍo„°‡ƒÝ²kÛ{ßîmcýÒ”»ze_¾ûø ¼Ë‹í)·]k[‡®²~S;Ö­?|°·õlÛgÛ|*÷/uó`9n¯è7}g_-ÆÁ¢òNcLj+·+{”
+R}º~gÛ
+©›þ}3Y¥Â¨›Õö°6ÚÇV{úÜ>™\©ÅçCoGíŽ0-ÓÒXÃ|±þÏ¡ëc>Ô¨û•ë `fÄ"ÁX$șĸLÆÝjS­[/J¹ZµÆìk³»¢o£)™aý•ë«wnWõ%`¬´oÅtÕ8ñDœaª)Ðjr6¨óäËý„O>åŠZ{-AÚ‡ªAqôTL dµ Guž(-† :+8
+’ˆ ¾§ÉUDi9F¼Pœ4³x»h¦eì—ï ºK¸ÈrÕ*v ðÅ9· 3&5›w ’d’žïªgÖMLÏ)œ…Ôg;Èk=Ø¡C˜lÍÞ·m¹¶-롱eôvgßz¯¿=…uÞΓÚbfÐ8î¡Î—¸kAO
+eͫ}
+Hˆ!‰µNåûž~Fÿ1ßW{@¡(äè\§ ¨æq;[_ƒ:SV.2Á•
+?`e:WKJY|çëƨÂ/¦piÛ?·ÛzUOÞ&Ü,Ç;¹û«ÈÍXáÑÛ½)Ÿ ¹èŸ[Û]nÁÓ4%f¹¶cñ{»î싉êáù°/›¾¾¢ §@Çj[Û| _,Р±¯6½ëkíDG ³¡Ž/¶ Û ÉAœ©Ìs£7¾fzZp7ÉÍËñS·´
+üøÙÔ¸°/ì=ÃÈÒLfò/VðÅ[ûaW¹ïpµð¹¿Ò‹Ã¶:šHáo´ãä%.ä¢{ÄË©U²Vë73σû$ ©ÊVæ
+á»îڔ̀‡
+ö·®o]5uåúŽ@èì -k µIà¡Çw×{ÑÞŽ‡t}vóû+£ —d<ŽRŽ96¹ÒCæÐ[ƒˆ}݃”ˆü‚-nîí€+OªK„—€Zå3Ð?U×ÛA³+<ãÎ>ýÕ~ɲ/c"ú-L=Ìtk ðÖ>,§Û»O7Üqõ!èÀ)ˆIo'6ö¿9Ù2n^â͆ø¾üT6q©j]õhÔÆ{¦þÂbuü³ˆ‰³þ9sýí¿¾8þiŠP×úÜWà˜8¡p =ŽE!mà9›ýR†K‰endstream
+endobj
+1935 0 obj <<
+/Type /Page
+/Contents 1936 0 R
+/Resources 1934 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1922 0 R
+/Annots [ 1938 0 R 1939 0 R 1940 0 R 1941 0 R 1942 0 R 1943 0 R 1944 0 R 1945 0 R 1946 0 R 1947 0 R 1948 0 R 1949 0 R ]
+>> endobj
+1938 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [393.041 525.7875 461.713 537.8471]
+/Rect [364.6945 737.4993 433.3665 749.559]
/Subtype /Link
/A << /S /GoTo /D (zone_transfers) >>
>> endobj
-1511 0 obj <<
+1939 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [402.9837 495.5382 471.6557 507.5979]
+/Rect [374.6372 707.2169 443.3092 719.2766]
/Subtype /Link
/A << /S /GoTo /D (zone_transfers) >>
>> endobj
-1512 0 obj <<
+1940 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [320.374 465.2889 389.046 477.3486]
+/Rect [292.0276 676.9345 360.6996 688.9942]
/Subtype /Link
/A << /S /GoTo /D (zone_transfers) >>
>> endobj
-1513 0 obj <<
+1941 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [348.05 435.0397 416.722 447.0993]
+/Rect [319.7036 646.6521 388.3756 658.7117]
/Subtype /Link
/A << /S /GoTo /D (zone_transfers) >>
>> endobj
-1514 0 obj <<
+1942 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [488.512 404.7904 561.5676 416.85]
+/Rect [460.1655 616.3697 533.2211 628.4293]
/Subtype /Link
/A << /S /GoTo /D (tuning) >>
>> endobj
-1515 0 obj <<
+1943 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [397.3443 374.5411 467.1586 386.6007]
+/Rect [368.9978 586.0873 438.8121 598.1469]
/Subtype /Link
/A << /S /GoTo /D (boolean_options) >>
>> endobj
-1516 0 obj <<
+1944 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [321.49 332.3366 382.69 344.3963]
+/Rect [293.1435 543.8497 354.3435 555.9093]
/Subtype /Link
/A << /S /GoTo /D (options) >>
>> endobj
-1517 0 obj <<
+1945 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [317.0267 302.0873 385.6987 314.147]
+/Rect [329.3035 441.0473 407.7186 453.1069]
+/Subtype /Link
+/A << /S /GoTo /D (man.dnssec-keygen) >>
+>> endobj
+1946 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [427.0093 441.0473 505.4243 453.1069]
+/Subtype /Link
+/A << /S /GoTo /D (man.dnssec-settime) >>
+>> endobj
+1947 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [288.6803 278.469 357.3523 290.5287]
/Subtype /Link
/A << /S /GoTo /D (boolean_options) >>
>> endobj
-1518 0 obj <<
+1948 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [356.8967 271.8381 430.5501 283.8977]
+/Rect [328.5503 248.1866 402.2036 260.2462]
/Subtype /Link
/A << /S /GoTo /D (tuning) >>
>> endobj
-1502 0 obj <<
-/D [1500 0 R /XYZ 85.0394 794.5015 null]
+1949 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [403.748 217.9042 472.42 229.9638]
+/Subtype /Link
+/A << /S /GoTo /D (boolean_options) >>
>> endobj
-478 0 obj <<
-/D [1500 0 R /XYZ 85.0394 256.8016 null]
+1937 0 obj <<
+/D [1935 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-1117 0 obj <<
-/D [1500 0 R /XYZ 85.0394 231.4888 null]
+614 0 obj <<
+/D [1935 0 R /XYZ 56.6929 202.79 null]
>> endobj
-1499 0 obj <<
-/Font << /F37 802 0 R /F21 714 0 R /F22 737 0 R /F48 953 0 R >>
+1327 0 obj <<
+/D [1935 0 R /XYZ 56.6929 177.4286 null]
+>> endobj
+1934 0 obj <<
+/Font << /F37 1026 0 R /F21 938 0 R /F22 961 0 R /F48 1238 0 R /F55 1321 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1521 0 obj <<
-/Length 3198
+1952 0 obj <<
+/Length 3565
/Filter /FlateDecode
>>
stream
-xÚÍZ[oÛF~÷¯Š}ù÷©iëdÓKºëxQ,Ú>Ðmq#‘ªHÅ °?~Ï™3$‡i9± , yîgnß¹rØ,†?6S:Ò Of&‘‘Š™š-·gñìÚ^Ÿ1ßgÑtZ„½¾¹>{ñJ˜Y%šëÙõm@ËF±µlv½úu®#…xþíÏo_½yý¯«—çFίßüüö|ÁU<õæÇKʽ¾zùÓO/¯ÎÌ*6ÿöï/ÿq}yEMÚÓøæÍÛï¨&¡d‚èÕå«Ë«Ë·ß^žÿ~ýýÙåu»—p¿,¸‘?Î~ý=ž­`ÛߟőH¬šÝC!ŽX’ðÙöL*))DS³9{wöÏ–`Ðꆎž‹#.49@ÎÇP%‘\¸¼^çmªI×å=eRJöçv~ØdTXe¿Å1/ò:/ ªÙ”åûêox/^ILÏ<‰¬µnžßbŸ/tÏïöiQSö¿”¬²âå £\•u^ûú"Ýfõ§]Ö•(÷+%ØTQöwZIoãÍJLâ–r™.×°v­ƒ­AÁ­«¢|¹ÇÔàÊòÌ×íöù‡|“Ýe E(;ÿ¹Xú¡)%Û¬ªÒ»Œ†®S?®:,—Ðp{Øl>ù~i½\g«ÞX¿” (ØÐÚS.wÙ>õ‡ DáŽ`{¸!Æ¢D)î6”o·Ù*OëÌM`ÚŠ›ÀZÚ Tº½¬(Ÿ>S””Þö0çžFøµT¾ïþœÙyF…ìcºÍ‹lG ¹ž¿¤Úî¡àpTº]Båý:+(G[ƒL•ß0co?ÄÔ4ÉHãûK «†ÙfuAmm'‚vˆ´í¦m· ªÎ ªL—ËÒmw•ÒåBÛ}^¯G¨J~)x´#wDca•rÝ
-UÜo÷uÕ.[æŽúʳh1Ò™r~Q;·‰Á›ûm‰€e͉Cž»[Â:ºÜ?9eVÔz[øˆ1Y¡€¼ÛÑr·¨²ÍíÃ) ÎŒï8N‹GÖ¨¦‹®K9IÌD<I„ï Ò)û@›`t¸Þª†c' ®Â}AÏÊwÙ¦»]^ÜQë JvÔ Ïî£;¸&–Þ»¼eY ¥VæmUÜáàR N^ŒõÂwÛIM€Àc9¥N’ƒCMJÅû|³Z¶gÑ0Ê,öÛcl~AãjR¸Œ>»ô&¹4]¿{óº??T ”aë÷ìOÄÉüP9œA®.iYˆL_ã®;íV Ñ(߀4«j< \~qòÛRJ®¸ü7å²ËuZÜù¡N ã7Ù9›»AP¬
-6»ÿz]Wå6Í‹¯F$‹M¤ÝZ8hžpùf!ÇU&‘3É$hŽã˜:ô3ZJß±•5H8”5N
-0(¥•qˆ‚Æê¡ ±¤ñX€T^S'²ð˜nþ“-kêW—TùÝÛwã¤4 l—(q=ï‡xó!´Ý,êè͆ªAÊ“¤ÛY¶‡Mïš®þdr4ãFÐ}=z¶,‰˜óñäá*°ÓÃÃí+ P'uÚèroe;ópñÇ!Ýô4>„ò$Æݽh¸kÎBOÍ¿BA,ÀhlÌ“jÄ*7°@0,ýßïoÔ¤Þ¸ZÍV.FhéHv¤¶Õ!É"+{,!ZÓáÆoý˜ž‘¶àî4ô
-7Ù¦,îšÙÊQÓq‚l¤L{¬­5<.k˜ÐDz&&ÅŒÆ)ýn@Áy’VFœ·v§³IŽ§â"JÐåžFúÆ- Âiä÷HyáµÛ¿‰,Í£5Î@´5ù9T`{_ĉG„psOßØÓäÌB¸©Ç1O‘82Jl+¦?[✠wJΰÈ<~q¹YNÙ4¸—€ ¹„2â1~Vï¢ah‹Å á\}©ôc‚[BÚÈÄfÜú²QÍB0šãy}r4.Z>ÛŒè“Z´›ZH©Ñ·m謊àùJkfRsÔì!AÇ“pÑ€åòcº¬ÞMF
-î±==ö±²Å~ØÃG>¡g:
-¶5FÛ@£…YÉNÚÆpbÃP†5p}éûÌק”ô"ÚØ¥Kckðù ‹(ö·é¨Ÿêýåë«Ë—?þÔ<¢Ç U,ä ­
-ʺþÔ×=„Áº6Fãè\²½³$™t߶kéGAÔ›#:‘ž‡êv5Xðz³í‡n×g1¦ïÓ µi½Â6ûÂ;d½'L÷ Ža!íik$€ºÓµ†¯>óë×4Ç„P|¼ÿ\Ž´+{˜að;¯Œ-T
-endstream
+xÚ­ZÝsÛ6÷_áéËÉ3ƒO¼¾œ›:iÚKr—ø¦sÓö’h›‰TD*Žïã¿]ì‚%ÊvšŽFC
+1ZŠ=Ë&W£|Y—(!õ(Lžå#|e*¨D¦'åçbUÕ^¡¡â›Ûê¦ö
+¯©­ êªlÛâ¦üWf¢ÍÖ¯c^R·b±àuµÔ¡â9ê¦c•R:Éñ
+ú”‹Ä¤
+ëe1|w£ü£’,Ës’¦Ò*1@v D Œç ž¸é¶è¨D“[Õ÷bÀàn\@qá—f¶â»{j^”×Åvé‘ͪ]obŽÊ‹Ö $Ë-UPgŸŠÍ³Í¶~æeüŒ…“ k‡ò–Ö&FfŠÇžï8õ²0toO¯üµ~±äÙò-¿‚®zµ›.u‹5j÷ÂÂ_Žè‰Ë›fÇaEÕ@é‡×ϧï¸P6ž´J'³m×ÓhK*~*–Û’GôÆÉGø?[–=~D«à#hÅø×y"l@Y–á¸æ݈ \ˆÔô‚<$i’ÜÉ’^Ž‡H,œš`F±AÂÎÛÌÒ±Žñ˜'»#H>C{NR`”參>•KX§• àÄ¥&
+=cÁ)€
+;[•‡•À^óKÕ‡r§Gö6–5Zƃ½ü/=eÍÛ0E¥
+»ªãvÔËî~]Rí—]#•~´cÇ6¼xT . ïí¥i´z¨x.[Žµ8 –ª’Û
+ Þ(RêQvµm»h÷6%RÔG6æjL·óX5]¤¬ËuÚi²?àÐRP<’ż—E8ì¼i6«Ä9c»Žl Ë`’ë½W½EóCb¾ð>r¬)d
+"[äžù¿¥Ø‰Í'–#ó‰Ààâ3Zþ]ÁNÛO—ÿ¤Rù9¸RXó0ŒSÌÐÏóƒ¤Øç
+† OcÙÝ6 *WXšqðýòýû)êGÒ!?EÐ
+&:Mr£˜^M¹Û*™ÛÉOåfF©¨¦¥°ôõ¼Zc¤ƒU”'>û2!s›÷[j.BlïbœsY’æ"ÄößÀb7A/Y4«¢ª¿‹é„¢y:Hð(VùÀÈ!¢ˆ uˆN{qR‡~YjBÇkpŒ5œ˜2‰q&j
+"K‡'ækgÊýbÄy„Þc8#“ìéÌ=f=e"JYOPùˆTHÁ=.ú>©5ÎB-Ø/?wå¦.–G×™öîÐÞ·b6ƒIt•ÊÄj¡žòõ6.ÉD¶÷õÁïÁ<£ÐQhœ
+D®`$ÿ\é Ç—Ÿ‹y7åVãÝo¹*0ÀWê ð!¾é-¬ôy ¬PbGg|…ŒMaò}{VöÉK
+îà 2YSº`ˆ2¤Ý.g[we¨±m;´P
+&V;C}Ìf€ãÑ›±8PÕËàešâNí6âë6ÕH 炾˜?T_$œe‘ÛÇôE割R?j ‡JsÅ—
+Içaú/þŠöæR!2Nò HsvT…¤‰PÚ<¦B<f#±cúcÒèê+¡±­VÕA¨ÐM½o Ú Ûi¥Â D¹îèݨaïŠ[‚*ŽÝX…ÌøÜjTÌ3PÔªõº¹K–*ŸÂlcZ|Õç[0éhú¯)Æòô8ÀéÏÐN¹»;&ñ»¶'~Ù’&.ï/®£O„p.ˆ‡Ëbƒˆž Ú›Ù§j>àEÏòýï%:ñ*dYfq¼@íŒúüó }J‚M,Z|yWÍ11 5_=`cYãÕ~K£ŽÜãÒ=¯±œ~´”ã´Ã|ï¡ü2
endobj
-1520 0 obj <<
+1951 0 obj <<
/Type /Page
-/Contents 1521 0 R
-/Resources 1519 0 R
+/Contents 1952 0 R
+/Resources 1950 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1484 0 R
+/Parent 1922 0 R
>> endobj
-1522 0 obj <<
-/D [1520 0 R /XYZ 56.6929 794.5015 null]
+1953 0 obj <<
+/D [1951 0 R /XYZ 85.0394 794.5015 null]
>> endobj
-1523 0 obj <<
-/D [1520 0 R /XYZ 56.6929 483.0993 null]
+1954 0 obj <<
+/D [1951 0 R /XYZ 85.0394 273.8839 null]
>> endobj
-1524 0 obj <<
-/D [1520 0 R /XYZ 56.6929 471.1442 null]
+1955 0 obj <<
+/D [1951 0 R /XYZ 85.0394 261.9287 null]
>> endobj
-1519 0 obj <<
-/Font << /F37 802 0 R /F22 737 0 R /F41 939 0 R /F53 1029 0 R /F48 953 0 R >>
+1950 0 obj <<
+/Font << /F37 1026 0 R /F22 961 0 R /F21 938 0 R /F41 1218 0 R /F53 1313 0 R /F48 1238 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1527 0 obj <<
-/Length 2585
+1958 0 obj <<
+/Length 2360
/Filter /FlateDecode
>>
stream
-xÚÍY[sÛ¶~÷¯à#5!¸òÒ§£ÚrêžVqeuÎœ6} $8âD’ŠãóëÏ.¤(‰Ž“&™éxÆ
-å@öÙ*¯@Ϛ˰$á~mýW½³ÍHæÛÛrnËH¢Úd‹U¾m&íÊ|»ÈwÙ÷…†B°Ôé¶zà _UýÒÏù×t<úåW ŠÁ0‘*¼/Jê´k&R‡ù@„[ê:~bɶ˾-Åöƒ-kNS^c G)èÛ¯ËÜ l¶ÞÐp¶^ùö-1Õ+{Ä}¼Ä~·Ìj{¼5A¾U9l®d÷ØFç›"”5Å[bð§Â9¸ ’æ–¾7Y½XÙÞ“â­¡T;»Èßp.ÍàÎ]‹çp—Ðì\~ÂâTiùùÒnë¼~ìA‰Ø
-¡<£Û`½d§§Áäâ(’A¨_‡}¥¦À ¤Lró%k¶Sž4(¥Œ‹ô9‹ŠÒ”%&Òîðõb7¬ìúþY[!ÀÒÔã$Mà*²šÈ«ìƒ¥ÞÜÚ-VpDûgÔ™]ÞRam åa•/VÔõ7|Äfen …HÞíßðqOö»¡/B»’
-ºçjVv—v犺Æ$MÎIè âØtℾ©1ô+çðàX†¢´u¾
-$mmýP”N‰OÌZ¥÷Å»b»t®Çon?hbÈ–Ã>°·Re„Ïù$µÎ©ÛíÒ¥hbµé&wDB ±½šŒ~ÓÐtZÙº:ž9·}Ê€XÒd)Ž±ëÚIDHÞªÆÃÅ>íÄ ¬ nÐüS½¸VÐKz΋k¨œÀJÄ7õâÚ€s‰…ø^¼»ô'¼¸Ž"Æ£T}/.¿Ò‹wïæîÅÓoêÅ?_Hœóø¤4þ{³A¤ß*†Ju(A ©’nI}VZ+18LE6OEÔ5¥ó'•(&LBaâÆ×A
-‚}‡"f©’>‚’Rr(‡ jëÇË–±B'oItûq·Îy–…ßÏ/`&E
-ÿºîðÚ"¶šÏ‚m„^'iãöéyEñ¸«ƒŠÆ2ÏR,-ÞM¢Â1]œ'Ro•³Ce@ º;â :‚Pó-¸†MÖà]ÊÆ‹â  Ê—eØ¢ÿ{c¬ÏÓê~sè¸ÍµèÛ\óîæÄÖõˆøMÑP³ËJÈ\÷h“îÛë z°æ¢Ø@:Û,Ðì_Y˜é*JüâS0hr¶ê-—¼•aäPPg’
-S^èе‘¥
-Þ蚢¶ÛªüíÖ]&$Or vLÖ.OØIÏm\Ùòƒãv¯G
-zª‹6wmºÕðºC+ùÁ,ʾs¢:]~AÎG6å:¼é'ðtEcº$&«¢ô¡£3s³_×ùní§;]I¯$ìl¹Ék²XîŸUq¼ØÕù&ÿŸGãÜ—x…•ß¬å´3´ûÞØßøý£üÏGóC&Ø…KûlVÎ=3©“úó¶Îƒ—XV5£Û¸³ö´ÀQZ2‰jFÅ ørE –o}‰7í¦Ø ÿ°;á<Å>_Ï{ç>üÏ|È5âYÑ%¤ñP¿v·8ÿ­ázF {€›Ç’ø s\ëñÜ|®*Zþç8[÷IUèS™ ™Â㓪h¹ž‘ä|5”ÄWPå2™Šä¸„˜5¡Éy¨-xù“D'ëæ;›lK'/óaì‡Ó#¶o{1g&åß/5úLãA@ñ"Ò²Og¼Mï¾úGßÃßÔ›$ò ‹hŠS
-×BíÆñÙ…«kø–«#úÿ‰M“(endstream
+xÚÕZKsã6¾ûWð°i+‚ñ&x[elÏ:Éx¼Š·öÍ’èk$Réqüï· R”DùQÖTeËUÐh¼¿¯»JDþDd,³‰L¢8ÑÌpa¢ÙêŒG_ îã™:£FiÔÕúñîìüJÅQÂ+mtwßéË1îæ¿ ,“l=ðÁ‡Ï7W×ÿ=c=¸»þ|3IÃW׿\RîãdüéÓx2 gÄàÃ?Ç·w—ª²¡¯o.H’Pr¤ÓÉåÕåäòæÃåð÷»ŸÎ.ïÚµt×+¸Â…üqöÛï<šÃ²:ãL%ÎDPàL$‰ŒVgÚ(f´RdyöëÙ¿Ú;µ¾ißþi.˜FE#! gÝñqi ㆬSÌ:»?ìHð„Aop(Öi¦„ŽÛCÑ¢s(B¦]Å&aVIå¥Ê–÷¸3çWRvtcΩptTº[äœE6C7xXfX°ƒUZÏY¨y\dåêE¨/ÒUF¢i–_Hø°ž§u6'ùNØfcÂæ°Ä韕E5()©å=¥Aùü
+ör;m›0)D¦Ï¡]^?õ¬ÏÆu¢‚â9—ÙrŽÈRVÛ×µŽaótÓÂ/í°[3¡’Ý^i¾y˜þ¥(7CáÙü¿ZXºf{ÞYõô¡†Ö ªEùà;ü4ÔO•~‡1—V”öï‹Ðœ°zÍÆhœÃþÆX£·³+ èãq³è#xIÀ¶Y¥h·±~Zã´ =Òr°*«š$Uvÿ°$) ¥érY>z@‘NÈÊAY„ž¾fO$Yg›>L2•ƒ­,1U–? GZx,ÓEÈP· ½ðÛÝ­
+'uÛ¾»JG'!•ÔC1(); ¢‡5È<S`ó·GP)„ËÝ+Œˆm˜ñH˜òÂ8aÌjÍrä¾Îƒêð¼Ë·x,ÖJûþþÞ{ä`g¸Ñ-Ñ’ exZmN«:ÛäÕW ’䡦ös³´ÊؾíÖØ6#êZ¼÷YQ¥Sà«`ÞŠ%‚ë7tI-Ô3†Ùr¦¹VÏf–h+Z"UÓWÚf ±µÍ°ñƒFXå«|™nH`ï9OT9ù<¥e:±ýÈþœe뚨iM½Ãlçå*Í‹0tyß3š·ÿ­æ"¸‚8˪¤œç ¤Á­<ƒ”μïX÷‘¢NŠ…;­_
+sÆè‘’ÀR÷âûôHÁ\Y,ŸÂ Ìøš>ÌŒ„Ô,‰Íž‹|ª\„ñ[ļ'Û8LÀƱyK¤×´8
+[ `íó8‘£M²Ñ«jô†`ÏÅj Ãé¥_³ O)ùÏÐ0Øóò±"•U:[äEFµëM^Ìòuº¤"šýU:ê ð°Ñßþ1¹ÿò‰<$ÜC˜µí 9x«‚²^ŸtÓbN²6AãÞXdU¿eI
+ˆÄŒ¢íŸ‘ÇO—+ªî D~Äíl°ü6f WÎñun‡Áh3Þ¯”rÍz”Š)(Q1Å{ª “çTð|…tÇ[cè;}ëÞHao2ÏG
+JˆƒØøaºP|¼÷“œ”1 “–/¸`ca
+àéZÆ4öéÿ6J
+¢’¼Tzh@Ú` ²ž*¨TiXš5¥ä
+^ZRÚóëß³@¼êIãň8ÜÓ¼BXfý(&æÞm™ƒB
+)Ý^œk<szÆ?r•²ˆQûª€ûM4êàó´4:©ãÁù
+kÍ 4⎙XQÄÿu35oq=pYí„(¾XäóiHÎ6Sº¦•MU 8_ÚR©ÉH¬Ü3ÏC›.œTÄ#ÌlÙ‰·wr?˜  C¤R~ˆa0¿àD~çÖÐõŠjº®Ç5®Çu]Ó‡u¯qh8÷³Ç¿ƒ
+ {l8Øc;~ t£Øõ;=»½Áõ±GÆÝ{ÄéØÓ…å_˜=*‰¡5áNÃâ$N:ìy£úÎ’ߟB¢yû Ì‘ „Ì‘RLeoä†Õo$Cä&»³èv¼QÏêvn&2¶—OFóÇBëcC'éQË Ÿz†kž;ö|O1"Eé“ó© ÔSñI¨„Inìú MÌqFûfø‘àyF)—0.%ªž­_çŽÆ$|›n¢ÿPíÂEÅ‹ô[F¹iFÏß]Àì[žRæîÃ-e¼K@%Ï ”<.òÙ‚²Gž «Z¥nþY‘¼^¾¡pOü]Q‰ÐÁQ^äužÖ­Úõ-¥é|NÈ­*ä…ç¶-èÞôú”ñÅÅ„'·ÃDÆá¦(½¾µÝ*ø×Íjβ
endobj
-1526 0 obj <<
+1957 0 obj <<
/Type /Page
-/Contents 1527 0 R
-/Resources 1525 0 R
+/Contents 1958 0 R
+/Resources 1956 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1484 0 R
-/Annots [ 1531 0 R 1532 0 R ]
+/Parent 1922 0 R
>> endobj
-1531 0 obj <<
+1959 0 obj <<
+/D [1957 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+1956 0 obj <<
+/Font << /F37 1026 0 R /F41 1218 0 R /F22 961 0 R /F53 1313 0 R /F62 1361 0 R >>
+/XObject << /Im2 1350 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1962 0 obj <<
+/Length 2898
+/Filter /FlateDecode
+>>
+stream
+xÚÅZKsÜ6¾ëWÌ‘ªò xñ•=9Š”(IÉÞѤvó:P$¤a… É‘¬üúíFR¢,;>lé@ Ñ
+ýCKæÖt´ü°3ž–—}Ù6Ôkoiøag€£#"L‡@!<-j -ÁÒ–ÇÅ­ ä}îÊ{ÓPó°/²ÁP¥°\nlÔ황ۆÙø|‡-ʪÃ4¨A¨¶€6x!JŠ´¼­ëCSæÙP6wDz(‡1 ~&­NmT7ö{“¯çûQà”¿s.A­ëXª lè‹KY=ƒ—õ ®“rí­Q¦ÊáqÁ !„…”Â1Ú ªâÍé:Ñ‚¤Ä=nÛ®Îjãùðû°+ó6%
+Nv 8P<WÒïRjÚwæœè¸B¹m«6Ϫ¯Ž¡B–DaèØöèïù$œ#šûüa*ÐYºS‘K
+Ò!KãqÒK+§Lˆ(òZû„NãÐVìÁºhèƒÔŒº?_]þwíô¢R–@èÏôR´u†6Ô: ú6ÿÓ ÆR®À!?;t$y3T§Bˆ
+-Í;Ö·-&
+kÛt–XRTeš;<û²8$ñG¶~n{RÀuy×LOÙªj ö®Ë&C‡²ýÐ~b^AÖ_’ñ“Øž½wí¡Ë×ÊŠ¢3}ÿ™’mÐ_–Î9<îÍg®õ£yü²Cþxþ µ†öOã¼Ê™ñ…uÿ‰Q÷ZÐ
+¿*0x~µ>bß×À4ΉyüLÿ³Y^ð0‚ðšÀM¦ üW<b‰LŸè8ª“7ÏÛW
+:„E•$ \º»P%5ò¬·±èïœ –
+$ÖY᧶D)Leürt<•¸äž»tÛ»ÑÐZI—ŸÝ’€Ž,YÊ)|Üœ¹$wtE º©+ز|çK·²FÈ7Ðí6acõ*4Sr#"Çj²‚¢àˆ˜:…Âá׶q»_”•9Nõ§°SgQ,Æ©L¸ÉSO ébµ¯Æ× ÞÆIúŸ/V}úsï&À][/äCBŽ\=-ࡲ„y"ȱTAçN¢ "­ÞŒiä¸i©àhP»*L‚[ê×4¾¹8#2ZÚ-R˜>ïÊÓÓUî¶òmÈÙ‘j ÷­o»tp\9wÜ›‰ãj³!c'>½¥{ÆØWépo!c+¡œ/ ­tc‡ÞŒª§kjCT’&ì7Uéë8±׎ d FV<HoÌ-±Ù¸­vÙ½[þÆx¨övÉf Ïz{—õ¾250{ÿöy| Œo¯®Ùè
+³? êYA#Àx©g2=y÷\¯H¢aHÓb.‰»tfÛª®x~ª*Fþ×x¶î‹ªÐOe
+y 
+”UÅÈõŠ$ÏWCI\¡¥d2„3+!¶þj²ª,ÿèdS¼ãÓäx±Lp™»Æ¾~zÄñÇ¡¡Ž¹þÕš“ØüôÚç¥Áp'"|Á"ã/8v)%ò‡ÆÇ4%N(%â£)ž–€ît| ŸcŠÍÆ¿xP}hŠ—¦ò~™Žoô~ÿY¿Œ¹ÿ—ÕÊSúýãµÊiÅÓ—@…Á[T_¦É‹Ø- D´¾±ï,0࣠éò10«ÊÞy»4òظ˜‘Qè <Qä_³ëìiàÌ‹šXj¢‚/SëÑR:†œÊ£ÏX’f|ä'ÌH2žèWýŸ ªÈÕ5ÛŸð 1åÎçcPgY›5\—"XWå½#Z]Ç^×q¾ÎˆB•’Ž/.@öÄŒºJ:ƒ©X~g£ùš—ÍuhJ›Tüö`­¦°7¿öõKǶïÊ:ëJûºÝCoãÌP‘l½³€}à¨8)‚jà´¡&!C¸r¾€dUˆI ‡ÝýÅ4âAÕZ$YJ‹øujܘ%Èb·-<à¸m§9Ç?Rö»öPsPR”}ž9€ú§žxË—9 æœÅ2Âì±(„Koáæä«W3þ§þ³Àñ&@ •$ò\Ä5\Á©À>q-ûöËų{_%,LdìÙ&²ÿΞk‹endstream
+endobj
+1961 0 obj <<
+/Type /Page
+/Contents 1962 0 R
+/Resources 1960 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1922 0 R
+/Annots [ 1966 0 R 1967 0 R ]
+>> endobj
+1966 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [341.1654 99.8874 414.8187 111.947]
+/Rect [341.1654 175.0606 414.8187 187.1202]
/Subtype /Link
/A << /S /GoTo /D (the_sortlist_statement) >>
>> endobj
-1532 0 obj <<
+1967 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [434.6742 99.8874 508.3275 111.947]
+/Rect [434.6742 175.0606 508.3275 187.1202]
/Subtype /Link
/A << /S /GoTo /D (rrset_ordering) >>
>> endobj
-1528 0 obj <<
-/D [1526 0 R /XYZ 85.0394 794.5015 null]
+1963 0 obj <<
+/D [1961 0 R /XYZ 85.0394 794.5015 null]
>> endobj
-482 0 obj <<
-/D [1526 0 R /XYZ 85.0394 310.1977 null]
+618 0 obj <<
+/D [1961 0 R /XYZ 85.0394 385.3709 null]
>> endobj
-1529 0 obj <<
-/D [1526 0 R /XYZ 85.0394 278.0921 null]
+1964 0 obj <<
+/D [1961 0 R /XYZ 85.0394 353.2653 null]
>> endobj
-486 0 obj <<
-/D [1526 0 R /XYZ 85.0394 278.0921 null]
+622 0 obj <<
+/D [1961 0 R /XYZ 85.0394 353.2653 null]
>> endobj
-966 0 obj <<
-/D [1526 0 R /XYZ 85.0394 248.2364 null]
+1250 0 obj <<
+/D [1961 0 R /XYZ 85.0394 323.4096 null]
>> endobj
-490 0 obj <<
-/D [1526 0 R /XYZ 85.0394 191.5785 null]
+626 0 obj <<
+/D [1961 0 R /XYZ 85.0394 266.7517 null]
>> endobj
-1530 0 obj <<
-/D [1526 0 R /XYZ 85.0394 169.2672 null]
+1965 0 obj <<
+/D [1961 0 R /XYZ 85.0394 244.4404 null]
>> endobj
-1533 0 obj <<
-/D [1526 0 R /XYZ 85.0394 82.9509 null]
+1968 0 obj <<
+/D [1961 0 R /XYZ 85.0394 158.1241 null]
>> endobj
-1534 0 obj <<
-/D [1526 0 R /XYZ 85.0394 70.9957 null]
+1969 0 obj <<
+/D [1961 0 R /XYZ 85.0394 146.1689 null]
>> endobj
-1525 0 obj <<
-/Font << /F37 802 0 R /F41 939 0 R /F22 737 0 R /F53 1029 0 R /F62 1062 0 R /F21 714 0 R >>
-/XObject << /Im2 1051 0 R >>
+1960 0 obj <<
+/Font << /F37 1026 0 R /F41 1218 0 R /F22 961 0 R /F21 938 0 R /F53 1313 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1537 0 obj <<
-/Length 3082
+1972 0 obj <<
+/Length 2922
/Filter /FlateDecode
>>
stream
-xÚÍ[ÝsÛ¸÷_¡Gz&Bñ °}òù#ñ]ÎqmÝLÛ»{ %Úâœ,º"e_ú×w R”c‘I­LLBp €à~þv‰‡¿bd,³©LG.ÕÌpaFÓû>ºƒgïDì3n:»½~˜üåL¹QÊR+íhrÛ™Ë3î½Mf¿&–)v3ðä_Ÿ.NÇÒðäìü#´„ÒF&ÇŽ.'§WôÀÆ®?œ_œ%¥Ëñ§‹³ó÷¿\:LÎ?]ùêôìôêôâøôð÷ɧ“vÉÝÏ\ázÿ}ðëï|4ƒ¯ûñ€3•z3z‚ÎDšÊÑý6Š­TCY\ü½°ó4 }‰Mš &¤Q£±ÒÌÃû¿æµJ{æ¸ÛñZ> ÁRczæ¢qæŠÍfÄöTcÁS&à?£vÌ:'Z1JÙ£†iïFÎ&-HÅX>-ó1}™ÝçÐò©K&óœh³ò>+–[Ï¡õ4‡1Â'ñ¶nz_Eq]oËõrÆžËPÇ´Ha!徎Èlª9KÅÒ^ÅøbÊfÄn®Bg­àªJq &pµþü
-¤µœUïàNó$[Έ\Än«â>[‹Ït»®òØá&RHâU¹xÌWq 3­¡õIäàáSqÉ4›†Ï†æÕUß­´ŒüR`!6fy5]7Acáv^>aƒ'‹ryG¤¬™¤™wI›|{ôùáµ3ÒÔ›ü¶ìºœÀK¸Vór½hûDŸUTÓŒT:ïQꮶ¼N¿«÷±F2®Ì€÷±Ö1ãyŸé"«@ViÝOÚu?¾ã~Òûñ­ûI“b–/ëŽÿñAtðà!ðµ¬Ëi¹ Êmvú¶S‰Ë]ŠeUgËÆó}†kF—î´=ë°b_nˆ:è½JLz„ z@bZ11éê„
-%ØúŽÎ¤'rÜçèc`ƒD´Â&ZM{„×áʾ„·Álÿ{†">„FP"ǸÛ_€Hé<È]_-çÌj¿C?„k¼dª,…©aÝ–‹EùT‡Šæ}"00{Ú™Æã’=¬¼Å#õÚzpØHac¯Æ(Á%³ÑU}.ÒVÓ :3ýŸÀ¿‹ù4L-e¿ùýA†È7°Xë´Å«’
-_US+›Í¢ñbÔ42MΗô„¬çt õC+šl°P ÒU£›ÄÛE„—/¼í×éì÷$ÆæY㌣xÏŽ©1»m·Ë’}Ùn5ö˜þ%˜õCé/•.¦?Gðü­úh£Um‰M >Ì>ïmû:ëÚWžá­1ß0e3b'ût
-=Ðô³$«DÌsŽ€cV‚êïfžh2†lÙ…j¢ ÿÙª.²ÅP§œb Yßâ# 5nÂÁ`œn¹ÛŠå¬ˆùN]”h†"`¯Á¡A9.¶:9®2bÓ#®­¦»e»l­ ¸z|úÂ&Ô“w¿XIL‚F`\c=V<MNÿ|Èã:Ë‘ÔÕMmI7áJº é;u³+ô×)ÒwÅTÚß„pÊði£H5Ï®O~
-ÎSŸœóá=±¾yf¾D¢ÊÅíç"!ái^LçÔ„).©5]Ð-Žˆ“þ.§˜Ä,,êùn)Ô-¨AI%LÔŽ‹Ñux²ß*«Ýg•@ S&0!•
-æ… (pMÈ€Ê_å‹lJe%—Ôà`¨|í6{ ÐŽæ­M%|F„ —Ћ«ç¡º5@ÝN±!¦R©LeùN¨R•¬Þœä\Þ"@|̱†Š=ƒ¹m
-wKƒJÖÂC W뛚îsê€aJÀð…Úfû­\5+ç
-ÛýÒ7 r¥ÖÌY5  ¯àÚ‡Ï>¿¼>=ÑDÂç%—´-ö ¶ÚòE÷y=/£W‰Ð\ ¸´{ ÌTågÕ’ïÁU­B© ïPÑ1½¢v¬¹ì“Õ† o8”HÞÈ!o¤,¼CSÒ}~}rq86Ü8Ä´1˜`Á‚*MFRuÐ`­žºÊ­ò`ŽI €;Ÿ;í±½¿ÖÔýÒ} ä;£¸©Ô»&…„«&ŸìX´Â”
-Vƒ—&‚c;Dðð¬Áñž"xgT@^؈‰ž±&ù¥jº=%g0Ç»b‚ÍÆý7º¡å…LhF:¡aZ8)iòÎЛ"œûP>¹Y×/¡øª.1òE¿ŒgµUBëúü=£9–š‘FÕ}ÌV‘H©êIb»rÛo=y¯ö.¬`ÜÙè(œeVx‚Ž?ý £Pây ûU6ß {ìŸSHÙ茉Šl4Eá¼qmõ@mƒ KŸfmr.©x0:_ù†¡ ÐÐh0 H ÷¯%nIÎsÁc¶áOÊ â5Q‹åm6JÔ¡KPvé#/ ¼³±ë¶GÞÉÞκß𾞊Ic\©Ðœ9£È“ü ºnRñ…®cË Q,¨Õ(;Ý‘®7;Ü8 -u
-6çãTGËj@<qw îé
-Œâ/#Œœ€VɯLãR§ß}Ó6|Wûò­ßÃœ¹€Év‰
+xÚÍZÝsÛ¸÷_¡Gz&Âá`ûäØrâkNq%g¦íÝ=Ðms"‹®HÛqÿúîbA‰’-1©•©“c øÛïDÃÑ3–ÙT¦=—jf¸0½Éíï]û"Žé7ƒúíQï/~9U®—²ÔJÛ»¸j­å÷^ô.¦¿'–)v+ðä_Ÿ‡ƒÃ¾4<9=û”PÚÈäøãÑùÅ`D/lúþlxB=)5ÇŸ‡§g¾ŒŽN.Î>©{48ŒÃãÁ៿ .–[n–à
+÷ûïƒßÿä½)|ݯœ©Ô›Þ#<p&ÒTön´QÌh¥šžÙÁøàïË[oÃÔ—`Ò\0!À8ÓBlÿUú¿I©XŠû\ÿѾà)ðךñ”¯—²…¼†iïzΤÌ*©ò“YVU‡}«´NŽæ
+Ù‚âuð*í™Iíõ›û䘄‘žËŽ)Ãœi
+ö VU[ä£1`Öiæ×þÀaDúªœÍÊÇb~Õ‡dA“œ¶–ñ¸e;ó‘ÓZû1@ØHaã¨F)Á$ÓhgGÕ_6Yº”t‹F‡;ýÿb
+N¶½ÀÚî±woqc|]')èÉÛ_PH@ ½*ïçSÄ’§ÉàÛ]¾
+ÃÇ|öD#ƒ¶a
+Osšƒ2¶ ¡¿º¿¬é9§!,L),\ üHz–ßÊU³sÇ]ªcйÈâ§q41YšÅq°ŸY3"Ú2´SzŸUôŽ~¡±QÐ1Áç…8´Iûë¦ÈmåÿŒˆ.á–ÖÉÂݛ׉âϵK’C©;„[YÆáË¢pÿ6ø'p[¥<×e r0ôN๻¿œ¢¿æOÑ5·ì ¾ˆ‚½šU×ómøêüO9_Y›þvûÔaˆ¸Ú‘´@د Ù«+W©…8Su¤Ø3¡L4DcÌV¥Yã“H£†ˆÔ$7YuCê¶hXˆ]…áÝšËБ…ËYfÉB¤‘…[ Ó[_û6*ûM%öäBðìò€òž»H¢?œöiíxéª Ãu=+/›8÷®¬
+Lú"®ãû»ÜÍb†Û˨ŠŸ>ï@´µÕ7Ù*Ë™“^t ê,“6¥3‡gÃÓÏ
+Äñù"¨ÌjƒŒÀŠ¿
+H
+:$‚G,€2:j‹3¼ â _⶿ô ‡¸
+¼„®#[V”*“ÚðÝgçãÁqð&Ò)œÓ™ØÄ´Õš1ºÍë›2š•ù‚­›£^+UùÊZ-»oÁV-B¡ ŸÑ2½¢p¬¹ÜŬ
+o™Yà&Rîºì‘ôLC˜NÌŸ û†‡Amt'X° B“‘T4X©§¡r­:˜c(žŎзŹËïpî»KMí/ÝC~B-Z:1VÇ ªâšåÉš½„Ö£0¥‚Ö`Ó¸p¤ƒ ïZ.ŸÉ…·f…È ‰˜çk’/U3¼˜oç¨ãu1ÞˆÖåþ+=ÐöB&4¥ž`@i
+<ø õ’eº‘
+Øm8Ú_÷†²6í’q ã¥p‘ ƒãPòM@®b¡]ÆÌôîy@ Y1]¢¤˜0-ð 4Ž `‘âÔ˜
+öçÈb-ï¡Áýáf°'£^3ê“ËQ" ¦íó\f\¥¬‰È¿U½¹Þ á?–ñÅR¬ŽDëÛà鑾 ¨ÑˆZº¤[Þ# ý­l–:‚ÔÒÒÔ†Mõ_òË›‰?r.¶³¤Ù׉#æ ¬Ç;ÕL*ºp±yO“÷:Mø÷Þ_Ýž‡ )ï·¤³Ò“-ºl\‹J`òÙÅvÁqÓ²ÖÚû"Üendstream
endobj
-1536 0 obj <<
+1971 0 obj <<
/Type /Page
-/Contents 1537 0 R
-/Resources 1535 0 R
+/Contents 1972 0 R
+/Resources 1970 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1484 0 R
+/Parent 1976 0 R
>> endobj
-1538 0 obj <<
-/D [1536 0 R /XYZ 56.6929 794.5015 null]
+1973 0 obj <<
+/D [1971 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-1539 0 obj <<
-/D [1536 0 R /XYZ 56.6929 579.9063 null]
+1974 0 obj <<
+/D [1971 0 R /XYZ 56.6929 671.961 null]
>> endobj
-1540 0 obj <<
-/D [1536 0 R /XYZ 56.6929 567.9511 null]
+1975 0 obj <<
+/D [1971 0 R /XYZ 56.6929 660.0058 null]
>> endobj
-1535 0 obj <<
-/Font << /F37 802 0 R /F22 737 0 R /F39 899 0 R >>
+1970 0 obj <<
+/Font << /F37 1026 0 R /F22 961 0 R /F39 1161 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1543 0 obj <<
-/Length 2760
-/Filter /FlateDecode
->>
-stream
-xÚíZmsÛ¸þî_¡oGÍD8¼’`ûÉç؉¯Ç•um¦w÷’h‹=ITEÊŽû뻋)JE§væ<ÓŽgÌ%@À¾<xvIÑãð'zÖ0®bÝ‹bÍ ¦7YœðÞ<{w"|ŸAÕiÐìõÃèäû õb‡2ìnsYÆ­½Ñô—àìýéõè|ØHÃõ&äÁ—Wo©%¦ËÙÇ«‹Ëw?Oû‘F—¯¨yx~q><¿:;ï„ÒFÂÊOñWçÔéâò§óþo£OÎGõ’›Û\ázÿuòËo¼7…Ýýx™Š­é=À g"Žeoq¢bF+UµÌOnNþZOØxê†R“æ‚ ièI3%Å‘Ÿ¥Ÿàð³^Ô³’G{¿
-»Ž˜6ª^BOËe­z)ªZ1«”éE&f¡’Êéþêæü¬?ÐVÛàç"ö
-¤lI×·W7ðxœt[æt-ÒÉfÝ6HçÕ€i6IÊÔ÷›%%Iáú•3’’%¢ÛÁå ¤[Lþ°L×°)‚e²HQ’n1Ø’Ðe’®Ë„ÚdÝK@¯2]ß'sjŸæ~–¼$!ýœåþ|¸¾»‚çKÜ„ aS{ƒ»ÚHÃ!]ËÇUŠ»4QV¨}E7Eºônóu55]Ý¢»Ë ˆÈ–w丸Aðf%xð6-&ëlŒ6Â'¸ çÿg$h®4Ûwr ^…¡ì5}ãyþFd
-bb^±Ð†_3e5¢Õ…C2 AÙáÁ ++DX{°“ªÿy¯Ã…åÖ…µ¬]\©6ˆÓìç¾M×5ܺßÊtwÕ!“ä~»Üŵø«_à=,°8Îp`¤ËÍ"]ÃxÐs¾¤¶ñ¦$ÁyG¤‚E^ïZ'ùbµ)“ú'sç&Ð%ý¼J—EvŸR½›ì2Ϋ¸%§ÔT€iÑ1P&»€àŸò`2ÏHÇ®1ñÓ ºuh¿r®rh·5aL;4bìya»E©X|ô ýbÊjD;ÉŒòp
-Biñ@Õ[(¸îÇ28ž~èÂ0¬ !ôîBBè!¯é|î%g’M9Ë×úÀ½oªíòÃ,›ÌÚ¡À{;d2ƒx/H®#ÌÝÜ'Ù<Ïý-®¯›â©¨ßaꆟg˜­­=D@!¾bJaÛm c–G¶ËÖ\3)|¬]}ËÓBy kPØÊÂÔ†*Åë.âSï
-]?â£@ˆÒÿÿ©ˆ/c]!¾ÖÒÛçÆ*€xºË–¸gl%Ký™nè·WódR ?Ò•XªŸæÀO×!ýĨ~$jšîø<ÿ¦i
- ˆ)Xûm:89ä·Çm{?f£Ææ_
-Ù¾…
-2:å¡Ñaª2é [(¼¢(8ŠéÆ Úí“-
-yÝ4%Ésdi2UÀÓ|ý»´‹”[Eæ6ôldëŽÕÑv<·:ž¿©g(X®V¦3!‰•¤üÌ£±qÜƳ[Ï×QÞ‹Dlª"e"”‘¯
-D@‰kBÙ~˜U$S ³G2• ’‰O<X`“#5ÐT£Ä¸WÂW  CQf.[„>\Ñ ·kì¿rÃ9ü€]l ªÏ—¾gÑî4Ms¼”×|W¡
-ÝÅ‚”QL˜XÐÍõ²j²æ6ÀòZå›t9u‰1È×ù<›<’|±†LÁã,ǪLƒGaƒ‹’vÅße÷©™˜ÓœÄ-‹zJ¹~âˆíJyÅœH dGw°’1“:$ÝÝ ûÆÃ40Ô»4V…!ŒsrXߪ+b¿/ñ€ub}HVÕ°l’úJ¢\^‹vnô÷¿Üx4DSt&‘•GLÕÐÁ+3Èî€#é.*¥¸apõÈwóþâ¹ pÍýdÐ8|³að<Ò½+BÃn¥ Ÿ¬6ãyVÌèqBmÛ^~ÔÌYýž>~WP+bíòHr—®WëlY>5èä±jeSE/eÉÊëž>eµ½vKÂáÐ×aH Yl—ðr䊕!0ˆV§ÓÏ%éÃóRzí0}jõêø±ÓXÞóvümÃŽ“<¬K‹aÌ4Dw… ELœwP ÎØ
-µP¤ª<ˆ¡0lô
-ÊÎlIè˜A×È߆/C
-8Ðûô4EÝZí^òB¶µg€¨NôèfšÞ§ó|E¥K/i#ç“.m
+1979 0 obj <<
+/Length 2985
+/Filter /FlateDecode
+>>
+stream
+xÚíZÝsã¶÷_¡·P3'_$ÀöÉñÙwNî|®¬´7Mò@I°ÅF"U‘²Ïý뻋%Jч/öMýÐñŒ¹X|ØÅþ°»€èpø3®RÝ1©f1qg4;á;¨{w"B›^Ó¨×nõÃàäû e:)K™t·­±,ãÖŠÎ`üKtöþôzpÞïödÌ£„u{q£.¯Þ'¥ÏÙ§«‹Ëw?÷O»FGƒËOWÄîŸ_œ÷ϯÎλ=¡t,a
+·€ÙHÙÌ!%ýd“ÑgäuF<¹j% Uí÷Ù”øã2ŒRÖD¸/yUo‡óà›3øOYà"âæ9&¢µ6(=ÐÚ€ê÷é[?ή26QFR!þœ
+•+B‡ÛrÑ M_?©Þæ4È&òâ'Éýa?[ U9Îoqì[·¨ˆqë«œQéª+"hLZ.Jñœð ¼‡ VdöæŠåÌ- ?ȹ,ˆ7\ÖDøÝaT4+W«͗uVCûlê· 4q_殨ò{·ëçüÀ —aé·ŠŸ²#VªÅ4éˆPË£Ñ4'{f†Aq1jðÖU£E>t¡c^ìyÿâŒÐ"q̶áB^˜¬¯mdÏ3\0¦
+\ƒ?5ž¨ë–Ÿ§˜µ®|‰¿÷›ûuÍ9K¤é:–päÁ@^ºŸpJj¡‚†µM )l£aâ¡Hñ» ùÔºEߎÐ(ùHä#õÈ*äËT7¯µ ºA¦ß¹©ŠÀžîò׌\ÒÔ_©@¿=Ÿf£¦Óð‘¾W^a˜X™ô­<˜CVÓÚŽÏÛâÛ©^!c“0#¬<b5q*™ŒÓÔ êzÐGßR¥Ñ):3:š—~RÜ# º†¬aγEMTyšy|b\Î2ò´tØÕHUsP º° í·®·ßrëÖ~@GíÅ¿²}ƒS –Ê,7ö˜Ž˜ƒNÒÑg8¹`‡F×äÝçc´UiM4Ëæs0³PºúÁ¹‚
+$7 ¬”Dx0@â3œ<ðÆã`á•«Ø~Õ5 ‘¨Êi­úe•ó²$-³©9vìÄZ3­RLÿÚ+GF—@ãÌ»‡ #£æ;Ÿ¶ô‡=‚°çÀÈ锦ÇT Þ¤7$ä!!xƒéûí4€µ3@èlúD¸ÂÒVK ¯Y[aÍQ¸“œÁŠîúý›ËwpâEgeQ“¦­h;ÚʨÊ^6G!²ÆY|çq[ÀXE~†ôÞkBš+}@è­Õ¼”Ð/m›{…®“â}q,"èb‰°„_ý®2Ñ
+»±#*8?è¦iˆUPËÅï¡j*{¶1͵íYcW'Ü–3ôƒl ýyŠü¶{C)p,’c©!1±"±xsŒmš¶ÌÑ`€<v¤·lY-"M.¥ ‰Nñʥܜ5n¦ñ–› ¡°w3±&À²¼[¬N¼²!i
+Ñàˆƒç Üóop IÊÌ™Cf€0$W†-{s SµÄá¼3ܳ›ƒë®iô&dî)^Áí£ˆèj9Ÿ—‹ºQîû¼ªÁûa ±W…-Ù¼bL“p®€pDƒà¸2e¹ñ²ü,côbõ]+ÝÜ@VQž¾Ÿ6Ej}ä@a;03<Ý
+ÌþtZëp\ÖZìK©d}Õ~ìîûn¶îîÿ\¯f"Me¤B=2n6ïüÿp÷¯x¬LMEÅÔ¾À¯y— •dZ†´Ù`n¸nËé´|ÀФüýHsÝ3Ñ0I«á×°Ëhš¡‚©ÝÆ/ ¬*˜µó>ý
+H«’δ‘Û ¯;®àà¤bQûÓX÷Ù4ßÚ"u³
+@_ð¸“<fJs1%iDTÊåU·—àuÑJñ—xÍ
+ù©ÚC:ç5U|¼ÃoÐæÒ‰Y>î‰ÔðCéý~Ör…¢ PMnX¹ÏÄ1YVTž/ó²r¸É)‚lpÇ@øê»jW~d¸Ì§uouH†›u²ºvrÂWá¨u쎽!XТ-{z@!X€±*èÎ0Ó¸C ¯J„¶û÷d[Û¯8'”bGS*Â$nB øܨDÀþyï@Lc­Õþ’b­-ù›U˜G…±»wÓrN‰K—´ÆoI4
+õMØ
+u÷Ù"/—a¤ê±Ú™¡­Ý,˜]fÕjƒýÑÛƒÙ,šÚ»Êž7 þø‡LÙº*¼å€=¸{­ôöR›ëÕ8 ãÂè':‚&-{Ï}¡Ö>
+Ï/TxjFí"¨¼­]X³ù4åµÏãÚh‘…nzXá–ò×Xh˜¨Ý»Â–Âu¸|㑸‘ýð\ë¢ #»/ü¬ ¿9ËŠÇ];‘æöG¢{¿«ÂÛ3¬ÄÉU“!8j縓Œ|ˆì¡–£&‰^­ý'¡kë—ñÒþ =ÑÇšž-QKÿ(y%=Ü£BQŽ½ ®…öÙñ4ƒf€±Ý÷há¡H-½(+b­=2ݤtÀÜÃ3Ðzâ2ŸM¤Š˜ãœ°Vä*z0ø€‰%jâ@잇_áUlUû.X&¡@ƒÌ'?üôš±HÚ?ãÁ&ˆ+þ±Öž§¸
+S†Jìz9Ë;GóO}§»~«¬ „Uû€(®ñ8aVMºz{î±²
endobj
-1542 0 obj <<
+1978 0 obj <<
/Type /Page
-/Contents 1543 0 R
-/Resources 1541 0 R
+/Contents 1979 0 R
+/Resources 1977 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1547 0 R
+/Parent 1976 0 R
>> endobj
-1544 0 obj <<
-/D [1542 0 R /XYZ 85.0394 794.5015 null]
+1980 0 obj <<
+/D [1978 0 R /XYZ 85.0394 794.5015 null]
>> endobj
-1545 0 obj <<
-/D [1542 0 R /XYZ 85.0394 181.7991 null]
+1981 0 obj <<
+/D [1978 0 R /XYZ 85.0394 229.6198 null]
>> endobj
-1546 0 obj <<
-/D [1542 0 R /XYZ 85.0394 169.844 null]
+1982 0 obj <<
+/D [1978 0 R /XYZ 85.0394 217.6646 null]
>> endobj
-1541 0 obj <<
-/Font << /F37 802 0 R /F22 737 0 R /F39 899 0 R /F41 939 0 R >>
+1977 0 obj <<
+/Font << /F37 1026 0 R /F22 961 0 R /F39 1161 0 R /F41 1218 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1550 0 obj <<
-/Length 2988
-/Filter /FlateDecode
->>
-stream
-xÚÍZÝsÛ6÷_¡Gy&ÆüÀÝSêØ­;­Ós̵ܻ} HZâ…"U‘´âþõ·‹]P”L%¹Ös×ÉL,‹Åb?~€,gü“³0‘Uv[#Â@†³l}Ì–0öõ™dž Ït1æúêþì/×:žYa#ÍîF²$‰œÝç?Í#¡Å9Hæÿz{{u~¡Â`~}ó´¤6¡š_~óú‡û«;ˆ˜õ«›Û7D±ô¹|{{}óõw¯Ïc3¿¿y{K仫뫻«ÛË«ó_î¿=»ºToKõýõì§_‚Y»ûö,Ú&ál@HkÕl}fB-B£µ§TgïÎþ>º©SfRZŠ8Ô³ mDË™ž3lj0‰V`ÔЊH+=U©)£ :£Þ¯Šó ­‚y³«‹-5ëtÍIJåÁ‡®¨™´ÞTeVv¯ «“ù6íV~^·J™é¡Ù®ËzIO,ë®XnÓŠz›tÛyá~:¯zw'¨qÝ°äâc
-˼æ:­Ÿð˜`ûR
-†Êí…ôV‰™·Åö±Ø¶Ø ݺÛ:­ª'Då¨ÕmÏe2/
-âÃźJÛQZ`Hæ}ÖõÄØxþŠ§ŽVÞ¤ꩬ†çDÌViYçÝ ]ƒÈêÔM^´°i#;‘ƒÍ‘÷“kä «ŒYøUΔ-‘Rb£© ?:—óENýU‘æxhÈôsÝÓÆélô<«Ò¶åöýýw0*‰o·*³M/y±¬©Û²Ïè¨Ov°µ×ÐË"[ †Äò˜nËtQSçH®Q‰Êݽ¡PÅÿ^³>¡s¶)Pnÿ!û6ê¢È™†þu0ƇÙЩfL]dXhÂadÛrQäbP/V«x2 ÍºHé0t’ÇìH
--‘±é1»˜@Î=¯½ð “uý>ðQ®øä|Ó`vòº£GNlŽ¤XãT›@FäS›å£Â0nÛrY;å€ê4±f/#Í!ÕA@&téÊr‚À© Qk‡é’bt$F{» º,ë´s!†Xù窬&sB ÆÇ H$jÝR˹6}ûÖÅ}Bdž_Tx]þVø Ú5±>iQ Âç7R·–¡Æ†¨«rQví”Î’O*­Ê®,˜ÓE$|o\f.&pSl1Q§u檂š·ýrY´u(ú©U´Ì.Ô2óªé]ÈA{ÁÃ.¬hœj9•/ÅuHÁI<±:ÇñÈ”eF% ÒhÓv3T4¿á¹)} á×ËÉÜF«,k…öîÀa7pÜ9–7“øÅ,{"4žM"›æ}æ¼›mIºZŠM5ÃÊŒíÈ°WÖC*Ïžˆ”÷[.àt”ÞGr_QÊ$·¡,[S ¤òÙ“bŽM³ÌÖ0“ÏÜxØ®&Aû1­ú“«ªÙ ™yÈá´øQ~NöùYö£Â–«¾‘¯ˆ@8(*Dj‹¬+›š:ÎC‘ϕ눲t»-Ýv “2‘WÉšõ—¥ÈA
-R·O¼L‡†õk–”7ëÔ+‰`¢SÎsïw?°‡„Ö؆ûꖣί=Ôg}€Ö'‘ò”Ÿ•2›ÆA¤Û‡§Ó¸sK’1C6æø,ÞܾsêÞ”#¼ Êk-¤Áw) õ ÀòRJÀu]Ñ„RŠ›m©¶©Ë6 W‡Â•
-Û'~Ή]“5Æràa•‡zõmÏpô´’N‰¨[•Ë•›Ù9„+
-:6þ¶p”[Š¥QjÝßPžÝ@8Ú˦o}–Ôø
-µ¥¦?«ãÌηq®±UŸû¤N°á†“æé¢ÜõäríäÉ]ïË+Æ6994È(ô˜Çl4ß1½*³JyÅ$ºF"¿Ë{Hs÷I–ùp4“îùиÜ3 Qµú¶8š¸®‹uS—Ùd|åÆ}=ÔèEóè‚#òÙ8ò06
-†²žríuoäxÆÍ`÷1z Ý°Åw;܇‘”±îcoˆœ>6¥×
-²ǣ9À'l-ChtQ\f*Mºmhã‹Í½I\wï/ÐÉËößXâQ¬NüUᘋ·î.ì:Þ/B»Æíz´öB²!J«v9cCh¬ÃÉønnÇZO”¶CÒñx ø™hàÛ @Õgí!ÅP™¦p‹C=T亣·Ðq{"p@¦™zL
-´1\-‡§]3†Ú2°" ¬™i -òÑ›w7âêÍø裓`þýûó‹XÇ
-ðP
-Ç`ÑÑÚl?h9ðÁ}Ø¿¤…”qËi )ˆÄF°
-irÛç&yý~0Èi{ŒVzQ{¼¬Ç€O$€à>ç1R $ôkÀ¡G Z¿l[´‘J„ ’:m™Ñš^Ë(‹$ŠâÏyJ … aZf0,6OÛ`,ýÏ-* …•2úŒw¨Ä
-cªÁ0oì )˜EŧÍ2ZðO챎È|Æ5Tãox‡žáÃCŸ¶ÁHú Ù`ÿ#âÿ£ÖÉ’©± '‚øð×ÌS?T¢™M$Llͧ¨T`Ñ®Ôã*µËÙZB HX¥<DϤϰ X ;ü[²òÃ'‹¢'`Mϸf.£‹…ûÅHu¿^ÐK±æGIz{å_ü$=¼Íá>°ˆ)¨;¼ä¥yÎH¬=CîÚ3@p·®sƒŒn~8!ƒžŸòð) =ÂTZÑþ0ŒoñÇ"?C¾^@¿=ÌcmÚòã°5 鎎ê횣}{Å‹4[_Ÿ÷¿×N=‚N"Ówô‚ä_@§iQ<C“6‘Öf&£P„‘²_`öw˜ýI¿§ jq|*÷‡"l8“a ò8˽/¾»|'¾¿¹gH eŽ®t› È¢Pº2€ÿŒyž¡(Z
-´/\ö¿Uxª
-ÀØ°²„›†Ò–"úò›±)ä|o)¤*£‚Ó6-÷B6ùoÊÂË{­Œº²b™²É–›õéª
+1985 0 obj <<
+/Length 3016
+/Filter /FlateDecode
+>>
+stream
+xÚÍ]sÛ6òÝ¿BôŒÍ
+¼›Û·
+¸Y—Ymç¨$²« ²£ÞÈ»¿K䯬
+j˜–z3mÖ<¼2kÓ²©é¹jvÜ×Ð*¡—Õ„™Ï©g<vÁd>”¦bꃕò,_•`Sqª`Ž ZÕmRø:Š¤ÝdÑ”vˆðêÆ ¼l³©ž×5Œê»U³5]֙ǒºŠ¬Ë"ï¦.Û¿Ÿ_†
+p÷1ñ¬j™J¢ dÓw0<Þ¢çµna’®Óá«rÅjÞ¦©LnïÍöpsäˆDE‡–5I
+Ö*àHošU¥•—µ­YÖ–9ÀZNt¸§‘kS›¶Ûf¬fQ¨Ã…Ú­Jbú€Œrrtiê¬+[Ëšôþµ2U9¥¤„N
+äº%Èšhøì[ä!T>‘áµù£tr”߶4XÎèñ±Û Ë°!ìÊ,L×NÑ!o4í6«LgÕ‚(ë‘ð¼­»r[—“¸)· ÆuV£*)½¶_.˶£y?AeË#ЄZ¼jzër
+l<ª” F=mJoãâò
+„É4ŽfÚ=#pµ4LDbõmy4q]—ë¦6y;¥¡¢D¿¯‡½h­sÄ.Ç®ŒÅÂ`HÄœæÁ·—d¨ã‡fû¸z Þâw;ÜG((4bÞß;¼!töØÇT
+ËUsPŸ€³µ\B£‰â2„¶¡B'\÷"±Í½½@£0í0Å#Y•ºW…ãQ¼õÖŽJö‹Ð® ]ÃVD2DjÕÎVÎcX« äà
+öÇhá¸Ôö£@‡°ywB‘ðöÝ­ýæg<ôQiàýðþü2Q‰„ú 0PƒÿóúîzþʆI4Œ0œ€DGkÿµý äÀ÷fö%%”D~”DjZBR~ªcØL¢} m%ô\$¯Þ9-ÑJ_±<€ÝXâS'¾ brãC‹Àjì¢U¢QF2õµ,ÉÓ’¡5åW.™H€ÿFŸ2”(òe$b+˜A°ˆ zA{â_±”ö“@§Ÿ²PùRÇôŠ}àPä-8©Èä´TF ~Åb‘‰ŸDaü)ËP‡rOZ†óuZD>ù‚BØ_Áü?R€@¨B­g(ü 9¼ zv'Á³•s€Æ’$/ß ÉTõP.]¤²![ÉŠD¬²Gî¢SÒg¥v ¥6v+“¯h(Ÿ{2):VtŠz"¾\Ø @ÕýzAÅŠÏ$éè•/Ü$5Íaž¯¼|—bíQ-dßzFõ¼Z×Õ‚\ Ýþt‚0žäáI@vTR)Iûja<Š?&ùBõñÛÕAå·¯ò˜›Ö|¶æÊBzEGövÍѾãe–¯Žßž‰§Sg “/¸ïè
+wà”p×*
+fŸŒÿŸûUÓþË®ÂVšÊé8$¡äµi‘™BuˆàYÆãïŸÔïÿWfendstream
endobj
-1549 0 obj <<
+1984 0 obj <<
/Type /Page
-/Contents 1550 0 R
-/Resources 1548 0 R
+/Contents 1985 0 R
+/Resources 1983 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1547 0 R
+/Parent 1976 0 R
>> endobj
-1551 0 obj <<
-/D [1549 0 R /XYZ 56.6929 794.5015 null]
+1986 0 obj <<
+/D [1984 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-494 0 obj <<
-/D [1549 0 R /XYZ 56.6929 568.2876 null]
+630 0 obj <<
+/D [1984 0 R /XYZ 56.6929 622.0858 null]
>> endobj
-1552 0 obj <<
-/D [1549 0 R /XYZ 56.6929 543.5853 null]
+1987 0 obj <<
+/D [1984 0 R /XYZ 56.6929 597.3835 null]
>> endobj
-1553 0 obj <<
-/D [1549 0 R /XYZ 56.6929 358.0411 null]
+1988 0 obj <<
+/D [1984 0 R /XYZ 56.6929 411.8393 null]
>> endobj
-1554 0 obj <<
-/D [1549 0 R /XYZ 56.6929 346.0859 null]
+1989 0 obj <<
+/D [1984 0 R /XYZ 56.6929 399.8842 null]
>> endobj
-1555 0 obj <<
-/D [1549 0 R /XYZ 56.6929 177.9166 null]
+1990 0 obj <<
+/D [1984 0 R /XYZ 56.6929 231.7148 null]
>> endobj
-1556 0 obj <<
-/D [1549 0 R /XYZ 56.6929 165.9614 null]
+1991 0 obj <<
+/D [1984 0 R /XYZ 56.6929 219.7596 null]
>> endobj
-1548 0 obj <<
-/Font << /F37 802 0 R /F22 737 0 R /F21 714 0 R /F41 939 0 R >>
+634 0 obj <<
+/D [1984 0 R /XYZ 56.6929 131.5008 null]
+>> endobj
+1992 0 obj <<
+/D [1984 0 R /XYZ 56.6929 107.0349 null]
+>> endobj
+1983 0 obj <<
+/Font << /F37 1026 0 R /F22 961 0 R /F21 938 0 R /F41 1218 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1559 0 obj <<
-/Length 3282
-/Filter /FlateDecode
->>
-stream
-xÚÍ]sä¶íÝ¿bú ÏܪüÔGߜė:“ó]w&Ó\ä]Ú«‰VÚJÚ󹿾
-h&ñ¯÷—ç„ôöâÇóÓ_¯89¿¶<>–÷ûï“_~‹5œî‡ë<³‹{èˆXæ¹ZlOŒÕ±5ZHuòÓÉ?‚£Q?uŽMVg±ÍT:Ã'%RƹµjÂ(›Ç‰VÚ3
-¦àœBˆè»²[í»®lj:bsKßw?3_ܪiמh«ÑˆÅR™87Òx¢gÝéR'*Z»nÕ–7n]7Í'÷Ú¹ˆÖͶ(k‚w®ýäZžÓõM{*³ÈÑXYß6í¶èý¦p¼`¼b˜[:á~Fó»fï+G£]õuç÷!#W¬6ÓÙ÷›@pF<ÕÀ>8Õª©{Ø3,¦´Äõñ³+Ú¾\í«¢å~épAlzöÁwr?õ¦Ù÷ØÊ]ùÉñ`` ¶ëbË´>
-+hcD’7±ïöEU=œJ)£7²Ñ ‘†É 7Šê¾x€óNŽDj‚L”:Ú4]+Hr“§ÑõƼ+·»Êu=öTTÜ7è7eý<ó¤
-¯®¨‹ûÄ~¾<ñaçe »¢l H$t´.ú/Ge}%–` 8
-ì€dJ÷e¿ «ÌÜ]å>5òÅ\h¿E®õš€ƒøqŸ¨ú‘Æ_´ŠõºÄÛ,*ìk™^5
-t*ƒŒŽW©š{Ô°™ƒÔûíóf%‹mw¼Ô"‰.¼eÉ£þ¾¡a>“·„Øn;~)DïPwÈP6`_B(yú
- Ù£,jÛÍ–mÌdý L ܯÝó—>ƒiËœŸ³DÃŽ³Á€ïšz]Öw¸ß\ñ12Ó¯‡ÍVÛS·¸s^·3TÛŠqn j™è¦XýÆóþ’µûÌ4*ÚÈ·z84lšÏo¤ˆ> "„Sèž:B_7³Wém1X´Mñ —T9ñŠ›®©ö½£ÞÖ5œ™p>*•vÐF‘Qƒá¦®10Ñ­ú2,êŽX@¯¥¦ÜR# ƒ`ÍÂúþZÕkî¬lJ±²YsPFh³é†Ë6½¦XÃú`ñvWo=´¡oй)¢×=.YÒF2伧‹žð‡baRt¦ðÛ}×ϸ7àÛ‘'ŒDwˆËÄ p=m’‰t×5«²èýSÆž ¾“‰õ>>„áCÆîWKß3ø‡¯3#L ÷zyöî|úœA£Ûß"Q4«Ò=z2¿Á·~…„T59¨*4éÞPóRxÅo è…†…º~QøÞ4þ‰LÒ@'l,ÉW«‡}½>BæÅIGŸÄo…l4ö]K6½EÇÞÒ~ÙÃÖ\Rü–wus2QÛ]x#/ [<"˜ò˜ÈD DV'çù
-6YñdÚ­J`¿™YŒ÷óeGDfÊT«?„k2‰A¢óy®Á냗–/¬Ìã,M¬ç³('×ÌíÙ£^É\9ÿ“sG8¿É^âŽ
-
-£æa3ú¬o8haß ƒà8K@V'ŽIɉÆÚ•˜Œ²=£Á«]­œ¦±7b¬Oð-q@#;âÛÁ„αMÅÒšÀg¾,Ënúðá²bž<É°‚ï)ã$K4ÔÆnlȱjαþäúžâ; v}ýã+²©×ä®%Q_nݲo–Ås
--E¸T!vU5÷ƒHôZƒG1µØMõŽ‡²8ì:«=…<pkkeô|xÈ ý‚>ÿij¢M¡@ÙŸ
-Œ?¼pR›ys.•÷IÛ…–6¶‰%·õ§÷ðn°%áæLT>G®ÙHÛ43ÛÔ4Uq®} P»»‚“3–„åÀ qLH×›0oš«Ä1i¸Ä’´M”ŠÅÜÚ!ÝÍCª´3Ø7;h4ëf vv³
-
-ǤG•^5ü€…f·e¿œó{WûJ yûŽË0E(Âp½ê0¾…òÅåÚÈ‘x*–/`!c…ñ¹'À± ð“—+<L Ó¡Ps|ñŠ¥~XhæHÖÄœN|<Ýç4ÕàõgDÏC¤i‡Brˆê3^ì?þõ?®5¦ðìrf%ãßk pËdCæ€ßÉñf(Í‚~Îý NÛ»6ó£5±x1YúÚŸÈ~&.¹Î²'^§áãMádóÃá·t·þ_†8üÊendstream
+1995 0 obj <<
+/Length 3209
+/Filter /FlateDecode
+>>
+stream
+xÚÍËrãÆñ®¯àÁ¨ÊDæ |“m­C—W»‘•*Wl Q†
+Á[ Æ¹Œ<Ë{Òâl[ì?Ð.±Œ-7Më9Ú{ v³­Î¥”ÑhÕ #ö8ÂÞésd© ¬§üÄe'vš9¢Ý5õª¬ïð¼™âk8Ñ®ƒÃÔ¾£n~WxÙv(¶ìsj™è6_þ›×5ü (ëâ#ã¨è wø&~ª?4ßßH½ïY—Ð;µ¾j¦x²n›rÑ&ÿ€[ª ˜ø†òÛ¶©]A½m‘×pg‚ùM©”†á¤¼'
+ðí©‰âˆj !p´YØß?+À±xMñ+ ›R,lÖ…Ú8O-æ lzI±†åÁâë.7^!úц¾AæÆ€^ölxll݆mII‘ó™^ÈÀ¤fSf"&EƒWØZ†@"KˆÞ·É‰À`m’ž°tÛ6Ë2ï¼)e fƒßd¤½ŠÇ~V\PÓÓ¾ðÃ’ˆ'Ц_]¼½Ûâ3h´‡5"Eµ±,‹GÆ!õ|ãwHHT“£¨B“Þ %/UQ¹¦AÏ4Ì|Ðõ›Â÷¶ñ&2Ižp°Ä=¾"îV÷ úz|Ì›“Œ> 5<
+éhì{Òé{tw<"í·àZÖ™ð̃ßò®nŽ¬c€ç5ØìÜ+q°$¬5² ˆ`Éc$#¤!Ò:¯‡^õf'fÒŸ¢æU ±ÃO‚l‚q`l×”u7ØjB Ý>sÐÅìåv+>æÛ]U|sêòei,-¤!UŸäó©,¶©LÇ>ßÿ·*œcð~Ož€Ö ÀÅÍ°bŒjî4·. V½?iä@üÁÁzf3¥K<5™Nñ²Ù¢†Ñàµ-À­ÖJ
+²,y‰-„‰“àPRy÷\áTG—9&X•²4©,ÛBh„œµõÔ„Qû-}I¡)ËÎ
+EÝ㟩„<mÿ,êX„Ó9Š~8ÿ'ð£:Ú‚ò/w/ Ë@ãqI:ãbdÿs
+´@¢à¯•¼ `cÝ4Ï×Äe{¾eþ\GݤLbо¥IÒ©ŸŠÙ‹¯÷©?@<þB{í¯7ò$0ŽÒàUÎÀwC\Þöѳ„Ÿ*2ØàìÿRý'ûendstream
endobj
-1558 0 obj <<
+1994 0 obj <<
/Type /Page
-/Contents 1559 0 R
-/Resources 1557 0 R
+/Contents 1995 0 R
+/Resources 1993 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1547 0 R
+/Parent 1976 0 R
>> endobj
-1560 0 obj <<
-/D [1558 0 R /XYZ 85.0394 794.5015 null]
+1996 0 obj <<
+/D [1994 0 R /XYZ 85.0394 794.5015 null]
>> endobj
-498 0 obj <<
-/D [1558 0 R /XYZ 85.0394 769.5949 null]
+1997 0 obj <<
+/D [1994 0 R /XYZ 85.0394 613.3608 null]
>> endobj
-1561 0 obj <<
-/D [1558 0 R /XYZ 85.0394 752.4085 null]
+1998 0 obj <<
+/D [1994 0 R /XYZ 85.0394 601.4057 null]
>> endobj
-1562 0 obj <<
-/D [1558 0 R /XYZ 85.0394 552.554 null]
+638 0 obj <<
+/D [1994 0 R /XYZ 85.0394 465.8716 null]
>> endobj
-1563 0 obj <<
-/D [1558 0 R /XYZ 85.0394 540.5988 null]
+1999 0 obj <<
+/D [1994 0 R /XYZ 85.0394 438.5672 null]
>> endobj
-502 0 obj <<
-/D [1558 0 R /XYZ 85.0394 405.0647 null]
+2000 0 obj <<
+/D [1994 0 R /XYZ 85.0394 397.0946 null]
>> endobj
-1564 0 obj <<
-/D [1558 0 R /XYZ 85.0394 377.7603 null]
+2001 0 obj <<
+/D [1994 0 R /XYZ 85.0394 385.1395 null]
>> endobj
-1565 0 obj <<
-/D [1558 0 R /XYZ 85.0394 336.2877 null]
+642 0 obj <<
+/D [1994 0 R /XYZ 85.0394 216.4249 null]
>> endobj
-1566 0 obj <<
-/D [1558 0 R /XYZ 85.0394 324.3326 null]
+2002 0 obj <<
+/D [1994 0 R /XYZ 85.0394 186.4354 null]
>> endobj
-506 0 obj <<
-/D [1558 0 R /XYZ 85.0394 157.8838 null]
+2003 0 obj <<
+/D [1994 0 R /XYZ 85.0394 97.1422 null]
>> endobj
-1567 0 obj <<
-/D [1558 0 R /XYZ 85.0394 127.8944 null]
+2004 0 obj <<
+/D [1994 0 R /XYZ 85.0394 85.1871 null]
>> endobj
-1557 0 obj <<
-/Font << /F37 802 0 R /F21 714 0 R /F22 737 0 R /F39 899 0 R /F41 939 0 R >>
+1993 0 obj <<
+/Font << /F37 1026 0 R /F22 961 0 R /F39 1161 0 R /F41 1218 0 R /F21 938 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1570 0 obj <<
-/Length 2395
+2007 0 obj <<
+/Length 2116
/Filter /FlateDecode
>>
stream
-xÚÅYÝoÛ8Ï_¡‡{5—¢H.‡Í¦N/‹&é¥ÞëaÛ>(¶’%×’›fÿúrHY²•n÷p(PMÈápf8ó›!Í"
-ÿX$S’n"e")“ÑbuD£[˜{}Ä<Ï40Mû\¿Ì~<*2Ĥ<æ7=YšP­Y4_~ˆS"È$Ðø÷Ë‹ÙdÊ%OÏÞ
-jô yT\GA–'Ê¡¨i0iª8%RjÝHÂzb81ZEŠCð&2qüÛåÕÙë3ˆ{É9aפ¨¦Ùr¹!Ùfí»/Q +f·×÷©o% ³ƒGØ_éªIJOžôà Ō“©Và ë””RÌKÜÔ5éEyÜ3½=ÿ*Ïìðáÿ¬Ì0¢!n¢)WÄÐ!P
-%œ5Ñ爚PÄ1õhgëÎnàdz^Õ`QÔ3*žö%;£Ò~€
-\*‚ä LB‚Xç
-4›ÕÑøˆ©\@ëMC³ò‘ s—h8ìaßÔeYß»ˆ³ñà]¹ÉŠÒõx‡lmH‘¤6úB£äXrðýäèîYƒ*ñ|‘x÷PµÙןFö·])Kå¢È~—("çž/ÅÓ›§
-ó¦Yq!Lcbñ}%…ùrÀ]gËœç¬ñ›UHl«ÏÐÆU–¸b¯Û²‰€`V"® iË|†2—¾›¦EX ¦ pEgn#é œ±îéÄ7øu(2 èíŠEÑŽ•-L’ˆ±
-οÒ Ù‡×pï,؆¶½¶Õü¾hò= ~®Àé«ä[u
-ÆÛK•¿Î ¥ å¢z£
-‰'ãh ×$DAböî80ÓU }¿ò|É7žËyd'G£C” ƒ8z—ùýÖ›ÂÝÐö–ŽàMʈRòaÀ›$ qUW‹| Ö¾7¥DC2¬ ý@ÂG÷Wýg‰lIûPÇþ°7ò‹žýå祿î¶ìákÍÇäJ“Dƒ¯”µOóÍǪÿ’ÍGendstream
+xÚµXÝsÛ6×_Á‡{ fJßnn:u9§N,÷µ¾i’Z¢mÎP¤"RqÜ¿þ_)ÓqziÇ3æ
+X,v±»¿]€DþH$$’šê(Õ LD´ÞNpts¯'Äó$)ésý´š|ÁÒH#-©ŒV·=Y
+a¥H´Ú¼‹%bh
+püûÕb6M¨ÀñÅü P„qAãóŸý²š-Ý„ô¬?ͯ܈vŸó«ÅÅüõ¯Ë³iÊãÕüjᆗ³‹Ùr¶8ŸM?¬~žÌVÊ}³fFß“wp´ë~ž`Ä´ÑüÀˆhM£í„ †g,Œ”“·“ÿt{³véØ1QFP*X”0ŽlßgzÊLYcÃÍÕZ~•Ž„"­×G‰b°3œü³²Ü: ²<V E].9E\rÙ¹œÒˆ¤… Æç’"–¥„ÁASn}¾0î°œ ɉa$ óØr\MIâü§ñçLœÒ4’RAl)n¶Ž>Fa®5sL=ÚÚz<;ðý|K£W5XõŒ
+‚“¾dk”¤½8†ð.Ø_¥(å0e4^ÝçÎ*Éz¬àD,H°êWËùë¹·~ ’CD,=_YTy3M˜ÆqQ¹o â-‘OŽ?gÛ]X²½Ÿº5SõÞýØíë)ñ§bSTwnh]W­[Þz¡õ—„ƒ–piL£¤s)¨WWå#ð¿§4u”AqìÇ7µûVuë‰|7MºNEXžív¹c„8CIÐÅL®ÛCV:úÐdw¹1òŸslû¸›;
+„–¡GDú6øæ<–’sžôs>ð é­
+8”¦“œti—P¥âË Žzïh/Jéø¢Þo­Gaô!kQTE[d¥‰ós“¿Ç˜VÖOvÖ-]^œ»¨ÂQYåyî(7‡›&ÿxÈ«6H»ÉóÊQùç6¯6ùÆÄ,ÄÈõ½Ñj$&]´€Ý ƒÓèL
+Hòr\ßÛ°cÔAPÌùFœ£€(³›¼tsfƒHf¸ÿÙ]ü ¦y¹1¶2Ö²8kvùÞ%
+ñ¦ÚB˜vå‡Ä…«'Ä×j;8Sã<gí¾YõèˆCõz¸ÂBÊÆ­8©DÈôk,À—‘èV†œ%>=‰ÍÝ}Ó:L ¦ @Á‰ÎìFÂW7‹`nÂ7î›ÙiÐØ뢫7$p6 ƒÜ1ÚHF¿ "\DEÊ"©Êû 0"HLú"G@B¤
+Ñ#kó˜8àÉÿSÜÜóææù¥_ΖÐY¸}±4v=dm^ÜŒo!•ïïFÂ…@¬
+ÎÕWQTg~›_°µÍ/øýp¬)fÖ]Y¼zEe!bD/;µa²ðÂw5,1Іe<¿»Z†°ê@óy7A—Ç™ölA|“\ñÄæµI§Ï\C;e{8Ò;ò€lE{?Z4Á‹ŒÒ? iÐœÂk¸ôBÏ^›jþP4ù ¿TÀû)ÿ³:ãÍÊßåXšBË…Õ0F(p<ci®<D×'˜é*оßÊñ|Ê÷žËžÈQŽrÒ8™0øèFï3¿ßn_ØëÙÉÒ¼‘¥©øŠ[0à ç!®êjÄšÇ&i
endobj
-1569 0 obj <<
+2006 0 obj <<
/Type /Page
-/Contents 1570 0 R
-/Resources 1568 0 R
+/Contents 2007 0 R
+/Resources 2005 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1547 0 R
->> endobj
-1571 0 obj <<
-/D [1569 0 R /XYZ 56.6929 794.5015 null]
+/Parent 1976 0 R
>> endobj
-1572 0 obj <<
-/D [1569 0 R /XYZ 56.6929 744.8677 null]
->> endobj
-1573 0 obj <<
-/D [1569 0 R /XYZ 56.6929 732.9125 null]
+2008 0 obj <<
+/D [2006 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-510 0 obj <<
-/D [1569 0 R /XYZ 56.6929 543.6554 null]
+646 0 obj <<
+/D [2006 0 R /XYZ 56.6929 617.17 null]
>> endobj
-1574 0 obj <<
-/D [1569 0 R /XYZ 56.6929 520.4617 null]
+2009 0 obj <<
+/D [2006 0 R /XYZ 56.6929 591.42 null]
>> endobj
-514 0 obj <<
-/D [1569 0 R /XYZ 56.6929 454.9346 null]
+650 0 obj <<
+/D [2006 0 R /XYZ 56.6929 518.3317 null]
>> endobj
-1575 0 obj <<
-/D [1569 0 R /XYZ 56.6929 428.471 null]
+2010 0 obj <<
+/D [2006 0 R /XYZ 56.6929 489.3118 null]
>> endobj
-518 0 obj <<
-/D [1569 0 R /XYZ 56.6929 382.3129 null]
+654 0 obj <<
+/D [2006 0 R /XYZ 56.6929 437.3327 null]
>> endobj
-1576 0 obj <<
-/D [1569 0 R /XYZ 56.6929 358.6389 null]
+2011 0 obj <<
+/D [2006 0 R /XYZ 56.6929 411.1024 null]
>> endobj
-522 0 obj <<
-/D [1569 0 R /XYZ 56.6929 169.2073 null]
+658 0 obj <<
+/D [2006 0 R /XYZ 56.6929 208.889 null]
>> endobj
-1577 0 obj <<
-/D [1569 0 R /XYZ 56.6929 142.7239 null]
+2012 0 obj <<
+/D [2006 0 R /XYZ 56.6929 179.8493 null]
>> endobj
-1568 0 obj <<
-/Font << /F37 802 0 R /F22 737 0 R /F41 939 0 R /F62 1062 0 R /F63 1065 0 R /F21 714 0 R /F11 1397 0 R /F53 1029 0 R >>
-/XObject << /Im2 1051 0 R >>
+2005 0 obj <<
+/Font << /F37 1026 0 R /F22 961 0 R /F62 1361 0 R /F63 1364 0 R /F21 938 0 R /F11 1451 0 R /F41 1218 0 R /F53 1313 0 R >>
+/XObject << /Im2 1350 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1580 0 obj <<
-/Length 2939
+2015 0 obj <<
+/Length 1853
/Filter /FlateDecode
>>
stream
-xÚµ]sÛ6òÝ¿B~ g,_$ˆ¾¹‰’s'uzŽÚé\šJ¢lÎQ¤"RqÜ_»X€¢lØu/w“™` ,ØOì®,&þ‰Iž2®¬ž«YÊE:YnNøäÖÞ3 HÓ1Öó“Wo•™Xf3™Mæë­œñ<“ùêSòú¿Ìg×gS™ò$cgÓ4ãÉ—WohÆÒðúÃÕÛËw¿^_œÌ/?\Ñôõìíìzvõzv6J§(Oâ_®f„ôöòýììóü§“Ù|¸ò˜-ÁÞ÷ËɧÏ|²î~:áLÙ<ÜÁgÂZ9ÙœèT±T+fê“'ÿŽVÝÖ˜˜œ©Î™@ã%Ç
-ɬMuüX>™ZŤÌìÓ´hZ ;ŽI´˜Á=y
-G-J9‚Ù4•¨FË™ =£M:-^¡€¢ei¦â ÎR%áâãÃÙ4Éþ—É#u
-~½£ÉEÛßÔ®i„ëmüÞùmåÑ–t ·£ SMדÞöåŠh½ aUž)ž|­
-=¥ˆÖW(iòd½k79cB
-™È™Jsådˆq<e´À9}•ÊOçó÷½©v岯¾–£À(‚>¤fV rä÷M_|ûÁ#ŽV)KE"”#îÒ±ÃÉŒåÚ[•ëb_÷Ó¾¯#'g×µ^õ)BMe›Ô#,ÛÍå1!-àP}&·€Ìx­
-"JÓè­™#ßòA hn¼-ð©Úè\eÚÐLkV‹hš™åT}$uRu:Æ$;f >1˜¹Üù4
-þ3ÒM}ÛEna çò¥Î÷° Åàî¸-Ë„LMp´ºèb7’–å¹±c7{@&…+çáÎýýÖ3¸‹2¨Aßàÿÿ÷ ¨©‚LEÁÕbADaÇñI2“fjlàž¹ÎÙ6@=†™%KrÉ¢/i¾ ¡+wUé79G…‘0»vï€eIÇ ¤î²%·¹©ï ZUkDY;Û‡ïµÛážM SË[¿ƒò ~kÑÐXãðôcióýiàú(’ü¥¨ 0Ȇi‰‡©,£,!3^f8ƒ2ñ, Cº'ø¦lðN×y-Nweßä’Xz$'\¤É/ûŠ€£s „äí¶Ýõžâ~AÀ+©Ç›¿–»Î'S‘#îWe]Þ˜© A®[îªÅ3AN„^£3ÕeçwBzñæÍ5»¸þ…yè…¼Jt4{³ýp}ùîjº b"g˜NH6¢{Ábo× Æ?Ü'¦Ò áê#g׿ͮOÙì÷‹Ÿy?{)(<¥áõÕÅÏ~ñ”ñx„sÞÔâׂgü%># zœP
-ž‚ ¨%†ý9>ðº*·Çheá–žP¦½i–\Ô5MPfké’ž¢g(Í*,Ò›}çi.ʘ­oÛ®Â|ï‘a¦Ê Êý±
-¿Ï,Ð
-ENÈcO#LçL b+¹U[×Å.нi¨¬s_÷›E[wôU>óûjë¡èÁ|”ICö—¹ÈÒvý8!¢C]‡oëb )†ËK¤”ÌŠC¿ŠŒÚ%w&8«1‡ìÎMÃ[º/ѯ­:Ô²0ãÜ/4U >ÛøU5¨µû~»Gï“yšÜ·{ZnJ—÷ÀzïéÁ.×÷›ãå8ƒˆjFf<TûŽ#­ë"Á°(–ÿî —º¥­P›¶B€L{›X‰Àl.Ô¡§´MJvÃ"Ä  5b¨™š3Ž˜~ÆÈŽNû6®+󘼟–sý¬ÁŽÄ²)îIí“Å¢®ý·s!×`ÍíK‚qöÞ·B ¤Xì´)aÓ®¨=»ëH w·JƒßÞRyŠÓäÚÚÅd,>\ðÆïCõ[´q…¢6ʽ!¥kâ1ÕÊuµuq<«E‡fk°Ò‡Kž‰äpOkF®b30Úž®±Ú/߀€nkED½Â@º’‰`,ë¨È­Ù(FÔåº'Š‹¸¤pP%骂€UûAþÓÐ~2VæÇ2å8ÖZ>á)Ú²T¤ÏY<øs!], ªcGR8²ÐõS6Šÿtî´÷éUôùs„²…³³¡•póïPÜ$o]È¡”ߊͶ.Ï#WÊR&Ô;ŸäJ¿”«©äçê| –)õ G€¢Ò«\æv̱Ê{0,d%—‰ä8ªqÝÎ¥·0?8Óv¬¸
-…´lãɈ£G'•¾Îy*™S›`é_år:µGíA ×´=Å¢kë}ïÜ÷POé#'i%‡®zèõDx2pº4N/@ŸÍjHAŸÆÞ ÿ‹[ë»+¡=ŽÙ|4ávQYIü•o³-újQÕUï2íÆÀŲØÕ•3 ˜ÆVöÉb\Ãrk‡·-ö¸ UИ+<¡ë+¬ ‘~($nšêOJsRú½[›Íª
-¯/<CÜ>ìb.÷úb ò½w—­øèszÜÎDaìéÊq(Ⱦ³Ä/ÇŸA_
+xÚµX[oã¶~÷¯Š
+õ}î}üÄ£X÷k3•g&úœ‰<—Ѳ§bF+ÕÌ,zw½í
+ÉòÜèn±<JrŤLó·±h¬@6;¡öQL­˜åû(J Árc$†1çÌ
+ˆž5È–RGèaÏ™3“jŒ‚3£$hî9nûI*â ü—ñ«x
+O• MBYƒMBA_ëMÞ¯ëG¢ÖsA½eØ;y,Û”Ôð;\3µªjŠÛÖÍ»ì 3×W<þ\äz~èòºD÷H›ÅóÍzI”O&$0™~ ²LˆåŠz»q}1spD;ØËzѹe©‚´h×ê·•?6PQ²oaßÖœ;Š±bßPDDZ
+ÔiÓ¡<¸g2íz“)ËtÞ”ÛÌÍ‹í¢NêzÑ!9͘Ժ)ªh
+ÛšÀ0]/—X'¯À™V Ð'ª
+ØȬ…ã
+(–+™‘y
+MæœÊ‰ #}LúJx隯\Æk¢oÐ{žú“Æà hbj{_¹ç­/füÞôE»éÚ³Š&¿”XjHmW3‡íq…uãåMn*¨9 þ;Š.ek)JÓX¬1¥z@±z¹À)´Õ™Jµ¥™
+[Í*Öi~è³}¨¼N¡n¼Ž-aÛ&Á'ö2ùð „Tp¶ìd¶NʤÁK Ñ„àé.µÓØû‹Îû¢òmßßX Ñ5ü«v«
+ÚÉÐwDb,„«áh×!pédø·WD“Ÿ‡R^'sª窩ŸVlU‡F²ŒËS‹£»Âš(6…áÅuaåLHc›B[U—F2gYfóv™½€1 rÖè\}
+n: Ôo¨ÿ¤ü_*Q<g
+Tymß
+Øa’ÌšTµ\Â)WùܪÆÖ ÓxJ%YÔŽæ *·)]Øä Fâ¬Ö[OL¼îˆî/K~ójñ•¨Y9G–¹Ï}øžûþÔWLúf y¶+K(œN~|tÕ~ÒX}pHÿWWÁË Ýݦ(L¥)]R|†3è3]¤¯D?¸êx}ÕâtåêŠ('¥W~ÂEš|Þ–DȱВŸžÖ›: nï‰x'u{óg·©Â]ª1äÀú™[¸‡/*»&WM7åý‘&'lhBçXL W…pÿ\\ŒÙ`ü9hð!$º³‡´½__]ã.…žÈÞ&$káX×5+Dûî‰$â'Fw4Þ Ç¿ÇgløÇàý‡›áiPð òŒ†óÑà}X<c¼»Ã¶-jÎŒâç‚îÍø A<â :œÐ].è°J¼a•ø_äQ÷ˆc@-×߉á“'‚ÊÓ@Édƺ À÷Ýi&Î7äuœ«áA1W»²—ôVÀ¡ò÷3K5ƒ°¼šñþ_ôÐMei<Z7xtøû ßW ¬ð¶| wU9 ¼>÷Ê<onFìðÈ)W^Œ Wì†#À)‹.wÞ‡SžžšžoÁÐ5v×”MPÈ î"å°Ë„*y¢¦?…ž‚Ï»Î
+iûù _üuýËíÝ$ Å=h²WÂÕì¬+­NÃÁ@âø§‘}w¬QdßÐ(¨ÉxÙ­ˆŒ¬rgŽèrK÷ÆFýFû7wÊã"e—»7ž,R©Nßx\äÑ.Bnƒ±‡L_;2ãô½]Ú´úBÀµÝXYxð[•ò*Wð·ܾñK%R.2xðKx«ò¬ë§J¾{Å|ó£û´e*ËdûWÅÖ½˜k¦<•à‚X¾isûÒFeÌdþ­¥û
endobj
-1579 0 obj <<
+2014 0 obj <<
/Type /Page
-/Contents 1580 0 R
-/Resources 1578 0 R
+/Contents 2015 0 R
+/Resources 2013 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1547 0 R
+/Parent 1976 0 R
>> endobj
-1581 0 obj <<
-/D [1579 0 R /XYZ 85.0394 794.5015 null]
+2016 0 obj <<
+/D [2014 0 R /XYZ 85.0394 794.5015 null]
>> endobj
-526 0 obj <<
-/D [1579 0 R /XYZ 85.0394 632.4903 null]
+662 0 obj <<
+/D [2014 0 R /XYZ 85.0394 655.4043 null]
>> endobj
-1582 0 obj <<
-/D [1579 0 R /XYZ 85.0394 610.2141 null]
+2017 0 obj <<
+/D [2014 0 R /XYZ 85.0394 633.1281 null]
>> endobj
-530 0 obj <<
-/D [1579 0 R /XYZ 85.0394 529.2753 null]
+666 0 obj <<
+/D [2014 0 R /XYZ 85.0394 552.1893 null]
>> endobj
-1583 0 obj <<
-/D [1579 0 R /XYZ 85.0394 502.1142 null]
+2018 0 obj <<
+/D [2014 0 R /XYZ 85.0394 525.0283 null]
>> endobj
-1584 0 obj <<
-/D [1579 0 R /XYZ 85.0394 294.2616 null]
+2019 0 obj <<
+/D [2014 0 R /XYZ 85.0394 90.0274 null]
>> endobj
-1585 0 obj <<
-/D [1579 0 R /XYZ 85.0394 282.3064 null]
+2020 0 obj <<
+/D [2014 0 R /XYZ 85.0394 78.0723 null]
>> endobj
-1578 0 obj <<
-/Font << /F37 802 0 R /F22 737 0 R /F62 1062 0 R /F63 1065 0 R /F21 714 0 R /F53 1029 0 R /F41 939 0 R /F14 740 0 R >>
-/XObject << /Im2 1051 0 R >>
+2013 0 obj <<
+/Font << /F37 1026 0 R /F22 961 0 R /F62 1361 0 R /F63 1364 0 R /F21 938 0 R /F53 1313 0 R /F41 1218 0 R >>
+/XObject << /Im2 1350 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1588 0 obj <<
-/Length 3114
-/Filter /FlateDecode
->>
-stream
-xÚåZKsÛF¾ëWð°UKU™Øya
-iÄж%rf
-of¤‚$ ñhœs·ÎÅy U|Ú>æ¶R¬òY[ÏÊâÉöÔK,Y?å!¯òMÚæ57ç<žæ‹Ú”Y’”,š^/i´ª[ª4Ý‘™;²hP iÆ9Q‡´=eIR¾Ï©,ªÇ|SÐÐÜ6Eõ@U¢ *U½Y¥vÙ|þÃκ´ZØY›óxº-s ‘ä³r@Å¢L›f„B,LBËÇ´ÊF¶âI ÃHÙ9ãòà"PJ:y,Òj÷ÊyÕæÄØÌÝÅpç Õ-Ë¡ Ê UAEpO
-UºÊaÓ뮓´ëEÞ4NšbU”éem<^MeùØw¹oãW/‚>þy- Â5‹Õ[åáÈ]°þ ÁIÇQâb{™ˆâ@Å`¥fZÂvœ¦“˜ÅH«ÁªñØÂ}þ˜ÛF®a’îß>^Ý\APšˆéüj €Ƥ³¤YaýGKA•'p >îÍkóª)êj qG!DÒ­ÕËAÔ@¨“‘ÊÛUÆí˜:ÒÖ—,µ> põ,ÓŒƒ‰’"6÷ôÄ¿y3 ÄZ õºâ÷B±î—?\ÜÝõ$åeæEcÕ1n Œ9çLÛÜÐq>㌱éE–þ!
-w±æbcÊ ÛLWf»k`¯”@–ÝŠZ¨[¦4&Vj†@>[<ÄG´±;±‹‰?Í`Ïô¾(‹öe÷DÂGjÿhÊl»ZïÎ#ybä9@£‘"œÖäq±J”bÜÊ°G¸ÚA8cSÚ9 Mú<FpD‹B»Ò h,Û ]¦j{‚®ô) vB2M;3µd¦ž8{Z-©×ƒíS*î‹*ݼøó Ìè<»AäyÒ.ðòÍ¿»0 #˜[YÚ¦N¹Lö°h·Î§šñNµá¶œóé»NhàþÅ¥ØZ¥›/À ÛW¬¬½ÚOhÊ:ÍúÞ=†µ§§*¬PJÅzS¬ cDW¾y¢ !ʺIÖ(@­3
-P7Þ)¡x‘„¸¯ónÀÁÀ&z€³yCeþ„>|º ÀO«©¼·Tøq74—ÄŸ]ÈÒßéàèeþ‹ØX5O1Œ,
-s((0³Ëâ¡šÙ@Z\@Ì¿#Ô•Y$”˜65•ícj{
-Wš7Xi#l¯¶4PÃø‘'l¹ñuÝ4Å=L©Á6.(L¡ÈåZ«¬¿UÖßB¹mÜHYG–;s"©xXòÁn•ù˜Â6/`ÛW YZk
-¬u¼ÃjPü
-Ý@ŒI°/¥.ÒB‡3hØkbX\8
-°-AZôb4æÀÄÀ¦&¾†CVé—|‡–žßØyŸ.¾l×ö>ËžÓÑé9d²F8j´Á+Gº„j, EýA0 ”Úêú@Ãý¬mOý÷Ó½ÞÐv§õ£æ%[
-âí’-Å¡eì>äØTËÿƒëˆ2¥Wq
-m_JÀ`uL»ÍÝæ ½°ø<“,
-B Ï?áÝ–¯P-94(/Ÿl‚P”L«íêÞ 5"#Ž}E'h½¿¹£a‚§½ Bã1¢/yJQ›~ú|ùéýÕ>„XŒ±ü„ì@°
-({DbëW{!Ó0 +u#Ÿoío(ð³Ïa$žŒ  žìtÄŠ¿byžŠ+ú&ôiÛ>Ôob¿ÿ7~ÏìxŒäˆ;4 *Æ; bhÊîB#ö@Ä!D¬ìQt@ …¦ï›¦F_-CyyfÆcNÝýc+vÛPµ.Ÿ¼OÃC¸ÿhCIçé×.y*ògü sDNÅÿ¿²1/ÊYòŠ5æ
-’«Ð~½¡$s÷ª¹—/ŒëƒwÖÉ,óQú{ð/à‘
-Y½6A8EàØJïA)¨ê™i©ýxaL¼o¹°ä*OÆ…?,Õ)aÉx3&_%dR 2ÿîÞeÉÈ«þw`oÁ¦wàÉ°yô=6ý[ì`Sï`S;>ØG
-aï„S…G‰î
+2023 0 obj <<
+/Length 3601
+/Filter /FlateDecode
+>>
+stream
+xÚÝËrÛÈñ®¯àÁUªDì¼€rÓ:’£-GNl¥*¯ ’(ƒ
+·ûí‚ù2Ž‚Ù ˜ÏãX̶*~ ¤t3ÅŇ‹´
+,ŠcÏ í¡ÎÒ+
+
+»!± jÒl™o“‚Æ}™o*÷5#”æ»$M}‡„¡U[rc2§¾ØÅD*î]£oyLò"Y™]m\-3Á(u[ÕÅ5-vtVÀ¦ ¤I5Z—žNp#„´H‹N]ù±C2Œ¨øH«ec"õÉ#5HpìĨš81ðO„„"ö6 ½Éetêú: û2i‚¤jtcBÇ…¯e«gÿšŠ5ÀÐnNPÃðևݎx½¶¦LÚ¿—ùÂpñ …¸
+ås,¡àû’qWŽ?Bþ[ S+­-¦¹§¼°&da?6]êBŒ!†ùŠÆyCã'ú …††ö=BlC;#4"ó©ì§gYL.ìRfršÍÀÁÜÐÁ§4_à[b3»Ä‚Êv l6ž˜ƒI·1ëØW8ô= òrYÒ¬Ñß@¤®=ŠbÃÉÏRÞ²Úî’&_äEÞ˜ W¹{ÂÇ,Ù¹IFa‰Áp=3p­ý(nù«©xŠKÓÿN¦ð„º! Õæ®ë2ÿJ‘u@$„6/ÓÜ|ù°8TÃû,á&àC9µô0²¥È+GºÑÈž.Vô‹
+ÐHŸcîg FS|³Vña’mDϘ$[}0|›Í›j^ävÆ„-ŠuKÖY‰ù‰1êYeÂÆ£d;¹³u $í‘©;’|Âså(,k™ãí&Ûç³O6µš(ˆœD<<¼ìKÊ¥]µ¿Œ¼C‘Õþ·ì%dÊS](0€±‹¡mú5Öˆ~íTfšÀ1¥¤ã&{W#OÎ6K‡ò
+ŸŠ"N$Ï:c0)é}úYe¹ÿ «È×±>_”Sj¬¢³,:'êp2#í~3gd¼ÿ­/ã0?!ã\»Â2,·µSX¹Mšå†&H»¼¯Xiž°Ö-Ì8:Ó6¶µó=Å9+·üÿNn{ñ³äÖÑþå ÝŽ“r+C?Rã•[Å|a5ö¸ûö£…)Õ"± jÊ]`Ï«‡ÈÝmL.þ3É‚E:<O.ašTd‘õ<d3½‰L¤Vñ®2i$¬«îqÐì쇪u"þ¡fÏŸEÍîî¿{}û±7; ¯ Í—(²|F¼ÿXøìÑPh`AŠ>—J$Ä01ñ¶
+v`ZÃ<]©ëÂCݦ(onîoÞ›ºÇÃÍTMBBî--Jsk
+KzæÑÆ„ÝÓlö¥ÉJŒgí÷2u!‚5¬AÛ^µ…5 )•X쮯ôDh#õÂö± “46'Š øÒ;Î…ÀªÙៈš´rq}‹H )uåpéW+»£`¦½Çë·×> ’‡^<Óúã0)ÔP»o}9çŒ1ï:Móþ!·¹»Ø­¹Ø”šá“/ಗóZ̃”d.çÔ|þ¨¼ãèhŠ?Ž…8ÛÍDŸz3iSšÞ‰6}´‡P©ˆ~Øî†ëˆŸØ#~N† ¦ÐÉIE> »„)zþ@„«„3æ3Õ>£ì“§)GÌQZº’ @µ™Íˆzy>=N@²Ô•û¹SbÑLzììpµ¨ÞÀ'Ô,ò2Ùûëmø ®G¾}N³ÅRÀ¬À{‰ø“ d0he+Mš¤5¹/›C[ÃÄï­jµ!=~X]ðŽ£m²ÿ ”°sù–pªŸ§E•¤ÝlîJl¨§T7+”P³ÛCÆ„1&öûǬ}†aí"k ×è›P'î=K …CKˆœ¸>/ÌdŽ¤Ã
+åx!‹«ƒ“—±É¸òVÄr`x3]ê¿jß°j”α
+ÖÅÅ¿ã"'f&ÂYyX»sá­‰3B¤± 
+ú&Ú7JƒV¯¡ïæ 0N˜G¶Pžz cüO“n.kÐ*âмSØq,$|Á"·‡<‰­PÃOø‡’‰g!L Úö ÐXŵ{ÕEÃjïEv:mŽcB‰h”šT`Ì Œñg«ÆåmöIY¯zy‚iŸè0T¨,Ž­Rƒ®º%‡Ø›Øw*nË“èå Sî4¦:å…¾QÞn‘3ØoÕúøt_SD•tû¶ÚŪªD)㒤̳¯íÀfŠx„9ëtå#ÈN¶'…¥ŠºNa->ÄqÊ{'üsEøÊÙ«‰÷”4ˆþfh È2«k¢ ‡„ ¹zS¨Â©½µ©-‡¶Æ¬µÖæ†Ô#®/¹õÒN¸/„œ£—©¦•—Ž"ma§*Û-›mLggݲ)Å„ðY1ñ”ä2RÒJô:ÉKß=F~H=ôP×E7_cáVòÎ%~Kþ­ÀlŸG
+1— àŸgB‡R³èêœQÅîÿ1‹TÈendstream
endobj
-1587 0 obj <<
+2022 0 obj <<
/Type /Page
-/Contents 1588 0 R
-/Resources 1586 0 R
+/Contents 2023 0 R
+/Resources 2021 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1547 0 R
->> endobj
-1589 0 obj <<
-/D [1587 0 R /XYZ 56.6929 794.5015 null]
+/Parent 2025 0 R
>> endobj
-534 0 obj <<
-/D [1587 0 R /XYZ 56.6929 576.2576 null]
->> endobj
-1399 0 obj <<
-/D [1587 0 R /XYZ 56.6929 551.918 null]
->> endobj
-538 0 obj <<
-/D [1587 0 R /XYZ 56.6929 341.6876 null]
->> endobj
-1590 0 obj <<
-/D [1587 0 R /XYZ 56.6929 309.582 null]
+2024 0 obj <<
+/D [2022 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-1591 0 obj <<
-/D [1587 0 R /XYZ 56.6929 247.2548 null]
+670 0 obj <<
+/D [2022 0 R /XYZ 56.6929 306.3415 null]
>> endobj
-1592 0 obj <<
-/D [1587 0 R /XYZ 56.6929 235.2997 null]
+1797 0 obj <<
+/D [2022 0 R /XYZ 56.6929 275.1221 null]
>> endobj
-1586 0 obj <<
-/Font << /F37 802 0 R /F21 714 0 R /F22 737 0 R /F41 939 0 R >>
+2021 0 obj <<
+/Font << /F37 1026 0 R /F21 938 0 R /F22 961 0 R /F14 964 0 R /F41 1218 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1595 0 obj <<
-/Length 2730
-/Filter /FlateDecode
->>
-stream
-xÚÍËrã6òî¯Ð‘®1
-ü( ).î/~ivv‰tHia¤|­B3¡kàñ¬c¥o„>U
-´^ñ&©Ù¯,éï"«ªã]Ñ EEŠøçM¾E´(ò*d…^™=¦2É;i9·[U™}Íë&+Þ)ÓeV÷ùrÕ °ƒ³3  âÐËKþmð>¸˜±Ep9O›tšÖ„‰‘Êû9ÍËþé€ÀtO´ß6Ïv—‰òücFýEúMˆ.£GãCðü£°xi,©
-*P¤æ@‚SôÊÌå]WK[ÞgPH¬X+ùGyÙSxÕ2oØ5àƒmÞe0ÏÒMÑ ²«U—­×Žo ;ºÀÙfÍŸeSì'ì*ÞÛÔèH¸ÊQ•é åÄï¦bÔG´*ñœÁ^oÓº$.¦³AyŸJ»“׎¿=Ú‘¬Š”aÀ&ûj,Óf¨²Ï7ËiJÇt¼Ò‰U”ÆVC¨Â®ëU6ËÀ؉7Ý[*À>u}ißHí|ÿp‘±ezê§Qâë q³ªDÌÇÍ(«’ϪV¸FÖ7S(IÕ,(n‚~Ù2˪Ɋ=#±žó) ™Nj?€\Þ‹ãmžv VÁÕ
-B¨kB$§*°l†‚’¦1Jwh²%õgxÝÅêÙ"f/À ¶
-z¢=ØmÍ ØEÖYvnN‰tèC3bfç½õãˆwCcYÿ|%h±¨rCúfÑh,SP˜Ž¥‘aè«P'=qNêQ‹õ„§Ü(Rc|j½1¸#ôŽö'¾”v–ÄñJèåX
-!¬öû%ú¾Î=[¾ÐOB¦ÊL¨6Ya r<bŠ¡Ê«iö˜—u? òYø) ×~ë–_²ïîv”åÞ¼y3|í‰-
-úMb°“0é¨N ±ï =Ðä´C®)G tR—D± ÕvÓþ¦üŠ(çŒ7gª_Ëü+”Ò}a979‚&]®àâ’Þ2KëÍabŠÔ²¬3¹ûÈË™åðSZnÒõž‘åÛ¡"/#0õí]C÷Qíòò”bò%› )ŸW«ð›2
-Wqø¦v~{Ö„¼ÄB¢SÀ¢ÃC›Òá7ƒŒðÈ_û@˜ÚyVÏÖù”Àxî´Úf>_î
-¦³Á±®‚¯îTŒnÛ:ô.×_ x`?éGt ÈÛ¦#·ÄŽ¿¬UÍ[¤^øEk”X^Ö.΢l8œª)¥é[C¶conÓbcñÈð¤cÀ¢ÐÜŽ¼I þ`ƒ¬õ¶Œ¡Z¨Œ· XãÒØž`é6Í‹tZXךYÒk‡6e_ßb{*¥ôðâFv;9mœ—ú"Ýf Kàn¨­$,BÛW¬¬†º>`Tz´q5ðø¢ÇIŒkÐQ³ÕÍ*îÑÀ¦M|¸“qèŒ=aÜù(ccA»NÛÖÅhâNaùrO>C£nÅàÆ Ó£ø,{<cò¨Û£Hÿ9jC³¯§Šo‡+äw¥ÌS‰ù€s.3CuÑ 01H)L[Î\1;>ãƒsžçÕ± Àñª
-‡:b1ÒŽÁèÔlœ¤,×Û¡¤È8]öÐ,«Å(^±Y–¼C¾#]Ó ›é´@HÏ ƒ9ÃëýrZŒ\R"ÄI#¥»£lG.|@öñ…Bºù 7™ImOjw8 I¤Òñ|F&\m–mg-l{Ì3Sbû`X¤vûÇÉä3Czœ`Çö²˜‘‚ص4‰·ÎV{„EžA
-ÄÏÇ|›YIì°!žL—œÒ(=×érªŽ²ži‹¦± 3`§E]1Äe.c›æ.«ÞÕŒ<ôËFQtM7 ¡;¤¹ÅW³ 6êV†UE³Æž7m9‚º@½ ¹Ý²šSK?³F ¢€s.¦YCÕ×ì
-;®ìvó>÷ ÊV7—ÞqAÙeàñqn»ŸüÁöE«UUcjkÙi"?žd›hŸ×uÓow&J„/b¯ñÏ`Iò¬÷Â0ðC­þæ{áQçéÚéêù/ Žâè”ïCœò£(4‡¿ë%Ý—kÐ`¤q Ô¾ %¿%ÞÛäªÃD‘­Í<Àú#gŠ©“ç\0QèQ÷ì—]µ&4°|½§}§û:쎶rH?8Z¬Ùëî²?70mC¨(&½»_†ã)´7Ÿ=´i†8ÔÄÀBfáRAKï2Ì÷—cÅ6Y §äAAXóºdÇ€SÚ­{¢ÞXE¼ðíýÈXá«+ }Pø¦’ÂW ¸ž©ôß3•þw›ê †×2ÔkgXùÆÄñ·-k?ÐQè u5/kñ´yîZƒôê«·÷ØLþƒìA›ÎZç´É²&¯™¤^[Fø±
-Ì·ÕiB?D#[%½O稒ÿÒÜ
-Åð+vSÖ›ÕªZ·ÿÈÖ¾ñCmß9ž§íÎU^ªí؇ܢhð
-¡‡Þ0Åȵ‚/þCo²ø'–8Vgþ˜êþˆR!/êy¢SuÄ~««#úÿ«GØendstream
+2028 0 obj <<
+/Length 2797
+/Filter /FlateDecode
+>>
+stream
+xÚÝZÝsÛ6÷_¡{“§ƒ ïžòa÷œ™Ú­íÎÜ\ÛJ‚-N(R);Î_»X€%ZNÍ\&“q-‹Åâ·‹Å1øÇGi1™Å#ÅQÂx2š-OØèê~<áŽgâ™&!×ÛÛ“×çR²(SBnïYiÄÒ”nç¿ßýûÍÏ·gק‘°±ŠN'‰bã·—ÑçÝÕåùÅ¿^¿9Õñøöâê’È×gçg×g—ïÎN'Y–
+h\Û›[läZÞÜ^¼»9ýãöÃÉÙm7€pœIÔþÏ“ßþ`£9Œõà ‹d–&£GøÁ"žeb´<‰%±”žRžÜœüÒ jmÓ!£%2’Tè« >âq$c%zfK2š$Öl0ÒÓ g¬?Ò6o‹¦-f ŽäˆÀúl4i¤t&­
+`Lo©&çyQæÓr‘~Õ¬ÜÌ=oYsÍêMu
+’®@hyK¥GcG>Ü[QÑ×YR"Ý°àZ niòª¨îï6%Mµ–ô<å}Ij0ÈÚs‡S§2V5ôÕUóE8 0ÐaÔ飣L`Q2)ðô¬3ÔU×AÞšûz]|öÒµ×Æ »«Ë²~„q:Ùf†ršhÀa³$)-£T}™»òH3Õ÷Ö¿ÕÈ«€î$£ì`¸ v D¹¢oÑ5qÙ¨Ü5Îô6„œ‰Hʘ”J¢8㱇‹jV/;ƒ]›?7¦i›]{I =pžÂ¾NçNä ZËXD"MûZzt6®6Ë©©N)Îhë…~Hðëýå U2ÝølÆW1ùlAæ¸úùÝÕû³=ô$RGB%êˆÖ@¨H¦Õh²øÿGLÆGĤH"³ôLÆ<â)Òö0ùËƬ s
+37$S nê²9̧£¡^~r‰¤_çW> y(Ìãi&ÆÏ{Áñ&à ÈGLXHÙKN¤,R,£\í2_ºüêƬülô7 Ãþ°íêX‘ù öÞzÚz‚eÓoʽñW>‡ b¤¥
+Ó…>HiÛé¶(¸§€&y,|Ç€ŒY{Sñ"ãg™µþëÊ!Ò SåÕÌ|9,ƒ†Ëƒƒè€¢LÕ¦òø»§-Ýœ`©ôø³92Øý¶™ EÐÀ5DO»™r»¨fã“ÛÜQ>w¶l×yÕÜà|4Ó}Çi‹a§’¼„g – Š&×~Müb}-Ó8¨wáPﱊÇ*ñ±+*»„ ±K6v‹?€^@,àò/5·'R J)ˆàS
+üµŸRL|0.L†÷ßÍ,Žfðoø©ŒTªþʈ|‹g€ Åœ%‡VŒ´ð§·iºèóþ­;ƒ¸n̈°“¯S{‹üÊ{ä÷§;K¶9v¦(Çš‚¥­¨2±É3~)yÆ*<iŠÞ?WÙÔZ3f¤© Ïëî„ «Ð9n 3kÐÜÏó6Ÿæ l!a¾ØøU•îè æÓ¬Ìý¹–ùú#•~g ûüÇ©iÑ zíý+õ'²PÈéc÷°ðűã1cšŽ‹–Hx0Ù¸Z:T„Ò*_CP\Û6en7ÌÚRº“¤X»S±h¨êcU?VŽ¿&ÒÔÐokçÁá/ ¾]Xq‚#ñ›— J¼ë@Њj›_þçúúæì‹h¹cotŽçßo^)3qÆ_8 aFT,é\ñ¦ž}4î`ûâõÕ/ÇaWÇÊ(«ß¥žúárœ…eœén9†ŠÊ´µuo S@)sôÞ¡ãÐð…)áñÆþm@Q€k¥Æ3:✫ðömïN2¥¶š“§Q’ûþ|ùK8™ÀÖ4ÖtPó
+l?f›5ý¬Úò IÐÃcMux-K¥ðæVº[Zdµ·´2¸¥ÝV:HÊÞ2&ù±_U®¦h¼|×µo²*s¢á}ë'× ]0źùf¹²–R©»Av©~gL”®Ü¬Ì¬@qgãé“kEÙ×ô9ìû5WûÛLœÐ}œ&Y¤dæ[Ìê
+9ï7ëî¾Òž–°¯¢+1ÐÄ_Ûƒu対–ukÊ'b";SêBW‘„`Þóã‡"²8Ñw ÏyU™’*­Ó»4nÐ1,lxô±g'fÈY!jj-TÐÆ,mf†ýØÑ¡Z½¹H XA3‡ŠîYj»éLòcž{×!´ˆ2hƒ¡êÖ÷#*\=c ùŸ_
+:.»tÓUµÆ"`eÚÕ†Çq$b•õÔÙ[:®´Ø—fã¡Mó÷gopL'˜ D|û†$‚%Ô½#énôov"èy1pLùb
+{hˆÅyµÉ×OÄÌ_ EJžiæ^Çœ.b¼fA㻧+î¥KN,´ˆÃo›íì>‘‰Ý#SPÝú+N`¼ÍRyý7!±;Ô„Š¹ifëbjüØiý`"ÜÙÞåE»&ôÀ£ƒŠØ_¼IqøzGgôHë@o®è=p€*k^ø¢Â j,¤Ý
+ÎË]ÓsÏ6%¬?`v
+ùû®y˜È)íQ
+ì‹üÁ-'‚¡rs ]Z´ªn‰êÓ@¥håQÚ/»N³Äh z.×BïM{m¤Ð.ða!×!i”øí|IAÖrtH¤îXæn±§˜Ù³UA)’[¯L¯ øgÕ“™’ÛXD ŒUú×Nj>Aœ*É…†V^HèñäÀBNöW¿¶Ü.ܘ‡§Ï­˜’Å‘”÷JÙ0Ȳý±{—¹¯ûÿ
endobj
-1594 0 obj <<
+2027 0 obj <<
/Type /Page
-/Contents 1595 0 R
-/Resources 1593 0 R
+/Contents 2028 0 R
+/Resources 2026 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1602 0 R
-/Annots [ 1597 0 R ]
+/Parent 2025 0 R
+/Annots [ 2033 0 R ]
>> endobj
-1597 0 obj <<
+2033 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [84.0431 561.2463 145.2431 572.6384]
+/Rect [84.0431 269.7901 145.2431 281.1822]
/Subtype /Link
/A << /S /GoTo /D (statschannels) >>
>> endobj
-1596 0 obj <<
-/D [1594 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-542 0 obj <<
-/D [1594 0 R /XYZ 85.0394 547.0572 null]
->> endobj
-1283 0 obj <<
-/D [1594 0 R /XYZ 85.0394 524.0784 null]
+2029 0 obj <<
+/D [2027 0 R /XYZ 85.0394 794.5015 null]
>> endobj
-546 0 obj <<
-/D [1594 0 R /XYZ 85.0394 321.1969 null]
+674 0 obj <<
+/D [2027 0 R /XYZ 85.0394 769.5949 null]
>> endobj
-1598 0 obj <<
-/D [1594 0 R /XYZ 85.0394 296.6182 null]
+2030 0 obj <<
+/D [2027 0 R /XYZ 85.0394 748.5408 null]
>> endobj
-550 0 obj <<
-/D [1594 0 R /XYZ 85.0394 189.1747 null]
+2031 0 obj <<
+/D [2027 0 R /XYZ 85.0394 686.2137 null]
>> endobj
-1599 0 obj <<
-/D [1594 0 R /XYZ 85.0394 166.8635 null]
+2032 0 obj <<
+/D [2027 0 R /XYZ 85.0394 674.2585 null]
>> endobj
-1600 0 obj <<
-/D [1594 0 R /XYZ 85.0394 166.8635 null]
+678 0 obj <<
+/D [2027 0 R /XYZ 85.0394 255.5751 null]
>> endobj
-1601 0 obj <<
-/D [1594 0 R /XYZ 85.0394 154.9084 null]
+1669 0 obj <<
+/D [2027 0 R /XYZ 85.0394 232.5802 null]
>> endobj
-1593 0 obj <<
-/Font << /F37 802 0 R /F22 737 0 R /F21 714 0 R /F48 953 0 R /F39 899 0 R >>
+2026 0 obj <<
+/Font << /F37 1026 0 R /F21 938 0 R /F22 961 0 R /F48 1238 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1605 0 obj <<
-/Length 3011
+2036 0 obj <<
+/Length 2917
/Filter /FlateDecode
>>
stream
-xÚÍ[[sÛ6~÷¯Ð£<Saq¿ì[Û]wZ;–•Î¶} %:QW’Šãýõ{p! I”(ÛjFãÄõàùéaø#=!‘4Ôô”áH`"zãùî}‚ºŸÎHh3¨ âV?ŽÎþqÅTÏ #©ì£±4ÂZ“Þhò{_"ŽÎaÜÿñúæÂœ¨Àýûѹâýwößèú~týþþ|`Œ¦ý÷ÿz÷at9ô­dÔÑ—„îïoo®®ú8 ÜÞøâáåÕåðòæýåùŸ£ŸÏ.GõâEÌ,õ_Î~ÿ÷&°ÖŸÏ0bF‹Þ|`DŒ¡½ù ÎXU2;»?»«Œj]×6Ð8×€ 3`q!ôîiý¦ YBbsÖ$H1#*XæBÕû@I´RÃ*ê)ad”¹}¦_F÷×?Yh 9šm€PÃaŽÐp•eá1}š–Ÿ}Îõv¹üœè~:N§_Ó ÚÂs¤Œ"½˜Æ·-›s†°d¢7¨IÎ6Xt É’J‘
- €¿IèýÃ?ò"D#ZOQFa‚u ÊR”˜
-¨“É›¸sºøšÌ¦ÿaÑmØ5Ë·ao /¦ŸI¹ò;°{¿*~âØSh¨1íÀž2¤¤Ôµ^xÿÁ*Z¥ûÃs!úö³s\Ÿ†uãM9™#ROP¬¥]ÚFÑ„HÌ»Uùù.¦ƒâç¢?üx× §í•åÓ2)µ†‰Ùb ÓU^@}ü
-*xß ;°l‚ƒ#êNXÆ EB³.ãN$"
-³™CƒØnG±XFT KË5Å/²ê± Kp'!6ê²4°&J„7åàuÞ¯Æã´8ÀÀÜUþ%3¦ÒŽ«™Ó—Û Ö×$>)ü°«Y(^OàQ)ÞGç%tôyZøžó4ñ&ª¥ÔÎX~vs®í³Ï>}žŽÝ&Ò@„¿‹Â×%>¹¹½o‡þ#Vãa„Àо\ŸÕc2K“¢¢…ê;Ðfõ—ýáùB¿›gy3Ï$–YHaÜx;(„2˜À-vî n¹†Í8[-ÊÊEÍ}ºôT|f«Àò_Sˆ²E±Þ.:”ÜÍó7½?ÿN uHcÕ¡‚…0çÏÛˆõ §ên;¦ªxÞÜø4ÙŽ€c~߉pDüéZ9΀
-šJ\¿åy‘–/‘Oª6åJœ|BÚØà¦YíŠAQ0Â[d>$e‚ڸų1Û¬å
--3¹´•™
-ëÚ8Ü_­îø÷•=²wý €Ñfÿþ*™ÎŽf"ì$0<Lb¯k¯Ùu´ˆÓ”¸PˆHÙqRÇ%FJ°Ú\ÝQ´H_‚ á0ö`#’keù­,ÙtH°\ÛE™Zcþvqûë»ëÐYø~‰Á%lÓà’`p¡¦ùÏ`\!·h§wO-úa¬e­'Ù<Y· ·‡YT“ïf\ãM8]ãÊŒ‚θKÝQŽ´V²qÈÜEMævט_=Mî^È,!îuL¬
-Ï1̇È6S¤ùW¡ÚÂ̧Ë4ÌòyÌm!- ã˜{å -'n0Žý`PüÆt1 enÖªÐ;…xÃ)TUˆoÛmó­ù•|›ÇëØd\›€ùwcܘ%Že§…AJ½èÑMÕc'ã2…$á^!Ä”ÖÆãbµœMÇQ&úC(x ãRiêÈúóÈTÌjóIY¦ó¥·-¶MæÓ†]CŸ‡Ué3“i1hcœqÜ1"%}š~›åtñÉÙ³¤sÒö_Þµ9GœÍÉ<ä®?„&“À½Åm3/³¼üˆc¼>©¢¦}áÊ V…Cuù¼L}mbeÉÖŽgIQ„²™Ÿ&™<ûº‡Ô‘m³žg³AÛ‰•=9²eiêS)Õ&tÊãëÒv1µ/¥Ta#'õþ·ÈH¤’[Ñ—äÇ;ÄF l_š­£uTé‹øúm¢ÒHP-9yI˜WõØ%}”ÃúëpÝ5ˆrY{Éy¶\r=`*z`?3·)¤6 ªRß
-7Fò Vkdû$­†"ýfÎOÇh±š?¸Aq{gË‘³_k@|ÆF¨÷4B&0å&{‰TV¢$Œ¢d (ÙL¥µ²§°"ÿU¬
-{Ó¼(gÏmKórî`q"0ðò$
-NˆXÝ@§
-<[oúîP¬ZÀ–Óae
+xÚÍ[ÝsÛ6÷_¡Gj&Âá“ îÍíÔÖId¥×¹¦´HÇìH¤JRv}ý-° EÉ’iÙjFã\‹Å‹ý
+£„‹oA³m¨)CBÁ…Cí+çÚCUÇuVÕÙ´Â÷³å|¥U¯TQ£àn¤fpÝ0FŒRÜöC#¡cT·ó†#FéÓ>Þ˼NËʳái —ÄH&—É]: ÁƒÛb6dÁ¬xÈòoH©ã›YZa¹ZÂÇù<.³ÿùúU§K!X0mºÄ¶wqtœ{K3HX”CÅ}–¤•Õ¥‚‹¢Ä*i<½ÃZXéÉÅ-ëFXíž‚„êŠu fém=/*+³âÍ–ó¿d>}UÄ77®¿ô>‹ëFš ½zœß
+'ñM6ËêG»Øü™à4I2Û8žaͼ¨Ýòƒâ<~Ä"<ñÙYN R2ß=ŽÎ–Pùm7œÿ¹K}…xÛ\ͳ$q¨qÝ.[Nÿl+,ÃxÒÔ}-þ•¯_?݆•EVkV#µQlÔÔ,‘jQ䉳=HFµp/¸ôlÉ©í¨iî¬Ë–QDhW*ñ Ù->ãÅb–M­!­©]³‘B€¥íx@ÖÚÚ+”ÆZö´¼w2ªç-pד…Œh!ÂÒ`Ê#¾È•IA$ø¡5OöªF´vöí(°òŦÅ:«Q3"ðôü¥”«ØÂt0 #ðÜFƒ· IÄØko_Ci¸›J?m ]pɃ34,nYm†Tm´V]¿m46
+^Ról¬ñ„eÓb'@ÂÛF´
+mzU†p.UǼI;³ü>žeÉjŸd¥®EùöôUö-ë%ÎÀ3ØwFuÄØï0â=±ˆ”šðЈÖ.¼ÿd7àtŒ‡Jöµw\›ÍØ`/eîˆzÄæA@‰ëžhA
+E“-œ.ë»Ïåã8ý2“Hª`üåámU”™MïÓ•çÞk í>]i¯ Ò²t ø?Óiý,ð!±&3C´æ}!B51Å´]*Æö—„ÕãÓ×ãÙ‘ôˆñ„€6bº/b
+Œ~»-š¡‚müå·‹q?œÿ-rd]ÆyuÛì{ì²½àvÄ>^pD¶Q؃­0†H ¡¼ÅéË"‰ë•5äàJ?¼gy<Ϧ>ðu<Þ†¯—üÈC
+¬¡aOH!"M¤MHaw
+íŽ#Ø\ŸæÕKŒ6òVi^?]G¨#†NÛ
+¬'"ZjQ˜¸´¬\æÓØæUýáÀÐX•‹‚¦EG÷Á´#íc
+±«1¡êÁ4DE‚µ˜Ú¼”î­„Ïn"ô ‰r¹§‡•P{Îø<šŠ‘G+}a¶°ËUvÐaG¸#†P„„ö; aH¨;¾4‹ÝáÓ4¶ËŽ”‡Â2™ˆÓ}ìEÓb–<Š 9R}‹›k¢™FgaçõÒ¬ö£ù¹ 0!hìãræ,¦¤þ€¾Äø¨ííræÉyõÐ Û½Ý îíBËy£‹{rªŠ‡µbµ¡+ÚÃSŽ
+N¨E»\ÿ.Ë*­÷YŸ\o®O dþ2Íʯªµ±¼¶w_üš$®c²M[Pµ˜yªZŽh•É=·*€ë¥ÏwS"µb›Êd9[%±Ïue²{9Hx%lÄ@!#³½N¼ZÛ:óø6Õø'3’Ù㘥Êhë®ÏÇÖvüza7íO/0"
+>â"Îfs¶`Ø‹¼—?;ˆãõÃ,¢$ìÛIb‘£¨Z_pñqü ¬D‹H¨àó²<Àž÷3¸®$>^ËTH éÙfbšA©jíåog9½¼Úö
+Y„è3v
+|®´Õ·¹YÖXH²jëüiác1ÜŽ
+ÝìÓÝêv·®í›ÝH²àß0µ%'œ-Tîî³-]~òŒ’Ä+ïöŸcØû[î¸l·©¸ .Ï Uá?׋¿Æv)Ù¯ÓY\Už6k.Î?â·›/‹‹Fe‹í#w?‹°WßM»%¥·­9øºçöU†+ Cí'2içË2ƒ©Ã'©—å Ë£a{gÎþ
endobj
-1604 0 obj <<
+2035 0 obj <<
/Type /Page
-/Contents 1605 0 R
-/Resources 1603 0 R
+/Contents 2036 0 R
+/Resources 2034 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1602 0 R
-/Annots [ 1607 0 R ]
+/Parent 2025 0 R
>> endobj
-1607 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [305.1296 253.7095 384.9596 265.7692]
-/Subtype /Link
-/A << /S /GoTo /D (clients-per-query) >>
+2037 0 obj <<
+/D [2035 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-1606 0 obj <<
-/D [1604 0 R /XYZ 56.6929 794.5015 null]
+682 0 obj <<
+/D [2035 0 R /XYZ 56.6929 741.8766 null]
>> endobj
-1603 0 obj <<
-/Font << /F37 802 0 R /F21 714 0 R /F22 737 0 R >>
+2038 0 obj <<
+/D [2035 0 R /XYZ 56.6929 717.2979 null]
+>> endobj
+686 0 obj <<
+/D [2035 0 R /XYZ 56.6929 609.8545 null]
+>> endobj
+2039 0 obj <<
+/D [2035 0 R /XYZ 56.6929 587.5432 null]
+>> endobj
+2040 0 obj <<
+/D [2035 0 R /XYZ 56.6929 587.5432 null]
+>> endobj
+2041 0 obj <<
+/D [2035 0 R /XYZ 56.6929 575.5881 null]
+>> endobj
+2034 0 obj <<
+/Font << /F37 1026 0 R /F21 938 0 R /F22 961 0 R /F39 1161 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1611 0 obj <<
-/Length 2258
+2044 0 obj <<
+/Length 2524
/Filter /FlateDecode
>>
stream
-xÚÍ›]sÚȆïý+¸„ æÌ÷Ç¥cC[œ
-ÛéÌ–ÓÙèfÚûköËÕ`vøþ—$˜Yï¯þø wð]¹Âˆ-:ßá FÄÚY]qÁàŒíÏ,¯¦WŸzŸîL_ƒÆ¹VTuúL#.„~û²î.[‚Œ§Wí \a„D˜ uJ¼Q0
-í1ß › Ñ^Ÿ`Œ»ÿËÒ‚û‡(Ió8ÒyqbšGy²É“y1ª7Ù¬7§ƒB˜‚pRpÅUÚÔAÈ ôV¬Ã×­öŽàN?Èg‡ÅáKõ¥$æH9•˜ñ猪f>RrdìÊaOŸWgË^_rC»·ñf¾Nò$KOÑq!%!(ü‹œç¸EÄ`iý9,¸AL¾n% AmGnugyrÿ|·ÍŸø+k
-,·JpU,)£Ðhl)Xý‰1Ý/)›8ÍÑÛø<¿ÚŒÏÆBø8Fþœà“uðÉÂçùuY|ä¢ø`±ãBÓ>XB1H«‡o”ž|Næqò/*(zîµ9 $&8ƒDA"aä1ÄsB°&ÄÒ»63Ä’;¥C±@„qîAœÄÿ„¦ól•¤_ª8ºäª‚£ça‹§´°)¥¡*
-$5 ­ˆBD¥vª|ýy8™Ä‚ÐÚøSHn*ç°ïX›ç0ìtU!YB!F˜>â×$›óóksüq‚Tˆ íyôá7jŒ¯ô«Íô ÛÓD†¤ØV8fü_“èkŽÏs¬Í³= Ù^ˆ%rj§ÀŸï×Óí|o6A€e}!_Géæ>^¿€¸×Ûc¼¨DêùÚæ„´Ï`”dl7Œì‘£dyAž¶ŽV ÓóòR0ë—Ð~Fý‡€B3zÙ°ˆÆ 1†UÑ8§ Æ„zE4VÑ&ñ&[>퇢nÝÌ•j9…Ô–õÿ©;^²dV”ž9|L4¯×Ëö¥gN ¬!/Ëe¶l¯ ’ÅyFye­( ËŽí‹”…ååù0y$}+Ú|0õ.Ûü9÷³Õq!¤ìN‡ßŸÂåùRùÃ)û ïÜe’ËÔ
-QÅi5@­µÄÊ(”Ízε6a½cÄø) ò \¾ ÜC–nbQKÕLš '×EjPI³ô´µ0%CðOhJ w`4e3šò\šž«­Å) ÏÄ°Í©Æ)82F8-¾½ûp=ƒN0.ºxÆY5àç|S­æÇ ©LøÙës\¨ï`boŒÿ>ì ѽý
-A)4ïNÞÈGO@Zk°k{‡ÝZ7
-ºžç—¢ËÒR4‰ü½ÅtA¹ —¡e:áö)ÈÝi6ÿVO㇞Š<LºIê^³‡8uàR÷áüúŽs|NÞ½Û•Ÿáô<[­²ÂÔõm\e®,*º%éÞ&rÄ0[áÿjèQ.á>K6î“Ƚõ¸óÙ½ûàà¥×8¿»÷ÎUwÒÆË‘3NuöÑSDÎ2Y%ùnÉsï÷¯ö‹åaYt…GH'+¢Ë¹óBáçÍ])1„WGt„„ÒepÍìþ.YÅÙ6o´æΦZáP«•ƒhŽ0“å Z!I©SŽ÷Ëm<Œ!ñ³õ/¦ïN§Ï›F%Ûñ´ÓÅ¢˜&û»:¶ßý™¤OÙ·*Eño-`Eá•…($äk'€ecÀò²€=çÛšE Íh@SˆdHÙV'\OUênåÉjépkƒ–kØbãÀ’‚”½%|´µ¡Ê Bõ<n-U&aÏ-B¡Ê Ò˜:=ÿ}·‹Œ–×y¯jÔíx:Ü8fOÑ2Yxê¹N*1z.¶vÂSÛlØ6ªæŠa¼ûvÁ·â( zÞ]Š eö·¼A—΂½Eƒ©À!M"ÁbŽŽã/M *nŽ ª" µçÓÝnü)vg“Ôî½fÀºÿZŠ
+xÚÍ›[Sã8€ßùy4Uc­î—}£˜ejº³Õ5—‡˜Æ³‰Žhö×ï9–+äâÒU)"˺}::G:2¬Gáõ¬"T8Ù3NE™ê ''´÷Þý|Âê2qS(K}¸;ùÇ¥0=Gœæºw÷´e µ–õîFDÿuöéî¢sE#MNc¥iôáêúÜç8ÿóñæúòêçßúg§FFwW7×>»qyÑ¿¸þxq;g9Ô—A uÝÛ;¬T×¼½»úx{ú×Ý/'w‹„ƒdT ôßNþø‹öF0Ö_N(ΪÞ3<PÂœã½É‰T‚()D“3>¹=ù¼h0x[U]MJ ¬¸éÅŒsÂ$ßÜ­ï‚B·uÒ)¢%¯z®½XN„rí,pÌ‚HJ³žQŽhÁE5 Ÿg/ç³|:MFÈjð ³$>´*ÛO†óY‘>%§±04ú6OfiRø‡‡|† =?¦ÃGŸW>Ö%‹dö”Ì|z”ߘ ÓªÎ ÃΡ—˜1â”âUwÉ÷aRÔÝ eóÉ}Õˆ`Qþàó’ïiQ¦ÙWÿäÛle„‚­ŒðÞË lM‡Å`Õ×Q©Ÿ éTT¾LëÌA6ò‰áxP¯òžëù§b~_$ÐwVŽ_–{òº?ª
+WØAmw)¶ „šß
+&š‘cGŽ¿A ˜ÑŽt͸Fó„ˆÊýø« /ó È3ÿ"ù>Ò ÛÄ×ÏiùØÖðújÓ‚-jõŽSpO=Š%zY£UqSmIH$¹ÚgÄr¦ë&ƒïñ®½0*‰ãÕêÁªù´Ló ÈJg¢?©¢E’àƒõ00w”ÃY:+„0)š…«*œ8lˆ@µÁ}>/_Û!$‘––¶†8Ê*‹â_ξö|¢˜‚Eù8¬°ºtWÛÝ
+<I2° ÔÙ%‘VmRSj !ÕÕÖP@@T²Vc4Ìg^½ŠižêÌJk諳]AR¾RÑF%áB5s<ÌçY‰ ?.üz!žÒ|^ø0>…×…°\àyÈk†J°ÓBõBû>‹ ƒ$TC“qSàPN@P\fùv' a :G]ã.éx>KºÀ LšQ­"¯oÔÑCUÝO7X4­t­ XnE°j¾\¯ œQb´tu§¥‹%—Tf¡
+à‹«)–`ö—Uß´ª€ï}9Q«æ€*ÀÇF×y™ü†ePÞ´XgÒ=¢C«Fnšó§tÔ¸º ˜×ñ‹»ð™÷ƒáŸUÙ‘5Ì'ÓA™Þ§ãxEOKl‚ÉÚBcÊ;[H,R°v”¸C¢3› Æ㺅ÿ™äÿ§?)åY²¶ë¯³ÆAÓ ºðOÅ=?¦Å:o¶T¯Q¤³yùŠ×Oþ^3­°EáÔšºèzßÀ`Ãj7'[‹™c°œŒ~eÌ%.y=çóqåó€Ç¸È}æ@òyiVÖy¥7oJ…Æ*5ððM8é?a–n°²áÀ5@›V1Õj]H…É,/}â>ñ¿Õ~'sAu”ž²¨ª[­´²ÎÌ|±él0\;e:L6ۻЖÊÞ5½ïÞdScƒ½Ó €ØnàXœ®ÆüåaÖO¾çY²Ëž¬\Qúþ‡•ªT9dŃ×}xÄ;NJÜÏm„Ù
+ú¾ÿ@–ŠK퀩ÀK;)+@¿MGƒ2L—Ï;!|iÌkj…·†±1ƒ[AR-II‰…£@I û:áøÉbúF”è^‹dO–œ‡eÉÇ’[bé8Ö*Á‰´’p€#îkºYž¿À‰/zró
+æpÚ4Lt¹e\¥l‰ß>*¸7¿P°#Ö?nà@£l—Cæ–ã}­wÈWoп«½ù‚3?ØïY*º\17Љuf‰ß>ú·?¿@°c^¿°Ó³g:®,‘B.nunçCüd¨“ßï+·8›n$
+l1m%ÚŠzÌ
+ ›>ëx'Q©‰4N6D7D,ߊsC
+Àzo€z€pG«Õw…ªãJ’1î¹úË ß*%©6Q¿¿®¹2ß jq¢-N
+Uí¸¡dT'êë—N½Ný^œ¨ÇŠÓZüÞÅm§é  ˼+¾þr~óëÙÕ5~n.UÔ‡çn˜m¥ÝéU’õÊ6¿péø¢ÈBY®kÏ{ÑÇÿØøÏå©RÑÙÕ¿ñ»b+£þn—çXêAmü׬½;Ì@Ôc¥©%~ãÒᨵ%Ô0ï§/oú¿^ÀRŽe¥ˆ—³Y7ÄE¥ÝÙ‚½—ì—¨äÕ†™*¦×}¯N{`wýö˜¤³xøÝtHHPI„p¬'Á¶cl•‡%ÊrÓ dÿ?ûÞÿendstream
endobj
-1610 0 obj <<
+2043 0 obj <<
/Type /Page
-/Contents 1611 0 R
-/Resources 1609 0 R
+/Contents 2044 0 R
+/Resources 2042 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1602 0 R
+/Parent 2025 0 R
+/Annots [ 2046 0 R ]
>> endobj
-1612 0 obj <<
-/D [1610 0 R /XYZ 85.0394 794.5015 null]
+2046 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [333.4761 684.0956 413.3061 696.1552]
+/Subtype /Link
+/A << /S /GoTo /D (clients-per-query) >>
>> endobj
-554 0 obj <<
-/D [1610 0 R /XYZ 85.0394 710.7531 null]
+2045 0 obj <<
+/D [2043 0 R /XYZ 85.0394 794.5015 null]
>> endobj
-1613 0 obj <<
-/D [1610 0 R /XYZ 85.0394 685.6325 null]
+690 0 obj <<
+/D [2043 0 R /XYZ 85.0394 447.7394 null]
>> endobj
-1614 0 obj <<
-/D [1610 0 R /XYZ 85.0394 685.6325 null]
+2047 0 obj <<
+/D [2043 0 R /XYZ 85.0394 422.6188 null]
>> endobj
-1615 0 obj <<
-/D [1610 0 R /XYZ 85.0394 673.6774 null]
+2048 0 obj <<
+/D [2043 0 R /XYZ 85.0394 422.6188 null]
>> endobj
-558 0 obj <<
-/D [1610 0 R /XYZ 85.0394 460.614 null]
+2049 0 obj <<
+/D [2043 0 R /XYZ 85.0394 410.6637 null]
>> endobj
-1616 0 obj <<
-/D [1610 0 R /XYZ 85.0394 435.4933 null]
+694 0 obj <<
+/D [2043 0 R /XYZ 85.0394 197.6003 null]
>> endobj
-1617 0 obj <<
-/D [1610 0 R /XYZ 85.0394 435.4933 null]
+2050 0 obj <<
+/D [2043 0 R /XYZ 85.0394 172.4796 null]
>> endobj
-1618 0 obj <<
-/D [1610 0 R /XYZ 85.0394 423.5382 null]
+2051 0 obj <<
+/D [2043 0 R /XYZ 85.0394 172.4796 null]
>> endobj
-1609 0 obj <<
-/Font << /F37 802 0 R /F21 714 0 R /F22 737 0 R /F39 899 0 R >>
+2052 0 obj <<
+/D [2043 0 R /XYZ 85.0394 160.5245 null]
+>> endobj
+2042 0 obj <<
+/Font << /F37 1026 0 R /F21 938 0 R /F22 961 0 R /F39 1161 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1621 0 obj <<
-/Length 3199
-/Filter /FlateDecode
->>
-stream
-xÚÍ[ëoã6ÿž¿Â\­òýÀØf“6ºÄîÐöƒb+PÇòYvÒýïo†¤$*¦í¤ñÅk‰"‡œ™ß¼H†Žü£#©re™i+rI¨MïOÈèwøöý }Æm§qÜë»ÉÉ·\lnS£ÉmDËäÄ:šÌ~ÉT.òS @²ï.?¼·§c&Iv=9Õ"{‡ÿM.¯'—gקck ËÎ~x÷ir~å{©h o ÃÏ>~¸¸üþç«@àãß|u~q~uþáìüô·É'ç“Ž˜IJ8®þ'¿üFF3àõÇ’skäè^HN­e£û!y.çmËüäúäsG0úꆦ„&„YdÆ”‹œXÍvÏëç 0ox¤DçÒ*ùdÞ±¢¹æh*ErAï4Áh¤ e€O«GZÚ\qÆ&>¯¾\J™M&‹JÆ°h 5ÖkL„½/V§Ôdåÿ6åbúäky¶.n楬ø+2שÞ,f¡ÇªZ†§ê¾lüã¯D’«S®aâSK²Þi rë©À$«ªlr\L?¦4·R2·ŽóbzVsÈD.0æ›fHæ\(º4ËrZýJÃeqXõú®Ä›Më•çµYÖ‹YµøÝ¿€Rš!©Ì.~À¹Í 1v¸îÆÄ9„FN·y
-ÆóÖ30Dæ2׌Úç
-yžb–1»¹µ<·†Û–â!n­Ê-!vÈî}‚]“©ô]o+BeÅ|³ÒŠ¾4Û)
-ž›@ðc­
-Åt¾iª‡2N²‚N€:W‚ÐÝQâ˜=,ÄPª^o-ÅqL2åoh®(zó¶Û.
-Ögºåb½‚L‰ž5wõf>ÃgáéA›·ñeH5 s:MR¾"g}ØIɸÔLB®§Á³S~ùŠã˜dJ¾`c
-¾vÝ\(ùGÊEnºŒb OXAFçDr_‹à_©èÆSþ•IÓùWpà>k„¶Î¿bcð¯Ø>ô¯ø±ó¯øò²bîÛQåØä `Žm]<ÉH·uÁ4
-›Ò‘‚øg-y}Të(Žc’Ûº`’ÓÏ»+¨Ãú!f·h:§Å¹¶™éKŒW–-Bðœ(Ðê ¦ƒŒ( ¿4¨S…Ð. ,‚¢#×Ĩ¸n۪ߘ6m¡Æ+Nrê·m´Å¥´:§ÚöU/ÍÅé˜ån=ý£\û"õòÛ¡^ëªYWÓ&µPF­ËU“Ð
-ì7fiÞ×÷EµðÄ]žÎ¡,͵iÃâÅûÇbÝ•àƒºr=­E4“Pã'«—¥ƒ˜{Þ¬›jVú—¾n»’”<QAÓ‹ÌîëÙfî²Ìq˜rµ7“ª 2»­çóúÑí®ÝmQ¸µÒA8E*»¼ð_ ®A´r›ü÷Óy‚ ƒ\‰Öþ;º‚`Ûy¶b~ãW]øÕƬ¢Á&?Ôkÿ½˜ÏýÇÞ˜Ýè>œAŸ‡¢š·\ƒŸ s>LMn}„#-EMlýŸþRÍr¹®êEðJÑ\$[Ô.iÁÇjÆÞ…o³²™®*7Ô7¸½–ùl+¾Pbs
-ÿ$ƒ’€Ã|F0À$[Í_ Ò£Ú…Daý.Œxà:¦Æž˜ä}¼†Ç8ûNR†;Òûó/÷7õ³M˲÷‘Ÿ¦|`þ‚BüŠçxݺQBœ`NÍp¼$Ø·#vŠ«G.x_ M²!¹1’ï7LýÃO s'•Ë2µc(Á£a('Q˜uÞŒFÞ lg3–Ms»™Ï»AA8T
-Uã{{õC«@báÌŠår
-c2´ÓiØaEê{K¥ £ÏñÑ7GB‰ã|Ì.TÅêzž¢JU
-+ÎÙ~TAý—[-ßTàŒ ;mBLÀÒ݆-#âPæ7 ¡1DS—1\Ø©vª.üšû€+ÒÚ±ÀÕZν·6ÚÐà’XÎý–è:›cû|ŸÚâÙDÌ+Œ|…ˆ*8•ŒÙ:ϼÞÔâ¿«³¿`ñ¨¿‰A²›*9õIY³Gc‘(þÎ9J•Í~AÕF¥xÓÀV/¯ÔØH”Óõ ”Iã¸J;®ëƒÊÁíOïWÕžÞ+í Â΂ZºÊ¥l°¬š»¶dI¤m;UÉâX*ã27JÊlGìT×('}(Z™3!ÞRcï¦XEþC“\8C“œg…#âì ›«Å´¾ïÞ¦ºý{wX߬Ó÷BrN…ËŸNiæósxoÛ}~N¹O¡Úl >¸l ÚÓÙ•iZ%úªô¦ S¼Ý]Ho»PtÄá´kÌ bbè8µƒ«âwC:ÆÊëð÷u! aÜzÀ AÖ™smäÛcú ž/;˜*®#˜6Ø`:'
-Ì®I)ñ Î^0© “4wõ㢛!H¡=|Ô"’?9|,nê‡veâîVQ’ýPÆç`[‡bíaÙM½ gj5L´j7 úÃ;ÔàNÌêŽ@¾\–Åjë|­y² §÷5 ÃÛdTÜ”4éü¡Ó8îµÛº^ÎC_<ή¾¹Æÿ·Îò AÔûgö]óNM9$‘†ŠáÄÏ;Þ;  o=¨„ ;ßÐc
-^oÊi±i’©¯u܇Ñ,U , 9«Ë°„0«ÌŠY½ ènÉ¢kLj€Ïm2<„¬–ÑÞj¸­Wáž$ÞÁ]Ûaüy,Vn“0±H…­Iß$ÑZE_”ï€V³Ýhà ²mQ¯=hk{9´½ûÏÅÎ,ˆ‹r»Ö¶SbÖ˜U+¡Ì–l8kÈ $&mc኶ª;?Ù:ýî«>|ûÜßL#4¸úo§$¡.gxof¯ £N»åØvrb¼üütBун¶}¶'Ü›Dôâ_DW‚Wa+ç€ã¯àã$"£ƒÛÛÏý›Ÿþ¯ °‚0†¥eÓ] ‹röd¶•µ0^wÜ^úÿ€Šj³endstream
+2056 0 obj <<
+/Length 3512
+/Filter /FlateDecode
+>>
+stream
+xÚÍ\[oÛ8~ϯðÛ*Ø5Ë;EìbN.³ì&mâY`13Š­4Bmɵì¤ý÷{ŽHI´#[ÎØ-‚j‰"Éï|<’6 ð(M´åv`¬$Š25ÏNèà|ûù„ù:úÒ0¬õÓèäÝ¥0K¬æz0zdÅ„Æ1Œ&¿EšHr
+hôÓÕõ¹=rE£»Ñ©‘Ñ{ügtu7º:»;Zóèì_ï?Œ.n]-4t%¾ùÙÍõåÕÏ¿Þz7×®øöâòâöâúìâôÑ/'£fá$8ú/'¿ýA˜ë/'”«Á3¼P¬åƒÙ‰T‚()D]2=¹;ùØ ¾VM»@“2¬
+E g¶ç?Y9K–ãG ¥U&º=_Íoû!m[qÃ<Ëy‘—)²Ól²s( F©ûêpí®ÎÿöRÀ_Jìúñ<sê. §£1Ê,J&ߨDBEI>ywÊ"\`XaùèknÈ®Ê6¥Í‹ÅÒ=MŠt£^õŸXA먞6<>?&¾ð9)ÝCúužŽ—nÊ*ŽunÚðÍw‚2V¥º¯¾™H ÷^,º:¯¤[MÒß)åy:ÁWÝsÅ8U§±PÛƆ^À)¬êü¥Z90‡‰r•Šù2+râ–‰4FYéúš%¾³jÄð›äîC–O²q2¬†=d”K©\×
+uk­xp¿‰û'ã
+xœYYäYþÉWX.ÓÙ|¹}=†L?lñ|O»¦ 'BÙ»¦"VjÖè”wX¬òq<ê_‰£S‹«-ŽêshWäÞþ"ñÛõZS"©=¸jA¬¥ÎÎý;™Õ E×[=÷"ëZ t“tš~JƯÃ2åq±dÇÄ%)-ïÁRqBÁ¤UÈܦKôž˜wà0>öƒù±u¸¼å"«™9OÅb¶Ê`o˜–Âm˜òn$%…ðœê–÷÷Ýƹ³ÛÔ«}²òD]uxS,k[äK8NwÀÛüXèBŒkõ;R·ØŠ.8Íã>cÊá+ÙÂ{WŒ?ï(^¡  GÑ»¹ßbžzçDÛà‘b 1þœ.!n_(£›<uÅãb6+|S'/ïÖåÚ0^aVDå
+fùZ@ê¾e¥û’¸× ‚+G·ŠšQ•óôÙ½»¡ºB$LGUÓÇSgšÍ²exoÿ‹AÈ´1åx‘Í—–ì W ¹ÃÈð=W¯ŠcH/DSQ–®¬mù5:U*Êfi±Z¾Ê.]›¸…#z»D AdÜã@T ]PéÈÏÓUz™B ý$172º»ûVîáF®>` D¯Ê!«m"àó9”[›É,*>ïr,áàß®cQ†«û˜ BZ½°~5Âú¸·cÃ
+ê1Ì>ýúbö³l:ÍÊt  ÷s•Ñ¥;L¦­c²–h*͆cJ>#Ó´;ßÄ_ò”æ™÷VPðìëÜ.K'A¡Úèíd„>µÔ$ø—‡“±–8 Ev‘Aä(ahM5!í4uªn'ã¤ïýä)À
+Tr°`š”Kp¬FglØ4¯Î™D,¢ò±XM'ø,<(sk|îC ¨œú
+IÙ‰¯$¼u;]øÂ, W‰§Øh™Ç×K†"»ð…5¦ahMµÊ•üµk!Ó›ˆ| 4K˜áîB2K“ÜÛWf$šq¾±ÅïÜãƾ‚÷Çòqk_±ÐÛW,_·¯ø±±¯øâ²dêÊÝ BìnaàïSºèÐÅæ劺àÁf`]Œ˜_îÕ‰ÃPäK]pHÀô4•¶9u?øìšMëÆc[*¦¦-m.ÔÞë½Tm Ä_èO5jÔÄÀµKH‹ éÀ´È„Wñ^\Éã&†é @6‚u« ¾/(Àkq¥š{ŒŒÈS¼bB£;–…ùçÕ»«ϪÊe6ö›~gE-ÓEÙ¡<ภë³~×yqøPâð}\‹«Þ’öümí^¾ÎÓ…È]~›§ÕU%ÊëÊéˆM,þèÚñþzþAv]ౘñ°ÀµAÅw¸ÕŒž­+¢V VXÕŠÕ¯«·‰KÙ¡0ñúÒuÛ@ÖmL *î¶.Ô.*ë×HÕ{Iý5ϾvI¦è8„ë 98šób–d¹^åßÝ!”eÄĵW¼<®®u¤Eâd#ƒžüñ²ë Ow«|^-Ël’º—6mæ1o^«‹ŠfÅd5­‚ q¸®Ro®tíTôPL§Å³¿ˆ¥ýE5V¶æMÑœª&,üG×40 qÛè.:Äpˆ¿µ¬­è?»#W
+ë;™ßN[>nœ¬gá±{:}¹Óƨ% þ`FÅ÷sbjÄë|Aw«zôˆÍœ†œsÜ|h½µ°k^Ø%pˆd!ˆtæüÛ쾘b¬iytÀ¸ðÁê—Ìbë¶ÃÆ ŠµÛ–‡o·P0ð0ÞöÐg}EÖP
+¡Þ¡ü@Rm9žX'Öúµ-A­ß0¢í…(,lïj[òäÂJ ¹°Ræ%Tä¯o•\ÖŽE®£LäÒ0w%{¸¥5aÒ߈üAä:›bv»¿É›”Ød²C%í\åD¾ƒ?e
+·cÛ£éVìs¯¤’Ÿ²|ò'Ö{øw÷™?nj#²r‡Â(Ž«±ã®!›¦Gc’.èuûgEž¨±1ˆHÇËW(-@ã-+k¢ã¸'Vc°qócÝ**­Wag^-MÚ’–˜ fåc¯tm[U`q,•ízy«2ˆpâà"P·Â €ùÛ¿?HaïǘAþ‰u¦„¬Ö™"J*!Õ2Ãâ,³æmÜhÛ½7çôå²û
+Ì™¬‚§S¹àÞërœ3áâ§:T‚U¨åÝ¡SšX«e»;Õ½!õ¨wº·\@OÖÊþ˜ /ô®äF~_eðÛÝRå0ò}W>ƒ ·ÊôX ˜©üÖÊç^._5ÕÂ-± nì¯2AU¡cyõç—LVršuþ5iòKãB~ü­(‹!eñ)[ýn¡,ío»›²xW ¹9ÓMYÎÌ!þN” ØpàŸ`@ï†kt›–(.;ÿüžz}ê¾ìßþï¤!€Op†¶¾÷«`ÅÃ3 eU§áŒ¿8‹ÁýD<óÕ‚±ÿôW
endobj
-1620 0 obj <<
+2055 0 obj <<
/Type /Page
-/Contents 1621 0 R
-/Resources 1619 0 R
+/Contents 2056 0 R
+/Resources 2054 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1602 0 R
+/Parent 2025 0 R
>> endobj
-1622 0 obj <<
-/D [1620 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-562 0 obj <<
-/D [1620 0 R /XYZ 56.6929 615.1118 null]
->> endobj
-1623 0 obj <<
-/D [1620 0 R /XYZ 56.6929 589.9912 null]
+2057 0 obj <<
+/D [2055 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-1624 0 obj <<
-/D [1620 0 R /XYZ 56.6929 533.5628 null]
+698 0 obj <<
+/D [2055 0 R /XYZ 56.6929 328.1878 null]
>> endobj
-1625 0 obj <<
-/D [1620 0 R /XYZ 56.6929 521.6076 null]
+2058 0 obj <<
+/D [2055 0 R /XYZ 56.6929 303.0671 null]
>> endobj
-566 0 obj <<
-/D [1620 0 R /XYZ 56.6929 236.6167 null]
+2059 0 obj <<
+/D [2055 0 R /XYZ 56.6929 246.6387 null]
>> endobj
-1629 0 obj <<
-/D [1620 0 R /XYZ 56.6929 208.2484 null]
+2060 0 obj <<
+/D [2055 0 R /XYZ 56.6929 234.6836 null]
>> endobj
-1619 0 obj <<
-/Font << /F37 802 0 R /F21 714 0 R /F22 737 0 R /F11 1397 0 R /F39 899 0 R /F67 1628 0 R >>
+2054 0 obj <<
+/Font << /F37 1026 0 R /F21 938 0 R /F22 961 0 R /F11 1451 0 R /F39 1161 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1632 0 obj <<
-/Length 439
+2063 0 obj <<
+/Length 1362
/Filter /FlateDecode
>>
stream
-xÚ¥SMs›0½ëW趫O¤cââ„쫧4ÓÆ3‰!Oþ~D.ué©Ã0Ë®öí¾}ZEÿ0j °’¦V‚B¦hùJþòg7„ 9ɘ”L³®ù²)µ`5×ÔýœÔ2€Æ0êvÑâöêÞeEœp…‘†8Q£ë|õ5Dl0‹õj™ß|/®âTF._¯B¸È–Y‘­YœXk¸ÇËI…»q=h@n\¾ØÄîŽdî<ÀtH†¢gÿF‘îü¬wAX£è»w˜µœ¾©()Äy!òí\prú M*ŠKM!Áh_cVZT^ª$U´àâ,-gsÒŽY½´ÅºéÚËY“ ”ï6-øWÛsÖL_>é˘!QÿÙØ=ïÛ }YŸ]u Î<Ô]øhOMS»jܧªÜžÚªg|1Ó¼
-©'××ÿ\5%Ã=4cÒpû»ººl[n13Q¼íS}òû`ë¦Ûׇ¶?Û=€ˆüØæe[Vð¯…
-ú-˜QØ¿ ¬Rüÿ—í÷ï'SÆðù«¨Áp›Ž¤zŒ½d®„ßJÃÓê¨!ã½endstream
+xÚ½XmoÛ6þî_¡60±|§ ÒÔn] y±]`C׊Ì$Âɵäý÷;Š”,Ù²³,à "¥ç^x÷Ü`ø!A$fšJs$0Aò4ÀÁ|û8 Ö °z¿¼›0h¤%•Áâ¾¥+B8ŠH°X~^~º¸YŒg£
+<”h
+‰‡ï§WÜí—×W“éǯ³‹‘âÃÅôúʽž'ãÙøêr<
+µŽ(Èó–/;_X!/9_L/ç£ï‹Ïƒñ¢9@û3ëýÁ·ï8XÂY?0b:Á6­ið4à‚!Á«ß¬óÁm£°õµí Ç*X
+Œ8!§­: ¬ú%eH[?»FCÂâBÙ<pŽ°Æû<€ú}g(bLJh$eU"~µQy7¡m¤BŠG
+´[Àâ›±Ãt´Q¸ä̃~;¥%ò€¹É–ãÍÆÃh 1Sšj³ óM1
+™bÃ4³O>,òä/Sºwèr«|m6q™æYù—.S/˜äÛ¬4'äN­ ­`*$i!he³XçÙ²p¬)óž“p8+­rQ¥ÿ”B:EµÆ¼Ušß÷)UˆIRǧ¢~RÈnR¡C
+sà°’’íÔ¿NŒGˆAÂJ HŠ×¨¬%N3GˆÒ
+z%úÿ$èÌ$ϯ%(ÅŽ Ó† öãZbÒgã>vxJ5÷<uòÉj»4~göÚ{ˆ
+<>)_
+jgaåeú'Æ@“®OßýtŽ3÷œ^~¹q«ÆU·}2E?˜3 ݧþmlÚtßf_êÛVFauзÿTí‘1m4¤
+aÕí÷G}Ÿa‰"ªU`û”%^SNÖ3IB{T»°ó 1
+ Æ0ó§5äü.]¥¥ÏÎ.-se{òpÌ&ò¨Åtê$B‚ÀÒ·?x]û*zÊ!$B",™„ss¤9á•à—¼°í™B%”à]Q¦‰íĔԭ°p_ËÇØãvÆÕ‰CÅÏqºŠïVÆ}„²êqÛž)ÅùžÉ •”îÏcÕÅS«"÷®n×ë|SÕÇI£Ç9£¯0ª½Q€â1ßeSU›NÐYÔ-ôø.¯Z‡H6&¶m0‚‡ŸšU5ÙÞ@?Ã@z[úɆ|îÓP©­Ò`W˼QàÅ×k{¡4«á¦8pèð2…p¹°ˆ¸àý7F
+Û¨ÓEРª=Ù-g¿ÌíïCÛD€
+¡´d\w¹¹‹7Ë4{èsRœÕc9.úNKÔ’¼êÒãiš.OsŽiŒ½À¹ê çjTŹ‹ß'Çl#Ð÷%æçÍ6¨»¶Aeœ¨®a?Ø—­/Ǻ“ÆmZu˃2õc:Kò'›¥jw»5›´î\€§ƒ‰5"„¿TÀ-Ô™`Ö¨*˜ÓÛ£Pbè~XÊóFTÕN(á+‹”îšýoC93?¶¦(ÿa,¹Òpç‘â|,Û¨Ó±lPU,¯×eqLL ’€{ÊY³ ªÇn'š–Àö®á¢Ù ‘Vÿ³Û3ýnQõš– ëÉeÍ&™Ø„Sk…þXß–{rmïÁ›Â‹¬Wqr|Ÿ­Ó—Sû—~O„qP·Ë7ÿCaÿ/û×bÑþT1(Æ4©²1"„º× 5U=¾ÿ 1Ž.Ëendstream
endobj
-1631 0 obj <<
+2062 0 obj <<
/Type /Page
-/Contents 1632 0 R
-/Resources 1630 0 R
+/Contents 2063 0 R
+/Resources 2061 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1602 0 R
+/Parent 2025 0 R
>> endobj
-1633 0 obj <<
-/D [1631 0 R /XYZ 85.0394 794.5015 null]
+2064 0 obj <<
+/D [2062 0 R /XYZ 85.0394 794.5015 null]
>> endobj
-1630 0 obj <<
-/Font << /F37 802 0 R /F21 714 0 R /F22 737 0 R >>
+702 0 obj <<
+/D [2062 0 R /XYZ 85.0394 665.5626 null]
+>> endobj
+2068 0 obj <<
+/D [2062 0 R /XYZ 85.0394 637.9713 null]
+>> endobj
+2061 0 obj <<
+/Font << /F37 1026 0 R /F11 1451 0 R /F21 938 0 R /F22 961 0 R /F67 2067 0 R /F39 1161 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1636 0 obj <<
+2071 0 obj <<
/Length 69
/Filter /FlateDecode
>>
stream
xÚ3T0
endobj
-1635 0 obj <<
+2070 0 obj <<
/Type /Page
-/Contents 1636 0 R
-/Resources 1634 0 R
+/Contents 2071 0 R
+/Resources 2069 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1602 0 R
+/Parent 2073 0 R
>> endobj
-1637 0 obj <<
-/D [1635 0 R /XYZ 56.6929 794.5015 null]
+2072 0 obj <<
+/D [2070 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-1634 0 obj <<
+2069 0 obj <<
/ProcSet [ /PDF ]
>> endobj
-1640 0 obj <<
-/Length 1324
+2076 0 obj <<
+/Length 1242
/Filter /FlateDecode
>>
stream
-xÚ•WÝoÛ6Ï_aäÉ*Z$EJZžÚtÝ2ðfOëh™¶…È¢¦¦ÙÐÿ}<)[±à.0 Çßï‹]ÄöG™ 1Ï“Eš'DÄT,ŠÃU¼ØÙµŸ®¨—I'"áÜNfV#Á3"2–.¢SwW«Œ.XL¤dbñ°uÉ4%”³lñ°ùsy·WM¯Û›ˆ‰x™Þüõð nKHš¥¶ÅVEJDÎr·áÝý¯ïQ:Çá“.†¶ìŸqvgê®ÜèVõ¥¥F<šžHæñ¤ BrgM¹‰hÇË·E¡»nDé[SáäcÙõ‰-r’K&=§„3)RØϹÄý74[0Ã’bù9ñÛ»).*'ªýd³ÁiÀ:¨¾Ø#YQú½ê‘ùl$
-U#Ñi¿44(¬ê 2ê²x¬ÕÁ«ÚšÖC?œÚ0tÎ '¤”äB0w²ýyô‚ˆ9eVDTU™§¨6}¹}žq™$IÒÔ ¿™KH&äìïA·³X†”½*2õ Z–‰ü;p£
-CÅó“P±œ°1R;c6~ËF«¹¢$ËSêÅ! ­Ã8ë$žæ¾ýˆd*&í¬ ½ÓÒ(”x?çèurIšÛnz({—" x¾™Ÿovôú“ÎÖ&• Ædžnth£Ú¾ ÁÀô€XèʱAwÑuŒ®1Æ¥ž¦;3]—ªš† l* â.â÷æ^nkßÛÊõºÕN•u׿LS—L¢ô³í„ˀ塿ªCSé©M{ó„„+©ñˆ¦ÑmåïVÕ4„èþ€I‘г;Q¢«• W 7t”
-€‹F§ˆc_´)@F/œs)›þ1µWuí;±ex}ÁÕþQòÜø}ÕÙ{yÖ mÎq}XÂß¾&ª~žûÒùf?#d£ÌƒËtNùøàÛ¹‹$<t€V¸+
-&ÐÅ9M°&€1^{–Þb'?àl/<˜ u…—èT¤ °öʯ­µ®QU¸Kû£Ëz"°7eÍ–ÝÚº þÕã×cø&„g ýÂœû¾ "ÑQ?.'¯ÌXÚ4æô¥¶ñSõ\Ý4‚Û¼endstream
+xÚ•WÝoÛ6Ï_aäÉ*Z¤¨¯å©M×-C1 kö´î‘iKˆ,j•Ôú¿Ç#e)V³†ÁÓéø»ï#EW¡ùÑU“0Êù*Í9‰C¯ŠÃE¸Ú›w?]P'ÃãˆÄ<ŠÌÃÂÛ Ž2g,]Sww›Œ®XH’„Å«»Ý¨+IÂ(g«»íŸë›R´ZvW‹Ãuzõ×Ý/¸“4K)l
+£\Øðîö×÷(ãòICWé#>ݨ¦¯¶²º2ÔˆG9‰xÂ^’žÑÄ⥄^4 ÃõÛ¢}?ÂèNÕøð±êµ‡b«œä KRĈqÇùíQ”àö+š­aÈxý9ŒÃ·7{³R|)¬¨tÛ->z¬ƒÐE‰d}BÑ¥ÐÈ<ª‰B4HôÒ½ZÍMU<4âàTíTçˆAS†^‚»à ¥$cÌUÕŒñ<Á„eFDD]«§ QºÚ"›Àó4uÂoà8Éâdö÷ »E¬Ø¤”½*PÍZ–ÅùÀˆ×AéõÕ2 %ÔØkìñ–m̱˜ÿOÈûZ¥ªå7‚Œ¾.¶"™š^œU†îDÓïLŸ«ŠbÂirRe;Jê‚ žÀ ˆ#n¥þè«fo$Ó”¦S²V8ÚÖ<ZáZŠG‰Ôç0d( ]&Žt}jEà©G|®ŸJ·ÛvŽÕáG
+³ñÖøÙihâ.NÀ9E\ ÍÍ4=TÚ–žoŽÎ7[úþˆEgz“&œúüPëI#œÐVtºòÉÀò€\ÈÚ%±Åp?ÊF#£o•²¥ç²i}b+›JÔó´MU!}Þãð½ú„Çݪµé\§[ìEÕôúyéLC²íŸ¥ç \y,ç†ü"m-ç6•ê ÛR£‹ª•]íÎVѶž„ìþ€EÁéù‘fx&n6&a!œÑ hXÁX Ðc[$/ïÕ~è©ûKdàYÔSU×HÝתxXj3¯ò÷74§>ô­€p£f§¦WÇê¤ çv"ûÆé++8{¬ú—´êpP DÇzÙ{°ªñ JílÅZ0ÃdŽˆe(
+ï¡>þc…yjw˜Î‰ým²ks“aF–æÌ0ÌÃø5ngfn£Tt½ä‚Àš2Ó$–E™çåÀË™\»anzñmTÂ"’Ó¿²
+3í} MÑâ+Ûz̦.«Þ—†.=O.Ö+ï¤p†éiko8ÜËîy:Ø<Þ
+Ÿ »|!öw
+óÈ Žñm1ÚªÅëé$³þõÌfBú{z_šZéMÿŽItñFó
+€:]C¦ˆcq¿h“‡ ž‡-ÖXd¹_UãT]º9GLs^¾jw…9¶nßAôæ_ôqWy?.›)ü !=χhŽs·_òïâÇ»ñ[ËAÁ¥É|-}y‘à$ƒŸb³;Yh>‡¢œz ;
endobj
-1639 0 obj <<
+2075 0 obj <<
/Type /Page
-/Contents 1640 0 R
-/Resources 1638 0 R
+/Contents 2076 0 R
+/Resources 2074 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1644 0 R
+/Parent 2073 0 R
>> endobj
-1641 0 obj <<
-/D [1639 0 R /XYZ 85.0394 794.5015 null]
+2077 0 obj <<
+/D [2075 0 R /XYZ 85.0394 794.5015 null]
>> endobj
-570 0 obj <<
-/D [1639 0 R /XYZ 85.0394 769.5949 null]
+706 0 obj <<
+/D [2075 0 R /XYZ 85.0394 769.5949 null]
>> endobj
-1642 0 obj <<
-/D [1639 0 R /XYZ 85.0394 573.0962 null]
+2078 0 obj <<
+/D [2075 0 R /XYZ 85.0394 571.259 null]
>> endobj
-574 0 obj <<
-/D [1639 0 R /XYZ 85.0394 573.0962 null]
+710 0 obj <<
+/D [2075 0 R /XYZ 85.0394 571.259 null]
>> endobj
-1643 0 obj <<
-/D [1639 0 R /XYZ 85.0394 542.127 null]
+2079 0 obj <<
+/D [2075 0 R /XYZ 85.0394 538.9404 null]
>> endobj
-1638 0 obj <<
-/Font << /F21 714 0 R /F22 737 0 R /F39 899 0 R /F41 939 0 R >>
+2074 0 obj <<
+/Font << /F21 938 0 R /F22 961 0 R /F39 1161 0 R /F41 1218 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1647 0 obj <<
-/Length 3450
-/Filter /FlateDecode
->>
-stream
-xÚ¥ZëoãFÿž¿ÂßÎbYóÐcŠÃé>®é»½]wEÛ²¬Äº•%W’“ºý‘CÎX²•fb±Ñˆq8>~¤,f!ü³(b#Í,1:ˆBÍòÝU8{„gÿ¼<gá&-†³¾]]-ß«dfËx¶zðJƒ0MÅlµùyž2¸þuõýò}"seDR{œóæ»O?®hÖˆ£N-RÉÓn?¼âR Ís>¿[Ýß½`%¥Uì—¼ýqõîÓõBF!Èx { çßÞÁ
-–bèòùÝ›ûOw«ŸèîÍÇŸïÞ¾ût{èùêîp«w+¯©¡6E¨PM¿]ýük8Û€R¿¿
-eÒhö 7a Œ‘³Ý•ŽTi¥¥ºú|õoÏpðÔ¾:y:" Ärâx¤œ:žÈ±å£Þ7-mn‘Î º+뇦Ýe}ÙÔDp×móLƒ¾¡ë¡ãWnßüÐí-Ǧ/òžÇæÀ«uEûT´¨ÇG`6ý¶àÓ3Ù•A’wz·÷ŸßÀáEÑœ­f´Q© ÏÍ6Oe×´GbŸõßÐbhC ƒN“Ì`&"J"ûêßÏÏ7ÖÖ"™%Z:Ñ =ý2s£Îƽ°¾aF×¿à‹«?ôûo–Kød‡./Ú>hÚG/÷‡õ’IK·»åí 0âpFd‚0ÔÁ¦îÎÅ×
-Œ, åHþ× T&MÓió\xŽ¯lLÔjÆÜ4—F"Í…†Ï,ÞϺ\ut¬—ÜpٰɈ™ÐÒà8ÖÀw`ó)p‡—D»èu½aοm›†í8«7ŠþPn&L0œ-$ƒ!CúˆÞ“FóûwÿÅQÌСõ=/{¢–ÍÛ7]W®«‚¨ÖŸ€Ú^§óCM4U@-™w6á6R$žyB¾%‡œ’YÅAd7¹¨ŸJš^§5~ £ðЕõ# æ|Uµ.Â8Hµî¹U¾ ÿÅÔºi ãÐðô‡Ccر“í¢ë#¾„'dJ >*E”_º}‘—G+“Ò‰• éü)5­6²ÄDBúà°è'"öN–eÝì)"w[‡›ÆIÊoÖÙnZÑa`ŒÏD{âPÎW[<|dg5­·-ª=ÊÇÒ'Þ\wìúbG»"?´e¤»õ‘fì«,÷J!k±œXþŒt
-¾€(‰Ó©ô[îÀÈ×Íï8äý¼-ó-˪¢QUîÊþ¹í`“í²G7nj—RØyF€qâÈ·Ï]Ù‹Е†1ù¶n`!|QÛäóp@I´˜?Yð9L‡äð€ä{pe1ï(»Á}ó@3Ø«€bEÒnS@ÈÖee•l© ]½G—ÙdÅÎ1ΘMÆ÷‡zß–OeU<’eØÝ 4b ÃL˜¯„ˆ¤@l¾š©¡ùb2‰œ?YŽ—6¨I{/@_3T"œÿçÚHºÃãcÑñéÒVkò}<ÆÎÅBÆÃ9dÐ:Ë)ܬÎ3˜2‰ ߈t<¦|H2‘õ Î>à`|”Jã±ñ|W8QÂØ3Æ«õ7¸¿g»}ÅÁw6ÎãMUÖLÆ“·”&ãgì[À¶d>ÙÔ¾
-ñªÅ€!(Ÿm/Ò6rG]ãrÏMû…(f÷E[éYY;IhBÖöe~¨2–tC\Ê[(S0Bù °ïÜL„,f’zbÁÙ
-â(:Kè/Y1à©4MÌ d¡%'«
-Êi”•pTh 8²Ö ³èipà”šq"¼P˜}k›ñ¨¬óê°)858Žý–ój:È«¸b7^’ʦw=Ïyvîö2rdö7ŒªÆ
-
-Òeì".†Å HkuRÚ¾Ü,HSîqŸ¹,Ï›CÍãÁ•Ü`H]àpÄhq–­îkÞ&
-PÑ’nhhÃB–㾄hY?8¨‰‚AƒøF8ùëɈ#`Nâó 4" FEãÊê…S‰dô*>VP‰ù‚ ë³~(yÝ´ßÁ#Úð°Ó(>ËEÛŒÂJ˜`_·Y[ZƒK³ØHŒOÈÂS´Ûg¢8O@`dÒùwÍs1hY¤ Dñ}QoÏÀ| ùRßä@
-„Wª¥1û •Nt.@ÝeGšÍzL-ºACáò*g̽7Ÿú±;÷‚q±)D¸Œ»ÜOË?Š¶™‚*HŒo´M…°LYµà+ÐÎCL!Féט©!³ªy|¡“#Ãä„\\õ=Œ5á=æYô9Áƒ¾ÜM¹iªÐM¥¯Á&
-D§D¸¦ÀýÎracñ¿çböÏ
-ã¯q)ã*!7ð`½iþ TRžÚjÀ‰ä ‡.ˆz_+ Ü–òmV?Žn#¨¥C|,ºŽK&Û\â®Ù”8)wmHÔœfçú APa¢ôy¦hÿ´Â€ëCy¾mž§NGÉÀÈX]ì‡ 3×½OúÓ?ÁYg°Ÿ¥“è‘‚ŠóàrÃ]ŽAƒ•3츓:(½)p -s åÔ¶öóÛ²§Jhª;­@kÚÈè«ÚÓ4a
-ØA{à–
-ˤ2¥=5½IÚÁQa…(lÚñ°ò‡5¬f/bA|†P¶|†±€¹wtk‘=HÉìE¨î±Ú·“N%¿%£õƒýÝP3¡d©*ÔPØÁº`àBæQJ=8[_KHjèS j¼B·S *‡yÏtÓ]ÏBå}Á3÷¶@ÏèèÞv¡Ã–™[U
-­ùt%ú²b7†8LûM¬oûw6ø¹ØÁ/l—Ûr"å­nÖÌ=oû¾yl³ýÖõðqv
-wfä…äî×D—¢ÿ€ö¦ûendstream
+2082 0 obj <<
+/Length 3284
+/Filter /FlateDecode
+>>
+stream
+xÚ¥ZëoÛFÿî¿Bߎ,Šû ¹,¸‰su¯Hz‰»¢íZ¤-^(RáÃŽú×ßÌÎ,EJt b.g‡³¯yüfVbÀ?±#?Jd²ˆí‡›ÝE°x„¾^æY9¦Õ˜ëûÛ‹õ;/?‰d´¸}É2~`ŒXÜf¿z±/ýåï·?®ßÅbÄ+?”
+Ä#Ï›>~øpK\‰ÚøZÉlWïßÎIŠ|©„fžO×·w7ogD “Ò*†¼úùöúãr%Ã
+°+!ü$ ¥]Wz_æ™?ô?ÒØžwuCǹ«I$½ÕCÝìÒÎÎ î¹­Ÿ©ÑÕôì[þäêÍOí´‹&Ywù¦#¡îy4Þ!ÐœKG`1¸C¤¯Éè´”~l§¯WwŸÞ€º†¡Çv29Zû& ó¦ÙSÑÖÍħÝwô…[ÍJE q»ÍIì§?ÕèHûZ‹xƒ’éÌÌj õ~^¸Ö¿ŽÚè>X¿°Ê¨ÇãŸÉÅѺýwë5üõÓ¾ÝäMç×Í#´×ûþ~ͤµ[Ýú꧘màÙ$~h?«ÚÓékfr2ÿ×LRú‰1fÞ WƒÄWFë‹0™.0«Ïg
+?HÎvøÄÆ®óQ'Çz. ‡ý«ŒXí+ ®Âj
+¶ëÃTâi¸À%· ä÷õWl²‹~Þ›-7‹²¤VYìŠîè¹m#Kwé£kו )l<“@]86µ[ç®h_XWU á‡ÚŸ‡g¢…÷§]?Ä0a@Í l}@‘!lRtƒwŒàÈÁV;%í„ô¾(í&[jMÏÁ"ÇÃdi¾s‚S“ò{_í›â©(óGÒŒÓ@ â=Aƒ™Q_ IÅ¡SßžXB5V_ &¡³'+ñ\'êÁ
+ÐÖ|D÷Ÿe"hûÇǼåÓ¥¥VdûxŒ­ó…ŒÆ+sÈ qš“;®v0ï<dB¼fâ<ælHø2–çŽÎÞggr”2ÑTy~È‚(‘x„õ»|æ_ÓݾäNÐÅõóøR“ñä-¥N¹m Ä,'[—‚phõ ëJÂÄ/áåŒ@­ü@NÞú)mÖ/ù8\ibÇ
+Ö¬Tä ks+b]žuj¡1êÔ©a „H©“çѾÁíÅŽYÎ?²–È@26Óf‚Íø»ÉI®û¶Y—õ&-×í}QñÚÁ“hö ò˜ÐÑól“Äàê)d«ØW&Œ†LMpì¿užm3× 98Î
+ñªÆ€"¨!Úž…m”Ž{Ã=×Íg¢°›Ýç ¦ØWTn&Ä6]±éË”gšœ˜tJ# z¨al;—3.Kš˜„ØCpú£ü( õT^ÒbÀSÆÄÉÈe¡&dz
+Ši•°Uå¨ Ø²Ú3ï¨ÑsHM9žm˜ýj›r«¨6eŸåšs‡nËqÕŒâ*ŽØN‡$ƒ²á]{ï\hWîÖ2A2(ìoèU“
+´ÝÆ€tŸ¶”)òí‰vi”òn~&Bše„O[þˆ.å8µ·­)erƒ_ [bH9f£»dëâI–ÅÀª©N÷ÂÐ3+¥ˆ…6ÖQÕ@†•.N²ý%Åï¯D·•Öмxû:NÖ²7«+>êÙüÔ˜Á‹ýÁåcÃé‚qr±É»¼ÛÖOƒi r×™`æÆçÇ9Zî¶&×1= ñáX#Wd-“lå˜Ai±}÷w7ÄòÉæ3a3L+OÛÂ&1!]ÀXVaÁzWe[óŽ×Ý0ÕÔ‰x˜L>¦SœN:çaìþR Ö*¼x2*Q¾”,|ådVûL^ÃØ"’­–Ð MÓ‚Õrì G[¦OÌ:Ü
+`µŠAV£@ßò¯¤["@ó™R;NÀFR—‚/´{ϦÄqJ»r±fNñ7TÐ&7#C0Z,ksú ä´ëðl3ê¼gj;d‚¡3óPTC34s& »êKjøN W+z¼Fꢋ–Q¼þÞ
+B¼T<±lR\¼^'°N§†
endobj
-1646 0 obj <<
+2081 0 obj <<
/Type /Page
-/Contents 1647 0 R
-/Resources 1645 0 R
+/Contents 2082 0 R
+/Resources 2080 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1644 0 R
-/Annots [ 1652 0 R ]
+/Parent 2073 0 R
+/Annots [ 2087 0 R ]
>> endobj
-1652 0 obj <<
+2087 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[0 1 1]
-/Rect [63.4454 738.9144 452.088 749.0762]
+/Rect [63.4454 707.8911 452.088 718.0529]
/Subtype/Link/A<</Type/Action/S/URI/URI(ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos)>>
>> endobj
-1648 0 obj <<
-/D [1646 0 R /XYZ 56.6929 794.5015 null]
+2083 0 obj <<
+/D [2081 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-578 0 obj <<
-/D [1646 0 R /XYZ 56.6929 723.0302 null]
+714 0 obj <<
+/D [2081 0 R /XYZ 56.6929 690.9391 null]
>> endobj
-1653 0 obj <<
-/D [1646 0 R /XYZ 56.6929 689.3491 null]
+2088 0 obj <<
+/D [2081 0 R /XYZ 56.6929 656.5891 null]
>> endobj
-582 0 obj <<
-/D [1646 0 R /XYZ 56.6929 552.677 null]
+718 0 obj <<
+/D [2081 0 R /XYZ 56.6929 517.028 null]
>> endobj
-1654 0 obj <<
-/D [1646 0 R /XYZ 56.6929 525.9649 null]
+2089 0 obj <<
+/D [2081 0 R /XYZ 56.6929 489.6469 null]
>> endobj
-586 0 obj <<
-/D [1646 0 R /XYZ 56.6929 411.5673 null]
+722 0 obj <<
+/D [2081 0 R /XYZ 56.6929 373.2709 null]
>> endobj
-1655 0 obj <<
-/D [1646 0 R /XYZ 56.6929 383.9327 null]
+2090 0 obj <<
+/D [2081 0 R /XYZ 56.6929 344.9674 null]
>> endobj
-590 0 obj <<
-/D [1646 0 R /XYZ 56.6929 225.6356 null]
+726 0 obj <<
+/D [2081 0 R /XYZ 56.6929 184.6919 null]
>> endobj
-1330 0 obj <<
-/D [1646 0 R /XYZ 56.6929 193.4614 null]
+1732 0 obj <<
+/D [2081 0 R /XYZ 56.6929 151.8489 null]
>> endobj
-1645 0 obj <<
-/Font << /F37 802 0 R /F71 1651 0 R /F22 737 0 R /F39 899 0 R /F11 1397 0 R /F41 939 0 R /F21 714 0 R /F53 1029 0 R /F48 953 0 R /F62 1062 0 R /F63 1065 0 R >>
-/XObject << /Im2 1051 0 R >>
+2080 0 obj <<
+/Font << /F37 1026 0 R /F71 2086 0 R /F22 961 0 R /F39 1161 0 R /F11 1451 0 R /F41 1218 0 R /F21 938 0 R /F53 1313 0 R /F48 1238 0 R /F62 1361 0 R /F63 1364 0 R >>
+/XObject << /Im2 1350 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1658 0 obj <<
-/Length 533
+2093 0 obj <<
+/Length 846
/Filter /FlateDecode
>>
stream
-xÚ¥TM›0½ó+|©¸6Æ`³IÚ²RÓ4a«ÕxT‚Ó@6ÊþúšŒ“ -{ZEóÆo>Þx€"b~ Ž “!Šeˆ9¡å[‡ µ9ûîPËñ/$¿ÏºK¯ßXŒ$–Q¡ô¥—K`"Eiñ䎌æétáù'nŒ=ŸGĽKfðHx,§ã‡E’>ÿš-“Ét1òâÐMƒ<?D˜xf3Lg£ŸÉøó P§ï²=§÷Î4½
-é‹¥„u*þ:OÏFó½C0“‚££S)´uBÎ0»x*géü¾&ìžC‡†Ç™À\ñÀô‚`hz\âˆì<½¥ÞªNSä6e«0óÖu·º{r÷R;ðdUFqª³m™|ò»"kU“nžgFÖf`•5¤±°9¬
-½ÍÀkRÖ6²P•Z›D¶ö&k{|¿·ÑìSŠ%çÁY€MÂtÊ乄Úe{HeЛ®•¹YF"7Ý” 0ÙÉ£”º_ ‰)§Àßê_©WUÝbÁÊuÝšze½¶x_¶Ý
+xÚ¥UKÛ6¾ëWè(KŠ¢ÇÍÚI ÛíZ9I´ÄØB$Qé8î¯ïPCïº[õTg†çñÍb!… A(/Ó0/S"(aÝ4<ÀÞû€yL|Å·¨·UðË;ž‡%)³$ «o7¾
+B‹‚…Uó9ºÿõî±Ú<­âDÐ('«Xd4z»}X£¥Äe·¹ÿø´­>¡vÿûÃn»Þ<Ý­ò4ª¶ ­â´ œçÞÃúÓÃÝoÛ{Ä|\#tóÊÛ×êC°©ž ¹-–Qîªø3øü•† Ôü! „—…Ï PÂÊ2 û œˆ”ó«¥ vÁÏovç£Kä ^Q$ù{I²Äž(IÆ>³÷NO«˜Ó,²Ge”óhZ±"RÒèÁ¼KB£³B±óžÝå[ë¾WCsõ$-J§±‘VTöÞ{=]F«“m-;t”Eò LVyG{£Wr0Žj¨7fŒ”B$sòú´#K";@Ö¶Õƒ3°È´‡AÚ&gô…
+Zí¶ïaeaÕœ©Ûl]¥I–:\$ ŽÝPÇÊŒ¤)ÈtŽ YësŒÕyô-ÑYBJV¬Çk^IdŽúÔ5¼k®GÂœ䇶ïê‚°b‘\Å,êAP˜¦ˆmgB`K³$ý'1ÛGœSÙ4ž3Ó
+“ÚZ¬8‹ê£ÖÆ›­v«
+Íe=N¤omƒk÷:Ìi%Jí€n¼jNûF÷­àrð'Õ©ƒ›ŒÓvÅÇKíð3ååT£F9¡+ÐþÒƒ"xIªcky–/]J¯]»ÕcÜ)hâËY”j=Xˆ×¯O­»óպاúˆ’ô¡¼ïÍm¼4ÀÀå\(p<ía°gµ÷cŠ„QW~‡’QÓ5™ëœ)psGÜDÑ7Î^Jļ`ɽÔ\÷¼.¼«ð÷yÿïWüåû–¦(’åšÓ”p^²kRŽ/Æòש?¿÷ÿÎýoÊàaendstream
endobj
-1657 0 obj <<
+2092 0 obj <<
/Type /Page
-/Contents 1658 0 R
-/Resources 1656 0 R
+/Contents 2093 0 R
+/Resources 2091 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1644 0 R
+/Parent 2073 0 R
>> endobj
-1659 0 obj <<
-/D [1657 0 R /XYZ 85.0394 794.5015 null]
+2094 0 obj <<
+/D [2092 0 R /XYZ 85.0394 794.5015 null]
>> endobj
-1656 0 obj <<
-/Font << /F37 802 0 R /F22 737 0 R >>
+2091 0 obj <<
+/Font << /F37 1026 0 R /F22 961 0 R /F21 938 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1662 0 obj <<
+2097 0 obj <<
/Length 69
/Filter /FlateDecode
>>
stream
xÚ3T0
endobj
-1661 0 obj <<
+2096 0 obj <<
/Type /Page
-/Contents 1662 0 R
-/Resources 1660 0 R
+/Contents 2097 0 R
+/Resources 2095 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1644 0 R
+/Parent 2073 0 R
>> endobj
-1663 0 obj <<
-/D [1661 0 R /XYZ 56.6929 794.5015 null]
+2098 0 obj <<
+/D [2096 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-1660 0 obj <<
+2095 0 obj <<
/ProcSet [ /PDF ]
>> endobj
-1666 0 obj <<
-/Length 1964
+2101 0 obj <<
+/Length 1965
/Filter /FlateDecode
>>
stream
@@ -8264,205 +10071,209 @@ i ·¥Ý3éÀ–yíˆùðŠ&Â8K<æcø¡›‚hïCû™<»úÐŒ­êhüýÔï Æס\@•‰ó÷w= vV
ýf3GÕ51b‘æi‘diNŒ‘Œâ±ˆ±0·"ð0àâÄßZÕ7’\sÂw"ó‡&0ÍåþF—?$cRÍZº”í(õåŠ:éH^04g¢°û(½À ÙWáÓ7˜¿S,[>°úŒ¹…;î3`ô¦'bÕÀ¤Ö^ ïöEy˜]¹œ­Þv‹íçÞa¯Úák@n@þzh|ÇütÓOÓ0J¿mºã—¿ÞeÚâš(°ÁiÇEðá êÍâÀz҃ѣm§žæˆ§çOŒ$
­è×ØÚ:‰óÎÐÃBYn?z·XdÌqâd¾©Üä¤ÚNí:ørðï»QÕaáƒL·CÕMucVìâªV.Wª4 Û8Hü»Uoy)”@»Zìo+B)ˆ×­©ôD9ƒ©;B.ÊõTyåvÂ)Î6™îZds§¡ÁÓÏMí­µ°r=¶öä&vÓž®é^/yr€¡¶¯ÓP;«y Â1{9B€FãŸà{ËוÂM>p\×-ž‘7>å èWˆÌ¨W
¥Ìrcø-Š¼ûãËü
-“¤%œ¡i±Iæ² —â~ÚøÑŸ/¯6³Âv¡ámÒ¥ß;»è½‡CÀê/aïoãã<,EQ^Çsór4 ÝÅpµö;[ÃïVÎy7G)JΑOü©5­¿|hW°hpk·IQ„"é5¶ÏÍŽûª‡]Ù)C™‹_Ú‘Âõ%KÄQXDñ¯oʬ±]ªÜïʽe×SX{üâññ|>‡¼+¾,}w¸ÉÀdñ:Æ›š¥îãºÊǽµÿ¶Uø]5èTíŠË°ç§ð6hÿ˜ÈŸ%×"ö"Û‹ ½H.ƒ€k(,â2÷†0”RÞz›ß7ïÝýqˆŒäendstream
+“¤%œ¡i±Iæ² —â~ÚøÑŸ/¯6³Âv¡ámÒ¥ß;»è½‡CÀê/aïoãã<,EQ^Çsór4 ÝÅpµö;[ÃïVÎy7G)JΑOü©5­¿|hW°hpk·IQ„"é5¶ÏÍŽûª‡]Ù)C™‹_Ú‘Âõ%KÄQXDñ¯oʬ±]ªÜïʽe×SX{üâññ|>‡¼+¾,}w¸ÉÀdñ:Æ›š¥îãºÊǽµÿ¶Uø]5èTíŠË°ç§ð6hÿ˜ÈŸ%×"ö"Û‹ ½H.ƒH"h<H# a(B”·îæÎ{ÿúÀendstream
endobj
-1665 0 obj <<
+2100 0 obj <<
/Type /Page
-/Contents 1666 0 R
-/Resources 1664 0 R
+/Contents 2101 0 R
+/Resources 2099 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1644 0 R
-/Annots [ 1673 0 R 1674 0 R ]
+/Parent 2073 0 R
+/Annots [ 2108 0 R 2109 0 R ]
>> endobj
-1673 0 obj <<
+2108 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[0 1 1]
/Rect [348.3486 128.9523 463.9152 141.0119]
/Subtype/Link/A<</Type/Action/S/URI/URI(mailto:info@isc.org)>>
>> endobj
-1674 0 obj <<
+2109 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[0 1 1]
/Rect [147.3629 116.9971 364.5484 129.0567]
/Subtype/Link/A<</Type/Action/S/URI/URI(http://www.isc.org/services/support/)>>
>> endobj
-1667 0 obj <<
-/D [1665 0 R /XYZ 85.0394 794.5015 null]
+2102 0 obj <<
+/D [2100 0 R /XYZ 85.0394 794.5015 null]
>> endobj
-594 0 obj <<
-/D [1665 0 R /XYZ 85.0394 769.5949 null]
+730 0 obj <<
+/D [2100 0 R /XYZ 85.0394 769.5949 null]
>> endobj
-1668 0 obj <<
-/D [1665 0 R /XYZ 85.0394 576.7004 null]
+2103 0 obj <<
+/D [2100 0 R /XYZ 85.0394 576.7004 null]
>> endobj
-598 0 obj <<
-/D [1665 0 R /XYZ 85.0394 576.7004 null]
+734 0 obj <<
+/D [2100 0 R /XYZ 85.0394 576.7004 null]
>> endobj
-1669 0 obj <<
-/D [1665 0 R /XYZ 85.0394 548.3785 null]
+2104 0 obj <<
+/D [2100 0 R /XYZ 85.0394 548.3785 null]
>> endobj
-602 0 obj <<
-/D [1665 0 R /XYZ 85.0394 548.3785 null]
+738 0 obj <<
+/D [2100 0 R /XYZ 85.0394 548.3785 null]
>> endobj
-1670 0 obj <<
-/D [1665 0 R /XYZ 85.0394 518.5228 null]
+2105 0 obj <<
+/D [2100 0 R /XYZ 85.0394 518.5228 null]
>> endobj
-606 0 obj <<
-/D [1665 0 R /XYZ 85.0394 460.6968 null]
+742 0 obj <<
+/D [2100 0 R /XYZ 85.0394 460.6968 null]
>> endobj
-1671 0 obj <<
-/D [1665 0 R /XYZ 85.0394 425.0333 null]
+2106 0 obj <<
+/D [2100 0 R /XYZ 85.0394 425.0333 null]
>> endobj
-610 0 obj <<
-/D [1665 0 R /XYZ 85.0394 260.2468 null]
+746 0 obj <<
+/D [2100 0 R /XYZ 85.0394 260.2468 null]
>> endobj
-1672 0 obj <<
-/D [1665 0 R /XYZ 85.0394 224.698 null]
+2107 0 obj <<
+/D [2100 0 R /XYZ 85.0394 224.698 null]
>> endobj
-1664 0 obj <<
-/Font << /F21 714 0 R /F22 737 0 R /F11 1397 0 R /F41 939 0 R >>
+2099 0 obj <<
+/Font << /F21 938 0 R /F22 961 0 R /F11 1451 0 R /F41 1218 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1677 0 obj <<
+2112 0 obj <<
/Length 69
/Filter /FlateDecode
>>
stream
xÚ3T0
endobj
-1676 0 obj <<
+2111 0 obj <<
/Type /Page
-/Contents 1677 0 R
-/Resources 1675 0 R
+/Contents 2112 0 R
+/Resources 2110 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1644 0 R
+/Parent 2114 0 R
>> endobj
-1678 0 obj <<
-/D [1676 0 R /XYZ 56.6929 794.5015 null]
+2113 0 obj <<
+/D [2111 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-1675 0 obj <<
+2110 0 obj <<
/ProcSet [ /PDF ]
>> endobj
-1681 0 obj <<
-/Length 2543
+2117 0 obj <<
+/Length 2544
/Filter /FlateDecode
>>
stream
-xÚuYYsÛ8~ϯð[誑ÂûØ7[ÎádìrYÎNÕnö"! k’`ÒŠæ×O7ºyØéTJ@£hôñuƒö.\øç]¤ÑÚ ²ð"ÉÂuäzÑE^½s/°öùÇ<a¬£0`²°ºŠ‚t¥~r±šorýôîÃ'ß»ðÝuûÑÅÓ~<+N’µ¥OÅ«¦‘u¡~]®üÈu®.ÿ÷ô•ÄÂu’&Š¹pD²ã$žKäÒŒÌ^¸ÂØgæ8Z‡A’óÚ»\y® [çϵ>•²8T²îf²Þ:‹¢A6Ö^yƒì$Mú]·JîiøE™N·gšh&vGIƒ›û- D]°èíý ê_dë,öc>Ӈ˹!ë[vGÝŽ d¼ ~ø~gx©óÃuý\‰)´¶»ôyPu­êQ¬6sñ] UÓø^TLÝžM'+Éó¾mñ
-\Ó±8 ØãràÔòD3h Ä“0D,¤É[µ³:Ýê dÐ9 QÔ€EÒÔ'{)Áúrø®óɪ¢«q—µÑ$”ÄêY_ÝÔ'ÿ=>\f¾sUË"' Á_‘k/ƒ“†®
-¦6pkK­é·ç÷'‘s[w²…-@Ø£åÌ­ßp,XBšÎÞ'h7ü•¿Ù*Œpv
-÷Ãa…|‘¥nl Ø-H±ÈZyá6µ¨€÷ƒ(
-RÜŠ1ÏuL~”6`l ¿‚~ZѨ¢<ÓCƒÚ̓
-’ r”OœBç=Á 1j"«¢ºÑpQɧUäzý"GöÄÙ G,ØÝfS6ä ÐBdz˜€z²Ó„Q™DÏ B0q
-ã”U#7Cã@Q²€.ÿ¾ô
-ÝD‘øñðñ^=:\è±æí
-®o¬ƒñ+ñ'E\2}8Ç’;i %Ò‡ï&ª°Wõ\~jÀaÛÍ{³˜¢GË!zeoA_^†NmÞxš^Xð”Ð;’ù‚Ïr{z8Ø'"Hóȃ…×UØNÑô
+xÚuY[sÛ¸~ï¯È[•™µ««e·Äé%í&“‰Ó³3çô<ÐmóDUQŠëýõ  ¤dµÓé˜Äå¨>ü .ÖÉÒ²ø"ÍâeâÉE^½ó/°öù]À<q-“8Š`2³ºH¢õ2Y‡éÅbºÉõÓ»ŸÂà"ô—«U˜\<퇳Viº “õÅSñ_ïªid]¨_—‹0ñ½«Ëÿ=}%±x™®Ó
+#œ‚Ľ;¬/²Ô »)–X+Ïܦð~EAŠC1øžÉÒŒ­‘áWÐO+U”gš€B`hC»  ŸUM”Ä
+FXЭ‚dƒ\#åS¯ÐyOpBŒšÈª†¨n4\Tòi¹^¿È=õvÂÀ3v·Ù”¹<ƒZˆLPO–`š8I9³€øQ &ŽÀ6 CÆg”ñf±Ñu.{4ÐÈ,0ø$rUªNIƒb¼Ã°:Ý>±‹átûÕé°Ûª)å$
+£ÄÁ¶‘¹µ/!. N…Ùzê°Wâ.pl „ÓÁº°â…!R߸“OG•y—²œ ™®Õ+Å cøˆP¾·ëU é6É–+?£ÂôD˜•ZŒnMG“Ñu Æ »Æ51ŒŒl_àêiìYpɼÔ$LK­¹¿JH\ç d`
+¼
+–a“p¯Gkଯ ëÃá5³îǪÿêÄ- ÜȽ¬Í|µ/^ÄwxÒH‚
+D¤<ÐÎÿ—yÇ‘sU@E…ÎqÌ*Š‘×8P”Ì Ë¿/@f4áRÊ}^º¦ÖÒRº#›Úv°/×ˈÖFtÅŒ‚þ[åSr Òéú@Øèªé)ŽL½"Ÿûæ¢@ù<ñpJµÙ>~æÜpËLtGY­Fgá±[A —(-̃ÅÙ¶Ä ˜Þ°)Ëx™AaíF¼¨‚ÕáPâ¥V)§8·º>@ÌÔ4ûôÜÄP‰BÍÞ(dv P&máªëæßFD3zœ`·“¢ÂEàÛ=ÃBj{ †rh®ÔÐq½ ‘®³«zß&Å(uùJ¸8…B×ò5ø?Š²9Òp#ªf'Ë’•ú&_æ ùM_—¢±J6iðU£ª#E}ïãÏ^5X*‰eÃÏÖJ©>KF\¢P¯SSŒo&Œ>Ï! ·LÝ–è@±¸ˆ¤ægH@Ä9³ZI( Ž:ž()6Sq
+UŸiQc¢õFêƆEiX*×5ÔÏ]OÕ-ãÖXXE p³Í‚¥¢o¹‡šMÔºõÁùˆ4òs®øbðج–×
endobj
-1680 0 obj <<
+2116 0 obj <<
/Type /Page
-/Contents 1681 0 R
-/Resources 1679 0 R
+/Contents 2117 0 R
+/Resources 2115 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1686 0 R
+/Parent 2114 0 R
>> endobj
-1682 0 obj <<
-/D [1680 0 R /XYZ 85.0394 794.5015 null]
+2118 0 obj <<
+/D [2116 0 R /XYZ 85.0394 794.5015 null]
>> endobj
-614 0 obj <<
-/D [1680 0 R /XYZ 85.0394 769.5949 null]
+750 0 obj <<
+/D [2116 0 R /XYZ 85.0394 769.5949 null]
>> endobj
-1683 0 obj <<
-/D [1680 0 R /XYZ 85.0394 573.5449 null]
+2119 0 obj <<
+/D [2116 0 R /XYZ 85.0394 573.5449 null]
>> endobj
-618 0 obj <<
-/D [1680 0 R /XYZ 85.0394 573.5449 null]
+754 0 obj <<
+/D [2116 0 R /XYZ 85.0394 573.5449 null]
>> endobj
-1684 0 obj <<
-/D [1680 0 R /XYZ 85.0394 539.0037 null]
+2120 0 obj <<
+/D [2116 0 R /XYZ 85.0394 539.0037 null]
>> endobj
-622 0 obj <<
-/D [1680 0 R /XYZ 85.0394 539.0037 null]
+758 0 obj <<
+/D [2116 0 R /XYZ 85.0394 539.0037 null]
>> endobj
-1685 0 obj <<
-/D [1680 0 R /XYZ 85.0394 510.2426 null]
+2121 0 obj <<
+/D [2116 0 R /XYZ 85.0394 510.2426 null]
>> endobj
-1679 0 obj <<
-/Font << /F21 714 0 R /F22 737 0 R >>
+2115 0 obj <<
+/Font << /F21 938 0 R /F22 961 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1689 0 obj <<
-/Length 2810
+2124 0 obj <<
+/Length 2811
/Filter /FlateDecode
>>
stream
-xÚ­koã¸ñ{~…¿ÕbEõô²Ù$Í]/—&.Zàö€Òm«+K>QJ6÷ë;Ã!õ°•½ÚäƒÉáp8/΃b3þÙ,0ñ’Y”øNà²`–îÏÜÙÖîΘÁYX¤Åëãêìò–G³ÄIB/œ­6Z±ãÆ1›­²_æWŽçœw~wópótõ·ó…¸óOÏ4xº¹½yºy¸¾¡éýÃíÏO?]Gþ|uÿóÃù"Ž’`~õøxóðéþ_„s…]×B¯ožÏ]ýpv³ê8JÅ\Žìþvö˯î,á~8sžÄÁì&®Ã’Ä›íÏü€;Ϲ…gÏgïVõÖI-1×ñxèM¨Éó¦Ô$NÈ=®ÕôñþáHçÅóY«¼*q’Ì‚½
-EƒúœÅsYH¡dFyI+ÏòÐÈýZÖ4õ\×%QfÊ Að½øOU©¾Öy#i­ÚÐB)E]¼™mEaªƒLCÌb6;³µ-3©é-Ð( ™cNž³xËË-YÑH #¡ñÓŸ6-1ãØÝžë¸Q4Ôì0:R4óáÇ·‚Â<’•4>aòÙu½4IÞhK&„”ŠFfàVœ¹ó‡Êìϲ¼SDAóL¾È¢:ìeÙ@+©T¥=¥<–­·¦ftB%Úï¡ Θâþüµª¿Ð’f~÷"“´v¨”Ê×…$xSeâ†ë7B +@@»U­vùV´qΫµF`’Võ¡ª*I] (2F8"9!u“[WVÆŠ†qIm«MU7ª3žþ-Û=ùVÕš•¼Ìò—<kE¡´žàª±óîÃ=„»§ú‘ãã­4Áè|ÁàjÌïdiä#¹‘µ,ScÎû˜ØkùzâVMœs'öXÜE:fÈß?¾„Õ £4 v÷
-þà—šÃØ€f†à™0Š
-†Li2Za†TüÖ™/ÖyC+yîŸ3íïàLÝhOܼld½iGHÛ ”Ô‡‘Ö8R¡Fó×]žîÌPöçkD²LÖ¦2³çÐÚ‰ Pf ­G 8"ýÂ9y‘7BG!˜«T‚Üf÷ÈJ)š7h œàµM¢ùj×3b8iv4³Ó·ƒ(2‘чú]’ex2° ?Ë 2ÿ2O…j&LÈ™ñ¯E‚Šé² ™Å VAå,xÃF6¾&«¹Ïæ
-ÄD=pßíMòa‚ËØsxÌ=søUùö“ðü“<äšI<mÌ$B´ëàá–4P}#¦Ô
-÷ ×&
- ¶™ìLtÑâÏ©®ÄAÝ€}ºÚòaÁpÙ"âÖ‘ôª» è&~¯ ¡”)üaª »OÕ^XjO]4ƒ “ëûOOE. húÃ|[JúóÇÕÓ”$¤Qx²hº ÀDXækвN‰NÉØ/í
-¹·ÚÖ5 ”FE³Ã¼`Pó«è·c'ƒv51y~+PqgjÍäF@9I“Þ@H{C¿¥„«®Dýv΀¬Å‚x~5Š ?ÈS[ŸŒ[¹QµÏ·;SRUeº×"ÿ"—]»8(GBè9·µ¯çºl™­ã¥¿ÉR¸.Œ¨ñ]ndÌ–Þš{ mÑÑ™(Ù’ã( }¾Öh'J©Q'´jÓèxš`V é»— ËÚâ9Ô BCD‡
-÷ Ín©äIM AïoV·&÷&¶µHâA–ù6ý禟Åó;Óh‘è?ß!}‡0P¥´øε·²Zc¬ÜÌܾý¾ä¦T½]=š;Ù,'²ý¦9,//___QN®rGfíe^.´•.±Õ×®ðaòð¸V¡íŸ¿ÂßÄñ¸“0×"9ÍWó°ÂÆyÈ YdÛâ?:ñ߉’ Ö-; Ÿ¾uÐò—™ýØ÷èv,†[ôwxð)å‘:†ªÀï;äµ—ÇüùÈGGü}‹é°Ny)ã”òô—©¼Ë˜h1ÆDWzíOíÑÐcû³…ŽïZœ\ÙDvÞkÛ–Ø'–n¼Åz1ÍÔÄ·Q(ûIãEäöIuè²½¢SÊõÈT¶ÀÏV,d#=œ¸Qè;¾Ï@¯Œ;. þØ‹ì†ÅpÇ©ÐÕuBÓ;‘l6NUo/ëMzâ;ž9‰Ë¹:ò딕‘"N©½ç;‘ùq4|à9NÏà¦1›$°iš›Œ`¾G¨÷¾pòÀÁÏ’r¸]bþŸ¿~ö€9ÇÞô‡M/ŠJSËJÄ'œÛϤ§¬ÿ¤gð endstream
+xÚ­koã¸ñ{~…¿ÕbEõ̲»É6w½\š¸hÛ*K´­®,ùD9Ùܯï g¨‡­ì-Ð&L‡Ãyq”˜¹ð/fA脉—Ì¢ÄwW³lwæÎ6°öéL0ÎÂ"-†Xï—g—·2š%Nzál¹Њ7ŽÅl™ÿ2¿v<ç(¸óO7÷7×;_x;ÿxÿDƒÇ›Û›Ç›û74½»¿ýùñ§ëóÈŸ/ï~¾?_ÄQ̯nî?Þý‹p®‘ ëZ臛§ó_—?œÝ,;Ž‡R W"»¿ýò«;ËA¸Î\G&q0{‰ëˆ$ñf»3?NàKi!åÙÓÙß;‚ƒU³uRKÂu<zjò¼)5‰JO5½¿»ÿÒyñüY5º¨+œ$ó„`/©¦As.â¹*UªUNEE+OjߪÝJ54õ\×%„´Ê T0”à»ô?u3¤úÒ­¢µzM •J›ò•·•%Ô{•µLÌb¶[Þz¨reè-Ð( ™…Nž³|-ª Y‘%†Qjð³-ŸµbƱ»=×q£h¨#ØÁ:Ò4óáÇ·‚Â<’U4>aòÙu½¬
+dþU‘¥º0¡N$;<¼q*¦cÈ2d¬‚ÊYÈ(†b|M VK_Ì5ˆ‰z¾Û›äÝ—±çÈXz|øuõú“ðü“2”†I<mÌ$BŒëàá–4P}#¦ô;
+h»zxXÑGWø ŸøxûpdGS—é³çùŸ˜Œ3;¦`²ƒ€[sƒ›&²K¼C*Ç!@þ®Û(Nê'¨u|6çfÀéà&€S2Z÷ë„c€‹»ÞÐ1Þ<Ós l³ˆú°¢àYcè>§'„)ŽN°ÕEZME‡È ¡äå-W}×q‘t¼@Ú½”î¾ç;~ 7eh˜%¥ç¤×ŸŒô‹#ýU1¯Ô0Mˆ†ÊÒ‰Müñü°×ÈUº’3›‚˜<¸wOçJ¾ sêOLŽc®6ÛòÕ¤:³êö (/rÍG×= …8£?¡prmRXÖ”aÄwâ ´QCɵµÇ¥«°¥«7¾µhÒjƒ—VBF_Z¬Î‘`|΢‰(%[
+KÌÄ­tg¹Ñä äh&ÆZéI¥”»
+À¡ìLLÑâÏ©®ÄA Ý]
+ûLµ³òa¹lIëÈ
+»õ.µÔ»h &î>>b¹`:&Ðô‡ù¶”ôçËÇ)IH£5xrÚv €‰°*V e“ œ’1/ã
+ItdöW9€°;˜
+#";"2ôoÆG‰Fõ
+EЙ­OƭܨŒÚ›-—e]s÷Z_ÔU×.Ê‘zE)míë¹®¸ÊWñ•¿ÉUêº0¢Æ÷j­bqå­¤7‘Љ’-9ŽÂÐákq¢ŒuB«×­‰§ fe°¹{ º ©-žC
+â”mÖöÑëC½Ã
+cåàföí÷¹àRõvùÀw²½šÈöëvuyùòò‚*p
+]8*?\ÕÂXé[}ãú&?kÚþù+üM\O:‰p-’Ó~å‡1ÎCN("ÛÿùøÓ‰øN”±iÙE˜øô­ƒ–¿ÌìèÇþ»G·c1Üb¾{øÃO)Ô1T~ß!¯½<æÏGþã8:âïè[L‡uÊÓH§Ô§¿Lå]ÀĈ90&ºÒK÷ðxj7ˆ†žÄ˜-t|×âÚv ª{ô^Ù¶Ä>±t‹à-Ö‹i¦'¾}¤¥¶Ÿ4žÓÂ>©]¶£÷OtJµùï‘ÊøÙJ„b¤‡7
+}Ç÷èUHÇÁ{‘Ý°î8u¢º¦Nh{'RíÚ©›Íe³ÎN|Çs#'qå1WG¾Óa²2RÄ)µ·|'r"?Ž†<ÇéÜ4†`“6MKÎü=B¿õ…S~–œÃíóÿüõ³ÿ
endobj
-1688 0 obj <<
+2123 0 obj <<
/Type /Page
-/Contents 1689 0 R
-/Resources 1687 0 R
+/Contents 2124 0 R
+/Resources 2122 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1686 0 R
-/Annots [ 1693 0 R 1694 0 R ]
+/Parent 2114 0 R
+/Annots [ 2128 0 R 2129 0 R ]
>> endobj
-1693 0 obj <<
+2128 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[0 1 1]
/Rect [253.7995 149.3637 417.685 161.4234]
/Subtype/Link/A<</Type/Action/S/URI/URI(ftp://www.isi.edu/in-notes/)>>
>> endobj
-1694 0 obj <<
+2129 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[0 1 1]
/Rect [63.4454 110.455 208.8999 120.6168]
/Subtype/Link/A<</Type/Action/S/URI/URI(http://www.ietf.org/rfc/)>>
>> endobj
-1690 0 obj <<
-/D [1688 0 R /XYZ 56.6929 794.5015 null]
+2125 0 obj <<
+/D [2123 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-626 0 obj <<
-/D [1688 0 R /XYZ 56.6929 662.0717 null]
+762 0 obj <<
+/D [2123 0 R /XYZ 56.6929 662.0717 null]
>> endobj
-1691 0 obj <<
-/D [1688 0 R /XYZ 56.6929 624.1661 null]
+2126 0 obj <<
+/D [2123 0 R /XYZ 56.6929 624.1661 null]
>> endobj
-630 0 obj <<
-/D [1688 0 R /XYZ 56.6929 624.1661 null]
+766 0 obj <<
+/D [2123 0 R /XYZ 56.6929 624.1661 null]
>> endobj
-1146 0 obj <<
-/D [1688 0 R /XYZ 56.6929 593.0972 null]
+1531 0 obj <<
+/D [2123 0 R /XYZ 56.6929 593.0972 null]
>> endobj
-634 0 obj <<
-/D [1688 0 R /XYZ 56.6929 294.2701 null]
+770 0 obj <<
+/D [2123 0 R /XYZ 56.6929 294.2701 null]
>> endobj
-1692 0 obj <<
-/D [1688 0 R /XYZ 56.6929 255.4568 null]
+2127 0 obj <<
+/D [2123 0 R /XYZ 56.6929 255.4568 null]
>> endobj
-638 0 obj <<
-/D [1688 0 R /XYZ 56.6929 255.4568 null]
+774 0 obj <<
+/D [2123 0 R /XYZ 56.6929 255.4568 null]
>> endobj
-967 0 obj <<
-/D [1688 0 R /XYZ 56.6929 226.1045 null]
+1251 0 obj <<
+/D [2123 0 R /XYZ 56.6929 226.1045 null]
>> endobj
-1695 0 obj <<
-/D [1688 0 R /XYZ 56.6929 53.5688 null]
+2130 0 obj <<
+/D [2123 0 R /XYZ 56.6929 53.5688 null]
>> endobj
-1696 0 obj <<
-/D [1688 0 R /XYZ 56.6929 53.5688 null]
+2131 0 obj <<
+/D [2123 0 R /XYZ 56.6929 53.5688 null]
>> endobj
-1687 0 obj <<
-/Font << /F37 802 0 R /F22 737 0 R /F21 714 0 R /F39 899 0 R /F53 1029 0 R /F11 1397 0 R /F41 939 0 R >>
+2122 0 obj <<
+/Font << /F37 1026 0 R /F22 961 0 R /F21 938 0 R /F39 1161 0 R /F53 1313 0 R /F11 1451 0 R /F41 1218 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1699 0 obj <<
+2134 0 obj <<
/Length 2825
/Filter /FlateDecode
>>
@@ -8480,374 +10291,382 @@ Zî–ÁÅ“ž„N(ËEHq¤;#UO«E;õ4:É$£ÇgöHm)7™FJ“>2½Ð-™'ØÃdvÀ›
À´jP'Ïå±îí0ô¾ˆpØ!f
ã3­¤%ä¶B-dU™Ï}¸­ ö‡MÐFžŒ¯ -3wÊ,Ÿw¢^ [ÖŒ*…ÅÈ´<Øû©ÍØ/cŒ ­±ïÖÙN­>Ë^vå›~¾Ñó
åçú«d>C¶K¡`Œidå7ÆÁâU<2³û»I_å Cæœ:& ôÚäLcjKy¨ÖRמZ/´EvÛÁ¶ >-÷{¹ëŠõfëÀ·@09—¬–‡JÊH…‰Åq³N¬é„`ü]þmøèœÆ(æØ>F¢aóù XäýqŸêSW±ïÚôy°Úc +ïÔàT >d mâŒ^·Ãs§÷œ¥ÅùÆgîóÝÎœø~ŸIð‘0Šüa ¹ B µT$žƒnk}àak°‘Ù!×G%ǶÚ4[Y¯†ªLÆ,<=5G±Žö\×~ïGI ¶àÏÔÿ–[áZ¨Íø¾Ï¾|¸­ÂûÀÃ
-·‘÷AŸWÏÙ6}ÍE5#P}m kkôÓÒ9áBŸÔ6"²€ÑÛÇ×H^MÖêD2ì #FEÐ|X|Ö~ѼJyÈ«m^§DRãKá%Jæ./öY®P¯ÙÙC²7Ü…¤jñ î€j“Ûÿò—¾ÖÎaŒh’8Óh¡„ðX¿”øœ÷ßÜ||úêÿÆùbzendstream
+·‘÷AŸWÏÙ6}ÍE5#P}m kkôÓÒ9áBŸÔ6"²€ÑÛÇ×H^MÖêD2ì #FEÐ|X|Ö~ѼJyÈ«m^§DRãKá%Jæ./öY®P¯ÙÙC²7Ü…¤jñ î€j“Ûÿò—¾ÖÎaŒh’8Ó(4Ÿ”r¬_Jü
+LhÿÕÍ7Á§ïþ_$Gb’endstream
endobj
-1698 0 obj <<
+2133 0 obj <<
/Type /Page
-/Contents 1699 0 R
-/Resources 1697 0 R
+/Contents 2134 0 R
+/Resources 2132 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1686 0 R
+/Parent 2114 0 R
>> endobj
-1700 0 obj <<
-/D [1698 0 R /XYZ 85.0394 794.5015 null]
+2135 0 obj <<
+/D [2133 0 R /XYZ 85.0394 794.5015 null]
>> endobj
-1701 0 obj <<
-/D [1698 0 R /XYZ 85.0394 752.3015 null]
+2136 0 obj <<
+/D [2133 0 R /XYZ 85.0394 752.3015 null]
>> endobj
-1702 0 obj <<
-/D [1698 0 R /XYZ 85.0394 752.3015 null]
+2137 0 obj <<
+/D [2133 0 R /XYZ 85.0394 752.3015 null]
>> endobj
-1703 0 obj <<
-/D [1698 0 R /XYZ 85.0394 752.3015 null]
+2138 0 obj <<
+/D [2133 0 R /XYZ 85.0394 752.3015 null]
>> endobj
-1704 0 obj <<
-/D [1698 0 R /XYZ 85.0394 746.3107 null]
+2139 0 obj <<
+/D [2133 0 R /XYZ 85.0394 746.3107 null]
>> endobj
-1705 0 obj <<
-/D [1698 0 R /XYZ 85.0394 731.5461 null]
+2140 0 obj <<
+/D [2133 0 R /XYZ 85.0394 731.5461 null]
>> endobj
-1706 0 obj <<
-/D [1698 0 R /XYZ 85.0394 728.1497 null]
+2141 0 obj <<
+/D [2133 0 R /XYZ 85.0394 728.1497 null]
>> endobj
-1707 0 obj <<
-/D [1698 0 R /XYZ 85.0394 713.3851 null]
+2142 0 obj <<
+/D [2133 0 R /XYZ 85.0394 713.3851 null]
>> endobj
-1708 0 obj <<
-/D [1698 0 R /XYZ 85.0394 709.9887 null]
+2143 0 obj <<
+/D [2133 0 R /XYZ 85.0394 709.9887 null]
>> endobj
-1709 0 obj <<
-/D [1698 0 R /XYZ 85.0394 651.9592 null]
+2144 0 obj <<
+/D [2133 0 R /XYZ 85.0394 651.9592 null]
>> endobj
-1082 0 obj <<
-/D [1698 0 R /XYZ 85.0394 651.9592 null]
+1381 0 obj <<
+/D [2133 0 R /XYZ 85.0394 651.9592 null]
>> endobj
-1710 0 obj <<
-/D [1698 0 R /XYZ 85.0394 651.9592 null]
+2145 0 obj <<
+/D [2133 0 R /XYZ 85.0394 651.9592 null]
>> endobj
-1711 0 obj <<
-/D [1698 0 R /XYZ 85.0394 648.8377 null]
+2146 0 obj <<
+/D [2133 0 R /XYZ 85.0394 648.8377 null]
>> endobj
-1712 0 obj <<
-/D [1698 0 R /XYZ 85.0394 634.0731 null]
+2147 0 obj <<
+/D [2133 0 R /XYZ 85.0394 634.0731 null]
>> endobj
-1713 0 obj <<
-/D [1698 0 R /XYZ 85.0394 630.6767 null]
+2148 0 obj <<
+/D [2133 0 R /XYZ 85.0394 630.6767 null]
>> endobj
-1714 0 obj <<
-/D [1698 0 R /XYZ 85.0394 615.9121 null]
+2149 0 obj <<
+/D [2133 0 R /XYZ 85.0394 615.9121 null]
>> endobj
-1715 0 obj <<
-/D [1698 0 R /XYZ 85.0394 612.5156 null]
+2150 0 obj <<
+/D [2133 0 R /XYZ 85.0394 612.5156 null]
>> endobj
-1716 0 obj <<
-/D [1698 0 R /XYZ 85.0394 585.7959 null]
+2151 0 obj <<
+/D [2133 0 R /XYZ 85.0394 585.7959 null]
>> endobj
-1717 0 obj <<
-/D [1698 0 R /XYZ 85.0394 582.3994 null]
+2152 0 obj <<
+/D [2133 0 R /XYZ 85.0394 582.3994 null]
>> endobj
-1718 0 obj <<
-/D [1698 0 R /XYZ 85.0394 567.6349 null]
+2153 0 obj <<
+/D [2133 0 R /XYZ 85.0394 567.6349 null]
>> endobj
-1719 0 obj <<
-/D [1698 0 R /XYZ 85.0394 564.2384 null]
+2154 0 obj <<
+/D [2133 0 R /XYZ 85.0394 564.2384 null]
>> endobj
-1720 0 obj <<
-/D [1698 0 R /XYZ 85.0394 549.5337 null]
+2155 0 obj <<
+/D [2133 0 R /XYZ 85.0394 549.5337 null]
>> endobj
-1721 0 obj <<
-/D [1698 0 R /XYZ 85.0394 546.0774 null]
+2156 0 obj <<
+/D [2133 0 R /XYZ 85.0394 546.0774 null]
>> endobj
-1722 0 obj <<
-/D [1698 0 R /XYZ 85.0394 531.3128 null]
+2157 0 obj <<
+/D [2133 0 R /XYZ 85.0394 531.3128 null]
>> endobj
-1723 0 obj <<
-/D [1698 0 R /XYZ 85.0394 527.9163 null]
+2158 0 obj <<
+/D [2133 0 R /XYZ 85.0394 527.9163 null]
>> endobj
-1724 0 obj <<
-/D [1698 0 R /XYZ 85.0394 513.1518 null]
+2159 0 obj <<
+/D [2133 0 R /XYZ 85.0394 513.1518 null]
>> endobj
-1725 0 obj <<
-/D [1698 0 R /XYZ 85.0394 509.7553 null]
+2160 0 obj <<
+/D [2133 0 R /XYZ 85.0394 509.7553 null]
>> endobj
-1726 0 obj <<
-/D [1698 0 R /XYZ 85.0394 483.0356 null]
+2161 0 obj <<
+/D [2133 0 R /XYZ 85.0394 483.0356 null]
>> endobj
-1727 0 obj <<
-/D [1698 0 R /XYZ 85.0394 479.6391 null]
+2162 0 obj <<
+/D [2133 0 R /XYZ 85.0394 479.6391 null]
>> endobj
-1728 0 obj <<
-/D [1698 0 R /XYZ 85.0394 464.8745 null]
+2163 0 obj <<
+/D [2133 0 R /XYZ 85.0394 464.8745 null]
>> endobj
-1729 0 obj <<
-/D [1698 0 R /XYZ 85.0394 461.4781 null]
+2164 0 obj <<
+/D [2133 0 R /XYZ 85.0394 461.4781 null]
>> endobj
-1730 0 obj <<
-/D [1698 0 R /XYZ 85.0394 446.7135 null]
+2165 0 obj <<
+/D [2133 0 R /XYZ 85.0394 446.7135 null]
>> endobj
-1731 0 obj <<
-/D [1698 0 R /XYZ 85.0394 443.3171 null]
+2166 0 obj <<
+/D [2133 0 R /XYZ 85.0394 443.3171 null]
>> endobj
-1732 0 obj <<
-/D [1698 0 R /XYZ 85.0394 428.5525 null]
+2167 0 obj <<
+/D [2133 0 R /XYZ 85.0394 428.5525 null]
>> endobj
-1733 0 obj <<
-/D [1698 0 R /XYZ 85.0394 425.156 null]
+2168 0 obj <<
+/D [2133 0 R /XYZ 85.0394 425.156 null]
>> endobj
-1734 0 obj <<
-/D [1698 0 R /XYZ 85.0394 355.0758 null]
+2169 0 obj <<
+/D [2133 0 R /XYZ 85.0394 355.0758 null]
>> endobj
-1735 0 obj <<
-/D [1698 0 R /XYZ 85.0394 355.0758 null]
+2170 0 obj <<
+/D [2133 0 R /XYZ 85.0394 355.0758 null]
>> endobj
-1736 0 obj <<
-/D [1698 0 R /XYZ 85.0394 355.0758 null]
+2171 0 obj <<
+/D [2133 0 R /XYZ 85.0394 355.0758 null]
>> endobj
-1737 0 obj <<
-/D [1698 0 R /XYZ 85.0394 352.0499 null]
+2172 0 obj <<
+/D [2133 0 R /XYZ 85.0394 352.0499 null]
>> endobj
-1738 0 obj <<
-/D [1698 0 R /XYZ 85.0394 337.3452 null]
+2173 0 obj <<
+/D [2133 0 R /XYZ 85.0394 337.3452 null]
>> endobj
-1739 0 obj <<
-/D [1698 0 R /XYZ 85.0394 333.8889 null]
+2174 0 obj <<
+/D [2133 0 R /XYZ 85.0394 333.8889 null]
>> endobj
-1740 0 obj <<
-/D [1698 0 R /XYZ 85.0394 309.8192 null]
+2175 0 obj <<
+/D [2133 0 R /XYZ 85.0394 309.8192 null]
>> endobj
-1741 0 obj <<
-/D [1698 0 R /XYZ 85.0394 303.7727 null]
+2176 0 obj <<
+/D [2133 0 R /XYZ 85.0394 303.7727 null]
>> endobj
-1742 0 obj <<
-/D [1698 0 R /XYZ 85.0394 278.3282 null]
+2177 0 obj <<
+/D [2133 0 R /XYZ 85.0394 278.3282 null]
>> endobj
-1743 0 obj <<
-/D [1698 0 R /XYZ 85.0394 273.6565 null]
+2178 0 obj <<
+/D [2133 0 R /XYZ 85.0394 273.6565 null]
>> endobj
-1744 0 obj <<
-/D [1698 0 R /XYZ 85.0394 246.9367 null]
+2179 0 obj <<
+/D [2133 0 R /XYZ 85.0394 246.9367 null]
>> endobj
-1745 0 obj <<
-/D [1698 0 R /XYZ 85.0394 243.5403 null]
+2180 0 obj <<
+/D [2133 0 R /XYZ 85.0394 243.5403 null]
>> endobj
-1746 0 obj <<
-/D [1698 0 R /XYZ 85.0394 173.5556 null]
+2181 0 obj <<
+/D [2133 0 R /XYZ 85.0394 173.5556 null]
>> endobj
-1747 0 obj <<
-/D [1698 0 R /XYZ 85.0394 173.5556 null]
+2182 0 obj <<
+/D [2133 0 R /XYZ 85.0394 173.5556 null]
>> endobj
-1748 0 obj <<
-/D [1698 0 R /XYZ 85.0394 173.5556 null]
+2183 0 obj <<
+/D [2133 0 R /XYZ 85.0394 173.5556 null]
>> endobj
-1749 0 obj <<
-/D [1698 0 R /XYZ 85.0394 170.4341 null]
+2184 0 obj <<
+/D [2133 0 R /XYZ 85.0394 170.4341 null]
>> endobj
-1750 0 obj <<
-/D [1698 0 R /XYZ 85.0394 144.9896 null]
+2185 0 obj <<
+/D [2133 0 R /XYZ 85.0394 144.9896 null]
>> endobj
-1751 0 obj <<
-/D [1698 0 R /XYZ 85.0394 140.3179 null]
+2186 0 obj <<
+/D [2133 0 R /XYZ 85.0394 140.3179 null]
>> endobj
-1752 0 obj <<
-/D [1698 0 R /XYZ 85.0394 113.5982 null]
+2187 0 obj <<
+/D [2133 0 R /XYZ 85.0394 113.5982 null]
>> endobj
-1753 0 obj <<
-/D [1698 0 R /XYZ 85.0394 110.2017 null]
+2188 0 obj <<
+/D [2133 0 R /XYZ 85.0394 110.2017 null]
>> endobj
-1754 0 obj <<
-/D [1698 0 R /XYZ 85.0394 95.4372 null]
+2189 0 obj <<
+/D [2133 0 R /XYZ 85.0394 95.4372 null]
>> endobj
-1755 0 obj <<
-/D [1698 0 R /XYZ 85.0394 92.0407 null]
+2190 0 obj <<
+/D [2133 0 R /XYZ 85.0394 92.0407 null]
>> endobj
-1697 0 obj <<
-/Font << /F37 802 0 R /F21 714 0 R /F22 737 0 R /F39 899 0 R >>
+2132 0 obj <<
+/Font << /F37 1026 0 R /F21 938 0 R /F22 961 0 R /F39 1161 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1758 0 obj <<
+2193 0 obj <<
/Length 2889
/Filter /FlateDecode
>>
stream
-xÚµšKsÛ8Çïþ:JU1>´¥ØJlÅ+ÙÙ™Êä@KtÌ2E:"•Äß~ă E‚™ÝÚòÁÐÄ_ÂÝ@7I&þÈÄõÒpâ‡r1q'Ûýž|ƒ¾«3"mΕѹiuqöÇ{æOBzÔ›Ü?c™Üï¾L#ÄÐ FÀÓ‹åÅÍòÓÕ:º»þkvN]<ý»8ZÍŇÍÃÕÕbs¿׋h¾\] ™û^ˆ§ÑÝÝb5_þ)ú#>*Ö­—‹Íìëý‡³Å½þÚæO#˜ñïüýìËW<ÙÁ/üp† wò>`DÂNögŽËë0¦Z²³ÍÙ¿ô€Fo}kïTŒ(óhÏ\Q2!…®K[“å†Èc”Õ“µNÊâxØ&r
-’mq؉ëûÌÀÛkRþJFï;@ÃJ|)ÚPYñïôeýþ’€}í*Ja:\ß.­­NµYhhê#—úmíUò~>aÓùj#.ÖkÙü1ÍÓ*-òzN:?…`¦•yð%ø@ïà.Š§—èý,¤S$ÆXüH3LŸãCUéìŠêÿtzïã—¢”½kÙûeû8Ïå q¾Íw3BC5øm±}‰_“êÂÝðý`&ÔW:Ë@øǧmU<Â÷¨)âÃhˆ°†(ðœ¦Õ0am¥ ûØ&l•nŸh÷ni °ðÓW›èN-{îLÛz1ƒ¶ú¡ì/ø Òü›ø 0ñÑdïe‘%YË{ºœa>è3âp0¬,”•æø66iƒCW»Ÿƒ©ñµìOo“Ü .½éSqm‹_¯5¤,ÅdBçM±¹ë ‹eÆ{ÝàMSÙQ='âb^ìãTv®â½lݼ•U²ïÁÊ0A.¢ VFÀ{å`ñ´”mÏAÇç™ëNÓ_i"=Ns®/Œv?ó)z×YK¹*æéö%ÍË"—âüÞôºð†×…ÛžÃÆüÓ°²¬ e¥ÖÅ.µ¬ ›´±.ºÚýëÂÔ†uÁˆ+Ü”§Ž¿¼¡^übóšlÓ§·zeðÏ5rnÙ,Þ\<Ióäð#Ý&%ê¡Nqˆ£u„y(æw^³Çà*“\Ôèx^üƒ±êÛ•_× B+´„*ñqÝ‘ƒ‘ie¡ª¬4UâYöU«´Aµ«ÝOÕÔ~ž 3!yÁÅ2¯’CžTâ“
-†•…‚²Ò`¯·P°IºÚýLíù&?ýã⯲s¬Ø,¯dSšwç]ù?ý
-?â7?Òù1Щsàží’9(ô½6¡¹$´ˆË*‹_ÙÌjGß½Sçbá÷ÏšX8LŒÀÌ6 + 1eeó-ÄlÒ±®v?1S{½‰þ¸»°³øŠó‰<QøŠ¿â€ø±M‚¢ÆµúI_PóBä;80v9_`ã£ØlbãŸlâ0£Fjå“V˜N€‘“n‡iZ ÃÔVLËng•n`žh÷ÂlioªâPïR$dÓËä ¶08|&%osj†¼¯fÈCÞ(ò+Å[Œ0¤ H;†ü~ÎßkºvCaS¯0~ñI_wû#jåáFÜbÚDÚ⹜ã}æÓ؆•¶²2`‡Ø6ivW»¶©ÍaÇbŸ Ä¹Æ álúTŸZί“º2#zas,E*[dè ŒÐêС7[
-°I+ «Ý¿Lí{Ôqî‹5eÇaÓèX=ö[½‰®»"ååÑÇ¡®¢»ûµðOÞ_3æ}í¬“wÉä¤?Èz®Óð†hÁSÃú.•®‘Wä‘ÊïlEÕMò
-ñC§)vŽ ¶á‘#occa(lAFˆ%¼ZD ~mÕ~z*?èn®£s"`Èl„Ê£.¥”[ˆ™¼À•(ÔU½¥Fõ–èê-i2\l—ðÀŒ˜cˆˆ¿´uæåE\#þò‚tü&™ª1ZP"¦}Ô Ç‘…£4j@RKÝΦkì÷£4„£&]ÉøZ?¤üÑ`'¿¿IËJ¦ž"öâv1Ž7܉üðô+)‡²w7JcðìLÚ[ªz!¯*¶Ï'5+0ˆ8ˆ‘ÐÌ0¦Œ407´”lº °®p/0SXÔP8þª’¼¬ŸTÂŒEMþ—Ç××âP £åhü‘JQ6‡F¯¯2ㄽÐØêN7HÜqÿ\ìE¾À[/eëõ1_eëg]0‡®ešÇy%»D
- ͪ§ÕÚÁ´8¦e™öÕ€0&Ì‹· !6¬,Œ••ÙRM°J”»Úý˜Mík˜´L?gTÎö¿äÅϼë´7ß“.×rí²·üC㇌¤ó]Ë*~*›ÌñtûcêL뽈KV0£ü LHû9­®lé:–~p0ÀòYÈqðH6­†™k«æÍL†™[¥æ'Ú½Ì[Úz>ù¶ØÀ_%ÕÏâðÒä0ݺà'˜¾Ão@Æ¢Ø ,aö³ù¡õÖX¯‡4SÉK0œ¼7D«˜VJʪ¡dÛ/­Ò¥®v?%S{|?¦bÛ'¹ÚõÙ<ò⟮ ½až«¹{ÍÒ­QHoʺ2r÷¹¥É“Ó)œ_â]2P.·Aaðcg¤^gZY (+ Å m®c“6 tµû¡˜Úãéý¦:·•“Igæg=[cè"ÏgN{ò?Hç¸À<GHì‡ßø $ܱ„À´²`PV:­cIJkY¥ ]í~ ¦öe—e¦‚ËÕy4Ÿ¯Q´Ñ%úé†åw&ûZUUÒ]ž¨ t%w’æU=÷EQußÂèD¶æQ~?²á纲;L‚‘Çö¦•™²ÒÈj9MZ¥ d]í~d¦ö2ºP[/Q$ÛçÂS¦^gÚó'÷¡îæ‡<ý~Lº‡ лéP¸žßÛ–‘DÇÊŽ§^q§‚ö;•“
-endobj
-1757 0 obj <<
+xÚµšMsÛ8†ïþ:JU1†
+<
+}w„°i5LX[iÂã¶J7„O´{ ·´Xøé«M|§–=w¦í½˜A;ˆ‚ÈÀ öHü¿HiþM|˜øh²÷²ÈX–%òž.w˜C
+†•…‚²Ò`¯·P°IºÚýLíù&?ýã⯲s¬Ø,¯dSšwç]ù?ý
+?â7?Òù1Щsàží’º(
+ü6¡¹$´HÊ*K^˜l¦µ£ïÞ©s±ðûgM,&†af0 †•…˜²2ˆb6iƒXW»Ÿ˜©½ÞÄÜÎ=ØYEXž(E_q@ü¿Ø&ÁFQã‚Z}ƒ¤Æ¯G¨ù
+\'4v¹@`ã£Ø\ÇÄÆ?5ØÄaFÔÊ'­0ÝÐA>Lº¦i5 S[0-»Uºy¢Ý ³¥½©ŠC½KáˆN/ÙAlapød%osk†¼¯fÈCÞ(ò+Å[Œ0$aH;†ü~Îßkºžã)†Â¦^aüâ“4¾:îöG8ÔÊùŴ‰´ÿÄs]8Ç4 #° + leeÀŽ,°mÒì®v?lS›ÃNÄ>ŠsÁÙô©>µœ_³º2#zas,E*[dè ÐéС7[
+id„ý4¦Õ0m¥Ñ¡¥
+°I+ «Ý¿Lí{Ôu]î‹5e×¥ÓøX=ö[½‰®»"ååÑÇ¡®â»ûµðOÞ_3æ}í¬“wÉä¤?ÈúžÛð†hÁSÃú.•®‘Wä‘ÊïlEÕ {…ø¡Ó;G
+ÛðÈ‘·±±06Š ÅØ^-¢¿¶j?½F•t7×ñ90d6BäQ—Â-D‹L^àJj±ªÞ£z‹uõ7®G¶Ëx8›c°ˆ¿¤uæåE\#þò‚tò&™ª1ZP"¦}Ä Ç‘…£4j@KÝΦkì÷£4„ã&]ÉøZ?$üÑ`'¿¿IËJ¦ž"ö:íbo¸ùáé+‡²w7Jcðì··T#ôB^UlŸOj4V`qÅ‘˜a4 Li`^d) Øt`]á^`¦°¨¡†p"üU±¼¬ŸTÂ숚*ü/¯¯Å¡FË;ÑøƒJQ6‡F¿¯2`äø‘±ºÄ›n¸ãþ¹Ø‹|·^ÊÖëc
+¾šÈÖϺ`]Ë4OòJv‰šU N«µƒiqLË2í«ÿ
+ŒÛÏiueK×±ôƒƒæÏBŽãŒÄaÓj˜¹¶jÞLpð0s«tÃüD»—yK[ÏÇ"ß»ø+Vý,/MÓ­ ~‚é;üd'DÄñCK˜ýl~h½u Äë!ÍTò'/Ø‹PˆÇª¦•…’²j(ÙöK«´A©«ÝOÉÔ^³ïÇTìq{–«íPo‘Í#/þéºÐ湚»×,Ý…ô¦¬+#wŸ[<¹ÂùÅ!Ù±r¹
+…º#õ:ÓÊEYi(^ds›´¥«ÝÅÔOï7ÕḭD˜d™7žmôl‘‡ü€ºíÉÿ ã
+.Wçñ|¾FñZD—øw¦~TЙìkUUIw9SAèJ6î$Í«z꾅щlÍ£ü~dÃÏu1dwGÛ›VdÊJ# ‰å4i•6uµû‘™ÚËøBm¼DÁ¶Ï9„§L½Î´ç1NîC݇MyúýȺ‡ лéz~ÐÛ–±DÇÊŽ§^I§‚ö;•“~f8ö–…a4LK5eb©TÛtV]á^T¦°Žqn¨bœñ7ƒ´ºsnÔ©b‚å2^Åâêr…tÇÉÐû¼¤é“ÖÓ?±N©áv3¥†f#¥æÒè¢.lå¹x òüßµ·eYšìÕ‹Z¤uö×ÎÚyÍnð i©³xˆ¿OÛ3ùŽ>“þϯíUñ
+endobj
+2192 0 obj <<
/Type /Page
-/Contents 1758 0 R
-/Resources 1756 0 R
+/Contents 2193 0 R
+/Resources 2191 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1686 0 R
+/Parent 2114 0 R
>> endobj
-1759 0 obj <<
-/D [1757 0 R /XYZ 56.6929 794.5015 null]
+2194 0 obj <<
+/D [2192 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-1760 0 obj <<
-/D [1757 0 R /XYZ 56.6929 748.5056 null]
+2195 0 obj <<
+/D [2192 0 R /XYZ 56.6929 748.5056 null]
>> endobj
-1761 0 obj <<
-/D [1757 0 R /XYZ 56.6929 748.5056 null]
+2196 0 obj <<
+/D [2192 0 R /XYZ 56.6929 748.5056 null]
>> endobj
-1762 0 obj <<
-/D [1757 0 R /XYZ 56.6929 748.5056 null]
+2197 0 obj <<
+/D [2192 0 R /XYZ 56.6929 748.5056 null]
>> endobj
-1763 0 obj <<
-/D [1757 0 R /XYZ 56.6929 743.7078 null]
+2198 0 obj <<
+/D [2192 0 R /XYZ 56.6929 743.7078 null]
>> endobj
-1764 0 obj <<
-/D [1757 0 R /XYZ 56.6929 719.6381 null]
+2199 0 obj <<
+/D [2192 0 R /XYZ 56.6929 719.6381 null]
>> endobj
-1765 0 obj <<
-/D [1757 0 R /XYZ 56.6929 711.8197 null]
+2200 0 obj <<
+/D [2192 0 R /XYZ 56.6929 711.8197 null]
>> endobj
-1766 0 obj <<
-/D [1757 0 R /XYZ 56.6929 697.0552 null]
+2201 0 obj <<
+/D [2192 0 R /XYZ 56.6929 697.0552 null]
>> endobj
-1767 0 obj <<
-/D [1757 0 R /XYZ 56.6929 691.8868 null]
+2202 0 obj <<
+/D [2192 0 R /XYZ 56.6929 691.8868 null]
>> endobj
-1768 0 obj <<
-/D [1757 0 R /XYZ 56.6929 665.1671 null]
+2203 0 obj <<
+/D [2192 0 R /XYZ 56.6929 665.1671 null]
>> endobj
-1769 0 obj <<
-/D [1757 0 R /XYZ 56.6929 659.9987 null]
+2204 0 obj <<
+/D [2192 0 R /XYZ 56.6929 659.9987 null]
>> endobj
-1770 0 obj <<
-/D [1757 0 R /XYZ 56.6929 635.929 null]
+2205 0 obj <<
+/D [2192 0 R /XYZ 56.6929 635.929 null]
>> endobj
-1771 0 obj <<
-/D [1757 0 R /XYZ 56.6929 628.1106 null]
+2206 0 obj <<
+/D [2192 0 R /XYZ 56.6929 628.1106 null]
>> endobj
-1772 0 obj <<
-/D [1757 0 R /XYZ 56.6929 601.3909 null]
+2207 0 obj <<
+/D [2192 0 R /XYZ 56.6929 601.3909 null]
>> endobj
-1773 0 obj <<
-/D [1757 0 R /XYZ 56.6929 596.2225 null]
+2208 0 obj <<
+/D [2192 0 R /XYZ 56.6929 596.2225 null]
>> endobj
-1774 0 obj <<
-/D [1757 0 R /XYZ 56.6929 569.5028 null]
+2209 0 obj <<
+/D [2192 0 R /XYZ 56.6929 569.5028 null]
>> endobj
-1775 0 obj <<
-/D [1757 0 R /XYZ 56.6929 564.3344 null]
+2210 0 obj <<
+/D [2192 0 R /XYZ 56.6929 564.3344 null]
>> endobj
-1776 0 obj <<
-/D [1757 0 R /XYZ 56.6929 549.6297 null]
+2211 0 obj <<
+/D [2192 0 R /XYZ 56.6929 549.6297 null]
>> endobj
-1777 0 obj <<
-/D [1757 0 R /XYZ 56.6929 544.4015 null]
+2212 0 obj <<
+/D [2192 0 R /XYZ 56.6929 544.4015 null]
>> endobj
-1778 0 obj <<
-/D [1757 0 R /XYZ 56.6929 529.6968 null]
+2213 0 obj <<
+/D [2192 0 R /XYZ 56.6929 529.6968 null]
>> endobj
-1779 0 obj <<
-/D [1757 0 R /XYZ 56.6929 524.4686 null]
+2214 0 obj <<
+/D [2192 0 R /XYZ 56.6929 524.4686 null]
>> endobj
-1780 0 obj <<
-/D [1757 0 R /XYZ 56.6929 500.3989 null]
+2215 0 obj <<
+/D [2192 0 R /XYZ 56.6929 500.3989 null]
>> endobj
-1781 0 obj <<
-/D [1757 0 R /XYZ 56.6929 492.5805 null]
+2216 0 obj <<
+/D [2192 0 R /XYZ 56.6929 492.5805 null]
>> endobj
-1782 0 obj <<
-/D [1757 0 R /XYZ 56.6929 467.136 null]
+2217 0 obj <<
+/D [2192 0 R /XYZ 56.6929 467.136 null]
>> endobj
-1783 0 obj <<
-/D [1757 0 R /XYZ 56.6929 460.6924 null]
+2218 0 obj <<
+/D [2192 0 R /XYZ 56.6929 460.6924 null]
>> endobj
-1784 0 obj <<
-/D [1757 0 R /XYZ 56.6929 436.6227 null]
+2219 0 obj <<
+/D [2192 0 R /XYZ 56.6929 436.6227 null]
>> endobj
-1785 0 obj <<
-/D [1757 0 R /XYZ 56.6929 428.8043 null]
+2220 0 obj <<
+/D [2192 0 R /XYZ 56.6929 428.8043 null]
>> endobj
-1786 0 obj <<
-/D [1757 0 R /XYZ 56.6929 414.0996 null]
+2221 0 obj <<
+/D [2192 0 R /XYZ 56.6929 414.0996 null]
>> endobj
-1787 0 obj <<
-/D [1757 0 R /XYZ 56.6929 408.8714 null]
+2222 0 obj <<
+/D [2192 0 R /XYZ 56.6929 408.8714 null]
>> endobj
-1788 0 obj <<
-/D [1757 0 R /XYZ 56.6929 382.1516 null]
+2223 0 obj <<
+/D [2192 0 R /XYZ 56.6929 382.1516 null]
>> endobj
-1789 0 obj <<
-/D [1757 0 R /XYZ 56.6929 376.9833 null]
+2224 0 obj <<
+/D [2192 0 R /XYZ 56.6929 376.9833 null]
>> endobj
-1790 0 obj <<
-/D [1757 0 R /XYZ 56.6929 350.2636 null]
+2225 0 obj <<
+/D [2192 0 R /XYZ 56.6929 350.2636 null]
>> endobj
-1791 0 obj <<
-/D [1757 0 R /XYZ 56.6929 345.0952 null]
+2226 0 obj <<
+/D [2192 0 R /XYZ 56.6929 345.0952 null]
>> endobj
-1792 0 obj <<
-/D [1757 0 R /XYZ 56.6929 321.0255 null]
+2227 0 obj <<
+/D [2192 0 R /XYZ 56.6929 321.0255 null]
>> endobj
-1793 0 obj <<
-/D [1757 0 R /XYZ 56.6929 313.2071 null]
+2228 0 obj <<
+/D [2192 0 R /XYZ 56.6929 313.2071 null]
>> endobj
-1794 0 obj <<
-/D [1757 0 R /XYZ 56.6929 298.5024 null]
+2229 0 obj <<
+/D [2192 0 R /XYZ 56.6929 298.5024 null]
>> endobj
-1795 0 obj <<
-/D [1757 0 R /XYZ 56.6929 293.2742 null]
+2230 0 obj <<
+/D [2192 0 R /XYZ 56.6929 293.2742 null]
>> endobj
-1796 0 obj <<
-/D [1757 0 R /XYZ 56.6929 267.8297 null]
+2231 0 obj <<
+/D [2192 0 R /XYZ 56.6929 267.8297 null]
>> endobj
-1797 0 obj <<
-/D [1757 0 R /XYZ 56.6929 261.3861 null]
+2232 0 obj <<
+/D [2192 0 R /XYZ 56.6929 261.3861 null]
>> endobj
-1798 0 obj <<
-/D [1757 0 R /XYZ 56.6929 199.468 null]
+2233 0 obj <<
+/D [2192 0 R /XYZ 56.6929 199.468 null]
>> endobj
-1799 0 obj <<
-/D [1757 0 R /XYZ 56.6929 199.468 null]
+2234 0 obj <<
+/D [2192 0 R /XYZ 56.6929 199.468 null]
>> endobj
-1800 0 obj <<
-/D [1757 0 R /XYZ 56.6929 199.468 null]
+2235 0 obj <<
+/D [2192 0 R /XYZ 56.6929 199.468 null]
>> endobj
-1801 0 obj <<
-/D [1757 0 R /XYZ 56.6929 191.7053 null]
+2236 0 obj <<
+/D [2192 0 R /XYZ 56.6929 191.7053 null]
>> endobj
-1802 0 obj <<
-/D [1757 0 R /XYZ 56.6929 176.9408 null]
+2237 0 obj <<
+/D [2192 0 R /XYZ 56.6929 176.9408 null]
>> endobj
-1803 0 obj <<
-/D [1757 0 R /XYZ 56.6929 171.7724 null]
+2238 0 obj <<
+/D [2192 0 R /XYZ 56.6929 171.7724 null]
>> endobj
-1804 0 obj <<
-/D [1757 0 R /XYZ 56.6929 157.0677 null]
+2239 0 obj <<
+/D [2192 0 R /XYZ 56.6929 157.0677 null]
>> endobj
-1805 0 obj <<
-/D [1757 0 R /XYZ 56.6929 151.8395 null]
+2240 0 obj <<
+/D [2192 0 R /XYZ 56.6929 151.8395 null]
>> endobj
-1806 0 obj <<
-/D [1757 0 R /XYZ 56.6929 137.1348 null]
+2241 0 obj <<
+/D [2192 0 R /XYZ 56.6929 137.1348 null]
>> endobj
-1807 0 obj <<
-/D [1757 0 R /XYZ 56.6929 131.9066 null]
+2242 0 obj <<
+/D [2192 0 R /XYZ 56.6929 131.9066 null]
>> endobj
-1808 0 obj <<
-/D [1757 0 R /XYZ 56.6929 117.2018 null]
+2243 0 obj <<
+/D [2192 0 R /XYZ 56.6929 117.2018 null]
>> endobj
-1809 0 obj <<
-/D [1757 0 R /XYZ 56.6929 111.9736 null]
+2244 0 obj <<
+/D [2192 0 R /XYZ 56.6929 111.9736 null]
>> endobj
-1810 0 obj <<
-/D [1757 0 R /XYZ 56.6929 97.2091 null]
+2245 0 obj <<
+/D [2192 0 R /XYZ 56.6929 97.2091 null]
>> endobj
-1811 0 obj <<
-/D [1757 0 R /XYZ 56.6929 92.0407 null]
+2246 0 obj <<
+/D [2192 0 R /XYZ 56.6929 92.0407 null]
>> endobj
-1756 0 obj <<
-/Font << /F37 802 0 R /F21 714 0 R /F22 737 0 R /F39 899 0 R >>
+2191 0 obj <<
+/Font << /F37 1026 0 R /F21 938 0 R /F22 961 0 R /F39 1161 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1814 0 obj <<
+2249 0 obj <<
/Length 2542
/Filter /FlateDecode
>>
@@ -8858,298 +10677,559 @@ i’|œ8Hrà €-È_k©îòuà8‹<KkV˜z`Í÷²úwGQ¶eã…±ùA0žI>¦‡,o”Ói’ÖrûîGU¶k,E
)ÒI8² ×à|
D}`k°ùzH‹v;–<óç‘<k˜¹mP7,ÏKÍt ²}Ó|Û«"
éÿBp7¥Œ+)ƒrì Ümp>Ķn‚sF…‹±#ø4¥ w}vÓT`j¯K‚^ñÒ•‹µ±ŸïÄQ¾¯Ì‡‹è8:4‰8Œmúp€ÂŽq~ƒqq¯–p¾óE®nÒ#ü:O‹íkþáAL ƒº”ÍM);áZÊ ÜQ;¡;ÂÏ°Ç ï?ŠÛrÇx
-ÈLíª¯ÝƒïüÂÙ)óWy~„{¹ÿý_ýò£ Šòr,4æ0[ÄV>ýˆzQx)]˜Rv>µTÇ'uNèŽÏ3ìq>{à =}gE7½S.%«‚ó©êÏrjÇtå¬Q„Gõ1þYoÓm»›x1xé„´H!]Ò£ÈÑùp RÀN ä5ƒnŒ°­Q3+ZÄpEdôºP•:¢ þ0yCA»/ÁóêÁЯ%k”"J¼8 õ÷'IQ猣o(À±&B½
+ÈLíª¯ÝƒïüÂÙ)óWy~„{¹ÿý_ýò£ Šòr,4æ0[ÄV>ýˆzQx)]˜Rv>µTÇ'uNèŽÏ3ìq>{à =}gE7½S.%«‚ó©êÏrjÇtå¬Q„Gõ1þYoÓm»›x1xé„´H!]Ò£ÈÑùp RÀN ä5ƒnŒ°­Q3+ZÄpEdôºP•:¢ þ0yCA»/ÁóêÁЯ%k”"J¼8 õ÷'IQ猣o(À±&B½
endobj
-1813 0 obj <<
+2248 0 obj <<
/Type /Page
-/Contents 1814 0 R
-/Resources 1812 0 R
+/Contents 2249 0 R
+/Resources 2247 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1686 0 R
+/Parent 2114 0 R
>> endobj
-1815 0 obj <<
-/D [1813 0 R /XYZ 85.0394 794.5015 null]
+2250 0 obj <<
+/D [2248 0 R /XYZ 85.0394 794.5015 null]
>> endobj
-1816 0 obj <<
-/D [1813 0 R /XYZ 85.0394 748.4854 null]
+2251 0 obj <<
+/D [2248 0 R /XYZ 85.0394 748.4854 null]
>> endobj
-1817 0 obj <<
-/D [1813 0 R /XYZ 85.0394 748.4854 null]
+2252 0 obj <<
+/D [2248 0 R /XYZ 85.0394 748.4854 null]
>> endobj
-1818 0 obj <<
-/D [1813 0 R /XYZ 85.0394 748.4854 null]
+2253 0 obj <<
+/D [2248 0 R /XYZ 85.0394 748.4854 null]
>> endobj
-1819 0 obj <<
-/D [1813 0 R /XYZ 85.0394 743.3452 null]
+2254 0 obj <<
+/D [2248 0 R /XYZ 85.0394 743.3452 null]
>> endobj
-1820 0 obj <<
-/D [1813 0 R /XYZ 85.0394 728.6405 null]
+2255 0 obj <<
+/D [2248 0 R /XYZ 85.0394 728.6405 null]
>> endobj
-1821 0 obj <<
-/D [1813 0 R /XYZ 85.0394 723.1655 null]
+2256 0 obj <<
+/D [2248 0 R /XYZ 85.0394 723.1655 null]
>> endobj
-1822 0 obj <<
-/D [1813 0 R /XYZ 85.0394 708.4607 null]
+2257 0 obj <<
+/D [2248 0 R /XYZ 85.0394 708.4607 null]
>> endobj
-1823 0 obj <<
-/D [1813 0 R /XYZ 85.0394 702.9857 null]
+2258 0 obj <<
+/D [2248 0 R /XYZ 85.0394 702.9857 null]
>> endobj
-1824 0 obj <<
-/D [1813 0 R /XYZ 85.0394 688.2211 null]
+2259 0 obj <<
+/D [2248 0 R /XYZ 85.0394 688.2211 null]
>> endobj
-1825 0 obj <<
-/D [1813 0 R /XYZ 85.0394 682.8059 null]
+2260 0 obj <<
+/D [2248 0 R /XYZ 85.0394 682.8059 null]
>> endobj
-1826 0 obj <<
-/D [1813 0 R /XYZ 85.0394 668.0414 null]
+2261 0 obj <<
+/D [2248 0 R /XYZ 85.0394 668.0414 null]
>> endobj
-1827 0 obj <<
-/D [1813 0 R /XYZ 85.0394 662.6262 null]
+2262 0 obj <<
+/D [2248 0 R /XYZ 85.0394 662.6262 null]
>> endobj
-1828 0 obj <<
-/D [1813 0 R /XYZ 85.0394 599.7666 null]
+2263 0 obj <<
+/D [2248 0 R /XYZ 85.0394 599.7666 null]
>> endobj
-1829 0 obj <<
-/D [1813 0 R /XYZ 85.0394 599.7666 null]
+2264 0 obj <<
+/D [2248 0 R /XYZ 85.0394 599.7666 null]
>> endobj
-1830 0 obj <<
-/D [1813 0 R /XYZ 85.0394 599.7666 null]
+2265 0 obj <<
+/D [2248 0 R /XYZ 85.0394 599.7666 null]
>> endobj
-1831 0 obj <<
-/D [1813 0 R /XYZ 85.0394 591.7571 null]
+2266 0 obj <<
+/D [2248 0 R /XYZ 85.0394 591.7571 null]
>> endobj
-1832 0 obj <<
-/D [1813 0 R /XYZ 85.0394 565.0374 null]
+2267 0 obj <<
+/D [2248 0 R /XYZ 85.0394 565.0374 null]
>> endobj
-1833 0 obj <<
-/D [1813 0 R /XYZ 85.0394 559.6222 null]
+2268 0 obj <<
+/D [2248 0 R /XYZ 85.0394 559.6222 null]
>> endobj
-1834 0 obj <<
-/D [1813 0 R /XYZ 85.0394 534.1777 null]
+2269 0 obj <<
+/D [2248 0 R /XYZ 85.0394 534.1777 null]
>> endobj
-1835 0 obj <<
-/D [1813 0 R /XYZ 85.0394 527.4872 null]
+2270 0 obj <<
+/D [2248 0 R /XYZ 85.0394 527.4872 null]
>> endobj
-1836 0 obj <<
-/D [1813 0 R /XYZ 85.0394 502.0427 null]
+2271 0 obj <<
+/D [2248 0 R /XYZ 85.0394 502.0427 null]
>> endobj
-1837 0 obj <<
-/D [1813 0 R /XYZ 85.0394 495.3523 null]
+2272 0 obj <<
+/D [2248 0 R /XYZ 85.0394 495.3523 null]
>> endobj
-1838 0 obj <<
-/D [1813 0 R /XYZ 85.0394 420.5376 null]
+2273 0 obj <<
+/D [2248 0 R /XYZ 85.0394 420.5376 null]
>> endobj
-1839 0 obj <<
-/D [1813 0 R /XYZ 85.0394 420.5376 null]
+2274 0 obj <<
+/D [2248 0 R /XYZ 85.0394 420.5376 null]
>> endobj
-1840 0 obj <<
-/D [1813 0 R /XYZ 85.0394 420.5376 null]
+2275 0 obj <<
+/D [2248 0 R /XYZ 85.0394 420.5376 null]
>> endobj
-1841 0 obj <<
-/D [1813 0 R /XYZ 85.0394 412.5281 null]
+2276 0 obj <<
+/D [2248 0 R /XYZ 85.0394 412.5281 null]
>> endobj
-1842 0 obj <<
-/D [1813 0 R /XYZ 85.0394 388.4584 null]
+2277 0 obj <<
+/D [2248 0 R /XYZ 85.0394 388.4584 null]
>> endobj
-1843 0 obj <<
-/D [1813 0 R /XYZ 85.0394 380.3932 null]
+2278 0 obj <<
+/D [2248 0 R /XYZ 85.0394 380.3932 null]
>> endobj
-1844 0 obj <<
-/D [1813 0 R /XYZ 85.0394 365.6884 null]
+2279 0 obj <<
+/D [2248 0 R /XYZ 85.0394 365.6884 null]
>> endobj
-1845 0 obj <<
-/D [1813 0 R /XYZ 85.0394 360.2134 null]
+2280 0 obj <<
+/D [2248 0 R /XYZ 85.0394 360.2134 null]
>> endobj
-1846 0 obj <<
-/D [1813 0 R /XYZ 85.0394 345.4488 null]
+2281 0 obj <<
+/D [2248 0 R /XYZ 85.0394 345.4488 null]
>> endobj
-1847 0 obj <<
-/D [1813 0 R /XYZ 85.0394 340.0336 null]
+2282 0 obj <<
+/D [2248 0 R /XYZ 85.0394 340.0336 null]
>> endobj
-1848 0 obj <<
-/D [1813 0 R /XYZ 85.0394 325.269 null]
+2283 0 obj <<
+/D [2248 0 R /XYZ 85.0394 325.269 null]
>> endobj
-1849 0 obj <<
-/D [1813 0 R /XYZ 85.0394 319.8539 null]
+2284 0 obj <<
+/D [2248 0 R /XYZ 85.0394 319.8539 null]
>> endobj
-1850 0 obj <<
-/D [1813 0 R /XYZ 85.0394 295.7842 null]
+2285 0 obj <<
+/D [2248 0 R /XYZ 85.0394 295.7842 null]
>> endobj
-1851 0 obj <<
-/D [1813 0 R /XYZ 85.0394 287.7189 null]
+2286 0 obj <<
+/D [2248 0 R /XYZ 85.0394 287.7189 null]
>> endobj
-1852 0 obj <<
-/D [1813 0 R /XYZ 85.0394 272.9543 null]
+2287 0 obj <<
+/D [2248 0 R /XYZ 85.0394 272.9543 null]
>> endobj
-1853 0 obj <<
-/D [1813 0 R /XYZ 85.0394 267.5392 null]
+2288 0 obj <<
+/D [2248 0 R /XYZ 85.0394 267.5392 null]
>> endobj
-1854 0 obj <<
-/D [1813 0 R /XYZ 85.0394 252.7746 null]
+2289 0 obj <<
+/D [2248 0 R /XYZ 85.0394 252.7746 null]
>> endobj
-1855 0 obj <<
-/D [1813 0 R /XYZ 85.0394 247.3594 null]
+2290 0 obj <<
+/D [2248 0 R /XYZ 85.0394 247.3594 null]
>> endobj
-1856 0 obj <<
-/D [1813 0 R /XYZ 85.0394 223.2897 null]
+2291 0 obj <<
+/D [2248 0 R /XYZ 85.0394 223.2897 null]
>> endobj
-1857 0 obj <<
-/D [1813 0 R /XYZ 85.0394 215.2245 null]
+2292 0 obj <<
+/D [2248 0 R /XYZ 85.0394 215.2245 null]
>> endobj
-1858 0 obj <<
-/D [1813 0 R /XYZ 85.0394 149.4956 null]
+2293 0 obj <<
+/D [2248 0 R /XYZ 85.0394 149.4956 null]
>> endobj
-1859 0 obj <<
-/D [1813 0 R /XYZ 85.0394 149.4956 null]
+2294 0 obj <<
+/D [2248 0 R /XYZ 85.0394 149.4956 null]
>> endobj
-1860 0 obj <<
-/D [1813 0 R /XYZ 85.0394 149.4956 null]
+2295 0 obj <<
+/D [2248 0 R /XYZ 85.0394 149.4956 null]
>> endobj
-1861 0 obj <<
-/D [1813 0 R /XYZ 85.0394 144.3554 null]
+2296 0 obj <<
+/D [2248 0 R /XYZ 85.0394 144.3554 null]
>> endobj
-1862 0 obj <<
-/D [1813 0 R /XYZ 85.0394 120.2857 null]
+2297 0 obj <<
+/D [2248 0 R /XYZ 85.0394 120.2857 null]
>> endobj
-1863 0 obj <<
-/D [1813 0 R /XYZ 85.0394 112.2205 null]
+2298 0 obj <<
+/D [2248 0 R /XYZ 85.0394 112.2205 null]
>> endobj
-1864 0 obj <<
-/D [1813 0 R /XYZ 85.0394 97.4559 null]
+2299 0 obj <<
+/D [2248 0 R /XYZ 85.0394 97.4559 null]
>> endobj
-1865 0 obj <<
-/D [1813 0 R /XYZ 85.0394 92.0407 null]
+2300 0 obj <<
+/D [2248 0 R /XYZ 85.0394 92.0407 null]
>> endobj
-1812 0 obj <<
-/Font << /F37 802 0 R /F21 714 0 R /F22 737 0 R /F39 899 0 R >>
+2247 0 obj <<
+/Font << /F37 1026 0 R /F21 938 0 R /F22 961 0 R /F39 1161 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1868 0 obj <<
-/Length 2121
+2303 0 obj <<
+/Length 2928
/Filter /FlateDecode
>>
stream
-xÚ¥YIs㸾ûWèª*B°pÍM¶ÔŽ»=¶cy*™t÷¦`‰eŠÔˆ”»5¿>x J$5•”Äòà}x 6¢ðc#Ï'~Ä£Q¹Ä£Ì%›+:ZÁÜí34“šhbS]¿\ýí“F‰|î^Þ,Y!¡aÈF/˯Δ2 Ô¹¾»¾¿{¼}ž>ýã·ñ„{ÔùF=:}˜agñëíí|ñ27Ýçùtv÷p $l< üˆ:Ó§§ùÃìîß8?URi3z3_Œ¿¿|¾š¿4˶·Æ¨Pkþýêëw:ZÂ?_Q"¢Ðý€%,Šøhsåz‚x®õHvµ¸úg#Кլ¦b”páó[q6bŒDžÇ[Æò"â .´±_Ë"“•\âg c™ìwiu0¦ùtSönV¸Ð Ñ-*\ﱦRKû
-Z9õ½ï§šç`/VÝPë‘¥›ñ€x<hëž›8ÍÇ—Sç!ÞHÕbÎâPVrƒ£G©™ùÏJæeZäÚL'»c!%Aø°.%û¯Àâ gF k\VYü.Ç g\GìÆ,t–¨'ÎMãÆЉ÷o›87R>Çù>Þ”VØr­hÒÀúà\¤=ê’ê
-›ª‹†ªÃ~4¨úˆÆ™îN8Zº/Û¿h†ý($Š¼ÿƒ_bÝMÖ Q?~H"\ÈK6Õ
-¸÷‹Š{Jð/qYÊŽéZA/‰E©¢
-\§Il‡·îLx‹j
-aÜo汆ÆÙ3¨¢sõd¥Ë*^ÉÛXxùÎR~ȬتýÁŠüˆ9w›m&U¿Øé½cïU¢Àâ,pò¢2ª‹ö6°L@ÎU\¿²q8.€6býN}×I?âL¥°Ž ®üHU®‹}fFµVÕx•øý}_à»*ê¬cIj†\m­17ÂÞÔ©ÏpÐƺû<3ú$)6“.|¶qžjéŒ:¯ü≀Æ2-“,N7:‡ê‰¸jH ññBçç®:s%võrá‹(+$-K¢èp
-uüa„ÄøÉÒ7YÂò°§O+|Ëô'66E^­ /œ÷z‰?Ö)\6;6jVìÙ+†ÎRZ/ÙÉT[?뙉WÃ
-BRSOÄú1£ì ô<(AD]­Xx©°óZìM¬¸¾{˜åºP¬ú\J"VßCÞäN¹Qï3;¡Ô»pý²©Î“ ì‚
-ÓÙ„õç‘A­Ç<r¦¶3´´b¡žq+êÛ–²íC@ …ñç)ÞgÈ4ÍàÂõlj¤8Nš¼ëøýût¯™ çö°KWk\F,an¨þ^¡æ9Á%@?.aÂIàG°O‹îe^×å€ÃúúdQâÚò5.«b[èhAöfúwœyüË3¤™yÂçžÒur¥kª‘)\+’ÎrÙ[tÀaUuàE›cýÿ/eU/aßU„f¿^”6 ågK¯ÿÁ:_ûm¿endstream
-endobj
-1867 0 obj <<
+xÚ¥ZKs㸾ûWèºjÅ
+/ágP´¸hmÞŠ† —ö´z, ¾j枧Dãª;®cÝ"±ts/r/êë¾®Ö2//§¾Çœ;¹Î°Åù®i³5Q÷„#7?Ú¬lòªTÇt°;37Š£Ö…²‚)¡p®]=U6m!_³KN#¾#êK; Ò#KݸÒüŸåöe-K-å“,·²Þ¡VزQ4%Øi/`W‘{=§Ä}ï z×z†«C‹h½1Õz‡º‡Ñ³u+lð 3mÕMlšÊÄ5šŠcWÊužRç·ÍB¶Ù w}/±€Ts]ú 5Y£¨{³MÔÅ#Œ…ÂÆÇñ°¹NãÑquxbÄ›FUïñ8Ò=ˆGO÷ùóqoŠ„›$Áÿ€Á¯RuÓU‡Cr‡Ðw!žFgp°¸Fp0\ÁX<‚Øj ‡CÝÃ8غ "Ž5Ø28¨v‡ƒˆ#ç d„ùÍ´¸æÈ—e^.©3Û¶«Jñãä…’Vb=Ïs>¸4ñŸ—^³¢
+þU6M¶#šªÔ’\­£j0
+p¹ë,µ]ÌÈœve"ù˜wÒ ö]Á‚3õ‚ÍuÒŽ«ƒ4 F U½‡ôH÷ ¤=ÝÙ"Cç)srq¾ÊÿDÄT¬ËÊ6ÃjYÉVR ¡›]ë( ýç¼ÂÅnÁ"÷1‘qŠ‰0§‰FXBã^3ý²]¬·å¢i0jˆFhÄ.–/§!…K†ŸÐueR‹kRÃeA:’êFU[ê†ÔÖ}ÙÒŠ…˜¶Ìi¨´6'°Ôí¦ç•D!¯4Ü'½’Ç¡ëû1ïÇÍ{7{`Qbüï/À"|¸¦±3• Í5‹áê`‰F=mLµË¡îaXlÝ_
+*Ñ"§¬Z­ºêoƒP¡™Ki^Ü<0À‚R}…cn<ù›,Жb"UÿYUÛBS•Vl<gôýc[Ñ+0ª¬´4×$_ÒXja/hõm|¡»- 8fÍŸ¦Õz:„ÏF–¹’Ιó¼£/Y4y“2_«ªdÛ±hæ½Bç›çùhs uÕráK(VKbmùhˆ+ù¦…HúùKÖÀò¨§¬¾MþƒëªlWz.Ø»Yâû*‡+çÀFõŠ{ÅÐYdÖ«vwdØV{zàYO!¹®'¤zÒhƒ;
+B…{aª / ;ÏÕVÇ
+õkD'. ~ØÉõ\°«H_G^²ýèä›»y.‹#<›Ø\ÇÙ„sæ›Ø Sé„ŸN$£Z÷‰äHí`"éi¥DÂíW,´Ê^tÙ'Vȇ9r[ФY÷®?$]Y8yúª ô¿ä[œÈ}(97»:_®Tv™ð(† ø1þÖÂô-"¥%
+اÅ÷ñ`èv
+`+•Z1†^ž@¼lÐÛeg˜sŠ÷Ó¬[M”›M‘ÓëY3gÖU^
+â§.|Rƒ¶Im 3ìê\ñ–/²ƒI/UQTïT`7“­.›ŸO@6á™Ë±Í¥"QÏ‘#÷ÒÐ’¥=9:T<{ãJ Ó±ÒžÓÄÜ ð׋žÒ'uIâ”Ù»:_h¦t4  ñ‹âh‘£e=A]-¶…ªÙ‚H{"’ÍWÒgÁNe)hXXQ̺€–…–Qj‘è˜/2Õ+.«Jº>
+® ,¸è«ª íEšN¡hKÂsÚZ–LµYÃÈ{Þ®¨%éƒÞš§ÛBÖÔo²úm_á óAÖ¢û9Ø(ããûÃ÷VSì¡Á ø9-]@ v´tŸa€¢Á†ÂbC=¹x“¯Á§D°ØLÀ'sŬ(žCW$¢Ae™/¤y}æÝσ€ug¹ÄÚ7JÙÁà„ð“ÿìW¦*œªÕ/õÍ®LWkYm›ƒ»­¹ÙÉ+mœ¸p¼gž -¦Óh˜Î9à˜ÆÎÿ5ºŸ­QyŸz5Яnçä^Š€W´Rå# >f-„·7ÌQØ¥‡ý ýBgQιƒÿ9ÁÕ¥¥¡¾w!Ej™–wa#»š ëÆÌjÁ_+Ê jUq²7â7ZHZ•/4‚Þh3"Ñf€Ä}–Þ6ë…ú}ÎW¹¤Ùd)ýÐD, {ËmmNæ@´zÄC"-|¿¤–zꢗ0Ê{¡d#ÓW¸î_ šì0À)¦u¾Ù¿v‡{–²Ñ['1´>å p½|§{ÂÎEàâ¿à ë.ÿ÷úXo@‘+âøÄO'^¸094‹Ru¥-ÝüOÐñÚÿ Ôy Lendstream
+endobj
+2302 0 obj <<
/Type /Page
-/Contents 1868 0 R
-/Resources 1866 0 R
+/Contents 2303 0 R
+/Resources 2301 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1686 0 R
+/Parent 2336 0 R
>> endobj
-1869 0 obj <<
-/D [1867 0 R /XYZ 56.6929 794.5015 null]
+2304 0 obj <<
+/D [2302 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-1870 0 obj <<
-/D [1867 0 R /XYZ 56.6929 749.4437 null]
+2305 0 obj <<
+/D [2302 0 R /XYZ 56.6929 749.0089 null]
>> endobj
-1871 0 obj <<
-/D [1867 0 R /XYZ 56.6929 749.4437 null]
+2306 0 obj <<
+/D [2302 0 R /XYZ 56.6929 749.0089 null]
>> endobj
-1872 0 obj <<
-/D [1867 0 R /XYZ 56.6929 749.4437 null]
+2307 0 obj <<
+/D [2302 0 R /XYZ 56.6929 749.0089 null]
>> endobj
-1873 0 obj <<
-/D [1867 0 R /XYZ 56.6929 746.6461 null]
+2308 0 obj <<
+/D [2302 0 R /XYZ 56.6929 745.2843 null]
>> endobj
-1874 0 obj <<
-/D [1867 0 R /XYZ 56.6929 722.5763 null]
+2309 0 obj <<
+/D [2302 0 R /XYZ 56.6929 721.2146 null]
>> endobj
-1875 0 obj <<
-/D [1867 0 R /XYZ 56.6929 716.7581 null]
+2310 0 obj <<
+/D [2302 0 R /XYZ 56.6929 714.4694 null]
>> endobj
-1876 0 obj <<
-/D [1867 0 R /XYZ 56.6929 701.9936 null]
+2311 0 obj <<
+/D [2302 0 R /XYZ 56.6929 699.7048 null]
>> endobj
-1877 0 obj <<
-/D [1867 0 R /XYZ 56.6929 698.8254 null]
+2312 0 obj <<
+/D [2302 0 R /XYZ 56.6929 695.6096 null]
>> endobj
-1878 0 obj <<
-/D [1867 0 R /XYZ 56.6929 684.1207 null]
+2313 0 obj <<
+/D [2302 0 R /XYZ 56.6929 680.9049 null]
>> endobj
-1879 0 obj <<
-/D [1867 0 R /XYZ 56.6929 680.8926 null]
+2314 0 obj <<
+/D [2302 0 R /XYZ 56.6929 676.7499 null]
>> endobj
-1880 0 obj <<
-/D [1867 0 R /XYZ 56.6929 656.8229 null]
+2315 0 obj <<
+/D [2302 0 R /XYZ 56.6929 652.6802 null]
>> endobj
-1881 0 obj <<
-/D [1867 0 R /XYZ 56.6929 651.0047 null]
+2316 0 obj <<
+/D [2302 0 R /XYZ 56.6929 645.935 null]
>> endobj
-1882 0 obj <<
-/D [1867 0 R /XYZ 56.6929 636.3 null]
+2317 0 obj <<
+/D [2302 0 R /XYZ 56.6929 631.2303 null]
>> endobj
-1883 0 obj <<
-/D [1867 0 R /XYZ 56.6929 633.072 null]
+2318 0 obj <<
+/D [2302 0 R /XYZ 56.6929 627.0752 null]
>> endobj
-1884 0 obj <<
-/D [1867 0 R /XYZ 56.6929 609.0023 null]
+2319 0 obj <<
+/D [2302 0 R /XYZ 56.6929 603.0055 null]
>> endobj
-1885 0 obj <<
-/D [1867 0 R /XYZ 56.6929 603.184 null]
+2320 0 obj <<
+/D [2302 0 R /XYZ 56.6929 596.2603 null]
>> endobj
-1886 0 obj <<
-/D [1867 0 R /XYZ 56.6929 579.1143 null]
+2321 0 obj <<
+/D [2302 0 R /XYZ 56.6929 572.1906 null]
>> endobj
-1887 0 obj <<
-/D [1867 0 R /XYZ 56.6929 573.2961 null]
+2322 0 obj <<
+/D [2302 0 R /XYZ 56.6929 565.4454 null]
>> endobj
-1888 0 obj <<
-/D [1867 0 R /XYZ 56.6929 558.5914 null]
+2323 0 obj <<
+/D [2302 0 R /XYZ 56.6929 550.7407 null]
>> endobj
-1889 0 obj <<
-/D [1867 0 R /XYZ 56.6929 555.3634 null]
+2324 0 obj <<
+/D [2302 0 R /XYZ 56.6929 546.5857 null]
>> endobj
-1890 0 obj <<
-/D [1867 0 R /XYZ 56.6929 540.5988 null]
+2325 0 obj <<
+/D [2302 0 R /XYZ 56.6929 531.8211 null]
>> endobj
-1891 0 obj <<
-/D [1867 0 R /XYZ 56.6929 537.4306 null]
+2326 0 obj <<
+/D [2302 0 R /XYZ 56.6929 527.7259 null]
>> endobj
-1892 0 obj <<
-/D [1867 0 R /XYZ 56.6929 510.7109 null]
+2327 0 obj <<
+/D [2302 0 R /XYZ 56.6929 501.0062 null]
>> endobj
-1893 0 obj <<
-/D [1867 0 R /XYZ 56.6929 507.5427 null]
+2328 0 obj <<
+/D [2302 0 R /XYZ 56.6929 496.911 null]
>> endobj
-642 0 obj <<
-/D [1867 0 R /XYZ 56.6929 477.5928 null]
+778 0 obj <<
+/D [2302 0 R /XYZ 56.6929 464.7873 null]
>> endobj
-1894 0 obj <<
-/D [1867 0 R /XYZ 56.6929 453.2532 null]
+2329 0 obj <<
+/D [2302 0 R /XYZ 56.6929 439.0859 null]
>> endobj
-646 0 obj <<
-/D [1867 0 R /XYZ 56.6929 369.7201 null]
+782 0 obj <<
+/D [2302 0 R /XYZ 56.6929 352.4521 null]
>> endobj
-1895 0 obj <<
-/D [1867 0 R /XYZ 56.6929 345.3805 null]
+2330 0 obj <<
+/D [2302 0 R /XYZ 56.6929 326.7507 null]
>> endobj
-1896 0 obj <<
-/D [1867 0 R /XYZ 56.6929 310.6805 null]
+2331 0 obj <<
+/D [2302 0 R /XYZ 56.6929 290.6891 null]
>> endobj
-1897 0 obj <<
-/D [1867 0 R /XYZ 56.6929 310.6805 null]
+2332 0 obj <<
+/D [2302 0 R /XYZ 56.6929 290.6891 null]
>> endobj
-1898 0 obj <<
-/D [1867 0 R /XYZ 56.6929 310.6805 null]
+2333 0 obj <<
+/D [2302 0 R /XYZ 56.6929 290.6891 null]
>> endobj
-1899 0 obj <<
-/D [1867 0 R /XYZ 56.6929 310.6805 null]
+2334 0 obj <<
+/D [2302 0 R /XYZ 56.6929 290.6891 null]
>> endobj
-1866 0 obj <<
-/Font << /F37 802 0 R /F21 714 0 R /F22 737 0 R /F39 899 0 R /F14 740 0 R >>
+786 0 obj <<
+/D [2302 0 R /XYZ 56.6929 241.4457 null]
+>> endobj
+2335 0 obj <<
+/D [2302 0 R /XYZ 56.6929 201.7704 null]
+>> endobj
+2301 0 obj <<
+/Font << /F37 1026 0 R /F21 938 0 R /F22 961 0 R /F39 1161 0 R /F14 964 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1902 0 obj <<
+2339 0 obj <<
+/Length 2293
+/Filter /FlateDecode
+>>
+stream
+xÚ¥]sã6î=¿Â9yf­"õÕ·ìn¶“¶—Ë9éLov÷A–¨˜]Yrõa×ÿþ
+S ÃH:t Eô[óRít¦2pRîú´VZìKE–
+NP˜d»¤L•%ÎUÒvVž%Íi¯93"(èŠéA·¨û M—®iKb1i’®AÐÆ„žº >y¨OøÆ&™sgg$rjñÍØ°r?„Z.ÒªL»šø”-úbQæ~­Jz#aÿÈÏìi’î÷h+¾+'¯¤ÙªTaÌSjã¾”~‚X¸’ þz"S½œª7Á«R‰àBìd"8{ƒF |GýµUµÆ8N
+Âä5DÒ¾ª¿ákà´¡›n»­0iàKï¡È`{ »î\'VˆuJ€â4hHuÙ˘À®¤ù6åuÍ¡iÕÆÜè6ê/1Ÿ-<0 ÈÖÓ†PˆÀ;9ƒ2õP«ZýÙéF·Êr[Dy¾x>íüéþ78‹' U}Có<ò"ÀŸ'2ÂÁsÕiÌ°œp``2Àc ºsoIX¥œŒ‰jxZ»iLˆÔX€¦ÕEAK+un÷ïµ 5ädØOø}{Øâ1¼( 
+
+(„bzØŽàr^CWbøà5sr
+|4
+bsب–
+7™06— z[_ÚT(c›¹$³­4;E+X& ›%‡"óÀÐ 5Ô H²RÏu‡l»‘ ù© èj$5.’û4-È¡ƒì1á<k´“Žˆôã;%Lטn ©Íyåi_„xr0\HŠ¦"he%ØÌj8ÑÝöœ&RÐÈþ9eCñzzÇ…®Û(E/+UTû¡ùŽ 6¨ïJ輋ÿ1ªÓŒž¯ûå8X ¤IÖ÷F®çÖ°õ›ÍK©æ¥Zýv!˜œÌlö{s#žÊ
+²y<ChR µJH%âWÇ«jØb€;WP§ªbu8›ZÎURC—iÑÁ„&L^š
+P#¢ &6æ0wV}-±b]íO«–í%9µ2¶žTû¾Ò“žAäíEÑѣ̀~ãÊ»Ì^¹¾'åe ±)ìúŸ`ÖnqaSx¿áÄ«¶´¥$ÓÕå„á#áQàY1Ó½|Os‘ï¤Íw¿”Æ
+惒ÊáNšë¥jÚZÓ‡„—8@Ääܘêån zs€{Uêq€»;9Àˆýp2ßh0á–ÂCP˜XÃg‰±ˆ€âLî€×Û Èwƒã´‚ðYÝ26iàÞ.‘ØO|)Úˆ8ñKD˜‰••@Åt"'%M_ñX¨Ù«9÷}WúL¾qŸ#ªWzû>_“:ºÏs±Ó÷9K^"áÐtÀ¼¿TF¹ ‘Ë¥é:$ã˜b¯¦m‹ì›ýpG'ßNìWšèäúÍÖ’žm/zèᢋÛYìÜå´dF+ö‰™Ú¡¾™ 8¢oX/dîpŠ³:áØ8Ò WÐBi:–Ž™ .Ó>÷7ŠCßfœÈ²‰œ#„‰¸§Ú¯ua‡H;B£x“kéƒÞqàõÁûxÁÏD‚…¶êÚ³IÙªJ¹’Ì Exêìc…±dÐż³@©ß•%±3Hqøñ….oÔ~½9»åη¨ks“ÓÛ;‚W%0þ5=ÿ}Ï ÷Âòÿ?]¾}¾‘Ž_§œòÕVx*åW1ùQž %ìoÿ{☻dèŠ(ò¦sˆ€\Sï…
+qï"qù
+uä…gÿ/JD»æendstream
+endobj
+2338 0 obj <<
+/Type /Page
+/Contents 2339 0 R
+/Resources 2337 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 2336 0 R
+>> endobj
+2340 0 obj <<
+/D [2338 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+790 0 obj <<
+/D [2338 0 R /XYZ 85.0394 662.3711 null]
+>> endobj
+2341 0 obj <<
+/D [2338 0 R /XYZ 85.0394 634.4781 null]
+>> endobj
+794 0 obj <<
+/D [2338 0 R /XYZ 85.0394 566.8617 null]
+>> endobj
+2342 0 obj <<
+/D [2338 0 R /XYZ 85.0394 536.3186 null]
+>> endobj
+798 0 obj <<
+/D [2338 0 R /XYZ 85.0394 411.7882 null]
+>> endobj
+2343 0 obj <<
+/D [2338 0 R /XYZ 85.0394 386.7645 null]
+>> endobj
+802 0 obj <<
+/D [2338 0 R /XYZ 85.0394 230.2565 null]
+>> endobj
+2344 0 obj <<
+/D [2338 0 R /XYZ 85.0394 203.9874 null]
+>> endobj
+2337 0 obj <<
+/Font << /F37 1026 0 R /F14 964 0 R /F22 961 0 R /F21 938 0 R /F41 1218 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+2347 0 obj <<
+/Length 2527
+/Filter /FlateDecode
+>>
+stream
+xÚ¥koÛ8ò{~…±8àd bùгßÒ6=d»Èöììí.Ú~-Ù*K^INâýõ7Ã!eÉ–®*r8œçI‹ ‡?1ñÄ2ž„±Ç|.üÉr{Ã'kXû×08®ErûXïoÞ~Rá$fq ƒÉãªG+b<ŠÄä1ýêÜ2MwÞß?|œºÒçNLŸsürÿ~v;›ªÐù“
+íp_¦Y]ô>œÓš,“’8Naväí,ö- €Á ˜Ýee–÷e²èv—mV¯’¥™¶'ë¡t²­²¤ÝeY°KFÄ!SxòU«êc]6«ë5»ºÊ´3¬3¦£–5`:û·+Eà€÷ ù¤Q€h‹@€±ˆ,%x^˜4
+¦Â¡[
+Žù¡FÏ -iÇ(Êš¤OU²Ôœ Vσ¢D;3 NŠ„® uú‚…Ö
+A! zBΪª zÊaÄwIl3H’ ²R7IK#«pˆ1‚¾‡JʤM.“]²È‹¼=Ð<QÊF,\zÔya`,öºu1ƒâA\R ²¾ræ»l™#d ^Eæ
+ÑPùB‡w䟛a
+‡P€bPœÆD”µO†mÇhJS¾N°ò,§&§Í“íÎ64·ý*íÕ„6¯Ð
+×–¡ià¸WéÀDÆ5·† ¶ûã]ÈÒï ÷†€u½Þf «)AôÑq@h+ÓÑA‚Ę$M˜EQ=w¬ˆ‘À"§‹:ÏVcy-ÍšeïŽ×lm¡±¾ÑSñt © S’Ü?ê› £qÒÖ;2éÄøO~¼S€Ã¨>ö?Ø·”+_½˜{ôBJ7È^ ‘ ôáí)
+)‚Mþ//€’ÅQ¿ÿ¹E·Oò<8Â
+ävXíÐð0Išõ›  ±ÕFM-‡ÇJ ðk¿ãètw«é¬÷˜Øšwg=§
+
+H¨ã
+e0ì>Ùr${ÑÁãÍðÍtÜŠzéÙüDñùîÏ¡9rP#nßÔ“±ÏOè(µ”GµMo£g~ÿÑèþ¾–Ž¥4úøôyyyI´î KyÅK¶˜¦C7c§±¯ë)ÆãØ£‘8hyøíÎ,|¦ïO ðOcŸõ;²2ˆm–h CnÚwš‡i3ÁE HèówUfÿ4ûðU‚ð`¡É×%Ý(í6O!•î‰%[VÏ¥!Ø£Ò``Û.X»+ÛÚÐÝUù‡ž×]DÎïa38îÈË­-Õ6oé+ª&i6‰ ‰yÊÄ_ì E\áê⃣òþR5âѼ«ÃÿïÄŽ/—T•Ñ¥^A†Ð±Ä06B¡„ŒÎ#©ùéì\öÿ=k-¢endstream
+endobj
+2346 0 obj <<
+/Type /Page
+/Contents 2347 0 R
+/Resources 2345 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 2336 0 R
+/Annots [ 2350 0 R ]
+>> endobj
+2350 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [344.9397 501.3201 406.1397 512.7122]
+/Subtype /Link
+/A << /S /GoTo /D (trusted-keys) >>
+>> endobj
+2348 0 obj <<
+/D [2346 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+806 0 obj <<
+/D [2346 0 R /XYZ 56.6929 609.3932 null]
+>> endobj
+2349 0 obj <<
+/D [2346 0 R /XYZ 56.6929 583.208 null]
+>> endobj
+810 0 obj <<
+/D [2346 0 R /XYZ 56.6929 484.1849 null]
+>> endobj
+2351 0 obj <<
+/D [2346 0 R /XYZ 56.6929 454.463 null]
+>> endobj
+814 0 obj <<
+/D [2346 0 R /XYZ 56.6929 405.4622 null]
+>> endobj
+2352 0 obj <<
+/D [2346 0 R /XYZ 56.6929 378.8348 null]
+>> endobj
+2345 0 obj <<
+/Font << /F37 1026 0 R /F41 1218 0 R /F14 964 0 R /F22 961 0 R /F21 938 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+2355 0 obj <<
+/Length 2458
+/Filter /FlateDecode
+>>
+stream
+xÚÍZ[oÛ:~ϯðÛq€c–w‰yKÛì"»9Ù&vÑöA±åD¨,¹’œË¿ß!‡TD[¶Hv±(ZÓähøif8ó k6¡ð‡MRE¨0r’Iej2_ÐÉ=¬ýõ„y™Yš ¥>Þž|ø‹H&†Íõäv9Еš¦lr»ø6=¿¾¾¸ú|ùÏÓWtzNNgŠÒ0ûéâætÆdb8¬H»¦éôãåÕg”6øñùê»üøåüË©H¦ÿ‰›¯×׺‰ÛÓ·œ\Üö ‡/ƨ°ˆ|ûA' x¿?N(&U“'øB 3†OV'R ¢¤a¦<¹9ùG¯p°ê3”T)Q\êÉ „ÁNlÜœ”Pæ™%’™jÙ›“³1s)kÎY‹o¾¨WYQee·ýâLJ’JÀ0Ô~ìÕ91išŽ¿ø¬×x08’¤B¨q›7y³ƒ2Ñà–„½#Ê ñÊÄj”‰Qf‹E“·í6LÎ1JšæŽC{©‘­ù`kÎRb„[Zçóbù~fšÁ‡¤`´uÖd]Ž“Í)K§ù|Ó´Å£ŸòVu»“h[\\Ö º‡Üë³{|§”Ïqá;çCÈŽàà šL/žgöýÁ”p843ÆàÅG­Öe~¢Œöa˜?»Y2¯WgœRv¶¸KÏÎrç<ú ×Æ)ð@î?C©ý'£—:gàÁD´íÛÂÌ+<‘1MeiŒqO”A¢ LÓô°qz©‘­‡QÆ SñÖzìòú;UôQ~xÔ0`8GLÔKüÄ
+‡P¡‹¾¶Ù}ÈœC¡‰¿…d:žÁ8gD =QüL¾=}³Â‘RU˜Œé· é˧‰{‡ƒ/_vpJ©Ìû
+ 7‚$B¦òîe{ÈEµÞì&!ç“wÛ+< VHM4$ì¬QWŠ¹o%š‡€2NâÏuWÔUÈ­.Œ-¹vι߬ ¿¶gû¬Œ¤F¡¦C©ý ¶—RÓ=…˜[ú,U´ÿÛ*qÐx,ãˆ{„v_){ Ãåa3õR#[Gõ@ H IŠ·¶9Kj(ÅGqý• f=XðNïÔ_©0ÁL s¡þÂðµþÚ úúë´õ(ŸqY`è¹tÁÄBò$‰aUûÐnÖëºéòE8g¡ª>0\²Á™Ùèuy|OŒÊÔ@3æpŒ¥öÇh/åbtoºbÔÀù‚`j}[|G€2Æ ‰Ž‘ÚŒµƒQpB5OÛ§—Ù7&+ ¡R²xß×ndÈHÀ^8aQ3DoËÜmÏyòe¶)½ÙC$ôõ{ù ¤<Hçé±PH… e_t´0Fm®ÐѶoì¼Æ#m_¡ êÆ _KAœKbh*§—Ù9ŽNÒÔ¤ñΞ5z"6pø6‰mãà.j§Zø˜È³Ð”EåÅæPÆ`‹­¶£§¬Õ}¹‡;{Ͼ-uÌTFl,ŽË p ÅÜûôôDMë³[=; ¨ò.@UKžŸŸƒš1ž.4I5³'P‘$õi‰ºˆ‰z“ùi»ýT½¿üꚬj³¹MÞte¹ô8%¿td6í/œ9îÃ|Ÿá†è¾~¥¿/ÀlÎC±I$v ,°>]7E…þcá\³àý5x7G±§¢{ÀµUQ«¬Ä/kdÐs(9àlçTÕ#^Ôy[ýæ¿À«{ˆã|ÜòuŽ­v7ðm„]3s£§E‡ËmW¯[zÂÏ·
+¤px—í¾¾ã bzéQ×Nñˆk¡!µíïÛŒbÓeÑùbq¥‘Gåþ`…¸Þ=·,M‰N(
+É)´ ½ n»v—?dEÈ€Ò‰£~v›.û™±)8±sY©F)á ¨
+endobj
+2354 0 obj <<
+/Type /Page
+/Contents 2355 0 R
+/Resources 2353 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 2336 0 R
+>> endobj
+2356 0 obj <<
+/D [2354 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+818 0 obj <<
+/D [2354 0 R /XYZ 85.0394 650.8348 null]
+>> endobj
+2357 0 obj <<
+/D [2354 0 R /XYZ 85.0394 625.7398 null]
+>> endobj
+822 0 obj <<
+/D [2354 0 R /XYZ 85.0394 378.0874 null]
+>> endobj
+2358 0 obj <<
+/D [2354 0 R /XYZ 85.0394 350.2627 null]
+>> endobj
+826 0 obj <<
+/D [2354 0 R /XYZ 85.0394 153.7325 null]
+>> endobj
+2359 0 obj <<
+/D [2354 0 R /XYZ 85.0394 128.6375 null]
+>> endobj
+2353 0 obj <<
+/Font << /F37 1026 0 R /F21 938 0 R /F22 961 0 R /F41 1218 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+2362 0 obj <<
+/Length 2394
+/Filter /FlateDecode
+>>
+stream
+xÚÅY_sÛ8ϧðtîAž]sùWsOé5·“Ý6—xgî¦ÛÅV]m˵”¦î§?€ eÊ–Îv(Aø€ÅˆÃ12)K­´£Ìjf¸0£ÙòŒ`îç3áy&is½žžýôw•,³©LGÓûHVÎxž‹Ñtþ>¹`šAO^_½}3žHÃK7ooiðÛÕ뛋›±Ê’áö÷ëëwŽ0O„άL.®¯/ß¾¹ú'1\ LÎõo—·ãÓ_Î.§ÒñÆW¨ñ§³÷øhûûåŒ3es3z†΄µr´<ÓF1£•
+”ÅÙíÙ?:ѬûtÐP‚3©R9`))‡,e,K•TÎR¿7ÅCy>ž(Á“¦X®å䡨h¿uÓ®Še‰»Y"’ÅG¥™ÍyÚÙ;eÌÆy'çi=/Ú » ‘M…S4žoAx5£b¦ñlQ•«–ÆëMý°)–^ÙWA›¡\á©NŠÙ¬\· ¾(·*КjõàV…q·ŒgõrY¬æž·ñzs“EµòÜÅf,òäái Êýˆ¤,iÊÕ<|¶"1±|÷Aùé©l¼r˲A{ÓK[ã®pB0kŒtûhaZ©4)žÚÇzSµE[}ö¤¦Ü|.7ãL'°¾2Yâ”w3õsCÃN
+ùÔi߽3¬XÂu…xìœxyiu¿ï´û Îî‚£é¾1vâž«Ù㞬ØýûeTDP~µÇãA@6¯sõB<D\'â!p¹xøJ«còÊã~ú @™eö´×€
+=GƒjÁ‘žÓ`§y½„´ÏŸV‡;äf‘9}¢Øƒ"Ÿ26Ç ¨rÅR®ÒÓŒ¹Ž°ãBåW`’CØ+¹W€‰o(À΀3+2qz×À.úg`XŽÖÛÆ-Þ(AÐn×{‡»r½.7…OQ0£¸¬¨Äå#˜ÅUŒÄMø­vs˧ !V£ îhL(£˜0ù ÙdÌuâH—;Ò¥o?ÕàPÀʜԤãP¥Ÿj(ØSÓ×¥;%C“¨‘'Õô¼ó3¤÷K È.<Óv]ÍŠ½”_
+j[á ëÉϾh’Y²¨¡ò«?ú—ê£çE›Ì€ÈWL+¸½zØ;þF6¼¹ÙùÒÍ› ¬¦øç…°c­GÈ\™Jõ7ÝÁZÀ-l¾…¡pqÇeÑwdùaøbïBïš¹Òõì²^ u»¿Ám¤2ðAiS&”²Î"o£FŒIáÎuU3J xõ«À¶m*“Ë}Ë€LžÉlW ìÖ:_} @S,ìS4v{ÝÙÀ~ºZÊÑ›v4Š6ObÉnSi쥬Ÿq@ß÷q-6ž»¼³Á¶š•c¸½±½&²¤ô¸€,ØÁg½¡ºdâéKüÒÁ
+ÔGÏ^¬×›zí¿éú¨ ™"ù<–&qp‰¬¡që?ÖÉW4`Vö·!ŒîÇÊé@5Nßfy
+—„oÍ98ŒÍ již–î•.¡UÔèj”ëй^ÖQ›ENj¾×¡ËÚB-3s½h˜£üG®ù…ßQ‹GC.ý9òÃtRr.Îçwùù9”ªúG ½ÿ«dZgNÂ_
+endobj
+2361 0 obj <<
+/Type /Page
+/Contents 2362 0 R
+/Resources 2360 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 2336 0 R
+>> endobj
+2363 0 obj <<
+/D [2361 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+830 0 obj <<
+/D [2361 0 R /XYZ 56.6929 740.3318 null]
+>> endobj
+2364 0 obj <<
+/D [2361 0 R /XYZ 56.6929 714.7319 null]
+>> endobj
+2360 0 obj <<
+/Font << /F37 1026 0 R /F22 961 0 R /F21 938 0 R /F14 964 0 R /F62 1361 0 R /F41 1218 0 R >>
+/XObject << /Im2 1350 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+2367 0 obj <<
+/Length 1890
+/Filter /FlateDecode
+>>
+stream
+xÚ­ÉnÛ8ôî¯ðQj–›¶™SÚ¦ƒE›IR`i²DÇBµ¸’'óõóÈGÊ’­$t’ƒžÉÇ·o$›SøgóÈ'TÄrÆ’ø”ùó´œÑù=ìý1cgé–C¬w7³·E8Ið`~³Њ"6¿Én½³ËËó/.þZ,¹O½3²Xú”ºÕ÷ç׋%“aÌaGê½€zï.¾|@ì?¾\#ðùâÝÕÙÕB„Þ߸pýíòò«Y¸YÜÝ|šßôBcTh‰Înïè<ý>Í(qäÏ÷ðƒÇ|^Τ/ˆ/…p+ÅìzögOp°kŽNÊñ#NXŠó)Kù1 ÆRÍ‚Ež*ëÕ¢vIQ pueWÖu〚dOURæ)QI¹-Ië7wm^Ý#Øm÷ùƒªü¡žŒ1h“`l /… Œ9çS€(8­j·M½R¿-–‚Q/«Ë$¯Þ‚ –E«šeåK7*ýá~ä–q§šÒ*R¯­fß# i(­<|,—$–Ly.:àøH¾E8Ñ Üíž&­¿(ŸEêj‡¥ìÂÆ(¿†Pþ•oDn¥6ɃÝHë=—vÅÖ
+›Ã¨ðP*­0¨©cŒÄ¾ÏbZ}Kïf“ë3Œ{øe@.-v™ÊÜ/ÜEÉ`5‡ÃC/˜x@xkd«ï›¤´T)4Ö¦Þ#dIõ¸­KµÈWMÒ<áFšT¬îîÚc¹’)ý …—h¥"éô ßÛm‘§I—×é…$@úз6¹wѦcÏh²²Ñv»Ìîôp
+Ÿ8k…“,C#µ­Ó-¯¶»îXnÁ Êþ?¹{Š¯È-xL"Åc¹¿SÊ ug|ù*IƾóedP¾nµ›Û“*M õ¡Ø:Xh<Ý},Îr€„’±‰’ê4Óev̪²”òe~ç”ßÐqL$÷ÇüšEäíª£¢ç*ðwÎe¦V»{ àRYgŠ` îónãä®H›!|ÿûÜu‡lWnRP¿žŽZFÞá×Ö(} %Ϲz¡œ±—ý0ÄzÞ=–ñÄÉ'‰âà–i‚åȉÂðˆ%TMÔ9i­ÉÀ:«ºÍ»§qªÁE¶SUuS&Ö¬Em{h é…¨µžºéýcŠ¡œOÚ­Js ®Â•»¢ËM-6žÍÔ³¦÷9aBðWL?ÀzÁô˘þ¥
+È8%aàÙÿR%é)¾"+ã‚„þ‘¬º
+`4‰i_õÞÛ‡XxŸª|.ò9ºõ €2°ÅÖZUe¦„¦óÁ–­Å°ós§šÜ¤,›á&èZ…û‡«.¬c±Ö¤ëÒîŽæBËMdghR½‹é7M»*s“T?öj‡þ~4¥IQàÄ{̲þɺç0%ýÜκÛv´f'Ìì$28z¯ñ=PW…O È†ýCGhŸ9>» ¯™£ÕZ5ªJQá—_'δ·1ýµY# 5y
+jm¥ -·Çª¿k7„ÂA­k™T»¤°ZÈ[xC[úê1UÛ 8tIMw%D­EÚ¨%\±nÝŸšH˜p°™µ}k²Iò
+endobj
+2366 0 obj <<
+/Type /Page
+/Contents 2367 0 R
+/Resources 2365 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 2336 0 R
+>> endobj
+2368 0 obj <<
+/D [2366 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+834 0 obj <<
+/D [2366 0 R /XYZ 85.0394 741.6375 null]
+>> endobj
+2369 0 obj <<
+/D [2366 0 R /XYZ 85.0394 716.9352 null]
+>> endobj
+838 0 obj <<
+/D [2366 0 R /XYZ 85.0394 420.5643 null]
+>> endobj
+2370 0 obj <<
+/D [2366 0 R /XYZ 85.0394 393.2598 null]
+>> endobj
+2365 0 obj <<
+/Font << /F37 1026 0 R /F22 961 0 R /F21 938 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+2373 0 obj <<
+/Length 69
+/Filter /FlateDecode
+>>
+stream
+xÚ3T0
+endobj
+2372 0 obj <<
+/Type /Page
+/Contents 2373 0 R
+/Resources 2371 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 2375 0 R
+>> endobj
+2374 0 obj <<
+/D [2372 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+2371 0 obj <<
+/ProcSet [ /PDF ]
+>> endobj
+2378 0 obj <<
/Length 1945
/Filter /FlateDecode
>>
@@ -9165,44 +11245,44 @@ FU—¨UÙ‘[¢–õ„/
c˜"v¨¯]¿x /¨¦zŠ©,ƒ‡“jì^MÈ=n´B$ŽÌÿ/Š™AÃozrm@ £óÀ’O#°ã—_ØäƒcÒú:ƒÄl²«Ö2[PCçB‡A|ßöÀ7z WQ@x©k†ÿˆŽ=]LÈw›{Šh( Ï`žÙ±¥|ßd³ø)¼Áº.4h@õ
Ôζ–ú‘*ÁŽ––nU@€u´ŽÂMô©…2&ô5»XžG»<•Å”?
iô¦?ÿûãçOþóšÞn1˜)f3+NAÍï7QUÊñ§êgCí r õ(G§ÀM¡É\3-äY=òaoø‰ëà¤m!.cÖAs/ç˜S¤à¬“içÞ7˜P²nïèK]- Þ}¤/ýÞà[fÌ)Qˆéªhij;Œú«p}ÓXåž\E4z%d˜^§ÙüCIMÒ©s gLü¬
-§g=42¾ûùÁC#j*u[ø a;xs»icŸì½‡ÁKØù;üø<fø³ìäC;°$GúEöÔfГ/U€:q~ÜðïËóþ T?žsendstream
+§g=42¾ûùÁC#j*u[ø a;xs»icŸì½‡ÁKØù;üø<fø³ìäC;°$GúEöÔfГ/UJ7üÀûò¼ÿTÆžvendstream
endobj
-1901 0 obj <<
+2377 0 obj <<
/Type /Page
-/Contents 1902 0 R
-/Resources 1900 0 R
+/Contents 2378 0 R
+/Resources 2376 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1909 0 R
+/Parent 2375 0 R
>> endobj
-1903 0 obj <<
-/D [1901 0 R /XYZ 85.0394 794.5015 null]
+2379 0 obj <<
+/D [2377 0 R /XYZ 85.0394 794.5015 null]
>> endobj
-650 0 obj <<
-/D [1901 0 R /XYZ 85.0394 769.5949 null]
+842 0 obj <<
+/D [2377 0 R /XYZ 85.0394 769.5949 null]
>> endobj
-1904 0 obj <<
-/D [1901 0 R /XYZ 85.0394 573.0107 null]
+2380 0 obj <<
+/D [2377 0 R /XYZ 85.0394 573.0107 null]
>> endobj
-654 0 obj <<
-/D [1901 0 R /XYZ 85.0394 573.0107 null]
+846 0 obj <<
+/D [2377 0 R /XYZ 85.0394 573.0107 null]
>> endobj
-1905 0 obj <<
-/D [1901 0 R /XYZ 85.0394 538.4209 null]
+2381 0 obj <<
+/D [2377 0 R /XYZ 85.0394 538.4209 null]
>> endobj
-1906 0 obj <<
-/D [1901 0 R /XYZ 85.0394 504.6118 null]
+2382 0 obj <<
+/D [2377 0 R /XYZ 85.0394 504.6118 null]
>> endobj
-1907 0 obj <<
-/D [1901 0 R /XYZ 85.0394 432.7569 null]
+2383 0 obj <<
+/D [2377 0 R /XYZ 85.0394 432.7569 null]
>> endobj
-1908 0 obj <<
-/D [1901 0 R /XYZ 85.0394 303.3232 null]
+2384 0 obj <<
+/D [2377 0 R /XYZ 85.0394 303.3232 null]
>> endobj
-1900 0 obj <<
-/Font << /F21 714 0 R /F22 737 0 R /F41 939 0 R /F53 1029 0 R >>
+2376 0 obj <<
+/Font << /F21 938 0 R /F22 961 0 R /F41 1218 0 R /F53 1313 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1912 0 obj <<
+2387 0 obj <<
/Length 3825
/Filter /FlateDecode
>>
@@ -9222,29 +11302,29 @@ bÎDü…îR
”®DXð9I;܉
ô½¿ù@„0È•œåñú¹X¶åçbã?^¡€™ À° õW¶ÖƒMw›gÂW%fèÂphðRØ.]¡Ã‰h¾,¤ª\,6<ÏËe³8´Z9ÿký¾ÅEÓèâ}ÂÆLÁ©—îÀS7ØQóëEÚP8d½¡é“löá»—)Rú±-Ú5˜³Àe’ù¸Ÿ9.¯nè­NmÆÇácÕyW­ µãrâÖK…zº÷¿
"BV˜ñI§ë†¾xÀfHÏqàÛw/çï^%cÁ8`–Y(bOud)ú O¨&y¢álD ×Tˆc÷Âà)†Ì‰HÉ´ õ0QÉÓÁù âþ“I‘r5Æ|Äï4K‹0ANEÞóTS_Q-ëÁ'ï Ñþ´ôŸõnx’»¢ÂK2œvE”'0«
-‚ÕrœÀ4d‹VM}­°¢Æ¾ÌáK‰ÿù{éã×àÚDÊÚ‰o|b‰amfÊ¡¡O¿eâ/«Oyÿ/dËÈmendstream
+‚ÕrœÀ4d‹VM}­°¢Æ¾ÌáK‰ÿù{éã×àÚDÊÚ‰o|b‰amfÊ¡¥O¿eâ/«Oyÿ/eRÈpendstream
endobj
-1911 0 obj <<
+2386 0 obj <<
/Type /Page
-/Contents 1912 0 R
-/Resources 1910 0 R
+/Contents 2387 0 R
+/Resources 2385 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1909 0 R
+/Parent 2375 0 R
>> endobj
-1913 0 obj <<
-/D [1911 0 R /XYZ 56.6929 794.5015 null]
+2388 0 obj <<
+/D [2386 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-1914 0 obj <<
-/D [1911 0 R /XYZ 56.6929 752.1413 null]
+2389 0 obj <<
+/D [2386 0 R /XYZ 56.6929 752.1413 null]
>> endobj
-1915 0 obj <<
-/D [1911 0 R /XYZ 56.6929 501.191 null]
+2390 0 obj <<
+/D [2386 0 R /XYZ 56.6929 501.191 null]
>> endobj
-1910 0 obj <<
-/Font << /F37 802 0 R /F21 714 0 R /F22 737 0 R /F41 939 0 R /F48 953 0 R /F53 1029 0 R /F11 1397 0 R >>
+2385 0 obj <<
+/Font << /F37 1026 0 R /F21 938 0 R /F22 961 0 R /F41 1218 0 R /F48 1238 0 R /F53 1313 0 R /F11 1451 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1918 0 obj <<
+2393 0 obj <<
/Length 3111
/Filter /FlateDecode
>>
@@ -9262,26 +11342,26 @@ X&dÜ‘Lr­2KU=Æ
Í©ßpª'uÆ©Vª³nuÞ©ç”{NjŸpª¯ÞdÁRÇÄ£X0<Š…¦hï©dЇ…ëúÅèæžà¨j•·9=ÿá×CɃ”Õ`ÀóP‡|èÆ&ô²Ol¦²öÅÛþ:sày]|Y¦pªÇ#mÈ—ò!¿“š{ oÊ+’Ââ«Û‘ê½{}ø¢«F#F£âÓªy³„ÒK¾)WL˜!=Ë¢$Œpp‰"Ö/—|wJ¡-ªIôä¹@òûŒÀe³]½¹‚d|yôg•u³b¯¥‘¹ 
ÖïIMeµÂÇÓ¢±]Ìm¯ï#ÞåxoÖ“ÍüÉ‚qÞ|³Î³o=†hI9üRX‡‚÷à¬)ö@å—Û¾®Í¿|]PÅ>¯žð 9Rf¶‚ãÙÒOV»ç¨Ûå{Öc¼¨%{
¾U¯ycGôsd*ö6Åe%ÎK“ƒ÷¦€}žb|©iŠqRŽb–ç)æ¬òŽbN´SLO½¡ؘœªevM3Ƀ%ò6>ÜÐ/RÌr],Ÿik@ͪlðD¸â?2€Ã2X0aÒ¥Ç2 ŸX›ú,fa×Ë=äãPõVæšôqóùîîã‡Þr»býØK,ébh
-p2£·RKOhV¨ÃÁfòÞöœÖîÚv¨vüÖÖ×{C¸Sù:¿ñÞ2¿\ßÝÙ;ò¢ò^F]Þîdû\5éVˆõ*|ãY¥“™v*Ët7½-,ö‰[!wÉ$
+p2£·RKOhV¨ÃÁfòÞöœÖîÚv¨vüÖÖ×{C¸Sù:¿ñÞ2¿\ßÝÙ;ò¢ò^F]Þîdû\5éVˆõ*|ãY¥“™v*Ët7½-,ö‰[!wÉ$
endobj
-1917 0 obj <<
+2392 0 obj <<
/Type /Page
-/Contents 1918 0 R
-/Resources 1916 0 R
+/Contents 2393 0 R
+/Resources 2391 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1909 0 R
+/Parent 2375 0 R
>> endobj
-1919 0 obj <<
-/D [1917 0 R /XYZ 85.0394 794.5015 null]
+2394 0 obj <<
+/D [2392 0 R /XYZ 85.0394 794.5015 null]
>> endobj
-1920 0 obj <<
-/D [1917 0 R /XYZ 85.0394 679.319 null]
+2395 0 obj <<
+/D [2392 0 R /XYZ 85.0394 679.319 null]
>> endobj
-1916 0 obj <<
-/Font << /F37 802 0 R /F22 737 0 R /F41 939 0 R /F21 714 0 R /F48 953 0 R /F53 1029 0 R >>
+2391 0 obj <<
+/Font << /F37 1026 0 R /F22 961 0 R /F41 1218 0 R /F21 938 0 R /F48 1238 0 R /F53 1313 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1923 0 obj <<
+2398 0 obj <<
/Length 2837
/Filter /FlateDecode
>>
@@ -9299,119 +11379,112 @@ arFáàJ6ò±´Ð‚c9<™‘m›î} Œåºn0ÝzE½ÂA¨=Ÿ‘Ð Hãœ/çˆÇVt°RÈ=UA‚©Z€Æ-Ä»`>cÝ{ÿ
^f¢óá^žÜ¥›õl(š˜9{™a–f9]Ü&QÎÖ¶I<åLø‡ùtgÚ(0v{$W©Ã´:ÇÃÓæx@  8ùø`zÍ|º© cZFhûß ©Ó†Óª\€ ¯Å&åtsÈÖ¨]-¯3ZÈYZÐŒÇé±×v‹ÞwgÍmïšÆ¸‚ @Æ4ªåL£cßÃtÂÅôzÝ·Zö5í¶kžz/rz!‘†Tžä¨ÆDjbo¿îI[ìOšò_ñ¤P€°†Ž´2nk%GY¢©[ÙÇ!Êm²çÿBÖí•(¿`€jÃŽjÌ1°åìWsÌ&ï1Ç̘/瘈»MÇ4÷ÉšÎÉU{ðuzÑj…FP÷(úóT«¨û¡Þ÷V§9L… ¨~ÚÉÇ'S‚BãPVòµÚŒâ‘®¯JÏ`}Oã`œøؼL¼¸·æîÚMtÜK¨^j·Íý#)3¨‡Æ¥¯"ˆŠ,eŒ\È!Õ:‚<•GÐ÷Ó”o‘§œ^`kiæ\'U1…ê¶ÀÛ›Q#_*«%“½ºîÖõå¶õÄ5{pBk¥wqõ÷z}2÷qÌ}ãtÒ,ÅPåo[b$Ú0„%í 2˜òžµÈºÅ{ ¬SæËq5äîÌ¡*mW™ø}Š2‡ ãN‹ªßz¹_ÌN†êÐPj]CÓ¾Â<¥¥õ…#´µ%„ÛþçSk
Vh§[/Vþër5^Ãf?¾8l•Qh_2¯@èB¦ ©Öáà©<Æ2-¾ë àH‚n3÷Tsî“ÐnI`Û±¦Ó¹‡Úl{·± ˆ´êr9 ¶öã§Ý(Ï׆,(»rCª Ã8ªÑ0ö¬w¾›`(¥Y·ù{ª¹
gÚGXûkŸÌÛGSQ¤Í'цÑpAR$.ĺ€hÝdŽh´XÓ¬Îm±Ïæ¦|—æBÆŸ¤1®lÛ7²´M%Ï<Þ|Eˆ–ëUê
-éVìÍ)OHjŽ}>«CŸ¦þ¶tê ž€Òœ4>¦5qféø™«ÿß8Oð˜th«:9Ýü×í¾9WÓÃE}ç þýjåwÀWý[nhçœëÿþSÞø—C–AÆÌÉ2žHÆSøX8¡”&0sÇA)¡vç²ÿ'Tþ†endstream
+éVìÍ)OHjŽ}>«CŸ¦þ¶tê ž€Òœ4>¦5qféø™«ÿß8Oð˜th«:9Ýü×í¾9WÓÃE}ç þýjåwÀWý[nhçœëÿþSÞø—C–AÆÌÉ2žHÆSøX8¡”&
endobj
-1922 0 obj <<
+2397 0 obj <<
/Type /Page
-/Contents 1923 0 R
-/Resources 1921 0 R
+/Contents 2398 0 R
+/Resources 2396 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1909 0 R
+/Parent 2375 0 R
>> endobj
-1924 0 obj <<
-/D [1922 0 R /XYZ 56.6929 794.5015 null]
+2399 0 obj <<
+/D [2397 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-1921 0 obj <<
-/Font << /F37 802 0 R /F48 953 0 R /F22 737 0 R /F21 714 0 R /F53 1029 0 R >>
+2396 0 obj <<
+/Font << /F37 1026 0 R /F48 1238 0 R /F22 961 0 R /F21 938 0 R /F53 1313 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1927 0 obj <<
-/Length 3266
-/Filter /FlateDecode
->>
-stream
-xÚ­]sÛ6òÝ¿B3}¡§‚O~<äÁ©ÝœÛ4Ik§w7m(‰²9¥HU¤œº¿þv±
-9ùýâç_ùl|{Á™ÊR3û ÎD–ÉÙæBÅŒVʯTw?„½·vë”
-%Ys1ëãQPcÒRöH •°T‹#ÚwEw9W*‰ºÇ‚õ~³(v8Ž£fMkÈŸË݆ÇüÉíèzæÛmq)¢|GӲƽúƨ’g,NµÞ‘|o
-‚ð*&ãX8 À?F$$ãZ9ˆë S
-I
-`â¨nH*É@‰àèNdçŽU™Ë*œÆq‹+¥{³…eo¡Ž´ðì\k½p ŸËîG:ZŸQqÑãÖ¨Xx;mÝ»-­t(J áÑr•wåSAoꕼvП˪¢¥…UBÄàjÛ‚(.-~pWVp
->ý¼Kö ¡Ô²> z˜°‘0­´‡°²ÝŸv® :…âæîAÑitz—Õ¸:„ÔQ%ñyÒjLû(QïdCÚ×X$i(EšŽ:¥öÚWÅî][ìžlݨ]Ù
-›e⛜w7?^ýôÍe¢£«ÛwŒ–ï=úCQHl%¥]í6Á–/ž
-W
-¡»-–£ë4*™ž' ÆÔ‡× iM’h1$ÿcÉG‹w$ j†€wó5GÁKPYmŸ­mØ•g¿âr%œX8Føá;·£t[á†_€ÿÍ12Š,>ìþðñ~ŠºsmÀ­¥G½›QŸ¯Ve©K°m,8šzQz‰¥ü'AehR.Ï+Bê´"¨ mù°|ÌÛ‰LG²pœ¥îÆÔ‡Š
-+±·Ù–•5´Æàh~=ÑÖ©d:SzpÒ—ZÂ’eišN7„çã bÑp+
-†±<#úsêT}ÿéV¥÷·ßÝš>Ýüx{s7á}Á+ʘ)‘¾xJ(²ßܾG†ue´Pn¶•ýò—»¬YÛ
-ÿt>Å5#¸öüYŽìúô÷>ô¾†û:Ÿút&4Ë’ÌËf‘w˜• L.E„§Äi³E.° Â/©‰pù ·ßí¤{´ÍB\
-2Áõeî¸_î«Ò~‘†Uò0¸n‹ñsí íˆ HÄŒcÀxUùCû•K{,«­·†Õ¨‘í
-xƒ~iG`°ºßVn¼´Jƒ
-!4]§ãmÛ¡éI _ôtf¤’\ždŽ;?õK1UºšüÐÃCˆüÇ¿";üFNC€_Þ'óðžLáïÇS(v0õcÖ ÆÆT&¼ÿ;ÀVendstream
-endobj
-1926 0 obj <<
+2402 0 obj <<
+/Length 3256
+/Filter /FlateDecode
+>>
+stream
+xÚ­Z[sÛ6~÷¯Ð̾ÐÓ
+!®òàÔNÖmš¤±ÓíNÛJ¢,N)RI»î¯ßsp)Rr§Ýx2ÀCœà;WˆÎbø£3-IÌS1KRAdLål¹½ˆgðîÝu4sO4ïS½¹¿xõ–'³”¤Š©Ùýº7—&±Ötv¿ú9ºúôéæÃõíO—s&ãè ¹œË8Ž¾¿úðåê½ût™²èêÝÍt•ŒQ$Sqt}ûîò×ûo/nîƒ0}iÌQ’ß/~þ5ž­@îo/bÂS-gOЉ MS6Û^ɉœû‘òâîâ‡0aï­ùtj„ÔD2¡fs ¦\&ÓÛ“X²牠„+©Ã6 =µMž
+·é«jU·ÍëëãåRΈV1õçqTcÖŒõXSž-èﻼ½œsžDí&·ªÛ.ò=¶UT¯íÊçÉ2÷Á&{t_´µ}f»]~I£lo»E… zõVòž,N‰Ò‚ìȾʶ¹¥ÈÊ”¢ŽæOD‰w×s¤„s&ÁºöBµ}™U´pkXÖUS¬`ÝTGùÊ­gÑÔe×ægŸÍ™V„1Š[NI*%33ß›}“°Gù:ëÊÖv³²sãEcŸnç å/qÌ*ú]SÀ®UžÌ}W¹M‡fÓfm¾Í+÷½ßXAû[¦a€-·àWy»|µÏaÖ¶žÚ I” ~ ¿†¹µˆÌ>êX!
+Ø>,Y³³8-Ÿ/)¥Šœ&ÑB ¹õ\»-ù€µŽ£}ûG /è ›vÝU«|5eºU ¯û«úÉé48<ûín_€…îÉEã¡\ø9`aïmAæføÓzœÚöœA‚Ö2맙}à©ÛÖï]¾v¹ŽÖšÕSºÆ(¡B½¤k=ª3ºæ©Œ®å«ªyý¯‘¢1E
+ƒnñ±jžDÐŒ(T°³(èSFA 
+(XgE9®h<,užu ó>Šf9D½é÷5¦ÊÒºµÝΆ™Wùî]“ïMõ@¸äžÏugéÝ6æ&×À7™}ÜÝ|¾”2úñíe"¢«Û÷Äßûé©5Lbòiá2ø ±|
+ ¤F,¸Âº>4^TymŠ¥H1íðЩåCÓR¡½-=šºEŸs#?ù"ßd€Vw:"&B‹s :Gp³È!]ƒ¢µ#ô$œ?Ï=Ø™KSÙ‘þWm›ow¨´Êz
+¦@“‹fWfÏnÐl34 ‘lÑéX³Ç0êÒ¥Æöü1)Ú‹É*+ÑŽä+ƒç±ðÅÁh@§hœ„”k9´>”2p2a~:·Íàáäaò²ì2¬³§Ù§:}œ*œ'„nM¾<é Î2?xƒ÷io0`ÿ9‡à³Á3¢©Œ à»»ùƶGÁ µeólL1ÈŒ<û+cÇ@àxÂß¹/
+÷):šëÖÅPS
+bXœç¨Æì%‰¤Éÿljnw2W5 éÁ™Á‹cgF½3³m—»ÚNf?‡Í]y˜šb±ÊZS
+“Ã >pú
+¹9%:–G˜ý{£XëÓfœ0moµÿÆüŒóþ”­–‚Éç¿„1šr+¥Ïc¬Ouc*` ¯uO&ÍgY’æïɤyÀû¶Z–Ýʇ•Õq‰ÔÜ{»ó…Þ^÷SHjûô4¯B…÷PŸÈ&ãP㠌ր- Š¾zÎñÛâÿû/ï1½¿ýôþÆÎòכϷ7wÆŒ"xyÁir¸ñf^¿¹ý€‹4Jí@±Ý•ææ7sQ³0—@c§…[+£/Ößhê½VÓívÁ6–Scëþv'€‹)…îJ'nHaT ¨ì õ0€ÕM[î:²ÕSla~Q8¡1pÞ¡TS~”-šõñ˜Û2D,¼|F"3>}ßSÀsì]ê|êê”
+’&©ß›EÖbT‚,0¸¤®»õ¥À„oÒêâdn~·$íÆ‹q(ì Ž/3'ý"?H_æ 0j- Ž›ÀÅÌøT9JóƒËÃnU$F‡?0] +Ïš¯]ØcDmŽJm½‹ G0á¡pîïò µ„ gæÊ–šÇw ‰$2öA‘å3qJ¬ýFÛ‚ÂCç~¹
+endobj
+2401 0 obj <<
/Type /Page
-/Contents 1927 0 R
-/Resources 1925 0 R
+/Contents 2402 0 R
+/Resources 2400 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1909 0 R
+/Parent 2375 0 R
>> endobj
-1928 0 obj <<
-/D [1926 0 R /XYZ 85.0394 794.5015 null]
+2403 0 obj <<
+/D [2401 0 R /XYZ 85.0394 794.5015 null]
>> endobj
-1929 0 obj <<
-/D [1926 0 R /XYZ 85.0394 179.5067 null]
+2404 0 obj <<
+/D [2401 0 R /XYZ 85.0394 147.4749 null]
>> endobj
-1925 0 obj <<
-/Font << /F37 802 0 R /F48 953 0 R /F22 737 0 R /F53 1029 0 R /F41 939 0 R /F21 714 0 R >>
+2400 0 obj <<
+/Font << /F37 1026 0 R /F48 1238 0 R /F22 961 0 R /F53 1313 0 R /F41 1218 0 R /F21 938 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1932 0 obj <<
-/Length 1913
+2407 0 obj <<
+/Length 2054
/Filter /FlateDecode
>>
stream
-xÚ¥X[sÛº~ׯÐCgJ͉`Üx;oJlçøLŽãFÊ´Ç4 YœP„BRVÔNÿ{X¦$jt:=
-?6öÄ<‡±$>eþ8]èøæ>Ž˜[3mMû«Þ/FW·"Ç$x0^,{º"B£ˆÙ£÷žp2 Ôûíó|1™r?àÔ›=<ÜÜ_ßýÃŒ)¬”zÌî¿Î>¡ìasoöñf>yZü>ºYtÖô-fTS~ŒŸè8ÃQ"âÈï`@ ‹c>^¤/ˆ/…h%Åh>ú[§°7kÿ:ˆ
-©^¯“2Ci‘—
- 4òfå¼ú9)pþÇVUN¬7M®ËåߨOÕÏTmœ4Úµ«[Éz¶ñ(&”q<2VýòXê§táÊC/ÀY?n!n{0grâœxv>èWUUy–©ÒèO…ˆ ¢h<eŒÄ¾Ï­šç=6ÁÆú2­7*Í¿QÊS”ÖªÁŽ^ö–9ºl
-ÑJwñCÈTU&&“"ÿV—éu’»‹ºLÖª½¿¯Þn6ºjÞáÈFÚîVOÒ¶¼®2ÉòzS${”–ºœºø*#ÿðÈÌæîîÌñ‚rkDMb¨²æVq@Ûü&ÂË 26iT±ÇíR]÷75n˜®’*IœTeª³¼|Á‘½ ,Dé³Zb2ºq­JûW$
-N 놇Imø!ˆ]*Ã9©Ø{5ˆ¼k›ì ¨Uõjl2}íZ/¼èÛÍ°w§Ýö r§î^‚÷áÝ'özû× ¹½Ø;“ ÝV%.4@íò@kìÒ̘Œcݧ‡n#ír×.49©uin
-Þ)˹ªÆ•ÃÕ)ƒ*€†]ujö>*ü9…ãûñØç>
-‰}¨¤ŽØ¶Ý y-¯
-mËã÷ ÔdŒ_ä/)d±jyÛ²>Cµ€ •!R-ãØþåöî¾ïNëö½^©&½ªT­‹W'|Ù¦!à ²+þòïß>ÿqóŸ+vVéôpãùÍ z?û4ÿ|‘ßWºn Ó2áïð†+2#Œz¬¬k•N¿«ý‹*{“v÷¡  “v_n?ÀSÖ* "úݺap9¨ÏÞ®±÷_?Î/º9×rœ}—õŽ^Ÿ!qÜë«Ñ;kûF:÷6ëìSdÐaxew&ðn2¸¶Á?ááìÛ÷†‡Ï=§B&ã.*¸ù7ÎCì]·E[÷›þ¶É‹¼ÙŸO Äl¾/õ¦†óqD;‚‘0‚ÇpAE•ÇÀçFrß\NÃßÀh§²§á”cº/nÑ›‹æ‰ù8M>dEYÕ‹ÝëS+J‡
-Maž²½LÓ"©ëÁW ±´hu
-ï
-ŸDß&`™é款0>Vøå²ÂíúY >¹dÇ›‹›ýfðë‡ 1£òXßß/êÛ%ysVŸèôáƒ,‚·‚Ãø8]ìrhвH^†v‘D†Ñ
-²ë®‡µ‹•a1ðtî»xg>v d*íŽÆÿýMíí“¡4Enć?—ñÐ'ðç 5Ê8ÉhtbzûõíÔöÿš" endstream
-endobj
-1931 0 obj <<
+xÚ¥XKsÛ8¾ûWè°UK×D0^|ÍMŽíŒ§2Ž7rjwËñ&!‹ŠTDÊŠvkþût£Z²¨r¶¶x Ðh6ýøºA1âðˆQ±(•é(N5 ¹Gùâ„ž`íÉp<cÏ4Þå:¿;9»Rñ(ei$£ÑÝlGVÂx’ˆÑ]qœ3ÉNA~û4½;Ë0’<˜ÜÞ^Þ\\ÿ çx€ƒóàÉÍ—ÉG¢Ýž¦2˜|¸œž>Üý~ry×k³«±à
+Uù~rÿÀG(þû g*MÂÑ&œ‰4•£Å‰ µRžRLOþÑ ÜYµŸZ@p&U$L å ”EJ*k‚ œHEÁSÕ<fŽã 5›½¿¯ÍjëHË®lêöÎÒ`3/ó¹ûhÞ¬«‚˜ ½³å²*MA ]ãˆUõ"µ4^TžÕ~½mè /¦]“p„âap77­!§58,1‚¥a(í±œÊŠ ¯2Nd°X·‘—«S‘&7…¡¥nnhå+çrEl@]/+GGs ©Î´VBy•µ­wÛ%‘Ã+áÈSÙ“ŸeuAbŽ©ÇÉÛRë A[éTFBÞ,V0R«²6ÖVI0©·ÄÐûÖ½;Qßé_yÈÍÜ,;ZDé ÇÙ•;Q$“”q!CPµúå¾nòEAœûñaFÊ1ÒV°‡p*gîî ͳY­Ê¢0µ=ýX©”É(I¼(e·”‚½ìYÆíÒä%º-'*E0 l{6G¢#£®š‘ÍlžþuàÄàˆ„2¦(ŸNÇ Â/ßW4Øl6¬lsÖ¬ÜJ†fÇÁø½…Œ‡GÐtÍoÅÕ <4c¿=…$Úë
+
+ÕîN ïa`0t¥€P½Î$ÌU4¹´kˆÚͳn ˜ɤ?Α`N<Ë’ihPÖeWړäÇ] wô^d…ã$_ÁÀdXÙpDÎKêDcñAjl‹D½/ÒSD!H—ûq8Ï0e•|UMNÕö%â•îMnÇC&ö¨Q†’LŠ— ñ5’ÒdµÓ㘹!¢ÞÂHÏÈ‹/+wºéh°\•uç·14è=ðêÈ›¹±VÖdšæ›SRÎÚTꘅ±ŠömJ²º1›ð}MHF+­¹üŸ³É[¬×c:IÍd‚ÈÜ)©å½¾¸!¦_no?}> ¡qwÀ‘: új6à”” ù6ž«$õ.§hÓЈ
+
+úî¤(Ûe•m‰Z7õØù8bÐdžû.žLß__cŠ©^ ߀µlÀR‚\@ä¼e«4â>ƨÀAÔf©¶´]ÞÔ€ÿkÉòy¶Êr0-š:oŠ²~¢µ…‡õÑÌ( ݼ5µý”ÀBrDÞxÿÔˆQêÂr[Q$ØÚ%Á… x ´fõŒ:á¸qog^PDODÚ“·Äât§®£l›L ÜÉ„ú˨&^ÏhaÛ¬ÿ^sUÚâÞ«ïõª&6°ˆíIM]˜¡Ê1ûý-‚^) $XãAq •³¶©±ZÀ-¡0wMKœÃª€N€Ç}‡Š{¿º¦I)›†)´¨ÓØØýÄEM²4ntðš6î%ŽwEÚ;Ø~瀞‰Ž_vF/®§“ó—C
+q‚Ž:#ª3(8& ¡›z…¸~'¶²}Õl[,¨)З ù&~i¥½ÇV§I°®Û#p ä:öpKš]]¤Ëøaë¾ ¯g¦ËÏV¦mªg>ëÿ Wüí¿¿}úãòÏ3Š®ò! øÞÎÓËK:ýäãôÓÛ
+$&;Ä¢n[“¿™í“©wí lÇv4bº7Þç«÷‚«p¨/HXö|ÃÖ•€ :M÷ŽxþåÃôí“AÜyœ³÷³Ý‰ƒØGw 뚆 {W:vGëUÔLé¨7?D€Gs&O!&àþ„¦õUp¿Q©¶7ˆÅÇ®UQ$’Þ1´ùW)c]øÎÂ÷ÿ8^weUvÛŸˆŒmÝ,[È’Wà»Æ D[œ@o¼¿t0eˆ%jø‹…€ÜÜ‘pˆ4ýßÇôrH¼lÞ³÷EU¯Ú»Íóƒ'åC-§ÂËö%Õþð¼Ÿ0 Ž–©x3 P…,‰B…uÑtGåÅékŸß¸^<šÁ‹cĤÔâµÄîM‰ø_gHCwr®_Ëûç›ò6YÙ•§zyt5KÁÑë¶è~¼Øe_¡Y•= í¢™Ž“+è~¹u0–F-Áñp:üA9©¼OŽÿû?èËo^­n"‡qÊ8dðqä•ÂC
+•¨îÿ˜êþ:šendstream
+endobj
+2406 0 obj <<
/Type /Page
-/Contents 1932 0 R
-/Resources 1930 0 R
+/Contents 2407 0 R
+/Resources 2405 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1909 0 R
+/Parent 2416 0 R
>> endobj
-1933 0 obj <<
-/D [1931 0 R /XYZ 56.6929 794.5015 null]
+2408 0 obj <<
+/D [2406 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-1934 0 obj <<
-/D [1931 0 R /XYZ 56.6929 581.7741 null]
+2409 0 obj <<
+/D [2406 0 R /XYZ 56.6929 562.0317 null]
>> endobj
-1935 0 obj <<
-/D [1931 0 R /XYZ 56.6929 460.6765 null]
+2410 0 obj <<
+/D [2406 0 R /XYZ 56.6929 444.3852 null]
>> endobj
-1936 0 obj <<
-/D [1931 0 R /XYZ 56.6929 366.7195 null]
+2411 0 obj <<
+/D [2406 0 R /XYZ 56.6929 354.5963 null]
>> endobj
-1937 0 obj <<
-/D [1931 0 R /XYZ 56.6929 293.4426 null]
+2412 0 obj <<
+/D [2406 0 R /XYZ 56.6929 284.7704 null]
>> endobj
-658 0 obj <<
-/D [1931 0 R /XYZ 56.6929 247.3727 null]
+850 0 obj <<
+/D [2406 0 R /XYZ 56.6929 241.0985 null]
>> endobj
-1938 0 obj <<
-/D [1931 0 R /XYZ 56.6929 211.2315 null]
+2413 0 obj <<
+/D [2406 0 R /XYZ 56.6929 206.0104 null]
>> endobj
-1939 0 obj <<
-/D [1931 0 R /XYZ 56.6929 172.539 null]
+2414 0 obj <<
+/D [2406 0 R /XYZ 56.6929 168.371 null]
>> endobj
-1940 0 obj <<
-/D [1931 0 R /XYZ 56.6929 96.3402 null]
+2415 0 obj <<
+/D [2406 0 R /XYZ 56.6929 95.6233 null]
>> endobj
-1930 0 obj <<
-/Font << /F37 802 0 R /F22 737 0 R /F41 939 0 R /F21 714 0 R /F53 1029 0 R /F39 899 0 R >>
+2405 0 obj <<
+/Font << /F37 1026 0 R /F22 961 0 R /F41 1218 0 R /F21 938 0 R /F53 1313 0 R /F39 1161 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1943 0 obj <<
+2419 0 obj <<
/Length 4190
/Filter /FlateDecode
>>
@@ -9436,1106 +11509,1696 @@ p˺ëæ‚[À‘ r8ô >ð >­EðI‡<ãt
ì`WAŠõÉóõ82ÒþÀ˜Ï9Ì7ÏÜÌÞ¶óMŒŒ® N“:å“ÄÔgÚ_ó€Íu2±@0°_¹šT‡ÉÙ’›ê’o:æ¤ËHÐŒoi!Ž,«ë4¸«Tz²ézVÿ–N{ÖJf†Nb‡÷ûW³¦nòD&3çMg,Âù²×/‹op…}ŽRcpõ7+z›@
‰PÍ}n@© rüƒva¢ ±}qM›ï9îîþ@™3}]}9O!£…ìX"B¾gøzPТZ†C1ÿ8ú|ãOù7›úyü]Wï
DrÐYúûé8ÆEôȵî9'ÝȇH¥ã$5öäq2U*tìJ, ÕÔ>çÎh¾P@N WNœq‚Gbˆ¦š³CÔUK–iC'vbÂ×<Ítþ”¨È¤q8`ûùÄ9‹íÎY&ñUfÂ0ϧ†!»³{i' k’fŸAÛ‘ÖñÉ¿T‚“L?óVÜHi‹ðæäÊŸ¤‹t˜™„Ã{ì=mtÀNr§”¯rŠ—$Ùtõ)Ñ’u×*?gT2ez¶aóäjkA3;ê•Pݺ\©ú‰ÌÃ4¿¦kn ÿÉgêù.—Ö'ë¡I¤cm?%%˜EE‰µ£"]x•r(`Nß겑LSs>ÛSbxW/V¨6+*gS8`¼jÚÔG¸UáúäôÜé*ß,ˆeÆZXë¡E„ã¡Óv;ÐþÆSi8¤KÝÆ8Ù‰ⵑ¸ú”ú“EE@zp~ü„q\ó5
-¾NQü­ñ—ÿ(·‡-_às¤þ*o‡Q¶ýô`“«¶»€qâ§ÏÍôÔDømÂ_þ™D÷+Ø
-Èendstream
+¾NQü­ñ—ÿ(·‡-_às¤þ*o‡Q¶ýô`“«¶»€qâ§ÏÍôÔDømÂ_þ™D÷+Ø
+Ëendstream
endobj
-1942 0 obj <<
+2418 0 obj <<
/Type /Page
-/Contents 1943 0 R
-/Resources 1941 0 R
+/Contents 2419 0 R
+/Resources 2417 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1946 0 R
+/Parent 2416 0 R
>> endobj
-1944 0 obj <<
-/D [1942 0 R /XYZ 85.0394 794.5015 null]
+2420 0 obj <<
+/D [2418 0 R /XYZ 85.0394 794.5015 null]
>> endobj
-1945 0 obj <<
-/D [1942 0 R /XYZ 85.0394 751.6872 null]
+2421 0 obj <<
+/D [2418 0 R /XYZ 85.0394 751.6872 null]
>> endobj
-1941 0 obj <<
-/Font << /F37 802 0 R /F21 714 0 R /F22 737 0 R /F53 1029 0 R /F41 939 0 R >>
+2417 0 obj <<
+/Font << /F37 1026 0 R /F21 938 0 R /F22 961 0 R /F53 1313 0 R /F41 1218 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1949 0 obj <<
-/Length 1972
+2424 0 obj <<
+/Length 2037
/Filter /FlateDecode
>>
stream
-xÚ½XKsÛ8¾ëWè6RÕÁƒ £ËYÍdl¯¥líV&Z„$ÖP¤†¤œñüúm
-Ù/veÝ&&ûš)’,tb‹²ñ©ŽãØò4¥Q[«"µÀžÚÁŸGU½XZ9X““BýÕR‘ìU­ªgU™y¶1ï¤xq’O‹Õ”ˆ‰ªe‘Ö†ò-kvömë8 T"΄€A’sÚš¹œ?N9Ÿüëv‡“ÙÂfÒI\­~6¤o»l½3ì6ïÖè;S[B¹1öInÆus|H/óÖ|MyR»ä9++mjÍÅ`¦@àYz%ˆD$Š»|Øû‚¢0ä.pë¤p
-ÍûX«Ôn¦´fªælw{µ/u¼ ²µäT=·Û¬Øšéï³dkŒ³~î°r2r‰Q©uY¥SG"âܲýì‘B¦fŒ)1±¸Ëç¤H=‚ÀqŒÇNRS%kŸ$H!œëPW:]úlÆ“ E„@¹Ã&C†Mõ.nîŒS–ŸîÛ[yäCŒ)‡6¸ØxªS@MaqQœC; $6#Ž)ÑéIbˆ±Òц\{:fycˆ¦,4Ñ ¤ß1ÇYѨªH4Z$yöw›°”–û$³Bt=+1+õñp(«F '™•nò ˜“õZ,Q‡ÀHËêCž¼Xqe˜Âd
-õ§ŽÂ»m“ pFÒ"àdÝB[‘Ї£!8ðÓãÒ¾­Á2ÙÒ@Þ¡Ý!L7fÛ{+»-ô¨ÔƒÅ:#Û…—òøSj˜óìÕ7 ÞǪ0là »H•6Ï´É&e:xëE[û)`\Tjç1J­ÉI]cŒÁî û0-Tm8?"BÍâ˜:ѺÏzŠCD%—ãXád–ßÓ P}D
-/tƒ¾Èö ?;½cDá„<iÖ&Þ,–³÷Ÿæžd 9ÂaHíVTñœ™°{U4Æ Ï dîS®t3e¸ÚYçµ>oýi}ÞN²Ú¬BžèRKݪu(FrhD¢ab:Mð;,¾í
-eþ=Þ{)ÊCÕç%È‚šÁê€ø/°$)×'´¿·ÖBŠöE\Vœk­;®3gXGDàë/Á³¯O º–®QÈ¡ÇË}}¹nº þê$’nD»QâÑ¢ë-ìúš$ßú€MÀGC`ý&ËÕ«þÅ.XšðoOÄÿ:®×ý —•k~ÒÕðnÿw/ ÖqÃnu'uýý™‘¾)0°÷ÚG% ;q¦…P‚CÀ†0'lÂ(…Fú aµÞÌ—«ÅýÉÏ‘ÎMg$8‚s]iylǶ§¢Üö4šÜ¨\m°ÀÂ2ÛmWc š7KÛq¯»5ÛÁZ.C]›>+=}ùøè@>M¬^×BX¾¶cƒåÇÛ†À".ÌÈ^ÆÛÅ ]1
-n1{wïäøħ6É1oήéew×µ—ß²Ù]ê,Òò¨ •7
-endobj
-1948 0 obj <<
+xÚµËrÛ8ò®¯Ðm¥ª!‚A‚G%–³šÉØ^SÙÚ­L´I¬¡H I9ãýúm<H‘,';µ¥ƒ€F³»Ñï™bø‘)PÑhF>â˜ðéæ0ÁÓœ}œ‹ãµH^ëýzòî–…ÓE ¦ëm–@X2]§_fïCs €g7wq¼üàÝÄ·÷¿þ²ü÷Ü#¡ÀÑlñð°¼»YýkîQŽ°1žýº¸û¼ød`óˆÎ—ñüëúçÉrÝIÖ—ž`¦Äúcòå+ž¦p‰Ÿ'±Hðé7Ø`D¢ˆNŸ3Ä}ÆZH>‰'ÿèöNõ§NmŒ( ¨C”ºÔÁ#0Ê´:Ö{©.ñîÖ'=T
+}?ú
+Ç« Ê€áˆS*,Jyl²²˜{Œ‹Y#ó¼ý¢O® Ø/öeÝ$õ9S1¿%[”‹u€„†§) ÛZ©
+š¥WüDˆaç—Q|äû¼5Ü&)Z†æÿTËÔ^¦´bÊft»ƒ<”Ê^?ÙYp*ŸN»]VìÌö7ŒY²³ÆYßwX>´ŽQÉMY¥QG"àÜ¢ýä äƒ§fŒ(2±°óç¤H„@qŒ‡-¥¦J6.Jà0B´ªC]ètî³z,b( Â.é3l¢wusg”~x¸×¶vÐS;lRàjëˆN1…ÅEpå$àØŒ´H‰rO‚¥²6øÚÓ)Ë4a¡€FH
+È¡'‚1Š|ö–¦(ÂA—¢’ãQ‡by¬²Òã‹á±) ̦¶»}îÑèH…­,6ejœv:Î"šÕ“Ü–&ÖÍ^¥Bõ©MG aEÁ^Ûø@˜Ad3äɺ1
+òÌY‰x³Šï?-Îês„}ŸÚ«Èâ93f+²hŒžðܧ\ªfÂp½·ÊÓ:×ú´:×›¬6§à'ê£ÔB·j
+†‰84"ÁÐ1[NÃ
+Ø‹o{È5Žì- ¡o§/Á»*VÍÅìTÔît ™ù!‡éövõÉô|#…òë;ÙlÞUºî"ˆñ­‹RŽ—Ks¿Å§øþí žf;•L‰J“¶mPÙ U@¡€½[ùˆùAËÓ§ˆ ÆÛNZ^ ½mZÔµÜxi½­ÊÃïò¥(”AÈ}§²[0Ð}$Œ\gB&ð1Sµ) ÍÊ´Ýv›ÿÇGó¿“…¬ÓJš^¡Ì¿G{/Ey¬³z‚Œ (Ð þ!ˆ{˜€£ˆrU¡Ý½µú\´Oâ2âÚÖºÃ)Ã*"
+9ôx¹«/WBçÁ_[Š¤[Ñn•8¸¨xó»¾&Éw®Ä&`„ÀÁ˜Eî 7ì£liº¤8D³AÛ,—¯Z ÙÀØÁb=W,Öb½n1~PÏ3˜È:;ý¢y[Ñt¶ê”/‰rZyNþßÖûâÕÝjã ­&,„9ó‡¹}“'uýýn½}SêÖ…Æô`ÒTã÷ˆÞâëµ 8
+9ãÿK‚ßçô8¬$TMç„Œ*ÉÍ2þð¸zX¯îïÕlœíéy”†G&$ô0~jŽ'ÝVRnÛ#Ìnd.wmn…ƒ8Ûº±ƒµª7±mº·Oz±‘Ë@7¦ÕLÏ_>>¶u>M,߶‹²xºi…ãÇÛÀ.ÌÊNNSÏ^bа|(>Ç‘-uº‰LŽ»ìYÚ’úQ2Õ£*øjí¸×F¸|ɱi„0¸"ºžkúXæáÅ•k:,=D“1Ë
+ ='ùIœrë¬É!
+ê¼áø55D$¤m¥=œZÞO–UYœé
+endobj
+2423 0 obj <<
/Type /Page
-/Contents 1949 0 R
-/Resources 1947 0 R
+/Contents 2424 0 R
+/Resources 2422 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1946 0 R
+/Parent 2416 0 R
>> endobj
-1950 0 obj <<
-/D [1948 0 R /XYZ 56.6929 794.5015 null]
+2425 0 obj <<
+/D [2423 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-1951 0 obj <<
-/D [1948 0 R /XYZ 56.6929 684.0716 null]
+2426 0 obj <<
+/D [2423 0 R /XYZ 56.6929 684.0716 null]
>> endobj
-1952 0 obj <<
-/D [1948 0 R /XYZ 56.6929 572.8605 null]
+2427 0 obj <<
+/D [2423 0 R /XYZ 56.6929 572.8605 null]
>> endobj
-1953 0 obj <<
-/D [1948 0 R /XYZ 56.6929 509.4701 null]
+2428 0 obj <<
+/D [2423 0 R /XYZ 56.6929 509.4701 null]
>> endobj
-662 0 obj <<
-/D [1948 0 R /XYZ 56.6929 470.2699 null]
+854 0 obj <<
+/D [2423 0 R /XYZ 56.6929 470.2699 null]
>> endobj
-1954 0 obj <<
-/D [1948 0 R /XYZ 56.6929 433.5878 null]
+2429 0 obj <<
+/D [2423 0 R /XYZ 56.6929 433.5878 null]
>> endobj
-1955 0 obj <<
-/D [1948 0 R /XYZ 56.6929 401.47 null]
+2430 0 obj <<
+/D [2423 0 R /XYZ 56.6929 401.47 null]
>> endobj
-1956 0 obj <<
-/D [1948 0 R /XYZ 56.6929 335.1577 null]
+2431 0 obj <<
+/D [2423 0 R /XYZ 56.6929 335.1577 null]
>> endobj
-1957 0 obj <<
-/D [1948 0 R /XYZ 56.6929 244.1508 null]
+2432 0 obj <<
+/D [2423 0 R /XYZ 56.6929 244.1508 null]
>> endobj
-1958 0 obj <<
-/D [1948 0 R /XYZ 56.6929 168.8052 null]
+2433 0 obj <<
+/D [2423 0 R /XYZ 56.6929 168.8052 null]
>> endobj
-1947 0 obj <<
-/Font << /F37 802 0 R /F22 737 0 R /F41 939 0 R /F21 714 0 R /F39 899 0 R /F53 1029 0 R /F55 1037 0 R >>
+2422 0 obj <<
+/Font << /F37 1026 0 R /F22 961 0 R /F41 1218 0 R /F21 938 0 R /F39 1161 0 R /F53 1313 0 R /F55 1321 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1961 0 obj <<
-/Length 1658
+2436 0 obj <<
+/Length 2161
/Filter /FlateDecode
>>
stream
-xÚ¥X[wÚ8~çWð'±ª»å¾™„´i“4èžîiûà`A}jì,†¤Ù_¿#KœÐ=›<X¶G3ŸæòÍÒÇðOúJ Ì"Þ#Ž&¢?[öpïÞõˆ“ ¼PДM{o.XØP$©ìOç ]
-a¥Hš~Ä··ã›óË/À
-<¡a 0\Ç7Ÿã+ûìvÑAün<D(%Aˆ1‰ç7“Éø,ø8þëâîÓõU<_ ¿O?ôÆÓ-¸æfÙß½¯ßq?…s|èaÄ"%úOpƒ‰"Ú_ö¸`HpÆü“¼7éý±UØx[oír
- Êe?`•cÕí6Œ°
-)˜¥¯çDCèå”ðBuF̺ª#Ê€ÃlÍò¤ª«H ÃE¯ÂÚ
-âj×6AZÀ&z–÷ëýRª£iX½ü†Nõ<Ùäkç\÷âò^‘S{³©ô|“¿gÀ'Àñ0ŽB*Ø‘˜4¤^ Š—ª£’vs›Š„ç¶4[éÙº\=DF`9¿
-Î u€kEFÎÚè®Êò'”–ƒy¹²@yóH(1‚B±@7k±–r¦PD€%¬˜­´Êê…ªeÀBDŠ®óïi).C'™8¥–`[ e¸í„AÍ) ‹¢´¯R+ùôCvU”ë-´¶¶Ýùú% 艞#l*os¨ýöÍä9Š°„&Ã"$”%Ìñ—øúöjÜq, $lpsÃÔL¥IS2¸ßdyj–Ô§1LÞÇp•öéùÄ>¼»³÷óúœåÒ>5{¬ÃU3úR!…¡bÇä¿’å°á¬\¢ŒÙ ¶Ç@!ª(RQ´Ë
-Áà"ö<š©­Ï§r“»å½ö¥_mtú¶ã@à@A[j«S¨¨*= Òj¾*—
-¦×ã)]»Ž‘VÊÀí,1ͨ1<HuÅjÊÔÜÝ?Û뺱Ý.²¦‚ºÌÓ™;hÄÜóÊÇþÐI’$'™ùë
-‘
-Uزo“Ÿ“É0Tí‘c‡ ™sâS‘Pªý™ÜZèB¯’µöÕ⺟+Ц*Ó0
+xÚ¥Y]{›8¾Ï¯ðÝâ§c„$$z‡§“Išvã´;;ÄÈ O1d N&ûë÷è &Nf·½@Wç¼çC™`øO&’#Lc61C>YmNðäÞ}<!Nfæ…f]©ùÍÉgTLbGa4¹Ywö’KI&7ÙoAòåËâêôü—é,ä8˜£éŒc|J®¾&—víË4ƒäãb9!q BT‹E88½Z.f§Ë³ëÏŸ.ÿžþqóóÉâ¦EÖEO0Õ°þ<ùí<Éà?Ÿ`DcÉ'O0ÁˆÄq8Ùœ0Ng”ú•âdyòÏvÃÎ[óé˜5—ˆ‡,šÌ@8b8·F˜ƒ f‚a$#µ6 ɘͼ”¶ÙìBôÇ3Î;’ñ6×Y¾U«¦Ú>-BxÈ£hÒU{
+ycumÒçÖ,ÆÀReÄHè-lKBµÉ›Fe/SÄ9bq$SWêå`j¥L0%C•quCˆã*½ÐˆÊ^˜`e/î«</WÅ.ÓD¤qðëòâµ>ãéÑ*Õ6mòòÎÎO—öi)µªÌ3«‘¶¬þ5å
+ipsïö¬Ô*×N
+—W×p ÅD_!©€æ0²wÃÅ/ɧ/—‹‘$'Ð|#"¨¼ÑùÑ4$¸Ýå…Ƀ¡ÇA‚åO <#»j;â’h§¿6«ú[{d¯Ñ†æ3_U.Ô_éæ¢uUmÐ;èpÞ…ŠðPtŽeï/ž{‘}’i±œª(ª'g3¸T›™/HPÙbƇ ßó<U»"ë÷Py]ïTö~ä@`@¸¯ A¬³²®Õj–Õëmµ1÷ïã`ÚçÛ;ض-zðá(PÓ§¹RYm´Ÿ-Wòïê À»È¦À_¬£Ý¢Ö~ÖO‹Õ ¹[±šEršˆD°¹<ÅóDF"ŒæøCŠ$‘<™Ëùü4œÃ¦ Zx-ÎÎ̹ ŽŽ>ðE‚ç1#7î³úìür±<Æiѱ%=ÎPw[ ©½-ê(þù]ij?ÌnŸí³é|nÐf”ɦ+Û_ŒµXztæóþE ÿл4Mßåúßh¨Â1kãÂdÌ®rÈ´…EkŽ0%²SSH¤¢§ß²Ÿ©FÈþåo ésâ“Ú¢‘ÿ='u ÊÝ’|¿t늀‹Ø t5‘¶n
endobj
-1960 0 obj <<
+2435 0 obj <<
/Type /Page
-/Contents 1961 0 R
-/Resources 1959 0 R
+/Contents 2436 0 R
+/Resources 2434 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1946 0 R
+/Parent 2416 0 R
>> endobj
-1962 0 obj <<
-/D [1960 0 R /XYZ 85.0394 794.5015 null]
+2437 0 obj <<
+/D [2435 0 R /XYZ 85.0394 794.5015 null]
>> endobj
-1963 0 obj <<
-/D [1960 0 R /XYZ 85.0394 575.4191 null]
+2438 0 obj <<
+/D [2435 0 R /XYZ 85.0394 463.2352 null]
>> endobj
-1964 0 obj <<
-/D [1960 0 R /XYZ 85.0394 427.1073 null]
+2439 0 obj <<
+/D [2435 0 R /XYZ 85.0394 318.8302 null]
>> endobj
-1965 0 obj <<
-/D [1960 0 R /XYZ 85.0394 329.3834 null]
+2440 0 obj <<
+/D [2435 0 R /XYZ 85.0394 224.0131 null]
>> endobj
-1966 0 obj <<
-/D [1960 0 R /XYZ 85.0394 262.8864 null]
+2441 0 obj <<
+/D [2435 0 R /XYZ 85.0394 159.9229 null]
>> endobj
-1967 0 obj <<
-/D [1960 0 R /XYZ 85.0394 196.3893 null]
+2442 0 obj <<
+/D [2435 0 R /XYZ 85.0394 83.8775 null]
>> endobj
-666 0 obj <<
-/D [1960 0 R /XYZ 85.0394 155.0304 null]
+2434 0 obj <<
+/Font << /F37 1026 0 R /F21 938 0 R /F55 1321 0 R /F22 961 0 R /F41 1218 0 R /F48 1238 0 R /F39 1161 0 R >>
+/ProcSet [ /PDF /Text ]
>> endobj
-1968 0 obj <<
-/D [1960 0 R /XYZ 85.0394 117.4002 null]
+2445 0 obj <<
+/Length 2556
+/Filter /FlateDecode
+>>
+stream
+xÚµÛrÛºñÝ_¡™>Tž \I"oŽ­$>Il×r¦M“<Ð"esL‘ªHÙu¿¾ ,À›()ÎϘ `±»Xì¢t"?PLMB%|I¨œ,V'dò
+®âUªç:ëè°˜òE QÓ]b§4š:‚F? Âk@pxH‹t×YYà¸.ËÜr„óP_IÉ,Kø‘R‘a9-Êu•UÃKáÔ£€O HvD‰Â$¨y†ýÒ`âuI :br ÖPP·gÏ\[”‡¾ˆ„
+•vG‘ ÖáP|Ù‚‚FP*„˜!ïÇŒ 22å"ê8øÈ…°ÀçÃ)—ÀH„¨y&[PÀLVá·Z§‹LŸÀ
+dt4VÛª¶P\/³Ùoä4JÓYúOYXHߌY{yÌ€‚¹$!¡rcQÿ’po·4ÊìEܧYñЫ–ÒÄÿéÚøÃnÝj žÄ—@ Š+0wëDÑìšrDvo–@=¦äX9Ò•‰2
+U*„ÃýB5(C©º6BÁHÀ­Tó4‡¤5ɘÕ1
+¨±T³ðç[ –˱@FC(ÛÅž’«'(P—ò¬qÙ{G¾hù˜ïíüìë…|c2øð
+ûf(óOgÆw ›^ÌÏ
+ôê![òè°h Öˆl½8J$
+¤m¸`É5\¸m¼á¢¡d£ïý~‹øBqÞo¸€l
+‘ e´…>pýçõÕ gtÄà ±+9CÍŠõKÎ&+æZ~eŸhô”&ôyöý- ÁGGL÷ÌXŸtoeÐ +øήî.ï¾ãj+ƒÂ¬ß¥WU¹È¬yÃØÖ¤Š"&›>–椭-ï‘rïÛ|v«˺'G®³\ƒ× áP‡ ‰z3à‡ Žâõݧ.§V->Nºö0`m{¨7í! l{iGë×NÏ8æ²aè³0 ‡=¶ƒ´ßa’ñ×óÊV ù9œ]~];™O#õø÷{fWe’¾Ãß•¶ˆm‚.óÄ«ê×ÜævW;ÚŽ_ßh¹­ÝG5­ch>b›íßÛé¦ Þ}oå-rç ¿÷Þª5}¦Úð˜¶3¥Ðý‹|›¤8°é˼ûýµÂ¹Ú‰ý1QÏ$¦pÆ̓}îT8]Aoe6'8¶O»í ¹+{¶ä‚®â8w/µ€Tb\Ñ(‰ÑþžßŒõo¬|ô‹4zÿ÷ïÉí¯ç"ôy±qãb!Ô
+`+”Ö:l×{ì/Ï»²ÿ#ÉRendstream
+endobj
+2444 0 obj <<
+/Type /Page
+/Contents 2445 0 R
+/Resources 2443 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 2416 0 R
>> endobj
-1969 0 obj <<
-/D [1960 0 R /XYZ 85.0394 84.3344 null]
+2446 0 obj <<
+/D [2444 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-1959 0 obj <<
-/Font << /F37 802 0 R /F21 714 0 R /F55 1037 0 R /F22 737 0 R /F41 939 0 R /F48 953 0 R /F39 899 0 R >>
+858 0 obj <<
+/D [2444 0 R /XYZ 56.6929 769.5949 null]
+>> endobj
+2447 0 obj <<
+/D [2444 0 R /XYZ 56.6929 744.4739 null]
+>> endobj
+2448 0 obj <<
+/D [2444 0 R /XYZ 56.6929 712.5891 null]
+>> endobj
+2449 0 obj <<
+/D [2444 0 R /XYZ 56.6929 647.0402 null]
+>> endobj
+2450 0 obj <<
+/D [2444 0 R /XYZ 56.6929 551.5126 null]
+>> endobj
+2451 0 obj <<
+/D [2444 0 R /XYZ 56.6929 446.5077 null]
+>> endobj
+2443 0 obj <<
+/Font << /F37 1026 0 R /F21 938 0 R /F22 961 0 R /F41 1218 0 R /F53 1313 0 R /F55 1321 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1972 0 obj <<
-/Length 2625
+2454 0 obj <<
+/Length 2973
/Filter /FlateDecode
>>
stream
-xÚ¥Z]oÛ¸}ϯ0p_ fù!RÒ¾¥MÚdÓ:¹µ Ün·Š­ØBdÉ×’dý9¤$ʲ³À"¤ÈáÌs8<¤ÃFþØH*¢bÂ8 ’29ZlÎèh}ŸÏ˜•™8¡IWêÃüìý'Žb+®FóÇŽ®ˆÐ(b£ùòçø È9h ãËélvõqr{õãÓ·»¯_.>\}9Ÿ0Ej|q5½¼ùßù„K
-C`
-&BDA
-Ãá,±}€ƒxg¤8QÿUZWç!Ù†ÙÚ l¬Õë+«ì9-t•ŒŸ³qŽ_»sË Š%X,v¯ÛºÄú:1Ë,­¾¤XbåaŸåËÖ¬üI)ÏÓÊZ(wz£‰sÜæfÌ´RIgébï é6è‡fö¿’
-ËeªMé?³ËoŸ¬&ÈSÒŽ(–½¾€
-8BHýÐÝ™¨f}›è¤ŠHL!ŸÌ†])—¤³a#eÒ”Kz²›¦($èXå¼®sŒ3Â#€ÓIï©÷ºHcœÐé¹7Kót¡1Ç9G|é
-"fµK¶ëlM“p¦
-ÊÆs'ûœä{[-‡¶äd Ùi8Á{ÂRƬàf_Õ¨öÁ©/Z;¦ü6»øz)ß!‹Ø
-}@‚ÈìúBNDl|9»Ð5)ÇS€©èvrlj%°“KeÇâ·d»a˜òòKöËìQc]ƒÙl,5¾Nó|bü£Î/d3›¤ÐA/&£z1+»CÌrÚ}‘t·Î"q"YQ¥E•ÕH£;" ‘Üèå £qQê2î,¹iÎ*l®¶é";Çí.õ–(PÌ.ʾdyŽÍ&Pî+³]¡ïá[–éc²Ïk«h_@ʨ°GãjàbRæNŒ‰@ HÈ›¤]në¬,g1±Ppz
-*}dÍüªLn¡¿
-ŽœvÌ 8æçP˜@,Bß³›b ÇOmV4îÀ5µ+ ]á͈ ;eQ'Y‘«Þ(Tªu¹Ï­ô:yN=9Þe V£^s‘ˆ­B[QZ§Œ´¥t\¿¬Ì°ÇepIMõfjs¿ýÖê( ô?T‘8 ƒ®Ôq4Rƒ')t«ÞÛÀI¤¢Ón9¡·¼' ÷¼ˆùnÍRC†ì#‚®øQ ™åºÎñüìJ·öÆÛQ&·w%Ûœ‡ª|H騇¦{=¼0¬jNnUd ºdY.D©Hù˜¸Ý¶§ømj‰Ö,[YØ´ڤ„ÚA<€ŽADÄ„êלÓéH€ˆ“2Y÷M*¸ùÆá&ЀÉnøCFhõLÞï²Â‘ÎIJÐu¹³×€j¿Ù$»WŸL5Ô ¯]Uïóòj¯i¶£fåÀ«‡k\Öl_ÅVi1phÃ$c¹„y<64Ò kûv¤NÄÆI™Ø<Í)“mlLƦkòs
-”)q÷Ü7’öö]bCî‚׸ÂCóа£+ÈÂðœƒ]©ã+ØH™ܾI]»ÏȃÔõ¤s-u=ônºzîÍð‰•Åö9•SpǼš¢K¦Ë’PÝi‘'¾²ñZbûSKd%¨™×jnöÜl@ýYì7:–ºé!­_Ró¦ ÔŠÁVCúáN{/[\Js‚R÷ÇÜ ~˜SJ¡ ê(VG¹ ï΂ ªÛ²ª²‡Üjj˜[
-ß­.™ã.KÃRî 3æ6·=´ÐÃÛ”V-¢ :ø-Æs„+¨ì=ÌÚG"ÎÜÃlkúâûüúãÝô“þ­õ6Mï™m´î‡¦Q´}ÆÃiOïÜXƒ]åP¯º¨WõÊó€´Mº&mŠ|LwVؼ påVL“æe«Ó›ìõãhmßZNêD;/ì/(ºÍ€tsš&ÝW3÷"‘æ}¾;€Ú£pWÜÂipí¡ã`wBëÏÃ9[aÐÿYÍ£­!‰yÄOzåd½òo.œÄ4–ž[³Ã‡²eú°_­Rg¼"Ç~Ë’è༢ÍOEÿúwþö¿‚öRtäy‹‡’À`åœÒócŒÆÙþGÀ¡ï“úendstream
-endobj
-1971 0 obj <<
+xÚ¥ZKsÛ8¾ûWèfºÖb€à£öäÄvâqüØس»S“9Pe±B‘‘²ãùõÛ(€¢è­Ýä
+¥ðe(„)ŽþÑmhͪ¥C‘"ñeÂã‰pnI„УI,S?\(‰¬³7¸¸H¼YNm“·Ø‰½v•oNXâéñ¬¡ö5/Kê}dð¼•Å<k‹º¢ÁEÖæ§Ð /›·ÅËðTÞÎa5ÁŠ ò®ó7½y»ÊôéE5/·‹Ü M·GF=›qЈbʘŸJÉÕ½`}½~†ÓgeNš}-ÚõêrWSÝ—|Ó
+ ÕË©‰î‘0çµj49¯«6+ª¢zê­ú‘¿Q§YÕÛRS¯²—Ü¡ã^óœÏ‹ïAÀs³#JBA6ñ®–4VÕš)E=UHœr4å¹€¤NIÛ$TÕ½º¥¶Ð¿·M¾8„(æ¾dà%F`SBG¥€°
+bì|
+ Ynêu™Íòr V§¨ȈhÍa EÒ‡ì)}GCÕˆ† •ÒÐõP†ÔO¦æÅ&Ÿ·5­ïƒ%‡Ô0ŠÆ™ë¨¸sÌN‚ãÄå\pÓÓ°C.O±¤Í@ƒUÌW=òÆŸ¡.MÎãø¿V›ëÌØЦhÛ¼:¬ br½£ ‹jD†JéâÇAk;rg-{GZ‹}¤ë×TôÁŽ}´Ð€ne²Wȉ´ÐMÐXvX‚„Y¿“LØT#4TJ‚ÏChf˜1{ÞÔm=¯Ë=4‡!àN†ãÌuTܹ)xêÇ"Š]öÎÂäzr=JÇ5Kjê%+·9u—#J“‹.ä`a˜$:!€ñþ6\Ŝɨ©¶ëY®w›åíkžW4h2ôvØáRZ›«BÀ]Ò vSˆE¾Ì¶%fH@ªKROÐOL$¨f5µÌÝzpþ¹nŠY8¡.ÜÐ Ý©ðÂ!ÛýÒ\g½8 µU‰L¨ ƾ]~¢.…Ô»T†¦mܪêóf;ŸCQTo£6 c?¥G­Muµ•Bm;˜CcbIûöœ¥ÀP²„ã|uTŒõSà@`ÎìJˆ¯Ê–
+4¢Bèn&°
+€eÇ${ç`ûöάõ‘<";ÃN‡zü¡Ò0híÃüÝö¤ö‰K¨öiFElÍ–Ù¬(‹öÍͶ0_µJøúä¬ÍyÁtfcêÐ0wÑo··çòj¾y{6¹*l{ñ"e¾"G¼Muñ•BüË°ŸPåhÍ—ùK¾ï¤<†Bm”³Žj€5·úg>—‘ËÚPʑ϶OO]1¤8;,3 ¾#3‹jDf†JÉl/K¶è# ÑÀ‘NvøI÷Ž<+ËúÝp ô$ö9%U8Ø%U8ŠøÂÁYNí“Î-4 R«h¢Xê+MÙíwuN3¯ô>‚CÐÊb‘ëqUÞà0=Êà•ÒÁ¨ÍBD@e¡a
+†öjÌTŠ©ô¶ªòó—º|ɨ7S8uYN¦<ôÓ
+"êI=áW˜j5~n1xýenFñÎ"o†öÁbça@‹ÅšMh¶j[ô=?•®aò,ÚS2â¡w¼®©+¼ã×®·èz+ÓSwÂÕë aØ¥côy±{ ¦E-¾½lIæ,&$Áè[žm4Sè9òYÕ€I’žOD’:<œ®êí†~,²·F‰´üTÕ2_˜(óì™zê0´*M·®«v¥7uOWCÝyÁ㬭 BøaŽ·8AzÓ×ITO뢩4§vIˆ§ma³«^ðqë_'®Ö–­û^c)ø´ÿDc+Ãz
+³”a½4PŒV#…(KŸ§é;)½Mu8XwT*Xß¿[ˆâG©õR]¥ŸæDÜ’÷øë¨tÒœ(ö£fuž“ÙBi´ d†ÔCcº{QÁ¢‹F(øaeV×ÔÎô&ú­Sišîù Ÿ³yê-[=Ô´rºš‰SŒäf>T¥ë2öc.¤kE¯…ú.síè¹ù„·0¿¨Õ~Ž+ô…¼XX{У­µÙ¶1©»@«_lqkõN žü¿µ´zª®2|,{|L?SÛ=íBE6Jßw¬k¦
+wó¹æt/S5å‰eßÁ'Võ+6‡ Ap?Nâw2}›jÄ •2„³wßÇì ô…dÉ8{Õ
+IÌ\ØÁ]‚;¶´î8D Â`ZQÕÔ¦‘\aZJÂ4N)Lã aZÈn#Êï#Lck0}…ig'B±áDm*Ìï>âÿgLÇ1TPùŒºÞ|¹ÖD
+Ð߆Œÿ7ˆ~lí8Œg¢ÙçÍEsâÇ1D›9 æD»ìh0'äÔ±5`¶©rI _òÈo#(gøÕ’ºnƒƒ6ˆNŒ7‚FCÆ÷¶gÑI°C4ž<.¢é æ“ çYc'»*+ð®ZS“(ÿm½â[1ÀJ:O©c€ýgíú­·“ÝÇ:4“ƒ#¤83 Û «zþï¿ÏÙý5RƒOH<D‹
+¥ËBÑg½ûKž}Þÿ£"ò…endstream
+endobj
+2453 0 obj <<
/Type /Page
-/Contents 1972 0 R
-/Resources 1970 0 R
+/Contents 2454 0 R
+/Resources 2452 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1946 0 R
+/Parent 2416 0 R
>> endobj
-1973 0 obj <<
-/D [1971 0 R /XYZ 56.6929 794.5015 null]
+2455 0 obj <<
+/D [2453 0 R /XYZ 85.0394 794.5015 null]
>> endobj
-1974 0 obj <<
-/D [1971 0 R /XYZ 56.6929 749.0289 null]
+2456 0 obj <<
+/D [2453 0 R /XYZ 85.0394 287.1527 null]
>> endobj
-1975 0 obj <<
-/D [1971 0 R /XYZ 56.6929 675.7286 null]
+2452 0 obj <<
+/Font << /F37 1026 0 R /F22 961 0 R /F41 1218 0 R /F21 938 0 R /F55 1321 0 R >>
+/ProcSet [ /PDF /Text ]
>> endobj
-1976 0 obj <<
-/D [1971 0 R /XYZ 56.6929 599.4635 null]
+2459 0 obj <<
+/Length 2099
+/Filter /FlateDecode
+>>
+stream
+xÚµYKsÛ8¾ûWè°©f…àI
+?ÊÂz³âöñJþéœY©(ý«¿l[‹v³öYgEXŽèì9“h8üubõµŽ3«Ój©u¡±µ#ßB­AFøëáuZ‘øöÈÅ 5¹ c¥ÌC‚c—•,»(¥]{Zmê­…õ¥{¶©€E “›¦eÃ$°Ê™°”
+žl’©ŠØõY©ð–ó²x#ŽS°1 â>§ ÞÀ-ÁãoXàkÏ¡uúâWë4,<0àbì47e5eõ2Ú{Ò®ÊgóÁJ>Fà„8
+S¥mÝ9z…ÂHRybjèkµ½€ð@’ „%=[Ÿo˜È¡S öˆ¢¯; J‡N÷ò¨ ÿh-öÚdF2HÄ1ñðbY¤ks¨#¡4;TOë ‚ÖI ^sºjè4Tß)ð=†Fœvõy
+¶|j§òÖ¦½…ûäh‘„ÝJ×ÊÝšøF‡b­ZÀh£¤<Òª‘;»áÜFšr¾x[@œw°6+†¹ØlòÀrk¦wC‡ÄIìÉKŽE ›}²3Ða4„ ˜Êáøõ{ñø½SM Ý év{¿_™X”ÚöÉà (k¯ä2mG®¤ý”Ú‡´B÷¹*¬àX3/Ã9hß¹­5bÏ<+´—0
+Ñ$ M?4EB?º½ºp9f<b®\Ôž3žfÑK
+&!û£Q’„Šƒ²ü£“>ÿ Ùœ„dS•M9/ÿ$vÒíÿ8h7b‚`ûuZE|Q蟇õ\ ÊõÂ<Áâ÷–Nã®w}ÒŒ1Pø0¿íæ¤Í#]ÛÆöžNÚËÍ“ÉuP5´÷ÃK…Ÿ!b¿+€}û÷ È‘Œ»1à¿þ³Óî
+@’)Eã¿™S ÷= ²Ên†p~øg˜J V‡±ÿ )Émendstream
+endobj
+2458 0 obj <<
+/Type /Page
+/Contents 2459 0 R
+/Resources 2457 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 2466 0 R
>> endobj
-1970 0 obj <<
-/Font << /F37 802 0 R /F21 714 0 R /F41 939 0 R /F53 1029 0 R /F22 737 0 R /F55 1037 0 R >>
+2460 0 obj <<
+/D [2458 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+2461 0 obj <<
+/D [2458 0 R /XYZ 56.6929 632.7441 null]
+>> endobj
+2462 0 obj <<
+/D [2458 0 R /XYZ 56.6929 393.4246 null]
+>> endobj
+2463 0 obj <<
+/D [2458 0 R /XYZ 56.6929 322.7553 null]
+>> endobj
+862 0 obj <<
+/D [2458 0 R /XYZ 56.6929 278.4974 null]
+>> endobj
+1455 0 obj <<
+/D [2458 0 R /XYZ 56.6929 239.5941 null]
+>> endobj
+2464 0 obj <<
+/D [2458 0 R /XYZ 56.6929 205.2551 null]
+>> endobj
+2465 0 obj <<
+/D [2458 0 R /XYZ 56.6929 131.664 null]
+>> endobj
+2457 0 obj <<
+/Font << /F37 1026 0 R /F21 938 0 R /F55 1321 0 R /F22 961 0 R /F41 1218 0 R /F14 964 0 R /F39 1161 0 R /F53 1313 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1979 0 obj <<
-/Length 2140
+2469 0 obj <<
+/Length 3070
/Filter /FlateDecode
>>
stream
-xÚ¥YKsã6¾ûWè] <<jlÍÄÉŒfÖÒÔnÊ™MA+©ˆ”§œ_¿EÊ•­9F?¾î†ÉÃ2‘a–%“4KÇ„OŠíž<ÁÚ‡+âhbO©Þ-¯~~ÏÒI†2AÅd¹ð’KI&ËÕC4ýòe6¿½ûÏuL9ŽÞ¡ë˜c}šÎ¿N?Ú¹/צf‹ë˜d’g@Ä5™ÀÑí|±˜ÝÄ¿Í~ÿ0›_[þz5[öb E'˜i™þºzø†'+¸Á¯W1à6ù‘,£“íUÂâ c~¦ºZ\ý«g8X5[CªàL".iÐ%BPÆ9)ƒgH0ÊŒ2à³û©¾ïrvkow³ƒ÷wApGàDZÅXF)IÃâßU;*2 ¢è
-Ò2îöÍvW©Nµ N*£öPªmׇªz¹&„D?Á¼äQÙÙõݾ¬;C›E¹ÛÒÁÜ“7kûÛm”¬›ýÖÊŒäfÉDP'Äo5üC?æyþc©ÿ¤Ž¹1Ľ¶ac×X-Úó`Ðvy½Ê÷×DF+;ӺݡÏbGËMÙÚiÿ›×î{¥ê®ücZä]ÙÔž»Œá*'‡¢í@o«”çÜÙßMî&žT­öy§Vè¬/cpA Qõv¨Œë‘dhVJ6à¥õó&éé¡'°)Iß>µ§z}ìÈ’Ã8ãcµ96¤%˜8›{¼ÖfoÕYU =H’ ªRWUOuQUožzTÕ«cƒª >ÒF  Ϩª>lÕ¾,ì‡qvµ³?-xñÀM<wæÕS³/»Íö¼‚…
-£ˆ¥R\ôÆ#0¨½vŽ=¬›¦3˜“:Ø
-ÈI(ø 9'%\ö´†$¦éqÜþ‘<îî4#`mAœµ¥5÷r£BRf(¥½2Ñ âÌYKC*Ãb þÊõOª+'ûmê =°^S4>%ê¹n“wŽ‰Nzð¨,`¨öÆô,xE3à/¢¿›Ú?EĪt'uP8V:DôªuÈ“îæ±UW"ƒ#O¹ùøõvÖgóNmÕ ºt]4¤°fÁ«0`€×ìyƒSJúŒÔ_)ÁCí&ÔÔŸ$jwª°¥‚]6àP­Z]¾J(éÌÍ®y|† +›Cëö©â
-ž~]þòùþ²fï
-¥kšêMO´â,^êf×BxœZ:ˆM%(‹ê
-\_€bcWÎq6*LDz?ÂÉkìâFXßÅ!nб>KÁámùw“IŠ=]\Ÿe%‰.º—]ˆôÈÐß{±â"ÀŒ2ȺØ7£E•·mœ3$¥?ñ›UÚC¬úÑ:ÀY@(ð¾LXWùSˆq‚’T’ž³Í0,''Pù?]”ß9*àK@Pq‘^bÓþìG»ÀAG"éÑe·oº¦ðQ° 8=gà ±+÷]ý
-£f»RÏaáî=¬gÚ^d
-x«ê'Hæ—\­çÙxÆL_ßÖHÆ$öÁèŒßmÒ3~¾(l¥žUõݯ>bÝ´ )Oq2Æ¢ÛÙâæþîËòîó<Pð¿•€*2ÄiFÇNgËvibÛŽÜダª4u×B×&ïõë}Ò•Q”®(j[âK¨ëì¯Kl2¢œq·£^¬é¤§ŸOî:;¥ËF^^ú‘)óªmÆ/}hOžR­[ó] Ž–‹»Ç>kyaíÍm^sÆjˆ¼s×n5†q]»ëâc§*ý\NBþ iÞu81B¡Î‰7£i»q= lúƒé3=–FFX0wn)šíÖ>ª²VÚ ³Õ¥fÑ{‚åoú?‘¸"ROnmçFyWlNø›{Ø£×+Ám3ðññ ›o{lé?²Þ÷MYlÎöÍΪA?„]¨=?›
-endobj
-1978 0 obj <<
+xÚ¥ËrãFîî¯Ð-t•Åô“ìɱ=cgv<³#¥jó:PTÛfE–‘ÇùúhŠ¤hÍaËU&º‰n ÑxSr"àON2 ›Iš›Ø
+i'åó™˜<»÷g’q¦iÚÅúq~öý;Nò8OT2™?töÊb‘er2_þ]~þ|s}÷ßó©²"ú1>ŸZ!¢—÷?_þ›æ>Ÿç*º|3;ŸÊ<³9 YDKDt}?›Ý\M?ÜüòþæþüùOg7ó–­.ëRhä鯳ßþ“%œà§3kØmòË<W“ç3culÖafu6;ûO»aç­_:&
+«³Øf*‘…’)ãÜZÕ†ÍãD+í…q}3»úr÷y~÷ɟƯ9ÈOL¦*E¢2¼\×µ+§º×G·ftÕAOElS «PÜ®h\}>Õ‰Ž`C›$K‚VÌ\¹ßË,rí{˜–4*xùÒý.„Z»% «5=¿¼ã”Õ–W¬—ƒwFh™˜<ºkð
+
+X/ Ü4µQ±ª7…ÓЈ“> Lík~÷R5OÍgwï ÂÓÍÏsíŠu]”Mµa³êq]4ç2âƒ×x`¦]Ó³{^V¼’΀ʌ‘D—9¨§?èŸk” Tøî•ã
+3”†"wဴàõèEÕ=÷5L
+¹+F3„¸yq_I1.È0ý…iI6¡û9‡æ( O÷÷vU•Uƒ± Çý‹‡õœahñF>©¬ŽµÈÛ|²c›F(Ì ç¼´q›rkÙ²æi-:ª£CX^u°VñB„Ê0–yšö•¦µÊ7RaH
+¥kŠeѨ"~dbmïøK"Ø@,òô¿õ!"*XGš©¾Šq¯MâW°rµ_:pñš ïßÕ4W’*lœ0³$3—ü ­».‡¦ëfC‹—4æz‡6Ú¼]Ò•˜Ö2¤í6ÚP”F”¥ûXÅVø‘ã8<ɺuÚO43ú(Ïç-WSœßîàø8‰„ðæ $ÑeƒLŽ½rMÉqK‹?þñæÜgê­|iºªÛ=
+‚ºŒœ Ö³.®Ü°û
+ç8hAPƒÝ|Š…Ÿäïî¯ÿu*VÂb
+2#2µÑl8ö…aÏz¿Ýò×Ö:ôÑÎó›>"ËcÈâõiÑAzÛC$Ïu9þy BÙU® k9JŒ•¥‹?ÅV‹tÌWOHZÄÒÙcìn½Dò¢1:(… ßÈŒÿ0€j›¡þ¹¤—åfÝ•¢½U”ŠPƒGY1öSñÕõðÔ ¬ÃQ 1Å2ÿåæ¨/€›!6·÷þˆÂÈáçN_›$êÁ»û~v¼<⋃ò †1"jÑ~yý¿íqøU‹IcejüÒ´0+å20…‡”ÆYorÌûÿ
+endobj
+2468 0 obj <<
/Type /Page
-/Contents 1979 0 R
-/Resources 1977 0 R
+/Contents 2469 0 R
+/Resources 2467 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1946 0 R
+/Parent 2466 0 R
>> endobj
-1980 0 obj <<
-/D [1978 0 R /XYZ 85.0394 794.5015 null]
+2470 0 obj <<
+/D [2468 0 R /XYZ 85.0394 794.5015 null]
>> endobj
-1981 0 obj <<
-/D [1978 0 R /XYZ 85.0394 752.1618 null]
+2471 0 obj <<
+/D [2468 0 R /XYZ 85.0394 751.7313 null]
>> endobj
-1982 0 obj <<
-/D [1978 0 R /XYZ 85.0394 531.002 null]
+2472 0 obj <<
+/D [2468 0 R /XYZ 85.0394 629.4849 null]
>> endobj
-1983 0 obj <<
-/D [1978 0 R /XYZ 85.0394 468.4168 null]
+2467 0 obj <<
+/Font << /F37 1026 0 R /F21 938 0 R /F22 961 0 R /F41 1218 0 R /F55 1321 0 R >>
+/ProcSet [ /PDF /Text ]
>> endobj
-670 0 obj <<
-/D [1978 0 R /XYZ 85.0394 429.776 null]
+2475 0 obj <<
+/Length 3191
+/Filter /FlateDecode
+>>
+stream
+xڥ˒Û6ò>_¡ª=X³kÁxð…ÍiÖžØÎÄŽcM6»•äÀ‘ Ë©ˆ¤'“¯ßºA%¥jKÐhô?1‰–h©'©ŽXÌE<Yl®øäÆÞ^ ™y¤Yˆõ¯û«Wߪt¢™Nd2¹_keŒg™˜Ü/™þ‹ÅìVàÓ7çóÛ׳»Ûÿ¾½ýx=:‹õôæÓ§ÛoÞÿçz&cÈ€ÊùôÃÍÇŸn¾Gاk-§7ooç׿Ýwu{ß“’.¸²4ý~õËo|²„|wÅ™‚&OÐáLh-'›«(V,Ž”òòj~õc¿`0ꦎ±"Š3Ë(™ÌTÄ2Øœa‚¥B
+¿Ÿç7Þįà3w#fE@1}‰Ý®14?%Jå#AÍÛº2U{’‘I*YÄùN†X§YÙc9^®Ft,S é÷ªÌÉÒœÉ,ÉΓå‘FÈ
+9®c&°Ï²æ¦µº¡ÐÚF³5‹âWÎ¥ÕÅcPe®€27XTØûA‡(¯ÅÔ”4±^ ƒxþ
+›Û]aý°m®=6ò°“?ûÁ2V[OEYbë¦
+©šbOi-¿3÷H’rÎ 1 ÑÉÇ8{pï ­›‚eîO¯ŠÞ}2Zi¥¹}2.•…Nh`ÇœÇSš¥š§C'ã˜aæëv”RÎ:ÎyÀWÙƶXo±,ñ¬O¦÷VØóÎYzX :wÛ
+ k¡ÙåµÝ¥ÕRRá×ùQÛ
+—sÅétS/Í?A¢¤šÎ»-™€‹-0ÜU•±œq.QÅÉ´îÚm×Úà&³©Ø¢ì–ÓÁIâ£_—(ªe±ð%B’Ÿ¯ãX¿®;¢¢9h¡}éîJpK~P¹:̈gM‰ø«ŽU3•öᱶHA†—Áq± ¨Þ¢-¾+dÏÅJ‹ê{9Íù<¿± ‰i
+íMŒÄt»‹µ6KnLLçb¶h
+ÓVµ’SñýLÀÜîSr»Ð3øÒ -k¿+±ØaR÷¯Å’¦ç#FA´ ´ôØ+`Ö+\d,²ì@È{•>4A6îO}ª„±X™ß»bØ–/Æz#ÕK®ÞÇ'vÊ€=ö
+tì>¦l$qtFšèŒˆÎÈ.²¡Õ`chãˆ6‘ƒ“Øaûæh´}j´ÕöE¿˜ó±¬þ D$Y“þ1`STÝaÁ‡2•!%NÉÁ4‚‘yyTü ^MƒòŽâ4š?ŸÎýDbÿ}]¨î„X§µ¿ÇrÚߌi?D¶¶äåƒô©Ûõq #
+p–¸k„ºAÌ! ÷—I4$ï èàÞ=qK•ã¿£ÌA|)ƒsrv¨ ÷
+=¶J±ä·Ÿð1~_º€ïè±!b÷¯‚bFÆ„LôP¦ÝŽvlK
+818ž¹—Æž¸ò5°m·ÛÖþE×Ä°ÂqZ^ ÒË´¼ð댼x,'/÷cò"íÿ*¼çÜíœ;ú‹FÌøEÒz¬Úÿ¢¡ˆJ‹ì+YÚÿß ŒÄz¨zµ°Œì³›\ã—Þ|4ÈÂe¹ÂA<Y.p%JŽ¸rgŠÈónÓ5-.ý@[˜KW¶Ý?ø˜RƦ3} fû¢(˜må¿
+
+gÐq©|ý²RGô7 ír%X@<9…îÏÆm_”¾‹œÖy ­ë¯êË¥_=™{ó(+_ïíÿÌ°÷œ¿k«| |~2Øgô_ào¤f÷0‹@žöýcø»7¯g>Ú¾y· _Õ$8½{³õ&ýtIÚ—ßbfÿl5¢|â¯ñÿþO×þ¿kQÊT–P%™ÆV•O”埈’cËbB"GhÿïW“Ðendstream
+endobj
+2474 0 obj <<
+/Type /Page
+/Contents 2475 0 R
+/Resources 2473 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 2466 0 R
>> endobj
-1984 0 obj <<
-/D [1978 0 R /XYZ 85.0394 393.3396 null]
+2476 0 obj <<
+/D [2474 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-1985 0 obj <<
-/D [1978 0 R /XYZ 85.0394 361.4675 null]
+2473 0 obj <<
+/Font << /F37 1026 0 R /F21 938 0 R /F55 1321 0 R /F22 961 0 R /F41 1218 0 R >>
+/ProcSet [ /PDF /Text ]
>> endobj
-1986 0 obj <<
-/D [1978 0 R /XYZ 85.0394 295.9604 null]
+2479 0 obj <<
+/Length 2936
+/Filter /FlateDecode
+>>
+stream
+xÚ¥Z_wÛ¶ϧð[”ÓZERΞ²%í²Þ¤½Kvv{Ö=ȶœèÔ–<KNš}ú  MÙ²“³µ¤I
+ØðdÁ»—‡ùy[ò⹡o–;{·Öq*wÕ²„ Ê, Þ[U¦MýXÖ8CiTŠƒjN3ífúp\nµ³}º÷æÍbÑ<ÝELÐëDÊñ
+L¼‚RÚaû5Šâïæ¬aò¢g`l«àtÙPW§O®7s½Û3{ÂÕËÊaø 1,/íïB°é¡6ËÕ†lT/{.‹5+õ5ÒѬD=k 8x:§,‰¦N¬ÆÍfM?fÅskL §|_7kr$˜X”ÅŠzFˆL·lêî™ö¥›!'/: ÎcõT–߬xO¤·}¾ v6µ¬j°Š¡ÇeH­ÊiWûÛKn,Eü~¦ak°ä ZPãðÛ˜Ò; ø]qÐñGkæT\gíÁ@ ™S¨âô…Ôħ:¨• ÔŸ‡u–k¨á)ß5s³•ÝpÄa’½¤Ÿ£P°®“4L’\÷5äx[Ûf¹Ñˆ†ššÚ§‡Êø4L4‚yŠù]ÙÕ µf²ÚLUû`N›vBþdžóWqœÏ!vÙitY 8tÙ5,Ô¤: ÓXêÝð¹X „cô‘êéb3#ÔÇãcçb£/0ÈK¥Ç£nº>³Mk™½@Û‚;2ë¡ ‘â¿·Nõ-;]mõ˜ïè1þ@m³êª†9>JÃi XNÊ’±z½Ý»qmšå¹ÆWˆ‰uó„ÍaGˆ4<W’ìGð¨Ž8‚¥2Žp>äðzÐùkü@…R‹ì¸zŽj@¿¾ä¡”Rô$?šïAì`OEjeý Ge<;•]ßP;a‚C°šF¸–îÄáne!ÜájßçL¨džä
+aÚâ:³aÜ
+„sU"Þc/,®³h‹kÈûã\öq €,îïí¥^´~Ja5ÀDâŠÑÁQ\ómdwxi‹—| ózvˆ_
+Ê®o¨¥úX ×Ì¢¤»ZFÂ¥¦†…IMY’y&f|ù”cÌܨ]4õ}¹v÷vPÜÍå^¤8Ðá›Î»eñìÇÃeaî1 åªi«®YÓSŒAû
+£≢Àoð•YhdÊ"èù…“’
+d04¥3a\ÃœI3.LÂïòû
+¤™ :3…ËiÙ¶ÆUaÒ½!n@Úz+ÎÆËÜ• }…¶ðÉ£Ã
+ê ;ù'UÑa íìï@]tïc <©óhû1† úáòæò×süRwwyAL>^~yÅ™ßñ4¬ïk%ÜíB'6«¬[Pi Nvï¨}ž ¦ÊN±Ô‹¹š)”åÖ{ç›Å6xÆYJNOÌլô µ-¦çôyÁ>‚q
+ Ý#Õpw¬«iï ²ýÒèÕ¸¢¿²XÜ7k…˃¦Mt‰úqËni–i^´ëy[³î´ª'ðPü1>K^ÄÞÖóm2…ÏDëìó¦éLÄgÝA;JâŸó ì+rwÿþ«¡í‘¨4”Yv ¨$ÁRB¤e¥p÷B퉆ëIgq: ûÿפDôendstream
+endobj
+2478 0 obj <<
+/Type /Page
+/Contents 2479 0 R
+/Resources 2477 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 2466 0 R
>> endobj
-1987 0 obj <<
-/D [1978 0 R /XYZ 85.0394 212.4297 null]
+2480 0 obj <<
+/D [2478 0 R /XYZ 85.0394 794.5015 null]
>> endobj
-1988 0 obj <<
-/D [1978 0 R /XYZ 85.0394 107.4752 null]
+2481 0 obj <<
+/D [2478 0 R /XYZ 85.0394 658.0977 null]
>> endobj
-1977 0 obj <<
-/Font << /F37 802 0 R /F21 714 0 R /F22 737 0 R /F41 939 0 R /F14 740 0 R /F39 899 0 R /F53 1029 0 R /F55 1037 0 R >>
+2482 0 obj <<
+/D [2478 0 R /XYZ 85.0394 153.2806 null]
+>> endobj
+2477 0 obj <<
+/Font << /F37 1026 0 R /F21 938 0 R /F55 1321 0 R /F22 961 0 R /F41 1218 0 R /F14 964 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1991 0 obj <<
-/Length 2950
+2485 0 obj <<
+/Length 1727
/Filter /FlateDecode
>>
stream
-xÚ¥ZKsã6¾ûWè(Wh
-dzéãç›pâšs>þ@ƒí‹¢Îk^îMw³oZêÍõˆß=Ðó™dwÅꚧÐeÂàTYnò
-&9®Çã‡/·'_î¤û8}¸¥é„ž‘³p¼ çA&¥Ð´FˆP"äÝ[BÆz„u#aj1x6!;H.à6C&ƳÕ(šÔGk¨Ÿïx3±È-¤¨U5E[¼ª #, @¨RMØSÝ"2ÉÆü'<CŒË[Yi" C²†”¥lümz‹'¦™¢¡6§˜µÌÛz÷Nж6¨Í¶TU™uór]ïŠöe£WLÆð’Ùgzë, Йõ戩¤ °âR-‘-œ‘4 „£4| ®½-zÒ‹B{ Åeˆ+
-­| ±œ4:Õ~3W;ê×+jçEk`E…-·×|Lop<†¹ÜI”1TÂ.^êb¡ü•«;úືT[-³~m×·‹tâ«%g†AÊCîëû¾!Ádê ªt¨yK=²C"ŒÆs Z™®jß”ªêN’4è¥Ô㛵}“…“ÆdÛ‘,µÎv\¤Dn×£iËbÔLÞmžDV[¹Ý&vÄ)ÛÚmàN8£ñ|Ì™ˆ SÏL"ŠÔ_ùÂ,»Ù—mÆ„žð
-b„$…ZKiHÓÔcˆ … …se[K!<ð#ý&Š%3ç>£±2‹ƒDr>¬±.ê¼Æv(­±ÕE­òjß·=*K³aâ:TužÊ
-^œ Ÿ<OeEœSú­BèO8\y¨lü¥¿ÓÔ0–¤©8e¼¶yM3!rÙ%xð.õ” G¤K0JYhÙeî–U ÂDcJ²
-~TaRw»+6Šº+MO½¡—¿}úHÃB†õÞŠ²¤Þܼ‚vàÅʬW7M1/Õ?P ýÃ(ñ­h U©'ÚXR€áû qV|CcøAñuQçÅ·Ciñ}9qqÀ²ä–Ô³¥+’ X’mùuWT6²2\øÎð¢Ùo6ùÎè|½:ªˆÔ[ ¯š£¤Ë¸‹=VŒ!Eö^e R"1z¹¬šF-& ã M=‰
-£PÚZpvÐ |ÅcOM…9sØCãEÓ©÷¼Îmv¬gªížò¢ãÃÂ¥Œ¥}âqt¬Íš
-endobj
-1990 0 obj <<
+xÚ¥XOWã6¿çSäÐCòv­J²$˽ÈîR P’íÛvw&Vˆß&6;ÐôÓwä‘l[8D’Çó~32ëSøg}©ˆŠyÜbA$e²?_÷hÿž½ï1G4DA—êhÖûù]õc+®ú³E‡—&TkÖŸ¥ŸGD‘!p ƒ“Ét:>®Ç¿_ž‡‹c!£««ñääôÓ0à’1R:¸M>ŽÎñìjóÁèýx:ü:ûµ7žµjuUg4´:}ï}þJû)Xðk’0Ö²ÿ
+v·]+¸
+ID9såðGÞ$Iò&³,ñ˜LCÇ,ꌑXJŽöy•dy‰a­¬*vq·½Yes\[~Œ±Á[Ü&yêQŠqAâgUËîÁeµ˜  ÷>£Ž{ÿ@ŸÚ7ý€C€´§DðHÕŒfKãÓ2&aÏxŠ+XÒØaX!&Tu´³»ÄþD¶‚p6þ˜"ó¢þMñ¬Z&•c’丸1È
+Öu¯€<[Ý°c”wfžYÂ9ÒÙ¥Y¥¥Å%Íïj«á¼¸¹ÏŠ­{jz ¯ïð‘«Ú²ÈëU!$+÷ìÒ¸÷ó¢B‡E ¯VìÐaËäÞe#€†Ù$+Ü81©ËZ³Yge™¹×GÉãHABörŽFD ÀJ$ò—$ÈRTªŠˆ”-Â9/Dr Ev£œ©˜©ðlQûån½6
+ÒÞ!.Àk«ÀÂFN„DH ÜøÓèâê|ìñ¤°¯+l-3Û%¡šyÈÐy
+ˆ<­7P0d þÖ.¨nðä埗“1®^6у^uÈ÷ÖÀ¦±³%¯\Š4¸AÀºX<Ê8ˆÌÚgò#±g%ÉJÃ7\1E_Ò}tZw Ùà¹oÛDíÌ*‚6møµÉFÁ2޷ރɦ–hP`ƒO!°‘²¸Áªgl|˜ea²zàaÇ´íÅ­
+XæRecî‹o¦™BMBÎtM:ë„_±{qq˜5«Z©/œGN×FéÈð
+è² [‘Å»ü
+ñº¸ï¤¯öÊé./îʬ||O„²Š4x‘‰˜„¡¾{-~È;Xû/}$b̲õOøî|-U×=Î5¶‰|–›¯Íò ÙÝ›
+X¥š‘kƒÈÊ7tÅDë¦z[~g~!ä’ vÂ,s|±ÙyxJAoÓ¸e:~•©Éo³Ü7¬’µíêÚ­ Æ‹leü•\dd#Љ÷Éxz|}z5;½œxú“÷Éþ¸AE²v0m†k[`
+3R±}Fªf¶ƒv,;ÎÀ¤_šÊ½‚¹®º¹0וËõ.™ãÇêAÕ¤ÆrÎíl·™{qè$e¬–Ê›~Ö#›T·Ùvê+7n
+I²ÍáÄѮ퀎SL}gj瓶œóâ¡Sþ©çêìûl!µßZ<õFÛØÿïO:ûOW|£5ß­9¼ãH;Ÿ¨F)ë7¸8>Q½ùøóT÷
+endobj
+2484 0 obj <<
/Type /Page
-/Contents 1991 0 R
-/Resources 1989 0 R
+/Contents 2485 0 R
+/Resources 2483 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 1946 0 R
+/Parent 2466 0 R
>> endobj
-1992 0 obj <<
-/D [1990 0 R /XYZ 56.6929 794.5015 null]
+2486 0 obj <<
+/D [2484 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-1989 0 obj <<
-/Font << /F37 802 0 R /F22 737 0 R /F21 714 0 R /F55 1037 0 R /F41 939 0 R >>
+2487 0 obj <<
+/D [2484 0 R /XYZ 56.6929 598.7685 null]
+>> endobj
+2488 0 obj <<
+/D [2484 0 R /XYZ 56.6929 432.9509 null]
+>> endobj
+2489 0 obj <<
+/D [2484 0 R /XYZ 56.6929 360.8886 null]
+>> endobj
+866 0 obj <<
+/D [2484 0 R /XYZ 56.6929 315.6627 null]
+>> endobj
+2490 0 obj <<
+/D [2484 0 R /XYZ 56.6929 279.8921 null]
+>> endobj
+2491 0 obj <<
+/D [2484 0 R /XYZ 56.6929 241.5703 null]
+>> endobj
+2492 0 obj <<
+/D [2484 0 R /XYZ 56.6929 166.5861 null]
+>> endobj
+2493 0 obj <<
+/D [2484 0 R /XYZ 56.6929 97.4887 null]
+>> endobj
+2483 0 obj <<
+/Font << /F37 1026 0 R /F21 938 0 R /F22 961 0 R /F41 1218 0 R /F48 1238 0 R /F39 1161 0 R /F53 1313 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1995 0 obj <<
-/Length 2192
+2496 0 obj <<
+/Length 1930
/Filter /FlateDecode
>>
stream
-xÚ¥YM{›H¾ûWè°ùÉÐÛMÓìMv”Ä“XñFʳ³›ä€¶˜A ÈϯßjúCHj„g×>Ð4EUõ[߈Œ0ü“‘dÓ8‰8B 6Z®/ðèž½¿ †&°DA—êjqñ÷wTŒbó^a)Éh‘~Oî·7¿\!Ãã+t0ŒÇ·“Ù×É'½ww‡ãÉûéü2 RD\‘q<~;›Ï§×Áüæýì?ŸgÓË‹Ÿ/¦ §XWy‚©Òê÷‹o?ð(…3ü|%=à F$ŽÃÑú"b±ˆR»S\Ì/þévž¶¯úÀ`T"&CáA#$#BPÌXx
-`™¬³^¨¸äQtª.U?TŽjª³R÷PˆõBu œÞ‡w { *wël›/õMëßÙF_jp܎˶Ù}3)«mÞ¬Öý
-ÙVÑ.¼Q'5õ&[êê¯éÚà/ÒZ5¤2¿kO ûÕýS^íÌëÏ;xýE?2[Weœœ‚AòzÏΪV™y¿¬ ˜
-pû}ÑèŒ `9ÊÚ6]i3ýer{÷i:<,ÔL¡zcJ4x—D$7°Èô~¢/‚Ëà¾mU)ŒXó‰ÞÕÊRÛßÂŽ>)ì¤ÕbŘ]˜¨H´ÍJöG¢F
-“…oø€S1×Ø(Œm=Rª¢¨žu“ "ÅZƒ
-Ïž«]‘êý{C¾¾ËÒxt
-BΑ aïLÙ 8 ¡A¢¯-íƽ¾@fÃP¶Ãg»:DOöjM¾? ÜØÓ03S94N:85RùŽ|$öcGIôcú&ä„ãa}oÚjÁl¾Â‘=îOžîFDÐÑSòúÉÆmáíjZ‰™h3ÂiŠÜˆIlsUÏ{Rá ,tUgsì»Zìè\Ac5:3rÜÑ?ÓzPÈ{˜ÛJä üÀ™ {>5Õròiþy8CÔùc©ª¹ªÝR•WcBw?ØH$cf•ºº™™/±˜®ó2LÛó~É2m»riœò6)wP“| Ã`Î9wª
-endobj
-1994 0 obj <<
+xÚµY[oÛ6~÷¯0°¨Y^DJÜžÒÄéÜK’Åî6 íƒlÓ¶PKò,9Yöëw(’²$Óΰ¢(PSÔá9Gß¹3¤áéGa&ƒ~(Ä1áýyÚÃý¼{Û#–f舆Mª7ÓÞëö%’‚ŠþtÙà!E¤?]|\Þßn¯Ç^ )ǃ7èbÈ1|¼¼ýtùÁìÝ_H:¸|;š\ ‰Œ¢P“ <¸¾LFWÃÉh:]|¾ë¦µ^MÝ fZ©¿zŸ¿âþ>á]#&#Þ‚Œˆ”´ŸöÎs;›Þ¤÷[Í°ñ¶:ê³ñˆ†0(é‚$ç´…—H0Ê*4îî§ã»ÛÉÑ—`„9
+–hؤr‚=VpTZîpÝ ÊAð‚HGäI"¥Då‘£4)÷E¼Rf™ªâðg ³P'%:…‰¡ç1iRƤ¦ª0y¯E¾¾á¼AIÀ¸æšb‘ìÔ¼ÌwÏ]ݧà!Àç¬r5•G»&|„‡ˆ…Q[»‰* ƒN¹¶x:$X•ª­$3¿Oëd¾îS–è Æt£,·Øð°´¹ù5{E²P§Í Ý˜Fì34¨Î˜ÁQUfع&ETÌY‘ŽÈ#²åš!¢„‰¶ÈËe©v¸]R&Ùª]¦žj Uz`4ˆ¥ù£êÍwÉ*ÉâÍÉó§¦/8oMs]CSaûèsqÒ dÖÇ7êQmŽü›
+DÃ@œÓ©¦9RªåÛŒ ÊES)Ÿg«Ù~µªíPét'6•Œ¼€T“ê4V5U…ÖÈV$¹CKe ¥:‚‹QuÏ«VSytkCTPWZÊ}*”®Â€Fd8X%*3{w[•M&̃Ñ*(•lðÇÚÑÌót›lÔÂ<=%åÚ°¹5ù‰³]ì·Û|Wš‡¤4 µŒ÷m´J~nv·ßæ!¿h,úC¢ˆnú
+9 ,u…7H«$™¥1¦6ÂŽ©%°ØÆÉάTå}z•, ulMž3ëxcÌ/ìy(õEeqX§q9_ë ¯\ˆí¸Žß‡âÍ
+Rk¹N;½C]åÆ×6/;ÉÅh ±h!„ Nû¡ºy)Ã4¨Îø”£ª|êáȧ8tœRžéˆ<"[‰cÄ¡m™÷»$+Oµe¼:ZMb2EëÝÃè÷»÷#³ž¹¸­ëÜlo‹:’Ë®%<Âj‹tiè£P ! ¡õvôddå_~˜Üy|CNˆqJ›!rV*û‚9Žà?òÊd²i7‚0œ Ž7ã[ëVÒŠ[¤I.¼‹¡ ³h¨¥2_–Íí÷|Œ³}¼ñ¨ED„¨€Ï°÷) ‚\½y¸¹2aÐ ~T×€K퇂ûDRH‡ŸË>M½{8‡œ¡gÐ+eζ“ç¢T©ÍØWyV@±HöéAn
+ endstream
+endobj
+2495 0 obj <<
/Type /Page
-/Contents 1995 0 R
-/Resources 1993 0 R
+/Contents 2496 0 R
+/Resources 2494 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 2004 0 R
+/Parent 2466 0 R
>> endobj
-1996 0 obj <<
-/D [1994 0 R /XYZ 85.0394 794.5015 null]
+2497 0 obj <<
+/D [2495 0 R /XYZ 85.0394 794.5015 null]
>> endobj
-1997 0 obj <<
-/D [1994 0 R /XYZ 85.0394 752.3199 null]
+2498 0 obj <<
+/D [2495 0 R /XYZ 85.0394 751.9581 null]
>> endobj
-1998 0 obj <<
-/D [1994 0 R /XYZ 85.0394 504.8188 null]
+2499 0 obj <<
+/D [2495 0 R /XYZ 85.0394 466.3276 null]
>> endobj
-1999 0 obj <<
-/D [1994 0 R /XYZ 85.0394 359.3246 null]
+2500 0 obj <<
+/D [2495 0 R /XYZ 85.0394 401.6524 null]
>> endobj
-2000 0 obj <<
-/D [1994 0 R /XYZ 85.0394 298.3625 null]
+870 0 obj <<
+/D [2495 0 R /XYZ 85.0394 361.5595 null]
>> endobj
-674 0 obj <<
-/D [1994 0 R /XYZ 85.0394 260.8495 null]
+1456 0 obj <<
+/D [2495 0 R /XYZ 85.0394 328.0431 null]
>> endobj
-2001 0 obj <<
-/D [1994 0 R /XYZ 85.0394 224.9084 null]
+2501 0 obj <<
+/D [2495 0 R /XYZ 85.0394 291.9754 null]
>> endobj
-2002 0 obj <<
-/D [1994 0 R /XYZ 85.0394 193.5316 null]
+2502 0 obj <<
+/D [2495 0 R /XYZ 85.0394 224.3783 null]
>> endobj
-2003 0 obj <<
-/D [1994 0 R /XYZ 85.0394 129.6476 null]
+2503 0 obj <<
+/D [2495 0 R /XYZ 85.0394 138.7576 null]
>> endobj
-1993 0 obj <<
-/Font << /F37 802 0 R /F21 714 0 R /F22 737 0 R /F41 939 0 R /F14 740 0 R /F48 953 0 R /F39 899 0 R /F53 1029 0 R >>
+2494 0 obj <<
+/Font << /F37 1026 0 R /F21 938 0 R /F22 961 0 R /F55 1321 0 R /F39 1161 0 R /F41 1218 0 R /F53 1313 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-2007 0 obj <<
-/Length 2985
+2506 0 obj <<
+/Length 3014
/Filter /FlateDecode
>>
stream
-xÚ¥Z[wÛ6~÷¯Ð£|qq%‰î“[{Ótc'»Ýí¶} EÚæ‰Dº"×ýõ;ƒ ‚¢¤œ³öÁÁÌåà >cðÏg:MR#Ì,3*ÑŒëÙr}ÆfÐ÷öŒ;ž…gZ ¹¾»;ûÛ?d63‰IE:»{Œ•',Ïùì®üuþ]’&ç0›_ÞÜÞ^}¿¸}÷öæ¿n®Î<Ïx6¿øøñêæòÝÎB3`fÆæ×7?]¼'ÚÇs#æo¯nÏ¿ûñìê.6ž3‰RýqöëïlVÂ~<c‰4¹ž½À K¸1b¶>SZ&ZIé)«³Û³…½öÓIep–™Š m>ã<1Z‹HÚ$©ÒªãòêöûOï>Þ½ûpƒ«±ßì4Èf ‘&J
-Ë[6]W-]ýØüÕ6•ãþ,K¤P|‡üÈØÊR5/ð!çø(Tj>×é±jªMÑWŽñLBESéÓ'0Ñ6ç<ŸWËÖ>K?61Êù³%·åvYÅÓ¢ •íKµé궡Žöšsr/‚º@üþ©.¤VÒÔ@*V]K­¡üØAZQC-r‘3áÔò¹zíª~1¡>¥’,å^}¿1&VN„eÛôEÝÔÍ#½Ù`0kЃ£SëÔ3ãBÞ€ú™×.ÐêzúA¬>x&ÀsãB¡ƒÚ̹…Z/Oõò‰šNÀŽÞÊjU==è¹{ƒ3¯{ÇW ês1oŸ±»X­^©Ãë‘Þ.oé¹op Ò A ÃQŸêU¹“Îó‘?¬iB`®7Öa±ÕZGJ[§KBÔ "máY2‡ˆT¹ý⃲}ÐàIÆy:KK”‚øœrbZ ¹|Œï#^àÂyÅxÊT%Æðüø”žibÊ¡VRhf’ÇSþ|Î9ŸW›úá• ìL oæ’^ÑëŠ~Kf&eNéFçp‰ãºrÖM಺Y’ý´Æ+*À(z¹*ºn,˜I“œ u\0Ï4!˜ˆ¦ƒð–H²ÛçjY£“YoU‘³k»oQƒ$³ÍöaÄD˜uH:‡ KO¨sÀuDžËªóó”:y’-wè7+O c•ÊñL5T¥án°³EBÝ怤
-cÁÐãÓ\ñã’® ÑâøÙR­bÙÞîöŸèùå{LÝ~&À<QëÆ1•eÝ»Ü@Ïû–¨RаVŞߘf„ÿ¼úZ<JB4í\4zgS´{E}N¶¿îˆV<?WMéM-tÂRmF‰H;
-î¦XWâ~´aô ;¼'
-bûKE\:ã󋆘‡Ÿ*²ËŽ—ZV>;~YŸc1JkÊý«›ŸÍv}ïE«Ýø¿Àßõõå"öV
-ÈË~¸¾¾?—<›7moQèïtÒ!ü¾q¥4cȪ¬€ ù¹úVéo}×Ow Ù÷Ô¶9"p\Û’õOXÁKe‡ÅÄ’‹ùqÅZBvR„¼^%¹SInUô‘;}äóonš„ µþà“ztàMéhì€7ò0h,·’®é]·Ÿ$ RÓNnŸ°…03lãJ6•§ŽÕ 9Ȧß/Ê,K´†â rÆ°ÑÆ¢ºäšZëºÙº}™Óã©Ýn¨…I¡OÔ Úm_v©†+ÖÚ¥K?ºÏÕ‹Ë1kp#n»cÇòDåPfG¸×„ó\áªi„Ë esš„ôtßÀ4`?~\¸À5!]œ²¬æJÅâ|ãÆåBØ |ÖÅ7Ûg„-·ˆ€oøêð¶oH¬þ|vÉ–66¿p/
-‘æÒGd»íŸ·ýâ¡^탘 =cŽ‹¸&ä‹“´,ᜋX@[ÿKžºº# ¤%`E$¢?øGúðàß{?–¿ÓÀö_-ø´½£Ð,ÛMç,BZ«âŒ-½Ó¹Ãš¥°•y/KDAáj3Êàœ‡ªd_öî`Ô],훸XÔÌAÏáyŠ'`'6¿!×aÏ \ÖsžöªÚ4a&;1¥gš˜2ªjyÂ`§ü¸©›Þíø…KžÚSF·]¯‹Íë³:5ô7îjÙÇíº
-÷íÄ]žPÐC„“¹Ó—y
-TÅøÀ&­£ubÌ©3‡!×ëx.kúÔé"¨²Ú@²Ÿ™À†,<.[àš.
-jž')T\±tÿiFAº}¬¾Ôí¶[Ñ¥œO8èä[µË$ž‹®ó½…£Ù À‘‰é¼Äžcã¾f/4“KU0ø'blo„Rz-ªPðV:v;`gÔÝ8Ë]®|Y᧰o…ã,ÜàÚ ùÀŽªãœUÔž,¨…wÝD5fÕ¶ª¡ª(h_Ó%ÖíÔÙÃ.t7‰ÅC_íÝ9ºÅæ<,ÖÞuæ᮳˜ãÖL
-jžXù¾Ô]uàXMW—îÌÊÝlZÍÝ© <­”tÈo]Û6hÊɌŌ;ÿÑltÆò¼*–®±Ÿæà™Úí`Ò£°¥p#¼¾3·}ëˆÁ¹½œÿ±…<5ˆ/ˆkØÛ‡Akr·Üféè÷UÿRQ” ¸£+C"UT_„Ô›»»‘±Bn[ú€½‡´©qûñƒŸsõ^‚†ÓÃÉcf”Àä_[Ñú9‹p|‰¿gÕ´#4MAˆLñ¯züõƒô~ôƒŒ‘º;%Rô®–¶Ø(ÒX±;aeF'DØL]1 4LP‘€ *:­b¾:
-endobj
-2006 0 obj <<
+xÚµZÝsÛ6÷_¡™{0=µ‚ ø1÷”6Nê¦Nr'wz7½>Ð$qÂU¤ì8ýíb)QrÚ›K„ÅbwñÃ~€“
+„šÌ«‹`²‚¹w‚i¦–hÚ§úþþâÕ[™L2?‹Ãxr¿ìñJý MÅä~ñ›÷½ŸøWÀ!ðÞ|˜Ín~˜Înîïoïn®¦"KEè½þôéæÛÛ]MC
+õÇÅo¿“¨ðÓEàË,U“'è¾È²pR]DJú*’ÒŽ”³‹8†½Y³tÔ"ðC‡#ÆÃ1c¨Ìe(1~]ë”
+3ï³~ÆFêUºËy—Óð‚ Ô墥^¾½©§©3_çõJ/®¡'¥÷Ðtkb€KJÍ+š%¯<Øe“[»ƒ
+ЯÞF¢'n˜Ä~ˆ”DAß×ðÏÿ.Ïóï
+üç#'³j ¤…ŸÊ@ñª¼^Œ°™/"8#Ùd‰Ä“$L…ð3¥BCÑÛu³-óNí$¾Êb»3h%®¦2ëÙ ;Ô^éZoÍÀ•¨Ä»s&Gš½Éá̇ËÛ®¡î‚úEM¿Ýš ¬|ŽQ©y×4¶ÞUy=%mÈmiç¡D>Aä-t;ß›®hjÀCÅ_Ú{Ì`¯hé7/Û[ÊÛ”ùÜÈŒ³ÌdÞT•®»v8êX¤`Ãi%¡wo§÷Š{"¹dVmT %«]þªh[P£¥‹¼‡3vʧü™'ZÝQ£kè÷‰Š:ŸÏ5ð0ÆéSäõsSó\½åi¸$¶egŸj;‹Ø¯šOq n|†—˜¸sY¢"2ñà £‹ûñÓýíÇÇHø‰ñ$ŽR?‘™<á1ˆhÚ§"‡!F†£Â}§ËÃ-c駩JÏoi‰F¶ì_¢8õÓ8Ã-ßæçh%¼hÏ,ñv›…
+ã¥`¨nh¤çî²ÔÝ=„›’Þ¯WJy°¤Ù1£nàÆu¹×î¨öJÈ$ò#Xϵ¨ÛVϧ
+†âÀÍ×ükÕÉQ§à³ NlªJÛBq}ûá-V†¸*ÈþÈI¾±‘ âtÎăbýÅšV/hÊxË}’`³ šü7ü»»{ó†fšípôÇïîf3Ÿ&)BG{>äTW»Šã9¦; ~;ú÷¹
+'"—ß]Ú”…¦—&Ád\˜)XÉ¢îô–ÕêH+`Ó9kY.Ì/]*²4ôMu ûA
+¢ö)Hlri²jSZ ]Ï5ç\Å’3Ý|}~ߢË–MY6OFvyâK@šlj"0): ˜¡mØb ûbÎ&/Ÿ/!wAÂÈ»¬c®Pz—O®µp­µmpuUØ!N’Dl÷K†Z6½ {¸#›UÁËžu¾e¡°H[h”ʱƒ§sJ=+j„ÑJ†-uPUÃ)¯jÈ^W…‰Rçj™Í°òcºª©»53în†Ü~Á‰íz¬ž´þl·ïI‚ô¶ æQª*j°Š¡Ù;HF!ƒÔ¥+"¤Š$Œ´œ(öøú°î:v:½Ãè%AP?5µ)Êp¿{|~cg´« ÞsÚk› ðn—5Àðòd
+爎¥0È“ðÁ¯/ýÌžIšÙò†L}í“Ï”Þï2›zB¿°«ú}`&¦þh×æ{Ón“¯ …Q˜y¯—)Ì´qÖ,]Ûš¨¦? etèvM­6x¤™—»Å!ˆö¾ºwš‹Ø=ºé†Ìv­eda ×؆ȓ˜
+Sé¡TçAÕ§:*Ge`õúÅêæª Á
+$å QíÚŽê/àŽ!£,Ÿ©_屉áÕ´Ìíˆ=s²f+œÑ°Î‰ûÍ:|~‘u 8CÔm:S{ šqþÚÈcÀSÿ G{¡ùVýͲ٦c9[òiŠˆ?¨Að2õžûؤl4ü:´F‹°ŸŽB'¢O ¿Lå"Ì;D{@ÍÂìÒ+Úc^^½Oõ¾¤ìPû±Í<§˜„çÖ?õ§=˜÷Ž
+ÜKèÿüg?û¿oŠ(OÒpÜ„‰òaql…B-ý1ÍÐ9òËþ_‘Ã8?endstream
+endobj
+2505 0 obj <<
/Type /Page
-/Contents 2007 0 R
-/Resources 2005 0 R
+/Contents 2506 0 R
+/Resources 2504 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 2004 0 R
+/Parent 2510 0 R
>> endobj
-2008 0 obj <<
-/D [2006 0 R /XYZ 56.6929 794.5015 null]
+2507 0 obj <<
+/D [2505 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-2009 0 obj <<
-/D [2006 0 R /XYZ 56.6929 751.9327 null]
+2508 0 obj <<
+/D [2505 0 R /XYZ 56.6929 679.0396 null]
>> endobj
-2010 0 obj <<
-/D [2006 0 R /XYZ 56.6929 651.1304 null]
+2509 0 obj <<
+/D [2505 0 R /XYZ 56.6929 422.1751 null]
>> endobj
-2005 0 obj <<
-/Font << /F37 802 0 R /F21 714 0 R /F22 737 0 R /F41 939 0 R /F55 1037 0 R >>
+2504 0 obj <<
+/Font << /F37 1026 0 R /F22 961 0 R /F41 1218 0 R /F21 938 0 R /F55 1321 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-2013 0 obj <<
-/Length 3048
+2513 0 obj <<
+/Length 2295
/Filter /FlateDecode
>>
stream
-xÚ¥ZKsã6¾ûWè¶tUÄÁ“ã¼k’]3öÔnm’%R63©ˆ”=ίßn4@IÕÔ–€F£Ñ/˜/üñE¢C&SµˆSjÆõb½»b‹èûxÅ-fé@Ë!êÍýÕ«2^¤a‰hq¿Ì•„,Iøâ>ÿ-x}{ûþæݧÿ\/…fÁ›ðz© þõúæëëíö:Áëïï®—<‰y  a ÞÝÜݽ»¼ûôñæ¿ŸoÞ_ÿqÿóÕûûŽ±!óœIä꯫ßþ`‹öðó ešèÅ3|°§©Xì®”–¡VR:Êöêîê×nÂA¯:& ¥“P -–Z…RK5.22 "XÆ
-VRÐr"|Ld…"[~¾ú õ
-˜ìãȲ‘­êŽ#â¦Ïv£;Ã3ñ(0bhÌÍPÃ;N#29»'ú,“0¹³ú΀H.‚f_¬KÔO³+8ÞŒèv*Ó~.«¼~¦6™W>—FZ@3Û†_²ÜUæ
- *†B†ãÙYv˜så Ú*²ÓŒÉÓ[„ÔŽæVuÓU=»¢â‰(,û®v™Mg–órsj–2RRDÊh†2B`8#&°di‡tARØŒ°jRCüZ¨­Œ.°`A#ø•&<V> Ÿ†ñÓHÌ´M‡}ùð–<M„u’ÈŽv)­›á‚¥Ñb¢n7î
-LÚ&Èx ߆•.jíæp|Mì/RâBÄ8DÍœŸC™óû|)®€üb¦bCHcgùs þ¼3L8Þ#é3HõÚ˜õõÚ˜S˜»ÜÄ$µÝ! Ðï®y`Ì’º1.ÈÀ¶ 2"èv»U:dÄdCÀpdÌ×wÙty×èÎhT S¸ú?ZÞÓ/‘ª²Ï CÔ´~u(£_ûÓ%¡W)uaIYr¸»²u¡O–üŠuO`$Ø7Å1¯—TŸ@D÷Y›Q糩óI[k&íH•Õ[uÆ°SI[÷–¶Ö¨MÖ´]Q œj°2ÊJC†Ú–,†òPì²Îñ6I¡Ô–£ÿ8Tû"†}´]qìŠñ±ìKÅ
-endobj
-2012 0 obj <<
+xÚ¥Y[sÚH~÷¯àÍPÚÝê‹Ô3O$q2ÌÎ`¯!5[›øAa4‹„ç×ïé+4&Ù­TE­Öѹ|}.Ÿ0éaøGz G˜JÖ‹%CÞ›¯/pïž}¼ Vf脆m©·³‹«4îI$E$z³eKW‚p’Þlñ¹?º½½ž¼ÿk0Œ8î¿Eƒ!Ǹÿçhòiô‡Ù»Ȩ?úx= I“„%&pÿýd:½~7œŽ?Nþ}3¹ÜÏ~¿¸žyÇÚÎL•Wÿ¹ø|{ ˆá÷ Œ¨Lxïn0"RF½õãqF©Û).¦ÿô
+[Oõ«!0O˜è 9C
+û*ŽéûPÔž E‰)OÕµ¬ÚÐÀªEÛ-uïÞ%@eÖ
+‚7RQÇ׬ÔÊå¿Ú«–ê½%@V«À¸Í:j«P §Zõãn•y¤1‡'˪(ªgfÔtµ[•{ÝzÃj‚’ßik*7¿eVÇåË¥6,ú—ëÊ/Ÿ/­7— ¿·r+8¦
+©náK¡Àç¹vÛrhở·œË2Np A¯ÒŸ¶Ôiúã¥4ýÙšvÇ;cÒ L¶–
+a~`ò¶…LÝMOÇ^³Må:7 »uÚœD‡% Á(8CÛR§ÑñRM€B¾&’S›6ï®n¯FWwWã«÷WiqL¸"·¯úè¥NvH¢$ˆáïzé
+d…*sÍË…žöçU®S8ð”âmk«ó¾m¿pˆŽqäÒ'
+0…ñË(éò°Ñ§Ùo7wç‘+FXf6y¦/u“­í”W•ð­Óä»õÞ.L2&"«‡Aª`;×Þ¢d0$‡£®4F”GL OÒ ÇSRјu9¡S¤úȬÌ/`öÃÆ?WÒžÙ5UU„0ÃÉøRV›:¯ù€ÀˆÀG±@B`¢ð%M«z•Ï´UhªÀB|ÆKÃWuøy˜Þ»ÕÜòÚ™ÚÀâ¨t 8/€Î†ªæ»ì5.»5¾È·ðeRm_JÕ~‘OV¯ôú¬Ò¬|ÌËP3êŠyÙh\ ÷Ý™í(òÔçÞÎkŒ’¸;
+prè:§ â •cßÿ €%ˆendstream
+endobj
+2512 0 obj <<
/Type /Page
-/Contents 2013 0 R
-/Resources 2011 0 R
+/Contents 2513 0 R
+/Resources 2511 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 2004 0 R
+/Parent 2510 0 R
>> endobj
-2014 0 obj <<
-/D [2012 0 R /XYZ 85.0394 794.5015 null]
+2514 0 obj <<
+/D [2512 0 R /XYZ 85.0394 794.5015 null]
>> endobj
-2011 0 obj <<
-/Font << /F37 802 0 R /F21 714 0 R /F55 1037 0 R /F22 737 0 R /F41 939 0 R >>
+2515 0 obj <<
+/D [2512 0 R /XYZ 85.0394 567.3101 null]
+>> endobj
+2516 0 obj <<
+/D [2512 0 R /XYZ 85.0394 399.1134 null]
+>> endobj
+2517 0 obj <<
+/D [2512 0 R /XYZ 85.0394 330.2279 null]
+>> endobj
+874 0 obj <<
+/D [2512 0 R /XYZ 85.0394 287.2095 null]
+>> endobj
+2518 0 obj <<
+/D [2512 0 R /XYZ 85.0394 248.8505 null]
+>> endobj
+2519 0 obj <<
+/D [2512 0 R /XYZ 85.0394 215.0559 null]
+>> endobj
+2520 0 obj <<
+/D [2512 0 R /XYZ 85.0394 143.2486 null]
+>> endobj
+2511 0 obj <<
+/Font << /F37 1026 0 R /F21 938 0 R /F55 1321 0 R /F22 961 0 R /F41 1218 0 R /F39 1161 0 R /F53 1313 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-2017 0 obj <<
-/Length 2546
+2523 0 obj <<
+/Length 2973
/Filter /FlateDecode
>>
stream
-xÚ­YÝsÛ6÷_¡—Nåi„â‹ùè6n.uëäFδwMh²8‘Hפì¸ýíbˆ¤h%sw£‚‹%v±Ÿ?@bÆá'fIÊÒ\æ3“k–p‘ÌV»3>»ƒ¹7gÂó,Ó¢ÏõÃÍÙ÷?)3ËYžÊtv³î­•1žebvSþ1ÿ¥ìVàó××Ëåå‹åÛ7×ÿ~w}y¾™f~ñþýåõë·¿Ÿ/d˜9Ÿÿzqýá⢽?ÏåüâÍåòüÏ›ŸÏ.o¢b}åW¨Õ_güÉg%ìáç3ÎTž%³'xáL乜íÎt¢X¢•
-”íÙòìŸqÁÞ¬ûtÊ:ÉX"u
-fÑL›4Ÿ6™`F`2š3ŽìÁdRL™,p¡É7šj–ç"›õ;˜&DʞȆF‰¡È·wuóp.²¹%“_-¯hð‘sUÜѸ©éùÉ>Óàic=©´}ØUuUß…©¢£Q×г­îjväAo&Ã3¦SPþ´-{\'l¸œ-Šüþ§$éq
-ÎL–'°:²´Å¶ë• 
-Áò$‘nÁ.†MÂõp£ªÔ­U’4ŒÇ;2o Gg9xãЙøňL1´úBDö¹^ŽÈÈå"òS‰Ìx«VÓ½©Û±rBq–˜$;­]äšP¯ïK¡–$F õûíE#Ó&Œ^¦ŽÚµ/U·Q©Ÿß‡”v]ìÇ.œ¿ì¥˜‚ærÚ/¦nñLÎ+G5×0“
-uR^à9–×·³‘Ìh™ä‘••ÌVÆ÷‚ÞÊ8ôVÆak;¸€ÆÁ»÷7X·ß}¸¡÷P°qÜø¯ŠíöhQªö+ªúeëë’eCϺéZRòf,KÌ0q{Aq´2×ðêC¡µ«}¿×”vkïBp¼àô$ËY–ªÓNï1½ìôÀ„JÿÝÔì%·ö¨þK–¦&?)7ðËTÃR @£/7¿N¹ÔÔ]Ñë ±d¡–Ó•[ª-_6 ¾`µ× ³.ÔÀH¦Q8ý™iBæ _2&31’¹¼·«jõ$…–¸©V‚.-ÚM³ß–4v‚§ï )u!Ç6ó”gBcYJ²ùÛ5‘êf¼zCAeÐy¶|ã¼å–5Ãe½º& × ì Ì(ƒìç
-o÷Õc(|¸-´à«ú£È†:@kÖ¾þ—•ßb×<<Ÿ !æ¯â'‡C§ñf„±Þ ¿AOæ± ôРÜz¶Ð÷x
-dyî%”u åzKÀÇú,¢ÆLçC§#ļêí„}]é;a¤6!&ÈÉ~°€ÛÇ·Ø‚2Úž‹ù³ÙíÛŽXn=«k„™Ï2$슰C9E†ÊÕýý)e y[Þ²ÓöÎK³TöànÔ½j Èj)ą̀E°
-ÎC‡G×â‹ôûY„.„q@÷4óX5ûvûLSÞÖnv(CoZï¬ °¨½t¤ÓÕŠˆ›GP(ø
-§ýjeéŸò^vû[Cþ•RS@ãˆh¡Cf¨ìyC/tq¹7»ë‘Ja<tÁÌßw†o ”Їp„“ힺqo¶£Bá‡5º©ºÊtt]4F‹TŸ”Ñz’°=<û‡öêð=ÜICHòÝ!¼D
-™„ùåýOñmëÒ«D7#>ãjApOq 1%'Ú ~”õ`T„_»€Bâ[Çt{ú@‚Z?´½6žV„ë‹€‘ó¬ÿÃ…>çê{éÿO•0üÓrâÊG@ð?ÿ7zøXþ̲.ï¤I|œ¥Ð”pœ8¾£äL*8Yëþ&„±(endstream
-endobj
-2016 0 obj <<
+xÚ¥ZßsÛ6~÷_¡™{¡§?I }rm_ê&v|‘Ó»^ÛZ¤-N$R©¸Î_ ,@‘Ee¦É¡ÅX,>|Ø]šM(üg“Øp3IŒ$Š25™¯ÎèäúÞž1¯3 JÓ®Ögÿü—H&†˜˜Ç“‡§ÎXšP­Ùä!û-ú‘hr#Ðèên6»¾œÎnÞÞýïÃÝõù”é„%ÑÅýýõÝÕÍϧ\QPeJ£Û‹»OïQvnxtñözvþÇÃÏg×­a]ãÖª?Ï~ûƒN2XÃÏg”£Õä~PÂŒá“Õ™T‚()D,ÏfgÿnìôºWÁ(á"æÞàlÂ1Jñž;”!±à¹ãêzvùñæþáæÃ]{gçA:™ò˜hAµSÎʺÎçÓºx.¿Veî_à’„.xÑê[Å|Ë(µÙ×À£B±è¦AÑs^更ɽâì v¤e†¢aP¶9g:Êç•{falTÑÚ‰«l;ÏûÓZCr?Ú—|SU‰Õ“]¸ÎÛ=E!TšEZFG_QuÎ"g¼Tqô€]&l7E}¯^ФͶÆ÷`t'Ëòeþœ60«ïxBCWØÝÎÓš Bç`'ý*Ú,ÒåEý=ø±èe‘ËÔi‚=óE±Ì¼Õ0BÒýæÖJÃ"9î‘]
+4~?¾â§‡î@^çå|o¼ô±+|òB„ìböˆpÀ¨ÇÐçüµÎ›¨ M„Ø£Úï”ò¥ý)Ì™§ó¶‚[ ‰ X Ü 8SÂÉ8‚þƒ;‡g‘„±x jÕ±³‰JÓ®V8š‡DÕjÙy§éþ”àc˜Ÿ2( LÙõ^ ÍD°þ”¿œ3
+à-#÷¸ŽeQ>nmõý/në¼ÏßÕ2Ë}Ÿ¿w
+˜a„ÁVy:*
+{
+ÿÌòéP\ü”n—M¸Ã+Ý~ž×Œý°wgç«uãyÔ±¸k…88 áÛªôOÜ®ãç
+ð&FZûgOÎ;·WW„Õ¦§åë^?L!Òg‹ÅEô°(üèÕÚç Ð^¥~ŠÇüÐ8X庇à¥X‡ÊFS¬FÒm`\I–9±Ý­‘íZn»—ÛmãªåÙj•bdØ™ .Ô@ª£–µZ¦õc&°ÍF¯=Ûv·J[ïSÑÕ{[¢ýe¶|ä¤Eé•Ú<ÎJ݉)ž8h¸]µ=6¶‚ÃþîúWNíjÊ‘¹½vMá‹‚Ðç½áú]é d颴,l5Dÿ4Vf¯Þ¸öwáÄA¡`ï9Š ÇÀ2æD
+A›…- 醵\ÌxtZ}/YutÂ@à\¢½K´sIëíý¡£ïî\vd
+cr12Xƒl‹SÄS+‡´YvX¸Í³£B!ì K)J·X¼éíb­gŽ"'†{Ÿ¨ëïtF¾•£ŽÃÌâ –j’ÑÉ‚ÊÁd½:&#nüîd÷›¢ E]ÿ‰­^Tï€z»Z¥›×#I–ÂË¥ÿ˜Že¦çí*/;çÃÏn\`º]ióovk+;Äþ‰Ñ€“hûçû/™v³%"ô±ÂO—ã`”5œ)~&ÿ7O‡¶ÿ21?rendstream
+endobj
+2522 0 obj <<
/Type /Page
-/Contents 2017 0 R
-/Resources 2015 0 R
+/Contents 2523 0 R
+/Resources 2521 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 2004 0 R
+/Parent 2510 0 R
>> endobj
-2018 0 obj <<
-/D [2016 0 R /XYZ 56.6929 794.5015 null]
+2524 0 obj <<
+/D [2522 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-2019 0 obj <<
-/D [2016 0 R /XYZ 56.6929 485.757 null]
+2525 0 obj <<
+/D [2522 0 R /XYZ 56.6929 751.8053 null]
>> endobj
-2020 0 obj <<
-/D [2016 0 R /XYZ 56.6929 207.615 null]
+2526 0 obj <<
+/D [2522 0 R /XYZ 56.6929 661.6515 null]
>> endobj
-2015 0 obj <<
-/Font << /F37 802 0 R /F21 714 0 R /F22 737 0 R /F55 1037 0 R /F53 1029 0 R /F48 953 0 R /F41 939 0 R >>
+2521 0 obj <<
+/Font << /F37 1026 0 R /F21 938 0 R /F22 961 0 R /F41 1218 0 R /F55 1321 0 R /F53 1313 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-2023 0 obj <<
-/Length 1499
+2529 0 obj <<
+/Length 3169
/Filter /FlateDecode
>>
stream
-xÚ½X[sÚ8~çWð3EÕÝÖcšÐ6Ý–dÙÝ™6.ˆÄ-Ø]Û$¥¿~,ɱAÀ¶;³“™Œ-:çè;WDúþH?3Åû‘âH`"úóu÷ïáÛ›q˜‘Ú¨W³ÞË×,ê+¤$•ýÙ²%+F8ŽI¶ø88»¾O..ÿŽ¨ÀƒWh8>œMnÏÞ۵롢ƒ³7ãépD"É8€"“x09û0¾¿Ÿÿv~5y=¼›½ëgamã fƪ¿{ïpgx×È©XôŸà#¢í¯{\0$8c~eÕ›ö~o¶¾Ö[Cd#Ó(À%}B‚vè
-IFYMÇt<¶§>{?½2ç]´Å!îÃW$å5|‘•¥ž¾êí½Î>acøG^ØLµÉ'ˆƒ:`ö½ºœ\X=Ê©[¬Ó,-«"©òÂ.Ýè¥.†$èl®íÒ‡$Û$«€YDƈJ)ø©˜0¸y}n%‚M, D¹ ¢C߈*b%UÄ$Š¨Šl<ÝÎÞ^Ýœfî2«t‘éÊš1Ý–•^—öå<Ïʼ¨ÒÍúY/GŒKêä€uqL•eE—b6KÖz1š?èù×yž-Í^f1Yð LSQØš¶+¨6ꥑ}ª?ÛGøü cz¿·¥yæ°²r+·Y•|w`#0Íîí[•ç«­ØÓ)m<n³ü[™–»©%!?¹À‰ˆSÀ ©àð,a›„i‰¨Ó„“@ÑhPA†$ðÿqôp矛§/ÍSe+XK:Å
-QRÛX§SZè9$ÀÖB;†Ž$mBÒI]¦+mŒñ:~Ü…CU2s,ºÜ^Œ§ç7—׳˫I³+¯á#ïGQLhê ¬‘. «‡N8¼°/Ÿ7.ø³¼ÚÅéu’Ué¼tÐÜaò3ÎZoe‡‰«š„é^ýv!Â$dºp4ŽÚ(_n÷ã¨A½£‡]•P²9ç'TzP@eÛ!J!nâ¿£òºH³]º7erï™ß¬× ÄŸ¥;s,ëïi…²†ÇŒ`§…:ÂŽGÕìøŒíC!BEÊ—¶m„G°ä5®A¬ëtA‘â\vÍ;¨»Sn¢—a-µ\@3–Q8¿;J„DqÔœ¬ÌЇĉO³ùj³ÐöÕq^¥ºt€!d~—Ãí¥‡YôÚ<'VŽ}ùf4×ÐÔuÿ
-54
-1¸\ÚU;¹¬ü¦ç©Ù¯fdãÎ
-± ä
-¶ô…ø¹»¦Y%Õ¦ì#Ò q]Øz^8Ø“öܼ-t£o±M¥ÇN$„Añ”–ÿnBŽ~å^ &¥uðÜê-S6»\n
-=áÿÏ}:tscæ½ððˆÎþó­ÎóýÌ£ ~Ù‡³aSñFà Q»¦7÷?û¶ÿNù‘/endstream
-endobj
-2022 0 obj <<
+xÚ¥ËrÛFò®¯àm¡ª™^G;vRNvm'Rj·6É"@ 1 0Ð2óõÛ=݃ª\[:p¦§§§§§ß\ ø“«4
+…ÎÌ*ÉL ­6û±z„µn$ã¬=ÒzˆõúþæÛïu²ÊÂ,Vñê~; •†"Måê¾ø-xõñãÛ÷oÞýçv­"¼oבÁ¿^½ÿõÕ? öñ6SÁ«ÞÞÝ®ešÈRD‹EðæýÝÝÛïÖwï~xÿßïßÞþqÿãÍÛûŽ±!óRhäꯛßþ«îðãu–F«g˜ˆPf™ZíoL¤ÃÈhí!»›»›Ÿ;‚ƒU·uN&JÃH™xµŽL(¢TÏ‹Là #Bc´êD¦äœÈ<Šl]áE¿ý>Š˜Y(U”
+·5 óµñDݶ9´U÷U* ì¡ÜT¿ ¡JK€ÎtƒÍy³ãaw„›åŒ™3‰f‹œomÙÒ|ënÒìq–í­ ˆdlNGºeͨmµç#~‘¨<O «º°
+æ:(Êm~Úµ8Q^
+©ÙzีÓÂKë‰ÐA˜”›9ZÈAr%ÇèµX…Þbs_d¸7ÀâÞ6<!&#ygQƒ§Ù8wäÜÐå1Ij¥#Æ,ëò˜·Nó㉸- ª}Ê['е–i+ 3lϬNЊ
+XÇÁ¶9L ùÙ¢ÎTÊö‰€9áxóÈÀ—ÀêB“0"
+¿½û ¹sRð»+­ȩœat xY¸Õò̦ڜvÅ ¶:Ê8ÜÆð.:É®‡äÒrDöH. ¿› ÈqÚ) aküž4d”ã8„Ä"»Ê\‡tÉÝ($'24ÔmÈžóRZFŸcã´a­_t,Ò…e¢1íJ—”™àccmõ°+ ‰ˆYÂhÁD^ …I, âw¥L[~iñwÆäH-‹¼‰b cÏŠŒ"'>µm )¥6ƒSŽùóÒ!I(eê9"¸6*!¡‘c‹½r'‹ú@c;«}~¬vgƒ9Ö…‹J0sJŸÅ¤Ÿ0?Y¿Bæƒâ\çûjCŸá€Ï° “CßÂ#¦XœöÚÞ…Mm-=!s3äH`Z7õŸ‚f^7p Aƒ2ù
+Bº—¶Ëy):WÕ×DZIW0 Ì{kEÑ—È“+AŒo
+¹^ŠÕÙ5¶:¤K¾Æ!Îc¾îFÎÇø$ÛV3º Ü-z ·„伌q#fÞ™ ^Ÿi…“atëqFm·¡£@+>ÖÑÎwC)BË_GEÙB¦VFá"Q:Öµï>þºø¦ØS"Š¯?êkùU;,÷¬ïçž[¸>W²M¾oQå»…šJ UhÁU&;¬.GƒˆÂÄÄñ˜M—Ó‘w^á ˆ%ú—Ʊϭ_a­ßí3\ÄL
+–&ËÅÖ:ƒh#Ĥí€eЧ²<,”CÚ„Q&ô|Í5×G1
+‚s:¬µ0.¹˜´pDÅhÚ½Þ|aHG‰P=ÕÕô*KDE˜‰®at¡¦R@5 ÜOƒêÄ ™³ÇZÑ.U
+›¸'6'Øq«]…ÂDñ Ç{¬™ãÇ­ö$*ÎÆç¿i|‘Ó¹è¢ÚN]´SOªH=ÝROȯ•(1¼ ¸ÚÁy¬E÷D@‘uü Œ4ÃÁ¸'"ÂT&fÌ»a*õsã“íR²_¾ÿŽ2KÌ#J{Èš6vY¸ø#Wé ¢- ·ÃZ2±l92é ,x¬FÒ¥GPcîʯ–©Ï?ºÃÅfë7»Ï>ñu-q×Y<4›§ÅH¹b'ú…H5ÄZŽT–‹TÍ|¢MçÈšcõXÕ—e½
+!ýS×Yë°fxç I¨´ŽÆÌÝ{Ar‹bt̸LXP¥;ô£öùä-º4Ï¿D{I½ë5E\+£-@)¿Ÿ¦˜>ƒíhx¾–ÞOâ'Uþõ÷`]y?åÞïÃK™ÔW:· ¤ˆ°÷*i†¿Ñ¦íH¤Öm"úÖm")qL|™ b’Æþ‘ûx·ø!î‘@ÝŸvà˜ÓŽÖ=ÞîTK[¯¤ æÜB\¤×[½b¹Óëtg6Oˆ²0´ˆ¿¶Ó;§_2‰B£…¼®_C¬eýê°œ~¦Gf?„½p¤Gš9rx», Š&GþŠ-P`$8ØòT4kjU òý¼ÍiñÙµü4·I;2ÃÚÁ hLDæ¸æ¶7bmsÛvý%£eðà”0¨$EpÔ§î3âPMŠK<ŸË*s¥
+
+gK Áçóþ\9heÇ÷çb¹|̨}/é;SLmÑ™ûö C>ìYvwÅaZÃt¯Á¹ Û?¦‡^wì§êÐ}H.ý· ^£æþ7L£ïœ-ÎÄÊsýÿßXÿrPÇé4]ø‡* i¿Ö™ôL¡´d¤§¬G2„T%3¼ÿ2ßžendstream
+endobj
+2528 0 obj <<
/Type /Page
-/Contents 2023 0 R
-/Resources 2021 0 R
+/Contents 2529 0 R
+/Resources 2527 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 2004 0 R
+/Parent 2510 0 R
>> endobj
-2024 0 obj <<
-/D [2022 0 R /XYZ 85.0394 794.5015 null]
+2530 0 obj <<
+/D [2528 0 R /XYZ 85.0394 794.5015 null]
>> endobj
-2025 0 obj <<
-/D [2022 0 R /XYZ 85.0394 752.1815 null]
+2527 0 obj <<
+/Font << /F37 1026 0 R /F21 938 0 R /F55 1321 0 R /F22 961 0 R /F41 1218 0 R >>
+/ProcSet [ /PDF /Text ]
>> endobj
-2026 0 obj <<
-/D [2022 0 R /XYZ 85.0394 689.7995 null]
+2533 0 obj <<
+/Length 3085
+/Filter /FlateDecode
+>>
+stream
+xÚ­]sãÆíÝ¿Bo‘g¬½ýàò#}rçz¹Ôwœ¹¶Ihim±'‘ŠHÙçüú ,EJ¤®éu<c.±X
+zP"³VwTJ„zJ0™&I˜Nµ–ÀÝý¾/žòµ+Q&•M|±pWðb,ïËCòýº¡%=õàé ‚5Á?º—û*÷K–<Sn÷Ú¬±"•2r£íÌLnkÀ¹{Û¯ûV‚mÌ´Ì7Ž@dÏÔí‹U¾ËÛi€1wôD‚k†-ª²É‹’l‚ÂýÜ2o˜hSÑóž¹ïk·$HQ‚Sä˾((%U†ÝPÒa½ T›œÞáV0‘øMækzëíÝ€.•²Â*P é’­°P¥…,¡Tð°¢\‹¼Aý!ùf•74êÛ!ÞŽ,ÒªÚ¯|ÏbâžÅI®ã„éBÄ8›uºXãY§ÅòYç$½Æ±Yò–i€eWW‰2IXÎ7ùõ&ÓºxD×ø,–B‚
+Œ‚R|X9¤£}xkmX ðŽùŸÕ¾ô²élZ45a5ņ¤„krŠdœ ËܧP0ŠñÍïEc¶€Äp¯ªgfÖÐ|šr>1.˜¾XTQ³~ükŽÅǾêZÝ<TëuõÜÎ{'[»š3ÅMî­‡–Ø/‘‹'×CdjùÇæ ÐjW4/ôV=a6ì1ô< 9þëã —ˆUª'ðO˜$Š±Hd©O3Cñ—*a³ ²y‡Àiø¥±°©ÌZ.¨$<…u‚ç*=[S¸cJx[å5 îwÕ •H‡„s ã(¥¦hª$îÃý `jÛýýº¨WÞ5\b?†… è8ðX,5†Œw‹ÌÄGÇZ/&Ęîmb…N²øW~—˜öÓŸVý]Oý|¼
+5‡IQqlƒ-BH3
+ ›&ÂÌI>Øæusuʬ¿ªkŒ±¤2®À
+pc£/P`‡Â¬VW*:3­u ”g¬¿,
+úË8-„ô‡¨^YD[ ¦½i{<›étõó¿J+éÔxä#í ;D­:Kغ£ž‹1udd€Njóðgl%á(6_âëg,ÅHÁPÐl±|²õt„‘®žªÖÙepvœõJ–èì—ñ4öªð“ŒîÉ" ø¹ê uyhzì`8^Òøp| ‚´qÕ¨é÷ª==Úu#á÷åvl‚²|a»Æ-ÛbÓèÎ]BB«G¯ƒ©‰ÈT°8Âöeëÿ°
+‚J÷LïnçooþI@²O¨(kB(6Ûj× Îˆ3[Ë剧NÅõ¦'—õ¾Fu¿Q,“£ ‡~oÞ}YCAeÂ… Í9&+cÃÍ Ln û´‘‡Y(èŠÍ~C/¤&Pçë‡ÉM‡*nÍÇ+Œçï®iÐ×’ª»ïV$‚Nƒò¹1z`#´Ø+&ž}ÊÅ)nÿ ɤ‚ù´7×2Iœ…–›ZÖãK+–‡P®ýÒßM
+|ŸVQŸÖ¬†[Ì4ÅY*Ï°3ƒü$òóƬr E˜g‹ÅXEÏ@†Ì FKÈb çNaþ~ÀÛ|—oðίjl¤ZãAATIÍȇÕ|zqˆÎ‘ÅòO]f6 Ÿ](ï ï³ù›BªE¦ÒÁ
+ÀÕ¦h\ò†¾[ùº[õª]EUðQ HÕ!¸læ¨;ƪ{×YŦXç»Ó[ÛÓ Î,tZ÷c¸»õÇÊ«—¿¸ú/C¢Î ˆÔ– J–P³rÍrÊ9¶`’ö³~ú,d$Ø·ýT+ü%Έk*8î!¾²ó®ÙÅwÍË»æc®y–e뚧,‡\³ÇòM[ŽR‰üvþþ# É¹-àzŸÚp˜<´
+KÏ,š^Óô2¯™
+:kÅtÍ-+$ëcµíF¨jd8ÿé:‰.Â|üø¦¥®¸"²¦¥<ªˆÂGòãoäe¸GC9zC8 ºÇk§GÒïá«_¨XÅmÑ5þUÝâåÏ|SoqÎ|Q'ïŒrFü¡Rø-IÑx©«²>ùD“MlzN®çD°^üCƒhm¢º’}U\^ëíªÕ}Pp0Ϧ½»„Þ3lçøwí%U×°—c¿ç™ñGX»–íõÎÿÖëð«¶(&ë+u‡~c
+¨ltêHRhëÙÿ(!¬fendstream
+endobj
+2532 0 obj <<
+/Type /Page
+/Contents 2533 0 R
+/Resources 2531 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 2510 0 R
>> endobj
-678 0 obj <<
-/D [2022 0 R /XYZ 85.0394 651.2999 null]
+2534 0 obj <<
+/D [2532 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-2027 0 obj <<
-/D [2022 0 R /XYZ 85.0394 618.4832 null]
+2531 0 obj <<
+/Font << /F37 1026 0 R /F21 938 0 R /F55 1321 0 R /F22 961 0 R /F41 1218 0 R /F53 1313 0 R >>
+/ProcSet [ /PDF /Text ]
>> endobj
-2028 0 obj <<
-/D [2022 0 R /XYZ 85.0394 583.1153 null]
+2537 0 obj <<
+/Length 2027
+/Filter /FlateDecode
+>>
+stream
+xÚ¥XIsÛ6¾ëWèÒ)55Qì$Ž²­´iÛ”i:i´DYl$R)'ίïp¬dÚñÁðð–ï­ cø#ãX ÌGŠ#‰/w#<~€³_FÄÒ„Ž(ìR].F?¿`ÑX!%©/Ö^1ÂqLÆ‹Õ‡`zw7»¹~ù~RƒK4 ÆÁ›éÍ»ék³w7Q4˜þ2›OBIÆHi2‰ƒ›é›ÙuxõëìêÕÕíÍ‹ÉÇÅo£Ù¢Q¬«<ÁLkõÏèÃG<^ ¿0b*ãÏð#¢ïF\0$8cng;š~ovNë«>0¸ˆ‘ \ŽCAQ,ãØFX
+­o¶Ü˜åÞ˜ü˜Çrk/o’•Yô„ßéè¤þØ$—R¡HÆô|%èR=_ *mê×"OÁ…t›E
+YL8;/»¡òïLÄ7äPOúbc3ª` ,ò
+Àì9µ^h]ûN¹·¿Ëì!OWϣNJ ß@¯Cu=G¥õÿ”>ÀÅOòè¼LGä‘Ù/¤I³¾Ðù>]šP”² 6X‚2¥Y•›â¸]™u ü‡Œ²;5xš
+@³;K¤†´d"^®ÍV^ ¹'M)ÓL´2Ú{éêv¢Ú]5Û¨ÏÖª›ÕÅÀè¥sš!F¢¨ŸÐé—d—嵺ÌÕª‚ë›ù«ÙŸfó´âAR™C#—5£öémæÆ0تÒÒµÁþº8æVtâ@Û%iéál—TË V¦3>{tM÷†Fðµ„AhC0<óʶˆÌšX‡§ !$¸h®´—K{ÝÂÚÉëînÒþ=‘-ªóõ8¤),¡²2ãµÂ³÷Ó7w¯gžr –Q›mK²¶Ûâ³C
+ÈäÝÎ`gZ|i–m™Ž»Ñ£Å1·EXGÁ~›"`âÑ@ƈÅRXZ`¨6Fx唺žOÍBgk½p­}e(ïŸH:ÚH@$V®%¬òºx,L7è‚6HÄ\õCYwçWKÐOÐ."å‘n³z¥2¸L—ÉQû’QÒ‚ÓWGA™jZØÜ×Â(’0 Z£´nªú=ÚèÅ}Z»HKÓq‘Ÿ F}¬ÑüÑÞ1i¯W»cÙ\·|óžÆt x뤬ÒC3-˜:_¯ötk˜y#!©Ãý„˜!7äÔz®h&§,,–I;=m‹âSÙ)¾¡‰!‡åªÔCè©hšÂà­MÓΰÍðvn"ƒ WÏd¸¾ZîjRY\H•½zr=?3}.ÝŒâ
+B¶Û‡ª)
+51
+f7¾í¦—Ùz“äÇdëKrº \ðÉ×3qUàí‹+ÑcÆ<ü8A” ÒÔ ï\ªŠUÔCoúnñëíÛs°¹ª ‘§6.çO0†ìl=º*òÚavܵR9b\:gq @d<‰
+mßø*áÔ/\îÿ&QÓx±Ñéù!Ü|t«Çfõw³²ã™`Þ+D‰hzgv°5É3sr˜[›H´\×Ù6ÕÊ8ûFÚ×Ï}'`õÇ]¸qÁÿþ†Ü~-çÐ|âç>¹Àc¼¬ˆSJ›]o¨º`±žÈ"îÿ ­é¯endstream
+endobj
+2536 0 obj <<
+/Type /Page
+/Contents 2537 0 R
+/Resources 2535 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 2510 0 R
>> endobj
-2029 0 obj <<
-/D [2022 0 R /XYZ 85.0394 517.8114 null]
+2538 0 obj <<
+/D [2536 0 R /XYZ 85.0394 794.5015 null]
>> endobj
-2030 0 obj <<
-/D [2022 0 R /XYZ 85.0394 458.3941 null]
+2539 0 obj <<
+/D [2536 0 R /XYZ 85.0394 573.4038 null]
>> endobj
-2031 0 obj <<
-/D [2022 0 R /XYZ 85.0394 396.012 null]
+2540 0 obj <<
+/D [2536 0 R /XYZ 85.0394 309.4358 null]
>> endobj
-2032 0 obj <<
-/D [2022 0 R /XYZ 85.0394 145.9047 null]
+2541 0 obj <<
+/D [2536 0 R /XYZ 85.0394 249.0624 null]
>> endobj
-2033 0 obj <<
-/D [2022 0 R /XYZ 85.0394 83.5226 null]
+878 0 obj <<
+/D [2536 0 R /XYZ 85.0394 211.9585 null]
>> endobj
-2021 0 obj <<
-/Font << /F37 802 0 R /F21 714 0 R /F22 737 0 R /F39 899 0 R /F41 939 0 R /F53 1029 0 R /F55 1037 0 R >>
+2542 0 obj <<
+/D [2536 0 R /XYZ 85.0394 179.7548 null]
+>> endobj
+2543 0 obj <<
+/D [2536 0 R /XYZ 85.0394 144.9999 null]
+>> endobj
+2544 0 obj <<
+/D [2536 0 R /XYZ 85.0394 81.7046 null]
+>> endobj
+2535 0 obj <<
+/Font << /F37 1026 0 R /F21 938 0 R /F22 961 0 R /F41 1218 0 R /F48 1238 0 R /F39 1161 0 R /F53 1313 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-2036 0 obj <<
-/Length 2089
+2547 0 obj <<
+/Length 1971
/Filter /FlateDecode
>>
stream
-xÚÕY[sÛ¶~÷¯Ð#=¢¸À£ë¸­{N·v§¦y %ÚfB‘ŽHÙU}7Š¤H)N|δã –{ùv±ØÉ Ã™‰%šê™Ô LÄl¾<³;Xûþˆxš8Å]ªo¯¾ùŽÉ™F:¡Éìú¶ÃK!¬™]/ÞEß"…ŽŽ.NÞœ½ŽO8;ýÏïo/ÎŽc"J¢“Ë˳‹×ç¿ÇT` bŒ£7'¿œü×Í]k|vuüþúÇ£³ëV±®ò3£Õ§£wïñl6üx„ÓJÌžà#¢5-¸`HpÆÂLqtuôSË°³j_ƒ`DYBGРdFÒBÐB£„Qfá8ùåú‡·?C€œvÀó˜&ˆ
-Gv^6ÙªÌÀÕ¦n²eíN«²®VM¾^z. ”#ÆêÙpl0èÎ
-²“H&Ní]ëµ@”$a+;pAL¾Ì‹ÔZO ÷)@Q®?e0Ó\L«Tt³nœ¼¼q¢Òâ)Ýxë僺Єõ
-Îg Tc†EÛ3œ
-d
-q @6Öš…óÓ^=ÑèW›
-»„c¤ÙF¬ëô.„èz¹LWþÂÏ×8ÊþÌ›iD°¹ŽÕô
-#{¥Œâ„âÝMí¿^ïêþ7ÚÒ°Fendstream
+xÚ¥X[Sã6~ϯȣ3C´ºY²úƲiK»(dÛN/ÆqÀmbS_è¯ïÑÍ—Ä ìt˜!’üYçè;W™L1ü‘i(PTM¥â(Ä$œ&» žÞóï&Äaæ4ï£Þ¯&ï¾erªTLW›Þ^ÂQD¦«õïÁ{D0šÁ8XžZ|˜_|¿¸øñ·«åb6'’Pœ__/–.Íiˆ`ŒƒOçËÏçíÚõLÑàü»ÅíìÏÕ“Ūլ¯=ÁL«õÏä÷?ñt ‡øa‚SQ8}‚ FD):ÝMxÈPÈó+ÛÉíä§vÃÞSóê(p Ê¡ƒ’)!H…!ð*$e†‹Û‹›ËëÕåÕRŸÆ¼ÓQˆ§s* )5à<Þ¥ëyò&'E¾q/ÐÞ èËH/j¼AV³9c$¨R=ÀAõ’×ñóLBÜ5µ]Í‹z—îâ¼Î’ÊA‹Ä#zR,¡\:¹FÏíG4ÊkWä`Lï›2®³"·»ë•íŒ©¶{Hƒ•UÇ=pªe•Þ|:g”#ÅŸÎ[šaßǸ¬@üœĹ*üê¦(õ€.@Xül§iYÎH¥93•A¼-ò{ûÎSV?XT¼ÝÚ%«Re'Yžl›µ—p÷âVk8W"¸ÜØ—ó¢ÿ®¹-ªÇ4Éôƒt}fÙã}’9eH„!wô½Këäå¡}âx ÐGQ!B·—Ö@G–9~¯íLBÿ®ÓMÜlá$F˜sN")f9_uú œ”E}V8xS\ø‹Äsòº·Š½Š^5·q–Ûß*sÇujgÆôζpð:}®)µ;7ɃÅÕ¹$’HòV§2_'èïôeD­ƒÏIá€ÚÁFvƒ¡bs—åk½Y5¶C™C:]c{X«®ŽLke „ƒqVŽ›ºØA
+CgñOqe÷LÒªÚ4[4"ᳯâ•Jbw€»Tÿ2w>»V¸_gý¸µˆ^OŸ·Y’ÕàO„àÌ%[ ´I*‡ü=OÀV9ƒ×ºSôŠT0!_í®L¡;¬ÛIBÄ4”©Ë#uÖ‚æ}”/³‡]G‹Òrçû"…@XÉWDzЈHºg*퉼.3¨-&š’ªMß»aÕìvq鬩Rz>g6ÍŽ²Ã¡ÈBÉ{…ê;eØq): {HÉ7ô}•iRå˾n2 BV®Eh×'ZªˆÕ»x° Åt(Xé)Ž!
+#!ÆôÝϸE2ô-RU¸Mu¡2#WÈí62É4©³/&ai
+‰ ý«WÐH’QÄØ°7?F”!E0ï‡Ñ~×>çp·'rлß,VŸo–Öi~ž¸Ùül¿Áýï¯Vƒ:j½¸Ÿ­|íʨëvê¸nªa&"Cÿ~[Nß+ÔØm ^P>eU:NŽW×±c#õv±°/Ÿ¼½9cKJïãÌpËà9ëõh–)Úíc³S}Ï—`Œx3¾¿\~°›(§Æz—åÚ྅KË7éÆ‘'Ž‡OqÞÄÛu ¤#(»â¤—0˜@¿>$âüóêû«›S X·¸Ì¡^䩳èí ”³ÕE‘WEYgÍ® ]þJ gçRÐö‹òl~ÀŸ‰ }…ŽFHÛ¡,]Â9Ôaè{0ÙwY½ÑÐ<Åî1Û¦F€í=(•]>î÷#®·Ù:«ÛÎ6m¹7 4ªu»^ÅöØ×m7ÆƲ"n­ó¿¿|wùá*Æt«6š_© õ·á•Òä‘PV÷üP÷ÿ
endobj
-2035 0 obj <<
+2546 0 obj <<
/Type /Page
-/Contents 2036 0 R
-/Resources 2034 0 R
+/Contents 2547 0 R
+/Resources 2545 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 2004 0 R
+/Parent 2556 0 R
>> endobj
-2037 0 obj <<
-/D [2035 0 R /XYZ 56.6929 794.5015 null]
+2548 0 obj <<
+/D [2546 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-2038 0 obj <<
-/D [2035 0 R /XYZ 56.6929 751.9898 null]
+2549 0 obj <<
+/D [2546 0 R /XYZ 56.6929 751.9581 null]
>> endobj
-682 0 obj <<
-/D [2035 0 R /XYZ 56.6929 712.1227 null]
+2550 0 obj <<
+/D [2546 0 R /XYZ 56.6929 608.6139 null]
>> endobj
-2039 0 obj <<
-/D [2035 0 R /XYZ 56.6929 678.7055 null]
+2551 0 obj <<
+/D [2546 0 R /XYZ 56.6929 322.9834 null]
>> endobj
-2040 0 obj <<
-/D [2035 0 R /XYZ 56.6929 642.737 null]
+2552 0 obj <<
+/D [2546 0 R /XYZ 56.6929 258.3082 null]
>> endobj
-2041 0 obj <<
-/D [2035 0 R /XYZ 56.6929 575.4649 null]
+2553 0 obj <<
+/D [2546 0 R /XYZ 56.6929 193.633 null]
>> endobj
-2042 0 obj <<
-/D [2035 0 R /XYZ 56.6929 435.4781 null]
+882 0 obj <<
+/D [2546 0 R /XYZ 56.6929 153.54 null]
>> endobj
-2043 0 obj <<
-/D [2035 0 R /XYZ 56.6929 292.5265 null]
+2554 0 obj <<
+/D [2546 0 R /XYZ 56.6929 120.0237 null]
>> endobj
-2034 0 obj <<
-/Font << /F37 802 0 R /F21 714 0 R /F22 737 0 R /F41 939 0 R /F53 1029 0 R /F55 1037 0 R >>
+2555 0 obj <<
+/D [2546 0 R /XYZ 56.6929 83.956 null]
+>> endobj
+2545 0 obj <<
+/Font << /F37 1026 0 R /F21 938 0 R /F22 961 0 R /F41 1218 0 R /F55 1321 0 R /F39 1161 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-2046 0 obj <<
-/Length 3060
+2559 0 obj <<
+/Length 2597
/Filter /FlateDecode
>>
stream
-xÚÝZKwã¶ÞûWhÑ…|ÎÅ“
- Eå€4(mHƒ`hód&…F £ÌJã¶Xef@K´T#"$…¢”òõq»5¿ž˜¶‰µæÄ/7Ùò×òrÁ¸˜W›´2->¿ýÉ.‰šgËÂþ®Êæà:;8ÚªpÃW®[|þ†&qT±ÀEµqù~ñßbŸ¹Nº÷4űZk÷–¢3Ë$l¶ i!¨]À¦(«}ºËJ˜’À¾3‚ÇĤ8l U 1m‹e:&'Æ4µØo¿8¼‰™ö­ÇeONfðy“/7ÍçVd¦kDf~ãºM'.¹Õ¢§qÅÉ$
-TK@E2_eÛìSZåÅÞ=¹»w¿ íÕ%~uÖ2˜ŸÂ;Tô'qc5*L¯!˜Ä¡ÂΨðpˆI,Úp€6¸fó÷•{–n˵¢@Ûë´>m~–tµrÌ–ž¨¯0˜ïà ö5:¯ÙØ¥•Á€{Z”qÚÏÙ¡ÊËle—ƒÃ:Ü?z´Ùéìòíê¾’\’á›LâÛíø+CÛu‹@ëá†çe±Ëê5’\lkkÝG~;æ®±ro¹}2­ì÷¼¬Ê7ÝióÈn¶ïÈÔ²“>¾iî Ó†è]Ó,Åý:K'1Dz£“‹2ÜæûO#;“pDçþ%ƒüþÄðm¢xo¯OͬÁDˆÀÎ*/ÓÇ­‘csÿ¢éÐ TŽh€ÑÇcåS·nô5;<ç¥Á ×LÂui9°€Q6™ëö&Ÿ6[`#Ô)Ñ0!ù2ó^ÑŸ²e•Î@%hª·ÅŠ"Î1?Û“& {
-˜À4XÇè°ƒ÷]Áúí ¯ÇËôXfAI¼Âgk#Ö5XjO}Üomˆf=¸quÜ=•£6`Yì«l_M˜UÌP¢‰:¡( ª E TVQ~V¥EP”÷,-5¡).¦ù
-D|µ”„
-H§’c²ƒïÀ.sX.¡MŸf÷xáìaIp™¤WnPdþœÛÜOÑ k¤©Sn`æÛcˆ4Ì€‘ˆQ7Ì[êæ”nº s-9RR‰f,_á|ÁA*€ÿ®ÎÔZ}Åͽ†¨¢­Åî)ßf#:¡AR´ÎMA£ß EøˆjÕÌðžÓÃ~<¬HtÒ·/æû¤&‹×Sž
-êDx2ÍX¤ଭ¥ðh¡Û¬Õ® “ؘÜt¨«Þá¡ËMq4™Œi?f™´µC˜ù§ùÚ?Ødþk1ö·:56% XKK5a§š.«S(áºïë+HÃßyê
-Ðâ‚×.eÀ|"ìëTç¼P¼ àü$ÀIb´ì„jRM
-¶‚7„ތٗ՗í€ç5›Mr©Xk°
-„¶S.´ô#å1¯Üq‰§u'+¢b ^ØŸ˜±ôX0S¾L·æTÍ =úßÔO–=¥‡´ò“•ËCþdPŠù{7XíKûŒÐ}ƒÐÞ
-Ñ\ÂØ$g‘¨ÏZ ŸRh.©ÉÛõƹ£½ ëá(• $T2Èl7¦4ñl\–½ìb&u\ •ï—Ûã*s•¿Ta½KO
-endobj
-2045 0 obj <<
+xÚÝZ[wܶ~ׯØGêÁä£bË©ÒZV"µÉ©ëjII´¹¤¼äZQ~}€ËÛîJŽšö4>'áÌà›Á\ e
+ÿØ"V„ŠD.¢DE™Z,WGtq k?1Gz¢°OõýÕÑwoE´HH¢¹^\ÝôxÅ„Æ1[\e‚“‹‹Óó7g¿‡\Ñà{r*Jƒw'ç?ùÎ]'<8ùáôò8dã ˆ5tšç'ïNß„¯ÿrúú¯ÿ|~züñêÇ£Ó«N³¾öŒ
+£Ö—£é"ƒMüxD‰Hbµx€JX’ðÅêH*A”ÂÏ”G—G?u {«öÓ94”ˆ‰Šy4g ÆH¢à¡¢ËǪ¾oŠf¼ ú` ıžÍ
+ªœÍXò8—â«a4 Åôm|1Š‚“,+Ú¢®Ò²|<fŒ™m –ØÝX&÷÷ea¼Ã²j×ŲÓÙ% .”ù×¼lpúúŸY~“nÊÖðãÆÕ2Ç‹„ùÊ cwH‡;«7í½AU08TEYâè:Ç'8w†£´qÏÊ=—í&uÔˆ²uÐ0<˜þëëÇ—àL P¨±@PŒ‹He/}xð‹=ÿ†õ*­6Pû64
+[J³©RפÍÔf‘†Ú4ñ~h ½`i 6 ^†Ñ–˜*êÊv²W3ì%DÚ8#î¡ÑNú)ª:±®qš²…òHƒ3k6ì ¿²^¦»Ô‡ÆHI¦ö0–$‰™ì©kÙÒ²®ð}¡ à3i"!BE}ÆXt—šÂdGL°Øg*ìíݪmw±Ø×Ý/ñÑÅÐó§5‘lt#¤i½L¯`|éݯ8ƒ~´Ä¦?kú“7¶ÑZÓ™šé|­×îþ›c‚TÆ—®¡ÓAŠ¢
+½Ç+L‰–Ó¦ ë›Ð'ÖE¨Ì6™ö?Ц´& 7Æ'] Ú“ÍÅ<›{—YÀ—÷ Ú* ƒewcD-NÛôÔÃÉL>ÜË»þº…Ì×Ú÷Qá6Ýuñ
+YVÀ±pJ™]A:V½û-áT÷GG ¬endstream
+endobj
+2558 0 obj <<
/Type /Page
-/Contents 2046 0 R
-/Resources 2044 0 R
+/Contents 2559 0 R
+/Resources 2557 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 2048 0 R
+/Parent 2556 0 R
>> endobj
-2047 0 obj <<
-/D [2045 0 R /XYZ 85.0394 794.5015 null]
+2560 0 obj <<
+/D [2558 0 R /XYZ 85.0394 794.5015 null]
>> endobj
-2044 0 obj <<
-/Font << /F37 802 0 R /F22 737 0 R /F21 714 0 R /F55 1037 0 R /F41 939 0 R >>
+2561 0 obj <<
+/D [2558 0 R /XYZ 85.0394 749.1077 null]
+>> endobj
+2562 0 obj <<
+/D [2558 0 R /XYZ 85.0394 598.1922 null]
+>> endobj
+2563 0 obj <<
+/D [2558 0 R /XYZ 85.0394 456.267 null]
+>> endobj
+2557 0 obj <<
+/Font << /F37 1026 0 R /F21 938 0 R /F41 1218 0 R /F53 1313 0 R /F22 961 0 R /F55 1321 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-2051 0 obj <<
-/Length 1827
+2566 0 obj <<
+/Length 2888
/Filter /FlateDecode
>>
stream
-xÚÝXKoÛF¾ëWÈEÌ;¹{tb'u‘(®%§Ò‰’‰ðáòaÇýõå.)RZÉŠ^
-8¤†3³ß¼I¦~d*$’šêi¨9˜ˆé*›àéþ{?!Ž'蘂!×›åäõ;N5Ò’Êér3¥VŠL—ë/³7H£3€gó‹W—gåœÉÙÅÍÍÕüòú¸˜€ãÙÇ‹ùÝÅûìæLÓÙÅû«ÅÙ×寓«eoÎÐd‚™±å¯É—¯xºË`Ä´Ó'¸ÁˆhM§Ù„ †g¬{’N“ßzƒÛW}p¡ \NÆ‘ý~ 
- ¦Ph$e=P”ø€ê¸ PÁïæ ¯ß 1à$…!V Ý°dÅ:ÞGCKÄBN¦CvuL»èP&ˆ Ádž-âU²y> ˜–³§û¸¾K{SöººWß Î6…û//ò ŽË,É£Ô½š¤ëUTž5[Wàð«Ùü4—}dïb« J³¢ª
-Ó€h
-¡€ H A[s£ô)z®LœÑ˜j +¡jÒÚÞ{ìe%iÓii_,ìµÉ×qYÕQ¾Þ84Ó>É¢zuŸä['8ÝeRßgööO,ðí»·ö‚–Ã0¬f7EU%ßÒÖ³à®ÑaŒÇ+›
-mŒÂ‰‡HÌ]üI)ŠÊÜ\óÐÇL@ìÉŽÌZÇ›p19EpØC%¡d $ÙæES£Ã@–ä°K”C61Á^Ȧ׉l긌ƿ‹<Σì ]
-µ/¿~Ù‰I ¥»(Ÿ}B!©8€·yQhSu·ï.*0}üj'h&M½R¤sÝÙ¾Ÿ{ÎÅ°/ÁŽG»H Ü t‹ÑN¿¯hSÇ¥áòjñööúfyýiþ“ Ú7†B°rÜådb
-.ÍÔo.—®vº-ˆ-eË®¥Mûºœ/ìll¸Ârè? ñì!‚Ðkÿ2MÜ\ÛAŶJÛËÚ4Ÿä[S'…Óº± Þi»^¼E–z×nQ@dÅnêoWÏö4£lJrع`ùh…¶­?ß›˜àç]]v ×V}³eç=ÉÏ÷Æ Ó‹Q¿™(Cƒí ¿ßÇ­ <ßmŸP°Õ÷ESÛìʲm²8¯«s‰Sa×SzöówA«Wjå[l"§ÚWÏÜFco ›9qÛ”=DÊMŽžp%!Fœõ5ãu\¯^·V!SÏ}s,Ê’©áPb>„ÝsÔÐZƒð³›öò¤N¢ÔµÓ¨Žö]BØÄΧ›nrù«‰Ë$®ÐOôØOm-Ž-Z"ŠÁ'›è€éøÑ1µ_3ø¾> Ó™&ꤾŽçPßs dÈÈHß]å"ûúæ‘wy:ˆ¡[æãѺÏ{ó1¡¥²È¬ïîqâ²c=Df5é B"_©f÷ »ÚøöbbR¸ïýª=BØEØͱ<*¦Ëˆh¸dM lô«´©’Çøø")wž^#{žK¤åÙ™ìsþ e½ï÷•ù\?P6ô¼üï=Ïÿžïf^ÌWO3p_NþõÇÕÝÇcnj½¢~ÇÒÔ@;£Ì᥇A‹e°ôÚþàq!endstream
+xÚÝZKwã¶ÞûWhÑ…|ÎÁ“
+ Ê3Ћ€÷Ô<­3‚$!À$™FÞ3ê † .£³ÅÚ¼èWo…èqj”)–Áä†c]ï·y{¬‚)¢œÎúKž˜‚ÑÞrKD)hb ÙíC±,×On[ÚMá^;®×Gÿ]ïüèWŒiUÀþ2{Z7My_ fhÜM¾¿$j^8 ´E9Gã …_)åmñ¯Ö\=wÿ¨FXÀ‹^ëüPµ0$~¥Ý*±ŠÐHêî0ù>[C"Bõ¼è Òh“eú Tz\P \*oP!1.ù¬0¤±PÓ¢E®„lC´(¤”$Cá"Z˜âL±ˆC4h14ÿ‡öáÐ:¢Ã‹£7f*C(V
+L ¹ú» %âRÉõ¡Øì&6™„HÜ4»Å ³Ý͆$HB‚ç²ìÖ$Èü±l7fDƒ©‘¾I9Â:/«ƒ7K0
+1Ö†ùÀÚ܃ÆM7á¬%GJªþ ˜F$_pp5
+Á‡‚]8t8s؃kî.Ùœ!Û=s´u±oܽÅq÷×+Sâ!÷÷<áIˆ†w<b(pÊL}ù3D˜ÏÄ#ìÅ㹞|<×ãX&r½A&$¡’r™=® d.‹ÌÝ%D“rÅ„èT®TB4«+1³.÷’Ì­×5÷7·îzâu)£Ñëãu -z]C4hµŒEáù†à¼®¡D¯kÈÇ^—aѯ[Yðºƒ&ö®æ§
+.G߀Ò^ {gétä(Ý[‘yyÛ:¶5€º9€k[xϹ
+ïèìyð·vsh|d=
+Ó˜Ø&ºÔ¡‰#×D—*6Ñ¥öMt ›è@ˆMt—þ¡‰.ƒIÉhF0êšè`ÍÙü]ë—¨šº'Š`vøŽ¡É¿Éÿ<îño‹|g•h{úÇgy!Å;>ô+̡ʸ%Æ·Huƃö¸&<hà²ôö‹JÚI¹bI{*Wª¤Èz-Â÷ùàš»Ëí—BÌÿánN.â¨á<6Áìþ.bÐp±2µ¼ —Ìœ1¼`Ã…
+ÆŸÝp‘$:ÌÓ†‹|¼áŸÕp9[×™c ¢%›FgŸk‘Ë¢³M&¾„Š „U¹¿`2þ“ºd’éiá"WBºa]ǑЊŻڸxbL˜a.ḀB0ËRò\¦Ø¡Ìhj?©MžÍ¨Ü-«Ãªp70‘þ g
+7úT)„ÍÇ+ªìœUf4LB šÞ™‚°å’y°Í›¶Ø÷™Üø/ïn®¾ûñ͵»;B¦QfêL:̉ëýïþÐþ.ž¬‡«ÇŽõQXí‰Õþ²êàË]BeÃîÒAË y¬SJƒ:¨3ÅQp%fçŽÞû\ãàŒ\œoŽ—Ì 8bͦ— L‰%GÞ Aõ —| Túó£¨Rÿ™Ã®ÞÙÒº—ÓŒîb^=æO~ ‚X»šêÍ@øGŒ1öòÍ"’9s(ÐçšØªÀe·ê§/:®š”+WÊ•<®ÖÄBÆÛÄÂ͈àºôI––¾$
+endobj
+2565 0 obj <<
+/Type /Page
+/Contents 2566 0 R
+/Resources 2564 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 2556 0 R
+>> endobj
+2567 0 obj <<
+/D [2565 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+2564 0 obj <<
+/Font << /F37 1026 0 R /F21 938 0 R /F55 1321 0 R /F22 961 0 R /F41 1218 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+2570 0 obj <<
+/Length 2199
+/Filter /FlateDecode
+>>
+stream
+xÚÝY[oÛ:~ϯ0Їu€ˆåUÓÄ=›³m’“³ ´}PlÚbK>–”4ç×ïð¦H2mXìË"@4"G3ÃáǹÐd„áŒR0“|”HŽ&b4[ŸàÑæ~;!Ž'òLQ—ëÓýÉÇÏ,I$cîY)ÂiJF÷óoãóÛÛÉõåÕ¿O#*ðø:Æã¯ç×ç_ìØí©¤ãóß&Sxe’ÅÀDˆæ‹ñøúüëäòôÇýï'“ûÖž®Í3mÌŸ'ß~àÑLÿý#&S1z…Œˆ”t´>á‚!Áó#«“éÉ?[YóiÈ‚¥H¤4 8’,… =/‰bF™ñÂÝäþáîÚ®÷SBåøüˬVf¾w"E”#É 7ÙZÍ£Ù“š=ÿUÊ}@»^ç`4Óvjþí)IǪn¶Eeµe…}ªŸym©ªÎêÆÍ– û$ö‘»Wµ5rÊ­c{UV®}›«ZÍj5÷
+ÈúIm_óJ¡vuïDÞ܈¶«œN&öãó/Ó›ÀCNùŽNá9³Ÿv<5+‹EgÚÈc²#p‚I¥sÚÝç çÌD@=pS.¼‹CÁ¸”0ÇðéêúÒÊ“nUóu^äU½Íêrk‡îÔÂù´˜9·~ÍŠ&[Ô“8E4Žc'>ìW&J ‘}Çž?Üÿýæî¸G¯ŠZm å2}«jµv{QU¹­ófý®öÇÔÉa€ó” »t8º§ÁØí‡þÄðp‹Xžk˜ØcQŠâD²÷=¶|§4±TßÌy¹Îòâ}÷¼Õö\ð€î­(7U^ ÃK 1‚ÁA×Q
+‘†Â»©à@ã%FX@ü‹º"L¨à$/[®Îºcðà·ˆÿðTÜR3»4Áº{„ ‰CˆÆ¾ŒùÊ9º§6(Œ;ÞVî< —¦b!ë\=6Ëh¥^Ôê×ÅNŽŠUÅ2/TT´°ø±‹Z‹DÙ˜¢v£í[´l9×Àá¤üy]¬²e@3œž¤d¨¹8º ³MS…J”¦‰
+ܸó’Ç$xÇ5UKM’ûþü°Î~FU9{Ù ,I
+)PÌÛp>Ë ©ì;LÖG²»œÐL!® <Ìy—“éÅÝÕíýÕÍõ/–  9ÇþÜC,ñ8³K5m‚®¡lp·´N’—×S&í€ ž ‡,±7@ÏLéRA?!½[¦9MIû˜ë—?6u^:­ [F8mWÓ d©Ï: jb]ºÂÂf·šÞY΋E¹]gV¨)0ÜÓ¢ XÁ™ýn2zÕ¦tvÖ’ülP´èŒ|–" ’:òkµÿzRF^Êg›‹Òñk^?•Mmg2cü²Y«¢®Î»HD‚Xšø̽w¡üL°Ñk¾ZYùÖ7™SíÖ+!/²fål€Xÿcºl¶­‹Ò± •$qÖÆŒªž}4V!3BÕ%$÷˜¥ÝÒG§5 Ž6ªk­öð›«)‹¼Î³•KÙY ·`°QnO¾>ú³QÛ\Uèòø9CÓ.Á%a*bchTfê.—/êw3uË¥õF|¨R2ÄXJ«ôL•]ÇCň}••Ã÷Õí ÷§aå y¹è—ñí y*+W3­!˜A¶u|îŒÌ²Mö¸Rý–
endobj
-2050 0 obj <<
+2569 0 obj <<
/Type /Page
-/Contents 2051 0 R
-/Resources 2049 0 R
+/Contents 2570 0 R
+/Resources 2568 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 2048 0 R
+/Parent 2556 0 R
>> endobj
-2052 0 obj <<
-/D [2050 0 R /XYZ 56.6929 794.5015 null]
+2571 0 obj <<
+/D [2569 0 R /XYZ 85.0394 794.5015 null]
>> endobj
-2053 0 obj <<
-/D [2050 0 R /XYZ 56.6929 627.8052 null]
+2572 0 obj <<
+/D [2569 0 R /XYZ 85.0394 752.4085 null]
>> endobj
-2054 0 obj <<
-/D [2050 0 R /XYZ 56.6929 562.9454 null]
+2573 0 obj <<
+/D [2569 0 R /XYZ 85.0394 692.9368 null]
>> endobj
-2055 0 obj <<
-/D [2050 0 R /XYZ 56.6929 498.0856 null]
+2574 0 obj <<
+/D [2569 0 R /XYZ 85.0394 633.465 null]
>> endobj
-686 0 obj <<
-/D [2050 0 R /XYZ 56.6929 457.8644 null]
+886 0 obj <<
+/D [2569 0 R /XYZ 85.0394 597.1647 null]
>> endobj
-2056 0 obj <<
-/D [2050 0 R /XYZ 56.6929 424.2917 null]
+2575 0 obj <<
+/D [2569 0 R /XYZ 85.0394 565.0591 null]
>> endobj
-2057 0 obj <<
-/D [2050 0 R /XYZ 56.6929 388.1677 null]
+2576 0 obj <<
+/D [2569 0 R /XYZ 85.0394 530.4022 null]
>> endobj
-2058 0 obj <<
-/D [2050 0 R /XYZ 56.6929 320.386 null]
+2577 0 obj <<
+/D [2569 0 R /XYZ 85.0394 468.0086 null]
>> endobj
-2059 0 obj <<
-/D [2050 0 R /XYZ 56.6929 234.5807 null]
+2578 0 obj <<
+/D [2569 0 R /XYZ 85.0394 387.5913 null]
>> endobj
-2060 0 obj <<
-/D [2050 0 R /XYZ 56.6929 126.8791 null]
+2579 0 obj <<
+/D [2569 0 R /XYZ 85.0394 286.2765 null]
>> endobj
-2049 0 obj <<
-/Font << /F37 802 0 R /F21 714 0 R /F55 1037 0 R /F22 737 0 R /F39 899 0 R /F41 939 0 R /F53 1029 0 R >>
+2568 0 obj <<
+/Font << /F37 1026 0 R /F21 938 0 R /F22 961 0 R /F39 1161 0 R /F41 1218 0 R /F53 1313 0 R /F55 1321 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-2063 0 obj <<
-/Length 2977
-/Filter /FlateDecode
->>
-stream
-xÚÅZmÛ8þ>¿"À}8¨]½ÛLÛÙbÛÙÞvŠ[`w?xeâ«_ÒØî´÷ëÔ‹c;N2@ \ Œe‰¢(Š|HÊ¡ ÿé"‘á©XÄ©ˆ$¡r±*¯ÈâÆÞ^QGz¢pHõêþêåO<^¤Qª˜ZÜo¼’ˆ$ ]ܯÿ®ß¿¿¹{sûû2d’¯¢e( Þ]ß}¼þÅö½_¦,¸~{ó^…à
-ˆR$S$¸»~wófù×ýÏW7÷½8C‘)á(Ëç«?þ"‹5Hþó‰xšÈżˆ¦)[”WBòH
-Î}Oqõáê_=ÃÁ¨™:§!“H2¡!'°ßY=‘ˆHØw ©XôÄ蜞<ê)\á>_þ¯JJ"ÆAÝĬêj“?†›¼ÐSPE#Â_ W>’¯§š —U*"DÆc ?6ډȴ )’x^Ä _•F*‘ÌÑfÍ2ä© Ú­Æ†ÀÉ»}ÖæueG±§Ð¶WM«³µ¥®7“ék½Éº¢}aC3ª"!S/åKÝ®^VY©×/B®X”$`!¥Q*AD¿™™]0¥hw–Xj¢DpF\/CÁe «¦Û/ihûÞn³["°½E­óêÑ:ª£Ýc§ß=N‚6¯:ݸ‰nµ§zÿÉd›Vï'\½ÿâ;· q³]¿·[먫mV=jT.Oƒ¼ml¹YñeÛ ¬ÚzÿÍuuÚ6Pœá3³]Ý4ùƒ·†ñ¡p¥„(§H`î«\ÆE3´”õΙ
-êžÖ
- qlDÐiÕøbÆ|C–
-³è2¤:.=•A—õºP Þ×ú¡{ ýEÇèÂÀq/É×SÍ8F—8R*•c ?h𖺓ÄÆ:Óe]ý½qo(žmZCq¬íøL©
-@@á1`SdG'I!F+
-ùæYÁzªÉFË {Me: rt{Œ‘‚&V
-”`Ó&ºC_×dÚ6×LD*ˆ¨<{l0O&ï}”7¤n̾d¶f2GE¢ãZ-صfÒ­R3ÀEK5ÃUDEÏÆ€õ)6És¹@*Rï×Íé"ŸÀád
-)†\ 0œzÈDì!¡«Ì„¸4â2ö ÊUûõ9‰*‚ØýVû¸[´‡Óìjïm=qáÛ¯§¶É!ÁÐ!/c©žQ±(5꟫¿Âža8àxlÅ,²„ Ö¯‹Ûzwón*ýI•ü8ùz†çåãàÖ@0–ïÍÍ«o‡>¢8ß°qºYíó½îáóçÀ˜P4oPÿÈ›ÕKpÑhûÏgd3§À, r ìTgÀÎS°«.¦™[íºæíÕ@~V²žjF´ÚA"‰h¯]îÓÎALˆ©ˆ§"gn„Ÿßae„SÞⸯõ¨°UdŸ´íÉÖ_²ªµp
-¦z…g k¾+Ñë÷wCrëL²cÍN¯r,dôúÅLö‰6J¹”}B¥ Ù·à“zç)7‘ðºEì7ÚÜÇ€‘BUYæ•vÝ[רºòÁ~awƒ´(¿íÙ9dÑUk;lȇÆêpfN}àì•èXxîÀ5²´·Û“;¦¹[­«2}Æf  †Ñ‡»Â[¿ h›]ÀwñÂ%$.ɸW¸þÜ-›È8–ûÆ‚‡Ý®Oº£ˆ^hœœwÇ!Õiwì©Œ;î.ºã®Þ·ÇÞH¢DÈóry¢¹Æ™‡Ä벉`¿äM««C
-hŸ;½ÏµƒÆÚzù¦ñ –|ñ@u9
-⮃É49À$´û¯ Ð6Ï®ªôJ7M†åˆÅ7èÝ Öä‚w«žX”Ë ”Â[™ý)
-ªð>
-{'„¾cæ<vTæþ‡Óà¡sr>èÍá,¼û{änÌ›
-¼B&bí]ûäg î2<&:õ'.#Ág „ôiÒwÿøéðã.8W0ÝSwÛ³Ô”z¡ps”ñ©è*w™°xFöÿsdendstream
-endobj
-2062 0 obj <<
+2582 0 obj <<
+/Length 2820
+/Filter /FlateDecode
+>>
+stream
+xÚÅZmoÛ8þž_aà>œ Ô,ßDJ¸Ãi›-²ØæzÛ·Àî~Pd:Q+K®%5íþúrHY²e»‹tq)PSäh8œ—gfh³…l+¢RžÎt*ILY<Ë×tvk¯/˜§Y¢ÅêÅíÅ󄞥$U\ÍnW^ ¡IÂf·Ë_£„124º¹|sõj¾à"*º|ûöêæÕõ/ðS J£7—7ï/¹·ó”G—¯¯ÞÍ¿ýñâ궗g(3£Â
+óéâ×ßél ¢ÿxA‰H“xö”°4å³õ…Œ‰¥a¦¼xwñŸžá`Õ½:¥'$æR6$QxLjŠÍi‘’„sÑkŠ³)M*«©Åjÿ J$‰“ÙÙÁ–hbK>ØR%$Qš·ü¹«P×íƒÁAc¶ŸÍÇÅþâªÞÎY™{÷QwÕç£1-ˆ
+F£e³UÝâ`™™u] _Ø·¦W™¦à5±>§×Õ ½*§×û½Æ`îôÌ–hbË¡^5%± {[~'½faà rOŸ•%Êúþ¾¨î=»Úžóùr¨š£*ŽáLV°¦]šíéFÇ1¸GOvÔHJ+ÂSÐùI# ©Ž©§rFZ£P ÂŽ’A¤)™z¡Vev`É4&\Òœ”+MÈ5T£”p™Ê±`·ó”FÝL&¤ˆj÷)£5xôö+ÎuMvop¸4w·ˆ¥úR‘Ý7Û€ÉÛºiŠ»Ò“ú5|ÈÐþ^bh?•’˜ åu€{šCP':hêÙ#E˜ìÙ´Û,?Ê&ùV.[“×ÛåYg:˧h˜F”Q9ä0Ìí«àcUÒ8Æp³qr¸K‰ˆµðï¯óöËÑMDï÷ÁnLãC Nˆ¶i6uˆÆ¶Þ‹ßëw/÷“Û,‘‚“+I„Pé·$)NR§ý©µ CŽ‡NÌcMT¢“ÝÆö\o®Þ˜Â9ûžŽçDL ¼Õc_]½xÿúø )҇K ¦É·ÅYöøytàOV¸àSÿ,šü9D)yøׄÕÛu,Σà$Ö,9ƒvªh¨ÚUShÇH’ÆÁÿ–oºæ
+ õ
+?×]Ù›Ò½|û¾ñãµ'pņ]k6&/À{¸Yzà™C0›{éªlm¦l!Rˆ#)Øh —y±[‹þn`Á
+Ð >uf[Œµ_ âíg@( ø.wT'ò¬O׫½"~WcçXšUñéÁ¹ˆäFÐ\5©Œ ƒð=cÒÕ “*gÒè„\^rzË@4±å(}¤D2ˆ˜Ñ–ÿkm‹Ö+%Tˆvì+D§Æ6kÁ¬EÞœ(ÚðU’ïjöº›2œH ÀQ,ø‚ùR´
+O‰Ó4ÅC°†K²‰kã¤{
+ù…âÑÕf(Š~ië+ªÝÖ³O3È2M Æî¬;¸‰ç×k>{UÉfÃCyÆ‹!gw(5JÃ~
+z€™T È`Øu<`é¨Þ´šVûØRÑ:+ªò«__ùµ
+Û4->a‰ª£×7¯ð'–f.hôyÎãÈ”5ä¿o55ð¶_ñ%„g •þºž³Ø¿·gLŸ4ô¨Yuï*5xp.|fø±êÚnkp¼5¥É Ê®Þ*!Àx’&³¡?<ÍÅøŽJ¡Ð_ìîxž
+£õª+qæÎä™ !KæÎ`gÅNà¡Êί÷ oßrÛ}YL‰œË@2ÏZBãUëÂÖ4Vn»`O%™t½4¨±ò«»³«ÍW(m×HpùöšàìõœE-­Jü>[ã ãwlLë·²Ip¢‰y|°z’Ty!`°DX¦Ú‰¼®¬>î;h<`ÞËo¬ú£&`f·îÎGc{AÁËž{“{§Ø´õÖ¿ío¥öuˆF³Ù·ß<³öƒPÉ9»ØÖÕÚ5…–Òù,~¬\~¬pÚuÏ0Ýt›uJI#ÿB¿ÇØð@[Ù}3ç„XMÉ(iÅøhÿ´ôN­þ¦n b(›ÚŽl¨d-Îy£ÃbÞvöHv à\¬q[œÊ`ŸÑÖ0_{oÎJ[Ý8>øQm[š)[;³+ç£åê:N§€¬
+#ƒƒ‘*8¨"Ä
+5ýaÞ8V½iJôžù'Š7YÂÿÚÚQnáE~ÿÚmÈùDíƸ&:—nƒ~7UƒÒMûÒM[0ó3…§7ùÐUyxMGEû€#ëJ߉B˜ñ”‡¯
+Ý’3h 7(Ô3 æ jAdž?l!&{g怈|ß—3¼Þl]XáÂ<” ø=!Ìda¥Æ[l-kÓToqÚTÍr#Þ˜¼ î’¼ò—äuãßÀòªù‡-èhÐÂA™d“‚/ü&”D ¥:\.áYí÷üÜ~‰?¡0€•XÒûœ5u iÍÆk…÷6Û–XÁ¸e…÷ñN=öÁ[F¨$À.JsoüË®cÔ6±æÙO%
+H¡Åðf"0L¢YQχƒ(}ZÜÿÙ“*HtPk$júg(tìüäŸÆì~û#5ÑŽü
+ì@RR¶’Œ)zxñK ‡:´§Hÿ?=a‹9endstream
+endobj
+2581 0 obj <<
/Type /Page
-/Contents 2063 0 R
-/Resources 2061 0 R
+/Contents 2582 0 R
+/Resources 2580 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 2048 0 R
+/Parent 2556 0 R
>> endobj
-2064 0 obj <<
-/D [2062 0 R /XYZ 85.0394 794.5015 null]
+2583 0 obj <<
+/D [2581 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-2061 0 obj <<
-/Font << /F37 802 0 R /F21 714 0 R /F55 1037 0 R /F22 737 0 R /F53 1029 0 R /F41 939 0 R /F62 1062 0 R /F63 1065 0 R >>
-/XObject << /Im2 1051 0 R /Im3 1185 0 R >>
+2580 0 obj <<
+/Font << /F37 1026 0 R /F21 938 0 R /F22 961 0 R /F41 1218 0 R /F55 1321 0 R /F53 1313 0 R /F62 1361 0 R /F63 1364 0 R >>
+/XObject << /Im2 1350 0 R /Im3 1515 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-2067 0 obj <<
-/Length 2424
+2586 0 obj <<
+/Length 2480
/Filter /FlateDecode
>>
stream
-xÚµYÝsÛ6÷_¡·R3Šâkúä\œœ;‰“Kœ»›iû@KpÌF"]‘²ãÿ¾»XP"%J¹^’ñŒ‰Åb±ØÝßb%&þÄDf¼ôës¦¹Ð“ùêŒO>ÂÜË3‘hfѬOõìúì§ÊN<óFšÉõm—cÜ91¹^üš=cžMÏ®Î__<ŸÎdž+“¿}{qõüò¿Ð׈€„óìõùÕ‡óW4övêevþòâýô÷ë_Î.®·âôE\¡,žýú;Ÿ,@ò_Î8SÞéÉ#t8ÞËÉê,׊é\©ndyöþì_[†½Ù¸tL¹tÌ(c' S\‹ÿe[å¢"Üø¶|2óŠå.÷ÇyÑ:¼R³[1d5s‚iïõdf¬fVônHʉÌk-ñŠœeÒ:9±ȼ´ñŠþƒŽ”ži“ $„5ÚÂ<çÓ™‘Ù»øÿ
-þ‹ìrÛ–ÙËýr†y¸‰å–9í£®&‚¼€ËDýv<ýN+qà§Ë•š<¯áŒ“þ1ãYŸs<¦‘=CRÁew«$sÜÑ1¯ïÊLËÛ¬¾o˺¶ɚ»z³\ÐøM ï¦ i¤LTóºúcSÍ»e6{,Û;jµwôŠÛ‰ eΤ‡6)p¶!š¡˜9(A䉄„úq:S\dE’t~·®ë¶¬>âr°=å™äpþí•Â–•Ý¯ëyh꬧3¡³MUáÒ8Rt3À[2[Ô¡©~hi8TwE5ÔiÂ|CÊö‰†ðÜø]ÕMZÑ<5mX5?COñN hÔ$yÿã˜S xSgœ[™@gýk.áŸQx¾Î¹Hôñ6­Îá7Îe¯ ºÅrYã®qÚ zpx«ì¤Ûƒ©ƒèÄå2| iq[ÓdhæÅ=pfQ
-«.+Úå’í»Fnàw“¾£~ï+pjã!Îvñëë"˜sÎúì„´~À@ÌÑÀÅé3J1‚
-[ª¾?hÝ÷Áœ×*]/8áz_{^²Ü;3éïx WG4"Wߘ¼e¹õ{r½í¦Œ¾/ñîIFÕ[•KfûžŒ{¬¥aNø.x·-PE–ózu¿ ÑŸcÿ~Ì-mY߇ua ‰q@fÍf~GST6_O…ËBÑNE–ø€/ÖóOÚDÔÞ--[–à¥Uâ^‘;ÍòN>0à(
-ïÒLkkw¶ßkŒý±ñi*ym]gUXþ0;J4>‹›rIxýU˜à”Í
-»6ÆY^¬ë{jA§F ¨d· ®t€0aΑDœÏópßRŸ$4>ÛÉ€£õ& ¦¡ò”nÊjq
-’rÐÉÃã1€sAŸ¡l k:Ë1iµ FÚnU=£ ‡ÑF›¡§Œa½M½Y#jçÊ‚«¯J
-P4/ª.àè³Ë«çÔòôYÎOÕÃ…ÍXq…¢ˆuÙ*UXb'±à»«ùÄ%Qb’AuŠ¢úØ Æ"—u] ãvÓnÖ[&ËP4’ÊcHÝ7¨¯2Ñï€Ó=«çÌA0ìÊžÕw‘RB`•NP2óþòåÕù«÷#Ánù–Þ—¨? éx SxÞØ>ç1ì+©ÜǪÀ$ '·…G™Œ
-oÒÊT”©%c²¥ –´†bÌ`âÛ„5ÀÑÏIÒ>(ÆVº.K^W‹ùXÅÀ¢c"Ú‰v(ÚpÓ†bq¶Ö©ðÕr·úTÇkK•®ãŸÞÔ„,ã^ˆÓÛvD#Û¢—Œ[xîö}QGÅÏ$T¢:Ìr‹W˜Aw2µyv\U
-+š§UÕ£:¡ªŽ*©êòêA*e0p}ñîõžÃûÕ;›Ÿ–dK5"Ê@}b¶_Êr·IÀ¹¨«ÓJ‚›Ê~4§
-7øbSŽ,ã[.'D‚±¶®©A•ÈÏ4Û¦ÁEhæëò¦[Su£ð\Rõ‰7À°~Àô‘2•5CŸËýNÚ<ÇW'ƯTÜÀw 0CD{(]ý±ìYJ<>ÀEÏè5Ë1™§ã~"µ§ÏùbUVeÓ‚:êt­ïÂm’½êùuQmŠåˆr…q˜+šcoÔÎåH¡Ô˜Ëð­¥|õ¯“»__s ¯['Ç}œ†yüÁ) …‚ ™FI·‘#²ÿŸsæendstream
-endobj
-2066 0 obj <<
+xÚµYßsÛ¸~÷_¡·R3‚ß ¦ON㤺Iœ4Vz7sw´Ùl$R'’¶óßw
+ BŒ¡œ¦ÉõåÇ«·Óß?]\-:ú>3*Й?.~ýNVàúO”›ªÉ#¼P¬å“í…T‚()DÛ³¹¸¹øG§°7ê?‹T)Q\êÉLq’R>(J¨‚‰ÏŒdD[û(ÎÆÕJa f Îóõ;¥z’ˆÔ*pÌ‹4•ÛƒqJR©&}‹G~µB#~ñ¾5®HÊõc7®nò,,S]F'Eï3ɉ‘Ö8y ›k’2›F¡l]ƒ”W¹,·»«óâ.¼ïöùC¾qw.š,wnŸÕyYT¯¦3AyR5Ëû0”UøÉr?eiâ¦,ɦ3–ÔЈêDR•Ëoðîê([ßguøz“Wµ+¢‘]ö™.¥µ1F¬RÜ;;ðvWîëŠ-…ÉB~hÈ~©™ù3i)R¿SÒñ´¤è†&"Uì´²ð!e±Ù}2T6ký›©”j´îç@7]L9E4—f¢!\0ácpÝ[R¥%ó’”(Áe\ÒOÓ™fÉþóäê(8 Tp•N4¤˜ÑÔ¢ñÉF(„[©^ÛO÷9¾ãõ|Ë'oK˜Ó¤?­Vó¬¯ÚÏKr[ÁS
+hUƒ§ÁiX!uò!/¦Œ&ÍÓ«0O=ÈoH]¡ÛÔ-²-$BêŠ(ez» 
+ªë{ߦœ&>ëUR¸Í_¦JQf™í²Û|“×ßÃûÖ-ï³"¯¶øjp×ùîվ܅V¶Ù„ƾ,똺r÷ø0uaC¨$æ/ZÓ¸QMž–nW‡÷ࡶɳØ·ºìW.& ä„äq–·y±ú*Ê቉„˜0ÖfˆŸhÎÂcèÛ*¸
+šê8綪sv(å,Š”;¬nAgY€ ~vÜ`Á¤f¸ž˜¥eÜ7\Nn“Ç{WŒd­ÒD2+_ÎZ‘ò6·ó¨2hpsð‹£ï=Hà0È l§4 cØ·É°º+HH–®D‚X;Ûí3· ñ•'îUP6TMMRå®0âhÀ}È˦
+Âöbï
+Á ?(Ê:ôÀn*13Ãëñ¦NŸ¼ðÑ­ ï{WgyáÓ5x<;Î:LÎÊCé¹LèS øG 0K´€uîñ‘‚N <jöL~ ¸
+uUÊÀ•ûí¼YœãÍ}Õgx³ä
+@Tt逾Ðûf~ý6´lx¬æOáÝŠ•'tÈB51i²ÍPü{xA¿ð¹w[ÿAK”DÂO$âwmg^„gë¦nö’Ë*æ)Ôî'Õ¥éÿ³™/ 
+Î1‚ȹ¯U û]èèŽù
+;oã—˜V¡åk<—eQ›ðM(P0‚4¸r{
+=»vìfqU»luÀ8^°@Oè4|µBq5þþõóñM‘"p˜ÑgvBÇVUAP´³ïJôeƒKánfÓÖh„õ˜™œ“N‰/D©“9¤ c4¿^ >EÆ‹«/¢f$và:™#'13–›¨ïÅ}ÑrU>çMn°d3 ¬±»~ «Û@W®X…ë0Ï«¾ÇQ0ÙØóVCë帾G¡¦X¹ß(å… ©}X#`Ó IRNñçoŸ®ßÍßýr‰á^Ì?]¿\'íáz°ŽÌâµäÈMÌ@˜¦L·wP ÐÕ»&”<¯‰{6þ$'A_]–¡n$ŸÂh;W®ZîóÛö›¢í…Sà&´1ž¸o("=JÆëM×ײ{v$—xæÄz¯6ðÈôÃòU{™÷2ÅOR¯w„Txÿر€˜(mÃãrµÍ‹¼ª!e\Ö/n}/ÚÍû1+šl3\É ÕO÷O¨«•üçÆõär ¢hwÇÇÜßÖ*~âŽEq¨9²u¡ÙfÕ·1½x!ÖÑu<t·«ŽšãqÌ ìÙ–«8†
+ýùÜ¿u¼ºó"Ùe1duˆ+ˆ÷O‚éd¾#Álu`7,&On¿!œ±Œ°ú¥LîgEËë_…ä‘ÀØ(ΆéoÍSnÍS•ü«lö°ïCgôñU¸$/œ÷. éÂ÷Ùƒ =K x>ÐÌÞæUÕžÛüõúø¥'–jûòŠNÍ!²‚!¬à†¿Ä÷´Ûä˼FÚˆï~K¤*.t„}ïÒ,’uspSQºWóª:ëŸa—Å NR½´*‚ÈT¶ =È‹‘Z ÄKÃé ¯Kú5óÝüÃÕÍ)<ÔÈÝÙy<|–ñP$Ó<Œ2hﵫ—¯ýŒTÌõ *ΚîdmÁ Æ£zƣȣÊ!QÉ©ßÒ—Q”¦]Ðø÷ÂçD¥!@—ùøL¡®-°¬u
+gÊ4;t]  )ì×cßÿ £NúÆendstream
+endobj
+2585 0 obj <<
/Type /Page
-/Contents 2067 0 R
-/Resources 2065 0 R
+/Contents 2586 0 R
+/Resources 2584 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 2048 0 R
+/Parent 2556 0 R
>> endobj
-2068 0 obj <<
-/D [2066 0 R /XYZ 56.6929 794.5015 null]
+2587 0 obj <<
+/D [2585 0 R /XYZ 85.0394 794.5015 null]
>> endobj
-2069 0 obj <<
-/D [2066 0 R /XYZ 56.6929 243.4864 null]
+2588 0 obj <<
+/D [2585 0 R /XYZ 85.0394 346.0235 null]
>> endobj
-2070 0 obj <<
-/D [2066 0 R /XYZ 56.6929 96.2114 null]
+2589 0 obj <<
+/D [2585 0 R /XYZ 85.0394 208.5535 null]
>> endobj
-2065 0 obj <<
-/Font << /F37 802 0 R /F22 737 0 R /F62 1062 0 R /F41 939 0 R /F21 714 0 R /F55 1037 0 R /F53 1029 0 R /F63 1065 0 R /F39 899 0 R >>
-/XObject << /Im3 1185 0 R /Im2 1051 0 R >>
+2590 0 obj <<
+/D [2585 0 R /XYZ 85.0394 94.9938 null]
+>> endobj
+2584 0 obj <<
+/Font << /F37 1026 0 R /F21 938 0 R /F55 1321 0 R /F22 961 0 R /F53 1313 0 R /F62 1361 0 R /F63 1364 0 R /F41 1218 0 R /F39 1161 0 R /F48 1238 0 R >>
+/XObject << /Im2 1350 0 R /Im3 1515 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-2073 0 obj <<
-/Length 2296
+2593 0 obj <<
+/Length 1457
/Filter /FlateDecode
>>
stream
-xÚ­YKsܸ¾ëWÌ-£ª/‚äÞdKöjË–\•Š×Š¤4ŒfÈY>¤(•ŸºÁ!)JV*©9àÕh4úñuƒ#~bŒ«X/ÂX³€‹`‘îŽøâÖ> ¢Yy¢ÕêýõÑ»*\Ä,6Ò,®o¼"Æ£H,®³ïË“Ë˳‹Óó¿¯dÀ—ïÙñ*à|ùåäâÛÉgœ»<ŽåòäÓÙ†R+D‚[:×ëo—§'Ç¡^^Ÿÿ¸þýèìºk(ºàÊÊôçÑ÷|‘Á ~?âLÅQ°x„g"Žåbw¤Å­”ŸÙ­þÚ3¬º­sªTÄ‚H†3ºbNAÌŒ’Êé¢Lvyf¯Är@¬à\H8ÁRå&¯‹¶±Ú‘Ëv“ã=dH¦…iG·Kšû9¾.DõøœËmŽœÓúXDË<i‹ªÄ™]•ÑšeôG·Ž²Ú$‚ŽZîäP‹eKSH™æMTÂ,ÏoqžÜLŽu¸‰›'xIÅ UlHþµÇY+Oõ‹¥X¬t ¨Ô,VB°8
-–ÿ¨ººL¶8I2þ£X-ËÜIóm…Ä›ä!Ç™´kZ§èïózW4 hÑ™4’ÅÜÄ?7Z(¹7m³©º-‰q“£MÞâDþÏý¶H‹vû„ã¢D´L4i]ì[ÔˆŒfd8ÑH×  8^Ú¦Mê–¦ü=Ff ~fÅt¤Qü³ì帙¸a&ŒâÅJ(’îãùg€…iÜs°, ‹1‚£_€,"Z ©\˜êh&L{*{껼Mß¹{±´*o§ç‹P³«ŸÐS=—`¤'@D°:ácŒ/³ü6é¶dƺè]W÷AËÉiÙ‹ZR‚©
-"edqR¿.IOõ\”‘º¤ó+Àß‘,óê8ݪȞië¹êˆi‹ÿ#\ŸáÖ“Ï미Oʼn8°À $W?¯DÌ—‘ÔLXhÎŒ6Ѭ&ülVQ‚†ìôÿ—]ðv+É%Fø*Ýäé½ ›F"›ž/ÿ«*óér]fétnûˆøßd³Ì˜?&À•ç—Z úÚLÀìýùÅ)Ú*&“e»¢,š⥪qê*¿Í)m¥ä4_’²ƒð\ÂDLãSË ^ã‰F^sòíú·¯W3<Çîr^¶y]æä°ë§¦Íw >@>©ê¶èv‡c5SÚHb£/¢HãÍ¡Ër(­Ê¦ÛgYê™
-˜Œ$Âʨ÷™b¦8õ 0`¤ ±wúÖ)R\¬±3¤íÚb[´Osjâ“ z*«}S4S°0P˜)ˆn% ‹„Œç°B€à2ÐÐÒ†,Òæ곞j|sŠü¾Ê~øÞiß»Ãο±YUã!Ý=PC/ŠCpîSá÷Í.IýqŸ[uæ¿6yZçíL¹
-|0œž­?\_^Ÿ½˜)ÄÆP2Œû)¬ÃIkíß`÷¥Ÿ ÒÚ¦»Ù-öÑ.|´Cç›vè#ŠþÙåMKj³Ü¦ÙÒ³we)´}¤Pf|f‚Õ ‘×€Ððäc¶š!¹#N
-§>Ë ñ†Ä'`ÿPEJƶ.G•ï0;ã5i;œê=Bž¨“6»Á ­l«¦5–«±UϘû0;2;IV…ÞÁª0 Y1<”á>øìšS}Ï‚ÏN¸«Î}$€
-72úM&62ö¨oy'd…í mÈ ð4ÑPÕdk)Τ0jŒ@6ŒmèòªË>Ä´<\Zj®S¶8íT®ý‡X² þB{v Ô€5öGPhÙ;(tKØŠe‘Û‡)í>¥¸â.—_.N¾œa×Ñ9_‚êv$†ôbÌ€ÏúëÉ‚Úô~2SÍØnÿ‘f5÷Å@Ø>ÕV{|â*”Üû<>²½QÌÄaô&Ó+XçµÃOË» 3²ü¦»£ãªÌÚ3Ð1)ÜNÒcòN3ðªH¦#›ÛªÞѳ\Ipø—
-á†Ü’—½â$½€æM·ëɆwI–O»݌˜ì·…G
-ª\þº“ioF[Þû, 'z Oq¨)›$%lj'Š»2i;BYœs9ÝvFA‹µ›í9ô‚6éÀŠ
-L»SŒ»€2€3Pí[Ü m’ÅX´tÑ'Ø4
-kbgŸƒnÜâvÊ Ž’Ê Ç3'–¯¶½/«G⌞;÷O <fìç­™g3ïÝöþåðo‘™Š"9ÿ!ÏæmÎå…²Š2˜ŠÞÿßò\öÿ
-endobj
-2072 0 obj <<
+xÚÅX[oÛ6~÷¯ð£ T /¢.nãv Z'K\`@ÛF¢mu2åIrSï×ïð&˶Ò؆!€EžûùH†Œ1ü‘1P”Òt§!â˜ðq¶áñÖÞˆã <SÐçz½]½eñ8EiD£ñrÕ“• œ$d¼Ì?M^#BÑDàÉböa~ÜÞ}|XÌÞß?Ü,–Ó€ð8â“Ùýý|q}óÛ4 ÃàÇxòa¶ø8{oi÷Ó”NfïæÓ/ËÛÑ|Ù×w€`¦-ûcôé çàÇí#–&|ü ŒHšÒñvr†xȘ§”£ÇѯÀÞªÙ:'ˆÓ0‚ÐpDY‡ ˜`ŠYŠhÄI¶0
+›çÒa»ú&ê«z¯®”ØÊÜþ¢]‘Ÿ»O18ÁÃÞî!K:®KS(í™B1G„EìÔ–åFÚ$är%öek'»zJ’I•É¦ À.CûŒ1-%ÒF‚d2&¥œS-: a‚Â…=†(g‰‘ý8ŸÛ­³÷wvK{a0bMbnØÞ¾šIñRÍœš¾!FQ%°Ms¿¨ ˜ÇÐþ»âøOˆƒ¼Ð‰Immdö{V©ÕgÌq?ärùÏJÉóåZåÙ9­|6©‘M>( y5Ü®\:†QFPº]u+ß,®m²R—³|[¨¢ikÑVµ%=È•´ÚUæªæƒP{Q„ƒD h±ñx¡l<ÓIÙÌ>.¹{yV/7ª•µ’®dM+·¼©TSÕm±ßõ†ˆ…urt½â¸1È,P²ùøZík%Ê]]¨Vo×ü e̶̸†­c¼àÖºY¶(}“uD};rì¤Pö»Ùo…
+lèE.žJǼªêíP`ñYTµkŠæ_`X€ÀRðŠŽ€ƒ Æ?DÁ¾‹‚d
+—8nÊ!ÛÒέú@ìve¡+¡ã‰ºbO}=Éæö¸ƒFÖßdm‹¦/µiEÝz¡bÕz.á6nöm^=;yæ‚oV‹fÉ`,¼>Xš»¸¼òPÝ÷ÎÚ‰)N=rÝ”néØ…0éº8½@Ó±5†Âøé`× $Rå&Æ'ÂäwhüF'Ù”Õ
+ÒDßbcæįjèà¤u-eb};7È¥P$.°»
+,›‚Ïk›wF0ÂôžÔÿ†Î/v§ðØÓŸƒG†Rœøsò¯‘ŶÍàzfZ!¶­
+endobj
+2592 0 obj <<
/Type /Page
-/Contents 2073 0 R
-/Resources 2071 0 R
+/Contents 2593 0 R
+/Resources 2591 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 2048 0 R
+/Parent 2603 0 R
>> endobj
-2074 0 obj <<
-/D [2072 0 R /XYZ 85.0394 794.5015 null]
+2594 0 obj <<
+/D [2592 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-2075 0 obj <<
-/D [2072 0 R /XYZ 85.0394 691.7632 null]
+2595 0 obj <<
+/D [2592 0 R /XYZ 56.6929 687.6458 null]
>> endobj
-2076 0 obj <<
-/D [2072 0 R /XYZ 85.0394 587.392 null]
+2596 0 obj <<
+/D [2592 0 R /XYZ 56.6929 603.9193 null]
>> endobj
-2077 0 obj <<
-/D [2072 0 R /XYZ 85.0394 513.3346 null]
+890 0 obj <<
+/D [2592 0 R /XYZ 56.6929 558.8956 null]
>> endobj
-690 0 obj <<
-/D [2072 0 R /XYZ 85.0394 475.0295 null]
+2597 0 obj <<
+/D [2592 0 R /XYZ 56.6929 519.656 null]
>> endobj
-2078 0 obj <<
-/D [2072 0 R /XYZ 85.0394 438.8551 null]
+2598 0 obj <<
+/D [2592 0 R /XYZ 56.6929 484.9808 null]
>> endobj
-2079 0 obj <<
-/D [2072 0 R /XYZ 85.0394 407.0157 null]
+2599 0 obj <<
+/D [2592 0 R /XYZ 56.6929 410.2876 null]
>> endobj
-2080 0 obj <<
-/D [2072 0 R /XYZ 85.0394 341.9916 null]
+2600 0 obj <<
+/D [2592 0 R /XYZ 56.6929 341.4811 null]
>> endobj
-2081 0 obj <<
-/D [2072 0 R /XYZ 85.0394 270.8991 null]
+2601 0 obj <<
+/D [2592 0 R /XYZ 56.6929 157.2444 null]
>> endobj
-2071 0 obj <<
-/Font << /F37 802 0 R /F21 714 0 R /F22 737 0 R /F41 939 0 R /F48 953 0 R /F39 899 0 R /F53 1029 0 R >>
+2602 0 obj <<
+/D [2592 0 R /XYZ 56.6929 85.4731 null]
+>> endobj
+2591 0 obj <<
+/Font << /F37 1026 0 R /F48 1238 0 R /F22 961 0 R /F21 938 0 R /F39 1161 0 R /F41 1218 0 R /F53 1313 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-2084 0 obj <<
-/Length 3928
+2606 0 obj <<
+/Length 3409
/Filter /FlateDecode
>>
stream
-xÚ¥ÙrÜ6ò]_¡·¥*š
-OðzÇaœF)l‚€E³ÃÇ&èo*4ÅžF:èªã‡êˆ\f™( ~8* ª¦ßÝ^(¥‚o2^nXà—O‡C{ì+A_5åñöÐ×mÃÏÅîº=ÖýÍž·í‘_»º|þ#OÕÿþýÅãVxŽó•#}¥T˜[«é/žX¢" >ÞÔå sy9 6ÕoQ¤¦" ê†_?ûZE1.~iÊŠ'[8Α‡žLÁWðù‘Ë2:÷LGq8ìêòB½ãÉõnÇM/ãÑ¢é™úÖ³¸ÖüŽY†|¾å•®ÚUeÏcæ~†»ÁNz¡=k”?Ϙÿ~¬ˆÀëf<¦÷¼ò´jä­¬6}]ÂQšk¡¯ †gŽg¬*±NƒgÀŒÉÁØFë¦ë `4°Ç
-ïøY¸Ýv¡rÆÑ@ߘsScu˜©4^"Ñe6ÌL<Kwò1-øRµ£å e2°Ý¥/‡+œ9H
-åL Ü™
-N¨†ÁHÈÖ[^¥8Ï(;òFÙ}š–e¡ÖÚ<L‹|Ý4|Ëk¾!¸ǵֿ¨K)^Úm/a,…Ü-2z*|N4!Ôiê(ŠDàTìu‹rû•KÒ㥜‹A©¯Ê)!5“"q¿yò
-)L@±á¯î0;V÷)<ë0LHÔ#Ü!!$ÍŽZz˳CÊŽÓm˳;q¯~žÑ„½¹ S¨L§Üe¯'¦ɉôÄDyºæ¢acäÉ«ä5iéiçr"§u&2÷™$©܇e~ÃÌ‚n³/ÞWÝ‚l&¹1_%[c’‘l'üðƒŠ½©JnÔ°£²I˜gY:ûWÞS±¶3~%ÍÜBÇq 椫h)žpÑw­¤?Xñ;M‚ñL“F.n_lª©¨bŠÎ\ò³êï‰)Q2Ï3@X ¡´¹qê ƒ}ñ©ÞŸö2[ïeº7ߟÌ &JÕƒ(y´®¶­Wrx®”klP¬©£.¡ãÊQ1TÂ6 8 YÀñÜÉÓÚfÓI«å?ÒOq±¦™JP‚Ÿ•è ¿j Âô 
-wjd{oŠ~7gŠ°(â‚¥uå&Óóˆ|××<ÄA•ù&Ð륚 j1¨£\φêúMµlB—ÏYmõ(ùëx¢ù–ëiºÔ‚gV -»4_ÉøSæ¡ÕNá
-¯ã>Ôt³˜«ˆ²‘þÀ+¦` ´e )RÉ/dÈë¶ð}zM7ˆ*8ˆ“›wuÆžÌ/‰seò<Lc«f^y"Kãê:ãó$“1É0SðO ÕlQödYÆñ€—ˆOfTÄ!xK5 ׸ƒóˆ å'•\&óÕOJ÷wØüç ¶*=¯Ã¥zP|ṅ,Ä=‚üNK¶“‚r$>#1l–Ò˜<̬ï¢AºLYÇ[q¥€ûÌ kuÃ…2zzÉæqz-TJúÆÑÂE†!úÄ’çxOª0ßÿV*ŸõïöÀ ú°9÷Ñ……Ü"û°cA⊯=ùêÍ¿óì—×/ã-×ÕBþ¯i nÙ¦_‘
-;åNß±ñ{Oï „”ç±Û/^þö |ƒLÜ®”ÝDÁS¾ZFcu½‡î >‘Pð
-ˆ¤70ZO°ý
-;² \HËÝaq µVî>Î/.+®Œ¸± ¨Û¢^n>…Ú»(éP4™4ž}Ç2ÄeRUøý\]HV×Ê‘÷¾œÂ——¨LܢÏÕ]<Éëq e'Y.áìvجY,vSí>w¡ƒšIqÃ
-endobj
-2083 0 obj <<
+xÚ¥Ùrã6òÝ_á·Ð‹!‚dÞœ±3™$ãxÇžÊîNü@‰´Ä‰TDÊŽrüûv£¼D{\µå*h
+í+mä€aâË8’–x²³™€e½ßfi“ã©
+¸`”òfþ˜W(—¡†ö¤L~‚ŒÌú(,µ˜©vÖðä8ùi–Ý»ÖeÛZRãoú̪aw=ì2+BÕÛøé K ÷ü´Ú¤‹oï?çÈÝüÛ:_ìò†– J€X˜˜—¹>Oíøqì&â‡bO`ÔÂA0hÚ½•—™B_G¨’íÝ!³fjå'È9BЛ¼Ú7Ïî#Ú˜‘û ” ¬± CžºÏ¶Ïcñ@ÆXw¯Á
+Þyý,ÖxŒõñîÒ2«6Yþ8…Tû&åé#ó\éˆn–yNò o Eâ~JfRûI`ÌP«.¯nß|xws÷î—ëvÑPÍávQ4Â~ltè+¡  Z:ôöuža+öšŠ õ~¾)‚µÖ¬u@èGÖ'îÎDìå¿ïóº©i4eÌYþ[È’ÐG^QÒð‡ïß@
+e†;§ÔEþ0)ùî1ß¡A÷Y’ù A¾[ÙÃã¥ëuõÄm"¬®ö¶±ÈûÐEe¿OµûÃwn'…^še–j
+Àæã9ÿ (¬àX´ µR·vöe–神ubIg£ËXà±H'Eĉo„qòÿ²¢H8ÓVñž)}.xsC-NjÃe¯3j—S?gÂñÂsœè œc>̤Ò~‚›õ{+3Ä>DP»‹´ûð‚p¨bÁ—"G­¬ïÓ阼vu’ŠÏ³Ó&ŠÁœGÖUÝL^Ö•Ú0™R²ÚW2
+-z²z8D_á -Ð` Ÿp¥ G»ôÞ__¼¿¢¦ge &T2¤#c Ýþrñj¥F9™z°©œ"β‰û¨‚¹á
+"†
+oBJ?;?¸{£|“Dñ«®^©¸CïÈ—î‚÷Èòù~ÉÛUÞg¨çf
+o³îpÜݾ{;´¬²'¦gÄ#3K°æ°åQ°@‹]1ÏyÀZ°ÀÙà%d¬CYgŠkW¼¨ø-ƒ
+ÈóüØ(çegËgâg-]Á+*é’ɼ ÜeU:Ͼ3¶î¦ž-ª èiZrªñ˜îºŽ¯Ãáa>mÝå@ß_ÏBŒ{2[ËD€ ‚`TÑs5š>cÏe,]-hš1xú‘nÃYõÅôÌ1æXªÁÑ@®›ÐɈzUM·¥ûº+üM^bâkÀêH=L— „ŽLW±›È¤¤šÈi”{ay ‹+:È€ Ô¢ŸøwÛ‘A€i‹ƒ½
+mÒ¦þc1iåˆîéÚ­Xá8¹
+ ?/
+ÚBýÿý«°î×o:ZcÙýàKŽ^*!ÃŽ(<Ž0jLzûû±cÚÿå"-yendstream
+endobj
+2605 0 obj <<
/Type /Page
-/Contents 2084 0 R
-/Resources 2082 0 R
+/Contents 2606 0 R
+/Resources 2604 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 2048 0 R
+/Parent 2603 0 R
>> endobj
-2085 0 obj <<
-/D [2083 0 R /XYZ 56.6929 794.5015 null]
+2607 0 obj <<
+/D [2605 0 R /XYZ 85.0394 794.5015 null]
>> endobj
-2086 0 obj <<
-/D [2083 0 R /XYZ 56.6929 258.0612 null]
+894 0 obj <<
+/D [2605 0 R /XYZ 85.0394 769.5949 null]
>> endobj
-2082 0 obj <<
-/Font << /F37 802 0 R /F21 714 0 R /F22 737 0 R /F41 939 0 R /F53 1029 0 R >>
+2608 0 obj <<
+/D [2605 0 R /XYZ 85.0394 744.6647 null]
+>> endobj
+2609 0 obj <<
+/D [2605 0 R /XYZ 85.0394 712.9035 null]
+>> endobj
+2610 0 obj <<
+/D [2605 0 R /XYZ 85.0394 648.1357 null]
+>> endobj
+2611 0 obj <<
+/D [2605 0 R /XYZ 85.0394 565.3444 null]
+>> endobj
+2604 0 obj <<
+/Font << /F37 1026 0 R /F21 938 0 R /F22 961 0 R /F41 1218 0 R /F53 1313 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-2089 0 obj <<
-/Length 3216
+2614 0 obj <<
+/Length 3751
/Filter /FlateDecode
>>
stream
-xÚ½]oÜ6òÝ¿Âo]Y–Ÿùè"iâšËÅ.z@šÙ+ÛBvWîJ¶ãþú›á׊ZJë4‡Â€E gÉá|ÏPì”Â;ÕŠPaäii$Q”©ÓëÍ =½…¹·'Ìã,ÒrˆõÓåÉ?‹òÔSðâôòf°–&Tkvz¹ú´8ÿðáÍû×ïþ{¶äŠ.~"gKEéâ×ó÷¿ÿËÁ>œ¾8ûæ^¹ 1Šx]¼¿øíÃëó³R..ßœ}¾üåäÍe$kH:£iúóäÓgzº‚ürB‰0Z>Á %Ì~º9‘J%…õÉÅÉ₃YûÓ+”ÐDi^fxÁù€ŒÂX§¥2¤\X^üÕnk8˜”Åâò®†ãšbñëûó_ßàP-þ ”×땃·7ØßU½ƒà¯èôâßç¸;czQ_·ö¹r“OÍzíf›U½í››ç°”ßsSu}½sÀ®Þ=ºq±¸iw¹M rþÇŸ•œž.#F)nOvßîz‡•pDJÈˆÓ í*û#ÉÅöase‰
-ͽօÓj§dDKÁ<j,ÿû]½uY}ŠûXP×K§\B€r+ôÄCåÚ€^ÂBLZÙ &÷ö4í#Ø?è–£"'’»ÜvžjaeLɺÜ aå6r¿ìØ3 ‡ÕÖÍ##,c».L¬ÜÀ)3â\ßµ]½uЫg³ ·[=ƒ«Úä<Ð’ñ’(S^°#ŽÈïqm‰£–¸¦oÚ-(dzƒ\ÕãF}랛ꋟKEP¹¸n7~îÆñ}ã×whç×îIÄ(PëF´m÷Sâ-ÇMç¤ï‘ˆ~Ƈ8ι±h—]×Ün½çð®=ç
-Q% €Ízˆ!Ö´‹ˆX!ºíq|xâ”"“rž†ˆ•!"ñ -Q:¥â"ò ½ˆ¯ÞU
-!çÍgˆ5m>Ë:¯u¢ªN*¥˜§"beÈ80 ¥Š”k@6±œÌ[,}¨°Œú|‰æ– AŒ ¶àNx¨-úJ­’dòåIÔ€oM—¥¡ %Ó/ÿî}†‚` Á§d/ $«\‘ý
-dÈYês`Õëu]í&NåS/àÂA^"™Ö
-JÇ|À
-ÙDR­m”ñÀÁ…¬mäç’õÖMH¯›Ê‘"Yb% B{¬¤—Yr%8x
-&z¸ ðE*„îå—¿ï-%è-]ûfÚJ†XÓV±pÇÛôæöÀ&XA(‡‚rv㈕Ù99$‡Ü€J–ný[çeðöâb‰Jí%Öz‘Æ <ÊÐÙÈÊGËË»¦K‹y¨7p|¶ÐK–rî­$#k£@JE¬ËÛ㲞Ð-Ôªi
-JÀbŽø¹!ÖŒ–¥f½š¢ÀTN6»wÄÊlžF:
-àÙ“Í ¥ô¼jñû™Rö­Ú§ÎÍpJ©›#îË<
-…¿Œµ!øˆÔaMê$~Z„}ÙNª…ùµ2*#ŽökZ-"R³««µ¯k?¹ñX;$d8…)Žµ†91’lcxW<B/“kR)Á’2Ý/ a”«y>E¬ÌÆiÿË¢:ÝØõ•„Ø·fÄP-ÝD.¬2ΉÆÞ6p|t
- ¼ÂØùiÍdŸz&ÚÈãPõ`¿uY/NM·Šè>+K~ÄŽX3v°lÒµ«wõŸþŒ_Wí¦j¼Ÿqãe®¶…˜ ²¶Î’±2t¥|Æsð› aÑáú¦ÀÙ’™Õâ…O?Ý>ØÁu=„îoc†á
-ü˜ ¯r$’BÈHFh¶½j¬'3i!B•â<<i™U%JYþ­ö_»iú>¶þÞ½wO4»fÛ×»mÝ£î§AÖØÌ<Î%áZ¹bÍDÀ:tŠßmŒ‚Hg‰XjÇA¡žOÉu…ˆ¤4^yíÍCÒ`8_ цֱ‡î­ŠsÖ"ppÄ"$pݨY„|EŒZùÿ˜IhHEeè9m:/~ë+æ,c‘Q/2â0ƒ¢ÐG dˆ5m ë{ ÄáU}EÈáÜ@Y&ÔÊ#V†ô„єɊí—ùþ$T:Ì߆äåK¡x@Ü!Ëröë;á×'½¡ñ ÀÝÃÕÑ8»ÆÝÄPzk¹iwŸ7È%&Ý]µs%"^vâÃÞko²_ãèKõ½æì¦úص7DëØ_=˜BemïÇiü\áˆ-‚ÝêØàˆ]i<=ûª±-hd‚ý
-endobj
-2088 0 obj <<
+xÚ¥ZÝsÛ6÷_á·“§B
+™¥­š‘E*çdaœ°Zi/‹Õ#nâù·J †ªDä¹Í`~S4%M'ÈUbyÌßoŠ]õ‡øJšL|õû¾iwˆû}ýPª™%dæ„V™áïŸ]-u’/>mêõ„ì²Åºh°a«Šª¦ÚÃd%“ã#¦T&œKÏZ6]W­—°Iøx† k…3yà4¦nq»©f¶«@z<nùqf*øT
+“ç )aV£üØ]ñ;“nQl»–Z¸|;Ü
+¶ÜÓÝWëú?PÉ¢ ÚÍ«ï~NÀ
+ªìÌÅñ°©šC½F™{Ê‹GÐK½æ—77üå}Gì¯d¾¨~=VÝ¡C[‡·W O»©;Ü*ì{´©uÑUÏÈ`=jx®°á7ñs’(¯( ÀþÙ´jxÅÂóo¯¯¿Y¾~aú ¤” …Sµâú Ø,1~ý¦ã œª!ÇËRÍš"’šlžû«|qdZÍÏ‚Ûv]l—›¶;Ð{Ûl©µkKþüØÕÍjæ­$‘"Ë€#¶”íœå§"ɲÀ"HJÚt¦ç…ÓwÕ¡ëbÒþ¡Ú3ÏeIzë¨v° ¿ ÔÛRÙD$Jçcý¡A•uW¬¶´7ØÎHîV‹šYeNw¤a\–‡am˜²@Qº”·à[pÓ-
+ôòí–ùbl¼’ ‚Çl—*·pž=¶ÏÝœ^S‘;à±¾Žœ÷}¤KYÃa¸+º*ÉŸÛ¦¢Ö¦è¨Ö<Öi.¬ fC.½¼o·õúñ VçI@vPùú‹͉»™³ `:Ë]ù™N=æÇ=¡eÑ[Ë[ö@è7Jà $D¸-äa«ŠÝ.Oá¬M'bî™ïS}Øô(zjLNa—¹§NÀ’45aH{¬ âA&FèÔ»þ
+ÉUÊjî\4™Òº©¨$§
+¦·G¿ÏuEïdŠWi ÜðΟ‘ ¡ƒ FÞcàMyNôðŽÚeVáÔWñi×>ÔeSHÏìXtÅŒ|2¡Ò`<ÏaÛωµ¹@9‰Œ)ˆ?YT†¬ÁªÆ.9XÊC½öY¼vç©Á~à“‘PàÝ õB!zÍOˆW-Å[%„èH.îä&Ò
+NÒÈæSê„ÐÚ‰,…XbTŒu©³pÐÄ°QçÄ2P
+z¬7žXûL{IÔååÏ×ûáms(ꆔ«ÃÆ©„'õ0ϯÉ
+se-æ*,Œ¹)m²`xýç|'ã°*k¬†¹„BûÜdáx¨›ÒWŠ:ZŠóuXg¢Hè«›û#wv›ö¸eòŠ¹äh–N‹p2ô§OÊa_DøtT%¢tE¡Óºl"  ú~;
+»ãz]yÈJµ[¼÷ŸòPÔ±I³ýÒ2ª­1k}½œyB“R¹a缡ùŠg/C½+êílîú?¬Be}Τ³l¼kì„é;Ò!v{S…ççꊃº–;öôÜÅl
+?žãšgòø‚c>W§óØÑ<¡âƒžmsǧƒŸd»m?ÍÞ.àÅG‘Ô±>@Úä7ªG7% è÷®¦{'Mc\¨m"ø*& `ËÔø¢ŸlèCøÁ‰áДâZ¹~Òîçôº«;¾FÈó¡÷ÀÙ 4Œ
+åÕç+æ¡LgôxzJ<Ï
+Ë0ŠJ=@Q™aÓßýN’A%5ȤqÌzYnCÔÕ#Ñ8uL¹t8‡C¾8bœíy8r£ß¿à#0ç úÅ
+û9¶ë2úMŒ/aÎ#I_tÕiwuõ‡&†’ga"wB"žF‰Á ó …cÖÆV€ñ.(,ÛåO®Æœ®?Âð…Aû›QyÔÆóRj‚kz›Æ—>hÅÁí0-7¾š?ì § ñ;Á -!0‰w"C)L]/Ã_f 0|øXøÌÌ ûLâ=mÏÀÔL/jcFè’윤$þT,õK˜ú–*&RO— Ž'›&,P€™û½”Ä);Nä\ȪÜ(Þò6©œ~ï‡ÏˆêÐ^TwÎUø†S10ñ<þ0ånþ©ˆ‰ÉÇð¾3¿pÕFàÏRgl6‰uÙÿûׯý¯|SÌ4r5oþ*3>¶)ä^ÚôÔßùw²§¼ÿ;…Eendstream
+endobj
+2613 0 obj <<
/Type /Page
-/Contents 2089 0 R
-/Resources 2087 0 R
+/Contents 2614 0 R
+/Resources 2612 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 2091 0 R
+/Parent 2603 0 R
>> endobj
-2090 0 obj <<
-/D [2088 0 R /XYZ 85.0394 794.5015 null]
+2615 0 obj <<
+/D [2613 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-2087 0 obj <<
-/Font << /F37 802 0 R /F22 737 0 R /F53 1029 0 R /F21 714 0 R /F41 939 0 R >>
+2616 0 obj <<
+/D [2613 0 R /XYZ 56.6929 412.0325 null]
+>> endobj
+2612 0 obj <<
+/Font << /F37 1026 0 R /F41 1218 0 R /F22 961 0 R /F21 938 0 R /F53 1313 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-2094 0 obj <<
-/Length 2191
+2619 0 obj <<
+/Length 2935
/Filter /FlateDecode
>>
stream
-xÚíY_oã8ï§p/ ¶ÑXÿlùå€ì43×ݶÛf=Ì΃+‰1‰Ý‰vzŸþ(QreÇMwïîñP –(š¤ÈŸHÊ¡£þèHÆ$NY:JRAdDåh¹;‹FkXûxFÏÔ3MC®gï>ðd”’4fñh±
-d))EG‹üóøGB#2Ñøæî·Û‹Ù$ãÅ|2eLðx<»½ß\\þs3pFÑøzvóÛì
-i·“”gçw“/‹ŸÎæ‹Ö¬ÐtqcÓ·³Ï_¢Q;øé,"<Urô“ˆÐ4e£Ý™œHÁ¹§lÏîÎ~m«öÕ!W©ˆd"M¹
-ô;Œ’„R`JdJbÎxë0F‡湌ÃyÖhÜ{–ç8È«]V”Ó2Û¹•¦Ùâàór›ÕõG}~pë ##„ô}ÆbE¸€Ð„†™ßr ØÏûY g©èn`–çõdÊ!Ì>Jýdr¼ŸP5Öuu°ƒ¥Æe¤.+ûÌ‘öT45ÇV?èeñG1›]½û yh
-‰P\ÀŒ Æ=–©c/MHÊ™r<çb¦‚Å„šðRJR)™å´.Çá
-yç´'®žð\6ƒéûÃúÈ€ŽD¤§µz¦­GDDȘuµ.&i4>ìKÜåžÖ–5€…à åœ$1Ôï)U„&˜k®
-ûšž€“ÁîSŠua)PÏv[»Å`?[ÈÜvÁæpKtɼJ**”¸
-SÖ®Ë8V-L[“ø¹¬ÛUÜkTp¨µ£Ø# ”¢¬õ¾Az¹Þêƽr\÷ G·î»=­ì¬Ú9 >÷R•!˜ìf_ç²´üÐ`ü«*mÆQñø¦j
-LáÄd9RQ>\•)J$él¹q#”‹WvjœeNÎ>+¶m%òé LzÂQ]õ•gȽÆ-ìÖ¢î–l-sxËÚ4ÛYÝæ̬öçÁw}ÏÐ!Kœ„¤/…ºî¥Û6§ì ’AN±ã—6ûè©«Ê ·;œ Ú/‡þšÅx
-ÔnŸ§v)Äæ‹‘†¶ñÐv©™ú[Í3 w;ü#’‘ âŽk^•þO¡ù°×{ýͱÇÛ˜›˯æ¼tÜøWa9$£Ë÷7³ë¹ƒ]µÓG¡ûÏQÊ‚"óJ÷ܦ¼h
-[ M"ÓM¿…w™Ã¤?Ÿ9Ìråü^~õo)¹Ín¦A'¥{q €´×É°€—Ì:«É܉œãÒ™ô¾-ãK›ÓŽð†³ÑÜKâ6…ª áª~ÂUãŒÚŠ•N¬‚7ñ¤¨6ãÂ>*íi•{U/êÆ)ËÐ Ã
-Î`ãž5>ýYõݸ2Ýv}pÎE‚‹ Œž6ÚÄYQ·AÕBðH¬½ ©Vå2+Ñv3®J¸Wñbé¥bÓ¥¼Û@<4\ëiÝ@µ3u`Oû øÖ”cš*[­išŒ?}x7fD´Ú3$ ? aw¨G«õ'ÒLš±¯´BeCmiý¼dÙ,fµX9{B¡uO*N­ÛŽM¾²' 53)o
-™¾á¬€ë„·<—±ögŒ"!#I“$vƒ•«®¡$AREýG,»…c!ø¥Ë[¿%…ü`œùÀ A‰œþYsö€^,’=9€KKù–AÞbòU?}TàºÉ$=Ž–ë8Ýo”Å¢û¬ÖÓXøo$Ë*oï±þÊðëÙûéõ…Ä™±oxH]ê0×`¸²†vi
-Œk]Ú>ªm›±Æb"é[ß°B®Xó\ÿÇÚ)¬=ì‹G×—vðƉ¸§CÒrǤ÷í9!U7(-ÞhâÍ̪>_ðffofÐÁ›!Ü»…xë× È¯ጧÝ/&wó9Bwvu÷ËÛŸML¤<>Çw`Æ£(y™1ÀF0SB¾ÌLk¬A1 f)§ç/y:o·rþ×Ε; °Aó›Ó@£Ö%ÿõO[/?á ¨MJ±×~Ðo§0vF/R¦ŽSBD‡{ñíÿT{æöendstream
-endobj
-2093 0 obj <<
+xÚ½Z[oÛ8~ϯðÛ:@ÍáU"3h§è`¶è6)fN”XI„ÚRj)I³¿~Ï/eJNÚÁ @DSGäá¹~‡$[Pøc ­F.r#‰¢L-®¶'tqïÞž0G³òD«!Õ¯'¿ü&ò…!&ãÙââz0–&Tk¶¸X^ž}øðæýëwÿ=]qE—¿’Ó•¢tùï³÷ŸÎþ°}N _ž½}s?¹1t]¾?ÿôáõÙi.—oN¿\ü~òæ"°5dQ<};ùü….Ö°‚ßO(F«Å#ü „ÃÛ©QRß³99?ùOpð¶ÿ4%
+©4Q\f‹•âD+XxR`”PXå’‘LjÆYJ`ž
+vµ)ÚÖJ¦oÖŶ/)ET.Åb8þ*Á°Á2J”RYÌÇù]yU]?YNºÛÒ6Öåuq¿éü¦£Ëw׶¯nÙ_~Sb8ƒĘ ØÚ¯°§Šøœˆän©*'„ùø‹R^®_eÆ6«6ÉCFrX¦þÝûŒ£w$äÀâœZs ËÉÍè~@5£{O…3vÝÆ-º¼jêu{ w£”¹œç P%XˆV+4‘\똇½Þ©r¢†Æ^ÔØ[m]w×Øç¦zè{äòºÙÙ®Ý)ÓKXFÿ\·1ý¥û¾X¯Ë5X7jyáçz(6÷eBƒ\Kb¸1N=uS— r:äÌ=V›õjS»‰UÁ(‹•†0 3§’I;È2C4ËŽÄ€!Õ´*œôkéü®w~o»²; 9Q„g9ñD Nâ0À‰bzÄÊyp?T¡Fï+:Û*zÑBãþn]tþ}aïˆû¼t¿/Îß½]µÕM]®Ý§mUßø“J‡ Æu®>A2N&ðüØ‹e¼ÊçÔÛÁ]Qí0«kI ¤(°øHמƒHCÌ–åfÏ@j6Îhá\³ÝõÚ*®y(w»j]ºØTÔNµAǃ
+٣ɭ¥t²jùç©R˪^7­}Ã)¥ö8q[õƒîæÚv”Ã4¶×)8ð@ùT{å}ªXùáPù+²8Ø+åqÀš´
+Ò›m?VÝ­›"r u³œ0*Ô‘ŒF ËT³B_j&¹`^·Cªiݪ±nŸ^¢[a¨žg+P%øëVäÐ16Ö­°º=·2$×ú™ÒÎIj½RÅò/ªèmá~„goJr ¾×v¶ kÕ¾‘2+12«W.ã+J´áy`šëQ!Öl°i [uÄT36à©ý{·kËîÐlïwg¾ì>° ”°|žÙ@•à6N œdÞFìÆ–Áóµ,´ú ÏCõì{÷^}Þ
+°Ýë¤Ï}0 Ù GJ´ÜWN^³)ãUbœ•PÈp3Ò{Æöš¯°žLÀC„ÊÅ "<Hi‰Q%$J™ÿÐö_³­º.lý½{oŸèvUÝ•»ºìÐöã¤ãßogž¤”ÈœIxCª‡ðT‡Añ§‚QðùYfU‚Û±CP¨çcvm!]ÎÀ‡î!©w|_ ɆޱïÝ{~ŠïzÀÆ u£žåòÁF ìŸr PTú=§í}ëÔßÇŠ9Á\dÔ³$ûDà)Gž³yRM;H úY±tEWrÀ87P– u„ó@•`=4eD²lÄûEz*f|lCöÒ%ŠPÜ]÷ŽÒ`Õ!3ÀìW·Ø‚j…]è<Øqg=+8g[õ»¬C’®waì¹nv[‡`cÉG…I{[ìl‰˜)ôgH‹}•ßÔ‰UéKõ³îâ¦úر7Dë°¿
+v,B%}œÛÐ<ž/‚ßê°Áv¥qõ°ì˪߂F!àf ööì{
+Ûaõ^ØÐÿñ#žveJÚÈi…-{J3’uoÖÆX`
+‡Ôñ<Ïc„óB\"©˜r^ELnØçÑÐ;âš-wzkû£rO+kh´¬©_•ßÝщÅùw[Ö]ÑÙÝEíÀäp &ÕcLú/gŽŒiHÅöøѡ㿳ɨŒÍò#°hH5õNo·?ý™í¦ 탠ßu›/‰øÿyŸ
+¦íìÈù߀h&ª8¢qP)Ö뉈nT¼OfFªYÞÑ!óc4™åJGÜŸ­ÑhEnÁ<êò*aïøz\caŸÝPÄ–ÝކƑ*‹ ÓbÞbXNŒXõ9Û{5I"¸9im %¦fÍmH5moÊèæñàŒ‡"Ê,3;k JL¨K"2Ããy_WíݦxB¿Ì3‡
+ qu¿³FÑBǶlÛâ¦D‡ÖÏ!:pFá­½¬‘ÛÊ!h¢Êè?ê£4ö7<àG|U}UîGµéãÎè¸rSø‚ Ïtõ‰gqL³#û•Cª z* Ë­õÅ'Æ[/³³ªÄ´± `ȉѼçe½nǬ‘ú Ã©ïÅJÌcVͪߨÁÇ妨¿îï‹L‹š ¨^ŽÝÍR͈ÚSY?oËÝáÕŒœd:Ëçç T‰‰ùè 3Ët<ñÀ[†âvüø@)YhA
+¯Eûé`/Nz—%×Á¶l¾XY[n««fã‡ß×Fî˜f;‚Í
+endobj
+2618 0 obj <<
/Type /Page
-/Contents 2094 0 R
-/Resources 2092 0 R
+/Contents 2619 0 R
+/Resources 2617 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 2091 0 R
+/Parent 2603 0 R
>> endobj
-2095 0 obj <<
-/D [2093 0 R /XYZ 56.6929 794.5015 null]
+2620 0 obj <<
+/D [2618 0 R /XYZ 85.0394 794.5015 null]
>> endobj
-2096 0 obj <<
-/D [2093 0 R /XYZ 56.6929 553.8035 null]
+2617 0 obj <<
+/Font << /F37 1026 0 R /F21 938 0 R /F22 961 0 R /F53 1313 0 R /F41 1218 0 R >>
+/ProcSet [ /PDF /Text ]
>> endobj
-2097 0 obj <<
-/D [2093 0 R /XYZ 56.6929 216.683 null]
+2623 0 obj <<
+/Length 1959
+/Filter /FlateDecode
+>>
+stream
+xÚíYÍs㶿û¯ðÌ»ØÓ˜á‡>/ñn¼ûÒnòòjïL;mŠDÇš•%¯$'›þõ H‘lÙ»msìø@Aøe1æðc×c^(ñ:ÌåÂÇÛ?ÀØû‘ ™Y#4ëJ½Y.ß)²Ð“Þxµîè
+1^%¿NÞ0¡ØTðÉíòãÝÕ|ê;“Õb:“ÒQÞd~w·¸½ºþú.aä|r3¿ý8ÿ€¼»i('ó÷‹åô÷գŪ5«kºàÊØôyôëï|œÀ~q¦ÂÀ?A‡3†r¼9®b®£TÃÉFËÑÿ[…Q;uЂ3©<9à )ÆB°ÐueÏnÈ<%•uÆâçùÍÝÜ
+LçññL†,ðºmµÑ°ý@Mô—h»Ëtezrr¯³â ª RrbT(:
+…#™ë;>h6
+ój¿K¢Z,í8°®`\ì³—¸×¸À¾ÒÄ© ä¤y¥ËyQNƒ‰ÎtMSÊ©&º*ö–ˆi3È Û&´§µí[ZacMÏDà3Ç‘.PWÁ:r‹­¼ïNþ(r ¨Q7¹-êÔ®ìzÕ E¬4ßí-ÏY:Š7D¡^ìÄE^G°EìE¤§ŒÒ,ÍPÃ}åŸp
+±¥qþç½®hªi7$±ªZ—Hƒ’v­ò±á® ":ngˆ GôÁ«œ‹
+­YSÛUZhÅÆ:!m²ž7»no š6 B Å— †¡d&—{M.îÕír¹x‹tJ’ÖC†®r‘2Ñ´Qf+G£ÂšUõ‡7Ñ£&?-¯ß_´kü¸ø…ädÁ­YvÀòƒ³ÉLFnëÒNe Ó)á{vڻ뵽`¾ÞX9‚)îû'jqšu¥l)îÏ’Vʬz©ëø²„ü’=ÂáÏׇW2Hê¼­Ô± ½¼+\6ìz}¨¬î”fi…^º¦/ÑëhŸÕ'
+´SãðøòBç+ëHñX#e=ö•—å>¿4–$—”p-°OúùÐ) 6\œ·¥•:6¦ç;)|ÆCáô­©ð"ê–³=w­
+ã
+üÛê¼#u¡ß ÞþÂf‰¤ÅÝ~H
+ÙjÚT=HWz•øB„<‹$Tý0Õ¼ÊàUH¯23¹B¥vÁI•yJæöá |{ïÀ@ûáÂr÷^LfÕÍàsâj¹¢'½/£ò°J›**.ŸwuñPF»Mó1±Øi0j¼ê‚>ÌäIóá°¹î6QþpPL­÷õ¾ûíéLCŽ«Ø©oø¬Í‡÷ÔÊÛÿãïû/ÿc8PŽ<‘£}¸C É(ãFáyÇW5ýplûŸè6=Ñendstream
+endobj
+2622 0 obj <<
+/Type /Page
+/Contents 2623 0 R
+/Resources 2621 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 2603 0 R
>> endobj
-2098 0 obj <<
-/D [2093 0 R /XYZ 56.6929 83.2768 null]
+2624 0 obj <<
+/D [2622 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-2092 0 obj <<
-/Font << /F37 802 0 R /F21 714 0 R /F22 737 0 R /F53 1029 0 R /F41 939 0 R /F48 953 0 R /F14 740 0 R >>
+2625 0 obj <<
+/D [2622 0 R /XYZ 56.6929 750.8373 null]
+>> endobj
+2626 0 obj <<
+/D [2622 0 R /XYZ 56.6929 374.3309 null]
+>> endobj
+2627 0 obj <<
+/D [2622 0 R /XYZ 56.6929 186.4801 null]
+>> endobj
+2628 0 obj <<
+/D [2622 0 R /XYZ 56.6929 98.3442 null]
+>> endobj
+2621 0 obj <<
+/Font << /F37 1026 0 R /F21 938 0 R /F22 961 0 R /F41 1218 0 R /F48 1238 0 R /F14 964 0 R /F39 1161 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-2101 0 obj <<
-/Length 2606
+2631 0 obj <<
+/Length 3033
/Filter /FlateDecode
>>
stream
-xÚ¥YKsÛF¾ëWðª*σ£ly½J­m$§¶ÊÉ"Ae`ЊþývÏÀ€ åªÌ4zzz¾~’Í(üØÌ(BE*gI*‰¢LÍ–»+:ÛÀÚ§+æih1¤zÿtõî_"™¥$Õ\ÏžÖ^†PcØìiõu~óððñþöî× ®èü=¹^(JçŸoî¿ÜüÇÍ=\§|~óéã#¼J“J b é4ÿvûáúϧ_®>>uâ EfT ,]}ý“ÎV ù/W”ˆÔ¨Ù ¼PÂÒ”ÏvWR ¢¤a¦¼z¼úoÇp°j?R†(Ó p6yS¥x¤•-¸°JxÿåÓ#ˆù@at
- išpKõ´ÍA Œ§k6¼ûä^¾å¯8`ó¢q‡kfæùêX­²ª-ýbÓÖ~Þ•{¶Àê¥vã&ßg‡¬õ›üA)/sXn@×R(Ø>ìàžlž¹×e]5ù_ǼZæn¾^»…ª9îWž!››¢Úø]á$p\< SÃÂíã“»ò²x>d‡W÷²Éí h7X^÷m½9dûm±tSõ>Ñ äg7‘U+7ØežÏr›U›Ü³ª<ïc{tzqïn\æY“ñÝÀõI"¤æþJ$'Z'Æ]@ñzÁ(@öP­–áPB‘„ä>Ûågî6%‰P–È~l%øƒóÄ*üÐŽšüð=÷J
-#u7¦eêÓ_\8©&Nc}ž¹ù¢i_KËÊŒU`çlR+t64½ÛÀ'6äÔMëy„•ŽÞƒ^'èÁÿÔ ¿oö˜™£üp›²Œ6j¦2ðÆÁͽË8;‡€ t•û´swl<åsp/€óà[ž}ιÇTì7 ¤šÍ„[¢&üãØ8.†,] Ù„”Ê´ßÙÇ~'jU¿øâ ­G
-†ËSÂèä²´rsx–4¤jî¾2猻W¶°Â*lsì‚9¬ùºÌ8 Å|•·ùaçB Loë7ïÖ-£6[¶~rëÉB!®™.ánüâB5.wVêLÙ#BQ\mjK7¯Ám},ýâ¡y©jq‰Ó¯6gz<©ò}ÉÁƒ™œ¹\— ©BQ~Z—tT¸oWŒ¨¡ŸdĤJœ-F†2Ø]sš^±£š1ΣѦ"!¿4ùDâÍ)$ Z](™"Ö`7¨P‡d6ê±]¹ýá¹ÌÝ2rîÅS:_–ðð 8OÏ«Œ, Õ
-#R'£Ê!ÿ»hڳdžCù†Á ©Î\Ge ®yÓûöºÈÜ# ªŽË¢uT§²Å&$4a,Ibá†=¸ŽhËÎâ\O# …\’B¹EÇ{»°}Óƾ>Ãá.k—ÛÜ”’B4oó/xSÿ—Ä€-`eá®]ƒú™Jã[ݾ0½ÛÆ%%§9ºaD'o”Ë ÄDô¶œP… $Ë[<¸Q×f0îo;uoYØÒÞœH!‹2ƒ®ÎbWû,41`n[ÛZÏp_ÛI¬£p*üa²`”&GïÉÑÿeÿÛÑå8Q/gx ƒÔèLËO@]&Å*„¢@‹¤7ùqCU ®jPJ¢«:kÏ©")wÝóæ< :oÍÈóþÍèzã‘)sl#ª‹BšS¡¢¨É¡zä:–ê1¯&»u!¿µ--›ÿv}ûØ7𔈤ëÚôTñ}i"iðÐ}ЀÁ6]í(ýÉ‹àAwæ_©¨W€Ûú¿å@›g/¬\ð7’äžæüµz{«¿7KÁYRp–6 $'›E×E!-6ép³Uß-;|®ƒý•õf¥9÷O5$ÌøÁ„,´+Œÿñ¿Øý¿ôë=çÏ% gfƒPx0@ÑXôîÿîSÙÿ̼ò{endstream
-endobj
-2100 0 obj <<
+xÚ­ZKsã6¾ûWè¹j„àMâ8¯Í:µãÌÆNj«&9Ðe±F"‘²ã¿Ýx
+#g™‘DQ¦fËÝ=ÂÚOWÌÓ,Ñ"¦zwõã?D63Äh®g÷ëˆWNhž³ÙýêËüíçÏo?ÜüçzÁ¿#× EéüÓÛÛßÞþËÍ}¾6|þö§wð(s#ˆI¤Ótþëí‡÷×Þÿ|õñ¾'™Q²üuõåO:[ä?_Q"L®fÏð@ 3†ÏvWR ¢¤af{uwõïža´j_R9Q9Ï&tÀÙ äRóD ÊžgÜ*¿èzÁ(|ù¡^-ñ‹€íB(Âx¦-Ém±+qøñH§@Å Ýƾkuöç™Õøžµåá©<¸ñ²©»Ã5ËçÍÖM»j[u/~˜£÷[MXÎ w/u³o«v¬v º 
+¨šw›Ò š}y(ºª©ýãÚýîÇyCÊä¢2‡
+…4Dzj¾Zù ½=WÝÆM×› ¶a'·U]ºéfâY4÷[Xi»²îÚ7× A}ç^Ø*˜ôtî§Ý {ÚÕö»^<»µÓH& T§.í¬ÓÈqîm%W½ ·îÉI ƒž¼x*ªmñ°õƒü#êÊg¦ä[È´‘ƒ5p%øE•Ã70&z#ßíŽuµ,:4E‘)¯pYIE¦½AãTÈ”8núQá~îßvôà9u¹ìªk6ojк¤¼Y¯ªúÑQª±¯a§º³B¬¼éy!Ë ¦ ç«ê±ê
+LÐdªë¢;:»´&)Åü¦v”NÛ@µ<Eݹ¾ £ü ýϵ|Õ†%ÕA¡qÔŠ¼Ô`å¨ÌÕA‰1}´¶ªƒøô¸}q£ØÊL¢<ŒGÞq5‘¹©¯Ø>6PáXka½ ÿùéíûŧ
+w4lþ¼©–·rlKOS¸Ÿvãl÷¶ÏåÒ=wîã!þ–E`QÖ–TÚ‰Φ`l¤©áÄ´4óûM(
+Rm
+uÝiQÒSá¾}%¢â ÉHn”8[‰Ä2Ø]sj.‹ØSMȘ‚(E4…©DÈßÚrus
+èS« õR¼Fä*!…My,¤VnßGó\–n¹Øâ)] Jÿ
+‹"§çÕŒFž„j€•ç25¤OÇmWíü¨ê¶+êeÙÆ`ïíÑþ»Ø×-¶[ç è¼]g³» mk¤›¯c'¿ùü$G¦´géÂ’ º(à™´Q¬”¯ØhDuÁF•µÑå”R@€ìLM›¨f„r).Ë×SM˜(Ø%¥`F‰„ÓŠ›?Sv'|u´™Œ¬“oIÌLÄHœ 1Çh5YÝž;3bx}U® 0²7S/…“ÉXòDz[þˆÁœ ¼Sn”´Î€u¨‰©¹l 1Õyc詬1|}5`ňĤ>J^®§š.±¨ 3@%©xg-Ád’OvJ¦P«Q™™È 8Ø™ Ÿi`¦O\ G ÖåyH0qáè™ÊIÎM~rôÅŒdË2’Ñ\÷'¸˜XôûxÑPœ‰­”—&ÓñN."ö!„ÄQi{^
+кÉYù¹B°ÇYæÀüB¾]¹‘ŽðW58£ã‚e
+Fo8å±pâ¸Z‹É(Deì[}Ý0Bת)½ uÓ¥0"u&R´]þ]µÝy‡†hû\v¸ˆê‚Ã*ëpí«ÑwhÓ%î&aPr\­§:•-u!DK,ËRáâaZÄiËÞã\CÄ*ÎP#× 0i¾· ëÑ;½1ÀØg8ÜÝrSú—ŠSRÈæ]¹óÕ®qmž˜-ØÊ»õ3eÒSOþȇ°/rJN1zΈÎ^©•<ebðåŒ*ìY¦ØßÁúÌÙ’ç èÝV¶î„''R@QyÔÂYl aÓ…Ìm[èåÜ—ßv‹(œò®
+ œ09*›}$[$—Û>
+óâ–hbËää(Àäܤ[~¬‡æ)xæC<rÛ<>B1r^ `ÔèWªÚ˜ê‚•UÂË´‹!æMtj“˜3žÈõ]­šžãéGŒDH@uúî’&õACrÍøeÅõTšKÎRH¼P鮿ÙÃÓáŽ=Ko+ñ¾˜ª w^ð"úöÿM›=Ç m&X ÐIF¹˜Rç ˆ'Ê耷×έw#œ†v˜t¡LÆ!N3ÙyÕØ憌ö{UÓs|E5xÊDþ¿«ÆwAáÂYø"N!ô×:¤tœòWZ I!r–›Ñ-VëÛs*n‹ÛG— TÒܶÏÝÁw8ü¥™’ˆâ€bå`r½Œbµšï
+j¯Åõü¶±525ýu.ÛÍD„Õâ:‚®¨ì†°_RáêàÇž Q°6t9aÞ—ð(DãY9hˆ„'W”£;©St6 &Çÿs„ו‚Q÷£>ìèÄ[7q3Ëu;ØO~걬ËCá7·]úŠåB\h«B”i'ú©¡ªþsÅDŠ§ýEÂwÿãØðqûãùÜ'(¤{aX
+5Ítv뿘Êþ_1ƸHendstream
+endobj
+2630 0 obj <<
/Type /Page
-/Contents 2101 0 R
-/Resources 2099 0 R
+/Contents 2631 0 R
+/Resources 2629 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 2091 0 R
+/Parent 2603 0 R
>> endobj
-2102 0 obj <<
-/D [2100 0 R /XYZ 85.0394 794.5015 null]
+2632 0 obj <<
+/D [2630 0 R /XYZ 85.0394 794.5015 null]
>> endobj
-2103 0 obj <<
-/D [2100 0 R /XYZ 85.0394 752.0715 null]
+898 0 obj <<
+/D [2630 0 R /XYZ 85.0394 769.5949 null]
>> endobj
-694 0 obj <<
-/D [2100 0 R /XYZ 85.0394 700.8318 null]
+2633 0 obj <<
+/D [2630 0 R /XYZ 85.0394 748.1323 null]
>> endobj
-2104 0 obj <<
-/D [2100 0 R /XYZ 85.0394 667.6704 null]
+2634 0 obj <<
+/D [2630 0 R /XYZ 85.0394 713.0047 null]
>> endobj
-2105 0 obj <<
-/D [2100 0 R /XYZ 85.0394 631.9578 null]
+2635 0 obj <<
+/D [2630 0 R /XYZ 85.0394 648.4882 null]
>> endobj
-2106 0 obj <<
-/D [2100 0 R /XYZ 85.0394 565.5242 null]
+2636 0 obj <<
+/D [2630 0 R /XYZ 85.0394 577.9033 null]
>> endobj
-2107 0 obj <<
-/D [2100 0 R /XYZ 85.0394 493.0222 null]
+2637 0 obj <<
+/D [2630 0 R /XYZ 85.0394 396.1161 null]
>> endobj
-2108 0 obj <<
-/D [2100 0 R /XYZ 85.0394 308.5213 null]
+2629 0 obj <<
+/Font << /F37 1026 0 R /F21 938 0 R /F22 961 0 R /F41 1218 0 R /F53 1313 0 R /F55 1321 0 R >>
+/ProcSet [ /PDF /Text ]
>> endobj
-2099 0 obj <<
-/Font << /F37 802 0 R /F21 714 0 R /F22 737 0 R /F41 939 0 R /F53 1029 0 R /F55 1037 0 R >>
+2640 0 obj <<
+/Length 2232
+/Filter /FlateDecode
+>>
+stream
+xÚ¥YÝoÛ8Ï_aàNÙ­Y~ô-MÓ½,ڴפÀÛ}Pm%N–r–ÔlþûjHY–ém‡
+ÛÞçuŸWþÔÅ’ 'Að,#N)>œ8l×îÎmÖ× -%”þ%8 …‹žÊnÓô2ΑúmQw-’ºŸ¨& Ê8³)ªGm‹¶Í
+2J4
+}ž‡ã,µ‹¥0„
+.‡Sß]¿¿¾Ôÿ»»þps›P‡‚!1V‰ïëc‚>ë¦òÕMÐ깃Aת
+n‚f“¨·!–¦ÓÁ­0²©
+þ±l`bé'ŠÚÏÙÉ\o‹u’˜dœ&‹±Æ¹i4Y Lc~ìÎMf8
+¤9Ži£s?kK8„C`Ÿ†+©¨_äyñùî_>ý•qÝuÝ»:âÍísÛÛàÕ˦n|Ê~»?W!utžä„Y¥Æ~!¤›.“ŒXiÌàC§8.ãÚ%Ôhܰ圓Èc¯†#Š ‘d<«ÐÜÚ؇|áÜìã$Æï<C€ˆ’®ãaø>×Íc P7ÇÖÖb) æb.Õm
+Ø!ÜU8yXø–šA °A½èDr–mò@̲R
+e=L?×]þŽ¡6û…I
+i£e¬ã#˜¥ÅÏ(;âÉR •Ýv9$=6PÃÑS9
+·ç5®k=Dµ³U/p2&9ăzv÷‰€‚ÖC'-žãÃw¡‡ëHÊ›^¥DþƒöBGCEy­$¡ ¥<¶û‰5âå¥×Ó¿y“}+ f£ÏËN‰ %žZÅMqŸ÷U· 8Åjb¤Š·><O+ƒ÷MU5O’Ðá<<ÇaP‡¦
+—@!f7MÛáè©ô·0?úvöanSÔoãŸô€(/0Ž\ÊoqCHy|ŸÜk‘±~ßœbÑ”D¯›T'É ±†Û™Ã%iÆUÃթщpSCýÜÔ‰@œï%žã‚W,zÅb:xúÓ¦ô1å ×Áº+}€Îù&o{Žfôì¶77#œJ7MŒ%—„Ó(u›槿Íe×^pm½¿„Û ØŸ¼Ë A”rjÚ+éÉí¢r=h
+Ä¡UÒÑ‚p,v°ž¾ Ùã·ï|œ ÅY»´„œ6ß3¦RÌý¬]Ö‚ŸûxÌÐ hô$¼nónµ Æ«™=4¦¿®&
+V€ÖX[Ãf=Ä#@6b¬1'RS3ÿyQÎRsø:tl#}E<ÊMªÀª€Õ`UXáW'?ê B‘¨‹U¤7¸eJ{l  ºÛ¦ ¬BšÃ(˜,~
+endobj
+2639 0 obj <<
+/Type /Page
+/Contents 2640 0 R
+/Resources 2638 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 2649 0 R
+>> endobj
+2641 0 obj <<
+/D [2639 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+2642 0 obj <<
+/D [2639 0 R /XYZ 56.6929 703.1515 null]
+>> endobj
+2643 0 obj <<
+/D [2639 0 R /XYZ 56.6929 603.3192 null]
+>> endobj
+2644 0 obj <<
+/D [2639 0 R /XYZ 56.6929 540.5015 null]
+>> endobj
+902 0 obj <<
+/D [2639 0 R /XYZ 56.6929 501.6992 null]
+>> endobj
+2645 0 obj <<
+/D [2639 0 R /XYZ 56.6929 468.7497 null]
+>> endobj
+2646 0 obj <<
+/D [2639 0 R /XYZ 56.6929 433.2488 null]
+>> endobj
+2647 0 obj <<
+/D [2639 0 R /XYZ 56.6929 367.5092 null]
+>> endobj
+2648 0 obj <<
+/D [2639 0 R /XYZ 56.6929 307.6563 null]
+>> endobj
+2638 0 obj <<
+/Font << /F37 1026 0 R /F53 1313 0 R /F22 961 0 R /F21 938 0 R /F41 1218 0 R /F39 1161 0 R /F48 1238 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-2111 0 obj <<
-/Length 2134
+2652 0 obj <<
+/Length 2228
/Filter /FlateDecode
>>
stream
-xÚ­Y_oÛ6ϧ0°e‹’"%±oišnÚ´k\`ÀºÅ–ca²”Yr2ûÝñHY²™fÅŠ5u<ïïwŠ˜pø'&:a‰‘f’Å4z2_ŸðÉ=ìý|"ÏÔ3M‡\¯g'çoãtb˜Id2™-²2ƳLLf‹?¢×LHvúçì×ó·:0K`\ÂÈõéæÍ%»üpó–8Gbeš²TÄƱ^|üxuóæú÷Ó©ÔÄŸN5çÑû‹›ÏïˆöñÔÈèâç«[vr5ë +xŒVü}òÇŸ|²
-`Jg&S¢w±!{.ôÈtçü«œB°XÁaä´¿ŠÝ¡3²„锧“á/yCg–…}1õM)–¦µIÆ&”‹Cõà-5ÖïÈm=WÀorè ž0e1>õs[@Æ$:êVnáüt«Z/¹~Þ—"5,N¾£/½À€/‡Š‰L²¼ræ¡ rMâ‹h¹9YԬ̟7õÎåýv“weS)Uªa!áxaÒçÇ)Ë Ò¾›c¼Àáb©Ù7;f½m;2ûΧDÝ<9OÜíð7‰ê|],ˆôTv«½Aúd*Ó˜¥™Á(
-f´–Vp ï <é(¯î› ¼¶võ‚m1·Q):÷ÜmÊúžÖ%j UÔXŽE±!ò²q \G!­ˆ°.Ú6¿w'>æU¹ð…ç®q'lçó¢X
-󜋧¾»~=³­8þ7»þps0rZjfæ_´Çƒê¢)ÚƒÄÜ>›)œ­UÕçu¨Dl. ·]Xa•…(Ntß>ª
-ƒÃO mWVe·;BD>ýk ^W.ÿ©˜g¾òàxiGáw¾Ý¸êª‘,
-ÃïSî#æ6åÂ
-ñp;#|’fÜjÀ33,r2H¬Ö†¥\'_ëòú¦“ î>n¾C—G§C‰öâi†Í i¶?øk]ž Ô˜¼m©ËBGzÃ?}ð¯:qÄÛâqŠEδ+ Öça¹w>5«ÂEisšª(XiÜ—XJç]]Ñ»ïn?¬Û–_¸æþgl`cŠ€ê¸— öl³$E¤3Móf˜M0²pÎ}}ì Î8KpH‡8
-¤=ŽÆ2Zté0\)Í‘ÉŒñêâóì—Ÿ^öâuÝ›ÚãÍí®…þÇEõZ
-¼r>nmiª´|UY¡ã?×å?Çâ~øÒŽ`¨éKÛ¡íþT­·vjTó†¡ ‘a`­§AKg½ŒoËêNŠ¯2ûAWÙ µ%j·¢º}V½¢×óšøö£øëŒ6}‘C>¨8Eî¿+èÑ' ÛÉ{çôC_†|칯ý8fÅqèšà=²ÿï¿ìÿF¢RˆB&Ãß¡ejïƒÄ+…V‹˜©.8¶«2 û¿àYüendstream
-endobj
-2110 0 obj <<
+xÚ­YYs7~ׯ`ù%T­ˆà ëʃlËŽœHVbeË•ãaDÅYÏÁp†âÊ[ùïi s0µ[z ¦Ñèn|è ˜qø³D3®l436bš =[–'|vs¯Nñ,ÓbÈõìöäë—ÊÌ,³±Œg·ë¬„ñ$³ÛÕ/óó››‹ë—ïNRóù3vºÐœÏ¯Î¯:ÿi7§VÎÏ_]¼…O™˜„f§¿Ý¾þú¥VùÊZf"íÌr’¼~ñœ=sýÒ±ž\Üvö÷$¸rÆþ~òËo|¶‚­½>áLÙDÏðÁ™°VÎÊ“H+¦#¥¥8y{òC'p0ë—Na¤UÂt"ÍH‘˜I[+©üVVÙ:Ýí¢©÷»e¶HW«]Ö4‹‡Qr @hÉD À
+Ë"Ý7YØ™h~Øä˪ù2­v—!¸VHik¤4YK„M†ƒË›‡çÒjÕ‘bbãNE2_³³Ò}ƒ¥  -:ÛB0«µô&×6[¶ùCV<ž
+!æþ€a ‘0+4âp¾n³Ho“ßü½H0“˜àM¶{
+%ÇQ1y¸‘;
+' ›r&áž&I0/  ‘>»»A{¨ñ|"ÉL94fw6„²Ðª¨à–iq_ï`7åTCr*øî0¤"¥()%çYµÜ=n[œè…úÏupf9rf£™p"ŠßU«åÔ‘@J‹9‰°·§0‚Z¸ÜïÐ3ª¶xÄɺ‘œ{uþ|qõB#NÒj%lj«wìC";[ùض€?ΘŽc]E}ðÞÔ»G¤¦øÙdK´£Er—aÜõ
+Æ¥è6õnä&¨c
+8TÔ]pç$nUï} áÆ¿ïë–|l"&ô>ý‡ñŽë©Ëº,½Ë
+­K‡ó=ÃOì6MßAc.g’›Òeé}-›Š}ÉdÂC=€‡ô¤EC¾¯êCEæ5S:yÂ"Qeþ¥Š Õ)=#ˆµ`\»»Õ0lº˜:ÓÕ! `;d‡ÐÁ|JìÛǃ†æ׸Åg¦b×€l÷-›Ø˜Œ5Ó]Áþ8–Œ‰qUc+Å nQw³É·HÂÂâFè¢nÖ’åû–ê1·RŽ}.„múæEÚÅhHeZQEn¡¡*Êo³ì¨P_¼;¿ºùþ‚˜]¹ 2|„yjZnƒÄ]E/ò*ÔëŽ9ƒ^¬‡¯3yíR†»ªYƒ)#è¨Xp“ˆÝýÈßì¬ÅVÆç8Ps>ÿ¯G&ÈáÒÝ®©Sø‹z™îšöt*…†%xa€x¥ Ã÷SºêŽ5¡KþÑ ƒŠœÀ%jxMõfvj?iµWm’ÿŸjHÔíð{R·èuˈuš@êo$oj‡xGq#­´zŠÃ?¦w"'w÷&ÅC4>‰à ‰Ü‘oÊt¹(Wzr3®Rdh)Ÿ?‰_^­ÿ©7͇¨x¼“Ñ›ËLæ¯.>Øb-Šâõ›ž|ùitFª_²ƒøï7 FðÇöäGõíer?ûî`>¼;\«ýüÝþ‡o¾yòiäR×¢=Î÷&Çzéó}È
+nYwõC†´ì?þˆÎ&&#Dô‰† Ó6Üöéfr}¿ª(8‘ˆ-–êÞtx!tV×À)ùW®¹†qøð! “ØPP`y…Ù{ Õ~!Ó®Ë#É=CËÇñ3¤¿ëJ¬NþqÆ_´ÄÈ: ÷7ZÑÝ‹%mt¸l ’7B M×r ½fÀªÙ@»#!«Ìõó^%6y¤dÒÉÐ4h»¿òoŽ¾Ÿuî÷Ph±N˜„Þ7
+š1á1q–ÓdÕèÅñ¨gS–z6Ç‚[5ã§: çÕ*_¥ jü±£Bh"âéÙtøl×ݨÁk€žRQo–·Mx@6ýÉ éOF¾é• :ýdÔé'ÔéOô7«Sý¥ÝúÔ{9º{äžxÝæ]zúŸßÒû&D†©$‘Ý3ù¸Kæ‘+ô"å6,b{lz÷êþWÛÿgyÌendstream
+endobj
+2651 0 obj <<
/Type /Page
-/Contents 2111 0 R
-/Resources 2109 0 R
+/Contents 2652 0 R
+/Resources 2650 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 2091 0 R
+/Parent 2649 0 R
>> endobj
-2112 0 obj <<
-/D [2110 0 R /XYZ 56.6929 794.5015 null]
+2653 0 obj <<
+/D [2651 0 R /XYZ 85.0394 794.5015 null]
>> endobj
-2113 0 obj <<
-/D [2110 0 R /XYZ 56.6929 605.5421 null]
+2654 0 obj <<
+/D [2651 0 R /XYZ 85.0394 513.4321 null]
>> endobj
-2114 0 obj <<
-/D [2110 0 R /XYZ 56.6929 504.7499 null]
+2650 0 obj <<
+/Font << /F37 1026 0 R /F53 1313 0 R /F41 1218 0 R /F22 961 0 R /F21 938 0 R >>
+/ProcSet [ /PDF /Text ]
>> endobj
-2115 0 obj <<
-/D [2110 0 R /XYZ 56.6929 441.2539 null]
+2657 0 obj <<
+/Length 2274
+/Filter /FlateDecode
+>>
+stream
+xÚ¥YëOãHÿÎ_í§DÚôöûqß²ÀαÚY`V'ÍÌã°Æ±s¶Çéþø«~9NÒF+$ÜÝ.WW×ãWU2ÁðG&B"i¨™(ÑÀDLòÕ ž<À»'$ÐÌ#Ñ|LõëíÉ/¿151ÈH*'·÷#^a­Éävùeú+"Í€ž^_žÎO¯.ûp~9›ÃŸ.>}:¿<»ø×lNb Äxúqqùyñ‡_û43tºøp~3ûvûûÉùí ÖXt‚™•éß'_¾áÉNðû FÌh1y† FÄ:YpÁàŒÅ•êäæäÏáè­û4©
+‚e’&tAiJ É(sº¸¸·g
+$9;²Ü¬…BB (¿bL«âçÙœƒ²Ë:¯6Kg»³ ÓA32]U/~!*{é £±ï2öÅ]áŸÏmÙ÷pP϶³‡A×ÿÌgÌM¢`s;BFêdm6ýzÓP0‚§§ÍjUÔ Â–
+!®Ê°xN+bÂÕ1â”E­)F1¡¢‰A©}ÛT]J±à x „Cõ…•°óîvß´ æ’#À›ku¶*–¯ÙMRD¥Œ¤^]ÑÛ«.DÁº-­NBÔ0
+>ÄùÁ¨¹Ëºb.ù†DBkij¶É›e‘87Hªß
+b$â`wä.òGZB’øé{Ý<×~¼®2{äÿô~jÕì™Xñ‹þ'?ùŸì G&ƒ“¹Àcie¼Ë].>žûsßœ_Ï ký7·ÙìâÃçë…ÕæíÅÕe:Š©@TiãïžHgg;|ÚÕÕÆ"¦Ý…·à 6>6ÞKÿÖÅ<³</Ö½§ôÙî”.›º dõÒÓÄï<³¼y¨Ëÿ|(Ã`»Ò­‹¼´›Ç]KS˜œ¶|Ž·&BF"äy%Q`Ĩ‰)‚Åc>ú¬ø6ÝÊf~ZÖIq 2…~OAΆÔ%¨áÆLoŠbOŽn¤aæò^|"‚ãê8€Ì9HQ˜ìÀÞèˆÖñÊÚ?}Þ´¥ÓÅå™ÿX,We]v=¶»t]ÜÞîu>û˜Õ›¬Ú‚“,‹>+«½#4nÎCd,þ¸¹:îüÖ ¾b5ü#?‡ô<J‚ûïbÚuâ×ÝÌŒu«l2£ÿž&@¤¶˜+wHheÎ8(…Rv´³ø|ûÏ«ëãj¹
+‚ xƒoW)c*§˜ªRª­_·´· †è··ŒD‰-w" †
+ÒÞΖg
+16#S0„Y¬™p¸¡q„UÕ<§³<#
+endobj
+2656 0 obj <<
+/Type /Page
+/Contents 2657 0 R
+/Resources 2655 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 2649 0 R
>> endobj
-698 0 obj <<
-/D [2110 0 R /XYZ 56.6929 401.9804 null]
+2658 0 obj <<
+/D [2656 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-2116 0 obj <<
-/D [2110 0 R /XYZ 56.6929 368.8669 null]
+2659 0 obj <<
+/D [2656 0 R /XYZ 56.6929 613.6539 null]
>> endobj
-2117 0 obj <<
-/D [2110 0 R /XYZ 56.6929 333.1161 null]
+2660 0 obj <<
+/D [2656 0 R /XYZ 56.6929 528.5855 null]
>> endobj
-2118 0 obj <<
-/D [2110 0 R /XYZ 56.6929 266.6983 null]
+2661 0 obj <<
+/D [2656 0 R /XYZ 56.6929 467.4275 null]
>> endobj
-2119 0 obj <<
-/D [2110 0 R /XYZ 56.6929 206.1673 null]
+906 0 obj <<
+/D [2656 0 R /XYZ 56.6929 429.7784 null]
>> endobj
-2109 0 obj <<
-/Font << /F37 802 0 R /F53 1029 0 R /F21 714 0 R /F55 1037 0 R /F22 737 0 R /F41 939 0 R /F39 899 0 R /F48 953 0 R >>
+2662 0 obj <<
+/D [2656 0 R /XYZ 56.6929 393.7775 null]
+>> endobj
+2663 0 obj <<
+/D [2656 0 R /XYZ 56.6929 362.3409 null]
+>> endobj
+2664 0 obj <<
+/D [2656 0 R /XYZ 56.6929 298.261 null]
+>> endobj
+2665 0 obj <<
+/D [2656 0 R /XYZ 56.6929 228.1126 null]
+>> endobj
+2666 0 obj <<
+/D [2656 0 R /XYZ 56.6929 131.089 null]
+>> endobj
+2655 0 obj <<
+/Font << /F37 1026 0 R /F22 961 0 R /F21 938 0 R /F48 1238 0 R /F41 1218 0 R /F39 1161 0 R /F53 1313 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-2122 0 obj <<
-/Length 2593
+2669 0 obj <<
+/Length 2734
/Filter /FlateDecode
>>
stream
-xÚ¥]sÛ6òÝ¿B“—ÊsŠo‚—郓8©ÓÆqßM¦½>ÐeñB‘®HYãtúßo P¤LÛÉÜèÀØ]ì÷BbÂá'&Î0®R=IRÍ f2_ñÉ5¬½=aÏ,nšõw½¼<úþJ&)K­´“Ëe—cÜ91¹\ü>=¹¸8=}öéx& Ÿ¾dÇ3ÃùôýÉù¿N~&ØÅq*§'oO?ÂTêÄÂ&!Ùñ—ï¾cT¿JS–hƒl!æ_Ï_¿b¯>œ¿Á­G§—¿ý; ®Ù?~ÿƒOpµwGœ©Ô™É&œ‰4•“õ‘6Š­T„”G~éöVýÑ1å˜q2’”cB2)³J*•ËUN÷Õ¢·UÀu••áºõM[ÔUCû(µf)—q_Ófm¾Î«öx¦x2×U›pÎÏþù¼ÍÃJ™m›¼h'bÁjÆ5÷"_fÛ²5ùæ6ߌ°â,j(²BˆZ8XÖeYïòÍ®îèۮ¶*[{>&3% Óšƒh…`©¤^
-Ø'Å4[,6ÇÂMó¦!@½ ôñxüSÏn¢§h~RÁe‹plU7-vEYÒè*œÞam•W/ «ï“ðøý8"¾.nã™,€²8÷œ_oƒ’
-' Šq¤7Ez¾[óÕg±
-uR´ÖNÏq W©GˆË N¨=íb1B]AÜ0iôM›No¼þëÛliáo
-Àº¢/IÈz}{м^¯³jAನòç0LA¢U8;Ê¡ K¸IžåZêp³ô¼dŠŠ@M×Y;_a‚Ž˜³Â M¶¨®Çb
-dÙiä¡H¢ <'ƒ\] Ròü9í˜&d\ŽGgvÁ™]çÌ°ÖÖɶ k°·9 &ɶD‡†ˆñ] ”f$zØIA(HÁ$̺ä b57µ)Ì&É®iæ}àš7õ¦‘L¢Y’Ü÷MnCŒ5ƒkCŒ51ÆÚ©ÇëGmˆf0„<Qåó¯éˆ7JœÓQ®»®Û€*¸9Œ‚È|ŒõÂÊ2ÍÝн¼Oñ|JB®Ñ*¨n/Áñ w’"ጦs/ò-X‰;º,| @{ßâ{ß’rÚÁàT]Øý*V÷Šr½d¸tŠÀcF+Þ¹Æý3 ÞG.ù¤'¨GÆ< *±àI ïyÆ(²‘¤s%yW‚op¥$¸|ÉxÀ˜|ìÀì<U]×Uõv3Ïg˜Ò1ß¿PÊ2ýu3" g1 Ä2NdvkÇèÉ„5ÃpÒ‘`Õ!]ÉDMç˜È†A
-ÏJ Ü=ák…°wL˜Š«Û'S´Ý©èDZoÆPb-ÜÙ÷Wå ®˜3]P†ûÊñ êF¤&C:!'Q ¤gyP9{M™˜jqä;Þd—w¸
-ûBveÙp¤Ÿ]pËþ yäÌΡ—Òòñ^C2ÎSwÿ™Bs4ÍkÿHã]Ñ®°ÌçÞLBáòÎ'P²À&¦„RðÀªtKÈÝi–8Gq ØðÑí®Žm"K¬>0èørr_Xl9Í2+¯ë Üf=æ䜅Š¶Ók}1¿¨Š”’Ó¼šoîb {¤~ºŒÆ<x< ”L®ëŸz<€¾ßä«9åË™X×éé|»!˨ÚòŽëŠFrúãû“W³÷¯ ÉI¦ª/%‡²·õ.ž/¼o§áFê¤Û±ïYŠ= B3š6ùœøh Ü…DwµBÿ­ BÅ
-º ÁT“ð»—‚×=7Bë5£~ŸÓ”ªÍd_A}.uLò®+\¯½­åc¾/™t<Ñ=ñ:YÙ?Wõ®
-ì5c49Ø…ÒÕºx„¨bBuDŸÁ¸Ágë¾Û’èl¨º–!T¥}ÑÁz¶wfo{=¬/éŠkZ‰—òoJ7Û–\LZÃL—°—¥N»WòEM¥>ŠµD»Y7¢Ä‚#2Q\MçÛ6>;;ÆS)^²‚Ûf·YQfÆ0°Îª‘›;(¨ÖMˆóü QŸ~:yñóiØŒé6âðæ¡Ùú&èž'p‚ÏÍÁæj±½ø:–ýë1”H©£?"Ù‘„„Åöê2Æ࿆™å|ú—LD=Þ\‡BQHØ_Öó¬Ä.íÅXí¿;Cpàñ¾0:Ý!%²È¿;d5¾öºTÏfGö®EWž@ð4i9JÚÝ# qºíÏ‘µ1:ê(iß|c7¤GFõ‚†»=K¶/'oÑ+A4ª|µÎæ³õ¼k†0QäÄ)Ÿ>³oÞ/ÿ«Õ‡æ‹.ﮤþp–Ëâíé—´\Š²|÷áå—gß®Žé Õo¹}ørp¯¶g¿ªÏÜ…}ùÓ.ým÷iw®þýÛOÛ_~ø¸û\ ÿ<ù×wÌýßÿQîÿ¤Õ SÎÉñ¿!0¥R™Âû %YïþͼÏûÿ
-endstream
-endobj
-2121 0 obj <<
+xÚ¥Z]oÛ6¾Ï¯ð¥Ì,¿Eâ½J×´èÐfy› °íB±äD¨,y–Ü,ûõ;‡¤dI¡ìCŠ¦ŽÈÃsžóÉ°…la¡ÂÊEb%Q”©Åz{Aðîà 4«Žh5¤z{ñæ½H–XÍõâ~3XËj [Üg¿-¯no¯oÞ}üõrÅ]¾%—+EéòóÕÍ/WŸüÜí¥åË«×w—+fe"ˆi¤ÓtùåæÝ«¾yÿáúæòûŸ.®ï{¶†¬3*§?/~ûƒ.28ÁO”kÔâ~P¬å‹í…T‚()D7S^Ü]ü¿_pðÖ}…†(Óˆ,8È‚QK½H”%ZpádñåPUEõˆr6 —ŒPÅ-ìtû*[¯ÖuµyÌ+”Q²\¥á£á‰ ‰Htø(-Ëú¹ñäo?޼Ñ^Z?‘VYdW£ ×J v숙š@ÔÖ~Á‡Ü¯hò,löÎö—Ì,ëݪ¼»ßù®L×ù6¯ÚƸ©÷c^“¥ÁÝ+Î%ÀG›ÅŠ1b•âþxÑ0K„JD`.~
+À,ÇÏ2ÿâá%"i.-I¬3µó5Iž¢ñ¤žç?…d¨Í;HÀ9þJ·»2÷b
+žb ðM˜²"°ÑjHå4‹¬žÊ‰üÁ3
+ö;¹±½Â¿æ/Mñw>eAlH@ûIÞzªs#-K°eÙ˜»»]¾.ЪÑS ɽ‡ÂãÈêÍäUz€aÕëàpÎàE˜x(Ú£®ÑËχ¦ “y÷lŸó<P²°ª ã8n‰ÿÁÐôÈŒ b˜˜@,Ë7é¡l½º‹ vÆͼ¶¹&–ssFÛªÚ¶×1mƒy ¦ŽÚÞeDÛ aLžf­#Š°6Ö5'ñ5âí—[‡Ñ*î1´„€Ó»Ù¸Ó à‰­š8a¬kZ›ÿ# /Ó²Í÷U)tYÖëôø%:ìˆýAFq‚ Ö^s$b8íÜجêäYZÎe¦ê‡Tóªï©œ˜ž¦[Â[)å™-;¢È–ÃÓYK$W“-o÷EH€¨‹à(õ§z ¡9l·é>( ÞL2¯²îã* #u®òñÐgVNŸñðÍ9O¾3daÆ!øYÕ€ÿšò3ªPPMGåTóõ{|0†–Y|’·£~Í\Ô¸ù`ÌeƒŽ´wª8p¬¹‘×ã€Æg,8šºånÌKˆÛ÷OEØcë|2ŽºÔ;õoiYd~˜ÕÛ´¨Ž.ø¾ÃÕÔ¿6h8»2rX&¬NY´> fãP:ž†Í€êl:*›ÝYØìÐÚ¦˜Ïw’¯Ž(Â×1\ ô„±qÔ¶ 8X×`ó.ZåJ*/ýÇ©=?å!ËØ5…Žk1̶"š’XÑ×I%Ô2yXqY·g6_'ƒìl|%·Õ]*h*å™Ò‘Ùo
+ˆN¤q¸s¨”bÇØx63
+Û!Õ¼Cë©œCkΖ:i–íœc¥ÎIÖúRç5kÑRgÄÛ8¥âþ9[~¼õÈš ‚M 8Ä;*Yr.*
+ÂŒÑÓ¨ˆ«û^ìßhœí´û1Œ—î›ùx YáVü»xé])T„LêïLÞÆ%CY×»‡tý5”
+# º‚;!€'Â汈Ž\š3e÷ê;*‡Å6\!{êt¶~Ú×u‹­ )!Ë´
+Ì“ÌõTîƱ•+A¾#öBåmmWy[;WyCº'Œ:Ӯ㉖ÓÊ—¬ýóXy[ßÙµfЫ÷áÍIÄCŽ@™dçoÆû^dYú¥C«ÓAòǵk¿­$¸ù«ð*ÍV¡¤`¬ØLzôYgó^Y€}ì^†SE8Žvà61©9Û0@'-zs Ìò>¤ˆåó¾h/Á]»Ž4üöÂ*!/ù(|BFœ­` Ÿˆ^6=‘wûbY„'l ëOvÝÔçpêå Êf z³
+8ÖþMH¢ùYßE‰µâl­N»±ì´©æ-¸§rP?œ­µ Ìíçj­“|õµÖk¾¢µÖˆ±`»N]Îvµœïš%‰bgºf–3;µÝJÒwÚ;p»Aý\¹t
+‡›ÉþãdVpÈ©ý>äôG·D~‡þê$ÀÖÇMä ‰"Šöuyç{Çí*xåÃ{X<-›î”}|΂P˜âS;†x]•/“tÌ鲨&/–0ìfå¡5öÔ]]k«m]—‘þ¸½#Ú
+´‹&¦þÑô×tS—Έ#\Ïß'9ŵÛÁõD(VûµìjHË£·çŒºWçw°HÙ×eóš€Ú„ËéýÕôNÙ2=(b~Á}¼ãjZ°ÀÐEžÛ ±‡p¯L4 üUT]å S»InN³íp¯#â…TEÒïº`+gÇwßóÈÁ¿Z` Ô×#DšÅ#s£c;»»¾öû\}ºûù¼±áê¿SE üÇ:;Èà 5xá; v«ÒÆõ3ªÃÔñ¦Þ¦²-Ô¯M ¶TWò%߄ĪZÓüìÍ/öÇXRêù¸Ûe»Šà_’D¢íE÷Ÿÿ`åø‡9í
+cfúG‚J4GÖ1…Œ³„MYïÿ´å5ïÿ
+endobj
+2668 0 obj <<
/Type /Page
-/Contents 2122 0 R
-/Resources 2120 0 R
+/Contents 2669 0 R
+/Resources 2667 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 2091 0 R
+/Parent 2649 0 R
>> endobj
-2123 0 obj <<
-/D [2121 0 R /XYZ 85.0394 794.5015 null]
+2670 0 obj <<
+/D [2668 0 R /XYZ 85.0394 794.5015 null]
>> endobj
-2124 0 obj <<
-/D [2121 0 R /XYZ 85.0394 420.6717 null]
+2671 0 obj <<
+/D [2668 0 R /XYZ 85.0394 229.9393 null]
>> endobj
-2120 0 obj <<
-/Font << /F37 802 0 R /F53 1029 0 R /F22 737 0 R /F41 939 0 R /F21 714 0 R >>
+2672 0 obj <<
+/D [2668 0 R /XYZ 85.0394 85.432 null]
+>> endobj
+2667 0 obj <<
+/Font << /F37 1026 0 R /F22 961 0 R /F21 938 0 R /F41 1218 0 R /F55 1321 0 R /F48 1238 0 R /F39 1161 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-2127 0 obj <<
-/Length 2226
+2675 0 obj <<
+/Length 2590
/Filter /FlateDecode
>>
stream
-xÚ¥Y_sÛ6÷§Ðô¥ôL„ÿàú¤ÚNêNí¤¶rÓ™$´[œP¤*Rvss÷Ýo)R¢-g:z ¸\,‹ÝßîBtÃNdBÃÌDAdLåd±:‰'ðíÝ <Ó–iÚçúe~òÓ[®&†˜„%“ù}O–&±Öt2Ï>E¿ÊÉ)ˆˆ£›ëó³éÙûë·ï.®O§Ô%¢Ù‡×ç—žN™Œ8ã8ºš]œýŽ´§†E³w·§_æ¿\Ì;µúªÓ˜;þ:ùô%žd°ƒßNb–“'x‰ 5†MV'Br"ç-¥8¹=ù£Øû꧎š‚Æ„ñ„ØBО- #Rj1QÒ„3îmñ¿ŸÝ~zËXsÊ%щ”0ˆ‰H˜ô¬—%ì^ÄQ³´0à&JïªG‹4ûwºZöM6XVE©
-ŒD:a
-äƒPÈÔÊ´0jßÓ!ã².úŒÈ1„KÕò8ÌÙTE=fWpÐ;0vZ£·ÝW›በPi´¡æÀ:{îØFX’´¬h­ÖÙ1ëÀh½ÉIBÐp¦¡úRô;ƒf ß5 ‘Z« ž;
-Yùßððﮎ½|÷ñfæ¬9¿|=ÄL¥e0¼÷wš„¤Ì©ìÐÓQ±Šp£»ðu—úý døÕ‡<ÓÅ®äÄäᨤ¡R¨[™!O;…-ª‡2ÿOP#x<;J½¶‹Ü-Þ®š—c92”1û!“Ãó,Nª°ˆ3ÓfNy«Çèsê»ô”^¥â^órTˆL©_dP­Cæk5¤ÆD·ÖîéQ÷,Ì}Úk?á%Š u@¦"oað2¬CzÅX¯ðÀ´éš¦Ëës|̲U^æuí¢Á‘nì½Ås/aÚUZnÓbNXÍX¨¨
-,aŽ„ÆíEˆŒÙï·ï;¿ó×h×¼ Ù¹—÷¿µAê[ ¤û5¸éÛV¹\ÆZPüg–8ÜM´Ãܤs‡«L¹€þ Êè¡uf翾¿yÉ,"ôyÝ”-¸Þ~«á¨CÆ8ƒÊ)ß®vë
-(‚’ö4ƒºBʮ͆ž:ŽãƒÊÂœ…>ÊcšCŸqÅ ‘ŒÔ'^ŸÏÐõìÎ GX²í 6(Î;«ªx}+«u×û½=‡˜Ñ ‡–0jä‘^³aÒåÛñFÝuÂ.”z"ûôö¡ã:Ü»KŸ¦é—vt‡û‚•{ž
-˸ƒ<0KíÀõ ue{ xÌňÌö^ yŸß!rÙ¾Ž‡rZÉ®òáe篾>ª¯/úå1€ó}y›yЛrðGÁ†pˆ%ý3¶@üÖûâë£ê¦Y¶±uýz 4GE.–›ªj²|¬îƒ>ŒÊÎ]:¡Û£B¡Ã“Ç
-佺’v¤c…:^ñ^Öf*ºlÂÊiXÍßÈhÓ6É0JÃÒi§ã£-sÌ´Ž\8l}ÃLßójìf `"áZì¥lìmMòLIÀ!ü=ãkê#%ºb¹»õ1¡¬cF†:À¸Êoƒ‰­^W¥oâFÌ –bÒ˜ãÅ7D$]eÖµFl¯5Ò”²[,à«Ð±®È$ãõZg4{eS¤X'þ¤.AÝÐ —2Ø»AœíN¶Ø]ê ÐÇ_3‰à4B¢Ó
-endobj
-2126 0 obj <<
+xÚ¥YÝoÛ8Ï_áG¨Y~‹¼{êö벸M»›,p@·Š¥ÄÂÊ’kÉMSÜC)K6í8øA5çã734›Qø±™ÒD[ng™•DQ¦fËõ=À·,Ð,"ÑbLõËíÅë"›Yb5׳Ûû/C¨1lv[|™ÿBXF.¿{w}³xûéúÃÇ÷×— f•âó7Ÿ?¿¿~wõŸËWˆ’Òùoo®ÿ|óoœû|iìãû›Ë¯·¿^¼¿Ä‹Î¨p2}»øò•Î
+8Á¯”kÔì^(aÖòÙúB*A”"ÎÔ7¿ G_ýÒ¤*%\hžÐg3ƈ;ÕDÊ-¸ðÊxóçí¿>ýáä|¤::[pM„Ô¨´«¦/·MÙ£nžº¾\wøò¶mºvÛW»u`»J·’>RxáƒòAÓTZM·X¶ÍýCÙ¸•ŽThB5œÀ‘^çë2-˜ `Mé‰&L¼8qžáÈ}ÃÑß倪Üæ}Õâ¾më½Ô{]¹M ÔâéožšvÓUÝ¡Á#™Ñb¦@¥” ™2ѹž°ÉÓ0±ðÆ“,áÈÕñÙ5¨ôË"ÇÓÀ~ûÅŒ2¢™±°£[–×í¶êWÁ\Ó}±2ÓòkäºF'økE22á"Ðu3XnÂ\2b¤`‡Ì· –B£•
+¤Û¼)Úõ}U§¸‚F²L™C®Ý³\OHÉ-1&²û/²[üLp[ ¤DÞà9°ägÛ$Ù‚f&ˆù-Žœ4_S®¸†¦íÔ#ß½¿yûÇÕçÛ«O×âDðûÉq@ù„†S d!BJ9FÎs÷!€àý¾Ýâ`וøéî)!
+ü3¢Kó€ï9>PyîN3ßl/™™·ß«b íWeâäœr@Æ^ GE¨ ÏêÑHiÆz$Î/ì
+(ñÙ”eQ®Eí ÉЈA{è¿è>€ÀUÿ* še½ ú€×< tù#Ë¥tÃÀÅUùeDÍ,6m]-ŸÒn>¢îz ^—MOPJf9a¼
+®ç€AyÕà”? YÁÏt›r‰Và‡6:ËúÁ²]¯½ ¸¯uÕ”prˆQPN¡>å]XZ
+äÕ”™ȼϺ™aŸÂ¾:÷ éul”Á³†'®7|ÞҸѼ7{‘ÿd„s!&þ!™Q3ÿà ÄmLû*e[HYÌÆåÓD7Z
+»¯›3î€ÙF lwu8kT ¾åÁC3(W2©¦ñQ«Ály]{§ÖÆÒKsÉ<ˆ!#aÜwçÏÁëOª“C*­e/ŒGšEŒɱñÂ-ᜠWÕǤŽ>äFÎÐî‹7´›ˆ©ÊAšPˆLUP”Ο›j_/!üc•%ÎM/sBèºí˸+Èy¬À¡žÇvA´°½ê»²¾‡Î›xúˆç[æ9>ꌈCWòã(Ø„CÁ
+NÅ»¡3“ˆxƒ½T8ßâÃNÄ@¯¸½¹úèFÙmÁϨž¿q=ø÷¼­írÕV˸gŽfu^Iå|µÎ—‹u¡œ3J†¯!f$
+Ê¥……g/D^2« Ž'MA¨­’ϘfDuÆ4‘Ê›æïTÄC;m•8n»'ñl ççe¨ÂMâ)"hm"Ý$à“¡’„O±‚©X­2ì°&4˜Q¾ƒÉ¦¯–!ÝD!ì>n~÷Ru‰†[@·Ã¬œäÖP
+fihªÅU¸ŽZH
+=»+#ò) X¹E`é¡ÞZ%o%˜»pŒ<ãmÄT™’Øl¨q›v›`¥³ÑIã-Ä.([²u8õ&ÿ„ÑãÎðXu¾a±¯ cÅ‚º“Šˆ˜FÎI½ŽÚÍ<È’#ë®Ü䡇I€ñ²YZBUÌ”jý¾­ëöÑ·4Êß9ø'J ƒqØãŒ÷³1 ªÆ7³ó’<W©[š¹ËT{p¸q‰ORF ÂAÇúä6î‰þƒàÿ0Zïº>j +„š–#«ü{y€t×y?…Á€–ßóº
+È»S7vÛ…ä ÖU]?ôÕ‘A]ö}¹íUQ=@QóÙÓbàY7å¶j‹î$ø1 ÑbTvüÆT§Áo ònÿíT^:»å—Ž·Lå¥É–¿ïªxÕ½n _E@îöÙ*hÑÝS+E¤
+Jô-£7›:oò¾)­/Dv¡«ÚuùC9¹÷8£o&“08¯ïÕ}G*¯ïm"Ù@Cm†þkz;-/¡ÄV\œ—n JˆwVL=•ošn"ŠRó®ÅÖoYâ4"€ Ò" ´9ÎúZÓ Æ—vŽ$
+$cº;à‰;7e×…Ë3£Iv”(±¨Õ.0îZègªf³ëIâ”ÆýÝÅÙÄÍ@Î÷“rhÅ»IË¡tŒÊxMæF|‘SC·
+‘ :4áÿ÷?ªûŽ¡Ì€Ž•§‘‡gŠÀb…rb?Æâðßë±ìÿИ®`endstream
+endobj
+2674 0 obj <<
/Type /Page
-/Contents 2127 0 R
-/Resources 2125 0 R
+/Contents 2675 0 R
+/Resources 2673 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 2091 0 R
+/Parent 2649 0 R
>> endobj
-2128 0 obj <<
-/D [2126 0 R /XYZ 56.6929 794.5015 null]
+2676 0 obj <<
+/D [2674 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-2129 0 obj <<
-/D [2126 0 R /XYZ 56.6929 513.8248 null]
+2677 0 obj <<
+/D [2674 0 R /XYZ 56.6929 751.9601 null]
>> endobj
-2130 0 obj <<
-/D [2126 0 R /XYZ 56.6929 427.0967 null]
+910 0 obj <<
+/D [2674 0 R /XYZ 56.6929 711.8811 null]
>> endobj
-2131 0 obj <<
-/D [2126 0 R /XYZ 56.6929 364.279 null]
+2678 0 obj <<
+/D [2674 0 R /XYZ 56.6929 674.813 null]
>> endobj
-702 0 obj <<
-/D [2126 0 R /XYZ 56.6929 325.4767 null]
+2679 0 obj <<
+/D [2674 0 R /XYZ 56.6929 642.3093 null]
>> endobj
-2132 0 obj <<
-/D [2126 0 R /XYZ 56.6929 288.9693 null]
+2680 0 obj <<
+/D [2674 0 R /XYZ 56.6929 574.7324 null]
>> endobj
-2133 0 obj <<
-/D [2126 0 R /XYZ 56.6929 257.0263 null]
+2681 0 obj <<
+/D [2674 0 R /XYZ 56.6929 501.087 null]
>> endobj
-2134 0 obj <<
-/D [2126 0 R /XYZ 56.6929 191.2867 null]
+2682 0 obj <<
+/D [2674 0 R /XYZ 56.6929 314.9678 null]
>> endobj
-2135 0 obj <<
-/D [2126 0 R /XYZ 56.6929 119.4786 null]
+2673 0 obj <<
+/Font << /F37 1026 0 R /F21 938 0 R /F22 961 0 R /F41 1218 0 R /F53 1313 0 R /F55 1321 0 R >>
+/ProcSet [ /PDF /Text ]
>> endobj
-2125 0 obj <<
-/Font << /F37 802 0 R /F41 939 0 R /F22 737 0 R /F21 714 0 R /F48 953 0 R /F39 899 0 R /F53 1029 0 R >>
+2685 0 obj <<
+/Length 1425
+/Filter /FlateDecode
+>>
+stream
+xÚÅXÛnÛ8}÷WèQ*†w‘ûæ6N×EëdX éƒÉ°¶äµä¦é×ïð"Y’•¤‹¶Q3ÃáÌáÌ!e`ø#3̓Xs$0ÁÝv‚ƒ¯ {;!Þ&jŒ¢®ÕëÕäì‚ÅFZR¬Ö_
+a¥H°J?…³««ùò|ñç4¢‡¯Ñ4‡f˳÷Nv5Õ4œ½ßÀ+Ñ1#¢ŒÄáìÚi—³óéçÕ»É|Õ†Õ `fbú{òé3RÈàÝ#¦•à#¢5 ¶.œ±F²™ÜLþhv´vê\($(—A$($®Ô8`a
+ „u±´ëÚÁ-¥ÜL5O'1oõã.ƒ&à±ö¨‚<ÍÖÉaS»—¿²Ç£µå•·K‹*2zBHˆFâ¦J"Š…|!p†´i,gdƒQᲬ³&¤vȱX#FTƒœk|›•ÔæWe›µËJÖæçôwIQ”µÓ|ñ²C•¥¯ÌP†€Ø]æ´­K—²•NòÅ¿»íNp›<:iš¯§D…ëlïë½y-··Ò&@‹äÞ+‡Õ½ÁØ°V¹«ó²pã6Û@ài2p£‡¼¾w#_jg¼×#ŽeÓÑ‘­ q oâÖF'„èYGÆIBÅóÔÔµzššZ«nhCjŠ•n¨éGYŒRSÌ€nŸ ¬µ‰lHM1o?4».€L:b„¹Æ¡‚<GG„A òSt$ $éñ‘YÑó‘YÈò‘‘Ùºå##H
+÷løÈ(>2rËGFèªÑ¸}–z"¢ =Ù¯üO9ˆÐ8î³¥MíS×¥fruøâ•Õ´"Ua²Ù”~j“Iåý”N&N
+ÓÏž?]–åùØùÓZõP;e ¸ºÃgõu”ï b€ÖHã:Ë–6Ð ‰c$´ÔÜùüæÍõâjµ¸\Žœ%ƒÂëGÛ«#×ëæ$i6Ý^ßü®k=Üu£2½º¸úƽA‘63¾IÓÁNlï¸) Œ”†µŒfççרS"`lïÅÖ§<j·ú¨{Ž­(ô3%uJf=¦ ÷K˜¦5úEL7L£=Ó|Í
+(8H{TCŠi˜µ:zP (²}Ë4‰WÃucÓJQÃùÝ2I× 3ÉSßã
+endobj
+2684 0 obj <<
+/Type /Page
+/Contents 2685 0 R
+/Resources 2683 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 2649 0 R
+>> endobj
+2686 0 obj <<
+/D [2684 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+2687 0 obj <<
+/D [2684 0 R /XYZ 85.0394 608.7316 null]
+>> endobj
+2688 0 obj <<
+/D [2684 0 R /XYZ 85.0394 547.8766 null]
+>> endobj
+914 0 obj <<
+/D [2684 0 R /XYZ 85.0394 510.4382 null]
+>> endobj
+2689 0 obj <<
+/D [2684 0 R /XYZ 85.0394 474.6444 null]
+>> endobj
+2690 0 obj <<
+/D [2684 0 R /XYZ 85.0394 443.1856 null]
+>> endobj
+2691 0 obj <<
+/D [2684 0 R /XYZ 85.0394 379.4087 null]
+>> endobj
+2692 0 obj <<
+/D [2684 0 R /XYZ 85.0394 321.5186 null]
+>> endobj
+2693 0 obj <<
+/D [2684 0 R /XYZ 85.0394 248.7084 null]
+>> endobj
+2694 0 obj <<
+/D [2684 0 R /XYZ 85.0394 187.8534 null]
+>> endobj
+918 0 obj <<
+/D [2684 0 R /XYZ 85.0394 150.415 null]
+>> endobj
+2695 0 obj <<
+/D [2684 0 R /XYZ 85.0394 114.5065 null]
+>> endobj
+2696 0 obj <<
+/D [2684 0 R /XYZ 85.0394 83.1624 null]
+>> endobj
+2683 0 obj <<
+/Font << /F37 1026 0 R /F21 938 0 R /F55 1321 0 R /F22 961 0 R /F53 1313 0 R /F41 1218 0 R /F39 1161 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-2138 0 obj <<
-/Length 3036
+2699 0 obj <<
+/Length 1821
/Filter /FlateDecode
>>
stream
-xÚ¥Z[Û¶~ß_áG/pÌð.ç)iÒ E»ÙÓlm´– ±%×’³ÝþúÎð"KZÊNqàQÒˆÎ|s¥Ù‚Â-Œ"TX¹È¬$Š2µXïoèâ3¼{ÃÍ*­†Ton^}/²…%Vs½xØ æ2„ÃÅoË×÷÷ïîÞ~øõvÅ]¾!·+Eéò§×w¿¼þÑ?»¿µ|ùúý»O·+fe&ˆ ¤ÓtùóÝÛïVß}¼ûþý»»Û?~¸y÷г5dQ<ýyóÛtQÀ~¸¡DX£OpC ³–/ö7R ¢¤ñÉîæÓÍÿú oݧ)Q(aˆ2<KÈ‚³cÄ*ÅGÂP–hÁ…ÆÇû‡ï>½Ø %T¼2Îà#˜<©„@´RÅ…JˆT¸î*Ÿ.iÂðËKF¢Ä’|°$¨[0«ÆK¾m@»F/óS×ìó®Z#^5'&“Ã/Žu‰†³s`‚sˆÖMý;¥üóés65ÀD2³|ØV­_n}¼…û2ïÊð ÷ühWúéå&‘™æ&È—ò9Áˆ¢DgTªNMÆ
-¦Î÷e‘˜IpbÏâkÂ6Û.?v§€ˆƒ zئð²äzˆQ‚T e€}&ÍDÊiè0öL,®8•Ë¢Ä»Ú¡•*‡V÷t“Ÿv¿Y7û=îݬ·y]—;ÿ¦
-FvË– >°3gþ12ã w»æ©ª?'ä'˜"FZuUŠÚ¨®®9svªqÉ2ÈD+à™Š2ñ!à©Jc€ƒü¤¼¦9A¤‘b 9Œݶôƒ]³Îw~¸mÚÎÜ‚nT7þº9á“£¿yáCïJÎ 8vPµÜ³þó©®Ór“àëTï–Pl+4ÉÏ¥ã0 .w²™LLdLN+­'÷Ç•^Zÿ vLj¥®zL*ÀüÊ‚ K?ÿ©E»wK„µ gºÍaUÞ½)vùºÜ¦Zÿáƹ©¯ÙÒxÑq.!àë‰)ÌØ«%BeQŸé 0M”Ͳ@óŸ9¥¢-|v–ƒˆh&È(ÿªÚuçÀ3õ<Oýv\e½\ ª3Á-ðjdËB<Ëñ1„>lp]ëL2š}ã¥ë–»ü±9¢ý¸Û 2ýCpµçQçg˜•øYá_<>§ìKZ’Y!f jç!j²VÔóüç©òƒu¢y„ìã¯|ØE/
-yeÉH”XrTÆZ"¹š,y¬BD]G©o›c0„ö©ù1( ÙL2¯²øq‘;WùùÔgVNŸéðÍ9Ͼ1dQH¼¿¦™Ib3qÅ©æUÓS9Õ|ùŒ¡eÖ_äíìƒ_2—ôÁ#îF>sÙ #J$8ÖÜÈëq@ã3MÝrœóâÃvhEÀ‹ýÉ×#ºO½sùšïªÂ‹fŸWõ™rÁ?D\M}q¢h…rÍÈa™°ºdÑú*lð‘Q{6ª °‰T6‡«°9 µM1Ã)Áý]ä+%ø!†+¬ð'Œ£¶ hÀA_Ž ;(ÇñãÔž°ÖtY~®)¤p\‹ku/ÀWôuÒj™²¬¸¬Û³‹¯ƒ“Av6¾’Û§ê.A £}¹=W:R"ûEÑ™4±/r¤ó8ÆÆ«™¨oLl`7D]ÓjL=•Ó1&K´½%€âš}27P$¬1—¹ë©ì0¥ –ÊÆü1¥$ú¡Ô²mNNoëÒ?vÙ \=·ž¦È»Ü?õÚ‡A¨]‰‹$¡8-x©æXý;¤š W…â»@¤ 8Žn-QBN<Nû ¨ÛûR¯hœïÔ ÊïÎ?:x´}­ŠÒ?È“-QC„õÇ«¢üú*ì+Ä€T÷VW[¬Xv‚Ë¿ëׇ)ªué*аiÇ_C J_:—W¿r]¶­ß53£Å¤_8¸ÌÇƇë஫úpêHb—OÎíL· ð™®Ç„ÌúFîl`zBô
-Ò”GíŒÊùˆBLh„èåYøT-xÚ‰9; ¡]–©©^pGð¤ªyá{ÙÆ´ÇéÇi‚øRÃG-’U׫Ðç)ÕmåÒ@}9LäQEº/™îûuáÚ¢çFÉD‡ðÎé0ôk¬jÚˆ êCCýØc¹¸÷y‡Æе^Ëw‡TZ¤r­½ZêäEq pN•:YëK—¬%Ko㔊Gýs¶üpï k.¶âRTdï¨dÙõn03FO£"Îî{Q°þ¹_Îé _Îé8^ºoæã%dE„[ñïâ¥w¥\&õ7&oÓvvsxÌ×_B©0’ +¸¡Ø„›Å"×@aap‹Cªy,öT‹]2¸Böu¶Þ›¦ gR#0B–i5¤â™ë©Üc+'V‚|Gì…ÊÛÚXy[;WyCº'ŒºÒ®ã™–Óʧlüõ\y[ßÙµfÐkŽáÍEÄCŽ@™d×o3Æû^än秭N7É;7®ý¶’àæ_‡Wy±
-%(-3uE…{ó^Y€}ž‡SœE8Žvà6MömG¦Rô昇i}H˧c…WëHýÖò’¯Â!dÄÙ
-ú‰˜áeÛy·/–U¸Â’0ÿdÕMsrî=Ÿ#!@yr‚Ñ›åPÀ©öo†‡™W}%ÖŠ«µgÜǵh2¤º`Á‘ÊAýtµÖ‚0wœ«µ.òÕ×Z/ùJÖZ#Æ‚í:u9ÛÕr¾k–eŠ]éšYÎìÔv{(Ißiàvƒæ©vé7“õÇɬà/RûmÈèOO|a…þè$ÀÖ‡Mb£™"Šöuyô½ãv¼òá9 LžïÚ¸ËÁ)8›ÅŸNÒ½¦Þ=ObÐ9{¤ËjzÞz¶„a7« ­±m<¨bk+Š¶?®+H¿ÝÁ¿eVÊ]ª5VÄb„GæÞýúú§ûß}Jìžb˜ Ï]xÅÿ5±ºkžR'¶7…½þ—BÙèìtœÎFBÎqŠGÑ“s¼p‚9<’fx¬£!­¡ÜŒÇvšÒ4àéø«( A5hM8Ìý¥íé¦.!F¸ž?O2rŠk·‚ë‰P¬8Ž!k94–'OÏu.qþWOwlvmÊkj3./ÿ†LŠ†ô_0ôùŒ«íÀCyî‚ÄÃf¼2Ñ4ð®ªcå S»InN³‹¸
-+³ötfþ6'‘éf+í-óÿþKÝù¯ƒÝ cx:.*~,2…{
-endobj
-2137 0 obj <<
+xÚ¥XßsÓ8~Ï_‘·Kn°Ð[’ s”Io˜\GM<Û!v¹¿þVZÙ±S·…»ÉƒWÒJ»Z}ûi6¦ðcãHóx¬âD”Eã4Ññ
+ÆÞŒ˜× ¥ «õb1zþZ¨qLbÉåxq×YKª5/–Ÿ'/§d
+KÐÉlþ2xûþâeðzöéæz°8|rq}}yõjöiðˆ‚:èR:yqusñö]OcP{s9Ÿ~]¼].ZǺÎ3*¬WßFŸ¿ÒñöðnD‰ˆu4>@ƒÇ|œÂH(¢éÙŒæ£?Û;£nê`0%\H> ÎÆŒ‘8Šx/QL¤àÂ…c~,Êm•Uç[Œ(-ÅX‰HFåi¡æ8÷€_D1&Á­Îέ R£e½Z™b—Ë2Ÿ‚ÿ9(¬Ï_ƒ±ÓL-ˆÔ°oê¦ûüÖìP­g@HÂyȼÚ×…š¡F•ýcÐì]¶1E’œÒfÀ BZFÑ8á±ÝäW—ó—g׋ه«vÖÉ~åì|—¨Ê»a‰ˆÖJxŸ@Óì’ÚTÓ@h5IìGN¾PÊ7»Ê]gHM*S£Ny‡¨ëç§eQ'Y‘+Tj&mMšYE³ÄŽoû¤¨³úØ_j[™ý² š²]ˤNžÙ]À±{ǃ6Xàÿa¥kLž4)P¸5øÝWÖœ•’ÊñS•ûÝ”éIê­}û5EíúËí;îìæF½6^LË<ýŠ¥·Y«Úä¾óÕÞ§¢Äo³%+/Í÷,5dèìiÿÌ/>¾¹yyµ¸O>¢˜ªN“®V“½÷Ó¤Õ²–Û´ˆúhÖq$î¥E×3FCÜ¢w­Õð­‹UFcŠˆõ›Ù˜[¸lw‚A¶ËÃÙá϶ËÂ+ JŸA#–ÐßOj¦9‰´ˆ’¿çšÐDq¦½ÚÑ;ÄNŽ–9Ú­KlÆ ÁPô ã}I¶[S,­Ã¾×‹Ô¿æ ˜tùZ 㨟0
+CV¥Á:OÒÀžÃýÖ¥¸u/$J(,@¯NŹs@QŒ‹Þ[ —su:èÆ»k‹XŸ
+æXõÁßœ¥¿+ËͲ¹"¿›]•ÁFû©öbvõê'‚üTÝÈ…€xÛý÷º±»ÄÃuc«Õ‹Ú]æ£^3Bé+EÃÁÉfU¶×¶ÌdMéà0„òfÞÅÞ Ú”SþkÊ›´!C.xŒ!w=1~ìqÛ›µ¶ )€BV¤›ýë¶þD"QX'^5A•Ûý
+Ûi²¯p¢@Àó·¿£Òb>{ƒˆ+!Sxüb(¿ã2ÓrƒŒ'›²X9@\¯]mç$?¼ÌV¦ª½ª)V®âÙ¡­«¸N*?äeÊ&ö\lMþŒb™A…ð›á€Gûƒn0IQ¸Íêê4›G²¿1¼sýjaxZ-ŒšÕ ×Ns]Íj š:õ%ƒU-QÑñ&|}e #pnåÖ֛£ƒ‚_¡W A;Á¹¹©ªdåJö'¨ÄSÐs¥,è¥åÒ‚‡5ö’jhcÖz¾…¹·ÍÕp*};%ó««¹¿.òíÆä`Й«H»¦‚ëI57NfÂ¥Gë¤é1¦@ɲä÷ €væû=pAŠ‰²/l¡'o˃JšÂAh„ ½}ÜðÉõó䈂ųiVmö—mðµâœ¨­žõ¬hsi F…9à‰«./†¾f…^ëò3kSà O)Ûi1ƒ’ÅxýqƉŽ”çž¡«âŒA¤&:ÔÍ»4/—ø8«ÐL½.+ƒn4ÈU‚j‚X«ê²ÍUPóQ
+°ð䈖Âö{qð!´
+endobj
+2698 0 obj <<
/Type /Page
-/Contents 2138 0 R
-/Resources 2136 0 R
+/Contents 2699 0 R
+/Resources 2697 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 2142 0 R
+/Parent 2710 0 R
>> endobj
-2139 0 obj <<
-/D [2137 0 R /XYZ 85.0394 794.5015 null]
+2700 0 obj <<
+/D [2698 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-2140 0 obj <<
-/D [2137 0 R /XYZ 85.0394 751.8648 null]
+2701 0 obj <<
+/D [2698 0 R /XYZ 56.6929 749.4181 null]
>> endobj
-2141 0 obj <<
-/D [2137 0 R /XYZ 85.0394 153.4294 null]
+2702 0 obj <<
+/D [2698 0 R /XYZ 56.6929 692.0679 null]
>> endobj
-2136 0 obj <<
-/Font << /F37 802 0 R /F21 714 0 R /F22 737 0 R /F41 939 0 R /F55 1037 0 R /F48 953 0 R >>
+2703 0 obj <<
+/D [2698 0 R /XYZ 56.6929 619.7977 null]
+>> endobj
+2704 0 obj <<
+/D [2698 0 R /XYZ 56.6929 475.6873 null]
+>> endobj
+2705 0 obj <<
+/D [2698 0 R /XYZ 56.6929 415.3723 null]
+>> endobj
+922 0 obj <<
+/D [2698 0 R /XYZ 56.6929 378.309 null]
+>> endobj
+2706 0 obj <<
+/D [2698 0 R /XYZ 56.6929 342.68 null]
+>> endobj
+2707 0 obj <<
+/D [2698 0 R /XYZ 56.6929 311.386 null]
+>> endobj
+2708 0 obj <<
+/D [2698 0 R /XYZ 56.6929 248.1492 null]
+>> endobj
+2709 0 obj <<
+/D [2698 0 R /XYZ 56.6929 190.799 null]
+>> endobj
+2697 0 obj <<
+/Font << /F37 1026 0 R /F21 938 0 R /F41 1218 0 R /F53 1313 0 R /F22 961 0 R /F55 1321 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-2145 0 obj <<
-/Length 438
+2713 0 obj <<
+/Length 1682
/Filter /FlateDecode
>>
stream
-xÚ¥SMo›@½ó+öR™îì»GbÇQ‚]C¤Ji–Á‘¥°V1QÕßlg£8Ê¡BBìÌ›·oÞ H¨{HÊ0C#@R”dÓ”<»Ü,À#&>buU߯yB Å)·—ª5’²z ¯
-h #M $)8?E^‚"øq&ô²CéE+ãŠ]ð‚!A#%{g†4 8ãƒE–M¥wÅ¢ïÇU1ÏAJb&À¼µÕæ•T»~+ûlövÛ'¤—°ë¦®<ôÀÎÇŽ‚j©Ý5Ãdæùt,5GQU³³»C×®»};†Võ¶n#Ôam7õº_Û×õËñ¨40¥Ô‘Žw®ÄÜù'$îK"U6}(o«¯ ™Û®nmÝJŠ¿‡®nãa²·‡}Ûí^›ÏöÄ]Ø÷ÂTéYâïÐÛ¿"àZ³·õðûb‰W¬N¢úæ‹ÒOÛöQû?pÊÕÁendstream
-endobj
-2144 0 obj <<
+xÚÝXKsÛ6¾ëWèHÍD( NOŠ£ÄNcǵä™v’(’’8‘HE¤ì¨¿¾ ,‘2mg¦·ŽÄc±Ï» ±!…*I¨ˆüaùDR&‡Év@‡+Øû0`–fÜÛToçƒßÞ‹p‘(àÁp¾lñR„*ņóô‹7¹½Þ¼»úk4æ’zoÉh,)õ®'7÷“O¸v;Š¸7ù0Á”…B
+ý|ùF‡)¨ÿq@‰ˆ”>„E|¸øRé Ѭl³ÁŸŽak×íóƒŠHÅÃGpÞç‘@pa±8ÖY5 ʽe¹×æÍ.'Bù¸©[”Œ¥’½&½z¸#i‘=â Ê’ýˆ)/«qÿ1ßlpg‘áÊ*+²}\g).'eQåU+œ—Ëãu\­q!ÍWYU·‰¸ÖC‡|1fŒDRrcX¹I1'mˆVœz`½Zâ¦>|F…ó4·Ç‹Ò®àöCŽ\Ͳ}•—ÅÇ°ÀQnÏ¡õz´°‡vû¼0¶ãv½.–v[¦ùWJy×À’hokÛ lèŒ[jS…OB!1†€Æû»«ùßÈãâóÍìêÝôn¢<¿‚™eÑÆpà>‰|æ#g=`SfÄZ%ãü‡ ×™1 Fh5š £ztJž$0°ÄQZB^%ãõ6NÆÚ¼Ÿ‡]N">£Ìˆ›A`µ.A\‘¥ÚË $‡ÁF\¡
+õ:·š7ßuùØlY&—ד í ï².“rc°3æ\‚p. a–x,÷ßõå`¡—k¬ëC; \.ÇÅñ1>Žcž¾Bš°ë´4÷
+Žâ¥»Ì;ÌöyÇuja»{›œQßÏ*ÃÝ÷¾rîÿ‘­R›²Xe{¤‚ˆY¾‹õš½.=·c“«zý ·'I¶«ãÅÆÎ 6ÝUÉ~Öû‡Èƹ<lÎïL•¯
+ è¢ÞíÅ(,Øâ*;c½< :ל®‘NË Úò_º S<<ù4ûŒô"zøo¯nÞ!}d¥Û¼€\AÖéP/ÝeËÌ*’X=¯ãâoz0Ì
+dº›x›=£•"A¡ö'Fˆ}ˆ£¦pàÌÔa6ò^ƒÇ±(wPkÎ w
+¸«ÐêÛÄKCJ@A/ðÛN@}™:Ï<lØ[@ZHqXZò?•©^_âYdžy»xÈ'TºÊCŽŸcE
+Í#ÚwkÞÑ-3}E‡¹ã‚vêdŒåaƒcH‡³v‹Ë¦a°Í¨ë¬V‡-H}†LB•”/ðMõ< •é¹O5á ¼6ÃWd;ªá]
+ÂBu&ÝÝ_‡ÄVÆŒSÈ¢ YlŸFu¾Íªg¯2´ÿ®·t¨lßféó~Õ`‹Â࿶¨^ðkC¥-;ÕÖŽOu@•ÿ²\GÕ#¸ãS®]…]ÉΧVô¯n©:ÙpÑò uГ.@7o’ŠÿG÷,™”¿Ö=÷ý[#àí'D_¸¨sÙþ'çôw•¡ï» Ðb ¨™V)­8 å¹êî?Ÿ§ºÿ 4›± endstream
+endobj
+2712 0 obj <<
/Type /Page
-/Contents 2145 0 R
-/Resources 2143 0 R
+/Contents 2713 0 R
+/Resources 2711 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 2142 0 R
+/Parent 2710 0 R
>> endobj
-2146 0 obj <<
-/D [2144 0 R /XYZ 56.6929 794.5015 null]
+2714 0 obj <<
+/D [2712 0 R /XYZ 85.0394 794.5015 null]
>> endobj
-2147 0 obj <<
-/D [2144 0 R /XYZ 56.6929 752.4085 null]
+2715 0 obj <<
+/D [2712 0 R /XYZ 85.0394 705.7181 null]
>> endobj
-2148 0 obj <<
-/D [2144 0 R /XYZ 56.6929 692.3565 null]
+2716 0 obj <<
+/D [2712 0 R /XYZ 85.0394 622.1311 null]
>> endobj
-2143 0 obj <<
-/Font << /F37 802 0 R /F21 714 0 R /F22 737 0 R /F39 899 0 R >>
+2717 0 obj <<
+/D [2712 0 R /XYZ 85.0394 562.4544 null]
+>> endobj
+926 0 obj <<
+/D [2712 0 R /XYZ 85.0394 525.9492 null]
+>> endobj
+2718 0 obj <<
+/D [2712 0 R /XYZ 85.0394 493.8436 null]
+>> endobj
+2719 0 obj <<
+/D [2712 0 R /XYZ 85.0394 459.1867 null]
+>> endobj
+2720 0 obj <<
+/D [2712 0 R /XYZ 85.0394 396.5882 null]
+>> endobj
+2721 0 obj <<
+/D [2712 0 R /XYZ 85.0394 339.8764 null]
+>> endobj
+2722 0 obj <<
+/D [2712 0 R /XYZ 85.0394 268.2446 null]
+>> endobj
+2723 0 obj <<
+/D [2712 0 R /XYZ 85.0394 83.0386 null]
+>> endobj
+2711 0 obj <<
+/Font << /F37 1026 0 R /F22 961 0 R /F21 938 0 R /F39 1161 0 R /F41 1218 0 R /F53 1313 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+2726 0 obj <<
+/Length 312
+/Filter /FlateDecode
+>>
+stream
+xÚ¥’MOÂ@†ïû+öØ:ÎGwÛ=¬€QD[ÂIИXˆPcü÷nÁB x2{šw'Ï<YÒèicÁ:v:q1$£Ÿ*…úÅ÷Š~2QŠº©^©.®$Ñœe«Ëçά0MI—‹YÐ&ý ÆEÞ—aV È) ²É$_Ž}mÐ'} 1¸ÍÆÓìf7 Ù /Âyy­òòÀÔå&”è]Íæ¨ÿZ!ˆKþô9ǺR±0±H{ó¦
+uØéîžžõ@,–ψ`ÒDàŒá_&Œ+,;Ù´Þ=4‹ø8w¼¡Ž8S¼ËVõr³ZÖ{Å׶^VÛ}Ñ_¯¶ëMýúQýåC 4Kœ¡Çà¿]?Dœ€¤)5t÷âÄ€l[¨f9Jì zkõ”ýÄ ¯endstream
+endobj
+2725 0 obj <<
+/Type /Page
+/Contents 2726 0 R
+/Resources 2724 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 2710 0 R
+>> endobj
+2727 0 obj <<
+/D [2725 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+2728 0 obj <<
+/D [2725 0 R /XYZ 56.6929 752.4085 null]
+>> endobj
+2724 0 obj <<
+/Font << /F37 1026 0 R /F21 938 0 R /F22 961 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-1608 0 obj
-[706 0 R /Fit]
+2053 0 obj
+[930 0 R /Fit]
endobj
-1464 0 obj
-[706 0 R /Fit]
+1887 0 obj
+[930 0 R /Fit]
endobj
-1212 0 obj
-[706 0 R /Fit]
+1590 0 obj
+[930 0 R /Fit]
endobj
-2149 0 obj <<
+2729 0 obj <<
/Type /Encoding
/Differences [ 0 /.notdef 1/dotaccent/fi/fl/fraction/hungarumlaut/Lslash/lslash/ogonek/ring 10/.notdef 11/breve/minus 13/.notdef 14/Zcaron/zcaron/caron/dotlessi/dotlessj/ff/ffi/ffl/notequal/infinity/lessequal/greaterequal/partialdiff/summation/product/pi/grave/quotesingle/space/exclam/quotedbl/numbersign/dollar/percent/ampersand/quoteright/parenleft/parenright/asterisk/plus/comma/hyphen/period/slash/zero/one/two/three/four/five/six/seven/eight/nine/colon/semicolon/less/equal/greater/question/at/A/B/C/D/E/F/G/H/I/J/K/L/M/N/O/P/Q/R/S/T/U/V/W/X/Y/Z/bracketleft/backslash/bracketright/asciicircum/underscore/quoteleft/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/braceleft/bar/braceright/asciitilde 127/.notdef 128/Euro/integral/quotesinglbase/florin/quotedblbase/ellipsis/dagger/daggerdbl/circumflex/perthousand/Scaron/guilsinglleft/OE/Omega/radical/approxequal 144/.notdef 147/quotedblleft/quotedblright/bullet/endash/emdash/tilde/trademark/scaron/guilsinglright/oe/Delta/lozenge/Ydieresis 160/.notdef 161/exclamdown/cent/sterling/currency/yen/brokenbar/section/dieresis/copyright/ordfeminine/guillemotleft/logicalnot/hyphen/registered/macron/degree/plusminus/twosuperior/threesuperior/acute/mu/paragraph/periodcentered/cedilla/onesuperior/ordmasculine/guillemotright/onequarter/onehalf/threequarters/questiondown/Agrave/Aacute/Acircumflex/Atilde/Adieresis/Aring/AE/Ccedilla/Egrave/Eacute/Ecircumflex/Edieresis/Igrave/Iacute/Icircumflex/Idieresis/Eth/Ntilde/Ograve/Oacute/Ocircumflex/Otilde/Odieresis/multiply/Oslash/Ugrave/Uacute/Ucircumflex/Udieresis/Yacute/Thorn/germandbls/agrave/aacute/acircumflex/atilde/adieresis/aring/ae/ccedilla/egrave/eacute/ecircumflex/edieresis/igrave/iacute/icircumflex/idieresis/eth/ntilde/ograve/oacute/ocircumflex/otilde/odieresis/divide/oslash/ugrave/uacute/ucircumflex/udieresis/yacute/thorn/ydieresis]
>> endobj
-1650 0 obj <<
+2085 0 obj <<
/Length1 1628
/Length2 8040
/Length3 532
@@ -10545,7 +13208,7 @@ endobj
stream
xÚíte\Ôí¶6Ò ˆtÃÐÝÝÝÝ¡Ä0 00Ì ÝÝÝÝ’‚R"‚´t ÒÈ‹>ïÞûüž³?³?½¿w¾Ìÿ^×Z׺î7¶‡Œ5Ü
¬‡¹rðpr‹ t´P(ÐWç…C­fL9g0ЇÉ]Á¢
-Äü{fXE
+Äü{fXE
0Üú÷äè¹aÖÃöOÃoäæìüØã?ûÿxýœÿŒ=ì a.ÌÁAb¡ö™9Y® Ä£ò/z{xÂœ*Þè—ÖÁ»2#×Dj,ïêÃ8›ÇEµyÍî;Ýoª²n öA™ºÓÁß‹(üèX>ã.3v±ms™W`gÅúϨ¯"›
rn­êèš—ß¡RŽwð9£_²Ò¹Ð_8=óe4%v>oFÀk(Ù?`LÙ½¼`êú4ð±ûåÃ&9[~ƒ˜;26cLà«|r)Sƒj…×Íl(ßÛ
b¬Å7ÎßÊçÏVð™h9Žù,¢I‚°RÊ• e®äß·RÆ%=²ìÙ êt›œ(†Ì%³LÇî)®Ž>1Ù¥‘„µ…^Ñ2¼éˆO£Ý %õ‰>•pjÕr{2–ÂwÍ<–g¬™-j—!3cäáakIè,AŒ$ÁLˆÇÆ‹J¯³nöùU»Ïm›Þ‰D3
@@ -10568,35 +13231,35 @@ $OíœàÅ€DÈ
t‡Í=žÝbóÆÃwî6ß"£“˵?”JËOP2RÐ oQo+†â1)©w†¦ÜèådîI½ÈZ¿VÍ­(e÷åû È"QÔüFØs(úF$'‘qL ®/¶!õÔ ¤HvkÖ‰Œh¼È‰¬ê؉á¶o?Ùa:Šÿ±qêcŒ° gã!_QÇ~ÏWê¡1üaœ¯UÝGmã§Yñmn%ìRãr9÷¬ß0qˆ5†/‚E…(êÚ“†,W‚˜$Ù½ï¶åçLxËÎÔ|ú奕£w†Z|ÂV€ãž÷,éOd
ÞyŠGÝ ŽÎ¨Ý3lÍ4©¿Î\×T2Zª½Ag—.7Ù#ÏPæï™v¼eŦQLÞ»±Oþ¼Ô\’ ¬ÿĵJÅñ¾(š3Ç].Å*,MÎ>ÛBx(ÃSÃó|D³uû‚Þ¡ï†{:Ò‘Á¨2G9¡Cê{É•<|?ÒK áéá@F)Ø,êw÷ó?È ¸¢Ëa„Çh%Ù±o^Œñ{‹6™Ý @¥-«ä%Å~jÉwXjz1îi´·î¬%uÕ3^¿±g¸`d+ÎK[ŽDe—„]âò†YèÖýÇ?Ï>£³HjË,èkѸÍhÔ8Š” ™v_Å [ªJÖ®²9m=·âú?\‹k>¼à¬‡¤*³Ñ³ž,Y ê<‹ý¹uÓ Z/ZV$S·é#ƒmNOš¨5M@¿§rãÝ0Hõ7¬&7[àçŽAØñêOõƧÈêÚ5±pE6~d»Ž^.x¨T1¬µ¤$£Í7¿ÿ4òÆêüj§‹G1¬èípoóÌ3³QýÐZ:œNÍÆéç,0½‹Š‡Zg‹ðâ£à)‹Q©¯³‹X""œÛÆ0ÏÁ¾äBvFA‚)Y9(ÎYÖý…ì¬S…|¸Ôü¾“qbæÇN.LÔX§…_ï‚¿œ%%½¥åŒìé|°D>W²7}C–Í#—ZR¸­$º`bÛGο…a¿9gÝS%\”Á/œîñhC|?s§ Ø…šg¯ÎÙÈ)ª¬m}ÐvÖËk†Ÿ.bÉ&O
üõí+uqfº`Îa‡„°£â,I§ã¯½/‘˜÷ÇÝ›Á¤'P6ߢH‚Ú?÷›½šÙ¹˜Žà9¦ŠmHr7:pMRYŸ#£ 'æW¥¿ðKCß|-¡mWÝ躖nᲶË0–«ÞÐ3äÛÙ=j’¸Ë-,n–³e±€¢üb½iÙ;‘˜Hâ°l<)žL.ßÐYÖÿ°Ú·)wL=(‚Œ£± L|)=å'ÀÆ-Å@²öò¾µ<ÃNrä³6îµEôʃ3±d¶kÓ»¬ÿ‹%ôµøü·(kD~ô(¬_yñ‡Í; ¯åä²fùOî{&*‰äyÒ¯9ÛB±T¨d>è.<Sâ¢éX3p7«Á~ª"럽Ÿ“lË´ÍÔDQÿfŒ°Ì
-*s"}Y ;Ò‰¢ú{YÌÝÇí]p¶Òݯ€Ž¶Xo³êÙ}
+*s"}Y ;Ò‰¢ú{YÌÝÇí]p¶Òݯ€Ž¶Xo³êÙ}
endobj
-1651 0 obj <<
+2086 0 obj <<
/Type /Font
/Subtype /Type1
-/Encoding 2149 0 R
+/Encoding 2729 0 R
/FirstChar 67
/LastChar 85
-/Widths 2150 0 R
-/BaseFont /MOWKTY+URWPalladioL-Bold-Slant_167
-/FontDescriptor 1649 0 R
+/Widths 2730 0 R
+/BaseFont /ZZAPBD+URWPalladioL-Bold-Slant_167
+/FontDescriptor 2084 0 R
>> endobj
-1649 0 obj <<
+2084 0 obj <<
/Ascent 708
/CapHeight 672
/Descent -266
-/FontName /MOWKTY+URWPalladioL-Bold-Slant_167
+/FontName /ZZAPBD+URWPalladioL-Bold-Slant_167
/ItalicAngle -9
/StemV 123
/XHeight 471
/FontBBox [-152 -301 1000 935]
/Flags 4
/CharSet (/C/D/E/H/I/O/R/S/T/U)
-/FontFile 1650 0 R
+/FontFile 2085 0 R
>> endobj
-2150 0 obj
+2730 0 obj
[722 833 611 0 0 833 389 0 0 0 0 0 833 0 0 722 611 667 778 ]
endobj
-1627 0 obj <<
+2066 0 obj <<
/Length1 1630
/Length2 6133
/Length3 532
@@ -10608,53 +13271,58 @@ xÚíVuTÔí¶VA!¤†n†n”.IéΆ˜f(‘N)én$†FJ Á!¤[:%•$.úÝï|g}÷üuÏùë®;kͬ߻Ÿ½Ÿýìø½
Òy¦§aáèha …«pJí•Ž H
±@Bá0Y $D¤±ÉB¬@¼¼ 
µµC‚XnxXÙÙ9þ²ürYzý‰ÜD" ¶0Ó̓;Äîì!o(þ×ZiÙ@! u %5‹‚šHƒ¸Þ¡áf鵩@­ 0„dw9þq
-³rt³þ%àÆnÿ-ÈÙ~ãátƒÝiÀH„•+Ô ºÉª!+ÿ‡N¤òWnôÁmn<­áVn¿JúÝÐÜ H ( BB<‘¿rYB@ÖP„³£…×Mî2gWèon(Ìö/ Wˆ­…«µ#¸¡¹áþÕ¿êýSõÎÎŽ^¿£á¿½þ¡ŠD@m¸
-ÿóü{é!Oˆ`zn%lŸš‘†¬"Ïéé—5úÐÁƒÑâ\\£ý:ß¿Þî—¾(Rf~QÂU;(zÕä5¾í|¹ªÌ¶ÖÛAæÈÜž ÙË£ò¡g}ŸO4ÏôNˆ}-lZŒŸöU/Ê{LeÓP[wm©_ó™iÑÅ=àà;>WìýSVz÷|R†g_«”·¯´ÖÞ"®*ØþÊ”°yzÂÜÕ÷±§»ýðîûUJöìW8Œbî˜øL‘þ.Ù”O uJåÊߪݎË;BbubÁï<_^Ë¿Å`i¢KÙÅy¨yc@–‰Ÿ'\;ø$·®Q;S-”âs/, 9D¦Ô#,9ƦïKv²±SÐúê¿»èçö‰%…÷²õ-âÁ]3ëãÝ“±Ñ][™CæºÊlëŠÑLü‹¦ëÀ¢€5‘ؽrô›ìç3üÜ°˜üDÑSjÛðôä)Wï8Ž*öÜŸèž“3@'}~+ÏÝ6‘žˆ•Ø\Žpµ<züuÚ>AbåPóبLbZ÷a3ÒYÍEœVÁ= ¾‹­{·^®2<¿}5aq€©ÿ_5¹Ûðòµ÷>›À¥´ê$C}ÀXŠ¹­œÕ÷ji—û­€G‡/§Œdû-!j¹;Ë6#ÔÜŠ.Oé­×ôÎc´¼$z¾I(ñØÇ/ Wj®½"¹ßKÒÿ¾ð{Lš¿ÞH¥hԻí:iÓFRF<g] Û39}—ÞÞF™8|à0­‰å
-b݇a›yKÜ£%t×TcaÖËF˨?B:äÐ 3ÚZP ‚ÌÆŠ} fñφôˆƒTU‡J鉽žj:»«Ï‹ºôN)/ÂÕ äE½¬^gº‹ ^/«k¯&6Ö7%³"”-ήQËòÍ“ ñÆ‘r¾“'#
-ñÀèHvo»Vüy½¼Òç³³”ÎjÁÕŸ,_Âh^§–p³/â#Ó„HÊÀç„»ûÄŒ[‡¤Ê»B8Ò¬’%PË ™#¹&}Ô7uo(à–îu•úµÒ95ÀŒ¾?ËêcÕ8—ÄñâθÑ,™ê:f”†.‡Ðà¡ÝõÁ41hÀ›3):«;Ícƒ·ú‘¶Þ,èðY½:Nç5u…QEð ‰rŸ–²ÌûŠ!&.ÜYâü×É ú;á$¤`×yme~b©@{•3*¹
-·³®pBk¾j0ĵ¹Žjœßç]ZÙŸB dŠÌÓš­U•
-ÂIÛ9ä‚·œãƒÂè©õß½n^(Á•Ýh´7C¶¦2„K~V')Ïï±^š}zTÉúÔu?£F-!z_‚¬šÉÉ/U‚og4²Š’.§N™EhôáÍÎËåÔŒL^ѽð¹œfCÛïPI†^ÔLʸðˆ§/çÓö±’¾¿Ÿ\S ³©»ï™ή0‰Ú·˜O%”çp×ù1ÔA?P(åÞ.¤gÔ>
-ó¥ªÕl^Œ¨­Ý)e»ò3Pp[´dbõ¬ðVŠÿÒ³Ü4Å+β&VÊBÔ eŒCuOé‚¿# U9fiêCl·\r«ÒzÃÐWü®6êb1~i“EÉ5ÚÒ A¦¹§üÑœNƒÇ=< l””íyIæj%‡¨äÄiñ(<ÈO› õ;Zõ}¾TªL’[î^åÛA€Z…êþHKJühØûñœq/fóÄf¢8³?€æ¢%K]TkcÑøKEÄL1‡•·FÆîšÃºåØ KCÂCkÇxG®ï[v“
-‰ÌÙd%JWܽóµÈT¿È$ÿ$H~@²&jM¤Iòüé.‡¿÷ywúÜB½ÐÛŠFög„”p¾áÚÀ7sº‰&RDî(ŠpÅ3¯ƒgƒL«Œ˜–)\°¯b„îeý¡u1ì9ÔaºÔ0•i l]˜dÞÊNºwÚøw T甼T ­31&Óãâå"q è{•tjIõOÙ#u‰Uð¤û/qA©SˆËÕ[7Š·oÑ4Ʀ^žÔ™Q™¦¤îŠ»Lzò9QT1q†}«caK"ªQv[‘,P.£d¡ù:üœFª±î¤R=éY@A
-‡¶úL9’00#†ô}à…Ú¬ëè¾>€à)…fbˆû†7sÓ¿×ÄÅ}ä׊³ÒgÍ¿?FІæIP›˜ké÷2è´à2|Ö§™¥£[¶WBMåtè³<èù:28¢Ä;Xf1S§³EŠ&´×å0Ä0d—5ŤÐ4|ylæ©@Är˜léË@È}±}µ\"òSÐd5ŒÓkùp ü3ʇÏÎ
-+˜^h€&9I‰òÝ3¥–\—qaâ)&J™NBb0šNí`Ò.'39ë4^€îg(}*v–õ
-d ¯òˆ¦:ôw
-ýL¡T÷Æ{ši®G3È¥ã"y+â3’§[cͽ<å†Q@òæì+}·÷¼Íñ0þ’Dâ%ßéfL¹7®‡SìD nŸe‹ïãF cé¯ÿäφ=jýúÑ…fìÁµAÌ^He±œÆÌ€PP‹@Sò˜ÈÈ5D7Âþ˃¯íãìoÎ64ÒŽY›]l_o%а¤ÒÉSŽšŒæ©óAüŸhöUù»ÐyèvíS¬ÐD=ËOÃxýa“²I;ÊÃÖ‰do“LÈÁd<±~ŒÞg®¨ÙÏØÃîpðzÕ±5õ*¨2Ò1·2BÏ`«ùñG8nå^{bh…Þƒ1K÷©éVZ˜gí"2eF˜ˆA4”ÈTøxzrA¤ÚØ?ß]íÝÇKÚ
-ö”bÇЃ 9µ³+&ì“[8Y)
- ‘x£´J60>y®ê$´7An¦“_ƒúµZ³+i5ºÅ‡Á) ¿{iR`FªFý“Sð™ñå»ÿa%€ðeå÷uì†Ò*ড়ÅÊÎ9 |ÀÑå|,´­Hƒèn_ÙË%i·˜³¼Ã'µ+c% ü麖‘Ý@;¶zu@ Ëf#[2aPàØÄë üSÑò“ëùIý1›„túÉb¯Mˆ·gÃÞç+kÚ:ÙîSRc;¦ EKZªâ¤ØjU¡ª†z­iRûRž2ã ­¾~æ9 ¶hKI<üORdÑ*ãAŸYëêà“ºñp0Ÿéj<°÷8KgQ»$`¹dÌù4à|ÐÈ¥ñ„î±ÃäÂñœð*S
-(Z¢`‘®~VpùEaAzy÷UwJ­s÷Œ?´½‹š|: }ÒH»a‚º¾g)o}³=‹rrµM3v-ï€Ä@ Ùì'pÅXßÒ–×
-ÕB¾ª\h~8©$‰¼¼·ý˜7!g;É¥ƒ\®cf>}7›ùâžÐÙZسãÁÖ–Ü^-Už&(
-ÖËÓ»ÜIFÙØS­˜õOV_ºhýÐn-®
-X{$¢½‰¼û£@–rlZ™âɞˊ1o(­¶¨mèö¡Ðé»÷ÝõäIŒ]Œ_-ô‹ ¸Þû ò'zŸT¶n76Gت–·& úìIĆ‹7ÎÔ‰‰f¾<B‡›&ª½úŒ×ž´)„Æc+¤ œ?µÆ(_¹à™ñ0áNZ¬/ˆ_c24íŒË¢—'{.ö¥dÖî§Çz̓¯ÛKÃ{u`‡:s±¹ Á<º'—0— HMq±LåRnC@x›ôs̈W6ß>uä3¾õˆ;)EO4,Źk&l‰#õŽ¾„˜¬Ù¶³ ½höâiF] ‹œx'´ÅfÊb\ñê{Ý?¬¹¶=ê3¤XTÕW©*®§‰\Ee¶©x‘@†Dz:ƒ!¡X¾ÂK ”G½èß>c{BŒÍCŒ±¹0šUÕ¼ƒ¿ªÝ•5xfœéÉU“Nhèòã»Z–$8û훎·òБÞåú¸;ß¾2~%~QÍ÷*|6οÀ.©ó¶H&l]ážçµÐ[èù%¥κƬ!ÙrOxÆ!.B˜“zuW,Ôêr‹9å™ÊT°CHÖ‘_e‘‰ÿð:û5r€û3.ñ4v—W”ò]ª[)ïó–äÙÀ—݈H¾ÌûùSŽ¸+¹ºfS4çHõ¿ÞzyàÂ*/ç%Šâ׻͠Ï8ôæãmº'7…\ì°Å÷K)8ÐÁ@£bÅî\ç±ÄÝÊ‚×[g“©»5é«ÅÖ¡’'¯ÔíÌ¥ºégˆ<‚â¢Ï8TŠqùœ_U å=¢¦#fœÞ*ª6í¶²*æ›\oi›–•`ûlj[ÛW*ˆ»ºœ2Ž(ËtŒp{ˆ¥6Í]š†}„¯>{?'CÆà§5zíEëÝÚÓÞ&vø¾öŠ ÷dYcØL‰8àÇÉu°à•GËÝšÎñtûëV²­ˆ’eÓëû­&KÅàჃ‘oS*.m•»8ÕîŒWQì3ÊDÌûj OpHY²ï®f>×¼ù‰_ôŸö‘Ƥ‰´»ø|EÀ’=PzêîXDƒ%½+C£ˆ1_ù¶‡=AýYœ:&Aaú;æ¬U¾öÝ*“ÍXJ·=à²ùˆ1¦¬ý<ð»©,|# O'Cƒµë“M]í¼æf°ºÜS4‡AÇ÷Mj€“Ò·ÐökxõÊáž™ËG‡ÞÕéú,óÔ92‚¬ ߸gp0o9)ÁM£«&ChVF=Vv¯ñõ­Åž¡üÜÈT·Žïvä(Ê´ãé¿7jzä­ ¾¹Â6]E³ÚŸÉÞeIGOIùç…&˜+ÊZ Sl©
-Í`ƒ©c½G¯Lsé:JθÿÍàÿ þOX9B,\‘p' WÀãÉy¥endstream
+³rt³þ%àÆnÿ-ÈÙ~ãátƒÝiÀH„•+Ô ºÉª!+ÿ‡N¤òWnôÁmn<­áVn¿JúÝÐÜ H ( BB<‘¿rYB@ÖP„³£…×Mî2gWèon(Ìö/ Wˆ­…«µ#¸¡¹áþÕ¿êýSõÎÎŽ^¿£á¿½þ¡ŠD@m¸
+šÚ²2ìÿúvýí«q³Hm/gè¿é©Â­ÿqøÅ$- ÷ysòqƒ8ùnäðp ñDø|þEÖßD<U-®PO777èæ÷Ïï_'“¿ÑÈÁ¬àÖ¿öF i³¾Yµ~ÁVn®®7þýößþçù÷ÒC ž+ÀôÜJ,Ø>5# YEžÓÓ/kô¡ƒ£'ŸFûu¾¼Ý/5|Q¤Ìü¢2„«vPôªÉk|ÛùrU™m­·ƒÌ‘¹=²—GåCÏú>ŸhžéûZ Ø´?í«^”÷þ˜Ê¦¡ ·îÚR¿æ3Ó¢‹{ÀÁw|®Øû§¬þôîùþ¤ 'ξV)o_=h!¬½E\U°ý•)aóô„¹«ïcOwûáÝ÷«”ìÙ¯pÅÜ1ñ™"ý]²)Ÿê”Ê•¿U»—w„ÄêÄ‚‡_)x¾¼–‹ À:7ÒD/–²‹óP'òÆ€,? N¸vðIn+\£š}§Z(Åç^XrˆL©GXrŒMß—ìdc§ õÕwÑÏíK
+ïeë[ă»4fÖ)Æ»'c£»¶*2‡Ìu•ÙÖ£™øM×E;
+at
+½’•sJÜkŒ "êC 3ó®cUÉÙ4eHÎH~0+¾÷ì
+£Šà> ä>-e™÷CL\¸³Äù¯“7ôwÂI:HÁ®óÚÊüÄRö*gTréïI(J‹ÕÏÀÒˆª1!øRb’>¹`ÕÕâ13W@‰MÔïÒ335,Gƒ÷î Ã'V? 9ZŽfjW]èUªŠÛ¬[ßÑY@ÞCLAíŸjÙÙ*+òæÅõÁÉÏ5~šj}‰Ûy]ç¼cñvË‹ Bxi9]'±|¤“²w/±2X®‹‚8w^+ÐKºDœ~$ìl‚Ý‚I®J5`žV¯ipw/¢6’
+}ˆçã õF´£ögºts£ng]á„Ö|Õ`ˆksÕ8;¾Ï»´²?…&@È™!*¦54[«*/„“¶sÈo?87Æ…ÑS)ê¿{=ܼP‚+»Ñho†lMe$—ü¬NRž3(Þc½4ûô.¨’õ©ë~FZBô¾Y5““_ªßþÎhd%\N+œ2‹ÐèÛ—ˇ)™¼¢{ás9͆·ß¡’ ½¨™”qá 'N_Φíc%}#0~?3¸¦fSwß2œ]aµo1ŸJ(Ïá®óc¨ƒ~ P ʽ]HϨ}æKU«Ù0¼Q[»SÊvåg à¶"hÉþÄêYá­ÿ/¤g¹iŠWœeM¬”…¨AˇêžÒGªrÌ,ÒÔ‡Øn¹äV¥õ†¡¯ø]mÔÅbüÒ&‹’j´¥‚LsNù£97œ{xØ4()Ûó’:ÍÕJ QɉÓ4âQxŸ6êw´êú|©:T™$·Ü½Ê·ƒ
+Õý‘–”øц1öã9ã^Ìæ‰ÍDqf
+pR°‚šL\(<uØÔûÐéV‘‡ᣩ ež¨ÓE§vìA7nEŸbü­¤6ÌÑ  ä¡ÁDÈ;Cŵ½AŽcήšÏêYcg)äµU4ø&š˜,9D
+V1-S¸`_3ÄÝËú%6BëbØ r¨Ãt©a*Óغ0ɼ•uï´ñï¨Î)y©@[gbL¦Ç)Ä?ÊDâÐ÷*éԒꟲGê«àI÷_â‚R§—«·>noߢiŒ!L½<©35¢$2MIÝw™ôäs¢¨bâ< ûVÇ–DT£ì¶"Y \FÉ…Cóuø9TcÝI¥zÒ³€‚*lõ™s$a`F éúÀ µ (X×Ñ | |
+5ÌÄ÷ o榯‰‹ûȯg¥Ï.š%~2Œþ  Í“ 60×Ò3îeÐiÁeø¬O3KG·l¯„šÊé:ÐgyÐóud6pD‰+v°Ìb¦N f‹Mh¯Ëaˆ>.`È.kŠI¡iøòØ"ÌSˆå0ÙÒ—ûbûj¹D䧠Éj§×òáøg”ŸV0½Ð
+½c–$îSÓ5¬´0ÏÚEdÊŒ0ƒh(‘©ðñôä‚Iµ±¾»Ú» :—2´Ä!<|^Þ‚X2›/¾5obÿd¬ë¥KºÃwƒø‰Õ˜ÞMG0C&ÊØjãž;áÔ+=ÃÜãÍEXr#à]Cg "}Yá¾.¶aýìY³ÆIˆ/^Y»}$oί8 lU†ø„=O'aFX²Åï9hRÔ¤[ÞÞ[ù~ˆ[ró—M~“j…<·ÑVG½‹Xî//¨šá‹ÉVà²hÑi·¢·æÉå6I?,·%F\œÖô™–@êõ~ø†Yý E>eUλGwü^‚}« 2ë$¶Íð‚
+ïcñ•ñZ×™b”[DÌÛ³>Â&Õ—ÂaY Kê{@”¹¸’QeUSæX6»ð¯CvòàªÇ£hœ½a¢ª§é›ßôóƒòêªÎ1‡(‡(-Ô±ßV”ÓyCC..&
+®Æã
+7/ƒ[\ÉcçtFqóÍÍhF4®¾¡õz»Bö¯ ÐØóÜE™Œ® #ôÃëÅš[È
+ŽM®Aµì)ÅŽ¡ArjgWLØ;'·p
+²R
+Øêa³!ß™ŠxW_FÅyë"3Lêû¸Ž>ê‚*8VŠí_ŠÀÊëó<"•{•îÛá[w õ(FïVqQß¼óq–Qõ vÕ’Tw͇\÷Yd›fÜÞ>ÄO¯Þû9÷aZjümµ=!À›œÝ>ÜüïQ3Ù¹åÔ«^ ü9â@"ñF/h•>þl`|ò\ÕIh=n‚ÜL'¿õkµf9VÒjt‹ƒS~÷Ò¤&ÀŒTú'§$à3ã!Ê5vÿÃJ
+ƃ>³ÖÕ;À'uãá`:?Ó+Ôx`ïq–΢vIÀr=
+ȘóiÀù ÿK1â Ýc‡É…ã9áU¦
+ÐíC¡Ówï»ëÉ“º¿Zèp½÷äOô>/¨lÝ4nlŽ°U-oMôÙ“ˆ o:œ©Í|y„7MT{õ ¯=i3RÇVHA9jQ¾rÁ3ãaÂ3œ´X_¿ÆdhÚ—E/Oö\ìKɬÝOõš_·— &†÷ê$ÀuæbsAƒytN.`.šâb™Ê¥܆€ð6é瘯l¾}êÈg|ëwRŠžhXŠs×L84ØGê} 1Y³mgzÑìÅÓŒ$»9ñNh‹Í”ŸâÕ÷ºXsm{Ôg"'H±¨ª®RU\O¹<Š>ÊlSñ"
+ ‰ôt.CB±|…—(z?п)|Æö…›‡8csa4«ªy=~U»+jð*Ì8Ó“«&ÐÐåÇw?´,IpöÛ7oå¡#½Ëõqw¾}eüJü¢šïUølœ]Rçm‘LغÂ=Îk¡·ÐóKJ;œuY8:B.²åžðŒC\„0&õê®X¨ÕåsÊ;2•©`‡¬#¿Ê"ÿÿátökä
+¹Ø+`‹ï—Rp 36‚FŊݹÎ%:b‰»•¯·0Î&SwjÒ V‹­C%#N^©Û™KuÓÏy,ÅEŸq&¨ãò8¿ªÊ{D LGÌ8½UTmÚ5leUÍ?6¹6ÞÒ6!-+ÁöŽ·¶¯T(wu9eQ–éáö:Jmš»4 û_}ö~N†ŒÁOkôÚ‹Ö»µ§½Mìð}íîɲư™qÀ“ë`Á+–»5ãéö×­d[%˦×÷[M–ŠÁÃ#ߦT\Ú*wqªÝ¯¢Øg”‰˜÷Õžà$²dß]Í|®yó9¾è?)ì#IiwñùŠ€%z :õÔÝ3°ˆKzW†Fc¾òm={‚ú³8uL‚ÂôwÌY«|í»U&›±”n{ÀeóbL=Xûy*áwSYø"FžN†j×'›<ºÚyÍ7Ì4`u¹§h‚Žï›Ô
+M0 V”µ@¦ØRšÁSÇ8${^™æÒu”œqÿ›ÀÿüŸ °r„X¸"áN®€ÿjRy—endstream
endobj
-1628 0 obj <<
+2067 0 obj <<
/Type /Font
/Subtype /Type1
-/Encoding 2149 0 R
+/Encoding 2729 0 R
/FirstChar 66
/LastChar 78
-/Widths 2151 0 R
-/BaseFont /JEPNFY+URWPalladioL-BoldItal
-/FontDescriptor 1626 0 R
+/Widths 2731 0 R
+/BaseFont /KGQTDC+URWPalladioL-BoldItal
+/FontDescriptor 2065 0 R
>> endobj
-1626 0 obj <<
+2065 0 obj <<
/Ascent 728
/CapHeight 669
/Descent -256
-/FontName /JEPNFY+URWPalladioL-BoldItal
+/FontName /KGQTDC+URWPalladioL-BoldItal
/ItalicAngle -9.9
/StemV 114
/XHeight 469
/FontBBox [-170 -300 1073 935]
/Flags 4
/CharSet (/B/D/I/N)
-/FontFile 1627 0 R
+/FontFile 2066 0 R
>> endobj
-2151 0 obj
+2731 0 obj
[667 0 778 0 0 0 0 389 0 0 0 0 778 ]
endobj
-1396 0 obj <<
+1450 0 obj <<
/Length1 771
/Length2 1151
/Length3 532
@@ -10662,92 +13330,90 @@ endobj
/Filter /FlateDecode
>>
stream
-xÚíRiTSבª¡¬2©¤j=,Œ‚4ÆPÀ
-l@’QŒÆžÐ$Á”8à¿amêÛT:B¤Q¢€Û¤Lw@‰„qL­0¢¤±WãT7„Òòß5µxV­^-×L”Ÿtê_y¹UëÿbàšT-‰@ŠÃM¥F#oÄIÕj¦f%¤\*DX²Lh9‹³ü Ž¦¡:CI…
-(åê4dG0xªÊ¿IìÐ5Qa῾v2&G12BŸŠ
--A 99>”Aoc%JyŠ :DA3ßÀÞ[>Þ{j[uŽ¸²ã¨µ{Ú|ãá-m綞4z³†z¼® ?F üa¿Õþcô˜]ñpèWlXÉ륟e™2eì­Ýö&['÷ò}²Cñ‰Ó.•¶¶¼§9°ý®yá@jƒÇƒŸ\ŸÞI?g]»êį L¯¾yãå㜔í½f›/a×ÁbZBééU{¨_ï^¿ŒWâæªKsã÷=u|e¦·ÜîJ¹ekJ¥V×>/fqÜuʾv´?e¡9¦D°R&œ9ßóZT™X¼ïãbŒñmj •þ>³¿Ó]Ðïb|·K’—]-‰™w´ÜAQ=Oí\E·DêZÖ5k|± ùuáy)u\Ÿ"(µacmÒØKÆ‹vL’ðüyϳ×zóE¦‹…óñiÑ^ûýÒÝ<†ÜÛ8të«Ÿ™\båª/î’"¿›†VÍ~}YM£R#¸žëtãÈg®f.ížpL³·ìCé:¯M»ãÅ: AìE죾Š‡¿]l6ìç&Äõ$‰¸éq©¦þ|e cMþôScPPå¢Æ™xw¿ÿ\_ÇùÞ³íDñ@µÓ|¡KWx_u6Ë7>¶à˜Ðó@× ïÁ‹#M Ç=äXnž—²“u?bi¦×ïVçBk’ô^5'LßÏY²ŽÈb†ïM9VZ½M£$˜µç¨ î!dU–uö‰¨ñ;e)QjÝB7>]êÞÊX¹æiWö¼"‰EÄúinÁlàøXf:÷Ìšõ<ïøäW]¾‡×¬ÊܵñÁ£›Ël_OÚôu÷ è©âO‹s^oéÖÚØ‹ÛâÌØÝ£ÆÛß÷¢‚þÍgÚk]}b¾ZìÛL¯=ÿËèŠp&×^‘ÉQÇzXö3à¦
-Mv¸ä/Ov3;›¤ŽßJž8c¦¦Tö ’qèå‰Êâ(vÎ@÷Š“ž.äªÑ
-!&[,9¥^j1íöôÑÇÅÎO‰M®†ðëËvÂ~·ÊÃÖ”ûÜé×æ:^.hÿùô2©Rú:N¶'i®2C¯ë˜“ÑØY2Ï®LÀtÛrzMæçÜ/N6YÌ!VKÂào,UmÛ®9^ ‰²Õ@›£:î³#1íyVïf¬¤Ó?Á ‹kGuûjCJz츘ù~¾éŽ[”s‰¸ø•elTí`›eiü!®Ð¡AÑPgØ}¡¢Èö£(u
-5"'H\#'Rh/ÙŒªendstream
+xÚíRiTSבª¡¬2©¤j=,Œy5„„  £ soÈ-ɽôrID¨¤*Ë"6ºd¥Âª"P”Zb^'Ò*Â#,ŸEªVEÀ©¬««ôgûë­wΟ³¿ý½¿óMs‹”1D¶ÆP‚Áar„ P*•pØ€<³Ù-‡å‚¡ArŽ@à´jÀ]Ø|!o…ǧÐ@ –®Ç‘T<é“$>i`QÈQ •*XCÖPÈÕ@†)˜Ð3H­k'od€µpŒg“Âá
+ BÐTÀåy9ŽËõrˆÈˆ²9
+#°zß×Íç×Ò.ýeö`7]0èf|·GR[+‰]p´ÒIQ»@íRCµ†ÚÖµjüÐ …–†5Ni ]\ßNzÓÚÚ”ñ—´_—ì˜ù$éùó¾g¯ ÔÖŠl7+×ã3b=½÷ûgzxÓ;ØTÛ«Ÿ™Üâåª/î"ÿÐ>»U†vÍ¿ýrZƤ Np=ßåÆ‘ÏÜÍ\Ê=á¸foÅ¿¤ë<¿n6íNë¬ñѪþ|±Õ°Ÿ›˜Ð—r&ê¦ç¥ºÆóÕAÎu…3“LÍÁÁÕKšgc½ƒóÝüœúÌu%Z¢€j§ùB®ø¾êlŽob|Ñ1¡×ž>C?”F›šF{-ʳÚ¼ m'ó~Ôòlï_l΅ץ軼ëN˜¾Ÿ·l/•ÃX³7íXmxí6þ‘`Ξ£‚†‡›Šœ³ODÍß)ËñbPï¾ñérz;mýåºG„Cqäóª&例 ÅQËññìLî™Öó|S_õø^{°&{×Æn®\´}=Eh7Ð;( ¦‹?-Í{½e´7Dkç(nîH0£woß7Ÿ=è¨u÷ûj©_+µþüÆV­ap•QÙlu¼g‘õÀ j©ÒԹРË¥
+©Rú:A¶'e¾2K¯ëš—ÕÜ]¶À¡BÈðØrú£ìϹ_œ24m²š‡¯–DBßX«:¶]s¾c¯álŽè¸ÏŽÄuؼ›[F¥~‚–ÖéöÕ‡–Yú츘ý~¡éŽGŒk™¸ô•u|LýP‡uyâ!®Ð©IÑÔ`Ø}¡ªÄþÃu ^U h¿•¼9lXZßx|—ÝvÎAUNI÷Ü–Y wlúÑåѲLYå—ëüÎñ 2cÎóúýç|뾸XE@ɹ'†ŠÅ5RïŠ{Csžù÷ôŽmÐè’DZgŒE…Ï-ª¾ÓÞ%’áË]¢›m»iuÝêæš²ÂÝÒ¹µNëß q8ÔqYxÕÁwWGIï“öqê2âÅ«„“Ë]¾Ö§s‚z CZ#² ôp+d¿º¯É©ÝŸ™Ÿ/* è¾¾sD•ÜØy­<ÿ'4ZÖHh¯Þ7‡ÏòkŸ…/Ø̺÷Á•øO¿I©áŽ·&]íý|tÍþ s‹žTÌ«zxóÌždE*¨¦Ö °ÿæ¢ü¿ÀÿD…–㦑ãi”ß
endobj
-1397 0 obj <<
+1451 0 obj <<
/Type /Font
/Subtype /Type1
-/Encoding 2152 0 R
+/Encoding 2732 0 R
/FirstChar 60
/LastChar 62
-/Widths 2153 0 R
-/BaseFont /KOVPQI+CMMI10
-/FontDescriptor 1395 0 R
+/Widths 2733 0 R
+/BaseFont /LJYLGY+CMMI10
+/FontDescriptor 1449 0 R
>> endobj
-1395 0 obj <<
+1449 0 obj <<
/Ascent 694
/CapHeight 683
/Descent -194
-/FontName /KOVPQI+CMMI10
+/FontName /LJYLGY+CMMI10
/ItalicAngle -14.04
/StemV 72
/XHeight 431
/FontBBox [-32 -250 1048 750]
/Flags 4
/CharSet (/less/greater)
-/FontFile 1396 0 R
+/FontFile 1450 0 R
>> endobj
-2153 0 obj
+2733 0 obj
[778 0 778 ]
endobj
-2152 0 obj <<
+2732 0 obj <<
/Type /Encoding
/Differences [ 0 /.notdef 60/less 61/.notdef 62/greater 63/.notdef]
>> endobj
-1136 0 obj <<
+1439 0 obj <<
/Length1 1199
/Length2 2269
/Length3 544
-/Length 3059
+/Length 3058
/Filter /FlateDecode
>>
stream
-xÚíWi<”k2ed‰,ñe„1c§ìcë„ÑØ©Œ™gÆ0f˜Å¾E'[YJ$KŽl•¢Å’h1Ed ¥¢$J–,Ñ©÷Q§zOoßÞoïï}žÏ}_ÿëú_×õ¿¯ûã(‡Å©›é> ÆRG#Q†€=%À‡ÍÄái{Ô÷‚d¶- O @WTt¢°¨à/] ЂâY: ƒgA>N¾lÀÏ
-…Pkï÷Õ>èp‰t5쇻=>
-5ìq?;º‚_/Äßt?Ã_ÙÍhd*¨£5¿)L+J(HÄRX߯³óMnâ—
-béLÊÚ‡BtÐ?aN¾‚? d2¡Cù4âOI-i:‘B#84¢xñ»a &° H§/'Å~Û“(P‰ 
-àƒýtÂÎC~5‡–/˜I…¨¿| Õªë¼ø™-« O¡r!¹[ì%üÏIi.ègåc°÷}«=×Û­çJL—²LÑ ñ70oDnIæ¶I’|ƒ¼´ËÞpóÌ&D×,ªU2ã¨DNÁk‹°;6ïä*Ý-:„q‰tјm˯&‚`R2ÅU¼ý*b+qÓ6ÔhGCX/§ ƒò‹;œÃ·ûFÝÃÊ»=øêÞ,‰T5
-{÷õß2ç׉éM´†³jf|¤ÜÏé6uÜÐ\ñ-¯'­\àëìÖÚ8¬ÖyÉ‘ò.®É\õäÖ ìWo$âÝVÈ·”D•—L7—=)ì¨UQD¿T’y´Ú|¸™_x°±™G:PýÏ×¹Iض&.›Gatv™­˜ç 5q9çÏz•8%ó>§
-‘;xè)Ot²òœ.W»âTq꣉ë›t-—<êùŠúï¶:ó”˜
-ô§ÇãÕüž­è ÏÝ?\†ã Šdÿöbãy­<Iëtp’>p6يꃺŸµ^„ó>k~xˆ÷áý7 ˆ¡îd™áU9·#>èN[i!Óœ\ÒŽ#ì¸Ú_ºY¹[bÄȱh¡Ùópû‡uf¥!y,íײü$¹2@5âv¿ÌFùý!ÞAɦü¿í 1uQM¦Ï³lÚÅ7^Ñ)F”\³}n í¸òÒl¾x5•¸°:¶ßK¨ÈÜ°«')B2¾º€&¢ ¼»Ü-ã½ûø–ïÎŒ#¤ñLTß>á°çU׊3¼pUÉž-µtÜÍãÒ1wÊ„$NîâȾ¶nb¬Ï‹ƒQŒÛÛ.õÆGyá1êácN&Æ·[m»ù÷\kñQï ±KG)ð»ÕòêBÒ¼„ŽâfomëæÁuõ‹‹C 5@eÂ}–Kðr¨V»ÛzŸÈ€þ¦@“»›V[&Ó,l9½CÕó¨ÁÊËØ©ù[Ï›è>=00æd ™xr%=ö¿”þgc%|»ô+i›™ZÑÑëÈfº  Ùe>snùIdSWª,1ø#ïãgýí'>Ö³çZ2Ì¢ßË w=že¬h”…:ª~ò¦¥{OÌ x\´`ëýö˜Û|çI·»F(ÿsð´Ƕmí×·ô¼Tui-wx€R™ë2f~”_N=olß~šøŽÜà¡Ü±ò®4
-J¾ö9¨´g›ÙÕiu^™7ùKýئ ¨Ùµ.NnvÍ<jAœ.zP¼OÃÅN oéòä¼ðùDÔ<ù•óJ±²$çqn÷Û*hz¹®gec*‘݈蠆ⲨîƒÎ>œã–QçØ5ž>Ìéa¤§n=*«‘j•,LÖ
-­,z}áºÃ)ë‹Yé·>V;§Ç(Š%Ž^}r:nk_Ií{ÑÏ9šï®Ð¤;éçDyBÏVìicD½>•ÚÃïÙÏÁ¿Š)¿§­;)h 3™,lâKâÞ‘ÏlãÝ j)’2$N%:J&ÿ>ó¶À‚[°Y¼3¾ÇºáÚÎF`ySWïíþgúcæ¬ø'+ ð3ÞSÌ…þä‚"1®8L†Š>#²:;3Ò.×ábB_µÇ:Ç2?‹±óE1êù¦&4©Ìí"F’Ø}¡áBÝ#
-yX²ÓEÿ­‹Õ[¢Œœ”„n"oɘL3¥d™$Ì
- :–p{&Í>ª?½ÂÍãêTõ qAñ ’ÇsPû%ѾJ¼PlÑ£b{Šê_Ìçϳ[ã8F“V‰§‚+e|‹>Ö«ëñ$÷)Õño†—³7mO/ã­ÅÞKåé+lGý—üÿÿ*ˆg°èx†?<‚2¡ʵ3ø¿
+xÚíWWXSÙ”(AŠô„R‚@
+¨ÔÐ`è ’“ ¤P¤
+‚ÂHSŠ"ˆ¤)Ø¥ˆ`!Š‚Tv,)‚£÷€£ÞñúvßîwÏy8{¯­­õ﵎†*ž gEf€vLGƒDcgZH
+¥AȆdS ƒÒ†Šµem˜!Klø’~8 $AE¡~¥a0ƒÁˆþ%D¡1ÈË푹¡(w-Œ :âþ€Lð6*ÈŒÐúh3´)
+â™lÚÒ‡BŒ0?an4R0d³¡CY†@ù§¤¶ “LcPQ"‹üÝ°“¸,¤ÓòIA±ßöT"F‚$8€IÚ´7¨aoÓüi+Žw ÚÝg¿pU áét¤`›³|ðIEÃ’ÓÜ"þv yïJ§•)YŠ¶é&ÁfÖÍÈÕ’RÉ’‚©
+og6;c×N¬AtO¢Û²È翶‰ºáð^µzÖ[ÃÜæŽ$!…)¿~Þçå«0˜¢ruY­°Ë«m3Ù…Äw.ô8W,¬×‚C%îËÙzåü½Z[}Dο™“ªm–ôï¸f-jß—bç4L(zŸ4Á¶Ü¹¢¿XÕHY8Í -3Új°#tX·ëŒ'"ý}b‹µÎéÓÜ—o䓼öT«µ•ÇV•¿k­|Xr眶æ…¦òýÅÖ}­¢’üæV!è@M¿|ÔXá%ïØž2o‹3Úlµ`Ô'äŸ:áwBþ¨ò‡übX˜²ejQ§]Gf‡:û¢GœýyñÂ~‹kº…=OǽÖ;­Õ˜¾âMS0—ó`“q掘~øR˜¢XrÅíÑ/|-7¢½Õ8gèÌ>Xª(YívÃÙ#­»§ä›÷~‘H÷F׊Vû‰¸Ï&y´%¿½ï»þY1KÀs㛵Æs3ãÍe‡×êÁì/_-CÖ­CŠÔyç¡šI-ýáÄ”’km*xkù1㥦ü‰íb‘GQf·…¨ͬÖð¦pa_ÿ·;§Íõàþ0¶Ó¬vOË?xzÒqǼsåùgÙ/÷Ì< Í|}Ž_Øæ•¥39¶×ïÆ{¨k?ß#¼èrS§J îLý:9ýÍŸý½ ½^[\È+·|Ž–¿ÖõÊnòfá­U²£gíjî¬*¯H<˜ÂY4ý£^Ø1ú
+œ?Ž(àï},—¦5e,Щ1^–q¿XþîÊcÛ9ŸF‘Ò[ûìŽå_µ„;.Ö™þŠ°'¾ÁZíºw·Sö» ;=ŽRÒŸVÉmÒ3—ÐëZìZ]¢¦0¶x€'¡}Õ»^u6‚Wõ×Ó}G¬Œz8ŠfÏâTD³éoN×`'çÓ±9Ͻ´|>ÄQáž_ú1sãwŽú­TÕZ¥gž‹sYgÖ•Š€¿~‰µ»Ìüp"ͯ\RiàÏ?U†ìMñ lÃåWƒMLKÃ禵dž†oÌõ6°?+ôůFÑÊgq‰¸¢ªÌÁw’¢}ÄVˆy^X§§›¾mNÒ zx ºkwÁÎáJŒ,/•÷ÛóÕ§
+ì³À1æà‰4;z
+(Ë·àGuÿ2Î-X/BMÀHL6Yïv¾wÞª"¢c¸ë²Xn‚@6¨KÞ”Ó¬¶s°:Â?,ÍR4ú·M–:iÌ©2Žƒz§Üª’ FeˆòKÎ OÍPq® /¬¦Ë3DÈ3‹#;ý$J­±Ý½©Ñ
+IuÅ )CàýÙ9˜ð„×7e琉æ {ƒvHF=­½T–íG¨Mó}ÕvŽI¸zH)þF¥äù#›y*¯íÛ$X+ a4óÎŽ3}I±~DœÞî7 óëíŽ=¢Û.µ=ÒëpÊB«—˜?õ:'lH( “ñ4ÖúšÙ·òW4Î΢†f€šäÛðùHƒN¯•1!-¡7×,̶eÚ8òú†ê¦Ñüš³øñ+EÒ§,Œïóó$,|¶¤>>“õgs |ƒÒK%‡‰sf2Ï.#[™"d·õÄÉù‡1--*BäðOÂŒžv~õéÜAg9l.óVþnÏC¹æ[rÑÔw¹jëÝÏ—«…›€6\“ßZo:âus :xð$<3ßµãSGçåu½ïù:íU.wÑZRSÝæìOjó§Ì-“:‘?Àñâ«|´î,¼¯Aµ •¬ha%™ Ù½-ùüÑöYFaòÕâÃÜ€;A¥°J@K^c‹T–S&•¨±¾+íàÀŒy÷€Û˜jS!æÙ=ÉKC~*)‘“ÚÒ{ô†x VnW¿h©¡…wð¹¢E]„d¿yçÆgêÊé'mÓT"p«³¶kÖl­À.ª´D”½l\…ÈWâíÉäÙßÏ'Œ>m9®I<¦Ü6 ë:©èöé™A¥Þ±¬#ÙòÈG›p
+-ô³:Ë5ŽÈ¨¾ÍÐ|RO8þåâ=çç"nT.B(p?
+óÜ~•/²ß²w×cÁ{n4 e²~וŽC³ÀÝs™y{]?ÄímBH8ßBìð/͹˜°à:ÈõWÎt7|.èzýø½&ÞêùŠôTÕä]êÁFσºvh_L¨ã#o$uÁœGIÕsÂO¦Æ}rÑæ:–øÖ–Ǽè1œ5݉¶y>j± 9é^tû¦ÔxÑœÒÐ]Þ&«gæaÉÆõi»ª5Znú2ì*ÎVÍ7%G¸ˆxÛ‡‡{>‡·‹+<W
+Ø£¹m½ÕÅ+™çýr®ŠVq‹-A«Kݼ‚¼†iôŒSf\?ÊÃI“hëñð”佩ô4õ¥ûBòÁÊT÷QAïëÚ£FÕî'•#Ú1=6ˆ¸°¦²ÊØž=îÝÄçÑ'¹ ßËïeeeHPAeØ禩„S "k*¾@¸ñpúÊ2NÖkŸêܳâ5dSž]|x,Qº¿üÜ™/ùúï/0”º˜'e„"OToë`ž>šÑ+êÛCÌ'¾Œ‹¨ºeh<&n¦?–&iá’@–ÜXÄîÞ—h+UÄ’ÇS\Ò~Ÿx[l#(Þ*וÔkßtéÁAl~Mwß• ÁÇâ§ìDǪ]‹‰þã]ì™´âRYD\¶¶)+¦./'Æ©À¥>¹¿Îg…keÍÈÆéÒx½"K †b΄a)+Uö¶Äp‰ñáGê…xª[½zp‰ôlݺØ-nZw#×P×eeZÒr-’§ö…]Ë}S'ï7[òt«ýŒ8­ñ)äË7|Av®•+‘õ©Þ®óûéÓ¼öCÞ–1»”£á5Êd˜œïõ¥ökž/5_ ¯â®ÙU)|kP5C¨¿¤Sý_>ðÿüOè ‘Åa†YÁðhȆ~(—þÍàÿ;@µendstream
endobj
-1137 0 obj <<
+1440 0 obj <<
/Type /Font
/Subtype /Type1
-/Encoding 2149 0 R
+/Encoding 2729 0 R
/FirstChar 97
/LastChar 110
-/Widths 2154 0 R
-/BaseFont /KLAGHD+NimbusSanL-ReguItal
-/FontDescriptor 1135 0 R
+/Widths 2734 0 R
+/BaseFont /NQJRHU+NimbusSanL-ReguItal
+/FontDescriptor 1438 0 R
>> endobj
-1135 0 obj <<
+1438 0 obj <<
/Ascent 712
/CapHeight 712
/Descent -213
-/FontName /KLAGHD+NimbusSanL-ReguItal
+/FontName /NQJRHU+NimbusSanL-ReguItal
/ItalicAngle -12
/StemV 88
/XHeight 523
/FontBBox [-178 -284 1108 953]
/Flags 4
/CharSet (/a/c/n)
-/FontFile 1136 0 R
+/FontFile 1439 0 R
>> endobj
-2154 0 obj
+2734 0 obj
[556 0 500 0 0 0 0 0 0 0 0 0 0 556 ]
endobj
-1064 0 obj <<
+1363 0 obj <<
/Length1 1608
/Length2 7939
/Length3 532
@@ -10758,394 +13424,391 @@ stream
xÚívgPTݶ-HPPÉ™&çÐÉ™–œƒº–††î&K(HÎQÉH ’sÎ 9#$ˆ€øÐïžsn}ïüº÷üzõvÕ®ÚkιÆsŽ¹VmVF-]^Yª„p@óùž4`ö–Î(]°ƒ¯ÜEXYå‘P0†pP
G8ÚCзÿãºP(
²BÂÑ€Û¬Z
-JñDÛ‚Ñ¿s£`·n
-÷ßoÓ?QZ·ª£õÜo‰ýWêÈ?¿1ään
-uƒZ|™BX‰¼LLIB—Qdt (<okbu:æ}Ò{ŸíûÑ쓼,Vôâº4¯rèéMûäŽãÏõg\=-äpöæxèA­3gkö£¶Qî ~ó<¤]ÃpÏà µ%l“Ç+Ú:æ¹×w醄x‡ß9}™]²}IYΉ¼­*"ÉVb—åìì²Å|ý~ÎÞÑÛÝÕÙ|ŒÓºNÉÏ*î‚MÈæë”N#m¢_äa™ ŒéøÛÔªÏ!´0sL^µ$0ÙÂÿTh5ë¹[­Fúù{ª\™ÏíßÉúÐâ¦Ùé%üföC ~–fí*!Î:‰EvýÔzð­´÷Û6гßÕ•Ü 곺£Âgü«e‰;}ƒv©b]ùßÖÒï6”‡ùÚ}sø.Gj¢T«$Kñ£•I âQ–®‹Â~ÒìEÛ1w.ì*Çbr|¬½}$oÖ‡·Gs]> Ã?V1ñŸx£+w¿³^õ9’e‡Ð†ŠÚ¥ÍäÊu””7œœ¸äN­Ñ÷ˆ¨/ùŠõ.‹ú…'Ð)á0äPùÝÚ…ke
-¸éÛR§ö
-]8sô&sß±­|*åŸî#>cÕ¯‡‹úœ‚ œEëÑymeê÷AÆ€>8m„ 1œ4¬jõõr¦XÜâd8„²³¤¿V>M¼çÀ7ÁÜ&N\€*ÄJÒÜOµøï8•^Ýçôáö¼J%qõ‡ ‘®.µ&у;ìXBÒ0ÊÚcVKŸ0-SÛ·ߌG?óí·Eƒòñ(€(§¸Ëš’=´øô•ú+y\J6.æꔋ‚œÞ»ó^eúÞ‚·V„(õb*$Ã=AÁžéÌmEéïa9žoñ€Rý3™ÙÑS×!÷8ÎãÒ9‹ÅÕçÜrƒÅ£‘C™Äù\‹-ÕÕ²k±ò¡øáÃÍ8
-ušÅ?Ó<–“G¬
-hEá$=k
-jK‹ê\ô#Œ²Ô_j$ø>Û}~';Äë08~Ⱥ:{¤j7l˜ŒEÖÉ/‘ÕØô 5³î*Tô#ÛýêŒm¥(Ÿ¡\B½MÈb\Zk³u
-ÂKJ^'W²Ù3FÁå¤éÉ.ðÊüÊÕúìðã‹’c=,®¬3jÉ/Ì ¬}橃”.‡Ó6Š& êÝîU¸¨Ûkh•kgݺKÙ!ì`M«a'x0¡ƒÌ ùts«,t-¥§†ìC+µýÝû¡ÝÒ^aâBý" ðf°Üpû š±›õvV¥³ƒÃ÷Ì ×pJs®a¯—ÀœÉAgÔ6tå„è/ZÅkQ^î›íF“’Ô¯[t#¾]°rÛÅ‹60^Ùý” ðzFYËP’OI*ÄmÉ×d«òñ¦¾âWfÖòûé!ou¾qÊÜCZhµ ÐÞ“iQ'÷|(D¦¶xÙ*ª÷d_R½˜Ñ%8Z?Èb+
-à‹)קw&¬š>òÕäø° DxùAt€næ£`öVkøqvëð1']/¸t ¡yô8,TÎ.a Os%/i5
-ÉzY`yÖP@-ª¤9¯ŸÇæžÓçý¤>Vo€Ì¢éªd>Í/ˆöõÏ}êY
-³¸~h—•¸8˸ƒŒFF¹õ•Šû?ih
-vžj ×`­Ú[­›öÇ|-…>°ë=].žàŽJ,}”›­ûÈi±ð!æÛ‹õÛ‰ÌJ«—–r•øœEk±9,ð”ˆO’ܽ…n®Ðq !páxÓ“1¶¥©~à]ÙDXÞÑTtÿ Xwd‰–¸rϽ”T…³k«eÛ?ƒ6òg¶òõPªj~«YÏZš{JÃÁp´hü@AÓœlú)ÿ€úBè×@aS‡ž”Y2(õ¡r‹¼û^*84å¹uÞVi¢¾¡HÑÂé…ØÊÏ–)ŸÃ;c4¢ž/{Ž¬Ûe/HìEˆ…jŽÚ¼9CÖ•Š ‚ŒüsB—W¨Èòè!&÷E*l.\ÙÈL4´ÚËÚ÷h„¢Æ·GñZÍŽ<çYÎz9†CÅŸäá¦TKñÅ3c/ÕQYV;Ò+Q%_Vªdá¸ô¿ð‘8ܳ v4e$2iä*õ Œ9csõ3k~YžØaí¼zf¡äö•Á’±¥;Éb1ª"(GO_XLô>ÅGçë%:}¨=Â[#™µ¿Nôp½vCžªÂíu>N1 ¬Ê¼íQù„8¬ì¨`æWn-aö­§m+´Y¬~5A”XĽh§"hV לÞ_9æJqB—¡Ìh'·ïžrs)¤<ÃÑ!]‚ŒšÙZ~\ÍHÒzU´NÏh“[€Hái3
-RgT­$vÊ®éï9‡á׺ù§ßWŸa|…psØ´"ÀÅÑÁñgð~¸¿Õxy¿oA‹z¾Â¼âÕëPúí
-GZ÷± Z6ÂlƒÝI§(²‡
-?Uôü¬Ë÷
-žä¶5Äõv!.[7$›\ÙÌù ö %Ü-DÇ9øÓ\¯ÔÍŸÄ7& Oâ×ÏžÅÚÅ8“£òÅff\Æ
--â×6™…ÈXÓØø¬ï¾ÆÇ„)h}YÆð–êA±>–?qhYêJÁoȯü¸"Š˜‰œñµŠýVw$ˆÇÑ5-C¶Ãö&šg ŸI}2Ñ»5ãùáö¶DăuéBÿ;¤»¥ªïÕ\rþhüæx€Í?‚^z:“Å„ê!Ïå¨Ú
-DЃqB[äßTœB<ug(°Ø˦×ý9J~¿|º#ß*ý2üÌ‘ÔLÉ{¾OO±ÏïùƒiÌ‚øœÎ'=Ú‰dž•TŸT¿ÇÍ8ÕíÌ¿Þó£œÁ8©È«ÚÁZ±€,m³2ÓDŽñC£{p›® Î>*«ic:5uª ÍÐåS;ùEÑÎÙÀHoÑÏWçx ×ØÄИ0uÎlPÎ5 —¢ú½»<>ÕW:‹ƒoY2’˜HJyf€ÇòTcª§Y½ªÄæ'Jçx{êI_Í[¾ÆuE^n¥ñÙ±pmËISDx°ñ¸U
-JŠ+Y–¾^#Y%ÿ GpXŽÒ0Nãˆ&^-`iªiðŸ;ÐNU‡UîS’7K±Åüð[Žç&“vñ;ÁsZ§â§u‰ö´{§¸àôò‡ëòÔˆBW ×B‹CóáiòT£ÊÚÿ“±'ŒÒÞÚ¾ ZwÕ¢‰?UÛ.[ h‡)qŒÐÇ
-¯5Áƒ ¨“¹Ýa%µxkÐÏ_WÃp)ÉâüdÃS<C&fåc—Åo FÏT±Õ„ú°
-)è@#{ë>Y]K¢þäWOk‹à0É
-m›Hi‘œô d„†q. „WôâPløFûÐÀî±Ü"“­[¹É`¬?sòŠô£NÙêqüiv Ž&#‘ÑPb6G¨4Ùpòã¹>¼¾_$”ì¹J‘Nx?~«=!ädœGû¥ªw³
-‡¯0&;ì8u¶IýÚ¼ü?"¦ûø}¶lÞK©#«ÞÓBüFçõ'Ã÷bc-~Žò8îêÜÕ, |¦,kÏ%äq†Ö‰~^÷ŽÓ×™E°~r¥¡˜[©¹Ùéù _T¾lÌâÍî
-ù¡M½Þöxhá,ÿ
-áHQ þY»Bå<GJÞ,6]JOU?ÀÕ«Uh´\ï MNñÂçzŽùy¬˜+߸+¤ „#äoàùØÈ)ÏøÅ PØ
-Û9ÔB1®¥Ò[Yù=cÁ­öâS§¹óp—ü›ÏUÞYKf†mˆ¡ãž\%¬,Ü1õ È<o«»—ÆØ1D*@„ã¯O‡¿q¡ùî)uô¼ÍÌâýükjgWØ!›ÖöÎÏb¶wéÜ/žbmS`¼•9yì>ÕjªâD^ûÐ."ß·ƽú5Zï°Æ溱@²¬®fµ4ðÎ^‚›M²¸©ým|ÿ ¯©‰É«ê4
-$L¦nW`6»SN™’h܉¥::`í ?ä·¾:*Q “ן”„y·±,ˆÅ’·õç ?‘²}ùT{·BV°£3ëÉZmmsÇBkÙ-’Ãøá+@™d׾€ËM¥Üšô³lŒ~‹ûÛ«/xôñTpïÅM~âÓ¶•˜IÓAéoc_3¥KNI/6Và&âûßÕ{´adÂ{Þ@:C&] [°A=Ûe¾¶5YØøJ>ªí®(íPãHš(b"»,ŸÚšíÑ)„Ï\˺_ºw‘©¿cð>b»¨Oœ»ÛybôÃ$N`ðöL~kñ^óÛSïž]Þ ÙXƒ‚AW°}´e•!]¨µØìà×fÏH Í·Œš’ ƒGïa:Õsg«1ì8ñÍÑ –äiöÉñhCìò´g¯Ë8ßêô-Ì–~‘9V|T±&Nn·äML†‘§ÚDü”¹Ú>I^Ž”[û•ÞJ¶½ÕÉò< ë•Zv·yÁ<ü0ˆ¤5ºŒ„hO!ƒÈ÷sÿððd‡åÁúÌ´Jb+"ä(2mfƒ77Ê¿”Í
-8*v4ºÏÄ^±ûà+h5zê2¶;šÞþ,-õQü! C$yw9†CšJO ™ňq\`±"H,Þ)T<icº ¿ª}ZþK§{«Þ®ûªè&4CSQ~åâ7ê
-QH;ǘ¢&šùŸe“ô¿žUÙ|µ°Sc0R2YE]¨
-‡á{__bçâ.°ßþ
-LóÃI8GU–¿Bã¡\‚–Ÿˆ{éõ´Sû›7M‹Š–…;ûÛ䃵h¹0GQœ&÷ <‹"œ_ý¼ÈAze‰ÀN2ÿPÜJ"u]©¶ÕLòs.}æQùü‰iõHö5¨ñ‹‚‘öqLðëƒýUj[’ =Á®…1Ñè²YÆHOŠåoq ’„!¿‡RÒ¯¸ð%ê«~u¯ ³¿0Š×·6î;>nE=m½aÔ\{\ÄcïQq”&T/bµ^þü‹}m“¹ò A’ü陈×O/ÍI>c×b%ÒÌ&ìýºªú· ¶mJ;û7žb{ª6eC‰Æô_è<@ÀbW’+Q'‘šäçÚU›‚ݧ/ˆ+ƒË°a
-<¤þdÑ _IÒõ.˜ê¢Ï\9¾§é-xÚÖ-9?›ìÐv_ wóý}¾éH`…Ñ'>Êß4¬>äŽT‹¬ÌÛúGäµGÔà…$Í ï‚7LI›u`žUJ2ì„΃79ç¯~f´lá­ÊΚìïW 5?|¸':U—.ûrJo ÇÓlÔË5áAÜçxE ³º×ا‰3Ç•ÚTñ#åKþtâ•.iKW@ö/É›ÔÑ÷ ûj&Q ¦Œ²È˜¥t°Èð§Äh-ؤ1íý b?e¾™F Š– ÉXrÙ/&Šjz©¨rAÁM°re.2Òe%ÉÍ£™6"5[¹(H4 :\mdb“™[i:ýP½2“¿Ýä÷ö0JÑ»pÕh¯QšQ¨ý±Qó_»Ã7;mþã«÷Aú^ÁÐ; Ó èvñ¡Õñ¥ã«*’Hóß¹,QëtT½}…ÁbWý€g”ùxÔ$Ó¬GÞ×™®'}¡uÞói õ´’D§ùõ; ¼xðÞÔ¡Æ°~. °öâ%ÅÅ4O”˜»ª¡ Þ»Bï­\ÿÆÈæ 
-†ìvm…$t§³ÎLd?莑ˆ+í–«I&VñZ"-¿35MGöÊìä§7À Ñ4‰>ÅauA×W¯½r‚…`Hã×W{Ûw1Û®­¹E¥^["W¬%BŽ… >«íÜMÑ#nNCuy‹¼Hû %Tž,TÜþ0]4.ïdîžk0œPañœ„5ðY ÓëF–?ªU'?Õ‹«žäfü¸Š·Ö¤qCr®až1j,†º¿÷2Ó“=²õáÿ¶D4ÏØeÊÀ¿I Üóv¼vþ´b„dîÿ¼ø)xý)\+"oÜ´¦ÜD1å[|)h$úØûeGUeŸ?õ¾†Ó<åízznKB†Éd–¬ö…Àÿò!øÿ
+JñDÛ‚Ñ¿s£`·n
+œ6B†NšVµúz9S,nq2BÙYÒ_+Ÿ¦Þsà›`n'.@b%iî§ZüwœJ¯îsúð {^¥’¸úCHW —Z “èŒÁv,!ieí1«¥O˜–©í[oF‹£‡y‚öƒÛ¢Aùx@”SÜeMIƒZ|
+úˆJý€•<.%sõ JŽÅ?ANïÝy¯2}oÁ[+B”z1’áž ‚`Ïtf¶¢tÈwŒ°ÏŽ·xÀ©þ™Ììè)‰ë{çqéœÅâêsn¹ÁâÑÈ!áLâ|®Å–êjÙµXùPüðáæN…:ÍâŸiËÉ#V
+.¡Þ&ä± .­µÙ:á%%¯ÆƒÀ+Ùì£àrÒôdxå ~åj}vøñÅ
+E“õî ÷*\ÔíÀ5´Êµ³nÝ¥¿ìv°¦Õ°“@<˜ÐÀÁæ„|º‡¹Uº–ÒSCö¡•Z„þîýÐni¯0q¡~‘
+5¿Õ¬g-Í=¥á`8Z4~  iN6ý”@}!ôk °)„COÊ,”úP¹EÞ}/šòÜ:o«4QßФháôBlågË”O„á1 QÏ—= GÖíÎ2‹$ö"Ä‚B5GmÞœ!kÊ€ÅÁFþ9¡Ë+TdùGô“Àû"6®ld&Zíeí{4BQãÛ£x­æ
+Çžó,g½Ã!‰âŒOòpÓª¥øℱ—ê¨,«镨’/+U²ðN\ú_øHîÙ;š2™´@r•zPÆœ±¹ú™5¿,Oì°v^=³ŽÐŽrûÊ`ÉØÒd±‡U”£'„/,&z‰â£óõ¾ Ôá­ÌÚ_'z8ƒ^»‚!OUáö:§˜VeÞö¨|BVvÔ0ó+·–0ûÖÓ¶Ú,V¿š J,â^´S´+kNï¯s¥8¡ËÐ f´“[„wO¹¹Ržáè.ÁFFM„l-¿?®f$i½*Z§g´É-@$ˆð‰´…G©3ªV;eW„ôÆwœÃðÇkÝüÓï«Ï0¾B¸9lZàâèàø3 x?Üßj¼¼ß· E=_a^ñêu(ýv
+-gھ蟖¤§I„²kZKéä”ð
+›û,¥ñ­º“Ûý ÙU@žXÒÖrÝ}Â;´w`D­.à™Œ«ž¥ÅÇ3\™»ølð­…Ébñƒ¥‚U³¢ÌöMÌœÞÎÛJ”…¶WkÓhý j¢’«qµD¹Kz瑳³B|óG\Caî+þ¹*ÊÛ~¡ñ¥ÎGÙ§}–ΪJæÄäû§ W÷HíÚ>ÛÀaòœúò4ó üN$ÕYYšžÇï_œ••W+vqƒÛSš:± 0ZÌ©„›a‚â[‹”%sˆ{¬Þd?zä­7~ÞÛsý3M{öži17ÍÖ‚\"éýGeã3mì7
+Kygm/®SÉçÍÄ\ÊqÈbO;z¸‰ð «-4'¤§€+k=ž~(6¸hLìÈÒúô<6»¯´yjÊ^"þxNLÝ°Ç%3jz˾‘e2 ÃÏfĺEÎ>_žÝ(¸š¤²uy•“®ƒ›{!Þ4l"ùíóQtñÚIÝE°ºÙu² ¯‡Ån¹¹ÄùÂGˈÃÄ ›
+?y“w¾ G$ÜË×ß™‹<Ê™2ãtÏ¢Þ}ÿ†­ @´yIGbc‚²Kê·HŸ|ëÖ x°–Ñx½Ùþ2—€_M”+=‘Û~d˜„“•/tŸ†ò³vLFd*°Ä¾ù±b«&} ¢¥çË/à¥2 ?‘©"B¾,|BÊ1û楛æŽÈkf}°¿Åø«þŒ„g“IÆÞyã8‚© .ͲmhïF`”ÜN‚”ƺʨjÊéž=wþ¼æuußÆ?ÀTÓˆ½~.%º·2¢_½¥’()“5”ôe-èÍÜhxlšŒS+é\d®ýÞ¢Ïd=ºñbfýFÇO¹!3‚"Ž±6÷'íjCœ´¾X‰Œ]Š*ÅÂBùwK‡õiŽ€hn"d²¦…Œ·âg쎓š™Îë`ÎÓp¦»²'UJfaþ»f[Ĉ]ˆ•á®þÍz´&—À$ñZ¼¡®i¾—fG‹LßÇzbÕû\dÊÅï격|X“Ý\sÉ•ŠØÊ+¾ÿ fÜŸ|>„%ýHÎÌÚ`=6"æ’P«ô9#Ñ\ Ó#3z-Rô|%ñ¨$¾Gc^¤‹M]÷²³Ôú{'¢_ýDÊû1éÍ*õ,θÈêÝþ²â³Gƒg¸LMa2B Æ»é»*+M[TÏ•´lm§2!ž7V¦Ôˆ·nŠæ‘’¸†pj7ŒÙ>ò"$›XêÐ:{—­¶^˜u^9Ì’„‡DW¬9%%^ ÑËå,W0ß²¦ÜÝ™ZÒ×ý/õ{øúÆ>²Ý” à/"ŽDkúmù0§_ì>WTxìÑéƹœ ‹›
+zƒ½Ê-%¯Oà¸L5“‡û’ªV,î½øÊáÃz‡>ò&ïw¼´rY6Ç—ÆJwŽGƒ ±Â*ÜA5ƒ
+ëšSùSÕi…Ÿ*z~Öå{OrÛÎâ¿z»—­’M®læ|Pû„î"‡ãüi®WêæˆOâ›Ð'ñëgÏbíbœŒÉQùb³ 3.ã…ñk›ÌBd¬ilüÖw_ãcÂŒ´¾,ã Ž
+¢&tG÷ü©Ï¾2¤ûôþÌÓ(v'«.Š
+òôÿÑü0íû¾€Žˆtß
+sožbrÌûvE ²ÁÅ/ÍWRÙu/w¦ØÒÕÛïòxœ‘ h<LšøÖ‘píÇâa ®”Y
+Kqh|>6œÊ³(æÀ’ßë.
+ a‰ñµoWkrŸÔgÔÅÖº›Ð˜wÜ6îÂÞN¾Ùö i± XüÐ~ýÅ´á´ÙÞVó Þ³6÷³Ý>EŽ
+‹^±Šî±nl#šñ‰65%,ç_°Oê”+µNý%Ùz¯>W7¶]•fzã}A}H›ÎÀSÝÀ~ƒQrNÉ)îs¬þr]Lf¸á“
+<á¼ØËûò Aê)¡³k¯×ývuSøGlVªs#Nu¥¬·OŠE•?.j?ø ÿ©ÓwGä“øݺ23oªkvSÛë>Ñ=¶ Ðz¸^"èÁ8¡-òo*N¡žº3Xl‰eÓk‹þœ %¿_>
+Ý‘o•~~æHj¦ä=ß‚§§Øç÷üÁ4fA|Nç“ž@íD2ÏJªÏ ªßãfœêvæ_ïùQÎ`œTäUí`­Ø@–¶Y™i"Çø¡Ñ=¸M×g•Õ´1š:Uпƒfèò©ü¢hçˆ Šl`‡N¤·èç«s¼„klbhL˜:g6(皊…KQ}ÈÞ]Ÿjƒ+ÅÁ7„,IL$¥<³ Àãyª1ÕÓ¬^Ubó¥s¼=õ¤¯æ-_ãº"/·ÒøìX¸¶å¤)"<XŠxÜ*%Å•€,Kß‹?¯‘¬’ÿ„Ç#8,Gi§ñ
+D¯°4Õ4øO‰h§ª‚Ã*÷)É›%ŠØb~ø-GÈs“I»øNà9-ŽSqÈÓºD {Ú½S\pzùÃuyjD¡«†k!ÈÅ¡ùð4yªQemˆÿÉX‡Fiomß­¿»jÑÄŒŸ*m—­´Ã”8Fèc…ךÆàAÔÉÜî°’Z¼5è篫a¸”dñF~²á)ž!“F³ò±Ëâ7£gªØjB}X€‰/‘'™“š"ZtÍCöEqË’¼R7ö¿Õð®ÒÂö@.)¨F…t ‘½uŸ¬®%Qò«§µEp˜Çd€™ÑÛkï#ÝýFø‡‰0A³KE*3Æ€F ‚é®0BÖLqÄ`nÿ‚Š%P爉䅟Ú*›X‹²Å·jÔi÷b¶‹ôRáó"¿¬žû6vTZRœÌ°T3 Séèv\ã«%øÜýI ¯”Þ¯é¡ëæ®ZÖ·mpßú”Qn?ø&Å—Â#Ôߟ›ì}ÅÀ^í° ª"Á"çt{RH:†×¼woŽ¸ÏhFO°™§éç€oÊC£B÷~”…
+ sœçã¸!q?Oƒ¶•G¯îW̳ŒÔ)HænÉøoÌF–A£Êå{Ç‘æä8£jýäUu;W+Aà¢ïóÇ;X;{¥ð”ÇÎwÆ}x" Æš=×N¿nc}& ±Éy[µ~œ ¿öµh¨»š«¢³ñ©"Ì‹üEmÊ`;µ
+Lj
+â³ß
+Ì Q=w¾?‰¦6ª~ûá¤àõd‰xW/aéÒÛ‹†Cú\»UÒâàfÒ~…¶‡Í
+¤´HNú2HBÃ8—GÂ+zq(6|£}h`wŽXn‘ÉÖ­\ƒd0ÖŸ9yEúQ§lõ8þ4»G“‘Èh(1›‚#Tšl8ùñ\^ß/Jö\¥H§¼¿Õž‹r2Σ}‰RÕ»Y€|áCžÓ|ƒi xCªݪÌZ-›Çð0ÜJLÕ—D9dkùåΞ‹üÀu !!‘}U?³9Ü«eŒiÒF̦ì½Äõ–çwNRi¸Ž~ÑqÂzÊ—eh )¶M# ±M¤µ.?¶%aÿ5ßóÀ€L]t“ö´ƒÓÈÙ‹CM³S­ê£²lµ^÷³²ÚfÉÔë'7±‹÷bqÛG2®K œ¾’j…Ã×?“ vœ:Û¤~í ^~ŒÓ}ü>[6ï¥Ô‘Uïi!~£óú“á{±±?Gywuîj>S–µ¿ƒÆçò8CëD?¯‹{ÇéëˆLŠ"X?¹ÒPÌ­ÔÜìô|/*_6fñfw
+=ÂRŸó>ÍjóðÔv)Ùyÿ¹[G¼Ü5)­…ðwÃä¼Ar«òqsV
+…üЦ^o{<´p–…p¤(„¬Ý¡òž#%
+o– ›.%§ª¿ƒàêÕÎ*4Z®÷„&§xás=G‡ü<ṼǕoÜRŠÂò7ð|lä”güâ(l€Â(Ù‘(8Å|)ÿ¿wÆô/þQL™ uG«ØâÐÏœÎÎ~N*{cÀt(û6HÝB=viˆÀ%ŒÐ/ÌÐà>^P䶊ŧ¡¯ÕrȈ=ÂÆé2¾ldÔD4“kêœÐw§3\Wd†@$B}vÓmwÝK&à#ýÁ?¡e6êœÿ¸¥*IÖÔ*Àií¨²Q„É¿åAFÜd@+íy‡íj¡×Ré­¬üž±àV{ñ)„ÓÜy¸K þÍç*ï¬%3Ã6ÄÐqO®Vîz
+Pdž·ÕŽÝKcì" ÂñקÃ߸Ð|÷”: úaAÞffñ~þµGµ³+ìMk{çg1Û»tîO±¶)0ÞÊœ<vŸj5Uq"¯}h‘ïÎ[ ã^ý­ŒwXcsÝX YVW³Zxg/ÁÍ& YÜÔŠþ6¾ÿ„×ÔĈäUu&S·+0›Ý)§LI4îÄR°vò[_•(ÉëOJ¼‡ŽÛXÄbÉÛú󅟃HÙ¾üª½[!+ØÑ™õd­¶¶¹c ¡µìÉŠaüð L²ëb_Àå¦RnMúY6F¿ÅýíÕ<úx*¸÷â&?ñiÛJÌ¤éŠ Žô·Î±¯‰Ò%§¤+Ž pñýïê=Ú02á=o !“®…-‰NØ ží2_Ûš,l|%ÕvW”v¨q$M1‘]–OmÍöèÂg®eÝ/Ý»ÈÔß1x±]Ô'ÎÝíÎ<± úa’'0x{&¿µx¯ùí©wÏ.o†l¬AÁ +Øο>Ú²Ê.ÔZlvp‡k³g¤…æ[FMIÁ‹£÷0ê¹³ÕvœøæhPKò´ ûäx´!vyÚ³×eœï?uúfK¿ŠÈ+>ªX'·[ò&&ÇŒÈSm"~Ê\mŸ$¯ GÊ-ˆýJo%ÛÞêdyž†õJ-»Û¼`~DÒ]FB´§Aäû¹xx²Ãò`}fZ%±ÆÈr™6³Á‡å_Êf
+í&2PƒóuíIŸ[^|uÊàïíŽl«0x¦ŸøpÙ(ÈÅ%mé…ÆÃð½/¯ ±sqØo
+ŠÉËQfþNÒúðÄCzòÛgêg_åD6ºq¸I“ª¸ÊFØ2Ëv­Ö¦™˜¤Pé¿g¦Uu䂱~Õ#ÉUz$¼
+ÇHÄ•vËÕ$«x-‘–ß™š¦#{eöòÓ`ÐhšDŸâ°º ë«×^9ÁB0¤ñ뫽‡í»˜m×ÖÜ¢Ò ¯-‘+ÖŒ!ÇBPŸÕvî¦è ·?§¡ºƒ¼E^$‡ý…’*O*n˜.—Çw2wÏ5N¨°xNÂø,†éõG#ËÕ€ª“ŸêÅUOr3~\Å[kÒ¸! 9×0ϵ
+CÝ_‹{™éÉYŠúð["šgì2eàß$‹îy;Þ;Ú
+_ƒ ÃižòÆv==·%!Ãd2KVûBàùü€ÿ'
endobj
-1065 0 obj <<
+1364 0 obj <<
/Type /Font
/Subtype /Type1
-/Encoding 2149 0 R
+/Encoding 2729 0 R
/FirstChar 36
/LastChar 121
-/Widths 2155 0 R
-/BaseFont /KXNXTH+NimbusSanL-Bold
-/FontDescriptor 1063 0 R
+/Widths 2735 0 R
+/BaseFont /CBGEIZ+NimbusSanL-Bold
+/FontDescriptor 1362 0 R
>> endobj
-1063 0 obj <<
+1362 0 obj <<
/Ascent 722
/CapHeight 722
/Descent -217
-/FontName /KXNXTH+NimbusSanL-Bold
+/FontName /CBGEIZ+NimbusSanL-Bold
/ItalicAngle 0
/StemV 141
/XHeight 532
/FontBBox [-173 -307 1003 949]
/Flags 4
/CharSet (/dollar/hyphen/semicolon/C/D/E/F/G/I/L/N/O/R/T/U/Y/a/c/d/e/f/g/h/i/l/m/n/o/p/q/r/s/t/u/w/y)
-/FontFile 1064 0 R
+/FontFile 1363 0 R
>> endobj
-2155 0 obj
+2735 0 obj
[556 0 0 0 0 0 0 0 0 333 0 0 0 0 0 0 0 0 0 0 0 0 0 333 0 0 0 0 0 0 0 722 722 667 611 778 0 278 0 0 611 0 722 778 0 0 722 0 611 722 0 0 0 667 0 0 0 0 0 0 0 556 0 556 611 556 333 611 611 278 0 0 278 889 611 611 611 611 389 556 333 611 0 778 0 556 ]
endobj
-1061 0 obj <<
+1360 0 obj <<
/Length1 1166
-/Length2 8686
+/Length2 8911
/Length3 544
-/Length 9500
-/Filter /FlateDecode
->>
-stream
-xÚízUX\[ÖmàÜ¡pww—à.…+ pªp‚— Á58„àN°àîî—
-ìhùgK–nÎì:Ž`7Ð[™ÿ ~Pþ…Yƒ\¼\‚\
-ò[^(>P3wÀâòõù߉ß¡pr,Á®
-{ 9Ø888Üÿ\¿¨¥“£½×¿ÂUÍ@
-òrÿ]ñŸ^üåߨºøêäø—ä[G+'€à?Úyññ¯–ÜAèËlþcFÀ¿ë«:¹‚-@
-ähù·”²ŽN–`Gk€–ëËTšA,ÿ üA[¸A /öüy@/ïþµ·¿y‚,Pçœ,„ƒmk‚[oª$I<XwƸ»ùt®žÝ(xP¢ía¶Ø`»T íJIxr $eɨÛˆU©ÀÁ„Æ‘ÈFó{Ø Jµ±!bã„`Ã*D³ÕŠ¨
-¡!1Lüâè&ŽÿH˜’s íÕ§pJYve@+&=Š­ê„çOvÜÛwQC !/Ë/GVÛŸcÄ¿ <QS°÷ÓB˜l—á° KAUìh˜¼¥W¢6_ã”·a›ÎÎõH¡óúÏ„Ê£¸Öœ™“”ò µvpÝÙ|ùfuW5èœÏ«Èmì¼ÌÒ›ˆj˜·Ù«ÿ¸ØÊl燅ð©·$Ú·ŒM”¼Õ8P!B ¸éXèC•ÔÑtÆ<ÛV¦Ò«³.ŸU¿"ïVtÇåþ´Q«¢ÓeYóŽbÒ¿ÙZƒxS›§ñZ§í\O2~«{E3
-\ßâ»Ü&âéy.ßSÇÊë<c×CÜw*⚤Kø0ݪ¥¾ÀU×”s—¯ÜŒÊr¯Øn g
-èØœvèkwyþÚ‘72çٛ斥‹ÚaGæ¬å`[B×Óà‰ññÓš goø$ÝöeßOáj@³pLñõ[>(™eÔ]Gþm!2¢ë!D
-[D« “-Á'u™¯nòŽ<'Xð"Yeð&­ øc‘#Ñô,åKXÈm®_l™Y¢o׃GÐoR:©‡;Ѧ¯êJ³Š÷ѧ‰mŠoâºë•Bå‚n‚‘7Cj¹sD¼˜<îcØGÌàwÛlÞ—q+Z/½²Í"^Ø|$Go-ÅlêØTåPÛû2oT cÚÝŠùýüÌ yÚô~8!4}"–öj6ä äkÝ8x>9"¡EVj› Y
-˜ñ)l¾ÍkU¾q¥DÚÌå¼S2³òOyÍR¥vHDShÛ!¤ÍÙaæÙþá¿U ¿ë-¿ku§zIúèçÝ ‰ŒPËi‹.7
-‹\÷+í°Zû²Æß5eEmüØyò£ ¿×Sewœ•õ‹k†­bטUÊA-”Šß »,ÎCz7†–#œ$%Ïɶ$¢Å*:ú8¬û¼!Ì·ì«%×ç[âÁÄeÂ[³6æÂîŠî×ÙšÀ³õðù‹Åôm›Ÿi8e>Hg33nlGº®3có€_ê0µihù¡gÊÀäxFnPê¤ëηk,4K§ͯ_MKíkû ß 6ÚÀx.a¾+íÌå”o·gKR™¥ Œ’H!ÚèE=é_–9ºã4? kûŒê‰Z*¬ wøŸOV#•3Ul# 2µÕ¾Aé£ßÚ¿d›K€–¤–g§$ýæªâ'ÚG÷nAüùuÊnûF¼‚›*ñƒ5_ /NŒšrþj{|í lÎC¤r è·Ív¢âr‡"¡þßù¦…µš6#qØFn²‹³9ôgåÉŠEg€+Á öÊL–¡ÀN,@‹%8]è:ÔÊñ»¤>$5o5Ò"“a£ø0ªÃ4v~Ý«¿~õðõ@÷܃3/qviùk'´-âzÞ<öë#n×
-yíó»Ñ€:+ÅIÄA=ÁÅqÇR&…{Åšý ÈÉô\‘Ñ›ll„%Ós@÷j¢¥”¾ì{P¡
-“þ¡•Æí‰÷@@P‡‘»‹©ÝeÓ¸­
-ÜÜŒ”9rƒéÔ˜OÓ[¬™ï!)-oB€û³}‡rñ.ïÞ%¸ÂÙõ@
-º" "†9ûˆÄ«@ŽŠê&z
-§/ÔÂŒV‚¦¢PŠ\Ký`a0Œ¸É0òç?æˆn8Ô&Òm†_Ž'{•ƒ
-ÈxìúYxU‚Äb/Ö[áNŒe­pŠÞŽéPS{Dí÷æØ*÷¤ë½þ[@ìŠô`ŒJ´ÝŒ I¢ömu:¶>ÿC˹@â!±S „Á‚Å5ä!4ˆ •ï¯ÞÄü65ûö£¢M#·Dž^ëgœÒ–óÖp|Ø.õw®òž‚ö§E¨=z¥åÆU²ƒ¬]!áß9Ø)'ª’,4в¨XûrYuPÖJÙ35S1CKX{ûºE†å™ªwïÃ(aÁÛè|êÍ tþ MLªe
-ÕS”Åzo¢É-Ê–¯‘®xg`ùÕ56b]¿¶Ù0-÷9§ä:Э4•/
-‹ÔÈN¨ÆÈ›ÚM„XÉåxÔʈ•xšê®c€‘˜ç$KÁT@üäÛk? ÎT˜þ‹[ìöÀØ”†©´ý²Û7Ç´c¿ÆäâÛê̈GŒŠÈ9ob»ÊŒ¡˜‚üDò÷à-:=N&”b¬Ö,áämŠJ-)¸‡0&Ù{Þ‹zîoHª¿^ûûqN:zá¹HÏâxFbq‡Ô›–wˆ­)ÔµîNØUOíãõ¿ÊwáõAKŒðÉõñL
-ˆ°S‘bð(b¬Ùj›_äá~5BWg<÷7©<Z;‹‰qfvèrBÙW†×KïIl¸)ý1·—$^‰ü“ªND ³(çiºVœV÷ù'±/ö³Æ”ù¸÷¦‰0‘1úµë4/‰[&W£„Xó<ÍÜ áÌzêMë"a
-ú¡ÖMz*xù³Ù™Mœ%˃­ÚUºîC<GëÀ/j °ïÐ’žSäsݹɑ²ò<;/Â& Ü#Í ÐfW8­U†¸ãCWÓV³Êô8½dmÏɭÇ{cÅ®]0­V’/|hÐþX×›fWÐó¢‹×ºö•­‘Î(ª
-!›Ý RŽ_hJK`*twé½Âð!……܇î[ ‹–4  ÚohëðåŽF(]F< Æ©—G©_
-Äê~¢)cGB‹/U¸sP8®mØÇúÒ¢¶`¶Tø`M»"²€œ<Tûh«¤×èÜN%’ŸÆ
-!èµí{8]$W.ú ±ŽRç@¢¨xÀ‰–äð-Aì®°° ˜¶VPPyéëÒ$ò±œpxÚ¯ JÌ‚vÔÀ¢æø“µ$ߣ6ÌK2´ÅŽfPiŒœ™åϪÆG:+-4!8`†©7¬þÀîºNíÑú‘m„~µ5I*0ÿ;¼aƒ°Ü“ÆŒœV:ò³iuxQ‘ÀëéÐ
-ó6-UNy"Œ‹4°™L;ù4±IKpVƒœÀÞ¤ºT ±ØâigÆ%^gÞg¢¹ÃXGÌs§v
-å-òý0òe [¿½Uey Z ŠÜƒ‚¢½šý~Îƹ©Íëw·ï ‡rø;)¶loXë[–ˆ;<ªœ‰¦u†¸,‹#ˆ¯ ±Ê4#Æ–LkžE{èä" Þ{WMÅoão~ªJ(â¼þíÈ?ÙíÛqLºdØmM¢1ö?kæQáo•d‰e ùbÓ
-mUm‡·Ã—ó»@}[ñ½óþw8u"n‰m´ýºß­>?¦ƒé\Wm ázCFàS©þ|í™1ú¦
-(ÿC–MsÕXAr^Ó17êLÙÌžlõ­$/xš®X;õi¢¥=bøŸ1_mb|L½dò¦Üw'>z²ò‹O¼#Ìÿ(€5¸ÒC¬Tpy½’kô:Fd‚yÛ¶±Þ4ÙÏi#¦ôâ^ÑpdѵˆÂú#¬áæË”CbëÁÃ%1“}`5^'\[v¬j ‰vý¿ÆÒ›Û'5\ë±IN"(Û D\ã 4˜Øa.O/;ç÷g™¥XêÄêÜŠ¡šWOWÈVå黤{ýg›ß¢‘ÕR÷w¶¦ô$Ÿ2Így0iƒCif0kgÓm0qÎS.Gp·Â‹' è§ûŒ”nÔ,=&‚,bœ”ËUƒ­üøèpß.Z®¨È À¼®¢O6àøŠÏtó¾I›¿Å˜ÑdGŒW ;VÞ`š#L†ÑšøòtÄ’Ö‰àŹ|Ì’ûÎëžµ¾H°gˆGEŒ²/l“9—w^e ™A]9|LÕX/öU)­;tT#é³/‹ñ«¨ƒ0\Í!ñO¼É|®Îiæ*¿ªV#”±Þ.g)óøá¬]Ú­Å„‹©(üŠý8zËÞ³e”R|6T…HP£l_›UÔbyv˜{²M6öJxEuÕ5½µlŸ!rl‘ĬïD+«<]á¶Z†«×ÇåmT 'j½‘3~jÇxݸç'3Úµ&ÒE…ˆ.š§.ÿ÷| Êu´Jë*‹Ä6·W,
-mCC$³%ɺ¿¾rš³övž]%ØZ™r˜äkЄäªUºN %U+þ÷Š¶[÷þå°GgÍýÉçà¸çaÿ¬Q9®èB€¨¢â&vÚSó
-­s3uÇ…u’Õõ ®]Ãý=rY˜NÊåGÔdÞi<Ô+ßoÆ‚’ôó"hßÇàÀ¿sUòrE© Ñ{zØÞkpO‰(b„ær >_e”iqÎÑ ipemë…¦Ôobæa-Ƹ±.Õ=ò’ó”èÐÅã?0Ábxºœ{ö¥]æÁèo‘êËä¯dŸt
-½Ä»¹MmÎG“¯ä7ñ“Z4š-W!ׂçØù{Öe–”7ÁRš5\ÀÜQ^jRòR©éLYÐ9)˜ÀUnoꃶ:6Јàn!_¾]‹¨'­B xÒƒÅv{FWÚ„3¡jì¨cn$“@¼y\ D,B@nš¬ôÇÈpiÍèïï°FÙ|w‡4D<=Ãa§w&ª
-,;.Q39œŸ£K÷Uʃ™/!Œ
-j6ïàѲËY[M'㣩ëÓ3ëK)ÎdâˆE~=‰ÓÐâZ1ŠY±SÍçw¿
-à¿(žÃÙÁY>P
- Ã{Q”(õ¦ú`í|ª[]˜’·.YMðÉÆ–™“ƒ]ZÜ•[NgN»Ã‹¨×ê-Tt×n9ÑB{^Ù¤â¡?Á’#]ü–KÝcôƒvÖoÚS)ãPß7cï·Ž
-_™v5Ìh­a6ÃŒmäs\mµ1;×Û,¤æ‚pVƒ?Qñ:7i‚ð,yK%Ô‰‚/²Þ4?à'…ÒpV¥ú®”ÊYøÖåw»:/û 0JpaäÒ´øm'v¼ÝŽ[#}é<‚ú$OY°ÒÃ^;W ‹ƒô <
-3M©VÞM` €o³z˜ ™Z`¦›E?É÷c¤«?\ejÆö>îÆø°Ü·M• BöºI@;xl¨Sã0¨ ûŸFTWIƒìg#YNßÙð~+\ @O,¨­ ¦ñåiA7Th¡†QüÅö«a¿8ý ¥Ù¨ó³8Œ±g±ÂC…ì/¿õNìññáß$d×.†”Ó‘µ¡DÅ$!Œ˜%eÜ''¶¢
-ïË»6ä½ã¬#Q2Ï EèÈMmaYEÞêÆ´¼F_wKßûLãqq‡ÿeO-âùgk=þIh®.íéÖ9ûr‹ÕÑÅ)­µ–aJ_Ü’ÁæG&Sb÷~ã‡gŽÝoûé ·ÃAAWQLÆ|C¦Ä,hèÓ×Ê›'jý1ÃʱåwôF5
+/Length 9724
+/Filter /FlateDecode
+>>
+stream
+xÚízU\\kö%‚»înA‚»»;PHî®!x 8 îîîîîÁƒ<$ýý¿ÝÓ·{žæm~Sõp¾o­}ÖÞ{}ûœz)
+U 1Kˆ9Pveá`e
+„8
+l)qøCÀùÏ$AÎ@‹×¦¼Øþî›âöùØ
+¶ü³%K7G6-0ÈÉ ('ù?Á¯ò¿0k +€‡“Ÿ
+qýñ$X8x8þÆiÚ€,ìÀ@—׳ø“‚-ÿ–R
+l±­®¯SiælùOàÚÂÍÙùÕž?èõÞ¿öV ×@O òÊ"ÄB0Ô¶6´ý¡ZŒØƒe’«Wëî·97rŒ=ô7V˜^e»bîÜÛwŸ³$UÇl„+ `•`¡Ã㉥bø<ìøÅ;X°°Ã°`d#‰NYë„”P/駯Øûˆ¢ R¾Kx Ê^P”ÝéÑKL`i„CpHôœTà‰ÉÊò+TŽøñž‚ÏUdíýÕàçG:%Ùmƒ#RPä»géäõQOï±+:°LûÅÑxæÃe]k/͉õJø:'º8ŸlJÛ¬žªGóy乌טòQK6‡ Ñ+íLvþ˜ð‰Å16(ÎñkX„Éßš†+…¨pœº–QÄ´Ôß^î)RêÔ[W,,¨Þ‘õÉ»ãp%n×)iuGYÖǚπñZ¬Õˆv4¹›îµ:®uľõ­«GZýÖ:„<=Ÿ@‡ª˜yÝ—l:GBÎÚOAs½À:rÁUuiw™ª¨,w‘ʽVç±ÌwZ6ç]ºš½žWßÆe ͹„縤h£öÙ8âØYWÑtÔ¸c}ü5æ?°5&Jt”ùËÞ¨—OÉËÛòÁHÌîZ‚pr_‘\OœÅ±„4šß²~òIÝbâí‡y"ûÊ“¬4òŽZ¦¿;‚Àždz™RÑ t[^cíÆ=ðàæ÷Ÿ‘øÜÏ•ä =X}§^ÍóâÓÌ:Ë;}ß %[µ, ýÉЛ>µÞܱ^4AXç%ä#¬wÛ±W:eÅNã¥S¶SÈ“H f÷ÖϦŠKuP ·}.óF!Ö§•"k¯“/ågö«ÉФÁ
+ ê2³Õ°"Ý ÝkÇÃñJ
+¬°PÙÜHyCOÍbñ¶ªß+óN)$Ñd®å]šU$浈—DÚ!΢ê퉆‘´dGGü4Éøp«lУ³LdÒîJ Ò-¹¢TÓÞœl-t=ª²ÃlÌš2iΊÚÞÝÿåOóáQDWX™ ¼ åßSͦ¶ ðå«xÂAÄ¢<ÄQ“IÔ/‚ŸÅe8XW…4XÞO¼ŒiÿÞä]óÓ̇ô+ö`dsaÄÝ´6âÄêÒú6këás‹ƒÉضÇÇ8–²"‹½ö6~r_¢¾;cç˜Oü$µytégÿ¬žñé¼ôˆøy! æ“_;ædx–Vªÿ`©«m%sÝ8Kçïˆ&êîvp§ ïfæZJÛãåªxfÉ°E#ƒb˜&Zazé{_¼ÚH☦τÎ{KÙu¤®€ë™IJSÆÊ=x4ÆŽ: äAºýá£,ñ‹iÃ01bT2l$qm®JþïiÏ`—Õü@;å³v{"•X”IAÖ¼Á~ر*ŠexATöxšÛX'ˆè.m;„E…ÛC·ù¦_ëÔmÆ㱠ݤV¾¨Ñ]V$Ë:\îøCت2™Gƒ»1­– dT4ûp+p˜®s,JÞÆG‹Lúí¢“¨.Ó¸¥-¯¡†“7Ã}‹?ñýˆ²K*Þ@P¿5ðä±Ýçr tWïËßSzy×SìX…»|Û;PRàFá/x˜ìbúðYM¤+#d!&»À¸&æ*I˶ ‘U‘ëQ2ÛañáË5Z#ЛÞöWLAjÔÙ¯é>@“"˜»põ‚Öã;$8¿†²NXæÜG°ìVFPüãï§3‹!ao|n›ôØ\–`Ä9Ù©¦Y"]°Ý1I`¡ØQ²¯ô9WfD$ë%bJ=ÓBM·–Еõ„|}GC¶;%ýkȃ_Â[]Õ¸QJ•)MÓ?¡×(ür ~é9[m;3l }“}Æp%gˤ¿!ríS-Q‡‰<=•]»Å©É¤LˆógψæÌþÍ)j‡Ÿm‹{¢R××ãÑQædÙœNæ<#C=$V㙃gú±rÃÜ+…>ºJäå28´(”ø±ºød•Ø²3/áUFIÏú€.Cw'S»Ռ۠ŽjXPK bæøÃ[HS>õ@‘z¾‡˜„Œ1>ÎYçÑ>ÅÊSÞ³Sh¥£#ʱ¸Ëú;!á· 0/xßydÉPPÜÞ_Àê$…´2¡V]Ò.)„îÅw™é "E2 øNÙ‡cO4 µ[àÖH¡¾ 
+Яªh 0/Dý-å€ÈŒcæ½]‡KºðÂý!¢½ž¿ ÎÐçê!ù‚nÝÇ
+Å øÓhaeÜ1ºÛôȇ>ì0x;J Û”†Ôáz©ò]É”çQÓ
+Ëlå6¹hèÏû©Ü)sýüµéð´ÊçzïüR|Gz”ñEß@«M†!»0µç‘“þ¢Â5Ï;©Ó÷›|3Òáž4!Âð…ßÄo+Õ{w¸Šý\Wá )rtÏŠ“¡÷FŸ¯3]¾ Лù ËŸ’n´3–? ,õŽzíFÞMÎ_6uÑ‘—‰òµRçW¾J
+}­ØüN²îé_ßDЄIxúÆfÛ´Âçš‚óX»ÊT¦
+cú»â«Ì;ìãàc B$æàO|‡féã«îèB¹·öÅÓ¶6›$Xu %áIEœŸ·ºÉò%F
+žP4a€ã¶VØ:!+¤»×¶×î‡ûl ´0j;¥÷oŽâVA[…Îá‰`‘Ú1dËíæ;Õ6áŸïÍ&6ò3ÅŽ Þí·³ÕíëJèþ:g×A6ÉÚ›Ò®œtјûSÓ­&‡£sO1Äõ7d% YIe*sÇ~ö]/ê¬nojÉw«ùèjh~í”®>ŒäXzÖ»Œ¼Q÷R©¬
+)XOAlþ莻ªÇÁCžòšvšÈÊ—\mKéÂáçÞ7Œƒ;vAʼnš„}¢ûŒ–4Yä-ÅŸ³×{#+Hm ~±s8Ì9µp/¾{Ô.Ï9m«ŸÅ%²2궩xWEGÖg=Ñaœ‡ý‘*þ3ì[ã¼"EÉ<˜÷ðê¥pÉJâ‹Zô¹X¤.«‹fÛk V–séGk´#¸ß=ìk×O+n¨A%¶ ¶b§èôÊÆ;Šü$\Ž°èêÂD˜‰Î¸.Jñâ<YÔï€A׌œË¹/?ÒÊÈ« brrG Â­ÐìZêÅæ˜Î92¹sJ3JÞ¿iÅŠ9|Œ@”‡Ê <‰Up‡Eˆ{’`®ÏY•åªØÊ£Œß±7­px|$ÚBg¤”l®¹Ñ…šÏý| !nâKÜQ $?õúŤ&ái²ç£×“4èÚ§´ø†ë|.­8† ׃ò¬WÍÏ,´dUÈJݦ‹04ÞP …M—âåÙ>¬ïFÍ]‘\Jdì?QÞàÒ!—ÇÚó‰
+eªYÜÕ›«<l Í㟮ùÀŸi÷yû\'-f"e¸ÌB‹4UtêïÔ&üú)ÀGML]§Åš¹c™©ÜÜ–e"I3S4››k`ÈçÕþÀaø•ïDáWʸ)ËüÈÐ¥°»&; ­º1­En âÇצWÎW_ŽÉs„¥vƒvžhâן2²g+•Ñ¯ú¢IÌÖ{¸æ®¾Õ©í.׊$9Ã]$ƒD3Icc §Ëþ4žZFW—C™×¯é•Ýƒ¹ÉóD¸_7Ú’ì9›/z¶§ìmZ›ƒñ“¨‘Ð)IOòMq×ð¡Ñ£Œ&Ùñ†*q]O[Å枯ÐÄ£4°Ž4LØO¦šåæm‹Ä
+n²&†°*¼j«€e2x£ŒM}-ZNòCMxOC½…ã¡¡—•¹äå£føæK²2?‚ÀÝo5Ð6CœgÄô,›¤ä’`p%oL¬9l'…•èa¥—4ïõ>Èâƒ[®Tþ{7†¨@×V@õî±9¥ú墑-7!¼çì«=pÕ0:Ý/s¼h 1(šïr’»&Çí4D
+òÊ¢rÈY*caVøõÈ€ØV¤®M'êÞ1V>?®#n>¿ƒñ—þ«ÉÒ£!SÆ€j–©Nj5J6Dä„oÔ¨µ8廿J¨‡Õ+QiÛz¯éØä-³Ö³Uéh±«û
+ÄU¼\4Èòá ÜÞ¯Jý¨»}
+ûIøR1\ÏKÌj‚MM ÔÖ[èÛ ã`R°tžLIþÀbÀrgÎˬ!ÔÆ{qÒrÖðú3<?€<ÓÞ»# tºI¥}Âþu5Pq'žT|Û9<}ù±„K|£ÂZìªB24ý½€·ùž+tEræ¬n¬[t8 šmœc/@=CD˜ùxVúKŒÑ"Õ¥júøý‰Àw j˜Òú¨`Uá›e|©¹…5F:ŠNÈïÁyLŽ»g[âM!2…òÚÞcÊ«˜+6Mx<Ò…ÓñI‚³[x$g¦°ÞŠ¬,³QVûÎëzGË\öí®jÝ«;Ç—“Ío°ˆÄg˶ü,æ0ûD$g7^çZf\‹ÐÛJhÖNžñJY%mÛñ‘”wó8E-7{‹BîRw~_ìZR£ßØu*ò¦§–a ç— ­Ž)
+ʤÕ"57Ié=J ÎüF¦2$hó®4A³¾H+²|Ç”£Ó ë-Ó/ëGÅ?¹¬ÌÏ=£tÀŒ/§¥ô‹RÆb³Æÿׄp1¤|ZÍ&6;CÌ¢ùC/²^úXI=!A]Ñç3ã´Uï/‹H˜-EΰÔ!OÛO˜}-ðùL,¸_`¥Ég­üT’gMtÊì¹8¦ßwb/17 ÷à .ÆHÊ
+E è3‹$-,¶Æ¾+:̆µÔeyø¡úSí™»‰È÷?ÎV›ßõw=€ý$ÿïk~²o™HŸƒIßÙÉŽX`
+‡UžSØ,áµàé|=
+g~nM"up^ÅÃÓíÓêè” ,{!5ÿ8¿UËn
+÷&w?Øú&aÅ/ê?1ê0Öù½úر6é÷&Üþ0†£,Æu;m· uÚä‚úí&º‘ï^C“u"Ëe_(w´#øÕd5J, ;çaÌ3EßÁ,EÕ–¸™zèBeò³ æ:-ÀåøJÜë¥Óbb½¿j‡%Úˆ!í«û0ê®.>h~÷ycLWÜØɱ¢n©.È£sr´nÕVÆöÍZŒˬ‚²ÔÂUŠÀö|¥¿Î¥åÚþ ‹Ç=É7÷N„ V—|¡°ƒw¤¢&닱¿•Èè ñ}¯ö㳂ÌÅïø^ŽOu” Ï™r•‘¿½Lyk¬«P9~gë(ïòZð틆GªDöž;Nþ¬œo™ÍI¥âÉl᧢åЪ!ÔÞ˜ìb‚uh*²Òˆ&úË'cÔns®~Af=çRhÈâ2,š9tX¥Üä]œË1Â&Û'©AX™»ãp …-ζmmˆ¢ðÔýa¨òó=“d£q !³“Nγ
+>Íýøee‘þ„1~ž¹Lèdéק‰˜§òUPG;K‰SH9÷µóO9)ÖÃdøì)Só̇”ùdؾh€vå× ?9kèd¢^—Û1ÊÖ¤Gœ¯¯¢Ö —ü2@vùÈ}˜ÞIæ,h~‰:ߺ$HÖìgù@ÃÔîO¹Óp*@û8¼ÏÙ©zF64¡Ësó"î@­,íþždb©d\‰œ=ãhŸ#§ˆ‘øíÍ-”Un`ÌÔg­ñ3“HR\»q=éí­pȸ¤Šø(âög=:À£³¦Ä'ƒ}ÞXºÝ^ýb©¯-øo¸óÁ‘
+ÌÄŠvu
+˜ȧ„P겄A• ]fv/‚Í–~H;ô„¾u oRùxoù}‰fí0æóÞÕj[+uñêN†Ã¶¤P!%8¼ÿH|›‘]@^Kl!@^) <8›Ž·n|,ÝyŠâOÉ6MýZîzq´:}1üä$?ÃÃJž<Žñ èix±ÿ«]×»+ é´ UÖzNYTm_ ~É­m.7,Db nuM±ŽÂϺaW! Ó‡gÒx 4*Hzé·<Ì04,%ÿ£ëzŠ¦ˆÕÔg”ó¹f÷é8¶Ñéî)¡¸<‚¤ðöù½ã™·t"ú_9ËÙ؉5|ó»9Ä ×Q§XÍþÔn{2θI™ÕŒg$=A.u‰÷›ÚjÁ†û…浉MO´÷ I~b $tdIî~AáB"Ð9ÍÙü97d'ŠÚ >Šªï7¡1 ¹Q\cHj?רQâX!ó¢KÌó= í Cä üë‡]¢U+(}µÌ}‚önB-ý²ä‡¥­pÖã‚–Ÿ8½5üÕ±]‚bɶ[Ò}ûs~3L±Xw’žrº_o=af—'œ=s‹¸à8Fag£Ð|ýæŸÛ†><¦¥ª˜œ:¨¡Ó”¦ iåSât)Ñ °¢$3ÕnÙþŠÞΖú•·_›GJí¤·Ž\ÑÂ¥T§h¯9´KÕª-ŸÝ²»ñu—©Óe¦IùFÆwòÅ'3½=Ê
+™œzŸŠôÍ‚í ÌN†ÊŒ»*ž;+[åñ­ŸB–{Œ~g+bò¡zü*É =x¯Îc9GØý}]e ìq§ZŸµ`)¡µ-MêìÒ¯x5«9Ù©s‡(‰žObõÝ@wk›«`må¹£x!WOŸ§LÐ[óÔ4"–:ëêô—ƒ[°‘»g10Å«š5íÂssÌv³ïÈÌ<S3[‘zÔPE+ é:ûåÁ«JùéüJøc‚u–¹©¦h½”l~þ·œž.â,>œ¤ObŽÐW½E´«iÚ^7êµÈA·ã,»ßô͘O”¥ÍœÓï[§9õÓf¶ô9°åÂ#Ÿ×–6l¦G“š˜Þ1ÊÓdQqÆÞË®sÀ¨„JÉøï}ˆ °Ü,€‘;`aÖ5!€bä¯àbÖl§ÍS*Köì„¢Gµ„ î’Ø̯üLXz¨ÈµÌAí!gßÚF÷¤Iè¢MnÞã?µ-§¹éÏʨNm*°ô²èîˆéE1ô+[çD•½Ì‰Ðö|® 
+ÕÛŸX%`z¼Lõƒ™±î¤Þ1{È‘HÓ#ýEENð=’ôGž»‡.>iîS ®Eò€R‰ÁÞâ–ì–.£aÍIÖÛ^š}²iø/ÕÈ䆪wÅL~4?O¤#V΂öOØ”%';Ãê!“Üd·p²…q!oceZ³sbØàß
+Ðú‡ä9¬PjK¢!zóÙ!ñHaŸ´Þãïÿ¼£êOß,?€úVÐz¾’¢Œ¤ñ¸gTW-Š«XÑèƒðN¨PÊ94X}chAc~‡^ÅûI8Y½-°Ji ¾á.˜<®¯ÇIâšo,¦ÙNì¥#ÊͽÊûÊàùk¤lùnýh2³ÒþÝu<Aíâ$FŒþ¦ÏD!þ:ƒêj%FDõŠ‚QúPÀ„´èÖ#מbG¡³°ï\ùe%mËf›‘g'CÕ䦨 Ñ)Ê$‰‡x`A%*›H«¶#Ì'å;…p‘ûÚ9ß/iÔ¤N…ï#‰yàE×Óz˜8ƒÄÛ¼êpXe€N®Ñ †µ§r%ç˜û7¯¼Çé&ï`Foùª’׬ó›}tW™ë',4Ó‘õÊ™‘8‘À`Z*\-šðú[Ü‚JåÕ®{i!Ux„T û•ˆ¼‘‡ômÙ85û)îÛ¼e¢ý¾KµÔÌ;¨žè{ÜÈ¡¾è{´Ñe¼Žò»~!–±l˜×R¡^n`žTG?ÂŽÎCMž—û[©s¬ ;ZWÀá¤ì`±3iSw-iUÉCW
+ÚVâ>xj„E‹ŒwêIo³}‚üH—ã
+Örú ãkÑnT‚e¿S< ¢x K»«- 1…‹54ËÆa«÷-ÕÜ@ÚUóªîÐsL/}8ÀѶ›Ñl¡ò‰ó9È+ß©O¹È¨qD‹£RKˆ7hëÀûÚë,l³Ž[‹x³#‹³ÆÒ4
+¶ÿÚ®½–ZJS•ñ~´õÓp+S!¨yWC6Æjy.Lä“X5­ ^g˜Â£˜ýÿòƒüÿþŸ°°š9»BÌœí}œ.®ç?þ€‡ü¿
endobj
-1062 0 obj <<
+1361 0 obj <<
/Type /Font
/Subtype /Type1
-/Encoding 2149 0 R
+/Encoding 2729 0 R
/FirstChar 2
/LastChar 151
-/Widths 2156 0 R
-/BaseFont /MRNCPP+NimbusSanL-Regu
-/FontDescriptor 1060 0 R
+/Widths 2736 0 R
+/BaseFont /MNZWGF+NimbusSanL-Regu
+/FontDescriptor 1359 0 R
>> endobj
-1060 0 obj <<
+1359 0 obj <<
/Ascent 712
/CapHeight 712
/Descent -213
-/FontName /MRNCPP+NimbusSanL-Regu
+/FontName /MNZWGF+NimbusSanL-Regu
/ItalicAngle 0
/StemV 85
/XHeight 523
/FontBBox [-174 -285 1001 953]
/Flags 4
-/CharSet (/fi/quoteright/parenleft/parenright/comma/hyphen/period/slash/zero/one/two/three/five/seven/eight/nine/semicolon/A/B/C/D/E/F/H/I/L/N/O/P/R/S/T/U/W/Y/quoteleft/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/quotedblright/endash/emdash)
-/FontFile 1061 0 R
+/CharSet (/fi/quoteright/parenleft/parenright/comma/hyphen/period/slash/zero/one/two/three/five/seven/eight/nine/semicolon/A/B/C/D/E/F/G/H/I/L/M/N/O/P/R/S/T/U/W/Y/quoteleft/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/quotedblright/endash/emdash)
+/FontFile 1360 0 R
>> endobj
-2156 0 obj
-[500 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 222 333 333 0 0 278 333 278 278 556 556 556 556 0 556 0 556 556 556 0 278 0 0 0 0 0 667 667 722 722 667 611 0 722 278 0 0 556 0 722 778 667 0 722 667 611 722 0 944 0 667 0 0 0 0 0 0 222 556 556 500 556 556 278 556 556 222 222 500 222 833 556 556 556 556 333 500 278 556 500 722 500 500 500 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 333 0 556 1000 ]
+2736 0 obj
+[500 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 222 333 333 0 0 278 333 278 278 556 556 556 556 0 556 0 556 556 556 0 278 0 0 0 0 0 667 667 722 722 667 611 778 722 278 0 0 556 833 722 778 667 0 722 667 611 722 0 944 0 667 0 0 0 0 0 0 222 556 556 500 556 556 278 556 556 222 222 500 222 833 556 556 556 556 333 500 278 556 500 722 500 500 500 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 333 0 556 1000 ]
endobj
-1036 0 obj <<
+1320 0 obj <<
/Length1 1624
-/Length2 8579
+/Length2 9769
/Length3 532
-/Length 9443
-/Filter /FlateDecode
->>
-stream
-xÚíwePœë–.îîNCpwM‚»Üh ±†¦qw'H°à’àA îî48A“
-šó“‰Œšq?>îìœK2Ý+Ê‘JÆÇ®5”岦ÍаY±:f¿–oʇø«8…| ü}ßHdt°ŸA¨ï}ÝûN†˜B¨×w¡è7ÖU(^˜å·BZų~–§¤ºpz/ÜÚœ 3”ýŠ9Š9zFˆÒüâê¥Ó&BŸÞò•Ãtk„žæìwjH)dݶ])b~¾¯Cl«)x ŒÈ7Á|‹ÞÍJJù›”º–Áøø½¬¤Gj&³}ªlYØ ¨TH‚m^®šß~‰Rr<‚¶¾½‹;v_ß2žÈƒÏË/Ä‚¨eeŸXÚF+Â$AV}V6¼|c‚ª,V©çÒLÙ6ç´QX¸±­r5´òNZGÄ{.<ªýO ·Œ4T z¡ÐnŒ›LćÞFòwIñeóeòz ëSÔÓØt賟z~ZÚïB×GOÂd/JLhFl53kZVf,|¦^Ù›cÍ‹Œ·µ®V3Š‚Ø_l椒ü¾?#^套ÎRó±z/ÿ'œø:RÆç0D*ƒÀ…ñ=“M
-~\û¾g»5LÇ×ð2(JÆâjU” ýçF¢AíÁ‘¾ØÚ·åý¡[‰ä]¦šåejqmÇè+üä®»MxmÖÜÀÅ‚×Á;ì#oÑÀÛøD›Ì‘ì
-ætÑÖêW«Kš›çêDSIB?'{ØHi“C}i–¿89‹Q#8()¥qÜ&s:c¬ÐzGÀ·k[¼©ìï~²D©O}™¢¹ë¡ßàV,sj[3T‹ôßÕOLÒkOh3íµ:e¬êõ’‚¥Ixó0$ÚÝ¥þû™œÃ¡xˆ`Ï9ã‚ØKþO
-?Ù~½ïŒN0œXj Ÿ3/û2Ê%ÇúSÂSÜÆhãœÐTÙÄK
-ʤz4´ð-ìŒDÆ9ø Ò™çäTu´“õ_.’Äån3~ª>4 6 …
-?5캜(¬öçÚnd"à­æ7…½“4UÆbVf=åî¦bLïS7Ôpo5….×ÿÞ©¥]—
- *°?cÇÒnô¥Ö³«m–Ž!©À³yƒY0˜Þ©øRA>,…o¦†ªûu¡âå¡ÏöÕ
-8[‘mD¡9fŽIÏWH°gƒ3Æ3È­{ß 1«Œj͘¯nÕÌkªäÄ¿*c 3‘§›ÚdŸ(‚Å—£ ýìå_¿^gìAÒæKžn[— ™`ˆx=u«ÇítûØ´‡Ðá:ÑJ£±šïbÎÓ•ddqÛÍüå Nº™;á$±ƒtT퓱åÌé÷ÞƒöÔÏT ´³è~9»µ~²ëõ¡´Wáp#ú‹TsýSáË1AºÈÜéñ*Ì@¼Ž¢¼¯Œœæj½úmXqê$’¨Ea
->]kéÛtïŠWÕˆç5|g('®_(ûR®†ˆ/νxD¨}c]ߵÑúéÅt³"SòAŸb
-
-ÛJ§
-QZœsK )!7 ¢)U˜)%ݯð
-F<¯Tváî7üŠ( $4~x-#|»±JkP4ŠZ¬pƒí„ÊNh±c…5³³:f“ís îBiFí³teÈßiήÞ鎙øÑ0%$§§H•†ûYðI;‰:|€‰û8}æ®îØc7=sMOUK°ºöZ ¦ëQú¹ñ |ÉꔕQZQעŢÉZ0ºvø¼-…^_'T…\Û'Îæ<fÉpù¦ÚãÄî÷gˆ÷Øðú÷y?´ýëqcv?¾˜ ´9M½¼`T¤o00îtÐQ;úÊÖíÔÎ0›Â²¡Kªnœ=q5&bºâ© ¤åy«“C(|©W™XkÚîeÌÚöyÆÛ¦Lϯ×+®ª#£¶/mñ'ÇCZ‡SŬ„2¢—ïŠÎ+äÝrìÌ«>5ØW„î犷8tO\§ìµVJßÝpj¤û?‘Ä,¸:Œ dÎiE+ÃÇ£³# åä NŠ{©µžÔ/¼G¡—©j8ò ;,ÉÛú…C¹ŸXݜѲ^•-¨F1QfþO’ÂãLºÁ™ñpqNÀå$6/q»Ö$Çße/qð^émv»ï]ƒf"gÐ’…‡IOžX0rr'jÔ@퀚3K¯ÅT$‹“8ŸÄ~X¡¨ šJÎ,ð®T“¬CâÑŠ'¤ñ·N^y]t`‹w¥mò4x\8w›zÄDgx’=ÅR­Ò-i0,‘toß—H§v/ nÀʼnuã63U))§ñÀ¡¶öò]94pŠßŸ§‚8ðe=úÈ•e{Ë&Fæå9S NȬÝÞp)»Àô7¡_úw Um\0ewœ¬¾Ýpb.ÿИ`Ï^Ff )0ê{©jœ.*‘M8G
-Ö°¥oµ·LµžLÛ¬âQ­¶>§Ãýåy_®ÑÃlݽD$»ÈfQ«~ÆVx8Sh'@Ž®>§/”T3D´B.’¹=ßzK“hyzÏ t|tT×ö×Ï‘9û0”™Å¤CûŠçý€æcøÚ[0Qe\þ`áöl5“ˆQ—ã üE‚¾‹à“@úy—Eߤ‹bÇEïO¡õaä,~CýÅaË‹—Ñ.¯‡ÓÏÈ—!‡dûXn†1õÚËm·ˆ&áN»ïgà[Åʬ2ôV×÷Îå‡%Äe_›[Ö$¶§ýj#ã£0¨wrÿŒ®ý´^å¶>}­Çž¦è+¹5Ë@Ÿh†î¨PQ»N×Ì:<</õÖÉþ˜suŠ\ÎfŽjª¿ø“‚
-Ýj}ˆËB@T¡{ ®ýæ†{ùÇÔ÷ Ô ç$]Ä‘£EqÒWögŒ°RïìºU.Üü:XB ‚õÆf¡›ªƒ/{\'\cM¦7^†LÙ}þ4GìK±î½+¿ù^D䟽•à߯°Ðªícf^|yíDæ&ê»pV÷DkX+Ý^‚݉™­'´â·« Ôˆ†?ë§O¤(ZS:ú‘Œtm²ü¶#ÒwÝö`äÓ¦¬½â@¾báMŸLÝ‹ü/")qDco¾N4'Z†°EÅò êºxþ’Ë‚HÞhY¥™SLѨôëé$ uìU½Ú2»’Îß,>Š³³~ÝQÎI6€ŸŒç¶Ø—šï¹,Bñæ“"ç^úRKq=ö&*?ˆ3Ä$§{É}"Åv$ù ¿"úv–‘Ã/iݨ
-S¬<!7åf®–ÜN„§D…à~Þ—‹ m‰Ö> ðšM%vÒ;6-BÈ8¹°STWü!ƒÂ§ûy;-V’N >A…c^¤±ŸbûL™:ÑÞÂâÍDó’³Ü²ç-n<°Ü²ë\‰„¿¼“81¼ÜòIõç+¦»eV;ƒÓÐƧMñU…&½“Yš
-¿s¾f9ùO§So¸òr˜ÀÅ̘ú)…Æè=Ë—MÍàQÒ´…jìcYå^¬L+^è³aõ£î:]FŠ8ÕÑø³ G Kª¶sl"Ó²Œo™ß¹º(Y]S(ŸÅëÕGá^UY,,@r‹¦’TÍæ@Ñ™ø ¹G
-"Q1m>3ÍÃÉv€ê*Ó«KhoIVÙ ¤M›ëNw_
-Hª×6x(Rm,Ùó9'{ºaÇ æp–ãÎçÞß}\Õ4Ëö¼c*FØÏeqÊÎÎý(H%W”0Ï¢'_S;eÕ|[´4$k¯í Ó2i^†¨”iºbùÖúp{x¹ŒÑ{Yd Ð)-\}®×ú‘LV?Ïr
-ăҕõk…&X†#Q‘¿<Z?
-`‚˜y’2k±õ#ðgÀ«HœêßÚËÂ/oS‹JK—a5Çp'fLSÌêï¬]zFkÌ,›Ú„ºnö|ó¡j^-ÑOvÜXo›ûå ð/‰H×E³­VSä«0k&´¬J2ŠÜ=ò¸Ötçæ™Fqwæd>rÇtŠË†¸ã/‰f%²5ò("ä×ke9tÈsÓ–ÎPŽ;fÌñ0Äl¼xNÃ$Ô/„K¹rHˆ|ÃPšÅ7ÈGÛGè)úk1c\ë¦JÂÒƒdÏ“xè‰é`Æè;ôpèQÒeŸ8Ð{îF|òœX`]ïrrÕ¢Cù5Ä«e[ƒéoðïç¹Ä·È»Y.¡¼¹º¢ÒïoQ‘×UñEÓ#é|GÇ5Gåvt:eìñeñ÷Ê6€ðmªê¼0ÎùuJ©=–ÛÉáK°pÈ/¬Ÿœ²3a¦¤c‘»¼ÊÛ¤§(uÔ|ò½bI*›–©a­ý:Qó]§7Qå×­ÑÒqµÔÝA€ZCj&­¿ÕMmùü5òì÷l{Ô÷NrlIÄ6¶²ßkä£Q·ÏgZÞÿÞŽþæó_\¥V~)·÷e#®ú0ñîÃÜmÅ–Wjd<Îê—È_a%Ÿ¾ç IOÉ`àQg(Å—rØu±†ñr•Nzâ¹ÉŽ³,k…ð¸Æ[%½¥œT ôÆ ±-:d*yËÀz 2ù9_…V³–`}ºfεÁ©éÓQb9™¯,ø㺨¥+)8ÐvMÓóò}XߎöÊ›¸h²3OS˜©ÝËWÝ©È98ÌÞDÉJ§”' ë¦k%"i(© ^HU¸‰E´ÓM"í(Ï<Ì!‹…²VTô@Å·;&×uTã_¯|ã@läbz̃÷Œf'œn}RS×Ôñ¯ú€÷®ÝWM]Xiwª„ä9*Ig^Þ7:é"îŽHåéHâ–/ÞŽˆÅoÓÏ×»¶"Ûì~Á
-åj¼ÄíyÉWîÌ-ÞYeâ”^P|Ѹ縱B)— ]ù¼Z‚¯²´®ÕP?t@'M­ožiÂäÁº>5mù»Æþ(C§z…Ê Z»R€=ÛN:Nœ×PK Ìu2*ñég¢Uª†õÎX7a:¼“‹_¡ÍEfÙÝögŸ´×­(yöé”ä$B0åMÄX”¹°a-{&£$>°ÊÅÇ!§‰£PÆ™az?k\M’ÃǘΟ¯Â»|(ÕE£_WF1"•B5q ‡y³9˜?ÀýÔÜ凲˜k(ÑD¨ÐÜ­Ë%’M_ k$†º:–$:):4}MŒ×µüÆ£A_V9²!òŠ@y²èI¨ÿ›àõþ¡Ð’ãED-Ÿ¾—ìŠ š6&¢
-EÍÀïíÌõc-„ºGœ‚v1ÒÁ n˜ûÓ%e)A—*÷4<zaÔ»z>"ì
-w©fïôöÄ®éã¢2öÅÜŠ~´zA—q_“1e¸âˆ#=e¾>5ЀQnïoŒÏ7Úî‹=ƒ
-|]^,÷5CÁJ¿­XË‹ó{êÖçèÍäü†ã£¾ö0²U\ôöì3ZÁBŸš=)ŠBÅóO2Ÿy˜ :êÕßõ,wÙÌìòé\ßmm*BÒµãiû6}õpêáŒOI 0yø°C„—ó‰Jï×ÇËU–î°T·»½ØvDûò¹ñ_D,×Ðj+ìi çK°£z„â<áOΚK–¿û$›$ã ê«·}ïÿfÛºŽ8~†½g3w›p-ÜE3†NT×— ê‰/~ÀFNÞ…zv’V¼ä˜×RÁ†#颞â6Xo™Ä6qӱɫ^¨Óâ¨p'd€¤ÈÃta©‚9ŠÅË–8è”MmÎúŠ0³Ÿ¤µÌÊôw{ç_ð’l»òÔˆI£òÌCû¹4Ò ©š½°(f®cÑ.0átlã’·²XL¢Ÿ¤5˜~4»§y Æ@³k{(̈Àn} m{ÛóO®Hl€ÝàåG;R½"Ï>'C§ÂéÜœ(‘!ïä8Í•È(mÊ{ 6t=‰©OJÄw]RËs£ô Æ\pzs[ú±{ÁÎC_|ÞwÛ¢jJÈY̺ŸúÕÞñ‡-Ý/¿Ê¼Y6ì)E`w¹†;6ˆÜ„¿‡ʽR6¹Ú£FØl@eç2ù؈{úý ïþõC •s!Á”;66­R×Âóò··”(*9÷WsÔÜP÷¯œ~:`3ŧ3ªGZkO+ÚÈRSY|ë¼o¢1¬DpË9j-q—ݵýð}ĜαŸBÈP„¹×~ùé¼I2èüš“xþÄt¼Û·?//I³r,í>šo é`ܨ=ƒ§Z˜ºüúí?P]ãí€ÓHÏ¡ÆfØî¬LUébH i}pXabÝBdßùˆvǾ^È0Ž3¿a6þÐkºnUõOsP˦$éÕíÕªˆ'Å\ÈÞ‚LäAc ¼—c·¤¾ÅŽú¥Äe£”ëmÖÙòÐŒUÚèÇÝŸ â´¯ay0=vêi'¼«nH¼ŸnFb²Õ¸ Ò€ŸƒÁ÷!³¨R\ ÿ
-~uÊÉfÃ.!#¸ûù4%mBKÖèE¨µ½ ÓX·”6LÒÚ6!³DYíaffýOûêWNª}ZÞg‚éž›HR‹êõl—z ó×ÔD57uó=5†!'M­‘‡AÒº2E‚¯:6ÚF§;©RÞ‡[BzK+Î
-ß!`ó Ȳœe
-dº9„ÚÑ£onÖ42íöÕ‹4ͳøªƒ“Ûˆ  +ÖÚ@{”e­^ßxgD_ë¥R6ŠwˆŽ„-7[:ëRöMÂd›2x•û“öÙ° <ÍùG{|E¨ènîÆrSìÏíŸXØòÄB¥:q–hŸýǤŠ§éLä]"bF&ÆWtz`k£Qøªj¾ƒ¾±x±2U?¿
-(|Yr™¤AÛŸ•^þþ`ãMaá“Óe–”ÖOa#aTÉÐs;nÁ@úwm¬ì^ùÊAÄÉôæ"\í¹z]Ñ ÔŸhÝd‡Ijœ×éóæN¹šæüŸL¹†>Ã1NeÚ‡iÑEÛË¢Rõóó"( me>´â åâTï²ìÒf|ãÞ/œe¸²bîµË×
-ªVŽ…¡TYÏñGûçÕ‘¤`s
-¢à³çúísÔëbdÎ:Õz’¼¶qËyLmcãvü~(5Xt¬_ûïíX(úÎñ*|<^ÕV$yAQ°¤¨Ó@ãpvZ#{-/!~+X3>mÚŒ¸RK4=ÓÁ“¥Ó~l_r¤Ó콊%«‡MòöL˜ÊH"l l´å"ßšÚ%““U–÷ cê¥B5à+ƒ_'Ön*œ·Ø =HDV"*õ¦À‡ôJ±í« kwV,f–¡tb,\þ#¶÷"ã\>“hYß¼†÷¾‘xïÕG™šÖ1¬Dµ€Êàw|©+ï¼lNü?x}
-/’½oÛ÷¾^LL9-†ùʈ†?d×8
-ÌÍN;^I^Ü<8[afóøüìÇig*ôB¥ÛRôÚ_…'Ñ·°¨’sÚær©t É­Z"q_½âæ.YžÞýìóörµ™´vE»K
-“аg¬¾yrÞ×^‡aî7QvN1}×±Á꣨å¶Xiœ¤Ê§¼„ÆæñR£îQä1‹Rä;Eøê'Æù×
- ë— ^ú©8ð7'B<9ørIÈ–°ºäm†£Å6üü»É‰áËe¯^º¸ÜEÇqwÆòÅ(*õþ©s~¿•›½ ÁìmQ-V+¢&Ú·I„' e¤ÝV‡ ZVfñ_6„Üä^&,³¬ÛÚ#¯ 2^ã3“D®<ÄûZÐ P}D¯mþÜF`­§5N—Ÿ7¨³ÊŒ´Ø©QmM¨Žná.^"¦ä­%ÎôÂœ4võjõqF°Âù{ìmYUOSðöG²ˆShsàšÉ2Eø54^“ï§cù/ÕD@ŒBÚt2[+a\^b¦~üi®yxûP`éG½<yÄÄÍì¾ÍFµžó™m:Jd€cZðëDÎ> økj–>¦zSK·±Næ)c¹“ضž­]$+¬àUF¡i—×XÜâ“ØÙ±Ý[!"ùhð&ÜpoEáX
+/Length 10632
+/Filter /FlateDecode
+>>
+stream
+xÚíveP\í–.î xÒ¸»;ww4t5Æ5¸Á=×àÜÝ‚»k°>äûî™3uîüš9¿nÝ]Õ»ö»žµž¥ïª¦£ÒÐf“A-ÀrPG;§0@ â`áê¢
+uTa{µ©[ØC
+ÈÉú¬áðŒ=“i@]`.–Î'àÙ«†ŒÜßqÂl€°?¾] Ï0
+ÃÕâhýÏXÎ`k 3ÈìâòLóÌý§:ÿÌð_²:9Ù{þe ýKë?c€À\ÀöVì\ÜÏ>-aϾ­!Ž†EÑÑ
+
+àâü[ruúævþ«@Œf†é9 êhï
+ktòó* íþ)áëB¥æ÷•!ìµcÂMž3‡NÛJÌ;/íÚ“À'¹¾4Lyø+ô-,;¦…Ø©GúÑÞ§ßUÖŒø9õv6F4µL îQ(ÇZxœÑN¯™hÜòi¯œpü,“¿Æ}ë…{Qõùðˆ>aÿúŠ¡g°¿¯·ý¹s›œ%+NÄ ›>*à]¹„‘n©w­¸ìà0>¦I‚Ôõ’7¶_„›üë%^ÍœKüÉâWöIñ‘ë¨âx&CêŒm
+ä¿àh×ñ€F3>ÒaáÓ®GÀÇíí3IúYbɘ¨•šâÓ,&ÿ$ˆ)66ï7¿ï†%ër¾Ê_îoj_Yüíl§¾v‹w'J‘ñwÛàÎ}¾ÇÁú„l±•÷êµÂœé7ƧøêjܪŸl±Óä½
+™ç
+™zçFˆoxDÔŠ
+’ÆýŸ ò¸K`º•ü~O3¶Û•Äd2.›ïÈ"oÓª›+sÅ¡9&˜qèLÄä÷,Ä”U´Æ—ÀÃâÂ.©éÔ–ÉâEƒ€"~ j´ xÙ
+ÛrɱÐ×_[Ú)±£öô-bݸ= ñÍ —öˆÞXi†šÄʨ}— )Y§(ŽRìº0U²Î<©¨m.[*ÓÖ)EûšÆŽG±W_óâšîÅœ^sÆ•U*âCw-ib|Lñl±œt‚z•ìqz«ç£©•´:lÿ#Xæb¿ÈîmÍ«akÔÊÆ¥is¯Iq8?#33¬YÁ±æ–Ö
+U£p¨íùz槗÷7§DË\Ô2éª^ €4¹œ¢Ë0i΃@©”NtiôV øÑ-{î- ^ÒßúCŠQRæ—?S„›P·Öh ÷DUÅ•ôm| m«QR¬Û|Œ¾ÄCún§¯yè…Å>p>7ðÝÀoì#O!ÿë˜V©Ã¥ ÉBMb˹ ëgj„“ñ¹ü·]Ìį?y¿ZìtpKqtŸáçí¨84Îd‹Syþ¾¬Ÿtv­´‰ß®U—^òȧò ²®4-íÌ’ÏŸDáYÜ›wöjt¿Âî}Ä{µóÉŸü^9ƒ›‚'¦Ežbõè>ÝL»âï¹8j¯(¸¿Ò10#·ŸÞy¨”¯_Q˜qÊýªRM­¶#_ì<Ð'Þ:^ìö³¾#ý½¨¡&QZz±ÆÓnš
+0L_ÅÈ™a攣×w¾js¾ƒ¯kc‰ÓoÌòAoÔH”¾•Ým<ìè·WpÔ Ç>£E/óMæ¨
+¢Ãü)Ä‘‹™”!‚¬QMžZVçü£ÅÙ?f t˯f'+jÉ 2& Ÿí¬1~»3Ù]*¦eæPˆÁÃ
+´(®×áú7¾õu³°XDsÎФ-ßæ ‚ä< ]¤UO_CÑ÷ßC}Þ„©Õ7ã«$³$~©T)*üſתŒ?p3Q©}ÇéÉ“h†Ì ?‡'²½KµƒgòëÎA¸t,´ïG—½Æ2ÕqJv¶"ùÄÓ/$zÀ¨Âo>Óxùå„?æe“`µl˜&eo^äkbMšn«Ä6-ý…ù.Ìúo$KÅž =_Í@Ÿq¿úܳ}ïð¾) î†QZ}GN޾Ȁ"Ÿ× k¾Åš{7&H¢ñ©5ÞbTü®ãÔw6”ˆø×g¬F¼×ØNF´b¸ú ¢L¥p1–Eñ‹
+[=@{TÌÏ à¹ä„á£úVBØW
+e?«ïÀï9Ìüï†LßÓ;Rñ÷†yá ZEåÍ´% ¢ ÕÚeªÄ&Ù—dwàšÂ#ºŸ1X*Bè$XË5Qt*Ñ"ŽNÙ²”äÞÆx©º…”éÙ)Ÿà7,5Í<²wážÿð€¿($ò/ öý²ÉG
+©^0?J¹Þ%S0F½¹a[A3ª_NáÒŸ5VÿBÏ~
+þm!u‚±Ý.óû<¥X¸L-åÀ£~Næ;9äWh·¤ý/"Ù+‹bˆJú;ò®Ùf—ùMØÅÆ©ƒ’™Š”µÔ›ãÂYO±"X{6´¸8ÑO YÊd–`+…þµQ¦ÞáÍ–éŒÕae±ÁwmÚÉlSäæøFBîÕÛ‘GšR™Áëxù¯Ÿ<ýö‡é/ûR#¶*w ©"/@€P+JcÞ‹¯_¨L$¿mìS ©—áV瘛hòÈüÀÊ[†;{Øå\I±Ú>k¸ŸÍ6ò®LèWhÊÛ§d¨n%ôÛB%ÎK÷7­8äÇ© )ˆ¹S‘£ª/OjÛœSNÕ[7’•ªq®÷ç„ñ'Æ °88<ÉŽê Æóß>q`™“a Î*($}RÚTžPÐio £·f›oa?ÖxXž“`gôß%î;P»®ùÜ°R>)5Ë5)ÀÚPoX`¢ø`*7…ÛÄ»'´«®5ùÇ+Öúuïno¬ﮟ9`Ó<´»ÐÜëOÌÄpâ’ÞÀæO!&vœÝTéR~býî¤á’ŠWQ|Œ\!EÐ:¸ çB«eV>*EÔOþÂÁs º
+µ‚ˆVžÍ¼Jæs=Q‹•]28m*~)„2…ß<òY§ó‘˜
+D츜£/3à¹LÜZ‚(1±»wéµM ÓyKMØjY,XpjuG£äŠ3UMx9½gèOl´zÛ~‰ïß4û/}è´÷tUj»^É0Ô.½¤ÄÍ6fø¨·ÏÇ´ÉöH¯ƒÔ³˜-«Eƒµ™6y]Î(.öˆCŒú›
+þbXïýÖî——UçN âô7&#ú³yź)¤µ¤*›= A+Õ/µwªY|§î«Itô^¨œÞýøŠ kc!@Ìâ×Îoé–TÐÂKª¦ÅY&ÉŒåʹÃI
+“Z#ω,VÚ(œ”MÕÛ‚apa®šR虶¡#ÖqW3¹©aþHï«Û‹P>koQÙYvÓ}y»´7ˆP%¤o&Ê5ëÉFpJX¿šG™sÈè’ºñÑ Ìã‹AøÖzŽcøáC ô5slì‹vRuÆê=|aOLÙ!ePÇyL­Ÿ< ïíïaàŠ)æ¥:K,…_îãþ+t2†:Šu’&½ïë‰ÚxÀCÒÄüTœîS$°#géDèxúl+ÍãÌÍqä]‡çÏsº÷=5¸Ù³˜–ŸÎÕ{À¥pYqBx;µ Dj/YØ—ý–3¿¯&„¬¥d±ìTâ”qÙ+W{|°[TNôƒñ—SÿP¶§Äh™ïE?ÐC–Êt#½l
+Ëc$9h
+XGô.£Œ1Õ“MáX<´¼¢y¢ѽâ ÞÃÐÓò™wN7¾·ªûTÂW¤ .Î/ Dxh!Öw·%ãTÜHævŒMië„»t*‰‡Šm-õ'œ¨²Exz/s…‘e³Œ£ë›'>À&­.`Å:¡Äíy¶*9Âï¼s*q$x°ë®L˜L}ÍÏ3û„ýÆæ—Âo¼–N#Õ¨åc¸ „iÞY·S÷¡#ÕÎt@
+æ@à§ÃÍ[tW a¦Oc³%r"|”É åoxªn‡8àÅ•Ô6úÞwuÉ^ oG„$®Ðè{9³IÈêÊ£¦9]ÏÛ/FVÊ,‡2§Kv¥mLA†Ü`£ùvÒÞä«ß>ìÌTF”‡OhÏ‹#¬É}D¡j«Ä>ÔwLæEUý•œSm×òm Õ˜_©C=D4É"Û†,QVJ;2IÖ 'ËÆ°jW?EçÆpë«iœŸëÔÊ(ŒlÉ—km?\æ ]«ü+ô»¯òOõRÑÜhImV‚ÜÖvÞžÓJ–¬«i†˜’®ü9~.Åò?AEWðZQ†ú2Šo]’˧Ž¦¯F$PEy¸>¦ëD’à€q’_Ï•o[¤KƒægK+Óq¥õ{MÁŸÚyª¡WÎT°ÞW
+ÛÚy—ÚnvI]Íd¤L%úk(““¬Àj@bÙñó0µ§ÕŠ)'ýÇŒ³Rf•±åE*Ýç-å®}€)W ùR Wôœj»•ð±Cÿð81fôêôq®úø×'DÎßÃîÓ.©Â¹U´ûÅKmM™úŒÜÒ¹d¬âyd”„è™Y~¿ôÊ@=/jÉR½è¥ö.5SØGäšl‡e‘ÓŒm
+ÈOâÙ~Ù'V«™S0‡xÓ™8C‰œ†d£Çýsûž"¯¸±]¸ê´î>œ³æÐ|ñ‡™
+Jünqèèרô§Ty½šƒÊ¿¥I·Aq—õá‹Z%9?)¥§üŠp¢#^lÌáŒðÖ„„I’³ÑÉ!´ðKˆ«åWü–¾UÇCÛ¹†’º‹×®z*®éhíç&îÝÔˆ¦ÒpXNƒéÁc¾ù."”ôÃmPU›AJÒàäÝ
+Uf’å¤<k}Ì 8’„›åy1eª«‡¤7óÈu’p¬®¥s(OeTh—{ÀbÿýßS.…ˆKÞ”PJ=ËjgóÜê-Ô_h®*!Ô†—óXÒûìfÈ“7æÂ4{í]ùÉÚÒ‚oyâߟ0EY.Fœ ÍKŠô@ LUOŠi^w/Üê7¼C(˜ÞÚ÷‰éƒÛ~õ¨ºØØÕÔë’K‚qbHØÔX˜‡+…Ù¹=€ž£Zgk·„¹ž³gú²¹ÕpW-;ÏùzƒÎñ7°eO›âðy~⢾ï´m*Œê30V.o ¼/ƒ«ëŒF¨±L¡Ø65<_w¦âchĨGN Œ}tƒ®ÛzIXÈŽ«‡ü¦³ÅƒP†P^è2Õ(È—ÖÖL:u¹6—qéÍq‘Æ”7œ·Ö“íû“¢Œ—oŽ£å†më/û6ª9r~¼xtM—ÙlЮƳ ¤Ë4¯†‹30ËI(o³ÔIäÈ@¶Ô„Î<©´U'T9Eí”㦷™{²ÿ|Ð\¢ˆ÷4ÊNó> ÏÒê(HvÏÆ-nÂíÌìä`Þ0DEâÌ
+ð¥ªT Žºù&¡‰àëvHìÅÎø—â—¨|2#‹ÈûjàÍ­~ v ]_¤sË–¸÷£dLý¶‰¬óªl?@7~ÕìÁf/Ôý]ŒéB¾ˆúT-êS“H¾Zª[Ã,›ìÁD#wÛL­øÍ”PÀ68I…ûs—t5\œB¦Ïq G)fŠ…î ÇÂŒ}”ðª4,m¶Ï]ÍŒš£±éŽ@·Ç"4BËý˜ïÎ÷oŸ¿ˆ9uK…é‚V¨‹Q2dY’㇠•oÐXë\\ÁT7ôéL§ æ“Å=„«ßKì»×…ãåÞB^¼ïñ:e:ºûA¾ºÖˆ…Ø×%YäÜ´évJ÷\«æØYûùJV},6>Þšv½øÈÏi÷°6™’^¸OøM–!kÚ^Ù»<l‚'ƒvØCÜZ{óâË!3’î‚UDpì廚ŽgŒ}ÞLªzî…’b_V©ò-DÔ7™h~úÐcÅn»aV¼þŠäãôî´­Ô8Të/Añ^»»£öQÁ*I9ŒëMö|±s£[CËÈP¿Üù†«Ëeõ+tÐÍ ^‹$¾qobC!,cˆqÕÇ_ÎÌuMÔÌß`ÒÔ0Ù˜ú¦BÃညàŸJ}!éGs19lÏñ»Ö—³˜ZéGÓ*HËH"$o—¿Ub-;¶e;žÑœôGé?Õ¥AÉP§ãè}/¸½B °}¬<‰6Çz«ë=ƒS`ü¤4#\žÀÁhRoÜ;½¡ó”sTocíLÀä¤MøX÷ÓÃQ‰
+½å>V·.—
+ÒÜîªQè]‹*ðåVäIw8¶ñÂi›M‰œÌ¿$a| ÙòȱV¼ó i×6\…¼“Dýð¹¢\ý£¡J©ÔK•¹¡áXl¥ÝöVƒoÓÞ$âbÌegž#ñò¢ïF’pÌ ¯Úè‰Ñ^rÅ
+¥›S+YÊ;Ūìâ?¬_§IÅ>Ø7!ÒÇÏ£ûQ
+aÑF"$²¯Ö­|3ß!i#ÌT<ÆK[tô p;w»Ô.Š[°
+ £M~Ñg<ÇÿšâNÜ~¬Š$’
+œ\7±?·-ï¿ý÷¥“ MEo,ÖA„&±}â÷ÂE¥§Þ[:Ö¢•P’º‹qݼ¡©Ù¾u¾1b’0W—¦‡WG&Ù¼2ª¡t7· ,Îĸ—Áw¾Î”…uÑÎŽÕý9f8xºH]*ùY=ŤÔ\">_xÞä¾dB²a×/Ë—œ{íÓ›ã¾p‹Ä#åN³Œ„„×ÙZ¿5ð
+‹¢T4ƒ %ŠÑÔfj ÂÅ4L7¹ág¿«“qàïÖÈ@¨DDF‰šO`„®vÓ(…dE^€É0Þ±½ß­O{_õÌ¢„Îú‡Rô¤ê quâat¼ÉXe²Ì¾ÎKä£^´¹î¯é,’Ôªy–„ø<œ§c9\`9[B½‹º‰¬ÍDªc£ø,̅ò=åÃÄ3ª"&‚Œ™ž :XKdÓNBl|ÂX y‘|$F¿¼EcL;×Sü¾g*›EHç8’‰¾óűŸôûNYµ]¿FiS_q³;¾‚AiœôÂÑÅúÈÝÃNÞ‹Üwæ¬J¯@Ï“¡–ËG±M· 3% ÍÀ·°XÄ óv¦18+M“wÉâý÷8K‡ó–ŒÀ:ÉÉ/Œ-y$"£âµ°S]{:‘)EÜYíkN
+Ä¢ƒ7Ó*e¿§Ô¥Ä‚¦o‚¶n»éPà:m;Zd%«xc¥Nâ™aÔŸ?¥=€ýZuxçY+¤ó^¡Supã}ÏC£Õ,ô\r”xW)<çK qm’E+Ëç‘‘DÂó_ïŸÃñÆ@V7³îÒ³3›”a¤)dÚ?·Ý‰@xäÄÀc”´Ï0̓ºÏó"óâ½û™µrJóòZ˜JÅ›=2Ónñgkù"áz@éóa⵬å½µ?ÝæöP¤!}•-ҾфýG¨ÈVËs­Rñ²aTRïäËâ‚k\Ãb¿U¶.ÁãgößvQ¼h-aó•âœrfAÞ€ÊUÁèDZ$ù('€»¯LM£/hj¸ÒRöâfòg ¶ËŽ§ÝÞ»'ûêºn ³XÍw‡W×6>y~ëF—Æ”§üŽÓúÝ—HÒN•Ûë{Bk}ÒLþo†ô&‰¨¶ßgÎ~Á¼Ù„¨;¥rÁΑ½‚ãi?:±{Êc<ű26ÏÞSˆS¯ÉIy¸z/´Oœ*kYi‰ÙË6lRºQÜqà
+8¾÷z³ž“pTÞC»e1—´}FyèAò%Ó¼&Té³ ÌPæsî'éÄÕH]†ÌBøÓõöa"unáQaÝ,«N”:FÝÑû£i'Ñ£1»Ö[¤$ëêj€þFuÙ¡dò–MÏ~Ÿõ½bœ¶¹k½žØMƒGµ*‰ÃG”0õé ™ØЀBBVÅBZ_Âë /y LæBÀkˆß–œ2}Â)<ª2{2nUb^=èΗx¨oDÒš6ž_›ÊXÒÙÜêÚÐ×x¢–ÌnM¢É'¦WÍäŽî$ 9Jœ )o¥ÇH—ð“ q\£ÍÃ/Ïîí3
+†µËÏú蟥çf³ÖõÄ›M÷|!¶g#=êŒ.wtCìz¶u¥'}ò°˜_¦*›­PtÜaŽw’ëöR\v^ èTª(Õ:¢_ àT·Q¥´æd…úê’ƒŽCð×F³î>{ÄÉúÌÕ‰&Ž]bÑØ›Ë+jžÅýr¨gt2fÄêÚ+ÏÞ›í–j_€âY^
+ë1£äª .WÁPxjSÞI#Üʪ֊ çtûuiš!Çî½ÝSo·×íÓ8€+zqõSÈ¡,È!ë*T¶CÌ]ˆX­9v]&8S/¤ê`諺aÄcmHê–ELL.&Í·c_ƒ²ÍçˆSÈ<:~¦¹OÅ;E¥5Íq˜ÙŽà¶?ñv— nŽÓŽQ|oyèNÕïo磞YHºÜÈ÷”L¨·½ÛìC$?Màc¡"ÇN7ÎâbLnÙq:
+§¬ì:9§ËY×ûM¹6­È"Ù~ÝßïJ™uz¢ƒÏCz ©aÞÉ!âÚª8µs¨•<Ä× Òð쳯†²Å³XcÄ*3å²›Ëj†Gˆ4£j2Æ÷Q@\}’Tyž¸¢i¼á8t‚ê·ý†ó`gh‡M£ïBD¸ëÙ›0Âp^*•-ºkjÚ·Z»æãÜd¨ ÅüîÇ&n»$q‡˜,[ijK„½½­%¡“îe6eS. âú˜ˆfÄ®ý>e¾î–â ¹¶« ŠØ£>;–¢‚/MòI”¡øi1-ƒ
+¯‹3ÿ²]inÁàÞËDÒ>{ÓЈ dx—v³©lò9 ‰N‰+¶¦zöÍñÔ#é)ó\M£[s@Z›ÉR'õRÇ}ËAÕNQ¹IuÒ.8þÌÀˆ‚;a?ú“‡ö8ζÜ8ùx ÐxoAy橵"wðõçÆÛƒã)ï¼àì…ŒÞ Ί@ÌcKÚ_Ù¼Z‚{+ˆ•\£\hr‹v·ñjÉæǸ((%Õn¹ð· V•BòÃ{9y¦gN°œ fµv*Ûï›s**o™^þ(Ú‘r)`lV3°ð‘öTÇãèή hYmš´0”ÚÊ÷8K¯6ù€›§vóÉy“Æ 7D倷»ò§1 \eÌ}¯ø§5ˆòþ[%fvÄÕ'œbÛ©ö¦&©"ò­ƒõ4ìË*Ã5[Dô`1käý¶Õ•Ï ê`•rM<4{áôUC÷­øwݲðãT5cï¨ûët©„U0í ¶»©kµG#G”Ä~}±yôd¹üÄI!ß©¬ÐGÀEîn‡NOí¬PË$‰šÍµÃ‡WgÞú©é!q@¥{ß®ê7ö$¹UÔî¸ò¡Pšè¾Ð›ÍA©a•bg¿fD(s ¥ùv®gZÙZP€=NÕòä9èÕ&çýw…$H›Àì×Eg—ó¹-}>LÁ•Ó¦4üF¸pâX•*À¢„ƒ0¸LM­+ª[‹Àãco®OóbÖŽÓ% Hé.. Ê X;éôN~'R‘`&‹¤­óH–$Ѹ½¤[*¶–›< ZG„‹m8Blà ‚`•‰
+& ùf¾±<£>W†2<퀔ã*õˆ¦¸ïÞºÑbï)£(]|Ͳ7.ÅBêOo_™íí—I>Ĺ=à[väÍ$ø¸ºBÎk[œ y¸;ª$Ô¶VÔ¶¨ì+Qý †$·fø‰AÙu­õ€•ô퇚|ÄS)¬ß©ãb
+ÞëÇáØ(>§"´Ô?"¸ÔvÂj“øÓ‹©OïDkº§«wèKêfhÔu­ÐàÕ–®L~vsÜLðw~ùŽø›f÷ÀGY¯y²™)¿ÓbOú©ogɺeÁ]ñ¡—êÅÇêá0 ·H—c<ØÔrZ :ÁÀ]>Ùã‚!ååÅÈؤüð¹‘c›€ù«ð#®QÆÂùOsYŽ\$yÓ&ˆ³±Ò„} ÏK÷ØÈó¢ä(ä&&¶¬SÊŠ¡ÊÛË4öË(d®NÏpT¸ #;®±õæü_>ÿŸàÿ K{0Ðu
endobj
-1037 0 obj <<
+1321 0 obj <<
/Type /Font
/Subtype /Type1
-/Encoding 2149 0 R
+/Encoding 2729 0 R
/FirstChar 35
/LastChar 122
-/Widths 2157 0 R
-/BaseFont /VVHOCS+NimbusMonL-BoldObli
-/FontDescriptor 1035 0 R
+/Widths 2737 0 R
+/BaseFont /MCRCVV+NimbusMonL-BoldObli
+/FontDescriptor 1319 0 R
>> endobj
-1035 0 obj <<
+1319 0 obj <<
/Ascent 624
/CapHeight 552
/Descent -126
-/FontName /VVHOCS+NimbusMonL-BoldObli
+/FontName /MCRCVV+NimbusMonL-BoldObli
/ItalicAngle -12
/StemV 103
/XHeight 439
/FontBBox [-61 -278 840 871]
/Flags 4
-/CharSet (/numbersign/hyphen/period/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/r/s/t/u/v/w/x/y/z)
-/FontFile 1036 0 R
+/CharSet (/numbersign/hyphen/period/slash/A/C/D/I/P/R/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/r/s/t/u/v/w/x/y/z)
+/FontFile 1320 0 R
>> endobj
-2157 0 obj
-[600 0 0 0 0 0 0 0 0 0 600 600 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 0 600 600 600 600 600 600 600 600 600 ]
+2737 0 obj
+[600 0 0 0 0 0 0 0 0 0 600 600 600 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 600 0 600 600 0 0 0 0 600 0 0 0 0 0 0 600 0 600 0 0 0 0 0 0 0 0 0 0 0 0 0 0 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 0 600 600 600 600 600 600 600 600 600 ]
endobj
-1028 0 obj <<
+1312 0 obj <<
/Length1 1630
-/Length2 10814
+/Length2 10888
/Length3 532
-/Length 11687
-/Filter /FlateDecode
->>
-stream
-xÚíteT\ë–-w‚-Ü ®ÁÝ-h h…KáîîÜ¡p'H ¸;—àÜýqÎíîÛã¾þÕÝ¿Þx5Æ®±¿5ךKæÚ5¹Š:³¨©1PÊÎÌÌÆÂÊPÙ;;)ÚÙ*0«Í•­A€7€ ™šZÜhÙÙJü
-  ­`fç°þÇ`bgk
-ú«5'–7.Q'€ÀÉhz º™
-k°ºÜ¬š;£ªj_!Oð$ã­Žˆ§·ô~”.ù~8T7öè>&)u±¸m˜ PX5‡G4‰û·7´½Cý}çp]ÛDŒÙ±HÔ.°h4‘~ÙDºåžáŒ[ïjwÈbºr¸°ÌN¤î“ƒðÆüSgÊrUm4>_pû´e{eÊóÀ@’ªí!B¾^gYâ¶fˆ^FT{ônRçz[âœ5Zóì3ŠìŒ—*J–>#
-sÁx§¼*o.á_g}wýœñl^îkÝŠÔ'Ø’(Mô{Ä'’WuçÙ>`·pòdèŸoR[ÌÒö! íë&XôÕFZü¦½ê>ì%Ü}g·û[˽æb6J¸uq ÖDP»}"ßžo«/2åKžxÊ$©ü&Ú6|I²k¢QᲪÖÒß(Fà"A=PÎ2íܘ??ý@²å·‡•Hki–óº‚i¦
-Û#Ò¾ç‚u¨Öåºp³àž\¢4hS ©–Eéf< ¢sj`ß®›ÌFpï(üÊæú|k-è=‹ãEâï°ü‹üTvalÝ´X\0X¿Ù¦?˜|ew…­K£KòÉäÃïÚجäÊŠíŒ]Ý: %¢˜~¡¨ç7GÊÎÉÃÄ} .Íâ<!˜ !†As¥»˜ö”ÌÔš(;¯3á‘7ÅÆÊ0]²Q|Â^ÿg×C´U´raáfùgzfÊeÑE=n«d?8!j¨¤WR-å…D¡œÊ¯mh$¦œa—C½Þæþ©ƒ®Cä¶wk!FËèIØßaNó4dý6x^z/ë„:Ž ºøÒÈQgæAÊN6æ ž›pP¬Š?¼û‰DÜÄÐ9Ó,4(E#´Íô;Õð¬ŸIaê‚«{Š‰ÏU–¦/ƒH»9ì’Újà(XW†ôí¦Ëø­Œ¶ù¸ä»Ü_Cþ[uë†LFq ­Æ!ü
-[ù^®bÓ7£‘“Äh'–y¥QT¼æ ÇÄÏy±a£üNåM ¾¦‰ÀUOE_Û±Õ©Ù÷œDS±&(Y¡ô{iàÇ¢r_žv¤Ñ«8¤Ab1è±M-„ïÞHHºrßÀb¿Oæ[‹h×èiy¯øÉƤ¢¶­„':çÄE·tzUÿbË–È.ØÖ;̶€ƒ¡</­DuR‘ZoOdNÔjFÂi/_ZŽ 2f€ÕõAц‡($k}ÍåcTsí1R»°$ˈR÷k»=ÍÈ~€íãÙ3¦èýÅ;ÂÝ'ÁP¦µ ƒ·ù]DS°3Ýø¢$;è›<£…!sÂÁé,ìÚ t4aê\D.ÐÒ/Ýöƒá4$ÌrQàK,T†õ˜zv"ÓÕ3(²Ö«ñ}Ìsjnv4ÛÏ÷†NÙPJý‡ÆT+Ëç@f4eËâ¹×pƒÏ˜—yUz„P•Í=ðˆñÚ
-5ú\¾“8¡E8¢ž/›ÿš{¡ ç³cƽžÃ ­þ©mÀeô¤]§¸ýÏTn)ª¥3½Ù¬Y gÁQ hñ}7Ú_»U;ü‚ h@Øùû3Â)Y#+³RÌ \pgùGÝq÷pÜAiµßBwànÊfµ„FGjœJnBáð걌¿YâYQì Wqò0ƒ¿ÉA–®îUH&@O ¾UÒé“̾„ï”®¦¤ö¨b×SHôôò¸Q™°‹É•è‰G|)¹½žqt绦_jF7øÝ¡Ôš×Ïi¨£ÿÉ@HRòÎjûioÎI­ÍëÖÄ°2…tZg¦¶à]Qˆ¢¦ž:µ.;›#ôªßt0±ÎlÌ{ÏàQüÛvü«¥´®å€
-ª/ªœ{Äøø>º$ÉvŽÏÊ~{ÞÏ>ÐQµßS°Ââ¡v»Út`{æÙ°¨ï•›( wJÝ$ÒTùœÖ’F™yˆç·é›Öõ¸ÇÐv‰øoµBï:>ï2ýôK-ó»}—®ÒÁ//Ä€fHÓªQÒBÉÈÏâÏñIW]1NúX˜ðCk“L2 Ö¸V2ûØ/‰.®#G`1¼6ü~fÔ R–|Imd¬²ôðh„{üÑš¤‚™Ë»äË´ÿeÓ.ÿ…Kµla°.
-‹jm“Ÿ˜=~ͼ”øh0IzÖ¦ú·O%_Ã% óa:¢hšP³
-S¹ÏÉÝÌŸÜü¾ØœQlq¸†=žà~pFÛÝÓ³0Ú=î,ùƒ272ï‘,n&£#:$Š¯JÚ0ˆ/ŠRžåe\ßoeEÄ`µ^×!Üæª-î¶ÿš¼îKÜ¥8ÈT?ß÷£G§
-÷glü2®® O!ÝèCÖ½93ìôÙÆ_*©a …õD¼3»–èâ/ˆ’Ö®¼à–tõÊC¼z]îú¾¢(ñÏ~½ŸM¹ã±ÿ.#à:ônÓJÆê|ošAb%¬Äiªê3 M°úá]@’œïjoj'õÙ{˜D—ÚëF*‹/‡?Éå'Å!\˜ˆeÄ£
-ëŽ,/µs¡*/m¥$±¸§Þ˜¾§Û›§pnBÌHé”S*û0uœd²Â©èyÁ„Sçx"ŽšÓð§ÍïB½þôÁü{Y‹ð"ÂÏ1·¾Ú½IRA®ÙÜà‘=$Aê[ž„ÍŸþ媓D¸“§B1·ø ¼•"Höû÷Åj·Â¡Tˆû\ÑiÀ´G¿åG»xÿtÊí|ú?Ã4fÓmƒŒŠ% 2ôÝLTW¦‹Å&wË…j•¯?CÈÆ6X™-ù» "zQ׶Ó6å[g#Yóñäúd[†’°‘ã‹’È®óÐË" 6Ç”wue# ¬ MË%òG¦ìü) T sbw^˜¯ž«TMZ‰âK_5¤÷ýÈ¿“ÕÌß/ëâ¸|cÐùò{ý†VðÌSÛ¯Ã9rFòâý±6„ëhˆ·u^òö´g?›õ¡çxu) ìEºéµ5B=]× ;¥Â’Ë0¶§s7ÁjèSƒè‰#Jws¬Á¦ôE`"¨€:¾2̯sû6Œ¹cÌy!¤¬èb‘߸¬ÉZæc¼`ãû”mÍ—áM*ÛM&½{Rù³®óL–/ìœËG¬¤Á‰ß/é0™'
-ϲiSÛz´­õ…¡I§ `~œm5é—ÀyyB‘Áƒ"[{ÁûqâoÓÐåºïªðRBøœ
-;Øw3øGæüõù¤…Þì€E
-ªõVÖ>ß"‰Ï
-žzÊ6âÄ:gÒ¬?yéM|â(¦‰RÕùr ði­æp2¤ˆp(â 1¤¸£œ¡æ1Rᨅ 59©ðÏ~J{ÖÜñÙôu³Y+ÂJàå)$Müà¹kMˆz,ª.hÚU ñ…1FÑÖÅ*§, /+CÅe+ÅàãïG›},{S&›1ê’™l8ÈÏ›òIø°°€¸¤•·©x€*Ú§wH™^kŽ6ìÔZ$Hq¼Æ!Ü Oý#$*%UˆÜGP õi±}&ÌKá6ºÙÍ(ô@€ØuzZ Ý^ˆà>ªR|­ fö*9 Ÿ}&R°ýgFÝ^å†áÞõ°(|õA~øo,"ÊŠöjes>@vôfK=²ŸßýÄý¥¹£ì“ã§.WòÞNBtÎáÂLå*B±Æ5“¢MÔ®øÙûè¡Cž)øð nßúB¦€×~µ_ƒ8c“Îãš(‚×'ÏÙ¿²6¬iÓкõ°T«¥‰;kÔ4¥ÒªÐÞ™bä® 5˜Ò´íEXŠC†q)6ôfWº‘d0¥àl‚$8ç<
-Ì“ ¦Nó”-ü¨(Û–7 .\2Q0¼[ã>ÞÞc¼9&‹+LÄ@¸J°aiÆ—23Äoâ+Åçu%•!·îÐ èä™G—!WùIŽ‰ó¢fÌŒp V[ºÁ);A Ž+Pc¹ÚY¨N7ÓfH¡RÜõªv¸¯Î_ÛüdE…Ð鼦‰ˆzèže.7-„ê½NϨ?iœ¢}U'ÓÁ¦çÿ
-Úóž¨e6[x5±IœG·6ünñ>ìlu ¬YØÐâBZ *7VU?Átr T1[¸™w¯ËÖj6Ó”äê#ŒSÔ\D¾y¶¢yÂw” k7ÏC¤Î‹ b‡døé’|7ÝÖè¯:9so³h2ûñ¸î–¾ÈUªû—rl’9å'sÙ°Q@ýBîå6Õ:íkX‹(­ió¼·õUðW¼ÕÂîcŠ˜-¹¤ƒ¾-Nyˆ®:RjQ4KàŒTÇc—ûÜœï¥&)ëdQb¼‘– ˜hïáœ#±»¬žS£`KXÓK5S°]Ħ~ WUðã?É g7ÚX¿~p™ÑðÎu=*•ÝGK;t·Ú›iC¢­Õc‘n6=‡˜ñtÄY9ÉæU¹¿«õ¸² êvæão?32y ÊÂEò^‚iYk»QD}ÔÓp>ÌÔ>¨[ÑeØØÙÎGuncáTçÊÅGP½L`.عjÝVͳ…U16–!]!•PN‘âñ³ª^{[T´^Þ•tBÅ.‘¿˜ç‡n\¾„a ªáàïëðõGn‡ ÜÌÂí?¨‘‘å²cýP'}¿ô51iå0¦Tz4½‹Úç=Á‹º£ë°½„ª&koMæ!ø\ß"g*ãÐu»r £6„ŽÑm­³šÞRAàÐ,H¶ëUõ@=ÒØೞTÄ2–‰ÆŽ÷ã3él~ éÅ»{ º;j•ÜvÓœ:Ý×I“ª]:³Í~ÿòYŒ“o4|l‘E½&$è0¼¾Mi4p˜òÈK]Pào½Ö§Y[5¯…ˆDEì¬h.«POýéµû’%
-‚¤=Úd!³ãdêÉ‚Îl4ls~…ŠÆAQŽŒr÷î XøT¼m­97bZâ¼é2œÄ‚M<µ/¬Àoþ´ùŸ“EF:oÏƵ¸rÎrs_€Ezùã\D¯Ð2ï]‚㓼BG­+¯£x»oÞ#‹MÞ¢•ÿiœD|!# R­þ ­1*׶àN ]püPÞ2'¥ò¦H˜f)–ó¦ŽWv§Ä…© :V"å‹G’v
-ÎÒOVYrX¢ïàwJŒSôm‡¯)&`WfXñï³’Ò‚‰oRâ­‘cƒ'ò­–c^ÎlïŽOF–õ×Ùgäëf>MÅ·+(çÑ£ø½fM•ÝiïJÍ+lÉÎ$›©Øȧi‹ Kº¢»»þYÆa´á+“Ðã)ÕÕ;{¶
-{郎£¼Ã/ô‰ï-˨–ÞëijNg°ÐMë"@þ0ƒ[ ®x<Ey3ºs ¸I=t¾0fÌдƒ
-Þk—Ç|¶=pÅ^„°·Õ`›óû ŸRy£!«#ª£þ²s`<5…µ1Î}¿äóè-É`Js_!ñ ®èë媌D›å(:>žd/mý€p @{ m·bÊ3ö£±™W€¯>š‰øç_ìŒïyž"ÿÜßXvܺ†FŽ• -+›5Æô™6ì{ˆñéŽzÔOBz>1%Α}}mBl*î Èà+’?îÍ6 ±3™þ™^\É;<·ør ø»(YËV¼5,{n½@Ø`2Ÿ<Þ#‡æé6~p/Ø t+—¢44bOT§UŸPʲÁ%Ï™Ý×êmŠ¿¶kš¹ÒÍ»¿^Q6R|Vœ=¡ÒÝ03ÉX­®/Õ¨îmˆÔ-gN
-^Á?g½Ç[eœ[T.¸;8Ëñ1S¢ÒŠs¹£ìãíÃ.õy‡¸MnÕ\v¡.Tü©Ä%ñõdaÑÉ•%úh¡æÍ".‰„%{O÷0+íøHæ
-7³”rÁ©£håIËC3L—ÏÝ| á`
-4T¨Tç
-ç!ÙYê‘éó`þiîcînÿ)£×„ø6RÜX†™éЩÉ^ÚŸnà×–,&ªn¢r‰þ¥»GB=àðÇïÄ‚†v|q”Z¾~½êÓ¾j¹ú–RýÇÕ? ô¨´xË™»ýñpŽ~Îe|E£PñÎPB´*Žm…ÃÂ9}zùµ‡ìDy?¹8h•))^Çj¹~žn+TêóÈ÷Ð=ƒ,¼¡a"란)¾®‰£¶:—J¿ŠúD4$ç›mÈXfjfÆ¡ñy%[¸"6¾ÒxB)•®ÅÿÊŠqÎ>¨×l´—틧¡{¥»¬ëe˜R™ÏJñ­j}Ú§ÝoìU¿ë à{™ä–\©†õ6Ü:ƒ·¬ct5I/« €,¸Eð=÷ Â8i¢+~[‰2ðL~¿%˽ΨEdµÄ3C}®éX…VÇÝ?àëV!CŽä‚à`D2Òé4Û%‘çÖ9¿×õH„)¥ð„ÁúO”P7tt1iU~½&=I¾òèÏF}=шû\XUêÅá[&¹î3=ûŠ†ž2¦8Š¼á"GĘ›À[pClC½ÆXÊÉÍÿQi¶Qk bºmj‹df$Àw =õ´åƒ‡”]·¨¼þÑØŸKƒ©ÄøÄ[¨žúÝðq*ø!y›%Å…øØLÏ?×-+Ù‚õ´RGÒX I†ÿI±`dìÚhZN¹Í"VÛ‡ûô2_®ËâÈ«Rßó!«r
-2¯å²vƒêõj:¨¿Q<¯%C/õ±c“I+úI~ŠøwØc`µÝµýƒ§¡þŽ¤ûJâ˜ô ]8 SÆ/¸÷E.ƒa©4Íî¢gb‹òéž7î;‹f"pçìÏðB]u±¿‘ßó‡èãb·4îžiÀ[.þB&Òva­¬7*l?TГ„ræÝÜnàœ`á'r¬Ó¦Ló1&9¿å8ƒÓG§~p…QxcÃÒ=´Z‘ðŽ±Ä5ä‡Ø×n™ù VbY§©àùÏ"§Ñœ}úþZ–§75’¿@-[Ë›œ1=u˜Oÿa"&¦u¶|Êê;ÏõåÅÆŸ'?Hl4ëE\³Üà#ï<Æ—
-¹`†\ÿ¥¨ª1¡Õ–£ªø«¤\Å'GË'²RSƒbzûÀ…´ãé‘!©¼?ôdFÕ±EÜ%üÝtk'õð‹äpNA‹Ûº†‘ã«óµýñÙyõ)¶'Þ¸$—( ºI‰fÞê¢*)
-£ÖöQðŠ,$ªõ@˜Ôáö%Õóø*(lŒl>9h¼à˜áxJ¹öÅþãn ˆï§šxíWE¦º²Úa2”b÷^+BBF¶-c¬>À‡ ïç ›Ô„üR¸²ý³áìKE±®èÕ'¥Åq5/ÃÊÛËÑ»ï-ï'{+Z‚"Ìô”{9…Öñ›‰ò¥YnY’8ùUú³­^dËÈæõqàÝÝÚJÌ7C)[yðîñïÆ^3>@–cÉã1ùé
-NaãLïñ˾œ[{Uy<-Þ€-§Žà@÷ÎG{|Ñâ'ú*&MËDß×°‚ÚKÆí¹W!¡ÏN¤µ‘ÖÅe<Ò}øÖÐÇÞfnÑ»…³µêmºŽ5Y ’8&€ù³js¬†]ea^å(Þ¦14üŒ`pË{B/{ã“ÜŘÊgþ6<ÔÆGE§Iwuy³¯<¡= 7…ýÉ̸¶ä3…}€ÉüR4{Ò^ø<zN‚‚!y™ÃÛíÃáxVRο0,¹V‡}’Op7A7!ÐTÑQP˜ùT™ÜÞl,P½ÙTE™>>™åÝ°^ûþR›„»¸8'n¤-ìJk®²QC
- ¦Ô"ZñwOòï™»ÏöP÷ê¨.ÐJî~&Ö>zm^B¦[s°'òYøš×Y­D˜¾
-¨ÿKuß!å"|ÐÙEÆVÌð}†ô¡¿ O'®ÖÎþ€å&-¸ùhì8ö²0ËüÀëèæy€ôõ«`o­$‡Rš´y?…|¨ç>K/µ^¸°«l/J¿í§öÙÄ¿Ñ׶ݶëÒ“<‰âïŒçî*O©ÍTK?5;º(›o³ÇUJN¤P3
-øÍæ6?ÅÖ%X<²˜6˜ü” èýÇÓ·55ιbÏ(L853ïáˆÕë¡›íÐêº/ÂÐ7q‹^¿_5
-r•ŽQ¾¹42"ÒQyܽ…8[E~*ï\ºÊYòÃå«&R½n<NÁŽ¨ÎŒóöÀ8mÈpf0 <«±Ìœ/Fµ{ —·î9ýöÝ„PœÒÄ@cÅÿ4¦; ™«×”¯ü¨K­ À$çdLÎð©»$?ÊCîYÇF¢á‰á&Ø,ØÏ<Ú#@Ë%® ]g‰hƦÌäÒ†F`{&(]ž·/iÇÕÜ\p±"Ëbö>¸M¸  ý¡$úu}ÞÕ*äW˹ÑwçQ
-®ŽW_hi+yñ¸âÅ‹…†
-ë‰f m…ÚÐJï¬ùÏ¥‹û ´¤ešÌiûFt& ß–³´Ó²ë“´›>Y`™å³{ëéÄ2 û“°dõ>sf gz s‘žI Ï¡¡Æá÷”êK“VeùÞÉÄ;NIN² -ÅêàÒ[xŽø?‹¬ !¼Ž”xí°åJ¦v<x¬/ OKÁ5
+/Length 11760
+/Filter /FlateDecode
+>>
+stream
+xÚíteT\ë–mpw÷‚àÜÝÝ-@€
+(\
+www4Xp×àNp×à®yœs»ûö¸¯u÷¯7^±kìo͵撹öGC©¦É"nî`
+’q°‡°°³²
+°
+˜Î K ³¹-ÈÅåæû¯éü³OÀêèèhëùw´Ãß^ÿQâ²µ`EfçxËiyËm ¶GþðײÈÛ[8
+Œ»C]ø¶ti ÓRß÷ Ý…X«´m¼L»AŒJÑ2uc¼Ïf•ÖaõyØtv7GÕ5ŒJžáÉÆÛ8ÏîÞ»àRß:¢û™¥×Åãµc6¼Ãþöåè˜6ùàî–®oxp ¿ó®{‡„)7‰FÐ 6:À)—DT_»Â;’iºv—"®;)ˆmq*ó‚?˜1û5_ÝN[ë’ǯ=×ç³"/LIê}Ä£›k¼¶lBñ«¨¯¾-š|oRkÜó&[Þ&±ÝñreéòDQnßô?ª[K79Ð7/Ù/–_!ýmÛÑŸ ·¥Ê“žHÕ]Çy÷A8­\¼ÙŸ.¶h¬æèú†ô“­Bj£­Öè®{ŽúÈ£÷ öÖt=¿ !æ¢DÚ–¶bO„t8&óïû·ù#¿-L.Ii§¼µ\’îžhRºª® xïN
+®°V
+(Š0¢™PÁ´i—µ…½g` äÒWDWN=%&j c6–K…Á×M囑êæ>vEÂëÁ|Ž¹Eʯ#«îu€U•ý9å™x¼.­dávÈ!ý:8ò¾€Ù€;pñJ#WT ¢Âª^Ûà'áHðmAFr4”,=gK3M¨Ì(R
+ª¦S0†¶5§(ƒç•ÒÃòÙ#ÀÀîœj›Ó=âéÈmoßÐ
+¸wÛõeä7ÊüÈ‚Wª¤I„ÜGñaquÂŒ†!q”ŠÂÓúF›ºNÑvw=É€ˆ ø?©þ¤ÝÊCÌõ ýß{?~µCâ¤ÝXœì†q&ç1j;¯ãI¢™Ô§U$´ö2s«Q6·oÛ†±Œ•°ëãä'n¢ªÌ(" iÅ ÚPV Ý£BªÎµqt¸Ö•Ým™Y•d>Ã[¶‰’¿¦ÛV­¸‰õ»ë+WÓP¬Å`,kE}±_Ys™°
+ä’Þ›«+;Wœ‹ò,ïV‘äîIº9^Ü¡U½0~˜ðâÝ^ ^ñܤOgn}Â]^¿¡%K(îù˜§½ÉõUÙó˜×òÁ
+îÑâ§Ó/ÆÔ€P +°-¼ÝyתžVý(/}_#™mѱ¦€*¥f~[ópÏ8V†ÉÑ8ï„$gÿ" N:<3Uwñò›ðžÂp6­Ö‚ËI&Rü¬ÜŠÊ“‹pžÓo/8)Ô+~Û Js§\¢­öÊlöí»i{UŸÈ»Ã»4´½ÌM_˜š?Å]FÌ©•A·Ö_\"Óƒ‚’Þ}#FG ïK}g|ÿñÌàë":ŠEù×%ñ’õ.C!+6‹¼R±ˆà!Qê˜_};¼È#Ëö]¿?Ü~d'My*½{·8¿á+ínßû·/ŸuG«ø0¢ß§ÒÍéÌ–àb“'¥ÿî¤ûm>‚ÿ«?‚´Q õÞ([ºÁfMÛÿŠƒ´–?Â…?¬Žžš.Tùô+ª©ãJ¦eUq8jrÜ…Yp?Á ½Y~H…#úò=*Ïqí·Ï™‚T蓦ò¡E‡üA‚⫘Lm=ÏÊ72Ø÷]‹Õ™+eÉ¥½õ¦ ½=¾¼Eó@•3.¹w¹Gãd“•.Å/‹f\OFJ$Qó:Ñâ
+ýò­Ã)8ȉÅ)7è_£Œ·ÆT÷ô壌mMÌœ+¤
+G¦©J¨ç­$î}0ÿx¯R7ë&K.iËP6RÔ.<,ë㺥1~4XÛ¸¥>÷Æ ètž•>¢Â:Ñ#)á>æk[¾»ïÛ'Îåõž¬Ž"¥à P¼Ê!B5ÿi‹ÒÌÒ÷ÀI¯´æ6‰ïíÚK²j?uFéi‰W!Ü’½ NÒ.TEtmúÖF°tŽ¹.†}-¾ü%`úµÙVîC¢p?VúŽÎëÏ-jû-fÃrÅó$î‹Ï„¬\AËÇlä¡NÉWô˜,
+Ÿ`bêTèÖ6çCÅx+Äèô@›þ`ÙvªlÐTw»J·ô+²ùøp4Tâî]” ðâú>êóXÿfßdO¤Ï£\Ï”H:[PC‹Ä²¡-‰­Çó|—ÕÏñÊŸ0ï³iov%§Ž=Æ‘»ñfLu³$ŒX«Dm|BØxz’‘: ÍDï¾T–[&n'îóšZ) ¶L`z˜÷Î(1ܦ—Éc¥œ˜*`ï3Ÿ+F(ò¿gVà/_JcÄh‡ÛÑ|¢Üm:rGæ-Ãì]07‰±?×›­‡¶­0RK4åÀí+—‚`îŽDÕÐLºÎ’ùˆ9>ñ¯ëwe£¯ÓÑ©<Ôº:n;=]7¶cm$Ïjô¨âÉåx¸Õ8>Ãp:'`=2’¬~'¡·:é'î•üc|±#úvN<
+É‹|9
+PÙ·åI,™ËúP5—ã´"ªYžBRÒ!¿Ñ)ÑEï…ÅEUÁO»« Ñ ¾ 0Å)Û»9Q‡‚áT¥áååh°¹íeýè²bOäo¿*Þeº}N5à„M=*,".}º.ØÒ >Dï7¼¤O¯·Äštéþ"Ìs¾Á%ÞÌø-".#S„ÚOXõNèWÇl„Ò]8T‹0üPÔ}zZÝ^„ð!¦Jr½fî:5…€c6Z¸ãGvÝ~Õ¦ÉþÍOqøÛÃÂÈ5Bl’÷eÆT5ª–ü€ÜØ­Özä€üÛ W–ÎòÏÎBÝî”}]Äè»vµ}V­&–h Ô0;5#ÙB탟{ˆ>â‚ éñ¯/bú3 13„;6é:®ƒ"|sjü”;“ã´iK—‰Öcˆ­^#kJÚ•üMCG&³ Ú#©Áœ¶}äe-Yò
+iÓpn¥ISÖÎ.DŠkÞë‹eªñÔY’ªU
+{&p–è°ÌO@¤)ˆ
+á(ÉÐ'k‚ï¾}ZuqåÙaÕa àuß+•?®Ò ,ç<Ü¢p)Lå¶c§z7ƒÜÇc®{Öß°Uþ­ÝûÁÞ_)Pùîã0Nh_4SÌbÉ- Œ”²:ã%¹îL¯EÑ)ƒªÇ7D.÷{¸>ÈL¾¯“G‰óEZ:|ÇL÷
+ƒÉ/¡¤èïiÔò;ÌóêôÿLšUïÑ[læQÎaœ¦Ñ>ñ³G÷™=}!C‡áóoΤ…ÃTD^ê~÷Yñ5l{ž³×(᳓* ŠŸÏgé­?»ñ\²Àå'Ç…îñµþ@vǸŒ‡¨óÀ9šæ‚Ã?ŸŸ¾èxŠBœZ÷ö´köö†dqÏ‘"$!ˆ íxðÿ"` £þmÍÓK›ë.¿ôe|ê:Ÿ†›%u@éœo('_
+¸=Äõ¹Â¨ìW|ÝóúõyÆ壹Œ O<ã–H¦¾kû»TCT•3SQú˜8EŠ9·[Éi{ªðãá²Çäve=§ûïŸ$)e Ù(ïöyï6bU_>`R¨ÿ™2Qt˜çR?=ÝIêbĉ& ¦yÍèZ÷;Ø%U¼å͇⌌àÊ·«6ŠnËLJ˜S2tqŠç+ÚóKÄ0H ûÓ'­½ª~Ï”aLø˜±ºÙ‰l½,£ ;ˆ$ùubq¹ñÝ8cC¨.b /άKÌJáÖR7£¸§ôŵRì`çzËb“³Z'º½$ éëý€Õ÷ÒÞù¡À.(?ü<Óo' ÂX£¹
+½‚ü\Oãl}çÏ rÉ^Ü ëcërhÁÄ{£ x.;9¹ž³¸#ÛO}+ö H‡Gzøå% Æ®¼ð§AjS2kí;<)Ÿ@ZÍÆ»È`n#çPglv<C[HÀB
+ó>çxž–HhÑo°þ¦¯£mÉ،Ģo­»L£ÇQ“0íñÅùuâ#ø2†Nü®{Q[V¯Àj¿¢»þ?ƒNWô¨?ƒt›á%¦qGGö:¼®*x¼ÃÀÌžÙÍÙ^?£õgf‰•çûúpïîLÂTÅ7^\ý?0[ÅÃèQÄè$†À×}ÝŠIÃP±ªÇdYvgä‰e¦w©Þ$àŒ¢_™ ×¹Žéß™†Ø'DÂ9ËŒ?h2ó¸%¹ß̆Ó6UÖ¾—õ„¯m“±(ò¨øÈþ­ÉæD¥«‘÷§½ºwõ¦$MMó:2ž“ú©‘ƒ=‡3Ït]ÆF±°i\Çã“%N¥ŠaÿÝ£ÛEK¼ôÑ×îŒ6y.G­†(®AM†<ï¹Ö~Êyõ.‹ï—²À.õ8'_e#åBâ[7Q:¿žßämø"mƒbìS ƒŽÆZá 4¨YŒ•{t¿Op¡Æ¨à‹!| ‘õj—/™§ÐLve§eŸ(ú]<Žqž(Á¨ð칄…ÏÀßù¨;ïAJGZ0ý7ùˈ¾†[(-®P+Uìp¤ëñ|\—;ï<?ÿTlX8ÎíDò§ ê÷ç·ÐÄßÇð“QÛ¡ª›¾ž[,d‰É;´Š±¦IÄW
+² ðêwòoÀ
+=+Ñ ºEg¢ŠÖyé5,˜bQÚ¥x®Û:>ùÝ27r¤v¨x©t¯½ <¢íæVþ–(ù’]”Û­®ÂãBB²ßâ ïE›Üä ?•ïd
+ž¥ ̺”k®ÖPú-F3{^.|àƒM],¿Òck&Ïý"§^{9D_o·äË•ÄgDwŸÇ>B_6õ¦F§zJ­ïf¬E§9åGÆŠ(IK6na mü¹¢äßúta\‘±+O|oÛn™ÔĺàÙ_ $üÔ>­Šäkës±7¡{^´2ÐX úñ©ã³¼€¥=Š&I×}µîäØsU5u¨ÿ’àï"VB”—~²rön‰Ã/A“¯>k]苬’)ŽÄìÂèÌ?vYèäF8ìúš
+M,b?Sœ†è‚-\ ì‰ûdVwÑIôœúá~Ö7ŽÄkeAø€›ÂG9”¬™C:¶œ<_}9TïrTÒ^%M…íŒC,[E
+tÓÎ@½*¯g :_‹»o]Ÿ°’cü‰·ÑcM
+}­+^ÂÂí¯e‚³é)À+-[‚fß7 j5$‡=á›®bÖ;tZs<u%/é*¶Èø²EÌèÁþRå´6*Fõ0N纄Z Ä4÷€4rð¿_ÓktV{zd¨%Î`n »Ú3NrÁ'ÉHŠ¡Q1Â\®©9à
+$2ÊÓ‰Ÿ (¹
++ä—JEšÇ—éáJÝËÅGq­¥½oP—Z{@LŠõÈ_
+L„³”%$6$n”%  I1YÈcó³:Áì/÷HÅ
+uÎÂüÕÏÍ{1T¨—t+jªNìpC4ç@ÖîÅfÙä:)0ýôðt<P‹b¥7ŠÔÒ·š‚ù(23¬õÙMö+&c Ól.^85^Z£ Luü‰
+EªÊqÓëTéCòâ¯yÇõ•+«ûv©FZpÇZòU1ì´‚îâD¨4ùÓ£Bªg9Œ¤ÁÆ{¾Púé™S›vÑ$ ‡¾\ñxllË5çÍiéõ$éTlFÚ—}GÈØf<ü È -ü%ë2bh{açògôCÿ£ÜïW{e1¯éF¾'GŠ)Æa.¨³BG=(”ˆüªCÞÛjHk_×iêPtkºé7ïze›¶ý“tå9¬)U1M¯ž6¾¬ 4*k?¦‘<ꮢ±²àN|×P’.n¹||£ÜU+¶3F”MhÆœ ¡¦9Ÿ?hHû›ç—nr Þ-ä0±Å‡ÝÖà’U·¢PA7ÄÜFwæ°'ŽÁìÓÖ‘–º@çPú)B²àFpéœ=ç(®é…àÎÂL„N·Í-þÄYØÒ.ŽF¹ÏîÀ1­ÇN4.ì—{œH¶/ªB¥0¿N­æ%@»&ZëÑ»BhÙœæ¹áí„WèºÑ$Kí[Êit9œßë;*ø¢FÜíƒPk—×xøOyŒüøŠ¼ÂÛ/¯OwÙóp»B"6àl:ˆ›ŠÕ‚U‘eP
+Ç^; áµ³†˜¸ÔÕñXðÞŸÀ»b’¨®k€*G/·O3(|ýhÉ›ÐÅØ%§Yæ6ÈËM‘~OŽ¿Æñÿü ½}»—%Kƒï¦|º9W¼ø+[Xìè¤P˸—úòbhê~ƒÐT¥:J‹ìÛÔ
endobj
-1029 0 obj <<
+1313 0 obj <<
/Type /Font
/Subtype /Type1
-/Encoding 2149 0 R
+/Encoding 2729 0 R
/FirstChar 34
/LastChar 122
-/Widths 2158 0 R
-/BaseFont /FOHDCE+NimbusMonL-ReguObli
-/FontDescriptor 1027 0 R
+/Widths 2738 0 R
+/BaseFont /AOETMX+NimbusMonL-ReguObli
+/FontDescriptor 1311 0 R
>> endobj
-1027 0 obj <<
+1311 0 obj <<
/Ascent 625
/CapHeight 557
/Descent -147
-/FontName /FOHDCE+NimbusMonL-ReguObli
+/FontName /AOETMX+NimbusMonL-ReguObli
/ItalicAngle -12
/StemV 43
/XHeight 426
/FontBBox [-61 -237 774 811]
/Flags 4
-/CharSet (/quotedbl/numbersign/parenleft/parenright/plus/hyphen/period/four/six/colon/B/C/D/F/I/N/O/R/T/bracketleft/bracketright/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z)
-/FontFile 1028 0 R
+/CharSet (/quotedbl/numbersign/parenleft/parenright/plus/hyphen/period/slash/four/six/colon/B/C/D/F/I/N/O/R/T/bracketleft/bracketright/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z)
+/FontFile 1312 0 R
>> endobj
-2158 0 obj
-[600 600 0 0 0 0 600 600 0 600 0 600 600 0 0 0 0 0 600 0 600 0 0 0 600 0 0 0 0 0 0 0 600 600 600 0 600 0 0 600 0 0 0 0 600 600 0 0 600 0 600 0 0 0 0 0 0 600 0 600 0 0 0 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 ]
+2738 0 obj
+[600 600 0 0 0 0 600 600 0 600 0 600 600 600 0 0 0 0 600 0 600 0 0 0 600 0 0 0 0 0 0 0 600 600 600 0 600 0 0 600 0 0 0 0 600 600 0 0 600 0 600 0 0 0 0 0 0 600 0 600 0 0 0 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 ]
endobj
-952 0 obj <<
+1237 0 obj <<
/Length1 1606
-/Length2 17112
+/Length2 17262
/Length3 532
-/Length 18022
-/Filter /FlateDecode
->>
-stream
-xÚ¬µct¦ÝÖ%ÛvîضY1+¶mÛ¶Y±mÛIŶm[õÕsNw¿=Î׿ºß×מ síµÉˆ”è„Œí MÄìlé˜è¹r6†.N²v¶2tÂvÖÆ€¿J622Gg ;[Qgn€š‰1@ÔÄÀÌ `âââ‚!ˆØÙ{8Z˜™;(U~ªQÑÐÐþ—怡Çÿ´ü=édaf ÿûãjbmgocbëüâÿú ’‰ ÀÙÜ`jam‘WДPŠË©
-.†ÖF
-¢bÿÎÓÙÜÀùŸØNÍ
-à gçü7$€òÿŽeúÿ>’ÿ(þo!ø¿…Þÿ7rÿ“£ÿíÿ¿Þçÿ„s±¶–3°ù;
-FzÆ+-œÄ,ÜMŒ,œÌ¦Ö{ô/½Š­±‰£µ…­É_.ÿÕF
-Ð÷ª-KCºæì¢]•ß@e›‡á±Í R©e7ãÝ8æ¥X¼Ý ú^¯bª¿fiWã¦Ç6hé("ôæ?ü…$ØVS̓÷â¹-Àõæ}DJš2½œœ$~T’D™ˆ‡…:Nq®ó#5ßì" 󧈼ˆÎQჶL–­Èµðc“Êç؉/WöýîŸX2ŸÈÈðxª©-“[¿F7žsWÆ{4B
-pÇ€úâLV›‰¨ÛE°¼õ`K«Vá½Öž\ºÍªk:K?>1ÁÆy9ãd™5 @P2ƒ÷Í°]öþ6Í(9Ð`®¦ ~ Ì¢ß +¹9y´Æ¢]’ˆåþJ¿*ú¨ gÒöK“]?e’CÌ(m
-D\ïN¤Ô´|˜Ǧ¡‹Uf¥—øŒÉïÀúÒáè
-ûÙ £)¨Ž&‹"º–Qª86Æ…‡â9xV6jƒxlˆÊù†º’2–^ù
-|Ò Ä;c g¯lt_´û•jP°– ¼ãT³mê=-ŽÙ
- ËÖ /¨é?&§ Ã­¤oø
-%Ñ]µÃ³V‹Éµ‡†#hižrX£2¾K±²Å?²©Ç‹t3V<«×üHl'}µ“œ7ÂnhJ권buKÉ)O^Œ Z5‰OßöÚÖ?ý<ÿs88z™l­; %ÔVæ ËŒõ”ððßEôÌH«íjÚ ~öÖ´Öb}ë­MùñÍê+GÝq’Yµ£[N¢+C1¸Ë¯ö
-RÚ8Ýw>SÓ¯S®A˜Ç©ó-×;%¾À˜úe
-ß$TAÂrü—ÇDUËx,¬mCFË„vh”V¬èæÝod%·Ýͼc‹ò¡R´©kð97Aa¸ö<ër Ñ¿5{ßîRÖÀª—Öì
-(ÙóŸAuÂ)¡¦HŸÞ OØV";M¸’…ܶRýd°2auÒ/3ߘ–¿AjqBGÎÓÙ1\æ›+>€y¥&0•²jmÚqý[„ìÑL6Qb~´+¹PÄ-sÙø¿µ$ÈÑ*ªï ¥ ðÈOÓ…¦JûèY[éýSækŒ¹©[üm}ÿ˜Ð6L÷èO³[²ò½¼ƒëÆÐNOp:„ùHïä7CĬ“ü]½yî´¶ïïÃ>Õ“·aý'×M½®qê äîbà_w– ž]4ðÚÀˆ²öÒøÞó¬n +: § Ìô 8û›cÑJR[2£mXÅw‹}y7ˆ×ÅLeD$ç,?Yh{³ÛÆBÅΙki¿ŽøК¿ Ø1ò°ºŸ;eó‚T›n|˜)94µ9uæÐ¥x´ ƒã½R
->ç³]æoM%„£¬ÎG)³‘4°ký‡ïbZ~ø ¼`_[hã»8ë<¾4²}$.îÁ³Ö
-Œ(iýŽà-º 7~õSLcüýkÅ!.0Yü:7— `hPêoˆÜä¦ójÂlƒG¥v‚j»8Ç«Á¨›ÕäÅÆ6nÂN'éú3ÑX®ÐH¨Ïü%›zl½ ýƒ©´
-)‡¿ ÕÖÏéÛNÄD]*¾ÔŸæ›õ· ­‡.kÙõ£a ü:ræ\e·ûá&ÈÉDŽ¿Œ™%_$$3}9šü• Š8$½¬€È¢þàÎg×™„¿ZuÎÚ8רË=~³a#›L]gŽyiðÎ+.ÐÇå‹6{™jšSksÀ›ø¥qéD¾ ~Èͯõ{Ó·Æm'¤v;?«A%qÐ7ú"úpM°!(ïx[„Ô]Ä,…u‹0~‘—Ý›°ùot…ÿ‘vm¸oŸÓÔ/˜àyÝSÝñ}Ó"‡ÍÿImñ@ü
-åÚ`qÈoa’:Üà}ÒË’àóI¡ Å¡H±`í ¾‹¢R¯u²Í3}›’«˜Œ(-ž ŒßD<Akº z³,¼u˜Kí mÇkûL”4iH!±¡wÅE•Ô›ß¶ÑËf½Ä¯Z8_‚vŸªÙÿMÞW'n%Õ‡óyï+ kpKx®˜XnÝÅçel\¶êaºÆ§#§ˆA³K ES÷éüT¶È
-Œ¾ˆeD;õ›‘ æB,º„5µ³äé
-IEVx[i©ó•û MCá–‚C÷=…ÐÈÏ ½~ÀÕõó)Þ7ƒNòw8>Çîwëôêé‚t­»Ìt«Ã<EÀ ‚†Å5#²üd ¡,º%¯BBç;¦é.lãWœ›ÜûÜÝ<’ÂÚ9a¨Äƒ.vKž
-q›ÅßZV¶¸Œ&®äò®Å©ði¬Ÿa•ÌF/wø†¤°•|ÒÎmyÒd`Í\º¯*ÚßDw§Ìw °)eG8ïÂ5´B¼Hc†µÙt¢ùš^¨3€6ŸoÈ:W¦ z´˜˜éÁéä’*ëÔ£Ÿ@îàâp¯_© ¥ì%Šcga>¯W¹4#UâRwXPƯY“4ìg·FRß vßû<ÔxP>†uÂËe&+
-Dì2Çüߢ¿¢‚IÔnèEYÒÒÇe)ü²:V ùUš>иɚúq:…mɲ¶þUñNžY±B§Ýêƒ&³Ã¼]Rý*ÃŽûý=*n…ѽKv„hf0ó;!ØÅ .&f«RÚ„ Ï‹ë&e¤ãe}|“x$Ó½ââ;£kgž=çyÅg©Þ+a…¶’û.Î)†Ú`NËiߜʼnW«Uäç*i¼/W 6æø>±§“ <?;dPy\Ÿêd汉ä»tóñ#+|þ­1qÕqVø‚¥Éh¢‹P³Á4>t6ó –p2/ÉõÚzî„øÑ=h>±`
-n5TÁšëÑ”’ÐX"GEÉ.4–ú&µ¼ ØØ…'Àú|€PÜLêar ¾0N1fo÷í¼Á¶Uå" ‹*0âù$]s¨>ÓΆ”'â¾ÞÑØèÝf6qì©)¡}mZ€šÍûIÄN§
-Îþ@PD # V{¿Ö%þVõ|3ùÈ”JE3)&Níð{_’ Ê m3™Î1 oåñ S“•/bì~O«¸8/*™Œ²éëíZφä(.Pÿ§žÏdÔö¤¾X<é§îrî9YJÛ)E抰z6Ø/v0 ¡ ªD °¾T㹋˜€7ýP“Ú¡ûµ¿^¶û°iDØF…ṳ̈9Ô\ðØDˆ“Ï%Ë;¥Ø—qëŒà2ß œNý.¶8bWÉI0Uy®ƒÎÈfPw³‘ Õ8ŒÌ" Çsäs
-ZmØFÐÃʶÞïPhzI÷™ð€*qaBrÒ·Ø^ðƒMâÝàí-Õ¨ô¡À˜å®™ÂÞžÑÉö>u¼ ‰ŠÏãonŒ{óæâ<ŠéU¿˜f);›Íp±OË,¾†ª™ŸÔL~‡(ÂJšW
-`þ* ÎŒÔÀh0±ì$(]J+?!uR[LGÓOÁ
->DGÓyØ}—(l ø &‰åSß}fÄ †ù©»7«ôÖÞ •ŸÑ;!)îüP_©cEìì_Ï“Á’TYj¥àê§ïS({ çÑd
-± éÇ¥µ¨ÿ‹0Ò±«ö¡`¢/³I Ph¦€ZhtDįcÅxBkô¹õ¾z힢Uˆ1áû-C^­î@\’ž¶Ê#f„†µ]òOÍÕ5 Ñôh‚˜CGÚc(hƼ<@žðŒe/ºˆ¾]úyèŸãgT —–B„W‹:ƒÅ‹"p+EŒŒûE|ë7p<*6~¾R—”{N f.]Æ&‡•è…MÀNsr'=d/UMzW¿¨8ûÎ=ªŽ´n¸ÚvDôÓM=×ArY8sœ‹ªf(ú²"’å®êvj×;¥ôŠË7/“æÖö¹]Ë\Ù”7Ùë•azgòá¶gÌ)RàÞ%H}!³¡i°Re<Ñ 7¡%ý¿¹a¢d:£gteµIˆ­¨*’
-‡–oü‘éO' °xd"뙂T¯·3z ^‡ø~LËÿ¡IÖBcP/giй.^ÿâ×úÔ¡/jƒX©ÛQÕ ­€ÒÆ-Ô¦4Ê{Ù·hïgZ¼'ªF§ó.²$2ÈÙB Æúž07êÅÌJFØ “|Àmv®å·Ìù´"Ëæn0jª8xB¯QÎïïˆþ”âÞþÐßÙ«À|˜­jiu›¡lQæ5ý%ßzÅŒãÎv¥ú…>GïÀ•Nv.óY‹=Šð ðô"¦k ¿E)û›™,$i{;vÓSë œ†œSW¿BPPúËj…+ýá{ÛÏáûg¬ššLœ/
-¹,6:üâƒ^ÔX'€å9U¿œ‹fkM6¼¿tî˜è^‚(Ò2g¡I›yÕ²˜RôÓ(.ãcÃÿBM¶SaÓv¨‚/uø¹!&jìdR¥ *ÿ!´BSJ‡ã !DË¢FT=B–žýÏm+›ä’…0Ñ
- ’¦ž~o8LÃć4»DÜ϶ÒlÊô‰'´:Y'ϵ:X–¹ȃKKÖr97…ü dé2
-{¡„Fuœ·3žÍÇoÕ‹Ü2C7§jy¸-Í@Šæ,dL//¢„KàôÌ°FYîÊ„³Ýþ9Å™
-*–÷oz ×PýÚúŽÇä–G”30¢ ò ¡€?Žê)^¿)’£Êw8:B-sìFDò±û¹Õ.¯ýaËmwñ¶ÀBUôz8sš3&¥JÎ|ñ$¡9ê
-¿’ƒ½[žBš´¾™Kåd H*ž±yÈ"ýƒß ýzêXê>ªµÌWÕŽ“Ѥi$&N“yu°BIsŒŒÓoLª¸IòD·»ñŸ’ÆãÇ•ÑlèE)÷—¡OŠÌ:˜¶O-h/_cÂ:u* ý ‚(ÖÛõî9ç}y}F)ß×]>9]¾¬šæù%†­Ž8[pµŠ Úˆììˆ4eAäÙoÀÄÜ# Ò¹äY¼I©[ˆˆu÷Ìp•)ÁæDÚøõ l¡ù})¼ºjoÌa %h1•l­õíP”Eöd¡‹#ò!Œí±Y‡q4NaB¢#@÷3ÁÜ´*ìåFÖ‡ù–[>¼üózëþ2‰ØMÌDn…Þ ÜwKØ¢Y(i£X‹ßüƒd¤ú9ò ¯L,ÿì“^^ñëàö­ÂóY%)µ4ÙZ\ÔötôÕW¯ù­i ¢7,qK“ñâ”-Ç?ÑúE@•àë#¼‰&+ƒÄ0¸Ø¡¸04ºœ5Ö–›ÿë“WåÔ/¶fLƉèß‹›¥0³<IíºÛ‹ÉÄ[t>Å¡u±yØ°Ðu:¯Û{®[’ĸ2Ï}’ cu¶Þ÷²' )¦Z`‡`\… c¬—ÖÙ±{OÑØD°Çré ám;€¸LÐl} JÜ„Ž6 ‘nþ‹‚>°§nºxŽPc=‰6pÊè)L[‡+»†%ª}'¿P°aŽ‘45¨lG½>(ÅûE&-#Èkií·jEüÅ×Ö "ŸûmUó˜SvL „„§=ªA2Ÿ¶_5J¶Ôø¿ÒU‹‡_O·V°mîl=
-æ7ÒÁÒq3‚`¦ t.Ó„c‰Nä•×wíÝZKGº¦Ô›.(ðÔà^æÕ—w[.,ÕZåŒ
-cGM}!;4šÍCnœ®2'ÖÊïìù®? Œå¯@9ÖË'Ñ®æp]CÖ-C¼Dû]QPÓ-}yhÎëzqã©Ýcô‚®ËÚ+›ß™A;tocšn’Éæ¤-O‹ÛÃWÓ•ºžÛóÛž:]‚é#Â_fbÈ°g‘øÌÇ õPŠ€Ú†ÑPÅŽO£ªõdU “ï6dÍpŒ‹bçÆ©\¦©Þ÷Œ­;£&{"ÿÚé,–ŒO_»ÔÇÐ9V¼47M=ÍaÍ]:mÎïGAã›P.4”ªþ3€ãd—&•É–è*HfÅ„÷‚¼M:ÞÌk(g
-4–·öÈZýjH sóG··»èV üY).üjcPÌ¥’»nÞÝtïw¼RÓTÔBÇ
-ŠéÑ:kÅÖ ›r}’õéŽVbbérªïHÎ7Õã³ßêí¥‹_©¼“×2[ëAõ°çô­JCRz!»‘<ùq3mÔ¢W[M0hÒ VÊíaL¦3zb¥ÿÐCNãú?O“lVŠšßÍÒ4Øë>Rj•·•ÛéD[÷87ž
-vÚÑKâåÅíÍÓ¿½Í~¬?קS§ÎªôÉžµè6.¤K±“H?R‡yþnv8Âax9™:¯¼&ýµêo<çßb%ðórÿDí;Ú%§1M–UΗUÈÁXÒ6G«NJ"€Ùíì£â%Àì”w¶ðtý—_7×¾`!—
-;ÜÆŠF¸*Cb&Znf]C¡ÈN‹×6Á.þÂÑ, èW91£ðà«iK;m+úbTèSpïGsÊuÊkÏ&ALH^Ö™FV{ð$ ÝkúÝMbxáñå6ÿa˜ƒØÅYå›a¹5°þ¦J0Ëšëö“©¾é™ý¡
-Ó†©"S—Ïz_¥¬Sþ@Î lÀ£ì†D/®¨÷þ¹B­c0ˆb( º
-ƒËsˆŸ.ÍÏxP£þþ\ næèJµõN*·ƒ7A—^…¯f£èïnò˜Øc#ï|<ÐŒ¹a=íÂèœL¹Çt}N9@œí2ò“º¬ð;ŒÔ’`Ÿš瘓gÛ–» “(kw“Hˆ«fz# ü«TU5aQW.;ì§øtÁTK!bñ6Û¨Ú±A2®Èü„è-£þ|âáŒMÍU5j2~áúˆ^]i‘åe-·¨^žÿWeoÙ~äèžÞÊ„×Cô®ïw= ý² {ì}Åï÷šNå)àÒ„½\Š*‹Jò|±WŽMí¡±Òøòo- kÈ“èZ±Õ6"Ù™þ\W7ϧGÂ}VÁc§Úª4ØXoM7ùwÂá›P«cþÕ’Ûl{lY B‰©Ù/šÌÝÖíü¾ì–­˜T¡ÁÜ?ï°êšš+‰¾Å’Ñs­êŠGô†äv5¶ÈÍÌ?ÈÖ§éBÄ<wsÕÆصŸ×ŒD¦¤9 ߥKòã_Ý»›’«á`Ž]} ‰µñnÃáhDÜÀÂ\É&*NNk…¤û0œ†»™¥ ›ýÔº˜Å9}­Q}lêœDª0ŸœÛj2wü“¯µJ÷‹¡œéÃvµvz¬,Æ}úè"öìijƒŠyñý›·î ’±¼cæOˆq¸Ìpãd:3ö¬Õ¹$c¿_W#ò4ºÑ1¬ç¥†Á z,8ÚÈÕD-æ h•’ö5Cº ͧáƒ_%wÒªu¿ â#¤Ç”g!]7¾ô/BŒ]eh©IKôŠ2¦WTŸuÊÊŒk84æÍ¥0Ç‚AÞÈ;b•1b°mÍH;í>nôÏ¢ÖR /#NìqHºà0gÚ…>tí°§Vûa¶ ˜/æöŸñü |¥sçYà¨q³Ý,ÙŽÆ™(®” ¿œ^õÏ‚~¢­Ö>ʧÐÃwHv«;ø´þâÎMÌÿ$ìe ™´´_ÚژтX–KµÆ
-Ú…W¨•fI•M@ï±–KÉ­7‹û)Cc¢ïS`…,8'Îl[stÂ<¡\nc<BU¿Q×ÓãäKüŸþ<¬ÍŽÙ»¯ÅƒúÉM€^ÆÃT»Ì«ÓË4 §¤Š1´\Ï"µÒˆÊ®ˆéâ]x µŒ'ƃÙIÏKXPõ}BÎè‚YÓÝ2Ä6å¶ a«í™TÙÀô&†’–Àiû‰Ÿº¾îpÆ4
-~[ØÝñ°Lå ¸ ¡©Ûa¨Ë=‘yÿn¬%YçYt½¿Ëú7R¬lN%mÄQ$: QŒ²›DµØ†È¨Ð¬)¦ÃºÊìH%Ûß ^>«¡T&8Ñew‹¹ƒã'}'ÅrW÷ ŸMì7#X1nfœ÷ ~¸ŒÓ2Û*¡U§ %›ˆÁÇ:èDMÂ|Ò.Ž«ªˆàc:š®)IËü*ŠÎ¿žê³Â:
-ºâreA5n!Ñ…êì]Œ¨ÁºØ»‚õOWìõHƒ:Ô…—‡uÀÏk2Q:ú†Édf¬š¢ µ‡$EÏÐï8f±æ™€âNØÔ@Gœ¹}\=ñõ°¨öˆ¨‹¼_W/nÀÄbÛíÿ¸¯ß0^8U¤>¾û=O?°g›¾U̧[aý;óþÓSX¦ä”gÚLÁ´·¹‹.võ@/Ò&ÿ”i:dÏk0G£u¨ð“rÏBž7gO‚w üúàü•–”À‰KY&j øœ7¼r 2–á°WNÎxëh“õÒ¿Í7§LŽ„×VC@]ÒÖóºÁ*óë-Å ÃA;}üvñïiCU…—.úZl¬ õå?²ŠcHÕ¸´Ôu½ö!» »†ó±œW‚Ñ/ðó\Hvq•bf€úOÕy3¹;¾Ð¤ ² ÜŒ°š'ÿˆêIܯE|Ÿ¹ š­p:ÔC9èc
-gŽ}“ú£qÍòÛ¨ù›ÂN•¥•îÉ/­„¼Ÿ¿¨ÎwýéN­ъ”⃞êöÉ(ú˜i.ŽJÓY{Ê…ë߃ˆêo&ãX
-Ë|åT¬N!{¶ L•„«a` K=ETBÔSEÐATMb§œ
-Q‡Æ~ËJlQ‹Rü¶×ZB§©{g¯ ^x™‡¾m€ï¨LŽ1p%õïø×ké\¤~}ôO½Ü8Ûu·×çqÏÜV»ì*æGj¸ÙÛ9ýèOâ÷Ž<M×mÆô|UíZ0¥—¶µ™r'·>û’VuûtñCv.¯ÉÞ¯²”ì U=Ú·rèöI3 Í¢¹ØO7( S~ãÈ”‡ «ÒÛšt”š®`½öÈl/ÅY¦37›„Û¦š ;ŠôÑ à<‹ÆN–T‘Z.!`ßêã…”´I¼M%0,(`Y³¡mm¡ §<!È’WÏX®l‘«oÎFž5Ô¥ÕÂYe%13ð}‡yBjú$·¢³-71 \4oà'!¿¾¡Þ­«’[É2@2´F´‚ø„ö€ñг…ǬÜÄ#ºÅ[i©R(|˜.Èm‚F x¼HÃ>&ymr¦-åɽ.§æo·œ¢ŒEŸ¼B91Œâƒ!ÈD4B\\ò.½ Ÿ†‡b.ô¾=ƒq™“s,|Ö?¼´~8£»»³­
-Ñÿž¶l ÷ö" •äjÓ`Zo…hbµÌ}åÏ0—ŸùoÎ*˯µŸÞµöñæ/~ úÕ'Kü@Tƒ¯k5{<‹i»ö—ROBz@-+µyÚª«1èûŒÂ·–µZë¿ÊnòEp7âPi«ú€pV¢;g.Oã­pÈTA3V.ÀÙòV…I’]UAÍÊ&¯æwú{¥,¿f
-ý’OP\h{†!Ë/:9*ÁþNª‘À„y†Ý¢›¼~¸®<rÍ¥Ø.k¹áR\ÄKÀõ=™Ê³ô¤µéšàš)É 
-Ìó¬¤^©êzX-Ta’•éÔUÚjLØ–‡ÁPϲ ‘ Ú €,j%‚‹Bè_|³yŒß]¶to7ɹ¿"Á¡ÒW¾7ÉÔ9NÙbdÌ÷Î2s—O‹D"—MêÓ†l›Ñc,Å=Æ/¿ÎWDk¿þ-ţø¬‰tF%ÿÐjwÕïS;ù^É£ ñšo?ñ
-ÆQ'?ßœ†*×3;ùQhþà“R¿«A±FÌb<\gÜÝ@ƒ×oìfg,ÙS¿´íw*0=a{ æŽ!Ù5"OBŃð4ûbü[ïR«r‰2Ó'VìÖĵv\PjÐÝh «»Œd ­ªÌ'3çÜŸ¬ô£uªü”.ø¡×cšÎO
-DSmÝ÷dU«TòȨr7)z¡mYÅÀX˜Ä5ê¦[Ø÷ËÅŸ"f ‰@êéqD„ç™Õ'~ñHA[€‹Vû¤“õ^C
-ݓ׀-xú€°šNce<Pdc–0`RôA˜‹¬ß”™…r8HXÞú§Ó•~ «÷®tOý08em_¦;nÒB0ÕüYÂð-'y©_‰ôÛº@Á=¬È*ÃE\ŽKδ¿ÅÿØÙ½/™‰HíMâÑÁ8g7m‘ÿ{<Q-u·´å´_;M;S1Dá[ñ7;žŒØ‚†ò”ÎD!m÷í¯`èhpÚh16jä¬Ö’ØŸ¸*¿v/¯`%–ëekáÍ?LhÎ=”v‹…}éƒíý8ÔµÑ89riL&òëcO ý‰„iŽý†àÁ¸¬Go›‹Í²fÂɘz(¸—¡3
-ßÜ}º^hîëgŒÛ·S~¢Y 
-ÄSä–5“˜{'Ë¡esøücl\î½gˆî*š1ŽšÈõ¼3ª¶è:ÃegMvc¦‚Ê癚ËÖ¢&§,€íIš®Ø1¤¯à
-©*É&;jDú`çsÞ#)„Ê4s‡oEcà &ßÙIÉ;qÝ#K¸n›å¯ý´Y|”àŒmãø•6ŒÊÑé>Ÿ[å˥ߺŽ1½é˜Ê®aYÝ«ÀF5PYåaÉ|3ãä¡ïbøM@©Nyav.åh­nî×ņ®ô²¡RŠÅ—ȬŒWyŸ¦Þtƒ7×ÔÀOkB¬œC@ƒž©êo´dÏ “I¿ü“Z©þä}\žÅ’gÎBT…bM+5êõHzJžìfy<p!uš/ÃúZÇÉ vc&Bãž³'˜3{âC"Ã^z| 8m§¥ØÛ#¦ÔjÞ¿øËú½:¡(Èn‡óÐ)˜âq—4Ù¶³dÑåÚ³;AúGòùVQ°!‡®´$ú>®âq
-C¸ÎÞ•¡‡›û/ìë aLãdU±Å,[g¯úWСÖX·V7~æQÈ¢%+ð?éצµ!ùUè³Êk5ãø&Z£Q‚É [äxŽ-b÷uP…#Ïñ¾†E@qIÀ$ä;®ŽVçæ$#ÜíkôëtJ€\¶p5žr„º‘¢€$|H{U¡øæòƒK]N}¬ò†Ÿ€E×D°
-FÏ-¶ 6© †Â ߸ŒçânVä^… ]šMg\Ô<C‰é>KÇ·ä 9·/£‡õü7o¼¾¾Ð¼­ÎÉSö'ž”Q®¬þ´òB†‡Òe|°ià”¸[‹_Ý‘†6ùŒë.'¸cä½M½åÕr\S>‚K䃔t§C稶h5uREæ‹LU§­Òƒ˜Oôz VÇ‹;¬¤'áS™ÇOXñË€¿®›¦™;µWEƒeÔ #:0츜BøUª,ØÞèb
-Òó…2pÈ^Ù†:0|&e¦Õ,?‚HFkJæU'ý!qÆYµwß³HžÿÔ«œ;…ª»ž–3ª[œé@—hžÏuãrnL‘;®ˆ=bªy7¥E>°áíîä=HøŠõzŒ³šâs|Ó߶ª`KA
-Œõ_P-ç'„HS
-Л¨'ÁÚæãy¿ˆ Re†êi[‘¯²2Ê2ýQ%™ÒZâû®žm-c¢‰LPe³o“=ÒÜi:èÑ'Ðr^ùÑ­ßÔ{?z$É&aM%*Æð®iÞ ïÚ‹š%4Üôí#6¼±
-´!;h¾þGáÁj2Á|O¸D ‡?ûµ“îw¹´`ªÓ¢¿¸‚’cçÅò¢†‰‡Î·¤ÌaŸŒÄÆ툗62A»wÆÕ(†“Øs/A'viÙ.Ü]Á‰µ‚7*‹4¥'O ¢ °vŒ÷øF34§¡Æág¢O¿u¬.t¼“®rõ–s}/¸šä”ôÛºö˜#=ÕdrõÔVL­WVŒªÙÄKã‰éS.“ (Õ;ãh"’€}R>•lÏs¯ì³²Ô!¶‹lAËE:ßy&ôœh»Æ2©×Äë2+Ù®HѳÁŸ¨0An´ë‡Lš@°ƒy‡ß[q8^:ZËÄc hjð-¦B _¦–¨ñº€ÛJT§ûš5j9È«>Ú)¢Û»nSÑj=³ÕXër÷Hl_—rß:¯0)]F: ”Ùtë,,pQ£î÷s²•õÒœúåx.Þ!ª±…» šMdÙŽ%󌥢À>­×בtÍýh;ÑN}ÅO™~ìx[ôÒ[ ô)Ò`Ç™[z€Ð¥Ç;ÿµbä¸ ý· ZÛ±ýW=mVùD×®9, «Ÿ³e,ëKj}Ü üï J¼,®bðýÂò3Þ2¼ ­h=Á‰U,jï%
-ìé×¾ Ä92¯kƒG`µÕÂKþ{|*Œ”)ÎêÒˆÁÄRéAîCêD´Ó®ïÒ‰svѬµ>cj
-6müÍpHr£\Ik[xi×$¼šÉH$S<ÂÐ]­H;"þÏ] …h!ÎK Ùç wœÙƒaƒ!Wo§têQ‘21¸¦e}œDó—ýªM¢Ê&ëÅ"þçÍÜ1IpÅQè—{ØAÛ»kJ‡³÷4°6ŒíîO«Ö*“YŒÝ*³A"Õ±«Ì Õ r¤eKãùŒ©$a^Hœ›Œ×ý‰ÞFïNûé)•7µ»‹i?¦: ¤®ý§"×ñ—á
-¦y¼5âéx Î?8€†,ÄÙ%š¼ø*%q$GÐ]È%\íðÀ¸¯±ÆLÆø¤z*­Ë"7›U0ž$¥¨ ×”€ïøq*櫸×\~ghL[ü ¢rñY{âkây9‘ä¹_­-¡„­“ߣ|ÒœZ¿€ë˜û.†zžÜbé><ZwúµžËtÄw/*‘ê}5Tö4[Ï*ùaÅ6y¡W;åRÊØŸ7¦½jJAºjæ”ÅhÜU–Fî¦|ð¥Ûê:]Ù+ärå’ß±¯µíju:Ûdí>1aNÓßø–à—ÒK!5hI¾?K3²< áŸ,ÞÅÁ¸²Ü$j:=úzåmÈ_N4ƒ˜Fäûq
-°’胱«T«þÃ5jíaƒ"¯‹¬Î×Эô'7kˆ]ú†A§òuSà‰epÀƒZ˜%ÆÅ…¹­Â¬¾=úð¤´~¸Pù*€üÕÝ+àŒVd˜¥ódqɈÎEX—dÓJHÁ+°:ƒÊ}Ð)#ôø@ײ!R»ÿ©€£ì–ù
-;\ùˆ¹¥e7ÍHÖx³¡l½ [sÉHù[êƒáëXôËUNÑõ¢i X–Ø«c4ë7û\Aº0«<{ Evg]8xp[lZщ5õè¹r÷ûGâÈm*Nêê:Q+|‡gµ}ÁÞ\d„äO¾>hžDä¡GXnöº +b¸¬óÇ;½<nõ ÄߺƶrEiO8võÞH•kö}aq²2ß5|LÇŽ´Fa
-ÐQk|/Û9¾ÑxÜÜúÙP7˜ªl©¼å© 敱<ý6œÍ¶Â=Ÿù …3ñTI‡@TƒÌ07ƒI`5¼áô‡lcoƒ|áþü]¤ãÏ(^¡¥µºÈÕ6ÿCÞŒ Ú롾—lšÒÚ´ë÷aµ1Óþÿ×Îœÿ3¡
-šþˆ/KnèEKØ(xÆÈìƒww¦\3¥kÔ!›ùÑÆlð›Qe8‚nÛh’8¯tãær|BUw•Q“)€gÏ£ŽWºè¥@Pñ„¥¾‡LZð7×(fÐlç9¬Œ bf r·Ñá·šPæ}p
-øš*›íßyýá“ãûB/1;Aì2ÕÙ3ÕSs±‘woÃñÕ“VÝÝíßv¼¯å¹ÜÆ{¯’XcÇú9'*:ÞÒˆVÂ)BSzŠ)Xý_ƒÓŠÖpm{§z¼¸—±u±)ôc¹ÿÕ)€+H2Qi·'Âڱ׉×b@akÊE¿¢vÉÃBakR‡å:›ñ†‡Fˆ~¨êÈ’Ìm®g4šv~\œI©¸
-^ýì¶<[7Û-ú%çq´Å5mââËÊž¶t“Bdc;|WÝÚú7–xSyåÈ4ØÇÖv´¦×Åõ Q«´˜„2ã¹Rwr\Œ¨ÇÂCÀVD
-­`Ú5øy÷»é@k"¢™5)Ï1·ØRù-DÒH Ö»¼ÍDdM†o3w»5Gv`LÐ2îä¯uÈoêb—r›[ˆv^Ð^P€ó]üQ¨‹ÔS^?¨Ïóè_û³£ 'C2T5ÍyÅ [<;ËÛÜ}‹hLé4mMmÖéҎ/À}"ÑçB0%’éVE~µb(e’ ”峕UòïiN“ýië€ëÜ„{X#Œ=dÓ[娽 ÿÆOƒHð”£Vê ªëvGJMGÚêåÄLX^9ymiZPpù˜B5«¬Âø#…sW+* ¨)¨OñD¾Ë_*Ïøy81¢ÎsY×/NI„8wÖ¦.¶v.rþ÷¥äïûˆÍžá¹ˆ“¤;éë7¤{®ÈEÕîÄìø‘VYƒÉïÌ|ÝWN`ÄþÅW‡Ù¾—›º‚ÔÂâsh™ËúÊIÆ(ˆxó^m¸ƒž²Ê+»O':QGrçÉ×æ[XFRž;j¸±·ùI•šà5A
-endobj
-953 0 obj <<
+/Length 18167
+/Filter /FlateDecode
+>>
+stream
+xÚ¬µc”¦ÍÒ%\¶»Ì»ªË¶mÛ¶m]¶­.vÙ¶mÛ¶ñõsÎ̼³Î7¿fÞ×ZWFDîØ;2“„P^‰FÀØÎÐDÔÎÖ™†–ž kacèâ$cg+M#hgm økd!!r41p¶°³6p6ᨙ„MŒ
+Ú¹¼h˜™
+ÿß­tþFÄÖÈÎøŸ)Qr6°5þ;XÿËðÛÈÅÑñ¯žÿ:ë þŸë¸‰‰»‰Ìê’W°eZfºs FîЄ°V_èPˆ}I½rQ•]·_Ú¯Ž
+ýêÚ†)ίVÅ3ûÏIÊÑtk²î“«|\ŸŸ½È›¤ílT‡tº%ðéçjQ^× ÒÛ`š¬ôª‡»
+Šº¿? ð¦Ú™¡®Ÿ)üºø£?Ù#ø¥ÖÅ¢u 5
+p¼¹'M/&&ˆ”$PÆã`¡Ž’küˆÀ7:~†ù“EœGå¨ð@[&É—çZø±Hæ³mÇ•)û~õŽ/š§§{<V U—Ê®]¡Ϻ+ã>!¸£C}²§ªM‡×Žì ÀòYÞx°¤þQá¾ÒžX¸Éªi8M;:6ÂÂ~>egš1 âCP2ƒ÷M·]òþ2Mÿ½ Áø‡Œò!0‹v'¬tHèúøÁ“zQ<†ó3í²è½*샶_Z¬ÌòØ ƒ,bzLC âZˆ`R u„¦åý´ØMŒ23­øGt~æ§Æ[G˜bCŒ¦8¢:f˜8,Šðjze¨ÂÈ.ŠCFÿ9Xé°ÍÀ#Ãì¯?–@FÒ*^€ë¸§­áì•îŠv>S
+Vs£€·Ý‚ª M½§Ä0š!a9QÛáù5ýGdõ÷u8•ô _ Ä;+·¹V«18önQ±ù-Í“ªT†ã~í-oò„lèq#]Ïè5>ÙI]n'„ç ±š»-¡ØÃF޳ˑ#¨VFFàѶ|Â0§öN=Í}åÌ_$
+t•úÂ2"ÄB=Ž‡Ãýw=ÓS«;vbƒŸ¼5­µX@_»«“E¾˜}e)Û.B2*·µcÊ~êJ“õïðªÝ
+HÅ”7dv“Ÿ¼uAeR§Οµ~·" ‰š~(w·äpÍÂØV±Ð¹ÔškYòV¢¤‹|B>æ¾s²œ¿­m@e¼É¿ý†‰K¯ã+ aØFÁå0~¨¥?V· £f@;ÔK)”wrïÕ3“ÚîdܲDúP(ØÔÔøœ™ Ð]yžv8Pé¿]Ú½ýÚêPÖÀ¨Ôl6À·¿ÔÅ ÷.Îe‘š»¸‡³ÉˆÎà'Ãf9õ›e
+ÿÂøkÄ×\²)1]8ƒ‹h¥OmfÈßaÃé“ÆS“Vò ùëRç«W <³˜&ДÏÖád­y¡¹,˜÷r¢ógoº1Fî×ô ;Ë•˜,ÓÚ»W,¦j?úÑsvÕàÚž.fê"Sp/2²+hÁä.èö ú¤ õ´ÙUÏÕŠ<J@öÜGP`rèº)Ò¾7Ý#‚•ÐvN D!§-„d/ ¬tXzzÔót߆å~à(H5vèÐéA+ºË\ƒcù;0·ä8†RVµM+Ž“€=ªIÝJ´H«’ Yì‡ÿ3IS¼,µ‚úî@r—ÜMhŠ”žµ•ŽÑ·X˜2O}ôuͨõ0ÿL˜îáw£[’òœƒëúÀvWp„ù-H$÷Ä]øŒ“Üm­yïèúAêñë þ£ë†‡^Çe:rg1pæ­eg¼60¢Œ½ž÷s¸Ûü²èIü#-(öÞÆHTŸÒƒä¦ôp fñíBOÞµ âU1C)áÏ3&E&>êîì–‘PÑS~†þjêÏCÔÆ…O(Vô|:ÌΧ¶™¼ Õ†kFr6MmvY4I.m‚à8¯ä‚Yúl—¹SqÁH«³a²þìz$ ¬jÿÁÛè&”—
+]Ké<#
+ç©^–v©K}³ÆëY‡ŠA%E FÉ‹PßƲÍDäÖ›‹ÄÖ¤ÓMÕ"]™¾ÒÀ‘;Z H·Fh ÀÕQK-‡a³ýý¥¬ÝÒŸ%¥1”NTæ¹$Å#¤aîáÅ3Áë•F?Ê·ØcªjÇc_Y0Zì÷–PÒLÕÃ(
+-wã0!sž-,¼‹¦Ò—t]§Xü²Eùh€ˆ
+ñ~–Ä-®ŽÈ$`òôtMÐJS]âÁîâÙö,se, -+©ûцò½Šs`Ü&—lÁ8å²£âDÊVÜ´È”'ãÈŒžTFû"ìçÀp‡LÒýêÒÊl
+Ê^þ¾Œ* Ð,Ú!4\õËs¾‡Vn Ý ‘^gnaž](+P>—[¡õöã¹Z¾Áxš.¼—Gü3“Û\+\™~ó–F]µêß+IU½*7»àd#ØÖbãBî *m‹'g¹D²m)•SA‘X¬0Ñ<HX°‹aXtͤlýaIG™V~¼#) $IœÀÖŸôv"Sóy3¦³NUáÒ0鼯k‚%(jJ0g.3¦JR¿£°ø¡Z€®ûÆÔŠxI t¢J){CXí 9Í^<ß&p3Ü5’¬*|$õ/Š¤³†ÐXjšÁ
+¿ÑÙã]šÑI‹óC’(¸-E\ôHˆ.çÎoBŒT…ž®5:@¬PNkþùò§r¬‹G³ï%馒ü“8™¹/qî1ðBÅWXBÕ½¿ý¢†Ùј©µ?‚\Jík.ê}êS¥Ë€¶‡ÕØâÚL> $©Ärå`\í ww¤ƒ¢¶óŠŸÀe
+p‰ïå¬tpy(¶ÅŽ²Wå+\FEÝÔóG9 _AóÃDYß=N¿×€õÙ]EÒ8çÍŠ£…<M®Ó";\ÿÐæŸÜræ¹”ÏY`¸0oÜ{sêËXsïrìjƒx—d½+øh¯µ%â!\êR-±COÑà9ñ^
+n
+t^B… ’ y‰ÜD·@µ˜¾Ó ÷¡°_z¶2µ$㱘Jó¢a“ÖóƒTp;ÕTšeIM•t¾Õ5Šñº u4¦ù>†ð<î>Õj Úhá:â—À–Ü;Æ¤ß ïáî¶ô„¯²Óyú6±¯ê«¤­—e\>‹.Ò¼Ãz@Š=ü¹v³œ¬àr†¸/„:΂1“³r_ûÖ‰½^oa~sïªÌ(¸dœúvüa$ OÐU¯Õ’
+Œ:¡G=ñ›– æ@,º€5µ³äj²é49èC’Fˆ´d|cp¢ˆC«°'»M~”
+3¤î§Æ¦ÊgZÉSe–¤õÕo0§Œ"N%¢.ZV×¾(ÜÊ1*”ë´Z½Se´™·Jè¢]¦Ûq¾½EÆ.Ó»wÈ N÷§`|Å»x¡ÃEGoVH™à÷˜brÂ$µ=¯m ec¸—Ÿ¥wlÏÓ²æ<-û,ÖzÅ/SwCþĺuŠ¦4˜U…ÇtÚ3grâÖjR\!ŽóãâhÂÂÛ#²3ðtâ‡çe… *‹ÍãQÈ8òù)ñ&Õxô€Ä ŸcŒDTyÔ€ùkÞÒd8ÁE Ñ`Š:›±ŸS°J™ûçÕ
++fÃS뜊”]W¿œŸ_êÓj™#íþkËÏáK±7FMM:Ö—
+ß\ ~á^/r$ŒÀô”¢_ÆAµ¹*ó«·töˆðNœ0Â2g¾I›qŲ˜\øÃ(6ý}Ýÿ\M¦]~Ãv œ'eð©.&räxR¥*ÿ>´BSR‡í
+’†ž~÷/˜ºñwhVñTÞp8Åx–’lò´ñGÔ'ÏÕX¦ÙeÈý KæpRY7ùüsd©R2{øzuì×S®‡/Õß¹Ç$†nN×”rp›šdYÈ6^^„ñÀiaõ2œñ§;½³
+Ó”ͼ“¹hÕ®û\,´§É4.O65%FMuCC\ŸìO·­:›’Ï)_7><›[ü}e‹'\Jöè@Lˆ¨kÜóqY b½âõ~ÙM¹®¬e|IóÎj+”ÏÕcb8-šÎr`FžËÁ
+?“‚ø½›Cäãµ¾Kd¥¡~–?aÒs‘Dûó¿øuÕ0Õ¼ÿÑ2_QW#¡JÕHH˜"ñjc†"”â,à9¢]ŸúPq“à9Øjuã<!ŽÃ‹-¥Z׋Tî-E›šv0mœ×^ºÂ€ujWâ#¡€(ÖÛñî:ã~~y
+AÙF˜/¬³cv ¢
+°adÓ@µl¯b3@³õ5ÈqâÛZÐ…DÜöýø}`OÜtq¡FºlàÐ’6!–wÈ «ög¢ÈcÁ!ÅkjòQØ{½“‹õ
+MX†“VSÛoV ù‹­®áG<>ôÚªæ1&×m›NyüÉxÜz®×ø½©Æû™@ Z<ør²¹Œ‰HoskëQ0·ž–v€“3…¯»‘ê ðCx,§¼¶cïÖü»~¨cR½áœ W-îyN}i§éÜR­YÖ¨P!fØÔ²M£Ñ<äÚé2c|µìÉž7àòàÊXî4Ó±V.‘z%‡ã
+²f â9Êï’Œ’f1èÓCsî\׋Wí¦½tM.Ð^ÙüÖÌÚ¡xÃÃtƒD&'íÈx`iêHÌþM‰ë™=¯í‰Ó˜>"üEº4kÖOŸ¹Ø.r!PÛ0*J ˜± øj]YåȤ;uYÓlcÂX¹±*©§ªw]#kÎ?úÀ=‘3·;û %âÒV/ôÑuŽ. äLSN„󅆘sOó{QA~ÄòŒ+JþùîÃv²ÇM•Ì`Ipå'±b@{FÞ"kä6”5š Ë[{`þóbHsý­ÛÝÙJx£
+þ¤ûër½ŸÌ©‚³fÎÝtw4N©á*r¾‹m€ œ* í³3Íõ±(‘V[‹.[³ïäÙ“ÄƇGhÀÜF~pðmï­ÒÎ ŽCeG±üAÒó¤>ò(wnB#Ñ6±Ø#fV‰è·Ú¸ù0 e/ù:Ò!î^Í­A[£¸ ª ñmD04µ3NDԺɌ-~zÏ_ÔªçõIÈq#"u2íõªîð¸ç…¬Gûó„ZY5ÿs«^ÉpAþqêÆè§ÜÆ œÐÓxwwå£jåhZ3 5Q««Ü‰k«²Ÿ9O8²škVä™Úh˜R¯‹åã *LãBÊP³‘³]OA¡P†´¢ÖŒúK•»ù –É›ýøR ÒÍXäôõ*B ÅCòýÚbŸ.v[¥Þy#½0oÆo}5št+zÀ˜²³JA1-Z_{µè*DBC®O’>Íárt MΟ;#âø³ õ¸ì×Z{©â
+ï¤ÕŒæZP=¬Y}«’änzÈN$OÞzœ Ûyµ¨•f“ytªT¨å2û“©ô®©oZÈ)ß৩Ÿ›§ Âæ·3TuöºäZ¥T^--Ýú£ÛzµI8çu`##Pô9ðQ£¦‰*²J3ŒøoÙÛjûÜ÷øË ¹{ ¥ïÑómÕå}j*$ õž$Ó;¶£B
+·K=‚'h²@ßóh‹•ÊŒ7¯µŽà8X€› šÞÇvÐkÊ]àŸSü=Η]äÖ¥ajË+*¤¾o²ë”¤0K>ûÊV$öåÄgÞ·y[ФÈèYW5")JÍì!h¼¿di|!6]$ÄÕXT}|
+È›`”¸5² å!4/VqT,ù’ºÄ÷·Ýg¡»Ý?€¸Ò?FE£tK´²uÀü,…LÁ‹VoùÅöÔ©:Ë\ݯÓ&§¶*á—sÉB½hšYiÉÐlóƽ"΢N
+ióÜG4ƒ˜Y8åË
+²á²‰Š.²%§:‹™»‰A{okÂÏM›—ßçB/Èñé”ïÓ²fOk¬ù]ìŸá©Ú$UGÏ y›j‰Âx0NùSîg3V8BCúZqœh‘à­ÃÜ8#ìêLÂÃ-]ñ0OŠÕMærÏø¸MÉ“h Z&ÙÒ¬­¦Qõ5eJí"oëÙ¤è ]yƒ³ÏãRÒu?åþ>®Ó(žR‘²LŽA†»vÐnØz²)‰Ä "’xœìd‚W[f¸$àµF]ˆl,1 ‚Y_jžæ$Rå›:ˆGlå)^ÕÈÓ;3ò šã«ÔJ˜+͘ŸVlkˆšu‰ýÍA¼ fO""©íˆ&&L}sjÖü¢|åõI™m)ýïÃkDÒ…~@XpY>+À8cæ¾8©=<VMò­/<@Üš©í½éëõéØS1CöJEï5Öb“QÛ0o·e­árÀ¼ð6Ý)#/ ÎyMð„½%tFhSTD¸ €>_£Öý‘Dbws»÷³KøbíBw§ªi†#sXꇈz¶Óe¹M„[ÎûÑzjÇT¦o𨉱Wr§'Kýeö<¥„v³;¼(§ŠÝ™]
+Gzߦ@ª9L惣}r#f9£¬÷B/o´þç~B3l?9uB¢˜”ìÎé‡v’ëƒó¢²‚»ß02=·2IL./4í ²ã…±>…SùÇÕðý|žO`s}ëë ˆ“yúóŽzè7§@„¹‡ÊòÙ ntæÌYv‹\¡¸Î&Ê™º4¼XObæŽ{´N¢ý)­< ‡¨ï ûß‹TºA|夯¾Ø†ôak×J¥0 SPÆÐ>*®á7—æµTå`ƒ_j¿iþ <ßB
+,«ÁË&^“V—[*%
+LãDÉæú5š³YèûÜw'Dà†<ÖP²?iȯb2‘sÓ'Þ»ÈDcûˈ‹b˜\]ƒgLâ1Ú÷sâÖ³þé|Í+Gæxïô’RÉÝ8V³-ÑiÉJëÑbÄq5¸kr‡¾éÃø}$ªÎaunj”M*qœsÎàFi7pîßp¥ŠF2çØÀOªAŠv’/|(¹ï~ g$dß¼¡ïñâG*†ètÛ*»_xö«|l‡|¤¯<ÒQ’…µ·BÏÒbˆÈçSæ|UX¥¤³ƒö‡kmƒK.¢^>^XK¶Z“–—õ"Ùj‰\O__y¿U2N3•ÆúÁÝùæ²v3©aþêâVùóìM $EÆs^+îÉ%ºœ¶ÉP.LY…Ätï'FøHÜvq¡ÉoV'¬ûˆÇÕÝ3Òm¹Sì¾ÀÌÅEKð'í~Þ*žÓñžÒ­CȶvZÕJ^õA4m²\ƒKýa Ž³7_‰ˆþÚÁvdª®”ÄÇ0=£m"=®b."nÈ_§XŒH/zþóÕ›Uí MígOV,¤yU—.* ±™\QšcÀü˲²>^å„ ÀüÏvÁbÀ ï q[QFÐhXô.q±îõ_=B’¿Bƒ0qù™àú9Ã@ß\1É2Xü¡öaã4réZ¿¬î…ý`$Wü‡ž††˜ño§Iì¹÷ZŠfåmñÕwû‡òk%¥g©Á®j¢´ç¿¢Dù¥ÐÐÈáFyßÄOt‡á¾<1‹©Mq.Ú¼}-æöáA*zw*üË3{È%äè‘x¢¢ÒÉe)õµ–—òð€ÃŒÎ~£'ÜÜ$Ëÿ¾±†å‘?`âÕa+ºéòw¢äp¨3ÒÍVèe=å’vˆó\pSìy÷X²ud;oª7Ím²óù+÷góuÆ'â«‚â´d|ÇÕÝ S>ÿ>\í8âUö¼­´Œ¶G=Ù\ݘîÂqX¢¨
+œ_ðÀ,9°(öhgû¡o¯jÌÖ o4çþ‚‰f…]Ó좙žÅm)ÜUþµÞíQSßïקãW m‚dôåvqMàÙkN‹u¶üû‚‰L£R©i nAÝt]«¬9éT±fNûh}¼#ô ÃHNº *Tñ³WÅ.}*ZùöA0ô‡©Áše¶`v¢ °ªC <Î<š”¯Šì6-MÂÁr¹Èhݾ’ÎHR=­/«ƒ<öí€i"@[®/“pR¯óùwUëz¡••zÌÌ%»Æq
+ÁoP! ~}(™ü5ÌÅ9Æ;Õ±Û´[H.¯Ÿ³ìdÔÑ`“ ÍÙJ¦S1<šH ë¸ÙìÛ ¼°Å˺Ì}Fµó¢¨(*XÎò~¸‚„Ø€gؤqÀìSUhyxZœª.
+YwBæ­‘03ÐÞŒ}NÔ‚‹hÀWºœÌ+wßÑl“1Ë’CQС6]áÐw\‘’¦…Sqpi& â?sv«=ë¨zøÅ£ðí½;Ω\º c=EB/›´™ý‘“5eª~D§ãƒŽ&Þ)^LQézåÚÈ»„` ¼'8ÌçvŠ ÔPææV•Ìz(ÞjrHOZªî,ôÏz­Ã7í,₸ t!>Õ¸¢¯Ò»ûÄ&MÌ6ª!ÛaÏãJñ¼oÖ{aA¡
+XúoLaùÐÚt¦@a³Ð"—„S ½ÍϹÎóSß©×C¬ÞML[IÁÄL¢Jð>¥lg¼‚v›ddÆ0¬Åü!½ÈœKis÷ŽúÃ’bk\¿È†€ŒsF
+ˆ;övû.Õæzi”Áí¹œä`f “s(éA¶R¼¨2á^: Ä!=Žfý¾‰;ŽW§c~µÁïnS¿‡ï9âÉLšß<Úφ¹Rëä0Gc­vѽ I±¦€¥('§q 9õŒË
+ªþ® æ¶Â´]›†fŸÔd:šþ‡|B<ƒ?X2¾6ñIãpËxCCMS?ILÑE[¤Ÿï9 _ýïNòsª¿pÜÜ E²A™µ,¦/ŽAd-ÝÌ¥®T[c—[Œ”ƒAN‘í녻ͅOXUÅÑã¾3ýªõwåߣ ¨çïSR ™¶µTJ]íy©:­ˆÍsÆ[@¥*sÑÓSyKÃOhÏ»E'”ˆÛ?ˆf’‹¶2楄pL’
+»BÕ=Hv1eÛ¦š¤ÎûÂÊt Û>–¶,úÅÌÞ$¬Ü¸éì}-160ŠðÿàÏ“t¶û»i$¶ñ@]¥4‹µyñahïwn
+F×Ë0Gn‹ÄŽÕmâ믔õÜ“T^-ú 9]5pšzxë½!‘ PÊ Ü§`;¿¼TŽÌN®aÒŽà C›½/Qð
+¤}V£×ÑÈv®_`Î…,$ ò£3¶â[ Þ¦¶J,‰Ìߺ‡ÃFŸ°¾ÖÀªÄ‘˜qhíÖ Ö˜5/$æD*ÔU›Þ‹]áÙ´*Ìz6£¹©2Êõs+ÈÓ#'R”±(d…ã½ït"-HúGÏ\!j´çzóPêû7žœF´Áë¼&·æ›Á™\} 6tê¿ØÎ9Ðe4¨Í´ô• ±B’}¿O„,/±²X1Én·ñ8o'’¤¾5Ð-±„'j#^)\ ³¼ÃŠ–Ì?äNªŸ²$+ïц Žñê…‚Ýxš™C>b1¯):ÉÃÐ]|¾ÇÊìóÂý=(eѼmoL=Ë ÈŒžÙíÏÕ*9Jö–à7J’GKé/cLò L>[úHAÆÞª©µÄŒ'°‰i5b¸ «‚ݧß=ˆ†ÅïJŒ"J¥É±K¢>Úûˆ_1]@hünH%|Ñ:²¸ew·ý¸90ôBK&×åw5Bzh¦’æ¸YdÜóæg}D
+V;Ü#R™'Ž5ž%g|!@1žG½Gø†aU!Ðs…R÷+‰µ\[€gÙ]gÑŒ:)
+Ô‘LN¤@ÉÌh"OîD½’(ko]¬cúÔ=Òü¸…&TΨD´mÊE%JƒÉÞ›’~9Dªô˜21xBou×,ÚÔ ™Q
+Z®ËoÛ4ëŠ*s³°ütg†©NeÔú#‡ßìF¹¤¹K¸]C•f/ZЪ}¿@ôFêbM̼¦K´ØËJ®?L›^ëåɼo¬àÜ^Såõš¾qD¬E¨ÁOÙC¦ª†#¢HGd ·ó¡Æ‰APHöʬãÒ_I
+Þ°S, LqÎ*™C •–ëüðÓ¨Ájl>ækøƒó
+þ„ÑŸœ¥*´ƒÃÜ! Àr™27lÛNâøò,% @/üùjÇëf­„@´RÛÛ¹Õ:#Dô­N tAÊ_‹+fQ$'ß“_­9ËW„~cŒ“üŠ¶aÀ-Í<Õçxî~)Bfvd%¦Zýd4Â*Œ^ÓÐÎõ(“nÖ•Á7†Îr{S¦æ”‹ÏF/h8“¤s$ÁN…t´æzi›
+¡â¸0Çø$øÖ;¬šƒyëMŸžü tý LïXºªA- ø]·ö•9£ö˜À[æË#­oÏ}ô<°F—ŸA¤Ì Èúë…¾KUÇÅÎ}Žøv^¸úͺÛá´„W…Qo;,@o˜ùQ@&×_}=. š×Š˜c¯(¬t\™z±g¹8§Ú±ŽŽÞ¦LiR™‘KÇ>\
+
+“;·!iÍ1w4!Iõþˆ÷Ûû¼ïðy¤’2¶
+¼–I㊙•oh†ÿ9œ¡–Îí°Å`û>C¼]ûÖ ãP[iéº5o™òS·ÍÚ¦b¸ùP7xÊp]_x+Rl¥Ã×z/CUO² âRÀ¨lX ;²
+VÍ]êAy³XH±ÔŒèyÒLåýkoù"-Õ6_XŸs(GÕjØwOÎÃIÕÕ\‘›"NÚGvB<dÎ2æUøõÇͨa'nœ"dáõj›K†·…éÀaµ*»Üz^YCOs´’âUerÕ3“®©¿*̶^qèåSømÄ“—´¿Ìm+V#.MïäîuS³°¢º ½7Rz·Ú•DÊ£{ót§UYEzØ”Qù-t²y˜’…[ O[UÜW¨‡³!¨ï5ý ¹yK=n¸±u».5®°Rë¡fð¨,¸V2›è>ÓˆŽ…¤Yô·ØfàÄØ(ßÁx‰!´à‰%žM>¯Z)
+å"UØð;z¯Ãg«Ô«¼L’"¤Ú-Û‚ Ÿ‚xwÒ×~ e]bþL‚¸=V›Ïóð¨-ÁÅû”Cª³;ÓÖoä®Í ¨ÐÒ&CdÊÜÞ<_}9Ížsßú–M©’£ê˜Eä‡S+ø{ðåÅ1Kg¥V£2¾ÒÁ5«È–­eéýê õÏŠ½SÅöÁ…®ÙK¼TùГ®°zc†\wír,Ö™yÆTôfDÇãF^±–ýtÚ|¶«w]’ÂйP
+¿,:Fp\îŽr|0`Ï!ÛÍéy¾.Nïè^(%×½ñ>Ü0Ø]^ÒC ‘$®Çž5~<ðrpÊÃz>ŠPãuÍx{¿šècAÊûß·™ÍZÆ~œe·9^|Ø™ª´:öÛ9½0 *ÿ}ôõW'¼D>½³}=à -zžûcêÈ^‡õsa`ÔúþçBº&¿¯ÈÀ}Ü–#üÝ×õ,¶…ð€5nXœ`KÃ|Úªup´ëqª£¦Ws•³Fþ»‰ûë»ÕnË·+1§!NqM;Ú¦”+1Åôä@2Z œXÞ%ÉŠû:bj
+XãÙS9´½ AÄŠ›˜ì \¿j‹Gq‘ñ YÔ4Ûûª2x"…þ€¦Æ">5IåñOù¼Ðù)þþbZòZj÷Ö›ŒEŒ×©8Œ†–BY‡tç÷]Ü þ×™¢Ë€9£ýd%ut o¥tÃØ_‹Òs¼#Žp9Ä RsˆNóÊ Aα›‘my_êB[öéNU9Wɶ¿~›ê?
+endobj
+1238 0 obj <<
/Type /Font
/Subtype /Type1
-/Encoding 2149 0 R
+/Encoding 2729 0 R
/FirstChar 34
/LastChar 125
-/Widths 2159 0 R
-/BaseFont /CKBQFL+NimbusMonL-Bold
-/FontDescriptor 951 0 R
+/Widths 2739 0 R
+/BaseFont /AXOYUR+NimbusMonL-Bold
+/FontDescriptor 1236 0 R
>> endobj
-951 0 obj <<
+1236 0 obj <<
/Ascent 624
/CapHeight 552
/Descent -126
-/FontName /CKBQFL+NimbusMonL-Bold
+/FontName /AXOYUR+NimbusMonL-Bold
/ItalicAngle 0
/StemV 101
/XHeight 439
/FontBBox [-43 -278 681 871]
/Flags 4
-/CharSet (/quotedbl/numbersign/plus/hyphen/period/slash/zero/one/two/three/four/five/six/seven/eight/nine/semicolon/equal/at/A/B/C/D/E/F/G/H/I/K/M/N/O/R/S/T/W/Z/bracketleft/bracketright/a/b/c/d/e/f/g/h/i/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/braceleft/bar/braceright)
-/FontFile 952 0 R
+/CharSet (/quotedbl/numbersign/quoteright/plus/hyphen/period/slash/zero/one/two/three/four/five/six/seven/eight/nine/colon/semicolon/equal/at/A/B/C/D/E/F/G/H/I/K/M/N/O/R/S/T/W/Z/bracketleft/bracketright/a/b/c/d/e/f/g/h/i/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/braceleft/bar/braceright)
+/FontFile 1237 0 R
>> endobj
-2159 0 obj
-[600 600 0 0 0 0 0 0 0 600 0 600 600 600 600 600 600 600 600 600 600 600 600 600 0 600 0 600 0 0 600 600 600 600 600 600 600 600 600 600 0 600 0 600 600 600 0 0 600 600 600 0 0 600 0 0 600 600 0 600 0 0 0 600 600 600 600 600 600 600 600 600 0 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 ]
+2739 0 obj
+[600 600 0 0 0 600 0 0 0 600 0 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 0 600 0 0 600 600 600 600 600 600 600 600 600 600 0 600 0 600 600 600 0 0 600 600 600 0 0 600 0 0 600 600 0 600 0 0 0 600 600 600 600 600 600 600 600 600 0 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 ]
endobj
-938 0 obj <<
+1217 0 obj <<
/Length1 1612
/Length2 18760
/Length3 532
@@ -11154,7 +13817,7 @@ endobj
>>
stream
xÚ¬·ctåßÖ&›£’Û¶mWœT²cÛ¶m§bÛ¶]±*¶­[ÿsºûíqnß/}ß{Œßšxæ3ç3×c“)ªÐ ÛþŠÛÚ8Ñ1Ñ3räÍ­:;ÊÙÚÈÒ)Mlpdd"@C's[QC' 7@h ˜™L\\\pd
-ŠšRò
+ŠšRò
üªm{|ÓÂv¸* Þk‚駹?ÛÜ—Ní>ö¥©F{1­(zR€—ùøÞ$T}¨›ä4 z%ˆégQžW‹²ÛZìŒê»“JÊzÅïPߧ;X`®ž¨üH\
üÐIí|ŒRëc1:QA¾Õžž‘'?=R Ž õÜ@öíãÑäÄÂ’ñ¸@ ’GúÙçà h©Ux†SA¥7!àÝ´_}jt{êå‘‘â’FX˾*šæ¯Ù´Ë¾'A¦· ð&Ê9H¶îWþÀ¼žŸŽäJœæšËýZw&sÄâmŸ
쿵$ œÉ„®'~
@@ -11235,35 +13898,35 @@ i¿5xÑ@>,Ïu> w?tiÓ¶0ûôIÏä#%(ù‰ö
^hâŒð·¹ œ£“hZ™Í/øÅ_à7œÀ+P¸¸&&êåî$+Nȶp®Ô ~I(–»c¹ÚŸYªÓÅg¶%ø¥p%ö>­’H¾iL¿\ÚõÐß(¦µâ_«8Cƒ—R{‹
Žµrð¦ëØíû‹0Ê{‡˜ÊQê¸2‰«Zœa‰ƒ†*7Äc¹äJî„I›ÏüìÒ]©æÁ 1=Š¡å©òñS€MX¡¥GMøªéþP¢‹:*½ÙOT9†ÜD¨*ÀzÞÃ*Úž“¬ÿ°Ë_hg
‚œ«ê9ŸjˆŠ"J7Þ®(ðhT(ìâ ª¦¼ÜðÊ™§Ä‹V¬áÝq
-oò]ç }£¯9B‘7õ· öœH{È­’ëæi`T&éVÇãs"¹‡‡ªÃßÛçVMo¼iá÷׈â{C„^×;¿_g¿`,·÷þ2 Ún“ R ɫǶ]ÅjÍuib°ƒãÏV!QÏÆ>²¦aO<ö”ñOÁxƒªH²$áófe°§Åû›ê¥úКxÇÑiêÅà>ò$­–Ìy"-Ú-ŵ ôý‰¤Ëq ¸ŠÖˆÕ"™[Ø m¥cA¸¶¹"t8Q+PK¥ìó÷Ñ”¶ëÛãh_“ ®$+ƒº‡¼S¾ÎúÜþµ$áØ™éezv~7EhÅZÞ‚¥ÓªãHÝåûm®Ý‘(ãŸÄ"Þïòwnúê›»ÉÕ”^«¦
+oò]ç }£¯9B‘7õ· öœH{È­’ëæi`T&éVÇãs"¹‡‡ªÃßÛçVMo¼iá÷׈â{C„^×;¿_g¿`,·÷þ2 Ún“ R ɫǶ]ÅjÍuib°ƒãÏV!QÏÆ>²¦aO<ö”ñOÁxƒªH²$áófe°§Åû›ê¥úКxÇÑiêÅà>ò$­–Ìy"-Ú-ŵ ôý‰¤Ëq ¸ŠÖˆÕ"™[Ø m¥cA¸¶¹"t8Q+PK¥ìó÷Ñ”¶ëÛãh_“ ®$+ƒº‡¼S¾ÎúÜþµ$áØ™éezv~7EhÅZÞ‚¥ÓªãHÝåûm®Ý‘(ãŸÄ"Þïòwnúê›»ÉÕ”^«¦
endobj
-939 0 obj <<
+1218 0 obj <<
/Type /Font
/Subtype /Type1
-/Encoding 2149 0 R
+/Encoding 2729 0 R
/FirstChar 33
/LastChar 125
-/Widths 2160 0 R
-/BaseFont /TBCZJF+NimbusMonL-Regu
-/FontDescriptor 937 0 R
+/Widths 2740 0 R
+/BaseFont /SQDHVH+NimbusMonL-Regu
+/FontDescriptor 1216 0 R
>> endobj
-937 0 obj <<
+1216 0 obj <<
/Ascent 625
/CapHeight 557
/Descent -147
-/FontName /TBCZJF+NimbusMonL-Regu
+/FontName /SQDHVH+NimbusMonL-Regu
/ItalicAngle 0
/StemV 41
/XHeight 426
/FontBBox [-12 -237 650 811]
/Flags 4
/CharSet (/exclam/quotedbl/numbersign/dollar/percent/quoteright/parenleft/parenright/asterisk/plus/comma/hyphen/period/slash/zero/one/two/three/four/five/six/seven/eight/nine/colon/semicolon/less/equal/greater/at/A/B/C/D/E/F/G/H/I/J/K/L/M/N/O/P/Q/R/S/T/U/V/W/X/Y/Z/bracketleft/backslash/bracketright/underscore/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/braceleft/bar/braceright)
-/FontFile 938 0 R
+/FontFile 1217 0 R
>> endobj
-2160 0 obj
+2740 0 obj
[600 600 600 600 600 0 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 0 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 0 600 0 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 ]
endobj
-898 0 obj <<
+1160 0 obj <<
/Length1 1620
/Length2 20127
/Length3 532
@@ -11271,7 +13934,7 @@ endobj
/Filter /FlateDecode
>>
stream
-xÚ¬ºct¤]·.Ûv*I§cul'[£b§bÛ¶mÛ¶­Ží¤cwý¼ï·÷>cŸóëœý£jÜk^s^×Zë5FQ’)ª0›Ø%ìlA ,ŒÌ<
+xÚ¬ºct¤]·.Ûv*I§cul'[£b§bÛ¶mÛ¶­Ží¤cwý¼ï·÷>cŸóëœý£jÜk^s^×Zë5FQ’)ª0›Ø%ìlA ,ŒÌ<
šþô­¯œtGLz¥ÈéQž7K²;P?8˜Õö¦””õJ>`ˆg:Yánžiü(\
ü°¾<Ù£ø§6Äbw¡5aÔž_|M<}~¢î½…î?$¤Ë‰…§äuBþéçC(øC­B¼ªùÕi{Ju ¡glŸÏÏìC(»ƒ¢ÈbÓËZÁçjð§fÌÁpC@¶
¦éÂú”/é„ÐaF)¹ìÉT_Äü AÇDF@’_²– z¿IÂ>^"ò“£œŸpÖj×Ñm¡HNZ¬¹Šù—;Ão{ô«OŠ—©š}¾ŽÈïqM gÀÁõ@‰Î
@@ -11345,1245 +14008,1711 @@ K› ÀöYt^¬evQ&57Ñ„t9Æ©‘;ØQLV2²ûËI2­U^¹¨%Ô~ŸŒ×ˆzW
p
íSß»bò7+֘ߠáænÍwˆ'£#µE°nx‹¢PšL~|ö4KQ¦–!¯jn£ÕªîØãVBGE”}œœ Žý­Ð{ƒéV³”Vã0¾ô.¶Tv‚Ì|` °SU[¸U!&ýø7 >hI£YÉì0…òÇ*껪¦úݳj€í¨ž¨ß`Ù?8sGx9g3ÎîèñÙt÷:n:—SúluHx‹œ›ÍÉPo·«ÃJAüÕh€ß¾ÅW'ˆÃô´B ¶q…¡Jˆ`“ý kaæ®´bg>–MO”¶æB8uk—ÄþÙ7)Çê®Ü¿5GVQ(ë¿P­m-FG*åTA¸¡WK2z)· Ž×?3Ì›QOl
-¹ƒ%ÔÕÝÙêjý¥÷áõendstream
+¹ƒ%ÔÕÝÙêjýÀâendstream
endobj
-899 0 obj <<
+1161 0 obj <<
/Type /Font
/Subtype /Type1
-/Encoding 2149 0 R
+/Encoding 2729 0 R
/FirstChar 2
/LastChar 151
-/Widths 2161 0 R
-/BaseFont /VCEKQN+URWPalladioL-Ital
-/FontDescriptor 897 0 R
+/Widths 2741 0 R
+/BaseFont /APNYSM+URWPalladioL-Ital
+/FontDescriptor 1159 0 R
>> endobj
-897 0 obj <<
+1159 0 obj <<
/Ascent 722
/CapHeight 693
/Descent -261
-/FontName /VCEKQN+URWPalladioL-Ital
+/FontName /APNYSM+URWPalladioL-Ital
/ItalicAngle -9.5
/StemV 78
/XHeight 482
/FontBBox [-170 -305 1010 941]
/Flags 4
/CharSet (/fi/fl/parenleft/parenright/comma/hyphen/period/slash/zero/one/two/three/four/five/six/seven/eight/nine/colon/A/B/C/D/E/F/G/H/I/K/L/M/N/O/P/Q/R/S/T/U/V/W/X/Y/Z/a/b/c/d/e/f/g/h/i/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/emdash)
-/FontFile 898 0 R
+/FontFile 1160 0 R
>> endobj
-2161 0 obj
+2741 0 obj
[528 545 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 333 333 0 0 250 333 250 296 500 500 500 500 500 500 500 500 500 500 250 0 0 0 0 0 0 722 611 667 778 611 556 722 778 333 0 667 556 944 778 778 611 778 667 556 611 778 722 944 722 667 667 0 0 0 0 0 0 444 463 407 500 389 278 500 500 278 0 444 278 778 556 444 500 463 389 389 333 556 500 722 500 500 444 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1000 ]
endobj
-801 0 obj <<
+1025 0 obj <<
/Length1 1630
-/Length2 15892
+/Length2 16214
/Length3 532
-/Length 16775
-/Filter /FlateDecode
->>
-stream
-xÚ¬¹cx¥]³-Ûv¯ØfǶm¯$+6:ìض“Žm;éØè°culãëç}ÏÞû\ûœ_çÛ¿Ö=kTªY£æ¼îûZ”¤ÊjŒ"æ¦@I{WFV&^€†ª–²‰­­‰9ÈAžQÕÁÎð×̉@I)æ 4q9Ø‹›¸yZ@s€8Ð ÀÆ`ýúõ+%@ÌÁÑËdiå
- ùËAKOÏð_–\
-ø›UY\òßuºZ™¸þ“Ûô8Xüõ4w0sûgKÿÂþÒüE]M@ö.
-`abû·Wÿ²kØ›mAöÀ¿šþ«
-™**À)—PHW£B¢ªU³m·WÛÔOrí]VÉ• $«ùqyĤ"õÂzŒf<0ëûë£Îðf}/Ÿí¤>bêFè,VØUd‹ÕƒæÔJlNÍo’©+¬OXÏ1Ï-¼§c-NÂ1ipÝ›í\AÖ
-úêì`uvdé,RHžê$žkK‚>&Y ¤ºÛ”OØ&â„o™kâÆœm§Ù WëÙÉ
-¨œ/û«Ð[BÒó´`Ûtä¯äÍN¿GfáĈHªýmVéDÇÏ“Ÿ”Ä÷¦Y_kÉóÍ+èü1pÇÒ¨åÁ³ñÂjD•jÊ
-Ga1Ã8‘¯YÛ«Ÿãн>½l•ê!¾™Ç”œ±Rš¶?àW'‡Ù_NÄåƒÆY4!aÔ„ø‰¥–
-/ÓLòFºVÕa¥¹òÞ+sTe˜1‘G·G]<ÖlI¯7E³±+’Ò=‚,Cš«OÒØor.¹kÕ /ÁÓŒ’ÍU±Hi~|ŒÖwÚkµqš‡~ƒ¸Ö£7ö³"ÄÇYæ…ÅO k_ã1fo4,ëIoböm5¹‹²O½k‚uÒ¥2ƒÞ¡úd‹j¨7W})“Þ‹¤ÐϾÑdT¥wÇ„{•ü¦ÒfËç«Ø™#K˜€Nƒh çuÏÏ%¢>ÞØXñÿàÛñÝ%rá§_&ωbksà£uÂÑj£«ÓEŸ
-ö:çkØ¥»ãÆðòvÏ5ÅΰÂÜ0p!.ZÍ2§.•`Õé;ûòÒŸ¾´E 'ôòL‹~­'"Bδ •RÛ…ê뚀ÄÌË1ú€Þ‚`0ýzл»-õ®‰ÑÆöø$·«|Â9˜ ühˆô`´6GÞ£h‹º¢:"ÎÙ;¾M¯_­µJ%îo%ÒÌnck—ý'y¾‘ýαšm¡‹¦ƒ”õíÞ*{ iwQ[™¤kžç Ë tîF!cö8äÞŠNßãÇx´ ’Ü!Ä’¥¼Ö¢¦¥Š—Î~_ó©àH¶ýÛ±1%Š–±Ú¹ Ͼº¦á¢Õ>ÝMÐAŸdZ˜Ê51Ýb1ܤɬUð/
-‡Ø
- օݧ{ÌæßÖRáï›I“¬ïØÃ4†ºéd`ðe'¢ò›KþÈé•ëÀ0 xö¯´ØQ¤Î]åhÓJ;ZL½"7Ò–ñà|êTñÌãço2R°×%‚¬Xs­üòc–>`pȸÔ¢D…Üo½I[«4uÉG ‡äÇ]F?bo÷ ¦"1I[#– x%‡x‹¹žÆɬ²×Á>Эs*´Ïühd&Cîx3Ôà9‹œkMŒ™"SàÈÕÍŠL€''ƒ™C¦eòœÿ@ËÞÀ4:%½BÔ‡?Ö´OH6c{h¦5/çÕ
-5’QÄ„Qƒœqó™0=l­\αç
-¥×$á_~Т:ò›l
-Û…úMÚ„m>ô‹'Á†ž§MýO³qÎCÄ]´5CXá*\•MN£dtWî
-BJ!•l!~X‡’Õ É•aó’1Ë"/°E©ø!Jü÷™oó§KDMk§Èéw“F±§Ûˆ{¹g,˜6Q4²«lía¤WÈw©4q’7_úU0"¾B` Ï"ø?(±*ë2­³G€ ¡fÓêQXŽŠJ5úºîÚ ñ%èÐäíb¡Ê¡ÓYÉ_c¸p'vÿЮ/]·mÐøD‘ /³îwòŸÙ|&æ>¡®GSÜ° ¯d9{¶£IóJŠK÷9fã¢éŠ ©þäÁõ@ñ¼9xŒi,P¾*=cùüà‰µNm6O—^ E› ªÖž©ÁôЮº
-M2tÉ»bqJCgª`AjI@vr]Ú@Ö *Ó ä½è¼‰_‰ä”/ú¼æ/
-¨á"R’´‰öÆ$ä ÚU W=ŽgY·'æýÕ ±M‘‚‡{}•ÜÿöA®ô5±ò½U<b´Iïqç·3Áì\³ù«çsÿ^«Qº×I?^s2XÉOzG÷6vïáæàæiðŠáãAûÍ6ü‘îav-œ2æ¯Krʃzs_4/“íBào[çç3r„¸)_&x†·¦3‘ÂÓeX’9iÏiëxêל-9ˆ‡sA\U Û=$˘¹¦G ÐñSÅ¿%ÂßR2õ«&öòôtÈZ¡EÇ£ÚùÌ.êòhnSm»Ä³=£Dý”Çõ6àÆœêk0¼îSF£4pºJÆßú „c¦…QØÉG‹Ìû,\…RXÒ<5µ[ŽwÂ×ó é ‰ªš Rš,¯þþ’\™mÄT0쪃ó‚×sõ`ÃO4â„W…¾lï‹Ãë"Z2µ0lÁ¬{¦'( zñ.9_ÄzÎãБ²þãbîÂÑëwS*ú[­FspÛúÛߤ_é~} ‹s\±š“fÿ{ô÷ÁÑ#ŽÊ‡/°² V LlQ9áŽ%Ã¥€T… h(£Œ"Îå
-Þ_#þÍ:ÑdŒ´r@SÓ^É2çQ›¨ô]´à8UY¦âq¿½Ÿžj_'åm~²˜O±ö òà –,®ùé‹‘c^·Úû…ç C)¾ Êt%E—fã$‘P9¼žˆã4yo(¢‘d9mšjW˜/¢qge>KмÎf6ÞÎ'2¦g¯,5ƒŽh­óçü¨6à«ÈÇ
-g!ò)#îLI•eÇO~,EbÛà ¢.ÈÁî=íõÙL(Bćơ=²a~¡Ž LÌjSȤk²5ž€ŸH½ºFŒ§WiWམXøwÖýï… \#A†%ñ³‘Ë2‘j Ç´½Û¡õ´„P2’åíC¶²‹’³o K,\QÛ²ÔŽ‹¼Ü3WÚ ‰SÁ™Û3èF#ëšlËñ°ÁºÌ¬§T{ô?êu5DZ—b!⺂Æn9Š#M‘y^Qi$ë\Êo#£ :“ÐÇÏq`{‹!ˆC%oÝË|°¢’N½`^¾VÄ:z´ßÂØÚ˜Å,Žž”\uyFÌOàø6ëÞÀ…?z†t+A×ÜéEî>VµÝ´çröt'ˇÅ<Ë9¶]ÄöýÞCðò—|fŒK¨ª£µ®ß( ­Â‹%SrÜ3ÀðYÙ%ŸT<RÎm*ˆæ“SÞÑ-ÏaŠC!)wȨÊ;ý&NÀêpêüôÈtöÅ;ÉÈ]¶ÇŒQÉŽ_@q²Óa–Û÷Ý n}ù‘Ûü¤ŸZù“íÓúY»hy5}îê]5P×*»a$G(®‹uý"»ÊÏc9‹z›”­
-Qm®­.
-_ Hf³ÚU;ì­^º~ÁÀÝ3µ5é øÚ¡ºø[\Ù¡&÷Ú;Mo9E*Ûí¬ E Õm¹lê·šÒqd‹¸þýà¡xZ¯ïvô£æQ¤䨟JêÅcFv£1Xc:bv´æQ43ÜËg¡ã6jÄK¸ú¡|R¹š“øÃ÷N7œô±°ÆDL³ ÒYTmN`ÄÔŠÓi
-öYˆ=~åÇk8¨ehúRZ^±V<£‘x–@#”"s•ýÇÚdÔIðP…®÷­•úz8*uÝKœdÕY…®Ùð.Ó©¬á.‚ºuÆTaˆVÇñŸC—nXЫç«j”«žŠçµS¹ Í[džN–üèÇæz ôÛ¶IµWV€A¶šéÝØNQõÆ6W
-ÿ·^]Ä“†[#"‡6]”ý¬…Xí=ïóñhé¼ÜmÄ%ýÖF¢WÛþª†Úû—tµdý
-á;¬/¨`>‘DÉF•X8)RŒ(êe+QBöìøYýú$ø𙨗wš4ÉAÑåFç[/Ìï(=Š|ú11ǹÌYfFã–s»Ø'ú[þµwù|¼ŽÇÛ,ë¢39i¯æ¼Žõšm!¸«uEÖê†î .>Pr˜áËóOªbeå£/Ï”£à?cÛ^0ô²³Ë«Lâ9}IÍv#VSgzºŽÙÑ‘ðîàê)˜¶©£p.´ÊI*ðwgÚË&)ƒâ²oUÌäšH€+ßÞÉ¥al‘BéiWŽÎG^ç˜ÀØl8„¬~ÇH/«æ5Àc/ý
-q,‘ô¡ÇúGåKco IÛ³ø©‚Ž Nv#j»£)Ÿ—“Ì·‘¶ý¤C±Œmm§
-ÄáÛì‡VJ@ÂyÜ4A“ß(9,”÷-mZË)é‹ò8ÕªÇ+“lvÕcÊž|:"Ú!ý XjñÕ,NÛO¤y|¯aëŸÚaƒ™z
-ùΦ*-Ír»b3‚Ë1<]#°Õ¤pX%'Lèw²ƒIýohZrI ®ìñõQ„è1šØ—×¾˜I×ì —UHð¢îq‡G[Y(|#8°ˆ ¾«ü Ì¡"@áBÔóѳ{¾¨'™†V æŒþžßˆ)Iª‡ýE«HÞË]~@wt<ª7çqÄEÔË̬´¥!yšj½7§ßÀÛ*«4øÑ?rê9ðgÅ£ŽÈKj…4HÍD}LÂà=™òâ1å7Ü4S¨r/êö,m@Í H΋pø^T*õg´ ²è‚V e™'&¯F€™ámyÛvîÃQŠ€X¿6~pl“È3ÍeôÆ`âå=õïÒ3(¬•éq7¥sšçWÐ)¿Ÿ•µ®K¬1¿!qÄI b^B,Ësb¬@¼ ‰ja¦•0?8ì@?N©¶ôÚo s¬y¡¸TF3ÎRer9IÎÊè7?°0x?Dtebv
-"q‚x”Ad€Äœˆ®wÒ4°ÈJÙ¼­Ì8ø¿Wöwm B\ëê ìáQïÞÌæºÙ2çŠ'=|J¸^Ö{~ %ÒffÞ2*„ÿ¹UU£î[œRnÖûÎ ç äà/︊»æÕµ±úøÖ[²@“¬½¡Í—5NCCOQ~Ù/N»ùÞq¾!ê ‚„ÙHÔÚä5Ôû3õíya÷UTE‡3BŒýóGN½Ü‡ÄlXþÔGõ“) Âå§aow;é5’-Vy3Å„§J%™èvsQ¾ó\¥Æ0wW˜jS4ÂÒlêWbØ9z%ò¶;,_*EéÃŒ¯ïw1wÙ=ò^D%IßïÿèÀ ‘´ÃΉ™ûÆk¸ß‰y(@ÞqH·DêÇÊQsfT+Û©Õ©s>ÁK@BªB¥¦¤¹já»AÙSg(c¯Ì^¹Ÿˆ<H|…vøuMgÌ[¸åßÎ e7wjrò2DüÛ6dlœ H.)=í:{˜;œ5vrUå(è
-«°;‡5Î9ø%ÏçL¿ôw_†hÝ¥‰’ 6°V…
-^”ØD>#û|ïzïÔ>Œ_ƈP‰ÌäFY„“ðÉQ[ÜȾo £zsT¸8ŽZv?=ªÅHAÓB[LÒÒâvl.èÆí“ÚGÆv‹7"E‰†O¥Ojn(`²¯—½Wb°¡vs÷;îù+®{¿ÈýÀX°«§º½[ŽÓì1˜'½Û6ˆUÊYø“÷dÌe`3ºæç³¼6àHÅ©ÜÁ­ ¾ØÅú(n°ƒù‹"uY»¦·[F’¼3  J
-ÓdŠ®ÂlÀZ(”ŸRO¹Œ»“69Û€Ìà†ûŽDQäìUJE5ý*rÍ@
-(§[$$Òè,ŠÕ%%yÔ »´Æ”V°ß{Ó(±3· Z„Ö= (0ÜHnƒ«%1œÍBz;¦ßŽÚsÌ9û=u›UÛþígàÑv±Ú9Ž{â’®0Ý
-ø%IÆãа¬"£H_|B
-DÈôZ¨K~¡ºy±'§«š—˜Â2ZSŸÄ*_Žs°¬¿áüy­•4á’DˆìG„V!3ÆÓä.¦ŸõÒÀ~Yx²ÚQ3æ0ËÉ*À‚äêJÛnïPýúúx ëW11u‚:Ow aA” ^†’ÃÆ„fÚÒRW—Ø(˜¾àBß|d9™eŸÇì x¹|nzç¥üí’]áÍOúåð;={É—êž/Ý„x_ ?à^ÊÃxVòWû‚¼%uÅ ºs+§iTO˜²ýôˆí^êÓqFÆï;ëá[1IÑÇ@ÑIÍEÃÎXq{tUå½ÊZ$ÊÈ/.·Ë3¨-Î ï_ßa?›@ñÅPlTÁLþŒ?iy1s•ÂyK°€[å>su ñ-UXr§m;¨:ª•Kó£*gò¤Åú‰᪠Y&–Ì1Z°ÏÚ¬½ÙQ‘~r"¬JÅÌ`\Š}‰rí&–¡[@²¦Ú»Eû($:¥ºøeÖÌÈ|½C¾Ö(ß~™„¡
-ö99'(ÜÛG(#?‚iÎä²q
-[(†ºÍ öt bÚ[·ö-
-HÉU
-’7ø“’ðüÅšŽ,<ëÀ¢ Ò½è ¥;KY±7¨n’7qÍþL3Œ8Œ@×SÿCŠtv‰jáY²Ž¶bb»¸iS
-ÕL;&ÜÚ社Q²;»UjNN{)òèÈù¥@Ã:è0>nOG"ýya,.ÉàÙ zi™TÄë:q!$*nK\Â)÷.¬’í8>‹ –Éîu¾J~&Õ†»M[oȳ©žJ´2Ëxy˜3Ÿ‰“ýÖ.¿”©tü.ó–5”Ï8Až «Z¦´´òÏn‘Kœ'‘[àõ•úV‡54›»Ü,eW~o§5X9mó‹jœkÑ$'<àYœ@ªùA-G-_ÚmVó ` «ú„£ù”Ó¹×”Šó“$È»²™©CÕr1¹"ÄÃ$AŠíŽ)й¦?¤Í0HÝÅŸàcËÉ&<j ©C@×Þ¶ÃtH.‰ŸkèA™ÎÿÎ!á
-u­WfH´‰6çÈPG
-.g4“Mâ'M¦ï(ŠMÑ|éÖˆð…õ²›ÓĘ#5Ç´=È•ò~u¦5Vê£R¯/®£­óHÄ®f§ŒŠN¿:¿lŒTmoú_ ˆ[O»1Â̤§ké&èIN†‹v@‹þH,€tŒt¦á>Õ'R¥•K.zgóJ˜ë(+Á5¯2ìkÚ Ý϶¨Â[ú3Änè^ þ^×ÌæQ¡T d`v+f<ñ'yжj~›q)ž\k,°ý”škQí—½`µ‰OÒ«cìÔ\,& šîJ
-íiW‡ fÈ“$#Ò±"÷qHÀŠJ\èWxZ'dô•ÿ
-'î»ìØ•Ë#>¼ºê£Z*¶ ?fôÑ1sm%$¥ž
-aþ2rž¯Y"`¿
-E¢Ì®_Q²HL‰@Zá~fNS^ÿœí^®<+9;ÚyÜúMtéÔtßæN9ïJAñÀئ{½ùMÌJXQ—DÎ+vûÔÕ†|bs”F-Ë•§EJ òó8}]ÕzÙeRéÀd.Ly’ö|ÿDl>Åõ]Ãh­W[®!ûÄT‡‡ÞuýÝ!"ƒgúˆ.’FHD•‘õÝÖÚšgì$Ð6MNâjpx#2ì,y]®“ê™ _ŽwrÀ% Oqp¶,Ô†´}–úy.Ì0ØÖ³pßãOS*³ã‡ïwâE †ó0m‘¨ü…YiEµ ‹X‚EiyÂ’“ F/ɪô¶­‚´J´ž—‡@%aHøèÕ?7ôÝŽ¨Â'’J‡ˆ2LäÍÝDœŒŸh¸Ì¢±·,Žh¶è„CYö]Ñß´­úgmkôfÆ#ÔíÈä¡J¸Umßý¶ªæö1ãïÕâ•Æ»Å†-eQCÕsoŸ½Ø‰ Í™ªLlmwÓšÞ—Jš¶9¾!&5#é»~kÃÓ•±9wX§Mk‘ŠHg¥éÌÐ6ÓÂx̱Ùõr>%Cçñ#ñ“(ž¢Rm|™$×B\µÉ AvV7Áû¯…00À(ä1˵ÕÝÝK¦Ü¹Ù~éo»T9z˜~Yã{òÑ=Mq0ûJA «ø}/£1Äí«e—Ѧn/*ómF¿Äxù q¬äyJS*\€d­-†:¯Ø]yÜÔåTƒ‡¿øƒØE@ÍfvTü6íÁ2~lW=_xãSeþ<ùBÐÊÒm"¿‹g|£žŽ/>¡„ïn‡œ0'OK_5b«F¾ìؽ°`‚ýÔš´ú&¯Ï¸?`;ãõð æzâŠ×=k-"c ª)k¡@2×Ül SÕs'tÜ«f€p!Ó«‡¢¤H|ö‘¾×Á[ú 4ô‹ê9_¹ªÒSGUPâI%¸5–
-qQ)[‡ŸäW=Òлe~ÙŒB‘»ëó´#âý mω;y»Š%üŽ@D$zfªéA%OÕtØ9ø»«óu 6’RáÞŠxƒ„ï”
-2:RÒ]š¡¸\•´²DÊ™º´^-;nðÇY~þ0Ÿ1Í»PÒø¤0«¬}¦“?f0­úÙq†cŒ¶[ú¾;¶96Ø/
-P„ é*Ë~fûiöðÐÁ± y;§‹¸Ãà’ßÐpù<3A,
-HG€BÊ!´q<6õûœp—-HM¶Ýu'¯ýôhË)
-Ûs'&ÞHË¥Á§õŒñ¾QNç—‰Ÿ8[/»'ÚýtÐMs¾Z!Å7ÃFjA¡;Pì;ÎÓ<Ø:ô‹hX[ÇñxWÓ·MéxWÕòћӼaç~ݯJürÎÇû®³`ù²ÏÉF™m¨1£áú§U, Å€ÎÌ÷;:ÖÇ9½èyÄÂ1žìPUºÝS‹QRUib3íWëA(W×â“ÙÅ€µ†„äõ6ú¡Q{I–àÆ/Š†#¿I¨
-RW¥Ï
-Òd<—ñ*õ/^›žˆu“ ”Ö†´06f¾Dx>É3ÓÐ6 $cºŽ~{V
-´.ÎlTÖ±ð`­çÐÖátžë¾±ÉŸÜÖR)z’ºª^ Å}bû»Îd7
-Á~‡+Ò«‡´¬©Bcá#šUQˆµ»ž2ßÓ5:a]C>+×­ 7ø×B
-lwÏÍ ¤Á;e£“/~Å©ô6€bDPö€Àì5 ßhàdÓ'±1ãŽÔH®—äI¯Ãz£íFR… R꿧ù‰´Ôö~ZB‹µü|†šïs>vŽ(B¯)ˆä<µ¢+þ‰>wÓ*>‰v»P°ÈÒÕìn݇32B‰;¾}0ñ\d3í•©Þlýöu>Ø5¹¿ å'Všµ«7ŽìòÂn@ÐŒ_÷ u,c!Üy&iÏ6I¿ÓpǾ
-I3qn»#q.¢+j¨lx¥šÏw$àmE8L/ëÄŸ4
-i}ü8c©+V\‚ØH}Hȧ¿`$¾³O4Waˆ©þ«ùůµbâbõê¿Þ™þz[›aó¬^QÅç¿o¹59ô>Ÿ%{q‡óx§òêÕ/ ìŸ)¨1£7i-ɉ<ô–Îy×`áÌ~)/B,ÔŒÄ ’$¯üÈà‡Š} Ðqƒq\­¸Ôä9XÇÊ&Y Ä~ÛÙ?FÑ«âÖ7AhnzräÍç$"wÅ:XÞ#uq^ß>\xb1Ò»Ïtá6J•ßOõ;‹ŽÉ–a¨Ûß„f {âe# zP$ü®)И'´³ýyòÓûÕn&såÚd´‘ôòh0×Qš>™ÒsA”>2Ì„8¹º—£q}ªé·Lm¯‚Ódx¯N›GQðLÚþ‡Yô2V÷«½ 1±ÅµXè*ýõ ÷q¦69+ÛÞ¥Ÿá0ë8õ¯Ü§Xî´ÏÚæs>Þ¡v5js+¹¢ˆ´Qaïe÷
-á°âÐÑÄÕ—bJŽãû—"oRc¸°€~:ƃKÚX^ªðTp—£™#›2¾&úÑj±7ÊLåzm-5?ø± %;7Ü'GÈav&³}.uƒîãÑ-ÏAmixûÞ ¢²c
-MIª\ÂuTØjGI-gýÂÓ–GâydføæÅxÃÃ,oÛ.رÌ*_ùSÕúƒóØCkëÚ™­¨·>]ÙrÿÅ:K¥ÓS%œx
-æ¨5-lçÖwŠ?v¹Í“!‰P£C´é¹2üÇ6$í.ªM¬—¿òÔöž8ü¨=Cî<:6¤Ò*À8€Ëi¾‚’¬ˆ§eœxÁ7gSL¥]ü÷MÁl϶É_LÎ[¯>7‘~KÔC¿ bÖ¡ùMÙDSG„l,Ô±ÿ…ô4¨·ÕõvOój˜ývXÚ‹>N]'#èØÌ×!óþÇ7îð*xîG™õñÌþÀ!%aóЦ_èõ\{¸®qf__ÌjävU“j3ùêEo/ž4 16ìž-AXðIŸsþã¹ßZI‚–>ÛýNA¸­s´Kp‹²ê˜"ÏGx ™?þ³Kl\jß»¬“aÒۗ샜+€uÊtC—hÇîá•
-¿n$rÝ XðD˜t ÎõÓ…”2§—n„sÞmOÆ„ ˆ;²ÃßshuåU9ñÖ&;y-sõP~K*ªÅz4rnp´}ª÷œõ)RB—+«å—>¢cI£Ž¹w× éhz€Ì\mm £MúHþ×<×|Ìï­&‰ Ÿw³s£Üë+\?VË´<=yò‹ØH»M'²ñÑ67Cøoí+A5x5½·x¯'_Ë
-c!vÜ~óÓ4¶bIpµP]ãH^ŒúÀnkLßYßÙ„æÀ,•‰)tCœrÀ‘ Çi†Ï±m$hýÈn.ÿ¶»öO¿ªWÂ[–{OFChÓ'žWùÆ*6L‡1±’g^H]u Ââa3ð¸g@—TÕL_1@d7¾ùÁ“†µ‹Œ:…‘XF.ÿ§Òfb1\ÄñSÙ£Ö®TÁIS ÒŽã{9.´ v´ôPš_$ ƒºÃ™.T€Áj”¤RÚ.zàÂiXÎ^;-”ûkwå0HMKyÃûSc-‘tkâôk'a.*bí Û¶4ŠdÇ&ž*qÉŸX‡ÒÝÓä"c°4 *+9‚3£
-cáE¢Lg%ãŸïÁó§KíÚï©=ëg‡~Q)œu‘Še7@ô`­¥¡c˜„s2¬ìe/ï´Ã÷5ØI*·[ÔrHîD4;"«hntRÉ´c¬¥ŸýÝ„u å{ÿÁØ }hë …
-¯41¶{ºQµÚâl·Pãg;‹($@QQ~:ú4¥ /麞e„¼æª't“Ê>~œÍÆTÂ={š÷ÈcW ä­ë6Å͆ÇIjË‚¶{Al ¸¸ ²œís è¹”Lª £ÈàýÞùqœöÇ=*Y€þK
+/Length 17112
+/Filter /FlateDecode
+>>
+stream
+xÚ¬¹eTœm“-Œ»kðÆÝ‚{pw×Æ¥qwwwBpwwwwn‚÷/Ïûž™9kÎùu¾ùÕ÷U»jW]µë®^½š’TI•QÄÌÁÄ\ÒÁÄÈÊÄÂPWÑT2¶µ56:È1ª8Øþš9()ÅœÍA@{qc9@ÓÜ nn
+`c°òòò"PÄ=–V
+R
+ššÛ»˜Ó,œ¶ÿ>
+üfîajîøÄ
+hjcÿOó9ÿ ™Û›ý÷úÿÊô¯ê™U4´t$¥èÿ½Ê¨jûw¾ Y¹¸ÿ¡ôw@jžŽæ€ÿ•NSÞÁì?ÿð‰Š:x
+2¶7û;nÿiø6uuvþ«ò¿6ÀßëÿÇù_ƒonîanŠ°¾â`Êb‘ ªÃÍ™×èc… u,mT+* ¨qèõψØå­4z« ejšáûh÷\>s|?üFw4Ö‡cKÝ›f~ùЗœ¶¿ý'U'7ýQ³A)ræ¹fŒ÷Õ’Ü”‹ÆÑÞ”²ŠAÉ ÑL'»3ÜÕ#m
+‰ªV¶ý^]n?É÷oŠ üÐìæÇÕQÿÑŠ´Këñ¯0AÙ¬ŒÚ#Ûõ½ü¶Sz_“Ò¶Âæ°Â¯£Z¬4¦×âÚpj~¿H]c}jÇyŒ{ì|yz0Òä$·‘×ù³›'È úKåWµ0wïèåóä»÷ ¦¤†®ßëÓôäNg@«ÔËfR~7øX3X¯§º<†ž‡:;D݇Y‹’‡±ÇƲ ¾qv"©Î.嶱8Á[Ö†¸gÛyŽ
+‡Ø
+œQdÓžˆo¥j›*÷ú*yèõA®È›ŠØùÞ*9Ö¤û¸·ÂÃmÈŒ¿Åû ×táú9ÂÌ¿×jŒîuÊOà7¬ä'½£[»÷HsHs¢4xÅÈé ývÞh÷»&N™3ï²,ä¯òàÞ¼«»PøÛÖ……Ì\!nÊ—Iž‘Ýù™,dsa‹™2,ÉÜïéÏé›_Ôn8Zr烹ªv{ˆW1óLN¡¦‹JD¼¥"eéUMäãëj“µB‹ND·ó›^ÖåÓܦÙv‰çxD‹ú)MènÁ Œ;Õ×`xÞý¤ŒAhàI%Üú áG`¦‡SØÉň,ø,^‡QXÒ<5µ[OtÂ×{ù…Žö„F×Ï+N•W¾¤Tær U Œ€´q^¾tÆ^?Ø|%uÂŽ¯B_µ÷Åás-™^±`Ö¹Ðü|ñ.ù½„õœÏ¡-eýËÅÌ…£×ïO©èOÕRÁ]k¯þ)¿ÒÃú çøbU'þ÷˜ÀÁ±CŽÊ|Øo‹VÀ,÷QYáŽeƒTÅ€4ù`hõhÃÌ"ÎÕ
+¾•Qÿfí2FZ Ys“^É2ç1›èŒ}´x•oøLÅ~êú¼Sr6Ã,f“Å$ÖÁ~¸!’Åu£Ã¾¹fu[¨½$|8GŠ XP&k©:Ä0[gIJõ„ç)C‘ ŒÄ«é3TûÂü‘ë8‹( Ù‚.àu6s v>ñ±=ei™t„à cþ9
+ËžŸÜxªÄ®»~dÿ|°ƒÝ{ú볩P¤ˆC{TÃÂb ~3˜˜ Ô¶q-ÖTkþWBµRè1
+œ^Å}÷b"áŸÙ÷?'q ‰–Å/F?®ÊD¨%·ŽÐrm‡6ÓÃȈWw[ ØÊ.K.¼€–X¸¢¶ei—ùy¦ ÚI‰sÁÙÛ èFCëšˉ°Áº¬Âì§4{ô_ju5§qWb¡â:‚F®¹‘
+£MQùžÑéÄ›—\Jo£c ÚSAЧÏñ`K¡ˆC%oÝ«ü°¢’N½`ž¾VDÚº‘´^álmÌb'OŠ žQS‚sxCþíº7pážÄ!Jà wF‘›UíG7íoY{º³ÕãbžÕ\Û."{Š~ï!x¹Î+~SÆeT•±ZЯÆ7
+«ˆbÉ4‡\·L0<Vö†GÉ'e÷Ôß6ˆ'„ )©oè–¿aŠC!*uȨÈ9ý$JÄêpêütÏröýr–™·j«œ'“°ˆâd§Í,=~è»EÔúò#¯ùI/­r˜íÓúY«hu=}þú]%HÇ*»a4W(¾‹uó2§ÊÏ}5›z—”í»¹8NÒ7“;ðѨ
+›ˆu61j&všQÌ/‚·bénx;Á8G̾
+Xþ®qp…rÆm`‘ /Iï¨ë‚‘;ýR¨•å)’Ô`m ^f©>¬OÛÎ3[~½›ÍÄŠ
+x¯°&ù.±óh|-ö¤² K¶ÉÉ6 N¿È¿ð.·ÐøSýAH×ú¤ÅÌÞ°—‘,ŠeV®D’R¹ÏÎ_ƒ¢‡):?¨\)Ì/
+ásÆ#ûÝaØü¾C-(^Ÿ¼,•}3Ûð–VG¼:Žˆpöø ‡~fê"¡€«ËöDñqšû„\ãL={,Y6èsÓö&ÿRžéã ÎvøüÆ’ ©—2[<Â]*ŽUÍö~Fº*Äe¤A¬
+‰&$_׉<%@v©Ç1‰4~å¢få¶_±Eû´½ó*`,ÇÂÍ“)‡D7^[#¨eNÄî]›Ä|ccÌ.g‰æRuõ~êP„¨ö­þ²øwâ¯Ú ¬9ˆÆo Dà{éøk JPÔ箫¾<àØ¡{ÒŽƒ£H ˆš9Û¾>,v§ßÚˆ37ïegiZØÃÎ’~92ïc¾q`¼„¹WËmÞ/ŸªÈ"Ëùtþù¡Î T¼ 1¨3
+ŸáG®o4± ÖQÓo$øµì;ÑbV!ûykAžÔ^¶ª¡/©ƒÁ7ÙÈS÷ƒœÔdíMèSAˆ2xî^vΨÊXdºo{g@½ËZǃ¤ÃMp¦|€…¤}øí«š
+¹˜%AÇ©OOûØ+VÄ‹~{HŠ¹l…¥mß,+?(òÖÜþòHaöjZ<Dgº¢(ˆSN÷jÖI€µž„*m÷5eÉ ø;ë'{ª´äú\U·®¿nâ8¬÷Ó‘àfä
+,"õRbzR_'Ï4\ÎG-M
+ælSŒNÃ Ëù}ì3½ÿÚ»~¾-ÇÓ]–Í
+ÑÙÜôW3>Çz¶P\üõº"kw5·D
+(ÙüՅ'•±²ò±—gÊ1HðḶ Ýœœò*ãN_RÓýÈõ´Ùž®Svt¤/wpõL;AÔÑ8—šåÄx{K³íeS”Áñ9UMe›ŽˆÍ×ßÉ¥al‘Âèi×N~¾Î3±ÙpYbdÕŽðéa/å…8•H þÐeý%‚BÒØdÎö¬/~.¯mŒ“Óø5­ÝÑ„ßÓIÆk´í0ùX,ãHKKÙ©qä6ç¡•ø;~¿Éo Šœç”÷-mzË9é‹.òÕºû+Ó·œª7ÆÔ¹ D´!úÅA±´âë9œ¶a¤<Ïë­á_í°Á‚L=€@°ù¶NM¹•íô™gFNó®äìS!à{ù²gâA}*ßZ¬¾"L;¡!&{SºGÚõvÿáIt˜h<Êo`Ð W•˜÷¨º=áp¬ ]3#"ŒBŸtª”‚¥‡˜QðëÿDŸ°Xüù§—K`!6ïH©/ôyþËZ»ùc¥ÏÇÖ™„ÚÝ"ØÑ6Ølšä–ãNdn>‘W¨f4Ý…ÊðB÷=Iâ¹²ÞDŠ¡éóñL—eMåu/÷r5ÒÄØù?¶ßíž;> #ØŸ#J¬ïíýwÅ\á0NJ]þî\wL‰ËW) á«jû콪:‚ÄŒq˾t/eÖ’Ÿn…‡þàObë·¶tóÅ@Ý—†v9p%Z§ P4n¦khÛ%ý®äÇ=v±¯l8E45)ÂcŸfÕ‡³QùâïsÊ9 YbÜ„ƒlï^ë)ý—$ÕŽþ9%AÊf|(—À»‚††î^müu¹ƒŸŽC©¢p°°ð(3ïû{TªÓýᓘï,îÍÔ}»ŸÇ4¼ékv× Ð·5™\Å«ñNKå'®ÌhüMÁüúîVµü~¦@Œ1ÙYЯx¹éœI¶ä¹O¹˜ N‡6õqéà/ð¸7^–@€OÜslDåÓîjßËVS!V6U%áÇÔaDšò“£u»7Z3c‚8p€È3˜£Iº¾œˆ²#>‘¿ŒRý­Š˜–—œ-¤®ÐáZhOÑŒfuð4± wCóÀ:t²YÆ
+àé nرn¢YoIêŸ<vIS Y°ÆÒŽ5G­æå0Mö½Aˆß„«ÿ/kZâ üÂz×bAdð)9Å’6Îö‘Ðk¿Ý§Ä7#ÀjhD(ÅêùÒÓ|[Cªé¶w€áàrÏxéÈsCptE’÷$eŸ‘ƒcö2o¬ÝœSaTS¹/]v¶Ag`æÆ¡¦Á§GlÀ¢?væͶuŽ+¨Î_¸¤ k1¡v=œ°úš§¼›:ܵÍ2¯·^&,ˆ(:˜Kw²´.Ðf‚fr:=P]_ðµW2Vƒ4‹"úCñSðåÙâ­°¬Ø «õÏR ,{zvþÉ ûÕ™€”{uuVœ¬už‡ìNŸûâˆl,
+_… Q×G×züù²žxZ5„3&° S&áŠT›D«HÎÓMn@gl"º7÷qÔEÔÓÔ´´¥!e†j³7·_ßÛ*
+«4èÑ?jú9‘`¸âQ[è)µF¬j,>.¡ÿžByù˜únŸ‚)L©uwŽ6 f
+(ëI0r/*•6#ˆ,º¨YCYæɧàIfðcWζ{À`Œ" ίí+¸6¶qÔ…Æ*zcÑêZ ô,
+keFüŸÒù
+d§'¬ö ¬Âõ=¹»+¢Ûžß›-°6Ç´mQ@hbQîÀ@¾<˜õJšBHçJÑ#ëµmVi¸×0®*YEáœ
+ÒÇ™¼ïw±w9=rž„%É÷¿´á …ˆÛaçE„Ì|ÔÝîÄOÜå!ƒî8$á[¢ôbIe©93«•ìƒUëÔ8Ÿà% !U ÒRÓAšx®PöÔ™JØkóÇ×ng"¼Ð+7tF|…;þí|PvùçÆg/CD?Aæ`CFF9€”’Ò󮋇ùã9#H…Kà{p”¦§ó×XzƒÐhÃƧ ×´;{ØÉ…OÅY“óç"÷
+ãÊÅF_ÕXƒÖw_¡ØKèJVDËXcïEhÛ‹Ô— –ÙR¡pŠÔ€V§éêÆÎ~'%œjeö¯´!ç˜ö: cf f(æ’"äËèÁØ\ûÖôùiÁ<„îvÔÏ:¥•F²,ÎÒ$£ÞzvbsÓÚqÂQ V-/°í-2vŃäƒHì£ ß¬«&ÍÀµÓ©ê^; çÞÇóó~ì/ŒŸ ðþh¿ÂÞ Á†ž^tW÷´]þ¿À·Õw2tIW1‹*íàNk-ûÈȯÃîoÕ8çâ•<ÿfZÑÛu1¤u“&LÑßÂZ*4|Qdù ˆêó½ë½Sý0z'D%4•cŠHÆ#Gmqu ÜFu7â¨pq³ì~zS•>¦…¶˜¢¥‡EíØ^þ®Hj×-Þˆ-11e ±%ɾYö^‰Á†ÚÍÝïx௰éý"ûcÑ®žêön=F8^£GônW?&L1wñWþ“—¾Í؆ŸÏêÆ€#§R·¼ÚR룸þæ
+EÚªVMo·Œ$yg@;”¦ñ4] „逵PØWJ]¥0îNÚ”}0ý?ÜwüÄ
+"¯RÊ*×Qú(­À4ö³)FO›’ ‚äêàþ(ÇÀN-ÅBÁÚc·}2«Õëé¢~ÒR¯ÛûÇDã]ÛÁ›75ÑâÛ?}’^¸Ã/T89B"j':up·ýÁÀËuŠwX¨ôN,[œZÕz¡jð^[éÐÒÊB¬ ?ùéˆ&µ_8èè¯\¿T~+¯þzF¹­õ ã+¹6sÕétäïøë÷’ç6é¢MLqý/V‰{k˜ÖtᎭ 5Â3r;þªOé‹-ò°Yüeå‰4Š\uÔ®¾O½ÜlMÀ¢€rº%bABõ΢8ò1âGÝð+kLiyûƒ7õ;3»à%h#üï[)ÍápµÄsÙHObgÐô»ÑŽ¹?§Çe×ĵ{ ì«þ&ÄqKZÖ¦ ¿ðÒ;qÛª47·‘)<´ 2‰Ç-Ò¸6,éó}›‰Êá]Â?…®ù6Çœb„5ÂxÀ ž^èvíÙœþÉ ã…~È’Õ*Epב~솳ŸP§Í!ðœÚ ^*ŽÒ¹\ÝMÙàvu¸2ÈL].ÍàE´”NDJösö–êä*\Ðqeùšß±œ²ƒ¯êrýrxÍ!¸ï%ծΟÖòÄͱœ·qšZ%ªæé»V7äÌ¿%þ_ÿVš*Ý\„ÊÒ$ǬÇ™Va ÖÃVáÙàYú#gXõÜ¿Œ²ÕÞ·èêµÁ),|d œ¢Û¶†ñ;îìSJh"¬t§?ßyiKYLÚ´pØŠG?'â{âÁ:ì&~&¨*Ir‰OŽŠÜô«þaÀäOÀÝ 0ØÔ››Uñ@t°'Âÿ}û¨ÃšA0IùúL{—p.ðZ¦{xyYOÛ–©Äï´+Ü sHuOŒ¨ÎU G£–@¬Èo`ñý"qà‘±îø•¢†>MÅ€žQg¯¦ün(Nß_äz[ òô:ÕK œ­²S—|vîc50ð>rá*˜RLZr§±æ¨F÷ÓËÅRè¯%ùdÏÌnw°GAš¤’€\êÌp½{ë;îÿ©£1ö§¤Z…(Œ£ŸâÓlXzøÓ£g®éË7âE–$M@òŠŒ!‘ø„~!Óm¡.YAuõdOÉP)$0+17`´¦>‹Sºšà`Ù|ÃùõZ+iÌ%‰Õ-Ž­Lf„1®Á]L?ç©Žý²ødµ§jÄaš›ý ’«+}W¸½C…÷ .ìñHÖ¯b sú =l!î‚0Q­ %— ̤¥¥®.©Q0cÑ…2¡ùÄr*Û>ŸÙ8ðrõÜôÎGùÓ%'§Â5æ+)Éñ;wF$ö’/=Ô=†1Ñ¡*^À½”»ÑœäJû¢œ%uÅ,ºs+§ItO¸’ýôí^êÓqVÆ/õø­˜¸èc è¬æ²ao¼¸=¦ªò^y#et…Ëõêj‡sKÆÝ{%&é³ ˜P ÅFU1ÂäÿÈ8Lˇ™§”ÁW‚e¾Sî3_×ÐR…%«~Þ¶‡ª­R¹¼0Ö¡|!GZ¬7™D¡ÂmlÉ« û¬ÅÚ›å'û!ªXÌ Æ¥Ð‡Ÿ$Ûn¬ßi¶cNÖT{·d­ìD§Xw¿§ÄšU ~pÌßíÛ/“8
+—[«R^i52)úIí 8Ž?œðí•(Hù%‚¶§q‹©[&H…U½3È’PǃjÞX¡(ìÁõJ[Ú(y4\9{1¯€kÒ‰X)×'Ùʱiüƒ²{æxŠH.ž?–… Ý®CÚS‹|¦iŸÎ+—^Pcª(¿œ($&:W§||RÏä|ó­„Ñgx^­ˆI4¿,]…ѧ <‘å ãÜ5u@܉Ü Š4
+î~%³€8Áj·ÌÓ¥í©ªf‰¾„ö§Ï‰óçô$zƒ1Ž¤PP9*'+p9øx3T.Œh“öJ™¿Âõæbo¸ó¾4¯íò¯ý ~µbàÜÄÆÅëº
+ÅïBú¦·bF3‘¿Rm«v—¾NhŽµŸSs-©®Ø Vû$ß±:ÆMÏÇa£é¬¥Òžwu¸`†>I2"m)pŸ†¬)LJ-sE¤wBÆ\ûàx¼uÁ ìàà)†ý®?w-þÄÛóS*‡Û×wün>òîº佇1©úìIn\@Áû‚#–ÊI£óþmü€Êå^MåQ5Û†ì+fÌÉ)sm%$¥®2AÁ*r¾¯i`ƒÿë÷/Éf×(’eŽpý
+’EbŠøÒò÷³órrx¿Ùî…Ía"”æ$çÆ:O[½D—ÏMmî”ó¯åŽŒlº7›ßÔÁ¬„dp‰e=ãvÏA6ä“Ûc4ªÙ ž)ÊÏÓŒMëU—)Å#ãùp¥)~Ø߇gºte © wuÃ^-Ù†œ3m6vxÐ.ú»Cd&ÏÌ ]ˆ
+%"ë»­µ 4-ÎøYmº¬<ÄÕàÈVTøEʦl'‡U3ž,3îÔ€K6:á…Á ز0ÒöuXêçùpƒ$ó¶žÅûšR™=?ì¿3OZ0œ‡‹œ$%fÅ5•.," ÅÕIKfL&Ýd«ÒÛ¶
+Ò*Ñz>~|åÄ!á“;Tÿ¼°wc8Â
+Ÿ(*mBÊp‘77cq²¯„#eµˆ½eñ”æ¦KN84e
+þ&mÕõ­1Û™P·£SÓ<òÊVµ}÷Zê§@ÞMë€<€¬åË&ûqÝA_ÁXRz½–¬X;w3ª¹BË?#,d?¥®‹#{œhï1»D‰LÄшÔ]Lª0‹G€~8îK‹žo H]¤äë®ü²þ“’Bö¾w€Ö:8Y2Ÿo¸È£Ç}ÜÕV%$Á½ôK”t³ 15^@$N5k›¿W²àéîJXɺÝh‡ŒqÇ^èð ^—ÛÁîHú¸5<ºL~_ÜOùoÝ#ãP ÷C(oqZo~„Øq}·wy™søÈ
+Îs!V •ãrMLñ<'šP¾ÔŸ@¸WYÒ‘wçÿò¾Òç–Ö–V.wÚº7qËw ¾y2obW}ËÐë£ ~W·Àg¸sbj„ȳBMt èi(\­ùê“í&×ÙzzÁð4#C®­x@åHCK‚[ÐÚ¤[Þ#Ç©rÖ{°“ÈÕ84S’cmáË“áôÚ¤È*§6MM*sËY$:_Îñ¤C“Ø“›Ó¬ªc¾ìi'õs1z³vØhæ:¬—µ¼ÙùÆLå†Ò–³i]¨W@†–M˶ڧ‰I܉U¡€G‡•
+ª'>Ûf4C¸MvtrZnàyTÉZÕ$KËýaGåEìÝ¿krÀ‡~fµŽúî„ÙGé¦éåGa5ÜÓ1ƒÌZ[\ U¶…\Ðר·ü¥ÀæêÛ‚Rèmà>ñº4ëµ÷VyG~ü½m4ø0QÍÏ<5&6,Å*Ô" €öºàÏ`]M$¥¹¼$ûË«>Sîy
+i¢§£ !㺲”ÐÙmPžY1áÈU—¬h…øƒß'p¿X²0«Åû×N¿”UVÀzÔvƒÜšýâ„å®ðÕæjæ–Ä9Þr`òٷ…Zî¢ôÃ5†Q¯„ÿÖež&Zç:€âÜ3ùO7î•r+B«(ô]gþÒ¦ÈÑH=Fˆez u±!DÓÆQfl³C%q§Kõ¯ÏÖZ®^®¹Nˆ;–¤ßÀ¨ZÕS¡…ÄñÎ_\‘닼‹óDo®Fø>¦R°ÝÍj‘~É÷¯[÷oìÄæò n?[Œá)m’@©—‘Œ1´bÖ9Í­n8-MŠÝšá_jÂå­êÀ:BÝ{8J4 4q†ea: ý>F‘-¼ªø¬Oð…àŽóMA1bÒvBŽ0{«i~n"É(ãUeAqò`Z(سRl8ì|–½v:øŸ”‚'Š’^ÄÏlÇ7…·}¡…4íKœç:©ú,X…¥­­¡bt‡~Wî¥öÕcE«ÃÝS‹†=@å ´Ê×æåóÞ=hj3áRe*ý¸
+Cà ê8ÎÉ]Özá·}6ù\ø*ø1B%[3DŽG
+ŸH¡ó5q¤Ã·i±‚”p³×S“š¡¬p£“ ¿ EûÙc¡ó,ßlÁ5Á²È¬íŽÏl©-fͿ궘SOpø¼5Sy˃øú¶(û
+.3Ÿ– §ï¢Uí,?H-ýÖÒzÆ¥¨>#uQ4ŸÕÃJE,°NN•SONãó‚©;0ãb°^‰Uåª<& ²Nåð I[•Æ«çº´ÉQì\ïåºÞïñ8+ìNH‰\¶¥S‰)½0@ÌJ,yßÙ ?3FçÐi®“©
+X%Ž…¾‡¸ÝëÄìk|ßâðmbØ|¶®¶LïÄì†Ùû¸ä¡›¿å4žUt§Í-Ú'ÏxñwÓƒhÜ£¬N¦ú€·$:–©<©?æÌ"7{•åQιv – YRÀ¯Téœ'Ob­²)7_ùÖÊ$ùÐGDËky—Ý·¢ÉŠ†Ý¡í¸ sx¸ ìqŽ#cßê©Ê±•góf©õÏ)mé¼³_«´`—¦„j?ùÁ“³Û)„„)F'ÏÔJL%%›«Éw‚¦¤‰¡g¸ ¢̪Bé±¢W>"BYÉ:VS=e=X|ùÁ±¨Þw ö¼Ž”ò°=èäÚD¢z*•(J":“–ÝæÜ\ÒËâ¦òUàñ+º¡îîñ,XbAeL¼Ásg]ÔPŠûÕ!‘I´+SdDÞÀð®¼b–ŠÇêqüÆŽ·ß0º¯¬÷Y®M»®¡J±˜|‡à6RBÃðšÍØøæU÷¹¨E— 9Ò­êÿ„l™– ÅÚÎÔƒ™­GÝê™ "âX[zq3H³Üé[‹ãq»©¦-ÚÞ,ÈŒ3:I{r¼â:Ü?#©+²÷%g² X6F~“K0'Òöé½0r=ŸËH“¢“éÞiŒúR7a´Böj»å¸’CêOm‹FE „m&V”'TKõœ
+
+¿*,‰Hç[`öR{w…ÝƸ5¹¾ŠÇŸÉz¼ÃWDgãX°+>BÃ]‹BámƒéIÜ_<©œ+V§UžÌGT Æ‚(ø‡Þv9N{ Óü
+Óúš"ýSz×âת 2\Ö´ÝõØŽHhKÌ´¥sšùíio=¶ïÇ·‡¾Ü⪧–AL!¾ëø ãt¾tblkMÀé¹7AÑ|e·šáfa$|”?²Å0ËvœÁ×°(Õ‚î)=í†þ ±T1ß<” î³ PÔÚƒÞzçäu™»Óƶ»]÷so›w~ª°äƒ]ÛG…,¡ñó!XúÆ‘ŽÝo-*d~}áóÖö2 §Cv¿*ìiëÕÎøˆIXrg]é‡ ³Yèîã`"ùÞW×·sÔ¿A^nÒÕùIÖÇZˆ‹ÕúMºpnc1à€ôC…M¯³ùmlU”Ø—Xz ­ìS;ÒÁ’½yXžMÈð›’]h|¹ ˆü¬a^6ÕévH£ÊšÈØDuöGÑwdp7™õñàéÖd“ó?¢Ñ>;ô¥:žu ôÍáS>3ÞÒ÷“ÉU·ák&½þ½e|‘ÝÛZuFÒ0  ¬±üÕ¸¢
+iÑ$Œ.ÞoŠárò"~ÖùôÕ³zUF•=GÉÝ©‚~éRÜ×h4ÖÀeiâw±žRü/dRÁŒTkÍ#wƒ0&§šžh,Gë±Ãñ°`¿pLsî'úm¯=±çɱe—~–¯#\‡zó,ªÊÃã•ì9»^Bü¹“ÿC=u°cDk þD8œ/'V¶4¥? a¶d»Ø\ñQ­mÓõ:F,ÇÇÔ²\ñÎ<šr9oâ\è‰ñÓ­b]Å»¦f;Uˆ#e2S> xV¥˜ÃŽ­ˆ†ê§—jŠP™­¸¡.!‘#È÷©voÔ`ÒSº’ûþž}°S
+T S!õ\¶ZãÒJ)¡#¢:sÌæÀŽ_îR·è¢#Ô¦Bò
+êOqÚô¡9U¤ $Ö=6Ððü|Hò‹°s%nS,{¨üˆ&õÊ’—8$²cå’6¿p[Žx7íj£\k@?®ð¶ "Ü<4s=3Ña½BÚ_Z¼–âç0h^×IÓ¡gÀDFÌû"O,v}V%t ïæûüH¦¼¯¸Êi¹ò¢Œ
+Vº<3ÿiúü`+zв±ƒõ¤âBy¿e5m¨á^[ÄyaS©aŠ€()ÞŸíÆÜ=7w3ÔV³Md& ðÑÈå’½Teöä´þe¢QŽh¬õ äØîαÿ”øg´>»6¹”¼g´(>\PóÔkºßo†‘vÝ8‹¥‡HZR¯±˜(rÔs•Ì7R¶s×»LíªøŠæüz!ÁÈ U[–Õ²69§QŽƒ.[¿’6çÏhüS—Wse®÷±dßbfïyîI‡dÁFbNþ%ÕgÔÆGœ¢,bœrü(šÙÂ%+'‹ Òl£g"îuªrC`Wro¦1€5ÇCÈ…çpû¶šÍÄ]sG¹ÑOnäàrqœìZI=…M}…)äCQÊ~ ê!µŸ¾Dz9·%eÞ!­û©ÆÁ”,Ý,>׿¿âb‰lGûrs RøV0' uV·ƒÔ) É ²;^%!#úㆹå"à÷È“µ‚i4Í p#Öo·¤_Œä%±!¥Óæ`…(`¢ix¸ü={Pìr {[£3þÝɶ*\ÔvµvÈÆe~0{zŠJ"É®Ñc
+µÄÀ‹í_~ …U¢÷íýwõœÅ6o¸JÚè¨OÊÿ7E®Õ?ÿm]~»úàD¾?œñŽ¹,à¾$ôƒc2‹™‹ãé¸æß‹M|&ìšp{³×Ó\Ì «e •Œ¤·Æý:®s”CrªÞr±[G^…_x[´?ÒØæå'®Öܬž ¥Škv5‰GlŸ뽺>QÄè5ó†…¼~šÒÙŽÝ  ÙvnÂ|*ÑÐaòÝ¥ÉÿÞ^á=tønÚÖ•_ÎïxPðdòùCß•b­RæwWbgÖJ?~årοþC¬[BýädƯ{ñ h§úÍwÓ‰Ï'}2~Ñ]Ø6å°âÙŒ9û ²&ÜÔîNÖñûö¡î±`luî‹)G2O=ßùEßCùä”Õùù[
+¹ÓÏ™wŸ˜sìÇÆâ@•»¯M·åöMXvºóEÿÿu9~Û¤k²¹¶…ê¼ ª?yÉg“º”òÌÜ{ç;OÛ«YŸ$3iÕæ#ÛÏn•8²oväóŽ7¯ã}ËÏëÕýÜá?÷þ¹ësÿ„æÕäÈ©Ù÷pö.Õ`¹fýO©a›K<­ÛNîêè=|ˆuÖïD©â¹µßýÝ^Ú(šDªM?T¹CÂxÝ;)ñ´g¥ÙENÓ/Û¾}õ%×ÊÛJ®Q†…É9©‰E%ù¹‰EÙ\
endobj
-802 0 obj <<
+1026 0 obj <<
/Type /Font
/Subtype /Type1
-/Encoding 2149 0 R
-/FirstChar 40
+/Encoding 2729 0 R
+/FirstChar 35
/LastChar 90
-/Widths 2162 0 R
-/BaseFont /ZYQRDH+URWPalladioL-Roma-Slant_167
-/FontDescriptor 800 0 R
+/Widths 2742 0 R
+/BaseFont /RVXZFG+URWPalladioL-Roma-Slant_167
+/FontDescriptor 1024 0 R
>> endobj
-800 0 obj <<
+1024 0 obj <<
/Ascent 715
/CapHeight 680
/Descent -282
-/FontName /ZYQRDH+URWPalladioL-Roma-Slant_167
+/FontName /RVXZFG+URWPalladioL-Roma-Slant_167
/ItalicAngle -9
/StemV 84
/XHeight 469
/FontBBox [-166 -283 1021 943]
/Flags 4
-/CharSet (/parenleft/parenright/hyphen/period/zero/one/two/three/four/five/six/seven/eight/nine/A/B/C/D/E/F/G/H/I/K/L/M/N/O/P/Q/R/S/T/U/V/X/Y/Z)
-/FontFile 801 0 R
+/CharSet (/numbersign/parenleft/parenright/comma/hyphen/period/zero/one/two/three/four/five/six/seven/eight/nine/A/B/C/D/E/F/G/H/I/J/K/L/M/N/O/P/Q/R/S/T/U/V/X/Y/Z)
+/FontFile 1025 0 R
>> endobj
-2162 0 obj
-[333 333 0 0 0 333 250 0 500 500 500 500 500 500 500 500 500 500 0 0 0 0 0 0 0 778 611 709 774 611 556 763 832 337 0 726 611 946 831 786 604 786 668 525 613 778 722 0 667 667 667 ]
+2742 0 obj
+[500 0 0 0 0 333 333 0 0 250 333 250 0 500 500 500 500 500 500 500 500 500 500 0 0 0 0 0 0 0 778 611 709 774 611 556 763 832 337 333 726 611 946 831 786 604 786 668 525 613 778 722 0 667 667 667 ]
endobj
-739 0 obj <<
+963 0 obj <<
/Length1 862
/Length2 1251
/Length3 532
-/Length 1860
+/Length 1861
/Filter /FlateDecode
>>
stream
-xÚíUkTgnõJÀ+Å€€¸
-æ2@ Š&X$-wDP¤2$H20I0@(PÁ Bå"Pi¥´^€ÊÅ`EÁS#BAn¬\uÝôØ¥?wíÙ™?ó>Ïó½ß3Ïûó™™xúèl$vF„bHi€“›Ï €D2ÎÌÌ …!1îÄ0
-`ÃÉÁö‚1'ÿ S+›;Kø|wH°Ø~)¥¿ð€Çz£@á1ŒnF…+¥~ð²97˜Í“V²L1Äç±èÂ> @"ÙšºLðDÎ<)Ìöä‰Y\€ñEð Ù+­`ñ-!ùûº»»Ð­ÞÌu‰ô„xBñ¾¨p ¿S/Õà»K åI
-\±ÙgBÂæ C
-Õ€PŠÂa'«¨@ ð„lX
-ÀRÌ1‰(DÄØ
-±`>Ìù3lý^ú;ÜÃ!ô€e€¬0q—à¿Ç` ÒÅ ØÛb?‚¶€õè¿ Y……⥳‰Åÿ¶æð°‘Á°fáz»–CRh^urEìgçnÿIëE[¥ºW³Ù¿66ŸÇ>êC=ëe".-V^9.LJ)ô?g9œÔE/d¸§9]¢{áJZQ¹V<µ‰ØãƒJL“­yee>Ê”Gì?UðµÒÖ„><óͶí½ÓÛâÚtβUŒƒç绵7ZzŸ°4Ýl×{^sàýMø¨Ç['kãò®ïdMܺçÊôÄ‹œÓÌGíàihö.©PXyÐ[GôÙóë=Ò›¤OŒSMSÌžµú”KgÒb c~¿®‰¿“:–Q<󕇮ɘqmà¶<麒”¿·ÑØÕ¨í¡5÷åæ6+wÙG!äAëUGj ÚCùþ\¦¼Vin.‹}^…Ôäïyñ]ýÎ9_|ÆQâÕ§<-­—kw×뺻îö:e¾(ÔrïÐH£¸I®ÌÊj¹ÇÇHøáq›ŽîÛ{KÆ ÞÓ1øö+¯À\†äüJ#£exðصpŠ–©¬ËÎÈüËý/™«Ë׊J,6‰J.Æ%Òú€U7:»ÀûªñŒC9±ÌIfš^nÈÕGŽ·¯²lÞ(«Óë©9#“÷ékö+³¢õ&²JqsZ{63=Ã3ÐÝËÿ ¸CÍyIÏÔê¾çOË3;ƶ$Œù©“™Ç[_ NXM‰Æ}´i»JýS Í£à‹ Ž63šôò3ëUL’Ó~ƒáa_·09›=•zö7ÓqƒL~·±(”ðcŒåЄrÓ%{&nÄÍàD÷™Ò£Î¡ºÌØ„Øk?n—Ô‰sDeIíÊ5Oð7¬ƒ:ºÜ§GÄeŽ3ñÔÐõ(—]vÐNH¨¹®[( ™Ýaa9ÿ¬TL [¨{f€kz·îØ3ù¡ö¥ï‘“;~TS,%­ßÖìcÝŸ®öÝô:sÿ³†~îGaÿÐõW¿ŒÈ›?<¬>¦òõÉ/áÞÏo”~/øãoC¥“ëó¯Þ”_• ­­ý7‹l©Š#&•×*¯In8˜ËHÊ[ß„ÓYì€Ò<¿ ?¨=¢X—Uªš{êæS‚E áÐ]EÕÇ´y”óÔy¼Âa²²4€ö©Ë¯qT1çýù/'I¯»ŸkÔµJÊüU)SÓ%Z­¯·zfµy êÉæ¬,”ê5—ff¿»ßpÇÎÜùߥö-ëÆý‰1ö:Þ!N8Ëužüt§y÷+nþÓc1)òá">q]À=Õ*•ú”Q8íž<°bŒXW˜vþW÷]…Ê”äùÈ-ùC×+víÏc6û´<°;¶a¶ée¢…ê›Ì*OÓÕÆÅ} %•
-CbΙüðuôaÕHÀڈџûZôUuu‡Ouv%ûźšÎµKSN+§6îlï&ß•íñˆy¢ïs†ëiþ9¹Öê¤òXvGh½ w@Òs4Û[£WÆ-XÔ›[ÁyO‡ü>¸ÿ7øŸh€]Ý*F†ûŒ˜þgendstream
+xÚíUkTgnõJÀ+Õ€€¸T
+æ2¼%X4-@TPLuH&H20I0rY bQDƒ
+UQ ÒJi½
+ VÀh,, â@HøJ Iä8Ò”#–\ˆ
+pÃL~`ˆ\ª°G
+B°½`ÌÉÃÔÌæþ*©4’MµŸNé/<$“H5oˆ,Z¥„Q À¨|¦4~m.HT²™,K I%|†\$…èE${R_…¿D 8%_ !©žÆa¹`¦,¾i#$nÐÖm ®Ç›¹N“H"WnÒDÃ
+ña),ü3ìù~=ôw¸7†Cè;
+)¤Oà ŽÉDÔñŠ@ðñÆ~½šðoB¾
+Ea¹rúlbñ¿­…ld0¬†ù¸Îv„ï›™W±»4ñ³S׿ÿ€dõ¬©ÌÜiÙV•˜/$p©Ç‚EÊ¢þBã…ý:|”Áîs¾ï![ô¼}fо/GOÚž¹q¢$ì@2µžØÁÅkR3´s^z¬ègéb¶.øÚè@¯GïýfùÊÎÑåIM6Ç&æ¶Su=íÖ ÝCº»,¡už¶ì~1^Óý°uÙpURÞåÕü¡k·X¼Â?c…A¸Æ:b€ã c à>FãM“q—`r>{_}¸ú‘Ó—t×'zn‰z,#Ñ!þ÷«Ñ–ø{2 Ǿb[áꘗº¯ëÒ.IYÉꜛî{ŠŸ/iòÒ~$"÷xÎ:ÛWeßù`óÏå`ú+“å’âħ%PTAe®ÓúGq1ßÕ¬žØŒÏL ~Qqxëã¢u{Í"ÐvíÍN¿¬gÇ­‚Z,2(ª ãÚ*ñþ¾wЫ¥ýú†¢ûɲ÷lì¿ý*˜W‰ËdCþ/-2{{ö^Š¦X¹hÛhŽ+¾Üòœ5»d®â¤ÛbÅɳÉ©ôÛ»Àò+­mà]Ó`æöœDÖ0+cQ®èb
+Œ#'û”»7,ÔV/ê¨<ªÕuÙ8YÞ6ˆ[dpÖ–)wJ„G¬Ç³öerxAÁa_X$moÈKã±yOÌ殧¥‹‘£«–¦ „šw³öëŸõ yŒ(¹Öô³mEaé+4ðÙÚ5^c–Œ’£óM,’Ó|…vfS›øøîlqÜÈžc¿¹<Kêùcø»…'" ?ƻ߲@®nÌKê ´?X,~bdWûV;9;}ii‘±¸5¨6­Ù8çþŠçÎÖmïRœb’ìˆpæXزK´ç}­SRdfqÀRÊ‹¬ö¨¡¨œ–FåzGêÇœLpNç²Uë‡?´>WÒwhÕfŠ»Jÿmå&Áλ£›¿ÊÚò¤…i—ûQÔ?lÇÃÌÏcò&wôš÷šØÚ.Ý9ÜûùuêïeüíNÑpÌüü‹WuuD‚~Hûê oªa×½a㥲˪Ú+¾+´$ã5Êæ”#áEy¡g~0³5üó&·åõuÕ“é;{/¢¡›†ò铨ð±ÿ`©ïpYQ8ýSîÆ_“¨JáAÆÓ_‘^¥¶?µ¨Ö«‹C™åé#£'­ô¯–q4ßa÷,ÒNx¸3)sT@†ÏºÛ«Ö 'Nÿ®öiœ7jH÷± ÕùáÜ?´yôÓ†u/Åù÷ZħëzO0ñ©óÂo™f™Ì‡£é·t¼ÒbõñŒÓ¿­=nLß=»4ÿÎ¥ºÒµ[òX ÜÆ{´½ Æ럧º™¾É*ç¸Ìv*ìzq² `.ï-4t@R®,#ôÓùCŸžH©m‰átO´©rjsSr‚tçãÈY‹Â0½—M ¾°#þœ¢}çØTYË»þ÷=kvµÍ»qÞSs\;`šoÙeo{£Õ¿¸ßVÿ¢J°®ñZÿšÈ;Œ‹Vªi“åO/´Ûêy a[hÞ>Ë1¯©ˆsÎ>Þ`{ÁJ;‡yÙŽHBi8>º~ÿzo|Yp÷àH6‘_¿%3<ÅŸrþá븦¾ð¹1ý?w5Ú™ª«wnmÛšà2ѬN?bY¸º¹°m6ûë`×çÌ€#·'tV³ÓJ-‘5^hÒVUGBvˆE§V\0wggn©ð=òøàþßà¢vuC¨‘Ahî_EÖþ}endstream
endobj
-740 0 obj <<
+964 0 obj <<
/Type /Font
/Subtype /Type1
-/Encoding 2163 0 R
+/Encoding 2743 0 R
/FirstChar 13
/LastChar 110
-/Widths 2164 0 R
-/BaseFont /XUNNHA+CMSY10
-/FontDescriptor 738 0 R
+/Widths 2744 0 R
+/BaseFont /SNYZAS+CMSY10
+/FontDescriptor 962 0 R
>> endobj
-738 0 obj <<
+962 0 obj <<
/Ascent 750
/CapHeight 683
/Descent -194
-/FontName /XUNNHA+CMSY10
+/FontName /SNYZAS+CMSY10
/ItalicAngle -14.035
/StemV 85
/XHeight 431
/FontBBox [-29 -960 1116 775]
/Flags 4
/CharSet (/circlecopyrt/bullet/braceleft/braceright/bar/backslash)
-/FontFile 739 0 R
+/FontFile 963 0 R
>> endobj
-2164 0 obj
+2744 0 obj
[1000 0 500 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 500 500 0 0 278 0 0 0 500 ]
endobj
-2163 0 obj <<
+2743 0 obj <<
/Type /Encoding
/Differences [ 0 /.notdef 13/circlecopyrt 14/.notdef 15/bullet 16/.notdef 102/braceleft/braceright 104/.notdef 106/bar 107/.notdef 110/backslash 111/.notdef]
>> endobj
-736 0 obj <<
+960 0 obj <<
/Length1 1616
-/Length2 25334
+/Length2 25435
/Length3 532
-/Length 26225
-/Filter /FlateDecode
->>
-stream
-xÚ¬ºc”¤]°%\]î²,Û¶mÛvuÙ¶mÛ¶m£ËU]¶í¯ß÷Î;ëÎüšo~äZωˆ³cGìsb­'3Iä•hŒí MDílhhé9*ŠjòÖÖÆvÒ4Šv6€¿f(!' ;[a'N€š‰1@ØÄÀÈ`ààà€"ÙÙ»;X˜™;ÈÿbPPQQÿ—埀¡ûzþît´0³þ}p1±¶³·1±uú ñ½QÉÄàdn0µ°6ÉÉkHÈŠÈÅdU
-üPˆŸìá|ŒRbQ»š€ê
-ÏÎIOžŸÈ†ÆGG†{oÁú°©rb’p¹€Â’FúýÊÁæÓT©©jUmÛëÕb3ô]ÿ””sÂ
-Îl~^õ­H¹²çŸÈôÿbاÑÙ®ï岞ÒæNHÙ ™C ½‰h1R^iC«ÙÂ{»AùÖˆqwÛÁxyÒWcÁ·ÿ¡y÷'‡—ÁOéTñ´šŸ­wôêuòÓsPMTUËçýNÀ(5±†ÅÄ ö¶‘ÛMüc,‚¨×]EI[™Y… ¸îˆ0^ ÆMÏm}™× Ë 3ž@óÉ ª0öGƺ°>KÛyE‡“åÜTh6þÁØŸøÐJ¢w¢§æ_[c ³öB8xÕ¾Vk”Ô‚—I¯¿ä„÷gÞk‰òŒ+(}‘²Å+åýdä„P9Œ,U•äD¡&w("Z·´U¾D£|yÛ)Õ‚þ0ŽÖ)¹` Á6l¬NÒµ½žŒÍ&²˜ W
-€gÍý¬ÌV” C†û3æèºnMp»-˜…Z‘˜æj¤¯gÜ\}–ʈ}—}ÍšP«¤{}ò#U/ÉXÑ…€¼ðk¬¾ëÜV­Ð<´eÁºµýt.<Á0œ7Íw©~‹A“1²Ù°¢%îßD?âÝjÑä¤[,È4ý©
-ÔI™Èüíç‘,ª!Û^ó&I|ú,~C¼ð O¯JëŽs/)'UgL—æªöÛ'ŒŸKnõætÉËÁ!;ÙÜ\õýâÚõþ#ˆ%æÈMµB”j!ˆªÎŒ o¢†PU&ø’¿ß¹PÃ$Þ;Ž‘»w©*t!Šꌄ|Õj”1íw-¡LÕÙ—›ö‚ߎ…>ßË>#ÈQƒ›a"¦´Ú×5ù“97Û
-Ïþu¿^ù5cÔÃ[î˜4mô–CÌb^Ûe m¦Ýìž88ç}gõi.Ó 6Û²¡{ÇÙº[·:±’‚~s¼r^®µ{×y"j¾À`UŠ2f5?+ún ¸ ¼â@œî׿…@“%5£shàî‚Œš¶{++¬#ÂЙH¼GH–T l™!Ñ+PH­ÞPË9­«·Ä[ZYIçi\eyr*–¨Ö{Gnðx*yçK ’„èD2JG«L¸Vä±èG6<… †Žçð9‡X¹;‹X‡ã$]Hñ8ÇR™¿}t%بêŸZ¥
-´êÄÐÓ
-Þkvßèåà?`Hdò8Ÿáz„û%u•$õAºu™\<bxÂ0×í°–h¹ÚU\£ÑÈÖ{¥ß\«E²È²æx,3wר•Ù.$UÚr¸kÀrJ“»Ü$œ)»
-'Þõ¹TÒktÊ1 ÊYµœóý–,‚Å w†Åáù.Ûå•OسÐ-Ž^ö}ÃÊÔ§4¼°…ï¿•U;hŒIv@™È8Too?â.i¾NFNû²O *¿‹Ÿ9áäu7é8ã›
-|V뛚¢”ø±W’\úyëªb™=)ÎþWà öûI¢¥Í|ûBŸx§/i¾Úæ3“"¬ì!óYº&4«?©eL:ˆ˜¨^lHëž|´XÁSº)7x}:Z=n¸Ö‚žäQÊü˜‚>›+Gr*|wݨWÔÐæ>zuÚÐÜHq…ȃŠ0?‰Ù“]¢¨=+ûfUˆb9TV¶54ç,Te5®Åj
-–€íÖ—ݯUÛˆ¢¿ß$»Zµg-SÃ]‚.(#º™‡`¿ Ât´Üæ 6¿mà¯ò™9M}§’ˆù'WÃÙð´£ÜNæÜ‚é§$# ÁIÀq¯¹
-ýl…;œë‚$#¥Rј'ûBYâSö JLj N·—“\ð“ë¨zå0y¥~Сª{úë#Òsa¢¸²ÆfÙà´ñéöªðc~ßâ} ]˜ V42lï
-T ›+=Ý"N¸F{VwÜ«Ýê'O¼o3Mk¹‘)& Y)‘-ÍÇaÊgþÆ®
-˜r ]w9jr‡šØ[O§ÎéåMÍÏÞ@Í?éÀ0ÕíµDJF„rFhS[ͺ.ÆŠz¤9dR’XL
-fÎ$Ë\nÞq94e#q0r±MnJïù» 1ç5Gö>
-ª *Aº\Õ@^¿>V1Ö†ÑîçhµäÀɱ~°ìj-ýflâÉL8D¼ÈV©§p¤‡Ekc4²îþÝc=´BªÔ"–¹² + „›šíwp ‹ÚjOI­{4°ؘ…‹VxáOR¡®TÈGA ì³+ ®À©„”À3ã×ËbÀõøϬ¸»eéj .5ß?.4?‚w1¤ÉÙ,ðà_–yC Qöê¶9›«¾_¼­pJ-G¥™Ñx¨^ð5xŽ“L¼<k -Ÿ>ðh¼D°A€'áO¶0„0²8t³˜¡hÀ~AÛ{ˆ&î)'`Gï^¦‰m ½\‹HBõoW"Þ<y]7}rÈ“!Vý, U4.Ð"‹¹ Üw9… ÆžîôÀjìS›•ó™…)å’æøUOí›|XÚr
-j«ˆ•Úý¶”À´.u-EaAB´=?`Š)/ æúÂÆ=šöÌé×K¼xX¯·ÎŸÙ5½È}áÍŠ•ÛìŸZñf6nŸÛ2£‚õ¥­¥gÕv/ð^€ ax e¦÷Êcé…|Q*íÎÅ>t.Äñ˜êò[Ê&G>¬šX>­|¶F‹ÿF9ÈG:
-}ˆÀu‰‡FëOðѾÒ`g!ë˶’Si™Ûs„×dŒìΈ”’G‹ŒÒ÷¤úPXŸ‘ÊX*òp¾š£µô†;pšX ¯»Õ䄾ÐÐÅ·.ÊÆ™³õK· ó§r±çÌg<¢åûœs§0œRÁãýËdò3‹Lqø%$ØDë=+¶X—¥ˆÚHï´m%¾”+pÔg­2œÐSíÛ&ÛÆ’ú
-ˆ!Ýkk»†“×ÉÇ.¾á®ì6Ëq_6…áNÝ«—6™T¶Sµ–F¦›–‰0;4Kÿ½26aþ2+Ai};bŸÀ‰ŒIu)I£YÅï“y¨)õ‹—­VïEeõ–œ+e"ÑèËF ÏèwéV¹Õ> ^;"ZÀÌ}¯å®I„
-ÚŒW?ð9ÉšjgÄO¤¨Ê£%Oy-¨Ê¾ÆÃt­ŠÉ2¶”êy (6eÅF~!²×9ÞÕ=¨NdÔ_Èí]Þ[‰+£øþþ>»`.‡`ÔŠk™½¼CæêU¬ùôÃÅN²3Ë
-Ú¬wî‘ê"¹¼|=’4v§Ù:¬)ÈÝ%¿Ÿë°yÔÅ)aÆÃ=Ax•qÊ8úçUûƒòM[iñÊŽBËE7ø·džŒ¿_SMé)7ç \=aY„2Ǹ,DôÝØÌ¿ðÿtöÒãž¿â K‚7Ö–ªëÏ«wV÷ž®a@¡ §¶¦Û£;4É™ÕÖYYøuzD×/e£*)£‘ò9fS$ 6úÀ÷ÒlE;ûrðã`Û¸ËCë*‰{•mÖƒºàÊ–Mx¥PJÇn7ß7Á±^m©Þ®;±ùM6ÂqN;Me.”·k–ü¸¿mF²jkÁÒ⥠êv„,Î8½Õ­Mþk´«Á5­ ÜªUô æ^NÁ&ºg3w‘²X4YeWn)•#~…¼qòõh¯jH¨Åö¤Tpû÷ؾö|]–öÎ…¸GxÖÀ´K<$L
-ÔUñ`•5Þ
-¶¾¨1&µwÉù|ì9UÛ39TQ÷䆹í| ¡Ã(=̨º; GLâ§6ÿãì¸Ì¡"¾Ž•w…B|(iïˆ'Å'º¬ú[7ô ¹r+£²*iÌÆä;¹E}—ûOþÊF\]¦l{YåAF=AD
-»÷I¦aôIãÔ'§»ÞÄû✨œùZzñ
-´afÓ´s!(ˆ)§é‡¸˜Š  Mí0Âß<_°7;3s]˜(ª¬Þ)JÁsTæû°€½F’§Ò“_íç#¹ÏïЉ¯"#(àÖ!È¢‹ù£áõDóòöÔfÆë"S§ÔtN'Þf~¥ê:#Ï¡Ú®“×5¬'9/ŠŲ
-1«¬Ù]͊¼аŽÎžl_ø)J%r˜#sŽ-Àë÷­Ýà,Ó’µÿV¨ðyºoèLLe·rÝLû—‚ f{ûc†lî %Gä·Ú÷<{­ëk†¯¹­ey4X«Þ>¹×¢ìØÀª"¬‰åLóp å4I»{lî5<o„îÌû4%s‹_?Y sP[ϱ0Êh5è²ÀEÎÀ—B] X´sd«3*8w†çñOSDŸkâHÅkd/t$æÕû9ÃÝpš®²èwm·Ù`×E¦mSû™ªf.þÝ‘¤ÐjõmïòïË`m•œyò§oURl»î*8
-©~ó lP}EH¦à%ÄM¼·¾t›t‡¥âÐ{cöÞBÑP ,Ì6@–0®ª7ëSB¢sÐãiÃ]î“
-á¹×»­còh¹ÂY!Ä÷­Kο™x¤õbVÑÄŠéw‘q¢†BŸíú·\¦å!ÎïÖt–N´AGsƒaÃ6ö¥¬0%˜Y—½ãX*íUϼ.;ÆëÚBØåŸÕ$’a’ÉÅ/KáKv2zQü ÜIDîÔ”´Ö# ­w±Bl*sA™vœFûô¹êH¨ËWŠeÍ6«T¬GK¨´gÙ¯Æ#&¤'E¶ÞèÛƒbmAФMÞùpþÀx¼(³L½†^PÅ”‡¤•ã°Ò'_ÊsGÈxh4ÒçÝ06‰½`}‡­¹Gî‡)U¦5u†=¹‰€®qäXZ`”…*ƒ}^­Ý›ZÆËYÝ…Ô ÀüF0j ÉؽoÑuo·àd¶lŠôæ¦|•À|ÒM ÒÐ$<tÒ;¹–®ö¿¾Þ~<€·j4uuþe»ñW¥”ñƒ£D9ovˆ<Õ¹çp¶Ö\g‡=–ã;`×_LtZ±É'òãó2MiBE‹À¿×jö
-rÂWf¯(¾ Ê.Tsûœ$rG~‡ÌR)G…-ú²O2cl?ÂBüX CÇäd"iXćÏà÷ÈÏ:ŽDN
-ä¶Ôñ{mƸM¯ýœîdßË
-‹¬)Ì Ÿž6Ö=jÖdÃ;í¡Ô¶„µ¼n:_>;y""¸ü,߸藵’ðȲd Ëd¨Q TÇëìÙÚÏÜ­•ïØ`.ø|Mõíº$õ´#É*šö7 ´¢Z•—Ã^SúëVa=žBžk#UõuƒKVQVQJÕÞL§Q¶Å¡ïºÜöÞÖøMØ¥b]k®Ûý7>ݳd«,B?.ÿ@uÏD®3uçæM ‰0).WòòÉÈhW' Vws˜‡×ˆ¢ƒ•\
-=;3؇ZÑíx§fÇu1{©‚qnˆé%Ñ)(Û+Ë*jóºpd±NãÎH¶›áóú E‹´Ø*ë_ªŒ®MuL¡Q°­èlq±ô¦‡³ý4ýCÂ4Š
-õgðeµ™ ýÙabÎbg›iÏRZkaPC+ˆrÖƒŒF&õ*4¥vè°½4ü`o²O¹Û•{6oŽ;ǧ5M²*ËË»mýæAd/œvH&TvןŠ•×èë§fè"W"Ô ˜_©§D´ß-ê{IU#\Ôw€18_1mGwÃI&Ùj™6j%µΑ4»o»R.*Z¼Ê…jº…i7“—n+2{'oœnó„É^*½mp`6id¢ýU•DoPþO z¯@@W7Q!˜ã¯º| —qu ËNƒò,ÖÆ8þÉòê’xÅ“œ-LÂæ“š¤Ö,Q‘ݾŠY]ò:ú©s¸÷8UsÞ ð„Œ)ü<²oD¹B2Â
-Q9ÁïÕ@[E£©ë|å»Þ¡–åq¡¢ pȫУá'¨h æl¥ËˆxKw,Š–Z=S÷z ë‹TgÔèŸ)¸ yXɶÚj"С~Ù·©y¾Wjǵ­
-)˜Y?þÄô‰H;§#ËaY‹zv,„krÇ)Æ-¼›è™«Ÿg\VÆAÜ®ô ×f-²”x éH9ØM±·‘úÕ¿)ÇDEðHÅ#Àë-WΈbe8Ôç˜y•ÛaÈÓ¶#„ŠB€s¨Ô[¿Ñ¬å=%*žÞ$ŠÞµmu|6$)!¨z°ŸøǸô†áîÊMÌ]Ê„hf⃕ðH!
-Z_!ÎØÏ™P°‚ž§TÙ s§ÌÛ ˆo{V®!(H”4o|ؤvIÒ†¹./ÔPÒùä³L6ŠH±ÞNÛ¯9s=N­ âkûrë¡¡ #Ž™.|eìÀ‡Ú½ìðâ+}(|ô’‹Ñ<w–ãÇûpÌ'ä çEFeÆZ
-O>´?ˆw]°÷¨Ãæ'²€n]*¼½ZX6ÏvJgv’‚¶Á =£;–ðO ½‘*-ŸâÝx>G( †Væ3ÀamÔ­{b|¥ %D~!Ù;'½Xï×>Å{2\ôsA¢›åÖOUiCYxm]¦ý,+“+ÎLïûôcK”¿´ãOn¶Ó†2pÖh¿EßµWê¼Ý†a#’Á°ImǨÐ5<,”ç'—ÇI$º¬ªêßbŒ>"1^ÓZ-âáÛÝ-ƺ%·£¹¤“—Í¥’IÙ ÕÛzbÑéš}¶~Ä©âLÄ6 ãaÕÁqðP2´6GðâPx,ro½sayjñ¥\Mó8Ë49öÑ~q|¾^þZ:@MSAÜÓÕ}$\æý¸ú†
-ÔSßõ}FÆúcþ„"Ã\|¯*)ÕI ÓÔ–,õ†˜¥I"
-n½ü.ñø*ì AÆtþØãR‰øæåUçÙ +KùMg”m{·Hn-dðƒ­
-'´ ‡úÃi©šTâ¦a4ÛÀór4C{$ÐI™}ø¢Ù>a‘Z(žxSomgìY/àOêÛ–·Go<Ü;œö£~NCbŸPT{ŸíþBÎÞ×pR½P¤ä¹ÃV‹»MÿpžíÜ*¨‚]”Yè=¡zéêÛCœ£LŸ3t7_>&IZoômG‘f~•¤Ôóþ{àMßq;:Š»Åu ¦€©ÓZOk˜ˆ<´XmümŸãT`»u6J+kŽ¦‡+Ö3ê~ªdô›™Ò]þAO†ðq†Â…“”ÈH®è$#c*ÿ1^ïÉ’^‹ÍR¹aéc‚ç'JžÂF°úÝŽH18LVÙë`¨çòö«;nQRGí\vß]"zÊ°¼~Ë *¬‰@ÔàÀ°··¹K
-ª`Ί‹šXN”ÀU?Ž¢®ºëÈ5ËXrB0n9½âà!§æ®»u*PSçoiyµÚÒLNöolU®/'²ºNl¾+
-z·ô̇oŠ%ž}Áwiô[ªÙ׶K¸pWâ^­níåÛiíèf.\«™CÐ f¤: l©N}Vâk¿3 Ê[‹æ+>C²W97û&Î_lûnú6±pÎÈè?9+Ì^?…ö z×û±·ÝIÉ*ð¸ãEu…nÄsA´Ç×ñ^dŒ–kC2^FvBñ§ Ó¬Yƒ¸†|óIÔµ%y$¥Í•Èƒ’¬¿BPÞƒúuÓ?fÒrJZÔø¯e¢ú
-WL©,ãõ®<ò ¼z8ØAÚBeåŽýAf!Òç.P£MX“mtŠž¼ßZ‰^`«-Þè|‘ ª<:´N†„¥,ûP£—ærÌö)ìÆFSuê‘Ù-Qà‘×®
-õó"KŒŸIF€¥%(³–_@k°„
-j-éù•_"R§‡7D.àúœµÁK`RŠcàÅRÓ¶µËê‘V¡€Â‚¾±Ð ‡‰ŸV':–ðê$íôÃDgènº¾Í·ìM‡k/‡&ŽNYúÞVÆ3‚tӾݭæ;["Û‰`Ëk•¬‡~bŒók-<ÓLÄHsH‡X®¡Ê%¨};É„ÞÌ“Äo·ç™HV²[]û:ûýã÷ön±Út‹©¯¼€ x-0å­ ¤ò3(×|–¤á#¸Úª$xœ£“µ[=~©øwBˆ¢ÞЦîx´-«’Â@iaéLß
-–qÇÙ¶â(ŽÇwû',»_eßùÈvôÕÝU]wùd}ðy0=˜$IyO›ÍÈ€œ=»U9e~5ÉŒœ¼uo{´Ñä¬nEhÕkPía˺OoÑQ2úˆ9Ôì&\`}ÕGÈÔ³ktð´bÖ¬5‰\5 °ÀÃbC“
-8×Ù¾]“’h·À¯6æâYn%«çŒò2Ã>¾õúŒP?$8uŽÁp
- ™ðˆfd;®"¤¹dA¾£B·KµAPùsF_óuª†. áŠD*Aü¨ÊiðÔ•Çð—3+¥]ª„kyÕ£dfÕp¥ß†ÜŒ&è tÝøgXÕ€Š¢ ãŸ6MªE×ôR¦™–/œÅOtÞÖôÝýÙbE€(àºè±GÑ@…¸A¦½¹ûÆŽJÉìÁÚ ˜‘êæ§p„¼a¦ÎïbH—@$ÕflÕ?îTù×7íÛ|¯œ1¿T({i•ò¡Òj[T b>J°ÿ܃>Ž.èh‹æ
-v¡=å ze׶)ö\à˜¯y€Š|É) Àµêú<`I@Nw¦éŠHræ­Ôóºƒuy.)ø·Û‰Ýê‚í\üèG®øÜè 8tÏ»ôanퟒJRo╨,ëE…cc!U!ž¤ºõN±“¤×[zçQ¤QC"5ä ã‚Ê|7ù9s0˜L½I½\ðî §¼õq·aø‹_®sÅ$Ö꩜Ė]dyé=t°P‚Ö¦—3YoÝçÒ2Ëp•ç]Lò2†ÎïOñfÊäNªQJUfî‰8¶÷$ý›°‰¯öOv¢8ÉæòLvViÊZã¬à¥Wf¥
-<”â׭Ҫܹçò3¼+çÓ2> $´‰G£éœ'¹’Ž¼ˆÔ
-ªwQå\T1‡`ï–*!7Ñb¬§¤ƒÌ%©©Â+¨÷|¸M·äv×·vã„z²Žç§ñN4És÷ôq€ÔüY ÐW<o9tƦ7°6UL¡y¶s-ýsŒ,ÓÁDHHZiÝwà¾8›5‘ÊK×>8­-²¼
-!STlÕȇ=f¿lOtÀGF­FTØÌ]¾Žr»j€¨7mÞ±Ï[Üû)ѢÈõ|ÿ`yzŠöÒé±<‡‡a^!½Ì=UÆø×ÈÂúa¤Î†¯=Æ%L€®"¿ý%âwQ˜H_éwõ#"ÜH„-»Ö0PõºÞ¥@°lÛt´+Ã=¼~•¬Z>ñ~)E‚®8¿’…@ Å²!tiv6diü•â¨n© J@u˜$íoá}ÝÉ–i3Áñ§EÊ®äK„o«9 ‘9Px¶:lrÔpÊÕ²²`¸uÓ/µo­î’h±†™º¤Õá¤Üôƒa30 ?GÝf× k!{h¢Ræ×;ì]OËÄ(«‹ž<üÓÎÃijW$Ä,= B‘Å)HS†b@‚ÕIw´«–¨;¬Ùlͨn³]]CþÃzÃÅH4¯9¦d˜«çï¡~¬ˆÊ \ES ·Â>VjPÈ7³ßtë™LËYýUå€(ÉxpЋØÁß`›¿ÃTdߢ}éøO Éñ¬1°y°‰¼wx;l¦"–SH{ïÚË“°ØéÆÛ'µ‚ ‰œõO
-‘xÑ6@·î“ü <SË~m!¾áº™Àƒøu’°ag¥Þ¼ÃæÚ ñŠw­“ë•Î2z­B•CÜ.7 `˜Uy̨²Bzx’qê/›ä?º—d¾¨¢ ѧcŠA×<38æª"<ž ‚õÆ—½
-;i÷¤ð =¨?³F‰%dr,¯Ô=wxŽ$Ì„½‹eÐQ˜ } èax>,¢RÔ÷ÕüMoÖ+&Dù ={ùfs9 µ¨<|ó\¡Ð’0së·§!Æì¡K^j1®!çóã7ƒÂF!2ùš/ÞQ ýW…!dHc±g±Ä{«£Pa,†S™"GÂd¯Íçe䶬ÍöáÇþ°ËV¼Èˆ€CaDÜøçf:*ºXþÉÁŽ)2Å·áV׫ÂPHLVz륚íä«Ÿ96? Í2åÈÕZrÍ­Í »È»Tn¢"Öhd T3‡½:¬&™t0M ;Éà¡?„R„ùHÌ÷ŽlߪeÌ—cN^Žaî[¦|©"ÏP%]Éúí9F{ ,R˜,wÃy'kÊ?Ázï×J#ů§¼¶7èÑf[ØÖ¸Ü8m>é,Õ£ñgsöèîǼ–Ÿ >¢’mƒ»šz¶‡–œµýdïŽf[¹öEódd@â?õ–ûn±áH¬‘YÄ.·äÈ"R½¨³® ®c41V8;MmàZË¢ò·ÝHu0”`QMĦ‹Â‘.;¢¯|í/âcbÇóŽ—GÛR>BŒÛb}7krê«<Hú€·Ïg†Îq¯Kîý \—|XY¿k˜ôÆñÚ.ŠÖ§ rõy£çu‚dàlríÝ‚KWe >À¡꓃ BÓwè‰)YXP›Ålè•1«€KDà©)ÎýâÌ2~eœM=¤®%Õ3– Cu^yQ ä7ô£¿˜ e*²»ž¬js»¯ù‘1'¡Û~POœÓü T™æ·UFaØ­ŸsA?Áè¼³Þïê/Ã×›Ý/ˆ' xû:ï+#™>ãàiýƒžþˆ¶ âh1CJi•ÅĨ 0+íˆ ªä›Ò¼fÓjæ®3„":b^¿’ž¾>œ ÒGßzHűI ŠÍ2‚W<—ø­î±aj4Dµ“ 5«\6†3Ÿ‚ c½Fbá¯8çÒIzTp…!‡ˆ­W@Ö…•Le2ˆm¿MߨC8Žžç¾|à̤ÞBÂîÞÄx˜1=WUTw.ÒB²è¾Ôç+Sïj©zx¡Ê-iSŒÌ¥ŠvÔ¼+ù$zÁÏ™FK0&}–ã㪼¬Y‡~9M+Ã¥SÐ%Ì.äÛ¼­=éšâÒá™>uMÎWÐ_Jú±Å("3²8Bwú÷7Ôm´pJ°B4¥”Nƒk[‰urÙÍù¤†sH÷Ö°aÍúFŒÆ]bføÓy<;X†4Ò²RÖ:’êa“‘qXL¢e9G膥`ÓC®%…›ëTÕ“PnòDXup­<§Û­Èž¤ODZ‹ø5­¦/»#øí>¹Ý¨€º ~'–®y×âSï2ˆÊ²„´` l—Ú-|Us¡o(ШUó4¶ƒ¼&‘níüÅçcè¯7Lçdk~Üæî…MTx€iÊL1ĺŠœŽõ‰4Ábͯ†Á¬R=ÐFÿ‡ hC(íú6IÙÇ0”¬ aúÊBJiÞþv£¬zh7ùp¢wÉ×é–WŠ|WXva,qkOæê¸ü¢AÂLR¿i9ßv«!Uno¿¾Ó7…­EýØé2CGÊHß soo¹°®âîç´ÃÓ.·ü‰XÝ[ä
-sŽ[ò¯ÆºŽÏ ZªT˜Fu醭aw;ôfI´ª|fÜÚâñ‚ÑîB5ç:ô›C]Åt)´¨ [³')Öá(Ö²Xý” ©A8çŒFŠƒ9'™ûkóm Áh%žºË!]Çqf°pPŠpÛh T€[LœPv?çM4™£nÓMZw ×Ð]ÚUå)nÆ<DíÃÐ0ŸJç!pº­µB‡#_JÔ&bƒfç×M2ÇjH@§ùåAßÄt
-Ópd½Ô[`çCDîãY`=O¨ã<IÅÿò‹I‡ªF< óPZä„N|£Ñkÿh!Jž¾”Ú§x¼¬ÃÇ`3´üµj¥mÛ*õ·ÒÝ“$Á³a†£òÑ*ààw¥+}ü[=5êÔ;ºžiþÜÉzÇS^ dSuœÏóÿüÿ,.Ä2lsŽ¸@î³ñÀH²Ç¦¸c;däýHŽˆEpcæ2®ªÉ'ýœ²( HñíÀfº6¢~ãÍè’6yÏØlêÖ¿Œ·ð‘®ª_0°—j†BƒLgxN†N¼¸4tãr&ð$Òá“×⳦\׬#RdBÚsdz/¬Ôü(Lš]ÓÄ>º
-Á¸ç‡ÂúIo>¢ž Y†¬ƒ;¢+A²neçΚ[czýMµm/p5@?¶~t€pð’ºF°‹[Ç
- }W—ÔÖ¤í®dÏê3Æ­­Ò‡¿$ºÕVP› øÅVc%3¥@¡íä&žH˜.ÀýÁ6vÀáõ£…z…BqÛNÉš›2•TûD:½õ®àxü\Æ/(tùDѦ$C‹%Ð}B–ÌCÀèçQÅÞ §ŠµHËÅL9Ú~[[f︙¼mZŒ=6% Ù]NÐu¤s0E‚ÿYð»\I'T‹p>̵†ƒ"H= ‘ª-ùQLO*I!P9RÖ° ´
-tE$ úoÜK‚†¥ocÙÙ E/¥ïµ
-žž3¬ªA9^éH_ˆÊ3ìšæدÙnà‹)áâm>À}ÐhàÄšŒ åø3ÓÝŸ•Tw²•ä!l}òrû´žMßÁž}µe¤Ä¨(ÔvÇ µþ«Š ÉpÝ8})Z¯ìfä8»8Iƒ~±žH.<³»k—Ã¥ÌdÕ¹<™Xð’hɤbÕs!÷Müÿ´/$¥nŒñIpƒR{Ä„'âcêRIÙ=\XÌDçl„ñÙ7<²´-œà SæÞ’ÇVûñâ¸bå#É^e‚ÏÙþ*Y¥µ
-÷5bóWŸüÕôt³C9D$š)I®«K$j tR(PPÀ"“‰ìXjÄrÍq=L7Dã`f*n^˜ÑééÍz˜`ÕîÊ_Òºn°u|ù5Öe3Œ?Ä‚! ×J„·LR8“*'²¸¢hŽ•ˆã€AŒe~ô"ž^'Ô®qiÙ&­´fˆÄãow^xvÁoóÏRvÎ?îè†÷ÖlùÑ2ú«4Nc|mOdòpÝ.#8£²#îK²nd¹!6Hßçw¿Mï;ž†‚ìÞ BUuו€‚CTl®´ÔZ¡ØlAi!Lëö.¨N«¬œÏÂðNÕ ÷?õaØÞ&.8ï †‹Gq2x4Sâ@ò~ê–œ%´Æ­j¤«¦³úN‚Ó˜N SˆWVµêYkÇ°¬5²¥áŽ¥ôbûz\séeñ½kQZy¤h*Z–E(ÚRˆ3 Fè~˜;ã|$ªÓÃ[®ÍÖ-˜N]ˆÉáÙP<|Å:³èôFÎõSº6¾Ï,)£Tÿ¨²š
-ÑåêB:­ÃÖŠ Êx$To9@H¸%±.¨Ì~jô&+A 7—ê³Óê®ãO ºQœß ÝÓ¼UëªðKŒGf´Â8Jý?âá~«¦°,i´KRQFÈ:çZÔ²öhÚO>Oɽfx‡2ȪA™`dµjg ÞqÚþæb[{e=?_)ºüDÁêÊl[TÌ37Æ8)Ñn+àAíMõ­¨Š"z´CE'h˜¹BÅQqzïªö0|#aÄ—loàÊ—v’³XfŒ´xè@—zÁÄJ/Ÿa‰¹­2ŸÝ¥1%~¬uÂ…ÚÐ63íè4(ÖOHv´Éã‡6ø‚æ *ñ;yŸÄp+íKÈG?üþúI‹À7 \sNw%Ø’‰î;J¸To•Ö!NÉSenéN†£²p¬î“‹
-4­úWM‹~©¡CÏßÊÿU-Ÿ}ìŽY¾†¢á_±@Yh€íu›øbÔnW,ø”=ízt<îKfp¥]“ŸqæÅÞ-3Æn’aZ|ìŠï|=AW?~†ŠŠ¬‘-šë\ïb;üšsî¶j÷Žmùé4§xßîh&ô¥ü"{kƒ³é|‡l#g nl+Ï7#R±´Ö>õŒ™Y©âeë:@³Í¿xçc…/}RÖ¸g´µõIßârÎëýM•4yþ^Ú'ȇ·ø§–ýͬ&‘^×Á7È:6'ó'r2!LÇ1¤Abw>ñg²*¯Ž¾O‚Gk(9ïu
-%¶íV,ÜQòQÛÆtäf‡ÅuZý~J´A{3’ÀJ™‰&Ð0M\ý\¶XÀö1S¤³ô;5¯EaÏôJ0·/›Í4j³}
-eOLÌq3©¶Ô}ÅÂù„×
-³ÝMB®Oá÷£…ˆ¾b4Ûm5Ðo{\ˆciÿ™ÇWáÿ3Î%üg©çŽŒ¸Û¹J…QÒ‚Q ]¢À›ÿБ:™¾††4§VõÏ_$2}Y뤩ØÝððÙ ÿ¶cÚ¨"yog2ÃŽ‘} º8SJ)ì"Ko™†øžJ/ Æ´“+b<7H @,U¸)‹}ȼŒë§ü`J†g¹÷ûŠ¡tm
-…™¡é*®ïÏZžx;À-Ïåìƒ"ïÚ†ùòù·)*¤¥3ËÚ^ý=äÜúP~Ø.†ÜT Ë ‹ùæ(Õ¯ ^þkΛ±¢é ¤TrÌ°íåZãÒm5Xî3·#xæÓÄ·¼+»b{ÿÃ0œ}-å1˜Ë¾•áQÎÁz‰Â¬ÊÞ¹tEpyIêY`à7¢K KÀ½1«Òâ
-+aëØ “)¯[L’ïµ' ò+Ÿ°Ÿl‘\ñ™ÛtôÍ<ÌÖëwÊ¢bð59Ð*ßCdŠã•Q¦T¹/®¬“¯}%%§º/»ï³t.fÌ fMÚ˜Õ]Õ4}/ ÃÆѾ9ÿ5$ÉýÓ\úP/eë1WÞ³…Óv`ÓHT»Š@NùÛèjÔø«Â2¬ËXì^â{ËÆmô«—Ä 3¥è)Ç UGø:ÿ‚|…o?W6Á~ÇÈ!]ØâgÆ®±ê3_áoxFP²¾Nµ¢CŸs|’u(ÙR«ãòâü)ÞNcZöÒ¼°nPF›‘úâP‰6úÓ(1êv¾o*ï›”|QÐù#$!4SzâS#Ž·uþI6Då%3פx{ˆé´¯KKÁçÌ®CÌ|HuæË‚Þ
-mèLj¿I¼Äyê4¢“xC‹´¾}í_dšÈb‡a¼Ð˜,ÇÁ”jÿ»¡|
-ôÏ™¶ôúû¿
-h?IOø¿{EÁk–X4~Ôåqp „DuNLi’ã¨L’¸œKŒ}ƒ—Öxåp·UÚ¡e=.L,¾uêÀ±Ó>Ø6¶Ëh ¾­I ©¥2ÈæýkæYל2oíˆ6KîØà|ž °
-4£|í 4öî #a`ãåƱÂcJN¿$DÁäÊ:ß÷”¶Sù¿š0'x\n)|”"<jÈàlZñL|ìó “ ¨EëhÈ`TdÈægòㄲ'{°›ö…`*ÌñN¦ÈKìí111—Q'ÁX¢‡^¡8fŽ$°}d+xÑW_Ìñ÷õ•Â  Rö>ü?ëáˆò$ƒ‚EÍ›z`…Ó.´ïîÞ9C˜Lö*¸`b@åMlå½/O‹EW9
-¦?Ä›Q‰ìó
-€u“¶o-ռζÈFE£ð.åƒÊŠë>{‰*¨òwµš°s÷ãÁ±A
-Ä¡gK°–jྤvÖ?”lMöV([®™4úÊáD3p½$V¶Å,t‰#”ò·k¼Í_y´©¡4A{;D9"š;ó;ée$X|9T7N®åüok½µÏÝ3äñ= àŠŸœó ,çPzìýªk,AUóÚd¢`VX¬@a!G»¸¬³^„žÍdSïÄâzy’_W}T kÓˆ}¯µj,BMðî´¥{¦XS~§aN·¶®žc“£Ô‘«8³s&ëÊ‹·Å &èñÜ”?äý«>ÀÞ×]Q´®óP™Øk`ßäÕÝf û®‹Y×Z«ruì=È3€1\&ÀHCNXùlu[80ëFÝŨïØìNÄ]©
-˜%0œÒAJ^ý´¼%¤w}/ ö‡î²òAæìQæãžûnúéùÎÕŽÙPÒòçÌÃzÈ/Z;ž)\x‘ÚìëÖÞ9”U.‰Ó_>ò_øá5Uûc-­@6 QEæ*D}X2a/GúGc1§OMc-Œ¾2å\¶ý„ÆP¶ó2¥‡`1”{݆àYšU!²TQŒywµÄB´¶BSÒhឤ2šA1±3_oyPüTIŠ¼û«õ[»TW”—¡6ŠÅ~u‘#·ëõpmðI„#³ZÕY$Øóyø2XõþÇ0†¸-{ñÍ·¾ªå¼2ñåÐèœ/ûY-T !ÓXÈ`lgÀðß‹Ù§¦ß
-_ÃýS‡µ )1ŒÊOesLQ²
-Ôqµwˆlød {ŽÞ‹t¢ Þâ+ïí[^.\1} )ÃÌÚtú¢à›%×ùRO|cÇŠˆ?ô€L]£µúem˜m…pRn7+o“Þ«¶›4s·Í –çë:yÊtôÒ² ê+ã\æ—‹HöɈD#|q™eѺTÀ?È6@å¦}Òú”¶¢§†ñ®ÐJÛ?ûÝ(
-!N™<‘cÞšó¬1¬
-Jµ¸Q
-¸* ÞNK
-Ä'Εo äNïçÊòHª,—üw*»ú.|¶0ÚIÐ ž4[Vƒç›-Gy2½ û{(b'óXèŽïÝÕˆYzåeø’ºkSoðÕzN
-…Ï\{¥?!݈¿Q 圲,é“Ó{Ü™Óó½%·‡ƒR™ØKY,áëÎú¤ÌLŠšàßÎÐc+t_5ñ‡^€ ¨aà¹3n<‰¨ t6.ôÌö›Šûƒì-w\£ÐZÆ.ž(¯íôúDÀëôèT!þYÑPêÒ•m‘Q•ôƒMƒhØ›‹Öš– Z¿,ÃCó
-ËÝ@Á¢gßqìöD€¶þ¸µÿO™ë&Ñsu€r“·NŽ¸¬¸Ü/½à=Nº&F¼«F_ L-C§ˆ}yï=]Ií˵¦² †¤Ä,Õmza­®4@Aĺ@q‘s “†D(7–Øuç´qçGªw=cP Ïú#ÆÅ·¹ªËPl²Uø¾d¤GË^ôë/mŠ¯,¾RÁ
-¶Èãé©t²„4å¼н”n_0gþZXßåì…×bKÀ!È*Š¢Só±[¸ùq]²Q¨ù
-R㻯ÙQôÏŽ}Ô Z—7“Á ¬¤jžé ñ"FOiŠ>?ÎyÛ!änQT)Æd§ Õ©Jü[—p1}àn‹߯¶ñˆ#ªU{¹SV}¿W†yT¼"~,*0W‰™ý.ÜXxäݾw‚”ÕÏ#hïyª ?N8,¬Ÿ¢Ò‚÷†—ó]ÅŒPpFÅKÕ~G‹kýj Ý¿þKIÕ$õºÁÞº©‰uVé¡OýC±ÉåMìi ž2C´gyƒ?’ËvH4åËÌŠJ ÂCéØK!ÄÕãþIêf|ÐÝþs/ô³@Ä:÷8=]׆ËlÙím1qGoi{tÒ-3î.¡¡¡)òË“–š1®”9c¿X;È:Œ5ð4‘t# `bK)qA¢ ©˜æš ›c´­5ÁzZ1ŠÞÖª)\“²1ì×±u27Õ@}}·f RÙáÝoW9Ç\P¦0»EÆ}UB%×/y×—¶¤^â¡26ýù,bÍŽóPI2ƒM<¦éË:ª‚ »û­h¡1¢Yâl8.ì4„ãGóqj#ÊÑY
-bJÁœ>ZÔ¶X-wJÂp²u©âÆ0S§±sª3KÅæóì“#‹yžÇ­¶÷ âÙØn¼ú}åÔ\C"…}ñõkRO‘"ÆÉصCŸ°Ç&î—»ýl#˜LV¢n÷‘¡ÈÀ)5~ÁrioΟeÓH²ƒ'¨ŠÒc~1GÙÏVÛÔ&¶b®Æz†­(óÞçy]µu9Û³·ºSß<ñ‘¨¥ÔÆúµ•†Š·ý]n>+`½÷£¯´¢w¬lŤŸÊPh;w#7Ž®vUs Ë0 ÒÕ1©HÖW¦Bü0%Ï x4î/ƤúEGû ¤y+Ë(§ÛH·ïv²x¹1= ›uBCpƒÉŒ5¾ÂÇ™Ò{A•0žÑ5'†:]+³ lYô9²Ÿo Û;O%í§æe½;ió]…J.Å*¸½ÚWféë]šÆ¨’IFD>’!(š 9$˜Õ{è{W»‰êå|rg,fi©†Yœž›V™êkS3ððŠ³Œê£s(h"ñÞJÚ¹‚ërG×ȃ®Ÿ¦Ô\ãûö! ]aX
-=ÄWDe1ˆ¦H”L9ʳ‹Šâ(ÉLU~f 3Š^ùž©DÃUBAB´m0Ap ÿØÁ÷4@-ð³ÅÌO­‰D^¯-;<BÖ6÷¨qs LâãÔ#½×ÄoQ ,Lñ¹½
-A™âõ2ѶŠŸÓ¶Äøí÷w6Ê+–IºÓœnµq×oúWïkN)ï‡mÖ8/1aÀÈ[­ø'! ´ŒÄPxÉ¢rB<–ðœØEÔ?Pr|7°™2­²3Dá ÄWUOš9¬hÓÄ5@)NI´°›s0ÇÖnŸ[fö½U¹fHɸ>›»|¾¸¬{ü*ÄØ*X‰À¤ø‹Ã’mdñ„]8Î̱r¯éúë$Ÿ5îyôÅ 1™ú&àv(WØáñªLŽe½pò‰õTàb{´ŠÄB!ð¸YRE!ɾdä\ÁÔ|
-Äôò} 0á·Ï<ðx­×³5(©²ÓÇXõ̼‰h8L©m¢Í°]ºÓŒx$“
-­u|Ðí8t^ˆš/€‹MÝp­_’<{*ñ>Jn ÐÅ—6¹s²R¯aÆ‹úr×€]9ä¯:²(`\‰áÉlA7¾ĦK”ž·†9z8nb64Ë¢jE¢$µ1V|·ZBËÐöX#Y»ͪföWßqYûlf/ö»­8Fj…›ë_X1¡ÁèínÕ (N1©þ¢CÑð´ýÆ9(AÄEêÞ–«ôáÃÉ€ÖÜÑf}_¢£J¾:¤ íéJ$<ÂBÿˆSUÅöìMø›Yr¤˜¾ÃÈ×`Qíå?›Ù±VƒÝŽˆ½¸ÂˆÚÖñhÃÙƒXÔ‡7Ó¶,Í!Á•FÿÁEè^F ¸¯xÀÁ¦ÿàB*·ÛvªR&¤N<•ê`¢µ+çN¼é¬
-g¤£Ê¾2f~mû„m}…i
-'óP4I×¥ŸÐ?`b¬FH. ÷R}ÿÀ#] «iÀAñ7FÌÐ5øùq6O‰ Ç/êúWbõÑFåq-¢´ð §]xžök%˜Ã–td˜¯‘ŒÎ¼r¿
-ä&oH[œ¯A•9f
-endobj
-737 0 obj <<
+/Length 26323
+/Filter /FlateDecode
+>>
+stream
+xÚ¬ºc”¤]°%\]î²,Û¶mÛvuÙ¶mÛ¶»lW—mÛúú}ïܹ³î̯ùæG®õœˆ8;vÄ>'Öz2“„@^‰FÀØÎÐDÔÎÖ‰†–ž ¢¨&o`mm`la'M£hgc
+áàUûZ­RR Ž_&½þ’ÞŸfx¯%Ê3® ôEþsÈC®” ô“‘Bå0²TU’?…šÜ¡ˆhÍÒVùòýåm»T úÃ8Z§ä‚Û°ý ³:I?Ôöz"6›Èbœ^%
+yá×h}×¹­Z  ypÓ‚u=jëé 3\xœa(74nŠïRýƒ&cx£aYKÜ¿‰~ػբÉI·XiêS¨“2ø ú›G²¨†lkÕ›$ñé³øI ñƒ<½*­;:̽¤PœT1]š«ÚowŽ0~,A¸ÕO˜Ó%/‡ìdccÅ÷‹k×{GKÌ‘›j™(+ÔBUÞD# ¡6ª:Mð%¿s¾†I¼;v #wïRUèB&%Ô øªÕ(cÊïZB™ª³/7í¿ '|8¾—}Z£6Ã*DLi´¯kâ'/rn¶èXÐ60µ!~Èaïގا*\Dxc(uè³?^NWù ±CVØñ Áá´ÅÚQ[´¬5üŠvȈ0Kïø^•vµÚ*V¦°cœ (p3“¸µMÖiÒ|#Óƒ}5ãByE¦Ç•yÖÌÞ¢º<^×<;>3ý
+ÎÈ;V<g5j‡ùôIH›C„ÿæaTÓ€
+úÍòÊix¹Öî]牨ùƒU)ʘÕü¬è»à&ðŠqº_Eþ>Mv–ԌΡ» :0jÚê­¬°ŽCgþ!ñ!YBRÕ¿i†D¯@!µrC!,ç´¦Üoieq$wj¤q•M4räMÈ©X¢Z_ì¹Îãi¨ä/JF y Ètp(¬2îZ‘Ç¢Ùð‚:–ÃOxäb=ê:äH@,bŽ“t!ÅãKMdþöÑ•`£ªj•*ЪC[L+x¯Ù}£C”‚ÿ€!‘Éã|†ëuî—ÔU’ÔézÔerðˆá Ã\·ÍZ åjWqFW [ï•~s­É"Ëšã±ÄÜ]£Vf;ŸTiËá®
+X z‚G)gàcúl¶É©ðÝu½^QC˜ûèÕi]s]°?Å"*Âü$fOv‘¢ö¬ì› T!ŠåPXÙÖÐœ³P•Õ¸« "è ƒ7käþkÂ[ŸŠÐâÓn¥% „¸rñƒ‹3!ö†¿wqŠ+÷-×}ñ¨C}3X¶[G\v¿Vl=Šþ~ƒìBjÅžµ@L wº Œèf‚ý.ÓÐr›'<Òü¶Ž¿Âfæ4ùJ äŸt^ gÃÓŒr;‘s ¦ŸVhŒ@€'ǽêdòÉ,·œ
+lô³î@p® ’Œ”JEcžì e‰;LÙƒ*#.P8Ý^NrÁO®w¢êåÃPäåú‡ªî©¯HÏùñâÊ›%ƒÓÆ{¤Û«Â¹}‹÷þta2XÑ`È°½W(Pl®ôt‹8áníÝ1¯v«Ÿ<ñ¾Í4­åF¦˜4d¤Dr´4J„)Ÿùë¸L²µ% ç?·ëÚUA§tkݱxèL ë…3kà N,ˆÛ3«QÉĸǹ‰–B´‚7’ûÄL³_ËgƒÕ ñŽ1Ü
+˜šæ}›Û}}<‘3°2èRÍp´$ðʧFu(#6A<x•)Ÿö·QÜ´Ç
+å,´,œ6ˆå|ëÒtлå$3ÊŽ¢¨'‚±×ÄŠé›v#c5ÉÇâÔǤwÐÛµ0ÁoãiÙíà°Añòœ¥µ¢Ã® DSêá ©ó,zé6A²”VèFšxzGˆâJæls¬>ìFÏÊ2/ÕÐ:C
+Ífg4ÎS" >ˆö—H¨äµ>8h¡Š¡3lÒ
+{%ྼ¿#‡«BÈ,>‚^@Ò¬Ç0nÓCížU½šÂZ ^u»éên®p% À#d_Ðby¾ÅéZDzl€÷„R%ìS¢Ù+L}êPS«‰$1Ád8Ç2cæÃJœ¸Lx™ Š¬3µ”êR'1ãø
+ø—I›&ÃX9!«<O |è¥5©ÓÑ
+ÕMêÔž5…ÅÉmW¶Ä!ßCXéží´*m¤ÈjÏCB€5BŒÏ)Õ‡d"ZÕጼ B^moJ ¡ì‘×Y±øRAD%HX—«Èë·ÀÇ*ÆÚ0Úýé –ì?9Ö–]©e¢ßÄŒB<ÙÁ„CdÀ‹l•z
+GzX°ö0F!ëþ½{¬‡VH•ZÄ2[t”€pS³õ.aQ[í)©u3Ñ
+/üI*Ô•ª"ù(T€}vÄ8™xfüzY X¥û™w·$]-aÁ¥æ»ãBó!xCšœÍþe‰7Ä…`¯n‹³¹êûÅÛ
+§ÔrDš‡ê_ƒç8ÉÈ˳f^‘±Ðòé£ÆK$xþdC#‹C7‹Úˆì´½‡hâžrvôîešxÐÖðà˵ˆ$Ôï­JÄ›'¯ë¡¦¯Cy2äÀªŸå‚¡ŠÆZd1”ûÎçÐ"ÁØSX}j3r>“¢0¥\Ò;QõԾɇ¥-§ ¶ŠX©Ýo‹ LëèR×R$A[sã¦ø—òÂ`®/lÜ#ùhŸÁœŽq½Ä 'õzkü™]sÑ ÜÞ¬(Q¹Íþ©iv`cöù¸-Óz X_ÑZzVm÷ïȆ·ÐQfúq¯<–^È¥Òî\èƒçB©.ô lräê‰åÓÊgj´øod‘ƒ|¤ˆ¡Ð \yh´v‚öµ:ãY_¶”œJË”(Øž#¼&bd·‡¥”<Xd”¾×!}ÔÃúŒT†‰ÀR‘‡òÕ­¥×Ý“ÐÄJxÝ­&Æõ…/¾uQ~4NŸ­]º›?•‹=gæ8ã +ßçœ;…!à<
+>î]&“ŸYdŠÃ/"Á&ZïY±Åº,nGÔ®Gz§õk+ñ¥\£>k•á„žjß6Ù6–Ô8tµÄO§&¢„œ´bú‰|uTè@ ê^[Û5œ¼N<vñ•we·!XŽù²) uê^½´É¤²ªµ42Ý´Œç€Ù¡Yú ó—Y Jë Ø ûŽgL¨KqHÍ(~ŸÌAMª_¼lkµz/(«·ä´X)‰F_6JxF¿K·Ê­ôñÚѦï{-wM"TШ`¼~Ÿ“¬ªvFüÔAŠª<Zô”ׂªìk<Lתø˜(cK©ž³€bSVlä"{å]Ùó€ZïDFý…ÜÐå½™¸<‚ïïï³{
+„,Î8½Õ­Mþk¤«Á5­ ÜªUô æ^NÁ&ºg#w²X4YeWn1•#~™¼qâõh¯jP¨Åö¤TpëÏè¾ö\]–öö<…¸GxVÿ”K<$L
+ÔUñ@•5Þ"
+¶¾¨1&µwÉù\ì9UÛ39TQ÷亹í\ ¡Ã=̈º; GLâ§6ÿãì˜Ì¡"¾Ž•w…B|(iïˆ'Å'º¬ú[7ô ¹r+£²*iÌÆÄ;¹E}—ûOþÊF\]¦l{YåF=AD
+»÷ ¦!ô ãÔ'§»ÞÄû✨œ¹Zzñ
+‡™r@ŸZo_ß±¼AÚ
+êú<V{VIÚÝLná_ïÞ‡¾’õ™”÷Õ.
+óBÂ:2s²uá§(•ÈaŽÌ9:¯Ü·2tƒ³DKÖ<ôG¡Âç龡31•ÝÊt#íg\
+.˜íu6îi²ÙJŽÈoµïxöZ×× _s ZËòh°V5¼}r¯ÙÑþ3DXÿ8Ëé6æQàÊ)’v÷ØÜkxÞÝé÷)Jæ¿ßd%ÌAm=ÇÂ(#Õ KY8ý_
+u1`ÑΑI¬ÎP¨@àÜžÇ?M}®‰# ¯‘½Ð‘˜W–íg wÃ!hºÊ¢ßµÝf‚]\@˜¶Lyìodªš¹øw‡“>B«Õ·¼Ë¿/K€µUræÈŸ¾UI±íº«à
+g…ß·.:ÿaâ5’Ö‹AZiD+¦ßuFƉ }¶û½é2™¸ (ùp~·ª³x¢ :’3 ¶¾/e…)ÁÌ
+¼äÇRi¯z>ïuÙ1VÏм ÿ¬&‘ 3ŸL.~Y
+_²©Ð‹âOàvH"r§¦$ µé
+º'7$c²ÐˆÐ!•ÎݧC½¬ç$Ê?bï¨þìl"OâŽK±¾'˜w
+bx—‰Üêüj¹£O@ÿÙ,s[»6ýªícávÑY¹hd_æ“,VŒ œb¨
+‰ð#"^ÆÃg¶µ¸!ÿÉ#i/“ªñd—ÁÐRD4ìŒ-%…·#àrþvf"I(&!QƒÑCG¨swEe`Ff÷Ëڌ札RC†×Ëîï+ZsÃãØHz–Xf--¦¼…”N)±;±shs{£•aVXAת]¾b9ï"Áúpœä•Ôm90$j®„ÎxLYxCÀ8ÏB¿Ãí¼ìùìéÒeEá…i˜U ê#‘ÕA¤’¯ÍŒ’a
+«Ç­´©¾T#$5? éŸè¯¡³präZè<§ ÑM{å«¡x¦¯¡É! ‚)±6¿Up‚Ó¼ÌÑÜŒ0+ü9r×óÕ>ÞYãÃô d3–Ò_`gbת}û
+rÂWf¯(¾ Ê.T³ûœ$rG~‡ÌR)G…-ú²O2£l?ÂBüX CÇäd"iXćÎà÷ÈÏ:ŽçEN
+} ö&Õ>­o´×ã®æ¬Ñ@z-Ã=é÷îÛƒîø»^]bÄËŠ¬N -IýJ€°ÀjDM;©ËœU×ô™Ã|ÁÊȳ5Ã
+¶!yJ6Ü#½ºø5ÒÇ-u ´–Otÿ‹Ê‡ßk§]Ã3¤¬„0¥`áÊ“êí~©/^Cë÷•µp­Éü7scË Oó‹¿£hˆ-Þ€îi î¸[jÄ'Õƒ´§!¶—7žÝÔY¿EΜީÊËi`µêm£¢>TÓñ1Z`NŸ‡ ¤'ü±i“’Jbÿ€‰9XêÊÚ—µp,½ÓW¥ÂÔr×!KšÂÎèü`‡ž„Õà@l®/­Øúæ.z”ÈÙä+ö<7›ƒ\i0zlý£b©UÐ{S›|€h•Yƒ‘æ>…mL0 ‹¾¾„,qÊdnï#çK{êºýÂI_r(®¬µ׉Òõv/ˆÏñó÷†ÙÈBDßÑÑ#…iâ·d‡W¸ˆ½÷šЛ­ðƒ‹_
+ä¶Ôñ{uÚ¸M¯ýœîdßË
+‹¬)Ì Ÿž6Ö=jÆdÝ;í¡Ô¶„µ¼n*_>;y<"¸ü,߸藵’ðð’d ËD¨Q TÇëÌÙêÏÜÍåïØ`.ø|Mõ­ºí$õ´ÃÉ*šö7 ´¢Z•—C^“úkVa=žBž«ÃUõu‹VQVQJÕÞL§Q¶Å¡ïºÜöÞÖøMØ¥b]«®[¿o:}ºûg<$ÈVX„~\î@uOG®1uçæM ‰0). UòòÉÈhW' Vws˜‡×ˆ¢ƒ•\
+=;3؇ZÑm{§fÇu1{©‚q®‹é%Ñ)(Û+Ë*jóºpd±NáNK¶›áóú E‹´Ø*ë_ªŒ®NvL¢Q°-ëlr±ô¦‡³ý4Ý!aA…ÚxYGmfBv_C…³ØÞbšÅ³”ÖšÐÐ
+¢œñ £‘I½…
+M©:l/ ?Xå›èSîvåžÉ›åÎÁñiM„ED“¬Êòòn[»yÙ §” •Ýõ§âCå5úú©:‰È•5
+.¨CAV²­¶šH't¨_ömjAžï•Úqm«B
+fÖ˜>içtd9,kQÏŽùpMî8Åx¢Ew=sõóŒ«ÓjÀ˜#ˆÛ•¾€áꌳE–o!)»)öÒoõoÊQQ<RñðzËå3¢XõYf^åvò´­¡b†à*õÖo4kyO‰Š§7É_#¢wm›Ÿ IJªì'þq .½aø°+rã³—2!š™ø`%<Rˆ‚ÖWˆÓö³&¬ ç)UvCÜ)s6(âÃÂ[ž•«
+%Íë6©]’´a®Kó5”t>ù,bR¬÷„Sö«NÁ\S_+Ç‚øÚ¾‡Üzh(èˆÃA¦ó_Ûð¡v/Û¤¼øAÇJ
+½dcb4Çåøñ¾
+™1ü˜|Þ_"UZ¤l€¹y%N
+ENc­wî ¬ O-¾”+ÉagÙ€ÆAÇ>Ú/ŽÏ×Ë_‹¨i*ˆ{ºº„˼WÐPºb껾ÏÈXÌP@d˜‹ïU%¥:©a:ƒÚ’¥Þ³4IDÁ­•ß%_…=!ȘÎa\*ß¼¼ê<»áae)£éŒð"0£míÉ­¦€ |°Uá„6ÁâPx0-öQ“ŠCÜ4Œdx^Ždh:)³]4Û',P Åoè­noƒ=ë줾mz{ôÆøÃi?ê—á4ô!ö åðA5±÷ÙîÏçì} %Õ EJž;l¶¸Ûü
+³]AQ°ë±€2 ½'T/]y{ˆs”és†îæëqÀÇ$Ië¾í(Ò̯³’”šeÞ¼é4nGGq·¸Ä0uZí‰b óÑ£€‡« ²``ƒ¿ísœ l·ÎF)peÍÑôpÅzFÝO•Œ~3SºË?¨àÉ>î#À€B8 p’Ù)À`¤cLå?Æë'DÒk±G*7,}LðüDÉSXV¿;Â)‡É*{õ\Úz5pÇ-Jêè Íî»KDO²‘×oyAƒ5ȃèòö6w  Q¼RxÜ^ÏGçÊÕÛ·Ì9Ö=øÕ!ކ˶±€ü©¦âù)X“`I:qSŒÄ¸Œ)>]K!@ÌYqQ Á‰¸âÇQÔUw¹jKNFÀ-§W<¬
+<òÚU¡~^d‰ñÓÉ°´eÖòóh –PB­åÃ=¿ò‹BDêôðÉ\Ÿ³Öy LJq ¼X*`Ú6wY=Ò*PØC2À×ç»á0ñÓ
+òDG^d£~‚ÈâÌ
+øZŠ.V«‡§G¯Kb)¤ž†¤Œ,]1ccQ­ÎO2œ…á´ÒåÇh‚ TÓ÷ã φ»™¼u‹gÂö<†¤|d±‚Z5Úd¥ÇøG?fIiÿÑPU=Ý <G þ`GCp”vö©.W¯Ò*³À}%)ÒÓ/“çÀy:P‚N§ÓX&O2ÌœÂ6ç
+êh»c±ƒI%+¸3“-_†éqí¢BfÑ?X¢=¦ú<=U¶ 8hÎA/*Ï ÌI¥ÍÝHÑÐ[ælÄ•éînx™60ª_{tžõš“KFÏ)`¶Ïß*‚Ó±¹‹ë.V˜o—“ñ,C±±7'Š´Œã"œKýóG:ÃJ‹¶;êF'þ-­Ö×RñI±+Æ·êûVÍb|‰(Ñþ£`wœa+ŽâX|G°Â’ûUölG_ÝQÕu—OÖŸ‡Óƒy@’”÷TÀ±Ù´ ÈÙ³[•ãqPæW“ÌðÉ[çñ–GMÎÊf„V½Õ¶¬ûÔ&`¥?£˜CÍnÜÖW}˜L=»FO+fÕZsÈUÉ
+qÎèÁ(/3ìã[¯ÏõC‚Sçü°b¤
+BšKä;*t»Tåà™Ÿ1gô5_§jè’®H¤²Ī<‘&
+:þÙiÓ„ZtM/e*iùüYüxçmMßÝÎú +D×Åo{ TˆdÚ[»o쨔̬u‚i9¡n~p
+GÈfêìð.†t DRmfÀ&Qý3áv•}Ó¾}À÷òóK…²×™V)*­¹Eµ é£ûÏ=è㨡‚€¶h®`ÚS΀Wvm›bÏŽù2‘¨È—œR?\«®Ï–äTgš®ˆ$gÞr=¯;˜QW碂»Øí¡.ØöÅßÈŸë}‡îy—>Ì­}¢à“RIêM¼•e½¨pl,¤3*ÄT·þÑ)0v’ôz‹ïü1Š4jH¤†¼a\P™ï&?§’©7¨—
+Þ=á”7?îÖ ñËu.›ÄZ=•“ز‹,-~ ‡JÐÚôr&ëm û\Zæâo®ð¼‹I^†ÀÐùío¤Ll‡ ¥TeæN"‘ˆc{Oп ›Xñjÿd'ÚŽ“La.Ï4ag•¦¬5ÎÁ
+^|eV
+ ó8BгMðöŽ5·krÌ¡¦É‰†Î*óî˜E”
+}Åó–CglxkSÅšg;×rÑ?ÇÈ8Œ‡„¤•Ö}Y©¼tíƒÓÚ",É«2EÅV€|ÈÑcþ–í‰øȨՈ
+›¾Ë×±BnWMèõ¦Í;öy‹{?%Zp¶þï,OOÑ^:5šçð0Ä+¤‚¹§jÀøÿ™BX?„ÔÙðµÇ¸ˆ ÐUä·¿Dü.
+é+ý®ÞfDäƒ[䉰eתG×»–m»Ñ€Žve¸‡×o òƒUËG#Þ¯3¥HÐçW²Ðh´XÖ….ÍÎ-€¿BÕ 2µA ¨“¤ý­"¼¯;Ùò mf"8vzP¤ìúH¾Iø6[‘#aЙ…gªÃ&F ']-+ †Z7üRûVë^ ‰j˜©KZNÊýA?6~ç¨Û욃áqÍgŽWÊüzǃ½+àIcauÑ“‡Úþ`öŠ„˜¡‡€ A(¡8ÅiÊP H°:)âŽvÕu‡5›„­™±Àíc¶«kèÑXËa¸Žæ5Ç” sõü3øE +¢2WÑÅÈ­°•òÍ,äÃZ&ÓRÖïªr@”ä4¼ 8è ‹EìÀ°?a*²oѾtü§ ÐäxÖØ<ØDÞÛ<Ž6“K)¤½wíåIXìtcíZÁGPŽDÎú'…H¼hë ›ý÷I~žŽ©e¿6ßpÝLàAü:IØ°³ƒŒRoÞasmÐxÅ»ÖÈõJg½V Ê!n—ú1̃*<¦UY!=<É8õ—LòÝK2_TÑéÓ1Å kžsÕ
+OÁúFbáË^€ á–ßô¶Ø<ˆ’*¦®ôÚÚ[ªO@/iMô—±™µÈÕò ¶¹j‡ƒ9GMzOUõ~<m€ÄÊ“ÅÚŸF—ë*ú·¿…¶ˆç%cíЬòré!’½œÎ-'š!ÈJ¥¾±MFÿÕ“úå: ¦©at4g$©\-ið1¤r§å}êëŠëC¡ˆ
+.“Ÿ²l8mdÇÄ×ÕB„¾É•‰ ¿eI¹Q!b'ìž´ô§W)±„LŽå•ºgÏ‘„™°w‘£ :
+3¡= ϧ‘¥QTŠú¾šèÍzÅ„(¿¡gÎ"ßl®3‡ ”‡îoÞƒ+Z¦oáöà4Ę=tÉK-Æ4ä|~üaPX/D&_õÅ;*¡ÿªð!„ i,ö,–xou*Œ…Â0c*SäH˜èµù¼ŒÜ’µÙ:üØr9Њ6p(ŒˆÿÔLGEË?9Ø6E¦ø Cø6ÜìzU ‰ÉJo½TÓ xõ3ÇÂæ´Yæ ¹ZK®ºµdy—ªÀWÄ ÷—Jbæ°W‡Õ$“¤)!`'<ü¡a¾ó=¤#Û·jõ嘕Wqo˜ý–)_¬HÅ3ÔAIW²~{ŽÑÇî/‹&Ëß]wÞÎZƒòO°^åûµÁHñë)¯­ÿ z¤ÙÖ¶5.7N`‹O:KõhìÙœ=ºû1¯å'ˆ¨d[àÀ®¦ží¡¥gío²wG³Í\û¢922 ñŸzK}·Øp$ÖÈ,b—›rd)^ÔYW† ×1š Ëœ¦6p-eÑù[n$„:J°¨&bSEa‡H—‚ÑW¾öqŽ11ÀcyÇK#m)!Æm±¾59õU$}À[çÓƒç¸×‚%÷‚~H®‹>¬¬ß5LzcxíEk“ˆ¹ú¼Ñs:A²óp6¹önÁ¥+²àP õÉA¡‚éÛôÄ”,,¨Íb6ôʘŽUÀ%"ðÔ”ç~qf?2ÎƉRW‹êKС:¯¼(Pò~£¿˜ e*²»ž¬hq»¯ù‘1'¡Û~PŸÓìªLqŒÙ*£0ìÔϺ Ÿ`tÞYïwý.Ã×›Ù/ˆ' xû:ï+#™:ãàiÝAÏDÛ
+ÛÁ@^“H·vîâó1ôצs²5?ns÷ü*<À´eºbME„NÇúDš`¡æWÃ@V©h£ÿÃ8´¡ ”v}‰¤ìcJVÐ}e!¥´ï »QV=´›|8Ñ»äëTË+E¾+,»0–¸µ'su\~Ñ
+ò$7c ¢öázh˜O¥ó 8Ýúæj¡Ã‹‘/%j±A³Àóë™c5$ Óür’ o|*…i(²^j”-°ó!"÷ñ,°ž'Ôqˆ¤âùŤCU#‰†y0-Hr\'¾Ñè5‡¤%O_JíS<^ÖácP°ZþZ5‚Ò¶m…ú[éîI’àÙ0ÃQùÎÇhpð§Ò•>þ‰­žuê]O‰´öd­ã)/P2‚©:Îçùþ– b ¶9G\ 
+,IŒ¿&˜^ý¾"Ï ¦¢Øqr,Íß®Ê>î&x콋Ád@ÜhìÒZtES·Úå«\¹ž@mú
+eî$Âjp¥dJºlw Äì³j
+Ü5Ç+Iö*|Îü®’UZ­p_%6opõÉ_IO7;”Cô@¢™”人D@2¡B'…õ,0™ânN-ÖkƒS[7p,sÍ >­ëÝ]àÚt¶Ÿ¾ÿòM5nڛē ìhT?]ÙÅ+e@Ch@JH$ êÏ&>2ýã°£­ YúDXQÕ¾ŠÈ‰Õ ŠÃÒâ¦Æ\x+¿`2eÉ µ^´ôB|iCEÊ·\=Ùü*7CRLžÜt›x,3¶J%A ~†Ó`®*w‡Zý.¨#WÈáˆêS‹“É*&ÖLL~'Ñ;¶M'&% ê"×[*moº¿ôH^ú‚ nM6)•U«¬¢WVg§Ä&x Kí{Ç¿]zÉ
+¹º˜X£fÜ<#}ôÞœl:\ ö%\á·Ñ–Ôõ<Eña›ýE>WYŠd÷ŒÂ[‹¡Þ äº\œÚ9IxúIÞpÌšäµBÔ:¶—³ìôxÅÚQn¸ÌÄ/„ÂœõÞwŠëÂ\Ó ùÐÈ/ç:køTqjNÅë“j…㜸\—³†g›d8¤¤ŽšÚ’ãLZ¾Ã¸]âì´¶Ï T&¬ï66ªÌ½*|¥0w« vî&‹®l5fÙšEÉÿô̹ñ$\wñ£O*9ÑÔ
+MpÂœ(i¹p—ÂMœ;Uk>$×,>c§ˆa&¼(öBŽ“,Ÿe£Ü
+ýG±ýN;ã8ñsø¨ï牑1 \°Q“âæZbgxÁqÚŸ¦)1â­Ûw!hK{…Ñh­¯\¾ò–§¢,ˆOÀ°h|ÎÞØéjn‰‘£#ÍúÅ4|ÑÓ²qÔÑÁ¹õ1³Gï¶&dðb<àËVOÇW­R‰<­¦*›¸!ôøP_1[,±Œv÷~Î Š¾rŠ€¹³¶fúÎÒ6Ð…i„ €ƒC#ÂuÃè÷Ê­¢‘i˜=ÒL\™¼æÕÙ¢'¯Æ’•Â835PòîL±ÇSÌÍQýí–Ór& €cÛ¶9±&¶mÛ¶mÛ¶&úbÛ¶mÛÉþï°w[ÛÐ7]§ê´sÐç eˆ%Ó29§b²øǦ+îäò3ÎøÅ/åÚ¬¿ÛŒS¾\æDéH¶ÎÇhyvÿ9ž^¹þS”s9õsꔜ\ÊP[ ãÇcƺîÄJ¡Cr‰ŠÂéå»N,à] 5ý…–
+ý¿'¾-ØGŸs¶Ö¶
+48§4î²Gá0>¾Wlx{O..ʼn6mD¸—ÚµQ¤]ä]Ž.†Ø0k–:3ê‘M}úf¸âH]*Ñ|ïâ |@…Òï‡H ™ÂÖ„ Æ;¾晜åâÈÑ¥¹Ìx0»°WäîÎ{Þ~
+ƒÐ ñ2×"ËOÿi"4§^¦"ˆËoå<ð­áÏ'¸ä[ÓÄõ* wX¼ê `؆ ÅuŒÕ×´$¦0o±ƒ¢ã ÿnlkÄ=³÷0ú@TÓ~"Ó,àçÜñOÞ\à}ü½ mxTÀÈ ²?+Ÿðwíxª¬ò“ÞcÄ1¨+EâyT;°O
+”¼´„Ì•4YHU†Ûî: À’´6c§ŸL<ôwÐvbif”” èAÆ1`Ï”yþ–b“àÂ…–WƒÌà.šžîý˜ìãObéFv©rüh€ÕÌ} §¾ FUStŽüõ¥¶£ŽÆÝAï¥i’h Õj=úè@ÂÅðÂÅþ°•¼Sá"ŸÎîÓb¸®"úáÀT°îJƒôúïë&n‹™Ë‚'ÊøOIµé„o„œrÃîä8й+óu¯é¬¦ÎuܬȔ
+ AˆÄÒŒS€w¢3"cöèF‘þH™ÿU¬þ›€ªb;6ý@>œãžÊß7)Sz'Ìä­Cs"Oõ«—$Ö‡Xž|ê#ϳ݀¸®3Éþ¸x0±Ý¾Æ@ÁJ&íæ×jJ¨µjÃ[ä-ÙL˜N`žFšxóMCÜÞ ›³R_Óf·âéÛßVç v¡>  $àdã<#OG1Û¢F7û™m@`ƒ“rº”®½C><ªˆF[·ŽI<.f$#Ðüõ‰F¼ úóÓZ—zð}‚4JÚ‡©‚­oI†yjø[xWûêJ¢rédªM.<T¬¬š–âà˜.LVÙÓÔ¸û‘P·ïëÂ1ÌfŸ@@¯1yO~CnÅŸædçn$»2âç
+J’8±ûüÙM’æ”[¼®Á'Á„SbS
+¸âÆ°ŸË_¯h jŸ*5Îþ¤.D#gÃQ‡wÏEœ l,›^BŠLg<$¼]àÂñõøzGÖÀùš>£ é¤+ÿÖÁHc4àÎ’» KA(‰ÔÎH$<!%È…ë5 ªÇ„÷ØÑ
+ü}«Ò@ÕAšêïÚX²aÒ
+˜=–ú™ˆ©hi$BnÛÕYoÊcFTNŸûìèÍ2õë”™Ûøà§{¢Ið§!U/M眼ԴŒÈRgªÛOCº2Èz –æÅ/ñŠvqü0kZÎ$‘T.R©fÇ­Ðêƒ
+MhÚÿ„¤BMsß{€ðÕí,UtËm YÅk¦X—|Žª…Ò/M½l=¸0Ó-R1ˆ¯
+f_iz,©”›6]% ¼5¦D–Së:I™›&ziŠ…D¦>ƆÑåϨÓ})mŒ=TmñyDÊö7©ÏîEx×$Ž¾—6êñUÙªû®'.•ÁÛ|uKuË 5y¢¼qžYàΈf'«|~ÁÅ Þ°Mœ6Qï¥ùTú‹­K¸«ÿ*èžø’ªq7
+ìÎ[ ¶ ÿøVfÄX#Û;Á7å‰
+SCsìtLÑp|† _VçuÞEª¡ôx7?Ž ëDäMvŽCÛp—àŒCˆ~xeÇè ñ„E ©Vš‡Ûé¥ÀÜpŒc1C xnÏÛppÔnÆÀŒ:ݨ¬}tS4ÎÕº´ÐûKÜ^ÅÝbh6˜,•áNfÊm×A˜ªŠ ·×鶠™‚mƒpÞÄÄ%å˜swÃÕö)
+5n V¨~vu²H§<mUv€[A„!‘#%2‹ä
+Lø9Ñ{ýœË å¦ÑMj]3þ
+ƒÄ(}®™˜/—BÅeUx
+Sêò Uµ°W¦+­¨SÒÇp§-ÿDjë3Ž sneé6O¾ÍlY¡¸;ãß¿Ç5ú˜Lý:àÑ0Š[5´q!‹:Ms<”ýñÊ’º?ú„
+›Ü«¨Ö5"sVÚGZò×gkïá.W
+ÈMBU7{:ãKIÐ
+ˆ—ˆw›&(8Ü“æ½Ì±ñ1ÑÔ^Ú¯Ãàrð£0ë[kf÷Õ*}¹ß@„Æäö}7YÃê¨Æz'·KeªÛ$Ó²bI EÙ#ßï{†,’æÕ~ExT.!Ì.ѸqGhý9p2À@Êp_Œ^Šòû»âÑ@Æëøæn ^ãÂÍ’ºñjQ‘ãj韹ԤíÌw/®xáúÄ3@ŽKÑå=µ…T¯à™ªFãõÏ'‹J.ô'¤w£1’ñú8ŠCå#ðóÔ†,éx‘ï6ÓÆ/Hi4’&ÕM~ÿh/ˆGðvâ2•øÃ:jp} ¤gIp;pƒRM1¸ÄÜo¡\
+rGþ@Lrêjhx%8ŸÚ>l«Ý^=é⪲ F+©d€†µ‰¼½¾B`o%冴ržÊ7.Õ…þÓ”.ÓÃOçkÀîöHÐ?šnü\ûÊ—–ò¦þIØcl6_å?2aZòEô‡C8žF~Ôè,KzŒoŒ‡JO*·ÒÄh^–R…{Q '!²·¤äõì‰
+ás(;Í9r£aC¶Ê`:ðY;ÛQ™!¾4Ê——rÌ|¸’¢Î_”àvî‰ÐRëX.üfvÜd¢9=‚Ð]·b>ùÆÿÌÎë'Ãè¢9"¶•†³¡Õ—lS-†ÜZAqªïÙØÕèúD žÓ”5Š•sAŽª¤{ žç?˜X{.ú:„bíò·ëÕÊÝEhâ.ÍúB_ƲÁæSË<hS†–èð¦‚ÅóX0áJ÷¤æoHÖ^'‹¹.W‚…¶‡{¶Éxl‹¶gœJ„fž²Díâ*ÔpÞõ‚Þ3¢3ÿ7v¸œ=¡kÖè6zø+òᶑþhóf …Y>vçô]þŸê7Xà…ÕÒ— Î  UÕD”7¥OªˆÆr#\¿»õe]©ôwÞ#Ê q°ŸuMÙþ›Šü$ÔÍÈͨ­ÎÜ°é´=•qð#çgþÕPäŒÏ´áÏûójb2Žû‡¤S°RY«Ã€…rSðûÁ2ïü‘lãïPi5v\?%•–ì|]‡?jßSšaõæ…à ·ŸâK‹âS7§xÐhît²­ííXÌ÷»øñ½QYM·õÉÛ*02÷—'(~@÷*cx.ag$Ì.6ÊÎ0~zGóÓþZ²¿o­xä²&ËN‰U]œPÄZ/ú~Q¶Îö\[Ö$ñãR[öé–’t—/)$¯h´<¤ŽcéýÃÄð±9>Z|É ˆÞ¨¬ghH€ñj~…îç °QÏšd"ÄÙdž>É×¥‚–ÉsJ¿öãô5BíìÀ½Ã¾DÑYÁß9TFÛiô…H¿=~!µ”_£ÿÕhz Ûé³RÇ=@QXÚ›$ùQŸ2laŽ(ðvºQ„ ]jŠÖ-`ëÇ8öJ•§ä.?N*êh âÚ2T
+êÙ©ï•×`±–¼ì«í‚ú{}Xíl\ER«êb{E,ìêlÁ¨ž¶`Ë eFõÌÔøÜ ¤ó¼ Ú˜Â_‹Ú}L݇yûCö=z´©Å¯ž.ÉÔQ;¨iœ„ 6J†b<YÔþKKv”x–•L@ªžZþä&$'
+ûÛÎ ´*5R]‹ŽÅ^ØÕB¹*ú[wD„¶ù×Wàaͳ®nNo<cÂQÝ~;ž™>j ‘ýÎn¤‘M©l"cÊ9Ѷ›|îÄó¯”ííU}]íbÐn ܮфôK¤‰þ䯸¡§ÚŠ±[ÂãÏ.åð¢X Øm‘yLpÅì•\’ho;¶ÓèïÙ±Zظ¿‘+ÿ¼÷£Ì®Î2é€_zñÌ·^ioůW'<ßf(àÂÏ›¡‹"Ç™·Åô%O™Îr(ÊQzΩDP±pH*u`ب#_çß!×Vê´P2âý/ˆ|ð ‹„oçš>“ÇCü±ð+5ëã(w8ëÉ,4ë1Ù|†U_5Y}6bïü§a…«JhÛà’;îdÁq¤Ÿr(ÂkVU˜U”UH3~Ì cs_lŽ+ä¨<L¦Oy§ÞŸZ6Œ"ès~fûQ6ƒ›™J÷WãIø²ó`ø9„Q3¼j9p¬ð<еó¥ËbÖm–à%»Ã p¸«C’ø|' yܹ·ñyYð'µ
+»°fp¾bDºi7n©•7¶·tišy‚‹Å„ïÕ­i-šyç<á‹™ãžG”2š$M…8†]æœxÝ™+ì—ƒIÂ48
+PÔ3)lmŒ;œ¸—ü“5|—î”+ÀTÅv‰¼Ô_òF^›b QãLT?yÇ¥ðb²èewïA© !ÅdYò]mÝ ÏÈÍ[ŸC9Év%?Ó8|
+\°l{ˆ<­û$\Û5•/—»ì…ñVT~B
+‡)Í1p’}l‹ÈÙ¤û¨¯šð1ônQ“Öü:”ƒ‘96êì(…+õƒ<“4Ã7Q|ÿF1°²¨üñ#\õl1ï,äÝ?7Âeì7®Œ½nØ<É„3ÄÓ›rhNBRòÂÑC
+^[ÜÀ!ÄŠxMcOÝ—ÙPFt>l¿‹JF¢‡ßÂöð1’£†°åïxDÑv hÇÚ
+¥åã—r¢fY—òU·zifÁUÆz*JfU¤ËÞ ½ ýä|ÿ:Ð(Pk<’¥WÝìo*Á]ö…gP³Šþ,ÚFjî¶%™;ɘ¹á9L9.DœÇǦÝ@sOµhòÚ³BãtÑsÒ~ˆ®›×)-ÉA
+ÇГöÞVMýͲ:“®³m›ÓWBÖþü/ùÁÿ ±©¡“‹½­¡“5Ìÿ
+endobj
+961 0 obj <<
/Type /Font
/Subtype /Type1
-/Encoding 2149 0 R
+/Encoding 2729 0 R
/FirstChar 2
/LastChar 216
-/Widths 2165 0 R
-/BaseFont /IJNCPT+URWPalladioL-Roma
-/FontDescriptor 735 0 R
+/Widths 2745 0 R
+/BaseFont /KNFIKS+URWPalladioL-Roma
+/FontDescriptor 959 0 R
>> endobj
-735 0 obj <<
+959 0 obj <<
/Ascent 715
/CapHeight 680
/Descent -282
-/FontName /IJNCPT+URWPalladioL-Roma
+/FontName /KNFIKS+URWPalladioL-Roma
/ItalicAngle 0
/StemV 84
/XHeight 469
/FontBBox [-166 -283 1021 943]
/Flags 4
-/CharSet (/fi/fl/exclam/numbersign/dollar/percent/quoteright/parenleft/parenright/asterisk/plus/comma/hyphen/period/slash/zero/one/two/three/four/five/six/seven/eight/nine/colon/semicolon/equal/question/at/A/B/C/D/E/F/G/H/I/J/K/L/M/N/O/P/Q/R/S/T/U/V/W/X/Y/Z/bracketleft/bracketright/quoteleft/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/circumflex/quotedblright/endash/emdash/Oslash)
-/FontFile 736 0 R
+/CharSet (/fi/fl/exclam/numbersign/dollar/percent/quoteright/parenleft/parenright/asterisk/plus/comma/hyphen/period/slash/zero/one/two/three/four/five/six/seven/eight/nine/colon/semicolon/equal/question/at/A/B/C/D/E/F/G/H/I/J/K/L/M/N/O/P/Q/R/S/T/U/V/W/X/Y/Z/bracketleft/bracketright/quoteleft/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/circumflex/quotedblleft/quotedblright/endash/emdash/Oslash)
+/FontFile 960 0 R
>> endobj
-2165 0 obj
-[605 608 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 278 0 500 500 840 0 278 333 333 389 606 250 333 250 606 500 500 500 500 500 500 500 500 500 500 250 250 0 606 0 444 747 778 611 709 774 611 556 763 832 337 333 726 611 946 831 786 604 786 668 525 613 778 722 1000 667 667 667 333 0 333 0 0 278 500 553 444 611 479 333 556 582 291 234 556 291 883 582 546 601 560 395 424 326 603 565 834 516 556 500 0 0 0 0 0 0 0 0 0 0 0 0 0 333 0 0 0 0 0 0 0 0 0 0 0 500 0 500 1000 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 833 ]
+2745 0 obj
+[605 608 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 278 0 500 500 840 0 278 333 333 389 606 250 333 250 606 500 500 500 500 500 500 500 500 500 500 250 250 0 606 0 444 747 778 611 709 774 611 556 763 832 337 333 726 611 946 831 786 604 786 668 525 613 778 722 1000 667 667 667 333 0 333 0 0 278 500 553 444 611 479 333 556 582 291 234 556 291 883 582 546 601 560 395 424 326 603 565 834 516 556 500 0 0 0 0 0 0 0 0 0 0 0 0 0 333 0 0 0 0 0 0 0 0 0 0 500 500 0 500 1000 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 833 ]
endobj
-713 0 obj <<
+937 0 obj <<
/Length1 1614
-/Length2 24766
+/Length2 24903
/Length3 532
-/Length 25647
-/Filter /FlateDecode
->>
-stream
-xÚ¬zSm]³eÙ¶]uʶmÛ¶mÛö)Û¶mÛæ)ó”«ëû¯:n÷S÷}Xkfæ92GÎ{G,RBy%c;CQ;[gZzNE5ykkc ;iA;kc‚3 )©£‰³…­°³ 'š‰1°‰##)½‡£…™¹3ùõYþ !0ôøÏÏN' 3[²ŸWk;{[çˆÿçJ&&Îæ&¦Ö&Brò²bäb²*b&¶&ŽÖò.†ÖFÒF&¶N&¦vŽÖÿ¶ 0²³5¶ø§4'Ú,''{#‹Ÿm&îF&öÿ¸¨ ìMm,œœ~Þ ,œÌ lzàlG`akdíbü»©Ý¿Ù;ÚýDØüø~Àä휜Œ-ì ~²Ê ‹þOgsçr;Yü¸ ìL"íŒ\þ)é_¾˜¯³…­³‰»ó?¹ MŒ-œì­ <~rÿ€Ù;Zü‹†‹“…­Ù1 &p413p4¶6qrúùÁþ§;ÿU'ÁÿV½½½µÇ¿vÛý+ê?9X8;™X›ÒB10þä4rþÉmfa E÷ϨHØšÚ0Ðÿ›ÝØÅþ?|®&Žÿjù?3CñCÂÀØÎÖÚƒÀØÄŠNÖÎù'%ùÿ›Ê´ÿs"ÿHü?"ðÿˆ¼ÿâþwþ·Cüÿ{žÿ;´¨‹µµ¬É¿6üÇC MðÏ%óØXX{üßÂÿ{¤šÉ¿qü¿¡H8ü4BÀÖìG zZú3Z8‰Z¸›Ë[8™˜Xÿté_v[cGk [“5ÿÕHzúÿæS6·0²²ý§í,ÿæ2±5þïÔúq:1Q955!ªÿóFýWœüòÎÊö?Ôþ½;ãÿ\üƒ"(hçNàEÃÀÂH@ÃDÏðsà~øp0±øü_2þ ˆá¿Ö2ÎŽîZ?eÿìü§øþk¥óß`DlìŒÿ™%g[ãŸñúOÃ?n#GÇUÿuâŠþõ¿ÝÄÄÝÄj}ÅΈ+Ø2ýw†szîÈ”°Ö@ðHˆ}i£rQ]¯_zøG¥þGmmÓ çW»ÇòûÏ#IÊã±>4ë_½©&×ù8>ÄýˆÛdlTÇtº¥°jÑ^7KÒ» š¬ôªÇûS
-Šº%`¸3LŽ7)ü‰] üQHžíá|ÒâP»š
-ÿ\%ý}þ54>:2Ü{Ú„M•IÊå
-KåïƒÍ§©R!RÕDzÝžeÌ}øØ"œ³\ʤ!g?5íµ Îk“T $f}QìŒ}}œ7Ãë–aI­zQ£Ø`{1®ËÊ›¡9sõ‰ór5úË<#¤=ø…ˆ´±36…è4Ó+òŽÇ¾a‘Ïp:‰é"“|:[5P6“Ó<M`IÍÍÍLÕ‘˜‡‰ŠŒDa_gÁ¡Ãœá½]é–§ 9ç8sêÓšÆô e¬bô:miØ*N±«z|+hytHOÛV77Ùa‰
-×Nä&ýâ3­çï²E@\æYzm¾~D9šru] ƒR¢á×0u+»Y}Îî+\·¤èƒ˜`Ixï|P>½«D¡;MMM¬:NNIˆ0þŒÞû+âÝzzÜðà\
-Š—€’»qt‰ÿß)âxô0EBå)¦d4Ôà,Y=2€Ä„ÖÈ=ðK86iÓ·½µS(ç óQôx;”ˆwMÒÝ\]°Ň„ŒŒÄŽ¸¼'Ž‚ŒHè¬|Ûd@I¹²‘E —çê‰xERµÆ[ºª–ØÞ÷6µt×Ûô”Uâ£ÀíÇÏcí—‡²áŠù¥t/ëE½N r…5õƒ‡À}[ÖvÞbO¿öxî3–^üX³~ݱÚtX”·úbÛ»Ze¦B}Dþ¡¥±{dyÉÞâþÝbæZR4ŠR`s§Ú1w p˜aºÃVÒ}ŽÔŠ'X7zÉ(S†Å£À¥AKÝÁÆçr&ì椫û\šì‘F­ÆLu×c¶X‡YÈnT<)—l%WªzÈ
-Ì0Lo”2´“4c×±¢»ò“÷é·%¶œìÔr÷«rOxRæ@oÑ[#OóÐY„ý‹UՈʼn%?¼H»@yÖÞãLùbùÛq÷›c}DNCýŸoì sÑr?áƒÔÝÛóŠJx>æ?¤å‘]ò;ÔHbÓ‘¾tTï¨)Âm"È|Ó\¹¢óCÁ†e`ç'(Ël-zÝÇ.æf ì„©ƒ5 /Â/‘˜ÅÓSþÃEÞW;mdu‘ýêØ®=)À6li»ÙæüÖEÍX»Æn–ç]6
-Ȇ§yð»Ô™6üÏ2Röv•ŽQvvåôTÂ*¦(?ç)m¶5”OVÀ#8”¦Ú•4áîPñ"!Ýa¶é]\yc™··sãAZPU6gbß+:*(¥Þ'V­PÜ…¥Û)+#®¦.ráýô[yÞ]²ÅÕ¦<×µAÅÊ|…ø Ý&Û¦ÖŒß,`ÄÆ
-\w­wñ0‹²R§ËJ†H®oQSÓâ(b½,íµ‚9¹/#Ýýo ¹|Êq3d›p+¯º>2£~ìîšzµ´[=1#„ãW*Ža†Æ4õ
-|\4YÍùô\VŽAò¡iÙœÐV
-'Œ†Ý¥ýrˆøœ]E ‚ˆó(‚ƒ+c[€Éj‹®¦Qíä¼_Þâgˆí44U÷“É;2–×LC
-JOÉÒ4WÑœž:óû\™Ñ™ïÞ! ×yÖ\3Ûø=«/Τ€çÞ¸ ¯æŸ/8ˆÇîc+Š GI1(yBª5ŠÝ
-ˆÐ÷™êq¥@ûÏ|åRøíçÒ¨Zqé1#.²[Â^%â”(:^ŒD”ÚPØ•/ð
-ÐJºN$†¦ædœÆak¯n¡mk5¼{n
-©.׬nà'' 2‘î3ˆ2?g‚Ó<ûeZ‘™a÷­6™'zOÁt­:ñÕBzÚFÑ£AjÅ6©²}Ôq”‹ðü¬fŠ™ðaNõRäm€É€e‰aS—š=ø„PD‹ Å©?Κ-Év“Ü*.ºå„í_óÄpçÂ’EJ-Mn’†´#Îó¿?JýjÌàUàTƒ*
- dªÑ‹ï­M1–7°¤*’±¹+DÞÄZ·íøjâ?å
-”;çÙßëÀÓùÙ—8Ç!‚Kùz.Áøò¯Xñ€¯ÈHêKŠ\M(€Á½µBO8 çXE_æsÃYZ·èp6aaLÞ5f(wS;áKéªOÙÓzôx
-Õ§µ÷YÍÛž—™®Î燸-f: sôqó957ì>\Ç´¶ ¬C½}8$;DPì…eªì¢V¼'­ØíÄ<È“½Ü¾NO(߈]øé¦ÛÅr_[Þ*ʇ¡ÆËÆ<Òx ç˜î®l
-Ä’£×¬÷°zJmp¤0ZgôìuáÜí™ô!F…ªä Œb“Ð.ƒ ‰¢9wØhQÝ+âGùTjx­~wtñ».^jËð‘g&rÖ̹V§#KÚý®Œ¿çqÑHºö”Å~àlsLÓfH9áNjn£W4`oÑ£:»Øš^ÀÅK¥ŽÒúƒòL9ôlÊ0Û‰B˜ÚÔ#k|yË¢\Ÿ=*XˆÕ<d0 ¢‰úJkáÜ«mµuˆ„‘¯H`Ž6彋EÖùñïùBÅ«/hüî#Ô^†§ö¬i(]‘×Z]°&ÈC˜ìö¶ãíöù{Ùj+à€Ú‘ZQ[){¤iZ_Âì“à=Fº(s!:T KØ;XžZÆ#›DÂ,vÌ4ÐüQD~ô¡²ôå *×BêbŠµÊ´è˜:³pu þ§þ9rK28]±„»]Êö]– ÌiŽ rÆf§>Ä óRi× à¦H~&¸·—ϲSz…€ÕhßÝ0Ö/äH—Ì-Z‘m®Ûû <€úQ³Õ0zÒבß8r¨tIÏ'Õ`™@*ØÆ®@fÃ&€IѪ¥v%QÏ:®Á:.s&ŸëF­¤ƒQüʸúW ›_!Ò0sI"A4ªØ¼D×Ä÷¨C!n†Ñðú;+‘Öº{ýŠ÷ÊdÒ”üÝz/176ßÆÊê0l®«ßCヤb£s0 N­÷ä?‰ X! ¦œ´Î`ÿ¾‰$ý:Š¾]‘µß«kw#+‡üåj$P®¶½¬6>žæØñ^70•öKú€ø$ˆ]ïï­óÝo¸@g\³°G
-9ÅùbW<-—Ô9âEjRœáÖÚîö©ÝRËâG^ì sJ¬¾bíÇAÂxÙýeØ­ÒæÊ>•¸jÀ ,WÐs
-ñÝ‹¼I2ˆô|ß{1¦[y#²š‹9ö_ÀSƒæŸ’™fyf+(ý
-K#Îø/÷2ž;¼£§Zç$Êò^Mú½0)íN(ïó‘µ<‘Š6lþ;9ÅуŸ)Ðæ¦óF}»ºÐ=À¸¶V Û˜Å/éGŽIÌYW¯µ=·ŒìŶÑ;˜vìbs¯+YÈý/âwåáNV­&Þ÷¥0óŸ7¯Â$6/ ÈÉa…Ø藺¢ z|£>†²ª
-«Mˆí&/·}Î I Ø%΄%0W¦É·¤¬´{âI\5d§1ÖÙA)£7½¡TDƒÖcÆãM~ÉÛ0l4ÚÔÕÝ„ùäˆ÷)—h7¿d~aùruÖ[l¡F÷è\)ãƒ|<kz?D \]ò7ï2¤ÎÐdåÛTª³ WdDmI!÷Ï€S‚'#Q~ On )vE6ün¡Öi¢ Ó€(IIŠ?´ëôWÞbÚ¼%­ÂbAP­`6D
-–fçÚïC%ÇÎbl·Å$ûÄÒéæÅÇDÙdÿ
-Ÿýpô¯°0TO@,{i`·Î¶ÍÆ¢ãÚâ×Kܬ ¾yOàï–<ÀQ–
-ðÕ Ž£èÈp¬­°"M¸p‘)š!(´Æ[É⯻¹ÑòsŸûùWÅʨBP¨h Ù'“¨¿ ÞÞÀOԫøŠ½â{Ë eÊdëô¹Kx5QªÎ™6!â–­a˦½ë}2 ¨Ýˆð+0ö|3k³Ÿr™eÈ[A˜ýl\ÊŠ}óÃ\&Ñ[Ããóqt“´ú8ûy :µlõUñ®¥"„KЯ¬’Cpeªb•^¶¨¦oÀªs'ª¹þ¯cÙKñ]ùw+VuN|äáù s.…¸¦Ÿn ª4—&Ðøš{«î‹½±é
-uW–ÿðžZ—â9«ÞËÛråŠi~Û0¿<€G<æÀ›3¦?›(íPÒá“~šGÁqFëÝŽíƽHšJ+3"Ê«F…@™'›ñ‡îIŸŒ‰õ‰ZêÀ7Y
-gìзt@Š™+[Ñ3²/*;œ÷Q¿.ønÐDâ]ñê “R£Þ?*ã]£_×êCék~Á3A¬
-$1üf¡
-‰¾É%|¾Uůx¯¸;%ÒŠƒ}5]åD„¢J›œ)h#?yºâþ-^ø*#G„ Ú”¢‘üÀÄi;IÑÉ2çŽÌ/~é)Ñu 죯ã3noዯ78]P³]nÃ|¾g
-6ψ6o‘PBšP'̧AFæêdf?P0dGC×´rW›çB¼¼6&³SÊr¥Ü •¬SS‰ÓòñÞõT9Žú¼K)Œ\û)°bç¶Õ†3´$ZÞ#&†×ææjsmÂCf‰àS4XäHF Z”ÔzϘ(Pt
-|ÿÖc2›#á¦$'j‡ß|c›xß3ÃlÞ“”3Bm€Ü9ºš?¨
-LÈJ„5(µ
-S|ØHˆGð—Ã=>ôԑʇÞw1®V®Áç€R=äŽK‚uW—e“ 4¤µZ^ öçý†Ï#ÃÎDžâØmwp#ŸT-Œä{Mô§SqêßÑZ!¯È¥û;Åcï¤ág´SƒqÑq/V1aŶõrR€ñùòdfN51©é‹å=túúöp›˜Ùøfqû— áoœ
-#‘%‘Ï+0{—¹Vx³½û³IÏßç@ ›AÖå]d˜± ÜšfÓ 3.ˆ•Lçû^«ªwkFOpªÍm“é éâKL§.ã¬f0æµ2x‘$âGÈÛ~Í…†ÙgpèÙzœlŸTêŸß'Ah7‹#m¢(´â'Z %åÝa&˜P[&W)íýyÝaHÄrÇxg+Ešê»ÎÑû ^äŽ(úÖß `–ºr¶jºù7Yþsß›ûPDS"äÊ"pqšQ¦Mê´šsËÚ‰ÉöR'  )Ú0çöÌzlšºð•`^•¼ßÖ ——úq2‹ãqÙ•ÚüŒmÄàðr²ÉEh
-¤á¾}˜D'N+nš~¯Ðß0’ƒo™¬WOÜs:¡ðwaz;A³cJ©ÚäA çÖûÈ<’+UȯÉCvL¥ºøPô‚Û²sùô* ze-£Šü;2 «ù«#_š¤£s¾þ vêÄ‹úñe‡Î‡CØ“¨Ï>¼»,æñ’peàùhôm2’ÏÝ°MÍ[®¼¬Ý’‹÷ €"_o UÅôh£ ÖB57„ý^æÛT'kiWCEÏr§ó•
-©ØWÚ¿\N[Ž”ÀöŒÍ&nâáµ9vdµÍ¢–£¡!Šã5iAÅ@ñ/*w.¸Ã(:³›Åå×Î6îu1Ü3î᪾ûõW¤®48ð“ã‹KÓ^¥3Tòte:ëù`Ë"‰‹º‚p­,»iAX/†HÛ˜?äµÞ)RR«Y?êxjÒ/½)‚P8ñ“—»C>Är–BŒ!†¬gÝ@¯kîÚ“èNü½?DÆF¹U<þ5”I.:´s¾Ÿj-p“Ã䊰"ŸªcÂ#Œ:B +?/P— wég&åoï²û×!æ9œa pñ|Š®¥Þ²K5lïøŠÑ9„CF †ºž/õ¬;¿G@!íxc|ȹD¤.׎n^H$ßÄÛÂÓq]Èõ+É{¸i™’
-“*ÅûÖ€H-eëpg,eƒ|ÍaJtžŒ/dŒú*Λ¢ 6ºK2;”‹x'.QŸ[å ÌñÚ:ŸÄTß $$¯µ“Í¥¤·4UA
-~:Š0NÇŽŸÂy¨r“Ñ$85¿Aš«`!¨WÄF'*nNÁbt*Ú*¼ëëÂæ;ŠEôû”ÕaÇòõT~ÔÖ“S4Ÿò3<5×Ø\ÛJ´Æß&æ–“O=P©[¨P$“Óµãñ€ èiªš_`Ž.Šó{h/"•"v¥¯CŸ)-FßE¶ÛA<Ýï KF‡é9 ‚'ýøa¢4*$'=ÝèO áequGf0[éÒ´ò¢ïÑÞ7™Ë©4€ÐóØxâ%%Ì:¼ã/º.@ªã#)NˆÈÌaÀSt–k ’»´jˆ5b;¦¿J;÷Ò±C°7·ä°ƒÂKŒwA¹5S‚é%8.nN`ºê9_Žû¡ôÓ;Sæüê\g|¢Häae#§û×çÛu¦;¯ºÖÈÊXšŠäo+7×m4”°‹ª0Ýë#4åâ8hù‚˜RË9«»åì{°S©ã£›ªˆ¿z rª“ÊûýÎœ•VØÖi!z_)õ¸¨VS[i²sõq£Ë%®µe?åw«ìbØ-…97Á |Êš aü’Þ[
-4%Å5k£½02ƒÁw¿b¶8y<•«ápÁÒ*Á–Èp«¯,”&«‚rÃæG€Tëƒç¦£¤å¿”X{Š”ùH;_ÕZ ¼ë/i)ï1Èû£.5n仯ðå9 =)ÂéÌW%^}@|Ѧ{P`Áíea°,pS L§Ü”üÚ®Û7CÖÄbÀtÝzÏ3$rX§5Ø¢Pü–„˜jW~\\{ 7NìySE¼9 ]ºž½"„i5¿ÓúÅXôxBää\„“y”\á¼¼!‡k(MÂÖL]*/öðéžä§FJ{Y<Á&eš¯lõ‰Ïƒï…Ì‚+üŽŠ<Ù@9vOŽ’¤ä[RY·ZßUMZûp4–DagPcZ‚%V_©Þ\;=MåWÛ¾ÖG
-›¶ƒ¯ñ¦¯<¢—h¸E“;Ukê ñ
-J±&éù雈‹˜9›âÆæZue)äG $ LË#[|íÕϬ4ÈÝÕbO
-€£AÚ¤x8mw›þÖµÔ„±ßxèÍ#ºaýªU!˜ù´TßN.ÓÙÇ-É™Q‚«iy@ŒWc²8qá/øç ‹ïåqYw'`:ÓN·ˆ=
-*¥6©!bÆ¥$ž)ÈFå¨3Çx=H3/xR ÎWGzÊt¡Dc€Ê'ÒHD´öXM-®ÁöpáØîÐÌ’!#ŠÅø*ÒÕ Íè/<Ô¢8>§Ð†ó÷‰rŠeÀìåtѦ’ ¾Lñp m… U?ˆ+
-½ŽîÏ>¿ÇrøKKíùƒrÍAfjxy‘ ^W_ª^ø‘UŠäNGReÈ\®v/ÖVö†¶Rú׌hÉýy3˜Œßc¼b'óÑl«ð‘Ä›k,¢°§ƒ.ˆkx„Kªý( 9×^ÅÈ
-…d«…œ#£}þÂÀÑÜÂG( ÑhQ/Um+‹|“·^±OI$ѸÙ0ãÆVèþ )ÆJ3ÍLJ_ñ·ÿÑLÖ÷¥Ÿn­Þo”vÒJáØêqmìíçâ%Á­Ãcœ~ªzVÈ‘søqÕ g%ŽQÌ4³æ`£E–/T““?§púyÂå[uïлJ÷ödhºHÐÈÜlM
-Å s?Òr&Fd¿Ä6ë&>N´.Š ¦¾1:¹rP1ûØ——k¡f)ØdQmŸèÄI BÐä5Mþ¦1T¿`m[;­z!î_µ±=ñp)ä5^Išõ@ÑðÈ š¢žAò'tG<ÞÊÁæa¯šm-mn(Ø
-‰|¿"]ˆnŸ†GhS”C£ãžä.%^=‰Â žš| È%ÿÅ%Ÿ/†5¥ntnt I-¿ÊÍÈ.-ÚŠ
-˜4ƒ¿à†tæ-ws(›¢ü À.}!Ë•™ª^‘ 805D|~ØfÌWŸ½æ°›ã‰Å9ãqÀy[eN ù~TÒ€J…gD›¼à%HõŽN´W¤Vê Ü©&QXS²;^Æ#~o ÄSÙÄòQ¯¹Omº¿kÊ–»{.
-àé%.@”ØÀÄZPÑ}ú¥ÄÝØÇ<†,2xˆá+„P À:І¢€XH‚9É2¯!I‰¥“–mõ놀)ÓLvÒÀªÊŠ‘¤®­‰ŠI¾ž´ÀJ€-um~5SµÏ?¼‘ÞËxXkDZÎS§ꊿʥ'ÿâA“EÈz©Ltª=ø½¿ˆÀ¯’ëÊ›2{@?ï5ºûšõ¨N …&øºòȨŽ3HKãGš‹6hXle¡ïÿ–kMžÍMxßqhìàV…Ú¤ki1IƒË‹ë°ª¶ƒÊ9UFmwY¥YññW>èYM Ð7u
-Ç:êhפ­ߛ֙C9߇¬o“‚/¶z>‡”8Õ"¬pÔ"8f@xk©óí…f¸®söšË‚ý(†'ï »Úƒ½pLjt:1[ɘú‚ËHâûŠK¥Q¹ÞAH)†3W.‡å¬ÉüÖÀU7¹þ"ݨ²_mz$(®$åÔ^ÕìÊÆŸ‡EÄÆvPºÄ¤7/' ìl\du#vتç¾½ììÄ“QP‹qH{Ä$5ƒlíÛóyïd? 2$yá9MLºG%[!/J™Í2an¶ÁœÞOz~ØŠ9@5ꎥ;V7ÎF FsÕàd—ûãת?siÜ5$$éD_j(¯Ü‡ËOÒðBO¿šq€îôN»#.Æ/8ZëùkVŒè‚¹ép›ÆjÕGpéÎØzÇöÛI9´HÓ®"!ÕJˆá«OY¢Úîµ5¤=.J×ø2yØPK0úÍÙÃPI¼ ÌIñ$GÈ^˜ÆºÌ‚cý%úE˜òï„cijñ¼•9‹ž9Ñ’l{ˆ‰$ 0¢w¯¡&jjia>’4\¸ KDÃ{pÊŒ#?ÓA þ0›9 °ñ-D>"ª:c?ܺÚ~†‡^e55¸l
-:kb¾ÉLQÒcèâåSŠÛ€ …l±Ã{Y14¯ŸË#Y‘·IUHš6‰·'&:,q[ÞÀÑçºËÔg+ñA¼dÖ/LŒn”•ÿRÔ
-ˇ—ÕøêMCEýŒw·òÞPðÃ]ï-¼5L-§Ô²%\ðd*]®K¬qtmpMó¹{Â6Dm1Ð[2m¢ºûw*QÝd‹Q“÷\ÒBq¶˜™2<ôÜå `ve¹¿*9GiÐÍ
- .ÓÐ']ÒÀ^Od°â®D—üå„,?#ÞWÖ³bRªv×èSž¼˜Î§ÁØ$ôÊ`mñ 2D=ón“þ´ÁžD㔹=õk½IPïÅvƒJ<¨±ÏÞtݘÍZ´G U^W0äõ¬’”¤¡ÌšÙ=JéSQŠT#’åOµŸ>]žAß÷åʇȆ³Z!“Œ®Íïå>÷Ô‹fÜ.å¾Ó;ö§h gXUãÿ‚yXÛ%…6,˜Ä™T¸«úÊ*1²ö°Ò”"‚ï3Y¶m"ˆ†s¸µÌ· Rþ;ÕõµU§é±8fŠ•ì0A¾Ç¤‘oxZ¼ÒÀá¸+ÊNVkú÷#$ Ë£6\4Štó V·‘D^2'lRw‚ fÈ2Ñ[£Ø߇`Ÿk5Ñs kÜË·g¤Ãs© ÛÂÍÝÍŸ¬B?1 |k6*yf¡3ñÚP‘|Büu+ÁËNõ8XÄôÈä‘¡ù EUQÊFÿµð¥¸ËôiÔ2¼ð`Næ}ïT´?AËÒiÎâ ú[¼5¿«-ŠCLÓÇUY$ÐÀéëh¤®WNÉJB-þ¾ÜaìÚvvÚT¤‡dŽò[µ>Æ–ø|sÔrèCd `¦Ÿü^†ÕÁÊãDÃ*ã%­ã»òýÏŸ‚«ˆ›óñÚ àfX¡6øvçŽÒ]©Â—ñV¤M"BÝèù£=&w>8Kºä*¯+– ¡ oèKᣵ4æx( =¾$h%H
-£VâRÑ
-ï82Ö&)°"¶E;Ü´”ŤUYvƒÜìVZ9M*­µjQSJ­)‡Ÿï@LH§Ò5Èþ¥
-½~ÒoÍdW)(Ö€çÜÀæP»€Zø¦ÂP³¢½OU®æ’mèß´¨§raäÓw@„&7ìVÛÌyå\çøiÃH47+ù׉L
-µQu-W€»×4~Q.£ÎÐ)ÅÈLHQ-Û(èÖü¥> ø|kúÜ„X`Ž×¾®º] #.ëwx+«;.ñml3ÁѪ۰çµs
-:Ê(׸B®Ó'=êû’ýeÅ9,†`óÙ‡{ß%€ª ¢0<ý}õ¬YâÁ}‹
-ˆ¬BÙp:©Ñx”Mî§?ó}¢Ø×4¹„“ùïüGßßaWGÄð«à
-«1,u6AS£áx\|czíR¢€oÀbÐ.P³¦‹Ý=Öö+<µU ZäÍ&zÐÑÅReu–
-[5ÖðÆê_ka‘¢Þ÷£ø‘*q¥=¡R4Ð/@™jÂHµ0M’$Ùþz„
-˜É¦p8çˆC¡·š•òÏq0ÞSGD¼ÆSâT2J¹Ôi­¸É½°½äA iÎáDµ9)î“>oâÚàЂ,®DOͺ؀¢À¨&¯¬±ßŸ“ãùí„í½O Ä[¢:&ßQC—Ýåy˜1ŸÜ¨^Nò`ϯȌ)†¬!îÍÓ¤~»,˜7Õ$á/°Ûº¤zé5"™4¾bø–ˆÛM]üè»o~E®5p‰ñðJÌs¨{•moœäÜ%Ö¡A;›<Ñíô¦óñÜý¦¦@=®Ð@ZR¸ôGv Ö}¬ÇàƒO³þ›§—ÙA´|:÷©‡ž™Ï @pmðïÑçñ€R Àw<—a°Ý½7#øSBG8-(v> Û žq<]ùÞÚÖÁPdöÙò @JÞâõ•WÑ2|¥ —Ê„s’¨Ê‘i% Ìî3² °6“NP&0ž>>ÀI2åOø®¾Ój¬ŠÛ¯)ÒÀŠÜÚJ8¯Öß*fzU;.ÏZÜ$Úùd
-×D½í¤»a £ªâ*¶‰ÂÀÜÙš*û(Œõ¤qÁÃåäÌ°[¨.xÔŒHhý {§ú·–æýy澡:ÔuÓçg¦¨÷œ4k ÜÀ=ñïElD+Ž9Ó{û¤Î=£n„ÉÐE:xª»n½†í·ô
-é4NÈŠóv É.Õƒ_Þn$`¬ÓÖ)<ËEŠþê°õç@‘q6I„òÝäŽO¦ù¬R²Ôg-£d–‚îAúô>l¿ 3)VÐñ,ÿ²8Änd2€ø»Ì@צÍ*€]ÉãhsÀž”nä¦(ºÎõ§ÕŸW‘ÉÒî#ÐósD–&ôؤžm<[ã Xp.7ôâ(5%ö‘ì>B8‘'ÇÏÉÄ-ŽM%f+ùo0à8}¤{+Ãþ/®ò ¡‹pp… ‚óìô½ÙW¬ÒCF8fÎÞßòä6ŽÓ‘æBVÎÒP,-{DÞBЪðß“úé,¢îN`:¹ ¾ÔŒ/™t>¯‘¾ÀýÝ«9Ñ>á…‡]`5TæÑ’zûvyWX2FüºþbfO–f§>}al÷¨\ÔMê—´ìù¥ìâVPÇsp¥²oøâÇШ›x¨³N O_Ž»N=𣳧ND˜ÿ«ýzZ¯@(5Ic{Çv³cÛ¶mÛ¶m۶ƶm»Ñ™w8wóÍz€ÿ~eŸYçÞ*D+_—‚#ioÛçT¢{?Ø Ï|Xž!ÃS)Ëb×ß[ñ_ˆ
-ï%,3”1•äœJñÙwG¯üûñšøoeüªyDhéNÁÁϹݎÓRþ ~¯›GßB‚\ÌŽ™;؆r•R-ŸEGT±ùø°ãѶ÷Žz ‡¤/z”Þ‰…3 ¿µf!KÜt[¢áqQ‰(¤Õþˆg§þ¬EÒudV;~_€dr‡çI;17 a £ƒžq”„)b±¿²‡s(…0
-IfLt´&
-¸Õ‰]ª¼ÖÀ·ü´¨ˆúWÓž•N€ÓáÚ îËè ¥·I­Ñ—Øü:k b-F”ÛÈØyŒÔLúcÙY># S·ÿý¢žæãþx5
-ŽsU ? ë{x[òq=4£øŠÉTññbEK'òmç±v§9ˆçì‘È$“CXcþ©\“±>ÊG˜m@>¥¼lX1 ©ô¸dwO AþŠEÒÖ’±Sc¸I/cK+–5>¶V‘+"zg
-*»åMì•¡p_ÐV—+}¤ªÞTžY!æĹ(K§i"üÇ(*wOzŒF®¯’«X`Ž¡ÿ­Š¢É
-™*r[¶Â—n³î+ˆm•€Î êËÜun2qÄi"P6h£.ü·T”•OdÉ_ùüånµ~ ‡q#$i5’2ÍçšuÛOÖL[˱ÙE¶IkQñßå:¢_é²w«®º!É·Õ7ˬÞýóÌlÒλª> ^ØH•€ þfuĶgŽÍÆm4N}Ò
-žº²Üà9UwgÒBkÙãƒËÚž½Gr˜u)Ôë
-èòÔAé›ðöÖ_ß5Xuïwo%~’KG`4÷B9MXÄ—›Ý*¬â=cÉwú¦¶­r±¼§˜½ïÙ ÌèÀXmgsÌ{ná>³.ëÀS±¾ü¾ºÈÙ”¦ŠQ®Ÿ6È4ȤÍzÚ9Ú—¦Å÷K\ ìkCì«›!ê;àú¸èy¢Å
-
-"¿‘©ÜŒ˜%(–PL•„àà}çô—ìd¸A4HVs_™c‚Ò„µÜÅ‘nÜŠ¡Vz*-‰To­”â 7*úï #{y‚íl¤â:n\Æ>‡áos.ø¨ŠsýE×õ©É¡Ã<äm¶ E±¸@ˆx²îkrŸËÁ}G=1ôƒNl.&·´Mf‰2À4îۯ0ö€6Ñð G¥í¤B§R“Bt•¯º%õĪÜ~ç$`XÞ(ÿ¶ˆphíÒ[, ²·wÄ.„ˆØeæÒ$HÃù”±åá<€;]vÛàr Öù›–ÞpuU“J¯ÐœA£½<ÚÓ¤ïõV1r¿Â¥“e8Õè7Þ)h(²¼Eð¥GðЖ„ñ˜WÒMæ _Y£õ‡æÒËfcØŠ¡ÌõCÒ0—£Û²u—§§äùp3¦~ùÌ[yÔ5!Áy˜Ý Ð-¹9¨ÉŠ%Q-} /DšC¦—jn¦%>HLgùh:âî…¶Bldš½üuô݈°½‹IÖ#o½¿ùði9žìtå‰ò2¯̉ê³æÖ®Ê2VÂ^­.îÔ
-ëÿ8±²
-òo·Ä‰è8²{ãqÍED§G×æë±ÆöåÜbùÜß°”\&Ü‘ù­òÏ2qsÈÆ°Ûy¾>bò´ÌOX(oÁYÓ‹Þ"4Ù†w7 «~Lé'ƒ]‰v }Oä8ÝMª)Ž–X’EÀ,3bQ*ÞWAš 0 N5<_8%)FľJVßr”[‰=Wÿ:¯&,o/ÑQƒ+"%N†êémü‡*VtŸ_-’È°”´sPàkX‹'ÙÊ‘FâbMüzyixûŸGG1SÝ(&¦F›Å8'Ç
-mÁR!/¤ïmYz'Úò”¦ÀÀh'¨1I ÌѨõéI¹;b ’@\Öq×Ü[¤µ*ýôF£½™ÃØ»ÚRqõ¶›0ý×nD%ŒãßÉ€¦ ]:bĨvÿŽ“U®ïqî{Ĥ
-Èù#†ð÷†(£ÃÐw¾áR¼­ñ¿ø; h@À‘Ä8~©Lp©™¦¿RÒtª3ª5/0Ò¡S0±nÍ&9=Ó ÷-Áz;¢IrH©3©Òpdl²l[‹}B¿p“šÌN2ùòw Д˜…¥UhpO· 
-FÖ—bowÖç'<{†Ëe/>w¤ìºO Óyf4,%[n‹¦ó<ÑȲ’Dø¯7XQ`õì¹;ðkgýÑt{D¯VC|n$è_
-5±)Ä;À†íkPAs~6wD¦l¹Y²˜'À&>)Ž:•„ΊÙtAʘxñI…Å©Ñ’"Vï·´—Á}“Ôl—Üœ2Ê?«RÙª¦» Ñ2ø¡†LŠ¶Ð*¥ÕùÏ•Õz¢W¯íPO!Zñšâ:¡••3ìv{´3:9¨;8 ~†»Gcã–XÇ*ؾƔrõFÉ×<ͤŸ”WSs¤ù€ûñúóRXÙlN|PLò4ŠÒñ£l8¯´Àøî[ë†4 Àñɽ.zšcF­{ý†ÄT¢¸ˆŽ¾‘Ð[™()ä ‡¦f¾ÆF£ðÝ´Z"gº…´>Ôæ5âµlÏâ,¥÷y”¦Ä“1Êe]#¾{Gš!ÓK±¾„OÍ÷¢ü¤ïï!Œ^{ßðÉ‘F'U0BBo÷LÉ7„ob¨AÏqØ5ƒ£&ÜçîYd5K­ÜeíO%:Ó 6™zD-߹̫\šM0
-¯'l­Õ_‡2›.vèKâÔ€fïø¯âˆÚ\ŸÙÊ¡òËà.¶¸iAìU„‹Åss*’ñªÛ
-ó Ë.ºÞJy'k<¬¾T¨u®rï p¦±2Äéyš˜¾Á0^øÓí ›H v,¥wó!éùž1ÄVûr#Âp_JI´¿4ŽÎ¸6ú˘ì{2{ã• <[—)¾Íj°xÔo~y‘S¿mäó¼—¯ùh§NWp¡Q2¬ð‚‰>÷ËgCX ÀõVUé³½æ·ÝbM†Ðñù6 kh*†4¬† ·ÚTã’#­Ò<÷òwHÜ2ÈAœS¼WR¬v"«¡™Ô1í2•¢¨¡;ŽÞuE@L ±Âà‘Œ”ª^4þÕŒl«áÇü̺-€¾¨“\Z™Òçtä %p´§”î–©ÚËjKûr¦ä¦¥Æ¢[~ÕÇÆ
-eÁ½õiÐGÓ8¿ÙñCÊI´‚¥º]u¯˜Ôjù -JtáBÊk(WI)Í’ˆÇ ¨kFîÈJi…Õ FS„Éãâ…—¹l;£—¬(¯cgHÖ5§ýUj®¦›¤ÞNX*1a"˜…J[å?x¯5Mï@ 7‰íɳ't"Mrmc §Õnœ€rÍÖÔ<.ïo°öÝヲk¶åÎM¾×ÅŸ“p40¶Y¤ÉçŠÀ^s ëµ¬d>Rõ~YîZ_Ä둹v0§Gm‡‡N®3çï7G$*›½th•ëùý¹¡Òg)ˆ, &ƒM€¶ïÎ3«yÔ&o¹Ù›ïu–ž4«ô,öZÎOkÜ÷ªÔD%«†Déz¡v?ò‡/óÀ; Š'?§îºËcšý‹Üè
-µ(à\èaª
-E‰7jŨi¥oòƒŒ:½úþ·cêSJo*>»u+Æ#@Ä«áb\[k!s&D “‹Ãd`È<HØò†T¦EÚdò:±CíkE
-j!H·îà3ÁE.
- ø!{mž/ƒòZú+p%Œ«u–}Fcí¿ èýˆ/ì…Ƶ1>§ÌM)ÔÐ O%Sýù8½î×Ç
-dˆür4îŠ$#œ™/à·Ñw $–+3¸]Ì„5¼T87Å]ý—‰Ø¥–…ZPŽü¢ X¥Ì[šÿ8™XpÉþCi€ó`KpmMƒ*­y¨À&ÕÇ*é\—l¹ïˆü° xr#L?)¨ù¹kvü¯â|V{þ–aÀB$ÇÉÎàj`ñh›Îëæîõ­QUdj5Ë$k>7¦|©™¬âÃöõÚ¾¤,ˆÇSÎbÎ=¯ 6¢ŽIÛž‚2üúð?÷ò)CÎ|æ¡î0)ukt ùþîo#‘Æ$÷s‡³Wgª~„ŸÙñôÀԥ;ºaâlèQÌãæƒhË›ƒÌð`
-Z®§Ñœ8Îeä¾ÏFþ±Ã,ô\5ˆI.èÑaM 4Ž´mÇÕ‹èqWM‘±•î·egcØøí «\[þT
-¿Á…æËU¨—xÙLDÞsäÓš
-Iö×~pºóE¦f}^!˜tQ°Ù’‹ƒEäì>‰ n|'ÆV²5D9_äå‹7â̬FJvõ˜2È­ÛŒ’ý;Û£K¿>Z&ú‰Àš¤þØɉ,-¯,Yت–=–ÏÞáÆX8?¸#…m èÓð¥žçßèðž–u¤<5åÑwÒ6¨´ÍÔ™­×#0±q“²Qý‰±ÀåÙëã=¥—;1Â&<
-| f Ég¬,=‘¥vp‘·xMŒé‰_b¬5
-µœóû¿ µ§öÈ4¿À#è¸?§ß7LíXʳŒ”ñkÌ€Zî»vSLR‡û 4 ƒ?&4 =cwÓ™7mÿ­8 ‡L¡ž~šËmé0Rƒù]N9ÄO:;e0vÈ(©6‘÷ôŒ÷ÃæÓ=ÔèÖ‡7œŠ?­)Í'á ž àÇ38ƬpYBà³Â|ƾC¬D?ÖD‡§-QÊ(6ò˜¤>Œö)€*#£˜òDUdùªé³ÓvU
-[`÷QìÿY¨OÖØJæÒ2‹„a¤.‡yMÙB.½T›.¡
-¥í’bWWž^¿§M?¼ªßªéë;ëš<™áh ±Kñŵž¢¨ÚÆóV1îcÖOÏ "ž³x4tÅ:l¼t@i×uÅ«»‡‹Á0“öë]RϺM'Ü>Á™?#ÉABlž=fÌì…ïé ÚiózõÔ¨¿!…+°2Ô’Ýzôµ¥Îb—B
-y‘üP'càÜ^M#R°·ñÃ4 {LJ B«œ»×ën¾HïŸMc–9|þ*S5ïV®ñKãÁ“üvÚJ¦‰‡’à°áR‹ÁPKw©ä;ÉͳðåH-ºOÖ²ÉâØÉ*Wü—¼éýšö•p…+èó®a7AÔºº;˜âR·~4ÿÕ|S®‘mƒ®W•~ ©Ãâ‡}DL×WF5J‰åéØ|¨i÷>#\2®˜
-šÒ30D”€`Ÿ†§¾ç4}&1xÒ¤Ö¥ ÎdP•Ý‹$ȾCO‡Ù’jÛvëö?`C&W'aÔCJ•I'sŠFðìM˼k©¡¨»°+X ŠcAÐÀ«á¥£ùr!<s%!ÈbˆÀNÑ* d3³Ê6†Ø0´+3ïÍNYÀ8îj•ÛP³7Þ¨VäÎc=$0€Ž9€òõ «£…WCÒ¸1å Ô²9L±ž±~óŸ –äWÚyüInÐäöÀ'¼I3 ú]`+ò7vÃÝ!’ÔËö—k«Zœ–(&4¨j„¸`é+àpôxÿÅë«SüWâ$åM7ƒ[IZÒýš®ê~‚VƒÍ:Ø\é«…Œ€Øy_à£öý
-.ÈëÃ6‹û¯™ÅSßcŽ¾Q&É5 fd
-ön’“,6"”@K;\ÿŸÁüø¯
+/Length 25789
+/Filter /FlateDecode
+>>
+stream
+xÚ¬zcteß³mlÛN:¶“ŽmÛö‰mÛN:¶mÛ¶ŽÙq^ÿþWoÜ÷>½w?ì1öªª5kVÍZkœ3Æ&'VP¦4™Šìœé˜è¹‰T•Ô ml M,2tB
+Ѫ&ðëöÜ(ÞÃÇ‘œåRMyû©i¯MH>c¸¤bq›‹bgÜë㤸>· +Zµ‹¥{ü‹q=v¾ ­™«O¼—«Ñ)X!íÁ/$ä±)$§ÁØ^‘w?í¦‘ù]€§“X.2)§©Êer[¤ .©»¹™ ;þÄýI‰ŽBà A¦¸¯»àÐaÁôÞ®|û³ 5ï8sêÓ†
+"ŸÍëã-ö .TÞ;”Ïè*Yp§«© ‹ÕÀKÀk" !œÑE¾[OžKA3æTv7‰.ѧü™"Ç S"V™bIÆ@Ζӧ
+
+áê¡טÞO¿UæÝ¥šÑ<ÑmËs]T­+¤O˜¶1¸¶ðææ#¶V0BøkÅø‹‡ÙÔ•º]Ö²$ò}‹ZZ–$ëe1¯¥P¬É}éîjÀ(RŽ›¡ÛDZù4 P™ bw×4ªeÜêI™A ¿RñŒ24§iÒƒo•æ7…j,;Ù:Œq«úÑNèHåÊÓBuNí|ÚÌ
+6q!#z~`i# VEô yA ã
+5?Ä…J‰¡?‘–x°Š:p´xî@ŸË*£WƒõNQŠÃómƒË@bÙ‚ÄÛ6=_ïc¨Å¨üÐIûVs/D–)h=[¿°J›ÔðV]èB¨öK6J‰ôÍî=®µ5ðç"YAr1äc¶Ð ô¢.é1ÄéÀy²†_Õ-ÿ)¥º*™ïH €Ò°@¿¿ßå|Ç1SsüîóFXF¢ÙB¤þŽ0¶m粿R‚žPï[#@U4K£»åí8c¨tÜÙÇUmÌ ƒz‘HÌkËKÙœ¨ÈÏC—ÝœÏÈcí¤šö‹›ê
+Ú 1ËÔå
+Éqž— êhËÏFÇ=êO”ù+Š<cÁ·.üIƒF&Tfj%v}Hæ®»º/Þ‹:€…tq>ÆSþRL|žíl}„¨IVâMˆ³¹¬|övW£UEqݲ–^`)d_„¯×aå0áï'
+µãJc 0Οó•wê(á·ŸK£êÅ¥Ç<ÌDø¨n {AVÈSb˜1’Qêg aW¾ ¿á¨À+:Q˜šš“ñ‡m¼º…·mÔ îy©¤»\pºAŸœ,)üE»Ï Êüœ‰Nó í—éEgB†Ý·ÚdŸu5C
+<…:0µo$V éÅŽi•Ú¤ËöÑÇÑ.f ó³X©f‡¹5JQ·&– %CDÌ\jö˜B‘u/‚§~;kµ$&yU]ôʉۿæIÎE¤Š”[šÜ¤ŒèGœç³>JýjˆÌUÔ‚*
+ e«1‹ïmÍ°–7p¤+’qy+EßÄ[·ü5ñŸòÀ^îF „}fá•Iû~c”sÄŸ[&ž¼‚Ÿ?/žaÑvãEÎY\T{‚ëv<ŠtcûpÚ¥AgÒg ]`ÃʉJÛv§ltê- \5©1&딠丯¡¨Mٰ݈?T™ðï.™mëßýߘVý4ÄK/Ññ“ê4„ T²(óìï@
+ŠuüìKœã!¥}=—à|ÖÀ¬B®ÈJH‰^M(B ¼µÂN8`æXG_æó"XÙ´èr6á`MÞ5f¨tÓ:JëiLÙÓ{ôx
+קµ÷YÏÛP–™­Î›ä‡¸-f: ƒrõñò;57ì>\ǵ¶ ®Ã¼}8&;DPí…eªî¢W¼'­
+aèqÁr1t˜9f»+ (*‘³-ÃòèRö£½gè–ß~n)véâlOŠeøÝܨë?PÃ-L¿Ol‚€qäµê=¬ŸR©Ì…×9°­zGB¸w{&=GHÑa*ù£8uÊBâŸèÎ6ZÔöŠ¸ÇÑ>Õ‡žC«ß]ü®A‹—Ú!2|XIœµr®5è (’v¿+ãïùF\4“®=åpß¹ÛÓt8RÎÀàx“š›„ÇÕL9[ôiÎ.¶¦ð Ri£´c=S‚<›1ÍÆv¢§6õÈ™\Þ²©Ôÿª
+Æi2ÐÓB¥·åÒ îÕ±Þ:D!€ÊW"²À˜òÞÅ¡èüxÈ÷|¡á3 2y÷n/D #PÖ2’©Èk­.؇Hd†£Lv{ÛñöûüŠ½lµt@ïH­¨­”;áBÑ2«C¬aCõIð#_”½ª†'î,ÏG¯ û)—DÆ*~Ì2ÐüQDyô¡ºôå &ßBêf†³Ê²è˜:³ tu ñ»þ9rK*8]©„·]ÆîCŽÜiŽJÆf§Ô 0ëRi× ð¦h a&¤·—ϲSz… õhßÝ0ÎÔH—Ì-zÑmžÛû S úQóÕFòב,<yt†¤ç“jˆLU\WóaSà¤hµR$@IÔ³®kð†®ËÅœéçºq+¹¤å`”
+þƒÁUÂæWˆÌ#Ü\Ò€h®&ŸÉ5é=úPȆ›Q4¢ÁÎJG¤Þ^¿Ò½
+…Œµ@w‡þKLàí÷‰ŠÆŸ
+çÈz%ÿjv꡼½ŸY/fyŸ&ž<tj«öÒlò?ÖŸÑqÕMêÕA•Ž—ÅïƼQa¸á; d:…­Ö`‡-^uI&¯,ªÆ‘ÜÏÆ¢VÚ57Ç´Ú¬3W'¿/ ÊŒ£Œ¤Ðyû°n~œ?xÿ棄ïr6ßÛS+#ÆB£Ï=¯Ui ƒ¢‰w5ô,·
+Cà—qžàî´Ô›‘õÔÛ÷5ÇPÍrÃ#Ä^ÄïŒå—“¢¡“ôâm‡{£ÊÛìF^¿¬¥V
+ÖY¢ï㸂çõ(‚Ê7º¦šßaYY®ƒµ‘î¯
+Z[Ä…‘ÇÌ® g{S”v
+…€˜!0"ªó:¤¢¯“‘
+£{t¯TÁ>žµÁ½¢¯.šIw™Rçè²óm+5؆+2¢¶¤Qûg ©!“Q¨¿E&·„•º"²Zhu‚è (4¡JRE†âþ [,›·äbU8ì`Hj¬F(Á2"Lã<û}蔸ÙÌívØ_ƒ8Z¢Ý|„Àh›œ_á³bŽ¾–F Èe/í‚œ6¿ì~á0€l è'oÖßN‹¾'tKà©H øêÇQud8ÖVX“'K \¸ÈÍ€‘•Û¬d Ô‹ßÜhû¹ÏýýWÅάJT¨dÝ'›h° ÙÞ @Ò«û3pw+Ä÷–ÆŒÅÎés—øj¢:\ƒ;mBÔí—¦‡Î®÷É€’N#ÒÀØóÍìÍ~êe¶!oEγqi{ÎÍ ÙDoM¬ÏÇEðMFðêã_Ïã8°©ý«¯Jw-!<À~e•\B+SÝP3èŒ"ð= 5}Ö;QÍõË^ŠïÊ¿[qªsâ#Ï·ÈXs© Å!µüôÕdx´@Æ×<8[õ^ìMÌVhx²ýç@÷Ô»¤‘ÏÙõCYÝ–«<PµÈØ…„ùå=°Üœ±üÞ¤Bk‡‘ ŸôÓ:
+Ž3^ïîtl7éEÐR^™UY5.ÔÉ<ÙŒ?tLúdN¬OÔÖ
+Ô>Ä*â-æ6Ò}É›@CÌ=ÒžæPÛÏÓUmeX†0>¥Š;qA0hºxôÌ%šæ¡îËÀ÷·]³c^þå˜[¶Iî4÷,_#5é¡ñ;X“g+É1¨ê#=µmuþm^G˲K‹c¦éÆ3 =U_²Ÿ}{óÉɶ=éÜ~Ã*Ly¾•µ1hÌâÇ„'Šƒ{ŸôHrHOðŸûû“7„æ ¿Z6ÐL4Ó÷€»Qª4™Ö®ÍåY»s¿¥¤Ò'w²¸q;F¸5ûfå9$X†/ñ‘2—¹nl¡-'jU¦wíû E¿•¡¥\H[‰Úû¦ËÞSŒâ¼ @¹8>Üp¼îf©óXŠ+6§Ú ¡¥0”j9Ímp\`Y¥¢«§
+–0@JèÝõ5@9>ÐmçæsS£pð\OÏJðôEXŠ±É¬Uâ”Û͆B¨Ç—ùYʦ˜nà^`nn$ÛLÆ®¬ÂÇýã?µòÔ5™ŒQË™Jƒ­×C‰½Ñ=´³q™»môûrlîÆ"HµÕÿý·”TÑ Ð)§^nL¾”¦–ãiõ@¨­Î~†+ÆÂÆkinuyÄMò.-ÛŃ«×åÝ,>áa•¬
+…>èc‹ÿµï"¨ÈIÓè ÛÝÔÆ./>À"¸x»øÙ^ªç-RR¨¥ñR-Åå\-‡´¤DoÞå±($ú&—øôV°â½âî”Ä`(f þQ̤Ön•W†&mr¦ òäéŠ7K¢ðUVž¼)(E3ô9€…Ûn’ª“mÎU@âÒS²ëÔÇ@×gÜÞÒ—Ppþ
+¶¨f»Ü–õ|Ï bžcÞ2¡„<¡N„_“‚ÂÕÉÜ~ `$@ÇдvW›çBº¼6&»SÊv¥Ü “¬[S‰×òñÞõT9Žþ¼K”)‚Zû)¸pÛjCŽÚN+ï'hssµ½6ýIa…äS4XäHA
+^”Ô~Ïœ(Xt
+zÿÖc:›#é¦,‹  l¾1M¼ï™áŒ ¶èIÊ¡5Díœ ]ÍT%f'Á”^…+>l$& úÃåú[úHõCÿ»_»ßðsÀG¹zÇ%Á¦«ËªIš ÚF=/÷ó~Ãç‘iç*Oéâ¶;¸‘_ºNê½&úÓ©8õÏh­°WäÒýÒ±wÒð3Æ©á¸X‰„»¸ˆRÛz99Ðø|y2+·º¸ôôÅò‹>&cc{¸mÜl|³„ýˆÈ7^€§;{í:`ØÏÓpÏ>ø0#Çù^|V”ñÚÀUéé,±[ý&¸¤h«¸YÊArÇó×J{D†:ðëÒÚ&ˆßæée¼ü×+[ŠÔ;¾ Ç-áTWQßmtÖUüÇ^ÒlÆ‘jpnå) Vi²+b¨¤ïëìl÷ØéØaK´x4èD0ž}Ó$Óï<¯l<>~ÚXvŒ‘¶5ÙüF;¼RåÅ-NSÎÖÏ)P¶’ maKËîf×èËÀÊX4ø®ó·œè—ôÑ–`9dfÍ·µÄÉmbc°k›íŽ¾¶‘nªºtw³­ ¢íÛŠ­²ÞY®%ÈBV¥*(<=Èn®±ˆ¢8w#Ðù÷–ºÒÑ$1wBú,1AjÕÅ#)K¼kòãùmË¥4ÚHkÛM\áfyÉ7ϽfšWp…ŸDÇÛ8ªÝYqRyœ:+äóÞ™? HÔošÃ»ÎJÅi5ÍERP†\¤äbchÚJé
+n‡¤˜o|YÇœ! ¾ÿ|`VÓsÕ'6¾ZÃ:‘ˆ†XµX–Oß•vnwspÙDbE:Þ]Õ–
+ÊлwB…È1ƒþ”¯úäUoà.ó+i‘ =ÈÕýŠN¬m·þÃxí.=Œ­5®óš®H¿><ǤíÅ6‰W¢óÕ³NPùg›ÊXtItàó
+ÂÞeî£Ñ|ïÁþlÒ3ë«a3È2À¦¼‹¢;œWË|ºaƹ’å|ßkõ@Rín-Àø A­©mr#<]b‰åô÷eœõ,ÖœvŠdüeÛ¹0ð0û .};“Íá“Jƒóû$(f ”-b4ÅVÂDk᤼;àSZR«ä*å½ß¯;l@‰8îXïLÁa¥(S}×9ú´‹¼EYaý ‚Æ©+g«¡f›"P>ç =pyEµ$C®,s§™eÛ¤O«¹·lœXì.ÅðÚP¢rnÏlƦi _‰æÕ(ûíÌñùh'³¹Ž‘Q]i-> 8F /'›\„@Hù½Ü{\dß—§S"Ç i8<hÀîÛÇAÉtã´¦÷
+m 3¡¹ø—)zõ%<§
+ÓÛ‰šSNÕ— =·ÞGæQ\iB~Lrb+×ŇbÄÐÙ•+¤Wi2ªhWä.
+oÉ1Ê0웘àÍk.sD•}?*åVMVÇp%:h¦·ˆú]9RG®å3/¥ñÛ@f 3öÁª®‘ÙµÿxTº‡W†×qNë#èô‡F0ôxƒO =­E:5½´è.Ü&>Sï$§ØrY§r–¹qJ
+i8WÚ¿\N[Ž”!öL,Œ'nâu¸våtÌ¢–£a¡ŠãµèÁ%œÀ /*w.ˆxé:”~5K(¬mg}îu1Ý3ï㫽ûõW¤®48P‚JÈÐ_¥3UþìÊtÖ÷Á•C3s-ãYYvÓ‚²Y ±µxÈk½S¢¦U·yÔ5ôÔb\z34V£r ,w‡~ˆå.…CYϾ5„]×Úµ'Ó›øs+qˆ)‚‹v«tüc(“Rlh
+ï|?ÕFð &‡Åi%DáWª®)slŒAè-¾Â¼`]‚þ¥Ÿ¹´¿½Úçp¦ÀÅó)†–z«.µ°½ã+fç.Ye8ÚzF‚ô³îüAÅ´ãñ!GÔ~0Ѻ<|
+#æk›\B23/°|‚ÖN—’ÞÒXtEiÄé(â8]€
+\J®=EÊ~¤¯€k/Pßõ—´”÷æýÖ7öÝ× øòœ†eô毒¨> ¾hÓ;(°äõ²4\–¸©? ePiJ~m×뛇£hb3d¹n½gŠŠ=¬ÓˆlQ,~KBN”†WÅ^"Œ“zÞT‘nNÖ®ÿZƶžßiýb.z<!qr.ÂË<J®p^ÞG5’!ãh¦- UøŠ‡vOòÓI#§¿,žà6ËW±þ$ä‹!ôBeÃyGGl »§ÄMIRö-©¬[­ïª¦Œ@¯}8K¢ÖĘ•àˆ×Gj4×NOÓøÕ¶¯õ‘†Â§íj¾¨Œ(Æ%mÑåÎDÕš9h> þ$®…Î\“©ªm´‚ŠÆ¨Îò&aa.òä^çšàu~{ •q¯2 ]}‘G@åŠä×aÑU®ó:`’PX@h&õx†HˆâóÒf†Bz˨¨_ïI@B&f4Mš¬.aƒ¢KBzê«!ªÿ3NP‰É¥9*š1zÆ\–|wQS…59f¶Øinµ¼IîË
+ýÑ ×òÈ_ûAówVäïjq'!1 mS<œ¶»Í² À­ "áì7zóÇHnØ¿jU‰f~-Õ·SÊvöñÀJqg”`ÇjYÔ˜.N\ø ý>èây\ÖÛ ˜ÎôAЫXÀþPË#-Ęéý†õ¾ð¥20ÄÙß‹„i=óYÃ$¢5Â'5D̸”ijÙªu昬iåOjãa!øêÊL™-ƒ c ÐøD‹ŠÕ««Ç•c#Ù=
+n®±ˆÊž¶ ®áJ<©ö; €îÜ x+ø÷­µ –'IטáŸoŒY™(±¦¬óÓE_3µ#d1š‘jsÅû³Rñüä~
+«…ÛÁ0|ØÛ¨rž[ñÅ
+n£Œˆàwƒm5†‰u“ Ž°‘£óq
+/U¼;Ö}â$X…ÚÓ´Kç«fàÓ*MM‘9Œ}ì‹À@ÄèßSš³« <Gëw²¾×+TR­–òŽÌöQ„ g@Gs ¡ÀÆ£E½4µ­l
+MÞúÅ>Hd‘$ã^ÃÌ[¡û/äX+Ít~ÅßþS$3Ùß—~z]ôúYhí²ä!Ô"'ðÕã:t¸ÛÏÅK`ƒ[‡Çxý4õìÐ!#çˆ/jÎpÊ\£ØiæÍÁÆ‹‚- ^è‚…''¿O òD¹Ê·êÞaw•ïí)0 õP`Q?x9š ü°šhx‰?·Ø c~ûZ6ÒQ@
+keG
+
+Ÿ‚„¨Õ/k‡ ]Ñ º/ÍxÂp¬\>™Lê}û(ù'™y ^d1] ÀGò¤­K\ÙL·(Û×9Ʀ i‹cÝ›õN ™¹n,:m$øçhÚV‡.¬
+ÈÙ!z»[úœD¸¡\™V\aü<I'bÜšÄÎgw—ì£;ÞüÒÙ ¤#~™6HùYS’‡•å蓳6Ò9f|Ðl}çšß‚¥/d¥Þ…vXËpd&—H~T §ÅÔ—s¬:×÷öÚèžnžŠÕ¥á¢ý\ñóÖr4íô+³»¥XÐvel›¢žŠEJ&vÚw·ðÌ:˜6WG'K9¯ j—‚l¦xÃ逖LÖ^Žqþƒ='\ŽAï é/*‹`~&Ë}UïV…ÆMlƒÙ÷‰x^³CI“=_k<S_óØÝîDÍæªê.úõ ®3[ù;ìÛ. $šÓžæSá2ZЯ
+ß¼'ýPb€XÑFM¿ÊœJ» '“ˆ¸Î„J‡ÄÜg*Ÿµ¤õµ§C*•ñ
+¦Çƒç†«4 yãöæšã§>Κüè¯>šbºØýúÅP¬
+ælî tV¸û‘–3qû%ŽY7‰‰p’u1$q…ˆÑÙÈ  ƒŠÙǾ¼\‹uûK¡&˺hûD'n"Q¢&¯iÊ7Í¡ú»šØiµ ÿҨ퉇Ka¯Ñðò(`hò쪆G6XðMÈ ²ß±à;ñÖ¶{õ°”H$3isCÁ†`Ã#: ^üëäçÔ{T\žCÙì¥öD.íðbU'çMPä Î“&.A0(œ”ûéò ût?…7Ÿ4;î¹ÁîRâUÀ0cQ¨œi)‚\ò_\òùÁ±§Ôí"‘Ïn¡¨çW¹@
+4mbA‘., +ù3ÞräÉ7zz¸xº„vFà5Åï÷`>ƒ¿ Ê3¢jÐ1 _òÿMšÎQ1Y©à$SÁÎꨄó‘ð,?/øŒ#q¹,•Mþ@š7Èlf§¯•1NK¨æ×$£`ÈxEŠÕ 6èr%ò1+Éà÷ †Cp³pÜo†WiÎë*$•FxO.†@Mñ¹™å«i;Lg{ã v
+„,˜›"óšœT&iÙÎà±n”:Èt' ¢ª¬õA©AúÚ†ô ˜ìëI¢ÔJÏöG)MûüÅÁù½¬‡f¤Õ<mÊ¡žÄ«|d‚ÉŸr¨Ù/•‰NµÇYû‹Hª¹®|)³Œó^£»¯Ù¤0B¯+Ìxƒôt~乃FÅÖ–þo¹6”¿x‰ï;MܪðXB“ô¬,‡C#)bðùðVÕwЙ"§Êh—UZ‚žÕë}S§ðl¢@vM 9Jà½é¹Tò}(ú¶±©Øb«çsÈIS-(
+G-ƒcD¶–:ß^è†ëÚ8¹g¯y,9b~¦œáV{pî“O'þ’G1¡½à1–ü¾"ÃQíFV©wVŽ¡ÂΕÏa;k²„¼5tÕK®¿ÈÄ´
+&{b¾é\QÊcèâåKŠ¡Û€•\±"Ó{E),ŸŸË#E‘·iUHš™·'6 &<i[ÞÀÑçºËÔg+éA¼Töl¬n´•ÿRÔ—œÄù²4ˆ/åÖƒ ZÓoíضSG‡EŸÃqÉÛ³í±FÁéÛn´!19÷÷. ý¥+õh¨Üíïs´q×0 2|—…ÃtBƧ´ä ¾œJ3›n`m$Ä;Pž=Ì!·þö»$Q¯I cQÞò>u¯_«÷–¤ËÜ‘ÛàÐðÔKÛ?¼ û©)ÑQTóQUm`¦iø<uè¿>:Ñ[—§sø®á›)% ¤ç7 óD¨×K×F´XÖŒAHØú¸a—/« 5:›†Šú™ïn¼#`‡+»Þ[øjXZNiåJx)T»\—ØãÚšæs÷DlIÚb`·:eÛÄôöïT£º)£&ïyd„ãì°3e2ò–/@
+ .Ó0']Ó _Odqâ®Ä–üå…­>#ÞWÖ³cRªv×Sž¼XΧ!8$õËàí 3D=ón“~·ÁŸD㕹=’ô™h¿IÒîÇvƒK>A¨sÎÞtݘÏZ¶G U^W0åõ®’•¤¡Íš’
+/<˜“}ß;ëOжrš³<ˆþ–hMèj‹â×òų@W 4tú:©ë•×`±–T¿/à#]ÛÍN›‰öÍQ«ÕÇØÑ£ƒžoŽzB}ˆŒ¢ÁõSÞ˲ÛA!YÛahZg¼¤u|W¾qþ~âWt`us2yX‚
+¨El* Å3/ZÑÿTãi.)ÑÍ¢G÷8•{ðp œ¾!î4½á´ÞfÍ+ç9'LF¡»^É¿Nd*¹ÆhÇŽ g¥n)ZR¾œ2/@KŒµK¨øXI6ÇRÉ ëaµ$ÅîN»-¢'¼%+iâ?h%Fbs„òj\¥­¡uËøÄ âÂêáÄí(- ¯!Ö0\÷è|žÀ
+¶ ƒ ¢E2Ltãæâè¾I;Æ|ˆ»µ]0ÊÈ!çÛJ¢b^ûÙ­&×à}»'0qT[}yë&P½1ÞAæá^™0qŒk7Ù¥±ßbª0Äüh«N±D3Gˆ¾_²ßý&±UG·b`üÂO|=ÇÎYדnj‡üG tÆδ/Œ±§ÚÖ%t}šøhPÀgz͆ª©d•î2^G¡¥o¯¡Óü‘UC‹)Ö”ÖSˆ*Ñ’È:k@o‹ý})f°+LXnÅ@ê_ ß2Åiâ(ªt…Þ¨¶–+ÈÛk¿(ŸQg䔈Šfl.¬¤þË8èÖâ¥> ø|gúÜ”
+TpŽ‰ß¾®º]+.;+¼•ÝŸô6¶èhÕmØóÚ¹ ˆÿwkÍn‹ØÖæaðÙFu—k\!Ïé“>í}Éþ²ÒS°ÅìC½ïPUÈÉÁ¾Fö,éà¾eö4°Gñeá ºÑ¢Å"w)œçzO§$#g^†¾I†b¡lì4e—8&áâÄ«ðÔc‰þo˜iw¨ ={€õôI=wlº·(n'˜}ü;h|-Pn%Xª²ˆ~~»'›ò!é@Õ]͹à*îªDÝ*õæO͵˜ý¨¡Ò-s‡˜ÐIò3)‘™{¦_ÇWu†ùµ°\°%ßï7iåÜG¥DÞ ñ?’|%ÆüiG—lGê¾L‹`1îDx,½‹ŒÊp—š‚D~e'K™…V,u¤>ŸâìçF» nLFäè”.1°FÖˆ-oË”pÊøcó;6³ùFma7A­CÕW'éÞ¼<«1„6œ&³ƒF5Ì7Òo`¥dº%<‡|W¹[õTú'ÿX'3§ ]…±åvR§ó(›ÜOæÿD³¯ir §ðßù¾¿¡Â¯ŽˆV!"ñ/Ô­‚VcYén‚§ F#ütñé¤DÞ@Ä`] gO»{¬íWxj+.ª¶(XNô`bŠ§Êé.WQT2³Ù‡y©X¦Ž(÷|Α‘Ýv*¤†Õ¤D˜Ï‹ÏâM[E Ó
+ëá0íá3õFt;ÉÁš¼‘Þ<ÅyÕê©–ze¢lÒft£?ÿF%݇¤G[dÊ°ó2¯|?s‡·‚ÁÆ9—¸,k/KÁØÖI_ GÂ+Š$ý v$¡G|7FiÃoÑLØS‰µ¶‰V6bBš×F¬zÓä·Wè߆Û#¢š»°žq"® ¦<I6Ãèýñ4
+Û–åÃ{>;³Ä¬²ÔÙþSXqå§%Œo… Š¥]ôêûæ‰ÁyP;Bi)Omq”©{‡+™ Y=Ëv—0ÒË+AŸ´ë Ó&5Š÷ÓP„R'ë-â+ „ÛƵq›Ý“<–áC“Þ®›8ÔÁhîÏ#íÞ^tG†°QbŲ)N#†·î ?±°ù¦„•›£æˆa$(H쵄…PZsÑ&†®é¶àb’ã°¤Œ0‹§§ï»§óD‡~3:+éØÕä}÷ 8ñ`î©?ßÓo›wºFWÐéO´© 0Èò¹½¶BÄÛp =d²ÿP-âëÅèTÊÏÞg~®ýú=£g­l´þC}—&³¯ÁŒÊ÷ššIîä™é9©±ùÉ•àõ+#ž¢˜£ºþ\Öƒ#ÞkÝŒë&t0ÊÝá¦7Ö¶¡ä”5jÌÔ²ÉwvxÙ–î›à`¬ç÷ì¡"a¡f*í`–zL©b¤5Þ+6=jô{zÌ9ùŠ÷´zû¤dI7ý¢éaùgÌ]rä–ºúhl=M(jtn˜3à ¯L2èféòÞ¹’IPË—~/+$c ª‰Á½ˆã+Z ºù­
+Ï{ªsåšU#ô½V¼oØ6‚ž€‚êƒ37•(S¸nÛ\+5ˆððr~ÉžLO5Ÿ?žUaÂCs`~I®úb®E»IÏZ0<LPÛ~²|gUkìFÒ`×0ÖþÈÙ [Â3䀳ýÜ;ߢšìµèÓxƒÊ 'ÉÇWõ©>¸y‡(.Uôë ´ŸG}µ‚wëN<heÕn']D³C‹u„̯ä?O V†w9àÊHýžt;ƒÀv7vŸT¸[xNø%²OfpIø_$§é5.¾‰ìZÌ
+çßQ-<F_¾Aºtï=Wxi¿'SŸ{Ç4 ¡†[PǦØÊv±­o*SÚ®²2WÿWûæ°À(ÐضÕØnÒÆnl6lc[íL&ÎÄæÄFcÛžØNcÜ»¹Opwÿ÷Ÿ8«³=ÝÃR.ÅE…E‹UöÁÎtZ‹¸»4Àâ)³SdÖÑ´S p@E‹iɳ×aBk®$^‘½ùèVŒ× µæv1’qpVnªra\KJÃ02øÏQ?”KñµyTˆ"\ºg‘K®™Ö„Ê›Tc/¾-ª«1ïkÄó çôç%E ׿ÖÃŒ±Læ‹ØÞ¨€áýf¡g·/7Å¢¼R[õâ7ï™Æz’ø/Nzoàû¬åäckƒÇ›˜Äù˜Võð:)ÿýãµüþéJ
+ 3n
+ÿýûAL”2àC¼IÑ2VÃ$:9Ûö¹o„rcl¼Î]üÉ%ä[&=ë6…ï¾ëiÈ¥øOŒ‚ã$K¿h«•uÕ6Iå/8dÉwMNNX’ÔZ1(Ö¥ô¤`ÑkÙ°Ô‚7U%bŸMWž•:+úa™šíù´Ïè΄Ÿ,^Ç0Š!qù«N6@ñË«µ°¤”¯S©iÝÆ{ÝÇ>_À
+ÿ?!Cçcæ^‘O}ÿƒ5 “Cü!ØÉ»®?í|”+¨4ÂöªlØå½û$†,øá¾/ùt£ËzÒ~ج¡1ш—~DÕ1ˆ%ÀlÑ„A·ïª©þ5c ŽŒ·(ˆèß…®tÞ6ž«¨ý+>ù¤" µÕØ®¦?¤Fn®¤ðÂÀ¯BˆCÍoä ÛV ü¾‘«`$¸+°"¤u¡%f ?ýãŽVãüZékK ²}_î™ééË@©éŸ­z™xzWáQ&gvL®ÎØÕÏƉÈP¨î¬/uâ¤á£ §XdýÿÖ•fB]
+:À€•áŽ±¿X8Ñj‡Œ˜>Ág{ZÐ×Ø°i«‡ºyDj"Å jµK–D¥«œ.¯üç”äàd7X‘7æ<¶’Û*¢†ED6 
+” ]´±1Ü?“¹FÁ&¦¡l—FJÐs²!½‹Dãpù!/dÔˆOÄŽ]{TÖƒ:_IîÖáíŒãH%#ˆ1`@®Ö|Èuåñ¢O¾.$YP'jŸ?¿5×^Ü‚îY%’ >É,MŒ20 HÒV ™H³ÊÎÒ—àýŽ³Ñ]E}Tyƒ¿Õ´9•&ÝÝ
+¾²Sî¹”s¬ ¨Ë¶´óEñźA/Me‘Å
+é >Ÿ¼Ã<»ê
+8‚ã*[KEUè)ùa$¿N¢µ øïÍÇ>:Ç4Ø-,¾Ÿò>Þ¤¹µÀžSƒ…n5É¡è7»~²§bí–L
+•¡–¸CŒ#¶ž©Þ.ίè¿·zÆQè}ÛÌŒ6™Äò"ò¼h÷üõ2ÿ²,›û}‹0~77_J¼­SÕdj 1ø7nÅëH‘óx>/'7ÅWWâ7'Žú yÒ>;Fç:ä{g'àÉ.C»4H%ì²õ8ÃñÒj MæúmÒ“<ïPѤ}RÐQ­}Gý.\Ìûþïã Ú/X…$Ѧ{ЗÝØMÉaúèÜch¨$D
+‹ÁcB
+AàÃÐ> 4.Ðt’ÁýŽ`¡ õ1uĬS‰aÏ çF^V-š>¡ýØN ñ‡0åT¯Ù
+·è‡7ëéBñ(9™ÀcY+k$þŶ«Œ=ðµ¢QwL ä<(ró`,XeG÷¦ÝY–‚®ùÕKé÷ÈÞHC°£ää$=üæ…q
+_Ñ=d´)î`Åœ¬~sÙ:Uµ ´§ÞV¶_K!Ô¦`‘EùcTñYŽdÊæÎx¹ÓÀÏÕ7s,|äºS†ííRN]exÀq”›ý-Ë`ë`‰¨ÖÄc±¸.u¹g9ºBµfœ:îïæ2HV1ÒÎ<lš”¶Øµ±HiœQ‘5ü»ž¹Rª»ôB€î.VÂ˵ävŽí®)üfÄ?æˆ,ÞÄoà¤È Íæ
+ôéeÉþ&‡2"$8¬íÛãO˜ˆ7SÆ,é
+±õñ¨E'Oƒ¦ò¸Žœ­²„Œ¨ISŽ§ìº2!²³’D‡H¶ê;”|‹!¶jè²_rDꀩžÖ¸Øã}ˆ8——T²|+Å׋8¾ûW÷šo
+†?Å, Ô±™x¬ç¥\3*Ï©C¶q0ëß½«™Ž>­jâÄ>Kt¤)¦k>(ªK·#:›xMµ–Ð2²ßñ®ÄýRò¡ì‘wz!î,±•ÁÌõ
+DŒ–¯ØØ®0o´×\Ú²{löjâ­°C¨õ3Lu3¤RLyz§ 1ÛÁÂË6».} À|?ò{,j¢:µæû#-ÝÑ"åHbˆGžaæÀ~À_tݶÛàE•
+ócÆ
+ݲ+‡S?èoJ£K¤
+ÓþL5ºÐ$p•ü›yBÃ|5»w^þl23(ËÛô€åµm‘ï7ì·5v°“’._ô]ÕDO¸XR6ö}ÇÉÉ
+Û7Ñ8úŠßî7;°”—\&›ˆÏæÄeâê.s¤ÆÑŽ…Y0´ÊéÞÀ âžì ‹x4ÜÁw\•fèöê°¼Ÿ3pÇOy³Í4ù”-†¢£À ÂN¿ËþÙP³z[´‹üò®¯˜ Æ®-×I£+”–öH34PçM÷|´wÁ°Qv@2vºŒR¶f¼Ÿ4È,²,BÓœ“Uêä~ó‚ù·•6oáéA+K?ó FC¤h¼ÍRÚ_±L²"çªÒÍ“÷û³ÔBKŒÃ(¼shEŽmä_ÞÙSI f8¢lEúKAfð²ÜeM¥ ÐŽ™Ü*ÝS‰§d#…$3u}!jÌïƨCaô‚”¿•Ú Q,Ü4ŒT=AÅ?AUJ” e –×S<)UÇ‘¡„cc lÛ mvØsÖË(?ú¸D˺¯xì/Pç/·‡ðbÞ
+ËÚ."dšñãí·<ÈAmMãsåýëà½Æ™ûÓKæPú iìЇÖó!œi "
+RY,ÀrÚ° ݧ-¦£<@$•N\×:6EwFàC´Y«Uvvµ×çên¿ò\Vê6â~òT¥•½IýA<_½µ™íb+ö@ö­xž>o´x(°‹àšƒû‹ÿ'õeÓloZK’8´†á'ÔpøºÔfžni(|"¨,ÿ°®u ¨‹êûÔˆ,Фè¾9 {+¸$°w/ž‰’&3RÀ¯„„cÁ šOmÏHµ] Ú!ÝÕJ$Žá
+V‘<}6j]'»EVîhû‚}6¡ÝÀ6àÛ·o÷CfÀ¿ièﬕò1e·)(+‚§l¦…ãƒÖˆç\àíÈìk}/y»—ìǸoÕóÑ#Žuo'i”FG œpÖCfïÌŸ¢7j½W¨évôœ­FaÇ¢~®|Z][pÔÖù(Ž¥å –pÖ– œL®€î2Ÿd#FñD§ðïƳK“UðIó‘½ØÒ^¿ºýO4Jh%9rCØ\\ú+Þüæ8[…}Ú ôu¨›ÔV¤J»ˆ¢<#¡%ÁtÇ2å 7ÙIŸÔ®O™oßpÙêÈ—µ9 §.†*iTáŠNG‚÷Yk(ÅiJÌÇgÖ'gOZU\òo®\9F®hÛŽ²v@›”PN•ªþ|z¥»"^‘—ËN§³$Ë'‡kWØœ.Þe#ÄÚä/ª«:I!îò@F.Ù§N,X!Ϫ%µpºDÖEÐ’6å5eFÙ™ÂôÛ’EöqäœØ+R²Ÿ]C~=ëÿÖxP„»w(ŠÉTn ý£êöÅëGÏ!_/Ä!„ûݸЩîçCs›äJ §±üð@ÔÖfË4á ü%å/«‚ÎüTï;MKð"3¢Îæc7 
+Ú–þb$ˆF›š×4ÌGÂw6 JBÊA©­R"±#ªvw>!*3ûLß´ÖaxqUR±™^3îjÕƪ®vOÍ+ê] N nìþù‡Õ¨¸®âƒÑ±ÕÉíÍU
+`õØ i:ey/ÓT“îüÃg{qª}ŽTr 3ý\:×îY6Ò°’Ù<eÚCÈ_üiš–Qm–›#öïÎTº9\œëyíŽ&$ÞñeÞ I4ðúl#ÿ¿{ 2/ô)™®#0„ÇB_ò l•û©¥×ë¥ê:&T‡í¨9WÚ!’q¨ÿÁTˆÛ¥â«×™a9¦ˆRPÕ½¤Ô_i&U—M“X<ÜôYÈ«¶ª&v@¤àÆ2˜1j 9
+ƒÖù9üÞë%CßšAÛ±·ÁÿxHí´ËúD®Ãn6j­°øc„-± ‘F®mð€äÓz#ìA;L {&a0%­j8ÊÔó£{Gµ¢=4‰¤)Ú[ôÐÓ°ÏOw¥Ç÷MªºA:X¹Í¶Âv4ihìä×s¾ø,‚ÆP’㉖ Õù™\†@¯Á±ÆÎßC —èœFì§M¹"â“Êonn_Ö³ÿLBfFÄ  >;xŒoù3‡ý%¤àö.ÜÍ‘8iòzÍ´ÎÈéÕCùÔîÉ(ŒŒ«ªû-äd˜6í‹(ÇJT*L_4¥öÍü…°í¡M¶¤íâ‹1Ö`×xÜe²lÜá†Ö/®;Gæ+àÆÛÔÜÞ釾{å
+2K(¾àÈrG€éI^ݯ§ËœE;ÉëZ$„)½J%† * ÷%„.Jr–&*¹Ü¯Ms¶°_k„îš ¿NÆS»‚wX*ÿï­fƒ=ºðW=›±7Zx‰’d­#ó’1ãZ˜5'`N @­@Ótq¶¥ÙƉ›–îà—%Š7ûÙ¹%.Ìx¤D—ãðÁ³b‰C5ø Idõk/ÅQŠ?èxãê5³¯ÄÖ>Òðuowõ=–è9­Y'àã« Õ‚zɦ±¶Ô‚>N ;}`÷*Ž¿ÃÞƒ$“ƒ†Ï|£ã·Ä#@ºêÊͪ²Æ.ˆX³¤ ¾àŽG¿¯ö„«‡w‚MšZögsÎÙQ1ª¡ï±ª;_þSì?“áx´ Ÿ‚^¯I«˜E2•“§–κÛw!l¾:‡_¼sªÔNÿ˜~ù™Û݃[²3ùULiµeižÀìe%¥½˜¨üß’O¬/°”:¿èx>D@þ¦ùòá=9'»|»Ä½Œ©L²Ä/–ê-‚½ÎìÃsœ” ~(áà,åpƒ¡ËRs,Õ:Ž±ÿÃ6hÆËÔDÞï^ÑêI¬'k𽠱ĞÙþ÷ŸøŸ…ÜÈ Æ› ;™l+ä­ñy̼Ú(g`ý s}ÔÖ’×åù$Ï–c†ƒvjlHM»kœÄ^ý08ùqS}ã!<¢¥mPYm¼ÑјÃs:öhª6¯!Û(sD¹16äÑ?«r.o™Éûòˆ ¾SšÉí³•õP1K²EreS‘(§AðÖ?žÔo§G,C<òΔ½kuló µkX“ÁñÓ—WOGˆ‹v$ÔÃÁ×a¶D´­ƒæé<xç x÷DÉ ºBõoÙòQ3ª‘GÞŠgMyÎëæ:ç èWƒ’¥oáµ=£öb2ð»±K<6ö%J{
+‹ÅK0}´zc?¹ L£Z^ FªËï;—þ d%CºŸüÂ¥ü¨)0óšâ5µû|#ñÊ1¤Šµ– Pgm _R„®z1ÙïO,îSò[³ÃY[Z…-¶2
+{å]­è«X• ²ßæF]T%9FáTâþ¥}qÚxo‚{w;w+h|ŠÏíaq ˆíX7ŒÒz¡î±vñ¨ˆæK܉bs6Ÿ±™"‚¬|;¯mš®u˜4bƼý¦þ 7õ™•»Ð¯l(hõ)&I—¼¸óÝ ô#Fê%yDôêWÖëÏäôD‡߂ù‘|}Å99Q}â> uôÒ§«h†:úVLãÖzBžÅŒå’F'üÕÆQÓ/9ÎFÝҰɵ#6snœjGöXã~ÃéPóLpJýœ&wB˽óÂób17aªÓHj;è•ßÐðS½]þÅÝpÌÚò“ ­ªAë8Kžpªä¦<ëñ-ùS¢äëÊõ&}9c­àÒo˜òt3aëc` StŒÔDr3œ–ic#Ñ‘x"£ž7ý³–þl­ÊêIF)^ˆ×LÌŠ[h£IµA _#ƒc«¬LÔ'PŒ ö–Tñ™»,Š x´År
+‹;dTx¢CŠÚµ'x^3$|ÀȽ¬4ì^ᜥ$0ý'©´s ác@ÓAÙouÖŒÎ@@‹Ù[¨ñÄ#rµì‘ö9s¤Nè2êš>8*û@‹hËçESæIh’V\ºw+›øYET Žë楋ÆEêæcfCoŠåÚM¬·Ôþáéw„IiD¤^‹J­÷T¹J†a±kãÂú ôꟶÊçÆck€-T ÿŠ×Ý¥èÝû
+¥`M/\oõÛþJXSù6”¿ü'ŽOØLaà¨oÍZNõµáø÷P³¬æ#À«-’·^=èCp§“´ñ»wÓ^»±òž,àìÎ-3à rg‡lÖ:G>
+‡û$Ëú*Ï[¾'е5Ø̽þ^¿‚@rG{XÎN3?Ü&Óvj½ìÖfl3O­ˆÐ¥\á" ÝJ)P\°7À«J&zgT‘š|†ñhÝh^r×X&âhŒç]CŠÒ÷ˆÂú%#ÅŸß’ïçUUÒÙ$ïRDäü¾Rk¤zwŒñ­ã—Z
+UßD„j%‘{7¹’&LoÅLó´T0‰*
+Ë—ÌF+uå| ã_ìŽ'¬gk"¸qáD]²
endobj
-714 0 obj <<
+938 0 obj <<
/Type /Font
/Subtype /Type1
-/Encoding 2149 0 R
+/Encoding 2729 0 R
/FirstChar 2
/LastChar 151
-/Widths 2166 0 R
-/BaseFont /GFOWWC+URWPalladioL-Bold
-/FontDescriptor 712 0 R
+/Widths 2746 0 R
+/BaseFont /YHPRZJ+URWPalladioL-Bold
+/FontDescriptor 936 0 R
>> endobj
-712 0 obj <<
+936 0 obj <<
/Ascent 708
/CapHeight 672
/Descent -266
-/FontName /GFOWWC+URWPalladioL-Bold
+/FontName /YHPRZJ+URWPalladioL-Bold
/ItalicAngle 0
/StemV 123
/XHeight 471
/FontBBox [-152 -301 1000 935]
/Flags 4
-/CharSet (/fi/fl/exclam/dollar/percent/quoteright/parenleft/parenright/asterisk/plus/comma/hyphen/period/slash/zero/one/two/three/four/five/six/seven/eight/nine/colon/semicolon/question/at/A/B/C/D/E/F/G/H/I/K/L/M/N/O/P/Q/R/S/T/U/V/W/X/Y/Z/bracketleft/bracketright/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/quotedblright/emdash)
-/FontFile 713 0 R
+/CharSet (/fi/fl/exclam/numbersign/dollar/percent/quoteright/parenleft/parenright/asterisk/plus/comma/hyphen/period/slash/zero/one/two/three/four/five/six/seven/eight/nine/colon/semicolon/question/at/A/B/C/D/E/F/G/H/I/K/L/M/N/O/P/Q/R/S/T/U/V/W/X/Y/Z/bracketleft/bracketright/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/quotedblright/emdash)
+/FontFile 937 0 R
>> endobj
-2166 0 obj
-[611 611 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 278 0 0 500 889 0 278 333 333 444 606 250 333 250 296 500 500 500 500 500 500 500 500 500 500 250 250 0 0 0 444 747 778 667 722 833 611 556 833 833 389 0 778 611 1000 833 833 611 833 722 611 667 778 778 1000 667 667 667 333 0 333 0 0 0 500 611 444 611 500 389 556 611 333 333 611 333 889 611 556 611 611 389 444 333 611 556 833 500 556 500 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 500 0 0 1000 ]
+2746 0 obj
+[611 611 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 278 0 500 500 889 0 278 333 333 444 606 250 333 250 296 500 500 500 500 500 500 500 500 500 500 250 250 0 0 0 444 747 778 667 722 833 611 556 833 833 389 0 778 611 1000 833 833 611 833 722 611 667 778 778 1000 667 667 667 333 0 333 0 0 0 500 611 444 611 500 389 556 611 333 333 611 333 889 611 556 611 611 389 444 333 611 556 833 500 556 500 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 500 0 0 1000 ]
endobj
-715 0 obj <<
+939 0 obj <<
/Type /Pages
/Count 6
-/Parent 2167 0 R
-/Kids [706 0 R 732 0 R 742 0 R 797 0 R 861 0 R 923 0 R]
+/Parent 2747 0 R
+/Kids [930 0 R 956 0 R 966 0 R 1021 0 R 1085 0 R 1148 0 R]
>> endobj
-954 0 obj <<
+1226 0 obj <<
/Type /Pages
/Count 6
-/Parent 2167 0 R
-/Kids [943 0 R 956 0 R 969 0 R 980 0 R 987 0 R 999 0 R]
+/Parent 2747 0 R
+/Kids [1210 0 R 1228 0 R 1240 0 R 1253 0 R 1264 0 R 1271 0 R]
>> endobj
-1011 0 obj <<
+1287 0 obj <<
/Type /Pages
/Count 6
-/Parent 2167 0 R
-/Kids [1004 0 R 1013 0 R 1024 0 R 1032 0 R 1039 0 R 1045 0 R]
+/Parent 2747 0 R
+/Kids [1283 0 R 1289 0 R 1297 0 R 1306 0 R 1316 0 R 1329 0 R]
>> endobj
-1068 0 obj <<
+1337 0 obj <<
/Type /Pages
/Count 6
-/Parent 2167 0 R
-/Kids [1053 0 R 1075 0 R 1084 0 R 1090 0 R 1094 0 R 1100 0 R]
+/Parent 2747 0 R
+/Kids [1333 0 R 1340 0 R 1347 0 R 1352 0 R 1373 0 R 1383 0 R]
>> endobj
-1116 0 obj <<
+1392 0 obj <<
/Type /Pages
/Count 6
-/Parent 2167 0 R
-/Kids [1109 0 R 1119 0 R 1126 0 R 1132 0 R 1140 0 R 1148 0 R]
+/Parent 2747 0 R
+/Kids [1388 0 R 1394 0 R 1399 0 R 1408 0 R 1417 0 R 1424 0 R]
>> endobj
-1158 0 obj <<
+1433 0 obj <<
/Type /Pages
/Count 6
-/Parent 2167 0 R
-/Kids [1152 0 R 1160 0 R 1164 0 R 1174 0 R 1179 0 R 1187 0 R]
+/Parent 2747 0 R
+/Kids [1430 0 R 1435 0 R 1444 0 R 1458 0 R 1465 0 R 1479 0 R]
>> endobj
-1203 0 obj <<
+1489 0 obj <<
/Type /Pages
/Count 6
-/Parent 2168 0 R
-/Kids [1195 0 R 1205 0 R 1214 0 R 1225 0 R 1230 0 R 1236 0 R]
+/Parent 2748 0 R
+/Kids [1485 0 R 1491 0 R 1497 0 R 1504 0 R 1512 0 R 1517 0 R]
>> endobj
-1245 0 obj <<
+1530 0 obj <<
/Type /Pages
/Count 6
-/Parent 2168 0 R
-/Kids [1242 0 R 1247 0 R 1255 0 R 1265 0 R 1269 0 R 1273 0 R]
+/Parent 2748 0 R
+/Kids [1523 0 R 1533 0 R 1540 0 R 1544 0 R 1554 0 R 1559 0 R]
>> endobj
-1282 0 obj <<
+1573 0 obj <<
/Type /Pages
/Count 6
-/Parent 2168 0 R
-/Kids [1278 0 R 1285 0 R 1289 0 R 1295 0 R 1306 0 R 1310 0 R]
+/Parent 2748 0 R
+/Kids [1566 0 R 1575 0 R 1584 0 R 1592 0 R 1603 0 R 1609 0 R]
>> endobj
-1322 0 obj <<
+1620 0 obj <<
/Type /Pages
/Count 6
-/Parent 2168 0 R
-/Kids [1314 0 R 1325 0 R 1332 0 R 1337 0 R 1342 0 R 1346 0 R]
+/Parent 2748 0 R
+/Kids [1615 0 R 1622 0 R 1626 0 R 1633 0 R 1641 0 R 1648 0 R]
>> endobj
-1356 0 obj <<
+1655 0 obj <<
/Type /Pages
/Count 6
-/Parent 2168 0 R
-/Kids [1350 0 R 1358 0 R 1365 0 R 1371 0 R 1378 0 R 1385 0 R]
+/Parent 2748 0 R
+/Kids [1652 0 R 1657 0 R 1661 0 R 1665 0 R 1671 0 R 1676 0 R]
>> endobj
-1398 0 obj <<
+1686 0 obj <<
/Type /Pages
/Count 6
-/Parent 2168 0 R
-/Kids [1391 0 R 1401 0 R 1409 0 R 1413 0 R 1417 0 R 1422 0 R]
+/Parent 2748 0 R
+/Kids [1681 0 R 1688 0 R 1693 0 R 1703 0 R 1707 0 R 1711 0 R]
>> endobj
-1437 0 obj <<
+1723 0 obj <<
/Type /Pages
/Count 6
-/Parent 2169 0 R
-/Kids [1430 0 R 1439 0 R 1443 0 R 1447 0 R 1451 0 R 1459 0 R]
+/Parent 2749 0 R
+/Kids [1716 0 R 1726 0 R 1734 0 R 1739 0 R 1743 0 R 1747 0 R]
>> endobj
-1484 0 obj <<
+1758 0 obj <<
/Type /Pages
/Count 6
-/Parent 2169 0 R
-/Kids [1466 0 R 1486 0 R 1500 0 R 1520 0 R 1526 0 R 1536 0 R]
+/Parent 2749 0 R
+/Kids [1751 0 R 1760 0 R 1767 0 R 1772 0 R 1779 0 R 1786 0 R]
>> endobj
-1547 0 obj <<
+1796 0 obj <<
/Type /Pages
/Count 6
-/Parent 2169 0 R
-/Kids [1542 0 R 1549 0 R 1558 0 R 1569 0 R 1579 0 R 1587 0 R]
+/Parent 2749 0 R
+/Kids [1792 0 R 1799 0 R 1807 0 R 1811 0 R 1816 0 R 1821 0 R]
>> endobj
-1602 0 obj <<
+1829 0 obj <<
/Type /Pages
/Count 6
-/Parent 2169 0 R
-/Kids [1594 0 R 1604 0 R 1610 0 R 1620 0 R 1631 0 R 1635 0 R]
+/Parent 2749 0 R
+/Kids [1826 0 R 1831 0 R 1836 0 R 1842 0 R 1851 0 R 1856 0 R]
>> endobj
-1644 0 obj <<
+1864 0 obj <<
/Type /Pages
/Count 6
-/Parent 2169 0 R
-/Kids [1639 0 R 1646 0 R 1657 0 R 1661 0 R 1665 0 R 1676 0 R]
+/Parent 2749 0 R
+/Kids [1861 0 R 1866 0 R 1870 0 R 1874 0 R 1882 0 R 1889 0 R]
>> endobj
-1686 0 obj <<
+1922 0 obj <<
/Type /Pages
/Count 6
-/Parent 2169 0 R
-/Kids [1680 0 R 1688 0 R 1698 0 R 1757 0 R 1813 0 R 1867 0 R]
+/Parent 2749 0 R
+/Kids [1909 0 R 1924 0 R 1935 0 R 1951 0 R 1957 0 R 1961 0 R]
>> endobj
-1909 0 obj <<
+1976 0 obj <<
/Type /Pages
/Count 6
-/Parent 2170 0 R
-/Kids [1901 0 R 1911 0 R 1917 0 R 1922 0 R 1926 0 R 1931 0 R]
+/Parent 2750 0 R
+/Kids [1971 0 R 1978 0 R 1984 0 R 1994 0 R 2006 0 R 2014 0 R]
>> endobj
-1946 0 obj <<
+2025 0 obj <<
/Type /Pages
/Count 6
-/Parent 2170 0 R
-/Kids [1942 0 R 1948 0 R 1960 0 R 1971 0 R 1978 0 R 1990 0 R]
+/Parent 2750 0 R
+/Kids [2022 0 R 2027 0 R 2035 0 R 2043 0 R 2055 0 R 2062 0 R]
>> endobj
-2004 0 obj <<
+2073 0 obj <<
/Type /Pages
/Count 6
-/Parent 2170 0 R
-/Kids [1994 0 R 2006 0 R 2012 0 R 2016 0 R 2022 0 R 2035 0 R]
+/Parent 2750 0 R
+/Kids [2070 0 R 2075 0 R 2081 0 R 2092 0 R 2096 0 R 2100 0 R]
>> endobj
-2048 0 obj <<
+2114 0 obj <<
/Type /Pages
/Count 6
-/Parent 2170 0 R
-/Kids [2045 0 R 2050 0 R 2062 0 R 2066 0 R 2072 0 R 2083 0 R]
+/Parent 2750 0 R
+/Kids [2111 0 R 2116 0 R 2123 0 R 2133 0 R 2192 0 R 2248 0 R]
>> endobj
-2091 0 obj <<
+2336 0 obj <<
/Type /Pages
/Count 6
-/Parent 2170 0 R
-/Kids [2088 0 R 2093 0 R 2100 0 R 2110 0 R 2121 0 R 2126 0 R]
+/Parent 2750 0 R
+/Kids [2302 0 R 2338 0 R 2346 0 R 2354 0 R 2361 0 R 2366 0 R]
>> endobj
-2142 0 obj <<
+2375 0 obj <<
/Type /Pages
-/Count 2
-/Parent 2170 0 R
-/Kids [2137 0 R 2144 0 R]
+/Count 6
+/Parent 2750 0 R
+/Kids [2372 0 R 2377 0 R 2386 0 R 2392 0 R 2397 0 R 2401 0 R]
>> endobj
-2167 0 obj <<
+2416 0 obj <<
+/Type /Pages
+/Count 6
+/Parent 2751 0 R
+/Kids [2406 0 R 2418 0 R 2423 0 R 2435 0 R 2444 0 R 2453 0 R]
+>> endobj
+2466 0 obj <<
+/Type /Pages
+/Count 6
+/Parent 2751 0 R
+/Kids [2458 0 R 2468 0 R 2474 0 R 2478 0 R 2484 0 R 2495 0 R]
+>> endobj
+2510 0 obj <<
+/Type /Pages
+/Count 6
+/Parent 2751 0 R
+/Kids [2505 0 R 2512 0 R 2522 0 R 2528 0 R 2532 0 R 2536 0 R]
+>> endobj
+2556 0 obj <<
+/Type /Pages
+/Count 6
+/Parent 2751 0 R
+/Kids [2546 0 R 2558 0 R 2565 0 R 2569 0 R 2581 0 R 2585 0 R]
+>> endobj
+2603 0 obj <<
+/Type /Pages
+/Count 6
+/Parent 2751 0 R
+/Kids [2592 0 R 2605 0 R 2613 0 R 2618 0 R 2622 0 R 2630 0 R]
+>> endobj
+2649 0 obj <<
+/Type /Pages
+/Count 6
+/Parent 2751 0 R
+/Kids [2639 0 R 2651 0 R 2656 0 R 2668 0 R 2674 0 R 2684 0 R]
+>> endobj
+2710 0 obj <<
+/Type /Pages
+/Count 3
+/Parent 2752 0 R
+/Kids [2698 0 R 2712 0 R 2725 0 R]
+>> endobj
+2747 0 obj <<
/Type /Pages
/Count 36
-/Parent 2171 0 R
-/Kids [715 0 R 954 0 R 1011 0 R 1068 0 R 1116 0 R 1158 0 R]
+/Parent 2753 0 R
+/Kids [939 0 R 1226 0 R 1287 0 R 1337 0 R 1392 0 R 1433 0 R]
>> endobj
-2168 0 obj <<
+2748 0 obj <<
/Type /Pages
/Count 36
-/Parent 2171 0 R
-/Kids [1203 0 R 1245 0 R 1282 0 R 1322 0 R 1356 0 R 1398 0 R]
+/Parent 2753 0 R
+/Kids [1489 0 R 1530 0 R 1573 0 R 1620 0 R 1655 0 R 1686 0 R]
>> endobj
-2169 0 obj <<
+2749 0 obj <<
/Type /Pages
/Count 36
-/Parent 2171 0 R
-/Kids [1437 0 R 1484 0 R 1547 0 R 1602 0 R 1644 0 R 1686 0 R]
+/Parent 2753 0 R
+/Kids [1723 0 R 1758 0 R 1796 0 R 1829 0 R 1864 0 R 1922 0 R]
>> endobj
-2170 0 obj <<
+2750 0 obj <<
/Type /Pages
-/Count 32
-/Parent 2171 0 R
-/Kids [1909 0 R 1946 0 R 2004 0 R 2048 0 R 2091 0 R 2142 0 R]
+/Count 36
+/Parent 2753 0 R
+/Kids [1976 0 R 2025 0 R 2073 0 R 2114 0 R 2336 0 R 2375 0 R]
>> endobj
-2171 0 obj <<
+2751 0 obj <<
+/Type /Pages
+/Count 36
+/Parent 2753 0 R
+/Kids [2416 0 R 2466 0 R 2510 0 R 2556 0 R 2603 0 R 2649 0 R]
+>> endobj
+2752 0 obj <<
/Type /Pages
-/Count 140
-/Kids [2167 0 R 2168 0 R 2169 0 R 2170 0 R]
+/Count 3
+/Parent 2753 0 R
+/Kids [2710 0 R]
>> endobj
-2172 0 obj <<
+2753 0 obj <<
+/Type /Pages
+/Count 183
+/Kids [2747 0 R 2748 0 R 2749 0 R 2750 0 R 2751 0 R 2752 0 R]
+>> endobj
+2754 0 obj <<
/Type /Outlines
/First 7 0 R
-/Last 651 0 R
+/Last 843 0 R
/Count 10
>> endobj
+927 0 obj <<
+/Title 928 0 R
+/A 925 0 R
+/Parent 843 0 R
+/Prev 923 0 R
+>> endobj
+923 0 obj <<
+/Title 924 0 R
+/A 921 0 R
+/Parent 843 0 R
+/Prev 919 0 R
+/Next 927 0 R
+>> endobj
+919 0 obj <<
+/Title 920 0 R
+/A 917 0 R
+/Parent 843 0 R
+/Prev 915 0 R
+/Next 923 0 R
+>> endobj
+915 0 obj <<
+/Title 916 0 R
+/A 913 0 R
+/Parent 843 0 R
+/Prev 911 0 R
+/Next 919 0 R
+>> endobj
+911 0 obj <<
+/Title 912 0 R
+/A 909 0 R
+/Parent 843 0 R
+/Prev 907 0 R
+/Next 915 0 R
+>> endobj
+907 0 obj <<
+/Title 908 0 R
+/A 905 0 R
+/Parent 843 0 R
+/Prev 903 0 R
+/Next 911 0 R
+>> endobj
+903 0 obj <<
+/Title 904 0 R
+/A 901 0 R
+/Parent 843 0 R
+/Prev 899 0 R
+/Next 907 0 R
+>> endobj
+899 0 obj <<
+/Title 900 0 R
+/A 897 0 R
+/Parent 843 0 R
+/Prev 895 0 R
+/Next 903 0 R
+>> endobj
+895 0 obj <<
+/Title 896 0 R
+/A 893 0 R
+/Parent 843 0 R
+/Prev 891 0 R
+/Next 899 0 R
+>> endobj
+891 0 obj <<
+/Title 892 0 R
+/A 889 0 R
+/Parent 843 0 R
+/Prev 887 0 R
+/Next 895 0 R
+>> endobj
+887 0 obj <<
+/Title 888 0 R
+/A 885 0 R
+/Parent 843 0 R
+/Prev 883 0 R
+/Next 891 0 R
+>> endobj
+883 0 obj <<
+/Title 884 0 R
+/A 881 0 R
+/Parent 843 0 R
+/Prev 879 0 R
+/Next 887 0 R
+>> endobj
+879 0 obj <<
+/Title 880 0 R
+/A 877 0 R
+/Parent 843 0 R
+/Prev 875 0 R
+/Next 883 0 R
+>> endobj
+875 0 obj <<
+/Title 876 0 R
+/A 873 0 R
+/Parent 843 0 R
+/Prev 871 0 R
+/Next 879 0 R
+>> endobj
+871 0 obj <<
+/Title 872 0 R
+/A 869 0 R
+/Parent 843 0 R
+/Prev 867 0 R
+/Next 875 0 R
+>> endobj
+867 0 obj <<
+/Title 868 0 R
+/A 865 0 R
+/Parent 843 0 R
+/Prev 863 0 R
+/Next 871 0 R
+>> endobj
+863 0 obj <<
+/Title 864 0 R
+/A 861 0 R
+/Parent 843 0 R
+/Prev 859 0 R
+/Next 867 0 R
+>> endobj
+859 0 obj <<
+/Title 860 0 R
+/A 857 0 R
+/Parent 843 0 R
+/Prev 855 0 R
+/Next 863 0 R
+>> endobj
+855 0 obj <<
+/Title 856 0 R
+/A 853 0 R
+/Parent 843 0 R
+/Prev 851 0 R
+/Next 859 0 R
+>> endobj
+851 0 obj <<
+/Title 852 0 R
+/A 849 0 R
+/Parent 843 0 R
+/Prev 847 0 R
+/Next 855 0 R
+>> endobj
+847 0 obj <<
+/Title 848 0 R
+/A 845 0 R
+/Parent 843 0 R
+/Next 851 0 R
+>> endobj
+843 0 obj <<
+/Title 844 0 R
+/A 841 0 R
+/Parent 2754 0 R
+/Prev 751 0 R
+/First 847 0 R
+/Last 927 0 R
+/Count -21
+>> endobj
+839 0 obj <<
+/Title 840 0 R
+/A 837 0 R
+/Parent 787 0 R
+/Prev 811 0 R
+>> endobj
+835 0 obj <<
+/Title 836 0 R
+/A 833 0 R
+/Parent 811 0 R
+/Prev 831 0 R
+>> endobj
+831 0 obj <<
+/Title 832 0 R
+/A 829 0 R
+/Parent 811 0 R
+/Prev 827 0 R
+/Next 835 0 R
+>> endobj
+827 0 obj <<
+/Title 828 0 R
+/A 825 0 R
+/Parent 811 0 R
+/Prev 823 0 R
+/Next 831 0 R
+>> endobj
+823 0 obj <<
+/Title 824 0 R
+/A 821 0 R
+/Parent 811 0 R
+/Prev 819 0 R
+/Next 827 0 R
+>> endobj
+819 0 obj <<
+/Title 820 0 R
+/A 817 0 R
+/Parent 811 0 R
+/Prev 815 0 R
+/Next 823 0 R
+>> endobj
+815 0 obj <<
+/Title 816 0 R
+/A 813 0 R
+/Parent 811 0 R
+/Next 819 0 R
+>> endobj
+811 0 obj <<
+/Title 812 0 R
+/A 809 0 R
+/Parent 787 0 R
+/Prev 807 0 R
+/Next 839 0 R
+/First 815 0 R
+/Last 835 0 R
+/Count -6
+>> endobj
+807 0 obj <<
+/Title 808 0 R
+/A 805 0 R
+/Parent 787 0 R
+/Prev 803 0 R
+/Next 811 0 R
+>> endobj
+803 0 obj <<
+/Title 804 0 R
+/A 801 0 R
+/Parent 787 0 R
+/Prev 799 0 R
+/Next 807 0 R
+>> endobj
+799 0 obj <<
+/Title 800 0 R
+/A 797 0 R
+/Parent 787 0 R
+/Prev 795 0 R
+/Next 803 0 R
+>> endobj
+795 0 obj <<
+/Title 796 0 R
+/A 793 0 R
+/Parent 787 0 R
+/Prev 791 0 R
+/Next 799 0 R
+>> endobj
+791 0 obj <<
+/Title 792 0 R
+/A 789 0 R
+/Parent 787 0 R
+/Next 795 0 R
+>> endobj
+787 0 obj <<
+/Title 788 0 R
+/A 785 0 R
+/Parent 751 0 R
+/Prev 771 0 R
+/First 791 0 R
+/Last 839 0 R
+/Count -7
+>> endobj
+783 0 obj <<
+/Title 784 0 R
+/A 781 0 R
+/Parent 771 0 R
+/Prev 779 0 R
+>> endobj
+779 0 obj <<
+/Title 780 0 R
+/A 777 0 R
+/Parent 771 0 R
+/Prev 775 0 R
+/Next 783 0 R
+>> endobj
+775 0 obj <<
+/Title 776 0 R
+/A 773 0 R
+/Parent 771 0 R
+/Next 779 0 R
+>> endobj
+771 0 obj <<
+/Title 772 0 R
+/A 769 0 R
+/Parent 751 0 R
+/Prev 763 0 R
+/Next 787 0 R
+/First 775 0 R
+/Last 783 0 R
+/Count -3
+>> endobj
+767 0 obj <<
+/Title 768 0 R
+/A 765 0 R
+/Parent 763 0 R
+>> endobj
+763 0 obj <<
+/Title 764 0 R
+/A 761 0 R
+/Parent 751 0 R
+/Prev 755 0 R
+/Next 771 0 R
+/First 767 0 R
+/Last 767 0 R
+/Count -1
+>> endobj
+759 0 obj <<
+/Title 760 0 R
+/A 757 0 R
+/Parent 755 0 R
+>> endobj
+755 0 obj <<
+/Title 756 0 R
+/A 753 0 R
+/Parent 751 0 R
+/Next 763 0 R
+/First 759 0 R
+/Last 759 0 R
+/Count -1
+>> endobj
+751 0 obj <<
+/Title 752 0 R
+/A 749 0 R
+/Parent 2754 0 R
+/Prev 731 0 R
+/Next 843 0 R
+/First 755 0 R
+/Last 787 0 R
+/Count -4
+>> endobj
+747 0 obj <<
+/Title 748 0 R
+/A 745 0 R
+/Parent 731 0 R
+/Prev 743 0 R
+>> endobj
+743 0 obj <<
+/Title 744 0 R
+/A 741 0 R
+/Parent 731 0 R
+/Prev 735 0 R
+/Next 747 0 R
+>> endobj
+739 0 obj <<
+/Title 740 0 R
+/A 737 0 R
+/Parent 735 0 R
+>> endobj
+735 0 obj <<
+/Title 736 0 R
+/A 733 0 R
+/Parent 731 0 R
+/Next 743 0 R
+/First 739 0 R
+/Last 739 0 R
+/Count -1
+>> endobj
+731 0 obj <<
+/Title 732 0 R
+/A 729 0 R
+/Parent 2754 0 R
+/Prev 707 0 R
+/Next 751 0 R
+/First 735 0 R
+/Last 747 0 R
+/Count -3
+>> endobj
+727 0 obj <<
+/Title 728 0 R
+/A 725 0 R
+/Parent 707 0 R
+/Prev 715 0 R
+>> endobj
+723 0 obj <<
+/Title 724 0 R
+/A 721 0 R
+/Parent 715 0 R
+/Prev 719 0 R
+>> endobj
+719 0 obj <<
+/Title 720 0 R
+/A 717 0 R
+/Parent 715 0 R
+/Next 723 0 R
+>> endobj
+715 0 obj <<
+/Title 716 0 R
+/A 713 0 R
+/Parent 707 0 R
+/Prev 711 0 R
+/Next 727 0 R
+/First 719 0 R
+/Last 723 0 R
+/Count -2
+>> endobj
+711 0 obj <<
+/Title 712 0 R
+/A 709 0 R
+/Parent 707 0 R
+/Next 715 0 R
+>> endobj
+707 0 obj <<
+/Title 708 0 R
+/A 705 0 R
+/Parent 2754 0 R
+/Prev 363 0 R
+/Next 731 0 R
+/First 711 0 R
+/Last 727 0 R
+/Count -3
+>> endobj
703 0 obj <<
/Title 704 0 R
/A 701 0 R
-/Parent 651 0 R
+/Parent 683 0 R
/Prev 699 0 R
>> endobj
699 0 obj <<
/Title 700 0 R
/A 697 0 R
-/Parent 651 0 R
+/Parent 683 0 R
/Prev 695 0 R
/Next 703 0 R
>> endobj
695 0 obj <<
/Title 696 0 R
/A 693 0 R
-/Parent 651 0 R
+/Parent 683 0 R
/Prev 691 0 R
/Next 699 0 R
>> endobj
691 0 obj <<
/Title 692 0 R
/A 689 0 R
-/Parent 651 0 R
+/Parent 683 0 R
/Prev 687 0 R
/Next 695 0 R
>> endobj
687 0 obj <<
/Title 688 0 R
/A 685 0 R
-/Parent 651 0 R
-/Prev 683 0 R
+/Parent 683 0 R
/Next 691 0 R
>> endobj
683 0 obj <<
/Title 684 0 R
/A 681 0 R
-/Parent 651 0 R
+/Parent 675 0 R
/Prev 679 0 R
-/Next 687 0 R
+/First 687 0 R
+/Last 703 0 R
+/Count -5
>> endobj
679 0 obj <<
/Title 680 0 R
/A 677 0 R
-/Parent 651 0 R
-/Prev 675 0 R
+/Parent 675 0 R
/Next 683 0 R
>> endobj
675 0 obj <<
/Title 676 0 R
/A 673 0 R
-/Parent 651 0 R
-/Prev 671 0 R
-/Next 679 0 R
+/Parent 363 0 R
+/Prev 619 0 R
+/First 679 0 R
+/Last 683 0 R
+/Count -2
>> endobj
671 0 obj <<
/Title 672 0 R
/A 669 0 R
-/Parent 651 0 R
+/Parent 619 0 R
/Prev 667 0 R
-/Next 675 0 R
>> endobj
667 0 obj <<
/Title 668 0 R
/A 665 0 R
-/Parent 651 0 R
-/Prev 663 0 R
+/Parent 619 0 R
+/Prev 647 0 R
/Next 671 0 R
>> endobj
663 0 obj <<
/Title 664 0 R
/A 661 0 R
-/Parent 651 0 R
+/Parent 647 0 R
/Prev 659 0 R
-/Next 667 0 R
>> endobj
659 0 obj <<
/Title 660 0 R
/A 657 0 R
-/Parent 651 0 R
+/Parent 647 0 R
/Prev 655 0 R
/Next 663 0 R
>> endobj
655 0 obj <<
/Title 656 0 R
/A 653 0 R
-/Parent 651 0 R
+/Parent 647 0 R
+/Prev 651 0 R
/Next 659 0 R
>> endobj
651 0 obj <<
/Title 652 0 R
/A 649 0 R
-/Parent 2172 0 R
-/Prev 615 0 R
-/First 655 0 R
-/Last 703 0 R
-/Count -13
+/Parent 647 0 R
+/Next 655 0 R
>> endobj
647 0 obj <<
/Title 648 0 R
/A 645 0 R
-/Parent 635 0 R
+/Parent 619 0 R
/Prev 643 0 R
+/Next 667 0 R
+/First 651 0 R
+/Last 663 0 R
+/Count -4
>> endobj
643 0 obj <<
/Title 644 0 R
/A 641 0 R
-/Parent 635 0 R
+/Parent 619 0 R
/Prev 639 0 R
/Next 647 0 R
>> endobj
639 0 obj <<
/Title 640 0 R
/A 637 0 R
-/Parent 635 0 R
+/Parent 619 0 R
+/Prev 635 0 R
/Next 643 0 R
>> endobj
635 0 obj <<
/Title 636 0 R
/A 633 0 R
-/Parent 615 0 R
-/Prev 627 0 R
-/First 639 0 R
-/Last 647 0 R
-/Count -3
+/Parent 619 0 R
+/Prev 623 0 R
+/Next 639 0 R
>> endobj
631 0 obj <<
/Title 632 0 R
/A 629 0 R
-/Parent 627 0 R
+/Parent 623 0 R
+/Prev 627 0 R
>> endobj
627 0 obj <<
/Title 628 0 R
/A 625 0 R
-/Parent 615 0 R
-/Prev 619 0 R
-/Next 635 0 R
-/First 631 0 R
-/Last 631 0 R
-/Count -1
+/Parent 623 0 R
+/Next 631 0 R
>> endobj
623 0 obj <<
/Title 624 0 R
/A 621 0 R
/Parent 619 0 R
+/Next 635 0 R
+/First 627 0 R
+/Last 631 0 R
+/Count -2
>> endobj
619 0 obj <<
/Title 620 0 R
/A 617 0 R
-/Parent 615 0 R
-/Next 627 0 R
+/Parent 363 0 R
+/Prev 395 0 R
+/Next 675 0 R
/First 623 0 R
-/Last 623 0 R
-/Count -1
+/Last 671 0 R
+/Count -7
>> endobj
615 0 obj <<
/Title 616 0 R
/A 613 0 R
-/Parent 2172 0 R
-/Prev 595 0 R
-/Next 651 0 R
-/First 619 0 R
-/Last 635 0 R
-/Count -3
+/Parent 599 0 R
+/Prev 611 0 R
>> endobj
611 0 obj <<
/Title 612 0 R
/A 609 0 R
-/Parent 595 0 R
+/Parent 599 0 R
/Prev 607 0 R
+/Next 615 0 R
>> endobj
607 0 obj <<
/Title 608 0 R
/A 605 0 R
-/Parent 595 0 R
-/Prev 599 0 R
+/Parent 599 0 R
+/Prev 603 0 R
/Next 611 0 R
>> endobj
603 0 obj <<
/Title 604 0 R
/A 601 0 R
/Parent 599 0 R
+/Next 607 0 R
>> endobj
599 0 obj <<
/Title 600 0 R
/A 597 0 R
-/Parent 595 0 R
-/Next 607 0 R
+/Parent 395 0 R
+/Prev 595 0 R
/First 603 0 R
-/Last 603 0 R
-/Count -1
+/Last 615 0 R
+/Count -4
>> endobj
595 0 obj <<
/Title 596 0 R
/A 593 0 R
-/Parent 2172 0 R
-/Prev 571 0 R
-/Next 615 0 R
-/First 599 0 R
-/Last 611 0 R
-/Count -3
+/Parent 395 0 R
+/Prev 591 0 R
+/Next 599 0 R
>> endobj
591 0 obj <<
/Title 592 0 R
/A 589 0 R
-/Parent 571 0 R
-/Prev 579 0 R
+/Parent 395 0 R
+/Prev 587 0 R
+/Next 595 0 R
>> endobj
587 0 obj <<
/Title 588 0 R
/A 585 0 R
-/Parent 579 0 R
+/Parent 395 0 R
/Prev 583 0 R
+/Next 591 0 R
>> endobj
583 0 obj <<
/Title 584 0 R
/A 581 0 R
-/Parent 579 0 R
+/Parent 395 0 R
+/Prev 579 0 R
/Next 587 0 R
>> endobj
579 0 obj <<
/Title 580 0 R
/A 577 0 R
-/Parent 571 0 R
+/Parent 395 0 R
/Prev 575 0 R
-/Next 591 0 R
-/First 583 0 R
-/Last 587 0 R
-/Count -2
+/Next 583 0 R
>> endobj
575 0 obj <<
/Title 576 0 R
/A 573 0 R
-/Parent 571 0 R
+/Parent 395 0 R
+/Prev 571 0 R
/Next 579 0 R
>> endobj
571 0 obj <<
/Title 572 0 R
/A 569 0 R
-/Parent 2172 0 R
-/Prev 243 0 R
-/Next 595 0 R
-/First 575 0 R
-/Last 591 0 R
-/Count -3
+/Parent 395 0 R
+/Prev 567 0 R
+/Next 575 0 R
>> endobj
567 0 obj <<
/Title 568 0 R
/A 565 0 R
-/Parent 547 0 R
+/Parent 395 0 R
/Prev 563 0 R
+/Next 571 0 R
>> endobj
563 0 obj <<
/Title 564 0 R
/A 561 0 R
-/Parent 547 0 R
+/Parent 395 0 R
/Prev 559 0 R
/Next 567 0 R
>> endobj
559 0 obj <<
/Title 560 0 R
/A 557 0 R
-/Parent 547 0 R
+/Parent 395 0 R
/Prev 555 0 R
/Next 563 0 R
>> endobj
555 0 obj <<
/Title 556 0 R
/A 553 0 R
-/Parent 547 0 R
-/Prev 551 0 R
+/Parent 395 0 R
+/Prev 471 0 R
/Next 559 0 R
>> endobj
551 0 obj <<
/Title 552 0 R
/A 549 0 R
-/Parent 547 0 R
-/Next 555 0 R
+/Parent 471 0 R
+/Prev 547 0 R
>> endobj
547 0 obj <<
/Title 548 0 R
/A 545 0 R
-/Parent 539 0 R
+/Parent 471 0 R
/Prev 543 0 R
-/First 551 0 R
-/Last 567 0 R
-/Count -5
+/Next 551 0 R
>> endobj
543 0 obj <<
/Title 544 0 R
/A 541 0 R
-/Parent 539 0 R
+/Parent 471 0 R
+/Prev 539 0 R
/Next 547 0 R
>> endobj
539 0 obj <<
/Title 540 0 R
/A 537 0 R
-/Parent 243 0 R
-/Prev 483 0 R
-/First 543 0 R
-/Last 547 0 R
-/Count -2
+/Parent 471 0 R
+/Prev 535 0 R
+/Next 543 0 R
>> endobj
535 0 obj <<
/Title 536 0 R
/A 533 0 R
-/Parent 483 0 R
+/Parent 471 0 R
/Prev 531 0 R
+/Next 539 0 R
>> endobj
531 0 obj <<
/Title 532 0 R
/A 529 0 R
-/Parent 483 0 R
-/Prev 511 0 R
+/Parent 471 0 R
+/Prev 527 0 R
/Next 535 0 R
>> endobj
527 0 obj <<
/Title 528 0 R
/A 525 0 R
-/Parent 511 0 R
+/Parent 471 0 R
/Prev 523 0 R
+/Next 531 0 R
>> endobj
523 0 obj <<
/Title 524 0 R
/A 521 0 R
-/Parent 511 0 R
+/Parent 471 0 R
/Prev 519 0 R
/Next 527 0 R
>> endobj
519 0 obj <<
/Title 520 0 R
/A 517 0 R
-/Parent 511 0 R
+/Parent 471 0 R
/Prev 515 0 R
/Next 523 0 R
>> endobj
515 0 obj <<
/Title 516 0 R
/A 513 0 R
-/Parent 511 0 R
+/Parent 471 0 R
+/Prev 511 0 R
/Next 519 0 R
>> endobj
511 0 obj <<
/Title 512 0 R
/A 509 0 R
-/Parent 483 0 R
+/Parent 471 0 R
/Prev 507 0 R
-/Next 531 0 R
-/First 515 0 R
-/Last 527 0 R
-/Count -4
+/Next 515 0 R
>> endobj
507 0 obj <<
/Title 508 0 R
/A 505 0 R
-/Parent 483 0 R
+/Parent 471 0 R
/Prev 503 0 R
/Next 511 0 R
>> endobj
503 0 obj <<
/Title 504 0 R
/A 501 0 R
-/Parent 483 0 R
+/Parent 471 0 R
/Prev 499 0 R
/Next 507 0 R
>> endobj
499 0 obj <<
/Title 500 0 R
/A 497 0 R
-/Parent 483 0 R
-/Prev 487 0 R
+/Parent 471 0 R
+/Prev 495 0 R
/Next 503 0 R
>> endobj
495 0 obj <<
/Title 496 0 R
/A 493 0 R
-/Parent 487 0 R
+/Parent 471 0 R
/Prev 491 0 R
+/Next 499 0 R
>> endobj
491 0 obj <<
/Title 492 0 R
/A 489 0 R
-/Parent 487 0 R
+/Parent 471 0 R
+/Prev 487 0 R
/Next 495 0 R
>> endobj
487 0 obj <<
/Title 488 0 R
/A 485 0 R
-/Parent 483 0 R
-/Next 499 0 R
-/First 491 0 R
-/Last 495 0 R
-/Count -2
+/Parent 471 0 R
+/Prev 483 0 R
+/Next 491 0 R
>> endobj
483 0 obj <<
/Title 484 0 R
/A 481 0 R
-/Parent 243 0 R
-/Prev 275 0 R
-/Next 539 0 R
-/First 487 0 R
-/Last 535 0 R
-/Count -7
+/Parent 471 0 R
+/Prev 479 0 R
+/Next 487 0 R
>> endobj
479 0 obj <<
/Title 480 0 R
/A 477 0 R
-/Parent 463 0 R
+/Parent 471 0 R
/Prev 475 0 R
+/Next 483 0 R
>> endobj
475 0 obj <<
/Title 476 0 R
/A 473 0 R
-/Parent 463 0 R
-/Prev 471 0 R
+/Parent 471 0 R
/Next 479 0 R
>> endobj
471 0 obj <<
/Title 472 0 R
/A 469 0 R
-/Parent 463 0 R
+/Parent 395 0 R
/Prev 467 0 R
-/Next 475 0 R
+/Next 555 0 R
+/First 475 0 R
+/Last 551 0 R
+/Count -20
>> endobj
467 0 obj <<
/Title 468 0 R
/A 465 0 R
-/Parent 463 0 R
+/Parent 395 0 R
+/Prev 463 0 R
/Next 471 0 R
>> endobj
463 0 obj <<
/Title 464 0 R
/A 461 0 R
-/Parent 275 0 R
+/Parent 395 0 R
/Prev 459 0 R
-/First 467 0 R
-/Last 479 0 R
-/Count -4
+/Next 467 0 R
>> endobj
459 0 obj <<
/Title 460 0 R
/A 457 0 R
-/Parent 275 0 R
+/Parent 395 0 R
/Prev 455 0 R
/Next 463 0 R
>> endobj
455 0 obj <<
/Title 456 0 R
/A 453 0 R
-/Parent 275 0 R
+/Parent 395 0 R
/Prev 451 0 R
/Next 459 0 R
>> endobj
451 0 obj <<
/Title 452 0 R
/A 449 0 R
-/Parent 275 0 R
-/Prev 447 0 R
+/Parent 395 0 R
+/Prev 435 0 R
/Next 455 0 R
>> endobj
447 0 obj <<
/Title 448 0 R
/A 445 0 R
-/Parent 275 0 R
+/Parent 435 0 R
/Prev 443 0 R
-/Next 451 0 R
>> endobj
443 0 obj <<
/Title 444 0 R
/A 441 0 R
-/Parent 275 0 R
+/Parent 435 0 R
/Prev 439 0 R
/Next 447 0 R
>> endobj
439 0 obj <<
/Title 440 0 R
/A 437 0 R
-/Parent 275 0 R
-/Prev 435 0 R
+/Parent 435 0 R
/Next 443 0 R
>> endobj
435 0 obj <<
/Title 436 0 R
/A 433 0 R
-/Parent 275 0 R
+/Parent 395 0 R
/Prev 431 0 R
-/Next 439 0 R
+/Next 451 0 R
+/First 439 0 R
+/Last 447 0 R
+/Count -3
>> endobj
431 0 obj <<
/Title 432 0 R
/A 429 0 R
-/Parent 275 0 R
+/Parent 395 0 R
/Prev 427 0 R
/Next 435 0 R
>> endobj
427 0 obj <<
/Title 428 0 R
/A 425 0 R
-/Parent 275 0 R
-/Prev 351 0 R
+/Parent 395 0 R
+/Prev 423 0 R
/Next 431 0 R
>> endobj
423 0 obj <<
/Title 424 0 R
/A 421 0 R
-/Parent 351 0 R
+/Parent 395 0 R
/Prev 419 0 R
+/Next 427 0 R
>> endobj
419 0 obj <<
/Title 420 0 R
/A 417 0 R
-/Parent 351 0 R
+/Parent 395 0 R
/Prev 415 0 R
/Next 423 0 R
>> endobj
415 0 obj <<
/Title 416 0 R
/A 413 0 R
-/Parent 351 0 R
+/Parent 395 0 R
/Prev 411 0 R
/Next 419 0 R
>> endobj
411 0 obj <<
/Title 412 0 R
/A 409 0 R
-/Parent 351 0 R
+/Parent 395 0 R
/Prev 407 0 R
/Next 415 0 R
>> endobj
407 0 obj <<
/Title 408 0 R
/A 405 0 R
-/Parent 351 0 R
+/Parent 395 0 R
/Prev 403 0 R
/Next 411 0 R
>> endobj
403 0 obj <<
/Title 404 0 R
/A 401 0 R
-/Parent 351 0 R
+/Parent 395 0 R
/Prev 399 0 R
/Next 407 0 R
>> endobj
399 0 obj <<
/Title 400 0 R
/A 397 0 R
-/Parent 351 0 R
-/Prev 395 0 R
+/Parent 395 0 R
/Next 403 0 R
>> endobj
395 0 obj <<
/Title 396 0 R
/A 393 0 R
-/Parent 351 0 R
-/Prev 391 0 R
-/Next 399 0 R
+/Parent 363 0 R
+/Prev 367 0 R
+/Next 619 0 R
+/First 399 0 R
+/Last 599 0 R
+/Count -28
>> endobj
391 0 obj <<
/Title 392 0 R
/A 389 0 R
-/Parent 351 0 R
+/Parent 383 0 R
/Prev 387 0 R
-/Next 395 0 R
>> endobj
387 0 obj <<
/Title 388 0 R
/A 385 0 R
-/Parent 351 0 R
-/Prev 383 0 R
+/Parent 383 0 R
/Next 391 0 R
>> endobj
383 0 obj <<
/Title 384 0 R
/A 381 0 R
-/Parent 351 0 R
-/Prev 379 0 R
-/Next 387 0 R
+/Parent 367 0 R
+/Prev 371 0 R
+/First 387 0 R
+/Last 391 0 R
+/Count -2
>> endobj
379 0 obj <<
/Title 380 0 R
/A 377 0 R
-/Parent 351 0 R
+/Parent 371 0 R
/Prev 375 0 R
-/Next 383 0 R
>> endobj
375 0 obj <<
/Title 376 0 R
/A 373 0 R
-/Parent 351 0 R
-/Prev 371 0 R
+/Parent 371 0 R
/Next 379 0 R
>> endobj
371 0 obj <<
/Title 372 0 R
/A 369 0 R
-/Parent 351 0 R
-/Prev 367 0 R
-/Next 375 0 R
+/Parent 367 0 R
+/Next 383 0 R
+/First 375 0 R
+/Last 379 0 R
+/Count -2
>> endobj
367 0 obj <<
/Title 368 0 R
/A 365 0 R
-/Parent 351 0 R
-/Prev 363 0 R
-/Next 371 0 R
+/Parent 363 0 R
+/Next 395 0 R
+/First 371 0 R
+/Last 383 0 R
+/Count -2
>> endobj
363 0 obj <<
/Title 364 0 R
/A 361 0 R
-/Parent 351 0 R
-/Prev 359 0 R
-/Next 367 0 R
+/Parent 2754 0 R
+/Prev 351 0 R
+/Next 707 0 R
+/First 367 0 R
+/Last 675 0 R
+/Count -4
>> endobj
359 0 obj <<
/Title 360 0 R
/A 357 0 R
/Parent 351 0 R
/Prev 355 0 R
-/Next 363 0 R
>> endobj
355 0 obj <<
/Title 356 0 R
@@ -12594,132 +15723,133 @@ endobj
351 0 obj <<
/Title 352 0 R
/A 349 0 R
-/Parent 275 0 R
-/Prev 347 0 R
-/Next 427 0 R
+/Parent 2754 0 R
+/Prev 131 0 R
+/Next 363 0 R
/First 355 0 R
-/Last 423 0 R
-/Count -18
+/Last 359 0 R
+/Count -2
>> endobj
347 0 obj <<
/Title 348 0 R
/A 345 0 R
-/Parent 275 0 R
+/Parent 339 0 R
/Prev 343 0 R
-/Next 351 0 R
>> endobj
343 0 obj <<
/Title 344 0 R
/A 341 0 R
-/Parent 275 0 R
-/Prev 339 0 R
+/Parent 339 0 R
/Next 347 0 R
>> endobj
339 0 obj <<
/Title 340 0 R
/A 337 0 R
-/Parent 275 0 R
-/Prev 335 0 R
-/Next 343 0 R
+/Parent 131 0 R
+/Prev 287 0 R
+/First 343 0 R
+/Last 347 0 R
+/Count -2
>> endobj
335 0 obj <<
/Title 336 0 R
/A 333 0 R
-/Parent 275 0 R
+/Parent 287 0 R
/Prev 331 0 R
-/Next 339 0 R
>> endobj
331 0 obj <<
/Title 332 0 R
/A 329 0 R
-/Parent 275 0 R
-/Prev 315 0 R
+/Parent 287 0 R
+/Prev 327 0 R
/Next 335 0 R
>> endobj
327 0 obj <<
/Title 328 0 R
/A 325 0 R
-/Parent 315 0 R
+/Parent 287 0 R
/Prev 323 0 R
+/Next 331 0 R
>> endobj
323 0 obj <<
/Title 324 0 R
/A 321 0 R
-/Parent 315 0 R
-/Prev 319 0 R
+/Parent 287 0 R
+/Prev 307 0 R
/Next 327 0 R
>> endobj
319 0 obj <<
/Title 320 0 R
/A 317 0 R
-/Parent 315 0 R
-/Next 323 0 R
+/Parent 307 0 R
+/Prev 315 0 R
>> endobj
315 0 obj <<
/Title 316 0 R
/A 313 0 R
-/Parent 275 0 R
+/Parent 307 0 R
/Prev 311 0 R
-/Next 331 0 R
-/First 319 0 R
-/Last 327 0 R
-/Count -3
+/Next 319 0 R
>> endobj
311 0 obj <<
/Title 312 0 R
/A 309 0 R
-/Parent 275 0 R
-/Prev 307 0 R
+/Parent 307 0 R
/Next 315 0 R
>> endobj
307 0 obj <<
/Title 308 0 R
/A 305 0 R
-/Parent 275 0 R
-/Prev 303 0 R
-/Next 311 0 R
+/Parent 287 0 R
+/Prev 291 0 R
+/Next 323 0 R
+/First 311 0 R
+/Last 319 0 R
+/Count -3
>> endobj
303 0 obj <<
/Title 304 0 R
/A 301 0 R
-/Parent 275 0 R
+/Parent 291 0 R
/Prev 299 0 R
-/Next 307 0 R
>> endobj
299 0 obj <<
/Title 300 0 R
/A 297 0 R
-/Parent 275 0 R
+/Parent 291 0 R
/Prev 295 0 R
/Next 303 0 R
>> endobj
295 0 obj <<
/Title 296 0 R
/A 293 0 R
-/Parent 275 0 R
-/Prev 291 0 R
+/Parent 291 0 R
/Next 299 0 R
>> endobj
291 0 obj <<
/Title 292 0 R
/A 289 0 R
-/Parent 275 0 R
-/Prev 287 0 R
-/Next 295 0 R
+/Parent 287 0 R
+/Next 307 0 R
+/First 295 0 R
+/Last 303 0 R
+/Count -3
>> endobj
287 0 obj <<
/Title 288 0 R
/A 285 0 R
-/Parent 275 0 R
-/Prev 283 0 R
-/Next 291 0 R
+/Parent 131 0 R
+/Prev 275 0 R
+/Next 339 0 R
+/First 291 0 R
+/Last 335 0 R
+/Count -6
>> endobj
283 0 obj <<
/Title 284 0 R
/A 281 0 R
/Parent 275 0 R
/Prev 279 0 R
-/Next 287 0 R
>> endobj
279 0 obj <<
/Title 280 0 R
@@ -12730,101 +15860,95 @@ endobj
275 0 obj <<
/Title 276 0 R
/A 273 0 R
-/Parent 243 0 R
-/Prev 247 0 R
-/Next 483 0 R
+/Parent 131 0 R
+/Prev 219 0 R
+/Next 287 0 R
/First 279 0 R
-/Last 463 0 R
-/Count -26
+/Last 283 0 R
+/Count -2
>> endobj
271 0 obj <<
/Title 272 0 R
/A 269 0 R
-/Parent 263 0 R
+/Parent 219 0 R
/Prev 267 0 R
>> endobj
267 0 obj <<
/Title 268 0 R
/A 265 0 R
-/Parent 263 0 R
+/Parent 219 0 R
+/Prev 263 0 R
/Next 271 0 R
>> endobj
263 0 obj <<
/Title 264 0 R
/A 261 0 R
-/Parent 247 0 R
-/Prev 251 0 R
-/First 267 0 R
-/Last 271 0 R
-/Count -2
+/Parent 219 0 R
+/Prev 259 0 R
+/Next 267 0 R
>> endobj
259 0 obj <<
/Title 260 0 R
/A 257 0 R
-/Parent 251 0 R
+/Parent 219 0 R
/Prev 255 0 R
+/Next 263 0 R
>> endobj
255 0 obj <<
/Title 256 0 R
/A 253 0 R
-/Parent 251 0 R
+/Parent 219 0 R
+/Prev 251 0 R
/Next 259 0 R
>> endobj
251 0 obj <<
/Title 252 0 R
/A 249 0 R
-/Parent 247 0 R
-/Next 263 0 R
-/First 255 0 R
-/Last 259 0 R
-/Count -2
+/Parent 219 0 R
+/Prev 247 0 R
+/Next 255 0 R
>> endobj
247 0 obj <<
/Title 248 0 R
/A 245 0 R
-/Parent 243 0 R
-/Next 275 0 R
-/First 251 0 R
-/Last 263 0 R
-/Count -2
+/Parent 219 0 R
+/Prev 243 0 R
+/Next 251 0 R
>> endobj
243 0 obj <<
/Title 244 0 R
/A 241 0 R
-/Parent 2172 0 R
-/Prev 231 0 R
-/Next 571 0 R
-/First 247 0 R
-/Last 539 0 R
-/Count -4
+/Parent 219 0 R
+/Prev 239 0 R
+/Next 247 0 R
>> endobj
239 0 obj <<
/Title 240 0 R
/A 237 0 R
-/Parent 231 0 R
+/Parent 219 0 R
/Prev 235 0 R
+/Next 243 0 R
>> endobj
235 0 obj <<
/Title 236 0 R
/A 233 0 R
-/Parent 231 0 R
+/Parent 219 0 R
+/Prev 231 0 R
/Next 239 0 R
>> endobj
231 0 obj <<
/Title 232 0 R
/A 229 0 R
-/Parent 2172 0 R
-/Prev 131 0 R
-/Next 243 0 R
-/First 235 0 R
-/Last 239 0 R
-/Count -2
+/Parent 219 0 R
+/Prev 227 0 R
+/Next 235 0 R
>> endobj
227 0 obj <<
/Title 228 0 R
/A 225 0 R
/Parent 219 0 R
/Prev 223 0 R
+/Next 231 0 R
>> endobj
223 0 obj <<
/Title 224 0 R
@@ -12837,9 +15961,10 @@ endobj
/A 217 0 R
/Parent 131 0 R
/Prev 203 0 R
+/Next 275 0 R
/First 223 0 R
-/Last 227 0 R
-/Count -2
+/Last 271 0 R
+/Count -13
>> endobj
215 0 obj <<
/Title 216 0 R
@@ -12995,12 +16120,12 @@ endobj
131 0 obj <<
/Title 132 0 R
/A 129 0 R
-/Parent 2172 0 R
+/Parent 2754 0 R
/Prev 91 0 R
-/Next 231 0 R
+/Next 351 0 R
/First 135 0 R
-/Last 219 0 R
-/Count -9
+/Last 339 0 R
+/Count -12
>> endobj
127 0 obj <<
/Title 128 0 R
@@ -13069,7 +16194,7 @@ endobj
91 0 obj <<
/Title 92 0 R
/A 89 0 R
-/Parent 2172 0 R
+/Parent 2754 0 R
/Prev 67 0 R
/Next 131 0 R
/First 95 0 R
@@ -13112,7 +16237,7 @@ endobj
67 0 obj <<
/Title 68 0 R
/A 65 0 R
-/Parent 2172 0 R
+/Parent 2754 0 R
/Prev 7 0 R
/Next 91 0 R
/First 71 0 R
@@ -13221,2222 +16346,2804 @@ endobj
7 0 obj <<
/Title 8 0 R
/A 5 0 R
-/Parent 2172 0 R
+/Parent 2754 0 R
/Next 67 0 R
/First 11 0 R
/Last 23 0 R
/Count -4
>> endobj
-2173 0 obj <<
-/Names [(Access_Control_Lists) 1643 0 R (Bv9ARM.ch01) 945 0 R (Bv9ARM.ch02) 990 0 R (Bv9ARM.ch03) 1007 0 R (Bv9ARM.ch04) 1056 0 R (Bv9ARM.ch05) 1155 0 R (Bv9ARM.ch06) 1167 0 R (Bv9ARM.ch07) 1642 0 R (Bv9ARM.ch08) 1668 0 R (Bv9ARM.ch09) 1683 0 R (Bv9ARM.ch10) 1904 0 R (Configuration_File_Grammar) 1191 0 R (DNSSEC) 1123 0 R (Doc-Start) 711 0 R (Setting_TTLs) 1564 0 R (acache) 997 0 R (access_control) 1320 0 R (acl) 1199 0 R (address_match_lists) 1172 0 R (admin_tools) 1030 0 R (appendix.A) 614 0 R (appendix.B) 650 0 R (bibliography) 1692 0 R (boolean_options) 1072 0 R (builtin) 1404 0 R (chapter*.1) 745 0 R (chapter.1) 6 0 R (chapter.2) 66 0 R (chapter.3) 90 0 R (chapter.4) 130 0 R (chapter.5) 230 0 R (chapter.6) 242 0 R (chapter.7) 570 0 R (chapter.8) 594 0 R (cite.RFC1033) 1819 0 R (cite.RFC1034) 1704 0 R (cite.RFC1035) 1706 0 R (cite.RFC1101) 1801 0 R (cite.RFC1123) 1803 0 R (cite.RFC1183) 1763 0 R (cite.RFC1464) 1841 0 R (cite.RFC1535) 1749 0 R (cite.RFC1536) 1751 0 R (cite.RFC1537) 1821 0 R (cite.RFC1591) 1805 0 R (cite.RFC1706) 1765 0 R (cite.RFC1712) 1861 0 R (cite.RFC1713) 1843 0 R (cite.RFC1794) 1845 0 R (cite.RFC1876) 1767 0 R (cite.RFC1912) 1823 0 R (cite.RFC1982) 1753 0 R (cite.RFC1995) 1711 0 R (cite.RFC1996) 1713 0 R (cite.RFC2010) 1825 0 R (cite.RFC2052) 1769 0 R (cite.RFC2065) 1873 0 R (cite.RFC2136) 1715 0 R (cite.RFC2137) 1875 0 R (cite.RFC2163) 1771 0 R (cite.RFC2168) 1773 0 R (cite.RFC2181) 1717 0 R (cite.RFC2219) 1827 0 R (cite.RFC2230) 1775 0 R (cite.RFC2240) 1847 0 R (cite.RFC2308) 1719 0 R (cite.RFC2317) 1807 0 R (cite.RFC2345) 1849 0 R (cite.RFC2352) 1851 0 R (cite.RFC2535) 1877 0 R (cite.RFC2536) 1777 0 R (cite.RFC2537) 1779 0 R (cite.RFC2538) 1781 0 R (cite.RFC2539) 1783 0 R (cite.RFC2540) 1785 0 R (cite.RFC2671) 1721 0 R (cite.RFC2672) 1723 0 R (cite.RFC2673) 1863 0 R (cite.RFC2782) 1787 0 R (cite.RFC2825) 1831 0 R (cite.RFC2826) 1809 0 R (cite.RFC2845) 1725 0 R (cite.RFC2874) 1865 0 R (cite.RFC2915) 1789 0 R (cite.RFC2929) 1811 0 R 
(cite.RFC2930) 1727 0 R (cite.RFC2931) 1729 0 R (cite.RFC3007) 1731 0 R (cite.RFC3008) 1879 0 R (cite.RFC3071) 1853 0 R (cite.RFC3090) 1881 0 R (cite.RFC3110) 1791 0 R (cite.RFC3123) 1793 0 R (cite.RFC3225) 1737 0 R (cite.RFC3258) 1855 0 R (cite.RFC3445) 1883 0 R (cite.RFC3490) 1833 0 R (cite.RFC3491) 1835 0 R (cite.RFC3492) 1837 0 R (cite.RFC3596) 1795 0 R (cite.RFC3597) 1797 0 R (cite.RFC3645) 1733 0 R (cite.RFC3655) 1885 0 R (cite.RFC3658) 1887 0 R (cite.RFC3755) 1889 0 R (cite.RFC3757) 1891 0 R (cite.RFC3833) 1739 0 R (cite.RFC3845) 1893 0 R (cite.RFC3901) 1857 0 R (cite.RFC4033) 1741 0 R (cite.RFC4034) 1743 0 R (cite.RFC4035) 1745 0 R (cite.RFC4074) 1755 0 R (cite.RFC974) 1708 0 R (cite.id2506267) 1898 0 R (clients-per-query) 1608 0 R (configuration_file_elements) 1168 0 R (controls_statement_definition_and_usage) 1043 0 R (diagnostic_tools) 978 0 R (dynamic_update) 1066 0 R (dynamic_update_policies) 1117 0 R (dynamic_update_security) 1330 0 R (empty) 1406 0 R (historical_dns_information) 1685 0 R (id2466566) 946 0 R (id2466589) 947 0 R (id2467273) 1081 0 R (id2467291) 1087 0 R (id2467480) 948 0 R (id2467490) 949 0 R (id2467730) 960 0 R (id2467751) 961 0 R (id2467785) 962 0 R (id2467869) 965 0 R (id2467962) 958 0 R (id2470267) 972 0 R (id2470291) 975 0 R (id2470389) 976 0 R (id2470410) 977 0 R (id2470508) 983 0 R (id2470544) 984 0 R (id2470570) 985 0 R (id2470604) 991 0 R (id2470631) 992 0 R (id2470712) 993 0 R (id2470738) 996 0 R (id2470748) 1002 0 R (id2470780) 1009 0 R (id2470796) 1010 0 R (id2470819) 1016 0 R (id2470836) 1017 0 R (id2471173) 1020 0 R (id2471178) 1021 0 R (id2473061) 1048 0 R (id2473073) 1049 0 R (id2474212) 1098 0 R (id2474229) 1103 0 R (id2474336) 1104 0 R (id2474354) 1105 0 R (id2474364) 1106 0 R (id2474401) 1107 0 R (id2474458) 1112 0 R (id2474506) 1114 0 R (id2474520) 1115 0 R (id2474569) 1122 0 R (id2474706) 1124 0 R (id2474785) 1129 0 R (id2474934) 1130 0 R (id2475240) 1138 0 R (id2475302) 1144 0 R (id2475323) 1145 0 R (id2475425) 
1156 0 R (id2475640) 1169 0 R (id2476434) 1177 0 R (id2476530) 1182 0 R (id2476736) 1183 0 R (id2476750) 1184 0 R (id2476780) 1190 0 R (id2477060) 1192 0 R (id2477434) 1198 0 R (id2477545) 1200 0 R (id2477692) 1202 0 R (id2478053) 1210 0 R (id2478070) 1211 0 R (id2478162) 1217 0 R (id2478185) 1218 0 R (id2478276) 1222 0 R (id2478402) 1223 0 R (id2478454) 1228 0 R (id2479216) 1239 0 R (id2479881) 1250 0 R (id2479941) 1251 0 R (id2480326) 1253 0 R (id2480400) 1258 0 R (id2480464) 1261 0 R (id2480576) 1262 0 R (id2480590) 1263 0 R (id2483009) 1292 0 R (id2484780) 1317 0 R (id2484976) 1319 0 R (id2485481) 1335 0 R (id2486691) 1353 0 R (id2486750) 1355 0 R (id2487241) 1368 0 R (id2487812) 1382 0 R (id2489969) 1428 0 R (id2490192) 1433 0 R (id2490243) 1434 0 R (id2490325) 1436 0 R (id2491798) 1454 0 R (id2491805) 1455 0 R (id2491811) 1456 0 R (id2492233) 1463 0 R (id2492266) 1469 0 R (id2493981) 1523 0 R (id2494482) 1529 0 R (id2494500) 1530 0 R (id2494520) 1533 0 R (id2494757) 1539 0 R (id2495927) 1545 0 R (id2496055) 1552 0 R (id2496076) 1553 0 R (id2496439) 1555 0 R (id2496576) 1561 0 R (id2496594) 1562 0 R (id2496998) 1565 0 R (id2497191) 1567 0 R (id2497274) 1572 0 R (id2497386) 1574 0 R (id2497409) 1575 0 R (id2497425) 1576 0 R (id2497622) 1577 0 R (id2497691) 1582 0 R (id2497728) 1583 0 R (id2497858) 1584 0 R (id2498357) 1591 0 R (id2498656) 1599 0 R (id2498661) 1600 0 R (id2500197) 1613 0 R (id2500203) 1614 0 R (id2500648) 1616 0 R (id2500653) 1617 0 R (id2501667) 1623 0 R (id2501699) 1624 0 R (id2502040) 1629 0 R (id2502350) 1653 0 R (id2502500) 1654 0 R (id2502560) 1655 0 R (id2502708) 1669 0 R (id2502713) 1670 0 R (id2502861) 1671 0 R (id2502878) 1672 0 R (id2502940) 1684 0 R (id2503044) 1691 0 R (id2503300) 1696 0 R (id2503302) 1702 0 R (id2503310) 1707 0 R (id2503334) 1703 0 R (id2503357) 1705 0 R (id2503394) 1716 0 R (id2503420) 1718 0 R (id2503446) 1710 0 R (id2503470) 1712 0 R (id2503494) 1714 0 R (id2503549) 1720 0 R (id2503576) 1722 0 R (id2503603) 1724 
0 R (id2503665) 1726 0 R (id2503694) 1728 0 R (id2503724) 1730 0 R (id2503751) 1732 0 R (id2503826) 1735 0 R (id2503833) 1736 0 R (id2503860) 1738 0 R (id2503896) 1740 0 R (id2503961) 1742 0 R (id2504026) 1744 0 R (id2504091) 1747 0 R (id2504100) 1748 0 R (id2504125) 1750 0 R (id2504194) 1752 0 R (id2504229) 1754 0 R (id2504269) 1761 0 R (id2504275) 1762 0 R (id2504332) 1764 0 R (id2504370) 1772 0 R (id2504405) 1766 0 R (id2504459) 1768 0 R (id2504498) 1770 0 R (id2504523) 1774 0 R (id2504549) 1776 0 R (id2504576) 1778 0 R (id2504602) 1780 0 R (id2504710) 1782 0 R (id2504740) 1784 0 R (id2504770) 1786 0 R (id2504812) 1788 0 R (id2504845) 1790 0 R (id2504872) 1792 0 R (id2504896) 1794 0 R (id2504953) 1796 0 R (id2504978) 1799 0 R (id2504985) 1800 0 R (id2505011) 1802 0 R (id2505033) 1804 0 R (id2505057) 1806 0 R (id2505102) 1808 0 R (id2505126) 1810 0 R (id2505176) 1817 0 R (id2505184) 1818 0 R (id2505207) 1820 0 R (id2505234) 1822 0 R (id2505260) 1824 0 R (id2505297) 1826 0 R (id2505337) 1829 0 R (id2505342) 1830 0 R (id2505374) 1832 0 R (id2505420) 1834 0 R (id2505456) 1836 0 R (id2505482) 1839 0 R (id2505500) 1840 0 R (id2505523) 1842 0 R (id2505548) 1844 0 R (id2505574) 1846 0 R (id2505597) 1848 0 R (id2505643) 1850 0 R (id2505667) 1852 0 R (id2505693) 1854 0 R (id2505719) 1856 0 R (id2505756) 1859 0 R (id2505763) 1860 0 R (id2505820) 1862 0 R (id2505847) 1864 0 R (id2505883) 1871 0 R (id2505895) 1872 0 R (id2505934) 1874 0 R (id2505961) 1876 0 R (id2505991) 1878 0 R (id2506017) 1880 0 R (id2506043) 1882 0 R (id2506080) 1884 0 R (id2506116) 1886 0 R (id2506142) 1888 0 R (id2506169) 1890 0 R (id2506214) 1892 0 R (id2506256) 1895 0 R (id2506265) 1897 0 R (id2506267) 1899 0 R (incremental_zone_transfers) 1078 0 R (internet_drafts) 1894 0 R (ipv6addresses) 1146 0 R (journal) 1067 0 R (lwresd) 1157 0 R (man.dig) 1905 0 R (man.dnssec-dsfromkey) 1954 0 R (man.dnssec-keyfromlabel) 1968 0 R (man.dnssec-keygen) 1984 0 R (man.dnssec-signzone) 2001 0 R (man.host) 1938 0 R 
(man.named) 2056 0 R (man.named-checkconf) 2027 0 R (man.named-checkzone) 2039 0 R (man.nsupdate) 2078 0 R (man.rndc) 2104 0 R (man.rndc-confgen) 2132 0 R (man.rndc.conf) 2116 0 R (notify) 1057 0 R (options) 1276 0 R (page.1) 710 0 R (page.10) 1034 0 R (page.100) 1759 0 R (page.101) 1815 0 R (page.102) 1869 0 R (page.103) 1903 0 R (page.104) 1913 0 R (page.105) 1919 0 R (page.106) 1924 0 R (page.107) 1928 0 R (page.108) 1933 0 R (page.109) 1944 0 R (page.11) 1041 0 R (page.110) 1950 0 R (page.111) 1962 0 R (page.112) 1973 0 R (page.113) 1980 0 R (page.114) 1992 0 R (page.115) 1996 0 R (page.116) 2008 0 R (page.117) 2014 0 R (page.118) 2018 0 R (page.119) 2024 0 R (page.12) 1047 0 R (page.120) 2037 0 R (page.121) 2047 0 R (page.122) 2052 0 R (page.123) 2064 0 R (page.124) 2068 0 R (page.125) 2074 0 R (page.126) 2085 0 R (page.127) 2090 0 R (page.128) 2095 0 R (page.129) 2102 0 R (page.13) 1055 0 R (page.130) 2112 0 R (page.131) 2123 0 R (page.132) 2128 0 R (page.133) 2139 0 R (page.134) 2146 0 R (page.14) 1077 0 R (page.15) 1086 0 R (page.16) 1092 0 R (page.17) 1096 0 R (page.18) 1102 0 R (page.19) 1111 0 R (page.2) 734 0 R (page.20) 1121 0 R (page.21) 1128 0 R (page.22) 1134 0 R (page.23) 1142 0 R (page.24) 1150 0 R (page.25) 1154 0 R (page.26) 1162 0 R (page.27) 1166 0 R (page.28) 1176 0 R (page.29) 1181 0 R (page.3) 971 0 R (page.30) 1189 0 R (page.31) 1197 0 R (page.32) 1207 0 R (page.33) 1216 0 R (page.34) 1227 0 R (page.35) 1232 0 R (page.36) 1238 0 R (page.37) 1244 0 R (page.38) 1249 0 R (page.39) 1257 0 R (page.4) 982 0 R (page.40) 1267 0 R (page.41) 1271 0 R (page.42) 1275 0 R (page.43) 1280 0 R (page.44) 1287 0 R (page.45) 1291 0 R (page.46) 1297 0 R (page.47) 1308 0 R (page.48) 1312 0 R (page.49) 1316 0 R (page.5) 989 0 R (page.50) 1327 0 R (page.51) 1334 0 R (page.52) 1339 0 R (page.53) 1344 0 R (page.54) 1348 0 R (page.55) 1352 0 R (page.56) 1360 0 R (page.57) 1367 0 R (page.58) 1373 0 R (page.59) 1380 0 R (page.6) 1001 0 R (page.60) 1387 0 R (page.61) 
1393 0 R (page.62) 1403 0 R (page.63) 1411 0 R (page.64) 1415 0 R (page.65) 1419 0 R (page.66) 1424 0 R (page.67) 1432 0 R (page.68) 1441 0 R (page.69) 1445 0 R (page.7) 1006 0 R (page.70) 1449 0 R (page.71) 1453 0 R (page.72) 1461 0 R (page.73) 1468 0 R (page.74) 1488 0 R (page.75) 1502 0 R (page.76) 1522 0 R (page.77) 1528 0 R (page.78) 1538 0 R (page.79) 1544 0 R (page.8) 1015 0 R (page.80) 1551 0 R (page.81) 1560 0 R (page.82) 1571 0 R (page.83) 1581 0 R (page.84) 1589 0 R (page.85) 1596 0 R (page.86) 1606 0 R (page.87) 1612 0 R (page.88) 1622 0 R (page.89) 1633 0 R (page.9) 1026 0 R (page.90) 1637 0 R (page.91) 1641 0 R (page.92) 1648 0 R (page.93) 1659 0 R (page.94) 1663 0 R (page.95) 1667 0 R (page.96) 1678 0 R (page.97) 1682 0 R (page.98) 1690 0 R (page.99) 1700 0 R (page.i) 744 0 R (page.ii) 799 0 R (page.iii) 863 0 R (page.iv) 925 0 R (proposed_standards) 1082 0 R (query_address) 1340 0 R (rfcs) 967 0 R (rndc) 1212 0 R (root_delegation_only) 1464 0 R (rrset_ordering) 1022 0 R (sample_configuration) 1008 0 R (section*.10) 1828 0 R (section*.100) 2114 0 R (section*.101) 2115 0 R (section*.102) 2117 0 R (section*.103) 2118 0 R (section*.104) 2119 0 R (section*.105) 2124 0 R (section*.106) 2129 0 R (section*.107) 2130 0 R (section*.108) 2131 0 R (section*.109) 2133 0 R (section*.11) 1838 0 R (section*.110) 2134 0 R (section*.111) 2135 0 R (section*.112) 2140 0 R (section*.113) 2141 0 R (section*.114) 2147 0 R (section*.115) 2148 0 R (section*.12) 1858 0 R (section*.13) 1870 0 R (section*.14) 1896 0 R (section*.15) 1906 0 R (section*.16) 1907 0 R (section*.17) 1908 0 R (section*.18) 1914 0 R (section*.19) 1915 0 R (section*.2) 1695 0 R (section*.20) 1920 0 R (section*.21) 1929 0 R (section*.22) 1934 0 R (section*.23) 1935 0 R (section*.24) 1936 0 R (section*.25) 1937 0 R (section*.26) 1939 0 R (section*.27) 1940 0 R (section*.28) 1945 0 R (section*.29) 1951 0 R (section*.3) 1701 0 R (section*.30) 1952 0 R (section*.31) 1953 0 R (section*.32) 1955 0 R 
(section*.33) 1956 0 R (section*.34) 1957 0 R (section*.35) 1958 0 R (section*.36) 1963 0 R (section*.37) 1964 0 R (section*.38) 1965 0 R (section*.39) 1966 0 R (section*.4) 1709 0 R (section*.40) 1967 0 R (section*.41) 1969 0 R (section*.42) 1974 0 R (section*.43) 1975 0 R (section*.44) 1976 0 R (section*.45) 1981 0 R (section*.46) 1982 0 R (section*.47) 1983 0 R (section*.48) 1985 0 R (section*.49) 1986 0 R (section*.5) 1734 0 R (section*.50) 1987 0 R (section*.51) 1988 0 R (section*.52) 1997 0 R (section*.53) 1998 0 R (section*.54) 1999 0 R (section*.55) 2000 0 R (section*.56) 2002 0 R (section*.57) 2003 0 R (section*.58) 2009 0 R (section*.59) 2010 0 R (section*.6) 1746 0 R (section*.60) 2019 0 R (section*.61) 2020 0 R (section*.62) 2025 0 R (section*.63) 2026 0 R (section*.64) 2028 0 R (section*.65) 2029 0 R (section*.66) 2030 0 R (section*.67) 2031 0 R (section*.68) 2032 0 R (section*.69) 2033 0 R (section*.7) 1760 0 R (section*.70) 2038 0 R (section*.71) 2040 0 R (section*.72) 2041 0 R (section*.73) 2042 0 R (section*.74) 2043 0 R (section*.75) 2053 0 R (section*.76) 2054 0 R (section*.77) 2055 0 R (section*.78) 2057 0 R (section*.79) 2058 0 R (section*.8) 1798 0 R (section*.80) 2059 0 R (section*.81) 2060 0 R (section*.82) 2069 0 R (section*.83) 2070 0 R (section*.84) 2075 0 R (section*.85) 2076 0 R (section*.86) 2077 0 R (section*.87) 2079 0 R (section*.88) 2080 0 R (section*.89) 2081 0 R (section*.9) 1816 0 R (section*.90) 2086 0 R (section*.91) 2096 0 R (section*.92) 2097 0 R (section*.93) 2098 0 R (section*.94) 2103 0 R (section*.95) 2105 0 R (section*.96) 2106 0 R (section*.97) 2107 0 R (section*.98) 2108 0 R (section*.99) 2113 0 R (section.1.1) 10 0 R (section.1.2) 14 0 R (section.1.3) 18 0 R (section.1.4) 22 0 R (section.2.1) 70 0 R (section.2.2) 74 0 R (section.2.3) 78 0 R (section.2.4) 82 0 R (section.2.5) 86 0 R (section.3.1) 94 0 R (section.3.2) 106 0 R (section.3.3) 110 0 R (section.4.1) 134 0 R (section.4.2) 138 0 R (section.4.3) 146 0 R 
(section.4.4) 150 0 R (section.4.5) 158 0 R (section.4.6) 194 0 R (section.4.7) 198 0 R (section.4.8) 202 0 R (section.4.9) 218 0 R (section.5.1) 234 0 R (section.5.2) 238 0 R (section.6.1) 246 0 R (section.6.2) 274 0 R (section.6.3) 482 0 R (section.6.4) 538 0 R (section.7.1) 574 0 R (section.7.2) 578 0 R (section.7.3) 590 0 R (section.8.1) 598 0 R (section.8.2) 606 0 R (section.8.3) 610 0 R (section.A.1) 618 0 R (section.A.2) 626 0 R (section.A.3) 634 0 R (section.B.1) 654 0 R (section.B.10) 690 0 R (section.B.11) 694 0 R (section.B.12) 698 0 R (section.B.13) 702 0 R (section.B.2) 658 0 R (section.B.3) 662 0 R (section.B.4) 666 0 R (section.B.5) 670 0 R (section.B.6) 674 0 R (section.B.7) 678 0 R (section.B.8) 682 0 R (section.B.9) 686 0 R (server_resource_limits) 1362 0 R (server_statement_definition_and_usage) 1304 0 R (server_statement_grammar) 1420 0 R (statistics) 1590 0 R (statistics_counters) 1598 0 R (statschannels) 1427 0 R (statsfile) 1283 0 R (subsection.1.4.1) 26 0 R (subsection.1.4.2) 30 0 R (subsection.1.4.3) 34 0 R (subsection.1.4.4) 38 0 R (subsection.1.4.5) 54 0 R (subsection.1.4.6) 62 0 R (subsection.3.1.1) 98 0 R (subsection.3.1.2) 102 0 R (subsection.3.3.1) 114 0 R (subsection.3.3.2) 126 0 R (subsection.4.2.1) 142 0 R (subsection.4.4.1) 154 0 R (subsection.4.5.1) 162 0 R (subsection.4.5.2) 174 0 R (subsection.4.5.3) 178 0 R (subsection.4.5.4) 182 0 R (subsection.4.5.5) 186 0 R (subsection.4.5.6) 190 0 R (subsection.4.8.1) 206 0 R (subsection.4.8.2) 210 0 R (subsection.4.8.3) 214 0 R (subsection.4.9.1) 222 0 R (subsection.4.9.2) 226 0 R (subsection.6.1.1) 250 0 R (subsection.6.1.2) 262 0 R (subsection.6.2.1) 278 0 R (subsection.6.2.10) 314 0 R (subsection.6.2.11) 330 0 R (subsection.6.2.12) 334 0 R (subsection.6.2.13) 338 0 R (subsection.6.2.14) 342 0 R (subsection.6.2.15) 346 0 R (subsection.6.2.16) 350 0 R (subsection.6.2.17) 426 0 R (subsection.6.2.18) 430 0 R (subsection.6.2.19) 434 0 R (subsection.6.2.2) 282 0 R (subsection.6.2.20) 438 0 R 
(subsection.6.2.21) 442 0 R (subsection.6.2.22) 446 0 R (subsection.6.2.23) 450 0 R (subsection.6.2.24) 454 0 R (subsection.6.2.25) 458 0 R (subsection.6.2.26) 462 0 R (subsection.6.2.3) 286 0 R (subsection.6.2.4) 290 0 R (subsection.6.2.5) 294 0 R (subsection.6.2.6) 298 0 R (subsection.6.2.7) 302 0 R (subsection.6.2.8) 306 0 R (subsection.6.2.9) 310 0 R (subsection.6.3.1) 486 0 R (subsection.6.3.2) 498 0 R (subsection.6.3.3) 502 0 R (subsection.6.3.4) 506 0 R (subsection.6.3.5) 510 0 R (subsection.6.3.6) 530 0 R (subsection.6.3.7) 534 0 R (subsection.6.4.1) 546 0 R (subsection.7.2.1) 582 0 R (subsection.7.2.2) 586 0 R (subsection.8.1.1) 602 0 R (subsection.A.1.1) 622 0 R (subsection.A.2.1) 630 0 R (subsection.A.3.1) 638 0 R (subsection.A.3.2) 642 0 R (subsection.A.3.3) 646 0 R (subsubsection.1.4.4.1) 42 0 R (subsubsection.1.4.4.2) 46 0 R (subsubsection.1.4.4.3) 50 0 R (subsubsection.1.4.5.1) 58 0 R (subsubsection.3.3.1.1) 118 0 R (subsubsection.3.3.1.2) 122 0 R (subsubsection.4.5.1.1) 166 0 R (subsubsection.4.5.1.2) 170 0 R (subsubsection.6.1.1.1) 254 0 R (subsubsection.6.1.1.2) 258 0 R (subsubsection.6.1.2.1) 266 0 R (subsubsection.6.1.2.2) 270 0 R (subsubsection.6.2.10.1) 318 0 R (subsubsection.6.2.10.2) 322 0 R (subsubsection.6.2.10.3) 326 0 R (subsubsection.6.2.16.1) 354 0 R (subsubsection.6.2.16.10) 390 0 R (subsubsection.6.2.16.11) 394 0 R (subsubsection.6.2.16.12) 398 0 R (subsubsection.6.2.16.13) 402 0 R (subsubsection.6.2.16.14) 406 0 R (subsubsection.6.2.16.15) 410 0 R (subsubsection.6.2.16.16) 414 0 R (subsubsection.6.2.16.17) 418 0 R (subsubsection.6.2.16.18) 422 0 R (subsubsection.6.2.16.2) 358 0 R (subsubsection.6.2.16.3) 362 0 R (subsubsection.6.2.16.4) 366 0 R (subsubsection.6.2.16.5) 370 0 R (subsubsection.6.2.16.6) 374 0 R (subsubsection.6.2.16.7) 378 0 R (subsubsection.6.2.16.8) 382 0 R (subsubsection.6.2.16.9) 386 0 R (subsubsection.6.2.26.1) 466 0 R (subsubsection.6.2.26.2) 470 0 R (subsubsection.6.2.26.3) 474 0 R (subsubsection.6.2.26.4) 478 
0 R (subsubsection.6.3.1.1) 490 0 R (subsubsection.6.3.1.2) 494 0 R (subsubsection.6.3.5.1) 514 0 R (subsubsection.6.3.5.2) 518 0 R (subsubsection.6.3.5.3) 522 0 R (subsubsection.6.3.5.4) 526 0 R (subsubsection.6.4.0.1) 542 0 R (subsubsection.6.4.1.1) 550 0 R (subsubsection.6.4.1.2) 554 0 R (subsubsection.6.4.1.3) 558 0 R (subsubsection.6.4.1.4) 562 0 R (subsubsection.6.4.1.5) 566 0 R (table.1.1) 950 0 R (table.1.2) 959 0 R (table.3.1) 1018 0 R (table.3.2) 1050 0 R (table.6.1) 1170 0 R (table.6.10) 1534 0 R (table.6.11) 1540 0 R (table.6.12) 1546 0 R (table.6.13) 1554 0 R (table.6.14) 1556 0 R (table.6.15) 1563 0 R (table.6.16) 1566 0 R (table.6.17) 1573 0 R (table.6.18) 1585 0 R (table.6.19) 1592 0 R (table.6.2) 1193 0 R (table.6.20) 1601 0 R (table.6.21) 1615 0 R (table.6.22) 1618 0 R (table.6.23) 1625 0 R (table.6.3) 1201 0 R (table.6.4) 1240 0 R (table.6.5) 1252 0 R (table.6.6) 1293 0 R (table.6.7) 1383 0 R (table.6.8) 1457 0 R (table.6.9) 1524 0 R (the_category_phrase) 1234 0 R (the_sortlist_statement) 1374 0 R (topology) 1369 0 R (tsig) 1097 0 R (tuning) 1388 0 R (types_of_resource_records_and_when_to_use_them) 966 0 R (view_statement_grammar) 1407 0 R (zone_statement_grammar) 1323 0 R (zone_transfers) 1073 0 R (zonefile_format) 1399 0 R]
+2755 0 obj <<
+/Names [(Access_Control_Lists) 2079 0 R (Bv9ARM.ch01) 1230 0 R (Bv9ARM.ch02) 1274 0 R (Bv9ARM.ch03) 1292 0 R (Bv9ARM.ch04) 1355 0 R (Bv9ARM.ch05) 1536 0 R (Bv9ARM.ch06) 1547 0 R (Bv9ARM.ch07) 2078 0 R (Bv9ARM.ch08) 2103 0 R (Bv9ARM.ch09) 2119 0 R (Bv9ARM.ch10) 2380 0 R (Configuration_File_Grammar) 1570 0 R (DNSSEC) 1421 0 R (Doc-Start) 935 0 R (Setting_TTLs) 1999 0 R (acache) 1281 0 R (access_control) 1721 0 R (acl) 1579 0 R (address_match_lists) 1552 0 R (admin_tools) 1314 0 R (appendix.A) 750 0 R (appendix.B) 842 0 R (bibliography) 2127 0 R (bind9.library) 2335 0 R (boolean_options) 1370 0 R (builtin) 1802 0 R (chapter*.1) 969 0 R (chapter.1) 6 0 R (chapter.2) 66 0 R (chapter.3) 90 0 R (chapter.4) 130 0 R (chapter.5) 350 0 R (chapter.6) 362 0 R (chapter.7) 706 0 R (chapter.8) 730 0 R (cite.RFC1033) 2254 0 R (cite.RFC1034) 2139 0 R (cite.RFC1035) 2141 0 R (cite.RFC1101) 2236 0 R (cite.RFC1123) 2238 0 R (cite.RFC1183) 2198 0 R (cite.RFC1464) 2276 0 R (cite.RFC1535) 2184 0 R (cite.RFC1536) 2186 0 R (cite.RFC1537) 2256 0 R (cite.RFC1591) 2240 0 R (cite.RFC1706) 2200 0 R (cite.RFC1712) 2296 0 R (cite.RFC1713) 2278 0 R (cite.RFC1794) 2280 0 R (cite.RFC1876) 2202 0 R (cite.RFC1912) 2258 0 R (cite.RFC1982) 2188 0 R (cite.RFC1995) 2146 0 R (cite.RFC1996) 2148 0 R (cite.RFC2010) 2260 0 R (cite.RFC2052) 2204 0 R (cite.RFC2065) 2308 0 R (cite.RFC2136) 2150 0 R (cite.RFC2137) 2310 0 R (cite.RFC2163) 2206 0 R (cite.RFC2168) 2208 0 R (cite.RFC2181) 2152 0 R (cite.RFC2219) 2262 0 R (cite.RFC2230) 2210 0 R (cite.RFC2240) 2282 0 R (cite.RFC2308) 2154 0 R (cite.RFC2317) 2242 0 R (cite.RFC2345) 2284 0 R (cite.RFC2352) 2286 0 R (cite.RFC2535) 2312 0 R (cite.RFC2536) 2212 0 R (cite.RFC2537) 2214 0 R (cite.RFC2538) 2216 0 R (cite.RFC2539) 2218 0 R (cite.RFC2540) 2220 0 R (cite.RFC2671) 2156 0 R (cite.RFC2672) 2158 0 R (cite.RFC2673) 2298 0 R (cite.RFC2782) 2222 0 R (cite.RFC2825) 2266 0 R (cite.RFC2826) 2244 0 R (cite.RFC2845) 2160 0 R (cite.RFC2874) 2300 0 R (cite.RFC2915) 2224 0 R 
(cite.RFC2929) 2246 0 R (cite.RFC2930) 2162 0 R (cite.RFC2931) 2164 0 R (cite.RFC3007) 2166 0 R (cite.RFC3008) 2314 0 R (cite.RFC3071) 2288 0 R (cite.RFC3090) 2316 0 R (cite.RFC3110) 2226 0 R (cite.RFC3123) 2228 0 R (cite.RFC3225) 2172 0 R (cite.RFC3258) 2290 0 R (cite.RFC3445) 2318 0 R (cite.RFC3490) 2268 0 R (cite.RFC3491) 2270 0 R (cite.RFC3492) 2272 0 R (cite.RFC3596) 2230 0 R (cite.RFC3597) 2232 0 R (cite.RFC3645) 2168 0 R (cite.RFC3655) 2320 0 R (cite.RFC3658) 2322 0 R (cite.RFC3755) 2324 0 R (cite.RFC3757) 2326 0 R (cite.RFC3833) 2174 0 R (cite.RFC3845) 2328 0 R (cite.RFC3901) 2292 0 R (cite.RFC4033) 2176 0 R (cite.RFC4034) 2178 0 R (cite.RFC4035) 2180 0 R (cite.RFC4074) 2190 0 R (cite.RFC974) 2143 0 R (cite.id2512276) 2333 0 R (clients-per-query) 2053 0 R (configuration_file_elements) 1548 0 R (controls_statement_definition_and_usage) 1338 0 R (diagnostic_tools) 1262 0 R (dnssec.dynamic.zones) 1441 0 R (dynamic_update) 1365 0 R (dynamic_update_policies) 1327 0 R (dynamic_update_security) 1732 0 R (empty) 1804 0 R (historical_dns_information) 2121 0 R (id2466567) 1231 0 R (id2466590) 1232 0 R (id2467233) 1405 0 R (id2467243) 1406 0 R (id2467280) 1411 0 R (id2467337) 1412 0 R (id2467481) 1233 0 R (id2467491) 1234 0 R (id2467731) 1244 0 R (id2467752) 1245 0 R (id2467786) 1246 0 R (id2467870) 1249 0 R (id2467963) 1242 0 R (id2470268) 1256 0 R (id2470292) 1259 0 R (id2470390) 1260 0 R (id2470411) 1261 0 R (id2470441) 1267 0 R (id2470476) 1268 0 R (id2470571) 1269 0 R (id2470605) 1275 0 R (id2470632) 1276 0 R (id2470713) 1277 0 R (id2470739) 1280 0 R (id2470749) 1286 0 R (id2470781) 1294 0 R (id2470797) 1295 0 R (id2470820) 1300 0 R (id2470837) 1301 0 R (id2471242) 1309 0 R (id2471248) 1310 0 R (id2473363) 1343 0 R (id2473374) 1344 0 R (id2473876) 1380 0 R (id2473894) 1386 0 R (id2474464) 1402 0 R (id2474481) 1403 0 R (id2474519) 1404 0 R (id2474896) 1414 0 R (id2474909) 1415 0 R (id2475027) 1420 0 R (id2475163) 1422 0 R (id2475310) 1427 0 R (id2475392) 1428 0 R 
(id2475612) 1442 0 R (id2475786) 1447 0 R (id2475822) 1448 0 R (id2475905) 1454 0 R (id2475942) 1461 0 R (id2475955) 1462 0 R (id2476056) 1463 0 R (id2476083) 1468 0 R (id2476092) 1469 0 R (id2476170) 1470 0 R (id2476183) 1471 0 R (id2476220) 1472 0 R (id2476230) 1473 0 R (id2476336) 1475 0 R (id2476358) 1482 0 R (id2476528) 1488 0 R (id2476692) 1494 0 R (id2476761) 1495 0 R (id2476878) 1500 0 R (id2477097) 1501 0 R (id2477106) 1502 0 R (id2477138) 1507 0 R (id2477174) 1508 0 R (id2477222) 1509 0 R (id2477253) 1510 0 R (id2477588) 1520 0 R (id2477634) 1521 0 R (id2477825) 1526 0 R (id2477955) 1528 0 R (id2477976) 1529 0 R (id2478009) 1537 0 R (id2478225) 1549 0 R (id2479049) 1557 0 R (id2479077) 1562 0 R (id2479351) 1563 0 R (id2479366) 1564 0 R (id2479396) 1569 0 R (id2479539) 1571 0 R (id2480073) 1578 0 R (id2480116) 1580 0 R (id2480263) 1582 0 R (id2480622) 1589 0 R (id2480640) 1595 0 R (id2480663) 1596 0 R (id2480686) 1597 0 R (id2480845) 1601 0 R (id2480971) 1606 0 R (id2481024) 1607 0 R (id2481649) 1618 0 R (id2482477) 1629 0 R (id2482539) 1630 0 R (id2482997) 1636 0 R (id2483070) 1637 0 R (id2483134) 1644 0 R (id2483178) 1645 0 R (id2483193) 1646 0 R (id2486510) 1684 0 R (id2488830) 1714 0 R (id2488957) 1720 0 R (id2489509) 1731 0 R (id2490718) 1754 0 R (id2490778) 1756 0 R (id2491132) 1765 0 R (id2491703) 1783 0 R (id2493307) 1814 0 R (id2493498) 1824 0 R (id2494690) 1846 0 R (id2494829) 1848 0 R (id2494876) 1854 0 R (id2495234) 1859 0 R (id2496921) 1877 0 R (id2496929) 1878 0 R (id2496934) 1879 0 R (id2497474) 1886 0 R (id2497507) 1892 0 R (id2499730) 1954 0 R (id2500393) 1964 0 R (id2500480) 1965 0 R (id2500500) 1968 0 R (id2500668) 1974 0 R (id2501838) 1981 0 R (id2501966) 1987 0 R (id2502056) 1988 0 R (id2502419) 1990 0 R (id2502555) 1992 0 R (id2502573) 1997 0 R (id2503114) 2000 0 R (id2503239) 2002 0 R (id2503254) 2003 0 R (id2503366) 2009 0 R (id2503388) 2010 0 R (id2503404) 2011 0 R (id2503465) 2012 0 R (id2503534) 2017 0 R (id2503571) 2018 0 R 
(id2503646) 2019 0 R (id2504226) 2031 0 R (id2504661) 2039 0 R (id2504666) 2040 0 R (id2506134) 2047 0 R (id2506140) 2048 0 R (id2506517) 2050 0 R (id2506522) 2051 0 R (id2507607) 2058 0 R (id2507639) 2059 0 R (id2508049) 2068 0 R (id2508222) 2088 0 R (id2508372) 2089 0 R (id2508432) 2090 0 R (id2508512) 2104 0 R (id2508517) 2105 0 R (id2508529) 2106 0 R (id2508546) 2107 0 R (id2508744) 2120 0 R (id2509052) 2126 0 R (id2509172) 2131 0 R (id2509174) 2137 0 R (id2509182) 2142 0 R (id2509206) 2138 0 R (id2509298) 2140 0 R (id2509334) 2151 0 R (id2509361) 2153 0 R (id2509386) 2145 0 R (id2509411) 2147 0 R (id2509434) 2149 0 R (id2509490) 2155 0 R (id2509516) 2157 0 R (id2509543) 2159 0 R (id2509605) 2161 0 R (id2509635) 2163 0 R (id2509665) 2165 0 R (id2509691) 2167 0 R (id2509766) 2170 0 R (id2509773) 2171 0 R (id2509800) 2173 0 R (id2509836) 2175 0 R (id2509901) 2177 0 R (id2510035) 2179 0 R (id2510100) 2182 0 R (id2510108) 2183 0 R (id2510134) 2185 0 R (id2510202) 2187 0 R (id2510237) 2189 0 R (id2510278) 2196 0 R (id2510283) 2197 0 R (id2510341) 2199 0 R (id2510378) 2207 0 R (id2510413) 2201 0 R (id2510468) 2203 0 R (id2510506) 2205 0 R (id2510532) 2209 0 R (id2510557) 2211 0 R (id2510584) 2213 0 R (id2510611) 2215 0 R (id2510650) 2217 0 R (id2510680) 2219 0 R (id2510710) 2221 0 R (id2510753) 2223 0 R (id2510786) 2225 0 R (id2510812) 2227 0 R (id2510836) 2229 0 R (id2510893) 2231 0 R (id2510918) 2234 0 R (id2510925) 2235 0 R (id2510951) 2237 0 R (id2510973) 2239 0 R (id2510997) 2241 0 R (id2511043) 2243 0 R (id2511066) 2245 0 R (id2511116) 2252 0 R (id2511124) 2253 0 R (id2511147) 2255 0 R (id2511174) 2257 0 R (id2511201) 2259 0 R (id2511237) 2261 0 R (id2511277) 2264 0 R (id2511283) 2265 0 R (id2511315) 2267 0 R (id2511361) 2269 0 R (id2511396) 2271 0 R (id2511422) 2274 0 R (id2511441) 2275 0 R (id2511531) 2277 0 R (id2511557) 2279 0 R (id2511582) 2281 0 R (id2511606) 2283 0 R (id2511652) 2285 0 R (id2511675) 2287 0 R (id2511702) 2289 0 R (id2511728) 2291 0 R 
(id2511765) 2294 0 R (id2511771) 2295 0 R (id2511829) 2297 0 R (id2511856) 2299 0 R (id2511892) 2306 0 R (id2511904) 2307 0 R (id2511943) 2309 0 R (id2511970) 2311 0 R (id2512000) 2313 0 R (id2512025) 2315 0 R (id2512052) 2317 0 R (id2512088) 2319 0 R (id2512124) 2321 0 R (id2512151) 2323 0 R (id2512178) 2325 0 R (id2512222) 2327 0 R (id2512264) 2330 0 R (id2512274) 2332 0 R (id2512276) 2334 0 R (id2512432) 2341 0 R (id2512441) 2342 0 R (id2512466) 2343 0 R (id2512497) 2344 0 R (id2512642) 2349 0 R (id2512668) 2351 0 R (id2512677) 2352 0 R (id2512768) 2357 0 R (id2512821) 2358 0 R (id2512885) 2359 0 R (id2512968) 2364 0 R (id2513099) 2369 0 R (id2513300) 2370 0 R (incremental_zone_transfers) 1377 0 R (internet_drafts) 2329 0 R (ipv6addresses) 1531 0 R (journal) 1376 0 R (lwresd) 1538 0 R (man.arpaname) 2689 0 R (man.ddns-confgen) 2678 0 R (man.dig) 2381 0 R (man.dnssec-dsfromkey) 2429 0 R (man.dnssec-keyfromlabel) 2447 0 R (man.dnssec-keygen) 1455 0 R (man.dnssec-revoke) 2490 0 R (man.dnssec-settime) 1456 0 R (man.dnssec-signzone) 2518 0 R (man.genrandom) 2695 0 R (man.host) 2413 0 R (man.isc-hmac-fixup) 2706 0 R (man.named) 2575 0 R (man.named-checkconf) 2542 0 R (man.named-checkzone) 2554 0 R (man.named-journalprint) 2597 0 R (man.nsec3hash) 2718 0 R (man.nsupdate) 2608 0 R (man.rndc) 2633 0 R (man.rndc-confgen) 2662 0 R (man.rndc.conf) 2645 0 R (managed-keys) 1477 0 R (notify) 1356 0 R (options) 1326 0 R (page.1) 934 0 R (page.10) 1318 0 R (page.100) 1959 0 R (page.101) 1963 0 R (page.102) 1973 0 R (page.103) 1980 0 R (page.104) 1986 0 R (page.105) 1996 0 R (page.106) 2008 0 R (page.107) 2016 0 R (page.108) 2024 0 R (page.109) 2029 0 R (page.11) 1331 0 R (page.110) 2037 0 R (page.111) 2045 0 R (page.112) 2057 0 R (page.113) 2064 0 R (page.114) 2072 0 R (page.115) 2077 0 R (page.116) 2083 0 R (page.117) 2094 0 R (page.118) 2098 0 R (page.119) 2102 0 R (page.12) 1335 0 R (page.120) 2113 0 R (page.121) 2118 0 R (page.122) 2125 0 R (page.123) 2135 0 R (page.124) 
2194 0 R (page.125) 2250 0 R (page.126) 2304 0 R (page.127) 2340 0 R (page.128) 2348 0 R (page.129) 2356 0 R (page.13) 1342 0 R (page.130) 2363 0 R (page.131) 2368 0 R (page.132) 2374 0 R (page.133) 2379 0 R (page.134) 2388 0 R (page.135) 2394 0 R (page.136) 2399 0 R (page.137) 2403 0 R (page.138) 2408 0 R (page.139) 2420 0 R (page.14) 1349 0 R (page.140) 2425 0 R (page.141) 2437 0 R (page.142) 2446 0 R (page.143) 2455 0 R (page.144) 2460 0 R (page.145) 2470 0 R (page.146) 2476 0 R (page.147) 2480 0 R (page.148) 2486 0 R (page.149) 2497 0 R (page.15) 1354 0 R (page.150) 2507 0 R (page.151) 2514 0 R (page.152) 2524 0 R (page.153) 2530 0 R (page.154) 2534 0 R (page.155) 2538 0 R (page.156) 2548 0 R (page.157) 2560 0 R (page.158) 2567 0 R (page.159) 2571 0 R (page.16) 1375 0 R (page.160) 2583 0 R (page.161) 2587 0 R (page.162) 2594 0 R (page.163) 2607 0 R (page.164) 2615 0 R (page.165) 2620 0 R (page.166) 2624 0 R (page.167) 2632 0 R (page.168) 2641 0 R (page.169) 2653 0 R (page.17) 1385 0 R (page.170) 2658 0 R (page.171) 2670 0 R (page.172) 2676 0 R (page.173) 2686 0 R (page.174) 2700 0 R (page.175) 2714 0 R (page.176) 2727 0 R (page.18) 1390 0 R (page.19) 1396 0 R (page.2) 958 0 R (page.20) 1401 0 R (page.21) 1410 0 R (page.22) 1419 0 R (page.23) 1426 0 R (page.24) 1432 0 R (page.25) 1437 0 R (page.26) 1446 0 R (page.27) 1460 0 R (page.28) 1467 0 R (page.29) 1481 0 R (page.3) 1255 0 R (page.30) 1487 0 R (page.31) 1493 0 R (page.32) 1499 0 R (page.33) 1506 0 R (page.34) 1514 0 R (page.35) 1519 0 R (page.36) 1525 0 R (page.37) 1535 0 R (page.38) 1542 0 R (page.39) 1546 0 R (page.4) 1266 0 R (page.40) 1556 0 R (page.41) 1561 0 R (page.42) 1568 0 R (page.43) 1577 0 R (page.44) 1586 0 R (page.45) 1594 0 R (page.46) 1605 0 R (page.47) 1611 0 R (page.48) 1617 0 R (page.49) 1624 0 R (page.5) 1273 0 R (page.50) 1628 0 R (page.51) 1635 0 R (page.52) 1643 0 R (page.53) 1650 0 R (page.54) 1654 0 R (page.55) 1659 0 R (page.56) 1663 0 R (page.57) 1667 0 R (page.58) 1673 0 R 
(page.59) 1678 0 R (page.6) 1285 0 R (page.60) 1683 0 R (page.61) 1690 0 R (page.62) 1695 0 R (page.63) 1705 0 R (page.64) 1709 0 R (page.65) 1713 0 R (page.66) 1718 0 R (page.67) 1728 0 R (page.68) 1736 0 R (page.69) 1741 0 R (page.7) 1291 0 R (page.70) 1745 0 R (page.71) 1749 0 R (page.72) 1753 0 R (page.73) 1762 0 R (page.74) 1769 0 R (page.75) 1774 0 R (page.76) 1781 0 R (page.77) 1788 0 R (page.78) 1794 0 R (page.79) 1801 0 R (page.8) 1299 0 R (page.80) 1809 0 R (page.81) 1813 0 R (page.82) 1818 0 R (page.83) 1823 0 R (page.84) 1828 0 R (page.85) 1833 0 R (page.86) 1838 0 R (page.87) 1844 0 R (page.88) 1853 0 R (page.89) 1858 0 R (page.9) 1308 0 R (page.90) 1863 0 R (page.91) 1868 0 R (page.92) 1872 0 R (page.93) 1876 0 R (page.94) 1884 0 R (page.95) 1891 0 R (page.96) 1911 0 R (page.97) 1926 0 R (page.98) 1937 0 R (page.99) 1953 0 R (page.i) 968 0 R (page.ii) 1023 0 R (page.iii) 1087 0 R (page.iv) 1150 0 R (page.v) 1212 0 R (pkcs11) 1483 0 R (proposed_standards) 1381 0 R (query_address) 1737 0 R (rfc5011.support) 1474 0 R (rfcs) 1251 0 R (rndc) 1590 0 R (root_delegation_only) 1887 0 R (rrset_ordering) 1304 0 R (sample_configuration) 1293 0 R (section*.10) 2263 0 R (section*.100) 2595 0 R (section*.101) 2596 0 R (section*.102) 2598 0 R (section*.103) 2599 0 R (section*.104) 2600 0 R (section*.105) 2601 0 R (section*.106) 2602 0 R (section*.107) 2609 0 R (section*.108) 2610 0 R (section*.109) 2611 0 R (section*.11) 2273 0 R (section*.110) 2616 0 R (section*.111) 2625 0 R (section*.112) 2626 0 R (section*.113) 2627 0 R (section*.114) 2628 0 R (section*.115) 2634 0 R (section*.116) 2635 0 R (section*.117) 2636 0 R (section*.118) 2637 0 R (section*.119) 2642 0 R (section*.12) 2293 0 R (section*.120) 2643 0 R (section*.121) 2644 0 R (section*.122) 2646 0 R (section*.123) 2647 0 R (section*.124) 2648 0 R (section*.125) 2654 0 R (section*.126) 2659 0 R (section*.127) 2660 0 R (section*.128) 2661 0 R (section*.129) 2663 0 R (section*.13) 2305 0 R (section*.130) 2664 0 
R (section*.131) 2665 0 R (section*.132) 2666 0 R (section*.133) 2671 0 R (section*.134) 2672 0 R (section*.135) 2677 0 R (section*.136) 2679 0 R (section*.137) 2680 0 R (section*.138) 2681 0 R (section*.139) 2682 0 R (section*.14) 2331 0 R (section*.140) 2687 0 R (section*.141) 2688 0 R (section*.142) 2690 0 R (section*.143) 2691 0 R (section*.144) 2692 0 R (section*.145) 2693 0 R (section*.146) 2694 0 R (section*.147) 2696 0 R (section*.148) 2701 0 R (section*.149) 2702 0 R (section*.15) 2382 0 R (section*.150) 2703 0 R (section*.151) 2704 0 R (section*.152) 2705 0 R (section*.153) 2707 0 R (section*.154) 2708 0 R (section*.155) 2709 0 R (section*.156) 2715 0 R (section*.157) 2716 0 R (section*.158) 2717 0 R (section*.159) 2719 0 R (section*.16) 2383 0 R (section*.160) 2720 0 R (section*.161) 2721 0 R (section*.162) 2722 0 R (section*.163) 2723 0 R (section*.164) 2728 0 R (section*.17) 2384 0 R (section*.18) 2389 0 R (section*.19) 2390 0 R (section*.2) 2130 0 R (section*.20) 2395 0 R (section*.21) 2404 0 R (section*.22) 2409 0 R (section*.23) 2410 0 R (section*.24) 2411 0 R (section*.25) 2412 0 R (section*.26) 2414 0 R (section*.27) 2415 0 R (section*.28) 2421 0 R (section*.29) 2426 0 R (section*.3) 2136 0 R (section*.30) 2427 0 R (section*.31) 2428 0 R (section*.32) 2430 0 R (section*.33) 2431 0 R (section*.34) 2432 0 R (section*.35) 2433 0 R (section*.36) 2438 0 R (section*.37) 2439 0 R (section*.38) 2440 0 R (section*.39) 2441 0 R (section*.4) 2144 0 R (section*.40) 2442 0 R (section*.41) 2448 0 R (section*.42) 2449 0 R (section*.43) 2450 0 R (section*.44) 2451 0 R (section*.45) 2456 0 R (section*.46) 2461 0 R (section*.47) 2462 0 R (section*.48) 2463 0 R (section*.49) 2464 0 R (section*.5) 2169 0 R (section*.50) 2465 0 R (section*.51) 2471 0 R (section*.52) 2472 0 R (section*.53) 2481 0 R (section*.54) 2482 0 R (section*.55) 2487 0 R (section*.56) 2488 0 R (section*.57) 2489 0 R (section*.58) 2491 0 R (section*.59) 2492 0 R (section*.6) 2181 0 R (section*.60) 
2493 0 R (section*.61) 2498 0 R (section*.62) 2499 0 R (section*.63) 2500 0 R (section*.64) 2501 0 R (section*.65) 2502 0 R (section*.66) 2503 0 R (section*.67) 2508 0 R (section*.68) 2509 0 R (section*.69) 2515 0 R (section*.7) 2195 0 R (section*.70) 2516 0 R (section*.71) 2517 0 R (section*.72) 2519 0 R (section*.73) 2520 0 R (section*.74) 2525 0 R (section*.75) 2526 0 R (section*.76) 2539 0 R (section*.77) 2540 0 R (section*.78) 2541 0 R (section*.79) 2543 0 R (section*.8) 2233 0 R (section*.80) 2544 0 R (section*.81) 2549 0 R (section*.82) 2550 0 R (section*.83) 2551 0 R (section*.84) 2552 0 R (section*.85) 2553 0 R (section*.86) 2555 0 R (section*.87) 2561 0 R (section*.88) 2562 0 R (section*.89) 2563 0 R (section*.9) 2251 0 R (section*.90) 2572 0 R (section*.91) 2573 0 R (section*.92) 2574 0 R (section*.93) 2576 0 R (section*.94) 2577 0 R (section*.95) 2578 0 R (section*.96) 2579 0 R (section*.97) 2588 0 R (section*.98) 2589 0 R (section*.99) 2590 0 R (section.1.1) 10 0 R (section.1.2) 14 0 R (section.1.3) 18 0 R (section.1.4) 22 0 R (section.2.1) 70 0 R (section.2.2) 74 0 R (section.2.3) 78 0 R (section.2.4) 82 0 R (section.2.5) 86 0 R (section.3.1) 94 0 R (section.3.2) 106 0 R (section.3.3) 110 0 R (section.4.1) 134 0 R (section.4.10) 274 0 R (section.4.11) 286 0 R (section.4.12) 338 0 R (section.4.2) 138 0 R (section.4.3) 146 0 R (section.4.4) 150 0 R (section.4.5) 158 0 R (section.4.6) 194 0 R (section.4.7) 198 0 R (section.4.8) 202 0 R (section.4.9) 218 0 R (section.5.1) 354 0 R (section.5.2) 358 0 R (section.6.1) 366 0 R (section.6.2) 394 0 R (section.6.3) 618 0 R (section.6.4) 674 0 R (section.7.1) 710 0 R (section.7.2) 714 0 R (section.7.3) 726 0 R (section.8.1) 734 0 R (section.8.2) 742 0 R (section.8.3) 746 0 R (section.A.1) 754 0 R (section.A.2) 762 0 R (section.A.3) 770 0 R (section.A.4) 786 0 R (section.B.1) 846 0 R (section.B.10) 882 0 R (section.B.11) 886 0 R (section.B.12) 890 0 R (section.B.13) 894 0 R (section.B.14) 898 0 R (section.B.15) 
902 0 R (section.B.16) 906 0 R (section.B.17) 910 0 R (section.B.18) 914 0 R (section.B.19) 918 0 R (section.B.2) 850 0 R (section.B.20) 922 0 R (section.B.21) 926 0 R (section.B.3) 854 0 R (section.B.4) 858 0 R (section.B.5) 862 0 R (section.B.6) 866 0 R (section.B.7) 870 0 R (section.B.8) 874 0 R (section.B.9) 878 0 R (server_resource_limits) 1763 0 R (server_statement_definition_and_usage) 1701 0 R (server_statement_grammar) 1834 0 R (statistics) 2030 0 R (statistics_counters) 2038 0 R (statschannels) 1845 0 R (statsfile) 1669 0 R (subsection.1.4.1) 26 0 R (subsection.1.4.2) 30 0 R (subsection.1.4.3) 34 0 R (subsection.1.4.4) 38 0 R (subsection.1.4.5) 54 0 R (subsection.1.4.6) 62 0 R (subsection.3.1.1) 98 0 R (subsection.3.1.2) 102 0 R (subsection.3.3.1) 114 0 R (subsection.3.3.2) 126 0 R (subsection.4.10.1) 278 0 R (subsection.4.10.2) 282 0 R (subsection.4.11.1) 290 0 R (subsection.4.11.2) 306 0 R (subsection.4.11.3) 322 0 R (subsection.4.11.4) 326 0 R (subsection.4.11.5) 330 0 R (subsection.4.11.6) 334 0 R (subsection.4.12.1) 342 0 R (subsection.4.12.2) 346 0 R (subsection.4.2.1) 142 0 R (subsection.4.4.1) 154 0 R (subsection.4.5.1) 162 0 R (subsection.4.5.2) 174 0 R (subsection.4.5.3) 178 0 R (subsection.4.5.4) 182 0 R (subsection.4.5.5) 186 0 R (subsection.4.5.6) 190 0 R (subsection.4.8.1) 206 0 R (subsection.4.8.2) 210 0 R (subsection.4.8.3) 214 0 R (subsection.4.9.1) 222 0 R (subsection.4.9.10) 258 0 R (subsection.4.9.11) 262 0 R (subsection.4.9.12) 266 0 R (subsection.4.9.13) 270 0 R (subsection.4.9.2) 226 0 R (subsection.4.9.3) 230 0 R (subsection.4.9.4) 234 0 R (subsection.4.9.5) 238 0 R (subsection.4.9.6) 242 0 R (subsection.4.9.7) 246 0 R (subsection.4.9.8) 250 0 R (subsection.4.9.9) 254 0 R (subsection.6.1.1) 370 0 R (subsection.6.1.2) 382 0 R (subsection.6.2.1) 398 0 R (subsection.6.2.10) 434 0 R (subsection.6.2.11) 450 0 R (subsection.6.2.12) 454 0 R (subsection.6.2.13) 458 0 R (subsection.6.2.14) 462 0 R (subsection.6.2.15) 466 0 R 
(subsection.6.2.16) 470 0 R (subsection.6.2.17) 554 0 R (subsection.6.2.18) 558 0 R (subsection.6.2.19) 562 0 R (subsection.6.2.2) 402 0 R (subsection.6.2.20) 566 0 R (subsection.6.2.21) 570 0 R (subsection.6.2.22) 574 0 R (subsection.6.2.23) 578 0 R (subsection.6.2.24) 582 0 R (subsection.6.2.25) 586 0 R (subsection.6.2.26) 590 0 R (subsection.6.2.27) 594 0 R (subsection.6.2.28) 598 0 R (subsection.6.2.3) 406 0 R (subsection.6.2.4) 410 0 R (subsection.6.2.5) 414 0 R (subsection.6.2.6) 418 0 R (subsection.6.2.7) 422 0 R (subsection.6.2.8) 426 0 R (subsection.6.2.9) 430 0 R (subsection.6.3.1) 622 0 R (subsection.6.3.2) 634 0 R (subsection.6.3.3) 638 0 R (subsection.6.3.4) 642 0 R (subsection.6.3.5) 646 0 R (subsection.6.3.6) 666 0 R (subsection.6.3.7) 670 0 R (subsection.6.4.1) 682 0 R (subsection.7.2.1) 718 0 R (subsection.7.2.2) 722 0 R (subsection.8.1.1) 738 0 R (subsection.A.1.1) 758 0 R (subsection.A.2.1) 766 0 R (subsection.A.3.1) 774 0 R (subsection.A.3.2) 778 0 R (subsection.A.3.3) 782 0 R (subsection.A.4.1) 790 0 R (subsection.A.4.2) 794 0 R (subsection.A.4.3) 798 0 R (subsection.A.4.4) 802 0 R (subsection.A.4.5) 806 0 R (subsection.A.4.6) 810 0 R (subsection.A.4.7) 838 0 R (subsubsection.1.4.4.1) 42 0 R (subsubsection.1.4.4.2) 46 0 R (subsubsection.1.4.4.3) 50 0 R (subsubsection.1.4.5.1) 58 0 R (subsubsection.3.3.1.1) 118 0 R (subsubsection.3.3.1.2) 122 0 R (subsubsection.4.11.1.1) 294 0 R (subsubsection.4.11.1.2) 298 0 R (subsubsection.4.11.1.3) 302 0 R (subsubsection.4.11.2.1) 310 0 R (subsubsection.4.11.2.2) 314 0 R (subsubsection.4.11.2.3) 318 0 R (subsubsection.4.5.1.1) 166 0 R (subsubsection.4.5.1.2) 170 0 R (subsubsection.6.1.1.1) 374 0 R (subsubsection.6.1.1.2) 378 0 R (subsubsection.6.1.2.1) 386 0 R (subsubsection.6.1.2.2) 390 0 R (subsubsection.6.2.10.1) 438 0 R (subsubsection.6.2.10.2) 442 0 R (subsubsection.6.2.10.3) 446 0 R (subsubsection.6.2.16.1) 474 0 R (subsubsection.6.2.16.10) 510 0 R (subsubsection.6.2.16.11) 514 0 R 
(subsubsection.6.2.16.12) 518 0 R (subsubsection.6.2.16.13) 522 0 R (subsubsection.6.2.16.14) 526 0 R (subsubsection.6.2.16.15) 530 0 R (subsubsection.6.2.16.16) 534 0 R (subsubsection.6.2.16.17) 538 0 R (subsubsection.6.2.16.18) 542 0 R (subsubsection.6.2.16.19) 546 0 R (subsubsection.6.2.16.2) 478 0 R (subsubsection.6.2.16.20) 550 0 R (subsubsection.6.2.16.3) 482 0 R (subsubsection.6.2.16.4) 486 0 R (subsubsection.6.2.16.5) 490 0 R (subsubsection.6.2.16.6) 494 0 R (subsubsection.6.2.16.7) 498 0 R (subsubsection.6.2.16.8) 502 0 R (subsubsection.6.2.16.9) 506 0 R (subsubsection.6.2.28.1) 602 0 R (subsubsection.6.2.28.2) 606 0 R (subsubsection.6.2.28.3) 610 0 R (subsubsection.6.2.28.4) 614 0 R (subsubsection.6.3.1.1) 626 0 R (subsubsection.6.3.1.2) 630 0 R (subsubsection.6.3.5.1) 650 0 R (subsubsection.6.3.5.2) 654 0 R (subsubsection.6.3.5.3) 658 0 R (subsubsection.6.3.5.4) 662 0 R (subsubsection.6.4.0.1) 678 0 R (subsubsection.6.4.1.1) 686 0 R (subsubsection.6.4.1.2) 690 0 R (subsubsection.6.4.1.3) 694 0 R (subsubsection.6.4.1.4) 698 0 R (subsubsection.6.4.1.5) 702 0 R (subsubsection.A.4.6.1) 814 0 R (subsubsection.A.4.6.2) 818 0 R (subsubsection.A.4.6.3) 822 0 R (subsubsection.A.4.6.4) 826 0 R (subsubsection.A.4.6.5) 830 0 R (subsubsection.A.4.6.6) 834 0 R (table.1.1) 1235 0 R (table.1.2) 1243 0 R (table.3.1) 1302 0 R (table.3.2) 1345 0 R (table.6.1) 1550 0 R (table.6.10) 1969 0 R (table.6.11) 1975 0 R (table.6.12) 1982 0 R (table.6.13) 1989 0 R (table.6.14) 1991 0 R (table.6.15) 1998 0 R (table.6.16) 2001 0 R (table.6.17) 2004 0 R (table.6.18) 2020 0 R (table.6.19) 2032 0 R (table.6.2) 1572 0 R (table.6.20) 2041 0 R (table.6.21) 2049 0 R (table.6.22) 2052 0 R (table.6.23) 2060 0 R (table.6.3) 1581 0 R (table.6.4) 1619 0 R (table.6.5) 1631 0 R (table.6.6) 1685 0 R (table.6.7) 1784 0 R (table.6.8) 1880 0 R (table.6.9) 1955 0 R (the_category_phrase) 1613 0 R (the_sortlist_statement) 1775 0 R (topology) 1770 0 R (trusted-keys) 1847 0 R (tsig) 1397 0 R (tuning) 1789 0 
R (types_of_resource_records_and_when_to_use_them) 1250 0 R (view_statement_grammar) 1805 0 R (zone_statement_grammar) 1724 0 R (zone_transfers) 1371 0 R (zonefile_format) 1797 0 R]
/Limits [(Access_Control_Lists) (zonefile_format)]
>> endobj
-2174 0 obj <<
-/Kids [2173 0 R]
+2756 0 obj <<
+/Kids [2755 0 R]
>> endobj
-2175 0 obj <<
-/Dests 2174 0 R
+2757 0 obj <<
+/Dests 2756 0 R
>> endobj
-2176 0 obj <<
+2758 0 obj <<
/Type /Catalog
-/Pages 2171 0 R
-/Outlines 2172 0 R
-/Names 2175 0 R
+/Pages 2753 0 R
+/Outlines 2754 0 R
+/Names 2757 0 R
/PageMode /UseOutlines
-/OpenAction 705 0 R
+/OpenAction 929 0 R
>> endobj
-2177 0 obj <<
+2759 0 obj <<
/Author()/Title()/Subject()/Creator(LaTeX with hyperref package)/Producer(pdfeTeX-1.21a)/Keywords()
-/CreationDate (D:20120720043702Z)
+/CreationDate (D:20120720044330Z)
/PTEX.Fullbanner (This is pdfeTeX, Version 3.141592-1.21a-2.2 (Web2C 7.5.4) kpathsea version 3.5.4)
>> endobj
xref
-0 2178
+0 2760
0000000001 65535 f
0000000002 00000 f
0000000003 00000 f
0000000004 00000 f
0000000000 00000 f
0000000009 00000 n
-0000328757 00000 n
-0001014574 00000 n
+0000348639 00000 n
+0001182928 00000 n
0000000054 00000 n
0000000086 00000 n
-0000328881 00000 n
-0001014502 00000 n
+0000348766 00000 n
+0001182856 00000 n
0000000133 00000 n
0000000173 00000 n
-0000329006 00000 n
-0001014416 00000 n
+0000348894 00000 n
+0001182770 00000 n
0000000221 00000 n
0000000273 00000 n
-0000329131 00000 n
-0001014330 00000 n
+0000349022 00000 n
+0001182684 00000 n
0000000321 00000 n
0000000377 00000 n
-0000333393 00000 n
-0001014220 00000 n
+0000353308 00000 n
+0001182574 00000 n
0000000425 00000 n
0000000478 00000 n
-0000333517 00000 n
-0001014146 00000 n
+0000353435 00000 n
+0001182500 00000 n
0000000531 00000 n
0000000572 00000 n
-0000333642 00000 n
-0001014059 00000 n
+0000353563 00000 n
+0001182413 00000 n
0000000625 00000 n
0000000674 00000 n
-0000333766 00000 n
-0001013972 00000 n
+0000353690 00000 n
+0001182326 00000 n
0000000727 00000 n
0000000757 00000 n
-0000338045 00000 n
-0001013848 00000 n
+0000357987 00000 n
+0001182202 00000 n
0000000810 00000 n
0000000861 00000 n
-0000338170 00000 n
-0001013774 00000 n
+0000358115 00000 n
+0001182128 00000 n
0000000919 00000 n
0000000964 00000 n
-0000338295 00000 n
-0001013687 00000 n
+0000358243 00000 n
+0001182041 00000 n
0000001022 00000 n
0000001062 00000 n
-0000338420 00000 n
-0001013613 00000 n
+0000358371 00000 n
+0001181967 00000 n
0000001120 00000 n
0000001162 00000 n
-0000341391 00000 n
-0001013489 00000 n
+0000361356 00000 n
+0001181843 00000 n
0000001215 00000 n
0000001260 00000 n
-0000341516 00000 n
-0001013428 00000 n
+0000361484 00000 n
+0001181782 00000 n
0000001318 00000 n
0000001355 00000 n
-0000341641 00000 n
-0001013354 00000 n
+0000361612 00000 n
+0001181708 00000 n
0000001408 00000 n
0000001463 00000 n
-0000344571 00000 n
-0001013229 00000 n
+0000364559 00000 n
+0001181583 00000 n
0000001509 00000 n
0000001556 00000 n
-0000344696 00000 n
-0001013155 00000 n
+0000364687 00000 n
+0001181509 00000 n
0000001604 00000 n
0000001648 00000 n
-0000344821 00000 n
-0001013068 00000 n
+0000364815 00000 n
+0001181422 00000 n
0000001696 00000 n
0000001735 00000 n
-0000344946 00000 n
-0001012981 00000 n
+0000364943 00000 n
+0001181335 00000 n
0000001783 00000 n
0000001825 00000 n
-0000345070 00000 n
-0001012894 00000 n
+0000365070 00000 n
+0001181248 00000 n
0000001873 00000 n
0000001936 00000 n
-0000346153 00000 n
-0001012820 00000 n
+0000366147 00000 n
+0001181174 00000 n
0000001984 00000 n
0000002034 00000 n
-0000347864 00000 n
-0001012692 00000 n
+0000367806 00000 n
+0001181046 00000 n
0000002080 00000 n
0000002126 00000 n
-0000347991 00000 n
-0001012579 00000 n
+0000367933 00000 n
+0001180933 00000 n
0000002174 00000 n
0000002218 00000 n
-0000348119 00000 n
-0001012503 00000 n
+0000368061 00000 n
+0001180857 00000 n
0000002271 00000 n
0000002323 00000 n
-0000348247 00000 n
-0001012426 00000 n
+0000368189 00000 n
+0001180780 00000 n
0000002377 00000 n
0000002436 00000 n
-0000350790 00000 n
-0001012335 00000 n
+0000370638 00000 n
+0001180689 00000 n
0000002485 00000 n
0000002523 00000 n
-0000351049 00000 n
-0001012218 00000 n
+0000373976 00000 n
+0001180572 00000 n
0000002572 00000 n
0000002618 00000 n
-0000351178 00000 n
-0001012100 00000 n
+0000374104 00000 n
+0001180454 00000 n
0000002672 00000 n
0000002739 00000 n
-0000354409 00000 n
-0001012021 00000 n
+0000374232 00000 n
+0001180375 00000 n
0000002798 00000 n
0000002842 00000 n
-0000354537 00000 n
-0001011942 00000 n
+0000374361 00000 n
+0001180296 00000 n
0000002901 00000 n
0000002949 00000 n
-0000365580 00000 n
-0001011863 00000 n
+0000389227 00000 n
+0001180217 00000 n
0000003003 00000 n
0000003036 00000 n
-0000370601 00000 n
-0001011731 00000 n
+0000394851 00000 n
+0001180084 00000 n
0000003083 00000 n
0000003126 00000 n
-0000370730 00000 n
-0001011652 00000 n
+0000394980 00000 n
+0001180005 00000 n
0000003175 00000 n
0000003205 00000 n
-0000370859 00000 n
-0001011520 00000 n
+0000395109 00000 n
+0001179873 00000 n
0000003254 00000 n
0000003292 00000 n
-0000370988 00000 n
-0001011455 00000 n
+0000399481 00000 n
+0001179808 00000 n
0000003346 00000 n
0000003388 00000 n
-0000375265 00000 n
-0001011362 00000 n
+0000399610 00000 n
+0001179715 00000 n
0000003437 00000 n
0000003496 00000 n
-0000375394 00000 n
-0001011230 00000 n
+0000399739 00000 n
+0001179583 00000 n
0000003545 00000 n
0000003578 00000 n
-0000379309 00000 n
-0001011165 00000 n
+0000403459 00000 n
+0001179518 00000 n
0000003632 00000 n
0000003681 00000 n
-0000382737 00000 n
-0001011033 00000 n
+0000406613 00000 n
+0001179386 00000 n
0000003730 00000 n
0000003758 00000 n
-0000382866 00000 n
-0001010915 00000 n
+0000409558 00000 n
+0001179268 00000 n
0000003812 00000 n
0000003881 00000 n
-0000385506 00000 n
-0001010836 00000 n
+0000409687 00000 n
+0001179189 00000 n
0000003940 00000 n
0000003988 00000 n
-0000385635 00000 n
-0001010757 00000 n
+0000409816 00000 n
+0001179110 00000 n
0000004047 00000 n
0000004092 00000 n
-0000385764 00000 n
-0001010664 00000 n
+0000409945 00000 n
+0001179017 00000 n
0000004146 00000 n
0000004214 00000 n
-0000385892 00000 n
-0001010571 00000 n
+0000410074 00000 n
+0001178924 00000 n
0000004268 00000 n
0000004338 00000 n
-0000386021 00000 n
-0001010478 00000 n
+0000413537 00000 n
+0001178831 00000 n
0000004392 00000 n
0000004455 00000 n
-0000389887 00000 n
-0001010385 00000 n
+0000413666 00000 n
+0001178738 00000 n
0000004509 00000 n
0000004564 00000 n
-0000390016 00000 n
-0001010306 00000 n
+0000413795 00000 n
+0001178659 00000 n
0000004618 00000 n
0000004650 00000 n
-0000390145 00000 n
-0001010213 00000 n
+0000413924 00000 n
+0001178566 00000 n
0000004699 00000 n
0000004727 00000 n
-0000393790 00000 n
-0001010120 00000 n
+0000417784 00000 n
+0001178473 00000 n
0000004776 00000 n
0000004808 00000 n
-0000393916 00000 n
-0001009988 00000 n
+0000417913 00000 n
+0001178341 00000 n
0000004857 00000 n
0000004887 00000 n
-0000394045 00000 n
-0001009909 00000 n
+0000418041 00000 n
+0001178262 00000 n
0000004941 00000 n
0000004982 00000 n
-0000397881 00000 n
-0001009816 00000 n
+0000421944 00000 n
+0001178169 00000 n
0000005036 00000 n
0000005078 00000 n
-0000398010 00000 n
-0001009737 00000 n
+0000422072 00000 n
+0001178090 00000 n
0000005132 00000 n
0000005177 00000 n
-0000400958 00000 n
-0001009619 00000 n
+0000427212 00000 n
+0001177957 00000 n
0000005226 00000 n
-0000005272 00000 n
-0000403574 00000 n
-0001009540 00000 n
-0000005326 00000 n
-0000005386 00000 n
-0000403703 00000 n
-0001009461 00000 n
-0000005440 00000 n
-0000005509 00000 n
-0000406525 00000 n
-0001009328 00000 n
-0000005556 00000 n
-0000005609 00000 n
-0000406654 00000 n
-0001009249 00000 n
-0000005658 00000 n
-0000005714 00000 n
-0000406783 00000 n
-0001009170 00000 n
-0000005763 00000 n
-0000005812 00000 n
-0000410967 00000 n
-0001009037 00000 n
-0000005859 00000 n
-0000005911 00000 n
-0000411096 00000 n
-0001008919 00000 n
-0000005960 00000 n
-0000006011 00000 n
-0000415788 00000 n
-0001008801 00000 n
-0000006065 00000 n
-0000006110 00000 n
-0000415916 00000 n
-0001008722 00000 n
-0000006169 00000 n
-0000006203 00000 n
-0000419537 00000 n
-0001008643 00000 n
-0000006262 00000 n
-0000006310 00000 n
-0000419665 00000 n
-0001008525 00000 n
-0000006364 00000 n
-0000006404 00000 n
-0000419794 00000 n
-0001008446 00000 n
-0000006463 00000 n
-0000006497 00000 n
-0000423731 00000 n
-0001008367 00000 n
-0000006556 00000 n
-0000006604 00000 n
-0000423860 00000 n
-0001008234 00000 n
-0000006653 00000 n
-0000006703 00000 n
-0000426680 00000 n
-0001008155 00000 n
-0000006757 00000 n
-0000006804 00000 n
-0000426808 00000 n
-0001008062 00000 n
-0000006858 00000 n
-0000006918 00000 n
-0000427067 00000 n
-0001007969 00000 n
-0000006972 00000 n
-0000007024 00000 n
-0000432416 00000 n
-0001007876 00000 n
-0000007078 00000 n
-0000007143 00000 n
-0000432545 00000 n
-0001007783 00000 n
-0000007197 00000 n
-0000007248 00000 n
-0000432674 00000 n
-0001007690 00000 n
-0000007302 00000 n
-0000007366 00000 n
-0000436126 00000 n
-0001007597 00000 n
-0000007420 00000 n
-0000007467 00000 n
-0000436255 00000 n
-0001007504 00000 n
-0000007521 00000 n
-0000007581 00000 n
-0000436384 00000 n
-0001007411 00000 n
-0000007635 00000 n
-0000007686 00000 n
-0000436513 00000 n
-0001007279 00000 n
-0000007741 00000 n
-0000007806 00000 n
-0000440744 00000 n
-0001007200 00000 n
-0000007866 00000 n
-0000007913 00000 n
-0000447301 00000 n
-0001007107 00000 n
-0000007973 00000 n
-0000008021 00000 n
-0000454853 00000 n
-0001007028 00000 n
-0000008081 00000 n
-0000008135 00000 n
-0000455112 00000 n
-0001006935 00000 n
-0000008190 00000 n
-0000008240 00000 n
-0000457935 00000 n
-0001006842 00000 n
-0000008295 00000 n
-0000008358 00000 n
-0000458064 00000 n
-0001006749 00000 n
-0000008413 00000 n
-0000008465 00000 n
-0000458193 00000 n
-0001006656 00000 n
-0000008520 00000 n
-0000008585 00000 n
-0000458322 00000 n
-0001006563 00000 n
-0000008640 00000 n
-0000008692 00000 n
-0000464333 00000 n
-0001006430 00000 n
-0000008747 00000 n
-0000008812 00000 n
-0000472736 00000 n
-0001006351 00000 n
-0000008872 00000 n
-0000008916 00000 n
-0000493992 00000 n
-0001006258 00000 n
-0000008976 00000 n
-0000009015 00000 n
-0000494121 00000 n
-0001006165 00000 n
-0000009075 00000 n
-0000009122 00000 n
-0000494250 00000 n
-0001006072 00000 n
-0000009182 00000 n
-0000009225 00000 n
-0000501166 00000 n
-0001005979 00000 n
-0000009285 00000 n
-0000009324 00000 n
-0000504682 00000 n
-0001005886 00000 n
-0000009384 00000 n
-0000009426 00000 n
-0000507862 00000 n
-0001005793 00000 n
-0000009486 00000 n
-0000009529 00000 n
-0000515570 00000 n
-0001005700 00000 n
-0000009589 00000 n
-0000009632 00000 n
-0000515698 00000 n
-0001005607 00000 n
-0000009692 00000 n
-0000009753 00000 n
-0000519891 00000 n
-0001005514 00000 n
-0000009814 00000 n
-0000009866 00000 n
-0000523784 00000 n
-0001005421 00000 n
-0000009927 00000 n
-0000009980 00000 n
-0000523913 00000 n
-0001005328 00000 n
-0000010041 00000 n
-0000010079 00000 n
-0000527947 00000 n
-0001005235 00000 n
-0000010140 00000 n
-0000010192 00000 n
-0000531103 00000 n
-0001005142 00000 n
-0000010253 00000 n
-0000010297 00000 n
-0000535042 00000 n
-0001005049 00000 n
-0000010358 00000 n
-0000010394 00000 n
-0000543486 00000 n
-0001004956 00000 n
-0000010455 00000 n
-0000010518 00000 n
-0000543615 00000 n
-0001004863 00000 n
-0000010579 00000 n
-0000010629 00000 n
-0000549448 00000 n
-0001004784 00000 n
-0000010690 00000 n
-0000010746 00000 n
-0000552876 00000 n
-0001004691 00000 n
-0000010801 00000 n
-0000010852 00000 n
-0000553005 00000 n
-0001004598 00000 n
-0000010907 00000 n
-0000010971 00000 n
-0000557400 00000 n
-0001004505 00000 n
-0000011026 00000 n
-0000011090 00000 n
-0000557528 00000 n
-0001004412 00000 n
-0000011145 00000 n
-0000011222 00000 n
-0000561108 00000 n
-0001004319 00000 n
-0000011277 00000 n
-0000011334 00000 n
-0000561237 00000 n
-0001004226 00000 n
-0000011389 00000 n
-0000011459 00000 n
-0000561366 00000 n
-0001004133 00000 n
-0000011514 00000 n
-0000011563 00000 n
-0000561495 00000 n
-0001004040 00000 n
-0000011618 00000 n
-0000011680 00000 n
-0000566204 00000 n
-0001003947 00000 n
-0000011735 00000 n
-0000011784 00000 n
-0000570290 00000 n
-0001003829 00000 n
-0000011839 00000 n
-0000011901 00000 n
-0000570419 00000 n
-0001003750 00000 n
-0000011961 00000 n
-0000012000 00000 n
-0000574747 00000 n
-0001003657 00000 n
-0000012060 00000 n
-0000012094 00000 n
-0000580643 00000 n
-0001003564 00000 n
-0000012154 00000 n
-0000012195 00000 n
-0000592022 00000 n
-0001003485 00000 n
-0000012255 00000 n
-0000012307 00000 n
-0000599204 00000 n
-0001003353 00000 n
-0000012356 00000 n
-0000012389 00000 n
-0000599333 00000 n
-0001003235 00000 n
-0000012443 00000 n
-0000012515 00000 n
-0000599461 00000 n
-0001003156 00000 n
-0000012574 00000 n
-0000012618 00000 n
-0000610003 00000 n
-0001003077 00000 n
-0000012677 00000 n
-0000012730 00000 n
-0000614058 00000 n
-0001002984 00000 n
-0000012784 00000 n
-0000012834 00000 n
-0000614316 00000 n
-0001002891 00000 n
-0000012888 00000 n
-0000012926 00000 n
-0000614575 00000 n
-0001002798 00000 n
-0000012980 00000 n
-0000013029 00000 n
-0000617626 00000 n
-0001002666 00000 n
-0000013083 00000 n
-0000013135 00000 n
-0000617755 00000 n
-0001002587 00000 n
-0000013194 00000 n
-0000013239 00000 n
-0000617883 00000 n
-0001002494 00000 n
-0000013298 00000 n
-0000013350 00000 n
-0000618012 00000 n
-0001002401 00000 n
-0000013409 00000 n
-0000013462 00000 n
-0000621549 00000 n
-0001002322 00000 n
-0000013521 00000 n
-0000013570 00000 n
-0000621678 00000 n
-0001002229 00000 n
-0000013624 00000 n
-0000013704 00000 n
-0000625519 00000 n
-0001002150 00000 n
-0000013758 00000 n
-0000013807 00000 n
-0000625647 00000 n
-0001002032 00000 n
-0000013856 00000 n
-0000013896 00000 n
-0000629200 00000 n
-0001001953 00000 n
-0000013955 00000 n
-0000014002 00000 n
-0000629329 00000 n
-0001001835 00000 n
-0000014056 00000 n
-0000014101 00000 n
-0000629458 00000 n
-0001001756 00000 n
-0000014160 00000 n
-0000014219 00000 n
-0000635940 00000 n
-0001001663 00000 n
-0000014278 00000 n
-0000014342 00000 n
-0000636199 00000 n
-0001001570 00000 n
-0000014401 00000 n
-0000014457 00000 n
-0000640040 00000 n
-0001001477 00000 n
-0000014516 00000 n
-0000014574 00000 n
-0000640299 00000 n
-0001001398 00000 n
-0000014633 00000 n
-0000014695 00000 n
-0000643357 00000 n
-0001001265 00000 n
-0000014742 00000 n
-0000014794 00000 n
-0000643486 00000 n
-0001001186 00000 n
-0000014843 00000 n
-0000014887 00000 n
-0000647685 00000 n
-0001001054 00000 n
-0000014936 00000 n
-0000014977 00000 n
-0000647814 00000 n
-0001000975 00000 n
-0000015031 00000 n
-0000015079 00000 n
-0000647942 00000 n
-0001000896 00000 n
-0000015133 00000 n
-0000015184 00000 n
-0000648071 00000 n
-0001000817 00000 n
-0000015233 00000 n
-0000015280 00000 n
-0000652338 00000 n
-0001000684 00000 n
-0000015327 00000 n
-0000015364 00000 n
-0000652467 00000 n
-0001000566 00000 n
-0000015413 00000 n
-0000015452 00000 n
-0000652596 00000 n
-0001000501 00000 n
-0000015506 00000 n
-0000015584 00000 n
-0000652725 00000 n
-0001000408 00000 n
-0000015633 00000 n
-0000015700 00000 n
-0000652854 00000 n
-0001000329 00000 n
-0000015749 00000 n
-0000015794 00000 n
-0000656293 00000 n
-0001000196 00000 n
-0000015842 00000 n
-0000015874 00000 n
-0000656422 00000 n
-0001000078 00000 n
-0000015923 00000 n
-0000015962 00000 n
-0000656551 00000 n
-0001000013 00000 n
-0000016016 00000 n
-0000016077 00000 n
-0000660232 00000 n
-0000999881 00000 n
-0000016126 00000 n
-0000016183 00000 n
-0000660361 00000 n
-0000999816 00000 n
-0000016237 00000 n
-0000016286 00000 n
-0000660490 00000 n
-0000999698 00000 n
-0000016335 00000 n
-0000016397 00000 n
-0000660619 00000 n
-0000999619 00000 n
-0000016451 00000 n
-0000016506 00000 n
-0000684641 00000 n
-0000999526 00000 n
-0000016560 00000 n
+0000005294 00000 n
+0000427341 00000 n
+0001177878 00000 n
+0000005348 00000 n
+0000005408 00000 n
+0000431146 00000 n
+0001177785 00000 n
+0000005462 00000 n
+0000005513 00000 n
+0000431275 00000 n
+0001177692 00000 n
+0000005567 00000 n
+0000005621 00000 n
+0000431404 00000 n
+0001177599 00000 n
+0000005675 00000 n
+0000005721 00000 n
+0000434522 00000 n
+0001177506 00000 n
+0000005775 00000 n
+0000005817 00000 n
+0000434651 00000 n
+0001177413 00000 n
+0000005871 00000 n
+0000005922 00000 n
+0000434780 00000 n
+0001177320 00000 n
+0000005976 00000 n
+0000006025 00000 n
+0000437878 00000 n
+0001177227 00000 n
+0000006079 00000 n
+0000006136 00000 n
+0000438007 00000 n
+0001177134 00000 n
+0000006190 00000 n
+0000006245 00000 n
+0000438135 00000 n
+0001177041 00000 n
+0000006300 00000 n
+0000006356 00000 n
+0000438264 00000 n
+0001176948 00000 n
+0000006411 00000 n
+0000006472 00000 n
+0000438392 00000 n
+0001176855 00000 n
+0000006527 00000 n
+0000006573 00000 n
+0000438520 00000 n
+0001176776 00000 n
+0000006628 00000 n
+0000006671 00000 n
+0000438649 00000 n
+0001176644 00000 n
+0000006721 00000 n
+0000006777 00000 n
+0000438778 00000 n
+0001176565 00000 n
+0000006832 00000 n
+0000006878 00000 n
+0000442370 00000 n
+0001176486 00000 n
+0000006933 00000 n
+0000006980 00000 n
+0000442499 00000 n
+0001176354 00000 n
+0000007030 00000 n
+0000007087 00000 n
+0000445659 00000 n
+0001176236 00000 n
+0000007142 00000 n
+0000007182 00000 n
+0000448354 00000 n
+0001176157 00000 n
+0000007242 00000 n
+0000007315 00000 n
+0000448483 00000 n
+0001176064 00000 n
+0000007375 00000 n
+0000007448 00000 n
+0000451264 00000 n
+0001175985 00000 n
+0000007508 00000 n
+0000007565 00000 n
+0000451393 00000 n
+0001175853 00000 n
+0000007620 00000 n
+0000007678 00000 n
+0000451522 00000 n
+0001175774 00000 n
+0000007738 00000 n
+0000007815 00000 n
+0000454016 00000 n
+0001175681 00000 n
+0000007875 00000 n
+0000007952 00000 n
+0000454145 00000 n
+0001175602 00000 n
+0000008012 00000 n
+0000008071 00000 n
+0000454274 00000 n
+0001175509 00000 n
+0000008126 00000 n
+0000008170 00000 n
+0000454403 00000 n
+0001175416 00000 n
+0000008225 00000 n
+0000008265 00000 n
+0000460723 00000 n
+0001175323 00000 n
+0000008320 00000 n
+0000008388 00000 n
+0000460852 00000 n
+0001175244 00000 n
+0000008443 00000 n
+0000008514 00000 n
+0000463643 00000 n
+0001175126 00000 n
+0000008564 00000 n
+0000008611 00000 n
+0000463772 00000 n
+0001175047 00000 n
+0000008666 00000 n
+0000008727 00000 n
+0000463901 00000 n
+0001174968 00000 n
+0000008782 00000 n
+0000008852 00000 n
+0000466343 00000 n
+0001174835 00000 n
+0000008899 00000 n
+0000008952 00000 n
+0000466472 00000 n
+0001174756 00000 n
+0000009001 00000 n
+0000009057 00000 n
+0000466601 00000 n
+0001174677 00000 n
+0000009106 00000 n
+0000009155 00000 n
+0000470871 00000 n
+0001174544 00000 n
+0000009202 00000 n
+0000009254 00000 n
+0000471000 00000 n
+0001174426 00000 n
+0000009303 00000 n
+0000009354 00000 n
+0000475692 00000 n
+0001174308 00000 n
+0000009408 00000 n
+0000009453 00000 n
+0000475820 00000 n
+0001174229 00000 n
+0000009512 00000 n
+0000009546 00000 n
+0000479413 00000 n
+0001174150 00000 n
+0000009605 00000 n
+0000009653 00000 n
+0000479542 00000 n
+0001174032 00000 n
+0000009707 00000 n
+0000009747 00000 n
+0000479671 00000 n
+0001173953 00000 n
+0000009806 00000 n
+0000009840 00000 n
+0000482523 00000 n
+0001173874 00000 n
+0000009899 00000 n
+0000009947 00000 n
+0000482652 00000 n
+0001173741 00000 n
+0000009996 00000 n
+0000010046 00000 n
+0000485722 00000 n
+0001173662 00000 n
+0000010100 00000 n
+0000010147 00000 n
+0000485850 00000 n
+0001173569 00000 n
+0000010201 00000 n
+0000010261 00000 n
+0000486109 00000 n
+0001173476 00000 n
+0000010315 00000 n
+0000010367 00000 n
+0000491291 00000 n
+0001173383 00000 n
+0000010421 00000 n
+0000010486 00000 n
+0000491420 00000 n
+0001173290 00000 n
+0000010540 00000 n
+0000010591 00000 n
+0000494897 00000 n
+0001173197 00000 n
+0000010645 00000 n
+0000010709 00000 n
+0000495026 00000 n
+0001173104 00000 n
+0000010763 00000 n
+0000010810 00000 n
+0000495155 00000 n
+0001173011 00000 n
+0000010864 00000 n
+0000010924 00000 n
+0000495284 00000 n
+0001172918 00000 n
+0000010978 00000 n
+0000011029 00000 n
+0000499302 00000 n
+0001172786 00000 n
+0000011084 00000 n
+0000011149 00000 n
+0000499431 00000 n
+0001172707 00000 n
+0000011209 00000 n
+0000011256 00000 n
+0000506252 00000 n
+0001172614 00000 n
+0000011316 00000 n
+0000011364 00000 n
+0000513361 00000 n
+0001172535 00000 n
+0000011424 00000 n
+0000011478 00000 n
+0000516958 00000 n
+0001172442 00000 n
+0000011533 00000 n
+0000011583 00000 n
+0000517087 00000 n
+0001172349 00000 n
+0000011638 00000 n
+0000011701 00000 n
+0000519024 00000 n
+0001172256 00000 n
+0000011756 00000 n
+0000011808 00000 n
+0000519153 00000 n
+0001172163 00000 n
+0000011863 00000 n
+0000011928 00000 n
+0000519282 00000 n
+0001172070 00000 n
+0000011983 00000 n
+0000012035 00000 n
+0000524428 00000 n
+0001171937 00000 n
+0000012090 00000 n
+0000012155 00000 n
+0000544388 00000 n
+0001171858 00000 n
+0000012215 00000 n
+0000012259 00000 n
+0000565985 00000 n
+0001171765 00000 n
+0000012319 00000 n
+0000012358 00000 n
+0000569620 00000 n
+0001171672 00000 n
+0000012418 00000 n
+0000012465 00000 n
+0000569749 00000 n
+0001171579 00000 n
+0000012525 00000 n
+0000012568 00000 n
+0000574175 00000 n
+0001171486 00000 n
+0000012628 00000 n
+0000012667 00000 n
+0000577523 00000 n
+0001171393 00000 n
+0000012727 00000 n
+0000012769 00000 n
+0000584483 00000 n
+0001171300 00000 n
+0000012829 00000 n
+0000012872 00000 n
+0000592253 00000 n
+0001171207 00000 n
+0000012932 00000 n
+0000012975 00000 n
+0000592382 00000 n
+0001171114 00000 n
+0000013035 00000 n
+0000013096 00000 n
+0000596338 00000 n
+0001171021 00000 n
+0000013157 00000 n
+0000013209 00000 n
+0000596467 00000 n
+0001170928 00000 n
+0000013270 00000 n
+0000013323 00000 n
+0000599686 00000 n
+0001170835 00000 n
+0000013384 00000 n
+0000013422 00000 n
+0000603538 00000 n
+0001170742 00000 n
+0000013483 00000 n
+0000013535 00000 n
+0000606956 00000 n
+0001170649 00000 n
+0000013596 00000 n
+0000013640 00000 n
+0000610967 00000 n
+0001170556 00000 n
+0000013701 00000 n
+0000013737 00000 n
+0000619337 00000 n
+0001170463 00000 n
+0000013798 00000 n
+0000013861 00000 n
+0000619466 00000 n
+0001170370 00000 n
+0000013922 00000 n
+0000013972 00000 n
+0000626008 00000 n
+0001170277 00000 n
+0000014033 00000 n
+0000014089 00000 n
+0000626135 00000 n
+0001170184 00000 n
+0000014150 00000 n
+0000014197 00000 n
+0000634312 00000 n
+0001170105 00000 n
+0000014258 00000 n
+0000014326 00000 n
+0000640547 00000 n
+0001170012 00000 n
+0000014381 00000 n
+0000014432 00000 n
+0000640676 00000 n
+0001169919 00000 n
+0000014487 00000 n
+0000014551 00000 n
+0000649330 00000 n
+0001169826 00000 n
+0000014606 00000 n
+0000014670 00000 n
+0000649459 00000 n
+0001169733 00000 n
+0000014725 00000 n
+0000014802 00000 n
+0000649588 00000 n
+0001169640 00000 n
+0000014857 00000 n
+0000014914 00000 n
+0000649717 00000 n
+0001169547 00000 n
+0000014969 00000 n
+0000015039 00000 n
+0000654026 00000 n
+0001169454 00000 n
+0000015094 00000 n
+0000015151 00000 n
+0000654155 00000 n
+0001169361 00000 n
+0000015206 00000 n
+0000015276 00000 n
+0000657626 00000 n
+0001169268 00000 n
+0000015331 00000 n
+0000015380 00000 n
+0000657755 00000 n
+0001169175 00000 n
+0000015435 00000 n
+0000015497 00000 n
+0000659509 00000 n
+0001169082 00000 n
+0000015552 00000 n
+0000015601 00000 n
+0000665970 00000 n
+0001168964 00000 n
+0000015656 00000 n
+0000015718 00000 n
+0000666099 00000 n
+0001168885 00000 n
+0000015778 00000 n
+0000015817 00000 n
+0000670336 00000 n
+0001168792 00000 n
+0000015877 00000 n
+0000015911 00000 n
+0000676258 00000 n
+0001168699 00000 n
+0000015971 00000 n
+0000016012 00000 n
+0000691898 00000 n
+0001168620 00000 n
+0000016072 00000 n
+0000016124 00000 n
+0000702584 00000 n
+0001168488 00000 n
+0000016173 00000 n
+0000016206 00000 n
+0000702713 00000 n
+0001168370 00000 n
+0000016260 00000 n
+0000016332 00000 n
+0000702842 00000 n
+0001168291 00000 n
+0000016391 00000 n
+0000016435 00000 n
+0000713443 00000 n
+0001168212 00000 n
+0000016494 00000 n
+0000016547 00000 n
+0000713832 00000 n
+0001168119 00000 n
0000016601 00000 n
-0000684770 00000 n
-0000999447 00000 n
-0000016655 00000 n
-0000016707 00000 n
-0000687501 00000 n
-0000999327 00000 n
-0000016755 00000 n
-0000016789 00000 n
-0000687630 00000 n
-0000999248 00000 n
-0000016838 00000 n
-0000016865 00000 n
-0000705454 00000 n
-0000999155 00000 n
-0000016914 00000 n
-0000016942 00000 n
-0000712942 00000 n
-0000999062 00000 n
-0000016991 00000 n
-0000017031 00000 n
-0000715737 00000 n
-0000998969 00000 n
-0000017080 00000 n
-0000017123 00000 n
-0000721920 00000 n
-0000998876 00000 n
-0000017172 00000 n
-0000017209 00000 n
-0000728546 00000 n
-0000998783 00000 n
-0000017258 00000 n
-0000017297 00000 n
-0000740929 00000 n
-0000998690 00000 n
-0000017346 00000 n
-0000017385 00000 n
-0000744025 00000 n
-0000998597 00000 n
-0000017434 00000 n
-0000017473 00000 n
-0000750305 00000 n
-0000998504 00000 n
-0000017522 00000 n
-0000017551 00000 n
-0000760117 00000 n
-0000998411 00000 n
-0000017601 00000 n
-0000017634 00000 n
-0000774349 00000 n
-0000998318 00000 n
-0000017684 00000 n
+0000016651 00000 n
+0000717686 00000 n
+0001168026 00000 n
+0000016705 00000 n
+0000016743 00000 n
+0000717945 00000 n
+0001167933 00000 n
+0000016797 00000 n
+0000016846 00000 n
+0000720718 00000 n
+0001167801 00000 n
+0000016900 00000 n
+0000016952 00000 n
+0000720843 00000 n
+0001167722 00000 n
+0000017011 00000 n
+0000017056 00000 n
+0000720972 00000 n
+0001167629 00000 n
+0000017115 00000 n
+0000017167 00000 n
+0000721101 00000 n
+0001167536 00000 n
+0000017226 00000 n
+0000017279 00000 n
+0000723553 00000 n
+0001167457 00000 n
+0000017338 00000 n
+0000017387 00000 n
+0000723682 00000 n
+0001167364 00000 n
+0000017441 00000 n
+0000017521 00000 n
+0000727997 00000 n
+0001167285 00000 n
+0000017575 00000 n
+0000017624 00000 n
+0000731503 00000 n
+0001167167 00000 n
+0000017673 00000 n
0000017713 00000 n
-0000777479 00000 n
-0000998225 00000 n
-0000017763 00000 n
-0000017797 00000 n
-0000783717 00000 n
-0000998146 00000 n
-0000017847 00000 n
-0000017884 00000 n
-0000018257 00000 n
-0000018379 00000 n
-0000283180 00000 n
-0000017937 00000 n
-0000283054 00000 n
-0000283117 00000 n
-0000993500 00000 n
-0000967557 00000 n
-0000993326 00000 n
-0000994525 00000 n
-0000019688 00000 n
-0000019881 00000 n
-0000019961 00000 n
-0000019998 00000 n
-0000020079 00000 n
-0000020203 00000 n
-0000020462 00000 n
-0000020821 00000 n
-0000020853 00000 n
-0000020947 00000 n
-0000021980 00000 n
-0000033116 00000 n
-0000098706 00000 n
-0000164296 00000 n
-0000229886 00000 n
-0000284610 00000 n
-0000284425 00000 n
-0000283280 00000 n
-0000284547 00000 n
-0000966336 00000 n
-0000939815 00000 n
-0000966162 00000 n
-0000939130 00000 n
-0000936986 00000 n
-0000938966 00000 n
-0000296315 00000 n
-0000287660 00000 n
-0000284695 00000 n
-0000296189 00000 n
-0000296252 00000 n
-0000288194 00000 n
-0000288348 00000 n
-0000288505 00000 n
-0000288662 00000 n
-0000288819 00000 n
-0000288976 00000 n
-0000289138 00000 n
-0000289300 00000 n
-0000289461 00000 n
-0000289623 00000 n
-0000289790 00000 n
-0000289957 00000 n
-0000290122 00000 n
-0000290284 00000 n
-0000290450 00000 n
-0000290612 00000 n
-0000290766 00000 n
-0000290923 00000 n
-0000291080 00000 n
-0000291236 00000 n
-0000291392 00000 n
-0000291549 00000 n
-0000291704 00000 n
-0000291861 00000 n
-0000292023 00000 n
-0000292185 00000 n
-0000292342 00000 n
-0000292497 00000 n
-0000292658 00000 n
-0000292825 00000 n
-0000292992 00000 n
-0000293154 00000 n
-0000293309 00000 n
-0000293466 00000 n
-0000293623 00000 n
-0000293785 00000 n
-0000293942 00000 n
-0000294099 00000 n
-0000294261 00000 n
-0000294418 00000 n
-0000294580 00000 n
-0000294747 00000 n
-0000294914 00000 n
-0000295076 00000 n
-0000295238 00000 n
-0000295400 00000 n
-0000295562 00000 n
-0000295724 00000 n
-0000295879 00000 n
-0000296034 00000 n
-0000309692 00000 n
-0000299643 00000 n
-0000296400 00000 n
-0000309629 00000 n
-0000936435 00000 n
-0000919354 00000 n
-0000936251 00000 n
-0000300233 00000 n
-0000300396 00000 n
-0000300559 00000 n
-0000300721 00000 n
-0000300879 00000 n
-0000301042 00000 n
-0000301205 00000 n
-0000301360 00000 n
-0000301518 00000 n
-0000301676 00000 n
-0000301832 00000 n
-0000301990 00000 n
-0000302153 00000 n
-0000302321 00000 n
-0000302489 00000 n
-0000302652 00000 n
-0000302820 00000 n
-0000302988 00000 n
-0000303145 00000 n
-0000303308 00000 n
-0000303471 00000 n
-0000303634 00000 n
-0000303796 00000 n
-0000303959 00000 n
-0000304121 00000 n
-0000304283 00000 n
-0000304446 00000 n
-0000304609 00000 n
-0000304772 00000 n
-0000304940 00000 n
-0000305109 00000 n
-0000305278 00000 n
-0000305442 00000 n
-0000305606 00000 n
-0000305770 00000 n
-0000305934 00000 n
-0000306098 00000 n
-0000306262 00000 n
-0000306430 00000 n
-0000306599 00000 n
-0000306768 00000 n
-0000306937 00000 n
-0000307106 00000 n
-0000307275 00000 n
-0000307444 00000 n
-0000307613 00000 n
-0000307782 00000 n
-0000307952 00000 n
-0000308122 00000 n
-0000308291 00000 n
-0000308461 00000 n
-0000308631 00000 n
-0000308799 00000 n
-0000308968 00000 n
-0000309138 00000 n
-0000309306 00000 n
-0000309467 00000 n
-0000322865 00000 n
-0000313322 00000 n
-0000309790 00000 n
-0000322802 00000 n
-0000313896 00000 n
-0000314059 00000 n
-0000314222 00000 n
-0000314385 00000 n
-0000314548 00000 n
-0000314711 00000 n
-0000314874 00000 n
-0000315037 00000 n
-0000315198 00000 n
-0000315365 00000 n
-0000315533 00000 n
-0000315701 00000 n
-0000315869 00000 n
-0000316026 00000 n
-0000316188 00000 n
-0000316355 00000 n
-0000316522 00000 n
-0000316684 00000 n
-0000316846 00000 n
-0000317008 00000 n
-0000317169 00000 n
-0000317335 00000 n
-0000317502 00000 n
-0000317669 00000 n
-0000317836 00000 n
-0000317998 00000 n
-0000318160 00000 n
-0000318317 00000 n
-0000318484 00000 n
-0000318646 00000 n
-0000318813 00000 n
-0000318980 00000 n
-0000319147 00000 n
-0000918465 00000 n
-0000897134 00000 n
-0000918291 00000 n
-0000319314 00000 n
-0000319480 00000 n
-0000319635 00000 n
-0000319792 00000 n
-0000319948 00000 n
-0000320110 00000 n
-0000320272 00000 n
-0000320429 00000 n
-0000320584 00000 n
-0000320741 00000 n
-0000320903 00000 n
-0000321060 00000 n
-0000321217 00000 n
-0000321373 00000 n
-0000321530 00000 n
-0000321692 00000 n
-0000321849 00000 n
-0000322010 00000 n
-0000322165 00000 n
-0000322327 00000 n
-0000322488 00000 n
-0000322648 00000 n
-0000326282 00000 n
-0000323941 00000 n
-0000322976 00000 n
-0000326219 00000 n
-0000324179 00000 n
-0000324336 00000 n
-0000324493 00000 n
-0000324649 00000 n
-0000324806 00000 n
-0000324962 00000 n
-0000325119 00000 n
-0000325276 00000 n
-0000325433 00000 n
-0000325588 00000 n
-0000325746 00000 n
-0000896168 00000 n
-0000876201 00000 n
-0000895995 00000 n
-0000325903 00000 n
-0000326061 00000 n
-0000329382 00000 n
-0000328635 00000 n
-0000326380 00000 n
-0000328818 00000 n
-0000328943 00000 n
-0000329068 00000 n
-0000329193 00000 n
-0000329256 00000 n
-0000329319 00000 n
-0000875407 00000 n
-0000857090 00000 n
-0000875234 00000 n
-0000994643 00000 n
-0000333890 00000 n
-0000332773 00000 n
-0000329506 00000 n
-0000333267 00000 n
-0000333330 00000 n
-0000333454 00000 n
-0000333579 00000 n
-0000333704 00000 n
-0000332923 00000 n
-0000333116 00000 n
-0000333827 00000 n
-0000599397 00000 n
-0000660683 00000 n
-0000338545 00000 n
-0000337509 00000 n
-0000334014 00000 n
-0000337982 00000 n
-0000338107 00000 n
-0000337659 00000 n
-0000337821 00000 n
-0000338232 00000 n
-0000338357 00000 n
-0000338482 00000 n
-0000354473 00000 n
-0000341766 00000 n
-0000341206 00000 n
-0000338669 00000 n
-0000341328 00000 n
-0000341453 00000 n
-0000341578 00000 n
-0000341703 00000 n
-0000345195 00000 n
-0000344054 00000 n
-0000341877 00000 n
-0000344508 00000 n
-0000344633 00000 n
-0000344758 00000 n
-0000344883 00000 n
-0000345008 00000 n
-0000344204 00000 n
-0000344356 00000 n
-0000345132 00000 n
-0000549512 00000 n
-0000346279 00000 n
-0000345966 00000 n
-0000345280 00000 n
-0000346089 00000 n
-0000346215 00000 n
-0000348376 00000 n
-0000347673 00000 n
-0000346377 00000 n
-0000347799 00000 n
-0000347927 00000 n
-0000348054 00000 n
-0000348182 00000 n
-0000348311 00000 n
-0000994761 00000 n
-0000351306 00000 n
-0000350417 00000 n
-0000348475 00000 n
-0000350725 00000 n
-0000350854 00000 n
-0000350919 00000 n
-0000350984 00000 n
-0000350564 00000 n
-0000351113 00000 n
-0000351242 00000 n
-0000531167 00000 n
-0000354666 00000 n
-0000354218 00000 n
-0000351418 00000 n
-0000354344 00000 n
-0000856415 00000 n
-0000844426 00000 n
-0000856236 00000 n
-0000354601 00000 n
-0000358490 00000 n
-0000358299 00000 n
-0000354792 00000 n
-0000358425 00000 n
-0000843885 00000 n
-0000834141 00000 n
-0000843706 00000 n
-0000362953 00000 n
-0000362554 00000 n
-0000358656 00000 n
-0000362888 00000 n
-0000362701 00000 n
-0000432480 00000 n
-0000365839 00000 n
-0000365389 00000 n
-0000363092 00000 n
-0000365515 00000 n
-0000365644 00000 n
-0000365709 00000 n
-0000365774 00000 n
-0000368570 00000 n
-0000371117 00000 n
-0000368414 00000 n
-0000365964 00000 n
-0000370536 00000 n
-0000370665 00000 n
-0000370794 00000 n
-0000370213 00000 n
-0000370375 00000 n
-0000833243 00000 n
-0000823447 00000 n
-0000833069 00000 n
-0000822883 00000 n
-0000813797 00000 n
-0000822708 00000 n
-0000370923 00000 n
-0000371052 00000 n
-0000994886 00000 n
-0000370042 00000 n
-0000370100 00000 n
-0000370190 00000 n
-0000472800 00000 n
-0000507926 00000 n
-0000375523 00000 n
-0000374716 00000 n
-0000371273 00000 n
-0000375200 00000 n
-0000375329 00000 n
-0000374872 00000 n
-0000375038 00000 n
-0000375458 00000 n
-0000664710 00000 n
-0000379438 00000 n
-0000378929 00000 n
-0000375675 00000 n
-0000379244 00000 n
-0000379373 00000 n
-0000379076 00000 n
-0000380664 00000 n
-0000380473 00000 n
-0000379576 00000 n
-0000380599 00000 n
-0000382994 00000 n
-0000382546 00000 n
-0000380763 00000 n
-0000382672 00000 n
-0000382801 00000 n
-0000382930 00000 n
-0000386150 00000 n
-0000385315 00000 n
-0000383119 00000 n
-0000385441 00000 n
-0000385570 00000 n
-0000385699 00000 n
-0000385827 00000 n
-0000385956 00000 n
-0000386085 00000 n
-0000390274 00000 n
-0000389504 00000 n
-0000386288 00000 n
-0000389822 00000 n
-0000389951 00000 n
-0000389651 00000 n
-0000390080 00000 n
-0000390209 00000 n
-0000995011 00000 n
-0000592086 00000 n
-0000394174 00000 n
-0000393599 00000 n
-0000390412 00000 n
-0000393725 00000 n
-0000393854 00000 n
-0000393980 00000 n
-0000394109 00000 n
-0000398139 00000 n
-0000397690 00000 n
-0000394312 00000 n
-0000397816 00000 n
-0000397945 00000 n
-0000398074 00000 n
-0000401086 00000 n
-0000400767 00000 n
-0000398264 00000 n
-0000400893 00000 n
-0000813522 00000 n
-0000810162 00000 n
-0000813343 00000 n
-0000401022 00000 n
-0000403832 00000 n
-0000403202 00000 n
-0000401255 00000 n
-0000403509 00000 n
-0000403349 00000 n
-0000403638 00000 n
-0000403767 00000 n
-0000660425 00000 n
-0000404298 00000 n
-0000404107 00000 n
-0000403957 00000 n
-0000404233 00000 n
-0000406912 00000 n
-0000406334 00000 n
-0000404340 00000 n
-0000406460 00000 n
-0000406589 00000 n
-0000406718 00000 n
-0000406847 00000 n
-0000995136 00000 n
-0000407352 00000 n
-0000407161 00000 n
-0000407011 00000 n
-0000407287 00000 n
-0000411354 00000 n
-0000410588 00000 n
-0000407394 00000 n
-0000410902 00000 n
-0000411031 00000 n
-0000411159 00000 n
-0000411224 00000 n
-0000411289 00000 n
-0000410735 00000 n
-0000415852 00000 n
-0000416044 00000 n
-0000415597 00000 n
-0000411453 00000 n
-0000415723 00000 n
-0000415979 00000 n
-0000419923 00000 n
-0000419346 00000 n
-0000416169 00000 n
-0000419472 00000 n
-0000419600 00000 n
-0000419729 00000 n
-0000419858 00000 n
-0000422740 00000 n
-0000424119 00000 n
-0000422614 00000 n
-0000420061 00000 n
-0000423666 00000 n
-0000423795 00000 n
-0000423924 00000 n
-0000423989 00000 n
-0000424054 00000 n
-0000427196 00000 n
-0000426489 00000 n
-0000424274 00000 n
-0000426615 00000 n
-0000426744 00000 n
-0000426872 00000 n
-0000426937 00000 n
-0000427002 00000 n
-0000427131 00000 n
-0000995261 00000 n
-0000432803 00000 n
-0000431885 00000 n
-0000427308 00000 n
-0000432351 00000 n
-0000432041 00000 n
-0000432192 00000 n
-0000432609 00000 n
-0000432738 00000 n
-0000788788 00000 n
-0000436642 00000 n
-0000435371 00000 n
-0000432941 00000 n
-0000436061 00000 n
-0000436190 00000 n
-0000436319 00000 n
-0000435536 00000 n
-0000435688 00000 n
-0000435874 00000 n
-0000436448 00000 n
-0000436577 00000 n
-0000440873 00000 n
-0000440553 00000 n
-0000436768 00000 n
-0000440679 00000 n
-0000440808 00000 n
-0000444348 00000 n
-0000443969 00000 n
-0000440998 00000 n
-0000444283 00000 n
-0000444116 00000 n
-0000447365 00000 n
-0000447560 00000 n
-0000447110 00000 n
-0000444460 00000 n
-0000447236 00000 n
-0000447430 00000 n
-0000447495 00000 n
-0000450929 00000 n
-0000450738 00000 n
-0000447672 00000 n
-0000450864 00000 n
-0000995386 00000 n
-0000455240 00000 n
-0000454662 00000 n
-0000451041 00000 n
-0000454788 00000 n
-0000454917 00000 n
-0000454982 00000 n
-0000455047 00000 n
-0000455176 00000 n
-0000458451 00000 n
-0000457409 00000 n
-0000455352 00000 n
-0000457870 00000 n
-0000457999 00000 n
-0000457565 00000 n
-0000457717 00000 n
-0000458128 00000 n
-0000458257 00000 n
-0000458386 00000 n
-0000460003 00000 n
-0000459812 00000 n
-0000458563 00000 n
-0000459938 00000 n
-0000461538 00000 n
-0000461347 00000 n
-0000460102 00000 n
-0000461473 00000 n
-0000464462 00000 n
-0000464142 00000 n
-0000461637 00000 n
-0000464268 00000 n
-0000464397 00000 n
-0000468893 00000 n
-0000468524 00000 n
-0000464600 00000 n
-0000468828 00000 n
-0000468671 00000 n
-0000995511 00000 n
-0000629264 00000 n
-0000472865 00000 n
-0000472545 00000 n
-0000469005 00000 n
-0000472671 00000 n
-0000476703 00000 n
-0000476383 00000 n
-0000472990 00000 n
-0000476509 00000 n
-0000476574 00000 n
-0000476638 00000 n
-0000481999 00000 n
-0000480707 00000 n
-0000476828 00000 n
-0000481934 00000 n
-0000480899 00000 n
-0000481053 00000 n
-0000481208 00000 n
-0000481393 00000 n
-0000481567 00000 n
-0000481752 00000 n
-0000553069 00000 n
-0000486301 00000 n
-0000486110 00000 n
-0000482180 00000 n
-0000486236 00000 n
-0000490065 00000 n
-0000489874 00000 n
-0000486426 00000 n
-0000490000 00000 n
-0000494379 00000 n
-0000493436 00000 n
-0000490177 00000 n
-0000493927 00000 n
-0000494056 00000 n
-0000493592 00000 n
-0000494185 00000 n
-0000494314 00000 n
-0000493761 00000 n
-0000995636 00000 n
-0000566268 00000 n
-0000498041 00000 n
-0000497479 00000 n
-0000494491 00000 n
-0000497976 00000 n
-0000497635 00000 n
-0000497806 00000 n
-0000648135 00000 n
-0000501295 00000 n
-0000500975 00000 n
-0000498210 00000 n
-0000501101 00000 n
-0000501230 00000 n
-0000504811 00000 n
-0000504491 00000 n
-0000501420 00000 n
-0000504617 00000 n
-0000504746 00000 n
-0000507991 00000 n
-0000507671 00000 n
-0000504923 00000 n
-0000507797 00000 n
-0000511939 00000 n
-0000511748 00000 n
-0000508147 00000 n
-0000511874 00000 n
-0000515826 00000 n
-0000515198 00000 n
-0000512094 00000 n
-0000515505 00000 n
-0000515634 00000 n
-0000515345 00000 n
-0000515762 00000 n
-0000995761 00000 n
-0000520020 00000 n
-0000519341 00000 n
-0000515995 00000 n
-0000519826 00000 n
-0000519497 00000 n
-0000519955 00000 n
-0000519671 00000 n
-0000524042 00000 n
-0000523593 00000 n
-0000520132 00000 n
-0000523719 00000 n
-0000523848 00000 n
-0000523977 00000 n
-0000528075 00000 n
-0000527409 00000 n
-0000524197 00000 n
-0000527882 00000 n
-0000528011 00000 n
-0000527565 00000 n
-0000527727 00000 n
-0000531362 00000 n
-0000530723 00000 n
-0000528244 00000 n
-0000531038 00000 n
-0000530870 00000 n
-0000531232 00000 n
-0000531297 00000 n
-0000535171 00000 n
-0000534668 00000 n
-0000531488 00000 n
-0000534977 00000 n
-0000535106 00000 n
-0000534815 00000 n
-0000539786 00000 n
-0000539412 00000 n
-0000535353 00000 n
-0000539721 00000 n
-0000539559 00000 n
-0000809807 00000 n
-0000807809 00000 n
-0000809642 00000 n
-0000995886 00000 n
-0000625583 00000 n
-0000543744 00000 n
-0000543107 00000 n
-0000539912 00000 n
-0000543421 00000 n
-0000543550 00000 n
-0000543254 00000 n
-0000543679 00000 n
-0000561430 00000 n
-0000545840 00000 n
-0000545649 00000 n
-0000543869 00000 n
-0000545775 00000 n
-0000549576 00000 n
-0000549257 00000 n
-0000545952 00000 n
-0000549383 00000 n
-0000553134 00000 n
-0000552685 00000 n
-0000549718 00000 n
-0000552811 00000 n
-0000552940 00000 n
-0000557657 00000 n
-0000556868 00000 n
-0000553246 00000 n
-0000557335 00000 n
-0000557024 00000 n
-0000557175 00000 n
-0000557463 00000 n
-0000557592 00000 n
-0000561624 00000 n
-0000560742 00000 n
-0000557769 00000 n
-0000561043 00000 n
-0000561172 00000 n
-0000561301 00000 n
-0000560889 00000 n
-0000561559 00000 n
-0000996011 00000 n
-0000564692 00000 n
-0000564501 00000 n
-0000561736 00000 n
-0000564627 00000 n
-0000566333 00000 n
-0000566013 00000 n
-0000564804 00000 n
-0000566139 00000 n
-0000567806 00000 n
-0000567615 00000 n
-0000566445 00000 n
-0000567741 00000 n
-0000570678 00000 n
-0000570099 00000 n
-0000567905 00000 n
-0000570225 00000 n
-0000570354 00000 n
-0000570483 00000 n
-0000570548 00000 n
-0000570613 00000 n
-0000574876 00000 n
-0000574368 00000 n
-0000570790 00000 n
-0000574682 00000 n
-0000574515 00000 n
-0000574811 00000 n
-0000788755 00000 n
-0000580772 00000 n
-0000578038 00000 n
-0000574988 00000 n
-0000580578 00000 n
-0000580707 00000 n
-0000578302 00000 n
-0000578464 00000 n
-0000578626 00000 n
-0000578787 00000 n
-0000578947 00000 n
-0000579109 00000 n
-0000579280 00000 n
-0000579442 00000 n
-0000579604 00000 n
-0000579765 00000 n
-0000579926 00000 n
-0000580089 00000 n
-0000580252 00000 n
-0000580415 00000 n
-0000996136 00000 n
-0000585994 00000 n
-0000584078 00000 n
-0000580884 00000 n
-0000585929 00000 n
-0000584306 00000 n
-0000584467 00000 n
-0000584635 00000 n
-0000584804 00000 n
-0000584966 00000 n
-0000585127 00000 n
-0000585289 00000 n
-0000585450 00000 n
-0000585613 00000 n
-0000585766 00000 n
-0000592151 00000 n
-0000589154 00000 n
-0000586119 00000 n
-0000591957 00000 n
-0000589436 00000 n
-0000589590 00000 n
-0000589744 00000 n
-0000589898 00000 n
-0000590052 00000 n
-0000590213 00000 n
-0000590375 00000 n
-0000590535 00000 n
-0000590695 00000 n
-0000590857 00000 n
-0000591017 00000 n
-0000591176 00000 n
-0000591327 00000 n
-0000591490 00000 n
-0000591641 00000 n
-0000591803 00000 n
-0000595863 00000 n
-0000595542 00000 n
-0000592263 00000 n
-0000595668 00000 n
-0000595733 00000 n
-0000595798 00000 n
-0000599718 00000 n
-0000598655 00000 n
-0000595989 00000 n
-0000599139 00000 n
-0000599268 00000 n
-0000599525 00000 n
-0000598811 00000 n
-0000598979 00000 n
-0000599590 00000 n
-0000599654 00000 n
-0000603371 00000 n
-0000603050 00000 n
-0000599887 00000 n
-0000603176 00000 n
-0000603241 00000 n
-0000603306 00000 n
-0000606631 00000 n
-0000606311 00000 n
-0000603470 00000 n
-0000606437 00000 n
-0000606502 00000 n
-0000606567 00000 n
-0000996261 00000 n
-0000610392 00000 n
-0000609812 00000 n
-0000606743 00000 n
-0000609938 00000 n
-0000610067 00000 n
-0000610132 00000 n
-0000610197 00000 n
-0000610262 00000 n
-0000610327 00000 n
-0000614704 00000 n
-0000613867 00000 n
-0000610504 00000 n
-0000613993 00000 n
-0000614122 00000 n
-0000614187 00000 n
-0000614251 00000 n
-0000614380 00000 n
-0000614445 00000 n
-0000614510 00000 n
-0000614639 00000 n
-0000618141 00000 n
-0000617305 00000 n
-0000614829 00000 n
-0000617431 00000 n
-0000617496 00000 n
-0000617561 00000 n
-0000617690 00000 n
-0000617819 00000 n
-0000617947 00000 n
-0000618076 00000 n
-0000621937 00000 n
-0000621358 00000 n
-0000618338 00000 n
-0000621484 00000 n
-0000621613 00000 n
-0000621742 00000 n
-0000621807 00000 n
-0000621872 00000 n
-0000625905 00000 n
-0000625328 00000 n
-0000622133 00000 n
-0000625454 00000 n
-0000625711 00000 n
-0000625775 00000 n
-0000625840 00000 n
-0000629717 00000 n
-0000628828 00000 n
-0000626017 00000 n
-0000629135 00000 n
-0000628975 00000 n
-0000629393 00000 n
-0000629522 00000 n
-0000629587 00000 n
-0000629652 00000 n
-0000996386 00000 n
-0000633311 00000 n
-0000632934 00000 n
-0000629842 00000 n
-0000633246 00000 n
-0000633081 00000 n
-0000788722 00000 n
-0000636457 00000 n
-0000635749 00000 n
-0000633410 00000 n
-0000635875 00000 n
-0000636004 00000 n
-0000636069 00000 n
-0000636134 00000 n
-0000636262 00000 n
-0000636327 00000 n
-0000636392 00000 n
-0000640428 00000 n
-0000639849 00000 n
-0000636569 00000 n
-0000639975 00000 n
-0000640104 00000 n
-0000640169 00000 n
-0000640234 00000 n
-0000807528 00000 n
-0000800244 00000 n
-0000807348 00000 n
-0000640363 00000 n
-0000641279 00000 n
-0000641088 00000 n
-0000640568 00000 n
-0000641214 00000 n
-0000641719 00000 n
-0000641528 00000 n
-0000641378 00000 n
-0000641654 00000 n
-0000643614 00000 n
-0000643166 00000 n
-0000641761 00000 n
-0000643292 00000 n
-0000643421 00000 n
-0000643550 00000 n
-0000996511 00000 n
-0000648200 00000 n
-0000647257 00000 n
-0000643726 00000 n
-0000647620 00000 n
-0000799923 00000 n
-0000790710 00000 n
-0000799737 00000 n
-0000647404 00000 n
-0000647749 00000 n
-0000647877 00000 n
-0000648006 00000 n
-0000649242 00000 n
-0000649051 00000 n
-0000648437 00000 n
-0000649177 00000 n
-0000649669 00000 n
-0000649478 00000 n
-0000649328 00000 n
-0000649604 00000 n
-0000652982 00000 n
-0000651756 00000 n
-0000649711 00000 n
-0000652273 00000 n
-0000652402 00000 n
-0000652531 00000 n
-0000652660 00000 n
-0000652789 00000 n
-0000652918 00000 n
-0000651912 00000 n
-0000652084 00000 n
-0000653436 00000 n
-0000653245 00000 n
-0000653095 00000 n
-0000653371 00000 n
-0000656680 00000 n
-0000656102 00000 n
-0000653478 00000 n
-0000656228 00000 n
-0000656357 00000 n
-0000656486 00000 n
-0000656615 00000 n
-0000996636 00000 n
-0000660875 00000 n
-0000659657 00000 n
-0000656766 00000 n
-0000660167 00000 n
-0000660296 00000 n
-0000660554 00000 n
-0000659813 00000 n
-0000659992 00000 n
-0000660747 00000 n
-0000660811 00000 n
-0000667762 00000 n
-0000663934 00000 n
-0000661028 00000 n
-0000664060 00000 n
-0000664125 00000 n
-0000664190 00000 n
-0000664255 00000 n
-0000664320 00000 n
-0000664385 00000 n
-0000664450 00000 n
-0000664515 00000 n
-0000664580 00000 n
-0000664645 00000 n
-0000664775 00000 n
-0000664840 00000 n
-0000664905 00000 n
-0000664970 00000 n
-0000665035 00000 n
-0000665100 00000 n
-0000665165 00000 n
-0000665230 00000 n
-0000665295 00000 n
-0000665360 00000 n
-0000665425 00000 n
-0000665490 00000 n
-0000665555 00000 n
-0000665620 00000 n
-0000665685 00000 n
-0000665750 00000 n
-0000665815 00000 n
-0000665880 00000 n
-0000665945 00000 n
-0000666010 00000 n
-0000666075 00000 n
-0000666140 00000 n
-0000666205 00000 n
-0000666270 00000 n
-0000666334 00000 n
-0000666399 00000 n
-0000666464 00000 n
-0000666529 00000 n
-0000666594 00000 n
-0000666659 00000 n
-0000666724 00000 n
-0000666789 00000 n
-0000666854 00000 n
-0000666919 00000 n
-0000666984 00000 n
-0000667049 00000 n
-0000667114 00000 n
-0000667179 00000 n
-0000667244 00000 n
-0000667309 00000 n
-0000667374 00000 n
-0000667439 00000 n
-0000667504 00000 n
-0000667569 00000 n
-0000667634 00000 n
-0000667698 00000 n
-0000674408 00000 n
-0000670844 00000 n
-0000667874 00000 n
-0000670970 00000 n
-0000671035 00000 n
-0000671100 00000 n
-0000671165 00000 n
-0000671230 00000 n
-0000671295 00000 n
-0000671360 00000 n
-0000671425 00000 n
-0000671490 00000 n
-0000671555 00000 n
-0000671620 00000 n
-0000671685 00000 n
-0000671749 00000 n
-0000671814 00000 n
-0000671879 00000 n
-0000671944 00000 n
-0000672009 00000 n
-0000672074 00000 n
-0000672139 00000 n
-0000672204 00000 n
-0000672269 00000 n
-0000672334 00000 n
-0000672399 00000 n
-0000672464 00000 n
-0000672528 00000 n
-0000672593 00000 n
-0000672658 00000 n
-0000672723 00000 n
-0000672788 00000 n
-0000672853 00000 n
-0000672918 00000 n
-0000672983 00000 n
-0000673048 00000 n
-0000673113 00000 n
-0000673178 00000 n
-0000673243 00000 n
-0000673308 00000 n
-0000673373 00000 n
-0000673438 00000 n
-0000673503 00000 n
-0000673567 00000 n
-0000673631 00000 n
-0000673695 00000 n
-0000673760 00000 n
-0000673825 00000 n
-0000673890 00000 n
-0000673955 00000 n
-0000674020 00000 n
-0000674085 00000 n
-0000674150 00000 n
-0000674215 00000 n
-0000674280 00000 n
-0000674344 00000 n
-0000680581 00000 n
-0000677143 00000 n
-0000674520 00000 n
-0000677269 00000 n
-0000677334 00000 n
-0000677399 00000 n
-0000677464 00000 n
-0000677529 00000 n
-0000677594 00000 n
-0000677659 00000 n
-0000677724 00000 n
-0000677789 00000 n
-0000677854 00000 n
-0000677919 00000 n
-0000677984 00000 n
-0000678049 00000 n
-0000678114 00000 n
-0000678179 00000 n
-0000678244 00000 n
-0000678309 00000 n
-0000678374 00000 n
-0000678439 00000 n
-0000678504 00000 n
-0000678569 00000 n
-0000678634 00000 n
-0000678699 00000 n
-0000678764 00000 n
-0000678829 00000 n
-0000678894 00000 n
-0000678959 00000 n
-0000679024 00000 n
-0000679089 00000 n
-0000679154 00000 n
-0000679219 00000 n
-0000679284 00000 n
-0000679349 00000 n
-0000679414 00000 n
-0000679478 00000 n
-0000679543 00000 n
-0000679608 00000 n
-0000679673 00000 n
-0000679738 00000 n
-0000679803 00000 n
-0000679868 00000 n
-0000679933 00000 n
-0000679998 00000 n
-0000680063 00000 n
-0000680128 00000 n
-0000680193 00000 n
-0000680258 00000 n
-0000680323 00000 n
-0000680388 00000 n
-0000680453 00000 n
-0000680517 00000 n
-0000685159 00000 n
-0000682895 00000 n
-0000680693 00000 n
-0000683021 00000 n
-0000683086 00000 n
-0000683151 00000 n
-0000683216 00000 n
-0000683281 00000 n
-0000683346 00000 n
-0000683411 00000 n
-0000683476 00000 n
-0000683541 00000 n
-0000683606 00000 n
-0000683671 00000 n
-0000683736 00000 n
-0000683801 00000 n
-0000683866 00000 n
-0000683928 00000 n
-0000683992 00000 n
-0000684057 00000 n
-0000684121 00000 n
-0000684186 00000 n
-0000684251 00000 n
-0000684316 00000 n
-0000684381 00000 n
-0000684446 00000 n
-0000684511 00000 n
-0000684576 00000 n
-0000684705 00000 n
-0000684834 00000 n
-0000684899 00000 n
-0000684964 00000 n
-0000685029 00000 n
-0000685094 00000 n
-0000687954 00000 n
-0000687310 00000 n
-0000685284 00000 n
-0000687436 00000 n
-0000687565 00000 n
-0000687694 00000 n
-0000687759 00000 n
-0000687824 00000 n
-0000687889 00000 n
-0000996761 00000 n
-0000692293 00000 n
-0000691973 00000 n
-0000688067 00000 n
-0000692099 00000 n
-0000692164 00000 n
-0000692229 00000 n
-0000695893 00000 n
-0000695638 00000 n
-0000692446 00000 n
-0000695764 00000 n
-0000695829 00000 n
-0000699141 00000 n
-0000698950 00000 n
-0000696032 00000 n
-0000699076 00000 n
-0000702870 00000 n
-0000702614 00000 n
-0000699267 00000 n
-0000702740 00000 n
-0000702805 00000 n
-0000705711 00000 n
-0000705003 00000 n
-0000703009 00000 n
-0000705129 00000 n
-0000705194 00000 n
-0000705259 00000 n
-0000705324 00000 n
-0000705389 00000 n
-0000705518 00000 n
-0000705583 00000 n
-0000705647 00000 n
-0000710377 00000 n
-0000710121 00000 n
-0000705850 00000 n
-0000710247 00000 n
-0000710312 00000 n
-0000996886 00000 n
-0000713329 00000 n
-0000712556 00000 n
-0000710503 00000 n
-0000712682 00000 n
-0000712747 00000 n
-0000712812 00000 n
-0000712877 00000 n
-0000713006 00000 n
-0000713071 00000 n
-0000713134 00000 n
-0000713199 00000 n
-0000713264 00000 n
-0000715930 00000 n
-0000715221 00000 n
-0000713482 00000 n
-0000715347 00000 n
-0000715412 00000 n
-0000715477 00000 n
-0000715542 00000 n
-0000715607 00000 n
-0000715672 00000 n
-0000715801 00000 n
-0000715866 00000 n
-0000719174 00000 n
-0000718788 00000 n
-0000716082 00000 n
-0000718914 00000 n
-0000718979 00000 n
-0000719044 00000 n
-0000719109 00000 n
-0000722308 00000 n
-0000721535 00000 n
-0000719314 00000 n
-0000721661 00000 n
-0000721726 00000 n
-0000721791 00000 n
-0000721855 00000 n
-0000721983 00000 n
-0000722048 00000 n
-0000722113 00000 n
-0000722178 00000 n
-0000722243 00000 n
-0000725696 00000 n
-0000725505 00000 n
-0000722474 00000 n
-0000725631 00000 n
-0000728805 00000 n
-0000728095 00000 n
-0000725822 00000 n
-0000728221 00000 n
-0000728286 00000 n
-0000728351 00000 n
-0000728416 00000 n
-0000728481 00000 n
-0000728610 00000 n
-0000728675 00000 n
-0000728740 00000 n
-0000997011 00000 n
-0000732357 00000 n
-0000732036 00000 n
-0000728970 00000 n
-0000732162 00000 n
-0000732227 00000 n
-0000732292 00000 n
-0000735803 00000 n
-0000735612 00000 n
-0000732483 00000 n
-0000735738 00000 n
-0000738875 00000 n
-0000738556 00000 n
-0000735929 00000 n
-0000738682 00000 n
-0000738747 00000 n
-0000738811 00000 n
-0000741446 00000 n
-0000740608 00000 n
-0000739028 00000 n
-0000740734 00000 n
-0000740799 00000 n
-0000740864 00000 n
-0000740993 00000 n
-0000741058 00000 n
-0000741123 00000 n
-0000741188 00000 n
-0000741253 00000 n
-0000741317 00000 n
-0000741382 00000 n
-0000744413 00000 n
-0000743769 00000 n
-0000741599 00000 n
-0000743895 00000 n
-0000743960 00000 n
-0000744089 00000 n
-0000744154 00000 n
-0000744218 00000 n
-0000744283 00000 n
-0000744348 00000 n
-0000747885 00000 n
-0000747694 00000 n
-0000744553 00000 n
-0000747820 00000 n
-0000997136 00000 n
-0000750693 00000 n
-0000749919 00000 n
-0000748011 00000 n
-0000750045 00000 n
-0000750110 00000 n
-0000750175 00000 n
-0000750240 00000 n
-0000750369 00000 n
-0000750434 00000 n
-0000750499 00000 n
-0000750563 00000 n
-0000750628 00000 n
-0000754095 00000 n
-0000753904 00000 n
-0000750846 00000 n
-0000754030 00000 n
-0000757131 00000 n
-0000756811 00000 n
-0000754306 00000 n
-0000756937 00000 n
-0000757002 00000 n
-0000757067 00000 n
-0000760441 00000 n
-0000759732 00000 n
-0000757355 00000 n
-0000759858 00000 n
-0000759923 00000 n
-0000759988 00000 n
-0000760052 00000 n
-0000760181 00000 n
-0000760246 00000 n
-0000760311 00000 n
-0000760376 00000 n
-0000764858 00000 n
-0000764602 00000 n
-0000760593 00000 n
-0000764728 00000 n
-0000764793 00000 n
-0000768472 00000 n
-0000768281 00000 n
-0000764984 00000 n
-0000768407 00000 n
-0000997261 00000 n
-0000771254 00000 n
-0000770870 00000 n
-0000768598 00000 n
-0000770996 00000 n
-0000771061 00000 n
-0000771126 00000 n
-0000771190 00000 n
-0000774738 00000 n
-0000774093 00000 n
-0000771406 00000 n
-0000774219 00000 n
-0000774284 00000 n
-0000774413 00000 n
-0000774478 00000 n
-0000774543 00000 n
-0000774608 00000 n
-0000774673 00000 n
-0000777803 00000 n
-0000777093 00000 n
-0000774878 00000 n
-0000777219 00000 n
-0000777284 00000 n
-0000777349 00000 n
-0000777414 00000 n
-0000777543 00000 n
-0000777608 00000 n
-0000777673 00000 n
-0000777738 00000 n
-0000780899 00000 n
-0000780643 00000 n
-0000777969 00000 n
-0000780769 00000 n
-0000780834 00000 n
-0000784041 00000 n
-0000783332 00000 n
-0000781025 00000 n
-0000783458 00000 n
-0000783523 00000 n
-0000783588 00000 n
-0000783653 00000 n
-0000783781 00000 n
-0000783846 00000 n
-0000783911 00000 n
-0000783976 00000 n
-0000787631 00000 n
-0000787310 00000 n
-0000784193 00000 n
-0000787436 00000 n
-0000787501 00000 n
-0000787566 00000 n
-0000997386 00000 n
-0000788610 00000 n
-0000788289 00000 n
-0000787770 00000 n
-0000788415 00000 n
-0000788480 00000 n
-0000788545 00000 n
-0000788821 00000 n
-0000800165 00000 n
-0000807754 00000 n
-0000810054 00000 n
-0000810023 00000 n
-0000813742 00000 n
-0000823182 00000 n
-0000833689 00000 n
-0000844173 00000 n
-0000856797 00000 n
-0000875862 00000 n
-0000896749 00000 n
-0000918892 00000 n
-0000936787 00000 n
-0000939617 00000 n
-0000939387 00000 n
-0000966924 00000 n
-0000994035 00000 n
-0000997475 00000 n
-0000997599 00000 n
-0000997725 00000 n
-0000997851 00000 n
-0000997977 00000 n
-0000998069 00000 n
-0001014684 00000 n
-0001033993 00000 n
-0001034034 00000 n
-0001034074 00000 n
-0001034208 00000 n
+0000731762 00000 n
+0001167088 00000 n
+0000017772 00000 n
+0000017819 00000 n
+0000735194 00000 n
+0001166970 00000 n
+0000017873 00000 n
+0000017918 00000 n
+0000735323 00000 n
+0001166891 00000 n
+0000017977 00000 n
+0000018036 00000 n
+0000738678 00000 n
+0001166798 00000 n
+0000018095 00000 n
+0000018159 00000 n
+0000738937 00000 n
+0001166705 00000 n
+0000018218 00000 n
+0000018274 00000 n
+0000743094 00000 n
+0001166612 00000 n
+0000018333 00000 n
+0000018391 00000 n
+0000745115 00000 n
+0001166533 00000 n
+0000018450 00000 n
+0000018512 00000 n
+0000747283 00000 n
+0001166400 00000 n
+0000018559 00000 n
+0000018611 00000 n
+0000747411 00000 n
+0001166321 00000 n
+0000018660 00000 n
+0000018704 00000 n
+0000751446 00000 n
+0001166189 00000 n
+0000018753 00000 n
+0000018794 00000 n
+0000751575 00000 n
+0001166110 00000 n
+0000018848 00000 n
+0000018896 00000 n
+0000751703 00000 n
+0001166031 00000 n
+0000018950 00000 n
+0000019001 00000 n
+0000751832 00000 n
+0001165952 00000 n
+0000019050 00000 n
+0000019097 00000 n
+0000756431 00000 n
+0001165819 00000 n
+0000019144 00000 n
+0000019181 00000 n
+0000756560 00000 n
+0001165701 00000 n
+0000019230 00000 n
+0000019269 00000 n
+0000756689 00000 n
+0001165636 00000 n
+0000019323 00000 n
+0000019401 00000 n
+0000756818 00000 n
+0001165543 00000 n
+0000019450 00000 n
+0000019517 00000 n
+0000756947 00000 n
+0001165464 00000 n
+0000019566 00000 n
+0000019611 00000 n
+0000760388 00000 n
+0001165331 00000 n
+0000019659 00000 n
+0000019691 00000 n
+0000760517 00000 n
+0001165213 00000 n
+0000019740 00000 n
+0000019779 00000 n
+0000760646 00000 n
+0001165148 00000 n
+0000019833 00000 n
+0000019894 00000 n
+0000764328 00000 n
+0001165016 00000 n
+0000019943 00000 n
+0000020000 00000 n
+0000764457 00000 n
+0001164951 00000 n
+0000020054 00000 n
+0000020103 00000 n
+0000764586 00000 n
+0001164819 00000 n
+0000020152 00000 n
+0000020214 00000 n
+0000764715 00000 n
+0001164740 00000 n
+0000020268 00000 n
+0000020323 00000 n
+0000789557 00000 n
+0001164647 00000 n
+0000020377 00000 n
+0000020418 00000 n
+0000789686 00000 n
+0001164568 00000 n
+0000020472 00000 n
+0000020524 00000 n
+0000790075 00000 n
+0001164450 00000 n
+0000020573 00000 n
+0000020623 00000 n
+0000792896 00000 n
+0001164371 00000 n
+0000020677 00000 n
+0000020715 00000 n
+0000793025 00000 n
+0001164278 00000 n
+0000020769 00000 n
+0000020806 00000 n
+0000793154 00000 n
+0001164185 00000 n
+0000020860 00000 n
+0000020898 00000 n
+0000793283 00000 n
+0001164092 00000 n
+0000020952 00000 n
+0000021004 00000 n
+0000796519 00000 n
+0001163999 00000 n
+0000021058 00000 n
+0000021101 00000 n
+0000796647 00000 n
+0001163867 00000 n
+0000021155 00000 n
+0000021200 00000 n
+0000796775 00000 n
+0001163788 00000 n
+0000021259 00000 n
+0000021325 00000 n
+0000799761 00000 n
+0001163695 00000 n
+0000021384 00000 n
+0000021472 00000 n
+0000799890 00000 n
+0001163602 00000 n
+0000021531 00000 n
+0000021606 00000 n
+0000800019 00000 n
+0001163509 00000 n
+0000021665 00000 n
+0000021750 00000 n
+0000802928 00000 n
+0001163416 00000 n
+0000021809 00000 n
+0000021890 00000 n
+0000805389 00000 n
+0001163337 00000 n
+0000021949 00000 n
+0000022033 00000 n
+0000805518 00000 n
+0001163258 00000 n
+0000022087 00000 n
+0000022131 00000 n
+0000808347 00000 n
+0001163138 00000 n
+0000022179 00000 n
+0000022213 00000 n
+0000808476 00000 n
+0001163059 00000 n
+0000022262 00000 n
+0000022289 00000 n
+0000826443 00000 n
+0001162966 00000 n
+0000022338 00000 n
+0000022366 00000 n
+0000834001 00000 n
+0001162873 00000 n
+0000022415 00000 n
+0000022455 00000 n
+0000840285 00000 n
+0001162780 00000 n
+0000022504 00000 n
+0000022547 00000 n
+0000846820 00000 n
+0001162687 00000 n
+0000022596 00000 n
+0000022633 00000 n
+0000860111 00000 n
+0001162594 00000 n
+0000022682 00000 n
+0000022719 00000 n
+0000862987 00000 n
+0001162501 00000 n
+0000022768 00000 n
+0000022806 00000 n
+0000869773 00000 n
+0001162408 00000 n
+0000022855 00000 n
+0000022894 00000 n
+0000883267 00000 n
+0001162315 00000 n
+0000022943 00000 n
+0000022982 00000 n
+0000886248 00000 n
+0001162222 00000 n
+0000023032 00000 n
+0000023072 00000 n
+0000895738 00000 n
+0001162129 00000 n
+0000023122 00000 n
+0000023152 00000 n
+0000904634 00000 n
+0001162036 00000 n
+0000023202 00000 n
+0000023245 00000 n
+0000908923 00000 n
+0001161943 00000 n
+0000023295 00000 n
+0000023328 00000 n
+0000922876 00000 n
+0001161850 00000 n
+0000023378 00000 n
+0000023407 00000 n
+0000926106 00000 n
+0001161757 00000 n
+0000023457 00000 n
+0000023491 00000 n
+0000932020 00000 n
+0001161664 00000 n
+0000023541 00000 n
+0000023578 00000 n
+0000938780 00000 n
+0001161571 00000 n
+0000023628 00000 n
+0000023665 00000 n
+0000941136 00000 n
+0001161478 00000 n
+0000023715 00000 n
+0000023748 00000 n
+0000941590 00000 n
+0001161385 00000 n
+0000023798 00000 n
+0000023832 00000 n
+0000944356 00000 n
+0001161292 00000 n
+0000023882 00000 n
+0000023921 00000 n
+0000946966 00000 n
+0001161213 00000 n
+0000023971 00000 n
+0000024005 00000 n
+0000024378 00000 n
+0000024500 00000 n
+0000289301 00000 n
+0000024058 00000 n
+0000289175 00000 n
+0000289238 00000 n
+0001155435 00000 n
+0001129350 00000 n
+0001155261 00000 n
+0001156473 00000 n
+0000025809 00000 n
+0000026002 00000 n
+0000026082 00000 n
+0000026119 00000 n
+0000026200 00000 n
+0000026324 00000 n
+0000026583 00000 n
+0000026942 00000 n
+0000026974 00000 n
+0000027068 00000 n
+0000028101 00000 n
+0000039237 00000 n
+0000104827 00000 n
+0000170417 00000 n
+0000236007 00000 n
+0000290731 00000 n
+0000290546 00000 n
+0000289401 00000 n
+0000290668 00000 n
+0001128114 00000 n
+0001101495 00000 n
+0001127940 00000 n
+0001100810 00000 n
+0001098665 00000 n
+0001100646 00000 n
+0000302473 00000 n
+0000293782 00000 n
+0000290816 00000 n
+0000302347 00000 n
+0000302410 00000 n
+0000294336 00000 n
+0000294490 00000 n
+0000294647 00000 n
+0000294804 00000 n
+0000294961 00000 n
+0000295118 00000 n
+0000295280 00000 n
+0000295442 00000 n
+0000295603 00000 n
+0000295765 00000 n
+0000295932 00000 n
+0000296099 00000 n
+0000296264 00000 n
+0000296426 00000 n
+0000296592 00000 n
+0000296754 00000 n
+0000296908 00000 n
+0000297065 00000 n
+0000297222 00000 n
+0000297378 00000 n
+0000297534 00000 n
+0000297691 00000 n
+0000297846 00000 n
+0000298003 00000 n
+0000298165 00000 n
+0000298327 00000 n
+0000298484 00000 n
+0000298639 00000 n
+0000298800 00000 n
+0000298967 00000 n
+0000299134 00000 n
+0000299296 00000 n
+0000299452 00000 n
+0000299610 00000 n
+0000299768 00000 n
+0000299931 00000 n
+0000300089 00000 n
+0000300247 00000 n
+0000300409 00000 n
+0000300567 00000 n
+0000300730 00000 n
+0000300898 00000 n
+0000301066 00000 n
+0000301229 00000 n
+0000301392 00000 n
+0000301555 00000 n
+0000301717 00000 n
+0000301880 00000 n
+0000302036 00000 n
+0000302192 00000 n
+0000315981 00000 n
+0000305912 00000 n
+0000302558 00000 n
+0000315916 00000 n
+0001098077 00000 n
+0001080656 00000 n
+0001097891 00000 n
+0000306562 00000 n
+0000306726 00000 n
+0000306889 00000 n
+0000307053 00000 n
+0000307212 00000 n
+0000307376 00000 n
+0000307540 00000 n
+0000307704 00000 n
+0000307868 00000 n
+0000308032 00000 n
+0000308196 00000 n
+0000308360 00000 n
+0000308524 00000 n
+0000308688 00000 n
+0000308853 00000 n
+0000309018 00000 n
+0000309183 00000 n
+0000309348 00000 n
+0000309508 00000 n
+0000309673 00000 n
+0000309837 00000 n
+0000309997 00000 n
+0000310162 00000 n
+0000310332 00000 n
+0000310502 00000 n
+0000310672 00000 n
+0000310836 00000 n
+0000311005 00000 n
+0000311175 00000 n
+0000311345 00000 n
+0000311509 00000 n
+0000311674 00000 n
+0000311839 00000 n
+0000312004 00000 n
+0000312164 00000 n
+0000312329 00000 n
+0000312494 00000 n
+0000312651 00000 n
+0000312810 00000 n
+0000312969 00000 n
+0000313125 00000 n
+0000313284 00000 n
+0000313448 00000 n
+0000313617 00000 n
+0000313786 00000 n
+0000313950 00000 n
+0000314119 00000 n
+0000314288 00000 n
+0000314447 00000 n
+0000314611 00000 n
+0000314775 00000 n
+0000314939 00000 n
+0000315103 00000 n
+0000315267 00000 n
+0000315431 00000 n
+0000315593 00000 n
+0000315754 00000 n
+0000330136 00000 n
+0000319588 00000 n
+0000316081 00000 n
+0000330071 00000 n
+0000320256 00000 n
+0000320420 00000 n
+0000320589 00000 n
+0000320758 00000 n
+0000320926 00000 n
+0000321090 00000 n
+0000321253 00000 n
+0000321417 00000 n
+0000321581 00000 n
+0000321745 00000 n
+0000321908 00000 n
+0000322077 00000 n
+0000322246 00000 n
+0000322414 00000 n
+0000322583 00000 n
+0000322752 00000 n
+0000322921 00000 n
+0000323090 00000 n
+0000323259 00000 n
+0000323427 00000 n
+0000323597 00000 n
+0000323767 00000 n
+0000323937 00000 n
+0000324107 00000 n
+0000324277 00000 n
+0000324447 00000 n
+0000324617 00000 n
+0000324787 00000 n
+0000324957 00000 n
+0000325127 00000 n
+0000325296 00000 n
+0000325460 00000 n
+0000325624 00000 n
+0000325788 00000 n
+0000325952 00000 n
+0000326116 00000 n
+0000326279 00000 n
+0000326443 00000 n
+0000326607 00000 n
+0000326770 00000 n
+0000326934 00000 n
+0000327098 00000 n
+0000327262 00000 n
+0000327431 00000 n
+0000327600 00000 n
+0000327768 00000 n
+0000327937 00000 n
+0000328095 00000 n
+0000328257 00000 n
+0000328425 00000 n
+0000328592 00000 n
+0000328755 00000 n
+0000328918 00000 n
+0000329081 00000 n
+0000329244 00000 n
+0000329412 00000 n
+0000329579 00000 n
+0000329745 00000 n
+0000329910 00000 n
+0000343318 00000 n
+0000333744 00000 n
+0000330236 00000 n
+0000343253 00000 n
+0000334376 00000 n
+0000334539 00000 n
+0000334697 00000 n
+0000334865 00000 n
+0000335028 00000 n
+0000335196 00000 n
+0000335364 00000 n
+0000335531 00000 n
+0001079765 00000 n
+0001058431 00000 n
+0001079589 00000 n
+0000335697 00000 n
+0000335864 00000 n
+0000336020 00000 n
+0000336177 00000 n
+0000336335 00000 n
+0000336498 00000 n
+0000336661 00000 n
+0000336819 00000 n
+0000336975 00000 n
+0000337133 00000 n
+0000337296 00000 n
+0000337454 00000 n
+0000337612 00000 n
+0000337769 00000 n
+0000337927 00000 n
+0000338090 00000 n
+0000338248 00000 n
+0000338411 00000 n
+0000338569 00000 n
+0000338732 00000 n
+0000338895 00000 n
+0000339058 00000 n
+0000339216 00000 n
+0000339379 00000 n
+0000339542 00000 n
+0000339705 00000 n
+0000339868 00000 n
+0000340031 00000 n
+0000340194 00000 n
+0000340362 00000 n
+0000340530 00000 n
+0000340697 00000 n
+0000340864 00000 n
+0000341032 00000 n
+0000341200 00000 n
+0000341363 00000 n
+0000341519 00000 n
+0000341677 00000 n
+0000341835 00000 n
+0000341993 00000 n
+0000342151 00000 n
+0000342309 00000 n
+0000342467 00000 n
+0000342625 00000 n
+0000342783 00000 n
+0000342939 00000 n
+0000343096 00000 n
+0000346157 00000 n
+0000344278 00000 n
+0000343432 00000 n
+0000346092 00000 n
+0000344506 00000 n
+0000344665 00000 n
+0000344824 00000 n
+0001057463 00000 n
+0001037493 00000 n
+0001057288 00000 n
+0000344982 00000 n
+0000345141 00000 n
+0000345299 00000 n
+0000345458 00000 n
+0000345617 00000 n
+0000345776 00000 n
+0000345933 00000 n
+0001156594 00000 n
+0000349280 00000 n
+0000348513 00000 n
+0000346258 00000 n
+0000348701 00000 n
+0000348829 00000 n
+0000348957 00000 n
+0000349085 00000 n
+0000349150 00000 n
+0000349215 00000 n
+0001036676 00000 n
+0001018211 00000 n
+0001036501 00000 n
+0000353817 00000 n
+0000352676 00000 n
+0000349408 00000 n
+0000353178 00000 n
+0000353243 00000 n
+0000353370 00000 n
+0000353498 00000 n
+0000353626 00000 n
+0000352832 00000 n
+0000353026 00000 n
+0000353752 00000 n
+0000702777 00000 n
+0000764779 00000 n
+0000358499 00000 n
+0000357441 00000 n
+0000353945 00000 n
+0000357922 00000 n
+0000358050 00000 n
+0000357597 00000 n
+0000357760 00000 n
+0000358178 00000 n
+0000358306 00000 n
+0000358434 00000 n
+0000374296 00000 n
+0000361740 00000 n
+0000361165 00000 n
+0000358627 00000 n
+0000361291 00000 n
+0000361419 00000 n
+0000361547 00000 n
+0000361675 00000 n
+0000365198 00000 n
+0000364032 00000 n
+0000361854 00000 n
+0000364494 00000 n
+0000364622 00000 n
+0000364750 00000 n
+0000364878 00000 n
+0000365006 00000 n
+0000364188 00000 n
+0000364341 00000 n
+0000365133 00000 n
+0000626071 00000 n
+0000366275 00000 n
+0000365956 00000 n
+0000365284 00000 n
+0000366082 00000 n
+0000366210 00000 n
+0001156719 00000 n
+0000368318 00000 n
+0000367615 00000 n
+0000366375 00000 n
+0000367741 00000 n
+0000367869 00000 n
+0000367996 00000 n
+0000368124 00000 n
+0000368253 00000 n
+0000370897 00000 n
+0000370267 00000 n
+0000368418 00000 n
+0000370573 00000 n
+0000370702 00000 n
+0000370767 00000 n
+0000370832 00000 n
+0000370414 00000 n
+0000607020 00000 n
+0000374490 00000 n
+0000373785 00000 n
+0000371011 00000 n
+0000373911 00000 n
+0000374040 00000 n
+0000374167 00000 n
+0001017528 00000 n
+0001005466 00000 n
+0001017349 00000 n
+0000374425 00000 n
+0000379097 00000 n
+0000378207 00000 n
+0000374618 00000 n
+0000379032 00000 n
+0001004893 00000 n
+0000993960 00000 n
+0001004714 00000 n
+0000378381 00000 n
+0000378536 00000 n
+0000378706 00000 n
+0000378861 00000 n
+0000524492 00000 n
+0000691960 00000 n
+0000382462 00000 n
+0000382271 00000 n
+0000379266 00000 n
+0000382397 00000 n
+0000387241 00000 n
+0000386843 00000 n
+0000382604 00000 n
+0000387176 00000 n
+0000386990 00000 n
+0001156844 00000 n
+0000491355 00000 n
+0000389484 00000 n
+0000389036 00000 n
+0000387397 00000 n
+0000389162 00000 n
+0000389290 00000 n
+0000389355 00000 n
+0000389420 00000 n
+0000389953 00000 n
+0000389762 00000 n
+0000389612 00000 n
+0000389888 00000 n
+0000392648 00000 n
+0000395238 00000 n
+0000392483 00000 n
+0000389995 00000 n
+0000394786 00000 n
+0000394915 00000 n
+0000395044 00000 n
+0000394291 00000 n
+0000394453 00000 n
+0000993054 00000 n
+0000983034 00000 n
+0000992880 00000 n
+0000982470 00000 n
+0000973384 00000 n
+0000982295 00000 n
+0000395173 00000 n
+0000394615 00000 n
+0000394120 00000 n
+0000394178 00000 n
+0000394268 00000 n
+0000544452 00000 n
+0000584547 00000 n
+0000399868 00000 n
+0000398932 00000 n
+0000395409 00000 n
+0000399416 00000 n
+0000399545 00000 n
+0000399674 00000 n
+0000399088 00000 n
+0000399254 00000 n
+0000399803 00000 n
+0000768810 00000 n
+0000403588 00000 n
+0000403268 00000 n
+0000400024 00000 n
+0000403394 00000 n
+0000403523 00000 n
+0000405164 00000 n
+0000404784 00000 n
+0000403729 00000 n
+0000405099 00000 n
+0000404931 00000 n
+0001156969 00000 n
+0000406741 00000 n
+0000406422 00000 n
+0000405265 00000 n
+0000406548 00000 n
+0000406677 00000 n
+0000410203 00000 n
+0000409367 00000 n
+0000406855 00000 n
+0000409493 00000 n
+0000409622 00000 n
+0000409751 00000 n
+0000409880 00000 n
+0000410009 00000 n
+0000410138 00000 n
+0000414052 00000 n
+0000413155 00000 n
+0000410345 00000 n
+0000413472 00000 n
+0000413601 00000 n
+0000413730 00000 n
+0000413302 00000 n
+0000413859 00000 n
+0000413988 00000 n
+0000418170 00000 n
+0000417593 00000 n
+0000414193 00000 n
+0000417719 00000 n
+0000417848 00000 n
+0000417976 00000 n
+0000418105 00000 n
+0000422201 00000 n
+0000421753 00000 n
+0000418312 00000 n
+0000421879 00000 n
+0000422008 00000 n
+0000422136 00000 n
+0000424201 00000 n
+0000424010 00000 n
+0000422329 00000 n
+0000424136 00000 n
+0001157094 00000 n
+0000427470 00000 n
+0000427021 00000 n
+0000424302 00000 n
+0000427147 00000 n
+0000973109 00000 n
+0000969750 00000 n
+0000972930 00000 n
+0000427276 00000 n
+0000427405 00000 n
+0000431533 00000 n
+0000430596 00000 n
+0000427641 00000 n
+0000431081 00000 n
+0000431210 00000 n
+0000431339 00000 n
+0000969395 00000 n
+0000967397 00000 n
+0000969230 00000 n
+0000430752 00000 n
+0000430917 00000 n
+0000431468 00000 n
+0000846884 00000 n
+0000863051 00000 n
+0000434908 00000 n
+0000434331 00000 n
+0000431661 00000 n
+0000434457 00000 n
+0000434586 00000 n
+0000434715 00000 n
+0000434844 00000 n
+0000438906 00000 n
+0000437510 00000 n
+0000435022 00000 n
+0000437813 00000 n
+0000437942 00000 n
+0000438070 00000 n
+0000438199 00000 n
+0000438328 00000 n
+0000438455 00000 n
+0000438584 00000 n
+0000438713 00000 n
+0000438842 00000 n
+0000437657 00000 n
+0000654219 00000 n
+0000442628 00000 n
+0000442179 00000 n
+0000439034 00000 n
+0000442305 00000 n
+0000442434 00000 n
+0000442563 00000 n
+0000445788 00000 n
+0000445468 00000 n
+0000442742 00000 n
+0000445594 00000 n
+0000445723 00000 n
+0001157219 00000 n
+0000448611 00000 n
+0000448163 00000 n
+0000445958 00000 n
+0000448289 00000 n
+0000448418 00000 n
+0000448546 00000 n
+0000451649 00000 n
+0000451073 00000 n
+0000448768 00000 n
+0000451199 00000 n
+0000451328 00000 n
+0000451457 00000 n
+0000451586 00000 n
+0000454531 00000 n
+0000453825 00000 n
+0000451763 00000 n
+0000453951 00000 n
+0000454080 00000 n
+0000454209 00000 n
+0000454338 00000 n
+0000454467 00000 n
+0000457225 00000 n
+0000457034 00000 n
+0000454645 00000 n
+0000457160 00000 n
+0000459732 00000 n
+0000460980 00000 n
+0000459606 00000 n
+0000457339 00000 n
+0000460658 00000 n
+0000460787 00000 n
+0000460915 00000 n
+0000464030 00000 n
+0000463271 00000 n
+0000461151 00000 n
+0000463578 00000 n
+0000463707 00000 n
+0000463418 00000 n
+0000463836 00000 n
+0000463965 00000 n
+0001157344 00000 n
+0000764521 00000 n
+0000466730 00000 n
+0000466152 00000 n
+0000464158 00000 n
+0000466278 00000 n
+0000466407 00000 n
+0000466536 00000 n
+0000466665 00000 n
+0000467171 00000 n
+0000466980 00000 n
+0000466830 00000 n
+0000467106 00000 n
+0000471258 00000 n
+0000470492 00000 n
+0000467213 00000 n
+0000470806 00000 n
+0000470935 00000 n
+0000471063 00000 n
+0000471128 00000 n
+0000471193 00000 n
+0000470639 00000 n
+0000475756 00000 n
+0000475948 00000 n
+0000475501 00000 n
+0000471358 00000 n
+0000475627 00000 n
+0000475883 00000 n
+0000479800 00000 n
+0000479222 00000 n
+0000476076 00000 n
+0000479348 00000 n
+0000479477 00000 n
+0000479606 00000 n
+0000479735 00000 n
+0000482910 00000 n
+0000482332 00000 n
+0000479941 00000 n
+0000482458 00000 n
+0000482587 00000 n
+0000482716 00000 n
+0000482781 00000 n
+0000482845 00000 n
+0001157469 00000 n
+0000486235 00000 n
+0000485531 00000 n
+0000483067 00000 n
+0000485657 00000 n
+0000485786 00000 n
+0000485914 00000 n
+0000485979 00000 n
+0000486044 00000 n
+0000486170 00000 n
+0000491548 00000 n
+0000490760 00000 n
+0000486349 00000 n
+0000491226 00000 n
+0000490916 00000 n
+0000491067 00000 n
+0000491484 00000 n
+0000948376 00000 n
+0000495413 00000 n
+0000494142 00000 n
+0000491689 00000 n
+0000494832 00000 n
+0000494961 00000 n
+0000495090 00000 n
+0000495219 00000 n
+0000494307 00000 n
+0000494459 00000 n
+0000494645 00000 n
+0000495348 00000 n
+0000499560 00000 n
+0000499111 00000 n
+0000495541 00000 n
+0000499237 00000 n
+0000499366 00000 n
+0000499495 00000 n
+0000503466 00000 n
+0000503087 00000 n
+0000499688 00000 n
+0000503401 00000 n
+0000503234 00000 n
+0000506316 00000 n
+0000506511 00000 n
+0000506061 00000 n
+0000503580 00000 n
+0000506187 00000 n
+0000506381 00000 n
+0000506446 00000 n
+0001157594 00000 n
+0000510072 00000 n
+0000509881 00000 n
+0000506625 00000 n
+0000510007 00000 n
+0000513619 00000 n
+0000513170 00000 n
+0000510186 00000 n
+0000513296 00000 n
+0000513424 00000 n
+0000513489 00000 n
+0000513554 00000 n
+0000517215 00000 n
+0000516432 00000 n
+0000513733 00000 n
+0000516893 00000 n
+0000517022 00000 n
+0000517150 00000 n
+0000516588 00000 n
+0000516741 00000 n
+0000519411 00000 n
+0000518833 00000 n
+0000517329 00000 n
+0000518959 00000 n
+0000519088 00000 n
+0000519217 00000 n
+0000519346 00000 n
+0000520991 00000 n
+0000520800 00000 n
+0000519525 00000 n
+0000520926 00000 n
+0000522519 00000 n
+0000522328 00000 n
+0000521092 00000 n
+0000522454 00000 n
+0001157719 00000 n
+0000524556 00000 n
+0000524237 00000 n
+0000522620 00000 n
+0000524363 00000 n
+0000528083 00000 n
+0000527892 00000 n
+0000524670 00000 n
+0000528018 00000 n
+0000532444 00000 n
+0000532075 00000 n
+0000528225 00000 n
+0000532379 00000 n
+0000532222 00000 n
+0000731826 00000 n
+0000536380 00000 n
+0000535998 00000 n
+0000532572 00000 n
+0000536315 00000 n
+0000536145 00000 n
+0000540898 00000 n
+0000540533 00000 n
+0000536508 00000 n
+0000540833 00000 n
+0000540680 00000 n
+0000544646 00000 n
+0000544197 00000 n
+0000541040 00000 n
+0000544323 00000 n
+0000544517 00000 n
+0000544581 00000 n
+0001157844 00000 n
+0000548947 00000 n
+0000548581 00000 n
+0000544774 00000 n
+0000548882 00000 n
+0000548728 00000 n
+0000554031 00000 n
+0000552898 00000 n
+0000549075 00000 n
+0000553966 00000 n
+0000553081 00000 n
+0000553237 00000 n
+0000553422 00000 n
+0000553596 00000 n
+0000553781 00000 n
+0000640740 00000 n
+0000558307 00000 n
+0000558116 00000 n
+0000554229 00000 n
+0000558242 00000 n
+0000562260 00000 n
+0000562069 00000 n
+0000558421 00000 n
+0000562195 00000 n
+0000566114 00000 n
+0000565794 00000 n
+0000562374 00000 n
+0000565920 00000 n
+0000566049 00000 n
+0000569878 00000 n
+0000569062 00000 n
+0000566228 00000 n
+0000569555 00000 n
+0000569218 00000 n
+0000569684 00000 n
+0000569813 00000 n
+0000569388 00000 n
+0001157969 00000 n
+0000659573 00000 n
+0000574304 00000 n
+0000573613 00000 n
+0000570035 00000 n
+0000574110 00000 n
+0000573769 00000 n
+0000573939 00000 n
+0000574239 00000 n
+0000751896 00000 n
+0000577652 00000 n
+0000577332 00000 n
+0000574432 00000 n
+0000577458 00000 n
+0000577587 00000 n
+0000580605 00000 n
+0000580414 00000 n
+0000577766 00000 n
+0000580540 00000 n
+0000584611 00000 n
+0000584292 00000 n
+0000580776 00000 n
+0000584418 00000 n
+0000588170 00000 n
+0000587979 00000 n
+0000584768 00000 n
+0000588105 00000 n
+0000592511 00000 n
+0000591697 00000 n
+0000588341 00000 n
+0000592188 00000 n
+0000592317 00000 n
+0000591853 00000 n
+0000592446 00000 n
+0000592014 00000 n
+0001158094 00000 n
+0000596595 00000 n
+0000595971 00000 n
+0000592668 00000 n
+0000596273 00000 n
+0000596402 00000 n
+0000596118 00000 n
+0000596531 00000 n
+0000599815 00000 n
+0000599495 00000 n
+0000596723 00000 n
+0000599621 00000 n
+0000599750 00000 n
+0000603666 00000 n
+0000603000 00000 n
+0000599972 00000 n
+0000603473 00000 n
+0000603601 00000 n
+0000603156 00000 n
+0000603317 00000 n
+0000607215 00000 n
+0000606574 00000 n
+0000603837 00000 n
+0000606891 00000 n
+0000606721 00000 n
+0000607085 00000 n
+0000607150 00000 n
+0000611096 00000 n
+0000610593 00000 n
+0000607400 00000 n
+0000610902 00000 n
+0000611031 00000 n
+0000610740 00000 n
+0000615678 00000 n
+0000615303 00000 n
+0000611267 00000 n
+0000615613 00000 n
+0000615450 00000 n
+0001158219 00000 n
+0000728061 00000 n
+0000619594 00000 n
+0000618956 00000 n
+0000615806 00000 n
+0000619272 00000 n
+0000619401 00000 n
+0000619103 00000 n
+0000619529 00000 n
+0000657690 00000 n
+0000622185 00000 n
+0000621994 00000 n
+0000619721 00000 n
+0000622120 00000 n
+0000626264 00000 n
+0000625817 00000 n
+0000622355 00000 n
+0000625943 00000 n
+0000626199 00000 n
+0000630269 00000 n
+0000629906 00000 n
+0000626378 00000 n
+0000630204 00000 n
+0000630053 00000 n
+0000634441 00000 n
+0000634121 00000 n
+0000630397 00000 n
+0000634247 00000 n
+0000634376 00000 n
+0000638406 00000 n
+0000638215 00000 n
+0000634568 00000 n
+0000638341 00000 n
+0001158344 00000 n
+0000640805 00000 n
+0000640356 00000 n
+0000638533 00000 n
+0000640482 00000 n
+0000640611 00000 n
+0000645519 00000 n
+0000644988 00000 n
+0000640919 00000 n
+0000645454 00000 n
+0000645144 00000 n
+0000645295 00000 n
+0000649846 00000 n
+0000648964 00000 n
+0000645619 00000 n
+0000649265 00000 n
+0000649394 00000 n
+0000649523 00000 n
+0000649652 00000 n
+0000649781 00000 n
+0000649111 00000 n
+0000654284 00000 n
+0000653835 00000 n
+0000649960 00000 n
+0000653961 00000 n
+0000654090 00000 n
+0000657884 00000 n
+0000657435 00000 n
+0000654426 00000 n
+0000657561 00000 n
+0000657819 00000 n
+0000659638 00000 n
+0000659318 00000 n
+0000657998 00000 n
+0000659444 00000 n
+0001158469 00000 n
+0000661250 00000 n
+0000661059 00000 n
+0000659752 00000 n
+0000661185 00000 n
+0000662636 00000 n
+0000662445 00000 n
+0000661351 00000 n
+0000662571 00000 n
+0000666358 00000 n
+0000665779 00000 n
+0000662737 00000 n
+0000665905 00000 n
+0000666034 00000 n
+0000666163 00000 n
+0000666228 00000 n
+0000666293 00000 n
+0000670465 00000 n
+0000669957 00000 n
+0000666472 00000 n
+0000670271 00000 n
+0000670104 00000 n
+0000670400 00000 n
+0000948343 00000 n
+0000676387 00000 n
+0000673480 00000 n
+0000670579 00000 n
+0000676193 00000 n
+0000676322 00000 n
+0000673753 00000 n
+0000673915 00000 n
+0000674077 00000 n
+0000674239 00000 n
+0000674401 00000 n
+0000674563 00000 n
+0000674734 00000 n
+0000674896 00000 n
+0000675059 00000 n
+0000675219 00000 n
+0000675380 00000 n
+0000675543 00000 n
+0000675706 00000 n
+0000675869 00000 n
+0000676032 00000 n
+0000681485 00000 n
+0000679568 00000 n
+0000676501 00000 n
+0000681420 00000 n
+0000679796 00000 n
+0000679957 00000 n
+0000680125 00000 n
+0000680295 00000 n
+0000680456 00000 n
+0000680618 00000 n
+0000680780 00000 n
+0000680942 00000 n
+0000681105 00000 n
+0000681259 00000 n
+0001158594 00000 n
+0000686017 00000 n
+0000684655 00000 n
+0000681613 00000 n
+0000685952 00000 n
+0000684856 00000 n
+0000685010 00000 n
+0000685164 00000 n
+0000685318 00000 n
+0000685472 00000 n
+0000685634 00000 n
+0000685794 00000 n
+0000692025 00000 n
+0000689661 00000 n
+0000686145 00000 n
+0000691833 00000 n
+0000689907 00000 n
+0000690068 00000 n
+0000690230 00000 n
+0000690392 00000 n
+0000690554 00000 n
+0000690708 00000 n
+0000690871 00000 n
+0000691026 00000 n
+0000691191 00000 n
+0000691357 00000 n
+0000691519 00000 n
+0000691673 00000 n
+0000696120 00000 n
+0000695799 00000 n
+0000692153 00000 n
+0000695925 00000 n
+0000695990 00000 n
+0000696055 00000 n
+0000698894 00000 n
+0000698703 00000 n
+0000696262 00000 n
+0000698829 00000 n
+0000703101 00000 n
+0000702031 00000 n
+0000699052 00000 n
+0000702519 00000 n
+0000702648 00000 n
+0000702906 00000 n
+0000702187 00000 n
+0000702357 00000 n
+0000702971 00000 n
+0000703036 00000 n
+0000706552 00000 n
+0000706232 00000 n
+0000703229 00000 n
+0000706358 00000 n
+0000706423 00000 n
+0000706487 00000 n
+0001158719 00000 n
+0000710040 00000 n
+0000709719 00000 n
+0000706653 00000 n
+0000709845 00000 n
+0000709910 00000 n
+0000709975 00000 n
+0000713961 00000 n
+0000713252 00000 n
+0000710155 00000 n
+0000713378 00000 n
+0000713507 00000 n
+0000713572 00000 n
+0000713637 00000 n
+0000713702 00000 n
+0000713767 00000 n
+0000713896 00000 n
+0000718202 00000 n
+0000717365 00000 n
+0000714075 00000 n
+0000717491 00000 n
+0000717556 00000 n
+0000717621 00000 n
+0000717750 00000 n
+0000717815 00000 n
+0000717880 00000 n
+0000718009 00000 n
+0000718074 00000 n
+0000718138 00000 n
+0000721229 00000 n
+0000720527 00000 n
+0000718330 00000 n
+0000720653 00000 n
+0000720780 00000 n
+0000720907 00000 n
+0000721036 00000 n
+0000721164 00000 n
+0000723939 00000 n
+0000723362 00000 n
+0000721428 00000 n
+0000723488 00000 n
+0000723617 00000 n
+0000723746 00000 n
+0000723811 00000 n
+0000723875 00000 n
+0000728126 00000 n
+0000727806 00000 n
+0000724124 00000 n
+0000727932 00000 n
+0001158844 00000 n
+0000731891 00000 n
+0000731131 00000 n
+0000728253 00000 n
+0000731438 00000 n
+0000731567 00000 n
+0000731632 00000 n
+0000731697 00000 n
+0000731278 00000 n
+0000735582 00000 n
+0000735003 00000 n
+0000732005 00000 n
+0000735129 00000 n
+0000735258 00000 n
+0000735387 00000 n
+0000735452 00000 n
+0000735517 00000 n
+0000739196 00000 n
+0000738301 00000 n
+0000735696 00000 n
+0000738613 00000 n
+0000738448 00000 n
+0000738742 00000 n
+0000738807 00000 n
+0000738872 00000 n
+0000739001 00000 n
+0000739066 00000 n
+0000739131 00000 n
+0000948310 00000 n
+0000743353 00000 n
+0000742903 00000 n
+0000739310 00000 n
+0000743029 00000 n
+0000743158 00000 n
+0000743223 00000 n
+0000743288 00000 n
+0000745244 00000 n
+0000744924 00000 n
+0000743481 00000 n
+0000745050 00000 n
+0000967116 00000 n
+0000959832 00000 n
+0000966936 00000 n
+0000745179 00000 n
+0000745727 00000 n
+0000745536 00000 n
+0000745386 00000 n
+0000745662 00000 n
+0001158969 00000 n
+0000747539 00000 n
+0000747092 00000 n
+0000745769 00000 n
+0000747218 00000 n
+0000747347 00000 n
+0000747474 00000 n
+0000751961 00000 n
+0000751018 00000 n
+0000747653 00000 n
+0000751381 00000 n
+0000959511 00000 n
+0000950298 00000 n
+0000959325 00000 n
+0000751165 00000 n
+0000751510 00000 n
+0000751638 00000 n
+0000751767 00000 n
+0000753320 00000 n
+0000753129 00000 n
+0000752202 00000 n
+0000753255 00000 n
+0000753761 00000 n
+0000753570 00000 n
+0000753420 00000 n
+0000753696 00000 n
+0000757075 00000 n
+0000755849 00000 n
+0000753803 00000 n
+0000756366 00000 n
+0000756495 00000 n
+0000756624 00000 n
+0000756753 00000 n
+0000756882 00000 n
+0000757011 00000 n
+0000756005 00000 n
+0000756177 00000 n
+0000757530 00000 n
+0000757339 00000 n
+0000757189 00000 n
+0000757465 00000 n
+0001159094 00000 n
+0000760775 00000 n
+0000760197 00000 n
+0000757572 00000 n
+0000760323 00000 n
+0000760452 00000 n
+0000760581 00000 n
+0000760710 00000 n
+0000764972 00000 n
+0000763753 00000 n
+0000760861 00000 n
+0000764263 00000 n
+0000764392 00000 n
+0000764650 00000 n
+0000763909 00000 n
+0000764088 00000 n
+0000764844 00000 n
+0000764908 00000 n
+0000771862 00000 n
+0000768034 00000 n
+0000765128 00000 n
+0000768160 00000 n
+0000768225 00000 n
+0000768290 00000 n
+0000768355 00000 n
+0000768420 00000 n
+0000768485 00000 n
+0000768550 00000 n
+0000768615 00000 n
+0000768680 00000 n
+0000768745 00000 n
+0000768875 00000 n
+0000768940 00000 n
+0000769005 00000 n
+0000769070 00000 n
+0000769135 00000 n
+0000769200 00000 n
+0000769265 00000 n
+0000769330 00000 n
+0000769395 00000 n
+0000769460 00000 n
+0000769525 00000 n
+0000769590 00000 n
+0000769655 00000 n
+0000769720 00000 n
+0000769785 00000 n
+0000769850 00000 n
+0000769915 00000 n
+0000769980 00000 n
+0000770045 00000 n
+0000770110 00000 n
+0000770175 00000 n
+0000770240 00000 n
+0000770305 00000 n
+0000770370 00000 n
+0000770434 00000 n
+0000770499 00000 n
+0000770564 00000 n
+0000770629 00000 n
+0000770694 00000 n
+0000770759 00000 n
+0000770824 00000 n
+0000770889 00000 n
+0000770954 00000 n
+0000771019 00000 n
+0000771084 00000 n
+0000771149 00000 n
+0000771214 00000 n
+0000771279 00000 n
+0000771344 00000 n
+0000771409 00000 n
+0000771474 00000 n
+0000771539 00000 n
+0000771604 00000 n
+0000771669 00000 n
+0000771734 00000 n
+0000771798 00000 n
+0000778510 00000 n
+0000774946 00000 n
+0000771976 00000 n
+0000775072 00000 n
+0000775137 00000 n
+0000775202 00000 n
+0000775267 00000 n
+0000775332 00000 n
+0000775397 00000 n
+0000775462 00000 n
+0000775527 00000 n
+0000775592 00000 n
+0000775657 00000 n
+0000775722 00000 n
+0000775787 00000 n
+0000775851 00000 n
+0000775916 00000 n
+0000775981 00000 n
+0000776046 00000 n
+0000776111 00000 n
+0000776176 00000 n
+0000776241 00000 n
+0000776306 00000 n
+0000776371 00000 n
+0000776436 00000 n
+0000776501 00000 n
+0000776566 00000 n
+0000776630 00000 n
+0000776695 00000 n
+0000776760 00000 n
+0000776825 00000 n
+0000776890 00000 n
+0000776955 00000 n
+0000777020 00000 n
+0000777085 00000 n
+0000777150 00000 n
+0000777215 00000 n
+0000777280 00000 n
+0000777345 00000 n
+0000777410 00000 n
+0000777475 00000 n
+0000777540 00000 n
+0000777605 00000 n
+0000777669 00000 n
+0000777733 00000 n
+0000777797 00000 n
+0000777862 00000 n
+0000777927 00000 n
+0000777992 00000 n
+0000778057 00000 n
+0000778122 00000 n
+0000778187 00000 n
+0000778252 00000 n
+0000778317 00000 n
+0000778382 00000 n
+0000778446 00000 n
+0000784685 00000 n
+0000781247 00000 n
+0000778624 00000 n
+0000781373 00000 n
+0000781438 00000 n
+0000781503 00000 n
+0000781568 00000 n
+0000781633 00000 n
+0000781698 00000 n
+0000781763 00000 n
+0000781828 00000 n
+0000781893 00000 n
+0000781958 00000 n
+0000782023 00000 n
+0000782088 00000 n
+0000782153 00000 n
+0000782218 00000 n
+0000782283 00000 n
+0000782348 00000 n
+0000782413 00000 n
+0000782478 00000 n
+0000782543 00000 n
+0000782608 00000 n
+0000782673 00000 n
+0000782738 00000 n
+0000782803 00000 n
+0000782868 00000 n
+0000782933 00000 n
+0000782998 00000 n
+0000783063 00000 n
+0000783128 00000 n
+0000783193 00000 n
+0000783258 00000 n
+0000783323 00000 n
+0000783388 00000 n
+0000783453 00000 n
+0000783518 00000 n
+0000783582 00000 n
+0000783647 00000 n
+0000783712 00000 n
+0000783777 00000 n
+0000783842 00000 n
+0000783907 00000 n
+0000783972 00000 n
+0000784037 00000 n
+0000784102 00000 n
+0000784167 00000 n
+0000784232 00000 n
+0000784297 00000 n
+0000784362 00000 n
+0000784427 00000 n
+0000784492 00000 n
+0000784557 00000 n
+0000784621 00000 n
+0000790204 00000 n
+0000787808 00000 n
+0000784799 00000 n
+0000787934 00000 n
+0000787999 00000 n
+0000788064 00000 n
+0000788129 00000 n
+0000788194 00000 n
+0000788259 00000 n
+0000788324 00000 n
+0000788389 00000 n
+0000788454 00000 n
+0000788519 00000 n
+0000788584 00000 n
+0000788649 00000 n
+0000788714 00000 n
+0000788778 00000 n
+0000788843 00000 n
+0000788908 00000 n
+0000788973 00000 n
+0000789038 00000 n
+0000789103 00000 n
+0000789168 00000 n
+0000789233 00000 n
+0000789298 00000 n
+0000789363 00000 n
+0000789428 00000 n
+0000789493 00000 n
+0000789621 00000 n
+0000789750 00000 n
+0000789815 00000 n
+0000789880 00000 n
+0000789945 00000 n
+0000790010 00000 n
+0000790139 00000 n
+0001159219 00000 n
+0000793412 00000 n
+0000792705 00000 n
+0000790331 00000 n
+0000792831 00000 n
+0000792960 00000 n
+0000793089 00000 n
+0000793218 00000 n
+0000793347 00000 n
+0000796904 00000 n
+0000796147 00000 n
+0000793539 00000 n
+0000796454 00000 n
+0000796583 00000 n
+0000796294 00000 n
+0000796711 00000 n
+0000796839 00000 n
+0000800148 00000 n
+0000799570 00000 n
+0000797031 00000 n
+0000799696 00000 n
+0000799825 00000 n
+0000799954 00000 n
+0000800083 00000 n
+0000803057 00000 n
+0000802737 00000 n
+0000800262 00000 n
+0000802863 00000 n
+0000802992 00000 n
+0000805647 00000 n
+0000805198 00000 n
+0000803227 00000 n
+0000805324 00000 n
+0000805453 00000 n
+0000805582 00000 n
+0000806088 00000 n
+0000805897 00000 n
+0000805747 00000 n
+0000806023 00000 n
+0001159344 00000 n
+0000808800 00000 n
+0000808156 00000 n
+0000806130 00000 n
+0000808282 00000 n
+0000808411 00000 n
+0000808540 00000 n
+0000808605 00000 n
+0000808670 00000 n
+0000808735 00000 n
+0000813140 00000 n
+0000812820 00000 n
+0000808914 00000 n
+0000812946 00000 n
+0000813011 00000 n
+0000813076 00000 n
+0000816743 00000 n
+0000816488 00000 n
+0000813296 00000 n
+0000816614 00000 n
+0000816679 00000 n
+0000819994 00000 n
+0000819803 00000 n
+0000816885 00000 n
+0000819929 00000 n
+0000823715 00000 n
+0000823459 00000 n
+0000820122 00000 n
+0000823585 00000 n
+0000823650 00000 n
+0000826700 00000 n
+0000825992 00000 n
+0000823857 00000 n
+0000826118 00000 n
+0000826183 00000 n
+0000826248 00000 n
+0000826313 00000 n
+0000826378 00000 n
+0000826507 00000 n
+0000826572 00000 n
+0000826636 00000 n
+0001159469 00000 n
+0000831369 00000 n
+0000831113 00000 n
+0000826842 00000 n
+0000831239 00000 n
+0000831304 00000 n
+0000834388 00000 n
+0000833615 00000 n
+0000831497 00000 n
+0000833741 00000 n
+0000833806 00000 n
+0000833871 00000 n
+0000833936 00000 n
+0000834065 00000 n
+0000834130 00000 n
+0000834193 00000 n
+0000834258 00000 n
+0000834323 00000 n
+0000837301 00000 n
+0000836786 00000 n
+0000834544 00000 n
+0000836912 00000 n
+0000836977 00000 n
+0000837042 00000 n
+0000837107 00000 n
+0000837172 00000 n
+0000837237 00000 n
+0000840674 00000 n
+0000840094 00000 n
+0000837457 00000 n
+0000840220 00000 n
+0000840349 00000 n
+0000840414 00000 n
+0000840479 00000 n
+0000840544 00000 n
+0000840609 00000 n
+0000844126 00000 n
+0000843870 00000 n
+0000840816 00000 n
+0000843996 00000 n
+0000844061 00000 n
+0000847078 00000 n
+0000846434 00000 n
+0000844254 00000 n
+0000846560 00000 n
+0000846625 00000 n
+0000846690 00000 n
+0000846755 00000 n
+0000846949 00000 n
+0000847014 00000 n
+0001159594 00000 n
+0000850719 00000 n
+0000850398 00000 n
+0000847247 00000 n
+0000850524 00000 n
+0000850589 00000 n
+0000850654 00000 n
+0000854310 00000 n
+0000854119 00000 n
+0000850847 00000 n
+0000854245 00000 n
+0000857776 00000 n
+0000857455 00000 n
+0000854438 00000 n
+0000857581 00000 n
+0000857646 00000 n
+0000857711 00000 n
+0000860434 00000 n
+0000859725 00000 n
+0000857917 00000 n
+0000859851 00000 n
+0000859916 00000 n
+0000859981 00000 n
+0000860046 00000 n
+0000860175 00000 n
+0000860240 00000 n
+0000860305 00000 n
+0000860370 00000 n
+0000863311 00000 n
+0000862601 00000 n
+0000860590 00000 n
+0000862727 00000 n
+0000862792 00000 n
+0000862857 00000 n
+0000862922 00000 n
+0000863116 00000 n
+0000863181 00000 n
+0000863246 00000 n
+0000866883 00000 n
+0000866562 00000 n
+0000863467 00000 n
+0000866688 00000 n
+0000866753 00000 n
+0000866818 00000 n
+0001159719 00000 n
+0000870032 00000 n
+0000869387 00000 n
+0000867011 00000 n
+0000869513 00000 n
+0000869578 00000 n
+0000869643 00000 n
+0000869708 00000 n
+0000869837 00000 n
+0000869902 00000 n
+0000869967 00000 n
+0000873563 00000 n
+0000873242 00000 n
+0000870188 00000 n
+0000873368 00000 n
+0000873433 00000 n
+0000873498 00000 n
+0000877146 00000 n
+0000876955 00000 n
+0000873705 00000 n
+0000877081 00000 n
+0000880631 00000 n
+0000880440 00000 n
+0000877274 00000 n
+0000880566 00000 n
+0000883525 00000 n
+0000882881 00000 n
+0000880773 00000 n
+0000883007 00000 n
+0000883072 00000 n
+0000883137 00000 n
+0000883202 00000 n
+0000883331 00000 n
+0000883396 00000 n
+0000883461 00000 n
+0000886438 00000 n
+0000885733 00000 n
+0000883681 00000 n
+0000885859 00000 n
+0000885924 00000 n
+0000885989 00000 n
+0000886054 00000 n
+0000886119 00000 n
+0000886184 00000 n
+0000886310 00000 n
+0000886375 00000 n
+0001159844 00000 n
+0000889643 00000 n
+0000889258 00000 n
+0000886580 00000 n
+0000889384 00000 n
+0000889449 00000 n
+0000889514 00000 n
+0000889579 00000 n
+0000892945 00000 n
+0000892754 00000 n
+0000889785 00000 n
+0000892880 00000 n
+0000896127 00000 n
+0000895353 00000 n
+0000893073 00000 n
+0000895479 00000 n
+0000895544 00000 n
+0000895609 00000 n
+0000895674 00000 n
+0000895802 00000 n
+0000895867 00000 n
+0000895932 00000 n
+0000895997 00000 n
+0000896062 00000 n
+0000899375 00000 n
+0000899184 00000 n
+0000896283 00000 n
+0000899310 00000 n
+0000902534 00000 n
+0000902149 00000 n
+0000899588 00000 n
+0000902275 00000 n
+0000902340 00000 n
+0000902405 00000 n
+0000902470 00000 n
+0000905086 00000 n
+0000904313 00000 n
+0000902775 00000 n
+0000904439 00000 n
+0000904504 00000 n
+0000904569 00000 n
+0000904698 00000 n
+0000904762 00000 n
+0000904827 00000 n
+0000904892 00000 n
+0000904957 00000 n
+0000905022 00000 n
+0001159969 00000 n
+0000909247 00000 n
+0000908732 00000 n
+0000905242 00000 n
+0000908858 00000 n
+0000908987 00000 n
+0000909052 00000 n
+0000909117 00000 n
+0000909182 00000 n
+0000913463 00000 n
+0000913207 00000 n
+0000909375 00000 n
+0000913333 00000 n
+0000913398 00000 n
+0000916798 00000 n
+0000916607 00000 n
+0000913591 00000 n
+0000916733 00000 n
+0000919416 00000 n
+0000918966 00000 n
+0000916926 00000 n
+0000919092 00000 n
+0000919157 00000 n
+0000919222 00000 n
+0000919287 00000 n
+0000919352 00000 n
+0000923265 00000 n
+0000922685 00000 n
+0000919571 00000 n
+0000922811 00000 n
+0000922940 00000 n
+0000923005 00000 n
+0000923070 00000 n
+0000923135 00000 n
+0000923200 00000 n
+0000926430 00000 n
+0000925720 00000 n
+0000923407 00000 n
+0000925846 00000 n
+0000925911 00000 n
+0000925976 00000 n
+0000926041 00000 n
+0000926170 00000 n
+0000926235 00000 n
+0000926300 00000 n
+0000926365 00000 n
+0001160094 00000 n
+0000929151 00000 n
+0000928895 00000 n
+0000926586 00000 n
+0000929021 00000 n
+0000929086 00000 n
+0000932407 00000 n
+0000931634 00000 n
+0000929279 00000 n
+0000931760 00000 n
+0000931825 00000 n
+0000931890 00000 n
+0000931955 00000 n
+0000932084 00000 n
+0000932149 00000 n
+0000932214 00000 n
+0000932278 00000 n
+0000932343 00000 n
+0000935697 00000 n
+0000935378 00000 n
+0000932563 00000 n
+0000935504 00000 n
+0000935569 00000 n
+0000935634 00000 n
+0000939167 00000 n
+0000938524 00000 n
+0000935853 00000 n
+0000938650 00000 n
+0000938715 00000 n
+0000938844 00000 n
+0000938908 00000 n
+0000938973 00000 n
+0000939038 00000 n
+0000939102 00000 n
+0000941782 00000 n
+0000940815 00000 n
+0000939309 00000 n
+0000940941 00000 n
+0000941006 00000 n
+0000941071 00000 n
+0000941200 00000 n
+0000941265 00000 n
+0000941330 00000 n
+0000941395 00000 n
+0000941460 00000 n
+0000941525 00000 n
+0000941653 00000 n
+0000941718 00000 n
+0000944675 00000 n
+0000943840 00000 n
+0000941938 00000 n
+0000943966 00000 n
+0000944031 00000 n
+0000944096 00000 n
+0000944161 00000 n
+0000944226 00000 n
+0000944291 00000 n
+0000944419 00000 n
+0000944482 00000 n
+0000944546 00000 n
+0000944611 00000 n
+0001160219 00000 n
+0000947419 00000 n
+0000946580 00000 n
+0000944817 00000 n
+0000946706 00000 n
+0000946771 00000 n
+0000946836 00000 n
+0000946901 00000 n
+0000947030 00000 n
+0000947095 00000 n
+0000947160 00000 n
+0000947225 00000 n
+0000947290 00000 n
+0000947355 00000 n
+0000948210 00000 n
+0000947954 00000 n
+0000947561 00000 n
+0000948080 00000 n
+0000948145 00000 n
+0000948409 00000 n
+0000959753 00000 n
+0000967342 00000 n
+0000969642 00000 n
+0000969611 00000 n
+0000973329 00000 n
+0000982769 00000 n
+0000993504 00000 n
+0001005199 00000 n
+0001017916 00000 n
+0001037150 00000 n
+0001058046 00000 n
+0001080194 00000 n
+0001098450 00000 n
+0001101297 00000 n
+0001101067 00000 n
+0001128715 00000 n
+0001155981 00000 n
+0001160317 00000 n
+0001160442 00000 n
+0001160568 00000 n
+0001160694 00000 n
+0001160820 00000 n
+0001160946 00000 n
+0001161026 00000 n
+0001161136 00000 n
+0001183038 00000 n
+0001207231 00000 n
+0001207272 00000 n
+0001207312 00000 n
+0001207446 00000 n
trailer
<<
-/Size 2178
-/Root 2176 0 R
-/Info 2177 0 R
-/ID [<AE77623B2C928387BC4F87262D905186> <AE77623B2C928387BC4F87262D905186>]
+/Size 2760
+/Root 2758 0 R
+/Info 2759 0 R
+/ID [<56A51CE89D72B9E1A2B24B6DA534816F> <56A51CE89D72B9E1A2B24B6DA534816F>]
>>
startxref
-1034466
+1207704
%%EOF
diff --git a/contrib/bind9/doc/arm/Makefile.in b/contrib/bind9/doc/arm/Makefile.in
index fe2947c6841f..3ecf4af90bb1 100644
--- a/contrib/bind9/doc/arm/Makefile.in
+++ b/contrib/bind9/doc/arm/Makefile.in
@@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id$
+# $Id: Makefile.in,v 1.22 2009/02/12 23:47:56 tbox Exp $
srcdir = @srcdir@
VPATH = @srcdir@
diff --git a/contrib/bind9/doc/arm/dnssec.xml b/contrib/bind9/doc/arm/dnssec.xml
new file mode 100644
index 000000000000..f89e17421b5f
--- /dev/null
+++ b/contrib/bind9/doc/arm/dnssec.xml
@@ -0,0 +1,268 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+ - Copyright (C) 2010, 2012 Internet Systems Consortium, Inc. ("ISC")
+ -
+ - Permission to use, copy, modify, and/or distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id$ -->
+
+<sect1 id="dnssec.dynamic.zones">
+ <title>DNSSEC, Dynamic Zones, and Automatic Signing</title>
+ <para>As of BIND 9.7.0 it is possible to change a dynamic zone
+ from insecure to signed and back again. A secure zone can use
+ either NSEC or NSEC3 chains.</para>
+ <sect2>
+ <title>Converting from insecure to secure</title>
+ </sect2>
+ <para>Changing a zone from insecure to secure can be done in two
+ ways: using a dynamic DNS update, or the
+ <command>auto-dnssec</command> zone option.</para>
+ <para>For either method, you need to configure
+ <command>named</command> so that it can see the
+ <filename>K*</filename> files which contain the public and private
+ parts of the keys that will be used to sign the zone. These files
+ will have been generated by
+ <command>dnssec-keygen</command>. You can do this by placing them
+ in the key-directory, as specified in
+ <filename>named.conf</filename>:</para>
+ <programlisting>
+ zone example.net {
+ type master;
+ update-policy local;
+ file "dynamic/example.net/example.net";
+ key-directory "dynamic/example.net";
+ };
+</programlisting>
+ <para>If one KSK and one ZSK DNSKEY key have been generated, this
+ configuration will cause all records in the zone to be signed
+ with the ZSK, and the DNSKEY RRset to be signed with the KSK as
+ well. An NSEC chain will be generated as part of the initial
+ signing process.</para>
+ <sect2>
+ <title>Dynamic DNS update method</title>
+ </sect2>
+ <para>To insert the keys via dynamic update:</para>
+ <screen>
+ % nsupdate
+ &gt; ttl 3600
+ &gt; update add example.net DNSKEY 256 3 7 AwEAAZn17pUF0KpbPA2c7Gz76Vb18v0teKT3EyAGfBfL8eQ8al35zz3Y I1m/SAQBxIqMfLtIwqWPdgthsu36azGQAX8=
+ &gt; update add example.net DNSKEY 257 3 7 AwEAAd/7odU/64o2LGsifbLtQmtO8dFDtTAZXSX2+X3e/UNlq9IHq3Y0 XtC0Iuawl/qkaKVxXe2lo8Ct+dM6UehyCqk=
+ &gt; send
+</screen>
+ <para>While the update request will complete almost immediately,
+ the zone will not be completely signed until
+ <command>named</command> has had time to walk the zone and
+ generate the NSEC and RRSIG records. The NSEC record at the apex
+ will be added last, to signal that there is a complete NSEC
+ chain.</para>
+ <para>If you wish to sign using NSEC3 instead of NSEC, you should
+ add an NSEC3PARAM record to the initial update request. If you
+ wish the NSEC3 chain to have the OPTOUT bit set, set it in the
+ flags field of the NSEC3PARAM record.</para>
+ <screen>
+ % nsupdate
+ &gt; ttl 3600
+ &gt; update add example.net DNSKEY 256 3 7 AwEAAZn17pUF0KpbPA2c7Gz76Vb18v0teKT3EyAGfBfL8eQ8al35zz3Y I1m/SAQBxIqMfLtIwqWPdgthsu36azGQAX8=
+ &gt; update add example.net DNSKEY 257 3 7 AwEAAd/7odU/64o2LGsifbLtQmtO8dFDtTAZXSX2+X3e/UNlq9IHq3Y0 XtC0Iuawl/qkaKVxXe2lo8Ct+dM6UehyCqk=
+ &gt; update add example.net NSEC3PARAM 1 1 100 1234567890
+ &gt; send
+</screen>
+ <para>Again, this update request will complete almost
+ immediately; however, the record won't show up until
+ <command>named</command> has had a chance to build/remove the
+ relevant chain. A private type record will be created to record
+ the state of the operation (see below for more details), and will
+ be removed once the operation completes.</para>
+ <para>While the initial signing and NSEC/NSEC3 chain generation
+ is happening, other updates are possible as well.</para>
+ <sect2>
+ <title>Fully automatic zone signing</title>
+ </sect2>
+ <para>To enable automatic signing, add the
+ <command>auto-dnssec</command> option to the zone statement in
+ <filename>named.conf</filename>.
+ <command>auto-dnssec</command> has two possible arguments:
+ <constant>allow</constant> or
+ <constant>maintain</constant>.</para>
+ <para>With
+ <command>auto-dnssec allow</command>,
+ <command>named</command> can search the key directory for keys
+ matching the zone, insert them into the zone, and use them to
+ sign the zone. It will do so only when it receives an
+ <command>rndc sign &lt;zonename&gt;</command> or
+ <command>rndc loadkeys &lt;zonename&gt;</command> command.</para>
+ <para>
+ <!-- TODO: this is repeated in the ARM -->
+ <command>auto-dnssec maintain</command> includes the above
+ functionality, but will also automatically adjust the zone's
+ DNSKEY records on schedule according to the keys' timing metadata.
+ (See <xref linkend="man.dnssec-keygen"/> and
+ <xref linkend="man.dnssec-settime"/> for more information.)
+ If keys are present in the key directory the first time the zone
+ is loaded, it will be signed immediately, without waiting for an
+ <command>rndc sign</command> or <command>rndc loadkeys</command>
+ command. (Those commands can still be used when there are unscheduled
+ key changes, however.)
+ </para>
+ <para>Using the
+ <command>auto-dnssec</command> option requires the zone to be
+ configured to allow dynamic updates, by adding an
+ <command>allow-update</command> or
+ <command>update-policy</command> statement to the zone
+ configuration. If this has not been done, the configuration will
+ fail.</para>
+ <sect2>
+ <title>Private-type records</title>
+ </sect2>
+ <para>The state of the signing process is signaled by
+ private-type records (with a default type value of 65534). When
+ signing is complete, these records will have a nonzero value for
+ the final octet (for those records which have a nonzero initial
+ octet).</para>
+ <para>The private type record format: If the first octet is
+ non-zero then the record indicates that the zone needs to be
+ signed with the key matching the record, or that all signatures
+ that match the record should be removed.</para>
+ <para>
+ <literallayout>
+<!-- TODO: how to format this? -->
+ algorithm (octet 1)
+ key id in network order (octet 2 and 3)
+ removal flag (octet 4)
+ complete flag (octet 5)
+</literallayout>
+ </para>
+ <para>Only records flagged as "complete" can be removed via
+ dynamic update. Attempts to remove other private type records
+ will be silently ignored.</para>
+ <para>If the first octet is zero (this is a reserved algorithm
+ number that should never appear in a DNSKEY record) then the
+ record indicates changes to the NSEC3 chains are in progress. The
+ rest of the record contains an NSEC3PARAM record. The flag field
+ tells what operation to perform based on the flag bits.</para>
+ <para>
+ <literallayout>
+<!-- TODO: how to format this? -->
+ 0x01 OPTOUT
+ 0x80 CREATE
+ 0x40 REMOVE
+ 0x20 NONSEC
+</literallayout>
+ </para>
+ <sect2>
+ <title>DNSKEY rollovers</title>
+ </sect2>
+ <para>As with insecure-to-secure conversions, rolling DNSSEC
+ keys can be done in two ways: using a dynamic DNS update, or the
+ <command>auto-dnssec</command> zone option.</para>
+ <sect2>
+ <title>Dynamic DNS update method</title>
+ </sect2>
+ <para> To perform key rollovers via dynamic update, you need to add
+ the <filename>K*</filename> files for the new keys so that
+ <command>named</command> can find them. You can then add the new
+ DNSKEY RRs via dynamic update.
+ <command>named</command> will then cause the zone to be signed
+ with the new keys. When the signing is complete the private type
+ records will be updated so that the last octet is non
+ zero.</para>
+ <para>If this is for a KSK you need to inform the parent and any
+ trust anchor repositories of the new KSK.</para>
+ <para>You should then wait for the maximum TTL in the zone before
+ removing the old DNSKEY. If it is a KSK that is being updated,
+ you also need to wait for the DS RRset in the parent to be
+ updated and its TTL to expire. This ensures that all clients will
+ be able to verify at least one signature when you remove the old
+ DNSKEY.</para>
+ <para>The old DNSKEY can be removed via UPDATE. Take care to
+ specify the correct key.
+ <command>named</command> will clean out any signatures generated
+ by the old key after the update completes.</para>
+ <sect2>
+ <title>Automatic key rollovers</title>
+ </sect2>
+ <para>When a new key reaches its activation date (as set by
+ <command>dnssec-keygen</command> or <command>dnssec-settime</command>),
+ if the <command>auto-dnssec</command> zone option is set to
+ <constant>maintain</constant>, <command>named</command> will
+ automatically carry out the key rollover. If the key's algorithm
+ has not previously been used to sign the zone, then the zone will
+ be fully signed as quickly as possible. However, if the new key
+ is replacing an existing key of the same algorithm, then the
+ zone will be re-signed incrementally, with signatures from the
+ old key being replaced with signatures from the new key as their
+ signature validity periods expire. By default, this rollover
+ completes in 30 days, after which it will be safe to remove the
+ old key from the DNSKEY RRset.</para>
+ <sect2>
+ <title>NSEC3PARAM rollovers via UPDATE</title>
+ </sect2>
+ <para>Add the new NSEC3PARAM record via dynamic update. When the
+ new NSEC3 chain has been generated, the NSEC3PARAM flag field
+ will be zero. At this point you can remove the old NSEC3PARAM
+ record. The old chain will be removed after the update request
+ completes.</para>
+ <sect2>
+ <title>Converting from NSEC to NSEC3</title>
+ </sect2>
+ <para>To do this, you just need to add an NSEC3PARAM record. When
+ the conversion is complete, the NSEC chain will have been removed
+ and the NSEC3PARAM record will have a zero flag field. The NSEC3
+ chain will be generated before the NSEC chain is
+ destroyed.</para>
+ <sect2>
+ <title>Converting from NSEC3 to NSEC</title>
+ </sect2>
+ <para>To do this, use <command>nsupdate</command> to
+ remove all NSEC3PARAM records with a zero flag
+ field. The NSEC chain will be generated before the NSEC3 chain is
+ removed.</para>
+ <sect2>
+ <title>Converting from secure to insecure</title>
+ </sect2>
+ <para>To convert a signed zone to unsigned using dynamic DNS,
+ delete all the DNSKEY records from the zone apex using
+ <command>nsupdate</command>. All signatures, NSEC or NSEC3 chains,
+ and associated NSEC3PARAM records will be removed automatically.
+ This will take place after the update request completes.</para>
+ <para> This requires the
+ <command>dnssec-secure-to-insecure</command> option to be set to
+ <userinput>yes</userinput> in
+ <filename>named.conf</filename>.</para>
+ <para>In addition, if the <command>auto-dnssec maintain</command>
+ zone statement is used, it should be removed or changed to
+ <command>allow</command> instead (or it will re-sign).
+ </para>
+ <sect2>
+ <title>Periodic re-signing</title>
+ </sect2>
+ <para>In any secure zone which supports dynamic updates, named
+ will periodically re-sign RRsets which have not been re-signed as
+ a result of some update action. The signature lifetimes will be
+ adjusted so as to spread the re-sign load over time rather than
+ all at once.</para>
+ <sect2>
+ <title>NSEC3 and OPTOUT</title>
+ </sect2>
+ <para>
+ <command>named</command> only supports creating new NSEC3 chains
+ where all the NSEC3 records in the zone have the same OPTOUT
+ state.
+ <command>named</command> supports UPDATES to zones where the NSEC3
+ records in the chain have mixed OPTOUT state.
+ <command>named</command> does not support changing the OPTOUT
+ state of an individual NSEC3 record, the entire chain needs to be
+ changed if the OPTOUT state of an individual NSEC3 needs to be
+ changed.</para>
+</sect1>
diff --git a/contrib/bind9/doc/arm/libdns.xml b/contrib/bind9/doc/arm/libdns.xml
new file mode 100644
index 000000000000..6134ff6521f6
--- /dev/null
+++ b/contrib/bind9/doc/arm/libdns.xml
@@ -0,0 +1,530 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+ - Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+ -
+ - Permission to use, copy, modify, and/or distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<sect1 id="bind9.library">
+ <title>BIND 9 DNS Library Support</title>
+ <para>This version of BIND 9 "exports" its internal libraries so
+ that they can be used by third-party applications more easily (we
+ call them "export" libraries in this document). In addition to
+ all major DNS-related APIs BIND 9 is currently using, the export
+ libraries provide the following features:</para>
+ <itemizedlist>
+ <listitem>
+ <para>The newly created "DNS client" module. This is a higher
+ level API that provides an interface to name resolution,
+ single DNS transaction with a particular server, and dynamic
+ update. Regarding name resolution, it supports advanced
+ features such as DNSSEC validation and caching. This module
+ supports both synchronous and asynchronous mode.</para>
+ </listitem>
+ <listitem>
+ <para>The new "IRS" (Information Retrieval System) library.
+ It provides an interface to parse the traditional resolv.conf
+ file and more advanced, DNS-specific configuration file for
+ the rest of this package (see the description for the
+ dns.conf file below).</para>
+ </listitem>
+ <listitem>
+ <para>As part of the IRS library, newly implemented standard
+ address-name mapping functions, getaddrinfo() and
+ getnameinfo(), are provided. They use the DNSSEC-aware
+ validating resolver backend, and could use other advanced
+ features of the BIND 9 libraries such as caching. The
+ getaddrinfo() function resolves both A and AAAA RRs
+ concurrently (when the address family is unspecified).</para>
+ </listitem>
+ <listitem>
+ <para>An experimental framework to support other event
+ libraries than BIND 9's internal event task system.</para>
+ </listitem>
+ </itemizedlist>
+ <sect2>
+ <title>Prerequisite</title>
+ <para>GNU make is required to build the export libraries (other
+ part of BIND 9 can still be built with other types of make). In
+ the reminder of this document, "make" means GNU make. Note that
+ in some platforms you may need to invoke a different command name
+ than "make" (e.g. "gmake") to indicate it's GNU make.</para>
+ </sect2>
+ <sect2>
+ <title>Compilation</title>
+ <screen>
+$ <userinput>./configure --enable-exportlib <replaceable>[other flags]</replaceable></userinput>
+$ <userinput>make</userinput>
+</screen>
+ <para>
+ This will create (in addition to usual BIND 9 programs) and a
+ separate set of libraries under the lib/export directory. For
+ example, <filename>lib/export/dns/libdns.a</filename> is the archive file of the
+ export version of the BIND 9 DNS library. Sample application
+ programs using the libraries will also be built under the
+ lib/export/samples directory (see below).</para>
+ </sect2>
+ <sect2>
+ <title>Installation</title>
+ <screen>
+$ <userinput>cd lib/export</userinput>
+$ <userinput>make install</userinput>
+</screen>
+ <para>
+ This will install library object files under the directory
+ specified by the --with-export-libdir configure option (default:
+ EPREFIX/lib/bind9), and header files under the directory
+ specified by the --with-export-includedir configure option
+ (default: PREFIX/include/bind9).
+ Root privilege is normally required.
+ "<command>make install</command>" at the top directory will do the
+ same.
+ </para>
+ <para>
+ To see how to build your own
+ application after the installation, see
+ <filename>lib/export/samples/Makefile-postinstall.in</filename>.</para>
+ </sect2>
+ <sect2>
+ <title>Known Defects/Restrictions</title>
+ <itemizedlist>
+ <listitem>
+<!-- TODO: what about AIX? -->
+ <para>Currently, win32 is not supported for the export
+ library. (Normal BIND 9 application can be built as
+ before).</para>
+ </listitem>
+ <listitem>
+ <para>The "fixed" RRset order is not (currently) supported in
+ the export library. If you want to use "fixed" RRset order
+ for, e.g. <command>named</command> while still building the
+ export library even without the fixed order support, build
+ them separately:
+ <screen>
+$ <userinput>./configure --enable-fixed-rrset <replaceable>[other flags, but not --enable-exportlib]</replaceable></userinput>
+$ <userinput>make</userinput>
+$ <userinput>./configure --enable-exportlib <replaceable>[other flags, but not --enable-fixed-rrset]</replaceable></userinput>
+$ <userinput>cd lib/export</userinput>
+$ <userinput>make</userinput>
+</screen>
+ </para>
+ </listitem>
+ <listitem>
+ <para>The client module and the IRS library currently do not
+ support DNSSEC validation using DLV (the underlying modules
+ can handle it, but there is no tunable interface to enable
+ the feature).</para>
+ </listitem>
+ <listitem>
+ <para>RFC 5011 is not supported in the validating stub
+ resolver of the export library. In fact, it is not clear
+ whether it should: trust anchors would be a system-wide
+ configuration which would be managed by an administrator,
+ while the stub resolver will be used by ordinary applications
+ run by a normal user.</para>
+ </listitem>
+ <listitem>
+ <para>Not all common <filename>/etc/resolv.conf</filename>
+ options are supported
+ in the IRS library. The only available options in this
+ version are "debug" and "ndots".</para>
+ </listitem>
+ </itemizedlist>
+ </sect2>
+ <sect2>
+ <title>The dns.conf File</title>
+ <para>The IRS library supports an "advanced" configuration file
+ related to the DNS library for configuration parameters that
+ would be beyond the capability of the
+ <filename>resolv.conf</filename> file.
+ Specifically, it is intended to provide DNSSEC related
+ configuration parameters. By default the path to this
+ configuration file is <filename>/etc/dns.conf</filename>.
+ This module is very
+ experimental and the configuration syntax or library interfaces
+ may change in future versions. Currently, only the
+ <command>trusted-keys</command>
+ statement is supported, whose syntax is the same as the same name
+ of statement for <filename>named.conf</filename>. (See
+ <xref linkend="trusted-keys" /> for details.)</para>
+ </sect2>
+ <sect2>
+ <title>Sample Applications</title>
+ <para>Some sample application programs using this API are
+ provided for reference. The following is a brief description of
+ these applications.
+ </para>
+ <sect3>
+ <title>sample: a simple stub resolver utility</title>
+ <para>
+ It sends a query of a given name (of a given optional RR type) to a
+ specified recursive server, and prints the result as a list of
+ RRs. It can also act as a validating stub resolver if a trust
+ anchor is given via a set of command line options.</para>
+ <para>
+ Usage: sample [options] server_address hostname
+ </para>
+ <para>
+ Options and Arguments:
+ </para>
+ <variablelist>
+ <varlistentry>
+ <term>
+ -t RRtype
+ </term>
+ <listitem><para>
+ specify the RR type of the query. The default is the A RR.
+ </para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ [-a algorithm] [-e] -k keyname -K keystring
+ </term>
+ <listitem><para>
+ specify a command-line DNS key to validate the answer. For
+ example, to specify the following DNSKEY of example.com:
+<literallayout>
+ example.com. 3600 IN DNSKEY 257 3 5 xxx
+</literallayout>
+ specify the options as follows:
+<screen>
+<userinput>
+ -e -k example.com -K "xxx"
+</userinput>
+</screen>
+ -e means that this key is a zone's "key signing key" (as known
+ as "secure Entry point").
+ When -a is omitted rsasha1 will be used by default.
+ </para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ -s domain:alt_server_address
+ </term>
+ <listitem><para>
+ specify a separate recursive server address for the specific
+ "domain". Example: -s example.com:2001:db8::1234
+ </para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>server_address</term>
+ <listitem><para>
+ an IP(v4/v6) address of the recursive server to which queries
+ are sent.
+ </para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>hostname</term>
+ <listitem><para>
+ the domain name for the query
+ </para></listitem>
+ </varlistentry>
+ </variablelist>
+ </sect3>
+ <sect3>
+ <title>sample-async: a simple stub resolver, working asynchronously</title>
+ <para>
+ Similar to "sample", but accepts a list
+ of (query) domain names as a separate file and resolves the names
+ asynchronously.</para>
+ <para>
+ Usage: sample-async [-s server_address] [-t RR_type] input_file</para>
+ <para>
+ Options and Arguments:
+ </para>
+ <variablelist>
+ <varlistentry>
+ <term>
+ -s server_address
+ </term>
+ <listitem>
+ an IPv4 address of the recursive server to which queries are sent.
+ (IPv6 addresses are not supported in this implementation)
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ -t RR_type
+ </term>
+ <listitem>
+ specify the RR type of the queries. The default is the A
+ RR.
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ input_file
+ </term>
+ <listitem>
+ a list of domain names to be resolved. each line
+ consists of a single domain name. Example:
+ <literallayout>
+ www.example.com
+ mx.examle.net
+ ns.xxx.example
+</literallayout>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </sect3>
+ <sect3>
+ <title>sample-request: a simple DNS transaction client</title>
+ <para>
+ It sends a query to a specified server, and
+ prints the response with minimal processing. It doesn't act as a
+ "stub resolver": it stops the processing once it gets any
+ response from the server, whether it's a referral or an alias
+ (CNAME or DNAME) that would require further queries to get the
+ ultimate answer. In other words, this utility acts as a very
+ simplified <command>dig</command>.
+ </para>
+ <para>
+ Usage: sample-request [-t RRtype] server_address hostname
+ </para>
+ <para>
+ Options and Arguments:
+ </para>
+ <variablelist>
+ <varlistentry>
+ <term>
+ -t RRtype
+ </term>
+ <listitem>
+ <para>
+ specify the RR type of
+ the queries. The default is the A RR.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ server_address
+ </term>
+ <listitem>
+ <para>
+ an IP(v4/v6)
+ address of the recursive server to which the query is sent.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ hostname
+ </term>
+ <listitem>
+ <para>
+ the domain name for the query
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </sect3>
+ <sect3>
+ <title>sample-gai: getaddrinfo() and getnameinfo() test code</title>
+ <para>
+ This is a test program
+ to check getaddrinfo() and getnameinfo() behavior. It takes a
+ host name as an argument, calls getaddrinfo() with the given host
+ name, and calls getnameinfo() with the resulting IP addresses
+ returned by getaddrinfo(). If the dns.conf file exists and
+ defines a trust anchor, the underlying resolver will act as a
+ validating resolver, and getaddrinfo()/getnameinfo() will fail
+ with an EAI_INSECUREDATA error when DNSSEC validation fails.
+ </para>
+ <para>
+ Usage: sample-gai hostname
+ </para>
+ </sect3>
+ <sect3>
+ <title>sample-update: a simple dynamic update client program</title>
+ <para>
+ It accepts a single update command as a
+ command-line argument, sends an update request message to the
+ authoritative server, and shows the response from the server. In
+ other words, this is a simplified <command>nsupdate</command>.
+ </para>
+ <para>
+ Usage: sample-update [options] (add|delete) "update data"
+ </para>
+ <para>
+ Options and Arguments:
+ </para>
+ <variablelist>
+ <varlistentry>
+ <term>
+ -a auth_server
+ </term>
+ <listitem><para>
+ An IP address of the authoritative server that has authority
+ for the zone containing the update name. This should normally
+ be the primary authoritative server that accepts dynamic
+ updates. It can also be a secondary server that is configured
+ to forward update requests to the primary server.
+ </para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ -k keyfile
+ </term>
+ <listitem><para>
+ A TSIG key file to secure the update transaction. The keyfile
+ format is the same as that for the nsupdate utility.
+ </para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ -p prerequisite
+ </term>
+ <listitem><para>
+ A prerequisite for the update (only one prerequisite can be
+ specified). The prerequisite format is the same as that is
+ accepted by the nsupdate utility.
+ </para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ -r recursive_server
+ </term>
+ <listitem><para>
+ An IP address of a recursive server that this utility will
+ use. A recursive server may be necessary to identify the
+ authoritative server address to which the update request is
+ sent.
+ </para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ -z zonename
+ </term>
+ <listitem><para>
+ The domain name of the zone that contains
+ </para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ (add|delete)
+ </term>
+ <listitem><para>
+ Specify the type of update operation. Either "add" or "delete"
+ must be specified.
+ </para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ "update data"
+ </term>
+ <listitem><para>
+ Specify the data to be updated. A typical example of the data
+ would look like "name TTL RRtype RDATA".
+ </para></listitem>
+ </varlistentry>
+ </variablelist>
+
+ <note>In practice, either -a or -r must be specified. Others can
+ be optional; the underlying library routine tries to identify the
+ appropriate server and the zone name for the update.</note>
+
+ <para>
+ Examples: assuming the primary authoritative server of the
+ dynamic.example.com zone has an IPv6 address 2001:db8::1234,
+ </para>
+ <screen>
+$ <userinput>sample-update -a sample-update -k Kxxx.+nnn+mmmm.key add "foo.dynamic.example.com 30 IN A 192.168.2.1"</userinput></screen>
+ <para>
+ adds an A RR for foo.dynamic.example.com using the given key.
+ </para>
+ <screen>
+$ <userinput>sample-update -a sample-update -k Kxxx.+nnn+mmmm.key delete "foo.dynamic.example.com 30 IN A"</userinput></screen>
+ <para>
+ removes all A RRs for foo.dynamic.example.com using the given key.
+ </para>
+ <screen>
+$ <userinput>sample-update -a sample-update -k Kxxx.+nnn+mmmm.key delete "foo.dynamic.example.com"</userinput></screen>
+ <para>
+ removes all RRs for foo.dynamic.example.com using the given key.
+ </para>
+ </sect3>
+ <sect3>
+ <title>nsprobe: domain/name server checker in terms of RFC 4074</title>
+ <para>
+ It checks a set
+ of domains to see the name servers of the domains behave
+ correctly in terms of RFC 4074. This is included in the set of
+ sample programs to show how the export library can be used in a
+ DNS-related application.
+ </para>
+ <para>
+ Usage: nsprobe [-d] [-v [-v...]] [-c cache_address] [input_file]
+ </para>
+ <para>
+ Options
+ </para>
+
+ <variablelist>
+ <varlistentry>
+ <term>
+ -d
+ </term>
+ <listitem><para>
+ run in the "debug" mode. with this option nsprobe will dump
+ every RRs it receives.
+ </para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ -v
+ </term>
+ <listitem><para>
+ increase verbosity of other normal log messages. This can be
+ specified multiple times
+ </para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ -c cache_address
+ </term>
+ <listitem><para>
+ specify an IP address of a recursive (caching) name server.
+ nsprobe uses this server to get the NS RRset of each domain and
+ the A and/or AAAA RRsets for the name servers. The default
+ value is 127.0.0.1.
+ </para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ input_file
+ </term>
+ <listitem><para>
+ a file name containing a list of domain (zone) names to be
+ probed. when omitted the standard input will be used. Each
+ line of the input file specifies a single domain name such as
+ "example.com". In general this domain name must be the apex
+ name of some DNS zone (unlike normal "host names" such as
+ "www.example.com"). nsprobe first identifies the NS RRsets for
+ the given domain name, and sends A and AAAA queries to these
+ servers for some "widely used" names under the zone;
+ specifically, adding "www" and "ftp" to the zone name.
+ </para></listitem>
+ </varlistentry>
+ </variablelist>
+ </sect3>
+ </sect2>
+ <sect2>
+ <title>Library References</title>
+ <para>As of this writing, there is no formal "manual" of the
+ libraries, except this document, header files (some of them
+ provide pretty detailed explanations), and sample application
+ programs.</para>
+ </sect2>
+</sect1>
+<!-- $Id: libdns.xml,v 1.3 2010/02/03 23:49:07 tbox Exp $ -->
diff --git a/contrib/bind9/doc/arm/man.arpaname.html b/contrib/bind9/doc/arm/man.arpaname.html
new file mode 100644
index 000000000000..814e0b8a33ae
--- /dev/null
+++ b/contrib/bind9/doc/arm/man.arpaname.html
@@ -0,0 +1,91 @@
+<!--
+ - Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2003 Internet Software Consortium.
+ -
+ - Permission to use, copy, modify, and/or distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+<!-- $Id$ -->
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>arpaname</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
+<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
+<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
+<link rel="prev" href="man.ddns-confgen.html" title="ddns-confgen">
+<link rel="next" href="man.genrandom.html" title="genrandom">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
+<div class="navheader">
+<table width="100%" summary="Navigation header">
+<tr><th colspan="3" align="center"><span class="application">arpaname</span></th></tr>
+<tr>
+<td width="20%" align="left">
+<a accesskey="p" href="man.ddns-confgen.html">Prev</a> </td>
+<th width="60%" align="center">Manual pages</th>
+<td width="20%" align="right"> <a accesskey="n" href="man.genrandom.html">Next</a>
+</td>
+</tr>
+</table>
+<hr>
+</div>
+<div class="refentry" lang="en">
+<a name="man.arpaname"></a><div class="titlepage"></div>
+<div class="refnamediv">
+<h2>Name</h2>
+<p><span class="application">arpaname</span> &#8212; translate IP addresses to the corresponding ARPA names</p>
+</div>
+<div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+<div class="cmdsynopsis"><p><code class="command">arpaname</code> {<em class="replaceable"><code>ipaddress </code></em>...}</p></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2618405"></a><h2>DESCRIPTION</h2>
+<p>
+ <span><strong class="command">arpaname</strong></span> translates IP addresses (IPv4 and
+ IPv6) to the corresponding IN-ADDR.ARPA or IP6.ARPA names.
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2618420"></a><h2>SEE ALSO</h2>
+<p>
+ <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2618434"></a><h2>AUTHOR</h2>
+<p><span class="corpauthor">Internet Systems Consortium</span>
+ </p>
+</div>
+</div>
+<div class="navfooter">
+<hr>
+<table width="100%" summary="Navigation footer">
+<tr>
+<td width="40%" align="left">
+<a accesskey="p" href="man.ddns-confgen.html">Prev</a> </td>
+<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>
+<td width="40%" align="right"> <a accesskey="n" href="man.genrandom.html">Next</a>
+</td>
+</tr>
+<tr>
+<td width="40%" align="left" valign="top">
+<span class="application">ddns-confgen</span> </td>
+<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
+<td width="40%" align="right" valign="top"> <span class="application">genrandom</span>
+</td>
+</tr>
+</table>
+</div>
+</body>
+</html>
diff --git a/contrib/bind9/doc/arm/man.ddns-confgen.html b/contrib/bind9/doc/arm/man.ddns-confgen.html
new file mode 100644
index 000000000000..372430484ed7
--- /dev/null
+++ b/contrib/bind9/doc/arm/man.ddns-confgen.html
@@ -0,0 +1,180 @@
+<!--
+ - Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2003 Internet Software Consortium.
+ -
+ - Permission to use, copy, modify, and/or distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+<!-- $Id$ -->
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>ddns-confgen</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
+<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
+<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
+<link rel="prev" href="man.rndc-confgen.html" title="rndc-confgen">
+<link rel="next" href="man.arpaname.html" title="arpaname">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
+<div class="navheader">
+<table width="100%" summary="Navigation header">
+<tr><th colspan="3" align="center"><span class="application">ddns-confgen</span></th></tr>
+<tr>
+<td width="20%" align="left">
+<a accesskey="p" href="man.rndc-confgen.html">Prev</a> </td>
+<th width="60%" align="center">Manual pages</th>
+<td width="20%" align="right"> <a accesskey="n" href="man.arpaname.html">Next</a>
+</td>
+</tr>
+</table>
+<hr>
+</div>
+<div class="refentry" lang="en">
+<a name="man.ddns-confgen"></a><div class="titlepage"></div>
+<div class="refnamediv">
+<h2>Name</h2>
+<p><span class="application">ddns-confgen</span> &#8212; ddns key generation tool</p>
+</div>
+<div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+<div class="cmdsynopsis"><p><code class="command">ddns-confgen</code> [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>keyname</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomfile</code></em></code>] [ -s <em class="replaceable"><code>name</code></em> | -z <em class="replaceable"><code>zone</code></em> ] [<code class="option">-q</code>] [name]</p></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2641910"></a><h2>DESCRIPTION</h2>
+<p><span><strong class="command">ddns-confgen</strong></span>
+ generates a key for use by <span><strong class="command">nsupdate</strong></span>
+ and <span><strong class="command">named</strong></span>. It simplifies configuration
+ of dynamic zones by generating a key and providing the
+ <span><strong class="command">nsupdate</strong></span> and <span><strong class="command">named.conf</strong></span>
+ syntax that will be needed to use it, including an example
+ <span><strong class="command">update-policy</strong></span> statement.
+ </p>
+<p>
+ If a domain name is specified on the command line, it will
+ be used in the name of the generated key and in the sample
+ <span><strong class="command">named.conf</strong></span> syntax. For example,
+ <span><strong class="command">ddns-confgen example.com</strong></span> would
+ generate a key called "ddns-key.example.com", and sample
+ <span><strong class="command">named.conf</strong></span> command that could be used
+ in the zone definition for "example.com".
+ </p>
+<p>
+ Note that <span><strong class="command">named</strong></span> itself can configure a
+ local DDNS key for use with <span><strong class="command">nsupdate -l</strong></span>.
+ <span><strong class="command">ddns-confgen</strong></span> is only needed when a
+ more elaborate configuration is required: for instance, if
+ <span><strong class="command">nsupdate</strong></span> is to be used from a remote system.
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2641997"></a><h2>OPTIONS</h2>
+<div class="variablelist"><dl>
+<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
+<dd><p>
+ Specifies the algorithm to use for the TSIG key. Available
+ choices are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256,
+ hmac-sha384 and hmac-sha512. The default is hmac-sha256.
+ </p></dd>
+<dt><span class="term">-h</span></dt>
+<dd><p>
+ Prints a short summary of the options and arguments to
+ <span><strong class="command">ddns-confgen</strong></span>.
+ </p></dd>
+<dt><span class="term">-k <em class="replaceable"><code>keyname</code></em></span></dt>
+<dd><p>
+ Specifies the key name of the DDNS authentication key.
+ The default is <code class="constant">ddns-key</code> when neither
+ the <code class="option">-s</code> nor <code class="option">-z</code> option is
+ specified; otherwise, the default
+ is <code class="constant">ddns-key</code> as a separate label
+ followed by the argument of the option, e.g.,
+ <code class="constant">ddns-key.example.com.</code>
+ The key name must have the format of a valid domain name,
+ consisting of letters, digits, hyphens and periods.
+ </p></dd>
+<dt><span class="term">-q</span></dt>
+<dd><p>
+ Quiet mode: Print only the key, with no explanatory text or
+ usage examples.
+ </p></dd>
+<dt><span class="term">-r <em class="replaceable"><code>randomfile</code></em></span></dt>
+<dd><p>
+ Specifies a source of random data for generating the
+ authorization. If the operating system does not provide a
+ <code class="filename">/dev/random</code> or equivalent device, the
+ default source of randomness is keyboard input.
+ <code class="filename">randomdev</code> specifies the name of a
+ character device or file containing random data to be used
+ instead of the default. The special value
+ <code class="filename">keyboard</code> indicates that keyboard input
+ should be used.
+ </p></dd>
+<dt><span class="term">-s <em class="replaceable"><code>name</code></em></span></dt>
+<dd><p>
+ Single host mode: The example <span><strong class="command">named.conf</strong></span> text
+ shows how to set an update policy for the specified
+ <em class="replaceable"><code>name</code></em>
+ using the "name" nametype.
+ The default key name is
+ ddns-key.<em class="replaceable"><code>name</code></em>.
+ Note that the "self" nametype cannot be used, since
+ the name to be updated may differ from the key name.
+ This option cannot be used with the <code class="option">-z</code> option.
+ </p></dd>
+<dt><span class="term">-z <em class="replaceable"><code>zone</code></em></span></dt>
+<dd><p>
+ zone mode: The example <span><strong class="command">named.conf</strong></span> text
+ shows how to set an update policy for the specified
+ <em class="replaceable"><code>zone</code></em>
+ using the "zonesub" nametype, allowing updates to all subdomain
+ names within
+ that <em class="replaceable"><code>zone</code></em>.
+ This option cannot be used with the <code class="option">-s</code> option.
+ </p></dd>
+</dl></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2642608"></a><h2>SEE ALSO</h2>
+<p><span class="citerefentry"><span class="refentrytitle">nsupdate</span>(1)</span>,
+ <span class="citerefentry"><span class="refentrytitle">named.conf</span>(5)</span>,
+ <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
+ <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2642646"></a><h2>AUTHOR</h2>
+<p><span class="corpauthor">Internet Systems Consortium</span>
+ </p>
+</div>
+</div>
+<div class="navfooter">
+<hr>
+<table width="100%" summary="Navigation footer">
+<tr>
+<td width="40%" align="left">
+<a accesskey="p" href="man.rndc-confgen.html">Prev</a> </td>
+<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>
+<td width="40%" align="right"> <a accesskey="n" href="man.arpaname.html">Next</a>
+</td>
+</tr>
+<tr>
+<td width="40%" align="left" valign="top">
+<span class="application">rndc-confgen</span> </td>
+<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
+<td width="40%" align="right" valign="top"> <span class="application">arpaname</span>
+</td>
+</tr>
+</table>
+</div>
+</body>
+</html>
diff --git a/contrib/bind9/doc/arm/man.dig.html b/contrib/bind9/doc/arm/man.dig.html
index eb536df6c86f..e5796ca56eee 100644
--- a/contrib/bind9/doc/arm/man.dig.html
+++ b/contrib/bind9/doc/arm/man.dig.html
@@ -52,7 +52,7 @@
<div class="cmdsynopsis"><p><code class="command">dig</code> [global-queryopt...] [query...]</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2563914"></a><h2>DESCRIPTION</h2>
+<a name="id2609644"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dig</strong></span>
(domain information groper) is a flexible tool
for interrogating DNS name servers. It performs DNS lookups and
@@ -98,7 +98,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2579301"></a><h2>SIMPLE USAGE</h2>
+<a name="id2609808"></a><h2>SIMPLE USAGE</h2>
<p>
A typical invocation of <span><strong class="command">dig</strong></span> looks like:
</p>
@@ -144,7 +144,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2630339"></a><h2>OPTIONS</h2>
+<a name="id2610055"></a><h2>OPTIONS</h2>
<p>
The <code class="option">-b</code> option sets the source IP address of the query
to <em class="parameter"><code>address</code></em>. This must be a valid
@@ -248,7 +248,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2630681"></a><h2>QUERY OPTIONS</h2>
+<a name="id2662690"></a><h2>QUERY OPTIONS</h2>
<p><span><strong class="command">dig</strong></span>
provides a number of query options which affect
the way in which lookups are made and the results displayed. Some of
@@ -517,6 +517,12 @@
each record on a single line, to facilitate machine parsing
of the <span><strong class="command">dig</strong></span> output.
</p></dd>
+<dt><span class="term"><code class="option">+[no]onesoa</code></span></dt>
+<dd><p>
+ Print only one (starting) SOA record when performing
+ an AXFR. The default is to print both the starting and
+ ending SOA records.
+ </p></dd>
<dt><span class="term"><code class="option">+[no]fail</code></span></dt>
<dd><p>
Do not try the next server if you receive a SERVFAIL. The
@@ -573,7 +579,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2631750"></a><h2>MULTIPLE QUERIES</h2>
+<a name="id2663772"></a><h2>MULTIPLE QUERIES</h2>
<p>
The BIND 9 implementation of <span><strong class="command">dig </strong></span>
supports
@@ -619,7 +625,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2631835"></a><h2>IDN SUPPORT</h2>
+<a name="id2663858"></a><h2>IDN SUPPORT</h2>
<p>
If <span><strong class="command">dig</strong></span> has been built with IDN (internationalized
domain name) support, it can accept and display non-ASCII domain names.
@@ -633,14 +639,14 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2631864"></a><h2>FILES</h2>
+<a name="id2663886"></a><h2>FILES</h2>
<p><code class="filename">/etc/resolv.conf</code>
</p>
<p><code class="filename">${HOME}/.digrc</code>
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2631885"></a><h2>SEE ALSO</h2>
+<a name="id2663908"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">host</span>(1)</span>,
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
@@ -648,7 +654,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2631923"></a><h2>BUGS</h2>
+<a name="id2663945"></a><h2>BUGS</h2>
<p>
There are probably too many query options.
</p>
diff --git a/contrib/bind9/doc/arm/man.dnssec-dsfromkey.html b/contrib/bind9/doc/arm/man.dnssec-dsfromkey.html
index 276dcc166bdd..d63d6da85969 100644
--- a/contrib/bind9/doc/arm/man.dnssec-dsfromkey.html
+++ b/contrib/bind9/doc/arm/man.dnssec-dsfromkey.html
@@ -47,18 +47,18 @@
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code> [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-1</code>] [<code class="option">-2</code>] [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>] {keyfile}</p></div>
-<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code> {-s} [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-1</code>] [<code class="option">-2</code>] [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>dir</code></em></code>] {dnsname}</p></div>
+<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code> [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-1</code>] [<code class="option">-2</code>] [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] {keyfile}</p></div>
+<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code> {-s} [<code class="option">-1</code>] [<code class="option">-2</code>] [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-s</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-f <em class="replaceable"><code>file</code></em></code>] [<code class="option">-A</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {dnsname}</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2604359"></a><h2>DESCRIPTION</h2>
+<a name="id2611633"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-dsfromkey</strong></span>
outputs the Delegation Signer (DS) resource record (RR), as defined in
RFC 3658 and RFC 4509, for the given key(s).
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2604373"></a><h2>OPTIONS</h2>
+<a name="id2611646"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-1</span></dt>
<dd><p>
@@ -72,34 +72,55 @@
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd><p>
Select the digest algorithm. The value of
- <code class="option">algorithm</code> must be one of SHA-1 (SHA1) or
- SHA-256 (SHA256). These values are case insensitive.
+ <code class="option">algorithm</code> must be one of SHA-1 (SHA1),
+ SHA-256 (SHA256), GOST or SHA-384 (SHA384).
+ These values are case insensitive.
</p></dd>
-<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
+<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
- Sets the debugging level.
+ Look for key files (or, in keyset mode,
+ <code class="filename">keyset-</code> files) in
+ <code class="option">directory</code>.
+ </p></dd>
+<dt><span class="term">-f <em class="replaceable"><code>file</code></em></span></dt>
+<dd><p>
+ Zone file mode: in place of the keyfile name, the argument is
+ the DNS domain name of a zone master file, which can be read
+ from <code class="option">file</code>. If the zone name is the same as
+ <code class="option">file</code>, then it may be omitted.
+ </p></dd>
+<dt><span class="term">-A</span></dt>
+<dd><p>
+ Include ZSK's when generating DS records. Without this option,
+ only keys which have the KSK flag set will be converted to DS
+ records and printed. Useful only in zone file mode.
+ </p></dd>
+<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
+<dd><p>
+ Generate a DLV set instead of a DS set. The specified
+ <code class="option">domain</code> is appended to the name for each
+ record in the set.
+ The DNSSEC Lookaside Validation (DLV) RR is described
+ in RFC 4431.
</p></dd>
<dt><span class="term">-s</span></dt>
<dd><p>
Keyset mode: in place of the keyfile name, the argument is
- the DNS domain name of a keyset file. Following options make sense
- only in this mode.
+ the DNS domain name of a keyset file.
</p></dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>
- Specifies the DNS class (default is IN), useful only
- in the keyset mode.
+ Specifies the DNS class (default is IN). Useful only
+ in keyset or zone file mode.
</p></dd>
-<dt><span class="term">-d <em class="replaceable"><code>directory</code></em></span></dt>
+<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
- Look for <code class="filename">keyset</code> files in
- <code class="option">directory</code> as the directory, ignored when
- not in the keyset mode.
+ Sets the debugging level.
</p></dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2604503"></a><h2>EXAMPLE</h2>
+<a name="id2611835"></a><h2>EXAMPLE</h2>
<p>
To build the SHA-256 DS RR from the
<strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
@@ -114,7 +135,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2604744"></a><h2>FILES</h2>
+<a name="id2611872"></a><h2>FILES</h2>
<p>
The keyfile can be designed by the key identification
<code class="filename">Knnnn.+aaa+iiiii</code> or the full file name
@@ -128,22 +149,23 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2604786"></a><h2>CAVEAT</h2>
+<a name="id2611913"></a><h2>CAVEAT</h2>
<p>
A keyfile error can give a "file not found" even if the file exists.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2604795"></a><h2>SEE ALSO</h2>
+<a name="id2611923"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 3658</em>,
+ <em class="citetitle">RFC 4431</em>.
<em class="citetitle">RFC 4509</em>.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2604832"></a><h2>AUTHOR</h2>
+<a name="id2611962"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
diff --git a/contrib/bind9/doc/arm/man.dnssec-keyfromlabel.html b/contrib/bind9/doc/arm/man.dnssec-keyfromlabel.html
index b3d89b10ea7e..38cba98fa5bb 100644
--- a/contrib/bind9/doc/arm/man.dnssec-keyfromlabel.html
+++ b/contrib/bind9/doc/arm/man.dnssec-keyfromlabel.html
@@ -47,26 +47,31 @@
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">dnssec-keyfromlabel</code> {-a <em class="replaceable"><code>algorithm</code></em>} {-l <em class="replaceable"><code>label</code></em>} [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-k</code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {name}</p></div>
+<div class="cmdsynopsis"><p><code class="command">dnssec-keyfromlabel</code> {-l <em class="replaceable"><code>label</code></em>} [<code class="option">-3</code>] [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-k</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-y</code>] {name}</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2605163"></a><h2>DESCRIPTION</h2>
+<a name="id2612614"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-keyfromlabel</strong></span>
gets keys with the given label from a crypto hardware and builds
key files for DNSSEC (Secure DNS), as defined in RFC 2535
and RFC 4034.
</p>
+<p>
+ The <code class="option">name</code> of the key is specified on the command
+ line. This must match the name of the zone for which the key is
+ being generated.
+ </p>
</div>
<div class="refsect1" lang="en">
-<a name="id2605177"></a><h2>OPTIONS</h2>
+<a name="id2612634"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd>
<p>
Selects the cryptographic algorithm. The value of
- <code class="option">algorithm</code> must be one of RSAMD5,
- RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256,
- RSASHA512 or DH (Diffie Hellman).
+ <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
+ DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
+ ECDSAP256SHA256 or ECDSAP384SHA384.
These values are case insensitive.
</p>
<p>
@@ -84,10 +89,23 @@
Note 2: DH automatically sets the -k flag.
</p>
</dd>
+<dt><span class="term">-3</span></dt>
+<dd><p>
+ Use an NSEC3-capable algorithm to generate a DNSSEC key.
+ If this option is used and no algorithm is explicitly
+ set on the command line, NSEC3RSASHA1 will be used by
+ default.
+ </p></dd>
+<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
+<dd><p>
+ Specifies the name of the crypto hardware (OpenSSL engine).
+ When compiled with PKCS#11 support it defaults to "pkcs11".
+ </p></dd>
<dt><span class="term">-l <em class="replaceable"><code>label</code></em></span></dt>
<dd><p>
- Specifies the label of keys in the crypto hardware
- (PKCS#11 device).
+ Specifies the label of the key pair in the crypto hardware.
+ The label may be preceded by an optional OpenSSL engine name,
+ separated by a colon, as in "pkcs11:keylabel".
</p></dd>
<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
<dd><p>
@@ -96,8 +114,17 @@
zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
a host (KEY)),
USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
- These values are
- case insensitive.
+ These values are case insensitive.
+ </p></dd>
+<dt><span class="term">-C</span></dt>
+<dd><p>
+ Compatibility mode: generates an old-style key, without
+ any metadata. By default, <span><strong class="command">dnssec-keyfromlabel</strong></span>
+ will include the key's creation date in the metadata stored
+ with the private key, and other dates may be set there as well
+ (publication date, activation date, etc). Keys that include
+ this data may be incompatible with older versions of BIND; the
+ <code class="option">-C</code> option suppresses them.
</p></dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>
@@ -107,12 +134,21 @@
<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
<dd><p>
Set the specified flag in the flag field of the KEY/DNSKEY record.
- The only recognized flag is KSK (Key Signing Key) DNSKEY.
+ The only recognized flags are KSK (Key Signing Key) and REVOKE.
+ </p></dd>
+<dt><span class="term">-G</span></dt>
+<dd><p>
+ Generate a key, but do not publish it or sign with it. This
+ option is incompatible with -P and -A.
</p></dd>
<dt><span class="term">-h</span></dt>
<dd><p>
Prints a short summary of the options and arguments to
- <span><strong class="command">dnssec-keygen</strong></span>.
+ <span><strong class="command">dnssec-keyfromlabel</strong></span>.
+ </p></dd>
+<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
+<dd><p>
+ Sets the directory in which the key files are to be written.
</p></dd>
<dt><span class="term">-k</span></dt>
<dd><p>
@@ -120,7 +156,7 @@
</p></dd>
<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
<dd><p>
- Sets the protocol value for the generated key. The protocol
+ Sets the protocol value for the key. The protocol
is a number between 0 and 255. The default is 3 (DNSSEC).
Other possible values for this argument are listed in
RFC 2535 and its successors.
@@ -136,10 +172,65 @@
<dd><p>
Sets the debugging level.
</p></dd>
+<dt><span class="term">-y</span></dt>
+<dd><p>
+ Allows DNSSEC key files to be generated even if the key ID
+ would collide with that of an existing key, in the event of
+ either key being revoked. (This is only safe to use if you
+ are sure you won't be using RFC 5011 trust anchor maintenance
+ with either of the keys involved.)
+ </p></dd>
+</dl></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2613344"></a><h2>TIMING OPTIONS</h2>
+<p>
+ Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
+ If the argument begins with a '+' or '-', it is interpreted as
+ an offset from the present time. For convenience, if such an offset
+ is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
+ then the offset is computed in years (defined as 365 24-hour days,
+ ignoring leap years), months (defined as 30 24-hour days), weeks,
+ days, hours, or minutes, respectively. Without a suffix, the offset
+ is computed in seconds.
+ </p>
+<div class="variablelist"><dl>
+<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
+<dd><p>
+ Sets the date on which a key is to be published to the zone.
+ After that date, the key will be included in the zone but will
+ not be used to sign it. If not set, and if the -G option has
+ not been used, the default is "now".
+ </p></dd>
+<dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
+<dd><p>
+ Sets the date on which the key is to be activated. After that
+ date, the key will be included in the zone and used to sign
+ it. If not set, and if the -G option has not been used, the
+ default is "now".
+ </p></dd>
+<dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
+<dd><p>
+ Sets the date on which the key is to be revoked. After that
+ date, the key will be flagged as revoked. It will be included
+ in the zone and will be used to sign it.
+ </p></dd>
+<dt><span class="term">-I <em class="replaceable"><code>date/offset</code></em></span></dt>
+<dd><p>
+ Sets the date on which the key is to be retired. After that
+ date, the key will still be included in the zone, but it
+ will not be used to sign it.
+ </p></dd>
+<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
+<dd><p>
+ Sets the date on which the key is to be deleted. After that
+ date, the key will no longer be included in the zone. (It
+ may remain in the key repository, however.)
+ </p></dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2605656"></a><h2>GENERATED KEY FILES</h2>
+<a name="id2615080"></a><h2>GENERATED KEY FILES</h2>
<p>
When <span><strong class="command">dnssec-keyfromlabel</strong></span> completes
successfully,
@@ -151,8 +242,7 @@
<li><p><code class="filename">nnnn</code> is the key name.
</p></li>
<li><p><code class="filename">aaa</code> is the numeric representation
- of the
- algorithm.
+ of the algorithm.
</p></li>
<li><p><code class="filename">iiiii</code> is the key identifier (or
footprint).
@@ -163,8 +253,7 @@
on the printed string. <code class="filename">Knnnn.+aaa+iiiii.key</code>
contains the public key, and
<code class="filename">Knnnn.+aaa+iiiii.private</code> contains the
- private
- key.
+ private key.
</p>
<p>
The <code class="filename">.key</code> file contains a DNS KEY record
@@ -173,14 +262,14 @@
statement).
</p>
<p>
- The <code class="filename">.private</code> file contains algorithm
- specific
+ The <code class="filename">.private</code> file contains
+ algorithm-specific
fields. For obvious security reasons, this file does not have
general read permission.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2605955"></a><h2>SEE ALSO</h2>
+<a name="id2615447"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
@@ -188,7 +277,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2605988"></a><h2>AUTHOR</h2>
+<a name="id2615480"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
diff --git a/contrib/bind9/doc/arm/man.dnssec-keygen.html b/contrib/bind9/doc/arm/man.dnssec-keygen.html
index ba35c871a42f..3a3a8394bb4d 100644
--- a/contrib/bind9/doc/arm/man.dnssec-keygen.html
+++ b/contrib/bind9/doc/arm/man.dnssec-keygen.html
@@ -23,7 +23,7 @@
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
<link rel="prev" href="man.dnssec-keyfromlabel.html" title="dnssec-keyfromlabel">
-<link rel="next" href="man.dnssec-signzone.html" title="dnssec-signzone">
+<link rel="next" href="man.dnssec-revoke.html" title="dnssec-revoke">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<div class="navheader">
@@ -33,7 +33,7 @@
<td width="20%" align="left">
<a accesskey="p" href="man.dnssec-keyfromlabel.html">Prev</a> </td>
<th width="60%" align="center">Manual pages</th>
-<td width="20%" align="right"> <a accesskey="n" href="man.dnssec-signzone.html">Next</a>
+<td width="20%" align="right"> <a accesskey="n" href="man.dnssec-revoke.html">Next</a>
</td>
</tr>
</table>
@@ -47,14 +47,15 @@
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code> {-a <em class="replaceable"><code>algorithm</code></em>} {-b <em class="replaceable"><code>keysize</code></em>} {-n <em class="replaceable"><code>nametype</code></em>} [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-e</code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k</code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {name}</p></div>
+<div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code> [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-3</code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-C</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-e</code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-k</code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-q</code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-S <em class="replaceable"><code>key</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code 
class="option">-z</code>] {name}</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2606377"></a><h2>DESCRIPTION</h2>
+<a name="id2613979"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-keygen</strong></span>
generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
and RFC 4034. It can also generate keys for use with
- TSIG (Transaction Signatures), as defined in RFC 2845.
+ TSIG (Transaction Signatures) as defined in RFC 2845, or TKEY
+ (Transaction Key) as defined in RFC 2930.
</p>
<p>
The <code class="option">name</code> of the key is specified on the command
@@ -63,37 +64,58 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2606397"></a><h2>OPTIONS</h2>
+<a name="id2614068"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd>
<p>
Selects the cryptographic algorithm. For DNSSEC keys, the value
of <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
- DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256 or RSASHA512.
- For TSIG/TKEY, the value must
+ DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
+ ECDSAP256SHA256 or ECDSAP384SHA384.
+ For TSIG/TKEY, the value must
be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224,
HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512. These values are
case insensitive.
</p>
<p>
+ If no algorithm is specified, then RSASHA1 will be used by
+ default, unless the <code class="option">-3</code> option is specified,
+ in which case NSEC3RSASHA1 will be used instead. (If
+ <code class="option">-3</code> is used and an algorithm is specified,
+ that algorithm will be checked for compatibility with NSEC3.)
+ </p>
+<p>
Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
algorithm, and DSA is recommended. For TSIG, HMAC-MD5 is
mandatory.
</p>
<p>
- Note 2: HMAC-MD5 and DH automatically set the -k flag.
+ Note 2: DH, HMAC-MD5, and HMAC-SHA1 through HMAC-SHA512
+ automatically set the -T KEY option.
</p>
</dd>
<dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
-<dd><p>
+<dd>
+<p>
Specifies the number of bits in the key. The choice of key
size depends on the algorithm used. RSA keys must be
between 512 and 2048 bits. Diffie Hellman keys must be between
128 and 4096 bits. DSA keys must be between 512 and 1024
bits and an exact multiple of 64. HMAC keys must be
- between 1 and 512 bits.
- </p></dd>
+ between 1 and 512 bits. Elliptic curve algorithms don't need
+ this parameter.
+ </p>
+<p>
+ The key size does not need to be specified if using a default
+ algorithm. The default key size is 1024 bits for zone signing
+ keys (ZSK's) and 2048 bits for key signing keys (KSK's,
+ generated with <code class="option">-f KSK</code>). However, if an
+ algorithm is explicitly specified with the <code class="option">-a</code>,
+ then there is no default key size, and the <code class="option">-b</code>
+ must be used.
+ </p>
+</dd>
<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
<dd><p>
Specifies the owner type of the key. The value of
@@ -104,11 +126,37 @@
These values are case insensitive. Defaults to ZONE for DNSKEY
generation.
</p></dd>
+<dt><span class="term">-3</span></dt>
+<dd><p>
+ Use an NSEC3-capable algorithm to generate a DNSSEC key.
+ If this option is used and no algorithm is explicitly
+ set on the command line, NSEC3RSASHA1 will be used by
+ default. Note that RSASHA256, RSASHA512, ECCGOST,
+ ECDSAP256SHA256 and ECDSAP384SHA384 algorithms
+ are NSEC3-capable.
+ </p></dd>
+<dt><span class="term">-C</span></dt>
+<dd><p>
+ Compatibility mode: generates an old-style key, without
+ any metadata. By default, <span><strong class="command">dnssec-keygen</strong></span>
+ will include the key's creation date in the metadata stored
+ with the private key, and other dates may be set there as well
+ (publication date, activation date, etc). Keys that include
+ this data may be incompatible with older versions of BIND; the
+ <code class="option">-C</code> option suppresses them.
+ </p></dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>
Indicates that the DNS record containing the key should have
the specified class. If not specified, class IN is used.
</p></dd>
+<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
+<dd><p>
+ Uses a crypto hardware (OpenSSL engine) for random number
+ and, when supported, key generation. When compiled with PKCS#11
+ support it defaults to pkcs11; the empty name resets it to
+ no engine.
+ </p></dd>
<dt><span class="term">-e</span></dt>
<dd><p>
If generating an RSAMD5/RSASHA1 key, use a large exponent.
@@ -116,7 +164,12 @@
<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
<dd><p>
Set the specified flag in the flag field of the KEY/DNSKEY record.
- The only recognized flag is KSK (Key Signing Key) DNSKEY.
+ The only recognized flags are KSK (Key Signing Key) and REVOKE.
+ </p></dd>
+<dt><span class="term">-G</span></dt>
+<dd><p>
+ Generate a key, but do not publish it or sign with it. This
+ option is incompatible with -P and -A.
</p></dd>
<dt><span class="term">-g <em class="replaceable"><code>generator</code></em></span></dt>
<dd><p>
@@ -130,9 +183,13 @@
Prints a short summary of the options and arguments to
<span><strong class="command">dnssec-keygen</strong></span>.
</p></dd>
+<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
+<dd><p>
+ Sets the directory in which the key files are to be written.
+ </p></dd>
<dt><span class="term">-k</span></dt>
<dd><p>
- Generate KEY records rather than DNSKEY records.
+ Deprecated in favor of -T KEY.
</p></dd>
<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
<dd><p>
@@ -141,6 +198,20 @@
Other possible values for this argument are listed in
RFC 2535 and its successors.
</p></dd>
+<dt><span class="term">-q</span></dt>
+<dd><p>
+ Quiet mode: Suppresses unnecessary output, including
+ progress indication. Without this option, when
+ <span><strong class="command">dnssec-keygen</strong></span> is run interactively
+ to generate an RSA or DSA key pair, it will print a string
+ of symbols to <code class="filename">stderr</code> indicating the
+ progress of the key generation. A '.' indicates that a
+ random number has been found which passed an initial
+ sieve test; '+' means a number has passed a single
+ round of the Miller-Rabin primality test; a space
+ means that the number has passed all the tests and is
+ a satisfactory key.
+ </p></dd>
<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
<dd><p>
Specifies the source of randomness. If the operating
@@ -153,12 +224,37 @@
<code class="filename">keyboard</code> indicates that keyboard
input should be used.
</p></dd>
+<dt><span class="term">-S <em class="replaceable"><code>key</code></em></span></dt>
+<dd><p>
+ Create a new key which is an explicit successor to an
+ existing key. The name, algorithm, size, and type of the
+ key will be set to match the existing key. The activation
+ date of the new key will be set to the inactivation date of
+ the existing one. The publication date will be set to the
+ activation date minus the prepublication interval, which
+ defaults to 30 days.
+ </p></dd>
<dt><span class="term">-s <em class="replaceable"><code>strength</code></em></span></dt>
<dd><p>
Specifies the strength value of the key. The strength is
a number between 0 and 15, and currently has no defined
purpose in DNSSEC.
</p></dd>
+<dt><span class="term">-T <em class="replaceable"><code>rrtype</code></em></span></dt>
+<dd>
+<p>
+ Specifies the resource record type to use for the key.
+ <code class="option">rrtype</code> must be either DNSKEY or KEY. The
+ default is DNSKEY when using a DNSSEC algorithm, but it can be
+ overridden to KEY for use with SIG(0).
+ </p>
+<p>
+ </p>
+<p>
+ Using any TSIG algorithm (HMAC-* or DH) forces this option
+ to KEY.
+ </p>
+</dd>
<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
<dd><p>
Indicates the use of the key. <code class="option">type</code> must be
@@ -173,7 +269,78 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2606877"></a><h2>GENERATED KEYS</h2>
+<a name="id2666124"></a><h2>TIMING OPTIONS</h2>
+<p>
+ Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
+ If the argument begins with a '+' or '-', it is interpreted as
+ an offset from the present time. For convenience, if such an offset
+ is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
+ then the offset is computed in years (defined as 365 24-hour days,
+ ignoring leap years), months (defined as 30 24-hour days), weeks,
+ days, hours, or minutes, respectively. Without a suffix, the offset
+ is computed in seconds.
+ </p>
+<div class="variablelist"><dl>
+<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
+<dd><p>
+ Sets the date on which a key is to be published to the zone.
+ After that date, the key will be included in the zone but will
+ not be used to sign it. If not set, and if the -G option has
+ not been used, the default is "now".
+ </p></dd>
+<dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
+<dd><p>
+ Sets the date on which the key is to be activated. After that
+ date, the key will be included in the zone and used to sign
+ it. If not set, and if the -G option has not been used, the
+ default is "now".
+ </p></dd>
+<dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
+<dd><p>
+ Sets the date on which the key is to be revoked. After that
+ date, the key will be flagged as revoked. It will be included
+ in the zone and will be used to sign it.
+ </p></dd>
+<dt><span class="term">-I <em class="replaceable"><code>date/offset</code></em></span></dt>
+<dd><p>
+ Sets the date on which the key is to be retired. After that
+ date, the key will still be included in the zone, but it
+ will not be used to sign it.
+ </p></dd>
+<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
+<dd><p>
+ Sets the date on which the key is to be deleted. After that
+ date, the key will no longer be included in the zone. (It
+ may remain in the key repository, however.)
+ </p></dd>
+<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
+<dd>
+<p>
+ Sets the prepublication interval for a key. If set, then
+ the publication and activation dates must be separated by at least
+ this much time. If the activation date is specified but the
+ publication date isn't, then the publication date will default
+ to this much time before the activation date; conversely, if
+ the publication date is specified but activation date isn't,
+ then activation will be set to this much time after publication.
+ </p>
+<p>
+ If the key is being created as an explicit successor to another
+ key, then the default prepublication interval is 30 days;
+ otherwise it is zero.
+ </p>
+<p>
+ As with date offsets, if the argument is followed by one of
+ the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
+ interval is measured in years, months, weeks, days, hours,
+ or minutes, respectively. Without a suffix, the interval is
+ measured in seconds.
+ </p>
+</dd>
+</dl></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2666314"></a><h2>GENERATED KEYS</h2>
<p>
When <span><strong class="command">dnssec-keygen</strong></span> completes
successfully,
@@ -219,7 +386,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2606985"></a><h2>EXAMPLE</h2>
+<a name="id2666422"></a><h2>EXAMPLE</h2>
<p>
To generate a 768-bit DSA key for the domain
<strong class="userinput"><code>example.com</code></strong>, the following command would be
@@ -240,7 +407,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2607929"></a><h2>SEE ALSO</h2>
+<a name="id2666478"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 2539</em>,
@@ -249,7 +416,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2607960"></a><h2>AUTHOR</h2>
+<a name="id2666509"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
@@ -261,14 +428,14 @@
<td width="40%" align="left">
<a accesskey="p" href="man.dnssec-keyfromlabel.html">Prev</a> </td>
<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>
-<td width="40%" align="right"> <a accesskey="n" href="man.dnssec-signzone.html">Next</a>
+<td width="40%" align="right"> <a accesskey="n" href="man.dnssec-revoke.html">Next</a>
</td>
</tr>
<tr>
<td width="40%" align="left" valign="top">
<span class="application">dnssec-keyfromlabel</span> </td>
<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top"> <span class="application">dnssec-signzone</span>
+<td width="40%" align="right" valign="top"> <span class="application">dnssec-revoke</span>
</td>
</tr>
</table>
diff --git a/contrib/bind9/doc/arm/man.dnssec-revoke.html b/contrib/bind9/doc/arm/man.dnssec-revoke.html
new file mode 100644
index 000000000000..e1ff637706a7
--- /dev/null
+++ b/contrib/bind9/doc/arm/man.dnssec-revoke.html
@@ -0,0 +1,131 @@
+<!--
+ - Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2003 Internet Software Consortium.
+ -
+ - Permission to use, copy, modify, and/or distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+<!-- $Id$ -->
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>dnssec-revoke</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
+<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
+<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
+<link rel="prev" href="man.dnssec-keygen.html" title="dnssec-keygen">
+<link rel="next" href="man.dnssec-settime.html" title="dnssec-settime">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
+<div class="navheader">
+<table width="100%" summary="Navigation header">
+<tr><th colspan="3" align="center"><span class="application">dnssec-revoke</span></th></tr>
+<tr>
+<td width="20%" align="left">
+<a accesskey="p" href="man.dnssec-keygen.html">Prev</a> </td>
+<th width="60%" align="center">Manual pages</th>
+<td width="20%" align="right"> <a accesskey="n" href="man.dnssec-settime.html">Next</a>
+</td>
+</tr>
+</table>
+<hr>
+</div>
+<div class="refentry" lang="en">
+<a name="man.dnssec-revoke"></a><div class="titlepage"></div>
+<div class="refnamediv">
+<h2>Name</h2>
+<p><span class="application">dnssec-revoke</span> &#8212; Set the REVOKED bit on a DNSSEC key</p>
+</div>
+<div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+<div class="cmdsynopsis"><p><code class="command">dnssec-revoke</code> [<code class="option">-hr</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f</code>] [<code class="option">-R</code>] {keyfile}</p></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2614416"></a><h2>DESCRIPTION</h2>
+<p><span><strong class="command">dnssec-revoke</strong></span>
+ reads a DNSSEC key file, sets the REVOKED bit on the key as defined
+ in RFC 5011, and creates a new pair of key files containing the
+ now-revoked key.
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2614429"></a><h2>OPTIONS</h2>
+<div class="variablelist"><dl>
+<dt><span class="term">-h</span></dt>
+<dd><p>
+ Emit usage message and exit.
+ </p></dd>
+<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
+<dd><p>
+ Sets the directory in which the key files are to reside.
+ </p></dd>
+<dt><span class="term">-r</span></dt>
+<dd><p>
+ After writing the new keyset files remove the original keyset
+ files.
+ </p></dd>
+<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
+<dd><p>
+ Sets the debugging level.
+ </p></dd>
+<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
+<dd><p>
+ Use the given OpenSSL engine. When compiled with PKCS#11 support
+ it defaults to pkcs11; the empty name resets it to no engine.
+ </p></dd>
+<dt><span class="term">-f</span></dt>
+<dd><p>
+ Force overwrite: Causes <span><strong class="command">dnssec-revoke</strong></span> to
+ write the new key pair even if a file already exists matching
+ the algorithm and key ID of the revoked key.
+ </p></dd>
+<dt><span class="term">-R</span></dt>
+<dd><p>
+ Print the key tag of the key with the REVOKE bit set but do
+ not revoke the key.
+ </p></dd>
+</dl></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2614550"></a><h2>SEE ALSO</h2>
+<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
+ <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
+ <em class="citetitle">RFC 5011</em>.
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2614574"></a><h2>AUTHOR</h2>
+<p><span class="corpauthor">Internet Systems Consortium</span>
+ </p>
+</div>
+</div>
+<div class="navfooter">
+<hr>
+<table width="100%" summary="Navigation footer">
+<tr>
+<td width="40%" align="left">
+<a accesskey="p" href="man.dnssec-keygen.html">Prev</a> </td>
+<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>
+<td width="40%" align="right"> <a accesskey="n" href="man.dnssec-settime.html">Next</a>
+</td>
+</tr>
+<tr>
+<td width="40%" align="left" valign="top">
+<span class="application">dnssec-keygen</span> </td>
+<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
+<td width="40%" align="right" valign="top"> <span class="application">dnssec-settime</span>
+</td>
+</tr>
+</table>
+</div>
+</body>
+</html>
diff --git a/contrib/bind9/doc/arm/man.dnssec-settime.html b/contrib/bind9/doc/arm/man.dnssec-settime.html
new file mode 100644
index 000000000000..cd14fe2cdc22
--- /dev/null
+++ b/contrib/bind9/doc/arm/man.dnssec-settime.html
@@ -0,0 +1,250 @@
+<!--
+ - Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2003 Internet Software Consortium.
+ -
+ - Permission to use, copy, modify, and/or distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+<!-- $Id$ -->
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>dnssec-settime</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
+<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
+<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
+<link rel="prev" href="man.dnssec-revoke.html" title="dnssec-revoke">
+<link rel="next" href="man.dnssec-signzone.html" title="dnssec-signzone">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
+<div class="navheader">
+<table width="100%" summary="Navigation header">
+<tr><th colspan="3" align="center"><span class="application">dnssec-settime</span></th></tr>
+<tr>
+<td width="20%" align="left">
+<a accesskey="p" href="man.dnssec-revoke.html">Prev</a> </td>
+<th width="60%" align="center">Manual pages</th>
+<td width="20%" align="right"> <a accesskey="n" href="man.dnssec-signzone.html">Next</a>
+</td>
+</tr>
+</table>
+<hr>
+</div>
+<div class="refentry" lang="en">
+<a name="man.dnssec-settime"></a><div class="titlepage"></div>
+<div class="refnamediv">
+<h2>Name</h2>
+<p><span class="application">dnssec-settime</span> &#8212; Set the key timing metadata for a DNSSEC key</p>
+</div>
+<div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+<div class="cmdsynopsis"><p><code class="command">dnssec-settime</code> [<code class="option">-f</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-h</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] {keyfile}</p></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2614758"></a><h2>DESCRIPTION</h2>
+<p><span><strong class="command">dnssec-settime</strong></span>
+ reads a DNSSEC private key file and sets the key timing metadata
+ as specified by the <code class="option">-P</code>, <code class="option">-A</code>,
+ <code class="option">-R</code>, <code class="option">-I</code>, and <code class="option">-D</code>
+ options. The metadata can then be used by
+ <span><strong class="command">dnssec-signzone</strong></span> or other signing software to
+ determine when a key is to be published, whether it should be
+ used for signing a zone, etc.
+ </p>
+<p>
+ If none of these options is set on the command line,
+ then <span><strong class="command">dnssec-settime</strong></span> simply prints the key timing
+ metadata already stored in the key.
+ </p>
+<p>
+ When key metadata fields are changed, both files of a key
+ pair (<code class="filename">Knnnn.+aaa+iiiii.key</code> and
+ <code class="filename">Knnnn.+aaa+iiiii.private</code>) are regenerated.
+ Metadata fields are stored in the private file. A human-readable
+ description of the metadata is also placed in comments in the key
+ file. The private file's permissions are always set to be
+ inaccessible to anyone other than the owner (mode 0600).
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2614817"></a><h2>OPTIONS</h2>
+<div class="variablelist"><dl>
+<dt><span class="term">-f</span></dt>
+<dd><p>
+ Force an update of an old-format key with no metadata fields.
+ Without this option, <span><strong class="command">dnssec-settime</strong></span> will
+ fail when attempting to update a legacy key. With this option,
+ the key will be recreated in the new format, but with the
+ original key data retained. The key's creation date will be
+ set to the present time. If no other values are specified,
+ then the key's publication and activation dates will also
+ be set to the present time.
+ </p></dd>
+<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
+<dd><p>
+ Sets the directory in which the key files are to reside.
+ </p></dd>
+<dt><span class="term">-h</span></dt>
+<dd><p>
+ Emit usage message and exit.
+ </p></dd>
+<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
+<dd><p>
+ Sets the debugging level.
+ </p></dd>
+<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
+<dd><p>
+ Use the given OpenSSL engine. When compiled with PKCS#11 support
+ it defaults to pkcs11; the empty name resets it to no engine.
+ </p></dd>
+</dl></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2615184"></a><h2>TIMING OPTIONS</h2>
+<p>
+ Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
+ If the argument begins with a '+' or '-', it is interpreted as
+ an offset from the present time. For convenience, if such an offset
+ is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
+ then the offset is computed in years (defined as 365 24-hour days,
+ ignoring leap years), months (defined as 30 24-hour days), weeks,
+ days, hours, or minutes, respectively. Without a suffix, the offset
+ is computed in seconds. To unset a date, use 'none'.
+ </p>
+<div class="variablelist"><dl>
+<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
+<dd><p>
+ Sets the date on which a key is to be published to the zone.
+ After that date, the key will be included in the zone but will
+ not be used to sign it.
+ </p></dd>
+<dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
+<dd><p>
+ Sets the date on which the key is to be activated. After that
+ date, the key will be included in the zone and used to sign
+ it.
+ </p></dd>
+<dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
+<dd><p>
+ Sets the date on which the key is to be revoked. After that
+ date, the key will be flagged as revoked. It will be included
+ in the zone and will be used to sign it.
+ </p></dd>
+<dt><span class="term">-I <em class="replaceable"><code>date/offset</code></em></span></dt>
+<dd><p>
+ Sets the date on which the key is to be retired. After that
+ date, the key will still be included in the zone, but it
+ will not be used to sign it.
+ </p></dd>
+<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
+<dd><p>
+ Sets the date on which the key is to be deleted. After that
+ date, the key will no longer be included in the zone. (It
+ may remain in the key repository, however.)
+ </p></dd>
+<dt><span class="term">-S <em class="replaceable"><code>predecessor key</code></em></span></dt>
+<dd><p>
+ Select a key for which the key being modified will be an
+ explicit successor. The name, algorithm, size, and type of the
+ predecessor key must exactly match those of the key being
+ modified. The activation date of the successor key will be set
+ to the inactivation date of the predecessor. The publication
+ date will be set to the activation date minus the prepublication
+ interval, which defaults to 30 days.
+ </p></dd>
+<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
+<dd>
+<p>
+ Sets the prepublication interval for a key. If set, then
+ the publication and activation dates must be separated by at least
+ this much time. If the activation date is specified but the
+ publication date isn't, then the publication date will default
+ to this much time before the activation date; conversely, if
+ the publication date is specified but activation date isn't,
+ then activation will be set to this much time after publication.
+ </p>
+<p>
+ If the key is being set to be an explicit successor to another
+ key, then the default prepublication interval is 30 days;
+ otherwise it is zero.
+ </p>
+<p>
+ As with date offsets, if the argument is followed by one of
+ the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
+ interval is measured in years, months, weeks, days, hours,
+ or minutes, respectively. Without a suffix, the interval is
+ measured in seconds.
+ </p>
+</dd>
+</dl></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2615322"></a><h2>PRINTING OPTIONS</h2>
+<p>
+ <span><strong class="command">dnssec-settime</strong></span> can also be used to print the
+ timing metadata associated with a key.
+ </p>
+<div class="variablelist"><dl>
+<dt><span class="term">-u</span></dt>
+<dd><p>
+ Print times in UNIX epoch format.
+ </p></dd>
+<dt><span class="term">-p <em class="replaceable"><code>C/P/A/R/I/D/all</code></em></span></dt>
+<dd><p>
+ Print a specific metadata value or set of metadata values.
+ The <code class="option">-p</code> option may be followed by one or more
+ of the following letters to indicate which value or values to print:
+ <code class="option">C</code> for the creation date,
+ <code class="option">P</code> for the publication date,
+ <code class="option">A</code> for the activation date,
+ <code class="option">R</code> for the revocation date,
+ <code class="option">I</code> for the inactivation date, or
+ <code class="option">D</code> for the deletion date.
+ To print all of the metadata, use <code class="option">-p all</code>.
+ </p></dd>
+</dl></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2615607"></a><h2>SEE ALSO</h2>
+<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
+ <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
+ <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
+ <em class="citetitle">RFC 5011</em>.
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2615640"></a><h2>AUTHOR</h2>
+<p><span class="corpauthor">Internet Systems Consortium</span>
+ </p>
+</div>
+</div>
+<div class="navfooter">
+<hr>
+<table width="100%" summary="Navigation footer">
+<tr>
+<td width="40%" align="left">
+<a accesskey="p" href="man.dnssec-revoke.html">Prev</a> </td>
+<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>
+<td width="40%" align="right"> <a accesskey="n" href="man.dnssec-signzone.html">Next</a>
+</td>
+</tr>
+<tr>
+<td width="40%" align="left" valign="top">
+<span class="application">dnssec-revoke</span> </td>
+<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
+<td width="40%" align="right" valign="top"> <span class="application">dnssec-signzone</span>
+</td>
+</tr>
+</table>
+</div>
+</body>
+</html>
diff --git a/contrib/bind9/doc/arm/man.dnssec-signzone.html b/contrib/bind9/doc/arm/man.dnssec-signzone.html
index 9f07b6f40535..3132c54440a3 100644
--- a/contrib/bind9/doc/arm/man.dnssec-signzone.html
+++ b/contrib/bind9/doc/arm/man.dnssec-signzone.html
@@ -22,7 +22,7 @@
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
-<link rel="prev" href="man.dnssec-keygen.html" title="dnssec-keygen">
+<link rel="prev" href="man.dnssec-settime.html" title="dnssec-settime">
<link rel="next" href="man.named-checkconf.html" title="named-checkconf">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
@@ -31,7 +31,7 @@
<tr><th colspan="3" align="center"><span class="application">dnssec-signzone</span></th></tr>
<tr>
<td width="20%" align="left">
-<a accesskey="p" href="man.dnssec-keygen.html">Prev</a> </td>
+<a accesskey="p" href="man.dnssec-settime.html">Prev</a> </td>
<th width="60%" align="center">Manual pages</th>
<td width="20%" align="right"> <a accesskey="n" href="man.named-checkconf.html">Next</a>
</td>
@@ -47,21 +47,21 @@
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code> [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>] [<code class="option">-N <em class="replaceable"><code>soa-serial-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>] [<code class="option">-p</code>] [<code class="option">-P</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-t</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-z</code>] [<code class="option">-3 <em class="replaceable"><code>salt</code></em></code>] [<code class="option">-H <em class="replaceable"><code>iterations</code></em></code>] [<code class="option">-A</code>] {zonefile} [key...]</p></div>
+<div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code> [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>] [<code class="option">-N <em class="replaceable"><code>soa-serial-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>] [<code class="option">-p</code>] [<code class="option">-P</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-S</code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-T <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-t</code>] [<code class="option">-u</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-x</code>] [<code class="option">-z</code>] [<code class="option">-3 <em class="replaceable"><code>salt</code></em></code>] 
[<code class="option">-H <em class="replaceable"><code>iterations</code></em></code>] [<code class="option">-A</code>] {zonefile} [key...]</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2608530"></a><h2>DESCRIPTION</h2>
+<a name="id2616228"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-signzone</strong></span>
signs a zone. It generates
NSEC and RRSIG records and produces a signed version of the
- zone. It also generates a <code class="filename">keyset-</code> file containing
- the key-signing keys for the zone, and if signing a zone which
- contains delegations, it can optionally generate DS records for
- the child zones from their <code class="filename">keyset-</code> files.
+ zone. The security status of delegations from the signed zone
+ (that is, whether the child zones are secure or not) is
+ determined by the presence or absence of a
+ <code class="filename">keyset</code> file for each child zone.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2608622"></a><h2>OPTIONS</h2>
+<a name="id2616247"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-a</span></dt>
<dd><p>
@@ -71,6 +71,38 @@
<dd><p>
Specifies the DNS class of the zone.
</p></dd>
+<dt><span class="term">-C</span></dt>
+<dd><p>
+ Compatibility mode: Generate a
+ <code class="filename">keyset-<em class="replaceable"><code>zonename</code></em></code>
+ file in addition to
+ <code class="filename">dsset-<em class="replaceable"><code>zonename</code></em></code>
+ when signing a zone, for use by older versions of
+ <span><strong class="command">dnssec-signzone</strong></span>.
+ </p></dd>
+<dt><span class="term">-d <em class="replaceable"><code>directory</code></em></span></dt>
+<dd><p>
+ Look for <code class="filename">dsset-</code> or
+ <code class="filename">keyset-</code> files in <code class="option">directory</code>.
+ </p></dd>
+<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
+<dd><p>
+ Uses a crypto hardware (OpenSSL engine) for the crypto operations
+ it supports, for instance signing with private keys from
+ a secure key store. When compiled with PKCS#11 support
+ it defaults to pkcs11; the empty name resets it to no engine.
+ </p></dd>
+<dt><span class="term">-g</span></dt>
+<dd><p>
+ Generate DS records for child zones from
+ <code class="filename">dsset-</code> or <code class="filename">keyset-</code>
+ file. Existing DS records will be removed.
+ </p></dd>
+<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
+<dd><p>
+ Key repository: Specify a directory to search for DNSSEC keys.
+ If not specified, defaults to the current directory.
+ </p></dd>
<dt><span class="term">-k <em class="replaceable"><code>key</code></em></span></dt>
<dd><p>
Treat specified key as a key signing key ignoring any
@@ -81,18 +113,6 @@
Generate a DLV set in addition to the key (DNSKEY) and DS sets.
The domain is appended to the name of the records.
</p></dd>
-<dt><span class="term">-d <em class="replaceable"><code>directory</code></em></span></dt>
-<dd><p>
- Look for <code class="filename">keyset</code> files in
- <code class="option">directory</code> as the directory
- </p></dd>
-<dt><span class="term">-g</span></dt>
-<dd><p>
- If the zone contains any delegations, and there are
- <code class="filename">keyset-</code> files for any of the child zones,
- then DS records for the child zones will be generated from the
- keys in those files. Existing DS records will be removed.
- </p></dd>
<dt><span class="term">-s <em class="replaceable"><code>start-time</code></em></span></dt>
<dd><p>
Specify the date and time when the generated RRSIG records
@@ -113,6 +133,8 @@
the start time. A time relative to the current time is
indicated with now+N. If no <code class="option">end-time</code> is
specified, 30 days from the start time is used as a default.
+ <code class="option">end-time</code> must be later than
+ <code class="option">start-time</code>.
</p></dd>
<dt><span class="term">-f <em class="replaceable"><code>output-file</code></em></span></dt>
<dd><p>
@@ -247,35 +269,119 @@
<code class="filename">keyboard</code> indicates that keyboard
input should be used.
</p></dd>
+<dt><span class="term">-S</span></dt>
+<dd>
+<p>
+ Smart signing: Instructs <span><strong class="command">dnssec-signzone</strong></span> to
+ search the key repository for keys that match the zone being
+ signed, and to include them in the zone if appropriate.
+ </p>
+<p>
+ When a key is found, its timing metadata is examined to
+ determine how it should be used, according to the following
+ rules. Each successive rule takes priority over the prior
+ ones:
+ </p>
+<div class="variablelist"><dl>
+<dt></dt>
+<dd><p>
+ If no timing metadata has been set for the key, the key is
+ published in the zone and used to sign the zone.
+ </p></dd>
+<dt></dt>
+<dd><p>
+ If the key's publication date is set and is in the past, the
+ key is published in the zone.
+ </p></dd>
+<dt></dt>
+<dd><p>
+ If the key's activation date is set and in the past, the
+ key is published (regardless of publication date) and
+ used to sign the zone.
+ </p></dd>
+<dt></dt>
+<dd><p>
+ If the key's revocation date is set and in the past, and the
+ key is published, then the key is revoked, and the revoked key
+ is used to sign the zone.
+ </p></dd>
+<dt></dt>
+<dd><p>
+ If either of the key's unpublication or deletion dates are set
+ and in the past, the key is NOT published or used to sign the
+ zone, regardless of any other metadata.
+ </p></dd>
+</dl></div>
+</dd>
+<dt><span class="term">-T <em class="replaceable"><code>ttl</code></em></span></dt>
+<dd><p>
+ Specifies the TTL to be used for new DNSKEY records imported
+ into the zone from the key repository. If not specified,
+ the default is the minimum TTL value from the zone's SOA
+ record. This option is ignored when signing without
+ <code class="option">-S</code>, since DNSKEY records are not imported
+ from the key repository in that case. It is also ignored if
+ there are any pre-existing DNSKEY records at the zone apex,
+ in which case new records' TTL values will be set to match
+ them.
+ </p></dd>
<dt><span class="term">-t</span></dt>
<dd><p>
Print statistics at completion.
</p></dd>
+<dt><span class="term">-u</span></dt>
+<dd><p>
+ Update NSEC/NSEC3 chain when re-signing a previously signed
+ zone. With this option, a zone signed with NSEC can be
+ switched to NSEC3, or a zone signed with NSEC3 can
+ be switch to NSEC or to NSEC3 with different parameters.
+ Without this option, <span><strong class="command">dnssec-signzone</strong></span> will
+ retain the existing chain when re-signing.
+ </p></dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
Sets the debugging level.
</p></dd>
+<dt><span class="term">-x</span></dt>
+<dd><p>
+ Only sign the DNSKEY RRset with key-signing keys, and omit
+ signatures from zone-signing keys. (This is similar to the
+ <span><strong class="command">dnssec-dnskey-kskonly yes;</strong></span> zone option in
+ <span><strong class="command">named</strong></span>.)
+ </p></dd>
<dt><span class="term">-z</span></dt>
<dd><p>
- Ignore KSK flag on key when determining what to sign.
+ Ignore KSK flag on key when determining what to sign. This
+ causes KSK-flagged keys to sign all records, not just the
+ DNSKEY RRset. (This is similar to the
+ <span><strong class="command">update-check-ksk no;</strong></span> zone option in
+ <span><strong class="command">named</strong></span>.)
</p></dd>
<dt><span class="term">-3 <em class="replaceable"><code>salt</code></em></span></dt>
<dd><p>
- Generate a NSEC3 chain with the given hex encoded salt.
+ Generate an NSEC3 chain with the given hex encoded salt.
A dash (<em class="replaceable"><code>salt</code></em>) can
be used to indicate that no salt is to be used when generating the NSEC3 chain.
</p></dd>
<dt><span class="term">-H <em class="replaceable"><code>iterations</code></em></span></dt>
<dd><p>
- When generating a NSEC3 chain use this many interations. The
- default is 100.
+ When generating an NSEC3 chain, use this many interations. The
+ default is 10.
</p></dd>
<dt><span class="term">-A</span></dt>
-<dd><p>
- When generating a NSEC3 chain set the OPTOUT flag on all
+<dd>
+<p>
+ When generating an NSEC3 chain set the OPTOUT flag on all
NSEC3 records and do not generate NSEC3 records for insecure
delegations.
- </p></dd>
+ </p>
+<p>
+ Using this option twice (i.e., <code class="option">-AA</code>)
+ turns the OPTOUT flag off for all records. This is useful
+ when using the <code class="option">-u</code> option to modify an NSEC3
+ chain which previously had OPTOUT set.
+ </p>
+</dd>
<dt><span class="term">zonefile</span></dt>
<dd><p>
The file containing the zone to be signed.
@@ -291,14 +397,15 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2659081"></a><h2>EXAMPLE</h2>
+<a name="id2667564"></a><h2>EXAMPLE</h2>
<p>
The following command signs the <strong class="userinput"><code>example.com</code></strong>
zone with the DSA key generated by <span><strong class="command">dnssec-keygen</strong></span>
- (Kexample.com.+003+17247). The zone's keys must be in the master
- file (<code class="filename">db.example.com</code>). This invocation looks
- for <code class="filename">keyset</code> files, in the current directory,
- so that DS records can be generated from them (<span><strong class="command">-g</strong></span>).
+ (Kexample.com.+003+17247). Because the <span><strong class="command">-S</strong></span> option
+ is not being used, the zone's keys must be in the master file
+ (<code class="filename">db.example.com</code>). This invocation looks
+ for <code class="filename">dsset</code> files, in the current directory,
+ so that DS records can be imported from them (<span><strong class="command">-g</strong></span>).
</p>
<pre class="programlisting">% dnssec-signzone -g -o example.com db.example.com \
Kexample.com.+003+17247
@@ -320,39 +427,14 @@ db.example.com.signed
%</pre>
</div>
<div class="refsect1" lang="en">
-<a name="id2659222"></a><h2>KNOWN BUGS</h2>
-<p>
- <span><strong class="command">dnssec-signzone</strong></span> was designed so that it could
- sign a zone partially, using only a subset of the DNSSEC keys
- needed to produce a fully-signed zone. This permits a zone
- administrator, for example, to sign a zone with one key on one
- machine, move the resulting partially-signed zone to a second
- machine, and sign it again with a second key.
- </p>
-<p>
- An unfortunate side-effect of this flexibility is that
- <span><strong class="command">dnssec-signzone</strong></span> does not check to make sure
- it's signing a zone with any valid keys at all. An attempt to
- sign a zone without any keys will appear to succeed, producing
- a "signed" zone with no signatures. There is no warning issued
- when a zone is not fully signed.
- </p>
-<p>
- This will be corrected in a future release. In the meantime, ISC
- recommends examining the output of <span><strong class="command">dnssec-signzone</strong></span>
- to confirm that the zone is properly signed by all keys before
- using it.
- </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2659254"></a><h2>SEE ALSO</h2>
+<a name="id2667643"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 4033</em>.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2659278"></a><h2>AUTHOR</h2>
+<a name="id2667668"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
@@ -362,14 +444,14 @@ db.example.com.signed
<table width="100%" summary="Navigation footer">
<tr>
<td width="40%" align="left">
-<a accesskey="p" href="man.dnssec-keygen.html">Prev</a> </td>
+<a accesskey="p" href="man.dnssec-settime.html">Prev</a> </td>
<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>
<td width="40%" align="right"> <a accesskey="n" href="man.named-checkconf.html">Next</a>
</td>
</tr>
<tr>
<td width="40%" align="left" valign="top">
-<span class="application">dnssec-keygen</span> </td>
+<span class="application">dnssec-settime</span> </td>
<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
<td width="40%" align="right" valign="top"> <span class="application">named-checkconf</span>
</td>
diff --git a/contrib/bind9/doc/arm/man.genrandom.html b/contrib/bind9/doc/arm/man.genrandom.html
new file mode 100644
index 000000000000..0b72a6e8fa29
--- /dev/null
+++ b/contrib/bind9/doc/arm/man.genrandom.html
@@ -0,0 +1,112 @@
+<!--
+ - Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2003 Internet Software Consortium.
+ -
+ - Permission to use, copy, modify, and/or distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+<!-- $Id$ -->
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>genrandom</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
+<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
+<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
+<link rel="prev" href="man.arpaname.html" title="arpaname">
+<link rel="next" href="man.isc-hmac-fixup.html" title="isc-hmac-fixup">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
+<div class="navheader">
+<table width="100%" summary="Navigation header">
+<tr><th colspan="3" align="center"><span class="application">genrandom</span></th></tr>
+<tr>
+<td width="20%" align="left">
+<a accesskey="p" href="man.arpaname.html">Prev</a> </td>
+<th width="60%" align="center">Manual pages</th>
+<td width="20%" align="right"> <a accesskey="n" href="man.isc-hmac-fixup.html">Next</a>
+</td>
+</tr>
+</table>
+<hr>
+</div>
+<div class="refentry" lang="en">
+<a name="man.genrandom"></a><div class="titlepage"></div>
+<div class="refnamediv">
+<h2>Name</h2>
+<p><span class="application">genrandom</span> &#8212; generate a file containing random data</p>
+</div>
+<div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+<div class="cmdsynopsis"><p><code class="command">genrandom</code> [<code class="option">-n <em class="replaceable"><code>number</code></em></code>] {<em class="replaceable"><code>size</code></em>} {<em class="replaceable"><code>filename</code></em>}</p></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2642837"></a><h2>DESCRIPTION</h2>
+<p>
+ <span><strong class="command">genrandom</strong></span>
+ generates a file or a set of files containing a specified quantity
+ of pseudo-random data, which can be used as a source of entropy for
+ other commands on systems with no random device.
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2642852"></a><h2>ARGUMENTS</h2>
+<div class="variablelist"><dl>
+<dt><span class="term">-n <em class="replaceable"><code>number</code></em></span></dt>
+<dd><p>
+ In place of generating one file, generates <code class="option">number</code>
+ (from 2 to 9) files, appending <code class="option">number</code> to the name.
+ </p></dd>
+<dt><span class="term">size</span></dt>
+<dd><p>
+ The size of the file, in kilobytes, to generate.
+ </p></dd>
+<dt><span class="term">filename</span></dt>
+<dd><p>
+ The file name into which random data should be written.
+ </p></dd>
+</dl></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2642913"></a><h2>SEE ALSO</h2>
+<p>
+ <span class="citerefentry"><span class="refentrytitle">rand</span>(3)</span>,
+ <span class="citerefentry"><span class="refentrytitle">arc4random</span>(3)</span>
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2642939"></a><h2>AUTHOR</h2>
+<p><span class="corpauthor">Internet Systems Consortium</span>
+ </p>
+</div>
+</div>
+<div class="navfooter">
+<hr>
+<table width="100%" summary="Navigation footer">
+<tr>
+<td width="40%" align="left">
+<a accesskey="p" href="man.arpaname.html">Prev</a> </td>
+<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>
+<td width="40%" align="right"> <a accesskey="n" href="man.isc-hmac-fixup.html">Next</a>
+</td>
+</tr>
+<tr>
+<td width="40%" align="left" valign="top">
+<span class="application">arpaname</span> </td>
+<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
+<td width="40%" align="right" valign="top"> <span class="application">isc-hmac-fixup</span>
+</td>
+</tr>
+</table>
+</div>
+</body>
+</html>
diff --git a/contrib/bind9/doc/arm/man.host.html b/contrib/bind9/doc/arm/man.host.html
index 2442b9ce5b87..dd70d66b6d45 100644
--- a/contrib/bind9/doc/arm/man.host.html
+++ b/contrib/bind9/doc/arm/man.host.html
@@ -50,7 +50,7 @@
<div class="cmdsynopsis"><p><code class="command">host</code> [<code class="option">-aCdlnrsTwv</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-N <em class="replaceable"><code>ndots</code></em></code>] [<code class="option">-R <em class="replaceable"><code>number</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-W <em class="replaceable"><code>wait</code></em></code>] [<code class="option">-m <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-4</code>] [<code class="option">-6</code>] {name} [server]</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2603717"></a><h2>DESCRIPTION</h2>
+<a name="id2610871"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">host</strong></span>
is a simple utility for performing DNS lookups.
It is normally used to convert names to IP addresses and vice versa.
@@ -202,7 +202,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2604231"></a><h2>IDN SUPPORT</h2>
+<a name="id2611317"></a><h2>IDN SUPPORT</h2>
<p>
If <span><strong class="command">host</strong></span> has been built with IDN (internationalized
domain name) support, it can accept and display non-ASCII domain names.
@@ -216,12 +216,12 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2605898"></a><h2>FILES</h2>
+<a name="id2611346"></a><h2>FILES</h2>
<p><code class="filename">/etc/resolv.conf</code>
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2605912"></a><h2>SEE ALSO</h2>
+<a name="id2611360"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dig</span>(1)</span>,
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>.
</p>
diff --git a/contrib/bind9/doc/arm/man.isc-hmac-fixup.html b/contrib/bind9/doc/arm/man.isc-hmac-fixup.html
new file mode 100644
index 000000000000..d089af0476ca
--- /dev/null
+++ b/contrib/bind9/doc/arm/man.isc-hmac-fixup.html
@@ -0,0 +1,122 @@
+<!--
+ - Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2003 Internet Software Consortium.
+ -
+ - Permission to use, copy, modify, and/or distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+<!-- $Id$ -->
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>isc-hmac-fixup</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
+<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
+<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
+<link rel="prev" href="man.genrandom.html" title="genrandom">
+<link rel="next" href="man.nsec3hash.html" title="nsec3hash">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
+<div class="navheader">
+<table width="100%" summary="Navigation header">
+<tr><th colspan="3" align="center"><span class="application">isc-hmac-fixup</span></th></tr>
+<tr>
+<td width="20%" align="left">
+<a accesskey="p" href="man.genrandom.html">Prev</a> </td>
+<th width="60%" align="center">Manual pages</th>
+<td width="20%" align="right"> <a accesskey="n" href="man.nsec3hash.html">Next</a>
+</td>
+</tr>
+</table>
+<hr>
+</div>
+<div class="refentry" lang="en">
+<a name="man.isc-hmac-fixup"></a><div class="titlepage"></div>
+<div class="refnamediv">
+<h2>Name</h2>
+<p><span class="application">isc-hmac-fixup</span> &#8212; fixes HMAC keys generated by older versions of BIND</p>
+</div>
+<div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+<div class="cmdsynopsis"><p><code class="command">isc-hmac-fixup</code> {<em class="replaceable"><code>algorithm</code></em>} {<em class="replaceable"><code>secret</code></em>}</p></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2619705"></a><h2>DESCRIPTION</h2>
+<p>
+ Versions of BIND 9 up to and including BIND 9.6 had a bug causing
+ HMAC-SHA* TSIG keys which were longer than the digest length of the
+ hash algorithm (i.e., SHA1 keys longer than 160 bits, SHA256 keys
+ longer than 256 bits, etc) to be used incorrectly, generating a
+ message authentication code that was incompatible with other DNS
+ implementations.
+ </p>
+<p>
+ This bug has been fixed in BIND 9.7. However, the fix may
+ cause incompatibility between older and newer versions of
+ BIND, when using long keys. <span><strong class="command">isc-hmac-fixup</strong></span>
+ modifies those keys to restore compatibility.
+ </p>
+<p>
+ To modify a key, run <span><strong class="command">isc-hmac-fixup</strong></span> and
+ specify the key's algorithm and secret on the command line. If the
+ secret is longer than the digest length of the algorithm (64 bytes
+ for SHA1 through SHA256, or 128 bytes for SHA384 and SHA512), then a
+ new secret will be generated consisting of a hash digest of the old
+ secret. (If the secret did not require conversion, then it will be
+ printed without modification.)
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2643899"></a><h2>SECURITY CONSIDERATIONS</h2>
+<p>
+ Secrets that have been converted by <span><strong class="command">isc-hmac-fixup</strong></span>
+ are shortened, but as this is how the HMAC protocol works in
+ operation anyway, it does not affect security. RFC 2104 notes,
+ "Keys longer than [the digest length] are acceptable but the
+ extra length would not significantly increase the function
+ strength."
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2643915"></a><h2>SEE ALSO</h2>
+<p>
+ <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
+ <em class="citetitle">RFC 2104</em>.
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2643932"></a><h2>AUTHOR</h2>
+<p><span class="corpauthor">Internet Systems Consortium</span>
+ </p>
+</div>
+</div>
+<div class="navfooter">
+<hr>
+<table width="100%" summary="Navigation footer">
+<tr>
+<td width="40%" align="left">
+<a accesskey="p" href="man.genrandom.html">Prev</a> </td>
+<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>
+<td width="40%" align="right"> <a accesskey="n" href="man.nsec3hash.html">Next</a>
+</td>
+</tr>
+<tr>
+<td width="40%" align="left" valign="top">
+<span class="application">genrandom</span> </td>
+<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
+<td width="40%" align="right" valign="top"> <span class="application">nsec3hash</span>
+</td>
+</tr>
+</table>
+</div>
+</body>
+</html>
diff --git a/contrib/bind9/doc/arm/man.named-checkconf.html b/contrib/bind9/doc/arm/man.named-checkconf.html
index 7a8e2c1c885f..d3dc621a946d 100644
--- a/contrib/bind9/doc/arm/man.named-checkconf.html
+++ b/contrib/bind9/doc/arm/man.named-checkconf.html
@@ -47,17 +47,30 @@
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">named-checkconf</code> [<code class="option">-h</code>] [<code class="option">-v</code>] [<code class="option">-j</code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] {filename} [<code class="option">-z</code>]</p></div>
+<div class="cmdsynopsis"><p><code class="command">named-checkconf</code> [<code class="option">-h</code>] [<code class="option">-v</code>] [<code class="option">-j</code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] {filename} [<code class="option">-p</code>] [<code class="option">-z</code>]</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2609432"></a><h2>DESCRIPTION</h2>
+<a name="id2617093"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">named-checkconf</strong></span>
- checks the syntax, but not the semantics, of a named
- configuration file.
+ checks the syntax, but not the semantics, of a
+ <span><strong class="command">named</strong></span> configuration file. The file is parsed
+ and checked for syntax errors, along with all files included by it.
+ If no file is specified, <code class="filename">/etc/named.conf</code> is read
+ by default.
+ </p>
+<p>
+ Note: files that <span><strong class="command">named</strong></span> reads in separate
+ parser contexts, such as <code class="filename">rndc.key</code> and
+ <code class="filename">bind.keys</code>, are not automatically read
+ by <span><strong class="command">named-checkconf</strong></span>. Configuration
+ errors in these files may cause <span><strong class="command">named</strong></span> to
+ fail to run, even if <span><strong class="command">named-checkconf</strong></span> was
+ successful. <span><strong class="command">named-checkconf</strong></span> can be run
+ on these files explicitly, however.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2609446"></a><h2>OPTIONS</h2>
+<a name="id2617163"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-h</span></dt>
<dd><p>
@@ -65,8 +78,7 @@
</p></dd>
<dt><span class="term">-t <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
- Chroot to <code class="filename">directory</code> so that
- include
+ Chroot to <code class="filename">directory</code> so that include
directives in the configuration file are processed as if
run by a similarly chrooted named.
</p></dd>
@@ -75,6 +87,11 @@
Print the version of the <span><strong class="command">named-checkconf</strong></span>
program and exit.
</p></dd>
+<dt><span class="term">-p</span></dt>
+<dd><p>
+ Print out the <code class="filename">named.conf</code> and included files
+ in canonical form if no errors were detected.
+ </p></dd>
<dt><span class="term">-z</span></dt>
<dd><p>
Perform a test load of all master zones found in
@@ -92,21 +109,21 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2609562"></a><h2>RETURN VALUES</h2>
+<a name="id2617298"></a><h2>RETURN VALUES</h2>
<p><span><strong class="command">named-checkconf</strong></span>
returns an exit status of 1 if
errors were detected and 0 otherwise.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2609576"></a><h2>SEE ALSO</h2>
+<a name="id2617312"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">named-checkzone</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2609606"></a><h2>AUTHOR</h2>
+<a name="id2617341"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
diff --git a/contrib/bind9/doc/arm/man.named-checkzone.html b/contrib/bind9/doc/arm/man.named-checkzone.html
index 583bc83b1447..12b789777316 100644
--- a/contrib/bind9/doc/arm/man.named-checkzone.html
+++ b/contrib/bind9/doc/arm/man.named-checkzone.html
@@ -47,11 +47,11 @@
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">named-checkzone</code> [<code class="option">-d</code>] [<code class="option">-h</code>] [<code class="option">-j</code>] [<code class="option">-q</code>] [<code class="option">-v</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-f <em class="replaceable"><code>format</code></em></code>] [<code class="option">-F <em class="replaceable"><code>format</code></em></code>] [<code class="option">-i <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-k <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-m <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-M <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-n <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-s <em class="replaceable"><code>style</code></em></code>] [<code class="option">-S <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-w <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-W <em class="replaceable"><code>mode</code></em></code>] {zonename} {filename}</p></div>
-<div class="cmdsynopsis"><p><code class="command">named-compilezone</code> [<code class="option">-d</code>] [<code class="option">-j</code>] [<code class="option">-q</code>] [<code class="option">-v</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-C <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-f <em class="replaceable"><code>format</code></em></code>] [<code class="option">-F <em class="replaceable"><code>format</code></em></code>] [<code class="option">-i <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-k <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-m <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-n <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-o <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-s <em class="replaceable"><code>style</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-w <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-W <em class="replaceable"><code>mode</code></em></code>] {<code class="option">-o <em class="replaceable"><code>filename</code></em></code>} {zonename} {filename}</p></div>
+<div class="cmdsynopsis"><p><code class="command">named-checkzone</code> [<code class="option">-d</code>] [<code class="option">-h</code>] [<code class="option">-j</code>] [<code class="option">-q</code>] [<code class="option">-v</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-f <em class="replaceable"><code>format</code></em></code>] [<code class="option">-F <em class="replaceable"><code>format</code></em></code>] [<code class="option">-i <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-k <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-m <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-M <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-n <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-o <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-r <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-s <em class="replaceable"><code>style</code></em></code>] [<code class="option">-S <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-w <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-W <em class="replaceable"><code>mode</code></em></code>] {zonename} {filename}</p></div>
+<div class="cmdsynopsis"><p><code class="command">named-compilezone</code> [<code class="option">-d</code>] [<code class="option">-j</code>] [<code class="option">-q</code>] [<code class="option">-v</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-C <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-f <em class="replaceable"><code>format</code></em></code>] [<code class="option">-F <em class="replaceable"><code>format</code></em></code>] [<code class="option">-i <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-k <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-m <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-n <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-r <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-s <em class="replaceable"><code>style</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-w <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-W <em class="replaceable"><code>mode</code></em></code>] {<code class="option">-o <em class="replaceable"><code>filename</code></em></code>} {zonename} {filename}</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2610356"></a><h2>DESCRIPTION</h2>
+<a name="id2618775"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">named-checkzone</strong></span>
checks the syntax and integrity of a zone file. It performs the
same checks as <span><strong class="command">named</strong></span> does when loading a
@@ -71,7 +71,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2610406"></a><h2>OPTIONS</h2>
+<a name="id2618825"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-d</span></dt>
<dd><p>
@@ -195,6 +195,14 @@
write to standard out.
This is mandatory for <span><strong class="command">named-compilezone</strong></span>.
</p></dd>
+<dt><span class="term">-r <em class="replaceable"><code>mode</code></em></span></dt>
+<dd><p>
+ Check for records that are treated as different by DNSSEC but
+ are semantically equal in plain DNS.
+ Possible modes are <span><strong class="command">"fail"</strong></span>,
+ <span><strong class="command">"warn"</strong></span> (default) and
+ <span><strong class="command">"ignore"</strong></span>.
+ </p></dd>
<dt><span class="term">-s <em class="replaceable"><code>style</code></em></span></dt>
<dd><p>
Specify the style of the dumped zone file.
@@ -257,14 +265,14 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2660023"></a><h2>RETURN VALUES</h2>
+<a name="id2671342"></a><h2>RETURN VALUES</h2>
<p><span><strong class="command">named-checkzone</strong></span>
returns an exit status of 1 if
errors were detected and 0 otherwise.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2660037"></a><h2>SEE ALSO</h2>
+<a name="id2671356"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">named-checkconf</span>(8)</span>,
<em class="citetitle">RFC 1035</em>,
@@ -272,7 +280,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2660070"></a><h2>AUTHOR</h2>
+<a name="id2671389"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
diff --git a/contrib/bind9/doc/arm/man.named-journalprint.html b/contrib/bind9/doc/arm/man.named-journalprint.html
new file mode 100644
index 000000000000..c6d1b117b2fb
--- /dev/null
+++ b/contrib/bind9/doc/arm/man.named-journalprint.html
@@ -0,0 +1,112 @@
+<!--
+ - Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2003 Internet Software Consortium.
+ -
+ - Permission to use, copy, modify, and/or distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+<!-- $Id$ -->
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>named-journalprint</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
+<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
+<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
+<link rel="prev" href="man.named.html" title="named">
+<link rel="next" href="man.nsupdate.html" title="nsupdate">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
+<div class="navheader">
+<table width="100%" summary="Navigation header">
+<tr><th colspan="3" align="center"><span class="application">named-journalprint</span></th></tr>
+<tr>
+<td width="20%" align="left">
+<a accesskey="p" href="man.named.html">Prev</a> </td>
+<th width="60%" align="center">Manual pages</th>
+<td width="20%" align="right"> <a accesskey="n" href="man.nsupdate.html">Next</a>
+</td>
+</tr>
+</table>
+<hr>
+</div>
+<div class="refentry" lang="en">
+<a name="man.named-journalprint"></a><div class="titlepage"></div>
+<div class="refnamediv">
+<h2>Name</h2>
+<p><span class="application">named-journalprint</span> &#8212; print zone journal in human-readable form</p>
+</div>
+<div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+<div class="cmdsynopsis"><p><code class="command">named-journalprint</code> {<em class="replaceable"><code>journal</code></em>}</p></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2616312"></a><h2>DESCRIPTION</h2>
+<p>
+ <span><strong class="command">named-journalprint</strong></span>
+ prints the contents of a zone journal file in a human-readable
+ form.
+ </p>
+<p>
+ Journal files are automatically created by <span><strong class="command">named</strong></span>
+ when changes are made to dynamic zones (e.g., by
+ <span><strong class="command">nsupdate</strong></span>). They record each addition
+ or deletion of a resource record, in binary format, allowing the
+ changes to be re-applied to the zone when the server is
+ restarted after a shutdown or crash. By default, the name of
+ the journal file is formed by appending the extension
+ <code class="filename">.jnl</code> to the name of the corresponding
+ zone file.
+ </p>
+<p>
+ <span><strong class="command">named-journalprint</strong></span> converts the contents of a given
+ journal file into a human-readable text format. Each line begins
+ with "add" or "del", to indicate whether the record was added or
+ deleted, and continues with the resource record in master-file
+ format.
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2621956"></a><h2>SEE ALSO</h2>
+<p>
+ <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
+ <span class="citerefentry"><span class="refentrytitle">nsupdate</span>(8)</span>,
+ <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2621987"></a><h2>AUTHOR</h2>
+<p><span class="corpauthor">Internet Systems Consortium</span>
+ </p>
+</div>
+</div>
+<div class="navfooter">
+<hr>
+<table width="100%" summary="Navigation footer">
+<tr>
+<td width="40%" align="left">
+<a accesskey="p" href="man.named.html">Prev</a> </td>
+<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>
+<td width="40%" align="right"> <a accesskey="n" href="man.nsupdate.html">Next</a>
+</td>
+</tr>
+<tr>
+<td width="40%" align="left" valign="top">
+<span class="application">named</span> </td>
+<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
+<td width="40%" align="right" valign="top"> <span class="application">nsupdate</span>
+</td>
+</tr>
+</table>
+</div>
+</body>
+</html>
diff --git a/contrib/bind9/doc/arm/man.named.html b/contrib/bind9/doc/arm/man.named.html
index 2fdb5a97deb6..729a9afcc955 100644
--- a/contrib/bind9/doc/arm/man.named.html
+++ b/contrib/bind9/doc/arm/man.named.html
@@ -23,7 +23,7 @@
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
<link rel="prev" href="man.named-checkzone.html" title="named-checkzone">
-<link rel="next" href="man.nsupdate.html" title="nsupdate">
+<link rel="next" href="man.named-journalprint.html" title="named-journalprint">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<div class="navheader">
@@ -33,7 +33,7 @@
<td width="20%" align="left">
<a accesskey="p" href="man.named-checkzone.html">Prev</a> </td>
<th width="60%" align="center">Manual pages</th>
-<td width="20%" align="right"> <a accesskey="n" href="man.nsupdate.html">Next</a>
+<td width="20%" align="right"> <a accesskey="n" href="man.named-journalprint.html">Next</a>
</td>
</tr>
</table>
@@ -47,10 +47,10 @@
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">named</code> [<code class="option">-4</code>] [<code class="option">-6</code>] [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-d <em class="replaceable"><code>debug-level</code></em></code>] [<code class="option">-f</code>] [<code class="option">-g</code>] [<code class="option">-m <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-n <em class="replaceable"><code>#cpus</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-s</code>] [<code class="option">-S <em class="replaceable"><code>#max-socks</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-u <em class="replaceable"><code>user</code></em></code>] [<code class="option">-v</code>] [<code class="option">-V</code>] [<code class="option">-x <em class="replaceable"><code>cache-file</code></em></code>]</p></div>
+<div class="cmdsynopsis"><p><code class="command">named</code> [<code class="option">-4</code>] [<code class="option">-6</code>] [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-d <em class="replaceable"><code>debug-level</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine-name</code></em></code>] [<code class="option">-f</code>] [<code class="option">-g</code>] [<code class="option">-m <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-n <em class="replaceable"><code>#cpus</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-s</code>] [<code class="option">-S <em class="replaceable"><code>#max-socks</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-u <em class="replaceable"><code>user</code></em></code>] [<code class="option">-v</code>] [<code class="option">-V</code>] [<code class="option">-x <em class="replaceable"><code>cache-file</code></em></code>]</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2610912"></a><h2>DESCRIPTION</h2>
+<a name="id2619008"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">named</strong></span>
is a Domain Name System (DNS) server,
part of the BIND 9 distribution from ISC. For more
@@ -65,7 +65,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2610942"></a><h2>OPTIONS</h2>
+<a name="id2619038"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-4</span></dt>
<dd><p>
@@ -97,6 +97,14 @@
Debugging traces from <span><strong class="command">named</strong></span> become
more verbose as the debug level increases.
</p></dd>
+<dt><span class="term">-E <em class="replaceable"><code>engine-name</code></em></span></dt>
+<dd><p>
+ Use a crypto hardware (OpenSSL engine) for the crypto operations
+ it supports, for instance re-signing with private keys from
+ a secure key store. When compiled with PKCS#11 support
+ <em class="replaceable"><code>engine-name</code></em>
+ defaults to pkcs11, the empty name resets it to no engine.
+ </p></dd>
<dt><span class="term">-f</span></dt>
<dd><p>
Run the server in the foreground (i.e. do not daemonize).
@@ -238,7 +246,7 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2613112"></a><h2>SIGNALS</h2>
+<a name="id2638843"></a><h2>SIGNALS</h2>
<p>
In routine operation, signals should not be used to control
the nameserver; <span><strong class="command">rndc</strong></span> should be used
@@ -259,7 +267,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2613162"></a><h2>CONFIGURATION</h2>
+<a name="id2660602"></a><h2>CONFIGURATION</h2>
<p>
The <span><strong class="command">named</strong></span> configuration file is too complex
to describe in detail here. A complete description is provided
@@ -276,7 +284,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2613211"></a><h2>FILES</h2>
+<a name="id2660651"></a><h2>FILES</h2>
<div class="variablelist"><dl>
<dt><span class="term"><code class="filename">/etc/named.conf</code></span></dt>
<dd><p>
@@ -289,7 +297,7 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2613255"></a><h2>SEE ALSO</h2>
+<a name="id2660695"></a><h2>SEE ALSO</h2>
<p><em class="citetitle">RFC 1033</em>,
<em class="citetitle">RFC 1034</em>,
<em class="citetitle">RFC 1035</em>,
@@ -302,7 +310,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2660156"></a><h2>AUTHOR</h2>
+<a name="id2675716"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
@@ -314,14 +322,14 @@
<td width="40%" align="left">
<a accesskey="p" href="man.named-checkzone.html">Prev</a> </td>
<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>
-<td width="40%" align="right"> <a accesskey="n" href="man.nsupdate.html">Next</a>
+<td width="40%" align="right"> <a accesskey="n" href="man.named-journalprint.html">Next</a>
</td>
</tr>
<tr>
<td width="40%" align="left" valign="top">
<span class="application">named-checkzone</span> </td>
<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top"> <span class="application">nsupdate</span>
+<td width="40%" align="right" valign="top"> <span class="application">named-journalprint</span>
</td>
</tr>
</table>
diff --git a/contrib/bind9/doc/arm/man.nsec3hash.html b/contrib/bind9/doc/arm/man.nsec3hash.html
new file mode 100644
index 000000000000..d266a22c887f
--- /dev/null
+++ b/contrib/bind9/doc/arm/man.nsec3hash.html
@@ -0,0 +1,113 @@
+<!--
+ - Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2003 Internet Software Consortium.
+ -
+ - Permission to use, copy, modify, and/or distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+<!-- $Id$ -->
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>nsec3hash</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
+<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
+<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
+<link rel="prev" href="man.isc-hmac-fixup.html" title="isc-hmac-fixup">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
+<div class="navheader">
+<table width="100%" summary="Navigation header">
+<tr><th colspan="3" align="center"><span class="application">nsec3hash</span></th></tr>
+<tr>
+<td width="20%" align="left">
+<a accesskey="p" href="man.isc-hmac-fixup.html">Prev</a> </td>
+<th width="60%" align="center">Manual pages</th>
+<td width="20%" align="right"> </td>
+</tr>
+</table>
+<hr>
+</div>
+<div class="refentry" lang="en">
+<a name="man.nsec3hash"></a><div class="titlepage"></div>
+<div class="refnamediv">
+<h2>Name</h2>
+<p><span class="application">nsec3hash</span> &#8212; generate NSEC3 hash</p>
+</div>
+<div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+<div class="cmdsynopsis"><p><code class="command">nsec3hash</code> {<em class="replaceable"><code>salt</code></em>} {<em class="replaceable"><code>algorithm</code></em>} {<em class="replaceable"><code>iterations</code></em>} {<em class="replaceable"><code>domain</code></em>}</p></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2643980"></a><h2>DESCRIPTION</h2>
+<p>
+ <span><strong class="command">nsec3hash</strong></span> generates an NSEC3 hash based on
+ a set of NSEC3 parameters. This can be used to check the validity
+ of NSEC3 records in a signed zone.
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2643995"></a><h2>ARGUMENTS</h2>
+<div class="variablelist"><dl>
+<dt><span class="term">salt</span></dt>
+<dd><p>
+ The salt provided to the hash algorithm.
+ </p></dd>
+<dt><span class="term">algorithm</span></dt>
+<dd><p>
+ A number indicating the hash algorithm. Currently the
+ only supported hash algorithm for NSEC3 is SHA-1, which is
+ indicated by the number 1; consequently "1" is the only
+ useful value for this argument.
+ </p></dd>
+<dt><span class="term">iterations</span></dt>
+<dd><p>
+ The number of additional times the hash should be performed.
+ </p></dd>
+<dt><span class="term">domain</span></dt>
+<dd><p>
+ The domain name to be hashed.
+ </p></dd>
+</dl></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2644125"></a><h2>SEE ALSO</h2>
+<p>
+ <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
+ <em class="citetitle">RFC 5155</em>.
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2644142"></a><h2>AUTHOR</h2>
+<p><span class="corpauthor">Internet Systems Consortium</span>
+ </p>
+</div>
+</div>
+<div class="navfooter">
+<hr>
+<table width="100%" summary="Navigation footer">
+<tr>
+<td width="40%" align="left">
+<a accesskey="p" href="man.isc-hmac-fixup.html">Prev</a> </td>
+<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>
+<td width="40%" align="right"> </td>
+</tr>
+<tr>
+<td width="40%" align="left" valign="top">
+<span class="application">isc-hmac-fixup</span> </td>
+<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
+<td width="40%" align="right" valign="top"> </td>
+</tr>
+</table>
+</div>
+</body>
+</html>
diff --git a/contrib/bind9/doc/arm/man.nsupdate.html b/contrib/bind9/doc/arm/man.nsupdate.html
index 7476e78b0af8..1542215b60da 100644
--- a/contrib/bind9/doc/arm/man.nsupdate.html
+++ b/contrib/bind9/doc/arm/man.nsupdate.html
@@ -22,7 +22,7 @@
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
-<link rel="prev" href="man.named.html" title="named">
+<link rel="prev" href="man.named-journalprint.html" title="named-journalprint">
<link rel="next" href="man.rndc.html" title="rndc">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
@@ -31,7 +31,7 @@
<tr><th colspan="3" align="center"><span class="application">nsupdate</span></th></tr>
<tr>
<td width="20%" align="left">
-<a accesskey="p" href="man.named.html">Prev</a> </td>
+<a accesskey="p" href="man.named-journalprint.html">Prev</a> </td>
<th width="60%" align="center">Manual pages</th>
<td width="20%" align="right"> <a accesskey="n" href="man.rndc.html">Next</a>
</td>
@@ -47,12 +47,12 @@
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">nsupdate</code> [<code class="option">-d</code>] [<code class="option">-D</code>] [[<code class="option">-g</code>] | [<code class="option">-o</code>] | [<code class="option">-y <em class="replaceable"><code>[<span class="optional">hmac:</span>]keyname:secret</code></em></code>] | [<code class="option">-k <em class="replaceable"><code>keyfile</code></em></code>]] [<code class="option">-t <em class="replaceable"><code>timeout</code></em></code>] [<code class="option">-u <em class="replaceable"><code>udptimeout</code></em></code>] [<code class="option">-r <em class="replaceable"><code>udpretries</code></em></code>] [<code class="option">-R <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-v</code>] [filename]</p></div>
+<div class="cmdsynopsis"><p><code class="command">nsupdate</code> [<code class="option">-d</code>] [<code class="option">-D</code>] [[<code class="option">-g</code>] | [<code class="option">-o</code>] | [<code class="option">-l</code>] | [<code class="option">-y <em class="replaceable"><code>[<span class="optional">hmac:</span>]keyname:secret</code></em></code>] | [<code class="option">-k <em class="replaceable"><code>keyfile</code></em></code>]] [<code class="option">-t <em class="replaceable"><code>timeout</code></em></code>] [<code class="option">-u <em class="replaceable"><code>udptimeout</code></em></code>] [<code class="option">-r <em class="replaceable"><code>udpretries</code></em></code>] [<code class="option">-R <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-v</code>] [filename]</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2611752"></a><h2>DESCRIPTION</h2>
+<a name="id2626656"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">nsupdate</strong></span>
- is used to submit Dynamic DNS Update requests as defined in RFC2136
+ is used to submit Dynamic DNS Update requests as defined in RFC 2136
to a name server.
This allows resource records to be added or removed from a zone
without manually editing the zone file.
@@ -88,10 +88,14 @@
report additional debugging information to <code class="option">-d</code>.
</p>
<p>
+ The <code class="option">-L</code> option with an integer argument of zero or
+ higher sets the logging debug level. If zero, logging is disabled.
+ </p>
+<p>
Transaction signatures can be used to authenticate the Dynamic
DNS updates. These use the TSIG resource record type described
- in RFC2845 or the SIG(0) record described in RFC3535 and
- RFC2931 or GSS-TSIG as described in RFC3645. TSIG relies on
+ in RFC 2845 or the SIG(0) record described in RFC 2535 and
+ RFC 2931 or GSS-TSIG as described in RFC 3645. TSIG relies on
a shared secret that should only be known to
<span><strong class="command">nsupdate</strong></span> and the name server. Currently,
the only supported encryption algorithm for TSIG is HMAC-MD5,
@@ -108,44 +112,59 @@
record in a zone served by the name server.
<span><strong class="command">nsupdate</strong></span> does not read
<code class="filename">/etc/named.conf</code>.
- GSS-TSIG uses Kerberos credentials.
+ </p>
+<p>
+ GSS-TSIG uses Kerberos credentials. Standard GSS-TSIG mode
+ is switched on with the <code class="option">-g</code> flag. A
+ non-standards-compliant variant of GSS-TSIG used by Windows
+ 2000 can be switched on with the <code class="option">-o</code> flag.
</p>
<p><span><strong class="command">nsupdate</strong></span>
uses the <code class="option">-y</code> or <code class="option">-k</code> option
to provide the shared secret needed to generate a TSIG record
for authenticating Dynamic DNS update requests, default type
- HMAC-MD5. These options are mutually exclusive. With the
- <code class="option">-k</code> option, <span><strong class="command">nsupdate</strong></span> reads
- the shared secret from the file <em class="parameter"><code>keyfile</code></em>,
- whose name is of the form
- <code class="filename">K{name}.+157.+{random}.private</code>. For
- historical reasons, the file
- <code class="filename">K{name}.+157.+{random}.key</code> must also be
- present. When the <code class="option">-y</code> option is used, a
- signature is generated from
+ HMAC-MD5. These options are mutually exclusive.
+ </p>
+<p>
+ When the <code class="option">-y</code> option is used, a signature is
+ generated from
[<span class="optional"><em class="parameter"><code>hmac:</code></em></span>]<em class="parameter"><code>keyname:secret.</code></em>
<em class="parameter"><code>keyname</code></em> is the name of the key, and
- <em class="parameter"><code>secret</code></em> is the base64 encoded shared
- secret. Use of the <code class="option">-y</code> option is discouraged
- because the shared secret is supplied as a command line
- argument in clear text. This may be visible in the output
- from
- <span class="citerefentry"><span class="refentrytitle">ps</span>(1)</span> or in a history file maintained by the user's
- shell.
+ <em class="parameter"><code>secret</code></em> is the base64 encoded shared secret.
+ Use of the <code class="option">-y</code> option is discouraged because the
+ shared secret is supplied as a command line argument in clear text.
+ This may be visible in the output from
+ <span class="citerefentry"><span class="refentrytitle">ps</span>(1)</span>
+ or in a history file maintained by the user's shell.
</p>
<p>
+ With the
+ <code class="option">-k</code> option, <span><strong class="command">nsupdate</strong></span> reads
+ the shared secret from the file <em class="parameter"><code>keyfile</code></em>.
+ Keyfiles may be in two formats: a single file containing
+ a <code class="filename">named.conf</code>-format <span><strong class="command">key</strong></span>
+ statement, which may be generated automatically by
+ <span><strong class="command">ddns-confgen</strong></span>, or a pair of files whose names are
+ of the format <code class="filename">K{name}.+157.+{random}.key</code> and
+ <code class="filename">K{name}.+157.+{random}.private</code>, which can be
+ generated by <span><strong class="command">dnssec-keygen</strong></span>.
The <code class="option">-k</code> may also be used to specify a SIG(0) key used
to authenticate Dynamic DNS update requests. In this case, the key
specified is not an HMAC-MD5 key.
</p>
<p>
- The <code class="option">-g</code> and <code class="option">-o</code> specify that
- GSS-TSIG is to be used. The <code class="option">-o</code> should only
- be used with old Microsoft Windows 2000 servers.
+ <span><strong class="command">nsupdate</strong></span> can be run in a local-host only mode
+ using the <code class="option">-l</code> flag. This sets the server address to
+ localhost (disabling the <span><strong class="command">server</strong></span> so that the server
+ address cannot be overridden). Connections to the local server will
+ use a TSIG key found in <code class="filename">/var/run/named/session.key</code>,
+ which is automatically generated by <span><strong class="command">named</strong></span> if any
+ local master zone has set <span><strong class="command">update-policy</strong></span> to
+ <span><strong class="command">local</strong></span>. The location of this key file can be
+ overridden with the <code class="option">-k</code> option.
</p>
<p>
- By default,
- <span><strong class="command">nsupdate</strong></span>
+ By default, <span><strong class="command">nsupdate</strong></span>
uses UDP to send update requests to the name server unless they are too
large to fit in a UDP request in which case TCP will be used.
The
@@ -156,6 +175,10 @@
This may be preferable when a batch of update requests is made.
</p>
<p>
+ The <code class="option">-p</code> sets the default port number to use for
+ connections to a name server. The default is 53.
+ </p>
+<p>
The <code class="option">-t</code> option sets the maximum time an update request
can
take before it is aborted. The default is 300 seconds. Zero can be
@@ -187,7 +210,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2612283"></a><h2>INPUT FORMAT</h2>
+<a name="id2633475"></a><h2>INPUT FORMAT</h2>
<p><span><strong class="command">nsupdate</strong></span>
reads input from
<em class="parameter"><code>filename</code></em>
@@ -475,7 +498,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2661118"></a><h2>EXAMPLES</h2>
+<a name="id2678828"></a><h2>EXAMPLES</h2>
<p>
The examples below show how
<span><strong class="command">nsupdate</strong></span>
@@ -522,19 +545,23 @@
If there are, the update request fails.
If this name does not exist, a CNAME for it is added.
This ensures that when the CNAME is added, it cannot conflict with the
- long-standing rule in RFC1034 that a name must not exist as any other
+ long-standing rule in RFC 1034 that a name must not exist as any other
record type if it exists as a CNAME.
- (The rule has been updated for DNSSEC in RFC2535 to allow CNAMEs to have
+ (The rule has been updated for DNSSEC in RFC 2535 to allow CNAMEs to have
RRSIG, DNSKEY and NSEC records.)
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2661169"></a><h2>FILES</h2>
+<a name="id2678878"></a><h2>FILES</h2>
<div class="variablelist"><dl>
<dt><span class="term"><code class="constant">/etc/resolv.conf</code></span></dt>
<dd><p>
used to identify default name server
</p></dd>
+<dt><span class="term"><code class="constant">/var/run/named/session.key</code></span></dt>
+<dd><p>
+ sets the default TSIG key for use in local-only mode
+ </p></dd>
<dt><span class="term"><code class="constant">K{name}.+157.+{random}.key</code></span></dt>
<dd><p>
base-64 encoding of HMAC-MD5 key created by
@@ -548,20 +575,22 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2661306"></a><h2>SEE ALSO</h2>
-<p><span class="citerefentry"><span class="refentrytitle">RFC2136</span></span>,
- <span class="citerefentry"><span class="refentrytitle">RFC3007</span></span>,
- <span class="citerefentry"><span class="refentrytitle">RFC2104</span></span>,
- <span class="citerefentry"><span class="refentrytitle">RFC2845</span></span>,
- <span class="citerefentry"><span class="refentrytitle">RFC1034</span></span>,
- <span class="citerefentry"><span class="refentrytitle">RFC2535</span></span>,
- <span class="citerefentry"><span class="refentrytitle">RFC2931</span></span>,
+<a name="id2678962"></a><h2>SEE ALSO</h2>
+<p>
+ <em class="citetitle">RFC 2136</em>,
+ <em class="citetitle">RFC 3007</em>,
+ <em class="citetitle">RFC 2104</em>,
+ <em class="citetitle">RFC 2845</em>,
+ <em class="citetitle">RFC 1034</em>,
+ <em class="citetitle">RFC 2535</em>,
+ <em class="citetitle">RFC 2931</em>,
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
+ <span class="citerefentry"><span class="refentrytitle">ddns-confgen</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2661377"></a><h2>BUGS</h2>
+<a name="id2679019"></a><h2>BUGS</h2>
<p>
The TSIG key is redundantly stored in two separate files.
This is a consequence of nsupdate using the DST library
@@ -575,14 +604,14 @@
<table width="100%" summary="Navigation footer">
<tr>
<td width="40%" align="left">
-<a accesskey="p" href="man.named.html">Prev</a> </td>
+<a accesskey="p" href="man.named-journalprint.html">Prev</a> </td>
<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>
<td width="40%" align="right"> <a accesskey="n" href="man.rndc.html">Next</a>
</td>
</tr>
<tr>
<td width="40%" align="left" valign="top">
-<span class="application">named</span> </td>
+<span class="application">named-journalprint</span> </td>
<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
<td width="40%" align="right" valign="top"> <span class="application">rndc</span>
</td>
diff --git a/contrib/bind9/doc/arm/man.rndc-confgen.html b/contrib/bind9/doc/arm/man.rndc-confgen.html
index 15a670c97f4f..b24590701c69 100644
--- a/contrib/bind9/doc/arm/man.rndc-confgen.html
+++ b/contrib/bind9/doc/arm/man.rndc-confgen.html
@@ -23,6 +23,7 @@
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
<link rel="prev" href="man.rndc.conf.html" title="rndc.conf">
+<link rel="next" href="man.ddns-confgen.html" title="ddns-confgen">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<div class="navheader">
@@ -32,7 +33,8 @@
<td width="20%" align="left">
<a accesskey="p" href="man.rndc.conf.html">Prev</a> </td>
<th width="60%" align="center">Manual pages</th>
-<td width="20%" align="right"> </td>
+<td width="20%" align="right"> <a accesskey="n" href="man.ddns-confgen.html">Next</a>
+</td>
</tr>
</table>
<hr>
@@ -48,7 +50,7 @@
<div class="cmdsynopsis"><p><code class="command">rndc-confgen</code> [<code class="option">-a</code>] [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-c <em class="replaceable"><code>keyfile</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>keyname</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomfile</code></em></code>] [<code class="option">-s <em class="replaceable"><code>address</code></em></code>] [<code class="option">-t <em class="replaceable"><code>chrootdir</code></em></code>] [<code class="option">-u <em class="replaceable"><code>user</code></em></code>]</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2634268"></a><h2>DESCRIPTION</h2>
+<a name="id2641110"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">rndc-confgen</strong></span>
generates configuration files
for <span><strong class="command">rndc</strong></span>. It can be used as a
@@ -64,7 +66,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2634334"></a><h2>OPTIONS</h2>
+<a name="id2641176"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-a</span></dt>
<dd>
@@ -171,7 +173,7 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2635198"></a><h2>EXAMPLES</h2>
+<a name="id2641835"></a><h2>EXAMPLES</h2>
<p>
To allow <span><strong class="command">rndc</strong></span> to be used with
no manual configuration, run
@@ -188,7 +190,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2636211"></a><h2>SEE ALSO</h2>
+<a name="id2643189"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">rndc.conf</span>(5)</span>,
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
@@ -196,7 +198,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2636249"></a><h2>AUTHOR</h2>
+<a name="id2643842"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
@@ -208,13 +210,15 @@
<td width="40%" align="left">
<a accesskey="p" href="man.rndc.conf.html">Prev</a> </td>
<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>
-<td width="40%" align="right"> </td>
+<td width="40%" align="right"> <a accesskey="n" href="man.ddns-confgen.html">Next</a>
+</td>
</tr>
<tr>
<td width="40%" align="left" valign="top">
<code class="filename">rndc.conf</code> </td>
<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top"> </td>
+<td width="40%" align="right" valign="top"> <span class="application">ddns-confgen</span>
+</td>
</tr>
</table>
</div>
diff --git a/contrib/bind9/doc/arm/man.rndc.conf.html b/contrib/bind9/doc/arm/man.rndc.conf.html
index a268d740733c..8a3d4e252ccc 100644
--- a/contrib/bind9/doc/arm/man.rndc.conf.html
+++ b/contrib/bind9/doc/arm/man.rndc.conf.html
@@ -50,7 +50,7 @@
<div class="cmdsynopsis"><p><code class="command">rndc.conf</code> </p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2615076"></a><h2>DESCRIPTION</h2>
+<a name="id2639872"></a><h2>DESCRIPTION</h2>
<p><code class="filename">rndc.conf</code> is the configuration file
for <span><strong class="command">rndc</strong></span>, the BIND 9 name server control
utility. This file has a similar structure and syntax to
@@ -135,7 +135,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2624532"></a><h2>EXAMPLE</h2>
+<a name="id2640180"></a><h2>EXAMPLE</h2>
<pre class="programlisting">
options {
default-server localhost;
@@ -209,7 +209,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2633596"></a><h2>NAME SERVER CONFIGURATION</h2>
+<a name="id2640301"></a><h2>NAME SERVER CONFIGURATION</h2>
<p>
The name server must be configured to accept rndc connections and
to recognize the key specified in the <code class="filename">rndc.conf</code>
@@ -219,7 +219,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2633622"></a><h2>SEE ALSO</h2>
+<a name="id2640327"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">rndc-confgen</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">mmencode</span>(1)</span>,
@@ -227,7 +227,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2633660"></a><h2>AUTHOR</h2>
+<a name="id2640365"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
diff --git a/contrib/bind9/doc/arm/man.rndc.html b/contrib/bind9/doc/arm/man.rndc.html
index f4ba1f433d32..058328742224 100644
--- a/contrib/bind9/doc/arm/man.rndc.html
+++ b/contrib/bind9/doc/arm/man.rndc.html
@@ -50,7 +50,7 @@
<div class="cmdsynopsis"><p><code class="command">rndc</code> [<code class="option">-b <em class="replaceable"><code>source-address</code></em></code>] [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-k <em class="replaceable"><code>key-file</code></em></code>] [<code class="option">-s <em class="replaceable"><code>server</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-V</code>] [<code class="option">-y <em class="replaceable"><code>key_id</code></em></code>] {command}</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2612519"></a><h2>DESCRIPTION</h2>
+<a name="id2638953"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">rndc</strong></span>
controls the operation of a name
server. It supersedes the <span><strong class="command">ndc</strong></span> utility
@@ -79,7 +79,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2612569"></a><h2>OPTIONS</h2>
+<a name="id2639003"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-b <em class="replaceable"><code>source-address</code></em></span></dt>
<dd><p>
@@ -151,7 +151,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2614091"></a><h2>LIMITATIONS</h2>
+<a name="id2639228"></a><h2>LIMITATIONS</h2>
<p><span><strong class="command">rndc</strong></span>
does not yet support all the commands of
the BIND 8 <span><strong class="command">ndc</strong></span> utility.
@@ -165,7 +165,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2614122"></a><h2>SEE ALSO</h2>
+<a name="id2639259"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">rndc.conf</span>(5)</span>,
<span class="citerefentry"><span class="refentrytitle">rndc-confgen</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
@@ -175,7 +175,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2633565"></a><h2>AUTHOR</h2>
+<a name="id2639315"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
diff --git a/contrib/bind9/doc/arm/managed-keys.xml b/contrib/bind9/doc/arm/managed-keys.xml
new file mode 100644
index 000000000000..51949487fbb4
--- /dev/null
+++ b/contrib/bind9/doc/arm/managed-keys.xml
@@ -0,0 +1,100 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+ - Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+ -
+ - Permission to use, copy, modify, and/or distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: managed-keys.xml,v 1.3 2010/02/03 23:49:07 tbox Exp $ -->
+
+<sect1 id="rfc5011.support">
+ <title>Dynamic Trust Anchor Management</title>
+ <para>BIND 9.7.0 introduces support for RFC 5011, dynamic trust
+ anchor management. Using this feature allows
+ <command>named</command> to keep track of changes to critical
+ DNSSEC keys without any need for the operator to make changes to
+ configuration files.</para>
+ <sect2>
+ <title>Validating Resolver</title>
+ <!-- TODO: command tag is overloaded for configuration and executables -->
+ <para>To configure a validating resolver to use RFC 5011 to
+ maintain a trust anchor, configure the trust anchor using a
+ <command>managed-keys</command> statement. Information about
+ this can be found in
+ <xref linkend="managed-keys" />.</para>
+ <!-- TODO: managed-keys examples
+also in DNSSEC section above here in ARM -->
+ </sect2>
+ <sect2>
+ <title>Authoritative Server</title>
+ <para>To set up an authoritative zone for RFC 5011 trust anchor
+ maintenance, generate two (or more) key signing keys (KSKs) for
+ the zone. Sign the zone with one of them; this is the "active"
+ KSK. All KSK's which do not sign the zone are "stand-by"
+ keys.</para>
+ <para>Any validating resolver which is configured to use the
+ active KSK as an RFC 5011-managed trust anchor will take note
+ of the stand-by KSKs in the zone's DNSKEY RRset, and store them
+ for future reference. The resolver will recheck the zone
+ periodically, and after 30 days, if the new key is still there,
+ then the key will be accepted by the resolver as a valid trust
+ anchor for the zone. Any time after this 30-day acceptance
+ timer has completed, the active KSK can be revoked, and the
+ zone can be "rolled over" to the newly accepted key.</para>
+ <para>The easiest way to place a stand-by key in a zone is to
+ use the "smart signing" features of
+ <command>dnssec-keygen</command> and
+ <command>dnssec-signzone</command>. If a key with a publication
+ date in the past, but an activation date which is unset or in
+ the future, "
+ <command>dnssec-signzone -S</command>" will include the DNSKEY
+ record in the zone, but will not sign with it:</para>
+ <screen>
+$ <userinput>dnssec-keygen -K keys -f KSK -P now -A now+2y example.net</userinput>
+$ <userinput>dnssec-signzone -S -K keys example.net</userinput>
+</screen>
+ <para>To revoke a key, the new command
+ <command>dnssec-revoke</command> has been added. This adds the
+ REVOKED bit to the key flags and re-generates the
+ <filename>K*.key</filename> and
+ <filename>K*.private</filename> files.</para>
+ <para>After revoking the active key, the zone must be signed
+ with both the revoked KSK and the new active KSK. (Smart
+ signing takes care of this automatically.)</para>
+ <para>Once a key has been revoked and used to sign the DNSKEY
+ RRset in which it appears, that key will never again be
+ accepted as a valid trust anchor by the resolver. However,
+ validation can proceed using the new active key (which had been
+ accepted by the resolver when it was a stand-by key).</para>
+ <para>See RFC 5011 for more details on key rollover
+ scenarios.</para>
+ <para>When a key has been revoked, its key ID changes,
+ increasing by 128, and wrapping around at 65535. So, for
+ example, the key "<filename>Kexample.com.+005+10000</filename>" becomes
+ "<filename>Kexample.com.+005+10128</filename>".</para>
+ <para>If two keys have ID's exactly 128 apart, and one is
+ revoked, then the two key ID's will collide, causing several
+ problems. To prevent this,
+ <command>dnssec-keygen</command> will not generate a new key if
+ another key is present which may collide. This checking will
+ only occur if the new keys are written to the same directory
+ which holds all other keys in use for that zone.</para>
+ <para>Older versions of BIND 9 did not have this precaution.
+ Exercise caution if using key revocation on keys that were
+ generated by previous releases, or if using keys stored in
+ multiple directories or on multiple machines.</para>
+ <para>It is expected that a future release of BIND 9 will
+ address this problem in a different way, by storing revoked
+ keys with their original unrevoked key ID's.</para>
+ </sect2>
+</sect1>
diff --git a/contrib/bind9/doc/arm/pkcs11.xml b/contrib/bind9/doc/arm/pkcs11.xml
new file mode 100644
index 000000000000..d3cfa28cbdd4
--- /dev/null
+++ b/contrib/bind9/doc/arm/pkcs11.xml
@@ -0,0 +1,443 @@
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
+ [<!ENTITY mdash "&#8212;">]>
+<!--
+ - Copyright (C) 2010, 2012 Internet Systems Consortium, Inc. ("ISC")
+ -
+ - Permission to use, copy, modify, and/or distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id$ -->
+
+<sect1 id="pkcs11">
+ <title>PKCS #11 (Cryptoki) support</title>
+ <para>PKCS #11 (Public Key Cryptography Standard #11) defines a
+ platform- independent API for the control of hardware security
+ modules (HSMs) and other cryptographic support devices.</para>
+ <para>BIND 9 is known to work with two HSMs: The Sun SCA 6000
+ cryptographic acceleration board, tested under Solaris x86, and
+ the AEP Keyper network-attached key storage device, tested with
+ Debian Linux, Solaris x86 and Windows Server 2003.</para>
+ <sect2>
+ <title>Prerequisites</title>
+ <para>See the HSM vendor documentation for information about
+ installing, initializing, testing and troubleshooting the
+ HSM.</para>
+ <para>BIND 9 uses OpenSSL for cryptography, but stock OpenSSL
+ does not yet fully support PKCS #11. However, a PKCS #11 engine
+ for OpenSSL is available from the OpenSolaris project. It has
+ been modified by ISC to work with with BIND 9, and to provide
+ new features such as PIN management and key by
+ reference.</para>
+ <para>The patched OpenSSL depends on a "PKCS #11 provider".
+ This is a shared library object, providing a low-level PKCS #11
+ interface to the HSM hardware. It is dynamically loaded by
+ OpenSSL at runtime. The PKCS #11 provider comes from the HSM
+ vendor, and and is specific to the HSM to be controlled.</para>
+ <para>There are two "flavors" of PKCS #11 support provided by
+ the patched OpenSSL, one of which must be chosen at
+ configuration time. The correct choice depends on the HSM
+ hardware:</para>
+ <itemizedlist>
+ <listitem>
+ <para>Use 'crypto-accelerator' with HSMs that have hardware
+ cryptographic acceleration features, such as the SCA 6000
+ board. This causes OpenSSL to run all supported
+ cryptographic operations in the HSM.</para>
+ </listitem>
+ <listitem>
+ <para>Use 'sign-only' with HSMs that are designed to
+ function primarily as secure key storage devices, but lack
+ hardware acceleration. These devices are highly secure, but
+ are not necessarily any faster at cryptography than the
+ system CPU &mdash; often, they are slower. It is therefore
+ most efficient to use them only for those cryptographic
+ functions that require access to the secured private key,
+ such as zone signing, and to use the system CPU for all
+ other computationally-intensive operations. The AEP Keyper
+ is an example of such a device.</para>
+ </listitem>
+ </itemizedlist>
+ <para>The modified OpenSSL code is included in the BIND 9 release,
+ in the form of a context diff against the latest verions of
+ OpenSSL. OpenSSL 0.9.8 and 1.0.0 are both supported; there are
+ separate diffs for each version. In the examples to follow,
+ we use OpenSSL 0.9.8, but the same methods work with OpenSSL 1.0.0.
+ </para>
+ <note>
+ The latest OpenSSL versions at the time of the BIND release
+ are 0.9.8s and 1.0.0f.
+ ISC will provide an updated patch as new versions of OpenSSL
+ are released. The version number in the following examples
+ is expected to change.</note>
+ <para>
+ Before building BIND 9 with PKCS #11 support, it will be
+ necessary to build OpenSSL with this patch in place and inform
+ it of the path to the HSM-specific PKCS #11 provider
+ library.</para>
+ <para>Obtain OpenSSL 0.9.8s:</para>
+ <screen>
+$ <userinput>wget <ulink>http://www.openssl.org/source/openssl-0.9.8s.tar.gz</ulink></userinput>
+</screen>
+ <para>Extract the tarball:</para>
+ <screen>
+$ <userinput>tar zxf openssl-0.9.8s.tar.gz</userinput>
+</screen>
+ <para>Apply the patch from the BIND 9 release:</para>
+ <screen>
+$ <userinput>patch -p1 -d openssl-0.9.8s \
+ &lt; bind9/bin/pkcs11/openssl-0.9.8s-patch</userinput>
+</screen>
+ <note>(Note that the patch file may not be compatible with the
+ "patch" utility on all operating systems. You may need to
+ install GNU patch.)</note>
+ <para>When building OpenSSL, place it in a non-standard
+ location so that it does not interfere with OpenSSL libraries
+ elsewhere on the system. In the following examples, we choose
+ to install into "/opt/pkcs11/usr". We will use this location
+ when we configure BIND 9.</para>
+ <sect3>
+ <!-- Example 1 -->
+ <title>Building OpenSSL for the AEP Keyper on Linux</title>
+ <para>The AEP Keyper is a highly secure key storage device,
+ but does not provide hardware cryptographic acceleration. It
+ can carry out cryptographic operations, but it is probably
+ slower than your system's CPU. Therefore, we choose the
+ 'sign-only' flavor when building OpenSSL.</para>
+ <para>The Keyper-specific PKCS #11 provider library is
+ delivered with the Keyper software. In this example, we place
+ it /opt/pkcs11/usr/lib:</para>
+ <screen>
+$ <userinput>cp pkcs11.GCC4.0.2.so.4.05 /opt/pkcs11/usr/lib/libpkcs11.so</userinput>
+</screen>
+ <para>This library is only available for Linux as a 32-bit
+ binary. If we are compiling on a 64-bit Linux system, it is
+ necessary to force a 32-bit build, by specifying -m32 in the
+ build options.</para>
+ <para>Finally, the Keyper library requires threads, so we
+ must specify -pthread.</para>
+ <screen>
+$ <userinput>cd openssl-0.9.8s</userinput>
+$ <userinput>./Configure linux-generic32 -m32 -pthread \
+ --pk11-libname=/opt/pkcs11/usr/lib/libpkcs11.so \
+ --pk11-flavor=sign-only \
+ --prefix=/opt/pkcs11/usr</userinput>
+</screen>
+ <para>After configuring, run "<command>make</command>"
+ and "<command>make test</command>". If "<command>make
+ test</command>" fails with "pthread_atfork() not found", you forgot to
+ add the -pthread above.</para>
+ </sect3>
+ <sect3>
+ <!-- Example 2 -->
+ <title>Building OpenSSL for the SCA 6000 on Solaris</title>
+ <para>The SCA-6000 PKCS #11 provider is installed as a system
+ library, libpkcs11. It is a true crypto accelerator, up to 4
+ times faster than any CPU, so the flavor shall be
+ 'crypto-accelerator'.</para>
+ <para>In this example, we are building on Solaris x86 on an
+ AMD64 system.</para>
+ <screen>
+$ <userinput>cd openssl-0.9.8s</userinput>
+$ <userinput>./Configure solaris64-x86_64-cc \
+ --pk11-libname=/usr/lib/64/libpkcs11.so \
+ --pk11-flavor=crypto-accelerator \
+ --prefix=/opt/pkcs11/usr</userinput>
+</screen>
+ <para>(For a 32-bit build, use "solaris-x86-cc" and
+ /usr/lib/libpkcs11.so.)</para>
+ <para>After configuring, run
+ <command>make</command> and
+ <command>make test</command>.</para>
+ </sect3>
+ <sect3>
+ <!-- Example 3 -->
+ <title>Building OpenSSL for SoftHSM</title>
+ <para>SoftHSM is a software library provided by the OpenDNSSEC
+ project (http://www.opendnssec.org) which provides a PKCS#11
+ interface to a virtual HSM, implemented in the form of encrypted
+ data on the local filesystem. It uses the Botan library for
+ encryption and SQLite3 for data storage. Though less secure
+ than a true HSM, it can provide more secure key storage than
+ traditional key files, and can allow you to experiment with
+ PKCS#11 when an HSM is not available.</para>
+ <para>The SoftHSM cryptographic store must be installed and
+ initialized before using it with OpenSSL, and the SOFTHSM_CONF
+ environment variable must always point to the SoftHSM configuration
+ file:</para>
+ <screen>
+$ <userinput> cd softhsm-1.3.0 </userinput>
+$ <userinput> configure --prefix=/opt/pkcs11/usr </userinput>
+$ <userinput> make </userinput>
+$ <userinput> make install </userinput>
+$ <userinput> export SOFTHSM_CONF=/opt/pkcs11/softhsm.conf </userinput>
+$ <userinput> echo "0:/opt/pkcs11/softhsm.db" > $SOFTHSM_CONF </userinput>
+$ <userinput> /opt/pkcs11/usr/bin/softhsm --init-token 0 --slot 0 --label softhsm </userinput>
+</screen>
+ <para>SoftHSM can perform all cryptographic operations, but
+ since it only uses your system CPU, there is no need to use it
+ for anything but signing. Therefore, we choose the 'sign-only'
+ flavor when building OpenSSL.</para>
+ <screen>
+$ <userinput>cd openssl-0.9.8s</userinput>
+$ <userinput>./Configure linux-x86_64 -pthread \
+ --pk11-libname=/opt/pkcs11/usr/lib/libpkcs11.so \
+ --pk11-flavor=sign-only \
+ --prefix=/opt/pkcs11/usr</userinput>
+</screen>
+ <para>After configuring, run "<command>make</command>"
+ and "<command>make test</command>".</para>
+ </sect3>
+ <para>Once you have built OpenSSL, run
+ "<command>apps/openssl engine pkcs11</command>" to confirm
+ that PKCS #11 support was compiled in correctly. The output
+ should be one of the following lines, depending on the flavor
+ selected:</para>
+ <screen>
+ (pkcs11) PKCS #11 engine support (sign only)
+</screen>
+ <para>Or:</para>
+ <screen>
+ (pkcs11) PKCS #11 engine support (crypto accelerator)
+</screen>
+ <para>Next, run
+ "<command>apps/openssl engine pkcs11 -t</command>". This will
+ attempt to initialize the PKCS #11 engine. If it is able to
+ do so successfully, it will report
+ <quote><literal>[ available ]</literal></quote>.</para>
+ <para>If the output is correct, run
+ "<command>make install</command>" which will install the
+ modified OpenSSL suite to
+ <filename>/opt/pkcs11/usr</filename>.</para>
+ </sect2>
+ <sect2>
+ <title>Building BIND 9 with PKCS#11</title>
+ <para>When building BIND 9, the location of the custom-built
+ OpenSSL library must be specified via configure.</para>
+ <sect3>
+ <!-- Example 4 -->
+ <title>Configuring BIND 9 for Linux with the AEP Keyper</title>
+ <para>To link with the PKCS #11 provider, threads must be
+ enabled in the BIND 9 build.</para>
+ <para>The PKCS #11 library for the AEP Keyper is currently
+ only available as a 32-bit binary. If we are building on a
+ 64-bit host, we must force a 32-bit build by adding "-m32" to
+ the CC options on the "configure" command line.</para>
+ <screen>
+$ <userinput>cd ../bind9</userinput>
+$ <userinput>./configure CC="gcc -m32" --enable-threads \
+ --with-openssl=/opt/pkcs11/usr \
+ --with-pkcs11=/opt/pkcs11/usr/lib/libpkcs11.so</userinput>
+</screen>
+ </sect3>
+ <sect3>
+ <!-- Example 5 -->
+ <title>Configuring BIND 9 for Solaris with the SCA 6000</title>
+ <para>To link with the PKCS #11 provider, threads must be
+ enabled in the BIND 9 build.</para>
+ <screen>
+$ <userinput>cd ../bind9</userinput>
+$ <userinput>./configure CC="cc -xarch=amd64" --enable-threads \
+ --with-openssl=/opt/pkcs11/usr \
+ --with-pkcs11=/usr/lib/64/libpkcs11.so</userinput>
+</screen>
+ <para>(For a 32-bit build, omit CC="cc -xarch=amd64".)</para>
+ <para>If configure complains about OpenSSL not working, you
+ may have a 32/64-bit architecture mismatch. Or, you may have
+ incorrectly specified the path to OpenSSL (it should be the
+ same as the --prefix argument to the OpenSSL
+ Configure).</para>
+ </sect3>
+ <sect3>
+ <!-- Example 6 -->
+ <title>Configuring BIND 9 for SoftHSM</title>
+ <screen>
+$ <userinput>cd ../bind9</userinput>
+$ <userinput>./configure --enable-threads \
+ --with-openssl=/opt/pkcs11/usr \
+ --with-pkcs11=/opt/pkcs11/usr/lib/libpkcs11.so</userinput>
+</screen>
+ </sect3>
+ <para>After configuring, run
+ "<command>make</command>",
+ "<command>make test</command>" and
+ "<command>make install</command>".</para>
+ <para>(Note: If "make test" fails in the "pkcs11" system test, you may
+ have forgotten to set the SOFTHSM_CONF environment variable.)</para>
+ </sect2>
+ <sect2>
+ <title>PKCS #11 Tools</title>
+ <para>BIND 9 includes a minimal set of tools to operate the
+ HSM, including
+ <command>pkcs11-keygen</command> to generate a new key pair
+ within the HSM,
+ <command>pkcs11-list</command> to list objects currently
+ available, and
+ <command>pkcs11-destroy</command> to remove objects.</para>
+ <para>In UNIX/Linux builds, these tools are built only if BIND
+ 9 is configured with the --with-pkcs11 option. (NOTE: If
+ --with-pkcs11 is set to "yes", rather than to the path of the
+ PKCS #11 provider, then the tools will be built but the
+ provider will be left undefined. Use the -m option or the
+ PKCS11_PROVIDER environment variable to specify the path to the
+ provider.)</para>
+ </sect2>
+ <sect2>
+ <title>Using the HSM</title>
+ <para>First, we must set up the runtime environment so the
+ OpenSSL and PKCS #11 libraries can be loaded:</para>
+ <screen>
+$ <userinput>export LD_LIBRARY_PATH=/opt/pkcs11/usr/lib:${LD_LIBRARY_PATH}</userinput>
+</screen>
+ <para>When operating an AEP Keyper, it is also necessary to
+ specify the location of the "machine" file, which stores
+ information about the Keyper for use by PKCS #11 provider
+ library. If the machine file is in
+ <filename>/opt/Keyper/PKCS11Provider/machine</filename>,
+ use:</para>
+ <screen>
+$ <userinput>export KEYPER_LIBRARY_PATH=/opt/Keyper/PKCS11Provider</userinput>
+</screen>
+ <!-- TODO: why not defined at compile time? -->
+ <para>These environment variables must be set whenever running
+ any tool that uses the HSM, including
+ <command>pkcs11-keygen</command>,
+ <command>pkcs11-list</command>,
+ <command>pkcs11-destroy</command>,
+ <command>dnssec-keyfromlabel</command>,
+ <command>dnssec-signzone</command>,
+ <command>dnssec-keygen</command>(which will use the HSM for
+ random number generation), and
+ <command>named</command>.</para>
+ <para>We can now create and use keys in the HSM. In this case,
+ we will create a 2048 bit key and give it the label
+ "sample-ksk":</para>
+ <screen>
+$ <userinput>pkcs11-keygen -b 2048 -l sample-ksk</userinput>
+</screen>
+ <para>To confirm that the key exists:</para>
+ <screen>
+$ <userinput>pkcs11-list</userinput>
+Enter PIN:
+object[0]: handle 2147483658 class 3 label[8] 'sample-ksk' id[0]
+object[1]: handle 2147483657 class 2 label[8] 'sample-ksk' id[0]
+</screen>
+ <para>Before using this key to sign a zone, we must create a
+ pair of BIND 9 key files. The "dnssec-keyfromlabel" utility
+ does this. In this case, we will be using the HSM key
+ "sample-ksk" as the key-signing key for "example.net":</para>
+ <screen>
+$ <userinput>dnssec-keyfromlabel -l sample-ksk -f KSK example.net</userinput>
+</screen>
+ <para>The resulting K*.key and K*.private files can now be used
+ to sign the zone. Unlike normal K* files, which contain both
+ public and private key data, these files will contain only the
+ public key data, plus an identifier for the private key which
+ remains stored within the HSM. The HSM handles signing with the
+ private key.</para>
+ <para>If you wish to generate a second key in the HSM for use
+ as a zone-signing key, follow the same procedure above, using a
+ different keylabel, a smaller key size, and omitting "-f KSK"
+ from the dnssec-keyfromlabel arguments:</para>
+ <screen>
+$ <userinput>pkcs11-keygen -b 1024 -l sample-zsk</userinput>
+$ <userinput>dnssec-keyfromlabel -l sample-zsk example.net</userinput>
+</screen>
+ <para>Alternatively, you may prefer to generate a conventional
+ on-disk key, using dnssec-keygen:</para>
+ <screen>
+$ <userinput>dnssec-keygen example.net</userinput>
+</screen>
+ <para>This provides less security than an HSM key, but since
+ HSMs can be slow or cumbersome to use for security reasons, it
+ may be more efficient to reserve HSM keys for use in the less
+ frequent key-signing operation. The zone-signing key can be
+ rolled more frequently, if you wish, to compensate for a
+ reduction in key security.</para>
+ <para>Now you can sign the zone. (Note: If not using the -S
+ option to
+ <command>dnssec-signzone</command>, it will be necessary to add
+ the contents of both
+ <filename>K*.key</filename> files to the zone master file before
+ signing it.)</para>
+ <screen>
+$ <userinput>dnssec-signzone -S example.net</userinput>
+Enter PIN:
+Verifying the zone using the following algorithms:
+NSEC3RSASHA1.
+Zone signing complete:
+Algorithm: NSEC3RSASHA1: ZSKs: 1, KSKs: 1 active, 0 revoked, 0 stand-by
+example.net.signed
+</screen>
+ </sect2>
+ <sect2>
+ <title>Specifying the engine on the command line</title>
+ <para>The OpenSSL engine can be specified in
+ <command>named</command> and all of the BIND
+ <command>dnssec-*</command> tools by using the "-E
+ &lt;engine&gt;" command line option. If BIND 9 is built with
+ the --with-pkcs11 option, this option defaults to "pkcs11".
+ Specifying the engine will generally not be necessary unless
+ for some reason you wish to use a different OpenSSL
+ engine.</para>
+ <para>If you wish to disable use of the "pkcs11" engine &mdash;
+ for troubleshooting purposes, or because the HSM is unavailable
+ &mdash; set the engine to the empty string. For example:</para>
+ <screen>
+$ <userinput>dnssec-signzone -E '' -S example.net</userinput>
+</screen>
+ <para>This causes
+ <command>dnssec-signzone</command> to run as if it were compiled
+ without the --with-pkcs11 option.</para>
+ </sect2>
+ <sect2>
+ <title>Running named with automatic zone re-signing</title>
+ <para>If you want
+ <command>named</command> to dynamically re-sign zones using HSM
+ keys, and/or to to sign new records inserted via nsupdate, then
+ named must have access to the HSM PIN. This can be accomplished
+ by placing the PIN into the openssl.cnf file (in the above
+ examples,
+ <filename>/opt/pkcs11/usr/ssl/openssl.cnf</filename>).</para>
+ <para>The location of the openssl.cnf file can be overridden by
+ setting the OPENSSL_CONF environment variable before running
+ named.</para>
+ <para>Sample openssl.cnf:</para>
+ <programlisting>
+ openssl_conf = openssl_def
+ [ openssl_def ]
+ engines = engine_section
+ [ engine_section ]
+ pkcs11 = pkcs11_section
+ [ pkcs11_section ]
+ PIN = <replaceable>&lt;PLACE PIN HERE&gt;</replaceable>
+</programlisting>
+ <para>This will also allow the dnssec-* tools to access the HSM
+ without PIN entry. (The pkcs11-* tools access the HSM directly,
+ not via OpenSSL, so a PIN will still be required to use
+ them.)</para>
+<!--
+If the PIN is not known, I believe the first time named needs the
+PIN to open a key, it'll ask you to type in the PIN, which will be
+a problem because it probably won't be running on a terminal
+-->
+ <warning>
+ <para>Placing the HSM's PIN in a text file in
+ this manner may reduce the security advantage of using an
+ HSM. Be sure this is what you want to do before configuring
+ OpenSSL in this way.</para>
+ </warning>
+ </sect2>
+ <!-- TODO: what is alternative then for named dynamic re-signing? -->
+ <!-- TODO: what happens if PIN is not known? named will log about it? -->
+</sect1>
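Review bot: The OpenSSL build procedure in the Prerequisites section downloads `openssl-0.9.8s.tar.gz` over plain `http://` and goes straight to `tar zxf` and `patch`, with no step that checks the tarball's integrity. Because this library ends up linked into `named` and the `dnssec-*` tools that drive the HSM, I would add a step between the download and the extraction, for example `<para>Verify the tarball against the PGP signature or checksum published by the OpenSSL project before extracting it.</para>`. The same gap applies to the `softhsm-1.3.0` sources in Example 3, where the text does not say how they are obtained. Separately, the warning about placing the PIN in `openssl.cnf` could add that the file should be readable only by the accounts that run `named` and the `dnssec-*` tools.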
diff --git a/contrib/bind9/doc/misc/Makefile.in b/contrib/bind9/doc/misc/Makefile.in
index 5f4d4c82a794..0ddd14d4e497 100644
--- a/contrib/bind9/doc/misc/Makefile.in
+++ b/contrib/bind9/doc/misc/Makefile.in
@@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id$
+# $Id: Makefile.in,v 1.9 2009/07/10 23:47:58 tbox Exp $
srcdir = @srcdir@
VPATH = @srcdir@
diff --git a/contrib/bind9/doc/misc/options b/contrib/bind9/doc/misc/options
index a6b2dcdfdb76..51d2506989e3 100644
--- a/contrib/bind9/doc/misc/options
+++ b/contrib/bind9/doc/misc/options
@@ -44,6 +44,9 @@ lwres {
view <string> <optional_class>;
};
+managed-keys { <string> <string> <integer> <integer> <integer>
+ <quoted_string>; ... };
+
masters <string> [ port <integer> ] { ( <masters> | <ipv4_address> [ port
<integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ]; ... };
@@ -52,6 +55,7 @@ options {
acache-enable <boolean>;
additional-from-auth <boolean>;
additional-from-cache <boolean>;
+ allow-new-zones <boolean>;
allow-notify { <address_match_element>; ... };
allow-query { <address_match_element>; ... };
allow-query-cache { <address_match_element>; ... };
@@ -68,11 +72,15 @@ options {
alt-transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ];
alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> |
* ) ];
+ attach-cache <string>;
auth-nxdomain <boolean>; // default changed
+ auto-dnssec ( allow | maintain | off );
avoid-v4-udp-ports { <portrange>; ... };
avoid-v6-udp-ports { <portrange>; ... };
+ bindkeys-file <quoted_string>;
blackhole { <address_match_element>; ... };
cache-file <quoted_string>;
+ check-dup-records ( fail | warn | ignore );
check-integrity <boolean>;
check-mx ( fail | warn | ignore );
check-mx-cname ( fail | warn | ignore );
@@ -85,15 +93,31 @@ options {
coresize <size>;
datasize <size>;
deallocate-on-exit <boolean>; // obsolete
+ deny-answer-addresses { <address_match_element>; ... } [
+ except-from { <quoted_string>; ... } ];
+ deny-answer-aliases { <quoted_string>; ... } [ except-from {
+ <quoted_string>; ... } ];
dialup <dialuptype>;
directory <quoted_string>;
disable-algorithms <string> { <string>; ... };
disable-empty-zone <string>;
+ dns64 <netprefix> {
+ break-dnssec <boolean>;
+ clients { <address_match_element>; ... };
+ exclude { <address_match_element>; ... };
+ mapped { <address_match_element>; ... };
+ recursive-only <boolean>;
+ suffix <ipv6_address>;
+ };
+ dns64-contact <string>;
+ dns64-server <string>;
dnssec-accept-expired <boolean>;
+ dnssec-dnskey-kskonly <boolean>;
dnssec-enable <boolean>;
- dnssec-lookaside <string> trust-anchor <string>;
+ dnssec-lookaside ( <string> trust-anchor <string> | auto | no );
dnssec-must-be-secure <string> <boolean>;
- dnssec-validation <boolean>;
+ dnssec-secure-to-insecure <boolean>;
+ dnssec-validation ( yes | no | auto );
dual-stack-servers [ port <integer> ] { ( <quoted_string> [ port
<integer> ] | <ipv4_address> [ port <integer> ] |
<ipv6_address> [ port <integer> ] ); ... };
@@ -105,6 +129,8 @@ options {
fake-iquery <boolean>; // obsolete
fetch-glue <boolean>; // obsolete
files <size>;
+ filter-aaaa { <address_match_element>; ... }; // not configured
+ filter-aaaa-on-v4 <v4_aaaa>; // not configured
flush-zones-on-shutdown <boolean>;
forward ( first | only );
forwarders [ port <integer> ] { ( <ipv4_address> | <ipv6_address> )
@@ -121,6 +147,7 @@ options {
listen-on [ port <integer> ] { <address_match_element>; ... };
listen-on-v6 [ port <integer> ] { <address_match_element>; ... };
maintain-ixfr-base <boolean>; // obsolete
+ managed-keys-directory <quoted_string>;
masterfile-format ( text | raw );
match-mapped-addresses <boolean>;
max-acache-size <size_no_default>;
@@ -168,13 +195,23 @@ options {
request-ixfr <boolean>;
request-nsid <boolean>;
reserved-sockets <integer>;
+ resolver-query-timeout <integer>;
+ response-policy { zone <quoted_string> [ policy ( given | disabled
+ | passthru | no-op | nxdomain | nodata | cname <quoted_string>
+ ) ] [ recursive-only <boolean> ] [ max-policy-ttl <integer> ];
+ ... } [ recursive-only <boolean> ] [ break-dnssec <boolean> ] [
+ max-policy-ttl <integer> ];
rfc2308-type1 <boolean>; // not yet implemented
root-delegation-only [ exclude { <quoted_string>; ... } ];
rrset-order { [ class <string> ] [ type <string> ] [ name
<quoted_string> ] <string> <string>; ... };
+ secroots-file <quoted_string>;
serial-queries <integer>; // obsolete
serial-query-rate <integer>;
server-id ( <quoted_string> | none | hostname );
+ session-keyalg <string>;
+ session-keyfile ( <quoted_string> | none );
+ session-keyname <string>;
sig-signing-nodes <integer>;
sig-signing-signatures <integer>;
sig-signing-type <integer>;
@@ -189,6 +226,7 @@ options {
tkey-dhkey <quoted_string> <integer>;
tkey-domain <quoted_string>;
tkey-gssapi-credential <quoted_string>;
+ tkey-gssapi-keytab <quoted_string>;
topology { <address_match_element>; ... }; // not implemented
transfer-format ( many-answers | one-answer );
transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ];
@@ -242,6 +280,7 @@ view <string> <optional_class> {
acache-enable <boolean>;
additional-from-auth <boolean>;
additional-from-cache <boolean>;
+ allow-new-zones <boolean>;
allow-notify { <address_match_element>; ... };
allow-query { <address_match_element>; ... };
allow-query-cache { <address_match_element>; ... };
@@ -258,8 +297,11 @@ view <string> <optional_class> {
alt-transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ];
alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> |
* ) ];
+ attach-cache <string>;
auth-nxdomain <boolean>; // default changed
+ auto-dnssec ( allow | maintain | off );
cache-file <quoted_string>;
+ check-dup-records ( fail | warn | ignore );
check-integrity <boolean>;
check-mx ( fail | warn | ignore );
check-mx-cname ( fail | warn | ignore );
@@ -270,17 +312,33 @@ view <string> <optional_class> {
cleaning-interval <integer>;
clients-per-query <integer>;
database <string>;
+ deny-answer-addresses { <address_match_element>; ... } [
+ except-from { <quoted_string>; ... } ];
+ deny-answer-aliases { <quoted_string>; ... } [ except-from {
+ <quoted_string>; ... } ];
dialup <dialuptype>;
disable-algorithms <string> { <string>; ... };
disable-empty-zone <string>;
dlz <string> {
database <string>;
};
+ dns64 <netprefix> {
+ break-dnssec <boolean>;
+ clients { <address_match_element>; ... };
+ exclude { <address_match_element>; ... };
+ mapped { <address_match_element>; ... };
+ recursive-only <boolean>;
+ suffix <ipv6_address>;
+ };
+ dns64-contact <string>;
+ dns64-server <string>;
dnssec-accept-expired <boolean>;
+ dnssec-dnskey-kskonly <boolean>;
dnssec-enable <boolean>;
- dnssec-lookaside <string> trust-anchor <string>;
+ dnssec-lookaside ( <string> trust-anchor <string> | auto | no );
dnssec-must-be-secure <string> <boolean>;
- dnssec-validation <boolean>;
+ dnssec-secure-to-insecure <boolean>;
+ dnssec-validation ( yes | no | auto );
dual-stack-servers [ port <integer> ] { ( <quoted_string> [ port
<integer> ] | <ipv4_address> [ port <integer> ] |
<ipv6_address> [ port <integer> ] ); ... };
@@ -289,6 +347,8 @@ view <string> <optional_class> {
empty-server <string>;
empty-zones-enable <boolean>;
fetch-glue <boolean>; // obsolete
+ filter-aaaa { <address_match_element>; ... }; // not configured
+ filter-aaaa-on-v4 <v4_aaaa>; // not configured
forward ( first | only );
forwarders [ port <integer> ] { ( <ipv4_address> | <ipv6_address> )
[ port <integer> ]; ... };
@@ -300,6 +360,8 @@ view <string> <optional_class> {
key-directory <quoted_string>;
lame-ttl <integer>;
maintain-ixfr-base <boolean>; // obsolete
+ managed-keys { <string> <string> <integer> <integer> <integer>
+ <quoted_string>; ... };
masterfile-format ( text | raw );
match-clients { <address_match_element>; ... };
match-destinations { <address_match_element>; ... };
@@ -338,6 +400,12 @@ view <string> <optional_class> {
recursion <boolean>;
request-ixfr <boolean>;
request-nsid <boolean>;
+ resolver-query-timeout <integer>;
+ response-policy { zone <quoted_string> [ policy ( given | disabled
+ | passthru | no-op | nxdomain | nodata | cname <quoted_string>
+ ) ] [ recursive-only <boolean> ] [ max-policy-ttl <integer> ];
+ ... } [ recursive-only <boolean> ] [ break-dnssec <boolean> ] [
+ max-policy-ttl <integer> ];
rfc2308-type1 <boolean>; // not yet implemented
root-delegation-only [ exclude { <quoted_string>; ... } ];
rrset-order { [ class <string> ] [ type <string> ] [ name
@@ -395,6 +463,8 @@ view <string> <optional_class> {
<integer> | * ) ];
alt-transfer-source-v6 ( <ipv6_address> | * ) [ port (
<integer> | * ) ];
+ auto-dnssec ( allow | maintain | off );
+ check-dup-records ( fail | warn | ignore );
check-integrity <boolean>;
check-mx ( fail | warn | ignore );
check-mx-cname ( fail | warn | ignore );
@@ -405,6 +475,8 @@ view <string> <optional_class> {
database <string>;
delegation-only <boolean>;
dialup <dialuptype>;
+ dnssec-dnskey-kskonly <boolean>;
+ dnssec-secure-to-insecure <boolean>;
file <quoted_string>;
forward ( first | only );
forwarders [ port <integer> ] { ( <ipv4_address> |
@@ -440,6 +512,9 @@ view <string> <optional_class> {
nsec3-test-zone <boolean>; // test only
pubkey <integer> <integer> <integer>
<quoted_string>; // obsolete
+ server-addresses { ( <ipv4_address> | <ipv6_address> ) [
+ port <integer> ]; ... };
+ server-names { <quoted_string>; ... };
sig-signing-nodes <integer>;
sig-signing-signatures <integer>;
sig-signing-type <integer>;
@@ -449,13 +524,14 @@ view <string> <optional_class> {
transfer-source-v6 ( <ipv6_address> | * ) [ port (
<integer> | * ) ];
try-tcp-refresh <boolean>;
- type ( master | slave | stub | hint | forward |
- delegation-only );
+ type ( master | slave | stub | static-stub | hint | forward
+ | delegation-only );
update-check-ksk <boolean>;
- update-policy { ( grant | deny ) <string> ( name |
- subdomain | wildcard | self | selfsub | selfwild |
+ update-policy ( local | { ( grant | deny ) <string> ( name
+ | subdomain | wildcard | self | selfsub | selfwild |
krb5-self | ms-self | krb5-subdomain | ms-subdomain |
- tcp-self | 6to4-self ) <string> <rrtypelist>; ... };
+ tcp-self | 6to4-self | zonesub | external ) [ <string>
+ ] <rrtypelist>; ... };
use-alt-transfer-source <boolean>;
zero-no-soa-ttl <boolean>;
zone-statistics <boolean>;
@@ -475,6 +551,8 @@ zone <string> <optional_class> {
alt-transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ];
alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> |
* ) ];
+ auto-dnssec ( allow | maintain | off );
+ check-dup-records ( fail | warn | ignore );
check-integrity <boolean>;
check-mx ( fail | warn | ignore );
check-mx-cname ( fail | warn | ignore );
@@ -485,6 +563,8 @@ zone <string> <optional_class> {
database <string>;
delegation-only <boolean>;
dialup <dialuptype>;
+ dnssec-dnskey-kskonly <boolean>;
+ dnssec-secure-to-insecure <boolean>;
file <quoted_string>;
forward ( first | only );
forwarders [ port <integer> ] { ( <ipv4_address> | <ipv6_address> )
@@ -517,6 +597,9 @@ zone <string> <optional_class> {
notify-to-soa <boolean>;
nsec3-test-zone <boolean>; // test only
pubkey <integer> <integer> <integer> <quoted_string>; // obsolete
+ server-addresses { ( <ipv4_address> | <ipv6_address> ) [ port
+ <integer> ]; ... };
+ server-names { <quoted_string>; ... };
sig-signing-nodes <integer>;
sig-signing-signatures <integer>;
sig-signing-type <integer>;
@@ -524,12 +607,13 @@ zone <string> <optional_class> {
transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ];
transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ];
try-tcp-refresh <boolean>;
- type ( master | slave | stub | hint | forward | delegation-only );
+ type ( master | slave | stub | static-stub | hint | forward |
+ delegation-only );
update-check-ksk <boolean>;
- update-policy { ( grant | deny ) <string> ( name | subdomain |
- wildcard | self | selfsub | selfwild | krb5-self | ms-self |
- krb5-subdomain | ms-subdomain | tcp-self | 6to4-self ) <string>
- <rrtypelist>; ... };
+ update-policy ( local | { ( grant | deny ) <string> ( name |
+ subdomain | wildcard | self | selfsub | selfwild | krb5-self |
+ ms-self | krb5-subdomain | ms-subdomain | tcp-self | 6to4-self
+ | zonesub | external ) [ <string> ] <rrtypelist>; ... };
use-alt-transfer-source <boolean>;
zero-no-soa-ttl <boolean>;
zone-statistics <boolean>;
diff --git a/contrib/bind9/lib/bind9/Makefile.in b/contrib/bind9/lib/bind9/Makefile.in
index 5c566e259fd0..73285e1e9629 100644
--- a/contrib/bind9/lib/bind9/Makefile.in
+++ b/contrib/bind9/lib/bind9/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2004, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007, 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2001 Internet Software Consortium.
#
# Permission to use, copy, modify, and/or distribute this software for any
@@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id$
+# $Id: Makefile.in,v 1.14 2009/12/05 23:31:40 each Exp $
srcdir = @srcdir@
VPATH = @srcdir@
diff --git a/contrib/bind9/lib/bind9/api b/contrib/bind9/lib/bind9/api
index 8361ce630bd3..7e9b11513e12 100644
--- a/contrib/bind9/lib/bind9/api
+++ b/contrib/bind9/lib/bind9/api
@@ -3,6 +3,6 @@
# 9.7: 60-79
# 9.8: 80-89
# 9.9: 90-109
-LIBINTERFACE = 50
-LIBREVISION = 9
+LIBINTERFACE = 80
+LIBREVISION = 7
LIBAGE = 0
diff --git a/contrib/bind9/lib/bind9/check.c b/contrib/bind9/lib/bind9/check.c
index b43bb7076ad6..f76560415539 100644
--- a/contrib/bind9/lib/bind9/check.c
+++ b/contrib/bind9/lib/bind9/check.c
@@ -103,7 +103,7 @@ check_orderent(const cfg_obj_t *ent, isc_log_t *logctx) {
isc_buffer_init(&b, str, strlen(str));
isc_buffer_add(&b, strlen(str));
tresult = dns_name_fromtext(dns_fixedname_name(&fixed), &b,
- dns_rootname, ISC_FALSE, NULL);
+ dns_rootname, 0, NULL);
if (tresult != ISC_R_SUCCESS) {
cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
"rrset-order: invalid name '%s'", str);
@@ -202,7 +202,7 @@ check_dual_stack(const cfg_obj_t *options, isc_log_t *logctx) {
dns_fixedname_init(&fixed);
name = dns_fixedname_name(&fixed);
tresult = dns_name_fromtext(name, &buffer, dns_rootname,
- ISC_FALSE, NULL);
+ 0, NULL);
if (tresult != ISC_R_SUCCESS) {
cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
"bad name '%s'", str);
@@ -265,7 +265,7 @@ disabled_algorithms(const cfg_obj_t *disabled, isc_log_t *logctx) {
str = cfg_obj_asstring(obj);
isc_buffer_init(&b, str, strlen(str));
isc_buffer_add(&b, strlen(str));
- tresult = dns_name_fromtext(name, &b, dns_rootname, ISC_FALSE, NULL);
+ tresult = dns_name_fromtext(name, &b, dns_rootname, 0, NULL);
if (tresult != ISC_R_SUCCESS) {
cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
"bad domain name '%s'", str);
@@ -348,7 +348,7 @@ mustbesecure(const cfg_obj_t *secure, isc_symtab_t *symtab, isc_log_t *logctx,
str = cfg_obj_asstring(obj);
isc_buffer_init(&b, str, strlen(str));
isc_buffer_add(&b, strlen(str));
- result = dns_name_fromtext(name, &b, dns_rootname, ISC_FALSE, NULL);
+ result = dns_name_fromtext(name, &b, dns_rootname, 0, NULL);
if (result != ISC_R_SUCCESS) {
cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
"bad domain name '%s'", str);
@@ -403,7 +403,7 @@ check_viewacls(cfg_aclconfctx_t *actx, const cfg_obj_t *voptions,
static const char *acls[] = { "allow-query", "allow-query-on",
"allow-query-cache", "allow-query-cache-on",
"blackhole", "match-clients", "match-destinations",
- "sortlist", NULL };
+ "sortlist", "filter-aaaa", NULL };
while (acls[i] != NULL) {
tresult = checkacl(acls[i++], actx, NULL, voptions, config,
@@ -414,6 +414,106 @@ check_viewacls(cfg_aclconfctx_t *actx, const cfg_obj_t *voptions,
return (result);
}
+static const unsigned char zeros[16];
+
+static isc_result_t
+check_dns64(cfg_aclconfctx_t *actx, const cfg_obj_t *voptions,
+ const cfg_obj_t *config, isc_log_t *logctx, isc_mem_t *mctx)
+{
+ isc_result_t result = ISC_R_SUCCESS;
+ const cfg_obj_t *dns64 = NULL;
+ const cfg_obj_t *options;
+ const cfg_listelt_t *element;
+ const cfg_obj_t *map, *obj;
+ isc_netaddr_t na, sa;
+ unsigned int prefixlen;
+ int nbytes;
+ int i;
+
+ static const char *acls[] = { "clients", "exclude", "mapped", NULL};
+
+ if (voptions != NULL)
+ cfg_map_get(voptions, "dns64", &dns64);
+ if (config != NULL && dns64 == NULL) {
+ options = NULL;
+ cfg_map_get(config, "options", &options);
+ if (options != NULL)
+ cfg_map_get(options, "dns64", &dns64);
+ }
+ if (dns64 == NULL)
+ return (ISC_R_SUCCESS);
+
+ for (element = cfg_list_first(dns64);
+ element != NULL;
+ element = cfg_list_next(element))
+ {
+ map = cfg_listelt_value(element);
+ obj = cfg_map_getname(map);
+
+ cfg_obj_asnetprefix(obj, &na, &prefixlen);
+ if (na.family != AF_INET6) {
+ cfg_obj_log(map, logctx, ISC_LOG_ERROR,
+ "dns64 requires a IPv6 prefix");
+ result = ISC_R_FAILURE;
+ continue;
+ }
+
+ if (prefixlen != 32 && prefixlen != 40 && prefixlen != 48 &&
+ prefixlen != 56 && prefixlen != 64 && prefixlen != 96) {
+ cfg_obj_log(map, logctx, ISC_LOG_ERROR,
+ "bad prefix length %u [32/40/48/56/64/96]",
+ prefixlen);
+ result = ISC_R_FAILURE;
+ continue;
+ }
+
+ for (i = 0; acls[i] != NULL; i++) {
+ obj = NULL;
+ (void)cfg_map_get(map, acls[i], &obj);
+ if (obj != NULL) {
+ dns_acl_t *acl = NULL;
+ isc_result_t tresult;
+
+ tresult = cfg_acl_fromconfig(obj, config,
+ logctx, actx,
+ mctx, 0, &acl);
+ if (acl != NULL)
+ dns_acl_detach(&acl);
+ if (tresult != ISC_R_SUCCESS)
+ result = tresult;
+ }
+ }
+
+ obj = NULL;
+ (void)cfg_map_get(map, "suffix", &obj);
+ if (obj != NULL) {
+ isc_netaddr_fromsockaddr(&sa, cfg_obj_assockaddr(obj));
+ if (sa.family != AF_INET6) {
+ cfg_obj_log(map, logctx, ISC_LOG_ERROR,
+ "dns64 requires a IPv6 suffix");
+ result = ISC_R_FAILURE;
+ continue;
+ }
+ nbytes = prefixlen / 8 + 4;
+ if (prefixlen >= 32 && prefixlen <= 64)
+ nbytes++;
+ if (memcmp(sa.type.in6.s6_addr, zeros, nbytes) != 0) {
+ char netaddrbuf[ISC_NETADDR_FORMATSIZE];
+ isc_netaddr_format(&sa, netaddrbuf,
+ sizeof(netaddrbuf));
+ cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+ "bad suffix '%s' leading "
+ "%u octets not zeros",
+ netaddrbuf, nbytes);
+ result = ISC_R_FAILURE;
+ }
+ }
+ }
+
+ return (result);
+}
+
+
/*
* Check allow-recursion and allow-recursion-on acls, and also log a
* warning if they're inconsistent with the "recursion" option.
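Review bot: In check_dns64 the suffix check computes `nbytes` with no explanation, and the value is declared `int` but printed with `%u` in the "leading %u octets not zeros" message. Declaring it `unsigned int nbytes;` matches both the format and the unsigned `prefixlen` it is derived from. A short comment above the computation would also help, for example `/* prefix octets + 4 octets of embedded IPv4 address, plus the reserved octet at bits 64..71 when the prefix is 32..64 bits long */`; that wording reflects my reading of the RFC 6052 address layout and should be confirmed. For the same readability reason, the two `cfg_map_get(..., "dns64", &dns64)` calls at the top ignore their result without the `(void)` cast used inside the loop.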
@@ -489,14 +589,95 @@ check_recursionacls(cfg_aclconfctx_t *actx, const cfg_obj_t *voptions,
return (result);
}
+static isc_result_t
+check_filteraaaa(cfg_aclconfctx_t *actx, const cfg_obj_t *voptions,
+ const char *viewname, const cfg_obj_t *config,
+ isc_log_t *logctx, isc_mem_t *mctx)
+{
+ const cfg_obj_t *options, *aclobj, *obj = NULL;
+ dns_acl_t *acl = NULL;
+ isc_result_t result = ISC_R_SUCCESS, tresult;
+ dns_v4_aaaa_t filter;
+ const char *forview = " for view ";
+
+ if (voptions != NULL)
+ cfg_map_get(voptions, "filter-aaaa-on-v4", &obj);
+ if (obj == NULL && config != NULL) {
+ options = NULL;
+ cfg_map_get(config, "options", &options);
+ if (options != NULL)
+ cfg_map_get(options, "filter-aaaa-on-v4", &obj);
+ }
+
+ if (obj == NULL)
+ filter = dns_v4_aaaa_ok; /* default */
+ else if (cfg_obj_isboolean(obj))
+ filter = cfg_obj_asboolean(obj) ? dns_v4_aaaa_filter :
+ dns_v4_aaaa_ok;
+ else
+ filter = dns_v4_aaaa_break_dnssec; /* break-dnssec */
+
+ if (viewname == NULL) {
+ viewname = "";
+ forview = "";
+ }
+
+ aclobj = options = NULL;
+ acl = NULL;
+
+ if (voptions != NULL)
+ cfg_map_get(voptions, "filter-aaaa", &aclobj);
+ if (config != NULL && aclobj == NULL) {
+ options = NULL;
+ cfg_map_get(config, "options", &options);
+ if (options != NULL)
+ cfg_map_get(options, "filter-aaaa", &aclobj);
+ }
+ if (aclobj == NULL)
+ return (result);
+
+ tresult = cfg_acl_fromconfig(aclobj, config, logctx,
+ actx, mctx, 0, &acl);
+
+ if (tresult != ISC_R_SUCCESS) {
+ result = tresult;
+ } else if (filter != dns_v4_aaaa_ok && dns_acl_isnone(acl)) {
+ cfg_obj_log(aclobj, logctx, ISC_LOG_WARNING,
+ "both \"filter-aaaa-on-v4 %s;\" and "
+ "\"filter-aaaa\" is 'none;'%s%s",
+ filter == dns_v4_aaaa_break_dnssec ?
+ "break-dnssec" : "yes", forview, viewname);
+ result = ISC_R_FAILURE;
+ } else if (filter == dns_v4_aaaa_ok && !dns_acl_isnone(acl)) {
+ cfg_obj_log(aclobj, logctx, ISC_LOG_WARNING,
+ "both \"filter-aaaa-on-v4 no;\" and "
+ "\"filter-aaaa\" is set%s%s", forview, viewname);
+ result = ISC_R_FAILURE;
+ }
+
+ if (acl != NULL)
+ dns_acl_detach(&acl);
+
+ return (result);
+}
+
typedef struct {
const char *name;
unsigned int scale;
unsigned int max;
} intervaltable;
+typedef enum {
+ optlevel_config,
+ optlevel_options,
+ optlevel_view,
+ optlevel_zone
+} optlevel_t;
+
static isc_result_t
-check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx) {
+check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
+ optlevel_t optlevel)
+{
isc_result_t result = ISC_R_SUCCESS;
isc_result_t tresult;
unsigned int i;
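Review bot: Both consistency diagnostics in check_filteraaaa are logged at `ISC_LOG_WARNING` while the same branches set `result = ISC_R_FAILURE;`, so a message the operator sees as a warning presumably still fails the configuration check. If rejecting the configuration is intended, log these with `ISC_LOG_ERROR`, as check_dns64 does for its failures; if they are advisory, drop the two `result = ISC_R_FAILURE;` assignments. The function would also benefit from a header comment stating that it cross-checks "filter-aaaa-on-v4" against the "filter-aaaa" ACL, taking each from the view first and then from the global options. The second `acl = NULL;` before the ACL lookup is redundant with the initializer.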
@@ -520,6 +701,12 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx) {
{ "statistics-interval", 60, 28 * 24 * 60 }, /* 28 days */
};
+ static const char *server_contact[] = {
+ "empty-server", "empty-contact",
+ "dns64-server", "dns64-contact",
+ NULL
+ };
+
/*
* Check that fields specified in units of time other than seconds
* have reasonable values.
@@ -616,7 +803,7 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx) {
isc_buffer_add(&b, strlen(str));
tresult = dns_name_fromtext(name, &b,
dns_rootname,
- ISC_FALSE, NULL);
+ 0, NULL);
if (tresult != ISC_R_SUCCESS) {
cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
"bad domain name '%s'",
@@ -662,14 +849,28 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx) {
element = cfg_list_next(element))
{
const char *dlv;
+ const cfg_obj_t *dlvobj, *anchor;
obj = cfg_listelt_value(element);
- dlv = cfg_obj_asstring(cfg_tuple_get(obj, "domain"));
+ anchor = cfg_tuple_get(obj, "trust-anchor");
+ dlvobj = cfg_tuple_get(obj, "domain");
+ dlv = cfg_obj_asstring(dlvobj);
+
+ /*
+ * If domain is "auto" or "no" and trust anchor
+ * is missing, skip remaining tests
+ */
+ if (cfg_obj_isvoid(anchor)) {
+ if (!strcasecmp(dlv, "no") ||
+ !strcasecmp(dlv, "auto"))
+ continue;
+ }
+
isc_buffer_init(&b, dlv, strlen(dlv));
isc_buffer_add(&b, strlen(dlv));
tresult = dns_name_fromtext(name, &b, dns_rootname,
- ISC_TRUE, NULL);
+ 0, NULL);
if (tresult != ISC_R_SUCCESS) {
cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
"bad domain name '%s'", dlv);
@@ -697,24 +898,52 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx) {
if (result == ISC_R_SUCCESS)
result = ISC_R_FAILURE;
}
- dlv = cfg_obj_asstring(cfg_tuple_get(obj,
- "trust-anchor"));
- isc_buffer_init(&b, dlv, strlen(dlv));
- isc_buffer_add(&b, strlen(dlv));
- tresult = dns_name_fromtext(name, &b, dns_rootname,
- ISC_TRUE, NULL);
- if (tresult != ISC_R_SUCCESS) {
+
+ if (!cfg_obj_isvoid(anchor)) {
+ dlv = cfg_obj_asstring(anchor);
+ isc_buffer_init(&b, dlv, strlen(dlv));
+ isc_buffer_add(&b, strlen(dlv));
+ tresult = dns_name_fromtext(name, &b,
+ dns_rootname,
+ DNS_NAME_DOWNCASE,
+ NULL);
+ if (tresult != ISC_R_SUCCESS) {
+ cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+ "bad domain name '%s'",
+ dlv);
+ if (result == ISC_R_SUCCESS)
+ result = tresult;
+ }
+ } else {
cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
- "bad domain name '%s'", dlv);
+ "dnssec-lookaside requires "
+ "either 'auto' or 'no', or a "
+ "domain and trust anchor");
if (result == ISC_R_SUCCESS)
- result = tresult;
+ result = ISC_R_FAILURE;
}
}
+
if (symtab != NULL)
isc_symtab_destroy(&symtab);
}
/*
+ * Check auto-dnssec at the view/options level
+ */
+ obj = NULL;
+ (void)cfg_map_get(options, "auto-dnssec", &obj);
+ if (obj != NULL) {
+ const char *arg = cfg_obj_asstring(obj);
+ if (optlevel != optlevel_zone && strcasecmp(arg, "off") != 0) {
+ cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+ "auto-dnssec may only be activated at the "
+ "zone level");
+ result = ISC_R_FAILURE;
+ }
+ }
+
+ /*
* Check dnssec-must-be-secure.
*/
obj = NULL;
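Review bot: The trust-anchor parse added here passes `DNS_NAME_DOWNCASE`, but the dnssec-lookaside domain parse in the preceding hunk replaces the old `ISC_TRUE` with `0`. The zone-name parse in check_zoneconf, by contrast, translates the same `ISC_TRUE` to `DNS_NAME_DOWNCASE`. If the domain is deliberately no longer downcased, a comment at that call such as `/* case is irrelevant here: name is only validated */` would record the intent; otherwise the domain call should read `dns_rootname, DNS_NAME_DOWNCASE, NULL);`. check_options starts and ends outside both hunks, so whether the parsed name is compared or stored afterwards cannot be seen from here.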
@@ -739,38 +968,29 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx) {
}
/*
- * Check empty zone configuration.
+ * Check server/contacts for syntactic validity.
*/
- obj = NULL;
- (void)cfg_map_get(options, "empty-server", &obj);
- if (obj != NULL) {
- str = cfg_obj_asstring(obj);
- isc_buffer_init(&b, str, strlen(str));
- isc_buffer_add(&b, strlen(str));
- tresult = dns_name_fromtext(dns_fixedname_name(&fixed), &b,
- dns_rootname, ISC_FALSE, NULL);
- if (tresult != ISC_R_SUCCESS) {
- cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
- "empty-server: invalid name '%s'", str);
- result = ISC_R_FAILURE;
- }
- }
-
- obj = NULL;
- (void)cfg_map_get(options, "empty-contact", &obj);
- if (obj != NULL) {
- str = cfg_obj_asstring(obj);
- isc_buffer_init(&b, str, strlen(str));
- isc_buffer_add(&b, strlen(str));
- tresult = dns_name_fromtext(dns_fixedname_name(&fixed), &b,
- dns_rootname, ISC_FALSE, NULL);
- if (tresult != ISC_R_SUCCESS) {
- cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
- "empty-contact: invalid name '%s'", str);
- result = ISC_R_FAILURE;
+ for (i= 0; server_contact[i] != NULL; i++) {
+ obj = NULL;
+ (void)cfg_map_get(options, server_contact[i], &obj);
+ if (obj != NULL) {
+ str = cfg_obj_asstring(obj);
+ isc_buffer_init(&b, str, strlen(str));
+ isc_buffer_add(&b, strlen(str));
+ tresult = dns_name_fromtext(dns_fixedname_name(&fixed),
+ &b, dns_rootname, 0, NULL);
+ if (tresult != ISC_R_SUCCESS) {
+ cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+ "%s: invalid name '%s'",
+ server_contact[i], str);
+ result = ISC_R_FAILURE;
+ }
}
}
+ /*
+ * Check empty zone configuration.
+ */
obj = NULL;
(void)cfg_map_get(options, "disable-empty-zone", &obj);
for (element = cfg_list_first(obj);
@@ -782,7 +1002,7 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx) {
isc_buffer_init(&b, str, strlen(str));
isc_buffer_add(&b, strlen(str));
tresult = dns_name_fromtext(dns_fixedname_name(&fixed), &b,
- dns_rootname, ISC_FALSE, NULL);
+ dns_rootname, 0, NULL);
if (tresult != ISC_R_SUCCESS) {
cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
"disable-empty-zone: invalid name '%s'",
@@ -946,6 +1166,12 @@ check_update_policy(const cfg_obj_t *policy, isc_log_t *logctx) {
const char *str;
isc_buffer_t b;
+ /* Check for "update-policy local;" */
+ if (cfg_obj_isstring(policy) &&
+ strcmp("local", cfg_obj_asstring(policy)) == 0)
+ return (ISC_R_SUCCESS);
+
+ /* Now check the grant policy */
for (element = cfg_list_first(policy);
element != NULL;
element = cfg_list_next(element))
@@ -961,24 +1187,28 @@ check_update_policy(const cfg_obj_t *policy, isc_log_t *logctx) {
isc_buffer_init(&b, str, strlen(str));
isc_buffer_add(&b, strlen(str));
tresult = dns_name_fromtext(dns_fixedname_name(&fixed), &b,
- dns_rootname, ISC_FALSE, NULL);
+ dns_rootname, 0, NULL);
if (tresult != ISC_R_SUCCESS) {
cfg_obj_log(identity, logctx, ISC_LOG_ERROR,
"'%s' is not a valid name", str);
result = tresult;
}
- dns_fixedname_init(&fixed);
- str = cfg_obj_asstring(dname);
- isc_buffer_init(&b, str, strlen(str));
- isc_buffer_add(&b, strlen(str));
- tresult = dns_name_fromtext(dns_fixedname_name(&fixed), &b,
- dns_rootname, ISC_FALSE, NULL);
- if (tresult != ISC_R_SUCCESS) {
- cfg_obj_log(dname, logctx, ISC_LOG_ERROR,
- "'%s' is not a valid name", str);
- result = tresult;
+ if (tresult == ISC_R_SUCCESS &&
+ strcasecmp(cfg_obj_asstring(matchtype), "zonesub") != 0) {
+ dns_fixedname_init(&fixed);
+ str = cfg_obj_asstring(dname);
+ isc_buffer_init(&b, str, strlen(str));
+ isc_buffer_add(&b, strlen(str));
+ tresult = dns_name_fromtext(dns_fixedname_name(&fixed),
+ &b, dns_rootname, 0, NULL);
+ if (tresult != ISC_R_SUCCESS) {
+ cfg_obj_log(dname, logctx, ISC_LOG_ERROR,
+ "'%s' is not a valid name", str);
+ result = tresult;
+ }
}
+
if (tresult == ISC_R_SUCCESS &&
strcasecmp(cfg_obj_asstring(matchtype), "wildcard") == 0 &&
!dns_name_iswildcard(dns_fixedname_name(&fixed))) {
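Review bot: `cfg_obj_asstring(dname)` is now skipped only when the match type is `zonesub`, yet the grammar this commit adds to doc/misc/options shows the name as optional (`[ <string> ]`) for the whole match-type list, which also gains `external`. If the parser can return a non-string name for any other type, the string accessor is still applied to it. Guarding on the object itself, `if (tresult == ISC_R_SUCCESS && cfg_obj_isstring(dname)) {`, would keep this check correct without mirroring the parser's list of match types. The loop body begins outside the hunk, so how `dname` is obtained is not visible here and this should be confirmed against the parser.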
@@ -1016,7 +1246,8 @@ check_update_policy(const cfg_obj_t *policy, isc_log_t *logctx) {
#define HINTZONE 8
#define FORWARDZONE 16
#define DELEGATIONZONE 32
-#define CHECKACL 64
+#define STATICSTUBZONE 64
+#define CHECKACL 128
typedef struct {
const char *name;
@@ -1052,7 +1283,7 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
dns_rdataclass_t defclass, cfg_aclconfctx_t *actx,
isc_log_t *logctx, isc_mem_t *mctx)
{
- const char *zname;
+ const char *znamestr;
const char *typestr;
unsigned int ztype;
const cfg_obj_t *zoptions, *goptions = NULL;
@@ -1062,19 +1293,24 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
unsigned int i;
dns_rdataclass_t zclass;
dns_fixedname_t fixedname;
+ dns_name_t *zname = NULL;
isc_buffer_t b;
isc_boolean_t root = ISC_FALSE;
+ const cfg_listelt_t *element;
static optionstable options[] = {
- { "allow-query", MASTERZONE | SLAVEZONE | STUBZONE | CHECKACL },
+ { "allow-query", MASTERZONE | SLAVEZONE | STUBZONE | CHECKACL |
+ STATICSTUBZONE },
{ "allow-notify", SLAVEZONE | CHECKACL },
{ "allow-transfer", MASTERZONE | SLAVEZONE | CHECKACL },
{ "notify", MASTERZONE | SLAVEZONE },
{ "also-notify", MASTERZONE | SLAVEZONE },
{ "dialup", MASTERZONE | SLAVEZONE | STUBZONE },
{ "delegation-only", HINTZONE | STUBZONE | DELEGATIONZONE },
- { "forward", MASTERZONE | SLAVEZONE | STUBZONE | FORWARDZONE },
- { "forwarders", MASTERZONE | SLAVEZONE | STUBZONE | FORWARDZONE },
+ { "forward", MASTERZONE | SLAVEZONE | STUBZONE |
+ STATICSTUBZONE | FORWARDZONE },
+ { "forwarders", MASTERZONE | SLAVEZONE | STUBZONE |
+ STATICSTUBZONE | FORWARDZONE },
{ "maintain-ixfr-base", MASTERZONE | SLAVEZONE },
{ "max-ixfr-log-size", MASTERZONE | SLAVEZONE },
{ "notify-source", MASTERZONE | SLAVEZONE },
@@ -1089,12 +1325,14 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
{ "min-retry-time", SLAVEZONE | STUBZONE },
{ "max-refresh-time", SLAVEZONE | STUBZONE },
{ "min-refresh-time", SLAVEZONE | STUBZONE },
+ { "dnssec-secure-to-insecure", MASTERZONE },
{ "sig-validity-interval", MASTERZONE },
{ "sig-re-signing-interval", MASTERZONE },
{ "sig-signing-nodes", MASTERZONE },
{ "sig-signing-type", MASTERZONE },
{ "sig-signing-signatures", MASTERZONE },
- { "zone-statistics", MASTERZONE | SLAVEZONE | STUBZONE },
+ { "zone-statistics", MASTERZONE | SLAVEZONE | STUBZONE |
+ STATICSTUBZONE},
{ "allow-update", MASTERZONE | CHECKACL },
{ "allow-update-forwarding", SLAVEZONE | CHECKACL },
{ "file", MASTERZONE | SLAVEZONE | STUBZONE | HINTZONE },
@@ -1108,12 +1346,17 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
{ "key-directory", MASTERZONE },
{ "check-wildcard", MASTERZONE },
{ "check-mx", MASTERZONE },
+ { "check-dup-records", MASTERZONE },
{ "integrity-check", MASTERZONE },
{ "check-mx-cname", MASTERZONE },
{ "check-srv-cname", MASTERZONE },
{ "masterfile-format", MASTERZONE | SLAVEZONE | STUBZONE | HINTZONE },
{ "update-check-ksk", MASTERZONE },
+ { "dnssec-dnskey-kskonly", MASTERZONE },
+ { "auto-dnssec", MASTERZONE },
{ "try-tcp-refresh", SLAVEZONE },
+ { "server-addresses", STATICSTUBZONE },
+ { "server-names", STATICSTUBZONE },
};
static optionstable dialups[] = {
@@ -1123,7 +1366,9 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
{ "passive", SLAVEZONE | STUBZONE },
};
- zname = cfg_obj_asstring(cfg_tuple_get(zconfig, "name"));
+
+ znamestr = cfg_obj_asstring(cfg_tuple_get(zconfig, "name"));
+
zoptions = cfg_tuple_get(zconfig, "options");
if (config != NULL)
@@ -1133,7 +1378,7 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
(void)cfg_map_get(zoptions, "type", &obj);
if (obj == NULL) {
cfg_obj_log(zconfig, logctx, ISC_LOG_ERROR,
- "zone '%s': type not present", zname);
+ "zone '%s': type not present", znamestr);
return (ISC_R_FAILURE);
}
@@ -1144,6 +1389,8 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
ztype = SLAVEZONE;
else if (strcasecmp(typestr, "stub") == 0)
ztype = STUBZONE;
+ else if (strcasecmp(typestr, "static-stub") == 0)
+ ztype = STATICSTUBZONE;
else if (strcasecmp(typestr, "forward") == 0)
ztype = FORWARDZONE;
else if (strcasecmp(typestr, "hint") == 0)
@@ -1153,7 +1400,7 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
else {
cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
"zone '%s': invalid type %s",
- zname, typestr);
+ znamestr, typestr);
return (ISC_R_FAILURE);
}
@@ -1167,14 +1414,14 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
if (result != ISC_R_SUCCESS) {
cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
"zone '%s': invalid class %s",
- zname, r.base);
+ znamestr, r.base);
return (ISC_R_FAILURE);
}
if (zclass != defclass) {
cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
"zone '%s': class '%s' does not "
"match view/default class",
- zname, r.base);
+ znamestr, r.base);
return (ISC_R_FAILURE);
}
}
@@ -1185,26 +1432,25 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
* deals with strings.
*/
dns_fixedname_init(&fixedname);
- isc_buffer_init(&b, zname, strlen(zname));
- isc_buffer_add(&b, strlen(zname));
+ isc_buffer_init(&b, znamestr, strlen(znamestr));
+ isc_buffer_add(&b, strlen(znamestr));
tresult = dns_name_fromtext(dns_fixedname_name(&fixedname), &b,
- dns_rootname, ISC_TRUE, NULL);
+ dns_rootname, DNS_NAME_DOWNCASE, NULL);
if (tresult != ISC_R_SUCCESS) {
cfg_obj_log(zconfig, logctx, ISC_LOG_ERROR,
- "zone '%s': is not a valid name", zname);
+ "zone '%s': is not a valid name", znamestr);
result = ISC_R_FAILURE;
} else {
char namebuf[DNS_NAME_FORMATSIZE];
- dns_name_format(dns_fixedname_name(&fixedname),
- namebuf, sizeof(namebuf));
+ zname = dns_fixedname_name(&fixedname);
+ dns_name_format(zname, namebuf, sizeof(namebuf));
tresult = nameexist(zconfig, namebuf, ztype == HINTZONE ? 1 : 2,
symtab, "zone '%s': already exists "
"previous definition: %s:%u", logctx, mctx);
if (tresult != ISC_R_SUCCESS)
result = tresult;
- if (dns_name_equal(dns_fixedname_name(&fixedname),
- dns_rootname))
+ if (dns_name_equal(zname, dns_rootname))
root = ISC_TRUE;
}
@@ -1229,13 +1475,15 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
"option '%s' is not allowed "
"in '%s' zone '%s'",
- options[i].name, typestr, zname);
+ options[i].name, typestr,
+ znamestr);
result = ISC_R_FAILURE;
} else
cfg_obj_log(obj, logctx, ISC_LOG_WARNING,
"option '%s' is not allowed "
"in '%s' zone '%s'",
- options[i].name, typestr, zname);
+ options[i].name, typestr,
+ znamestr);
}
obj = NULL;
if ((options[i].allowed & ztype) != 0 &&
@@ -1257,7 +1505,7 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
if (cfg_map_get(zoptions, "masters", &obj) != ISC_R_SUCCESS) {
cfg_obj_log(zoptions, logctx, ISC_LOG_ERROR,
"zone '%s': missing 'masters' entry",
- zname);
+ znamestr);
result = ISC_R_FAILURE;
} else {
isc_uint32_t count;
@@ -1268,7 +1516,7 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
if (tresult == ISC_R_SUCCESS && count == 0) {
cfg_obj_log(zoptions, logctx, ISC_LOG_ERROR,
"zone '%s': empty 'masters' entry",
- zname);
+ znamestr);
result = ISC_R_FAILURE;
}
}
@@ -1278,7 +1526,10 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
* Master zones can't have both "allow-update" and "update-policy".
*/
if (ztype == MASTERZONE) {
- isc_result_t res1, res2;
+ isc_result_t res1, res2, res3;
+ const char *arg;
+ isc_boolean_t ddns;
+
obj = NULL;
res1 = cfg_map_get(zoptions, "allow-update", &obj);
obj = NULL;
@@ -1287,11 +1538,32 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
"zone '%s': 'allow-update' is ignored "
"when 'update-policy' is present",
- zname);
+ znamestr);
result = ISC_R_FAILURE;
} else if (res2 == ISC_R_SUCCESS &&
check_update_policy(obj, logctx) != ISC_R_SUCCESS)
result = ISC_R_FAILURE;
+ ddns = ISC_TF(res1 == ISC_R_SUCCESS || res2 == ISC_R_SUCCESS);
+
+ obj = NULL;
+ arg = "off";
+ res3 = cfg_map_get(zoptions, "auto-dnssec", &obj);
+ if (res3 == ISC_R_SUCCESS)
+ arg = cfg_obj_asstring(obj);
+ if (strcasecmp(arg, "off") != 0 && !ddns) {
+ cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+ "'auto-dnssec %s;' requires "
+ "dynamic DNS to be configured in the zone",
+ arg);
+ result = ISC_R_FAILURE;
+ }
+ if (strcasecmp(arg, "create") == 0) {
+ cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+ "'auto-dnssec create;' is not "
+ "yet implemented");
+ result = ISC_R_FAILURE;
+ }
+
obj = NULL;
res1 = cfg_map_get(zoptions, "sig-signing-type", &obj);
if (res1 == ISC_R_SUCCESS) {
@@ -1325,7 +1597,7 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
"dialup type '%s' is not "
"allowed in '%s' "
"zone '%s'",
- str, typestr, zname);
+ str, typestr, znamestr);
result = ISC_R_FAILURE;
}
break;
@@ -1333,7 +1605,7 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
if (i == sizeof(dialups) / sizeof(dialups[0])) {
cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
"invalid dialup type '%s' in zone "
- "'%s'", str, zname);
+ "'%s'", str, znamestr);
result = ISC_R_FAILURE;
}
}
@@ -1357,9 +1629,81 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
result = ISC_R_FAILURE;
/*
+ * Check validity of static stub server addresses.
+ */
+ obj = NULL;
+ (void)cfg_map_get(zoptions, "server-addresses", &obj);
+ if (ztype == STATICSTUBZONE && obj != NULL) {
+ for (element = cfg_list_first(obj);
+ element != NULL;
+ element = cfg_list_next(element))
+ {
+ isc_sockaddr_t sa;
+ isc_netaddr_t na;
+ obj = cfg_listelt_value(element);
+ sa = *cfg_obj_assockaddr(obj);
+
+ if (isc_sockaddr_getport(&sa) != 0) {
+ result = ISC_R_FAILURE;
+ cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+ "port is not configurable for "
+ "static stub server-addresses");
+ }
+
+ isc_netaddr_fromsockaddr(&na, &sa);
+ if (isc_netaddr_getzone(&na) != 0) {
+ result = ISC_R_FAILURE;
+ cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+ "scoped address is not allowed "
+ "for static stub "
+ "server-addresses");
+ }
+ }
+ }
+
+ /*
+ * Check validity of static stub server names.
+ */
+ obj = NULL;
+ (void)cfg_map_get(zoptions, "server-names", &obj);
+ if (zname != NULL && ztype == STATICSTUBZONE && obj != NULL) {
+ for (element = cfg_list_first(obj);
+ element != NULL;
+ element = cfg_list_next(element))
+ {
+ const char *snamestr;
+ dns_fixedname_t fixed_sname;
+ isc_buffer_t b2;
+ dns_name_t *sname;
+
+ obj = cfg_listelt_value(element);
+ snamestr = cfg_obj_asstring(obj);
+
+ dns_fixedname_init(&fixed_sname);
+ isc_buffer_init(&b2, snamestr, strlen(snamestr));
+ isc_buffer_add(&b2, strlen(snamestr));
+ sname = dns_fixedname_name(&fixed_sname);
+ tresult = dns_name_fromtext(sname, &b2, dns_rootname,
+ 0, NULL);
+ if (tresult != ISC_R_SUCCESS) {
+ cfg_obj_log(zconfig, logctx, ISC_LOG_ERROR,
+ "server-name '%s' is not a valid "
+ "name", snamestr);
+ result = ISC_R_FAILURE;
+ } else if (dns_name_issubdomain(sname, zname)) {
+ cfg_obj_log(zconfig, logctx, ISC_LOG_ERROR,
+ "server-name '%s' must not be a "
+ "subdomain of zone name '%s'",
+ snamestr, znamestr);
+ result = ISC_R_FAILURE;
+ }
+ }
+ }
+
+ /*
* Check various options.
*/
- tresult = check_options(zoptions, logctx, mctx);
+ tresult = check_options(zoptions, logctx, mctx, optlevel_zone);
if (tresult != ISC_R_SUCCESS)
result = tresult;
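Review bot: The new "Check validity of static stub server names" block rejects any server-name under the zone name without saying why, and skips the whole check when `zname` is NULL. A short why-comment would help the next maintainer, for example `/* A name inside the zone could only be resolved through the zone's own static-stub servers, so it can never bootstrap the zone. */` above the `dns_name_issubdomain()` test; that rationale is inferred from the check, so confirm it against the option's documentation. It is also worth noting next to the `zname != NULL` guard that an unparsable zone name has already set `result` to failure (in the earlier hunk), which is why no server-name errors are reported in that case. check_zoneconf's body starts and ends outside this hunk.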
@@ -1379,7 +1723,7 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
(ztype == MASTERZONE || ztype == HINTZONE)) {
cfg_obj_log(zconfig, logctx, ISC_LOG_ERROR,
"zone '%s': missing 'file' entry",
- zname);
+ znamestr);
result = tresult;
}
}
@@ -1427,8 +1771,7 @@ bind9_check_key(const cfg_obj_t *key, isc_log_t *logctx) {
}
isc_buffer_init(&buf, secretbuf, sizeof(secretbuf));
- result = isc_base64_decodestring(cfg_obj_asstring(secretobj),
- &buf);
+ result = isc_base64_decodestring(cfg_obj_asstring(secretobj), &buf);
if (result != ISC_R_SUCCESS) {
cfg_obj_log(secretobj, logctx, ISC_LOG_ERROR,
"bad secret '%s'", isc_result_totext(result));
@@ -1519,7 +1862,7 @@ check_keylist(const cfg_obj_t *keys, isc_symtab_t *symtab,
isc_buffer_init(&b, keyid, strlen(keyid));
isc_buffer_add(&b, strlen(keyid));
tresult = dns_name_fromtext(name, &b, dns_rootname,
- ISC_FALSE, NULL);
+ 0, NULL);
if (tresult != ISC_R_SUCCESS) {
cfg_obj_log(key, logctx, ISC_LOG_ERROR,
"key '%s': bad key name", keyid);
@@ -1689,7 +2032,7 @@ check_servers(const cfg_obj_t *config, const cfg_obj_t *voptions,
isc_buffer_add(&b, strlen(keyval));
keyname = dns_fixedname_name(&fname);
tresult = dns_name_fromtext(keyname, &b, dns_rootname,
- ISC_FALSE, NULL);
+ 0, NULL);
if (tresult != ISC_R_SUCCESS) {
cfg_obj_log(keys, logctx, ISC_LOG_ERROR,
"bad key name '%s'", keyval);
@@ -1709,7 +2052,8 @@ check_servers(const cfg_obj_t *config, const cfg_obj_t *voptions,
}
static isc_result_t
-check_trusted_key(const cfg_obj_t *key, isc_log_t *logctx)
+check_trusted_key(const cfg_obj_t *key, isc_boolean_t managed,
+ isc_log_t *logctx)
{
const char *keystr, *keynamestr;
dns_fixedname_t fkeyname;
@@ -1724,6 +2068,7 @@ check_trusted_key(const cfg_obj_t *key, isc_log_t *logctx)
flags = cfg_obj_asuint32(cfg_tuple_get(key, "flags"));
proto = cfg_obj_asuint32(cfg_tuple_get(key, "protocol"));
alg = cfg_obj_asuint32(cfg_tuple_get(key, "algorithm"));
+
dns_fixedname_init(&fkeyname);
keyname = dns_fixedname_name(&fkeyname);
keynamestr = cfg_obj_asstring(cfg_tuple_get(key, "name"));
@@ -1753,6 +2098,19 @@ check_trusted_key(const cfg_obj_t *key, isc_log_t *logctx)
result = ISC_R_FAILURE;
}
+ if (managed) {
+ const char *initmethod;
+ initmethod = cfg_obj_asstring(cfg_tuple_get(key, "init"));
+
+ if (strcasecmp(initmethod, "initial-key") != 0) {
+ cfg_obj_log(key, logctx, ISC_LOG_ERROR,
+ "managed key '%s': "
+ "invalid initialization method '%s'",
+ keynamestr, initmethod);
+ result = ISC_R_FAILURE;
+ }
+ }
+
isc_buffer_init(&b, keydata, sizeof(keydata));
keystr = cfg_obj_asstring(cfg_tuple_get(key, "key"));
@@ -1768,7 +2126,8 @@ check_trusted_key(const cfg_obj_t *key, isc_log_t *logctx)
if ((alg == DST_ALG_RSASHA1 || alg == DST_ALG_RSAMD5) &&
r.length > 1 && r.base[0] == 1 && r.base[1] == 3)
cfg_obj_log(key, logctx, ISC_LOG_WARNING,
- "trusted key '%s' has a weak exponent",
+ "%s key '%s' has a weak exponent",
+ managed ? "managed" : "trusted",
keynamestr);
}
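Review bot: The weak-exponent warning is extended to managed keys here, but the guarding condition on the context line above still tests only `DST_ALG_RSASHA1` and `DST_ALG_RSAMD5`. A trusted or managed key with exponent 3 under any other RSA-based DNSSEC algorithm is therefore accepted without a warning. If this tree's dst.h defines them (not visible here), widen the test to `alg == DST_ALG_RSASHA1 || alg == DST_ALG_RSAMD5 || alg == DST_ALG_NSEC3RSASHA1 || alg == DST_ALG_RSASHA256 || alg == DST_ALG_RSASHA512`. check_trusted_key's body starts and ends outside this hunk.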
@@ -1786,13 +2145,14 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
isc_symtab_t *symtab = NULL;
isc_result_t result = ISC_R_SUCCESS;
isc_result_t tresult = ISC_R_SUCCESS;
- cfg_aclconfctx_t actx;
- const cfg_obj_t *options = NULL;
+ cfg_aclconfctx_t *actx = NULL;
const cfg_obj_t *obj;
+ const cfg_obj_t *options = NULL;
isc_boolean_t enablednssec, enablevalidation;
+ const char *valstr = "no";
/*
- * Get global options block.
+ * Get global options block
*/
(void)cfg_map_get(config, "options", &options);
@@ -1805,7 +2165,7 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
if (tresult != ISC_R_SUCCESS)
return (ISC_R_NOMEMORY);
- cfg_aclconfctx_init(&actx);
+ cfg_aclconfctx_create(mctx, &actx);
if (voptions != NULL)
(void)cfg_map_get(voptions, "zone", &zones);
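Review bot: The result of `cfg_aclconfctx_create(mctx, &actx)` is discarded, so if the call fails `actx` stays NULL and is still passed to check_zoneconf(), check_viewacls(), check_recursionacls() and the other ACL checks in later hunks. Assuming it returns an `isc_result_t` like the other constructors in this file, check it: `tresult = cfg_aclconfctx_create(mctx, &actx); if (tresult != ISC_R_SUCCESS) { result = tresult; goto cleanup; }`. The same unchecked call is added in bind9_check_controls (hunk `@@ -2157,7 +2557,7 @@`), and that function's final `cfg_aclconfctx_detach(&actx);` (hunk `@@ -2224,7 +2624,7 @@`) lacks the `if (actx != NULL)` guard that check_viewconf's cleanup has. check_viewconf's body continues outside this hunk.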
@@ -1820,7 +2180,7 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
const cfg_obj_t *zone = cfg_listelt_value(element);
tresult = check_zoneconf(zone, voptions, config, symtab,
- vclass, &actx, logctx, mctx);
+ vclass, actx, logctx, mctx);
if (tresult != ISC_R_SUCCESS)
result = ISC_R_FAILURE;
}
@@ -1912,8 +2272,8 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
obj = NULL;
if (voptions != NULL)
(void)cfg_map_get(voptions, "dnssec-enable", &obj);
- if (obj == NULL)
- (void)cfg_map_get(config, "dnssec-enable", &obj);
+ if (obj == NULL && options != NULL)
+ (void)cfg_map_get(options, "dnssec-enable", &obj);
if (obj == NULL)
enablednssec = ISC_TRUE;
else
@@ -1922,16 +2282,23 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
obj = NULL;
if (voptions != NULL)
(void)cfg_map_get(voptions, "dnssec-validation", &obj);
- if (obj == NULL)
- (void)cfg_map_get(config, "dnssec-validation", &obj);
- if (obj == NULL)
- enablevalidation = ISC_FALSE; /* XXXMPA Change for 9.5. */
- else
+ if (obj == NULL && options != NULL)
+ (void)cfg_map_get(options, "dnssec-validation", &obj);
+ if (obj == NULL) {
+ enablevalidation = enablednssec;
+ valstr = "yes";
+ } else if (cfg_obj_isboolean(obj)) {
enablevalidation = cfg_obj_asboolean(obj);
+ valstr = enablevalidation ? "yes" : "no";
+ } else {
+ enablevalidation = ISC_TRUE;
+ valstr = "auto";
+ }
if (enablevalidation && !enablednssec)
cfg_obj_log(obj, logctx, ISC_LOG_WARNING,
- "'dnssec-validation yes;' and 'dnssec-enable no;'");
+ "'dnssec-validation %s;' and 'dnssec-enable no;'",
+ valstr);
/*
* Check trusted-keys and managed-keys.
@@ -1951,7 +2318,28 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
element2 != NULL;
element2 = cfg_list_next(element2)) {
obj = cfg_listelt_value(element2);
- tresult = check_trusted_key(obj, logctx);
+ tresult = check_trusted_key(obj, ISC_FALSE, logctx);
+ if (tresult != ISC_R_SUCCESS)
+ result = tresult;
+ }
+ }
+
+ keys = NULL;
+ if (voptions != NULL)
+ (void)cfg_map_get(voptions, "managed-keys", &keys);
+ if (keys == NULL)
+ (void)cfg_map_get(config, "managed-keys", &keys);
+
+ for (element = cfg_list_first(keys);
+ element != NULL;
+ element = cfg_list_next(element))
+ {
+ const cfg_obj_t *keylist = cfg_listelt_value(element);
+ for (element2 = cfg_list_first(keylist);
+ element2 != NULL;
+ element2 = cfg_list_next(element2)) {
+ obj = cfg_listelt_value(element2);
+ tresult = check_trusted_key(obj, ISC_TRUE, logctx);
if (tresult != ISC_R_SUCCESS)
result = tresult;
}
@@ -1961,25 +2349,37 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
* Check options.
*/
if (voptions != NULL)
- tresult = check_options(voptions, logctx, mctx);
+ tresult = check_options(voptions, logctx, mctx,
+ optlevel_view);
else
- tresult = check_options(config, logctx, mctx);
+ tresult = check_options(config, logctx, mctx,
+ optlevel_config);
if (tresult != ISC_R_SUCCESS)
result = tresult;
- tresult = check_viewacls(&actx, voptions, config, logctx, mctx);
+ tresult = check_viewacls(actx, voptions, config, logctx, mctx);
if (tresult != ISC_R_SUCCESS)
result = tresult;
- tresult = check_recursionacls(&actx, voptions, viewname,
+ tresult = check_recursionacls(actx, voptions, viewname,
config, logctx, mctx);
if (tresult != ISC_R_SUCCESS)
result = tresult;
+ tresult = check_filteraaaa(actx, voptions, viewname, config,
+ logctx, mctx);
+ if (tresult != ISC_R_SUCCESS)
+ result = tresult;
+
+ tresult = check_dns64(actx, voptions, config, logctx, mctx);
+ if (tresult != ISC_R_SUCCESS)
+ result = tresult;
+
cleanup:
if (symtab != NULL)
isc_symtab_destroy(&symtab);
- cfg_aclconfctx_destroy(&actx);
+ if (actx != NULL)
+ cfg_aclconfctx_detach(&actx);
return (result);
}
@@ -2136,7 +2536,7 @@ bind9_check_controls(const cfg_obj_t *config, isc_log_t *logctx,
isc_mem_t *mctx)
{
isc_result_t result = ISC_R_SUCCESS, tresult;
- cfg_aclconfctx_t actx;
+ cfg_aclconfctx_t *actx = NULL;
const cfg_listelt_t *element, *element2;
const cfg_obj_t *allow;
const cfg_obj_t *control;
@@ -2157,7 +2557,7 @@ bind9_check_controls(const cfg_obj_t *config, isc_log_t *logctx,
(void)cfg_map_get(config, "key", &keylist);
- cfg_aclconfctx_init(&actx);
+ cfg_aclconfctx_create(mctx, &actx);
/*
* INET: Check allow clause.
@@ -2177,7 +2577,7 @@ bind9_check_controls(const cfg_obj_t *config, isc_log_t *logctx,
control = cfg_listelt_value(element2);
allow = cfg_tuple_get(control, "allow");
tresult = cfg_acl_fromconfig(allow, config, logctx,
- &actx, mctx, 0, &acl);
+ actx, mctx, 0, &acl);
if (acl != NULL)
dns_acl_detach(&acl);
if (tresult != ISC_R_SUCCESS)
@@ -2224,7 +2624,7 @@ bind9_check_controls(const cfg_obj_t *config, isc_log_t *logctx,
result = tresult;
}
}
- cfg_aclconfctx_destroy(&actx);
+ cfg_aclconfctx_detach(&actx);
return (result);
}
@@ -2248,7 +2648,8 @@ bind9_check_namedconf(const cfg_obj_t *config, isc_log_t *logctx,
(void)cfg_map_get(config, "options", &options);
if (options != NULL &&
- check_options(options, logctx, mctx) != ISC_R_SUCCESS)
+ check_options(options, logctx, mctx,
+ optlevel_options) != ISC_R_SUCCESS)
result = ISC_R_FAILURE;
if (bind9_check_logging(config, logctx, mctx) != ISC_R_SUCCESS)
diff --git a/contrib/bind9/lib/bind9/include/bind9/getaddresses.h b/contrib/bind9/lib/bind9/include/bind9/getaddresses.h
index 1f6bdb30936c..01aa67a44a97 100644
--- a/contrib/bind9/lib/bind9/include/bind9/getaddresses.h
+++ b/contrib/bind9/lib/bind9/include/bind9/getaddresses.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2007, 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: getaddresses.h,v 1.11 2009/01/17 23:47:42 tbox Exp $ */
#ifndef BIND9_GETADDRESSES_H
#define BIND9_GETADDRESSES_H 1
diff --git a/contrib/bind9/lib/dns/Makefile.in b/contrib/bind9/lib/dns/Makefile.in
index 836074606964..a01bb4161fc5 100644
--- a/contrib/bind9/lib/dns/Makefile.in
+++ b/contrib/bind9/lib/dns/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2004-2008, 2010-2012 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 1998-2003 Internet Software Consortium.
#
# Permission to use, copy, modify, and/or distribute this software for any
@@ -34,8 +34,7 @@ USE_ISC_SPNEGO = @USE_ISC_SPNEGO@
CINCLUDES = -I. -Iinclude ${DNS_INCLUDES} \
${ISC_INCLUDES} @DST_OPENSSL_INC@ @DST_GSSAPI_INC@
-CDEFINES = -DUSE_MD5 @USE_OPENSSL@ @USE_PKCS11@ @USE_GSSAPI@ \
- ${USE_ISC_SPNEGO}
+CDEFINES = -DUSE_MD5 @USE_OPENSSL@ @USE_GSSAPI@ ${USE_ISC_SPNEGO}
CWARNINGS =
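Review bot: `@USE_PKCS11@` is dropped from `CDEFINES`, so any code under lib/dns that is conditional on `USE_PKCS11` will no longer be compiled in, even when configure enables PKCS#11. The C sources are not visible in this hunk, so confirm that nothing in lib/dns (the OpenSSL link objects in particular) still tests the macro. Otherwise HSM-backed key handling would be disabled silently, with no build error. If the macro is still referenced, keep the substitution: `CDEFINES = -DUSE_MD5 @USE_OPENSSL@ @USE_PKCS11@ @USE_GSSAPI@ ${USE_ISC_SPNEGO}`.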
@@ -48,6 +47,7 @@ LIBS = @LIBS@
# Alphabetically
OPENSSLLINKOBJS = openssl_link.@O@ openssldh_link.@O@ openssldsa_link.@O@ \
+ opensslecdsa_link.@O@ opensslgost_link.@O@ \
opensslrsa_link.@O@
DSTOBJS = @DST_EXTRA_OBJS@ @OPENSSLLINKOBJS@ \
@@ -58,24 +58,26 @@ DSTOBJS = @DST_EXTRA_OBJS@ @OPENSSLLINKOBJS@ \
DNSOBJS = acache.@O@ acl.@O@ adb.@O@ byaddr.@O@ \
cache.@O@ callbacks.@O@ compress.@O@ \
db.@O@ dbiterator.@O@ dbtable.@O@ diff.@O@ dispatch.@O@ \
- dlz.@O@ dnssec.@O@ ds.@O@ forward.@O@ iptable.@O@ journal.@O@ \
- keytable.@O@ lib.@O@ log.@O@ lookup.@O@ \
+ dlz.@O@ dns64.@O@ dnssec.@O@ ds.@O@ forward.@O@ iptable.@O@ \
+ journal.@O@ keydata.@O@ keytable.@O@ \
+ lib.@O@ log.@O@ lookup.@O@ \
master.@O@ masterdump.@O@ message.@O@ \
- name.@O@ ncache.@O@ nsec.@O@ nsec3.@O@ order.@O@ peer.@O@ portlist.@O@ \
+ name.@O@ ncache.@O@ nsec.@O@ nsec3.@O@ order.@O@ peer.@O@ \
+ portlist.@O@ private.@O@ \
rbt.@O@ rbtdb.@O@ rbtdb64.@O@ rcode.@O@ rdata.@O@ \
- rdatalist.@O@ \
- rdataset.@O@ rdatasetiter.@O@ rdataslab.@O@ request.@O@ \
- resolver.@O@ result.@O@ rootns.@O@ sdb.@O@ sdlz.@O@ \
- soa.@O@ ssu.@O@ \
+ rdatalist.@O@ rdataset.@O@ rdatasetiter.@O@ rdataslab.@O@ \
+ request.@O@ resolver.@O@ result.@O@ rootns.@O@ rpz.@O@ \
+ rriterator.@O@ sdb.@O@ \
+ sdlz.@O@ soa.@O@ ssu.@O@ ssu_external.@O@ \
stats.@O@ tcpmsg.@O@ time.@O@ timer.@O@ tkey.@O@ \
- tsig.@O@ ttl.@O@ validator.@O@ \
+ tsec.@O@ tsig.@O@ ttl.@O@ validator.@O@ \
version.@O@ view.@O@ xfrin.@O@ zone.@O@ zonekey.@O@ zt.@O@
OBJS= ${DNSOBJS} ${OTHEROBJS} ${DSTOBJS}
# Alphabetically
-OPENSSLLINKSRCS = openssl_link.c openssldh_link.c \
- openssldsa_link.c opensslrsa_link.c
+OPENSSLLINKSRCS = openssl_link.c openssldh_link.c openssldsa_link.c \
+ opensslecdsa_link.c opensslgost_link.c opensslrsa_link.c
DSTSRCS = @DST_EXTRA_SRCS@ @OPENSSLLINKSRCS@ \
dst_api.c dst_lib.c dst_parse.c \
@@ -85,18 +87,18 @@ DSTSRCS = @DST_EXTRA_SRCS@ @OPENSSLLINKSRCS@ \
DNSSRCS = acache.c acl.c adb.c byaddr.c \
cache.c callbacks.c compress.c \
db.c dbiterator.c dbtable.c diff.c dispatch.c \
- dlz.c dnssec.c ds.c forward.c iptable.c journal.c \
- keytable.c lib.c log.c lookup.c \
+ dlz.c dns64.c dnssec.c ds.c forward.c iptable.c journal.c \
+ keydata.c keytable.c lib.c log.c lookup.c \
master.c masterdump.c message.c \
name.c ncache.c nsec.c nsec3.c order.c peer.c portlist.c \
- rbt.c rbtdb.c rbtdb64.c rcode.c rdata.c \
- rdatalist.c \
+ rbt.c rbtdb.c rbtdb64.c rcode.c rdata.c rdatalist.c \
rdataset.c rdatasetiter.c rdataslab.c request.c \
- resolver.c result.c rootns.c sdb.c sdlz.c \
- soa.c ssu.c \
+ resolver.c result.c rootns.c rpz.c rriterator.c \
+ sdb.c sdlz.c soa.c ssu.c ssu_external.c \
stats.c tcpmsg.c time.c timer.c tkey.c \
- tsig.c ttl.c validator.c \
+ tsec.c tsig.c ttl.c validator.c \
version.c view.c xfrin.c zone.c zonekey.c zt.c ${OTHERSRCS}
+
SRCS = ${DSTSRCS} ${DNSSRCS}
SUBDIRS = include
diff --git a/contrib/bind9/lib/dns/acl.c b/contrib/bind9/lib/dns/acl.c
index ed0894227861..ec29bc7b54ca 100644
--- a/contrib/bind9/lib/dns/acl.c
+++ b/contrib/bind9/lib/dns/acl.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009, 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -99,6 +99,7 @@ static isc_result_t
dns_acl_anyornone(isc_mem_t *mctx, isc_boolean_t neg, dns_acl_t **target) {
isc_result_t result;
dns_acl_t *acl = NULL;
+
result = dns_acl_create(mctx, 0, &acl);
if (result != ISC_R_SUCCESS)
return (result);
@@ -341,7 +342,6 @@ dns_acl_merge(dns_acl_t *dest, dns_acl_t *source, isc_boolean_t pos)
}
}
-
/*
* Merge the iptables. Make sure the destination ACL's
* node_count value is set correctly afterward.
@@ -439,6 +439,7 @@ dns_aclelement_match(const isc_netaddr_t *reqaddr,
void
dns_acl_attach(dns_acl_t *source, dns_acl_t **target) {
REQUIRE(DNS_ACL_VALID(source));
+
isc_refcount_increment(&source->refcount, NULL);
*target = source;
}
@@ -446,6 +447,9 @@ dns_acl_attach(dns_acl_t *source, dns_acl_t **target) {
static void
destroy(dns_acl_t *dacl) {
unsigned int i;
+
+ INSIST(!ISC_LINK_LINKED(dacl, nextincache));
+
for (i = 0; i < dacl->length; i++) {
dns_aclelement_t *de = &dacl->elements[i];
if (de->type == dns_aclelementtype_keyname) {
@@ -470,7 +474,9 @@ void
dns_acl_detach(dns_acl_t **aclp) {
dns_acl_t *acl = *aclp;
unsigned int refs;
+
REQUIRE(DNS_ACL_VALID(acl));
+
isc_refcount_decrement(&acl->refcount, &refs);
if (refs == 0)
destroy(acl);
@@ -590,6 +596,7 @@ dns_acl_isinsecure(const dns_acl_t *a) {
isc_result_t
dns_aclenv_init(isc_mem_t *mctx, dns_aclenv_t *env) {
isc_result_t result;
+
env->localhost = NULL;
env->localnets = NULL;
result = dns_acl_create(mctx, 0, &env->localhost);
diff --git a/contrib/bind9/lib/dns/adb.c b/contrib/bind9/lib/dns/adb.c
index 35b4caeb0be2..531d112e6393 100644
--- a/contrib/bind9/lib/dns/adb.c
+++ b/contrib/bind9/lib/dns/adb.c
@@ -66,13 +66,6 @@
#define DNS_ADBFETCH6_VALID(x) ISC_MAGIC_VALID(x, DNS_ADBFETCH6_MAGIC)
/*!
- * The number of buckets needs to be a prime (for good hashing).
- *
- * XXXRTH How many buckets do we need?
- */
-#define NBUCKETS 1009 /*%< how many buckets for names/addrs */
-
-/*!
* For type 3 negative cache entries, we will remember that the address is
* broken for this long. XXXMLG This is also used for actual addresses, too.
* The intent is to keep us from constantly asking about A/AAAA records
@@ -118,6 +111,7 @@ struct dns_adb {
isc_taskmgr_t *taskmgr;
isc_task_t *task;
+ isc_task_t *excl;
isc_interval_t tick_interval;
int next_cleanbucket;
@@ -139,30 +133,37 @@ struct dns_adb {
*
* XXXRTH Have a per-bucket structure that contains all of these?
*/
- dns_adbnamelist_t names[NBUCKETS];
- dns_adbnamelist_t deadnames[NBUCKETS];
- /*% See dns_adbnamelist_t */
- isc_mutex_t namelocks[NBUCKETS];
- /*% See dns_adbnamelist_t */
- isc_boolean_t name_sd[NBUCKETS];
- /*% See dns_adbnamelist_t */
- unsigned int name_refcnt[NBUCKETS];
+ unsigned int nnames;
+ isc_mutex_t namescntlock;
+ unsigned int namescnt;
+ dns_adbnamelist_t *names;
+ dns_adbnamelist_t *deadnames;
+ isc_mutex_t *namelocks;
+ isc_boolean_t *name_sd;
+ unsigned int *name_refcnt;
/*!
- * Bucketized locks for entries.
+ * Bucketized locks and lists for entries.
*
* XXXRTH Have a per-bucket structure that contains all of these?
*/
- dns_adbentrylist_t entries[NBUCKETS];
- dns_adbentrylist_t deadentries[NBUCKETS];
- isc_mutex_t entrylocks[NBUCKETS];
- isc_boolean_t entry_sd[NBUCKETS]; /*%< shutting down */
- unsigned int entry_refcnt[NBUCKETS];
+ unsigned int nentries;
+ isc_mutex_t entriescntlock;
+ unsigned int entriescnt;
+ dns_adbentrylist_t *entries;
+ dns_adbentrylist_t *deadentries;
+ isc_mutex_t *entrylocks;
+ isc_boolean_t *entry_sd; /*%< shutting down */
+ unsigned int *entry_refcnt;
isc_event_t cevent;
isc_boolean_t cevent_sent;
isc_boolean_t shutting_down;
isc_eventlist_t whenshutdown;
+ isc_event_t growentries;
+ isc_boolean_t growentries_sent;
+ isc_event_t grownames;
+ isc_boolean_t grownames_sent;
};
/*
@@ -254,6 +255,7 @@ struct dns_adbentry {
ISC_LIST(dns_adblameinfo_t) lameinfo;
ISC_LINK(dns_adbentry_t) plink;
+
};
/*
@@ -484,6 +486,322 @@ ttlclamp(dns_ttl_t ttl) {
}
/*
+ * Hashing is most efficient if the number of buckets is prime.
+ * The sequence below is the closest previous primes to 2^n and
+ * 1.5 * 2^n, for values of n from 10 to 28. (The tables will
+ * no longer grow beyond 2^28 entries.)
+ */
+static const unsigned nbuckets[] = { 1021, 1531, 2039, 3067, 4093, 6143,
+ 8191, 12281, 16381, 24571, 32749,
+ 49193, 65521, 98299, 131071, 199603,
+ 262139, 393209, 524287, 768431, 1048573,
+ 1572853, 2097143, 3145721, 4194301,
+ 6291449, 8388593, 12582893, 16777213,
+ 25165813, 33554393, 50331599, 67108859,
+ 100663291, 134217689, 201326557,
+ 268535431, 0 };
+
+static void
+grow_entries(isc_task_t *task, isc_event_t *ev) {
+ dns_adb_t *adb;
+ dns_adbentry_t *e;
+ dns_adbentrylist_t *newdeadentries = NULL;
+ dns_adbentrylist_t *newentries = NULL;
+ isc_boolean_t *newentry_sd = NULL;
+ isc_mutex_t *newentrylocks = NULL;
+ isc_result_t result;
+ unsigned int *newentry_refcnt = NULL;
+ unsigned int i, n, bucket;
+
+ adb = ev->ev_arg;
+ INSIST(DNS_ADB_VALID(adb));
+
+ isc_event_free(&ev);
+
+ isc_task_beginexclusive(task);
+
+ i = 0;
+ while (nbuckets[i] != 0 && adb->nentries >= nbuckets[i])
+ i++;
+ if (nbuckets[i] != 0)
+ n = nbuckets[i];
+ else
+ goto done;
+
+ DP(ISC_LOG_INFO, "adb: grow_entries to %u starting", n);
+
+ /*
+ * Are we shutting down?
+ */
+ for (i = 0; i < adb->nentries; i++)
+ if (adb->entry_sd[i])
+ goto cleanup;
+
+ /*
+ * Grab all the resources we need.
+ */
+ newentries = isc_mem_get(adb->mctx, sizeof(*newentries) * n);
+ newdeadentries = isc_mem_get(adb->mctx, sizeof(*newdeadentries) * n);
+ newentrylocks = isc_mem_get(adb->mctx, sizeof(*newentrylocks) * n);
+ newentry_sd = isc_mem_get(adb->mctx, sizeof(*newentry_sd) * n);
+ newentry_refcnt = isc_mem_get(adb->mctx, sizeof(*newentry_refcnt) * n);
+ if (newentries == NULL || newdeadentries == NULL ||
+ newentrylocks == NULL || newentry_sd == NULL ||
+ newentry_refcnt == NULL)
+ goto cleanup;
+
+ /*
+ * Initialise the new resources.
+ */
+ result = isc_mutexblock_init(newentrylocks, n);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+
+ for (i = 0; i < n; i++) {
+ ISC_LIST_INIT(newentries[i]);
+ ISC_LIST_INIT(newdeadentries[i]);
+ newentry_sd[i] = ISC_FALSE;
+ newentry_refcnt[i] = 0;
+ adb->irefcnt++;
+ }
+
+ /*
+ * Move entries to new arrays.
+ */
+ for (i = 0; i < adb->nentries; i++) {
+ e = ISC_LIST_HEAD(adb->entries[i]);
+ while (e != NULL) {
+ ISC_LIST_UNLINK(adb->entries[i], e, plink);
+ bucket = isc_sockaddr_hash(&e->sockaddr, ISC_TRUE) % n;
+ e->lock_bucket = bucket;
+ ISC_LIST_APPEND(newentries[bucket], e, plink);
+ INSIST(adb->entry_refcnt[i] > 0);
+ adb->entry_refcnt[i]--;
+ newentry_refcnt[bucket]++;
+ e = ISC_LIST_HEAD(adb->entries[i]);
+ }
+ e = ISC_LIST_HEAD(adb->deadentries[i]);
+ while (e != NULL) {
+ ISC_LIST_UNLINK(adb->deadentries[i], e, plink);
+ bucket = isc_sockaddr_hash(&e->sockaddr, ISC_TRUE) % n;
+ e->lock_bucket = bucket;
+ ISC_LIST_APPEND(newdeadentries[bucket], e, plink);
+ INSIST(adb->entry_refcnt[i] > 0);
+ adb->entry_refcnt[i]--;
+ newentry_refcnt[bucket]++;
+ e = ISC_LIST_HEAD(adb->deadentries[i]);
+ }
+ INSIST(adb->entry_refcnt[i] == 0);
+ adb->irefcnt--;
+ }
+
+ /*
+ * Cleanup old resources.
+ */
+ DESTROYMUTEXBLOCK(adb->entrylocks, adb->nentries);
+ isc_mem_put(adb->mctx, adb->entries,
+ sizeof(*adb->entries) * adb->nentries);
+ isc_mem_put(adb->mctx, adb->deadentries,
+ sizeof(*adb->deadentries) * adb->nentries);
+ isc_mem_put(adb->mctx, adb->entrylocks,
+ sizeof(*adb->entrylocks) * adb->nentries);
+ isc_mem_put(adb->mctx, adb->entry_sd,
+ sizeof(*adb->entry_sd) * adb->nentries);
+ isc_mem_put(adb->mctx, adb->entry_refcnt,
+ sizeof(*adb->entry_refcnt) * adb->nentries);
+
+ /*
+ * Install new resources.
+ */
+ adb->entries = newentries;
+ adb->deadentries = newdeadentries;
+ adb->entrylocks = newentrylocks;
+ adb->entry_sd = newentry_sd;
+ adb->entry_refcnt = newentry_refcnt;
+ adb->nentries = n;
+
+ /*
+ * Only on success do we set adb->growentries_sent to ISC_FALSE.
+ * This will prevent us being continuously being called on error.
+ */
+ adb->growentries_sent = ISC_FALSE;
+ goto done;
+
+ cleanup:
+ if (newentries != NULL)
+ isc_mem_put(adb->mctx, newentries,
+ sizeof(*newentries) * n);
+ if (newdeadentries != NULL)
+ isc_mem_put(adb->mctx, newdeadentries,
+ sizeof(*newdeadentries) * n);
+ if (newentrylocks != NULL)
+ isc_mem_put(adb->mctx, newentrylocks,
+ sizeof(*newentrylocks) * n);
+ if (newentry_sd != NULL)
+ isc_mem_put(adb->mctx, newentry_sd,
+ sizeof(*newentry_sd) * n);
+ if (newentry_refcnt != NULL)
+ isc_mem_put(adb->mctx, newentry_refcnt,
+ sizeof(*newentry_refcnt) * n);
+ done:
+ isc_task_endexclusive(task);
+
+ LOCK(&adb->lock);
+ if (dec_adb_irefcnt(adb))
+ check_exit(adb);
+ UNLOCK(&adb->lock);
+ DP(ISC_LOG_INFO, "adb: grow_entries finished");
+}
+
+static void
+grow_names(isc_task_t *task, isc_event_t *ev) {
+ dns_adb_t *adb;
+ dns_adbname_t *name;
+ dns_adbnamelist_t *newdeadnames = NULL;
+ dns_adbnamelist_t *newnames = NULL;
+ isc_boolean_t *newname_sd = NULL;
+ isc_mutex_t *newnamelocks = NULL;
+ isc_result_t result;
+ unsigned int *newname_refcnt = NULL;
+ unsigned int i, n, bucket;
+
+ adb = ev->ev_arg;
+ INSIST(DNS_ADB_VALID(adb));
+
+ isc_event_free(&ev);
+
+ isc_task_beginexclusive(task);
+
+ i = 0;
+ while (nbuckets[i] != 0 && adb->nnames >= nbuckets[i])
+ i++;
+ if (nbuckets[i] != 0)
+ n = nbuckets[i];
+ else
+ goto done;
+
+ DP(ISC_LOG_INFO, "adb: grow_names to %u starting", n);
+
+ /*
+ * Are we shutting down?
+ */
+ for (i = 0; i < adb->nnames; i++)
+ if (adb->name_sd[i])
+ goto cleanup;
+
+ /*
+ * Grab all the resources we need.
+ */
+ newnames = isc_mem_get(adb->mctx, sizeof(*newnames) * n);
+ newdeadnames = isc_mem_get(adb->mctx, sizeof(*newdeadnames) * n);
+ newnamelocks = isc_mem_get(adb->mctx, sizeof(*newnamelocks) * n);
+ newname_sd = isc_mem_get(adb->mctx, sizeof(*newname_sd) * n);
+ newname_refcnt = isc_mem_get(adb->mctx, sizeof(*newname_refcnt) * n);
+ if (newnames == NULL || newdeadnames == NULL ||
+ newnamelocks == NULL || newname_sd == NULL ||
+ newname_refcnt == NULL)
+ goto cleanup;
+
+ /*
+ * Initialise the new resources.
+ */
+ result = isc_mutexblock_init(newnamelocks, n);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+
+ for (i = 0; i < n; i++) {
+ ISC_LIST_INIT(newnames[i]);
+ ISC_LIST_INIT(newdeadnames[i]);
+ newname_sd[i] = ISC_FALSE;
+ newname_refcnt[i] = 0;
+ adb->irefcnt++;
+ }
+
+ /*
+ * Move names to new arrays.
+ */
+ for (i = 0; i < adb->nnames; i++) {
+ name = ISC_LIST_HEAD(adb->names[i]);
+ while (name != NULL) {
+ ISC_LIST_UNLINK(adb->names[i], name, plink);
+ bucket = dns_name_fullhash(&name->name, ISC_TRUE) % n;
+ name->lock_bucket = bucket;
+ ISC_LIST_APPEND(newnames[bucket], name, plink);
+ INSIST(adb->name_refcnt[i] > 0);
+ adb->name_refcnt[i]--;
+ newname_refcnt[bucket]++;
+ name = ISC_LIST_HEAD(adb->names[i]);
+ }
+ name = ISC_LIST_HEAD(adb->deadnames[i]);
+ while (name != NULL) {
+ ISC_LIST_UNLINK(adb->deadnames[i], name, plink);
+ bucket = dns_name_fullhash(&name->name, ISC_TRUE) % n;
+ name->lock_bucket = bucket;
+ ISC_LIST_APPEND(newdeadnames[bucket], name, plink);
+ INSIST(adb->name_refcnt[i] > 0);
+ adb->name_refcnt[i]--;
+ newname_refcnt[bucket]++;
+ name = ISC_LIST_HEAD(adb->deadnames[i]);
+ }
+ INSIST(adb->name_refcnt[i] == 0);
+ adb->irefcnt--;
+ }
+
+ /*
+ * Cleanup old resources.
+ */
+ DESTROYMUTEXBLOCK(adb->namelocks, adb->nnames);
+ isc_mem_put(adb->mctx, adb->names,
+ sizeof(*adb->names) * adb->nnames);
+ isc_mem_put(adb->mctx, adb->deadnames,
+ sizeof(*adb->deadnames) * adb->nnames);
+ isc_mem_put(adb->mctx, adb->namelocks,
+ sizeof(*adb->namelocks) * adb->nnames);
+ isc_mem_put(adb->mctx, adb->name_sd,
+ sizeof(*adb->name_sd) * adb->nnames);
+ isc_mem_put(adb->mctx, adb->name_refcnt,
+ sizeof(*adb->name_refcnt) * adb->nnames);
+
+ /*
+ * Install new resources.
+ */
+ adb->names = newnames;
+ adb->deadnames = newdeadnames;
+ adb->namelocks = newnamelocks;
+ adb->name_sd = newname_sd;
+ adb->name_refcnt = newname_refcnt;
+ adb->nnames = n;
+
+ /*
+ * Only on success do we set adb->grownames_sent to ISC_FALSE.
+ * This will prevent us being continuously being called on error.
+ */
+ adb->grownames_sent = ISC_FALSE;
+ goto done;
+
+ cleanup:
+ if (newnames != NULL)
+ isc_mem_put(adb->mctx, newnames, sizeof(*newnames) * n);
+ if (newdeadnames != NULL)
+ isc_mem_put(adb->mctx, newdeadnames, sizeof(*newdeadnames) * n);
+ if (newnamelocks != NULL)
+ isc_mem_put(adb->mctx, newnamelocks, sizeof(*newnamelocks) * n);
+ if (newname_sd != NULL)
+ isc_mem_put(adb->mctx, newname_sd, sizeof(*newname_sd) * n);
+ if (newname_refcnt != NULL)
+ isc_mem_put(adb->mctx, newname_refcnt,
+ sizeof(*newname_refcnt) * n);
+ done:
+ isc_task_endexclusive(task);
+
+ LOCK(&adb->lock);
+ if (dec_adb_irefcnt(adb))
+ check_exit(adb);
+ UNLOCK(&adb->lock);
+ DP(ISC_LOG_INFO, "adb: grow_names finished");
+}
+
+/*
* Requires the adbname bucket be locked and that no entry buckets be locked.
*
* This code handles A and AAAA rdatasets only.
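Review bot: Both grow_entries() and grow_names() call `isc_task_beginexclusive(task)` and ignore its result, then unlink and re-bucket every list and free the old lock arrays as if they held exclusive access. If exclusive mode is not granted (the call reports failure when another task already holds it), the rehash runs concurrently with lookups that still index the old `entrylocks`/`namelocks` arrays, which risks list corruption and use of freed mutexes in the resolver. Check the result and skip the resize on failure, e.g. `result = isc_task_beginexclusive(task); if (result != ISC_R_SUCCESS) goto check_exit;` with a `check_exit:` label placed after `isc_task_endexclusive(task);`. That way the `dec_adb_irefcnt()` bookkeeping still runs but `isc_task_endexclusive()` is not called without a matching begin. A short comment on the new struct fields stating which lock protects `nentries`/`nnames` and the arrays would also help.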
@@ -838,12 +1156,12 @@ violate_locking_hierarchy(isc_mutex_t *have, isc_mutex_t *want) {
*/
static isc_boolean_t
shutdown_names(dns_adb_t *adb) {
- int bucket;
+ unsigned int bucket;
isc_boolean_t result = ISC_FALSE;
dns_adbname_t *name;
dns_adbname_t *next_name;
- for (bucket = 0; bucket < NBUCKETS; bucket++) {
+ for (bucket = 0; bucket < adb->nnames; bucket++) {
LOCK(&adb->namelocks[bucket]);
adb->name_sd[bucket] = ISC_TRUE;
@@ -883,12 +1201,12 @@ shutdown_names(dns_adb_t *adb) {
*/
static isc_boolean_t
shutdown_entries(dns_adb_t *adb) {
- int bucket;
+ unsigned int bucket;
isc_boolean_t result = ISC_FALSE;
dns_adbentry_t *entry;
dns_adbentry_t *next_entry;
- for (bucket = 0; bucket < NBUCKETS; bucket++) {
+ for (bucket = 0; bucket < adb->nentries; bucket++) {
LOCK(&adb->entrylocks[bucket]);
adb->entry_sd[bucket] = ISC_TRUE;
@@ -1308,6 +1626,18 @@ new_adbname(dns_adb_t *adb, dns_name_t *dnsname) {
ISC_LIST_INIT(name->finds);
ISC_LINK_INIT(name, plink);
+ LOCK(&adb->namescntlock);
+ adb->namescnt++;
+ if (!adb->grownames_sent && adb->excl != NULL &&
+ adb->namescnt > (adb->nnames * 8))
+ {
+ isc_event_t *event = &adb->grownames;
+ inc_adb_irefcnt(adb);
+ isc_task_send(adb->excl, &event);
+ adb->grownames_sent = ISC_TRUE;
+ }
+ UNLOCK(&adb->namescntlock);
+
return (name);
}
@@ -1331,6 +1661,9 @@ free_adbname(dns_adb_t *adb, dns_adbname_t **name) {
dns_name_free(&n->name, adb->mctx);
isc_mempool_put(adb->nmp, n);
+ LOCK(&adb->namescntlock);
+ adb->namescnt--;
+ UNLOCK(&adb->namescntlock);
}
static inline dns_adbnamehook_t *
@@ -1419,6 +1752,17 @@ new_adbentry(dns_adb_t *adb) {
e->expires = 0;
ISC_LIST_INIT(e->lameinfo);
ISC_LINK_INIT(e, plink);
+ LOCK(&adb->entriescntlock);
+ adb->entriescnt++;
+ if (!adb->growentries_sent && adb->growentries_sent &&
+ adb->entriescnt > (adb->nentries * 8))
+ {
+ isc_event_t *event = &adb->growentries;
+ inc_adb_irefcnt(adb);
+ isc_task_send(adb->task, &event);
+ adb->growentries_sent = ISC_TRUE;
+ }
+ UNLOCK(&adb->entriescntlock);
return (e);
}
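Review bot: The growth trigger added to new_adbentry can never fire, because `!adb->growentries_sent && adb->growentries_sent` is a contradiction. The entry table therefore stays at its initial bucket count and the per-bucket chains lengthen as `entriescnt` rises, which raises lookup cost for a resolver under load. The parallel block added to new_adbname tests `adb->excl != NULL` and sends to `adb->excl`; this one should presumably read `if (!adb->growentries_sent && adb->excl != NULL &&` and `isc_task_send(adb->excl, &event);`. grow_names ends with isc_task_endexclusive, so grow_entries (not visible here) likely needs the exclusive task too. new_adbentry starts outside the hunk.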
@@ -1446,6 +1790,9 @@ free_adbentry(dns_adb_t *adb, dns_adbentry_t **entry) {
}
isc_mempool_put(adb->emp, e);
+ LOCK(&adb->entriescntlock);
+ adb->entriescnt--;
+ UNLOCK(&adb->entriescntlock);
}
static inline dns_adbfind_t *
@@ -1599,7 +1946,7 @@ find_name_and_lock(dns_adb_t *adb, dns_name_t *name,
dns_adbname_t *adbname;
int bucket;
- bucket = dns_name_fullhash(name, ISC_FALSE) % NBUCKETS;
+ bucket = dns_name_fullhash(name, ISC_FALSE) % adb->nnames;
if (*bucketp == DNS_ADB_INVALIDBUCKET) {
LOCK(&adb->namelocks[bucket]);
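Review bot: The bucket here is computed with `dns_name_fullhash(name, ISC_FALSE)`, while the rehash loop in grow_names added by this commit uses `dns_name_fullhash(&name->name, ISC_TRUE)`. If the second argument selects case sensitivity, a grow can move a name containing upper-case letters to a different bucket than the one this lookup probes, so the lookup misses and a duplicate adbname is created. Both sites should pass the same flag, for example `bucket = dns_name_fullhash(&name->name, ISC_FALSE) % n;` in grow_names. Separately, `bucket` is still declared `int` here while `adb->nnames` is unsigned; find_name_and_lock continues outside the hunk.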
@@ -1641,7 +1988,7 @@ find_entry_and_lock(dns_adb_t *adb, isc_sockaddr_t *addr, int *bucketp,
dns_adbentry_t *entry, *entry_next;
int bucket;
- bucket = isc_sockaddr_hash(addr, ISC_TRUE) % NBUCKETS;
+ bucket = isc_sockaddr_hash(addr, ISC_TRUE) % adb->nentries;
if (*bucketp == DNS_ADB_INVALIDBUCKET) {
LOCK(&adb->entrylocks[bucket]);
@@ -1984,6 +2331,7 @@ destroy(dns_adb_t *adb) {
adb->magic = 0;
isc_task_detach(&adb->task);
+ isc_task_detach(&adb->excl);
isc_mempool_destroy(&adb->nmp);
isc_mempool_destroy(&adb->nhmp);
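Review bot: `isc_task_detach(&adb->excl);` in destroy() is unconditional, but dns_adb_create in this same commit tolerates isc_taskmgr_excltask() failing and leaves `adb->excl` NULL (it only switches to the larger `nbuckets[11]` table size). isc_task_detach is not shown on this page; if it asserts on a NULL task, as the ISC detach routines normally do, tearing down such an ADB aborts the process. Guard the call: `if (adb->excl != NULL) isc_task_detach(&adb->excl);`. The dns_adb_create failure path visible later in the diff detaches only `adb->task`, so it is worth checking that `adb->excl` is released there as well.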
@@ -1993,13 +2341,36 @@ destroy(dns_adb_t *adb) {
isc_mempool_destroy(&adb->aimp);
isc_mempool_destroy(&adb->afmp);
- DESTROYMUTEXBLOCK(adb->entrylocks, NBUCKETS);
- DESTROYMUTEXBLOCK(adb->namelocks, NBUCKETS);
+ DESTROYMUTEXBLOCK(adb->entrylocks, adb->nentries);
+ isc_mem_put(adb->mctx, adb->entries,
+ sizeof(*adb->entries) * adb->nentries);
+ isc_mem_put(adb->mctx, adb->deadentries,
+ sizeof(*adb->deadentries) * adb->nentries);
+ isc_mem_put(adb->mctx, adb->entrylocks,
+ sizeof(*adb->entrylocks) * adb->nentries);
+ isc_mem_put(adb->mctx, adb->entry_sd,
+ sizeof(*adb->entry_sd) * adb->nentries);
+ isc_mem_put(adb->mctx, adb->entry_refcnt,
+ sizeof(*adb->entry_refcnt) * adb->nentries);
+
+ DESTROYMUTEXBLOCK(adb->namelocks, adb->nnames);
+ isc_mem_put(adb->mctx, adb->names,
+ sizeof(*adb->names) * adb->nnames);
+ isc_mem_put(adb->mctx, adb->deadnames,
+ sizeof(*adb->deadnames) * adb->nnames);
+ isc_mem_put(adb->mctx, adb->namelocks,
+ sizeof(*adb->namelocks) * adb->nnames);
+ isc_mem_put(adb->mctx, adb->name_sd,
+ sizeof(*adb->name_sd) * adb->nnames);
+ isc_mem_put(adb->mctx, adb->name_refcnt,
+ sizeof(*adb->name_refcnt) * adb->nnames);
DESTROYLOCK(&adb->reflock);
DESTROYLOCK(&adb->lock);
DESTROYLOCK(&adb->mplock);
DESTROYLOCK(&adb->overmemlock);
+ DESTROYLOCK(&adb->entriescntlock);
+ DESTROYLOCK(&adb->namescntlock);
isc_mem_putanddetach(&adb->mctx, adb, sizeof(dns_adb_t));
}
@@ -2015,7 +2386,7 @@ dns_adb_create(isc_mem_t *mem, dns_view_t *view, isc_timermgr_t *timermgr,
{
dns_adb_t *adb;
isc_result_t result;
- int i;
+ unsigned int i;
REQUIRE(mem != NULL);
REQUIRE(view != NULL);
@@ -2044,6 +2415,7 @@ dns_adb_create(isc_mem_t *mem, dns_view_t *view, isc_timermgr_t *timermgr,
adb->aimp = NULL;
adb->afmp = NULL;
adb->task = NULL;
+ adb->excl = NULL;
adb->mctx = NULL;
adb->view = view;
adb->taskmgr = taskmgr;
@@ -2055,6 +2427,40 @@ dns_adb_create(isc_mem_t *mem, dns_view_t *view, isc_timermgr_t *timermgr,
adb->shutting_down = ISC_FALSE;
ISC_LIST_INIT(adb->whenshutdown);
+ adb->nentries = nbuckets[0];
+ adb->entriescnt = 0;
+ adb->entries = NULL;
+ adb->deadentries = NULL;
+ adb->entry_sd = NULL;
+ adb->entry_refcnt = NULL;
+ adb->entrylocks = NULL;
+ ISC_EVENT_INIT(&adb->growentries, sizeof(adb->growentries), 0, NULL,
+ DNS_EVENT_ADBGROWENTRIES, grow_entries, adb,
+ adb, NULL, NULL);
+ adb->growentries_sent = ISC_FALSE;
+
+ adb->nnames = nbuckets[0];
+ adb->namescnt = 0;
+ adb->names = NULL;
+ adb->deadnames = NULL;
+ adb->name_sd = NULL;
+ adb->name_refcnt = NULL;
+ adb->namelocks = NULL;
+ ISC_EVENT_INIT(&adb->grownames, sizeof(adb->grownames), 0, NULL,
+ DNS_EVENT_ADBGROWNAMES, grow_names, adb,
+ adb, NULL, NULL);
+ adb->grownames_sent = ISC_FALSE;
+
+ result = isc_taskmgr_excltask(adb->taskmgr, &adb->excl);
+ if (result != ISC_R_SUCCESS) {
+ DP(ISC_LOG_INFO, "adb: task-exclusive mode unavailable, "
+ "intializing table sizes to %u\n",
+ nbuckets[11]);
+ adb->nentries = nbuckets[11];
+ adb->nnames= nbuckets[11];
+
+ }
+
isc_mem_attach(mem, &adb->mctx);
result = isc_mutex_init(&adb->lock);
@@ -2073,28 +2479,68 @@ dns_adb_create(isc_mem_t *mem, dns_view_t *view, isc_timermgr_t *timermgr,
if (result != ISC_R_SUCCESS)
goto fail0e;
+ result = isc_mutex_init(&adb->entriescntlock);
+ if (result != ISC_R_SUCCESS)
+ goto fail0f;
+
+ result = isc_mutex_init(&adb->namescntlock);
+ if (result != ISC_R_SUCCESS)
+ goto fail0g;
+
+#define ALLOCENTRY(adb, el) \
+ do { \
+ (adb)->el = isc_mem_get((adb)->mctx, \
+ sizeof(*(adb)->el) * (adb)->nentries); \
+ if ((adb)->el == NULL) { \
+ result = ISC_R_NOMEMORY; \
+ goto fail1; \
+ }\
+ } while (0)
+ ALLOCENTRY(adb, entries);
+ ALLOCENTRY(adb, deadentries);
+ ALLOCENTRY(adb, entrylocks);
+ ALLOCENTRY(adb, entry_sd);
+ ALLOCENTRY(adb, entry_refcnt);
+#undef ALLOCENTRY
+
+#define ALLOCNAME(adb, el) \
+ do { \
+ (adb)->el = isc_mem_get((adb)->mctx, \
+ sizeof(*(adb)->el) * (adb)->nnames); \
+ if ((adb)->el == NULL) { \
+ result = ISC_R_NOMEMORY; \
+ goto fail1; \
+ }\
+ } while (0)
+ ALLOCNAME(adb, names);
+ ALLOCNAME(adb, deadnames);
+ ALLOCNAME(adb, namelocks);
+ ALLOCNAME(adb, name_sd);
+ ALLOCNAME(adb, name_refcnt);
+#undef ALLOCNAME
+
/*
* Initialize the bucket locks for names and elements.
* May as well initialize the list heads, too.
*/
- result = isc_mutexblock_init(adb->namelocks, NBUCKETS);
+ result = isc_mutexblock_init(adb->namelocks, adb->nnames);
if (result != ISC_R_SUCCESS)
goto fail1;
- for (i = 0; i < NBUCKETS; i++) {
+ for (i = 0; i < adb->nnames; i++) {
ISC_LIST_INIT(adb->names[i]);
ISC_LIST_INIT(adb->deadnames[i]);
adb->name_sd[i] = ISC_FALSE;
adb->name_refcnt[i] = 0;
adb->irefcnt++;
}
- for (i = 0; i < NBUCKETS; i++) {
+ for (i = 0; i < adb->nentries; i++) {
ISC_LIST_INIT(adb->entries[i]);
ISC_LIST_INIT(adb->deadentries[i]);
adb->entry_sd[i] = ISC_FALSE;
adb->entry_refcnt[i] = 0;
adb->irefcnt++;
}
- result = isc_mutexblock_init(adb->entrylocks, NBUCKETS);
+ result = isc_mutexblock_init(adb->entrylocks, adb->nentries);
if (result != ISC_R_SUCCESS)
goto fail2;
@@ -2127,6 +2573,7 @@ dns_adb_create(isc_mem_t *mem, dns_view_t *view, isc_timermgr_t *timermgr,
result = isc_task_create(adb->taskmgr, 0, &adb->task);
if (result != ISC_R_SUCCESS)
goto fail3;
+
isc_task_setname(adb->task, "ADB", adb);
/*
@@ -2141,12 +2588,42 @@ dns_adb_create(isc_mem_t *mem, dns_view_t *view, isc_timermgr_t *timermgr,
isc_task_detach(&adb->task);
/* clean up entrylocks */
- DESTROYMUTEXBLOCK(adb->entrylocks, NBUCKETS);
+ DESTROYMUTEXBLOCK(adb->entrylocks, adb->nentries);
fail2: /* clean up namelocks */
- DESTROYMUTEXBLOCK(adb->namelocks, NBUCKETS);
+ DESTROYMUTEXBLOCK(adb->namelocks, adb->nnames);
fail1: /* clean up only allocated memory */
+ if (adb->entries != NULL)
+ isc_mem_put(adb->mctx, adb->entries,
+ sizeof(*adb->entries) * adb->nentries);
+ if (adb->deadentries != NULL)
+ isc_mem_put(adb->mctx, adb->deadentries,
+ sizeof(*adb->deadentries) * adb->nentries);
+ if (adb->entrylocks != NULL)
+ isc_mem_put(adb->mctx, adb->entrylocks,
+ sizeof(*adb->entrylocks) * adb->nentries);
+ if (adb->entry_sd != NULL)
+ isc_mem_put(adb->mctx, adb->entry_sd,
+ sizeof(*adb->entry_sd) * adb->nentries);
+ if (adb->entry_refcnt != NULL)
+ isc_mem_put(adb->mctx, adb->entry_refcnt,
+ sizeof(*adb->entry_refcnt) * adb->nentries);
+ if (adb->names != NULL)
+ isc_mem_put(adb->mctx, adb->names,
+ sizeof(*adb->names) * adb->nnames);
+ if (adb->deadnames != NULL)
+ isc_mem_put(adb->mctx, adb->deadnames,
+ sizeof(*adb->deadnames) * adb->nnames);
+ if (adb->namelocks != NULL)
+ isc_mem_put(adb->mctx, adb->namelocks,
+ sizeof(*adb->namelocks) * adb->nnames);
+ if (adb->name_sd != NULL)
+ isc_mem_put(adb->mctx, adb->name_sd,
+ sizeof(*adb->name_sd) * adb->nnames);
+ if (adb->name_refcnt != NULL)
+ isc_mem_put(adb->mctx, adb->name_refcnt,
+ sizeof(*adb->name_refcnt) * adb->nnames);
if (adb->nmp != NULL)
isc_mempool_destroy(&adb->nmp);
if (adb->nhmp != NULL)
@@ -2162,6 +2639,10 @@ dns_adb_create(isc_mem_t *mem, dns_view_t *view, isc_timermgr_t *timermgr,
if (adb->afmp != NULL)
isc_mempool_destroy(&adb->afmp);
+ DESTROYLOCK(&adb->namescntlock);
+ fail0g:
+ DESTROYLOCK(&adb->entriescntlock);
+ fail0f:
DESTROYLOCK(&adb->overmemlock);
fail0e:
DESTROYLOCK(&adb->reflock);
@@ -2732,7 +3213,7 @@ dns_adb_cancelfind(dns_adbfind_t *find) {
void
dns_adb_dump(dns_adb_t *adb, FILE *f) {
- int i;
+ unsigned int i;
isc_stdtime_t now;
REQUIRE(DNS_ADB_VALID(adb));
@@ -2748,9 +3229,9 @@ dns_adb_dump(dns_adb_t *adb, FILE *f) {
LOCK(&adb->lock);
isc_stdtime_get(&now);
- for (i = 0; i < NBUCKETS; i++)
+ for (i = 0; i < adb->nnames; i++)
RUNTIME_CHECK(cleanup_names(adb, i, now) == ISC_FALSE);
- for (i = 0; i < NBUCKETS; i++)
+ for (i = 0; i < adb->nentries; i++)
RUNTIME_CHECK(cleanup_entries(adb, i, now) == ISC_FALSE);
dump_adb(adb, f, ISC_FALSE, now);
@@ -2766,7 +3247,7 @@ dump_ttl(FILE *f, const char *legend, isc_stdtime_t value, isc_stdtime_t now) {
static void
dump_adb(dns_adb_t *adb, FILE *f, isc_boolean_t debug, isc_stdtime_t now) {
- int i;
+ unsigned int i;
dns_adbname_t *name;
dns_adbentry_t *entry;
@@ -2776,15 +3257,15 @@ dump_adb(dns_adb_t *adb, FILE *f, isc_boolean_t debug, isc_stdtime_t now) {
adb, adb->erefcnt, adb->irefcnt,
isc_mempool_getallocated(adb->nhmp));
- for (i = 0; i < NBUCKETS; i++)
+ for (i = 0; i < adb->nnames; i++)
LOCK(&adb->namelocks[i]);
- for (i = 0; i < NBUCKETS; i++)
+ for (i = 0; i < adb->nentries; i++)
LOCK(&adb->entrylocks[i]);
/*
* Dump the names
*/
- for (i = 0; i < NBUCKETS; i++) {
+ for (i = 0; i < adb->nnames; i++) {
name = ISC_LIST_HEAD(adb->names[i]);
if (name == NULL)
continue;
@@ -2828,7 +3309,7 @@ dump_adb(dns_adb_t *adb, FILE *f, isc_boolean_t debug, isc_stdtime_t now) {
fprintf(f, ";\n; Unassociated entries\n;\n");
- for (i = 0; i < NBUCKETS; i++) {
+ for (i = 0; i < adb->nentries; i++) {
entry = ISC_LIST_HEAD(adb->entries[i]);
while (entry != NULL) {
if (entry->refcnt == 0)
@@ -2840,9 +3321,9 @@ dump_adb(dns_adb_t *adb, FILE *f, isc_boolean_t debug, isc_stdtime_t now) {
/*
* Unlock everything
*/
- for (i = 0; i < NBUCKETS; i++)
+ for (i = 0; i < adb->nentries; i++)
UNLOCK(&adb->entrylocks[i]);
- for (i = 0; i < NBUCKETS; i++)
+ for (i = 0; i < adb->nnames; i++)
UNLOCK(&adb->namelocks[i]);
}
@@ -3003,10 +3484,20 @@ dbfind_name(dns_adbname_t *adbname, isc_stdtime_t now, dns_rdatatype_t rdtype)
else
adbname->fetch6_err = FIND_ERR_UNEXPECTED;
- result = dns_view_find(adb->view, &adbname->name, rdtype, now,
- NAME_GLUEOK(adbname) ? DNS_DBFIND_GLUEOK : 0,
- ISC_TF(NAME_HINTOK(adbname)),
- NULL, NULL, fname, &rdataset, NULL);
+ /*
+ * We need to specify whether to search static-stub zones (if
+ * configured) depending on whether this is a "start at zone" lookup,
+ * i.e., whether it's a "bailiwick" glue. If it's bailiwick (in which
+ * case NAME_STARTATZONE is set) we need to stop the search at any
+ * matching static-stub zone without looking into the cache to honor
+ * the configuration on which server we should send queries to.
+ */
+ result = dns_view_find2(adb->view, &adbname->name, rdtype, now,
+ NAME_GLUEOK(adbname) ? DNS_DBFIND_GLUEOK : 0,
+ ISC_TF(NAME_HINTOK(adbname)),
+ (adbname->flags & NAME_STARTATZONE) != 0 ?
+ ISC_TRUE : ISC_FALSE,
+ NULL, NULL, fname, &rdataset, NULL);
/* XXXVIX this switch statement is too sparse to gen a jump table. */
switch (result) {
@@ -3571,9 +4062,9 @@ dns_adb_flush(dns_adb_t *adb) {
/*
* Call our cleanup routines.
*/
- for (i = 0; i < NBUCKETS; i++)
+ for (i = 0; i < adb->nnames; i++)
RUNTIME_CHECK(cleanup_names(adb, i, INT_MAX) == ISC_FALSE);
- for (i = 0; i < NBUCKETS; i++)
+ for (i = 0; i < adb->nentries; i++)
RUNTIME_CHECK(cleanup_entries(adb, i, INT_MAX) == ISC_FALSE);
#ifdef DUMP_ADB_AFTER_CLEANING
@@ -3592,7 +4083,7 @@ dns_adb_flushname(dns_adb_t *adb, dns_name_t *name) {
INSIST(DNS_ADB_VALID(adb));
LOCK(&adb->lock);
- bucket = dns_name_hash(name, ISC_FALSE) % NBUCKETS;
+ bucket = dns_name_hash(name, ISC_FALSE) % adb->nnames;
LOCK(&adb->namelocks[bucket]);
adbname = ISC_LIST_HEAD(adb->names[bucket]);
while (adbname != NULL) {
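Review bot: dns_adb_flushname picks its bucket with `dns_name_hash(name, ISC_FALSE) % adb->nnames`, but find_name_and_lock files names using `dns_name_fullhash(name, ISC_FALSE) % adb->nnames`. Unless the two functions return the same value for every name, the flush walks the wrong bucket and leaves the cached address data for that name in place, which matters when an operator flushes a name to discard stale or poisoned data. Use the same function as the lookup path: `bucket = dns_name_fullhash(name, ISC_FALSE) % adb->nnames;`. The function body continues outside the hunk.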
diff --git a/contrib/bind9/lib/dns/api b/contrib/bind9/lib/dns/api
index 02fb649d2678..325781a06836 100644
--- a/contrib/bind9/lib/dns/api
+++ b/contrib/bind9/lib/dns/api
@@ -3,6 +3,6 @@
# 9.7: 60-79
# 9.8: 80-89
# 9.9: 90-109
-LIBINTERFACE = 111
-LIBREVISION = 2
+LIBINTERFACE = 89
+LIBREVISION = 1
LIBAGE = 1
diff --git a/contrib/bind9/lib/dns/byaddr.c b/contrib/bind9/lib/dns/byaddr.c
index 42a5e7d030c4..6a3a6036180a 100644
--- a/contrib/bind9/lib/dns/byaddr.c
+++ b/contrib/bind9/lib/dns/byaddr.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: byaddr.c,v 1.41 2009/09/02 23:48:02 tbox Exp $ */
/*! \file */
@@ -43,25 +43,6 @@
* XXXRTH We could use a static event...
*/
-struct dns_byaddr {
- /* Unlocked. */
- unsigned int magic;
- isc_mem_t * mctx;
- isc_mutex_t lock;
- dns_fixedname_t name;
- /* Locked by lock. */
- unsigned int options;
- dns_lookup_t * lookup;
- isc_task_t * task;
- dns_byaddrevent_t * event;
- isc_boolean_t canceled;
-};
-
-#define BYADDR_MAGIC ISC_MAGIC('B', 'y', 'A', 'd')
-#define VALID_BYADDR(b) ISC_MAGIC_VALID(b, BYADDR_MAGIC)
-
-#define MAX_RESTARTS 16
-
static char hex_digits[] = {
'0', '1', '2', '3', '4', '5', '6', '7',
'8', '9', 'a', 'b', 'c', 'd', 'e', 'f'
@@ -125,10 +106,29 @@ dns_byaddr_createptrname2(isc_netaddr_t *address, unsigned int options,
len = (unsigned int)strlen(textname);
isc_buffer_init(&buffer, textname, len);
isc_buffer_add(&buffer, len);
- return (dns_name_fromtext(name, &buffer, dns_rootname,
- ISC_FALSE, NULL));
+ return (dns_name_fromtext(name, &buffer, dns_rootname, 0, NULL));
}
+#ifdef BIND9
+struct dns_byaddr {
+ /* Unlocked. */
+ unsigned int magic;
+ isc_mem_t * mctx;
+ isc_mutex_t lock;
+ dns_fixedname_t name;
+ /* Locked by lock. */
+ unsigned int options;
+ dns_lookup_t * lookup;
+ isc_task_t * task;
+ dns_byaddrevent_t * event;
+ isc_boolean_t canceled;
+};
+
+#define BYADDR_MAGIC ISC_MAGIC('B', 'y', 'A', 'd')
+#define VALID_BYADDR(b) ISC_MAGIC_VALID(b, BYADDR_MAGIC)
+
+#define MAX_RESTARTS 16
+
static inline isc_result_t
copy_ptr_targets(dns_byaddr_t *byaddr, dns_rdataset_t *rdataset) {
isc_result_t result;
@@ -314,3 +314,4 @@ dns_byaddr_destroy(dns_byaddr_t **byaddrp) {
*byaddrp = NULL;
}
+#endif /* BIND9 */
diff --git a/contrib/bind9/lib/dns/cache.c b/contrib/bind9/lib/dns/cache.c
index 659ce1bbef5b..56bff8d9d8d7 100644
--- a/contrib/bind9/lib/dns/cache.c
+++ b/contrib/bind9/lib/dns/cache.c
@@ -125,6 +125,7 @@ struct dns_cache {
isc_mutex_t filelock;
isc_mem_t *mctx; /* Main cache memory */
isc_mem_t *hmctx; /* Heap memory */
+ char *name;
/* Locked by 'lock'. */
int references;
@@ -135,6 +136,7 @@ struct dns_cache {
char *db_type;
int db_argc;
char **db_argv;
+ isc_uint32_t size;
/* Locked by 'filelock'. */
char *filename;
@@ -174,8 +176,8 @@ dns_cache_create(isc_mem_t *cmctx, isc_taskmgr_t *taskmgr,
const char *db_type, unsigned int db_argc, char **db_argv,
dns_cache_t **cachep)
{
- return (dns_cache_create3(cmctx, cmctx, taskmgr, timermgr, rdclass,
- NULL, db_type, db_argc, db_argv, cachep));
+ return (dns_cache_create3(cmctx, cmctx, taskmgr, timermgr, rdclass, "",
+ db_type, db_argc, db_argv, cachep));
}
isc_result_t
@@ -204,8 +206,7 @@ dns_cache_create3(isc_mem_t *cmctx, isc_mem_t *hmctx, isc_taskmgr_t *taskmgr,
REQUIRE(*cachep == NULL);
REQUIRE(cmctx != NULL);
REQUIRE(hmctx != NULL);
-
- UNUSED(cachename);
+ REQUIRE(cachename != NULL);
cache = isc_mem_get(cmctx, sizeof(*cache));
if (cache == NULL)
@@ -215,6 +216,15 @@ dns_cache_create3(isc_mem_t *cmctx, isc_mem_t *hmctx, isc_taskmgr_t *taskmgr,
isc_mem_attach(cmctx, &cache->mctx);
isc_mem_attach(hmctx, &cache->hmctx);
+ cache->name = NULL;
+ if (cachename != NULL) {
+ cache->name = isc_mem_strdup(cmctx, cachename);
+ if (cache->name == NULL) {
+ result = ISC_R_NOMEMORY;
+ goto cleanup_mem;
+ }
+ }
+
result = isc_mutex_init(&cache->lock);
if (result != ISC_R_SUCCESS)
goto cleanup_mem;
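Review bot: The `if (cachename != NULL)` guard around the strdup is dead code, because the previous hunk in dns_cache_create3 replaced `UNUSED(cachename)` with `REQUIRE(cachename != NULL)`. Keeping both obscures the actual contract: callers that used to pass NULL now abort on the REQUIRE, which is why dns_cache_create was changed to pass `""`. Either drop the guard and call `cache->name = isc_mem_strdup(cmctx, cachename);` directly, or remove the REQUIRE if NULL is still meant to be accepted. The function starts and ends outside the hunk.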
@@ -318,6 +328,8 @@ dns_cache_create3(isc_mem_t *cmctx, isc_mem_t *hmctx, isc_taskmgr_t *taskmgr,
cleanup_lock:
DESTROYLOCK(&cache->lock);
cleanup_mem:
+ if (cache->name != NULL)
+ isc_mem_free(cmctx, cache->name);
isc_mem_detach(&cache->hmctx);
isc_mem_putanddetach(&cache->mctx, cache, sizeof(*cache));
return (result);
@@ -372,6 +384,9 @@ cache_free(dns_cache_t *cache) {
if (cache->db_type != NULL)
isc_mem_free(cache->mctx, cache->db_type);
+ if (cache->name != NULL)
+ isc_mem_free(cache->mctx, cache->name);
+
DESTROYLOCK(&cache->lock);
DESTROYLOCK(&cache->filelock);
@@ -472,6 +487,7 @@ dns_cache_setfilename(dns_cache_t *cache, const char *filename) {
return (ISC_R_SUCCESS);
}
+#ifdef BIND9
isc_result_t
dns_cache_load(dns_cache_t *cache) {
isc_result_t result;
@@ -487,22 +503,29 @@ dns_cache_load(dns_cache_t *cache) {
return (result);
}
+#endif /* BIND9 */
isc_result_t
dns_cache_dump(dns_cache_t *cache) {
+#ifdef BIND9
isc_result_t result;
+#endif
REQUIRE(VALID_CACHE(cache));
if (cache->filename == NULL)
return (ISC_R_SUCCESS);
+#ifdef BIND9
LOCK(&cache->filelock);
result = dns_master_dump(cache->mctx, cache->db, NULL,
&dns_master_style_cache, cache->filename);
UNLOCK(&cache->filelock);
-
return (result);
+#else
+ return (ISC_R_NOTIMPLEMENTED);
+#endif
+
}
void
@@ -542,6 +565,26 @@ dns_cache_setcleaninginterval(dns_cache_t *cache, unsigned int t) {
UNLOCK(&cache->lock);
}
+unsigned int
+dns_cache_getcleaninginterval(dns_cache_t *cache) {
+ unsigned int t;
+
+ REQUIRE(VALID_CACHE(cache));
+
+ LOCK(&cache->lock);
+ t = cache->cleaner.cleaning_interval;
+ UNLOCK(&cache->lock);
+
+ return (t);
+}
+
+const char *
+dns_cache_getname(dns_cache_t *cache) {
+ REQUIRE(VALID_CACHE(cache));
+
+ return (cache->name);
+}
+
/*
* Initialize the cache cleaner object at *cleaner.
* Space for the object must be allocated by the caller.
@@ -568,6 +611,7 @@ cache_cleaner_init(dns_cache_t *cache, isc_taskmgr_t *taskmgr,
cleaner->cleaning_timer = NULL;
cleaner->resched_event = NULL;
cleaner->overmem_event = NULL;
+ cleaner->cleaning_interval = 0; /* Initially turned off. */
result = dns_db_createiterator(cleaner->cache->db, ISC_FALSE,
&cleaner->iterator);
@@ -596,7 +640,6 @@ cache_cleaner_init(dns_cache_t *cache, isc_taskmgr_t *taskmgr,
goto cleanup;
}
- cleaner->cleaning_interval = 0; /* Initially turned off. */
result = isc_timer_create(timermgr, isc_timertype_inactive,
NULL, NULL, cleaner->task,
cleaning_timer_action, cleaner,
@@ -998,6 +1041,10 @@ dns_cache_setcachesize(dns_cache_t *cache, isc_uint32_t size) {
if (size != 0 && size < DNS_CACHE_MINSIZE)
size = DNS_CACHE_MINSIZE;
+ LOCK(&cache->lock);
+ cache->size = size;
+ UNLOCK(&cache->lock);
+
hiwater = size - (size >> 3); /* Approximately 7/8ths. */
lowater = size - (size >> 2); /* Approximately 3/4ths. */
@@ -1021,6 +1068,19 @@ dns_cache_setcachesize(dns_cache_t *cache, isc_uint32_t size) {
isc_mem_setwater(cache->mctx, water, cache, hiwater, lowater);
}
+isc_uint32_t
+dns_cache_getcachesize(dns_cache_t *cache) {
+ isc_uint32_t size;
+
+ REQUIRE(VALID_CACHE(cache));
+
+ LOCK(&cache->lock);
+ size = cache->size;
+ UNLOCK(&cache->lock);
+
+ return (size);
+}
+
/*
* The cleaner task is shutting down; do the necessary cleanup.
*/
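Review bot: dns_cache_getcachesize returns `cache->size`, but none of the dns_cache_create3 hunks on this page initialise that new field; the only visible write is in dns_cache_setcachesize. If the cache struct is obtained from isc_mem_get without zeroing, a caller that reads the size before it has been set gets an indeterminate value. Consider adding `cache->size = 0;` next to the `cache->name = NULL;` initialisation in dns_cache_create3, unless the field is already set in context not shown here.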
diff --git a/contrib/bind9/lib/dns/client.c b/contrib/bind9/lib/dns/client.c
new file mode 100644
index 000000000000..7b6d16408485
--- /dev/null
+++ b/contrib/bind9/lib/dns/client.c
@@ -0,0 +1,3023 @@
+/*
+ * Copyright (C) 2009-2012 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id$ */
+
+#include <config.h>
+
+#include <stddef.h>
+
+#include <isc/app.h>
+#include <isc/mem.h>
+#include <isc/mutex.h>
+#include <isc/sockaddr.h>
+#include <isc/socket.h>
+#include <isc/task.h>
+#include <isc/timer.h>
+#include <isc/util.h>
+
+#include <dns/adb.h>
+#include <dns/client.h>
+#include <dns/db.h>
+#include <dns/dispatch.h>
+#include <dns/events.h>
+#include <dns/forward.h>
+#include <dns/keytable.h>
+#include <dns/message.h>
+#include <dns/name.h>
+#include <dns/rdata.h>
+#include <dns/rdatalist.h>
+#include <dns/rdataset.h>
+#include <dns/rdatatype.h>
+#include <dns/rdatasetiter.h>
+#include <dns/rdatastruct.h>
+#include <dns/request.h>
+#include <dns/resolver.h>
+#include <dns/result.h>
+#include <dns/tsec.h>
+#include <dns/tsig.h>
+#include <dns/view.h>
+
+#include <dst/dst.h>
+
+#define DNS_CLIENT_MAGIC ISC_MAGIC('D', 'N', 'S', 'c')
+#define DNS_CLIENT_VALID(c) ISC_MAGIC_VALID(c, DNS_CLIENT_MAGIC)
+
+#define RCTX_MAGIC ISC_MAGIC('R', 'c', 't', 'x')
+#define RCTX_VALID(c) ISC_MAGIC_VALID(c, RCTX_MAGIC)
+
+#define REQCTX_MAGIC ISC_MAGIC('R', 'q', 'c', 'x')
+#define REQCTX_VALID(c) ISC_MAGIC_VALID(c, REQCTX_MAGIC)
+
+#define UCTX_MAGIC ISC_MAGIC('U', 'c', 't', 'x')
+#define UCTX_VALID(c) ISC_MAGIC_VALID(c, UCTX_MAGIC)
+
+#define MAX_RESTARTS 16
+
+/*%
+ * DNS client object
+ */
+struct dns_client {
+ /* Unlocked */
+ unsigned int magic;
+ unsigned int attributes;
+ isc_mutex_t lock;
+ isc_mem_t *mctx;
+ isc_appctx_t *actx;
+ isc_taskmgr_t *taskmgr;
+ isc_task_t *task;
+ isc_socketmgr_t *socketmgr;
+ isc_timermgr_t *timermgr;
+ dns_dispatchmgr_t *dispatchmgr;
+ dns_dispatch_t *dispatchv4;
+ dns_dispatch_t *dispatchv6;
+
+ unsigned int update_timeout;
+ unsigned int update_udptimeout;
+ unsigned int update_udpretries;
+ unsigned int find_timeout;
+ unsigned int find_udpretries;
+
+ /* Locked */
+ unsigned int references;
+ dns_viewlist_t viewlist;
+ ISC_LIST(struct resctx) resctxs;
+ ISC_LIST(struct reqctx) reqctxs;
+ ISC_LIST(struct updatectx) updatectxs;
+};
+
+/*%
+ * Timeout/retry constants for dynamic update borrowed from nsupdate
+ */
+#define DEF_UPDATE_TIMEOUT 300
+#define MIN_UPDATE_TIMEOUT 30
+#define DEF_UPDATE_UDPTIMEOUT 3
+#define DEF_UPDATE_UDPRETRIES 3
+
+#define DEF_FIND_TIMEOUT 5
+#define DEF_FIND_UDPRETRIES 3
+
+#define DNS_CLIENTATTR_OWNCTX 0x01
+
+#define DNS_CLIENTVIEW_NAME "dnsclient"
+
+/*%
+ * Internal state for a single name resolution procedure
+ */
+typedef struct resctx {
+ /* Unlocked */
+ unsigned int magic;
+ isc_mutex_t lock;
+ dns_client_t *client;
+ isc_boolean_t want_dnssec;
+
+ /* Locked */
+ ISC_LINK(struct resctx) link;
+ isc_task_t *task;
+ dns_view_t *view;
+ unsigned int restarts;
+ dns_fixedname_t name;
+ dns_rdatatype_t type;
+ dns_fetch_t *fetch;
+ dns_namelist_t namelist;
+ isc_result_t result;
+ dns_clientresevent_t *event;
+ isc_boolean_t canceled;
+ dns_rdataset_t *rdataset;
+ dns_rdataset_t *sigrdataset;
+} resctx_t;
+
+/*%
+ * Argument of an internal event for synchronous name resolution.
+ */
+typedef struct resarg {
+ /* Unlocked */
+ isc_appctx_t *actx;
+ dns_client_t *client;
+ isc_mutex_t lock;
+
+ /* Locked */
+ isc_result_t result;
+ isc_result_t vresult;
+ dns_namelist_t *namelist;
+ dns_clientrestrans_t *trans;
+ isc_boolean_t canceled;
+} resarg_t;
+
+/*%
+ * Internal state for a single DNS request
+ */
+typedef struct reqctx {
+ /* Unlocked */
+ unsigned int magic;
+ isc_mutex_t lock;
+ dns_client_t *client;
+ unsigned int parseoptions;
+
+ /* Locked */
+ ISC_LINK(struct reqctx) link;
+ isc_boolean_t canceled;
+ dns_tsigkey_t *tsigkey;
+ dns_request_t *request;
+ dns_clientreqevent_t *event;
+} reqctx_t;
+
+/*%
+ * Argument of an internal event for synchronous DNS request.
+ */
+typedef struct reqarg {
+ /* Unlocked */
+ isc_appctx_t *actx;
+ dns_client_t *client;
+ isc_mutex_t lock;
+
+ /* Locked */
+ isc_result_t result;
+ dns_clientreqtrans_t *trans;
+ isc_boolean_t canceled;
+} reqarg_t;
+
+/*%
+ * Argument of an internal event for synchronous name resolution.
+ */
+typedef struct updatearg {
+ /* Unlocked */
+ isc_appctx_t *actx;
+ dns_client_t *client;
+ isc_mutex_t lock;
+
+ /* Locked */
+ isc_result_t result;
+ dns_clientupdatetrans_t *trans;
+ isc_boolean_t canceled;
+} updatearg_t;
+
+/*%
+ * Internal state for a single dynamic update procedure
+ */
+typedef struct updatectx {
+ /* Unlocked */
+ unsigned int magic;
+ isc_mutex_t lock;
+ dns_client_t *client;
+
+ /* Locked */
+ dns_request_t *updatereq;
+ dns_request_t *soareq;
+ dns_clientrestrans_t *restrans;
+ dns_clientrestrans_t *restrans2;
+ isc_boolean_t canceled;
+
+ /* Task Locked */
+ ISC_LINK(struct updatectx) link;
+ dns_clientupdatestate_t state;
+ dns_rdataclass_t rdclass;
+ dns_view_t *view;
+ dns_message_t *updatemsg;
+ dns_message_t *soaquery;
+ dns_clientupdateevent_t *event;
+ dns_tsigkey_t *tsigkey;
+ dst_key_t *sig0key;
+ dns_name_t *firstname;
+ dns_name_t soaqname;
+ dns_fixedname_t zonefname;
+ dns_name_t *zonename;
+ isc_sockaddrlist_t servers;
+ unsigned int nservers;
+ isc_sockaddr_t *currentserver;
+ struct updatectx *bp4;
+ struct updatectx *bp6;
+} updatectx_t;
+
+static isc_result_t request_soa(updatectx_t *uctx);
+static void client_resfind(resctx_t *rctx, dns_fetchevent_t *event);
+static isc_result_t send_update(updatectx_t *uctx);
+
+static isc_result_t
+getudpdispatch(int family, dns_dispatchmgr_t *dispatchmgr,
+ isc_socketmgr_t *socketmgr, isc_taskmgr_t *taskmgr,
+ isc_boolean_t is_shared, dns_dispatch_t **dispp)
+{
+ unsigned int attrs, attrmask;
+ isc_sockaddr_t sa;
+ dns_dispatch_t *disp;
+ unsigned buffersize, maxbuffers, maxrequests, buckets, increment;
+ isc_result_t result;
+
+ attrs = 0;
+ attrs |= DNS_DISPATCHATTR_UDP;
+ switch (family) {
+ case AF_INET:
+ attrs |= DNS_DISPATCHATTR_IPV4;
+ break;
+ case AF_INET6:
+ attrs |= DNS_DISPATCHATTR_IPV6;
+ break;
+ default:
+ INSIST(0);
+ }
+ attrmask = 0;
+ attrmask |= DNS_DISPATCHATTR_UDP;
+ attrmask |= DNS_DISPATCHATTR_TCP;
+ attrmask |= DNS_DISPATCHATTR_IPV4;
+ attrmask |= DNS_DISPATCHATTR_IPV6;
+
+ isc_sockaddr_anyofpf(&sa, family);
+
+ buffersize = 4096;
+ maxbuffers = is_shared ? 1000 : 8;
+ maxrequests = 32768;
+ buckets = is_shared ? 16411 : 3;
+ increment = is_shared ? 16433 : 5;
+
+ disp = NULL;
+ result = dns_dispatch_getudp(dispatchmgr, socketmgr,
+ taskmgr, &sa,
+ buffersize, maxbuffers, maxrequests,
+ buckets, increment,
+ attrs, attrmask, &disp);
+ if (result == ISC_R_SUCCESS)
+ *dispp = disp;
+
+ return (result);
+}
+
+static isc_result_t
+dns_client_createview(isc_mem_t *mctx, dns_rdataclass_t rdclass,
+ unsigned int options, isc_taskmgr_t *taskmgr,
+ unsigned int ntasks, isc_socketmgr_t *socketmgr,
+ isc_timermgr_t *timermgr, dns_dispatchmgr_t *dispatchmgr,
+ dns_dispatch_t *dispatchv4, dns_dispatch_t *dispatchv6,
+ dns_view_t **viewp)
+{
+ isc_result_t result;
+ dns_view_t *view = NULL;
+ const char *dbtype;
+
+ result = dns_view_create(mctx, rdclass, DNS_CLIENTVIEW_NAME, &view);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ /* Initialize view security roots */
+ result = dns_view_initsecroots(view, mctx);
+ if (result != ISC_R_SUCCESS) {
+ dns_view_detach(&view);
+ return (result);
+ }
+
+ result = dns_view_createresolver(view, taskmgr, ntasks, socketmgr,
+ timermgr, 0, dispatchmgr,
+ dispatchv4, dispatchv6);
+ if (result != ISC_R_SUCCESS) {
+ dns_view_detach(&view);
+ return (result);
+ }
+
+ /*
+ * Set cache DB.
+ * XXX: it may be better if specific DB implementations can be
+ * specified via some configuration knob.
+ */
+ if ((options & DNS_CLIENTCREATEOPT_USECACHE) != 0)
+ dbtype = "rbt";
+ else
+ dbtype = "ecdb";
+ result = dns_db_create(mctx, dbtype, dns_rootname, dns_dbtype_cache,
+ rdclass, 0, NULL, &view->cachedb);
+ if (result != ISC_R_SUCCESS) {
+ dns_view_detach(&view);
+ return (result);
+ }
+
+ *viewp = view;
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_client_create(dns_client_t **clientp, unsigned int options) {
+ isc_result_t result;
+ isc_mem_t *mctx = NULL;
+ isc_appctx_t *actx = NULL;
+ isc_taskmgr_t *taskmgr = NULL;
+ isc_socketmgr_t *socketmgr = NULL;
+ isc_timermgr_t *timermgr = NULL;
+
+ result = isc_mem_create(0, 0, &mctx);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ result = isc_appctx_create(mctx, &actx);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+ result = isc_app_ctxstart(actx);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+ result = isc_taskmgr_createinctx(mctx, actx, 1, 0, &taskmgr);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+ result = isc_socketmgr_createinctx(mctx, actx, &socketmgr);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+ result = isc_timermgr_createinctx(mctx, actx, &timermgr);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+
+ result = dns_client_createx(mctx, actx, taskmgr, socketmgr, timermgr,
+ options, clientp);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+
+ (*clientp)->attributes |= DNS_CLIENTATTR_OWNCTX;
+
+ /* client has its own reference to mctx, so we can detach it here */
+ isc_mem_detach(&mctx);
+
+ return (ISC_R_SUCCESS);
+
+ cleanup:
+ if (taskmgr != NULL)
+ isc_taskmgr_destroy(&taskmgr);
+ if (timermgr != NULL)
+ isc_timermgr_destroy(&timermgr);
+ if (socketmgr != NULL)
+ isc_socketmgr_destroy(&socketmgr);
+ if (actx != NULL)
+ isc_appctx_destroy(&actx);
+ isc_mem_detach(&mctx);
+
+ return (result);
+}
+
+isc_result_t
+dns_client_createx(isc_mem_t *mctx, isc_appctx_t *actx, isc_taskmgr_t *taskmgr,
+ isc_socketmgr_t *socketmgr, isc_timermgr_t *timermgr,
+ unsigned int options, dns_client_t **clientp)
+{
+ dns_client_t *client;
+ isc_result_t result;
+ dns_dispatchmgr_t *dispatchmgr = NULL;
+ dns_dispatch_t *dispatchv4 = NULL;
+ dns_dispatch_t *dispatchv6 = NULL;
+ dns_view_t *view = NULL;
+
+ REQUIRE(mctx != NULL);
+ REQUIRE(taskmgr != NULL);
+ REQUIRE(timermgr != NULL);
+ REQUIRE(socketmgr != NULL);
+ REQUIRE(clientp != NULL && *clientp == NULL);
+
+ client = isc_mem_get(mctx, sizeof(*client));
+ if (client == NULL)
+ return (ISC_R_NOMEMORY);
+
+ result = isc_mutex_init(&client->lock);
+ if (result != ISC_R_SUCCESS) {
+ isc_mem_put(mctx, client, sizeof(*client));
+ return (result);
+ }
+
+ client->actx = actx;
+ client->taskmgr = taskmgr;
+ client->socketmgr = socketmgr;
+ client->timermgr = timermgr;
+
+ client->task = NULL;
+ result = isc_task_create(client->taskmgr, 0, &client->task);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+
+ result = dns_dispatchmgr_create(mctx, NULL, &dispatchmgr);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+ client->dispatchmgr = dispatchmgr;
+
+ /* TODO: whether to use dispatch v4 or v6 should be configurable */
+ client->dispatchv4 = NULL;
+ client->dispatchv6 = NULL;
+ result = getudpdispatch(AF_INET, dispatchmgr, socketmgr,
+ taskmgr, ISC_TRUE, &dispatchv4);
+ if (result == ISC_R_SUCCESS)
+ client->dispatchv4 = dispatchv4;
+ result = getudpdispatch(AF_INET6, dispatchmgr, socketmgr,
+ taskmgr, ISC_TRUE, &dispatchv6);
+ if (result == ISC_R_SUCCESS)
+ client->dispatchv6 = dispatchv6;
+
+ /* We need at least one of the dispatchers */
+ if (dispatchv4 == NULL && dispatchv6 == NULL) {
+ INSIST(result != ISC_R_SUCCESS);
+ goto cleanup;
+ }
+
+ /* Create the default view for class IN */
+ result = dns_client_createview(mctx, dns_rdataclass_in, options,
+ taskmgr, 31, socketmgr, timermgr,
+ dispatchmgr, dispatchv4, dispatchv6,
+ &view);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+ ISC_LIST_INIT(client->viewlist);
+ ISC_LIST_APPEND(client->viewlist, view, link);
+
+ dns_view_freeze(view); /* too early? */
+
+ ISC_LIST_INIT(client->resctxs);
+ ISC_LIST_INIT(client->reqctxs);
+ ISC_LIST_INIT(client->updatectxs);
+
+ client->mctx = NULL;
+ isc_mem_attach(mctx, &client->mctx);
+
+ client->update_timeout = DEF_UPDATE_TIMEOUT;
+ client->update_udptimeout = DEF_UPDATE_UDPTIMEOUT;
+ client->update_udpretries = DEF_UPDATE_UDPRETRIES;
+ client->find_timeout = DEF_FIND_TIMEOUT;
+ client->find_udpretries = DEF_FIND_UDPRETRIES;
+
+ client->references = 1;
+ client->magic = DNS_CLIENT_MAGIC;
+
+ *clientp = client;
+
+ return (ISC_R_SUCCESS);
+
+ cleanup:
+ if (dispatchv4 != NULL)
+ dns_dispatch_detach(&dispatchv4);
+ if (dispatchv6 != NULL)
+ dns_dispatch_detach(&dispatchv6);
+ if (dispatchmgr != NULL)
+ dns_dispatchmgr_destroy(&dispatchmgr);
+ if (client->task != NULL)
+ isc_task_detach(&client->task);
+ isc_mem_put(mctx, client, sizeof(*client));
+
+ return (result);
+}
+
+static void
+destroyclient(dns_client_t **clientp) {
+ dns_client_t *client = *clientp;
+ dns_view_t *view;
+
+ while ((view = ISC_LIST_HEAD(client->viewlist)) != NULL) {
+ ISC_LIST_UNLINK(client->viewlist, view, link);
+ dns_view_detach(&view);
+ }
+
+ if (client->dispatchv4 != NULL)
+ dns_dispatch_detach(&client->dispatchv4);
+ if (client->dispatchv6 != NULL)
+ dns_dispatch_detach(&client->dispatchv6);
+
+ dns_dispatchmgr_destroy(&client->dispatchmgr);
+
+ isc_task_detach(&client->task);
+
+ /*
+ * If the client has created its own running environments,
+ * destroy them.
+ */
+ if ((client->attributes & DNS_CLIENTATTR_OWNCTX) != 0) {
+ isc_taskmgr_destroy(&client->taskmgr);
+ isc_timermgr_destroy(&client->timermgr);
+ isc_socketmgr_destroy(&client->socketmgr);
+
+ isc_app_ctxfinish(client->actx);
+ isc_appctx_destroy(&client->actx);
+ }
+
+ DESTROYLOCK(&client->lock);
+ client->magic = 0;
+
+ isc_mem_putanddetach(&client->mctx, client, sizeof(*client));
+
+ *clientp = NULL;
+}
+
+void
+dns_client_destroy(dns_client_t **clientp) {
+ dns_client_t *client;
+ isc_boolean_t destroyok = ISC_FALSE;
+
+ REQUIRE(clientp != NULL);
+ client = *clientp;
+ REQUIRE(DNS_CLIENT_VALID(client));
+
+ LOCK(&client->lock);
+ client->references--;
+ if (client->references == 0 && ISC_LIST_EMPTY(client->resctxs) &&
+ ISC_LIST_EMPTY(client->reqctxs) &&
+ ISC_LIST_EMPTY(client->updatectxs)) {
+ destroyok = ISC_TRUE;
+ }
+ UNLOCK(&client->lock);
+
+ if (destroyok)
+ destroyclient(&client);
+
+ *clientp = NULL;
+}
+
+isc_result_t
+dns_client_setservers(dns_client_t *client, dns_rdataclass_t rdclass,
+ dns_name_t *namespace, isc_sockaddrlist_t *addrs)
+{
+ isc_result_t result;
+ dns_view_t *view = NULL;
+
+ REQUIRE(DNS_CLIENT_VALID(client));
+ REQUIRE(addrs != NULL);
+
+ if (namespace == NULL)
+ namespace = dns_rootname;
+
+ LOCK(&client->lock);
+ result = dns_viewlist_find(&client->viewlist, DNS_CLIENTVIEW_NAME,
+ rdclass, &view);
+ if (result != ISC_R_SUCCESS) {
+ UNLOCK(&client->lock);
+ return (result);
+ }
+ UNLOCK(&client->lock);
+
+ result = dns_fwdtable_add(view->fwdtable, namespace, addrs,
+ dns_fwdpolicy_only);
+
+ dns_view_detach(&view);
+
+ return (result);
+}
+
+isc_result_t
+dns_client_clearservers(dns_client_t *client, dns_rdataclass_t rdclass,
+ dns_name_t *namespace)
+{
+ isc_result_t result;
+ dns_view_t *view = NULL;
+
+ REQUIRE(DNS_CLIENT_VALID(client));
+
+ if (namespace == NULL)
+ namespace = dns_rootname;
+
+ LOCK(&client->lock);
+ result = dns_viewlist_find(&client->viewlist, DNS_CLIENTVIEW_NAME,
+ rdclass, &view);
+ if (result != ISC_R_SUCCESS) {
+ UNLOCK(&client->lock);
+ return (result);
+ }
+ UNLOCK(&client->lock);
+
+ result = dns_fwdtable_delete(view->fwdtable, namespace);
+
+ dns_view_detach(&view);
+
+ return (result);
+}
+
+static isc_result_t
+getrdataset(isc_mem_t *mctx, dns_rdataset_t **rdatasetp) {
+ dns_rdataset_t *rdataset;
+
+ REQUIRE(mctx != NULL);
+ REQUIRE(rdatasetp != NULL && *rdatasetp == NULL);
+
+ rdataset = isc_mem_get(mctx, sizeof(*rdataset));
+ if (rdataset == NULL)
+ return (ISC_R_NOMEMORY);
+
+ dns_rdataset_init(rdataset);
+
+ *rdatasetp = rdataset;
+
+ return (ISC_R_SUCCESS);
+}
+
+static void
+putrdataset(isc_mem_t *mctx, dns_rdataset_t **rdatasetp) {
+ dns_rdataset_t *rdataset;
+
+ REQUIRE(rdatasetp != NULL);
+ rdataset = *rdatasetp;
+ REQUIRE(rdataset != NULL);
+
+ if (dns_rdataset_isassociated(rdataset))
+ dns_rdataset_disassociate(rdataset);
+
+ isc_mem_put(mctx, rdataset, sizeof(*rdataset));
+
+ *rdatasetp = NULL;
+}
+
+static void
+fetch_done(isc_task_t *task, isc_event_t *event) {
+ resctx_t *rctx = event->ev_arg;
+ dns_fetchevent_t *fevent;
+
+ REQUIRE(event->ev_type == DNS_EVENT_FETCHDONE);
+ REQUIRE(RCTX_VALID(rctx));
+ REQUIRE(rctx->task == task);
+ fevent = (dns_fetchevent_t *)event;
+
+ client_resfind(rctx, fevent);
+}
+
+static inline isc_result_t
+start_fetch(resctx_t *rctx) {
+ isc_result_t result;
+
+ /*
+ * The caller must be holding the rctx's lock.
+ */
+
+ REQUIRE(rctx->fetch == NULL);
+
+ result = dns_resolver_createfetch(rctx->view->resolver,
+ dns_fixedname_name(&rctx->name),
+ rctx->type,
+ NULL, NULL, NULL, 0,
+ rctx->task, fetch_done, rctx,
+ rctx->rdataset,
+ rctx->sigrdataset,
+ &rctx->fetch);
+
+ return (result);
+}
+
+static isc_result_t
+view_find(resctx_t *rctx, dns_db_t **dbp, dns_dbnode_t **nodep,
+ dns_name_t *foundname)
+{
+ isc_result_t result;
+ dns_name_t *name = dns_fixedname_name(&rctx->name);
+ dns_rdatatype_t type;
+
+ if (rctx->type == dns_rdatatype_rrsig)
+ type = dns_rdatatype_any;
+ else
+ type = rctx->type;
+
+ result = dns_view_find(rctx->view, name, type, 0, 0, ISC_FALSE,
+ dbp, nodep, foundname, rctx->rdataset,
+ rctx->sigrdataset);
+
+ return (result);
+}
+
+static void
+client_resfind(resctx_t *rctx, dns_fetchevent_t *event) {
+ isc_mem_t *mctx;
+ isc_result_t tresult, result = ISC_R_SUCCESS;
+ isc_result_t vresult = ISC_R_SUCCESS;
+ isc_boolean_t want_restart;
+ isc_boolean_t send_event = ISC_FALSE;
+ dns_name_t *name, *prefix;
+ dns_fixedname_t foundname, fixed;
+ dns_rdataset_t *trdataset;
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ unsigned int nlabels;
+ int order;
+ dns_namereln_t namereln;
+ dns_rdata_cname_t cname;
+ dns_rdata_dname_t dname;
+
+ REQUIRE(RCTX_VALID(rctx));
+
+ LOCK(&rctx->lock);
+
+ mctx = rctx->view->mctx;
+
+ name = dns_fixedname_name(&rctx->name);
+
+ do {
+ dns_name_t *fname = NULL;
+ dns_name_t *ansname = NULL;
+ dns_db_t *db = NULL;
+ dns_dbnode_t *node = NULL;
+
+ rctx->restarts++;
+ want_restart = ISC_FALSE;
+
+ if (event == NULL && !rctx->canceled) {
+ dns_fixedname_init(&foundname);
+ fname = dns_fixedname_name(&foundname);
+ INSIST(!dns_rdataset_isassociated(rctx->rdataset));
+ INSIST(rctx->sigrdataset == NULL ||
+ !dns_rdataset_isassociated(rctx->sigrdataset));
+ result = view_find(rctx, &db, &node, fname);
+ if (result == ISC_R_NOTFOUND) {
+ /*
+ * We don't know anything about the name.
+ * Launch a fetch.
+ */
+ if (node != NULL) {
+ INSIST(db != NULL);
+ dns_db_detachnode(db, &node);
+ }
+ if (db != NULL)
+ dns_db_detach(&db);
+ result = start_fetch(rctx);
+ if (result != ISC_R_SUCCESS) {
+ putrdataset(mctx, &rctx->rdataset);
+ if (rctx->sigrdataset != NULL)
+ putrdataset(mctx,
+ &rctx->sigrdataset);
+ send_event = ISC_TRUE;
+ }
+ goto done;
+ }
+ } else {
+ INSIST(event != NULL);
+ INSIST(event->fetch == rctx->fetch);
+ dns_resolver_destroyfetch(&rctx->fetch);
+ db = event->db;
+ node = event->node;
+ result = event->result;
+ vresult = event->vresult;
+ fname = dns_fixedname_name(&event->foundname);
+ INSIST(event->rdataset == rctx->rdataset);
+ INSIST(event->sigrdataset == rctx->sigrdataset);
+ }
+
+ /*
+ * If we've been canceled, forget about the result.
+ */
+ if (rctx->canceled)
+ result = ISC_R_CANCELED;
+ else {
+ /*
+ * Otherwise, get some resource for copying the
+ * result.
+ */
+ ansname = isc_mem_get(mctx, sizeof(*ansname));
+ if (ansname == NULL)
+ tresult = ISC_R_NOMEMORY;
+ else {
+ dns_name_t *aname;
+
+ aname = dns_fixedname_name(&rctx->name);
+ dns_name_init(ansname, NULL);
+ tresult = dns_name_dup(aname, mctx, ansname);
+ if (tresult != ISC_R_SUCCESS)
+ isc_mem_put(mctx, ansname,
+ sizeof(*ansname));
+ }
+ if (tresult != ISC_R_SUCCESS)
+ result = tresult;
+ }
+
+ switch (result) {
+ case ISC_R_SUCCESS:
+ send_event = ISC_TRUE;
+ /*
+ * This case is handled in the main line below.
+ */
+ break;
+ case DNS_R_CNAME:
+ /*
+ * Add the CNAME to the answer list.
+ */
+ trdataset = rctx->rdataset;
+ ISC_LIST_APPEND(ansname->list, rctx->rdataset, link);
+ rctx->rdataset = NULL;
+ if (rctx->sigrdataset != NULL) {
+ ISC_LIST_APPEND(ansname->list,
+ rctx->sigrdataset, link);
+ rctx->sigrdataset = NULL;
+ }
+ ISC_LIST_APPEND(rctx->namelist, ansname, link);
+ ansname = NULL;
+
+ /*
+ * Copy the CNAME's target into the lookup's
+ * query name and start over.
+ */
+ tresult = dns_rdataset_first(trdataset);
+ if (tresult != ISC_R_SUCCESS)
+ goto done;
+ dns_rdataset_current(trdataset, &rdata);
+ tresult = dns_rdata_tostruct(&rdata, &cname, NULL);
+ dns_rdata_reset(&rdata);
+ if (tresult != ISC_R_SUCCESS)
+ goto done;
+ tresult = dns_name_copy(&cname.cname, name, NULL);
+ dns_rdata_freestruct(&cname);
+ if (tresult == ISC_R_SUCCESS)
+ want_restart = ISC_TRUE;
+ else
+ result = tresult;
+ goto done;
+ case DNS_R_DNAME:
+ /*
+ * Add the DNAME to the answer list.
+ */
+ trdataset = rctx->rdataset;
+ ISC_LIST_APPEND(ansname->list, rctx->rdataset, link);
+ rctx->rdataset = NULL;
+ if (rctx->sigrdataset != NULL) {
+ ISC_LIST_APPEND(ansname->list,
+ rctx->sigrdataset, link);
+ rctx->sigrdataset = NULL;
+ }
+ ISC_LIST_APPEND(rctx->namelist, ansname, link);
+ ansname = NULL;
+
+ namereln = dns_name_fullcompare(name, fname, &order,
+ &nlabels);
+ INSIST(namereln == dns_namereln_subdomain);
+ /*
+ * Get the target name of the DNAME.
+ */
+ tresult = dns_rdataset_first(trdataset);
+ if (tresult != ISC_R_SUCCESS) {
+ result = tresult;
+ goto done;
+ }
+ dns_rdataset_current(trdataset, &rdata);
+ tresult = dns_rdata_tostruct(&rdata, &dname, NULL);
+ dns_rdata_reset(&rdata);
+ if (tresult != ISC_R_SUCCESS) {
+ result = tresult;
+ goto done;
+ }
+ /*
+ * Construct the new query name and start over.
+ */
+ dns_fixedname_init(&fixed);
+ prefix = dns_fixedname_name(&fixed);
+ dns_name_split(name, nlabels, prefix, NULL);
+ tresult = dns_name_concatenate(prefix, &dname.dname,
+ name, NULL);
+ dns_rdata_freestruct(&dname);
+ if (tresult == ISC_R_SUCCESS)
+ want_restart = ISC_TRUE;
+ else
+ result = tresult;
+ goto done;
+ case DNS_R_NCACHENXDOMAIN:
+ case DNS_R_NCACHENXRRSET:
+ ISC_LIST_APPEND(ansname->list, rctx->rdataset, link);
+ ISC_LIST_APPEND(rctx->namelist, ansname, link);
+ ansname = NULL;
+ rctx->rdataset = NULL;
+ /* What about sigrdataset? */
+ if (rctx->sigrdataset != NULL)
+ putrdataset(mctx, &rctx->sigrdataset);
+ send_event = ISC_TRUE;
+ goto done;
+ default:
+ if (rctx->rdataset != NULL)
+ putrdataset(mctx, &rctx->rdataset);
+ if (rctx->sigrdataset != NULL)
+ putrdataset(mctx, &rctx->sigrdataset);
+ send_event = ISC_TRUE;
+ goto done;
+ }
+
+ if (rctx->type == dns_rdatatype_any) {
+ int n = 0;
+ dns_rdatasetiter_t *rdsiter = NULL;
+
+ tresult = dns_db_allrdatasets(db, node, NULL, 0,
+ &rdsiter);
+ if (tresult != ISC_R_SUCCESS) {
+ result = tresult;
+ goto done;
+ }
+
+ tresult = dns_rdatasetiter_first(rdsiter);
+ while (tresult == ISC_R_SUCCESS) {
+ dns_rdatasetiter_current(rdsiter,
+ rctx->rdataset);
+ if (rctx->rdataset->type != 0) {
+ ISC_LIST_APPEND(ansname->list,
+ rctx->rdataset,
+ link);
+ n++;
+ rctx->rdataset = NULL;
+ } else {
+ /*
+ * We're not interested in this
+ * rdataset.
+ */
+ dns_rdataset_disassociate(
+ rctx->rdataset);
+ }
+ tresult = dns_rdatasetiter_next(rdsiter);
+
+ if (tresult == ISC_R_SUCCESS &&
+ rctx->rdataset == NULL) {
+ tresult = getrdataset(mctx,
+ &rctx->rdataset);
+ if (tresult != ISC_R_SUCCESS) {
+ result = tresult;
+ POST(result);
+ break;
+ }
+ }
+ }
+ if (n == 0) {
+ /*
+ * We didn't match any rdatasets (which means
+ * something went wrong in this
+ * implementation).
+ */
+ result = DNS_R_SERVFAIL; /* better code? */
+ POST(result);
+ } else {
+ ISC_LIST_APPEND(rctx->namelist, ansname, link);
+ ansname = NULL;
+ }
+ dns_rdatasetiter_destroy(&rdsiter);
+ if (tresult != ISC_R_NOMORE)
+ result = DNS_R_SERVFAIL; /* ditto */
+ else
+ result = ISC_R_SUCCESS;
+ goto done;
+ } else {
+ /*
+ * This is the "normal" case -- an ordinary question
+ * to which we've got the answer.
+ */
+ ISC_LIST_APPEND(ansname->list, rctx->rdataset, link);
+ rctx->rdataset = NULL;
+ if (rctx->sigrdataset != NULL) {
+ ISC_LIST_APPEND(ansname->list,
+ rctx->sigrdataset, link);
+ rctx->sigrdataset = NULL;
+ }
+ ISC_LIST_APPEND(rctx->namelist, ansname, link);
+ ansname = NULL;
+ }
+
+ done:
+ /*
+ * Free temporary resources
+ */
+ if (ansname != NULL) {
+ dns_rdataset_t *rdataset;
+
+ while ((rdataset = ISC_LIST_HEAD(ansname->list))
+ != NULL) {
+ ISC_LIST_UNLINK(ansname->list, rdataset, link);
+ putrdataset(mctx, &rdataset);
+ }
+ dns_name_free(ansname, mctx);
+ isc_mem_put(mctx, ansname, sizeof(*ansname));
+ }
+
+ if (node != NULL)
+ dns_db_detachnode(db, &node);
+ if (db != NULL)
+ dns_db_detach(&db);
+ if (event != NULL)
+ isc_event_free(ISC_EVENT_PTR(&event));
+
+ /*
+ * Limit the number of restarts.
+ */
+ if (want_restart && rctx->restarts == MAX_RESTARTS) {
+ want_restart = ISC_FALSE;
+ result = ISC_R_QUOTA;
+ send_event = ISC_TRUE;
+ }
+
+ /*
+ * Prepare further find with new resources
+ */
+ if (want_restart) {
+ INSIST(rctx->rdataset == NULL &&
+ rctx->sigrdataset == NULL);
+
+ result = getrdataset(mctx, &rctx->rdataset);
+ if (result == ISC_R_SUCCESS && rctx->want_dnssec) {
+ result = getrdataset(mctx, &rctx->sigrdataset);
+ if (result != ISC_R_SUCCESS) {
+ putrdataset(mctx, &rctx->rdataset);
+ }
+ }
+
+ if (result != ISC_R_SUCCESS) {
+ want_restart = ISC_FALSE;
+ send_event = ISC_TRUE;
+ }
+ }
+ } while (want_restart);
+
+ if (send_event) {
+ isc_task_t *task;
+
+ while ((name = ISC_LIST_HEAD(rctx->namelist)) != NULL) {
+ ISC_LIST_UNLINK(rctx->namelist, name, link);
+ ISC_LIST_APPEND(rctx->event->answerlist, name, link);
+ }
+
+ rctx->event->result = result;
+ rctx->event->vresult = vresult;
+ task = rctx->event->ev_sender;
+ rctx->event->ev_sender = rctx;
+ isc_task_sendanddetach(&task, ISC_EVENT_PTR(&rctx->event));
+ }
+
+ UNLOCK(&rctx->lock);
+}
+
+static void
+resolve_done(isc_task_t *task, isc_event_t *event) {
+ resarg_t *resarg = event->ev_arg;
+ dns_clientresevent_t *rev = (dns_clientresevent_t *)event;
+ dns_name_t *name;
+
+ UNUSED(task);
+
+ LOCK(&resarg->lock);
+
+ resarg->result = rev->result;
+ resarg->vresult = rev->vresult;
+ while ((name = ISC_LIST_HEAD(rev->answerlist)) != NULL) {
+ ISC_LIST_UNLINK(rev->answerlist, name, link);
+ ISC_LIST_APPEND(*resarg->namelist, name, link);
+ }
+
+ dns_client_destroyrestrans(&resarg->trans);
+ isc_event_free(&event);
+
+ if (!resarg->canceled) {
+ UNLOCK(&resarg->lock);
+
+ /* Exit from the internal event loop */
+ isc_app_ctxsuspend(resarg->actx);
+ } else {
+ /*
+ * We have already exited from the loop (due to some
+ * unexpected event). Just clean the arg up.
+ */
+ UNLOCK(&resarg->lock);
+ DESTROYLOCK(&resarg->lock);
+ isc_mem_put(resarg->client->mctx, resarg, sizeof(*resarg));
+ }
+}
+
+isc_result_t
+dns_client_resolve(dns_client_t *client, dns_name_t *name,
+ dns_rdataclass_t rdclass, dns_rdatatype_t type,
+ unsigned int options, dns_namelist_t *namelist)
+{
+ isc_result_t result;
+ isc_appctx_t *actx;
+ resarg_t *resarg;
+
+ REQUIRE(DNS_CLIENT_VALID(client));
+ REQUIRE(namelist != NULL && ISC_LIST_EMPTY(*namelist));
+
+ if ((client->attributes & DNS_CLIENTATTR_OWNCTX) == 0 &&
+ (options & DNS_CLIENTRESOPT_ALLOWRUN) == 0) {
+ /*
+ * If the client is run under application's control, we need
+ * to create a new running (sub)environment for this
+ * particular resolution.
+ */
+ return (ISC_R_NOTIMPLEMENTED); /* XXXTBD */
+ } else
+ actx = client->actx;
+
+ resarg = isc_mem_get(client->mctx, sizeof(*resarg));
+ if (resarg == NULL)
+ return (ISC_R_NOMEMORY);
+
+ result = isc_mutex_init(&resarg->lock);
+ if (result != ISC_R_SUCCESS) {
+ isc_mem_put(client->mctx, resarg, sizeof(*resarg));
+ return (result);
+ }
+
+ resarg->actx = actx;
+ resarg->client = client;
+ resarg->result = DNS_R_SERVFAIL;
+ resarg->namelist = namelist;
+ resarg->trans = NULL;
+ resarg->canceled = ISC_FALSE;
+ result = dns_client_startresolve(client, name, rdclass, type, options,
+ client->task, resolve_done, resarg,
+ &resarg->trans);
+ if (result != ISC_R_SUCCESS) {
+ DESTROYLOCK(&resarg->lock);
+ isc_mem_put(client->mctx, resarg, sizeof(*resarg));
+ return (result);
+ }
+
+ /*
+ * Start internal event loop. It blocks until the entire process
+ * is completed.
+ */
+ result = isc_app_ctxrun(actx);
+
+ LOCK(&resarg->lock);
+ if (result == ISC_R_SUCCESS || result == ISC_R_SUSPEND)
+ result = resarg->result;
+ if (result != ISC_R_SUCCESS && resarg->vresult != ISC_R_SUCCESS) {
+ /*
+ * If this lookup failed due to some error in DNSSEC
+ * validation, return the validation error code.
+ * XXX: or should we pass the validation result separately?
+ */
+ result = resarg->vresult;
+ }
+ if (resarg->trans != NULL) {
+ /*
+ * Unusual termination (perhaps due to signal). We need some
+ * tricky cleanup process.
+ */
+ resarg->canceled = ISC_TRUE;
+ dns_client_cancelresolve(resarg->trans);
+
+ UNLOCK(&resarg->lock);
+
+ /* resarg will be freed in the event handler. */
+ } else {
+ UNLOCK(&resarg->lock);
+
+ DESTROYLOCK(&resarg->lock);
+ isc_mem_put(client->mctx, resarg, sizeof(*resarg));
+ }
+
+ return (result);
+}
+
+isc_result_t
+dns_client_startresolve(dns_client_t *client, dns_name_t *name,
+ dns_rdataclass_t rdclass, dns_rdatatype_t type,
+ unsigned int options, isc_task_t *task,
+ isc_taskaction_t action, void *arg,
+ dns_clientrestrans_t **transp)
+{
+ dns_view_t *view = NULL;
+ dns_clientresevent_t *event = NULL;
+ resctx_t *rctx = NULL;
+ isc_task_t *clone = NULL;
+ isc_mem_t *mctx;
+ isc_result_t result;
+ dns_rdataset_t *rdataset, *sigrdataset;
+ isc_boolean_t want_dnssec;
+
+ REQUIRE(DNS_CLIENT_VALID(client));
+ REQUIRE(transp != NULL && *transp == NULL);
+
+ LOCK(&client->lock);
+ result = dns_viewlist_find(&client->viewlist, DNS_CLIENTVIEW_NAME,
+ rdclass, &view);
+ UNLOCK(&client->lock);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ mctx = client->mctx;
+ rdataset = NULL;
+ sigrdataset = NULL;
+ want_dnssec = ISC_TF((options & DNS_CLIENTRESOPT_NODNSSEC) == 0);
+
+ /*
+ * Prepare some intermediate resources
+ */
+ clone = NULL;
+ isc_task_attach(task, &clone);
+ event = (dns_clientresevent_t *)
+ isc_event_allocate(mctx, clone, DNS_EVENT_CLIENTRESDONE,
+ action, arg, sizeof(*event));
+ if (event == NULL) {
+ result = ISC_R_NOMEMORY;
+ goto cleanup;
+ }
+ event->result = DNS_R_SERVFAIL;
+ ISC_LIST_INIT(event->answerlist);
+
+ rctx = isc_mem_get(mctx, sizeof(*rctx));
+ if (rctx == NULL)
+ result = ISC_R_NOMEMORY;
+ else {
+ result = isc_mutex_init(&rctx->lock);
+ if (result != ISC_R_SUCCESS) {
+ isc_mem_put(mctx, rctx, sizeof(*rctx));
+ rctx = NULL;
+ }
+ }
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+
+ result = getrdataset(mctx, &rdataset);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+ rctx->rdataset = rdataset;
+
+ if (want_dnssec) {
+ result = getrdataset(mctx, &sigrdataset);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+ }
+ rctx->sigrdataset = sigrdataset;
+
+ dns_fixedname_init(&rctx->name);
+ result = dns_name_copy(name, dns_fixedname_name(&rctx->name), NULL);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+
+ rctx->client = client;
+ ISC_LINK_INIT(rctx, link);
+ rctx->canceled = ISC_FALSE;
+ rctx->task = client->task;
+ rctx->type = type;
+ rctx->view = view;
+ rctx->restarts = 0;
+ rctx->fetch = NULL;
+ rctx->want_dnssec = want_dnssec;
+ ISC_LIST_INIT(rctx->namelist);
+ rctx->event = event;
+
+ rctx->magic = RCTX_MAGIC;
+
+ LOCK(&client->lock);
+ ISC_LIST_APPEND(client->resctxs, rctx, link);
+ UNLOCK(&client->lock);
+
+ client_resfind(rctx, NULL);
+
+ *transp = (dns_clientrestrans_t *)rctx;
+
+ return (ISC_R_SUCCESS);
+
+ cleanup:
+ if (rdataset != NULL)
+ putrdataset(client->mctx, &rdataset);
+ if (sigrdataset != NULL)
+ putrdataset(client->mctx, &sigrdataset);
+ if (rctx != NULL) {
+ DESTROYLOCK(&rctx->lock);
+ isc_mem_put(mctx, rctx, sizeof(*rctx));
+ }
+ if (event != NULL)
+ isc_event_free(ISC_EVENT_PTR(&event));
+ isc_task_detach(&clone);
+ dns_view_detach(&view);
+
+ return (result);
+}
+
+void
+dns_client_cancelresolve(dns_clientrestrans_t *trans) {
+ resctx_t *rctx;
+
+ REQUIRE(trans != NULL);
+ rctx = (resctx_t *)trans;
+ REQUIRE(RCTX_VALID(rctx));
+
+ LOCK(&rctx->lock);
+
+ if (!rctx->canceled) {
+ rctx->canceled = ISC_TRUE;
+ if (rctx->fetch != NULL)
+ dns_resolver_cancelfetch(rctx->fetch);
+ }
+
+ UNLOCK(&rctx->lock);
+}
+
+void
+dns_client_freeresanswer(dns_client_t *client, dns_namelist_t *namelist) {
+ dns_name_t *name;
+ dns_rdataset_t *rdataset;
+
+ REQUIRE(DNS_CLIENT_VALID(client));
+ REQUIRE(namelist != NULL);
+
+ while ((name = ISC_LIST_HEAD(*namelist)) != NULL) {
+ ISC_LIST_UNLINK(*namelist, name, link);
+ while ((rdataset = ISC_LIST_HEAD(name->list)) != NULL) {
+ ISC_LIST_UNLINK(name->list, rdataset, link);
+ putrdataset(client->mctx, &rdataset);
+ }
+ dns_name_free(name, client->mctx);
+ isc_mem_put(client->mctx, name, sizeof(*name));
+ }
+}
+
+void
+dns_client_destroyrestrans(dns_clientrestrans_t **transp) {
+ resctx_t *rctx;
+ isc_mem_t *mctx;
+ dns_client_t *client;
+ isc_boolean_t need_destroyclient = ISC_FALSE;
+
+ REQUIRE(transp != NULL);
+ rctx = (resctx_t *)*transp;
+ REQUIRE(RCTX_VALID(rctx));
+ REQUIRE(rctx->fetch == NULL);
+ REQUIRE(rctx->event == NULL);
+ client = rctx->client;
+ REQUIRE(DNS_CLIENT_VALID(client));
+
+ mctx = client->mctx;
+ dns_view_detach(&rctx->view);
+
+ LOCK(&client->lock);
+
+ INSIST(ISC_LINK_LINKED(rctx, link));
+ ISC_LIST_UNLINK(client->resctxs, rctx, link);
+
+ if (client->references == 0 && ISC_LIST_EMPTY(client->resctxs) &&
+ ISC_LIST_EMPTY(client->reqctxs) &&
+ ISC_LIST_EMPTY(client->updatectxs))
+ need_destroyclient = ISC_TRUE;
+
+ UNLOCK(&client->lock);
+
+ INSIST(ISC_LIST_EMPTY(rctx->namelist));
+
+ DESTROYLOCK(&rctx->lock);
+ rctx->magic = 0;
+
+ isc_mem_put(mctx, rctx, sizeof(*rctx));
+
+ if (need_destroyclient)
+ destroyclient(&client);
+
+ *transp = NULL;
+}
+
+isc_result_t
+dns_client_addtrustedkey(dns_client_t *client, dns_rdataclass_t rdclass,
+ dns_name_t *keyname, isc_buffer_t *keydatabuf)
+{
+ isc_result_t result;
+ dns_view_t *view = NULL;
+ dst_key_t *dstkey = NULL;
+ dns_keytable_t *secroots = NULL;
+
+ REQUIRE(DNS_CLIENT_VALID(client));
+
+ LOCK(&client->lock);
+ result = dns_viewlist_find(&client->viewlist, DNS_CLIENTVIEW_NAME,
+ rdclass, &view);
+ UNLOCK(&client->lock);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+
+ result = dns_view_getsecroots(view, &secroots);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+
+ result = dst_key_fromdns(keyname, rdclass, keydatabuf, client->mctx,
+ &dstkey);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+
+ result = dns_keytable_add(secroots, ISC_FALSE, &dstkey);
+
+ cleanup:
+ if (dstkey != NULL)
+ dst_key_free(&dstkey);
+ if (view != NULL)
+ dns_view_detach(&view);
+ if (secroots != NULL)
+ dns_keytable_detach(&secroots);
+ return (result);
+}
+
+/*%
+ * Simple request routines
+ */
+static void
+request_done(isc_task_t *task, isc_event_t *event) {
+ dns_requestevent_t *reqev = NULL;
+ dns_request_t *request;
+ isc_result_t result, eresult;
+ reqctx_t *ctx;
+
+ UNUSED(task);
+
+ REQUIRE(event->ev_type == DNS_EVENT_REQUESTDONE);
+ reqev = (dns_requestevent_t *)event;
+ request = reqev->request;
+ result = eresult = reqev->result;
+ ctx = reqev->ev_arg;
+ REQUIRE(REQCTX_VALID(ctx));
+
+ isc_event_free(&event);
+
+ LOCK(&ctx->lock);
+
+ if (eresult == ISC_R_SUCCESS) {
+ result = dns_request_getresponse(request, ctx->event->rmessage,
+ ctx->parseoptions);
+ }
+
+ if (ctx->tsigkey != NULL)
+ dns_tsigkey_detach(&ctx->tsigkey);
+
+ if (ctx->canceled)
+ ctx->event->result = ISC_R_CANCELED;
+ else
+ ctx->event->result = result;
+ task = ctx->event->ev_sender;
+ ctx->event->ev_sender = ctx;
+ isc_task_sendanddetach(&task, ISC_EVENT_PTR(&ctx->event));
+
+ UNLOCK(&ctx->lock);
+}
+
+static void
+localrequest_done(isc_task_t *task, isc_event_t *event) {
+ reqarg_t *reqarg = event->ev_arg;
+ dns_clientreqevent_t *rev =(dns_clientreqevent_t *)event;
+
+ UNUSED(task);
+
+ REQUIRE(event->ev_type == DNS_EVENT_CLIENTREQDONE);
+
+ LOCK(&reqarg->lock);
+
+ reqarg->result = rev->result;
+ dns_client_destroyreqtrans(&reqarg->trans);
+ isc_event_free(&event);
+
+ if (!reqarg->canceled) {
+ UNLOCK(&reqarg->lock);
+
+ /* Exit from the internal event loop */
+ isc_app_ctxsuspend(reqarg->actx);
+ } else {
+ /*
+ * We have already exited from the loop (due to some
+ * unexpected event). Just clean the arg up.
+ */
+ UNLOCK(&reqarg->lock);
+ DESTROYLOCK(&reqarg->lock);
+ isc_mem_put(reqarg->client->mctx, reqarg, sizeof(*reqarg));
+ }
+}
+
+isc_result_t
+dns_client_request(dns_client_t *client, dns_message_t *qmessage,
+ dns_message_t *rmessage, isc_sockaddr_t *server,
+ unsigned int options, unsigned int parseoptions,
+ dns_tsec_t *tsec, unsigned int timeout,
+ unsigned int udptimeout, unsigned int udpretries)
+{
+ isc_appctx_t *actx;
+ reqarg_t *reqarg;
+ isc_result_t result;
+
+ REQUIRE(DNS_CLIENT_VALID(client));
+ REQUIRE(qmessage != NULL);
+ REQUIRE(rmessage != NULL);
+
+ if ((client->attributes & DNS_CLIENTATTR_OWNCTX) == 0 &&
+ (options & DNS_CLIENTREQOPT_ALLOWRUN) == 0) {
+ /*
+ * If the client is run under application's control, we need
+ * to create a new running (sub)environment for this
+ * particular resolution.
+ */
+ return (ISC_R_NOTIMPLEMENTED); /* XXXTBD */
+ } else
+ actx = client->actx;
+
+ reqarg = isc_mem_get(client->mctx, sizeof(*reqarg));
+ if (reqarg == NULL)
+ return (ISC_R_NOMEMORY);
+
+ result = isc_mutex_init(&reqarg->lock);
+ if (result != ISC_R_SUCCESS) {
+ isc_mem_put(client->mctx, reqarg, sizeof(*reqarg));
+ return (result);
+ }
+
+ reqarg->actx = actx;
+ reqarg->client = client;
+ reqarg->trans = NULL;
+ reqarg->canceled = ISC_FALSE;
+
+ result = dns_client_startrequest(client, qmessage, rmessage, server,
+ options, parseoptions, tsec, timeout,
+ udptimeout, udpretries,
+ client->task, localrequest_done,
+ reqarg, &reqarg->trans);
+ if (result != ISC_R_SUCCESS) {
+ DESTROYLOCK(&reqarg->lock);
+ isc_mem_put(client->mctx, reqarg, sizeof(*reqarg));
+ return (result);
+ }
+
+ /*
+ * Start internal event loop. It blocks until the entire process
+ * is completed.
+ */
+ result = isc_app_ctxrun(actx);
+
+ LOCK(&reqarg->lock);
+ if (result == ISC_R_SUCCESS || result == ISC_R_SUSPEND)
+ result = reqarg->result;
+ if (reqarg->trans != NULL) {
+ /*
+ * Unusual termination (perhaps due to signal). We need some
+ * tricky cleanup process.
+ */
+ reqarg->canceled = ISC_TRUE;
+ dns_client_cancelresolve(reqarg->trans);
+
+ UNLOCK(&reqarg->lock);
+
+ /* reqarg will be freed in the event handler. */
+ } else {
+ UNLOCK(&reqarg->lock);
+
+ DESTROYLOCK(&reqarg->lock);
+ isc_mem_put(client->mctx, reqarg, sizeof(*reqarg));
+ }
+
+ return (result);
+}
+
+isc_result_t
+dns_client_startrequest(dns_client_t *client, dns_message_t *qmessage,
+ dns_message_t *rmessage, isc_sockaddr_t *server,
+ unsigned int options, unsigned int parseoptions,
+ dns_tsec_t *tsec, unsigned int timeout,
+ unsigned int udptimeout, unsigned int udpretries,
+ isc_task_t *task, isc_taskaction_t action, void *arg,
+ dns_clientreqtrans_t **transp)
+{
+ isc_result_t result;
+ dns_view_t *view = NULL;
+ isc_task_t *clone = NULL;
+ dns_clientreqevent_t *event = NULL;
+ reqctx_t *ctx = NULL;
+ dns_tsectype_t tsectype = dns_tsectype_none;
+
+ UNUSED(options);
+
+ REQUIRE(DNS_CLIENT_VALID(client));
+ REQUIRE(qmessage != NULL);
+ REQUIRE(rmessage != NULL);
+ REQUIRE(transp != NULL && *transp == NULL);
+
+ if (tsec != NULL) {
+ tsectype = dns_tsec_gettype(tsec);
+ if (tsectype != dns_tsectype_tsig)
+ return (ISC_R_NOTIMPLEMENTED); /* XXX */
+ }
+
+ LOCK(&client->lock);
+ result = dns_viewlist_find(&client->viewlist, DNS_CLIENTVIEW_NAME,
+ qmessage->rdclass, &view);
+ UNLOCK(&client->lock);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ clone = NULL;
+ isc_task_attach(task, &clone);
+ event = (dns_clientreqevent_t *)
+ isc_event_allocate(client->mctx, clone,
+ DNS_EVENT_CLIENTREQDONE,
+ action, arg, sizeof(*event));
+ if (event == NULL) {
+ result = ISC_R_NOMEMORY;
+ goto cleanup;
+ }
+
+ ctx = isc_mem_get(client->mctx, sizeof(*ctx));
+ if (ctx == NULL)
+ result = ISC_R_NOMEMORY;
+ else {
+ result = isc_mutex_init(&ctx->lock);
+ if (result != ISC_R_SUCCESS) {
+ isc_mem_put(client->mctx, ctx, sizeof(*ctx));
+ ctx = NULL;
+ }
+ }
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+
+ ctx->client = client;
+ ISC_LINK_INIT(ctx, link);
+ ctx->parseoptions = parseoptions;
+ ctx->canceled = ISC_FALSE;
+ ctx->event = event;
+ ctx->event->rmessage = rmessage;
+ ctx->tsigkey = NULL;
+ if (tsec != NULL)
+ dns_tsec_getkey(tsec, &ctx->tsigkey);
+
+ ctx->magic = REQCTX_MAGIC;
+
+ LOCK(&client->lock);
+ ISC_LIST_APPEND(client->reqctxs, ctx, link);
+ UNLOCK(&client->lock);
+
+ ctx->request = NULL;
+ result = dns_request_createvia3(view->requestmgr, qmessage, NULL,
+ server, options, ctx->tsigkey,
+ timeout, udptimeout, udpretries,
+ client->task, request_done, ctx,
+ &ctx->request);
+ if (result == ISC_R_SUCCESS) {
+ dns_view_detach(&view);
+ *transp = (dns_clientreqtrans_t *)ctx;
+ return (ISC_R_SUCCESS);
+ }
+
+ cleanup:
+ if (ctx != NULL) {
+ LOCK(&client->lock);
+ ISC_LIST_UNLINK(client->reqctxs, ctx, link);
+ UNLOCK(&client->lock);
+ DESTROYLOCK(&ctx->lock);
+ isc_mem_put(client->mctx, ctx, sizeof(*ctx));
+ }
+ if (event != NULL)
+ isc_event_free(ISC_EVENT_PTR(&event));
+ isc_task_detach(&clone);
+ dns_view_detach(&view);
+
+ return (result);
+}
+
+void
+dns_client_cancelrequest(dns_clientreqtrans_t *trans) {
+ reqctx_t *ctx;
+
+ REQUIRE(trans != NULL);
+ ctx = (reqctx_t *)trans;
+ REQUIRE(REQCTX_VALID(ctx));
+
+ LOCK(&ctx->lock);
+
+ if (!ctx->canceled) {
+ ctx->canceled = ISC_TRUE;
+ if (ctx->request != NULL)
+ dns_request_cancel(ctx->request);
+ }
+
+ UNLOCK(&ctx->lock);
+}
+
+void
+dns_client_destroyreqtrans(dns_clientreqtrans_t **transp) {
+ reqctx_t *ctx;
+ isc_mem_t *mctx;
+ dns_client_t *client;
+ isc_boolean_t need_destroyclient = ISC_FALSE;
+
+ REQUIRE(transp != NULL);
+ ctx = (reqctx_t *)*transp;
+ REQUIRE(REQCTX_VALID(ctx));
+ client = ctx->client;
+ REQUIRE(DNS_CLIENT_VALID(client));
+ REQUIRE(ctx->event == NULL);
+ REQUIRE(ctx->request != NULL);
+
+ dns_request_destroy(&ctx->request);
+ mctx = client->mctx;
+
+ LOCK(&client->lock);
+
+ INSIST(ISC_LINK_LINKED(ctx, link));
+ ISC_LIST_UNLINK(client->reqctxs, ctx, link);
+
+ if (client->references == 0 && ISC_LIST_EMPTY(client->resctxs) &&
+ ISC_LIST_EMPTY(client->reqctxs) &&
+ ISC_LIST_EMPTY(client->updatectxs)) {
+ need_destroyclient = ISC_TRUE;
+ }
+
+ UNLOCK(&client->lock);
+
+ DESTROYLOCK(&ctx->lock);
+ ctx->magic = 0;
+
+ isc_mem_put(mctx, ctx, sizeof(*ctx));
+
+ if (need_destroyclient)
+ destroyclient(&client);
+
+ *transp = NULL;
+}
+
+/*%
+ * Dynamic update routines
+ */
+static isc_result_t
+rcode2result(dns_rcode_t rcode) {
+ /* XXX: isn't there a similar function? */
+ switch (rcode) {
+ case dns_rcode_formerr:
+ return (DNS_R_FORMERR);
+ case dns_rcode_servfail:
+ return (DNS_R_SERVFAIL);
+ case dns_rcode_nxdomain:
+ return (DNS_R_NXDOMAIN);
+ case dns_rcode_notimp:
+ return (DNS_R_NOTIMP);
+ case dns_rcode_refused:
+ return (DNS_R_REFUSED);
+ case dns_rcode_yxdomain:
+ return (DNS_R_YXDOMAIN);
+ case dns_rcode_yxrrset:
+ return (DNS_R_YXRRSET);
+ case dns_rcode_nxrrset:
+ return (DNS_R_NXRRSET);
+ case dns_rcode_notauth:
+ return (DNS_R_NOTAUTH);
+ case dns_rcode_notzone:
+ return (DNS_R_NOTZONE);
+ case dns_rcode_badvers:
+ return (DNS_R_BADVERS);
+ }
+
+ return (ISC_R_FAILURE);
+}
+
+static void
+update_sendevent(updatectx_t *uctx, isc_result_t result) {
+ isc_task_t *task;
+
+ dns_message_destroy(&uctx->updatemsg);
+ if (uctx->tsigkey != NULL)
+ dns_tsigkey_detach(&uctx->tsigkey);
+ if (uctx->sig0key != NULL)
+ dst_key_free(&uctx->sig0key);
+
+ if (uctx->canceled)
+ uctx->event->result = ISC_R_CANCELED;
+ else
+ uctx->event->result = result;
+ uctx->event->state = uctx->state;
+ task = uctx->event->ev_sender;
+ uctx->event->ev_sender = uctx;
+ isc_task_sendanddetach(&task, ISC_EVENT_PTR(&uctx->event));
+}
+
+static void
+update_done(isc_task_t *task, isc_event_t *event) {
+ isc_result_t result;
+ dns_requestevent_t *reqev = NULL;
+ dns_request_t *request;
+ dns_message_t *answer = NULL;
+ updatectx_t *uctx = event->ev_arg;
+ dns_client_t *client;
+ unsigned int timeout;
+
+ UNUSED(task);
+
+ REQUIRE(event->ev_type == DNS_EVENT_REQUESTDONE);
+ reqev = (dns_requestevent_t *)event;
+ request = reqev->request;
+ REQUIRE(UCTX_VALID(uctx));
+ client = uctx->client;
+ REQUIRE(DNS_CLIENT_VALID(client));
+
+ result = reqev->result;
+ if (result != ISC_R_SUCCESS)
+ goto out;
+
+ result = dns_message_create(client->mctx, DNS_MESSAGE_INTENTPARSE,
+ &answer);
+ if (result != ISC_R_SUCCESS)
+ goto out;
+ uctx->state = dns_clientupdatestate_done;
+ result = dns_request_getresponse(request, answer,
+ DNS_MESSAGEPARSE_PRESERVEORDER);
+ if (result == ISC_R_SUCCESS && answer->rcode != dns_rcode_noerror)
+ result = rcode2result(answer->rcode);
+
+ out:
+ if (answer != NULL)
+ dns_message_destroy(&answer);
+ isc_event_free(&event);
+
+ LOCK(&uctx->lock);
+ uctx->currentserver = ISC_LIST_NEXT(uctx->currentserver, link);
+ dns_request_destroy(&uctx->updatereq);
+ if (result != ISC_R_SUCCESS && !uctx->canceled &&
+ uctx->currentserver != NULL) {
+ dns_message_renderreset(uctx->updatemsg);
+ dns_message_settsigkey(uctx->updatemsg, NULL);
+
+ timeout = client->update_timeout / uctx->nservers;
+ if (timeout < MIN_UPDATE_TIMEOUT)
+ timeout = MIN_UPDATE_TIMEOUT;
+ result = dns_request_createvia3(uctx->view->requestmgr,
+ uctx->updatemsg,
+ NULL,
+ uctx->currentserver, 0,
+ uctx->tsigkey,
+ timeout,
+ client->update_udptimeout,
+ client->update_udpretries,
+ client->task,
+ update_done, uctx,
+ &uctx->updatereq);
+ UNLOCK(&uctx->lock);
+
+ if (result == ISC_R_SUCCESS) {
+ /* XXX: should we keep the 'done' state here? */
+ uctx->state = dns_clientupdatestate_sent;
+ return;
+ }
+ } else
+ UNLOCK(&uctx->lock);
+
+ update_sendevent(uctx, result);
+}
+
+static isc_result_t
+send_update(updatectx_t *uctx) {
+ isc_result_t result;
+ dns_name_t *name = NULL;
+ dns_rdataset_t *rdataset = NULL;
+ dns_client_t *client = uctx->client;
+ unsigned int timeout;
+
+ REQUIRE(uctx->zonename != NULL && uctx->currentserver != NULL);
+
+ result = dns_message_gettempname(uctx->updatemsg, &name);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ dns_name_init(name, NULL);
+ dns_name_clone(uctx->zonename, name);
+ result = dns_message_gettemprdataset(uctx->updatemsg, &rdataset);
+ if (result != ISC_R_SUCCESS) {
+ dns_message_puttempname(uctx->updatemsg, &name);
+ return (result);
+ }
+ dns_rdataset_makequestion(rdataset, uctx->rdclass, dns_rdatatype_soa);
+ ISC_LIST_INIT(name->list);
+ ISC_LIST_APPEND(name->list, rdataset, link);
+ dns_message_addname(uctx->updatemsg, name, DNS_SECTION_ZONE);
+ if (uctx->tsigkey == NULL && uctx->sig0key != NULL) {
+ result = dns_message_setsig0key(uctx->updatemsg,
+ uctx->sig0key);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ }
+ timeout = client->update_timeout / uctx->nservers;
+ if (timeout < MIN_UPDATE_TIMEOUT)
+ timeout = MIN_UPDATE_TIMEOUT;
+ result = dns_request_createvia3(uctx->view->requestmgr,
+ uctx->updatemsg,
+ NULL, uctx->currentserver, 0,
+ uctx->tsigkey, timeout,
+ client->update_udptimeout,
+ client->update_udpretries,
+ client->task, update_done, uctx,
+ &uctx->updatereq);
+ if (result == ISC_R_SUCCESS &&
+ uctx->state == dns_clientupdatestate_prepare) {
+ uctx->state = dns_clientupdatestate_sent;
+ }
+
+ return (result);
+}
+
+static void
+resolveaddr_done(isc_task_t *task, isc_event_t *event) {
+ isc_result_t result;
+ int family;
+ dns_rdatatype_t qtype;
+ dns_clientresevent_t *rev = (dns_clientresevent_t *)event;
+ dns_name_t *name;
+ dns_rdataset_t *rdataset;
+ updatectx_t *uctx;
+ isc_boolean_t completed = ISC_FALSE;
+
+ UNUSED(task);
+
+ REQUIRE(event->ev_arg != NULL);
+ uctx = *(updatectx_t **)event->ev_arg;
+ REQUIRE(UCTX_VALID(uctx));
+
+ if (event->ev_arg == &uctx->bp4) {
+ family = AF_INET;
+ qtype = dns_rdatatype_a;
+ LOCK(&uctx->lock);
+ dns_client_destroyrestrans(&uctx->restrans);
+ UNLOCK(&uctx->lock);
+ } else {
+ INSIST(event->ev_arg == &uctx->bp6);
+ family = AF_INET6;
+ qtype = dns_rdatatype_aaaa;
+ LOCK(&uctx->lock);
+ dns_client_destroyrestrans(&uctx->restrans2);
+ UNLOCK(&uctx->lock);
+ }
+
+ result = rev->result;
+ if (result != ISC_R_SUCCESS)
+ goto done;
+
+ for (name = ISC_LIST_HEAD(rev->answerlist); name != NULL;
+ name = ISC_LIST_NEXT(name, link)) {
+ for (rdataset = ISC_LIST_HEAD(name->list);
+ rdataset != NULL;
+ rdataset = ISC_LIST_NEXT(rdataset, link)) {
+ if (!dns_rdataset_isassociated(rdataset))
+ continue;
+ if (rdataset->type != qtype)
+ continue;
+
+ for (result = dns_rdataset_first(rdataset);
+ result == ISC_R_SUCCESS;
+ result = dns_rdataset_next(rdataset)) {
+ dns_rdata_t rdata;
+ dns_rdata_in_a_t rdata_a;
+ dns_rdata_in_aaaa_t rdata_aaaa;
+ isc_sockaddr_t *sa;
+
+ sa = isc_mem_get(uctx->client->mctx,
+ sizeof(*sa));
+ if (sa == NULL) {
+ /*
+ * If we fail to get a sockaddr,
+ we simply move forward with the
+ * addresses we've got so far.
+ */
+ goto done;
+ }
+
+ dns_rdata_init(&rdata);
+ switch (family) {
+ case AF_INET:
+ dns_rdataset_current(rdataset, &rdata);
+ dns_rdata_tostruct(&rdata, &rdata_a,
+ NULL);
+ isc_sockaddr_fromin(sa,
+ &rdata_a.in_addr,
+ 53);
+ dns_rdata_freestruct(&rdata_a);
+ break;
+ case AF_INET6:
+ dns_rdataset_current(rdataset, &rdata);
+ dns_rdata_tostruct(&rdata, &rdata_aaaa,
+ NULL);
+ isc_sockaddr_fromin6(sa,
+ &rdata_aaaa.in6_addr,
+ 53);
+ dns_rdata_freestruct(&rdata_aaaa);
+ break;
+ }
+
+ ISC_LINK_INIT(sa, link);
+ ISC_LIST_APPEND(uctx->servers, sa, link);
+ uctx->nservers++;
+ }
+ }
+ }
+
+ done:
+ dns_client_freeresanswer(uctx->client, &rev->answerlist);
+ isc_event_free(&event);
+
+ LOCK(&uctx->lock);
+ if (uctx->restrans == NULL && uctx->restrans2 == NULL)
+ completed = ISC_TRUE;
+ UNLOCK(&uctx->lock);
+
+ if (completed) {
+ INSIST(uctx->currentserver == NULL);
+ uctx->currentserver = ISC_LIST_HEAD(uctx->servers);
+ if (uctx->currentserver != NULL && !uctx->canceled)
+ send_update(uctx);
+ else {
+ if (result == ISC_R_SUCCESS)
+ result = ISC_R_NOTFOUND;
+ update_sendevent(uctx, result);
+ }
+ }
+}
+
+static isc_result_t
+process_soa(updatectx_t *uctx, dns_rdataset_t *soaset, dns_name_t *soaname) {
+ isc_result_t result;
+ dns_rdata_t soarr = DNS_RDATA_INIT;
+ dns_rdata_soa_t soa;
+ dns_name_t primary;
+
+ result = dns_rdataset_first(soaset);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ dns_rdata_init(&soarr);
+ dns_rdataset_current(soaset, &soarr);
+ result = dns_rdata_tostruct(&soarr, &soa, NULL);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ dns_name_init(&primary, NULL);
+ dns_name_clone(&soa.origin, &primary);
+
+ if (uctx->zonename == NULL) {
+ uctx->zonename = dns_fixedname_name(&uctx->zonefname);
+ result = dns_name_copy(soaname, uctx->zonename, NULL);
+ if (result != ISC_R_SUCCESS)
+ goto out;
+ }
+
+ if (uctx->currentserver != NULL)
+ result = send_update(uctx);
+ else {
+ /*
+ * Get addresses of the primary server. We don't use the ADB
+ * feature so that we could avoid caching data.
+ */
+ LOCK(&uctx->lock);
+ uctx->bp4 = uctx;
+ result = dns_client_startresolve(uctx->client, &primary,
+ uctx->rdclass,
+ dns_rdatatype_a,
+ 0, uctx->client->task,
+ resolveaddr_done, &uctx->bp4,
+ &uctx->restrans);
+ if (result == ISC_R_SUCCESS) {
+ uctx->bp6 = uctx;
+ result = dns_client_startresolve(uctx->client,
+ &primary,
+ uctx->rdclass,
+ dns_rdatatype_aaaa,
+ 0, uctx->client->task,
+ resolveaddr_done,
+ &uctx->bp6,
+ &uctx->restrans2);
+ }
+ UNLOCK(&uctx->lock);
+ }
+
+ out:
+ dns_rdata_freestruct(&soa);
+
+ return (result);
+}
+
+static void
+receive_soa(isc_task_t *task, isc_event_t *event) {
+ dns_requestevent_t *reqev = NULL;
+ updatectx_t *uctx;
+ dns_client_t *client;
+ isc_result_t result, eresult;
+ dns_request_t *request;
+ dns_message_t *rcvmsg = NULL;
+ dns_section_t section;
+ dns_rdataset_t *soaset = NULL;
+ int pass = 0;
+ dns_name_t *name;
+ dns_message_t *soaquery = NULL;
+ isc_sockaddr_t *addr;
+ isc_boolean_t seencname = ISC_FALSE;
+ isc_boolean_t droplabel = ISC_FALSE;
+ dns_name_t tname;
+ unsigned int nlabels;
+
+ UNUSED(task);
+
+ REQUIRE(event->ev_type == DNS_EVENT_REQUESTDONE);
+ reqev = (dns_requestevent_t *)event;
+ request = reqev->request;
+ result = eresult = reqev->result;
+ POST(result);
+ uctx = reqev->ev_arg;
+ client = uctx->client;
+ soaquery = uctx->soaquery;
+ addr = uctx->currentserver;
+ INSIST(addr != NULL);
+
+ isc_event_free(&event);
+
+ if (eresult != ISC_R_SUCCESS) {
+ result = eresult;
+ goto out;
+ }
+
+ result = dns_message_create(uctx->client->mctx,
+ DNS_MESSAGE_INTENTPARSE, &rcvmsg);
+ if (result != ISC_R_SUCCESS)
+ goto out;
+ result = dns_request_getresponse(request, rcvmsg,
+ DNS_MESSAGEPARSE_PRESERVEORDER);
+
+ if (result == DNS_R_TSIGERRORSET) {
+ dns_request_t *newrequest = NULL;
+
+ /* Retry SOA request without TSIG */
+ dns_message_destroy(&rcvmsg);
+ dns_message_renderreset(uctx->soaquery);
+ result = dns_request_createvia3(uctx->view->requestmgr,
+ uctx->soaquery, NULL, addr, 0,
+ NULL,
+ client->find_timeout * 20,
+ client->find_timeout, 3,
+ uctx->client->task,
+ receive_soa, uctx,
+ &newrequest);
+ if (result == ISC_R_SUCCESS) {
+ LOCK(&uctx->lock);
+ dns_request_destroy(&uctx->soareq);
+ uctx->soareq = newrequest;
+ UNLOCK(&uctx->lock);
+
+ return;
+ }
+ goto out;
+ }
+
+ section = DNS_SECTION_ANSWER;
+ POST(section);
+
+ if (rcvmsg->rcode != dns_rcode_noerror &&
+ rcvmsg->rcode != dns_rcode_nxdomain) {
+ result = rcode2result(rcvmsg->rcode);
+ goto out;
+ }
+
+ lookforsoa:
+ if (pass == 0)
+ section = DNS_SECTION_ANSWER;
+ else if (pass == 1)
+ section = DNS_SECTION_AUTHORITY;
+ else {
+ droplabel = ISC_TRUE;
+ goto out;
+ }
+
+ result = dns_message_firstname(rcvmsg, section);
+ if (result != ISC_R_SUCCESS) {
+ pass++;
+ goto lookforsoa;
+ }
+ while (result == ISC_R_SUCCESS) {
+ name = NULL;
+ dns_message_currentname(rcvmsg, section, &name);
+ soaset = NULL;
+ result = dns_message_findtype(name, dns_rdatatype_soa, 0,
+ &soaset);
+ if (result == ISC_R_SUCCESS)
+ break;
+ if (section == DNS_SECTION_ANSWER) {
+ dns_rdataset_t *tset = NULL;
+ if (dns_message_findtype(name, dns_rdatatype_cname, 0,
+ &tset) == ISC_R_SUCCESS
+ ||
+ dns_message_findtype(name, dns_rdatatype_dname, 0,
+ &tset) == ISC_R_SUCCESS
+ )
+ {
+ seencname = ISC_TRUE;
+ break;
+ }
+ }
+
+ result = dns_message_nextname(rcvmsg, section);
+ }
+
+ if (soaset == NULL && !seencname) {
+ pass++;
+ goto lookforsoa;
+ }
+
+ if (seencname) {
+ droplabel = ISC_TRUE;
+ goto out;
+ }
+
+ result = process_soa(uctx, soaset, name);
+
+ out:
+ if (droplabel) {
+ result = dns_message_firstname(soaquery, DNS_SECTION_QUESTION);
+ INSIST(result == ISC_R_SUCCESS);
+ name = NULL;
+ dns_message_currentname(soaquery, DNS_SECTION_QUESTION, &name);
+ nlabels = dns_name_countlabels(name);
+ if (nlabels == 1)
+ result = DNS_R_SERVFAIL; /* is there a better error? */
+ else {
+ dns_name_init(&tname, NULL);
+ dns_name_getlabelsequence(name, 1, nlabels - 1,
+ &tname);
+ dns_name_clone(&tname, name);
+ dns_request_destroy(&request);
+ LOCK(&uctx->lock);
+ uctx->soareq = NULL;
+ UNLOCK(&uctx->lock);
+ dns_message_renderreset(soaquery);
+ dns_message_settsigkey(soaquery, NULL);
+ result = dns_request_createvia3(uctx->view->requestmgr,
+ soaquery, NULL,
+ uctx->currentserver, 0,
+ uctx->tsigkey,
+ client->find_timeout *
+ 20,
+ client->find_timeout,
+ 3, client->task,
+ receive_soa, uctx,
+ &uctx->soareq);
+ }
+ }
+
+ if (!droplabel || result != ISC_R_SUCCESS) {
+ dns_message_destroy(&uctx->soaquery);
+ LOCK(&uctx->lock);
+ dns_request_destroy(&uctx->soareq);
+ UNLOCK(&uctx->lock);
+ }
+
+ if (rcvmsg != NULL)
+ dns_message_destroy(&rcvmsg);
+
+ if (result != ISC_R_SUCCESS)
+ update_sendevent(uctx, result);
+}
+
+static isc_result_t
+request_soa(updatectx_t *uctx) {
+ isc_result_t result;
+ dns_message_t *soaquery = uctx->soaquery;
+ dns_name_t *name = NULL;
+ dns_rdataset_t *rdataset = NULL;
+
+ if (soaquery == NULL) {
+ result = dns_message_create(uctx->client->mctx,
+ DNS_MESSAGE_INTENTRENDER,
+ &soaquery);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ }
+ soaquery->flags |= DNS_MESSAGEFLAG_RD;
+ result = dns_message_gettempname(soaquery, &name);
+ if (result != ISC_R_SUCCESS)
+ goto fail;
+ result = dns_message_gettemprdataset(soaquery, &rdataset);
+ if (result != ISC_R_SUCCESS)
+ goto fail;
+ dns_rdataset_makequestion(rdataset, uctx->rdclass, dns_rdatatype_soa);
+ dns_name_clone(uctx->firstname, name);
+ ISC_LIST_APPEND(name->list, rdataset, link);
+ dns_message_addname(soaquery, name, DNS_SECTION_QUESTION);
+ rdataset = NULL;
+ name = NULL;
+
+ result = dns_request_createvia3(uctx->view->requestmgr,
+ soaquery, NULL, uctx->currentserver, 0,
+ uctx->tsigkey,
+ uctx->client->find_timeout * 20,
+ uctx->client->find_timeout, 3,
+ uctx->client->task, receive_soa, uctx,
+ &uctx->soareq);
+ if (result == ISC_R_SUCCESS) {
+ uctx->soaquery = soaquery;
+ return (ISC_R_SUCCESS);
+ }
+
+ fail:
+ if (rdataset != NULL) {
+ ISC_LIST_UNLINK(name->list, rdataset, link); /* for safety */
+ dns_message_puttemprdataset(soaquery, &rdataset);
+ }
+ if (name != NULL)
+ dns_message_puttempname(soaquery, &name);
+ dns_message_destroy(&soaquery);
+
+ return (result);
+}
+
+static void
+resolvesoa_done(isc_task_t *task, isc_event_t *event) {
+ dns_clientresevent_t *rev = (dns_clientresevent_t *)event;
+ updatectx_t *uctx;
+ dns_name_t *name, tname;
+ dns_rdataset_t *rdataset = NULL;
+ isc_result_t result = rev->result;
+ unsigned int nlabels;
+
+ UNUSED(task);
+
+ uctx = event->ev_arg;
+ REQUIRE(UCTX_VALID(uctx));
+
+ LOCK(&uctx->lock);
+ dns_client_destroyrestrans(&uctx->restrans);
+ UNLOCK(&uctx->lock);
+
+ uctx = event->ev_arg;
+ if (result != ISC_R_SUCCESS &&
+ result != DNS_R_NCACHENXDOMAIN &&
+ result != DNS_R_NCACHENXRRSET) {
+ /* XXX: what about DNSSEC failure? */
+ goto out;
+ }
+
+ for (name = ISC_LIST_HEAD(rev->answerlist); name != NULL;
+ name = ISC_LIST_NEXT(name, link)) {
+ for (rdataset = ISC_LIST_HEAD(name->list);
+ rdataset != NULL;
+ rdataset = ISC_LIST_NEXT(rdataset, link)) {
+ if (dns_rdataset_isassociated(rdataset) &&
+ rdataset->type == dns_rdatatype_soa)
+ break;
+ }
+ }
+
+ if (rdataset == NULL) {
+ /* Drop one label and retry resolution. */
+ nlabels = dns_name_countlabels(&uctx->soaqname);
+ if (nlabels == 1) {
+ result = DNS_R_SERVFAIL; /* is there a better error? */
+ goto out;
+ }
+ dns_name_init(&tname, NULL);
+ dns_name_getlabelsequence(&uctx->soaqname, 1, nlabels - 1,
+ &tname);
+ dns_name_clone(&tname, &uctx->soaqname);
+
+ result = dns_client_startresolve(uctx->client, &uctx->soaqname,
+ uctx->rdclass,
+ dns_rdatatype_soa, 0,
+ uctx->client->task,
+ resolvesoa_done, uctx,
+ &uctx->restrans);
+ } else
+ result = process_soa(uctx, rdataset, &uctx->soaqname);
+
+ out:
+ dns_client_freeresanswer(uctx->client, &rev->answerlist);
+ isc_event_free(&event);
+
+ if (result != ISC_R_SUCCESS)
+ update_sendevent(uctx, result);
+}
+
+static isc_result_t
+copy_name(isc_mem_t *mctx, dns_message_t *msg, dns_name_t *name,
+ dns_name_t **newnamep)
+{
+ isc_result_t result;
+ dns_name_t *newname = NULL;
+ isc_region_t r;
+ isc_buffer_t *namebuf = NULL, *rdatabuf = NULL;
+ dns_rdatalist_t *rdatalist;
+ dns_rdataset_t *rdataset, *newrdataset;
+ dns_rdata_t rdata = DNS_RDATA_INIT, *newrdata;
+
+ result = dns_message_gettempname(msg, &newname);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ result = isc_buffer_allocate(mctx, &namebuf, DNS_NAME_MAXWIRE);
+ if (result != ISC_R_SUCCESS)
+ goto fail;
+ dns_name_init(newname, NULL);
+ dns_name_setbuffer(newname, namebuf);
+ dns_message_takebuffer(msg, &namebuf);
+ result = dns_name_copy(name, newname, NULL);
+ if (result != ISC_R_SUCCESS)
+ goto fail;
+
+ for (rdataset = ISC_LIST_HEAD(name->list); rdataset != NULL;
+ rdataset = ISC_LIST_NEXT(rdataset, link)) {
+ rdatalist = NULL;
+ result = dns_message_gettemprdatalist(msg, &rdatalist);
+ if (result != ISC_R_SUCCESS)
+ goto fail;
+ dns_rdatalist_init(rdatalist);
+ rdatalist->type = rdataset->type;
+ rdatalist->rdclass = rdataset->rdclass;
+ rdatalist->covers = rdataset->covers;
+ rdatalist->ttl = rdataset->ttl;
+
+ result = dns_rdataset_first(rdataset);
+ while (result == ISC_R_SUCCESS) {
+ dns_rdata_reset(&rdata);
+ dns_rdataset_current(rdataset, &rdata);
+
+ newrdata = NULL;
+ result = dns_message_gettemprdata(msg, &newrdata);
+ if (result != ISC_R_SUCCESS)
+ goto fail;
+ dns_rdata_toregion(&rdata, &r);
+ rdatabuf = NULL;
+ result = isc_buffer_allocate(mctx, &rdatabuf,
+ r.length);
+ if (result != ISC_R_SUCCESS)
+ goto fail;
+ isc_buffer_putmem(rdatabuf, r.base, r.length);
+ isc_buffer_usedregion(rdatabuf, &r);
+ dns_rdata_init(newrdata);
+ dns_rdata_fromregion(newrdata, rdata.rdclass,
+ rdata.type, &r);
+ newrdata->flags = rdata.flags;
+
+ ISC_LIST_APPEND(rdatalist->rdata, newrdata, link);
+ dns_message_takebuffer(msg, &rdatabuf);
+
+ result = dns_rdataset_next(rdataset);
+ }
+
+ newrdataset = NULL;
+ result = dns_message_gettemprdataset(msg, &newrdataset);
+ if (result != ISC_R_SUCCESS)
+ goto fail;
+ dns_rdataset_init(newrdataset);
+ dns_rdatalist_tordataset(rdatalist, newrdataset);
+
+ ISC_LIST_APPEND(newname->list, newrdataset, link);
+ }
+
+ *newnamep = newname;
+
+ return (ISC_R_SUCCESS);
+
+ fail:
+ dns_message_puttempname(msg, &newname);
+
+ return (result);
+
+}
+
+static void
+internal_update_callback(isc_task_t *task, isc_event_t *event) {
+ updatearg_t *uarg = event->ev_arg;
+ dns_clientupdateevent_t *uev = (dns_clientupdateevent_t *)event;
+
+ UNUSED(task);
+
+ LOCK(&uarg->lock);
+
+ uarg->result = uev->result;
+
+ dns_client_destroyupdatetrans(&uarg->trans);
+ isc_event_free(&event);
+
+ if (!uarg->canceled) {
+ UNLOCK(&uarg->lock);
+
+ /* Exit from the internal event loop */
+ isc_app_ctxsuspend(uarg->actx);
+ } else {
+ /*
+ * We have already exited from the loop (due to some
+ * unexpected event). Just clean the arg up.
+ */
+ UNLOCK(&uarg->lock);
+ DESTROYLOCK(&uarg->lock);
+ isc_mem_put(uarg->client->mctx, uarg, sizeof(*uarg));
+ }
+}
+
+isc_result_t
+dns_client_update(dns_client_t *client, dns_rdataclass_t rdclass,
+ dns_name_t *zonename, dns_namelist_t *prerequisites,
+ dns_namelist_t *updates, isc_sockaddrlist_t *servers,
+ dns_tsec_t *tsec, unsigned int options)
+{
+ isc_result_t result;
+ isc_appctx_t *actx;
+ updatearg_t *uarg;
+
+ REQUIRE(DNS_CLIENT_VALID(client));
+
+ if ((client->attributes & DNS_CLIENTATTR_OWNCTX) == 0 &&
+ (options & DNS_CLIENTRESOPT_ALLOWRUN) == 0) {
+ /*
+ * If the client is run under application's control, we need
+ * to create a new running (sub)environment for this
+ * particular resolution.
+ */
+ return (ISC_R_NOTIMPLEMENTED); /* XXXTBD */
+ } else
+ actx = client->actx;
+
+ uarg = isc_mem_get(client->mctx, sizeof(*uarg));
+ if (uarg == NULL)
+ return (ISC_R_NOMEMORY);
+
+ result = isc_mutex_init(&uarg->lock);
+ if (result != ISC_R_SUCCESS) {
+ isc_mem_put(client->mctx, uarg, sizeof(*uarg));
+ return (result);
+ }
+
+ uarg->actx = actx;
+ uarg->client = client;
+ uarg->result = ISC_R_FAILURE;
+ uarg->trans = NULL;
+ uarg->canceled = ISC_FALSE;
+
+ result = dns_client_startupdate(client, rdclass, zonename,
+ prerequisites, updates, servers,
+ tsec, options, client->task,
+ internal_update_callback, uarg,
+ &uarg->trans);
+ if (result != ISC_R_SUCCESS) {
+ DESTROYLOCK(&uarg->lock);
+ isc_mem_put(client->mctx, uarg, sizeof(*uarg));
+ return (result);
+ }
+
+ /*
+ * Start internal event loop. It blocks until the entire process
+ * is completed.
+ */
+ result = isc_app_ctxrun(actx);
+
+ LOCK(&uarg->lock);
+ if (result == ISC_R_SUCCESS || result == ISC_R_SUSPEND)
+ result = uarg->result;
+
+ if (uarg->trans != NULL) {
+ /*
+ * Unusual termination (perhaps due to signal). We need some
+ * tricky cleanup process.
+ */
+ uarg->canceled = ISC_TRUE;
+ dns_client_cancelupdate(uarg->trans);
+
+ UNLOCK(&uarg->lock);
+
+ /* uarg will be freed in the event handler. */
+ } else {
+ UNLOCK(&uarg->lock);
+
+ DESTROYLOCK(&uarg->lock);
+ isc_mem_put(client->mctx, uarg, sizeof(*uarg));
+ }
+
+ return (result);
+}
+
+isc_result_t
+dns_client_startupdate(dns_client_t *client, dns_rdataclass_t rdclass,
+ dns_name_t *zonename, dns_namelist_t *prerequisites,
+ dns_namelist_t *updates, isc_sockaddrlist_t *servers,
+ dns_tsec_t *tsec, unsigned int options,
+ isc_task_t *task, isc_taskaction_t action, void *arg,
+ dns_clientupdatetrans_t **transp)
+{
+ dns_view_t *view = NULL;
+ isc_result_t result;
+ dns_name_t *name, *newname;
+ updatectx_t *uctx;
+ isc_task_t *clone = NULL;
+ dns_section_t section = DNS_SECTION_UPDATE;
+ isc_sockaddr_t *server, *sa = NULL;
+ dns_tsectype_t tsectype = dns_tsectype_none;
+
+ UNUSED(options);
+
+ REQUIRE(DNS_CLIENT_VALID(client));
+ REQUIRE(transp != NULL && *transp == NULL);
+ REQUIRE(updates != NULL);
+ REQUIRE(task != NULL);
+
+ if (tsec != NULL) {
+ tsectype = dns_tsec_gettype(tsec);
+ if (tsectype != dns_tsectype_tsig)
+ return (ISC_R_NOTIMPLEMENTED); /* XXX */
+ }
+
+ LOCK(&client->lock);
+ result = dns_viewlist_find(&client->viewlist, DNS_CLIENTVIEW_NAME,
+ rdclass, &view);
+ UNLOCK(&client->lock);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ /* Create a context and prepare some resources */
+ uctx = isc_mem_get(client->mctx, sizeof(*uctx));
+ if (uctx == NULL) {
+ dns_view_detach(&view);
+ return (ISC_R_NOMEMORY);
+ }
+ result = isc_mutex_init(&uctx->lock);
+ if (result != ISC_R_SUCCESS) {
+ dns_view_detach(&view);
+ isc_mem_put(client->mctx, uctx, sizeof(*uctx));
+ return (ISC_R_NOMEMORY);
+ }
+ clone = NULL;
+ isc_task_attach(task, &clone);
+ uctx->client = client;
+ ISC_LINK_INIT(uctx, link);
+ uctx->state = dns_clientupdatestate_prepare;
+ uctx->view = view;
+ uctx->rdclass = rdclass;
+ uctx->canceled = ISC_FALSE;
+ uctx->updatemsg = NULL;
+ uctx->soaquery = NULL;
+ uctx->updatereq = NULL;
+ uctx->restrans = NULL;
+ uctx->restrans2 = NULL;
+ uctx->bp4 = NULL;
+ uctx->bp6 = NULL;
+ uctx->soareq = NULL;
+ uctx->event = NULL;
+ uctx->tsigkey = NULL;
+ uctx->sig0key = NULL;
+ uctx->zonename = NULL;
+ dns_name_init(&uctx->soaqname, NULL);
+ ISC_LIST_INIT(uctx->servers);
+ uctx->nservers = 0;
+ uctx->currentserver = NULL;
+ dns_fixedname_init(&uctx->zonefname);
+ if (tsec != NULL)
+ dns_tsec_getkey(tsec, &uctx->tsigkey);
+ uctx->event = (dns_clientupdateevent_t *)
+ isc_event_allocate(client->mctx, clone, DNS_EVENT_UPDATEDONE,
+ action, arg, sizeof(*uctx->event));
+ if (uctx->event == NULL)
+ goto fail;
+ if (zonename != NULL) {
+ uctx->zonename = dns_fixedname_name(&uctx->zonefname);
+ result = dns_name_copy(zonename, uctx->zonename, NULL);
+ }
+ if (servers != NULL) {
+ for (server = ISC_LIST_HEAD(*servers);
+ server != NULL;
+ server = ISC_LIST_NEXT(server, link)) {
+ sa = isc_mem_get(client->mctx, sizeof(*sa));
+ if (sa == NULL)
+ goto fail;
+ sa->type = server->type;
+ sa->length = server->length;
+ ISC_LINK_INIT(sa, link);
+ ISC_LIST_APPEND(uctx->servers, sa, link);
+ if (uctx->currentserver == NULL)
+ uctx->currentserver = sa;
+ uctx->nservers++;
+ }
+ }
+
+ /* Make update message */
+ result = dns_message_create(client->mctx, DNS_MESSAGE_INTENTRENDER,
+ &uctx->updatemsg);
+ if (result != ISC_R_SUCCESS)
+ goto fail;
+ uctx->updatemsg->opcode = dns_opcode_update;
+
+ if (prerequisites != NULL) {
+ for (name = ISC_LIST_HEAD(*prerequisites); name != NULL;
+ name = ISC_LIST_NEXT(name, link)) {
+ newname = NULL;
+ result = copy_name(client->mctx, uctx->updatemsg,
+ name, &newname);
+ if (result != ISC_R_SUCCESS)
+ goto fail;
+ dns_message_addname(uctx->updatemsg, newname,
+ DNS_SECTION_PREREQUISITE);
+ }
+ }
+
+ for (name = ISC_LIST_HEAD(*updates); name != NULL;
+ name = ISC_LIST_NEXT(name, link)) {
+ newname = NULL;
+ result = copy_name(client->mctx, uctx->updatemsg, name,
+ &newname);
+ if (result != ISC_R_SUCCESS)
+ goto fail;
+ dns_message_addname(uctx->updatemsg, newname,
+ DNS_SECTION_UPDATE);
+ }
+
+ uctx->firstname = NULL;
+ result = dns_message_firstname(uctx->updatemsg, section);
+ if (result == ISC_R_NOMORE) {
+ section = DNS_SECTION_PREREQUISITE;
+ result = dns_message_firstname(uctx->updatemsg, section);
+ }
+ if (result != ISC_R_SUCCESS)
+ goto fail;
+ dns_message_currentname(uctx->updatemsg, section, &uctx->firstname);
+
+ uctx->magic = UCTX_MAGIC;
+
+ LOCK(&client->lock);
+ ISC_LIST_APPEND(client->updatectxs, uctx, link);
+ UNLOCK(&client->lock);
+
+ if (uctx->zonename != NULL && uctx->currentserver != NULL) {
+ result = send_update(uctx);
+ if (result != ISC_R_SUCCESS)
+ goto fail;
+ } else if (uctx->currentserver != NULL) {
+ result = request_soa(uctx);
+ if (result != ISC_R_SUCCESS)
+ goto fail;
+ } else {
+ dns_name_clone(uctx->firstname, &uctx->soaqname);
+ result = dns_client_startresolve(uctx->client, &uctx->soaqname,
+ uctx->rdclass,
+ dns_rdatatype_soa, 0,
+ client->task, resolvesoa_done,
+ uctx, &uctx->restrans);
+ if (result != ISC_R_SUCCESS)
+ goto fail;
+ }
+
+ *transp = (dns_clientupdatetrans_t *)uctx;
+
+ return (ISC_R_SUCCESS);
+
+ fail:
+ if (ISC_LINK_LINKED(uctx, link)) {
+ LOCK(&client->lock);
+ ISC_LIST_UNLINK(client->updatectxs, uctx, link);
+ UNLOCK(&client->lock);
+ }
+ if (uctx->updatemsg != NULL)
+ dns_message_destroy(&uctx->updatemsg);
+ while ((sa = ISC_LIST_HEAD(uctx->servers)) != NULL) {
+ ISC_LIST_UNLINK(uctx->servers, sa, link);
+ isc_mem_put(client->mctx, sa, sizeof(*sa));
+ }
+ if (uctx->event != NULL)
+ isc_event_free(ISC_EVENT_PTR(&uctx->event));
+ if (uctx->tsigkey != NULL)
+ dns_tsigkey_detach(&uctx->tsigkey);
+ isc_task_detach(&clone);
+ DESTROYLOCK(&uctx->lock);
+ uctx->magic = 0;
+ isc_mem_put(client->mctx, uctx, sizeof(*uctx));
+ dns_view_detach(&view);
+
+ return (result);
+}
+
+void
+dns_client_cancelupdate(dns_clientupdatetrans_t *trans) {
+ updatectx_t *uctx;
+
+ REQUIRE(trans != NULL);
+ uctx = (updatectx_t *)trans;
+ REQUIRE(UCTX_VALID(uctx));
+
+ LOCK(&uctx->lock);
+
+ if (!uctx->canceled) {
+ uctx->canceled = ISC_TRUE;
+ if (uctx->updatereq != NULL)
+ dns_request_cancel(uctx->updatereq);
+ if (uctx->soareq != NULL)
+ dns_request_cancel(uctx->soareq);
+ if (uctx->restrans != NULL)
+ dns_client_cancelresolve(uctx->restrans);
+ if (uctx->restrans2 != NULL)
+ dns_client_cancelresolve(uctx->restrans2);
+ }
+
+ UNLOCK(&uctx->lock);
+}
+
+void
+dns_client_destroyupdatetrans(dns_clientupdatetrans_t **transp) {
+ updatectx_t *uctx;
+ isc_mem_t *mctx;
+ dns_client_t *client;
+ isc_boolean_t need_destroyclient = ISC_FALSE;
+ isc_sockaddr_t *sa;
+
+ REQUIRE(transp != NULL);
+ uctx = (updatectx_t *)*transp;
+ REQUIRE(UCTX_VALID(uctx));
+ client = uctx->client;
+ REQUIRE(DNS_CLIENT_VALID(client));
+ REQUIRE(uctx->updatereq == NULL && uctx->updatemsg == NULL &&
+ uctx->soareq == NULL && uctx->soaquery == NULL &&
+ uctx->event == NULL && uctx->tsigkey == NULL &&
+ uctx->sig0key == NULL);
+
+ mctx = client->mctx;
+ dns_view_detach(&uctx->view);
+ while ((sa = ISC_LIST_HEAD(uctx->servers)) != NULL) {
+ ISC_LIST_UNLINK(uctx->servers, sa, link);
+ isc_mem_put(mctx, sa, sizeof(*sa));
+ }
+
+ LOCK(&client->lock);
+
+ INSIST(ISC_LINK_LINKED(uctx, link));
+ ISC_LIST_UNLINK(client->updatectxs, uctx, link);
+
+ if (client->references == 0 && ISC_LIST_EMPTY(client->resctxs) &&
+ ISC_LIST_EMPTY(client->reqctxs) &&
+ ISC_LIST_EMPTY(client->updatectxs))
+ need_destroyclient = ISC_TRUE;
+
+ UNLOCK(&client->lock);
+
+ DESTROYLOCK(&uctx->lock);
+ uctx->magic = 0;
+
+ isc_mem_put(mctx, uctx, sizeof(*uctx));
+
+ if (need_destroyclient)
+ destroyclient(&client);
+
+ *transp = NULL;
+}
+
+isc_mem_t *
+dns_client_mctx(dns_client_t *client) {
+
+ REQUIRE(DNS_CLIENT_VALID(client));
+ return (client->mctx);
+}
+
+typedef struct {
+ isc_buffer_t buffer;
+ dns_rdataset_t rdataset;
+ dns_rdatalist_t rdatalist;
+ dns_rdata_t rdata;
+ size_t size;
+ isc_mem_t * mctx;
+ unsigned char data[FLEXIBLE_ARRAY_MEMBER];
+} dns_client_updaterec_t;
+
+isc_result_t
+dns_client_updaterec(dns_client_updateop_t op, dns_name_t *owner,
+ dns_rdatatype_t type, dns_rdata_t *source,
+ dns_ttl_t ttl, dns_name_t *target,
+ dns_rdataset_t *rdataset, dns_rdatalist_t *rdatalist,
+ dns_rdata_t *rdata, isc_mem_t *mctx)
+{
+ dns_client_updaterec_t *updaterec = NULL;
+ size_t size = offsetof(dns_client_updaterec_t, data);
+
+ REQUIRE(op < updateop_max);
+ REQUIRE(owner != NULL);
+ REQUIRE((rdataset != NULL && rdatalist != NULL && rdata != NULL) ||
+ (rdataset == NULL && rdatalist == NULL && rdata == NULL &&
+ mctx != NULL));
+ if (op == updateop_add)
+ REQUIRE(source != NULL);
+ if (source != NULL) {
+ REQUIRE(source->type == type);
+ REQUIRE(op == updateop_add || op == updateop_delete ||
+ op == updateop_exist);
+ }
+
+ size += owner->length;
+ if (source != NULL)
+ size += source->length;
+
+ if (rdataset == NULL) {
+ updaterec = isc_mem_get(mctx, size);
+ if (updaterec == NULL)
+ return (ISC_R_NOMEMORY);
+ rdataset = &updaterec->rdataset;
+ rdatalist = &updaterec->rdatalist;
+ rdata = &updaterec->rdata;
+ dns_rdataset_init(rdataset);
+ dns_rdatalist_init(&updaterec->rdatalist);
+ dns_rdata_init(&updaterec->rdata);
+ isc_buffer_init(&updaterec->buffer, updaterec->data,
+ size - offsetof(dns_client_updaterec_t, data));
+ dns_name_copy(owner, target, &updaterec->buffer);
+ if (source != NULL) {
+ isc_region_t r;
+ dns_rdata_clone(source, rdata);
+ dns_rdata_toregion(rdata, &r);
+ rdata->data = isc_buffer_used(&updaterec->buffer);
+ isc_buffer_copyregion(&updaterec->buffer, &r);
+ }
+ updaterec->mctx = NULL;
+ isc_mem_attach(mctx, &updaterec->mctx);
+ } else if (source != NULL)
+ dns_rdata_clone(source, rdata);
+
+ switch (op) {
+ case updateop_add:
+ break;
+ case updateop_delete:
+ if (source != NULL) {
+ ttl = 0;
+ dns_rdata_makedelete(rdata);
+ } else
+ dns_rdata_deleterrset(rdata, type);
+ break;
+ case updateop_notexist:
+ dns_rdata_notexist(rdata, type);
+ break;
+ case updateop_exist:
+ if (source == NULL) {
+ ttl = 0;
+ dns_rdata_exists(rdata, type);
+ }
+ case updateop_none:
+ break;
+ default:
+ INSIST(0);
+ }
+
+ rdatalist->type = rdata->type;
+ rdatalist->rdclass = rdata->rdclass;
+ if (source != NULL) {
+ rdatalist->covers = dns_rdata_covers(rdata);
+ rdatalist->ttl = ttl;
+ }
+ ISC_LIST_APPEND(rdatalist->rdata, rdata, link);
+ dns_rdatalist_tordataset(rdatalist, rdataset);
+ ISC_LIST_APPEND(target->list, rdataset, link);
+ if (updaterec != NULL) {
+ target->attributes |= DNS_NAMEATTR_HASUPDATEREC;
+ dns_name_setbuffer(target, &updaterec->buffer);
+ }
+ if (op == updateop_add || op == updateop_delete)
+ target->attributes |= DNS_NAMEATTR_UPDATE;
+ else
+ target->attributes |= DNS_NAMEATTR_PREREQUISITE;
+ return (ISC_R_SUCCESS);
+}
+
+void
+dns_client_freeupdate(dns_name_t **namep) {
+ dns_client_updaterec_t *updaterec;
+ dns_rdatalist_t *rdatalist;
+ dns_rdataset_t *rdataset;
+ dns_rdata_t *rdata;
+ dns_name_t *name;
+
+ REQUIRE(namep != NULL && *namep != NULL);
+
+ name = *namep;
+ for (rdataset = ISC_LIST_HEAD(name->list);
+ rdataset != NULL;
+ rdataset = ISC_LIST_HEAD(name->list)) {
+ ISC_LIST_UNLINK(name->list, rdataset, link);
+ rdatalist = NULL;
+ dns_rdatalist_fromrdataset(rdataset, &rdatalist);
+ if (rdatalist == NULL) {
+ dns_rdataset_disassociate(rdataset);
+ continue;
+ }
+ for (rdata = ISC_LIST_HEAD(rdatalist->rdata);
+ rdata != NULL;
+ rdata = ISC_LIST_HEAD(rdatalist->rdata))
+ ISC_LIST_UNLINK(rdatalist->rdata, rdata, link);
+ dns_rdataset_disassociate(rdataset);
+ }
+
+ if ((name->attributes & DNS_NAMEATTR_HASUPDATEREC) != 0) {
+ updaterec = (dns_client_updaterec_t *)name->buffer;
+ INSIST(updaterec != NULL);
+ isc_mem_putanddetach(&updaterec->mctx, updaterec,
+ updaterec->size);
+ *namep = NULL;
+ }
+}
diff --git a/contrib/bind9/lib/dns/db.c b/contrib/bind9/lib/dns/db.c
index f48b35e1fa2e..0cf2c27ce227 100644
--- a/contrib/bind9/lib/dns/db.c
+++ b/contrib/bind9/lib/dns/db.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2007-2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007-2009, 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001, 2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -34,10 +34,12 @@
#include <dns/callbacks.h>
#include <dns/db.h>
+#include <dns/dbiterator.h>
#include <dns/log.h>
#include <dns/master.h>
#include <dns/rdata.h>
#include <dns/rdataset.h>
+#include <dns/rdatasetiter.h>
#include <dns/result.h>
/***
@@ -61,14 +63,18 @@ struct dns_dbimplementation {
*/
#include "rbtdb.h"
+#ifdef BIND9
#include "rbtdb64.h"
+#endif
static ISC_LIST(dns_dbimplementation_t) implementations;
static isc_rwlock_t implock;
static isc_once_t once = ISC_ONCE_INIT;
static dns_dbimplementation_t rbtimp;
+#ifdef BIND9
static dns_dbimplementation_t rbt64imp;
+#endif
static void
initialize(void) {
@@ -80,15 +86,19 @@ initialize(void) {
rbtimp.driverarg = NULL;
ISC_LINK_INIT(&rbtimp, link);
+#ifdef BIND9
rbt64imp.name = "rbt64";
rbt64imp.create = dns_rbtdb64_create;
rbt64imp.mctx = NULL;
rbt64imp.driverarg = NULL;
ISC_LINK_INIT(&rbt64imp, link);
+#endif
ISC_LIST_INIT(implementations);
ISC_LIST_APPEND(implementations, &rbtimp, link);
+#ifdef BIND9
ISC_LIST_APPEND(implementations, &rbt64imp, link);
+#endif
}
static inline dns_dbimplementation_t *
@@ -290,6 +300,7 @@ dns_db_class(dns_db_t *db) {
return (db->rdclass);
}
+#ifdef BIND9
isc_result_t
dns_db_beginload(dns_db_t *db, dns_addrdatasetfunc_t *addp,
dns_dbload_t **dbloadp) {
@@ -318,14 +329,19 @@ dns_db_endload(dns_db_t *db, dns_dbload_t **dbloadp) {
isc_result_t
dns_db_load(dns_db_t *db, const char *filename) {
- return (dns_db_load2(db, filename, dns_masterformat_text));
+ return (dns_db_load3(db, filename, dns_masterformat_text, 0));
}
isc_result_t
dns_db_load2(dns_db_t *db, const char *filename, dns_masterformat_t format) {
+ return (dns_db_load3(db, filename, format, 0));
+}
+
+isc_result_t
+dns_db_load3(dns_db_t *db, const char *filename, dns_masterformat_t format,
+ unsigned int options) {
isc_result_t result, eresult;
dns_rdatacallbacks_t callbacks;
- unsigned int options = 0;
/*
* Load master file 'filename' into 'db'.
@@ -376,6 +392,7 @@ dns_db_dump2(dns_db_t *db, dns_dbversion_t *version, const char *filename,
return ((db->methods->dump)(db, version, filename, masterformat));
}
+#endif /* BIND9 */
/***
*** Version Methods
@@ -921,8 +938,27 @@ dns_db_getsigningtime(dns_db_t *db, dns_rdataset_t *rdataset, dns_name_t *name)
}
void
-dns_db_resigned(dns_db_t *db, dns_rdataset_t *rdataset, dns_dbversion_t *version)
+dns_db_resigned(dns_db_t *db, dns_rdataset_t *rdataset,
+ dns_dbversion_t *version)
{
if (db->methods->resigned != NULL)
(db->methods->resigned)(db, rdataset, version);
}
+
+void
+dns_db_rpz_enabled(dns_db_t *db, dns_rpz_st_t *st)
+{
+ if (db->methods->rpz_enabled != NULL)
+ (db->methods->rpz_enabled)(db, st);
+}
+
+void
+dns_db_rpz_findips(dns_rpz_zone_t *rpz, dns_rpz_type_t rpz_type,
+ dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *version,
+ dns_rdataset_t *ardataset, dns_rpz_st_t *st,
+ dns_name_t *query_qname)
+{
+ if (db->methods->rpz_findips != NULL)
+ (db->methods->rpz_findips)(rpz, rpz_type, zone, db, version,
+ ardataset, st, query_qname);
+}
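Review bot: The two new wrappers `dns_db_rpz_enabled()` and `dns_db_rpz_findips()` dereference `db->methods` without any precondition on `db`, so a NULL or stale handle faults inside the dispatch instead of failing an assertion at the API boundary. I would add `REQUIRE(DNS_DB_VALID(db));` as the first statement of each, assuming the other entry points in db.c (outside this hunk) follow that convention. Both also return void and do nothing when the method pointer is NULL, so a caller cannot tell "backend has no RPZ support" from "nothing matched"; a comment such as `/* No-op for database implementations without RPZ support. */` would make that explicit.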
diff --git a/contrib/bind9/lib/dns/diff.c b/contrib/bind9/lib/dns/diff.c
index 560be89202c8..de00d0f9566b 100644
--- a/contrib/bind9/lib/dns/diff.c
+++ b/contrib/bind9/lib/dns/diff.c
@@ -392,10 +392,22 @@ diff_apply(dns_diff_t *diff, dns_db_t *db, dns_dbversion_t *ver,
* from a server that is not as careful.
* Issue a warning and continue.
*/
- if (warn)
+ if (warn) {
+ char classbuf[DNS_RDATATYPE_FORMATSIZE];
+ char namebuf[DNS_NAME_FORMATSIZE];
+
+ dns_name_format(dns_db_origin(db),
+ namebuf,
+ sizeof(namebuf));
+ dns_rdataclass_format(dns_db_class(db),
+ classbuf,
+ sizeof(classbuf));
isc_log_write(DIFF_COMMON_LOGARGS,
ISC_LOG_WARNING,
- "update with no effect");
+ "%s/%s: dns_diff_apply: "
+ "update with no effect",
+ namebuf, classbuf);
+ }
} else if (result == DNS_R_NXRRSET) {
/*
* OK.
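Review bot: `classbuf` is sized with `DNS_RDATATYPE_FORMATSIZE` but is filled by `dns_rdataclass_format()`, so the buffer is sized for the wrong kind of text. The call passes `sizeof(classbuf)`, so this is a truncation risk in the log line rather than an overflow, and only if the two macros differ in value. The declaration should read `char classbuf[DNS_RDATACLASS_FORMATSIZE];`. diff_apply's body starts and ends outside this hunk.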
@@ -483,6 +495,7 @@ dns_diff_load(dns_diff_t *diff, dns_addrdatasetfunc_t addfunc,
if (result == DNS_R_UNCHANGED) {
isc_log_write(DIFF_COMMON_LOGARGS,
ISC_LOG_WARNING,
+ "dns_diff_load: "
"update with no effect");
} else if (result == ISC_R_SUCCESS ||
result == DNS_R_NXRRSET) {
diff --git a/contrib/bind9/lib/dns/dispatch.c b/contrib/bind9/lib/dns/dispatch.c
index 735119fdeea2..775d4f453e48 100644
--- a/contrib/bind9/lib/dns/dispatch.c
+++ b/contrib/bind9/lib/dns/dispatch.c
@@ -417,7 +417,7 @@ request_log(dns_dispatch_t *disp, dns_dispentry_t *resp,
/*%
* ARC4 random number generator derived from OpenBSD.
- * Only dispatch_arc4random() and dispatch_arc4uniformrandom() are expected
+ * Only dispatch_random() and dispatch_uniformrandom() are expected
* to be called from general dispatch routines; the rest of them are subroutines
* for these two.
*
@@ -437,8 +437,11 @@ request_log(dns_dispatch_t *disp, dns_dispentry_t *resp,
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
+#ifdef BIND9
static void
-dispatch_arc4init(arc4ctx_t *actx, isc_entropy_t *entropy, isc_mutex_t *lock) {
+dispatch_initrandom(arc4ctx_t *actx, isc_entropy_t *entropy,
+ isc_mutex_t *lock)
+{
int n;
for (n = 0; n < 256; n++)
actx->s[n] = n;
@@ -527,7 +530,7 @@ dispatch_arc4stir(arc4ctx_t *actx) {
}
static isc_uint16_t
-dispatch_arc4random(arc4ctx_t *actx) {
+dispatch_random(arc4ctx_t *actx) {
isc_uint16_t result;
if (actx->lock != NULL)
@@ -543,9 +546,38 @@ dispatch_arc4random(arc4ctx_t *actx) {
return (result);
}
+#else
+/*
+ * For general purpose library, we don't have to be too strict about the
+ * quality of random values. Performance doesn't matter much, either.
+ * So we simply use the isc_random module to keep the library as small as
+ * possible.
+ */
+
+static void
+dispatch_initrandom(arc4ctx_t *actx, isc_entropy_t *entropy,
+ isc_mutex_t *lock)
+{
+ UNUSED(actx);
+ UNUSED(entropy);
+ UNUSED(lock);
+
+ return;
+}
static isc_uint16_t
-dispatch_arc4uniformrandom(arc4ctx_t *actx, isc_uint16_t upper_bound) {
+dispatch_random(arc4ctx_t *actx) {
+ isc_uint32_t r;
+
+ UNUSED(actx);
+
+ isc_random_get(&r);
+ return (r & 0xffff);
+}
+#endif /* BIND9 */
+
+static isc_uint16_t
+dispatch_uniformrandom(arc4ctx_t *actx, isc_uint16_t upper_bound) {
isc_uint16_t min, r;
if (upper_bound < 2)
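Review bot: The `#else` branch's comment says the quality of random values does not matter much, but later hunks in this file show `dispatch_random()` supplying the DNS message ID and `dispatch_uniformrandom()` choosing the UDP source port. Those two values are what a resolver relies on to reject spoofed responses, so in the non-BIND9 build their unpredictability depends entirely on `isc_random_get()`, whose backing source is not visible here. I would replace the comment with one that states the requirement, e.g. `/* Values feed query IDs and source ports; isc_random must be backed by an unpredictable source. */`. The stub `dispatch_initrandom()` also silently ignores `entropy`, which is worth saying in the same comment.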
@@ -568,7 +600,7 @@ dispatch_arc4uniformrandom(arc4ctx_t *actx, isc_uint16_t upper_bound) {
* to re-roll.
*/
for (;;) {
- r = dispatch_arc4random(actx);
+ r = dispatch_random(actx);
if (r >= min)
break;
}
@@ -859,7 +891,7 @@ get_dispsocket(dns_dispatch_t *disp, isc_sockaddr_t *dest,
*/
localaddr = disp->local;
for (i = 0; i < 64; i++) {
- port = ports[dispatch_arc4uniformrandom(DISP_ARC4CTX(disp),
+ port = ports[dispatch_uniformrandom(DISP_ARC4CTX(disp),
nports)];
isc_sockaddr_setport(&localaddr, port);
@@ -970,6 +1002,7 @@ deactivate_dispsocket(dns_dispatch_t *disp, dispsocket_t *dispsock) {
INSIST(dispsock->portentry != NULL);
deref_portentry(disp, &dispsock->portentry);
+#ifdef BIND9
if (disp->nsockets > DNS_DISPATCH_POOLSOCKS)
destroy_dispsocket(disp, &dispsock);
else {
@@ -993,6 +1026,13 @@ deactivate_dispsocket(dns_dispatch_t *disp, dispsocket_t *dispsock) {
destroy_dispsocket(disp, &dispsock);
}
}
+#else
+ /* This kind of optimization isn't necessary for normal use */
+ UNUSED(qid);
+ UNUSED(result);
+
+ destroy_dispsocket(disp, &dispsock);
+#endif
}
/*
@@ -1711,13 +1751,17 @@ destroy_mgr(dns_dispatchmgr_t **mgrp) {
isc_mempool_destroy(&mgr->epool);
isc_mempool_destroy(&mgr->rpool);
isc_mempool_destroy(&mgr->dpool);
- isc_mempool_destroy(&mgr->bpool);
- isc_mempool_destroy(&mgr->spool);
+ if (mgr->bpool != NULL)
+ isc_mempool_destroy(&mgr->bpool);
+ if (mgr->spool != NULL)
+ isc_mempool_destroy(&mgr->spool);
DESTROYLOCK(&mgr->pool_lock);
+#ifdef BIND9
if (mgr->entropy != NULL)
isc_entropy_detach(&mgr->entropy);
+#endif /* BIND9 */
if (mgr->qid != NULL)
qid_destroy(mctx, &mgr->qid);
@@ -1756,9 +1800,13 @@ open_socket(isc_socketmgr_t *mgr, isc_sockaddr_t *local,
return (result);
isc_socket_setname(sock, "dispatcher", NULL);
} else {
+#ifdef BIND9
result = isc_socket_open(sock);
if (result != ISC_R_SUCCESS)
return (result);
+#else
+ INSIST(0);
+#endif
}
#ifndef ISC_ALLOW_MAPPED
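Review bot: In the non-BIND9 build the branch that handles a caller-supplied socket is now a bare `INSIST(0);`, with no comment saying why it cannot be reached. As far as this hunk shows, a library consumer that does pass an existing socket gets a process abort rather than an error return. The next hunk does the same on the bind-failure path in place of `isc_socket_close(sock)`. If the case is truly impossible, a comment such as `/* Export library never reuses a socket; see caller. */` should say so. Otherwise returning an error result (for example `ISC_R_NOTIMPLEMENTED`) keeps the failure recoverable. open_socket's body starts and ends outside the hunk.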
@@ -1768,8 +1816,13 @@ open_socket(isc_socketmgr_t *mgr, isc_sockaddr_t *local,
if (result != ISC_R_SUCCESS) {
if (*sockp == NULL)
isc_socket_detach(&sock);
- else
+ else {
+#ifdef BIND9
isc_socket_close(sock);
+#else
+ INSIST(0);
+#endif
+ }
return (result);
}
@@ -1901,10 +1954,14 @@ dns_dispatchmgr_create(isc_mem_t *mctx, isc_entropy_t *entropy,
if (result != ISC_R_SUCCESS)
goto kill_dpool;
+#ifdef BIND9
if (entropy != NULL)
isc_entropy_attach(entropy, &mgr->entropy);
+#else
+ UNUSED(entropy);
+#endif
- dispatch_arc4init(&mgr->arc4ctx, mgr->entropy, &mgr->arc4_lock);
+ dispatch_initrandom(&mgr->arc4ctx, mgr->entropy, &mgr->arc4_lock);
*mgrp = mgr;
return (ISC_R_SUCCESS);
@@ -2415,7 +2472,7 @@ dispatch_allocate(dns_dispatchmgr_t *mgr, unsigned int maxrequests,
ISC_LIST_INIT(disp->activesockets);
ISC_LIST_INIT(disp->inactivesockets);
disp->nsockets = 0;
- dispatch_arc4init(&disp->arc4ctx, mgr->entropy, NULL);
+ dispatch_initrandom(&disp->arc4ctx, mgr->entropy, NULL);
disp->port_table = NULL;
disp->portpool = NULL;
@@ -2712,7 +2769,7 @@ get_udpsocket(dns_dispatchmgr_t *mgr, dns_dispatch_t *disp,
for (i = 0; i < 1024; i++) {
in_port_t prt;
- prt = ports[dispatch_arc4uniformrandom(
+ prt = ports[dispatch_uniformrandom(
DISP_ARC4CTX(disp),
nports)];
isc_sockaddr_setport(&localaddr_bound, prt);
@@ -2848,8 +2905,10 @@ dispatch_createudp(dns_dispatchmgr_t *mgr, isc_socketmgr_t *sockmgr,
disp->task[i] = NULL;
result = isc_task_create(taskmgr, 0, &disp->task[i]);
if (result != ISC_R_SUCCESS) {
- while (--i >= 0)
- isc_task_destroy(&disp->task[i]);
+ while (--i >= 0) {
+ isc_task_shutdown(disp->task[i]);
+ isc_task_detach(&disp->task[i]);
+ }
goto kill_socket;
}
isc_task_setname(disp->task[i], "udpdispatch", disp);
@@ -3048,7 +3107,7 @@ dns_dispatch_addresponse2(dns_dispatch_t *disp, isc_sockaddr_t *dest,
/*
* Try somewhat hard to find an unique ID.
*/
- id = (dns_messageid_t)dispatch_arc4random(DISP_ARC4CTX(disp));
+ id = (dns_messageid_t)dispatch_random(DISP_ARC4CTX(disp));
bucket = dns_hash(qid, dest, id, localport);
ok = ISC_FALSE;
for (i = 0; i < 64; i++) {
diff --git a/contrib/bind9/lib/dns/dlz.c b/contrib/bind9/lib/dns/dlz.c
index 65d3cc0fd9c5..8d1625a46be4 100644
--- a/contrib/bind9/lib/dns/dlz.c
+++ b/contrib/bind9/lib/dns/dlz.c
@@ -1,5 +1,5 @@
/*
- * Portions Copyright (C) 2005, 2007, 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2005, 2007, 2009-2012 Internet Systems Consortium, Inc. ("ISC")
* Portions Copyright (C) 1999-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -64,6 +64,8 @@
#include <dns/log.h>
#include <dns/master.h>
#include <dns/dlz.h>
+#include <dns/ssu.h>
+#include <dns/zone.h>
#include <isc/buffer.h>
@@ -230,6 +232,12 @@ dns_dlzdestroy(dns_dlzdb_t **dbp) {
*/
REQUIRE(dbp != NULL && DNS_DLZ_VALID(*dbp));
+#ifdef BIND9
+ if ((*dbp)->ssutable != NULL) {
+ dns_ssutable_detach(&(*dbp)->ssutable);
+ }
+#endif
+
/* call the drivers destroy method */
if ((*dbp) != NULL) {
mctx = (*dbp)->mctx;
@@ -499,7 +507,7 @@ dns_dlzunregister(dns_dlzimplementation_t **dlzimp) {
mctx = dlz_imp->mctx;
/*
- * return the memory back to the available memory pool and
+ * Return the memory back to the available memory pool and
* remove it from the memory context.
*/
isc_mem_put(mctx, dlz_imp, sizeof(dns_dlzimplementation_t));
@@ -508,3 +516,138 @@ dns_dlzunregister(dns_dlzimplementation_t **dlzimp) {
/* Unlock the dlz_implementations list. */
RWUNLOCK(&dlz_implock, isc_rwlocktype_write);
}
+
+#ifdef BIND9
+/*
+ * Create a writeable DLZ zone. This can be called by DLZ drivers
+ * during configure() to create a zone that can be updated. The zone
+ * type is set to dns_zone_dlz, which is equivalent to a master zone
+ *
+ * This function uses a callback setup in dns_dlzconfigure() to call
+ * into the server zone code to setup the remaining pieces of server
+ * specific functionality on the zone
+ */
+isc_result_t
+dns_dlz_writeablezone(dns_view_t *view, const char *zone_name) {
+ dns_zone_t *zone = NULL;
+ dns_zone_t *dupzone = NULL;
+ isc_result_t result;
+ isc_buffer_t buffer;
+ dns_fixedname_t fixorigin;
+ dns_name_t *origin;
+ dns_dlzdb_t *dlzdatabase;
+
+ REQUIRE(DNS_DLZ_VALID(view->dlzdatabase));
+
+ dlzdatabase = view->dlzdatabase;
+
+ REQUIRE(dlzdatabase->configure_callback != NULL);
+
+ isc_buffer_init(&buffer, zone_name, strlen(zone_name));
+ isc_buffer_add(&buffer, strlen(zone_name));
+ dns_fixedname_init(&fixorigin);
+ result = dns_name_fromtext(dns_fixedname_name(&fixorigin),
+ &buffer, dns_rootname, 0, NULL);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+ origin = dns_fixedname_name(&fixorigin);
+
+ /* See if the zone already exists */
+ result = dns_view_findzone(view, origin, &dupzone);
+ if (result == ISC_R_SUCCESS) {
+ dns_zone_detach(&dupzone);
+ result = ISC_R_EXISTS;
+ goto cleanup;
+ }
+ INSIST(dupzone == NULL);
+
+ /* Create it */
+ result = dns_zone_create(&zone, view->mctx);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+ result = dns_zone_setorigin(zone, origin);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+ dns_zone_setview(zone, view);
+
+ dns_zone_setadded(zone, ISC_TRUE);
+
+ if (dlzdatabase->ssutable == NULL) {
+ result = dns_ssutable_createdlz(dlzdatabase->mctx,
+ &dlzdatabase->ssutable,
+ view->dlzdatabase);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+ }
+ dns_zone_setssutable(zone, dlzdatabase->ssutable);
+
+ result = dlzdatabase->configure_callback(view, zone);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+
+ /*
+ * Add the zone to its view in the new view list.
+ */
+ result = dns_view_addzone(view, zone);
+
+ cleanup:
+ if (zone != NULL)
+ dns_zone_detach(&zone);
+
+ return (result);
+}
+#endif
+
+/*%
+ * Configure a DLZ driver. This is optional, and if supplied gives
+ * the backend an opportunity to configure parameters related to DLZ.
+ */
+isc_result_t
+dns_dlzconfigure(dns_view_t *view, isc_result_t (*callback)(dns_view_t *,
+ dns_zone_t *))
+{
+ dns_dlzimplementation_t *impl;
+ dns_dlzdb_t *dlzdatabase;
+ isc_result_t result;
+
+ REQUIRE(view != NULL);
+ REQUIRE(DNS_DLZ_VALID(view->dlzdatabase));
+ REQUIRE(view->dlzdatabase->implementation != NULL);
+
+ dlzdatabase = view->dlzdatabase;
+ impl = dlzdatabase->implementation;
+
+ if (impl->methods->configure == NULL)
+ return (ISC_R_SUCCESS);
+
+ dlzdatabase->configure_callback = callback;
+
+ result = impl->methods->configure(impl->driverarg,
+ dlzdatabase->dbdata, view);
+ return (result);
+}
+
+isc_boolean_t
+dns_dlz_ssumatch(dns_dlzdb_t *dlzdatabase,
+ dns_name_t *signer, dns_name_t *name, isc_netaddr_t *tcpaddr,
+ dns_rdatatype_t type, const dst_key_t *key)
+{
+ dns_dlzimplementation_t *impl;
+ isc_boolean_t r;
+
+ REQUIRE(dlzdatabase != NULL);
+ REQUIRE(dlzdatabase->implementation != NULL);
+ REQUIRE(dlzdatabase->implementation->methods != NULL);
+ impl = dlzdatabase->implementation;
+
+ if (impl->methods->ssumatch == NULL) {
+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+ DNS_LOGMODULE_DLZ, ISC_LOG_INFO,
+ "No ssumatch method for DLZ database");
+ return (ISC_FALSE);
+ }
+
+ r = impl->methods->ssumatch(signer, name, tcpaddr, type, key,
+ impl->driverarg, dlzdatabase->dbdata);
+ return (r);
+}
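Review bot: `dns_dlz_writeablezone()` reads `view->dlzdatabase` and calls `strlen(zone_name)` without first requiring either pointer to be non-NULL, whereas `dns_dlzconfigure()` just below starts with `REQUIRE(view != NULL);`. Since the header comment says DLZ drivers call this function during configure(), I would add `REQUIRE(view != NULL);` and `REQUIRE(zone_name != NULL);` ahead of the existing `DNS_DLZ_VALID` check, so a bad driver argument trips an assertion rather than faulting. Separately, `dns_dlz_ssumatch()` makes the update-authorization decision and has no header comment. It should document that a driver without an `ssumatch` method results in `ISC_FALSE` (deny), which is what the code does.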
diff --git a/contrib/bind9/lib/dns/dns64.c b/contrib/bind9/lib/dns/dns64.c
new file mode 100644
index 000000000000..0b3f1d48b892
--- /dev/null
+++ b/contrib/bind9/lib/dns/dns64.c
@@ -0,0 +1,301 @@
+/*
+ * Copyright (C) 2010-2012 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id$ */
+
+#include <config.h>
+
+#include <isc/list.h>
+#include <isc/mem.h>
+#include <isc/netaddr.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dns/acl.h>
+#include <dns/dns64.h>
+#include <dns/rdata.h>
+#include <dns/rdataset.h>
+#include <dns/result.h>
+
+struct dns_dns64 {
+ unsigned char bits[16]; /*
+ * Prefix + suffix bits.
+ */
+ dns_acl_t * clients; /*
+ * Which clients get mapped
+ * addresses.
+ */
+ dns_acl_t * mapped; /*
+ * IPv4 addresses to be mapped.
+ */
+ dns_acl_t * excluded; /*
+ * IPv6 addresses that are
+ * treated as not existing.
+ */
+ unsigned int prefixlen; /*
+ * Start of mapped address.
+ */
+ unsigned int flags;
+ isc_mem_t * mctx;
+ ISC_LINK(dns_dns64_t) link;
+};
+
+isc_result_t
+dns_dns64_create(isc_mem_t *mctx, isc_netaddr_t *prefix,
+ unsigned int prefixlen, isc_netaddr_t *suffix,
+ dns_acl_t *clients, dns_acl_t *mapped, dns_acl_t *excluded,
+ unsigned int flags, dns_dns64_t **dns64)
+{
+ dns_dns64_t *new;
+ unsigned int nbytes = 16;
+
+ REQUIRE(prefix != NULL && prefix->family == AF_INET6);
+ /* Legal prefix lengths from draft-ietf-behave-address-format-04. */
+ REQUIRE(prefixlen == 32 || prefixlen == 40 || prefixlen == 48 ||
+ prefixlen == 56 || prefixlen == 64 || prefixlen == 96);
+ REQUIRE(isc_netaddr_prefixok(prefix, prefixlen) == ISC_R_SUCCESS);
+ REQUIRE(dns64 != NULL && *dns64 == NULL);
+
+ if (suffix != NULL) {
+ static const unsigned char zeros[16];
+ REQUIRE(prefix->family == AF_INET6);
+ nbytes = prefixlen / 8 + 4;
+ /* Bits 64-71 are zeros. draft-ietf-behave-address-format-04 */
+ if (prefixlen >= 32 && prefixlen <= 64)
+ nbytes++;
+ REQUIRE(memcmp(suffix->type.in6.s6_addr, zeros, nbytes) == 0);
+ }
+
+ new = isc_mem_get(mctx, sizeof(dns_dns64_t));
+ if (new == NULL)
+ return (ISC_R_NOMEMORY);
+ memset(new->bits, 0, sizeof(new->bits));
+ memcpy(new->bits, prefix->type.in6.s6_addr, prefixlen / 8);
+ if (suffix != NULL)
+ memcpy(new->bits + nbytes, suffix->type.in6.s6_addr + nbytes,
+ 16 - nbytes);
+ new->clients = NULL;
+ if (clients != NULL)
+ dns_acl_attach(clients, &new->clients);
+ new->mapped = NULL;
+ if (mapped != NULL)
+ dns_acl_attach(mapped, &new->mapped);
+ new->excluded = NULL;
+ if (excluded != NULL)
+ dns_acl_attach(excluded, &new->excluded);
+ new->prefixlen = prefixlen;
+ new->flags = flags;
+ ISC_LINK_INIT(new, link);
+ new->mctx = NULL;
+ isc_mem_attach(mctx, &new->mctx);
+ *dns64 = new;
+ return (ISC_R_SUCCESS);
+}
+
+void
+dns_dns64_destroy(dns_dns64_t **dns64p) {
+ dns_dns64_t *dns64;
+
+ REQUIRE(dns64p != NULL && *dns64p != NULL);
+
+ dns64 = *dns64p;
+ *dns64p = NULL;
+
+ REQUIRE(!ISC_LINK_LINKED(dns64, link));
+
+ if (dns64->clients != NULL)
+ dns_acl_detach(&dns64->clients);
+ if (dns64->mapped != NULL)
+ dns_acl_detach(&dns64->mapped);
+ if (dns64->excluded != NULL)
+ dns_acl_detach(&dns64->excluded);
+ isc_mem_putanddetach(&dns64->mctx, dns64, sizeof(*dns64));
+}
+
+isc_result_t
+dns_dns64_aaaafroma(const dns_dns64_t *dns64, const isc_netaddr_t *reqaddr,
+ const dns_name_t *reqsigner, const dns_aclenv_t *env,
+ unsigned int flags, unsigned char *a, unsigned char *aaaa)
+{
+ unsigned int nbytes, i;
+ isc_result_t result;
+ int match;
+
+ if ((dns64->flags & DNS_DNS64_RECURSIVE_ONLY) != 0 &&
+ (flags & DNS_DNS64_RECURSIVE) == 0)
+ return (DNS_R_DISALLOWED);
+
+ if ((dns64->flags & DNS_DNS64_BREAK_DNSSEC) == 0 &&
+ (flags & DNS_DNS64_DNSSEC) != 0)
+ return (DNS_R_DISALLOWED);
+
+ if (dns64->clients != NULL) {
+ result = dns_acl_match(reqaddr, reqsigner, dns64->clients, env,
+ &match, NULL);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ if (match <= 0)
+ return (DNS_R_DISALLOWED);
+ }
+
+ if (dns64->mapped != NULL) {
+ struct in_addr ina;
+ isc_netaddr_t netaddr;
+
+ memcpy(&ina.s_addr, a, 4);
+ isc_netaddr_fromin(&netaddr, &ina);
+ result = dns_acl_match(&netaddr, NULL, dns64->mapped, env,
+ &match, NULL);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ if (match <= 0)
+ return (DNS_R_DISALLOWED);
+ }
+
+ nbytes = dns64->prefixlen / 8;
+ INSIST(nbytes <= 12);
+ /* Copy prefix. */
+ memcpy(aaaa, dns64->bits, nbytes);
+ /* Bits 64-71 are zeros. draft-ietf-behave-address-format-04 */
+ if (nbytes == 8)
+ aaaa[nbytes++] = 0;
+ /* Copy mapped address. */
+ for (i = 0; i < 4U; i++) {
+ aaaa[nbytes++] = a[i];
+ /* Bits 64-71 are zeros. draft-ietf-behave-address-format-04 */
+ if (nbytes == 8)
+ aaaa[nbytes++] = 0;
+ }
+ /* Copy suffix. */
+ memcpy(aaaa + nbytes, dns64->bits + nbytes, 16 - nbytes);
+ return (ISC_R_SUCCESS);
+}
+
+dns_dns64_t *
+dns_dns64_next(dns_dns64_t *dns64) {
+ dns64 = ISC_LIST_NEXT(dns64, link);
+ return (dns64);
+}
+
+void
+dns_dns64_append(dns_dns64list_t *list, dns_dns64_t *dns64) {
+ ISC_LIST_APPEND(*list, dns64, link);
+}
+
+void
+dns_dns64_unlink(dns_dns64list_t *list, dns_dns64_t *dns64) {
+ ISC_LIST_UNLINK(*list, dns64, link);
+}
+
+isc_boolean_t
+dns_dns64_aaaaok(const dns_dns64_t *dns64, const isc_netaddr_t *reqaddr,
+ const dns_name_t *reqsigner, const dns_aclenv_t *env,
+ unsigned int flags, dns_rdataset_t *rdataset,
+ isc_boolean_t *aaaaok, size_t aaaaoklen)
+{
+ struct in6_addr in6;
+ isc_netaddr_t netaddr;
+ isc_result_t result;
+ int match;
+ isc_boolean_t answer = ISC_FALSE;
+ isc_boolean_t found = ISC_FALSE;
+ unsigned int i, ok;
+
+ REQUIRE(rdataset != NULL);
+ REQUIRE(rdataset->type == dns_rdatatype_aaaa);
+ REQUIRE(rdataset->rdclass == dns_rdataclass_in);
+ if (aaaaok != NULL)
+ REQUIRE(aaaaoklen == dns_rdataset_count(rdataset));
+
+ for (;dns64 != NULL; dns64 = ISC_LIST_NEXT(dns64, link)) {
+ if ((dns64->flags & DNS_DNS64_RECURSIVE_ONLY) != 0 &&
+ (flags & DNS_DNS64_RECURSIVE) == 0)
+ continue;
+
+ if ((dns64->flags & DNS_DNS64_BREAK_DNSSEC) == 0 &&
+ (flags & DNS_DNS64_DNSSEC) != 0)
+ continue;
+ /*
+ * Work out if this dns64 structure applies to this client.
+ */
+ if (dns64->clients != NULL) {
+ result = dns_acl_match(reqaddr, reqsigner,
+ dns64->clients, env,
+ &match, NULL);
+ if (result != ISC_R_SUCCESS)
+ continue;
+ if (match <= 0)
+ continue;
+ }
+
+ if (!found && aaaaok != NULL) {
+ for (i = 0; i < aaaaoklen; i++)
+ aaaaok[i] = ISC_FALSE;
+ }
+ found = ISC_TRUE;
+
+ /*
+ * If we are not excluding any addresses then any AAAA
+ * will do.
+ */
+ if (dns64->excluded == NULL) {
+ answer = ISC_TRUE;
+ if (aaaaok == NULL)
+ goto done;
+ for (i = 0; i < aaaaoklen; i++)
+ aaaaok[i] = ISC_TRUE;
+ goto done;
+ }
+
+ i = 0; ok = 0;
+ for (result = dns_rdataset_first(rdataset);
+ result == ISC_R_SUCCESS;
+ result = dns_rdataset_next(rdataset)) {
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ if (aaaaok == NULL || !aaaaok[i]) {
+
+ dns_rdataset_current(rdataset, &rdata);
+ memcpy(&in6.s6_addr, rdata.data, 16);
+ isc_netaddr_fromin6(&netaddr, &in6);
+
+ result = dns_acl_match(&netaddr, NULL,
+ dns64->excluded,
+ env, &match, NULL);
+ if (result == ISC_R_SUCCESS && match <= 0) {
+ answer = ISC_TRUE;
+ if (aaaaok == NULL)
+ goto done;
+ aaaaok[i] = ISC_TRUE;
+ ok++;
+ }
+ } else
+ ok++;
+ i++;
+ }
+ /*
+ * Are all addresses ok?
+ */
+ if (aaaaok != NULL && ok == aaaaoklen)
+ goto done;
+ }
+
+ done:
+ if (!found && aaaaok != NULL) {
+ for (i = 0; i < aaaaoklen; i++)
+ aaaaok[i] = ISC_TRUE;
+ }
+ return (found ? answer : ISC_TRUE);
+}
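Review bot: In `dns_dns64_create()` the check inside `if (suffix != NULL)` repeats `REQUIRE(prefix->family == AF_INET6);`, already asserted at the top of the function, and the code then reads `suffix->type.in6.s6_addr` without ever checking the suffix's family. This looks like a typo for `REQUIRE(suffix->family == AF_INET6);`. As written, an IPv4 `isc_netaddr_t` passed as the suffix would have its `in6` member compared and copied. `dns_dns64_aaaafroma()` likewise writes 16 bytes through `aaaa` and reads 4 through `a` with no `REQUIRE` on `dns64`, `a` or `aaaa`. A header comment stating those buffer sizes would help callers.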
diff --git a/contrib/bind9/lib/dns/dnssec.c b/contrib/bind9/lib/dns/dnssec.c
index 393a9c794d9d..3569ad7cc84a 100644
--- a/contrib/bind9/lib/dns/dnssec.c
+++ b/contrib/bind9/lib/dns/dnssec.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -26,12 +26,14 @@
#include <stdlib.h>
#include <isc/buffer.h>
+#include <isc/dir.h>
#include <isc/mem.h>
#include <isc/serial.h>
#include <isc/string.h>
#include <isc/util.h>
#include <dns/db.h>
+#include <dns/diff.h>
#include <dns/dnssec.h>
#include <dns/fixedname.h>
#include <dns/keyvalues.h>
@@ -599,6 +601,58 @@ dns_dnssec_verify(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
return (result);
}
+static isc_boolean_t
+key_active(dst_key_t *key, isc_stdtime_t now) {
+ isc_result_t result;
+ isc_stdtime_t publish, active, revoke, inactive, delete;
+ isc_boolean_t pubset = ISC_FALSE, actset = ISC_FALSE;
+ isc_boolean_t revset = ISC_FALSE, inactset = ISC_FALSE;
+ isc_boolean_t delset = ISC_FALSE;
+ int major, minor;
+
+ /* Is this an old-style key? */
+ result = dst_key_getprivateformat(key, &major, &minor);
+ RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+ /*
+ * Smart signing started with key format 1.3; prior to that, all
+ * keys are assumed active
+ */
+ if (major == 1 && minor <= 2)
+ return (ISC_TRUE);
+
+ result = dst_key_gettime(key, DST_TIME_PUBLISH, &publish);
+ if (result == ISC_R_SUCCESS)
+ pubset = ISC_TRUE;
+
+ result = dst_key_gettime(key, DST_TIME_ACTIVATE, &active);
+ if (result == ISC_R_SUCCESS)
+ actset = ISC_TRUE;
+
+ result = dst_key_gettime(key, DST_TIME_REVOKE, &revoke);
+ if (result == ISC_R_SUCCESS)
+ revset = ISC_TRUE;
+
+ result = dst_key_gettime(key, DST_TIME_INACTIVE, &inactive);
+ if (result == ISC_R_SUCCESS)
+ inactset = ISC_TRUE;
+
+ result = dst_key_gettime(key, DST_TIME_DELETE, &delete);
+ if (result == ISC_R_SUCCESS)
+ delset = ISC_TRUE;
+
+ if ((inactset && inactive <= now) || (delset && delete <= now))
+ return (ISC_FALSE);
+
+ if (revset && revoke <= now && pubset && publish <= now)
+ return (ISC_TRUE);
+
+ if (actset && active <= now)
+ return (ISC_TRUE);
+
+ return (ISC_FALSE);
+}
+
#define is_zone_key(key) ((dst_key_flags(key) & DNS_KEYFLAG_OWNERMASK) \
== DNS_KEYOWNER_ZONE)
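Review bot: `key_active()` decides whether a private key is used for signing, yet it has no header comment, and its precedence rules are not obvious from the code. Inactive or Delete times in the past win over everything. A key that is revoked and published counts as active. A key in format 1.3 or later with no Activate time, and not revoked and published, is reported inactive. That last case means a new-format key without timing metadata is silently skipped by the caller. I would state it in a comment above the function, e.g. `/* Inactive/Delete in the past => not active; else active if revoked+published or Activate has passed; no timing metadata => not active. */`.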
@@ -614,10 +668,13 @@ dns_dnssec_findzonekeys2(dns_db_t *db, dns_dbversion_t *ver,
isc_result_t result;
dst_key_t *pubkey = NULL;
unsigned int count = 0;
+ isc_stdtime_t now;
REQUIRE(nkeys != NULL);
REQUIRE(keys != NULL);
+ isc_stdtime_get(&now);
+
*nkeys = 0;
dns_rdataset_init(&rdataset);
RETERR(dns_db_findrdataset(db, node, ver, dns_rdatatype_dnskey, 0, 0,
@@ -640,14 +697,70 @@ dns_dnssec_findzonekeys2(dns_db_t *db, dns_dbversion_t *ver,
DST_TYPE_PUBLIC|DST_TYPE_PRIVATE,
directory,
mctx, &keys[count]);
+
+ /*
+ * If the key was revoked and the private file
+ * doesn't exist, maybe it was revoked internally
+ * by named. Try loading the unrevoked version.
+ */
if (result == ISC_R_FILENOTFOUND) {
+ isc_uint32_t flags;
+ flags = dst_key_flags(pubkey);
+ if ((flags & DNS_KEYFLAG_REVOKE) != 0) {
+ dst_key_setflags(pubkey,
+ flags & ~DNS_KEYFLAG_REVOKE);
+ result = dst_key_fromfile(dst_key_name(pubkey),
+ dst_key_id(pubkey),
+ dst_key_alg(pubkey),
+ DST_TYPE_PUBLIC|
+ DST_TYPE_PRIVATE,
+ directory,
+ mctx, &keys[count]);
+ if (result == ISC_R_SUCCESS &&
+ dst_key_pubcompare(pubkey, keys[count],
+ ISC_FALSE)) {
+ dst_key_setflags(keys[count], flags);
+ }
+ dst_key_setflags(pubkey, flags);
+ }
+ }
+
+ if (result != ISC_R_SUCCESS) {
+ char keybuf[DNS_NAME_FORMATSIZE];
+ char algbuf[DNS_SECALG_FORMATSIZE];
+ dns_name_format(dst_key_name(pubkey), keybuf,
+ sizeof(keybuf));
+ dns_secalg_format(dst_key_alg(pubkey), algbuf,
+ sizeof(algbuf));
+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+ DNS_LOGMODULE_DNSSEC, ISC_LOG_WARNING,
+ "dns_dnssec_findzonekeys2: error "
+ "reading private key file %s/%s/%d: %s",
+ keybuf, algbuf, dst_key_id(pubkey),
+ isc_result_totext(result));
+ }
+
+ if (result == ISC_R_FILENOTFOUND || result == ISC_R_NOPERM) {
keys[count] = pubkey;
pubkey = NULL;
count++;
goto next;
}
+
if (result != ISC_R_SUCCESS)
goto failure;
+
+ /*
+ * If a key is marked inactive, skip it
+ */
+ if (!key_active(keys[count], now)) {
+ dst_key_free(&keys[count]);
+ keys[count] = pubkey;
+ pubkey = NULL;
+ count++;
+ goto next;
+ }
+
if ((dst_key_flags(keys[count]) & DNS_KEYTYPE_NOAUTH) != 0) {
/* We should never get here. */
dst_key_free(&keys[count]);
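Review bot: In the revoked-key fallback, a failed `dst_key_pubcompare()` is not handled. If `dst_key_fromfile()` succeeds but the comparison fails, `result` stays `ISC_R_SUCCESS` and `keys[count]` keeps a private key that did not match the DNSKEY being processed. The code after the block then treats it as this key's private half. I would add an else branch for that case that calls `dst_key_free(&keys[count]);` and sets `result` to a failure code, so the entry falls back to the public-only path. The new warning is also emitted for `ISC_R_FILENOTFOUND`, which the following block treats as a normal public-only key, so it may be noisy for zones that publish keys held elsewhere. The enclosing loop in dns_dnssec_findzonekeys2 starts and ends outside this hunk.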
@@ -964,13 +1077,6 @@ dns_dnssec_selfsigns(dns_rdata_t *rdata, dns_name_t *name,
dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset,
isc_boolean_t ignoretime, isc_mem_t *mctx)
{
- dst_key_t *dstkey = NULL;
- dns_keytag_t keytag;
- dns_rdata_dnskey_t key;
- dns_rdata_rrsig_t sig;
- dns_rdata_t sigrdata = DNS_RDATA_INIT;
- isc_result_t result;
-
INSIST(rdataset->type == dns_rdatatype_key ||
rdataset->type == dns_rdatatype_dnskey);
if (rdataset->type == dns_rdatatype_key) {
@@ -981,6 +1087,27 @@ dns_dnssec_selfsigns(dns_rdata_t *rdata, dns_name_t *name,
INSIST(sigrdataset->covers == dns_rdatatype_dnskey);
}
+ return (dns_dnssec_signs(rdata, name, rdataset, sigrdataset,
+ ignoretime, mctx));
+
+}
+
+isc_boolean_t
+dns_dnssec_signs(dns_rdata_t *rdata, dns_name_t *name,
+ dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset,
+ isc_boolean_t ignoretime, isc_mem_t *mctx)
+{
+ dst_key_t *dstkey = NULL;
+ dns_keytag_t keytag;
+ dns_rdata_dnskey_t key;
+ dns_rdata_rrsig_t sig;
+ dns_rdata_t sigrdata = DNS_RDATA_INIT;
+ isc_result_t result;
+
+ INSIST(sigrdataset->type == dns_rdatatype_rrsig);
+ if (sigrdataset->covers != rdataset->type)
+ return (ISC_FALSE);
+
result = dns_dnssec_keyfromrdata(name, rdata, mctx, &dstkey);
if (result != ISC_R_SUCCESS)
return (ISC_FALSE);
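Review bot: The new `dns_dnssec_signs()` begins with `INSIST(sigrdataset->type == dns_rdatatype_rrsig);`, but `dns_dnssec_selfsigns()` now forwards to it after accepting `rdataset->type == dns_rdatatype_key` as well as DNSKEY. The KEY branch's own assertions are outside the visible lines. If that branch pairs KEY with a SIG rdataset, every such call would now hit the INSIST and abort instead of returning a boolean. Since this is a public function that callers may feed with data derived from responses, I would turn the assertion into a soft failure, `if (sigrdataset->type != dns_rdatatype_rrsig) return (ISC_FALSE);`, or accept `dns_rdatatype_sig` explicitly. The rest of dns_dnssec_signs' body continues outside the hunk.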
@@ -1011,3 +1138,694 @@ dns_dnssec_selfsigns(dns_rdata_t *rdata, dns_name_t *name,
dst_key_free(&dstkey);
return (ISC_FALSE);
}
+
+isc_result_t
+dns_dnsseckey_create(isc_mem_t *mctx, dst_key_t **dstkey,
+ dns_dnsseckey_t **dkp)
+{
+ isc_result_t result;
+ dns_dnsseckey_t *dk;
+ int major, minor;
+
+ REQUIRE(dkp != NULL && *dkp == NULL);
+ dk = isc_mem_get(mctx, sizeof(dns_dnsseckey_t));
+ if (dk == NULL)
+ return (ISC_R_NOMEMORY);
+
+ dk->key = *dstkey;
+ *dstkey = NULL;
+ dk->force_publish = ISC_FALSE;
+ dk->force_sign = ISC_FALSE;
+ dk->hint_publish = ISC_FALSE;
+ dk->hint_sign = ISC_FALSE;
+ dk->hint_remove = ISC_FALSE;
+ dk->first_sign = ISC_FALSE;
+ dk->is_active = ISC_FALSE;
+ dk->prepublish = 0;
+ dk->source = dns_keysource_unknown;
+ dk->index = 0;
+
+ /* KSK or ZSK? */
+ dk->ksk = ISC_TF((dst_key_flags(dk->key) & DNS_KEYFLAG_KSK) != 0);
+
+ /* Is this an old-style key? */
+ result = dst_key_getprivateformat(dk->key, &major, &minor);
+ INSIST(result == ISC_R_SUCCESS);
+
+ /* Smart signing started with key format 1.3 */
+ dk->legacy = ISC_TF(major == 1 && minor <= 2);
+
+ ISC_LINK_INIT(dk, link);
+ *dkp = dk;
+ return (ISC_R_SUCCESS);
+}
+
+void
+dns_dnsseckey_destroy(isc_mem_t *mctx, dns_dnsseckey_t **dkp) {
+ dns_dnsseckey_t *dk;
+
+ REQUIRE(dkp != NULL && *dkp != NULL);
+ dk = *dkp;
+ if (dk->key != NULL)
+ dst_key_free(&dk->key);
+ isc_mem_put(mctx, dk, sizeof(dns_dnsseckey_t));
+ *dkp = NULL;
+}
+
+static void
+get_hints(dns_dnsseckey_t *key, isc_stdtime_t now) {
+ isc_result_t result;
+ isc_stdtime_t publish, active, revoke, inactive, delete;
+ isc_boolean_t pubset = ISC_FALSE, actset = ISC_FALSE;
+ isc_boolean_t revset = ISC_FALSE, inactset = ISC_FALSE;
+ isc_boolean_t delset = ISC_FALSE;
+
+ REQUIRE(key != NULL && key->key != NULL);
+
+ result = dst_key_gettime(key->key, DST_TIME_PUBLISH, &publish);
+ if (result == ISC_R_SUCCESS)
+ pubset = ISC_TRUE;
+
+ result = dst_key_gettime(key->key, DST_TIME_ACTIVATE, &active);
+ if (result == ISC_R_SUCCESS)
+ actset = ISC_TRUE;
+
+ result = dst_key_gettime(key->key, DST_TIME_REVOKE, &revoke);
+ if (result == ISC_R_SUCCESS)
+ revset = ISC_TRUE;
+
+ result = dst_key_gettime(key->key, DST_TIME_INACTIVE, &inactive);
+ if (result == ISC_R_SUCCESS)
+ inactset = ISC_TRUE;
+
+ result = dst_key_gettime(key->key, DST_TIME_DELETE, &delete);
+ if (result == ISC_R_SUCCESS)
+ delset = ISC_TRUE;
+
+ /* Metadata says publish (but possibly not activate) */
+ if (pubset && publish <= now)
+ key->hint_publish = ISC_TRUE;
+
+ /* Metadata says activate (so we must also publish) */
+ if (actset && active <= now) {
+ key->hint_sign = ISC_TRUE;
+ key->hint_publish = ISC_TRUE;
+ }
+
+ /*
+ * Activation date is set (maybe in the future), but
+ * publication date isn't. Most likely the user wants to
+ * publish now and activate later.
+ */
+ if (actset && !pubset)
+ key->hint_publish = ISC_TRUE;
+
+ /*
+ * If activation date is in the future, make note of how far off
+ */
+ if (key->hint_publish && actset && active > now) {
+ key->prepublish = active - now;
+ }
+
+ /*
+ * Key has been marked inactive: we can continue publishing,
+ * but don't sign.
+ */
+ if (key->hint_publish && inactset && inactive <= now) {
+ key->hint_sign = ISC_FALSE;
+ }
+
+ /*
+ * Metadata says revoke. If the key is published,
+ * we *have to* sign with it per RFC5011--even if it was
+ * not active before.
+ *
+ * If it hasn't already been done, we should also revoke it now.
+ */
+ if (key->hint_publish && (revset && revoke <= now)) {
+ isc_uint32_t flags;
+ key->hint_sign = ISC_TRUE;
+ flags = dst_key_flags(key->key);
+ if ((flags & DNS_KEYFLAG_REVOKE) == 0) {
+ flags |= DNS_KEYFLAG_REVOKE;
+ dst_key_setflags(key->key, flags);
+ }
+ }
+
+ /*
+ * Metadata says delete, so don't publish this key or sign with it.
+ */
+ if (delset && delete <= now) {
+ key->hint_publish = ISC_FALSE;
+ key->hint_sign = ISC_FALSE;
+ key->hint_remove = ISC_TRUE;
+ }
+}
+
+/*%
+ * Get a list of DNSSEC keys from the key repository
+ */
+isc_result_t
+dns_dnssec_findmatchingkeys(dns_name_t *origin, const char *directory,
+ isc_mem_t *mctx, dns_dnsseckeylist_t *keylist)
+{
+ isc_result_t result = ISC_R_SUCCESS;
+ isc_boolean_t dir_open = ISC_FALSE;
+ dns_dnsseckeylist_t list;
+ isc_dir_t dir;
+ dns_dnsseckey_t *key = NULL;
+ dst_key_t *dstkey = NULL;
+ char namebuf[DNS_NAME_FORMATSIZE], *p;
+ isc_buffer_t b;
+ unsigned int len;
+ isc_stdtime_t now;
+
+ REQUIRE(keylist != NULL);
+ ISC_LIST_INIT(list);
+ isc_dir_init(&dir);
+
+ isc_buffer_init(&b, namebuf, sizeof(namebuf) - 1);
+ RETERR(dns_name_tofilenametext(origin, ISC_FALSE, &b));
+ len = isc_buffer_usedlength(&b);
+ namebuf[len] = '\0';
+
+ if (directory == NULL)
+ directory = ".";
+ RETERR(isc_dir_open(&dir, directory));
+ dir_open = ISC_TRUE;
+
+ isc_stdtime_get(&now);
+
+ while (isc_dir_read(&dir) == ISC_R_SUCCESS) {
+ if (dir.entry.name[0] == 'K' &&
+ dir.entry.length > len + 1 &&
+ dir.entry.name[len + 1] == '+' &&
+ strncasecmp(dir.entry.name + 1, namebuf, len) == 0) {
+ p = strrchr(dir.entry.name, '.');
+ if (p != NULL && strcmp(p, ".private") != 0)
+ continue;
+
+ dstkey = NULL;
+ result = dst_key_fromnamedfile(dir.entry.name,
+ directory,
+ DST_TYPE_PUBLIC |
+ DST_TYPE_PRIVATE,
+ mctx, &dstkey);
+
+ if (result != ISC_R_SUCCESS) {
+ isc_log_write(dns_lctx,
+ DNS_LOGCATEGORY_GENERAL,
+ DNS_LOGMODULE_DNSSEC,
+ ISC_LOG_WARNING,
+ "dns_dnssec_findmatchingkeys: "
+ "error reading key file %s: %s",
+ dir.entry.name,
+ isc_result_totext(result));
+ continue;
+ }
+
+ RETERR(dns_dnsseckey_create(mctx, &dstkey, &key));
+ key->source = dns_keysource_repository;
+ get_hints(key, now);
+
+ if (key->legacy) {
+ dns_dnsseckey_destroy(mctx, &key);
+ } else {
+ ISC_LIST_APPEND(list, key, link);
+ key = NULL;
+ }
+ }
+ }
+
+ if (!ISC_LIST_EMPTY(list))
+ ISC_LIST_APPENDLIST(*keylist, list, link);
+ else
+ result = ISC_R_NOTFOUND;
+
+ failure:
+ if (dir_open)
+ isc_dir_close(&dir);
+ INSIST(key == NULL);
+ while ((key = ISC_LIST_HEAD(list)) != NULL) {
+ ISC_LIST_UNLINK(list, key, link);
+ INSIST(key->key != NULL);
+ dst_key_free(&key->key);
+ dns_dnsseckey_destroy(mctx, &key);
+ }
+ if (dstkey != NULL)
+ dst_key_free(&dstkey);
+ return (result);
+}
+
+/*%
+ * Add 'newkey' to 'keylist' if it's not already there.
+ *
+ * If 'savekeys' is ISC_TRUE, then we need to preserve all
+ * the keys in the keyset, regardless of whether they have
+ * metadata indicating they should be deactivated or removed.
+ */
+static isc_result_t
+addkey(dns_dnsseckeylist_t *keylist, dst_key_t **newkey,
+ isc_boolean_t savekeys, isc_mem_t *mctx)
+{
+ dns_dnsseckey_t *key;
+ isc_result_t result;
+
+ /* Skip duplicates */
+ for (key = ISC_LIST_HEAD(*keylist);
+ key != NULL;
+ key = ISC_LIST_NEXT(key, link)) {
+ if (dst_key_id(key->key) == dst_key_id(*newkey) &&
+ dst_key_alg(key->key) == dst_key_alg(*newkey) &&
+ dns_name_equal(dst_key_name(key->key),
+ dst_key_name(*newkey)))
+ break;
+ }
+
+ if (key != NULL) {
+ /*
+ * Found a match. If the old key was only public and the
+ * new key is private, replace the old one; otherwise
+ * leave it. But either way, mark the key as having
+ * been found in the zone.
+ */
+ if (dst_key_isprivate(key->key)) {
+ dst_key_free(newkey);
+ } else if (dst_key_isprivate(*newkey)) {
+ dst_key_free(&key->key);
+ key->key = *newkey;
+ }
+
+ key->source = dns_keysource_zoneapex;
+ return (ISC_R_SUCCESS);
+ }
+
+ result = dns_dnsseckey_create(mctx, newkey, &key);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ if (key->legacy || savekeys) {
+ key->force_publish = ISC_TRUE;
+ key->force_sign = dst_key_isprivate(key->key);
+ }
+ key->source = dns_keysource_zoneapex;
+ ISC_LIST_APPEND(*keylist, key, link);
+ *newkey = NULL;
+ return (ISC_R_SUCCESS);
+}
+
+
+/*%
+ * Mark all keys which signed the DNSKEY/SOA RRsets as "active",
+ * for future reference.
+ */
+static isc_result_t
+mark_active_keys(dns_dnsseckeylist_t *keylist, dns_rdataset_t *rrsigs) {
+ isc_result_t result = ISC_R_SUCCESS;
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ dns_rdataset_t sigs;
+ dns_dnsseckey_t *key;
+
+ REQUIRE(rrsigs != NULL && dns_rdataset_isassociated(rrsigs));
+
+ dns_rdataset_init(&sigs);
+ dns_rdataset_clone(rrsigs, &sigs);
+ for (key = ISC_LIST_HEAD(*keylist);
+ key != NULL;
+ key = ISC_LIST_NEXT(key, link)) {
+ isc_uint16_t keyid, sigid;
+ dns_secalg_t keyalg, sigalg;
+ keyid = dst_key_id(key->key);
+ keyalg = dst_key_alg(key->key);
+
+ for (result = dns_rdataset_first(&sigs);
+ result == ISC_R_SUCCESS;
+ result = dns_rdataset_next(&sigs)) {
+ dns_rdata_rrsig_t sig;
+
+ dns_rdata_reset(&rdata);
+ dns_rdataset_current(&sigs, &rdata);
+ result = dns_rdata_tostruct(&rdata, &sig, NULL);
+ RUNTIME_CHECK(result == ISC_R_SUCCESS);
+ sigalg = sig.algorithm;
+ sigid = sig.keyid;
+ if (keyid == sigid && keyalg == sigalg) {
+ key->is_active = ISC_TRUE;
+ break;
+ }
+ }
+ }
+
+ if (result == ISC_R_NOMORE)
+ result = ISC_R_SUCCESS;
+
+ if (dns_rdataset_isassociated(&sigs))
+ dns_rdataset_disassociate(&sigs);
+ return (result);
+}
+
+/*%
+ * Add the contents of a DNSKEY rdataset 'keyset' to 'keylist'.
+ */
+isc_result_t
+dns_dnssec_keylistfromrdataset(dns_name_t *origin,
+ const char *directory, isc_mem_t *mctx,
+ dns_rdataset_t *keyset, dns_rdataset_t *keysigs,
+ dns_rdataset_t *soasigs, isc_boolean_t savekeys,
+ isc_boolean_t public,
+ dns_dnsseckeylist_t *keylist)
+{
+ dns_rdataset_t keys;
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ dst_key_t *pubkey = NULL, *privkey = NULL;
+ isc_result_t result;
+
+ REQUIRE(keyset != NULL && dns_rdataset_isassociated(keyset));
+
+ dns_rdataset_init(&keys);
+
+ dns_rdataset_clone(keyset, &keys);
+ for (result = dns_rdataset_first(&keys);
+ result == ISC_R_SUCCESS;
+ result = dns_rdataset_next(&keys)) {
+ dns_rdata_reset(&rdata);
+ dns_rdataset_current(&keys, &rdata);
+ RETERR(dns_dnssec_keyfromrdata(origin, &rdata, mctx, &pubkey));
+
+ if (!is_zone_key(pubkey) ||
+ (dst_key_flags(pubkey) & DNS_KEYTYPE_NOAUTH) != 0)
+ goto skip;
+
+ /* Corrupted .key file? */
+ if (!dns_name_equal(origin, dst_key_name(pubkey)))
+ goto skip;
+
+ if (public) {
+ RETERR(addkey(keylist, &pubkey, savekeys, mctx));
+ goto skip;
+ }
+
+ result = dst_key_fromfile(dst_key_name(pubkey),
+ dst_key_id(pubkey),
+ dst_key_alg(pubkey),
+ DST_TYPE_PUBLIC|DST_TYPE_PRIVATE,
+ directory, mctx, &privkey);
+
+ /*
+ * If the key was revoked and the private file
+ * doesn't exist, maybe it was revoked internally
+ * by named. Try loading the unrevoked version.
+ */
+ if (result == ISC_R_FILENOTFOUND) {
+ isc_uint32_t flags;
+ flags = dst_key_flags(pubkey);
+ if ((flags & DNS_KEYFLAG_REVOKE) != 0) {
+ dst_key_setflags(pubkey,
+ flags & ~DNS_KEYFLAG_REVOKE);
+ result = dst_key_fromfile(dst_key_name(pubkey),
+ dst_key_id(pubkey),
+ dst_key_alg(pubkey),
+ DST_TYPE_PUBLIC|
+ DST_TYPE_PRIVATE,
+ directory,
+ mctx, &privkey);
+ if (result == ISC_R_SUCCESS &&
+ dst_key_pubcompare(pubkey, privkey,
+ ISC_FALSE)) {
+ dst_key_setflags(privkey, flags);
+ }
+ dst_key_setflags(pubkey, flags);
+ }
+ }
+
+ if (result != ISC_R_SUCCESS) {
+ char keybuf[DNS_NAME_FORMATSIZE];
+ char algbuf[DNS_SECALG_FORMATSIZE];
+ dns_name_format(dst_key_name(pubkey), keybuf,
+ sizeof(keybuf));
+ dns_secalg_format(dst_key_alg(pubkey), algbuf,
+ sizeof(algbuf));
+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+ DNS_LOGMODULE_DNSSEC, ISC_LOG_WARNING,
+ "dns_dnssec_keylistfromrdataset: error "
+ "reading private key file %s/%s/%d: %s",
+ keybuf, algbuf, dst_key_id(pubkey),
+ isc_result_totext(result));
+ }
+
+ if (result == ISC_R_FILENOTFOUND || result == ISC_R_NOPERM) {
+ RETERR(addkey(keylist, &pubkey, savekeys, mctx));
+ goto skip;
+ }
+ RETERR(result);
+
+ /* This should never happen. */
+ if ((dst_key_flags(privkey) & DNS_KEYTYPE_NOAUTH) != 0)
+ goto skip;
+
+ RETERR(addkey(keylist, &privkey, savekeys, mctx));
+ skip:
+ if (pubkey != NULL)
+ dst_key_free(&pubkey);
+ if (privkey != NULL)
+ dst_key_free(&privkey);
+ }
+
+ if (result != ISC_R_NOMORE)
+ RETERR(result);
+
+ if (keysigs != NULL && dns_rdataset_isassociated(keysigs))
+ RETERR(mark_active_keys(keylist, keysigs));
+
+ if (soasigs != NULL && dns_rdataset_isassociated(soasigs))
+ RETERR(mark_active_keys(keylist, soasigs));
+
+ result = ISC_R_SUCCESS;
+
+ failure:
+ if (dns_rdataset_isassociated(&keys))
+ dns_rdataset_disassociate(&keys);
+ if (pubkey != NULL)
+ dst_key_free(&pubkey);
+ if (privkey != NULL)
+ dst_key_free(&privkey);
+ return (result);
+}
+
+static isc_result_t
+make_dnskey(dst_key_t *key, unsigned char *buf, int bufsize,
+ dns_rdata_t *target)
+{
+ isc_result_t result;
+ isc_buffer_t b;
+ isc_region_t r;
+
+ isc_buffer_init(&b, buf, bufsize);
+ result = dst_key_todns(key, &b);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ dns_rdata_reset(target);
+ isc_buffer_usedregion(&b, &r);
+ dns_rdata_fromregion(target, dst_key_class(key),
+ dns_rdatatype_dnskey, &r);
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+publish_key(dns_diff_t *diff, dns_dnsseckey_t *key, dns_name_t *origin,
+ dns_ttl_t ttl, isc_mem_t *mctx, isc_boolean_t allzsk,
+ void (*report)(const char *, ...))
+{
+ isc_result_t result;
+ dns_difftuple_t *tuple = NULL;
+ unsigned char buf[DST_KEY_MAXSIZE];
+ dns_rdata_t dnskey = DNS_RDATA_INIT;
+ char alg[80];
+
+ dns_rdata_reset(&dnskey);
+ RETERR(make_dnskey(key->key, buf, sizeof(buf), &dnskey));
+
+ dns_secalg_format(dst_key_alg(key->key), alg, sizeof(alg));
+ report("Fetching %s %d/%s from key %s.",
+ key->ksk ? (allzsk ? "KSK/ZSK" : "KSK") : "ZSK",
+ dst_key_id(key->key), alg,
+ key->source == dns_keysource_user ? "file" : "repository");
+
+ if (key->prepublish && ttl > key->prepublish) {
+ char keystr[DST_KEY_FORMATSIZE];
+ isc_stdtime_t now;
+
+ dst_key_format(key->key, keystr, sizeof(keystr));
+ report("Key %s: Delaying activation to match the DNSKEY TTL.\n",
+ keystr, ttl);
+
+ isc_stdtime_get(&now);
+ dst_key_settime(key->key, DST_TIME_ACTIVATE, now + ttl);
+ }
+
+ /* publish key */
+ RETERR(dns_difftuple_create(mctx, DNS_DIFFOP_ADD, origin, ttl,
+ &dnskey, &tuple));
+ dns_diff_appendminimal(diff, &tuple);
+ result = ISC_R_SUCCESS;
+
+ failure:
+ return (result);
+}
+
+static isc_result_t
+remove_key(dns_diff_t *diff, dns_dnsseckey_t *key, dns_name_t *origin,
+ dns_ttl_t ttl, isc_mem_t *mctx, const char *reason,
+ void (*report)(const char *, ...))
+{
+ isc_result_t result;
+ dns_difftuple_t *tuple = NULL;
+ unsigned char buf[DST_KEY_MAXSIZE];
+ dns_rdata_t dnskey = DNS_RDATA_INIT;
+ char alg[80];
+
+ dns_secalg_format(dst_key_alg(key->key), alg, sizeof(alg));
+ report("Removing %s key %d/%s from DNSKEY RRset.",
+ reason, dst_key_id(key->key), alg);
+
+ RETERR(make_dnskey(key->key, buf, sizeof(buf), &dnskey));
+ RETERR(dns_difftuple_create(mctx, DNS_DIFFOP_DEL, origin, ttl, &dnskey,
+ &tuple));
+ dns_diff_appendminimal(diff, &tuple);
+ result = ISC_R_SUCCESS;
+
+ failure:
+ return (result);
+}
+
+/*
+ * Update 'keys' with information from 'newkeys'.
+ *
+ * If 'removed' is not NULL, any keys that are being removed from
+ * the zone will be added to the list for post-removal processing.
+ */
+isc_result_t
+dns_dnssec_updatekeys(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *newkeys,
+ dns_dnsseckeylist_t *removed, dns_name_t *origin,
+ dns_ttl_t ttl, dns_diff_t *diff, isc_boolean_t allzsk,
+ isc_mem_t *mctx, void (*report)(const char *, ...))
+{
+ isc_result_t result;
+ dns_dnsseckey_t *key, *key1, *key2, *next;
+
+ /*
+ * First, look through the existing key list to find keys
+ * supplied from the command line which are not in the zone.
+ * Update the zone to include them.
+ */
+ for (key = ISC_LIST_HEAD(*keys);
+ key != NULL;
+ key = ISC_LIST_NEXT(key, link)) {
+ if (key->source == dns_keysource_user &&
+ (key->hint_publish || key->force_publish)) {
+ RETERR(publish_key(diff, key, origin, ttl,
+ mctx, allzsk, report));
+ }
+ }
+
+ /*
+ * Second, scan the list of newly found keys looking for matches
+ * with known keys, and update accordingly.
+ */
+ for (key1 = ISC_LIST_HEAD(*newkeys); key1 != NULL; key1 = next) {
+ isc_boolean_t key_revoked = ISC_FALSE;
+
+ next = ISC_LIST_NEXT(key1, link);
+
+ for (key2 = ISC_LIST_HEAD(*keys);
+ key2 != NULL;
+ key2 = ISC_LIST_NEXT(key2, link)) {
+ if (dst_key_pubcompare(key1->key, key2->key,
+ ISC_TRUE)) {
+ int r1, r2;
+ r1 = dst_key_flags(key1->key) &
+ DNS_KEYFLAG_REVOKE;
+ r2 = dst_key_flags(key2->key) &
+ DNS_KEYFLAG_REVOKE;
+ key_revoked = ISC_TF(r1 != r2);
+ break;
+ }
+ }
+
+ /* No match found in keys; add the new key. */
+ if (key2 == NULL) {
+ ISC_LIST_UNLINK(*newkeys, key1, link);
+ ISC_LIST_APPEND(*keys, key1, link);
+
+ if (key1->source != dns_keysource_zoneapex &&
+ (key1->hint_publish || key1->force_publish)) {
+ RETERR(publish_key(diff, key1, origin, ttl,
+ mctx, allzsk, report));
+ if (key1->hint_sign || key1->force_sign)
+ key1->first_sign = ISC_TRUE;
+ }
+
+ continue;
+ }
+
+ /* Match found: remove or update it as needed */
+ if (key1->hint_remove) {
+ RETERR(remove_key(diff, key2, origin, ttl, mctx,
+ "expired", report));
+ ISC_LIST_UNLINK(*keys, key2, link);
+ if (removed != NULL)
+ ISC_LIST_APPEND(*removed, key2, link);
+ else
+ dns_dnsseckey_destroy(mctx, &key2);
+ } else if (key_revoked &&
+ (dst_key_flags(key1->key) & DNS_KEYFLAG_REVOKE) != 0) {
+
+ /*
+ * A previously valid key has been revoked.
+ * We need to remove the old version and pull
+ * in the new one.
+ */
+ RETERR(remove_key(diff, key2, origin, ttl, mctx,
+ "revoked", report));
+ ISC_LIST_UNLINK(*keys, key2, link);
+ if (removed != NULL)
+ ISC_LIST_APPEND(*removed, key2, link);
+ else
+ dns_dnsseckey_destroy(mctx, &key2);
+
+ RETERR(publish_key(diff, key1, origin, ttl,
+ mctx, allzsk, report));
+ ISC_LIST_UNLINK(*newkeys, key1, link);
+ ISC_LIST_APPEND(*keys, key1, link);
+
+ /*
+ * XXX: The revoke flag is only defined for trust
+ * anchors. Setting the flag on a non-KSK is legal,
+ * but not defined in any RFC. It seems reasonable
+ * to treat it the same as a KSK: keep it in the
+ * zone, sign the DNSKEY set with it, but not
+ * sign other records with it.
+ */
+ key1->ksk = ISC_TRUE;
+ continue;
+ } else {
+ if (!key2->is_active &&
+ (key1->hint_sign || key1->force_sign))
+ key2->first_sign = ISC_TRUE;
+ key2->hint_sign = key1->hint_sign;
+ key2->hint_publish = key1->hint_publish;
+ }
+ }
+
+ /* Free any leftover keys in newkeys */
+ while (!ISC_LIST_EMPTY(*newkeys)) {
+ key1 = ISC_LIST_HEAD(*newkeys);
+ ISC_LIST_UNLINK(*newkeys, key1, link);
+ dns_dnsseckey_destroy(mctx, &key1);
+ }
+
+ result = ISC_R_SUCCESS;
+
+ failure:
+ return (result);
+}
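Review bot: In `addkey()`, the branch that replaces a public-only list entry with a private key stores `*newkey` in `key->key` but leaves the caller's pointer set, unlike the append path below it, which ends with `*newkey = NULL;`. The caller in this hunk, `dns_dnssec_keylistfromrdataset()`, frees `privkey` at `skip:` whenever it is non-NULL, so after that branch the list entry would point at a freed key. Adding `*newkey = NULL;` after `key->key = *newkey;` keeps the ownership transfer the same on both paths; whether the branch is reachable depends on how callers seed `keylist`, which the hunk does not show. Separately, `dns_dnssec_findmatchingkeys()` never resets `result` before appending a non-empty `list`, so a read failure on the last matching file is returned even though keys were handed to the caller; `result = ISC_R_SUCCESS;` in that branch would fix it.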
diff --git a/contrib/bind9/lib/dns/ds.c b/contrib/bind9/lib/dns/ds.c
index 7a93914c29ad..e72ecbb6cc2c 100644
--- a/contrib/bind9/lib/dns/ds.c
+++ b/contrib/bind9/lib/dns/ds.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2007, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2010, 2012 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2002, 2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: ds.c,v 1.13 2010/12/23 23:47:08 tbox Exp $ */
/*! \file */
@@ -38,6 +38,13 @@
#include <dst/dst.h>
+#ifdef HAVE_OPENSSL_GOST
+#include <dst/result.h>
+#include <openssl/evp.h>
+
+extern const EVP_MD * EVP_gost(void);
+#endif
+
isc_result_t
dns_ds_buildrdata(dns_name_t *owner, dns_rdata_t *key,
unsigned int digest_type, unsigned char *buffer,
@@ -45,10 +52,17 @@ dns_ds_buildrdata(dns_name_t *owner, dns_rdata_t *key,
{
dns_fixedname_t fname;
dns_name_t *name;
- unsigned char digest[ISC_SHA256_DIGESTLENGTH];
+ unsigned char digest[ISC_SHA384_DIGESTLENGTH];
isc_region_t r;
isc_buffer_t b;
dns_rdata_ds_t ds;
+ isc_sha1_t sha1;
+ isc_sha256_t sha256;
+ isc_sha384_t sha384;
+#ifdef HAVE_OPENSSL_GOST
+ EVP_MD_CTX ctx;
+ const EVP_MD *md;
+#endif
REQUIRE(key != NULL);
REQUIRE(key->type == dns_rdatatype_dnskey);
@@ -63,8 +77,8 @@ dns_ds_buildrdata(dns_name_t *owner, dns_rdata_t *key,
memset(buffer, 0, DNS_DS_BUFFERSIZE);
isc_buffer_init(&b, buffer, DNS_DS_BUFFERSIZE);
- if (digest_type == DNS_DSDIGEST_SHA1) {
- isc_sha1_t sha1;
+ switch (digest_type) {
+ case DNS_DSDIGEST_SHA1:
isc_sha1_init(&sha1);
dns_name_toregion(name, &r);
isc_sha1_update(&sha1, r.base, r.length);
@@ -72,8 +86,46 @@ dns_ds_buildrdata(dns_name_t *owner, dns_rdata_t *key,
INSIST(r.length >= 4);
isc_sha1_update(&sha1, r.base, r.length);
isc_sha1_final(&sha1, digest);
- } else {
- isc_sha256_t sha256;
+ break;
+
+#ifdef HAVE_OPENSSL_GOST
+#define CHECK(x) \
+ if ((x) != 1) { \
+ EVP_MD_CTX_cleanup(&ctx); \
+ return (DST_R_CRYPTOFAILURE); \
+ }
+
+ case DNS_DSDIGEST_GOST:
+ md = EVP_gost();
+ if (md == NULL)
+ return (DST_R_CRYPTOFAILURE);
+ EVP_MD_CTX_init(&ctx);
+ CHECK(EVP_DigestInit(&ctx, md));
+ dns_name_toregion(name, &r);
+ CHECK(EVP_DigestUpdate(&ctx,
+ (const void *) r.base,
+ (size_t) r.length));
+ dns_rdata_toregion(key, &r);
+ INSIST(r.length >= 4);
+ CHECK(EVP_DigestUpdate(&ctx,
+ (const void *) r.base,
+ (size_t) r.length));
+ CHECK(EVP_DigestFinal(&ctx, digest, NULL));
+ break;
+#endif
+
+ case DNS_DSDIGEST_SHA384:
+ isc_sha384_init(&sha384);
+ dns_name_toregion(name, &r);
+ isc_sha384_update(&sha384, r.base, r.length);
+ dns_rdata_toregion(key, &r);
+ INSIST(r.length >= 4);
+ isc_sha384_update(&sha384, r.base, r.length);
+ isc_sha384_final(digest, &sha384);
+ break;
+
+ case DNS_DSDIGEST_SHA256:
+ default:
isc_sha256_init(&sha256);
dns_name_toregion(name, &r);
isc_sha256_update(&sha256, r.base, r.length);
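Review bot: The `default:` label shares the SHA-256 arm, so a `digest_type` this build does not implement is hashed with SHA-256 while `ds.digest_type` (assigned in the `@@ -89,8 +142,26 @@` hunk) keeps the caller's value; the `ds.length` switch in that hunk has the same fallback. That includes `DNS_DSDIGEST_GOST` when `HAVE_OPENSSL_GOST` is not defined. Rejecting the value before the first switch, for example `if (!dns_ds_digest_supported(digest_type)) return (ISC_R_NOTIMPLEMENTED);`, would keep a mislabelled DS record from being built, assuming the prototype is visible at that point. The function body starts and ends outside this hunk.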
@@ -81,6 +133,7 @@ dns_ds_buildrdata(dns_name_t *owner, dns_rdata_t *key,
INSIST(r.length >= 4);
isc_sha256_update(&sha256, r.base, r.length);
isc_sha256_final(digest, &sha256);
+ break;
}
ds.mctx = NULL;
@@ -89,8 +142,26 @@ dns_ds_buildrdata(dns_name_t *owner, dns_rdata_t *key,
ds.algorithm = r.base[3];
ds.key_tag = dst_region_computeid(&r, ds.algorithm);
ds.digest_type = digest_type;
- ds.length = (digest_type == DNS_DSDIGEST_SHA1) ?
- ISC_SHA1_DIGESTLENGTH : ISC_SHA256_DIGESTLENGTH;
+ switch (digest_type) {
+ case DNS_DSDIGEST_SHA1:
+ ds.length = ISC_SHA1_DIGESTLENGTH;
+ break;
+
+#ifdef HAVE_OPENSSL_GOST
+ case DNS_DSDIGEST_GOST:
+ ds.length = ISC_GOST_DIGESTLENGTH;
+ break;
+#endif
+
+ case DNS_DSDIGEST_SHA384:
+ ds.length = ISC_SHA384_DIGESTLENGTH;
+ break;
+
+ case DNS_DSDIGEST_SHA256:
+ default:
+ ds.length = ISC_SHA256_DIGESTLENGTH;
+ break;
+ }
ds.digest = digest;
return (dns_rdata_fromstruct(rdata, key->rdclass, dns_rdatatype_ds,
@@ -99,6 +170,14 @@ dns_ds_buildrdata(dns_name_t *owner, dns_rdata_t *key,
isc_boolean_t
dns_ds_digest_supported(unsigned int digest_type) {
+#ifdef HAVE_OPENSSL_GOST
+ return (ISC_TF(digest_type == DNS_DSDIGEST_SHA1 ||
+ digest_type == DNS_DSDIGEST_SHA256 ||
+ digest_type == DNS_DSDIGEST_GOST ||
+ digest_type == DNS_DSDIGEST_SHA384));
+#else
return (ISC_TF(digest_type == DNS_DSDIGEST_SHA1 ||
- digest_type == DNS_DSDIGEST_SHA256));
+ digest_type == DNS_DSDIGEST_SHA256 ||
+ digest_type == DNS_DSDIGEST_SHA384));
+#endif
}
diff --git a/contrib/bind9/lib/dns/dst_api.c b/contrib/bind9/lib/dns/dst_api.c
index 7b69538ebd82..f5dd89ad4f5e 100644
--- a/contrib/bind9/lib/dns/dst_api.c
+++ b/contrib/bind9/lib/dns/dst_api.c
@@ -39,6 +39,7 @@
#include <config.h>
#include <stdlib.h>
+#include <time.h>
#include <isc/buffer.h>
#include <isc/dir.h>
@@ -48,12 +49,14 @@
#include <isc/lex.h>
#include <isc/mem.h>
#include <isc/once.h>
+#include <isc/platform.h>
#include <isc/print.h>
#include <isc/refcount.h>
#include <isc/random.h>
#include <isc/string.h>
#include <isc/time.h>
#include <isc/util.h>
+#include <isc/file.h>
#include <dns/fixedname.h>
#include <dns/keyvalues.h>
@@ -70,7 +73,9 @@
#define DST_AS_STR(t) ((t).value.as_textregion.base)
static dst_func_t *dst_t_func[DST_MAX_ALGS];
+#ifdef BIND9
static isc_entropy_t *dst_entropy_pool = NULL;
+#endif
static unsigned int dst_entropy_flags = 0;
static isc_boolean_t dst_initialized = ISC_FALSE;
@@ -108,10 +113,11 @@ static isc_result_t frombuffer(dns_name_t *name,
static isc_result_t algorithm_status(unsigned int alg);
-static isc_result_t addsuffix(char *filename, unsigned int len,
- const char *ofilename, const char *suffix);
+static isc_result_t addsuffix(char *filename, int len,
+ const char *dirname, const char *ofilename,
+ const char *suffix);
-#define RETERR(x) \
+#define RETERR(x) \
do { \
result = (x); \
if (result != ISC_R_SUCCESS) \
@@ -126,7 +132,7 @@ static isc_result_t addsuffix(char *filename, unsigned int len,
return (_r); \
} while (0); \
-#ifdef OPENSSL
+#if defined(OPENSSL) && defined(BIND9)
static void *
default_memalloc(void *arg, size_t size) {
UNUSED(arg);
@@ -144,14 +150,29 @@ default_memfree(void *arg, void *ptr) {
isc_result_t
dst_lib_init(isc_mem_t *mctx, isc_entropy_t *ectx, unsigned int eflags) {
+ return (dst_lib_init2(mctx, ectx, NULL, eflags));
+}
+
+isc_result_t
+dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx,
+ const char *engine, unsigned int eflags) {
isc_result_t result;
- REQUIRE(mctx != NULL && ectx != NULL);
+ REQUIRE(mctx != NULL);
+#ifdef BIND9
+ REQUIRE(ectx != NULL);
+#else
+ UNUSED(ectx);
+#endif
REQUIRE(dst_initialized == ISC_FALSE);
+#ifndef OPENSSL
+ UNUSED(engine);
+#endif
+
dst__memory_pool = NULL;
-#ifdef OPENSSL
+#if defined(OPENSSL) && defined(BIND9)
UNUSED(mctx);
/*
* When using --with-openssl, there seems to be no good way of not
@@ -166,11 +187,15 @@ dst_lib_init(isc_mem_t *mctx, isc_entropy_t *ectx, unsigned int eflags) {
if (result != ISC_R_SUCCESS)
return (result);
isc_mem_setname(dst__memory_pool, "dst", NULL);
+#ifndef OPENSSL_LEAKS
isc_mem_setdestroycheck(dst__memory_pool, ISC_FALSE);
+#endif
#else
isc_mem_attach(mctx, &dst__memory_pool);
#endif
+#ifdef BIND9
isc_entropy_attach(ectx, &dst_entropy_pool);
+#endif
dst_entropy_flags = eflags;
dst_result_register();
@@ -183,7 +208,7 @@ dst_lib_init(isc_mem_t *mctx, isc_entropy_t *ectx, unsigned int eflags) {
RETERR(dst__hmacsha384_init(&dst_t_func[DST_ALG_HMACSHA384]));
RETERR(dst__hmacsha512_init(&dst_t_func[DST_ALG_HMACSHA512]));
#ifdef OPENSSL
- RETERR(dst__openssl_init());
+ RETERR(dst__openssl_init(engine));
RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSAMD5],
DST_ALG_RSAMD5));
RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSASHA1],
@@ -199,6 +224,13 @@ dst_lib_init(isc_mem_t *mctx, isc_entropy_t *ectx, unsigned int eflags) {
RETERR(dst__openssldsa_init(&dst_t_func[DST_ALG_NSEC3DSA]));
#endif
RETERR(dst__openssldh_init(&dst_t_func[DST_ALG_DH]));
+#ifdef HAVE_OPENSSL_GOST
+ RETERR(dst__opensslgost_init(&dst_t_func[DST_ALG_ECCGOST]));
+#endif
+#ifdef HAVE_OPENSSL_ECDSA
+ RETERR(dst__opensslecdsa_init(&dst_t_func[DST_ALG_ECDSA256]));
+ RETERR(dst__opensslecdsa_init(&dst_t_func[DST_ALG_ECDSA384]));
+#endif
#endif /* OPENSSL */
#ifdef GSSAPI
RETERR(dst__gssapi_init(&dst_t_func[DST_ALG_GSSAPI]));
@@ -207,6 +239,8 @@ dst_lib_init(isc_mem_t *mctx, isc_entropy_t *ectx, unsigned int eflags) {
return (ISC_R_SUCCESS);
out:
+ /* avoid immediate crash! */
+ dst_initialized = ISC_TRUE;
dst_lib_destroy();
return (result);
}
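Review bot: The comment `/* avoid immediate crash! */` does not say what would crash or why it is safe to set `dst_initialized` after a failed init. Presumably `dst_lib_destroy()` asserts `dst_initialized`, and the flag is set only so the partially initialised state can be torn down; if so, a comment such as `/* dst_lib_destroy() requires dst_initialized; set it so the partial init can be torn down */` would say that. It would also help to note that `dst_lib_destroy()` is expected to clear the flag again, since this path returns an error with the library unusable. Both function bodies lie outside this hunk.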
@@ -225,9 +259,10 @@ dst_lib_destroy(void) {
#endif
if (dst__memory_pool != NULL)
isc_mem_detach(&dst__memory_pool);
+#ifdef BIND9
if (dst_entropy_pool != NULL)
isc_entropy_detach(&dst_entropy_pool);
-
+#endif
}
isc_boolean_t
@@ -402,7 +437,7 @@ dst_key_fromfile(dns_name_t *name, dns_keytag_t id,
return (result);
key = NULL;
- result = dst_key_fromnamedfile(filename, type, mctx, &key);
+ result = dst_key_fromnamedfile(filename, NULL, type, mctx, &key);
if (result != ISC_R_SUCCESS)
return (result);
@@ -417,19 +452,17 @@ dst_key_fromfile(dns_name_t *name, dns_keytag_t id,
dst_key_free(&key);
return (DST_R_INVALIDPRIVATEKEY);
}
- key->key_id = id;
*keyp = key;
return (ISC_R_SUCCESS);
}
isc_result_t
-dst_key_fromnamedfile(const char *filename, int type, isc_mem_t *mctx,
- dst_key_t **keyp)
+dst_key_fromnamedfile(const char *filename, const char *dirname,
+ int type, isc_mem_t *mctx, dst_key_t **keyp)
{
isc_result_t result;
dst_key_t *pubkey = NULL, *key = NULL;
- dns_keytag_t id;
char *newfilename = NULL;
int newfilenamelen = 0;
isc_lex_t *lex = NULL;
@@ -440,11 +473,23 @@ dst_key_fromnamedfile(const char *filename, int type, isc_mem_t *mctx,
REQUIRE(mctx != NULL);
REQUIRE(keyp != NULL && *keyp == NULL);
+ /* If an absolute path is specified, don't use the key directory */
+#ifndef WIN32
+ if (filename[0] == '/')
+ dirname = NULL;
+#else /* WIN32 */
+ if (filename[0] == '/' || filename[0] == '\\')
+ dirname = NULL;
+#endif
+
newfilenamelen = strlen(filename) + 5;
+ if (dirname != NULL)
+ newfilenamelen += strlen(dirname) + 1;
newfilename = isc_mem_get(mctx, newfilenamelen);
if (newfilename == NULL)
return (ISC_R_NOMEMORY);
- result = addsuffix(newfilename, newfilenamelen, filename, ".key");
+ result = addsuffix(newfilename, newfilenamelen,
+ dirname, filename, ".key");
INSIST(result == ISC_R_SUCCESS);
result = dst_key_read_public(newfilename, type, mctx, &pubkey);
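Review bot: The absolute-path test added here looks only at the first character, so on the WIN32 side a drive-qualified path such as `C:\keys\Kexample` would still get `dirname` prepended. `<isc/file.h>`, which this commit adds to the includes, declares `isc_file_isabsolute()`; `if (isc_file_isabsolute(filename)) dirname = NULL;` could replace the `#ifndef WIN32` block and keep the platform rules in one place. Before switching, it should be confirmed that the helper also treats the single leading `/` and `\` forms accepted here as absolute. The function continues outside this hunk.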
@@ -474,38 +519,43 @@ dst_key_fromnamedfile(const char *filename, int type, isc_mem_t *mctx,
key = get_key_struct(pubkey->key_name, pubkey->key_alg,
pubkey->key_flags, pubkey->key_proto, 0,
pubkey->key_class, mctx);
- id = pubkey->key_id;
- dst_key_free(&pubkey);
-
- if (key == NULL)
+ if (key == NULL) {
+ dst_key_free(&pubkey);
return (ISC_R_NOMEMORY);
+ }
if (key->func->parse == NULL)
RETERR(DST_R_UNSUPPORTEDALG);
newfilenamelen = strlen(filename) + 9;
+ if (dirname != NULL)
+ newfilenamelen += strlen(dirname) + 1;
newfilename = isc_mem_get(mctx, newfilenamelen);
if (newfilename == NULL)
RETERR(ISC_R_NOMEMORY);
- result = addsuffix(newfilename, newfilenamelen, filename, ".private");
+ result = addsuffix(newfilename, newfilenamelen,
+ dirname, filename, ".private");
INSIST(result == ISC_R_SUCCESS);
RETERR(isc_lex_create(mctx, 1500, &lex));
RETERR(isc_lex_openfile(lex, newfilename));
isc_mem_put(mctx, newfilename, newfilenamelen);
- RETERR(key->func->parse(key, lex));
+ RETERR(key->func->parse(key, lex, pubkey));
isc_lex_destroy(&lex);
RETERR(computeid(key));
- if (id != key->key_id)
+ if (pubkey->key_id != key->key_id)
RETERR(DST_R_INVALIDPRIVATEKEY);
+ dst_key_free(&pubkey);
*keyp = key;
return (ISC_R_SUCCESS);
out:
+ if (pubkey != NULL)
+ dst_key_free(&pubkey);
if (newfilename != NULL)
isc_mem_put(mctx, newfilename, newfilenamelen);
if (lex != NULL)
@@ -552,7 +602,7 @@ dst_key_fromdns(dns_name_t *name, dns_rdataclass_t rdclass,
isc_uint8_t alg, proto;
isc_uint32_t flags, extflags;
dst_key_t *key = NULL;
- dns_keytag_t id;
+ dns_keytag_t id, rid;
isc_region_t r;
isc_result_t result;
@@ -567,6 +617,7 @@ dst_key_fromdns(dns_name_t *name, dns_rdataclass_t rdclass,
alg = isc_buffer_getuint8(source);
id = dst_region_computeid(&r, alg);
+ rid = dst_region_computerid(&r, alg);
if (flags & DNS_KEYFLAG_EXTENDED) {
if (isc_buffer_remaininglength(source) < 2)
@@ -580,6 +631,7 @@ dst_key_fromdns(dns_name_t *name, dns_rdataclass_t rdclass,
if (result != ISC_R_SUCCESS)
return (result);
key->key_id = id;
+ key->key_rid = rid;
*keyp = key;
return (ISC_R_SUCCESS);
@@ -640,7 +692,7 @@ dst_key_privatefrombuffer(dst_key_t *key, isc_buffer_t *buffer) {
RETERR(isc_lex_create(key->mctx, 1500, &lex));
RETERR(isc_lex_openbuffer(lex, buffer));
- RETERR(key->func->parse(key, lex));
+ RETERR(key->func->parse(key, lex, NULL));
out:
if (lex != NULL)
isc_lex_destroy(&lex);
@@ -657,9 +709,10 @@ dst_key_getgssctx(const dst_key_t *key)
isc_result_t
dst_key_fromgssapi(dns_name_t *name, gss_ctx_id_t gssctx, isc_mem_t *mctx,
- dst_key_t **keyp)
+ dst_key_t **keyp, isc_region_t *intoken)
{
dst_key_t *key;
+ isc_result_t result;
REQUIRE(gssctx != NULL);
REQUIRE(keyp != NULL && *keyp == NULL);
@@ -669,9 +722,21 @@ dst_key_fromgssapi(dns_name_t *name, gss_ctx_id_t gssctx, isc_mem_t *mctx,
if (key == NULL)
return (ISC_R_NOMEMORY);
+ if (intoken != NULL) {
+ /*
+ * Keep the token for use by external ssu rules. They may need
+ * to examine the PAC in the kerberos ticket.
+ */
+ RETERR(isc_buffer_allocate(key->mctx, &key->key_tkeytoken,
+ intoken->length));
+ RETERR(isc_buffer_copyregion(key->key_tkeytoken, intoken));
+ }
+
key->keydata.gssctx = gssctx;
*keyp = key;
- return (ISC_R_SUCCESS);
+ result = ISC_R_SUCCESS;
+out:
+ return result;
}
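Review bot: The new `RETERR()` calls jump to `out:` when allocating or copying the token fails, and `out:` returns without releasing `key`, which has already been allocated by then (the `key == NULL` check precedes the block). Each failure would therefore leak the key structure, and `key_tkeytoken` as well when only the copy fails. Freeing on the error path, `if (result != ISC_R_SUCCESS) dst_key_free(&key);` placed under `out:`, would close that, provided `dst_key_free()` also releases `key_tkeytoken`, which this hunk does not show. `return result;` also departs from the `return (result);` form used in the rest of the file.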
isc_result_t
@@ -723,6 +788,18 @@ dst_key_generate(dns_name_t *name, unsigned int alg,
dns_rdataclass_t rdclass,
isc_mem_t *mctx, dst_key_t **keyp)
{
+ return (dst_key_generate2(name, alg, bits, param, flags, protocol,
+ rdclass, mctx, keyp, NULL));
+}
+
+isc_result_t
+dst_key_generate2(dns_name_t *name, unsigned int alg,
+ unsigned int bits, unsigned int param,
+ unsigned int flags, unsigned int protocol,
+ dns_rdataclass_t rdclass,
+ isc_mem_t *mctx, dst_key_t **keyp,
+ void (*callback)(int))
+{
dst_key_t *key;
isc_result_t ret;
@@ -748,7 +825,7 @@ dst_key_generate(dns_name_t *name, unsigned int alg,
return (DST_R_UNSUPPORTEDALG);
}
- ret = key->func->generate(key, param);
+ ret = key->func->generate(key, param, callback);
if (ret != ISC_R_SUCCESS) {
dst_key_free(&key);
return (ret);
@@ -764,25 +841,175 @@ dst_key_generate(dns_name_t *name, unsigned int alg,
return (ISC_R_SUCCESS);
}
-isc_boolean_t
-dst_key_compare(const dst_key_t *key1, const dst_key_t *key2) {
+isc_result_t
+dst_key_getnum(const dst_key_t *key, int type, isc_uint32_t *valuep)
+{
+ REQUIRE(VALID_KEY(key));
+ REQUIRE(valuep != NULL);
+ REQUIRE(type <= DST_MAX_NUMERIC);
+ if (!key->numset[type])
+ return (ISC_R_NOTFOUND);
+ *valuep = key->nums[type];
+ return (ISC_R_SUCCESS);
+}
+
+void
+dst_key_setnum(dst_key_t *key, int type, isc_uint32_t value)
+{
+ REQUIRE(VALID_KEY(key));
+ REQUIRE(type <= DST_MAX_NUMERIC);
+ key->nums[type] = value;
+ key->numset[type] = ISC_TRUE;
+}
+
+void
+dst_key_unsetnum(dst_key_t *key, int type)
+{
+ REQUIRE(VALID_KEY(key));
+ REQUIRE(type <= DST_MAX_NUMERIC);
+ key->numset[type] = ISC_FALSE;
+}
+
+isc_result_t
+dst_key_gettime(const dst_key_t *key, int type, isc_stdtime_t *timep) {
+ REQUIRE(VALID_KEY(key));
+ REQUIRE(timep != NULL);
+ REQUIRE(type <= DST_MAX_TIMES);
+ if (!key->timeset[type])
+ return (ISC_R_NOTFOUND);
+ *timep = key->times[type];
+ return (ISC_R_SUCCESS);
+}
+
+void
+dst_key_settime(dst_key_t *key, int type, isc_stdtime_t when) {
+ REQUIRE(VALID_KEY(key));
+ REQUIRE(type <= DST_MAX_TIMES);
+ key->times[type] = when;
+ key->timeset[type] = ISC_TRUE;
+}
+
+void
+dst_key_unsettime(dst_key_t *key, int type) {
+ REQUIRE(VALID_KEY(key));
+ REQUIRE(type <= DST_MAX_TIMES);
+ key->timeset[type] = ISC_FALSE;
+}
+
+isc_result_t
+dst_key_getprivateformat(const dst_key_t *key, int *majorp, int *minorp) {
+ REQUIRE(VALID_KEY(key));
+ REQUIRE(majorp != NULL);
+ REQUIRE(minorp != NULL);
+ *majorp = key->fmt_major;
+ *minorp = key->fmt_minor;
+ return (ISC_R_SUCCESS);
+}
+
+void
+dst_key_setprivateformat(dst_key_t *key, int major, int minor) {
+ REQUIRE(VALID_KEY(key));
+ key->fmt_major = major;
+ key->fmt_minor = minor;
+}
+
+static isc_boolean_t
+comparekeys(const dst_key_t *key1, const dst_key_t *key2,
+ isc_boolean_t match_revoked_key,
+ isc_boolean_t (*compare)(const dst_key_t *key1,
+ const dst_key_t *key2))
+{
REQUIRE(dst_initialized == ISC_TRUE);
REQUIRE(VALID_KEY(key1));
REQUIRE(VALID_KEY(key2));
if (key1 == key2)
return (ISC_TRUE);
+
if (key1 == NULL || key2 == NULL)
return (ISC_FALSE);
- if (key1->key_alg == key2->key_alg &&
- key1->key_id == key2->key_id &&
- key1->func->compare != NULL &&
- key1->func->compare(key1, key2) == ISC_TRUE)
- return (ISC_TRUE);
+
+ if (key1->key_alg != key2->key_alg)
+ return (ISC_FALSE);
+
+ if (key1->key_id != key2->key_id) {
+ if (!match_revoked_key)
+ return (ISC_FALSE);
+ if (key1->key_alg == DST_ALG_RSAMD5)
+ return (ISC_FALSE);
+ if ((key1->key_flags & DNS_KEYFLAG_REVOKE) ==
+ (key2->key_flags & DNS_KEYFLAG_REVOKE))
+ return (ISC_FALSE);
+ if (key1->key_id != key2->key_rid &&
+ key1->key_rid != key2->key_id)
+ return (ISC_FALSE);
+ }
+
+ if (compare != NULL)
+ return (compare(key1, key2));
else
return (ISC_FALSE);
}
+
+/*
+ * Compares only the public portion of two keys, by converting them
+ * both to wire format and comparing the results.
+ */
+static isc_boolean_t
+pub_compare(const dst_key_t *key1, const dst_key_t *key2) {
+ isc_result_t result;
+ unsigned char buf1[DST_KEY_MAXSIZE], buf2[DST_KEY_MAXSIZE];
+ isc_buffer_t b1, b2;
+ isc_region_t r1, r2;
+
+ isc_buffer_init(&b1, buf1, sizeof(buf1));
+ result = dst_key_todns(key1, &b1);
+ if (result != ISC_R_SUCCESS)
+ return (ISC_FALSE);
+ /* Zero out flags. */
+ buf1[0] = buf1[1] = 0;
+ if ((key1->key_flags & DNS_KEYFLAG_EXTENDED) != 0)
+ isc_buffer_subtract(&b1, 2);
+
+ isc_buffer_init(&b2, buf2, sizeof(buf2));
+ result = dst_key_todns(key2, &b2);
+ if (result != ISC_R_SUCCESS)
+ return (ISC_FALSE);
+ /* Zero out flags. */
+ buf2[0] = buf2[1] = 0;
+ if ((key2->key_flags & DNS_KEYFLAG_EXTENDED) != 0)
+ isc_buffer_subtract(&b2, 2);
+
+ isc_buffer_usedregion(&b1, &r1);
+ /* Remove extended flags. */
+ if ((key1->key_flags & DNS_KEYFLAG_EXTENDED) != 0) {
+ memmove(&buf1[4], &buf1[6], r1.length - 6);
+ r1.length -= 2;
+ }
+
+ isc_buffer_usedregion(&b2, &r2);
+ /* Remove extended flags. */
+ if ((key2->key_flags & DNS_KEYFLAG_EXTENDED) != 0) {
+ memmove(&buf2[4], &buf2[6], r2.length - 6);
+ r2.length -= 2;
+ }
+ return (ISC_TF(isc_region_compare(&r1, &r2) == 0));
+}
+
+isc_boolean_t
+dst_key_compare(const dst_key_t *key1, const dst_key_t *key2) {
+ return (comparekeys(key1, key2, ISC_FALSE, key1->func->compare));
+}
+
+isc_boolean_t
+dst_key_pubcompare(const dst_key_t *key1, const dst_key_t *key2,
+ isc_boolean_t match_revoked_key)
+{
+ return (comparekeys(key1, key2, match_revoked_key, pub_compare));
+}
+
+
isc_boolean_t
dst_key_paramcompare(const dst_key_t *key1, const dst_key_t *key2) {
REQUIRE(dst_initialized == ISC_TRUE);
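Review bot: In `pub_compare` the two extended-flags bytes look like they are removed twice. `isc_buffer_subtract(&b1, 2)` already shortens the used region before `isc_buffer_usedregion(&b1, &r1)`, and the later branch then runs `memmove(&buf1[4], &buf1[6], r1.length - 6)` and `r1.length -= 2` on that shortened length; the same applies to `b2`/`r2`. If that reading is right, the trailing bytes of key material drop out of the comparison for keys carrying DNS_KEYFLAG_EXTENDED. `r1.length - 6` may also wrap if the region is shorter than six bytes, assuming the length field is unsigned. I would drop the two `isc_buffer_subtract` calls and add `if (r1.length < 6) return (ISC_FALSE);` before each memmove, so the equality test used for revoked-key matching covers the whole public key.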
@@ -839,6 +1066,9 @@ dst_key_free(dst_key_t **keyp) {
isc_mem_free(mctx, key->label);
dns_name_free(key->key_name, mctx);
isc_mem_put(mctx, key->key_name, sizeof(dns_name_t));
+ if (key->key_tkeytoken) {
+ isc_buffer_free(&key->key_tkeytoken);
+ }
memset(key, 0, sizeof(dst_key_t));
isc_mem_put(mctx, key, sizeof(dst_key_t));
*keyp = NULL;
@@ -882,6 +1112,15 @@ dst_key_sigsize(const dst_key_t *key, unsigned int *n) {
case DST_ALG_NSEC3DSA:
*n = DNS_SIG_DSASIGSIZE;
break;
+ case DST_ALG_ECCGOST:
+ *n = DNS_SIG_GOSTSIGSIZE;
+ break;
+ case DST_ALG_ECDSA256:
+ *n = DNS_SIG_ECDSA256SIZE;
+ break;
+ case DST_ALG_ECDSA384:
+ *n = DNS_SIG_ECDSA384SIZE;
+ break;
case DST_ALG_HMACMD5:
*n = 16;
break;
@@ -923,6 +1162,69 @@ dst_key_secretsize(const dst_key_t *key, unsigned int *n) {
return (ISC_R_SUCCESS);
}
+/*%
+ * Set the flags on a key, then recompute the key ID
+ */
+isc_result_t
+dst_key_setflags(dst_key_t *key, isc_uint32_t flags) {
+ REQUIRE(VALID_KEY(key));
+ key->key_flags = flags;
+ return (computeid(key));
+}
+
+void
+dst_key_format(const dst_key_t *key, char *cp, unsigned int size) {
+ char namestr[DNS_NAME_FORMATSIZE];
+ char algstr[DNS_NAME_FORMATSIZE];
+
+ dns_name_format(dst_key_name(key), namestr, sizeof(namestr));
+ dns_secalg_format((dns_secalg_t) dst_key_alg(key), algstr,
+ sizeof(algstr));
+ snprintf(cp, size, "%s/%s/%d", namestr, algstr, dst_key_id(key));
+}
+
+isc_result_t
+dst_key_dump(dst_key_t *key, isc_mem_t *mctx, char **buffer, int *length) {
+
+ REQUIRE(buffer != NULL && *buffer == NULL);
+ REQUIRE(length != NULL && *length == 0);
+ REQUIRE(VALID_KEY(key));
+
+ if (key->func->isprivate == NULL)
+ return (ISC_R_NOTIMPLEMENTED);
+ return (key->func->dump(key, mctx, buffer, length));
+}
+
+isc_result_t
+dst_key_restore(dns_name_t *name, unsigned int alg, unsigned int flags,
+ unsigned int protocol, dns_rdataclass_t rdclass,
+ isc_mem_t *mctx, const char *keystr, dst_key_t **keyp)
+{
+ isc_result_t result;
+ dst_key_t *key;
+
+ REQUIRE(dst_initialized == ISC_TRUE);
+ REQUIRE(keyp != NULL && *keyp == NULL);
+
+ if (alg >= DST_MAX_ALGS || dst_t_func[alg] == NULL)
+ return (DST_R_UNSUPPORTEDALG);
+
+ if (dst_t_func[alg]->restore == NULL)
+ return (ISC_R_NOTIMPLEMENTED);
+
+ key = get_key_struct(name, alg, flags, protocol, 0, rdclass, mctx);
+ if (key == NULL)
+ return (ISC_R_NOMEMORY);
+
+ result = (dst_t_func[alg]->restore)(key, keystr);
+ if (result == ISC_R_SUCCESS)
+ *keyp = key;
+ else
+ dst_key_free(&key);
+
+ return (result);
+}
+
/***
*** Static methods
***/
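Review bot: `dst_key_dump` tests the wrong function pointer before the indirect call: it checks `key->func->isprivate == NULL` and then invokes `key->func->dump(...)`. A backend that provides `isprivate` but leaves the new `dump` slot unset would be called through a NULL pointer instead of returning ISC_R_NOTIMPLEMENTED. The guard should read `if (key->func->dump == NULL)`, which matches how `dst_key_restore` below tests `dst_t_func[alg]->restore` before using it.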
@@ -938,6 +1240,7 @@ get_key_struct(dns_name_t *name, unsigned int alg,
{
dst_key_t *key;
isc_result_t result;
+ int i;
key = (dst_key_t *) isc_mem_get(mctx, sizeof(dst_key_t));
if (key == NULL)
@@ -974,6 +1277,12 @@ get_key_struct(dns_name_t *name, unsigned int alg,
key->key_size = bits;
key->key_class = rdclass;
key->func = dst_t_func[alg];
+ key->fmt_major = 0;
+ key->fmt_minor = 0;
+ for (i = 0; i < (DST_MAX_TIMES + 1); i++) {
+ key->times[i] = 0;
+ key->timeset[i] = ISC_FALSE;
+ }
return (key);
}
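Review bot: The added loop resets `times[]` and `timeset[]` but not the `nums[]` and `numset[]` arrays that the same commit adds to `struct dst_key`. If the allocation earlier in `get_key_struct` is not zeroed (that part of the function is outside the hunk), `dst_key_getnum` would read an indeterminate `numset[type]` and could report stale numeric metadata as set. A matching loop, `for (i = 0; i < (DST_MAX_NUMERIC + 1); i++) { key->nums[i] = 0; key->numset[i] = ISC_FALSE; }`, would keep the two kinds of metadata consistent. If the struct is already zeroed, a short comment saying so would explain why only the time fields are reset here.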
@@ -1046,7 +1355,7 @@ dst_key_read_public(const char *filename, int type,
isc_buffer_init(&b, DST_AS_STR(token), strlen(DST_AS_STR(token)));
isc_buffer_add(&b, strlen(DST_AS_STR(token)));
ret = dns_name_fromtext(dns_fixedname_name(&name), &b, dns_rootname,
- ISC_FALSE, NULL);
+ 0, NULL);
if (ret != ISC_R_SUCCESS)
goto cleanup;
@@ -1116,6 +1425,9 @@ issymmetric(const dst_key_t *key) {
case DST_ALG_DSA:
case DST_ALG_NSEC3DSA:
case DST_ALG_DH:
+ case DST_ALG_ECCGOST:
+ case DST_ALG_ECDSA256:
+ case DST_ALG_ECDSA384:
return (ISC_FALSE);
case DST_ALG_HMACMD5:
case DST_ALG_GSSAPI:
@@ -1126,6 +1438,55 @@ issymmetric(const dst_key_t *key) {
}
/*%
+ * Write key timing metadata to a file pointer, preceded by 'tag'
+ */
+static void
+printtime(const dst_key_t *key, int type, const char *tag, FILE *stream) {
+ isc_result_t result;
+#ifdef ISC_PLATFORM_USETHREADS
+ char output[26]; /* Minimum buffer as per ctime_r() specification. */
+#else
+ const char *output;
+#endif
+ isc_stdtime_t when;
+ time_t t;
+ char utc[sizeof("YYYYMMDDHHSSMM")];
+ isc_buffer_t b;
+ isc_region_t r;
+
+ result = dst_key_gettime(key, type, &when);
+ if (result == ISC_R_NOTFOUND)
+ return;
+
+ /* time_t and isc_stdtime_t might be different sizes */
+ t = when;
+#ifdef ISC_PLATFORM_USETHREADS
+#ifdef WIN32
+ if (ctime_s(output, sizeof(output), &t) != 0)
+ goto error;
+#else
+ if (ctime_r(&t, output) == NULL)
+ goto error;
+#endif
+#else
+ output = ctime(&t);
+#endif
+
+ isc_buffer_init(&b, utc, sizeof(utc));
+ result = dns_time32_totext(when, &b);
+ if (result != ISC_R_SUCCESS)
+ goto error;
+
+ isc_buffer_usedregion(&b, &r);
+ fprintf(stream, "%s: %.*s (%.*s)\n", tag, (int)r.length, r.base,
+ (int)strlen(output) - 1, output);
+ return;
+
+ error:
+ fprintf(stream, "%s: (set, unable to display)\n", tag);
+}
+
+/*%
* Writes a public key to disk in DNS format.
*/
static isc_result_t
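Review bot: In the non-threaded branch of `printtime`, `output = ctime(&t);` is used without a NULL check, while the `ctime_s` and `ctime_r` branches both jump to `error` on failure. `ctime` can return NULL for a time value it cannot represent, and the later `strlen(output)` would then dereference it. Adding `if (output == NULL) goto error;` after the call keeps all three variants consistent. Only `ISC_R_NOTFOUND` from `dst_key_gettime` is handled at the top, which is fine for the results that accessor returns in this file.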
@@ -1184,12 +1545,34 @@ write_public_key(const dst_key_t *key, int type, const char *directory) {
(void)isc_fsaccess_set(filename, access);
}
- ret = dns_name_print(key->key_name, fp);
- if (ret != ISC_R_SUCCESS) {
- fclose(fp);
- return (ret);
+ /* Write key information in comments */
+ if ((type & DST_TYPE_KEY) == 0) {
+ fprintf(fp, "; This is a %s%s-signing key, keyid %d, for ",
+ (key->key_flags & DNS_KEYFLAG_REVOKE) != 0 ?
+ "revoked " :
+ "",
+ (key->key_flags & DNS_KEYFLAG_KSK) != 0 ?
+ "key" :
+ "zone",
+ key->key_id);
+ ret = dns_name_print(key->key_name, fp);
+ if (ret != ISC_R_SUCCESS) {
+ fclose(fp);
+ return (ret);
+ }
+ fputc('\n', fp);
+
+ printtime(key, DST_TIME_CREATED, "; Created", fp);
+ printtime(key, DST_TIME_PUBLISH, "; Publish", fp);
+ printtime(key, DST_TIME_ACTIVATE, "; Activate", fp);
+ printtime(key, DST_TIME_REVOKE, "; Revoke", fp);
+ printtime(key, DST_TIME_INACTIVE, "; Inactive", fp);
+ printtime(key, DST_TIME_DELETE, "; Delete", fp);
}
+ /* Now print the actual key */
+ ret = dns_name_print(key->key_name, fp);
+
fprintf(fp, " ");
isc_buffer_usedregion(&classb, &r);
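Review bot: The relocated `ret = dns_name_print(key->key_name, fp);` under "Now print the actual key" is not tested in the lines shown, whereas the removed code closed `fp` and returned on failure. Unless a check follows outside the hunk, a failed name print now falls through to the remaining `fprintf` calls and can leave a malformed `.key` file that is still reported as written. Restoring the check right after the call, `if (ret != ISC_R_SUCCESS) { fclose(fp); return (ret); }`, keeps the old behaviour. The rest of `write_public_key` is outside this hunk.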
@@ -1266,6 +1649,7 @@ computeid(dst_key_t *key) {
isc_buffer_usedregion(&dnsbuf, &r);
key->key_id = dst_region_computeid(&r, key->key_alg);
+ key->key_rid = dst_region_computerid(&r, key->key_alg);
return (ISC_R_SUCCESS);
}
@@ -1319,15 +1703,17 @@ algorithm_status(unsigned int alg) {
alg == DST_ALG_DSA || alg == DST_ALG_DH ||
alg == DST_ALG_HMACMD5 || alg == DST_ALG_NSEC3DSA ||
alg == DST_ALG_NSEC3RSASHA1 ||
- alg == DST_ALG_RSASHA256 || alg == DST_ALG_RSASHA512)
+ alg == DST_ALG_RSASHA256 || alg == DST_ALG_RSASHA512 ||
+ alg == DST_ALG_ECCGOST ||
+ alg == DST_ALG_ECDSA256 || alg == DST_ALG_ECDSA384)
return (DST_R_NOCRYPTO);
#endif
return (DST_R_UNSUPPORTEDALG);
}
static isc_result_t
-addsuffix(char *filename, unsigned int len, const char *ofilename,
- const char *suffix)
+addsuffix(char *filename, int len, const char *odirname,
+ const char *ofilename, const char *suffix)
{
int olen = strlen(ofilename);
int n;
@@ -1339,27 +1725,42 @@ addsuffix(char *filename, unsigned int len, const char *ofilename,
else if (olen > 4 && strcmp(ofilename + olen - 4, ".key") == 0)
olen -= 4;
- n = snprintf(filename, len, "%.*s%s", olen, ofilename, suffix);
+ if (odirname == NULL)
+ n = snprintf(filename, len, "%.*s%s", olen, ofilename, suffix);
+ else
+ n = snprintf(filename, len, "%s/%.*s%s",
+ odirname, olen, ofilename, suffix);
if (n < 0)
return (ISC_R_FAILURE);
- if ((unsigned int)n >= len)
+ if (n >= len)
return (ISC_R_NOSPACE);
return (ISC_R_SUCCESS);
}
isc_result_t
dst__entropy_getdata(void *buf, unsigned int len, isc_boolean_t pseudo) {
+#ifdef BIND9
unsigned int flags = dst_entropy_flags;
if (len == 0)
return (ISC_R_SUCCESS);
if (pseudo)
flags &= ~ISC_ENTROPY_GOODONLY;
+ else
+ flags |= ISC_ENTROPY_BLOCKING;
return (isc_entropy_getdata(dst_entropy_pool, buf, len, NULL, flags));
+#else
+ UNUSED(buf);
+ UNUSED(len);
+ UNUSED(pseudo);
+
+ return (ISC_R_NOTIMPLEMENTED);
+#endif
}
unsigned int
dst__entropy_status(void) {
+#ifdef BIND9
#ifdef GSSAPI
unsigned int flags = dst_entropy_flags;
isc_result_t ret;
@@ -1378,4 +1779,13 @@ dst__entropy_status(void) {
}
#endif
return (isc_entropy_status(dst_entropy_pool));
+#else
+ return (0);
+#endif
+}
+
+isc_buffer_t *
+dst_key_tkeytoken(const dst_key_t *key) {
+ REQUIRE(VALID_KEY(key));
+ return (key->key_tkeytoken);
}
diff --git a/contrib/bind9/lib/dns/dst_internal.h b/contrib/bind9/lib/dns/dst_internal.h
index 276e04c4483a..2f4f946a3652 100644
--- a/contrib/bind9/lib/dns/dst_internal.h
+++ b/contrib/bind9/lib/dns/dst_internal.h
@@ -1,5 +1,5 @@
/*
- * Portions Copyright (C) 2004-2008, 2010, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
* Portions Copyright (C) 2000-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -44,9 +44,12 @@
#include <isc/refcount.h>
#include <isc/sha1.h>
#include <isc/sha2.h>
+#include <isc/stdtime.h>
#include <isc/hmacmd5.h>
#include <isc/hmacsha.h>
+#include <dns/time.h>
+
#include <dst/dst.h>
#ifdef OPENSSL
@@ -60,8 +63,8 @@
ISC_LANG_BEGINDECLS
-#define KEY_MAGIC ISC_MAGIC('D','S','T','K')
-#define CTX_MAGIC ISC_MAGIC('D','S','T','C')
+#define KEY_MAGIC ISC_MAGIC('D','S','T','K')
+#define CTX_MAGIC ISC_MAGIC('D','S','T','C')
#define VALID_KEY(x) ISC_MAGIC_VALID(x, KEY_MAGIC)
#define VALID_CTX(x) ISC_MAGIC_VALID(x, CTX_MAGIC)
@@ -74,7 +77,7 @@ extern isc_mem_t *dst__memory_pool;
typedef struct dst_func dst_func_t;
-typedef struct dst_hmacmd5_key dst_hmacmd5_key_t;
+typedef struct dst_hmacmd5_key dst_hmacmd5_key_t;
typedef struct dst_hmacsha1_key dst_hmacsha1_key_t;
typedef struct dst_hmacsha224_key dst_hmacsha224_key_t;
typedef struct dst_hmacsha256_key dst_hmacsha256_key_t;
@@ -91,6 +94,8 @@ struct dst_key {
unsigned int key_alg; /*%< algorithm of the key */
isc_uint32_t key_flags; /*%< flags of the public key */
isc_uint16_t key_id; /*%< identifier of the key */
+ isc_uint16_t key_rid; /*%< identifier of the key when
+ revoked */
isc_uint16_t key_bits; /*%< hmac digest bits */
dns_rdataclass_t key_class; /*%< class of the key record */
isc_mem_t *mctx; /*%< memory context */
@@ -115,7 +120,17 @@ struct dst_key {
dst_hmacsha512_key_t *hmacsha512;
} keydata; /*%< pointer to key in crypto pkg fmt */
- dst_func_t * func; /*%< crypto package specific functions */
+
+ isc_stdtime_t times[DST_MAX_TIMES + 1]; /*%< timing metadata */
+ isc_boolean_t timeset[DST_MAX_TIMES + 1]; /*%< data set? */
+ isc_stdtime_t nums[DST_MAX_NUMERIC + 1]; /*%< numeric metadata */
+ isc_boolean_t numset[DST_MAX_NUMERIC + 1]; /*%< data set? */
+
+ int fmt_major; /*%< private key format, major version */
+ int fmt_minor; /*%< private key format, minor version */
+
+ dst_func_t * func; /*%< crypto package specific functions */
+ isc_buffer_t *key_tkeytoken; /*%< TKEY token data */
};
struct dst_context {
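Review bot: `nums[]` is declared as `isc_stdtime_t` although it holds the numeric metadata that `dst_key_getnum` and `dst_key_setnum` read and write as `isc_uint32_t`. The two types may well have the same width on every supported platform, but the declaration reads like a copy of the `times[]` line and would silently truncate or widen if `isc_stdtime_t` ever changed. Declaring it as `isc_uint32_t nums[DST_MAX_NUMERIC + 1];` matches the accessors.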
@@ -160,7 +175,8 @@ struct dst_func {
isc_boolean_t (*compare)(const dst_key_t *key1, const dst_key_t *key2);
isc_boolean_t (*paramcompare)(const dst_key_t *key1,
const dst_key_t *key2);
- isc_result_t (*generate)(dst_key_t *key, int parms);
+ isc_result_t (*generate)(dst_key_t *key, int parms,
+ void (*callback)(int));
isc_boolean_t (*isprivate)(const dst_key_t *key);
void (*destroy)(dst_key_t *key);
@@ -168,19 +184,24 @@ struct dst_func {
isc_result_t (*todns)(const dst_key_t *key, isc_buffer_t *data);
isc_result_t (*fromdns)(dst_key_t *key, isc_buffer_t *data);
isc_result_t (*tofile)(const dst_key_t *key, const char *directory);
- isc_result_t (*parse)(dst_key_t *key, isc_lex_t *lexer);
+ isc_result_t (*parse)(dst_key_t *key,
+ isc_lex_t *lexer,
+ dst_key_t *pub);
/* cleanup */
void (*cleanup)(void);
isc_result_t (*fromlabel)(dst_key_t *key, const char *engine,
const char *label, const char *pin);
+ isc_result_t (*dump)(dst_key_t *key, isc_mem_t *mctx, char **buffer,
+ int *length);
+ isc_result_t (*restore)(dst_key_t *key, const char *keystr);
};
/*%
* Initializers
*/
-isc_result_t dst__openssl_init(void);
+isc_result_t dst__openssl_init(const char *engine);
isc_result_t dst__hmacmd5_init(struct dst_func **funcp);
isc_result_t dst__hmacsha1_init(struct dst_func **funcp);
@@ -193,6 +214,12 @@ isc_result_t dst__opensslrsa_init(struct dst_func **funcp,
isc_result_t dst__openssldsa_init(struct dst_func **funcp);
isc_result_t dst__openssldh_init(struct dst_func **funcp);
isc_result_t dst__gssapi_init(struct dst_func **funcp);
+#ifdef HAVE_OPENSSL_GOST
+isc_result_t dst__opensslgost_init(struct dst_func **funcp);
+#endif
+#ifdef HAVE_OPENSSL_ECDSA
+isc_result_t dst__opensslecdsa_init(struct dst_func **funcp);
+#endif
/*%
* Destructors
diff --git a/contrib/bind9/lib/dns/dst_openssl.h b/contrib/bind9/lib/dns/dst_openssl.h
index 4ecbb22ac195..a30fd6a461e3 100644
--- a/contrib/bind9/lib/dns/dst_openssl.h
+++ b/contrib/bind9/lib/dns/dst_openssl.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2007, 2008, 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007-2009, 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -49,9 +49,6 @@ dst__openssl_getengine(const char *engine);
#define dst__openssl_getengine(x) NULL
#endif
-isc_result_t
-dst__openssl_setdefault(const char *name);
-
ISC_LANG_ENDDECLS
#endif /* DST_OPENSSL_H */
diff --git a/contrib/bind9/lib/dns/dst_parse.c b/contrib/bind9/lib/dns/dst_parse.c
index e0db5fe9733e..95896c4a8870 100644
--- a/contrib/bind9/lib/dns/dst_parse.c
+++ b/contrib/bind9/lib/dns/dst_parse.c
@@ -41,8 +41,13 @@
#include <isc/fsaccess.h>
#include <isc/lex.h>
#include <isc/mem.h>
+#include <isc/stdtime.h>
#include <isc/string.h>
#include <isc/util.h>
+#include <isc/file.h>
+
+#include <dns/time.h>
+#include <dns/log.h>
#include "dst_internal.h"
#include "dst_parse.h"
@@ -53,6 +58,25 @@
#define PRIVATE_KEY_STR "Private-key-format:"
#define ALGORITHM_STR "Algorithm:"
+#define TIMING_NTAGS (DST_MAX_TIMES + 1)
+static const char *timetags[TIMING_NTAGS] = {
+ "Created:",
+ "Publish:",
+ "Activate:",
+ "Revoke:",
+ "Inactive:",
+ "Delete:",
+ "DSPublish:"
+};
+
+#define NUMERIC_NTAGS (DST_MAX_NUMERIC + 1)
+static const char *numerictags[NUMERIC_NTAGS] = {
+ "Predecessor:",
+ "Successor:",
+ "MaxTTL:",
+ "RollPeriod:"
+};
+
struct parse_map {
const int value;
const char *tag;
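Review bot: `timetags` and `numerictags` are sized from `DST_MAX_TIMES + 1` and `DST_MAX_NUMERIC + 1`, but nothing ties the number of initialisers to those constants. If either constant grows without a new string being added, the extra slots are NULL, and `find_metadata` in a later hunk passes `tags[i]` straight to `strcasecmp`. The same tables are indexed when the private key file is written. A NULL test in the lookup loop, `if (tags[i] != NULL && strcasecmp(s, tags[i]) == 0)`, or a compile-time size check next to the arrays would make a mismatch fail safely.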
@@ -82,6 +106,10 @@ static struct parse_map map[] = {
{TAG_DSA_PRIVATE, "Private_value(x):"},
{TAG_DSA_PUBLIC, "Public_value(y):"},
+ {TAG_GOST_PRIVASN1, "GostAsn1:"},
+
+ {TAG_ECDSA_PRIVATEKEY, "PrivateKey:"},
+
{TAG_HMACMD5_KEY, "Key:"},
{TAG_HMACMD5_BITS, "Bits:"},
@@ -107,13 +135,12 @@ static int
find_value(const char *s, const unsigned int alg) {
int i;
- for (i = 0; ; i++) {
- if (map[i].tag == NULL)
- return (-1);
- else if (strcasecmp(s, map[i].tag) == 0 &&
- TAG_ALG(map[i].value) == alg)
+ for (i = 0; map[i].tag != NULL; i++) {
+ if (strcasecmp(s, map[i].tag) == 0 &&
+ (TAG_ALG(map[i].value) == alg))
return (map[i].value);
}
+ return (-1);
}
static const char *
@@ -129,6 +156,28 @@ find_tag(const int value) {
}
static int
+find_metadata(const char *s, const char *tags[], int ntags) {
+ int i;
+
+ for (i = 0; i < ntags; i++) {
+ if (strcasecmp(s, tags[i]) == 0)
+ return (i);
+ }
+
+ return (-1);
+}
+
+static int
+find_timedata(const char *s) {
+ return (find_metadata(s, timetags, TIMING_NTAGS));
+}
+
+static int
+find_numericdata(const char *s) {
+ return (find_metadata(s, numerictags, NUMERIC_NTAGS));
+}
+
+static int
check_rsa(const dst_private_t *priv) {
int i, j;
isc_boolean_t have[RSA_NTAGS];
@@ -197,6 +246,24 @@ check_dsa(const dst_private_t *priv) {
}
static int
+check_gost(const dst_private_t *priv) {
+ if (priv->nelements != GOST_NTAGS)
+ return (-1);
+ if (priv->elements[0].tag != TAG(DST_ALG_ECCGOST, 0))
+ return (-1);
+ return (0);
+}
+
+static int
+check_ecdsa(const dst_private_t *priv) {
+ if (priv->nelements != ECDSA_NTAGS)
+ return (-1);
+ if (priv->elements[0].tag != TAG(DST_ALG_ECDSA256, 0))
+ return (-1);
+ return (0);
+}
+
+static int
check_hmac_md5(const dst_private_t *priv, isc_boolean_t old) {
int i, j;
@@ -257,6 +324,11 @@ check_data(const dst_private_t *priv, const unsigned int alg,
case DST_ALG_DSA:
case DST_ALG_NSEC3DSA:
return (check_dsa(priv));
+ case DST_ALG_ECCGOST:
+ return (check_gost(priv));
+ case DST_ALG_ECDSA256:
+ case DST_ALG_ECDSA384:
+ return (check_ecdsa(priv));
case DST_ALG_HMACMD5:
return (check_hmac_md5(priv, old));
case DST_ALG_HMACSHA1:
@@ -289,7 +361,7 @@ dst__privstruct_free(dst_private_t *priv, isc_mem_t *mctx) {
priv->nelements = 0;
}
-int
+isc_result_t
dst__privstruct_parse(dst_key_t *key, unsigned int alg, isc_lex_t *lex,
isc_mem_t *mctx, dst_private_t *priv)
{
@@ -298,6 +370,7 @@ dst__privstruct_parse(dst_key_t *key, unsigned int alg, isc_lex_t *lex,
isc_token_t token;
unsigned char *data = NULL;
unsigned int opt = ISC_LEXOPT_EOL;
+ isc_stdtime_t when;
isc_result_t ret;
REQUIRE(priv != NULL);
@@ -345,13 +418,16 @@ dst__privstruct_parse(dst_key_t *key, unsigned int alg, isc_lex_t *lex,
goto fail;
}
- if (major > MAJOR_VERSION ||
- (major == MAJOR_VERSION && minor > MINOR_VERSION))
- {
+ if (major > DST_MAJOR_VERSION) {
ret = DST_R_INVALIDPRIVATEKEY;
goto fail;
}
+ /*
+ * Store the private key format version number
+ */
+ dst_key_setprivateformat(key, major, minor);
+
READLINE(lex, opt, &token);
/*
@@ -381,7 +457,6 @@ dst__privstruct_parse(dst_key_t *key, unsigned int alg, isc_lex_t *lex,
for (n = 0; n < MAXFIELDS; n++) {
int tag;
isc_region_t r;
-
do {
ret = isc_lex_gettoken(lex, opt, &token);
if (ret == ISC_R_EOF)
@@ -395,11 +470,50 @@ dst__privstruct_parse(dst_key_t *key, unsigned int alg, isc_lex_t *lex,
goto fail;
}
+ /* Numeric metadata */
+ tag = find_numericdata(DST_AS_STR(token));
+ if (tag >= 0) {
+ INSIST(tag < NUMERIC_NTAGS);
+
+ NEXTTOKEN(lex, opt | ISC_LEXOPT_NUMBER, &token);
+ if (token.type != isc_tokentype_number) {
+ ret = DST_R_INVALIDPRIVATEKEY;
+ goto fail;
+ }
+
+ dst_key_setnum(key, tag, token.value.as_ulong);
+ goto next;
+ }
+
+ /* Timing metadata */
+ tag = find_timedata(DST_AS_STR(token));
+ if (tag >= 0) {
+ INSIST(tag < TIMING_NTAGS);
+
+ NEXTTOKEN(lex, opt, &token);
+ if (token.type != isc_tokentype_string) {
+ ret = DST_R_INVALIDPRIVATEKEY;
+ goto fail;
+ }
+
+ ret = dns_time32_fromtext(DST_AS_STR(token), &when);
+ if (ret != ISC_R_SUCCESS)
+ goto fail;
+
+ dst_key_settime(key, tag, when);
+
+ goto next;
+ }
+
+ /* Key data */
tag = find_value(DST_AS_STR(token), alg);
- if (tag < 0 || TAG_ALG(tag) != alg) {
+ if (tag < 0 && minor > DST_MINOR_VERSION)
+ goto next;
+ else if (tag < 0) {
ret = DST_R_INVALIDPRIVATEKEY;
goto fail;
}
+
priv->elements[n].tag = tag;
data = (unsigned char *) isc_mem_get(mctx, MAXFIELDSIZE);
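Review bot: Key-data fields are still stored at `priv->elements[n]`, but `n` now also advances for metadata lines and for unknown tags skipped via `goto next`, while the next hunk counts stored fields separately with `priv->nelements++`. When a private key file lists a metadata tag before the key material, the data lands at an index above `nelements - 1`. `check_data` and `dst__privstruct_free` would then walk slots that were never filled, and the slot that was filled is not freed; this assumes `priv` is not pre-initialised by the caller, which is not visible here. Indexing by the element count removes the gap: `priv->elements[priv->nelements].tag = tag;`, and likewise for `.length` and `.data` in the following hunk. The loop header and the `next:` label are outside this hunk.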
@@ -410,16 +524,17 @@ dst__privstruct_parse(dst_key_t *key, unsigned int alg, isc_lex_t *lex,
ret = isc_base64_tobuffer(lex, &b, -1);
if (ret != ISC_R_SUCCESS)
goto fail;
+
isc_buffer_usedregion(&b, &r);
priv->elements[n].length = r.length;
priv->elements[n].data = r.base;
+ priv->nelements++;
+ next:
READLINE(lex, opt, &token);
data = NULL;
}
done:
- priv->nelements = n;
-
check = check_data(priv, alg, ISC_TRUE);
if (check < 0) {
ret = DST_R_INVALIDPRIVATEKEY;
@@ -432,7 +547,6 @@ dst__privstruct_parse(dst_key_t *key, unsigned int alg, isc_lex_t *lex,
return (ISC_R_SUCCESS);
fail:
- priv->nelements = n;
dst__privstruct_free(priv, mctx);
if (data != NULL)
isc_mem_put(mctx, data, MAXFIELDSIZE);
@@ -440,17 +554,22 @@ fail:
return (ret);
}
-int
+isc_result_t
dst__privstruct_writefile(const dst_key_t *key, const dst_private_t *priv,
const char *directory)
{
FILE *fp;
- int ret, i;
isc_result_t result;
char filename[ISC_DIR_NAMEMAX];
char buffer[MAXFIELDSIZE * 2];
- isc_buffer_t b;
isc_fsaccess_t access;
+ isc_stdtime_t when;
+ isc_uint32_t value;
+ isc_buffer_t b;
+ isc_region_t r;
+ int major, minor;
+ mode_t mode;
+ int i, ret;
REQUIRE(priv != NULL);
@@ -465,6 +584,17 @@ dst__privstruct_writefile(const dst_key_t *key, const dst_private_t *priv,
if (result != ISC_R_SUCCESS)
return (result);
+ result = isc_file_mode(filename, &mode);
+ if (result == ISC_R_SUCCESS && mode != 0600) {
+ /* File exists; warn that we are changing its permissions */
+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+ DNS_LOGMODULE_DNSSEC, ISC_LOG_WARNING,
+ "Permissions on the file %s "
+ "have changed from 0%o to 0600 as "
+ "a result of this operation.",
+ filename, (unsigned int)mode);
+ }
+
if ((fp = fopen(filename, "w")) == NULL)
return (DST_R_WRITEERROR);
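Review bot: The warning that the file's permissions "have changed ... to 0600" is logged before `fopen` and before the mode is actually set. It is therefore emitted even when `fopen` fails, and the `isc_fsaccess_set` result in the following hunk is discarded with `(void)`. For a private key file the log should describe what really happened. I would move the `isc_log_write` call after a successful `isc_fsaccess_set` and return an error when that call fails. A pre-existing file with a looser mode also stays readable to whoever already holds it open, until the write completes. Creating the file with a restrictive mode from the start would avoid that window, though that is a larger change than this hunk.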
@@ -474,11 +604,17 @@ dst__privstruct_writefile(const dst_key_t *key, const dst_private_t *priv,
&access);
(void)isc_fsaccess_set(filename, access);
+ dst_key_getprivateformat(key, &major, &minor);
+ if (major == 0 && minor == 0) {
+ major = DST_MAJOR_VERSION;
+ minor = DST_MINOR_VERSION;
+ }
+
/* XXXDCL return value should be checked for full filesystem */
- fprintf(fp, "%s v%d.%d\n", PRIVATE_KEY_STR, MAJOR_VERSION,
- MINOR_VERSION);
+ fprintf(fp, "%s v%d.%d\n", PRIVATE_KEY_STR, major, minor);
fprintf(fp, "%s %d ", ALGORITHM_STR, dst_key_alg(key));
+
/* XXXVIX this switch statement is too sparse to gen a jump table. */
switch (dst_key_alg(key)) {
case DST_ALG_RSAMD5:
@@ -493,18 +629,27 @@ dst__privstruct_writefile(const dst_key_t *key, const dst_private_t *priv,
case DST_ALG_RSASHA1:
fprintf(fp, "(RSASHA1)\n");
break;
- case DST_ALG_NSEC3DSA:
- fprintf(fp, "(NSEC3DSA)\n");
- break;
case DST_ALG_NSEC3RSASHA1:
fprintf(fp, "(NSEC3RSASHA1)\n");
break;
+ case DST_ALG_NSEC3DSA:
+ fprintf(fp, "(NSEC3DSA)\n");
+ break;
case DST_ALG_RSASHA256:
fprintf(fp, "(RSASHA256)\n");
break;
case DST_ALG_RSASHA512:
fprintf(fp, "(RSASHA512)\n");
break;
+ case DST_ALG_ECCGOST:
+ fprintf(fp, "(ECC-GOST)\n");
+ break;
+ case DST_ALG_ECDSA256:
+ fprintf(fp, "(ECDSAP256SHA256)\n");
+ break;
+ case DST_ALG_ECDSA384:
+ fprintf(fp, "(ECDSAP384SHA384)\n");
+ break;
case DST_ALG_HMACMD5:
fprintf(fp, "(HMAC_MD5)\n");
break;
@@ -529,8 +674,6 @@ dst__privstruct_writefile(const dst_key_t *key, const dst_private_t *priv,
}
for (i = 0; i < priv->nelements; i++) {
- isc_buffer_t b;
- isc_region_t r;
const char *s;
s = find_tag(priv->elements[i].tag);
@@ -548,6 +691,33 @@ dst__privstruct_writefile(const dst_key_t *key, const dst_private_t *priv,
fprintf(fp, "%s %.*s\n", s, (int)r.length, r.base);
}
+ /* Add the metadata tags */
+ if (major > 1 || (major == 1 && minor >= 3)) {
+ for (i = 0; i < NUMERIC_NTAGS; i++) {
+ result = dst_key_getnum(key, i, &value);
+ if (result != ISC_R_SUCCESS)
+ continue;
+ fprintf(fp, "%s %u\n", numerictags[i], value);
+ }
+ for (i = 0; i < TIMING_NTAGS; i++) {
+ result = dst_key_gettime(key, i, &when);
+ if (result != ISC_R_SUCCESS)
+ continue;
+
+ isc_buffer_init(&b, buffer, sizeof(buffer));
+ result = dns_time32_totext(when, &b);
+ if (result != ISC_R_SUCCESS) {
+ fclose(fp);
+ return (DST_R_INVALIDPRIVATEKEY);
+ }
+
+ isc_buffer_usedregion(&b, &r);
+
+ fprintf(fp, "%s %.*s\n", timetags[i], (int)r.length,
+ r.base);
+ }
+ }
+
fflush(fp);
result = ferror(fp) ? DST_R_WRITEERROR : ISC_R_SUCCESS;
fclose(fp);
diff --git a/contrib/bind9/lib/dns/dst_parse.h b/contrib/bind9/lib/dns/dst_parse.h
index e5ec63f29d00..f048bf0c01ed 100644
--- a/contrib/bind9/lib/dns/dst_parse.h
+++ b/contrib/bind9/lib/dns/dst_parse.h
@@ -1,5 +1,5 @@
/*
- * Portions Copyright (C) 2004-2008, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004-2010, 2012 Internet Systems Consortium, Inc. ("ISC")
* Portions Copyright (C) 2000-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -29,7 +29,7 @@
* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: dst_parse.h,v 1.17 2010/12/23 23:47:08 tbox Exp $ */
/*! \file */
#ifndef DST_DST_PARSE_H
@@ -39,11 +39,13 @@
#include <dst/dst.h>
-#define MAJOR_VERSION 1
-#define MINOR_VERSION 2
-
#define MAXFIELDSIZE 512
-#define MAXFIELDS 12
+
+/*
+ * Maximum number of fields in a private file is 18 (12 algorithm-
+ * specific fields for RSA, plus 6 generic fields).
+ */
+#define MAXFIELDS 12+6
#define TAG_SHIFT 4
#define TAG_ALG(tag) ((unsigned int)(tag) >> TAG_SHIFT)
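Review bot: `#define MAXFIELDS 12+6` is an unparenthesised expression macro. It works in `n < MAXFIELDS` and as an array bound, but any use next to a higher-precedence operator such as `MAXFIELDS * sizeof(x)` or `MAXFIELDS - 1` expands to the wrong value, which is a risky property for a constant that sizes the private-key element table. Writing it as `#define MAXFIELDS (12 + 6)` keeps the self-documenting form and removes the hazard.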
@@ -76,6 +78,12 @@
#define TAG_DSA_PRIVATE ((DST_ALG_DSA << TAG_SHIFT) + 3)
#define TAG_DSA_PUBLIC ((DST_ALG_DSA << TAG_SHIFT) + 4)
+#define GOST_NTAGS 1
+#define TAG_GOST_PRIVASN1 ((DST_ALG_ECCGOST << TAG_SHIFT) + 0)
+
+#define ECDSA_NTAGS 1
+#define TAG_ECDSA_PRIVATEKEY ((DST_ALG_ECDSA256 << TAG_SHIFT) + 0)
+
#define OLD_HMACMD5_NTAGS 1
#define HMACMD5_NTAGS 2
#define TAG_HMACMD5_KEY ((DST_ALG_HMACMD5 << TAG_SHIFT) + 0)
@@ -121,11 +129,11 @@ ISC_LANG_BEGINDECLS
void
dst__privstruct_free(dst_private_t *priv, isc_mem_t *mctx);
-int
+isc_result_t
dst__privstruct_parse(dst_key_t *key, unsigned int alg, isc_lex_t *lex,
isc_mem_t *mctx, dst_private_t *priv);
-int
+isc_result_t
dst__privstruct_writefile(const dst_key_t *key, const dst_private_t *priv,
const char *directory);
diff --git a/contrib/bind9/lib/dns/ecdb.c b/contrib/bind9/lib/dns/ecdb.c
new file mode 100644
index 000000000000..f1a833fe1403
--- /dev/null
+++ b/contrib/bind9/lib/dns/ecdb.c
@@ -0,0 +1,818 @@
+/*
+ * Copyright (C) 2009-2012 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id$ */
+
+#include "config.h"
+
+#include <isc/result.h>
+#include <isc/util.h>
+#include <isc/mutex.h>
+#include <isc/mem.h>
+
+#include <dns/db.h>
+#include <dns/ecdb.h>
+#include <dns/rdata.h>
+#include <dns/rdataset.h>
+#include <dns/rdatasetiter.h>
+#include <dns/rdataslab.h>
+
+#define ECDB_MAGIC ISC_MAGIC('E', 'C', 'D', 'B')
+#define VALID_ECDB(db) ((db) != NULL && \
+ (db)->common.impmagic == ECDB_MAGIC)
+
+#define ECDBNODE_MAGIC ISC_MAGIC('E', 'C', 'D', 'N')
+#define VALID_ECDBNODE(ecdbn) ISC_MAGIC_VALID(ecdbn, ECDBNODE_MAGIC)
+
+/*%
+ * The 'ephemeral' cache DB (ecdb) implementation. An ecdb just provides
+ * temporary storage for ongoing name resolution with the common DB interfaces.
+ * It actually doesn't cache anything. The implementation expects any stored
+ * data is released within a short period, and does not care about the
+ * scalability in terms of the number of nodes.
+ */
+
+typedef struct dns_ecdb {
+ /* Unlocked */
+ dns_db_t common;
+ isc_mutex_t lock;
+
+ /* Locked */
+ unsigned int references;
+ ISC_LIST(struct dns_ecdbnode) nodes;
+} dns_ecdb_t;
+
+typedef struct dns_ecdbnode {
+ /* Unlocked */
+ unsigned int magic;
+ isc_mutex_t lock;
+ dns_ecdb_t *ecdb;
+ dns_name_t name;
+ ISC_LINK(struct dns_ecdbnode) link;
+
+ /* Locked */
+ ISC_LIST(struct rdatasetheader) rdatasets;
+ unsigned int references;
+} dns_ecdbnode_t;
+
+typedef struct rdatasetheader {
+ dns_rdatatype_t type;
+ dns_ttl_t ttl;
+ dns_trust_t trust;
+ dns_rdatatype_t covers;
+ unsigned int attributes;
+
+ ISC_LINK(struct rdatasetheader) link;
+} rdatasetheader_t;
+
+/* Copied from rbtdb.c */
+#define RDATASET_ATTR_NXDOMAIN 0x0010
+#define NXDOMAIN(header) \
+ (((header)->attributes & RDATASET_ATTR_NXDOMAIN) != 0)
+
+static isc_result_t dns_ecdb_create(isc_mem_t *mctx, dns_name_t *origin,
+ dns_dbtype_t type,
+ dns_rdataclass_t rdclass,
+ unsigned int argc, char *argv[],
+ void *driverarg, dns_db_t **dbp);
+
+static void rdataset_disassociate(dns_rdataset_t *rdataset);
+static isc_result_t rdataset_first(dns_rdataset_t *rdataset);
+static isc_result_t rdataset_next(dns_rdataset_t *rdataset);
+static void rdataset_current(dns_rdataset_t *rdataset, dns_rdata_t *rdata);
+static void rdataset_clone(dns_rdataset_t *source, dns_rdataset_t *target);
+static unsigned int rdataset_count(dns_rdataset_t *rdataset);
+static void rdataset_settrust(dns_rdataset_t *rdataset, dns_trust_t trust);
+
+static dns_rdatasetmethods_t rdataset_methods = {
+ rdataset_disassociate,
+ rdataset_first,
+ rdataset_next,
+ rdataset_current,
+ rdataset_clone,
+ rdataset_count,
+ NULL, /* addnoqname */
+ NULL, /* getnoqname */
+ NULL, /* addclosest */
+ NULL, /* getclosest */
+ NULL, /* getadditional */
+ NULL, /* setadditional */
+ NULL, /* putadditional */
+ rdataset_settrust, /* settrust */
+ NULL /* expire */
+};
+
+typedef struct ecdb_rdatasetiter {
+ dns_rdatasetiter_t common;
+ rdatasetheader_t *current;
+} ecdb_rdatasetiter_t;
+
+static void rdatasetiter_destroy(dns_rdatasetiter_t **iteratorp);
+static isc_result_t rdatasetiter_first(dns_rdatasetiter_t *iterator);
+static isc_result_t rdatasetiter_next(dns_rdatasetiter_t *iterator);
+static void rdatasetiter_current(dns_rdatasetiter_t *iterator,
+ dns_rdataset_t *rdataset);
+
+static dns_rdatasetitermethods_t rdatasetiter_methods = {
+ rdatasetiter_destroy,
+ rdatasetiter_first,
+ rdatasetiter_next,
+ rdatasetiter_current
+};
+
+isc_result_t
+dns_ecdb_register(isc_mem_t *mctx, dns_dbimplementation_t **dbimp) {
+ REQUIRE(mctx != NULL);
+ REQUIRE(dbimp != NULL && *dbimp == NULL);
+
+ return (dns_db_register("ecdb", dns_ecdb_create, NULL, mctx, dbimp));
+}
+
+void
+dns_ecdb_unregister(dns_dbimplementation_t **dbimp) {
+ REQUIRE(dbimp != NULL && *dbimp != NULL);
+
+ dns_db_unregister(dbimp);
+}
+
+/*%
+ * DB routines
+ */
+
+static void
+attach(dns_db_t *source, dns_db_t **targetp) {
+ dns_ecdb_t *ecdb = (dns_ecdb_t *)source;
+
+ REQUIRE(VALID_ECDB(ecdb));
+ REQUIRE(targetp != NULL && *targetp == NULL);
+
+ LOCK(&ecdb->lock);
+ ecdb->references++;
+ UNLOCK(&ecdb->lock);
+
+ *targetp = source;
+}
+
+static void
+destroy_ecdb(dns_ecdb_t **ecdbp) {
+ dns_ecdb_t *ecdb = *ecdbp;
+ isc_mem_t *mctx = ecdb->common.mctx;
+
+ if (dns_name_dynamic(&ecdb->common.origin))
+ dns_name_free(&ecdb->common.origin, mctx);
+
+ DESTROYLOCK(&ecdb->lock);
+
+ ecdb->common.impmagic = 0;
+ ecdb->common.magic = 0;
+
+ isc_mem_putanddetach(&mctx, ecdb, sizeof(*ecdb));
+
+ *ecdbp = NULL;
+}
+
+static void
+detach(dns_db_t **dbp) {
+ dns_ecdb_t *ecdb;
+ isc_boolean_t need_destroy = ISC_FALSE;
+
+ REQUIRE(dbp != NULL);
+ ecdb = (dns_ecdb_t *)*dbp;
+ REQUIRE(VALID_ECDB(ecdb));
+
+ LOCK(&ecdb->lock);
+ ecdb->references--;
+ if (ecdb->references == 0 && ISC_LIST_EMPTY(ecdb->nodes))
+ need_destroy = ISC_TRUE;
+ UNLOCK(&ecdb->lock);
+
+ if (need_destroy)
+ destroy_ecdb(&ecdb);
+
+ *dbp = NULL;
+}
+
+static void
+attachnode(dns_db_t *db, dns_dbnode_t *source, dns_dbnode_t **targetp) {
+ dns_ecdb_t *ecdb = (dns_ecdb_t *)db;
+ dns_ecdbnode_t *node = (dns_ecdbnode_t *)source;
+
+ REQUIRE(VALID_ECDB(ecdb));
+ REQUIRE(VALID_ECDBNODE(node));
+ REQUIRE(targetp != NULL && *targetp == NULL);
+
+ LOCK(&node->lock);
+ INSIST(node->references > 0);
+ node->references++;
+ INSIST(node->references != 0); /* Catch overflow. */
+ UNLOCK(&node->lock);
+
+ *targetp = node;
+}
+
+static void
+destroynode(dns_ecdbnode_t *node) {
+ isc_mem_t *mctx;
+ dns_ecdb_t *ecdb = node->ecdb;
+ isc_boolean_t need_destroydb = ISC_FALSE;
+ rdatasetheader_t *header;
+
+ mctx = ecdb->common.mctx;
+
+ LOCK(&ecdb->lock);
+ ISC_LIST_UNLINK(ecdb->nodes, node, link);
+ if (ecdb->references == 0 && ISC_LIST_EMPTY(ecdb->nodes))
+ need_destroydb = ISC_TRUE;
+ UNLOCK(&ecdb->lock);
+
+ dns_name_free(&node->name, mctx);
+
+ while ((header = ISC_LIST_HEAD(node->rdatasets)) != NULL) {
+ unsigned int headersize;
+
+ ISC_LIST_UNLINK(node->rdatasets, header, link);
+ headersize =
+ dns_rdataslab_size((unsigned char *)header,
+ sizeof(*header));
+ isc_mem_put(mctx, header, headersize);
+ }
+
+ DESTROYLOCK(&node->lock);
+
+ node->magic = 0;
+ isc_mem_put(mctx, node, sizeof(*node));
+
+ if (need_destroydb)
+ destroy_ecdb(&ecdb);
+}
+
+static void
+detachnode(dns_db_t *db, dns_dbnode_t **nodep) {
+ dns_ecdb_t *ecdb = (dns_ecdb_t *)db;
+ dns_ecdbnode_t *node;
+ isc_boolean_t need_destroy = ISC_FALSE;
+
+ REQUIRE(VALID_ECDB(ecdb));
+ REQUIRE(nodep != NULL);
+ node = (dns_ecdbnode_t *)*nodep;
+ REQUIRE(VALID_ECDBNODE(node));
+
+ UNUSED(ecdb); /* in case REQUIRE() is empty */
+
+ LOCK(&node->lock);
+ INSIST(node->references > 0);
+ node->references--;
+ if (node->references == 0)
+ need_destroy = ISC_TRUE;
+ UNLOCK(&node->lock);
+
+ if (need_destroy)
+ destroynode(node);
+
+ *nodep = NULL;
+}
+
+static isc_result_t
+find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
+ dns_rdatatype_t type, unsigned int options, isc_stdtime_t now,
+ dns_dbnode_t **nodep, dns_name_t *foundname, dns_rdataset_t *rdataset,
+ dns_rdataset_t *sigrdataset)
+{
+ dns_ecdb_t *ecdb = (dns_ecdb_t *)db;
+
+ REQUIRE(VALID_ECDB(ecdb));
+
+ UNUSED(name);
+ UNUSED(version);
+ UNUSED(type);
+ UNUSED(options);
+ UNUSED(now);
+ UNUSED(nodep);
+ UNUSED(foundname);
+ UNUSED(rdataset);
+ UNUSED(sigrdataset);
+
+ return (ISC_R_NOTFOUND);
+}
+
+static isc_result_t
+findzonecut(dns_db_t *db, dns_name_t *name,
+ unsigned int options, isc_stdtime_t now,
+ dns_dbnode_t **nodep, dns_name_t *foundname,
+ dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset)
+{
+ dns_ecdb_t *ecdb = (dns_ecdb_t *)db;
+
+ REQUIRE(VALID_ECDB(ecdb));
+
+ UNUSED(name);
+ UNUSED(options);
+ UNUSED(now);
+ UNUSED(nodep);
+ UNUSED(foundname);
+ UNUSED(rdataset);
+ UNUSED(sigrdataset);
+
+ return (ISC_R_NOTFOUND);
+}
+
+static isc_result_t
+findnode(dns_db_t *db, dns_name_t *name, isc_boolean_t create,
+ dns_dbnode_t **nodep)
+{
+ dns_ecdb_t *ecdb = (dns_ecdb_t *)db;
+ isc_mem_t *mctx;
+ dns_ecdbnode_t *node;
+ isc_result_t result;
+
+ REQUIRE(VALID_ECDB(ecdb));
+ REQUIRE(nodep != NULL && *nodep == NULL);
+
+ UNUSED(name);
+
+ if (create != ISC_TRUE) {
+ /* an 'ephemeral' node is never reused. */
+ return (ISC_R_NOTFOUND);
+ }
+
+ mctx = ecdb->common.mctx;
+ node = isc_mem_get(mctx, sizeof(*node));
+ if (node == NULL)
+ return (ISC_R_NOMEMORY);
+
+ result = isc_mutex_init(&node->lock);
+ if (result != ISC_R_SUCCESS) {
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "isc_mutex_init() failed: %s",
+ isc_result_totext(result));
+ isc_mem_put(mctx, node, sizeof(*node));
+ return (ISC_R_UNEXPECTED);
+ }
+
+ dns_name_init(&node->name, NULL);
+ result = dns_name_dup(name, mctx, &node->name);
+ if (result != ISC_R_SUCCESS) {
+ DESTROYLOCK(&node->lock);
+ isc_mem_put(mctx, node, sizeof(*node));
+ return (result);
+ }
+ node->ecdb= ecdb;
+ node->references = 1;
+ ISC_LIST_INIT(node->rdatasets);
+
+ ISC_LINK_INIT(node, link);
+
+ LOCK(&ecdb->lock);
+ ISC_LIST_APPEND(ecdb->nodes, node, link);
+ UNLOCK(&ecdb->lock);
+
+ node->magic = ECDBNODE_MAGIC;
+
+ *nodep = node;
+
+ return (ISC_R_SUCCESS);
+}
+
+static void
+bind_rdataset(dns_ecdb_t *ecdb, dns_ecdbnode_t *node,
+ rdatasetheader_t *header, dns_rdataset_t *rdataset)
+{
+ unsigned char *raw;
+
+ /*
+ * Caller must be holding the node lock.
+ */
+
+ REQUIRE(!dns_rdataset_isassociated(rdataset));
+
+ rdataset->methods = &rdataset_methods;
+ rdataset->rdclass = ecdb->common.rdclass;
+ rdataset->type = header->type;
+ rdataset->covers = header->covers;
+ rdataset->ttl = header->ttl;
+ rdataset->trust = header->trust;
+ if (NXDOMAIN(header))
+ rdataset->attributes |= DNS_RDATASETATTR_NXDOMAIN;
+
+ rdataset->private1 = ecdb;
+ rdataset->private2 = node;
+ raw = (unsigned char *)header + sizeof(*header);
+ rdataset->private3 = raw;
+ rdataset->count = 0;
+
+ /*
+ * Reset iterator state.
+ */
+ rdataset->privateuint4 = 0;
+ rdataset->private5 = NULL;
+
+ INSIST(node->references > 0);
+ node->references++;
+}
+
+static isc_result_t
+addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+ isc_stdtime_t now, dns_rdataset_t *rdataset, unsigned int options,
+ dns_rdataset_t *addedrdataset)
+{
+ dns_ecdb_t *ecdb = (dns_ecdb_t *)db;
+ isc_region_t r;
+ isc_result_t result = ISC_R_SUCCESS;
+ isc_mem_t *mctx;
+ dns_ecdbnode_t *ecdbnode = (dns_ecdbnode_t *)node;
+ rdatasetheader_t *header;
+
+ REQUIRE(VALID_ECDB(ecdb));
+ REQUIRE(VALID_ECDBNODE(ecdbnode));
+
+ UNUSED(version);
+ UNUSED(now);
+ UNUSED(options);
+
+ mctx = ecdb->common.mctx;
+
+ LOCK(&ecdbnode->lock);
+
+ /*
+ * Sanity check: this implementation does not allow overriding an
+ * existing rdataset of the same type.
+ */
+ for (header = ISC_LIST_HEAD(ecdbnode->rdatasets); header != NULL;
+ header = ISC_LIST_NEXT(header, link)) {
+ INSIST(header->type != rdataset->type ||
+ header->covers != rdataset->covers);
+ }
+
+ result = dns_rdataslab_fromrdataset(rdataset, mctx,
+ &r, sizeof(rdatasetheader_t));
+ if (result != ISC_R_SUCCESS)
+ goto unlock;
+
+ header = (rdatasetheader_t *)r.base;
+ header->type = rdataset->type;
+ header->ttl = rdataset->ttl;
+ header->trust = rdataset->trust;
+ header->covers = rdataset->covers;
+ header->attributes = 0;
+ if ((rdataset->attributes & DNS_RDATASETATTR_NXDOMAIN) != 0)
+ header->attributes |= RDATASET_ATTR_NXDOMAIN;
+ ISC_LINK_INIT(header, link);
+ ISC_LIST_APPEND(ecdbnode->rdatasets, header, link);
+
+ if (addedrdataset == NULL)
+ goto unlock;
+
+ bind_rdataset(ecdb, ecdbnode, header, addedrdataset);
+
+ unlock:
+ UNLOCK(&ecdbnode->lock);
+
+ return (result);
+}
+
+static isc_result_t
+deleterdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+ dns_rdatatype_t type, dns_rdatatype_t covers)
+{
+ UNUSED(db);
+ UNUSED(node);
+ UNUSED(version);
+ UNUSED(type);
+ UNUSED(covers);
+
+ return (ISC_R_NOTIMPLEMENTED);
+}
+
+static isc_result_t
+createiterator(dns_db_t *db, unsigned int options,
+ dns_dbiterator_t **iteratorp)
+{
+ UNUSED(db);
+ UNUSED(options);
+ UNUSED(iteratorp);
+
+ return (ISC_R_NOTIMPLEMENTED);
+}
+
+static isc_result_t
+allrdatasets(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+ isc_stdtime_t now, dns_rdatasetiter_t **iteratorp)
+{
+ dns_ecdb_t *ecdb = (dns_ecdb_t *)db;
+ dns_ecdbnode_t *ecdbnode = (dns_ecdbnode_t *)node;
+ isc_mem_t *mctx;
+ ecdb_rdatasetiter_t *iterator;
+
+ REQUIRE(VALID_ECDB(ecdb));
+ REQUIRE(VALID_ECDBNODE(ecdbnode));
+
+ mctx = ecdb->common.mctx;
+
+ iterator = isc_mem_get(mctx, sizeof(ecdb_rdatasetiter_t));
+ if (iterator == NULL)
+ return (ISC_R_NOMEMORY);
+
+ iterator->common.magic = DNS_RDATASETITER_MAGIC;
+ iterator->common.methods = &rdatasetiter_methods;
+ iterator->common.db = db;
+ iterator->common.node = NULL;
+ attachnode(db, node, &iterator->common.node);
+ iterator->common.version = version;
+ iterator->common.now = now;
+
+ *iteratorp = (dns_rdatasetiter_t *)iterator;
+
+ return (ISC_R_SUCCESS);
+}
+
+static dns_dbmethods_t ecdb_methods = {
+ attach,
+ detach,
+ NULL, /* beginload */
+ NULL, /* endload */
+ NULL, /* dump */
+ NULL, /* currentversion */
+ NULL, /* newversion */
+ NULL, /* attachversion */
+ NULL, /* closeversion */
+ findnode,
+ find,
+ findzonecut,
+ attachnode,
+ detachnode,
+ NULL, /* expirenode */
+ NULL, /* printnode */
+ createiterator, /* createiterator */
+ NULL, /* findrdataset */
+ allrdatasets,
+ addrdataset,
+ NULL, /* subtractrdataset */
+ deleterdataset,
+ NULL, /* issecure */
+ NULL, /* nodecount */
+ NULL, /* ispersistent */
+ NULL, /* overmem */
+ NULL, /* settask */
+ NULL, /* getoriginnode */
+ NULL, /* transfernode */
+ NULL, /* getnsec3parameters */
+ NULL, /* findnsec3node */
+ NULL, /* setsigningtime */
+ NULL, /* getsigningtime */
+ NULL, /* resigned */
+ NULL, /* isdnssec */
+ NULL, /* getrrsetstats */
+ NULL, /* rpz_enabled */
+ NULL /* rpz_findips */
+};
+
+static isc_result_t
+dns_ecdb_create(isc_mem_t *mctx, dns_name_t *origin, dns_dbtype_t type,
+ dns_rdataclass_t rdclass, unsigned int argc, char *argv[],
+ void *driverarg, dns_db_t **dbp)
+{
+ dns_ecdb_t *ecdb;
+ isc_result_t result;
+
+ REQUIRE(mctx != NULL);
+ REQUIRE(origin == dns_rootname);
+ REQUIRE(type == dns_dbtype_cache);
+ REQUIRE(dbp != NULL && *dbp == NULL);
+
+ UNUSED(argc);
+ UNUSED(argv);
+ UNUSED(driverarg);
+
+ ecdb = isc_mem_get(mctx, sizeof(*ecdb));
+ if (ecdb == NULL)
+ return (ISC_R_NOMEMORY);
+
+ ecdb->common.attributes = DNS_DBATTR_CACHE;
+ ecdb->common.rdclass = rdclass;
+ ecdb->common.methods = &ecdb_methods;
+ dns_name_init(&ecdb->common.origin, NULL);
+ result = dns_name_dupwithoffsets(origin, mctx, &ecdb->common.origin);
+ if (result != ISC_R_SUCCESS) {
+ isc_mem_put(mctx, ecdb, sizeof(*ecdb));
+ return (result);
+ }
+
+ result = isc_mutex_init(&ecdb->lock);
+ if (result != ISC_R_SUCCESS) {
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "isc_mutex_init() failed: %s",
+ isc_result_totext(result));
+ if (dns_name_dynamic(&ecdb->common.origin))
+ dns_name_free(&ecdb->common.origin, mctx);
+ isc_mem_put(mctx, ecdb, sizeof(*ecdb));
+ return (ISC_R_UNEXPECTED);
+ }
+
+ ecdb->references = 1;
+ ISC_LIST_INIT(ecdb->nodes);
+
+ ecdb->common.mctx = NULL;
+ isc_mem_attach(mctx, &ecdb->common.mctx);
+ ecdb->common.impmagic = ECDB_MAGIC;
+ ecdb->common.magic = DNS_DB_MAGIC;
+
+ *dbp = (dns_db_t *)ecdb;
+
+ return (ISC_R_SUCCESS);
+}
+
+/*%
+ * Rdataset Methods
+ */
+
+static void
+rdataset_disassociate(dns_rdataset_t *rdataset) {
+ dns_db_t *db = rdataset->private1;
+ dns_dbnode_t *node = rdataset->private2;
+
+ dns_db_detachnode(db, &node);
+}
+
+static isc_result_t
+rdataset_first(dns_rdataset_t *rdataset) {
+ unsigned char *raw = rdataset->private3;
+ unsigned int count;
+
+ count = raw[0] * 256 + raw[1];
+ if (count == 0) {
+ rdataset->private5 = NULL;
+ return (ISC_R_NOMORE);
+ }
+#if DNS_RDATASET_FIXED
+ raw += 2 + (4 * count);
+#else
+ raw += 2;
+#endif
+ /*
+ * The privateuint4 field is the number of rdata beyond the cursor
+ * position, so we decrement the total count by one before storing
+ * it.
+ */
+ count--;
+ rdataset->privateuint4 = count;
+ rdataset->private5 = raw;
+
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+rdataset_next(dns_rdataset_t *rdataset) {
+ unsigned int count;
+ unsigned int length;
+ unsigned char *raw;
+
+ count = rdataset->privateuint4;
+ if (count == 0)
+ return (ISC_R_NOMORE);
+ count--;
+ rdataset->privateuint4 = count;
+ raw = rdataset->private5;
+ length = raw[0] * 256 + raw[1];
+#if DNS_RDATASET_FIXED
+ raw += length + 4;
+#else
+ raw += length + 2;
+#endif
+ rdataset->private5 = raw;
+
+ return (ISC_R_SUCCESS);
+}
+
+static void
+rdataset_current(dns_rdataset_t *rdataset, dns_rdata_t *rdata) {
+ unsigned char *raw = rdataset->private5;
+ isc_region_t r;
+ unsigned int length;
+ unsigned int flags = 0;
+
+ REQUIRE(raw != NULL);
+
+ length = raw[0] * 256 + raw[1];
+#if DNS_RDATASET_FIXED
+ raw += 4;
+#else
+ raw += 2;
+#endif
+ if (rdataset->type == dns_rdatatype_rrsig) {
+ if (*raw & DNS_RDATASLAB_OFFLINE)
+ flags |= DNS_RDATA_OFFLINE;
+ length--;
+ raw++;
+ }
+ r.length = length;
+ r.base = raw;
+ dns_rdata_fromregion(rdata, rdataset->rdclass, rdataset->type, &r);
+ rdata->flags |= flags;
+}
+
+static void
+rdataset_clone(dns_rdataset_t *source, dns_rdataset_t *target) {
+ dns_db_t *db = source->private1;
+ dns_dbnode_t *node = source->private2;
+ dns_dbnode_t *cloned_node = NULL;
+
+ attachnode(db, node, &cloned_node);
+ *target = *source;
+
+ /*
+ * Reset iterator state.
+ */
+ target->privateuint4 = 0;
+ target->private5 = NULL;
+}
+
+static unsigned int
+rdataset_count(dns_rdataset_t *rdataset) {
+ unsigned char *raw = rdataset->private3;
+ unsigned int count;
+
+ count = raw[0] * 256 + raw[1];
+
+ return (count);
+}
+
+static void
+rdataset_settrust(dns_rdataset_t *rdataset, dns_trust_t trust) {
+ rdatasetheader_t *header = rdataset->private3;
+
+ header--;
+ header->trust = rdataset->trust = trust;
+}
+
+/*
+ * Rdataset Iterator Methods
+ */
+
+static void
+rdatasetiter_destroy(dns_rdatasetiter_t **iteratorp) {
+ ecdb_rdatasetiter_t *ecdbiterator;
+ isc_mem_t *mctx;
+
+ REQUIRE(iteratorp != NULL);
+ ecdbiterator = (ecdb_rdatasetiter_t *)*iteratorp;
+ REQUIRE(DNS_RDATASETITER_VALID(&ecdbiterator->common));
+
+ mctx = ecdbiterator->common.db->mctx;
+
+ ecdbiterator->common.magic = 0;
+
+ dns_db_detachnode(ecdbiterator->common.db, &ecdbiterator->common.node);
+ isc_mem_put(mctx, ecdbiterator, sizeof(ecdb_rdatasetiter_t));
+
+ *iteratorp = NULL;
+}
+
+static isc_result_t
+rdatasetiter_first(dns_rdatasetiter_t *iterator) {
+ ecdb_rdatasetiter_t *ecdbiterator = (ecdb_rdatasetiter_t *)iterator;
+ dns_ecdbnode_t *ecdbnode = (dns_ecdbnode_t *)iterator->node;
+
+ REQUIRE(DNS_RDATASETITER_VALID(iterator));
+
+ if (ISC_LIST_EMPTY(ecdbnode->rdatasets))
+ return (ISC_R_NOMORE);
+ ecdbiterator->current = ISC_LIST_HEAD(ecdbnode->rdatasets);
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+rdatasetiter_next(dns_rdatasetiter_t *iterator) {
+ ecdb_rdatasetiter_t *ecdbiterator = (ecdb_rdatasetiter_t *)iterator;
+
+ REQUIRE(DNS_RDATASETITER_VALID(iterator));
+
+ ecdbiterator->current = ISC_LIST_NEXT(ecdbiterator->current, link);
+ if (ecdbiterator->current == NULL)
+ return (ISC_R_NOMORE);
+ else
+ return (ISC_R_SUCCESS);
+}
+
+static void
+rdatasetiter_current(dns_rdatasetiter_t *iterator, dns_rdataset_t *rdataset) {
+ ecdb_rdatasetiter_t *ecdbiterator = (ecdb_rdatasetiter_t *)iterator;
+ dns_ecdb_t *ecdb;
+
+ ecdb = (dns_ecdb_t *)iterator->db;
+ REQUIRE(VALID_ECDB(ecdb));
+
+ bind_rdataset(ecdb, iterator->node, ecdbiterator->current, rdataset);
+}
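Review bot: `rdatasetiter_current` calls `bind_rdataset` without taking the node lock, although `bind_rdataset` says "Caller must be holding the node lock" and increments `node->references`, which `dns_ecdbnode_t` lists under "Locked". `addrdataset` holds `ecdbnode->lock` around the same call, so this path looks like an oversight; an unsynchronised increment racing with `detachnode` could leave the count wrong and let `destroynode` free a node that is still referenced. I would cast `iterator->node` to a local `dns_ecdbnode_t *node` and wrap the call: `LOCK(&node->lock);` `bind_rdataset(ecdb, node, ecdbiterator->current, rdataset);` `UNLOCK(&node->lock);`. `rdatasetiter_first` and `rdatasetiter_next` also read `node->rdatasets` without the lock.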
diff --git a/contrib/bind9/lib/dns/forward.c b/contrib/bind9/lib/dns/forward.c
index c7ed5bd1aec3..7ec4e5c9debb 100644
--- a/contrib/bind9/lib/dns/forward.c
+++ b/contrib/bind9/lib/dns/forward.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: forward.c,v 1.14 2009/09/02 23:48:02 tbox Exp $ */
/*! \file */
@@ -133,6 +133,22 @@ dns_fwdtable_add(dns_fwdtable_t *fwdtable, dns_name_t *name,
}
isc_result_t
+dns_fwdtable_delete(dns_fwdtable_t *fwdtable, dns_name_t *name) {
+ isc_result_t result;
+
+ REQUIRE(VALID_FWDTABLE(fwdtable));
+
+ RWLOCK(&fwdtable->rwlock, isc_rwlocktype_write);
+ result = dns_rbt_deletename(fwdtable->table, name, ISC_FALSE);
+ RWUNLOCK(&fwdtable->rwlock, isc_rwlocktype_write);
+
+ if (result == DNS_R_PARTIALMATCH)
+ result = ISC_R_NOTFOUND;
+
+ return (result);
+}
+
+isc_result_t
dns_fwdtable_find(dns_fwdtable_t *fwdtable, dns_name_t *name,
dns_forwarders_t **forwardersp)
{
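Review bot: `dns_fwdtable_delete` is added without any comment, and the one non-obvious step, folding `DNS_R_PARTIALMATCH` into `ISC_R_NOTFOUND`, is unexplained. Presumably a partial match means only an ancestor of `name` is in the table, so nothing was deleted; a line such as `/* Only an ancestor matched: nothing was removed, so report "not found". */` above the `if` would make that explicit. A short header comment stating that the table's write lock is taken internally would also help callers.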
diff --git a/contrib/bind9/lib/dns/gen-unix.h b/contrib/bind9/lib/dns/gen-unix.h
index 12dc0b35e41d..87529d4edfa0 100644
--- a/contrib/bind9/lib/dns/gen-unix.h
+++ b/contrib/bind9/lib/dns/gen-unix.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2007, 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: gen-unix.h,v 1.21 2009/01/17 23:47:42 tbox Exp $ */
/*! \file
* \brief
diff --git a/contrib/bind9/lib/dns/gen.c b/contrib/bind9/lib/dns/gen.c
index f8831a2108b8..a0b4df37593f 100644
--- a/contrib/bind9/lib/dns/gen.c
+++ b/contrib/bind9/lib/dns/gen.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2008, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1998-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: gen.c,v 1.85 2009/12/04 22:06:37 tbox Exp $ */
/*! \file */
@@ -631,6 +631,8 @@ main(int argc, char **argv) {
TOWIRETYPE, TOWIRECLASS, TOWIREDEF);
doswitch("COMPARESWITCH", "compare", COMPAREARGS,
COMPARETYPE, COMPARECLASS, COMPAREDEF);
+ doswitch("CASECOMPARESWITCH", "casecompare", COMPAREARGS,
+ COMPARETYPE, COMPARECLASS, COMPAREDEF);
doswitch("FROMSTRUCTSWITCH", "fromstruct", FROMSTRUCTARGS,
FROMSTRUCTTYPE, FROMSTRUCTCLASS, FROMSTRUCTDEF);
doswitch("TOSTRUCTSWITCH", "tostruct", TOSTRUCTARGS,
diff --git a/contrib/bind9/lib/dns/gssapi_link.c b/contrib/bind9/lib/dns/gssapi_link.c
index 063399dc5185..a992a8953f20 100644
--- a/contrib/bind9/lib/dns/gssapi_link.c
+++ b/contrib/bind9/lib/dns/gssapi_link.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2008, 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009, 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -23,6 +23,7 @@
#ifdef GSSAPI
+#include <isc/base64.h>
#include <isc/buffer.h>
#include <isc/mem.h>
#include <isc/string.h>
@@ -44,6 +45,12 @@
(gb).value = (r).base; \
} while (0)
+#define GBUFFER_TO_REGION(gb, r) \
+ do { \
+ (r).length = (gb).length; \
+ (r).base = (gb).value; \
+ } while (0)
+
struct dst_gssapi_signverifyctx {
isc_buffer_t *buffer;
@@ -254,9 +261,10 @@ gssapi_compare(const dst_key_t *key1, const dst_key_t *key2) {
}
static isc_result_t
-gssapi_generate(dst_key_t *key, int unused) {
+gssapi_generate(dst_key_t *key, int unused, void (*callback)(int)) {
UNUSED(key);
UNUSED(unused);
+ UNUSED(callback);
/* No idea */
return (ISC_R_FAILURE);
@@ -275,6 +283,79 @@ gssapi_destroy(dst_key_t *key) {
key->keydata.gssctx = NULL;
}
+static isc_result_t
+gssapi_restore(dst_key_t *key, const char *keystr) {
+ OM_uint32 major, minor;
+ size_t len;
+ isc_buffer_t *b = NULL;
+ isc_region_t r;
+ gss_buffer_desc gssbuffer;
+ isc_result_t result;
+
+ len = strlen(keystr);
+ if ((len % 4) != 0U)
+ return (ISC_R_BADBASE64);
+
+ len = (len / 4) * 3;
+
+ result = isc_buffer_allocate(key->mctx, &b, len);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ result = isc_base64_decodestring(keystr, b);
+ if (result != ISC_R_SUCCESS) {
+ isc_buffer_free(&b);
+ return (result);
+ }
+
+ isc_buffer_remainingregion(b, &r);
+ REGION_TO_GBUFFER(r, gssbuffer);
+ major = gss_import_sec_context(&minor, &gssbuffer,
+ &key->keydata.gssctx);
+ if (major != GSS_S_COMPLETE) {
+ isc_buffer_free(&b);
+ return (ISC_R_FAILURE);
+ }
+
+ isc_buffer_free(&b);
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+gssapi_dump(dst_key_t *key, isc_mem_t *mctx, char **buffer, int *length) {
+ OM_uint32 major, minor;
+ gss_buffer_desc gssbuffer;
+ size_t len;
+ char *buf;
+ isc_buffer_t b;
+ isc_region_t r;
+ isc_result_t result;
+
+ major = gss_export_sec_context(&minor, &key->keydata.gssctx,
+ &gssbuffer);
+ if (major != GSS_S_COMPLETE) {
+ fprintf(stderr, "gss_export_sec_context -> %d, %d\n",
+ major, minor);
+ return (ISC_R_FAILURE);
+ }
+ if (gssbuffer.length == 0U)
+ return (ISC_R_FAILURE);
+ len = ((gssbuffer.length + 2)/3) * 4;
+ buf = isc_mem_get(mctx, len);
+ if (buf == NULL) {
+ gss_release_buffer(&minor, &gssbuffer);
+ return (ISC_R_NOMEMORY);
+ }
+ isc_buffer_init(&b, buf, len);
+ GBUFFER_TO_REGION(gssbuffer, r);
+ result = isc_base64_totext(&r, 0, "", &b);
+ RUNTIME_CHECK(result == ISC_R_SUCCESS);
+ gss_release_buffer(&minor, &gssbuffer);
+ *buffer = buf;
+ *length = len;
+ return (ISC_R_SUCCESS);
+}
+
static dst_func_t gssapi_functions = {
gssapi_create_signverify_ctx,
gssapi_destroy_signverify_ctx,
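Review bot: `gssapi_dump` has no comment warning that it consumes the context: under the GSS-API specification a successful `gss_export_sec_context` deactivates the context and resets the handle, so `key->keydata.gssctx` should not be used for signing or verification afterwards. I would document that above the function, e.g. `/* Exports, and thereby invalidates, key->keydata.gssctx; the caller owns *buffer (*length bytes). */`. The returned text is a serialized security context, so the comment should also tell callers to handle it as key material. Separately, the `gssbuffer.length == 0U` early return skips `gss_release_buffer(&minor, &gssbuffer);`, unlike the other exits after a successful export.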
@@ -292,7 +373,9 @@ static dst_func_t gssapi_functions = {
NULL, /*%< tofile */
NULL, /*%< parse */
NULL, /*%< cleanup */
- NULL /*%< fromlabel */
+ NULL, /*%< fromlabel */
+ gssapi_dump,
+ gssapi_restore,
};
isc_result_t
diff --git a/contrib/bind9/lib/dns/gssapictx.c b/contrib/bind9/lib/dns/gssapictx.c
index 3e1c5217005f..ee5be561673b 100644
--- a/contrib/bind9/lib/dns/gssapictx.c
+++ b/contrib/bind9/lib/dns/gssapictx.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2008, 2010-2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -19,12 +19,14 @@
#include <config.h>
+#include <ctype.h>
#include <stdlib.h>
#include <string.h>
#include <isc/buffer.h>
#include <isc/dir.h>
#include <isc/entropy.h>
+#include <isc/file.h>
#include <isc/lex.h>
#include <isc/mem.h>
#include <isc/once.h>
@@ -202,9 +204,12 @@ log_cred(const gss_cred_id_t cred) {
* - tkey-gssapi-credential doesn't start with DNS/
* - the default realm in /etc/krb5.conf and the
* tkey-gssapi-credential bind config option don't match
+ *
+ * Note that if tkey-gssapi-keytab is set then these configure checks
+ * are not performed, and runtime errors from gssapi are used instead
*/
static void
-dst_gssapi_check_config(const char *gss_name) {
+check_config(const char *gss_name) {
const char *p;
krb5_context krb5_ctx;
char *krb5_realm = NULL;
@@ -264,7 +269,7 @@ dst_gssapi_acquirecred(dns_name_t *name, isc_boolean_t initiate,
* here when we're in the acceptor role, which would let us
* default the hostname and use a compiled in default service
* name of "DNS", giving one less thing to configure in
- * named.conf. Unfortunately, this creates a circular
+ * named.conf. Unfortunately, this creates a circular
* dependency due to DNS-based realm lookup in at least one
* GSSAPI implementation (Heimdal). Oh well.
*/
@@ -274,7 +279,7 @@ dst_gssapi_acquirecred(dns_name_t *name, isc_boolean_t initiate,
gret = gss_import_name(&minor, &gnamebuf,
GSS_C_NO_OID, &gname);
if (gret != GSS_S_COMPLETE) {
- dst_gssapi_check_config((char *)array);
+ check_config((char *)array);
gss_log(3, "failed gss_import_name: %s",
gss_error_tostring(gret, minor, buf,
@@ -307,7 +312,7 @@ dst_gssapi_acquirecred(dns_name_t *name, isc_boolean_t initiate,
initiate ? "initiate" : "accept",
(gname != NULL) ? (char *)gnamebuf.value : "?",
gss_error_tostring(gret, minor, buf, sizeof(buf)));
- dst_gssapi_check_config((char *)array);
+ check_config((char *)array);
return (ISC_R_FAILURE);
}
@@ -366,7 +371,7 @@ dst_gssapi_identitymatchesrealmkrb5(dns_name_t *signer, dns_name_t *name,
rname++;
/*
- * Find the host portion of the signer's name. We do this by
+ * Find the host portion of the signer's name. We do this by
* searching for the first / character. We then check to make
* certain the instance name is "host"
*
@@ -447,7 +452,7 @@ dst_gssapi_identitymatchesrealmms(dns_name_t *signer, dns_name_t *name,
return (isc_boolean_false);
/*
- * Find the host portion of the signer's name. Zero out the $ so
+ * Find the host portion of the signer's name. Zero out the $ so
* it terminates the signer's name, and skip past the @ for
* the realm.
*
@@ -461,7 +466,7 @@ dst_gssapi_identitymatchesrealmms(dns_name_t *signer, dns_name_t *name,
/*
* Find the first . in the target name, and make it the end of
- * the string. The rest of the name has to match the realm.
+ * the string. The rest of the name has to match the realm.
*/
if (name != NULL) {
nname = strchr(nbuf, '.');
@@ -517,9 +522,34 @@ dst_gssapi_releasecred(gss_cred_id_t *cred) {
#endif
}
+#ifdef GSSAPI
+/*
+ * Format a gssapi error message info into a char ** on the given memory
+ * context. This is used to return gssapi error messages back up the
+ * call chain for reporting to the user.
+ */
+static void
+gss_err_message(isc_mem_t *mctx, isc_uint32_t major, isc_uint32_t minor,
+ char **err_message)
+{
+ char buf[1024];
+ char *estr;
+
+ if (err_message == NULL || mctx == NULL) {
+ /* the caller doesn't want any error messages */
+ return;
+ }
+
+ estr = gss_error_tostring(major, minor, buf, sizeof(buf));
+ if (estr)
+ (*err_message) = isc_mem_strdup(mctx, estr);
+}
+#endif
+
isc_result_t
dst_gssapi_initctx(dns_name_t *name, isc_buffer_t *intoken,
- isc_buffer_t *outtoken, gss_ctx_id_t *gssctx)
+ isc_buffer_t *outtoken, gss_ctx_id_t *gssctx,
+ isc_mem_t *mctx, char **err_message)
{
#ifdef GSSAPI
isc_region_t r;
@@ -530,10 +560,10 @@ dst_gssapi_initctx(dns_name_t *name, isc_buffer_t *intoken,
isc_result_t result;
gss_buffer_desc gnamebuf;
unsigned char array[DNS_NAME_MAXTEXT + 1];
- char buf[1024];
/* Client must pass us a valid gss_ctx_id_t here */
REQUIRE(gssctx != NULL);
+ REQUIRE(mctx != NULL);
isc_buffer_init(&namebuf, array, sizeof(array));
name_to_gbuffer(name, &namebuf, &gnamebuf);
@@ -541,6 +571,7 @@ dst_gssapi_initctx(dns_name_t *name, isc_buffer_t *intoken,
/* Get the name as a GSS name */
gret = gss_import_name(&minor, &gnamebuf, GSS_C_NO_OID, &gname);
if (gret != GSS_S_COMPLETE) {
+ gss_err_message(mctx, gret, minor, err_message);
result = ISC_R_FAILURE;
goto out;
}
@@ -557,8 +588,7 @@ dst_gssapi_initctx(dns_name_t *name, isc_buffer_t *intoken,
* Note that we don't set GSS_C_SEQUENCE_FLAG as Windows DNS
* servers don't like it.
*/
- flags = GSS_C_REPLAY_FLAG | GSS_C_MUTUAL_FLAG | GSS_C_DELEG_FLAG |
- GSS_C_INTEG_FLAG;
+ flags = GSS_C_REPLAY_FLAG | GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG;
gret = gss_init_sec_context(&minor, GSS_C_NO_CREDENTIAL, gssctx,
gname, GSS_SPNEGO_MECHANISM, flags,
@@ -566,9 +596,9 @@ dst_gssapi_initctx(dns_name_t *name, isc_buffer_t *intoken,
NULL, &gouttoken, &ret_flags, NULL);
if (gret != GSS_S_COMPLETE && gret != GSS_S_CONTINUE_NEEDED) {
- gss_log(3, "Failure initiating security context");
- gss_log(3, "%s", gss_error_tostring(gret, minor,
- buf, sizeof(buf)));
+ gss_err_message(mctx, gret, minor, err_message);
+ gss_log(3, "Failure initiating security context: %s",
+ *err_message);
result = ISC_R_FAILURE;
goto out;
}
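Review bot: The new `gss_log()` call dereferences `err_message` unconditionally, although gss_err_message() accepts `err_message == NULL` as "the caller doesn't want any error messages" and may also leave `*err_message` NULL when no string could be produced. A NULL `err_message` would crash on this failure path, and a NULL `*err_message` passed to `%s` is undefined behaviour. Guard the call: `if (err_message != NULL && *err_message != NULL) gss_log(3, "Failure initiating security context: %s", *err_message); else gss_log(3, "Failure initiating security context");`. The function continues outside the hunk.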
@@ -600,6 +630,8 @@ dst_gssapi_initctx(dns_name_t *name, isc_buffer_t *intoken,
UNUSED(intoken);
UNUSED(outtoken);
UNUSED(gssctx);
+ UNUSED(mctx);
+ UNUSED(err_message);
return (ISC_R_NOTIMPLEMENTED);
#endif
@@ -607,6 +639,7 @@ dst_gssapi_initctx(dns_name_t *name, isc_buffer_t *intoken,
isc_result_t
dst_gssapi_acceptctx(gss_cred_id_t cred,
+ const char *gssapi_keytab,
isc_region_t *intoken, isc_buffer_t **outtoken,
gss_ctx_id_t *ctxout, dns_name_t *principal,
isc_mem_t *mctx)
@@ -631,6 +664,33 @@ dst_gssapi_acceptctx(gss_cred_id_t cred,
else
context = *ctxout;
+ if (gssapi_keytab != NULL) {
+#ifdef ISC_PLATFORM_GSSAPI_KRB5_HEADER
+ gret = gsskrb5_register_acceptor_identity(gssapi_keytab);
+ if (gret != GSS_S_COMPLETE) {
+ gss_log(3, "failed "
+ "gsskrb5_register_acceptor_identity(%s): %s",
+ gssapi_keytab,
+ gss_error_tostring(gret, 0, buf, sizeof(buf)));
+ return (DNS_R_INVALIDTKEY);
+ }
+#else
+ /*
+ * Minimize memory leakage by only setting KRB5_KTNAME
+ * if it needs to change.
+ */
+ const char *old = getenv("KRB5_KTNAME");
+ if (old == NULL || strcmp(old, gssapi_keytab) != 0) {
+ char *kt = malloc(strlen(gssapi_keytab) + 13);
+ if (kt == NULL)
+ return (ISC_R_NOMEMORY);
+ sprintf(kt, "KRB5_KTNAME=%s", gssapi_keytab);
+ if (putenv(kt) != 0)
+ return (ISC_R_NOMEMORY);
+ }
+#endif
+ }
+
log_cred(cred);
gret = gss_accept_sec_context(&minor, &context, cred, &gintoken,
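Review bot: In the `#else` branch the buffer `kt` is leaked when `putenv()` fails, and both new early returns (`DNS_R_INVALIDTKEY`, `ISC_R_NOMEMORY`) leave dst_gssapi_acceptctx directly rather than through whatever cleanup path the rest of the function uses, which is not visible here. Free the buffer on failure, `if (putenv(kt) != 0) { free(kt); return (ISC_R_NOMEMORY); }`, and size it with `sizeof("KRB5_KTNAME=")` instead of the literal 13 so the length cannot drift from the format string. `getenv()`/`putenv()` also change process-wide state without synchronisation, so if this function can run on more than one thread the keytab seen by the Kerberos library could change during a negotiation; a comment stating the threading assumption would help. The function starts and ends outside the hunk.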
@@ -699,7 +759,7 @@ dst_gssapi_acceptctx(gss_cred_id_t cred,
isc_buffer_add(&namebuf, r.length);
RETERR(dns_name_fromtext(principal, &namebuf, dns_rootname,
- ISC_FALSE, NULL));
+ 0, NULL));
if (gnamebuf.length != 0U) {
gret = gss_release_buffer(&minor, &gnamebuf);
@@ -724,6 +784,7 @@ dst_gssapi_acceptctx(gss_cred_id_t cred,
return (result);
#else
UNUSED(cred);
+ UNUSED(gssapi_keytab);
UNUSED(intoken);
UNUSED(outtoken);
UNUSED(ctxout);
diff --git a/contrib/bind9/lib/dns/hmac_link.c b/contrib/bind9/lib/dns/hmac_link.c
index 908154464c1d..bc0e9a04ed07 100644
--- a/contrib/bind9/lib/dns/hmac_link.c
+++ b/contrib/bind9/lib/dns/hmac_link.c
@@ -1,5 +1,5 @@
/*
- * Portions Copyright (C) 2004-2008, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC")
* Portions Copyright (C) 1999-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -31,7 +31,7 @@
/*
* Principal Author: Brian Wellington
- * $Id$
+ * $Id: hmac_link.c,v 1.19 2011/01/11 23:47:13 tbox Exp $
*/
#include <config.h>
@@ -50,14 +50,10 @@
#include "dst_internal.h"
#include "dst_parse.h"
-#define HMAC_LEN 64
-#define HMAC_IPAD 0x36
-#define HMAC_OPAD 0x5c
-
static isc_result_t hmacmd5_fromdns(dst_key_t *key, isc_buffer_t *data);
struct dst_hmacmd5_key {
- unsigned char key[HMAC_LEN];
+ unsigned char key[ISC_MD5_BLOCK_LENGTH];
};
static isc_result_t
@@ -79,7 +75,7 @@ hmacmd5_createctx(dst_key_t *key, dst_context_t *dctx) {
hmacmd5ctx = isc_mem_get(dctx->mctx, sizeof(isc_hmacmd5_t));
if (hmacmd5ctx == NULL)
return (ISC_R_NOMEMORY);
- isc_hmacmd5_init(hmacmd5ctx, hkey->key, HMAC_LEN);
+ isc_hmacmd5_init(hmacmd5ctx, hkey->key, ISC_SHA1_BLOCK_LENGTH);
dctx->ctxdata.hmacmd5ctx = hmacmd5ctx;
return (ISC_R_SUCCESS);
}
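Review bot: hmacmd5_createctx() passes `ISC_SHA1_BLOCK_LENGTH` as the length of `hkey->key`, but the array in `struct dst_hmacmd5_key` is declared with `ISC_MD5_BLOCK_LENGTH`; the same SHA-1 constant bounds the MD5 key in hmacmd5_compare(), hmacmd5_generate() and hmacmd5_fromdns() in the following hunks. MD5 and SHA-1 share a 64-byte block size, so this presumably works today, but a length and the buffer it bounds should come from the same name so that a change to either cannot turn into an over-read or an overflow of key storage. Use `ISC_MD5_BLOCK_LENGTH` throughout the MD5 functions, or `sizeof(hkey->key)` where the struct is in scope, e.g. `isc_hmacmd5_init(hmacmd5ctx, hkey->key, ISC_MD5_BLOCK_LENGTH);`. The function starts outside the hunk.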
@@ -142,26 +138,28 @@ hmacmd5_compare(const dst_key_t *key1, const dst_key_t *key2) {
else if (hkey1 == NULL || hkey2 == NULL)
return (ISC_FALSE);
- if (memcmp(hkey1->key, hkey2->key, HMAC_LEN) == 0)
+ if (memcmp(hkey1->key, hkey2->key, ISC_SHA1_BLOCK_LENGTH) == 0)
return (ISC_TRUE);
else
return (ISC_FALSE);
}
static isc_result_t
-hmacmd5_generate(dst_key_t *key, int pseudorandom_ok) {
+hmacmd5_generate(dst_key_t *key, int pseudorandom_ok, void (*callback)(int)) {
isc_buffer_t b;
isc_result_t ret;
- int bytes;
- unsigned char data[HMAC_LEN];
+ unsigned int bytes;
+ unsigned char data[ISC_SHA1_BLOCK_LENGTH];
+
+ UNUSED(callback);
bytes = (key->key_size + 7) / 8;
- if (bytes > HMAC_LEN) {
- bytes = HMAC_LEN;
- key->key_size = HMAC_LEN * 8;
+ if (bytes > ISC_SHA1_BLOCK_LENGTH) {
+ bytes = ISC_SHA1_BLOCK_LENGTH;
+ key->key_size = ISC_SHA1_BLOCK_LENGTH * 8;
}
- memset(data, 0, HMAC_LEN);
+ memset(data, 0, ISC_SHA1_BLOCK_LENGTH);
ret = dst__entropy_getdata(data, bytes, ISC_TF(pseudorandom_ok != 0));
if (ret != ISC_R_SUCCESS)
@@ -170,7 +168,7 @@ hmacmd5_generate(dst_key_t *key, int pseudorandom_ok) {
isc_buffer_init(&b, data, bytes);
isc_buffer_add(&b, bytes);
ret = hmacmd5_fromdns(key, &b);
- memset(data, 0, HMAC_LEN);
+ memset(data, 0, ISC_SHA1_BLOCK_LENGTH);
return (ret);
}
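Review bot: The closing `memset(data, 0, ISC_SHA1_BLOCK_LENGTH)` clears a stack buffer that is never read again, so an optimising compiler may drop the store and leave the freshly generated key bytes on the stack; the same pattern closes hmacsha1_generate() through hmacsha512_generate() in the later hunks. The wipe should go through a call the compiler cannot elide (a write through a `volatile` pointer, or `explicit_bzero()` where the platform provides it), with a comment such as `/* key material: wipe must not be optimised away */`. Whether the early return after dst__entropy_getdata() fails also scrubs `data` cannot be seen, because that part of the function lies outside the hunk.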
@@ -184,6 +182,7 @@ hmacmd5_isprivate(const dst_key_t *key) {
static void
hmacmd5_destroy(dst_key_t *key) {
dst_hmacmd5_key_t *hkey = key->keydata.hmacmd5;
+
memset(hkey, 0, sizeof(dst_hmacmd5_key_t));
isc_mem_put(key->mctx, hkey, sizeof(dst_hmacmd5_key_t));
key->keydata.hmacmd5 = NULL;
@@ -223,7 +222,7 @@ hmacmd5_fromdns(dst_key_t *key, isc_buffer_t *data) {
memset(hkey->key, 0, sizeof(hkey->key));
- if (r.length > HMAC_LEN) {
+ if (r.length > ISC_SHA1_BLOCK_LENGTH) {
isc_md5_init(&md5ctx);
isc_md5_update(&md5ctx, r.base, r.length);
isc_md5_final(&md5ctx, hkey->key);
@@ -268,15 +267,17 @@ hmacmd5_tofile(const dst_key_t *key, const char *directory) {
}
static isc_result_t
-hmacmd5_parse(dst_key_t *key, isc_lex_t *lexer) {
+hmacmd5_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
dst_private_t priv;
isc_result_t result, tresult;
isc_buffer_t b;
isc_mem_t *mctx = key->mctx;
unsigned int i;
+ UNUSED(pub);
/* read private key file */
- result = dst__privstruct_parse(key, DST_ALG_HMACMD5, lexer, mctx, &priv);
+ result = dst__privstruct_parse(key, DST_ALG_HMACMD5, lexer, mctx,
+ &priv);
if (result != ISC_R_SUCCESS)
return (result);
@@ -324,6 +325,8 @@ static dst_func_t hmacmd5_functions = {
hmacmd5_parse,
NULL, /*%< cleanup */
NULL, /*%< fromlabel */
+ NULL, /*%< dump */
+ NULL, /*%< restore */
};
isc_result_t
@@ -337,7 +340,7 @@ dst__hmacmd5_init(dst_func_t **funcp) {
static isc_result_t hmacsha1_fromdns(dst_key_t *key, isc_buffer_t *data);
struct dst_hmacsha1_key {
- unsigned char key[ISC_SHA1_DIGESTLENGTH];
+ unsigned char key[ISC_SHA1_BLOCK_LENGTH];
};
static isc_result_t
@@ -348,7 +351,7 @@ hmacsha1_createctx(dst_key_t *key, dst_context_t *dctx) {
hmacsha1ctx = isc_mem_get(dctx->mctx, sizeof(isc_hmacsha1_t));
if (hmacsha1ctx == NULL)
return (ISC_R_NOMEMORY);
- isc_hmacsha1_init(hmacsha1ctx, hkey->key, ISC_SHA1_DIGESTLENGTH);
+ isc_hmacsha1_init(hmacsha1ctx, hkey->key, ISC_SHA1_BLOCK_LENGTH);
dctx->ctxdata.hmacsha1ctx = hmacsha1ctx;
return (ISC_R_SUCCESS);
}
@@ -411,26 +414,28 @@ hmacsha1_compare(const dst_key_t *key1, const dst_key_t *key2) {
else if (hkey1 == NULL || hkey2 == NULL)
return (ISC_FALSE);
- if (memcmp(hkey1->key, hkey2->key, ISC_SHA1_DIGESTLENGTH) == 0)
+ if (memcmp(hkey1->key, hkey2->key, ISC_SHA1_BLOCK_LENGTH) == 0)
return (ISC_TRUE);
else
return (ISC_FALSE);
}
static isc_result_t
-hmacsha1_generate(dst_key_t *key, int pseudorandom_ok) {
+hmacsha1_generate(dst_key_t *key, int pseudorandom_ok, void (*callback)(int)) {
isc_buffer_t b;
isc_result_t ret;
- int bytes;
- unsigned char data[HMAC_LEN];
+ unsigned int bytes;
+ unsigned char data[ISC_SHA1_BLOCK_LENGTH];
+
+ UNUSED(callback);
bytes = (key->key_size + 7) / 8;
- if (bytes > HMAC_LEN) {
- bytes = HMAC_LEN;
- key->key_size = HMAC_LEN * 8;
+ if (bytes > ISC_SHA1_BLOCK_LENGTH) {
+ bytes = ISC_SHA1_BLOCK_LENGTH;
+ key->key_size = ISC_SHA1_BLOCK_LENGTH * 8;
}
- memset(data, 0, HMAC_LEN);
+ memset(data, 0, ISC_SHA1_BLOCK_LENGTH);
ret = dst__entropy_getdata(data, bytes, ISC_TF(pseudorandom_ok != 0));
if (ret != ISC_R_SUCCESS)
@@ -439,7 +444,7 @@ hmacsha1_generate(dst_key_t *key, int pseudorandom_ok) {
isc_buffer_init(&b, data, bytes);
isc_buffer_add(&b, bytes);
ret = hmacsha1_fromdns(key, &b);
- memset(data, 0, ISC_SHA1_DIGESTLENGTH);
+ memset(data, 0, ISC_SHA1_BLOCK_LENGTH);
return (ret);
}
@@ -453,6 +458,7 @@ hmacsha1_isprivate(const dst_key_t *key) {
static void
hmacsha1_destroy(dst_key_t *key) {
dst_hmacsha1_key_t *hkey = key->keydata.hmacsha1;
+
memset(hkey, 0, sizeof(dst_hmacsha1_key_t));
isc_mem_put(key->mctx, hkey, sizeof(dst_hmacsha1_key_t));
key->keydata.hmacsha1 = NULL;
@@ -492,7 +498,7 @@ hmacsha1_fromdns(dst_key_t *key, isc_buffer_t *data) {
memset(hkey->key, 0, sizeof(hkey->key));
- if (r.length > ISC_SHA1_DIGESTLENGTH) {
+ if (r.length > ISC_SHA1_BLOCK_LENGTH) {
isc_sha1_init(&sha1ctx);
isc_sha1_update(&sha1ctx, r.base, r.length);
isc_sha1_final(&sha1ctx, hkey->key);
@@ -537,13 +543,14 @@ hmacsha1_tofile(const dst_key_t *key, const char *directory) {
}
static isc_result_t
-hmacsha1_parse(dst_key_t *key, isc_lex_t *lexer) {
+hmacsha1_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
dst_private_t priv;
isc_result_t result, tresult;
isc_buffer_t b;
isc_mem_t *mctx = key->mctx;
unsigned int i;
+ UNUSED(pub);
/* read private key file */
result = dst__privstruct_parse(key, DST_ALG_HMACSHA1, lexer, mctx,
&priv);
@@ -594,6 +601,8 @@ static dst_func_t hmacsha1_functions = {
hmacsha1_parse,
NULL, /* cleanup */
NULL, /* fromlabel */
+ NULL, /* dump */
+ NULL, /* restore */
};
isc_result_t
@@ -607,7 +616,7 @@ dst__hmacsha1_init(dst_func_t **funcp) {
static isc_result_t hmacsha224_fromdns(dst_key_t *key, isc_buffer_t *data);
struct dst_hmacsha224_key {
- unsigned char key[ISC_SHA224_DIGESTLENGTH];
+ unsigned char key[ISC_SHA224_BLOCK_LENGTH];
};
static isc_result_t
@@ -618,7 +627,7 @@ hmacsha224_createctx(dst_key_t *key, dst_context_t *dctx) {
hmacsha224ctx = isc_mem_get(dctx->mctx, sizeof(isc_hmacsha224_t));
if (hmacsha224ctx == NULL)
return (ISC_R_NOMEMORY);
- isc_hmacsha224_init(hmacsha224ctx, hkey->key, ISC_SHA224_DIGESTLENGTH);
+ isc_hmacsha224_init(hmacsha224ctx, hkey->key, ISC_SHA224_BLOCK_LENGTH);
dctx->ctxdata.hmacsha224ctx = hmacsha224ctx;
return (ISC_R_SUCCESS);
}
@@ -681,26 +690,30 @@ hmacsha224_compare(const dst_key_t *key1, const dst_key_t *key2) {
else if (hkey1 == NULL || hkey2 == NULL)
return (ISC_FALSE);
- if (memcmp(hkey1->key, hkey2->key, ISC_SHA224_DIGESTLENGTH) == 0)
+ if (memcmp(hkey1->key, hkey2->key, ISC_SHA224_BLOCK_LENGTH) == 0)
return (ISC_TRUE);
else
return (ISC_FALSE);
}
static isc_result_t
-hmacsha224_generate(dst_key_t *key, int pseudorandom_ok) {
+hmacsha224_generate(dst_key_t *key, int pseudorandom_ok,
+ void (*callback)(int))
+{
isc_buffer_t b;
isc_result_t ret;
- int bytes;
- unsigned char data[HMAC_LEN];
+ unsigned int bytes;
+ unsigned char data[ISC_SHA224_BLOCK_LENGTH];
+
+ UNUSED(callback);
bytes = (key->key_size + 7) / 8;
- if (bytes > HMAC_LEN) {
- bytes = HMAC_LEN;
- key->key_size = HMAC_LEN * 8;
+ if (bytes > ISC_SHA224_BLOCK_LENGTH) {
+ bytes = ISC_SHA224_BLOCK_LENGTH;
+ key->key_size = ISC_SHA224_BLOCK_LENGTH * 8;
}
- memset(data, 0, HMAC_LEN);
+ memset(data, 0, ISC_SHA224_BLOCK_LENGTH);
ret = dst__entropy_getdata(data, bytes, ISC_TF(pseudorandom_ok != 0));
if (ret != ISC_R_SUCCESS)
@@ -709,7 +722,7 @@ hmacsha224_generate(dst_key_t *key, int pseudorandom_ok) {
isc_buffer_init(&b, data, bytes);
isc_buffer_add(&b, bytes);
ret = hmacsha224_fromdns(key, &b);
- memset(data, 0, ISC_SHA224_DIGESTLENGTH);
+ memset(data, 0, ISC_SHA224_BLOCK_LENGTH);
return (ret);
}
@@ -723,6 +736,7 @@ hmacsha224_isprivate(const dst_key_t *key) {
static void
hmacsha224_destroy(dst_key_t *key) {
dst_hmacsha224_key_t *hkey = key->keydata.hmacsha224;
+
memset(hkey, 0, sizeof(dst_hmacsha224_key_t));
isc_mem_put(key->mctx, hkey, sizeof(dst_hmacsha224_key_t));
key->keydata.hmacsha224 = NULL;
@@ -762,7 +776,7 @@ hmacsha224_fromdns(dst_key_t *key, isc_buffer_t *data) {
memset(hkey->key, 0, sizeof(hkey->key));
- if (r.length > ISC_SHA224_DIGESTLENGTH) {
+ if (r.length > ISC_SHA224_BLOCK_LENGTH) {
isc_sha224_init(&sha224ctx);
isc_sha224_update(&sha224ctx, r.base, r.length);
isc_sha224_final(hkey->key, &sha224ctx);
@@ -807,13 +821,14 @@ hmacsha224_tofile(const dst_key_t *key, const char *directory) {
}
static isc_result_t
-hmacsha224_parse(dst_key_t *key, isc_lex_t *lexer) {
+hmacsha224_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
dst_private_t priv;
isc_result_t result, tresult;
isc_buffer_t b;
isc_mem_t *mctx = key->mctx;
unsigned int i;
+ UNUSED(pub);
/* read private key file */
result = dst__privstruct_parse(key, DST_ALG_HMACSHA224, lexer, mctx,
&priv);
@@ -864,6 +879,8 @@ static dst_func_t hmacsha224_functions = {
hmacsha224_parse,
NULL, /* cleanup */
NULL, /* fromlabel */
+ NULL, /* dump */
+ NULL, /* restore */
};
isc_result_t
@@ -877,7 +894,7 @@ dst__hmacsha224_init(dst_func_t **funcp) {
static isc_result_t hmacsha256_fromdns(dst_key_t *key, isc_buffer_t *data);
struct dst_hmacsha256_key {
- unsigned char key[ISC_SHA256_DIGESTLENGTH];
+ unsigned char key[ISC_SHA256_BLOCK_LENGTH];
};
static isc_result_t
@@ -888,7 +905,7 @@ hmacsha256_createctx(dst_key_t *key, dst_context_t *dctx) {
hmacsha256ctx = isc_mem_get(dctx->mctx, sizeof(isc_hmacsha256_t));
if (hmacsha256ctx == NULL)
return (ISC_R_NOMEMORY);
- isc_hmacsha256_init(hmacsha256ctx, hkey->key, ISC_SHA256_DIGESTLENGTH);
+ isc_hmacsha256_init(hmacsha256ctx, hkey->key, ISC_SHA256_BLOCK_LENGTH);
dctx->ctxdata.hmacsha256ctx = hmacsha256ctx;
return (ISC_R_SUCCESS);
}
@@ -951,26 +968,30 @@ hmacsha256_compare(const dst_key_t *key1, const dst_key_t *key2) {
else if (hkey1 == NULL || hkey2 == NULL)
return (ISC_FALSE);
- if (memcmp(hkey1->key, hkey2->key, ISC_SHA256_DIGESTLENGTH) == 0)
+ if (memcmp(hkey1->key, hkey2->key, ISC_SHA256_BLOCK_LENGTH) == 0)
return (ISC_TRUE);
else
return (ISC_FALSE);
}
static isc_result_t
-hmacsha256_generate(dst_key_t *key, int pseudorandom_ok) {
+hmacsha256_generate(dst_key_t *key, int pseudorandom_ok,
+ void (*callback)(int))
+{
isc_buffer_t b;
isc_result_t ret;
- int bytes;
- unsigned char data[HMAC_LEN];
+ unsigned int bytes;
+ unsigned char data[ISC_SHA256_BLOCK_LENGTH];
+
+ UNUSED(callback);
bytes = (key->key_size + 7) / 8;
- if (bytes > HMAC_LEN) {
- bytes = HMAC_LEN;
- key->key_size = HMAC_LEN * 8;
+ if (bytes > ISC_SHA256_BLOCK_LENGTH) {
+ bytes = ISC_SHA256_BLOCK_LENGTH;
+ key->key_size = ISC_SHA256_BLOCK_LENGTH * 8;
}
- memset(data, 0, HMAC_LEN);
+ memset(data, 0, ISC_SHA256_BLOCK_LENGTH);
ret = dst__entropy_getdata(data, bytes, ISC_TF(pseudorandom_ok != 0));
if (ret != ISC_R_SUCCESS)
@@ -979,7 +1000,7 @@ hmacsha256_generate(dst_key_t *key, int pseudorandom_ok) {
isc_buffer_init(&b, data, bytes);
isc_buffer_add(&b, bytes);
ret = hmacsha256_fromdns(key, &b);
- memset(data, 0, ISC_SHA256_DIGESTLENGTH);
+ memset(data, 0, ISC_SHA256_BLOCK_LENGTH);
return (ret);
}
@@ -993,6 +1014,7 @@ hmacsha256_isprivate(const dst_key_t *key) {
static void
hmacsha256_destroy(dst_key_t *key) {
dst_hmacsha256_key_t *hkey = key->keydata.hmacsha256;
+
memset(hkey, 0, sizeof(dst_hmacsha256_key_t));
isc_mem_put(key->mctx, hkey, sizeof(dst_hmacsha256_key_t));
key->keydata.hmacsha256 = NULL;
@@ -1032,7 +1054,7 @@ hmacsha256_fromdns(dst_key_t *key, isc_buffer_t *data) {
memset(hkey->key, 0, sizeof(hkey->key));
- if (r.length > ISC_SHA256_DIGESTLENGTH) {
+ if (r.length > ISC_SHA256_BLOCK_LENGTH) {
isc_sha256_init(&sha256ctx);
isc_sha256_update(&sha256ctx, r.base, r.length);
isc_sha256_final(hkey->key, &sha256ctx);
@@ -1077,13 +1099,14 @@ hmacsha256_tofile(const dst_key_t *key, const char *directory) {
}
static isc_result_t
-hmacsha256_parse(dst_key_t *key, isc_lex_t *lexer) {
+hmacsha256_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
dst_private_t priv;
isc_result_t result, tresult;
isc_buffer_t b;
isc_mem_t *mctx = key->mctx;
unsigned int i;
+ UNUSED(pub);
/* read private key file */
result = dst__privstruct_parse(key, DST_ALG_HMACSHA256, lexer, mctx,
&priv);
@@ -1134,6 +1157,8 @@ static dst_func_t hmacsha256_functions = {
hmacsha256_parse,
NULL, /* cleanup */
NULL, /* fromlabel */
+ NULL, /* dump */
+ NULL, /* restore */
};
isc_result_t
@@ -1147,7 +1172,7 @@ dst__hmacsha256_init(dst_func_t **funcp) {
static isc_result_t hmacsha384_fromdns(dst_key_t *key, isc_buffer_t *data);
struct dst_hmacsha384_key {
- unsigned char key[ISC_SHA384_DIGESTLENGTH];
+ unsigned char key[ISC_SHA384_BLOCK_LENGTH];
};
static isc_result_t
@@ -1158,7 +1183,7 @@ hmacsha384_createctx(dst_key_t *key, dst_context_t *dctx) {
hmacsha384ctx = isc_mem_get(dctx->mctx, sizeof(isc_hmacsha384_t));
if (hmacsha384ctx == NULL)
return (ISC_R_NOMEMORY);
- isc_hmacsha384_init(hmacsha384ctx, hkey->key, ISC_SHA384_DIGESTLENGTH);
+ isc_hmacsha384_init(hmacsha384ctx, hkey->key, ISC_SHA384_BLOCK_LENGTH);
dctx->ctxdata.hmacsha384ctx = hmacsha384ctx;
return (ISC_R_SUCCESS);
}
@@ -1221,26 +1246,30 @@ hmacsha384_compare(const dst_key_t *key1, const dst_key_t *key2) {
else if (hkey1 == NULL || hkey2 == NULL)
return (ISC_FALSE);
- if (memcmp(hkey1->key, hkey2->key, ISC_SHA384_DIGESTLENGTH) == 0)
+ if (memcmp(hkey1->key, hkey2->key, ISC_SHA384_BLOCK_LENGTH) == 0)
return (ISC_TRUE);
else
return (ISC_FALSE);
}
static isc_result_t
-hmacsha384_generate(dst_key_t *key, int pseudorandom_ok) {
+hmacsha384_generate(dst_key_t *key, int pseudorandom_ok,
+ void (*callback)(int))
+{
isc_buffer_t b;
isc_result_t ret;
- int bytes;
- unsigned char data[HMAC_LEN];
+ unsigned int bytes;
+ unsigned char data[ISC_SHA384_BLOCK_LENGTH];
+
+ UNUSED(callback);
bytes = (key->key_size + 7) / 8;
- if (bytes > HMAC_LEN) {
- bytes = HMAC_LEN;
- key->key_size = HMAC_LEN * 8;
+ if (bytes > ISC_SHA384_BLOCK_LENGTH) {
+ bytes = ISC_SHA384_BLOCK_LENGTH;
+ key->key_size = ISC_SHA384_BLOCK_LENGTH * 8;
}
- memset(data, 0, HMAC_LEN);
+ memset(data, 0, ISC_SHA384_BLOCK_LENGTH);
ret = dst__entropy_getdata(data, bytes, ISC_TF(pseudorandom_ok != 0));
if (ret != ISC_R_SUCCESS)
@@ -1249,7 +1278,7 @@ hmacsha384_generate(dst_key_t *key, int pseudorandom_ok) {
isc_buffer_init(&b, data, bytes);
isc_buffer_add(&b, bytes);
ret = hmacsha384_fromdns(key, &b);
- memset(data, 0, ISC_SHA384_DIGESTLENGTH);
+ memset(data, 0, ISC_SHA384_BLOCK_LENGTH);
return (ret);
}
@@ -1263,6 +1292,7 @@ hmacsha384_isprivate(const dst_key_t *key) {
static void
hmacsha384_destroy(dst_key_t *key) {
dst_hmacsha384_key_t *hkey = key->keydata.hmacsha384;
+
memset(hkey, 0, sizeof(dst_hmacsha384_key_t));
isc_mem_put(key->mctx, hkey, sizeof(dst_hmacsha384_key_t));
key->keydata.hmacsha384 = NULL;
@@ -1302,7 +1332,7 @@ hmacsha384_fromdns(dst_key_t *key, isc_buffer_t *data) {
memset(hkey->key, 0, sizeof(hkey->key));
- if (r.length > ISC_SHA384_DIGESTLENGTH) {
+ if (r.length > ISC_SHA384_BLOCK_LENGTH) {
isc_sha384_init(&sha384ctx);
isc_sha384_update(&sha384ctx, r.base, r.length);
isc_sha384_final(hkey->key, &sha384ctx);
@@ -1347,13 +1377,14 @@ hmacsha384_tofile(const dst_key_t *key, const char *directory) {
}
static isc_result_t
-hmacsha384_parse(dst_key_t *key, isc_lex_t *lexer) {
+hmacsha384_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
dst_private_t priv;
isc_result_t result, tresult;
isc_buffer_t b;
isc_mem_t *mctx = key->mctx;
unsigned int i;
+ UNUSED(pub);
/* read private key file */
result = dst__privstruct_parse(key, DST_ALG_HMACSHA384, lexer, mctx,
&priv);
@@ -1404,6 +1435,8 @@ static dst_func_t hmacsha384_functions = {
hmacsha384_parse,
NULL, /* cleanup */
NULL, /* fromlabel */
+ NULL, /* dump */
+ NULL, /* restore */
};
isc_result_t
@@ -1417,7 +1450,7 @@ dst__hmacsha384_init(dst_func_t **funcp) {
static isc_result_t hmacsha512_fromdns(dst_key_t *key, isc_buffer_t *data);
struct dst_hmacsha512_key {
- unsigned char key[ISC_SHA512_DIGESTLENGTH];
+ unsigned char key[ISC_SHA512_BLOCK_LENGTH];
};
static isc_result_t
@@ -1428,7 +1461,7 @@ hmacsha512_createctx(dst_key_t *key, dst_context_t *dctx) {
hmacsha512ctx = isc_mem_get(dctx->mctx, sizeof(isc_hmacsha512_t));
if (hmacsha512ctx == NULL)
return (ISC_R_NOMEMORY);
- isc_hmacsha512_init(hmacsha512ctx, hkey->key, ISC_SHA512_DIGESTLENGTH);
+ isc_hmacsha512_init(hmacsha512ctx, hkey->key, ISC_SHA512_BLOCK_LENGTH);
dctx->ctxdata.hmacsha512ctx = hmacsha512ctx;
return (ISC_R_SUCCESS);
}
@@ -1491,26 +1524,30 @@ hmacsha512_compare(const dst_key_t *key1, const dst_key_t *key2) {
else if (hkey1 == NULL || hkey2 == NULL)
return (ISC_FALSE);
- if (memcmp(hkey1->key, hkey2->key, ISC_SHA512_DIGESTLENGTH) == 0)
+ if (memcmp(hkey1->key, hkey2->key, ISC_SHA512_BLOCK_LENGTH) == 0)
return (ISC_TRUE);
else
return (ISC_FALSE);
}
static isc_result_t
-hmacsha512_generate(dst_key_t *key, int pseudorandom_ok) {
+hmacsha512_generate(dst_key_t *key, int pseudorandom_ok,
+ void (*callback)(int))
+{
isc_buffer_t b;
isc_result_t ret;
- int bytes;
- unsigned char data[HMAC_LEN];
+ unsigned int bytes;
+ unsigned char data[ISC_SHA512_BLOCK_LENGTH];
+
+ UNUSED(callback);
bytes = (key->key_size + 7) / 8;
- if (bytes > HMAC_LEN) {
- bytes = HMAC_LEN;
- key->key_size = HMAC_LEN * 8;
+ if (bytes > ISC_SHA512_BLOCK_LENGTH) {
+ bytes = ISC_SHA512_BLOCK_LENGTH;
+ key->key_size = ISC_SHA512_BLOCK_LENGTH * 8;
}
- memset(data, 0, HMAC_LEN);
+ memset(data, 0, ISC_SHA512_BLOCK_LENGTH);
ret = dst__entropy_getdata(data, bytes, ISC_TF(pseudorandom_ok != 0));
if (ret != ISC_R_SUCCESS)
@@ -1519,7 +1556,7 @@ hmacsha512_generate(dst_key_t *key, int pseudorandom_ok) {
isc_buffer_init(&b, data, bytes);
isc_buffer_add(&b, bytes);
ret = hmacsha512_fromdns(key, &b);
- memset(data, 0, ISC_SHA512_DIGESTLENGTH);
+ memset(data, 0, ISC_SHA512_BLOCK_LENGTH);
return (ret);
}
@@ -1533,6 +1570,7 @@ hmacsha512_isprivate(const dst_key_t *key) {
static void
hmacsha512_destroy(dst_key_t *key) {
dst_hmacsha512_key_t *hkey = key->keydata.hmacsha512;
+
memset(hkey, 0, sizeof(dst_hmacsha512_key_t));
isc_mem_put(key->mctx, hkey, sizeof(dst_hmacsha512_key_t));
key->keydata.hmacsha512 = NULL;
@@ -1572,7 +1610,7 @@ hmacsha512_fromdns(dst_key_t *key, isc_buffer_t *data) {
memset(hkey->key, 0, sizeof(hkey->key));
- if (r.length > ISC_SHA512_DIGESTLENGTH) {
+ if (r.length > ISC_SHA512_BLOCK_LENGTH) {
isc_sha512_init(&sha512ctx);
isc_sha512_update(&sha512ctx, r.base, r.length);
isc_sha512_final(hkey->key, &sha512ctx);
@@ -1617,13 +1655,14 @@ hmacsha512_tofile(const dst_key_t *key, const char *directory) {
}
static isc_result_t
-hmacsha512_parse(dst_key_t *key, isc_lex_t *lexer) {
+hmacsha512_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
dst_private_t priv;
isc_result_t result, tresult;
isc_buffer_t b;
isc_mem_t *mctx = key->mctx;
unsigned int i;
+ UNUSED(pub);
/* read private key file */
result = dst__privstruct_parse(key, DST_ALG_HMACSHA512, lexer, mctx,
&priv);
@@ -1674,6 +1713,8 @@ static dst_func_t hmacsha512_functions = {
hmacsha512_parse,
NULL, /* cleanup */
NULL, /* fromlabel */
+ NULL, /* dump */
+ NULL, /* restore */
};
isc_result_t
diff --git a/contrib/bind9/lib/dns/include/dns/Makefile.in b/contrib/bind9/lib/dns/include/dns/Makefile.in
index 1abd38869472..ad8bc383e4b3 100644
--- a/contrib/bind9/lib/dns/include/dns/Makefile.in
+++ b/contrib/bind9/lib/dns/include/dns/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2004, 2007, 2008, 2012 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007-2009, 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 1998-2003 Internet Software Consortium.
#
# Permission to use, copy, modify, and/or distribute this software for any
@@ -21,19 +21,17 @@ top_srcdir = @top_srcdir@
@BIND9_VERSION@
-HEADERS = acl.h adb.h byaddr.h cache.h callbacks.h \
- cert.h compress.h \
+HEADERS = acl.h adb.h byaddr.h cache.h callbacks.h cert.h compress.h \
db.h dbiterator.h dbtable.h diff.h dispatch.h dlz.h \
- dnssec.h ds.h events.h fixedname.h iptable.h journal.h keyflags.h \
- keytable.h keyvalues.h lib.h log.h master.h masterdump.h \
- message.h name.h ncache.h \
- nsec.h peer.h portlist.h rbt.h rcode.h \
+ dnssec.h ds.h events.h fixedname.h iptable.h journal.h \
+ keyflags.h keytable.h keyvalues.h lib.h log.h \
+ master.h masterdump.h message.h name.h ncache.h nsec.h \
+ peer.h portlist.h private.h rbt.h rcode.h \
rdata.h rdataclass.h rdatalist.h rdataset.h rdatasetiter.h \
rdataslab.h rdatatype.h request.h resolver.h result.h \
- rootns.h sdb.h sdlz.h secalg.h secproto.h soa.h ssu.h \
- tcpmsg.h time.h tkey.h \
- tsig.h ttl.h types.h validator.h version.h view.h xfrin.h \
- zone.h zonekey.h zt.h
+ rootns.h rpz.h sdb.h sdlz.h secalg.h secproto.h soa.h ssu.h \
+ tcpmsg.h time.h tkey.h tsig.h ttl.h types.h \
+ validator.h version.h view.h xfrin.h zone.h zonekey.h zt.h
GENHEADERS = enumclass.h enumtype.h rdatastruct.h
diff --git a/contrib/bind9/lib/dns/include/dns/acl.h b/contrib/bind9/lib/dns/include/dns/acl.h
index e43ff3d6560d..41b9522f0317 100644
--- a/contrib/bind9/lib/dns/include/dns/acl.h
+++ b/contrib/bind9/lib/dns/include/dns/acl.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2007, 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009, 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -145,9 +145,26 @@ dns_acl_merge(dns_acl_t *dest, dns_acl_t *source, isc_boolean_t pos);
void
dns_acl_attach(dns_acl_t *source, dns_acl_t **target);
+/*%<
+ * Attach to acl 'source'.
+ *
+ * Requires:
+ *\li 'source' to be a valid acl.
+ *\li 'target' to be non NULL and '*target' to be NULL.
+ */
void
dns_acl_detach(dns_acl_t **aclp);
+/*%<
+ * Detach the acl. On final detach the acl must not be linked on any
+ * list.
+ *
+ * Requires:
+ *\li '*aclp' to be a valid acl.
+ *
+ * Insists:
+ *\li '*aclp' is not linked on final detach.
+ */
isc_boolean_t
dns_acl_isinsecure(const dns_acl_t *a);
diff --git a/contrib/bind9/lib/dns/include/dns/adb.h b/contrib/bind9/lib/dns/include/dns/adb.h
index d4d1b05a1735..b8c41dcdd485 100644
--- a/contrib/bind9/lib/dns/include/dns/adb.h
+++ b/contrib/bind9/lib/dns/include/dns/adb.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2008, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2008, 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
diff --git a/contrib/bind9/lib/dns/include/dns/cache.h b/contrib/bind9/lib/dns/include/dns/cache.h
index db7112b6fd12..f0825be3063b 100644
--- a/contrib/bind9/lib/dns/include/dns/cache.h
+++ b/contrib/bind9/lib/dns/include/dns/cache.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2007, 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009, 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -78,10 +78,9 @@ dns_cache_create3(isc_mem_t *cmctx, isc_mem_t *hmctx, isc_taskmgr_t *taskmgr,
/*%<
* Create a new DNS cache.
*
- * dns_cache_create2() is used in BIND 9.7 and up but is not implemented
- * here.
+ * dns_cache_create2() will create a named cache.
*
- * dns_cache_create3() will create a cache using two separate memory
+ * dns_cache_create3() will create a named cache using two separate memory
* contexts, one for cache data which can be cleaned and a separate one for
* memory allocated for the heap (which can grow without an upper limit and
* has no mechanism for shrinking).
@@ -97,6 +96,8 @@ dns_cache_create3(isc_mem_t *cmctx, isc_mem_t *hmctx, isc_taskmgr_t *taskmgr,
* manager, or both are NULL. If NULL, no periodic cleaning of the
* cache will take place.
*
+ *\li 'cachename' is a valid string. This must not be NULL.
+ *
*\li 'cachep' is a valid pointer, and *cachep == NULL
*
* Ensures:
@@ -238,12 +239,36 @@ dns_cache_setcleaninginterval(dns_cache_t *cache, unsigned int interval);
* Set the periodic cache cleaning interval to 'interval' seconds.
*/
+unsigned int
+dns_cache_getcleaninginterval(dns_cache_t *cache);
+/*%<
+ * Get the periodic cache cleaning interval to 'interval' seconds.
+ */
+
+isc_uint32_t
+dns_cache_getcachesize(dns_cache_t *cache);
+/*%<
+ * Get the maximum cache size.
+ */
+
+const char *
+dns_cache_getname(dns_cache_t *cache);
+/*%<
+ * Get the cache name.
+ */
+
void
dns_cache_setcachesize(dns_cache_t *cache, isc_uint32_t size);
/*%<
* Set the maximum cache size. 0 means unlimited.
*/
+isc_uint32_t
+dns_cache_getcachesize(dns_cache_t *cache);
+/*%<
+ * Get the maximum cache size.
+ */
+
isc_result_t
dns_cache_flush(dns_cache_t *cache);
/*%<
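Review bot: `dns_cache_getcachesize()` is declared twice in this hunk, once after dns_cache_getcleaninginterval() and again after dns_cache_setcachesize(); the compiler accepts the repeat, but one of the two should be dropped so the header carries a single documented prototype per function. The comment on dns_cache_getcleaninginterval() was copied from the setter and reads "Get the periodic cache cleaning interval to 'interval' seconds" although the getter has no `interval` parameter; `* Get the periodic cache cleaning interval, in seconds.` would match the prototype. The three new getters also lack the `Requires:` clause the other functions in this header carry (presumably `'cache' to be a valid cache`, to be confirmed against the implementation).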
diff --git a/contrib/bind9/lib/dns/include/dns/client.h b/contrib/bind9/lib/dns/include/dns/client.h
new file mode 100644
index 000000000000..d21dff788dde
--- /dev/null
+++ b/contrib/bind9/lib/dns/include/dns/client.h
@@ -0,0 +1,621 @@
+/*
+ * Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: client.h,v 1.3 2009/09/02 23:48:02 tbox Exp $ */
+
+#ifndef DNS_CLIENT_H
+#define DNS_CLIENT_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*! \file
+ *
+ * \brief
+ * The DNS client module provides convenient programming interfaces to various
+ * DNS services, such as name resolution with or without DNSSEC validation or
+ * dynamic DNS update. This module is primarily expected to be used by other
+ * applications than BIND9-related ones that need such advanced DNS features.
+ *
+ * MP:
+ *\li In the typical usage of this module, application threads will not share
+ * the same data structures created and manipulated in this module.
+ * However, the module still ensures appropriate synchronization of such
+ * data structures.
+ *
+ * Resources:
+ *\li TBS
+ *
+ * Security:
+ *\li This module does not handle any low-level data directly, and so no
+ * security issue specific to this module is anticipated.
+ */
+
+#include <isc/event.h>
+#include <isc/sockaddr.h>
+
+#include <dns/tsig.h>
+#include <dns/types.h>
+
+#include <dst/dst.h>
+
+typedef enum {
+ updateop_none = 0,
+ updateop_add = 1,
+ updateop_delete = 2,
+ updateop_exist = 3,
+ updateop_notexist = 4,
+ updateop_max = 5
+} dns_client_updateop_t;
+
+ISC_LANG_BEGINDECLS
+
+/***
+ *** Types
+ ***/
+
+/*%
+ * Optional flags for dns_client_create(x).
+ */
+/*%< Enable caching resolution results (experimental). */
+#define DNS_CLIENTCREATEOPT_USECACHE 0x8000
+
+/*%
+ * Optional flags for dns_client_(start)resolve.
+ */
+/*%< Disable DNSSEC validation. */
+#define DNS_CLIENTRESOPT_NODNSSEC 0x01
+/*%< Allow running external context. */
+#define DNS_CLIENTRESOPT_ALLOWRUN 0x02
+
+/*%
+ * Optional flags for dns_client_(start)request.
+ */
+/*%< Allow running external context. */
+#define DNS_CLIENTREQOPT_ALLOWRUN 0x01
+
+/*%
+ * A dns_clientresevent_t is sent when name resolution performed by a client
+ * completes. 'result' stores the result code of the entire resolution
+ * procedure. 'vresult' specifically stores the result code of DNSSEC
+ * validation if it is performed. When name resolution successfully completes,
+ * 'answerlist' is typically non empty, containing answer names along with
+ * RRsets. It is the receiver's responsibility to free this list by calling
+ * dns_client_freeresanswer() before freeing the event structure.
+ */
+typedef struct dns_clientresevent {
+ ISC_EVENT_COMMON(struct dns_clientresevent);
+ isc_result_t result;
+ isc_result_t vresult;
+ dns_namelist_t answerlist;
+} dns_clientresevent_t; /* too long? */
+
+/*%
+ * Status of a dynamic update procedure.
+ */
+typedef enum {
+ dns_clientupdatestate_prepare, /*%< no updates have been sent */
+ dns_clientupdatestate_sent, /*%< updates were sent, no response */
+ dns_clientupdatestate_done /*%< update was sent and succeeded */
+} dns_clientupdatestate_t;
+
+/*%
+ * A dns_clientreqevent_t is sent when a DNS request is completed by a client.
+ * 'result' stores the result code of the entire transaction.
+ * If the transaction is successfully completed but the response packet cannot
+ * be parsed, 'result' will store the result code of dns_message_parse().
+ * If the response packet is received, 'rmessage' will contain the response
+ * message, whether it is successfully parsed or not.
+ */
+typedef struct dns_clientreqevent {
+ ISC_EVENT_COMMON(struct dns_clientreqevent);
+ isc_result_t result;
+ dns_message_t *rmessage;
+} dns_clientreqevent_t; /* too long? */
+
+/*%
+ * A dns_clientupdateevent_t is sent when dynamic update performed by a client
+ * completes. 'result' stores the result code of the entire update procedure.
+ * 'state' specifies the status of the update procedure when this event is
+ * sent. This can be used as a hint by the receiver to determine whether
+ * the update attempt was ever made. In particular, if the state is
+ * dns_clientupdatestate_prepare, the receiver can be sure that the requested
+ * update was not applied.
+ */
+typedef struct dns_clientupdateevent {
+ ISC_EVENT_COMMON(struct dns_clientupdateevent);
+ isc_result_t result;
+ dns_clientupdatestate_t state;
+} dns_clientupdateevent_t; /* too long? */
+
+isc_result_t
+dns_client_create(dns_client_t **clientp, unsigned int options);
+
+isc_result_t
+dns_client_createx(isc_mem_t *mctx, isc_appctx_t *actx, isc_taskmgr_t *taskmgr,
+ isc_socketmgr_t *socketmgr, isc_timermgr_t *timermgr,
+ unsigned int options, dns_client_t **clientp);
+/*%<
+ * Create a DNS client. These functions create a new client object with
+ * minimal internal resources such as the default 'view' for the IN class and
+ * IPv4/IPv6 dispatches for the view.
+ *
+ * dns_client_createx() takes 'manager' arguments so that the caller can
+ * control the behavior of the client through the underlying event framework.
+ * On the other hand, dns_client_create() simplifies the interface and creates
+ * the managers internally. A DNS client object created via
+ * dns_client_create() is expected to be used by an application that only needs
+ * simple synchronous services or by a thread-based application.
+ *
+ * If the DNS_CLIENTCREATEOPT_USECACHE flag is set in 'options',
+ * dns_client_create(x) will create a cache database with the view.
+ *
+ * Requires:
+ *
+ *\li 'mctx' is a valid memory context.
+ *
+ *\li 'actx' is a valid application context.
+ *
+ *\li 'taskmgr' is a valid task manager.
+ *
+ *\li 'socketmgr' is a valid socket manager.
+ *
+ *\li 'timermgr' is a valid timer manager.
+ *
+ *\li clientp != NULL && *clientp == NULL.
+ *
+ * Returns:
+ *
+ *\li #ISC_R_SUCCESS On success.
+ *
+ *\li Anything else Failure.
+ */
+
+void
+dns_client_destroy(dns_client_t **clientp);
+/*%<
+ * Destroy 'client'.
+ *
+ * Requires:
+ *
+ *\li '*clientp' is a valid client.
+ *
+ * Ensures:
+ *
+ *\li *clientp == NULL.
+ */
+
+isc_result_t
+dns_client_setservers(dns_client_t *client, dns_rdataclass_t rdclass,
+ dns_name_t *namespace, isc_sockaddrlist_t *addrs);
+/*%<
+ * Specify a list of addresses of recursive name servers that the client will
+ * use for name resolution. A view for the 'rdclass' class must be created
+ * beforehand. If 'namespace' is non NULL, the specified server will be used
+ * if and only if the query name is a subdomain of 'namespace'. When servers
+ * for multiple 'namespace's are provided, and a query name is covered by
+ * more than one 'namespace', the servers for the best (longest) matching
+ * namespace will be used. If 'namespace' is NULL, it works as if
+ * dns_rootname (.) were specified.
+ *
+ * Requires:
+ *
+ *\li 'client' is a valid client.
+ *
+ *\li 'namespace' is NULL or a valid name.
+ *
+ *\li 'addrs' != NULL.
+ *
+ * Returns:
+ *
+ *\li #ISC_R_SUCCESS On success.
+ *
+ *\li Anything else Failure.
+ */
+
+isc_result_t
+dns_client_clearservers(dns_client_t *client, dns_rdataclass_t rdclass,
+ dns_name_t *namespace);
+/*%<
+ * Remove configured recursive name servers for the 'rdclass' and 'namespace'
+ * from the client. See the description of dns_client_setservers() for
+ * the requirements about 'rdclass' and 'namespace'.
+ *
+ * Requires:
+ *
+ *\li 'client' is a valid client.
+ *
+ *\li 'namespace' is NULL or a valid name.
+ *
+ * Returns:
+ *
+ *\li #ISC_R_SUCCESS On success.
+ *
+ *\li Anything else Failure.
+ */
+
+isc_result_t
+dns_client_resolve(dns_client_t *client, dns_name_t *name,
+ dns_rdataclass_t rdclass, dns_rdatatype_t type,
+ unsigned int options, dns_namelist_t *namelist);
+
+isc_result_t
+dns_client_startresolve(dns_client_t *client, dns_name_t *name,
+ dns_rdataclass_t rdclass, dns_rdatatype_t type,
+ unsigned int options, isc_task_t *task,
+ isc_taskaction_t action, void *arg,
+ dns_clientrestrans_t **transp);
+/*%<
+ * Perform name resolution for 'name', 'rdclass', and 'type'.
+ *
+ * If any trusted keys are configured and the query name is considered to
+ * belong to a secure zone, these functions also validate the responses
+ * using DNSSEC by default. If the DNS_CLIENTRESOPT_NODNSSEC flag is set
+ * in 'options', DNSSEC validation is disabled regardless of the configured
+ * trusted keys or the query name.
+ *
+ * dns_client_resolve() provides a synchronous service. This function starts
+ * name resolution internally and blocks until it completes. On success,
+ * 'namelist' will contain a list of answer names, each of which has
+ * corresponding RRsets. The caller must provide a valid empty list, and
+ * is responsible for freeing the list content via dns_client_freeresanswer().
+ * If the name resolution fails due to an error in DNSSEC validation,
+ * dns_client_resolve() returns the result code indicating the validation
+ * error. Otherwise, it returns the result code of the entire resolution
+ * process, either success or failure.
+ *
+ * It is typically expected that the client object passed to
+ * dns_client_resolve() was created via dns_client_create() and has its own
+ * managers and contexts. However, if the DNS_CLIENTRESOPT_ALLOWRUN flag is
+ * set in 'options', this function performs the synchronous service even if
+ * it does not have its own manager and context structures.
+ *
+ * dns_client_startresolve() is an asynchronous version of dns_client_resolve()
+ * and does not block. When name resolution is completed, 'action' will be
+ * called with the argument of a 'dns_clientresevent_t' object, which contains
+ * the resulting list of answer names (on success). On return, '*transp' is
+ * set to an opaque transaction ID so that the caller can cancel this
+ * resolution process.
+ *
+ * Requires:
+ *
+ *\li 'client' is a valid client.
+ *
+ *\li 'addrs' != NULL.
+ *
+ *\li 'name' is a valid name.
+ *
+ *\li 'namelist' != NULL and is not empty.
+ *
+ *\li 'task' is a valid task.
+ *
+ *\li 'transp' != NULL && *transp == NULL;
+ *
+ * Returns:
+ *
+ *\li #ISC_R_SUCCESS On success.
+ *
+ *\li Anything else Failure.
+ */
+
+void
+dns_client_cancelresolve(dns_clientrestrans_t *trans);
+/*%<
+ * Cancel an ongoing resolution procedure started via
+ * dns_client_startresolve().
+ *
+ * Notes:
+ *
+ *\li If the resolution procedure has not completed, post its CLIENTRESDONE
+ * event with a result code of #ISC_R_CANCELED.
+ *
+ * Requires:
+ *
+ *\li 'trans' is a valid transaction ID.
+ */
+
+void
+dns_client_destroyrestrans(dns_clientrestrans_t **transp);
+/*%<
+ * Destroy name resolution transaction state identified by '*transp'.
+ *
+ * Requires:
+ *
+ *\li '*transp' is a valid transaction ID.
+ *
+ *\li The caller has received the CLIENTRESDONE event (either because the
+ * resolution completed or because dns_client_cancelresolve() was called).
+ *
+ * Ensures:
+ *
+ *\li *transp == NULL.
+ */
+
+void
+dns_client_freeresanswer(dns_client_t *client, dns_namelist_t *namelist);
+/*%<
+ * Free resources allocated for the content of 'namelist'.
+ *
+ * Requires:
+ *
+ *\li 'client' is a valid client.
+ *
+ *\li 'namelist' != NULL.
+ */
+
+isc_result_t
+dns_client_addtrustedkey(dns_client_t *client, dns_rdataclass_t rdclass,
+ dns_name_t *keyname, isc_buffer_t *keydatabuf);
+/*%<
+ * Add a DNSSEC trusted key for the 'rdclass' class. A view for the 'rdclass'
+ * class must be created beforehand. 'keyname' is the DNS name of the key,
+ * and 'keydatabuf' stores the resource data of the key.
+ *
+ * Requires:
+ *
+ *\li 'client' is a valid client.
+ *
+ *\li 'keyname' is a valid name.
+ *
+ *\li 'keydatabuf' is a valid buffer.
+ *
+ * Returns:
+ *
+ *\li #ISC_R_SUCCESS On success.
+ *
+ *\li Anything else Failure.
+ */
+
+isc_result_t
+dns_client_request(dns_client_t *client, dns_message_t *qmessage,
+ dns_message_t *rmessage, isc_sockaddr_t *server,
+ unsigned int options, unsigned int parseoptions,
+ dns_tsec_t *tsec, unsigned int timeout,
+ unsigned int udptimeout, unsigned int udpretries);
+
+isc_result_t
+dns_client_startrequest(dns_client_t *client, dns_message_t *qmessage,
+ dns_message_t *rmessage, isc_sockaddr_t *server,
+ unsigned int options, unsigned int parseoptions,
+ dns_tsec_t *tsec, unsigned int timeout,
+ unsigned int udptimeout, unsigned int udpretries,
+ isc_task_t *task, isc_taskaction_t action, void *arg,
+ dns_clientreqtrans_t **transp);
+
+/*%<
+ * Send a DNS request containig a query message 'query' to 'server'.
+ *
+ * 'parseoptions' will be used when the response packet is parsed, and will be
+ * passed to dns_message_parse() via dns_request_getresponse(). See
+ * dns_message_parse() for more details.
+ *
+ * 'tsec' is a transaction security object containing, e.g. a TSIG key for
+ * authenticating the request/response transaction. This is optional and can
+ * be NULL, in which case this library performs the transaction without any
+ * transaction authentication.
+ *
+ * 'timeout', 'udptimeout', and 'udpretries' are passed to
+ * dns_request_createvia3(). See dns_request_createvia3() for more details.
+ *
+ * dns_client_request() provides a synchronous service. This function sends
+ * the request and blocks until a response is received. On success,
+ * 'rmessage' will contain the response message. The caller must provide a
+ * valid initialized message.
+ *
+ * It is usually expected that the client object passed to
+ * dns_client_request() was created via dns_client_create() and has its own
+ * managers and contexts. However, if the DNS_CLIENTREQOPT_ALLOWRUN flag is
+ * set in 'options', this function performs the synchronous service even if
+ * it does not have its own manager and context structures.
+ *
+ * dns_client_startrequest() is an asynchronous version of dns_client_request()
+ * and does not block. When the transaction is completed, 'action' will be
+ * called with the argument of a 'dns_clientreqevent_t' object, which contains
+ * the response message (on success). On return, '*transp' is set to an opaque
+ * transaction ID so that the caller can cancel this request.
+ *
+ * Requires:
+ *
+ *\li 'client' is a valid client.
+ *
+ *\li 'qmessage' and 'rmessage' are valid initialized message.
+ *
+ *\li 'server' is a valid socket address structure.
+ *
+ *\li 'task' is a valid task.
+ *
+ *\li 'transp' != NULL && *transp == NULL;
+ *
+ * Returns:
+ *
+ *\li #ISC_R_SUCCESS On success.
+ *
+ *\li Anything else Failure.
+ *
+ *\li Any result that dns_message_parse() can return.
+ */
+
+void
+dns_client_cancelrequest(dns_clientreqtrans_t *transp);
+/*%<
+ * Cancel an ongoing DNS request procedure started via
+ * dns_client_startrequest().
+ *
+ * Notes:
+ *
+ *\li If the request procedure has not completed, post its CLIENTREQDONE
+ * event with a result code of #ISC_R_CANCELED.
+ *
+ * Requires:
+ *
+ *\li 'trans' is a valid transaction ID.
+ */
+
+void
+dns_client_destroyreqtrans(dns_clientreqtrans_t **transp);
+/*%
+ * Destroy DNS request transaction state identified by '*transp'.
+ *
+ * Requires:
+ *
+ *\li '*transp' is a valid transaction ID.
+ *
+ *\li The caller has received the CLIENTREQDONE event (either because the
+ * request completed or because dns_client_cancelrequest() was called).
+ *
+ * Ensures:
+ *
+ *\li *transp == NULL.
+ */
+
+isc_result_t
+dns_client_update(dns_client_t *client, dns_rdataclass_t rdclass,
+ dns_name_t *zonename, dns_namelist_t *prerequisites,
+ dns_namelist_t *updates, isc_sockaddrlist_t *servers,
+ dns_tsec_t *tsec, unsigned int options);
+
+isc_result_t
+dns_client_startupdate(dns_client_t *client, dns_rdataclass_t rdclass,
+ dns_name_t *zonename, dns_namelist_t *prerequisites,
+ dns_namelist_t *updates, isc_sockaddrlist_t *servers,
+ dns_tsec_t *tsec, unsigned int options,
+ isc_task_t *task, isc_taskaction_t action, void *arg,
+ dns_clientupdatetrans_t **transp);
+/*%<
+ * Perform DNS dynamic update for 'updates' of the 'rdclass' class with
+ * optional 'prerequisites'.
+ *
+ * 'updates' are a list of names with associated RRsets to be updated.
+ *
+ * 'prerequisites' are a list of names with associated RRsets corresponding to
+ * the prerequisites of the updates. This is optional and can be NULL, in
+ * which case the prerequisite section of the update message will be empty.
+ *
+ * Both 'updates' and 'prerequisites' must be constructed as specified in
+ * RFC2136.
+ *
+ * 'zonename' is the name of the zone in which the updated names exist.
+ * This is optional and can be NULL. In this case, these functions internally
+ * identify the appropriate zone through some queries for the SOA RR starting
+ * with the first name in prerequisites or updates.
+ *
+ * 'servers' is a list of authoritative servers to which the update message
+ * should be sent. This is optional and can be NULL. In this case, these
+ * functions internally identify the appropriate primary server name and its
+ * addresses through some queries for the SOA RR (like the case of zonename)
+ * and supplemental A/AAAA queries for the server name.
+ * Note: The client module generally assumes the given addresses are of the
+ * primary server of the corresponding zone. It will work even if a secondary
+ * server address is specified as long as the server allows update forwarding,
+ * it is generally discouraged to include secondary server addresses unless
+ * there's strong reason to do so.
+ *
+ * 'tsec' is a transaction security object containing, e.g. a TSIG key for
+ * authenticating the update transaction (and the supplemental query/response
+ * transactions if the server is specified). This is optional and can be
+ * NULL, in which case the library tries the update without any transaction
+ * authentication.
+ *
+ * dns_client_update() provides a synchronous service. This function blocks
+ * until the entire update procedure completes, including the additional
+ * queries when necessary.
+ *
+ * dns_client_startupdate() is an asynchronous version of dns_client_update().
+ * It immediately returns (typically with *transp being set to a non-NULL
+ * pointer), and performs the update procedure through a set of internal
+ * events. All transactions including the additional query exchanges are
+ * performed as a separate event, so none of these events cause blocking
+ * operation. When the update procedure completes, the specified function
+ * 'action' will be called with the argument of a 'dns_clientupdateevent_t'
+ * structure. On return, '*transp' is set to an opaque transaction ID so that
+ * the caller can cancel this update process.
+ *
+ * Notes:
+ *\li No options are currently defined.
+ *
+ * Requires:
+ *
+ *\li 'client' is a valid client.
+ *
+ *\li 'updates' != NULL.
+ *
+ *\li 'task' is a valid task.
+ *
+ *\li 'transp' != NULL && *transp == NULL;
+ *
+ * Returns:
+ *
+ *\li #ISC_R_SUCCESS On success.
+ *
+ *\li Anything else Failure.
+ */
+
+void
+dns_client_cancelupdate(dns_clientupdatetrans_t *trans);
+/*%<
+ * Cancel an ongoing dynamic update procedure started via
+ * dns_client_startupdate().
+ *
+ * Notes:
+ *
+ *\li If the update procedure has not completed, post its UPDATEDONE
+ * event with a result code of #ISC_R_CANCELED.
+ *
+ * Requires:
+ *
+ *\li 'trans' is a valid transaction ID.
+ */
+
+void
+dns_client_destroyupdatetrans(dns_clientupdatetrans_t **transp);
+/*%<
+ * Destroy dynamic update transaction identified by '*transp'.
+ *
+ * Requires:
+ *
+ *\li '*transp' is a valid transaction ID.
+ *
+ *\li The caller has received the UPDATEDONE event (either because the
+ * update completed or because dns_client_cancelupdate() was called).
+ *
+ * Ensures:
+ *
+ *\li *transp == NULL.
+ */
+
+isc_result_t
+dns_client_updaterec(dns_client_updateop_t op, dns_name_t *owner,
+ dns_rdatatype_t type, dns_rdata_t *source,
+ dns_ttl_t ttl, dns_name_t *target,
+ dns_rdataset_t *rdataset, dns_rdatalist_t *rdatalist,
+ dns_rdata_t *rdata, isc_mem_t *mctx);
+/*%<
+ * TBD
+ */
+
+void
+dns_client_freeupdate(dns_name_t **namep);
+/*%<
+ * TBD
+ */
+
+isc_mem_t *
+dns_client_mctx(dns_client_t *client);
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_CLIENT_H */
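Review bot: The Requires list shared by dns_client_resolve() and dns_client_startresolve() contradicts the description above it: it demands `'namelist' != NULL and is not empty` although the text says the caller must provide a valid empty list, and it lists `'addrs' != NULL` although neither function takes an 'addrs' argument. If the implementation asserts on these conditions (not visible in this header), a caller who follows the wrong line aborts; the entry should read `'namelist' != NULL and is empty` and the 'addrs' line should be dropped. The file-level Security paragraph says no module-specific issue is anticipated, yet DNS_CLIENTRESOPT_NODNSSEC turns validation off and a NULL 'tsec' sends requests and updates without transaction authentication, so it should state that both are silent downgrades chosen by the caller. Smaller items: dns_client_cancelrequest() names its parameter `transp` but documents 'trans', dns_client_destroyreqtrans() opens its comment with `/*%` instead of `/*%<`, and dns_client_updaterec() and dns_client_freeupdate() are still documented as TBD.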
diff --git a/contrib/bind9/lib/dns/include/dns/compress.h b/contrib/bind9/lib/dns/include/dns/compress.h
index bb34501fa712..a10f4d3930f0 100644
--- a/contrib/bind9/lib/dns/include/dns/compress.h
+++ b/contrib/bind9/lib/dns/include/dns/compress.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2007, 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: compress.h,v 1.42 2009/01/17 23:47:43 tbox Exp $ */
#ifndef DNS_COMPRESS_H
#define DNS_COMPRESS_H 1
diff --git a/contrib/bind9/lib/dns/include/dns/db.h b/contrib/bind9/lib/dns/include/dns/db.h
index c5056d753057..fe268f439e93 100644
--- a/contrib/bind9/lib/dns/include/dns/db.h
+++ b/contrib/bind9/lib/dns/include/dns/db.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009, 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -59,7 +59,11 @@
#include <isc/ondestroy.h>
#include <isc/stdtime.h>
+#include <dns/fixedname.h>
#include <dns/name.h>
+#include <dns/rdata.h>
+#include <dns/rdataset.h>
+#include <dns/rpz.h>
#include <dns/types.h>
ISC_LANG_BEGINDECLS
@@ -167,6 +171,14 @@ typedef struct dns_dbmethods {
dns_dbversion_t *version);
isc_boolean_t (*isdnssec)(dns_db_t *db);
dns_stats_t *(*getrrsetstats)(dns_db_t *db);
+ void (*rpz_enabled)(dns_db_t *db, dns_rpz_st_t *st);
+ void (*rpz_findips)(dns_rpz_zone_t *rpz,
+ dns_rpz_type_t rpz_type,
+ dns_zone_t *zone, dns_db_t *db,
+ dns_dbversion_t *version,
+ dns_rdataset_t *ardataset,
+ dns_rpz_st_t *st,
+ dns_name_t *query_qname);
} dns_dbmethods_t;
typedef isc_result_t
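Review bot: rpz_enabled and rpz_findips are appended to dns_dbmethods_t without any statement of whether they are optional, so a method table with a positional initializer that this commit does not extend leaves both pointers NULL. The dispatchers dns_db_rpz_enabled() and dns_db_rpz_findips() are declared later in this header but their bodies are not visible here. They should either check the member for NULL before calling through it, or every database implementation must supply both. A comment on the two members, such as `/* optional; NULL when the database has no response policy zone support */`, would record whichever contract db.c actually implements.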
@@ -491,6 +503,10 @@ dns_db_load(dns_db_t *db, const char *filename);
isc_result_t
dns_db_load2(dns_db_t *db, const char *filename, dns_masterformat_t format);
+
+isc_result_t
+dns_db_load3(dns_db_t *db, const char *filename, dns_masterformat_t format,
+ unsigned int options);
/*%<
* Load master file 'filename' into 'db'.
*
@@ -614,7 +630,7 @@ dns_db_closeversion(dns_db_t *db, dns_dbversion_t **versionp,
*
* Note: if '*versionp' is a read-write version and 'commit' is ISC_TRUE,
* then all changes made in the version will take effect, otherwise they
- * will be rolled back. The value if 'commit' is ignored for read-only
+ * will be rolled back. The value of 'commit' is ignored for read-only
* versions.
*
* Requires:
@@ -841,6 +857,9 @@ dns_db_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
* \li #DNS_R_COVERINGNSEC The returned data is a NSEC
* that potentially covers 'name'.
*
+ * \li #DNS_R_EMPTYWILD The name is a wildcard without
+ * resource records.
+ *
* Error results:
*
* \li #ISC_R_NOMEMORY
@@ -1423,7 +1442,9 @@ dns_db_setsigningtime(dns_db_t *db, dns_rdataset_t *rdataset,
*
* Requires:
* \li 'db' is a valid zone database.
- * \li 'rdataset' to be associated with 'db'.
+ * \li 'rdataset' is or is to be associated with 'db'.
+ * \li 'rdataset' is not pending removed from the heap via an
+ * uncommitted call to dns_db_resigned().
*
* Returns:
* \li #ISC_R_SUCCESS
@@ -1454,7 +1475,9 @@ dns_db_resigned(dns_db_t *db, dns_rdataset_t *rdataset,
* Mark 'rdataset' as not being available to be returned by
* dns_db_getsigningtime(). If the changes associated with 'version'
* are committed this will be permanent. If the version is not committed
- * this change will be rolled back when the version is closed.
+ * this change will be rolled back when the version is closed. Until
+ * 'version' is either committed or rolled back, 'rdataset' can no longer
+ * be acted upon by dns_db_setsigningtime().
*
* Requires:
* \li 'db' is a valid zone database.
@@ -1477,6 +1500,32 @@ dns_db_getrrsetstats(dns_db_t *db);
* dns_rdatasetstats_create(); otherwise NULL.
*/
+void
+dns_db_rpz_enabled(dns_db_t *db, dns_rpz_st_t *st);
+/*%<
+ * See if a policy database has DNS_RPZ_TYPE_IP, DNS_RPZ_TYPE_NSIP, or
+ * DNS_RPZ_TYPE_NSDNAME records.
+ */
+
+void
+dns_db_rpz_findips(dns_rpz_zone_t *rpz, dns_rpz_type_t rpz_type,
+ dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *version,
+ dns_rdataset_t *ardataset, dns_rpz_st_t *st,
+ dns_name_t *query_qname);
+/*%<
+ * Search the CDIR block tree of a response policy tree of trees for the best
+ * match to any of the IP addresses in an A or AAAA rdataset.
+ *
+ * Requires:
+ * \li search in policy zone 'rpz' for a match of 'rpz_type' either
+ * DNS_RPZ_TYPE_IP or DNS_RPZ_TYPE_NSIP
+ * \li 'zone' and 'db' are the database corresponding to 'rpz'
+ * \li 'version' is the required version of the database
+ * \li 'ardataset' is an A or AAAA rdataset of addresses to check
+ * \li 'found' specifies the previous best match if any or
+ * or NULL, an empty name, 0, DNS_RPZ_POLICY_MISS, and 0
+ */
+
ISC_LANG_ENDDECLS
#endif /* DNS_DB_H */
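Review bot: The Requires list for dns_db_rpz_findips() describes a 'found' argument that is not in the signature, while the 'st' and 'query_qname' parameters that are there go undocumented. Presumably the previous best match is now carried in 'st'; if so the last entry should become something like `'st' holds the previous best match, if any, and is updated when a better one is found`, with a line added for 'query_qname'. "CDIR" in the first sentence should read "CIDR". dns_db_rpz_enabled() returns void, so its comment should also say that the result is reported through 'st', to be confirmed against the implementation.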
diff --git a/contrib/bind9/lib/dns/include/dns/diff.h b/contrib/bind9/lib/dns/include/dns/diff.h
index 9736885796e5..d522feb6f9cf 100644
--- a/contrib/bind9/lib/dns/include/dns/diff.h
+++ b/contrib/bind9/lib/dns/include/dns/diff.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2010, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: diff.h,v 1.19 2010/06/04 23:51:14 tbox Exp $ */
#ifndef DNS_DIFF_H
#define DNS_DIFF_H 1
diff --git a/contrib/bind9/lib/dns/include/dns/dlz.h b/contrib/bind9/lib/dns/include/dns/dlz.h
index e6c99fe095a0..48dfb833f650 100644
--- a/contrib/bind9/lib/dns/include/dns/dlz.h
+++ b/contrib/bind9/lib/dns/include/dns/dlz.h
@@ -1,5 +1,5 @@
/*
- * Portions Copyright (C) 2005-2007, 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2005-2007, 2009-2012 Internet Systems Consortium, Inc. ("ISC")
* Portions Copyright (C) 1999-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -87,6 +87,7 @@
#include <dns/name.h>
#include <dns/types.h>
#include <dns/view.h>
+#include <dst/dst.h>
#include <isc/lang.h>
@@ -166,12 +167,37 @@ typedef isc_result_t
* return a result code indicating the type of error.
*/
+
+typedef isc_result_t
+(*dns_dlzconfigure_t)(void *driverarg, void *dbdata, dns_view_t *view);
+/*%<
+ * Method prototype. Drivers implementing the DLZ interface may
+ * optionally supply a configure method. If supplied, this will be
+ * called immediately after the create method is called. The driver
+ * may call configuration functions during the configure call
+ */
+
+
+typedef isc_boolean_t (*dns_dlzssumatch_t)(dns_name_t *signer,
+ dns_name_t *name,
+ isc_netaddr_t *tcpaddr,
+ dns_rdatatype_t type,
+ const dst_key_t *key,
+ void *driverarg, void *dbdata);
+/*%<
+ * Method prototype. Drivers implementing the DLZ interface may
+ * optionally supply a ssumatch method. If supplied, this will be
+ * called to authorize update requests
+ */
+
/*% the methods supplied by a DLZ driver */
typedef struct dns_dlzmethods {
dns_dlzcreate_t create;
dns_dlzdestroy_t destroy;
dns_dlzfindzone_t findzone;
dns_dlzallowzonexfr_t allowzonexfr;
+ dns_dlzconfigure_t configure;
+ dns_dlzssumatch_t ssumatch;
} dns_dlzmethods_t;
/*% information about a DLZ driver */
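Review bot: dns_dlzssumatch_t is an authorization hook for update requests, but its comment does not say which return value permits the update or which arguments may be NULL. A driver author has to guess whether 'signer' and 'key' are NULL for an unsigned update and whether 'tcpaddr' is set for every transport; a wrong guess can crash the driver or approve an update it meant to refuse. I would extend the comment with `Return ISC_TRUE to allow the update, ISC_FALSE to deny it.` and one line per nullable argument, once confirmed against the caller. The later hunk in this file that declares dns_dlz_ssumatch() and dns_dlzconfigure() has the same gap: it documents the fall-back to ISC_FALSE when no method is supplied, but gives no Requires or Returns sections.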
@@ -183,12 +209,18 @@ struct dns_dlzimplementation {
ISC_LINK(dns_dlzimplementation_t) link;
};
-/*% an instance of a DLZ driver */
+typedef isc_result_t (*dlzconfigure_callback_t)(dns_view_t *, dns_zone_t *);
+
+/*% An instance of a DLZ driver */
struct dns_dlzdb {
unsigned int magic;
isc_mem_t *mctx;
dns_dlzimplementation_t *implementation;
void *dbdata;
+ dlzconfigure_callback_t configure_callback;
+#ifdef BIND9
+ dns_ssutable_t *ssutable;
+#endif
};
@@ -285,6 +317,30 @@ dns_dlzunregister(dns_dlzimplementation_t **dlzimp);
* is called.
*/
+
+typedef isc_result_t dns_dlz_writeablezone_t(dns_view_t *view,
+ const char *zone_name);
+dns_dlz_writeablezone_t dns_dlz_writeablezone;
+/*%<
+ * creates a writeable DLZ zone. Must be called from within the
+ * configure() method of a DLZ driver.
+ */
+
+
+isc_result_t
+dns_dlzconfigure(dns_view_t *view, dlzconfigure_callback_t callback);
+/*%<
+ * call a DLZ drivers configure method, if supplied
+ */
+
+isc_boolean_t
+dns_dlz_ssumatch(dns_dlzdb_t *dlzdatabase,
+ dns_name_t *signer, dns_name_t *name, isc_netaddr_t *tcpaddr,
+ dns_rdatatype_t type, const dst_key_t *key);
+/*%<
+ * call a DLZ drivers ssumatch method, if supplied. Otherwise return ISC_FALSE
+ */
+
ISC_LANG_ENDDECLS
#endif /* DLZ_H */
diff --git a/contrib/bind9/lib/dns/include/dns/dlz_dlopen.h b/contrib/bind9/lib/dns/include/dns/dlz_dlopen.h
new file mode 100644
index 000000000000..6ad7e7a33ae0
--- /dev/null
+++ b/contrib/bind9/lib/dns/include/dns/dlz_dlopen.h
@@ -0,0 +1,160 @@
+/*
+ * Copyright (C) 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id$ */
+
+/*! \file dns/dlz_open.h */
+
+#ifndef DLZ_DLOPEN_H
+#define DLZ_DLOPEN_H
+
+#include <dns/sdlz.h>
+
+ISC_LANG_BEGINDECLS
+
+/*
+ * This header provides a minimal set of defines and typedefs needed
+ * for the entry points of an external DLZ module for bind9.
+ */
+
+#define DLZ_DLOPEN_VERSION 1
+
+/*
+ * dlz_dlopen_version() is required for all DLZ external drivers. It
+ * should return DLZ_DLOPEN_VERSION
+ */
+typedef int dlz_dlopen_version_t (unsigned int *flags);
+
+/*
+ * dlz_dlopen_create() is required for all DLZ external drivers.
+ */
+typedef isc_result_t dlz_dlopen_create_t (const char *dlzname,
+ unsigned int argc,
+ char *argv[],
+ void **dbdata,
+ ...);
+
+/*
+ * dlz_dlopen_destroy() is optional, and will be called when the
+ * driver is unloaded if supplied
+ */
+typedef void dlz_dlopen_destroy_t (void *dbdata);
+
+/*
+ * dlz_dlopen_findzonedb() is required for all DLZ external drivers
+ */
+typedef isc_result_t dlz_dlopen_findzonedb_t (void *dbdata,
+ const char *name);
+
+/*
+ * dlz_dlopen_lookup() is required for all DLZ external drivers
+ */
+typedef isc_result_t dlz_dlopen_lookup_t (const char *zone,
+ const char *name,
+ void *dbdata,
+ dns_sdlzlookup_t *lookup);
+
+/*
+ * dlz_dlopen_authority is optional() if dlz_dlopen_lookup()
+ * supplies authority information for the dns record
+ */
+typedef isc_result_t dlz_dlopen_authority_t (const char *zone,
+ void *dbdata,
+ dns_sdlzlookup_t *lookup);
+
+/*
+ * dlz_dlopen_allowzonexfr() is optional, and should be supplied if
+ * you want to support zone transfers
+ */
+typedef isc_result_t dlz_dlopen_allowzonexfr_t (void *dbdata,
+ const char *name,
+ const char *client);
+
+/*
+ * dlz_dlopen_allnodes() is optional, but must be supplied if supply a
+ * dlz_dlopen_allowzonexfr() function
+ */
+typedef isc_result_t dlz_dlopen_allnodes_t (const char *zone,
+ void *dbdata,
+ dns_sdlzallnodes_t *allnodes);
+
+/*
+ * dlz_dlopen_newversion() is optional. It should be supplied if you
+ * want to support dynamic updates.
+ */
+typedef isc_result_t dlz_dlopen_newversion_t (const char *zone,
+ void *dbdata,
+ void **versionp);
+
+/*
+ * dlz_closeversion() is optional, but must be supplied if you supply
+ * a dlz_newversion() function
+ */
+typedef void dlz_dlopen_closeversion_t (const char *zone,
+ isc_boolean_t commit,
+ void *dbdata,
+ void **versionp);
+
+/*
+ * dlz_dlopen_configure() is optional, but must be supplied if you
+ * want to support dynamic updates
+ */
+typedef isc_result_t dlz_dlopen_configure_t (dns_view_t *view,
+ void *dbdata);
+
+/*
+ * dlz_dlopen_ssumatch() is optional, but must be supplied if you want
+ * to support dynamic updates
+ */
+typedef isc_boolean_t dlz_dlopen_ssumatch_t (const char *signer,
+ const char *name,
+ const char *tcpaddr,
+ const char *type,
+ const char *key,
+ isc_uint32_t keydatalen,
+ unsigned char *keydata,
+ void *dbdata);
+
+/*
+ * dlz_dlopen_addrdataset() is optional, but must be supplied if you
+ * want to support dynamic updates
+ */
+typedef isc_result_t dlz_dlopen_addrdataset_t (const char *name,
+ const char *rdatastr,
+ void *dbdata,
+ void *version);
+
+/*
+ * dlz_dlopen_subrdataset() is optional, but must be supplied if you
+ * want to support dynamic updates
+ */
+typedef isc_result_t dlz_dlopen_subrdataset_t (const char *name,
+ const char *rdatastr,
+ void *dbdata,
+ void *version);
+
+/*
+ * dlz_dlopen_delrdataset() is optional, but must be supplied if you
+ * want to support dynamic updates
+ */
+typedef isc_result_t dlz_dlopen_delrdataset_t (const char *name,
+ const char *type,
+ void *dbdata,
+ void *version);
+
+ISC_LANG_ENDDECLS
+
+#endif
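Review bot: `dlz_dlopen_ssumatch_t` is the callback that decides whether a dynamic update is allowed, yet its comment only says when it must be supplied; it does not say that returning ISC_TRUE grants the update, nor whether `signer`, `key` and `keydata` can be NULL or empty for an unsigned request. The string arguments are derived from the update request, so a driver author needs that contract written down to avoid authorizing on an empty signer. I would extend the comment with one sentence per parameter plus the meaning of the return value. `dlz_dlopen_create_t` has the same gap for its `...` arguments, which are not described anywhere in the header, and the `\file` line names `dns/dlz_open.h` rather than `dns/dlz_dlopen.h`.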
diff --git a/contrib/bind9/lib/dns/include/dns/dns64.h b/contrib/bind9/lib/dns/include/dns/dns64.h
new file mode 100644
index 000000000000..eb8f8d6436a6
--- /dev/null
+++ b/contrib/bind9/lib/dns/include/dns/dns64.h
@@ -0,0 +1,175 @@
+/*
+ * Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: dns64.h,v 1.3 2010/12/08 23:51:56 tbox Exp $ */
+
+#ifndef DNS_DNS64_H
+#define DNS_DNS64_H 1
+
+#include <isc/lang.h>
+
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+/*
+ * dns_dns64_create() flags.
+ */
+#define DNS_DNS64_RECURSIVE_ONLY 0x01 /* If set then this record
+ * only applies to recursive
+ * queries.
+ */
+#define DNS_DNS64_BREAK_DNSSEC 0x02 /* If set then still perform
+ * DNSSEC synthesis even
+ * though the result would
+ * fail validation.
+ */
+
+/*
+ * dns_dns64_aaaaok() and dns_dns64_aaaafroma() flags.
+ */
+#define DNS_DNS64_RECURSIVE 0x01 /* Recursive query. */
+#define DNS_DNS64_DNSSEC 0x02 /* DNSSEC sensitive query. */
+
+isc_result_t
+dns_dns64_create(isc_mem_t *mctx, isc_netaddr_t *prefix,
+ unsigned int prefixlen, isc_netaddr_t *suffix,
+ dns_acl_t *client, dns_acl_t *mapped, dns_acl_t *excluded,
+ unsigned int flags, dns_dns64_t **dns64);
+/*
+ * Create a dns64 record which is used to identify the set of clients
+ * it applies to and how to perform the DNS64 synthesis.
+ *
+ * 'prefix' and 'prefixlen' defined the leading bits of the AAAA records
+ * to be synthesised. 'suffix' defines the bits after the A records bits.
+ * If suffix is NULL zeros will be used for these bits. 'client' defines
+ * for which clients this record applies. If 'client' is NULL then all
+ * clients apply. 'mapped' defines which A records are candidated for
+ * mapping. If 'mapped' is NULL then all A records will be mapped.
+ * 'excluded' defines which AAAA are to be treated as non-existent for the
+ * purposed of determining whether to perform syntesis. If 'excluded' is
+ * NULL then no AAAA records prevent synthesis.
+ *
+ * If DNS_DNS64_RECURSIVE_ONLY is set then the record will only match if
+ * DNS_DNS64_RECURSIVE is set when calling dns_dns64_aaaaok() and
+ * dns_dns64_aaaafroma().
+ *
+ * If DNS_DNS64_BREAK_DNSSEC is set then the record will still apply if
+ * DNS_DNS64_DNSSEC is set when calling dns_dns64_aaaaok() and
+ * dns_dns64_aaaafroma() otherwise the record will be ignored.
+ *
+ * Requires:
+ * 'mctx' to be valid.
+ * 'prefix' to be valid and the address family to AF_INET6.
+ * 'prefixlen' to be one of 32, 40, 48, 56, 72 and 96.
+ * the bits not covered by prefixlen in prefix to
+ * be zero.
+ * 'suffix' to be NULL or the address family be set to AF_INET6
+ * and the leading 'prefixlen' + 32 bits of the 'suffix'
+ * to be zero. If 'prefixlen' is 40, 48 or 56 then the
+ * the leading 'prefixlen' + 40 bits of 'suffix' must be
+ * zero.
+ * 'client' to be NULL or a valid acl.
+ * 'mapped' to be NULL or a valid acl.
+ * 'exculded' to be NULL or a valid acl.
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ * ISC_R_NOMEMORY
+ */
+
+void
+dns_dns64_destroy(dns_dns64_t **dns64p);
+/*
+ * Destroys a dns64 record.
+ *
+ * Requires the record to not be linked.
+ */
+
+isc_result_t
+dns_dns64_aaaafroma(const dns_dns64_t *dns64, const isc_netaddr_t *reqaddr,
+ const dns_name_t *reqsigner, const dns_aclenv_t *env,
+ unsigned int flags, unsigned char *a, unsigned char *aaaa);
+/*
+ * dns_dns64_aaaafroma() determines whether to perform a DNS64 address
+ * synthesis from 'a' based on 'dns64', 'reqaddr', 'reqsigner', 'env',
+ * 'flags' and 'aaaa'. If synthesis is performed then the result is
+ * written to '*aaaa'.
+ *
+ * The synthesised address will be of the form:
+ *
+ * <prefix bits><a bits><suffix bits>
+ *
+ * If <a bits> straddle bits 64-71 of the AAAA record, then 8 zero bits will
+ * be inserted at bits 64-71.
+ *
+ * Requires:
+ * 'dns64' to be valid.
+ * 'reqaddr' to be valid.
+ * 'reqsigner' to be NULL or valid.
+ * 'env' to be valid.
+ * 'a' to point to a IPv4 address in network order.
+ * 'aaaa' to point to a IPv6 address buffer in network order.
+ *
+ * Returns:
+ * ISC_R_SUCCESS if synthesis was performed.
+ * DNS_R_DISALLOWED if there is no match.
+ */
+
+dns_dns64_t *
+dns_dns64_next(dns_dns64_t *dns64);
+/*
+ * Return the next dns64 record in the list.
+ */
+
+void
+dns_dns64_append(dns_dns64list_t *list, dns_dns64_t *dns64);
+/*
+ * Append the dns64 record to the list.
+ */
+
+void
+dns_dns64_unlink(dns_dns64list_t *list, dns_dns64_t *dns64);
+/*
+ * Unlink the dns64 record from the list.
+ */
+
+isc_boolean_t
+dns_dns64_aaaaok(const dns_dns64_t *dns64, const isc_netaddr_t *reqaddr,
+ const dns_name_t *reqsigner, const dns_aclenv_t *env,
+ unsigned int flags, dns_rdataset_t *rdataset,
+ isc_boolean_t *aaaaok, size_t aaaaoklen);
+/*
+ * Determine if there are any non-excluded AAAA records in from the
+ * matching dns64 records in the list starting at 'dns64'. If there
+ * is a non-exluded address return ISC_TRUE. If all addresses are
+ * excluded in the matched records return ISC_FALSE. If no records
+ * match then return ISC_TRUE.
+ *
+ * If aaaaok is defined then dns_dns64_aaaaok() return a array of which
+ * addresses in 'rdataset' were deemed to not be exclude by any matching
+ * record. If there are no matching records then all entries are set
+ * to ISC_TRUE.
+ *
+ * Requires
+ * 'rdataset' to be valid and to be for type AAAA and class IN.
+ * 'aaaaoklen' must match the number of records in 'rdataset'
+ * if 'aaaaok' in non NULL.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_DNS64_H */
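Review bot: `dns_dns64_aaaafroma()` takes `a` and `aaaa` as bare `unsigned char *` with no length, and the comment says only that they point to an IPv4 address and an IPv6 address buffer; the required sizes should be stated in the `Requires:` list, e.g. `'aaaa' to point to a buffer of at least 16 bytes`. `dns_dns64_aaaaok()` likewise trusts `aaaaoklen` to match the record count of `rdataset`, and the comment should say what happens on a mismatch (presumably an assertion; the implementation is not in this hunk). Separately, the `prefixlen` list in the `dns_dns64_create()` comment reads `32, 40, 48, 56, 72 and 96`, while RFC 6052 defines 64 rather than 72, so it is worth checking that line against the check in dns64.c.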
diff --git a/contrib/bind9/lib/dns/include/dns/dnssec.h b/contrib/bind9/lib/dns/include/dns/dnssec.h
index 22a8a41e6d48..e986d406f617 100644
--- a/contrib/bind9/lib/dns/include/dns/dnssec.h
+++ b/contrib/bind9/lib/dns/include/dns/dnssec.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2007, 2009, 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009-2012 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -26,6 +26,7 @@
#include <isc/stdtime.h>
#include <isc/stats.h>
+#include <dns/diff.h>
#include <dns/types.h>
#include <dst/dst.h>
@@ -37,6 +38,41 @@ LIBDNS_EXTERNAL_DATA extern isc_stats_t *dns_dnssec_stats;
/*%< Maximum number of keys supported in a zone. */
#define DNS_MAXZONEKEYS 32
+/*
+ * Indicates how the signer found this key: in the key repository, at the
+ * zone apex, or specified by the user.
+ */
+typedef enum {
+ dns_keysource_unknown,
+ dns_keysource_repository,
+ dns_keysource_zoneapex,
+ dns_keysource_user
+} dns_keysource_t;
+
+/*
+ * A DNSSEC key and hints about its intended use gleaned from metadata
+ */
+struct dns_dnsseckey {
+ dst_key_t *key;
+ isc_boolean_t hint_publish; /*% metadata says to publish */
+ isc_boolean_t force_publish; /*% publish regardless of metadata */
+ isc_boolean_t hint_sign; /*% metadata says to sign with this key */
+ isc_boolean_t force_sign; /*% sign with key regardless of metadata */
+ isc_boolean_t hint_remove; /*% metadata says *don't* publish */
+ isc_boolean_t is_active; /*% key is already active */
+ isc_boolean_t first_sign; /*% key is newly becoming active */
+ unsigned int prepublish; /*% how long until active? */
+ dns_keysource_t source; /*% how the key was found */
+ isc_boolean_t ksk; /*% this is a key-signing key */
+ isc_boolean_t legacy; /*% this is old-style key with no
+ metadata (possibly generated by
+ an older version of BIND9) and
+ should be ignored when searching
+ for keys to import into the zone */
+ unsigned int index; /*% position in list */
+ ISC_LINK(dns_dnsseckey_t) link;
+};
+
isc_result_t
dns_dnssec_keyfromrdata(dns_name_t *name, dns_rdata_t *rdata, isc_mem_t *mctx,
dst_key_t **key);
@@ -190,6 +226,116 @@ dns_dnssec_selfsigns(dns_rdata_t *rdata, dns_name_t *name,
isc_boolean_t ignoretime, isc_mem_t *mctx);
+isc_boolean_t
+dns_dnssec_signs(dns_rdata_t *rdata, dns_name_t *name,
+ dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset,
+ isc_boolean_t ignoretime, isc_mem_t *mctx);
+/*%<
+ * Verify that 'rdataset' is validly signed in 'sigrdataset' by
+ * the key in 'rdata'.
+ *
+ * dns_dnssec_selfsigns() requires that rdataset be a DNSKEY or KEY
+ * rrset. dns_dnssec_signs() works on any rrset.
+ */
+
+
+isc_result_t
+dns_dnsseckey_create(isc_mem_t *mctx, dst_key_t **dstkey,
+ dns_dnsseckey_t **dkp);
+/*%<
+ * Create and initialize a dns_dnsseckey_t structure.
+ *
+ * Requires:
+ *\li 'dkp' is not NULL and '*dkp' is NULL.
+ *
+ * Returns:
+ *\li #ISC_R_SUCCESS
+ *\li #ISC_R_NOMEMORY
+ */
+
+void
+dns_dnsseckey_destroy(isc_mem_t *mctx, dns_dnsseckey_t **dkp);
+/*%<
+ * Reclaim a dns_dnsseckey_t structure.
+ *
+ * Requires:
+ *\li 'dkp' is not NULL and '*dkp' is not NULL.
+ *
+ * Ensures:
+ *\li '*dkp' is NULL.
+ */
+
+isc_result_t
+dns_dnssec_findmatchingkeys(dns_name_t *origin, const char *directory,
+ isc_mem_t *mctx, dns_dnsseckeylist_t *keylist);
+/*%<
+ * Search 'directory' for K* key files matching the name in 'origin'.
+ * Append all such keys, along with use hints gleaned from their
+ * metadata, onto 'keylist'.
+ *
+ * Requires:
+ *\li 'keylist' is not NULL
+ *
+ * Returns:
+ *\li #ISC_R_SUCCESS
+ *\li #ISC_R_NOTFOUND
+ *\li #ISC_R_NOMEMORY
+ *\li any error returned by dns_name_totext(), isc_dir_open(), or
+ * dst_key_fromnamedfile()
+ *
+ * Ensures:
+ *\li On error, keylist is unchanged
+ */
+
+isc_result_t
+dns_dnssec_keylistfromrdataset(dns_name_t *origin,
+ const char *directory, isc_mem_t *mctx,
+ dns_rdataset_t *keyset, dns_rdataset_t *keysigs,
+ dns_rdataset_t *soasigs, isc_boolean_t savekeys,
+ isc_boolean_t public,
+ dns_dnsseckeylist_t *keylist);
+/*%<
+ * Append the contents of a DNSKEY rdataset 'keyset' to 'keylist'.
+ * Omit duplicates. If 'public' is ISC_FALSE, search 'directory' for
+ * matching key files, and load the private keys that go with
+ * the public ones. If 'savekeys' is ISC_TRUE, mark the keys so
+ * they will not be deleted or inactivated regardless of metadata.
+ *
+ * 'keysigs' and 'soasigs', if not NULL and associated, contain the
+ * RRSIGS for the DNSKEY and SOA records respectively and are used to mark
+ * whether a key is already active in the zone.
+ */
+
+isc_result_t
+dns_dnssec_updatekeys(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *newkeys,
+ dns_dnsseckeylist_t *removed, dns_name_t *origin,
+ dns_ttl_t ttl, dns_diff_t *diff, isc_boolean_t allzsk,
+ isc_mem_t *mctx, void (*report)(const char *, ...));
+/*%<
+ * Update the list of keys in 'keys' with new key information in 'newkeys'.
+ *
+ * For each key in 'newkeys', see if it has a match in 'keys'.
+ * - If not, and if the metadata says the key should be published:
+ * add it to 'keys', and place a dns_difftuple into 'diff' so
+ * the key can be added to the DNSKEY set. If the metadata says it
+ * should be active, set the first_sign flag.
+ * - If so, and if the metadata says it should be removed:
+ * remove it from 'keys', and place a dns_difftuple into 'diff' so
+ * the key can be removed from the DNSKEY set. if 'removed' is non-NULL,
+ * copy the key into that list; otherwise destroy it.
+ * - Otherwise, make sure keys has current metadata.
+ *
+ * If 'allzsk' is true, we are allowing KSK-flagged keys to be used as
+ * ZSKs.
+ *
+ * 'ttl' is the TTL of the DNSKEY RRset; if it is longer than the
+ * time until a new key will be activated, then we have to delay the
+ * key's activation.
+ *
+ * 'report' points to a function for reporting status.
+ *
+ * On completion, any remaining keys in 'newkeys' are freed.
+ */
ISC_LANG_ENDDECLS
#endif /* DNS_DNSSEC_H */
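Review bot: The comment for `dns_dnssec_updatekeys()` has no `Requires:` or `Returns:` section, unlike `dns_dnsseckey_create()` and `dns_dnssec_findmatchingkeys()` in the same hunk, so a caller cannot tell whether `report`, `diff` or `removed` may be NULL or whether the remaining entries of `newkeys` are also freed when the function fails. `report` is a printf-style callback (`void (*report)(const char *, ...)`), so the comment should also say that its first argument is a format string. `dns_dnssec_keylistfromrdataset()` is missing the same sections and does not say what a NULL `directory` means when private keys are loaded from disk.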
diff --git a/contrib/bind9/lib/dns/include/dns/ds.h b/contrib/bind9/lib/dns/include/dns/ds.h
index 023c4a9f557f..03ab0ed09da6 100644
--- a/contrib/bind9/lib/dns/include/dns/ds.h
+++ b/contrib/bind9/lib/dns/include/dns/ds.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2007, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2010, 2012 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: ds.h,v 1.12 2010/12/23 23:47:08 tbox Exp $ */
#ifndef DNS_DS_H
#define DNS_DS_H 1
@@ -26,11 +26,17 @@
#define DNS_DSDIGEST_SHA1 (1)
#define DNS_DSDIGEST_SHA256 (2)
+#define DNS_DSDIGEST_GOST (3)
+#define DNS_DSDIGEST_SHA384 (4)
+
+/* should not be here... */
+
+#define ISC_GOST_DIGESTLENGTH 32U
/*
- * Assuming SHA-256 digest type.
+ * Assuming SHA-384 digest type.
*/
-#define DNS_DS_BUFFERSIZE (36)
+#define DNS_DS_BUFFERSIZE (52)
ISC_LANG_BEGINDECLS
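Review bot: `DNS_DS_BUFFERSIZE` is raised from 36 to 52 as a bare number, and its only link to the digest it is sized for is the comment `Assuming SHA-384 digest type.`; a later, longer digest type would overrun callers' fixed buffers unless someone remembers to bump it. I would spell out the arithmetic, e.g. `#define DNS_DS_BUFFERSIZE (4 + 48) /* DS fixed fields + SHA-384 digest */`, or derive it from the SHA-384 length constant if that header can be included here. `ISC_GOST_DIGESTLENGTH` is also defined in this dns header under a `should not be here...` comment; wrapping it in `#ifndef ISC_GOST_DIGESTLENGTH` would avoid a redefinition if it is later added next to the other isc digest lengths.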
diff --git a/contrib/bind9/lib/dns/include/dns/ecdb.h b/contrib/bind9/lib/dns/include/dns/ecdb.h
new file mode 100644
index 000000000000..246cc30a3826
--- /dev/null
+++ b/contrib/bind9/lib/dns/include/dns/ecdb.h
@@ -0,0 +1,54 @@
+/*
+ * Copyright (C) 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: ecdb.h,v 1.3 2009/09/02 23:48:02 tbox Exp $ */
+
+#ifndef DNS_ECDB_H
+#define DNS_ECDB_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/* TBD */
+
+/***
+ *** Imports
+ ***/
+
+#include <dns/types.h>
+
+/***
+ *** Types
+ ***/
+
+/***
+ *** Functions
+ ***/
+
+ISC_LANG_BEGINDECLS
+
+/* TBD: describe those */
+
+isc_result_t
+dns_ecdb_register(isc_mem_t *mctx, dns_dbimplementation_t **dbimp);
+
+void
+dns_ecdb_unregister(dns_dbimplementation_t **dbimp);
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_ECDB_H */
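Review bot: `dns_ecdb_register()` and `dns_ecdb_unregister()` are exported with only `/* TBD */` and `/* TBD: describe those */` as documentation. Both take a `dns_dbimplementation_t **`, so the header should at least say what state `*dbimp` must be in before and after each call, in the `Requires:` / `Ensures:` form used elsewhere in lib/dns; for instance `'dbimp' != NULL && '*dbimp' == NULL` for register, if that matches the implementation. The possible `isc_result_t` values of `dns_ecdb_register()` should be listed as well.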
diff --git a/contrib/bind9/lib/dns/include/dns/events.h b/contrib/bind9/lib/dns/include/dns/events.h
index d9451c88a45e..3a28ab2aec1c 100644
--- a/contrib/bind9/lib/dns/include/dns/events.h
+++ b/contrib/bind9/lib/dns/include/dns/events.h
@@ -69,6 +69,11 @@
#define DNS_EVENT_ACACHECLEAN (ISC_EVENTCLASS_DNS + 39)
#define DNS_EVENT_ACACHEOVERMEM (ISC_EVENTCLASS_DNS + 40)
#define DNS_EVENT_RBTPRUNE (ISC_EVENTCLASS_DNS + 41)
+#define DNS_EVENT_MANAGEKEYS (ISC_EVENTCLASS_DNS + 42)
+#define DNS_EVENT_CLIENTRESDONE (ISC_EVENTCLASS_DNS + 43)
+#define DNS_EVENT_CLIENTREQDONE (ISC_EVENTCLASS_DNS + 44)
+#define DNS_EVENT_ADBGROWENTRIES (ISC_EVENTCLASS_DNS + 45)
+#define DNS_EVENT_ADBGROWNAMES (ISC_EVENTCLASS_DNS + 46)
#define DNS_EVENT_FIRSTEVENT (ISC_EVENTCLASS_DNS + 0)
#define DNS_EVENT_LASTEVENT (ISC_EVENTCLASS_DNS + 65535)
diff --git a/contrib/bind9/lib/dns/include/dns/forward.h b/contrib/bind9/lib/dns/include/dns/forward.h
index ae331720d5a4..23e94be7894e 100644
--- a/contrib/bind9/lib/dns/include/dns/forward.h
+++ b/contrib/bind9/lib/dns/include/dns/forward.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2007, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: forward.h,v 1.13 2009/09/02 23:48:02 tbox Exp $ */
#ifndef DNS_FORWARD_H
#define DNS_FORWARD_H 1
@@ -67,6 +67,21 @@ dns_fwdtable_add(dns_fwdtable_t *fwdtable, dns_name_t *name,
*/
isc_result_t
+dns_fwdtable_delete(dns_fwdtable_t *fwdtable, dns_name_t *name);
+/*%<
+ * Removes an entry for 'name' from the forwarding table. If an entry
+ * that exactly matches 'name' does not exist, ISC_R_NOTFOUND will be returned.
+ *
+ * Requires:
+ * \li fwdtable is a valid forwarding table.
+ * \li name is a valid name
+ *
+ * Returns:
+ * \li #ISC_R_SUCCESS
+ * \li #ISC_R_NOTFOUND
+ */
+
+isc_result_t
dns_fwdtable_find(dns_fwdtable_t *fwdtable, dns_name_t *name,
dns_forwarders_t **forwardersp);
/*%<
diff --git a/contrib/bind9/lib/dns/include/dns/keydata.h b/contrib/bind9/lib/dns/include/dns/keydata.h
new file mode 100644
index 000000000000..f24ca06e7c6b
--- /dev/null
+++ b/contrib/bind9/lib/dns/include/dns/keydata.h
@@ -0,0 +1,55 @@
+/*
+ * Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: keydata.h,v 1.2 2009/06/30 02:52:32 each Exp $ */
+
+#ifndef DNS_KEYDATA_H
+#define DNS_KEYDATA_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*! \file dns/keydata.h
+ * \brief
+ * KEYDATA utilities.
+ */
+
+/***
+ *** Imports
+ ***/
+
+#include <isc/lang.h>
+#include <isc/types.h>
+
+#include <dns/types.h>
+#include <dns/rdatastruct.h>
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+dns_keydata_todnskey(dns_rdata_keydata_t *keydata,
+ dns_rdata_dnskey_t *dnskey, isc_mem_t *mctx);
+
+isc_result_t
+dns_keydata_fromdnskey(dns_rdata_keydata_t *keydata,
+ dns_rdata_dnskey_t *dnskey,
+ isc_uint32_t refresh, isc_uint32_t addhd,
+ isc_uint32_t removehd, isc_mem_t *mctx);
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_KEYDATA_H */
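Review bot: Neither prototype in this new header carries a comment. `dns_keydata_todnskey()` and `dns_keydata_fromdnskey()` both take an `isc_mem_t *mctx`, which suggests the output structure may own allocated memory, but the header does not say who frees it or whether `mctx` may be NULL. `refresh`, `addhd` and `removehd` are also unexplained; presumably they are the RFC 5011 refresh and hold-down timers, and the comment should state their meaning and units.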
diff --git a/contrib/bind9/lib/dns/include/dns/keytable.h b/contrib/bind9/lib/dns/include/dns/keytable.h
index d951883346ff..3f4adaf6e398 100644
--- a/contrib/bind9/lib/dns/include/dns/keytable.h
+++ b/contrib/bind9/lib/dns/include/dns/keytable.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: keytable.h,v 1.23 2010/06/25 03:24:05 marka Exp $ */
#ifndef DNS_KEYTABLE_H
#define DNS_KEYTABLE_H 1
@@ -42,6 +42,10 @@
*/
#include <isc/lang.h>
+#include <isc/magic.h>
+#include <isc/refcount.h>
+#include <isc/rwlock.h>
+#include <isc/stdtime.h>
#include <dns/types.h>
@@ -49,6 +53,33 @@
ISC_LANG_BEGINDECLS
+struct dns_keytable {
+ /* Unlocked. */
+ unsigned int magic;
+ isc_mem_t *mctx;
+ isc_mutex_t lock;
+ isc_rwlock_t rwlock;
+ /* Locked by lock. */
+ isc_uint32_t active_nodes;
+ /* Locked by rwlock. */
+ isc_uint32_t references;
+ dns_rbt_t *table;
+};
+
+#define KEYTABLE_MAGIC ISC_MAGIC('K', 'T', 'b', 'l')
+#define VALID_KEYTABLE(kt) ISC_MAGIC_VALID(kt, KEYTABLE_MAGIC)
+
+struct dns_keynode {
+ unsigned int magic;
+ isc_refcount_t refcount;
+ dst_key_t * key;
+ isc_boolean_t managed;
+ struct dns_keynode * next;
+};
+
+#define KEYNODE_MAGIC ISC_MAGIC('K', 'N', 'o', 'd')
+#define VALID_KEYNODE(kn) ISC_MAGIC_VALID(kn, KEYNODE_MAGIC)
+
isc_result_t
dns_keytable_create(isc_mem_t *mctx, dns_keytable_t **keytablep);
/*%<
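Review bot: `struct dns_keytable` and `struct dns_keynode` are now defined in the public header, which lets any includer read or write `table`, `references`, `refcount` and `next` directly, bypassing the locks named in the field comments. If the definitions have to be visible, I would add a comment above each struct such as `/* Internal layout; use the dns_keytable_*() and dns_keynode_*() functions. */`. The struct also uses `isc_mutex_t`, while the include hunk above adds `isc/rwlock.h` but not `isc/mutex.h`, so the header appears to rely on a transitive include.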
@@ -106,16 +137,22 @@ dns_keytable_detach(dns_keytable_t **keytablep);
*/
isc_result_t
-dns_keytable_add(dns_keytable_t *keytable, dst_key_t **keyp);
+dns_keytable_add(dns_keytable_t *keytable, isc_boolean_t managed,
+ dst_key_t **keyp);
/*%<
- * Add '*keyp' to 'keytable'.
+ * Add '*keyp' to 'keytable' (using the name in '*keyp').
+ * The value of keynode->managed is set to 'managed'
*
* Notes:
*
*\li Ownership of *keyp is transferred to the keytable.
+ *\li If the key already exists in the table, ISC_R_EXISTS is
+ * returned and the new key is freed.
*
* Requires:
*
+ *\li 'keytable' points to a valid keytable.
+ *
*\li keyp != NULL && *keyp is a valid dst_key_t *.
*
* Ensures:
@@ -125,11 +162,124 @@ dns_keytable_add(dns_keytable_t *keytable, dst_key_t **keyp);
* Returns:
*
*\li ISC_R_SUCCESS
+ *\li ISC_R_EXISTS
+ *
+ *\li Any other result indicates failure.
+ */
+
+isc_result_t
+dns_keytable_marksecure(dns_keytable_t *keytable, dns_name_t *name);
+/*%<
+ * Add a null key to 'keytable' for name 'name'. This marks the
+ * name as a secure domain, but doesn't supply any key data to allow the
+ * domain to be validated. (Used when automated trust anchor management
+ * has gotten broken by a zone misconfiguration; for example, when the
+ * active key has been revoked but the stand-by key was still in its 30-day
+ * waiting period for validity.)
+ *
+ * Notes:
+ *
+ *\li If a key already exists in the table, ISC_R_EXISTS is
+ * returned and nothing is done.
+ *
+ * Requires:
+ *
+ *\li 'keytable' points to a valid keytable.
+ *
+ *\li keyp != NULL && *keyp is a valid dst_key_t *.
+ *
+ * Returns:
+ *
+ *\li ISC_R_SUCCESS
+ *\li ISC_R_EXISTS
+ *
+ *\li Any other result indicates failure.
+ */
+
+isc_result_t
+dns_keytable_delete(dns_keytable_t *keytable, dns_name_t *keyname);
+/*%<
+ * Delete node(s) from 'keytable' matching name 'keyname'
+ *
+ * Requires:
+ *
+ *\li 'keytable' points to a valid keytable.
+ *
+ *\li 'name' is not NULL
+ *
+ * Returns:
+ *
+ *\li ISC_R_SUCCESS
+ *
+ *\li Any other result indicates failure.
+ */
+
+isc_result_t
+dns_keytable_deletekeynode(dns_keytable_t *keytable, dst_key_t *dstkey);
+/*%<
+ * Delete node(s) from 'keytable' containing copies of the key pointed
+ * to by 'dstkey'
+ *
+ * Requires:
+ *
+ *\li 'keytable' points to a valid keytable.
+ *\li 'dstkey' is not NULL
+ *
+ * Returns:
+ *
+ *\li ISC_R_SUCCESS
*
*\li Any other result indicates failure.
*/
isc_result_t
+dns_keytable_find(dns_keytable_t *keytable, dns_name_t *keyname,
+ dns_keynode_t **keynodep);
+/*%<
+ * Search for the first instance of a key named 'name' in 'keytable',
+ * without regard to keyid and algorithm. Use dns_keytable_nextkeynode()
+ * to find subsequent instances.
+ *
+ * Requires:
+ *
+ *\li 'keytable' is a valid keytable.
+ *
+ *\li 'name' is a valid absolute name.
+ *
+ *\li keynodep != NULL && *keynodep == NULL
+ *
+ * Returns:
+ *
+ *\li ISC_R_SUCCESS
+ *\li ISC_R_NOTFOUND
+ *
+ *\li Any other result indicates an error.
+ */
+
+isc_result_t
+dns_keytable_nextkeynode(dns_keytable_t *keytable, dns_keynode_t *keynode,
+ dns_keynode_t **nextnodep);
+/*%<
+ * Return for the next key after 'keynode' in 'keytable', without regard to
+ * keyid and algorithm.
+ *
+ * Requires:
+ *
+ *\li 'keytable' is a valid keytable.
+ *
+ *\li 'keynode' is a valid keynode.
+ *
+ *\li nextnodep != NULL && *nextnodep == NULL
+ *
+ * Returns:
+ *
+ *\li ISC_R_SUCCESS
+ *\li ISC_R_NOTFOUND
+ *
+ *\li Any other result indicates an error.
+ */
+
+isc_result_t
dns_keytable_findkeynode(dns_keytable_t *keytable, dns_name_t *name,
dns_secalg_t algorithm, dns_keytag_t tag,
dns_keynode_t **keynodep);
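Review bot: The `Requires:` list for `dns_keytable_marksecure()` says `keyp != NULL && *keyp is a valid dst_key_t *`, but the function has no `keyp` parameter; the line looks copied from `dns_keytable_add()` and should describe `name` instead, e.g. `'name' is a valid absolute name`. The comments for `dns_keytable_delete()` and `dns_keytable_find()` refer to `'name'` while the parameter is `keyname`. Since marksecure turns a name into a secure domain with no key data to validate against, callers need its real preconditions stated. The `Returns:` list of `dns_keytable_delete()` should also say what is returned when no node matches.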
@@ -201,6 +351,22 @@ dns_keytable_finddeepestmatch(dns_keytable_t *keytable, dns_name_t *name,
*/
void
+dns_keytable_attachkeynode(dns_keytable_t *keytable, dns_keynode_t *source,
+ dns_keynode_t **target);
+/*%<
+ * Attach a keynode and and increment the active_nodes counter in a
+ * corresponding keytable.
+ *
+ * Requires:
+ *
+ *\li 'keytable' is a valid keytable.
+ *
+ *\li 'source' is a valid keynode.
+ *
+ *\li 'target' is not null and '*target' is null.
+ */
+
+void
dns_keytable_detachkeynode(dns_keytable_t *keytable,
dns_keynode_t **keynodep);
/*%<
@@ -244,12 +410,48 @@ dns_keytable_issecuredomain(dns_keytable_t *keytable, dns_name_t *name,
*\li Any other result is an error.
*/
+isc_result_t
+dns_keytable_dump(dns_keytable_t *keytable, FILE *fp);
+/*%<
+ * Dump the keytable on fp.
+ */
+
dst_key_t *
dns_keynode_key(dns_keynode_t *keynode);
/*%<
* Get the DST key associated with keynode.
*/
+isc_boolean_t
+dns_keynode_managed(dns_keynode_t *keynode);
+/*%<
+ * Is this flagged as a managed key?
+ */
+
+isc_result_t
+dns_keynode_create(isc_mem_t *mctx, dns_keynode_t **target);
+/*%<
+ * Allocate space for a keynode
+ */
+
+void
+dns_keynode_attach(dns_keynode_t *source, dns_keynode_t **target);
+/*%<
+ * Attach keynode 'source' to '*target'
+ */
+
+void
+dns_keynode_detach(isc_mem_t *mctx, dns_keynode_t **target);
+/*%<
+ * Detach a single keynode, without touching any keynodes that
+ * may be pointed to by its 'next' pointer
+ */
+
+void
+dns_keynode_detachall(isc_mem_t *mctx, dns_keynode_t **target);
+/*%<
+ * Detach a keynode and all its succesors.
+ */
ISC_LANG_ENDDECLS
#endif /* DNS_KEYTABLE_H */
diff --git a/contrib/bind9/lib/dns/include/dns/keyvalues.h b/contrib/bind9/lib/dns/include/dns/keyvalues.h
index 79d1b60468dd..0c392ca14cff 100644
--- a/contrib/bind9/lib/dns/include/dns/keyvalues.h
+++ b/contrib/bind9/lib/dns/include/dns/keyvalues.h
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: keyvalues.h,v 1.29 2010/12/23 23:47:08 tbox Exp $ */
#ifndef DNS_KEYVALUES_H
#define DNS_KEYVALUES_H 1
@@ -42,7 +42,7 @@
#define DNS_KEYOWNER_ENTITY 0x0200 /*%< key is assoc. with entity eg host */
#define DNS_KEYOWNER_ZONE 0x0100 /*%< key is zone key */
#define DNS_KEYOWNER_RESERVED 0x0300 /*%< reserved meaning */
-#define DNS_KEYFLAG_REVOKE 0x0080 /*%< key revoked (per rfc5001) */
+#define DNS_KEYFLAG_REVOKE 0x0080 /*%< key revoked (per rfc5011) */
#define DNS_KEYFLAG_RESERVED9 0x0040 /*%< reserved - must be zero */
#define DNS_KEYFLAG_RESERVED10 0x0020 /*%< reserved - must be zero */
#define DNS_KEYFLAG_RESERVED11 0x0010 /*%< reserved - must be zero */
@@ -51,7 +51,6 @@
#define DNS_KEYFLAG_RESERVEDMASK (DNS_KEYFLAG_RESERVED2 | \
DNS_KEYFLAG_RESERVED4 | \
DNS_KEYFLAG_RESERVED5 | \
- DNS_KEYFLAG_RESERVED8 | \
DNS_KEYFLAG_RESERVED9 | \
DNS_KEYFLAG_RESERVED10 | \
DNS_KEYFLAG_RESERVED11 )
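Review bot: `DNS_KEYFLAG_RESERVED8` is dropped from `DNS_KEYFLAG_RESERVEDMASK` with nothing in the header explaining why; presumably it is because bit 0x0080 is `DNS_KEYFLAG_REVOKE`, as the previous hunk shows. A one-line comment above the mask, e.g. `/* 0x0080 is DNS_KEYFLAG_REVOKE (RFC 5011), no longer reserved */`, would stop someone from restoring the entry, which would make revoked keys appear to have a reserved bit set. If the `DNS_KEYFLAG_RESERVED8` macro is still defined outside this hunk, it should be removed or marked obsolete so that one bit does not carry two names.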
@@ -71,6 +70,9 @@
#define DNS_KEYALG_NSEC3RSASHA1 7
#define DNS_KEYALG_RSASHA256 8
#define DNS_KEYALG_RSASHA512 10
+#define DNS_KEYALG_ECCGOST 12
+#define DNS_KEYALG_ECDSA256 13
+#define DNS_KEYALG_ECDSA384 14
#define DNS_KEYALG_INDIRECT 252
#define DNS_KEYALG_PRIVATEDNS 253
#define DNS_KEYALG_PRIVATEOID 254 /*%< Key begins with OID giving alg */
@@ -99,4 +101,12 @@
#define DNS_SIG_DSAMINBYTES 213
#define DNS_SIG_DSAMAXBYTES 405
+#define DNS_SIG_GOSTSIGSIZE 64
+
+#define DNS_SIG_ECDSA256SIZE 64
+#define DNS_SIG_ECDSA384SIZE 96
+
+#define DNS_KEY_ECDSA256SIZE 64
+#define DNS_KEY_ECDSA384SIZE 96
+
#endif /* DNS_KEYVALUES_H */
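Review bot: The new `DNS_SIG_GOSTSIGSIZE`, `DNS_SIG_ECDSA256SIZE`/`DNS_SIG_ECDSA384SIZE` and `DNS_KEY_ECDSA256SIZE`/`DNS_KEY_ECDSA384SIZE` constants have no comment and no unit, whereas the neighbouring `DNS_SIG_DSAMINBYTES` and `DNS_SIG_DSAMAXBYTES` at least say bytes in the name. Code that checks a signature or key length against these values needs to know exactly which field they measure. A trailing comment on each, for example `/*%< length in octets of an ECDSA P-256 signature */`, would settle that; the unit is presumably octets and should be confirmed against the implementation. The three algorithm numbers added in the previous hunk could likewise carry a short comment naming the algorithm.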
diff --git a/contrib/bind9/lib/dns/include/dns/lib.h b/contrib/bind9/lib/dns/include/dns/lib.h
index d339ee77bc8e..a78562f910c0 100644
--- a/contrib/bind9/lib/dns/include/dns/lib.h
+++ b/contrib/bind9/lib/dns/include/dns/lib.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2007, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: lib.h,v 1.18 2009/09/02 23:48:02 tbox Exp $ */
#ifndef DNS_LIB_H
#define DNS_LIB_H 1
@@ -40,6 +40,20 @@ dns_lib_initmsgcat(void);
* has not already been initialized.
*/
+isc_result_t
+dns_lib_init(void);
+/*%<
+ * A set of initialization procedure used in the DNS library. This function
+ * is provided for an application that is not aware of the underlying ISC or
+ * DNS libraries much.
+ */
+
+void
+dns_lib_shutdown(void);
+/*%<
+ * Free temporary resources allocated in dns_lib_init().
+ */
+
ISC_LANG_ENDDECLS
#endif /* DNS_LIB_H */
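Review bot: The comment on `dns_lib_init()` does not list its return values, and neither comment says how the two calls pair up. A caller cannot tell from the header whether `dns_lib_shutdown()` must still be called after a failed init, or whether calling `dns_lib_init()` more than once is allowed. I would add a `Returns:` list to `dns_lib_init()` and a `Requires:` line to `dns_lib_shutdown()` stating the pairing rule, once confirmed against the implementation. The opening sentence also reads better as `Perform the initialization procedures needed by the DNS library.`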
diff --git a/contrib/bind9/lib/dns/include/dns/log.h b/contrib/bind9/lib/dns/include/dns/log.h
index fbcd2def8986..689b148eb8f3 100644
--- a/contrib/bind9/lib/dns/include/dns/log.h
+++ b/contrib/bind9/lib/dns/include/dns/log.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2007, 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009, 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001, 2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -42,6 +42,7 @@ LIBDNS_EXTERNAL_DATA extern isc_logmodule_t dns_modules[];
#define DNS_LOGCATEGORY_LAME_SERVERS (&dns_categories[9])
#define DNS_LOGCATEGORY_DELEGATION_ONLY (&dns_categories[10])
#define DNS_LOGCATEGORY_EDNS_DISABLED (&dns_categories[11])
+#define DNS_LOGCATEGORY_RPZ (&dns_categories[12])
/* Backwards compatibility. */
#define DNS_LOGCATEGORY_GENERAL ISC_LOGCATEGORY_GENERAL
diff --git a/contrib/bind9/lib/dns/include/dns/lookup.h b/contrib/bind9/lib/dns/include/dns/lookup.h
index fe3e0503b943..e825e00ba4e5 100644
--- a/contrib/bind9/lib/dns/include/dns/lookup.h
+++ b/contrib/bind9/lib/dns/include/dns/lookup.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2007, 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: lookup.h,v 1.14 2009/01/17 23:47:43 tbox Exp $ */
#ifndef DNS_LOOKUP_H
#define DNS_LOOKUP_H 1
diff --git a/contrib/bind9/lib/dns/include/dns/master.h b/contrib/bind9/lib/dns/include/dns/master.h
index 7608582653bf..a852ae4b2aa7 100644
--- a/contrib/bind9/lib/dns/include/dns/master.h
+++ b/contrib/bind9/lib/dns/include/dns/master.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2008, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009, 2012 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -56,6 +56,7 @@
#define DNS_MASTER_CHECKMXFAIL 0x00001000
#define DNS_MASTER_RESIGN 0x00002000
+#define DNS_MASTER_KEY 0x00004000 /*%< Loading a key zone master file. */
ISC_LANG_BEGINDECLS
diff --git a/contrib/bind9/lib/dns/include/dns/message.h b/contrib/bind9/lib/dns/include/dns/message.h
index 9d311f3d2d47..3bc734d40cb2 100644
--- a/contrib/bind9/lib/dns/include/dns/message.h
+++ b/contrib/bind9/lib/dns/include/dns/message.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2010, 2012 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -81,8 +81,7 @@
* name = NULL;
* name = dns_message_gettempname(message, &name);
* dns_name_init(name, NULL);
- * result = dns_name_fromtext(name, &source, dns_rootname, ISC_FALSE,
- * buffer);
+ * result = dns_name_fromtext(name, &source, dns_rootname, 0, buffer);
* dns_message_takebuffer(message, &buffer);
* \endcode
*
@@ -137,6 +136,8 @@ typedef int dns_pseudosection_t;
typedef int dns_messagetextflag_t;
#define DNS_MESSAGETEXTFLAG_NOCOMMENTS 0x0001
#define DNS_MESSAGETEXTFLAG_NOHEADERS 0x0002
+#define DNS_MESSAGETEXTFLAG_ONESOA 0x0004
+#define DNS_MESSAGETEXTFLAG_OMITSOA 0x0008
/*
* Dynamic update names for these sections.
@@ -174,6 +175,9 @@ typedef int dns_messagetextflag_t;
additional section. */
#define DNS_MESSAGERENDER_PREFER_AAAA 0x0010 /*%< prefer AAAA records in
additional section. */
+#ifdef ALLOW_FILTER_AAAA_ON_V4
+#define DNS_MESSAGERENDER_FILTER_AAAA 0x0020 /*%< filter AAAA records */
+#endif
typedef struct dns_msgblock dns_msgblock_t;
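Review bot: `DNS_MESSAGERENDER_FILTER_AAAA` is defined only when `ALLOW_FILTER_AAAA_ON_V4` is set, so in a build without that option bit 0x0020 looks unused and a later render flag could be assigned the same value. Defining the constant unconditionally and keeping only its use behind the `#ifdef` reserves the bit in every configuration. If the conditional define has to stay, a line outside it such as `/* 0x0020 is reserved for DNS_MESSAGERENDER_FILTER_AAAA */` does the same job.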
@@ -369,6 +373,14 @@ dns_message_totext(dns_message_t *msg, const dns_master_style_t *style,
* #DNS_MESSAGETEXTFLAG_NOHEADERS is cleared, header lines will
* be emitted.
*
+ * If #DNS_MESSAGETEXTFLAG_ONESOA is set then only print the
+ * first SOA record in the answer section. If
+ * #DNS_MESSAGETEXTFLAG_OMITSOA is set don't print any SOA records
+ * in the answer section. These are useful for suppressing the
+ * display of the second SOA record in a AXFR by setting
+ * #DNS_MESSAGETEXTFLAG_ONESOA on the first message in a AXFR stream
+ * and #DNS_MESSAGETEXTFLAG_OMITSOA on subsequent messages.
+ *
* Requires:
*
*\li 'msg' is a valid message.
diff --git a/contrib/bind9/lib/dns/include/dns/name.h b/contrib/bind9/lib/dns/include/dns/name.h
index fc2058975f90..bef86931877c 100644
--- a/contrib/bind9/lib/dns/include/dns/name.h
+++ b/contrib/bind9/lib/dns/include/dns/name.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2007, 2009, 2010, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009-2011 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1998-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: name.h,v 1.137 2011/01/13 04:59:26 tbox Exp $ */
#ifndef DNS_NAME_H
#define DNS_NAME_H 1
@@ -121,21 +121,27 @@ struct dns_name {
#define DNS_NAME_MAGIC ISC_MAGIC('D','N','S','n')
-#define DNS_NAMEATTR_ABSOLUTE 0x0001
-#define DNS_NAMEATTR_READONLY 0x0002
-#define DNS_NAMEATTR_DYNAMIC 0x0004
-#define DNS_NAMEATTR_DYNOFFSETS 0x0008
-#define DNS_NAMEATTR_NOCOMPRESS 0x0010
+#define DNS_NAMEATTR_ABSOLUTE 0x00000001
+#define DNS_NAMEATTR_READONLY 0x00000002
+#define DNS_NAMEATTR_DYNAMIC 0x00000004
+#define DNS_NAMEATTR_DYNOFFSETS 0x00000008
+#define DNS_NAMEATTR_NOCOMPRESS 0x00000010
/*
* Attributes below 0x0100 reserved for name.c usage.
*/
-#define DNS_NAMEATTR_CACHE 0x0100 /*%< Used by resolver. */
-#define DNS_NAMEATTR_ANSWER 0x0200 /*%< Used by resolver. */
-#define DNS_NAMEATTR_NCACHE 0x0400 /*%< Used by resolver. */
-#define DNS_NAMEATTR_CHAINING 0x0800 /*%< Used by resolver. */
-#define DNS_NAMEATTR_CHASE 0x1000 /*%< Used by resolver. */
-#define DNS_NAMEATTR_WILDCARD 0x2000 /*%< Used by server. */
+#define DNS_NAMEATTR_CACHE 0x00000100 /*%< Used by resolver. */
+#define DNS_NAMEATTR_ANSWER 0x00000200 /*%< Used by resolver. */
+#define DNS_NAMEATTR_NCACHE 0x00000400 /*%< Used by resolver. */
+#define DNS_NAMEATTR_CHAINING 0x00000800 /*%< Used by resolver. */
+#define DNS_NAMEATTR_CHASE 0x00001000 /*%< Used by resolver. */
+#define DNS_NAMEATTR_WILDCARD 0x00002000 /*%< Used by server. */
+#define DNS_NAMEATTR_PREREQUISITE 0x00004000 /*%< Used by client. */
+#define DNS_NAMEATTR_UPDATE 0x00008000 /*%< Used by client. */
+#define DNS_NAMEATTR_HASUPDATEREC 0x00010000 /*%< Used by client. */
+/*
+ * Various flags.
+ */
#define DNS_NAME_DOWNCASE 0x0001
#define DNS_NAME_CHECKNAMES 0x0002 /*%< Used by rdata. */
#define DNS_NAME_CHECKNAMESFAIL 0x0004 /*%< Used by rdata. */
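Review bot: `DNS_NAMEATTR_HASUPDATEREC` is 0x00010000, the first attribute that does not fit in 16 bits, and the hunk does not show the type of the field these bits live in. If any copy of a name's attributes passes through a 16-bit field or cast, that flag is silently lost; this needs checking against `struct dns_name` and its users, which are outside the hunk. The context comment `Attributes below 0x0100 reserved for name.c usage` was also left in four-digit form while every constant around it moved to eight digits, so `0x00000100` would match. The new `Various flags.` comment could say which functions take these `DNS_NAME_*` option bits, since they are a separate namespace from the attributes above.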
@@ -1139,6 +1145,56 @@ dns_name_format(dns_name_t *name, char *cp, unsigned int size);
*/
isc_result_t
+dns_name_tostring(dns_name_t *source, char **target, isc_mem_t *mctx);
+/*%<
+ * Convert 'name' to string format, allocating sufficient memory to
+ * hold it (free with isc_mem_free()).
+ *
+ * Differs from dns_name_format in that it allocates its own memory.
+ *
+ * Requires:
+ *
+ *\li 'name' is a valid name.
+ *\li 'target' is not NULL.
+ *\li '*target' is NULL.
+ *
+ * Returns:
+ *
+ *\li ISC_R_SUCCESS
+ *
+ *\li Any error that dns_name_totext() can return.
+ */
+
+isc_result_t
+dns_name_fromstring(dns_name_t *target, const char *src, unsigned int options,
+ isc_mem_t *mctx);
+isc_result_t
+dns_name_fromstring2(dns_name_t *target, const char *src,
+ const dns_name_t *origin, unsigned int options,
+ isc_mem_t *mctx);
+/*%<
+ * Convert a string to a name and place it in target, allocating memory
+ * as necessary. 'options' has the same semantics as that of
+ * dns_name_fromtext().
+ *
+ * If 'target' has a buffer then the name will be copied into it rather than
+ * memory being allocated.
+ *
+ * Requires:
+ *
+ * \li 'target' is a valid name that is not read-only.
+ * \li 'src' is not NULL.
+ *
+ * Returns:
+ *
+ *\li #ISC_R_SUCCESS
+ *
+ *\li Any error that dns_name_fromtext() can return.
+ *
+ *\li Any error that dns_name_dup() can return.
+ */
+
+isc_result_t
dns_name_settotextfilter(dns_name_totextfilter_t proc);
/*%<
* Set / clear a thread specific function 'proc' to be called at the
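Review bot: The comment for `dns_name_tostring()` refers to 'name' (`Convert 'name' to string format`, `'name' is a valid name`) although the parameter is called `source`. It also has no Requires line for `mctx`, even though the result is said to be freed with `isc_mem_free()`. `dns_name_fromstring()` and `dns_name_fromstring2()` share one comment that never mentions `origin`, and it does not say how memory allocated for `target` is released when `target` has no buffer. I would change the wording to `'source'`, and add one sentence on what `origin` does and one on who frees the name, confirmed against the implementation.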
diff --git a/contrib/bind9/lib/dns/include/dns/ncache.h b/contrib/bind9/lib/dns/include/dns/ncache.h
index 8497c307e527..8d89879cc5e4 100644
--- a/contrib/bind9/lib/dns/include/dns/ncache.h
+++ b/contrib/bind9/lib/dns/include/dns/ncache.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2010, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: ncache.h,v 1.29 2010/05/14 23:50:40 tbox Exp $ */
#ifndef DNS_NCACHE_H
#define DNS_NCACHE_H 1
diff --git a/contrib/bind9/lib/dns/include/dns/nsec3.h b/contrib/bind9/lib/dns/include/dns/nsec3.h
index ee70aa2ea67b..beb44f3e63e2 100644
--- a/contrib/bind9/lib/dns/include/dns/nsec3.h
+++ b/contrib/bind9/lib/dns/include/dns/nsec3.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2008, 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2008-2010, 2012 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@@ -110,6 +110,12 @@ isc_result_t
dns_nsec3_addnsec3s(dns_db_t *db, dns_dbversion_t *version,
dns_name_t *name, dns_ttl_t nsecttl,
isc_boolean_t unsecure, dns_diff_t *diff);
+
+isc_result_t
+dns_nsec3_addnsec3sx(dns_db_t *db, dns_dbversion_t *version,
+ dns_name_t *name, dns_ttl_t nsecttl,
+ isc_boolean_t unsecure, dns_rdatatype_t private,
+ dns_diff_t *diff);
/*%<
* Add NSEC3 records for 'name', recording the change in 'diff'.
* Adjust previous NSEC3 records, if any, to reflect the addition.
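Review bot: The new prototype `dns_nsec3_addnsec3sx()` names a parameter `private`, which is a reserved word in C++. The header closes with `ISC_LANG_ENDDECLS`, which suggests it is meant to be includable from C++ code, where this declaration would not compile. Renaming it in the prototype to `dns_rdatatype_t privatetype`, the name `dns_nsec3param_toprivate()` already uses later in this file, avoids that; the same applies to `dns_nsec3_delnsec3sx()` and `dns_nsec3_activex()` in the following hunks. The new prototype also sits between `dns_nsec3_addnsec3s()` and its trailing `/*%<` comment, so a documentation tool that attaches such comments to the preceding declaration will now document only the `x` variant.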
@@ -130,6 +136,10 @@ dns_nsec3_addnsec3s(dns_db_t *db, dns_dbversion_t *version,
* NSEC3PARAM record otherwise OPTOUT will be inherited from the previous
* record in the chain.
*
+ * dns_nsec3_addnsec3sx() is similar to dns_nsec3_addnsec3s() but 'private'
+ * specifies the type of the private rdataset to be checked in addition to
+ * the nsec3param rdataset at the zone apex.
+ *
* Requires:
* 'db' to be valid.
* 'version' to be valid or NULL.
@@ -145,6 +155,10 @@ dns_nsec3_delnsec3(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
isc_result_t
dns_nsec3_delnsec3s(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
dns_diff_t *diff);
+
+isc_result_t
+dns_nsec3_delnsec3sx(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
+ dns_rdatatype_t private, dns_diff_t *diff);
/*%<
* Remove NSEC3 records for 'name', recording the change in 'diff'.
* Adjust previous NSEC3 records, if any, to reflect the removal.
@@ -156,6 +170,10 @@ dns_nsec3_delnsec3s(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
* to dns_nsec3_addnsec3s(). Unlike dns_nsec3_addnsec3s() updated NSEC3
* records have the OPTOUT flag preserved.
*
+ * dns_nsec3_delnsec3sx() is similar to dns_nsec3_delnsec3s() but 'private'
+ * specifies the type of the private rdataset to be checked in addition to
+ * the nsec3param rdataset at the zone apex.
+ *
* Requires:
* 'db' to be valid.
* 'version' to be valid or NULL.
@@ -167,10 +185,19 @@ dns_nsec3_delnsec3s(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
isc_result_t
dns_nsec3_active(dns_db_t *db, dns_dbversion_t *version,
isc_boolean_t complete, isc_boolean_t *answer);
+
+isc_result_t
+dns_nsec3_activex(dns_db_t *db, dns_dbversion_t *version,
+ isc_boolean_t complete, dns_rdatatype_t private,
+ isc_boolean_t *answer);
/*%<
* Check if there are any complete/to be built NSEC3 chains.
* If 'complete' is ISC_TRUE only complete chains will be recognized.
*
+ * dns_nsec3_activex() is similar to dns_nsec3_active() but 'private'
+ * specifies the type of the private rdataset to be checked in addition to
+ * the nsec3param rdataset at the zone apex.
+ *
* Requires:
* 'db' to be valid.
* 'version' to be valid or NULL.
@@ -191,6 +218,36 @@ dns_nsec3_maxiterations(dns_db_t *db, dns_dbversion_t *version,
* 'iterationsp' to be non NULL.
*/
+isc_boolean_t
+dns_nsec3param_fromprivate(dns_rdata_t *src, dns_rdata_t *target,
+ unsigned char *buf, size_t buflen);
+/*%<
+ * Convert a private rdata to a nsec3param rdata.
+ *
+ * Return ISC_TRUE if 'src' could be successfully converted.
+ *
+ * 'buf' should be at least DNS_NSEC3PARAM_BUFFERSIZE in size.
+ */
+
+void
+dns_nsec3param_toprivate(dns_rdata_t *src, dns_rdata_t *target,
+ dns_rdatatype_t privatetype,
+ unsigned char *buf, size_t buflen);
+/*%<
+ * Convert a nsec3param rdata to a private rdata.
+ *
+ * 'buf' should be at least src->length + 1 in size.
+ */
+
+isc_result_t
+dns_nsec3param_deletechains(dns_db_t *db, dns_dbversion_t *ver,
+ dns_zone_t *zone, dns_diff_t *diff);
+
+/*%<
+ * Mark NSEC3PARAM for deletion.
+ */
+
+
ISC_LANG_ENDDECLS
#endif /* DNS_NSEC3_H */
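Review bot: Both conversion helpers write into a caller-supplied `buf`/`buflen`, but the minimum size is given only as "should be at least" and the comments do not say what happens when `buflen` is smaller. `dns_nsec3param_toprivate()` returns `void`, so a caller cannot learn that the buffer was too short; whether the implementation asserts or proceeds is not visible in this hunk. I would state the sizes as preconditions, e.g. `\li 'buflen' >= DNS_NSEC3PARAM_BUFFERSIZE` and `\li 'buflen' >= src->length + 1`, and say what a violation does. `dns_nsec3param_deletechains()` has a blank line between the prototype and its comment, and that comment describes neither `zone` nor the return value.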
diff --git a/contrib/bind9/lib/dns/include/dns/peer.h b/contrib/bind9/lib/dns/include/dns/peer.h
index 6eca31be04fd..86324a3d7021 100644
--- a/contrib/bind9/lib/dns/include/dns/peer.h
+++ b/contrib/bind9/lib/dns/include/dns/peer.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: peer.h,v 1.35 2009/01/17 23:47:43 tbox Exp $ */
#ifndef DNS_PEER_H
#define DNS_PEER_H 1
diff --git a/contrib/bind9/lib/dns/include/dns/private.h b/contrib/bind9/lib/dns/include/dns/private.h
new file mode 100644
index 000000000000..7bc59b2cea6d
--- /dev/null
+++ b/contrib/bind9/lib/dns/include/dns/private.h
@@ -0,0 +1,55 @@
+/*
+ * Copyright (C) 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id$ */
+
+#include <isc/lang.h>
+#include <isc/types.h>
+
+#include <dns/types.h>
+#include <dns/db.h>
+
+#ifndef DNS_PRIVATE_H
+#define DNS_PRIVATE_H
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+dns_private_chains(dns_db_t *db, dns_dbversion_t *ver,
+ dns_rdatatype_t privatetype,
+ isc_boolean_t *build_nsec, isc_boolean_t *build_nsec3);
+/*%<
+ * Examine the NSEC, NSEC3PARAM and privatetype RRsets at the apex of the
+ * database to determine which of NSEC or NSEC3 chains we are currently
+ * maintaining. In normal operations only one of NSEC or NSEC3 is being
+ * maintained but when we are transitiong between NSEC and NSEC3 we need
+ * to update both sets of chains. If 'privatetype' is zero then the
+ * privatetype RRset will not be examined.
+ *
+ * Requires:
+ * \li 'db' is valid.
+ * \li 'version' is valid or NULL.
+ * \li 'build_nsec' is a pointer to a isc_boolean_t or NULL.
+ * \li 'build_nsec3' is a pointer to a isc_boolean_t or NULL.
+ *
+ * Returns:
+ * \li ISC_R_SUCCESS, 'build_nsec' and 'build_nsec3' will be valid.
+ * \li other on error
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif
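Review bot: The four `#include` lines come before `#ifndef DNS_PRIVATE_H`, so they sit outside the include guard, unlike the other headers in this diff that open with the guard. Moving `#ifndef DNS_PRIVATE_H` / `#define DNS_PRIVATE_H 1` above the includes and closing with `#endif /* DNS_PRIVATE_H */` would match them. In the comment, the Requires list names 'version' while the parameter is `ver`, and "transitiong" is misspelled. `build_nsec` and `build_nsec3` are allowed to be NULL, yet Returns says both "will be valid"; something like `'*build_nsec' and '*build_nsec3' are set when the corresponding pointer is non-NULL` would be accurate if that is what the implementation does.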
diff --git a/contrib/bind9/lib/dns/include/dns/rbt.h b/contrib/bind9/lib/dns/include/dns/rbt.h
index 420727743d63..3e9dc886576f 100644
--- a/contrib/bind9/lib/dns/include/dns/rbt.h
+++ b/contrib/bind9/lib/dns/include/dns/rbt.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: rbt.h,v 1.77 2009/11/04 01:18:19 marka Exp $ */
#ifndef DNS_RBT_H
#define DNS_RBT_H 1
@@ -70,6 +70,12 @@ ISC_LANG_BEGINDECLS
* multiple dns_rbtnode structures will not work.
*/
typedef struct dns_rbtnode dns_rbtnode_t;
+enum {
+ DNS_RBT_NSEC_NORMAL=0, /* in main tree */
+ DNS_RBT_NSEC_HAS_NSEC=1, /* also has node in nsec tree */
+ DNS_RBT_NSEC_NSEC=2, /* in nsec tree */
+ DNS_RBT_NSEC_NSEC3=3 /* in nsec3 tree */
+};
struct dns_rbtnode {
#if DNS_RBT_USEMAGIC
unsigned int magic;
@@ -94,10 +100,7 @@ struct dns_rbtnode {
* The following bitfields add up to a total bitwidth of 32.
* The range of values necessary for each item is indicated,
* but in the case of "attributes" the field is wider to accommodate
- * possible future expansion. "offsetlen" could be one bit
- * narrower by always adjusting its value by 1 to find the real
- * offsetlen, but doing so does not gain anything (except perhaps
- * another bit for "attributes", which doesn't yet need any more).
+ * possible future expansion.
*
* In each case below the "range" indicated is what's _necessary_ for
* the bitfield to hold, not what it actually _can_ hold.
@@ -105,8 +108,8 @@ struct dns_rbtnode {
unsigned int is_root : 1; /*%< range is 0..1 */
unsigned int color : 1; /*%< range is 0..1 */
unsigned int find_callback : 1; /*%< range is 0..1 */
- unsigned int attributes : 4; /*%< range is 0..2 */
- unsigned int nsec3 : 1; /*%< range is 0..1 */
+ unsigned int attributes : 3; /*%< range is 0..2 */
+ unsigned int nsec : 2; /*%< range is 0..3 */
unsigned int namelen : 8; /*%< range is 1..255 */
unsigned int offsetlen : 8; /*%< range is 1..128 */
unsigned int oldnamelen : 8; /*%< range is 1..255 */
@@ -909,7 +912,7 @@ dns_rbtnodechain_nextflat(dns_rbtnodechain_t *chain, dns_name_t *name);
} while (0)
#else /* DNS_RBT_USEISCREFCOUNT */
#define dns_rbtnode_refinit(node, n) ((node)->references = (n))
-#define dns_rbtnode_refdestroy(node) (REQUIRE((node)->references == 0))
+#define dns_rbtnode_refdestroy(node) REQUIRE((node)->references == 0)
#define dns_rbtnode_refcurrent(node) ((node)->references)
#define dns_rbtnode_refincrement0(node, refs) \
do { \
diff --git a/contrib/bind9/lib/dns/include/dns/rdata.h b/contrib/bind9/lib/dns/include/dns/rdata.h
index 3b316e3923ea..c3e7db61bdbf 100644
--- a/contrib/bind9/lib/dns/include/dns/rdata.h
+++ b/contrib/bind9/lib/dns/include/dns/rdata.h
@@ -95,6 +95,7 @@
#include <dns/types.h>
#include <dns/name.h>
+#include <dns/message.h>
ISC_LANG_BEGINDECLS
@@ -124,9 +125,27 @@ struct dns_rdata {
#define DNS_RDATA_INIT { NULL, 0, 0, 0, 0, {(void*)(-1), (void *)(-1)}}
+#define DNS_RDATA_CHECKINITIALIZED
+#ifdef DNS_RDATA_CHECKINITIALIZED
+#define DNS_RDATA_INITIALIZED(rdata) \
+ ((rdata)->data == NULL && (rdata)->length == 0 && \
+ (rdata)->rdclass == 0 && (rdata)->type == 0 && (rdata)->flags == 0 && \
+ !ISC_LINK_LINKED((rdata), link))
+#else
+#ifdef ISC_LIST_CHECKINIT
+#define DNS_RDATA_INITIALIZED(rdata) \
+ (!ISC_LINK_LINKED((rdata), link))
+#else
+#define DNS_RDATA_INITIALIZED(rdata) ISC_TRUE
+#endif
+#endif
+
#define DNS_RDATA_UPDATE 0x0001 /*%< update pseudo record. */
#define DNS_RDATA_OFFLINE 0x0002 /*%< RRSIG has a offline key. */
+#define DNS_RDATA_VALIDFLAGS(rdata) \
+ (((rdata)->flags & ~(DNS_RDATA_UPDATE|DNS_RDATA_OFFLINE)) == 0)
+
/*
* The maximum length of a RDATA that can be sent on the wire.
* Max packet size (65535) less header (12), less name (1), type (2),
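Review bot: `DNS_RDATA_CHECKINITIALIZED` is defined unconditionally on the line directly above `#ifdef DNS_RDATA_CHECKINITIALIZED`, so the `#else` branches (the `ISC_LIST_CHECKINIT` variant and the `ISC_TRUE` fallback) can never be selected. If the strict check is meant to be switchable, the define should come from the build configuration rather than this header; if it is meant to be permanent, the dead branches can go. `DNS_RDATA_INITIALIZED` and `DNS_RDATA_VALIDFLAGS` are also undocumented. A comment such as `/*%< true if no flag bits other than UPDATE and OFFLINE are set */` on the latter would make clear that it has to be extended whenever a new `DNS_RDATA_*` flag is added.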
@@ -212,6 +231,25 @@ dns_rdata_compare(const dns_rdata_t *rdata1, const dns_rdata_t *rdata2);
*\li > 0 'rdata1' is greater than 'rdata2'
*/
+int
+dns_rdata_casecompare(const dns_rdata_t *rdata1, const dns_rdata_t *rdata2);
+/*%<
+ * dns_rdata_casecompare() is similar to dns_rdata_compare() but also
+ * compares domain names case insensitively in known rdata types that
+ * are treated as opaque data by dns_rdata_compare().
+ *
+ * Requires:
+ *
+ *\li 'rdata1' is a valid, non-empty rdata
+ *
+ *\li 'rdata2' is a valid, non-empty rdata
+ *
+ * Returns:
+ *\li < 0 'rdata1' is less than 'rdata2'
+ *\li 0 'rdata1' is equal to 'rdata2'
+ *\li > 0 'rdata1' is greater than 'rdata2'
+ */
+
/***
*** Conversions
***/
@@ -709,6 +747,21 @@ dns_rdata_checknames(dns_rdata_t *rdata, dns_name_t *owner, dns_name_t *bad);
* 'bad' to be NULL or valid.
*/
+void
+dns_rdata_exists(dns_rdata_t *rdata, dns_rdatatype_t type);
+
+void
+dns_rdata_notexist(dns_rdata_t *rdata, dns_rdatatype_t type);
+
+void
+dns_rdata_deleterrset(dns_rdata_t *rdata, dns_rdatatype_t type);
+
+void
+dns_rdata_makedelete(dns_rdata_t *rdata);
+
+const char *
+dns_rdata_updateop(dns_rdata_t *rdata, dns_section_t section);
+
ISC_LANG_ENDDECLS
#endif /* DNS_RDATA_H */
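Review bot: The five new prototypes (`dns_rdata_exists()`, `dns_rdata_notexist()`, `dns_rdata_deleterrset()`, `dns_rdata_makedelete()`, `dns_rdata_updateop()`) have no comments at all, while the declarations visible around them carry a `/*%<` block with Requires and Returns. From the signatures alone a caller cannot tell what state `rdata` must be in before the call, which fields the `void` functions overwrite, or whether `dns_rdata_updateop()` can return NULL for a section or rdata it does not recognise. Each should get at least a one-line purpose and a Requires list. For `dns_rdata_updateop()` the set of returned strings and their lifetime should be stated too.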
diff --git a/contrib/bind9/lib/dns/include/dns/rdataset.h b/contrib/bind9/lib/dns/include/dns/rdataset.h
index 791855175f5c..b2b8370db051 100644
--- a/contrib/bind9/lib/dns/include/dns/rdataset.h
+++ b/contrib/bind9/lib/dns/include/dns/rdataset.h
@@ -56,6 +56,7 @@
#include <isc/stdtime.h>
#include <dns/types.h>
+#include <dns/rdatastruct.h>
ISC_LANG_BEGINDECLS
@@ -651,6 +652,25 @@ dns_rdataset_expire(dns_rdataset_t *rdataset);
* Mark the rdataset to be expired in the backing database.
*/
+void
+dns_rdataset_trimttl(dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset,
+ dns_rdata_rrsig_t *rrsig, isc_stdtime_t now,
+ isc_boolean_t acceptexpired);
+/*%<
+ * Trim the ttl of 'rdataset' and 'sigrdataset' so that they will expire
+ * at or before 'rrsig->expiretime'. If 'acceptexpired' is true and the
+ * signature has expired or will expire in the next 120 seconds, limit
+ * the ttl to be no more than 120 seconds.
+ *
+ * The ttl is further limited by the original ttl as stored in 'rrsig'
+ * and the original ttl values of 'rdataset' and 'sigrdataset'.
+ *
+ * Requires:
+ * \li 'rdataset' is a valid rdataset.
+ * \li 'sigrdataset' is a valid rdataset.
+ * \li 'rrsig' is non NULL.
+ */
+
const char *
dns_trust_totext(dns_trust_t trust);
/*
diff --git a/contrib/bind9/lib/dns/include/dns/request.h b/contrib/bind9/lib/dns/include/dns/request.h
index ecf223703dfd..8c792ddd5774 100644
--- a/contrib/bind9/lib/dns/include/dns/request.h
+++ b/contrib/bind9/lib/dns/include/dns/request.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2007, 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: request.h,v 1.31 2010/03/04 23:50:34 tbox Exp $ */
#ifndef DNS_REQUEST_H
#define DNS_REQUEST_H 1
@@ -47,6 +47,7 @@
#include <dns/types.h>
#define DNS_REQUESTOPT_TCP 0x00000001U
+#define DNS_REQUESTOPT_CASE 0x00000002U
typedef struct dns_requestevent {
ISC_EVENT_COMMON(struct dns_requestevent);
@@ -175,6 +176,9 @@ dns_request_create(dns_requestmgr_t *requestmgr, dns_message_t *message,
* #DNS_REQUESTOPT_TCP option is set, TCP will be used. The request
* will timeout after 'timeout' seconds.
*
+ *\li If the #DNS_REQUESTOPT_CASE option is set, use case sensitive
+ * compression.
+ *
*\li When the request completes, successfully, due to a timeout, or
* because it was canceled, a completion event will be sent to 'task'.
*
@@ -227,6 +231,9 @@ dns_request_createvia3(dns_requestmgr_t *requestmgr, dns_message_t *message,
* will timeout after 'timeout' seconds. UDP requests will be resent
* at 'udptimeout' intervals if non-zero or 'udpretries' is non-zero.
*
+ *\li If the #DNS_REQUESTOPT_CASE option is set, use case sensitive
+ * compression.
+ *
*\li When the request completes, successfully, due to a timeout, or
* because it was canceled, a completion event will be sent to 'task'.
*
diff --git a/contrib/bind9/lib/dns/include/dns/resolver.h b/contrib/bind9/lib/dns/include/dns/resolver.h
index d293daa9f968..7f7d09317c8d 100644
--- a/contrib/bind9/lib/dns/include/dns/resolver.h
+++ b/contrib/bind9/lib/dns/include/dns/resolver.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2010, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001, 2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -81,6 +81,7 @@ typedef struct dns_fetchevent {
dns_fixedname_t foundname;
isc_sockaddr_t * client;
dns_messageid_t id;
+ isc_result_t vresult;
} dns_fetchevent_t;
/*
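Review bot: The new `vresult` member of `dns_fetchevent_t` has no comment, and nothing in the struct distinguishes it from the result code the event already carries. A trailing comment saying when it is set and what it holds would help consumers of the event; it is presumably the validator's result, which should be confirmed where the field is assigned. It should also say what value the field has when no validation took place, so that a consumer does not read an unset result as success.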
@@ -179,7 +180,7 @@ dns_resolver_freeze(dns_resolver_t *res);
*
* Requires:
*
- *\li 'res' is a valid, unfrozen resolver.
+ *\li 'res' is a valid resolver.
*
* Ensures:
*
@@ -491,6 +492,27 @@ dns_resolver_setmustbesecure(dns_resolver_t *resolver, dns_name_t *name,
isc_boolean_t
dns_resolver_getmustbesecure(dns_resolver_t *resolver, dns_name_t *name);
+
+void
+dns_resolver_settimeout(dns_resolver_t *resolver, unsigned int seconds);
+/*%<
+ * Set the length of time the resolver will work on a query, in seconds.
+ *
+ * If timeout is 0, the default timeout will be applied.
+ *
+ * Requires:
+ * \li resolver to be valid.
+ */
+
+unsigned int
+dns_resolver_gettimeout(dns_resolver_t *resolver);
+/*%<
+ * Get the current length of time the resolver will work on a query, in seconds.
+ *
+ * Requires:
+ * \li resolver to be valid.
+ */
+
void
dns_resolver_setclientsperquery(dns_resolver_t *resolver,
isc_uint32_t min, isc_uint32_t max);
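Review bot: The comment for `dns_resolver_settimeout()` says "If timeout is 0" although the parameter is named `seconds`, and it gives neither the default value nor any bound on what is accepted. The query timeout limits how long resolver state is held per query, so the accepted range and the treatment of out-of-range values (clamped, rejected or asserted) belong in the header. I would reword to `If 'seconds' is 0, the default timeout is applied.` and add the range once confirmed against the implementation. `dns_resolver_gettimeout()` should say whether it reports the default when none was set.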
diff --git a/contrib/bind9/lib/dns/include/dns/result.h b/contrib/bind9/lib/dns/include/dns/result.h
index 4675ef5b21b8..21388b2c8078 100644
--- a/contrib/bind9/lib/dns/include/dns/result.h
+++ b/contrib/bind9/lib/dns/include/dns/result.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2008, 2010, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1998-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -148,10 +148,11 @@
#define DNS_R_MXISADDRESS (ISC_RESULTCLASS_DNS + 102)
#define DNS_R_DUPLICATE (ISC_RESULTCLASS_DNS + 103)
#define DNS_R_INVALIDNSEC3 (ISC_RESULTCLASS_DNS + 104)
-#define DNS_R_NOTMASTER (ISC_RESULTCLASS_DNS + 105)
+#define DNS_R_NOTMASTER (ISC_RESULTCLASS_DNS + 105)
#define DNS_R_BROKENCHAIN (ISC_RESULTCLASS_DNS + 106)
+#define DNS_R_EXPIRED (ISC_RESULTCLASS_DNS + 107)
-#define DNS_R_NRESULTS 107 /*%< Number of results */
+#define DNS_R_NRESULTS 108 /*%< Number of results */
/*
* DNS wire format rcodes.
diff --git a/contrib/bind9/lib/dns/include/dns/rpz.h b/contrib/bind9/lib/dns/include/dns/rpz.h
new file mode 100644
index 000000000000..4227dd44e05b
--- /dev/null
+++ b/contrib/bind9/lib/dns/include/dns/rpz.h
@@ -0,0 +1,207 @@
+/*
+ * Copyright (C) 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id$ */
+
+#ifndef DNS_RPZ_H
+#define DNS_RPZ_H 1
+
+#include <isc/lang.h>
+
+#include <dns/fixedname.h>
+#include <dns/rdata.h>
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+#define DNS_RPZ_IP_ZONE "rpz-ip"
+#define DNS_RPZ_NSIP_ZONE "rpz-nsip"
+#define DNS_RPZ_NSDNAME_ZONE "rpz-nsdname"
+#define DNS_RPZ_PASSTHRU_ZONE "rpz-passthru"
+
+typedef isc_uint8_t dns_rpz_cidr_bits_t;
+
+typedef enum {
+ DNS_RPZ_TYPE_BAD,
+ DNS_RPZ_TYPE_QNAME,
+ DNS_RPZ_TYPE_IP,
+ DNS_RPZ_TYPE_NSDNAME,
+ DNS_RPZ_TYPE_NSIP
+} dns_rpz_type_t;
+
+/*
+ * Require DNS_RPZ_POLICY_PASSTHRU < DNS_RPZ_POLICY_NXDOMAIN <
+ * DNS_RPZ_POLICY_NODATA < DNS_RPZ_POLICY_CNAME to choose among competing
+ * policies.
+ */
+typedef enum {
+ DNS_RPZ_POLICY_GIVEN = 0, /* 'given': what policy record says */
+ DNS_RPZ_POLICY_DISABLED = 1, /* 'cname x': answer with x's rrsets */
+ DNS_RPZ_POLICY_PASSTHRU = 2, /* 'passthru': do not rewrite */
+ DNS_RPZ_POLICY_NXDOMAIN = 3, /* 'nxdomain': answer with NXDOMAIN */
+ DNS_RPZ_POLICY_NODATA = 4, /* 'nodata': answer with ANCOUNT=0 */
+ DNS_RPZ_POLICY_CNAME = 5, /* 'cname x': answer with x's rrsets */
+ DNS_RPZ_POLICY_RECORD,
+ DNS_RPZ_POLICY_WILDCNAME,
+ DNS_RPZ_POLICY_MISS,
+ DNS_RPZ_POLICY_ERROR
+} dns_rpz_policy_t;
+
+/*
+ * Specify a response policy zone.
+ */
+typedef struct dns_rpz_zone dns_rpz_zone_t;
+
+struct dns_rpz_zone {
+ ISC_LINK(dns_rpz_zone_t) link;
+ int num; /* ordinal in list of policy zones */
+ dns_name_t origin; /* Policy zone name */
+ dns_name_t nsdname; /* DNS_RPZ_NSDNAME_ZONE.origin */
+ dns_name_t passthru;/* DNS_RPZ_PASSTHRU_ZONE. */
+ dns_name_t cname; /* override value for ..._CNAME */
+ dns_ttl_t max_policy_ttl;
+ dns_rpz_policy_t policy; /* DNS_RPZ_POLICY_GIVEN or override */
+ isc_boolean_t recursive_only;
+};
+
+/*
+ * Radix trees for response policy IP addresses.
+ */
+typedef struct dns_rpz_cidr dns_rpz_cidr_t;
+
+/*
+ * context for finding the best policy
+ */
+typedef struct {
+ unsigned int state;
+# define DNS_RPZ_REWRITTEN 0x0001
+# define DNS_RPZ_DONE_QNAME 0x0002 /* qname checked */
+# define DNS_RPZ_DONE_QNAME_IP 0x0004 /* IP addresses of qname checked */
+# define DNS_RPZ_DONE_NSDNAME 0x0008 /* NS name missed; checking addresses */
+# define DNS_RPZ_DONE_IPv4 0x0010
+# define DNS_RPZ_RECURSING 0x0020
+# define DNS_RPZ_HAVE_IP 0x0040 /* a policy zone has IP addresses */
+# define DNS_RPZ_HAVE_NSIPv4 0x0080 /* IPv4 NISP addresses */
+# define DNS_RPZ_HAVE_NSIPv6 0x0100 /* IPv6 NISP addresses */
+# define DNS_RPZ_HAVE_NSDNAME 0x0200 /* NS names */
+ /*
+ * Best match so far.
+ */
+ struct {
+ dns_rpz_type_t type;
+ dns_rpz_zone_t *rpz;
+ dns_rpz_cidr_bits_t prefix;
+ dns_rpz_policy_t policy;
+ dns_ttl_t ttl;
+ isc_result_t result;
+ dns_zone_t *zone;
+ dns_db_t *db;
+ dns_dbversion_t *version;
+ dns_dbnode_t *node;
+ dns_rdataset_t *rdataset;
+ } m;
+ /*
+ * State for chasing IP addresses and NS names including recursion.
+ */
+ struct {
+ unsigned int label;
+ dns_db_t *db;
+ dns_rdataset_t *ns_rdataset;
+ dns_rdatatype_t r_type;
+ isc_result_t r_result;
+ dns_rdataset_t *r_rdataset;
+ } r;
+ /*
+ * State of real query while recursing for NSIP or NSDNAME.
+ */
+ struct {
+ isc_result_t result;
+ isc_boolean_t is_zone;
+ isc_boolean_t authoritative;
+ dns_zone_t *zone;
+ dns_db_t *db;
+ dns_dbnode_t *node;
+ dns_rdataset_t *rdataset;
+ dns_rdataset_t *sigrdataset;
+ dns_rdatatype_t qtype;
+ } q;
+ dns_name_t *qname;
+ dns_name_t *r_name;
+ dns_name_t *fname;
+ dns_fixedname_t _qnamef;
+ dns_fixedname_t _r_namef;
+ dns_fixedname_t _fnamef;
+} dns_rpz_st_t;
+
+#define DNS_RPZ_TTL_DEFAULT 5
+#define DNS_RPZ_MAX_TTL_DEFAULT DNS_RPZ_TTL_DEFAULT
+
+/*
+ * So various response policy zone messages can be turned up or down.
+ */
+#define DNS_RPZ_ERROR_LEVEL ISC_LOG_WARNING
+#define DNS_RPZ_INFO_LEVEL ISC_LOG_INFO
+#define DNS_RPZ_DEBUG_LEVEL1 ISC_LOG_DEBUG(1)
+#define DNS_RPZ_DEBUG_LEVEL2 ISC_LOG_DEBUG(2)
+#define DNS_RPZ_DEBUG_LEVEL3 ISC_LOG_DEBUG(3)
+#define DNS_RPZ_DEBUG_QUIET (DNS_RPZ_DEBUG_LEVEL3+1)
+
+const char *
+dns_rpz_type2str(dns_rpz_type_t type);
+
+dns_rpz_policy_t
+dns_rpz_str2policy(const char *str);
+
+const char *
+dns_rpz_policy2str(dns_rpz_policy_t policy);
+
+void
+dns_rpz_set_need(isc_boolean_t need);
+
+isc_boolean_t
+dns_rpz_needed(void);
+
+void
+dns_rpz_cidr_free(dns_rpz_cidr_t **cidr);
+
+void
+dns_rpz_view_destroy(dns_view_t *view);
+
+isc_result_t
+dns_rpz_new_cidr(isc_mem_t *mctx, dns_name_t *origin,
+ dns_rpz_cidr_t **rbtdb_cidr);
+void
+dns_rpz_enabled(dns_rpz_cidr_t *cidr, dns_rpz_st_t *st);
+
+void
+dns_rpz_cidr_deleteip(dns_rpz_cidr_t *cidr, dns_name_t *name);
+
+void
+dns_rpz_cidr_addip(dns_rpz_cidr_t *cidr, dns_name_t *name);
+
+isc_result_t
+dns_rpz_cidr_find(dns_rpz_cidr_t *cidr, const isc_netaddr_t *netaddr,
+ dns_rpz_type_t type, dns_name_t *canon_name,
+ dns_name_t *search_name, dns_rpz_cidr_bits_t *prefix);
+
+dns_rpz_policy_t
+dns_rpz_decode_cname(dns_rpz_zone_t *rpz, dns_rdataset_t *rdataset,
+ dns_name_t *selfname);
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_RPZ_H */
+
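Review bot: In dns_rpz_policy_t the comment on DNS_RPZ_POLICY_DISABLED is a copy of the one on DNS_RPZ_POLICY_CNAME (`'cname x': answer with x's rrsets`), so the header never says what DISABLED does. It needs its own description, presumably along the lines of `'disabled': do not rewrite`, to be confirmed against rpz.c. This matters because the block comment above the enum makes the numeric order the tie-break between competing policies, so a reader has to know what each value means. Two smaller points in the same file: `NISP` in the DNS_RPZ_HAVE_NSIPv4 and DNS_RPZ_HAVE_NSIPv6 comments should read `NSIP`, and none of the dns_rpz_* prototypes has a Requires/Returns comment, for example whether dns_rpz_cidr_find accepts NULL for `prefix`.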
diff --git a/contrib/bind9/lib/dns/include/dns/rriterator.h b/contrib/bind9/lib/dns/include/dns/rriterator.h
new file mode 100644
index 000000000000..a3e8e479b920
--- /dev/null
+++ b/contrib/bind9/lib/dns/include/dns/rriterator.h
@@ -0,0 +1,187 @@
+/*
+ * Copyright (C) 2009, 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id$ */
+
+#ifndef DNS_RRITERATOR_H
+#define DNS_RRITERATOR_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*! \file dns/rriterator.h
+ * \brief
+ * Functions for "walking" a zone database, visiting each RR or RRset in turn.
+ */
+
+/*****
+ ***** Imports
+ *****/
+
+#include <isc/lang.h>
+#include <isc/magic.h>
+#include <isc/ondestroy.h>
+#include <isc/stdtime.h>
+
+#include <dns/db.h>
+#include <dns/dbiterator.h>
+#include <dns/fixedname.h>
+#include <dns/name.h>
+#include <dns/rdata.h>
+#include <dns/rdataset.h>
+#include <dns/rdatasetiter.h>
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+/*****
+ ***** Types
+ *****/
+
+/*%
+ * A dns_rriterator_t is an iterator that iterates over an entire database,
+ * returning one RR at a time, in some arbitrary order.
+ */
+
+typedef struct dns_rriterator {
+ unsigned int magic;
+ isc_result_t result;
+ dns_db_t *db;
+ dns_dbiterator_t *dbit;
+ dns_dbversion_t *ver;
+ isc_stdtime_t now;
+ dns_dbnode_t *node;
+ dns_fixedname_t fixedname;
+ dns_rdatasetiter_t *rdatasetit;
+ dns_rdataset_t rdataset;
+ dns_rdata_t rdata;
+} dns_rriterator_t;
+
+#define RRITERATOR_MAGIC ISC_MAGIC('R', 'R', 'I', 't')
+#define VALID_RRITERATOR(m) ISC_MAGIC_VALID(m, RRITERATOR_MAGIC)
+
+isc_result_t
+dns_rriterator_init(dns_rriterator_t *it, dns_db_t *db,
+ dns_dbversion_t *ver, isc_stdtime_t now);
+/*%
+ * Initialize an rriterator; sets the cursor to the origin node
+ * of the database.
+ *
+ * Requires:
+ *
+ * \li 'db' is a valid database.
+ *
+ * Returns:
+ *
+ * \li #ISC_R_SUCCESS
+ * \li #ISC_R_NOMEMORY
+ */
+
+isc_result_t
+dns_rriterator_first(dns_rriterator_t *it);
+/*%<
+ * Move the rriterator cursor to the first rdata in the database.
+ *
+ * Requires:
+ *\li 'it' is a valid, initialized rriterator
+ *
+ * Returns:
+ *\li #ISC_R_SUCCESS
+ *\li #ISC_R_NOMORE There are no rdata in the set.
+ */
+
+isc_result_t
+dns_rriterator_nextrrset(dns_rriterator_t *it);
+/*%<
+ * Move the rriterator cursor to the next rrset in the database,
+ * skipping over any remaining records that have the same rdatatype
+ * as the current one.
+ *
+ * Requires:
+ *\li 'it' is a valid, initialized rriterator
+ *
+ * Returns:
+ *\li #ISC_R_SUCCESS
+ *\li #ISC_R_NOMORE No more rrsets in the database
+ */
+
+isc_result_t
+dns_rriterator_next(dns_rriterator_t *it);
+/*%<
+ * Move the rriterator cursor to the next rrset in the database,
+ * skipping over any remaining records that have the same rdatatype
+ * as the current one.
+ *
+ * Requires:
+ *\li 'it' is a valid, initialized rriterator
+ *
+ * Returns:
+ *\li #ISC_R_SUCCESS
+ *\li #ISC_R_NOMORE No more records in the database
+ */
+
+void
+dns_rriterator_current(dns_rriterator_t *it, dns_name_t **name,
+ isc_uint32_t *ttl, dns_rdataset_t **rdataset,
+ dns_rdata_t **rdata);
+/*%<
+ * Make '*name' refer to the current name. If 'rdataset' is not NULL,
+ * make '*rdataset' refer to the current * rdataset. If '*rdata' is not
+ * NULL, make '*rdata' refer to the current record.
+ *
+ * Requires:
+ *\li '*name' is a valid name object
+ *\li 'rdataset' is NULL or '*rdataset' is NULL
+ *\li 'rdata' is NULL or '*rdata' is NULL
+ *
+ * Ensures:
+ *\li 'rdata' refers to the rdata at the rdata cursor location of
+ *\li 'rdataset'.
+ */
+
+void
+dns_rriterator_pause(dns_rriterator_t *it);
+/*%<
+ * Pause rriterator. Frees any locks held by the database iterator.
+ * Callers should use this routine any time they are not going to
+ * execute another rriterator method in the immediate future.
+ *
+ * Requires:
+ *\li 'it' is a valid iterator.
+ *
+ * Ensures:
+ *\li Any database locks being held for efficiency of iterator access are
+ * released.
+ */
+
+void
+dns_rriterator_destroy(dns_rriterator_t *it);
+/*%<
+ * Shut down and free resources in rriterator 'it'.
+ *
+ * Requires:
+ *
+ *\li 'it' is a valid iterator.
+ *
+ * Ensures:
+ *
+ *\li All resources used by the rriterator are freed.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_RRITERATOR_H */
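Review bot: The comment under dns_rriterator_next is a verbatim copy of the one under dns_rriterator_nextrrset ("next rrset ... skipping over any remaining records"), which contradicts its own Returns line, "No more records in the database". It should read something like `Move the rriterator cursor to the next rdata in the database.` In dns_rriterator_current the sentence "If '*rdata' is not NULL" conflicts with the Requires line "'rdata' is NULL or '*rdata' is NULL"; it should test `'rdata'`. The `ttl` out-parameter is not described at all. dns_rriterator_init also uses `/*%` where every other prototype in the file uses `/*%<`.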
diff --git a/contrib/bind9/lib/dns/include/dns/sdb.h b/contrib/bind9/lib/dns/include/dns/sdb.h
index 4b3ab480d553..c57c4a1d038a 100644
--- a/contrib/bind9/lib/dns/include/dns/sdb.h
+++ b/contrib/bind9/lib/dns/include/dns/sdb.h
@@ -59,6 +59,9 @@ typedef struct dns_sdballnodes dns_sdballnodes_t;
typedef isc_result_t
(*dns_sdblookupfunc_t)(const char *zone, const char *name, void *dbdata,
dns_sdblookup_t *);
+typedef isc_result_t
+(*dns_sdblookup2func_t)(const dns_name_t *zone, const dns_name_t *name,
+ void *dbdata, dns_sdblookup_t *lookup);
typedef isc_result_t
(*dns_sdbauthorityfunc_t)(const char *zone, void *dbdata, dns_sdblookup_t *);
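Review bot: dns_sdblookup2func_t is added without a comment, and the `lookup2` member appended to dns_sdbmethods_t in the next hunk is not documented either. A driver author cannot tell from the header which callback is used when both `lookup` and `lookup2` are set, or whether `zone` and `name` are absolute names. A short comment on the typedef, for example `Like dns_sdblookupfunc_t but receives dns_name_t names; preferred over 'lookup' when non-NULL`, would cover it if that matches sdb.c, which is not shown here.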
@@ -81,6 +84,7 @@ typedef struct dns_sdbmethods {
dns_sdballnodesfunc_t allnodes;
dns_sdbcreatefunc_t create;
dns_sdbdestroyfunc_t destroy;
+ dns_sdblookup2func_t lookup2;
} dns_sdbmethods_t;
/***
@@ -92,6 +96,7 @@ ISC_LANG_BEGINDECLS
#define DNS_SDBFLAG_RELATIVEOWNER 0x00000001U
#define DNS_SDBFLAG_RELATIVERDATA 0x00000002U
#define DNS_SDBFLAG_THREADSAFE 0x00000004U
+#define DNS_SDBFLAG_DNS64 0x00000008U
isc_result_t
dns_sdb_register(const char *drivername, const dns_sdbmethods_t *methods,
diff --git a/contrib/bind9/lib/dns/include/dns/sdlz.h b/contrib/bind9/lib/dns/include/dns/sdlz.h
index 3516c15574b1..375a99a6d69e 100644
--- a/contrib/bind9/lib/dns/include/dns/sdlz.h
+++ b/contrib/bind9/lib/dns/include/dns/sdlz.h
@@ -1,5 +1,5 @@
/*
- * Portions Copyright (C) 2005-2007, 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2005-2007, 2009-2012 Internet Systems Consortium, Inc. ("ISC")
* Portions Copyright (C) 1999-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -74,11 +74,10 @@ typedef struct dns_sdlzlookup dns_sdlzlookup_t;
/* A simple DLZ database traversal in progress. */
typedef struct dns_sdlzallnodes dns_sdlzallnodes_t;
-
-typedef isc_result_t
-(*dns_sdlzallnodesfunc_t)(const char *zone, void *driverarg, void *dbdata,
- dns_sdlzallnodes_t *allnodes);
-
+typedef isc_result_t (*dns_sdlzallnodesfunc_t)(const char *zone,
+ void *driverarg,
+ void *dbdata,
+ dns_sdlzallnodes_t *allnodes);
/*%<
* Method prototype. Drivers implementing the SDLZ interface may
* supply an all nodes method. This method is called when the DNS
@@ -92,9 +91,9 @@ typedef isc_result_t
* does not have to implement an all nodes method.
*/
-typedef isc_result_t
-(*dns_sdlzallowzonexfr_t)(void *driverarg, void *dbdata, const char *name,
- const char *client);
+typedef isc_result_t (*dns_sdlzallowzonexfr_t)(void *driverarg,
+ void *dbdata, const char *name,
+ const char *client);
/*%<
* Method prototype. Drivers implementing the SDLZ interface may
@@ -117,9 +116,9 @@ typedef isc_result_t
* error.
*/
-typedef isc_result_t
-(*dns_sdlzauthorityfunc_t)(const char *zone, void *driverarg, void *dbdata,
- dns_sdlzlookup_t *lookup);
+typedef isc_result_t (*dns_sdlzauthorityfunc_t)(const char *zone,
+ void *driverarg, void *dbdata,
+ dns_sdlzlookup_t *lookup);
/*%<
* Method prototype. Drivers implementing the SDLZ interface may
@@ -131,9 +130,9 @@ typedef isc_result_t
* method.
*/
-typedef isc_result_t
-(*dns_sdlzcreate_t)(const char *dlzname, unsigned int argc, char *argv[],
- void *driverarg, void **dbdata);
+typedef isc_result_t (*dns_sdlzcreate_t)(const char *dlzname,
+ unsigned int argc, char *argv[],
+ void *driverarg, void **dbdata);
/*%<
* Method prototype. Drivers implementing the SDLZ interface may
@@ -142,8 +141,7 @@ typedef isc_result_t
* does not have to implement a create method.
*/
-typedef void
-(*dns_sdlzdestroy_t)(void *driverarg, void *dbdata);
+typedef void (*dns_sdlzdestroy_t)(void *driverarg, void *dbdata);
/*%<
* Method prototype. Drivers implementing the SDLZ interface may
@@ -198,6 +196,87 @@ typedef isc_result_t
* lookup method.
*/
+typedef isc_result_t (*dns_sdlznewversion_t)(const char *zone,
+ void *driverarg, void *dbdata,
+ void **versionp);
+/*%<
+ * Method prototype. Drivers implementing the SDLZ interface may
+ * supply a newversion method. This method is called to start a
+ * write transaction on a zone and should only be implemented by
+ * writeable backends.
+ * When implemented, the driver should create a new transaction, and
+ * fill *versionp with a pointer to the transaction state. The
+ * closeversion function will be called to close the transaction.
+ */
+
+typedef void (*dns_sdlzcloseversion_t)(const char *zone, isc_boolean_t commit,
+ void *driverarg, void *dbdata,
+ void **versionp);
+/*%<
+ * Method prototype. Drivers implementing the SDLZ interface must
+ * supply a closeversion method if they supply a newversion method.
+ * When implemented, the driver should close the given transaction,
+ * committing changes if 'commit' is ISC_TRUE. If 'commit' is not true
+ * then all changes should be discarded and the database rolled back.
+ * If the call is successful then *versionp should be set to NULL
+ */
+
+typedef isc_result_t (*dns_sdlzconfigure_t)(dns_view_t *view, void *driverarg,
+ void *dbdata);
+/*%<
+ * Method prototype. Drivers implementing the SDLZ interface may
+ * supply a configure method. When supplied, it will be called
+ * immediately after the create method to give the driver a chance
+ * to configure writeable zones
+ */
+
+
+typedef isc_boolean_t (*dns_sdlzssumatch_t)(const char *signer,
+ const char *name,
+ const char *tcpaddr,
+ const char *type,
+ const char *key,
+ isc_uint32_t keydatalen,
+ unsigned char *keydata,
+ void *driverarg,
+ void *dbdata);
+
+/*%<
+ * Method prototype. Drivers implementing the SDLZ interface may
+ * supply a ssumatch method. If supplied, then ssumatch will be
+ * called to authorize any zone updates. The driver should return
+ * ISC_TRUE to allow the update, and ISC_FALSE to deny it. For a DLZ
+ * controlled zone, this is the only access control on updates.
+ */
+
+
+typedef isc_result_t (*dns_sdlzmodrdataset_t)(const char *name,
+ const char *rdatastr,
+ void *driverarg, void *dbdata,
+ void *version);
+/*%<
+ * Method prototype. Drivers implementing the SDLZ interface may
+ * supply addrdataset and subtractrdataset methods. If supplied, then these
+ * will be called when rdatasets are added/subtracted during
+ * updates. The version parameter comes from a call to the sdlz
+ * newversion() method from the driver. The rdataset parameter is a
+ * linearise string representation of the rdataset change. The format
+ * is the same as used by dig when displaying records. The fields are
+ * tab delimited.
+ */
+
+typedef isc_result_t (*dns_sdlzdelrdataset_t)(const char *name,
+ const char *type,
+ void *driverarg, void *dbdata,
+ void *version);
+/*%<
+ * Method prototype. Drivers implementing the SDLZ interface may
+ * supply a delrdataset method. If supplied, then this
+ * function will be called when rdatasets are deleted during
+ * updates. The call should remove all rdatasets of the given type for
+ * the specified name.
+ */
+
typedef struct dns_sdlzmethods {
dns_sdlzcreate_t create;
dns_sdlzdestroy_t destroy;
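Review bot: The dns_sdlzssumatch_t comment says that for a DLZ-controlled zone this callback "is the only access control on updates", but it does not say what happens when a driver supplies newversion and leaves `ssumatch` NULL. The header should state the default explicitly, ideally `If ssumatch is not supplied, all updates are denied`, once that is confirmed in sdlz.c (not visible on this page). The same comment gives no format for `tcpaddr`, `type`, `key` or `keydata`, nor whether any of them may be NULL, which a driver needs before it can base an authorization decision on them. In the dns_sdlzmodrdataset_t comment "The rdataset parameter" refers to the argument actually named `rdatastr`, and "linearise" should be "linearised".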
@@ -206,6 +285,13 @@ typedef struct dns_sdlzmethods {
dns_sdlzauthorityfunc_t authority;
dns_sdlzallnodesfunc_t allnodes;
dns_sdlzallowzonexfr_t allowzonexfr;
+ dns_sdlznewversion_t newversion;
+ dns_sdlzcloseversion_t closeversion;
+ dns_sdlzconfigure_t configure;
+ dns_sdlzssumatch_t ssumatch;
+ dns_sdlzmodrdataset_t addrdataset;
+ dns_sdlzmodrdataset_t subtractrdataset;
+ dns_sdlzdelrdataset_t delrdataset;
} dns_sdlzmethods_t;
isc_result_t
@@ -231,25 +317,33 @@ dns_sdlzunregister(dns_sdlzimplementation_t **sdlzimp);
* function is called.
*/
-isc_result_t
-dns_sdlz_putnamedrr(dns_sdlzallnodes_t *allnodes, const char *name,
- const char *type, dns_ttl_t ttl, const char *data);
+typedef isc_result_t dns_sdlz_putnamedrr_t(dns_sdlzallnodes_t *allnodes,
+ const char *name,
+ const char *type,
+ dns_ttl_t ttl,
+ const char *data);
+dns_sdlz_putnamedrr_t dns_sdlz_putnamedrr;
+
/*%<
* Add a single resource record to the allnodes structure to be later
* parsed into a zone transfer response.
*/
-isc_result_t
-dns_sdlz_putrr(dns_sdlzlookup_t *lookup, const char *type, dns_ttl_t ttl,
- const char *data);
+typedef isc_result_t dns_sdlz_putrr_t(dns_sdlzlookup_t *lookup,
+ const char *type,
+ dns_ttl_t ttl,
+ const char *data);
+dns_sdlz_putrr_t dns_sdlz_putrr;
/*%<
* Add a single resource record to the lookup structure to be later
* parsed into a query response.
*/
-isc_result_t
-dns_sdlz_putsoa(dns_sdlzlookup_t *lookup, const char *mname, const char *rname,
- isc_uint32_t serial);
+typedef isc_result_t dns_sdlz_putsoa_t(dns_sdlzlookup_t *lookup,
+ const char *mname,
+ const char *rname,
+ isc_uint32_t serial);
+dns_sdlz_putsoa_t dns_sdlz_putsoa;
/*%<
* This function may optionally be called from the 'authority'
* callback to simplify construction of the SOA record for 'zone'. It
@@ -261,6 +355,16 @@ dns_sdlz_putsoa(dns_sdlzlookup_t *lookup, const char *mname, const char *rname,
*/
+typedef isc_result_t dns_sdlz_setdb_t(dns_dlzdb_t *dlzdatabase,
+ dns_rdataclass_t rdclass,
+ dns_name_t *name,
+ dns_db_t **dbp);
+dns_sdlz_setdb_t dns_sdlz_setdb;
+/*%<
+ * Create the database pointers for a writeable SDLZ zone
+ */
+
+
ISC_LANG_ENDDECLS
#endif /* SDLZ_H */
diff --git a/contrib/bind9/lib/dns/include/dns/secalg.h b/contrib/bind9/lib/dns/include/dns/secalg.h
index fe4a66ce331f..43d9fb25e1d2 100644
--- a/contrib/bind9/lib/dns/include/dns/secalg.h
+++ b/contrib/bind9/lib/dns/include/dns/secalg.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2007, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: secalg.h,v 1.21 2009/10/12 23:48:02 tbox Exp $ */
#ifndef DNS_SECALG_H
#define DNS_SECALG_H 1
@@ -66,6 +66,13 @@ dns_secalg_totext(dns_secalg_t secalg, isc_buffer_t *target);
*\li ISC_R_NOSPACE target buffer is too small
*/
+#define DNS_SECALG_FORMATSIZE 20
+void
+dns_secalg_format(dns_secalg_t alg, char *cp, unsigned int size);
+/*%<
+ * Wrapper for dns_secalg_totext(), writing text into 'cp'
+ */
+
ISC_LANG_ENDDECLS
#endif /* DNS_SECALG_H */
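Review bot: The comment on dns_secalg_format does not say what the function does when `size` is too small for the text, or whether `cp` is always NUL-terminated. dns_secalg_totext, which it wraps, can return ISC_R_NOSPACE, but this wrapper returns void, so the caller cannot detect the failure. The comment should state the contract, for example `'cp' must point to at least 'size' bytes; the result is always NUL-terminated and DNS_SECALG_FORMATSIZE is large enough for any algorithm`, after checking it against the implementation, which is not on this page.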
diff --git a/contrib/bind9/lib/dns/include/dns/soa.h b/contrib/bind9/lib/dns/include/dns/soa.h
index ab3f188bb346..696235eea87b 100644
--- a/contrib/bind9/lib/dns/include/dns/soa.h
+++ b/contrib/bind9/lib/dns/include/dns/soa.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2007, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: soa.h,v 1.12 2009/09/10 01:47:09 each Exp $ */
#ifndef DNS_SOA_H
#define DNS_SOA_H 1
@@ -40,6 +40,28 @@
ISC_LANG_BEGINDECLS
+#define DNS_SOA_BUFFERSIZE ((2 * DNS_NAME_MAXWIRE) + (4 * 5))
+
+isc_result_t
+dns_soa_buildrdata(dns_name_t *origin, dns_name_t *contact,
+ dns_rdataclass_t rdclass,
+ isc_uint32_t serial, isc_uint32_t refresh,
+ isc_uint32_t retry, isc_uint32_t expire,
+ isc_uint32_t minimum, unsigned char *buffer,
+ dns_rdata_t *rdata);
+/*%<
+ * Build the rdata of an SOA record.
+ *
+ * Requires:
+ *\li buffer Points to a temporary buffer of at least
+ * DNS_SOA_BUFFERSIZE bytes.
+ *\li rdata Points to an initialized dns_rdata_t.
+ *
+ * Ensures:
+ * \li *rdata Contains a valid SOA rdata. The 'data' member
+ * refers to 'buffer'.
+ */
+
isc_uint32_t
dns_soa_getserial(dns_rdata_t *rdata);
isc_uint32_t
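Review bot: dns_soa_buildrdata takes `buffer` without a length, so the only protection against writing past the end is the caller honouring the "at least DNS_SOA_BUFFERSIZE bytes" line in the comment. Because the Ensures section says `rdata`'s data member refers to `buffer`, the comment should also state the lifetime rule: `'buffer' must remain valid and unmodified for as long as 'rdata' is in use`. The comment has no Returns section and no requirement on `origin` and `contact`; both are worth adding.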
diff --git a/contrib/bind9/lib/dns/include/dns/ssu.h b/contrib/bind9/lib/dns/include/dns/ssu.h
index 40f84b1bad06..fbe01c3d6641 100644
--- a/contrib/bind9/lib/dns/include/dns/ssu.h
+++ b/contrib/bind9/lib/dns/include/dns/ssu.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2008, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2008, 2010, 2011 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: ssu.h,v 1.28 2011/01/06 23:47:00 tbox Exp $ */
#ifndef DNS_SSU_H
#define DNS_SSU_H 1
@@ -25,6 +25,7 @@
#include <isc/lang.h>
#include <dns/types.h>
+#include <dst/dst.h>
ISC_LANG_BEGINDECLS
@@ -40,7 +41,9 @@ ISC_LANG_BEGINDECLS
#define DNS_SSUMATCHTYPE_SUBDOMAINKRB5 9
#define DNS_SSUMATCHTYPE_TCPSELF 10
#define DNS_SSUMATCHTYPE_6TO4SELF 11
-#define DNS_SSUMATCHTYPE_MAX 11 /* max value */
+#define DNS_SSUMATCHTYPE_EXTERNAL 12
+#define DNS_SSUMATCHTYPE_DLZ 13
+#define DNS_SSUMATCHTYPE_MAX 12 /* max value */
isc_result_t
dns_ssutable_create(isc_mem_t *mctx, dns_ssutable_t **table);
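Review bot: DNS_SSUMATCHTYPE_DLZ is defined as 13 while DNS_SSUMATCHTYPE_MAX stays at 12 with the comment `/* max value */`, so the new constant lies outside the range that MAX advertises. If this is deliberate, say so on the line, for example `#define DNS_SSUMATCHTYPE_DLZ 13 /* intentionally higher than _MAX */`. A plausible reason is that the DLZ match type should not be reachable through range checks against MAX. Otherwise a later reader may "fix" MAX to 13, or size a table by MAX and index it with DLZ. If it is not deliberate, MAX should be 13.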
@@ -57,6 +60,16 @@ dns_ssutable_create(isc_mem_t *mctx, dns_ssutable_t **table);
*\li ISC_R_NOMEMORY
*/
+isc_result_t
+dns_ssutable_createdlz(isc_mem_t *mctx, dns_ssutable_t **tablep,
+ dns_dlzdb_t *dlzdatabase);
+/*%<
+ * Create an SSU table that contains a dlzdatabase pointer, and a
+ * single rule with matchtype DNS_SSUMATCHTYPE_DLZ. This type of SSU
+ * table is used by writeable DLZ drivers to offload authorization for
+ * updates to the driver.
+ */
+
void
dns_ssutable_attach(dns_ssutable_t *source, dns_ssutable_t **targetp);
/*%<
@@ -120,7 +133,7 @@ dns_ssutable_addrule(dns_ssutable_t *table, isc_boolean_t grant,
isc_boolean_t
dns_ssutable_checkrules(dns_ssutable_t *table, dns_name_t *signer,
dns_name_t *name, isc_netaddr_t *tcpaddr,
- dns_rdatatype_t type);
+ dns_rdatatype_t type, const dst_key_t *key);
/*%<
* Checks that the attempted update of (name, type) is allowed according
* to the rules specified in the simple-secure-update rule table. If
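Review bot: dns_ssutable_checkrules gains a `key` argument, but the part of its comment visible here does not mention it; the comment continues outside this hunk. It should say whether `key` may be NULL and which match types read it, since this function makes the update-authorization decision. This is also a signature change on an exported function, so every existing caller has to be updated in the same commit.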
@@ -184,6 +197,16 @@ isc_result_t dns_ssutable_nextrule(dns_ssurule_t *rule,
*\li #ISC_R_NOMORE
*/
+
+/*%<
+ * Check a policy rule via an external application
+ */
+isc_boolean_t
+dns_ssu_external_match(dns_name_t *identity, dns_name_t *signer,
+ dns_name_t *name, isc_netaddr_t *tcpaddr,
+ dns_rdatatype_t type, const dst_key_t *key,
+ isc_mem_t *mctx);
+
ISC_LANG_ENDDECLS
#endif /* DNS_SSU_H */
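Review bot: The comment for dns_ssu_external_match is opened with `/*%<` and placed before the declaration; in this file's convention that marker documents the preceding item, so the text attaches to dns_ssutable_nextrule. Move the comment below the prototype, or open it with `/*%`. The comment also omits the one thing a caller of an authorization hook needs: the return value when the external application cannot be reached or gives a malformed answer. State that the result is ISC_FALSE (deny) in that case, if that is what ssu_external.c does; that file is not shown on this page.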
diff --git a/contrib/bind9/lib/dns/include/dns/tkey.h b/contrib/bind9/lib/dns/include/dns/tkey.h
index 61d1fcd310b8..0dcec1ecb4c7 100644
--- a/contrib/bind9/lib/dns/include/dns/tkey.h
+++ b/contrib/bind9/lib/dns/include/dns/tkey.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2007, 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009-2011 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: tkey.h,v 1.32 2011/01/08 23:47:01 tbox Exp $ */
#ifndef DNS_TKEY_H
#define DNS_TKEY_H 1
@@ -44,6 +44,7 @@ struct dns_tkeyctx {
gss_cred_id_t gsscred;
isc_mem_t *mctx;
isc_entropy_t *ectx;
+ char *gssapi_keytab;
};
isc_result_t
@@ -123,7 +124,8 @@ dns_tkey_builddhquery(dns_message_t *msg, dst_key_t *key, dns_name_t *name,
isc_result_t
dns_tkey_buildgssquery(dns_message_t *msg, dns_name_t *name, dns_name_t *gname,
isc_buffer_t *intoken, isc_uint32_t lifetime,
- gss_ctx_id_t *context, isc_boolean_t win2k);
+ gss_ctx_id_t *context, isc_boolean_t win2k,
+ isc_mem_t *mctx, char **err_message);
/*%<
* Builds a query containing a TKEY that will generate a GSSAPI context.
* The key is requested to have the specified lifetime (in seconds).
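Review bot: The new `char **err_message` out-parameter has no ownership contract. The only text added for it is the line `*err_message optional error message` in the Returns list of the next hunk. dns_tkey_buildgssquery also receives `mctx`, while dns_tkey_processgssresponse and dns_tkey_gssnegotiate (later hunks) receive `err_message` without one. The header therefore does not show which memory context the string comes from, or who frees it. Each comment should say whether `err_message` may be NULL, whether `*err_message` must be NULL on entry, and how the caller releases it.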
@@ -141,6 +143,7 @@ dns_tkey_buildgssquery(dns_message_t *msg, dns_name_t *name, dns_name_t *gname,
*\li ISC_R_SUCCESS msg was successfully updated to include the
* query to be sent
*\li other an error occurred while building the message
+ *\li *err_message optional error message
*/
@@ -187,7 +190,7 @@ isc_result_t
dns_tkey_processgssresponse(dns_message_t *qmsg, dns_message_t *rmsg,
dns_name_t *gname, gss_ctx_id_t *context,
isc_buffer_t *outtoken, dns_tsigkey_t **outkey,
- dns_tsig_keyring_t *ring);
+ dns_tsig_keyring_t *ring, char **err_message);
/*%<
* XXX
*/
@@ -211,12 +214,11 @@ dns_tkey_processdeleteresponse(dns_message_t *qmsg, dns_message_t *rmsg,
* component of the query or response
*/
-
isc_result_t
dns_tkey_gssnegotiate(dns_message_t *qmsg, dns_message_t *rmsg,
dns_name_t *server, gss_ctx_id_t *context,
dns_tsigkey_t **outkey, dns_tsig_keyring_t *ring,
- isc_boolean_t win2k);
+ isc_boolean_t win2k, char **err_message);
/*
* Client side negotiation of GSS-TSIG. Process the response
diff --git a/contrib/bind9/lib/dns/include/dns/tsec.h b/contrib/bind9/lib/dns/include/dns/tsec.h
new file mode 100644
index 000000000000..4f31c3e2949d
--- /dev/null
+++ b/contrib/bind9/lib/dns/include/dns/tsec.h
@@ -0,0 +1,137 @@
+/*
+ * Copyright (C) 2009, 2010, 2012 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: tsec.h,v 1.6 2010/12/09 00:54:34 marka Exp $ */
+
+#ifndef DNS_TSEC_H
+#define DNS_TSEC_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*! \file
+ *
+ * \brief
+ * The TSEC (Transaction Security) module is an abstraction layer for managing
+ * DNS transaction mechanisms such as TSIG or SIG(0). A TSEC structure is a
+ * mechanism-independent object containing key information specific to the
+ * mechanism, and is expected to be used as an argument to other modules
+ * that use transaction security in a mechanism-independent manner.
+ *
+ * MP:
+ *\li A TSEC structure is expected to be thread-specific. No inter-thread
+ * synchronization is ensured in multiple access to a single TSEC
+ * structure.
+ *
+ * Resources:
+ *\li TBS
+ *
+ * Security:
+ *\li This module does not handle any low-level data directly, and so no
+ * security issue specific to this module is anticipated.
+ */
+
+#include <dns/types.h>
+
+#include <dst/dst.h>
+
+ISC_LANG_BEGINDECLS
+
+/***
+ *** Types
+ ***/
+
+/*%
+ * Transaction security types.
+ */
+typedef enum {
+ dns_tsectype_none,
+ dns_tsectype_tsig,
+ dns_tsectype_sig0
+} dns_tsectype_t;
+
+isc_result_t
+dns_tsec_create(isc_mem_t *mctx, dns_tsectype_t type, dst_key_t *key,
+ dns_tsec_t **tsecp);
+/*%<
+ * Create a TSEC structure and stores a type-dependent key structure in it.
+ * For a TSIG key (type is dns_tsectype_tsig), dns_tsec_create() creates a
+ * TSIG key structure from '*key' and keeps it in the structure. For other
+ * types, this function simply retains '*key' in the structure. In either
+ * case, the ownership of '*key' is transferred to the TSEC module; the caller
+ * must not modify or destroy it after the call to dns_tsec_create().
+ *
+ * Requires:
+ *
+ *\li 'mctx' is a valid memory context.
+ *
+ *\li 'type' is a valid value of dns_tsectype_t (see above).
+ *
+ *\li 'key' is a valid key.
+ *
+ *\li tsecp != NULL && *tsecp == NULL.
+ *
+ * Returns:
+ *
+ *\li #ISC_R_SUCCESS On success.
+ *
+ *\li Anything else Failure.
+ */
+
+void
+dns_tsec_destroy(dns_tsec_t **tsecp);
+/*%<
+ * Destroy the TSEC structure. The stored key is also detached or destroyed.
+ *
+ * Requires
+ *
+ *\li '*tsecp' is a valid TSEC structure.
+ *
+ * Ensures
+ *
+ *\li *tsecp == NULL.
+ *
+ */
+
+dns_tsectype_t
+dns_tsec_gettype(dns_tsec_t *tsec);
+/*%<
+ * Return the TSEC type of '*tsec'.
+ *
+ * Requires
+ *
+ *\li 'tsec' is a valid TSEC structure.
+ *
+ */
+
+void
+dns_tsec_getkey(dns_tsec_t *tsec, void *keyp);
+/*%<
+ * Return the TSEC key of '*tsec' in '*keyp'.
+ *
+ * Requires
+ *
+ *\li keyp != NULL
+ *
+ * Ensures
+ *
+ *\li *tsecp points to a valid key structure depending on the TSEC type.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_TSEC_H */
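Review bot: The Ensures line of dns_tsec_getkey reads `*tsecp points to a valid key structure`, but the function has no `tsecp` parameter; it should name `*keyp`. Its Requires list also omits `'tsec' is a valid TSEC structure`. Because `keyp` is a plain `void *`, the comment should spell out which pointer type the caller must pass for each dns_tsectype_t, since the compiler cannot check it. For dns_tsec_create, the statement that ownership of `key` is transferred does not say whether that also holds when the call fails. That decides whether the caller must free the key on the error path.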
diff --git a/contrib/bind9/lib/dns/include/dns/tsig.h b/contrib/bind9/lib/dns/include/dns/tsig.h
index e86f832f4210..0422414d6edc 100644
--- a/contrib/bind9/lib/dns/include/dns/tsig.h
+++ b/contrib/bind9/lib/dns/include/dns/tsig.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2007, 2010, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009-2011 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: tsig.h,v 1.59 2011/01/11 23:47:13 tbox Exp $ */
#ifndef DNS_TSIG_H
#define DNS_TSIG_H 1
@@ -25,6 +25,7 @@
#include <isc/lang.h>
#include <isc/refcount.h>
#include <isc/rwlock.h>
+#include <isc/stdio.h>
#include <isc/stdtime.h>
#include <dns/types.h>
@@ -69,6 +70,7 @@ struct dns_tsig_keyring {
unsigned int generated;
unsigned int maxgenerated;
ISC_LIST(dns_tsigkey_t) lru;
+ unsigned int references;
};
struct dns_tsigkey {
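Review bot: The new `unsigned int references;` member of `struct dns_tsig_keyring` is a bare counter with nothing saying what serialises updates to it, and the attach/detach pair declared later in this file will change it from whichever thread holds a ring. A racy count on an object that owns TSIG keys can end in a premature free or a leak, so the field should carry a comment naming its guard, e.g. `unsigned int references; /* protected by the ring's lock */`. The header already includes `<isc/refcount.h>`, so `isc_refcount_t` may be an alternative. The struct begins outside this hunk, so the lock member itself is not visible here.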
@@ -253,9 +255,30 @@ dns_tsigkeyring_create(isc_mem_t *mctx, dns_tsig_keyring_t **ringp);
*\li #ISC_R_NOMEMORY
*/
+isc_result_t
+dns_tsigkeyring_add(dns_tsig_keyring_t *ring, dns_name_t *name,
+ dns_tsigkey_t *tkey);
+/*%<
+ * Place a TSIG key onto a key ring.
+ *
+ * Requires:
+ *\li 'ring', 'name' and 'tkey' are not NULL
+ *
+ * Returns:
+ *\li #ISC_R_SUCCESS
+ *\li Any other value indicates failure.
+ */
+
+
+void
+dns_tsigkeyring_attach(dns_tsig_keyring_t *source, dns_tsig_keyring_t **target);
void
-dns_tsigkeyring_destroy(dns_tsig_keyring_t **ringp);
+dns_tsigkeyring_detach(dns_tsig_keyring_t **ringp);
+
+isc_result_t
+dns_tsigkeyring_dumpanddetach(dns_tsig_keyring_t **ringp, FILE *fp);
+
/*%<
* Destroy a TSIG key ring.
*
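Review bot: The `/*%< Destroy a TSIG key ring.` block now trails `dns_tsigkeyring_dumpanddetach()` and describes none of the three declarations above it. `dns_tsigkeyring_attach()` and `dns_tsigkeyring_detach()` have no contract, and "Destroy" no longer matches a reference-counted ring. Each declaration should get its own block stating that the ring is freed only when the last reference is detached and that `*ringp` is NULL afterwards. The `dumpanddetach` block should also say what is written to `fp`; if that is key material, it should state that the caller must supply a stream on a file with restrictive permissions. `dns_keyring_restore()` in the next hunk is undocumented as well and drops the `dns_tsigkeyring_` prefix used by its siblings; the comment body continues outside this hunk.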
@@ -263,6 +286,9 @@ dns_tsigkeyring_destroy(dns_tsig_keyring_t **ringp);
*\li 'ringp' is not NULL
*/
+void
+dns_keyring_restore(dns_tsig_keyring_t *ring, FILE *fp);
+
ISC_LANG_ENDDECLS
#endif /* DNS_TSIG_H */
diff --git a/contrib/bind9/lib/dns/include/dns/types.h b/contrib/bind9/lib/dns/include/dns/types.h
index e0f6a7d27cf0..921c76aaf308 100644
--- a/contrib/bind9/lib/dns/include/dns/types.h
+++ b/contrib/bind9/lib/dns/include/dns/types.h
@@ -44,6 +44,10 @@ typedef struct dns_adbentry dns_adbentry_t;
typedef struct dns_adbfind dns_adbfind_t;
typedef ISC_LIST(dns_adbfind_t) dns_adbfindlist_t;
typedef struct dns_byaddr dns_byaddr_t;
+typedef struct dns_client dns_client_t;
+typedef void dns_clientrestrans_t;
+typedef void dns_clientreqtrans_t;
+typedef void dns_clientupdatetrans_t;
typedef struct dns_cache dns_cache_t;
typedef isc_uint16_t dns_cert_t;
typedef struct dns_compress dns_compress_t;
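Review bot: The three transaction handles are declared as `typedef void dns_clientrestrans_t;` (and likewise `dns_clientreqtrans_t`, `dns_clientupdatetrans_t`), so a pointer to any of them is a `void *`. The compiler will then accept a request handle where a resolve handle is expected without a diagnostic. Unless the implementation depends on the void type, incomplete struct types keep the handles opaque and distinct, e.g. `typedef struct dns_clientrestrans dns_clientrestrans_t;`. If `void` is deliberate, a one-line comment above the typedefs saying so would help.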
@@ -63,6 +67,10 @@ typedef struct dns_dispatchevent dns_dispatchevent_t;
typedef struct dns_dispatchlist dns_dispatchlist_t;
typedef struct dns_dispatchmgr dns_dispatchmgr_t;
typedef struct dns_dispentry dns_dispentry_t;
+typedef struct dns_dns64 dns_dns64_t;
+typedef ISC_LIST(dns_dns64_t) dns_dns64list_t;
+typedef struct dns_dnsseckey dns_dnsseckey_t;
+typedef ISC_LIST(dns_dnsseckey_t) dns_dnsseckeylist_t;
typedef struct dns_dumpctx dns_dumpctx_t;
typedef struct dns_fetch dns_fetch_t;
typedef struct dns_fixedname dns_fixedname_t;
@@ -72,6 +80,7 @@ typedef struct dns_iptable dns_iptable_t;
typedef isc_uint32_t dns_iterations_t;
typedef isc_uint16_t dns_keyflags_t;
typedef struct dns_keynode dns_keynode_t;
+typedef ISC_LIST(dns_keynode_t) dns_keynodelist_t;
typedef struct dns_keytable dns_keytable_t;
typedef isc_uint16_t dns_keytag_t;
typedef struct dns_loadctx dns_loadctx_t;
@@ -111,6 +120,7 @@ typedef struct dns_stats dns_stats_t;
typedef isc_uint32_t dns_rdatastatstype_t;
typedef struct dns_tkeyctx dns_tkeyctx_t;
typedef isc_uint16_t dns_trust_t;
+typedef struct dns_tsec dns_tsec_t;
typedef struct dns_tsig_keyring dns_tsig_keyring_t;
typedef struct dns_tsigkey dns_tsigkey_t;
typedef isc_uint32_t dns_ttl_t;
@@ -179,6 +189,12 @@ typedef enum {
dns_masterformat_raw = 2
} dns_masterformat_t;
+typedef enum {
+ dns_v4_aaaa_ok = 0,
+ dns_v4_aaaa_filter = 1,
+ dns_v4_aaaa_break_dnssec = 2
+} dns_v4_aaaa_t;
+
/*
* These are generated by gen.c.
*/
diff --git a/contrib/bind9/lib/dns/include/dns/validator.h b/contrib/bind9/lib/dns/include/dns/validator.h
index 265e49892476..7d6ea7a89d2f 100644
--- a/contrib/bind9/lib/dns/include/dns/validator.h
+++ b/contrib/bind9/lib/dns/include/dns/validator.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2010, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: validator.h,v 1.46 2010/02/25 05:08:01 tbox Exp $ */
#ifndef DNS_VALIDATOR_H
#define DNS_VALIDATOR_H 1
diff --git a/contrib/bind9/lib/dns/include/dns/view.h b/contrib/bind9/lib/dns/include/dns/view.h
index 667b87522ec1..4a0486721b26 100644
--- a/contrib/bind9/lib/dns/include/dns/view.h
+++ b/contrib/bind9/lib/dns/include/dns/view.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2010, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -73,6 +73,8 @@
#include <dns/acl.h>
#include <dns/fixedname.h>
+#include <dns/rdatastruct.h>
+#include <dns/rpz.h>
#include <dns/types.h>
ISC_LANG_BEGINDECLS
@@ -92,8 +94,13 @@ struct dns_view {
dns_cache_t * cache;
dns_db_t * cachedb;
dns_db_t * hints;
- dns_keytable_t * secroots;
- dns_keytable_t * trustedkeys;
+
+ /*
+ * security roots.
+ * internal use only; access via * dns_view_getsecroots()
+ */
+ dns_keytable_t * secroots_priv;
+
isc_mutex_t lock;
isc_boolean_t frozen;
isc_task_t * task;
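Review bot: The comment on `secroots_priv` reads `access via * dns_view_getsecroots()`; the stray `*` looks like a re-wrapped comment line and should go: `* internal use only; access via dns_view_getsecroots()`. The rename is also not carried into the documentation added near the end of this file, where `dns_view_initsecroots()` still lists `'view->secroots' is NULL` as a requirement. That line should name `view->secroots_priv` or simply say that the security roots have not yet been initialized.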
@@ -102,6 +109,7 @@ struct dns_view {
isc_event_t reqevent;
isc_stats_t * resstats;
dns_stats_t * resquerystats;
+ isc_boolean_t cacheshared;
/* Configurable data. */
dns_tsig_keyring_t * statickeys;
@@ -129,6 +137,10 @@ struct dns_view {
dns_acl_t * transferacl;
dns_acl_t * updateacl;
dns_acl_t * upfwdacl;
+ dns_acl_t * denyansweracl;
+ dns_rbt_t * answeracl_exclude;
+ dns_rbt_t * denyanswernames;
+ dns_rbt_t * answernames_exclude;
isc_boolean_t requestixfr;
isc_boolean_t provideixfr;
isc_boolean_t requestnsid;
@@ -145,6 +157,13 @@ struct dns_view {
dns_name_t * dlv;
dns_fixedname_t dlv_fixed;
isc_uint16_t maxudp;
+ dns_v4_aaaa_t v4_aaaa;
+ dns_acl_t * v4_aaaa_acl;
+ dns_dns64list_t dns64;
+ unsigned int dns64cnt;
+ ISC_LIST(dns_rpz_zone_t) rpz_zones;
+ isc_boolean_t rpz_recursive_only;
+ isc_boolean_t rpz_break_dnssec;
/*
* Configurable data for server use only,
@@ -162,6 +181,17 @@ struct dns_view {
unsigned int attributes;
/* Under owner's locking control. */
ISC_LINK(struct dns_view) link;
+ dns_viewlist_t * viewlist;
+
+ dns_zone_t * managed_keys;
+
+#ifdef BIND9
+ /* File in which to store configuration for newly added zones */
+ char * new_zone_file;
+
+ void * new_zone_config;
+ void (*cfg_destroy)(void **);
+#endif
};
#define DNS_VIEW_MAGIC ISC_MAGIC('V','i','e','w')
@@ -310,8 +340,12 @@ dns_view_createresolver(dns_view_t *view,
void
dns_view_setcache(dns_view_t *view, dns_cache_t *cache);
+void
+dns_view_setcache2(dns_view_t *view, dns_cache_t *cache, isc_boolean_t shared);
/*%<
- * Set the view's cache database.
+ * Set the view's cache database. If 'shared' is true, this means the cache
+ * is created by another view and is shared with that view. dns_view_setcache()
+ * is a backward compatible version equivalent to setcache2(..., ISC_FALSE).
*
* Requires:
*
@@ -346,6 +380,8 @@ dns_view_sethints(dns_view_t *view, dns_db_t *hints);
void
dns_view_setkeyring(dns_view_t *view, dns_tsig_keyring_t *ring);
+void
+dns_view_setdynamickeyring(dns_view_t *view, dns_tsig_keyring_t *ring);
/*%<
* Set the view's static TSIG keys
*
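Review bot: `dns_view_setdynamickeyring()` is inserted between `dns_view_setkeyring()` and the existing comment, so the text "Set the view's static TSIG keys" now appears to document the dynamic-ring setter. The new function should get its own block, e.g. `Set the view's dynamic TSIG keys`, and it should state whether the view takes its own reference to `ring` or assumes the caller's. That matters now that key rings are attached and detached rather than destroyed. The comment continues outside this hunk, so its Requires list may need the same split.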
@@ -362,6 +398,15 @@ dns_view_setkeyring(dns_view_t *view, dns_tsig_keyring_t *ring);
*/
void
+dns_view_getdynamickeyring(dns_view_t *view, dns_tsig_keyring_t **ringp);
+/*%<
+ * Return the views dynamic keys.
+ *
+ * \li 'view' is a valid, unfrozen view.
+ * \li 'ringp' != NULL && ringp == NULL.
+ */
+
+void
dns_view_setdstport(dns_view_t *view, in_port_t dstport);
/*%<
* Set the view's destination port. This is the port to
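Review bot: The requirement `'ringp' != NULL && ringp == NULL` in the `dns_view_getdynamickeyring()` comment contradicts itself; the second operand should dereference the pointer: `\li 'ringp' != NULL && *ringp == NULL.` The two `\li` lines also lack the `Requires:` heading that the other blocks in this file use. The comment requires an unfrozen view for what is described as a getter, which is worth confirming against the implementation. It should also say whether the returned ring is attached and must be released with `dns_tsigkeyring_detach()`.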
@@ -398,7 +443,7 @@ dns_view_addzone(dns_view_t *view, dns_zone_t *zone);
void
dns_view_freeze(dns_view_t *view);
/*%<
- * Freeze view.
+ * Freeze view. No changes can be made to view configuration while frozen.
*
* Requires:
*
@@ -409,14 +454,44 @@ dns_view_freeze(dns_view_t *view);
*\li 'view' is frozen.
*/
+void
+dns_view_thaw(dns_view_t *view);
+/*%<
+ * Thaw view. This allows zones to be added or removed at runtime. This is
+ * NOT thread-safe; the caller MUST have run isc_task_exclusive() prior to
+ * thawing the view.
+ *
+ * Requires:
+ *
+ *\li 'view' is a valid, frozen view.
+ *
+ * Ensures:
+ *
+ *\li 'view' is no longer frozen.
+ */
isc_result_t
dns_view_find(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
isc_stdtime_t now, unsigned int options, isc_boolean_t use_hints,
dns_db_t **dbp, dns_dbnode_t **nodep, dns_name_t *foundname,
dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset);
+isc_result_t
+dns_view_find2(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
+ isc_stdtime_t now, unsigned int options,
+ isc_boolean_t use_hints, isc_boolean_t use_static_stub,
+ dns_db_t **dbp, dns_dbnode_t **nodep, dns_name_t *foundname,
+ dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset);
/*%<
* Find an rdataset whose owner name is 'name', and whose type is
* 'type'.
+ * In general, this function first searches view's zone and cache DBs for the
+ * best match data against 'name'. If nothing found there, and if 'use_hints'
+ * is ISC_TRUE, the view's hint DB (if configured) is searched.
+ * If the view is configured with a static-stub zone which gives the longest
+ * match for 'name' among the zones, however, the cache DB is not consulted
+ * unless 'use_static_stub' is ISC_FALSE (see below about this argument).
+ *
+ * dns_view_find() is a backward compatible version equivalent to
+ * dns_view_find2() with use_static_stub argument being ISC_FALSE.
*
* Notes:
*
@@ -432,6 +507,23 @@ dns_view_find(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
* in the hints database but not the type, the result code will be
* #DNS_R_HINTNXRRSET.
*
+ *\li If 'use_static_stub' is ISC_FALSE and the longest match zone for 'name'
+ * is a static-stub zone, it's ignored and the cache and/or hints will be
+ * searched. In the majority of the cases this argument should be
+ * ISC_FALSE. The only known usage of this argument being ISC_TRUE is
+ * if this search is for a "bailiwick" glue A or AAAA RRset that may
+ * best match a static-stub zone. Consider the following example:
+ * this view is configured with a static-stub zone "example.com",
+ * and an attempt of recursive resolution needs to send a query for the
+ * zone. In this case it's quite likely that the resolver is trying to
+ * find A/AAAA RRs for the apex name "example.com". And, to honor the
+ * static-stub configuration it needs to return the glue RRs in the
+ * static-stub zone even if that exact RRs coming from the authoritative
+ * zone has been cached.
+ * In other general cases, the requested data is better to be
+ * authoritative, either locally configured or retrieved from an external
+ * server, and the data in the static-stub zone should better be ignored.
+ *
*\li 'foundname' must meet the requirements of dns_db_find().
*
*\li If 'sigrdataset' is not NULL, and there is a SIG rdataset which
@@ -728,8 +820,14 @@ dns_view_dumpdbtostream(dns_view_t *view, FILE *fp);
isc_result_t
dns_view_flushcache(dns_view_t *view);
+isc_result_t
+dns_view_flushcache2(dns_view_t *view, isc_boolean_t fixuponly);
/*%<
- * Flush the view's cache (and ADB).
+ * Flush the view's cache (and ADB). If 'fixuponly' is true, it only updates
+ * the internal reference to the cache DB with omitting actual flush operation.
+ * 'fixuponly' is intended to be used for a view that shares a cache with
+ * a different view. dns_view_flushcache() is a backward compatible version
+ * that always sets fixuponly to false.
*
* Requires:
* 'view' is valid.
@@ -878,6 +976,107 @@ dns_view_getresquerystats(dns_view_t *view, dns_stats_t **statsp);
*\li 'statsp' != NULL && '*statsp' != NULL
*/
+isc_boolean_t
+dns_view_iscacheshared(dns_view_t *view);
+/*%<
+ * Check if the view shares the cache created by another view.
+ *
+ * Requires:
+ * \li 'view' is valid.
+ *
+ * Returns:
+ *\li #ISC_TRUE if the cache is shared.
+ *\li #ISC_FALSE otherwise.
+ */
+
+isc_result_t
+dns_view_initsecroots(dns_view_t *view, isc_mem_t *mctx);
+/*%<
+ * Initialize security roots for the view. (Note that secroots is
+ * NULL until this function is called, so any function using
+ * secroots must check its validity first. One way to do this is
+ * use dns_view_getsecroots() and check its return value.)
+ *
+ * Requires:
+ * \li 'view' is valid.
+ * \li 'view->secroots' is NULL.
+ *
+ * Returns:
+ *\li ISC_R_SUCCESS
+ *\li Any other result indicates failure
+ */
+
+isc_result_t
+dns_view_getsecroots(dns_view_t *view, dns_keytable_t **ktp);
+/*%<
+ * Get the security roots for this view. Returns ISC_R_NOTFOUND if
+ * the security roots keytable has not been initialized for the view.
+ *
+ * '*ktp' is attached on success; the caller is responsible for
+ * detaching it with dns_keytable_detach().
+ *
+ * Requires:
+ * \li 'view' is valid.
+ * \li 'ktp' is not NULL and '*ktp' is NULL.
+ *
+ * Returns:
+ *\li ISC_R_SUCCESS
+ *\li ISC_R_NOTFOUND
+ */
+
+isc_result_t
+dns_view_issecuredomain(dns_view_t *view, dns_name_t *name,
+ isc_boolean_t *secure_domain);
+/*%<
+ * Is 'name' at or beneath a trusted key? Put answer in
+ * '*secure_domain'.
+ *
+ * Requires:
+ * \li 'view' is valid.
+ *
+ * Returns:
+ *\li ISC_R_SUCCESS
+ *\li Any other value indicates failure
+ */
+
+void
+dns_view_untrust(dns_view_t *view, dns_name_t *keyname,
+ dns_rdata_dnskey_t *dnskey, isc_mem_t *mctx);
+/*%<
+ * Remove keys that match 'keyname' and 'dnskey' from the views trust
+ * anchors.
+ *
+ * Requires:
+ * \li 'view' is valid.
+ * \li 'keyname' is valid.
+ * \li 'mctx' is valid.
+ * \li 'dnskey' is valid.
+ */
+
+void
+dns_view_setnewzones(dns_view_t *view, isc_boolean_t allow, void *cfgctx,
+ void (*cfg_destroy)(void **));
+/*%<
+ * Set whether or not to allow zones to be created or deleted at runtime.
+ *
+ * If 'allow' is ISC_TRUE, determines the filename into which new zone
+ * configuration will be written. Preserves the configuration context
+ * (a pointer to which is passed in 'cfgctx') for use when parsing new
+ * zone configuration. 'cfg_destroy' points to a callback routine to
+ * destroy the configuration context when the view is destroyed. (This
+ * roundabout method is used in order to avoid libdns having a dependency
+ * on libisccfg and libbind9.)
+ *
+ * If 'allow' is ISC_FALSE, removes any existing references to
+ * configuration context and frees any memory.
+ *
+ * Requires:
+ * \li 'view' is valid.
+ */
+
+void
+dns_view_restorekeyring(dns_view_t *view);
+
ISC_LANG_ENDDECLS
#endif /* DNS_VIEW_H */
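Review bot: `dns_view_restorekeyring()` is declared at the end of this hunk with no comment, although it presumably loads TSIG keys from a file. The header should say which file is read, what happens when it is missing or malformed, and what state the view must be in. `dns_view_issecuredomain()` requires only a valid `view`, yet it dereferences `name` and writes through `secure_domain`; add `\li 'name' is valid.` and `\li 'secure_domain' is not NULL.` to its Requires list. For `dns_view_setnewzones()`, state that the view takes ownership of `cfgctx` and calls `cfg_destroy` on it, and whether `cfg_destroy` may be NULL.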
diff --git a/contrib/bind9/lib/dns/include/dns/xfrin.h b/contrib/bind9/lib/dns/include/dns/xfrin.h
index 7cc5ce7f21c2..2f20c35f4d05 100644
--- a/contrib/bind9/lib/dns/include/dns/xfrin.h
+++ b/contrib/bind9/lib/dns/include/dns/xfrin.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2007, 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001, 2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: xfrin.h,v 1.30 2009/01/17 23:47:43 tbox Exp $ */
#ifndef DNS_XFRIN_H
#define DNS_XFRIN_H 1
diff --git a/contrib/bind9/lib/dns/include/dns/zone.h b/contrib/bind9/lib/dns/include/dns/zone.h
index 5bfe1485c0f8..9db825cb09ea 100644
--- a/contrib/bind9/lib/dns/include/dns/zone.h
+++ b/contrib/bind9/lib/dns/include/dns/zone.h
@@ -40,7 +40,10 @@ typedef enum {
dns_zone_none,
dns_zone_master,
dns_zone_slave,
- dns_zone_stub
+ dns_zone_stub,
+ dns_zone_staticstub,
+ dns_zone_key,
+ dns_zone_dlz
} dns_zonetype_t;
#define DNS_ZONEOPT_SERVERS 0x00000001U /*%< perform server checks */
@@ -70,6 +73,10 @@ typedef enum {
#define DNS_ZONEOPT_TRYTCPREFRESH 0x01000000U /*%< try tcp refresh on udp failure */
#define DNS_ZONEOPT_NOTIFYTOSOA 0x02000000U /*%< Notify the SOA MNAME */
#define DNS_ZONEOPT_NSEC3TESTZONE 0x04000000U /*%< nsec3-test-zone */
+#define DNS_ZONEOPT_SECURETOINSECURE 0x08000000U /*%< dnssec-secure-to-insecure */
+#define DNS_ZONEOPT_DNSKEYKSKONLY 0x10000000U /*%< dnssec-dnskey-kskonly */
+#define DNS_ZONEOPT_CHECKDUPRR 0x20000000U /*%< check-dup-records */
+#define DNS_ZONEOPT_CHECKDUPRRFAIL 0x40000000U /*%< fatal check-dup-records failures */
#ifndef NOMINUM_PUBLIC
/*
@@ -78,6 +85,14 @@ typedef enum {
#define DNS_ZONEOPT_NOTIFYFORWARD 0x80000000U /* forward notify to master */
#endif /* NOMINUM_PUBLIC */
+/*
+ * Zone key maintenance options
+ */
+#define DNS_ZONEKEY_ALLOW 0x00000001U /*%< fetch keys on command */
+#define DNS_ZONEKEY_MAINTAIN 0x00000002U /*%< publish/sign on schedule */
+#define DNS_ZONEKEY_CREATE 0x00000004U /*%< make keys when needed */
+#define DNS_ZONEKEY_FULLSIGN 0x00000008U /*%< roll to new keys immediately */
+
#ifndef DNS_ZONE_MINREFRESH
#define DNS_ZONE_MINREFRESH 300 /*%< 5 minutes */
#endif
@@ -367,6 +382,22 @@ dns_zone_getdb(dns_zone_t *zone, dns_db_t **dbp);
*\li DNS_R_NOTLOADED
*/
+void
+dns_zone_setdb(dns_zone_t *zone, dns_db_t *db);
+/*%<
+ * Sets the zone database to 'db'.
+ *
+ * This function is expected to be used to configure a zone with a
+ * database which is not loaded from a file or zone transfer.
+ * It can be used for a general purpose zone, but right now its use
+ * is limited to static-stub zones to avoid possible undiscovered
+ * problems in the general cases.
+ *
+ * Require:
+ *\li 'zone' to be a valid zone of static-stub.
+ *\li zone doesn't have a database.
+ */
+
isc_result_t
dns_zone_setdbtype(dns_zone_t *zone,
unsigned int dbargc, const char * const *dbargv);
@@ -568,6 +599,25 @@ dns_zone_getoptions(dns_zone_t *zone);
*/
void
+dns_zone_setkeyopt(dns_zone_t *zone, unsigned int option, isc_boolean_t value);
+/*%<
+ * Set key options on ('value' == ISC_TRUE) or off ('value' ==
+ * #ISC_FALSE).
+ *
+ * Require:
+ *\li 'zone' to be a valid zone.
+ */
+
+unsigned int
+dns_zone_getkeyopts(dns_zone_t *zone);
+/*%<
+ * Returns the current zone key options.
+ *
+ * Require:
+ *\li 'zone' to be a valid zone.
+ */
+
+void
dns_zone_setminrefreshtime(dns_zone_t *zone, isc_uint32_t val);
/*%<
* Set the minimum refresh time.
@@ -1786,6 +1836,68 @@ dns_zone_getprivatetype(dns_zone_t *zone);
* will not be permanent.
*/
+void
+dns_zone_rekey(dns_zone_t *zone, isc_boolean_t fullsign);
+/*%<
+ * Update the zone's DNSKEY set from the key repository.
+ *
+ * If 'fullsign' is true, trigger an immediate full signing of
+ * the zone with the new key. Otherwise, if there are no keys or
+ * if the new keys are for algorithms that have already signed the
+ * zone, then the zone can be re-signed incrementally.
+ */
+
+isc_result_t
+dns_zone_nscheck(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *version,
+ unsigned int *errors);
+/*%
+ * Check if the name servers for the zone are sane (have address, don't
+ * refer to CNAMEs/DNAMEs. The number of constiancy errors detected in
+ * returned in '*errors'
+ *
+ * Requires:
+ * \li 'zone' to be valid.
+ * \li 'db' to be valid.
+ * \li 'version' to be valid or NULL.
+ * \li 'errors' to be non NULL.
+ *
+ * Returns:
+ * ISC_R_SUCCESS if there were no errors examining the zone contents.
+ */
+
+void
+dns_zone_setadded(dns_zone_t *zone, isc_boolean_t added);
+/*%
+ * Sets the value of zone->added, which should be ISC_TRUE for
+ * zones that were originally added by "rndc addzone".
+ *
+ * Requires:
+ * \li 'zone' to be valid.
+ */
+
+isc_boolean_t
+dns_zone_getadded(dns_zone_t *zone);
+/*%
+ * Returns ISC_TRUE if the zone was originally added at runtime
+ * using "rndc addzone".
+ *
+ * Requires:
+ * \li 'zone' to be valid.
+ */
+
+isc_result_t
+dns_zone_dlzpostload(dns_zone_t *zone, dns_db_t *db);
+/*%
+ * Load the origin names for a writeable DLZ database.
+ */
+
+isc_result_t
+dns_zone_synckeyzone(dns_zone_t *zone);
+/*%
+ * Force the managed key zone to synchronize, and start the key
+ * maintenance timer.
+ */
+
ISC_LANG_ENDDECLS
#endif /* DNS_ZONE_H */
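Review bot: The comments for `dns_zone_nscheck()`, `dns_zone_setadded()`, `dns_zone_getadded()`, `dns_zone_dlzpostload()` and `dns_zone_synckeyzone()` open with `/*%` where the rest of the header uses `/*%<` for a comment that follows its declaration, so Doxygen may attach them to the wrong symbol. The `dns_zone_nscheck()` text is also garbled: the parenthesis is never closed, and "The number of constiancy errors detected in returned" should read `The number of consistency errors detected is returned in '*errors'.` `dns_zone_rekey()`, `dns_zone_dlzpostload()` and `dns_zone_synckeyzone()` have no Requires or Returns sections. The last two return `isc_result_t`, so callers cannot tell from the header which failures to expect.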
diff --git a/contrib/bind9/lib/dns/include/dst/dst.h b/contrib/bind9/lib/dns/include/dst/dst.h
index fd625e02e81c..b0fa690fdd0e 100644
--- a/contrib/bind9/lib/dns/include/dst/dst.h
+++ b/contrib/bind9/lib/dns/include/dst/dst.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2008, 2010, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -23,8 +23,11 @@
/*! \file dst/dst.h */
#include <isc/lang.h>
+#include <isc/stdtime.h>
#include <dns/types.h>
+#include <dns/name.h>
+#include <dns/secalg.h>
#include <dst/gssapi.h>
@@ -55,6 +58,9 @@ typedef struct dst_context dst_context_t;
#define DST_ALG_NSEC3RSASHA1 7
#define DST_ALG_RSASHA256 8
#define DST_ALG_RSASHA512 10
+#define DST_ALG_ECCGOST 12
+#define DST_ALG_ECDSA256 13
+#define DST_ALG_ECDSA384 14
#define DST_ALG_HMACMD5 157
#define DST_ALG_GSSAPI 160
#define DST_ALG_HMACSHA1 161 /* XXXMPA */
@@ -80,12 +86,55 @@ typedef struct dst_context dst_context_t;
#define DST_TYPE_PRIVATE 0x2000000
#define DST_TYPE_PUBLIC 0x4000000
+/* Key timing metadata definitions */
+#define DST_TIME_CREATED 0
+#define DST_TIME_PUBLISH 1
+#define DST_TIME_ACTIVATE 2
+#define DST_TIME_REVOKE 3
+#define DST_TIME_INACTIVE 4
+#define DST_TIME_DELETE 5
+#define DST_TIME_DSPUBLISH 6
+#define DST_MAX_TIMES 6
+
+/* Numeric metadata definitions */
+#define DST_NUM_PREDECESSOR 0
+#define DST_NUM_SUCCESSOR 1
+#define DST_NUM_MAXTTL 2
+#define DST_NUM_ROLLPERIOD 3
+#define DST_MAX_NUMERIC 3
+
+/*
+ * Current format version number of the private key parser.
+ *
+ * When parsing a key file with the same major number but a higher minor
+ * number, the key parser will ignore any fields it does not recognize.
+ * Thus, DST_MINOR_VERSION should be incremented whenever new
+ * fields are added to the private key file (such as new metadata).
+ *
+ * When rewriting these keys, those fields will be dropped, and the
+ * format version set back to the current one..
+ *
+ * When a key is seen with a higher major number, the key parser will
+ * reject it as invalid. Thus, DST_MAJOR_VERSION should be incremented
+ * and DST_MINOR_VERSION set to zero whenever there is a format change
+ * which is not backward compatible to previous versions of the dst_key
+ * parser, such as change in the syntax of an existing field, the removal
+ * of a currently mandatory field, or a new field added which would
+ * alter the functioning of the key if it were absent.
+ */
+#define DST_MAJOR_VERSION 1
+#define DST_MINOR_VERSION 3
+
/***
*** Functions
***/
isc_result_t
dst_lib_init(isc_mem_t *mctx, isc_entropy_t *ectx, unsigned int eflags);
+
+isc_result_t
+dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx,
+ const char *engine, unsigned int eflags);
/*%<
* Initializes the DST subsystem.
*
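Review bot: `DST_MAX_TIMES` is 6 and `DST_MAX_NUMERIC` is 3, the same values as the last indices `DST_TIME_DSPUBLISH` and `DST_NUM_ROLLPERIOD`, so both macros are highest valid indices rather than element counts. An array sized with the bare macro would be one slot short; the storage declarations are not in this header, so this is a caution rather than a confirmed defect. A comment on each would make the convention explicit, e.g. `#define DST_MAX_TIMES 6 /* highest index; arrays need DST_MAX_TIMES + 1 entries */`. The version comment also ends with a doubled period ("the current one.."), and the new `engine` argument of `dst_lib_init2()` is not described in the part of the comment visible here, which continues outside the hunk.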
@@ -96,6 +145,7 @@ dst_lib_init(isc_mem_t *mctx, isc_entropy_t *ectx, unsigned int eflags);
* Returns:
* \li ISC_R_SUCCESS
* \li ISC_R_NOMEMORY
+ * \li DST_R_NOENGINE
*
* Ensures:
* \li DST is properly initialized.
@@ -244,13 +294,17 @@ dst_key_fromfile(dns_name_t *name, dns_keytag_t id, unsigned int alg, int type,
*/
isc_result_t
-dst_key_fromnamedfile(const char *filename, int type, isc_mem_t *mctx,
- dst_key_t **keyp);
+dst_key_fromnamedfile(const char *filename, const char *dirname,
+ int type, isc_mem_t *mctx, dst_key_t **keyp);
/*%<
* Reads a key from permanent storage. The key can either be a public or
* key, and is specified by filename. If a private key is specified, the
* public key must also be present.
*
+ * If 'dirname' is not NULL, and 'filename' is a relative path,
+ * then the file is looked up relative to the given directory.
+ * If 'filename' is an absolute path, 'dirname' is ignored.
+ *
* Requires:
* \li "filename" is not NULL
* \li "type" is DST_TYPE_PUBLIC, DST_TYPE_PRIVATE, or the bitwise union
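Review bot: `dst_key_fromnamedfile()` gains `dirname` in the middle of its existing parameter list instead of getting a compatibility variant, unlike `dst_lib_init2()` and `dst_key_generate2()` in this same header. Out-of-tree callers therefore fail to compile, or pass arguments in the wrong positions if they have no prototype in scope. `dst_key_fromgssapi()` in the next hunk is changed in place the same way with its new `intoken` argument, which the visible comment does not describe. The added text should also say whether a relative `filename` is confined to `dirname` or may contain `..` components, since the function opens private-key files. The context line "can either be a public or key" has lost the word "private" and could be repaired while the comment is being edited.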
@@ -419,7 +473,7 @@ dst_key_getgssctx(const dst_key_t *key);
isc_result_t
dst_key_fromgssapi(dns_name_t *name, gss_ctx_id_t gssctx, isc_mem_t *mctx,
- dst_key_t **keyp);
+ dst_key_t **keyp, isc_region_t *intoken);
/*%<
* Converts a GSSAPI opaque context id into a DST key.
*
@@ -450,6 +504,14 @@ dst_key_generate(dns_name_t *name, unsigned int alg,
unsigned int flags, unsigned int protocol,
dns_rdataclass_t rdclass,
isc_mem_t *mctx, dst_key_t **keyp);
+
+isc_result_t
+dst_key_generate2(dns_name_t *name, unsigned int alg,
+ unsigned int bits, unsigned int param,
+ unsigned int flags, unsigned int protocol,
+ dns_rdataclass_t rdclass,
+ isc_mem_t *mctx, dst_key_t **keyp,
+ void (*callback)(int));
/*%<
* Generate a DST key (or keypair) with the supplied parameters. The
* interpretation of the "param" field depends on the algorithm:
@@ -482,7 +544,31 @@ dst_key_generate(dns_name_t *name, unsigned int alg,
isc_boolean_t
dst_key_compare(const dst_key_t *key1, const dst_key_t *key2);
/*%<
- * Compares two DST keys.
+ * Compares two DST keys. Returns true if they match, false otherwise.
+ *
+ * Keys ARE NOT considered to match if one of them is the revoked version
+ * of the other.
+ *
+ * Requires:
+ *\li "key1" is a valid key.
+ *\li "key2" is a valid key.
+ *
+ * Returns:
+ *\li ISC_TRUE
+ * \li ISC_FALSE
+ */
+
+isc_boolean_t
+dst_key_pubcompare(const dst_key_t *key1, const dst_key_t *key2,
+ isc_boolean_t match_revoked_key);
+/*%<
+ * Compares only the public portions of two DST keys. Returns true
+ * if they match, false otherwise. This allows us, for example, to
+ * determine whether a public key found in a zone matches up with a
+ * key pair found on disk.
+ *
+ * If match_revoked_key is TRUE, then keys ARE considered to match if one
+ * of them is the revoked version of the other. Otherwise, they are not.
*
* Requires:
*\li "key1" is a valid key.
@@ -521,10 +607,12 @@ dst_key_attach(dst_key_t *source, dst_key_t **target);
void
dst_key_free(dst_key_t **keyp);
/*%<
- * Release all memory associated with the key.
+ * Decrement the key's reference counter and, when it reaches zero,
+ * release all memory associated with the key.
*
* Requires:
*\li "keyp" is not NULL and "*keyp" is a valid key.
+ *\li reference counter greater than zero.
*
* Ensures:
*\li All memory associated with "*keyp" will be freed.
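Review bot: The rewritten description makes `dst_key_free()` a reference drop, but the unchanged Ensures clause still promises `All memory associated with "*keyp" will be freed`, which holds only for the last reference. A caller reading only the postcondition could assume that key material is gone from memory after the call. The clause should read something like `\li If this was the last reference, all memory associated with "*keyp" is freed.` The new requirement `reference counter greater than zero` would be clearer as `\li the key's reference count is greater than zero.` The Ensures list continues outside this hunk.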
@@ -555,6 +643,9 @@ dst_key_flags(const dst_key_t *key);
dns_keytag_t
dst_key_id(const dst_key_t *key);
+dns_keytag_t
+dst_key_rid(const dst_key_t *key);
+
dns_rdataclass_t
dst_key_class(const dst_key_t *key);
@@ -620,9 +711,11 @@ dst_key_secretsize(const dst_key_t *key, unsigned int *n);
isc_uint16_t
dst_region_computeid(const isc_region_t *source, unsigned int alg);
+isc_uint16_t
+dst_region_computerid(const isc_region_t *source, unsigned int alg);
/*%<
- * Computes the key id of the key stored in the provided region with the
- * given algorithm.
+ * Computes the (revoked) key id of the key stored in the provided
+ * region with the given algorithm.
*
* Requires:
*\li "source" contains a valid, non-NULL region.
@@ -633,7 +726,7 @@ dst_region_computeid(const isc_region_t *source, unsigned int alg);
isc_uint16_t
dst_key_getbits(const dst_key_t *key);
-/*
+/*%<
* Get the number of digest bits required (0 == MAX).
*
* Requires:
@@ -642,13 +735,153 @@ dst_key_getbits(const dst_key_t *key);
void
dst_key_setbits(dst_key_t *key, isc_uint16_t bits);
-/*
+/*%<
* Set the number of digest bits required (0 == MAX).
*
* Requires:
* "key" is a valid key.
*/
+isc_result_t
+dst_key_setflags(dst_key_t *key, isc_uint32_t flags);
+/*
+ * Set the key flags, and recompute the key ID.
+ *
+ * Requires:
+ * "key" is a valid key.
+ */
+
+isc_result_t
+dst_key_getnum(const dst_key_t *key, int type, isc_uint32_t *valuep);
+/*%<
+ * Get a member of the numeric metadata array and place it in '*valuep'.
+ *
+ * Requires:
+ * "key" is a valid key.
+ * "type" is no larger than DST_MAX_NUMERIC
+ * "timep" is not null.
+ */
+
+void
+dst_key_setnum(dst_key_t *key, int type, isc_uint32_t value);
+/*%<
+ * Set a member of the numeric metadata array.
+ *
+ * Requires:
+ * "key" is a valid key.
+ * "type" is no larger than DST_MAX_NUMERIC
+ */
+
+void
+dst_key_unsetnum(dst_key_t *key, int type);
+/*%<
+ * Flag a member of the numeric metadata array as "not set".
+ *
+ * Requires:
+ * "key" is a valid key.
+ * "type" is no larger than DST_MAX_NUMERIC
+ */
+
+isc_result_t
+dst_key_gettime(const dst_key_t *key, int type, isc_stdtime_t *timep);
+/*%<
+ * Get a member of the timing metadata array and place it in '*timep'.
+ *
+ * Requires:
+ * "key" is a valid key.
+ * "type" is no larger than DST_MAX_TIMES
+ * "timep" is not null.
+ */
+
+void
+dst_key_settime(dst_key_t *key, int type, isc_stdtime_t when);
+/*%<
+ * Set a member of the timing metadata array.
+ *
+ * Requires:
+ * "key" is a valid key.
+ * "type" is no larger than DST_MAX_TIMES
+ */
+
+void
+dst_key_unsettime(dst_key_t *key, int type);
+/*%<
+ * Flag a member of the timing metadata array as "not set".
+ *
+ * Requires:
+ * "key" is a valid key.
+ * "type" is no larger than DST_MAX_TIMES
+ */
+
+isc_result_t
+dst_key_getprivateformat(const dst_key_t *key, int *majorp, int *minorp);
+/*%<
+ * Get the private key format version number. (If the key does not have
+ * a private key associated with it, the version will be 0.0.) The major
+ * version number is placed in '*majorp', and the minor version number in
+ * '*minorp'.
+ *
+ * Requires:
+ * "key" is a valid key.
+ * "majorp" is not NULL.
+ * "minorp" is not NULL.
+ */
+
+void
+dst_key_setprivateformat(dst_key_t *key, int major, int minor);
+/*%<
+ * Set the private key format version number.
+ *
+ * Requires:
+ * "key" is a valid key.
+ */
+
+#define DST_KEY_FORMATSIZE (DNS_NAME_FORMATSIZE + DNS_SECALG_FORMATSIZE + 7)
+
+void
+dst_key_format(const dst_key_t *key, char *cp, unsigned int size);
+/*%<
+ * Write the uniquely identifying information about the key (name,
+ * algorithm, key ID) into a string 'cp' of size 'size'.
+ */
+
+
+isc_buffer_t *
+dst_key_tkeytoken(const dst_key_t *key);
+/*%<
+ * Return the token from the TKEY request, if any. If this key was
+ * not negotiated via TKEY, return NULL.
+ *
+ * Requires:
+ * "key" is a valid key.
+ */
+
+
+isc_result_t
+dst_key_dump(dst_key_t *key, isc_mem_t *mctx, char **buffer, int *length);
+/*%<
+ * Allocate 'buffer' and dump the key into it in base64 format. The buffer
+ * is not NUL terminated. The length of the buffer is returned in *length.
+ *
+ * 'buffer' needs to be freed using isc_mem_put(mctx, buffer, length);
+ *
+ * Requires:
+ * 'buffer' to be non NULL and *buffer to be NULL.
+ * 'length' to be non NULL and *length to be zero.
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ * ISC_R_NOMEMORY
+ * ISC_R_NOTIMPLEMENTED
+ * others.
+ */
+
+isc_result_t
+dst_key_restore(dns_name_t *name, unsigned int alg, unsigned int flags,
+ unsigned int protocol, dns_rdataclass_t rdclass,
+ isc_mem_t *mctx, const char *keystr, dst_key_t **keyp);
+
+
ISC_LANG_ENDDECLS
#endif /* DST_DST_H */
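Review bot: Several contracts in this hunk are incomplete or copied wrongly. `dst_key_getnum()` requires `"timep" is not null` although its parameter is `valuep`. The `type` arguments are signed `int` but are bounded only from above ("no larger than DST_MAX_NUMERIC" / "DST_MAX_TIMES"), so each Requires should read `0 <= "type" <= DST_MAX_...`. `dst_key_restore()` has no comment at all, and `dst_key_setflags()` opens its comment with `/*` rather than `/*%<`. For `dst_key_dump()`, the header should state whether the base64 output includes private key material; if it does, tell callers to clear the buffer before `isc_mem_put()`. `dst_key_format()` should name `DST_KEY_FORMATSIZE` as the buffer size callers are expected to pass.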
diff --git a/contrib/bind9/lib/dns/include/dst/gssapi.h b/contrib/bind9/lib/dns/include/dst/gssapi.h
index 1456bbd4fa38..1e81a55b9718 100644
--- a/contrib/bind9/lib/dns/include/dst/gssapi.h
+++ b/contrib/bind9/lib/dns/include/dst/gssapi.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2007, 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009-2011 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: gssapi.h,v 1.16 2011/01/08 23:47:01 tbox Exp $ */
#ifndef DST_GSSAPI_H
#define DST_GSSAPI_H 1
@@ -34,8 +34,12 @@
* MSVC does not like macros in #include lines.
*/
#include <gssapi/gssapi.h>
+#include <gssapi/gssapi_krb5.h>
#else
#include ISC_PLATFORM_GSSAPIHEADER
+#ifdef ISC_PLATFORM_GSSAPI_KRB5_HEADER
+#include ISC_PLATFORM_GSSAPI_KRB5_HEADER
+#endif
#endif
#ifndef GSS_SPNEGO_MECHANISM
#define GSS_SPNEGO_MECHANISM ((void*)0)
@@ -90,7 +94,8 @@ dst_gssapi_releasecred(gss_cred_id_t *cred);
isc_result_t
dst_gssapi_initctx(dns_name_t *name, isc_buffer_t *intoken,
- isc_buffer_t *outtoken, gss_ctx_id_t *gssctx);
+ isc_buffer_t *outtoken, gss_ctx_id_t *gssctx,
+ isc_mem_t *mctx, char **err_message);
/*
* Initiates a GSS context.
*
@@ -108,10 +113,12 @@ dst_gssapi_initctx(dns_name_t *name, isc_buffer_t *intoken,
* ISC_R_SUCCESS msg was successfully updated to include the
* query to be sent
* other an error occurred while building the message
+ * *err_message optional error message
*/
isc_result_t
dst_gssapi_acceptctx(gss_cred_id_t cred,
+ const char *gssapi_keytab,
isc_region_t *intoken, isc_buffer_t **outtoken,
gss_ctx_id_t *context, dns_name_t *principal,
isc_mem_t *mctx);
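Review bot: The added `*err_message optional error message` line does not say who owns the string or when it is set. dst_gssapi_initctx() gained `isc_mem_t *mctx` together with `char **err_message` in the previous hunk, so the message is presumably allocated from `mctx` and released by the caller. The comment should say so, e.g. `*err_message, if non-NULL on return, is allocated from 'mctx' and must be freed by the caller` (to be confirmed against the implementation). The new `gssapi_keytab` parameter of dst_gssapi_acceptctx() also has no description in the lines visible here; its comment lies outside the hunk.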
diff --git a/contrib/bind9/lib/dns/iptable.c b/contrib/bind9/lib/dns/iptable.c
index 532382316f74..e960d5c48cd1 100644
--- a/contrib/bind9/lib/dns/iptable.c
+++ b/contrib/bind9/lib/dns/iptable.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2007-2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2007-2009 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: iptable.c,v 1.15 2009/02/18 23:47:48 tbox Exp $ */
#include <config.h>
diff --git a/contrib/bind9/lib/dns/journal.c b/contrib/bind9/lib/dns/journal.c
index d0af6c1c0554..1564a811ffed 100644
--- a/contrib/bind9/lib/dns/journal.c
+++ b/contrib/bind9/lib/dns/journal.c
@@ -562,11 +562,9 @@ journal_open(isc_mem_t *mctx, const char *filename, isc_boolean_t write,
if (result == ISC_R_FILENOTFOUND) {
if (create) {
- isc_log_write(JOURNAL_COMMON_LOGARGS,
- ISC_LOG_INFO,
+ isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_DEBUG(1),
"journal file %s does not exist, "
- "creating it",
- j->filename);
+ "creating it", j->filename);
CHECK(journal_file_create(mctx, filename));
/*
* Retry.
diff --git a/contrib/bind9/lib/dns/key.c b/contrib/bind9/lib/dns/key.c
index f1465c22e23e..bf9b16c170c4 100644
--- a/contrib/bind9/lib/dns/key.c
+++ b/contrib/bind9/lib/dns/key.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2007, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -56,6 +56,33 @@ dst_region_computeid(const isc_region_t *source, unsigned int alg) {
return ((isc_uint16_t)(ac & 0xffff));
}
+isc_uint16_t
+dst_region_computerid(const isc_region_t *source, unsigned int alg) {
+ isc_uint32_t ac;
+ const unsigned char *p;
+ int size;
+
+ REQUIRE(source != NULL);
+ REQUIRE(source->length >= 4);
+
+ p = source->base;
+ size = source->length;
+
+ if (alg == DST_ALG_RSAMD5)
+ return ((p[size - 3] << 8) + p[size - 2]);
+
+ ac = ((*p) << 8) + *(p + 1);
+ ac |= DNS_KEYFLAG_REVOKE;
+ for (size -= 2, p +=2; size > 1; size -= 2, p += 2)
+ ac += ((*p) << 8) + *(p + 1);
+
+ if (size > 0)
+ ac += ((*p) << 8);
+ ac += (ac >> 16) & 0xffff;
+
+ return ((isc_uint16_t)(ac & 0xffff));
+}
+
dns_name_t *
dst_key_name(const dst_key_t *key) {
REQUIRE(VALID_KEY(key));
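Review bot: dst_region_computerid() has no comment saying how it differs from dst_region_computeid() directly above it; the only difference visible in the checksum path is `ac |= DNS_KEYFLAG_REVOKE;` applied to the first 16-bit word. A header comment such as `/* Key tag of 'source' computed as if the REVOKE flag were set. */` would make that explicit. The DST_ALG_RSAMD5 early return does not apply the flag at all, which the comment should mention so callers do not expect the two ids to differ for that algorithm. `int size = source->length;` also narrows the region length to a signed int, so an upper bound in the `REQUIRE` would be a cheap safeguard.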
@@ -92,6 +119,12 @@ dst_key_id(const dst_key_t *key) {
return (key->key_id);
}
+dns_keytag_t
+dst_key_rid(const dst_key_t *key) {
+ REQUIRE(VALID_KEY(key));
+ return (key->key_rid);
+}
+
dns_rdataclass_t
dst_key_class(const dst_key_t *key) {
REQUIRE(VALID_KEY(key));
diff --git a/contrib/bind9/lib/dns/keydata.c b/contrib/bind9/lib/dns/keydata.c
new file mode 100644
index 000000000000..822bd467dc55
--- /dev/null
+++ b/contrib/bind9/lib/dns/keydata.c
@@ -0,0 +1,89 @@
+/*
+ * Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: keydata.c,v 1.3 2009/07/01 23:47:36 tbox Exp $ */
+
+/*! \file */
+
+#include <config.h>
+
+
+#include <isc/buffer.h>
+#include <isc/mem.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dns/rdata.h>
+#include <dns/rdatastruct.h>
+#include <dns/keydata.h>
+
+isc_result_t
+dns_keydata_todnskey(dns_rdata_keydata_t *keydata,
+ dns_rdata_dnskey_t *dnskey, isc_mem_t *mctx)
+{
+ REQUIRE(keydata != NULL && dnskey != NULL);
+
+ dnskey->common.rdtype = dns_rdatatype_dnskey;
+ dnskey->common.rdclass = keydata->common.rdclass;
+ dnskey->mctx = mctx;
+ dnskey->flags = keydata->flags;
+ dnskey->protocol = keydata->protocol;
+ dnskey->algorithm = keydata->algorithm;
+
+ dnskey->datalen = keydata->datalen;
+
+ if (mctx == NULL)
+ dnskey->data = keydata->data;
+ else {
+ dnskey->data = isc_mem_allocate(mctx, dnskey->datalen);
+ if (dnskey->data == NULL)
+ return (ISC_R_NOMEMORY);
+ memcpy(dnskey->data, keydata->data, dnskey->datalen);
+ }
+
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_keydata_fromdnskey(dns_rdata_keydata_t *keydata,
+ dns_rdata_dnskey_t *dnskey,
+ isc_uint32_t refresh, isc_uint32_t addhd,
+ isc_uint32_t removehd, isc_mem_t *mctx)
+{
+ REQUIRE(keydata != NULL && dnskey != NULL);
+
+ keydata->common.rdtype = dns_rdatatype_keydata;
+ keydata->common.rdclass = dnskey->common.rdclass;
+ keydata->mctx = mctx;
+ keydata->refresh = refresh;
+ keydata->addhd = addhd;
+ keydata->removehd = removehd;
+ keydata->flags = dnskey->flags;
+ keydata->protocol = dnskey->protocol;
+ keydata->algorithm = dnskey->algorithm;
+
+ keydata->datalen = dnskey->datalen;
+ if (mctx == NULL)
+ keydata->data = dnskey->data;
+ else {
+ keydata->data = isc_mem_allocate(mctx, keydata->datalen);
+ if (keydata->data == NULL)
+ return (ISC_R_NOMEMORY);
+ memcpy(keydata->data, dnskey->data, keydata->datalen);
+ }
+
+ return (ISC_R_SUCCESS);
+}
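Review bot: With `mctx == NULL` both converters copy only the pointer (`dnskey->data = keydata->data;` and the mirror line in dns_keydata_fromdnskey()), so the result aliases the source's key bytes and is valid only while the source lives. Neither function documents this; a comment such as `/* If 'mctx' is NULL the key data is shared with the source, not copied; the source must outlive the result. */` above each would keep callers from using or freeing stale data. On the ISC_R_NOMEMORY path the target is left with `mctx` and `datalen` set but `data == NULL`, so the comment should also say the output must not be used or freed after a failure.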
diff --git a/contrib/bind9/lib/dns/keytable.c b/contrib/bind9/lib/dns/keytable.c
index 792d319898a6..309e9dd2d8d5 100644
--- a/contrib/bind9/lib/dns/keytable.c
+++ b/contrib/bind9/lib/dns/keytable.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: keytable.c,v 1.41 2010/06/25 23:46:51 tbox Exp $ */
/*! \file */
@@ -31,41 +31,12 @@
#include <dns/rbt.h>
#include <dns/result.h>
-struct dns_keytable {
- /* Unlocked. */
- unsigned int magic;
- isc_mem_t *mctx;
- isc_mutex_t lock;
- isc_rwlock_t rwlock;
- /* Locked by lock. */
- isc_uint32_t active_nodes;
- /* Locked by rwlock. */
- isc_uint32_t references;
- dns_rbt_t *table;
-};
-
-#define KEYTABLE_MAGIC ISC_MAGIC('K', 'T', 'b', 'l')
-#define VALID_KEYTABLE(kt) ISC_MAGIC_VALID(kt, KEYTABLE_MAGIC)
-
-struct dns_keynode {
- unsigned int magic;
- dst_key_t * key;
- struct dns_keynode * next;
-};
-
-#define KEYNODE_MAGIC ISC_MAGIC('K', 'N', 'o', 'd')
-#define VALID_KEYNODE(kn) ISC_MAGIC_VALID(kn, KEYNODE_MAGIC)
-
static void
free_keynode(void *node, void *arg) {
dns_keynode_t *keynode = node;
isc_mem_t *mctx = arg;
- REQUIRE(VALID_KEYNODE(keynode));
- dst_key_free(&keynode->key);
- if (keynode->next != NULL)
- free_keynode(keynode->next, mctx);
- isc_mem_put(mctx, keynode, sizeof(dns_keynode_t));
+ dns_keynode_detachall(mctx, &keynode);
}
isc_result_t
@@ -116,7 +87,6 @@ dns_keytable_create(isc_mem_t *mctx, dns_keytable_t **keytablep) {
return (result);
}
-
void
dns_keytable_attach(dns_keytable_t *source, dns_keytable_t **targetp) {
@@ -173,50 +143,224 @@ dns_keytable_detach(dns_keytable_t **keytablep) {
*keytablep = NULL;
}
-isc_result_t
-dns_keytable_add(dns_keytable_t *keytable, dst_key_t **keyp) {
+static isc_result_t
+insert(dns_keytable_t *keytable, isc_boolean_t managed,
+ dns_name_t *keyname, dst_key_t **keyp)
+{
isc_result_t result;
- dns_keynode_t *knode;
+ dns_keynode_t *knode = NULL;
dns_rbtnode_t *node;
- dns_name_t *keyname;
-
- /*
- * Add '*keyp' to 'keytable'.
- */
+ REQUIRE(keyp == NULL || *keyp != NULL);
REQUIRE(VALID_KEYTABLE(keytable));
- REQUIRE(keyp != NULL);
- keyname = dst_key_name(*keyp);
+ result = dns_keynode_create(keytable->mctx, &knode);
+ if (result != ISC_R_SUCCESS)
+ return (result);
- knode = isc_mem_get(keytable->mctx, sizeof(*knode));
- if (knode == NULL)
- return (ISC_R_NOMEMORY);
+ knode->managed = managed;
RWLOCK(&keytable->rwlock, isc_rwlocktype_write);
node = NULL;
result = dns_rbt_addnode(keytable->table, keyname, &node);
- if (result == ISC_R_SUCCESS || result == ISC_R_EXISTS) {
- knode->magic = KEYNODE_MAGIC;
- knode->key = *keyp;
- knode->next = node->data;
+ if (keyp != NULL) {
+ if (result == ISC_R_EXISTS) {
+ /* Key already in table? */
+ dns_keynode_t *k;
+ for (k = node->data; k != NULL; k = k->next) {
+ if (k->key == NULL) {
+ k->key = *keyp;
+ break;
+ }
+ if (dst_key_compare(k->key, *keyp) == ISC_TRUE)
+ break;
+ }
+
+ if (k == NULL)
+ result = ISC_R_SUCCESS;
+ else
+ dst_key_free(keyp);
+ }
+
+ if (result == ISC_R_SUCCESS) {
+ knode->key = *keyp;
+ knode->next = node->data;
+ *keyp = NULL;
+ }
+ }
+
+ if (result == ISC_R_SUCCESS) {
node->data = knode;
- *keyp = NULL;
knode = NULL;
- result = ISC_R_SUCCESS;
}
+ /* Key was already there? That's the same as a success */
+ if (result == ISC_R_EXISTS)
+ result = ISC_R_SUCCESS;
+
RWUNLOCK(&keytable->rwlock, isc_rwlocktype_write);
if (knode != NULL)
- isc_mem_put(keytable->mctx, knode, sizeof(*knode));
+ dns_keynode_detach(keytable->mctx, &knode);
+
+ return (result);
+}
+
+isc_result_t
+dns_keytable_add(dns_keytable_t *keytable, isc_boolean_t managed,
+ dst_key_t **keyp)
+{
+ REQUIRE(keyp != NULL && *keyp != NULL);
+ return (insert(keytable, managed, dst_key_name(*keyp), keyp));
+}
+
+isc_result_t
+dns_keytable_marksecure(dns_keytable_t *keytable, dns_name_t *name) {
+ return (insert(keytable, ISC_TRUE, name, NULL));
+}
+
+isc_result_t
+dns_keytable_delete(dns_keytable_t *keytable, dns_name_t *keyname) {
+ isc_result_t result;
+ dns_rbtnode_t *node = NULL;
+
+ REQUIRE(VALID_KEYTABLE(keytable));
+ REQUIRE(keyname != NULL);
+
+ RWLOCK(&keytable->rwlock, isc_rwlocktype_write);
+ result = dns_rbt_findnode(keytable->table, keyname, NULL, &node, NULL,
+ DNS_RBTFIND_NOOPTIONS, NULL, NULL);
+ if (result == ISC_R_SUCCESS) {
+ if (node->data != NULL)
+ result = dns_rbt_deletenode(keytable->table,
+ node, ISC_FALSE);
+ else
+ result = ISC_R_NOTFOUND;
+ } else if (result == DNS_R_PARTIALMATCH)
+ result = ISC_R_NOTFOUND;
+ RWUNLOCK(&keytable->rwlock, isc_rwlocktype_write);
return (result);
}
isc_result_t
+dns_keytable_deletekeynode(dns_keytable_t *keytable, dst_key_t *dstkey) {
+ isc_result_t result;
+ dns_name_t *keyname;
+ dns_rbtnode_t *node = NULL;
+ dns_keynode_t *knode = NULL, **kprev = NULL;
+
+ REQUIRE(VALID_KEYTABLE(keytable));
+ REQUIRE(dstkey != NULL);
+
+ keyname = dst_key_name(dstkey);
+
+ RWLOCK(&keytable->rwlock, isc_rwlocktype_write);
+ result = dns_rbt_findnode(keytable->table, keyname, NULL, &node, NULL,
+ DNS_RBTFIND_NOOPTIONS, NULL, NULL);
+
+ if (result == DNS_R_PARTIALMATCH)
+ result = ISC_R_NOTFOUND;
+ if (result != ISC_R_SUCCESS)
+ goto finish;
+
+ if (node->data == NULL) {
+ result = ISC_R_NOTFOUND;
+ goto finish;
+ }
+
+ knode = node->data;
+ if (knode->next == NULL &&
+ (knode->key == NULL ||
+ dst_key_compare(knode->key, dstkey) == ISC_TRUE)) {
+ result = dns_rbt_deletenode(keytable->table, node, ISC_FALSE);
+ goto finish;
+ }
+
+ kprev = (dns_keynode_t **) &node->data;
+ while (knode != NULL) {
+ if (dst_key_compare(knode->key, dstkey) == ISC_TRUE)
+ break;
+ kprev = &knode->next;
+ knode = knode->next;
+ }
+
+ if (knode != NULL) {
+ if (knode->key != NULL)
+ dst_key_free(&knode->key);
+ /*
+ * This is equivalent to:
+ * dns_keynode_attach(knode->next, &tmp);
+ * dns_keynode_detach(kprev);
+ * dns_keynode_attach(tmp, &kprev);
+ * dns_keynode_detach(&tmp);
+ */
+ *kprev = knode->next;
+ knode->next = NULL;
+ dns_keynode_detach(keytable->mctx, &knode);
+ } else
+ result = DNS_R_PARTIALMATCH;
+ finish:
+ RWUNLOCK(&keytable->rwlock, isc_rwlocktype_write);
+ return (result);
+}
+
+isc_result_t
+dns_keytable_find(dns_keytable_t *keytable, dns_name_t *keyname,
+ dns_keynode_t **keynodep)
+{
+ isc_result_t result;
+ dns_rbtnode_t *node = NULL;
+
+ REQUIRE(VALID_KEYTABLE(keytable));
+ REQUIRE(keyname != NULL);
+ REQUIRE(keynodep != NULL && *keynodep == NULL);
+
+ RWLOCK(&keytable->rwlock, isc_rwlocktype_read);
+ result = dns_rbt_findnode(keytable->table, keyname, NULL, &node, NULL,
+ DNS_RBTFIND_NOOPTIONS, NULL, NULL);
+ if (result == ISC_R_SUCCESS) {
+ if (node->data != NULL) {
+ LOCK(&keytable->lock);
+ keytable->active_nodes++;
+ UNLOCK(&keytable->lock);
+ dns_keynode_attach(node->data, keynodep);
+ } else
+ result = ISC_R_NOTFOUND;
+ } else if (result == DNS_R_PARTIALMATCH)
+ result = ISC_R_NOTFOUND;
+ RWUNLOCK(&keytable->rwlock, isc_rwlocktype_read);
+
+ return (result);
+}
+
+isc_result_t
+dns_keytable_nextkeynode(dns_keytable_t *keytable, dns_keynode_t *keynode,
+ dns_keynode_t **nextnodep)
+{
+ /*
+ * Return the next key after 'keynode', regardless of
+ * properties.
+ */
+
+ REQUIRE(VALID_KEYTABLE(keytable));
+ REQUIRE(VALID_KEYNODE(keynode));
+ REQUIRE(nextnodep != NULL && *nextnodep == NULL);
+
+ if (keynode->next == NULL)
+ return (ISC_R_NOTFOUND);
+
+ dns_keynode_attach(keynode->next, nextnodep);
+ LOCK(&keytable->lock);
+ keytable->active_nodes++;
+ UNLOCK(&keytable->lock);
+
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
dns_keytable_findkeynode(dns_keytable_t *keytable, dns_name_t *name,
dns_secalg_t algorithm, dns_keytag_t tag,
dns_keynode_t **keynodep)
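Review bot: In insert(), when an existing node holds a key-less entry, the loop stores the caller's key with `k->key = *keyp;` and breaks with `k != NULL`, so the following `else dst_key_free(keyp);` releases the key the table has just taken. That leaves `k->key` dangling, assuming dst_key_free() destroys the key as its use in dns_keynode_detach() suggests. Transfer ownership at the store, `k->key = *keyp; *keyp = NULL;`, and guard the release with `else if (*keyp != NULL) dst_key_free(keyp);`. Separately, the `while` loop in dns_keytable_deletekeynode() passes `knode->key` to dst_key_compare() without the NULL check that the single-entry case has. dns_keytable_findkeynode(), whose signature closes the hunk, continues outside it.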
@@ -250,6 +394,10 @@ dns_keytable_findkeynode(dns_keytable_t *keytable, dns_name_t *name,
if (result == ISC_R_SUCCESS) {
INSIST(data != NULL);
for (knode = data; knode != NULL; knode = knode->next) {
+ if (knode->key == NULL) {
+ knode = NULL;
+ break;
+ }
if (algorithm == dst_key_alg(knode->key)
&& tag == dst_key_id(knode->key))
break;
@@ -258,7 +406,7 @@ dns_keytable_findkeynode(dns_keytable_t *keytable, dns_name_t *name,
LOCK(&keytable->lock);
keytable->active_nodes++;
UNLOCK(&keytable->lock);
- *keynodep = knode;
+ dns_keynode_attach(knode, keynodep);
} else
result = DNS_R_PARTIALMATCH;
} else if (result == DNS_R_PARTIALMATCH)
@@ -286,6 +434,10 @@ dns_keytable_findnextkeynode(dns_keytable_t *keytable, dns_keynode_t *keynode,
REQUIRE(nextnodep != NULL && *nextnodep == NULL);
for (knode = keynode->next; knode != NULL; knode = knode->next) {
+ if (knode->key == NULL) {
+ knode = NULL;
+ break;
+ }
if (dst_key_alg(keynode->key) == dst_key_alg(knode->key) &&
dst_key_id(keynode->key) == dst_key_id(knode->key))
break;
@@ -295,7 +447,7 @@ dns_keytable_findnextkeynode(dns_keytable_t *keytable, dns_keynode_t *keynode,
keytable->active_nodes++;
UNLOCK(&keytable->lock);
result = ISC_R_SUCCESS;
- *nextnodep = knode;
+ dns_keynode_attach(knode, nextnodep);
} else
result = ISC_R_NOTFOUND;
@@ -331,6 +483,25 @@ dns_keytable_finddeepestmatch(dns_keytable_t *keytable, dns_name_t *name,
}
void
+dns_keytable_attachkeynode(dns_keytable_t *keytable, dns_keynode_t *source,
+ dns_keynode_t **target)
+{
+ /*
+ * Give back a keynode found via dns_keytable_findkeynode().
+ */
+
+ REQUIRE(VALID_KEYTABLE(keytable));
+ REQUIRE(VALID_KEYNODE(source));
+ REQUIRE(target != NULL && *target == NULL);
+
+ LOCK(&keytable->lock);
+ keytable->active_nodes++;
+ UNLOCK(&keytable->lock);
+
+ dns_keynode_attach(source, target);
+}
+
+void
dns_keytable_detachkeynode(dns_keytable_t *keytable, dns_keynode_t **keynodep)
{
/*
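Review bot: The comment inside dns_keytable_attachkeynode(), `Give back a keynode found via dns_keytable_findkeynode().`, describes the detach operation rather than this function, which increments `keytable->active_nodes` and calls dns_keynode_attach(). Replace it with something like `/* Attach '*target' to 'source' and count it as an active node; release it with dns_keytable_detachkeynode(). */`. The hunk ends inside dns_keytable_detachkeynode(), whose body lies outside it.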
@@ -345,7 +516,7 @@ dns_keytable_detachkeynode(dns_keytable_t *keytable, dns_keynode_t **keynodep)
keytable->active_nodes--;
UNLOCK(&keytable->lock);
- *keynodep = NULL;
+ dns_keynode_detach(keytable->mctx, keynodep);
}
isc_result_t
@@ -382,6 +553,44 @@ dns_keytable_issecuredomain(dns_keytable_t *keytable, dns_name_t *name,
return (result);
}
+isc_result_t
+dns_keytable_dump(dns_keytable_t *keytable, FILE *fp)
+{
+ isc_result_t result;
+ dns_keynode_t *knode;
+ dns_rbtnode_t *node;
+ dns_rbtnodechain_t chain;
+
+ REQUIRE(VALID_KEYTABLE(keytable));
+
+ RWLOCK(&keytable->rwlock, isc_rwlocktype_read);
+ dns_rbtnodechain_init(&chain, keytable->mctx);
+ result = dns_rbtnodechain_first(&chain, keytable->table, NULL, NULL);
+ if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN)
+ goto cleanup;
+ for (;;) {
+ char pbuf[DST_KEY_FORMATSIZE];
+
+ dns_rbtnodechain_current(&chain, NULL, NULL, &node);
+ for (knode = node->data; knode != NULL; knode = knode->next) {
+ dst_key_format(knode->key, pbuf, sizeof(pbuf));
+ fprintf(fp, "%s ; %s\n", pbuf,
+ knode->managed ? "managed" : "trusted");
+ }
+ result = dns_rbtnodechain_next(&chain, NULL, NULL);
+ if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
+ if (result == ISC_R_NOMORE)
+ result = ISC_R_SUCCESS;
+ break;
+ }
+ }
+
+ cleanup:
+ dns_rbtnodechain_invalidate(&chain);
+ RWUNLOCK(&keytable->rwlock, isc_rwlocktype_read);
+ return (result);
+}
+
dst_key_t *
dns_keynode_key(dns_keynode_t *keynode) {
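Review bot: dns_keytable_dump() calls `dst_key_format(knode->key, pbuf, sizeof(pbuf));` for every entry without checking for a NULL key. insert() in this same commit creates entries with `key == NULL` for dns_keytable_marksecure(), and the lookup functions were given an explicit `knode->key == NULL` check. Unless dst_key_format() accepts NULL (not visible here), skip such entries with `if (knode->key == NULL) continue;` as the first statement of the inner loop. `fp` is also used without a `REQUIRE(fp != NULL);`.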
@@ -393,3 +602,71 @@ dns_keynode_key(dns_keynode_t *keynode) {
return (keynode->key);
}
+
+isc_boolean_t
+dns_keynode_managed(dns_keynode_t *keynode) {
+ /*
+ * Is this a managed key?
+ */
+ REQUIRE(VALID_KEYNODE(keynode));
+
+ return (keynode->managed);
+}
+
+isc_result_t
+dns_keynode_create(isc_mem_t *mctx, dns_keynode_t **target) {
+ isc_result_t result;
+ dns_keynode_t *knode = NULL;
+
+ REQUIRE(target != NULL && *target == NULL);
+
+ knode = isc_mem_get(mctx, sizeof(dns_keynode_t));
+ if (knode == NULL)
+ return (ISC_R_NOMEMORY);
+
+ knode->magic = KEYNODE_MAGIC;
+ knode->managed = ISC_FALSE;
+ knode->key = NULL;
+ knode->next = NULL;
+
+ result = isc_refcount_init(&knode->refcount, 1);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ *target = knode;
+ return (ISC_R_SUCCESS);
+}
+
+void
+dns_keynode_attach(dns_keynode_t *source, dns_keynode_t **target) {
+ REQUIRE(VALID_KEYNODE(source));
+ isc_refcount_increment(&source->refcount, NULL);
+ *target = source;
+}
+
+void
+dns_keynode_detach(isc_mem_t *mctx, dns_keynode_t **keynode) {
+ unsigned int refs;
+ dns_keynode_t *node = *keynode;
+ REQUIRE(VALID_KEYNODE(node));
+ isc_refcount_decrement(&node->refcount, &refs);
+ if (refs == 0) {
+ if (node->key != NULL)
+ dst_key_free(&node->key);
+ isc_refcount_destroy(&node->refcount);
+ isc_mem_put(mctx, node, sizeof(dns_keynode_t));
+ }
+ *keynode = NULL;
+}
+
+void
+dns_keynode_detachall(isc_mem_t *mctx, dns_keynode_t **keynode) {
+ dns_keynode_t *next = NULL, *node = *keynode;
+ REQUIRE(VALID_KEYNODE(node));
+ while (node != NULL) {
+ next = node->next;
+ dns_keynode_detach(mctx, &node);
+ node = next;
+ }
+ *keynode = NULL;
+}
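Review bot: dns_keynode_create() leaks `knode` when isc_refcount_init() fails, because the error path is a bare `return (result);` with no release of the memory obtained from isc_mem_get(). Free it first with `isc_mem_put(mctx, knode, sizeof(dns_keynode_t));` before returning. dns_keynode_attach() also writes `*target` without the `REQUIRE(target != NULL && *target == NULL);` used by the keytable-level attach functions. dns_keynode_detach() and dns_keynode_detachall() dereference `keynode` before any `REQUIRE(keynode != NULL)`.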
diff --git a/contrib/bind9/lib/dns/lib.c b/contrib/bind9/lib/dns/lib.c
index 0782863466fc..df16fa22d0c1 100644
--- a/contrib/bind9/lib/dns/lib.c
+++ b/contrib/bind9/lib/dns/lib.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: lib.c,v 1.19 2009/09/03 00:12:23 each Exp $ */
/*! \file */
@@ -23,11 +23,20 @@
#include <stddef.h>
-#include <isc/once.h>
+#include <isc/hash.h>
+#include <isc/mem.h>
#include <isc/msgcat.h>
+#include <isc/mutex.h>
+#include <isc/once.h>
#include <isc/util.h>
+#include <dns/db.h>
+#include <dns/ecdb.h>
#include <dns/lib.h>
+#include <dns/result.h>
+
+#include <dst/dst.h>
+
/***
*** Globals
@@ -63,3 +72,97 @@ dns_lib_initmsgcat(void) {
RUNTIME_CHECK(isc_once_do(&msgcat_once, open_msgcat) == ISC_R_SUCCESS);
}
+
+static isc_once_t init_once = ISC_ONCE_INIT;
+static isc_mem_t *dns_g_mctx = NULL;
+#ifndef BIND9
+static dns_dbimplementation_t *dbimp = NULL;
+#endif
+static isc_boolean_t initialize_done = ISC_FALSE;
+static isc_mutex_t reflock;
+static unsigned int references = 0;
+
+static void
+initialize(void) {
+ isc_result_t result;
+
+ REQUIRE(initialize_done == ISC_FALSE);
+
+ result = isc_mem_create(0, 0, &dns_g_mctx);
+ if (result != ISC_R_SUCCESS)
+ return;
+ dns_result_register();
+#ifndef BIND9
+ result = dns_ecdb_register(dns_g_mctx, &dbimp);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup_mctx;
+#endif
+ result = isc_hash_create(dns_g_mctx, NULL, DNS_NAME_MAXWIRE);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup_db;
+
+ result = dst_lib_init(dns_g_mctx, NULL, 0);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup_hash;
+
+ result = isc_mutex_init(&reflock);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup_dst;
+
+ initialize_done = ISC_TRUE;
+ return;
+
+ cleanup_dst:
+ dst_lib_destroy();
+ cleanup_hash:
+ isc_hash_destroy();
+ cleanup_db:
+#ifndef BIND9
+ dns_ecdb_unregister(&dbimp);
+ cleanup_mctx:
+#endif
+ isc_mem_detach(&dns_g_mctx);
+}
+
+isc_result_t
+dns_lib_init(void) {
+ isc_result_t result;
+
+ /*
+ * Since this routine is expected to be used by a normal application,
+ * it should be better to return an error, instead of an emergency
+ * abort, on any failure.
+ */
+ result = isc_once_do(&init_once, initialize);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ if (!initialize_done)
+ return (ISC_R_FAILURE);
+
+ LOCK(&reflock);
+ references++;
+ UNLOCK(&reflock);
+
+ return (ISC_R_SUCCESS);
+}
+
+void
+dns_lib_shutdown(void) {
+ isc_boolean_t cleanup_ok = ISC_FALSE;
+
+ LOCK(&reflock);
+ if (--references == 0)
+ cleanup_ok = ISC_TRUE;
+ UNLOCK(&reflock);
+
+ if (!cleanup_ok)
+ return;
+
+ dst_lib_destroy();
+ isc_hash_destroy();
+#ifndef BIND9
+ dns_ecdb_unregister(&dbimp);
+#endif
+ isc_mem_detach(&dns_g_mctx);
+}
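Review bot: dns_lib_shutdown() decrements the unsigned `references` with `if (--references == 0)` and takes `reflock` without checking that dns_lib_init() ever succeeded, so an unbalanced call wraps the counter or locks an uninitialised mutex. Add `REQUIRE(initialize_done);` at the top and `INSIST(references > 0);` under the lock. After the final shutdown `initialize_done` stays ISC_TRUE and `init_once` is spent, so a later dns_lib_init() returns ISC_R_SUCCESS with `dns_g_mctx` already detached. Either document that the library cannot be re-initialised, or clear `initialize_done` in the cleanup path so the later call fails cleanly.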
diff --git a/contrib/bind9/lib/dns/log.c b/contrib/bind9/lib/dns/log.c
index 3c9727df72c1..d286d103e63c 100644
--- a/contrib/bind9/lib/dns/log.c
+++ b/contrib/bind9/lib/dns/log.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2007, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009, 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001, 2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -44,6 +44,7 @@ LIBDNS_EXTERNAL_DATA isc_logcategory_t dns_categories[] = {
{ "lame-servers", 0 },
{ "delegation-only", 0 },
{ "edns-disabled", 0 },
+ { "rpz", 0 },
{ NULL, 0 }
};
diff --git a/contrib/bind9/lib/dns/master.c b/contrib/bind9/lib/dns/master.c
index d87d3987f350..8304507f5193 100644
--- a/contrib/bind9/lib/dns/master.c
+++ b/contrib/bind9/lib/dns/master.c
@@ -34,7 +34,6 @@
#include <isc/util.h>
#include <dns/callbacks.h>
-#include <dns/compress.h>
#include <dns/events.h>
#include <dns/fixedname.h>
#include <dns/master.h>
@@ -86,7 +85,11 @@
*/
#define TOKENSIZ (8*1024)
-#define DNS_MASTER_BUFSZ 2048
+/*%
+ * Buffers sizes for $GENERATE.
+ */
+#define DNS_MASTER_LHS 2048
+#define DNS_MASTER_RHS MINTSIZ
typedef ISC_LIST(dns_rdatalist_t) rdatalist_head_t;
@@ -615,6 +618,57 @@ loadctx_create(dns_masterformat_t format, isc_mem_t *mctx,
return (result);
}
+static const char *hex = "0123456789abcdef0123456789ABCDEF";
+
+/*%
+ * Convert value into a nibble sequence from least significant to most
+ * significant nibble. Zero fill upper most significant nibbles if
+ * required to make the width.
+ *
+ * Returns the number of characters that should have been written without
+ * counting the terminating NUL.
+ */
+static unsigned int
+nibbles(char *numbuf, size_t length, unsigned int width, char mode, int value) {
+ unsigned int count = 0;
+
+ /*
+ * This reserve space for the NUL string terminator.
+ */
+ if (length > 0U) {
+ *numbuf = '\0';
+ length--;
+ }
+ do {
+ char val = hex[(value & 0x0f) + ((mode == 'n') ? 0 : 16)];
+ value >>= 4;
+ if (length > 0U) {
+ *numbuf++ = val;
+ *numbuf = '\0';
+ length--;
+ }
+ if (width > 0)
+ width--;
+ count++;
+ /*
+ * If width is non zero then we need to add a label seperator.
+ * If value is non zero then we need to add another label and
+ * that requires a label seperator.
+ */
+ if (width > 0 || value != 0) {
+ if (length > 0U) {
+ *numbuf++ = '.';
+ *numbuf = '\0';
+ length--;
+ }
+ if (width > 0)
+ width--;
+ count++;
+ }
+ } while (value != 0 || width > 0);
+ return (count);
+}
+
static isc_result_t
genname(char *name, int it, char *buffer, size_t length) {
char fmt[sizeof("%04000000000d")];
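Review bot: nibbles() takes `int value` and loops on `while (value != 0 || width > 0)` after `value >>= 4;`, so a negative argument can keep it from terminating: with an arithmetic right shift the value settles at -1. genname() passes `it + delta`, and `delta` is read with `%d`, so a negative value looks reachable from a zone file. Either reject negative values before the call or shift an unsigned copy, e.g. `unsigned int v = (unsigned int)value;` with `v >>= 4;` and `v != 0` in the loop condition. The truncation handling is otherwise sound: writes stop once `length` reaches zero and the caller compares the returned count with `sizeof(numbuf)`. genname() begins on the last lines of this hunk and continues outside it.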
@@ -625,6 +679,7 @@ genname(char *name, int it, char *buffer, size_t length) {
isc_textregion_t r;
unsigned int n;
unsigned int width;
+ isc_boolean_t nibblemode;
r.base = buffer;
r.length = length;
@@ -639,10 +694,11 @@ genname(char *name, int it, char *buffer, size_t length) {
isc_textregion_consume(&r, 1);
continue;
}
+ nibblemode = ISC_FALSE;
strcpy(fmt, "%d");
/* Get format specifier. */
if (*name == '{' ) {
- n = sscanf(name, "{%d,%u,%1[doxX]}",
+ n = sscanf(name, "{%d,%u,%1[doxXnN]}",
&delta, &width, mode);
switch (n) {
case 1:
@@ -652,6 +708,8 @@ genname(char *name, int it, char *buffer, size_t length) {
"%%0%ud", width);
break;
case 3:
+ if (mode[0] == 'n' || mode[0] == 'N')
+ nibblemode = ISC_TRUE;
n = snprintf(fmt, sizeof(fmt),
"%%0%u%c", width, mode[0]);
break;
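Review bot: In nibble mode the `snprintf(fmt, sizeof(fmt), "%%0%u%c", width, mode[0]);` that follows the new check still builds a format string ending in `n` or `N` in `fmt`. It is unused today because a later hunk routes nibble mode to nibbles() rather than `snprintf(numbuf, sizeof(numbuf), fmt, ...)`, but a `%n` conversion left in `fmt` becomes a memory-write hazard if that routing ever changes. At minimum add `/* fmt is not used in nibble mode */` here; better, put the `snprintf` in an `else` so `fmt` keeps its `"%d"` default when `nibblemode` is set. The switch and genname() extend beyond this hunk, so the check on `n` after the switch should be confirmed to still behave.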
@@ -664,7 +722,12 @@ genname(char *name, int it, char *buffer, size_t length) {
while (*name != '\0' && *name++ != '}')
continue;
}
- n = snprintf(numbuf, sizeof(numbuf), fmt, it + delta);
+ if (nibblemode)
+ n = nibbles(numbuf, sizeof(numbuf), width,
+ mode[0], it + delta);
+ else
+ n = snprintf(numbuf, sizeof(numbuf), fmt,
+ it + delta);
if (n >= sizeof(numbuf))
return (ISC_R_NOSPACE);
cp = numbuf;
@@ -747,8 +810,8 @@ generate(dns_loadctx_t *lctx, char *range, char *lhs, char *gtype, char *rhs,
ISC_LIST_INIT(head);
target_mem = isc_mem_get(lctx->mctx, target_size);
- rhsbuf = isc_mem_get(lctx->mctx, DNS_MASTER_BUFSZ);
- lhsbuf = isc_mem_get(lctx->mctx, DNS_MASTER_BUFSZ);
+ rhsbuf = isc_mem_get(lctx->mctx, DNS_MASTER_RHS);
+ lhsbuf = isc_mem_get(lctx->mctx, DNS_MASTER_LHS);
if (target_mem == NULL || rhsbuf == NULL || lhsbuf == NULL) {
result = ISC_R_NOMEMORY;
goto error_cleanup;
@@ -779,35 +842,13 @@ generate(dns_loadctx_t *lctx, char *range, char *lhs, char *gtype, char *rhs,
goto insist_cleanup;
}
- switch (type) {
- case dns_rdatatype_ns:
- case dns_rdatatype_ptr:
- case dns_rdatatype_cname:
- case dns_rdatatype_dname:
- break;
-
- case dns_rdatatype_a:
- case dns_rdatatype_aaaa:
- if (lctx->zclass == dns_rdataclass_in ||
- lctx->zclass == dns_rdataclass_ch ||
- lctx->zclass == dns_rdataclass_hs)
- break;
- /* FALLTHROUGH */
- default:
- (*callbacks->error)(callbacks,
- "%s: %s:%lu: unsupported type '%s'",
- "$GENERATE", source, line, gtype);
- result = ISC_R_NOTIMPLEMENTED;
- goto error_cleanup;
- }
-
ISC_LIST_INIT(rdatalist.rdata);
ISC_LINK_INIT(&rdatalist, link);
for (i = start; i <= stop; i += step) {
- result = genname(lhs, i, lhsbuf, DNS_MASTER_BUFSZ);
+ result = genname(lhs, i, lhsbuf, DNS_MASTER_LHS);
if (result != ISC_R_SUCCESS)
goto error_cleanup;
- result = genname(rhs, i, rhsbuf, DNS_MASTER_BUFSZ);
+ result = genname(rhs, i, rhsbuf, DNS_MASTER_RHS);
if (result != ISC_R_SUCCESS)
goto error_cleanup;
@@ -821,6 +862,7 @@ generate(dns_loadctx_t *lctx, char *range, char *lhs, char *gtype, char *rhs,
if ((lctx->options & DNS_MASTER_ZONE) != 0 &&
(lctx->options & DNS_MASTER_SLAVE) == 0 &&
+ (lctx->options & DNS_MASTER_KEY) == 0 &&
!dns_name_issubdomain(owner, lctx->top))
{
char namebuf[DNS_NAME_FORMATSIZE];
@@ -881,9 +923,9 @@ generate(dns_loadctx_t *lctx, char *range, char *lhs, char *gtype, char *rhs,
if (target_mem != NULL)
isc_mem_put(lctx->mctx, target_mem, target_size);
if (lhsbuf != NULL)
- isc_mem_put(lctx->mctx, lhsbuf, DNS_MASTER_BUFSZ);
+ isc_mem_put(lctx->mctx, lhsbuf, DNS_MASTER_LHS);
if (rhsbuf != NULL)
- isc_mem_put(lctx->mctx, rhsbuf, DNS_MASTER_BUFSZ);
+ isc_mem_put(lctx->mctx, rhsbuf, DNS_MASTER_RHS);
return (result);
}
@@ -1272,7 +1314,8 @@ load_text(dns_loadctx_t *lctx) {
goto log_and_cleanup;
}
/* RHS */
- GETTOKEN(lctx->lex, 0, &token, ISC_FALSE);
+ GETTOKEN(lctx->lex, ISC_LEXOPT_QSTRING,
+ &token, ISC_FALSE);
rhs = isc_mem_strdup(mctx, DNS_AS_STR(token));
if (rhs == NULL) {
result = ISC_R_NOMEMORY;
@@ -1340,7 +1383,7 @@ load_text(dns_loadctx_t *lctx) {
isc_buffer_setactive(&buffer,
token.value.as_region.length);
result = dns_name_fromtext(new_name, &buffer,
- ictx->origin, ISC_FALSE, NULL);
+ ictx->origin, 0, NULL);
if (MANYERRS(lctx, result)) {
SETRESULT(lctx, result);
LOGIT(result);
@@ -1462,6 +1505,7 @@ load_text(dns_loadctx_t *lctx) {
}
if ((lctx->options & DNS_MASTER_ZONE) != 0 &&
(lctx->options & DNS_MASTER_SLAVE) == 0 &&
+ (lctx->options & DNS_MASTER_KEY) == 0 &&
!dns_name_issubdomain(new_name, lctx->top))
{
char namebuf[DNS_NAME_FORMATSIZE];
diff --git a/contrib/bind9/lib/dns/masterdump.c b/contrib/bind9/lib/dns/masterdump.c
index b02cc11f5219..a10e6f2d559e 100644
--- a/contrib/bind9/lib/dns/masterdump.c
+++ b/contrib/bind9/lib/dns/masterdump.c
@@ -42,6 +42,7 @@
#include <dns/log.h>
#include <dns/master.h>
#include <dns/masterdump.h>
+#include <dns/ncache.h>
#include <dns/rdata.h>
#include <dns/rdataclass.h>
#include <dns/rdataset.h>
@@ -60,6 +61,11 @@
return (_r); \
} while (0)
+#define CHECK(x) do { \
+ if ((x) != ISC_R_SUCCESS) \
+ goto cleanup; \
+ } while (0)
+
struct dns_master_style {
unsigned int flags; /* DNS_STYLEFLAG_* */
unsigned int ttl_column;
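Review bot: The new CHECK() tests `(x)` but never stores it, so the failure code is lost at every use. In ncache_summary(), added in a later hunk of this file, a failing `CHECK(str_totext(...))` jumps to `cleanup` with `result` still holding the ISC_R_SUCCESS from the `for` condition. The error, presumably including a full target buffer, is then returned as success and the dump is silently truncated. Assign before testing, `if ((result = (x)) != ISC_R_SUCCESS) goto cleanup;`, which needs a local `result` at each use, as ncache_summary() has. The RETERR() macro just above appears to use that store-then-test form already (`return (_r);`).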
@@ -156,6 +162,7 @@ static char spaces[N_SPACES+1] = " ";
#define N_TABS 10
static char tabs[N_TABS+1] = "\t\t\t\t\t\t\t\t\t\t";
+#ifdef BIND9
struct dns_dumpctx {
unsigned int magic;
isc_mem_t *mctx;
@@ -183,6 +190,7 @@ struct dns_dumpctx {
dns_totext_ctx_t *ctx,
isc_buffer_t *buffer, FILE *f);
};
+#endif /* BIND9 */
#define NXDOMAIN(x) (((x)->attributes & DNS_RDATASETATTR_NXDOMAIN) != 0)
@@ -336,6 +344,52 @@ str_totext(const char *source, isc_buffer_t *target) {
return (ISC_R_SUCCESS);
}
+static isc_result_t
+ncache_summary(dns_rdataset_t *rdataset, isc_boolean_t omit_final_dot,
+ isc_buffer_t *target)
+{
+ isc_result_t result = ISC_R_SUCCESS;
+ dns_rdataset_t rds;
+ dns_name_t name;
+
+ dns_rdataset_init(&rds);
+ dns_name_init(&name, NULL);
+
+ do {
+ dns_ncache_current(rdataset, &name, &rds);
+ for (result = dns_rdataset_first(&rds);
+ result == ISC_R_SUCCESS;
+ result = dns_rdataset_next(&rds)) {
+ CHECK(str_totext("; ", target));
+ CHECK(dns_name_totext(&name, omit_final_dot, target));
+ CHECK(str_totext(" ", target));
+ CHECK(dns_rdatatype_totext(rds.type, target));
+ if (rds.type == dns_rdatatype_rrsig) {
+ CHECK(str_totext(" ", target));
+ CHECK(dns_rdatatype_totext(rds.covers, target));
+ CHECK(str_totext(" ...\n", target));
+ } else {
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ dns_rdataset_current(&rds, &rdata);
+ CHECK(str_totext(" ", target));
+ CHECK(dns_rdata_tofmttext(&rdata, dns_rootname,
+ 0, 0, " ", target));
+ CHECK(str_totext("\n", target));
+ }
+ }
+ dns_rdataset_disassociate(&rds);
+ result = dns_rdataset_next(rdataset);
+ } while (result == ISC_R_SUCCESS);
+
+ if (result == ISC_R_NOMORE)
+ result = ISC_R_SUCCESS;
+ cleanup:
+ if (dns_rdataset_isassociated(&rds))
+ dns_rdataset_disassociate(&rds);
+
+ return (result);
+}
+
/*
* Convert 'rdataset' to master file text format according to 'ctx',
* storing the result in 'target'. If 'owner_name' is NULL, it
@@ -461,6 +515,13 @@ rdataset_totext(dns_rdataset_t *rdataset,
RETERR(str_totext(";-$NXDOMAIN\n", target));
else
RETERR(str_totext(";-$NXRRSET\n", target));
+ /*
+ * Print a summary of the cached records which make
+ * up the negative response.
+ */
+ RETERR(ncache_summary(rdataset, omit_final_dot,
+ target));
+ break;
} else {
dns_rdata_t rdata = DNS_RDATA_INIT;
isc_region_t r;
@@ -636,6 +697,7 @@ dns_master_questiontotext(dns_name_t *owner_name,
ISC_FALSE, target));
}
+#ifdef BIND9
/*
* Print an rdataset. 'buffer' is a scratch buffer, which must have been
* dynamically allocated by the caller. It must be large enough to
@@ -1706,6 +1768,7 @@ dns_master_dumpnode(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *version,
return (result);
}
+#endif /* BIND9 */
isc_result_t
dns_master_stylecreate(dns_master_style_t **stylep, unsigned int flags,
diff --git a/contrib/bind9/lib/dns/message.c b/contrib/bind9/lib/dns/message.c
index 41a5d5fcccca..2b65f0e48243 100644
--- a/contrib/bind9/lib/dns/message.c
+++ b/contrib/bind9/lib/dns/message.c
@@ -1803,6 +1803,36 @@ wrong_priority(dns_rdataset_t *rds, int pass, dns_rdatatype_t preferred_glue) {
return (ISC_TRUE);
}
+#ifdef ALLOW_FILTER_AAAA_ON_V4
+/*
+ * Decide whether to not answer with an AAAA record and its RRSIG
+ */
+static inline isc_boolean_t
+norender_rdataset(const dns_rdataset_t *rdataset, unsigned int options)
+{
+ switch (rdataset->type) {
+ case dns_rdatatype_aaaa:
+ if ((options & DNS_MESSAGERENDER_FILTER_AAAA) == 0)
+ return (ISC_FALSE);
+ break;
+
+ case dns_rdatatype_rrsig:
+ if ((options & DNS_MESSAGERENDER_FILTER_AAAA) == 0 ||
+ rdataset->covers != dns_rdatatype_aaaa)
+ return (ISC_FALSE);
+ break;
+
+ default:
+ return (ISC_FALSE);
+ }
+
+ if (rdataset->rdclass != dns_rdataclass_in)
+ return (ISC_FALSE);
+
+ return (ISC_TRUE);
+}
+
+#endif
isc_result_t
dns_message_rendersection(dns_message_t *msg, dns_section_t sectionid,
unsigned int options)
@@ -1930,6 +1960,23 @@ dns_message_rendersection(dns_message_t *msg, dns_section_t sectionid,
preferred_glue))
goto next;
+#ifdef ALLOW_FILTER_AAAA_ON_V4
+ /*
+ * Suppress AAAAs if asked and we are
+ * not doing DNSSEC or are breaking DNSSEC.
+ * Say so in the AD bit if we break DNSSEC.
+ */
+ if (norender_rdataset(rdataset, options) &&
+ sectionid != DNS_SECTION_QUESTION) {
+ if (sectionid == DNS_SECTION_ANSWER ||
+ sectionid == DNS_SECTION_AUTHORITY)
+ msg->flags &= ~DNS_MESSAGEFLAG_AD;
+ if (OPTOUT(rdataset))
+ msg->flags &= ~DNS_MESSAGEFLAG_AD;
+ goto next;
+ }
+
+#endif
st = *(msg->buffer);
count = 0;
@@ -3071,6 +3118,7 @@ dns_message_sectiontotext(dns_message_t *msg, dns_section_t section,
dns_name_t *name, empty_name;
dns_rdataset_t *rdataset;
isc_result_t result;
+ isc_boolean_t seensoa = ISC_FALSE;
REQUIRE(DNS_MESSAGE_VALID(msg));
REQUIRE(target != NULL);
@@ -3100,6 +3148,15 @@ dns_message_sectiontotext(dns_message_t *msg, dns_section_t section,
for (rdataset = ISC_LIST_HEAD(name->list);
rdataset != NULL;
rdataset = ISC_LIST_NEXT(rdataset, link)) {
+ if (section == DNS_SECTION_ANSWER &&
+ rdataset->type == dns_rdatatype_soa) {
+ if ((flags & DNS_MESSAGETEXTFLAG_OMITSOA) != 0)
+ continue;
+ if (seensoa &&
+ (flags & DNS_MESSAGETEXTFLAG_ONESOA) != 0)
+ continue;
+ seensoa = ISC_TRUE;
+ }
if (section == DNS_SECTION_QUESTION) {
ADD_STRING(target, ";");
result = dns_master_questiontotext(name,
diff --git a/contrib/bind9/lib/dns/name.c b/contrib/bind9/lib/dns/name.c
index b546133adaf2..fab1f3345838 100644
--- a/contrib/bind9/lib/dns/name.c
+++ b/contrib/bind9/lib/dns/name.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2008, 2010-2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1998-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -34,6 +34,7 @@
#include <isc/util.h>
#include <dns/compress.h>
+#include <dns/fixedname.h>
#include <dns/name.h>
#include <dns/result.h>
@@ -1018,7 +1019,6 @@ dns_name_toregion(dns_name_t *name, isc_region_t *r) {
DNS_NAME_TOREGION(name, r);
}
-
isc_result_t
dns_name_fromtext(dns_name_t *name, isc_buffer_t *source,
const dns_name_t *origin, unsigned int options,
@@ -2353,6 +2353,75 @@ dns_name_format(dns_name_t *name, char *cp, unsigned int size) {
snprintf(cp, size, "<unknown>");
}
+/*
+ * dns_name_tostring() -- similar to dns_name_format() but allocates its own
+ * memory.
+ */
+isc_result_t
+dns_name_tostring(dns_name_t *name, char **target, isc_mem_t *mctx) {
+ isc_result_t result;
+ isc_buffer_t buf;
+ isc_region_t reg;
+ char *p, txt[DNS_NAME_FORMATSIZE];
+
+ REQUIRE(VALID_NAME(name));
+ REQUIRE(target != NULL && *target == NULL);
+
+ isc_buffer_init(&buf, txt, sizeof(txt));
+ result = dns_name_totext(name, ISC_FALSE, &buf);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ isc_buffer_usedregion(&buf, &reg);
+ p = isc_mem_allocate(mctx, reg.length + 1);
+ memcpy(p, (char *) reg.base, (int) reg.length);
+ p[reg.length] = '\0';
+
+ *target = p;
+ return (ISC_R_SUCCESS);
+}
+
+/*
+ * dns_name_fromstring() -- convert directly from a string to a name,
+ * allocating memory as needed
+ */
+isc_result_t
+dns_name_fromstring(dns_name_t *target, const char *src, unsigned int options,
+ isc_mem_t *mctx)
+{
+ return (dns_name_fromstring2(target, src, dns_rootname, options, mctx));
+}
+
+isc_result_t
+dns_name_fromstring2(dns_name_t *target, const char *src,
+ const dns_name_t *origin, unsigned int options,
+ isc_mem_t *mctx)
+{
+ isc_result_t result;
+ isc_buffer_t buf;
+ dns_fixedname_t fn;
+ dns_name_t *name;
+
+ REQUIRE(src != NULL);
+
+ isc_buffer_init(&buf, src, strlen(src));
+ isc_buffer_add(&buf, strlen(src));
+ if (BINDABLE(target) && target->buffer != NULL)
+ name = target;
+ else {
+ dns_fixedname_init(&fn);
+ name = dns_fixedname_name(&fn);
+ }
+
+ result = dns_name_fromtext(name, &buf, origin, options, NULL);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ if (name != target)
+ result = dns_name_dupwithoffsets(name, mctx, target);
+ return (result);
+}
+
isc_result_t
dns_name_copy(dns_name_t *source, dns_name_t *dest, isc_buffer_t *target) {
unsigned char *ndata;
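Review bot: In dns_name_tostring() the result of `isc_mem_allocate(mctx, reg.length + 1)` is passed straight to memcpy() with no NULL check, so an allocation failure becomes a NULL write instead of an error return, assuming the allocator can return NULL in this tree. The function already returns isc_result_t, so add `if (p == NULL) return (ISC_R_NOMEMORY);` before the copy. The header comment should also say that the caller owns `*target` and must release it with isc_mem_free() against the same mctx. The `(int)` cast on the memcpy length is unnecessary and could be dropped.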
diff --git a/contrib/bind9/lib/dns/ncache.c b/contrib/bind9/lib/dns/ncache.c
index 077a217dd761..c0e99d4969d4 100644
--- a/contrib/bind9/lib/dns/ncache.c
+++ b/contrib/bind9/lib/dns/ncache.c
@@ -35,7 +35,7 @@
#define DNS_NCACHE_RDATA 20U
/*
- * The format of an ncache rdata is a sequence of one or more records of
+ * The format of an ncache rdata is a sequence of zero or more records of
* the following format:
*
* owner name
@@ -223,42 +223,6 @@ dns_ncache_addoptout(dns_message_t *message, dns_db_t *cache,
return (result);
if (trust == 0xffff) {
- /*
- * We didn't find any authority data from which to create a
- * negative cache rdataset. In particular, we have no SOA.
- *
- * We trust that the caller wants negative caching, so this
- * means we have a "type 3 nxdomain" or "type 3 nodata"
- * response (see RFC2308 for details).
- *
- * We will now build a suitable negative cache rdataset that
- * will cause zero bytes to be emitted when converted to
- * wire format.
- */
-
- /*
- * The ownername must exist, but it doesn't matter what value
- * it has. We use the root name.
- */
- dns_name_toregion(dns_rootname, &r);
- result = isc_buffer_copyregion(&buffer, &r);
- if (result != ISC_R_SUCCESS)
- return (result);
- /*
- * Copy the type and a zero rdata count to the buffer.
- */
- isc_buffer_availableregion(&buffer, &r);
- if (r.length < 5)
- return (ISC_R_NOSPACE);
- isc_buffer_putuint16(&buffer, 0); /* type */
- /*
- * RFC2308, section 5, says that negative answers without
- * SOAs should not be cached.
- */
- ttl = 0;
- /*
- * Set trust.
- */
if ((message->flags & DNS_MESSAGEFLAG_AA) != 0 &&
message->counts[DNS_SECTION_ANSWER] == 0) {
/*
@@ -268,22 +232,7 @@ dns_ncache_addoptout(dns_message_t *message, dns_db_t *cache,
trust = dns_trust_authauthority;
} else
trust = dns_trust_additional;
- isc_buffer_putuint8(&buffer, (unsigned char)trust); /* trust */
- isc_buffer_putuint16(&buffer, 0); /* count */
-
- /*
- * Now add it to the cache.
- */
- if (next >= DNS_NCACHE_RDATA)
- return (ISC_R_NOSPACE);
- dns_rdata_init(&rdata[next]);
- isc_buffer_remainingregion(&buffer, &r);
- rdata[next].data = r.base;
- rdata[next].length = r.length;
- rdata[next].rdclass = ncrdatalist.rdclass;
- rdata[next].type = 0;
- rdata[next].flags = 0;
- ISC_LIST_APPEND(ncrdatalist.rdata, &rdata[next], link);
+ ttl = 0;
}
INSIST(trust != 0xffff);
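Review bot: The `ttl = 0;` added at the end of the `trust == 0xffff` branch has no comment, and the block removed in the previous hunk carried the only explanation of why the TTL is forced to zero. I would keep that reasoning next to the assignment, e.g. `/* RFC 2308, section 5: negative answers without an SOA should not be cached. */`. It is also worth a sentence noting that no placeholder rdata is appended any more, so the resulting ncache rdataset can hold zero records and readers must tolerate that. The branch opens in the preceding hunk.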
diff --git a/contrib/bind9/lib/dns/nsec3.c b/contrib/bind9/lib/dns/nsec3.c
index 44fe5a8ec9b5..123126dc3f03 100644
--- a/contrib/bind9/lib/dns/nsec3.c
+++ b/contrib/bind9/lib/dns/nsec3.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2006, 2008, 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2006, 2008-2012 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@@ -28,6 +28,8 @@
#include <dst/dst.h>
#include <dns/db.h>
+#include <dns/zone.h>
+#include <dns/compress.h>
#include <dns/dbiterator.h>
#include <dns/diff.h>
#include <dns/fixedname.h>
@@ -472,7 +474,6 @@ delete(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
return (result);
}
-#ifndef RFC5155_STRICT
static isc_boolean_t
better_param(dns_rdataset_t *nsec3paramset, dns_rdata_t *param) {
dns_rdataset_t rdataset;
@@ -487,7 +488,17 @@ better_param(dns_rdataset_t *nsec3paramset, dns_rdata_t *param) {
result == ISC_R_SUCCESS;
result = dns_rdataset_next(&rdataset)) {
dns_rdata_t rdata = DNS_RDATA_INIT;
- dns_rdataset_current(&rdataset, &rdata);
+ unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];
+
+ if (rdataset.type != dns_rdatatype_nsec3param) {
+ dns_rdata_t tmprdata = DNS_RDATA_INIT;
+ dns_rdataset_current(&rdataset, &tmprdata);
+ if (!dns_nsec3param_fromprivate(&tmprdata, &rdata,
+ buf, sizeof(buf)))
+ continue;
+ } else
+ dns_rdataset_current(&rdataset, &rdata);
+
if (rdata.length != param->length)
continue;
if (rdata.data[0] != param->data[0] ||
@@ -505,7 +516,6 @@ better_param(dns_rdataset_t *nsec3paramset, dns_rdata_t *param) {
dns_rdataset_disassociate(&rdataset);
return (ISC_FALSE);
}
-#endif
static isc_result_t
find_nsec3(dns_rdata_nsec3_t *nsec3, dns_rdataset_t *rdataset,
@@ -547,8 +557,8 @@ dns_nsec3_addnsec3(dns_db_t *db, dns_dbversion_t *version,
dns_rdata_t rdata = DNS_RDATA_INIT;
dns_rdataset_t rdataset;
int pass;
- isc_boolean_t exists;
- isc_boolean_t remove_unsecure = ISC_FALSE;
+ isc_boolean_t exists = ISC_FALSE;
+ isc_boolean_t maybe_remove_unsecure = ISC_FALSE;
isc_uint8_t flags;
isc_buffer_t buffer;
isc_result_t result;
@@ -629,8 +639,12 @@ dns_nsec3_addnsec3(dns_db_t *db, dns_dbversion_t *version,
*/
if (!unsecure)
goto addnsec3;
- else
- remove_unsecure = ISC_TRUE;
+ else if (CREATE(nsec3param->flags) && OPTOUT(flags)) {
+ result = dns_nsec3_delnsec3(db, version, name,
+ nsec3param, diff);
+ goto failure;
+ } else
+ maybe_remove_unsecure = ISC_TRUE;
} else {
dns_rdataset_disassociate(&rdataset);
if (result != ISC_R_NOMORE)
@@ -666,26 +680,19 @@ dns_nsec3_addnsec3(dns_db_t *db, dns_dbversion_t *version,
if (result != ISC_R_SUCCESS)
goto failure;
- if (remove_unsecure) {
+ if (maybe_remove_unsecure) {
dns_rdataset_disassociate(&rdataset);
/*
- * We have found the previous NSEC3 record and can now
- * see if the existing NSEC3 record needs to be
- * updated or deleted.
+ * If we have OPTOUT set in the previous NSEC3 record
+ * we actually need to delete the NSEC3 record.
+ * Otherwise we just need to replace the NSEC3 record.
*/
- if (!OPTOUT(nsec3.flags)) {
- /*
- * Just update the NSEC3 record.
- */
- goto addnsec3;
- } else {
- /*
- * This is actually a deletion not a add.
- */
+ if (OPTOUT(nsec3.flags)) {
result = dns_nsec3_delnsec3(db, version, name,
nsec3param, diff);
goto failure;
}
+ goto addnsec3;
} else {
/*
* Is this is a unsecure delegation we are adding?
@@ -928,17 +935,323 @@ dns_nsec3_addnsec3s(dns_db_t *db, dns_dbversion_t *version,
dns_rdata_t rdata = DNS_RDATA_INIT;
dns_rdataset_current(&rdataset, &rdata);
- dns_rdata_tostruct(&rdata, &nsec3param, NULL);
+ CHECK(dns_rdata_tostruct(&rdata, &nsec3param, NULL));
+
+ if (nsec3param.flags != 0)
+ continue;
+ /*
+ * We have a active chain. Update it.
+ */
+ CHECK(dns_nsec3_addnsec3(db, version, name, &nsec3param,
+ nsecttl, unsecure, diff));
+ }
+ if (result == ISC_R_NOMORE)
+ result = ISC_R_SUCCESS;
+
+ failure:
+ if (dns_rdataset_isassociated(&rdataset))
+ dns_rdataset_disassociate(&rdataset);
+ if (node != NULL)
+ dns_db_detachnode(db, &node);
+
+ return (result);
+}
+
+isc_boolean_t
+dns_nsec3param_fromprivate(dns_rdata_t *src, dns_rdata_t *target,
+ unsigned char *buf, size_t buflen)
+{
+ dns_decompress_t dctx;
+ isc_result_t result;
+ isc_buffer_t buf1;
+ isc_buffer_t buf2;
+
+ /*
+ * Algorithm 0 (reserved by RFC 4034) is used to identify
+ * NSEC3PARAM records from DNSKEY pointers.
+ */
+ if (src->length < 1 || src->data[0] != 0)
+ return (ISC_FALSE);
+
+ isc_buffer_init(&buf1, src->data + 1, src->length - 1);
+ isc_buffer_add(&buf1, src->length - 1);
+ isc_buffer_setactive(&buf1, src->length - 1);
+ isc_buffer_init(&buf2, buf, buflen);
+ dns_decompress_init(&dctx, -1, DNS_DECOMPRESS_NONE);
+ result = dns_rdata_fromwire(target, src->rdclass,
+ dns_rdatatype_nsec3param,
+ &buf1, &dctx, 0, &buf2);
+ dns_decompress_invalidate(&dctx);
+
+ return (ISC_TF(result == ISC_R_SUCCESS));
+}
+
+void
+dns_nsec3param_toprivate(dns_rdata_t *src, dns_rdata_t *target,
+ dns_rdatatype_t privatetype,
+ unsigned char *buf, size_t buflen)
+{
+ REQUIRE(buflen >= src->length + 1);
+
+ REQUIRE(DNS_RDATA_INITIALIZED(target));
+
+ memcpy(buf + 1, src->data, src->length);
+ buf[0] = 0;
+ target->data = buf;
+ target->length = src->length + 1;
+ target->type = privatetype;
+ target->rdclass = src->rdclass;
+ target->flags = 0;
+ ISC_LINK_INIT(target, link);
+}
+
+#ifdef BIND9
+static isc_result_t
+rr_exists(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
+ const dns_rdata_t *rdata, isc_boolean_t *flag)
+{
+ dns_rdataset_t rdataset;
+ dns_dbnode_t *node = NULL;
+ isc_result_t result;
+
+ dns_rdataset_init(&rdataset);
+ if (rdata->type == dns_rdatatype_nsec3)
+ CHECK(dns_db_findnsec3node(db, name, ISC_FALSE, &node));
+ else
+ CHECK(dns_db_findnode(db, name, ISC_FALSE, &node));
+ result = dns_db_findrdataset(db, node, ver, rdata->type, 0,
+ (isc_stdtime_t) 0, &rdataset, NULL);
+ if (result == ISC_R_NOTFOUND) {
+ *flag = ISC_FALSE;
+ result = ISC_R_SUCCESS;
+ goto failure;
+ }
+
+ for (result = dns_rdataset_first(&rdataset);
+ result == ISC_R_SUCCESS;
+ result = dns_rdataset_next(&rdataset)) {
+ dns_rdata_t myrdata = DNS_RDATA_INIT;
+ dns_rdataset_current(&rdataset, &myrdata);
+ if (!dns_rdata_casecompare(&myrdata, rdata))
+ break;
+ }
+ dns_rdataset_disassociate(&rdataset);
+ if (result == ISC_R_SUCCESS) {
+ *flag = ISC_TRUE;
+ } else if (result == ISC_R_NOMORE) {
+ *flag = ISC_FALSE;
+ result = ISC_R_SUCCESS;
+ }
+
+ failure:
+ if (node != NULL)
+ dns_db_detachnode(db, &node);
+ return (result);
+}
+#endif
+
+#ifdef BIND9
+isc_result_t
+dns_nsec3param_deletechains(dns_db_t *db, dns_dbversion_t *ver,
+ dns_zone_t *zone, dns_diff_t *diff)
+{
+ dns_dbnode_t *node = NULL;
+ dns_difftuple_t *tuple = NULL;
+ dns_name_t next;
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ dns_rdataset_t rdataset;
+ isc_boolean_t flag;
+ isc_result_t result = ISC_R_SUCCESS;
+ unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE + 1];
+ dns_name_t *origin = dns_zone_getorigin(zone);
+ dns_rdatatype_t privatetype = dns_zone_getprivatetype(zone);
+
+ dns_name_init(&next, NULL);
+ dns_rdataset_init(&rdataset);
+
+ result = dns_db_getoriginnode(db, &node);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ /*
+ * Cause all NSEC3 chains to be deleted.
+ */
+ result = dns_db_findrdataset(db, node, ver, dns_rdatatype_nsec3param,
+ 0, (isc_stdtime_t) 0, &rdataset, NULL);
+ if (result == ISC_R_NOTFOUND)
+ goto try_private;
+ if (result != ISC_R_SUCCESS)
+ goto failure;
+
+ for (result = dns_rdataset_first(&rdataset);
+ result == ISC_R_SUCCESS;
+ result = dns_rdataset_next(&rdataset)) {
+ dns_rdata_t private = DNS_RDATA_INIT;
+
+ dns_rdataset_current(&rdataset, &rdata);
+
+ CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_DEL, origin,
+ rdataset.ttl, &rdata, &tuple));
+ CHECK(do_one_tuple(&tuple, db, ver, diff));
+ INSIST(tuple == NULL);
+
+ dns_nsec3param_toprivate(&rdata, &private, privatetype,
+ buf, sizeof(buf));
+ buf[2] = DNS_NSEC3FLAG_REMOVE | DNS_NSEC3FLAG_NONSEC;
+
+ CHECK(rr_exists(db, ver, origin, &private, &flag));
+
+ if (!flag) {
+ CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD,
+ origin, 0, &private,
+ &tuple));
+ CHECK(do_one_tuple(&tuple, db, ver, diff));
+ INSIST(tuple == NULL);
+ }
+ dns_rdata_reset(&rdata);
+ }
+ if (result != ISC_R_NOMORE)
+ goto failure;
+
+ dns_rdataset_disassociate(&rdataset);
+
+ try_private:
+ if (privatetype == 0)
+ goto success;
+ result = dns_db_findrdataset(db, node, ver, privatetype, 0,
+ (isc_stdtime_t) 0, &rdataset, NULL);
+ if (result == ISC_R_NOTFOUND)
+ goto success;
+ if (result != ISC_R_SUCCESS)
+ goto failure;
+
+ for (result = dns_rdataset_first(&rdataset);
+ result == ISC_R_SUCCESS;
+ result = dns_rdataset_next(&rdataset)) {
+ dns_rdataset_current(&rdataset, &rdata);
+ INSIST(rdata.length <= sizeof(buf));
+ memcpy(buf, rdata.data, rdata.length);
+
+ if (buf[0] != 0 ||
+ buf[2] == (DNS_NSEC3FLAG_REMOVE | DNS_NSEC3FLAG_NONSEC)) {
+ dns_rdata_reset(&rdata);
+ continue;
+ }
+
+ CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_DEL, origin,
+ 0, &rdata, &tuple));
+ CHECK(do_one_tuple(&tuple, db, ver, diff));
+ INSIST(tuple == NULL);
+
+ rdata.data = buf;
+ buf[2] = DNS_NSEC3FLAG_REMOVE | DNS_NSEC3FLAG_NONSEC;
+
+ CHECK(rr_exists(db, ver, origin, &rdata, &flag));
+
+ if (!flag) {
+ CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD,
+ origin, 0, &rdata, &tuple));
+ CHECK(do_one_tuple(&tuple, db, ver, diff));
+ INSIST(tuple == NULL);
+ }
+ dns_rdata_reset(&rdata);
+ }
+ if (result != ISC_R_NOMORE)
+ goto failure;
+ success:
+ result = ISC_R_SUCCESS;
+
+ failure:
+ if (dns_rdataset_isassociated(&rdataset))
+ dns_rdataset_disassociate(&rdataset);
+ dns_db_detachnode(db, &node);
+ return (result);
+}
+#endif
+
+isc_result_t
+dns_nsec3_addnsec3sx(dns_db_t *db, dns_dbversion_t *version,
+ dns_name_t *name, dns_ttl_t nsecttl,
+ isc_boolean_t unsecure, dns_rdatatype_t type,
+ dns_diff_t *diff)
+{
+ dns_dbnode_t *node = NULL;
+ dns_rdata_nsec3param_t nsec3param;
+ dns_rdataset_t rdataset;
+ dns_rdataset_t prdataset;
+ isc_result_t result;
+
+ dns_rdataset_init(&rdataset);
+ dns_rdataset_init(&prdataset);
+
+ /*
+ * Find the NSEC3 parameters for this zone.
+ */
+ result = dns_db_getoriginnode(db, &node);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ result = dns_db_findrdataset(db, node, version, type, 0, 0,
+ &prdataset, NULL);
+ if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND)
+ goto failure;
+
+ result = dns_db_findrdataset(db, node, version,
+ dns_rdatatype_nsec3param, 0, 0,
+ &rdataset, NULL);
+ if (result == ISC_R_NOTFOUND)
+ goto try_private;
+ if (result != ISC_R_SUCCESS)
+ goto failure;
+
+ /*
+ * Update each active NSEC3 chain.
+ */
+ for (result = dns_rdataset_first(&rdataset);
+ result == ISC_R_SUCCESS;
+ result = dns_rdataset_next(&rdataset)) {
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+
+ dns_rdataset_current(&rdataset, &rdata);
+ CHECK(dns_rdata_tostruct(&rdata, &nsec3param, NULL));
-#ifdef RFC5155_STRICT
if (nsec3param.flags != 0)
continue;
-#else
+
+ /*
+ * We have a active chain. Update it.
+ */
+ CHECK(dns_nsec3_addnsec3(db, version, name, &nsec3param,
+ nsecttl, unsecure, diff));
+ }
+ if (result != ISC_R_NOMORE)
+ goto failure;
+
+ dns_rdataset_disassociate(&rdataset);
+
+ try_private:
+ if (!dns_rdataset_isassociated(&prdataset))
+ goto success;
+ /*
+ * Update each active NSEC3 chain.
+ */
+ for (result = dns_rdataset_first(&prdataset);
+ result == ISC_R_SUCCESS;
+ result = dns_rdataset_next(&prdataset)) {
+ dns_rdata_t rdata1 = DNS_RDATA_INIT;
+ dns_rdata_t rdata2 = DNS_RDATA_INIT;
+ unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];
+
+ dns_rdataset_current(&prdataset, &rdata1);
+ if (!dns_nsec3param_fromprivate(&rdata1, &rdata2,
+ buf, sizeof(buf)))
+ continue;
+ CHECK(dns_rdata_tostruct(&rdata2, &nsec3param, NULL));
+
if ((nsec3param.flags & DNS_NSEC3FLAG_REMOVE) != 0)
continue;
- if (better_param(&rdataset, &rdata))
+ if (better_param(&prdataset, &rdata2))
continue;
-#endif
/*
* We have a active chain. Update it.
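Review bot: In the `try_private:` loop of dns_nsec3param_deletechains(), `buf[0]` and `buf[2]` are tested after `memcpy(buf, rdata.data, rdata.length)` with no lower bound on `rdata.length`. A private-type record shorter than three bytes is therefore judged on whatever an earlier iteration left in `buf`, and it can then be re-added with `rdata.data = buf` and a flags byte that was never part of the record. The only size check is `INSIST(rdata.length <= sizeof(buf))`, which turns an oversized record in zone data into an assertion failure rather than a skipped record. I would replace the INSIST with a guard before the copy, `if (rdata.length < 3 || rdata.length > sizeof(buf)) { dns_rdata_reset(&rdata); continue; }`. How such records can get into the zone is not visible here, so the reachability of both cases should be confirmed.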
@@ -947,11 +1260,13 @@ dns_nsec3_addnsec3s(dns_db_t *db, dns_dbversion_t *version,
nsecttl, unsecure, diff));
}
if (result == ISC_R_NOMORE)
+ success:
result = ISC_R_SUCCESS;
-
failure:
if (dns_rdataset_isassociated(&rdataset))
dns_rdataset_disassociate(&rdataset);
+ if (dns_rdataset_isassociated(&prdataset))
+ dns_rdataset_disassociate(&prdataset);
if (node != NULL)
dns_db_detachnode(db, &node);
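Review bot: The `success:` label is attached to the statement controlled by `if (result == ISC_R_NOMORE)`, so `goto success` jumps into the body of an if. That is legal C but easy to misread, and it silently depends on the loop above never ending with any result other than ISC_R_NOMORE. It would read more plainly as `if (result != ISC_R_NOMORE) goto failure;` followed by `success:` and `result = ISC_R_SUCCESS;` on their own lines, which is the form dns_nsec3param_deletechains() already uses in this commit. The same construct appears in the later `@@ -1307,6 +1660,7 @@` hunk for dns_nsec3_delnsec3sx().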
@@ -1120,6 +1435,8 @@ dns_nsec3_delnsec3(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
*/
nsec3.next = nexthash;
nsec3.next_length = next_length;
+ if (CREATE(nsec3param->flags))
+ nsec3.flags = nsec3param->flags & DNS_NSEC3FLAG_OPTOUT;
isc_buffer_init(&buffer, nsec3buf, sizeof(nsec3buf));
CHECK(dns_rdata_fromstruct(&rdata, rdataset.rdclass,
dns_rdatatype_nsec3, &nsec3,
@@ -1257,6 +1574,13 @@ isc_result_t
dns_nsec3_delnsec3s(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
dns_diff_t *diff)
{
+ return (dns_nsec3_delnsec3sx(db, version, name, 0, diff));
+}
+
+isc_result_t
+dns_nsec3_delnsec3sx(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
+ dns_rdatatype_t privatetype, dns_diff_t *diff)
+{
dns_dbnode_t *node = NULL;
dns_rdata_nsec3param_t nsec3param;
dns_rdataset_t rdataset;
@@ -1274,11 +1598,10 @@ dns_nsec3_delnsec3s(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
result = dns_db_findrdataset(db, node, version,
dns_rdatatype_nsec3param, 0, 0,
&rdataset, NULL);
- dns_db_detachnode(db, &node);
if (result == ISC_R_NOTFOUND)
- return (ISC_R_SUCCESS);
+ goto try_private;
if (result != ISC_R_SUCCESS)
- return (result);
+ goto failure;
/*
* Update each active NSEC3 chain.
@@ -1289,17 +1612,47 @@ dns_nsec3_delnsec3s(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
dns_rdata_t rdata = DNS_RDATA_INIT;
dns_rdataset_current(&rdataset, &rdata);
- dns_rdata_tostruct(&rdata, &nsec3param, NULL);
+ CHECK(dns_rdata_tostruct(&rdata, &nsec3param, NULL));
-#ifdef RFC5155_STRICT
if (nsec3param.flags != 0)
continue;
-#else
+ /*
+ * We have a active chain. Update it.
+ */
+ CHECK(dns_nsec3_delnsec3(db, version, name, &nsec3param, diff));
+ }
+ dns_rdataset_disassociate(&rdataset);
+
+ try_private:
+ if (privatetype == 0)
+ goto success;
+ result = dns_db_findrdataset(db, node, version, privatetype, 0, 0,
+ &rdataset, NULL);
+ if (result == ISC_R_NOTFOUND)
+ goto success;
+ if (result != ISC_R_SUCCESS)
+ goto failure;
+
+ /*
+ * Update each NSEC3 chain being built.
+ */
+ for (result = dns_rdataset_first(&rdataset);
+ result == ISC_R_SUCCESS;
+ result = dns_rdataset_next(&rdataset)) {
+ dns_rdata_t rdata1 = DNS_RDATA_INIT;
+ dns_rdata_t rdata2 = DNS_RDATA_INIT;
+ unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];
+
+ dns_rdataset_current(&rdataset, &rdata1);
+ if (!dns_nsec3param_fromprivate(&rdata1, &rdata2,
+ buf, sizeof(buf)))
+ continue;
+ CHECK(dns_rdata_tostruct(&rdata2, &nsec3param, NULL));
+
if ((nsec3param.flags & DNS_NSEC3FLAG_REMOVE) != 0)
continue;
- if (better_param(&rdataset, &rdata))
+ if (better_param(&rdataset, &rdata2))
continue;
-#endif
/*
* We have a active chain. Update it.
@@ -1307,6 +1660,7 @@ dns_nsec3_delnsec3s(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
CHECK(dns_nsec3_delnsec3(db, version, name, &nsec3param, diff));
}
if (result == ISC_R_NOMORE)
+ success:
result = ISC_R_SUCCESS;
failure:
@@ -1322,6 +1676,14 @@ isc_result_t
dns_nsec3_active(dns_db_t *db, dns_dbversion_t *version,
isc_boolean_t complete, isc_boolean_t *answer)
{
+ return (dns_nsec3_activex(db, version, complete, 0, answer));
+}
+
+isc_result_t
+dns_nsec3_activex(dns_db_t *db, dns_dbversion_t *version,
+ isc_boolean_t complete, dns_rdatatype_t privatetype,
+ isc_boolean_t *answer)
+{
dns_dbnode_t *node = NULL;
dns_rdataset_t rdataset;
dns_rdata_nsec3param_t nsec3param;
@@ -1338,34 +1700,78 @@ dns_nsec3_active(dns_db_t *db, dns_dbversion_t *version,
result = dns_db_findrdataset(db, node, version,
dns_rdatatype_nsec3param, 0, 0,
&rdataset, NULL);
- dns_db_detachnode(db, &node);
+ if (result == ISC_R_NOTFOUND)
+ goto try_private;
+
+ if (result != ISC_R_SUCCESS) {
+ dns_db_detachnode(db, &node);
+ return (result);
+ }
+ for (result = dns_rdataset_first(&rdataset);
+ result == ISC_R_SUCCESS;
+ result = dns_rdataset_next(&rdataset)) {
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+
+ dns_rdataset_current(&rdataset, &rdata);
+ result = dns_rdata_tostruct(&rdata, &nsec3param, NULL);
+ RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+ if (nsec3param.flags == 0)
+ break;
+ }
+ dns_rdataset_disassociate(&rdataset);
+ if (result == ISC_R_SUCCESS) {
+ dns_db_detachnode(db, &node);
+ *answer = ISC_TRUE;
+ return (ISC_R_SUCCESS);
+ }
+ if (result == ISC_R_NOMORE)
+ *answer = ISC_FALSE;
+
+ try_private:
+ if (privatetype == 0 || complete) {
+ *answer = ISC_FALSE;
+ return (ISC_R_SUCCESS);
+ }
+ result = dns_db_findrdataset(db, node, version, privatetype, 0, 0,
+ &rdataset, NULL);
+
+ dns_db_detachnode(db, &node);
if (result == ISC_R_NOTFOUND) {
*answer = ISC_FALSE;
return (ISC_R_SUCCESS);
}
if (result != ISC_R_SUCCESS)
return (result);
+
for (result = dns_rdataset_first(&rdataset);
result == ISC_R_SUCCESS;
result = dns_rdataset_next(&rdataset)) {
- dns_rdata_t rdata = DNS_RDATA_INIT;
+ dns_rdata_t rdata1 = DNS_RDATA_INIT;
+ dns_rdata_t rdata2 = DNS_RDATA_INIT;
+ unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];
- dns_rdataset_current(&rdataset, &rdata);
- result = dns_rdata_tostruct(&rdata, &nsec3param, NULL);
+ dns_rdataset_current(&rdataset, &rdata1);
+ if (!dns_nsec3param_fromprivate(&rdata1, &rdata2,
+ buf, sizeof(buf)))
+ continue;
+ result = dns_rdata_tostruct(&rdata2, &nsec3param, NULL);
RUNTIME_CHECK(result == ISC_R_SUCCESS);
- if ((nsec3param.flags) == 0 ||
- (!complete && CREATE(nsec3param.flags)))
+ if (!complete && CREATE(nsec3param.flags))
break;
}
dns_rdataset_disassociate(&rdataset);
- if (result == ISC_R_SUCCESS)
+ if (result == ISC_R_SUCCESS) {
*answer = ISC_TRUE;
+ result = ISC_R_SUCCESS;
+ }
if (result == ISC_R_NOMORE) {
*answer = ISC_FALSE;
result = ISC_R_SUCCESS;
}
+
return (result);
}
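Review bot: The early return added under `try_private:` (`if (privatetype == 0 || complete) { *answer = ISC_FALSE; return (ISC_R_SUCCESS); }`) leaves `node` attached. This hunk removes the unconditional `dns_db_detachnode(db, &node)` that followed the first dns_db_findrdataset() and re-adds it on the other exits, but not on this one. Both the ISC_R_NOTFOUND jump and the fall-through after the NSEC3PARAM loop reach that return, and dns_nsec3_active() always passes privatetype 0, so the wrapper takes this path whenever no active chain is found. Add `dns_db_detachnode(db, &node);` as the first statement of that block. The function begins before the hunk, so the point where `node` is acquired is not visible here.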
diff --git a/contrib/bind9/lib/dns/openssl_link.c b/contrib/bind9/lib/dns/openssl_link.c
index dd930bdb64fe..d186761c2caa 100644
--- a/contrib/bind9/lib/dns/openssl_link.c
+++ b/contrib/bind9/lib/dns/openssl_link.c
@@ -54,12 +54,6 @@
#ifdef USE_ENGINE
#include <openssl/engine.h>
-
-#ifdef ENGINE_ID
-const char *engine_id = ENGINE_ID;
-#else
-const char *engine_id;
-#endif
#endif
static RAND_METHOD *rm = NULL;
@@ -68,15 +62,7 @@ static isc_mutex_t *locks = NULL;
static int nlocks;
#ifdef USE_ENGINE
-static ENGINE *e;
-static ENGINE *he;
-#endif
-
-#ifdef USE_PKCS11
-static isc_result_t
-dst__openssl_load_engine(const char *name, const char *engine_id,
- const char **pre_cmds, int pre_num,
- const char **post_cmds, int post_num);
+static ENGINE *e = NULL;
#endif
static int
@@ -129,8 +115,16 @@ id_callback(void) {
static void *
mem_alloc(size_t size) {
+#ifdef OPENSSL_LEAKS
+ void *ptr;
+
+ INSIST(dst__memory_pool != NULL);
+ ptr = isc_mem_allocate(dst__memory_pool, size);
+ return (ptr);
+#else
INSIST(dst__memory_pool != NULL);
return (isc_mem_allocate(dst__memory_pool, size));
+#endif
}
static void
@@ -142,16 +136,26 @@ mem_free(void *ptr) {
static void *
mem_realloc(void *ptr, size_t size) {
+#ifdef OPENSSL_LEAKS
+ void *rptr;
+
+ INSIST(dst__memory_pool != NULL);
+ rptr = isc_mem_reallocate(dst__memory_pool, ptr, size);
+ return (rptr);
+#else
INSIST(dst__memory_pool != NULL);
return (isc_mem_reallocate(dst__memory_pool, ptr, size));
+#endif
}
isc_result_t
-dst__openssl_init() {
+dst__openssl_init(const char *engine) {
isc_result_t result;
#ifdef USE_ENGINE
- /* const char *name; */
ENGINE *re;
+#else
+
+ UNUSED(engine);
#endif
#ifdef DNS_CRYPTO_LEAKS
@@ -183,70 +187,26 @@ dst__openssl_init() {
rm->add = entropy_add;
rm->pseudorand = entropy_getpseudo;
rm->status = entropy_status;
+
#ifdef USE_ENGINE
OPENSSL_config(NULL);
-#ifdef USE_PKCS11
-#ifndef PKCS11_SO_PATH
-#define PKCS11_SO_PATH "/usr/local/lib/engines/engine_pkcs11.so"
-#endif
-#ifndef PKCS11_MODULE_PATH
-#define PKCS11_MODULE_PATH "/usr/lib/libpkcs11.so"
-#endif
- {
- /*
- * to use this to config the PIN, add in openssl.cnf:
- * - at the beginning: "openssl_conf = openssl_def"
- * - at any place these sections:
- * [ openssl_def ]
- * engines = engine_section
- * [ engine_section ]
- * pkcs11 = pkcs11_section
- * [ pkcs11_section ]
- * PIN = my___pin
- */
-
- const char *pre_cmds[] = {
- "SO_PATH", PKCS11_SO_PATH,
- "LOAD", NULL,
- "MODULE_PATH", PKCS11_MODULE_PATH
- };
- const char *post_cmds[] = {
- /* "PIN", "my___pin" */
- };
- result = dst__openssl_load_engine("pkcs11", "pkcs11",
- pre_cmds, 0,
- post_cmds, /*1*/ 0);
- if (result != ISC_R_SUCCESS)
- goto cleanup_rm;
- }
-#endif /* USE_PKCS11 */
- if (engine_id != NULL) {
- e = ENGINE_by_id(engine_id);
+
+ if (engine != NULL && *engine == '\0')
+ engine = NULL;
+
+ if (engine != NULL) {
+ e = ENGINE_by_id(engine);
if (e == NULL) {
- result = ISC_R_NOTFOUND;
+ result = DST_R_NOENGINE;
goto cleanup_rm;
}
- if (!ENGINE_init(e)) {
- result = ISC_R_FAILURE;
- ENGINE_free(e);
+ /* This will init the engine. */
+ if (!ENGINE_set_default(e, ENGINE_METHOD_ALL)) {
+ result = DST_R_NOENGINE;
goto cleanup_rm;
}
- ENGINE_set_default(e, ENGINE_METHOD_ALL);
- ENGINE_free(e);
- } else {
- ENGINE_register_all_complete();
- for (e = ENGINE_get_first(); e != NULL; e = ENGINE_get_next(e)) {
-
- /*
- * Something weird here. If we call ENGINE_finish()
- * ENGINE_get_default_RAND() will fail.
- */
- if (ENGINE_init(e)) {
- if (he == NULL)
- he = e;
- }
- }
}
+
re = ENGINE_get_default_RAND();
if (re == NULL) {
re = ENGINE_new();
@@ -259,7 +219,6 @@ dst__openssl_init() {
ENGINE_free(re);
} else
ENGINE_finish(re);
-
#else
RAND_set_rand_method(rm);
#endif /* USE_ENGINE */
@@ -267,13 +226,18 @@ dst__openssl_init() {
#ifdef USE_ENGINE
cleanup_rm:
+ if (e != NULL)
+ ENGINE_free(e);
+ e = NULL;
mem_free(rm);
+ rm = NULL;
#endif
cleanup_mutexinit:
CRYPTO_set_locking_callback(NULL);
DESTROYMUTEXBLOCK(locks, nlocks);
cleanup_mutexalloc:
mem_free(locks);
+ locks = NULL;
return (result);
}
@@ -283,15 +247,22 @@ dst__openssl_destroy() {
/*
* Sequence taken from apps_shutdown() in <apps/apps.h>.
*/
+ if (rm != NULL) {
+#if OPENSSL_VERSION_NUMBER >= 0x00907000L
+ RAND_cleanup();
+#endif
+ mem_free(rm);
+ rm = NULL;
+ }
#if (OPENSSL_VERSION_NUMBER >= 0x00907000L)
- CONF_modules_unload(1);
+ CONF_modules_free();
#endif
+ OBJ_cleanup();
EVP_cleanup();
#if defined(USE_ENGINE)
- if (e != NULL) {
- ENGINE_finish(e);
- e = NULL;
- }
+ if (e != NULL)
+ ENGINE_free(e);
+ e = NULL;
#if defined(USE_ENGINE) && OPENSSL_VERSION_NUMBER >= 0x00907000L
ENGINE_cleanup();
#endif
@@ -300,23 +271,18 @@ dst__openssl_destroy() {
CRYPTO_cleanup_all_ex_data();
#endif
ERR_clear_error();
- ERR_free_strings();
ERR_remove_state(0);
+ ERR_free_strings();
#ifdef DNS_CRYPTO_LEAKS
CRYPTO_mem_leaks_fp(stderr);
#endif
- if (rm != NULL) {
-#if OPENSSL_VERSION_NUMBER >= 0x00907000L
- RAND_cleanup();
-#endif
- mem_free(rm);
- }
if (locks != NULL) {
CRYPTO_set_locking_callback(NULL);
DESTROYMUTEXBLOCK(locks, nlocks);
mem_free(locks);
+ locks = NULL;
}
}
@@ -372,87 +338,17 @@ dst__openssl_toresult2(const char *funcname, isc_result_t fallback) {
#if defined(USE_ENGINE)
ENGINE *
-dst__openssl_getengine(const char *name) {
-
- UNUSED(name);
-
- return (he);
-}
-#endif
-
-isc_result_t
-dst__openssl_setdefault(const char *name) {
-
- UNUSED(name);
-
-#if defined(USE_ENGINE)
- ENGINE_set_default(e, ENGINE_METHOD_ALL);
-#endif
- /*
- * XXXMPA If the engine does not have a default RAND method
- * restore our method.
- */
- return (ISC_R_SUCCESS);
-}
+dst__openssl_getengine(const char *engine) {
-#ifdef USE_PKCS11
-/*
- * 'name' is the name the engine is known by to the dst library.
- * This may or may not match the name the engine is known by to
- * openssl. It is the name that is stored in the private key file.
- *
- * 'engine_id' is the openssl engine name.
- *
- * pre_cmds and post_cmds a sequence if command argument pairs
- * pre_num and post_num are a count of those pairs.
- *
- * "SO_PATH", PKCS11_SO_PATH ("/usr/local/lib/engines/engine_pkcs11.so")
- * "LOAD", NULL
- * "MODULE_PATH", PKCS11_MODULE_PATH ("/usr/lib/libpkcs11.so")
- */
-static isc_result_t
-dst__openssl_load_engine(const char *name, const char *engine_id,
- const char **pre_cmds, int pre_num,
- const char **post_cmds, int post_num)
-{
- ENGINE *e;
-
- UNUSED(name);
-
- if (!strcasecmp(engine_id, "dynamic"))
- ENGINE_load_dynamic();
- e = ENGINE_by_id(engine_id);
+ if (engine == NULL)
+ return (NULL);
if (e == NULL)
- return (ISC_R_NOTFOUND);
- while (pre_num--) {
- if (!ENGINE_ctrl_cmd_string(e, pre_cmds[0], pre_cmds[1], 0)) {
- ENGINE_free(e);
- return (ISC_R_FAILURE);
- }
- pre_cmds += 2;
- }
- if (!ENGINE_init(e)) {
- ENGINE_free(e);
- return (ISC_R_FAILURE);
- }
- /*
- * ENGINE_init() returned a functional reference, so free the
- * structural reference from ENGINE_by_id().
- */
- ENGINE_free(e);
- while (post_num--) {
- if (!ENGINE_ctrl_cmd_string(e, post_cmds[0], post_cmds[1], 0)) {
- ENGINE_free(e);
- return (ISC_R_FAILURE);
- }
- post_cmds += 2;
- }
- if (he != NULL)
- ENGINE_finish(he);
- he = e;
- return (ISC_R_SUCCESS);
+ return (NULL);
+ if (strcmp(engine, ENGINE_get_id(e)) == 0)
+ return (e);
+ return (NULL);
}
-#endif /* USE_PKCS11 */
+#endif
#else /* OPENSSL */
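Review bot: The rewritten dst__openssl_getengine() hands back `e` (apparently the file-level engine pointer) without taking a reference, and it has no comment saying so. A caller that treats the result as owned and releases it would leave dst__openssl_destroy() freeing it a second time. A header comment such as `/* Returns a borrowed pointer to the engine loaded at init, or NULL; callers must not free it. */` would make the contract explicit. The `strcmp(engine, ENGINE_get_id(e))` line also assumes ENGINE_get_id() never returns NULL; a guard like `id = ENGINE_get_id(e); if (id == NULL) return (NULL);` would be cheap.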
diff --git a/contrib/bind9/lib/dns/openssldh_link.c b/contrib/bind9/lib/dns/openssldh_link.c
index 04fb9fe5afa1..9fe9bb52524f 100644
--- a/contrib/bind9/lib/dns/openssldh_link.c
+++ b/contrib/bind9/lib/dns/openssldh_link.c
@@ -1,5 +1,5 @@
/*
- * Portions Copyright (C) 2004-2008, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004-2009, 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
* Portions Copyright (C) 1999-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -31,7 +31,7 @@
/*
* Principal Author: Brian Wellington
- * $Id$
+ * $Id: openssldh_link.c,v 1.20 2011/01/11 23:47:13 tbox Exp $
*/
#ifdef OPENSSL
@@ -150,12 +150,37 @@ openssldh_paramcompare(const dst_key_t *key1, const dst_key_t *key2) {
return (ISC_TRUE);
}
+#if OPENSSL_VERSION_NUMBER > 0x00908000L
+static int
+progress_cb(int p, int n, BN_GENCB *cb)
+{
+ union {
+ void *dptr;
+ void (*fptr)(int);
+ } u;
+
+ UNUSED(n);
+
+ u.dptr = cb->arg;
+ if (u.fptr != NULL)
+ u.fptr(p);
+ return (1);
+}
+#endif
+
static isc_result_t
-openssldh_generate(dst_key_t *key, int generator) {
+openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) {
+ DH *dh = NULL;
#if OPENSSL_VERSION_NUMBER > 0x00908000L
BN_GENCB cb;
+ union {
+ void *dptr;
+ void (*fptr)(int);
+ } u;
+#else
+
+ UNUSED(callback);
#endif
- DH *dh = NULL;
if (generator == 0) {
if (key->key_size == 768 ||
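Review bot: progress_cb() and openssldh_generate() carry the caller's function pointer through the `void *` argument of BN_GENCB by way of a union, and neither place has a comment explaining the trick. Converting between function and object pointers is not guaranteed by ISO C, so the code depends on both having the same size and representation on every supported platform; a comment such as `/* union avoids a function-pointer/void * cast; assumes identical representation */` would record that. The same helper is added verbatim in openssldsa_link.c and opensslrsa_link.c, with a variant in opensslgost_link.c, so a single shared definition would keep the copies from drifting. The body of openssldh_generate() continues outside this hunk.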
@@ -182,7 +207,12 @@ openssldh_generate(dst_key_t *key, int generator) {
if (dh == NULL)
return (dst__openssl_toresult(ISC_R_NOMEMORY));
- BN_GENCB_set_old(&cb, NULL, NULL);
+ if (callback == NULL) {
+ BN_GENCB_set_old(&cb, NULL, NULL);
+ } else {
+ u.fptr = callback;
+ BN_GENCB_set(&cb, &progress_cb, u.dptr);
+ }
if (!DH_generate_parameters_ex(dh, key->key_size, generator,
&cb)) {
@@ -482,7 +512,7 @@ openssldh_tofile(const dst_key_t *key, const char *directory) {
}
static isc_result_t
-openssldh_parse(dst_key_t *key, isc_lex_t *lexer) {
+openssldh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
dst_private_t priv;
isc_result_t ret;
int i;
@@ -490,6 +520,7 @@ openssldh_parse(dst_key_t *key, isc_lex_t *lexer) {
isc_mem_t *mctx;
#define DST_RET(a) {ret = a; goto err;}
+ UNUSED(pub);
mctx = key->mctx;
/* read private key file */
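Review bot: The new `pub` argument is discarded with `UNUSED(pub);`, so openssldh_parse() still accepts a private key file without checking it against the public key it is supposed to belong to. opensslecdsa_parse() in this same commit does use the argument, through ecdsa_check(), to reject a mismatched pair. openssldsa_parse() and opensslgost_parse() discard it in the same way. If the check is deliberately deferred for these algorithms, say so at the call site, e.g. `UNUSED(pub); /* TODO: verify the private key matches pub */`. The function body continues outside this hunk.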
@@ -615,6 +646,8 @@ static dst_func_t openssldh_functions = {
openssldh_parse,
openssldh_cleanup,
NULL, /*%< fromlabel */
+ NULL, /*%< dump */
+ NULL, /*%< restore */
};
isc_result_t
diff --git a/contrib/bind9/lib/dns/openssldsa_link.c b/contrib/bind9/lib/dns/openssldsa_link.c
index 68d19745e419..e2cf8cd6eb73 100644
--- a/contrib/bind9/lib/dns/openssldsa_link.c
+++ b/contrib/bind9/lib/dns/openssldsa_link.c
@@ -321,15 +321,40 @@ openssldsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
return (ISC_TRUE);
}
-static isc_result_t
-openssldsa_generate(dst_key_t *key, int unused) {
#if OPENSSL_VERSION_NUMBER > 0x00908000L
- BN_GENCB cb;
+static int
+progress_cb(int p, int n, BN_GENCB *cb)
+{
+ union {
+ void *dptr;
+ void (*fptr)(int);
+ } u;
+
+ UNUSED(n);
+
+ u.dptr = cb->arg;
+ if (u.fptr != NULL)
+ u.fptr(p);
+ return (1);
+}
#endif
+
+static isc_result_t
+openssldsa_generate(dst_key_t *key, int unused, void (*callback)(int)) {
DSA *dsa;
unsigned char rand_array[ISC_SHA1_DIGESTLENGTH];
isc_result_t result;
+#if OPENSSL_VERSION_NUMBER > 0x00908000L
+ BN_GENCB cb;
+ union {
+ void *dptr;
+ void (*fptr)(int);
+ } u;
+
+#else
+ UNUSED(callback);
+#endif
UNUSED(unused);
result = dst__entropy_getdata(rand_array, sizeof(rand_array),
@@ -342,7 +367,12 @@ openssldsa_generate(dst_key_t *key, int unused) {
if (dsa == NULL)
return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
- BN_GENCB_set_old(&cb, NULL, NULL);
+ if (callback == NULL) {
+ BN_GENCB_set_old(&cb, NULL, NULL);
+ } else {
+ u.fptr = callback;
+ BN_GENCB_set(&cb, &progress_cb, u.dptr);
+ }
if (!DSA_generate_parameters_ex(dsa, key->key_size, rand_array,
ISC_SHA1_DIGESTLENGTH, NULL, NULL,
@@ -523,7 +553,7 @@ openssldsa_tofile(const dst_key_t *key, const char *directory) {
}
static isc_result_t
-openssldsa_parse(dst_key_t *key, isc_lex_t *lexer) {
+openssldsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
dst_private_t priv;
isc_result_t ret;
int i;
@@ -531,6 +561,7 @@ openssldsa_parse(dst_key_t *key, isc_lex_t *lexer) {
isc_mem_t *mctx = key->mctx;
#define DST_RET(a) {ret = a; goto err;}
+ UNUSED(pub);
/* read private key file */
ret = dst__privstruct_parse(key, DST_ALG_DSA, lexer, mctx, &priv);
if (ret != ISC_R_SUCCESS)
@@ -598,6 +629,8 @@ static dst_func_t openssldsa_functions = {
openssldsa_parse,
NULL, /*%< cleanup */
NULL, /*%< fromlabel */
+ NULL, /*%< dump */
+ NULL, /*%< restore */
};
isc_result_t
diff --git a/contrib/bind9/lib/dns/opensslecdsa_link.c b/contrib/bind9/lib/dns/opensslecdsa_link.c
new file mode 100644
index 000000000000..e6c9b677697a
--- /dev/null
+++ b/contrib/bind9/lib/dns/opensslecdsa_link.c
@@ -0,0 +1,596 @@
+/*
+ * Copyright (C) 2012 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id$ */
+
+#include <config.h>
+
+#ifdef HAVE_OPENSSL_ECDSA
+
+#if !defined(HAVE_EVP_SHA256) || !defined(HAVE_EVP_SHA384)
+#error "ECDSA without EVP for SHA2?"
+#endif
+
+#include <isc/entropy.h>
+#include <isc/mem.h>
+#include <isc/sha2.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dns/keyvalues.h>
+#include <dst/result.h>
+
+#include "dst_internal.h"
+#include "dst_openssl.h"
+#include "dst_parse.h"
+
+#include <openssl/err.h>
+#include <openssl/objects.h>
+#include <openssl/ecdsa.h>
+#include <openssl/bn.h>
+
+#ifndef NID_X9_62_prime256v1
+#error "P-256 group is not known (NID_X9_62_prime256v1)"
+#endif
+#ifndef NID_secp384r1
+#error "P-384 group is not known (NID_secp384r1)"
+#endif
+
+#define DST_RET(a) {ret = a; goto err;}
+
+static isc_result_t opensslecdsa_todns(const dst_key_t *key,
+ isc_buffer_t *data);
+
+static isc_result_t
+opensslecdsa_createctx(dst_key_t *key, dst_context_t *dctx) {
+ EVP_MD_CTX *evp_md_ctx;
+ const EVP_MD *type = NULL;
+
+ UNUSED(key);
+ REQUIRE(dctx->key->key_alg == DST_ALG_ECDSA256 ||
+ dctx->key->key_alg == DST_ALG_ECDSA384);
+
+ evp_md_ctx = EVP_MD_CTX_create();
+ if (evp_md_ctx == NULL)
+ return (ISC_R_NOMEMORY);
+ if (dctx->key->key_alg == DST_ALG_ECDSA256)
+ type = EVP_sha256();
+ else
+ type = EVP_sha384();
+
+ if (!EVP_DigestInit_ex(evp_md_ctx, type, NULL)) {
+ EVP_MD_CTX_destroy(evp_md_ctx);
+ return (dst__openssl_toresult2("EVP_DigestInit_ex",
+ ISC_R_FAILURE));
+ }
+
+ dctx->ctxdata.evp_md_ctx = evp_md_ctx;
+
+ return (ISC_R_SUCCESS);
+}
+
+static void
+opensslecdsa_destroyctx(dst_context_t *dctx) {
+ EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
+
+ REQUIRE(dctx->key->key_alg == DST_ALG_ECDSA256 ||
+ dctx->key->key_alg == DST_ALG_ECDSA384);
+
+ if (evp_md_ctx != NULL) {
+ EVP_MD_CTX_destroy(evp_md_ctx);
+ dctx->ctxdata.evp_md_ctx = NULL;
+ }
+}
+
+static isc_result_t
+opensslecdsa_adddata(dst_context_t *dctx, const isc_region_t *data) {
+ EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
+
+ REQUIRE(dctx->key->key_alg == DST_ALG_ECDSA256 ||
+ dctx->key->key_alg == DST_ALG_ECDSA384);
+
+ if (!EVP_DigestUpdate(evp_md_ctx, data->base, data->length))
+ return (dst__openssl_toresult2("EVP_DigestUpdate",
+ ISC_R_FAILURE));
+
+ return (ISC_R_SUCCESS);
+}
+
+static int
+BN_bn2bin_fixed(BIGNUM *bn, unsigned char *buf, int size) {
+ int bytes = size - BN_num_bytes(bn);
+
+ while (bytes-- > 0)
+ *buf++ = 0;
+ BN_bn2bin(bn, buf);
+ return (size);
+}
+
+static isc_result_t
+opensslecdsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
+ isc_result_t ret;
+ dst_key_t *key = dctx->key;
+ isc_region_t r;
+ ECDSA_SIG *ecdsasig;
+ EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
+ EVP_PKEY *pkey = key->keydata.pkey;
+ EC_KEY *eckey = EVP_PKEY_get1_EC_KEY(pkey);
+ unsigned int dgstlen, siglen;
+ unsigned char digest[EVP_MAX_MD_SIZE];
+
+ REQUIRE(key->key_alg == DST_ALG_ECDSA256 ||
+ key->key_alg == DST_ALG_ECDSA384);
+
+ if (eckey == NULL)
+ return (ISC_R_FAILURE);
+
+ if (key->key_alg == DST_ALG_ECDSA256)
+ siglen = DNS_SIG_ECDSA256SIZE;
+ else
+ siglen = DNS_SIG_ECDSA384SIZE;
+
+ isc_buffer_availableregion(sig, &r);
+ if (r.length < siglen)
+ DST_RET(ISC_R_NOSPACE);
+
+ if (!EVP_DigestFinal(evp_md_ctx, digest, &dgstlen))
+ DST_RET(dst__openssl_toresult2("EVP_DigestFinal",
+ ISC_R_FAILURE));
+
+ ecdsasig = ECDSA_do_sign(digest, dgstlen, eckey);
+ if (ecdsasig == NULL)
+ DST_RET(dst__openssl_toresult2("ECDSA_do_sign",
+ DST_R_SIGNFAILURE));
+ BN_bn2bin_fixed(ecdsasig->r, r.base, siglen / 2);
+ r.base += siglen / 2;
+ BN_bn2bin_fixed(ecdsasig->s, r.base, siglen / 2);
+ r.base += siglen / 2;
+ ECDSA_SIG_free(ecdsasig);
+ isc_buffer_add(sig, siglen);
+ ret = ISC_R_SUCCESS;
+
+ err:
+ if (eckey != NULL)
+ EC_KEY_free(eckey);
+ return (ret);
+}
+
+static isc_result_t
+opensslecdsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
+ isc_result_t ret;
+ dst_key_t *key = dctx->key;
+ int status;
+ unsigned char *cp = sig->base;
+ ECDSA_SIG *ecdsasig = NULL;
+ EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
+ EVP_PKEY *pkey = key->keydata.pkey;
+ EC_KEY *eckey = EVP_PKEY_get1_EC_KEY(pkey);
+ unsigned int dgstlen, siglen;
+ unsigned char digest[EVP_MAX_MD_SIZE];
+
+ REQUIRE(key->key_alg == DST_ALG_ECDSA256 ||
+ key->key_alg == DST_ALG_ECDSA384);
+
+ if (eckey == NULL)
+ return (ISC_R_FAILURE);
+
+ if (key->key_alg == DST_ALG_ECDSA256)
+ siglen = DNS_SIG_ECDSA256SIZE;
+ else
+ siglen = DNS_SIG_ECDSA384SIZE;
+
+ if (sig->length != siglen)
+ return (DST_R_VERIFYFAILURE);
+
+ if (!EVP_DigestFinal_ex(evp_md_ctx, digest, &dgstlen))
+ DST_RET (dst__openssl_toresult2("EVP_DigestFinal_ex",
+ ISC_R_FAILURE));
+
+ ecdsasig = ECDSA_SIG_new();
+ if (ecdsasig == NULL)
+ DST_RET (ISC_R_NOMEMORY);
+ ecdsasig->r = BN_bin2bn(cp, siglen / 2, NULL);
+ cp += siglen / 2;
+ ecdsasig->s = BN_bin2bn(cp, siglen / 2, NULL);
+ /* cp += siglen / 2; */
+
+ status = ECDSA_do_verify(digest, dgstlen, ecdsasig, eckey);
+ switch (status) {
+ case 1:
+ ret = ISC_R_SUCCESS;
+ break;
+ case 0:
+ ret = dst__openssl_toresult(DST_R_VERIFYFAILURE);
+ break;
+ default:
+ ret = dst__openssl_toresult2("ECDSA_do_verify",
+ DST_R_VERIFYFAILURE);
+ break;
+ }
+
+ err:
+ if (ecdsasig != NULL)
+ ECDSA_SIG_free(ecdsasig);
+ if (eckey != NULL)
+ EC_KEY_free(eckey);
+ return (ret);
+}
+
+static isc_boolean_t
+opensslecdsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
+ isc_boolean_t ret;
+ int status;
+ EVP_PKEY *pkey1 = key1->keydata.pkey;
+ EVP_PKEY *pkey2 = key2->keydata.pkey;
+ EC_KEY *eckey1 = NULL;
+ EC_KEY *eckey2 = NULL;
+ const BIGNUM *priv1, *priv2;
+
+ if (pkey1 == NULL && pkey2 == NULL)
+ return (ISC_TRUE);
+ else if (pkey1 == NULL || pkey2 == NULL)
+ return (ISC_FALSE);
+
+ eckey1 = EVP_PKEY_get1_EC_KEY(pkey1);
+ eckey2 = EVP_PKEY_get1_EC_KEY(pkey2);
+ if (eckey1 == NULL && eckey2 == NULL) {
+ DST_RET (ISC_TRUE);
+ } else if (eckey1 == NULL || eckey2 == NULL)
+ DST_RET (ISC_FALSE);
+
+ status = EVP_PKEY_cmp(pkey1, pkey2);
+ if (status != 1)
+ DST_RET (ISC_FALSE);
+
+ priv1 = EC_KEY_get0_private_key(eckey1);
+ priv2 = EC_KEY_get0_private_key(eckey2);
+ if (priv1 != NULL || priv2 != NULL) {
+ if (priv1 == NULL || priv2 == NULL)
+ DST_RET (ISC_FALSE);
+ if (BN_cmp(priv1, priv2) != 0)
+ DST_RET (ISC_FALSE);
+ }
+ ret = ISC_TRUE;
+
+ err:
+ if (eckey1 != NULL)
+ EC_KEY_free(eckey1);
+ if (eckey2 != NULL)
+ EC_KEY_free(eckey2);
+ return (ret);
+}
+
+static isc_result_t
+opensslecdsa_generate(dst_key_t *key, int unused, void (*callback)(int)) {
+ isc_result_t ret;
+ EVP_PKEY *pkey;
+ EC_KEY *eckey = NULL;
+ int group_nid;
+
+ REQUIRE(key->key_alg == DST_ALG_ECDSA256 ||
+ key->key_alg == DST_ALG_ECDSA384);
+ UNUSED(unused);
+ UNUSED(callback);
+
+ if (key->key_alg == DST_ALG_ECDSA256)
+ group_nid = NID_X9_62_prime256v1;
+ else
+ group_nid = NID_secp384r1;
+
+ eckey = EC_KEY_new_by_curve_name(group_nid);
+ if (eckey == NULL)
+ return (dst__openssl_toresult2("EC_KEY_new_by_curve_name",
+ DST_R_OPENSSLFAILURE));
+
+ if (EC_KEY_generate_key(eckey) != 1)
+ DST_RET (dst__openssl_toresult2("EC_KEY_generate_key",
+ DST_R_OPENSSLFAILURE));
+
+ pkey = EVP_PKEY_new();
+ if (pkey == NULL)
+ DST_RET (ISC_R_NOMEMORY);
+ if (!EVP_PKEY_set1_EC_KEY(pkey, eckey)) {
+ EVP_PKEY_free(pkey);
+ DST_RET (ISC_R_FAILURE);
+ }
+ key->keydata.pkey = pkey;
+ ret = ISC_R_SUCCESS;
+
+ err:
+ if (eckey != NULL)
+ EC_KEY_free(eckey);
+ return (ret);
+}
+
+static isc_boolean_t
+opensslecdsa_isprivate(const dst_key_t *key) {
+ isc_boolean_t ret;
+ EVP_PKEY *pkey = key->keydata.pkey;
+ EC_KEY *eckey = EVP_PKEY_get1_EC_KEY(pkey);
+
+ ret = ISC_TF(eckey != NULL && EC_KEY_get0_private_key(eckey) != NULL);
+ if (eckey != NULL)
+ EC_KEY_free(eckey);
+ return (ret);
+}
+
+static void
+opensslecdsa_destroy(dst_key_t *key) {
+ EVP_PKEY *pkey = key->keydata.pkey;
+
+ EVP_PKEY_free(pkey);
+ key->keydata.pkey = NULL;
+}
+
+static isc_result_t
+opensslecdsa_todns(const dst_key_t *key, isc_buffer_t *data) {
+ isc_result_t ret;
+ EVP_PKEY *pkey;
+ EC_KEY *eckey = NULL;
+ isc_region_t r;
+ int len;
+ unsigned char *cp;
+ unsigned char buf[DNS_KEY_ECDSA384SIZE + 1];
+
+ REQUIRE(key->keydata.pkey != NULL);
+
+ pkey = key->keydata.pkey;
+ eckey = EVP_PKEY_get1_EC_KEY(pkey);
+ if (eckey == NULL)
+ return (dst__openssl_toresult(ISC_R_FAILURE));
+ len = i2o_ECPublicKey(eckey, NULL);
+ /* skip form */
+ len--;
+
+ isc_buffer_availableregion(data, &r);
+ if (r.length < (unsigned int) len)
+ DST_RET (ISC_R_NOSPACE);
+ cp = buf;
+ if (!i2o_ECPublicKey(eckey, &cp))
+ DST_RET (dst__openssl_toresult(ISC_R_FAILURE));
+ memcpy(r.base, buf + 1, len);
+ isc_buffer_add(data, len);
+ ret = ISC_R_SUCCESS;
+
+ err:
+ if (eckey != NULL)
+ EC_KEY_free(eckey);
+ return (ret);
+}
+
+static isc_result_t
+opensslecdsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
+ isc_result_t ret;
+ EVP_PKEY *pkey;
+ EC_KEY *eckey = NULL;
+ isc_region_t r;
+ int group_nid;
+ unsigned int len;
+ const unsigned char *cp;
+ unsigned char buf[DNS_KEY_ECDSA384SIZE + 1];
+
+ REQUIRE(key->key_alg == DST_ALG_ECDSA256 ||
+ key->key_alg == DST_ALG_ECDSA384);
+
+ if (key->key_alg == DST_ALG_ECDSA256) {
+ len = DNS_KEY_ECDSA256SIZE;
+ group_nid = NID_X9_62_prime256v1;
+ } else {
+ len = DNS_KEY_ECDSA384SIZE;
+ group_nid = NID_secp384r1;
+ }
+
+ isc_buffer_remainingregion(data, &r);
+ if (r.length == 0)
+ return (ISC_R_SUCCESS);
+ if (r.length < len)
+ return (DST_R_INVALIDPUBLICKEY);
+
+ eckey = EC_KEY_new_by_curve_name(group_nid);
+ if (eckey == NULL)
+ return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
+
+ buf[0] = POINT_CONVERSION_UNCOMPRESSED;
+ memcpy(buf + 1, r.base, len);
+ cp = buf;
+ if (o2i_ECPublicKey(&eckey,
+ (const unsigned char **) &cp,
+ (long) len + 1) == NULL)
+ DST_RET (dst__openssl_toresult(DST_R_INVALIDPUBLICKEY));
+ if (EC_KEY_check_key(eckey) != 1)
+ DST_RET (dst__openssl_toresult(DST_R_INVALIDPUBLICKEY));
+
+ pkey = EVP_PKEY_new();
+ if (pkey == NULL)
+ DST_RET (ISC_R_NOMEMORY);
+ if (!EVP_PKEY_set1_EC_KEY(pkey, eckey)) {
+ EVP_PKEY_free(pkey);
+ DST_RET (dst__openssl_toresult(ISC_R_FAILURE));
+ }
+
+ isc_buffer_forward(data, len);
+ key->keydata.pkey = pkey;
+ ret = ISC_R_SUCCESS;
+
+ err:
+ if (eckey != NULL)
+ EC_KEY_free(eckey);
+ return (ret);
+}
+
+static isc_result_t
+opensslecdsa_tofile(const dst_key_t *key, const char *directory) {
+ isc_result_t ret;
+ EVP_PKEY *pkey;
+ EC_KEY *eckey = NULL;
+ const BIGNUM *privkey;
+ dst_private_t priv;
+ unsigned char *buf = NULL;
+
+ if (key->keydata.pkey == NULL)
+ return (DST_R_NULLKEY);
+
+ pkey = key->keydata.pkey;
+ eckey = EVP_PKEY_get1_EC_KEY(pkey);
+ if (eckey == NULL)
+ return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
+ privkey = EC_KEY_get0_private_key(eckey);
+ if (privkey == NULL)
+ DST_RET (ISC_R_FAILURE);
+
+ buf = isc_mem_get(key->mctx, BN_num_bytes(privkey));
+ if (buf == NULL)
+ DST_RET (ISC_R_NOMEMORY);
+
+ priv.elements[0].tag = TAG_ECDSA_PRIVATEKEY;
+ priv.elements[0].length = BN_num_bytes(privkey);
+ BN_bn2bin(privkey, buf);
+ priv.elements[0].data = buf;
+ priv.nelements = ECDSA_NTAGS;
+ ret = dst__privstruct_writefile(key, &priv, directory);
+
+ err:
+ if (eckey != NULL)
+ EC_KEY_free(eckey);
+ if (buf != NULL)
+ isc_mem_put(key->mctx, buf, BN_num_bytes(privkey));
+ return (ret);
+}
+
+static isc_result_t
+ecdsa_check(EC_KEY *eckey, dst_key_t *pub)
+{
+ isc_result_t ret = ISC_R_FAILURE;
+ EVP_PKEY *pkey;
+ EC_KEY *pubeckey = NULL;
+ const EC_POINT *pubkey;
+
+ if (pub == NULL)
+ return (ISC_R_SUCCESS);
+ pkey = pub->keydata.pkey;
+ if (pkey == NULL)
+ return (ISC_R_SUCCESS);
+ pubeckey = EVP_PKEY_get1_EC_KEY(pkey);
+ if (pubeckey == NULL)
+ return (ISC_R_SUCCESS);
+ pubkey = EC_KEY_get0_public_key(pubeckey);
+ if (pubkey == NULL)
+ DST_RET (ISC_R_SUCCESS);
+ if (EC_KEY_set_public_key(eckey, pubkey) != 1)
+ DST_RET (ISC_R_SUCCESS);
+ if (EC_KEY_check_key(eckey) == 1)
+ DST_RET (ISC_R_SUCCESS);
+
+ err:
+ if (pubeckey != NULL)
+ EC_KEY_free(pubeckey);
+ return (ret);
+}
+
+static isc_result_t
+opensslecdsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
+ dst_private_t priv;
+ isc_result_t ret;
+ EVP_PKEY *pkey;
+ EC_KEY *eckey = NULL;
+ BIGNUM *privkey;
+ int group_nid;
+ isc_mem_t *mctx = key->mctx;
+
+ REQUIRE(key->key_alg == DST_ALG_ECDSA256 ||
+ key->key_alg == DST_ALG_ECDSA384);
+
+ if (key->key_alg == DST_ALG_ECDSA256)
+ group_nid = NID_X9_62_prime256v1;
+ else
+ group_nid = NID_secp384r1;
+
+ eckey = EC_KEY_new_by_curve_name(group_nid);
+ if (eckey == NULL)
+ return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
+
+ /* read private key file */
+ ret = dst__privstruct_parse(key, DST_ALG_ECDSA256, lexer, mctx, &priv);
+ if (ret != ISC_R_SUCCESS)
+ goto err;
+
+ privkey = BN_bin2bn(priv.elements[0].data,
+ priv.elements[0].length, NULL);
+ if (privkey == NULL)
+ DST_RET(ISC_R_NOMEMORY);
+ if (!EC_KEY_set_private_key(eckey, privkey))
+ DST_RET(ISC_R_NOMEMORY);
+ if (ecdsa_check(eckey, pub) != ISC_R_SUCCESS)
+ DST_RET(DST_R_INVALIDPRIVATEKEY);
+ dst__privstruct_free(&priv, mctx);
+ memset(&priv, 0, sizeof(priv));
+
+ pkey = EVP_PKEY_new();
+ if (pkey == NULL)
+ DST_RET (ISC_R_NOMEMORY);
+ if (!EVP_PKEY_set1_EC_KEY(pkey, eckey)) {
+ EVP_PKEY_free(pkey);
+ DST_RET (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
+ }
+ key->keydata.pkey = pkey;
+ ret = ISC_R_SUCCESS;
+
+ err:
+ if (eckey != NULL)
+ EC_KEY_free(eckey);
+ dst__privstruct_free(&priv, mctx);
+ memset(&priv, 0, sizeof(priv));
+ return (ret);
+}
+
+static dst_func_t opensslecdsa_functions = {
+ opensslecdsa_createctx,
+ opensslecdsa_destroyctx,
+ opensslecdsa_adddata,
+ opensslecdsa_sign,
+ opensslecdsa_verify,
+ NULL, /*%< computesecret */
+ opensslecdsa_compare,
+ NULL, /*%< paramcompare */
+ opensslecdsa_generate,
+ opensslecdsa_isprivate,
+ opensslecdsa_destroy,
+ opensslecdsa_todns,
+ opensslecdsa_fromdns,
+ opensslecdsa_tofile,
+ opensslecdsa_parse,
+ NULL, /*%< cleanup */
+ NULL, /*%< fromlabel */
+ NULL, /*%< dump */
+ NULL, /*%< restore */
+};
+
+isc_result_t
+dst__opensslecdsa_init(dst_func_t **funcp) {
+ REQUIRE(funcp != NULL);
+ if (*funcp == NULL)
+ *funcp = &opensslecdsa_functions;
+ return (ISC_R_SUCCESS);
+}
+
+#else /* HAVE_OPENSSL_ECDSA */
+
+#include <isc/util.h>
+
+EMPTY_TRANSLATION_UNIT
+
+#endif /* HAVE_OPENSSL_ECDSA */
+/*! \file */
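Review bot: In opensslecdsa_verify() the length check `if (sig->length != siglen) return (DST_R_VERIFYFAILURE);` runs after `eckey` has already been obtained with EVP_PKEY_get1_EC_KEY(), so every wrong-length signature leaks one EC_KEY reference. Use `DST_RET(DST_R_VERIFYFAILURE);` instead so the `err:` path releases it. In opensslecdsa_parse() the BIGNUM returned by BN_bin2bn() is never freed on any path, which leaves a copy of the private scalar allocated. Initialise `privkey` to NULL and call `BN_clear_free(privkey);` in the `err:` block, which the success path also falls through. opensslecdsa_tofile() likewise returns `buf` through isc_mem_put() without first clearing the private key bytes it holds.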
diff --git a/contrib/bind9/lib/dns/opensslgost_link.c b/contrib/bind9/lib/dns/opensslgost_link.c
new file mode 100644
index 000000000000..8a55a6b228e7
--- /dev/null
+++ b/contrib/bind9/lib/dns/opensslgost_link.c
@@ -0,0 +1,443 @@
+/*
+ * Copyright (C) 2010-2012 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: opensslgost_link.c,v 1.5 2011/01/19 23:47:12 tbox Exp $ */
+
+#include <config.h>
+
+#ifdef HAVE_OPENSSL_GOST
+
+#include <isc/entropy.h>
+#include <isc/mem.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dst/result.h>
+
+#include "dst_internal.h"
+#include "dst_openssl.h"
+#include "dst_parse.h"
+
+#include <openssl/err.h>
+#include <openssl/objects.h>
+#include <openssl/rsa.h>
+#include <openssl/engine.h>
+
+static ENGINE *e = NULL;
+static const EVP_MD *opensslgost_digest;
+extern const EVP_MD *EVP_gost(void);
+
+const EVP_MD *EVP_gost(void) {
+ return (opensslgost_digest);
+}
+
+#define DST_RET(a) {ret = a; goto err;}
+
+static isc_result_t opensslgost_todns(const dst_key_t *key,
+ isc_buffer_t *data);
+
+static isc_result_t
+opensslgost_createctx(dst_key_t *key, dst_context_t *dctx) {
+ EVP_MD_CTX *evp_md_ctx;
+ const EVP_MD *md = EVP_gost();
+
+ UNUSED(key);
+
+ if (md == NULL)
+ return (DST_R_OPENSSLFAILURE);
+
+ evp_md_ctx = EVP_MD_CTX_create();
+ if (evp_md_ctx == NULL)
+ return (ISC_R_NOMEMORY);
+
+ if (!EVP_DigestInit_ex(evp_md_ctx, md, NULL)) {
+ EVP_MD_CTX_destroy(evp_md_ctx);
+ return (ISC_R_FAILURE);
+ }
+ dctx->ctxdata.evp_md_ctx = evp_md_ctx;
+
+ return (ISC_R_SUCCESS);
+}
+
+static void
+opensslgost_destroyctx(dst_context_t *dctx) {
+ EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
+
+ if (evp_md_ctx != NULL) {
+ EVP_MD_CTX_destroy(evp_md_ctx);
+ dctx->ctxdata.evp_md_ctx = NULL;
+ }
+}
+
+static isc_result_t
+opensslgost_adddata(dst_context_t *dctx, const isc_region_t *data) {
+ EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
+
+ if (!EVP_DigestUpdate(evp_md_ctx, data->base, data->length))
+ return (ISC_R_FAILURE);
+
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+opensslgost_sign(dst_context_t *dctx, isc_buffer_t *sig) {
+ dst_key_t *key = dctx->key;
+ isc_region_t r;
+ unsigned int siglen = 0;
+ EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
+ EVP_PKEY *pkey = key->keydata.pkey;
+
+ isc_buffer_availableregion(sig, &r);
+
+ if (r.length < (unsigned int) EVP_PKEY_size(pkey))
+ return (ISC_R_NOSPACE);
+
+ if (!EVP_SignFinal(evp_md_ctx, r.base, &siglen, pkey))
+ return (ISC_R_FAILURE);
+
+ isc_buffer_add(sig, siglen);
+
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+opensslgost_verify(dst_context_t *dctx, const isc_region_t *sig) {
+ dst_key_t *key = dctx->key;
+ int status = 0;
+ EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
+ EVP_PKEY *pkey = key->keydata.pkey;
+
+ status = EVP_VerifyFinal(evp_md_ctx, sig->base, sig->length, pkey);
+ switch (status) {
+ case 1:
+ return (ISC_R_SUCCESS);
+ case 0:
+ return (dst__openssl_toresult(DST_R_VERIFYFAILURE));
+ default:
+ return (dst__openssl_toresult2("EVP_VerifyFinal",
+ DST_R_VERIFYFAILURE));
+ }
+}
+
+static isc_boolean_t
+opensslgost_compare(const dst_key_t *key1, const dst_key_t *key2) {
+ EVP_PKEY *pkey1, *pkey2;
+
+ pkey1 = key1->keydata.pkey;
+ pkey2 = key2->keydata.pkey;
+
+ if (pkey1 == NULL && pkey2 == NULL)
+ return (ISC_TRUE);
+ else if (pkey1 == NULL || pkey2 == NULL)
+ return (ISC_FALSE);
+
+ if (EVP_PKEY_cmp(pkey1, pkey2) != 1)
+ return (ISC_FALSE);
+ return (ISC_TRUE);
+}
+
+static int
+progress_cb(EVP_PKEY_CTX *ctx)
+{
+ union {
+ void *dptr;
+ void (*fptr)(int);
+ } u;
+ int p;
+
+ u.dptr = EVP_PKEY_CTX_get_app_data(ctx);
+ p = EVP_PKEY_CTX_get_keygen_info(ctx, 0);
+ if (u.fptr != NULL)
+ u.fptr(p);
+ return (1);
+}
+
+static isc_result_t
+opensslgost_generate(dst_key_t *key, int unused, void (*callback)(int)) {
+ EVP_PKEY_CTX *ctx;
+ union {
+ void *dptr;
+ void (*fptr)(int);
+ } u;
+ EVP_PKEY *pkey = NULL;
+ isc_result_t ret;
+
+ UNUSED(unused);
+ ctx = EVP_PKEY_CTX_new_id(NID_id_GostR3410_2001, NULL);
+ if (ctx == NULL)
+ DST_RET(dst__openssl_toresult2("EVP_PKEY_CTX_new_id",
+ DST_R_OPENSSLFAILURE));
+ if (callback != NULL) {
+ u.fptr = callback;
+ EVP_PKEY_CTX_set_app_data(ctx, u.dptr);
+ EVP_PKEY_CTX_set_cb(ctx, &progress_cb);
+ }
+ if (EVP_PKEY_keygen_init(ctx) <= 0)
+ DST_RET(dst__openssl_toresult2("EVP_PKEY_keygen_init",
+ DST_R_OPENSSLFAILURE));
+ if (EVP_PKEY_CTX_ctrl_str(ctx, "paramset", "A") <= 0)
+ DST_RET(dst__openssl_toresult2("EVP_PKEY_CTX_ctrl_str",
+ DST_R_OPENSSLFAILURE));
+ if (EVP_PKEY_keygen(ctx, &pkey) <= 0)
+ DST_RET(dst__openssl_toresult2("EVP_PKEY_keygen",
+ DST_R_OPENSSLFAILURE));
+ key->keydata.pkey = pkey;
+ EVP_PKEY_CTX_free(ctx);
+ return (ISC_R_SUCCESS);
+
+err:
+ if (pkey != NULL)
+ EVP_PKEY_free(pkey);
+ if (ctx != NULL)
+ EVP_PKEY_CTX_free(ctx);
+ return (ret);
+}
+
+static isc_boolean_t
+opensslgost_isprivate(const dst_key_t *key) {
+ EVP_PKEY *pkey = key->keydata.pkey;
+ EC_KEY *ec;
+
+ INSIST(pkey != NULL);
+
+ ec = EVP_PKEY_get0(pkey);
+ return (ISC_TF(ec != NULL && EC_KEY_get0_private_key(ec) != NULL));
+}
+
+static void
+opensslgost_destroy(dst_key_t *key) {
+ EVP_PKEY *pkey = key->keydata.pkey;
+
+ EVP_PKEY_free(pkey);
+ key->keydata.pkey = NULL;
+}
+
+unsigned char gost_prefix[37] = {
+ 0x30, 0x63, 0x30, 0x1c, 0x06, 0x06, 0x2a, 0x85,
+ 0x03, 0x02, 0x02, 0x13, 0x30, 0x12, 0x06, 0x07,
+ 0x2a, 0x85, 0x03, 0x02, 0x02, 0x23, 0x01, 0x06,
+ 0x07, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x1e, 0x01,
+ 0x03, 0x43, 0x00, 0x04, 0x40
+};
+
+static isc_result_t
+opensslgost_todns(const dst_key_t *key, isc_buffer_t *data) {
+ EVP_PKEY *pkey;
+ isc_region_t r;
+ unsigned char der[37 + 64], *p;
+ int len;
+
+ REQUIRE(key->keydata.pkey != NULL);
+
+ pkey = key->keydata.pkey;
+
+ isc_buffer_availableregion(data, &r);
+ if (r.length < 64)
+ return (ISC_R_NOSPACE);
+
+ p = der;
+ len = i2d_PUBKEY(pkey, &p);
+ INSIST(len == sizeof(der));
+ INSIST(memcmp(gost_prefix, der, 37) == 0);
+ memcpy(r.base, der + 37, 64);
+ isc_buffer_add(data, 64);
+
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+opensslgost_fromdns(dst_key_t *key, isc_buffer_t *data) {
+ isc_region_t r;
+ EVP_PKEY *pkey = NULL;
+ unsigned char der[37 + 64];
+ const unsigned char *p;
+
+ isc_buffer_remainingregion(data, &r);
+ if (r.length == 0)
+ return (ISC_R_SUCCESS);
+
+ if (r.length != 64)
+ return (DST_R_INVALIDPUBLICKEY);
+ memcpy(der, gost_prefix, 37);
+ memcpy(der + 37, r.base, 64);
+ isc_buffer_forward(data, 64);
+
+ p = der;
+ if (d2i_PUBKEY(&pkey, &p, (long) sizeof(der)) == NULL)
+ return (dst__openssl_toresult2("d2i_PUBKEY",
+ DST_R_OPENSSLFAILURE));
+ key->keydata.pkey = pkey;
+
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+opensslgost_tofile(const dst_key_t *key, const char *directory) {
+ EVP_PKEY *pkey;
+ dst_private_t priv;
+ isc_result_t result;
+ unsigned char *der, *p;
+ int len;
+
+ if (key->keydata.pkey == NULL)
+ return (DST_R_NULLKEY);
+
+ pkey = key->keydata.pkey;
+
+ len = i2d_PrivateKey(pkey, NULL);
+ der = isc_mem_get(key->mctx, (size_t) len);
+ if (der == NULL)
+ return (ISC_R_NOMEMORY);
+
+ p = der;
+ if (i2d_PrivateKey(pkey, &p) != len) {
+ result = dst__openssl_toresult2("i2d_PrivateKey",
+ DST_R_OPENSSLFAILURE);
+ goto fail;
+ }
+
+ priv.elements[0].tag = TAG_GOST_PRIVASN1;
+ priv.elements[0].length = len;
+ priv.elements[0].data = der;
+ priv.nelements = GOST_NTAGS;
+
+ result = dst__privstruct_writefile(key, &priv, directory);
+ fail:
+ if (der != NULL)
+ isc_mem_put(key->mctx, der, (size_t) len);
+ return (result);
+}
+
+static isc_result_t
+opensslgost_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
+ dst_private_t priv;
+ isc_result_t ret;
+ isc_mem_t *mctx = key->mctx;
+ EVP_PKEY *pkey = NULL;
+ const unsigned char *p;
+
+ UNUSED(pub);
+
+ /* read private key file */
+ ret = dst__privstruct_parse(key, DST_ALG_ECCGOST, lexer, mctx, &priv);
+ if (ret != ISC_R_SUCCESS)
+ return (ret);
+
+ INSIST(priv.elements[0].tag == TAG_GOST_PRIVASN1);
+ p = priv.elements[0].data;
+ if (d2i_PrivateKey(NID_id_GostR3410_2001, &pkey, &p,
+ (long) priv.elements[0].length) == NULL)
+ DST_RET(dst__openssl_toresult2("d2i_PrivateKey",
+ DST_R_INVALIDPRIVATEKEY));
+ key->keydata.pkey = pkey;
+ key->key_size = EVP_PKEY_bits(pkey);
+ dst__privstruct_free(&priv, mctx);
+ memset(&priv, 0, sizeof(priv));
+ return (ISC_R_SUCCESS);
+
+ err:
+ if (pkey != NULL)
+ EVP_PKEY_free(pkey);
+ opensslgost_destroy(key);
+ dst__privstruct_free(&priv, mctx);
+ memset(&priv, 0, sizeof(priv));
+ return (ret);
+}
+
+static void
+opensslgost_cleanup(void) {
+ if (e != NULL) {
+ ENGINE_finish(e);
+ ENGINE_free(e);
+ e = NULL;
+ }
+}
+
+static dst_func_t opensslgost_functions = {
+ opensslgost_createctx,
+ opensslgost_destroyctx,
+ opensslgost_adddata,
+ opensslgost_sign,
+ opensslgost_verify,
+ NULL, /*%< computesecret */
+ opensslgost_compare,
+ NULL, /*%< paramcompare */
+ opensslgost_generate,
+ opensslgost_isprivate,
+ opensslgost_destroy,
+ opensslgost_todns,
+ opensslgost_fromdns,
+ opensslgost_tofile,
+ opensslgost_parse,
+ opensslgost_cleanup,
+ NULL, /*%< fromlabel */
+ NULL, /*%< dump */
+ NULL /*%< restore */
+};
+
+isc_result_t
+dst__opensslgost_init(dst_func_t **funcp) {
+ isc_result_t ret;
+
+ REQUIRE(funcp != NULL);
+
+ /* check if the gost engine works properly */
+ e = ENGINE_by_id("gost");
+ if (e == NULL)
+ return (dst__openssl_toresult2("ENGINE_by_id",
+ DST_R_OPENSSLFAILURE));
+ if (ENGINE_init(e) <= 0) {
+ ENGINE_free(e);
+ e = NULL;
+ return (dst__openssl_toresult2("ENGINE_init",
+ DST_R_OPENSSLFAILURE));
+ }
+ /* better than to rely on digest_gost symbol */
+ opensslgost_digest = ENGINE_get_digest(e, NID_id_GostR3411_94);
+ if (opensslgost_digest == NULL)
+ DST_RET(dst__openssl_toresult2("ENGINE_get_digest",
+ DST_R_OPENSSLFAILURE));
+ /* from openssl.cnf */
+ if (ENGINE_register_pkey_asn1_meths(e) <= 0)
+ DST_RET(dst__openssl_toresult2(
+ "ENGINE_register_pkey_asn1_meths",
+ DST_R_OPENSSLFAILURE));
+ if (ENGINE_ctrl_cmd_string(e,
+ "CRYPT_PARAMS",
+ "id-Gost28147-89-CryptoPro-A-ParamSet",
+ 0) <= 0)
+ DST_RET(dst__openssl_toresult2("ENGINE_ctrl_cmd_string",
+ DST_R_OPENSSLFAILURE));
+
+ if (*funcp == NULL)
+ *funcp = &opensslgost_functions;
+ return (ISC_R_SUCCESS);
+
+ err:
+ ENGINE_finish(e);
+ ENGINE_free(e);
+ e = NULL;
+ return (ret);
+}
+
+#else /* HAVE_OPENSSL_GOST */
+
+#include <isc/util.h>
+
+EMPTY_TRANSLATION_UNIT
+
+#endif /* HAVE_OPENSSL_GOST */
+/*! \file */
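Review bot: opensslgost_todns() encodes into the fixed `der[37 + 64]` buffer with `i2d_PUBKEY(pkey, &p)` and only afterwards asserts `len == sizeof(der)`, so an encoding longer than expected has already overrun the stack buffer by the time the INSIST fires. Query the length first and fail cleanly: `len = i2d_PUBKEY(pkey, NULL); if (len != (int)sizeof(der)) return (DST_R_OPENSSLFAILURE);`, then encode. opensslgost_tofile() has a related gap: the `len` from `i2d_PrivateKey(pkey, NULL)` is cast to size_t without rejecting a non-positive value, and `der`, which holds the serialized private key, is returned through isc_mem_put() uncleared. `gost_prefix` is never written in this file and could be `static const`.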
diff --git a/contrib/bind9/lib/dns/opensslrsa_link.c b/contrib/bind9/lib/dns/opensslrsa_link.c
index fb35ce8813d9..80c3f57a6d02 100644
--- a/contrib/bind9/lib/dns/opensslrsa_link.c
+++ b/contrib/bind9/lib/dns/opensslrsa_link.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009, 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -30,6 +30,7 @@
#endif
#endif
+
#include <isc/entropy.h>
#include <isc/md5.h>
#include <isc/sha1.h>
@@ -372,7 +373,7 @@ opensslrsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
RSA *rsa = key->keydata.rsa;
/* note: ISC_SHA512_DIGESTLENGTH >= ISC_*_DIGESTLENGTH */
unsigned char digest[PREFIXLEN + ISC_SHA512_DIGESTLENGTH];
- int status = 0;
+ int status;
int type = 0;
unsigned int digestlen = 0;
#if OPENSSL_VERSION_NUMBER < 0x00908000L
@@ -703,11 +704,33 @@ opensslrsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
return (ISC_TRUE);
}
+#if OPENSSL_VERSION_NUMBER > 0x00908000L
+static int
+progress_cb(int p, int n, BN_GENCB *cb)
+{
+ union {
+ void *dptr;
+ void (*fptr)(int);
+ } u;
+
+ UNUSED(n);
+
+ u.dptr = cb->arg;
+ if (u.fptr != NULL)
+ u.fptr(p);
+ return (1);
+}
+#endif
+
static isc_result_t
-opensslrsa_generate(dst_key_t *key, int exp) {
+opensslrsa_generate(dst_key_t *key, int exp, void (*callback)(int)) {
#if OPENSSL_VERSION_NUMBER > 0x00908000L
isc_result_t ret = DST_R_OPENSSLFAILURE;
BN_GENCB cb;
+ union {
+ void *dptr;
+ void (*fptr)(int);
+ } u;
RSA *rsa = RSA_new();
BIGNUM *e = BN_new();
#if USE_EVP
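Review bot: The `void *` / `void (*)(int)` union is declared twice, once in `progress_cb` and once in `opensslrsa_generate`, and neither copy says why it exists. Passing the callback through `cb->arg` assumes that data and function pointers have the same size and representation, which ISO C does not guarantee; the union only keeps the compiler quiet about the conversion. I would hoist it into one file-scope type with a comment such as `/* carries the progress callback through BN_GENCB's void *arg; assumes a function pointer fits in a void * */`. The body of `opensslrsa_generate` continues outside this hunk.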
@@ -733,7 +756,12 @@ opensslrsa_generate(dst_key_t *key, int exp) {
BN_set_bit(e, 32);
}
- BN_GENCB_set_old(&cb, NULL, NULL);
+ if (callback == NULL) {
+ BN_GENCB_set_old(&cb, NULL, NULL);
+ } else {
+ u.fptr = callback;
+ BN_GENCB_set(&cb, &progress_cb, u.dptr);
+ }
if (RSA_generate_key_ex(rsa, key->key_size, e, &cb)) {
BN_free(e);
@@ -766,8 +794,12 @@ err:
#if USE_EVP
EVP_PKEY *pkey = EVP_PKEY_new();
+ UNUSED(callback);
+
if (pkey == NULL)
return (ISC_R_NOMEMORY);
+#else
+ UNUSED(callback);
#endif
if (exp == 0)
@@ -1064,8 +1096,9 @@ opensslrsa_tofile(const dst_key_t *key, const char *directory) {
i++;
}
+
priv.nelements = i;
- result = dst__privstruct_writefile(key, &priv, directory);
+ result = dst__privstruct_writefile(key, &priv, directory);
fail:
#if USE_EVP
RSA_free(rsa);
@@ -1079,20 +1112,56 @@ opensslrsa_tofile(const dst_key_t *key, const char *directory) {
}
static isc_result_t
-opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer) {
+rsa_check(RSA *rsa, RSA *pub)
+{
+ /* Public parameters should be the same but if they are not set
+ * copy them from the public key. */
+ if (pub != NULL) {
+ if (rsa->n != NULL) {
+ if (BN_cmp(rsa->n, pub->n) != 0)
+ return (DST_R_INVALIDPRIVATEKEY);
+ } else {
+ rsa->n = pub->n;
+ pub->n = NULL;
+ }
+ if (rsa->e != NULL) {
+ if (BN_cmp(rsa->e, pub->e) != 0)
+ return (DST_R_INVALIDPRIVATEKEY);
+ } else {
+ rsa->e = pub->e;
+ pub->e = NULL;
+ }
+ }
+ if (rsa->n == NULL || rsa->e == NULL)
+ return (DST_R_INVALIDPRIVATEKEY);
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
dst_private_t priv;
isc_result_t ret;
int i;
- RSA *rsa = NULL;
+ RSA *rsa = NULL, *pubrsa = NULL;
#ifdef USE_ENGINE
ENGINE *e = NULL;
#endif
isc_mem_t *mctx = key->mctx;
- const char *name = NULL, *label = NULL;
+ const char *engine = NULL, *label = NULL;
#if defined(USE_ENGINE) || USE_EVP
EVP_PKEY *pkey = NULL;
#endif
+#if USE_EVP
+ if (pub != NULL && pub->keydata.pkey != NULL)
+ pubrsa = EVP_PKEY_get1_RSA(pub->keydata.pkey);
+#else
+ if (pub != NULL && pub->keydata.rsa != NULL) {
+ pubrsa = pub->keydata.rsa;
+ pub->keydata.rsa = NULL;
+ }
+#endif
+
/* read private key file */
ret = dst__privstruct_parse(key, DST_ALG_RSA, lexer, mctx, &priv);
if (ret != ISC_R_SUCCESS)
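Review bot: `pubrsa` is acquired before `dst__privstruct_parse()` runs, so the failure branch that follows has to release it. The statement under `if (ret != ISC_R_SUCCESS)` is outside this hunk; if it is a plain `return (ret);`, the reference from `EVP_PKEY_get1_RSA()` (or the `RSA` taken out of `pub` in the non-EVP build) is leaked. Moving the `pubrsa` setup below the parse check would avoid that without sending an unfilled `priv` through `err:`. Separately, the non-EVP branch sets `pub->keydata.rsa = NULL` and `rsa_check()` can move `n`/`e` out of the public key, so parsing modifies the caller's `pub`. That deserves a comment on `opensslrsa_parse`, e.g. `/* may take n/e (and, without USE_EVP, the RSA itself) from pub; do not use pub as a key afterwards */`.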
@@ -1101,7 +1170,7 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer) {
for (i = 0; i < priv.nelements; i++) {
switch (priv.elements[i].tag) {
case TAG_RSA_ENGINE:
- name = (char *)priv.elements[i].data;
+ engine = (char *)priv.elements[i].data;
break;
case TAG_RSA_LABEL:
label = (char *)priv.elements[i].data;
@@ -1114,11 +1183,11 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer) {
* Is this key is stored in a HSM?
* See if we can fetch it.
*/
- if (name != NULL || label != NULL) {
+ if (label != NULL) {
#ifdef USE_ENGINE
- INSIST(name != NULL);
- INSIST(label != NULL);
- e = dst__openssl_getengine(name);
+ if (engine == NULL)
+ DST_RET(DST_R_NOENGINE);
+ e = dst__openssl_getengine(engine);
if (e == NULL)
DST_RET(DST_R_NOENGINE);
pkey = ENGINE_load_private_key(e, label, NULL, NULL);
@@ -1126,22 +1195,29 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer) {
DST_RET(dst__openssl_toresult2(
"ENGINE_load_private_key",
ISC_R_NOTFOUND));
- key->engine = isc_mem_strdup(key->mctx, name);
+ key->engine = isc_mem_strdup(key->mctx, engine);
if (key->engine == NULL)
DST_RET(ISC_R_NOMEMORY);
key->label = isc_mem_strdup(key->mctx, label);
if (key->label == NULL)
DST_RET(ISC_R_NOMEMORY);
+ rsa = EVP_PKEY_get1_RSA(pkey);
+ if (rsa == NULL)
+ DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
+ if (rsa_check(rsa, pubrsa) != ISC_R_SUCCESS)
+ DST_RET(DST_R_INVALIDPRIVATEKEY);
+ if (pubrsa != NULL)
+ RSA_free(pubrsa);
key->key_size = EVP_PKEY_bits(pkey);
#if USE_EVP
key->keydata.pkey = pkey;
+ RSA_free(rsa);
#else
- key->keydata.rsa = EVP_PKEY_get1_RSA(pkey);
- if (rsa == NULL)
- DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
+ key->keydata.rsa = rsa;
EVP_PKEY_free(pkey);
#endif
dst__privstruct_free(&priv, mctx);
+ memset(&priv, 0, sizeof(priv));
return (ISC_R_SUCCESS);
#else
DST_RET(DST_R_NOENGINE);
@@ -1157,9 +1233,8 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer) {
pkey = EVP_PKEY_new();
if (pkey == NULL)
DST_RET(ISC_R_NOMEMORY);
- if (!EVP_PKEY_set1_RSA(pkey, rsa)) {
+ if (!EVP_PKEY_set1_RSA(pkey, rsa))
DST_RET(ISC_R_FAILURE);
- }
key->keydata.pkey = pkey;
#else
key->keydata.rsa = rsa;
@@ -1209,8 +1284,13 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer) {
}
}
dst__privstruct_free(&priv, mctx);
+ memset(&priv, 0, sizeof(priv));
+ if (rsa_check(rsa, pubrsa) != ISC_R_SUCCESS)
+ DST_RET(DST_R_INVALIDPRIVATEKEY);
key->key_size = BN_num_bits(rsa->n);
+ if (pubrsa != NULL)
+ RSA_free(pubrsa);
#if USE_EVP
RSA_free(rsa);
#endif
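Review bot: The added `memset(&priv, 0, sizeof(priv))` appears to be what keeps the new `rsa_check()` failure path safe, and nothing in the code says so. `DST_RET` presumably jumps to `err:`, where `dst__privstruct_free(&priv, mctx)` is called a second time on the same structure. A comment would stop a later cleanup from removing it as a dead store, e.g. `/* priv is already freed; zero it so the free under err: has nothing to release */`. `RSA_free(pubrsa)` also leaves `pubrsa` dangling, and `pubrsa = NULL;` right after it would keep any `DST_RET` added later in this path from double-freeing. The function continues outside the hunk.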
@@ -1224,6 +1304,8 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer) {
#endif
if (rsa != NULL)
RSA_free(rsa);
+ if (pubrsa != NULL)
+ RSA_free(pubrsa);
opensslrsa_destroy(key);
dst__privstruct_free(&priv, mctx);
memset(&priv, 0, sizeof(priv));
@@ -1238,34 +1320,64 @@ opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
ENGINE *e = NULL;
isc_result_t ret;
EVP_PKEY *pkey = NULL;
+ RSA *rsa = NULL, *pubrsa = NULL;
+ char *colon;
UNUSED(pin);
+ if (engine == NULL)
+ DST_RET(DST_R_NOENGINE);
e = dst__openssl_getengine(engine);
if (e == NULL)
DST_RET(DST_R_NOENGINE);
+ pkey = ENGINE_load_public_key(e, label, NULL, NULL);
+ if (pkey != NULL) {
+ pubrsa = EVP_PKEY_get1_RSA(pkey);
+ EVP_PKEY_free(pkey);
+ if (pubrsa == NULL)
+ DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
+ }
pkey = ENGINE_load_private_key(e, label, NULL, NULL);
if (pkey == NULL)
DST_RET(dst__openssl_toresult2("ENGINE_load_private_key",
ISC_R_NOTFOUND));
- key->engine = isc_mem_strdup(key->mctx, label);
- if (key->engine == NULL)
- DST_RET(ISC_R_NOMEMORY);
+ if (engine != NULL) {
+ key->engine = isc_mem_strdup(key->mctx, engine);
+ if (key->engine == NULL)
+ DST_RET(ISC_R_NOMEMORY);
+ } else {
+ key->engine = isc_mem_strdup(key->mctx, label);
+ if (key->engine == NULL)
+ DST_RET(ISC_R_NOMEMORY);
+ colon = strchr(key->engine, ':');
+ if (colon != NULL)
+ *colon = '\0';
+ }
key->label = isc_mem_strdup(key->mctx, label);
if (key->label == NULL)
DST_RET(ISC_R_NOMEMORY);
+ rsa = EVP_PKEY_get1_RSA(pkey);
+ if (rsa == NULL)
+ DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
+ if (rsa_check(rsa, pubrsa) != ISC_R_SUCCESS)
+ DST_RET(DST_R_INVALIDPRIVATEKEY);
+ if (pubrsa != NULL)
+ RSA_free(pubrsa);
key->key_size = EVP_PKEY_bits(pkey);
#if USE_EVP
key->keydata.pkey = pkey;
+ RSA_free(rsa);
#else
- key->keydata.rsa = EVP_PKEY_get1_RSA(pkey);
+ key->keydata.rsa = rsa;
EVP_PKEY_free(pkey);
- if (key->keydata.rsa == NULL)
- return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
#endif
return (ISC_R_SUCCESS);
err:
+ if (rsa != NULL)
+ RSA_free(rsa);
+ if (pubrsa != NULL)
+ RSA_free(pubrsa);
if (pkey != NULL)
EVP_PKEY_free(pkey);
return (ret);
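Review bot: The `else` branch that copies `label` into `key->engine` and truncates it at the first `:` can never run, because the check added at the top of the hunk already leaves with `DST_R_NOENGINE` when `engine == NULL`. If deriving the engine name from the label is meant to be supported, the early `if (engine == NULL) DST_RET(DST_R_NOENGINE);` has to go. Otherwise the dead branch and the `colon` variable should be dropped, so that the function has one clear contract. When `rsa_check()` fails, `key->engine` and `key->label` are already allocated; the `err:` path shown here does not free them, and whether the caller does is not visible. The function starts and ends outside the hunk.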
@@ -1296,6 +1408,8 @@ static dst_func_t opensslrsa_functions = {
opensslrsa_parse,
NULL, /*%< cleanup */
opensslrsa_fromlabel,
+ NULL, /*%< dump */
+ NULL, /*%< restore */
};
isc_result_t
diff --git a/contrib/bind9/lib/dns/peer.c b/contrib/bind9/lib/dns/peer.c
index af310f3d2419..c55d73dddf5b 100644
--- a/contrib/bind9/lib/dns/peer.c
+++ b/contrib/bind9/lib/dns/peer.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2008, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: peer.c,v 1.33 2009/09/02 23:48:02 tbox Exp $ */
/*! \file */
@@ -536,7 +536,7 @@ dns_peer_setkeybycharp(dns_peer_t *peer, const char *keyval) {
isc_buffer_init(&b, keyval, strlen(keyval));
isc_buffer_add(&b, strlen(keyval));
result = dns_name_fromtext(dns_fixedname_name(&fname), &b,
- dns_rootname, ISC_FALSE, NULL);
+ dns_rootname, 0, NULL);
if (result != ISC_R_SUCCESS)
return (result);
diff --git a/contrib/bind9/lib/dns/private.c b/contrib/bind9/lib/dns/private.c
new file mode 100644
index 000000000000..b0cb96f5ee04
--- /dev/null
+++ b/contrib/bind9/lib/dns/private.c
@@ -0,0 +1,295 @@
+/*
+ * Copyright (C) 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id$ */
+
+#include "config.h"
+
+#include <isc/result.h>
+#include <isc/string.h>
+#include <isc/types.h>
+#include <isc/base64.h>
+
+#include <dns/nsec3.h>
+#include <dns/private.h>
+
+/*
+ * We need to build the relevant chain if there exists a NSEC/NSEC3PARAM
+ * at the apex; normally only one or the other of NSEC/NSEC3PARAM will exist.
+ *
+ * If a NSEC3PARAM RRset exists then we will need to build a NSEC chain
+ * if all the NSEC3PARAM records (and associated chains) are slated for
+ * destruction and we have not been told to NOT build the NSEC chain.
+ *
+ * If the NSEC set exist then check to see if there is a request to create
+ * a NSEC3 chain.
+ *
+ * If neither NSEC/NSEC3PARAM RRsets exist at the origin and the private
+ * type exists then we need to examine it to determine if NSEC3 chain has
+ * been requested to be built otherwise a NSEC chain needs to be built.
+ */
+
+#define REMOVE(x) (((x) & DNS_NSEC3FLAG_REMOVE) != 0)
+#define CREATE(x) (((x) & DNS_NSEC3FLAG_CREATE) != 0)
+#define NONSEC(x) (((x) & DNS_NSEC3FLAG_NONSEC) != 0)
+
+#define CHECK(x) do { \
+ result = (x); \
+ if (result != ISC_R_SUCCESS) \
+ goto failure; \
+ } while (0)
+
+/*
+ * Work out if 'param' should be ignored or not (i.e. it is in the process
+ * of being removed).
+ *
+ * Note: we 'belt-and-braces' here by also checking for a CREATE private
+ * record and keep the param record in this case.
+ */
+
+static isc_boolean_t
+ignore(dns_rdata_t *param, dns_rdataset_t *privateset) {
+ isc_result_t result;
+
+ for (result = dns_rdataset_first(privateset);
+ result == ISC_R_SUCCESS;
+ result = dns_rdataset_next(privateset)) {
+ unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];
+ dns_rdata_t private = DNS_RDATA_INIT;
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+
+ dns_rdataset_current(privateset, &private);
+ if (!dns_nsec3param_fromprivate(&private, &rdata,
+ buf, sizeof(buf)))
+ continue;
+ /*
+ * We are going to create a new NSEC3 chain so it
+ * doesn't matter if we are removing this one.
+ */
+ if (CREATE(rdata.data[1]))
+ return (ISC_FALSE);
+ if (rdata.data[0] != param->data[0] ||
+ rdata.data[2] != param->data[2] ||
+ rdata.data[3] != param->data[3] ||
+ rdata.data[4] != param->data[4] ||
+ memcmp(&rdata.data[5], &param->data[5], param->data[4]))
+ continue;
+ /*
+ * The removal of this NSEC3 chain does NOT cause a
+ * NSEC chain to be created so we don't need to tell
+ * the caller that it will be removed.
+ */
+ if (NONSEC(rdata.data[1]))
+ return (ISC_FALSE);
+ return (ISC_TRUE);
+ }
+ return (ISC_FALSE);
+}
+
+isc_result_t
+dns_private_chains(dns_db_t *db, dns_dbversion_t *ver,
+ dns_rdatatype_t privatetype,
+ isc_boolean_t *build_nsec, isc_boolean_t *build_nsec3)
+{
+ dns_dbnode_t *node;
+ dns_rdataset_t nsecset, nsec3paramset, privateset;
+ isc_boolean_t nsec3chain;
+ isc_boolean_t signing;
+ isc_result_t result;
+ unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];
+ unsigned int count;
+
+ node = NULL;
+ dns_rdataset_init(&nsecset);
+ dns_rdataset_init(&nsec3paramset);
+ dns_rdataset_init(&privateset);
+
+ CHECK(dns_db_getoriginnode(db, &node));
+
+ result = dns_db_findrdataset(db, node, ver, dns_rdatatype_nsec,
+ 0, (isc_stdtime_t) 0, &nsecset, NULL);
+
+ if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND)
+ goto failure;
+
+ result = dns_db_findrdataset(db, node, ver, dns_rdatatype_nsec3param,
+ 0, (isc_stdtime_t) 0, &nsec3paramset,
+ NULL);
+ if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND)
+ goto failure;
+
+ if (dns_rdataset_isassociated(&nsecset) &&
+ dns_rdataset_isassociated(&nsec3paramset)) {
+ if (build_nsec != NULL)
+ *build_nsec = ISC_TRUE;
+ if (build_nsec3 != NULL)
+ *build_nsec3 = ISC_TRUE;
+ goto success;
+ }
+
+ if (privatetype != (dns_rdatatype_t)0) {
+ result = dns_db_findrdataset(db, node, ver, privatetype,
+ 0, (isc_stdtime_t) 0,
+ &privateset, NULL);
+ if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND)
+ goto failure;
+ }
+
+ /*
+ * Look to see if we also need to be creating a NSEC3 chains.
+ */
+ if (dns_rdataset_isassociated(&nsecset)) {
+ if (build_nsec != NULL)
+ *build_nsec = ISC_TRUE;
+ if (build_nsec3 != NULL)
+ *build_nsec3 = ISC_FALSE;
+ if (!dns_rdataset_isassociated(&privateset))
+ goto success;
+ for (result = dns_rdataset_first(&privateset);
+ result == ISC_R_SUCCESS;
+ result = dns_rdataset_next(&privateset)) {
+ unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];
+ dns_rdata_t private = DNS_RDATA_INIT;
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+
+ dns_rdataset_current(&privateset, &private);
+ if (!dns_nsec3param_fromprivate(&private, &rdata,
+ buf, sizeof(buf)))
+ continue;
+ if (REMOVE(rdata.data[1]))
+ continue;
+ if (build_nsec3 != NULL)
+ *build_nsec3 = ISC_TRUE;
+ break;
+ }
+ goto success;
+ }
+
+ if (dns_rdataset_isassociated(&nsec3paramset)) {
+ if (build_nsec3 != NULL)
+ *build_nsec3 = ISC_TRUE;
+ if (build_nsec != NULL)
+ *build_nsec = ISC_FALSE;
+ if (!dns_rdataset_isassociated(&privateset))
+ goto success;
+ /*
+ * If we are in the process of building a new NSEC3 chain
+ * then we don't need to build a NSEC chain.
+ */
+ for (result = dns_rdataset_first(&privateset);
+ result == ISC_R_SUCCESS;
+ result = dns_rdataset_next(&privateset)) {
+ dns_rdata_t private = DNS_RDATA_INIT;
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+
+ dns_rdataset_current(&privateset, &private);
+ if (!dns_nsec3param_fromprivate(&private, &rdata,
+ buf, sizeof(buf)))
+ continue;
+ if (CREATE(rdata.data[1]))
+ goto success;
+ }
+
+ /*
+ * Check to see if there will be a active NSEC3CHAIN once
+ * the changes queued complete.
+ */
+ count = 0;
+ for (result = dns_rdataset_first(&nsec3paramset);
+ result == ISC_R_SUCCESS;
+ result = dns_rdataset_next(&nsec3paramset)) {
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+
+ /*
+ * If there is more that one NSEC3 chain present then
+ * we don't need to construct a NSEC chain.
+ */
+ if (++count > 1)
+ goto success;
+ dns_rdataset_current(&nsec3paramset, &rdata);
+ if (ignore(&rdata, &privateset))
+ continue;
+ /*
+ * We still have a good NSEC3 chain or we are
+ * not creating a NSEC chain as NONSEC is set.
+ */
+ goto success;
+ }
+
+ /*
+ * The last NSEC3 chain is being removed and does not have
+ * have NONSEC set.
+ */
+ if (build_nsec != NULL)
+ *build_nsec = ISC_TRUE;
+ goto success;
+ }
+
+ if (build_nsec != NULL)
+ *build_nsec = ISC_FALSE;
+ if (build_nsec3 != NULL)
+ *build_nsec3 = ISC_FALSE;
+ if (!dns_rdataset_isassociated(&privateset))
+ goto success;
+
+ signing = ISC_FALSE;
+ nsec3chain = ISC_FALSE;
+
+ for (result = dns_rdataset_first(&privateset);
+ result == ISC_R_SUCCESS;
+ result = dns_rdataset_next(&privateset)) {
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ dns_rdata_t private = DNS_RDATA_INIT;
+
+ dns_rdataset_current(&privateset, &private);
+ if (!dns_nsec3param_fromprivate(&private, &rdata,
+ buf, sizeof(buf))) {
+ /*
+ * Look for record that says we are signing the
+ * zone with a key.
+ */
+ if (private.length == 5 && private.data[0] != 0 &&
+ private.data[3] == 0 && private.data[4] == 0)
+ signing = ISC_TRUE;
+ } else {
+ if (CREATE(rdata.data[1]))
+ nsec3chain = ISC_TRUE;
+ }
+ }
+
+ if (signing) {
+ if (nsec3chain) {
+ if (build_nsec3 != NULL)
+ *build_nsec3 = ISC_TRUE;
+ } else {
+ if (build_nsec != NULL)
+ *build_nsec = ISC_TRUE;
+ }
+ }
+
+ success:
+ result = ISC_R_SUCCESS;
+ failure:
+ if (dns_rdataset_isassociated(&nsecset))
+ dns_rdataset_disassociate(&nsecset);
+ if (dns_rdataset_isassociated(&nsec3paramset))
+ dns_rdataset_disassociate(&nsec3paramset);
+ if (dns_rdataset_isassociated(&privateset))
+ dns_rdataset_disassociate(&privateset);
+ if (node != NULL)
+ dns_db_detachnode(db, &node);
+ return (result);
+}
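Review bot: `ignore()` reads `param->data[0]` through `param->data[4]` and then compares `param->data[4]` salt bytes without ever consulting `param->length`, and `rdata.data[1]` is indexed as soon as `dns_nsec3param_fromprivate()` succeeds. This is safe only if every NSEC3PARAM and private record reaching this code has been length-checked elsewhere, which this file does not show. A guard at the top of `ignore()` would make the assumption explicit, e.g. `INSIST(param->length >= 5 && param->length - 5 >= param->data[4]);` (it needs `<isc/util.h>` if that is not already pulled in). In `dns_private_chains()` the `buf` declared inside the first `privateset` loop shadows the function-level `buf`. The function's comment should also say that `*build_nsec` and `*build_nsec3` are left untouched on the `failure` path.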
diff --git a/contrib/bind9/lib/dns/rbt.c b/contrib/bind9/lib/dns/rbt.c
index a8b34a2d58f2..4e033d66ed14 100644
--- a/contrib/bind9/lib/dns/rbt.c
+++ b/contrib/bind9/lib/dns/rbt.c
@@ -537,7 +537,10 @@ dns_rbt_addnode(dns_rbt_t *rbt, dns_name_t *name, dns_rbtnode_t **nodep) {
* current node.
*/
new_current->is_root = current->is_root;
- new_current->nsec3 = current->nsec3;
+ if (current->nsec == DNS_RBT_NSEC_HAS_NSEC)
+ new_current->nsec = DNS_RBT_NSEC_NORMAL;
+ else
+ new_current->nsec = current->nsec;
PARENT(new_current) = PARENT(current);
LEFT(new_current) = LEFT(current);
RIGHT(new_current) = RIGHT(current);
@@ -1453,7 +1456,7 @@ create_node(isc_mem_t *mctx, dns_name_t *name, dns_rbtnode_t **nodep) {
DIRTY(node) = 0;
dns_rbtnode_refinit(node, 0);
node->find_callback = 0;
- node->nsec3 = 0;
+ node->nsec = DNS_RBT_NSEC_NORMAL;
MAKE_BLACK(node);
diff --git a/contrib/bind9/lib/dns/rbtdb.c b/contrib/bind9/lib/dns/rbtdb.c
index 2e8245d43b8f..ef721b8690c9 100644
--- a/contrib/bind9/lib/dns/rbtdb.c
+++ b/contrib/bind9/lib/dns/rbtdb.c
@@ -53,6 +53,7 @@
#include <dns/nsec.h>
#include <dns/nsec3.h>
#include <dns/rbt.h>
+#include <dns/rpz.h>
#include <dns/rdata.h>
#include <dns/rdataset.h>
#include <dns/rdatasetiter.h>
@@ -450,7 +451,9 @@ struct dns_rbtdb {
/* Locked by tree_lock. */
dns_rbt_t * tree;
+ dns_rbt_t * nsec;
dns_rbt_t * nsec3;
+ dns_rpz_cidr_t * rpz_cidr;
/* Unlocked */
unsigned int quantum;
@@ -630,8 +633,9 @@ typedef struct rbtdb_dbiterator {
static void free_rbtdb(dns_rbtdb_t *rbtdb, isc_boolean_t log,
isc_event_t *event);
static void overmem(dns_db_t *db, isc_boolean_t overmem);
-static void setnsec3parameters(dns_db_t *db, rbtdb_version_t *version,
- isc_boolean_t *nsec3createflag);
+#ifdef BIND9
+static void setnsec3parameters(dns_db_t *db, rbtdb_version_t *version);
+#endif
/*%
* 'init_count' is used to initialize 'newheader->count' which inturn
@@ -839,6 +843,7 @@ free_rbtdb(dns_rbtdb_t *rbtdb, isc_boolean_t log, isc_event_t *event) {
isc_ondestroy_t ondest;
isc_result_t result;
char buf[DNS_NAME_FORMATSIZE];
+ dns_rbt_t **treep;
isc_time_t start;
if (IS_CACHE(rbtdb) && rbtdb->common.rdclass == dns_rdataclass_in)
@@ -875,33 +880,26 @@ free_rbtdb(dns_rbtdb_t *rbtdb, isc_boolean_t log, isc_event_t *event) {
if (event == NULL)
rbtdb->quantum = (rbtdb->task != NULL) ? 100 : 0;
- again:
- if (rbtdb->tree != NULL) {
- isc_time_now(&start);
- result = dns_rbt_destroy2(&rbtdb->tree, rbtdb->quantum);
- if (result == ISC_R_QUOTA) {
- INSIST(rbtdb->task != NULL);
- if (rbtdb->quantum != 0)
- rbtdb->quantum = adjust_quantum(rbtdb->quantum,
- &start);
- if (event == NULL)
- event = isc_event_allocate(rbtdb->common.mctx,
- NULL,
- DNS_EVENT_FREESTORAGE,
- free_rbtdb_callback,
- rbtdb,
- sizeof(isc_event_t));
- if (event == NULL)
- goto again;
- isc_task_send(rbtdb->task, &event);
- return;
+
+ for (;;) {
+ /*
+ * pick the next tree to (start to) destroy
+ */
+ treep = &rbtdb->tree;
+ if (*treep == NULL) {
+ treep = &rbtdb->nsec;
+ if (*treep == NULL) {
+ treep = &rbtdb->nsec3;
+ /*
+ * we're finished after clear cutting
+ */
+ if (*treep == NULL)
+ break;
+ }
}
- INSIST(result == ISC_R_SUCCESS && rbtdb->tree == NULL);
- }
- if (rbtdb->nsec3 != NULL) {
isc_time_now(&start);
- result = dns_rbt_destroy2(&rbtdb->nsec3, rbtdb->quantum);
+ result = dns_rbt_destroy2(treep, rbtdb->quantum);
if (result == ISC_R_QUOTA) {
INSIST(rbtdb->task != NULL);
if (rbtdb->quantum != 0)
@@ -915,11 +913,11 @@ free_rbtdb(dns_rbtdb_t *rbtdb, isc_boolean_t log, isc_event_t *event) {
rbtdb,
sizeof(isc_event_t));
if (event == NULL)
- goto again;
+ continue;
isc_task_send(rbtdb->task, &event);
return;
}
- INSIST(result == ISC_R_SUCCESS && rbtdb->nsec3 == NULL);
+ INSIST(result == ISC_R_SUCCESS && *treep == NULL);
}
if (event != NULL)
@@ -973,6 +971,11 @@ free_rbtdb(dns_rbtdb_t *rbtdb, isc_boolean_t log, isc_event_t *event) {
if (rbtdb->rrsetstats != NULL)
dns_stats_detach(&rbtdb->rrsetstats);
+#ifdef BIND9
+ if (rbtdb->rpz_cidr != NULL)
+ dns_rpz_cidr_free(&rbtdb->rpz_cidr);
+#endif
+
isc_mem_put(rbtdb->common.mctx, rbtdb->node_locks,
rbtdb->node_lock_count * sizeof(rbtdb_nodelock_t));
isc_rwlock_destroy(&rbtdb->tree_lock);
@@ -1499,6 +1502,82 @@ clean_zone_node(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node,
node->dirty = 0;
}
+static void
+delete_node(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node)
+{
+ dns_rbtnode_t *nsecnode;
+ dns_fixedname_t fname;
+ dns_name_t *name;
+ isc_result_t result = ISC_R_UNEXPECTED;
+
+ INSIST(!ISC_LINK_LINKED(node, deadlink));
+
+ switch (node->nsec) {
+ case DNS_RBT_NSEC_NORMAL:
+#ifdef BIND9
+ if (rbtdb->rpz_cidr != NULL) {
+ dns_fixedname_init(&fname);
+ name = dns_fixedname_name(&fname);
+ dns_rbt_fullnamefromnode(node, name);
+ dns_rpz_cidr_deleteip(rbtdb->rpz_cidr, name);
+ }
+#endif
+ result = dns_rbt_deletenode(rbtdb->tree, node, ISC_FALSE);
+ break;
+ case DNS_RBT_NSEC_HAS_NSEC:
+ dns_fixedname_init(&fname);
+ name = dns_fixedname_name(&fname);
+ dns_rbt_fullnamefromnode(node, name);
+ /*
+ * Delete the corresponding node from the auxiliary NSEC
+ * tree before deleting from the main tree.
+ */
+ nsecnode = NULL;
+ result = dns_rbt_findnode(rbtdb->nsec, name, NULL, &nsecnode,
+ NULL, DNS_RBTFIND_EMPTYDATA,
+ NULL, NULL);
+ if (result != ISC_R_SUCCESS) {
+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+ DNS_LOGMODULE_CACHE, ISC_LOG_WARNING,
+ "delete_node: "
+ "dns_rbt_findnode(nsec): %s",
+ isc_result_totext(result));
+ } else {
+ result = dns_rbt_deletenode(rbtdb->nsec, nsecnode,
+ ISC_FALSE);
+ if (result != ISC_R_SUCCESS) {
+ isc_log_write(dns_lctx,
+ DNS_LOGCATEGORY_DATABASE,
+ DNS_LOGMODULE_CACHE,
+ ISC_LOG_WARNING,
+ "delete_nsecnode(): "
+ "dns_rbt_deletenode(nsecnode): %s",
+ isc_result_totext(result));
+ }
+ }
+ result = dns_rbt_deletenode(rbtdb->tree, node, ISC_FALSE);
+#ifdef BIND9
+ dns_rpz_cidr_deleteip(rbtdb->rpz_cidr, name);
+#endif
+ break;
+ case DNS_RBT_NSEC_NSEC:
+ result = dns_rbt_deletenode(rbtdb->nsec, node, ISC_FALSE);
+ break;
+ case DNS_RBT_NSEC_NSEC3:
+ result = dns_rbt_deletenode(rbtdb->nsec3, node, ISC_FALSE);
+ break;
+ }
+ if (result != ISC_R_SUCCESS) {
+ isc_log_write(dns_lctx,
+ DNS_LOGCATEGORY_DATABASE,
+ DNS_LOGMODULE_CACHE,
+ ISC_LOG_WARNING,
+ "delete_nsecnode(): "
+ "dns_rbt_deletenode: %s",
+ isc_result_totext(result));
+ }
+}
+
/*%
* Clean up dead nodes. These are nodes which have no references, and
* have no data. They are dead but we could not or chose not to delete
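Review bot: In the `DNS_RBT_NSEC_HAS_NSEC` case of `delete_node`, `dns_rpz_cidr_deleteip(rbtdb->rpz_cidr, name)` is called without the `rbtdb->rpz_cidr != NULL` test that guards the same call in the `DNS_RBT_NSEC_NORMAL` case. Unless the callee accepts NULL (not visible here), this may dereference a null pointer for databases that carry no RPZ data. Guarding it the same way, `if (rbtdb->rpz_cidr != NULL) dns_rpz_cidr_deleteip(rbtdb->rpz_cidr, name);`, keeps the two cases consistent. Two of the warnings are prefixed `delete_nsecnode(): ` although the function is `delete_node`, which points anyone triaging the log at a function that does not exist in this hunk. A `default:` arm in the `switch` would make the reliance on the `ISC_R_UNEXPECTED` initialiser explicit.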
@@ -1510,7 +1589,6 @@ clean_zone_node(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node,
static void
cleanup_dead_nodes(dns_rbtdb_t *rbtdb, int bucketnum) {
dns_rbtnode_t *node;
- isc_result_t result;
int count = 10; /* XXXJT: should be adjustable */
node = ISC_LIST_HEAD(rbtdb->deadnodes[bucketnum]);
@@ -1524,19 +1602,8 @@ cleanup_dead_nodes(dns_rbtdb_t *rbtdb, int bucketnum) {
INSIST(dns_rbtnode_refcurrent(node) == 0 &&
node->data == NULL);
- INSIST(!ISC_LINK_LINKED(node, deadlink));
- if (node->nsec3)
- result = dns_rbt_deletenode(rbtdb->nsec3, node,
- ISC_FALSE);
- else
- result = dns_rbt_deletenode(rbtdb->tree, node,
- ISC_FALSE);
- if (result != ISC_R_SUCCESS)
- isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
- DNS_LOGMODULE_CACHE, ISC_LOG_WARNING,
- "cleanup_dead_nodes: "
- "dns_rbt_deletenode: %s",
- isc_result_totext(result));
+ delete_node(rbtdb, node);
+
node = ISC_LIST_HEAD(rbtdb->deadnodes[bucketnum]);
count--;
}
@@ -1789,22 +1856,7 @@ decrement_reference(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node,
sizeof(printname)));
}
- INSIST(!ISC_LINK_LINKED(node, deadlink));
- if (node->nsec3)
- result = dns_rbt_deletenode(rbtdb->nsec3, node,
- ISC_FALSE);
- else
- result = dns_rbt_deletenode(rbtdb->tree, node,
- ISC_FALSE);
- if (result != ISC_R_SUCCESS) {
- isc_log_write(dns_lctx,
- DNS_LOGCATEGORY_DATABASE,
- DNS_LOGMODULE_CACHE,
- ISC_LOG_WARNING,
- "decrement_reference: "
- "dns_rbt_deletenode: %s",
- isc_result_totext(result));
- }
+ delete_node(rbtdb, node);
}
} else {
INSIST(node->data == NULL);
@@ -1940,13 +1992,17 @@ cleanup_nondirty(rbtdb_version_t *version, rbtdb_changedlist_t *cleanup_list) {
static void
iszonesecure(dns_db_t *db, rbtdb_version_t *version, dns_dbnode_t *origin) {
+#ifndef BIND9
+ UNUSED(db);
+ UNUSED(version);
+ UNUSED(origin);
+
+ return;
+#else
dns_rdataset_t keyset;
dns_rdataset_t nsecset, signsecset;
- dns_rdata_t rdata = DNS_RDATA_INIT;
isc_boolean_t haszonekey = ISC_FALSE;
isc_boolean_t hasnsec = ISC_FALSE;
- isc_boolean_t hasoptbit = ISC_FALSE;
- isc_boolean_t nsec3createflag = ISC_FALSE;
isc_result_t result;
dns_rdataset_init(&keyset);
@@ -1978,41 +2034,30 @@ iszonesecure(dns_db_t *db, rbtdb_version_t *version, dns_dbnode_t *origin) {
if (result == ISC_R_SUCCESS) {
if (dns_rdataset_isassociated(&signsecset)) {
hasnsec = ISC_TRUE;
- result = dns_rdataset_first(&nsecset);
- if (result == ISC_R_SUCCESS) {
- dns_rdataset_current(&nsecset, &rdata);
- hasoptbit = dns_nsec_typepresent(&rdata,
- dns_rdatatype_opt);
- }
dns_rdataset_disassociate(&signsecset);
}
dns_rdataset_disassociate(&nsecset);
}
- setnsec3parameters(db, version, &nsec3createflag);
+ setnsec3parameters(db, version);
/*
* Do we have a valid NSEC/NSEC3 chain?
*/
- if (version->havensec3 || (hasnsec && !hasoptbit))
+ if (version->havensec3 || hasnsec)
version->secure = dns_db_secure;
- /*
- * Do we have a NSEC/NSEC3 chain under creation?
- */
- else if (hasoptbit || nsec3createflag)
- version->secure = dns_db_partial;
else
version->secure = dns_db_insecure;
+#endif
}
/*%<
* Walk the origin node looking for NSEC3PARAM records.
* Cache the nsec3 parameters.
*/
+#ifdef BIND9
static void
-setnsec3parameters(dns_db_t *db, rbtdb_version_t *version,
- isc_boolean_t *nsec3createflag)
-{
+setnsec3parameters(dns_db_t *db, rbtdb_version_t *version) {
dns_rbtnode_t *node;
dns_rdata_nsec3param_t nsec3param;
dns_rdata_t rdata = DNS_RDATA_INIT;
@@ -2043,7 +2088,7 @@ setnsec3parameters(dns_db_t *db, rbtdb_version_t *version,
} while (header != NULL);
if (header != NULL &&
- header->type == dns_rdatatype_nsec3param) {
+ (header->type == dns_rdatatype_nsec3param)) {
/*
* Find A NSEC3PARAM with a supported algorithm.
*/
@@ -2078,17 +2123,8 @@ setnsec3parameters(dns_db_t *db, rbtdb_version_t *version,
!dns_nsec3_supportedhash(nsec3param.hash))
continue;
-#ifdef RFC5155_STRICT
if (nsec3param.flags != 0)
continue;
-#else
- if ((nsec3param.flags & DNS_NSEC3FLAG_CREATE)
- != 0)
- *nsec3createflag = ISC_TRUE;
- if ((nsec3param.flags & ~DNS_NSEC3FLAG_OPTOUT)
- != 0)
- continue;
-#endif
memcpy(version->salt, nsec3param.salt,
nsec3param.salt_length);
@@ -2111,6 +2147,7 @@ setnsec3parameters(dns_db_t *db, rbtdb_version_t *version,
isc_rwlocktype_read);
RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_read);
}
+#endif
static void
cleanup_dead_nodes_callback(isc_task_t *task, isc_event_t *event) {
@@ -2431,7 +2468,8 @@ add_wildcard_magic(dns_rbtdb_t *rbtdb, dns_name_t *name) {
result = dns_rbt_addnode(rbtdb->tree, &foundname, &node);
if (result != ISC_R_SUCCESS && result != ISC_R_EXISTS)
return (result);
- node->nsec3 = 0;
+ if (result == ISC_R_SUCCESS)
+ node->nsec = DNS_RBT_NSEC_NORMAL;
node->find_callback = 1;
node->wild = 1;
return (ISC_R_SUCCESS);
@@ -2459,7 +2497,8 @@ add_empty_wildcards(dns_rbtdb_t *rbtdb, dns_name_t *name) {
&node);
if (result != ISC_R_SUCCESS && result != ISC_R_EXISTS)
return (result);
- node->nsec3 = 0;
+ if (result == ISC_R_SUCCESS)
+ node->nsec = DNS_RBT_NSEC_NORMAL;
}
i++;
}
@@ -2497,6 +2536,17 @@ findnodeintree(dns_rbtdb_t *rbtdb, dns_rbt_t *tree, dns_name_t *name,
node = NULL;
result = dns_rbt_addnode(tree, name, &node);
if (result == ISC_R_SUCCESS) {
+#ifdef BIND9
+ if (tree == rbtdb->tree && rbtdb->rpz_cidr != NULL) {
+ dns_fixedname_t fnamef;
+ dns_name_t *fname;
+
+ dns_fixedname_init(&fnamef);
+ fname = dns_fixedname_name(&fnamef);
+ dns_rbt_fullnamefromnode(node, fname);
+ dns_rpz_cidr_addip(rbtdb->rpz_cidr, fname);
+ }
+#endif
dns_rbt_namefromnode(node, &nodename);
#ifdef DNS_RBT_USEHASH
node->locknum = node->hashval % rbtdb->node_lock_count;
@@ -2505,21 +2555,18 @@ findnodeintree(dns_rbtdb_t *rbtdb, dns_rbt_t *tree, dns_name_t *name,
rbtdb->node_lock_count;
#endif
if (tree == rbtdb->tree) {
- node->nsec3 = 0;
add_empty_wildcards(rbtdb, name);
if (dns_name_iswildcard(name)) {
- result = add_wildcard_magic(rbtdb,
- name);
+ result = add_wildcard_magic(rbtdb, name);
if (result != ISC_R_SUCCESS) {
- RWUNLOCK(&rbtdb->tree_lock,
- locktype);
+ RWUNLOCK(&rbtdb->tree_lock, locktype);
return (result);
}
}
}
if (tree == rbtdb->nsec3)
- node->nsec3 = 1;
+ node->nsec = DNS_RBT_NSEC_NSEC3;
} else if (result != ISC_R_EXISTS) {
RWUNLOCK(&rbtdb->tree_lock, locktype);
return (result);
@@ -2527,7 +2574,7 @@ findnodeintree(dns_rbtdb_t *rbtdb, dns_rbt_t *tree, dns_name_t *name,
}
if (tree == rbtdb->nsec3)
- INSIST(node->nsec3 == 1);
+ INSIST(node->nsec == DNS_RBT_NSEC_NSEC3);
reactivate_node(rbtdb, node, locktype);
RWUNLOCK(&rbtdb->tree_lock, locktype);
@@ -2539,7 +2586,7 @@ findnodeintree(dns_rbtdb_t *rbtdb, dns_rbt_t *tree, dns_name_t *name,
static isc_result_t
findnode(dns_db_t *db, dns_name_t *name, isc_boolean_t create,
- dns_dbnode_t **nodep)
+ dns_dbnode_t **nodep)
{
dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
@@ -3264,13 +3311,125 @@ matchparams(rdatasetheader_t *header, rbtdb_search_t *search)
* Find node of the NSEC/NSEC3 record that is 'name'.
*/
static inline isc_result_t
+previous_closest_nsec(dns_rdatatype_t type, rbtdb_search_t *search,
+ dns_name_t *name, dns_name_t *origin,
+ dns_rbtnode_t **nodep, dns_rbtnodechain_t *nsecchain,
+ isc_boolean_t *firstp)
+{
+ dns_fixedname_t ftarget;
+ dns_name_t *target;
+ dns_rbtnode_t *nsecnode;
+ isc_result_t result;
+
+ REQUIRE(nodep != NULL && *nodep == NULL);
+
+ if (type == dns_rdatatype_nsec3) {
+ result = dns_rbtnodechain_prev(&search->chain, NULL, NULL);
+ if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN)
+ return (result);
+ result = dns_rbtnodechain_current(&search->chain, name, origin,
+ nodep);
+ return (result);
+ }
+
+ dns_fixedname_init(&ftarget);
+ target = dns_fixedname_name(&ftarget);
+
+ for (;;) {
+ if (*firstp) {
+ /*
+ * Construct the name of the second node to check.
+ * It is the first node sought in the NSEC tree.
+ */
+ *firstp = ISC_FALSE;
+ dns_rbtnodechain_init(nsecchain, NULL);
+ result = dns_name_concatenate(name, origin,
+ target, NULL);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ nsecnode = NULL;
+ result = dns_rbt_findnode(search->rbtdb->nsec,
+ target, NULL,
+ &nsecnode, nsecchain,
+ DNS_RBTFIND_NOOPTIONS,
+ NULL, NULL);
+ if (result == ISC_R_SUCCESS) {
+ /*
+ * Since this was the first loop, finding the
+ * name in the NSEC tree implies that the first
+ * node checked in the main tree had an
+ * unacceptable NSEC record.
+ * Try the previous node in the NSEC tree.
+ */
+ result = dns_rbtnodechain_prev(nsecchain,
+ name, origin);
+ if (result == DNS_R_NEWORIGIN)
+ result = ISC_R_SUCCESS;
+ } else if (result == ISC_R_NOTFOUND ||
+ result == DNS_R_PARTIALMATCH) {
+ result = dns_rbtnodechain_current(nsecchain,
+ name, origin, NULL);
+ if (result == ISC_R_NOTFOUND)
+ result = ISC_R_NOMORE;
+ }
+ } else {
+ /*
+ * This is a second or later trip through the auxiliary
+ * tree for the name of a third or earlier NSEC node in
+ * the main tree. Previous trips through the NSEC tree
+ * must have found nodes in the main tree with NSEC
+ * records. Perhaps they lacked signature records.
+ */
+ result = dns_rbtnodechain_prev(nsecchain, name, origin);
+ if (result == DNS_R_NEWORIGIN)
+ result = ISC_R_SUCCESS;
+ }
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ /*
+ * Construct the name to seek in the main tree.
+ */
+ result = dns_name_concatenate(name, origin, target, NULL);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ *nodep = NULL;
+ result = dns_rbt_findnode(search->rbtdb->tree, target, NULL,
+ nodep, &search->chain,
+ DNS_RBTFIND_NOOPTIONS, NULL, NULL);
+ if (result == ISC_R_SUCCESS)
+ return (result);
+
+ /*
+ * There should always be a node in the main tree with the
+ * same name as the node in the auxiliary NSEC tree, except for
+ * nodes in the auxiliary tree that are awaiting deletion.
+ */
+ if (result != DNS_R_PARTIALMATCH && result != ISC_R_NOTFOUND) {
+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+ DNS_LOGMODULE_CACHE, ISC_LOG_ERROR,
+ "previous_closest_nsec(): %s",
+ isc_result_totext(result));
+ return (DNS_R_BADDB);
+ }
+ }
+}
+
+/*
+ * Find the NSEC/NSEC3 which is or before the current point on the
+ * search chain. For NSEC3 records only NSEC3 records that match the
+ * current NSEC3PARAM record are considered.
+ */
+static inline isc_result_t
find_closest_nsec(rbtdb_search_t *search, dns_dbnode_t **nodep,
dns_name_t *foundname, dns_rdataset_t *rdataset,
dns_rdataset_t *sigrdataset, dns_rbt_t *tree,
dns_db_secure_t secure)
{
- dns_rbtnode_t *node;
+ dns_rbtnode_t *node, *prevnode;
rdatasetheader_t *header, *header_next, *found, *foundsig;
+ dns_rbtnodechain_t nsecchain;
isc_boolean_t empty_node;
isc_result_t result;
dns_fixedname_t fname, forigin;
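Review bot: previous_closest_nsec() dereferences `*firstp` and hands `nsecchain` to dns_rbtnodechain_init() whenever `type` is not dns_rdatatype_nsec3, yet nothing in the function states that contract. The call added in the `@@ -3350,11 +3514,12 @@` hunk passes `NULL, NULL` for both arguments; that is safe only if that branch is reached with the NSEC3 type, and the condition guarding it lies outside the visible hunks. I would make the precondition explicit next to the existing REQUIRE: `REQUIRE(type == dns_rdatatype_nsec3 || (nsecchain != NULL && firstp != NULL));`. The body of find_closest_nsec() continues outside this hunk.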
@@ -3278,6 +3437,7 @@ find_closest_nsec(rbtdb_search_t *search, dns_dbnode_t **nodep,
dns_rdatatype_t type;
rbtdb_rdatatype_t sigtype;
isc_boolean_t wraps;
+ isc_boolean_t first = ISC_TRUE;
isc_boolean_t need_sig = ISC_TF(secure == dns_db_secure);
if (tree == search->rbtdb->nsec3) {
@@ -3290,17 +3450,21 @@ find_closest_nsec(rbtdb_search_t *search, dns_dbnode_t **nodep,
wraps = ISC_FALSE;
}
+ /*
+ * Use the auxiliary tree only starting with the second node in the
+ * hope that the original node will be right much of the time.
+ */
+ dns_fixedname_init(&fname);
+ name = dns_fixedname_name(&fname);
+ dns_fixedname_init(&forigin);
+ origin = dns_fixedname_name(&forigin);
again:
+ node = NULL;
+ prevnode = NULL;
+ result = dns_rbtnodechain_current(&search->chain, name, origin, &node);
+ if (result != ISC_R_SUCCESS)
+ return (result);
do {
- node = NULL;
- dns_fixedname_init(&fname);
- name = dns_fixedname_name(&fname);
- dns_fixedname_init(&forigin);
- origin = dns_fixedname_name(&forigin);
- result = dns_rbtnodechain_current(&search->chain, name,
- origin, &node);
- if (result != ISC_R_SUCCESS)
- return (result);
NODE_LOCK(&(search->rbtdb->node_locks[node->locknum].lock),
isc_rwlocktype_read);
found = NULL;
@@ -3350,11 +3514,12 @@ find_closest_nsec(rbtdb_search_t *search, dns_dbnode_t **nodep,
empty_node = ISC_TRUE;
found = NULL;
foundsig = NULL;
- result = dns_rbtnodechain_prev(&search->chain,
- NULL, NULL);
+ result = previous_closest_nsec(type, search,
+ name, origin,
+ &prevnode, NULL,
+ NULL);
} else if (found != NULL &&
- (foundsig != NULL || !need_sig))
- {
+ (foundsig != NULL || !need_sig)) {
/*
* We've found the right NSEC/NSEC3 record.
*
@@ -3391,8 +3556,11 @@ find_closest_nsec(rbtdb_search_t *search, dns_dbnode_t **nodep,
* node as if it were empty and keep looking.
*/
empty_node = ISC_TRUE;
- result = dns_rbtnodechain_prev(&search->chain,
- NULL, NULL);
+ result = previous_closest_nsec(type, search,
+ name, origin,
+ &prevnode,
+ &nsecchain,
+ &first);
} else {
/*
* We found an active node, but either the
@@ -3406,13 +3574,19 @@ find_closest_nsec(rbtdb_search_t *search, dns_dbnode_t **nodep,
* This node isn't active. We've got to keep
* looking.
*/
- result = dns_rbtnodechain_prev(&search->chain, NULL,
- NULL);
+ result = previous_closest_nsec(type, search,
+ name, origin, &prevnode,
+ &nsecchain, &first);
}
NODE_UNLOCK(&(search->rbtdb->node_locks[node->locknum].lock),
isc_rwlocktype_read);
+ node = prevnode;
+ prevnode = NULL;
} while (empty_node && result == ISC_R_SUCCESS);
+ if (!first)
+ dns_rbtnodechain_invalidate(&nsecchain);
+
if (result == ISC_R_NOMORE && wraps) {
result = dns_rbtnodechain_last(&search->chain, tree,
NULL, NULL);
@@ -3959,6 +4133,7 @@ zone_findzonecut(dns_db_t *db, dns_name_t *name, unsigned int options,
FATAL_ERROR(__FILE__, __LINE__, "zone_findzonecut() called!");
+ /* NOTREACHED */
return (ISC_R_NOTIMPLEMENTED);
}
@@ -4371,6 +4546,221 @@ find_coveringnsec(rbtdb_search_t *search, dns_dbnode_t **nodep,
return (result);
}
+/*
+ * Mark a database for response policy rewriting.
+ */
+#ifdef BIND9
+static void
+get_rpz_enabled(dns_db_t *db, dns_rpz_st_t *st)
+{
+ dns_rbtdb_t *rbtdb;
+
+ rbtdb = (dns_rbtdb_t *)db;
+ REQUIRE(VALID_RBTDB(rbtdb));
+ RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_read);
+ dns_rpz_enabled(rbtdb->rpz_cidr, st);
+ RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_read);
+}
+
+/*
+ * Search the CDIR block tree of a response policy tree of trees for all of
+ * the IP addresses in an A or AAAA rdataset.
+ * Among the policies for all IPv4 and IPv6 addresses for a name, choose
+ * the earliest configured policy,
+ * QNAME over IP over NSDNAME over NSIP,
+ * the longest prefix,
+ * the lexically smallest address.
+ * The caller must have already checked that any existing policy was not
+ * configured earlier than this policy zone and does not have a higher
+ * precedence type.
+ */
+static void
+rpz_findips(dns_rpz_zone_t *rpz, dns_rpz_type_t rpz_type,
+ dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *version,
+ dns_rdataset_t *ardataset, dns_rpz_st_t *st,
+ dns_name_t *query_qname)
+{
+ dns_rbtdb_t *rbtdb;
+ struct in_addr ina;
+ struct in6_addr in6a;
+ isc_netaddr_t netaddr;
+ dns_fixedname_t selfnamef, qnamef;
+ dns_name_t *selfname, *qname;
+ dns_rbtnode_t *node;
+ dns_rdataset_t zrdataset;
+ dns_rpz_cidr_bits_t prefix;
+ isc_result_t result;
+ dns_rpz_policy_t rpz_policy;
+ dns_ttl_t ttl;
+
+ rbtdb = (dns_rbtdb_t *)db;
+ REQUIRE(VALID_RBTDB(rbtdb));
+ RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_read);
+
+ if (rbtdb->rpz_cidr == NULL) {
+ RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_read);
+ return;
+ }
+
+ dns_fixedname_init(&selfnamef);
+ dns_fixedname_init(&qnamef);
+ selfname = dns_fixedname_name(&selfnamef);
+ qname = dns_fixedname_name(&qnamef);
+
+ for (result = dns_rdataset_first(ardataset);
+ result == ISC_R_SUCCESS;
+ result = dns_rdataset_next(ardataset)) {
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ dns_rdataset_current(ardataset, &rdata);
+ switch (rdata.type) {
+ case dns_rdatatype_a:
+ INSIST(rdata.length == 4);
+ memcpy(&ina.s_addr, rdata.data, 4);
+ isc_netaddr_fromin(&netaddr, &ina);
+ break;
+ case dns_rdatatype_aaaa:
+ INSIST(rdata.length == 16);
+ memcpy(in6a.s6_addr, rdata.data, 16);
+ isc_netaddr_fromin6(&netaddr, &in6a);
+ break;
+ default:
+ continue;
+ }
+
+ result = dns_rpz_cidr_find(rbtdb->rpz_cidr, &netaddr, rpz_type,
+ selfname, qname, &prefix);
+ if (result != ISC_R_SUCCESS)
+ continue;
+
+ /*
+ * If we already have a rule, discard this new rule if
+ * is not better.
+ * The caller has checked that st->m.rpz->num > rpz->num
+ * or st->m.rpz->num == rpz->num and st->m.type >= rpz_type
+ */
+ if (st->m.policy != DNS_RPZ_POLICY_MISS &&
+ st->m.rpz->num == rpz->num &&
+ (st->m.type < rpz_type ||
+ (st->m.type == rpz_type &&
+ (st->m.prefix > prefix ||
+ (st->m.prefix == prefix &&
+ 0 > dns_name_rdatacompare(st->qname, qname))))))
+ continue;
+
+ /*
+ * We have rpz_st an entry with a prefix at least as long as
+ * the prefix of the entry we had before. Find the node
+ * corresponding to CDIR tree entry.
+ */
+ node = NULL;
+ result = dns_rbt_findnode(rbtdb->tree, qname, NULL,
+ &node, NULL, 0, NULL, NULL);
+ if (result != ISC_R_SUCCESS) {
+ char namebuf[DNS_NAME_FORMATSIZE];
+
+ dns_name_format(qname, namebuf, sizeof(namebuf));
+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_RPZ,
+ DNS_LOGMODULE_RBTDB, DNS_RPZ_ERROR_LEVEL,
+ "rpz_findips findnode(%s) failed: %s",
+ namebuf, isc_result_totext(result));
+ continue;
+ }
+ /*
+ * First look for a simple rewrite of the IP address.
+ * If that fails, look for a CNAME. If we cannot find
+ * a CNAME or the CNAME is neither of the special forms
+ * "*" or ".", treat it like a real CNAME.
+ */
+ dns_rdataset_init(&zrdataset);
+ result = dns_db_findrdataset(db, node, version, ardataset->type,
+ 0, 0, &zrdataset, NULL);
+ if (result != ISC_R_SUCCESS)
+ result = dns_db_findrdataset(db, node, version,
+ dns_rdatatype_cname,
+ 0, 0, &zrdataset, NULL);
+ if (result == ISC_R_SUCCESS) {
+ if (zrdataset.type != dns_rdatatype_cname) {
+ rpz_policy = DNS_RPZ_POLICY_RECORD;
+ } else {
+ rpz_policy = dns_rpz_decode_cname(rpz,
+ &zrdataset,
+ selfname);
+ if (rpz_policy == DNS_RPZ_POLICY_RECORD ||
+ rpz_policy == DNS_RPZ_POLICY_WILDCNAME)
+ result = DNS_R_CNAME;
+ }
+ ttl = zrdataset.ttl;
+ } else {
+ rpz_policy = DNS_RPZ_POLICY_RECORD;
+ result = DNS_R_NXRRSET;
+ ttl = DNS_RPZ_TTL_DEFAULT;
+ }
+
+ /*
+ * Use an overriding action specified in the configuration file
+ */
+ if (rpz->policy != DNS_RPZ_POLICY_GIVEN) {
+ /*
+ * only log DNS_RPZ_POLICY_DISABLED hits
+ */
+ if (rpz->policy == DNS_RPZ_POLICY_DISABLED) {
+ if (isc_log_wouldlog(dns_lctx,
+ DNS_RPZ_INFO_LEVEL)) {
+ char qname_buf[DNS_NAME_FORMATSIZE];
+ char rpz_qname_buf[DNS_NAME_FORMATSIZE];
+ dns_name_format(query_qname, qname_buf,
+ sizeof(qname_buf));
+ dns_name_format(qname, rpz_qname_buf,
+ sizeof(rpz_qname_buf));
+
+ isc_log_write(dns_lctx,
+ DNS_LOGCATEGORY_RPZ,
+ DNS_LOGMODULE_RBTDB,
+ DNS_RPZ_INFO_LEVEL,
+ "disabled rpz %s %s rewrite"
+ " %s via %s",
+ dns_rpz_type2str(rpz_type),
+ dns_rpz_policy2str(rpz_policy),
+ qname_buf, rpz_qname_buf);
+ }
+ continue;
+ }
+
+ rpz_policy = rpz->policy;
+ }
+
+ if (dns_rdataset_isassociated(st->m.rdataset))
+ dns_rdataset_disassociate(st->m.rdataset);
+ if (st->m.node != NULL)
+ dns_db_detachnode(st->m.db, &st->m.node);
+ if (st->m.db != NULL)
+ dns_db_detach(&st->m.db);
+ if (st->m.zone != NULL)
+ dns_zone_detach(&st->m.zone);
+ st->m.rpz = rpz;
+ st->m.type = rpz_type;
+ st->m.prefix = prefix;
+ st->m.policy = rpz_policy;
+ st->m.ttl = ISC_MIN(ttl, rpz->max_policy_ttl);
+ st->m.result = result;
+ dns_name_copy(qname, st->qname, NULL);
+ if ((rpz_policy == DNS_RPZ_POLICY_RECORD ||
+ rpz_policy == DNS_RPZ_POLICY_WILDCNAME) &&
+ result != DNS_R_NXRRSET) {
+ dns_rdataset_clone(&zrdataset,st->m.rdataset);
+ dns_db_attachnode(db, node, &st->m.node);
+ }
+ dns_db_attach(db, &st->m.db);
+ st->m.version = version;
+ dns_zone_attach(zone, &st->m.zone);
+ if (dns_rdataset_isassociated(&zrdataset))
+ dns_rdataset_disassociate(&zrdataset);
+ }
+
+ RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_read);
+}
+#endif
+
static isc_result_t
cache_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
dns_rdatatype_t type, unsigned int options, isc_stdtime_t now,
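Review bot: In rpz_findips() the `continue` taken for `rpz->policy == DNS_RPZ_POLICY_DISABLED` skips the `dns_rdataset_disassociate(&zrdataset)` at the bottom of the loop, so when either dns_db_findrdataset() call succeeded the rdataset stays associated and the next iteration's dns_rdataset_init() overwrites it. That looks like a reference leak for every matching address on a disabled policy zone. Release it before continuing: `if (dns_rdataset_isassociated(&zrdataset)) dns_rdataset_disassociate(&zrdataset);`. Separately, `INSIST(rdata.length == 4)` and `INSIST(rdata.length == 16)` abort the process on a length mismatch; if callers outside this hunk can pass a non-IN rdataset, skipping the record with `continue` would be the safer response.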
@@ -5698,6 +6088,7 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
free_rdataset(rbtdb, rbtdb->common.mctx,
newheader);
newheader = (rdatasetheader_t *)merged;
+ init_rdataset(rbtdb, newheader);
if (loading && RESIGN(newheader) &&
RESIGN(header) &&
header->resign < newheader->resign)
@@ -6035,6 +6426,7 @@ addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
rdatasetheader_t *header;
isc_result_t result;
isc_boolean_t delegating;
+ isc_boolean_t newnsec;
isc_boolean_t tree_locked = ISC_FALSE;
isc_boolean_t cache_is_overmem = ISC_FALSE;
@@ -6042,10 +6434,10 @@ addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
INSIST(rbtversion == NULL || rbtversion->rbtdb == rbtdb);
if (rbtdb->common.methods == &zone_methods)
- REQUIRE(((rbtnode->nsec3 &&
+ REQUIRE(((rbtnode->nsec == DNS_RBT_NSEC_NSEC3 &&
(rdataset->type == dns_rdatatype_nsec3 ||
rdataset->covers == dns_rdatatype_nsec3)) ||
- (!rbtnode->nsec3 &&
+ (rbtnode->nsec != DNS_RBT_NSEC_NSEC3 &&
rdataset->type != dns_rdatatype_nsec3 &&
rdataset->covers != dns_rdatatype_nsec3)));
@@ -6121,14 +6513,23 @@ addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
delegating = ISC_FALSE;
/*
- * If we're adding a delegation type or the DB is a cache in an overmem
- * state, hold an exclusive lock on the tree. In the latter case
- * the lock does not necessarily have to be acquired but it will help
- * purge stale entries more effectively.
+ * Add to the auxiliary NSEC tree if we're adding an NSEC record.
+ */
+ if (rbtnode->nsec != DNS_RBT_NSEC_HAS_NSEC &&
+ rdataset->type == dns_rdatatype_nsec)
+ newnsec = ISC_TRUE;
+ else
+ newnsec = ISC_FALSE;
+
+ /*
+ * If we're adding a delegation type, adding to the auxiliary NSEC tree,
+ * or the DB is a cache in an overmem state, hold an exclusive lock on
+ * the tree. In the latter case the lock does not necessarily have to
+ * be acquired but it will help purge stale entries more effectively.
*/
if (IS_CACHE(rbtdb) && isc_mem_isovermem(rbtdb->common.mctx))
cache_is_overmem = ISC_TRUE;
- if (delegating || cache_is_overmem) {
+ if (delegating || newnsec || cache_is_overmem) {
tree_locked = ISC_TRUE;
RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_write);
}
@@ -6157,14 +6558,35 @@ addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
* cleaning, we can release it now. However, we still need the
* node lock.
*/
- if (tree_locked && !delegating) {
+ if (tree_locked && !delegating && !newnsec) {
RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_write);
tree_locked = ISC_FALSE;
}
}
- result = add(rbtdb, rbtnode, rbtversion, newheader, options, ISC_FALSE,
- addedrdataset, now);
+ result = ISC_R_SUCCESS;
+ if (newnsec) {
+ dns_fixedname_t fname;
+ dns_name_t *name;
+ dns_rbtnode_t *nsecnode;
+
+ dns_fixedname_init(&fname);
+ name = dns_fixedname_name(&fname);
+ dns_rbt_fullnamefromnode(rbtnode, name);
+ nsecnode = NULL;
+ result = dns_rbt_addnode(rbtdb->nsec, name, &nsecnode);
+ if (result == ISC_R_SUCCESS) {
+ nsecnode->nsec = DNS_RBT_NSEC_NSEC;
+ rbtnode->nsec = DNS_RBT_NSEC_HAS_NSEC;
+ } else if (result == ISC_R_EXISTS) {
+ rbtnode->nsec = DNS_RBT_NSEC_HAS_NSEC;
+ result = ISC_R_SUCCESS;
+ }
+ }
+
+ if (result == ISC_R_SUCCESS)
+ result = add(rbtdb, rbtnode, rbtversion, newheader, options,
+ ISC_FALSE, addedrdataset, now);
if (result == ISC_R_SUCCESS && delegating)
rbtnode->find_callback = 1;
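Review bot: When dns_rbt_addnode() on `rbtdb->nsec` fails with anything other than ISC_R_EXISTS, add() is skipped and `newheader` is not released in the lines shown. If add() is what normally takes ownership of `newheader` (its allocation is outside this hunk, so this is inferred), the error path leaks it. A matching release in an `else` branch of the final `if (result == ISC_R_SUCCESS)` would close that, for example `free_rdataset(rbtdb, rbtdb->common.mctx, newheader);` as add() itself does. The rest of addrdataset() is outside the hunk.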
@@ -6202,10 +6624,10 @@ subtractrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
REQUIRE(rbtversion != NULL && rbtversion->rbtdb == rbtdb);
if (rbtdb->common.methods == &zone_methods)
- REQUIRE(((rbtnode->nsec3 &&
+ REQUIRE(((rbtnode->nsec == DNS_RBT_NSEC_NSEC3 &&
(rdataset->type == dns_rdatatype_nsec3 ||
rdataset->covers == dns_rdatatype_nsec3)) ||
- (!rbtnode->nsec3 &&
+ (rbtnode->nsec != DNS_RBT_NSEC_NSEC3 &&
rdataset->type != dns_rdatatype_nsec3 &&
rdataset->covers != dns_rdatatype_nsec3)));
@@ -6425,6 +6847,78 @@ deleterdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
return (result);
}
+/*
+ * load a non-NSEC3 node in the main tree and optionally to the auxiliary NSEC
+ */
+static isc_result_t
+loadnode(dns_rbtdb_t *rbtdb, dns_name_t *name, dns_rbtnode_t **nodep,
+ isc_boolean_t hasnsec)
+{
+ isc_result_t noderesult, nsecresult;
+ dns_rbtnode_t *nsecnode;
+
+ noderesult = dns_rbt_addnode(rbtdb->tree, name, nodep);
+
+#ifdef BIND9
+ if (noderesult == ISC_R_SUCCESS)
+ dns_rpz_cidr_addip(rbtdb->rpz_cidr, name);
+#endif
+
+ if (!hasnsec)
+ return (noderesult);
+ if (noderesult == ISC_R_EXISTS) {
+ /*
+ * Add a node to the auxiliary NSEC tree for an old node
+ * just now getting an NSEC record.
+ */
+ if ((*nodep)->nsec == DNS_RBT_NSEC_HAS_NSEC)
+ return (noderesult);
+ } else if (noderesult != ISC_R_SUCCESS) {
+ return (noderesult);
+ }
+
+ /*
+ * Build the auxiliary tree for NSECs as we go.
+ * This tree speeds searches for closest NSECs that would otherwise
+ * need to examine many irrelevant nodes in large TLDs.
+ *
+ * Add nodes to the auxiliary tree after corresponding nodes have
+ * been added to the main tree.
+ */
+ nsecnode = NULL;
+ nsecresult = dns_rbt_addnode(rbtdb->nsec, name, &nsecnode);
+ if (nsecresult == ISC_R_SUCCESS) {
+ nsecnode->nsec = DNS_RBT_NSEC_NSEC;
+ (*nodep)->nsec = DNS_RBT_NSEC_HAS_NSEC;
+ return (noderesult);
+ }
+
+ if (nsecresult == ISC_R_EXISTS) {
+#if 1 /* 0 */
+ isc_log_write(dns_lctx,
+ DNS_LOGCATEGORY_DATABASE,
+ DNS_LOGMODULE_CACHE,
+ ISC_LOG_WARNING,
+ "addnode: NSEC node already exists");
+#endif
+ (*nodep)->nsec = DNS_RBT_NSEC_HAS_NSEC;
+ return (noderesult);
+ }
+
+ nsecresult = dns_rbt_deletenode(rbtdb->tree, *nodep, ISC_FALSE);
+ if (nsecresult != ISC_R_SUCCESS)
+ isc_log_write(dns_lctx,
+ DNS_LOGCATEGORY_DATABASE,
+ DNS_LOGMODULE_CACHE,
+ ISC_LOG_WARNING,
+ "loading_addrdataset: "
+ "dns_rbt_deletenode: %s after "
+ "dns_rbt_addnode(NSEC): %s",
+ isc_result_totext(nsecresult),
+ isc_result_totext(noderesult));
+ return (noderesult);
+}
+
static isc_result_t
loading_addrdataset(void *arg, dns_name_t *name, dns_rdataset_t *rdataset) {
rbtdb_load_t *loadctx = arg;
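Review bot: loadnode() returns `noderesult` on its last path, which at that point can only be ISC_R_SUCCESS or ISC_R_EXISTS, even though adding the auxiliary NSEC node failed and the main-tree node has just been removed with dns_rbt_deletenode(). The caller, loading_addrdataset(), accepts both values and goes on using `*nodep`, which would then refer to a deleted node; in the ISC_R_EXISTS case the deleted node is one that existed before this call. The warning also prints `noderesult` where the text says `dns_rbt_addnode(NSEC)`, because `nsecresult` was overwritten by the delete result. I would delete only a node this call created, keep the two results apart, and return the NSEC failure.

```c
	/* … unchanged: ISC_R_SUCCESS and ISC_R_EXISTS handling of nsecresult … */

	if (noderesult == ISC_R_SUCCESS) {
		isc_result_t delresult;

		/* Undo only the main-tree node created by this call. */
		delresult = dns_rbt_deletenode(rbtdb->tree, *nodep, ISC_FALSE);
		if (delresult != ISC_R_SUCCESS)
			isc_log_write(dns_lctx,
				      DNS_LOGCATEGORY_DATABASE,
				      DNS_LOGMODULE_CACHE,
				      ISC_LOG_WARNING,
				      "loadnode: dns_rbt_deletenode: %s after "
				      "dns_rbt_addnode(NSEC): %s",
				      isc_result_totext(delresult),
				      isc_result_totext(nsecresult));
		*nodep = NULL;
	}
	/* Report the auxiliary-tree failure, not the main-tree result. */
	return (nsecresult);
```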
@@ -6473,15 +6967,15 @@ loading_addrdataset(void *arg, dns_name_t *name, dns_rdataset_t *rdataset) {
rdataset->covers == dns_rdatatype_nsec3) {
result = dns_rbt_addnode(rbtdb->nsec3, name, &node);
if (result == ISC_R_SUCCESS)
- node->nsec3 = 1;
+ node->nsec = DNS_RBT_NSEC_NSEC3;
+ } else if (rdataset->type == dns_rdatatype_nsec) {
+ result = loadnode(rbtdb, name, &node, ISC_TRUE);
} else {
- result = dns_rbt_addnode(rbtdb->tree, name, &node);
- if (result == ISC_R_SUCCESS)
- node->nsec3 = 0;
+ result = loadnode(rbtdb, name, &node, ISC_FALSE);
}
if (result != ISC_R_SUCCESS && result != ISC_R_EXISTS)
return (result);
- if (result != ISC_R_EXISTS) {
+ if (result == ISC_R_SUCCESS) {
dns_name_t foundname;
dns_name_init(&foundname, NULL);
dns_rbt_namefromnode(node, &foundname);
@@ -6602,14 +7096,24 @@ static isc_result_t
dump(dns_db_t *db, dns_dbversion_t *version, const char *filename,
dns_masterformat_t masterformat) {
dns_rbtdb_t *rbtdb;
+ rbtdb_version_t *rbtversion = version;
rbtdb = (dns_rbtdb_t *)db;
REQUIRE(VALID_RBTDB(rbtdb));
+ INSIST(rbtversion == NULL || rbtversion->rbtdb == rbtdb);
+#ifdef BIND9
return (dns_master_dump2(rbtdb->common.mctx, db, version,
&dns_master_style_default,
filename, masterformat));
+#else
+ UNUSED(version);
+ UNUSED(filename);
+ UNUSED(masterformat);
+
+ return (ISC_R_NOTIMPLEMENTED);
+#endif /* BIND9 */
}
static void
@@ -6791,7 +7295,7 @@ setsigningtime(dns_db_t *db, dns_rdataset_t *rdataset, isc_stdtime_t resign) {
} else if (resign < oldresign)
isc_heap_increased(rbtdb->heaps[header->node->locknum],
header->heap_index);
- else
+ else if (resign > oldresign)
isc_heap_decreased(rbtdb->heaps[header->node->locknum],
header->heap_index);
} else if (resign && header->heap_index == 0) {
@@ -6941,7 +7445,14 @@ static dns_dbmethods_t zone_methods = {
getsigningtime,
resigned,
isdnssec,
+ NULL,
+#ifdef BIND9
+ get_rpz_enabled,
+ rpz_findips
+#else
+ NULL,
NULL
+#endif
};
static dns_dbmethods_t cache_methods = {
@@ -6980,7 +7491,9 @@ static dns_dbmethods_t cache_methods = {
NULL,
NULL,
isdnssec,
- getrrsetstats
+ getrrsetstats,
+ NULL,
+ NULL
};
isc_result_t
@@ -7156,12 +7669,36 @@ dns_rbtdb_create
return (result);
}
+ result = dns_rbt_create(mctx, delete_callback, rbtdb, &rbtdb->nsec);
+ if (result != ISC_R_SUCCESS) {
+ free_rbtdb(rbtdb, ISC_FALSE, NULL);
+ return (result);
+ }
+
result = dns_rbt_create(mctx, delete_callback, rbtdb, &rbtdb->nsec3);
if (result != ISC_R_SUCCESS) {
free_rbtdb(rbtdb, ISC_FALSE, NULL);
return (result);
}
+#ifdef BIND9
+ /*
+ * Get ready for response policy IP address searching if at least one
+ * zone has been configured as a response policy zone and this
+ * is not a cache zone.
+ * It would be better to know that this database is for a policy
+ * zone named for a view, but that would require knowledge from
+ * above such as an argv[] set from data in the zone.
+ */
+ if (type == dns_dbtype_zone && !dns_name_equal(origin, dns_rootname)) {
+ result = dns_rpz_new_cidr(mctx, origin, &rbtdb->rpz_cidr);
+ if (result != ISC_R_SUCCESS) {
+ free_rbtdb(rbtdb, ISC_FALSE, NULL);
+ return (result);
+ }
+ }
+#endif
+
/*
* In order to set the node callback bit correctly in zone databases,
* we need to know if the node has the origin name of the zone.
@@ -7186,7 +7723,7 @@ dns_rbtdb_create
free_rbtdb(rbtdb, ISC_FALSE, NULL);
return (result);
}
- rbtdb->origin_node->nsec3 = 0;
+ rbtdb->origin_node->nsec = DNS_RBT_NSEC_NORMAL;
/*
* We need to give the origin node the right locknum.
*/
@@ -7214,7 +7751,7 @@ dns_rbtdb_create
free_rbtdb(rbtdb, ISC_FALSE, NULL);
return (result);
}
- nsec3node->nsec3 = 1;
+ nsec3node->nsec = DNS_RBT_NSEC_NSEC3;
/*
* We need to give the nsec3 origin node the right locknum.
*/
@@ -8274,6 +8811,21 @@ rdataset_getadditional(dns_rdataset_t *rdataset, dns_rdatasetadditional_t type,
dns_name_t *fname, dns_message_t *msg,
isc_stdtime_t now)
{
+#ifndef BIND9
+ UNUSED(rdataset);
+ UNUSED(type);
+ UNUSED(qtype);
+ UNUSED(acache);
+ UNUSED(zonep);
+ UNUSED(dbp);
+ UNUSED(versionp);
+ UNUSED(nodep);
+ UNUSED(fname);
+ UNUSED(msg);
+ UNUSED(now);
+
+ return (ISC_R_NOTIMPLEMENTED);
+#else
dns_rbtdb_t *rbtdb = rdataset->private1;
dns_rbtnode_t *rbtnode = rdataset->private2;
unsigned char *raw = rdataset->private3; /* RDATASLAB */
@@ -8390,8 +8942,10 @@ acache_callback(dns_acacheentry_t *entry, void **arg) {
dns_db_detach((dns_db_t **)(void*)&rbtdb);
*arg = NULL;
+#endif /* BIND9 */
}
+#ifdef BIND9
static void
acache_cancelentry(isc_mem_t *mctx, dns_acacheentry_t *entry,
acache_cbarg_t **cbargp)
@@ -8412,6 +8966,7 @@ acache_cancelentry(isc_mem_t *mctx, dns_acacheentry_t *entry,
*cbargp = NULL;
}
+#endif /* BIND9 */
static isc_result_t
rdataset_setadditional(dns_rdataset_t *rdataset, dns_rdatasetadditional_t type,
@@ -8420,6 +8975,19 @@ rdataset_setadditional(dns_rdataset_t *rdataset, dns_rdatasetadditional_t type,
dns_dbversion_t *version, dns_dbnode_t *node,
dns_name_t *fname)
{
+#ifndef BIND9
+ UNUSED(rdataset);
+ UNUSED(type);
+ UNUSED(qtype);
+ UNUSED(acache);
+ UNUSED(zone);
+ UNUSED(db);
+ UNUSED(version);
+ UNUSED(node);
+ UNUSED(fname);
+
+ return (ISC_R_NOTIMPLEMENTED);
+#else
dns_rbtdb_t *rbtdb = rdataset->private1;
dns_rbtnode_t *rbtnode = rdataset->private2;
unsigned char *raw = rdataset->private3; /* RDATASLAB */
@@ -8543,12 +9111,21 @@ rdataset_setadditional(dns_rdataset_t *rdataset, dns_rdatasetadditional_t type,
}
return (result);
+#endif
}
static isc_result_t
rdataset_putadditional(dns_acache_t *acache, dns_rdataset_t *rdataset,
dns_rdatasetadditional_t type, dns_rdatatype_t qtype)
{
+#ifndef BIND9
+ UNUSED(acache);
+ UNUSED(rdataset);
+ UNUSED(type);
+ UNUSED(qtype);
+
+ return (ISC_R_NOTIMPLEMENTED);
+#else
dns_rbtdb_t *rbtdb = rdataset->private1;
dns_rbtnode_t *rbtnode = rdataset->private2;
unsigned char *raw = rdataset->private3; /* RDATASLAB */
@@ -8613,6 +9190,7 @@ rdataset_putadditional(dns_acache_t *acache, dns_rdataset_t *rdataset,
}
return (ISC_R_SUCCESS);
+#endif
}
/*%
diff --git a/contrib/bind9/lib/dns/rcode.c b/contrib/bind9/lib/dns/rcode.c
index 5d5a28da4336..0b7fe8c28051 100644
--- a/contrib/bind9/lib/dns/rcode.c
+++ b/contrib/bind9/lib/dns/rcode.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2008, 2010-2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1998-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -79,12 +79,17 @@
{ dns_tsigerror_badtrunc, "BADTRUNC", 0}, \
{ 0, NULL, 0 }
-/* RFC2538 section 2.1 */
+/* RFC4398 section 2.1 */
#define CERTNAMES \
{ 1, "PKIX", 0}, \
{ 2, "SPKI", 0}, \
{ 3, "PGP", 0}, \
+ { 4, "IPKIX", 0}, \
+ { 5, "ISPKI", 0}, \
+ { 6, "IPGP", 0}, \
+ { 7, "ACPKIX", 0}, \
+ { 8, "IACPKIX", 0}, \
{ 253, "URI", 0}, \
{ 254, "OID", 0}, \
{ 0, NULL, 0}
@@ -102,6 +107,9 @@
{ DNS_KEYALG_NSEC3RSASHA1, "NSEC3RSASHA1", 0 }, \
{ DNS_KEYALG_RSASHA256, "RSASHA256", 0 }, \
{ DNS_KEYALG_RSASHA512, "RSASHA512", 0 }, \
+ { DNS_KEYALG_ECCGOST, "ECCGOST", 0 }, \
+ { DNS_KEYALG_ECDSA256, "ECDSAP256SHA256", 0 }, \
+ { DNS_KEYALG_ECDSA384, "ECDSAP384SHA384", 0 }, \
{ DNS_KEYALG_INDIRECT, "INDIRECT", 0 }, \
{ DNS_KEYALG_PRIVATEDNS, "PRIVATEDNS", 0 }, \
{ DNS_KEYALG_PRIVATEOID, "PRIVATEOID", 0 }, \
@@ -313,6 +321,21 @@ dns_secalg_totext(dns_secalg_t secalg, isc_buffer_t *target) {
return (dns_mnemonic_totext(secalg, target, secalgs));
}
+void
+dns_secalg_format(dns_secalg_t alg, char *cp, unsigned int size) {
+ isc_buffer_t b;
+ isc_region_t r;
+ isc_result_t result;
+
+ REQUIRE(cp != NULL && size > 0);
+ isc_buffer_init(&b, cp, size - 1);
+ result = dns_secalg_totext(alg, &b);
+ isc_buffer_usedregion(&b, &r);
+ r.base[r.length] = 0;
+ if (result != ISC_R_SUCCESS)
+ r.base[0] = 0;
+}
+
isc_result_t
dns_secproto_fromtext(dns_secproto_t *secprotop, isc_textregion_t *source) {
unsigned int value;
diff --git a/contrib/bind9/lib/dns/rdata.c b/contrib/bind9/lib/dns/rdata.c
index 2577e6b29be2..60890e05583f 100644
--- a/contrib/bind9/lib/dns/rdata.c
+++ b/contrib/bind9/lib/dns/rdata.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2009, 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1998-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -38,6 +38,7 @@
#include <dns/enumtype.h>
#include <dns/keyflags.h>
#include <dns/keyvalues.h>
+#include <dns/message.h>
#include <dns/rcode.h>
#include <dns/rdata.h>
#include <dns/rdataclass.h>
@@ -279,23 +280,6 @@ dns_rdata_init(dns_rdata_t *rdata) {
/* ISC_LIST_INIT(rdata->list); */
}
-#if 1
-#define DNS_RDATA_INITIALIZED(rdata) \
- ((rdata)->data == NULL && (rdata)->length == 0 && \
- (rdata)->rdclass == 0 && (rdata)->type == 0 && (rdata)->flags == 0 && \
- !ISC_LINK_LINKED((rdata), link))
-#else
-#ifdef ISC_LIST_CHECKINIT
-#define DNS_RDATA_INITIALIZED(rdata) \
- (!ISC_LINK_LINKED((rdata), link))
-#else
-#define DNS_RDATA_INITIALIZED(rdata) ISC_TRUE
-#endif
-#endif
-
-#define DNS_RDATA_VALIDFLAGS(rdata) \
- (((rdata)->flags & ~(DNS_RDATA_UPDATE|DNS_RDATA_OFFLINE)) == 0)
-
void
dns_rdata_reset(dns_rdata_t *rdata) {
@@ -369,6 +353,37 @@ dns_rdata_compare(const dns_rdata_t *rdata1, const dns_rdata_t *rdata2) {
return (result);
}
+int
+dns_rdata_casecompare(const dns_rdata_t *rdata1, const dns_rdata_t *rdata2) {
+ int result = 0;
+ isc_boolean_t use_default = ISC_FALSE;
+
+ REQUIRE(rdata1 != NULL);
+ REQUIRE(rdata2 != NULL);
+ REQUIRE(rdata1->length == 0 || rdata1->data != NULL);
+ REQUIRE(rdata2->length == 0 || rdata2->data != NULL);
+ REQUIRE(DNS_RDATA_VALIDFLAGS(rdata1));
+ REQUIRE(DNS_RDATA_VALIDFLAGS(rdata2));
+
+ if (rdata1->rdclass != rdata2->rdclass)
+ return (rdata1->rdclass < rdata2->rdclass ? -1 : 1);
+
+ if (rdata1->type != rdata2->type)
+ return (rdata1->type < rdata2->type ? -1 : 1);
+
+ CASECOMPARESWITCH
+
+ if (use_default) {
+ isc_region_t r1;
+ isc_region_t r2;
+
+ dns_rdata_toregion(rdata1, &r1);
+ dns_rdata_toregion(rdata2, &r2);
+ result = isc_region_compare(&r1, &r2);
+ }
+ return (result);
+}
+
/***
*** Conversions
***/
@@ -1816,3 +1831,93 @@ dns_rdatatype_isknown(dns_rdatatype_t type) {
return (ISC_TRUE);
return (ISC_FALSE);
}
+
+void
+dns_rdata_exists(dns_rdata_t *rdata, dns_rdatatype_t type) {
+
+ REQUIRE(rdata != NULL);
+ REQUIRE(DNS_RDATA_INITIALIZED(rdata));
+
+ rdata->data = NULL;
+ rdata->length = 0;
+ rdata->flags = DNS_RDATA_UPDATE;
+ rdata->type = type;
+ rdata->rdclass = dns_rdataclass_any;
+}
+
+void
+dns_rdata_notexist(dns_rdata_t *rdata, dns_rdatatype_t type) {
+
+ REQUIRE(rdata != NULL);
+ REQUIRE(DNS_RDATA_INITIALIZED(rdata));
+
+ rdata->data = NULL;
+ rdata->length = 0;
+ rdata->flags = DNS_RDATA_UPDATE;
+ rdata->type = type;
+ rdata->rdclass = dns_rdataclass_none;
+}
+
+void
+dns_rdata_deleterrset(dns_rdata_t *rdata, dns_rdatatype_t type) {
+
+ REQUIRE(rdata != NULL);
+ REQUIRE(DNS_RDATA_INITIALIZED(rdata));
+
+ rdata->data = NULL;
+ rdata->length = 0;
+ rdata->flags = DNS_RDATA_UPDATE;
+ rdata->type = type;
+ rdata->rdclass = dns_rdataclass_any;
+}
+
+void
+dns_rdata_makedelete(dns_rdata_t *rdata) {
+ REQUIRE(rdata != NULL);
+
+ rdata->rdclass = dns_rdataclass_none;
+}
+
+const char *
+dns_rdata_updateop(dns_rdata_t *rdata, dns_section_t section) {
+
+ REQUIRE(rdata != NULL);
+ REQUIRE(DNS_RDATA_INITIALIZED(rdata));
+
+ switch (section) {
+ case DNS_SECTION_PREREQUISITE:
+ switch (rdata->rdclass) {
+ case dns_rdataclass_none:
+ switch (rdata->type) {
+ case dns_rdatatype_any:
+ return ("domain doesn't exist");
+ default:
+ return ("rrset doesn't exist");
+ }
+ case dns_rdataclass_any:
+ switch (rdata->type) {
+ case dns_rdatatype_any:
+ return ("domain exists");
+ default:
+ return ("rrset exists (value independent)");
+ }
+ default:
+ return ("rrset exists (value dependent)");
+ }
+ case DNS_SECTION_UPDATE:
+ switch (rdata->rdclass) {
+ case dns_rdataclass_none:
+ return ("delete");
+ case dns_rdataclass_any:
+ switch (rdata->type) {
+ case dns_rdatatype_any:
+ return ("delete all rrsets");
+ default:
+ return ("delete rrset");
+ }
+ default:
+ return ("add");
+ }
+ }
+ return ("invalid");
+}
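Review bot: dns_rdata_updateop() starts with `REQUIRE(DNS_RDATA_INITIALIZED(rdata))`, but the definition of that macro removed earlier in this file's diff (presumably moved to a header) is true only when `data`, `length`, `rdclass`, `type` and `flags` are all zero. With that definition every populated rdata from an update message trips the assertion, and an rdata that passes can only reach the `default` arms of the switches below. The check that fits a function inspecting an existing rdata is `REQUIRE(DNS_RDATA_VALIDFLAGS(rdata));`, as dns_rdata_casecompare() uses earlier in this file.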
diff --git a/contrib/bind9/lib/dns/rdata/any_255/tsig_250.c b/contrib/bind9/lib/dns/rdata/any_255/tsig_250.c
index 5addc4ab85de..338c5dd05eb0 100644
--- a/contrib/bind9/lib/dns/rdata/any_255/tsig_250.c
+++ b/contrib/bind9/lib/dns/rdata/any_255/tsig_250.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -594,4 +594,9 @@ checknames_any_tsig(ARGS_CHECKNAMES) {
return (ISC_TRUE);
}
+static inline int
+casecompare_any_tsig(ARGS_COMPARE) {
+ return (compare_any_tsig(rdata1, rdata2));
+}
+
#endif /* RDATA_ANY_255_TSIG_250_C */
diff --git a/contrib/bind9/lib/dns/rdata/ch_3/a_1.c b/contrib/bind9/lib/dns/rdata/ch_3/a_1.c
index c2ecbe95d772..e3f98106514d 100644
--- a/contrib/bind9/lib/dns/rdata/ch_3/a_1.c
+++ b/contrib/bind9/lib/dns/rdata/ch_3/a_1.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2005, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: a_1.c,v 1.8 2009/12/04 22:06:37 tbox Exp $ */
/* by Bjorn.Victor@it.uu.se, 2005-05-07 */
/* Based on generic/soa_6.c and generic/mx_15.c */
@@ -313,4 +313,8 @@ checknames_ch_a(ARGS_CHECKNAMES) {
return (ISC_TRUE);
}
+static inline int
+casecompare_ch_a(ARGS_COMPARE) {
+ return (compare_ch_a(rdata1, rdata2));
+}
#endif /* RDATA_CH_3_A_1_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/afsdb_18.c b/contrib/bind9/lib/dns/rdata/generic/afsdb_18.c
index cfedf9f3b537..279f86c677d7 100644
--- a/contrib/bind9/lib/dns/rdata/generic/afsdb_18.c
+++ b/contrib/bind9/lib/dns/rdata/generic/afsdb_18.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001, 2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: afsdb_18.c,v 1.49 2009/12/04 22:06:37 tbox Exp $ */
/* Reviewed: Wed Mar 15 14:59:00 PST 2000 by explorer */
@@ -306,4 +306,8 @@ checknames_afsdb(ARGS_CHECKNAMES) {
return (ISC_TRUE);
}
+static inline int
+casecompare_afsdb(ARGS_COMPARE) {
+ return (compare_afsdb(rdata1, rdata2));
+}
#endif /* RDATA_GENERIC_AFSDB_18_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/cert_37.c b/contrib/bind9/lib/dns/rdata/generic/cert_37.c
index 8902ad7744f5..2a447a67a268 100644
--- a/contrib/bind9/lib/dns/rdata/generic/cert_37.c
+++ b/contrib/bind9/lib/dns/rdata/generic/cert_37.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -276,5 +276,9 @@ checknames_cert(ARGS_CHECKNAMES) {
return (ISC_TRUE);
}
-#endif /* RDATA_GENERIC_CERT_37_C */
+static inline int
+casecompare_cert(ARGS_COMPARE) {
+ return (compare_cert(rdata1, rdata2));
+}
+#endif /* RDATA_GENERIC_CERT_37_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/cname_5.c b/contrib/bind9/lib/dns/rdata/generic/cname_5.c
index f4af8eeba5e0..45a48a897fc0 100644
--- a/contrib/bind9/lib/dns/rdata/generic/cname_5.c
+++ b/contrib/bind9/lib/dns/rdata/generic/cname_5.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1998-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: cname_5.c,v 1.49 2009/12/04 22:06:37 tbox Exp $ */
/* reviewed: Wed Mar 15 16:48:45 PST 2000 by brister */
@@ -229,4 +229,9 @@ checknames_cname(ARGS_CHECKNAMES) {
return (ISC_TRUE);
}
+static inline int
+casecompare_cname(ARGS_COMPARE) {
+ return (compare_cname(rdata1, rdata2));
+}
+
#endif /* RDATA_GENERIC_CNAME_5_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/dlv_32769.c b/contrib/bind9/lib/dns/rdata/generic/dlv_32769.c
index 0fccfd1ad46e..4dbcb1eed883 100644
--- a/contrib/bind9/lib/dns/rdata/generic/dlv_32769.c
+++ b/contrib/bind9/lib/dns/rdata/generic/dlv_32769.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2006, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006, 2007, 2009, 2010, 2012 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@@ -74,12 +74,23 @@ fromtext_dlv(ARGS_FROMTEXT) {
/*
* Digest.
*/
- if (c == DNS_DSDIGEST_SHA1)
+ switch (c) {
+ case DNS_DSDIGEST_SHA1:
length = ISC_SHA1_DIGESTLENGTH;
- else if (c == DNS_DSDIGEST_SHA256)
+ break;
+ case DNS_DSDIGEST_SHA256:
length = ISC_SHA256_DIGESTLENGTH;
- else
+ break;
+ case DNS_DSDIGEST_GOST:
+ length = ISC_GOST_DIGESTLENGTH;
+ break;
+ case DNS_DSDIGEST_SHA384:
+ length = ISC_SHA384_DIGESTLENGTH;
+ break;
+ default:
length = -1;
+ break;
+ }
return (isc_hex_tobuffer(lexer, target, -1));
}
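Review bot: The new switch in fromtext_dlv sets `length` for every digest type, but the unchanged return at the end of this hunk still passes `-1` to isc_hex_tobuffer, so the computed value is never used. A DLV digest whose size does not match its digest type is therefore not rejected when the record is parsed from text. The parallel hunk in ds_43.c passes `length`, and the same is presumably intended here: `return (isc_hex_tobuffer(lexer, target, length));`. fromtext_dlv begins outside the hunk.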
@@ -152,7 +163,11 @@ fromwire_dlv(ARGS_FROMWIRE) {
(sr.base[3] == DNS_DSDIGEST_SHA1 &&
sr.length < 4 + ISC_SHA1_DIGESTLENGTH) ||
(sr.base[3] == DNS_DSDIGEST_SHA256 &&
- sr.length < 4 + ISC_SHA256_DIGESTLENGTH))
+ sr.length < 4 + ISC_SHA256_DIGESTLENGTH) ||
+ (sr.base[3] == DNS_DSDIGEST_GOST &&
+ sr.length < 4 + ISC_GOST_DIGESTLENGTH) ||
+ (sr.base[3] == DNS_DSDIGEST_SHA384 &&
+ sr.length < 4 + ISC_SHA384_DIGESTLENGTH))
return (ISC_R_UNEXPECTEDEND);
/*
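Review bot: The digest-type-to-length mapping is now written out by hand in four places in this file: the switch in fromtext_dlv, this length check and the truncation that follows it in fromwire_dlv, and the REQUIREs in fromstruct_dlv. It is repeated again in ds_43.c, so a digest type added later has to be remembered at every site, and a missed one silently skips the length check for that type. A single lookup that returns the expected length for `sr.base[3]` (or zero for an unknown type) would let the check and the truncation share one table. The condition this hunk extends starts outside the hunk, so the guard on `sr.length` before `sr.base[3]` is read cannot be confirmed from here.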
@@ -164,6 +179,10 @@ fromwire_dlv(ARGS_FROMWIRE) {
sr.length = 4 + ISC_SHA1_DIGESTLENGTH;
else if (sr.base[3] == DNS_DSDIGEST_SHA256)
sr.length = 4 + ISC_SHA256_DIGESTLENGTH;
+ else if (sr.base[3] == DNS_DSDIGEST_GOST)
+ sr.length = 4 + ISC_GOST_DIGESTLENGTH;
+ else if (sr.base[3] == DNS_DSDIGEST_SHA384)
+ sr.length = 4 + ISC_SHA384_DIGESTLENGTH;
isc_buffer_forward(source, sr.length);
return (mem_tobuffer(target, sr.base, sr.length));
@@ -213,6 +232,12 @@ fromstruct_dlv(ARGS_FROMSTRUCT) {
case DNS_DSDIGEST_SHA256:
REQUIRE(dlv->length == ISC_SHA256_DIGESTLENGTH);
break;
+ case DNS_DSDIGEST_GOST:
+ REQUIRE(dlv->length == ISC_GOST_DIGESTLENGTH);
+ break;
+ case DNS_DSDIGEST_SHA384:
+ REQUIRE(dlv->length == ISC_SHA384_DIGESTLENGTH);
+ break;
}
UNUSED(type);
@@ -318,4 +343,9 @@ checknames_dlv(ARGS_CHECKNAMES) {
return (ISC_TRUE);
}
+static inline int
+casecompare_dlv(ARGS_COMPARE) {
+ return (compare_dlv(rdata1, rdata2));
+}
+
#endif /* RDATA_GENERIC_DLV_32769_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/dname_39.c b/contrib/bind9/lib/dns/rdata/generic/dname_39.c
index 21a31e6335aa..d899494f5368 100644
--- a/contrib/bind9/lib/dns/rdata/generic/dname_39.c
+++ b/contrib/bind9/lib/dns/rdata/generic/dname_39.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: dname_39.c,v 1.40 2009/12/04 22:06:37 tbox Exp $ */
/* Reviewed: Wed Mar 15 16:52:38 PST 2000 by explorer */
@@ -230,4 +230,8 @@ checknames_dname(ARGS_CHECKNAMES) {
return (ISC_TRUE);
}
+static inline int
+casecompare_dname(ARGS_COMPARE) {
+ return (compare_dname(rdata1, rdata2));
+}
#endif /* RDATA_GENERIC_DNAME_39_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/dnskey_48.c b/contrib/bind9/lib/dns/rdata/generic/dnskey_48.c
index 022f85ad0ce8..b7eeb34f2b02 100644
--- a/contrib/bind9/lib/dns/rdata/generic/dnskey_48.c
+++ b/contrib/bind9/lib/dns/rdata/generic/dnskey_48.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -76,6 +76,7 @@ totext_dnskey(ARGS_TOTEXT) {
char buf[sizeof("64000")];
unsigned int flags;
unsigned char algorithm;
+ char namebuf[DNS_NAME_FORMATSIZE];
REQUIRE(rdata->type == 48);
REQUIRE(rdata->length != 0);
@@ -105,6 +106,15 @@ totext_dnskey(ARGS_TOTEXT) {
if ((flags & 0xc000) == 0xc000)
return (ISC_R_SUCCESS);
+ if ((tctx->flags & DNS_STYLEFLAG_COMMENT) != 0 &&
+ algorithm == DNS_KEYALG_PRIVATEDNS) {
+ dns_name_t name;
+ dns_name_init(&name, NULL);
+ dns_name_fromregion(&name, &sr);
+ dns_name_format(&name, namebuf, sizeof(namebuf));
+ } else
+ namebuf[0] = 0;
+
/* key */
if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
RETERR(str_totext(" (", target));
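Review bot: The added block calls `dns_name_fromregion(&name, &sr)` on the key data without any check in this hunk that `sr` is non-empty or begins with a well-formed name. fromwire_dnskey in this commit validates that name with dns_name_fromwire, but the text and struct input paths are not visible here, so it is worth confirming that they enforce the same before a private-algorithm key can reach this formatter. At minimum the assumption should be stated above the call, for example `/* sr starts with the algorithm name, validated when the rdata was built */`. The same block is added to totext_key in key_25.c, and totext_dnskey starts and ends outside this hunk.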
@@ -127,12 +137,18 @@ totext_dnskey(ARGS_TOTEXT) {
dns_rdata_toregion(rdata, &tmpr);
sprintf(buf, "%u", dst_region_computeid(&tmpr, algorithm));
RETERR(str_totext(buf, target));
+ if (algorithm == DNS_KEYALG_PRIVATEDNS) {
+ RETERR(str_totext(tctx->linebreak, target));
+ RETERR(str_totext("; alg = ", target));
+ RETERR(str_totext(namebuf, target));
+ }
}
return (ISC_R_SUCCESS);
}
static inline isc_result_t
fromwire_dnskey(ARGS_FROMWIRE) {
+ unsigned char algorithm;
isc_region_t sr;
REQUIRE(type == 48);
@@ -146,6 +162,18 @@ fromwire_dnskey(ARGS_FROMWIRE) {
if (sr.length < 4)
return (ISC_R_UNEXPECTEDEND);
+ algorithm = sr.base[3];
+ RETERR(mem_tobuffer(target, sr.base, 4));
+ isc_region_consume(&sr, 4);
+ isc_buffer_forward(source, 4);
+
+ if (algorithm == DNS_KEYALG_PRIVATEDNS) {
+ dns_name_t name;
+ dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
+ dns_name_init(&name, NULL);
+ RETERR(dns_name_fromwire(&name, source, dctx, options, target));
+ }
+ isc_buffer_activeregion(source, &sr);
isc_buffer_forward(source, sr.length);
return (mem_tobuffer(target, sr.base, sr.length));
}
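Review bot: The added `isc_region_consume(&sr, 4);` has no effect on the result, because `sr` is not read again before `isc_buffer_activeregion(source, &sr)` refills it; the name parse in the private-algorithm branch works on `source`, not on `sr`. Dropping the line, or replacing it with a comment such as `/* sr is re-read from source below */`, makes it clear that `source` is the only cursor that matters here. The identical sequence is added to fromwire_key in key_25.c.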
@@ -309,4 +337,13 @@ checknames_dnskey(ARGS_CHECKNAMES) {
return (ISC_TRUE);
}
+static inline int
+casecompare_dnskey(ARGS_COMPARE) {
+
+ /*
+ * Treat ALG 253 (private DNS) subtype name case sensistively.
+ */
+ return (compare_dnskey(rdata1, rdata2));
+}
+
#endif /* RDATA_GENERIC_DNSKEY_48_C */
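Review bot: The comment in casecompare_dnskey misspells "sensitively" and describes the outcome without saying how the code achieves it. Since the body only delegates, something like `/* The ALG 253 (private DNS) subtype name is compared case sensitively, so the plain compare is reused. */` would tell the reader that the delegation is deliberate. compare_dnskey is not visible in this hunk, so that it is a bytewise comparison is assumed.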
diff --git a/contrib/bind9/lib/dns/rdata/generic/ds_43.c b/contrib/bind9/lib/dns/rdata/generic/ds_43.c
index 40b17092dd45..20bac85ccac0 100644
--- a/contrib/bind9/lib/dns/rdata/generic/ds_43.c
+++ b/contrib/bind9/lib/dns/rdata/generic/ds_43.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009, 2010, 2012 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -74,12 +74,23 @@ fromtext_ds(ARGS_FROMTEXT) {
/*
* Digest.
*/
- if (c == DNS_DSDIGEST_SHA1)
+ switch (c) {
+ case DNS_DSDIGEST_SHA1:
length = ISC_SHA1_DIGESTLENGTH;
- else if (c == DNS_DSDIGEST_SHA256)
+ break;
+ case DNS_DSDIGEST_SHA256:
length = ISC_SHA256_DIGESTLENGTH;
- else
+ break;
+ case DNS_DSDIGEST_GOST:
+ length = ISC_GOST_DIGESTLENGTH;
+ break;
+ case DNS_DSDIGEST_SHA384:
+ length = ISC_SHA384_DIGESTLENGTH;
+ break;
+ default:
length = -1;
+ break;
+ }
return (isc_hex_tobuffer(lexer, target, length));
}
@@ -152,7 +163,11 @@ fromwire_ds(ARGS_FROMWIRE) {
(sr.base[3] == DNS_DSDIGEST_SHA1 &&
sr.length < 4 + ISC_SHA1_DIGESTLENGTH) ||
(sr.base[3] == DNS_DSDIGEST_SHA256 &&
- sr.length < 4 + ISC_SHA256_DIGESTLENGTH))
+ sr.length < 4 + ISC_SHA256_DIGESTLENGTH) ||
+ (sr.base[3] == DNS_DSDIGEST_GOST &&
+ sr.length < 4 + ISC_GOST_DIGESTLENGTH) ||
+ (sr.base[3] == DNS_DSDIGEST_SHA384 &&
+ sr.length < 4 + ISC_SHA384_DIGESTLENGTH))
return (ISC_R_UNEXPECTEDEND);
/*
@@ -164,6 +179,10 @@ fromwire_ds(ARGS_FROMWIRE) {
sr.length = 4 + ISC_SHA1_DIGESTLENGTH;
else if (sr.base[3] == DNS_DSDIGEST_SHA256)
sr.length = 4 + ISC_SHA256_DIGESTLENGTH;
+ else if (sr.base[3] == DNS_DSDIGEST_GOST)
+ sr.length = 4 + ISC_GOST_DIGESTLENGTH;
+ else if (sr.base[3] == DNS_DSDIGEST_SHA384)
+ sr.length = 4 + ISC_SHA384_DIGESTLENGTH;
isc_buffer_forward(source, sr.length);
return (mem_tobuffer(target, sr.base, sr.length));
@@ -213,6 +232,12 @@ fromstruct_ds(ARGS_FROMSTRUCT) {
case DNS_DSDIGEST_SHA256:
REQUIRE(ds->length == ISC_SHA256_DIGESTLENGTH);
break;
+ case DNS_DSDIGEST_GOST:
+ REQUIRE(ds->length == ISC_GOST_DIGESTLENGTH);
+ break;
+ case DNS_DSDIGEST_SHA384:
+ REQUIRE(ds->length == ISC_SHA384_DIGESTLENGTH);
+ break;
}
UNUSED(type);
@@ -318,4 +343,9 @@ checknames_ds(ARGS_CHECKNAMES) {
return (ISC_TRUE);
}
+static inline int
+casecompare_ds(ARGS_COMPARE) {
+ return (compare_ds(rdata1, rdata2));
+}
+
#endif /* RDATA_GENERIC_DS_43_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/gpos_27.c b/contrib/bind9/lib/dns/rdata/generic/gpos_27.c
index 3960a2a6289b..ce71822b8237 100644
--- a/contrib/bind9/lib/dns/rdata/generic/gpos_27.c
+++ b/contrib/bind9/lib/dns/rdata/generic/gpos_27.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: gpos_27.c,v 1.43 2009/12/04 22:06:37 tbox Exp $ */
/* reviewed: Wed Mar 15 16:48:45 PST 2000 by brister */
@@ -249,4 +249,9 @@ checknames_gpos(ARGS_CHECKNAMES) {
return (ISC_TRUE);
}
+static inline int
+casecompare_gpos(ARGS_COMPARE) {
+ return (compare_gpos(rdata1, rdata2));
+}
+
#endif /* RDATA_GENERIC_GPOS_27_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/hinfo_13.c b/contrib/bind9/lib/dns/rdata/generic/hinfo_13.c
index 583d8c652703..10b4fec79dea 100644
--- a/contrib/bind9/lib/dns/rdata/generic/hinfo_13.c
+++ b/contrib/bind9/lib/dns/rdata/generic/hinfo_13.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1998-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: hinfo_13.c,v 1.46 2009/12/04 22:06:37 tbox Exp $ */
/*
* Reviewed: Wed Mar 15 16:47:10 PST 2000 by halley.
@@ -221,4 +221,8 @@ checknames_hinfo(ARGS_CHECKNAMES) {
return (ISC_TRUE);
}
+static inline int
+casecompare_hinfo(ARGS_COMPARE) {
+ return (compare_hinfo(rdata1, rdata2));
+}
#endif /* RDATA_GENERIC_HINFO_13_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/hip_55.c b/contrib/bind9/lib/dns/rdata/generic/hip_55.c
new file mode 100644
index 000000000000..5a5140f8ddd6
--- /dev/null
+++ b/contrib/bind9/lib/dns/rdata/generic/hip_55.c
@@ -0,0 +1,506 @@
+/*
+ * Copyright (C) 2009, 2011 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: hip_55.c,v 1.8 2011/01/13 04:59:26 tbox Exp $ */
+
+/* reviewed: TBC */
+
+/* RFC 5205 */
+
+#ifndef RDATA_GENERIC_HIP_5_C
+#define RDATA_GENERIC_HIP_5_C
+
+#define RRTYPE_HIP_ATTRIBUTES (0)
+
+static inline isc_result_t
+fromtext_hip(ARGS_FROMTEXT) {
+ isc_token_t token;
+ dns_name_t name;
+ isc_buffer_t buffer;
+ isc_buffer_t hit_len;
+ isc_buffer_t key_len;
+ unsigned char *start;
+ size_t len;
+
+ REQUIRE(type == 55);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+ UNUSED(callbacks);
+
+ /*
+ * Dummy HIT len.
+ */
+ hit_len = *target;
+ RETERR(uint8_tobuffer(0, target));
+
+ /*
+ * Algorithm.
+ */
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+ ISC_FALSE));
+ if (token.value.as_ulong > 0xffU)
+ RETTOK(ISC_R_RANGE);
+ RETERR(uint8_tobuffer(token.value.as_ulong, target));
+
+ /*
+ * Dummy KEY len.
+ */
+ key_len = *target;
+ RETERR(uint16_tobuffer(0, target));
+
+ /*
+ * HIT (base16).
+ */
+ start = isc_buffer_used(target);
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+ ISC_FALSE));
+ RETTOK(isc_hex_decodestring(DNS_AS_STR(token), target));
+
+ /*
+ * Fill in HIT len.
+ */
+ len = (unsigned char *)isc_buffer_used(target) - start;
+ if (len > 0xffU)
+ RETTOK(ISC_R_RANGE);
+ RETERR(uint8_tobuffer(len, &hit_len));
+
+ /*
+ * Public key (base64).
+ */
+ start = isc_buffer_used(target);
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+ ISC_FALSE));
+ RETTOK(isc_base64_decodestring(DNS_AS_STR(token), target));
+
+ /*
+ * Fill in KEY len.
+ */
+ len = (unsigned char *)isc_buffer_used(target) - start;
+ if (len > 0xffffU)
+ RETTOK(ISC_R_RANGE);
+ RETERR(uint16_tobuffer(len, &key_len));
+
+ /*
+ * Rendezvous Servers.
+ */
+ dns_name_init(&name, NULL);
+ do {
+ RETERR(isc_lex_getmastertoken(lexer, &token,
+ isc_tokentype_string,
+ ISC_TRUE));
+ if (token.type != isc_tokentype_string)
+ break;
+ buffer_fromregion(&buffer, &token.value.as_region);
+ origin = (origin != NULL) ? origin : dns_rootname;
+ RETTOK(dns_name_fromtext(&name, &buffer, origin, options,
+ target));
+ } while (1);
+
+ /*
+ * Let upper layer handle eol/eof.
+ */
+ isc_lex_ungettoken(lexer, &token);
+
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+totext_hip(ARGS_TOTEXT) {
+ isc_region_t region;
+ dns_name_t name;
+ size_t length, key_len, hit_len;
+ unsigned char algorithm;
+ char buf[sizeof("225 ")];
+
+ REQUIRE(rdata->type == 55);
+ REQUIRE(rdata->length != 0);
+
+ dns_rdata_toregion(rdata, &region);
+
+ hit_len = uint8_fromregion(&region);
+ isc_region_consume(&region, 1);
+
+ algorithm = uint8_fromregion(&region);
+ isc_region_consume(&region, 1);
+
+ key_len = uint16_fromregion(&region);
+ isc_region_consume(&region, 2);
+
+ if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
+ RETERR(str_totext("( ", target));
+
+ /*
+ * Algorithm
+ */
+ sprintf(buf, "%u ", algorithm);
+ RETERR(str_totext(buf, target));
+
+ /*
+ * HIT.
+ */
+ INSIST(hit_len < region.length);
+ length = region.length;
+ region.length = hit_len;
+ RETERR(isc_hex_totext(&region, 1, "", target));
+ region.length = length - hit_len;
+ RETERR(str_totext(tctx->linebreak, target));
+
+ /*
+ * Public KEY.
+ */
+ INSIST(key_len <= region.length);
+ length = region.length;
+ region.length = key_len;
+ RETERR(isc_base64_totext(&region, 1, "", target));
+ region.length = length - key_len;
+ RETERR(str_totext(tctx->linebreak, target));
+
+ /*
+ * Rendezvous Servers.
+ */
+ dns_name_init(&name, NULL);
+ while (region.length > 0) {
+ dns_name_fromregion(&name, &region);
+
+ RETERR(dns_name_totext(&name, ISC_FALSE, target));
+ isc_region_consume(&region, name.length);
+ if (region.length > 0)
+ RETERR(str_totext(tctx->linebreak, target));
+ }
+ if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
+ RETERR(str_totext(" )", target));
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+fromwire_hip(ARGS_FROMWIRE) {
+ isc_region_t region, rr;
+ dns_name_t name;
+ isc_uint8_t hit_len;
+ isc_uint16_t key_len;
+
+ REQUIRE(type == 55);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+
+ isc_buffer_activeregion(source, &region);
+ if (region.length < 4U)
+ RETERR(DNS_R_FORMERR);
+
+ rr = region;
+ hit_len = uint8_fromregion(&region);
+ if (hit_len == 0)
+ RETERR(DNS_R_FORMERR);
+ isc_region_consume(&region, 2); /* hit length + algorithm */
+ key_len = uint16_fromregion(&region);
+ if (key_len == 0)
+ RETERR(DNS_R_FORMERR);
+ isc_region_consume(&region, 2);
+ if (region.length < (unsigned) (hit_len + key_len))
+ RETERR(DNS_R_FORMERR);
+
+ RETERR(mem_tobuffer(target, rr.base, 4 + hit_len + key_len));
+ isc_buffer_forward(source, 4 + hit_len + key_len);
+
+ dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
+ while (isc_buffer_activelength(source) > 0) {
+ dns_name_init(&name, NULL);
+ RETERR(dns_name_fromwire(&name, source, dctx, options, target));
+ }
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+towire_hip(ARGS_TOWIRE) {
+ isc_region_t region;
+
+ REQUIRE(rdata->type == 55);
+ REQUIRE(rdata->length != 0);
+
+ UNUSED(cctx);
+
+ dns_rdata_toregion(rdata, &region);
+ return (mem_tobuffer(target, region.base, region.length));
+}
+
+static inline int
+compare_hip(ARGS_COMPARE) {
+ isc_region_t region1;
+ isc_region_t region2;
+
+ REQUIRE(rdata1->type == rdata2->type);
+ REQUIRE(rdata1->rdclass == rdata2->rdclass);
+ REQUIRE(rdata1->type == 55);
+ REQUIRE(rdata1->length != 0);
+ REQUIRE(rdata2->length != 0);
+
+ dns_rdata_toregion(rdata1, &region1);
+ dns_rdata_toregion(rdata2, &region2);
+ return (isc_region_compare(&region1, &region2));
+}
+
+static inline isc_result_t
+fromstruct_hip(ARGS_FROMSTRUCT) {
+ dns_rdata_hip_t *hip = source;
+ dns_rdata_hip_t myhip;
+ isc_result_t result;
+
+ REQUIRE(type == 55);
+ REQUIRE(source != NULL);
+ REQUIRE(hip->common.rdtype == type);
+ REQUIRE(hip->common.rdclass == rdclass);
+ REQUIRE(hip->hit_len > 0 && hip->hit != NULL);
+ REQUIRE(hip->key_len > 0 && hip->key != NULL);
+ REQUIRE((hip->servers == NULL && hip->servers_len == 0) ||
+ (hip->servers != NULL && hip->servers_len != 0));
+
+ UNUSED(type);
+ UNUSED(rdclass);
+
+ RETERR(uint8_tobuffer(hip->hit_len, target));
+ RETERR(uint8_tobuffer(hip->algorithm, target));
+ RETERR(uint16_tobuffer(hip->key_len, target));
+ RETERR(mem_tobuffer(target, hip->hit, hip->hit_len));
+ RETERR(mem_tobuffer(target, hip->key, hip->key_len));
+
+ myhip = *hip;
+ for (result = dns_rdata_hip_first(&myhip);
+ result == ISC_R_SUCCESS;
+ result = dns_rdata_hip_next(&myhip))
+ /* empty */;
+
+ return(mem_tobuffer(target, hip->servers, hip->servers_len));
+}
+
+static inline isc_result_t
+tostruct_hip(ARGS_TOSTRUCT) {
+ isc_region_t region;
+ dns_rdata_hip_t *hip = target;
+
+ REQUIRE(rdata->type == 55);
+ REQUIRE(target != NULL);
+ REQUIRE(rdata->length != 0);
+
+ hip->common.rdclass = rdata->rdclass;
+ hip->common.rdtype = rdata->type;
+ ISC_LINK_INIT(&hip->common, link);
+
+ dns_rdata_toregion(rdata, &region);
+
+ hip->hit_len = uint8_fromregion(&region);
+ isc_region_consume(&region, 1);
+
+ hip->algorithm = uint8_fromregion(&region);
+ isc_region_consume(&region, 1);
+
+ hip->key_len = uint16_fromregion(&region);
+ isc_region_consume(&region, 2);
+
+ hip->hit = hip->key = hip->servers = NULL;
+
+ hip->hit = mem_maybedup(mctx, region.base, hip->hit_len);
+ if (hip->hit == NULL)
+ goto cleanup;
+ isc_region_consume(&region, hip->hit_len);
+
+ hip->key = mem_maybedup(mctx, region.base, hip->key_len);
+ if (hip->key == NULL)
+ goto cleanup;
+ isc_region_consume(&region, hip->key_len);
+
+ hip->servers_len = region.length;
+ if (hip->servers_len != 0) {
+ hip->servers = mem_maybedup(mctx, region.base, region.length);
+ if (hip->servers == NULL)
+ goto cleanup;
+ }
+
+ hip->offset = hip->servers_len;
+ hip->mctx = mctx;
+ return (ISC_R_SUCCESS);
+
+ cleanup:
+ if (hip->hit != NULL)
+ isc_mem_free(mctx, hip->hit);
+ if (hip->key != NULL)
+ isc_mem_free(mctx, hip->key);
+ if (hip->servers != NULL)
+ isc_mem_free(mctx, hip->servers);
+ return (ISC_R_NOMEMORY);
+
+}
+
+static inline void
+freestruct_hip(ARGS_FREESTRUCT) {
+ dns_rdata_hip_t *hip = source;
+
+ REQUIRE(source != NULL);
+
+ if (hip->mctx == NULL)
+ return;
+
+ isc_mem_free(hip->mctx, hip->hit);
+ isc_mem_free(hip->mctx, hip->key);
+ if (hip->servers != NULL)
+ isc_mem_free(hip->mctx, hip->servers);
+ hip->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_hip(ARGS_ADDLDATA) {
+ UNUSED(rdata);
+ UNUSED(add);
+ UNUSED(arg);
+
+ REQUIRE(rdata->type == 55);
+
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_hip(ARGS_DIGEST) {
+ isc_region_t r;
+
+ REQUIRE(rdata->type == 55);
+
+ dns_rdata_toregion(rdata, &r);
+ return ((digest)(arg, &r));
+}
+
+static inline isc_boolean_t
+checkowner_hip(ARGS_CHECKOWNER) {
+
+ REQUIRE(type == 55);
+
+ UNUSED(name);
+ UNUSED(type);
+ UNUSED(rdclass);
+ UNUSED(wildcard);
+
+ return (ISC_TRUE);
+}
+
+static inline isc_boolean_t
+checknames_hip(ARGS_CHECKNAMES) {
+
+ REQUIRE(rdata->type == 55);
+
+ UNUSED(rdata);
+ UNUSED(owner);
+ UNUSED(bad);
+
+ return (ISC_TRUE);
+}
+
+isc_result_t
+dns_rdata_hip_first(dns_rdata_hip_t *hip) {
+ if (hip->servers_len == 0)
+ return (ISC_R_NOMORE);
+ hip->offset = 0;
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_rdata_hip_next(dns_rdata_hip_t *hip) {
+ isc_region_t region;
+ dns_name_t name;
+
+ if (hip->offset >= hip->servers_len)
+ return (ISC_R_NOMORE);
+
+ region.base = hip->servers + hip->offset;
+ region.length = hip->servers_len - hip->offset;
+ dns_name_init(&name, NULL);
+ dns_name_fromregion(&name, &region);
+ hip->offset += name.length;
+ INSIST(hip->offset <= hip->servers_len);
+ return (ISC_R_SUCCESS);
+}
+
+void
+dns_rdata_hip_current(dns_rdata_hip_t *hip, dns_name_t *name) {
+ isc_region_t region;
+
+ REQUIRE(hip->offset < hip->servers_len);
+
+ region.base = hip->servers + hip->offset;
+ region.length = hip->servers_len - hip->offset;
+ dns_name_fromregion(name, &region);
+
+ INSIST(name->length + hip->offset <= hip->servers_len);
+}
+
+static inline int
+casecompare_hip(ARGS_COMPARE) {
+ isc_region_t r1;
+ isc_region_t r2;
+ dns_name_t name1;
+ dns_name_t name2;
+ int order;
+ isc_uint8_t hit_len;
+ isc_uint16_t key_len;
+
+ REQUIRE(rdata1->type == rdata2->type);
+ REQUIRE(rdata1->rdclass == rdata2->rdclass);
+ REQUIRE(rdata1->type == 55);
+ REQUIRE(rdata1->length != 0);
+ REQUIRE(rdata2->length != 0);
+
+ dns_rdata_toregion(rdata1, &r1);
+ dns_rdata_toregion(rdata2, &r2);
+
+ INSIST(r1.length > 4);
+ INSIST(r2.length > 4);
+ r1.length = 4;
+ r2.length = 4;
+ order = isc_region_compare(&r1, &r2);
+ if (order != 0)
+ return (order);
+
+ hit_len = uint8_fromregion(&r1);
+ isc_region_consume(&r1, 2); /* hit length + algorithm */
+ key_len = uint16_fromregion(&r1);
+
+ dns_rdata_toregion(rdata1, &r1);
+ dns_rdata_toregion(rdata2, &r2);
+ isc_region_consume(&r1, 4);
+ isc_region_consume(&r2, 4);
+ INSIST(r1.length >= (unsigned) (hit_len + key_len));
+ INSIST(r2.length >= (unsigned) (hit_len + key_len));
+ order = isc_region_compare(&r1, &r2);
+ if (order != 0)
+ return (order);
+ isc_region_consume(&r1, hit_len + key_len);
+ isc_region_consume(&r2, hit_len + key_len);
+
+ dns_name_init(&name1, NULL);
+ dns_name_init(&name2, NULL);
+ while (r1.length != 0 && r2.length != 0) {
+ dns_name_fromregion(&name1, &r1);
+ dns_name_fromregion(&name2, &r2);
+ order = dns_name_rdatacompare(&name1, &name2);
+ if (order != 0)
+ return (order);
+
+ isc_region_consume(&r1, name_length(&name1));
+ isc_region_consume(&r2, name_length(&name2));
+ }
+ return (isc_region_compare(&r1, &r2));
+}
+
+#endif /* RDATA_GENERIC_HIP_5_C */
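Review bot: In casecompare_hip the second `isc_region_compare(&r1, &r2)` runs on everything after the 4-byte header, including the rendezvous server names, because the region lengths are never cut down to `hit_len + key_len`. Two records that differ only in the case of a server name therefore return non-zero from this bytewise compare, and the `dns_name_rdatacompare` loop below can only run when the regions are already identical. As written the function behaves like compare_hip. Limiting the regions to the HIT and key for that comparison and restoring the lengths afterwards gives the name loop something to decide.

```c
	unsigned int len1, len2;

	/* … unchanged: REQUIREs, header comparison, hit_len/key_len extraction … */

	INSIST(r1.length >= (unsigned) (hit_len + key_len));
	INSIST(r2.length >= (unsigned) (hit_len + key_len));
	/* Compare only HIT + key bytewise; the names are compared below. */
	len1 = r1.length;
	len2 = r2.length;
	r1.length = hit_len + key_len;
	r2.length = hit_len + key_len;
	order = isc_region_compare(&r1, &r2);
	if (order != 0)
		return (order);
	r1.length = len1;
	r2.length = len2;
	isc_region_consume(&r1, hit_len + key_len);
	isc_region_consume(&r2, hit_len + key_len);

	/* … unchanged: per-name dns_name_rdatacompare loop … */
```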
diff --git a/contrib/bind9/lib/dns/rdata/generic/hip_55.h b/contrib/bind9/lib/dns/rdata/generic/hip_55.h
new file mode 100644
index 000000000000..69f2eba88046
--- /dev/null
+++ b/contrib/bind9/lib/dns/rdata/generic/hip_55.h
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: hip_55.h,v 1.2 2009/02/26 06:09:19 marka Exp $ */
+
+#ifndef GENERIC_HIP_5_H
+#define GENERIC_HIP_5_H 1
+
+/* RFC 5205 */
+
+typedef struct dns_rdata_hip {
+ dns_rdatacommon_t common;
+ isc_mem_t * mctx;
+ unsigned char * hit;
+ unsigned char * key;
+ unsigned char * servers;
+ isc_uint8_t algorithm;
+ isc_uint8_t hit_len;
+ isc_uint16_t key_len;
+ isc_uint16_t servers_len;
+ /* Private */
+ isc_uint16_t offset;
+} dns_rdata_hip_t;
+
+isc_result_t
+dns_rdata_hip_first(dns_rdata_hip_t *);
+
+isc_result_t
+dns_rdata_hip_next(dns_rdata_hip_t *);
+
+void
+dns_rdata_hip_current(dns_rdata_hip_t *, dns_name_t *);
+
+#endif /* GENERIC_HIP_5_H */
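Review bot: The three iterator prototypes are declared without any description of their calling contract, which callers need because hip_55.c enforces it with assertions. dns_rdata_hip_current has `REQUIRE(hip->offset < hip->servers_len)`, and tostruct_hip leaves `offset` equal to `servers_len`, so calling it before a successful dns_rdata_hip_first aborts. A short comment above the prototypes should say that first() and next() return ISC_R_NOMORE when no server is left and that current() may only be called after one of them returned ISC_R_SUCCESS. It should also mark `offset` as iterator state that callers must not set.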
diff --git a/contrib/bind9/lib/dns/rdata/generic/ipseckey_45.c b/contrib/bind9/lib/dns/rdata/generic/ipseckey_45.c
index df11837e01df..7e65e655d290 100644
--- a/contrib/bind9/lib/dns/rdata/generic/ipseckey_45.c
+++ b/contrib/bind9/lib/dns/rdata/generic/ipseckey_45.c
@@ -456,4 +456,43 @@ checknames_ipseckey(ARGS_CHECKNAMES) {
return (ISC_TRUE);
}
+static inline int
+casecompare_ipseckey(ARGS_COMPARE) {
+ isc_region_t region1;
+ isc_region_t region2;
+ dns_name_t name1;
+ dns_name_t name2;
+ int order;
+
+ REQUIRE(rdata1->type == rdata2->type);
+ REQUIRE(rdata1->rdclass == rdata2->rdclass);
+ REQUIRE(rdata1->type == 45);
+ REQUIRE(rdata1->length >= 3);
+ REQUIRE(rdata2->length >= 3);
+
+ dns_rdata_toregion(rdata1, &region1);
+ dns_rdata_toregion(rdata2, &region2);
+
+ if (memcmp(region1.base, region2.base, 3) != 0 || region1.base[1] != 3)
+ return (isc_region_compare(&region1, &region2));
+
+ dns_name_init(&name1, NULL);
+ dns_name_init(&name2, NULL);
+
+ isc_region_consume(&region1, 3);
+ isc_region_consume(&region2, 3);
+
+ dns_name_fromregion(&name1, &region1);
+ dns_name_fromregion(&name2, &region2);
+
+ order = dns_name_rdatacompare(&name1, &name2);
+ if (order != 0)
+ return (order);
+
+ isc_region_consume(&region1, name_length(&name1));
+ isc_region_consume(&region2, name_length(&name2));
+
+ return (isc_region_compare(&region1, &region2));
+}
+
#endif /* RDATA_GENERIC_IPSECKEY_45_C */
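Review bot: The test `region1.base[1] != 3` in casecompare_ipseckey relies on an unexplained literal, and the three bytes covered by the `memcmp` are not named either. A comment such as `/* byte 1 is the gateway type; only type 3 (a domain name) needs the case-insensitive path */` would make clear why every other record falls back to the bytewise compare. The `REQUIRE`s only guarantee three bytes, so the name read after `isc_region_consume(&region1, 3)` depends on the rdata having been validated when it was built; that is not visible in this hunk.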
diff --git a/contrib/bind9/lib/dns/rdata/generic/isdn_20.c b/contrib/bind9/lib/dns/rdata/generic/isdn_20.c
index b3a763c45341..5aac73f3713f 100644
--- a/contrib/bind9/lib/dns/rdata/generic/isdn_20.c
+++ b/contrib/bind9/lib/dns/rdata/generic/isdn_20.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: isdn_20.c,v 1.40 2009/12/04 22:06:37 tbox Exp $ */
/* Reviewed: Wed Mar 15 16:53:11 PST 2000 by bwelling */
@@ -231,4 +231,9 @@ checknames_isdn(ARGS_CHECKNAMES) {
return (ISC_TRUE);
}
+static inline int
+casecompare_isdn(ARGS_COMPARE) {
+ return (compare_isdn(rdata1, rdata2));
+}
+
#endif /* RDATA_GENERIC_ISDN_20_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/key_25.c b/contrib/bind9/lib/dns/rdata/generic/key_25.c
index 5c2a5cfb6c7f..26ca9a9b82da 100644
--- a/contrib/bind9/lib/dns/rdata/generic/key_25.c
+++ b/contrib/bind9/lib/dns/rdata/generic/key_25.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -76,6 +76,7 @@ totext_key(ARGS_TOTEXT) {
char buf[sizeof("64000")];
unsigned int flags;
unsigned char algorithm;
+ char namebuf[DNS_NAME_FORMATSIZE];
REQUIRE(rdata->type == 25);
REQUIRE(rdata->length != 0);
@@ -105,6 +106,15 @@ totext_key(ARGS_TOTEXT) {
if ((flags & 0xc000) == 0xc000)
return (ISC_R_SUCCESS);
+ if ((tctx->flags & DNS_STYLEFLAG_COMMENT) != 0 &&
+ algorithm == DNS_KEYALG_PRIVATEDNS) {
+ dns_name_t name;
+ dns_name_init(&name, NULL);
+ dns_name_fromregion(&name, &sr);
+ dns_name_format(&name, namebuf, sizeof(namebuf));
+ } else
+ namebuf[0] = 0;
+
/* key */
if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
RETERR(str_totext(" (", target));
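Review bot: The new PRIVATEDNS branch calls `dns_name_fromregion(&name, &sr)` on whatever key bytes remain, and nothing in this hunk checks that `sr` is non-empty or starts with a well-formed name. The fromwire_key change later in this file validates wire input with dns_name_fromwire, but rdata built through the text or struct paths is not visibly checked, so a malformed private-algorithm key could presumably reach this formatter. Either validate the name on those paths as well, or state the dependency here with a comment such as `/* sr must start with a domain name validated when the rdata was created */`. totext_key begins and ends outside this hunk.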
@@ -127,12 +137,18 @@ totext_key(ARGS_TOTEXT) {
dns_rdata_toregion(rdata, &tmpr);
sprintf(buf, "%u", dst_region_computeid(&tmpr, algorithm));
RETERR(str_totext(buf, target));
+ if (algorithm == DNS_KEYALG_PRIVATEDNS) {
+ RETERR(str_totext(tctx->linebreak, target));
+ RETERR(str_totext("; alg = ", target));
+ RETERR(str_totext(namebuf, target));
+ }
}
return (ISC_R_SUCCESS);
}
static inline isc_result_t
fromwire_key(ARGS_FROMWIRE) {
+ unsigned char algorithm;
isc_region_t sr;
REQUIRE(type == 25);
@@ -146,6 +162,18 @@ fromwire_key(ARGS_FROMWIRE) {
if (sr.length < 4)
return (ISC_R_UNEXPECTEDEND);
+ algorithm = sr.base[3];
+ RETERR(mem_tobuffer(target, sr.base, 4));
+ isc_region_consume(&sr, 4);
+ isc_buffer_forward(source, 4);
+
+ if (algorithm == DNS_KEYALG_PRIVATEDNS) {
+ dns_name_t name;
+ dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
+ dns_name_init(&name, NULL);
+ RETERR(dns_name_fromwire(&name, source, dctx, options, target));
+ }
+ isc_buffer_activeregion(source, &sr);
isc_buffer_forward(source, sr.length);
return (mem_tobuffer(target, sr.base, sr.length));
}
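Review bot: The PRIVATEDNS check in fromwire_key ignores the flags, unlike totext_key in this file, which treats a key with the no-key bits set (`(flags & 0xc000) == 0xc000`) as a complete record. A no-key record whose algorithm byte is DNS_KEYALG_PRIVATEDNS therefore reaches dns_name_fromwire with nothing left to parse and would presumably be rejected. If that case should stay acceptable, skip the name parse when those bits are set, e.g. `if (algorithm == DNS_KEYALG_PRIVATEDNS && (sr.base[0] & 0xc0) != 0xc0)`, with the flag byte read before the region is consumed. Separately, `isc_region_consume(&sr, 4);` has no effect on the result because `sr` is reloaded from `source` before its next use. The start of fromwire_key is outside this hunk.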
@@ -309,4 +337,9 @@ checknames_key(ARGS_CHECKNAMES) {
return (ISC_TRUE);
}
+static inline int
+casecompare_key(ARGS_COMPARE) {
+ return (compare_key(rdata1, rdata2));
+}
+
#endif /* RDATA_GENERIC_KEY_25_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/keydata_65533.c b/contrib/bind9/lib/dns/rdata/generic/keydata_65533.c
new file mode 100644
index 000000000000..2592c30f6a08
--- /dev/null
+++ b/contrib/bind9/lib/dns/rdata/generic/keydata_65533.c
@@ -0,0 +1,377 @@
+/*
+ * Copyright (C) 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id$ */
+
+#ifndef GENERIC_KEYDATA_65533_C
+#define GENERIC_KEYDATA_65533_C 1
+
+#include <dst/dst.h>
+
+#define RRTYPE_KEYDATA_ATTRIBUTES (DNS_RDATATYPEATTR_DNSSEC)
+
+static inline isc_result_t
+fromtext_keydata(ARGS_FROMTEXT) {
+ isc_token_t token;
+ dns_secalg_t alg;
+ dns_secproto_t proto;
+ dns_keyflags_t flags;
+ isc_uint32_t refresh, addhd, removehd;
+
+ REQUIRE(type == 65533);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+ UNUSED(origin);
+ UNUSED(options);
+ UNUSED(callbacks);
+
+ /* refresh timer */
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+ ISC_FALSE));
+ RETTOK(dns_time32_fromtext(DNS_AS_STR(token), &refresh));
+ RETERR(uint32_tobuffer(refresh, target));
+
+ /* add hold-down */
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+ ISC_FALSE));
+ RETTOK(dns_time32_fromtext(DNS_AS_STR(token), &addhd));
+ RETERR(uint32_tobuffer(addhd, target));
+
+ /* remove hold-down */
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+ ISC_FALSE));
+ RETTOK(dns_time32_fromtext(DNS_AS_STR(token), &removehd));
+ RETERR(uint32_tobuffer(removehd, target));
+
+ /* flags */
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+ ISC_FALSE));
+ RETTOK(dns_keyflags_fromtext(&flags, &token.value.as_textregion));
+ RETERR(uint16_tobuffer(flags, target));
+
+ /* protocol */
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+ ISC_FALSE));
+ RETTOK(dns_secproto_fromtext(&proto, &token.value.as_textregion));
+ RETERR(mem_tobuffer(target, &proto, 1));
+
+ /* algorithm */
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+ ISC_FALSE));
+ RETTOK(dns_secalg_fromtext(&alg, &token.value.as_textregion));
+ RETERR(mem_tobuffer(target, &alg, 1));
+
+ /* No Key? */
+ if ((flags & 0xc000) == 0xc000)
+ return (ISC_R_SUCCESS);
+
+ return (isc_base64_tobuffer(lexer, target, -1));
+}
+
+static inline isc_result_t
+totext_keydata(ARGS_TOTEXT) {
+ isc_region_t sr;
+ char buf[sizeof("64000")];
+ unsigned int flags;
+ unsigned char algorithm;
+ unsigned long when;
+
+ REQUIRE(rdata->type == 65533);
+ REQUIRE(rdata->length != 0);
+
+ dns_rdata_toregion(rdata, &sr);
+
+ /* refresh timer */
+ when = uint32_fromregion(&sr);
+ isc_region_consume(&sr, 4);
+ RETERR(dns_time32_totext(when, target));
+ RETERR(str_totext(" ", target));
+
+ /* add hold-down */
+ when = uint32_fromregion(&sr);
+ isc_region_consume(&sr, 4);
+ RETERR(dns_time32_totext(when, target));
+ RETERR(str_totext(" ", target));
+
+ /* remove hold-down */
+ when = uint32_fromregion(&sr);
+ isc_region_consume(&sr, 4);
+ RETERR(dns_time32_totext(when, target));
+ RETERR(str_totext(" ", target));
+
+ /* flags */
+ flags = uint16_fromregion(&sr);
+ isc_region_consume(&sr, 2);
+ sprintf(buf, "%u", flags);
+ RETERR(str_totext(buf, target));
+ RETERR(str_totext(" ", target));
+
+ /* protocol */
+ sprintf(buf, "%u", sr.base[0]);
+ isc_region_consume(&sr, 1);
+ RETERR(str_totext(buf, target));
+ RETERR(str_totext(" ", target));
+
+ /* algorithm */
+ algorithm = sr.base[0];
+ sprintf(buf, "%u", algorithm);
+ isc_region_consume(&sr, 1);
+ RETERR(str_totext(buf, target));
+
+ /* No Key? */
+ if ((flags & 0xc000) == 0xc000)
+ return (ISC_R_SUCCESS);
+
+ /* key */
+ if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
+ RETERR(str_totext(" (", target));
+ RETERR(str_totext(tctx->linebreak, target));
+ RETERR(isc_base64_totext(&sr, tctx->width - 2,
+ tctx->linebreak, target));
+
+ if ((tctx->flags & DNS_STYLEFLAG_COMMENT) != 0)
+ RETERR(str_totext(tctx->linebreak, target));
+ else if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
+ RETERR(str_totext(" ", target));
+
+ if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
+ RETERR(str_totext(")", target));
+
+ if ((tctx->flags & DNS_STYLEFLAG_COMMENT) != 0) {
+ isc_region_t tmpr;
+
+ RETERR(str_totext(" ; key id = ", target));
+ dns_rdata_toregion(rdata, &tmpr);
+ /* Skip over refresh, addhd, and removehd */
+ isc_region_consume(&tmpr, 12);
+ sprintf(buf, "%u", dst_region_computeid(&tmpr, algorithm));
+ RETERR(str_totext(buf, target));
+ }
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+fromwire_keydata(ARGS_FROMWIRE) {
+ isc_region_t sr;
+
+ REQUIRE(type == 65533);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+ UNUSED(dctx);
+ UNUSED(options);
+
+ isc_buffer_activeregion(source, &sr);
+ if (sr.length < 4)
+ return (ISC_R_UNEXPECTEDEND);
+
+ isc_buffer_forward(source, sr.length);
+ return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static inline isc_result_t
+towire_keydata(ARGS_TOWIRE) {
+ isc_region_t sr;
+
+ REQUIRE(rdata->type == 65533);
+ REQUIRE(rdata->length != 0);
+
+ UNUSED(cctx);
+
+ dns_rdata_toregion(rdata, &sr);
+ return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static inline int
+compare_keydata(ARGS_COMPARE) {
+ isc_region_t r1;
+ isc_region_t r2;
+
+ REQUIRE(rdata1->type == rdata2->type);
+ REQUIRE(rdata1->rdclass == rdata2->rdclass);
+ REQUIRE(rdata1->type == 65533);
+ REQUIRE(rdata1->length != 0);
+ REQUIRE(rdata2->length != 0);
+
+ dns_rdata_toregion(rdata1, &r1);
+ dns_rdata_toregion(rdata2, &r2);
+ return (isc_region_compare(&r1, &r2));
+}
+
+static inline isc_result_t
+fromstruct_keydata(ARGS_FROMSTRUCT) {
+ dns_rdata_keydata_t *keydata = source;
+
+ REQUIRE(type == 65533);
+ REQUIRE(source != NULL);
+ REQUIRE(keydata->common.rdtype == type);
+ REQUIRE(keydata->common.rdclass == rdclass);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+
+ /* Refresh timer */
+ RETERR(uint32_tobuffer(keydata->refresh, target));
+
+ /* Add hold-down */
+ RETERR(uint32_tobuffer(keydata->addhd, target));
+
+ /* Remove hold-down */
+ RETERR(uint32_tobuffer(keydata->removehd, target));
+
+ /* Flags */
+ RETERR(uint16_tobuffer(keydata->flags, target));
+
+ /* Protocol */
+ RETERR(uint8_tobuffer(keydata->protocol, target));
+
+ /* Algorithm */
+ RETERR(uint8_tobuffer(keydata->algorithm, target));
+
+ /* Data */
+ return (mem_tobuffer(target, keydata->data, keydata->datalen));
+}
+
+static inline isc_result_t
+tostruct_keydata(ARGS_TOSTRUCT) {
+ dns_rdata_keydata_t *keydata = target;
+ isc_region_t sr;
+
+ REQUIRE(rdata->type == 65533);
+ REQUIRE(target != NULL);
+ REQUIRE(rdata->length != 0);
+
+ keydata->common.rdclass = rdata->rdclass;
+ keydata->common.rdtype = rdata->type;
+ ISC_LINK_INIT(&keydata->common, link);
+
+ dns_rdata_toregion(rdata, &sr);
+
+ /* Refresh timer */
+ if (sr.length < 4)
+ return (ISC_R_UNEXPECTEDEND);
+ keydata->refresh = uint32_fromregion(&sr);
+ isc_region_consume(&sr, 4);
+
+ /* Add hold-down */
+ if (sr.length < 4)
+ return (ISC_R_UNEXPECTEDEND);
+ keydata->addhd = uint32_fromregion(&sr);
+ isc_region_consume(&sr, 4);
+
+ /* Remove hold-down */
+ if (sr.length < 4)
+ return (ISC_R_UNEXPECTEDEND);
+ keydata->removehd = uint32_fromregion(&sr);
+ isc_region_consume(&sr, 4);
+
+ /* Flags */
+ if (sr.length < 2)
+ return (ISC_R_UNEXPECTEDEND);
+ keydata->flags = uint16_fromregion(&sr);
+ isc_region_consume(&sr, 2);
+
+ /* Protocol */
+ if (sr.length < 1)
+ return (ISC_R_UNEXPECTEDEND);
+ keydata->protocol = uint8_fromregion(&sr);
+ isc_region_consume(&sr, 1);
+
+ /* Algorithm */
+ if (sr.length < 1)
+ return (ISC_R_UNEXPECTEDEND);
+ keydata->algorithm = uint8_fromregion(&sr);
+ isc_region_consume(&sr, 1);
+
+ /* Data */
+ keydata->datalen = sr.length;
+ keydata->data = mem_maybedup(mctx, sr.base, keydata->datalen);
+ if (keydata->data == NULL)
+ return (ISC_R_NOMEMORY);
+
+ keydata->mctx = mctx;
+ return (ISC_R_SUCCESS);
+}
+
+static inline void
+freestruct_keydata(ARGS_FREESTRUCT) {
+ dns_rdata_keydata_t *keydata = (dns_rdata_keydata_t *) source;
+
+ REQUIRE(source != NULL);
+ REQUIRE(keydata->common.rdtype == 65533);
+
+ if (keydata->mctx == NULL)
+ return;
+
+ if (keydata->data != NULL)
+ isc_mem_free(keydata->mctx, keydata->data);
+ keydata->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_keydata(ARGS_ADDLDATA) {
+ REQUIRE(rdata->type == 65533);
+
+ UNUSED(rdata);
+ UNUSED(add);
+ UNUSED(arg);
+
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_keydata(ARGS_DIGEST) {
+ isc_region_t r;
+
+ REQUIRE(rdata->type == 65533);
+
+ dns_rdata_toregion(rdata, &r);
+
+ return ((digest)(arg, &r));
+}
+
+static inline isc_boolean_t
+checkowner_keydata(ARGS_CHECKOWNER) {
+
+ REQUIRE(type == 65533);
+
+ UNUSED(name);
+ UNUSED(type);
+ UNUSED(rdclass);
+ UNUSED(wildcard);
+
+ return (ISC_TRUE);
+}
+
+static inline isc_boolean_t
+checknames_keydata(ARGS_CHECKNAMES) {
+
+ REQUIRE(rdata->type == 65533);
+
+ UNUSED(rdata);
+ UNUSED(owner);
+ UNUSED(bad);
+
+ return (ISC_TRUE);
+}
+
+static inline int
+casecompare_keydata(ARGS_COMPARE) {
+ return (compare_keydata(rdata1, rdata2));
+}
+
+#endif /* GENERIC_KEYDATA_65533_C */
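Review bot: totext_keydata reads 16 bytes of fixed fields (three 32-bit timers, flags, protocol, algorithm) after checking only `rdata->length != 0`, and fromwire_keydata accepts any rdata of 4 bytes or more. A short KEYDATA record that passes fromwire would therefore over-consume its region when it is formatted. tostruct_keydata in the same file checks `sr.length` before every field, and the other two should agree with it. The smallest fix is to raise the wire minimum to the fixed header size, `if (sr.length < 16) return (ISC_R_UNEXPECTEDEND);`, or, if short records must remain storable, to make an equivalent length check at the top of totext_keydata before the first `uint32_fromregion`. The 12-byte `isc_region_consume(&tmpr, 12)` ahead of `dst_region_computeid` depends on the same invariant.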
diff --git a/contrib/bind9/lib/dns/rdata/generic/keydata_65533.h b/contrib/bind9/lib/dns/rdata/generic/keydata_65533.h
new file mode 100644
index 000000000000..8db827ecd399
--- /dev/null
+++ b/contrib/bind9/lib/dns/rdata/generic/keydata_65533.h
@@ -0,0 +1,35 @@
+/*
+ * Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef GENERIC_KEYDATA_65533_H
+#define GENERIC_KEYDATA_65533_H 1
+
+/* $Id: keydata_65533.h,v 1.2 2009/06/30 02:52:32 each Exp $ */
+
+typedef struct dns_rdata_keydata {
+ dns_rdatacommon_t common;
+ isc_mem_t * mctx;
+ isc_uint32_t refresh; /* Timer for refreshing data */
+ isc_uint32_t addhd; /* Hold-down timer for adding */
+ isc_uint32_t removehd; /* Hold-down timer for removing */
+ isc_uint16_t flags; /* Copy of DNSKEY_48 */
+ isc_uint8_t protocol;
+ isc_uint8_t algorithm;
+ isc_uint16_t datalen;
+ unsigned char * data;
+} dns_rdata_keydata_t;
+
+#endif /* GENERIC_KEYDATA_65533_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/loc_29.c b/contrib/bind9/lib/dns/rdata/generic/loc_29.c
index ac28c2467434..904dbb402a97 100644
--- a/contrib/bind9/lib/dns/rdata/generic/loc_29.c
+++ b/contrib/bind9/lib/dns/rdata/generic/loc_29.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2007, 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: loc_29.c,v 1.50 2009/12/04 21:09:33 marka Exp $ */
/* Reviewed: Wed Mar 15 18:13:09 PST 2000 by explorer */
@@ -796,4 +796,9 @@ checknames_loc(ARGS_CHECKNAMES) {
return (ISC_TRUE);
}
+static inline int
+casecompare_loc(ARGS_COMPARE) {
+ return (compare_loc(rdata1, rdata2));
+}
+
#endif /* RDATA_GENERIC_LOC_29_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/mb_7.c b/contrib/bind9/lib/dns/rdata/generic/mb_7.c
index 82ea7a5cbaa8..8e588fc7b8a5 100644
--- a/contrib/bind9/lib/dns/rdata/generic/mb_7.c
+++ b/contrib/bind9/lib/dns/rdata/generic/mb_7.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1998-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: mb_7.c,v 1.47 2009/12/04 22:06:37 tbox Exp $ */
/* Reviewed: Wed Mar 15 17:31:26 PST 2000 by bwelling */
@@ -231,4 +231,9 @@ checknames_mb(ARGS_CHECKNAMES) {
return (ISC_TRUE);
}
+static inline int
+casecompare_mb(ARGS_COMPARE) {
+ return (compare_mb(rdata1, rdata2));
+}
+
#endif /* RDATA_GENERIC_MB_7_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/md_3.c b/contrib/bind9/lib/dns/rdata/generic/md_3.c
index 86d64ea1b2ed..e00f1f6ca368 100644
--- a/contrib/bind9/lib/dns/rdata/generic/md_3.c
+++ b/contrib/bind9/lib/dns/rdata/generic/md_3.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1998-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: md_3.c,v 1.49 2009/12/04 22:06:37 tbox Exp $ */
/* Reviewed: Wed Mar 15 17:48:20 PST 2000 by bwelling */
@@ -233,4 +233,9 @@ checknames_md(ARGS_CHECKNAMES) {
return (ISC_TRUE);
}
+static inline int
+casecompare_md(ARGS_COMPARE) {
+ return (compare_md(rdata1, rdata2));
+}
+
#endif /* RDATA_GENERIC_MD_3_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/mf_4.c b/contrib/bind9/lib/dns/rdata/generic/mf_4.c
index 57899eaa423a..a85809aef223 100644
--- a/contrib/bind9/lib/dns/rdata/generic/mf_4.c
+++ b/contrib/bind9/lib/dns/rdata/generic/mf_4.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1998-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: mf_4.c,v 1.47 2009/12/04 22:06:37 tbox Exp $ */
/* reviewed: Wed Mar 15 17:47:33 PST 2000 by brister */
@@ -232,4 +232,9 @@ checknames_mf(ARGS_CHECKNAMES) {
return (ISC_TRUE);
}
+static inline int
+casecompare_mf(ARGS_COMPARE) {
+ return (compare_mf(rdata1, rdata2));
+}
+
#endif /* RDATA_GENERIC_MF_4_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/mg_8.c b/contrib/bind9/lib/dns/rdata/generic/mg_8.c
index a76c006037dc..d0af188e7373 100644
--- a/contrib/bind9/lib/dns/rdata/generic/mg_8.c
+++ b/contrib/bind9/lib/dns/rdata/generic/mg_8.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1998-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: mg_8.c,v 1.45 2009/12/04 22:06:37 tbox Exp $ */
/* reviewed: Wed Mar 15 17:49:21 PST 2000 by brister */
@@ -227,4 +227,9 @@ checknames_mg(ARGS_CHECKNAMES) {
return (ISC_TRUE);
}
+static inline int
+casecompare_mg(ARGS_COMPARE) {
+ return (compare_mg(rdata1, rdata2));
+}
+
#endif /* RDATA_GENERIC_MG_8_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/minfo_14.c b/contrib/bind9/lib/dns/rdata/generic/minfo_14.c
index 5260fc6c5eb2..9e2214c98aa3 100644
--- a/contrib/bind9/lib/dns/rdata/generic/minfo_14.c
+++ b/contrib/bind9/lib/dns/rdata/generic/minfo_14.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1998-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: minfo_14.c,v 1.47 2009/12/04 22:06:37 tbox Exp $ */
/* reviewed: Wed Mar 15 17:45:32 PST 2000 by brister */
@@ -321,4 +321,9 @@ checknames_minfo(ARGS_CHECKNAMES) {
return (ISC_TRUE);
}
+static inline int
+casecompare_minfo(ARGS_COMPARE) {
+ return (compare_minfo(rdata1, rdata2));
+}
+
#endif /* RDATA_GENERIC_MINFO_14_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/mr_9.c b/contrib/bind9/lib/dns/rdata/generic/mr_9.c
index 99d40738d3b4..590235d961bb 100644
--- a/contrib/bind9/lib/dns/rdata/generic/mr_9.c
+++ b/contrib/bind9/lib/dns/rdata/generic/mr_9.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1998-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: mr_9.c,v 1.44 2009/12/04 22:06:37 tbox Exp $ */
/* Reviewed: Wed Mar 15 21:30:35 EST 2000 by tale */
@@ -228,4 +228,9 @@ checknames_mr(ARGS_CHECKNAMES) {
return (ISC_TRUE);
}
+static inline int
+casecompare_mr(ARGS_COMPARE) {
+ return (compare_mr(rdata1, rdata2));
+}
+
#endif /* RDATA_GENERIC_MR_9_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/mx_15.c b/contrib/bind9/lib/dns/rdata/generic/mx_15.c
index 2f5608007fb8..fd09e92535f5 100644
--- a/contrib/bind9/lib/dns/rdata/generic/mx_15.c
+++ b/contrib/bind9/lib/dns/rdata/generic/mx_15.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1998-2001, 2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: mx_15.c,v 1.58 2009/12/04 22:06:37 tbox Exp $ */
/* reviewed: Wed Mar 15 18:05:46 PST 2000 by brister */
@@ -316,4 +316,9 @@ checknames_mx(ARGS_CHECKNAMES) {
return (ISC_TRUE);
}
+static inline int
+casecompare_mx(ARGS_COMPARE) {
+ return (compare_mx(rdata1, rdata2));
+}
+
#endif /* RDATA_GENERIC_MX_15_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/ns_2.c b/contrib/bind9/lib/dns/rdata/generic/ns_2.c
index 92780aa0f49d..5db81e7cb390 100644
--- a/contrib/bind9/lib/dns/rdata/generic/ns_2.c
+++ b/contrib/bind9/lib/dns/rdata/generic/ns_2.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1998-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: ns_2.c,v 1.48 2009/12/04 22:06:37 tbox Exp $ */
/* Reviewed: Wed Mar 15 18:15:00 PST 2000 by bwelling */
@@ -248,4 +248,9 @@ checknames_ns(ARGS_CHECKNAMES) {
return (ISC_TRUE);
}
+static inline int
+casecompare_ns(ARGS_COMPARE) {
+ return (compare_ns(rdata1, rdata2));
+}
+
#endif /* RDATA_GENERIC_NS_2_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/nsec3_50.c b/contrib/bind9/lib/dns/rdata/generic/nsec3_50.c
index 374b2bd3a4eb..96b2dc8f5feb 100644
--- a/contrib/bind9/lib/dns/rdata/generic/nsec3_50.c
+++ b/contrib/bind9/lib/dns/rdata/generic/nsec3_50.c
@@ -478,4 +478,9 @@ checknames_nsec3(ARGS_CHECKNAMES) {
return (ISC_TRUE);
}
+static inline int
+casecompare_nsec3(ARGS_COMPARE) {
+ return (compare_nsec3(rdata1, rdata2));
+}
+
#endif /* RDATA_GENERIC_NSEC3_50_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/nsec3param_51.c b/contrib/bind9/lib/dns/rdata/generic/nsec3param_51.c
index d7f1706fc4c8..379a46b53542 100644
--- a/contrib/bind9/lib/dns/rdata/generic/nsec3param_51.c
+++ b/contrib/bind9/lib/dns/rdata/generic/nsec3param_51.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2008, 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2008, 2009 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: nsec3param_51.c,v 1.7 2009/12/04 21:09:34 marka Exp $ */
/*
* Copyright (C) 2004 Nominet, Ltd.
@@ -311,4 +311,9 @@ checknames_nsec3param(ARGS_CHECKNAMES) {
return (ISC_TRUE);
}
+static inline int
+casecompare_nsec3param(ARGS_COMPARE) {
+ return (compare_nsec3param(rdata1, rdata2));
+}
+
#endif /* RDATA_GENERIC_NSEC3PARAM_51_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/nsec_47.c b/contrib/bind9/lib/dns/rdata/generic/nsec_47.c
index 62ea5d89f3a5..095f42eba899 100644
--- a/contrib/bind9/lib/dns/rdata/generic/nsec_47.c
+++ b/contrib/bind9/lib/dns/rdata/generic/nsec_47.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2007, 2008, 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2007-2009, 2011 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: nsec_47.c,v 1.15 2011/01/13 04:59:26 tbox Exp $ */
/* reviewed: Wed Mar 15 18:21:15 PST 2000 by brister */
@@ -361,4 +361,36 @@ checknames_nsec(ARGS_CHECKNAMES) {
return (ISC_TRUE);
}
+static inline int
+casecompare_nsec(ARGS_COMPARE) {
+ isc_region_t region1;
+ isc_region_t region2;
+ dns_name_t name1;
+ dns_name_t name2;
+ int order;
+
+ REQUIRE(rdata1->type == rdata2->type);
+ REQUIRE(rdata1->rdclass == rdata2->rdclass);
+ REQUIRE(rdata1->type == 47);
+ REQUIRE(rdata1->length != 0);
+ REQUIRE(rdata2->length != 0);
+
+ dns_name_init(&name1, NULL);
+ dns_name_init(&name2, NULL);
+
+ dns_rdata_toregion(rdata1, &region1);
+ dns_rdata_toregion(rdata2, &region2);
+
+ dns_name_fromregion(&name1, &region1);
+ dns_name_fromregion(&name2, &region2);
+
+ order = dns_name_rdatacompare(&name1, &name2);
+ if (order != 0)
+ return (order);
+
+ isc_region_consume(&region1, name_length(&name1));
+ isc_region_consume(&region2, name_length(&name2));
+
+ return (isc_region_compare(&region1, &region2));
+}
#endif /* RDATA_GENERIC_NSEC_47_C */
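Review bot: casecompare_nsec has no comment describing its two-stage ordering, and it relies on both rdata regions starting with a well-formed name, since `dns_name_fromregion` runs after only a `length != 0` check. A header comment such as `/* Compare the leading name with dns_name_rdatacompare(), then the remaining rdata bytewise. */` would make the contract explicit. It should also say that the rdata is expected to have been validated when it was created, because this function has no error return to report a malformed name.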
diff --git a/contrib/bind9/lib/dns/rdata/generic/null_10.c b/contrib/bind9/lib/dns/rdata/generic/null_10.c
index 7bbb458dd427..8ba86fbca9b7 100644
--- a/contrib/bind9/lib/dns/rdata/generic/null_10.c
+++ b/contrib/bind9/lib/dns/rdata/generic/null_10.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2007, 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2007, 2009, 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1998-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -185,4 +185,9 @@ checknames_null(ARGS_CHECKNAMES) {
return (ISC_TRUE);
}
+static inline int
+casecompare_null(ARGS_COMPARE) {
+ return (compare_null(rdata1, rdata2));
+}
+
#endif /* RDATA_GENERIC_NULL_10_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/nxt_30.c b/contrib/bind9/lib/dns/rdata/generic/nxt_30.c
index 1c5208cc2669..4d291a8e6f6e 100644
--- a/contrib/bind9/lib/dns/rdata/generic/nxt_30.c
+++ b/contrib/bind9/lib/dns/rdata/generic/nxt_30.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: nxt_30.c,v 1.65 2009/12/04 22:06:37 tbox Exp $ */
/* reviewed: Wed Mar 15 18:21:15 PST 2000 by brister */
@@ -326,4 +326,8 @@ checknames_nxt(ARGS_CHECKNAMES) {
return (ISC_TRUE);
}
+static inline int
+casecompare_nxt(ARGS_COMPARE) {
+ return (compare_nxt(rdata1, rdata2));
+}
#endif /* RDATA_GENERIC_NXT_30_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/opt_41.c b/contrib/bind9/lib/dns/rdata/generic/opt_41.c
index aa2e43922a99..fa349f1f5808 100644
--- a/contrib/bind9/lib/dns/rdata/generic/opt_41.c
+++ b/contrib/bind9/lib/dns/rdata/generic/opt_41.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1998-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -277,4 +277,9 @@ checknames_opt(ARGS_CHECKNAMES) {
return (ISC_TRUE);
}
+static inline int
+casecompare_opt(ARGS_COMPARE) {
+ return (compare_opt(rdata1, rdata2));
+}
+
#endif /* RDATA_GENERIC_OPT_41_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/proforma.c b/contrib/bind9/lib/dns/rdata/generic/proforma.c
index 4f09e9405694..d1a5ecd77cc2 100644
--- a/contrib/bind9/lib/dns/rdata/generic/proforma.c
+++ b/contrib/bind9/lib/dns/rdata/generic/proforma.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1998-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: proforma.c,v 1.38 2009/12/04 22:06:37 tbox Exp $ */
#ifndef RDATA_GENERIC_#_#_C
#define RDATA_GENERIC_#_#_C
@@ -170,4 +170,21 @@ checknames_#(ARGS_CHECKNAMES) {
return (ISC_TRUE);
}
+static inline int
+casecompare_#(ARGS_COMPARE) {
+ isc_region_t r1;
+ isc_region_t r2;
+
+ REQUIRE(rdata1->type == rdata2->type);
+ REQUIRE(rdata1->rdclass == rdata2->rdclass);
+ REQUIRE(rdata1->type == #);
+ REQUIRE(rdata1->rdclass == #);
+ REQUIRE(rdata1->length != 0); /* XXX */
+ REQUIRE(rdata2->length != 0); /* XXX */
+
+ dns_rdata_toregion(rdata1, &r1);
+ dns_rdata_toregion(rdata2, &r2);
+ return (isc_region_compare(&r1, &r2));
+}
+
#endif /* RDATA_GENERIC_#_#_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/ptr_12.c b/contrib/bind9/lib/dns/rdata/generic/ptr_12.c
index e80f9c894f39..a619f137a877 100644
--- a/contrib/bind9/lib/dns/rdata/generic/ptr_12.c
+++ b/contrib/bind9/lib/dns/rdata/generic/ptr_12.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1998-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: ptr_12.c,v 1.45 2009/12/04 22:06:37 tbox Exp $ */
/* Reviewed: Thu Mar 16 14:05:12 PST 2000 by explorer */
@@ -288,4 +288,8 @@ checknames_ptr(ARGS_CHECKNAMES) {
return (ISC_TRUE);
}
+static inline int
+casecompare_ptr(ARGS_COMPARE) {
+ return (compare_ptr(rdata1, rdata2));
+}
#endif /* RDATA_GENERIC_PTR_12_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/rp_17.c b/contrib/bind9/lib/dns/rdata/generic/rp_17.c
index c14cadf1f1db..3291f7bb55cd 100644
--- a/contrib/bind9/lib/dns/rdata/generic/rp_17.c
+++ b/contrib/bind9/lib/dns/rdata/generic/rp_17.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: rp_17.c,v 1.44 2009/12/04 22:06:37 tbox Exp $ */
/* RFC1183 */
@@ -311,4 +311,8 @@ checknames_rp(ARGS_CHECKNAMES) {
return (ISC_TRUE);
}
+static inline int
+casecompare_rp(ARGS_COMPARE) {
+ return (compare_rp(rdata1, rdata2));
+}
#endif /* RDATA_GENERIC_RP_17_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/rrsig_46.c b/contrib/bind9/lib/dns/rdata/generic/rrsig_46.c
index 5b761d85fee9..82dfce69d31e 100644
--- a/contrib/bind9/lib/dns/rdata/generic/rrsig_46.c
+++ b/contrib/bind9/lib/dns/rdata/generic/rrsig_46.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2007, 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009, 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -544,4 +544,47 @@ checknames_rrsig(ARGS_CHECKNAMES) {
return (ISC_TRUE);
}
+static inline int
+casecompare_rrsig(ARGS_COMPARE) {
+ isc_region_t r1;
+ isc_region_t r2;
+ dns_name_t name1;
+ dns_name_t name2;
+ int order;
+
+ REQUIRE(rdata1->type == rdata2->type);
+ REQUIRE(rdata1->rdclass == rdata2->rdclass);
+ REQUIRE(rdata1->type == 46);
+ REQUIRE(rdata1->length != 0);
+ REQUIRE(rdata2->length != 0);
+
+ dns_rdata_toregion(rdata1, &r1);
+ dns_rdata_toregion(rdata2, &r2);
+
+ INSIST(r1.length > 18);
+ INSIST(r2.length > 18);
+ r1.length = 18;
+ r2.length = 18;
+ order = isc_region_compare(&r1, &r2);
+ if (order != 0)
+ return (order);
+
+ dns_name_init(&name1, NULL);
+ dns_name_init(&name2, NULL);
+ dns_rdata_toregion(rdata1, &r1);
+ dns_rdata_toregion(rdata2, &r2);
+ isc_region_consume(&r1, 18);
+ isc_region_consume(&r2, 18);
+ dns_name_fromregion(&name1, &r1);
+ dns_name_fromregion(&name2, &r2);
+ order = dns_name_rdatacompare(&name1, &name2);
+ if (order != 0)
+ return (order);
+
+ isc_region_consume(&r1, name_length(&name1));
+ isc_region_consume(&r2, name_length(&name2));
+
+ return (isc_region_compare(&r1, &r2));
+}
+
#endif /* RDATA_GENERIC_RRSIG_46_C */
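Review bot: The literal 18 appears four times in casecompare_rrsig with no explanation of what it measures. It is the size of the fixed RRSIG fields that precede the signer name (type covered 2, algorithm 1, labels 1, original TTL 4, expiration 4, inception 4, key tag 2), so a comment above the first use such as `/* 18 octets of fixed fields precede the signer name */`, or a file-local constant, would make the offsets checkable. The `INSIST(r1.length > 18)` checks abort the process rather than return an error, so the function relies on callers passing only rdata that has already been validated when it was parsed; a short header comment should state that precondition.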
diff --git a/contrib/bind9/lib/dns/rdata/generic/rt_21.c b/contrib/bind9/lib/dns/rdata/generic/rt_21.c
index e631f2886993..8f71a2afc850 100644
--- a/contrib/bind9/lib/dns/rdata/generic/rt_21.c
+++ b/contrib/bind9/lib/dns/rdata/generic/rt_21.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001, 2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: rt_21.c,v 1.48 2009/12/04 22:06:37 tbox Exp $ */
/* reviewed: Thu Mar 16 15:02:31 PST 2000 by brister */
@@ -308,4 +308,9 @@ checknames_rt(ARGS_CHECKNAMES) {
return (ISC_TRUE);
}
+static inline int
+casecompare_rt(ARGS_COMPARE) {
+ return (compare_rt(rdata1, rdata2));
+}
+
#endif /* RDATA_GENERIC_RT_21_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/sig_24.c b/contrib/bind9/lib/dns/rdata/generic/sig_24.c
index e6cfa7af5280..3cdd17a06b8a 100644
--- a/contrib/bind9/lib/dns/rdata/generic/sig_24.c
+++ b/contrib/bind9/lib/dns/rdata/generic/sig_24.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -575,4 +575,8 @@ checknames_sig(ARGS_CHECKNAMES) {
return (ISC_TRUE);
}
+static inline int
+casecompare_sig(ARGS_COMPARE) {
+ return (compare_sig(rdata1, rdata2));
+}
#endif /* RDATA_GENERIC_SIG_24_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/soa_6.c b/contrib/bind9/lib/dns/rdata/generic/soa_6.c
index cdea9d4447b1..a86761035751 100644
--- a/contrib/bind9/lib/dns/rdata/generic/soa_6.c
+++ b/contrib/bind9/lib/dns/rdata/generic/soa_6.c
@@ -441,4 +441,9 @@ checknames_soa(ARGS_CHECKNAMES) {
return (ISC_TRUE);
}
+static inline int
+casecompare_soa(ARGS_COMPARE) {
+ return (compare_soa(rdata1, rdata2));
+}
+
#endif /* RDATA_GENERIC_SOA_6_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/spf_99.c b/contrib/bind9/lib/dns/rdata/generic/spf_99.c
index 92c6f57a73c1..492e315d4542 100644
--- a/contrib/bind9/lib/dns/rdata/generic/spf_99.c
+++ b/contrib/bind9/lib/dns/rdata/generic/spf_99.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1998-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: spf_99.c,v 1.6 2009/12/04 22:06:37 tbox Exp $ */
/* Reviewed: Thu Mar 16 15:40:00 PST 2000 by bwelling */
@@ -235,4 +235,8 @@ checknames_spf(ARGS_CHECKNAMES) {
return (ISC_TRUE);
}
+static inline int
+casecompare_spf(ARGS_COMPARE) {
+ return (compare_spf(rdata1, rdata2));
+}
#endif /* RDATA_GENERIC_SPF_99_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/sshfp_44.c b/contrib/bind9/lib/dns/rdata/generic/sshfp_44.c
index 5fc2a8471d93..c94c75c791ee 100644
--- a/contrib/bind9/lib/dns/rdata/generic/sshfp_44.c
+++ b/contrib/bind9/lib/dns/rdata/generic/sshfp_44.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2006, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006, 2007, 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -259,4 +259,9 @@ checknames_sshfp(ARGS_CHECKNAMES) {
return (ISC_TRUE);
}
+static inline int
+casecompare_sshfp(ARGS_COMPARE) {
+ return (compare_sshfp(rdata1, rdata2));
+}
+
#endif /* RDATA_GENERIC_SSHFP_44_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/tkey_249.c b/contrib/bind9/lib/dns/rdata/generic/tkey_249.c
index 618bb5c82322..3afee1308245 100644
--- a/contrib/bind9/lib/dns/rdata/generic/tkey_249.c
+++ b/contrib/bind9/lib/dns/rdata/generic/tkey_249.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2007, 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -552,4 +552,8 @@ checknames_tkey(ARGS_CHECKNAMES) {
return (ISC_TRUE);
}
+static inline isc_result_t
+casecompare_tkey(ARGS_COMPARE) {
+ return (compare_tkey(rdata1, rdata2));
+}
#endif /* RDATA_GENERIC_TKEY_249_C */
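Review bot: casecompare_tkey is declared `static inline isc_result_t`, while the other casecompare_* wrappers added in this commit (casecompare_sig, casecompare_soa, casecompare_sshfp and so on) return `int`; the same mismatch appears in casecompare_txt in txt_16.c. The value returned is an ordering from compare_tkey(), not a status code, and if isc_result_t is an unsigned type a negative ordering is converted to unsigned and back before the caller sees it. Both declarations should read `static inline int`.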
diff --git a/contrib/bind9/lib/dns/rdata/generic/tlsa_52.c b/contrib/bind9/lib/dns/rdata/generic/tlsa_52.c
index 194f846b1c62..11c6d7528f98 100644
--- a/contrib/bind9/lib/dns/rdata/generic/tlsa_52.c
+++ b/contrib/bind9/lib/dns/rdata/generic/tlsa_52.c
@@ -282,4 +282,9 @@ checknames_tlsa(ARGS_CHECKNAMES) {
return (ISC_TRUE);
}
+static inline int
+casecompare_tlsa(ARGS_COMPARE) {
+ return (compare_tlsa(rdata1, rdata2));
+}
+
#endif /* RDATA_GENERIC_TLSA_52_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/txt_16.c b/contrib/bind9/lib/dns/rdata/generic/txt_16.c
index a468b41d7e5b..c49864e670a8 100644
--- a/contrib/bind9/lib/dns/rdata/generic/txt_16.c
+++ b/contrib/bind9/lib/dns/rdata/generic/txt_16.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2007, 2008, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2007-2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1998-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: txt_16.c,v 1.47 2009/12/04 22:06:37 tbox Exp $ */
/* Reviewed: Thu Mar 16 15:40:00 PST 2000 by bwelling */
@@ -235,4 +235,9 @@ checknames_txt(ARGS_CHECKNAMES) {
return (ISC_TRUE);
}
+static inline isc_result_t
+casecompare_txt(ARGS_COMPARE) {
+ return (compare_txt(rdata1, rdata2));
+}
+
#endif /* RDATA_GENERIC_TXT_16_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/unspec_103.c b/contrib/bind9/lib/dns/rdata/generic/unspec_103.c
index 2cb70311fb61..c335c6751da7 100644
--- a/contrib/bind9/lib/dns/rdata/generic/unspec_103.c
+++ b/contrib/bind9/lib/dns/rdata/generic/unspec_103.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: unspec_103.c,v 1.37 2009/12/04 22:06:37 tbox Exp $ */
#ifndef RDATA_GENERIC_UNSPEC_103_C
#define RDATA_GENERIC_UNSPEC_103_C
@@ -186,4 +186,9 @@ checknames_unspec(ARGS_CHECKNAMES) {
return (ISC_TRUE);
}
+static inline int
+casecompare_unspec(ARGS_COMPARE) {
+ return (compare_unspec(rdata1, rdata2));
+}
+
#endif /* RDATA_GENERIC_UNSPEC_103_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/x25_19.c b/contrib/bind9/lib/dns/rdata/generic/x25_19.c
index 49ef2bd95daa..6867fecd86f8 100644
--- a/contrib/bind9/lib/dns/rdata/generic/x25_19.c
+++ b/contrib/bind9/lib/dns/rdata/generic/x25_19.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: x25_19.c,v 1.41 2009/12/04 22:06:37 tbox Exp $ */
/* Reviewed: Thu Mar 16 16:15:57 PST 2000 by bwelling */
@@ -216,4 +216,9 @@ checknames_x25(ARGS_CHECKNAMES) {
return (ISC_TRUE);
}
+static inline int
+casecompare_x25(ARGS_COMPARE) {
+ return (compare_x25(rdata1, rdata2));
+}
+
#endif /* RDATA_GENERIC_X25_19_C */
diff --git a/contrib/bind9/lib/dns/rdata/hs_4/a_1.c b/contrib/bind9/lib/dns/rdata/hs_4/a_1.c
index e8d2ef5fe6ec..50ae25d52b83 100644
--- a/contrib/bind9/lib/dns/rdata/hs_4/a_1.c
+++ b/contrib/bind9/lib/dns/rdata/hs_4/a_1.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: a_1.c,v 1.33 2009/12/04 22:06:37 tbox Exp $ */
/* reviewed: Thu Mar 16 15:58:36 PST 2000 by brister */
@@ -229,4 +229,9 @@ checknames_hs_a(ARGS_CHECKNAMES) {
return (ISC_TRUE);
}
+static inline int
+casecompare_hs_a(ARGS_COMPARE) {
+ return (compare_hs_a(rdata1, rdata2));
+}
+
#endif /* RDATA_HS_4_A_1_C */
diff --git a/contrib/bind9/lib/dns/rdata/in_1/a6_38.c b/contrib/bind9/lib/dns/rdata/in_1/a6_38.c
index 16a6a931a80f..8619f8a21363 100644
--- a/contrib/bind9/lib/dns/rdata/in_1/a6_38.c
+++ b/contrib/bind9/lib/dns/rdata/in_1/a6_38.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: a6_38.c,v 1.56 2009/12/04 22:06:37 tbox Exp $ */
/* RFC2874 */
@@ -458,4 +458,9 @@ checknames_in_a6(ARGS_CHECKNAMES) {
return (ISC_TRUE);
}
+static inline int
+casecompare_in_a6(ARGS_COMPARE) {
+ return (compare_in_a6(rdata1, rdata2));
+}
+
#endif /* RDATA_IN_1_A6_38_C */
diff --git a/contrib/bind9/lib/dns/rdata/in_1/a_1.c b/contrib/bind9/lib/dns/rdata/in_1/a_1.c
index 0f659744b50b..902932e02548 100644
--- a/contrib/bind9/lib/dns/rdata/in_1/a_1.c
+++ b/contrib/bind9/lib/dns/rdata/in_1/a_1.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1998-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: a_1.c,v 1.55 2009/12/04 22:06:37 tbox Exp $ */
/* Reviewed: Thu Mar 16 16:52:50 PST 2000 by bwelling */
@@ -233,4 +233,9 @@ checknames_in_a(ARGS_CHECKNAMES) {
return (ISC_TRUE);
}
+static inline int
+casecompare_in_a(ARGS_COMPARE) {
+ return (compare_in_a(rdata1, rdata2));
+}
+
#endif /* RDATA_IN_1_A_1_C */
diff --git a/contrib/bind9/lib/dns/rdata/in_1/aaaa_28.c b/contrib/bind9/lib/dns/rdata/in_1/aaaa_28.c
index 69f8c20bb765..5aa59b2ccc2c 100644
--- a/contrib/bind9/lib/dns/rdata/in_1/aaaa_28.c
+++ b/contrib/bind9/lib/dns/rdata/in_1/aaaa_28.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: aaaa_28.c,v 1.47 2009/12/04 22:06:37 tbox Exp $ */
/* Reviewed: Thu Mar 16 16:52:50 PST 2000 by bwelling */
@@ -230,4 +230,8 @@ checknames_in_aaaa(ARGS_CHECKNAMES) {
return (ISC_TRUE);
}
+static inline int
+casecompare_in_aaaa(ARGS_COMPARE) {
+ return (compare_in_aaaa(rdata1, rdata2));
+}
#endif /* RDATA_IN_1_AAAA_28_C */
diff --git a/contrib/bind9/lib/dns/rdata/in_1/apl_42.c b/contrib/bind9/lib/dns/rdata/in_1/apl_42.c
index 633ef495c042..eb927b9219e3 100644
--- a/contrib/bind9/lib/dns/rdata/in_1/apl_42.c
+++ b/contrib/bind9/lib/dns/rdata/in_1/apl_42.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2007, 2008, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007-2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: apl_42.c,v 1.16 2009/12/04 22:06:37 tbox Exp $ */
/* RFC3123 */
@@ -450,4 +450,9 @@ checknames_in_apl(ARGS_CHECKNAMES) {
return (ISC_TRUE);
}
+static inline int
+casecompare_in_apl(ARGS_COMPARE) {
+ return (compare_in_apl(rdata1, rdata2));
+}
+
#endif /* RDATA_IN_1_APL_42_C */
diff --git a/contrib/bind9/lib/dns/rdata/in_1/dhcid_49.c b/contrib/bind9/lib/dns/rdata/in_1/dhcid_49.c
index 6f549af71c3d..1ec75ecacfb5 100644
--- a/contrib/bind9/lib/dns/rdata/in_1/dhcid_49.c
+++ b/contrib/bind9/lib/dns/rdata/in_1/dhcid_49.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2006, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2006, 2007, 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@@ -226,4 +226,9 @@ checknames_in_dhcid(ARGS_CHECKNAMES) {
return (ISC_TRUE);
}
+static inline int
+casecompare_in_dhcid(ARGS_COMPARE) {
+ return (compare_in_dhcid(rdata1, rdata2));
+}
+
#endif /* RDATA_IN_1_DHCID_49_C */
diff --git a/contrib/bind9/lib/dns/rdata/in_1/kx_36.c b/contrib/bind9/lib/dns/rdata/in_1/kx_36.c
index 8b13ba8f0017..fbe3b71deaa0 100644
--- a/contrib/bind9/lib/dns/rdata/in_1/kx_36.c
+++ b/contrib/bind9/lib/dns/rdata/in_1/kx_36.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001, 2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: kx_36.c,v 1.47 2009/12/04 22:06:37 tbox Exp $ */
/* Reviewed: Thu Mar 16 17:24:54 PST 2000 by explorer */
@@ -285,4 +285,9 @@ checknames_in_kx(ARGS_CHECKNAMES) {
return (ISC_TRUE);
}
+static inline int
+casecompare_in_kx(ARGS_COMPARE) {
+ return (compare_in_kx(rdata1, rdata2));
+}
+
#endif /* RDATA_IN_1_KX_36_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/naptr_35.c b/contrib/bind9/lib/dns/rdata/in_1/naptr_35.c
index 32bcc1998b19..71ba31e2faed 100644
--- a/contrib/bind9/lib/dns/rdata/generic/naptr_35.c
+++ b/contrib/bind9/lib/dns/rdata/in_1/naptr_35.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2007, 2008, 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007-2009, 2012 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001, 2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -21,18 +21,141 @@
/* RFC2915 */
-#ifndef RDATA_GENERIC_NAPTR_35_C
-#define RDATA_GENERIC_NAPTR_35_C
+#ifndef RDATA_IN_1_NAPTR_35_C
+#define RDATA_IN_1_NAPTR_35_C
#define RRTYPE_NAPTR_ATTRIBUTES (0)
+#ifdef HAVE_REGEX_H
+#include <regex.h>
+#endif
+/*
+ * Check the wire format of the Regexp field.
+ * Don't allow embeded NUL's.
+ */
static inline isc_result_t
-fromtext_naptr(ARGS_FROMTEXT) {
+txt_valid_regex(const unsigned char *txt) {
+#ifdef HAVE_REGEX_H
+ regex_t preg;
+ unsigned int regflags = REG_EXTENDED;
+ unsigned int nsub = 0;
+ char regex[256];
+ char *cp;
+#endif
+ isc_boolean_t flags = ISC_FALSE;
+ isc_boolean_t replace = ISC_FALSE;
+ unsigned char c;
+ unsigned char delim;
+ unsigned int len;
+
+ len = *txt++;
+ if (len == 0U)
+ return (ISC_R_SUCCESS);
+
+ delim = *txt++;
+ len--;
+
+ /*
+ * Digits, backslash and flags can't be delimiters.
+ */
+ switch (delim) {
+ case '0': case '1': case '2': case '3': case '4':
+ case '5': case '6': case '7': case '8': case '9':
+ case '\\': case 'i': case 0:
+ return (DNS_R_SYNTAX);
+ }
+
+#ifdef HAVE_REGEX_H
+ memset(&preg, 0, sizeof(preg));
+ cp = regex;
+#endif
+
+ while (len-- > 0) {
+ c = *txt++;
+ if (c == 0)
+ return (DNS_R_SYNTAX);
+ if (c == delim && !replace) {
+ replace = ISC_TRUE;
+ continue;
+ } else if (c == delim && !flags) {
+ flags = ISC_TRUE;
+ continue;
+ } else if (c == delim)
+ return (DNS_R_SYNTAX);
+ /*
+ * Flags are not escaped.
+ */
+ if (flags) {
+ switch (c) {
+ case 'i':
+#ifdef HAVE_REGEX_H
+ regflags |= REG_ICASE;
+#endif
+ continue;
+ default:
+ return (DNS_R_SYNTAX);
+ }
+ }
+#ifdef HAVE_REGEX_H
+ if (!replace)
+ *cp++ = c;
+#endif
+ if (c == '\\') {
+ if (len == 0)
+ return (DNS_R_SYNTAX);
+ c = *txt++;
+ if (c == 0)
+ return (DNS_R_SYNTAX);
+ len--;
+ if (replace)
+ switch (c) {
+ case '0': return (DNS_R_SYNTAX);
+#ifdef HAVE_REGEX_H
+ case '1': if (nsub < 1) nsub = 1; break;
+ case '2': if (nsub < 2) nsub = 2; break;
+ case '3': if (nsub < 3) nsub = 3; break;
+ case '4': if (nsub < 4) nsub = 4; break;
+ case '5': if (nsub < 5) nsub = 5; break;
+ case '6': if (nsub < 6) nsub = 6; break;
+ case '7': if (nsub < 7) nsub = 7; break;
+ case '8': if (nsub < 8) nsub = 8; break;
+ case '9': if (nsub < 9) nsub = 9; break;
+#endif
+ }
+#ifdef HAVE_REGEX_H
+ if (!replace)
+ *cp++ = c;
+#endif
+ }
+ }
+ if (!flags)
+ return (DNS_R_SYNTAX);
+#ifdef HAVE_REGEX_H
+ *cp = '\0';
+ if (regcomp(&preg, regex, regflags))
+ return (DNS_R_SYNTAX);
+ /*
+ * Check that substitutions in the replacement string are consistant
+ * with the regular expression.
+ */
+ if (preg.re_nsub < nsub) {
+ regfree(&preg);
+ return (DNS_R_SYNTAX);
+ }
+ regfree(&preg);
+#endif
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+fromtext_in_naptr(ARGS_FROMTEXT) {
isc_token_t token;
dns_name_t name;
isc_buffer_t buffer;
+ unsigned char *regex;
REQUIRE(type == 35);
+ REQUIRE(rdclass == 1);
UNUSED(type);
UNUSED(rdclass);
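Review bot: The copy into `char regex[256]` in txt_valid_regex has no explicit bound; it stays in range only because `len` comes from a single length octet (at most 255) and the delimiter is consumed before the loop, so at most 254 bytes plus the terminating NUL are written. That invariant deserves a comment at the declaration, for example `/* len <= 255 and one octet is the delimiter: at most 254 bytes + NUL */`, or an `INSIST(cp < regex + sizeof(regex) - 1);` ahead of each `*cp++ = c;` so that a later change to the length encoding fails loudly instead of overrunning the stack buffer. The function also trusts that `len` octets really follow `txt`, which holds only while callers pass a string just written by txt_fromtext() or txt_fromwire(); the header comment should say so. fromtext_in_naptr continues outside this hunk.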
@@ -73,9 +196,11 @@ fromtext_naptr(ARGS_FROMTEXT) {
/*
* Regexp.
*/
+ regex = isc_buffer_used(target);
RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_qstring,
ISC_FALSE));
RETTOK(txt_fromtext(&token.value.as_textregion, target));
+ RETTOK(txt_valid_regex(regex));
/*
* Replacement.
@@ -90,7 +215,7 @@ fromtext_naptr(ARGS_FROMTEXT) {
}
static inline isc_result_t
-totext_naptr(ARGS_TOTEXT) {
+totext_in_naptr(ARGS_TOTEXT) {
isc_region_t region;
dns_name_t name;
dns_name_t prefix;
@@ -99,6 +224,7 @@ totext_naptr(ARGS_TOTEXT) {
unsigned short num;
REQUIRE(rdata->type == 35);
+ REQUIRE(rdata->rdclass == 1);
REQUIRE(rdata->length != 0);
dns_name_init(&name, NULL);
@@ -151,11 +277,13 @@ totext_naptr(ARGS_TOTEXT) {
}
static inline isc_result_t
-fromwire_naptr(ARGS_FROMWIRE) {
+fromwire_in_naptr(ARGS_FROMWIRE) {
dns_name_t name;
isc_region_t sr;
+ unsigned char *regex;
REQUIRE(type == 35);
+ REQUIRE(rdclass == 1);
UNUSED(type);
UNUSED(rdclass);
@@ -186,7 +314,9 @@ fromwire_naptr(ARGS_FROMWIRE) {
/*
* Regexp.
*/
+ regex = isc_buffer_used(target);
RETERR(txt_fromwire(source, target));
+ RETERR(txt_valid_regex(regex));
/*
* Replacement.
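Review bot: The added `RETERR(txt_valid_regex(regex));` runs on the fromwire path, so whenever HAVE_REGEX_H is defined a regular expression taken from a received message is handed to the C library's `regcomp()`. The memory and CPU cost of compiling an arbitrary pattern is set by the libc implementation and is not bounded anywhere in this change, which makes parsing a record a possible resource-exhaustion point for the server. Consider limiting wire-side validation to the structural checks already in txt_valid_regex (delimiter, embedded NUL, flags, backreference digits) and keeping the `regcomp()` call for master-file input only, or making the compile step a build-time opt-in. Whether untrusted responses reach this function depends on callers outside the hunk.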
@@ -195,12 +325,13 @@ fromwire_naptr(ARGS_FROMWIRE) {
}
static inline isc_result_t
-towire_naptr(ARGS_TOWIRE) {
+towire_in_naptr(ARGS_TOWIRE) {
dns_name_t name;
dns_offsets_t offsets;
isc_region_t sr;
REQUIRE(rdata->type == 35);
+ REQUIRE(rdata->rdclass == 1);
REQUIRE(rdata->length != 0);
dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
@@ -238,7 +369,7 @@ towire_naptr(ARGS_TOWIRE) {
}
static inline int
-compare_naptr(ARGS_COMPARE) {
+compare_in_naptr(ARGS_COMPARE) {
dns_name_t name1;
dns_name_t name2;
isc_region_t region1;
@@ -248,6 +379,7 @@ compare_naptr(ARGS_COMPARE) {
REQUIRE(rdata1->type == rdata2->type);
REQUIRE(rdata1->rdclass == rdata2->rdclass);
REQUIRE(rdata1->type == 35);
+ REQUIRE(rdata1->rdclass == 1);
REQUIRE(rdata1->length != 0);
REQUIRE(rdata2->length != 0);
@@ -306,11 +438,12 @@ compare_naptr(ARGS_COMPARE) {
}
static inline isc_result_t
-fromstruct_naptr(ARGS_FROMSTRUCT) {
- dns_rdata_naptr_t *naptr = source;
+fromstruct_in_naptr(ARGS_FROMSTRUCT) {
+ dns_rdata_in_naptr_t *naptr = source;
isc_region_t region;
REQUIRE(type == 35);
+ REQUIRE(rdclass == 1);
REQUIRE(source != NULL);
REQUIRE(naptr->common.rdtype == type);
REQUIRE(naptr->common.rdclass == rdclass);
@@ -334,13 +467,14 @@ fromstruct_naptr(ARGS_FROMSTRUCT) {
}
static inline isc_result_t
-tostruct_naptr(ARGS_TOSTRUCT) {
- dns_rdata_naptr_t *naptr = target;
+tostruct_in_naptr(ARGS_TOSTRUCT) {
+ dns_rdata_in_naptr_t *naptr = target;
isc_region_t r;
isc_result_t result;
dns_name_t name;
REQUIRE(rdata->type == 35);
+ REQUIRE(rdata->rdclass == 1);
REQUIRE(target != NULL);
REQUIRE(rdata->length != 0);
@@ -404,10 +538,11 @@ tostruct_naptr(ARGS_TOSTRUCT) {
}
static inline void
-freestruct_naptr(ARGS_FREESTRUCT) {
- dns_rdata_naptr_t *naptr = source;
+freestruct_in_naptr(ARGS_FREESTRUCT) {
+ dns_rdata_in_naptr_t *naptr = source;
REQUIRE(source != NULL);
+ REQUIRE(naptr->common.rdclass == 1);
REQUIRE(naptr->common.rdtype == 35);
if (naptr->mctx == NULL)
@@ -424,7 +559,7 @@ freestruct_naptr(ARGS_FREESTRUCT) {
}
static inline isc_result_t
-additionaldata_naptr(ARGS_ADDLDATA) {
+additionaldata_in_naptr(ARGS_ADDLDATA) {
dns_name_t name;
dns_offsets_t offsets;
isc_region_t sr;
@@ -433,6 +568,7 @@ additionaldata_naptr(ARGS_ADDLDATA) {
char *cp;
REQUIRE(rdata->type == 35);
+ REQUIRE(rdata->rdclass == 1);
/*
* Order, preference.
@@ -481,13 +617,14 @@ additionaldata_naptr(ARGS_ADDLDATA) {
}
static inline isc_result_t
-digest_naptr(ARGS_DIGEST) {
+digest_in_naptr(ARGS_DIGEST) {
isc_region_t r1, r2;
unsigned int length, n;
isc_result_t result;
dns_name_t name;
REQUIRE(rdata->type == 35);
+ REQUIRE(rdata->rdclass == 1);
dns_rdata_toregion(rdata, &r1);
r2 = r1;
@@ -539,9 +676,10 @@ digest_naptr(ARGS_DIGEST) {
}
static inline isc_boolean_t
-checkowner_naptr(ARGS_CHECKOWNER) {
+checkowner_in_naptr(ARGS_CHECKOWNER) {
REQUIRE(type == 35);
+ REQUIRE(rdclass == 1);
UNUSED(name);
UNUSED(type);
@@ -552,9 +690,10 @@ checkowner_naptr(ARGS_CHECKOWNER) {
}
static inline isc_boolean_t
-checknames_naptr(ARGS_CHECKNAMES) {
+checknames_in_naptr(ARGS_CHECKNAMES) {
REQUIRE(rdata->type == 35);
+ REQUIRE(rdata->rdclass == 1);
UNUSED(rdata);
UNUSED(owner);
@@ -563,4 +702,9 @@ checknames_naptr(ARGS_CHECKNAMES) {
return (ISC_TRUE);
}
-#endif /* RDATA_GENERIC_NAPTR_35_C */
+static inline int
+casecompare_in_naptr(ARGS_COMPARE) {
+ return (compare_in_naptr(rdata1, rdata2));
+}
+
+#endif /* RDATA_IN_1_NAPTR_35_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/naptr_35.h b/contrib/bind9/lib/dns/rdata/in_1/naptr_35.h
index f88c52336f82..04e8d691a582 100644
--- a/contrib/bind9/lib/dns/rdata/generic/naptr_35.h
+++ b/contrib/bind9/lib/dns/rdata/in_1/naptr_35.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2007, 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,15 +15,15 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-#ifndef GENERIC_NAPTR_35_H
-#define GENERIC_NAPTR_35_H 1
+#ifndef IN_1_NAPTR_35_H
+#define IN_1_NAPTR_35_H 1
/* $Id$ */
/*!
* \brief Per RFC2915 */
-typedef struct dns_rdata_naptr {
+typedef struct dns_rdata_in_naptr {
dns_rdatacommon_t common;
isc_mem_t *mctx;
isc_uint16_t order;
@@ -35,6 +35,6 @@ typedef struct dns_rdata_naptr {
char *regexp;
isc_uint8_t regexp_len;
dns_name_t replacement;
-} dns_rdata_naptr_t;
+} dns_rdata_in_naptr_t;
-#endif /* GENERIC_NAPTR_35_H */
+#endif /* IN_1_NAPTR_35_H */
diff --git a/contrib/bind9/lib/dns/rdata/in_1/nsap-ptr_23.c b/contrib/bind9/lib/dns/rdata/in_1/nsap-ptr_23.c
index bc7c3d22e078..78df645a2a1f 100644
--- a/contrib/bind9/lib/dns/rdata/in_1/nsap-ptr_23.c
+++ b/contrib/bind9/lib/dns/rdata/in_1/nsap-ptr_23.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: nsap-ptr_23.c,v 1.40 2009/12/04 22:06:37 tbox Exp $ */
/* Reviewed: Fri Mar 17 10:16:02 PST 2000 by gson */
@@ -242,4 +242,9 @@ checknames_in_nsap_ptr(ARGS_CHECKNAMES) {
return (ISC_TRUE);
}
+static inline int
+casecompare_in_nsap_ptr(ARGS_COMPARE) {
+ return (compare_in_nsap_ptr(rdata1, rdata2));
+}
+
#endif /* RDATA_IN_1_NSAP_PTR_23_C */
diff --git a/contrib/bind9/lib/dns/rdata/in_1/nsap_22.c b/contrib/bind9/lib/dns/rdata/in_1/nsap_22.c
index f499bf99ca1a..d762fe1d5688 100644
--- a/contrib/bind9/lib/dns/rdata/in_1/nsap_22.c
+++ b/contrib/bind9/lib/dns/rdata/in_1/nsap_22.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: nsap_22.c,v 1.44 2009/12/04 22:06:37 tbox Exp $ */
/* Reviewed: Fri Mar 17 10:41:07 PST 2000 by gson */
@@ -252,4 +252,9 @@ checknames_in_nsap(ARGS_CHECKNAMES) {
return (ISC_TRUE);
}
+static inline int
+casecompare_in_nsap(ARGS_COMPARE) {
+ return (compare_in_nsap(rdata1, rdata2));
+}
+
#endif /* RDATA_IN_1_NSAP_22_C */
diff --git a/contrib/bind9/lib/dns/rdata/in_1/px_26.c b/contrib/bind9/lib/dns/rdata/in_1/px_26.c
index 0c26f5953ff3..a4111ad5bb76 100644
--- a/contrib/bind9/lib/dns/rdata/in_1/px_26.c
+++ b/contrib/bind9/lib/dns/rdata/in_1/px_26.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001, 2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: px_26.c,v 1.45 2009/12/04 22:06:37 tbox Exp $ */
/* Reviewed: Mon Mar 20 10:44:27 PST 2000 */
@@ -371,4 +371,9 @@ checknames_in_px(ARGS_CHECKNAMES) {
return (ISC_TRUE);
}
+static inline int
+casecompare_in_px(ARGS_COMPARE) {
+ return (compare_in_px(rdata1, rdata2));
+}
+
#endif /* RDATA_IN_1_PX_26_C */
diff --git a/contrib/bind9/lib/dns/rdata/in_1/srv_33.c b/contrib/bind9/lib/dns/rdata/in_1/srv_33.c
index 203aae5b063f..ea4f3edbcdef 100644
--- a/contrib/bind9/lib/dns/rdata/in_1/srv_33.c
+++ b/contrib/bind9/lib/dns/rdata/in_1/srv_33.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001, 2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: srv_33.c,v 1.47 2009/12/04 22:06:37 tbox Exp $ */
/* Reviewed: Fri Mar 17 13:01:00 PST 2000 by bwelling */
@@ -370,4 +370,9 @@ checknames_in_srv(ARGS_CHECKNAMES) {
return (ISC_TRUE);
}
+static inline int
+casecompare_in_srv(ARGS_COMPARE) {
+ return (compare_in_srv(rdata1, rdata2));
+}
+
#endif /* RDATA_IN_1_SRV_33_C */
diff --git a/contrib/bind9/lib/dns/rdata/in_1/wks_11.c b/contrib/bind9/lib/dns/rdata/in_1/wks_11.c
index 0804202da629..1da2611da9b5 100644
--- a/contrib/bind9/lib/dns/rdata/in_1/wks_11.c
+++ b/contrib/bind9/lib/dns/rdata/in_1/wks_11.c
@@ -375,4 +375,9 @@ checknames_in_wks(ARGS_CHECKNAMES) {
return (ISC_TRUE);
}
+static inline int
+casecompare_in_wks(ARGS_COMPARE) {
+ return (compare_in_wks(rdata1, rdata2));
+}
+
#endif /* RDATA_IN_1_WKS_11_C */
diff --git a/contrib/bind9/lib/dns/rdataset.c b/contrib/bind9/lib/dns/rdataset.c
index 8c865498ef37..026d771235cc 100644
--- a/contrib/bind9/lib/dns/rdataset.c
+++ b/contrib/bind9/lib/dns/rdataset.c
@@ -26,6 +26,7 @@
#include <isc/buffer.h>
#include <isc/mem.h>
#include <isc/random.h>
+#include <isc/serial.h>
#include <isc/util.h>
#include <dns/name.h>
@@ -772,3 +773,30 @@ dns_rdataset_expire(dns_rdataset_t *rdataset) {
if (rdataset->methods->expire != NULL)
(rdataset->methods->expire)(rdataset);
}
+
+void
+dns_rdataset_trimttl(dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset,
+ dns_rdata_rrsig_t *rrsig, isc_stdtime_t now,
+ isc_boolean_t acceptexpired)
+{
+ isc_uint32_t ttl = 0;
+
+ REQUIRE(DNS_RDATASET_VALID(rdataset));
+ REQUIRE(DNS_RDATASET_VALID(sigrdataset));
+ REQUIRE(rrsig != NULL);
+
+ /*
+ * If we accept expired RRsets keep them for no more than 120 seconds.
+ */
+ if (acceptexpired &&
+ (isc_serial_le(rrsig->timeexpire, ((now + 120) & 0xffffffff)) ||
+ isc_serial_le(rrsig->timeexpire, now)))
+ ttl = 120;
+ else if (isc_serial_ge(rrsig->timeexpire, now))
+ ttl = rrsig->timeexpire - now;
+
+ ttl = ISC_MIN(ISC_MIN(rdataset->ttl, sigrdataset->ttl),
+ ISC_MIN(rrsig->originalttl, ttl));
+ rdataset->ttl = ttl;
+ sigrdataset->ttl = ttl;
+}
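Review bot: dns_rdataset_trimttl is a new non-static function with no header comment, and the 120-second grace period is written as a bare literal in three places. A comment should state the contract visible in the body: both `rdataset->ttl` and `sigrdataset->ttl` are overwritten with the minimum of their current TTLs, `rrsig->originalttl` and the time left until `rrsig->timeexpire`, and when `acceptexpired` is false and the signature has already expired `ttl` stays 0 so both sets end up with TTL 0. Replacing the literal with one file-local constant keeps the comment ("no more than 120 seconds"), the `now + 120` comparison and the assigned TTL from drifting apart.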
diff --git a/contrib/bind9/lib/dns/rdataslab.c b/contrib/bind9/lib/dns/rdataslab.c
index bfb542d7cefb..cb9ae5425ef9 100644
--- a/contrib/bind9/lib/dns/rdataslab.c
+++ b/contrib/bind9/lib/dns/rdataslab.c
@@ -150,21 +150,25 @@ dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
nalloc = dns_rdataset_count(rdataset);
nitems = nalloc;
- if (nitems == 0)
+ if (nitems == 0 && rdataset->type != 0)
return (ISC_R_FAILURE);
if (nalloc > 0xffff)
return (ISC_R_NOSPACE);
- x = isc_mem_get(mctx, nalloc * sizeof(struct xrdata));
- if (x == NULL)
- return (ISC_R_NOMEMORY);
+
+ if (nalloc != 0) {
+ x = isc_mem_get(mctx, nalloc * sizeof(struct xrdata));
+ if (x == NULL)
+ return (ISC_R_NOMEMORY);
+ } else
+ x = NULL;
/*
* Save all of the rdata members into an array.
*/
result = dns_rdataset_first(rdataset);
- if (result != ISC_R_SUCCESS)
+ if (result != ISC_R_SUCCESS && result != ISC_R_NOMORE)
goto free_rdatas;
for (i = 0; i < nalloc && result == ISC_R_SUCCESS; i++) {
INSIST(result == ISC_R_SUCCESS);
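Review bot: The new `rdataset->type != 0` exception lets an empty rdataset through dns_rdataslab_fromrdataset with `nalloc == 0` and `x == NULL`, but nothing at the check says what a type-0 rdataset is or why it may legitimately be empty. A comment there should name the case that needs it. The later hunks guard `x[i-1]` and the `isc_mem_put()` at `free_rdatas`, but the function body between the hunks is not shown; any sort or duplicate-detection pass over `x` and any size computation there also has to tolerate a NULL array with a zero count, which is worth confirming before relying on this path.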
@@ -229,11 +233,14 @@ dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
/*
* Don't forget the last item!
*/
+ if (nalloc != 0) {
#if DNS_RDATASET_FIXED
- buflen += (8 + x[i-1].rdata.length);
+ buflen += (8 + x[i-1].rdata.length);
#else
- buflen += (2 + x[i-1].rdata.length);
+ buflen += (2 + x[i-1].rdata.length);
#endif
+ }
+
/*
* Provide space to store the per RR meta data.
*/
@@ -323,7 +330,8 @@ dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
result = ISC_R_SUCCESS;
free_rdatas:
- isc_mem_put(mctx, x, nalloc * sizeof(struct xrdata));
+ if (x != NULL)
+ isc_mem_put(mctx, x, nalloc * sizeof(struct xrdata));
return (result);
}
diff --git a/contrib/bind9/lib/dns/request.c b/contrib/bind9/lib/dns/request.c
index 2ff5b173a91d..58c0103f4c7e 100644
--- a/contrib/bind9/lib/dns/request.c
+++ b/contrib/bind9/lib/dns/request.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2009, 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -447,7 +447,8 @@ req_send(dns_request_t *request, isc_task_t *task, isc_sockaddr_t *address) {
}
static isc_result_t
-new_request(isc_mem_t *mctx, dns_request_t **requestp) {
+new_request(isc_mem_t *mctx, dns_request_t **requestp)
+{
dns_request_t *request;
request = isc_mem_get(mctx, sizeof(*request));
@@ -1056,6 +1057,9 @@ req_render(dns_message_t *message, isc_buffer_t **bufferp,
return (result);
cleanup_cctx = ISC_TRUE;
+ if ((options & DNS_REQUESTOPT_CASE) != 0)
+ dns_compress_setsensitive(&cctx, ISC_TRUE);
+
/*
* Render message.
*/
diff --git a/contrib/bind9/lib/dns/resolver.c b/contrib/bind9/lib/dns/resolver.c
index e56dbbd6b813..503f1d23b92f 100644
--- a/contrib/bind9/lib/dns/resolver.c
+++ b/contrib/bind9/lib/dns/resolver.c
@@ -105,6 +105,27 @@
#define QTRACE(m)
#endif
+#define US_PER_SEC 1000000U
+/*
+ * The maximum time we will wait for a single query.
+ */
+#define MAX_SINGLE_QUERY_TIMEOUT 9U
+#define MAX_SINGLE_QUERY_TIMEOUT_US (MAX_SINGLE_QUERY_TIMEOUT*US_PER_SEC)
+
+/*
+ * We need to allow a individual query time to complete / timeout.
+ */
+#define MINIMUM_QUERY_TIMEOUT (MAX_SINGLE_QUERY_TIMEOUT + 1U)
+
+/* The default time in seconds for the whole query to live. */
+#ifndef DEFAULT_QUERY_TIMEOUT
+#define DEFAULT_QUERY_TIMEOUT MINIMUM_QUERY_TIMEOUT
+#endif
+
+#ifndef MAXIMUM_QUERY_TIMEOUT
+#define MAXIMUM_QUERY_TIMEOUT 30 /* The maximum time in seconds for the whole query to live. */
+#endif
+
/*%
* Maximum EDNS0 input packet size.
*/
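Review bot: `DEFAULT_QUERY_TIMEOUT` and `MAXIMUM_QUERY_TIMEOUT` can both be overridden at build time, but nothing here checks that an overridden default stays inside the minimum/maximum range. A guard of the form `#if DEFAULT_QUERY_TIMEOUT < MINIMUM_QUERY_TIMEOUT || DEFAULT_QUERY_TIMEOUT > MAXIMUM_QUERY_TIMEOUT`, `#error`, `#endif` would catch a bad override at compile time. The default also resolves to 10 seconds, while the fctx_create hunk further down replaces a hard-coded 30-second fetch lifetime with `res->query_timeout`, so the default lifetime of a whole fetch appears to drop from 30 s to 10 s; the comment on `DEFAULT_QUERY_TIMEOUT` should say so. Smaller points: `MAXIMUM_QUERY_TIMEOUT` is `30` while its siblings carry the `U` suffix, and "a individual query" should read "an individual query".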
@@ -278,6 +299,7 @@ struct fetchctx {
unsigned int valfail;
isc_boolean_t timeout;
dns_adbaddrinfo_t *addrinfo;
+ isc_sockaddr_t *client;
};
#define FCTX_MAGIC ISC_MAGIC('F', '!', '!', '!')
@@ -389,6 +411,7 @@ struct dns_resolver {
unsigned int spillatmin;
isc_timer_t * spillattimer;
isc_boolean_t zero_no_soa_ttl;
+ unsigned int query_timeout;
/* Locked by lock. */
unsigned int references;
@@ -811,8 +834,8 @@ fctx_cancelquery(resquery_t **queryp, dns_dispatchevent_t **deventp,
*/
INSIST(no_response);
rtt = query->addrinfo->srtt + 200000;
- if (rtt > 10000000)
- rtt = 10000000;
+ if (rtt > MAX_SINGLE_QUERY_TIMEOUT_US)
+ rtt = MAX_SINGLE_QUERY_TIMEOUT_US;
/*
* Replace the current RTT with our value.
*/
@@ -1042,6 +1065,7 @@ fctx_sendevents(fetchctx_t *fctx, isc_result_t result, int line) {
ISC_LIST_UNLINK(fctx->events, event, ev_link);
task = event->ev_sender;
event->ev_sender = fctx;
+ event->vresult = fctx->vresult;
if (!HAVE_ANSWER(fctx))
event->result = result;
@@ -1325,12 +1349,18 @@ fctx_setretryinterval(fetchctx_t *fctx, unsigned int rtt) {
us = (800000 << (fctx->restarts - 2));
/*
- * Double the round-trip time.
+ * Add a fudge factor to the expected rtt based on the current
+ * estimate.
*/
- rtt *= 2;
+ if (rtt < 50000)
+ rtt += 50000;
+ else if (rtt < 100000)
+ rtt += 100000;
+ else
+ rtt += 200000;
/*
- * Always wait for at least the doubled round-trip time.
+ * Always wait for at least the expected rtt.
*/
if (us < rtt)
us = rtt;
@@ -1338,11 +1368,11 @@ fctx_setretryinterval(fetchctx_t *fctx, unsigned int rtt) {
/*
* But don't ever wait for more than 10 seconds.
*/
- if (us > 10000000)
- us = 10000000;
+ if (us > MAX_SINGLE_QUERY_TIMEOUT_US)
+ us = MAX_SINGLE_QUERY_TIMEOUT_US;
- seconds = us / 1000000;
- us -= seconds * 1000000;
+ seconds = us / US_PER_SEC;
+ us -= seconds * US_PER_SEC;
isc_interval_set(&fctx->interval, seconds, us * 1000);
}
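Review bot: The context comment `But don't ever wait for more than 10 seconds.` no longer matches the code, because the cap is now `MAX_SINGLE_QUERY_TIMEOUT_US`, which the defines added earlier in this file set to 9 seconds. Rewording it to name the constant, `/* But don't ever wait for more than MAX_SINGLE_QUERY_TIMEOUT seconds. */`, keeps the comment correct if the value changes again. The same constant replaces `10000000` in the fctx_cancelquery hunk, so the ceiling applied to a per-server RTT estimate also drops from 10 s to 9 s there. The start of fctx_setretryinterval is outside this hunk.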
@@ -1364,6 +1394,11 @@ fctx_query(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo,
task = res->buckets[fctx->bucketnum].task;
srtt = addrinfo->srtt;
+
+ /*
+ * A forwarder needs to make multiple queries. Give it at least
+ * a second to do these in.
+ */
if (ISFORWARDER(addrinfo) && srtt < 1000000)
srtt = 1000000;
@@ -1747,9 +1782,8 @@ resquery_send(resquery_t *query) {
if ((query->options & DNS_FETCHOPT_NOVALIDATE) != 0) {
fctx->qmessage->flags |= DNS_MESSAGEFLAG_CD;
} else if (res->view->enablevalidation) {
- result = dns_keytable_issecuredomain(res->view->secroots,
- &fctx->name,
- &secure_domain);
+ result = dns_view_issecuredomain(res->view, &fctx->name,
+ &secure_domain);
if (result != ISC_R_SUCCESS)
secure_domain = ISC_FALSE;
if (res->view->dlv != NULL)
@@ -2306,7 +2340,7 @@ add_bad(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo, isc_result_t reason,
char code[64];
isc_buffer_t b;
isc_sockaddr_t *sa;
- const char *sep1, *sep2;
+ const char *spc = "";
isc_sockaddr_t *address = &addrinfo->sockaddr;
if (reason == DNS_R_LAME)
@@ -2351,18 +2385,14 @@ add_bad(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo, isc_result_t reason,
isc_buffer_init(&b, code, sizeof(code) - 1);
dns_rcode_totext(fctx->rmessage->rcode, &b);
code[isc_buffer_usedlength(&b)] = '\0';
- sep1 = "(";
- sep2 = ") ";
+ spc = " ";
} else if (reason == DNS_R_UNEXPECTEDOPCODE) {
isc_buffer_init(&b, code, sizeof(code) - 1);
dns_opcode_totext((dns_opcode_t)fctx->rmessage->opcode, &b);
code[isc_buffer_usedlength(&b)] = '\0';
- sep1 = "(";
- sep2 = ") ";
+ spc = " ";
} else {
code[0] = '\0';
- sep1 = "";
- sep2 = "";
}
dns_name_format(&fctx->name, namebuf, sizeof(namebuf));
dns_rdatatype_format(fctx->type, typebuf, sizeof(typebuf));
@@ -2370,83 +2400,19 @@ add_bad(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo, isc_result_t reason,
isc_sockaddr_format(address, addrbuf, sizeof(addrbuf));
isc_log_write(dns_lctx, DNS_LOGCATEGORY_LAME_SERVERS,
DNS_LOGMODULE_RESOLVER, ISC_LOG_INFO,
- "%s %s%s%sresolving '%s/%s/%s': %s",
- dns_result_totext(reason), sep1, code, sep2,
+ "error (%s%s%s) resolving '%s/%s/%s': %s",
+ dns_result_totext(reason), spc, code,
namebuf, typebuf, classbuf, addrbuf);
}
/*
- * Return 'bits' bits of random entropy from fctx->rand_buf,
- * refreshing it by calling isc_random_get() whenever the requested
- * number of bits is greater than the number in the buffer.
- */
-static inline isc_uint32_t
-random_bits(fetchctx_t *fctx, isc_uint32_t bits) {
- isc_uint32_t ret = 0;
-
- REQUIRE(VALID_FCTX(fctx));
- REQUIRE(bits <= 32);
- if (bits == 0)
- return (0);
-
- if (bits >= fctx->rand_bits) {
- /* if rand_bits == 0, this is unnecessary but harmless */
- bits -= fctx->rand_bits;
- ret = fctx->rand_buf << bits;
-
- /* refresh random buffer now */
- isc_random_get(&fctx->rand_buf);
- fctx->rand_bits = sizeof(fctx->rand_buf) * CHAR_BIT;
- }
-
- if (bits > 0) {
- isc_uint32_t mask = 0xffffffff;
- if (bits < 32) {
- mask = (1 << bits) - 1;
- }
-
- ret |= fctx->rand_buf & mask;
- fctx->rand_buf >>= bits;
- fctx->rand_bits -= bits;
- }
-
- return (ret);
-}
-
-/*
- * Add some random jitter to a server's RTT value so that the
- * order of queries will be unpredictable.
- *
- * RTT values of servers which have been tried are fuzzed by 128 ms.
- * Servers that haven't been tried yet have their RTT set to a random
- * value between 0 ms and 7 ms; they should get to go first, but in
- * unpredictable order.
- */
-static inline void
-randomize_srtt(fetchctx_t *fctx, dns_adbaddrinfo_t *ai) {
- if (TRIED(ai)) {
- ai->srtt >>= 10; /* convert to milliseconds, near enough */
- ai->srtt |= (ai->srtt & 0x80) | random_bits(fctx, 7);
- ai->srtt <<= 10; /* now back to microseconds */
- } else
- ai->srtt = random_bits(fctx, 3) << 10;
-}
-
-/*
- * Sort addrinfo list by RTT (with random jitter)
+ * Sort addrinfo list by RTT.
*/
static void
-sort_adbfind(fetchctx_t *fctx, dns_adbfind_t *find) {
+sort_adbfind(dns_adbfind_t *find) {
dns_adbaddrinfo_t *best, *curr;
dns_adbaddrinfolist_t sorted;
- /* Add jitter to SRTT values */
- curr = ISC_LIST_HEAD(find->list);
- while (curr != NULL) {
- randomize_srtt(fctx, curr);
- curr = ISC_LIST_NEXT(curr, publink);
- }
-
/* Lame N^2 bubble sort. */
ISC_LIST_INIT(sorted);
while (!ISC_LIST_EMPTY(find->list)) {
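Review bot: Removing `random_bits()` and `randomize_srtt()` makes the server order produced by `sort_adbfind()` depend only on stored SRTT, yet the deleted comment said the jitter existed so that "the order of queries will be unpredictable", and nothing in the commit explains why that property is given up. If the unpredictability was intended as hardening against forged responses (an inference, the page does not say), the reason for dropping it belongs in the comment above `sort_adbfind()`. The `fctx->rand_bits = 0;` line still visible as context in the fctx_create hunk suggests that `rand_buf` and `rand_bits` stay in `struct fetchctx` without a remaining reader in the visible code, so they are candidates for removal as well. sort_adbfind's body continues outside the hunk.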
@@ -2464,19 +2430,19 @@ sort_adbfind(fetchctx_t *fctx, dns_adbfind_t *find) {
}
/*
- * Sort a list of finds by server RTT (with random jitter)
+ * Sort a list of finds by server RTT.
*/
static void
-sort_finds(fetchctx_t *fctx, dns_adbfindlist_t *findlist) {
+sort_finds(dns_adbfindlist_t *findlist) {
dns_adbfind_t *best, *curr;
dns_adbfindlist_t sorted;
dns_adbaddrinfo_t *addrinfo, *bestaddrinfo;
- /* Sort each find's addrinfo list by SRTT (after adding jitter) */
+ /* Sort each find's addrinfo list by SRTT. */
for (curr = ISC_LIST_HEAD(*findlist);
curr != NULL;
curr = ISC_LIST_NEXT(curr, publink))
- sort_adbfind(fctx, curr);
+ sort_adbfind(curr);
/* Lame N^2 bubble sort. */
ISC_LIST_INIT(sorted);
@@ -2857,8 +2823,8 @@ fctx_getaddresses(fetchctx_t *fctx, isc_boolean_t badcache) {
* We've found some addresses. We might still be looking
* for more addresses.
*/
- sort_finds(fctx, &fctx->finds);
- sort_finds(fctx, &fctx->altfinds);
+ sort_finds(&fctx->finds);
+ sort_finds(&fctx->altfinds);
result = ISC_R_SUCCESS;
}
@@ -3518,6 +3484,7 @@ fctx_join(fetchctx_t *fctx, isc_task_t *task, isc_sockaddr_t *client,
else
ISC_LIST_APPEND(fctx->events, event, ev_link);
fctx->references++;
+ fctx->client = client;
fetch->magic = DNS_FETCH_MAGIC;
fetch->private = fctx;
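Review bot: `fctx->client = client;` keeps the caller's pointer rather than a copy, and every later join overwrites it, so `log_formerr()` names whichever client joined last and dereferences that pointer for as long as the fetch context lives. Nothing visible here shows that the `isc_sockaddr_t` outlives the fetch; if the object that owns it can be released while the fetch is still running, `isc_sockaddr_format(fctx->client, ...)` would read freed memory. Storing the address by value removes the lifetime question, for example an `isc_sockaddr_t` member plus a validity flag in `struct fetchctx`, filled with `*client` when `client != NULL`. A join with `client == NULL` currently also clears the field for a fetch that already had a client, which is worth either avoiding or documenting. fctx_join's body starts and ends outside the hunk.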
@@ -3633,6 +3600,7 @@ fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type,
fctx->rand_bits = 0;
fctx->timeout = ISC_FALSE;
fctx->addrinfo = NULL;
+ fctx->client = NULL;
fctx->ns_ttl = 0;
fctx->ns_ttl_ok = ISC_FALSE;
@@ -3722,7 +3690,7 @@ fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type,
/*
* Compute an expiration time for the entire fetch.
*/
- isc_interval_set(&interval, 30, 0); /* XXXRTH constant */
+ isc_interval_set(&interval, res->query_timeout, 0);
iresult = isc_time_nowplusinterval(&fctx->expires, &interval);
if (iresult != ISC_R_SUCCESS) {
UNEXPECTED_ERROR(__FILE__, __LINE__,
@@ -3866,6 +3834,33 @@ log_lame(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo) {
namebuf, domainbuf, addrbuf);
}
+static inline void
+log_formerr(fetchctx_t *fctx, const char *format, ...) {
+ char nsbuf[ISC_SOCKADDR_FORMATSIZE];
+ char clbuf[ISC_SOCKADDR_FORMATSIZE];
+ const char *clmsg = "";
+ char msgbuf[2048];
+ va_list args;
+
+ va_start(args, format);
+ vsnprintf(msgbuf, sizeof(msgbuf), format, args);
+ va_end(args);
+
+ isc_sockaddr_format(&fctx->addrinfo->sockaddr, nsbuf, sizeof(nsbuf));
+
+ if (fctx->client != NULL) {
+ clmsg = " for client ";
+ isc_sockaddr_format(fctx->client, clbuf, sizeof(clbuf));
+ } else {
+ clbuf[0] = '\0';
+ }
+
+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
+ DNS_LOGMODULE_RESOLVER, ISC_LOG_NOTICE,
+ "DNS format error from %s resolving %s%s%s: %s",
+ nsbuf, fctx->info, clmsg, clbuf, msgbuf);
+}
+
static inline isc_result_t
same_question(fetchctx_t *fctx) {
isc_result_t result;
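Review bot: `log_formerr()` is a printf-style varargs function without a format-checking attribute, so a mismatch between format string and arguments at any of the call sites this commit adds would pass the compiler unnoticed. A forward declaration `static inline void log_formerr(fetchctx_t *fctx, const char *format, ...) ISC_FORMAT_PRINTF(2, 3);` ahead of the definition enables that check. The function also dereferences `fctx->addrinfo` unconditionally, although fctx_create initialises it to NULL (visible as context in another hunk). Presumably every caller runs after a response has set the field, and a `REQUIRE(fctx->addrinfo != NULL);` at the top would state that assumption instead of leaving it implicit.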
@@ -3880,8 +3875,10 @@ same_question(fetchctx_t *fctx) {
/*
* XXXRTH Currently we support only one question.
*/
- if (message->counts[DNS_SECTION_QUESTION] != 1)
+ if (message->counts[DNS_SECTION_QUESTION] != 1) {
+ log_formerr(fctx, "too many questions");
return (DNS_R_FORMERR);
+ }
result = dns_message_firstname(message, DNS_SECTION_QUESTION);
if (result != ISC_R_SUCCESS)
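Review bot: The text `too many questions` is also logged when the question section is empty, because the condition is `message->counts[DNS_SECTION_QUESTION] != 1`. A neutral message such as `log_formerr(fctx, "question count is not one");` stays accurate for both cases, which matters to anyone triaging these log lines. same_question's body continues outside the hunk.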
@@ -3891,10 +3888,21 @@ same_question(fetchctx_t *fctx) {
rdataset = ISC_LIST_HEAD(name->list);
INSIST(rdataset != NULL);
INSIST(ISC_LIST_NEXT(rdataset, link) == NULL);
+
if (fctx->type != rdataset->type ||
fctx->res->rdclass != rdataset->rdclass ||
- !dns_name_equal(&fctx->name, name))
+ !dns_name_equal(&fctx->name, name)) {
+ char namebuf[DNS_NAME_FORMATSIZE];
+ char class[DNS_RDATACLASS_FORMATSIZE];
+ char type[DNS_RDATATYPE_FORMATSIZE];
+
+ dns_name_format(name, namebuf, sizeof(namebuf));
+ dns_rdataclass_format(rdataset->rdclass, class, sizeof(class));
+ dns_rdatatype_format(rdataset->type, type, sizeof(type));
+ log_formerr(fctx, "question section mismatch: got %s/%s/%s",
+ namebuf, class, type);
return (DNS_R_FORMERR);
+ }
return (ISC_R_SUCCESS);
}
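Review bot: The mismatch message prints the received question as name/class/type, while add_bad() and is_answeraddress_allowed() in this same commit log name/type/class (`namebuf, typebuf, classbuf`). Two orders in one log category make the lines harder to parse and correlate. Passing the arguments as `namebuf, type, class);` aligns this message with the others.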
@@ -4034,6 +4042,7 @@ validated(isc_task_t *task, isc_event_t *event) {
REQUIRE(!ISC_LIST_EMPTY(fctx->validators));
vevent = (dns_validatorevent_t *)event;
+ fctx->vresult = vevent->result;
FCTXTRACE("received validation completion event");
@@ -4414,8 +4423,8 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
* Is DNSSEC validation required for this name?
*/
if (res->view->enablevalidation) {
- result = dns_keytable_issecuredomain(res->view->secroots, name,
- &secure_domain);
+ result = dns_view_issecuredomain(res->view, name,
+ &secure_domain);
if (result != ISC_R_SUCCESS)
return (result);
@@ -4888,8 +4897,8 @@ ncache_message(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo,
* Is DNSSEC validation required for this name?
*/
if (fctx->res->view->enablevalidation) {
- result = dns_keytable_issecuredomain(res->view->secroots, name,
- &secure_domain);
+ result = dns_view_issecuredomain(res->view, name,
+ &secure_domain);
if (result != ISC_R_SUCCESS)
return (result);
@@ -5033,7 +5042,9 @@ mark_related(dns_name_t *name, dns_rdataset_t *rdataset,
}
static isc_result_t
-check_related(void *arg, dns_name_t *addname, dns_rdatatype_t type) {
+check_section(void *arg, dns_name_t *addname, dns_rdatatype_t type,
+ dns_section_t section)
+{
fetchctx_t *fctx = arg;
isc_result_t result;
dns_name_t *name;
@@ -5044,15 +5055,19 @@ check_related(void *arg, dns_name_t *addname, dns_rdatatype_t type) {
REQUIRE(VALID_FCTX(fctx));
+#if CHECK_FOR_GLUE_IN_ANSWER
+ if (section == DNS_SECTION_ANSWER && type != dns_rdatatype_a)
+ return (ISC_R_SUCCESS);
+#endif
+
if (GLUING(fctx))
gluing = ISC_TRUE;
else
gluing = ISC_FALSE;
name = NULL;
rdataset = NULL;
- result = dns_message_findname(fctx->rmessage, DNS_SECTION_ADDITIONAL,
- addname, dns_rdatatype_any, 0, &name,
- NULL);
+ result = dns_message_findname(fctx->rmessage, section, addname,
+ dns_rdatatype_any, 0, &name, NULL);
if (result == ISC_R_SUCCESS) {
external = ISC_TF(!dns_name_issubdomain(name, &fctx->domain));
if (type == dns_rdatatype_a) {
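Review bot: `#if CHECK_FOR_GLUE_IN_ANSWER` is evaluated in check_section() before the macro receives its default, since the `#ifndef CHECK_FOR_GLUE_IN_ANSWER` / `#define CHECK_FOR_GLUE_IN_ANSWER 0` block is only added after check_related() in the next hunk. Unless the build defines it, the preprocessor treats the undefined name as 0, so the outcome is the same, but that relies on the fallback rule and warns under `-Wundef`. Moving the three-line default up beside the other `#ifndef` defaults near the top of the file keeps every use behind the definition. check_section's body continues outside the hunk.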
@@ -5090,6 +5105,21 @@ check_related(void *arg, dns_name_t *addname, dns_rdatatype_t type) {
return (ISC_R_SUCCESS);
}
+static isc_result_t
+check_related(void *arg, dns_name_t *addname, dns_rdatatype_t type) {
+ return (check_section(arg, addname, type, DNS_SECTION_ADDITIONAL));
+}
+
+#ifndef CHECK_FOR_GLUE_IN_ANSWER
+#define CHECK_FOR_GLUE_IN_ANSWER 0
+#endif
+#if CHECK_FOR_GLUE_IN_ANSWER
+static isc_result_t
+check_answer(void *arg, dns_name_t *addname, dns_rdatatype_t type) {
+ return (check_section(arg, addname, type, DNS_SECTION_ANSWER));
+}
+#endif
+
static void
chase_additional(fetchctx_t *fctx) {
isc_boolean_t rescan;
@@ -5146,8 +5176,8 @@ cname_target(dns_rdataset_t *rdataset, dns_name_t *tname) {
}
static inline isc_result_t
-dname_target(dns_rdataset_t *rdataset, dns_name_t *qname, dns_name_t *oname,
- dns_fixedname_t *fixeddname)
+dname_target(fetchctx_t *fctx, dns_rdataset_t *rdataset, dns_name_t *qname,
+ dns_name_t *oname, dns_fixedname_t *fixeddname)
{
isc_result_t result;
dns_rdata_t rdata = DNS_RDATA_INIT;
@@ -5160,7 +5190,6 @@ dname_target(dns_rdataset_t *rdataset, dns_name_t *qname, dns_name_t *oname,
/*
* Get the target name of the DNAME.
*/
-
result = dns_rdataset_first(rdataset);
if (result != ISC_R_SUCCESS)
return (result);
@@ -5174,7 +5203,14 @@ dname_target(dns_rdataset_t *rdataset, dns_name_t *qname, dns_name_t *oname,
*/
namereln = dns_name_fullcompare(qname, oname, &order, &nlabels);
if (namereln != dns_namereln_subdomain) {
+ char qbuf[DNS_NAME_FORMATSIZE];
+ char obuf[DNS_NAME_FORMATSIZE];
+
dns_rdata_freestruct(&dname);
+ dns_name_format(qname, qbuf, sizeof(qbuf));
+ dns_name_format(oname, obuf, sizeof(obuf));
+ log_formerr(fctx, "unrelated DNAME in answer: "
+ "%s is not in %s", qbuf, obuf);
return (DNS_R_FORMERR);
}
dns_fixedname_init(&prefix);
@@ -5187,6 +5223,134 @@ dname_target(dns_rdataset_t *rdataset, dns_name_t *qname, dns_name_t *oname,
return (result);
}
+static isc_boolean_t
+is_answeraddress_allowed(dns_view_t *view, dns_name_t *name,
+ dns_rdataset_t *rdataset)
+{
+ isc_result_t result;
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ struct in_addr ina;
+ struct in6_addr in6a;
+ isc_netaddr_t netaddr;
+ char addrbuf[ISC_NETADDR_FORMATSIZE];
+ char namebuf[DNS_NAME_FORMATSIZE];
+ char classbuf[64];
+ char typebuf[64];
+ int match;
+
+ /* By default, we allow any addresses. */
+ if (view->denyansweracl == NULL)
+ return (ISC_TRUE);
+
+ /*
+ * If the owner name matches one in the exclusion list, either exactly
+ * or partially, allow it.
+ */
+ if (view->answeracl_exclude != NULL) {
+ dns_rbtnode_t *node = NULL;
+
+ result = dns_rbt_findnode(view->answeracl_exclude, name, NULL,
+ &node, NULL, 0, NULL, NULL);
+
+ if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH)
+ return (ISC_TRUE);
+ }
+
+ /*
+ * Otherwise, search the filter list for a match for each address
+ * record. If a match is found, the address should be filtered,
+ * so should the entire answer.
+ */
+ for (result = dns_rdataset_first(rdataset);
+ result == ISC_R_SUCCESS;
+ result = dns_rdataset_next(rdataset)) {
+ dns_rdata_reset(&rdata);
+ dns_rdataset_current(rdataset, &rdata);
+ if (rdataset->type == dns_rdatatype_a) {
+ INSIST(rdata.length == sizeof(ina.s_addr));
+ memcpy(&ina.s_addr, rdata.data, sizeof(ina.s_addr));
+ isc_netaddr_fromin(&netaddr, &ina);
+ } else {
+ INSIST(rdata.length == sizeof(in6a.s6_addr));
+ memcpy(in6a.s6_addr, rdata.data, sizeof(in6a.s6_addr));
+ isc_netaddr_fromin6(&netaddr, &in6a);
+ }
+
+ result = dns_acl_match(&netaddr, NULL, view->denyansweracl,
+ &view->aclenv, &match, NULL);
+
+ if (result == ISC_R_SUCCESS && match > 0) {
+ isc_netaddr_format(&netaddr, addrbuf, sizeof(addrbuf));
+ dns_name_format(name, namebuf, sizeof(namebuf));
+ dns_rdatatype_format(rdataset->type, typebuf,
+ sizeof(typebuf));
+ dns_rdataclass_format(rdataset->rdclass, classbuf,
+ sizeof(classbuf));
+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
+ DNS_LOGMODULE_RESOLVER, ISC_LOG_NOTICE,
+ "answer address %s denied for %s/%s/%s",
+ addrbuf, namebuf, typebuf, classbuf);
+ return (ISC_FALSE);
+ }
+ }
+
+ return (ISC_TRUE);
+}
+
+static isc_boolean_t
+is_answertarget_allowed(dns_view_t *view, dns_name_t *name,
+ dns_rdatatype_t type, dns_name_t *tname,
+ dns_name_t *domain)
+{
+ isc_result_t result;
+ dns_rbtnode_t *node = NULL;
+ char qnamebuf[DNS_NAME_FORMATSIZE];
+ char tnamebuf[DNS_NAME_FORMATSIZE];
+ char classbuf[64];
+ char typebuf[64];
+
+ /* By default, we allow any target name. */
+ if (view->denyanswernames == NULL)
+ return (ISC_TRUE);
+
+ /*
+ * If the owner name matches one in the exclusion list, either exactly
+ * or partially, allow it.
+ */
+ if (view->answernames_exclude != NULL) {
+ result = dns_rbt_findnode(view->answernames_exclude, name, NULL,
+ &node, NULL, 0, NULL, NULL);
+ if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH)
+ return (ISC_TRUE);
+ }
+
+ /*
+ * If the target name is a subdomain of the search domain, allow it.
+ */
+ if (dns_name_issubdomain(tname, domain))
+ return (ISC_TRUE);
+
+ /*
+ * Otherwise, apply filters.
+ */
+ result = dns_rbt_findnode(view->denyanswernames, tname, NULL, &node,
+ NULL, 0, NULL, NULL);
+ if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH) {
+ dns_name_format(name, qnamebuf, sizeof(qnamebuf));
+ dns_name_format(tname, tnamebuf, sizeof(tnamebuf));
+ dns_rdatatype_format(type, typebuf, sizeof(typebuf));
+ dns_rdataclass_format(view->rdclass, classbuf,
+ sizeof(classbuf));
+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
+ DNS_LOGMODULE_RESOLVER, ISC_LOG_NOTICE,
+ "%s target %s denied for %s/%s",
+ typebuf, tnamebuf, qnamebuf, classbuf);
+ return (ISC_FALSE);
+ }
+
+ return (ISC_TRUE);
+}
+
static void
trim_ns_ttl(fetchctx_t *fctx, dns_name_t *name, dns_rdataset_t *rdataset) {
char ns_namebuf[DNS_NAME_FORMATSIZE];
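Review bot: In is_answeraddress_allowed() a failure from `dns_acl_match()` is handled like "no match": the test is `result == ISC_R_SUCCESS && match > 0`, and the loop increment then overwrites `result`, so the error is dropped and the address is allowed. For a deny filter it is safer to fail closed and to keep the ACL status out of the loop variable, for example a separate `isc_result_t aclresult` followed by `if (aclresult != ISC_R_SUCCESS) return (ISC_FALSE);`. The two `INSIST(rdata.length == ...)` checks run on rdata taken from a response and presumably rely on the message parser having validated A/AAAA lengths; a comment saying so would help, since a failed INSIST aborts the server. The `else` branch also assumes AAAA without testing `rdataset->type`, which holds for the caller added in answer_response() but is not stated in the function.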
@@ -5209,14 +5373,17 @@ trim_ns_ttl(fetchctx_t *fctx, dns_name_t *name, dns_rdataset_t *rdataset) {
/*
* Handle a no-answer response (NXDOMAIN, NXRRSET, or referral).
- * If bind8_ns_resp is ISC_TRUE, this is a suspected BIND 8
- * response to an NS query that should be treated as a referral
- * even though the NS records occur in the answer section
- * rather than the authority section.
+ * If look_in_options has LOOK_FOR_NS_IN_ANSWER then we look in the answer
+ * section for the NS RRset if the query type is NS; if it has
+ * LOOK_FOR_GLUE_IN_ANSWER we look for glue incorrectly returned in the answer
+ * section for A and AAAA queries.
*/
+#define LOOK_FOR_NS_IN_ANSWER 0x1
+#define LOOK_FOR_GLUE_IN_ANSWER 0x2
+
static isc_result_t
noanswer_response(fetchctx_t *fctx, dns_name_t *oqname,
- isc_boolean_t bind8_ns_resp)
+ unsigned int look_in_options)
{
isc_result_t result;
dns_message_t *message;
@@ -5224,11 +5391,16 @@ noanswer_response(fetchctx_t *fctx, dns_name_t *oqname,
dns_rdataset_t *rdataset, *ns_rdataset;
isc_boolean_t aa, negative_response;
dns_rdatatype_t type;
- dns_section_t section =
- bind8_ns_resp ? DNS_SECTION_ANSWER : DNS_SECTION_AUTHORITY;
+ dns_section_t section;
FCTXTRACE("noanswer_response");
+ if ((look_in_options & LOOK_FOR_NS_IN_ANSWER) != 0) {
+ INSIST(fctx->type == dns_rdatatype_ns);
+ section = DNS_SECTION_ANSWER;
+ } else
+ section = DNS_SECTION_AUTHORITY;
+
message = fctx->rmessage;
/*
@@ -5301,8 +5473,22 @@ noanswer_response(fetchctx_t *fctx, dns_name_t *oqname,
type = rdataset->covers;
if (((type == dns_rdatatype_ns ||
type == dns_rdatatype_soa) &&
- !dns_name_issubdomain(qname, name)))
+ !dns_name_issubdomain(qname, name))) {
+ char qbuf[DNS_NAME_FORMATSIZE];
+ char nbuf[DNS_NAME_FORMATSIZE];
+ char tbuf[DNS_RDATATYPE_FORMATSIZE];
+ dns_rdatatype_format(fctx->type, tbuf,
+ sizeof(tbuf));
+ dns_name_format(name, nbuf,
+ sizeof(nbuf));
+ dns_name_format(qname, qbuf,
+ sizeof(qbuf));
+ log_formerr(fctx,
+ "unrelated %s %s in "
+ "%s authority section",
+ tbuf, qbuf, nbuf);
return (DNS_R_FORMERR);
+ }
if (type == dns_rdatatype_ns) {
/*
* NS or RRSIG NS.
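Review bot: The new message does not describe the record that failed the check, because `tbuf` is formatted from `fctx->type` (the query type) although the test is on `type`, the NS or SOA rdataset. The names are passed as `qbuf, nbuf`, so the line reads as if the query name were the unrelated one. The condition rejects an NS/SOA owner `name` of which `qname` is not a subdomain, so the text should name that owner: `dns_rdatatype_format(type, tbuf, sizeof(tbuf));` and `tbuf, nbuf, qbuf);`. noanswer_response starts and ends outside this hunk.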
@@ -5312,8 +5498,14 @@ noanswer_response(fetchctx_t *fctx, dns_name_t *oqname,
if (rdataset->type ==
dns_rdatatype_ns) {
if (ns_name != NULL &&
- name != ns_name)
+ name != ns_name) {
+ log_formerr(fctx,
+ "multiple NS "
+ "RRsets in "
+ "authority "
+ "section");
return (DNS_R_FORMERR);
+ }
ns_name = name;
ns_rdataset = rdataset;
}
@@ -5332,8 +5524,14 @@ noanswer_response(fetchctx_t *fctx, dns_name_t *oqname,
if (rdataset->type ==
dns_rdatatype_soa) {
if (soa_name != NULL &&
- name != soa_name)
+ name != soa_name) {
+ log_formerr(fctx,
+ "multiple SOA "
+ "RRs in "
+ "authority "
+ "section");
return (DNS_R_FORMERR);
+ }
soa_name = name;
}
name->attributes |=
@@ -5421,15 +5619,25 @@ noanswer_response(fetchctx_t *fctx, dns_name_t *oqname,
*
* These should only be here if
* this is a referral, and there
- * should only be one DS.
+ * should only be one DS RRset.
*/
- if (ns_name == NULL)
+ if (ns_name == NULL) {
+ log_formerr(fctx,
+ "DS with no "
+ "referral");
return (DNS_R_FORMERR);
+ }
if (rdataset->type ==
dns_rdatatype_ds) {
if (ds_name != NULL &&
- name != ds_name)
+ name != ds_name) {
+ log_formerr(fctx,
+ "DS doesn't "
+ "match "
+ "referral "
+ "(NS)");
return (DNS_R_FORMERR);
+ }
ds_name = name;
}
name->attributes |=
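Review bot: `DS doesn't match referral (NS)` is logged for `ds_name != NULL && name != ds_name`, which detects a second DS owner name and not a DS/NS mismatch, since `ns_name` is not compared in that branch. A message like `log_formerr(fctx, "multiple DS RRsets in authority section");` would agree with the condition and with the updated comment ("there should only be one DS RRset"). It would also match the wording chosen for the NS and SOA cases in the earlier hunks. If a real DS-versus-NS owner comparison was intended, it is missing from the visible code.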
@@ -5482,6 +5690,7 @@ noanswer_response(fetchctx_t *fctx, dns_name_t *oqname,
/*
* The responder is insane.
*/
+ log_formerr(fctx, "invalid response");
return (DNS_R_FORMERR);
}
}
@@ -5489,8 +5698,10 @@ noanswer_response(fetchctx_t *fctx, dns_name_t *oqname,
/*
* If we found both NS and SOA, they should be the same name.
*/
- if (ns_name != NULL && soa_name != NULL && ns_name != soa_name)
+ if (ns_name != NULL && soa_name != NULL && ns_name != soa_name) {
+ log_formerr(fctx, "NS/SOA mismatch");
return (DNS_R_FORMERR);
+ }
/*
* Do we have a referral? (We only want to follow a referral if
@@ -5503,14 +5714,18 @@ noanswer_response(fetchctx_t *fctx, dns_name_t *oqname,
* progress. We return DNS_R_FORMERR so that we'll keep
* trying other servers.
*/
- if (dns_name_equal(ns_name, &fctx->domain))
+ if (dns_name_equal(ns_name, &fctx->domain)) {
+ log_formerr(fctx, "non-improving referral");
return (DNS_R_FORMERR);
+ }
/*
* If the referral name is not a parent of the query
* name, consider the responder insane.
*/
if (! dns_name_issubdomain(&fctx->name, ns_name)) {
+ /* Logged twice */
+ log_formerr(fctx, "referral to non-parent");
FCTXTRACE("referral to non-parent");
return (DNS_R_FORMERR);
}
@@ -5524,6 +5739,20 @@ noanswer_response(fetchctx_t *fctx, dns_name_t *oqname,
fctx->attributes |= FCTX_ATTR_GLUING;
(void)dns_rdataset_additionaldata(ns_rdataset, check_related,
fctx);
+#if CHECK_FOR_GLUE_IN_ANSWER
+ /*
+ * Look in the answer section for "glue" that is incorrectly
+ * returned as a answer. This is needed if the server also
+ * minimizes the response size by not adding records to the
+ * additional section that are in the answer section or if
+ * the record gets dropped due to message size constraints.
+ */
+ if ((look_in_options & LOOK_FOR_GLUE_IN_ANSWER) != 0 &&
+ (fctx->type == dns_rdatatype_aaaa ||
+ fctx->type == dns_rdatatype_a))
+ (void)dns_rdataset_additionaldata(ns_rdataset,
+ check_answer, fctx);
+#endif
fctx->attributes &= ~FCTX_ATTR_GLUING;
/*
* NS rdatasets with 0 TTL cause problems.
@@ -5578,6 +5807,7 @@ answer_response(fetchctx_t *fctx) {
unsigned int aflag;
dns_rdatatype_t type;
dns_fixedname_t dname, fqname;
+ dns_view_t *view;
FCTXTRACE("answer_response");
@@ -5601,6 +5831,7 @@ answer_response(fetchctx_t *fctx) {
aa = ISC_FALSE;
qname = &fctx->name;
type = fctx->type;
+ view = fctx->res->view;
result = dns_message_firstname(message, DNS_SECTION_ANSWER);
while (!done && result == ISC_R_SUCCESS) {
name = NULL;
@@ -5619,8 +5850,21 @@ answer_response(fetchctx_t *fctx) {
* NSEC3 records are not allowed to
* appear in the answer section.
*/
+ log_formerr(fctx, "NSEC3 in answer");
return (DNS_R_FORMERR);
}
+
+ /*
+ * Apply filters, if given, on answers to reject
+ * a malicious attempt of rebinding.
+ */
+ if ((rdataset->type == dns_rdatatype_a ||
+ rdataset->type == dns_rdatatype_aaaa) &&
+ !is_answeraddress_allowed(view, name,
+ rdataset)) {
+ return (DNS_R_SERVFAIL);
+ }
+
if (rdataset->type == type && !found_cname) {
/*
* We've found an ordinary answer.
@@ -5659,8 +5903,16 @@ answer_response(fetchctx_t *fctx) {
*/
if (type == dns_rdatatype_rrsig ||
type == dns_rdatatype_dnskey ||
- type == dns_rdatatype_nsec)
+ type == dns_rdatatype_nsec ||
+ type == dns_rdatatype_nsec3) {
+ char buf[DNS_RDATATYPE_FORMATSIZE];
+ dns_rdatatype_format(fctx->type,
+ buf, sizeof(buf));
+ log_formerr(fctx,
+ "CNAME response "
+ "for %s RR", buf);
return (DNS_R_FORMERR);
+ }
found = ISC_TRUE;
found_cname = ISC_TRUE;
want_chaining = ISC_TRUE;
@@ -5669,6 +5921,14 @@ answer_response(fetchctx_t *fctx) {
&tname);
if (result != ISC_R_SUCCESS)
return (result);
+ /* Apply filters on the target name. */
+ if (!is_answertarget_allowed(view,
+ name,
+ rdataset->type,
+ &tname,
+ &fctx->domain)) {
+ return (DNS_R_SERVFAIL);
+ }
} else if (rdataset->type == dns_rdatatype_rrsig
&& rdataset->covers ==
dns_rdatatype_cname
@@ -5769,6 +6029,8 @@ answer_response(fetchctx_t *fctx) {
rdataset != NULL;
rdataset = ISC_LIST_NEXT(rdataset, link)) {
isc_boolean_t found_dname = ISC_FALSE;
+ dns_name_t *dname_name;
+
found = ISC_FALSE;
aflag = 0;
if (rdataset->type == dns_rdatatype_dname) {
@@ -5779,13 +6041,16 @@ answer_response(fetchctx_t *fctx) {
* If we're not chaining, then the
* DNAME should not be external.
*/
- if (!chaining && external)
+ if (!chaining && external) {
+ log_formerr(fctx,
+ "external DNAME");
return (DNS_R_FORMERR);
+ }
found = ISC_TRUE;
want_chaining = ISC_TRUE;
POST(want_chaining);
aflag = DNS_RDATASETATTR_ANSWER;
- result = dname_target(rdataset,
+ result = dname_target(fctx, rdataset,
qname, name,
&dname);
if (result == ISC_R_NOSPACE) {
@@ -5800,6 +6065,15 @@ answer_response(fetchctx_t *fctx) {
return (result);
else
found_dname = ISC_TRUE;
+
+ dname_name = dns_fixedname_name(&dname);
+ if (!is_answertarget_allowed(view,
+ qname,
+ rdataset->type,
+ dname_name,
+ &fctx->domain)) {
+ return (DNS_R_SERVFAIL);
+ }
} else if (rdataset->type == dns_rdatatype_rrsig
&& rdataset->covers ==
dns_rdatatype_dname) {
@@ -5887,8 +6161,10 @@ answer_response(fetchctx_t *fctx) {
/*
* We should have found an answer.
*/
- if (!have_answer)
+ if (!have_answer) {
+ log_formerr(fctx, "reply has no answer");
return (DNS_R_FORMERR);
+ }
/*
* This response is now potentially cacheable.
@@ -5905,15 +6181,18 @@ answer_response(fetchctx_t *fctx) {
* If it isn't a noanswer response, no harm will be
* done.
*/
- return (noanswer_response(fctx, qname, ISC_FALSE));
+ return (noanswer_response(fctx, qname, 0));
}
/*
* We didn't end with an incomplete chain, so the rcode should be
* "no error".
*/
- if (message->rcode != dns_rcode_noerror)
+ if (message->rcode != dns_rcode_noerror) {
+ log_formerr(fctx, "CNAME/DNAME chain complete, but RCODE "
+ "indicates error");
return (DNS_R_FORMERR);
+ }
/*
* Examine the authority section (if there is one).
@@ -6263,6 +6542,39 @@ log_packet(dns_message_t *message, int level, isc_mem_t *mctx) {
isc_mem_put(mctx, buf, len);
}
+static isc_boolean_t
+iscname(fetchctx_t *fctx) {
+ isc_result_t result;
+
+ result = dns_message_findname(fctx->rmessage, DNS_SECTION_ANSWER,
+ &fctx->name, dns_rdatatype_cname, 0,
+ NULL, NULL);
+ return (result == ISC_R_SUCCESS ? ISC_TRUE : ISC_FALSE);
+}
+
+static isc_boolean_t
+betterreferral(fetchctx_t *fctx) {
+ isc_result_t result;
+ dns_name_t *name;
+ dns_rdataset_t *rdataset;
+ dns_message_t *message = fctx->rmessage;
+
+ for (result = dns_message_firstname(message, DNS_SECTION_AUTHORITY);
+ result == ISC_R_SUCCESS;
+ result = dns_message_nextname(message, DNS_SECTION_AUTHORITY)) {
+ name = NULL;
+ dns_message_currentname(message, DNS_SECTION_AUTHORITY, &name);
+ if (!isstrictsubdomain(name, &fctx->domain))
+ continue;
+ for (rdataset = ISC_LIST_HEAD(name->list);
+ rdataset != NULL;
+ rdataset = ISC_LIST_NEXT(rdataset, link))
+ if (rdataset->type == dns_rdatatype_ns)
+ return (ISC_TRUE);
+ }
+ return (ISC_FALSE);
+}
+
static void
resquery_response(isc_task_t *task, isc_event_t *event) {
isc_result_t result = ISC_R_SUCCESS;
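Review bot: `iscname()` and `betterreferral()` are added without any comment, although the new branch logic in resquery_response() uses them to decide whether a non-authoritative response is accepted as an answer or handled as a referral. Each needs a short header comment. For iscname, it returns true when the answer section holds a CNAME RRset owned by the query name `fctx->name`. For betterreferral, it returns true when the authority section contains an NS RRset whose owner passes `isstrictsubdomain(name, &fctx->domain)`, i.e. a delegation below the domain currently being queried. betterreferral also treats any iteration result other than ISC_R_SUCCESS as end of section, which the comment should mention; `isstrictsubdomain` itself is defined outside the visible hunks.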
@@ -6611,6 +6923,7 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
* cannot make any more progress with this
* fetch.
*/
+ log_formerr(fctx, "server sent FORMERR");
result = DNS_R_FORMERR;
}
} else if (message->rcode == dns_rcode_yxdomain) {
@@ -6726,27 +7039,62 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
(message->rcode == dns_rcode_noerror ||
message->rcode == dns_rcode_nxdomain)) {
/*
- * We've got answers. However, if we sent
- * a BIND 8 server an NS query, it may have
- * incorrectly responded with a non-authoritative
- * answer instead of a referral. Since this
- * answer lacks the SIGs necessary to do DNSSEC
- * validation, we must invoke the following special
- * kludge to treat it as a referral.
+ * [normal case]
+ * We've got answers. If it has an authoritative answer or an
+ * answer from a forwarder, we're done.
*/
- if (fctx->type == dns_rdatatype_ns &&
- (message->flags & DNS_MESSAGEFLAG_AA) == 0 &&
- !ISFORWARDER(query->addrinfo))
- {
- result = noanswer_response(fctx, NULL, ISC_TRUE);
+ if ((message->flags & DNS_MESSAGEFLAG_AA) != 0 ||
+ ISFORWARDER(query->addrinfo))
+ result = answer_response(fctx);
+ else if (iscname(fctx) &&
+ fctx->type != dns_rdatatype_any &&
+ fctx->type != dns_rdatatype_cname) {
+ /*
+ * A BIND8 server could return a non-authoritative
+ * answer when a CNAME is followed. We should treat
+ * it as a valid answer.
+ */
+ result = answer_response(fctx);
+ } else if (fctx->type != dns_rdatatype_ns &&
+ !betterreferral(fctx)) {
+ /*
+ * Lame response !!!.
+ */
+ result = answer_response(fctx);
+ } else {
+ if (fctx->type == dns_rdatatype_ns) {
+ /*
+ * A BIND 8 server could incorrectly return a
+ * non-authoritative answer to an NS query
+ * instead of a referral. Since this answer
+ * lacks the SIGs necessary to do DNSSEC
+ * validation, we must invoke the following
+ * special kludge to treat it as a referral.
+ */
+ result = noanswer_response(fctx, NULL,
+ LOOK_FOR_NS_IN_ANSWER);
+ } else {
+ /*
+ * Some other servers may still somehow include
+ * an answer when it should return a referral
+ * with an empty answer. Check to see if we can
+ * treat this as a referral by ignoring the
+ * answer. Further more, there may be an
+ * implementation that moves A/AAAA glue records
+ * to the answer section for that type of
+ * delegation when the query is for that glue
+ * record. LOOK_FOR_GLUE_IN_ANSWER will handle
+ * such a corner case.
+ */
+ result = noanswer_response(fctx, NULL,
+ LOOK_FOR_GLUE_IN_ANSWER);
+ }
if (result != DNS_R_DELEGATION) {
/*
- * The answer section must have contained
- * something other than the NS records
- * we asked for. Since AA is not set
- * and the server is not a forwarder,
- * it is technically lame and it's easier
- * to treat it as such than to figure out
+ * At this point, AA is not set, the response
+ * is not a referral, and the server is not a
+ * forwarder. It is technically lame and it's
+ * easier to treat it as such than to figure out
* some more elaborate course of action.
*/
broken_server = DNS_R_LAME;
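Review bot: The comment `Lame response !!!.` sits on a branch that calls `answer_response(fctx)`, so the response is accepted as an answer rather than marked lame; `broken_server = DNS_R_LAME` is only set further down when noanswer_response() does not return DNS_R_DELEGATION. The comment should state the rule the code applies, for example `/* Not authoritative, but no referral to a deeper zone is offered either: accept it as an answer. */`. This chain now decides which non-AA data from non-forwarders reaches answer_response(), so a summary comment above the first `if` listing the four cases in order would make the trust decision reviewable. resquery_response's body starts and ends outside the hunk.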
@@ -6755,7 +7103,6 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
}
goto force_referral;
}
- result = answer_response(fctx);
if (result != ISC_R_SUCCESS) {
if (result == DNS_R_FORMERR)
keep_trying = ISC_TRUE;
@@ -6767,7 +7114,7 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
/*
* NXDOMAIN, NXRDATASET, or referral.
*/
- result = noanswer_response(fctx, NULL, ISC_FALSE);
+ result = noanswer_response(fctx, NULL, 0);
if (result == DNS_R_CHASEDSSERVERS) {
} else if (result == DNS_R_DELEGATION) {
force_referral:
@@ -7178,6 +7525,7 @@ dns_resolver_create(dns_view_t *view,
res->spillatmax = 100;
res->spillattimer = NULL;
res->zero_no_soa_ttl = ISC_FALSE;
+ res->query_timeout = DEFAULT_QUERY_TIMEOUT;
res->ndisps = 0;
res->nextdisp = 0; /* meaningless at this point, but init it */
res->nbuckets = ntasks;
@@ -7329,6 +7677,7 @@ dns_resolver_create(dns_view_t *view,
return (result);
}
+#ifdef BIND9
static void
prime_done(isc_task_t *task, isc_event_t *event) {
dns_resolver_t *res;
@@ -7434,16 +7783,15 @@ dns_resolver_prime(dns_resolver_t *res) {
}
}
}
+#endif /* BIND9 */
void
dns_resolver_freeze(dns_resolver_t *res) {
-
/*
* Freeze resolver.
*/
REQUIRE(VALID_RESOLVER(res));
- REQUIRE(!res->frozen);
res->frozen = ISC_TRUE;
}
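Review bot: With `REQUIRE(!res->frozen)` removed, dns_resolver_freeze() now accepts a second call silently, yet its comment still reads only "Freeze resolver." and does not say that repeated calls are allowed. I would state the relaxed contract where the assertion used to be, e.g. `/* Freeze resolver; freezing an already frozen resolver is permitted and has no further effect. */`, so that a caller which relied on the assertion to catch a double configuration knows it is gone. The public header's description of this function probably needs the same update, but it is not visible in this hunk. The body of dns_resolver_prime(), now closed by `#endif /* BIND9 */`, starts outside the hunk.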
@@ -7887,8 +8235,8 @@ dns_resolver_logfetch(dns_fetch_t *fetch, isc_log_t *lctx,
"timeout:%u,lame:%u,neterr:%u,badresp:%u,"
"adberr:%u,findfail:%u,valfail:%u]",
__FILE__, fctx->exitline, fctx->info,
- fctx->duration / 1000000,
- fctx->duration % 1000000,
+ fctx->duration / US_PER_SEC,
+ fctx->duration % US_PER_SEC,
isc_result_totext(fctx->result),
isc_result_totext(fctx->vresult), domainbuf,
fctx->referrals, fctx->restarts,
@@ -8478,3 +8826,24 @@ dns_resolver_getoptions(dns_resolver_t *resolver) {
return (resolver->options);
}
+
+unsigned int
+dns_resolver_gettimeout(dns_resolver_t *resolver) {
+ REQUIRE(VALID_RESOLVER(resolver));
+
+ return (resolver->query_timeout);
+}
+
+void
+dns_resolver_settimeout(dns_resolver_t *resolver, unsigned int seconds) {
+ REQUIRE(VALID_RESOLVER(resolver));
+
+ if (seconds == 0)
+ seconds = DEFAULT_QUERY_TIMEOUT;
+ if (seconds > MAXIMUM_QUERY_TIMEOUT)
+ seconds = MAXIMUM_QUERY_TIMEOUT;
+ if (seconds < MINIMUM_QUERY_TIMEOUT)
+ seconds = MINIMUM_QUERY_TIMEOUT;
+
+ resolver->query_timeout = seconds;
+}
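Review bot: dns_resolver_settimeout() silently rewrites its argument: 0 becomes DEFAULT_QUERY_TIMEOUT and anything outside MINIMUM_QUERY_TIMEOUT..MAXIMUM_QUERY_TIMEOUT is clamped, and nothing in the function says so or reports it. An out-of-range configured value therefore takes effect as a different timeout with no indication to the operator. At minimum add a comment above the clamping block, e.g. `/* 0 selects the default; other values are clamped to [MINIMUM_QUERY_TIMEOUT, MAXIMUM_QUERY_TIMEOUT]. */`. `resolver->query_timeout` is also written here without taking a lock; whether callers only set it before the resolver is in use cannot be told from this hunk and is worth confirming.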
diff --git a/contrib/bind9/lib/dns/result.c b/contrib/bind9/lib/dns/result.c
index 0d2ecc06f027..0546d0f1eb0a 100644
--- a/contrib/bind9/lib/dns/result.c
+++ b/contrib/bind9/lib/dns/result.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2007, 2008, 2010, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007-2012 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1998-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -105,7 +105,7 @@ static const char *text[DNS_R_NRESULTS] = {
"no valid RRSIG", /*%< 59 DNS_R_NOVALIDSIG */
"no valid NSEC", /*%< 60 DNS_R_NOVALIDNSEC */
- "not insecure", /*%< 61 DNS_R_NOTINSECURE */
+ "insecurity proof failed", /*%< 61 DNS_R_NOTINSECURE */
"unknown service", /*%< 62 DNS_R_UNKNOWNSERVICE */
"recoverable error occurred", /*%< 63 DNS_R_RECOVERABLE */
"unknown opt attribute record", /*%< 64 DNS_R_UNKNOWNOPT */
@@ -160,6 +160,7 @@ static const char *text[DNS_R_NRESULTS] = {
"not master", /*%< 105 DNS_R_NOTMASTER */
"broken trust chain", /*%< 106 DNS_R_BROKENCHAIN */
+ "expired", /*%< 106 DNS_R_EXPIRED */
};
static const char *rcode_text[DNS_R_NRCODERESULTS] = {
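Review bot: The index comment on the added `"expired"` entry repeats 106, which the preceding line already assigns to DNS_R_BROKENCHAIN. The entries are positional, so the new string sits at index 107 and the comment should read `/*%< 107 DNS_R_EXPIRED */`. These comments are the only visible cross-check between `text[]` and the result codes, so a wrong number makes a later off-by-one in the table harder to spot. The matching bump of DNS_R_NRESULTS lives in the header, which is not part of this hunk.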
diff --git a/contrib/bind9/lib/dns/rootns.c b/contrib/bind9/lib/dns/rootns.c
index 5e76aa88ca64..9b25369daad5 100644
--- a/contrib/bind9/lib/dns/rootns.c
+++ b/contrib/bind9/lib/dns/rootns.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2007, 2008, 2010, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2008, 2010 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: rootns.c,v 1.40 2010/06/18 05:36:24 marka Exp $ */
/*! \file */
diff --git a/contrib/bind9/lib/dns/rpz.c b/contrib/bind9/lib/dns/rpz.c
new file mode 100644
index 000000000000..78658590ae48
--- /dev/null
+++ b/contrib/bind9/lib/dns/rpz.c
@@ -0,0 +1,1208 @@
+/*
+ * Copyright (C) 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id$ */
+
+/*! \file */
+
+#include <config.h>
+
+#include <isc/buffer.h>
+#include <isc/mem.h>
+#include <isc/net.h>
+#include <isc/netaddr.h>
+#include <isc/print.h>
+#include <isc/stdlib.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dns/db.h>
+#include <dns/fixedname.h>
+#include <dns/log.h>
+#include <dns/rdata.h>
+#include <dns/rdataset.h>
+#include <dns/rdatastruct.h>
+#include <dns/result.h>
+#include <dns/rpz.h>
+#include <dns/view.h>
+
+
+/*
+ * Parallel radix trees for databases of response policy IP addresses
+ *
+ * The radix or Patricia trees are somewhat specialized to handle response
+ * policy addresses by representing the two test of IP IP addresses and name
+ * server IP addresses in a single tree.
+ *
+ * Each leaf indicates that an IP address is listed in the IP address or the
+ * name server IP address policy sub-zone (or both) of the corresponding
+ * response response zone. The policy data such as a CNAME or an A record
+ * is kept in the policy zone. After an IP address has been found in a radix
+ * tree, the node in the policy zone's database is found by converting
+ * the IP address to a domain name in a canonical form.
+ *
+ * The response policy zone canonical form of IPv6 addresses is one of:
+ * prefix.W.W.W.W.W.W.W.W
+ * prefix.WORDS.zz
+ * prefix.WORDS.zz.WORDS
+ * prefix.zz.WORDS
+ * where
+ * prefix is the prefix length of the IPv6 address between 1 and 128
+ * W is a number between 0 and 65535
+ * WORDS is one or more numbers W separated with "."
+ * zz corresponds to :: in the standard IPv6 text representation
+ *
+ * The canonical form of IPv4 addresses is:
+ * prefix.B.B.B.B
+ * where
+ * prefix is the prefix length of the address between 1 and 32
+ * B is a number between 0 and 255
+ *
+ * IPv4 addresses are distinguished from IPv6 addresses by having
+ * 5 labels all of which are numbers, and a prefix between 1 and 32.
+ */
+
+
+/*
+ * Use a private definition of IPv6 addresses because s6_addr32 is not
+ * always defined and our IPv6 addresses are in non-standard byte order
+ */
+typedef isc_uint32_t dns_rpz_cidr_word_t;
+#define DNS_RPZ_CIDR_WORD_BITS ((int)sizeof(dns_rpz_cidr_word_t)*8)
+#define DNS_RPZ_CIDR_KEY_BITS ((int)sizeof(dns_rpz_cidr_key_t)*8)
+#define DNS_RPZ_CIDR_WORDS (128/DNS_RPZ_CIDR_WORD_BITS)
+typedef struct {
+ dns_rpz_cidr_word_t w[DNS_RPZ_CIDR_WORDS];
+} dns_rpz_cidr_key_t;
+
+#define ADDR_V4MAPPED 0xffff
+
+#define DNS_RPZ_WORD_MASK(b) \
+ ((b) == 0 ? (dns_rpz_cidr_word_t)(-1) \
+ : ((dns_rpz_cidr_word_t)(-1) \
+ << (DNS_RPZ_CIDR_WORD_BITS - (b))))
+
+#define DNS_RPZ_IP_BIT(ip, bitno) \
+ (1 & ((ip)->w[(bitno)/DNS_RPZ_CIDR_WORD_BITS] >> \
+ (DNS_RPZ_CIDR_WORD_BITS - 1 - ((bitno) % DNS_RPZ_CIDR_WORD_BITS))))
+
+typedef struct dns_rpz_cidr_node dns_rpz_cidr_node_t;
+typedef isc_uint8_t dns_rpz_cidr_flags_t;
+struct dns_rpz_cidr_node {
+ dns_rpz_cidr_node_t *parent;
+ dns_rpz_cidr_node_t *child[2];
+ dns_rpz_cidr_key_t ip;
+ dns_rpz_cidr_bits_t bits;
+ dns_rpz_cidr_flags_t flags;
+#define DNS_RPZ_CIDR_FG_IP 0x01 /* has IP data or is parent of IP */
+#define DNS_RPZ_CIDR_FG_IP_DATA 0x02 /* has IP data */
+#define DNS_RPZ_CIDR_FG_NSIPv4 0x04 /* has or is parent of NSIPv4 data */
+#define DNS_RPZ_CIDR_FG_NSIPv6 0x08 /* has or is parent of NSIPv6 data */
+#define DNS_RPZ_CIDR_FG_NSIP_DATA 0x10 /* has NSIP data */
+};
+
+struct dns_rpz_cidr {
+ isc_mem_t *mctx;
+ isc_boolean_t have_nsdname; /* zone has NSDNAME record */
+ dns_rpz_cidr_node_t *root;
+ dns_name_t ip_name; /* RPZ_IP_ZONE.origin. */
+ dns_name_t nsip_name; /* RPZ_NSIP_ZONE.origin. */
+ dns_name_t nsdname_name; /* RPZ_NSDNAME_ZONE.origin */
+};
+
+static isc_boolean_t have_rpz_zones = ISC_FALSE;
+
+const char *
+dns_rpz_type2str(dns_rpz_type_t type) {
+ switch (type) {
+ case DNS_RPZ_TYPE_QNAME:
+ return ("QNAME");
+ case DNS_RPZ_TYPE_IP:
+ return ("IP");
+ case DNS_RPZ_TYPE_NSIP:
+ return ("NSIP");
+ case DNS_RPZ_TYPE_NSDNAME:
+ return ("NSDNAME");
+ case DNS_RPZ_TYPE_BAD:
+ break;
+ }
+ FATAL_ERROR(__FILE__, __LINE__,
+ "impossible rpz type %d", type);
+ return ("impossible");
+}
+
+dns_rpz_policy_t
+dns_rpz_str2policy(const char *str) {
+ if (str == NULL)
+ return (DNS_RPZ_POLICY_ERROR);
+ if (!strcasecmp(str, "given"))
+ return (DNS_RPZ_POLICY_GIVEN);
+ if (!strcasecmp(str, "disabled"))
+ return (DNS_RPZ_POLICY_DISABLED);
+ if (!strcasecmp(str, "passthru"))
+ return (DNS_RPZ_POLICY_PASSTHRU);
+ if (!strcasecmp(str, "nxdomain"))
+ return (DNS_RPZ_POLICY_NXDOMAIN);
+ if (!strcasecmp(str, "nodata"))
+ return (DNS_RPZ_POLICY_NODATA);
+ if (!strcasecmp(str, "cname"))
+ return (DNS_RPZ_POLICY_CNAME);
+ /*
+ * Obsolete
+ */
+ if (!strcasecmp(str, "no-op"))
+ return (DNS_RPZ_POLICY_PASSTHRU);
+ return (DNS_RPZ_POLICY_ERROR);
+}
+
+const char *
+dns_rpz_policy2str(dns_rpz_policy_t policy) {
+ const char *str;
+
+ switch (policy) {
+ case DNS_RPZ_POLICY_PASSTHRU:
+ str = "PASSTHRU";
+ break;
+ case DNS_RPZ_POLICY_NXDOMAIN:
+ str = "NXDOMAIN";
+ break;
+ case DNS_RPZ_POLICY_NODATA:
+ str = "NODATA";
+ break;
+ case DNS_RPZ_POLICY_RECORD:
+ str = "Local-Data";
+ break;
+ case DNS_RPZ_POLICY_CNAME:
+ case DNS_RPZ_POLICY_WILDCNAME:
+ str = "CNAME";
+ break;
+ default:
+ str = "";
+ INSIST(0);
+ }
+ return (str);
+}
+
+/*
+ * Free the radix tree of a response policy database.
+ */
+void
+dns_rpz_cidr_free(dns_rpz_cidr_t **cidrp) {
+ dns_rpz_cidr_node_t *cur, *child, *parent;
+ dns_rpz_cidr_t *cidr;
+
+ REQUIRE(cidrp != NULL);
+
+ cidr = *cidrp;
+ if (cidr == NULL)
+ return;
+
+ cur = cidr->root;
+ while (cur != NULL) {
+ /* Depth first. */
+ child = cur->child[0];
+ if (child != NULL) {
+ cur = child;
+ continue;
+ }
+ child = cur->child[1];
+ if (child != NULL) {
+ cur = child;
+ continue;
+ }
+
+ /* Delete this leaf and go up. */
+ parent = cur->parent;
+ if (parent == NULL)
+ cidr->root = NULL;
+ else
+ parent->child[parent->child[1] == cur] = NULL;
+ isc_mem_put(cidr->mctx, cur, sizeof(*cur));
+ cur = parent;
+ }
+
+ dns_name_free(&cidr->ip_name, cidr->mctx);
+ dns_name_free(&cidr->nsip_name, cidr->mctx);
+ dns_name_free(&cidr->nsdname_name, cidr->mctx);
+ isc_mem_put(cidr->mctx, cidr, sizeof(*cidr));
+ *cidrp = NULL;
+}
+
+/*
+ * Forget a view's list of policy zones.
+ */
+void
+dns_rpz_view_destroy(dns_view_t *view) {
+ dns_rpz_zone_t *zone;
+
+ REQUIRE(view != NULL);
+
+ while (!ISC_LIST_EMPTY(view->rpz_zones)) {
+ zone = ISC_LIST_HEAD(view->rpz_zones);
+ ISC_LIST_UNLINK(view->rpz_zones, zone, link);
+ if (dns_name_dynamic(&zone->origin))
+ dns_name_free(&zone->origin, view->mctx);
+ if (dns_name_dynamic(&zone->passthru))
+ dns_name_free(&zone->passthru, view->mctx);
+ if (dns_name_dynamic(&zone->nsdname))
+ dns_name_free(&zone->nsdname, view->mctx);
+ if (dns_name_dynamic(&zone->cname))
+ dns_name_free(&zone->cname, view->mctx);
+ isc_mem_put(view->mctx, zone, sizeof(*zone));
+ }
+}
+
+/*
+ * Note that we have at least one response policy zone.
+ * It would be better for something to tell the rbtdb code that the
+ * zone is in at least one view's list of policy zones.
+ */
+void
+dns_rpz_set_need(isc_boolean_t need) {
+ have_rpz_zones = need;
+}
+
+isc_boolean_t
+dns_rpz_needed(void) {
+ return (have_rpz_zones);
+}
+
+/*
+ * Start a new radix tree for a response policy zone.
+ */
+isc_result_t
+dns_rpz_new_cidr(isc_mem_t *mctx, dns_name_t *origin,
+ dns_rpz_cidr_t **rbtdb_cidr)
+{
+ isc_result_t result;
+ dns_rpz_cidr_t *cidr;
+
+ REQUIRE(rbtdb_cidr != NULL && *rbtdb_cidr == NULL);
+
+ /*
+ * Only if there is at least one response policy zone.
+ */
+ if (!have_rpz_zones)
+ return (ISC_R_SUCCESS);
+
+ cidr = isc_mem_get(mctx, sizeof(*cidr));
+ if (cidr == NULL)
+ return (ISC_R_NOMEMORY);
+ memset(cidr, 0, sizeof(*cidr));
+ cidr->mctx = mctx;
+
+ dns_name_init(&cidr->ip_name, NULL);
+ result = dns_name_fromstring2(&cidr->ip_name, DNS_RPZ_IP_ZONE, origin,
+ DNS_NAME_DOWNCASE, mctx);
+ if (result != ISC_R_SUCCESS) {
+ isc_mem_put(mctx, cidr, sizeof(*cidr));
+ return (result);
+ }
+
+ dns_name_init(&cidr->nsip_name, NULL);
+ result = dns_name_fromstring2(&cidr->nsip_name, DNS_RPZ_NSIP_ZONE,
+ origin, DNS_NAME_DOWNCASE, mctx);
+ if (result != ISC_R_SUCCESS) {
+ dns_name_free(&cidr->ip_name, mctx);
+ isc_mem_put(mctx, cidr, sizeof(*cidr));
+ return (result);
+ }
+
+ dns_name_init(&cidr->nsdname_name, NULL);
+ result = dns_name_fromstring2(&cidr->nsdname_name, DNS_RPZ_NSDNAME_ZONE,
+ origin, DNS_NAME_DOWNCASE, mctx);
+ if (result != ISC_R_SUCCESS) {
+ dns_name_free(&cidr->nsip_name, mctx);
+ dns_name_free(&cidr->ip_name, mctx);
+ isc_mem_put(mctx, cidr, sizeof(*cidr));
+ return (result);
+ }
+
+ *rbtdb_cidr = cidr;
+ return (ISC_R_SUCCESS);
+}
+
+/*
+ * See if a policy zone has IP, NSIP, or NSDNAME rules or records.
+ */
+void
+dns_rpz_enabled(dns_rpz_cidr_t *cidr, dns_rpz_st_t *st) {
+ if (cidr == NULL)
+ return;
+ if (cidr->root != NULL &&
+ (cidr->root->flags & DNS_RPZ_CIDR_FG_IP) != 0)
+ st->state |= DNS_RPZ_HAVE_IP;
+ if (cidr->root != NULL &&
+ (cidr->root->flags & DNS_RPZ_CIDR_FG_NSIPv4) != 0)
+ st->state |= DNS_RPZ_HAVE_NSIPv4;
+ if (cidr->root != NULL &&
+ (cidr->root->flags & DNS_RPZ_CIDR_FG_NSIPv6) != 0)
+ st->state |= DNS_RPZ_HAVE_NSIPv6;
+ if (cidr->have_nsdname)
+ st->state |= DNS_RPZ_HAVE_NSDNAME;
+}
+
+static inline dns_rpz_cidr_flags_t
+get_flags(const dns_rpz_cidr_key_t *ip, dns_rpz_cidr_bits_t prefix,
+ dns_rpz_type_t rpz_type)
+{
+ if (rpz_type == DNS_RPZ_TYPE_NSIP) {
+ if (prefix >= 96 &&
+ ip->w[0] == 0 && ip->w[1] == 0 &&
+ ip->w[2] == ADDR_V4MAPPED)
+ return (DNS_RPZ_CIDR_FG_NSIP_DATA |
+ DNS_RPZ_CIDR_FG_NSIPv4);
+ else
+ return (DNS_RPZ_CIDR_FG_NSIP_DATA |
+ DNS_RPZ_CIDR_FG_NSIPv6);
+ } else {
+ return (DNS_RPZ_CIDR_FG_IP | DNS_RPZ_CIDR_FG_IP_DATA);
+ }
+}
+
+/*
+ * Mark a node as having IP or NSIP data and all of its parents
+ * as members of the IP or NSIP tree.
+ */
+static void
+set_node_flags(dns_rpz_cidr_node_t *node, dns_rpz_type_t rpz_type) {
+ dns_rpz_cidr_flags_t flags;
+
+ flags = get_flags(&node->ip, node->bits, rpz_type);
+ node->flags |= flags;
+ flags &= ~(DNS_RPZ_CIDR_FG_NSIP_DATA | DNS_RPZ_CIDR_FG_IP_DATA);
+ for (;;) {
+ node = node->parent;
+ if (node == NULL)
+ return;
+ node->flags |= flags;
+ }
+}
+
+/*
+ * Make a radix tree node.
+ */
+static dns_rpz_cidr_node_t *
+new_node(dns_rpz_cidr_t *cidr, const dns_rpz_cidr_key_t *ip,
+ dns_rpz_cidr_bits_t bits, dns_rpz_cidr_flags_t flags)
+{
+ dns_rpz_cidr_node_t *node;
+ int i, words, wlen;
+
+ node = isc_mem_get(cidr->mctx, sizeof(*node));
+ if (node == NULL)
+ return (NULL);
+ memset(node, 0, sizeof(*node));
+
+ node->flags = flags & ~(DNS_RPZ_CIDR_FG_IP_DATA |
+ DNS_RPZ_CIDR_FG_NSIP_DATA);
+
+ node->bits = bits;
+ words = bits / DNS_RPZ_CIDR_WORD_BITS;
+ wlen = bits % DNS_RPZ_CIDR_WORD_BITS;
+ i = 0;
+ while (i < words) {
+ node->ip.w[i] = ip->w[i];
+ ++i;
+ }
+ if (wlen != 0) {
+ node->ip.w[i] = ip->w[i] & DNS_RPZ_WORD_MASK(wlen);
+ ++i;
+ }
+ while (i < DNS_RPZ_CIDR_WORDS)
+ node->ip.w[i++] = 0;
+
+ return (node);
+}
+
+static void
+badname(int level, dns_name_t *name, const char *str1, const char *str2) {
+ char printname[DNS_NAME_FORMATSIZE];
+
+ if (level < DNS_RPZ_DEBUG_QUIET
+ && isc_log_wouldlog(dns_lctx, level)) {
+ dns_name_format(name, printname, sizeof(printname));
+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_RPZ,
+ DNS_LOGMODULE_RBTDB, level,
+ "invalid rpz IP address \"%s\"%s%s",
+ printname, str1, str2);
+ }
+}
+
+/*
+ * Convert an IP address from radix tree binary (host byte order) to
+ * to its canonical response policy domain name and its name in the
+ * policy zone.
+ */
+static isc_result_t
+ip2name(dns_rpz_cidr_t *cidr, const dns_rpz_cidr_key_t *tgt_ip,
+ dns_rpz_cidr_bits_t tgt_prefix, dns_rpz_type_t type,
+ dns_name_t *canon_name, dns_name_t *search_name)
+{
+#ifndef INET6_ADDRSTRLEN
+#define INET6_ADDRSTRLEN 46
+#endif
+ int w[DNS_RPZ_CIDR_WORDS*2];
+ char str[1+8+1+INET6_ADDRSTRLEN+1];
+ isc_buffer_t buffer;
+ dns_name_t *name;
+ isc_result_t result;
+ isc_boolean_t zeros;
+ int i, n, len;
+
+ if (tgt_prefix > 96 &&
+ tgt_ip->w[0] == 0 &&
+ tgt_ip->w[1] == 0 &&
+ tgt_ip->w[2] == ADDR_V4MAPPED) {
+ len = snprintf(str, sizeof(str), "%d.%d.%d.%d.%d",
+ tgt_prefix - 96,
+ tgt_ip->w[3] & 0xff,
+ (tgt_ip->w[3]>>8) & 0xff,
+ (tgt_ip->w[3]>>16) & 0xff,
+ (tgt_ip->w[3]>>24) & 0xff);
+ if (len == -1 || len > (int)sizeof(str))
+ return (ISC_R_FAILURE);
+ } else {
+ for (i = 0; i < DNS_RPZ_CIDR_WORDS; i++) {
+ w[i*2+1] = ((tgt_ip->w[DNS_RPZ_CIDR_WORDS-1-i] >> 16)
+ & 0xffff);
+ w[i*2] = tgt_ip->w[DNS_RPZ_CIDR_WORDS-1-i] & 0xffff;
+ }
+ zeros = ISC_FALSE;
+ len = snprintf(str, sizeof(str), "%d", tgt_prefix);
+ if (len == -1)
+ return (ISC_R_FAILURE);
+ i = 0;
+ while (i < DNS_RPZ_CIDR_WORDS * 2) {
+ if (w[i] != 0 || zeros
+ || i >= DNS_RPZ_CIDR_WORDS * 2 - 1
+ || w[i+1] != 0) {
+ INSIST((size_t)len <= sizeof(str));
+ n = snprintf(&str[len], sizeof(str) - len,
+ ".%x", w[i++]);
+ if (n < 0)
+ return (ISC_R_FAILURE);
+ len += n;
+ } else {
+ zeros = ISC_TRUE;
+ INSIST((size_t)len <= sizeof(str));
+ n = snprintf(&str[len], sizeof(str) - len,
+ ".zz");
+ if (n < 0)
+ return (ISC_R_FAILURE);
+ len += n;
+ i += 2;
+ while (i < DNS_RPZ_CIDR_WORDS * 2 && w[i] == 0)
+ ++i;
+ }
+ if (len > (int)sizeof(str))
+ return (ISC_R_FAILURE);
+ }
+ }
+
+ if (canon_name != NULL) {
+ isc__buffer_init(&buffer, str, sizeof(str));
+ isc__buffer_add(&buffer, len);
+ result = dns_name_fromtext(canon_name, &buffer,
+ dns_rootname, 0, NULL);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ }
+ if (search_name != NULL) {
+ isc__buffer_init(&buffer, str, sizeof(str));
+ isc__buffer_add(&buffer, len);
+ if (type == DNS_RPZ_TYPE_NSIP)
+ name = &cidr->nsip_name;
+ else
+ name = &cidr->ip_name;
+ result = dns_name_fromtext(search_name, &buffer, name, 0, NULL);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ }
+ return (ISC_R_SUCCESS);
+}
+
+/*
+ * Decide which kind of IP address response policy zone a name is in.
+ */
+static dns_rpz_type_t
+set_type(dns_rpz_cidr_t *cidr, dns_name_t *name) {
+
+ if (dns_name_issubdomain(name, &cidr->ip_name))
+ return (DNS_RPZ_TYPE_IP);
+
+ /*
+ * Require `./configure --enable-rpz-nsip` and nsdname
+ * until consistency problems are resolved.
+ */
+#ifdef ENABLE_RPZ_NSIP
+ if (dns_name_issubdomain(name, &cidr->nsip_name))
+ return (DNS_RPZ_TYPE_NSIP);
+#endif
+
+#ifdef ENABLE_RPZ_NSDNAME
+ if (dns_name_issubdomain(name, &cidr->nsdname_name))
+ return (DNS_RPZ_TYPE_NSDNAME);
+#endif
+
+ return (DNS_RPZ_TYPE_QNAME);
+}
+
+/*
+ * Convert an IP address from canonical response policy domain name form
+ * to radix tree binary (host byte order).
+ */
+static isc_result_t
+name2ipkey(dns_rpz_cidr_t *cidr, int level, dns_name_t *src_name,
+ dns_rpz_type_t type, dns_rpz_cidr_key_t *tgt_ip,
+ dns_rpz_cidr_bits_t *tgt_prefix)
+{
+ isc_result_t result;
+ dns_fixedname_t fname;
+ dns_name_t *ipname;
+ char ipstr[DNS_NAME_FORMATSIZE];
+ const char *prefix_str, *cp, *end;
+ char *cp2;
+ int ip_labels;
+ dns_rpz_cidr_bits_t bits;
+ unsigned long prefix, l;
+ int i;
+
+ /*
+ * Need at least enough labels for the shortest name,
+ * :: or 128.*.RPZ_x_ZONE.rpz.LOCALHOST.
+ */
+ ip_labels = dns_name_countlabels(src_name);
+ ip_labels -= dns_name_countlabels(&cidr->ip_name);
+ ip_labels--;
+ if (ip_labels < 1) {
+ badname(level, src_name, "; too short", "");
+ return (ISC_R_FAILURE);
+ }
+
+ /*
+ * Get text for the IP address
+ */
+ dns_fixedname_init(&fname);
+ ipname = dns_fixedname_name(&fname);
+ dns_name_split(src_name, dns_name_countlabels(&cidr->ip_name),
+ ipname, NULL);
+ dns_name_format(ipname, ipstr, sizeof(ipstr));
+ end = &ipstr[strlen(ipstr)+1];
+ prefix_str = ipstr;
+
+ prefix = strtoul(prefix_str, &cp2, 10);
+ if (*cp2 != '.') {
+ badname(level, src_name,
+ "; invalid leading prefix length", "");
+ return (ISC_R_FAILURE);
+ }
+ *cp2 = '\0';
+ if (prefix < 1U || prefix > 128U) {
+ badname(level, src_name,
+ "; invalid prefix length of ", prefix_str);
+ return (ISC_R_FAILURE);
+ }
+ cp = cp2+1;
+
+ if (ip_labels == 4 && !strchr(cp, 'z')) {
+ /*
+ * Convert an IPv4 address
+ * from the form "prefix.w.z.y.x"
+ */
+ if (prefix > 32U) {
+ badname(level, src_name,
+ "; invalid IPv4 prefix length of ", prefix_str);
+ return (ISC_R_FAILURE);
+ }
+ prefix += 96;
+ *tgt_prefix = (dns_rpz_cidr_bits_t)prefix;
+ tgt_ip->w[0] = 0;
+ tgt_ip->w[1] = 0;
+ tgt_ip->w[2] = ADDR_V4MAPPED;
+ tgt_ip->w[3] = 0;
+ for (i = 0; i < 32; i += 8) {
+ l = strtoul(cp, &cp2, 10);
+ if (l > 255U || (*cp2 != '.' && *cp2 != '\0')) {
+ if (*cp2 == '.')
+ *cp2 = '\0';
+ badname(level, src_name,
+ "; invalid IPv4 octet ", cp);
+ return (ISC_R_FAILURE);
+ }
+ tgt_ip->w[3] |= l << i;
+ cp = cp2 + 1;
+ }
+ } else {
+ /*
+ * Convert a text IPv6 address.
+ */
+ *tgt_prefix = (dns_rpz_cidr_bits_t)prefix;
+ for (i = 0;
+ ip_labels > 0 && i < DNS_RPZ_CIDR_WORDS * 2;
+ ip_labels--) {
+ if (cp[0] == 'z' && cp[1] == 'z' &&
+ (cp[2] == '.' || cp[2] == '\0') &&
+ i <= 6) {
+ do {
+ if ((i & 1) == 0)
+ tgt_ip->w[3-i/2] = 0;
+ ++i;
+ } while (ip_labels + i <= 8);
+ cp += 3;
+ } else {
+ l = strtoul(cp, &cp2, 16);
+ if (l > 0xffffu ||
+ (*cp2 != '.' && *cp2 != '\0')) {
+ if (*cp2 == '.')
+ *cp2 = '\0';
+ badname(level, src_name,
+ "; invalid IPv6 word ", cp);
+ return (ISC_R_FAILURE);
+ }
+ if ((i & 1) == 0)
+ tgt_ip->w[3-i/2] = l;
+ else
+ tgt_ip->w[3-i/2] |= l << 16;
+ i++;
+ cp = cp2 + 1;
+ }
+ }
+ }
+ if (cp != end) {
+ badname(level, src_name, "", "");
+ return (ISC_R_FAILURE);
+ }
+
+ /*
+ * Check for 1s after the prefix length.
+ */
+ bits = (dns_rpz_cidr_bits_t)prefix;
+ while (bits < DNS_RPZ_CIDR_KEY_BITS) {
+ dns_rpz_cidr_word_t aword;
+
+ i = bits % DNS_RPZ_CIDR_WORD_BITS;
+ aword = tgt_ip->w[bits / DNS_RPZ_CIDR_WORD_BITS];
+ if ((aword & ~DNS_RPZ_WORD_MASK(i)) != 0) {
+ badname(level, src_name,
+ "; too small prefix length of ", prefix_str);
+ return (ISC_R_FAILURE);
+ }
+ bits -= i;
+ bits += DNS_RPZ_CIDR_WORD_BITS;
+ }
+
+ /*
+ * Convert the address back to a canonical policy domain name
+ * to ensure that it is in canonical form.
+ */
+ result = ip2name(cidr, tgt_ip, (dns_rpz_cidr_bits_t) prefix,
+ type, NULL, ipname);
+ if (result != ISC_R_SUCCESS || !dns_name_equal(src_name, ipname)) {
+ badname(level, src_name, "; not canonical", "");
+ return (ISC_R_FAILURE);
+ }
+
+ return (ISC_R_SUCCESS);
+}
+
+/*
+ * Find first differing bit.
+ */
+static int
+ffbit(dns_rpz_cidr_word_t w) {
+ int bit;
+
+ bit = DNS_RPZ_CIDR_WORD_BITS-1;
+ if ((w & 0xffff0000) != 0) {
+ w >>= 16;
+ bit -= 16;
+ }
+ if ((w & 0xff00) != 0) {
+ w >>= 8;
+ bit -= 8;
+ }
+ if ((w & 0xf0) != 0) {
+ w >>= 4;
+ bit -= 4;
+ }
+ if ((w & 0xc) != 0) {
+ w >>= 2;
+ bit -= 2;
+ }
+ if ((w & 2) != 0)
+ --bit;
+ return (bit);
+}
+
+/*
+ * Find the first differing bit in two keys.
+ */
+static int
+diff_keys(const dns_rpz_cidr_key_t *key1, dns_rpz_cidr_bits_t bits1,
+ const dns_rpz_cidr_key_t *key2, dns_rpz_cidr_bits_t bits2)
+{
+ dns_rpz_cidr_word_t delta;
+ dns_rpz_cidr_bits_t maxbit, bit;
+ int i;
+
+ maxbit = ISC_MIN(bits1, bits2);
+
+ /*
+ * find the first differing words
+ */
+ for (i = 0, bit = 0;
+ bit <= maxbit;
+ i++, bit += DNS_RPZ_CIDR_WORD_BITS) {
+ delta = key1->w[i] ^ key2->w[i];
+ if (delta != 0) {
+ bit += ffbit(delta);
+ break;
+ }
+ }
+ return (ISC_MIN(bit, maxbit));
+}
+
+/*
+ * Search a radix tree for an IP address for ordinary lookup
+ * or for a CIDR block adding or deleting an entry
+ * The tree read (for simple search) or write lock must be held by the caller.
+ *
+ * Return ISC_R_SUCCESS, ISC_R_NOTFOUND, DNS_R_PARTIALMATCH, ISC_R_EXISTS,
+ * ISC_R_NOMEMORY
+ */
+static isc_result_t
+search(dns_rpz_cidr_t *cidr, const dns_rpz_cidr_key_t *tgt_ip,
+ dns_rpz_cidr_bits_t tgt_prefix, dns_rpz_type_t type,
+ isc_boolean_t create,
+ dns_rpz_cidr_node_t **found) /* NULL or longest match node */
+{
+ dns_rpz_cidr_node_t *cur, *parent, *child, *new_parent, *sibling;
+ int cur_num, child_num;
+ dns_rpz_cidr_bits_t dbit;
+ dns_rpz_cidr_flags_t flags, data_flag;
+ isc_result_t find_result;
+
+ flags = get_flags(tgt_ip, tgt_prefix, type);
+ data_flag = flags & (DNS_RPZ_CIDR_FG_IP_DATA |
+ DNS_RPZ_CIDR_FG_NSIP_DATA);
+
+ find_result = ISC_R_NOTFOUND;
+ if (found != NULL)
+ *found = NULL;
+ cur = cidr->root;
+ parent = NULL;
+ cur_num = 0;
+ for (;;) {
+ if (cur == NULL) {
+ /*
+ * No child so we cannot go down. Fail or
+ * add the target as a child of the current parent.
+ */
+ if (!create)
+ return (find_result);
+ child = new_node(cidr, tgt_ip, tgt_prefix, 0);
+ if (child == NULL)
+ return (ISC_R_NOMEMORY);
+ if (parent == NULL)
+ cidr->root = child;
+ else
+ parent->child[cur_num] = child;
+ child->parent = parent;
+ set_node_flags(child, type);
+ if (found != NULL)
+ *found = cur;
+ return (ISC_R_SUCCESS);
+ }
+
+ /*
+ * Pretend a node not in the correct tree does not exist
+ * if we are not adding to the tree,
+ * If we are adding, then continue down to eventually
+ * add a node and mark/put this node in the correct tree.
+ */
+ if ((cur->flags & flags) == 0 && !create)
+ return (find_result);
+
+ dbit = diff_keys(tgt_ip, tgt_prefix, &cur->ip, cur->bits);
+ /*
+ * dbit <= tgt_prefix and dbit <= cur->bits always.
+ * We are finished searching if we matched all of the target.
+ */
+ if (dbit == tgt_prefix) {
+ if (tgt_prefix == cur->bits) {
+ /*
+ * The current node matches the target exactly.
+ * It is the answer if it has data.
+ */
+ if ((cur->flags & data_flag) != 0) {
+ if (create)
+ return (ISC_R_EXISTS);
+ if (found != NULL)
+ *found = cur;
+ return (ISC_R_SUCCESS);
+ } else if (create) {
+ /*
+ * The node had no data but does now.
+ */
+ set_node_flags(cur, type);
+ if (found != NULL)
+ *found = cur;
+ return (ISC_R_SUCCESS);
+ }
+ return (find_result);
+ }
+
+ /*
+ * We know tgt_prefix < cur_bits which means that
+ * the target is shorter than the current node.
+ * Add the target as the current node's parent.
+ */
+ if (!create)
+ return (find_result);
+
+ new_parent = new_node(cidr, tgt_ip, tgt_prefix,
+ cur->flags);
+ if (new_parent == NULL)
+ return (ISC_R_NOMEMORY);
+ new_parent->parent = parent;
+ if (parent == NULL)
+ cidr->root = new_parent;
+ else
+ parent->child[cur_num] = new_parent;
+ child_num = DNS_RPZ_IP_BIT(&cur->ip, tgt_prefix+1);
+ new_parent->child[child_num] = cur;
+ cur->parent = new_parent;
+ set_node_flags(new_parent, type);
+ if (found != NULL)
+ *found = new_parent;
+ return (ISC_R_SUCCESS);
+ }
+
+ if (dbit == cur->bits) {
+ /*
+ * We have a partial match by matching of all of the
+ * current node but only part of the target.
+ * Try to go down.
+ */
+ if ((cur->flags & data_flag) != 0) {
+ find_result = DNS_R_PARTIALMATCH;
+ if (found != NULL)
+ *found = cur;
+ }
+
+ parent = cur;
+ cur_num = DNS_RPZ_IP_BIT(tgt_ip, dbit);
+ cur = cur->child[cur_num];
+ continue;
+ }
+
+
+ /*
+ * dbit < tgt_prefix and dbit < cur->bits,
+ * so we failed to match both the target and the current node.
+ * Insert a fork of a parent above the current node and
+ * add the target as a sibling of the current node
+ */
+ if (!create)
+ return (find_result);
+
+ sibling = new_node(cidr, tgt_ip, tgt_prefix, 0);
+ if (sibling == NULL)
+ return (ISC_R_NOMEMORY);
+ new_parent = new_node(cidr, tgt_ip, dbit, cur->flags);
+ if (new_parent == NULL) {
+ isc_mem_put(cidr->mctx, sibling, sizeof(*sibling));
+ return (ISC_R_NOMEMORY);
+ }
+ new_parent->parent = parent;
+ if (parent == NULL)
+ cidr->root = new_parent;
+ else
+ parent->child[cur_num] = new_parent;
+ child_num = DNS_RPZ_IP_BIT(tgt_ip, dbit);
+ new_parent->child[child_num] = sibling;
+ new_parent->child[1-child_num] = cur;
+ cur->parent = new_parent;
+ sibling->parent = new_parent;
+ set_node_flags(sibling, type);
+ if (found != NULL)
+ *found = sibling;
+ return (ISC_R_SUCCESS);
+ }
+}
+
+/*
+ * Add an IP address to the radix tree of a response policy database.
+ * The tree write lock must be held by the caller.
+ */
+void
+dns_rpz_cidr_addip(dns_rpz_cidr_t *cidr, dns_name_t *name) {
+ isc_result_t result;
+ dns_rpz_cidr_key_t tgt_ip;
+ dns_rpz_cidr_bits_t tgt_prefix;
+ dns_rpz_type_t type;
+
+ if (cidr == NULL)
+ return;
+
+ /*
+ * No worries if the new name is not an IP address.
+ */
+ type = set_type(cidr, name);
+ switch (type) {
+ case DNS_RPZ_TYPE_IP:
+ case DNS_RPZ_TYPE_NSIP:
+ break;
+ case DNS_RPZ_TYPE_NSDNAME:
+ cidr->have_nsdname = ISC_TRUE;
+ return;
+ case DNS_RPZ_TYPE_QNAME:
+ case DNS_RPZ_TYPE_BAD:
+ return;
+ }
+ result = name2ipkey(cidr, DNS_RPZ_ERROR_LEVEL, name,
+ type, &tgt_ip, &tgt_prefix);
+ if (result != ISC_R_SUCCESS)
+ return;
+
+ result = search(cidr, &tgt_ip, tgt_prefix, type, ISC_TRUE, NULL);
+ if (result == ISC_R_EXISTS &&
+ isc_log_wouldlog(dns_lctx, DNS_RPZ_ERROR_LEVEL))
+ {
+ char printname[DNS_NAME_FORMATSIZE];
+
+ dns_name_format(name, printname, sizeof(printname));
+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_RPZ,
+ DNS_LOGMODULE_RBTDB, DNS_RPZ_ERROR_LEVEL,
+ "rpz add failed; \"%s\" is a duplicate name",
+ printname);
+ }
+}
+
+/*
+ * Delete an IP address from the radix tree of a response policy database.
+ * The tree write lock must be held by the caller.
+ */
+void
+dns_rpz_cidr_deleteip(dns_rpz_cidr_t *cidr, dns_name_t *name) {
+ isc_result_t result;
+ dns_rpz_cidr_key_t tgt_ip;
+ dns_rpz_cidr_bits_t tgt_prefix;
+ dns_rpz_type_t type;
+ dns_rpz_cidr_node_t *tgt = NULL, *parent, *child;
+ dns_rpz_cidr_flags_t flags, data_flag;
+
+ if (cidr == NULL)
+ return;
+
+ /*
+ * Decide which kind of policy zone IP address it is, if either
+ * and then find its node.
+ */
+ type = set_type(cidr, name);
+ switch (type) {
+ case DNS_RPZ_TYPE_IP:
+ case DNS_RPZ_TYPE_NSIP:
+ break;
+ case DNS_RPZ_TYPE_NSDNAME:
+ /*
+ * We cannot easily count nsdnames because
+ * internal rbt nodes get deleted.
+ */
+ return;
+ case DNS_RPZ_TYPE_QNAME:
+ case DNS_RPZ_TYPE_BAD:
+ return;
+ }
+
+ /*
+ * Do not get excited about the deletion of interior rbt nodes.
+ */
+ result = name2ipkey(cidr, DNS_RPZ_DEBUG_QUIET, name,
+ type, &tgt_ip, &tgt_prefix);
+ if (result != ISC_R_SUCCESS)
+ return;
+
+ result = search(cidr, &tgt_ip, tgt_prefix, type, ISC_FALSE, &tgt);
+ if (result != ISC_R_SUCCESS) {
+ badname(DNS_RPZ_ERROR_LEVEL, name, "; missing rpz node", "");
+ return;
+ }
+
+ /*
+ * Mark the node and its parents to reflect the deleted IP address.
+ */
+ flags = get_flags(&tgt_ip, tgt_prefix, type);
+ data_flag = flags & (DNS_RPZ_CIDR_FG_IP_DATA |
+ DNS_RPZ_CIDR_FG_NSIP_DATA);
+ tgt->flags &= ~data_flag;
+ for (parent = tgt; parent != NULL; parent = parent->parent) {
+ if ((parent->flags & data_flag) != 0 ||
+ (parent->child[0] != NULL &&
+ (parent->child[0]->flags & flags) != 0) ||
+ (parent->child[1] != NULL &&
+ (parent->child[1]->flags & flags) != 0))
+ break;
+ parent->flags &= ~flags;
+ }
+
+ /*
+ * We might need to delete 2 nodes.
+ */
+ do {
+ /*
+ * The node is now useless if it has no data of its own
+ * and 0 or 1 children. We are finished if it is not useless.
+ */
+ if ((child = tgt->child[0]) != NULL) {
+ if (tgt->child[1] != NULL)
+ return;
+ } else {
+ child = tgt->child[1];
+ }
+ if ((tgt->flags & (DNS_RPZ_CIDR_FG_IP_DATA |
+ DNS_RPZ_CIDR_FG_NSIP_DATA)) != 0)
+ return;
+
+ /*
+ * Replace the pointer to this node in the parent with
+ * the remaining child or NULL.
+ */
+ parent = tgt->parent;
+ if (parent == NULL) {
+ cidr->root = child;
+ } else {
+ parent->child[parent->child[1] == tgt] = child;
+ }
+ /*
+ * If the child exists fix up its parent pointer.
+ */
+ if (child != NULL)
+ child->parent = parent;
+ isc_mem_put(cidr->mctx, tgt, sizeof(*tgt));
+
+ tgt = parent;
+ } while (tgt != NULL);
+}
+
+/*
+ * Caller must hold tree lock.
+ * Return ISC_R_NOTFOUND
+ * or ISC_R_SUCCESS and the found entry's canonical and search names
+ * and its prefix length
+ */
+isc_result_t
+dns_rpz_cidr_find(dns_rpz_cidr_t *cidr, const isc_netaddr_t *netaddr,
+ dns_rpz_type_t type, dns_name_t *canon_name,
+ dns_name_t *search_name, dns_rpz_cidr_bits_t *prefix)
+{
+ dns_rpz_cidr_key_t tgt_ip;
+ isc_result_t result;
+ dns_rpz_cidr_node_t *found;
+ int i;
+
+ /*
+ * Convert IP address to CIDR tree key.
+ */
+ if (netaddr->family == AF_INET) {
+ tgt_ip.w[0] = 0;
+ tgt_ip.w[1] = 0;
+ tgt_ip.w[2] = ADDR_V4MAPPED;
+ tgt_ip.w[3] = ntohl(netaddr->type.in.s_addr);
+ } else if (netaddr->family == AF_INET6) {
+ dns_rpz_cidr_key_t src_ip6;
+
+ /*
+ * Given the int aligned struct in_addr member of netaddr->type
+ * one could cast netaddr->type.in6 to dns_rpz_cidr_key_t *,
+ * but there are objections.
+ */
+ memcpy(src_ip6.w, &netaddr->type.in6, sizeof(src_ip6.w));
+ for (i = 0; i < 4; i++) {
+ tgt_ip.w[i] = ntohl(src_ip6.w[i]);
+ }
+ } else {
+ return (ISC_R_NOTFOUND);
+ }
+
+ result = search(cidr, &tgt_ip, 128, type, ISC_FALSE, &found);
+ if (result != ISC_R_SUCCESS && result != DNS_R_PARTIALMATCH)
+ return (result);
+
+ *prefix = found->bits;
+ return (ip2name(cidr, &found->ip, found->bits, type,
+ canon_name, search_name));
+}
+
+/*
+ * Translate CNAME rdata to a QNAME response policy action.
+ */
+dns_rpz_policy_t
+dns_rpz_decode_cname(dns_rpz_zone_t *rpz, dns_rdataset_t *rdataset,
+ dns_name_t *selfname)
+{
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ dns_rdata_cname_t cname;
+ isc_result_t result;
+
+ result = dns_rdataset_first(rdataset);
+ RUNTIME_CHECK(result == ISC_R_SUCCESS);
+ dns_rdataset_current(rdataset, &rdata);
+ result = dns_rdata_tostruct(&rdata, &cname, NULL);
+ RUNTIME_CHECK(result == ISC_R_SUCCESS);
+ dns_rdata_reset(&rdata);
+
+ /*
+ * CNAME . means NXDOMAIN
+ */
+ if (dns_name_equal(&cname.cname, dns_rootname))
+ return (DNS_RPZ_POLICY_NXDOMAIN);
+
+ if (dns_name_iswildcard(&cname.cname)) {
+ /*
+ * CNAME *. means NODATA
+ */
+ if (dns_name_countlabels(&cname.cname) == 2)
+ return (DNS_RPZ_POLICY_NODATA);
+
+ /*
+ * A qname of www.evil.com and a policy of
+ * *.evil.com CNAME *.garden.net
+ * gives a result of
+ * evil.com CNAME evil.com.garden.net
+ */
+ if (dns_name_countlabels(&cname.cname) > 2)
+ return (DNS_RPZ_POLICY_WILDCNAME);
+ }
+
+ /*
+ * CNAME PASSTHRU.origin means "do not rewrite.
+ */
+ if (dns_name_equal(&cname.cname, &rpz->passthru))
+ return (DNS_RPZ_POLICY_PASSTHRU);
+
+ /*
+ * 128.1.0.127.rpz-ip CNAME 128.1.0.0.127. is obsolete PASSTHRU
+ */
+ if (selfname != NULL && dns_name_equal(&cname.cname, selfname))
+ return (DNS_RPZ_POLICY_PASSTHRU);
+
+ /*
+ * Any other rdata gives a response consisting of the rdata.
+ */
+ return (DNS_RPZ_POLICY_RECORD);
+}
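Review bot: diff_keys() loops while `bit <= maxbit`, so when both prefixes are 128 and all four key words are equal it runs a fifth iteration with `i == 4` and reads `key1->w[4]` and `key2->w[4]`, one word past the `w[DNS_RPZ_CIDR_WORDS]` array. dns_rpz_cidr_find() always calls search() with a prefix of 128, so an exact match on a full-length node reaches that iteration. The closing `ISC_MIN(bit, maxbit)` hides the effect on the returned value, but the read is still out of bounds, and the loop condition should be `bit < maxbit;`. Separately, the IPv6 branch of name2ipkey() writes only the words of `tgt_ip` for the labels it actually parses, and both visible callers pass an uninitialized stack key. A name with fewer than eight words and no `zz` then hands indeterminate words to ip2name(), which a `memset(tgt_ip, 0, sizeof(*tgt_ip));` before parsing would avoid. In search(), the `cur == NULL` create path stores `*found = cur`, which is NULL at that point, where `child` looks intended.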
diff --git a/contrib/bind9/lib/dns/rriterator.c b/contrib/bind9/lib/dns/rriterator.c
new file mode 100644
index 000000000000..509fb42270f3
--- /dev/null
+++ b/contrib/bind9/lib/dns/rriterator.c
@@ -0,0 +1,204 @@
+/*
+ * Copyright (C) 2009, 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id$ */
+
+/*! \file */
+
+/***
+ *** Imports
+ ***/
+
+#include <config.h>
+
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dns/db.h>
+#include <dns/dbiterator.h>
+#include <dns/rdata.h>
+#include <dns/rdataset.h>
+#include <dns/rdatasetiter.h>
+#include <dns/result.h>
+#include <dns/rriterator.h>
+
+/***
+ *** RRiterator methods
+ ***/
+
+isc_result_t
+dns_rriterator_init(dns_rriterator_t *it, dns_db_t *db, dns_dbversion_t *ver,
+ isc_stdtime_t now)
+{
+ isc_result_t result;
+ it->magic = RRITERATOR_MAGIC;
+ it->db = db;
+ it->dbit = NULL;
+ it->ver = ver;
+ it->now = now;
+ it->node = NULL;
+ result = dns_db_createiterator(it->db, 0, &it->dbit);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ it->rdatasetit = NULL;
+ dns_rdata_init(&it->rdata);
+ dns_rdataset_init(&it->rdataset);
+ dns_fixedname_init(&it->fixedname);
+ INSIST(! dns_rdataset_isassociated(&it->rdataset));
+ it->result = ISC_R_SUCCESS;
+ return (it->result);
+}
+
+isc_result_t
+dns_rriterator_first(dns_rriterator_t *it) {
+ REQUIRE(VALID_RRITERATOR(it));
+ /* Reset state */
+ if (dns_rdataset_isassociated(&it->rdataset))
+ dns_rdataset_disassociate(&it->rdataset);
+ if (it->rdatasetit != NULL)
+ dns_rdatasetiter_destroy(&it->rdatasetit);
+ if (it->node != NULL)
+ dns_db_detachnode(it->db, &it->node);
+ it->result = dns_dbiterator_first(it->dbit);
+
+ /*
+ * The top node may be empty when out of zone glue exists.
+ * Walk the tree to find the first node with data.
+ */
+ while (it->result == ISC_R_SUCCESS) {
+ it->result = dns_dbiterator_current(it->dbit, &it->node,
+ dns_fixedname_name(&it->fixedname));
+ if (it->result != ISC_R_SUCCESS)
+ return (it->result);
+
+ it->result = dns_db_allrdatasets(it->db, it->node, it->ver,
+ it->now, &it->rdatasetit);
+ if (it->result != ISC_R_SUCCESS)
+ return (it->result);
+
+ it->result = dns_rdatasetiter_first(it->rdatasetit);
+ if (it->result != ISC_R_SUCCESS) {
+ /*
+ * This node is empty. Try next node.
+ */
+ dns_rdatasetiter_destroy(&it->rdatasetit);
+ dns_db_detachnode(it->db, &it->node);
+ it->result = dns_dbiterator_next(it->dbit);
+ continue;
+ }
+ dns_rdatasetiter_current(it->rdatasetit, &it->rdataset);
+ it->rdataset.attributes |= DNS_RDATASETATTR_LOADORDER;
+ it->result = dns_rdataset_first(&it->rdataset);
+ return (it->result);
+ }
+ return (it->result);
+}
+
+isc_result_t
+dns_rriterator_nextrrset(dns_rriterator_t *it) {
+ REQUIRE(VALID_RRITERATOR(it));
+ if (dns_rdataset_isassociated(&it->rdataset))
+ dns_rdataset_disassociate(&it->rdataset);
+ it->result = dns_rdatasetiter_next(it->rdatasetit);
+ /*
+ * The while loop body is executed more than once
+ * only when an empty dbnode needs to be skipped.
+ */
+ while (it->result == ISC_R_NOMORE) {
+ dns_rdatasetiter_destroy(&it->rdatasetit);
+ dns_db_detachnode(it->db, &it->node);
+ it->result = dns_dbiterator_next(it->dbit);
+ if (it->result == ISC_R_NOMORE) {
+ /* We are at the end of the entire database. */
+ return (it->result);
+ }
+ if (it->result != ISC_R_SUCCESS)
+ return (it->result);
+ it->result = dns_dbiterator_current(it->dbit, &it->node,
+ dns_fixedname_name(&it->fixedname));
+ if (it->result != ISC_R_SUCCESS)
+ return (it->result);
+ it->result = dns_db_allrdatasets(it->db, it->node, it->ver,
+ it->now, &it->rdatasetit);
+ if (it->result != ISC_R_SUCCESS)
+ return (it->result);
+ it->result = dns_rdatasetiter_first(it->rdatasetit);
+ }
+ if (it->result != ISC_R_SUCCESS)
+ return (it->result);
+ dns_rdatasetiter_current(it->rdatasetit, &it->rdataset);
+ it->rdataset.attributes |= DNS_RDATASETATTR_LOADORDER;
+ it->result = dns_rdataset_first(&it->rdataset);
+ return (it->result);
+}
+
+isc_result_t
+dns_rriterator_next(dns_rriterator_t *it) {
+ REQUIRE(VALID_RRITERATOR(it));
+ if (it->result != ISC_R_SUCCESS)
+ return (it->result);
+
+ INSIST(it->dbit != NULL);
+ INSIST(it->node != NULL);
+ INSIST(it->rdatasetit != NULL);
+
+ it->result = dns_rdataset_next(&it->rdataset);
+ if (it->result == ISC_R_NOMORE)
+ return (dns_rriterator_nextrrset(it));
+ return (it->result);
+}
+
+void
+dns_rriterator_pause(dns_rriterator_t *it) {
+ REQUIRE(VALID_RRITERATOR(it));
+ RUNTIME_CHECK(dns_dbiterator_pause(it->dbit) == ISC_R_SUCCESS);
+}
+
+void
+dns_rriterator_destroy(dns_rriterator_t *it) {
+ REQUIRE(VALID_RRITERATOR(it));
+ if (dns_rdataset_isassociated(&it->rdataset))
+ dns_rdataset_disassociate(&it->rdataset);
+ if (it->rdatasetit != NULL)
+ dns_rdatasetiter_destroy(&it->rdatasetit);
+ if (it->node != NULL)
+ dns_db_detachnode(it->db, &it->node);
+ dns_dbiterator_destroy(&it->dbit);
+}
+
+void
+dns_rriterator_current(dns_rriterator_t *it, dns_name_t **name,
+ isc_uint32_t *ttl, dns_rdataset_t **rdataset,
+ dns_rdata_t **rdata)
+{
+ REQUIRE(name != NULL && *name == NULL);
+ REQUIRE(VALID_RRITERATOR(it));
+ REQUIRE(it->result == ISC_R_SUCCESS);
+ REQUIRE(rdataset == NULL || *rdataset == NULL);
+ REQUIRE(rdata == NULL || *rdata == NULL);
+
+ *name = dns_fixedname_name(&it->fixedname);
+ *ttl = it->rdataset.ttl;
+
+ dns_rdata_reset(&it->rdata);
+ dns_rdataset_current(&it->rdataset, &it->rdata);
+
+ if (rdataset != NULL)
+ *rdataset = &it->rdataset;
+
+ if (rdata != NULL)
+ *rdata = &it->rdata;
+}
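Review bot: dns_rriterator_init() sets `it->magic` before calling dns_db_createiterator() and returns on failure before `it->rdatasetit`, `it->rdata` and `it->rdataset` are initialised. A caller that runs dns_rriterator_destroy() on that error path passes VALID_RRITERATOR and then tests uninitialised fields. Move the `it->rdatasetit = NULL;`, dns_rdata_init(), dns_rdataset_init() and dns_fixedname_init() calls above the create call, and assign the magic last, only on success. Separately, dns_rriterator_current() writes `*ttl` unconditionally while `rdataset` and `rdata` are optional; add `REQUIRE(ttl != NULL);` or guard the store. A short header comment on each function stating which result codes leave the iterator usable would also help callers.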
diff --git a/contrib/bind9/lib/dns/sdb.c b/contrib/bind9/lib/dns/sdb.c
index 447ecbd2e574..8092c5a551cb 100644
--- a/contrib/bind9/lib/dns/sdb.c
+++ b/contrib/bind9/lib/dns/sdb.c
@@ -216,12 +216,13 @@ dns_sdb_register(const char *drivername, const dns_sdbmethods_t *methods,
REQUIRE(drivername != NULL);
REQUIRE(methods != NULL);
- REQUIRE(methods->lookup != NULL);
+ REQUIRE(methods->lookup != NULL || methods->lookup2 != NULL);
REQUIRE(mctx != NULL);
REQUIRE(sdbimp != NULL && *sdbimp == NULL);
REQUIRE((flags & ~(DNS_SDBFLAG_RELATIVEOWNER |
DNS_SDBFLAG_RELATIVERDATA |
- DNS_SDBFLAG_THREADSAFE)) == 0);
+ DNS_SDBFLAG_THREADSAFE|
+ DNS_SDBFLAG_DNS64)) == 0);
imp = isc_mem_get(mctx, sizeof(dns_sdbimplementation_t));
if (imp == NULL)
@@ -280,8 +281,9 @@ initial_size(unsigned int len) {
}
isc_result_t
-dns_sdb_putrdata(dns_sdblookup_t *lookup, dns_rdatatype_t typeval, dns_ttl_t ttl,
- const unsigned char *rdatap, unsigned int rdlen)
+dns_sdb_putrdata(dns_sdblookup_t *lookup, dns_rdatatype_t typeval,
+ dns_ttl_t ttl, const unsigned char *rdatap,
+ unsigned int rdlen)
{
dns_rdatalist_t *rdatalist;
dns_rdata_t *rdata;
@@ -338,7 +340,6 @@ dns_sdb_putrdata(dns_sdblookup_t *lookup, dns_rdatatype_t typeval, dns_ttl_t ttl
return (result);
}
-
isc_result_t
dns_sdb_putrr(dns_sdblookup_t *lookup, const char *type, dns_ttl_t ttl,
const char *data)
@@ -450,7 +451,7 @@ getnode(dns_sdballnodes_t *allnodes, const char *name, dns_sdbnode_t **nodep) {
isc_buffer_init(&b, name, strlen(name));
isc_buffer_add(&b, strlen(name));
- result = dns_name_fromtext(newname, &b, origin, ISC_FALSE, NULL);
+ result = dns_name_fromtext(newname, &b, origin, 0, NULL);
if (result != ISC_R_SUCCESS)
return (result);
@@ -737,6 +738,8 @@ findnode(dns_db_t *db, dns_name_t *name, isc_boolean_t create,
char namestr[DNS_NAME_MAXTEXT + 1];
isc_boolean_t isorigin;
dns_sdbimplementation_t *imp;
+ dns_name_t relname;
+ unsigned int labels;
REQUIRE(VALID_SDB(sdb));
REQUIRE(create == ISC_FALSE);
@@ -747,33 +750,46 @@ findnode(dns_db_t *db, dns_name_t *name, isc_boolean_t create,
imp = sdb->implementation;
- isc_buffer_init(&b, namestr, sizeof(namestr));
- if ((imp->flags & DNS_SDBFLAG_RELATIVEOWNER) != 0) {
- dns_name_t relname;
- unsigned int labels;
+ isorigin = dns_name_equal(name, &sdb->common.origin);
- labels = dns_name_countlabels(name) -
- dns_name_countlabels(&db->origin);
- dns_name_init(&relname, NULL);
- dns_name_getlabelsequence(name, 0, labels, &relname);
- result = dns_name_totext(&relname, ISC_TRUE, &b);
- if (result != ISC_R_SUCCESS)
- return (result);
+ if (imp->methods->lookup2 != NULL) {
+ if ((imp->flags & DNS_SDBFLAG_RELATIVEOWNER) != 0) {
+ labels = dns_name_countlabels(name) -
+ dns_name_countlabels(&db->origin);
+ dns_name_init(&relname, NULL);
+ dns_name_getlabelsequence(name, 0, labels, &relname);
+ name = &relname;
+ }
} else {
- result = dns_name_totext(name, ISC_TRUE, &b);
- if (result != ISC_R_SUCCESS)
- return (result);
+ isc_buffer_init(&b, namestr, sizeof(namestr));
+ if ((imp->flags & DNS_SDBFLAG_RELATIVEOWNER) != 0) {
+
+ labels = dns_name_countlabels(name) -
+ dns_name_countlabels(&db->origin);
+ dns_name_init(&relname, NULL);
+ dns_name_getlabelsequence(name, 0, labels, &relname);
+ result = dns_name_totext(&relname, ISC_TRUE, &b);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ } else {
+ result = dns_name_totext(name, ISC_TRUE, &b);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ }
+ isc_buffer_putuint8(&b, 0);
}
- isc_buffer_putuint8(&b, 0);
result = createnode(sdb, &node);
if (result != ISC_R_SUCCESS)
return (result);
- isorigin = dns_name_equal(name, &sdb->common.origin);
-
MAYBE_LOCK(sdb);
- result = imp->methods->lookup(sdb->zone, namestr, sdb->dbdata, node);
+ if (imp->methods->lookup2 != NULL)
+ result = imp->methods->lookup2(&sdb->common.origin, name,
+ sdb->dbdata, node);
+ else
+ result = imp->methods->lookup(sdb->zone, namestr, sdb->dbdata,
+ node);
MAYBE_UNLOCK(sdb);
if (result != ISC_R_SUCCESS &&
!(result == ISC_R_NOTFOUND &&
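Review bot: The relative-owner computation `labels = dns_name_countlabels(name) - dns_name_countlabels(&db->origin);` now appears in both the lookup2 branch and the string branch, and nothing visible in this hunk establishes that `name` is at or below the origin before the unsigned subtraction. If findnode() can be reached with an out-of-zone name (the callers are outside the hunk), `labels` wraps. I would hoist the computation into one place and guard it, for example `if (!dns_name_issubdomain(name, &db->origin)) return (ISC_R_NOTFOUND);`, provided that result code suits the callers. Note also that `namestr` is left unwritten on the lookup2 path, so any later use of it further down the function (not shown) should be checked.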
@@ -811,13 +827,13 @@ find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
unsigned int nlabels, olabels;
isc_result_t result;
unsigned int i;
+ unsigned int flags;
REQUIRE(VALID_SDB(sdb));
REQUIRE(nodep == NULL || *nodep == NULL);
REQUIRE(version == NULL || version == (void *) &dummy);
UNUSED(options);
- UNUSED(sdb);
if (!dns_name_issubdomain(name, &db->origin))
return (DNS_R_NXDOMAIN);
@@ -834,8 +850,9 @@ find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
}
result = DNS_R_NXDOMAIN;
-
- for (i = olabels; i <= nlabels; i++) {
+ flags = sdb->implementation->flags;
+ i = (flags & DNS_SDBFLAG_DNS64) != 0 ? nlabels : olabels;
+ for (; i <= nlabels; i++) {
/*
* Look up the next label.
*/
@@ -854,6 +871,18 @@ find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
return (result);
/*
+ * DNS64 zone's don't have DNAME or NS records.
+ */
+ if ((flags & DNS_SDBFLAG_DNS64) != 0)
+ goto skip;
+
+ /*
+ * DNS64 zone's don't have DNAME or NS records.
+ */
+ if ((flags & DNS_SDBFLAG_DNS64) != 0)
+ goto skip;
+
+ /*
* Look for a DNAME at the current label, unless this is
* the qname.
*/
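Review bot: The `DNS64 zone's don't have DNAME or NS records` check is added twice back to back, which looks like a merge artefact. The second `if ((flags & DNS_SDBFLAG_DNS64) != 0) goto skip;` can never change the outcome, so one copy should be dropped to leave a single place to edit. The surrounding loop in find() starts and ends outside this hunk.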
@@ -902,6 +931,7 @@ find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
continue;
}
+ skip:
/*
* If we're looking for ANY, we're done.
*/
@@ -1260,6 +1290,8 @@ static dns_dbmethods_t sdb_methods = {
NULL,
NULL,
NULL,
+ NULL,
+ NULL,
NULL
};
diff --git a/contrib/bind9/lib/dns/sdlz.c b/contrib/bind9/lib/dns/sdlz.c
index 75f7deff4bf5..870e981a29ad 100644
--- a/contrib/bind9/lib/dns/sdlz.c
+++ b/contrib/bind9/lib/dns/sdlz.c
@@ -108,6 +108,8 @@ struct dns_sdlz_db {
isc_mutex_t refcnt_lock;
/* Locked */
unsigned int references;
+ dns_dbversion_t *future_version;
+ int dummy_version;
};
struct dns_sdlzlookup {
@@ -164,8 +166,6 @@ typedef struct sdlz_rdatasetiter {
/* This is a reasonable value */
#define SDLZ_DEFAULT_TTL (60 * 60 * 24)
-static int dummy;
-
#ifdef __COVERITY__
#define MAYBE_LOCK(imp) LOCK(&imp->driverlock)
#define MAYBE_UNLOCK(imp) UNLOCK(&imp->driverlock)
@@ -225,11 +225,22 @@ static dns_dbiteratormethods_t dbiterator_methods = {
* Utility functions
*/
-/*% Converts the input string to lowercase, in place. */
+/*
+ * Log a message at the given level
+ */
+static void
+sdlz_log(int level, const char *fmt, ...) {
+ va_list ap;
+ va_start(ap, fmt);
+ isc_log_vwrite(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+ DNS_LOGMODULE_DLZ, ISC_LOG_DEBUG(level),
+ fmt, ap);
+ va_end(ap);
+}
+/*% Converts the input string to lowercase, in place. */
static void
dns_sdlz_tolower(char *str) {
-
unsigned int len = strlen(str);
unsigned int i;
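Review bot: sdlz_log() wraps its `level` argument in `ISC_LOG_DEBUG(level)`, yet the callers added in this commit pass complete levels such as `ISC_LOG_ERROR` and `ISC_LOG_DEBUG(2)`. That is only harmless as long as ISC_LOG_DEBUG() passes its argument through unchanged; otherwise error messages would be filed at a debug level and disappear from normal logs. Pass the value straight through, `DNS_LOGMODULE_DLZ, level, fmt, ap);`, and change the comment to say that `level` is a full ISC_LOG_* level. Because this is a new variadic wrapper, a prototype carrying `ISC_FORMAT_PRINTF(2, 3)` would also let the compiler check format strings at the call sites. dns_sdlz_tolower() continues past the end of the hunk.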
@@ -237,7 +248,6 @@ dns_sdlz_tolower(char *str) {
if (str[i] >= 'A' && str[i] <= 'Z')
str[i] += 32;
}
-
}
static inline unsigned int
@@ -381,43 +391,79 @@ dump(dns_db_t *db, dns_dbversion_t *version, const char *filename,
static void
currentversion(dns_db_t *db, dns_dbversion_t **versionp) {
+ dns_sdlz_db_t *sdlz = (dns_sdlz_db_t *)db;
+ REQUIRE(VALID_SDLZDB(sdlz));
REQUIRE(versionp != NULL && *versionp == NULL);
- UNUSED(db);
-
- *versionp = (void *) &dummy;
+ *versionp = (void *) &sdlz->dummy_version;
return;
}
static isc_result_t
newversion(dns_db_t *db, dns_dbversion_t **versionp) {
- UNUSED(db);
- UNUSED(versionp);
+ dns_sdlz_db_t *sdlz = (dns_sdlz_db_t *)db;
+ char origin[DNS_NAME_MAXTEXT + 1];
+ isc_result_t result;
- return (ISC_R_NOTIMPLEMENTED);
+ REQUIRE(VALID_SDLZDB(sdlz));
+
+ if (sdlz->dlzimp->methods->newversion == NULL)
+ return (ISC_R_NOTIMPLEMENTED);
+
+ dns_name_format(&sdlz->common.origin, origin, sizeof(origin));
+
+ result = sdlz->dlzimp->methods->newversion(origin,
+ sdlz->dlzimp->driverarg,
+ sdlz->dbdata, versionp);
+ if (result != ISC_R_SUCCESS) {
+ sdlz_log(ISC_LOG_ERROR,
+ "sdlz newversion on origin %s failed : %s",
+ origin, isc_result_totext(result));
+ return (result);
+ }
+
+ sdlz->future_version = *versionp;
+ return (ISC_R_SUCCESS);
}
static void
attachversion(dns_db_t *db, dns_dbversion_t *source,
dns_dbversion_t **targetp)
{
- REQUIRE(source != NULL && source == (void *) &dummy);
+ dns_sdlz_db_t *sdlz = (dns_sdlz_db_t *)db;
+
+ REQUIRE(VALID_SDLZDB(sdlz));
+ REQUIRE(source != NULL && source == (void *)&sdlz->dummy_version);
- UNUSED(db);
- UNUSED(source);
- UNUSED(targetp);
*targetp = source;
}
static void
closeversion(dns_db_t *db, dns_dbversion_t **versionp, isc_boolean_t commit) {
- REQUIRE(versionp != NULL && *versionp == (void *) &dummy);
- REQUIRE(commit == ISC_FALSE);
+ dns_sdlz_db_t *sdlz = (dns_sdlz_db_t *)db;
+ char origin[DNS_NAME_MAXTEXT + 1];
- UNUSED(db);
- UNUSED(commit);
+ REQUIRE(VALID_SDLZDB(sdlz));
+ REQUIRE(versionp != NULL);
+
+ if (*versionp == (void *)&sdlz->dummy_version) {
+ *versionp = NULL;
+ return;
+ }
+
+ REQUIRE(*versionp == sdlz->future_version);
+ REQUIRE(sdlz->dlzimp->methods->closeversion != NULL);
+
+ dns_name_format(&sdlz->common.origin, origin, sizeof(origin));
- *versionp = NULL;
+ sdlz->dlzimp->methods->closeversion(origin, commit,
+ sdlz->dlzimp->driverarg,
+ sdlz->dbdata, versionp);
+ if (*versionp != NULL)
+ sdlz_log(ISC_LOG_ERROR,
+ "sdlz closeversion on origin %s failed", origin);
+
+ sdlz->future_version = NULL;
}
static isc_result_t
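Review bot: newversion() dereferences `versionp` after the driver call and overwrites `sdlz->future_version` without checking either one, unlike currentversion() just above. I would add `REQUIRE(versionp != NULL && *versionp == NULL);` and reject the call when `sdlz->future_version != NULL`, so that a second open transaction cannot silently replace the first. The driver's `newversion` and `closeversion` methods are also invoked without MAYBE_LOCK()/MAYBE_UNLOCK(), while the `mod_function` and `delrdataset` driver calls added elsewhere in this commit take the lock. If the driver is not thread-safe, that inconsistency matters. Finally, attachversion() still accepts only `&sdlz->dummy_version`, so attaching to a writable version would trip the REQUIRE; a comment stating that this is intentional would help.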
@@ -506,11 +552,11 @@ findnode(dns_db_t *db, dns_name_t *name, isc_boolean_t create,
dns_sdlzauthorityfunc_t authority;
REQUIRE(VALID_SDLZDB(sdlz));
- REQUIRE(create == ISC_FALSE);
REQUIRE(nodep != NULL && *nodep == NULL);
- UNUSED(name);
- UNUSED(create);
+ if (sdlz->dlzimp->methods->newversion == NULL) {
+ REQUIRE(create == ISC_FALSE);
+ }
isc_buffer_init(&b, namestr, sizeof(namestr));
if ((sdlz->dlzimp->flags & DNS_SDLZFLAG_RELATIVEOWNER) != 0) {
@@ -558,7 +604,7 @@ findnode(dns_db_t *db, dns_name_t *name, isc_boolean_t create,
* if the host (namestr) was not found, try to lookup a
* "wildcard" host.
*/
- if (result != ISC_R_SUCCESS) {
+ if (result != ISC_R_SUCCESS && !create) {
result = sdlz->dlzimp->methods->lookup(zonestr, "*",
sdlz->dlzimp->driverarg,
sdlz->dbdata, node);
@@ -566,7 +612,7 @@ findnode(dns_db_t *db, dns_name_t *name, isc_boolean_t create,
MAYBE_UNLOCK(sdlz->dlzimp);
- if (result != ISC_R_SUCCESS && !isorigin) {
+ if (result != ISC_R_SUCCESS && !isorigin && !create) {
destroynode(node);
return (result);
}
@@ -584,6 +630,23 @@ findnode(dns_db_t *db, dns_name_t *name, isc_boolean_t create,
}
}
+ if (node->name == NULL) {
+ node->name = isc_mem_get(sdlz->common.mctx,
+ sizeof(dns_name_t));
+ if (node->name == NULL) {
+ destroynode(node);
+ return (ISC_R_NOMEMORY);
+ }
+ dns_name_init(node->name, NULL);
+ result = dns_name_dup(name, sdlz->common.mctx, node->name);
+ if (result != ISC_R_SUCCESS) {
+ isc_mem_put(sdlz->common.mctx, node->name,
+ sizeof(dns_name_t));
+ destroynode(node);
+ return (result);
+ }
+ }
+
*nodep = node;
return (ISC_R_SUCCESS);
}
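Review bot: On the dns_name_dup() failure path, `node->name` is returned to the memory context with isc_mem_put() but the pointer is left set when destroynode(node) runs. If destroynode() releases `node->name` when it is non-NULL (its body is not in this hunk), that is a double free of the name structure. Clear the pointer first: `node->name = NULL;` directly after the isc_mem_put() call. findnode() starts outside this hunk.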
@@ -778,7 +841,7 @@ find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
REQUIRE(VALID_SDLZDB(sdlz));
REQUIRE(nodep == NULL || *nodep == NULL);
- REQUIRE(version == NULL || version == (void *) &dummy);
+ REQUIRE(version == NULL || version == (void*)&sdlz->dummy_version);
UNUSED(options);
UNUSED(sdlz);
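Review bot: find() accepts only `NULL` or `&sdlz->dummy_version`, whereas allrdatasets() in this same commit also accepts `sdlz->future_version`. If the update path can call find() with the writable version (not visible here), this REQUIRE becomes an assertion abort reachable from a dynamic update. Either accept `version == sdlz->future_version` here too, or add a comment explaining why find() is never reached inside a transaction. The `UNUSED(sdlz);` kept below is now stale, because `sdlz` is used.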
@@ -920,9 +983,14 @@ static isc_result_t
allrdatasets(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
isc_stdtime_t now, dns_rdatasetiter_t **iteratorp)
{
+ dns_sdlz_db_t *sdlz = (dns_sdlz_db_t *) db;
sdlz_rdatasetiter_t *iterator;
- REQUIRE(version == NULL || version == &dummy);
+ REQUIRE(VALID_SDLZDB(sdlz));
+
+ REQUIRE(version == NULL ||
+ version == (void*)&sdlz->dummy_version ||
+ version == sdlz->future_version);
UNUSED(version);
UNUSED(now);
@@ -945,47 +1013,139 @@ allrdatasets(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
}
static isc_result_t
+modrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+ dns_rdataset_t *rdataset, unsigned int options,
+ dns_sdlzmodrdataset_t mod_function)
+{
+ dns_sdlz_db_t *sdlz = (dns_sdlz_db_t *)db;
+ dns_master_style_t *style = NULL;
+ isc_result_t result;
+ isc_buffer_t *buffer = NULL;
+ isc_mem_t *mctx;
+ dns_sdlznode_t *sdlznode;
+ char *rdatastr = NULL;
+ char name[DNS_NAME_MAXTEXT + 1];
+
+ REQUIRE(VALID_SDLZDB(sdlz));
+
+ if (mod_function == NULL)
+ return (ISC_R_NOTIMPLEMENTED);
+
+ sdlznode = (dns_sdlznode_t *)node;
+
+ UNUSED(options);
+
+ dns_name_format(sdlznode->name, name, sizeof(name));
+
+ mctx = sdlz->common.mctx;
+
+ result = isc_buffer_allocate(mctx, &buffer, 1024);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ result = dns_master_stylecreate(&style, 0, 0, 0, 0, 0, 0, 1, mctx);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+
+ result = dns_master_rdatasettotext(sdlznode->name, rdataset,
+ style, buffer);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+
+ if (isc_buffer_usedlength(buffer) < 1) {
+ result = ISC_R_BADADDRESSFORM;
+ goto cleanup;
+ }
+
+ rdatastr = isc_buffer_base(buffer);
+ if (rdatastr == NULL) {
+ result = ISC_R_NOMEMORY;
+ goto cleanup;
+ }
+ rdatastr[isc_buffer_usedlength(buffer) - 1] = 0;
+
+ MAYBE_LOCK(sdlz->dlzimp);
+ result = mod_function(name, rdatastr, sdlz->dlzimp->driverarg,
+ sdlz->dbdata, version);
+ MAYBE_UNLOCK(sdlz->dlzimp);
+
+cleanup:
+ isc_buffer_free(&buffer);
+ if (style != NULL)
+ dns_master_styledestroy(&style, mctx);
+
+ return (result);
+}
+
+static isc_result_t
addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
isc_stdtime_t now, dns_rdataset_t *rdataset, unsigned int options,
dns_rdataset_t *addedrdataset)
{
- UNUSED(db);
- UNUSED(node);
- UNUSED(version);
+ dns_sdlz_db_t *sdlz = (dns_sdlz_db_t *)db;
+ isc_result_t result;
+
UNUSED(now);
- UNUSED(rdataset);
- UNUSED(options);
UNUSED(addedrdataset);
+ REQUIRE(VALID_SDLZDB(sdlz));
- return (ISC_R_NOTIMPLEMENTED);
+ if (sdlz->dlzimp->methods->addrdataset == NULL)
+ return (ISC_R_NOTIMPLEMENTED);
+
+ result = modrdataset(db, node, version, rdataset, options,
+ sdlz->dlzimp->methods->addrdataset);
+ return (result);
}
+
static isc_result_t
subtractrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
dns_rdataset_t *rdataset, unsigned int options,
dns_rdataset_t *newrdataset)
{
- UNUSED(db);
- UNUSED(node);
- UNUSED(version);
- UNUSED(rdataset);
- UNUSED(options);
+ dns_sdlz_db_t *sdlz = (dns_sdlz_db_t *)db;
+ isc_result_t result;
+
UNUSED(newrdataset);
+ REQUIRE(VALID_SDLZDB(sdlz));
- return (ISC_R_NOTIMPLEMENTED);
+ if (sdlz->dlzimp->methods->subtractrdataset == NULL) {
+ return (ISC_R_NOTIMPLEMENTED);
+ }
+
+ result = modrdataset(db, node, version, rdataset, options,
+ sdlz->dlzimp->methods->subtractrdataset);
+ return (result);
}
static isc_result_t
deleterdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
dns_rdatatype_t type, dns_rdatatype_t covers)
{
- UNUSED(db);
- UNUSED(node);
- UNUSED(version);
- UNUSED(type);
+ dns_sdlz_db_t *sdlz = (dns_sdlz_db_t *)db;
+ char name[DNS_NAME_MAXTEXT + 1];
+ char b_type[DNS_RDATATYPE_FORMATSIZE];
+ dns_sdlznode_t *sdlznode;
+ isc_result_t result;
+
UNUSED(covers);
- return (ISC_R_NOTIMPLEMENTED);
+ REQUIRE(VALID_SDLZDB(sdlz));
+
+ if (sdlz->dlzimp->methods->delrdataset == NULL)
+ return (ISC_R_NOTIMPLEMENTED);
+
+ sdlznode = (dns_sdlznode_t *)node;
+ dns_name_format(sdlznode->name, name, sizeof(name));
+ dns_rdatatype_format(type, b_type, sizeof(b_type));
+
+ MAYBE_LOCK(sdlz->dlzimp);
+ result = sdlz->dlzimp->methods->delrdataset(name, b_type,
+ sdlz->dlzimp->driverarg,
+ sdlz->dbdata, version);
+ MAYBE_UNLOCK(sdlz->dlzimp);
+
+ return (result);
}
static isc_boolean_t
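Review bot: modrdataset() and deleterdataset() pass `version` to the driver without checking that it is the transaction opened by newversion(), while closeversion() and allrdatasets() do compare against `sdlz->future_version`. A guard such as `REQUIRE(version != NULL && version == sdlz->future_version);` in both functions would stop a stale or dummy version pointer from reaching backend code. Both functions also format `sdlznode->name` unconditionally, so they rely on every node reaching them having had its name filled in; state that in a comment or check for NULL. In modrdataset() the text form goes into a fixed 1024-byte buffer and the last used byte is overwritten with NUL, presumably a trailing newline. Document that assumption, and that a longer rdataset fails rather than being truncated. `ISC_R_BADADDRESSFORM` is a surprising result code for an empty rendering.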
@@ -1021,6 +1181,26 @@ settask(dns_db_t *db, isc_task_t *task) {
}
+/*
+ * getoriginnode() is used by the update code to find the
+ * dns_rdatatype_dnskey record for a zone
+ */
+static isc_result_t
+getoriginnode(dns_db_t *db, dns_dbnode_t **nodep) {
+ dns_sdlz_db_t *sdlz = (dns_sdlz_db_t *)db;
+ isc_result_t result;
+
+ REQUIRE(VALID_SDLZDB(sdlz));
+ if (sdlz->dlzimp->methods->newversion == NULL)
+ return (ISC_R_NOTIMPLEMENTED);
+
+ result = findnode(db, &sdlz->common.origin, ISC_FALSE, nodep);
+ if (result != ISC_R_SUCCESS)
+ sdlz_log(ISC_LOG_ERROR, "sdlz getoriginnode failed : %s",
+ isc_result_totext(result));
+ return (result);
+}
+
static dns_dbmethods_t sdlzdb_methods = {
attach,
detach,
@@ -1049,6 +1229,8 @@ static dns_dbmethods_t sdlzdb_methods = {
ispersistent,
overmem,
settask,
+ getoriginnode,
+ NULL,
NULL,
NULL,
NULL,
@@ -1371,9 +1553,7 @@ dns_sdlzcreate(isc_mem_t *mctx, const char *dlzname, unsigned int argc,
isc_result_t result = ISC_R_NOTFOUND;
/* Write debugging message to log */
- isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
- DNS_LOGMODULE_DLZ, ISC_LOG_DEBUG(2),
- "Loading SDLZ driver.");
+ sdlz_log(ISC_LOG_DEBUG(2), "Loading SDLZ driver.");
/*
* Performs checks to make sure data is as we expect it to be.
@@ -1395,13 +1575,9 @@ dns_sdlzcreate(isc_mem_t *mctx, const char *dlzname, unsigned int argc,
/* Write debugging message to log */
if (result == ISC_R_SUCCESS) {
- isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
- DNS_LOGMODULE_DLZ, ISC_LOG_DEBUG(2),
- "SDLZ driver loaded successfully.");
+ sdlz_log(ISC_LOG_DEBUG(2), "SDLZ driver loaded successfully.");
} else {
- isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
- DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
- "SDLZ driver failed to load.");
+ sdlz_log(ISC_LOG_ERROR, "SDLZ driver failed to load.");
}
return (result);
@@ -1414,9 +1590,7 @@ dns_sdlzdestroy(void *driverdata, void **dbdata)
dns_sdlzimplementation_t *imp;
/* Write debugging message to log */
- isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
- DNS_LOGMODULE_DLZ, ISC_LOG_DEBUG(2),
- "Unloading SDLZ driver.");
+ sdlz_log(ISC_LOG_DEBUG(2), "Unloading SDLZ driver.");
imp = driverdata;
@@ -1472,11 +1646,96 @@ dns_sdlzfindzone(void *driverarg, void *dbdata, isc_mem_t *mctx,
return (result);
}
+
+static isc_result_t
+dns_sdlzconfigure(void *driverarg, void *dbdata, dns_view_t *view)
+{
+ isc_result_t result;
+ dns_sdlzimplementation_t *imp;
+
+ REQUIRE(driverarg != NULL);
+
+ imp = (dns_sdlzimplementation_t *) driverarg;
+
+ /* Call SDLZ driver's configure method */
+ if (imp->methods->configure != NULL) {
+ MAYBE_LOCK(imp);
+ result = imp->methods->configure(view, imp->driverarg, dbdata);
+ MAYBE_UNLOCK(imp);
+ } else {
+ result = ISC_R_SUCCESS;
+ }
+
+ return (result);
+}
+
+static isc_boolean_t
+dns_sdlzssumatch(dns_name_t *signer, dns_name_t *name, isc_netaddr_t *tcpaddr,
+ dns_rdatatype_t type, const dst_key_t *key, void *driverarg,
+ void *dbdata)
+{
+ dns_sdlzimplementation_t *imp;
+ char b_signer[DNS_NAME_FORMATSIZE];
+ char b_name[DNS_NAME_FORMATSIZE];
+ char b_addr[ISC_NETADDR_FORMATSIZE];
+ char b_type[DNS_RDATATYPE_FORMATSIZE];
+ char b_key[DST_KEY_FORMATSIZE];
+ isc_buffer_t *tkey_token = NULL;
+ isc_region_t token_region;
+ isc_uint32_t token_len = 0;
+ isc_boolean_t ret;
+
+ REQUIRE(driverarg != NULL);
+
+ imp = (dns_sdlzimplementation_t *) driverarg;
+ if (imp->methods->ssumatch == NULL)
+ return (ISC_FALSE);
+
+ /*
+ * Format the request elements. sdlz operates on strings, not
+ * structures
+ */
+ if (signer != NULL)
+ dns_name_format(signer, b_signer, sizeof(b_signer));
+ else
+ b_signer[0] = 0;
+
+ dns_name_format(name, b_name, sizeof(b_name));
+
+ if (tcpaddr != NULL)
+ isc_netaddr_format(tcpaddr, b_addr, sizeof(b_addr));
+ else
+ b_addr[0] = 0;
+
+ dns_rdatatype_format(type, b_type, sizeof(b_type));
+
+ if (key != NULL) {
+ dst_key_format(key, b_key, sizeof(b_key));
+ tkey_token = dst_key_tkeytoken(key);
+ } else
+ b_key[0] = 0;
+
+ if (tkey_token != NULL) {
+ isc_buffer_region(tkey_token, &token_region);
+ token_len = token_region.length;
+ }
+
+ MAYBE_LOCK(imp);
+ ret = imp->methods->ssumatch(b_signer, b_name, b_addr, b_type, b_key,
+ token_len,
+ token_len != 0 ? token_region.base : NULL,
+ imp->driverarg, dbdata);
+ MAYBE_UNLOCK(imp);
+ return (ret);
+}
+
static dns_dlzmethods_t sdlzmethods = {
dns_sdlzcreate,
dns_sdlzdestroy,
dns_sdlzfindzone,
- dns_sdlzallowzonexfr
+ dns_sdlzallowzonexfr,
+ dns_sdlzconfigure,
+ dns_sdlzssumatch
};
/*
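Review bot: dns_sdlzssumatch() guards `signer`, `tcpaddr` and `key` against NULL but passes `name` straight to dns_name_format(). Add `REQUIRE(name != NULL);` next to the existing `REQUIRE(driverarg != NULL);` so the contract is explicit. The function is the authorization decision for updates, so it deserves a header comment covering three things: a driver without an `ssumatch` method denies the request, the identity fields reach the driver as formatted strings, and the TKEY token bytes are handed over raw with `token_len` 0 and a NULL pointer when no token exists. dns_sdlzconfigure() could likewise note that a driver without `configure` is treated as success.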
@@ -1530,8 +1789,16 @@ dns_sdlz_putrr(dns_sdlzlookup_t *lookup, const char *type, dns_ttl_t ttl,
ISC_LINK_INIT(rdatalist, link);
ISC_LIST_APPEND(lookup->lists, rdatalist, link);
} else
- if (rdatalist->ttl != ttl)
- return (DNS_R_BADTTL);
+ if (rdatalist->ttl > ttl) {
+ /*
+ * BIND9 doesn't enforce all RRs in an RRset
+ * having the same TTL, as per RFC 2136,
+ * section 7.12. If a DLZ backend has
+ * different TTLs, then the best
+ * we can do is return the lowest.
+ */
+ rdatalist->ttl = ttl;
+ }
rdata = isc_mem_get(mctx, sizeof(dns_rdata_t));
if (rdata == NULL)
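Review bot: A TTL mismatch inside one RRset from the backend used to fail with `DNS_R_BADTTL` and is now silently resolved by keeping the lower value. That hides inconsistent backend data from operators; a debug-level log line in the new branch, naming the type and both TTLs, would keep the condition observable. The bare `else` followed by an unbraced `if` is also easy to misread; I would write it as `} else if (rdatalist->ttl > ttl) {`. dns_sdlz_putrr() begins and ends outside this hunk.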
@@ -1619,7 +1886,7 @@ dns_sdlz_putnamedrr(dns_sdlzallnodes_t *allnodes, const char *name,
isc_buffer_init(&b, name, strlen(name));
isc_buffer_add(&b, strlen(name));
- result = dns_name_fromtext(newname, &b, origin, ISC_FALSE, NULL);
+ result = dns_name_fromtext(newname, &b, origin, 0, NULL);
if (result != ISC_R_SUCCESS)
return (result);
@@ -1698,9 +1965,7 @@ dns_sdlzregister(const char *drivername, const dns_sdlzmethods_t *methods,
DNS_SDLZFLAG_THREADSAFE)) == 0);
/* Write debugging message to log */
- isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
- DNS_LOGMODULE_DLZ, ISC_LOG_DEBUG(2),
- "Registering SDLZ driver '%s'", drivername);
+ sdlz_log(ISC_LOG_DEBUG(2), "Registering SDLZ driver '%s'", drivername);
/*
* Allocate memory for a sdlz_implementation object. Error if
@@ -1773,9 +2038,7 @@ dns_sdlzunregister(dns_sdlzimplementation_t **sdlzimp) {
isc_mem_t *mctx;
/* Write debugging message to log */
- isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
- DNS_LOGMODULE_DLZ, ISC_LOG_DEBUG(2),
- "Unregistering SDLZ driver.");
+ sdlz_log(ISC_LOG_DEBUG(2), "Unregistering SDLZ driver.");
/*
* Performs checks to make sure data is as we expect it to be.
@@ -1801,3 +2064,16 @@ dns_sdlzunregister(dns_sdlzimplementation_t **sdlzimp) {
*sdlzimp = NULL;
}
+
+
+isc_result_t
+dns_sdlz_setdb(dns_dlzdb_t *dlzdatabase, dns_rdataclass_t rdclass,
+ dns_name_t *name, dns_db_t **dbp)
+{
+ isc_result_t result;
+
+ result = dns_sdlzcreateDBP(dlzdatabase->mctx,
+ dlzdatabase->implementation->driverarg,
+ dlzdatabase->dbdata, name, rdclass, dbp);
+ return (result);
+}
diff --git a/contrib/bind9/lib/dns/soa.c b/contrib/bind9/lib/dns/soa.c
index 3e83b62c3349..1b58bfec12d5 100644
--- a/contrib/bind9/lib/dns/soa.c
+++ b/contrib/bind9/lib/dns/soa.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,15 +15,18 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: soa.c,v 1.12 2009/09/10 02:18:40 each Exp $ */
/*! \file */
#include <config.h>
+#include <string.h>
+#include <isc/buffer.h>
#include <isc/util.h>
#include <dns/rdata.h>
+#include <dns/rdatastruct.h>
#include <dns/soa.h>
static inline isc_uint32_t
@@ -60,6 +63,39 @@ soa_get(dns_rdata_t *rdata, int offset) {
return (decode_uint32(rdata->data + rdata->length - 20 + offset));
}
+isc_result_t
+dns_soa_buildrdata(dns_name_t *origin, dns_name_t *contact,
+ dns_rdataclass_t rdclass,
+ isc_uint32_t serial, isc_uint32_t refresh,
+ isc_uint32_t retry, isc_uint32_t expire,
+ isc_uint32_t minimum, unsigned char *buffer,
+ dns_rdata_t *rdata) {
+ dns_rdata_soa_t soa;
+ isc_buffer_t rdatabuf;
+
+ REQUIRE(origin != NULL);
+ REQUIRE(contact != NULL);
+
+ memset(buffer, 0, DNS_SOA_BUFFERSIZE);
+ isc_buffer_init(&rdatabuf, buffer, DNS_SOA_BUFFERSIZE);
+
+ soa.common.rdtype = dns_rdatatype_soa;
+ soa.common.rdclass = rdclass;
+ soa.mctx = NULL;
+ soa.serial = serial;
+ soa.refresh = refresh;
+ soa.retry = retry;
+ soa.expire = expire;
+ soa.minimum = minimum;
+ dns_name_init(&soa.origin, NULL);
+ dns_name_clone(origin, &soa.origin);
+ dns_name_init(&soa.contact, NULL);
+ dns_name_clone(contact, &soa.contact);
+
+ return (dns_rdata_fromstruct(rdata, rdclass, dns_rdatatype_soa,
+ &soa, &rdatabuf));
+}
+
isc_uint32_t
dns_soa_getserial(dns_rdata_t *rdata) {
return soa_get(rdata, 0);
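Review bot: dns_soa_buildrdata() writes `DNS_SOA_BUFFERSIZE` bytes through `buffer` with memset() but takes no length parameter and does not check the pointer, so a caller that passes a smaller array overruns it. At minimum add `REQUIRE(buffer != NULL);` and `REQUIRE(rdata != NULL);`, plus a header comment saying that `buffer` must hold at least DNS_SOA_BUFFERSIZE bytes and must outlive `rdata`, which ends up pointing into it. The local `soa` struct is only partly filled in (`soa.common` has just rdtype and rdclass set); if dns_rdata_fromstruct() reads other common fields, initialise them as well.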
diff --git a/contrib/bind9/lib/dns/spnego.c b/contrib/bind9/lib/dns/spnego.c
index 13015fa43fbf..0486a722c731 100644
--- a/contrib/bind9/lib/dns/spnego.c
+++ b/contrib/bind9/lib/dns/spnego.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2006-2009, 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2006-2012 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
diff --git a/contrib/bind9/lib/dns/ssu.c b/contrib/bind9/lib/dns/ssu.c
index f78f9d83e20b..83aa67936105 100644
--- a/contrib/bind9/lib/dns/ssu.c
+++ b/contrib/bind9/lib/dns/ssu.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2008, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2008, 2010, 2011 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -17,7 +17,7 @@
/*! \file */
/*
- * $Id$
+ * $Id: ssu.c,v 1.38 2011/01/06 23:47:00 tbox Exp $
* Principal Author: Brian Wellington
*/
@@ -30,11 +30,13 @@
#include <isc/string.h>
#include <isc/util.h>
+#include <dns/dlz.h>
#include <dns/fixedname.h>
#include <dns/name.h>
#include <dns/ssu.h>
#include <dst/gssapi.h>
+#include <dst/dst.h>
#define SSUTABLEMAGIC ISC_MAGIC('S', 'S', 'U', 'T')
#define VALID_SSUTABLE(table) ISC_MAGIC_VALID(table, SSUTABLEMAGIC)
@@ -59,6 +61,7 @@ struct dns_ssutable {
isc_mem_t *mctx;
unsigned int references;
isc_mutex_t lock;
+ dns_dlzdb_t *dlzdatabase;
ISC_LIST(dns_ssurule_t) rules;
};
@@ -345,7 +348,8 @@ stf_from_address(dns_name_t *stfself, isc_netaddr_t *tcpaddr) {
isc_boolean_t
dns_ssutable_checkrules(dns_ssutable_t *table, dns_name_t *signer,
dns_name_t *name, isc_netaddr_t *tcpaddr,
- dns_rdatatype_t type)
+ dns_rdatatype_t type,
+ const dst_key_t *key)
{
dns_ssurule_t *rule;
unsigned int i;
@@ -483,10 +487,27 @@ dns_ssutable_checkrules(dns_ssutable_t *table, dns_name_t *signer,
if (!dns_name_equal(stfself, name))
continue;
break;
+ case DNS_SSUMATCHTYPE_EXTERNAL:
+ if (!dns_ssu_external_match(rule->identity, signer,
+ name, tcpaddr, type, key,
+ table->mctx))
+ continue;
+ break;
+ case DNS_SSUMATCHTYPE_DLZ:
+ if (!dns_dlz_ssumatch(table->dlzdatabase, signer,
+ name, tcpaddr, type, key))
+ continue;
+ break;
}
if (rule->ntypes == 0) {
- if (!isusertype(type))
+ /*
+ * If this is a DLZ rule, then the DLZ ssu
+ * checks will have already checked
+ * the type.
+ */
+ if (rule->matchtype != DNS_SSUMATCHTYPE_DLZ &&
+ !isusertype(type))
continue;
} else {
for (i = 0; i < rule->ntypes; i++) {
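Review bot: The new `rule->matchtype != DNS_SSUMATCHTYPE_DLZ` test skips the `isusertype(type)` filter for DLZ rules, so for a rule with `ntypes == 0` the record type is restricted only by whatever `dns_dlz_ssumatch()` decides. The added comment says the DLZ check "will have already checked the type", but nothing in this hunk enforces that, and a driver callback that ignores `type` would presumably grant updates to types that `isusertype()` excludes for every other match type. I would make the comment state the requirement explicitly, e.g. `/* DLZ drivers are solely responsible for rejecting non-user types here. */`, and repeat it where the driver's ssumatch callback is declared. dns_ssutable_checkrules() starts and ends outside this hunk.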
@@ -550,3 +571,42 @@ dns_ssutable_nextrule(dns_ssurule_t *rule, dns_ssurule_t **nextrule) {
*nextrule = ISC_LIST_NEXT(rule, link);
return (*nextrule != NULL ? ISC_R_SUCCESS : ISC_R_NOMORE);
}
+
+/*
+ * Create a specialised SSU table that points at an external DLZ database
+ */
+isc_result_t
+dns_ssutable_createdlz(isc_mem_t *mctx, dns_ssutable_t **tablep,
+ dns_dlzdb_t *dlzdatabase)
+{
+ isc_result_t result;
+ dns_ssurule_t *rule;
+ dns_ssutable_t *table = NULL;
+
+ REQUIRE(tablep != NULL && *tablep == NULL);
+
+ result = dns_ssutable_create(mctx, &table);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ table->dlzdatabase = dlzdatabase;
+
+ rule = isc_mem_get(table->mctx, sizeof(dns_ssurule_t));
+ if (rule == NULL) {
+ dns_ssutable_detach(&table);
+ return (ISC_R_NOMEMORY);
+ }
+
+ rule->identity = NULL;
+ rule->name = NULL;
+ rule->types = NULL;
+ rule->grant = ISC_TRUE;
+ rule->matchtype = DNS_SSUMATCHTYPE_DLZ;
+ rule->ntypes = 0;
+ rule->types = NULL;
+ rule->magic = SSURULEMAGIC;
+
+ ISC_LIST_INITANDAPPEND(table->rules, rule, link);
+ *tablep = table;
+ return (ISC_R_SUCCESS);
+}
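Review bot: dns_ssutable_createdlz() stores `dlzdatabase` in the table without checking it, and the DLZ case in dns_ssutable_checkrules() later hands `table->dlzdatabase` straight to `dns_dlz_ssumatch()`; a `REQUIRE(dlzdatabase != NULL);` next to the existing `tablep` check would catch a bad caller at creation time. The pointer is kept without taking a reference, so the header comment should say that the DLZ database must outlive the table. No visible hunk initialises the new `dlzdatabase` field in dns_ssutable_create(), so it may be left unset for ordinary tables unless that function zeroes the structure. `rule->types = NULL;` is also assigned twice, and the second assignment can go.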
diff --git a/contrib/bind9/lib/dns/ssu_external.c b/contrib/bind9/lib/dns/ssu_external.c
new file mode 100644
index 000000000000..65ba1b53f6e9
--- /dev/null
+++ b/contrib/bind9/lib/dns/ssu_external.c
@@ -0,0 +1,264 @@
+/*
+ * Copyright (C) 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id$ */
+
+/*
+ * This implements external update-policy rules. This allows permission
+ * to update a zone to be checked by consulting an external daemon (e.g.,
+ * kerberos).
+ */
+
+#include <config.h>
+#include <errno.h>
+#include <unistd.h>
+
+#ifdef ISC_PLATFORM_HAVESYSUNH
+#include <sys/socket.h>
+#include <sys/un.h>
+#endif
+
+#include <isc/magic.h>
+#include <isc/mem.h>
+#include <isc/netaddr.h>
+#include <isc/result.h>
+#include <isc/string.h>
+#include <isc/util.h>
+#include <isc/strerror.h>
+
+#include <dns/fixedname.h>
+#include <dns/name.h>
+#include <dns/ssu.h>
+#include <dns/log.h>
+#include <dns/rdatatype.h>
+
+#include <dst/dst.h>
+
+
+static void
+ssu_e_log(int level, const char *fmt, ...) {
+ va_list ap;
+
+ va_start(ap, fmt);
+ isc_log_vwrite(dns_lctx, DNS_LOGCATEGORY_SECURITY,
+ DNS_LOGMODULE_ZONE, ISC_LOG_DEBUG(level), fmt, ap);
+ va_end(ap);
+}
+
+
+/*
+ * Connect to a UNIX domain socket.
+ */
+static int
+ux_socket_connect(const char *path) {
+ int fd = -1;
+#ifdef ISC_PLATFORM_HAVESYSUNH
+ struct sockaddr_un addr;
+
+ REQUIRE(path != NULL);
+
+ if (strlen(path) > sizeof(addr.sun_path)) {
+ ssu_e_log(3, "ssu_external: socket path '%s' "
+ "longer than system maximum %u",
+ path, sizeof(addr.sun_path));
+ return (-1);
+ }
+
+ memset(&addr, 0, sizeof(addr));
+ addr.sun_family = AF_UNIX;
+ strncpy(addr.sun_path, path, sizeof(addr.sun_path));
+
+ fd = socket(AF_UNIX, SOCK_STREAM, 0);
+ if (fd == -1) {
+ char strbuf[ISC_STRERRORSIZE];
+ isc__strerror(errno, strbuf, sizeof(strbuf));
+ ssu_e_log(3, "ssu_external: unable to create socket - %s",
+ strbuf);
+ return (-1);
+ }
+
+ if (connect(fd, (struct sockaddr *)&addr, sizeof(addr)) == -1) {
+ char strbuf[ISC_STRERRORSIZE];
+ isc__strerror(errno, strbuf, sizeof(strbuf));
+ ssu_e_log(3, "ssu_external: unable to connect to "
+ "socket '%s' - %s",
+ path, strbuf);
+ close(fd);
+ return (-1);
+ }
+#endif
+ return (fd);
+}
+
+/* Change this version if you update the format of the request */
+#define SSU_EXTERNAL_VERSION 1
+
+/*
+ * Perform an update-policy rule check against an external application
+ * over a socket.
+ *
+ * This currently only supports local: for unix domain datagram sockets.
+ *
+ * Note that by using a datagram socket and creating a new socket each
+ * time we avoid the need for locking and allow for parallel access to
+ * the authorization server.
+ */
+isc_boolean_t
+dns_ssu_external_match(dns_name_t *identity,
+ dns_name_t *signer, dns_name_t *name,
+ isc_netaddr_t *tcpaddr, dns_rdatatype_t type,
+ const dst_key_t *key, isc_mem_t *mctx)
+{
+ char b_identity[DNS_NAME_FORMATSIZE];
+ char b_signer[DNS_NAME_FORMATSIZE];
+ char b_name[DNS_NAME_FORMATSIZE];
+ char b_addr[ISC_NETADDR_FORMATSIZE];
+ char b_type[DNS_RDATATYPE_FORMATSIZE];
+ char b_key[DST_KEY_FORMATSIZE];
+ isc_buffer_t *tkey_token = NULL;
+ int fd;
+ const char *sock_path;
+ size_t req_len;
+ isc_region_t token_region;
+ unsigned char *data;
+ isc_buffer_t buf;
+ isc_uint32_t token_len = 0;
+ isc_uint32_t reply;
+ ssize_t ret;
+
+ /* The identity contains local:/path/to/socket */
+ dns_name_format(identity, b_identity, sizeof(b_identity));
+
+ /* For now only local: is supported */
+ if (strncmp(b_identity, "local:", 6) != 0) {
+ ssu_e_log(3, "ssu_external: invalid socket path '%s'",
+ b_identity);
+ return (ISC_FALSE);
+ }
+ sock_path = &b_identity[6];
+
+ fd = ux_socket_connect(sock_path);
+ if (fd == -1)
+ return (ISC_FALSE);
+
+ if (key != NULL) {
+ dst_key_format(key, b_key, sizeof(b_key));
+ tkey_token = dst_key_tkeytoken(key);
+ } else
+ b_key[0] = 0;
+
+ if (tkey_token != NULL) {
+ isc_buffer_region(tkey_token, &token_region);
+ token_len = token_region.length;
+ }
+
+ /* Format the request elements */
+ if (signer != NULL)
+ dns_name_format(signer, b_signer, sizeof(b_signer));
+ else
+ b_signer[0] = 0;
+
+ dns_name_format(name, b_name, sizeof(b_name));
+
+ if (tcpaddr != NULL)
+ isc_netaddr_format(tcpaddr, b_addr, sizeof(b_addr));
+ else
+ b_addr[0] = 0;
+
+ dns_rdatatype_format(type, b_type, sizeof(b_type));
+
+ /* Work out how big the request will be */
+ req_len = sizeof(isc_uint32_t) + /* Format version */
+ sizeof(isc_uint32_t) + /* Length */
+ strlen(b_signer) + 1 + /* Signer */
+ strlen(b_name) + 1 + /* Name */
+ strlen(b_addr) + 1 + /* Address */
+ strlen(b_type) + 1 + /* Type */
+ strlen(b_key) + 1 + /* Key */
+ sizeof(isc_uint32_t) + /* tkey_token length */
+ token_len; /* tkey_token */
+
+
+ /* format the buffer */
+ data = isc_mem_allocate(mctx, req_len);
+ if (data == NULL) {
+ close(fd);
+ return (ISC_FALSE);
+ }
+
+ isc_buffer_init(&buf, data, req_len);
+ isc_buffer_putuint32(&buf, SSU_EXTERNAL_VERSION);
+ isc_buffer_putuint32(&buf, req_len);
+
+ /* Strings must be null-terminated */
+ isc_buffer_putstr(&buf, b_signer);
+ isc_buffer_putuint8(&buf, 0);
+ isc_buffer_putstr(&buf, b_name);
+ isc_buffer_putuint8(&buf, 0);
+ isc_buffer_putstr(&buf, b_addr);
+ isc_buffer_putuint8(&buf, 0);
+ isc_buffer_putstr(&buf, b_type);
+ isc_buffer_putuint8(&buf, 0);
+ isc_buffer_putstr(&buf, b_key);
+ isc_buffer_putuint8(&buf, 0);
+
+ isc_buffer_putuint32(&buf, token_len);
+ if (tkey_token && token_len != 0)
+ isc_buffer_putmem(&buf, token_region.base, token_len);
+
+ ENSURE(isc_buffer_availablelength(&buf) == 0);
+
+ /* Send the request */
+ ret = write(fd, data, req_len);
+ isc_mem_free(mctx, data);
+ if (ret != (ssize_t) req_len) {
+ char strbuf[ISC_STRERRORSIZE];
+ isc__strerror(errno, strbuf, sizeof(strbuf));
+ ssu_e_log(3, "ssu_external: unable to send request - %s",
+ strbuf);
+ close(fd);
+ return (ISC_FALSE);
+ }
+
+ /* Receive the reply */
+ ret = read(fd, &reply, sizeof(isc_uint32_t));
+ if (ret != (ssize_t) sizeof(isc_uint32_t)) {
+ char strbuf[ISC_STRERRORSIZE];
+ isc__strerror(errno, strbuf, sizeof(strbuf));
+ ssu_e_log(3, "ssu_external: unable to receive reply - %s",
+ strbuf);
+ close(fd);
+ return (ISC_FALSE);
+ }
+
+ close(fd);
+
+ reply = ntohl(reply);
+
+ if (reply == 0) {
+ ssu_e_log(3, "ssu_external: denied external auth for '%s'",
+ b_name);
+ return (ISC_FALSE);
+ } else if (reply == 1) {
+ ssu_e_log(3, "ssu_external: allowed external auth for '%s'",
+ b_name);
+ return (ISC_TRUE);
+ }
+
+ ssu_e_log(3, "ssu_external: invalid reply 0x%08x", reply);
+
+ return (ISC_FALSE);
+}
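Review bot: In ux_socket_connect() the length check `strlen(path) > sizeof(addr.sun_path)` lets through a path of exactly `sizeof(addr.sun_path)` bytes, and the following `strncpy()` then fills `sun_path` with no terminating NUL before `connect()` reads it; the check should be `if (strlen(path) >= sizeof(addr.sun_path)) {`. The same log call prints a `size_t` with `%u`. In dns_ssu_external_match() the `write()` and `read()` are blocking with no timeout visible here, so a stalled authorisation daemon would presumably stall the update check, and on a short transfer `errno` is formatted although the call did not set it. The header comment describes datagram sockets while the code opens `SOCK_STREAM`, so the comment should be corrected to match.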
diff --git a/contrib/bind9/lib/dns/stats.c b/contrib/bind9/lib/dns/stats.c
index e49273bf68da..a59dde633217 100644
--- a/contrib/bind9/lib/dns/stats.c
+++ b/contrib/bind9/lib/dns/stats.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2007-2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007-2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: stats.c,v 1.18 2009/01/27 23:47:54 tbox Exp $ */
/*! \file */
diff --git a/contrib/bind9/lib/dns/tkey.c b/contrib/bind9/lib/dns/tkey.c
index 0b38417e087f..0112f7ec760e 100644
--- a/contrib/bind9/lib/dns/tkey.c
+++ b/contrib/bind9/lib/dns/tkey.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2008, 2010-2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001, 2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -101,6 +101,7 @@ dns_tkeyctx_create(isc_mem_t *mctx, isc_entropy_t *ectx, dns_tkeyctx_t **tctxp)
tctx->dhkey = NULL;
tctx->domain = NULL;
tctx->gsscred = NULL;
+ tctx->gssapi_keytab = NULL;
*tctxp = tctx;
return (ISC_R_SUCCESS);
@@ -123,6 +124,9 @@ dns_tkeyctx_destroy(dns_tkeyctx_t **tctxp) {
dns_name_free(tctx->domain, mctx);
isc_mem_put(mctx, tctx->domain, sizeof(dns_name_t));
}
+ if (tctx->gssapi_keytab != NULL) {
+ isc_mem_free(mctx, tctx->gssapi_keytab);
+ }
if (tctx->gsscred != NULL)
dst_gssapi_releasecred(&tctx->gsscred);
isc_entropy_detach(&tctx->ectx);
@@ -434,8 +438,17 @@ process_gsstkey(dns_name_t *name, dns_rdata_tkey_t *tkeyin,
isc_buffer_t *outtoken = NULL;
gss_ctx_id_t gss_ctx = NULL;
- if (tctx->gsscred == NULL)
+ /*
+ * You have to define either a gss credential (principal) to
+ * accept with tkey-gssapi-credential, or you have to
+ * configure a specific keytab (with tkey-gssapi-keytab) in
+ * order to use gsstkey
+ */
+ if (tctx->gsscred == NULL && tctx->gssapi_keytab == NULL) {
+ tkey_log("process_gsstkey(): no tkey-gssapi-credential "
+ "or tkey-gssapi-keytab configured");
return (ISC_R_NOPERM);
+ }
if (!dns_name_equal(&tkeyin->algorithm, DNS_TSIG_GSSAPI_NAME) &&
!dns_name_equal(&tkeyin->algorithm, DNS_TSIG_GSSAPIMS_NAME)) {
@@ -458,7 +471,11 @@ process_gsstkey(dns_name_t *name, dns_rdata_tkey_t *tkeyin,
dns_fixedname_init(&principal);
- result = dst_gssapi_acceptctx(tctx->gsscred, &intoken,
+ /*
+ * Note that tctx->gsscred may be NULL if tctx->gssapi_keytab is set
+ */
+ result = dst_gssapi_acceptctx(tctx->gsscred, tctx->gssapi_keytab,
+ &intoken,
&outtoken, &gss_ctx,
dns_fixedname_name(&principal),
tctx->mctx);
@@ -483,7 +500,8 @@ process_gsstkey(dns_name_t *name, dns_rdata_tkey_t *tkeyin,
#endif
isc_uint32_t expire;
- RETERR(dst_key_fromgssapi(name, gss_ctx, ring->mctx, &dstkey));
+ RETERR(dst_key_fromgssapi(name, gss_ctx, ring->mctx,
+ &dstkey, &intoken));
/*
* Limit keys to 1 hour or the context's lifetime whichever
* is smaller.
@@ -738,8 +756,7 @@ dns_tkey_processquery(dns_message_t *msg, dns_tkeyctx_t *tctx,
}
isc_buffer_init(&b, randomtext, sizeof(randomtext));
isc_buffer_add(&b, sizeof(randomtext));
- result = dns_name_fromtext(keyname, &b, NULL,
- ISC_FALSE, NULL);
+ result = dns_name_fromtext(keyname, &b, NULL, 0, NULL);
if (result != ISC_R_SUCCESS)
goto failure;
}
@@ -989,7 +1006,8 @@ dns_tkey_builddhquery(dns_message_t *msg, dst_key_t *key, dns_name_t *name,
isc_result_t
dns_tkey_buildgssquery(dns_message_t *msg, dns_name_t *name, dns_name_t *gname,
isc_buffer_t *intoken, isc_uint32_t lifetime,
- gss_ctx_id_t *context, isc_boolean_t win2k)
+ gss_ctx_id_t *context, isc_boolean_t win2k,
+ isc_mem_t *mctx, char **err_message)
{
dns_rdata_tkey_t tkey;
isc_result_t result;
@@ -1003,9 +1021,11 @@ dns_tkey_buildgssquery(dns_message_t *msg, dns_name_t *name, dns_name_t *gname,
REQUIRE(name != NULL);
REQUIRE(gname != NULL);
REQUIRE(context != NULL);
+ REQUIRE(mctx != NULL);
isc_buffer_init(&token, array, sizeof(array));
- result = dst_gssapi_initctx(gname, NULL, &token, context);
+ result = dst_gssapi_initctx(gname, NULL, &token, context,
+ mctx, err_message);
if (result != DNS_R_CONTINUE && result != ISC_R_SUCCESS)
return (result);
@@ -1222,7 +1242,7 @@ isc_result_t
dns_tkey_processgssresponse(dns_message_t *qmsg, dns_message_t *rmsg,
dns_name_t *gname, gss_ctx_id_t *context,
isc_buffer_t *outtoken, dns_tsigkey_t **outkey,
- dns_tsig_keyring_t *ring)
+ dns_tsig_keyring_t *ring, char **err_message)
{
dns_rdata_t rtkeyrdata = DNS_RDATA_INIT, qtkeyrdata = DNS_RDATA_INIT;
dns_name_t *tkeyname;
@@ -1236,6 +1256,7 @@ dns_tkey_processgssresponse(dns_message_t *qmsg, dns_message_t *rmsg,
REQUIRE(qmsg != NULL);
REQUIRE(rmsg != NULL);
REQUIRE(gname != NULL);
+ REQUIRE(ring != NULL);
if (outkey != NULL)
REQUIRE(*outkey == NULL);
@@ -1272,10 +1293,11 @@ dns_tkey_processgssresponse(dns_message_t *qmsg, dns_message_t *rmsg,
isc_buffer_init(outtoken, array, sizeof(array));
isc_buffer_init(&intoken, rtkey.key, rtkey.keylen);
- RETERR(dst_gssapi_initctx(gname, &intoken, outtoken, context));
+ RETERR(dst_gssapi_initctx(gname, &intoken, outtoken, context,
+ ring->mctx, err_message));
RETERR(dst_key_fromgssapi(dns_rootname, *context, rmsg->mctx,
- &dstkey));
+ &dstkey, NULL));
RETERR(dns_tsigkey_createfromkey(tkeyname, DNS_TSIG_GSSAPI_NAME,
dstkey, ISC_FALSE, NULL,
@@ -1353,7 +1375,7 @@ isc_result_t
dns_tkey_gssnegotiate(dns_message_t *qmsg, dns_message_t *rmsg,
dns_name_t *server, gss_ctx_id_t *context,
dns_tsigkey_t **outkey, dns_tsig_keyring_t *ring,
- isc_boolean_t win2k)
+ isc_boolean_t win2k, char **err_message)
{
dns_rdata_t rtkeyrdata = DNS_RDATA_INIT, qtkeyrdata = DNS_RDATA_INIT;
dns_name_t *tkeyname;
@@ -1397,12 +1419,13 @@ dns_tkey_gssnegotiate(dns_message_t *qmsg, dns_message_t *rmsg,
isc_buffer_init(&intoken, rtkey.key, rtkey.keylen);
isc_buffer_init(&outtoken, array, sizeof(array));
- result = dst_gssapi_initctx(server, &intoken, &outtoken, context);
+ result = dst_gssapi_initctx(server, &intoken, &outtoken, context,
+ ring->mctx, err_message);
if (result != DNS_R_CONTINUE && result != ISC_R_SUCCESS)
return (result);
RETERR(dst_key_fromgssapi(dns_rootname, *context, rmsg->mctx,
- &dstkey));
+ &dstkey, NULL));
/*
* XXXSRA This seems confused. If we got CONTINUE from initctx,
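Review bot: dns_tkey_gssnegotiate() now dereferences `ring->mctx` in the `dst_gssapi_initctx()` call, but no hunk shown for this function adds the `REQUIRE(ring != NULL);` that this commit adds to dns_tkey_processgssresponse(). Unless the part of the function outside these hunks already asserts it, add `REQUIRE(ring != NULL);` next to the existing argument checks. The new `err_message` out-parameter also deserves a comment saying who frees the string and from which memory context, since it is paired with `ring->mctx` here and with the caller's `mctx` in dns_tkey_buildgssquery().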
diff --git a/contrib/bind9/lib/dns/tsec.c b/contrib/bind9/lib/dns/tsec.c
new file mode 100644
index 000000000000..bfa6195d0d89
--- /dev/null
+++ b/contrib/bind9/lib/dns/tsec.c
@@ -0,0 +1,160 @@
+/*
+ * Copyright (C) 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: tsec.c,v 1.7 2010/12/09 00:54:34 marka Exp $ */
+
+#include <config.h>
+
+#include <isc/mem.h>
+
+#include <dns/tsec.h>
+#include <dns/tsig.h>
+#include <dns/result.h>
+
+#include <dst/dst.h>
+
+#define DNS_TSEC_MAGIC ISC_MAGIC('T', 's', 'e', 'c')
+#define DNS_TSEC_VALID(t) ISC_MAGIC_VALID(t, DNS_TSEC_MAGIC)
+
+/*%
+ * DNS Transaction Security object. We assume this is not shared by
+ * multiple threads, and so the structure does not contain a lock.
+ */
+struct dns_tsec {
+ unsigned int magic;
+ dns_tsectype_t type;
+ isc_mem_t *mctx;
+ union {
+ dns_tsigkey_t *tsigkey;
+ dst_key_t *key;
+ } ukey;
+};
+
+isc_result_t
+dns_tsec_create(isc_mem_t *mctx, dns_tsectype_t type, dst_key_t *key,
+ dns_tsec_t **tsecp)
+{
+ isc_result_t result;
+ dns_tsec_t *tsec;
+ dns_tsigkey_t *tsigkey = NULL;
+ dns_name_t *algname;
+
+ REQUIRE(mctx != NULL);
+ REQUIRE(tsecp != NULL && *tsecp == NULL);
+
+ tsec = isc_mem_get(mctx, sizeof(*tsec));
+ if (tsec == NULL)
+ return (ISC_R_NOMEMORY);
+
+ tsec->type = type;
+ tsec->mctx = mctx;
+
+ switch (type) {
+ case dns_tsectype_tsig:
+ switch (dst_key_alg(key)) {
+ case DST_ALG_HMACMD5:
+ algname = dns_tsig_hmacmd5_name;
+ break;
+ case DST_ALG_HMACSHA1:
+ algname = dns_tsig_hmacsha1_name;
+ break;
+ case DST_ALG_HMACSHA224:
+ algname = dns_tsig_hmacsha224_name;
+ break;
+ case DST_ALG_HMACSHA256:
+ algname = dns_tsig_hmacsha256_name;
+ break;
+ case DST_ALG_HMACSHA384:
+ algname = dns_tsig_hmacsha384_name;
+ break;
+ case DST_ALG_HMACSHA512:
+ algname = dns_tsig_hmacsha512_name;
+ break;
+ default:
+ isc_mem_put(mctx, tsec, sizeof(*tsec));
+ return (DNS_R_BADALG);
+ }
+ result = dns_tsigkey_createfromkey(dst_key_name(key),
+ algname, key, ISC_FALSE,
+ NULL, 0, 0, mctx, NULL,
+ &tsigkey);
+ if (result != ISC_R_SUCCESS) {
+ isc_mem_put(mctx, tsec, sizeof(*tsec));
+ return (result);
+ }
+ tsec->ukey.tsigkey = tsigkey;
+ break;
+ case dns_tsectype_sig0:
+ tsec->ukey.key = key;
+ break;
+ default:
+ INSIST(0);
+ }
+
+ tsec->magic = DNS_TSEC_MAGIC;
+
+ *tsecp = tsec;
+ return (ISC_R_SUCCESS);
+}
+
+void
+dns_tsec_destroy(dns_tsec_t **tsecp) {
+ dns_tsec_t *tsec;
+
+ REQUIRE(tsecp != NULL && *tsecp != NULL);
+ tsec = *tsecp;
+ REQUIRE(DNS_TSEC_VALID(tsec));
+
+ switch (tsec->type) {
+ case dns_tsectype_tsig:
+ dns_tsigkey_detach(&tsec->ukey.tsigkey);
+ break;
+ case dns_tsectype_sig0:
+ dst_key_free(&tsec->ukey.key);
+ break;
+ default:
+ INSIST(0);
+ }
+
+ tsec->magic = 0;
+ isc_mem_put(tsec->mctx, tsec, sizeof(*tsec));
+
+ *tsecp = NULL;
+}
+
+dns_tsectype_t
+dns_tsec_gettype(dns_tsec_t *tsec) {
+ REQUIRE(DNS_TSEC_VALID(tsec));
+
+ return (tsec->type);
+}
+
+void
+dns_tsec_getkey(dns_tsec_t *tsec, void *keyp) {
+ REQUIRE(DNS_TSEC_VALID(tsec));
+ REQUIRE(keyp != NULL);
+
+ switch (tsec->type) {
+ case dns_tsectype_tsig:
+ dns_tsigkey_attach(tsec->ukey.tsigkey, (dns_tsigkey_t **)keyp);
+ break;
+ case dns_tsectype_sig0:
+ *(dst_key_t **)keyp = tsec->ukey.key;
+ break;
+ default:
+ INSIST(0);
+ }
+}
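Review bot: dns_tsec_create() uses `key` without validating it, through `dst_key_alg(key)` in the tsig branch and as a stored pointer in the sig0 branch, so a `REQUIRE(key != NULL);` belongs beside the `mctx` and `tsecp` checks. Ownership differs per type and is not documented in this file: dns_tsec_destroy() calls `dst_key_free()` on the stored key for sig0 but only detaches the derived tsigkey for tsig, and dns_tsec_getkey() returns an attached reference for tsig but a borrowed pointer for sig0. A comment above each function stating who frees the `dst_key_t`, and whether the caller must detach the result, would prevent leaks and double frees at call sites. dns_tsec_getkey() also writes through a `void *`, so the comment should name the pointer type expected for each `dns_tsectype_t`.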
diff --git a/contrib/bind9/lib/dns/tsig.c b/contrib/bind9/lib/dns/tsig.c
index c67f225c4d7e..76c239bb775f 100644
--- a/contrib/bind9/lib/dns/tsig.c
+++ b/contrib/bind9/lib/dns/tsig.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2008, 2010-2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -91,31 +91,6 @@ static dns_name_t gsstsig = {
};
LIBDNS_EXTERNAL_DATA dns_name_t *dns_tsig_gssapi_name = &gsstsig;
-static void
-remove_fromring(dns_tsigkey_t *tkey) {
- if (tkey->generated) {
- ISC_LIST_UNLINK(tkey->ring->lru, tkey, link);
- tkey->ring->generated--;
- }
- (void)dns_rbt_deletename(tkey->ring->keys, &tkey->name, ISC_FALSE);
-}
-
-static void
-adjust_lru(dns_tsigkey_t *tkey) {
- if (tkey->generated) {
- RWLOCK(&tkey->ring->lock, isc_rwlocktype_write);
- /*
- * We may have been removed from the LRU list between
- * removing the read lock and aquiring the write lock.
- */
- if (ISC_LINK_LINKED(tkey, link)) {
- ISC_LIST_UNLINK(tkey->ring->lru, tkey, link);
- ISC_LIST_APPEND(tkey->ring->lru, tkey, link);
- }
- RWUNLOCK(&tkey->ring->lock, isc_rwlocktype_write);
- }
-}
-
/*
* Since Microsoft doesn't follow its own standard, we will use this
* alternate name as a second guess.
@@ -228,8 +203,10 @@ tsig_log(dns_tsigkey_t *key, int level, const char *fmt, ...) {
else
strcpy(namestr, "<null>");
- if (key != NULL && key->generated)
+ if (key != NULL && key->generated && key->creator)
dns_name_format(key->creator, creatorstr, sizeof(creatorstr));
+ else
+ strcpy(creatorstr, "<null>");
va_start(ap, fmt);
vsnprintf(message, sizeof(message), fmt, ap);
@@ -245,6 +222,71 @@ tsig_log(dns_tsigkey_t *key, int level, const char *fmt, ...) {
level, "tsig key '%s': %s", namestr, message);
}
+static void
+remove_fromring(dns_tsigkey_t *tkey) {
+ if (tkey->generated) {
+ ISC_LIST_UNLINK(tkey->ring->lru, tkey, link);
+ tkey->ring->generated--;
+ }
+ (void)dns_rbt_deletename(tkey->ring->keys, &tkey->name, ISC_FALSE);
+}
+
+static void
+adjust_lru(dns_tsigkey_t *tkey) {
+ if (tkey->generated) {
+ RWLOCK(&tkey->ring->lock, isc_rwlocktype_write);
+ /*
+ * We may have been removed from the LRU list between
+ * removing the read lock and aquiring the write lock.
+ */
+ if (ISC_LINK_LINKED(tkey, link)) {
+ ISC_LIST_UNLINK(tkey->ring->lru, tkey, link);
+ ISC_LIST_APPEND(tkey->ring->lru, tkey, link);
+ }
+ RWUNLOCK(&tkey->ring->lock, isc_rwlocktype_write);
+ }
+}
+
+/*
+ * A supplemental routine just to add a key to ring. Note that reference
+ * counter should be counted separately because we may be adding the key
+ * as part of creation of the key, in which case the reference counter was
+ * already initialized. Also note we don't need RWLOCK for the reference
+ * counter: it's protected by a separate lock.
+ */
+static isc_result_t
+keyring_add(dns_tsig_keyring_t *ring, dns_name_t *name,
+ dns_tsigkey_t *tkey)
+{
+ isc_result_t result;
+
+ RWLOCK(&ring->lock, isc_rwlocktype_write);
+ ring->writecount++;
+
+ /*
+ * Do on the fly cleaning. Find some nodes we might not
+ * want around any more.
+ */
+ if (ring->writecount > 10) {
+ cleanup_ring(ring);
+ ring->writecount = 0;
+ }
+
+ result = dns_rbt_addname(ring->keys, name, tkey);
+ if (tkey->generated) {
+ /*
+ * Add the new key to the LRU list and remove the least
+ * recently used key if there are too many keys on the list.
+ */
+ ISC_LIST_INITANDAPPEND(ring->lru, tkey, link);
+ if (ring->generated++ > ring->maxgenerated)
+ remove_fromring(ISC_LIST_HEAD(ring->lru));
+ }
+ RWUNLOCK(&ring->lock, isc_rwlocktype_write);
+
+ return (result);
+}
+
isc_result_t
dns_tsigkey_createfromkey(dns_name_t *name, dns_name_t *algorithm,
dst_key_t *dstkey, isc_boolean_t generated,
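Review bot: keyring_add() ignores a failed `dns_rbt_addname()` when updating the LRU list: for a generated key it still runs `ISC_LIST_INITANDAPPEND(ring->lru, tkey, link)` and `ring->generated++`, whereas the code this replaces in dns_tsigkey_createfromkey() unlocked and jumped to `cleanup_refs` before touching the list. On failure the caller goes to `cleanup_refs`, which presumably releases `tkey` while it is still linked on `ring->lru` and counted in `ring->generated`. Guard the block with the result, `if (result == ISC_R_SUCCESS && tkey->generated) {`. The same path is reached through dns_tsigkeyring_add() later in this file.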
@@ -363,7 +405,7 @@ dns_tsigkey_createfromkey(dns_name_t *name, dns_name_t *algorithm,
tkey->ring = ring;
if (key != NULL)
- refs++;
+ refs = 1;
if (ring != NULL)
refs++;
ret = isc_refcount_init(&tkey->refs, refs);
@@ -379,36 +421,9 @@ dns_tsigkey_createfromkey(dns_name_t *name, dns_name_t *algorithm,
tkey->magic = TSIG_MAGIC;
if (ring != NULL) {
- RWLOCK(&ring->lock, isc_rwlocktype_write);
- ring->writecount++;
-
- /*
- * Do on the fly cleaning. Find some nodes we might not
- * want around any more.
- */
- if (ring->writecount > 10) {
- cleanup_ring(ring);
- ring->writecount = 0;
- }
-
- ret = dns_rbt_addname(ring->keys, name, tkey);
- if (ret != ISC_R_SUCCESS) {
- RWUNLOCK(&ring->lock, isc_rwlocktype_write);
+ ret = keyring_add(ring, name, tkey);
+ if (ret != ISC_R_SUCCESS)
goto cleanup_refs;
- }
-
- if (tkey->generated) {
- /*
- * Add the new key to the LRU list and remove the
- * least recently used key if there are too many
- * keys on the list.
- */
- ISC_LIST_INITANDAPPEND(ring->lru, tkey, link);
- if (ring->generated++ > ring->maxgenerated)
- remove_fromring(ISC_LIST_HEAD(ring->lru));
- }
-
- RWUNLOCK(&ring->lock, isc_rwlocktype_write);
}
/*
@@ -424,6 +439,7 @@ dns_tsigkey_createfromkey(dns_name_t *name, dns_name_t *algorithm,
"the key '%s' is too short to be secure",
namestr);
}
+
if (key != NULL)
*key = tkey;
@@ -512,6 +528,184 @@ cleanup_ring(dns_tsig_keyring_t *ring)
}
}
+static void
+destroyring(dns_tsig_keyring_t *ring) {
+ dns_rbt_destroy(&ring->keys);
+ isc_rwlock_destroy(&ring->lock);
+ isc_mem_putanddetach(&ring->mctx, ring, sizeof(dns_tsig_keyring_t));
+}
+
+static unsigned int
+dst_alg_fromname(dns_name_t *algorithm) {
+ if (dns_name_equal(algorithm, DNS_TSIG_HMACMD5_NAME)) {
+ return (DST_ALG_HMACMD5);
+ } else if (dns_name_equal(algorithm, DNS_TSIG_HMACSHA1_NAME)) {
+ return (DST_ALG_HMACSHA1);
+ } else if (dns_name_equal(algorithm, DNS_TSIG_HMACSHA224_NAME)) {
+ return (DST_ALG_HMACSHA224);
+ } else if (dns_name_equal(algorithm, DNS_TSIG_HMACSHA256_NAME)) {
+ return (DST_ALG_HMACSHA256);
+ } else if (dns_name_equal(algorithm, DNS_TSIG_HMACSHA384_NAME)) {
+ return (DST_ALG_HMACSHA384);
+ } else if (dns_name_equal(algorithm, DNS_TSIG_HMACSHA512_NAME)) {
+ return (DST_ALG_HMACSHA512);
+ } else if (dns_name_equal(algorithm, DNS_TSIG_GSSAPI_NAME)) {
+ return (DST_ALG_GSSAPI);
+ } else if (dns_name_equal(algorithm, DNS_TSIG_GSSAPIMS_NAME)) {
+ return (DST_ALG_GSSAPI);
+ } else
+ return (0);
+}
+
+static isc_result_t
+restore_key(dns_tsig_keyring_t *ring, isc_stdtime_t now, FILE *fp) {
+ dst_key_t *dstkey = NULL;
+ char namestr[1024];
+ char creatorstr[1024];
+ char algorithmstr[1024];
+ char keystr[4096];
+ unsigned int inception, expire;
+ int n;
+ isc_buffer_t b;
+ dns_name_t *name, *creator, *algorithm;
+ dns_fixedname_t fname, fcreator, falgorithm;
+ isc_result_t result;
+ unsigned int dstalg;
+
+ n = fscanf(fp, "%1023s %1023s %u %u %1023s %4095s\n", namestr,
+ creatorstr, &inception, &expire, algorithmstr, keystr);
+ if (n == EOF)
+ return (ISC_R_NOMORE);
+ if (n != 6)
+ return (ISC_R_FAILURE);
+
+ if (isc_serial_lt(expire, now))
+ return (DNS_R_EXPIRED);
+
+ dns_fixedname_init(&fname);
+ name = dns_fixedname_name(&fname);
+ isc_buffer_init(&b, namestr, strlen(namestr));
+ isc_buffer_add(&b, strlen(namestr));
+ result = dns_name_fromtext(name, &b, dns_rootname, 0, NULL);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ dns_fixedname_init(&fcreator);
+ creator = dns_fixedname_name(&fcreator);
+ isc_buffer_init(&b, creatorstr, strlen(creatorstr));
+ isc_buffer_add(&b, strlen(creatorstr));
+ result = dns_name_fromtext(creator, &b, dns_rootname, 0, NULL);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ dns_fixedname_init(&falgorithm);
+ algorithm = dns_fixedname_name(&falgorithm);
+ isc_buffer_init(&b, algorithmstr, strlen(algorithmstr));
+ isc_buffer_add(&b, strlen(algorithmstr));
+ result = dns_name_fromtext(algorithm, &b, dns_rootname, 0, NULL);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ dstalg = dst_alg_fromname(algorithm);
+ if (dstalg == 0)
+ return (DNS_R_BADALG);
+
+ result = dst_key_restore(name, dstalg, DNS_KEYOWNER_ENTITY,
+ DNS_KEYPROTO_DNSSEC, dns_rdataclass_in,
+ ring->mctx, keystr, &dstkey);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ result = dns_tsigkey_createfromkey(name, algorithm, dstkey,
+ ISC_TRUE, creator, inception,
+ expire, ring->mctx, ring, NULL);
+ if (dstkey != NULL)
+ dst_key_free(&dstkey);
+ return (result);
+}
+
+static void
+dump_key(dns_tsigkey_t *tkey, FILE *fp)
+{
+ char *buffer = NULL;
+ int length = 0;
+ char namestr[DNS_NAME_FORMATSIZE];
+ char creatorstr[DNS_NAME_FORMATSIZE];
+ char algorithmstr[DNS_NAME_FORMATSIZE];
+ isc_result_t result;
+
+ dns_name_format(&tkey->name, namestr, sizeof(namestr));
+ dns_name_format(tkey->creator, creatorstr, sizeof(creatorstr));
+ dns_name_format(tkey->algorithm, algorithmstr, sizeof(algorithmstr));
+ result = dst_key_dump(tkey->key, tkey->mctx, &buffer, &length);
+ if (result == ISC_R_SUCCESS)
+ fprintf(fp, "%s %s %u %u %s %.*s\n", namestr, creatorstr,
+ tkey->inception, tkey->expire, algorithmstr,
+ length, buffer);
+ if (buffer != NULL)
+ isc_mem_put(tkey->mctx, buffer, length);
+}
+
+isc_result_t
+dns_tsigkeyring_dumpanddetach(dns_tsig_keyring_t **ringp, FILE *fp) {
+ isc_result_t result;
+ dns_rbtnodechain_t chain;
+ dns_name_t foundname;
+ dns_fixedname_t fixedorigin;
+ dns_name_t *origin;
+ isc_stdtime_t now;
+ dns_rbtnode_t *node;
+ dns_tsigkey_t *tkey;
+ dns_tsig_keyring_t *ring;
+ unsigned int references;
+
+ REQUIRE(ringp != NULL && *ringp != NULL);
+
+ ring = *ringp;
+ *ringp = NULL;
+
+ RWLOCK(&ring->lock, isc_rwlocktype_write);
+ INSIST(ring->references > 0);
+ ring->references--;
+ references = ring->references;
+ RWUNLOCK(&ring->lock, isc_rwlocktype_write);
+
+ if (references != 0)
+ return (DNS_R_CONTINUE);
+
+ isc_stdtime_get(&now);
+ dns_name_init(&foundname, NULL);
+ dns_fixedname_init(&fixedorigin);
+ origin = dns_fixedname_name(&fixedorigin);
+ dns_rbtnodechain_init(&chain, ring->mctx);
+ result = dns_rbtnodechain_first(&chain, ring->keys, &foundname,
+ origin);
+ if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
+ dns_rbtnodechain_invalidate(&chain);
+ goto destroy;
+ }
+
+ for (;;) {
+ node = NULL;
+ dns_rbtnodechain_current(&chain, &foundname, origin, &node);
+ tkey = node->data;
+ if (tkey != NULL && tkey->generated && tkey->expire >= now)
+ dump_key(tkey, fp);
+ result = dns_rbtnodechain_next(&chain, &foundname,
+ origin);
+ if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
+ dns_rbtnodechain_invalidate(&chain);
+ if (result == ISC_R_NOMORE)
+ result = ISC_R_SUCCESS;
+ goto destroy;
+ }
+ }
+
+ destroy:
+ destroyring(ring);
+ return (result);
+}
+
isc_result_t
dns_tsigkey_create(dns_name_t *name, dns_name_t *algorithm,
unsigned char *secret, int length, isc_boolean_t generated,
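Review bot: dump_key() passes `tkey->creator` to `dns_name_format()` unconditionally, while the tsig_log() hunk in this same commit adds a `key->creator` test for generated keys, which suggests a generated key can have no creator. dns_tsigkeyring_dumpanddetach() calls dump_key() for every unexpired generated key, so dump_key() should return early when `tkey->creator == NULL`. The dump holds the output of `dst_key_dump()`, i.e. key material, so the function comment should require that `fp` refers to a file readable only by the server account; the open call is not in this hunk. dump_key() also drops a failed `dst_key_dump()` silently, which is worth a log line.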
@@ -1593,14 +1787,43 @@ dns_tsigkeyring_create(isc_mem_t *mctx, dns_tsig_keyring_t **ringp) {
ring->maxgenerated = DNS_TSIG_MAXGENERATEDKEYS;
ISC_LIST_INIT(ring->lru);
isc_mem_attach(mctx, &ring->mctx);
+ ring->references = 1;
*ringp = ring;
return (ISC_R_SUCCESS);
}
+isc_result_t
+dns_tsigkeyring_add(dns_tsig_keyring_t *ring, dns_name_t *name,
+ dns_tsigkey_t *tkey)
+{
+ isc_result_t result;
+
+ result = keyring_add(ring, name, tkey);
+ if (result == ISC_R_SUCCESS)
+ isc_refcount_increment(&tkey->refs, NULL);
+
+ return (result);
+}
+
void
-dns_tsigkeyring_destroy(dns_tsig_keyring_t **ringp) {
+dns_tsigkeyring_attach(dns_tsig_keyring_t *source, dns_tsig_keyring_t **target)
+{
+ REQUIRE(source != NULL);
+ REQUIRE(target != NULL && *target == NULL);
+
+ RWLOCK(&source->lock, isc_rwlocktype_write);
+ INSIST(source->references > 0);
+ source->references++;
+ INSIST(source->references > 0);
+ *target = source;
+ RWUNLOCK(&source->lock, isc_rwlocktype_write);
+}
+
+void
+dns_tsigkeyring_detach(dns_tsig_keyring_t **ringp) {
dns_tsig_keyring_t *ring;
+ unsigned int references;
REQUIRE(ringp != NULL);
REQUIRE(*ringp != NULL);
@@ -1608,7 +1831,27 @@ dns_tsigkeyring_destroy(dns_tsig_keyring_t **ringp) {
ring = *ringp;
*ringp = NULL;
- dns_rbt_destroy(&ring->keys);
- isc_rwlock_destroy(&ring->lock);
- isc_mem_putanddetach(&ring->mctx, ring, sizeof(dns_tsig_keyring_t));
+ RWLOCK(&ring->lock, isc_rwlocktype_write);
+ INSIST(ring->references > 0);
+ ring->references--;
+ references = ring->references;
+ RWUNLOCK(&ring->lock, isc_rwlocktype_write);
+
+ if (references == 0)
+ destroyring(ring);
+}
+
+void
+dns_keyring_restore(dns_tsig_keyring_t *ring, FILE *fp) {
+ isc_stdtime_t now;
+ isc_result_t result;
+
+ isc_stdtime_get(&now);
+ do {
+ result = restore_key(ring, now, fp);
+ if (result == ISC_R_NOMORE)
+ return;
+ if (result == DNS_R_BADALG || result == DNS_R_EXPIRED)
+ result = ISC_R_SUCCESS;
+ } while (result == ISC_R_SUCCESS);
}
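Review bot: dns_keyring_restore() returns `void` and leaves the loop on any result other than success, bad algorithm or expiry, so a single malformed line seen by `fscanf()` in restore_key() silently discards every key after it. Since the file is parsed as input, I would log the failing result before returning, or return `isc_result_t` so the caller can report it. The function also lacks argument checks such as the `REQUIRE(source != NULL)` used by dns_tsigkeyring_attach(), and its name breaks the `dns_tsigkeyring_` prefix used by the other functions added here.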
diff --git a/contrib/bind9/lib/dns/validator.c b/contrib/bind9/lib/dns/validator.c
index 27e149b38d87..674675fc7396 100644
--- a/contrib/bind9/lib/dns/validator.c
+++ b/contrib/bind9/lib/dns/validator.c
@@ -28,17 +28,17 @@
#include <isc/util.h>
#include <dns/db.h>
-#include <dns/ds.h>
#include <dns/dnssec.h>
+#include <dns/ds.h>
#include <dns/events.h>
#include <dns/keytable.h>
+#include <dns/keyvalues.h>
#include <dns/log.h>
#include <dns/message.h>
#include <dns/ncache.h>
#include <dns/nsec.h>
#include <dns/nsec3.h>
#include <dns/rdata.h>
-#include <dns/rdatastruct.h>
#include <dns/rdataset.h>
#include <dns/rdatatype.h>
#include <dns/resolver.h>
@@ -255,9 +255,17 @@ dlv_algorithm_supported(dns_validator_t *val) {
dlv.algorithm))
continue;
+#ifdef HAVE_OPENSSL_GOST
+ if (dlv.digest_type != DNS_DSDIGEST_SHA256 &&
+ dlv.digest_type != DNS_DSDIGEST_SHA1 &&
+ dlv.digest_type != DNS_DSDIGEST_GOST)
+ continue;
+#else
if (dlv.digest_type != DNS_DSDIGEST_SHA256 &&
dlv.digest_type != DNS_DSDIGEST_SHA1)
continue;
+#endif
+
return (ISC_TRUE);
}
@@ -382,7 +390,7 @@ isdelegation(dns_name_t *name, dns_rdataset_t *rdataset,
}
/*%
- * We have been asked to to look for a key.
+ * We have been asked to look for a key.
* If found resume the validation process.
* If not found fail the validation process.
*/
@@ -586,7 +594,8 @@ dsfetched2(isc_task_t *task, isc_event_t *event) {
isdelegation(tname, &val->frdataset, eresult)) {
if (val->mustbesecure) {
validator_log(val, ISC_LOG_WARNING,
- "must be secure failure");
+ "must be secure failure, no DS"
+ " and this is a delegation");
validator_done(val, DNS_R_MUSTBESECURE);
} else if (val->view->dlv == NULL || DLVTRIED(val)) {
markanswer(val, "dsfetched2");
@@ -1149,7 +1158,7 @@ nsec3noexistnodata(dns_validator_t *val, dns_name_t* name,
if (ns && !soa) {
if (!atparent) {
/*
- * This NSEC record is from somewhere
+ * This NSEC3 record is from somewhere
* higher in the DNS, and at the
* parent of a delegation. It can not
* be legitimately used here.
@@ -1160,7 +1169,7 @@ nsec3noexistnodata(dns_validator_t *val, dns_name_t* name,
}
} else if (atparent && ns && soa) {
/*
- * This NSEC record is from the child.
+ * This NSEC3 record is from the child.
* It can not be legitimately used here.
*/
validator_log(val, ISC_LOG_DEBUG(3),
@@ -1563,8 +1572,11 @@ create_fetch(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type,
if (dns_rdataset_isassociated(&val->fsigrdataset))
dns_rdataset_disassociate(&val->fsigrdataset);
- if (check_deadlock(val, name, type, NULL, NULL))
+ if (check_deadlock(val, name, type, NULL, NULL)) {
+ validator_log(val, ISC_LOG_DEBUG(3),
+ "deadlock found (create_fetch)");
return (DNS_R_NOVALIDSIG);
+ }
validator_logcreate(val, name, type, caller, "fetch");
return (dns_resolver_createfetch(val->view->resolver, name, type,
@@ -1586,8 +1598,11 @@ create_validator(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type,
{
isc_result_t result;
- if (check_deadlock(val, name, type, rdataset, sigrdataset))
+ if (check_deadlock(val, name, type, rdataset, sigrdataset)) {
+ validator_log(val, ISC_LOG_DEBUG(3),
+ "deadlock found (create_validator)");
return (DNS_R_NOVALIDSIG);
+ }
validator_logcreate(val, name, type, caller, "validator");
result = dns_validator_create(val->view, name, type,
@@ -1826,16 +1841,23 @@ compute_keytag(dns_rdata_t *rdata, dns_rdata_dnskey_t *key) {
*/
static isc_boolean_t
isselfsigned(dns_validator_t *val) {
+ dns_fixedname_t fixed;
dns_rdataset_t *rdataset, *sigrdataset;
dns_rdata_t rdata = DNS_RDATA_INIT;
dns_rdata_t sigrdata = DNS_RDATA_INIT;
dns_rdata_dnskey_t key;
dns_rdata_rrsig_t sig;
dns_keytag_t keytag;
+ dns_name_t *name;
isc_result_t result;
+ dst_key_t *dstkey;
+ isc_mem_t *mctx;
+ isc_boolean_t answer = ISC_FALSE;
rdataset = val->event->rdataset;
sigrdataset = val->event->sigrdataset;
+ name = val->event->name;
+ mctx = val->view->mctx;
INSIST(rdataset->type == dns_rdatatype_dnskey);
@@ -1857,12 +1879,31 @@ isselfsigned(dns_validator_t *val) {
result = dns_rdata_tostruct(&sigrdata, &sig, NULL);
RUNTIME_CHECK(result == ISC_R_SUCCESS);
- if (sig.algorithm == key.algorithm &&
- sig.keyid == keytag)
- return (ISC_TRUE);
+ if (sig.algorithm != key.algorithm ||
+ sig.keyid != keytag ||
+ !dns_name_equal(name, &sig.signer))
+ continue;
+
+ dstkey = NULL;
+ result = dns_dnssec_keyfromrdata(name, &rdata, mctx,
+ &dstkey);
+ if (result != ISC_R_SUCCESS)
+ continue;
+
+ result = dns_dnssec_verify2(name, rdataset, dstkey,
+ ISC_TRUE, mctx, &sigrdata,
+ dns_fixedname_name(&fixed));
+ dst_key_free(&dstkey);
+ if (result != ISC_R_SUCCESS)
+ continue;
+ if ((key.flags & DNS_KEYFLAG_REVOKE) == 0) {
+ answer = ISC_TRUE;
+ continue;
+ }
+ dns_view_untrust(val->view, name, &key, mctx);
}
}
- return (ISC_FALSE);
+ return (answer);
}
/*%
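Review bot: The new `dns_dnssec_verify2()` call passes `dns_fixedname_name(&fixed)`, but neither `isselfsigned()` hunk shows a `dns_fixedname_init(&fixed)` after the declaration added in the previous hunk. If the lines between the two hunks do not initialise it either, the verifier is handed an uninitialised name structure; add `dns_fixedname_init(&fixed);` next to the new `name`/`mctx` assignments. The function's header comment should also say that the routine now has a side effect: a key that verifies its own RRset but carries `DNS_KEYFLAG_REVOKE` is passed to `dns_view_untrust()` and does not set the return value.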
@@ -2022,6 +2063,8 @@ validate(dns_validator_t *val, isc_boolean_t resume) {
break;
}
val->key = dns_keynode_key(val->keynode);
+ if (val->key == NULL)
+ break;
} else {
if (get_dst_key(val, val->siginfo, val->keyset)
!= ISC_R_SUCCESS)
@@ -2032,17 +2075,13 @@ validate(dns_validator_t *val, isc_boolean_t resume) {
validator_log(val, ISC_LOG_DEBUG(3),
"failed to verify rdataset");
else {
- isc_uint32_t ttl;
isc_stdtime_t now;
isc_stdtime_get(&now);
- ttl = ISC_MIN(event->rdataset->ttl,
- ISC_MIN(val->siginfo->originalttl,
- val->siginfo->timeexpire - now));
- if (val->keyset != NULL)
- ttl = ISC_MIN(ttl, val->keyset->ttl);
- event->rdataset->ttl = ttl;
- event->sigrdataset->ttl = ttl;
+ dns_rdataset_trimttl(event->rdataset,
+ event->sigrdataset,
+ val->siginfo, now,
+ val->view->acceptexpired);
}
if (val->keynode != NULL)
@@ -2069,7 +2108,8 @@ validate(dns_validator_t *val, isc_boolean_t resume) {
} else if (result == ISC_R_SUCCESS) {
marksecure(event);
validator_log(val, ISC_LOG_DEBUG(3),
- "marking as secure");
+ "marking as secure, "
+ "noqname proof not needed");
return (result);
} else {
validator_log(val, ISC_LOG_DEBUG(3),
@@ -2090,25 +2130,102 @@ validate(dns_validator_t *val, isc_boolean_t resume) {
}
/*%
+ * Check whether this DNSKEY (keyrdata) signed the DNSKEY RRset
+ * (val->event->rdataset).
+ */
+static isc_result_t
+checkkey(dns_validator_t *val, dns_rdata_t *keyrdata, isc_uint16_t keyid,
+ dns_secalg_t algorithm)
+{
+ dns_rdata_rrsig_t sig;
+ dst_key_t *dstkey = NULL;
+ isc_result_t result;
+
+ for (result = dns_rdataset_first(val->event->sigrdataset);
+ result == ISC_R_SUCCESS;
+ result = dns_rdataset_next(val->event->sigrdataset))
+ {
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+
+ dns_rdataset_current(val->event->sigrdataset, &rdata);
+ result = dns_rdata_tostruct(&rdata, &sig, NULL);
+ RUNTIME_CHECK(result == ISC_R_SUCCESS);
+ if (keyid != sig.keyid || algorithm != sig.algorithm)
+ continue;
+ if (dstkey == NULL) {
+ result = dns_dnssec_keyfromrdata(val->event->name,
+ keyrdata,
+ val->view->mctx,
+ &dstkey);
+ if (result != ISC_R_SUCCESS)
+ /*
+ * This really shouldn't happen, but...
+ */
+ continue;
+ }
+ result = verify(val, dstkey, &rdata, sig.keyid);
+ if (result == ISC_R_SUCCESS)
+ break;
+ }
+ if (dstkey != NULL)
+ dst_key_free(&dstkey);
+ return (result);
+}
+
+/*%
+ * Find the DNSKEY that corresponds to the DS.
+ */
+static isc_result_t
+keyfromds(dns_validator_t *val, dns_rdataset_t *rdataset, dns_rdata_t *dsrdata,
+ isc_uint8_t digest, isc_uint16_t keyid, dns_secalg_t algorithm,
+ dns_rdata_t *keyrdata)
+{
+ dns_keytag_t keytag;
+ dns_rdata_dnskey_t key;
+ isc_result_t result;
+ unsigned char dsbuf[DNS_DS_BUFFERSIZE];
+
+ for (result = dns_rdataset_first(rdataset);
+ result == ISC_R_SUCCESS;
+ result = dns_rdataset_next(rdataset))
+ {
+ dns_rdata_t newdsrdata = DNS_RDATA_INIT;
+
+ dns_rdata_reset(keyrdata);
+ dns_rdataset_current(rdataset, keyrdata);
+ result = dns_rdata_tostruct(keyrdata, &key, NULL);
+ RUNTIME_CHECK(result == ISC_R_SUCCESS);
+ keytag = compute_keytag(keyrdata, &key);
+ if (keyid != keytag || algorithm != key.algorithm)
+ continue;
+ dns_rdata_reset(&newdsrdata);
+ result = dns_ds_buildrdata(val->event->name, keyrdata, digest,
+ dsbuf, &newdsrdata);
+ if (result != ISC_R_SUCCESS) {
+ validator_log(val, ISC_LOG_DEBUG(3),
+ "dns_ds_buildrdata() -> %s",
+ dns_result_totext(result));
+ continue;
+ }
+ if (dns_rdata_compare(dsrdata, &newdsrdata) == 0)
+ break;
+ }
+ return (result);
+}
+
+/*%
* Validate the DNSKEY RRset by looking for a DNSKEY that matches a
* DLV record and that also verifies the DNSKEY RRset.
*/
static isc_result_t
dlv_validatezonekey(dns_validator_t *val) {
- dns_keytag_t keytag;
dns_rdata_dlv_t dlv;
- dns_rdata_dnskey_t key;
- dns_rdata_rrsig_t sig;
dns_rdata_t dlvrdata = DNS_RDATA_INIT;
dns_rdata_t keyrdata = DNS_RDATA_INIT;
- dns_rdata_t newdsrdata = DNS_RDATA_INIT;
- dns_rdata_t sigrdata = DNS_RDATA_INIT;
dns_rdataset_t trdataset;
- dst_key_t *dstkey;
isc_boolean_t supported_algorithm;
isc_result_t result;
- unsigned char dsbuf[DNS_DS_BUFFERSIZE];
- isc_uint8_t digest_type;
+ char digest_types[256];
validator_log(val, ISC_LOG_DEBUG(3), "dlv_validatezonekey");
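Review bot: `checkkey()` matches an RRSIG on key tag and algorithm only, whereas the loop it replaces in `validatezonekey()` (removed in the `@@ -2595,38 +2655,11 @@` hunk) also skipped signatures whose signer name differed from `val->event->name` and logged "DNSKEY signer mismatch". The DLV loop it also replaces never had that test, so the shared helper follows the weaker of the two. Unless `verify()`, which is not visible in this diff, enforces the signer name itself, keep the check in the helper with `if (!dns_name_equal(val->event->name, &sig.signer)) continue;` after the keyid/algorithm comparison.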
@@ -2125,7 +2242,7 @@ dlv_validatezonekey(dns_validator_t *val) {
* need to ignore DNS_DSDIGEST_SHA1 if a DNS_DSDIGEST_SHA256
* is present.
*/
- digest_type = DNS_DSDIGEST_SHA1;
+ memset(digest_types, 1, sizeof(digest_types));
for (result = dns_rdataset_first(&val->dlv);
result == ISC_R_SUCCESS;
result = dns_rdataset_next(&val->dlv)) {
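Review bot: The `memset(digest_types, 1, ...)` line turns the single expected digest type into a 256-entry table in which every type starts out allowed, but the comment above it still only describes ignoring SHA-1 when SHA-256 is present. A short comment at the `memset` would state the new contract, e.g. `/* digest_types[t] == 0 means records with digest type t are skipped; all types start enabled. */`. It should also say that rejecting unknown digest types is presumably left to the support check whose tail is visible in the `@@ -2159,7 +2276,7 @@` hunk. The same applies to the identical change in `validatezonekey()` (`@@ -2517,7 +2596,7 @@`).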
@@ -2141,7 +2258,7 @@ dlv_validatezonekey(dns_validator_t *val) {
if (dlv.digest_type == DNS_DSDIGEST_SHA256 &&
dlv.length == ISC_SHA256_DIGESTLENGTH) {
- digest_type = DNS_DSDIGEST_SHA256;
+ digest_types[DNS_DSDIGEST_SHA1] = 0;
break;
}
}
@@ -2159,7 +2276,7 @@ dlv_validatezonekey(dns_validator_t *val) {
dlv.digest_type))
continue;
- if (dlv.digest_type != digest_type)
+ if (digest_types[dlv.digest_type] == 0)
continue;
if (!dns_resolver_algorithm_supported(val->view->resolver,
@@ -2172,70 +2289,27 @@ dlv_validatezonekey(dns_validator_t *val) {
dns_rdataset_init(&trdataset);
dns_rdataset_clone(val->event->rdataset, &trdataset);
- for (result = dns_rdataset_first(&trdataset);
- result == ISC_R_SUCCESS;
- result = dns_rdataset_next(&trdataset))
- {
- dns_rdata_reset(&keyrdata);
- dns_rdataset_current(&trdataset, &keyrdata);
- result = dns_rdata_tostruct(&keyrdata, &key, NULL);
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
- keytag = compute_keytag(&keyrdata, &key);
- if (dlv.key_tag != keytag ||
- dlv.algorithm != key.algorithm)
- continue;
- dns_rdata_reset(&newdsrdata);
- result = dns_ds_buildrdata(val->event->name,
- &keyrdata, dlv.digest_type,
- dsbuf, &newdsrdata);
- if (result != ISC_R_SUCCESS) {
- validator_log(val, ISC_LOG_DEBUG(3),
- "dns_ds_buildrdata() -> %s",
- dns_result_totext(result));
- continue;
- }
- /* Covert to DLV */
- newdsrdata.type = dns_rdatatype_dlv;
- if (dns_rdata_compare(&dlvrdata, &newdsrdata) == 0)
- break;
- }
+ /*
+ * Convert to DLV to DS and find matching DNSKEY.
+ */
+ dlvrdata.type = dns_rdatatype_ds;
+ result = keyfromds(val, &trdataset, &dlvrdata,
+ dlv.digest_type, dlv.key_tag,
+ dlv.algorithm, &keyrdata);
if (result != ISC_R_SUCCESS) {
dns_rdataset_disassociate(&trdataset);
validator_log(val, ISC_LOG_DEBUG(3),
"no DNSKEY matching DLV");
continue;
}
+
validator_log(val, ISC_LOG_DEBUG(3),
"Found matching DLV record: checking for signature");
+ /*
+ * Check that this DNSKEY signed the DNSKEY rrset.
+ */
+ result = checkkey(val, &keyrdata, dlv.key_tag, dlv.algorithm);
- for (result = dns_rdataset_first(val->event->sigrdataset);
- result == ISC_R_SUCCESS;
- result = dns_rdataset_next(val->event->sigrdataset))
- {
- dns_rdata_reset(&sigrdata);
- dns_rdataset_current(val->event->sigrdataset,
- &sigrdata);
- result = dns_rdata_tostruct(&sigrdata, &sig, NULL);
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
- if (dlv.key_tag != sig.keyid ||
- dlv.algorithm != sig.algorithm)
- continue;
- dstkey = NULL;
- result = dns_dnssec_keyfromrdata(val->event->name,
- &keyrdata,
- val->view->mctx,
- &dstkey);
- if (result != ISC_R_SUCCESS)
- /*
- * This really shouldn't happen, but...
- */
- continue;
-
- result = verify(val, dstkey, &sigrdata, sig.keyid);
- dst_key_free(&dstkey);
- if (result == ISC_R_SUCCESS)
- break;
- }
dns_rdataset_disassociate(&trdataset);
if (result == ISC_R_SUCCESS)
break;
@@ -2244,12 +2318,13 @@ dlv_validatezonekey(dns_validator_t *val) {
}
if (result == ISC_R_SUCCESS) {
marksecure(val->event);
- validator_log(val, ISC_LOG_DEBUG(3), "marking as secure");
+ validator_log(val, ISC_LOG_DEBUG(3), "marking as secure (dlv)");
return (result);
} else if (result == ISC_R_NOMORE && !supported_algorithm) {
if (val->mustbesecure) {
validator_log(val, ISC_LOG_WARNING,
- "must be secure failure");
+ "must be secure failure,"
+ "no supported algorithm/digest (dlv)");
return (DNS_R_MUSTBESECURE);
}
validator_log(val, ISC_LOG_DEBUG(3),
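Review bot: The adjacent literals `"must be secure failure,"` and `"no supported algorithm/digest (dlv)"` concatenate without a space, so the warning reads `failure,no supported`; the DS counterpart added in `validatezonekey()` has the space. Change the first literal to `"must be secure failure, "`. The `startfinddlvsep()` hunk (`@@ -3445,7 +3475,8 @@`) has the opposite slip: `"must be secure failure, "` followed by `" %s is under DLV (startfinddlvsep)"` yields two spaces. Uniform wording makes these warnings easier to match in log monitoring.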
@@ -2261,7 +2336,8 @@ dlv_validatezonekey(dns_validator_t *val) {
}
/*%
- * Attempts positive response validation of an RRset containing zone keys.
+ * Attempts positive response validation of an RRset containing zone keys
+ * (i.e. a DNSKEY rrset).
*
* Returns:
* \li ISC_R_SUCCESS Validation completed successfully
@@ -2275,19 +2351,15 @@ validatezonekey(dns_validator_t *val) {
dns_validatorevent_t *event;
dns_rdataset_t trdataset;
dns_rdata_t dsrdata = DNS_RDATA_INIT;
- dns_rdata_t newdsrdata = DNS_RDATA_INIT;
dns_rdata_t keyrdata = DNS_RDATA_INIT;
dns_rdata_t sigrdata = DNS_RDATA_INIT;
- unsigned char dsbuf[DNS_DS_BUFFERSIZE];
char namebuf[DNS_NAME_FORMATSIZE];
- dns_keytag_t keytag;
dns_rdata_ds_t ds;
- dns_rdata_dnskey_t key;
dns_rdata_rrsig_t sig;
dst_key_t *dstkey;
isc_boolean_t supported_algorithm;
isc_boolean_t atsep = ISC_FALSE;
- isc_uint8_t digest_type;
+ char digest_types[256];
/*
* Caller must be holding the validator lock.
@@ -2336,8 +2408,7 @@ validatezonekey(dns_validator_t *val) {
result = dns_keytable_findkeynode(val->keytable,
val->event->name,
sig.algorithm,
- sig.keyid,
- &keynode);
+ sig.keyid, &keynode);
if (result == ISC_R_NOTFOUND &&
dns_keytable_finddeepestmatch(val->keytable,
val->event->name, found) != ISC_R_SUCCESS) {
@@ -2361,11 +2432,18 @@ validatezonekey(dns_validator_t *val) {
while (result == ISC_R_SUCCESS) {
dns_keynode_t *nextnode = NULL;
dstkey = dns_keynode_key(keynode);
+ if (dstkey == NULL) {
+ dns_keytable_detachkeynode(
+ val->keytable,
+ &keynode);
+ break;
+ }
result = verify(val, dstkey, &sigrdata,
sig.keyid);
if (result == ISC_R_SUCCESS) {
- dns_keytable_detachkeynode(val->keytable,
- &keynode);
+ dns_keytable_detachkeynode(
+ val->keytable,
+ &keynode);
break;
}
result = dns_keytable_findnextkeynode(
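Review bot: The added `dstkey == NULL` branch leaves the loop with `result` still equal to `ISC_R_SUCCESS`, because `while (result == ISC_R_SUCCESS)` is the only way into the body and nothing reassigns it before the `break`. The other `break` in this loop is the verified-signature case, so the code after the loop (outside this hunk) cannot tell "trust anchor has no key" from "signature verified". Set a failure value before leaving, e.g. `result = ISC_R_NOTFOUND;` ahead of the `break` (or whichever code the following lines expect). Otherwise confirm that the follow-on code never treats success here as a validated DNSKEY RRset.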
@@ -2395,8 +2473,8 @@ validatezonekey(dns_validator_t *val) {
sizeof(namebuf));
validator_log(val, ISC_LOG_NOTICE,
"unable to find a DNSKEY which verifies "
- "the DNSKEY RRset and also matches one "
- "of specified trusted-keys for '%s'",
+ "the DNSKEY RRset and also matches a "
+ "trusted key for '%s'",
namebuf);
validator_log(val, ISC_LOG_NOTICE,
"please check the 'trusted-keys' for "
@@ -2493,7 +2571,8 @@ validatezonekey(dns_validator_t *val) {
if (val->dsset->trust < dns_trust_secure) {
if (val->mustbesecure) {
validator_log(val, ISC_LOG_WARNING,
- "must be secure failure");
+ "must be secure failure,"
+ " insecure DS");
return (DNS_R_MUSTBESECURE);
}
if (val->view->dlv == NULL || DLVTRIED(val)) {
@@ -2517,7 +2596,7 @@ validatezonekey(dns_validator_t *val) {
* need to ignore DNS_DSDIGEST_SHA1 if a DNS_DSDIGEST_SHA256
* is present.
*/
- digest_type = DNS_DSDIGEST_SHA1;
+ memset(digest_types, 1, sizeof(digest_types));
for (result = dns_rdataset_first(val->dsset);
result == ISC_R_SUCCESS;
result = dns_rdataset_next(val->dsset)) {
@@ -2533,7 +2612,7 @@ validatezonekey(dns_validator_t *val) {
if (ds.digest_type == DNS_DSDIGEST_SHA256 &&
ds.length == ISC_SHA256_DIGESTLENGTH) {
- digest_type = DNS_DSDIGEST_SHA256;
+ digest_types[DNS_DSDIGEST_SHA1] = 0;
break;
}
}
@@ -2551,7 +2630,7 @@ validatezonekey(dns_validator_t *val) {
ds.digest_type))
continue;
- if (ds.digest_type != digest_type)
+ if (digest_types[ds.digest_type] == 0)
continue;
if (!dns_resolver_algorithm_supported(val->view->resolver,
@@ -2565,29 +2644,10 @@ validatezonekey(dns_validator_t *val) {
dns_rdataset_clone(val->event->rdataset, &trdataset);
/*
- * Look for the KEY that matches the DS record.
+ * Find matching DNSKEY from DS.
*/
- for (result = dns_rdataset_first(&trdataset);
- result == ISC_R_SUCCESS;
- result = dns_rdataset_next(&trdataset))
- {
- dns_rdata_reset(&keyrdata);
- dns_rdataset_current(&trdataset, &keyrdata);
- result = dns_rdata_tostruct(&keyrdata, &key, NULL);
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
- keytag = compute_keytag(&keyrdata, &key);
- if (ds.key_tag != keytag ||
- ds.algorithm != key.algorithm)
- continue;
- dns_rdata_reset(&newdsrdata);
- result = dns_ds_buildrdata(val->event->name,
- &keyrdata, ds.digest_type,
- dsbuf, &newdsrdata);
- if (result != ISC_R_SUCCESS)
- continue;
- if (dns_rdata_compare(&dsrdata, &newdsrdata) == 0)
- break;
- }
+ result = keyfromds(val, &trdataset, &dsrdata, ds.digest_type,
+ ds.key_tag, ds.algorithm, &keyrdata);
if (result != ISC_R_SUCCESS) {
dns_rdataset_disassociate(&trdataset);
validator_log(val, ISC_LOG_DEBUG(3),
@@ -2595,38 +2655,11 @@ validatezonekey(dns_validator_t *val) {
continue;
}
- for (result = dns_rdataset_first(val->event->sigrdataset);
- result == ISC_R_SUCCESS;
- result = dns_rdataset_next(val->event->sigrdataset))
- {
- dns_rdata_reset(&sigrdata);
- dns_rdataset_current(val->event->sigrdataset,
- &sigrdata);
- result = dns_rdata_tostruct(&sigrdata, &sig, NULL);
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
- if (ds.key_tag != sig.keyid ||
- ds.algorithm != sig.algorithm)
- continue;
- if (!dns_name_equal(val->event->name, &sig.signer)) {
- validator_log(val, ISC_LOG_DEBUG(3),
- "DNSKEY signer mismatch");
- continue;
- }
- dstkey = NULL;
- result = dns_dnssec_keyfromrdata(val->event->name,
- &keyrdata,
- val->view->mctx,
- &dstkey);
- if (result != ISC_R_SUCCESS)
- /*
- * This really shouldn't happen, but...
- */
- continue;
- result = verify(val, dstkey, &sigrdata, sig.keyid);
- dst_key_free(&dstkey);
- if (result == ISC_R_SUCCESS)
- break;
- }
+ /*
+ * Check that this DNSKEY signed the DNSKEY rrset.
+ */
+ result = checkkey(val, &keyrdata, ds.key_tag, ds.algorithm);
+
dns_rdataset_disassociate(&trdataset);
if (result == ISC_R_SUCCESS)
break;
@@ -2635,20 +2668,24 @@ validatezonekey(dns_validator_t *val) {
}
if (result == ISC_R_SUCCESS) {
marksecure(event);
- validator_log(val, ISC_LOG_DEBUG(3), "marking as secure");
+ validator_log(val, ISC_LOG_DEBUG(3), "marking as secure (DS)");
return (result);
} else if (result == ISC_R_NOMORE && !supported_algorithm) {
if (val->mustbesecure) {
validator_log(val, ISC_LOG_WARNING,
- "must be secure failure");
+ "must be secure failure, "
+ "no supported algorithm/digest (DS)");
return (DNS_R_MUSTBESECURE);
}
validator_log(val, ISC_LOG_DEBUG(3),
"no supported algorithm/digest (DS)");
markanswer(val, "validatezonekey (3)");
return (ISC_R_SUCCESS);
- } else
+ } else {
+ validator_log(val, ISC_LOG_INFO,
+ "no valid signature found (DS)");
return (DNS_R_NOVALIDSIG);
+ }
}
/*%
@@ -3048,13 +3085,11 @@ validate_authority(dns_validator_t *val, isc_boolean_t resume) {
* infinite loop. Avoid that.
*/
if (val->event->type == dns_rdatatype_dnskey &&
+ rdataset->type == dns_rdatatype_nsec &&
dns_name_equal(name, val->event->name))
{
dns_rdata_t nsec = DNS_RDATA_INIT;
- if (rdataset->type != dns_rdatatype_nsec)
- continue;
-
result = dns_rdataset_first(rdataset);
if (result != ISC_R_SUCCESS)
return (result);
@@ -3128,13 +3163,11 @@ validate_ncache(dns_validator_t *val, isc_boolean_t resume) {
* infinite loop. Avoid that.
*/
if (val->event->type == dns_rdatatype_dnskey &&
+ rdataset->type == dns_rdatatype_nsec &&
dns_name_equal(name, val->event->name))
{
dns_rdata_t nsec = DNS_RDATA_INIT;
- if (rdataset->type != dns_rdatatype_nsec)
- continue;
-
result = dns_rdataset_first(rdataset);
if (result != ISC_R_SUCCESS)
return (result);
@@ -3194,9 +3227,7 @@ nsecvalidate(dns_validator_t *val, isc_boolean_t resume) {
findnsec3proofs(val);
if (FOUNDNOQNAME(val) && FOUNDCLOSEST(val)) {
validator_log(val, ISC_LOG_DEBUG(3),
- "noqname proof found");
- validator_log(val, ISC_LOG_DEBUG(3),
- "marking as secure");
+ "marking as secure, noqname proof found");
marksecure(val->event);
return (ISC_R_SUCCESS);
} else if (FOUNDOPTOUT(val) &&
@@ -3243,7 +3274,6 @@ nsecvalidate(dns_validator_t *val, isc_boolean_t resume) {
marksecure(val->event);
return (ISC_R_SUCCESS);
}
- findnsec3proofs(val);
if (val->authfail != 0 && val->authcount == val->authfail)
return (DNS_R_BROKENCHAIN);
@@ -3445,7 +3475,8 @@ startfinddlvsep(dns_validator_t *val, dns_name_t *unsecure) {
namebuf);
if (dns_name_issubdomain(val->event->name, val->view->dlv)) {
- validator_log(val, ISC_LOG_WARNING, "must be secure failure");
+ validator_log(val, ISC_LOG_WARNING, "must be secure failure, "
+ " %s is under DLV (startfinddlvsep)", namebuf);
return (DNS_R_MUSTBESECURE);
}
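Review bot: The new message prints `namebuf` as the name that is under DLV, but this hunk does not format `val->event->name` into it. `namebuf` still holds whatever the call ending on the context line above wrote, and that call's name argument is outside the hunk. The matching change in `finddlvsep()` adds `dns_name_format(val->event->name, namebuf, sizeof(namebuf));` before logging. Doing the same here keeps the logged name tied to the name the `dns_name_issubdomain()` test actually checked.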
@@ -3497,10 +3528,12 @@ finddlvsep(dns_validator_t *val, isc_boolean_t resume) {
INSIST(val->view->dlv != NULL);
if (!resume) {
-
if (dns_name_issubdomain(val->event->name, val->view->dlv)) {
+ dns_name_format(val->event->name, namebuf,
+ sizeof(namebuf));
validator_log(val, ISC_LOG_WARNING,
- "must be secure failure");
+ "must be secure failure, "
+ "%s is under DLV (finddlvsep)", namebuf);
return (DNS_R_MUSTBESECURE);
}
@@ -3568,8 +3601,11 @@ finddlvsep(dns_validator_t *val, isc_boolean_t resume) {
return (result);
return (DNS_R_WAIT);
}
- if (val->frdataset.trust < dns_trust_secure)
+ if (val->frdataset.trust < dns_trust_secure) {
+ validator_log(val, ISC_LOG_DEBUG(3),
+ "DLV not validated");
return (DNS_R_NOVALIDSIG);
+ }
val->havedlvsep = ISC_TRUE;
dns_rdataset_clone(&val->frdataset, &val->dlv);
return (ISC_R_SUCCESS);
@@ -3654,10 +3690,13 @@ proveunsecure(dns_validator_t *val, isc_boolean_t have_ds, isc_boolean_t resume)
if (result == ISC_R_NOTFOUND) {
if (val->mustbesecure) {
validator_log(val, ISC_LOG_WARNING,
- "must be secure failure");
+ "must be secure failure, "
+ "not beneath secure root");
result = DNS_R_MUSTBESECURE;
goto out;
- }
+ } else
+ validator_log(val, ISC_LOG_DEBUG(3),
+ "not beneath secure root");
if (val->view->dlv == NULL || DLVTRIED(val)) {
markanswer(val, "proveunsecure (1)");
return (ISC_R_SUCCESS);
@@ -3677,7 +3716,7 @@ proveunsecure(dns_validator_t *val, isc_boolean_t have_ds, isc_boolean_t resume)
/*
* If we have a DS rdataset and it is secure then check if
* the DS rdataset has a supported algorithm combination.
- * If not this is a insecure delegation as far as this
+ * If not this is an insecure delegation as far as this
* resolver is concerned. Fall back to DLV if available.
*/
if (have_ds && val->frdataset.trust >= dns_trust_secure &&
@@ -3688,7 +3727,8 @@ proveunsecure(dns_validator_t *val, isc_boolean_t have_ds, isc_boolean_t resume)
if ((val->view->dlv == NULL || DLVTRIED(val)) &&
val->mustbesecure) {
validator_log(val, ISC_LOG_WARNING,
- "must be secure failure at '%s'",
+ "must be secure failure at '%s', "
+ "can't fall back to DLV",
namebuf);
result = DNS_R_MUSTBESECURE;
goto out;
@@ -3729,7 +3769,7 @@ proveunsecure(dns_validator_t *val, isc_boolean_t have_ds, isc_boolean_t resume)
if (result == DNS_R_NXRRSET || result == DNS_R_NCACHENXRRSET) {
/*
* There is no DS. If this is a delegation,
- * we maybe done.
+ * we may be done.
*/
/*
* If we have "trust == answer" then this namespace
@@ -3742,7 +3782,7 @@ proveunsecure(dns_validator_t *val, isc_boolean_t have_ds, isc_boolean_t resume)
&val->frdataset,
NULL, dsvalidated,
"proveunsecure");
- if (result != ISC_R_SUCCESS)
+ if (result != ISC_R_SUCCESS)
goto out;
return (DNS_R_WAIT);
}
@@ -3754,12 +3794,13 @@ proveunsecure(dns_validator_t *val, isc_boolean_t have_ds, isc_boolean_t resume)
if (result == DNS_R_NXRRSET &&
!dns_rdataset_isassociated(&val->frdataset) &&
dns_view_findzonecut2(val->view, tname, found,
- 0, 0, ISC_FALSE, ISC_FALSE,
- NULL, NULL) == ISC_R_SUCCESS &&
+ 0, 0, ISC_FALSE, ISC_FALSE,
+ NULL, NULL) == ISC_R_SUCCESS &&
dns_name_equal(tname, found)) {
if (val->mustbesecure) {
validator_log(val, ISC_LOG_WARNING,
- "must be secure failure");
+ "must be secure failure, "
+ "no DS at zone cut");
return (DNS_R_MUSTBESECURE);
}
if (val->view->dlv == NULL || DLVTRIED(val)) {
@@ -3775,13 +3816,18 @@ proveunsecure(dns_validator_t *val, isc_boolean_t have_ds, isc_boolean_t resume)
* there's no way of validating existing
* negative response blobs, give up.
*/
+ validator_log(val, ISC_LOG_WARNING,
+ "can't validate existing "
+ "negative responses (no DS)");
result = DNS_R_NOVALIDSIG;
goto out;
}
if (isdelegation(tname, &val->frdataset, result)) {
if (val->mustbesecure) {
validator_log(val, ISC_LOG_WARNING,
- "must be secure failure");
+ "must be secure failure, "
+ "%s is a delegation",
+ namebuf);
return (DNS_R_MUSTBESECURE);
}
if (val->view->dlv == NULL || DLVTRIED(val)) {
@@ -3818,7 +3864,10 @@ proveunsecure(dns_validator_t *val, isc_boolean_t have_ds, isc_boolean_t resume)
if (val->mustbesecure) {
validator_log(val,
ISC_LOG_WARNING,
- "must be secure failure");
+ "must be secure failure, "
+ "no supported algorithm/"
+ "digest (%s/DS)",
+ namebuf);
result = DNS_R_MUSTBESECURE;
goto out;
}
@@ -3835,6 +3884,8 @@ proveunsecure(dns_validator_t *val, isc_boolean_t have_ds, isc_boolean_t resume)
}
else if (!dns_rdataset_isassociated(&val->fsigrdataset))
{
+ validator_log(val, ISC_LOG_DEBUG(3),
+ "DS is unsigned");
result = DNS_R_NOVALIDSIG;
goto out;
}
@@ -3883,6 +3934,10 @@ proveunsecure(dns_validator_t *val, isc_boolean_t have_ds, isc_boolean_t resume)
* there's no way of validating existing
* negative response blobs, give up.
*/
+ validator_log(val, ISC_LOG_WARNING,
+ "can't validate existing "
+ "negative responses "
+ "(not a zone cut)");
result = DNS_R_NOVALIDSIG;
goto out;
}
@@ -3902,7 +3957,7 @@ proveunsecure(dns_validator_t *val, isc_boolean_t have_ds, isc_boolean_t resume)
/* Couldn't complete insecurity proof */
validator_log(val, ISC_LOG_DEBUG(3), "insecurity proof failed");
- return (DNS_R_NOTINSECURE); /* Couldn't complete insecurity proof */
+ return (DNS_R_NOTINSECURE);
out:
if (dns_rdataset_isassociated(&val->frdataset))
@@ -3941,7 +3996,7 @@ dlv_validator_start(dns_validator_t *val) {
* \li 3. a negative answer (secure or unsecure).
*
* Note a answer that appears to be a secure positive answer may actually
- * be a unsecure positive answer.
+ * be an unsecure positive answer.
*/
static void
validator_start(isc_task_t *task, isc_event_t *event) {
@@ -4007,6 +4062,10 @@ validator_start(isc_task_t *task, isc_event_t *event) {
val->attributes |= VALATTR_INSECURITY;
result = proveunsecure(val, ISC_FALSE, ISC_FALSE);
+ if (result == DNS_R_NOTINSECURE)
+ validator_log(val, ISC_LOG_INFO,
+ "got insecure response; "
+ "parent indicates it should be secure");
} else if (val->event->rdataset == NULL &&
val->event->sigrdataset == NULL)
{
@@ -4076,6 +4135,7 @@ dns_validator_create(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
return (ISC_R_NOMEMORY);
val->view = NULL;
dns_view_weakattach(view, &val->view);
+
event = (dns_validatorevent_t *)
isc_event_allocate(view->mctx, task,
DNS_EVENT_VALIDATORSTART,
@@ -4104,8 +4164,12 @@ dns_validator_create(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
val->fetch = NULL;
val->subvalidator = NULL;
val->parent = NULL;
+
val->keytable = NULL;
- dns_keytable_attach(val->view->secroots, &val->keytable);
+ result = dns_view_getsecroots(val->view, &val->keytable);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
val->keynode = NULL;
val->key = NULL;
val->siginfo = NULL;
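Review bot: The new `return (result);` after a failed `dns_view_getsecroots()` leaves `dns_validator_create()` without undoing what was set up earlier. The `val` allocation, the weak view reference taken with `dns_view_weakattach()` and the event from `isc_event_allocate()` are all visible in the preceding hunk. On a view without secure roots, each call would then leak a validator and keep a weak reference on the view. Route the failure through the function's existing cleanup path instead of returning directly; the cleanup labels are outside this hunk, so the exact target needs checking against the full function.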
diff --git a/contrib/bind9/lib/dns/view.c b/contrib/bind9/lib/dns/view.c
index 781aac60be82..675005863ea8 100644
--- a/contrib/bind9/lib/dns/view.c
+++ b/contrib/bind9/lib/dns/view.c
@@ -21,7 +21,10 @@
#include <config.h>
+#include <isc/file.h>
#include <isc/hash.h>
+#include <isc/print.h>
+#include <isc/sha2.h>
#include <isc/stats.h>
#include <isc/string.h> /* Required for HP/UX (and others?) */
#include <isc/task.h>
@@ -33,17 +36,24 @@
#include <dns/cache.h>
#include <dns/db.h>
#include <dns/dlz.h>
+#ifdef BIND9
+#include <dns/dns64.h>
+#endif
+#include <dns/dnssec.h>
#include <dns/events.h>
#include <dns/forward.h>
#include <dns/keytable.h>
+#include <dns/keyvalues.h>
#include <dns/master.h>
#include <dns/masterdump.h>
#include <dns/order.h>
#include <dns/peer.h>
+#include <dns/rbt.h>
#include <dns/rdataset.h>
#include <dns/request.h>
#include <dns/resolver.h>
#include <dns/result.h>
+#include <dns/rpz.h>
#include <dns/stats.h>
#include <dns/tsig.h>
#include <dns/zone.h>
@@ -85,6 +95,7 @@ dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
if (result != ISC_R_SUCCESS)
goto cleanup_name;
+#ifdef BIND9
view->zonetable = NULL;
result = dns_zt_create(mctx, rdclass, &view->zonetable);
if (result != ISC_R_SUCCESS) {
@@ -94,24 +105,8 @@ dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
result = ISC_R_UNEXPECTED;
goto cleanup_mutex;
}
- view->secroots = NULL;
- result = dns_keytable_create(mctx, &view->secroots);
- if (result != ISC_R_SUCCESS) {
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "dns_keytable_create() failed: %s",
- isc_result_totext(result));
- result = ISC_R_UNEXPECTED;
- goto cleanup_zt;
- }
- view->trustedkeys = NULL;
- result = dns_keytable_create(mctx, &view->trustedkeys);
- if (result != ISC_R_SUCCESS) {
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "dns_keytable_create() failed: %s",
- isc_result_totext(result));
- result = ISC_R_UNEXPECTED;
- goto cleanup_secroots;
- }
+#endif
+ view->secroots_priv = NULL;
view->fwdtable = NULL;
result = dns_fwdtable_create(mctx, &view->fwdtable);
if (result != ISC_R_SUCCESS) {
@@ -119,7 +114,7 @@ dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
"dns_fwdtable_create() failed: %s",
isc_result_totext(result));
result = ISC_R_UNEXPECTED;
- goto cleanup_trustedkeys;
+ goto cleanup_zt;
}
view->acache = NULL;
@@ -155,6 +150,9 @@ dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
view->rootexclude = NULL;
view->resstats = NULL;
view->resquerystats = NULL;
+ view->cacheshared = ISC_FALSE;
+ ISC_LIST_INIT(view->dns64);
+ view->dns64cnt = 0;
/*
* Initialize configuration data with default values.
@@ -179,6 +177,10 @@ dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
view->notifyacl = NULL;
view->updateacl = NULL;
view->upfwdacl = NULL;
+ view->denyansweracl = NULL;
+ view->answeracl_exclude = NULL;
+ view->denyanswernames = NULL;
+ view->answernames_exclude = NULL;
view->requestixfr = ISC_TRUE;
view->provideixfr = ISC_TRUE;
view->maxcachettl = 7 * 24 * 3600;
@@ -188,11 +190,22 @@ dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
view->flush = ISC_FALSE;
view->dlv = NULL;
view->maxudp = 0;
+ view->v4_aaaa = dns_v4_aaaa_ok;
+ view->v4_aaaa_acl = NULL;
+ ISC_LIST_INIT(view->rpz_zones);
+ view->rpz_recursive_only = ISC_TRUE;
+ view->rpz_break_dnssec = ISC_FALSE;
dns_fixedname_init(&view->dlv_fixed);
+ view->managed_keys = NULL;
+#ifdef BIND9
+ view->new_zone_file = NULL;
+ view->new_zone_config = NULL;
+ view->cfg_destroy = NULL;
result = dns_order_create(view->mctx, &view->order);
if (result != ISC_R_SUCCESS)
goto cleanup_dynkeys;
+#endif
result = dns_peerlist_new(view->mctx, &view->peers);
if (result != ISC_R_SUCCESS)
@@ -222,10 +235,12 @@ dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
dns_peerlist_detach(&view->peers);
cleanup_order:
+#ifdef BIND9
dns_order_detach(&view->order);
cleanup_dynkeys:
- dns_tsigkeyring_destroy(&view->dynamickeys);
+#endif
+ dns_tsigkeyring_detach(&view->dynamickeys);
cleanup_references:
isc_refcount_destroy(&view->references);
@@ -233,16 +248,12 @@ dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
cleanup_fwdtable:
dns_fwdtable_destroy(&view->fwdtable);
- cleanup_trustedkeys:
- dns_keytable_detach(&view->trustedkeys);
-
- cleanup_secroots:
- dns_keytable_detach(&view->secroots);
-
cleanup_zt:
+#ifdef BIND9
dns_zt_detach(&view->zonetable);
cleanup_mutex:
+#endif
DESTROYLOCK(&view->lock);
cleanup_name:
@@ -256,6 +267,10 @@ dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
static inline void
destroy(dns_view_t *view) {
+#ifdef BIND9
+ dns_dns64_t *dns64;
+#endif
+
REQUIRE(!ISC_LINK_LINKED(view, link));
REQUIRE(isc_refcount_current(&view->references) == 0);
REQUIRE(view->weakrefs == 0);
@@ -263,23 +278,62 @@ destroy(dns_view_t *view) {
REQUIRE(ADBSHUTDOWN(view));
REQUIRE(REQSHUTDOWN(view));
+#ifdef BIND9
if (view->order != NULL)
dns_order_detach(&view->order);
+#endif
if (view->peers != NULL)
dns_peerlist_detach(&view->peers);
- if (view->dynamickeys != NULL)
- dns_tsigkeyring_destroy(&view->dynamickeys);
+
+ if (view->dynamickeys != NULL) {
+ isc_result_t result;
+ char template[20];
+ char keyfile[20];
+ FILE *fp = NULL;
+ int n;
+
+ n = snprintf(keyfile, sizeof(keyfile), "%s.tsigkeys",
+ view->name);
+ if (n > 0 && (size_t)n < sizeof(keyfile)) {
+ result = isc_file_mktemplate(keyfile, template,
+ sizeof(template));
+ if (result == ISC_R_SUCCESS)
+ (void)isc_file_openuniqueprivate(template, &fp);
+ }
+ if (fp == NULL)
+ dns_tsigkeyring_detach(&view->dynamickeys);
+ else {
+ result = dns_tsigkeyring_dumpanddetach(
+ &view->dynamickeys, fp);
+ if (result == ISC_R_SUCCESS) {
+ if (fclose(fp) == 0)
+ result = isc_file_rename(template,
+ keyfile);
+ if (result != ISC_R_SUCCESS)
+ (void)remove(template);
+ } else {
+ (void)fclose(fp);
+ (void)remove(template);
+ }
+ }
+ }
if (view->statickeys != NULL)
- dns_tsigkeyring_destroy(&view->statickeys);
+ dns_tsigkeyring_detach(&view->statickeys);
if (view->adb != NULL)
dns_adb_detach(&view->adb);
if (view->resolver != NULL)
dns_resolver_detach(&view->resolver);
+#ifdef BIND9
if (view->acache != NULL) {
if (view->cachedb != NULL)
dns_acache_putdb(view->acache, view->cachedb);
dns_acache_detach(&view->acache);
}
+ dns_rpz_view_destroy(view);
+#else
+ INSIST(view->acache == NULL);
+ INSIST(ISC_LIST_EMPTY(view->rpz_zones));
+#endif
if (view->requestmgr != NULL)
dns_requestmgr_detach(&view->requestmgr);
if (view->task != NULL)
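Review bot: In the `view->dynamickeys` block of destroy(), a failed `fclose(fp)` leaves `result` at ISC_R_SUCCESS from dns_tsigkeyring_dumpanddetach(), so `remove(template)` is skipped and a possibly incomplete temporary file holding TSIG key material stays on disk. Giving that path a failure code fixes it, e.g. `if (fclose(fp) != 0) result = ISC_R_FAILURE; else result = isc_file_rename(template, keyfile);`. Separately, `keyfile[20]` means a view name longer than ten characters fails the snprintf length check and the keyring is silently not saved. dns_view_restorekeyring() in a later hunk uses the same 20-byte buffer, so both places would benefit from a log message or a buffer sized from the view name. destroy() begins and ends outside this hunk.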
@@ -318,6 +372,16 @@ destroy(dns_view_t *view) {
dns_acl_detach(&view->updateacl);
if (view->upfwdacl != NULL)
dns_acl_detach(&view->upfwdacl);
+ if (view->denyansweracl != NULL)
+ dns_acl_detach(&view->denyansweracl);
+ if (view->v4_aaaa_acl != NULL)
+ dns_acl_detach(&view->v4_aaaa_acl);
+ if (view->answeracl_exclude != NULL)
+ dns_rbt_destroy(&view->answeracl_exclude);
+ if (view->denyanswernames != NULL)
+ dns_rbt_destroy(&view->denyanswernames);
+ if (view->answernames_exclude != NULL)
+ dns_rbt_destroy(&view->answernames_exclude);
if (view->delonly != NULL) {
dns_name_t *name;
int i;
@@ -357,8 +421,19 @@ destroy(dns_view_t *view) {
isc_stats_detach(&view->resstats);
if (view->resquerystats != NULL)
dns_stats_detach(&view->resquerystats);
- dns_keytable_detach(&view->trustedkeys);
- dns_keytable_detach(&view->secroots);
+ if (view->secroots_priv != NULL)
+ dns_keytable_detach(&view->secroots_priv);
+#ifdef BIND9
+ for (dns64 = ISC_LIST_HEAD(view->dns64);
+ dns64 != NULL;
+ dns64 = ISC_LIST_HEAD(view->dns64)) {
+ dns_dns64_unlink(&view->dns64, dns64);
+ dns_dns64_destroy(&dns64);
+ }
+ if (view->managed_keys != NULL)
+ dns_zone_detach(&view->managed_keys);
+ dns_view_setnewzones(view, ISC_FALSE, NULL, NULL);
+#endif
dns_fwdtable_destroy(&view->fwdtable);
dns_aclenv_destroy(&view->aclenv);
DESTROYLOCK(&view->lock);
@@ -414,12 +489,19 @@ view_flushanddetach(dns_view_t **viewp, isc_boolean_t flush) {
dns_adb_shutdown(view->adb);
if (!REQSHUTDOWN(view))
dns_requestmgr_shutdown(view->requestmgr);
+#ifdef BIND9
if (view->acache != NULL)
dns_acache_shutdown(view->acache);
if (view->flush)
dns_zt_flushanddetach(&view->zonetable);
else
dns_zt_detach(&view->zonetable);
+ if (view->managed_keys != NULL) {
+ if (view->flush)
+ dns_zone_flush(view->managed_keys);
+ dns_zone_detach(&view->managed_keys);
+ }
+#endif
done = all_done(view);
UNLOCK(&view->lock);
}
@@ -440,6 +522,7 @@ dns_view_detach(dns_view_t **viewp) {
view_flushanddetach(viewp, ISC_FALSE);
}
+#ifdef BIND9
static isc_result_t
dialup(dns_zone_t *zone, void *dummy) {
UNUSED(dummy);
@@ -452,6 +535,7 @@ dns_view_dialup(dns_view_t *view) {
REQUIRE(DNS_VIEW_VALID(view));
(void)dns_zt_apply(view->zonetable, ISC_FALSE, dialup, NULL);
}
+#endif
void
dns_view_weakattach(dns_view_t *source, dns_view_t **targetp) {
@@ -633,12 +717,20 @@ dns_view_createresolver(dns_view_t *view,
void
dns_view_setcache(dns_view_t *view, dns_cache_t *cache) {
+ dns_view_setcache2(view, cache, ISC_FALSE);
+}
+
+void
+dns_view_setcache2(dns_view_t *view, dns_cache_t *cache, isc_boolean_t shared) {
REQUIRE(DNS_VIEW_VALID(view));
REQUIRE(!view->frozen);
+ view->cacheshared = shared;
if (view->cache != NULL) {
+#ifdef BIND9
if (view->acache != NULL)
dns_acache_putdb(view->acache, view->cachedb);
+#endif
dns_db_detach(&view->cachedb);
dns_cache_detach(&view->cache);
}
@@ -646,8 +738,17 @@ dns_view_setcache(dns_view_t *view, dns_cache_t *cache) {
dns_cache_attachdb(cache, &view->cachedb);
INSIST(DNS_DB_VALID(view->cachedb));
+#ifdef BIND9
if (view->acache != NULL)
dns_acache_setdb(view->acache, view->cachedb);
+#endif
+}
+
+isc_boolean_t
+dns_view_iscacheshared(dns_view_t *view) {
+ REQUIRE(DNS_VIEW_VALID(view));
+
+ return (view->cacheshared);
}
void
@@ -665,26 +766,52 @@ dns_view_setkeyring(dns_view_t *view, dns_tsig_keyring_t *ring) {
REQUIRE(DNS_VIEW_VALID(view));
REQUIRE(ring != NULL);
if (view->statickeys != NULL)
- dns_tsigkeyring_destroy(&view->statickeys);
- view->statickeys = ring;
+ dns_tsigkeyring_detach(&view->statickeys);
+ dns_tsigkeyring_attach(ring, &view->statickeys);
}
void
-dns_view_setdstport(dns_view_t *view, in_port_t dstport) {
+dns_view_setdynamickeyring(dns_view_t *view, dns_tsig_keyring_t *ring) {
REQUIRE(DNS_VIEW_VALID(view));
- view->dstport = dstport;
+ REQUIRE(ring != NULL);
+ if (view->dynamickeys != NULL)
+ dns_tsigkeyring_detach(&view->dynamickeys);
+ dns_tsigkeyring_attach(ring, &view->dynamickeys);
}
-isc_result_t
-dns_view_addzone(dns_view_t *view, dns_zone_t *zone) {
- isc_result_t result;
+void
+dns_view_getdynamickeyring(dns_view_t *view, dns_tsig_keyring_t **ringp) {
+ REQUIRE(DNS_VIEW_VALID(view));
+ REQUIRE(ringp != NULL && *ringp == NULL);
+ if (view->dynamickeys != NULL)
+ dns_tsigkeyring_attach(view->dynamickeys, ringp);
+}
+
+void
+dns_view_restorekeyring(dns_view_t *view) {
+ FILE *fp;
+ char keyfile[20];
+ int n;
REQUIRE(DNS_VIEW_VALID(view));
- REQUIRE(!view->frozen);
- result = dns_zt_mount(view->zonetable, zone);
+ if (view->dynamickeys != NULL) {
+ n = snprintf(keyfile, sizeof(keyfile), "%s.tsigkeys",
+ view->name);
+ if (n > 0 && (size_t)n < sizeof(keyfile)) {
+ fp = fopen(keyfile, "r");
+ if (fp != NULL) {
+ dns_keyring_restore(view->dynamickeys, fp);
+ (void)fclose(fp);
+ }
+ }
+ }
+}
- return (result);
+void
+dns_view_setdstport(dns_view_t *view, in_port_t dstport) {
+ REQUIRE(DNS_VIEW_VALID(view));
+ view->dstport = dstport;
}
void
@@ -699,6 +826,29 @@ dns_view_freeze(dns_view_t *view) {
view->frozen = ISC_TRUE;
}
+#ifdef BIND9
+void
+dns_view_thaw(dns_view_t *view) {
+ REQUIRE(DNS_VIEW_VALID(view));
+ REQUIRE(view->frozen);
+
+ view->frozen = ISC_FALSE;
+}
+
+isc_result_t
+dns_view_addzone(dns_view_t *view, dns_zone_t *zone) {
+ isc_result_t result;
+
+ REQUIRE(DNS_VIEW_VALID(view));
+ REQUIRE(!view->frozen);
+
+ result = dns_zt_mount(view->zonetable, zone);
+
+ return (result);
+}
+#endif
+
+#ifdef BIND9
isc_result_t
dns_view_findzone(dns_view_t *view, dns_name_t *name, dns_zone_t **zonep) {
isc_result_t result;
@@ -713,20 +863,37 @@ dns_view_findzone(dns_view_t *view, dns_name_t *name, dns_zone_t **zonep) {
return (result);
}
+#endif
isc_result_t
dns_view_find(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
isc_stdtime_t now, unsigned int options, isc_boolean_t use_hints,
dns_db_t **dbp, dns_dbnode_t **nodep, dns_name_t *foundname,
- dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset)
+ dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset) {
+ return (dns_view_find2(view, name, type, now, options, use_hints,
+ ISC_FALSE, dbp, nodep, foundname, rdataset,
+ sigrdataset));
+}
+
+isc_result_t
+dns_view_find2(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
+ isc_stdtime_t now, unsigned int options,
+ isc_boolean_t use_hints, isc_boolean_t use_static_stub,
+ dns_db_t **dbp, dns_dbnode_t **nodep, dns_name_t *foundname,
+ dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset)
{
isc_result_t result;
dns_db_t *db, *zdb;
dns_dbnode_t *node, *znode;
- isc_boolean_t is_cache;
+ isc_boolean_t is_cache, is_staticstub_zone;
dns_rdataset_t zrdataset, zsigrdataset;
dns_zone_t *zone;
+#ifndef BIND9
+ UNUSED(use_hints);
+ UNUSED(use_static_stub);
+#endif
+
/*
* Find an rdataset whose owner name is 'name', and whose type is
* 'type'.
@@ -752,15 +919,30 @@ dns_view_find(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
zone = NULL;
db = NULL;
node = NULL;
+ is_staticstub_zone = ISC_FALSE;
+#ifdef BIND9
result = dns_zt_find(view->zonetable, name, 0, NULL, &zone);
+ if (zone != NULL && dns_zone_gettype(zone) == dns_zone_staticstub &&
+ !use_static_stub) {
+ result = ISC_R_NOTFOUND;
+ }
if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH) {
result = dns_zone_getdb(zone, &db);
if (result != ISC_R_SUCCESS && view->cachedb != NULL)
dns_db_attach(view->cachedb, &db);
else if (result != ISC_R_SUCCESS)
goto cleanup;
+ if (dns_zone_gettype(zone) == dns_zone_staticstub &&
+ dns_name_equal(name, dns_zone_getorigin(zone))) {
+ is_staticstub_zone = ISC_TRUE;
+ }
} else if (result == ISC_R_NOTFOUND && view->cachedb != NULL)
dns_db_attach(view->cachedb, &db);
+#else
+ result = ISC_R_NOTFOUND;
+ if (view->cachedb != NULL)
+ dns_db_attach(view->cachedb, &db);
+#endif /* BIND9 */
else
goto cleanup;
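Review bot: The trailing `else goto cleanup;` after `#endif /* BIND9 */` completes an `else if` chain in the BIND9 branch but a plain `if` in the `#else` branch, so adding a statement at the end of either branch can silently re-bind or break it. Repeating the `else` / `goto cleanup;` pair inside both the `#ifdef` and the `#else` part would keep each build's control flow readable on its own. dns_view_find2() starts and ends outside this hunk.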
@@ -773,8 +955,7 @@ dns_view_find(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
result = dns_db_find(db, name, NULL, type, options,
now, &node, foundname, rdataset, sigrdataset);
- if (result == DNS_R_DELEGATION ||
- result == ISC_R_NOTFOUND) {
+ if (result == DNS_R_DELEGATION || result == ISC_R_NOTFOUND) {
if (dns_rdataset_isassociated(rdataset))
dns_rdataset_disassociate(rdataset);
if (sigrdataset != NULL &&
@@ -784,10 +965,13 @@ dns_view_find(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
dns_db_detachnode(db, &node);
if (!is_cache) {
dns_db_detach(&db);
- if (view->cachedb != NULL) {
+ if (view->cachedb != NULL && !is_staticstub_zone) {
/*
* Either the answer is in the cache, or we
* don't know it.
+ * Note that if the result comes from a
+ * static-stub zone we stop the search here
+ * (see the function description in view.h).
*/
is_cache = ISC_TRUE;
dns_db_attach(view->cachedb, &db);
@@ -817,7 +1001,7 @@ dns_view_find(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
*/
result = ISC_R_NOTFOUND;
} else if (result == DNS_R_GLUE) {
- if (view->cachedb != NULL) {
+ if (view->cachedb != NULL && !is_staticstub_zone) {
/*
* We found an answer, but the cache may be better.
* Remember what we've got and go look in the cache.
@@ -843,6 +1027,7 @@ dns_view_find(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
result = ISC_R_SUCCESS;
}
+#ifdef BIND9
if (result == ISC_R_NOTFOUND && use_hints && view->hints != NULL) {
if (dns_rdataset_isassociated(rdataset))
dns_rdataset_disassociate(rdataset);
@@ -877,6 +1062,7 @@ dns_view_find(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
if (db == NULL && node != NULL)
dns_db_detachnode(view->hints, &node);
}
+#endif /* BIND9 */
cleanup:
if (dns_rdataset_isassociated(&zrdataset)) {
@@ -905,8 +1091,10 @@ dns_view_find(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
} else
INSIST(node == NULL);
+#ifdef BIND9
if (zone != NULL)
dns_zone_detach(&zone);
+#endif
return (result);
}
@@ -969,7 +1157,7 @@ dns_view_findzonecut(dns_view_t *view, dns_name_t *name, dns_name_t *fname,
isc_result_t
dns_view_findzonecut2(dns_view_t *view, dns_name_t *name, dns_name_t *fname,
isc_stdtime_t now, unsigned int options,
- isc_boolean_t use_hints, isc_boolean_t use_cache,
+ isc_boolean_t use_hints, isc_boolean_t use_cache,
dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset)
{
isc_result_t result;
@@ -999,9 +1187,13 @@ dns_view_findzonecut2(dns_view_t *view, dns_name_t *name, dns_name_t *fname,
/*
* Find the right database.
*/
+#ifdef BIND9
result = dns_zt_find(view->zonetable, name, 0, NULL, &zone);
if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH)
result = dns_zone_getdb(zone, &db);
+#else
+ result = ISC_R_NOTFOUND;
+#endif
if (result == ISC_R_NOTFOUND) {
/*
* We're not directly authoritative for this query name, nor
@@ -1064,7 +1256,9 @@ dns_view_findzonecut2(dns_view_t *view, dns_name_t *name, dns_name_t *fname,
fname, rdataset, sigrdataset);
if (result == ISC_R_SUCCESS) {
if (zfname != NULL &&
- !dns_name_issubdomain(fname, zfname)) {
+ (!dns_name_issubdomain(fname, zfname) ||
+ (dns_zone_staticstub &&
+ dns_name_equal(fname, zfname)))) {
/*
* We found a zonecut in the cache, but our
* zone delegation is better.
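Review bot: In the added condition, `dns_zone_staticstub` is the zone-type constant itself (dns_view_find2 earlier in this diff compares it with `dns_zone_gettype(zone)`), so as a bare operand it tests only whether the constant is non-zero, not whether the matched zone is a static-stub zone. If the constant is non-zero, a cached zone cut whose name equals `zfname` is passed over in favour of the zone delegation for every zone type. The intended test is presumably `dns_zone_gettype(zone) == dns_zone_staticstub && dns_name_equal(fname, zfname)`, guarded for `zone != NULL` and for the non-BIND9 build where the zone lookup is compiled out. dns_view_findzonecut2() continues outside the hunk.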
@@ -1133,8 +1327,10 @@ dns_view_findzonecut2(dns_view_t *view, dns_name_t *name, dns_name_t *fname,
}
if (db != NULL)
dns_db_detach(&db);
+#ifdef BIND9
if (zone != NULL)
dns_zone_detach(&zone);
+#endif
return (result);
}
@@ -1161,6 +1357,7 @@ dns_viewlist_find(dns_viewlist_t *list, const char *name,
return (ISC_R_SUCCESS);
}
+#ifdef BIND9
isc_result_t
dns_viewlist_findzone(dns_viewlist_t *list, dns_name_t *name,
isc_boolean_t allclasses, dns_rdataclass_t rdclass,
@@ -1226,6 +1423,7 @@ dns_view_loadnew(dns_view_t *view, isc_boolean_t stop) {
return (dns_zt_loadnew(view->zonetable, stop));
}
+#endif /* BIND9 */
isc_result_t
dns_view_gettsig(dns_view_t *view, dns_name_t *keyname, dns_tsigkey_t **keyp)
@@ -1270,6 +1468,7 @@ dns_view_checksig(dns_view_t *view, isc_buffer_t *source, dns_message_t *msg) {
view->dynamickeys));
}
+#ifdef BIND9
isc_result_t
dns_view_dumpdbtostream(dns_view_t *view, FILE *fp) {
isc_result_t result;
@@ -1285,26 +1484,38 @@ dns_view_dumpdbtostream(dns_view_t *view, FILE *fp) {
dns_resolver_printbadcache(view->resolver, fp);
return (ISC_R_SUCCESS);
}
+#endif
isc_result_t
dns_view_flushcache(dns_view_t *view) {
+ return (dns_view_flushcache2(view, ISC_FALSE));
+}
+
+isc_result_t
+dns_view_flushcache2(dns_view_t *view, isc_boolean_t fixuponly) {
isc_result_t result;
REQUIRE(DNS_VIEW_VALID(view));
if (view->cachedb == NULL)
return (ISC_R_SUCCESS);
- result = dns_cache_flush(view->cache);
- if (result != ISC_R_SUCCESS)
- return (result);
+ if (!fixuponly) {
+ result = dns_cache_flush(view->cache);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ }
+#ifdef BIND9
if (view->acache != NULL)
dns_acache_putdb(view->acache, view->cachedb);
+#endif
dns_db_detach(&view->cachedb);
dns_cache_attachdb(view->cache, &view->cachedb);
+#ifdef BIND9
if (view->acache != NULL)
dns_acache_setdb(view->acache, view->cachedb);
if (view->resolver != NULL)
dns_resolver_flushbadcache(view->resolver, NULL);
+#endif
dns_adb_flush(view->adb);
return (ISC_R_SUCCESS);
@@ -1438,11 +1649,13 @@ dns_view_getrootdelonly(dns_view_t *view) {
return (view->rootdelonly);
}
+#ifdef BIND9
isc_result_t
dns_view_freezezones(dns_view_t *view, isc_boolean_t value) {
REQUIRE(DNS_VIEW_VALID(view));
return (dns_zt_freezezones(view->zonetable, value));
}
+#endif
void
dns_view_setresstats(dns_view_t *view, isc_stats_t *stats) {
@@ -1479,3 +1692,100 @@ dns_view_getresquerystats(dns_view_t *view, dns_stats_t **statsp) {
if (view->resquerystats != NULL)
dns_stats_attach(view->resquerystats, statsp);
}
+
+isc_result_t
+dns_view_initsecroots(dns_view_t *view, isc_mem_t *mctx) {
+ REQUIRE(DNS_VIEW_VALID(view));
+ if (view->secroots_priv != NULL)
+ dns_keytable_detach(&view->secroots_priv);
+ return (dns_keytable_create(mctx, &view->secroots_priv));
+}
+
+isc_result_t
+dns_view_getsecroots(dns_view_t *view, dns_keytable_t **ktp) {
+ REQUIRE(DNS_VIEW_VALID(view));
+ REQUIRE(ktp != NULL && *ktp == NULL);
+ if (view->secroots_priv == NULL)
+ return (ISC_R_NOTFOUND);
+ dns_keytable_attach(view->secroots_priv, ktp);
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_view_issecuredomain(dns_view_t *view, dns_name_t *name,
+ isc_boolean_t *secure_domain) {
+ REQUIRE(DNS_VIEW_VALID(view));
+
+ if (view->secroots_priv == NULL)
+ return (ISC_R_NOTFOUND);
+ return (dns_keytable_issecuredomain(view->secroots_priv, name,
+ secure_domain));
+}
+
+void
+dns_view_untrust(dns_view_t *view, dns_name_t *keyname,
+ dns_rdata_dnskey_t *dnskey, isc_mem_t *mctx)
+{
+ isc_result_t result;
+ unsigned char data[4096];
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ isc_buffer_t buffer;
+ dst_key_t *key = NULL;
+ dns_keytable_t *sr = NULL;
+
+ /*
+ * Clear the revoke bit, if set, so that the key will match what's
+ * in secroots now.
+ */
+ dnskey->flags &= ~DNS_KEYFLAG_REVOKE;
+
+ /* Convert dnskey to DST key. */
+ isc_buffer_init(&buffer, data, sizeof(data));
+ dns_rdata_fromstruct(&rdata, dnskey->common.rdclass,
+ dns_rdatatype_dnskey, dnskey, &buffer);
+ result = dns_dnssec_keyfromrdata(keyname, &rdata, mctx, &key);
+ if (result != ISC_R_SUCCESS)
+ return;
+ result = dns_view_getsecroots(view, &sr);
+ if (result == ISC_R_SUCCESS) {
+ dns_keytable_deletekeynode(sr, key);
+ dns_keytable_detach(&sr);
+ }
+ dst_key_free(&key);
+}
+
+#define NZF ".nzf"
+
+void
+dns_view_setnewzones(dns_view_t *view, isc_boolean_t allow, void *cfgctx,
+ void (*cfg_destroy)(void **))
+{
+ REQUIRE(DNS_VIEW_VALID(view));
+ REQUIRE((cfgctx != NULL && cfg_destroy != NULL) || !allow);
+
+#ifdef BIND9
+ if (view->new_zone_file != NULL) {
+ isc_mem_free(view->mctx, view->new_zone_file);
+ view->new_zone_file = NULL;
+ }
+
+ if (view->new_zone_config != NULL) {
+ view->cfg_destroy(&view->new_zone_config);
+ view->cfg_destroy = NULL;
+ }
+
+ if (allow) {
+ char buffer[ISC_SHA256_DIGESTSTRINGLENGTH + sizeof(NZF)];
+ isc_sha256_data((void *)view->name, strlen(view->name), buffer);
+ /* Truncate the hash at 16 chars; full length is overkill */
+ isc_string_printf(buffer + 16, sizeof(NZF), "%s", NZF);
+ view->new_zone_file = isc_mem_strdup(view->mctx, buffer);
+ view->new_zone_config = cfgctx;
+ view->cfg_destroy = cfg_destroy;
+ }
+#else
+ UNUSED(allow);
+ UNUSED(cfgctx);
+ UNUSED(cfg_destroy);
+#endif
+}
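Review bot: In dns_view_untrust() the return value of `dns_rdata_fromstruct()` is discarded, so a failed conversion hands a still-empty `rdata` to `dns_dnssec_keyfromrdata()`; capture it and return early with `result = dns_rdata_fromstruct(...); if (result != ISC_R_SUCCESS) return;`. The function also clears DNS_KEYFLAG_REVOKE in the caller's `dnskey` in place, which deserves a line in its header comment. In dns_view_setnewzones(), the result of `isc_mem_strdup()` is not checked, so if the allocation fails `new_zone_file` stays NULL while `new_zone_config` and `cfg_destroy` are set. The function returns void, so callers would have to test `new_zone_file` themselves.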
diff --git a/contrib/bind9/lib/dns/zone.c b/contrib/bind9/lib/dns/zone.c
index 63e09ee1289a..22db239bbd63 100644
--- a/contrib/bind9/lib/dns/zone.c
+++ b/contrib/bind9/lib/dns/zone.c
@@ -21,7 +21,6 @@
#include <config.h>
#include <errno.h>
-#include <stdlib.h>
#include <isc/file.h>
#include <isc/mutex.h>
@@ -48,6 +47,8 @@
#include <dns/dnssec.h>
#include <dns/events.h>
#include <dns/journal.h>
+#include <dns/keydata.h>
+#include <dns/keytable.h>
#include <dns/keyvalues.h>
#include <dns/log.h>
#include <dns/master.h>
@@ -57,6 +58,8 @@
#include <dns/nsec.h>
#include <dns/nsec3.h>
#include <dns/peer.h>
+#include <dns/private.h>
+#include <dns/rbt.h>
#include <dns/rcode.h>
#include <dns/rdataclass.h>
#include <dns/rdatalist.h>
@@ -67,6 +70,7 @@
#include <dns/request.h>
#include <dns/resolver.h>
#include <dns/result.h>
+#include <dns/rriterator.h>
#include <dns/soa.h>
#include <dns/ssu.h>
#include <dns/stats.h>
@@ -106,12 +110,20 @@
#define NSEC3REMOVE(x) (((x) & DNS_NSEC3FLAG_REMOVE) != 0)
+/*%
+ * Key flags
+ */
+#define REVOKE(x) ((dst_key_flags(x) & DNS_KEYFLAG_REVOKE) != 0)
+#define KSK(x) ((dst_key_flags(x) & DNS_KEYFLAG_KSK) != 0)
+#define ALG(x) dst_key_alg(x)
+
/*
* Default values.
*/
#define DNS_DEFAULT_IDLEIN 3600 /*%< 1 hour */
#define DNS_DEFAULT_IDLEOUT 3600 /*%< 1 hour */
#define MAX_XFER_TIME (2*3600) /*%< Documented default is 2 hours */
+#define RESIGN_DELAY 3600 /*%< 1 hour */
#ifndef DNS_MAX_EXPIRE
#define DNS_MAX_EXPIRE 14515200 /*%< 24 weeks */
@@ -132,6 +144,7 @@ typedef struct dns_signing dns_signing_t;
typedef ISC_LIST(dns_signing_t) dns_signinglist_t;
typedef struct dns_nsec3chain dns_nsec3chain_t;
typedef ISC_LIST(dns_nsec3chain_t) dns_nsec3chainlist_t;
+typedef struct dns_keyfetch dns_keyfetch_t;
#define DNS_ZONE_CHECKLOCK
#ifdef DNS_ZONE_CHECKLOCK
@@ -203,11 +216,14 @@ struct dns_zone {
isc_time_t keywarntime;
isc_time_t signingtime;
isc_time_t nsec3chaintime;
+ isc_time_t refreshkeytime;
+ isc_uint32_t refreshkeycount;
isc_uint32_t refresh;
isc_uint32_t retry;
isc_uint32_t expire;
isc_uint32_t minimum;
isc_stdtime_t key_expiry;
+ isc_stdtime_t log_key_expired_timer;
char *keydirectory;
isc_uint32_t maxrefresh;
@@ -276,13 +292,13 @@ struct dns_zone {
/*%
* Statistics counters about zone management.
*/
- isc_stats_t *stats;
+ isc_stats_t *stats;
/*%
* Optional per-zone statistics counters. Counted outside of this
* module.
*/
- isc_boolean_t requeststats_on;
- isc_stats_t *requeststats;
+ isc_boolean_t requeststats_on;
+ isc_stats_t *requeststats;
isc_uint32_t notifydelay;
dns_isselffunc_t isself;
void *isselfarg;
@@ -309,6 +325,21 @@ struct dns_zone {
dns_rdatatype_t privatetype;
/*%
+ * Autosigning/key-maintenance options
+ */
+ isc_uint32_t keyopts;
+
+ /*%
+ * True if added by "rndc addzone"
+ */
+ isc_boolean_t added;
+
+ /*%
+ * whether a rpz radix was needed when last loaded
+ */
+ isc_boolean_t rpz_zone;
+
+ /*%
* Outstanding forwarded UPDATE requests.
*/
dns_forwardlist_t forwards;
@@ -347,7 +378,7 @@ struct dns_zone {
* from SOA (if not set, we
* are still using
* default timer values) */
-#define DNS_ZONEFLG_FORCEXFER 0x00008000U /*%< Force a zone xfer */
+#define DNS_ZONEFLG_FORCEXFER 0x00008000U /*%< Force a zone xfer */
#define DNS_ZONEFLG_NOREFRESH 0x00010000U
#define DNS_ZONEFLG_DIALNOTIFY 0x00020000U
#define DNS_ZONEFLG_DIALREFRESH 0x00040000U
@@ -360,8 +391,11 @@ struct dns_zone {
#define DNS_ZONEFLG_NEEDCOMPACT 0x02000000U
#define DNS_ZONEFLG_REFRESHING 0x04000000U /*%< Refreshing keydata */
#define DNS_ZONEFLG_THAW 0x08000000U
+/* #define DNS_ZONEFLG_XXXXX 0x10000000U XXXMPA unused. */
+#define DNS_ZONEFLG_NODELAY 0x20000000U
#define DNS_ZONE_OPTION(z,o) (((z)->options & (o)) != 0)
+#define DNS_ZONEKEY_OPTION(z,o) (((z)->keyopts & (o)) != 0)
/* Flags for zone_load() */
#define DNS_ZONELOADFLAG_NOSTAT 0x00000001U /* Do not stat() master files */
@@ -494,7 +528,7 @@ struct dns_io {
* DNSKEY as result of an update.
*/
struct dns_signing {
- unsigned int magic;
+ unsigned int magic;
dns_db_t *db;
dns_dbiterator_t *dbiterator;
dns_secalg_t algorithm;
@@ -505,15 +539,15 @@ struct dns_signing {
};
struct dns_nsec3chain {
- unsigned int magic;
+ unsigned int magic;
dns_db_t *db;
dns_dbiterator_t *dbiterator;
dns_rdata_nsec3param_t nsec3param;
unsigned char salt[255];
isc_boolean_t done;
- isc_boolean_t seen_nsec;
- isc_boolean_t delete_nsec;
- isc_boolean_t save_delete_nsec;
+ isc_boolean_t seen_nsec;
+ isc_boolean_t delete_nsec;
+ isc_boolean_t save_delete_nsec;
ISC_LINK(dns_nsec3chain_t) link;
};
/*%<
@@ -538,6 +572,19 @@ struct dns_nsec3chain {
* so it can be recovered in the event of a error.
*/
+struct dns_keyfetch {
+ dns_fixedname_t name;
+ dns_rdataset_t keydataset;
+ dns_rdataset_t dnskeyset;
+ dns_rdataset_t dnskeysigset;
+ dns_zone_t *zone;
+ dns_db_t *db;
+ dns_fetch_t *fetch;
+};
+
+#define HOUR 3600
+#define DAY (24*HOUR)
+#define MONTH (30*DAY)
#define SEND_BUFFER_SIZE 2048
@@ -548,6 +595,10 @@ static void zone_debuglog(dns_zone_t *zone, const char *, int debuglevel,
static void notify_log(dns_zone_t *zone, int level, const char *fmt, ...)
ISC_FORMAT_PRINTF(3, 4);
static void queue_xfrin(dns_zone_t *zone);
+static isc_result_t update_one_rr(dns_db_t *db, dns_dbversion_t *ver,
+ dns_diff_t *diff, dns_diffop_t op,
+ dns_name_t *name, dns_ttl_t ttl,
+ dns_rdata_t *rdata);
static void zone_unload(dns_zone_t *zone);
static void zone_expire(dns_zone_t *zone);
static void zone_iattach(dns_zone_t *source, dns_zone_t **target);
@@ -619,6 +670,12 @@ static void zone_notify(dns_zone_t *zone, isc_time_t *now);
static void dump_done(void *arg, isc_result_t result);
static isc_result_t zone_signwithkey(dns_zone_t *zone, dns_secalg_t algorithm,
isc_uint16_t keyid, isc_boolean_t delete);
+static isc_result_t delete_nsec(dns_db_t *db, dns_dbversion_t *ver,
+ dns_dbnode_t *node, dns_name_t *name,
+ dns_diff_t *diff);
+static void zone_rekey(dns_zone_t *zone);
+static isc_boolean_t delsig_ok(dns_rdata_rrsig_t *rrsig_ptr,
+ dst_key_t **keys, unsigned int nkeys);
#define ENTER zone_debuglog(zone, me, 1, "enter")
@@ -716,6 +773,7 @@ dns_zone_create(dns_zone_t **zonep, isc_mem_t *mctx) {
zone->type = dns_zone_none;
zone->flags = 0;
zone->options = 0;
+ zone->keyopts = 0;
zone->db_argc = 0;
zone->db_argv = NULL;
isc_time_settoepoch(&zone->expiretime);
@@ -727,6 +785,8 @@ dns_zone_create(dns_zone_t **zonep, isc_mem_t *mctx) {
isc_time_settoepoch(&zone->keywarntime);
isc_time_settoepoch(&zone->signingtime);
isc_time_settoepoch(&zone->nsec3chaintime);
+ isc_time_settoepoch(&zone->refreshkeytime);
+ zone->refreshkeycount = 0;
zone->refresh = DNS_ZONE_DEFAULTREFRESH;
zone->retry = DNS_ZONE_DEFAULTRETRY;
zone->expire = 0;
@@ -761,6 +821,7 @@ dns_zone_create(dns_zone_t **zonep, isc_mem_t *mctx) {
zone->timer = NULL;
zone->idlein = DNS_DEFAULT_IDLEIN;
zone->idleout = DNS_DEFAULT_IDLEOUT;
+ zone->log_key_expired_timer = 0;
ISC_LIST_INIT(zone->notifies);
isc_sockaddr_any(&zone->notifysrc4);
isc_sockaddr_any6(&zone->notifysrc6);
@@ -793,6 +854,8 @@ dns_zone_create(dns_zone_t **zonep, isc_mem_t *mctx) {
zone->signatures = 10;
zone->nodes = 100;
zone->privatetype = (dns_rdatatype_t)0xffffU;
+ zone->added = ISC_FALSE;
+ zone->rpz_zone = ISC_FALSE;
ISC_LIST_INIT(zone->forwards);
zone->magic = ZONE_MAGIC;
@@ -1311,8 +1374,8 @@ dns_zone_getjournal(dns_zone_t *zone) {
* master file (if any) is written by the server, rather than being
* updated manually and read by the server.
*
- * This is true for slave zones, stub zones, and zones that allow
- * dynamic updates either by having an update policy ("ssutable")
+ * This is true for slave zones, stub zones, key zones, and zones that
+ * allow dynamic updates either by having an update policy ("ssutable")
* or an "allow-update" ACL with a value other than exactly "{ none; }".
*/
static isc_boolean_t
@@ -1321,6 +1384,7 @@ zone_isdynamic(dns_zone_t *zone) {
return (ISC_TF(zone->type == dns_zone_slave ||
zone->type == dns_zone_stub ||
+ zone->type == dns_zone_key ||
(!zone->update_disabled && zone->ssutable != NULL) ||
(!zone->update_disabled && zone->update_acl != NULL &&
!dns_acl_isnone(zone->update_acl))));
@@ -1391,11 +1455,12 @@ zone_load(dns_zone_t *zone, unsigned int flags) {
*/
if (zone->masterfile != NULL) {
/*
- * The file is already loaded. If we are just doing a
+ * The file is already loaded. If we are just doing a
* "rndc reconfig", we are done.
*/
if (!isc_time_isepoch(&zone->loadtime) &&
- (flags & DNS_ZONELOADFLAG_NOSTAT) != 0) {
+ (flags & DNS_ZONELOADFLAG_NOSTAT) != 0 &&
+ zone->rpz_zone == dns_rpz_needed()) {
result = ISC_R_SUCCESS;
goto cleanup;
}
@@ -1404,7 +1469,8 @@ zone_load(dns_zone_t *zone, unsigned int flags) {
if (result == ISC_R_SUCCESS) {
if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED) &&
!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_HASINCLUDE) &&
- isc_time_compare(&filetime, &zone->loadtime) <= 0) {
+ isc_time_compare(&filetime, &zone->loadtime) <= 0 &&
+ zone->rpz_zone == dns_rpz_needed()) {
dns_zone_log(zone, ISC_LOG_DEBUG(1),
"skipping load: master file "
"older than last load");
@@ -1412,6 +1478,7 @@ zone_load(dns_zone_t *zone, unsigned int flags) {
goto cleanup;
}
loadtime = filetime;
+ zone->rpz_zone = dns_rpz_needed();
}
}
@@ -1533,6 +1600,8 @@ get_master_options(dns_zone_t *zone) {
options = DNS_MASTER_ZONE;
if (zone->type == dns_zone_slave)
options |= DNS_MASTER_SLAVE;
+ if (zone->type == dns_zone_key)
+ options |= DNS_MASTER_KEY;
if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKNS))
options |= DNS_MASTER_CHECKNS;
if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_FATALNS))
@@ -1752,11 +1821,12 @@ zone_check_mx(dns_zone_t *zone, dns_db_t *db, dns_name_t *name,
dns_name_format(name, namebuf, sizeof namebuf);
if (result == DNS_R_NXRRSET || result == DNS_R_NXDOMAIN ||
result == DNS_R_EMPTYNAME) {
+ if (!DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKMXFAIL))
+ level = ISC_LOG_WARNING;
dns_zone_log(zone, level,
"%s/MX '%s' has no address records (A or AAAA)",
ownerbuf, namebuf);
- /* XXX950 make fatal for 9.5.0. */
- return (ISC_TRUE);
+ return ((level == ISC_LOG_WARNING) ? ISC_TRUE : ISC_FALSE);
}
if (result == DNS_R_CNAME) {
@@ -1997,6 +2067,113 @@ zone_check_glue(dns_zone_t *zone, dns_db_t *db, dns_name_t *name,
}
static isc_boolean_t
+zone_rrset_check_dup(dns_zone_t *zone, dns_name_t *owner,
+ dns_rdataset_t *rdataset)
+{
+ dns_rdataset_t tmprdataset;
+ isc_result_t result;
+ isc_boolean_t answer = ISC_TRUE;
+ isc_boolean_t format = ISC_TRUE;
+ int level = ISC_LOG_WARNING;
+ char ownerbuf[DNS_NAME_FORMATSIZE];
+ char typebuf[DNS_RDATATYPE_FORMATSIZE];
+ unsigned int count1 = 0;
+
+ if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKDUPRRFAIL))
+ level = ISC_LOG_ERROR;
+
+ dns_rdataset_init(&tmprdataset);
+ for (result = dns_rdataset_first(rdataset);
+ result == ISC_R_SUCCESS;
+ result = dns_rdataset_next(rdataset)) {
+ dns_rdata_t rdata1 = DNS_RDATA_INIT;
+ unsigned int count2 = 0;
+
+ count1++;
+ dns_rdataset_current(rdataset, &rdata1);
+ dns_rdataset_clone(rdataset, &tmprdataset);
+ for (result = dns_rdataset_first(&tmprdataset);
+ result == ISC_R_SUCCESS;
+ result = dns_rdataset_next(&tmprdataset)) {
+ dns_rdata_t rdata2 = DNS_RDATA_INIT;
+ count2++;
+ if (count1 >= count2)
+ continue;
+ dns_rdataset_current(&tmprdataset, &rdata2);
+ if (dns_rdata_casecompare(&rdata1, &rdata2) == 0) {
+ if (format) {
+ dns_name_format(owner, ownerbuf,
+ sizeof ownerbuf);
+ dns_rdatatype_format(rdata1.type,
+ typebuf,
+ sizeof(typebuf));
+ format = ISC_FALSE;
+ }
+ dns_zone_log(zone, level, "%s/%s has "
+ "semantically identical records",
+ ownerbuf, typebuf);
+ if (level == ISC_LOG_ERROR)
+ answer = ISC_FALSE;
+ break;
+ }
+ }
+ dns_rdataset_disassociate(&tmprdataset);
+ if (!format)
+ break;
+ }
+ return (answer);
+}
+
+static isc_boolean_t
+zone_check_dup(dns_zone_t *zone, dns_db_t *db) {
+ dns_dbiterator_t *dbiterator = NULL;
+ dns_dbnode_t *node = NULL;
+ dns_fixedname_t fixed;
+ dns_name_t *name;
+ dns_rdataset_t rdataset;
+ dns_rdatasetiter_t *rdsit = NULL;
+ isc_boolean_t ok = ISC_TRUE;
+ isc_result_t result;
+
+ dns_fixedname_init(&fixed);
+ name = dns_fixedname_name(&fixed);
+ dns_rdataset_init(&rdataset);
+
+ result = dns_db_createiterator(db, 0, &dbiterator);
+ if (result != ISC_R_SUCCESS)
+ return (ISC_TRUE);
+
+ for (result = dns_dbiterator_first(dbiterator);
+ result == ISC_R_SUCCESS;
+ result = dns_dbiterator_next(dbiterator)) {
+ result = dns_dbiterator_current(dbiterator, &node, name);
+ if (result != ISC_R_SUCCESS)
+ continue;
+
+ result = dns_db_allrdatasets(db, node, NULL, 0, &rdsit);
+ if (result != ISC_R_SUCCESS)
+ continue;
+
+ for (result = dns_rdatasetiter_first(rdsit);
+ result == ISC_R_SUCCESS;
+ result = dns_rdatasetiter_next(rdsit)) {
+ dns_rdatasetiter_current(rdsit, &rdataset);
+ if (!zone_rrset_check_dup(zone, name, &rdataset))
+ ok = ISC_FALSE;
+ dns_rdataset_disassociate(&rdataset);
+ }
+ dns_rdatasetiter_destroy(&rdsit);
+ dns_db_detachnode(db, &node);
+ }
+
+ if (node != NULL)
+ dns_db_detachnode(db, &node);
+ dns_dbiterator_destroy(&dbiterator);
+
+ return (ok);
+}
+
+static isc_boolean_t
integrity_checks(dns_zone_t *zone, dns_db_t *db) {
dns_dbiterator_t *dbiterator = NULL;
dns_dbnode_t *node = NULL;
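Review bot: In zone_check_dup(), the `continue` taken when `dns_db_allrdatasets()` fails skips `dns_db_detachnode(db, &node)`, so the next `dns_dbiterator_current(dbiterator, &node, name)` is entered with `node` still attached. That leaks the node reference and, if the iterator requires `*nodep == NULL` on entry, would trip an assertion. Detach before continuing: `if (result != ISC_R_SUCCESS) { dns_db_detachnode(db, &node); continue; }`. zone_rrset_check_dup() in the same hunk compares every pair of rdata in an RRset, which is quadratic in RRset size, and a short comment noting that cost would help anyone enabling the check on large zones. The trailing context lines belong to integrity_checks(), which continues outside the hunk.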
@@ -2063,6 +2240,7 @@ integrity_checks(dns_zone_t *zone, dns_db_t *db) {
result = dns_rdataset_next(&rdataset);
}
dns_rdataset_disassociate(&rdataset);
+ goto next;
checkmx:
result = dns_db_findrdataset(db, node, NULL, dns_rdatatype_mx,
@@ -2115,7 +2293,7 @@ integrity_checks(dns_zone_t *zone, dns_db_t *db) {
/*
* OpenSSL verification of RSA keys with exponent 3 is known to be
- * broken prior OpenSSL 0.9.8c/0.9.7k. Look for such keys and warn
+ * broken prior OpenSSL 0.9.8c/0.9.7k. Look for such keys and warn
* if they are in use.
*/
static void
@@ -2179,7 +2357,6 @@ zone_check_dnskeys(dns_zone_t *zone, dns_db_t *db) {
dns_db_detachnode(db, &node);
if (version != NULL)
dns_db_closeversion(db, &version, ISC_FALSE);
-
}
static void
@@ -2200,15 +2377,18 @@ resume_signingwithkey(dns_zone_t *zone) {
zone->privatetype,
dns_rdatatype_none, 0,
&rdataset, NULL);
- if (result != ISC_R_SUCCESS)
+ if (result != ISC_R_SUCCESS) {
+ INSIST(!dns_rdataset_isassociated(&rdataset));
goto cleanup;
+ }
for (result = dns_rdataset_first(&rdataset);
result == ISC_R_SUCCESS;
result = dns_rdataset_next(&rdataset))
{
dns_rdataset_current(&rdataset, &rdata);
- if (rdata.length != 5 || rdata.data[4] != 0) {
+ if (rdata.length != 5 ||
+ rdata.data[0] == 0 || rdata.data[4] != 0) {
dns_rdata_reset(&rdata);
continue;
}
@@ -2230,7 +2410,6 @@ resume_signingwithkey(dns_zone_t *zone) {
dns_db_detachnode(zone->db, &node);
if (version != NULL)
dns_db_closeversion(zone->db, &version, ISC_FALSE);
-
}
static isc_result_t
@@ -2239,6 +2418,9 @@ zone_addnsec3chain(dns_zone_t *zone, dns_rdata_nsec3param_t *nsec3param) {
isc_result_t result;
isc_time_t now;
unsigned int options = 0;
+ char saltbuf[255*2+1];
+ char flags[sizeof("REMOVE|CREATE|NONSEC|OPTOUT")];
+ int i;
nsec3chain = isc_mem_get(zone->mctx, sizeof *nsec3chain);
if (nsec3chain == NULL)
@@ -2260,6 +2442,40 @@ zone_addnsec3chain(dns_zone_t *zone, dns_rdata_nsec3param_t *nsec3param) {
nsec3chain->delete_nsec = ISC_FALSE;
nsec3chain->save_delete_nsec = ISC_FALSE;
+ if (nsec3param->flags == 0)
+ strlcpy(flags, "NONE", sizeof(flags));
+ else {
+ flags[0] = '\0';
+ if (nsec3param->flags & DNS_NSEC3FLAG_REMOVE)
+ strlcat(flags, "REMOVE", sizeof(flags));
+ if (nsec3param->flags & DNS_NSEC3FLAG_CREATE) {
+ if (flags[0] == '\0')
+ strlcpy(flags, "CREATE", sizeof(flags));
+ else
+ strlcat(flags, "|CREATE", sizeof(flags));
+ }
+ if (nsec3param->flags & DNS_NSEC3FLAG_NONSEC) {
+ if (flags[0] == '\0')
+ strlcpy(flags, "NONSEC", sizeof(flags));
+ else
+ strlcat(flags, "|NONSEC", sizeof(flags));
+ }
+ if (nsec3param->flags & DNS_NSEC3FLAG_OPTOUT) {
+ if (flags[0] == '\0')
+ strlcpy(flags, "OPTOUT", sizeof(flags));
+ else
+ strlcat(flags, "|OPTOUT", sizeof(flags));
+ }
+ }
+ if (nsec3param->salt_length == 0)
+ strlcpy(saltbuf, "-", sizeof(saltbuf));
+ else
+ for (i = 0; i < nsec3param->salt_length; i++)
+ sprintf(&saltbuf[i*2], "%02X", nsec3chain->salt[i]);
+ dns_zone_log(zone, ISC_LOG_INFO,
+ "zone_addnsec3chain(%u,%s,%u,%s)",
+ nsec3param->hash, flags, nsec3param->iterations,
+ saltbuf);
for (current = ISC_LIST_HEAD(zone->nsec3chain);
current != NULL;
current = ISC_LIST_NEXT(current, link)) {
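Review bot: The salt dump in the added logging block writes with an unbounded `sprintf(&saltbuf[i*2], "%02X", nsec3chain->salt[i])`, so staying inside `saltbuf[255*2+1]` rests on two facts declared outside this hunk. The first is that `salt_length` can never exceed 255; the second is that `salt` holds unsigned bytes, since a signed element would be sign-extended by `%02X` and print eight digits into a two-character slot. Bounding the write makes the limit explicit: `snprintf(&saltbuf[i*2], sizeof(saltbuf) - i*2, "%02X", nsec3chain->salt[i]);`. The loop also takes its bound from `nsec3param->salt_length` while reading from `nsec3chain->salt`, which is only correct if the copy into `nsec3chain` has already happened earlier in the function. zone_addnsec3chain starts and ends outside the hunk.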
@@ -2309,11 +2525,13 @@ static void
resume_addnsec3chain(dns_zone_t *zone) {
dns_dbnode_t *node = NULL;
dns_dbversion_t *version = NULL;
- dns_rdata_t rdata = DNS_RDATA_INIT;
dns_rdataset_t rdataset;
isc_result_t result;
dns_rdata_nsec3param_t nsec3param;
+ if (zone->privatetype == 0)
+ return;
+
result = dns_db_findnode(zone->db, &zone->origin, ISC_FALSE, &node);
if (result != ISC_R_SUCCESS)
goto cleanup;
@@ -2321,17 +2539,25 @@ resume_addnsec3chain(dns_zone_t *zone) {
dns_db_currentversion(zone->db, &version);
dns_rdataset_init(&rdataset);
result = dns_db_findrdataset(zone->db, node, version,
- dns_rdatatype_nsec3param,
- dns_rdatatype_none, 0,
- &rdataset, NULL);
- if (result != ISC_R_SUCCESS)
+ zone->privatetype, dns_rdatatype_none,
+ 0, &rdataset, NULL);
+ if (result != ISC_R_SUCCESS) {
+ INSIST(!dns_rdataset_isassociated(&rdataset));
goto cleanup;
+ }
for (result = dns_rdataset_first(&rdataset);
result == ISC_R_SUCCESS;
result = dns_rdataset_next(&rdataset))
{
- dns_rdataset_current(&rdataset, &rdata);
+ unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ dns_rdata_t private = DNS_RDATA_INIT;
+
+ dns_rdataset_current(&rdataset, &private);
+ if (!dns_nsec3param_fromprivate(&private, &rdata, buf,
+ sizeof(buf)))
+ continue;
result = dns_rdata_tostruct(&rdata, &nsec3param, NULL);
RUNTIME_CHECK(result == ISC_R_SUCCESS);
if ((nsec3param.flags & DNS_NSEC3FLAG_CREATE) != 0 ||
@@ -2343,10 +2569,8 @@ resume_addnsec3chain(dns_zone_t *zone) {
dns_result_totext(result));
}
}
- dns_rdata_reset(&rdata);
}
dns_rdataset_disassociate(&rdataset);
-
cleanup:
if (node != NULL)
dns_db_detachnode(zone->db, &node);
@@ -2364,8 +2588,8 @@ set_resigntime(dns_zone_t *zone) {
dns_rdataset_init(&rdataset);
dns_fixedname_init(&fixed);
- result = dns_db_getsigningtime(zone->db, &rdataset,
- dns_fixedname_name(&fixed));
+ result = dns_db_getsigningtime(zone->db, &rdataset,
+ dns_fixedname_name(&fixed));
if (result != ISC_R_SUCCESS) {
isc_time_settoepoch(&zone->resigntime);
return;
@@ -2403,10 +2627,12 @@ check_nsec3param(dns_zone_t *zone, dns_db_t *db) {
dns_rdatatype_nsec3param,
dns_rdatatype_none, 0, &rdataset, NULL);
if (result == ISC_R_NOTFOUND) {
+ INSIST(!dns_rdataset_isassociated(&rdataset));
result = ISC_R_SUCCESS;
goto cleanup;
}
if (result != ISC_R_SUCCESS) {
+ INSIST(!dns_rdataset_isassociated(&rdataset));
dns_zone_log(zone, ISC_LOG_ERROR,
"nsec3param lookup failure: %s",
dns_result_totext(result));
@@ -2467,6 +2693,609 @@ check_nsec3param(dns_zone_t *zone, dns_db_t *db) {
return (result);
}
+/*
+ * Set the timer for refreshing the key zone to the soonest future time
+ * of the set (current timer, keydata->refresh, keydata->addhd,
+ * keydata->removehd).
+ */
+static void
+set_refreshkeytimer(dns_zone_t *zone, dns_rdata_keydata_t *key,
+ isc_stdtime_t now)
+{
+ const char me[] = "set_refreshkeytimer";
+ isc_stdtime_t then;
+ isc_time_t timenow, timethen;
+ char timebuf[80];
+
+ ENTER;
+ then = key->refresh;
+ if (key->addhd > now && key->addhd < then)
+ then = key->addhd;
+ if (key->removehd > now && key->removehd < then)
+ then = key->removehd;
+
+ TIME_NOW(&timenow);
+ if (then > now)
+ DNS_ZONE_TIME_ADD(&timenow, then - now, &timethen);
+ else
+ timethen = timenow;
+ if (isc_time_compare(&zone->refreshkeytime, &timenow) < 0 ||
+ isc_time_compare(&timethen, &zone->refreshkeytime) < 0)
+ zone->refreshkeytime = timethen;
+
+ isc_time_formattimestamp(&zone->refreshkeytime, timebuf, 80);
+ dns_zone_log(zone, ISC_LOG_DEBUG(1), "next key refresh: %s", timebuf);
+ zone_settimer(zone, &timenow);
+}
+
+/*
+ * Convert key(s) linked from 'keynode' to KEYDATA and add to the key zone.
+ * If the key zone is changed, set '*changed' to ISC_TRUE.
+ */
+static isc_result_t
+create_keydata(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
+ dns_diff_t *diff, dns_keytable_t *keytable,
+ dns_keynode_t **keynodep, isc_boolean_t *changed)
+{
+ const char me[] = "create_keydata";
+ isc_result_t result = ISC_R_SUCCESS;
+ isc_buffer_t keyb, dstb;
+ unsigned char key_buf[4096], dst_buf[DST_KEY_MAXSIZE];
+ dns_rdata_keydata_t keydata;
+ dns_rdata_dnskey_t dnskey;
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ dns_keynode_t *keynode;
+ isc_stdtime_t now;
+ isc_region_t r;
+ dst_key_t *key;
+
+ REQUIRE(keynodep != NULL);
+ keynode = *keynodep;
+
+ ENTER;
+ isc_stdtime_get(&now);
+
+ /* Loop in case there's more than one key. */
+ while (result == ISC_R_SUCCESS) {
+ dns_keynode_t *nextnode = NULL;
+
+ key = dns_keynode_key(keynode);
+ if (key == NULL)
+ goto skip;
+
+ isc_buffer_init(&dstb, dst_buf, sizeof(dst_buf));
+ CHECK(dst_key_todns(key, &dstb));
+
+ /* Convert DST key to DNSKEY. */
+ dns_rdata_reset(&rdata);
+ isc_buffer_usedregion(&dstb, &r);
+ dns_rdata_fromregion(&rdata, dst_key_class(key),
+ dns_rdatatype_dnskey, &r);
+
+ /* DSTKEY to KEYDATA. */
+ CHECK(dns_rdata_tostruct(&rdata, &dnskey, NULL));
+ CHECK(dns_keydata_fromdnskey(&keydata, &dnskey, now, 0, 0,
+ NULL));
+
+ /* KEYDATA to rdata. */
+ dns_rdata_reset(&rdata);
+ isc_buffer_init(&keyb, key_buf, sizeof(key_buf));
+ CHECK(dns_rdata_fromstruct(&rdata,
+ zone->rdclass, dns_rdatatype_keydata,
+ &keydata, &keyb));
+
+ /* Add rdata to zone. */
+ CHECK(update_one_rr(db, ver, diff, DNS_DIFFOP_ADD,
+ dst_key_name(key), 0, &rdata));
+ *changed = ISC_TRUE;
+
+ skip:
+ result = dns_keytable_nextkeynode(keytable, keynode, &nextnode);
+ if (result != ISC_R_NOTFOUND) {
+ dns_keytable_detachkeynode(keytable, &keynode);
+ keynode = nextnode;
+ }
+ }
+
+ /* Refresh new keys from the zone apex as soon as possible. */
+ if (*changed)
+ set_refreshkeytimer(zone, &keydata, now);
+
+ if (keynode != NULL)
+ dns_keytable_detachkeynode(keytable, &keynode);
+ *keynodep = NULL;
+
+ return (ISC_R_SUCCESS);
+
+ failure:
+ return (result);
+}
+
+/*
+ * Remove from the key zone all the KEYDATA records found in rdataset.
+ */
+static isc_result_t
+delete_keydata(dns_db_t *db, dns_dbversion_t *ver, dns_diff_t *diff,
+ dns_name_t *name, dns_rdataset_t *rdataset)
+{
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ isc_result_t result, uresult;
+
+ for (result = dns_rdataset_first(rdataset);
+ result == ISC_R_SUCCESS;
+ result = dns_rdataset_next(rdataset)) {
+ dns_rdata_reset(&rdata);
+ dns_rdataset_current(rdataset, &rdata);
+ uresult = update_one_rr(db, ver, diff, DNS_DIFFOP_DEL,
+ name, 0, &rdata);
+ if (uresult != ISC_R_SUCCESS)
+ return (uresult);
+ }
+ if (result == ISC_R_NOMORE)
+ result = ISC_R_SUCCESS;
+ return (result);
+}
+
+/*
+ * Compute the DNSSEC key ID for a DNSKEY record.
+ */
+static isc_result_t
+compute_tag(dns_name_t *name, dns_rdata_dnskey_t *dnskey, isc_mem_t *mctx,
+ dns_keytag_t *tag)
+{
+ isc_result_t result;
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ unsigned char data[4096];
+ isc_buffer_t buffer;
+ dst_key_t *dstkey = NULL;
+
+ isc_buffer_init(&buffer, data, sizeof(data));
+ dns_rdata_fromstruct(&rdata, dnskey->common.rdclass,
+ dns_rdatatype_dnskey, dnskey, &buffer);
+
+ result = dns_dnssec_keyfromrdata(name, &rdata, mctx, &dstkey);
+ if (result == ISC_R_SUCCESS)
+ *tag = dst_key_id(dstkey);
+ dst_key_free(&dstkey);
+
+ return (result);
+}
+
+/*
+ * Add key to the security roots.
+ */
+static void
+trust_key(dns_zone_t *zone, dns_name_t *keyname,
+ dns_rdata_dnskey_t *dnskey, isc_mem_t *mctx) {
+ isc_result_t result;
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ unsigned char data[4096];
+ isc_buffer_t buffer;
+ dns_keytable_t *sr = NULL;
+ dst_key_t *dstkey = NULL;
+
+ /* Convert dnskey to DST key. */
+ isc_buffer_init(&buffer, data, sizeof(data));
+ dns_rdata_fromstruct(&rdata, dnskey->common.rdclass,
+ dns_rdatatype_dnskey, dnskey, &buffer);
+
+ result = dns_view_getsecroots(zone->view, &sr);
+ if (result != ISC_R_SUCCESS)
+ goto failure;
+
+ CHECK(dns_dnssec_keyfromrdata(keyname, &rdata, mctx, &dstkey));
+ CHECK(dns_keytable_add(sr, ISC_TRUE, &dstkey));
+ dns_keytable_detach(&sr);
+
+ failure:
+ if (dstkey != NULL)
+ dst_key_free(&dstkey);
+ if (sr != NULL)
+ dns_keytable_detach(&sr);
+ return;
+}
+
+/*
+ * Add a null key to the security roots for so that all queries
+ * to the zone will fail.
+ */
+static void
+fail_secure(dns_zone_t *zone, dns_name_t *keyname) {
+ isc_result_t result;
+ dns_keytable_t *sr = NULL;
+
+ result = dns_view_getsecroots(zone->view, &sr);
+ if (result == ISC_R_SUCCESS) {
+ dns_keytable_marksecure(sr, keyname);
+ dns_keytable_detach(&sr);
+ }
+}
+
+/*
+ * Scan a set of KEYDATA records from the key zone. The ones that are
+ * valid (i.e., the add holddown timer has expired) become trusted keys.
+ */
+static void
+load_secroots(dns_zone_t *zone, dns_name_t *name, dns_rdataset_t *rdataset) {
+ isc_result_t result;
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ dns_rdata_keydata_t keydata;
+ dns_rdata_dnskey_t dnskey;
+ isc_mem_t *mctx = zone->mctx;
+ int trusted = 0, revoked = 0, pending = 0;
+ isc_stdtime_t now;
+ dns_keytable_t *sr = NULL;
+
+ isc_stdtime_get(&now);
+
+ result = dns_view_getsecroots(zone->view, &sr);
+ if (result == ISC_R_SUCCESS) {
+ dns_keytable_delete(sr, name);
+ dns_keytable_detach(&sr);
+ }
+
+ /* Now insert all the accepted trust anchors from this keydata set. */
+ for (result = dns_rdataset_first(rdataset);
+ result == ISC_R_SUCCESS;
+ result = dns_rdataset_next(rdataset)) {
+ dns_rdata_reset(&rdata);
+ dns_rdataset_current(rdataset, &rdata);
+
+ /* Convert rdata to keydata. */
+ dns_rdata_tostruct(&rdata, &keydata, NULL);
+
+ /* Set the key refresh timer. */
+ set_refreshkeytimer(zone, &keydata, now);
+
+ /* If the removal timer is nonzero, this key was revoked. */
+ if (keydata.removehd != 0) {
+ revoked++;
+ continue;
+ }
+
+ /*
+ * If the add timer is still pending, this key is not
+ * trusted yet.
+ */
+ if (now < keydata.addhd) {
+ pending++;
+ continue;
+ }
+
+ /* Convert keydata to dnskey. */
+ dns_keydata_todnskey(&keydata, &dnskey, NULL);
+
+ /* Add to keytables. */
+ trusted++;
+ trust_key(zone, name, &dnskey, mctx);
+ }
+
+ if (trusted == 0 && pending != 0) {
+ char namebuf[DNS_NAME_FORMATSIZE];
+ dns_name_format(name, namebuf, sizeof namebuf);
+ dns_zone_log(zone, ISC_LOG_ERROR,
+ "No valid trust anchors for '%s'!", namebuf);
+ dns_zone_log(zone, ISC_LOG_ERROR,
+ "%d key(s) revoked, %d still pending",
+ revoked, pending);
+ dns_zone_log(zone, ISC_LOG_ERROR,
+ "All queries to '%s' will fail", namebuf);
+ fail_secure(zone, name);
+ }
+}
+
+static isc_result_t
+do_one_tuple(dns_difftuple_t **tuple, dns_db_t *db, dns_dbversion_t *ver,
+ dns_diff_t *diff)
+{
+ dns_diff_t temp_diff;
+ isc_result_t result;
+
+ /*
+ * Create a singleton diff.
+ */
+ dns_diff_init(diff->mctx, &temp_diff);
+ temp_diff.resign = diff->resign;
+ ISC_LIST_APPEND(temp_diff.tuples, *tuple, link);
+
+ /*
+ * Apply it to the database.
+ */
+ result = dns_diff_apply(&temp_diff, db, ver);
+ ISC_LIST_UNLINK(temp_diff.tuples, *tuple, link);
+ if (result != ISC_R_SUCCESS) {
+ dns_difftuple_free(tuple);
+ return (result);
+ }
+
+ /*
+ * Merge it into the current pending journal entry.
+ */
+ dns_diff_appendminimal(diff, tuple);
+
+ /*
+ * Do not clear temp_diff.
+ */
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+update_one_rr(dns_db_t *db, dns_dbversion_t *ver, dns_diff_t *diff,
+ dns_diffop_t op, dns_name_t *name, dns_ttl_t ttl,
+ dns_rdata_t *rdata)
+{
+ dns_difftuple_t *tuple = NULL;
+ isc_result_t result;
+ result = dns_difftuple_create(diff->mctx, op,
+ name, ttl, rdata, &tuple);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ return (do_one_tuple(&tuple, db, ver, diff));
+}
+
+static isc_result_t
+increment_soa_serial(dns_db_t *db, dns_dbversion_t *ver,
+ dns_diff_t *diff, isc_mem_t *mctx) {
+ dns_difftuple_t *deltuple = NULL;
+ dns_difftuple_t *addtuple = NULL;
+ isc_uint32_t serial;
+ isc_result_t result;
+
+ CHECK(dns_db_createsoatuple(db, ver, mctx, DNS_DIFFOP_DEL, &deltuple));
+ CHECK(dns_difftuple_copy(deltuple, &addtuple));
+ addtuple->op = DNS_DIFFOP_ADD;
+
+ serial = dns_soa_getserial(&addtuple->rdata);
+
+ /* RFC1982 */
+ serial = (serial + 1) & 0xFFFFFFFF;
+ if (serial == 0)
+ serial = 1;
+
+ dns_soa_setserial(serial, &addtuple->rdata);
+ CHECK(do_one_tuple(&deltuple, db, ver, diff));
+ CHECK(do_one_tuple(&addtuple, db, ver, diff));
+ result = ISC_R_SUCCESS;
+
+ failure:
+ if (addtuple != NULL)
+ dns_difftuple_free(&addtuple);
+ if (deltuple != NULL)
+ dns_difftuple_free(&deltuple);
+ return (result);
+}
+
+/*
+ * Write all transactions in 'diff' to the zone journal file.
+ */
+static isc_result_t
+zone_journal(dns_zone_t *zone, dns_diff_t *diff, const char *caller) {
+ const char me[] = "zone_journal";
+ const char *journalfile;
+ isc_result_t result = ISC_R_SUCCESS;
+ dns_journal_t *journal = NULL;
+
+ ENTER;
+ journalfile = dns_zone_getjournal(zone);
+ if (journalfile != NULL) {
+ result = dns_journal_open(zone->mctx, journalfile,
+ ISC_TRUE, &journal);
+ if (result != ISC_R_SUCCESS) {
+ dns_zone_log(zone, ISC_LOG_ERROR,
+ "%s:dns_journal_open -> %s",
+ caller, dns_result_totext(result));
+ return (result);
+ }
+
+ result = dns_journal_write_transaction(journal, diff);
+ dns_journal_destroy(&journal);
+ if (result != ISC_R_SUCCESS) {
+ dns_zone_log(zone, ISC_LOG_ERROR,
+ "%s:dns_journal_write_transaction -> %s",
+ caller, dns_result_totext(result));
+ return (result);
+ }
+ }
+ return (result);
+}
+
+/*
+ * Create an SOA record for a newly-created zone
+ */
+static isc_result_t
+add_soa(dns_zone_t *zone, dns_db_t *db) {
+ isc_result_t result;
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ unsigned char buf[DNS_SOA_BUFFERSIZE];
+ dns_dbversion_t *ver = NULL;
+ dns_diff_t diff;
+
+ dns_zone_log(zone, ISC_LOG_DEBUG(1), "creating SOA");
+
+ dns_diff_init(zone->mctx, &diff);
+ result = dns_db_newversion(db, &ver);
+ if (result != ISC_R_SUCCESS) {
+ dns_zone_log(zone, ISC_LOG_ERROR,
+ "add_soa:dns_db_newversion -> %s",
+ dns_result_totext(result));
+ goto failure;
+ }
+
+ /* Build SOA record */
+ result = dns_soa_buildrdata(&zone->origin, dns_rootname, zone->rdclass,
+ 0, 0, 0, 0, 0, buf, &rdata);
+ if (result != ISC_R_SUCCESS) {
+ dns_zone_log(zone, ISC_LOG_ERROR,
+ "add_soa:dns_soa_buildrdata -> %s",
+ dns_result_totext(result));
+ goto failure;
+ }
+
+ result = update_one_rr(db, ver, &diff, DNS_DIFFOP_ADD,
+ &zone->origin, 0, &rdata);
+
+failure:
+ dns_diff_clear(&diff);
+ if (ver != NULL)
+ dns_db_closeversion(db, &ver, ISC_TF(result == ISC_R_SUCCESS));
+
+ return (result);
+}
+
+/*
+ * Synchronize the set of initializing keys found in managed-keys {}
+ * statements with the set of trust anchors found in the managed-keys.bind
+ * zone. If a domain is no longer named in managed-keys, delete all keys
+ * from that domain from the key zone. If a domain is mentioned in in
+ * managed-keys but there are no references to it in the key zone, load
+ * the key zone with the initializing key(s) for that domain.
+ */
+static isc_result_t
+sync_keyzone(dns_zone_t *zone, dns_db_t *db) {
+ isc_result_t result = ISC_R_SUCCESS;
+ isc_boolean_t changed = ISC_FALSE;
+ isc_boolean_t commit = ISC_FALSE;
+ dns_rbtnodechain_t chain;
+ dns_fixedname_t fn;
+ dns_name_t foundname, *origin;
+ dns_keynode_t *keynode = NULL;
+ dns_view_t *view = zone->view;
+ dns_keytable_t *sr = NULL;
+ dns_dbversion_t *ver = NULL;
+ dns_diff_t diff;
+ dns_rriterator_t rrit;
+
+ dns_zone_log(zone, ISC_LOG_DEBUG(1), "synchronizing trusted keys");
+
+ dns_name_init(&foundname, NULL);
+ dns_fixedname_init(&fn);
+ origin = dns_fixedname_name(&fn);
+
+ dns_diff_init(zone->mctx, &diff);
+
+ CHECK(dns_view_getsecroots(view, &sr));
+
+ result = dns_db_newversion(db, &ver);
+ if (result != ISC_R_SUCCESS) {
+ dns_zone_log(zone, ISC_LOG_ERROR,
+ "sync_keyzone:dns_db_newversion -> %s",
+ dns_result_totext(result));
+ goto failure;
+ }
+
+ /*
+ * Walk the zone DB. If we find any keys whose names are no longer
+ * in managed-keys (or *are* in trusted-keys, meaning they are
+ * permanent and not RFC5011-maintained), delete them from the
+ * zone. Otherwise call load_secroots(), which loads keys into
+ * secroots as appropriate.
+ */
+ dns_rriterator_init(&rrit, db, ver, 0);
+ for (result = dns_rriterator_first(&rrit);
+ result == ISC_R_SUCCESS;
+ result = dns_rriterator_nextrrset(&rrit)) {
+ dns_rdataset_t *rdataset = NULL;
+ dns_name_t *rrname = NULL;
+ isc_uint32_t ttl;
+
+ dns_rriterator_current(&rrit, &rrname, &ttl,
+ &rdataset, NULL);
+ if (!dns_rdataset_isassociated(rdataset)) {
+ dns_rriterator_destroy(&rrit);
+ goto failure;
+ }
+
+ if (rdataset->type != dns_rdatatype_keydata)
+ continue;
+
+ result = dns_keytable_find(sr, rrname, &keynode);
+ if ((result != ISC_R_SUCCESS &&
+ result != DNS_R_PARTIALMATCH) ||
+ dns_keynode_managed(keynode) == ISC_FALSE) {
+ CHECK(delete_keydata(db, ver, &diff,
+ rrname, rdataset));
+ changed = ISC_TRUE;
+ } else {
+ load_secroots(zone, rrname, rdataset);
+ }
+
+ if (keynode != NULL)
+ dns_keytable_detachkeynode(sr, &keynode);
+ }
+ dns_rriterator_destroy(&rrit);
+
+ /*
+ * Now walk secroots to find any managed keys that aren't
+ * in the zone. If we find any, we add them to the zone.
+ */
+ RWLOCK(&sr->rwlock, isc_rwlocktype_write);
+ dns_rbtnodechain_init(&chain, zone->mctx);
+ result = dns_rbtnodechain_first(&chain, sr->table, &foundname, origin);
+ if (result == ISC_R_NOTFOUND)
+ result = ISC_R_NOMORE;
+ while (result == DNS_R_NEWORIGIN || result == ISC_R_SUCCESS) {
+ dns_rbtnode_t *rbtnode = NULL;
+
+ dns_rbtnodechain_current(&chain, &foundname, origin, &rbtnode);
+ if (rbtnode->data == NULL)
+ goto skip;
+
+ dns_keytable_attachkeynode(sr, rbtnode->data, &keynode);
+ if (dns_keynode_managed(keynode)) {
+ dns_fixedname_t fname;
+ dns_name_t *keyname;
+ dst_key_t *key;
+
+ key = dns_keynode_key(keynode);
+ dns_fixedname_init(&fname);
+
+ if (key == NULL) /* fail_secure() was called. */
+ goto skip;
+
+ keyname = dst_key_name(key);
+ result = dns_db_find(db, keyname, ver,
+ dns_rdatatype_keydata,
+ DNS_DBFIND_NOWILD, 0, NULL,
+ dns_fixedname_name(&fname),
+ NULL, NULL);
+ if (result != ISC_R_SUCCESS)
+ result = create_keydata(zone, db, ver, &diff,
+ sr, &keynode, &changed);
+ if (result != ISC_R_SUCCESS)
+ break;
+ }
+ skip:
+ result = dns_rbtnodechain_next(&chain, &foundname, origin);
+ if (keynode != NULL)
+ dns_keytable_detachkeynode(sr, &keynode);
+ }
+ RWUNLOCK(&sr->rwlock, isc_rwlocktype_write);
+
+ if (result == ISC_R_NOMORE)
+ result = ISC_R_SUCCESS;
+
+ if (changed) {
+ /* Write changes to journal file. */
+ CHECK(increment_soa_serial(db, ver, &diff, zone->mctx));
+ CHECK(zone_journal(zone, &diff, "sync_keyzone"));
+
+ DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_LOADED);
+ zone_needdump(zone, 30);
+ commit = ISC_TRUE;
+ }
+
+ failure:
+ if (keynode != NULL)
+ dns_keytable_detachkeynode(sr, &keynode);
+ if (sr != NULL)
+ dns_keytable_detach(&sr);
+ if (ver != NULL)
+ dns_db_closeversion(db, &ver, commit);
+ dns_diff_clear(&diff);
+
+ return (result);
+}
+
static isc_result_t
zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
isc_result_t result)
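Review bot: In load_secroots, `trusted++` runs before `trust_key()`, and `trust_key()` is `void` with a silent `failure:` path, so a key that could not be converted or added to the key table is still counted as trusted. Because the function first calls `dns_keytable_delete(sr, name)`, a failed add can leave the name with no anchor while the `trusted == 0 && pending != 0` branch that logs and calls `fail_secure()` is skipped; how validation treats that state depends on key-table code not shown here. I would have `trust_key()` return its `isc_result_t`, log the failure, and count only successes: `if (trust_key(zone, name, &dnskey, mctx) == ISC_R_SUCCESS) trusted++;`. Separately, compute_tag calls `dst_key_free(&dstkey)` even when `dns_dnssec_keyfromrdata()` failed and `dstkey` is still NULL, whereas trust_key guards the same call with `if (dstkey != NULL)`; the two should agree.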
@@ -2478,6 +3307,7 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
isc_time_t now;
isc_boolean_t needdump = ISC_FALSE;
isc_boolean_t hasinclude = DNS_ZONE_FLAG(zone, DNS_ZONEFLG_HASINCLUDE);
+ isc_boolean_t nomaster = ISC_FALSE;
unsigned int options;
TIME_NOW(&now);
@@ -2499,12 +3329,20 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
"failed: %s",
zone->masterfile,
dns_result_totext(result));
- } else
- dns_zone_log(zone, ISC_LOG_ERROR,
+ } else {
+ int level = ISC_LOG_ERROR;
+ if (zone->type == dns_zone_key &&
+ result == ISC_R_FILENOTFOUND)
+ level = ISC_LOG_DEBUG(1);
+ dns_zone_log(zone, level,
"loading from master file %s failed: %s",
zone->masterfile,
dns_result_totext(result));
- goto cleanup;
+ nomaster = ISC_TRUE;
+ }
+
+ if (zone->type != dns_zone_key)
+ goto cleanup;
}
dns_zone_log(zone, ISC_LOG_DEBUG(2),
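Review bot: `nomaster = ISC_TRUE` is set for every load error that reaches this `else`, not only `ISC_R_FILENOTFOUND`, and the new `if (zone->type != dns_zone_key) goto cleanup;` then lets a key zone continue past any of them. A managed-keys file that exists but fails to load would therefore be handled like a brand-new zone (the next hunk adds a fresh SOA when `nomaster` is set), which may discard stored hold-down and revocation state instead of stopping. Consider `nomaster = ISC_TF(result == ISC_R_FILENOTFOUND);` and `if (zone->type != dns_zone_key || !nomaster) goto cleanup;`. The enclosing `if` begins outside the hunk, so the first branch's conditions need checking against that change as well.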
@@ -2517,6 +3355,18 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_HASINCLUDE);
/*
+ * If there's no master file for a key zone, then the zone is new:
+ * create an SOA record. (We do this now, instead of later, so that
+ * if there happens to be a journal file, we can roll forward from
+ * a sane starting point.)
+ */
+ if (nomaster && zone->type == dns_zone_key) {
+ result = add_soa(zone, db);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+ }
+
+ /*
* Apply update log, if any, on initial load.
*/
if (zone->journal != NULL &&
@@ -2561,7 +3411,7 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
result = zone_get_from_db(zone, db, &nscount, &soacount, &serial,
&refresh, &retry, &expire, &minimum,
&errors);
- if (result != ISC_R_SUCCESS) {
+ if (result != ISC_R_SUCCESS && zone->type != dns_zone_key) {
dns_zone_log(zone, ISC_LOG_ERROR,
"could not find NS and/or SOA records");
}
@@ -2572,6 +3422,7 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
*/
switch (zone->type) {
+ case dns_zone_dlz:
case dns_zone_master:
case dns_zone_slave:
case dns_zone_stub:
@@ -2603,6 +3454,13 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
goto cleanup;
}
+ if (zone->type == dns_zone_master &&
+ DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKDUPRR) &&
+ !zone_check_dup(zone, db)) {
+ result = DNS_R_BADZONE;
+ goto cleanup;
+ }
+
if (zone->db != NULL) {
/*
* This is checked in zone_replacedb() for slave zones
@@ -2630,13 +3488,14 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
goto cleanup;
} else if (!isc_serial_ge(serial, oldserial))
dns_zone_log(zone, ISC_LOG_ERROR,
- "zone serial has gone backwards");
+ "zone serial (%u/%u) has gone "
+ "backwards", serial, oldserial);
else if (serial == oldserial && !hasinclude &&
strcmp(zone->db_argv[0], "_builtin") != 0)
dns_zone_log(zone, ISC_LOG_ERROR,
- "zone serial unchanged. "
+ "zone serial (%u) unchanged. "
"zone may fail to transfer "
- "to slaves.");
+ "to slaves.", serial);
}
if (zone->type == dns_zone_master &&
@@ -2682,6 +3541,13 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
zone->refreshtime = now;
}
break;
+
+ case dns_zone_key:
+ result = sync_keyzone(zone, db);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+ break;
+
default:
UNEXPECTED_ERROR(__FILE__, __LINE__,
"unexpected zone type %d", zone->type);
@@ -2695,6 +3561,13 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
if (zone->type == dns_zone_master)
zone_check_dnskeys(zone, db);
+ /*
+ * Schedule DNSSEC key refresh.
+ */
+ if (zone->type == dns_zone_master &&
+ DNS_ZONEKEY_OPTION(zone, DNS_ZONEKEY_MAINTAIN))
+ zone->refreshkeytime = now;
+
#if 0
/* destroy notification example. */
{
@@ -2719,28 +3592,69 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
DNS_ZONE_SETFLAG(zone,
DNS_ZONEFLG_LOADED|DNS_ZONEFLG_NEEDNOTIFY);
}
+
result = ISC_R_SUCCESS;
- if (needdump)
- zone_needdump(zone, DNS_DUMP_DELAY);
+
+ if (needdump) {
+ if (zone->type == dns_zone_key)
+ zone_needdump(zone, 30);
+ else
+ zone_needdump(zone, DNS_DUMP_DELAY);
+ }
+
if (zone->task != NULL) {
if (zone->type == dns_zone_master) {
set_resigntime(zone);
resume_signingwithkey(zone);
resume_addnsec3chain(zone);
}
+
+ if (zone->type == dns_zone_master &&
+ zone_isdynamic(zone) &&
+ dns_db_issecure(db)) {
+ dns_name_t *name;
+ dns_fixedname_t fixed;
+ dns_rdataset_t next;
+
+ dns_rdataset_init(&next);
+ dns_fixedname_init(&fixed);
+ name = dns_fixedname_name(&fixed);
+
+ result = dns_db_getsigningtime(db, &next, name);
+ if (result == ISC_R_SUCCESS) {
+ isc_stdtime_t timenow;
+ char namebuf[DNS_NAME_FORMATSIZE];
+ char typebuf[DNS_RDATATYPE_FORMATSIZE];
+
+ isc_stdtime_get(&timenow);
+ dns_name_format(name, namebuf, sizeof(namebuf));
+ dns_rdatatype_format(next.covers,
+ typebuf, sizeof(typebuf));
+ dns_zone_log(zone, ISC_LOG_DEBUG(3),
+ "next resign: %s/%s in %d seconds",
+ namebuf, typebuf,
+ next.resign - timenow);
+ dns_rdataset_disassociate(&next);
+ } else
+ dns_zone_log(zone, ISC_LOG_WARNING,
+ "signed dynamic zone has no "
+ "resign event scheduled");
+ }
+
zone_settimer(zone, &now);
}
if (! dns_db_ispersistent(db))
dns_zone_log(zone, ISC_LOG_INFO, "loaded serial %u%s", serial,
- dns_db_issecure(db) ? " (signed)" : "");
+ dns_db_issecure(db) ? " (DNSSEC signed)" : "");
zone->loadtime = loadtime;
return (result);
cleanup:
if (zone->type == dns_zone_slave ||
- zone->type == dns_zone_stub) {
+ zone->type == dns_zone_stub ||
+ zone->type == dns_zone_key) {
if (zone->journal != NULL)
zone_saveunique(zone, zone->journal, "jn-XXXXXXXX");
if (zone->masterfile != NULL)
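Review bot: The added resign-time block assigns `result = dns_db_getsigningtime(db, &next, name);` after `result = ISC_R_SUCCESS;` has been set, and nothing resets it before `return (result);`. A signed dynamic zone with no resign event therefore logs a warning and then makes zone_postload return the lookup's failure code, although the load itself completed. Keep the lookup in its own local declared with the block's other variables (`tresult = dns_db_getsigningtime(db, &next, name);`, tested with `if (tresult == ISC_R_SUCCESS)`). The `%d` in the "next resign" message also receives `next.resign - timenow`, whose type is not visible here; an explicit `(int)` cast would keep the format and argument in step. zone_postload starts outside the hunk.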
@@ -2774,7 +3688,9 @@ exit_check(dns_zone_t *zone) {
}
static isc_boolean_t
-zone_check_ns(dns_zone_t *zone, dns_db_t *db, dns_name_t *name) {
+zone_check_ns(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *version,
+ dns_name_t *name, isc_boolean_t logit)
+{
isc_result_t result;
char namebuf[DNS_NAME_FORMATSIZE];
char altbuf[DNS_NAME_FORMATSIZE];
@@ -2793,42 +3709,45 @@ zone_check_ns(dns_zone_t *zone, dns_db_t *db, dns_name_t *name) {
dns_fixedname_init(&fixed);
foundname = dns_fixedname_name(&fixed);
- result = dns_db_find(db, name, NULL, dns_rdatatype_a,
+ result = dns_db_find(db, name, version, dns_rdatatype_a,
0, 0, NULL, foundname, NULL, NULL);
if (result == ISC_R_SUCCESS)
return (ISC_TRUE);
if (result == DNS_R_NXRRSET) {
- result = dns_db_find(db, name, NULL, dns_rdatatype_aaaa,
+ result = dns_db_find(db, name, version, dns_rdatatype_aaaa,
0, 0, NULL, foundname, NULL, NULL);
if (result == ISC_R_SUCCESS)
return (ISC_TRUE);
}
- dns_name_format(name, namebuf, sizeof namebuf);
if (result == DNS_R_NXRRSET || result == DNS_R_NXDOMAIN ||
result == DNS_R_EMPTYNAME) {
- dns_zone_log(zone, level,
- "NS '%s' has no address records (A or AAAA)",
- namebuf);
- /* XXX950 Make fatal ISC_FALSE for 9.5.0. */
- return (ISC_TRUE);
+ if (logit) {
+ dns_name_format(name, namebuf, sizeof namebuf);
+ dns_zone_log(zone, level, "NS '%s' has no address "
+ "records (A or AAAA)", namebuf);
+ }
+ return (ISC_FALSE);
}
if (result == DNS_R_CNAME) {
- dns_zone_log(zone, level, "NS '%s' is a CNAME (illegal)",
- namebuf);
- /* XXX950 Make fatal ISC_FALSE for 9.5.0. */
- return (ISC_TRUE);
+ if (logit) {
+ dns_name_format(name, namebuf, sizeof namebuf);
+ dns_zone_log(zone, level, "NS '%s' is a CNAME "
+ "(illegal)", namebuf);
+ }
+ return (ISC_FALSE);
}
if (result == DNS_R_DNAME) {
- dns_name_format(foundname, altbuf, sizeof altbuf);
- dns_zone_log(zone, level,
- "NS '%s' is below a DNAME '%s' (illegal)",
- namebuf, altbuf);
- /* XXX950 Make fatal ISC_FALSE for 9.5.0. */
- return (ISC_TRUE);
+ if (logit) {
+ dns_name_format(name, namebuf, sizeof namebuf);
+ dns_name_format(foundname, altbuf, sizeof altbuf);
+ dns_zone_log(zone, level, "NS '%s' is below a DNAME "
+ "'%s' (illegal)", namebuf, altbuf);
+ }
+ return (ISC_FALSE);
}
return (ISC_TRUE);
@@ -2837,7 +3756,7 @@ zone_check_ns(dns_zone_t *zone, dns_db_t *db, dns_name_t *name) {
static isc_result_t
zone_count_ns_rr(dns_zone_t *zone, dns_db_t *db, dns_dbnode_t *node,
dns_dbversion_t *version, unsigned int *nscount,
- unsigned int *errors)
+ unsigned int *errors, isc_boolean_t logit)
{
isc_result_t result;
unsigned int count = 0;
@@ -2849,10 +3768,14 @@ zone_count_ns_rr(dns_zone_t *zone, dns_db_t *db, dns_dbnode_t *node,
dns_rdataset_init(&rdataset);
result = dns_db_findrdataset(db, node, version, dns_rdatatype_ns,
dns_rdatatype_none, 0, &rdataset, NULL);
- if (result == ISC_R_NOTFOUND)
+ if (result == ISC_R_NOTFOUND) {
+ INSIST(!dns_rdataset_isassociated(&rdataset));
goto success;
- if (result != ISC_R_SUCCESS)
+ }
+ if (result != ISC_R_SUCCESS) {
+ INSIST(!dns_rdataset_isassociated(&rdataset));
goto invalidate_rdataset;
+ }
result = dns_rdataset_first(&rdataset);
while (result == ISC_R_SUCCESS) {
@@ -2864,7 +3787,7 @@ zone_count_ns_rr(dns_zone_t *zone, dns_db_t *db, dns_dbnode_t *node,
result = dns_rdata_tostruct(&rdata, &ns, NULL);
RUNTIME_CHECK(result == ISC_R_SUCCESS);
if (dns_name_issubdomain(&ns.name, &zone->origin) &&
- !zone_check_ns(zone, db, &ns.name))
+ !zone_check_ns(zone, db, version, &ns.name, logit))
ecount++;
}
count++;
@@ -2903,6 +3826,7 @@ zone_load_soa_rr(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
result = dns_db_findrdataset(db, node, version, dns_rdatatype_soa,
dns_rdatatype_none, 0, &rdataset, NULL);
if (result == ISC_R_NOTFOUND) {
+ INSIST(!dns_rdataset_isassociated(&rdataset));
if (soacount != NULL)
*soacount = 0;
if (serial != NULL)
@@ -2918,8 +3842,10 @@ zone_load_soa_rr(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
result = ISC_R_SUCCESS;
goto invalidate_rdataset;
}
- if (result != ISC_R_SUCCESS)
+ if (result != ISC_R_SUCCESS) {
+ INSIST(!dns_rdataset_isassociated(&rdataset));
goto invalidate_rdataset;
+ }
count = 0;
result = dns_rdataset_first(&rdataset);
@@ -2971,15 +3897,14 @@ zone_get_from_db(dns_zone_t *zone, dns_db_t *db, unsigned int *nscount,
isc_uint32_t *expire, isc_uint32_t *minimum,
unsigned int *errors)
{
- dns_dbversion_t *version;
isc_result_t result;
isc_result_t answer = ISC_R_SUCCESS;
+ dns_dbversion_t *version = NULL;
dns_dbnode_t *node;
REQUIRE(db != NULL);
REQUIRE(zone != NULL);
- version = NULL;
dns_db_currentversion(db, &version);
node = NULL;
@@ -2991,7 +3916,7 @@ zone_get_from_db(dns_zone_t *zone, dns_db_t *db, unsigned int *nscount,
if (nscount != NULL || errors != NULL) {
result = zone_count_ns_rr(zone, db, node, version,
- nscount, errors);
+ nscount, errors, ISC_TRUE);
if (result != ISC_R_SUCCESS)
answer = result;
}
@@ -3039,7 +3964,7 @@ dns_zone_detach(dns_zone_t **zonep) {
*/
if (zone->task != NULL) {
/*
- * This zone is being managed. Post
+ * This zone is being managed. Post
* its control event and let it clean
* up synchronously in the context of
* its task.
@@ -3077,6 +4002,26 @@ dns_zone_iattach(dns_zone_t *source, dns_zone_t **target) {
UNLOCK_ZONE(source);
}
+isc_result_t
+dns_zone_synckeyzone(dns_zone_t *zone) {
+ isc_result_t result;
+ dns_db_t *db = NULL;
+
+ if (zone->type != dns_zone_key)
+ return (DNS_R_BADZONE);
+
+ CHECK(dns_zone_getdb(zone, &db));
+
+ LOCK_ZONE(zone);
+ result = sync_keyzone(zone, db);
+ UNLOCK_ZONE(zone);
+
+ failure:
+ if (db != NULL)
+ dns_db_detach(&db);
+ return (result);
+}
+
static void
zone_iattach(dns_zone_t *source, dns_zone_t **target) {
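Review bot: dns_zone_synckeyzone reads `zone->type` without first validating the handle, while dns_zone_setkeyopt and dns_zone_getkeyopts, added elsewhere in this commit, both open with the magic check. Add `REQUIRE(DNS_ZONE_VALID(zone));` as the first statement so a stale or NULL zone pointer trips an assertion instead of being dereferenced. The type test also runs before LOCK_ZONE, which is safe only if a zone's type cannot change after configuration; a one-line comment saying so would help.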
@@ -3174,6 +4119,27 @@ dns_zone_getoptions(dns_zone_t *zone) {
return (zone->options);
}
+void
+dns_zone_setkeyopt(dns_zone_t *zone, unsigned int keyopt, isc_boolean_t value)
+{
+ REQUIRE(DNS_ZONE_VALID(zone));
+
+ LOCK_ZONE(zone);
+ if (value)
+ zone->keyopts |= keyopt;
+ else
+ zone->keyopts &= ~keyopt;
+ UNLOCK_ZONE(zone);
+}
+
+unsigned int
+dns_zone_getkeyopts(dns_zone_t *zone) {
+
+ REQUIRE(DNS_ZONE_VALID(zone));
+
+ return (zone->keyopts);
+}
+
isc_result_t
dns_zone_setxfrsource4(dns_zone_t *zone, const isc_sockaddr_t *xfrsource) {
REQUIRE(DNS_ZONE_VALID(zone));
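Review bot: dns_zone_getkeyopts returns `zone->keyopts` without taking the zone lock, although dns_zone_setkeyopt in the same hunk does its read-modify-write under LOCK_ZONE. If that is deliberate (the dns_zone_getoptions context line above looks the same), say so above the return: `/* Unlocked read: a snapshot that may race with dns_zone_setkeyopt(). */`. As written, a caller that tests a bit and then acts on it gets no ordering guarantee from this getter.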
@@ -3511,6 +4477,17 @@ dns_zone_getdb(dns_zone_t *zone, dns_db_t **dpb) {
return (result);
}
+void
+dns_zone_setdb(dns_zone_t *zone, dns_db_t *db) {
+ REQUIRE(DNS_ZONE_VALID(zone));
+ REQUIRE(zone->type == dns_zone_staticstub);
+
+ ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_write);
+ REQUIRE(zone->db == NULL);
+ dns_db_attach(db, &zone->db);
+ ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_write);
+}
+
/*
* Co-ordinates the starting of routine jobs.
*/
@@ -3545,126 +4522,6 @@ was_dumping(dns_zone_t *zone) {
}
static isc_result_t
-do_one_tuple(dns_difftuple_t **tuple, dns_db_t *db, dns_dbversion_t *ver,
- dns_diff_t *diff)
-{
- dns_diff_t temp_diff;
- isc_result_t result;
-
- /*
- * Create a singleton diff.
- */
- dns_diff_init(diff->mctx, &temp_diff);
- temp_diff.resign = diff->resign;
- ISC_LIST_APPEND(temp_diff.tuples, *tuple, link);
-
- /*
- * Apply it to the database.
- */
- result = dns_diff_apply(&temp_diff, db, ver);
- ISC_LIST_UNLINK(temp_diff.tuples, *tuple, link);
- if (result != ISC_R_SUCCESS) {
- dns_difftuple_free(tuple);
- return (result);
- }
-
- /*
- * Merge it into the current pending journal entry.
- */
- dns_diff_appendminimal(diff, tuple);
-
- /*
- * Do not clear temp_diff.
- */
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-increment_soa_serial(dns_db_t *db, dns_dbversion_t *ver,
- dns_diff_t *diff, isc_mem_t *mctx)
-{
- dns_difftuple_t *deltuple = NULL;
- dns_difftuple_t *addtuple = NULL;
- isc_uint32_t serial;
- isc_result_t result;
-
- CHECK(dns_db_createsoatuple(db, ver, mctx, DNS_DIFFOP_DEL, &deltuple));
- CHECK(dns_difftuple_copy(deltuple, &addtuple));
- addtuple->op = DNS_DIFFOP_ADD;
-
- serial = dns_soa_getserial(&addtuple->rdata);
-
- /* RFC1982 */
- serial = (serial + 1) & 0xFFFFFFFF;
- if (serial == 0)
- serial = 1;
-
- dns_soa_setserial(serial, &addtuple->rdata);
- CHECK(do_one_tuple(&deltuple, db, ver, diff));
- CHECK(do_one_tuple(&addtuple, db, ver, diff));
- result = ISC_R_SUCCESS;
-
- failure:
- if (addtuple != NULL)
- dns_difftuple_free(&addtuple);
- if (deltuple != NULL)
- dns_difftuple_free(&deltuple);
- return (result);
-}
-
-static isc_result_t
-update_one_rr(dns_db_t *db, dns_dbversion_t *ver, dns_diff_t *diff,
- dns_diffop_t op, dns_name_t *name, dns_ttl_t ttl,
- dns_rdata_t *rdata)
-{
- dns_difftuple_t *tuple = NULL;
- isc_result_t result;
- result = dns_difftuple_create(diff->mctx, op,
- name, ttl, rdata, &tuple);
- if (result != ISC_R_SUCCESS)
- return (result);
- return (do_one_tuple(&tuple, db, ver, diff));
-}
-
-static isc_boolean_t
-ksk_sanity(dns_db_t *db, dns_dbversion_t *ver) {
- isc_boolean_t ret = ISC_FALSE;
- isc_boolean_t have_ksk = ISC_FALSE, have_nonksk = ISC_FALSE;
- isc_result_t result;
- dns_dbnode_t *node = NULL;
- dns_rdataset_t rdataset;
- dns_rdata_t rdata = DNS_RDATA_INIT;
- dns_rdata_dnskey_t dnskey;
-
- dns_rdataset_init(&rdataset);
- CHECK(dns_db_findnode(db, dns_db_origin(db), ISC_FALSE, &node));
- CHECK(dns_db_findrdataset(db, node, ver, dns_rdatatype_dnskey, 0, 0,
- &rdataset, NULL));
- CHECK(dns_rdataset_first(&rdataset));
- while (result == ISC_R_SUCCESS && (!have_ksk || !have_nonksk)) {
- dns_rdataset_current(&rdataset, &rdata);
- CHECK(dns_rdata_tostruct(&rdata, &dnskey, NULL));
- if ((dnskey.flags & (DNS_KEYFLAG_OWNERMASK|DNS_KEYTYPE_NOAUTH))
- == DNS_KEYOWNER_ZONE) {
- if ((dnskey.flags & DNS_KEYFLAG_KSK) != 0)
- have_ksk = ISC_TRUE;
- else
- have_nonksk = ISC_TRUE;
- }
- dns_rdata_reset(&rdata);
- result = dns_rdataset_next(&rdataset);
- }
- if (have_ksk && have_nonksk)
- ret = ISC_TRUE;
- failure:
- if (dns_rdataset_isassociated(&rdataset))
- dns_rdataset_disassociate(&rdataset);
- if (node != NULL)
- dns_db_detachnode(db, &node);
- return (ret);
-}
-
-static isc_result_t
find_zone_keys(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
isc_mem_t *mctx, unsigned int maxkeys,
dst_key_t **keys, unsigned int *nkeys)
@@ -3707,6 +4564,7 @@ static void
set_key_expiry_warning(dns_zone_t *zone, isc_stdtime_t when, isc_stdtime_t now)
{
unsigned int delta;
+ char timebuf[80];
zone->key_expiry = when;
if (when <= now) {
@@ -3714,38 +4572,74 @@ set_key_expiry_warning(dns_zone_t *zone, isc_stdtime_t when, isc_stdtime_t now)
"DNSKEY RRSIG(s) have expired");
isc_time_settoepoch(&zone->keywarntime);
} else if (when < now + 7 * 24 * 3600) {
+ isc_time_t t;
+ isc_time_set(&t, when, 0);
+ isc_time_formattimestamp(&t, timebuf, 80);
dns_zone_log(zone, ISC_LOG_WARNING,
- "DNSKEY RRSIG(s) will expire at %u",
- when); /* XXXMPA convert to date. */
+ "DNSKEY RRSIG(s) will expire within 7 days: %s",
+ timebuf);
delta = when - now;
delta--; /* loop prevention */
delta /= 24 * 3600; /* to whole days */
delta *= 24 * 3600; /* to seconds */
isc_time_set(&zone->keywarntime, when - delta, 0);
} else {
- dns_zone_log(zone, ISC_LOG_NOTICE, /* XXMPA ISC_LOG_DEBUG(1) */
- "setting keywarntime to %u - 7 days",
- when); /* XXXMPA convert to date. */
isc_time_set(&zone->keywarntime, when - 7 * 24 * 3600, 0);
+ isc_time_formattimestamp(&zone->refreshkeytime, timebuf, 80);
+ dns_zone_log(zone, ISC_LOG_NOTICE,
+ "setting keywarntime to %s", timebuf);
}
}
/*
+ * Helper function to del_sigs(). We don't want to delete RRSIGs that
+ * have no new key.
+ */
+static isc_boolean_t
+delsig_ok(dns_rdata_rrsig_t *rrsig_ptr, dst_key_t **keys, unsigned int nkeys) {
+ unsigned int i = 0;
+
+ /*
+ * It's okay to delete a signature if there is an active ZSK
+ * with the same algorithm
+ */
+ for (i = 0; i < nkeys; i++) {
+ if (rrsig_ptr->algorithm == dst_key_alg(keys[i]) &&
+ (dst_key_isprivate(keys[i])) && !KSK(keys[i]))
+ return (ISC_TRUE);
+ }
+
+ /*
+ * Failing that, it is *not* okay to delete a signature
+ * if the associated public key is still in the DNSKEY RRset
+ */
+ for (i = 0; i < nkeys; i++) {
+ if ((rrsig_ptr->algorithm == dst_key_alg(keys[i])) &&
+ (rrsig_ptr->keyid == dst_key_id(keys[i])))
+ return (ISC_FALSE);
+ }
+
+ /*
+ * But if the key is gone, then go ahead.
+ */
+ return (ISC_TRUE);
+}
+
+/*
* Delete expired RRsigs and any RRsigs we are about to re-sign.
* See also update.c:del_keysigs().
*/
static isc_result_t
del_sigs(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
dns_rdatatype_t type, dns_diff_t *diff, dst_key_t **keys,
- unsigned int nkeys, isc_stdtime_t now)
+ unsigned int nkeys, isc_stdtime_t now, isc_boolean_t incremental)
{
isc_result_t result;
dns_dbnode_t *node = NULL;
dns_rdataset_t rdataset;
- dns_rdata_t rdata = DNS_RDATA_INIT;
unsigned int i;
dns_rdata_rrsig_t rrsig;
- isc_boolean_t found;
+ isc_boolean_t found, changed;
isc_int64_t warn = 0, maybe = 0;
dns_rdataset_init(&rdataset);
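Review bot: In the final else branch of set_key_expiry_warning the code stores the new value in `zone->keywarntime` but then formats `zone->refreshkeytime` for the "setting keywarntime to %s" message, so the log reports a different timer from the one just set. The call should read `isc_time_formattimestamp(&zone->keywarntime, timebuf, sizeof(timebuf));`, and the call in the 7-day branch can take `sizeof(timebuf)` in place of the literal 80 as well. An operator reading this notice to learn when the RRSIG expiry warning will fire would be misled. This hunk also carries delsig_ok and the start of del_sigs, whose body continues outside it.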
@@ -3762,25 +4656,75 @@ del_sigs(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
(isc_stdtime_t) 0, &rdataset, NULL);
dns_db_detachnode(db, &node);
- if (result == ISC_R_NOTFOUND)
+ if (result == ISC_R_NOTFOUND) {
+ INSIST(!dns_rdataset_isassociated(&rdataset));
return (ISC_R_SUCCESS);
- if (result != ISC_R_SUCCESS)
+ }
+ if (result != ISC_R_SUCCESS) {
+ INSIST(!dns_rdataset_isassociated(&rdataset));
goto failure;
+ }
+ changed = ISC_FALSE;
for (result = dns_rdataset_first(&rdataset);
result == ISC_R_SUCCESS;
result = dns_rdataset_next(&rdataset)) {
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+
dns_rdataset_current(&rdataset, &rdata);
result = dns_rdata_tostruct(&rdata, &rrsig, NULL);
RUNTIME_CHECK(result == ISC_R_SUCCESS);
if (type != dns_rdatatype_dnskey) {
- result = update_one_rr(db, ver, diff,
+ if (delsig_ok(&rrsig, keys, nkeys)) {
+ result = update_one_rr(db, ver, diff,
DNS_DIFFOP_DELRESIGN, name,
rdataset.ttl, &rdata);
- dns_rdata_reset(&rdata);
- if (result != ISC_R_SUCCESS)
- break;
+ if (incremental)
+ changed = ISC_TRUE;
+ if (result != ISC_R_SUCCESS)
+ break;
+ } else {
+ /*
+ * At this point, we've got an RRSIG,
+ * which is signed by an inactive key.
+ * An administrator needs to provide a new
+ * key/alg, but until that time, we want to
+ * keep the old RRSIG. Marking the key as
+ * offline will prevent us spinning waiting
+ * for the private part.
+ */
+ if (incremental) {
+ result = offline(db, ver, diff, name,
+ rdataset.ttl, &rdata);
+ changed = ISC_TRUE;
+ if (result != ISC_R_SUCCESS)
+ break;
+ }
+
+ /*
+ * Log the key id and algorithm of
+ * the inactive key with no replacement
+ */
+ if (zone->log_key_expired_timer <= now) {
+ char origin[DNS_NAME_FORMATSIZE];
+ char algbuf[DNS_NAME_FORMATSIZE];
+ dns_name_format(&zone->origin, origin,
+ sizeof(origin));
+ dns_secalg_format(rrsig.algorithm,
+ algbuf,
+ sizeof(algbuf));
+ dns_zone_log(zone, ISC_LOG_WARNING,
+ "Key %s/%s/%d "
+ "missing or inactive "
+ "and has no replacement: "
+ "retaining signatures.",
+ origin, algbuf,
+ rrsig.keyid);
+ zone->log_key_expired_timer = now +
+ 3600;
+ }
+ }
continue;
}
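Review bot: The "missing or inactive and has no replacement" warning in del_sigs is throttled through the single `zone->log_key_expired_timer`, which is pushed an hour ahead as soon as the first RRSIG is logged. If more than one key is inactive, the other key ids met in that hour are therefore retained silently, and the log names only one of them. That matters because this message is the only signal visible here that signatures are being kept for a key with no private part. At minimum, document the limit above the test: `/* Throttled per zone, not per key: only the first inactive key seen in each hour is named. */`. del_sigs starts and ends outside this hunk.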
@@ -3823,6 +4767,7 @@ del_sigs(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
break;
}
}
+
/*
* If there is not a matching DNSKEY then
* delete the RRSIG.
@@ -3831,10 +4776,13 @@ del_sigs(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
result = update_one_rr(db, ver, diff,
DNS_DIFFOP_DELRESIGN, name,
rdataset.ttl, &rdata);
- dns_rdata_reset(&rdata);
if (result != ISC_R_SUCCESS)
break;
}
+
+ if (changed && (rdataset.attributes & DNS_RDATASETATTR_RESIGN) != 0)
+ dns_db_resigned(db, &rdataset, ver);
+
dns_rdataset_disassociate(&rdataset);
if (result == ISC_R_NOMORE)
result = ISC_R_SUCCESS;
@@ -3860,7 +4808,8 @@ static isc_result_t
add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
dns_rdatatype_t type, dns_diff_t *diff, dst_key_t **keys,
unsigned int nkeys, isc_mem_t *mctx, isc_stdtime_t inception,
- isc_stdtime_t expire, isc_boolean_t check_ksk)
+ isc_stdtime_t expire, isc_boolean_t check_ksk,
+ isc_boolean_t keyset_kskonly)
{
isc_result_t result;
dns_dbnode_t *node = NULL;
@@ -3868,7 +4817,7 @@ add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
dns_rdata_t sig_rdata = DNS_RDATA_INIT;
unsigned char data[1024]; /* XXX */
isc_buffer_t buffer;
- unsigned int i;
+ unsigned int i, j;
dns_rdataset_init(&rdataset);
isc_buffer_init(&buffer, data, sizeof(data));
@@ -3884,18 +4833,55 @@ add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
result = dns_db_findrdataset(db, node, ver, type, 0,
(isc_stdtime_t) 0, &rdataset, NULL);
dns_db_detachnode(db, &node);
- if (result == ISC_R_NOTFOUND)
+ if (result == ISC_R_NOTFOUND) {
+ INSIST(!dns_rdataset_isassociated(&rdataset));
return (ISC_R_SUCCESS);
- if (result != ISC_R_SUCCESS)
+ }
+ if (result != ISC_R_SUCCESS) {
+ INSIST(!dns_rdataset_isassociated(&rdataset));
goto failure;
+ }
for (i = 0; i < nkeys; i++) {
- if (check_ksk && type != dns_rdatatype_dnskey &&
- (dst_key_flags(keys[i]) & DNS_KEYFLAG_KSK) != 0)
- continue;
+ isc_boolean_t both = ISC_FALSE;
+
if (!dst_key_isprivate(keys[i]))
continue;
+
+ if (check_ksk && !REVOKE(keys[i])) {
+ isc_boolean_t have_ksk, have_nonksk;
+ if (KSK(keys[i])) {
+ have_ksk = ISC_TRUE;
+ have_nonksk = ISC_FALSE;
+ } else {
+ have_ksk = ISC_FALSE;
+ have_nonksk = ISC_TRUE;
+ }
+ for (j = 0; j < nkeys; j++) {
+ if (j == i || ALG(keys[i]) != ALG(keys[j]))
+ continue;
+ if (REVOKE(keys[j]))
+ continue;
+ if (KSK(keys[j]))
+ have_ksk = ISC_TRUE;
+ else
+ have_nonksk = ISC_TRUE;
+ both = have_ksk && have_nonksk;
+ if (both)
+ break;
+ }
+ }
+ if (both) {
+ if (type == dns_rdatatype_dnskey) {
+ if (!KSK(keys[i]) && keyset_kskonly)
+ continue;
+ } else if (KSK(keys[i]))
+ continue;
+ } else if (REVOKE(keys[i]) && type != dns_rdatatype_dnskey)
+ continue;
+
/* Calculate the signature, creating a RRSIG RDATA. */
+ isc_buffer_clear(&buffer);
CHECK(dns_dnssec_sign(name, &rdataset, keys[i],
&inception, &expire,
mctx, &buffer, &sig_rdata));
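Review bot: The key-selection block added to the `for (i = 0; i < nkeys; i++)` loop in add_sigs has no comment explaining its policy, and that policy decides which keys sign which RRsets. It can only be recovered by tracing `both`, `have_ksk` and `have_nonksk` through the inner loop. Suggest a comment above `if (check_ksk && !REVOKE(keys[i]))`: `/* Split KSK/ZSK duties only when this algorithm has both a non-revoked KSK and a non-revoked non-KSK; otherwise the key signs every RRset, and a revoked key signs only the DNSKEY RRset. */`. It is also worth stating whether the inner loop is meant to count keys[j] that have no private part, since it does not test `dst_key_isprivate(keys[j])`. The function body continues outside this hunk.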
@@ -3917,7 +4903,6 @@ add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
static void
zone_resigninc(dns_zone_t *zone) {
- const char *journalfile;
dns_db_t *db = NULL;
dns_dbversion_t *version = NULL;
dns_diff_t sig_diff;
@@ -3926,7 +4911,7 @@ zone_resigninc(dns_zone_t *zone) {
dns_rdataset_t rdataset;
dns_rdatatype_t covers;
dst_key_t *zone_keys[DNS_MAXZONEKEYS];
- isc_boolean_t check_ksk;
+ isc_boolean_t check_ksk, keyset_kskonly = ISC_FALSE;
isc_result_t result;
isc_stdtime_t now, inception, soaexpire, expire, stop;
isc_uint32_t jitter;
@@ -3981,8 +4966,7 @@ zone_resigninc(dns_zone_t *zone) {
stop = now + 5;
check_ksk = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_UPDATECHECKKSK);
- if (check_ksk)
- check_ksk = ksk_sanity(db, version);
+ keyset_kskonly = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_DNSKEYKSKONLY);
name = dns_fixedname_name(&fixed);
result = dns_db_getsigningtime(db, &rdataset, name);
@@ -3996,6 +4980,8 @@ zone_resigninc(dns_zone_t *zone) {
while (result == ISC_R_SUCCESS) {
resign = rdataset.resign;
covers = rdataset.covers;
+ dns_rdataset_disassociate(&rdataset);
+
/*
* Stop if we hit the SOA as that means we have walked the
* entire zone. The SOA record should always be the most
@@ -4003,37 +4989,28 @@ zone_resigninc(dns_zone_t *zone) {
*/
/* XXXMPA increase number of RRsets signed pre call */
if (covers == dns_rdatatype_soa || i++ > zone->signatures ||
- resign > stop) {
- /*
- * Ensure that we don't loop resigning the SOA.
- */
- if (covers == dns_rdatatype_soa)
- dns_db_resigned(db, &rdataset, version);
- dns_rdataset_disassociate(&rdataset);
+ resign > stop)
break;
- }
-
- dns_db_resigned(db, &rdataset, version);
- dns_rdataset_disassociate(&rdataset);
result = del_sigs(zone, db, version, name, covers, &sig_diff,
- zone_keys, nkeys, now);
+ zone_keys, nkeys, now, ISC_TRUE);
if (result != ISC_R_SUCCESS) {
dns_zone_log(zone, ISC_LOG_ERROR,
"zone_resigninc:del_sigs -> %s",
dns_result_totext(result));
break;
}
+
result = add_sigs(db, version, name, covers, &sig_diff,
zone_keys, nkeys, zone->mctx, inception,
- expire, check_ksk);
+ expire, check_ksk, keyset_kskonly);
if (result != ISC_R_SUCCESS) {
dns_zone_log(zone, ISC_LOG_ERROR,
"zone_resigninc:add_sigs -> %s",
dns_result_totext(result));
break;
}
- result = dns_db_getsigningtime(db, &rdataset,
+ result = dns_db_getsigningtime(db, &rdataset,
dns_fixedname_name(&fixed));
if (nkeys == 0 && result == ISC_R_NOTFOUND) {
result = ISC_R_SUCCESS;
@@ -4049,7 +5026,7 @@ zone_resigninc(dns_zone_t *zone) {
goto failure;
result = del_sigs(zone, db, version, &zone->origin, dns_rdatatype_soa,
- &sig_diff, zone_keys, nkeys, now);
+ &sig_diff, zone_keys, nkeys, now, ISC_TRUE);
if (result != ISC_R_SUCCESS) {
dns_zone_log(zone, ISC_LOG_ERROR,
"zone_resigninc:del_sigs -> %s",
@@ -4057,6 +5034,13 @@ zone_resigninc(dns_zone_t *zone) {
goto failure;
}
+ /*
+ * Did we change anything in the zone?
+ */
+ if (ISC_LIST_EMPTY(sig_diff.tuples))
+ goto failure;
+
+ /* Increment SOA serial if we have made changes */
result = increment_soa_serial(db, version, &sig_diff, zone->mctx);
if (result != ISC_R_SUCCESS) {
dns_zone_log(zone, ISC_LOG_ERROR,
@@ -4071,7 +5055,7 @@ zone_resigninc(dns_zone_t *zone) {
*/
result = add_sigs(db, version, &zone->origin, dns_rdatatype_soa,
&sig_diff, zone_keys, nkeys, zone->mctx, inception,
- soaexpire, check_ksk);
+ soaexpire, check_ksk, keyset_kskonly);
if (result != ISC_R_SUCCESS) {
dns_zone_log(zone, ISC_LOG_ERROR,
"zone_resigninc:add_sigs -> %s",
@@ -4079,31 +5063,10 @@ zone_resigninc(dns_zone_t *zone) {
goto failure;
}
- journalfile = dns_zone_getjournal(zone);
- if (journalfile != NULL) {
- dns_journal_t *journal = NULL;
- result = dns_journal_open(zone->mctx, journalfile,
- ISC_TRUE, &journal);
- if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "zone_resigninc:dns_journal_open -> %s",
- dns_result_totext(result));
- goto failure;
- }
-
- result = dns_journal_write_transaction(journal, &sig_diff);
- dns_journal_destroy(&journal);
- if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "zone_resigninc:dns_journal_write_transaction -> %s",
- dns_result_totext(result));
- goto failure;
- }
- }
+ /* Write changes to journal file. */
+ CHECK(zone_journal(zone, &sig_diff, "zone_resigninc"));
- /*
- * Everything has succeeded. Commit the changes.
- */
+ /* Everything has succeeded. Commit the changes. */
dns_db_closeversion(db, &version, ISC_TRUE);
failure:
@@ -4170,16 +5133,6 @@ next_active(dns_db_t *db, dns_dbversion_t *version, dns_name_t *oldname,
return (result);
}
-static void
-set_bit(unsigned char *array, unsigned int index) {
- unsigned int shift, mask;
-
- shift = 7 - (index % 8);
- mask = 1 << shift;
-
- array[index / 8] |= mask;
-}
-
static isc_boolean_t
signed_with_key(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
dns_rdatatype_t type, dst_key_t *key)
@@ -4192,8 +5145,10 @@ signed_with_key(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
dns_rdataset_init(&rdataset);
result = dns_db_findrdataset(db, node, version, dns_rdatatype_rrsig,
type, 0, &rdataset, NULL);
- if (result != ISC_R_SUCCESS)
+ if (result != ISC_R_SUCCESS) {
+ INSIST(!dns_rdataset_isassociated(&rdataset));
return (ISC_FALSE);
+ }
for (result = dns_rdataset_first(&rdataset);
result == ISC_R_SUCCESS;
result = dns_rdataset_next(&rdataset)) {
@@ -4228,21 +5183,6 @@ add_nsec(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
CHECK(next_active(db, version, name, next, bottom));
CHECK(dns_nsec_buildrdata(db, version, node, next, nsecbuffer,
&rdata));
- if (dns_name_equal(dns_db_origin(db), name)) {
- /*
- * Set the OPT bit to indicate that this is a
- * partially secure zone.
- */
- isc_region_t region;
-
- dns_rdata_toregion(&rdata, &region);
- dns_name_fromregion(next, &region);
- isc_region_consume(&region, next->length);
- INSIST(region.length > (2 + dns_rdatatype_opt / 8) &&
- region.base[0] == 0 &&
- region.base[1] > dns_rdatatype_opt / 8);
- set_bit(region.base + 2, dns_rdatatype_opt);
- }
CHECK(update_one_rr(db, version, diff, DNS_DIFFOP_ADD, name, ttl,
&rdata));
failure:
@@ -4255,8 +5195,8 @@ sign_a_node(dns_db_t *db, dns_name_t *name, dns_dbnode_t *node,
isc_boolean_t build_nsec, dst_key_t *key,
isc_stdtime_t inception, isc_stdtime_t expire,
unsigned int minimum, isc_boolean_t is_ksk,
- isc_boolean_t *delegation, dns_diff_t *diff,
- isc_int32_t *signatures, isc_mem_t *mctx)
+ isc_boolean_t keyset_kskonly, isc_boolean_t *delegation,
+ dns_diff_t *diff, isc_int32_t *signatures, isc_mem_t *mctx)
{
isc_result_t result;
dns_rdatasetiter_t *iterator = NULL;
@@ -4274,6 +5214,7 @@ sign_a_node(dns_db_t *db, dns_name_t *name, dns_dbnode_t *node,
result = ISC_R_SUCCESS;
return (result);
}
+
dns_rdataset_init(&rdataset);
isc_buffer_init(&buffer, data, sizeof(data));
seen_rr = seen_soa = seen_ns = seen_dname = seen_nsec =
@@ -4294,7 +5235,8 @@ sign_a_node(dns_db_t *db, dns_name_t *name, dns_dbnode_t *node,
seen_nsec = ISC_TRUE;
else if (rdataset.type == dns_rdatatype_nsec3)
seen_nsec3 = ISC_TRUE;
- seen_rr = ISC_TRUE;
+ if (rdataset.type != dns_rdatatype_rrsig)
+ seen_rr = ISC_TRUE;
dns_rdataset_disassociate(&rdataset);
}
if (result != ISC_R_NOMORE)
@@ -4318,9 +5260,15 @@ sign_a_node(dns_db_t *db, dns_name_t *name, dns_dbnode_t *node,
if (build_nsec && !seen_nsec3 && !seen_nsec && seen_rr) {
/* Build and add NSEC. */
bottom = (seen_ns && !seen_soa) || seen_dname;
- CHECK(add_nsec(db, version, name, node, minimum, bottom, diff));
- /* Count a NSEC generation as a signature generation. */
- (*signatures)--;
+ /*
+ * Build a NSEC record except at the origin.
+ */
+ if (!dns_name_equal(name, dns_db_origin(db))) {
+ CHECK(add_nsec(db, version, name, node, minimum,
+ bottom, diff));
+ /* Count a NSEC generation as a signature generation. */
+ (*signatures)--;
+ }
}
result = dns_rdatasetiter_first(iterator);
while (result == ISC_R_SUCCESS) {
@@ -4328,7 +5276,10 @@ sign_a_node(dns_db_t *db, dns_name_t *name, dns_dbnode_t *node,
if (rdataset.type == dns_rdatatype_soa ||
rdataset.type == dns_rdatatype_rrsig)
goto next_rdataset;
- if (is_ksk && rdataset.type != dns_rdatatype_dnskey)
+ if (rdataset.type == dns_rdatatype_dnskey) {
+ if (!is_ksk && keyset_kskonly)
+ goto next_rdataset;
+ } else if (is_ksk)
goto next_rdataset;
if (*delegation &&
rdataset.type != dns_rdatatype_ds &&
@@ -4337,6 +5288,7 @@ sign_a_node(dns_db_t *db, dns_name_t *name, dns_dbnode_t *node,
if (signed_with_key(db, node, version, rdataset.type, key))
goto next_rdataset;
/* Calculate the signature, creating a RRSIG RDATA. */
+ isc_buffer_clear(&buffer);
CHECK(dns_dnssec_sign(name, &rdataset, key, &inception,
&expire, mctx, &buffer, &rdata));
/* Update the database and journal with the RRSIG. */
@@ -4353,7 +5305,7 @@ sign_a_node(dns_db_t *db, dns_name_t *name, dns_dbnode_t *node,
result = ISC_R_SUCCESS;
if (seen_dname)
*delegation = ISC_TRUE;
-failure:
+ failure:
if (dns_rdataset_isassociated(&rdataset))
dns_rdataset_disassociate(&rdataset);
if (iterator != NULL)
@@ -4361,63 +5313,45 @@ failure:
return (result);
}
+/*
+ * If 'update_only' is set then don't create a NSEC RRset if it doesn't exist.
+ */
static isc_result_t
updatesecure(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
- dns_ttl_t minimum, isc_boolean_t *secureupdated, dns_diff_t *diff)
+ dns_ttl_t minimum, isc_boolean_t update_only, dns_diff_t *diff)
{
isc_result_t result;
- dns_rdata_t rdata = DNS_RDATA_INIT;
- unsigned char nsecbuffer[DNS_NSEC_BUFFERSIZE];
dns_rdataset_t rdataset;
- dns_rdata_nsec_t nsec;
dns_dbnode_t *node = NULL;
- /*
- * Check to see if the OPT bit has already been cleared.
- */
CHECK(dns_db_getoriginnode(db, &node));
- dns_rdataset_init(&rdataset);
- CHECK(dns_db_findrdataset(db, node, version, dns_rdatatype_nsec,
- dns_rdatatype_none, 0, &rdataset, NULL));
- CHECK(dns_rdataset_first(&rdataset));
- dns_rdataset_current(&rdataset, &rdata);
-
- /*
- * Find the NEXT name for building the new record.
- */
- CHECK(dns_rdata_tostruct(&rdata, &nsec, NULL));
-
- /*
- * Delete the old NSEC record.
- */
- CHECK(update_one_rr(db, version, diff, DNS_DIFFOP_DEL, name, minimum,
- &rdata));
- dns_rdata_reset(&rdata);
-
- /*
- * Add the new NSEC record.
- */
- CHECK(dns_nsec_buildrdata(db, version, node, &nsec.next, nsecbuffer,
- &rdata));
- CHECK(update_one_rr(db, version, diff, DNS_DIFFOP_ADD, name, minimum,
- &rdata));
- dns_rdata_reset(&rdata);
-
- if (secureupdated != NULL)
- *secureupdated = ISC_TRUE;
-
+ if (update_only) {
+ dns_rdataset_init(&rdataset);
+ result = dns_db_findrdataset(db, node, version,
+ dns_rdatatype_nsec,
+ dns_rdatatype_none,
+ 0, &rdataset, NULL);
+ if (dns_rdataset_isassociated(&rdataset))
+ dns_rdataset_disassociate(&rdataset);
+ if (result == ISC_R_NOTFOUND)
+ goto success;
+ if (result != ISC_R_SUCCESS)
+ goto failure;
+ }
+ CHECK(delete_nsec(db, version, node, name, diff));
+ CHECK(add_nsec(db, version, name, node, minimum, ISC_FALSE, diff));
+ success:
+ result = ISC_R_SUCCESS;
failure:
if (node != NULL)
dns_db_detachnode(db, &node);
- if (dns_rdataset_isassociated(&rdataset))
- dns_rdataset_disassociate(&rdataset);
return (result);
}
static isc_result_t
-updatesignwithkey(dns_signing_t *signing, dns_dbversion_t *version,
- dns_name_t *name, dns_rdatatype_t privatetype,
- dns_diff_t *diff)
+updatesignwithkey(dns_zone_t *zone, dns_signing_t *signing,
+ dns_dbversion_t *version, isc_boolean_t build_nsec3,
+ dns_ttl_t minimum, dns_diff_t *diff)
{
isc_result_t result;
dns_dbnode_t *node = NULL;
@@ -4425,43 +5359,68 @@ updatesignwithkey(dns_signing_t *signing, dns_dbversion_t *version,
dns_rdata_t rdata = DNS_RDATA_INIT;
unsigned char data[5];
isc_boolean_t seen_done = ISC_FALSE;
+ isc_boolean_t have_rr = ISC_FALSE;
dns_rdataset_init(&rdataset);
result = dns_db_getoriginnode(signing->db, &node);
if (result != ISC_R_SUCCESS)
goto failure;
- result = dns_db_findrdataset(signing->db, node, version, privatetype,
- dns_rdatatype_none, 0, &rdataset, NULL);
+ result = dns_db_findrdataset(signing->db, node, version,
+ zone->privatetype, dns_rdatatype_none,
+ 0, &rdataset, NULL);
if (result == ISC_R_NOTFOUND) {
+ INSIST(!dns_rdataset_isassociated(&rdataset));
result = ISC_R_SUCCESS;
goto failure;
}
- if (result != ISC_R_SUCCESS)
+ if (result != ISC_R_SUCCESS) {
+ INSIST(!dns_rdataset_isassociated(&rdataset));
goto failure;
+ }
for (result = dns_rdataset_first(&rdataset);
result == ISC_R_SUCCESS;
result = dns_rdataset_next(&rdataset)) {
dns_rdataset_current(&rdataset, &rdata);
+ /*
+ * If we don't match the algorithm or keyid skip the record.
+ */
if (rdata.length != 5 ||
rdata.data[0] != signing->algorithm ||
rdata.data[1] != ((signing->keyid >> 8) & 0xff) ||
rdata.data[2] != (signing->keyid & 0xff)) {
+ have_rr = ISC_TRUE;
dns_rdata_reset(&rdata);
continue;
}
- if (!signing->delete && rdata.data[4] != 0)
+ /*
+ * We have a match. If we were signing (!signing->delete)
+ * and we already have a record indicating that we have
+ * finished signing (rdata.data[4] != 0) then keep it.
+ * Otherwise it needs to be deleted as we have removed all
+ * the signatures (signing->delete), so any record indicating
+ * completion is now out of date, or we have finished signing
+ * with the new record so we no longer need to remember that
+ * we need to sign the zone with the matching key across a
+ * nameserver re-start.
+ */
+ if (!signing->delete && rdata.data[4] != 0) {
seen_done = ISC_TRUE;
- else
+ have_rr = ISC_TRUE;
+ } else
CHECK(update_one_rr(signing->db, version, diff,
- DNS_DIFFOP_DEL, name,
+ DNS_DIFFOP_DEL, &zone->origin,
rdataset.ttl, &rdata));
dns_rdata_reset(&rdata);
}
if (result == ISC_R_NOMORE)
result = ISC_R_SUCCESS;
if (!signing->delete && !seen_done) {
-
+ /*
+ * If we were signing then we need to indicate that we have
+ * finished signing the zone with this key. If it is already
+ * there we don't need to add it a second time.
+ */
data[0] = signing->algorithm;
data[1] = (signing->keyid >> 8) & 0xff;
data[2] = signing->keyid & 0xff;
@@ -4469,11 +5428,23 @@ updatesignwithkey(dns_signing_t *signing, dns_dbversion_t *version,
data[4] = 1;
rdata.length = sizeof(data);
rdata.data = data;
- rdata.type = privatetype;
+ rdata.type = zone->privatetype;
rdata.rdclass = dns_db_class(signing->db);
CHECK(update_one_rr(signing->db, version, diff, DNS_DIFFOP_ADD,
- name, rdataset.ttl, &rdata));
+ &zone->origin, rdataset.ttl, &rdata));
+ } else if (!have_rr) {
+ dns_name_t *origin = dns_db_origin(signing->db);
+ /*
+ * Rebuild the NSEC/NSEC3 record for the origin as we no
+ * longer have any private records.
+ */
+ if (build_nsec3)
+ CHECK(dns_nsec3_addnsec3s(signing->db, version, origin,
+ minimum, ISC_FALSE, diff));
+ CHECK(updatesecure(signing->db, version, origin, minimum,
+ ISC_TRUE, diff));
}
+
failure:
if (dns_rdataset_isassociated(&rdataset))
dns_rdataset_disassociate(&rdataset);
@@ -4482,9 +5453,15 @@ updatesignwithkey(dns_signing_t *signing, dns_dbversion_t *version,
return (result);
}
+/*
+ * If 'active' is set then we are not done with the chain yet so only
+ * delete the nsec3param record which indicates a full chain exists
+ * (flags == 0).
+ */
static isc_result_t
fixup_nsec3param(dns_db_t *db, dns_dbversion_t *ver, dns_nsec3chain_t *chain,
- isc_boolean_t active, dns_diff_t *diff)
+ isc_boolean_t active, dns_rdatatype_t privatetype,
+ dns_diff_t *diff)
{
dns_dbnode_t *node = NULL;
dns_name_t *name = dns_db_origin(db);
@@ -4503,7 +5480,7 @@ fixup_nsec3param(dns_db_t *db, dns_dbversion_t *ver, dns_nsec3chain_t *chain,
result = dns_db_findrdataset(db, node, ver, dns_rdatatype_nsec3param,
0, 0, &rdataset, NULL);
if (result == ISC_R_NOTFOUND)
- goto add;
+ goto try_private;
if (result != ISC_R_SUCCESS)
goto failure;
@@ -4539,6 +5516,50 @@ fixup_nsec3param(dns_db_t *db, dns_dbversion_t *ver, dns_nsec3chain_t *chain,
if (result != ISC_R_NOMORE)
goto failure;
+ dns_rdataset_disassociate(&rdataset);
+
+ try_private:
+
+ if (active)
+ goto add;
+ /*
+ * Delete all private records which match that in nsec3chain.
+ */
+ result = dns_db_findrdataset(db, node, ver, privatetype,
+ 0, 0, &rdataset, NULL);
+ if (result == ISC_R_NOTFOUND)
+ goto add;
+ if (result != ISC_R_SUCCESS)
+ goto failure;
+
+ for (result = dns_rdataset_first(&rdataset);
+ result == ISC_R_SUCCESS;
+ result = dns_rdataset_next(&rdataset)) {
+ dns_rdata_t private = DNS_RDATA_INIT;
+ unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];
+
+ dns_rdataset_current(&rdataset, &private);
+ if (!dns_nsec3param_fromprivate(&private, &rdata,
+ buf, sizeof(buf)))
+ continue;
+ CHECK(dns_rdata_tostruct(&rdata, &nsec3param, NULL));
+
+ if (nsec3param.hash != chain->nsec3param.hash ||
+ nsec3param.iterations != chain->nsec3param.iterations ||
+ nsec3param.salt_length != chain->nsec3param.salt_length ||
+ memcmp(nsec3param.salt, chain->nsec3param.salt,
+ nsec3param.salt_length)) {
+ dns_rdata_reset(&rdata);
+ continue;
+ }
+
+ CHECK(update_one_rr(db, ver, diff, DNS_DIFFOP_DEL,
+ name, rdataset.ttl, &private));
+ dns_rdata_reset(&rdata);
+ }
+ if (result != ISC_R_NOMORE)
+ goto failure;
+
add:
if ((chain->nsec3param.flags & DNS_NSEC3FLAG_REMOVE) != 0) {
result = ISC_R_SUCCESS;
@@ -4639,7 +5660,7 @@ deletematchingnsec3(dns_db_t *db, dns_dbversion_t *ver, dns_dbnode_t *node,
static isc_result_t
need_nsec_chain(dns_db_t *db, dns_dbversion_t *ver,
const dns_rdata_nsec3param_t *param,
- isc_boolean_t *answer, isc_boolean_t *updatensec)
+ isc_boolean_t *answer)
{
dns_dbnode_t *node = NULL;
dns_rdata_t rdata = DNS_RDATA_INIT;
@@ -4653,29 +5674,19 @@ need_nsec_chain(dns_db_t *db, dns_dbversion_t *ver,
RUNTIME_CHECK(result == ISC_R_SUCCESS);
dns_rdataset_init(&rdataset);
+
result = dns_db_findrdataset(db, node, ver, dns_rdatatype_nsec,
0, 0, &rdataset, NULL);
- if (result == ISC_R_NOTFOUND)
- goto check_nsec3param;
-
- if (result != ISC_R_SUCCESS)
- goto failure;
-
- CHECK(dns_rdataset_first(&rdataset));
- dns_rdataset_current(&rdataset, &rdata);
-
- if (!dns_nsec_typepresent(&rdata, dns_rdatatype_opt)) {
- /*
- * We have a complete NSEC chain. Signal to update
- * the apex NSEC record.
- */
- *updatensec = ISC_TRUE;
- goto failure;
+ if (result == ISC_R_SUCCESS) {
+ dns_rdataset_disassociate(&rdataset);
+ dns_db_detachnode(db, &node);
+ return (result);
+ }
+ if (result != ISC_R_NOTFOUND) {
+ dns_db_detachnode(db, &node);
+ return (result);
}
- dns_rdataset_disassociate(&rdataset);
- dns_rdata_reset(&rdata);
- check_nsec3param:
result = dns_db_findrdataset(db, node, ver, dns_rdatatype_nsec3param,
0, 0, &rdataset, NULL);
if (result == ISC_R_NOTFOUND) {
@@ -4724,13 +5735,60 @@ need_nsec_chain(dns_db_t *db, dns_dbversion_t *ver,
return (result);
}
+static isc_result_t
+update_sigs(dns_diff_t *diff, dns_db_t *db, dns_dbversion_t *version,
+ dst_key_t *zone_keys[], unsigned int nkeys, dns_zone_t *zone,
+ isc_stdtime_t inception, isc_stdtime_t expire, isc_stdtime_t now,
+ isc_boolean_t check_ksk, isc_boolean_t keyset_kskonly,
+ dns_diff_t *sig_diff)
+{
+ dns_difftuple_t *tuple;
+ isc_result_t result;
+
+ for (tuple = ISC_LIST_HEAD(diff->tuples);
+ tuple != NULL;
+ tuple = ISC_LIST_HEAD(diff->tuples)) {
+ result = del_sigs(zone, db, version, &tuple->name,
+ tuple->rdata.type, sig_diff,
+ zone_keys, nkeys, now, ISC_FALSE);
+ if (result != ISC_R_SUCCESS) {
+ dns_zone_log(zone, ISC_LOG_ERROR,
+ "update_sigs:del_sigs -> %s",
+ dns_result_totext(result));
+ return (result);
+ }
+ result = add_sigs(db, version, &tuple->name,
+ tuple->rdata.type, sig_diff,
+ zone_keys, nkeys, zone->mctx, inception,
+ expire, check_ksk, keyset_kskonly);
+ if (result != ISC_R_SUCCESS) {
+ dns_zone_log(zone, ISC_LOG_ERROR,
+ "update_sigs:add_sigs -> %s",
+ dns_result_totext(result));
+ return (result);
+ }
+
+ do {
+ dns_difftuple_t *next = ISC_LIST_NEXT(tuple, link);
+ while (next != NULL &&
+ (tuple->rdata.type != next->rdata.type ||
+ !dns_name_equal(&tuple->name, &next->name)))
+ next = ISC_LIST_NEXT(next, link);
+ ISC_LIST_UNLINK(diff->tuples, tuple, link);
+ dns_diff_appendminimal(sig_diff, &tuple);
+ INSIST(tuple == NULL);
+ tuple = next;
+ } while (tuple != NULL);
+ }
+ return (ISC_R_SUCCESS);
+}
+
/*
* Incrementally build and sign a new NSEC3 chain using the parameters
* requested.
*/
static void
zone_nsec3chain(dns_zone_t *zone) {
- const char *journalfile;
dns_db_t *db = NULL;
dns_dbnode_t *node = NULL;
dns_dbversion_t *version = NULL;
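Review bot: update_sigs() is added without a header comment, and its contract is not obvious from the signature. The outer loop re-reads `ISC_LIST_HEAD(diff->tuples)` until the list is empty, so the function drains `diff` and moves every tuple into `sig_diff`, re-signing each distinct name/type pair once. An early `return (result)` leaves `diff` partially drained. I would document that above the function, for example `/* Re-sign each (name, type) touched by 'diff'; tuples are moved from 'diff' to 'sig_diff'. On error 'diff' may be left partially consumed. */`. The callers in zone_nsec3chain and zone_sign log the failure again after update_sigs has already logged it, so one of the two messages could be dropped.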
@@ -4746,7 +5804,7 @@ zone_nsec3chain(dns_zone_t *zone) {
dns_nsec3chainlist_t cleanup;
dst_key_t *zone_keys[DNS_MAXZONEKEYS];
isc_int32_t signatures;
- isc_boolean_t check_ksk;
+ isc_boolean_t check_ksk, keyset_kskonly;
isc_boolean_t delegation;
isc_boolean_t first;
isc_result_t result;
@@ -4759,9 +5817,9 @@ zone_nsec3chain(dns_zone_t *zone) {
isc_boolean_t seen_soa, seen_ns, seen_dname, seen_ds;
isc_boolean_t seen_nsec, seen_nsec3, seen_rr;
dns_rdatasetiter_t *iterator = NULL;
- dns_difftuple_t *tuple;
isc_boolean_t buildnsecchain;
isc_boolean_t updatensec = ISC_FALSE;
+ dns_rdatatype_t privatetype = zone->privatetype;
dns_rdataset_init(&rdataset);
dns_fixedname_init(&fixed);
@@ -4817,8 +5875,7 @@ zone_nsec3chain(dns_zone_t *zone) {
expire = soaexpire - jitter % 3600;
check_ksk = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_UPDATECHECKKSK);
- if (check_ksk)
- check_ksk = ksk_sanity(db, version);
+ keyset_kskonly = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_DNSKEYKSKONLY);
/*
* We keep pulling nodes off each iterator in turn until
@@ -4861,19 +5918,19 @@ zone_nsec3chain(dns_zone_t *zone) {
if (NSEC3REMOVE(nsec3chain->nsec3param.flags))
goto next_addchain;
- delegation = ISC_FALSE;
dns_dbiterator_current(nsec3chain->dbiterator, &node, name);
if (nsec3chain->delete_nsec) {
+ delegation = ISC_FALSE;
dns_dbiterator_pause(nsec3chain->dbiterator);
CHECK(delete_nsec(db, version, node, name, &nsec_diff));
goto next_addnode;
}
-
/*
* On the first pass we need to check if the current node
* has not been obscured.
*/
+ delegation = ISC_FALSE;
unsecure = ISC_FALSE;
if (first) {
dns_fixedname_t ffound;
@@ -4940,9 +5997,17 @@ zone_nsec3chain(dns_zone_t *zone) {
* Process one node.
*/
dns_dbiterator_pause(nsec3chain->dbiterator);
- CHECK(dns_nsec3_addnsec3(db, version, name,
- &nsec3chain->nsec3param,
- zone->minimum, unsecure, &nsec3_diff));
+ result = dns_nsec3_addnsec3(db, version, name,
+ &nsec3chain->nsec3param,
+ zone->minimum, unsecure,
+ &nsec3_diff);
+ if (result != ISC_R_SUCCESS) {
+ dns_zone_log(zone, ISC_LOG_ERROR, "zone_nsec3chain:"
+ "dns_nsec3_addnsec3 -> %s",
+ dns_result_totext(result));
+ goto failure;
+ }
+
/*
* Treat each call to dns_nsec3_addnsec3() as if it's cost is
* two signatures. Additionally there will, in general, be
@@ -4964,7 +6029,8 @@ zone_nsec3chain(dns_zone_t *zone) {
if (result == ISC_R_NOMORE && nsec3chain->delete_nsec) {
CHECK(fixup_nsec3param(db, version, nsec3chain,
- ISC_FALSE, &param_diff));
+ ISC_FALSE, privatetype,
+ &param_diff));
LOCK_ZONE(zone);
ISC_LIST_UNLINK(zone->nsec3chain, nsec3chain,
link);
@@ -4978,12 +6044,14 @@ zone_nsec3chain(dns_zone_t *zone) {
CHECK(fixup_nsec3param(db, version,
nsec3chain,
ISC_TRUE,
+ privatetype,
&param_diff));
nsec3chain->delete_nsec = ISC_TRUE;
goto same_addchain;
}
CHECK(fixup_nsec3param(db, version, nsec3chain,
- ISC_FALSE, &param_diff));
+ ISC_FALSE, privatetype,
+ &param_diff));
LOCK_ZONE(zone);
ISC_LIST_UNLINK(zone->nsec3chain, nsec3chain,
link);
@@ -5044,10 +6112,22 @@ zone_nsec3chain(dns_zone_t *zone) {
* of removing this NSEC3 chain.
*/
if (first && !updatensec &&
- (nsec3chain->nsec3param.flags & DNS_NSEC3FLAG_NONSEC) == 0)
- CHECK(need_nsec_chain(db, version,
- &nsec3chain->nsec3param,
- &buildnsecchain, &updatensec));
+ (nsec3chain->nsec3param.flags & DNS_NSEC3FLAG_NONSEC) == 0) {
+ result = need_nsec_chain(db, version,
+ &nsec3chain->nsec3param,
+ &buildnsecchain);
+ if (result != ISC_R_SUCCESS) {
+ dns_zone_log(zone, ISC_LOG_ERROR,
+ "zone_nsec3chain:"
+ "need_nsec_chain -> %s",
+ dns_result_totext(result));
+ goto failure;
+ }
+ }
+
+ if (first)
+ dns_zone_log(zone, ISC_LOG_DEBUG(3), "zone_nsec3chain:"
+ "buildnsecchain = %u\n", buildnsecchain);
dns_dbiterator_current(nsec3chain->dbiterator, &node, name);
delegation = ISC_FALSE;
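Review bot: The debug call added at the end of this hunk ends its format string with `\n`, which no other dns_zone_log call in this commit does, so it will likely leave a stray blank line in the log. It also prints an isc_boolean_t with `%u`; `"buildnsecchain = %s", buildnsecchain ? "true" : "false"` would read better. The message is emitted whenever `first` is set, including iterations where the guarded need_nsec_chain() call just above was skipped. It therefore relies on `buildnsecchain` having been assigned earlier in zone_nsec3chain, which is outside the hunk and should be confirmed, since the declaration shown in this commit has no initialiser.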
@@ -5056,16 +6136,33 @@ zone_nsec3chain(dns_zone_t *zone) {
/*
* Delete the NSECPARAM record that matches this chain.
*/
- if (first)
- CHECK(fixup_nsec3param(db, version, nsec3chain,
- ISC_TRUE, &param_diff));
+ if (first) {
+ result = fixup_nsec3param(db, version,
+ nsec3chain,
+ ISC_TRUE, privatetype,
+ &param_diff);
+ if (result != ISC_R_SUCCESS) {
+ dns_zone_log(zone, ISC_LOG_ERROR,
+ "zone_nsec3chain:"
+ "fixup_nsec3param -> %s",
+ dns_result_totext(result));
+ goto failure;
+ }
+ }
/*
* Delete the NSEC3 records.
*/
- CHECK(deletematchingnsec3(db, version, node, name,
- &nsec3chain->nsec3param,
- &nsec3_diff));
+ result = deletematchingnsec3(db, version, node, name,
+ &nsec3chain->nsec3param,
+ &nsec3_diff);
+ if (result != ISC_R_SUCCESS) {
+ dns_zone_log(zone, ISC_LOG_ERROR,
+ "zone_nsec3chain:"
+ "deletematchingnsec3 -> %s",
+ dns_result_totext(result));
+ goto failure;
+ }
goto next_removenode;
}
@@ -5116,7 +6213,8 @@ zone_nsec3chain(dns_zone_t *zone) {
seen_nsec = ISC_TRUE;
else if (rdataset.type == dns_rdatatype_nsec3)
seen_nsec3 = ISC_TRUE;
- seen_rr = ISC_TRUE;
+ if (rdataset.type != dns_rdatatype_rrsig)
+ seen_rr = ISC_TRUE;
dns_rdataset_disassociate(&rdataset);
}
dns_rdatasetiter_destroy(&iterator);
@@ -5126,8 +6224,14 @@ zone_nsec3chain(dns_zone_t *zone) {
if ((seen_ns && !seen_soa) || seen_dname)
delegation = ISC_TRUE;
- CHECK(add_nsec(db, version, name, node, zone->minimum,
- delegation, &nsec_diff));
+ /*
+ * Add a NSEC record except at the origin.
+ */
+ if (!dns_name_equal(name, dns_db_origin(db))) {
+ dns_dbiterator_pause(nsec3chain->dbiterator);
+ CHECK(add_nsec(db, version, name, node, zone->minimum,
+ delegation, &nsec_diff));
+ }
next_removenode:
first = ISC_FALSE;
@@ -5149,8 +6253,17 @@ zone_nsec3chain(dns_zone_t *zone) {
UNLOCK_ZONE(zone);
ISC_LIST_APPEND(cleanup, nsec3chain, link);
dns_dbiterator_pause(nsec3chain->dbiterator);
- CHECK(fixup_nsec3param(db, version, nsec3chain,
- ISC_FALSE, &param_diff));
+ result = fixup_nsec3param(db, version,
+ nsec3chain, ISC_FALSE,
+ privatetype,
+ &param_diff);
+ if (result != ISC_R_SUCCESS) {
+ dns_zone_log(zone, ISC_LOG_ERROR,
+ "zone_nsec3chain:"
+ "fixup_nsec3param -> %s",
+ dns_result_totext(result));
+ goto failure;
+ }
goto next_removechain;
} else if (result != ISC_R_SUCCESS) {
dns_zone_log(zone, ISC_LOG_ERROR,
@@ -5182,107 +6295,107 @@ zone_nsec3chain(dns_zone_t *zone) {
}
/*
- * Add / update signatures for the NSEC3 records.
+ * We may need to update the NSEC/NSEC3 records for the zone apex.
*/
- for (tuple = ISC_LIST_HEAD(nsec3_diff.tuples);
- tuple != NULL;
- tuple = ISC_LIST_HEAD(nsec3_diff.tuples)) {
- /*
- * We have changed the NSEC3 RRset above so we need to update
- * the signatures.
- */
- result = del_sigs(zone, db, version, &tuple->name,
- dns_rdatatype_nsec3, &sig_diff,
- zone_keys, nkeys, now);
+ if (!ISC_LIST_EMPTY(param_diff.tuples)) {
+ isc_boolean_t rebuild_nsec = ISC_FALSE,
+ rebuild_nsec3 = ISC_FALSE;
+ result = dns_db_getoriginnode(db, &node);
+ RUNTIME_CHECK(result == ISC_R_SUCCESS);
+ result = dns_db_allrdatasets(db, node, version, 0, &iterator);
if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "zone_nsec3chain:del_sigs -> %s",
+ dns_zone_log(zone, ISC_LOG_ERROR, "zone_nsec3chain:"
+ "dns_db_allrdatasets -> %s",
dns_result_totext(result));
goto failure;
}
- result = add_sigs(db, version, &tuple->name,
- dns_rdatatype_nsec3, &sig_diff, zone_keys,
- nkeys, zone->mctx, inception, expire,
- check_ksk);
- if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "zone_nsec3chain:add_sigs -> %s",
- dns_result_totext(result));
- goto failure;
+ for (result = dns_rdatasetiter_first(iterator);
+ result == ISC_R_SUCCESS;
+ result = dns_rdatasetiter_next(iterator)) {
+ dns_rdatasetiter_current(iterator, &rdataset);
+ if (rdataset.type == dns_rdatatype_nsec)
+ rebuild_nsec = ISC_TRUE;
+ if (rdataset.type == dns_rdatatype_nsec3param)
+ rebuild_nsec3 = ISC_TRUE;
+ dns_rdataset_disassociate(&rdataset);
}
+ dns_rdatasetiter_destroy(&iterator);
+ dns_db_detachnode(db, &node);
- do {
- dns_difftuple_t *next = ISC_LIST_NEXT(tuple, link);
- while (next != NULL &&
- !dns_name_equal(&tuple->name, &next->name))
- next = ISC_LIST_NEXT(next, link);
- ISC_LIST_UNLINK(nsec3_diff.tuples, tuple, link);
- dns_diff_appendminimal(&sig_diff, &tuple);
- INSIST(tuple == NULL);
- tuple = next;
- } while (tuple != NULL);
- }
-
- for (tuple = ISC_LIST_HEAD(param_diff.tuples);
- tuple != NULL;
- tuple = ISC_LIST_HEAD(param_diff.tuples)) {
- /*
- * We have changed the NSEC3PARAM RRset above so we need to
- * update the signatures.
- */
- result = del_sigs(zone, db, version, &tuple->name,
- dns_rdatatype_nsec3param, &sig_diff,
- zone_keys, nkeys, now);
- if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "zone_nsec3chain:del_sigs -> %s",
- dns_result_totext(result));
- goto failure;
+ if (rebuild_nsec) {
+ if (nsec3chain != NULL)
+ dns_dbiterator_pause(nsec3chain->dbiterator);
+ result = updatesecure(db, version, &zone->origin,
+ zone->minimum, ISC_TRUE,
+ &nsec_diff);
+ if (result != ISC_R_SUCCESS) {
+ dns_zone_log(zone, ISC_LOG_ERROR,
+ "zone_nsec3chain:"
+ "updatesecure -> %s",
+ dns_result_totext(result));
+ goto failure;
+ }
}
- result = add_sigs(db, version, &tuple->name,
- dns_rdatatype_nsec3param, &sig_diff,
- zone_keys, nkeys, zone->mctx, inception,
- expire, check_ksk);
- if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "zone_nsec3chain:add_sigs -> %s",
- dns_result_totext(result));
- goto failure;
+ if (rebuild_nsec3) {
+ result = dns_nsec3_addnsec3s(db, version,
+ dns_db_origin(db),
+ zone->minimum, ISC_FALSE,
+ &nsec3_diff);
+ if (result != ISC_R_SUCCESS) {
+ dns_zone_log(zone, ISC_LOG_ERROR,
+ "zone_nsec3chain:"
+ "dns_nsec3_addnsec3s -> %s",
+ dns_result_totext(result));
+ goto failure;
+ }
}
- ISC_LIST_UNLINK(param_diff.tuples, tuple, link);
- dns_diff_appendminimal(&sig_diff, &tuple);
- INSIST(tuple == NULL);
}
- if (updatensec)
- CHECK(updatesecure(db, version, &zone->origin, zone->minimum,
- NULL, &nsec_diff));
+ /*
+ * Add / update signatures for the NSEC3 records.
+ */
+ result = update_sigs(&nsec3_diff, db, version, zone_keys,
+ nkeys, zone, inception, expire, now,
+ check_ksk, keyset_kskonly, &sig_diff);
+ if (result != ISC_R_SUCCESS) {
+ dns_zone_log(zone, ISC_LOG_ERROR, "zone_nsec3chain:"
+ "update_sigs -> %s", dns_result_totext(result));
+ goto failure;
+ }
- for (tuple = ISC_LIST_HEAD(nsec_diff.tuples);
- tuple != NULL;
- tuple = ISC_LIST_HEAD(nsec_diff.tuples)) {
- result = del_sigs(zone, db, version, &tuple->name,
- dns_rdatatype_nsec, &sig_diff,
- zone_keys, nkeys, now);
- if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "zone_nsec3chain:del_sigs -> %s",
- dns_result_totext(result));
- goto failure;
- }
- result = add_sigs(db, version, &tuple->name,
- dns_rdatatype_nsec, &sig_diff,
- zone_keys, nkeys, zone->mctx, inception,
- expire, check_ksk);
+ /*
+ * We have changed the NSEC3PARAM or private RRsets
+ * above so we need to update the signatures.
+ */
+ result = update_sigs(&param_diff, db, version, zone_keys,
+ nkeys, zone, inception, expire, now,
+ check_ksk, keyset_kskonly, &sig_diff);
+ if (result != ISC_R_SUCCESS) {
+ dns_zone_log(zone, ISC_LOG_ERROR, "zone_nsec3chain:"
+ "update_sigs -> %s", dns_result_totext(result));
+ goto failure;
+ }
+
+ if (updatensec) {
+ if (nsec3chain != NULL)
+ dns_dbiterator_pause(nsec3chain->dbiterator);
+ result = updatesecure(db, version, &zone->origin,
+ zone->minimum, ISC_FALSE, &nsec_diff);
if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "zone_nsec3chain:add_sigs -> %s",
+ dns_zone_log(zone, ISC_LOG_ERROR, "zone_nsec3chain:"
+ "updatesecure -> %s",
dns_result_totext(result));
goto failure;
}
- ISC_LIST_UNLINK(nsec_diff.tuples, tuple, link);
- dns_diff_appendminimal(&sig_diff, &tuple);
- INSIST(tuple == NULL);
+ }
+
+ result = update_sigs(&nsec_diff, db, version, zone_keys,
+ nkeys, zone, inception, expire, now,
+ check_ksk, keyset_kskonly, &sig_diff);
+ if (result != ISC_R_SUCCESS) {
+ dns_zone_log(zone, ISC_LOG_ERROR, "zone_nsec3chain:"
+ "update_sigs -> %s", dns_result_totext(result));
+ goto failure;
}
/*
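Review bot: The new apex scan does not check how the rdataset iterator terminated. The loop `for (result = dns_rdatasetiter_first(iterator); result == ISC_R_SUCCESS; ...)` exits on any non-success value, and the code then goes straight to `dns_rdatasetiter_destroy` and the `rebuild_nsec`/`rebuild_nsec3` tests. An iterator error is therefore treated the same as a normal end, and the apex NSEC/NSEC3 rebuild can be skipped silently, leaving the denial-of-existence chain for the apex stale while the rest of the function goes on to sign. Elsewhere in this commit the same loop shape is followed by an explicit check, so I would add `if (result != ISC_R_NOMORE) goto failure;` right after `dns_db_detachnode(db, &node);`. zone_nsec3chain starts and ends outside this hunk.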
@@ -5293,7 +6406,7 @@ zone_nsec3chain(dns_zone_t *zone) {
goto done;
result = del_sigs(zone, db, version, &zone->origin, dns_rdatatype_soa,
- &sig_diff, zone_keys, nkeys, now);
+ &sig_diff, zone_keys, nkeys, now, ISC_FALSE);
if (result != ISC_R_SUCCESS) {
dns_zone_log(zone, ISC_LOG_ERROR, "zone_nsec3chain:"
"del_sigs -> %s", dns_result_totext(result));
@@ -5310,34 +6423,15 @@ zone_nsec3chain(dns_zone_t *zone) {
result = add_sigs(db, version, &zone->origin, dns_rdatatype_soa,
&sig_diff, zone_keys, nkeys, zone->mctx, inception,
- soaexpire, check_ksk);
+ soaexpire, check_ksk, keyset_kskonly);
if (result != ISC_R_SUCCESS) {
dns_zone_log(zone, ISC_LOG_ERROR, "zone_nsec3chain:"
"add_sigs -> %s", dns_result_totext(result));
goto failure;
}
- journalfile = dns_zone_getjournal(zone);
- if (journalfile != NULL) {
- dns_journal_t *journal = NULL;
- result = dns_journal_open(zone->mctx, journalfile,
- ISC_TRUE, &journal);
- if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR, "zone_nsec3chain:"
- "dns_journal_open -> %s",
- dns_result_totext(result));
- goto failure;
- }
-
- result = dns_journal_write_transaction(journal, &sig_diff);
- dns_journal_destroy(&journal);
- if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR, "zone_nsec3chain:"
- "dns_journal_write_transaction -> %s",
- dns_result_totext(result));
- goto failure;
- }
- }
+ /* Write changes to journal file. */
+ CHECK(zone_journal(zone, &sig_diff, "zone_nsec3chain"));
LOCK_ZONE(zone);
zone_needdump(zone, DNS_DUMP_DELAY);
@@ -5375,6 +6469,9 @@ zone_nsec3chain(dns_zone_t *zone) {
set_resigntime(zone);
failure:
+ if (result != ISC_R_SUCCESS)
+ dns_zone_log(zone, ISC_LOG_ERROR, "zone_nsec3chain: %s",
+ dns_result_totext(result));
/*
* On error roll back the current nsec3chain.
*/
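Review bot: The catch-all `dns_zone_log(zone, ISC_LOG_ERROR, "zone_nsec3chain: %s", ...)` added under `failure:` repeats errors that the call sites already report. Every `goto failure` this commit introduces in zone_nsec3chain is preceded by its own ERROR message naming the failing call, and update_sigs() logs once more inside, so one failure can produce three ERROR lines. Duplicate records make it harder to count distinct signing failures when triaging logs. Either keep this generic message and let the call sites go back to `CHECK(...)`, or restrict it to paths that have not logged. The rest of the failure handling is outside the hunk.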
@@ -5431,6 +6528,8 @@ zone_nsec3chain(dns_zone_t *zone) {
for (i = 0; i < nkeys; i++)
dst_key_free(&zone_keys[i]);
+ if (node != NULL)
+ dns_db_detachnode(db, &node);
if (version != NULL) {
dns_db_closeversion(db, &version, ISC_FALSE);
dns_db_detach(&db);
@@ -5523,11 +6622,11 @@ del_sig(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
*/
static void
zone_sign(dns_zone_t *zone) {
- const char *journalfile;
dns_db_t *db = NULL;
dns_dbnode_t *node = NULL;
dns_dbversion_t *version = NULL;
dns_diff_t sig_diff;
+ dns_diff_t post_diff;
dns_fixedname_t fixed;
dns_fixedname_t nextfixed;
dns_name_t *name, *nextname;
@@ -5536,17 +6635,16 @@ zone_sign(dns_zone_t *zone) {
dns_signinglist_t cleanup;
dst_key_t *zone_keys[DNS_MAXZONEKEYS];
isc_int32_t signatures;
- isc_boolean_t check_ksk, is_ksk;
+ isc_boolean_t check_ksk, keyset_kskonly, is_ksk;
isc_boolean_t commit = ISC_FALSE;
isc_boolean_t delegation;
- isc_boolean_t finishedakey = ISC_FALSE;
- isc_boolean_t secureupdated = ISC_FALSE;
- isc_boolean_t build_nsec3 = ISC_FALSE, build_nsec = ISC_FALSE;
+ isc_boolean_t build_nsec = ISC_FALSE;
+ isc_boolean_t build_nsec3 = ISC_FALSE;
isc_boolean_t first;
isc_result_t result;
isc_stdtime_t now, inception, soaexpire, expire;
isc_uint32_t jitter;
- unsigned int i;
+ unsigned int i, j;
unsigned int nkeys = 0;
isc_uint32_t nodes;
@@ -5557,6 +6655,7 @@ zone_sign(dns_zone_t *zone) {
nextname = dns_fixedname_name(&nextfixed);
dns_diff_init(zone->mctx, &sig_diff);
sig_diff.resign = zone->sigresigninginterval;
+ dns_diff_init(zone->mctx, &post_diff);
ISC_LIST_INIT(cleanup);
/*
@@ -5600,10 +6699,6 @@ zone_sign(dns_zone_t *zone) {
isc_random_get(&jitter);
expire = soaexpire - jitter % 3600;
- check_ksk = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_UPDATECHECKKSK);
- if (check_ksk)
- check_ksk = ksk_sanity(db, version);
-
/*
* We keep pulling nodes off each iterator in turn until
* we have no more nodes to pull off or we reach the limits
@@ -5613,39 +6708,17 @@ zone_sign(dns_zone_t *zone) {
signatures = zone->signatures;
signing = ISC_LIST_HEAD(zone->signing);
first = ISC_TRUE;
- /*
- * See if we have a NSEC chain.
- */
- result = dns_db_getoriginnode(db, &node);
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
- result = dns_db_findrdataset(db, node, version, dns_rdatatype_nsec,
- dns_rdatatype_none, 0, &rdataset, NULL);
- dns_db_detachnode(db, &node);
- if (result == ISC_R_SUCCESS) {
+
+ check_ksk = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_UPDATECHECKKSK);
+ keyset_kskonly = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_DNSKEYKSKONLY);
+
+ /* Determine which type of chain to build */
+ CHECK(dns_private_chains(db, version, zone->privatetype,
+ &build_nsec, &build_nsec3));
+
+ /* If neither chain is found, default to NSEC */
+ if (!build_nsec && !build_nsec3)
build_nsec = ISC_TRUE;
- dns_rdataset_disassociate(&rdataset);
- } else if (result != ISC_R_NOTFOUND) {
- goto failure;
- } else {
- /*
- * No NSEC chain present.
- * See if we need to build a NSEC3 chain?
- */
- result = dns_nsec3_active(db, version, ISC_TRUE, &build_nsec3);
- if (result == ISC_R_SUCCESS) {
- if (build_nsec3)
- build_nsec3 = ISC_FALSE;
- else {
- result = dns_nsec3_active(db, version,
- ISC_FALSE,
- &build_nsec3);
- if (build_nsec3)
- secureupdated = ISC_TRUE;
- else
- build_nsec = ISC_TRUE;
- }
- }
- }
while (signing != NULL && nodes-- > 0 && signatures > 0) {
nextsigning = ISC_LIST_NEXT(signing, link);
@@ -5653,7 +6726,7 @@ zone_sign(dns_zone_t *zone) {
ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
if (signing->done || signing->db != zone->db) {
/*
- * The zone has been reloaded. We will have
+ * The zone has been reloaded. We will have
* created new signings as part of the reload
* process so we can destroy this one.
*/
@@ -5667,9 +6740,29 @@ zone_sign(dns_zone_t *zone) {
if (signing->db != db)
goto next_signing;
- is_ksk = ISC_FALSE;
delegation = ISC_FALSE;
+ if (first && signing->delete) {
+ /*
+ * Remove the key we are deleting from consideration.
+ */
+ for (i = 0, j = 0; i < nkeys; i++) {
+ /*
+ * Find the key we want to remove.
+ */
+ if (ALG(zone_keys[i]) == signing->algorithm &&
+ dst_key_id(zone_keys[i]) == signing->keyid)
+ {
+ if (KSK(zone_keys[i]))
+ dst_key_free(&zone_keys[i]);
+ continue;
+ }
+ zone_keys[j] = zone_keys[i];
+ j++;
+ }
+ nkeys = j;
+ }
+
dns_dbiterator_current(signing->dbiterator, &node, name);
if (signing->delete) {
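Review bot: In the added key-removal loop a matching key is released only when `KSK(zone_keys[i])` is true; a matching non-KSK key is dropped by the `continue` without `dst_key_free`. Because `nkeys` is then lowered to `j`, the later cleanup loop `for (i = 0; i < nkeys; i++) dst_key_free(&zone_keys[i]);` in zone_sign never reaches that key. Unless it is owned elsewhere, which these lines do not show, the key object and any private key material it holds stay allocated after the signing pass. If the asymmetry is deliberate, a comment should say why; otherwise call `dst_key_free(&zone_keys[i]);` unconditionally before the `continue`. zone_sign begins and ends outside this hunk.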
@@ -5677,8 +6770,8 @@ zone_sign(dns_zone_t *zone) {
CHECK(del_sig(db, version, name, node, nkeys,
signing->algorithm, signing->keyid,
&sig_diff));
- goto next_node;
}
+
/*
* On the first pass we need to check if the current node
* has not been obscured.
@@ -5710,26 +6803,77 @@ zone_sign(dns_zone_t *zone) {
*/
dns_dbiterator_pause(signing->dbiterator);
for (i = 0; i < nkeys; i++) {
+ isc_boolean_t both = ISC_FALSE;
+
+ /*
+ * Find the keys we want to sign with.
+ */
+ if (!dst_key_isprivate(zone_keys[i]))
+ continue;
+
/*
- * Find the key we want to sign with.
+ * When adding look for the specific key.
*/
- if (dst_key_alg(zone_keys[i]) != signing->algorithm ||
- dst_key_id(zone_keys[i]) != signing->keyid ||
- !dst_key_isprivate(zone_keys[i]))
+ if (!signing->delete &&
+ (dst_key_alg(zone_keys[i]) != signing->algorithm ||
+ dst_key_id(zone_keys[i]) != signing->keyid))
continue;
+
+ /*
+ * When deleting make sure we are properly signed
+ * with the algorithm that was being removed.
+ */
+ if (signing->delete &&
+ ALG(zone_keys[i]) != signing->algorithm)
+ continue;
+
/*
* Do we do KSK processing?
*/
- if (check_ksk &&
- (dst_key_flags(zone_keys[i]) & DNS_KEYFLAG_KSK) != 0)
- is_ksk = ISC_TRUE;
+ if (check_ksk && !REVOKE(zone_keys[i])) {
+ isc_boolean_t have_ksk, have_nonksk;
+ if (KSK(zone_keys[i])) {
+ have_ksk = ISC_TRUE;
+ have_nonksk = ISC_FALSE;
+ } else {
+ have_ksk = ISC_FALSE;
+ have_nonksk = ISC_TRUE;
+ }
+ for (j = 0; j < nkeys; j++) {
+ if (j == i ||
+ ALG(zone_keys[i]) !=
+ ALG(zone_keys[j]))
+ continue;
+ if (REVOKE(zone_keys[j]))
+ continue;
+ if (KSK(zone_keys[j]))
+ have_ksk = ISC_TRUE;
+ else
+ have_nonksk = ISC_TRUE;
+ both = have_ksk && have_nonksk;
+ if (both)
+ break;
+ }
+ }
+ if (both || REVOKE(zone_keys[i]))
+ is_ksk = KSK(zone_keys[i]);
+ else
+ is_ksk = ISC_FALSE;
+
CHECK(sign_a_node(db, name, node, version, build_nsec3,
build_nsec, zone_keys[i], inception,
expire, zone->minimum, is_ksk,
- &delegation, &sig_diff, &signatures,
- zone->mctx));
- break;
+ ISC_TF(both && keyset_kskonly),
+ &delegation, &sig_diff,
+ &signatures, zone->mctx));
+ /*
+ * If we are adding we are done. Look for other keys
+ * of the same algorithm if deleting.
+ */
+ if (!signing->delete)
+ break;
}
+
/*
* Go onto next node.
*/
@@ -5742,9 +6886,7 @@ zone_sign(dns_zone_t *zone) {
ISC_LIST_UNLINK(zone->signing, signing, link);
ISC_LIST_APPEND(cleanup, signing, link);
dns_dbiterator_pause(signing->dbiterator);
- finishedakey = ISC_TRUE;
- if (!is_ksk && !secureupdated && nkeys != 0 &&
- build_nsec) {
+ if (nkeys != 0 && build_nsec) {
/*
* We have finished regenerating the
* zone with a zone signing key.
@@ -5756,8 +6898,8 @@ zone_sign(dns_zone_t *zone) {
result = updatesecure(db, version,
&zone->origin,
zone->minimum,
- &secureupdated,
- &sig_diff);
+ ISC_FALSE,
+ &post_diff);
if (result != ISC_R_SUCCESS) {
dns_zone_log(zone,
ISC_LOG_ERROR,
@@ -5766,16 +6908,18 @@ zone_sign(dns_zone_t *zone) {
goto failure;
}
}
- result = updatesignwithkey(signing, version,
- &zone->origin,
- zone->privatetype,
- &sig_diff);
+ result = updatesignwithkey(zone, signing,
+ version,
+ build_nsec3,
+ zone->minimum,
+ &post_diff);
if (result != ISC_R_SUCCESS) {
dns_zone_log(zone, ISC_LOG_ERROR,
"updatesignwithkey -> %s",
dns_result_totext(result));
goto failure;
}
+ build_nsec = ISC_FALSE;
goto next_signing;
} else if (result != ISC_R_SUCCESS) {
dns_zone_log(zone, ISC_LOG_ERROR,
@@ -5799,53 +6943,13 @@ zone_sign(dns_zone_t *zone) {
first = ISC_TRUE;
}
- if (secureupdated) {
- /*
- * We have changed the NSEC RRset above so we need to update
- * the signatures.
- */
- result = del_sigs(zone, db, version, &zone->origin,
- dns_rdatatype_nsec, &sig_diff, zone_keys,
- nkeys, now);
+ if (ISC_LIST_HEAD(post_diff.tuples) != NULL) {
+ result = update_sigs(&post_diff, db, version, zone_keys,
+ nkeys, zone, inception, expire, now,
+ check_ksk, keyset_kskonly, &sig_diff);
if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "zone_sign:del_sigs -> %s",
- dns_result_totext(result));
- goto failure;
- }
- result = add_sigs(db, version, &zone->origin,
- dns_rdatatype_nsec, &sig_diff, zone_keys,
- nkeys, zone->mctx, inception, soaexpire,
- check_ksk);
- if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "zone_sign:add_sigs -> %s",
- dns_result_totext(result));
- goto failure;
- }
- }
-
- if (finishedakey) {
- /*
- * We have changed the RRset above so we need to update
- * the signatures.
- */
- result = del_sigs(zone, db, version, &zone->origin,
- zone->privatetype, &sig_diff,
- zone_keys, nkeys, now);
- if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "zone_sign:del_sigs -> %s",
- dns_result_totext(result));
- goto failure;
- }
- result = add_sigs(db, version, &zone->origin,
- zone->privatetype, &sig_diff,
- zone_keys, nkeys, zone->mctx, inception,
- soaexpire, check_ksk);
- if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "zone_sign:add_sigs -> %s",
+ dns_zone_log(zone, ISC_LOG_ERROR, "zone_sign:"
+ "update_sigs -> %s",
dns_result_totext(result));
goto failure;
}
@@ -5854,13 +6958,15 @@ zone_sign(dns_zone_t *zone) {
/*
* Have we changed anything?
*/
- if (ISC_LIST_HEAD(sig_diff.tuples) == NULL)
+ if (ISC_LIST_HEAD(sig_diff.tuples) == NULL) {
+ result = ISC_R_SUCCESS;
goto pauseall;
+ }
commit = ISC_TRUE;
result = del_sigs(zone, db, version, &zone->origin, dns_rdatatype_soa,
- &sig_diff, zone_keys, nkeys, now);
+ &sig_diff, zone_keys, nkeys, now, ISC_FALSE);
if (result != ISC_R_SUCCESS) {
dns_zone_log(zone, ISC_LOG_ERROR,
"zone_sign:del_sigs -> %s",
@@ -5882,7 +6988,7 @@ zone_sign(dns_zone_t *zone) {
*/
result = add_sigs(db, version, &zone->origin, dns_rdatatype_soa,
&sig_diff, zone_keys, nkeys, zone->mctx, inception,
- soaexpire, check_ksk);
+ soaexpire, check_ksk, keyset_kskonly);
if (result != ISC_R_SUCCESS) {
dns_zone_log(zone, ISC_LOG_ERROR,
"zone_sign:add_sigs -> %s",
@@ -5893,27 +6999,7 @@ zone_sign(dns_zone_t *zone) {
/*
* Write changes to journal file.
*/
- journalfile = dns_zone_getjournal(zone);
- if (journalfile != NULL) {
- dns_journal_t *journal = NULL;
- result = dns_journal_open(zone->mctx, journalfile,
- ISC_TRUE, &journal);
- if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "zone_sign:dns_journal_open -> %s",
- dns_result_totext(result));
- goto failure;
- }
-
- result = dns_journal_write_transaction(journal, &sig_diff);
- dns_journal_destroy(&journal);
- if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "zone_sign:dns_journal_write_transaction -> %s",
- dns_result_totext(result));
- goto failure;
- }
- }
+ CHECK(zone_journal(zone, &sig_diff, "zone_sign"));
pauseall:
/*
@@ -5950,6 +7036,7 @@ zone_sign(dns_zone_t *zone) {
if (commit) {
LOCK_ZONE(zone);
+ DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDNOTIFY);
zone_needdump(zone, DNS_DUMP_DELAY);
UNLOCK_ZONE(zone);
}
@@ -5961,7 +7048,7 @@ zone_sign(dns_zone_t *zone) {
signing = ISC_LIST_HEAD(cleanup);
while (signing != NULL) {
ISC_LIST_UNLINK(cleanup, signing, link);
- ISC_LIST_APPEND(zone->signing, signing, link);
+ ISC_LIST_PREPEND(zone->signing, signing, link);
dns_dbiterator_first(signing->dbiterator);
dns_dbiterator_pause(signing->dbiterator);
signing = ISC_LIST_HEAD(cleanup);
@@ -5977,6 +7064,9 @@ zone_sign(dns_zone_t *zone) {
for (i = 0; i < nkeys; i++)
dst_key_free(&zone_keys[i]);
+ if (node != NULL)
+ dns_db_detachnode(db, &node);
+
if (version != NULL) {
dns_db_closeversion(db, &version, ISC_FALSE);
dns_db_detach(&db);
@@ -5995,6 +7085,887 @@ zone_sign(dns_zone_t *zone) {
}
static void
+normalize_key(dns_rdata_t *rr, dns_rdata_t *target,
+ unsigned char *data, int size) {
+ dns_rdata_dnskey_t dnskey;
+ dns_rdata_keydata_t keydata;
+ isc_buffer_t buf;
+
+ dns_rdata_reset(target);
+ isc_buffer_init(&buf, data, size);
+
+ switch (rr->type) {
+ case dns_rdatatype_dnskey:
+ dns_rdata_tostruct(rr, &dnskey, NULL);
+ dnskey.flags &= ~DNS_KEYFLAG_REVOKE;
+ dns_rdata_fromstruct(target, rr->rdclass, dns_rdatatype_dnskey,
+ &dnskey, &buf);
+ break;
+ case dns_rdatatype_keydata:
+ dns_rdata_tostruct(rr, &keydata, NULL);
+ dns_keydata_todnskey(&keydata, &dnskey, NULL);
+ dns_rdata_fromstruct(target, rr->rdclass, dns_rdatatype_dnskey,
+ &dnskey, &buf);
+ break;
+ default:
+ INSIST(0);
+ }
+}
+
+/*
+ * 'rdset' contains either a DNSKEY rdataset from the zone apex, or
+ * a KEYDATA rdataset from the key zone.
+ *
+ * 'rr' contains either a DNSKEY record, or a KEYDATA record
+ *
+ * After normalizing keys to the same format (DNSKEY, with revoke bit
+ * cleared), return ISC_TRUE if a key that matches 'rr' is found in
+ * 'rdset', or ISC_FALSE if not.
+ */
+
+static isc_boolean_t
+matchkey(dns_rdataset_t *rdset, dns_rdata_t *rr) {
+ unsigned char data1[4096], data2[4096];
+ dns_rdata_t rdata, rdata1, rdata2;
+ isc_result_t result;
+
+ dns_rdata_init(&rdata);
+ dns_rdata_init(&rdata1);
+ dns_rdata_init(&rdata2);
+
+ normalize_key(rr, &rdata1, data1, sizeof(data1));
+
+ for (result = dns_rdataset_first(rdset);
+ result == ISC_R_SUCCESS;
+ result = dns_rdataset_next(rdset)) {
+ dns_rdata_reset(&rdata);
+ dns_rdataset_current(rdset, &rdata);
+ normalize_key(&rdata, &rdata2, data2, sizeof(data2));
+ if (dns_rdata_compare(&rdata1, &rdata2) == 0)
+ return (ISC_TRUE);
+ }
+
+ return (ISC_FALSE);
+}
+
+/*
+ * Calculate the refresh interval for a keydata zone, per
+ * RFC5011: MAX(1 hr,
+ * MIN(15 days,
+ * 1/2 * OrigTTL,
+ * 1/2 * RRSigExpirationInterval))
+ * or for retries: MAX(1 hr,
+ * MIN(1 day,
+ * 1/10 * OrigTTL,
+ * 1/10 * RRSigExpirationInterval))
+ */
+static inline isc_stdtime_t
+refresh_time(dns_keyfetch_t *kfetch, isc_boolean_t retry) {
+ isc_result_t result;
+ isc_uint32_t t;
+ dns_rdataset_t *rdset;
+ dns_rdata_t sigrr = DNS_RDATA_INIT;
+ dns_rdata_sig_t sig;
+ isc_stdtime_t now;
+
+ isc_stdtime_get(&now);
+
+ if (dns_rdataset_isassociated(&kfetch->dnskeysigset))
+ rdset = &kfetch->dnskeysigset;
+ else
+ return (now + HOUR);
+
+ result = dns_rdataset_first(rdset);
+ if (result != ISC_R_SUCCESS)
+ return (now + HOUR);
+
+ dns_rdataset_current(rdset, &sigrr);
+ result = dns_rdata_tostruct(&sigrr, &sig, NULL);
+ RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+ if (!retry) {
+ t = sig.originalttl / 2;
+
+ if (isc_serial_gt(sig.timeexpire, now)) {
+ isc_uint32_t exp = (sig.timeexpire - now) / 2;
+ if (t > exp)
+ t = exp;
+ }
+
+ if (t > (15*DAY))
+ t = (15*DAY);
+
+ if (t < HOUR)
+ t = HOUR;
+ } else {
+ t = sig.originalttl / 10;
+
+ if (isc_serial_gt(sig.timeexpire, now)) {
+ isc_uint32_t exp = (sig.timeexpire - now) / 10;
+ if (t > exp)
+ t = exp;
+ }
+
+ if (t > DAY)
+ t = DAY;
+
+ if (t < HOUR)
+ t = HOUR;
+ }
+
+ return (now + t);
+}
+
+/*
+ * This routine is called when no changes are needed in a KEYDATA
+ * record except to simply update the refresh timer. Caller should
+ * hold zone lock.
+ */
+static isc_result_t
+minimal_update(dns_keyfetch_t *kfetch, dns_dbversion_t *ver, dns_diff_t *diff)
+{
+ isc_result_t result;
+ isc_buffer_t keyb;
+ unsigned char key_buf[4096];
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ dns_rdata_keydata_t keydata;
+ dns_name_t *name;
+ dns_zone_t *zone = kfetch->zone;
+ isc_stdtime_t now;
+
+ name = dns_fixedname_name(&kfetch->name);
+ isc_stdtime_get(&now);
+
+ for (result = dns_rdataset_first(&kfetch->keydataset);
+ result == ISC_R_SUCCESS;
+ result = dns_rdataset_next(&kfetch->keydataset)) {
+ dns_rdata_reset(&rdata);
+ dns_rdataset_current(&kfetch->keydataset, &rdata);
+
+ /* Delete old version */
+ CHECK(update_one_rr(kfetch->db, ver, diff, DNS_DIFFOP_DEL,
+ name, 0, &rdata));
+
+ /* Update refresh timer */
+ CHECK(dns_rdata_tostruct(&rdata, &keydata, NULL));
+ keydata.refresh = refresh_time(kfetch, ISC_TRUE);
+ set_refreshkeytimer(zone, &keydata, now);
+
+ dns_rdata_reset(&rdata);
+ isc_buffer_init(&keyb, key_buf, sizeof(key_buf));
+ CHECK(dns_rdata_fromstruct(&rdata,
+ zone->rdclass, dns_rdatatype_keydata,
+ &keydata, &keyb));
+
+ /* Insert updated version */
+ CHECK(update_one_rr(kfetch->db, ver, diff, DNS_DIFFOP_ADD,
+ name, 0, &rdata));
+ }
+ result = ISC_R_SUCCESS;
+ failure:
+ return (result);
+}
+
+/*
+ * Verify that DNSKEY set is signed by the key specified in 'keydata'.
+ */
+static isc_boolean_t
+revocable(dns_keyfetch_t *kfetch, dns_rdata_keydata_t *keydata) {
+ isc_result_t result;
+ dns_name_t *keyname;
+ isc_mem_t *mctx;
+ dns_rdata_t sigrr = DNS_RDATA_INIT;
+ dns_rdata_t rr = DNS_RDATA_INIT;
+ dns_rdata_rrsig_t sig;
+ dns_rdata_dnskey_t dnskey;
+ dst_key_t *dstkey = NULL;
+ unsigned char key_buf[4096];
+ isc_buffer_t keyb;
+ isc_boolean_t answer = ISC_FALSE;
+
+ REQUIRE(kfetch != NULL && keydata != NULL);
+ REQUIRE(dns_rdataset_isassociated(&kfetch->dnskeysigset));
+
+ keyname = dns_fixedname_name(&kfetch->name);
+ mctx = kfetch->zone->view->mctx;
+
+ /* Generate a key from keydata */
+ isc_buffer_init(&keyb, key_buf, sizeof(key_buf));
+ dns_keydata_todnskey(keydata, &dnskey, NULL);
+ dns_rdata_fromstruct(&rr, keydata->common.rdclass, dns_rdatatype_dnskey,
+ &dnskey, &keyb);
+ result = dns_dnssec_keyfromrdata(keyname, &rr, mctx, &dstkey);
+ if (result != ISC_R_SUCCESS)
+ return (ISC_FALSE);
+
+ /* See if that key generated any of the signatures */
+ for (result = dns_rdataset_first(&kfetch->dnskeysigset);
+ result == ISC_R_SUCCESS;
+ result = dns_rdataset_next(&kfetch->dnskeysigset)) {
+ dns_fixedname_t fixed;
+ dns_fixedname_init(&fixed);
+
+ dns_rdata_reset(&sigrr);
+ dns_rdataset_current(&kfetch->dnskeysigset, &sigrr);
+ result = dns_rdata_tostruct(&sigrr, &sig, NULL);
+ RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+ if (dst_key_alg(dstkey) == sig.algorithm &&
+ (dst_key_id(dstkey) == sig.keyid ||
+ dst_key_rid(dstkey) == sig.keyid)) {
+ result = dns_dnssec_verify2(keyname,
+ &kfetch->dnskeyset,
+ dstkey, ISC_FALSE, mctx, &sigrr,
+ dns_fixedname_name(&fixed));
+
+ dns_zone_log(kfetch->zone, ISC_LOG_DEBUG(3),
+ "Confirm revoked DNSKEY is self-signed: "
+ "%s", dns_result_totext(result));
+
+ if (result == ISC_R_SUCCESS) {
+ answer = ISC_TRUE;
+ break;
+ }
+ }
+ }
+
+ dst_key_free(&dstkey);
+ return (answer);
+}
+
+/*
+ * A DNSKEY set has been fetched from the zone apex of a zone whose trust
+ * anchors are being managed; scan the keyset, and update the key zone and the
+ * local trust anchors according to RFC5011.
+ */
+static void
+keyfetch_done(isc_task_t *task, isc_event_t *event) {
+ isc_result_t result, eresult;
+ dns_fetchevent_t *devent;
+ dns_keyfetch_t *kfetch;
+ dns_zone_t *zone;
+ isc_mem_t *mctx = NULL;
+ dns_keytable_t *secroots = NULL;
+ dns_dbversion_t *ver = NULL;
+ dns_diff_t diff;
+ isc_boolean_t alldone = ISC_FALSE;
+ isc_boolean_t commit = ISC_FALSE;
+ dns_name_t *keyname;
+ dns_rdata_t sigrr = DNS_RDATA_INIT;
+ dns_rdata_t dnskeyrr = DNS_RDATA_INIT;
+ dns_rdata_t keydatarr = DNS_RDATA_INIT;
+ dns_rdata_rrsig_t sig;
+ dns_rdata_dnskey_t dnskey;
+ dns_rdata_keydata_t keydata;
+ isc_boolean_t initializing;
+ char namebuf[DNS_NAME_FORMATSIZE];
+ unsigned char key_buf[4096];
+ isc_buffer_t keyb;
+ dst_key_t *dstkey;
+ isc_stdtime_t now;
+ int pending = 0;
+ isc_boolean_t secure;
+ isc_boolean_t free_needed;
+
+ UNUSED(task);
+ INSIST(event != NULL && event->ev_type == DNS_EVENT_FETCHDONE);
+ INSIST(event->ev_arg != NULL);
+
+ kfetch = event->ev_arg;
+ zone = kfetch->zone;
+ isc_mem_attach(zone->mctx, &mctx);
+ keyname = dns_fixedname_name(&kfetch->name);
+
+ devent = (dns_fetchevent_t *) event;
+ eresult = devent->result;
+
+ /* Free resources which are not of interest */
+ if (devent->node != NULL)
+ dns_db_detachnode(devent->db, &devent->node);
+ if (devent->db != NULL)
+ dns_db_detach(&devent->db);
+ isc_event_free(&event);
+ dns_resolver_destroyfetch(&kfetch->fetch);
+
+ LOCK_ZONE(zone);
+ if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING) || zone->view == NULL)
+ goto cleanup;
+
+ isc_stdtime_get(&now);
+ dns_name_format(keyname, namebuf, sizeof(namebuf));
+
+ result = dns_view_getsecroots(zone->view, &secroots);
+ INSIST(result == ISC_R_SUCCESS);
+
+ dns_diff_init(mctx, &diff);
+ diff.resign = zone->sigresigninginterval;
+
+ CHECK(dns_db_newversion(kfetch->db, &ver));
+
+ zone->refreshkeycount--;
+ alldone = ISC_TF(zone->refreshkeycount == 0);
+
+ if (alldone)
+ DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_REFRESHING);
+
+ /* Fetch failed */
+ if (eresult != ISC_R_SUCCESS ||
+ !dns_rdataset_isassociated(&kfetch->dnskeyset)) {
+ dns_zone_log(zone, ISC_LOG_WARNING,
+ "Unable to fetch DNSKEY set "
+ "'%s': %s", namebuf, dns_result_totext(eresult));
+ CHECK(minimal_update(kfetch, ver, &diff));
+ goto done;
+ }
+
+ /* No RRSIGs found */
+ if (!dns_rdataset_isassociated(&kfetch->dnskeysigset)) {
+ dns_zone_log(zone, ISC_LOG_WARNING,
+ "No DNSKEY RRSIGs found for "
+ "'%s': %s", namebuf, dns_result_totext(eresult));
+ CHECK(minimal_update(kfetch, ver, &diff));
+ goto done;
+ }
+
+ /*
+ * Validate the dnskeyset against the current trusted keys.
+ */
+ for (result = dns_rdataset_first(&kfetch->dnskeysigset);
+ result == ISC_R_SUCCESS;
+ result = dns_rdataset_next(&kfetch->dnskeysigset)) {
+ dns_keynode_t *keynode = NULL;
+
+ dns_rdata_reset(&sigrr);
+ dns_rdataset_current(&kfetch->dnskeysigset, &sigrr);
+ result = dns_rdata_tostruct(&sigrr, &sig, NULL);
+ RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+ result = dns_keytable_find(secroots, keyname, &keynode);
+ while (result == ISC_R_SUCCESS) {
+ dns_keynode_t *nextnode = NULL;
+ dns_fixedname_t fixed;
+ dns_fixedname_init(&fixed);
+
+ dstkey = dns_keynode_key(keynode);
+ if (dstkey == NULL) /* fail_secure() was called */
+ break;
+
+ if (dst_key_alg(dstkey) == sig.algorithm &&
+ dst_key_id(dstkey) == sig.keyid) {
+ result = dns_dnssec_verify2(keyname,
+ &kfetch->dnskeyset,
+ dstkey, ISC_FALSE,
+ zone->view->mctx, &sigrr,
+ dns_fixedname_name(&fixed));
+
+ dns_zone_log(zone, ISC_LOG_DEBUG(3),
+ "Verifying DNSKEY set for zone "
+ "'%s': %s", namebuf,
+ dns_result_totext(result));
+
+ if (result == ISC_R_SUCCESS) {
+ kfetch->dnskeyset.trust =
+ dns_trust_secure;
+ kfetch->dnskeysigset.trust =
+ dns_trust_secure;
+ dns_keytable_detachkeynode(secroots,
+ &keynode);
+ break;
+ }
+ }
+
+ result = dns_keytable_nextkeynode(secroots,
+ keynode, &nextnode);
+ dns_keytable_detachkeynode(secroots, &keynode);
+ keynode = nextnode;
+ }
+
+ if (kfetch->dnskeyset.trust == dns_trust_secure)
+ break;
+ }
+
+ /*
+ * If we were not able to verify the answer using the current
+ * trusted keys then all we can do is look at any revoked keys.
+ */
+ secure = ISC_TF(kfetch->dnskeyset.trust == dns_trust_secure);
+
+ /*
+ * First scan keydataset to find keys that are not in dnskeyset
+ * - Missing keys which are not scheduled for removal,
+ * log a warning
+ * - Missing keys which are scheduled for removal and
+ * the remove hold-down timer has completed should
+ * be removed from the key zone
+ * - Missing keys whose acceptance timers have not yet
+ * completed, log a warning and reset the acceptance
+ * timer to 30 days in the future
+ * - All keys not being removed have their refresh timers
+ * updated
+ */
+ initializing = ISC_TRUE;
+ for (result = dns_rdataset_first(&kfetch->keydataset);
+ result == ISC_R_SUCCESS;
+ result = dns_rdataset_next(&kfetch->keydataset)) {
+ dns_rdata_reset(&keydatarr);
+ dns_rdataset_current(&kfetch->keydataset, &keydatarr);
+ dns_rdata_tostruct(&keydatarr, &keydata, NULL);
+
+ /*
+ * If any keydata record has a nonzero add holddown, then
+ * there was a pre-existing trust anchor for this domain;
+ * that means we are *not* initializing it and shouldn't
+ * automatically trust all the keys we find at the zone apex.
+ */
+ initializing = initializing && ISC_TF(keydata.addhd == 0);
+
+ if (! matchkey(&kfetch->dnskeyset, &keydatarr)) {
+ isc_boolean_t deletekey = ISC_FALSE;
+
+ if (!secure) {
+ if (now > keydata.removehd)
+ deletekey = ISC_TRUE;
+ } else if (now < keydata.addhd) {
+ dns_zone_log(zone, ISC_LOG_WARNING,
+ "Pending key unexpectedly missing "
+ "from %s; restarting acceptance "
+ "timer", namebuf);
+ keydata.addhd = now + MONTH;
+ keydata.refresh = refresh_time(kfetch,
+ ISC_FALSE);
+ } else if (keydata.addhd == 0) {
+ keydata.addhd = now;
+ } else if (keydata.removehd == 0) {
+ dns_zone_log(zone, ISC_LOG_WARNING,
+ "Active key unexpectedly missing "
+ "from %s", namebuf);
+ keydata.refresh = now + HOUR;
+ } else if (now > keydata.removehd) {
+ deletekey = ISC_TRUE;
+ } else {
+ keydata.refresh = refresh_time(kfetch,
+ ISC_FALSE);
+ }
+
+ if (secure || deletekey) {
+ /* Delete old version */
+ CHECK(update_one_rr(kfetch->db, ver, &diff,
+ DNS_DIFFOP_DEL, keyname, 0,
+ &keydatarr));
+ }
+
+ if (!secure || deletekey)
+ continue;
+
+ dns_rdata_reset(&keydatarr);
+ isc_buffer_init(&keyb, key_buf, sizeof(key_buf));
+ dns_rdata_fromstruct(&keydatarr, zone->rdclass,
+ dns_rdatatype_keydata,
+ &keydata, &keyb);
+
+ /* Insert updated version */
+ CHECK(update_one_rr(kfetch->db, ver, &diff,
+ DNS_DIFFOP_ADD, keyname, 0,
+ &keydatarr));
+
+ set_refreshkeytimer(zone, &keydata, now);
+ }
+ }
+
+ /*
+ * Next scan dnskeyset:
+ * - If new keys are found (i.e., lacking a match in keydataset)
+ * add them to the key zone and set the acceptance timer
+ * to 30 days in the future (or to immediately if we've
+ * determined that we're initializing the zone for the
+ * first time)
+ * - Previously-known keys that have been revoked
+ * must be scheduled for removal from the key zone (or,
+ * if they hadn't been accepted as trust anchors yet
+ * anyway, removed at once)
+ * - Previously-known unrevoked keys whose acceptance timers
+ * have completed are promoted to trust anchors
+ * - All keys not being removed have their refresh
+ * timers updated
+ */
+ for (result = dns_rdataset_first(&kfetch->dnskeyset);
+ result == ISC_R_SUCCESS;
+ result = dns_rdataset_next(&kfetch->dnskeyset)) {
+ isc_boolean_t revoked = ISC_FALSE;
+ isc_boolean_t newkey = ISC_FALSE;
+ isc_boolean_t updatekey = ISC_FALSE;
+ isc_boolean_t deletekey = ISC_FALSE;
+ isc_boolean_t trustkey = ISC_FALSE;
+
+ dns_rdata_reset(&dnskeyrr);
+ dns_rdataset_current(&kfetch->dnskeyset, &dnskeyrr);
+ dns_rdata_tostruct(&dnskeyrr, &dnskey, NULL);
+
+ /* Skip ZSK's */
+ if (!ISC_TF(dnskey.flags & DNS_KEYFLAG_KSK))
+ continue;
+
+ revoked = ISC_TF(dnskey.flags & DNS_KEYFLAG_REVOKE);
+
+ if (matchkey(&kfetch->keydataset, &dnskeyrr)) {
+ dns_rdata_reset(&keydatarr);
+ dns_rdataset_current(&kfetch->keydataset, &keydatarr);
+ dns_rdata_tostruct(&keydatarr, &keydata, NULL);
+
+ if (revoked && revocable(kfetch, &keydata)) {
+ if (keydata.addhd > now) {
+ /*
+ * Key wasn't trusted yet, and now
+ * it's been revoked? Just remove it
+ */
+ deletekey = ISC_TRUE;
+ } else if (keydata.removehd == 0) {
+ /* Remove from secroots */
+ dns_view_untrust(zone->view, keyname,
+ &dnskey, mctx);
+
+ /* If initializing, delete now */
+ if (keydata.addhd == 0)
+ deletekey = ISC_TRUE;
+ else
+ keydata.removehd = now + MONTH;
+ } else if (keydata.removehd < now) {
+ /* Scheduled for removal */
+ deletekey = ISC_TRUE;
+ }
+ } else if (revoked) {
+ if (secure && keydata.removehd == 0) {
+ dns_zone_log(zone, ISC_LOG_WARNING,
+ "Active key for zone "
+ "'%s' is revoked but "
+ "did not self-sign; "
+ "ignoring.", namebuf);
+ continue;
+ }
+ } else if (secure) {
+ if (keydata.removehd != 0) {
+ /*
+ * Key isn't revoked--but it
+ * seems it used to be.
+ * Remove it now and add it
+ * back as if it were a fresh key.
+ */
+ deletekey = ISC_TRUE;
+ newkey = ISC_TRUE;
+ } else if (keydata.addhd > now)
+ pending++;
+ else if (keydata.addhd == 0)
+ keydata.addhd = now;
+
+ if (keydata.addhd <= now)
+ trustkey = ISC_TRUE;
+ }
+
+ if (!deletekey && !newkey)
+ updatekey = ISC_TRUE;
+ } else if (secure) {
+ /*
+ * Key wasn't in the key zone but it's
+ * revoked now anyway, so just skip it
+ */
+ if (revoked)
+ continue;
+
+ /* Key wasn't in the key zone: add it */
+ newkey = ISC_TRUE;
+
+ if (initializing) {
+ dns_keytag_t tag = 0;
+ CHECK(compute_tag(keyname, &dnskey,
+ mctx, &tag));
+ dns_zone_log(zone, ISC_LOG_WARNING,
+ "Initializing automatic trust "
+ "anchor management for zone '%s'; "
+ "DNSKEY ID %d is now trusted, "
+ "waiving the normal 30-day "
+ "waiting period.",
+ namebuf, tag);
+ trustkey = ISC_TRUE;
+ }
+ }
+
+ /* Delete old version */
+ if (deletekey || !newkey)
+ CHECK(update_one_rr(kfetch->db, ver, &diff,
+ DNS_DIFFOP_DEL, keyname, 0,
+ &keydatarr));
+
+ if (updatekey) {
+ /* Set refresh timer */
+ keydata.refresh = refresh_time(kfetch, ISC_FALSE);
+ dns_rdata_reset(&keydatarr);
+ isc_buffer_init(&keyb, key_buf, sizeof(key_buf));
+ dns_rdata_fromstruct(&keydatarr, zone->rdclass,
+ dns_rdatatype_keydata,
+ &keydata, &keyb);
+
+ /* Insert updated version */
+ CHECK(update_one_rr(kfetch->db, ver, &diff,
+ DNS_DIFFOP_ADD, keyname, 0,
+ &keydatarr));
+ } else if (newkey) {
+ /* Convert DNSKEY to KEYDATA */
+ dns_rdata_tostruct(&dnskeyrr, &dnskey, NULL);
+ dns_keydata_fromdnskey(&keydata, &dnskey, 0, 0, 0,
+ NULL);
+ keydata.addhd = initializing ? now : now + MONTH;
+ keydata.refresh = refresh_time(kfetch, ISC_FALSE);
+ dns_rdata_reset(&keydatarr);
+ isc_buffer_init(&keyb, key_buf, sizeof(key_buf));
+ dns_rdata_fromstruct(&keydatarr, zone->rdclass,
+ dns_rdatatype_keydata,
+ &keydata, &keyb);
+
+ /* Insert into key zone */
+ CHECK(update_one_rr(kfetch->db, ver, &diff,
+ DNS_DIFFOP_ADD, keyname, 0,
+ &keydatarr));
+ }
+
+ if (trustkey) {
+ /* Trust this key. */
+ dns_rdata_tostruct(&dnskeyrr, &dnskey, NULL);
+ trust_key(zone, keyname, &dnskey, mctx);
+ }
+
+ if (!deletekey)
+ set_refreshkeytimer(zone, &keydata, now);
+ }
+
+ /*
+ * RFC5011 says, "A trust point that has all of its trust anchors
+ * revoked is considered deleted and is treated as if the trust
+ * point was never configured." But if someone revoked their
+ * active key before the standby was trusted, that would mean the
+ * zone would suddenly be nonsecured. We avoid this by checking to
+ * see if there's pending keydata. If so, we put a null key in
+ * the security roots; then all queries to the zone will fail.
+ */
+ if (pending != 0)
+ fail_secure(zone, keyname);
+
+ done:
+
+ if (!ISC_LIST_EMPTY(diff.tuples)) {
+ /* Write changes to journal file. */
+ CHECK(increment_soa_serial(kfetch->db, ver, &diff, mctx));
+ CHECK(zone_journal(zone, &diff, "keyfetch_done"));
+ commit = ISC_TRUE;
+
+ DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_LOADED);
+ zone_needdump(zone, 30);
+ }
+
+ failure:
+
+ dns_diff_clear(&diff);
+ if (ver != NULL)
+ dns_db_closeversion(kfetch->db, &ver, commit);
+
+ cleanup:
+ dns_db_detach(&kfetch->db);
+
+ INSIST(zone->irefs > 0);
+ zone->irefs--;
+ kfetch->zone = NULL;
+
+ if (dns_rdataset_isassociated(&kfetch->keydataset))
+ dns_rdataset_disassociate(&kfetch->keydataset);
+ if (dns_rdataset_isassociated(&kfetch->dnskeyset))
+ dns_rdataset_disassociate(&kfetch->dnskeyset);
+ if (dns_rdataset_isassociated(&kfetch->dnskeysigset))
+ dns_rdataset_disassociate(&kfetch->dnskeysigset);
+
+ dns_name_free(keyname, mctx);
+ isc_mem_put(mctx, kfetch, sizeof(dns_keyfetch_t));
+ isc_mem_detach(&mctx);
+
+ if (secroots != NULL)
+ dns_keytable_detach(&secroots);
+
+ free_needed = exit_check(zone);
+ UNLOCK_ZONE(zone);
+ if (free_needed)
+ zone_free(zone);
+}
+
+/*
+ * Refresh the data in the key zone. Initiate a fetch to get new DNSKEY
+ * records from the zone apex.
+ */
+static void
+zone_refreshkeys(dns_zone_t *zone) {
+ const char me[] = "zone_refreshkeys";
+ isc_result_t result;
+ dns_rriterator_t rrit;
+ dns_db_t *db = NULL;
+ dns_dbversion_t *ver = NULL;
+ dns_diff_t diff;
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ dns_rdata_keydata_t kd;
+ isc_stdtime_t now;
+ isc_boolean_t commit = ISC_FALSE;
+ isc_boolean_t fetching = ISC_FALSE, fetch_err = ISC_FALSE;
+
+ ENTER;
+ REQUIRE(zone->db != NULL);
+
+ isc_stdtime_get(&now);
+
+ LOCK_ZONE(zone);
+ if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING)) {
+ isc_time_settoepoch(&zone->refreshkeytime);
+ UNLOCK_ZONE(zone);
+ return;
+ }
+
+ ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
+ dns_db_attach(zone->db, &db);
+ ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
+
+ dns_diff_init(zone->mctx, &diff);
+
+ CHECK(dns_db_newversion(db, &ver));
+
+ DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_REFRESHING);
+
+ dns_rriterator_init(&rrit, db, ver, 0);
+ for (result = dns_rriterator_first(&rrit);
+ result == ISC_R_SUCCESS;
+ result = dns_rriterator_nextrrset(&rrit)) {
+ isc_stdtime_t timer = 0xffffffff;
+ dns_name_t *name = NULL, *kname = NULL;
+ dns_rdataset_t *kdset = NULL;
+ dns_keyfetch_t *kfetch;
+ isc_uint32_t ttl;
+
+ dns_rriterator_current(&rrit, &name, &ttl, &kdset, NULL);
+ if (kdset == NULL || kdset->type != dns_rdatatype_keydata ||
+ !dns_rdataset_isassociated(kdset))
+ continue;
+
+ /*
+ * Scan the stored keys looking for ones that need
+ * removal or refreshing
+ */
+ for (result = dns_rdataset_first(kdset);
+ result == ISC_R_SUCCESS;
+ result = dns_rdataset_next(kdset)) {
+ dns_rdata_reset(&rdata);
+ dns_rdataset_current(kdset, &rdata);
+ result = dns_rdata_tostruct(&rdata, &kd, NULL);
+ RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+ /* Removal timer expired? */
+ if (kd.removehd != 0 && kd.removehd < now) {
+ CHECK(update_one_rr(db, ver, &diff,
+ DNS_DIFFOP_DEL, name, ttl,
+ &rdata));
+ continue;
+ }
+
+ /* Acceptance timer expired? */
+ if (kd.addhd != 0 && kd.addhd < now)
+ timer = kd.addhd;
+
+ /* Or do we just need to refresh the keyset? */
+ if (timer > kd.refresh)
+ timer = kd.refresh;
+ }
+
+ if (timer > now)
+ continue;
+
+ kfetch = isc_mem_get(zone->mctx, sizeof(dns_keyfetch_t));
+ if (kfetch == NULL) {
+ fetch_err = ISC_TRUE;
+ goto failure;
+ }
+
+ zone->refreshkeycount++;
+ kfetch->zone = zone;
+ zone->irefs++;
+ INSIST(zone->irefs != 0);
+ dns_fixedname_init(&kfetch->name);
+ kname = dns_fixedname_name(&kfetch->name);
+ dns_name_dup(name, zone->mctx, kname);
+ dns_rdataset_init(&kfetch->dnskeyset);
+ dns_rdataset_init(&kfetch->dnskeysigset);
+ dns_rdataset_init(&kfetch->keydataset);
+ dns_rdataset_clone(kdset, &kfetch->keydataset);
+ kfetch->db = NULL;
+ dns_db_attach(db, &kfetch->db);
+ kfetch->fetch = NULL;
+
+ result = dns_resolver_createfetch(zone->view->resolver,
+ kname, dns_rdatatype_dnskey,
+ NULL, NULL, NULL,
+ DNS_FETCHOPT_NOVALIDATE,
+ zone->task,
+ keyfetch_done, kfetch,
+ &kfetch->dnskeyset,
+ &kfetch->dnskeysigset,
+ &kfetch->fetch);
+ if (result == ISC_R_SUCCESS)
+ fetching = ISC_TRUE;
+ else {
+ zone->refreshkeycount--;
+ zone->irefs--;
+ dns_db_detach(&kfetch->db);
+ dns_rdataset_disassociate(&kfetch->keydataset);
+ dns_name_free(kname, zone->mctx);
+ isc_mem_put(zone->mctx, kfetch, sizeof(dns_keyfetch_t));
+ dns_zone_log(zone, ISC_LOG_WARNING,
+ "Failed to create fetch for "
+ "DNSKEY update");
+ fetch_err = ISC_TRUE;
+ }
+ }
+ if (!ISC_LIST_EMPTY(diff.tuples)) {
+ CHECK(increment_soa_serial(db, ver, &diff, zone->mctx));
+ CHECK(zone_journal(zone, &diff, "zone_refreshkeys"));
+ commit = ISC_TRUE;
+ DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_LOADED);
+ zone_needdump(zone, 30);
+ }
+
+ failure:
+ if (fetch_err) {
+ /*
+ * Error during a key fetch; retry in an hour.
+ */
+ isc_time_t timenow, timethen;
+ char timebuf[80];
+
+ TIME_NOW(&timenow);
+ DNS_ZONE_TIME_ADD(&timenow, HOUR, &timethen);
+ zone->refreshkeytime = timethen;
+ zone_settimer(zone, &timenow);
+
+ isc_time_formattimestamp(&zone->refreshkeytime, timebuf, 80);
+ dns_zone_log(zone, ISC_LOG_DEBUG(1), "retry key refresh: %s",
+ timebuf);
+
+ if (!fetching)
+ DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_REFRESHING);
+ }
+
+ UNLOCK_ZONE(zone);
+
+ dns_diff_clear(&diff);
+ if (ver != NULL) {
+ dns_rriterator_destroy(&rrit);
+ dns_db_closeversion(db, &ver, commit);
+ }
+ dns_db_detach(&db);
+}
+
+static void
zone_maintenance(dns_zone_t *zone) {
const char me[] = "zone_maintenance";
isc_time_t now;
@@ -6007,7 +7978,7 @@ zone_maintenance(dns_zone_t *zone) {
/*
* Configuring the view of this zone may have
* failed, for example because the config file
- * had a syntax error. In that case, the view
+ * had a syntax error. In that case, the view
* db or resolver will be NULL, and we had better not try
* to do maintenance on it.
*/
@@ -6054,6 +8025,7 @@ zone_maintenance(dns_zone_t *zone) {
switch (zone->type) {
case dns_zone_master:
case dns_zone_slave:
+ case dns_zone_key:
case dns_zone_stub:
LOCK_ZONE(zone);
if (zone->masterfile != NULL &&
@@ -6076,6 +8048,24 @@ zone_maintenance(dns_zone_t *zone) {
break;
}
+ /*
+ * Do we need to refresh keys?
+ */
+ switch (zone->type) {
+ case dns_zone_key:
+ if (isc_time_compare(&now, &zone->refreshkeytime) >= 0 &&
+ DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED) &&
+ !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_REFRESHING))
+ zone_refreshkeys(zone);
+ break;
+ case dns_zone_master:
+ if (!isc_time_isepoch(&zone->refreshkeytime) &&
+ isc_time_compare(&now, &zone->refreshkeytime) >= 0)
+ zone_rekey(zone);
+ default:
+ break;
+ }
+
switch (zone->type) {
case dns_zone_master:
case dns_zone_slave:
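Review bot: In the added key-refresh switch, `case dns_zone_master:` has no `break` after `zone_rekey(zone);` and runs straight into `default:`. Behaviour is unaffected today because `default` only breaks, but a case inserted between the two later would silently inherit the master path. Ending the master case with its own `break;`, or marking it `/* FALLTHROUGH */` if that is intended, makes the intent explicit. The body of zone_maintenance starts and ends outside this hunk.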
@@ -8286,7 +10276,13 @@ ns_query(dns_zone_t *zone, dns_rdataset_t *soardataset, dns_stub_t *stub) {
dns_db_settask(stub->db, zone->task);
}
- dns_db_newversion(stub->db, &stub->version);
+ result = dns_db_newversion(stub->db, &stub->version);
+ if (result != ISC_R_SUCCESS) {
+ dns_zone_log(zone, ISC_LOG_INFO, "refreshing stub: "
+ "dns_db_newversion() failed: %s",
+ dns_result_totext(result));
+ goto cleanup;
+ }
/*
* Update SOA record.
@@ -8294,8 +10290,7 @@ ns_query(dns_zone_t *zone, dns_rdataset_t *soardataset, dns_stub_t *stub) {
result = dns_db_findnode(stub->db, &zone->origin, ISC_TRUE,
&node);
if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_INFO,
- "refreshing stub: "
+ dns_zone_log(zone, ISC_LOG_INFO, "refreshing stub: "
"dns_db_findnode() failed: %s",
dns_result_totext(result));
goto cleanup;
@@ -8517,7 +10512,7 @@ zone_shutdown(isc_task_t *task, isc_event_t *event) {
/*
* We have now canceled everything set the flag to allow exit_check()
- * to succeed. We must not unlock between setting this flag and
+ * to succeed. We must not unlock between setting this flag and
* calling exit_check().
*/
DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_SHUTDOWN);
@@ -8548,6 +10543,7 @@ zone_settimer(dns_zone_t *zone, isc_time_t *now) {
isc_time_t next;
isc_result_t result;
+ ENTER;
REQUIRE(DNS_ZONE_VALID(zone));
if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING))
return;
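Review bot: The added `ENTER;` sits before `REQUIRE(DNS_ZONE_VALID(zone));`, so any tracing it does runs on a zone pointer that has not been validated yet. The macro definition is not visible here, but zone_debuglog() later in this diff reads `zone->type` and `zone->strnamerd`, so if ENTER expands to that call, an invalid zone would be dereferenced before the assertion can catch it. Swapping the two lines, `REQUIRE(DNS_ZONE_VALID(zone));` then `ENTER;`, keeps the trace and restores the guard. The hunk does not show a `me` declaration in zone_settimer, which ENTER presumably needs; the function starts and ends outside the hunk.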
@@ -8565,6 +10561,12 @@ zone_settimer(dns_zone_t *zone, isc_time_t *now) {
isc_time_compare(&zone->dumptime, &next) < 0)
next = zone->dumptime;
}
+ if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_REFRESHING) &&
+ !isc_time_isepoch(&zone->refreshkeytime)) {
+ if (isc_time_isepoch(&next) ||
+ isc_time_compare(&zone->refreshkeytime, &next) < 0)
+ next = zone->refreshkeytime;
+ }
if (!isc_time_isepoch(&zone->resigntime)) {
if (isc_time_isepoch(&next) ||
isc_time_compare(&zone->resigntime, &next) < 0)
@@ -8617,6 +10619,22 @@ zone_settimer(dns_zone_t *zone, isc_time_t *now) {
}
break;
+ case dns_zone_key:
+ if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDDUMP) &&
+ !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DUMPING)) {
+ INSIST(!isc_time_isepoch(&zone->dumptime));
+ if (isc_time_isepoch(&next) ||
+ isc_time_compare(&zone->dumptime, &next) < 0)
+ next = zone->dumptime;
+ }
+ if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_REFRESHING)) {
+ if (isc_time_isepoch(&next) ||
+ (!isc_time_isepoch(&zone->refreshkeytime) &&
+ isc_time_compare(&zone->refreshkeytime, &next) < 0))
+ next = zone->refreshkeytime;
+ }
+ break;
+
default:
break;
}
@@ -8830,7 +10848,7 @@ dns_zone_notifyreceive(dns_zone_t *zone, isc_sockaddr_t *from,
REQUIRE(DNS_ZONE_VALID(zone));
/*
- * If type != T_SOA return DNS_R_REFUSED. We don't yet support
+ * If type != T_SOA return DNS_R_NOTIMP. We don't yet support
* ROLLOVER.
*
* SOA: RFC1996
@@ -8949,7 +10967,8 @@ dns_zone_notifyreceive(dns_zone_t *zone, isc_sockaddr_t *from,
NULL, NULL);
RUNTIME_CHECK(result == ISC_R_SUCCESS);
if (isc_serial_le(serial, oldserial)) {
- dns_zone_log(zone, ISC_LOG_INFO,
+ dns_zone_log(zone,
+ ISC_LOG_INFO,
"notify from %s: "
"zone is up to date",
fromtext);
@@ -9356,7 +11375,8 @@ dns_zone_logc(dns_zone_t *zone, isc_logcategory_t *category,
vsnprintf(message, sizeof(message), fmt, ap);
va_end(ap);
isc_log_write(dns_lctx, category, DNS_LOGMODULE_ZONE,
- level, "zone %s: %s", zone->strnamerd, message);
+ level, "%s %s: %s", (zone->type == dns_zone_key) ?
+ "managed-keys-zone" : "zone", zone->strnamerd, message);
}
void
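Review bot: The log prefix is chosen with the same ternary in three places: dns_zone_logc here, and dns_zone_log and zone_debuglog in the next two hunks. zone_debuglog writes it with the test inverted (`zone->type != dns_zone_key ? "zone" : "managed-keys-zone"`). A small static helper that returns the label for a zone, called from all three, would keep the prefixes from drifting apart, which matters to anyone filtering or alerting on these log lines. If the ternaries stay, they should at least use the same orientation, and a one-line comment such as `/* key zones are logged as "managed-keys-zone" */` would help the reader.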
@@ -9371,7 +11391,8 @@ dns_zone_log(dns_zone_t *zone, int level, const char *fmt, ...) {
vsnprintf(message, sizeof(message), fmt, ap);
va_end(ap);
isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL, DNS_LOGMODULE_ZONE,
- level, "zone %s: %s", zone->strnamerd, message);
+ level, "%s %s: %s", (zone->type == dns_zone_key) ?
+ "managed-keys-zone" : "zone", zone->strnamerd, message);
}
static void
@@ -9389,7 +11410,8 @@ zone_debuglog(dns_zone_t *zone, const char *me, int debuglevel,
vsnprintf(message, sizeof(message), fmt, ap);
va_end(ap);
isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL, DNS_LOGMODULE_ZONE,
- level, "%s: zone %s: %s", me, zone->strnamerd, message);
+ level, "%s: %s %s: %s", me, zone->type != dns_zone_key ?
+ "zone" : "managed-keys-zone", zone->strnamerd, message);
}
static int
@@ -9546,7 +11568,7 @@ notify_done(isc_task_t *task, isc_event_t *event) {
dns_result_totext(result));
/*
- * Old bind's return formerr if they see a soa record. Retry w/o
+ * Old bind's return formerr if they see a soa record. Retry w/o
* the soa if we see a formerr and had sent a SOA.
*/
isc_event_free(&event);
@@ -9601,7 +11623,7 @@ zone_replacedb(dns_zone_t *zone, dns_db_t *db, isc_boolean_t dump) {
"has %d SOA records", soacount);
result = DNS_R_BADZONE;
}
- if (nscount == 0) {
+ if (nscount == 0 && zone->type != dns_zone_key) {
dns_zone_log(zone, ISC_LOG_ERROR, "has no NS records");
result = DNS_R_BADZONE;
}
@@ -9687,24 +11709,27 @@ zone_replacedb(dns_zone_t *zone, dns_db_t *db, isc_boolean_t dump) {
}
} else {
if (dump && zone->masterfile != NULL) {
- isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
- DNS_LOGMODULE_ZONE, ISC_LOG_DEBUG(3),
- "dumping new zone version");
- result = dns_db_dump2(db, ver, zone->masterfile,
- zone->masterformat);
- if (result != ISC_R_SUCCESS)
- goto fail;
-
/*
- * Update the time the zone was updated, so
- * dns_zone_load can avoid loading it when
- * the server is reloaded. If isc_time_now
- * fails for some reason, all that happens is
- * the timestamp is not updated.
+ * If DNS_ZONEFLG_FORCEXFER was set we don't want
+ * to keep the old masterfile.
*/
- TIME_NOW(&zone->loadtime);
+ if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_FORCEXFER) &&
+ remove(zone->masterfile) < 0 && errno != ENOENT) {
+ char strbuf[ISC_STRERRORSIZE];
+ isc__strerror(errno, strbuf, sizeof(strbuf));
+ isc_log_write(dns_lctx,
+ DNS_LOGCATEGORY_GENERAL,
+ DNS_LOGMODULE_ZONE,
+ ISC_LOG_WARNING,
+ "unable to remove masterfile "
+ "'%s': '%s'",
+ zone->masterfile, strbuf);
+ }
+ if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED) == 0)
+ DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NODELAY);
+ else
+ zone_needdump(zone, 0);
}
-
if (dump && zone->journal != NULL) {
/*
* The in-memory database just changed, and
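Review bot: The FORCEXFER branch calls `remove(zone->masterfile)` before any replacement has been written, and the dump that used to run synchronously here is now only scheduled through `zone_needdump(zone, 0)` or the NODELAY flag. Until that deferred dump completes the zone has no master file on disk, and the journal is also discarded further down in this function, so a crash or a failed dump in that window would presumably leave nothing to reload from. I would either let the dump overwrite the file instead of unlinking it first, or record the ordering in a comment such as `/* old file removed first; the new version is written by the deferred dump */`. The hunk also drops `TIME_NOW(&zone->loadtime);`, so it is worth confirming that the load time is still updated on the dump path. zone_replacedb starts and ends outside the hunk.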
@@ -9712,7 +11737,7 @@ zone_replacedb(dns_zone_t *zone, dns_db_t *db, isc_boolean_t dump) {
* being loaded from disk. Also, we have not
* journaled diffs for this change.
* Therefore, the on-disk journal is missing
- * the deltas for this change. Since it can
+ * the deltas for this change. Since it can
* no longer be used to bring the zone
* up-to-date, it is useless and should be
* removed.
@@ -9900,16 +11925,19 @@ zone_xfrdone(dns_zone_t *zone, isc_result_t result) {
&now);
/* Someone removed the file from underneath us! */
if (result == ISC_R_FILENOTFOUND &&
- zone->masterfile != NULL)
- zone_needdump(zone, DNS_DUMP_DELAY);
- else if (result != ISC_R_SUCCESS)
+ zone->masterfile != NULL) {
+ unsigned int delay = DNS_DUMP_DELAY;
+ if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NODELAY))
+ delay = 0;
+ zone_needdump(zone, delay);
+ } else if (result != ISC_R_SUCCESS)
dns_zone_log(zone, ISC_LOG_ERROR,
"transfer: could not set file "
"modification time of '%s': %s",
zone->masterfile,
dns_result_totext(result));
}
-
+ DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NODELAY);
inc_stats(zone, dns_zonestatscounter_xfrsuccess);
break;
@@ -11476,7 +13504,7 @@ dns_zone_setdialup(dns_zone_t *zone, dns_dialuptype_t dialup) {
case dns_dialuptype_no:
break;
case dns_dialuptype_yes:
- DNS_ZONE_SETFLAG(zone, (DNS_ZONEFLG_DIALNOTIFY |
+ DNS_ZONE_SETFLAG(zone, (DNS_ZONEFLG_DIALNOTIFY |
DNS_ZONEFLG_DIALREFRESH |
DNS_ZONEFLG_NOREFRESH));
break;
@@ -11805,3 +13833,759 @@ zone_signwithkey(dns_zone_t *zone, dns_secalg_t algorithm, isc_uint16_t keyid,
}
return (result);
}
+
+static void
+logmsg(const char *format, ...) {
+ va_list args;
+ va_start(args, format);
+ isc_log_vwrite(dns_lctx, DNS_LOGCATEGORY_GENERAL, DNS_LOGMODULE_ZONE,
+ ISC_LOG_DEBUG(1), format, args);
+ va_end(args);
+}
+
+static void
+clear_keylist(dns_dnsseckeylist_t *list, isc_mem_t *mctx) {
+ dns_dnsseckey_t *key;
+ while (!ISC_LIST_EMPTY(*list)) {
+ key = ISC_LIST_HEAD(*list);
+ ISC_LIST_UNLINK(*list, key, link);
+ dns_dnsseckey_destroy(mctx, &key);
+ }
+}
+
+/* Called once; *timep should be set to the current time. */
+static isc_result_t
+next_keyevent(dst_key_t *key, isc_stdtime_t *timep) {
+ isc_result_t result;
+ isc_stdtime_t now, then = 0, event;
+ int i;
+
+ now = *timep;
+
+ for (i = 0; i <= DST_MAX_TIMES; i++) {
+ result = dst_key_gettime(key, i, &event);
+ if (result == ISC_R_SUCCESS && event > now &&
+ (then == 0 || event < then))
+ then = event;
+ }
+
+ if (then != 0) {
+ *timep = then;
+ return (ISC_R_SUCCESS);
+ }
+
+ return (ISC_R_NOTFOUND);
+}
+
+static isc_result_t
+rr_exists(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
+ const dns_rdata_t *rdata, isc_boolean_t *flag)
+{
+ dns_rdataset_t rdataset;
+ dns_dbnode_t *node = NULL;
+ isc_result_t result;
+
+ dns_rdataset_init(&rdataset);
+ if (rdata->type == dns_rdatatype_nsec3)
+ CHECK(dns_db_findnsec3node(db, name, ISC_FALSE, &node));
+ else
+ CHECK(dns_db_findnode(db, name, ISC_FALSE, &node));
+ result = dns_db_findrdataset(db, node, ver, rdata->type, 0,
+ (isc_stdtime_t) 0, &rdataset, NULL);
+ if (result == ISC_R_NOTFOUND) {
+ *flag = ISC_FALSE;
+ result = ISC_R_SUCCESS;
+ goto failure;
+ }
+
+ for (result = dns_rdataset_first(&rdataset);
+ result == ISC_R_SUCCESS;
+ result = dns_rdataset_next(&rdataset)) {
+ dns_rdata_t myrdata = DNS_RDATA_INIT;
+ dns_rdataset_current(&rdataset, &myrdata);
+ if (!dns_rdata_compare(&myrdata, rdata))
+ break;
+ }
+ dns_rdataset_disassociate(&rdataset);
+ if (result == ISC_R_SUCCESS) {
+ *flag = ISC_TRUE;
+ } else if (result == ISC_R_NOMORE) {
+ *flag = ISC_FALSE;
+ result = ISC_R_SUCCESS;
+ }
+
+ failure:
+ if (node != NULL)
+ dns_db_detachnode(db, &node);
+ return (result);
+}
+
+/*
+ * Add records to signal the state of signing or of key removal.
+ */
+static isc_result_t
+add_signing_records(dns_db_t *db, dns_rdatatype_t privatetype,
+ dns_dbversion_t *ver, dns_diff_t *diff,
+ isc_boolean_t sign_all)
+{
+ dns_difftuple_t *tuple, *newtuple = NULL;
+ dns_rdata_dnskey_t dnskey;
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ isc_boolean_t flag;
+ isc_region_t r;
+ isc_result_t result = ISC_R_SUCCESS;
+ isc_uint16_t keyid;
+ unsigned char buf[5];
+ dns_name_t *name = dns_db_origin(db);
+
+ for (tuple = ISC_LIST_HEAD(diff->tuples);
+ tuple != NULL;
+ tuple = ISC_LIST_NEXT(tuple, link)) {
+ if (tuple->rdata.type != dns_rdatatype_dnskey)
+ continue;
+
+ result = dns_rdata_tostruct(&tuple->rdata, &dnskey, NULL);
+ RUNTIME_CHECK(result == ISC_R_SUCCESS);
+ if ((dnskey.flags &
+ (DNS_KEYFLAG_OWNERMASK|DNS_KEYTYPE_NOAUTH))
+ != DNS_KEYOWNER_ZONE)
+ continue;
+
+ dns_rdata_toregion(&tuple->rdata, &r);
+
+ keyid = dst_region_computeid(&r, dnskey.algorithm);
+
+ buf[0] = dnskey.algorithm;
+ buf[1] = (keyid & 0xff00) >> 8;
+ buf[2] = (keyid & 0xff);
+ buf[3] = (tuple->op == DNS_DIFFOP_ADD) ? 0 : 1;
+ buf[4] = 0;
+ rdata.data = buf;
+ rdata.length = sizeof(buf);
+ rdata.type = privatetype;
+ rdata.rdclass = tuple->rdata.rdclass;
+
+ if (sign_all || tuple->op == DNS_DIFFOP_DEL) {
+ CHECK(rr_exists(db, ver, name, &rdata, &flag));
+ if (flag)
+ continue;
+ CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD,
+ name, 0, &rdata, &newtuple));
+ CHECK(do_one_tuple(&newtuple, db, ver, diff));
+ INSIST(newtuple == NULL);
+ }
+
+ /*
+ * Remove any record which says this operation has already
+ * completed.
+ */
+ buf[4] = 1;
+ CHECK(rr_exists(db, ver, name, &rdata, &flag));
+ if (flag) {
+ CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_DEL,
+ name, 0, &rdata, &newtuple));
+ CHECK(do_one_tuple(&newtuple, db, ver, diff));
+ INSIST(newtuple == NULL);
+ }
+ }
+ failure:
+ return (result);
+}
+
+static isc_result_t
+sign_apex(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
+ dns_diff_t *diff, dns_diff_t *sig_diff)
+{
+ isc_result_t result;
+ isc_stdtime_t now, inception, soaexpire;
+ isc_boolean_t check_ksk, keyset_kskonly;
+ dst_key_t *zone_keys[DNS_MAXZONEKEYS];
+ unsigned int nkeys = 0, i;
+ dns_difftuple_t *tuple;
+
+ result = find_zone_keys(zone, db, ver, zone->mctx, DNS_MAXZONEKEYS,
+ zone_keys, &nkeys);
+ if (result != ISC_R_SUCCESS) {
+ dns_zone_log(zone, ISC_LOG_ERROR,
+ "sign_apex:find_zone_keys -> %s",
+ dns_result_totext(result));
+ return (result);
+ }
+
+ isc_stdtime_get(&now);
+ inception = now - 3600; /* Allow for clock skew. */
+ soaexpire = now + dns_zone_getsigvalidityinterval(zone);
+
+ check_ksk = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_UPDATECHECKKSK);
+ keyset_kskonly = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_DNSKEYKSKONLY);
+
+ /*
+ * See if update_sigs will update DNSKEY signature and if not
+ * cause them to sign so that so that newly activated keys
+ * are used.
+ */
+ for (tuple = ISC_LIST_HEAD(diff->tuples);
+ tuple != NULL;
+ tuple = ISC_LIST_NEXT(tuple, link)) {
+ if (tuple->rdata.type == dns_rdatatype_dnskey &&
+ dns_name_equal(&tuple->name, &zone->origin))
+ break;
+ }
+
+ if (tuple == NULL) {
+ result = del_sigs(zone, db, ver, &zone->origin,
+ dns_rdatatype_dnskey, sig_diff,
+ zone_keys, nkeys, now, ISC_FALSE);
+ if (result != ISC_R_SUCCESS) {
+ dns_zone_log(zone, ISC_LOG_ERROR,
+ "sign_apex:del_sigs -> %s",
+ dns_result_totext(result));
+ goto failure;
+ }
+ result = add_sigs(db, ver, &zone->origin, dns_rdatatype_dnskey,
+ sig_diff, zone_keys, nkeys, zone->mctx,
+ inception, soaexpire, check_ksk,
+ keyset_kskonly);
+ if (result != ISC_R_SUCCESS) {
+ dns_zone_log(zone, ISC_LOG_ERROR,
+ "sign_apex:add_sigs -> %s",
+ dns_result_totext(result));
+ goto failure;
+ }
+ }
+
+ result = update_sigs(diff, db, ver, zone_keys, nkeys, zone,
+ inception, soaexpire, now, check_ksk,
+ keyset_kskonly, sig_diff);
+
+ if (result != ISC_R_SUCCESS) {
+ dns_zone_log(zone, ISC_LOG_ERROR,
+ "sign_apex:update_sigs -> %s",
+ dns_result_totext(result));
+ goto failure;
+ }
+
+ failure:
+ for (i = 0; i < nkeys; i++)
+ dst_key_free(&zone_keys[i]);
+ return (result);
+}
+
+/*
+ * Prevent the zone entering a inconsistent state where
+ * NSEC only DNSKEYs are present with NSEC3 chains.
+ * See update.c:check_dnssec()
+ */
+static isc_boolean_t
+dnskey_sane(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
+ dns_diff_t *diff)
+{
+ isc_result_t result;
+ dns_difftuple_t *tuple;
+ isc_boolean_t nseconly = ISC_FALSE, nsec3 = ISC_FALSE;
+ dns_rdatatype_t privatetype = dns_zone_getprivatetype(zone);
+
+ /* Scan the tuples for an NSEC-only DNSKEY */
+ for (tuple = ISC_LIST_HEAD(diff->tuples);
+ tuple != NULL;
+ tuple = ISC_LIST_NEXT(tuple, link)) {
+ isc_uint8_t alg;
+ if (tuple->rdata.type != dns_rdatatype_dnskey ||
+ tuple->op != DNS_DIFFOP_ADD)
+ continue;
+
+ alg = tuple->rdata.data[3];
+ if (alg == DST_ALG_RSAMD5 || alg == DST_ALG_RSASHA1 ||
+ alg == DST_ALG_DSA || alg == DST_ALG_ECC) {
+ nseconly = ISC_TRUE;
+ break;
+ }
+ }
+
+ /* Check existing DB for NSEC-only DNSKEY */
+ if (!nseconly)
+ CHECK(dns_nsec_nseconly(db, ver, &nseconly));
+
+ /* Check existing DB for NSEC3 */
+ if (!nsec3)
+ CHECK(dns_nsec3_activex(db, ver, ISC_FALSE,
+ privatetype, &nsec3));
+
+ /* Refuse to allow NSEC3 with NSEC-only keys */
+ if (nseconly && nsec3) {
+ dns_zone_log(zone, ISC_LOG_ERROR,
+ "NSEC only DNSKEYs and NSEC3 chains not allowed");
+ goto failure;
+ }
+
+ return (ISC_TRUE);
+
+ failure:
+ return (ISC_FALSE);
+}
+
+static isc_result_t
+clean_nsec3param(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
+ dns_diff_t *diff)
+{
+ isc_result_t result;
+ dns_dbnode_t *node = NULL;
+ dns_rdataset_t rdataset;
+
+ dns_rdataset_init(&rdataset);
+ CHECK(dns_db_getoriginnode(db, &node));
+
+ result = dns_db_findrdataset(db, node, ver, dns_rdatatype_dnskey,
+ dns_rdatatype_none, 0, &rdataset, NULL);
+ if (dns_rdataset_isassociated(&rdataset))
+ dns_rdataset_disassociate(&rdataset);
+ if (result != ISC_R_NOTFOUND)
+ goto failure;
+
+ result = dns_nsec3param_deletechains(db, ver, zone, diff);
+
+ failure:
+ if (node != NULL)
+ dns_db_detachnode(db, &node);
+ return (result);
+}
+
+/*
+ * Given an RRSIG rdataset and an algorithm, determine whether there
+ * are any signatures using that algorithm.
+ */
+static isc_boolean_t
+signed_with_alg(dns_rdataset_t *rdataset, dns_secalg_t alg) {
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ dns_rdata_rrsig_t rrsig;
+ isc_result_t result;
+
+ REQUIRE(rdataset == NULL || rdataset->type == dns_rdatatype_rrsig);
+ if (rdataset == NULL || !dns_rdataset_isassociated(rdataset)) {
+ return (ISC_FALSE);
+ }
+
+ for (result = dns_rdataset_first(rdataset);
+ result == ISC_R_SUCCESS;
+ result = dns_rdataset_next(rdataset))
+ {
+ dns_rdataset_current(rdataset, &rdata);
+ result = dns_rdata_tostruct(&rdata, &rrsig, NULL);
+ RUNTIME_CHECK(result == ISC_R_SUCCESS);
+ dns_rdata_reset(&rdata);
+ if (rrsig.algorithm == alg)
+ return (ISC_TRUE);
+ }
+
+ return (ISC_FALSE);
+}
+
+static isc_result_t
+add_chains(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
+ dns_diff_t *diff)
+{
+ dns_name_t *origin;
+ isc_boolean_t build_nsec3;
+ isc_result_t result;
+
+ origin = dns_db_origin(db);
+ CHECK(dns_private_chains(db, ver, zone->privatetype, NULL,
+ &build_nsec3));
+ if (build_nsec3)
+ CHECK(dns_nsec3_addnsec3sx(db, ver, origin, zone->minimum,
+ ISC_FALSE, zone->privatetype, diff));
+ CHECK(updatesecure(db, ver, origin, zone->minimum, ISC_TRUE, diff));
+
+ failure:
+ return (result);
+}
+
+static void
+zone_rekey(dns_zone_t *zone) {
+ isc_result_t result;
+ dns_db_t *db = NULL;
+ dns_dbnode_t *node = NULL;
+ dns_dbversion_t *ver = NULL;
+ dns_rdataset_t soaset, soasigs, keyset, keysigs;
+ dns_dnsseckeylist_t dnskeys, keys, rmkeys;
+ dns_dnsseckey_t *key;
+ dns_diff_t diff, sig_diff;
+ isc_boolean_t commit = ISC_FALSE, newactive = ISC_FALSE;
+ isc_boolean_t newalg = ISC_FALSE;
+ isc_boolean_t fullsign;
+ dns_ttl_t ttl = 3600;
+ const char *dir;
+ isc_mem_t *mctx;
+ isc_stdtime_t now;
+ isc_time_t timenow;
+ isc_interval_t ival;
+ char timebuf[80];
+
+ REQUIRE(DNS_ZONE_VALID(zone));
+
+ ISC_LIST_INIT(dnskeys);
+ ISC_LIST_INIT(keys);
+ ISC_LIST_INIT(rmkeys);
+ dns_rdataset_init(&soaset);
+ dns_rdataset_init(&soasigs);
+ dns_rdataset_init(&keyset);
+ dns_rdataset_init(&keysigs);
+ dir = dns_zone_getkeydirectory(zone);
+ mctx = zone->mctx;
+ dns_diff_init(mctx, &diff);
+ dns_diff_init(mctx, &sig_diff);
+ sig_diff.resign = zone->sigresigninginterval;
+
+ CHECK(dns_zone_getdb(zone, &db));
+ CHECK(dns_db_newversion(db, &ver));
+ CHECK(dns_db_getoriginnode(db, &node));
+
+ TIME_NOW(&timenow);
+ now = isc_time_seconds(&timenow);
+
+ dns_zone_log(zone, ISC_LOG_INFO, "reconfiguring zone keys");
+
+ /* Get the SOA record's TTL */
+ CHECK(dns_db_findrdataset(db, node, ver, dns_rdatatype_soa,
+ dns_rdatatype_none, 0, &soaset, &soasigs));
+ ttl = soaset.ttl;
+ dns_rdataset_disassociate(&soaset);
+
+ /* Get the DNSKEY rdataset */
+ result = dns_db_findrdataset(db, node, ver, dns_rdatatype_dnskey,
+ dns_rdatatype_none, 0, &keyset, &keysigs);
+ if (result == ISC_R_SUCCESS) {
+ ttl = keyset.ttl;
+ result = dns_dnssec_keylistfromrdataset(&zone->origin, dir,
+ mctx, &keyset,
+ &keysigs, &soasigs,
+ ISC_FALSE, ISC_FALSE,
+ &dnskeys);
+ /* Can't get keys for some reason; try again later. */
+ if (result != ISC_R_SUCCESS)
+ goto trylater;
+ } else if (result != ISC_R_NOTFOUND)
+ goto failure;
+
+ /*
+ * True when called from "rndc sign". Indicates the zone should be
+ * fully signed now.
+ */
+ fullsign = ISC_TF(DNS_ZONEKEY_OPTION(zone, DNS_ZONEKEY_FULLSIGN) != 0);
+
+ result = dns_dnssec_findmatchingkeys(&zone->origin, dir, mctx, &keys);
+ if (result == ISC_R_SUCCESS) {
+ isc_boolean_t check_ksk;
+ check_ksk = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_UPDATECHECKKSK);
+
+ result = dns_dnssec_updatekeys(&dnskeys, &keys, &rmkeys,
+ &zone->origin, ttl, &diff,
+ ISC_TF(!check_ksk),
+ mctx, logmsg);
+
+ /* Keys couldn't be updated for some reason;
+ * try again later. */
+ if (result != ISC_R_SUCCESS) {
+ dns_zone_log(zone, ISC_LOG_ERROR, "zone_rekey:"
+ "couldn't update zone keys: %s",
+ isc_result_totext(result));
+ goto trylater;
+ }
+
+ /*
+ * See if any pre-existing keys have newly become active;
+ * also, see if any new key is for a new algorithm, as in that
+ * event, we need to sign the zone fully. (If there's a new
+ * key, but it's for an already-existing algorithm, then
+ * the zone signing can be handled incrementally.)
+ */
+ for (key = ISC_LIST_HEAD(dnskeys);
+ key != NULL;
+ key = ISC_LIST_NEXT(key, link)) {
+ if (!key->first_sign)
+ continue;
+
+ newactive = ISC_TRUE;
+
+ if (!dns_rdataset_isassociated(&keysigs)) {
+ newalg = ISC_TRUE;
+ break;
+ }
+
+ if (signed_with_alg(&keysigs, dst_key_alg(key->key))) {
+ /*
+ * This isn't a new algorithm; clear
+ * first_sign so we won't sign the
+ * whole zone with this key later
+ */
+ key->first_sign = ISC_FALSE;
+ } else {
+ newalg = ISC_TRUE;
+ break;
+ }
+ }
+
+ if ((newactive || fullsign || !ISC_LIST_EMPTY(diff.tuples)) &&
+ dnskey_sane(zone, db, ver, &diff)) {
+ CHECK(dns_diff_apply(&diff, db, ver));
+ CHECK(clean_nsec3param(zone, db, ver, &diff));
+ CHECK(add_signing_records(db, zone->privatetype,
+ ver, &diff,
+ ISC_TF(newalg || fullsign)));
+ CHECK(increment_soa_serial(db, ver, &diff, mctx));
+ CHECK(add_chains(zone, db, ver, &diff));
+ CHECK(sign_apex(zone, db, ver, &diff, &sig_diff));
+ CHECK(zone_journal(zone, &sig_diff, "zone_rekey"));
+ commit = ISC_TRUE;
+ }
+ }
+
+ dns_db_closeversion(db, &ver, commit);
+
+ if (commit) {
+ dns_difftuple_t *tuple;
+
+ LOCK_ZONE(zone);
+ DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDNOTIFY);
+
+ zone_needdump(zone, DNS_DUMP_DELAY);
+
+ zone_settimer(zone, &timenow);
+
+ /* Remove any signatures from removed keys. */
+ if (!ISC_LIST_EMPTY(rmkeys)) {
+ for (key = ISC_LIST_HEAD(rmkeys);
+ key != NULL;
+ key = ISC_LIST_NEXT(key, link)) {
+ result = zone_signwithkey(zone,
+ dst_key_alg(key->key),
+ dst_key_id(key->key),
+ ISC_TRUE);
+ if (result != ISC_R_SUCCESS) {
+ dns_zone_log(zone, ISC_LOG_ERROR,
+ "zone_signwithkey failed: %s",
+ dns_result_totext(result));
+ }
+ }
+ }
+
+ if (fullsign) {
+ /*
+ * "rndc sign" was called, so we now sign the zone
+ * with all active keys, whether they're new or not.
+ */
+ for (key = ISC_LIST_HEAD(dnskeys);
+ key != NULL;
+ key = ISC_LIST_NEXT(key, link)) {
+ if (!key->force_sign && !key->hint_sign)
+ continue;
+
+ result = zone_signwithkey(zone,
+ dst_key_alg(key->key),
+ dst_key_id(key->key),
+ ISC_FALSE);
+ if (result != ISC_R_SUCCESS) {
+ dns_zone_log(zone, ISC_LOG_ERROR,
+ "zone_signwithkey failed: %s",
+ dns_result_totext(result));
+ }
+ }
+ } else if (newalg) {
+ /*
+ * We haven't been told to sign fully, but a new
+ * algorithm was added to the DNSKEY. We sign
+ * the full zone, but only with newly active
+ * keys.
+ */
+ for (key = ISC_LIST_HEAD(dnskeys);
+ key != NULL;
+ key = ISC_LIST_NEXT(key, link)) {
+ if (!key->first_sign)
+ continue;
+
+ result = zone_signwithkey(zone,
+ dst_key_alg(key->key),
+ dst_key_id(key->key),
+ ISC_FALSE);
+ if (result != ISC_R_SUCCESS) {
+ dns_zone_log(zone, ISC_LOG_ERROR,
+ "zone_signwithkey failed: %s",
+ dns_result_totext(result));
+ }
+ }
+ }
+
+ /*
+ * Clear fullsign flag, if it was set, so we don't do
+ * another full signing next time
+ */
+ zone->keyopts &= ~DNS_ZONEKEY_FULLSIGN;
+
+ /*
+ * Cause the zone to add/delete NSEC3 chains for the
+ * deferred NSEC3PARAM changes.
+ */
+ for (tuple = ISC_LIST_HEAD(sig_diff.tuples);
+ tuple != NULL;
+ tuple = ISC_LIST_NEXT(tuple, link)) {
+ unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ dns_rdata_nsec3param_t nsec3param;
+
+ if (tuple->rdata.type != zone->privatetype ||
+ tuple->op != DNS_DIFFOP_ADD)
+ continue;
+
+ if (!dns_nsec3param_fromprivate(&tuple->rdata, &rdata,
+ buf, sizeof(buf)))
+ continue;
+ result = dns_rdata_tostruct(&rdata, &nsec3param, NULL);
+ RUNTIME_CHECK(result == ISC_R_SUCCESS);
+ if (nsec3param.flags == 0)
+ continue;
+
+ result = zone_addnsec3chain(zone, &nsec3param);
+ if (result != ISC_R_SUCCESS) {
+ dns_zone_log(zone, ISC_LOG_ERROR,
+ "zone_addnsec3chain failed: %s",
+ dns_result_totext(result));
+ }
+ }
+
+ /*
+ * Schedule the next resigning event
+ */
+ set_resigntime(zone);
+ UNLOCK_ZONE(zone);
+ }
+
+ isc_time_settoepoch(&zone->refreshkeytime);
+
+ /*
+ * If we're doing key maintenance, set the key refresh timer to
+ * the next scheduled key event or to one hour in the future,
+ * whichever is sooner.
+ */
+ if (DNS_ZONEKEY_OPTION(zone, DNS_ZONEKEY_MAINTAIN)) {
+ isc_time_t timethen;
+ isc_stdtime_t then;
+
+ LOCK_ZONE(zone);
+ DNS_ZONE_TIME_ADD(&timenow, HOUR, &timethen);
+ zone->refreshkeytime = timethen;
+ UNLOCK_ZONE(zone);
+
+ for (key = ISC_LIST_HEAD(dnskeys);
+ key != NULL;
+ key = ISC_LIST_NEXT(key, link)) {
+ then = now;
+ result = next_keyevent(key->key, &then);
+ if (result != ISC_R_SUCCESS)
+ continue;
+
+ DNS_ZONE_TIME_ADD(&timenow, then - now, &timethen);
+ LOCK_ZONE(zone);
+ if (isc_time_compare(&timethen,
+ &zone->refreshkeytime) < 0) {
+ zone->refreshkeytime = timethen;
+ }
+ UNLOCK_ZONE(zone);
+ }
+
+ zone_settimer(zone, &timenow);
+
+ isc_time_formattimestamp(&zone->refreshkeytime, timebuf, 80);
+ dns_zone_log(zone, ISC_LOG_INFO, "next key event: %s", timebuf);
+ }
+
+ failure:
+ dns_diff_clear(&diff);
+ dns_diff_clear(&sig_diff);
+
+ clear_keylist(&dnskeys, mctx);
+ clear_keylist(&keys, mctx);
+ clear_keylist(&rmkeys, mctx);
+
+ if (ver != NULL)
+ dns_db_closeversion(db, &ver, ISC_FALSE);
+ if (dns_rdataset_isassociated(&keyset))
+ dns_rdataset_disassociate(&keyset);
+ if (dns_rdataset_isassociated(&keysigs))
+ dns_rdataset_disassociate(&keysigs);
+ if (dns_rdataset_isassociated(&soasigs))
+ dns_rdataset_disassociate(&soasigs);
+ if (node != NULL)
+ dns_db_detachnode(db, &node);
+ if (db != NULL)
+ dns_db_detach(&db);
+ return;
+
+ trylater:
+ isc_interval_set(&ival, HOUR, 0);
+ isc_time_nowplusinterval(&zone->refreshkeytime, &ival);
+ goto failure;
+}
+
+void
+dns_zone_rekey(dns_zone_t *zone, isc_boolean_t fullsign) {
+ isc_time_t now;
+
+ if (zone->type == dns_zone_master && zone->task != NULL) {
+ LOCK_ZONE(zone);
+
+ if (fullsign)
+ zone->keyopts |= DNS_ZONEKEY_FULLSIGN;
+
+ TIME_NOW(&now);
+ zone->refreshkeytime = now;
+ zone_settimer(zone, &now);
+
+ UNLOCK_ZONE(zone);
+ }
+}
+
+isc_result_t
+dns_zone_nscheck(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *version,
+ unsigned int *errors)
+{
+ isc_result_t result;
+ dns_dbnode_t *node = NULL;
+
+ REQUIRE(DNS_ZONE_VALID(zone));
+ REQUIRE(errors != NULL);
+
+ result = dns_db_getoriginnode(db, &node);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ result = zone_count_ns_rr(zone, db, node, version, NULL, errors,
+ ISC_FALSE);
+ dns_db_detachnode(db, &node);
+ return (result);
+}
+
+void
+dns_zone_setadded(dns_zone_t *zone, isc_boolean_t added) {
+ REQUIRE(DNS_ZONE_VALID(zone));
+ LOCK_ZONE(zone);
+ zone->added = added;
+ UNLOCK_ZONE(zone);
+}
+
+isc_boolean_t
+dns_zone_getadded(dns_zone_t *zone) {
+ REQUIRE(DNS_ZONE_VALID(zone));
+ return (zone->added);
+}
+
+isc_result_t
+dns_zone_dlzpostload(dns_zone_t *zone, dns_db_t *db)
+{
+ isc_time_t loadtime;
+ isc_result_t result;
+ TIME_NOW(&loadtime);
+
+ LOCK_ZONE(zone);
+ result = zone_postload(zone, db, loadtime, ISC_R_SUCCESS);
+ UNLOCK_ZONE(zone);
+ return result;
+}
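Review bot: dns_zone_rekey() and dns_zone_dlzpostload() dereference or lock `zone` without the `REQUIRE(DNS_ZONE_VALID(zone));` precondition that dns_zone_nscheck, dns_zone_setadded and dns_zone_getadded in this same hunk start with, so an invalid handle is not rejected at the API boundary. Adding `REQUIRE(DNS_ZONE_VALID(zone));` as the first statement of both would make them consistent. In zone_rekey, `zone->refreshkeytime` is written under LOCK_ZONE in the key-maintenance block but without it at `isc_time_settoepoch(&zone->refreshkeytime)` and in the `trylater` path; if other tasks can read that field concurrently, those two writes should take the lock as well. dnskey_sane reads `tuple->rdata.data[3]` without checking `rdata.length`, whereas add_signing_records obtains the algorithm through dns_rdata_tostruct; a length guard or the same struct conversion would be the safer form.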
diff --git a/contrib/bind9/lib/dns/zt.c b/contrib/bind9/lib/dns/zt.c
index 0827b99a03be..650d46bf9002 100644
--- a/contrib/bind9/lib/dns/zt.c
+++ b/contrib/bind9/lib/dns/zt.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2007, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
diff --git a/contrib/bind9/lib/export/Makefile.in b/contrib/bind9/lib/export/Makefile.in
new file mode 100644
index 000000000000..1fd72168ed53
--- /dev/null
+++ b/contrib/bind9/lib/export/Makefile.in
@@ -0,0 +1,27 @@
+# Copyright (C) 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.3 2009/09/02 23:48:02 tbox Exp $
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+
+# Note: the order of SUBDIRS is important.
+# Attempt to disable parallel processing.
+.NOTPARALLEL:
+.NO_PARALLEL:
+SUBDIRS = isc dns isccfg irs samples
+TARGETS =
+
+@BIND9_MAKE_RULES@
diff --git a/contrib/bind9/lib/export/dns/Makefile.in b/contrib/bind9/lib/export/dns/Makefile.in
new file mode 100644
index 000000000000..6df36fe8c296
--- /dev/null
+++ b/contrib/bind9/lib/export/dns/Makefile.in
@@ -0,0 +1,179 @@
+# Copyright (C) 2009-2012 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id$
+
+top_srcdir = @top_srcdir@
+srcdir = @top_srcdir@/lib/dns
+export_srcdir = @top_srcdir@/lib/export
+
+# Attempt to disable parallel processing.
+.NOTPARALLEL:
+.NO_PARALLEL:
+
+@BIND9_VERSION@
+
+@LIBDNS_API@
+
+@BIND9_MAKE_INCLUDES@
+
+CINCLUDES = -I. -Iinclude ${DNS_INCLUDES} -I${export_srcdir}/isc/include \
+ ${ISC_INCLUDES} @DST_OPENSSL_INC@ @DST_GSSAPI_INC@
+
+CDEFINES = -DUSE_MD5 @USE_OPENSSL@ @USE_GSSAPI@
+
+CWARNINGS =
+
+ISCLIBS = ../isc/libisc.@A@
+
+ISCDEPLIBS = ../isc/libisc.@A@
+
+LIBS = @LIBS@
+
+# Alphabetically
+
+OPENSSLLINKOBJS = openssl_link.@O@ openssldh_link.@O@ openssldsa_link.@O@ \
+ opensslecdsa_link.@O@ opensslgost_link.@O@ opensslrsa_link.@O@
+
+DSTOBJS = @OPENSSLLINKOBJS@ \
+ dst_api.@O@ dst_lib.@O@ dst_parse.@O@ dst_result.@O@ \
+ gssapi_link.@O@ gssapictx.@O@ hmac_link.@O@ key.@O@
+
+DNSOBJS = acl.@O@ adb.@O@ byaddr.@O@ \
+ cache.@O@ callbacks.@O@ client.@O@ compress.@O@ \
+ db.@O@ dbiterator.@O@ diff.@O@ dispatch.@O@ dlz.@O@ dnssec.@O@ \
+ ds.@O@ \
+ forward.@O@ iptable.@O@ \
+ keytable.@O@ \
+ lib.@O@ log.@O@ \
+ master.@O@ masterdump.@O@ message.@O@ \
+ name.@O@ ncache.@O@ nsec.@O@ nsec3.@O@ \
+ peer.@O@ portlist.@O@ \
+ rbt.@O@ rbtdb.@O@ rcode.@O@ rdata.@O@ \
+ rdatalist.@O@ rdataset.@O@ rdatasetiter.@O@ rdataslab.@O@ \
+ request.@O@ resolver.@O@ result.@O@ soa.@O@ stats.@O@ \
+ tcpmsg.@O@ time.@O@ tsec.@O@ tsig.@O@ ttl.@O@ \
+ validator.@O@ version.@O@ view.@O@
+PORTDNSOBJS = ecdb.@O@
+
+OBJS= ${DNSOBJS} ${OTHEROBJS} ${DSTOBJS} ${PORTDNSOBJS}
+
+# Alphabetically
+
+OPENSSLLINKSRCS = openssl_link.c openssldh_link.c openssldsa_link.c \
+ opensslecdsa_link.c opensslgost_link.c opensslrsa_link.c
+
+DSTSRCS = @OPENSSLLINKSRCS@ \
+ dst_api.c dst_lib.c dst_parse.c \
+ dst_result.c gssapi_link.c gssapictx.c \
+ hmac_link.c key.c
+
+DNSSRCS = acl.c adb.c byaddr.c \
+ cache.c callbacks.c client.c compress.c \
+ db.c dbiterator.c diff.c dispatch.c dlz.c dnssec.c ds.c \
+ forward.c iptable.c \
+ keytable.c \
+ lib.c log.c \
+ master.c masterdump.c message.c \
+ name.c ncache.c nsec.c nsec3.c \
+ peer.c portlist.c \
+ rbt.c rbtdb.c rcode.c rdata.c \
+ rdatalist.c rdataset.c rdatasetiter.c rdataslab.c \
+ request.c res.c resolver.c result.c soa.c stats.c \
+ tcpmsg.c time.c tsec.c tsig.c ttl.c \
+ validator.c version.c view.c
+PORTDNSSRCS = ecdb.c
+
+SRCS = ${DSTSRCS} ${DNSSRCS} ${PORTDNSSRCS}
+
+SUBDIRS = include
+TARGETS = include/dns/enumtype.h include/dns/enumclass.h \
+ include/dns/rdatastruct.h timestamp
+
+DEPENDEXTRA = ./gen -F include/dns/rdatastruct.h \
+ -s ${srcdir} -d >> Makefile ;
+
+@BIND9_MAKE_RULES@
+
+version.@O@: ${srcdir}/version.c
+ ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
+ -DVERSION=\"${VERSION}\" \
+ -DLIBINTERFACE=${LIBINTERFACE} \
+ -DLIBREVISION=${LIBREVISION} \
+ -DLIBAGE=${LIBAGE} \
+ -c ${srcdir}/version.c
+
+libdns.@SA@: ${OBJS}
+ ${AR} ${ARFLAGS} $@ ${OBJS}
+ ${RANLIB} $@
+
+libdns.la: ${OBJS}
+ ${LIBTOOL_MODE_LINK} \
+ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libdns.la \
+ -rpath ${export_libdir} \
+ -version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
+ ${OBJS} ${ISCLIBS} @DNS_CRYPTO_LIBS@ ${LIBS}
+
+timestamp: libdns.@A@
+ touch timestamp
+
+installdirs:
+ $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${export_libdir}
+
+install:: timestamp installdirs
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_DATA} libdns.@A@ \
+ ${DESTDIR}${export_libdir}/
+
+clean distclean::
+ rm -f libdns.@A@ timestamp
+ rm -f gen code.h include/dns/enumtype.h include/dns/enumclass.h
+ rm -f include/dns/rdatastruct.h
+
+newrr::
+ rm -f code.h include/dns/enumtype.h include/dns/enumclass.h
+ rm -f include/dns/rdatastruct.h
+
+include: include/dns/enumtype.h include/dns/enumclass.h \
+ include/dns/rdatastruct.h
+
+rdata.@O@: code.h
+
+include/dns/enumtype.h: gen
+ ./gen -s ${srcdir} -t > $@
+
+include/dns/enumclass.h: gen
+ ./gen -s ${srcdir} -c > $@
+
+include/dns/rdatastruct.h: gen \
+ ${srcdir}/rdata/rdatastructpre.h \
+ ${srcdir}/rdata/rdatastructsuf.h
+ ./gen -s ${srcdir} -i \
+ -P ${srcdir}/rdata/rdatastructpre.h \
+ -S ${srcdir}/rdata/rdatastructsuf.h > $@
+
+code.h: gen
+ ./gen -s ${srcdir} > code.h
+
+gen: ${srcdir}/gen.c
+ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o $@ ${srcdir}/gen.c ${LIBS}
+
+#We don't need rbtdb64 for this library
+#rbtdb64.@O@: rbtdb.c
+
+depend: include/dns/enumtype.h include/dns/enumclass.h \
+ include/dns/rdatastruct.h code.h
+subdirs: include/dns/enumtype.h include/dns/enumclass.h \
+ include/dns/rdatastruct.h code.h
+${OBJS}: include/dns/enumtype.h include/dns/enumclass.h \
+ include/dns/rdatastruct.h
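Review bot: `DNSSRCS` lists `res.c` but `DNSOBJS` has no matching `res.@O@`, so the source and object lists disagree. Whatever consumes `SRCS` (presumably the depend rules pulled in by `@BIND9_MAKE_RULES@`) will process a file that is never linked into libdns. Either drop `res.c` from `DNSSRCS` or add `res.@O@` to `DNSOBJS`, whichever matches the intent. Separately, the generated headers and `code.h` are written with `./gen ... > $@`, so a failing or interrupted `gen` leaves a truncated file that looks up to date on the next run. Writing to a temporary and renaming, e.g. `./gen -s ${srcdir} -t > $@.tmp && mv -f $@.tmp $@`, avoids compiling against a partial header.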
diff --git a/contrib/bind9/lib/export/dns/include/Makefile.in b/contrib/bind9/lib/export/dns/include/Makefile.in
new file mode 100644
index 000000000000..6bf120534079
--- /dev/null
+++ b/contrib/bind9/lib/export/dns/include/Makefile.in
@@ -0,0 +1,23 @@
+# Copyright (C) 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.3 2009/09/02 23:48:02 tbox Exp $
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+
+SUBDIRS = dns dst
+TARGETS =
+
+@BIND9_MAKE_RULES@
diff --git a/contrib/bind9/lib/export/dns/include/dns/Makefile.in b/contrib/bind9/lib/export/dns/include/dns/Makefile.in
new file mode 100644
index 000000000000..b7f51b4a3be2
--- /dev/null
+++ b/contrib/bind9/lib/export/dns/include/dns/Makefile.in
@@ -0,0 +1,56 @@
+# Copyright (C) 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.4 2009/09/18 07:18:04 jinmei Exp $
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+
+@BIND9_VERSION@
+
+HEADERS = acl.h adb.h byaddr.h \
+ cache.h callbacks.h cert.h client.h compress.h \
+ db.h dbiterator.h diff.h dispatch.h dlz.h dnssec.h \
+ ds.h events.h fixedname.h ecdb.h \
+ forward.h iptable.h \
+ keytable.h keyvalues.h \
+ lib.h log.h \
+ master.h masterdump.h message.h \
+ name.h ncache.h nsec.h nsec3.h \
+ peer.h portlist.h \
+ rbt.h rcode.h rdata.h rdataclass.h \
+ rdatalist.h rdataset.h rdatasetiter.h rdataslab.h rdatatype.h \
+ request.h resolver.h result.h \
+ secalg.h secproto.h soa.h stats.h \
+ tcpmsg.h time.h tsec.h tsig.h ttl.h types.h \
+ validator.h version.h view.h
+
+GENHEADERS = enumclass.h enumtype.h rdatastruct.h
+
+SUBDIRS =
+TARGETS =
+
+@BIND9_MAKE_RULES@
+
+installdirs:
+ $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${export_includedir}/dns
+
+install:: installdirs
+ for i in ${HEADERS}; do \
+ ${INSTALL_DATA} ${top_srcdir}/lib/dns/include/dns/$$i \
+ ${DESTDIR}${export_includedir}/dns ; \
+ done
+ for i in ${GENHEADERS}; do \
+ ${INSTALL_DATA} $$i ${DESTDIR}${export_includedir}/dns ; \
+ done
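Review bot: The `install::` loops do not propagate a failed `${INSTALL_DATA}`. A shell `for` loop exits with the status of the last command it ran, so unless the make implementation runs recipes under `sh -e`, a header that fails to install early in the list is masked by later successes and the install reports success with an incomplete header set. Ending each loop body with `|| exit 1`, e.g. `${INSTALL_DATA} $$i ${DESTDIR}${export_includedir}/dns || exit 1 ; \`, makes the target fail on the first error. The same applies to the `HEADERS` loop in lib/export/dns/include/dst/Makefile.in added by this commit.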
diff --git a/contrib/bind9/lib/export/dns/include/dst/Makefile.in b/contrib/bind9/lib/export/dns/include/dst/Makefile.in
new file mode 100644
index 000000000000..f6f540a2ea82
--- /dev/null
+++ b/contrib/bind9/lib/export/dns/include/dst/Makefile.in
@@ -0,0 +1,36 @@
+# Copyright (C) 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.3 2009/09/02 23:48:02 tbox Exp $
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+
+@BIND9_VERSION@
+
+HEADERS = dst.h gssapi.h lib.h result.h
+
+SUBDIRS =
+TARGETS =
+
+@BIND9_MAKE_RULES@
+
+installdirs:
+ $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${export_includedir}/dst
+
+install:: installdirs
+ for i in ${HEADERS}; do \
+ ${INSTALL_DATA} ${top_srcdir}/lib/dns/include/dst/$$i \
+ ${DESTDIR}${export_includedir}/dst ; \
+ done
diff --git a/contrib/bind9/lib/export/irs/Makefile.in b/contrib/bind9/lib/export/irs/Makefile.in
new file mode 100644
index 000000000000..2cbc0bbe271c
--- /dev/null
+++ b/contrib/bind9/lib/export/irs/Makefile.in
@@ -0,0 +1,86 @@
+# Copyright (C) 2009, 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id$
+
+top_srcdir = @top_srcdir@
+srcdir = @top_srcdir@/lib/irs
+export_srcdir = @top_srcdir@/lib/export
+
+@BIND9_VERSION@
+
+@LIBIRS_API@
+
+@BIND9_MAKE_INCLUDES@
+
+CINCLUDES = -I. -I./include -I${srcdir}/include \
+ ${ISCCFG_INCLUDES} -I../dns/include ${DNS_INCLUDES} \
+ -I${export_srcdir}/isc/include ${ISC_INCLUDES}
+CDEFINES =
+CWARNINGS =
+
+# Alphabetically
+OBJS = context.@O@ \
+ dnsconf.@O@ \
+ gai_strerror.@O@ getaddrinfo.@O@ getnameinfo.@O@ \
+ resconf.@O@
+
+# Alphabetically
+SRCS = context.c \
+ dnsconf.c \
+ gai_sterror.c getaddrinfo.c getnameinfo.c \
+ resconf.c
+
+ISCLIBS = ../isc/libisc.@A@
+DNSLIBS = ../dns/libdns.@A@
+ISCCFGLIBS = ../isccfg/libisccfg.@A@
+
+LIBS = @LIBS@
+
+SUBDIRS = include
+TARGETS = timestamp
+
+@BIND9_MAKE_RULES@
+
+version.@O@: ${srcdir}/version.c
+ ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
+ -DVERSION=\"${VERSION}\" \
+ -DLIBINTERFACE=${LIBINTERFACE} \
+ -DLIBREVISION=${LIBREVISION} \
+ -DLIBAGE=${LIBAGE} \
+ -c ${srcdir}/version.c
+
+libirs.@SA@: ${OBJS} version.@O@
+ ${AR} ${ARFLAGS} $@ ${OBJS} version.@O@
+ ${RANLIB} $@
+
+libirs.la: ${OBJS} version.@O@
+ ${LIBTOOL_MODE_LINK} \
+ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libirs.la \
+ -rpath ${export_libdir} \
+ -version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
+ ${OBJS} version.@O@ ${LIBS} ${ISCCFGLIBS} ${DNSLIBS} ${ISCLIBS}
+
+timestamp: libirs.@A@
+ touch timestamp
+
+installdirs:
+ $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${export_libdir}
+
+install:: timestamp installdirs
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_DATA} libirs.@A@ \
+ ${DESTDIR}${export_libdir}/
+
+clean distclean::
+ rm -f libirs.@A@ libirs.la timestamp
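Review bot: `SRCS` lists `gai_sterror.c`, while `OBJS` a few lines above lists `gai_strerror.@O@`, so the source name looks like a typo for `gai_strerror.c`. The rules that consume `SRCS` come from `@BIND9_MAKE_RULES@` and are not visible here, but anything driven by that list (dependency generation, presumably) would look for a file that does not exist. The line should read `gai_strerror.c getaddrinfo.c getnameinfo.c \`.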
diff --git a/contrib/bind9/lib/export/irs/include/Makefile.in b/contrib/bind9/lib/export/irs/include/Makefile.in
new file mode 100644
index 000000000000..2c167d17637a
--- /dev/null
+++ b/contrib/bind9/lib/export/irs/include/Makefile.in
@@ -0,0 +1,24 @@
+# Copyright (C) 2009, 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id$
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+
+
+SUBDIRS = irs
+TARGETS =
+
+@BIND9_MAKE_RULES@
diff --git a/contrib/bind9/lib/export/irs/include/irs/Makefile.in b/contrib/bind9/lib/export/irs/include/irs/Makefile.in
new file mode 100644
index 000000000000..530e67c847ef
--- /dev/null
+++ b/contrib/bind9/lib/export/irs/include/irs/Makefile.in
@@ -0,0 +1,46 @@
+# Copyright (C) 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.3 2009/09/02 23:48:02 tbox Exp $
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+
+#
+# Only list headers that are to be installed and are not
+# machine generated. The latter are handled specially in the
+# install target below.
+#
+HEADERS = context.h dnsconf.h resconf.h types.h version.h
+
+SUBDIRS =
+TARGETS =
+
+@BIND9_MAKE_RULES@
+
+installdirs:
+ $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${export_includedir}/irs
+
+install:: installdirs
+ for i in ${HEADERS}; do \
+ ${INSTALL_DATA} ${top_srcdir}/lib/irs/include/irs/$$i \
+ ${DESTDIR}${export_includedir}/irs ; \
+ done
+ ${INSTALL_DATA} ${top_srcdir}/lib/irs/include/irs/netdb.h \
+ ${DESTDIR}${export_includedir}/irs
+ ${INSTALL_DATA} ${top_srcdir}/lib/irs/include/irs/platform.h \
+ ${DESTDIR}${export_includedir}/irs
+
+distclean::
+ rm -f netdb.h platform.h
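Review bot: `install::` copies `netdb.h` and `platform.h` from `${top_srcdir}/lib/irs/include/irs/`, yet the comment above `HEADERS` calls them machine generated and `distclean::` removes them from the current directory. If configure writes these files into the build tree, an out-of-tree build would not find them under `top_srcdir`, and the `rm -f` here would be cleaning a directory they are never written to. It is worth confirming where they are generated and adding a comment such as `# generated by configure in <build dir>/lib/irs/include/irs` next to the two install lines. isc/include/isc/Makefile.in has the same pattern for `platform.h`.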
diff --git a/contrib/bind9/lib/export/isc/Makefile.in b/contrib/bind9/lib/export/isc/Makefile.in
new file mode 100644
index 000000000000..86726ab34d22
--- /dev/null
+++ b/contrib/bind9/lib/export/isc/Makefile.in
@@ -0,0 +1,139 @@
+# Copyright (C) 2009, 2010, 2012 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.8 2010/06/09 23:50:58 tbox Exp $
+
+top_srcdir = @top_srcdir@
+srcdir = @top_srcdir@/lib/isc
+export_srcdir = @top_srcdir@/lib/export
+
+@BIND9_VERSION@
+
+@LIBISC_API@
+
+CINCLUDES = -I${srcdir}/unix/include \
+ -I${srcdir}/@ISC_THREAD_DIR@/include \
+ -I${srcdir}/@ISC_ARCH_DIR@/include \
+ -I${export_srcdir}/isc/include -I${srcdir}/include \
+ @ISC_OPENSSL_INC@
+CDEFINES = @USE_OPENSSL@ -DUSE_APPIMPREGISTER -DUSE_MEMIMPREGISTER \
+ -DUSE_SOCKETIMPREGISTER -DUSE_TASKIMPREGISTER \
+ -DUSE_TIMERIMPREGISTER
+CWARNINGS =
+
+# Alphabetically
+# {file,dir}.c is necessary for isclog
+# symtab.c is necessary for isccfg
+APIOBJS = app_api.@O@ mem_api.@O@ socket_api.@O@ \
+ task_api.@O@ timer_api.@O@
+
+ISCDRIVEROBJS = mem.@O@ unix/socket.@O@ task.@O@ timer.@O@ lib.@O@ \
+ heap.@O@ #timer module depends on this
+
+UNIXOBJS = @ISC_ISCIPV6_O@ \
+ unix/app.@O@ \
+ unix/dir.@O@ \
+ unix/errno2result.@O@ \
+ unix/file.@O@ \
+ unix/fsaccess.@O@ \
+ unix/stdio.@O@ \
+ unix/stdtime.@O@ unix/strerror.@O@ unix/time.@O@
+
+NLSOBJS = nls/msgcat.@O@
+
+THREADOPTOBJS = @ISC_THREAD_DIR@/condition.@O@ @ISC_THREAD_DIR@/mutex.@O@
+
+THREADOBJS = @THREADOPTOBJS@ @ISC_THREAD_DIR@/thread.@O@
+
+WIN32OBJS = win32/condition.@O@ win32/dir.@O@ win32/file.@O@ \
+ win32/fsaccess.@O@ win32/once.@O@ win32/stdtime.@O@ \
+ win32/thread.@O@ win32/time.@O@
+
+# Alphabetically
+OBJS = @ISC_EXTRA_OBJS@ \
+ assertions.@O@ backtrace.@O@ backtrace-emptytbl.@O@ base32.@O@ \
+ base64.@O@ buffer.@O@ bufferlist.@O@ \
+ error.@O@ event.@O@ \
+ hash.@O@ hex.@O@ hmacmd5.@O@ hmacsha.@O@ \
+ inet_aton.@O@ iterated_hash.@O@ lex.@O@ lfsr.@O@ log.@O@ \
+ md5.@O@ mutexblock.@O@ \
+ netaddr.@O@ netscope.@O@ \
+ ondestroy.@O@ \
+ parseint.@O@ portset.@O@ radix.@O@ \
+ random.@O@ refcount.@O@ region.@O@ result.@O@ rwlock.@O@ \
+ serial.@O@ sha1.@O@ sha2.@O@ sockaddr.@O@ stats.@O@ string.@O@ \
+ symtab.@O@ \
+ version.@O@ \
+ ${APIOBJS} ${ISCDRIVEROBJS} \
+ ${UNIXOBJS} ${NLSOBJS} ${THREADOBJS}
+
+# Alphabetically
+APISRCS = app_api.c mem_api.c socket_api.c \
+ task_api.c timer_api.c
+
+ISCDRIVERSRCS = mem.c task.c lib.c timer.c heap.c
+
+SRCS = @ISC_EXTRA_SRCS@ \
+ assertions.c backtrace.c backtrace-emptytbl.c base32.c \
+ base64.c buffer.c bufferlist.c \
+ error.c event.c \
+ hash.c hex.c hmacmd5.c hmacsha.c \
+ inet_aton.c iterated_hash.c lex.c log.c lfsr.c \
+ md5.c mutexblock.c \
+ netaddr.c netscope.c \
+ ondestroy.c \
+ parseint.c portset.c radix.c \
+ random.c refcount.c region.c result.c rwlock.c \
+ serial.c sha1.c sha2.c sockaddr.c stats.c string.c symtab.c \
+ version.c \
+ ${APISRCS} ${ISCDRIVERSRCS}
+
+LIBS = @LIBS@
+
+SUBDIRS = include unix nls @ISC_THREAD_DIR@
+TARGETS = timestamp
+
+@BIND9_MAKE_RULES@
+
+version.@O@: ${srcdir}/version.c
+ ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
+ -DVERSION=\"${VERSION}\" \
+ -DLIBINTERFACE=${LIBINTERFACE} \
+ -DLIBREVISION=${LIBREVISION} \
+ -DLIBAGE=${LIBAGE} \
+ -c ${srcdir}/version.c
+
+libisc.@SA@: ${OBJS}
+ ${AR} ${ARFLAGS} $@ ${OBJS}
+ ${RANLIB} $@
+
+libisc.la: ${OBJS}
+ ${LIBTOOL_MODE_LINK} \
+ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisc.la \
+ -rpath ${export_libdir} \
+ -version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
+ ${OBJS} ${LIBS}
+
+timestamp: libisc.@A@
+ touch timestamp
+
+installdirs:
+ $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${export_libdir}
+
+install:: timestamp installdirs
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_DATA} libisc.@A@ \
+ ${DESTDIR}${export_libdir}
+
+clean distclean::
+ rm -f libisc.@A@ libisc.la timestamp
diff --git a/contrib/bind9/lib/export/isc/include/Makefile.in b/contrib/bind9/lib/export/isc/include/Makefile.in
new file mode 100644
index 000000000000..1b7c65974521
--- /dev/null
+++ b/contrib/bind9/lib/export/isc/include/Makefile.in
@@ -0,0 +1,24 @@
+# Copyright (C) 2009, 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id$
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+
+
+SUBDIRS = isc
+TARGETS =
+
+@BIND9_MAKE_RULES@
diff --git a/contrib/bind9/lib/export/isc/include/isc/Makefile.in b/contrib/bind9/lib/export/isc/include/isc/Makefile.in
new file mode 100644
index 000000000000..91f538c4c17d
--- /dev/null
+++ b/contrib/bind9/lib/export/isc/include/isc/Makefile.in
@@ -0,0 +1,66 @@
+# Copyright (C) 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.3 2009/12/05 23:31:41 each Exp $
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+export_srcdir = @top_srcdir@/lib/export
+
+@BIND9_VERSION@
+
+#
+# Only list headers that are to be installed and are not
+# machine generated. The latter are handled specially in the
+# install target below.
+#
+HEADERS = app.h assertions.h base64.h bitstring.h boolean.h \
+ buffer.h bufferlist.h commandline.h entropy.h error.h event.h \
+ eventclass.h file.h formatcheck.h fsaccess.h \
+ hash.h heap.h hex.h hmacmd5.h \
+ httpd.h \
+ interfaceiter.h @ISC_IPV6_H@ iterated_hash.h lang.h lex.h \
+ lfsr.h lib.h list.h log.h \
+ magic.h md5.h mem.h msgcat.h msgs.h \
+ mutexblock.h namespace.h netaddr.h ondestroy.h os.h parseint.h \
+ print.h quota.h radix.h random.h ratelimiter.h \
+ refcount.h region.h resource.h \
+ result.h resultclass.h rwlock.h serial.h sha1.h sha2.h \
+ sockaddr.h socket.h stdio.h stdlib.h string.h \
+ symtab.h \
+ task.h taskpool.h timer.h types.h util.h version.h \
+ xml.h
+
+SUBDIRS =
+TARGETS =
+
+@BIND9_MAKE_RULES@
+
+installdirs:
+ $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${export_includedir}/isc
+
+install:: installdirs
+ for i in ${HEADERS}; do \
+ ${INSTALL_DATA} ${top_srcdir}/lib/isc/include/isc/$$i \
+ ${DESTDIR}${export_includedir}/isc ; \
+ done
+ ${INSTALL_DATA} ${top_srcdir}/lib/isc/include/isc/platform.h \
+ ${DESTDIR}${export_includedir}/isc
+ ${INSTALL_DATA} ${top_srcdir}/lib/isc/@ISC_ARCH_DIR@/include/isc/atomic.h \
+ ${DESTDIR}${export_includedir}/isc
+ ${INSTALL_DATA} ${export_srcdir}/isc/include/isc/bind9.h \
+ ${DESTDIR}${export_includedir}/isc
+
+distclean::
+ rm -f platform.h
diff --git a/contrib/bind9/lib/export/isc/include/isc/bind9.h b/contrib/bind9/lib/export/isc/include/isc/bind9.h
new file mode 100644
index 000000000000..e96789b6d8f1
--- /dev/null
+++ b/contrib/bind9/lib/export/isc/include/isc/bind9.h
@@ -0,0 +1,30 @@
+/*
+ * Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: bind9.h,v 1.2 2009/12/05 23:31:41 each Exp $ */
+
+#ifndef ISC_BIND9_H
+#define ISC_BIND9_H 1
+
+/*
+ * This determines whether we are building BIND9 or using the exported
+ * libisc/libdns libraries. The version of this file included in the
+ * standard BIND9 build defines BIND9; the version included with the
+ * exportable libraries does not.
+ */
+#undef BIND9
+
+#endif /* ISC_BIND9_H */
diff --git a/contrib/bind9/lib/export/isc/nls/Makefile.in b/contrib/bind9/lib/export/isc/nls/Makefile.in
new file mode 100644
index 000000000000..25156854d1e1
--- /dev/null
+++ b/contrib/bind9/lib/export/isc/nls/Makefile.in
@@ -0,0 +1,35 @@
+# Copyright (C) 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.3 2009/09/02 23:48:02 tbox Exp $
+
+top_srcdir = @top_srcdir@
+srcdir = @top_srcdir@/lib/isc/nls
+
+@BIND9_MAKE_INCLUDES@
+
+CINCLUDES = -I${srcdir}/unix/include \
+ ${ISC_INCLUDES}
+
+CDEFINES =
+CWARNINGS =
+
+OBJS = msgcat.@O@
+
+SRCS = msgcat.c
+
+SUBDIRS =
+TARGETS = ${OBJS}
+
+@BIND9_MAKE_RULES@
diff --git a/contrib/bind9/lib/export/isc/nothreads/Makefile.in b/contrib/bind9/lib/export/isc/nothreads/Makefile.in
new file mode 100644
index 000000000000..994da6362c6b
--- /dev/null
+++ b/contrib/bind9/lib/export/isc/nothreads/Makefile.in
@@ -0,0 +1,40 @@
+# Copyright (C) 2009, 2010, 2012 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.5 2010/06/09 23:50:58 tbox Exp $
+
+top_srcdir = @top_srcdir@
+srcdir = @top_srcdir@/lib/isc/nothreads
+
+@BIND9_MAKE_INCLUDES@
+
+CINCLUDES = -I${srcdir}/include \
+ -I${srcdir}/../unix/include \
+ -I../include \
+ -I${srcdir}/../include \
+ -I${srcdir}/..
+
+CDEFINES =
+CWARNINGS =
+
+THREADOPTOBJS = condition.@O@ mutex.@O@
+OBJS = @THREADOPTOBJS@ thread.@O@
+
+THREADOPTSRCS = condition.c mutex.c
+SRCS = @THREADOPTSRCS@ thread.c
+
+SUBDIRS = include
+TARGETS = ${OBJS}
+
+@BIND9_MAKE_RULES@
diff --git a/contrib/bind9/lib/export/isc/nothreads/include/Makefile.in b/contrib/bind9/lib/export/isc/nothreads/include/Makefile.in
new file mode 100644
index 000000000000..1b7c65974521
--- /dev/null
+++ b/contrib/bind9/lib/export/isc/nothreads/include/Makefile.in
@@ -0,0 +1,24 @@
+# Copyright (C) 2009, 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id$
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+
+
+SUBDIRS = isc
+TARGETS =
+
+@BIND9_MAKE_RULES@
diff --git a/contrib/bind9/lib/export/isc/nothreads/include/isc/Makefile.in b/contrib/bind9/lib/export/isc/nothreads/include/isc/Makefile.in
new file mode 100644
index 000000000000..9bda987ddcd1
--- /dev/null
+++ b/contrib/bind9/lib/export/isc/nothreads/include/isc/Makefile.in
@@ -0,0 +1,36 @@
+# Copyright (C) 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.2 2009/09/01 00:22:27 jinmei Exp $
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+
+@BIND9_VERSION@
+
+HEADERS = condition.h mutex.h once.h thread.h
+
+SUBDIRS =
+TARGETS =
+
+@BIND9_MAKE_RULES@
+
+installdirs:
+ $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${export_includedir}/isc
+
+install:: installdirs
+ for i in ${HEADERS}; do \
+ ${INSTALL_DATA} $(top_srcdir)/lib/isc/nothreads/include/isc/$$i \
+ ${DESTDIR}${export_includedir}/isc ; \
+ done
diff --git a/contrib/bind9/lib/export/isc/pthreads/Makefile.in b/contrib/bind9/lib/export/isc/pthreads/Makefile.in
new file mode 100644
index 000000000000..f08e5c630b39
--- /dev/null
+++ b/contrib/bind9/lib/export/isc/pthreads/Makefile.in
@@ -0,0 +1,38 @@
+# Copyright (C) 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.3 2009/09/02 23:48:02 tbox Exp $
+
+top_srcdir = @top_srcdir@
+srcdir = @top_srcdir@/lib/isc/pthreads
+
+@BIND9_MAKE_INCLUDES@
+
+CINCLUDES = -I${srcdir}/include \
+ -I${srcdir}/../unix/include \
+ -I../include \
+ -I${srcdir}/../include \
+ -I${srcdir}/..
+
+CDEFINES =
+CWARNINGS =
+
+OBJS = condition.@O@ mutex.@O@ thread.@O@
+
+SRCS = condition.c mutex.c thread.c
+
+SUBDIRS = include
+TARGETS = ${OBJS}
+
+@BIND9_MAKE_RULES@
diff --git a/contrib/bind9/lib/export/isc/pthreads/include/Makefile.in b/contrib/bind9/lib/export/isc/pthreads/include/Makefile.in
new file mode 100644
index 000000000000..1b7c65974521
--- /dev/null
+++ b/contrib/bind9/lib/export/isc/pthreads/include/Makefile.in
@@ -0,0 +1,24 @@
+# Copyright (C) 2009, 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id$
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+
+
+SUBDIRS = isc
+TARGETS =
+
+@BIND9_MAKE_RULES@
diff --git a/contrib/bind9/lib/export/isc/pthreads/include/isc/Makefile.in b/contrib/bind9/lib/export/isc/pthreads/include/isc/Makefile.in
new file mode 100644
index 000000000000..431976853726
--- /dev/null
+++ b/contrib/bind9/lib/export/isc/pthreads/include/isc/Makefile.in
@@ -0,0 +1,36 @@
+# Copyright (C) 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.2 2009/09/01 00:22:27 jinmei Exp $
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+
+@BIND9_VERSION@
+
+HEADERS = condition.h mutex.h once.h thread.h
+
+SUBDIRS =
+TARGETS =
+
+@BIND9_MAKE_RULES@
+
+installdirs:
+ $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${export_includedir}/isc
+
+install:: installdirs
+ for i in ${HEADERS}; do \
+ ${INSTALL_DATA} $(top_srcdir)/lib/isc/pthreads/include/isc/$$i \
+ ${DESTDIR}${export_includedir}/isc ; \
+ done
diff --git a/contrib/bind9/lib/export/isc/unix/Makefile.in b/contrib/bind9/lib/export/isc/unix/Makefile.in
new file mode 100644
index 000000000000..f5cf7e86caf6
--- /dev/null
+++ b/contrib/bind9/lib/export/isc/unix/Makefile.in
@@ -0,0 +1,57 @@
+# Copyright (C) 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.3 2009/09/02 23:48:02 tbox Exp $
+
+top_srcdir = @top_srcdir@
+srcdir = @top_srcdir@/lib/isc/unix
+
+@BIND9_MAKE_INCLUDES@
+
+CINCLUDES = -I${srcdir}/include \
+ -I${srcdir}/../@ISC_THREAD_DIR@/include \
+ -I../include \
+ -I${srcdir}/../include \
+ -I${srcdir}/..
+
+CDEFINES = -DUSE_SOCKETIMPREGISTER -DUSE_APPIMPREGISTER
+
+CWARNINGS =
+
+# Alphabetically
+ISCDRIVEROBJS = app.@O@ socket.@O@
+
+OBJS = @ISC_IPV6_O@ \
+ dir.@O@ \
+ errno2result.@O@ \
+ file.@O@ fsaccess.@O@ \
+ stdio.@O@ stdtime.@O@ strerror.@O@ \
+ time.@O@ \
+ ${ISCDRIVEROBJS}
+
+# Alphabetically
+ISCDRIVERSRCS = app.c socket.c
+
+SRCS = @ISC_IPV6_C@ \
+ dir.c \
+ errno2result.c \
+ file.c fsaccess.c \
+ stdio.c stdtime.c strerror.c \
+ time.c \
+ ${ISCDRIVERSRCS}
+
+SUBDIRS = include
+TARGETS = ${OBJS}
+
+@BIND9_MAKE_RULES@
diff --git a/contrib/bind9/lib/export/isc/unix/include/Makefile.in b/contrib/bind9/lib/export/isc/unix/include/Makefile.in
new file mode 100644
index 000000000000..1b7c65974521
--- /dev/null
+++ b/contrib/bind9/lib/export/isc/unix/include/Makefile.in
@@ -0,0 +1,24 @@
+# Copyright (C) 2009, 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id$
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+
+
+SUBDIRS = isc
+TARGETS =
+
+@BIND9_MAKE_RULES@
diff --git a/contrib/bind9/lib/export/isc/unix/include/isc/Makefile.in b/contrib/bind9/lib/export/isc/unix/include/isc/Makefile.in
new file mode 100644
index 000000000000..7159c76865ca
--- /dev/null
+++ b/contrib/bind9/lib/export/isc/unix/include/isc/Makefile.in
@@ -0,0 +1,37 @@
+# Copyright (C) 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.2 2009/09/01 00:22:27 jinmei Exp $
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+
+@BIND9_VERSION@
+
+HEADERS = dir.h int.h net.h netdb.h offset.h stdtime.h \
+ syslog.h time.h
+
+SUBDIRS =
+TARGETS =
+
+@BIND9_MAKE_RULES@
+
+installdirs:
+ $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${export_includedir}/isc
+
+install:: installdirs
+ for i in ${HEADERS}; do \
+ ${INSTALL_DATA} $(top_srcdir)/lib/isc/unix/include/isc/$$i \
+ ${DESTDIR}${export_includedir}/isc ; \
+ done
diff --git a/contrib/bind9/lib/export/isccfg/Makefile.in b/contrib/bind9/lib/export/isccfg/Makefile.in
new file mode 100644
index 000000000000..907af5086e22
--- /dev/null
+++ b/contrib/bind9/lib/export/isccfg/Makefile.in
@@ -0,0 +1,83 @@
+# Copyright (C) 2009, 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id$
+
+top_srcdir = @top_srcdir@
+srcdir = @top_srcdir@/lib/isccfg
+export_srcdir = @top_srcdir@/lib/export
+
+@BIND9_VERSION@
+
+@LIBISCCFG_API@
+
+@BIND9_MAKE_INCLUDES@
+
+CINCLUDES = -I. ${DNS_INCLUDES} -I${export_srcdir}/isc/include \
+ ${ISC_INCLUDES} ${ISCCFG_INCLUDES}
+
+CDEFINES =
+CWARNINGS =
+
+ISCLIBS = ../isc/libisc.@A@
+DNSLIBS = ../dns/libdns.@A@
+
+ISCDEPLIBS = ../../lib/isc/libisc.@A@
+ISCCFGDEPLIBS = libisccfg.@A@
+
+LIBS = @LIBS@
+
+SUBDIRS = include
+
+# Alphabetically
+OBJS = dnsconf.@O@ log.@O@ parser.@O@ version.@O@
+
+# Alphabetically
+SRCS = dnsconf.c log.c parser.c version.c
+
+TARGETS = timestamp
+
+@BIND9_MAKE_RULES@
+
+version.@O@: ${srcdir}/version.c
+ ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
+ -DVERSION=\"${VERSION}\" \
+ -DLIBINTERFACE=${LIBINTERFACE} \
+ -DLIBREVISION=${LIBREVISION} \
+ -DLIBAGE=${LIBAGE} \
+ -c ${srcdir}/version.c
+
+libisccfg.@SA@: ${OBJS}
+ ${AR} ${ARFLAGS} $@ ${OBJS}
+ ${RANLIB} $@
+
+libisccfg.la: ${OBJS}
+ ${LIBTOOL_MODE_LINK} \
+ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisccfg.la \
+ -rpath ${export_libdir} \
+ -version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
+ ${OBJS} ${LIBS} ${DNSLIBS} ${ISCLIBS}
+
+timestamp: libisccfg.@A@
+ touch timestamp
+
+installdirs:
+ $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${export_libdir}
+
+install:: timestamp installdirs
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_DATA} libisccfg.@A@ \
+ ${DESTDIR}${export_libdir}/
+
+clean distclean::
+ rm -f libisccfg.@A@ timestamp
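Review bot: `clean distclean::` removes `libisccfg.@A@ timestamp` but not `libisccfg.la`, unlike the irs and isc Makefile.in files in this commit, which also remove their `.la` target. A stale libtool archive could survive `make clean` when `@A@` is not `la`; `rm -f libisccfg.@A@ libisccfg.la timestamp` would match the siblings. Separately, `ISCDEPLIBS` and `ISCCFGDEPLIBS` are not used by any rule visible in this file, and `ISCDEPLIBS` points at `../../lib/isc/libisc.@A@` rather than the export build of libisc, so a comment saying whether that is intended would help.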
diff --git a/contrib/bind9/lib/export/isccfg/include/Makefile.in b/contrib/bind9/lib/export/isccfg/include/Makefile.in
new file mode 100644
index 000000000000..9733c11c7bd8
--- /dev/null
+++ b/contrib/bind9/lib/export/isccfg/include/Makefile.in
@@ -0,0 +1,24 @@
+# Copyright (C) 2009, 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id$
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+
+
+SUBDIRS = isccfg
+TARGETS =
+
+@BIND9_MAKE_RULES@
diff --git a/contrib/bind9/lib/export/isccfg/include/isccfg/Makefile.in b/contrib/bind9/lib/export/isccfg/include/isccfg/Makefile.in
new file mode 100644
index 000000000000..57a344cc24e3
--- /dev/null
+++ b/contrib/bind9/lib/export/isccfg/include/isccfg/Makefile.in
@@ -0,0 +1,42 @@
+# Copyright (C) 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.3 2009/09/02 23:48:02 tbox Exp $
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+
+@BIND9_VERSION@
+
+#
+# Only list headers that are to be installed and are not
+# machine generated. The latter are handled specially in the
+# install target below.
+#
+HEADERS = cfg.h grammar.h log.h dnsconf.h version.h
+
+SUBDIRS =
+TARGETS =
+
+@BIND9_MAKE_RULES@
+
+installdirs:
+ $(SHELL) ${top_srcdir}/mkinstalldirs \
+ ${DESTDIR}${export_includedir}/isccfg
+
+install:: installdirs
+ for i in ${HEADERS}; do \
+ ${INSTALL_DATA} ${top_srcdir}/lib/isccfg/include/isccfg/$$i \
+ ${DESTDIR}${export_includedir}/isccfg ; \
+ done
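Review bot: The `install::` recipe's `for i in ${HEADERS}` loop returns the status of the last `${INSTALL_DATA}` only, so a failed copy of an earlier header goes unnoticed unless make's shell happens to run with `-e`. Making the failure explicit fixes that: `${DESTDIR}${export_includedir}/isccfg || exit 1 ; \`. Separately, the comment above `HEADERS` says machine-generated headers are "handled specially in the install target below", but the install target visible here only loops over `HEADERS`. That sentence should be dropped, or reworded as `# Only list headers that are to be installed; this directory has no machine-generated headers.` if that is the case.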
diff --git a/contrib/bind9/lib/export/samples/Makefile-postinstall.in b/contrib/bind9/lib/export/samples/Makefile-postinstall.in
new file mode 100644
index 000000000000..5b1aafba724f
--- /dev/null
+++ b/contrib/bind9/lib/export/samples/Makefile-postinstall.in
@@ -0,0 +1,78 @@
+# Copyright (C) 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile-postinstall.in,v 1.3 2009/09/02 23:48:02 tbox Exp $
+
+srcdir = @srcdir@
+#prefix = @prefix@
+#exec_prefix = @exec_prefix@
+
+CDEFINES =
+CWARNINGS =
+
+DNSLIBS = -ldns @DNS_CRYPTO_LIBS@
+ISCLIBS = -lisc
+ISCCFGLIBS = -lisccfg
+IRSLIBS = -lirs
+
+LIBS = ${DNSLIBS} ${ISCCFGLIBS} ${ISCLIBS} @LIBS@
+
+SUBDIRS =
+
+TARGETS = sample@EXEEXT@ sample-async@EXEEXT@ sample-gai@EXEEXT@ \
+ sample-update@EXEEXT@ sample-request@EXEEXT@ nsprobe@EXEEXT@ \
+ dlvchecks@EXEEXT@
+
+OBJS = sample.@O@ sample-async.@O@ sample-gai.@O@ sample-update.@O@ \
+ sample-request.@O@ nsprobe.@O@ dlvchecks.@O@
+
+SRCS = sample.c sample-async.c sample-gai.c sample-update.c \
+ sample-request.c nsprobe.c dlvchecks..c
+
+@BIND9_MAKE_RULES@
+
+# The following two may depend on BIND9_MAKE_RULES
+CINCLUDES = -I@export_includedir@
+LDFLAGS = -L@export_libdir@
+
+sample@EXEEXT@: sample.@O@ ${DEPLIBS}
+ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+ sample.@O@ ${LIBS}
+
+sample-async@EXEEXT@: sample-async.@O@ ${DEPLIBS}
+ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+ sample-async.@O@ ${LIBS}
+
+sample-gai@EXEEXT@: sample-gai.@O@ ${IRSDEPLIBS} ${DEPLIBS}
+ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+ sample-gai.@O@ ${IRSLIBS} ${LIBS}
+
+sample-update@EXEEXT@: sample-update.@O@ ${DEPLIBS}
+ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+ sample-update.@O@ ${LIBS}
+
+sample-request@EXEEXT@: sample-request.@O@ ${DEPLIBS}
+ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+ sample-request.@O@ ${LIBS}
+
+nsprobe@EXEEXT@: nsprobe.@O@ ${DEPLIBS}
+ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+ nsprobe.@O@ ${LIBS}
+
+dlvchecks@EXEEXT@: dlvchecks.@O@ ${DEPLIBS}
+ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+ dlvchecks.@O@ ${LIBS}
+
+clean distclean maintainer-clean::
+ rm -f ${TARGETS}
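Review bot: `SRCS` ends with `dlvchecks..c` (doubled dot), which names no file matching `dlvchecks.@O@` in `OBJS`; the line should read `sample-request.c nsprobe.c dlvchecks.c`. Anything in `@BIND9_MAKE_RULES@` that consumes `SRCS` (presumably dependency generation) would look for the wrong file. `dlvchecks` is also listed only in this post-install makefile and not in the sibling samples/Makefile.in added by the same commit, so it is worth confirming that dlvchecks.c is actually shipped. `${DEPLIBS}` and `${IRSDEPLIBS}` appear as prerequisites but are never assigned in this file. If empty is intended when linking against installed libraries, a comment such as `# DEPLIBS/IRSDEPLIBS intentionally empty: libraries come from -L@export_libdir@` would make that clear.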
diff --git a/contrib/bind9/lib/export/samples/Makefile.in b/contrib/bind9/lib/export/samples/Makefile.in
new file mode 100644
index 000000000000..cdc66b16ddc2
--- /dev/null
+++ b/contrib/bind9/lib/export/samples/Makefile.in
@@ -0,0 +1,98 @@
+# Copyright (C) 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.4 2009/12/05 23:31:41 each Exp $
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+export_srcdir = @top_srcdir@/lib/export
+
+@BIND9_VERSION@
+
+@BIND9_MAKE_INCLUDES@
+
+CINCLUDES = -I${srcdir}/include -I../dns/include \
+ -I${export_srcdir}/isc/include \
+ ${DNS_INCLUDES} ${ISC_INCLUDES} \
+ -I${top_srcdir}/lib/irs/include
+
+CDEFINES =
+CWARNINGS =
+
+DNSLIBS = ../dns/libdns.@A@ @DNS_CRYPTO_LIBS@
+ISCLIBS = ../isc/libisc.@A@
+ISCCFGLIBS = ../isccfg/libisccfg.@A@
+IRSLIBS = ../irs/libirs.@A@
+
+DNSDEPLIBS = ../dns/libdns.@A@
+ISCDEPLIBS = ../isc/libisc.@A@
+ISCCFGDEPLIBS = ../isccfg/libisccfg.@A@
+IRSDEPLIBS = ../irs/libirs.@A@
+
+DEPLIBS = ${DNSDEPLIBS} ${ISCCFGDEPLIBS} ${ISCDEPLIBS}
+
+LIBS = ${DNSLIBS} ${ISCCFGLIBS} ${ISCLIBS} @LIBS@
+
+SUBDIRS =
+
+TARGETS = sample@EXEEXT@ sample-async@EXEEXT@ sample-gai@EXEEXT@ \
+ sample-update@EXEEXT@ sample-request@EXEEXT@ nsprobe@EXEEXT@
+
+OBJS = sample.@O@ sample-async.@O@ sample-gai.@O@ sample-update.@O@ \
+ sample-request.@O@ nsprobe.@O@
+
+UOBJS =
+
+SRCS = sample.c sample-async.c sample-gai.c sample-update.c \
+ sample-request.c nsprobe.c
+
+MANPAGES =
+
+HTMLPAGES =
+
+MANOBJS = ${MANPAGES} ${HTMLPAGES}
+
+@BIND9_MAKE_RULES@
+
+sample@EXEEXT@: sample.@O@ ${DEPLIBS}
+ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+ sample.@O@ ${LIBS}
+
+sample-async@EXEEXT@: sample-async.@O@ ${DEPLIBS}
+ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+ sample-async.@O@ ${LIBS}
+
+sample-gai@EXEEXT@: sample-gai.@O@ ${IRSDEPLIBS} ${DEPLIBS}
+ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+ sample-gai.@O@ ${IRSLIBS} ${LIBS}
+
+sample-update@EXEEXT@: sample-update.@O@ ${DEPLIBS}
+ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+ sample-update.@O@ ${LIBS}
+
+sample-request@EXEEXT@: sample-request.@O@ ${DEPLIBS}
+ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+ sample-request.@O@ ${LIBS}
+
+nsprobe@EXEEXT@: nsprobe.@O@ ${DEPLIBS}
+ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+ nsprobe.@O@ ${LIBS}
+
+doc man:: ${MANOBJS}
+
+docclean manclean maintainer-clean::
+ rm -f ${MANOBJS}
+
+clean distclean maintainer-clean::
+ rm -f ${TARGETS}
diff --git a/contrib/bind9/lib/export/samples/nsprobe.c b/contrib/bind9/lib/export/samples/nsprobe.c
new file mode 100644
index 000000000000..869b19471729
--- /dev/null
+++ b/contrib/bind9/lib/export/samples/nsprobe.c
@@ -0,0 +1,1222 @@
+/*
+ * Copyright (C) 2009-2012 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id$ */
+
+#include <config.h>
+
+#include <sys/types.h>
+#include <sys/socket.h>
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <netdb.h>
+
+#include <isc/app.h>
+#include <isc/buffer.h>
+#include <isc/lib.h>
+#include <isc/mem.h>
+#include <isc/socket.h>
+#include <isc/sockaddr.h>
+#include <isc/string.h>
+#include <isc/task.h>
+#include <isc/timer.h>
+#include <isc/util.h>
+
+#include <dns/client.h>
+#include <dns/fixedname.h>
+#include <dns/lib.h>
+#include <dns/message.h>
+#include <dns/name.h>
+#include <dns/rdata.h>
+#include <dns/rdataset.h>
+#include <dns/rdatastruct.h>
+#include <dns/rdatatype.h>
+#include <dns/result.h>
+
+#define MAX_PROBES 1000
+
+static dns_client_t *client = NULL;
+static isc_task_t *probe_task = NULL;
+static isc_appctx_t *actx = NULL;
+static isc_mem_t *mctx = NULL;
+static unsigned int outstanding_probes = 0;
+const char *cacheserver = "127.0.0.1";
+static FILE *fp;
+
+typedef enum {
+ none,
+ exist,
+ nxdomain,
+ othererr,
+ multiplesoa,
+ multiplecname,
+ brokenanswer,
+ lame,
+ timedout,
+ notype,
+ unexpected
+} query_result_t;
+
+struct server {
+ ISC_LINK(struct server) link;
+
+ isc_sockaddr_t address;
+ query_result_t result_a;
+ query_result_t result_aaaa;
+};
+
+struct probe_ns {
+ ISC_LINK(struct probe_ns) link;
+
+ dns_fixedname_t fixedname;
+ dns_name_t *name;
+ struct server *current_server;
+ ISC_LIST(struct server) servers;
+};
+
+struct probe_trans {
+ isc_boolean_t inuse;
+ char *domain;
+ dns_fixedname_t fixedname;
+ dns_name_t *qname;
+ const char **qlabel;
+ isc_boolean_t qname_found;
+ dns_clientrestrans_t *resid;
+ dns_message_t *qmessage;
+ dns_message_t *rmessage;
+ dns_clientreqtrans_t *reqid;
+
+ /* NS list */
+ struct probe_ns *current_ns;
+ ISC_LIST(struct probe_ns) nslist;
+};
+
+struct lcl_stat {
+ unsigned long valid;
+ unsigned long ignore;
+ unsigned long nxdomain;
+ unsigned long othererr;
+ unsigned long multiplesoa;
+ unsigned long multiplecname;
+ unsigned long brokenanswer;
+ unsigned long lame;
+ unsigned long unknown;
+} server_stat, domain_stat;
+
+static unsigned long number_of_domains = 0;
+static unsigned long number_of_servers = 0;
+static unsigned long multiple_error_domains = 0;
+static isc_boolean_t debug_mode = ISC_FALSE;
+static int verbose_level = 0;
+static const char *qlabels[] = {"www.", "ftp.", NULL};
+static struct probe_trans probes[MAX_PROBES];
+
+static isc_result_t probe_domain(struct probe_trans *trans);
+static void reset_probe(struct probe_trans *trans);
+static isc_result_t fetch_nsaddress(struct probe_trans *trans);
+static isc_result_t probe_name(struct probe_trans *trans,
+ dns_rdatatype_t type);
+
+/* Dump an rdataset for debug */
+static isc_result_t
+print_rdataset(dns_rdataset_t *rdataset, dns_name_t *owner) {
+ isc_buffer_t target;
+ isc_result_t result;
+ isc_region_t r;
+ char t[4096];
+
+ if (!debug_mode)
+ return (ISC_R_SUCCESS);
+
+ isc_buffer_init(&target, t, sizeof(t));
+
+ if (!dns_rdataset_isassociated(rdataset))
+ return (ISC_R_SUCCESS);
+ result = dns_rdataset_totext(rdataset, owner, ISC_FALSE, ISC_FALSE,
+ &target);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ isc_buffer_usedregion(&target, &r);
+ printf("%.*s", (int)r.length, (char *)r.base);
+
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+print_name(dns_name_t *name) {
+ isc_result_t result;
+ isc_buffer_t target;
+ isc_region_t r;
+ char t[4096];
+
+ isc_buffer_init(&target, t, sizeof(t));
+ result = dns_name_totext(name, ISC_TRUE, &target);
+ if (result == ISC_R_SUCCESS) {
+ isc_buffer_usedregion(&target, &r);
+ printf("%.*s", (int)r.length, (char *)r.base);
+ } else
+ printf("(invalid name)");
+
+ return (result);
+}
+
+static isc_result_t
+print_address(FILE *fp, isc_sockaddr_t *addr) {
+ char buf[NI_MAXHOST];
+
+ if (getnameinfo(&addr->type.sa, addr->length, buf, sizeof(buf),
+ NULL, 0, NI_NUMERICHOST) == 0) {
+ fprintf(fp, "%s", buf);
+ } else {
+ fprintf(fp, "(invalid address)");
+ }
+
+ return (ISC_R_SUCCESS);
+}
+
+static void
+ctxs_destroy(isc_mem_t **mctxp, isc_appctx_t **actxp,
+ isc_taskmgr_t **taskmgrp, isc_socketmgr_t **socketmgrp,
+ isc_timermgr_t **timermgrp)
+{
+ if (*taskmgrp != NULL)
+ isc_taskmgr_destroy(taskmgrp);
+
+ if (*timermgrp != NULL)
+ isc_timermgr_destroy(timermgrp);
+
+ if (*socketmgrp != NULL)
+ isc_socketmgr_destroy(socketmgrp);
+
+ if (*actxp != NULL)
+ isc_appctx_destroy(actxp);
+
+ if (*mctxp != NULL)
+ isc_mem_destroy(mctxp);
+}
+
+static isc_result_t
+ctxs_init(isc_mem_t **mctxp, isc_appctx_t **actxp,
+ isc_taskmgr_t **taskmgrp, isc_socketmgr_t **socketmgrp,
+ isc_timermgr_t **timermgrp)
+{
+ isc_result_t result;
+
+ result = isc_mem_create(0, 0, mctxp);
+ if (result != ISC_R_SUCCESS)
+ goto fail;
+
+ result = isc_appctx_create(*mctxp, actxp);
+ if (result != ISC_R_SUCCESS)
+ goto fail;
+
+ result = isc_taskmgr_createinctx(*mctxp, *actxp, 1, 0, taskmgrp);
+ if (result != ISC_R_SUCCESS)
+ goto fail;
+
+ result = isc_socketmgr_createinctx(*mctxp, *actxp, socketmgrp);
+ if (result != ISC_R_SUCCESS)
+ goto fail;
+
+ result = isc_timermgr_createinctx(*mctxp, *actxp, timermgrp);
+ if (result != ISC_R_SUCCESS)
+ goto fail;
+
+ return (ISC_R_SUCCESS);
+
+ fail:
+ ctxs_destroy(mctxp, actxp, taskmgrp, socketmgrp, timermgrp);
+
+ return (result);
+}
+
+/*
+ * Common routine to make query data
+ */
+static isc_result_t
+make_querymessage(dns_message_t *message, dns_name_t *qname0,
+ dns_rdatatype_t rdtype)
+{
+ dns_name_t *qname = NULL;
+ dns_rdataset_t *qrdataset = NULL;
+ isc_result_t result;
+
+ message->opcode = dns_opcode_query;
+ message->rdclass = dns_rdataclass_in;
+
+ result = dns_message_gettempname(message, &qname);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+
+ result = dns_message_gettemprdataset(message, &qrdataset);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+
+ dns_name_init(qname, NULL);
+ dns_name_clone(qname0, qname);
+ dns_rdataset_init(qrdataset);
+ dns_rdataset_makequestion(qrdataset, message->rdclass, rdtype);
+ ISC_LIST_APPEND(qname->list, qrdataset, link);
+ dns_message_addname(message, qname, DNS_SECTION_QUESTION);
+
+ return (ISC_R_SUCCESS);
+
+ cleanup:
+ if (qname != NULL)
+ dns_message_puttempname(message, &qname);
+ if (qrdataset != NULL)
+ dns_message_puttemprdataset(message, &qrdataset);
+ if (message != NULL)
+ dns_message_destroy(&message);
+ return (result);
+}
+
+/*
+ * Update statistics
+ */
+static inline void
+increment_entry(unsigned long *entryp) {
+ (*entryp)++;
+ INSIST(*entryp != 0); /* check overflow */
+}
+
+static void
+update_stat(struct probe_trans *trans) {
+ struct probe_ns *pns;
+ struct server *server;
+ struct lcl_stat local_stat;
+ unsigned int err_count = 0;
+ const char *stattype;
+
+ increment_entry(&number_of_domains);
+ memset(&local_stat, 0, sizeof(local_stat));
+
+ /* Update per sever statistics */
+ for (pns = ISC_LIST_HEAD(trans->nslist); pns != NULL;
+ pns = ISC_LIST_NEXT(pns, link)) {
+ for (server = ISC_LIST_HEAD(pns->servers); server != NULL;
+ server = ISC_LIST_NEXT(server, link)) {
+ increment_entry(&number_of_servers);
+
+ if (server->result_aaaa == exist ||
+ server->result_aaaa == notype) {
+ /*
+ * Don't care about the result of A query if
+ * the answer to AAAA query was expected.
+ */
+ stattype = "valid";
+ increment_entry(&server_stat.valid);
+ increment_entry(&local_stat.valid);
+ } else if (server->result_a == exist) {
+ switch (server->result_aaaa) {
+ case exist:
+ case notype:
+ stattype = "valid";
+ increment_entry(&server_stat.valid);
+ increment_entry(&local_stat.valid);
+ break;
+ case timedout:
+ stattype = "ignore";
+ increment_entry(&server_stat.ignore);
+ increment_entry(&local_stat.ignore);
+ break;
+ case nxdomain:
+ stattype = "nxdomain";
+ increment_entry(&server_stat.nxdomain);
+ increment_entry(&local_stat.nxdomain);
+ break;
+ case othererr:
+ stattype = "othererr";
+ increment_entry(&server_stat.othererr);
+ increment_entry(&local_stat.othererr);
+ break;
+ case multiplesoa:
+ stattype = "multiplesoa";
+ increment_entry(&server_stat.multiplesoa);
+ increment_entry(&local_stat.multiplesoa);
+ break;
+ case multiplecname:
+ stattype = "multiplecname";
+ increment_entry(&server_stat.multiplecname);
+ increment_entry(&local_stat.multiplecname);
+ break;
+ case brokenanswer:
+ stattype = "brokenanswer";
+ increment_entry(&server_stat.brokenanswer);
+ increment_entry(&local_stat.brokenanswer);
+ break;
+ case lame:
+ stattype = "lame";
+ increment_entry(&server_stat.lame);
+ increment_entry(&local_stat.lame);
+ break;
+ default:
+ stattype = "unknown";
+ increment_entry(&server_stat.unknown);
+ increment_entry(&local_stat.unknown);
+ break;
+ }
+ } else {
+ stattype = "unknown";
+ increment_entry(&server_stat.unknown);
+ increment_entry(&local_stat.unknown);
+ }
+
+ if (verbose_level > 1 ||
+ (verbose_level == 1 &&
+ strcmp(stattype, "valid") != 0 &&
+ strcmp(stattype, "unknown") != 0)) {
+ print_name(pns->name);
+ putchar('(');
+ print_address(stdout, &server->address);
+ printf(") for %s:%s\n", trans->domain,
+ stattype);
+ }
+ }
+ }
+
+ /* Update per domain statistics */
+ if (local_stat.ignore > 0) {
+ if (verbose_level > 0)
+ printf("%s:ignore\n", trans->domain);
+ increment_entry(&domain_stat.ignore);
+ err_count++;
+ }
+ if (local_stat.nxdomain > 0) {
+ if (verbose_level > 0)
+ printf("%s:nxdomain\n", trans->domain);
+ increment_entry(&domain_stat.nxdomain);
+ err_count++;
+ }
+ if (local_stat.othererr > 0) {
+ if (verbose_level > 0)
+ printf("%s:othererr\n", trans->domain);
+ increment_entry(&domain_stat.othererr);
+ err_count++;
+ }
+ if (local_stat.multiplesoa > 0) {
+ if (verbose_level > 0)
+ printf("%s:multiplesoa\n", trans->domain);
+ increment_entry(&domain_stat.multiplesoa);
+ err_count++;
+ }
+ if (local_stat.multiplecname > 0) {
+ if (verbose_level > 0)
+ printf("%s:multiplecname\n", trans->domain);
+ increment_entry(&domain_stat.multiplecname);
+ err_count++;
+ }
+ if (local_stat.brokenanswer > 0) {
+ if (verbose_level > 0)
+ printf("%s:brokenanswer\n", trans->domain);
+ increment_entry(&domain_stat.brokenanswer);
+ err_count++;
+ }
+ if (local_stat.lame > 0) {
+ if (verbose_level > 0)
+ printf("%s:lame\n", trans->domain);
+ increment_entry(&domain_stat.lame);
+ err_count++;
+ }
+
+ if (err_count > 1)
+ increment_entry(&multiple_error_domains);
+
+ /*
+ * We regard the domain as valid if and only if no authoritative server
+ * has a problem and at least one server is known to be valid.
+ */
+ if (local_stat.valid > 0 && err_count == 0) {
+ if (verbose_level > 1)
+ printf("%s:valid\n", trans->domain);
+ increment_entry(&domain_stat.valid);
+ }
+
+ /*
+ * If the domain has no available server or all servers have the
+ * 'unknown' result, the domain's result is also regarded as unknown.
+ */
+ if (local_stat.valid == 0 && err_count == 0) {
+ if (verbose_level > 1)
+ printf("%s:unknown\n", trans->domain);
+ increment_entry(&domain_stat.unknown);
+ }
+}
+
+/*
+ * Search for an existent name with an A RR
+ */
+
+static isc_result_t
+set_nextqname(struct probe_trans *trans) {
+ isc_result_t result;
+ size_t domainlen;
+ isc_buffer_t b;
+ char buf[4096]; /* XXX ad-hoc constant, but should be enough */
+
+ if (*trans->qlabel == NULL)
+ return (ISC_R_NOMORE);
+
+ result = isc_string_copy(buf, sizeof(buf), *trans->qlabel);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ result = isc_string_append(buf, sizeof(buf), trans->domain);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ domainlen = strlen(buf);
+ isc_buffer_init(&b, buf, domainlen);
+ isc_buffer_add(&b, domainlen);
+ dns_fixedname_init(&trans->fixedname);
+ trans->qname = dns_fixedname_name(&trans->fixedname);
+ result = dns_name_fromtext(trans->qname, &b, dns_rootname,
+ 0, NULL);
+
+ trans->qlabel++;
+
+ return (result);
+}
+
+static void
+request_done(isc_task_t *task, isc_event_t *event) {
+ struct probe_trans *trans = event->ev_arg;
+ dns_clientreqevent_t *rev = (dns_clientreqevent_t *)event;
+ dns_message_t *rmessage;
+ struct probe_ns *pns;
+ struct server *server;
+ isc_result_t result;
+ query_result_t *resultp;
+ dns_name_t *name;
+ dns_rdataset_t *rdataset;
+ dns_rdatatype_t type;
+
+ REQUIRE(task == probe_task);
+ REQUIRE(trans != NULL && trans->inuse == ISC_TRUE);
+ rmessage = rev->rmessage;
+ REQUIRE(rmessage == trans->rmessage);
+ INSIST(outstanding_probes > 0);
+
+ server = trans->current_ns->current_server;
+ INSIST(server != NULL);
+
+ if (server->result_a == none) {
+ type = dns_rdatatype_a;
+ resultp = &server->result_a;
+ } else {
+ resultp = &server->result_aaaa;
+ type = dns_rdatatype_aaaa;
+ }
+
+ if (rev->result == ISC_R_SUCCESS) {
+ if ((rmessage->flags & DNS_MESSAGEFLAG_AA) == 0)
+ *resultp = lame;
+ else if (rmessage->rcode == dns_rcode_nxdomain)
+ *resultp = nxdomain;
+ else if (rmessage->rcode != dns_rcode_noerror)
+ *resultp = othererr;
+ else if (rmessage->counts[DNS_SECTION_ANSWER] == 0) {
+ /* no error but empty answer */
+ *resultp = notype;
+ } else {
+ result = dns_message_firstname(rmessage,
+ DNS_SECTION_ANSWER);
+ while (result == ISC_R_SUCCESS) {
+ name = NULL;
+ dns_message_currentname(rmessage,
+ DNS_SECTION_ANSWER,
+ &name);
+ for (rdataset = ISC_LIST_HEAD(name->list);
+ rdataset != NULL;
+ rdataset = ISC_LIST_NEXT(rdataset,
+ link)) {
+ (void)print_rdataset(rdataset, name);
+
+ if (rdataset->type ==
+ dns_rdatatype_cname ||
+ rdataset->type ==
+ dns_rdatatype_dname) {
+ /* Should chase the chain? */
+ *resultp = exist;
+ goto found;
+ } else if (rdataset->type == type) {
+ *resultp = exist;
+ goto found;
+ }
+ }
+ result = dns_message_nextname(rmessage,
+ DNS_SECTION_ANSWER);
+ }
+
+ /*
+ * Something unexpected happened: the response
+ * contained a non-empty authoritative answer, but we
+ * could not find an expected result.
+ */
+ *resultp = unexpected;
+ }
+ } else if (rev->result == DNS_R_RECOVERABLE ||
+ rev->result == DNS_R_BADLABELTYPE) {
+ /* Broken response. Try identifying known cases. */
+ *resultp = brokenanswer;
+
+ if (rmessage->counts[DNS_SECTION_ANSWER] > 0) {
+ result = dns_message_firstname(rmessage,
+ DNS_SECTION_ANSWER);
+ while (result == ISC_R_SUCCESS) {
+ /*
+ * Check to see if the response has multiple
+ * CNAME RRs. Update the result code if so.
+ */
+ name = NULL;
+ dns_message_currentname(rmessage,
+ DNS_SECTION_ANSWER,
+ &name);
+ for (rdataset = ISC_LIST_HEAD(name->list);
+ rdataset != NULL;
+ rdataset = ISC_LIST_NEXT(rdataset,
+ link)) {
+ if (rdataset->type ==
+ dns_rdatatype_cname &&
+ dns_rdataset_count(rdataset) > 1) {
+ *resultp = multiplecname;
+ goto found;
+ }
+ }
+ result = dns_message_nextname(rmessage,
+ DNS_SECTION_ANSWER);
+ }
+ }
+
+ if (rmessage->counts[DNS_SECTION_AUTHORITY] > 0) {
+ result = dns_message_firstname(rmessage,
+ DNS_SECTION_AUTHORITY);
+ while (result == ISC_R_SUCCESS) {
+ /*
+ * Check to see if the response has multiple
+ * SOA RRs. Update the result code if so.
+ */
+ name = NULL;
+ dns_message_currentname(rmessage,
+ DNS_SECTION_AUTHORITY,
+ &name);
+ for (rdataset = ISC_LIST_HEAD(name->list);
+ rdataset != NULL;
+ rdataset = ISC_LIST_NEXT(rdataset,
+ link)) {
+ if (rdataset->type ==
+ dns_rdatatype_soa &&
+ dns_rdataset_count(rdataset) > 1) {
+ *resultp = multiplesoa;
+ goto found;
+ }
+ }
+ result = dns_message_nextname(rmessage,
+ DNS_SECTION_AUTHORITY);
+ }
+ }
+ } else if (rev->result == ISC_R_TIMEDOUT)
+ *resultp = timedout;
+ else {
+ fprintf(stderr, "unexpected result: %d (domain=%s, server=",
+ rev->result, trans->domain);
+ print_address(stderr, &server->address);
+ fputc('\n', stderr);
+ *resultp = unexpected;
+ }
+
+ found:
+ INSIST(*resultp != none);
+ if (type == dns_rdatatype_a && *resultp == exist)
+ trans->qname_found = ISC_TRUE;
+
+ dns_client_destroyreqtrans(&trans->reqid);
+ isc_event_free(&event);
+ dns_message_reset(trans->rmessage, DNS_MESSAGE_INTENTPARSE);
+
+ result = probe_name(trans, type);
+ if (result == ISC_R_NOMORE) {
+ /* We've tried all addresses of all servers. */
+ if (type == dns_rdatatype_a && trans->qname_found) {
+ /*
+ * If we've explored A RRs and found an existent
+ * record, we can move to AAAA.
+ */
+ trans->current_ns = ISC_LIST_HEAD(trans->nslist);
+ probe_name(trans, dns_rdatatype_aaaa);
+ result = ISC_R_SUCCESS;
+ } else if (type == dns_rdatatype_a) {
+ /*
+ * No server provided an existent A RR of this name.
+ * Try next label.
+ */
+ dns_fixedname_invalidate(&trans->fixedname);
+ trans->qname = NULL;
+ result = set_nextqname(trans);
+ if (result == ISC_R_SUCCESS) {
+ trans->current_ns =
+ ISC_LIST_HEAD(trans->nslist);
+ for (pns = trans->current_ns; pns != NULL;
+ pns = ISC_LIST_NEXT(pns, link)) {
+ for (server = ISC_LIST_HEAD(pns->servers);
+ server != NULL;
+ server = ISC_LIST_NEXT(server,
+ link)) {
+ INSIST(server->result_aaaa ==
+ none);
+ server->result_a = none;
+ }
+ }
+ result = probe_name(trans, dns_rdatatype_a);
+ }
+ }
+ if (result != ISC_R_SUCCESS) {
+ /*
+ * We've explored AAAA RRs or failed to find a valid
+ * query label. Wrap up the result and move to the
+ * next domain.
+ */
+ reset_probe(trans);
+ }
+ } else if (result != ISC_R_SUCCESS)
+ reset_probe(trans); /* XXX */
+}
+
+static isc_result_t
+probe_name(struct probe_trans *trans, dns_rdatatype_t type) {
+ isc_result_t result;
+ struct probe_ns *pns;
+ struct server *server;
+
+ REQUIRE(trans->reqid == NULL);
+ REQUIRE(type == dns_rdatatype_a || type == dns_rdatatype_aaaa);
+
+ for (pns = trans->current_ns; pns != NULL;
+ pns = ISC_LIST_NEXT(pns, link)) {
+ for (server = ISC_LIST_HEAD(pns->servers); server != NULL;
+ server = ISC_LIST_NEXT(server, link)) {
+ if ((type == dns_rdatatype_a &&
+ server->result_a == none) ||
+ (type == dns_rdatatype_aaaa &&
+ server->result_aaaa == none)) {
+ pns->current_server = server;
+ goto found;
+ }
+ }
+ }
+
+ found:
+ trans->current_ns = pns;
+ if (pns == NULL)
+ return (ISC_R_NOMORE);
+
+ INSIST(pns->current_server != NULL);
+ dns_message_reset(trans->qmessage, DNS_MESSAGE_INTENTRENDER);
+ result = make_querymessage(trans->qmessage, trans->qname, type);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ result = dns_client_startrequest(client, trans->qmessage,
+ trans->rmessage,
+ &pns->current_server->address,
+ 0, DNS_MESSAGEPARSE_BESTEFFORT,
+ NULL, 120, 0, 4,
+ probe_task, request_done, trans,
+ &trans->reqid);
+
+ return (result);
+}
+
+/*
+ * Get IP addresses of NSes
+ */
+
+static void
+resolve_nsaddress(isc_task_t *task, isc_event_t *event) {
+ struct probe_trans *trans = event->ev_arg;
+ dns_clientresevent_t *rev = (dns_clientresevent_t *)event;
+ dns_name_t *name;
+ dns_rdataset_t *rdataset;
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ struct probe_ns *pns = trans->current_ns;
+ isc_result_t result;
+
+ REQUIRE(task == probe_task);
+ REQUIRE(trans->inuse == ISC_TRUE);
+ REQUIRE(pns != NULL);
+ INSIST(outstanding_probes > 0);
+
+ for (name = ISC_LIST_HEAD(rev->answerlist); name != NULL;
+ name = ISC_LIST_NEXT(name, link)) {
+ for (rdataset = ISC_LIST_HEAD(name->list);
+ rdataset != NULL;
+ rdataset = ISC_LIST_NEXT(rdataset, link)) {
+ (void)print_rdataset(rdataset, name);
+
+ if (rdataset->type != dns_rdatatype_a)
+ continue;
+
+ for (result = dns_rdataset_first(rdataset);
+ result == ISC_R_SUCCESS;
+ result = dns_rdataset_next(rdataset)) {
+ dns_rdata_in_a_t rdata_a;
+ struct server *server;
+
+ dns_rdataset_current(rdataset, &rdata);
+ result = dns_rdata_tostruct(&rdata, &rdata_a,
+ NULL);
+ if (result != ISC_R_SUCCESS)
+ continue;
+
+ server = isc_mem_get(mctx, sizeof(*server));
+ if (server == NULL) {
+ fprintf(stderr, "resolve_nsaddress: "
+ "mem_get failed");
+ result = ISC_R_NOMEMORY;
+ POST(result);
+ goto cleanup;
+ }
+ isc_sockaddr_fromin(&server->address,
+ &rdata_a.in_addr, 53);
+ ISC_LINK_INIT(server, link);
+ server->result_a = none;
+ server->result_aaaa = none;
+ ISC_LIST_APPEND(pns->servers, server, link);
+ }
+ }
+ }
+
+ cleanup:
+ dns_client_freeresanswer(client, &rev->answerlist);
+ dns_client_destroyrestrans(&trans->resid);
+ isc_event_free(&event);
+
+ next_ns:
+ trans->current_ns = ISC_LIST_NEXT(pns, link);
+ if (trans->current_ns == NULL) {
+ trans->current_ns = ISC_LIST_HEAD(trans->nslist);
+ dns_fixedname_invalidate(&trans->fixedname);
+ trans->qname = NULL;
+ result = set_nextqname(trans);
+ if (result == ISC_R_SUCCESS)
+ result = probe_name(trans, dns_rdatatype_a);
+ } else {
+ result = fetch_nsaddress(trans);
+ if (result != ISC_R_SUCCESS)
+ goto next_ns; /* XXX: this is unlikely to succeed */
+ }
+
+ if (result != ISC_R_SUCCESS)
+ reset_probe(trans);
+}
+
+static isc_result_t
+fetch_nsaddress(struct probe_trans *trans) {
+ struct probe_ns *pns;
+
+ pns = trans->current_ns;
+ REQUIRE(pns != NULL);
+
+ return (dns_client_startresolve(client, pns->name, dns_rdataclass_in,
+ dns_rdatatype_a, 0, probe_task,
+ resolve_nsaddress, trans,
+ &trans->resid));
+}
+
+/*
+ * Get NS RRset for a given domain
+ */
+
+static void
+reset_probe(struct probe_trans *trans) {
+ struct probe_ns *pns;
+ struct server *server;
+ isc_result_t result;
+
+ REQUIRE(trans->resid == NULL);
+ REQUIRE(trans->reqid == NULL);
+
+ update_stat(trans);
+
+ dns_message_reset(trans->qmessage, DNS_MESSAGE_INTENTRENDER);
+ dns_message_reset(trans->rmessage, DNS_MESSAGE_INTENTPARSE);
+
+ trans->inuse = ISC_FALSE;
+ if (trans->domain != NULL)
+ isc_mem_free(mctx, trans->domain);
+ trans->domain = NULL;
+ if (trans->qname != NULL)
+ dns_fixedname_invalidate(&trans->fixedname);
+ trans->qname = NULL;
+ trans->qlabel = qlabels;
+ trans->qname_found = ISC_FALSE;
+ trans->current_ns = NULL;
+
+ while ((pns = ISC_LIST_HEAD(trans->nslist)) != NULL) {
+ ISC_LIST_UNLINK(trans->nslist, pns, link);
+ while ((server = ISC_LIST_HEAD(pns->servers)) != NULL) {
+ ISC_LIST_UNLINK(pns->servers, server, link);
+ isc_mem_put(mctx, server, sizeof(*server));
+ }
+ isc_mem_put(mctx, pns, sizeof(*pns));
+ }
+
+ outstanding_probes--;
+
+ result = probe_domain(trans);
+ if (result == ISC_R_NOMORE && outstanding_probes == 0)
+ isc_app_ctxshutdown(actx);
+}
+
+static void
+resolve_ns(isc_task_t *task, isc_event_t *event) {
+ struct probe_trans *trans = event->ev_arg;
+ dns_clientresevent_t *rev = (dns_clientresevent_t *)event;
+ dns_name_t *name;
+ dns_rdataset_t *rdataset;
+ isc_result_t result = ISC_R_SUCCESS;
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ struct probe_ns *pns;
+
+ REQUIRE(task == probe_task);
+ REQUIRE(trans->inuse == ISC_TRUE);
+ INSIST(outstanding_probes > 0);
+
+ for (name = ISC_LIST_HEAD(rev->answerlist); name != NULL;
+ name = ISC_LIST_NEXT(name, link)) {
+ for (rdataset = ISC_LIST_HEAD(name->list);
+ rdataset != NULL;
+ rdataset = ISC_LIST_NEXT(rdataset, link)) {
+ (void)print_rdataset(rdataset, name);
+
+ if (rdataset->type != dns_rdatatype_ns)
+ continue;
+
+ for (result = dns_rdataset_first(rdataset);
+ result == ISC_R_SUCCESS;
+ result = dns_rdataset_next(rdataset)) {
+ dns_rdata_ns_t ns;
+
+ dns_rdataset_current(rdataset, &rdata);
+ /*
+ * Extract the name from the NS record.
+ */
+ result = dns_rdata_tostruct(&rdata, &ns, NULL);
+ if (result != ISC_R_SUCCESS)
+ continue;
+
+ pns = isc_mem_get(mctx, sizeof(*pns));
+ if (pns == NULL) {
+ fprintf(stderr,
+ "resolve_ns: mem_get failed");
+ result = ISC_R_NOMEMORY;
+ POST(result);
+ /*
+ * XXX: should we continue with the
+ * available servers anyway?
+ */
+ goto cleanup;
+ }
+
+ dns_fixedname_init(&pns->fixedname);
+ pns->name =
+ dns_fixedname_name(&pns->fixedname);
+ ISC_LINK_INIT(pns, link);
+ ISC_LIST_APPEND(trans->nslist, pns, link);
+ ISC_LIST_INIT(pns->servers);
+
+ dns_name_copy(&ns.name, pns->name, NULL);
+ dns_rdata_reset(&rdata);
+ dns_rdata_freestruct(&ns);
+ }
+ }
+ }
+
+ cleanup:
+ dns_client_freeresanswer(client, &rev->answerlist);
+ dns_client_destroyrestrans(&trans->resid);
+ isc_event_free(&event);
+
+ if (!ISC_LIST_EMPTY(trans->nslist)) {
+ /* Go get addresses of NSes */
+ trans->current_ns = ISC_LIST_HEAD(trans->nslist);
+ result = fetch_nsaddress(trans);
+ } else
+ result = ISC_R_FAILURE;
+
+ if (result == ISC_R_SUCCESS)
+ return;
+
+ reset_probe(trans);
+}
+
+static isc_result_t
+probe_domain(struct probe_trans *trans) {
+ isc_result_t result;
+ size_t domainlen;
+ isc_buffer_t b;
+ char buf[4096]; /* XXX ad hoc constant, but should be enough */
+ char *cp;
+
+ REQUIRE(trans != NULL);
+ REQUIRE(trans->inuse == ISC_FALSE);
+ REQUIRE(outstanding_probes < MAX_PROBES);
+
+ /* Construct domain */
+ cp = fgets(buf, sizeof(buf), fp);
+ if (cp == NULL)
+ return (ISC_R_NOMORE);
+ if ((cp = strchr(buf, '\n')) != NULL) /* zap NL if any */
+ *cp = '\0';
+ trans->domain = isc_mem_strdup(mctx, buf);
+ if (trans->domain == NULL) {
+ fprintf(stderr,
+ "failed to allocate memory for domain: %s", cp);
+ return (ISC_R_NOMEMORY);
+ }
+
+ /* Start getting NS for the domain */
+ domainlen = strlen(buf);
+ isc_buffer_init(&b, buf, domainlen);
+ isc_buffer_add(&b, domainlen);
+ dns_fixedname_init(&trans->fixedname);
+ trans->qname = dns_fixedname_name(&trans->fixedname);
+ result = dns_name_fromtext(trans->qname, &b, dns_rootname, 0, NULL);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+ result = dns_client_startresolve(client, trans->qname,
+ dns_rdataclass_in, dns_rdatatype_ns,
+ 0, probe_task, resolve_ns, trans,
+ &trans->resid);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+
+ trans->inuse = ISC_TRUE;
+ outstanding_probes++;
+
+ return (ISC_R_SUCCESS);
+
+ cleanup:
+ isc_mem_free(mctx, trans->domain);
+ dns_fixedname_invalidate(&trans->fixedname);
+
+ return (result);
+}
+
+ISC_PLATFORM_NORETURN_PRE static void
+usage(void) ISC_PLATFORM_NORETURN_POST;
+
+static void
+usage(void) {
+ fprintf(stderr, "usage: nsprobe [-d] [-v [-v...]] [-c cache_address] "
+ "[input_file]\n");
+
+ exit(1);
+}
+
+int
+main(int argc, char *argv[]) {
+ int i, ch, error;
+ struct addrinfo hints, *res;
+ isc_result_t result;
+ isc_sockaddr_t sa;
+ isc_sockaddrlist_t servers;
+ isc_taskmgr_t *taskmgr = NULL;
+ isc_socketmgr_t *socketmgr = NULL;
+ isc_timermgr_t *timermgr = NULL;
+
+ while ((ch = getopt(argc, argv, "c:dhv")) != -1) {
+ switch (ch) {
+ case 'c':
+ cacheserver = optarg;
+ break;
+ case 'd':
+ debug_mode = ISC_TRUE;
+ break;
+ case 'h':
+ usage();
+ break;
+ case 'v':
+ verbose_level++;
+ break;
+ default:
+ usage();
+ break;
+ }
+ }
+
+ argc -= optind;
+ argv += optind;
+
+ /* Common set up */
+ isc_lib_register();
+ result = dns_lib_init();
+ if (result != ISC_R_SUCCESS) {
+ fprintf(stderr, "dns_lib_init failed: %d\n", result);
+ exit(1);
+ }
+
+ result = ctxs_init(&mctx, &actx, &taskmgr, &socketmgr,
+ &timermgr);
+ if (result != ISC_R_SUCCESS) {
+ fprintf(stderr, "ctx create failed: %d\n", result);
+ exit(1);
+ }
+
+ isc_app_ctxstart(actx);
+
+ result = dns_client_createx(mctx, actx, taskmgr, socketmgr,
+ timermgr, 0, &client);
+ if (result != ISC_R_SUCCESS) {
+ fprintf(stderr, "dns_client_createx failed: %d\n", result);
+ exit(1);
+ }
+
+ /* Set local cache server */
+ memset(&hints, 0, sizeof(hints));
+ hints.ai_family = AF_UNSPEC;
+ hints.ai_socktype = SOCK_DGRAM;
+ error = getaddrinfo(cacheserver, "53", &hints, &res);
+ if (error != 0) {
+ fprintf(stderr, "failed to convert server name (%s): %s\n",
+ cacheserver, gai_strerror(error));
+ exit(1);
+ }
+
+ if (res->ai_addrlen > sizeof(sa.type)) {
+ fprintf(stderr,
+ "assumption failure: addrlen is too long: %ld\n",
+ (long)res->ai_addrlen);
+ exit(1);
+ }
+ memcpy(&sa.type.sa, res->ai_addr, res->ai_addrlen);
+ sa.length = res->ai_addrlen;
+ freeaddrinfo(res);
+ ISC_LINK_INIT(&sa, link);
+ ISC_LIST_INIT(servers);
+ ISC_LIST_APPEND(servers, &sa, link);
+ result = dns_client_setservers(client, dns_rdataclass_in, NULL,
+ &servers);
+ if (result != ISC_R_SUCCESS) {
+ fprintf(stderr, "failed to set server: %d\n", result);
+ exit(1);
+ }
+
+ /* Create the main task */
+ probe_task = NULL;
+ result = isc_task_create(taskmgr, 0, &probe_task);
+ if (result != ISC_R_SUCCESS) {
+ fprintf(stderr, "failed to create task: %d\n", result);
+ exit(1);
+ }
+
+ /* Open input file */
+ if (argc == 0)
+ fp = stdin;
+ else {
+ fp = fopen(argv[0], "r");
+ if (fp == NULL) {
+ fprintf(stderr, "failed to open input file: %s\n",
+ argv[0]);
+ exit(1);
+ }
+ }
+
+ /* Set up and start probe */
+ for (i = 0; i < MAX_PROBES; i++) {
+ probes[i].inuse = ISC_FALSE;
+ probes[i].domain = NULL;
+ dns_fixedname_init(&probes[i].fixedname);
+ probes[i].qname = NULL;
+ probes[i].qlabel = qlabels;
+ probes[i].qname_found = ISC_FALSE;
+ probes[i].resid = NULL;
+ ISC_LIST_INIT(probes[i].nslist);
+ probes[i].reqid = NULL;
+
+ probes[i].qmessage = NULL;
+ result = dns_message_create(mctx, DNS_MESSAGE_INTENTRENDER,
+ &probes[i].qmessage);
+ if (result == ISC_R_SUCCESS) {
+ result = dns_message_create(mctx,
+ DNS_MESSAGE_INTENTPARSE,
+ &probes[i].rmessage);
+ }
+ if (result != ISC_R_SUCCESS) {
+ fprintf(stderr, "initialization failure\n");
+ exit(1);
+ }
+ }
+ for (i = 0; i < MAX_PROBES; i++) {
+ result = probe_domain(&probes[i]);
+ if (result == ISC_R_NOMORE)
+ break;
+ else if (result != ISC_R_SUCCESS) {
+ fprintf(stderr, "failed to issue an initial probe\n");
+ exit(1);
+ }
+ }
+
+ /* Start event loop */
+ isc_app_ctxrun(actx);
+
+ /* Dump results */
+ printf("Per domain results (out of %lu domains):\n",
+ number_of_domains);
+ printf(" valid: %lu\n"
+ " ignore: %lu\n"
+ " nxdomain: %lu\n"
+ " othererr: %lu\n"
+ " multiplesoa: %lu\n"
+ " multiplecname: %lu\n"
+ " brokenanswer: %lu\n"
+ " lame: %lu\n"
+ " unknown: %lu\n"
+ " multiple errors: %lu\n",
+ domain_stat.valid, domain_stat.ignore, domain_stat.nxdomain,
+ domain_stat.othererr, domain_stat.multiplesoa,
+ domain_stat.multiplecname, domain_stat.brokenanswer,
+ domain_stat.lame, domain_stat.unknown, multiple_error_domains);
+ printf("Per server results (out of %lu servers):\n",
+ number_of_servers);
+ printf(" valid: %lu\n"
+ " ignore: %lu\n"
+ " nxdomain: %lu\n"
+ " othererr: %lu\n"
+ " multiplesoa: %lu\n"
+ " multiplecname: %lu\n"
+ " brokenanswer: %lu\n"
+ " lame: %lu\n"
+ " unknown: %lu\n",
+ server_stat.valid, server_stat.ignore, server_stat.nxdomain,
+ server_stat.othererr, server_stat.multiplesoa,
+ server_stat.multiplecname, server_stat.brokenanswer,
+ server_stat.lame, server_stat.unknown);
+
+ /* Cleanup */
+ for (i = 0; i < MAX_PROBES; i++) {
+ dns_message_destroy(&probes[i].qmessage);
+ dns_message_destroy(&probes[i].rmessage);
+ }
+ isc_task_detach(&probe_task);
+ dns_client_destroy(&client);
+ dns_lib_shutdown();
+ isc_app_ctxfinish(actx);
+ ctxs_destroy(&mctx, &actx, &taskmgr, &socketmgr, &timermgr);
+
+ exit(0);
+}
diff --git a/contrib/bind9/lib/export/samples/sample-async.c b/contrib/bind9/lib/export/samples/sample-async.c
new file mode 100644
index 000000000000..e646e795e9ae
--- /dev/null
+++ b/contrib/bind9/lib/export/samples/sample-async.c
@@ -0,0 +1,402 @@
+/*
+ * Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: sample-async.c,v 1.5 2009/09/29 15:06:07 fdupont Exp $ */
+
+#include <config.h>
+
+#include <sys/types.h>
+#include <sys/socket.h>
+
+#include <netinet/in.h>
+
+#include <arpa/inet.h>
+
+#include <unistd.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <isc/app.h>
+#include <isc/buffer.h>
+#include <isc/lib.h>
+#include <isc/mem.h>
+#include <isc/socket.h>
+#include <isc/sockaddr.h>
+#include <isc/task.h>
+#include <isc/timer.h>
+#include <isc/util.h>
+
+#include <dns/client.h>
+#include <dns/fixedname.h>
+#include <dns/lib.h>
+#include <dns/name.h>
+#include <dns/rdataset.h>
+#include <dns/rdatatype.h>
+#include <dns/result.h>
+
+#define MAX_SERVERS 10
+#define MAX_QUERIES 100
+
+static dns_client_t *client = NULL;
+static isc_task_t *query_task = NULL;
+static isc_appctx_t *query_actx = NULL;
+static unsigned int outstanding_queries = 0;
+static const char *def_server = "127.0.0.1";
+static FILE *fp;
+
+struct query_trans {
+ int id;
+ isc_boolean_t inuse;
+ dns_rdatatype_t type;
+ dns_fixedname_t fixedname;
+ dns_name_t *qname;
+ dns_namelist_t answerlist;
+ dns_clientrestrans_t *xid;
+};
+
+static struct query_trans query_array[MAX_QUERIES];
+
+static isc_result_t dispatch_query(struct query_trans *trans);
+
+static void
+ctxs_destroy(isc_mem_t **mctxp, isc_appctx_t **actxp,
+ isc_taskmgr_t **taskmgrp, isc_socketmgr_t **socketmgrp,
+ isc_timermgr_t **timermgrp)
+{
+ if (*taskmgrp != NULL)
+ isc_taskmgr_destroy(taskmgrp);
+
+ if (*timermgrp != NULL)
+ isc_timermgr_destroy(timermgrp);
+
+ if (*socketmgrp != NULL)
+ isc_socketmgr_destroy(socketmgrp);
+
+ if (*actxp != NULL)
+ isc_appctx_destroy(actxp);
+
+ if (*mctxp != NULL)
+ isc_mem_destroy(mctxp);
+}
+
+static isc_result_t
+ctxs_init(isc_mem_t **mctxp, isc_appctx_t **actxp,
+ isc_taskmgr_t **taskmgrp, isc_socketmgr_t **socketmgrp,
+ isc_timermgr_t **timermgrp)
+{
+ isc_result_t result;
+
+ result = isc_mem_create(0, 0, mctxp);
+ if (result != ISC_R_SUCCESS)
+ goto fail;
+
+ result = isc_appctx_create(*mctxp, actxp);
+ if (result != ISC_R_SUCCESS)
+ goto fail;
+
+ result = isc_taskmgr_createinctx(*mctxp, *actxp, 1, 0, taskmgrp);
+ if (result != ISC_R_SUCCESS)
+ goto fail;
+
+ result = isc_socketmgr_createinctx(*mctxp, *actxp, socketmgrp);
+ if (result != ISC_R_SUCCESS)
+ goto fail;
+
+ result = isc_timermgr_createinctx(*mctxp, *actxp, timermgrp);
+ if (result != ISC_R_SUCCESS)
+ goto fail;
+
+ return (ISC_R_SUCCESS);
+
+ fail:
+ ctxs_destroy(mctxp, actxp, taskmgrp, socketmgrp, timermgrp);
+
+ return (result);
+}
+
+static isc_result_t
+printdata(dns_rdataset_t *rdataset, dns_name_t *owner) {
+ isc_buffer_t target;
+ isc_result_t result;
+ isc_region_t r;
+ char t[4096];
+
+ isc_buffer_init(&target, t, sizeof(t));
+
+ if (!dns_rdataset_isassociated(rdataset))
+ return (ISC_R_SUCCESS);
+ result = dns_rdataset_totext(rdataset, owner, ISC_FALSE, ISC_FALSE,
+ &target);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ isc_buffer_usedregion(&target, &r);
+ printf(" %.*s", (int)r.length, (char *)r.base);
+
+ return (ISC_R_SUCCESS);
+}
+
+static void
+process_answer(isc_task_t *task, isc_event_t *event) {
+ struct query_trans *trans = event->ev_arg;
+ dns_clientresevent_t *rev = (dns_clientresevent_t *)event;
+ dns_name_t *name;
+ dns_rdataset_t *rdataset;
+ isc_result_t result;
+
+ REQUIRE(task == query_task);
+ REQUIRE(trans->inuse == ISC_TRUE);
+ REQUIRE(outstanding_queries > 0);
+
+ printf("answer[%2d]\n", trans->id);
+
+ if (rev->result != ISC_R_SUCCESS)
+ printf(" failed: %d(%s)\n", rev->result,
+ dns_result_totext(rev->result));
+
+ for (name = ISC_LIST_HEAD(rev->answerlist); name != NULL;
+ name = ISC_LIST_NEXT(name, link)) {
+ for (rdataset = ISC_LIST_HEAD(name->list);
+ rdataset != NULL;
+ rdataset = ISC_LIST_NEXT(rdataset, link)) {
+ (void)printdata(rdataset, name);
+ }
+ }
+
+ dns_client_freeresanswer(client, &rev->answerlist);
+ dns_client_destroyrestrans(&trans->xid);
+
+ isc_event_free(&event);
+
+ trans->inuse = ISC_FALSE;
+ dns_fixedname_invalidate(&trans->fixedname);
+ trans->qname = NULL;
+ outstanding_queries--;
+
+ result = dispatch_query(trans);
+#if 0 /* for cancel test */
+ if (result == ISC_R_SUCCESS) {
+ static int count = 0;
+
+ if ((++count) % 10 == 0)
+ dns_client_cancelresolve(trans->xid);
+ }
+#endif
+ if (result == ISC_R_NOMORE && outstanding_queries == 0)
+ isc_app_ctxshutdown(query_actx);
+}
+
+static isc_result_t
+dispatch_query(struct query_trans *trans) {
+ isc_result_t result;
+ size_t namelen;
+ isc_buffer_t b;
+ char buf[4096]; /* XXX ad hoc constant, but should be enough */
+ char *cp;
+
+ REQUIRE(trans != NULL);
+ REQUIRE(trans->inuse == ISC_FALSE);
+ REQUIRE(ISC_LIST_EMPTY(trans->answerlist));
+ REQUIRE(outstanding_queries < MAX_QUERIES);
+
+ /* Construct qname */
+ cp = fgets(buf, sizeof(buf), fp);
+ if (cp == NULL)
+ return (ISC_R_NOMORE);
+ /* zap NL if any */
+ if ((cp = strchr(buf, '\n')) != NULL)
+ *cp = '\0';
+ namelen = strlen(buf);
+ isc_buffer_init(&b, buf, namelen);
+ isc_buffer_add(&b, namelen);
+ dns_fixedname_init(&trans->fixedname);
+ trans->qname = dns_fixedname_name(&trans->fixedname);
+ result = dns_name_fromtext(trans->qname, &b, dns_rootname, 0, NULL);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+
+ /* Start resolution */
+ result = dns_client_startresolve(client, trans->qname,
+ dns_rdataclass_in, trans->type, 0,
+ query_task, process_answer, trans,
+ &trans->xid);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+
+ trans->inuse = ISC_TRUE;
+ outstanding_queries++;
+
+ return (ISC_R_SUCCESS);
+
+ cleanup:
+ dns_fixedname_invalidate(&trans->fixedname);
+
+ return (result);
+}
+
+ISC_PLATFORM_NORETURN_PRE static void
+usage(void) ISC_PLATFORM_NORETURN_POST;
+
+static void
+usage(void) {
+ fprintf(stderr, "usage: sample-async [-s server_address] [-t RR type] "
+ "input_file\n");
+
+ exit(1);
+}
+
+int
+main(int argc, char *argv[]) {
+ int ch;
+ isc_textregion_t tr;
+ isc_mem_t *mctx = NULL;
+ isc_taskmgr_t *taskmgr = NULL;
+ isc_socketmgr_t *socketmgr = NULL;
+ isc_timermgr_t *timermgr = NULL;
+ int nservers = 0;
+ const char *serveraddr[MAX_SERVERS];
+ isc_sockaddr_t sa[MAX_SERVERS];
+ isc_sockaddrlist_t servers;
+ dns_rdatatype_t type = dns_rdatatype_a;
+ struct in_addr inaddr;
+ isc_result_t result;
+ int i;
+
+ while ((ch = getopt(argc, argv, "s:t:")) != -1) {
+ switch (ch) {
+ case 't':
+ tr.base = optarg;
+ tr.length = strlen(optarg);
+ result = dns_rdatatype_fromtext(&type, &tr);
+ if (result != ISC_R_SUCCESS) {
+ fprintf(stderr,
+ "invalid RRtype: %s\n", optarg);
+ exit(1);
+ }
+ break;
+ case 's':
+ if (nservers == MAX_SERVERS) {
+ fprintf(stderr,
+ "too many servers (up to %d)\n",
+ MAX_SERVERS);
+ exit(1);
+ }
+ serveraddr[nservers++] = (const char *)optarg;
+ break;
+ default:
+ usage();
+ }
+ }
+
+ argc -= optind;
+ argv += optind;
+ if (argc < 1)
+ usage();
+
+ if (nservers == 0) {
+ nservers = 1;
+ serveraddr[0] = def_server;
+ }
+
+ for (i = 0; i < MAX_QUERIES; i++) {
+ query_array[i].id = i;
+ query_array[i].inuse = ISC_FALSE;
+ query_array[i].type = type;
+ dns_fixedname_init(&query_array[i].fixedname);
+ query_array[i].qname = NULL;
+ ISC_LIST_INIT(query_array[i].answerlist);
+ query_array[i].xid = NULL;
+ }
+
+ isc_lib_register();
+ result = dns_lib_init();
+ if (result != ISC_R_SUCCESS) {
+ fprintf(stderr, "dns_lib_init failed: %d\n", result);
+ exit(1);
+ }
+
+ result = ctxs_init(&mctx, &query_actx, &taskmgr, &socketmgr,
+ &timermgr);
+ if (result != ISC_R_SUCCESS) {
+ fprintf(stderr, "ctx create failed: %d\n", result);
+ exit(1);
+ }
+
+ isc_app_ctxstart(query_actx);
+
+ result = dns_client_createx(mctx, query_actx, taskmgr, socketmgr,
+ timermgr, 0, &client);
+ if (result != ISC_R_SUCCESS) {
+ fprintf(stderr, "dns_client_createx failed: %d\n", result);
+ exit(1);
+ }
+
+ /* Set nameservers */
+ ISC_LIST_INIT(servers);
+ for (i = 0; i < nservers; i++) {
+ if (inet_pton(AF_INET, serveraddr[i], &inaddr) != 1) {
+ fprintf(stderr, "failed to parse IPv4 address %s\n",
+ serveraddr[i]);
+ exit(1);
+ }
+ isc_sockaddr_fromin(&sa[i], &inaddr, 53);
+ ISC_LIST_APPEND(servers, &sa[i], link);
+ }
+ result = dns_client_setservers(client, dns_rdataclass_in, NULL,
+ &servers);
+ if (result != ISC_R_SUCCESS) {
+ fprintf(stderr, "set server failed: %d\n", result);
+ exit(1);
+ }
+
+ /* Create the main task */
+ query_task = NULL;
+ result = isc_task_create(taskmgr, 0, &query_task);
+ if (result != ISC_R_SUCCESS) {
+ fprintf(stderr, "failed to create task: %d\n", result);
+ exit(1);
+ }
+
+ /* Open input file */
+ fp = fopen(argv[0], "r");
+ if (fp == NULL) {
+ fprintf(stderr, "failed to open input file: %s\n", argv[1]);
+ exit(1);
+ }
+
+ /* Dispatch initial queries */
+ for (i = 0; i < MAX_QUERIES; i++) {
+ result = dispatch_query(&query_array[i]);
+ if (result == ISC_R_NOMORE)
+ break;
+ }
+
+ /* Start event loop */
+ isc_app_ctxrun(query_actx);
+
+ /* Sanity check */
+ for (i = 0; i < MAX_QUERIES; i++)
+ INSIST(query_array[i].inuse == ISC_FALSE);
+
+ /* Cleanup */
+ isc_task_detach(&query_task);
+ dns_client_destroy(&client);
+ dns_lib_shutdown();
+ isc_app_ctxfinish(query_actx);
+ ctxs_destroy(&mctx, &query_actx, &taskmgr, &socketmgr, &timermgr);
+
+ exit(0);
+}
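Review bot: The fopen failure message in main() prints `argv[1]`, but the file that was opened is `argv[0]`; after `argv += optind` with exactly one positional argument, `argv[1]` is the terminating NULL, so `%s` is handed a null pointer. The line should be `fprintf(stderr, "failed to open input file: %s\n", argv[0]);`. Separately, both the initial dispatch loop and process_answer() react only to ISC_R_NOMORE from dispatch_query(). A name in the input file that fails dns_name_fromtext() appears to leave that slot idle without any message, and if it happens when outstanding_queries has just reached 0, isc_app_ctxshutdown() is never called. An explicit error path, or at least a comment on that case, would help.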
diff --git a/contrib/bind9/lib/export/samples/sample-gai.c b/contrib/bind9/lib/export/samples/sample-gai.c
new file mode 100644
index 000000000000..6dc4014ed56d
--- /dev/null
+++ b/contrib/bind9/lib/export/samples/sample-gai.c
@@ -0,0 +1,77 @@
+/*
+ * Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: sample-gai.c,v 1.4 2009/09/02 23:48:02 tbox Exp $ */
+
+#include <config.h>
+
+#include <sys/types.h>
+#include <sys/socket.h>
+
+#include <irs/netdb.h>
+
+#include <stdlib.h>
+#include <string.h>
+#include <stdio.h>
+
+static void
+do_gai(int family, char *hostname) {
+ struct addrinfo hints, *res, *res0;
+ int error;
+ char namebuf[1024], addrbuf[1024], servbuf[1024];
+
+ memset(&hints, 0, sizeof(hints));
+ hints.ai_family = family;
+ hints.ai_socktype = SOCK_STREAM;
+ hints.ai_flags = AI_CANONNAME;
+ error = getaddrinfo(hostname, "http", &hints, &res0);
+ if (error) {
+ fprintf(stderr, "getaddrinfo failed for %s,family=%d: %s\n",
+ hostname, family, gai_strerror(error));
+ return;
+ }
+
+ for (res = res0; res; res = res->ai_next) {
+ error = getnameinfo(res->ai_addr, res->ai_addrlen,
+ addrbuf, sizeof(addrbuf),
+ NULL, 0, NI_NUMERICHOST);
+ if (error == 0)
+ error = getnameinfo(res->ai_addr, res->ai_addrlen,
+ namebuf, sizeof(namebuf),
+ servbuf, sizeof(servbuf), 0);
+ if (error != 0) {
+ fprintf(stderr, "getnameinfo failed: %s\n",
+ gai_strerror(error));
+ } else {
+ printf("%s(%s/%s)=%s:%s\n", hostname,
+ res->ai_canonname, addrbuf, namebuf, servbuf);
+ }
+ }
+
+ freeaddrinfo(res);
+}
+
+int
+main(int argc, char *argv[]) {
+ if (argc < 2)
+ exit(1);
+
+ do_gai(AF_INET, argv[1]);
+ do_gai(AF_INET6, argv[1]);
+ do_gai(AF_UNSPEC, argv[1]);
+
+ exit(0);
+}
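Review bot: do_gai() ends with `freeaddrinfo(res)`, but `res` is the loop cursor and is already NULL when the loop exits, so the list headed by `res0` is never released; the call should be `freeaddrinfo(res0);`. In the same loop `res->ai_canonname` is passed to `%s` for every entry, while AI_CANONNAME is only specified to fill it in on the first addrinfo. Later entries can therefore hand printf a null pointer; printing `res0->ai_canonname` behind a NULL check would avoid that.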
diff --git a/contrib/bind9/lib/export/samples/sample-request.c b/contrib/bind9/lib/export/samples/sample-request.c
new file mode 100644
index 000000000000..d5d2312e30d1
--- /dev/null
+++ b/contrib/bind9/lib/export/samples/sample-request.c
@@ -0,0 +1,263 @@
+/*
+ * Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: sample-request.c,v 1.5 2009/09/29 15:06:07 fdupont Exp $ */
+
+#include <config.h>
+
+#include <sys/types.h>
+#include <sys/socket.h>
+
+#include <netinet/in.h>
+
+#include <arpa/inet.h>
+
+#include <unistd.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <netdb.h>
+
+#include <isc/base64.h>
+#include <isc/buffer.h>
+#include <isc/lib.h>
+#include <isc/mem.h>
+#include <isc/sockaddr.h>
+#include <isc/util.h>
+
+#include <dns/client.h>
+#include <dns/fixedname.h>
+#include <dns/keyvalues.h>
+#include <dns/lib.h>
+#include <dns/masterdump.h>
+#include <dns/message.h>
+#include <dns/name.h>
+#include <dns/rdata.h>
+#include <dns/rdataset.h>
+#include <dns/rdatastruct.h>
+#include <dns/rdatatype.h>
+#include <dns/result.h>
+#include <dns/secalg.h>
+
+#include <dst/dst.h>
+
+static isc_mem_t *mctx;
+static dns_fixedname_t fixedqname;
+
+ISC_PLATFORM_NORETURN_PRE static void
+usage(void) ISC_PLATFORM_NORETURN_POST;
+
+static void
+usage(void) {
+ fprintf(stderr, "sample-request [-t RRtype] server_address hostname\n");
+
+ exit(1);
+}
+
+static isc_result_t
+make_querymessage(dns_message_t *message, const char *namestr,
+ dns_rdatatype_t rdtype)
+{
+ dns_name_t *qname = NULL, *qname0;
+ dns_rdataset_t *qrdataset = NULL;
+ isc_result_t result;
+ isc_buffer_t b;
+ size_t namelen;
+
+ /* Construct qname */
+ namelen = strlen(namestr);
+ isc_buffer_init(&b, namestr, namelen);
+ isc_buffer_add(&b, namelen);
+ dns_fixedname_init(&fixedqname);
+ qname0 = dns_fixedname_name(&fixedqname);
+ result = dns_name_fromtext(qname0, &b, dns_rootname, 0, NULL);
+ if (result != ISC_R_SUCCESS) {
+ fprintf(stderr, "failed to convert qname: %d\n", result);
+ return (result);
+ }
+
+ /* Construct query message */
+ message->opcode = dns_opcode_query;
+ message->rdclass = dns_rdataclass_in;
+
+ result = dns_message_gettempname(message, &qname);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+
+ result = dns_message_gettemprdataset(message, &qrdataset);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+
+ dns_name_init(qname, NULL);
+ dns_name_clone(qname0, qname);
+ dns_rdataset_init(qrdataset);
+ dns_rdataset_makequestion(qrdataset, message->rdclass, rdtype);
+ ISC_LIST_APPEND(qname->list, qrdataset, link);
+ dns_message_addname(message, qname, DNS_SECTION_QUESTION);
+
+ return (ISC_R_SUCCESS);
+
+ cleanup:
+ if (qname != NULL)
+ dns_message_puttempname(message, &qname);
+ if (qrdataset != NULL)
+ dns_message_puttemprdataset(message, &qrdataset);
+ if (message != NULL)
+ dns_message_destroy(&message);
+ return (result);
+}
+
+static void
+print_section(dns_message_t *message, int section, isc_buffer_t *buf) {
+ isc_result_t result;
+ isc_region_t r;
+
+ result = dns_message_sectiontotext(message, section,
+ &dns_master_style_full, 0, buf);
+ if (result != ISC_R_SUCCESS)
+ goto fail;
+
+ isc_buffer_usedregion(buf, &r);
+ printf("%.*s", (int)r.length, (char *)r.base);
+
+ return;
+
+ fail:
+ fprintf(stderr, "failed to convert a section\n");
+}
+
+int
+main(int argc, char *argv[]) {
+ int ch, i, gai_error;
+ struct addrinfo hints, *res;
+ isc_textregion_t tr;
+ dns_client_t *client = NULL;
+ isc_result_t result;
+ isc_sockaddr_t sa;
+ dns_message_t *qmessage, *rmessage;
+ dns_rdatatype_t type = dns_rdatatype_a;
+ isc_buffer_t *outputbuf;
+
+ while ((ch = getopt(argc, argv, "t:")) != -1) {
+ switch (ch) {
+ case 't':
+ tr.base = optarg;
+ tr.length = strlen(optarg);
+ result = dns_rdatatype_fromtext(&type, &tr);
+ if (result != ISC_R_SUCCESS) {
+ fprintf(stderr,
+ "invalid RRtype: %s\n", optarg);
+ exit(1);
+ }
+ break;
+ default:
+ usage();
+ }
+ }
+
+ argc -= optind;
+ argv += optind;
+ if (argc < 2)
+ usage();
+
+ isc_lib_register();
+ result = dns_lib_init();
+ if (result != ISC_R_SUCCESS) {
+ fprintf(stderr, "dns_lib_init failed: %d\n", result);
+ exit(1);
+ }
+
+ result = dns_client_create(&client, 0);
+ if (result != ISC_R_SUCCESS) {
+ fprintf(stderr, "dns_client_create failed: %d\n", result);
+ exit(1);
+ }
+
+ /* Prepare message structures */
+ mctx = NULL;
+ qmessage = NULL;
+ rmessage = NULL;
+
+ result = isc_mem_create(0, 0, &mctx);
+ if (result != ISC_R_SUCCESS) {
+ fprintf(stderr, "failed to create a memory context\n");
+ exit(1);
+ }
+ result = dns_message_create(mctx, DNS_MESSAGE_INTENTRENDER, &qmessage);
+ if (result == ISC_R_SUCCESS) {
+ result = dns_message_create(mctx, DNS_MESSAGE_INTENTPARSE,
+ &rmessage);
+ }
+ if (result != ISC_R_SUCCESS) {
+ fprintf(stderr, "failed to create messages\n");
+ exit(1);
+ }
+
+ /* Initialize the nameserver address */
+ memset(&hints, 0, sizeof(hints));
+ hints.ai_family = AF_UNSPEC;
+ hints.ai_socktype = SOCK_DGRAM;
+ hints.ai_protocol = IPPROTO_UDP;
+ hints.ai_flags = AI_NUMERICHOST;
+ gai_error = getaddrinfo(argv[0], "53", &hints, &res);
+ if (gai_error != 0) {
+ fprintf(stderr, "getaddrinfo failed: %s\n",
+ gai_strerror(gai_error));
+ exit(1);
+ }
+ INSIST(res->ai_addrlen <= sizeof(sa.type));
+ memcpy(&sa.type, res->ai_addr, res->ai_addrlen);
+ freeaddrinfo(res);
+ sa.length = res->ai_addrlen;
+ ISC_LINK_INIT(&sa, link);
+
+ /* Construct qname */
+ result = make_querymessage(qmessage, argv[1], type);
+ if (result != ISC_R_SUCCESS) {
+ fprintf(stderr, "failed to create a query\n");
+ exit(1);
+ }
+
+ /* Send request and wait for a response */
+ result = dns_client_request(client, qmessage, rmessage, &sa, 0, 0,
+ NULL, 60, 0, 3);
+ if (result != ISC_R_SUCCESS) {
+ fprintf(stderr, "failed to get a response: %s\n",
+ dns_result_totext(result));
+ }
+
+ /* Dump the response */
+ outputbuf = NULL;
+ result = isc_buffer_allocate(mctx, &outputbuf, 65535);
+ if (result != ISC_R_SUCCESS) {
+ fprintf(stderr, "failed to allocate a result buffer\n");
+ exit(1);
+ }
+ for (i = 0; i < DNS_SECTION_MAX; i++) {
+ print_section(rmessage, i, outputbuf);
+ isc_buffer_clear(outputbuf);
+ }
+ isc_buffer_free(&outputbuf);
+
+ /* Cleanup */
+ dns_message_destroy(&qmessage);
+ dns_message_destroy(&rmessage);
+ isc_mem_destroy(&mctx);
+ dns_client_destroy(&client);
+ dns_lib_shutdown();
+
+ exit(0);
+}
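Review bot: main() reads `res->ai_addrlen` after the list has been released: `freeaddrinfo(res);` is immediately followed by `sa.length = res->ai_addrlen;`, which is a read of freed memory. Swap the two statements so the length is stored first: `sa.length = res->ai_addrlen;` then `freeaddrinfo(res);`. Also, make_querymessage()'s cleanup path calls `dns_message_destroy(&message)` on its local copy of the pointer, which leaves the caller's `qmessage` dangling. main() exits right away so nothing touches it here, but a comment on the function should state that the message is consumed on failure.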
diff --git a/contrib/bind9/lib/export/samples/sample-update.c b/contrib/bind9/lib/export/samples/sample-update.c
new file mode 100644
index 000000000000..e54d154424e8
--- /dev/null
+++ b/contrib/bind9/lib/export/samples/sample-update.c
@@ -0,0 +1,755 @@
+/*
+ * Copyright (C) 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: sample-update.c,v 1.10 2010/12/09 00:54:34 marka Exp $ */
+
+#include <config.h>
+
+#include <sys/types.h>
+#include <sys/socket.h>
+
+#include <netinet/in.h>
+
+#include <arpa/inet.h>
+
+#include <unistd.h>
+#include <ctype.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <netdb.h>
+
+#include <isc/buffer.h>
+#include <isc/lex.h>
+#include <isc/lib.h>
+#include <isc/mem.h>
+#include <isc/parseint.h>
+#include <isc/sockaddr.h>
+#include <isc/util.h>
+
+#include <dns/callbacks.h>
+#include <dns/client.h>
+#include <dns/fixedname.h>
+#include <dns/lib.h>
+#include <dns/name.h>
+#include <dns/rdata.h>
+#include <dns/rdataclass.h>
+#include <dns/rdatalist.h>
+#include <dns/rdataset.h>
+#include <dns/rdatastruct.h>
+#include <dns/rdatatype.h>
+#include <dns/result.h>
+#include <dns/secalg.h>
+#include <dns/tsec.h>
+
+#include <dst/dst.h>
+
+static dns_tsec_t *tsec = NULL;
+static const dns_rdataclass_t default_rdataclass = dns_rdataclass_in;
+static isc_bufferlist_t usedbuffers;
+static ISC_LIST(dns_rdatalist_t) usedrdatalists;
+
+static void setup_tsec(char *keyfile, isc_mem_t *mctx);
+static void update_addordelete(isc_mem_t *mctx, char *cmdline,
+ isc_boolean_t isdelete, dns_name_t *name);
+static void evaluate_prereq(isc_mem_t *mctx, char *cmdline, dns_name_t *name);
+
+ISC_PLATFORM_NORETURN_PRE static void
+usage(void) ISC_PLATFORM_NORETURN_POST;
+
+static void
+usage(void) {
+ fprintf(stderr, "sample-update "
+ "[-a auth_server] "
+ "[-k keyfile] "
+ "[-p prerequisite] "
+ "[-r recursive_server] "
+ "[-z zonename] "
+ "(add|delete) \"name TTL RRtype RDATA\"\n");
+ exit(1);
+}
+
+int
+main(int argc, char *argv[]) {
+ int ch;
+ struct addrinfo hints, *res;
+ int gai_error;
+ dns_client_t *client = NULL;
+ char *zonenamestr = NULL;
+ char *keyfilename = NULL;
+ char *prereqstr = NULL;
+ isc_sockaddrlist_t auth_servers;
+ char *auth_server = NULL;
+ char *recursive_server = NULL;
+ isc_sockaddr_t sa_auth, sa_recursive;
+ isc_sockaddrlist_t rec_servers;
+ isc_result_t result;
+ isc_boolean_t isdelete;
+ isc_buffer_t b, *buf;
+ dns_fixedname_t zname0, pname0, uname0;
+ size_t namelen;
+ dns_name_t *zname = NULL, *uname, *pname;
+ dns_rdataset_t *rdataset;
+ dns_rdatalist_t *rdatalist;
+ dns_rdata_t *rdata;
+ dns_namelist_t updatelist, prereqlist, *prereqlistp = NULL;
+ isc_mem_t *umctx = NULL;
+
+ while ((ch = getopt(argc, argv, "a:k:p:r:z:")) != -1) {
+ switch (ch) {
+ case 'k':
+ keyfilename = optarg;
+ break;
+ case 'a':
+ auth_server = optarg;
+ break;
+ case 'p':
+ prereqstr = optarg;
+ break;
+ case 'r':
+ recursive_server = optarg;
+ break;
+ case 'z':
+ zonenamestr = optarg;
+ break;
+ default:
+ usage();
+ }
+ }
+
+ argc -= optind;
+ argv += optind;
+ if (argc < 2)
+ usage();
+
+ /* command line argument validation */
+ if (strcmp(argv[0], "delete") == 0)
+ isdelete = ISC_TRUE;
+ else if (strcmp(argv[0], "add") == 0)
+ isdelete = ISC_FALSE;
+ else {
+ fprintf(stderr, "invalid update command: %s\n", argv[0]);
+ exit(1);
+ }
+
+ if (auth_server == NULL && recursive_server == NULL) {
+ fprintf(stderr, "authoritative or recursive server "
+ "must be specified\n");
+ usage();
+ }
+
+ /* Initialization */
+ ISC_LIST_INIT(usedbuffers);
+ ISC_LIST_INIT(usedrdatalists);
+ ISC_LIST_INIT(prereqlist);
+ ISC_LIST_INIT(auth_servers);
+ isc_lib_register();
+ result = dns_lib_init();
+ if (result != ISC_R_SUCCESS) {
+ fprintf(stderr, "dns_lib_init failed: %d\n", result);
+ exit(1);
+ }
+ result = isc_mem_create(0, 0, &umctx);
+ if (result != ISC_R_SUCCESS) {
+ fprintf(stderr, "failed to crate mctx\n");
+ exit(1);
+ }
+
+ result = dns_client_create(&client, 0);
+ if (result != ISC_R_SUCCESS) {
+ fprintf(stderr, "dns_client_create failed: %d\n", result);
+ exit(1);
+ }
+
+ /* Set the authoritative server */
+ if (auth_server != NULL) {
+ memset(&hints, 0, sizeof(hints));
+ hints.ai_family = AF_UNSPEC;
+ hints.ai_socktype = SOCK_DGRAM;
+ hints.ai_protocol = IPPROTO_UDP;
+ hints.ai_flags = AI_NUMERICHOST;
+ gai_error = getaddrinfo(auth_server, "53", &hints, &res);
+ if (gai_error != 0) {
+ fprintf(stderr, "getaddrinfo failed: %s\n",
+ gai_strerror(gai_error));
+ exit(1);
+ }
+ INSIST(res->ai_addrlen <= sizeof(sa_auth.type));
+ memcpy(&sa_auth.type, res->ai_addr, res->ai_addrlen);
+ freeaddrinfo(res);
+ sa_auth.length = res->ai_addrlen;
+ ISC_LINK_INIT(&sa_auth, link);
+
+ ISC_LIST_APPEND(auth_servers, &sa_auth, link);
+ }
+
+ /* Set the recursive server */
+ if (recursive_server != NULL) {
+ memset(&hints, 0, sizeof(hints));
+ hints.ai_family = AF_UNSPEC;
+ hints.ai_socktype = SOCK_DGRAM;
+ hints.ai_protocol = IPPROTO_UDP;
+ hints.ai_flags = AI_NUMERICHOST;
+ gai_error = getaddrinfo(recursive_server, "53", &hints, &res);
+ if (gai_error != 0) {
+ fprintf(stderr, "getaddrinfo failed: %s\n",
+ gai_strerror(gai_error));
+ exit(1);
+ }
+ INSIST(res->ai_addrlen <= sizeof(sa_recursive.type));
+ memcpy(&sa_recursive.type, res->ai_addr, res->ai_addrlen);
+ freeaddrinfo(res);
+ sa_recursive.length = res->ai_addrlen;
+ ISC_LINK_INIT(&sa_recursive, link);
+ ISC_LIST_INIT(rec_servers);
+ ISC_LIST_APPEND(rec_servers, &sa_recursive, link);
+ result = dns_client_setservers(client, dns_rdataclass_in,
+ NULL, &rec_servers);
+ if (result != ISC_R_SUCCESS) {
+ fprintf(stderr, "set server failed: %d\n", result);
+ exit(1);
+ }
+ }
+
+ /* Construct zone name */
+ zname = NULL;
+ if (zonenamestr != NULL) {
+ namelen = strlen(zonenamestr);
+ isc_buffer_init(&b, zonenamestr, namelen);
+ isc_buffer_add(&b, namelen);
+ dns_fixedname_init(&zname0);
+ zname = dns_fixedname_name(&zname0);
+ result = dns_name_fromtext(zname, &b, dns_rootname, 0, NULL);
+ if (result != ISC_R_SUCCESS)
+ fprintf(stderr, "failed to convert zone name: %d\n",
+ result);
+ }
+
+ /* Construct prerequisite name (if given) */
+ if (prereqstr != NULL) {
+ dns_fixedname_init(&pname0);
+ pname = dns_fixedname_name(&pname0);
+ evaluate_prereq(umctx, prereqstr, pname);
+ ISC_LIST_APPEND(prereqlist, pname, link);
+ prereqlistp = &prereqlist;
+ }
+
+ /* Construct update name */
+ ISC_LIST_INIT(updatelist);
+ dns_fixedname_init(&uname0);
+ uname = dns_fixedname_name(&uname0);
+ update_addordelete(umctx, argv[1], isdelete, uname);
+ ISC_LIST_APPEND(updatelist, uname, link);
+
+ /* Set up TSIG/SIG(0) key (if given) */
+ if (keyfilename != NULL)
+ setup_tsec(keyfilename, umctx);
+
+ /* Perform update */
+ result = dns_client_update(client,
+ default_rdataclass, /* XXX: fixed */
+ zname, prereqlistp, &updatelist,
+ (auth_server == NULL) ? NULL :
+ &auth_servers, tsec, 0);
+ if (result != ISC_R_SUCCESS) {
+ fprintf(stderr,
+ "update failed: %s\n", dns_result_totext(result));
+ } else
+ fprintf(stderr, "update succeeded\n");
+
+ /* Cleanup */
+ while ((pname = ISC_LIST_HEAD(prereqlist)) != NULL) {
+ while ((rdataset = ISC_LIST_HEAD(pname->list)) != NULL) {
+ ISC_LIST_UNLINK(pname->list, rdataset, link);
+ dns_rdataset_disassociate(rdataset);
+ isc_mem_put(umctx, rdataset, sizeof(*rdataset));
+ }
+ ISC_LIST_UNLINK(prereqlist, pname, link);
+ }
+ while ((uname = ISC_LIST_HEAD(updatelist)) != NULL) {
+ while ((rdataset = ISC_LIST_HEAD(uname->list)) != NULL) {
+ ISC_LIST_UNLINK(uname->list, rdataset, link);
+ dns_rdataset_disassociate(rdataset);
+ isc_mem_put(umctx, rdataset, sizeof(*rdataset));
+ }
+ ISC_LIST_UNLINK(updatelist, uname, link);
+ }
+ while ((rdatalist = ISC_LIST_HEAD(usedrdatalists)) != NULL) {
+ while ((rdata = ISC_LIST_HEAD(rdatalist->rdata)) != NULL) {
+ ISC_LIST_UNLINK(rdatalist->rdata, rdata, link);
+ isc_mem_put(umctx, rdata, sizeof(*rdata));
+ }
+ ISC_LIST_UNLINK(usedrdatalists, rdatalist, link);
+ isc_mem_put(umctx, rdatalist, sizeof(*rdatalist));
+ }
+ while ((buf = ISC_LIST_HEAD(usedbuffers)) != NULL) {
+ ISC_LIST_UNLINK(usedbuffers, buf, link);
+ isc_buffer_free(&buf);
+ }
+ if (tsec != NULL)
+ dns_tsec_destroy(&tsec);
+ isc_mem_destroy(&umctx);
+ dns_client_destroy(&client);
+ dns_lib_shutdown();
+
+ exit(0);
+}
+
+/*
+ * Subroutines borrowed from nsupdate.c
+ */
+#define MAXWIRE (64 * 1024)
+#define TTL_MAX 2147483647U /* Maximum signed 32 bit integer. */
+
+static char *
+nsu_strsep(char **stringp, const char *delim) {
+ char *string = *stringp;
+ char *s;
+ const char *d;
+ char sc, dc;
+
+ if (string == NULL)
+ return (NULL);
+
+ for (; *string != '\0'; string++) {
+ sc = *string;
+ for (d = delim; (dc = *d) != '\0'; d++) {
+ if (sc == dc)
+ break;
+ }
+ if (dc == 0)
+ break;
+ }
+
+ for (s = string; *s != '\0'; s++) {
+ sc = *s;
+ for (d = delim; (dc = *d) != '\0'; d++) {
+ if (sc == dc) {
+ *s++ = '\0';
+ *stringp = s;
+ return (string);
+ }
+ }
+ }
+ *stringp = NULL;
+ return (string);
+}
+
+static void
+fatal(const char *format, ...) {
+ va_list args;
+
+ va_start(args, format);
+ vfprintf(stderr, format, args);
+ va_end(args);
+ fprintf(stderr, "\n");
+ exit(1);
+}
+
+static inline void
+check_result(isc_result_t result, const char *msg) {
+ if (result != ISC_R_SUCCESS)
+ fatal("%s: %s", msg, isc_result_totext(result));
+}
+
+static void
+parse_name(char **cmdlinep, dns_name_t *name) {
+ isc_result_t result;
+ char *word;
+ isc_buffer_t source;
+
+ word = nsu_strsep(cmdlinep, " \t\r\n");
+ if (*word == 0) {
+ fprintf(stderr, "could not read owner name\n");
+ exit(1);
+ }
+
+ isc_buffer_init(&source, word, strlen(word));
+ isc_buffer_add(&source, strlen(word));
+ result = dns_name_fromtext(name, &source, dns_rootname, 0, NULL);
+ check_result(result, "dns_name_fromtext");
+ isc_buffer_invalidate(&source);
+}
+
+static void
+parse_rdata(isc_mem_t *mctx, char **cmdlinep, dns_rdataclass_t rdataclass,
+ dns_rdatatype_t rdatatype, dns_rdata_t *rdata)
+{
+ char *cmdline = *cmdlinep;
+ isc_buffer_t source, *buf = NULL, *newbuf = NULL;
+ isc_region_t r;
+ isc_lex_t *lex = NULL;
+ dns_rdatacallbacks_t callbacks;
+ isc_result_t result;
+
+ while (cmdline != NULL && *cmdline != 0 &&
+ isspace((unsigned char)*cmdline))
+ cmdline++;
+
+ if (cmdline != NULL && *cmdline != 0) {
+ dns_rdatacallbacks_init(&callbacks);
+ result = isc_lex_create(mctx, strlen(cmdline), &lex);
+ check_result(result, "isc_lex_create");
+ isc_buffer_init(&source, cmdline, strlen(cmdline));
+ isc_buffer_add(&source, strlen(cmdline));
+ result = isc_lex_openbuffer(lex, &source);
+ check_result(result, "isc_lex_openbuffer");
+ result = isc_buffer_allocate(mctx, &buf, MAXWIRE);
+ check_result(result, "isc_buffer_allocate");
+ result = dns_rdata_fromtext(rdata, rdataclass, rdatatype, lex,
+ dns_rootname, 0, mctx, buf,
+ &callbacks);
+ isc_lex_destroy(&lex);
+ if (result == ISC_R_SUCCESS) {
+ isc_buffer_usedregion(buf, &r);
+ result = isc_buffer_allocate(mctx, &newbuf, r.length);
+ check_result(result, "isc_buffer_allocate");
+ isc_buffer_putmem(newbuf, r.base, r.length);
+ isc_buffer_usedregion(newbuf, &r);
+ dns_rdata_reset(rdata);
+ dns_rdata_fromregion(rdata, rdataclass, rdatatype, &r);
+ isc_buffer_free(&buf);
+ ISC_LIST_APPEND(usedbuffers, newbuf, link);
+ } else {
+ fprintf(stderr, "invalid rdata format: %s\n",
+ isc_result_totext(result));
+ isc_buffer_free(&buf);
+ exit(1);
+ }
+ } else {
+ rdata->flags = DNS_RDATA_UPDATE;
+ }
+ *cmdlinep = cmdline;
+}
+
+static void
+update_addordelete(isc_mem_t *mctx, char *cmdline, isc_boolean_t isdelete,
+ dns_name_t *name)
+{
+ isc_result_t result;
+ isc_uint32_t ttl;
+ char *word;
+ dns_rdataclass_t rdataclass;
+ dns_rdatatype_t rdatatype;
+ dns_rdata_t *rdata = NULL;
+ dns_rdatalist_t *rdatalist = NULL;
+ dns_rdataset_t *rdataset = NULL;
+ isc_textregion_t region;
+
+ /*
+ * Read the owner name.
+ */
+ parse_name(&cmdline, name);
+
+ rdata = isc_mem_get(mctx, sizeof(*rdata));
+ if (rdata == NULL) {
+ fprintf(stderr, "memory allocation for rdata failed\n");
+ exit(1);
+ }
+ dns_rdata_init(rdata);
+
+ /*
+ * If this is an add, read the TTL and verify that it's in range.
+ * If it's a delete, ignore a TTL if present (for compatibility).
+ */
+ word = nsu_strsep(&cmdline, " \t\r\n");
+ if (word == NULL || *word == 0) {
+ if (!isdelete) {
+ fprintf(stderr, "could not read owner ttl\n");
+ exit(1);
+ }
+ else {
+ ttl = 0;
+ rdataclass = dns_rdataclass_any;
+ rdatatype = dns_rdatatype_any;
+ rdata->flags = DNS_RDATA_UPDATE;
+ goto doneparsing;
+ }
+ }
+ result = isc_parse_uint32(&ttl, word, 10);
+ if (result != ISC_R_SUCCESS) {
+ if (isdelete) {
+ ttl = 0;
+ goto parseclass;
+ } else {
+ fprintf(stderr, "ttl '%s': %s\n", word,
+ isc_result_totext(result));
+ exit(1);
+ }
+ }
+
+ if (isdelete)
+ ttl = 0;
+ else if (ttl > TTL_MAX) {
+ fprintf(stderr, "ttl '%s' is out of range (0 to %u)\n",
+ word, TTL_MAX);
+ exit(1);
+ }
+
+ /*
+ * Read the class or type.
+ */
+ word = nsu_strsep(&cmdline, " \t\r\n");
+ parseclass:
+ if (word == NULL || *word == 0) {
+ if (isdelete) {
+ rdataclass = dns_rdataclass_any;
+ rdatatype = dns_rdatatype_any;
+ rdata->flags = DNS_RDATA_UPDATE;
+ goto doneparsing;
+ } else {
+ fprintf(stderr, "could not read class or type\n");
+ exit(1);
+ }
+ }
+ region.base = word;
+ region.length = strlen(word);
+ result = dns_rdataclass_fromtext(&rdataclass, &region);
+ if (result == ISC_R_SUCCESS) {
+ /*
+ * Now read the type.
+ */
+ word = nsu_strsep(&cmdline, " \t\r\n");
+ if (word == NULL || *word == 0) {
+ if (isdelete) {
+ rdataclass = dns_rdataclass_any;
+ rdatatype = dns_rdatatype_any;
+ rdata->flags = DNS_RDATA_UPDATE;
+ goto doneparsing;
+ } else {
+ fprintf(stderr, "could not read type\n");
+ exit(1);
+ }
+ }
+ region.base = word;
+ region.length = strlen(word);
+ result = dns_rdatatype_fromtext(&rdatatype, &region);
+ if (result != ISC_R_SUCCESS) {
+ fprintf(stderr, "'%s' is not a valid type: %s\n",
+ word, isc_result_totext(result));
+ exit(1);
+ }
+ } else {
+ rdataclass = default_rdataclass;
+ result = dns_rdatatype_fromtext(&rdatatype, &region);
+ if (result != ISC_R_SUCCESS) {
+ fprintf(stderr, "'%s' is not a valid class or type: "
+ "%s\n", word, isc_result_totext(result));
+ exit(1);
+ }
+ }
+
+ parse_rdata(mctx, &cmdline, rdataclass, rdatatype, rdata);
+
+ if (isdelete) {
+ if ((rdata->flags & DNS_RDATA_UPDATE) != 0)
+ rdataclass = dns_rdataclass_any;
+ else
+ rdataclass = dns_rdataclass_none;
+ } else {
+ if ((rdata->flags & DNS_RDATA_UPDATE) != 0) {
+ fprintf(stderr, "could not read rdata\n");
+ exit(1);
+ }
+ }
+
+ doneparsing:
+
+ rdatalist = isc_mem_get(mctx, sizeof(*rdatalist));
+ if (rdatalist == NULL) {
+ fprintf(stderr, "memory allocation for rdatalist failed\n");
+ exit(1);
+ }
+ dns_rdatalist_init(rdatalist);
+ rdatalist->type = rdatatype;
+ rdatalist->rdclass = rdataclass;
+ rdatalist->covers = rdatatype;
+ rdatalist->ttl = (dns_ttl_t)ttl;
+ ISC_LIST_INIT(rdatalist->rdata);
+ ISC_LIST_APPEND(rdatalist->rdata, rdata, link);
+ ISC_LIST_APPEND(usedrdatalists, rdatalist, link);
+
+ rdataset = isc_mem_get(mctx, sizeof(*rdataset));
+ if (rdataset == NULL) {
+ fprintf(stderr, "memory allocation for rdataset failed\n");
+ exit(1);
+ }
+ dns_rdataset_init(rdataset);
+ dns_rdatalist_tordataset(rdatalist, rdataset);
+ ISC_LIST_INIT(name->list);
+ ISC_LIST_APPEND(name->list, rdataset, link);
+}
+
+static void
+make_prereq(isc_mem_t *mctx, char *cmdline, isc_boolean_t ispositive,
+ isc_boolean_t isrrset, dns_name_t *name)
+{
+ isc_result_t result;
+ char *word;
+ isc_textregion_t region;
+ dns_rdataset_t *rdataset = NULL;
+ dns_rdatalist_t *rdatalist = NULL;
+ dns_rdataclass_t rdataclass;
+ dns_rdatatype_t rdatatype;
+ dns_rdata_t *rdata = NULL;
+
+ /*
+ * Read the owner name
+ */
+ parse_name(&cmdline, name);
+
+ /*
+ * If this is an rrset prereq, read the class or type.
+ */
+ if (isrrset) {
+ word = nsu_strsep(&cmdline, " \t\r\n");
+ if (word == NULL || *word == 0) {
+ fprintf(stderr, "could not read class or type\n");
+ exit(1);
+ }
+ region.base = word;
+ region.length = strlen(word);
+ result = dns_rdataclass_fromtext(&rdataclass, &region);
+ if (result == ISC_R_SUCCESS) {
+ /*
+ * Now read the type.
+ */
+ word = nsu_strsep(&cmdline, " \t\r\n");
+ if (word == NULL || *word == 0) {
+ fprintf(stderr, "could not read type\n");
+ exit(1);
+ }
+ region.base = word;
+ region.length = strlen(word);
+ result = dns_rdatatype_fromtext(&rdatatype, &region);
+ if (result != ISC_R_SUCCESS) {
+ fprintf(stderr, "invalid type: %s\n", word);
+ exit(1);
+ }
+ } else {
+ rdataclass = default_rdataclass;
+ result = dns_rdatatype_fromtext(&rdatatype, &region);
+ if (result != ISC_R_SUCCESS) {
+ fprintf(stderr, "invalid type: %s\n", word);
+ exit(1);
+ }
+ }
+ } else
+ rdatatype = dns_rdatatype_any;
+
+ rdata = isc_mem_get(mctx, sizeof(*rdata));
+ if (rdata == NULL) {
+ fprintf(stderr, "memory allocation for rdata failed\n");
+ exit(1);
+ }
+ dns_rdata_init(rdata);
+
+ if (isrrset && ispositive)
+ parse_rdata(mctx, &cmdline, rdataclass, rdatatype, rdata);
+ else
+ rdata->flags = DNS_RDATA_UPDATE;
+
+ rdatalist = isc_mem_get(mctx, sizeof(*rdatalist));
+ if (rdatalist == NULL) {
+ fprintf(stderr, "memory allocation for rdatalist failed\n");
+ exit(1);
+ }
+ dns_rdatalist_init(rdatalist);
+ rdatalist->type = rdatatype;
+ if (ispositive) {
+ if (isrrset && rdata->data != NULL)
+ rdatalist->rdclass = rdataclass;
+ else
+ rdatalist->rdclass = dns_rdataclass_any;
+ } else
+ rdatalist->rdclass = dns_rdataclass_none;
+ rdatalist->covers = 0;
+ rdatalist->ttl = 0;
+ rdata->rdclass = rdatalist->rdclass;
+ rdata->type = rdatatype;
+ ISC_LIST_INIT(rdatalist->rdata);
+ ISC_LIST_APPEND(rdatalist->rdata, rdata, link);
+ ISC_LIST_APPEND(usedrdatalists, rdatalist, link);
+
+ rdataset = isc_mem_get(mctx, sizeof(*rdataset));
+ if (rdataset == NULL) {
+ fprintf(stderr, "memory allocation for rdataset failed\n");
+ exit(1);
+ }
+ dns_rdataset_init(rdataset);
+ dns_rdatalist_tordataset(rdatalist, rdataset);
+ ISC_LIST_INIT(name->list);
+ ISC_LIST_APPEND(name->list, rdataset, link);
+}
+
+static void
+evaluate_prereq(isc_mem_t *mctx, char *cmdline, dns_name_t *name) {
+ char *word;
+ isc_boolean_t ispositive, isrrset;
+
+ word = nsu_strsep(&cmdline, " \t\r\n");
+ if (word == NULL || *word == 0) {
+ fprintf(stderr, "could not read operation code\n");
+ exit(1);
+ }
+ if (strcasecmp(word, "nxdomain") == 0) {
+ ispositive = ISC_FALSE;
+ isrrset = ISC_FALSE;
+ } else if (strcasecmp(word, "yxdomain") == 0) {
+ ispositive = ISC_TRUE;
+ isrrset = ISC_FALSE;
+ } else if (strcasecmp(word, "nxrrset") == 0) {
+ ispositive = ISC_FALSE;
+ isrrset = ISC_TRUE;
+ } else if (strcasecmp(word, "yxrrset") == 0) {
+ ispositive = ISC_TRUE;
+ isrrset = ISC_TRUE;
+ } else {
+ fprintf(stderr, "incorrect operation code: %s\n", word);
+ exit(1);
+ }
+
+ make_prereq(mctx, cmdline, ispositive, isrrset, name);
+}
+
+static void
+setup_tsec(char *keyfile, isc_mem_t *mctx) {
+ dst_key_t *dstkey = NULL;
+ isc_result_t result;
+ dns_tsectype_t tsectype;
+
+ result = dst_key_fromnamedfile(keyfile, NULL,
+ DST_TYPE_PRIVATE | DST_TYPE_KEY, mctx,
+ &dstkey);
+ if (result != ISC_R_SUCCESS) {
+ fprintf(stderr, "could not read key from %s: %s\n",
+ keyfile, isc_result_totext(result));
+ exit(1);
+ }
+
+ if (dst_key_alg(dstkey) == DST_ALG_HMACMD5)
+ tsectype = dns_tsectype_tsig;
+ else
+ tsectype = dns_tsectype_sig0;
+
+ result = dns_tsec_create(mctx, tsectype, dstkey, &tsec);
+ dst_key_free(&dstkey);
+ if (result != ISC_R_SUCCESS) {
+ fprintf(stderr, "could not create tsec: %s\n",
+ isc_result_totext(result));
+ exit(1);
+ }
+}
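Review bot: In main(), both address blocks read `res->ai_addrlen` after `freeaddrinfo(res)` has already released the list (`sa_auth.length = res->ai_addrlen;` and `sa_recursive.length = res->ai_addrlen;`), a use-after-free on the value that becomes the stored server address length. Assign the length first, i.e. `sa_auth.length = res->ai_addrlen;` followed by `freeaddrinfo(res);`, and likewise for `sa_recursive`. The same ordering appears in addserver() in sample.c in this commit. Separately, parse_name() tests `*word` without a NULL check, and nsu_strsep() returns NULL once the input is exhausted, so a `-p` argument holding only an operation code (no name) appears to reach that dereference with a NULL pointer. Using `if (word == NULL || *word == 0)` there would match the checks in update_addordelete() and make_prereq().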
diff --git a/contrib/bind9/lib/export/samples/sample.c b/contrib/bind9/lib/export/samples/sample.c
new file mode 100644
index 000000000000..7fc6a303ffa9
--- /dev/null
+++ b/contrib/bind9/lib/export/samples/sample.c
@@ -0,0 +1,378 @@
+/*
+ * Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: sample.c,v 1.5 2009/09/29 15:06:07 fdupont Exp $ */
+
+#include <config.h>
+
+#include <sys/types.h>
+#include <sys/socket.h>
+
+#include <netinet/in.h>
+
+#include <arpa/inet.h>
+
+#include <unistd.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <netdb.h>
+
+#include <isc/base64.h>
+#include <isc/buffer.h>
+#include <isc/lib.h>
+#include <isc/mem.h>
+#include <isc/sockaddr.h>
+#include <isc/util.h>
+
+#include <dns/client.h>
+#include <dns/fixedname.h>
+#include <dns/keyvalues.h>
+#include <dns/lib.h>
+#include <dns/name.h>
+#include <dns/rdata.h>
+#include <dns/rdataset.h>
+#include <dns/rdatastruct.h>
+#include <dns/rdatatype.h>
+#include <dns/result.h>
+#include <dns/secalg.h>
+
+#include <dst/dst.h>
+
+static char *algname;
+
+static isc_result_t
+printdata(dns_rdataset_t *rdataset, dns_name_t *owner) {
+ isc_buffer_t target;
+ isc_result_t result;
+ isc_region_t r;
+ char t[4096];
+
+ if (!dns_rdataset_isassociated(rdataset)) {
+ printf("[WARN: empty]\n");
+ return (ISC_R_SUCCESS);
+ }
+
+ isc_buffer_init(&target, t, sizeof(t));
+
+ result = dns_rdataset_totext(rdataset, owner, ISC_FALSE, ISC_FALSE,
+ &target);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ isc_buffer_usedregion(&target, &r);
+ printf("%.*s", (int)r.length, (char *)r.base);
+
+ return (ISC_R_SUCCESS);
+}
+
+ISC_PLATFORM_NORETURN_PRE static void
+usage(void) ISC_PLATFORM_NORETURN_POST;
+
+static void
+usage(void) {
+ fprintf(stderr, "sample [-t RRtype] "
+ "[[-a algorithm] [-e] -k keyname -K keystring] "
+ "[-s domain:serveraddr_for_domain ] "
+ "server_address hostname\n");
+
+ exit(1);
+}
+
+static void
+set_key(dns_client_t *client, char *keynamestr, char *keystr,
+ isc_boolean_t is_sep, isc_mem_t **mctxp)
+{
+ isc_result_t result;
+ dns_fixedname_t fkeyname;
+ size_t namelen;
+ dns_name_t *keyname;
+ dns_rdata_dnskey_t keystruct;
+ unsigned char keydata[4096];
+ isc_buffer_t keydatabuf;
+ unsigned char rrdata[4096];
+ isc_buffer_t rrdatabuf;
+ isc_buffer_t b;
+ isc_textregion_t tr;
+ isc_region_t r;
+ dns_secalg_t alg;
+
+ result = isc_mem_create(0, 0, mctxp);
+ if (result != ISC_R_SUCCESS) {
+ fprintf(stderr, "failed to crate mctx\n");
+ exit(1);
+ }
+
+ if (algname != NULL) {
+ tr.base = algname;
+ tr.length = strlen(algname);
+ result = dns_secalg_fromtext(&alg, &tr);
+ if (result != ISC_R_SUCCESS) {
+ fprintf(stderr, "failed to identify the algorithm\n");
+ exit(1);
+ }
+ } else
+ alg = DNS_KEYALG_RSASHA1;
+
+ keystruct.common.rdclass = dns_rdataclass_in;
+ keystruct.common.rdtype = dns_rdatatype_dnskey;
+ keystruct.flags = DNS_KEYOWNER_ZONE; /* fixed */
+ if (is_sep)
+ keystruct.flags |= DNS_KEYFLAG_KSK;
+ keystruct.protocol = DNS_KEYPROTO_DNSSEC; /* fixed */
+ keystruct.algorithm = alg;
+
+ isc_buffer_init(&keydatabuf, keydata, sizeof(keydata));
+ isc_buffer_init(&rrdatabuf, rrdata, sizeof(rrdata));
+ result = isc_base64_decodestring(keystr, &keydatabuf);
+ if (result != ISC_R_SUCCESS) {
+ fprintf(stderr, "base64 decode failed\n");
+ exit(1);
+ }
+ isc_buffer_usedregion(&keydatabuf, &r);
+ keystruct.datalen = r.length;
+ keystruct.data = r.base;
+
+ result = dns_rdata_fromstruct(NULL, keystruct.common.rdclass,
+ keystruct.common.rdtype,
+ &keystruct, &rrdatabuf);
+ if (result != ISC_R_SUCCESS) {
+ fprintf(stderr, "failed to construct key rdata\n");
+ exit(1);
+ }
+ namelen = strlen(keynamestr);
+ isc_buffer_init(&b, keynamestr, namelen);
+ isc_buffer_add(&b, namelen);
+ dns_fixedname_init(&fkeyname);
+ keyname = dns_fixedname_name(&fkeyname);
+ result = dns_name_fromtext(keyname, &b, dns_rootname, 0, NULL);
+ if (result != ISC_R_SUCCESS) {
+ fprintf(stderr, "failed to construct key name\n");
+ exit(1);
+ }
+ result = dns_client_addtrustedkey(client, dns_rdataclass_in,
+ keyname, &rrdatabuf);
+ if (result != ISC_R_SUCCESS) {
+ fprintf(stderr, "failed to add key for %s\n",
+ keynamestr);
+ exit(1);
+ }
+}
+
+static void
+addserver(dns_client_t *client, const char *addrstr, const char *namespace) {
+ struct addrinfo hints, *res;
+ int gai_error;
+ isc_sockaddr_t sa;
+ isc_sockaddrlist_t servers;
+ isc_result_t result;
+ size_t namelen;
+ isc_buffer_t b;
+ dns_fixedname_t fname;
+ dns_name_t *name = NULL;
+
+ memset(&hints, 0, sizeof(hints));
+ hints.ai_family = AF_UNSPEC;
+ hints.ai_socktype = SOCK_DGRAM;
+ hints.ai_protocol = IPPROTO_UDP;
+ hints.ai_flags = AI_NUMERICHOST;
+ gai_error = getaddrinfo(addrstr, "53", &hints, &res);
+ if (gai_error != 0) {
+ fprintf(stderr, "getaddrinfo failed: %s\n",
+ gai_strerror(gai_error));
+ exit(1);
+ }
+ INSIST(res->ai_addrlen <= sizeof(sa.type));
+ memcpy(&sa.type, res->ai_addr, res->ai_addrlen);
+ freeaddrinfo(res);
+ sa.length = res->ai_addrlen;
+ ISC_LINK_INIT(&sa, link);
+ ISC_LIST_INIT(servers);
+ ISC_LIST_APPEND(servers, &sa, link);
+
+ if (namespace != NULL) {
+ namelen = strlen(namespace);
+ isc_buffer_init(&b, namespace, namelen);
+ isc_buffer_add(&b, namelen);
+ dns_fixedname_init(&fname);
+ name = dns_fixedname_name(&fname);
+ result = dns_name_fromtext(name, &b, dns_rootname, 0, NULL);
+ if (result != ISC_R_SUCCESS) {
+ fprintf(stderr, "failed to convert qname: %d\n",
+ result);
+ exit(1);
+ }
+ }
+
+ result = dns_client_setservers(client, dns_rdataclass_in, name,
+ &servers);
+ if (result != ISC_R_SUCCESS) {
+ fprintf(stderr, "set server failed: %d\n", result);
+ exit(1);
+ }
+}
+
+int
+main(int argc, char *argv[]) {
+ int ch;
+ isc_textregion_t tr;
+ char *altserver = NULL;
+ char *altserveraddr = NULL;
+ char *altservername = NULL;
+ dns_client_t *client = NULL;
+ char *keynamestr = NULL;
+ char *keystr = NULL;
+ isc_result_t result;
+ isc_buffer_t b;
+ dns_fixedname_t qname0;
+ size_t namelen;
+ dns_name_t *qname, *name;
+ dns_rdatatype_t type = dns_rdatatype_a;
+ dns_rdataset_t *rdataset;
+ dns_namelist_t namelist;
+ isc_mem_t *keymctx = NULL;
+ unsigned int clientopt, resopt;
+ isc_boolean_t is_sep = ISC_FALSE;
+
+ while ((ch = getopt(argc, argv, "a:es:t:k:K:")) != -1) {
+ switch (ch) {
+ case 't':
+ tr.base = optarg;
+ tr.length = strlen(optarg);
+ result = dns_rdatatype_fromtext(&type, &tr);
+ if (result != ISC_R_SUCCESS) {
+ fprintf(stderr,
+ "invalid RRtype: %s\n", optarg);
+ exit(1);
+ }
+ break;
+ case 'a':
+ algname = optarg;
+ break;
+ case 'e':
+ is_sep = ISC_TRUE;
+ break;
+ case 's':
+ if (altserver != NULL) {
+ fprintf(stderr, "alternate server "
+ "already defined: %s\n",
+ altserver);
+ exit(1);
+ }
+ altserver = optarg;
+ break;
+ case 'k':
+ keynamestr = optarg;
+ break;
+ case 'K':
+ keystr = optarg;
+ break;
+ default:
+ usage();
+ }
+ }
+
+ argc -= optind;
+ argv += optind;
+ if (argc < 2)
+ usage();
+
+ if (altserver != NULL) {
+ char *cp;
+
+ cp = strchr(altserver, ':');
+ if (cp == NULL) {
+ fprintf(stderr, "invalid alternate server: %s\n",
+ altserver);
+ exit(1);
+ }
+ *cp = '\0';
+ altservername = altserver;
+ altserveraddr = cp + 1;
+ }
+
+ isc_lib_register();
+ result = dns_lib_init();
+ if (result != ISC_R_SUCCESS) {
+ fprintf(stderr, "dns_lib_init failed: %d\n", result);
+ exit(1);
+ }
+
+ clientopt = 0;
+ result = dns_client_create(&client, clientopt);
+ if (result != ISC_R_SUCCESS) {
+ fprintf(stderr, "dns_client_create failed: %d\n", result);
+ exit(1);
+ }
+
+ /* Set the nameserver */
+ addserver(client, argv[0], NULL);
+
+ /* Set the alternate nameserver (when specified) */
+ if (altserver != NULL)
+ addserver(client, altserveraddr, altservername);
+
+ /* Install DNSSEC key (if given) */
+ if (keynamestr != NULL) {
+ if (keystr == NULL) {
+ fprintf(stderr,
+ "key string is missing "
+ "while key name is provided\n");
+ exit(1);
+ }
+ set_key(client, keynamestr, keystr, is_sep, &keymctx);
+ }
+
+ /* Construct qname */
+ namelen = strlen(argv[1]);
+ isc_buffer_init(&b, argv[1], namelen);
+ isc_buffer_add(&b, namelen);
+ dns_fixedname_init(&qname0);
+ qname = dns_fixedname_name(&qname0);
+ result = dns_name_fromtext(qname, &b, dns_rootname, 0, NULL);
+ if (result != ISC_R_SUCCESS)
+ fprintf(stderr, "failed to convert qname: %d\n", result);
+
+ /* Perform resolution */
+ resopt = 0;
+ if (keynamestr == NULL)
+ resopt |= DNS_CLIENTRESOPT_NODNSSEC;
+ ISC_LIST_INIT(namelist);
+ result = dns_client_resolve(client, qname, dns_rdataclass_in, type,
+ resopt, &namelist);
+ if (result != ISC_R_SUCCESS) {
+ fprintf(stderr,
+ "resolution failed: %s\n", dns_result_totext(result));
+ }
+ for (name = ISC_LIST_HEAD(namelist); name != NULL;
+ name = ISC_LIST_NEXT(name, link)) {
+ for (rdataset = ISC_LIST_HEAD(name->list);
+ rdataset != NULL;
+ rdataset = ISC_LIST_NEXT(rdataset, link)) {
+ if (printdata(rdataset, name) != ISC_R_SUCCESS)
+ fprintf(stderr, "print data failed\n");
+ }
+ }
+
+ dns_client_freeresanswer(client, &namelist);
+
+ /* Cleanup */
+ dns_client_destroy(&client);
+ if (keynamestr != NULL)
+ isc_mem_destroy(&keymctx);
+ dns_lib_shutdown();
+
+ exit(0);
+}
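Review bot: When `dns_name_fromtext()` fails for the query name in main(), the code only prints "failed to convert qname" and still passes `qname` to `dns_client_resolve()`, whereas the conversion failures in addserver() and set_key() exit. Add `exit(1);` after that `fprintf` and brace the `if` body. The zone-name conversion in sample-update.c's main() has the same shape. Also, a resolution failure is reported on stderr but the program still ends with `exit(0)`, so a caller checking the exit status cannot tell that the lookup failed; keeping the result and exiting non-zero would fix that.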
diff --git a/contrib/bind9/lib/irs/Makefile.in b/contrib/bind9/lib/irs/Makefile.in
new file mode 100644
index 000000000000..d3c47b0137aa
--- /dev/null
+++ b/contrib/bind9/lib/irs/Makefile.in
@@ -0,0 +1,80 @@
+# Copyright (C) 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.3 2009/09/02 23:48:02 tbox Exp $
+
+srcdir = @srcdir@
+VPATH = @srcdir@
+top_srcdir = @top_srcdir@
+
+@BIND9_VERSION@
+
+@LIBIRS_API@
+
+@BIND9_MAKE_INCLUDES@
+
+CINCLUDES = -I. -I./include -I${srcdir}/include \
+ ${DNS_INCLUDES} ${ISC_INCLUDES} ${ISCCFG_INCLUDES}
+
+CDEFINES =
+CWARNINGS =
+
+# Alphabetically
+OBJS = context.@O@ \
+ dnsconf.@O@ \
+ gai_strerror.@O@ getaddrinfo.@O@ getnameinfo.@O@ \
+ resconf.@O@
+
+# Alphabetically
+SRCS = context.c \
+ dnsconf.c \
+ gai_sterror.c getaddrinfo.c getnameinfo.c \
+ resconf.c
+
+LIBS = @LIBS@
+
+SUBDIRS = include
+TARGETS = timestamp
+
+@BIND9_MAKE_RULES@
+
+version.@O@: version.c
+ ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
+ -DVERSION=\"${VERSION}\" \
+ -DLIBINTERFACE=${LIBINTERFACE} \
+ -DLIBREVISION=${LIBREVISION} \
+ -DLIBAGE=${LIBAGE} \
+ -c ${srcdir}/version.c
+
+libirs.@SA@: ${OBJS} version.@O@
+ ${AR} ${ARFLAGS} $@ ${OBJS} version.@O@
+ ${RANLIB} $@
+
+libirs.la: ${OBJS} version.@O@
+ ${LIBTOOL_MODE_LINK} \
+ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libirs.la -rpath ${libdir} \
+ -version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
+ ${OBJS} version.@O@ ${LIBS}
+
+timestamp: libirs.@A@
+ touch timestamp
+
+installdirs:
+ $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir}
+
+install:: timestamp installdirs
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_DATA} libirs.@A@ ${DESTDIR}${libdir}
+
+clean distclean::
+ rm -f libirs.@A@ libirs.la timestamp
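Review bot: `SRCS` lists `gai_sterror.c` while `OBJS` lists `gai_strerror.@O@`; the source name looks misspelled and should presumably be `gai_strerror.c`. How `SRCS` is consumed is decided by the included `@BIND9_MAKE_RULES@`, which is not visible here. If it drives dependency generation, that step would be given a file name that does not match the object actually built.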
diff --git a/contrib/bind9/lib/irs/api b/contrib/bind9/lib/irs/api
new file mode 100644
index 000000000000..ba19dd9150e0
--- /dev/null
+++ b/contrib/bind9/lib/irs/api
@@ -0,0 +1,8 @@
+# LIBINTERFACE ranges
+# 9.6: 50-59, 110-119
+# 9.7: 60-79
+# 9.8: 80-89
+# 9.9: 90-109
+LIBINTERFACE = 80
+LIBREVISION = 2
+LIBAGE = 0
diff --git a/contrib/bind9/lib/irs/context.c b/contrib/bind9/lib/irs/context.c
new file mode 100644
index 000000000000..be69622b5b6a
--- /dev/null
+++ b/contrib/bind9/lib/irs/context.c
@@ -0,0 +1,396 @@
+/*
+ * Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: context.c,v 1.3 2009/09/02 23:48:02 tbox Exp $ */
+
+#include <config.h>
+
+#include <isc/app.h>
+#include <isc/lib.h>
+#include <isc/magic.h>
+#include <isc/mem.h>
+#include <isc/once.h>
+#include <isc/socket.h>
+#include <isc/task.h>
+#include <isc/thread.h>
+#include <isc/timer.h>
+#include <isc/util.h>
+
+#include <dns/client.h>
+#include <dns/lib.h>
+
+#include <irs/context.h>
+#include <irs/dnsconf.h>
+#include <irs/resconf.h>
+
+#define IRS_CONTEXT_MAGIC ISC_MAGIC('I', 'R', 'S', 'c')
+#define IRS_CONTEXT_VALID(c) ISC_MAGIC_VALID(c, IRS_CONTEXT_MAGIC)
+
+#ifndef RESOLV_CONF
+/*% location of resolve.conf */
+#define RESOLV_CONF "/etc/resolv.conf"
+#endif
+
+#ifndef DNS_CONF
+/*% location of dns.conf */
+#define DNS_CONF "/etc/dns.conf"
+#endif
+
+#ifndef ISC_PLATFORM_USETHREADS
+irs_context_t *irs_g_context = NULL;
+#else
+static isc_boolean_t thread_key_initialized = ISC_FALSE;
+static isc_mutex_t thread_key_mutex;
+static isc_thread_key_t irs_context_key;
+static isc_once_t once = ISC_ONCE_INIT;
+#endif
+
+
+struct irs_context {
+ /*
+ * An IRS context is a thread-specific object, and does not need to
+ * be locked.
+ */
+ unsigned int magic;
+ isc_mem_t *mctx;
+ isc_appctx_t *actx;
+ isc_taskmgr_t *taskmgr;
+ isc_task_t *task;
+ isc_socketmgr_t *socketmgr;
+ isc_timermgr_t *timermgr;
+ dns_client_t *dnsclient;
+ irs_resconf_t *resconf;
+ irs_dnsconf_t *dnsconf;
+};
+
+static void
+ctxs_destroy(isc_mem_t **mctxp, isc_appctx_t **actxp,
+ isc_taskmgr_t **taskmgrp, isc_socketmgr_t **socketmgrp,
+ isc_timermgr_t **timermgrp)
+{
+ if (taskmgrp != NULL)
+ isc_taskmgr_destroy(taskmgrp);
+
+ if (timermgrp != NULL)
+ isc_timermgr_destroy(timermgrp);
+
+ if (socketmgrp != NULL)
+ isc_socketmgr_destroy(socketmgrp);
+
+ if (actxp != NULL)
+ isc_appctx_destroy(actxp);
+
+ if (mctxp != NULL)
+ isc_mem_destroy(mctxp);
+}
+
+static isc_result_t
+ctxs_init(isc_mem_t **mctxp, isc_appctx_t **actxp,
+ isc_taskmgr_t **taskmgrp, isc_socketmgr_t **socketmgrp,
+ isc_timermgr_t **timermgrp)
+{
+ isc_result_t result;
+
+ result = isc_mem_create(0, 0, mctxp);
+ if (result != ISC_R_SUCCESS)
+ goto fail;
+
+ result = isc_appctx_create(*mctxp, actxp);
+ if (result != ISC_R_SUCCESS)
+ goto fail;
+
+ result = isc_taskmgr_createinctx(*mctxp, *actxp, 1, 0, taskmgrp);
+ if (result != ISC_R_SUCCESS)
+ goto fail;
+
+ result = isc_socketmgr_createinctx(*mctxp, *actxp, socketmgrp);
+ if (result != ISC_R_SUCCESS)
+ goto fail;
+
+ result = isc_timermgr_createinctx(*mctxp, *actxp, timermgrp);
+ if (result != ISC_R_SUCCESS)
+ goto fail;
+
+ return (ISC_R_SUCCESS);
+
+ fail:
+ ctxs_destroy(mctxp, actxp, taskmgrp, socketmgrp, timermgrp);
+
+ return (result);
+}
+
+#ifdef ISC_PLATFORM_USETHREADS
+static void
+free_specific_context(void *arg) {
+ irs_context_t *context = arg;
+
+ irs_context_destroy(&context);
+
+ isc_thread_key_setspecific(irs_context_key, NULL);
+}
+
+static void
+thread_key_mutex_init(void) {
+ RUNTIME_CHECK(isc_mutex_init(&thread_key_mutex) == ISC_R_SUCCESS);
+}
+
+static isc_result_t
+thread_key_init() {
+ isc_result_t result;
+
+ result = isc_once_do(&once, thread_key_mutex_init);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ if (!thread_key_initialized) {
+ LOCK(&thread_key_mutex);
+
+ if (!thread_key_initialized &&
+ isc_thread_key_create(&irs_context_key,
+ free_specific_context) != 0) {
+ result = ISC_R_FAILURE;
+ } else
+ thread_key_initialized = ISC_TRUE;
+
+ UNLOCK(&thread_key_mutex);
+ }
+
+ return (result);
+}
+#endif /* ISC_PLATFORM_USETHREADS */
+
+isc_result_t
+irs_context_get(irs_context_t **contextp) {
+ irs_context_t *context;
+ isc_result_t result;
+
+ REQUIRE(contextp != NULL && *contextp == NULL);
+
+#ifndef ISC_PLATFORM_USETHREADS
+ if (irs_g_context == NULL) {
+ result = irs_context_create(&irs_g_context);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ }
+
+ context = irs_g_context;
+#else
+ result = thread_key_init();
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ context = isc_thread_key_getspecific(irs_context_key);
+ if (context == NULL) {
+ result = irs_context_create(&context);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ result = isc_thread_key_setspecific(irs_context_key, context);
+ if (result != ISC_R_SUCCESS) {
+ irs_context_destroy(&context);
+ return (result);
+ }
+ }
+#endif /* ISC_PLATFORM_USETHREADS */
+
+ *contextp = context;
+
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+irs_context_create(irs_context_t **contextp) {
+ isc_result_t result;
+ irs_context_t *context;
+ isc_appctx_t *actx = NULL;
+ isc_mem_t *mctx = NULL;
+ isc_taskmgr_t *taskmgr = NULL;
+ isc_socketmgr_t *socketmgr = NULL;
+ isc_timermgr_t *timermgr = NULL;
+ dns_client_t *client = NULL;
+ isc_sockaddrlist_t *nameservers;
+ irs_dnsconf_dnskeylist_t *trustedkeys;
+ irs_dnsconf_dnskey_t *trustedkey;
+
+ isc_lib_register();
+ result = dns_lib_init();
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ result = ctxs_init(&mctx, &actx, &taskmgr, &socketmgr, &timermgr);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ result = isc_app_ctxstart(actx);
+ if (result != ISC_R_SUCCESS) {
+ ctxs_destroy(&mctx, &actx, &taskmgr, &socketmgr, &timermgr);
+ return (result);
+ }
+
+ context = isc_mem_get(mctx, sizeof(*context));
+ if (context == NULL) {
+ ctxs_destroy(&mctx, &actx, &taskmgr, &socketmgr, &timermgr);
+ return (ISC_R_NOMEMORY);
+ }
+
+ context->mctx = mctx;
+ context->actx = actx;
+ context->taskmgr = taskmgr;
+ context->socketmgr = socketmgr;
+ context->timermgr = timermgr;
+ context->resconf = NULL;
+ context->dnsconf = NULL;
+ context->task = NULL;
+ result = isc_task_create(taskmgr, 0, &context->task);
+ if (result != ISC_R_SUCCESS)
+ goto fail;
+
+ /* Create a DNS client object */
+ result = dns_client_createx(mctx, actx, taskmgr, socketmgr, timermgr,
+ 0, &client);
+ if (result != ISC_R_SUCCESS)
+ goto fail;
+ context->dnsclient = client;
+
+ /* Read resolver configuration file */
+ result = irs_resconf_load(mctx, RESOLV_CONF, &context->resconf);
+ if (result != ISC_R_SUCCESS)
+ goto fail;
+ /* Set nameservers */
+ nameservers = irs_resconf_getnameservers(context->resconf);
+ result = dns_client_setservers(client, dns_rdataclass_in, NULL,
+ nameservers);
+ if (result != ISC_R_SUCCESS)
+ goto fail;
+
+ /* Read advanced DNS configuration (if any) */
+ result = irs_dnsconf_load(mctx, DNS_CONF, &context->dnsconf);
+ if (result != ISC_R_SUCCESS)
+ goto fail;
+ trustedkeys = irs_dnsconf_gettrustedkeys(context->dnsconf);
+ for (trustedkey = ISC_LIST_HEAD(*trustedkeys);
+ trustedkey != NULL;
+ trustedkey = ISC_LIST_NEXT(trustedkey, link)) {
+ result = dns_client_addtrustedkey(client, dns_rdataclass_in,
+ trustedkey->keyname,
+ trustedkey->keydatabuf);
+ if (result != ISC_R_SUCCESS)
+ goto fail;
+ }
+
+ context->magic = IRS_CONTEXT_MAGIC;
+ *contextp = context;
+
+ return (ISC_R_SUCCESS);
+
+ fail:
+ if (context->task != NULL)
+ isc_task_detach(&context->task);
+ if (context->resconf != NULL)
+ irs_resconf_destroy(&context->resconf);
+ if (context->dnsconf != NULL)
+ irs_dnsconf_destroy(&context->dnsconf);
+ if (client != NULL)
+ dns_client_destroy(&client);
+ ctxs_destroy(NULL, &actx, &taskmgr, &socketmgr, &timermgr);
+ isc_mem_putanddetach(&mctx, context, sizeof(*context));
+
+ return (result);
+}
+
+void
+irs_context_destroy(irs_context_t **contextp) {
+ irs_context_t *context;
+
+ REQUIRE(contextp != NULL);
+ context = *contextp;
+ REQUIRE(IRS_CONTEXT_VALID(context));
+
+ isc_task_detach(&context->task);
+ irs_dnsconf_destroy(&context->dnsconf);
+ irs_resconf_destroy(&context->resconf);
+ dns_client_destroy(&context->dnsclient);
+
+ ctxs_destroy(NULL, &context->actx, &context->taskmgr,
+ &context->socketmgr, &context->timermgr);
+
+ context->magic = 0;
+
+ isc_mem_putanddetach(&context->mctx, context, sizeof(*context));
+
+ *contextp = NULL;
+
+#ifndef ISC_PLATFORM_USETHREADS
+ irs_g_context = NULL;
+#else
+ (void)isc_thread_key_setspecific(irs_context_key, NULL);
+#endif
+}
+
+isc_mem_t *
+irs_context_getmctx(irs_context_t *context) {
+ REQUIRE(IRS_CONTEXT_VALID(context));
+
+ return (context->mctx);
+}
+
+isc_appctx_t *
+irs_context_getappctx(irs_context_t *context) {
+ REQUIRE(IRS_CONTEXT_VALID(context));
+
+ return (context->actx);
+}
+
+isc_taskmgr_t *
+irs_context_gettaskmgr(irs_context_t *context) {
+ REQUIRE(IRS_CONTEXT_VALID(context));
+
+ return (context->taskmgr);
+}
+
+isc_timermgr_t *
+irs_context_gettimermgr(irs_context_t *context) {
+ REQUIRE(IRS_CONTEXT_VALID(context));
+
+ return (context->timermgr);
+}
+
+isc_task_t *
+irs_context_gettask(irs_context_t *context) {
+ REQUIRE(IRS_CONTEXT_VALID(context));
+
+ return (context->task);
+}
+
+dns_client_t *
+irs_context_getdnsclient(irs_context_t *context) {
+ REQUIRE(IRS_CONTEXT_VALID(context));
+
+ return (context->dnsclient);
+}
+
+irs_resconf_t *
+irs_context_getresconf(irs_context_t *context) {
+ REQUIRE(IRS_CONTEXT_VALID(context));
+
+ return (context->resconf);
+}
+
+irs_dnsconf_t *
+irs_context_getdnsconf(irs_context_t *context) {
+ REQUIRE(IRS_CONTEXT_VALID(context));
+
+ return (context->dnsconf);
+}
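Review bot: The `fail:` path of `ctxs_init` passes all five out-pointers to `ctxs_destroy`, whose guards test only the pointer-to-pointer (`taskmgrp != NULL`) and never the object behind it. If `isc_mem_create` or `isc_appctx_create` fails, the manager destroy calls are therefore reached with `*taskmgrp`, `*timermgrp` and `*socketmgrp` still NULL. Those destroy routines are not part of this diff; if they assert on a valid object, an allocation failure during resolver start-up aborts the process instead of returning the error. Each guard should also test the pointee, for example `if (taskmgrp != NULL && *taskmgrp != NULL)`, and the same for the other four.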
diff --git a/contrib/bind9/lib/irs/dnsconf.c b/contrib/bind9/lib/irs/dnsconf.c
new file mode 100644
index 000000000000..4a7d58bfbc50
--- /dev/null
+++ b/contrib/bind9/lib/irs/dnsconf.c
@@ -0,0 +1,269 @@
+/*
+ * Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: dnsconf.c,v 1.3 2009/09/02 23:48:02 tbox Exp $ */
+
+/*! \file */
+
+#include <config.h>
+
+#include <string.h>
+
+#include <isc/base64.h>
+#include <isc/buffer.h>
+#include <isc/file.h>
+#include <isc/mem.h>
+#include <isc/util.h>
+
+#include <isccfg/dnsconf.h>
+
+#include <dns/fixedname.h>
+#include <dns/name.h>
+#include <dns/rdata.h>
+#include <dns/rdatastruct.h>
+
+#include <irs/dnsconf.h>
+
+#define IRS_DNSCONF_MAGIC ISC_MAGIC('D', 'c', 'f', 'g')
+#define IRS_DNSCONF_VALID(c) ISC_MAGIC_VALID(c, IRS_DNSCONF_MAGIC)
+
+/*!
+ * configuration data structure
+ */
+
+struct irs_dnsconf {
+ unsigned int magic;
+ isc_mem_t *mctx;
+ irs_dnsconf_dnskeylist_t trusted_keylist;
+};
+
+static isc_result_t
+configure_dnsseckeys(irs_dnsconf_t *conf, cfg_obj_t *cfgobj,
+ dns_rdataclass_t rdclass)
+{
+ isc_mem_t *mctx = conf->mctx;
+ const cfg_obj_t *keys = NULL;
+ const cfg_obj_t *key, *keylist;
+ dns_fixedname_t fkeyname;
+ dns_name_t *keyname_base, *keyname;
+ const cfg_listelt_t *element, *element2;
+ isc_result_t result;
+ isc_uint32_t flags, proto, alg;
+ const char *keystr, *keynamestr;
+ unsigned char keydata[4096];
+ isc_buffer_t keydatabuf_base, *keydatabuf;
+ dns_rdata_dnskey_t keystruct;
+ unsigned char rrdata[4096];
+ isc_buffer_t rrdatabuf;
+ isc_region_t r;
+ isc_buffer_t namebuf;
+ irs_dnsconf_dnskey_t *keyent;
+
+ cfg_map_get(cfgobj, "trusted-keys", &keys);
+ if (keys == NULL)
+ return (ISC_R_SUCCESS);
+
+ for (element = cfg_list_first(keys);
+ element != NULL;
+ element = cfg_list_next(element)) {
+ keylist = cfg_listelt_value(element);
+ for (element2 = cfg_list_first(keylist);
+ element2 != NULL;
+ element2 = cfg_list_next(element2))
+ {
+ keydatabuf = NULL;
+ keyname = NULL;
+
+ key = cfg_listelt_value(element2);
+
+ flags = cfg_obj_asuint32(cfg_tuple_get(key, "flags"));
+ proto = cfg_obj_asuint32(cfg_tuple_get(key,
+ "protocol"));
+ alg = cfg_obj_asuint32(cfg_tuple_get(key,
+ "algorithm"));
+ keynamestr = cfg_obj_asstring(cfg_tuple_get(key,
+ "name"));
+
+ keystruct.common.rdclass = rdclass;
+ keystruct.common.rdtype = dns_rdatatype_dnskey;
+ keystruct.mctx = NULL;
+ ISC_LINK_INIT(&keystruct.common, link);
+
+ if (flags > 0xffff)
+ return (ISC_R_RANGE);
+ if (proto > 0xff)
+ return (ISC_R_RANGE);
+ if (alg > 0xff)
+ return (ISC_R_RANGE);
+ keystruct.flags = (isc_uint16_t)flags;
+ keystruct.protocol = (isc_uint8_t)proto;
+ keystruct.algorithm = (isc_uint8_t)alg;
+
+ isc_buffer_init(&keydatabuf_base, keydata,
+ sizeof(keydata));
+ isc_buffer_init(&rrdatabuf, rrdata, sizeof(rrdata));
+
+ /* Configure key value */
+ keystr = cfg_obj_asstring(cfg_tuple_get(key, "key"));
+ result = isc_base64_decodestring(keystr,
+ &keydatabuf_base);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ isc_buffer_usedregion(&keydatabuf_base, &r);
+ keystruct.datalen = r.length;
+ keystruct.data = r.base;
+
+ result = dns_rdata_fromstruct(NULL,
+ keystruct.common.rdclass,
+ keystruct.common.rdtype,
+ &keystruct, &rrdatabuf);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ isc_buffer_usedregion(&rrdatabuf, &r);
+ result = isc_buffer_allocate(mctx, &keydatabuf,
+ r.length);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ result = isc_buffer_copyregion(keydatabuf, &r);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+
+ /* Configure key name */
+ dns_fixedname_init(&fkeyname);
+ keyname_base = dns_fixedname_name(&fkeyname);
+ isc_buffer_init(&namebuf, keynamestr,
+ strlen(keynamestr));
+ isc_buffer_add(&namebuf, strlen(keynamestr));
+ result = dns_name_fromtext(keyname_base, &namebuf,
+ dns_rootname, 0, NULL);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ keyname = isc_mem_get(mctx, sizeof(*keyname));
+ if (keyname == NULL) {
+ result = ISC_R_NOMEMORY;
+ goto cleanup;
+ }
+ dns_name_init(keyname, NULL);
+ result = dns_name_dup(keyname_base, mctx, keyname);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+
+ /* Add the key data to the list */
+ keyent = isc_mem_get(mctx, sizeof(*keyent));
+ if (keyent == NULL) {
+ dns_name_free(keyname, mctx);
+ result = ISC_R_NOMEMORY;
+ goto cleanup;
+ }
+ keyent->keyname = keyname;
+ keyent->keydatabuf = keydatabuf;
+
+ ISC_LIST_APPEND(conf->trusted_keylist, keyent, link);
+ }
+ }
+
+ return (ISC_R_SUCCESS);
+
+ cleanup:
+ if (keydatabuf != NULL)
+ isc_buffer_free(&keydatabuf);
+ if (keyname != NULL)
+ isc_mem_put(mctx, keyname, sizeof(*keyname));
+
+ return (result);
+}
+
+isc_result_t
+irs_dnsconf_load(isc_mem_t *mctx, const char *filename, irs_dnsconf_t **confp)
+{
+ irs_dnsconf_t *conf;
+ cfg_parser_t *parser = NULL;
+ cfg_obj_t *cfgobj = NULL;
+ isc_result_t result = ISC_R_SUCCESS;
+
+ REQUIRE(confp != NULL && *confp == NULL);
+
+ conf = isc_mem_get(mctx, sizeof(*conf));
+ if (conf == NULL)
+ return (ISC_R_NOMEMORY);
+
+ conf->mctx = mctx;
+ ISC_LIST_INIT(conf->trusted_keylist);
+
+ /*
+ * If the specified file does not exist, we'll simply with an empty
+ * configuration.
+ */
+ if (!isc_file_exists(filename))
+ goto cleanup;
+
+ result = cfg_parser_create(mctx, NULL, &parser);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+
+ result = cfg_parse_file(parser, filename, &cfg_type_dnsconf,
+ &cfgobj);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+
+ result = configure_dnsseckeys(conf, cfgobj, dns_rdataclass_in);
+
+ cleanup:
+ if (parser != NULL) {
+ if (cfgobj != NULL)
+ cfg_obj_destroy(parser, &cfgobj);
+ cfg_parser_destroy(&parser);
+ }
+
+ conf->magic = IRS_DNSCONF_MAGIC;
+
+ if (result == ISC_R_SUCCESS)
+ *confp = conf;
+ else
+ irs_dnsconf_destroy(&conf);
+
+ return (result);
+}
+
+void
+irs_dnsconf_destroy(irs_dnsconf_t **confp) {
+ irs_dnsconf_t *conf;
+ irs_dnsconf_dnskey_t *keyent;
+
+ REQUIRE(confp != NULL);
+ conf = *confp;
+ REQUIRE(IRS_DNSCONF_VALID(conf));
+
+ while ((keyent = ISC_LIST_HEAD(conf->trusted_keylist)) != NULL) {
+ ISC_LIST_UNLINK(conf->trusted_keylist, keyent, link);
+
+ isc_buffer_free(&keyent->keydatabuf);
+ dns_name_free(keyent->keyname, conf->mctx);
+ isc_mem_put(conf->mctx, keyent->keyname, sizeof(dns_name_t));
+ isc_mem_put(conf->mctx, keyent, sizeof(*keyent));
+ }
+
+ isc_mem_put(conf->mctx, conf, sizeof(*conf));
+
+ *confp = NULL;
+}
+
+irs_dnsconf_dnskeylist_t *
+irs_dnsconf_gettrustedkeys(irs_dnsconf_t *conf) {
+ REQUIRE(IRS_DNSCONF_VALID(conf));
+
+ return (&conf->trusted_keylist);
+}
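Review bot: In `configure_dnsseckeys` the `dns_name_fromtext` failure branch exits with `return (result);` although `isc_buffer_allocate` has already succeeded, so `keydatabuf` is leaked whenever a trusted-keys entry has a name that does not parse. The neighbouring failure branches use `goto cleanup;`, and this one should too. Separately, `irs_dnsconf_load` treats a missing file as an empty configuration, so the caller gets an empty trusted-key list with no indication. A comment on the `isc_file_exists` check stating that running without trust anchors is the intended fallback would help anyone auditing the DNSSEC behaviour.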
diff --git a/contrib/bind9/lib/irs/gai_strerror.c b/contrib/bind9/lib/irs/gai_strerror.c
new file mode 100644
index 000000000000..2fe394161963
--- /dev/null
+++ b/contrib/bind9/lib/irs/gai_strerror.c
@@ -0,0 +1,93 @@
+/*
+ * Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: gai_strerror.c,v 1.5 2009/09/02 23:48:02 tbox Exp $ */
+
+/*! \file gai_strerror.c
+ * gai_strerror() returns an error message corresponding to an
+ * error code returned by getaddrinfo() and getnameinfo(). The following error
+ * codes and their meaning are defined in
+ * \link netdb.h include/irs/netdb.h.\endlink
+ * This implementation is almost an exact copy of lwres/gai_sterror.c except
+ * that it catches up the latest API standard, RFC3493.
+ *
+ * \li #EAI_ADDRFAMILY address family for hostname not supported
+ * \li #EAI_AGAIN temporary failure in name resolution
+ * \li #EAI_BADFLAGS invalid value for ai_flags
+ * \li #EAI_FAIL non-recoverable failure in name resolution
+ * \li #EAI_FAMILY ai_family not supported
+ * \li #EAI_MEMORY memory allocation failure
+ * \li #EAI_NODATA no address associated with hostname (obsoleted in RFC3493)
+ * \li #EAI_NONAME hostname nor servname provided, or not known
+ * \li #EAI_SERVICE servname not supported for ai_socktype
+ * \li #EAI_SOCKTYPE ai_socktype not supported
+ * \li #EAI_SYSTEM system error returned in errno
+ * \li #EAI_BADHINTS Invalid value for hints (non-standard)
+ * \li #EAI_PROTOCOL Resolved protocol is unknown (non-standard)
+ * \li #EAI_OVERFLOW Argument buffer overflow
+ * \li #EAI_INSECUREDATA Insecure Data (experimental)
+ *
+ * The message invalid error code is returned if ecode is out of range.
+ *
+ * ai_flags, ai_family and ai_socktype are elements of the struct
+ * addrinfo used by lwres_getaddrinfo().
+ *
+ * \section gai_strerror_see See Also
+ *
+ * strerror(), getaddrinfo(), getnameinfo(), RFC3493.
+ */
+#include <config.h>
+
+#include <irs/netdb.h>
+
+/*% Text of error messages. */
+static const char *gai_messages[] = {
+ "no error",
+ "address family for hostname not supported",
+ "temporary failure in name resolution",
+ "invalid value for ai_flags",
+ "non-recoverable failure in name resolution",
+ "ai_family not supported",
+ "memory allocation failure",
+ "no address associated with hostname",
+ "hostname nor servname provided, or not known",
+ "servname not supported for ai_socktype",
+ "ai_socktype not supported",
+ "system error returned in errno",
+ "bad hints",
+ "bad protocol",
+ "argument buffer overflow",
+ "insecure data provided"
+};
+
+/*%
+ * Returns an error message corresponding to an error code returned by
+ * getaddrinfo() and getnameinfo()
+ */
+IRS_GAISTRERROR_RETURN_T
+gai_strerror(int ecode) {
+ union {
+ const char *const_ptr;
+ char *deconst_ptr;
+ } ptr;
+
+ if ((ecode < 0) ||
+ (ecode >= (int)(sizeof(gai_messages)/sizeof(*gai_messages))))
+ ptr.const_ptr = "invalid error code";
+ else
+ ptr.const_ptr = gai_messages[ecode];
+ return (ptr.deconst_ptr);
+}
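Review bot: `gai_messages` is indexed directly by `ecode`, so its order has to match the numeric EAI_* values, but nothing in the file says so and the definitions in `irs/netdb.h` are not visible in this hunk. A comment above the array such as `/* Indexed by EAI_* value; keep in the same order as irs/netdb.h. */` would stop a future code being added in the wrong slot. If a platform's own EAI_* values were ever used instead (an assumption, not shown here), the range check would presumably map them to "invalid error code" or to the wrong message. The file comment also still refers to `lwres_getaddrinfo()`, which looks like a leftover from the lwres copy it mentions.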
diff --git a/contrib/bind9/lib/irs/getaddrinfo.c b/contrib/bind9/lib/irs/getaddrinfo.c
new file mode 100644
index 000000000000..4b1f4a9221e3
--- /dev/null
+++ b/contrib/bind9/lib/irs/getaddrinfo.c
@@ -0,0 +1,1295 @@
+/*
+ * Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: getaddrinfo.c,v 1.3 2009/09/02 23:48:02 tbox Exp $ */
+
+/*! \file */
+
+/**
+ * getaddrinfo() is used to get a list of IP addresses and port
+ * numbers for host hostname and service servname as defined in RFC3493.
+ * hostname and servname are pointers to null-terminated strings
+ * or NULL. hostname is either a host name or a numeric host address
+ * string: a dotted decimal IPv4 address or an IPv6 address. servname is
+ * either a decimal port number or a service name as listed in
+ * /etc/services.
+ *
+ * If the operating system does not provide a struct addrinfo, the
+ * following structure is used:
+ *
+ * \code
+ * struct addrinfo {
+ * int ai_flags; // AI_PASSIVE, AI_CANONNAME
+ * int ai_family; // PF_xxx
+ * int ai_socktype; // SOCK_xxx
+ * int ai_protocol; // 0 or IPPROTO_xxx for IPv4 and IPv6
+ * size_t ai_addrlen; // length of ai_addr
+ * char *ai_canonname; // canonical name for hostname
+ * struct sockaddr *ai_addr; // binary address
+ * struct addrinfo *ai_next; // next structure in linked list
+ * };
+ * \endcode
+ *
+ *
+ * hints is an optional pointer to a struct addrinfo. This structure can
+ * be used to provide hints concerning the type of socket that the caller
+ * supports or wishes to use. The caller can supply the following
+ * structure elements in *hints:
+ *
+ * <ul>
+ * <li>ai_family:
+ * The protocol family that should be used. When ai_family is set
+ * to PF_UNSPEC, it means the caller will accept any protocol
+ * family supported by the operating system.</li>
+ *
+ * <li>ai_socktype:
+ * denotes the type of socket -- SOCK_STREAM, SOCK_DGRAM or
+ * SOCK_RAW -- that is wanted. When ai_socktype is zero the caller
+ * will accept any socket type.</li>
+ *
+ * <li>ai_protocol:
+ * indicates which transport protocol is wanted: IPPROTO_UDP or
+ * IPPROTO_TCP. If ai_protocol is zero the caller will accept any
+ * protocol.</li>
+ *
+ * <li>ai_flags:
+ * Flag bits. If the AI_CANONNAME bit is set, a successful call to
+ * getaddrinfo() will return a null-terminated string
+ * containing the canonical name of the specified hostname in
+ * ai_canonname of the first addrinfo structure returned. Setting
+ * the AI_PASSIVE bit indicates that the returned socket address
+ * structure is intended for used in a call to bind(2). In this
+ * case, if the hostname argument is a NULL pointer, then the IP
+ * address portion of the socket address structure will be set to
+ * INADDR_ANY for an IPv4 address or IN6ADDR_ANY_INIT for an IPv6
+ * address.<br /><br />
+ *
+ * When ai_flags does not set the AI_PASSIVE bit, the returned
+ * socket address structure will be ready for use in a call to
+ * connect(2) for a connection-oriented protocol or connect(2),
+ * sendto(2), or sendmsg(2) if a connectionless protocol was
+ * chosen. The IP address portion of the socket address structure
+ * will be set to the loopback address if hostname is a NULL
+ * pointer and AI_PASSIVE is not set in ai_flags.<br /><br />
+ *
+ * If ai_flags is set to AI_NUMERICHOST it indicates that hostname
+ * should be treated as a numeric string defining an IPv4 or IPv6
+ * address and no name resolution should be attempted.
+ * </li></ul>
+ *
+ * All other elements of the struct addrinfo passed via hints must be
+ * zero.
+ *
+ * A hints of NULL is treated as if the caller provided a struct addrinfo
+ * initialized to zero with ai_familyset to PF_UNSPEC.
+ *
+ * After a successful call to getaddrinfo(), *res is a pointer to a
+ * linked list of one or more addrinfo structures. Each struct addrinfo
+ * in this list cn be processed by following the ai_next pointer, until a
+ * NULL pointer is encountered. The three members ai_family, ai_socktype,
+ * and ai_protocol in each returned addrinfo structure contain the
+ * corresponding arguments for a call to socket(2). For each addrinfo
+ * structure in the list, the ai_addr member points to a filled-in socket
+ * address structure of length ai_addrlen.
+ *
+ * All of the information returned by getaddrinfo() is dynamically
+ * allocated: the addrinfo structures, and the socket address structures
+ * and canonical host name strings pointed to by the addrinfostructures.
+ * Memory allocated for the dynamically allocated structures created by a
+ * successful call to getaddrinfo() is released by freeaddrinfo().
+ * ai is a pointer to a struct addrinfo created by a call to getaddrinfo().
+ *
+ * \section irsreturn RETURN VALUES
+ *
+ * getaddrinfo() returns zero on success or one of the error codes
+ * listed in gai_strerror() if an error occurs. If both hostname and
+ * servname are NULL getaddrinfo() returns #EAI_NONAME.
+ *
+ * \section irssee SEE ALSO
+ *
+ * getaddrinfo(), freeaddrinfo(),
+ * gai_strerror(), RFC3493, getservbyname(3), connect(2),
+ * sendto(2), sendmsg(2), socket(2).
+ */
+
+#include <config.h>
+
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+
+#include <isc/app.h>
+#include <isc/buffer.h>
+#include <isc/lib.h>
+#include <isc/mem.h>
+#include <isc/sockaddr.h>
+#include <isc/util.h>
+
+#include <dns/client.h>
+#include <dns/fixedname.h>
+#include <dns/name.h>
+#include <dns/rdata.h>
+#include <dns/rdataset.h>
+#include <dns/rdatastruct.h>
+#include <dns/rdatatype.h>
+#include <dns/result.h>
+
+#include <irs/context.h>
+#include <irs/netdb.h>
+#include <irs/resconf.h>
+
+#define SA(addr) ((struct sockaddr *)(addr))
+#define SIN(addr) ((struct sockaddr_in *)(addr))
+#define SIN6(addr) ((struct sockaddr_in6 *)(addr))
+#define SLOCAL(addr) ((struct sockaddr_un *)(addr))
+
+/*! \struct addrinfo
+ */
+static struct addrinfo
+ *ai_concat(struct addrinfo *ai1, struct addrinfo *ai2),
+ *ai_reverse(struct addrinfo *oai),
+ *ai_clone(struct addrinfo *oai, int family),
+ *ai_alloc(int family, int addrlen);
+#ifdef AF_LOCAL
+static int get_local(const char *name, int socktype, struct addrinfo **res);
+#endif
+
+static int
+resolve_name(int family, const char *hostname, int flags,
+ struct addrinfo **aip, int socktype, int port);
+
+static int add_ipv4(const char *hostname, int flags, struct addrinfo **aip,
+ int socktype, int port);
+static int add_ipv6(const char *hostname, int flags, struct addrinfo **aip,
+ int socktype, int port);
+static void set_order(int, int (**)(const char *, int, struct addrinfo **,
+ int, int));
+
+#define FOUND_IPV4 0x1
+#define FOUND_IPV6 0x2
+#define FOUND_MAX 2
+
+#define ISC_AI_MASK (AI_PASSIVE|AI_CANONNAME|AI_NUMERICHOST)
+/*%
+ * Get a list of IP addresses and port numbers for host hostname and
+ * service servname.
+ */
+int
+getaddrinfo(const char *hostname, const char *servname,
+ const struct addrinfo *hints, struct addrinfo **res)
+{
+ struct servent *sp;
+ const char *proto;
+ int family, socktype, flags, protocol;
+ struct addrinfo *ai, *ai_list;
+ int err = 0;
+ int port, i;
+ int (*net_order[FOUND_MAX+1])(const char *, int, struct addrinfo **,
+ int, int);
+
+ if (hostname == NULL && servname == NULL)
+ return (EAI_NONAME);
+
+ proto = NULL;
+ if (hints != NULL) {
+ if ((hints->ai_flags & ~(ISC_AI_MASK)) != 0)
+ return (EAI_BADFLAGS);
+ if (hints->ai_addrlen || hints->ai_canonname ||
+ hints->ai_addr || hints->ai_next) {
+ errno = EINVAL;
+ return (EAI_SYSTEM);
+ }
+ family = hints->ai_family;
+ socktype = hints->ai_socktype;
+ protocol = hints->ai_protocol;
+ flags = hints->ai_flags;
+ switch (family) {
+ case AF_UNSPEC:
+ switch (hints->ai_socktype) {
+ case SOCK_STREAM:
+ proto = "tcp";
+ break;
+ case SOCK_DGRAM:
+ proto = "udp";
+ break;
+ }
+ break;
+ case AF_INET:
+ case AF_INET6:
+ switch (hints->ai_socktype) {
+ case 0:
+ break;
+ case SOCK_STREAM:
+ proto = "tcp";
+ break;
+ case SOCK_DGRAM:
+ proto = "udp";
+ break;
+ case SOCK_RAW:
+ break;
+ default:
+ return (EAI_SOCKTYPE);
+ }
+ break;
+#ifdef AF_LOCAL
+ case AF_LOCAL:
+ switch (hints->ai_socktype) {
+ case 0:
+ break;
+ case SOCK_STREAM:
+ break;
+ case SOCK_DGRAM:
+ break;
+ default:
+ return (EAI_SOCKTYPE);
+ }
+ break;
+#endif
+ default:
+ return (EAI_FAMILY);
+ }
+ } else {
+ protocol = 0;
+ family = 0;
+ socktype = 0;
+ flags = 0;
+ }
+
+#ifdef AF_LOCAL
+ /*!
+ * First, deal with AF_LOCAL. If the family was not set,
+ * then assume AF_LOCAL if the first character of the
+ * hostname/servname is '/'.
+ */
+
+ if (hostname != NULL &&
+ (family == AF_LOCAL || (family == 0 && *hostname == '/')))
+ return (get_local(hostname, socktype, res));
+
+ if (servname != NULL &&
+ (family == AF_LOCAL || (family == 0 && *servname == '/')))
+ return (get_local(servname, socktype, res));
+#endif
+
+ /*
+ * Ok, only AF_INET and AF_INET6 left.
+ */
+ ai_list = NULL;
+
+ /*
+ * First, look up the service name (port) if it was
+ * requested. If the socket type wasn't specified, then
+ * try and figure it out.
+ */
+ if (servname != NULL) {
+ char *e;
+
+ port = strtol(servname, &e, 10);
+ if (*e == '\0') {
+ if (socktype == 0)
+ return (EAI_SOCKTYPE);
+ if (port < 0 || port > 65535)
+ return (EAI_SERVICE);
+ port = htons((unsigned short) port);
+ } else {
+ sp = getservbyname(servname, proto);
+ if (sp == NULL)
+ return (EAI_SERVICE);
+ port = sp->s_port;
+ if (socktype == 0) {
+ if (strcmp(sp->s_proto, "tcp") == 0)
+ socktype = SOCK_STREAM;
+ else if (strcmp(sp->s_proto, "udp") == 0)
+ socktype = SOCK_DGRAM;
+ }
+ }
+ } else
+ port = 0;
+
+ /*
+ * Next, deal with just a service name, and no hostname.
+ * (we verified that one of them was non-null up above).
+ */
+ if (hostname == NULL && (flags & AI_PASSIVE) != 0) {
+ if (family == AF_INET || family == 0) {
+ ai = ai_alloc(AF_INET, sizeof(struct sockaddr_in));
+ if (ai == NULL)
+ return (EAI_MEMORY);
+ ai->ai_socktype = socktype;
+ ai->ai_protocol = protocol;
+ SIN(ai->ai_addr)->sin_port = port;
+ ai->ai_next = ai_list;
+ ai_list = ai;
+ }
+
+ if (family == AF_INET6 || family == 0) {
+ ai = ai_alloc(AF_INET6, sizeof(struct sockaddr_in6));
+ if (ai == NULL) {
+ freeaddrinfo(ai_list);
+ return (EAI_MEMORY);
+ }
+ ai->ai_socktype = socktype;
+ ai->ai_protocol = protocol;
+ SIN6(ai->ai_addr)->sin6_port = port;
+ ai->ai_next = ai_list;
+ ai_list = ai;
+ }
+
+ *res = ai_list;
+ return (0);
+ }
+
+ /*
+ * If the family isn't specified or AI_NUMERICHOST specified, check
+ * first to see if it is a numeric address.
+ * Though the gethostbyname2() routine will recognize numeric addresses,
+ * it will only recognize the format that it is being called for. Thus,
+ * a numeric AF_INET address will be treated by the AF_INET6 call as
+ * a domain name, and vice versa. Checking for both numerics here
+ * avoids that.
+ */
+ if (hostname != NULL &&
+ (family == 0 || (flags & AI_NUMERICHOST) != 0)) {
+ char abuf[sizeof(struct in6_addr)];
+ char nbuf[NI_MAXHOST];
+ int addrsize, addroff;
+#ifdef IRS_HAVE_SIN6_SCOPE_ID
+ char *p, *ep;
+ char ntmp[NI_MAXHOST];
+ isc_uint32_t scopeid;
+#endif
+
+#ifdef IRS_HAVE_SIN6_SCOPE_ID
+ /*
+ * Scope identifier portion.
+ */
+ ntmp[0] = '\0';
+ if (strchr(hostname, '%') != NULL) {
+ strncpy(ntmp, hostname, sizeof(ntmp) - 1);
+ ntmp[sizeof(ntmp) - 1] = '\0';
+ p = strchr(ntmp, '%');
+ ep = NULL;
+
+ /*
+ * Vendors may want to support non-numeric
+ * scopeid around here.
+ */
+
+ if (p != NULL)
+ scopeid = (isc_uint32_t)strtoul(p + 1,
+ &ep, 10);
+ if (p != NULL && ep != NULL && ep[0] == '\0')
+ *p = '\0';
+ else {
+ ntmp[0] = '\0';
+ scopeid = 0;
+ }
+ } else
+ scopeid = 0;
+#endif
+
+ if (inet_pton(AF_INET, hostname, (struct in_addr *)abuf)
+ == 1) {
+ if (family == AF_INET6) {
+ /*
+ * Convert to a V4 mapped address.
+ */
+ struct in6_addr *a6 = (struct in6_addr *)abuf;
+ memcpy(&a6->s6_addr[12], &a6->s6_addr[0], 4);
+ memset(&a6->s6_addr[10], 0xff, 2);
+ memset(&a6->s6_addr[0], 0, 10);
+ goto inet6_addr;
+ }
+ addrsize = sizeof(struct in_addr);
+ addroff = (char *)(&SIN(0)->sin_addr) - (char *)0;
+ family = AF_INET;
+ goto common;
+#ifdef IRS_HAVE_SIN6_SCOPE_ID
+ } else if (ntmp[0] != '\0' &&
+ inet_pton(AF_INET6, ntmp, abuf) == 1) {
+ if (family && family != AF_INET6)
+ return (EAI_NONAME);
+ addrsize = sizeof(struct in6_addr);
+ addroff = (char *)(&SIN6(0)->sin6_addr) - (char *)0;
+ family = AF_INET6;
+ goto common;
+#endif
+ } else if (inet_pton(AF_INET6, hostname, abuf) == 1) {
+ if (family != 0 && family != AF_INET6)
+ return (EAI_NONAME);
+ inet6_addr:
+ addrsize = sizeof(struct in6_addr);
+ addroff = (char *)(&SIN6(0)->sin6_addr) - (char *)0;
+ family = AF_INET6;
+
+ common:
+ ai = ai_alloc(family,
+ ((family == AF_INET6) ?
+ sizeof(struct sockaddr_in6) :
+ sizeof(struct sockaddr_in)));
+ if (ai == NULL)
+ return (EAI_MEMORY);
+ ai_list = ai;
+ ai->ai_socktype = socktype;
+ SIN(ai->ai_addr)->sin_port = port;
+ memcpy((char *)ai->ai_addr + addroff, abuf, addrsize);
+ if ((flags & AI_CANONNAME) != 0) {
+#ifdef IRS_HAVE_SIN6_SCOPE_ID
+ if (ai->ai_family == AF_INET6)
+ SIN6(ai->ai_addr)->sin6_scope_id =
+ scopeid;
+#endif
+ if (getnameinfo(ai->ai_addr, ai->ai_addrlen,
+ nbuf, sizeof(nbuf), NULL, 0,
+ NI_NUMERICHOST) == 0) {
+ ai->ai_canonname = strdup(nbuf);
+ if (ai->ai_canonname == NULL) {
+ freeaddrinfo(ai);
+ return (EAI_MEMORY);
+ }
+ } else {
+ /* XXX raise error? */
+ ai->ai_canonname = NULL;
+ }
+ }
+ goto done;
+ } else if ((flags & AI_NUMERICHOST) != 0) {
+ return (EAI_NONAME);
+ }
+ }
+
+ if (hostname == NULL && (flags & AI_PASSIVE) == 0) {
+ set_order(family, net_order);
+ for (i = 0; i < FOUND_MAX; i++) {
+ if (net_order[i] == NULL)
+ break;
+ err = (net_order[i])(hostname, flags, &ai_list,
+ socktype, port);
+ if (err != 0) {
+ if (ai_list != NULL)
+ freeaddrinfo(ai_list);
+ break;
+ }
+ }
+ } else
+ err = resolve_name(family, hostname, flags, &ai_list,
+ socktype, port);
+
+ if (ai_list == NULL) {
+ if (err == 0)
+ err = EAI_NONAME;
+ return (err);
+ }
+
+done:
+ ai_list = ai_reverse(ai_list);
+
+ *res = ai_list;
+ return (0);
+}
+
+typedef struct gai_restrans {
+ dns_clientrestrans_t *xid;
+ isc_boolean_t is_inprogress;
+ int error;
+ struct addrinfo ai_sentinel;
+ struct gai_resstate *resstate;
+} gai_restrans_t;
+
+typedef struct gai_resstate {
+ isc_mem_t *mctx;
+ struct gai_statehead *head;
+ dns_fixedname_t fixedname;
+ dns_name_t *qname;
+ gai_restrans_t *trans4;
+ gai_restrans_t *trans6;
+ ISC_LINK(struct gai_resstate) link;
+} gai_resstate_t;
+
+typedef struct gai_statehead {
+ int ai_family;
+ int ai_flags;
+ int ai_socktype;
+ int ai_port;
+ isc_appctx_t *actx;
+ dns_client_t *dnsclient;
+ ISC_LIST(struct gai_resstate) resstates;
+ unsigned int activestates;
+} gai_statehead_t;
+
+static isc_result_t
+make_resstate(isc_mem_t *mctx, gai_statehead_t *head, const char *hostname,
+ const char *domain, gai_resstate_t **statep)
+{
+ isc_result_t result;
+ gai_resstate_t *state;
+ dns_fixedname_t fixeddomain;
+ dns_name_t *qdomain;
+ size_t namelen;
+ isc_buffer_t b;
+ isc_boolean_t need_v4 = ISC_FALSE;
+ isc_boolean_t need_v6 = ISC_FALSE;
+
+ state = isc_mem_get(mctx, sizeof(*state));
+ if (state == NULL)
+ return (ISC_R_NOMEMORY);
+
+ /* Construct base domain name */
+ namelen = strlen(domain);
+ isc_buffer_init(&b, domain, namelen);
+ isc_buffer_add(&b, namelen);
+ dns_fixedname_init(&fixeddomain);
+ qdomain = dns_fixedname_name(&fixeddomain);
+ result = dns_name_fromtext(qdomain, &b, dns_rootname, 0, NULL);
+ if (result != ISC_R_SUCCESS) {
+ isc_mem_put(mctx, state, sizeof(*state));
+ return (result);
+ }
+
+ /* Construct query name */
+ namelen = strlen(hostname);
+ isc_buffer_init(&b, hostname, namelen);
+ isc_buffer_add(&b, namelen);
+ dns_fixedname_init(&state->fixedname);
+ state->qname = dns_fixedname_name(&state->fixedname);
+ result = dns_name_fromtext(state->qname, &b, qdomain, 0, NULL);
+ if (result != ISC_R_SUCCESS) {
+ isc_mem_put(mctx, state, sizeof(*state));
+ return (result);
+ }
+
+ if (head->ai_family == AF_UNSPEC || head->ai_family == AF_INET)
+ need_v4 = ISC_TRUE;
+ if (head->ai_family == AF_UNSPEC || head->ai_family == AF_INET6)
+ need_v6 = ISC_TRUE;
+
+ state->trans6 = NULL;
+ state->trans4 = NULL;
+ if (need_v4) {
+ state->trans4 = isc_mem_get(mctx, sizeof(gai_restrans_t));
+ if (state->trans4 == NULL) {
+ isc_mem_put(mctx, state, sizeof(*state));
+ return (ISC_R_NOMEMORY);
+ }
+ state->trans4->error = 0;
+ state->trans4->xid = NULL;
+ state->trans4->resstate = state;
+ state->trans4->is_inprogress = ISC_TRUE;
+ state->trans4->ai_sentinel.ai_next = NULL;
+ }
+ if (need_v6) {
+ state->trans6 = isc_mem_get(mctx, sizeof(gai_restrans_t));
+ if (state->trans6 == NULL) {
+ if (state->trans4 != NULL)
+ isc_mem_put(mctx, state->trans4,
+ sizeof(*state->trans4));
+ isc_mem_put(mctx, state, sizeof(*state));
+ return (ISC_R_NOMEMORY);
+ }
+ state->trans6->error = 0;
+ state->trans6->xid = NULL;
+ state->trans6->resstate = state;
+ state->trans6->is_inprogress = ISC_TRUE;
+ state->trans6->ai_sentinel.ai_next = NULL;
+ }
+
+ state->mctx = mctx;
+ state->head = head;
+ ISC_LINK_INIT(state, link);
+
+ *statep = state;
+
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+make_resstates(isc_mem_t *mctx, const char *hostname, gai_statehead_t *head,
+ irs_resconf_t *resconf)
+{
+ isc_result_t result;
+ irs_resconf_searchlist_t *searchlist;
+ irs_resconf_search_t *searchent;
+ gai_resstate_t *resstate, *resstate0;
+
+ resstate0 = NULL;
+ result = make_resstate(mctx, head, hostname, ".", &resstate0);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ searchlist = irs_resconf_getsearchlist(resconf);
+ for (searchent = ISC_LIST_HEAD(*searchlist); searchent != NULL;
+ searchent = ISC_LIST_NEXT(searchent, link)) {
+ resstate = NULL;
+ result = make_resstate(mctx, head, hostname,
+ (const char *)searchent->domain,
+ &resstate);
+ if (result != ISC_R_SUCCESS)
+ break;
+
+ ISC_LIST_APPEND(head->resstates, resstate, link);
+ head->activestates++;
+ }
+
+ /*
+ * Insert the original hostname either at the head or the tail of the
+ * state list, depending on the number of labels contained in the
+ * original name and the 'ndots' configuration parameter.
+ */
+ if (dns_name_countlabels(resstate0->qname) >
+ irs_resconf_getndots(resconf) + 1) {
+ ISC_LIST_PREPEND(head->resstates, resstate0, link);
+ } else
+ ISC_LIST_APPEND(head->resstates, resstate0, link);
+ head->activestates++;
+
+ if (result != ISC_R_SUCCESS) {
+ while ((resstate = ISC_LIST_HEAD(head->resstates)) != NULL) {
+ ISC_LIST_UNLINK(head->resstates, resstate, link);
+ if (resstate->trans4 != NULL) {
+ isc_mem_put(mctx, resstate->trans4,
+ sizeof(*resstate->trans4));
+ }
+ if (resstate->trans6 != NULL) {
+ isc_mem_put(mctx, resstate->trans6,
+ sizeof(*resstate->trans6));
+ }
+
+ isc_mem_put(mctx, resstate, sizeof(*resstate));
+ }
+ }
+
+ return (result);
+}
+
+static void
+process_answer(isc_task_t *task, isc_event_t *event) {
+ int error = 0, family;
+ gai_restrans_t *trans = event->ev_arg;
+ gai_resstate_t *resstate;
+ dns_clientresevent_t *rev = (dns_clientresevent_t *)event;
+ dns_rdatatype_t qtype;
+ dns_name_t *name;
+
+ REQUIRE(trans != NULL);
+ resstate = trans->resstate;
+ REQUIRE(resstate != NULL);
+ REQUIRE(task != NULL);
+
+ if (trans == resstate->trans4) {
+ family = AF_INET;
+ qtype = dns_rdatatype_a;
+ } else {
+ INSIST(trans == resstate->trans6);
+ family = AF_INET6;
+ qtype = dns_rdatatype_aaaa;
+ }
+
+ INSIST(trans->is_inprogress);
+ trans->is_inprogress = ISC_FALSE;
+
+ switch (rev->result) {
+ case ISC_R_SUCCESS:
+ case DNS_R_NCACHENXDOMAIN: /* treat this as a fatal error? */
+ case DNS_R_NCACHENXRRSET:
+ break;
+ default:
+ switch (rev->vresult) {
+ case DNS_R_SIGINVALID:
+ case DNS_R_SIGEXPIRED:
+ case DNS_R_SIGFUTURE:
+ case DNS_R_KEYUNAUTHORIZED:
+ case DNS_R_MUSTBESECURE:
+ case DNS_R_COVERINGNSEC:
+ case DNS_R_NOTAUTHORITATIVE:
+ case DNS_R_NOVALIDKEY:
+ case DNS_R_NOVALIDDS:
+ case DNS_R_NOVALIDSIG:
+ error = EAI_INSECUREDATA;
+ break;
+ default:
+ error = EAI_FAIL;
+ }
+ goto done;
+ }
+
+ /* Parse the response and construct the addrinfo chain */
+ for (name = ISC_LIST_HEAD(rev->answerlist); name != NULL;
+ name = ISC_LIST_NEXT(name, link)) {
+ isc_result_t result;
+ dns_rdataset_t *rdataset;
+ isc_buffer_t b;
+ isc_region_t r;
+ char t[1024];
+
+ for (rdataset = ISC_LIST_HEAD(name->list);
+ rdataset != NULL;
+ rdataset = ISC_LIST_NEXT(rdataset, link)) {
+ if (!dns_rdataset_isassociated(rdataset))
+ continue;
+ if (rdataset->type != qtype)
+ continue;
+
+ if ((resstate->head->ai_flags & AI_CANONNAME) != 0) {
+ isc_buffer_init(&b, t, sizeof(t));
+ result = dns_name_totext(name, ISC_TRUE, &b);
+ if (result != ISC_R_SUCCESS) {
+ error = EAI_FAIL;
+ goto done;
+ }
+ isc_buffer_putuint8(&b, '\0');
+ isc_buffer_usedregion(&b, &r);
+ }
+
+ for (result = dns_rdataset_first(rdataset);
+ result == ISC_R_SUCCESS;
+ result = dns_rdataset_next(rdataset)) {
+ struct addrinfo *ai;
+ dns_rdata_t rdata;
+ dns_rdata_in_a_t rdata_a;
+ dns_rdata_in_aaaa_t rdata_aaaa;
+
+ ai = ai_alloc(family,
+ ((family == AF_INET6) ?
+ sizeof(struct sockaddr_in6) :
+ sizeof(struct sockaddr_in)));
+ if (ai == NULL) {
+ error = EAI_MEMORY;
+ goto done;
+ }
+ ai->ai_socktype = resstate->head->ai_socktype;
+ ai->ai_next = trans->ai_sentinel.ai_next;
+ trans->ai_sentinel.ai_next = ai;
+
+ /*
+ * Set AF-specific parameters
+ * (IPv4/v6 address/port)
+ */
+ dns_rdata_init(&rdata);
+ switch (family) {
+ case AF_INET:
+ dns_rdataset_current(rdataset, &rdata);
+ dns_rdata_tostruct(&rdata, &rdata_a,
+ NULL);
+
+ SIN(ai->ai_addr)->sin_port =
+ resstate->head->ai_port;
+ memcpy(&SIN(ai->ai_addr)->sin_addr,
+ &rdata_a.in_addr, 4);
+ dns_rdata_freestruct(&rdata_a);
+ break;
+ case AF_INET6:
+ dns_rdataset_current(rdataset, &rdata);
+ dns_rdata_tostruct(&rdata, &rdata_aaaa,
+ NULL);
+ SIN6(ai->ai_addr)->sin6_port =
+ resstate->head->ai_port;
+ memcpy(&SIN6(ai->ai_addr)->sin6_addr,
+ &rdata_aaaa.in6_addr, 16);
+ dns_rdata_freestruct(&rdata_aaaa);
+ break;
+ }
+
+ if ((resstate->head->ai_flags & AI_CANONNAME)
+ != 0) {
+ ai->ai_canonname =
+ strdup((const char *)r.base);
+ if (ai->ai_canonname == NULL) {
+ error = EAI_MEMORY;
+ goto done;
+ }
+ }
+ }
+ }
+ }
+
+ done:
+ dns_client_freeresanswer(resstate->head->dnsclient, &rev->answerlist);
+ dns_client_destroyrestrans(&trans->xid);
+
+ isc_event_free(&event);
+
+ /* Make sure that error == 0 iff we have a non-empty list */
+ if (error == 0) {
+ if (trans->ai_sentinel.ai_next == NULL)
+ error = EAI_NONAME;
+ } else {
+ if (trans->ai_sentinel.ai_next != NULL) {
+ freeaddrinfo(trans->ai_sentinel.ai_next);
+ trans->ai_sentinel.ai_next = NULL;
+ }
+ }
+ trans->error = error;
+
+ /* Check whether we are done */
+ if ((resstate->trans4 == NULL || !resstate->trans4->is_inprogress) &&
+ (resstate->trans6 == NULL || !resstate->trans6->is_inprogress)) {
+ /*
+ * We're done for this state. If there is no other outstanding
+ * state, we can exit.
+ */
+ resstate->head->activestates--;
+ if (resstate->head->activestates == 0) {
+ isc_app_ctxsuspend(resstate->head->actx);
+ return;
+ }
+
+ /*
+ * There are outstanding states, but if we are at the head
+ * of the state list (i.e., at the highest search priority)
+ * and have any answer, we can stop now by canceling the
+ * others.
+ */
+ if (resstate == ISC_LIST_HEAD(resstate->head->resstates)) {
+ if ((resstate->trans4 != NULL &&
+ resstate->trans4->ai_sentinel.ai_next != NULL) ||
+ (resstate->trans6 != NULL &&
+ resstate->trans6->ai_sentinel.ai_next != NULL)) {
+ gai_resstate_t *rest;
+
+ for (rest = ISC_LIST_NEXT(resstate, link);
+ rest != NULL;
+ rest = ISC_LIST_NEXT(rest, link)) {
+ if (rest->trans4 != NULL &&
+ rest->trans4->xid != NULL)
+ dns_client_cancelresolve(
+ rest->trans4->xid);
+ if (rest->trans6 != NULL &&
+ rest->trans6->xid != NULL)
+ dns_client_cancelresolve(
+ rest->trans6->xid);
+ }
+ } else {
+ /*
+ * This search fails, so we move to the tail
+ * of the list so that the next entry will
+ * have the highest priority.
+ */
+ ISC_LIST_UNLINK(resstate->head->resstates,
+ resstate, link);
+ ISC_LIST_APPEND(resstate->head->resstates,
+ resstate, link);
+ }
+ }
+ }
+}
+
+static int
+resolve_name(int family, const char *hostname, int flags,
+ struct addrinfo **aip, int socktype, int port)
+{
+ isc_result_t result;
+ irs_context_t *irsctx;
+ irs_resconf_t *conf;
+ isc_mem_t *mctx;
+ isc_appctx_t *actx;
+ isc_task_t *task;
+ int terror = 0;
+ int error = 0;
+ dns_client_t *client;
+ gai_resstate_t *resstate;
+ gai_statehead_t head;
+ isc_boolean_t all_fail = ISC_TRUE;
+
+ /* get IRS context and the associated parameters */
+ irsctx = NULL;
+ result = irs_context_get(&irsctx);
+ if (result != ISC_R_SUCCESS)
+ return (EAI_FAIL);
+ actx = irs_context_getappctx(irsctx);
+
+ mctx = irs_context_getmctx(irsctx);
+ task = irs_context_gettask(irsctx);
+ conf = irs_context_getresconf(irsctx);
+ client = irs_context_getdnsclient(irsctx);
+
+ /* construct resolution states */
+ head.activestates = 0;
+ head.ai_family = family;
+ head.ai_socktype = socktype;
+ head.ai_flags = flags;
+ head.ai_port = port;
+ head.actx = actx;
+ head.dnsclient = client;
+ ISC_LIST_INIT(head.resstates);
+ result = make_resstates(mctx, hostname, &head, conf);
+ if (result != ISC_R_SUCCESS)
+ return (EAI_FAIL);
+
+ for (resstate = ISC_LIST_HEAD(head.resstates);
+ resstate != NULL; resstate = ISC_LIST_NEXT(resstate, link)) {
+ if (resstate->trans4 != NULL) {
+ result = dns_client_startresolve(client,
+ resstate->qname,
+ dns_rdataclass_in,
+ dns_rdatatype_a,
+ 0, task,
+ process_answer,
+ resstate->trans4,
+ &resstate->trans4->xid);
+ if (result == ISC_R_SUCCESS) {
+ resstate->trans4->is_inprogress = ISC_TRUE;
+ all_fail = ISC_FALSE;
+ } else
+ resstate->trans4->is_inprogress = ISC_FALSE;
+ }
+ if (resstate->trans6 != NULL) {
+ result = dns_client_startresolve(client,
+ resstate->qname,
+ dns_rdataclass_in,
+ dns_rdatatype_aaaa,
+ 0, task,
+ process_answer,
+ resstate->trans6,
+ &resstate->trans6->xid);
+ if (result == ISC_R_SUCCESS) {
+ resstate->trans6->is_inprogress = ISC_TRUE;
+ all_fail = ISC_FALSE;
+ } else
+ resstate->trans6->is_inprogress= ISC_FALSE;
+ }
+ }
+ if (!all_fail) {
+ /* Start all the events */
+ isc_app_ctxrun(actx);
+ } else
+ error = EAI_FAIL;
+
+ /* Cleanup */
+ while ((resstate = ISC_LIST_HEAD(head.resstates)) != NULL) {
+ int terror4 = 0, terror6 = 0;
+
+ ISC_LIST_UNLINK(head.resstates, resstate, link);
+
+ if (*aip == NULL) {
+ struct addrinfo *sentinel4 = NULL;
+ struct addrinfo *sentinel6 = NULL;
+
+ if (resstate->trans4 != NULL) {
+ sentinel4 =
+ resstate->trans4->ai_sentinel.ai_next;
+ resstate->trans4->ai_sentinel.ai_next = NULL;
+ }
+ if (resstate->trans6 != NULL) {
+ sentinel6 =
+ resstate->trans6->ai_sentinel.ai_next;
+ resstate->trans6->ai_sentinel.ai_next = NULL;
+ }
+ *aip = ai_concat(sentinel4, sentinel6);
+ }
+
+ if (resstate->trans4 != NULL) {
+ INSIST(resstate->trans4->xid == NULL);
+ terror4 = resstate->trans4->error;
+ isc_mem_put(mctx, resstate->trans4,
+ sizeof(*resstate->trans4));
+ }
+ if (resstate->trans6 != NULL) {
+ INSIST(resstate->trans6->xid == NULL);
+ terror6 = resstate->trans6->error;
+ isc_mem_put(mctx, resstate->trans6,
+ sizeof(*resstate->trans6));
+ }
+
+ /*
+ * If the entire lookup fails, we need to choose an appropriate
+ * error code from individual codes. We'll try to provide as
+ * specific a code as possible. In general, we are going to
+ * find an error code other than EAI_NONAME (which is too
+ * generic and may actually not be problematic in some cases).
+ * EAI_NONAME will be set below if no better code is found.
+ */
+ if (terror == 0 || terror == EAI_NONAME) {
+ if (terror4 != 0 && terror4 != EAI_NONAME)
+ terror = terror4;
+ else if (terror6 != 0 && terror6 != EAI_NONAME)
+ terror = terror6;
+ }
+
+ isc_mem_put(mctx, resstate, sizeof(*resstate));
+ }
+
+ if (*aip == NULL) {
+ error = terror;
+ if (error == 0)
+ error = EAI_NONAME;
+ }
+
+#if 1 /* XXX: enabled for finding leaks. should be cleaned up later. */
+ isc_app_ctxfinish(actx);
+ irs_context_destroy(&irsctx);
+#endif
+
+ return (error);
+}
+
+static char *
+irs_strsep(char **stringp, const char *delim) {
+ char *string = *stringp;
+ char *s;
+ const char *d;
+ char sc, dc;
+
+ if (string == NULL)
+ return (NULL);
+
+ for (s = string; *s != '\0'; s++) {
+ sc = *s;
+ for (d = delim; (dc = *d) != '\0'; d++)
+ if (sc == dc) {
+ *s++ = '\0';
+ *stringp = s;
+ return (string);
+ }
+ }
+ *stringp = NULL;
+ return (string);
+}
+
+static void
+set_order(int family, int (**net_order)(const char *, int, struct addrinfo **,
+ int, int))
+{
+ char *order, *tok;
+ int found;
+
+ if (family) {
+ switch (family) {
+ case AF_INET:
+ *net_order++ = add_ipv4;
+ break;
+ case AF_INET6:
+ *net_order++ = add_ipv6;
+ break;
+ }
+ } else {
+ order = getenv("NET_ORDER");
+ found = 0;
+ while (order != NULL) {
+ /*
+ * We ignore any unknown names.
+ */
+ tok = irs_strsep(&order, ":");
+ if (strcasecmp(tok, "inet6") == 0) {
+ if ((found & FOUND_IPV6) == 0)
+ *net_order++ = add_ipv6;
+ found |= FOUND_IPV6;
+ } else if (strcasecmp(tok, "inet") == 0 ||
+ strcasecmp(tok, "inet4") == 0) {
+ if ((found & FOUND_IPV4) == 0)
+ *net_order++ = add_ipv4;
+ found |= FOUND_IPV4;
+ }
+ }
+
+ /*
+ * Add in anything that we didn't find.
+ */
+ if ((found & FOUND_IPV4) == 0)
+ *net_order++ = add_ipv4;
+ if ((found & FOUND_IPV6) == 0)
+ *net_order++ = add_ipv6;
+ }
+ *net_order = NULL;
+ return;
+}
+
+static char v4_loop[4] = { 127, 0, 0, 1 };
+
+static int
+add_ipv4(const char *hostname, int flags, struct addrinfo **aip,
+ int socktype, int port)
+{
+ struct addrinfo *ai;
+
+ UNUSED(hostname);
+ UNUSED(flags);
+
+ ai = ai_clone(*aip, AF_INET); /* don't use ai_clone() */
+ if (ai == NULL) {
+ freeaddrinfo(*aip);
+ return (EAI_MEMORY);
+ }
+
+ *aip = ai;
+ ai->ai_socktype = socktype;
+ SIN(ai->ai_addr)->sin_port = port;
+ memcpy(&SIN(ai->ai_addr)->sin_addr, v4_loop, 4);
+
+ return (0);
+}
+
+static char v6_loop[16] = { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1 };
+
+static int
+add_ipv6(const char *hostname, int flags, struct addrinfo **aip,
+ int socktype, int port)
+{
+ struct addrinfo *ai;
+
+ UNUSED(hostname);
+ UNUSED(flags);
+
+ ai = ai_clone(*aip, AF_INET6); /* don't use ai_clone() */
+ if (ai == NULL) {
+ freeaddrinfo(*aip);
+ return (EAI_MEMORY);
+ }
+
+ *aip = ai;
+ ai->ai_socktype = socktype;
+ SIN6(ai->ai_addr)->sin6_port = port;
+ memcpy(&SIN6(ai->ai_addr)->sin6_addr, v6_loop, 16);
+
+ return (0);
+}
+
+/*% Free address info. */
+void
+freeaddrinfo(struct addrinfo *ai) {
+ struct addrinfo *ai_next;
+
+ while (ai != NULL) {
+ ai_next = ai->ai_next;
+ if (ai->ai_addr != NULL)
+ free(ai->ai_addr);
+ if (ai->ai_canonname)
+ free(ai->ai_canonname);
+ free(ai);
+ ai = ai_next;
+ }
+}
+
+#ifdef AF_LOCAL
+static int
+get_local(const char *name, int socktype, struct addrinfo **res) {
+ struct addrinfo *ai;
+ struct sockaddr_un *slocal;
+
+ if (socktype == 0)
+ return (EAI_SOCKTYPE);
+
+ ai = ai_alloc(AF_LOCAL, sizeof(*slocal));
+ if (ai == NULL)
+ return (EAI_MEMORY);
+
+ slocal = SLOCAL(ai->ai_addr);
+ strncpy(slocal->sun_path, name, sizeof(slocal->sun_path));
+
+ ai->ai_socktype = socktype;
+ /*
+ * ai->ai_flags, ai->ai_protocol, ai->ai_canonname,
+ * and ai->ai_next were initialized to zero.
+ */
+
+ *res = ai;
+ return (0);
+}
+#endif
+
+/*!
+ * Allocate an addrinfo structure, and a sockaddr structure
+ * of the specificed length. We initialize:
+ * ai_addrlen
+ * ai_family
+ * ai_addr
+ * ai_addr->sa_family
+ * ai_addr->sa_len (IRS_PLATFORM_HAVESALEN)
+ * and everything else is initialized to zero.
+ */
+static struct addrinfo *
+ai_alloc(int family, int addrlen) {
+ struct addrinfo *ai;
+
+ ai = (struct addrinfo *)calloc(1, sizeof(*ai));
+ if (ai == NULL)
+ return (NULL);
+
+ ai->ai_addr = SA(calloc(1, addrlen));
+ if (ai->ai_addr == NULL) {
+ free(ai);
+ return (NULL);
+ }
+ ai->ai_addrlen = addrlen;
+ ai->ai_family = family;
+ ai->ai_addr->sa_family = family;
+#ifdef IRS_PLATFORM_HAVESALEN
+ ai->ai_addr->sa_len = addrlen;
+#endif
+ return (ai);
+}
+
+static struct addrinfo *
+ai_clone(struct addrinfo *oai, int family) {
+ struct addrinfo *ai;
+
+ ai = ai_alloc(family, ((family == AF_INET6) ?
+ sizeof(struct sockaddr_in6) : sizeof(struct sockaddr_in)));
+
+ if (ai == NULL) {
+ if (oai != NULL)
+ freeaddrinfo(oai);
+ return (NULL);
+ }
+ if (oai == NULL)
+ return (ai);
+
+ ai->ai_flags = oai->ai_flags;
+ ai->ai_socktype = oai->ai_socktype;
+ ai->ai_protocol = oai->ai_protocol;
+ ai->ai_canonname = NULL;
+ ai->ai_next = oai;
+ return (ai);
+}
+
+static struct addrinfo *
+ai_reverse(struct addrinfo *oai) {
+ struct addrinfo *nai, *tai;
+
+ nai = NULL;
+
+ while (oai != NULL) {
+ /*
+ * Grab one off the old list.
+ */
+ tai = oai;
+ oai = oai->ai_next;
+ /*
+ * Put it on the front of the new list.
+ */
+ tai->ai_next = nai;
+ nai = tai;
+ }
+ return (nai);
+}
+
+
+static struct addrinfo *
+ai_concat(struct addrinfo *ai1, struct addrinfo *ai2) {
+ struct addrinfo *ai_tmp;
+
+ if (ai1 == NULL)
+ return (ai2);
+ else if (ai2 == NULL)
+ return (ai1);
+
+ for (ai_tmp = ai1; ai_tmp != NULL && ai_tmp->ai_next != NULL;
+ ai_tmp = ai_tmp->ai_next)
+ ;
+
+ ai_tmp->ai_next = ai2;
+
+ return (ai1);
+}
diff --git a/contrib/bind9/lib/irs/getnameinfo.c b/contrib/bind9/lib/irs/getnameinfo.c
new file mode 100644
index 000000000000..80e36776d18b
--- /dev/null
+++ b/contrib/bind9/lib/irs/getnameinfo.c
@@ -0,0 +1,408 @@
+/*
+ * Copyright (C) 2009, 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id$ */
+
+/*! \file */
+
+/*
+ * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the project nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/**
+ * getnameinfo() returns the hostname for the struct sockaddr sa which is
+ * salen bytes long. The hostname is of length hostlen and is returned via
+ * *host. The maximum length of the hostname is 1025 bytes: #NI_MAXHOST.
+ *
+ * The name of the service associated with the port number in sa is
+ * returned in *serv. It is servlen bytes long. The maximum length of the
+ * service name is #NI_MAXSERV - 32 bytes.
+ *
+ * The flags argument sets the following bits:
+ *
+ * \li #NI_NOFQDN:
+ * A fully qualified domain name is not required for local hosts.
+ * The local part of the fully qualified domain name is returned
+ * instead.
+ *
+ * \li #NI_NUMERICHOST
+ * Return the address in numeric form, as if calling inet_ntop(),
+ * instead of a host name.
+ *
+ * \li #NI_NAMEREQD
+ * A name is required. If the hostname cannot be found in the DNS
+ * and this flag is set, a non-zero error code is returned. If the
+ * hostname is not found and the flag is not set, the address is
+ * returned in numeric form.
+ *
+ * \li #NI_NUMERICSERV
+ * The service name is returned as a digit string representing the
+ * port number.
+ *
+ * \li #NI_DGRAM
+ * Specifies that the service being looked up is a datagram
+ * service, and causes getservbyport() to be called with a second
+ * argument of "udp" instead of its default of "tcp". This is
+ * required for the few ports (512-514) that have different
+ * services for UDP and TCP.
+ *
+ * \section getnameinfo_return Return Values
+ *
+ * getnameinfo() returns 0 on success or a non-zero error code if
+ * an error occurs.
+ *
+ * \section getname_see See Also
+ *
+ * RFC3493, getservbyport(),
+ * getnamebyaddr(). inet_ntop().
+ */
+
+#include <config.h>
+
+#include <stdio.h>
+#include <string.h>
+
+#include <isc/netaddr.h>
+#include <isc/print.h>
+#include <isc/sockaddr.h>
+#include <isc/util.h>
+
+#include <dns/byaddr.h>
+#include <dns/client.h>
+#include <dns/fixedname.h>
+#include <dns/name.h>
+#include <dns/rdata.h>
+#include <dns/rdataset.h>
+#include <dns/rdatastruct.h>
+#include <dns/result.h>
+
+#include <irs/context.h>
+#include <irs/netdb.h>
+
+#define SUCCESS 0
+
+/*% afd structure definition */
+static struct afd {
+ int a_af;
+ size_t a_addrlen;
+ size_t a_socklen;
+} afdl [] = {
+ /*!
+ * First entry is linked last...
+ */
+ { AF_INET, sizeof(struct in_addr), sizeof(struct sockaddr_in) },
+ { AF_INET6, sizeof(struct in6_addr), sizeof(struct sockaddr_in6) },
+ {0, 0, 0},
+};
+
+/*!
+ * The test against 0 is there to keep the Solaris compiler
+ * from complaining about "end-of-loop code not reached".
+ */
+#define ERR(code) \
+ do { result = (code); \
+ if (result != 0) goto cleanup; \
+ } while (0)
+
+int
+getnameinfo(const struct sockaddr *sa, socklen_t salen, char *host,
+ IRS_GETNAMEINFO_BUFLEN_T hostlen, char *serv,
+ IRS_GETNAMEINFO_BUFLEN_T servlen, IRS_GETNAMEINFO_FLAGS_T flags)
+{
+ struct afd *afd;
+ struct servent *sp;
+ unsigned short port = 0;
+#ifdef IRS_PLATFORM_HAVESALEN
+ size_t len;
+#endif
+ int family, i;
+ const void *addr = NULL;
+ char *p;
+#if 0
+ unsigned long v4a;
+ unsigned char pfx;
+#endif
+ char numserv[sizeof("65000")];
+ char numaddr[sizeof("abcd:abcd:abcd:abcd:abcd:abcd:255.255.255.255")
+ + 1 + sizeof("4294967295")];
+ const char *proto;
+ int result = SUCCESS;
+
+ if (sa == NULL)
+ ERR(EAI_FAIL);
+
+#ifdef IRS_PLATFORM_HAVESALEN
+ len = sa->sa_len;
+ if (len != salen)
+ ERR(EAI_FAIL);
+#endif
+
+ family = sa->sa_family;
+ for (i = 0; afdl[i].a_af; i++)
+ if (afdl[i].a_af == family) {
+ afd = &afdl[i];
+ goto found;
+ }
+ ERR(EAI_FAMILY);
+
+ found:
+ if (salen != afd->a_socklen)
+ ERR(EAI_FAIL);
+
+ switch (family) {
+ case AF_INET:
+ port = ((const struct sockaddr_in *)sa)->sin_port;
+ addr = &((const struct sockaddr_in *)sa)->sin_addr.s_addr;
+ break;
+
+ case AF_INET6:
+ port = ((const struct sockaddr_in6 *)sa)->sin6_port;
+ addr = ((const struct sockaddr_in6 *)sa)->sin6_addr.s6_addr;
+ break;
+
+ default:
+ INSIST(0);
+ }
+ proto = (flags & NI_DGRAM) ? "udp" : "tcp";
+
+ if (serv == NULL || servlen == 0U) {
+ /*
+ * Caller does not want service.
+ */
+ } else if ((flags & NI_NUMERICSERV) != 0 ||
+ (sp = getservbyport(port, proto)) == NULL) {
+ snprintf(numserv, sizeof(numserv), "%d", ntohs(port));
+ if ((strlen(numserv) + 1) > servlen)
+ ERR(EAI_OVERFLOW);
+ strcpy(serv, numserv);
+ } else {
+ if ((strlen(sp->s_name) + 1) > servlen)
+ ERR(EAI_OVERFLOW);
+ strcpy(serv, sp->s_name);
+ }
+
+#if 0
+ switch (sa->sa_family) {
+ case AF_INET:
+ v4a = ((struct sockaddr_in *)sa)->sin_addr.s_addr;
+ if (IN_MULTICAST(v4a) || IN_EXPERIMENTAL(v4a))
+ flags |= NI_NUMERICHOST;
+ v4a >>= IN_CLASSA_NSHIFT;
+ if (v4a == 0 || v4a == IN_LOOPBACKNET)
+ flags |= NI_NUMERICHOST;
+ break;
+
+ case AF_INET6:
+ pfx = ((struct sockaddr_in6 *)sa)->sin6_addr.s6_addr[0];
+ if (pfx == 0 || pfx == 0xfe || pfx == 0xff)
+ flags |= NI_NUMERICHOST;
+ break;
+ }
+#endif
+
+ if (host == NULL || hostlen == 0U) {
+ /*
+ * do nothing in this case.
+ * in case you are wondering if "&&" is more correct than
+ * "||" here: RFC3493 says that host == NULL or hostlen == 0
+ * means that the caller does not want the result.
+ */
+ } else if ((flags & NI_NUMERICHOST) != 0) {
+ if (inet_ntop(afd->a_af, addr, numaddr, sizeof(numaddr))
+ == NULL)
+ ERR(EAI_SYSTEM);
+#if defined(IRS_HAVE_SIN6_SCOPE_ID)
+ if (afd->a_af == AF_INET6 &&
+ ((const struct sockaddr_in6 *)sa)->sin6_scope_id) {
+ char *p = numaddr + strlen(numaddr);
+ const char *stringscope = NULL;
+#ifdef VENDOR_SPECIFIC
+ /*
+ * Vendors may want to add support for
+ * non-numeric scope identifier.
+ */
+ stringscope = foo;
+#endif
+ if (stringscope == NULL) {
+ snprintf(p, sizeof(numaddr) - (p - numaddr),
+ "%%%u",
+ ((const struct sockaddr_in6 *)sa)->sin6_scope_id);
+ } else {
+ snprintf(p, sizeof(numaddr) - (p - numaddr),
+ "%%%s", stringscope);
+ }
+ }
+#endif
+ if (strlen(numaddr) + 1 > hostlen)
+ ERR(EAI_OVERFLOW);
+ strcpy(host, numaddr);
+ } else {
+ isc_netaddr_t netaddr;
+ dns_fixedname_t ptrfname;
+ dns_name_t *ptrname;
+ irs_context_t *irsctx = NULL;
+ dns_client_t *client;
+ isc_boolean_t found = ISC_FALSE;
+ dns_namelist_t answerlist;
+ dns_rdataset_t *rdataset;
+ isc_region_t hostregion;
+ char hoststr[1024]; /* is this enough? */
+ isc_result_t iresult;
+
+ /* Get IRS context and the associated DNS client object */
+ iresult = irs_context_get(&irsctx);
+ if (iresult != ISC_R_SUCCESS)
+ ERR(EAI_FAIL);
+ client = irs_context_getdnsclient(irsctx);
+
+ /* Make query name */
+ isc_netaddr_fromsockaddr(&netaddr, (const isc_sockaddr_t *)sa);
+ dns_fixedname_init(&ptrfname);
+ ptrname = dns_fixedname_name(&ptrfname);
+ iresult = dns_byaddr_createptrname2(&netaddr, 0, ptrname);
+ if (iresult != ISC_R_SUCCESS)
+ ERR(EAI_FAIL);
+
+ /* Get the PTR RRset */
+ ISC_LIST_INIT(answerlist);
+ iresult = dns_client_resolve(client, ptrname,
+ dns_rdataclass_in,
+ dns_rdatatype_ptr,
+ DNS_CLIENTRESOPT_ALLOWRUN,
+ &answerlist);
+ switch (iresult) {
+ case ISC_R_SUCCESS:
+ /*
+ * a 'non-existent' error is not necessarily fatal for
+ * getnameinfo().
+ */
+ case DNS_R_NCACHENXDOMAIN:
+ case DNS_R_NCACHENXRRSET:
+ break;
+ case DNS_R_SIGINVALID:
+ case DNS_R_SIGEXPIRED:
+ case DNS_R_SIGFUTURE:
+ case DNS_R_KEYUNAUTHORIZED:
+ case DNS_R_MUSTBESECURE:
+ case DNS_R_COVERINGNSEC:
+ case DNS_R_NOTAUTHORITATIVE:
+ case DNS_R_NOVALIDKEY:
+ case DNS_R_NOVALIDDS:
+ case DNS_R_NOVALIDSIG:
+ ERR(EAI_INSECUREDATA);
+ default:
+ ERR(EAI_FAIL);
+ }
+
+ /* Parse the answer for the hostname */
+ for (ptrname = ISC_LIST_HEAD(answerlist); ptrname != NULL;
+ ptrname = ISC_LIST_NEXT(ptrname, link)) {
+ for (rdataset = ISC_LIST_HEAD(ptrname->list);
+ rdataset != NULL;
+ rdataset = ISC_LIST_NEXT(rdataset, link)) {
+ if (!dns_rdataset_isassociated(rdataset))
+ continue;
+ if (rdataset->type != dns_rdatatype_ptr)
+ continue;
+
+ for (iresult = dns_rdataset_first(rdataset);
+ iresult == ISC_R_SUCCESS;
+ iresult = dns_rdataset_next(rdataset)) {
+ dns_rdata_t rdata;
+ dns_rdata_ptr_t rdata_ptr;
+ isc_buffer_t b;
+
+ dns_rdata_init(&rdata);
+ dns_rdataset_current(rdataset, &rdata);
+ dns_rdata_tostruct(&rdata, &rdata_ptr,
+ NULL);
+
+ isc_buffer_init(&b, hoststr,
+ sizeof(hoststr));
+ iresult =
+ dns_name_totext(&rdata_ptr.ptr,
+ ISC_TRUE, &b);
+ dns_rdata_freestruct(&rdata_ptr);
+ if (iresult == ISC_R_SUCCESS) {
+ /*
+ * We ignore the rest of the
+ * answer. After all,
+ * getnameinfo() can return
+ * at most one hostname.
+ */
+ found = ISC_TRUE;
+ isc_buffer_usedregion(
+ &b, &hostregion);
+ goto ptrfound;
+ }
+
+ }
+ }
+ }
+ ptrfound:
+ dns_client_freeresanswer(client, &answerlist);
+ if (found) {
+ if ((flags & NI_NOFQDN) != 0) {
+ p = strchr(hoststr, '.');
+ if (p)
+ *p = '\0';
+ }
+ if (hostregion.length + 1 > hostlen)
+ ERR(EAI_OVERFLOW);
+ snprintf(host, hostlen, "%.*s",
+ (int)hostregion.length,
+ (char *)hostregion.base);
+ } else {
+ if ((flags & NI_NAMEREQD) != 0)
+ ERR(EAI_NONAME);
+ if (inet_ntop(afd->a_af, addr, numaddr,
+ sizeof(numaddr)) == NULL)
+ ERR(EAI_SYSTEM);
+ if ((strlen(numaddr) + 1) > hostlen)
+ ERR(EAI_OVERFLOW);
+ strcpy(host, numaddr);
+ }
+ }
+ result = SUCCESS;
+
+ cleanup:
+ return (result);
+}
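Review bot: The NI_NOFQDN branch in getnameinfo() calls `strchr(hoststr, '.')` on a buffer that nothing visible NUL-terminates. `hoststr` is filled through an isc_buffer by dns_name_totext(), and the getaddrinfo.c code in this same commit appends the terminator explicitly with `isc_buffer_putuint8(&b, '\0')` after the same call, which suggests it is not added implicitly. Because the PTR target comes from a DNS response, a name with no dot in it lets the search run into uninitialised stack bytes, where it may write a NUL or read past the 1024-byte array. The `hostregion.length + 1 > hostlen` check that follows still uses the untruncated length, so a short name that would fit can be rejected with EAI_OVERFLOW. Bounding the search to the used region addresses both: `p = memchr(hostregion.base, '.', hostregion.length);` followed by `if (p != NULL) hostregion.length = (unsigned int)(p - (char *)hostregion.base);`.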
diff --git a/contrib/bind9/lib/irs/include/Makefile.in b/contrib/bind9/lib/irs/include/Makefile.in
new file mode 100644
index 000000000000..91099f1e39ff
--- /dev/null
+++ b/contrib/bind9/lib/irs/include/Makefile.in
@@ -0,0 +1,24 @@
+# Copyright (C) 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.3 2009/09/02 23:48:02 tbox Exp $
+
+srcdir = @srcdir@
+VPATH = @srcdir@
+top_srcdir = @top_srcdir@
+
+SUBDIRS = irs
+TARGETS =
+
+@BIND9_MAKE_RULES@
diff --git a/contrib/bind9/lib/irs/include/irs/Makefile.in b/contrib/bind9/lib/irs/include/irs/Makefile.in
new file mode 100644
index 000000000000..63e7fd6be63f
--- /dev/null
+++ b/contrib/bind9/lib/irs/include/irs/Makefile.in
@@ -0,0 +1,44 @@
+# Copyright (C) 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.3 2009/09/02 23:48:02 tbox Exp $
+
+srcdir = @srcdir@
+VPATH = @srcdir@
+top_srcdir = @top_srcdir@
+
+#
+# Only list headers that are to be installed and are not
+# machine generated. The latter are handled specially in the
+# install target below.
+#
+HEADERS = version.h
+
+SUBDIRS =
+TARGETS =
+
+@BIND9_MAKE_RULES@
+
+installdirs:
+ $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${includedir}/irs
+
+install:: installdirs
+ for i in ${HEADERS}; do \
+ ${INSTALL_DATA} ${srcdir}/$$i ${DESTDIR}${includedir}/irs ; \
+ done
+ ${INSTALL_DATA} netdb.h ${DESTDIR}${includedir}/irs
+ ${INSTALL_DATA} platform.h ${DESTDIR}${includedir}/irs
+
+distclean::
+ rm -f netdb.h platform.h
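Review bot: The `for i in ${HEADERS}` loop in the `install::` recipe returns only the status of its last `${INSTALL_DATA}` call, so a header that fails to install earlier in the list does not fail the target. Ending the loop body with `${INSTALL_DATA} ${srcdir}/$$i ${DESTDIR}${includedir}/irs || exit 1 ; \` would make the failure visible. Separately, `HEADERS` lists only version.h, while this commit also adds context.h, dnsconf.h, resconf.h and types.h to the same directory. If those are meant to be installed they need to be listed here; if they are deliberately private, a comment next to `HEADERS` should say so.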
diff --git a/contrib/bind9/lib/irs/include/irs/context.h b/contrib/bind9/lib/irs/include/irs/context.h
new file mode 100644
index 000000000000..f2ef3f4790b5
--- /dev/null
+++ b/contrib/bind9/lib/irs/include/irs/context.h
@@ -0,0 +1,159 @@
+/*
+ * Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: context.h,v 1.3 2009/09/02 23:48:02 tbox Exp $ */
+
+#ifndef IRS_CONTEXT_H
+#define IRS_CONTEXT_H 1
+
+/*! \file
+ *
+ * \brief
+ * The IRS context module provides an abstract interface to the DNS library
+ * with an application. An IRS context object initializes and holds various
+ * resources used in the DNS library.
+ */
+
+#include <dns/types.h>
+#include <irs/types.h>
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+irs_context_create(irs_context_t **contextp);
+/*%<
+ * Create an IRS context. It internally initializes the ISC and DNS libraries
+ * (if not yet), creates a DNS client object and initializes the client using
+ * the configuration files parsed via the 'resconf' and 'dnsconf' IRS modules.
+ * Some of the internally initialized objects can be used by the application
+ * via irs_context_getxxx() functions (see below).
+ *
+ * Requires:
+ *
+ *\li contextp != NULL && *contextp == NULL.
+ */
+
+isc_result_t
+irs_context_get(irs_context_t **contextp);
+/*%<
+ * Return an IRS context for the calling thread. If no IRS context is
+ * associated to the thread, this function creates a new one by calling
+ * irs_context_create(), and associates it with the thread as a thread specific
+ * data value. This function is provided for standard libraries that are
+ * expected to be thread-safe but do not accept an appropriate IRS context
+ * as a library parameter, e.g., getaddrinfo().
+ *
+ * Requires:
+ *
+ *\li contextp != NULL && *contextp == NULL.
+ */
+
+void
+irs_context_destroy(irs_context_t **contextp);
+/*%<
+ * Destroy an IRS context.
+ *
+ * Requires:
+ *
+ *\li '*contextp' is a valid IRS context.
+ *
+ * Ensures:
+ *\li '*contextp' == NULL.
+ */
+
+isc_mem_t *
+irs_context_getmctx(irs_context_t *context);
+/*%<
+ * Return the memory context held in the context.
+ *
+ * Requires:
+ *
+ *\li 'context' is a valid IRS context.
+ */
+
+isc_appctx_t *
+irs_context_getappctx(irs_context_t *context);
+/*%<
+ * Return the application context held in the context.
+ *
+ * Requires:
+ *
+ *\li 'context' is a valid IRS context.
+ */
+
+isc_taskmgr_t *
+irs_context_gettaskmgr(irs_context_t *context);
+/*%<
+ * Return the task manager held in the context.
+ *
+ * Requires:
+ *
+ *\li 'context' is a valid IRS context.
+ */
+
+isc_timermgr_t *
+irs_context_gettimermgr(irs_context_t *context);
+/*%<
+ * Return the timer manager held in the context.
+ *
+ * Requires:
+ *
+ *\li 'context' is a valid IRS context.
+ */
+
+isc_task_t *
+irs_context_gettask(irs_context_t *context);
+/*%<
+ * Return the task object held in the context.
+ *
+ * Requires:
+ *
+ *\li 'context' is a valid IRS context.
+ */
+
+dns_client_t *
+irs_context_getdnsclient(irs_context_t *context);
+/*%<
+ * Return the DNS client object held in the context.
+ *
+ * Requires:
+ *
+ *\li 'context' is a valid IRS context.
+ */
+
+irs_resconf_t *
+irs_context_getresconf(irs_context_t *context);
+/*%<
+ * Return the resolver configuration object held in the context.
+ *
+ * Requires:
+ *
+ *\li 'context' is a valid IRS context.
+ */
+
+irs_dnsconf_t *
+irs_context_getdnsconf(irs_context_t *context);
+/*%<
+ * Return the advanced DNS configuration object held in the context.
+ *
+ * Requires:
+ *
+ *\li 'context' is a valid IRS context.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* IRS_CONTEXT_H */
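Review bot: The comment on irs_context_get() does not say who owns the per-thread context it returns, in particular whether a caller may pass it to irs_context_destroy() or must leave it alone. The declaration is the only contract visible in this hunk, so a caller of getaddrinfo()-style wrappers cannot tell which is safe. I would add a sentence along the lines of `The returned context remains associated with the thread; callers must not destroy it.`, worded to match what the implementation actually does, which is not shown here. irs_context_create() and irs_context_get() also return isc_result_t but carry only a `Requires:` section; a short `Returns:` list would complete them.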
diff --git a/contrib/bind9/lib/irs/include/irs/dnsconf.h b/contrib/bind9/lib/irs/include/irs/dnsconf.h
new file mode 100644
index 000000000000..4f673ff2df27
--- /dev/null
+++ b/contrib/bind9/lib/irs/include/irs/dnsconf.h
@@ -0,0 +1,94 @@
+/*
+ * Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: dnsconf.h,v 1.3 2009/09/02 23:48:02 tbox Exp $ */
+
+#ifndef IRS_DNSCONF_H
+#define IRS_DNSCONF_H 1
+
+/*! \file
+ *
+ * \brief
+ * The IRS dnsconf module parses an "advanced" configuration file related to
+ * the DNS library, such as trusted keys for DNSSEC validation, and creates
+ * the corresponding configuration objects for the DNS library modules.
+ *
+ * Notes:
+ * This module is very experimental and the configuration syntax or library
+ * interfaces may change in future versions. Currently, only the
+ * 'trusted-keys' statement is supported, whose syntax is the same as the
+ * same name of statement for named.conf.
+ */
+
+#include <irs/types.h>
+
+/*%
+ * A compound structure storing DNS key information mainly for DNSSEC
+ * validation. A dns_key_t object will be created using the 'keyname' and
+ * 'keydatabuf' members with the dst_key_fromdns() function.
+ */
+typedef struct irs_dnsconf_dnskey {
+ dns_name_t *keyname;
+ isc_buffer_t *keydatabuf;
+ ISC_LINK(struct irs_dnsconf_dnskey) link;
+} irs_dnsconf_dnskey_t;
+
+typedef ISC_LIST(irs_dnsconf_dnskey_t) irs_dnsconf_dnskeylist_t;
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+irs_dnsconf_load(isc_mem_t *mctx, const char *filename, irs_dnsconf_t **confp);
+/*%<
+ * Load the "advanced" DNS configuration file 'filename' in the "dns.conf"
+ * format, and create a new irs_dnsconf_t object from the configuration.
+ *
+ * Requires:
+ *
+ *\li 'mctx' is a valid memory context.
+ *
+ *\li 'filename' != NULL
+ *
+ *\li 'confp' != NULL && '*confp' == NULL
+ */
+
+void
+irs_dnsconf_destroy(irs_dnsconf_t **confp);
+/*%<
+ * Destroy the dnsconf object.
+ *
+ * Requires:
+ *
+ *\li '*confp' is a valid dnsconf object.
+ *
+ * Ensures:
+ *
+ *\li *confp == NULL
+ */
+
+irs_dnsconf_dnskeylist_t *
+irs_dnsconf_gettrustedkeys(irs_dnsconf_t *conf);
+/*%<
+ * Return a list of key information stored in 'conf'.
+ *
+ * Requires:
+ *
+ *\li 'conf' is a valid dnsconf object.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* IRS_DNSCONF_H */
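Review bot: dnsconf.h is not self-contained: it uses dns_name_t, isc_buffer_t, isc_mem_t, isc_result_t, ISC_LINK, ISC_LIST and ISC_LANG_BEGINDECLS but includes only `<irs/types.h>`, and the types.h added by this same commit includes nothing. The header therefore compiles only when the including file has already pulled in the isc/dns headers. I would add `#include <dns/types.h>`, as context.h does, plus whichever isc header provides the list macros if that one does not already bring them in. resconf.h has the same pattern (isc_sockaddrlist_t, ISC_LINK, ISC_LIST with only `<irs/types.h>` included).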
diff --git a/contrib/bind9/lib/irs/include/irs/netdb.h.in b/contrib/bind9/lib/irs/include/irs/netdb.h.in
new file mode 100644
index 000000000000..299928b9726d
--- /dev/null
+++ b/contrib/bind9/lib/irs/include/irs/netdb.h.in
@@ -0,0 +1,167 @@
+/*
+ * Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: netdb.h.in,v 1.3 2009/09/02 23:48:02 tbox Exp $ */
+
+/*! \file */
+
+#ifndef IRS_NETDB_H
+#define IRS_NETDB_H 1
+
+#include <stddef.h> /* Required on FreeBSD (and others?) for size_t. */
+#include <netdb.h> /* Contractual provision. */
+
+/*
+ * Define if <netdb.h> does not declare struct addrinfo.
+ */
+@ISC_IRS_NEEDADDRINFO@
+
+#ifdef ISC_IRS_NEEDADDRINFO
+struct addrinfo {
+ int ai_flags; /* AI_PASSIVE, AI_CANONNAME */
+ int ai_family; /* PF_xxx */
+ int ai_socktype; /* SOCK_xxx */
+ int ai_protocol; /* 0 or IPPROTO_xxx for IPv4 and IPv6 */
+ size_t ai_addrlen; /* Length of ai_addr */
+ char *ai_canonname; /* Canonical name for hostname */
+ struct sockaddr *ai_addr; /* Binary address */
+ struct addrinfo *ai_next; /* Next structure in linked list */
+};
+#endif
+
+/*
+ * Undefine all #defines we are interested in as <netdb.h> may or may not have
+ * defined them.
+ */
+
+/*
+ * Error return codes from gethostbyname() and gethostbyaddr()
+ * (left in extern int h_errno).
+ */
+
+#undef NETDB_INTERNAL
+#undef NETDB_SUCCESS
+#undef HOST_NOT_FOUND
+#undef TRY_AGAIN
+#undef NO_RECOVERY
+#undef NO_DATA
+#undef NO_ADDRESS
+
+#define NETDB_INTERNAL -1 /* see errno */
+#define NETDB_SUCCESS 0 /* no problem */
+#define HOST_NOT_FOUND 1 /* Authoritative Answer Host not found */
+#define TRY_AGAIN 2 /* Non-Authoritive Host not found, or SERVERFAIL */
+#define NO_RECOVERY 3 /* Non recoverable errors, FORMERR, REFUSED, NOTIMP */
+#define NO_DATA 4 /* Valid name, no data record of requested type */
+#define NO_ADDRESS NO_DATA /* no address, look for MX record */
+
+/*
+ * Error return codes from getaddrinfo(). EAI_INSECUREDATA is our own extension
+ * and it's very unlikely to be already defined, but undef it just in case; it
+ * at least doesn't do any harm.
+ */
+
+#undef EAI_ADDRFAMILY
+#undef EAI_AGAIN
+#undef EAI_BADFLAGS
+#undef EAI_FAIL
+#undef EAI_FAMILY
+#undef EAI_MEMORY
+#undef EAI_NODATA
+#undef EAI_NONAME
+#undef EAI_SERVICE
+#undef EAI_SOCKTYPE
+#undef EAI_SYSTEM
+#undef EAI_BADHINTS
+#undef EAI_PROTOCOL
+#undef EAI_OVERFLOW
+#undef EAI_INSECUREDATA
+#undef EAI_MAX
+
+#define EAI_ADDRFAMILY 1 /* address family for hostname not supported */
+#define EAI_AGAIN 2 /* temporary failure in name resolution */
+#define EAI_BADFLAGS 3 /* invalid value for ai_flags */
+#define EAI_FAIL 4 /* non-recoverable failure in name resolution */
+#define EAI_FAMILY 5 /* ai_family not supported */
+#define EAI_MEMORY 6 /* memory allocation failure */
+#define EAI_NODATA 7 /* no address associated with hostname */
+#define EAI_NONAME 8 /* hostname nor servname provided, or not known */
+#define EAI_SERVICE 9 /* servname not supported for ai_socktype */
+#define EAI_SOCKTYPE 10 /* ai_socktype not supported */
+#define EAI_SYSTEM 11 /* system error returned in errno */
+#define EAI_BADHINTS 12
+#define EAI_PROTOCOL 13
+#define EAI_OVERFLOW 14
+#define EAI_INSECUREDATA 15
+#define EAI_MAX 16
+
+/*
+ * Flag values for getaddrinfo()
+ */
+#undef AI_PASSIVE
+#undef AI_CANONNAME
+#undef AI_NUMERICHOST
+
+#define AI_PASSIVE 0x00000001
+#define AI_CANONNAME 0x00000002
+#define AI_NUMERICHOST 0x00000004
+
+/*
+ * Flag values for getipnodebyname()
+ */
+#undef AI_V4MAPPED
+#undef AI_ALL
+#undef AI_ADDRCONFIG
+#undef AI_DEFAULT
+
+#define AI_V4MAPPED 0x00000008
+#define AI_ALL 0x00000010
+#define AI_ADDRCONFIG 0x00000020
+#define AI_DEFAULT (AI_V4MAPPED|AI_ADDRCONFIG)
+
+/*
+ * Constants for lwres_getnameinfo()
+ */
+#undef NI_MAXHOST
+#undef NI_MAXSERV
+
+#define NI_MAXHOST 1025
+#define NI_MAXSERV 32
+
+/*
+ * Flag values for lwres_getnameinfo()
+ */
+#undef NI_NOFQDN
+#undef NI_NUMERICHOST
+#undef NI_NAMEREQD
+#undef NI_NUMERICSERV
+#undef NI_DGRAM
+#undef NI_NUMERICSCOPE
+
+#define NI_NOFQDN 0x00000001
+#define NI_NUMERICHOST 0x00000002
+#define NI_NAMEREQD 0x00000004
+#define NI_NUMERICSERV 0x00000008
+#define NI_DGRAM 0x00000010
+
+/*
+ * Tell Emacs to use C mode on this file.
+ * Local variables:
+ * mode: c
+ * End:
+ */
+
+#endif /* IRS_NETDB_H */
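Review bot: In the "Flag values" block at the end of the header, `#undef NI_NUMERICSCOPE` has no matching `#define`, unlike the other five NI_ flags. Any file that includes <irs/netdb.h> therefore loses the system's NI_NUMERICSCOPE (where <netdb.h> provides one) and gets nothing in its place. Either drop the `#undef NI_NUMERICSCOPE` line or add a definition that the irs getnameinfo() actually honours. The two section comments still read `lwres_getnameinfo()`, which looks carried over from the lwres header; `getnameinfo()` would match this library.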
diff --git a/contrib/bind9/lib/irs/include/irs/platform.h.in b/contrib/bind9/lib/irs/include/irs/platform.h.in
new file mode 100644
index 000000000000..0e9be3ce2345
--- /dev/null
+++ b/contrib/bind9/lib/irs/include/irs/platform.h.in
@@ -0,0 +1,45 @@
+/*
+ * Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: platform.h.in,v 1.3 2009/09/02 23:48:02 tbox Exp $ */
+
+/*! \file */
+
+#ifndef IRS_PLATFORM_H
+#define IRS_PLATFORM_H 1
+
+/*****
+ ***** Platform-dependent defines.
+ *****/
+
+#ifndef IRS_PLATFORM_USEDECLSPEC
+#define LIBIRS_EXTERNAL_DATA
+#else
+#ifdef LIBIRS_EXPORTS
+#define LIBIRS_EXTERNAL_DATA __declspec(dllexport)
+#else
+#define LIBIRS_EXTERNAL_DATA __declspec(dllimport)
+#endif
+#endif
+
+/*
+ * Tell Emacs to use C mode on this file.
+ * Local Variables:
+ * mode: c
+ * End:
+ */
+
+#endif /* IRS_PLATFORM_H */
diff --git a/contrib/bind9/lib/irs/include/irs/resconf.h b/contrib/bind9/lib/irs/include/irs/resconf.h
new file mode 100644
index 000000000000..78c87d51660d
--- /dev/null
+++ b/contrib/bind9/lib/irs/include/irs/resconf.h
@@ -0,0 +1,113 @@
+/*
+ * Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: resconf.h,v 1.3 2009/09/02 23:48:02 tbox Exp $ */
+
+#ifndef IRS_RESCONF_H
+#define IRS_RESCONF_H 1
+
+/*! \file
+ *
+ * \brief
+ * The IRS resconf module parses the legacy "/etc/resolv.conf" file and
+ * creates the corresponding configuration objects for the DNS library
+ * modules.
+ */
+
+#include <irs/types.h>
+
+/*%
+ * A DNS search list specified in the 'domain' or 'search' statements
+ * in the "resolv.conf" file.
+ */
+typedef struct irs_resconf_search {
+ char *domain;
+ ISC_LINK(struct irs_resconf_search) link;
+} irs_resconf_search_t;
+
+typedef ISC_LIST(irs_resconf_search_t) irs_resconf_searchlist_t;
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+irs_resconf_load(isc_mem_t *mctx, const char *filename, irs_resconf_t **confp);
+/*%<
+ * Load the resolver configuration file 'filename' in the "resolv.conf" format,
+ * and create a new irs_resconf_t object from the configuration.
+ *
+ * Notes:
+ *
+ *\li Currently, only the following options are supported:
+ * nameserver, domain, search, sortlist, ndots, and options.
+ * In addition, 'sortlist' is not actually effective; it's parsed, but
+ * the application cannot use the configuration.
+ *
+ * Requires:
+ *
+ *\li 'mctx' is a valid memory context.
+ *
+ *\li 'filename' != NULL
+ *
+ *\li 'confp' != NULL && '*confp' == NULL
+ */
+
+void
+irs_resconf_destroy(irs_resconf_t **confp);
+/*%<
+ * Destroy the resconf object.
+ *
+ * Requires:
+ *
+ *\li '*confp' is a valid resconf object.
+ *
+ * Ensures:
+ *
+ *\li *confp == NULL
+ */
+
+isc_sockaddrlist_t *
+irs_resconf_getnameservers(irs_resconf_t *conf);
+/*%<
+ * Return a list of name server addresses stored in 'conf'.
+ *
+ * Requires:
+ *
+ *\li 'conf' is a valid resconf object.
+ */
+
+irs_resconf_searchlist_t *
+irs_resconf_getsearchlist(irs_resconf_t *conf);
+/*%<
+ * Return the search list stored in 'conf'.
+ *
+ * Requires:
+ *
+ *\li 'conf' is a valid resconf object.
+ */
+
+unsigned int
+irs_resconf_getndots(irs_resconf_t *conf);
+/*%<
+ * Return the 'ndots' value stored in 'conf'.
+ *
+ * Requires:
+ *
+ *\li 'conf' is a valid resconf object.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* IRS_RESCONF_H */
diff --git a/contrib/bind9/lib/irs/include/irs/types.h b/contrib/bind9/lib/irs/include/irs/types.h
new file mode 100644
index 000000000000..0a539decd865
--- /dev/null
+++ b/contrib/bind9/lib/irs/include/irs/types.h
@@ -0,0 +1,31 @@
+/*
+ * Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: types.h,v 1.3 2009/09/02 23:48:02 tbox Exp $ */
+
+#ifndef IRS_TYPES_H
+#define IRS_TYPES_H 1
+
+/* Core Types. Alphabetized by defined type. */
+
+/*%< per-thread IRS context */
+typedef struct irs_context irs_context_t;
+/*%< resolv.conf configuration information */
+typedef struct irs_resconf irs_resconf_t;
+/*%< advanced DNS-related configuration information */
+typedef struct irs_dnsconf irs_dnsconf_t;
+
+#endif /* IRS_TYPES_H */
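Review bot: The three typedef comments use the trailing-member form `/*%<` but are placed on the line before each typedef. In that form the text documents the preceding entity, so the descriptions are likely to attach to the wrong declaration, or to none for the first one. Using the leading form, e.g. `/*% per-thread IRS context */` above `typedef struct irs_context irs_context_t;`, keeps each description with its own type.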
diff --git a/contrib/bind9/lib/irs/include/irs/version.h b/contrib/bind9/lib/irs/include/irs/version.h
new file mode 100644
index 000000000000..bd7e5cf8e0d6
--- /dev/null
+++ b/contrib/bind9/lib/irs/include/irs/version.h
@@ -0,0 +1,27 @@
+/*
+ * Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: version.h,v 1.3 2009/09/02 23:48:02 tbox Exp $ */
+
+/*! \file */
+
+#include <irs/platform.h>
+
+LIBIRS_EXTERNAL_DATA extern const char irs_version[];
+
+LIBIRS_EXTERNAL_DATA extern const unsigned int irs_libinterface;
+LIBIRS_EXTERNAL_DATA extern const unsigned int irs_librevision;
+LIBIRS_EXTERNAL_DATA extern const unsigned int irs_libage;
diff --git a/contrib/bind9/lib/irs/resconf.c b/contrib/bind9/lib/irs/resconf.c
new file mode 100644
index 000000000000..18525e8393ab
--- /dev/null
+++ b/contrib/bind9/lib/irs/resconf.c
@@ -0,0 +1,637 @@
+/*
+ * Copyright (C) 2009, 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id$ */
+
+/*! \file resconf.c */
+
+/**
+ * Module for parsing resolv.conf files (largely derived from lwconfig.c).
+ *
+ * irs_resconf_load() opens the file filename and parses it to initialize
+ * the configuration structure.
+ *
+ * \section lwconfig_return Return Values
+ *
+ * irs_resconf_load() returns #IRS_R_SUCCESS if it successfully read and
+ * parsed filename. It returns a non-0 error code if filename could not be
+ * opened or contained incorrect resolver statements.
+ *
+ * \section lwconfig_see See Also
+ *
+ * stdio(3), \link resolver resolver \endlink
+ *
+ * \section files Files
+ *
+ * /etc/resolv.conf
+ */
+
+#include <config.h>
+
+#include <sys/types.h>
+#include <sys/socket.h>
+
+#include <ctype.h>
+#include <errno.h>
+#include <netdb.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+
+#include <isc/magic.h>
+#include <isc/mem.h>
+#include <isc/netaddr.h>
+#include <isc/sockaddr.h>
+#include <isc/util.h>
+
+#include <irs/resconf.h>
+
+#define IRS_RESCONF_MAGIC ISC_MAGIC('R', 'E', 'S', 'c')
+#define IRS_RESCONF_VALID(c) ISC_MAGIC_VALID(c, IRS_RESCONF_MAGIC)
+
+/*!
+ * protocol constants
+ */
+
+#if ! defined(NS_INADDRSZ)
+#define NS_INADDRSZ 4
+#endif
+
+#if ! defined(NS_IN6ADDRSZ)
+#define NS_IN6ADDRSZ 16
+#endif
+
+/*!
+ * resolv.conf parameters
+ */
+
+#define RESCONFMAXNAMESERVERS 3 /*%< max 3 "nameserver" entries */
+#define RESCONFMAXSEARCH 8 /*%< max 8 domains in "search" entry */
+#define RESCONFMAXLINELEN 256 /*%< max size of a line */
+#define RESCONFMAXSORTLIST 10 /*%< max 10 */
+
+/*!
+ * configuration data structure
+ */
+
+struct irs_resconf {
+ /*
+ * The configuration data is a thread-specific object, and does not
+ * need to be locked.
+ */
+ unsigned int magic;
+ isc_mem_t *mctx;
+
+ isc_sockaddrlist_t nameservers;
+ unsigned int numns; /*%< number of configured servers */
+
+ char *domainname;
+ char *search[RESCONFMAXSEARCH];
+ isc_uint8_t searchnxt; /*%< index for next free slot */
+
+ irs_resconf_searchlist_t searchlist;
+
+ struct {
+ isc_netaddr_t addr;
+ /*% mask has a non-zero 'family' if set */
+ isc_netaddr_t mask;
+ } sortlist[RESCONFMAXSORTLIST];
+ isc_uint8_t sortlistnxt;
+
+ /*%< non-zero if 'options debug' set */
+ isc_uint8_t resdebug;
+ /*%< set to n in 'options ndots:n' */
+ isc_uint8_t ndots;
+};
+
+static isc_result_t
+resconf_parsenameserver(irs_resconf_t *conf, FILE *fp);
+static isc_result_t
+resconf_parsedomain(irs_resconf_t *conf, FILE *fp);
+static isc_result_t
+resconf_parsesearch(irs_resconf_t *conf, FILE *fp);
+static isc_result_t
+resconf_parsesortlist(irs_resconf_t *conf, FILE *fp);
+static isc_result_t
+resconf_parseoption(irs_resconf_t *ctx, FILE *fp);
+
+/*!
+ * Eat characters from FP until EOL or EOF. Returns EOF or '\n'
+ */
+static int
+eatline(FILE *fp) {
+ int ch;
+
+ ch = fgetc(fp);
+ while (ch != '\n' && ch != EOF)
+ ch = fgetc(fp);
+
+ return (ch);
+}
+
+/*!
+ * Eats white space up to next newline or non-whitespace character (of
+ * EOF). Returns the last character read. Comments are considered white
+ * space.
+ */
+static int
+eatwhite(FILE *fp) {
+ int ch;
+
+ ch = fgetc(fp);
+ while (ch != '\n' && ch != EOF && isspace((unsigned char)ch))
+ ch = fgetc(fp);
+
+ if (ch == ';' || ch == '#')
+ ch = eatline(fp);
+
+ return (ch);
+}
+
+/*!
+ * Skip over any leading whitespace and then read in the next sequence of
+ * non-whitespace characters. In this context newline is not considered
+ * whitespace. Returns EOF on end-of-file, or the character
+ * that caused the reading to stop.
+ */
+static int
+getword(FILE *fp, char *buffer, size_t size) {
+ int ch;
+ char *p = buffer;
+
+ REQUIRE(buffer != NULL);
+ REQUIRE(size > 0U);
+
+ *p = '\0';
+
+ ch = eatwhite(fp);
+
+ if (ch == EOF)
+ return (EOF);
+
+ do {
+ *p = '\0';
+
+ if (ch == EOF || isspace((unsigned char)ch))
+ break;
+ else if ((size_t) (p - buffer) == size - 1)
+ return (EOF); /* Not enough space. */
+
+ *p++ = (char)ch;
+ ch = fgetc(fp);
+ } while (1);
+
+ return (ch);
+}
+
+static isc_result_t
+add_server(isc_mem_t *mctx, const char *address_str,
+ isc_sockaddrlist_t *nameservers)
+{
+ int error;
+ isc_sockaddr_t *address = NULL;
+ struct addrinfo hints, *res;
+ isc_result_t result = ISC_R_SUCCESS;
+
+ res = NULL;
+ memset(&hints, 0, sizeof(hints));
+ hints.ai_family = AF_UNSPEC;
+ hints.ai_socktype = SOCK_DGRAM;
+ hints.ai_protocol = IPPROTO_UDP;
+ hints.ai_flags = AI_NUMERICHOST;
+ error = getaddrinfo(address_str, "53", &hints, &res);
+ if (error != 0)
+ return (ISC_R_BADADDRESSFORM);
+
+ /* XXX: special case: treat all-0 IPv4 address as loopback */
+ if (res->ai_family == AF_INET) {
+ struct in_addr *v4;
+ unsigned char zeroaddress[] = {0, 0, 0, 0};
+ unsigned char loopaddress[] = {127, 0, 0, 1};
+
+ v4 = &((struct sockaddr_in *)res->ai_addr)->sin_addr;
+ if (memcmp(v4, zeroaddress, 4) == 0)
+ memcpy(v4, loopaddress, 4);
+ }
+
+ address = isc_mem_get(mctx, sizeof(*address));
+ if (address == NULL) {
+ result = ISC_R_NOMEMORY;
+ goto cleanup;
+ }
+ if (res->ai_addrlen > sizeof(address->type)) {
+ isc_mem_put(mctx, address, sizeof(*address));
+ result = ISC_R_RANGE;
+ goto cleanup;
+ }
+ address->length = res->ai_addrlen;
+ memcpy(&address->type.sa, res->ai_addr, res->ai_addrlen);
+ ISC_LINK_INIT(address, link);
+ ISC_LIST_APPEND(*nameservers, address, link);
+
+ cleanup:
+ freeaddrinfo(res);
+
+ return (result);
+}
+
+static isc_result_t
+create_addr(const char *buffer, isc_netaddr_t *addr, int convert_zero) {
+ struct in_addr v4;
+ struct in6_addr v6;
+
+ if (inet_aton(buffer, &v4) == 1) {
+ if (convert_zero) {
+ unsigned char zeroaddress[] = {0, 0, 0, 0};
+ unsigned char loopaddress[] = {127, 0, 0, 1};
+ if (memcmp(&v4, zeroaddress, 4) == 0)
+ memcpy(&v4, loopaddress, 4);
+ }
+ addr->family = AF_INET;
+ memcpy(&addr->type.in, &v4, NS_INADDRSZ);
+ addr->zone = 0;
+ } else if (inet_pton(AF_INET6, buffer, &v6) == 1) {
+ addr->family = AF_INET6;
+ memcpy(&addr->type.in6, &v6, NS_IN6ADDRSZ);
+ addr->zone = 0;
+ } else
+ return (ISC_R_BADADDRESSFORM); /* Unrecognised format. */
+
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+resconf_parsenameserver(irs_resconf_t *conf, FILE *fp) {
+ char word[RESCONFMAXLINELEN];
+ int cp;
+ isc_result_t result;
+
+ if (conf->numns == RESCONFMAXNAMESERVERS)
+ return (ISC_R_SUCCESS);
+
+ cp = getword(fp, word, sizeof(word));
+ if (strlen(word) == 0U)
+ return (ISC_R_UNEXPECTEDEND); /* Nothing on line. */
+ else if (cp == ' ' || cp == '\t')
+ cp = eatwhite(fp);
+
+ if (cp != EOF && cp != '\n')
+ return (ISC_R_UNEXPECTEDTOKEN); /* Extra junk on line. */
+
+ result = add_server(conf->mctx, word, &conf->nameservers);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ conf->numns++;
+
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+resconf_parsedomain(irs_resconf_t *conf, FILE *fp) {
+ char word[RESCONFMAXLINELEN];
+ int res, i;
+
+ res = getword(fp, word, sizeof(word));
+ if (strlen(word) == 0U)
+ return (ISC_R_UNEXPECTEDEND); /* Nothing else on line. */
+ else if (res == ' ' || res == '\t')
+ res = eatwhite(fp);
+
+ if (res != EOF && res != '\n')
+ return (ISC_R_UNEXPECTEDTOKEN); /* Extra junk on line. */
+
+ if (conf->domainname != NULL)
+ isc_mem_free(conf->mctx, conf->domainname);
+
+ /*
+ * Search and domain are mutually exclusive.
+ */
+ for (i = 0; i < RESCONFMAXSEARCH; i++) {
+ if (conf->search[i] != NULL) {
+ isc_mem_free(conf->mctx, conf->search[i]);
+ conf->search[i] = NULL;
+ }
+ }
+ conf->searchnxt = 0;
+
+ conf->domainname = isc_mem_strdup(conf->mctx, word);
+ if (conf->domainname == NULL)
+ return (ISC_R_NOMEMORY);
+
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+resconf_parsesearch(irs_resconf_t *conf, FILE *fp) {
+ int idx, delim;
+ char word[RESCONFMAXLINELEN];
+
+ if (conf->domainname != NULL) {
+ /*
+ * Search and domain are mutually exclusive.
+ */
+ isc_mem_free(conf->mctx, conf->domainname);
+ conf->domainname = NULL;
+ }
+
+ /*
+ * Remove any previous search definitions.
+ */
+ for (idx = 0; idx < RESCONFMAXSEARCH; idx++) {
+ if (conf->search[idx] != NULL) {
+ isc_mem_free(conf->mctx, conf->search[idx]);
+ conf->search[idx] = NULL;
+ }
+ }
+ conf->searchnxt = 0;
+
+ delim = getword(fp, word, sizeof(word));
+ if (strlen(word) == 0U)
+ return (ISC_R_UNEXPECTEDEND); /* Nothing else on line. */
+
+ idx = 0;
+ while (strlen(word) > 0U) {
+ if (conf->searchnxt == RESCONFMAXSEARCH)
+ goto ignore; /* Too many domains. */
+
+ conf->search[idx] = isc_mem_strdup(conf->mctx, word);
+ if (conf->search[idx] == NULL)
+ return (ISC_R_NOMEMORY);
+ idx++;
+ conf->searchnxt++;
+
+ ignore:
+ if (delim == EOF || delim == '\n')
+ break;
+ else
+ delim = getword(fp, word, sizeof(word));
+ }
+
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+resconf_parsesortlist(irs_resconf_t *conf, FILE *fp) {
+ int delim, res, idx;
+ char word[RESCONFMAXLINELEN];
+ char *p;
+
+ delim = getword(fp, word, sizeof(word));
+ if (strlen(word) == 0U)
+ return (ISC_R_UNEXPECTEDEND); /* Empty line after keyword. */
+
+ while (strlen(word) > 0U) {
+ if (conf->sortlistnxt == RESCONFMAXSORTLIST)
+ return (ISC_R_QUOTA); /* Too many values. */
+
+ p = strchr(word, '/');
+ if (p != NULL)
+ *p++ = '\0';
+
+ idx = conf->sortlistnxt;
+ res = create_addr(word, &conf->sortlist[idx].addr, 1);
+ if (res != ISC_R_SUCCESS)
+ return (res);
+
+ if (p != NULL) {
+ res = create_addr(p, &conf->sortlist[idx].mask, 0);
+ if (res != ISC_R_SUCCESS)
+ return (res);
+ } else {
+ /*
+ * Make up a mask. (XXX: is this correct?)
+ */
+ conf->sortlist[idx].mask = conf->sortlist[idx].addr;
+ memset(&conf->sortlist[idx].mask.type, 0xff,
+ sizeof(conf->sortlist[idx].mask.type));
+ }
+
+ conf->sortlistnxt++;
+
+ if (delim == EOF || delim == '\n')
+ break;
+ else
+ delim = getword(fp, word, sizeof(word));
+ }
+
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+resconf_parseoption(irs_resconf_t *conf, FILE *fp) {
+ int delim;
+ long ndots;
+ char *p;
+ char word[RESCONFMAXLINELEN];
+
+ delim = getword(fp, word, sizeof(word));
+ if (strlen(word) == 0U)
+ return (ISC_R_UNEXPECTEDEND); /* Empty line after keyword. */
+
+ while (strlen(word) > 0U) {
+ if (strcmp("debug", word) == 0) {
+ conf->resdebug = 1;
+ } else if (strncmp("ndots:", word, 6) == 0) {
+ ndots = strtol(word + 6, &p, 10);
+ if (*p != '\0') /* Bad string. */
+ return (ISC_R_UNEXPECTEDTOKEN);
+ if (ndots < 0 || ndots > 0xff) /* Out of range. */
+ return (ISC_R_RANGE);
+ conf->ndots = (isc_uint8_t)ndots;
+ }
+
+ if (delim == EOF || delim == '\n')
+ break;
+ else
+ delim = getword(fp, word, sizeof(word));
+ }
+
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+add_search(irs_resconf_t *conf, char *domain) {
+ irs_resconf_search_t *entry;
+
+ entry = isc_mem_get(conf->mctx, sizeof(*entry));
+ if (entry == NULL)
+ return (ISC_R_NOMEMORY);
+
+ entry->domain = domain;
+ ISC_LINK_INIT(entry, link);
+ ISC_LIST_APPEND(conf->searchlist, entry, link);
+
+ return (ISC_R_SUCCESS);
+}
+
+/*% parses a file and fills in the data structure. */
+isc_result_t
+irs_resconf_load(isc_mem_t *mctx, const char *filename, irs_resconf_t **confp)
+{
+ FILE *fp = NULL;
+ char word[256];
+ isc_result_t rval, ret;
+ irs_resconf_t *conf;
+ int i, stopchar;
+
+ REQUIRE(mctx != NULL);
+ REQUIRE(filename != NULL);
+ REQUIRE(strlen(filename) > 0U);
+ REQUIRE(confp != NULL && *confp == NULL);
+
+ conf = isc_mem_get(mctx, sizeof(*conf));
+ if (conf == NULL)
+ return (ISC_R_NOMEMORY);
+
+ conf->mctx = mctx;
+ ISC_LIST_INIT(conf->nameservers);
+ conf->numns = 0;
+ conf->domainname = NULL;
+ conf->searchnxt = 0;
+ conf->resdebug = 0;
+ conf->ndots = 1;
+ for (i = 0; i < RESCONFMAXSEARCH; i++)
+ conf->search[i] = NULL;
+
+ errno = 0;
+ if ((fp = fopen(filename, "r")) == NULL) {
+ isc_mem_put(mctx, conf, sizeof(*conf));
+ return (ISC_R_INVALIDFILE);
+ }
+
+ ret = ISC_R_SUCCESS;
+ do {
+ stopchar = getword(fp, word, sizeof(word));
+ if (stopchar == EOF) {
+ rval = ISC_R_SUCCESS;
+ POST(rval);
+ break;
+ }
+
+ if (strlen(word) == 0U)
+ rval = ISC_R_SUCCESS;
+ else if (strcmp(word, "nameserver") == 0)
+ rval = resconf_parsenameserver(conf, fp);
+ else if (strcmp(word, "domain") == 0)
+ rval = resconf_parsedomain(conf, fp);
+ else if (strcmp(word, "search") == 0)
+ rval = resconf_parsesearch(conf, fp);
+ else if (strcmp(word, "sortlist") == 0)
+ rval = resconf_parsesortlist(conf, fp);
+ else if (strcmp(word, "options") == 0)
+ rval = resconf_parseoption(conf, fp);
+ else {
+ /* unrecognised word. Ignore entire line */
+ rval = ISC_R_SUCCESS;
+ stopchar = eatline(fp);
+ if (stopchar == EOF) {
+ break;
+ }
+ }
+ if (ret == ISC_R_SUCCESS && rval != ISC_R_SUCCESS)
+ ret = rval;
+ } while (1);
+
+ fclose(fp);
+
+ /* If we don't find a nameserver fall back to localhost */
+ if (conf->numns == 0) {
+ INSIST(ISC_LIST_EMPTY(conf->nameservers));
+
+ /* XXX: should we catch errors? */
+ (void)add_server(conf->mctx, "127.0.0.1", &conf->nameservers);
+ (void)add_server(conf->mctx, "::1", &conf->nameservers);
+ }
+
+ /*
+ * Construct unified search list from domain or configured
+ * search list
+ */
+ ISC_LIST_INIT(conf->searchlist);
+ if (conf->domainname != NULL) {
+ ret = add_search(conf, conf->domainname);
+ } else if (conf->searchnxt > 0) {
+ for (i = 0; i < conf->searchnxt; i++) {
+ ret = add_search(conf, conf->search[i]);
+ if (ret != ISC_R_SUCCESS)
+ break;
+ }
+ }
+
+ conf->magic = IRS_RESCONF_MAGIC;
+
+ if (ret != ISC_R_SUCCESS)
+ irs_resconf_destroy(&conf);
+ else
+ *confp = conf;
+
+ return (ret);
+}
+
+void
+irs_resconf_destroy(irs_resconf_t **confp) {
+ irs_resconf_t *conf;
+ isc_sockaddr_t *address;
+ irs_resconf_search_t *searchentry;
+ int i;
+
+ REQUIRE(confp != NULL);
+ conf = *confp;
+ REQUIRE(IRS_RESCONF_VALID(conf));
+
+ while ((searchentry = ISC_LIST_HEAD(conf->searchlist)) != NULL) {
+ ISC_LIST_UNLINK(conf->searchlist, searchentry, link);
+ isc_mem_put(conf->mctx, searchentry, sizeof(*searchentry));
+ }
+
+ while ((address = ISC_LIST_HEAD(conf->nameservers)) != NULL) {
+ ISC_LIST_UNLINK(conf->nameservers, address, link);
+ isc_mem_put(conf->mctx, address, sizeof(*address));
+ }
+
+ if (conf->domainname != NULL)
+ isc_mem_free(conf->mctx, conf->domainname);
+
+ for (i = 0; i < RESCONFMAXSEARCH; i++) {
+ if (conf->search[i] != NULL)
+ isc_mem_free(conf->mctx, conf->search[i]);
+ }
+
+ isc_mem_put(conf->mctx, conf, sizeof(*conf));
+
+ *confp = NULL;
+}
+
+isc_sockaddrlist_t *
+irs_resconf_getnameservers(irs_resconf_t *conf) {
+ REQUIRE(IRS_RESCONF_VALID(conf));
+
+ return (&conf->nameservers);
+}
+
+irs_resconf_searchlist_t *
+irs_resconf_getsearchlist(irs_resconf_t *conf) {
+ REQUIRE(IRS_RESCONF_VALID(conf));
+
+ return (&conf->searchlist);
+}
+
+unsigned int
+irs_resconf_getndots(irs_resconf_t *conf) {
+ REQUIRE(IRS_RESCONF_VALID(conf));
+
+ return ((unsigned int)conf->ndots);
+}
diff --git a/contrib/bind9/lib/irs/version.c b/contrib/bind9/lib/irs/version.c
new file mode 100644
index 000000000000..f50a3855563d
--- /dev/null
+++ b/contrib/bind9/lib/irs/version.c
@@ -0,0 +1,27 @@
+/*
+ * Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: version.c,v 1.3 2009/09/02 23:48:02 tbox Exp $ */
+
+/*! \file */
+
+#include <irs/version.h>
+
+const char irs_version[] = VERSION;
+
+const unsigned int irs_libinterface = LIBINTERFACE;
+const unsigned int irs_librevision = LIBREVISION;
+const unsigned int irs_libage = LIBAGE;
diff --git a/contrib/bind9/lib/isc/Makefile.in b/contrib/bind9/lib/isc/Makefile.in
index 14b4e826a287..ff500ffd3fb2 100644
--- a/contrib/bind9/lib/isc/Makefile.in
+++ b/contrib/bind9/lib/isc/Makefile.in
@@ -27,8 +27,8 @@ CINCLUDES = -I${srcdir}/unix/include \
-I${srcdir}/@ISC_THREAD_DIR@/include \
-I${srcdir}/@ISC_ARCH_DIR@/include \
-I./include \
- -I${srcdir}/include
-CDEFINES =
+ -I${srcdir}/include @ISC_OPENSSL_INC@
+CDEFINES = @USE_OPENSSL@
CWARNINGS =
# Alphabetically
@@ -39,7 +39,6 @@ UNIXOBJS = @ISC_ISCIPV6_O@ \
unix/os.@O@ unix/resource.@O@ unix/socket.@O@ unix/stdio.@O@ \
unix/stdtime.@O@ unix/strerror.@O@ unix/syslog.@O@ unix/time.@O@
-
NLSOBJS = nls/msgcat.@O@
THREADOPTOBJS = @ISC_THREAD_DIR@/condition.@O@ @ISC_THREAD_DIR@/mutex.@O@
@@ -52,8 +51,9 @@ WIN32OBJS = win32/condition.@O@ win32/dir.@O@ win32/file.@O@ \
# Alphabetically
OBJS = @ISC_EXTRA_OBJS@ \
- assertions.@O@ base32.@O@ base64.@O@ bitstring.@O@ buffer.@O@ \
- bufferlist.@O@ commandline.@O@ error.@O@ event.@O@ \
+ assertions.@O@ backtrace.@O@ base32.@O@ base64.@O@ \
+ bitstring.@O@ buffer.@O@ bufferlist.@O@ commandline.@O@ \
+ error.@O@ event.@O@ \
hash.@O@ heap.@O@ hex.@O@ hmacmd5.@O@ hmacsha.@O@ \
httpd.@O@ inet_aton.@O@ iterated_hash.@O@ \
lex.@O@ lfsr.@O@ lib.@O@ log.@O@ \
@@ -64,11 +64,12 @@ OBJS = @ISC_EXTRA_OBJS@ \
serial.@O@ sha1.@O@ sha2.@O@ sockaddr.@O@ stats.@O@ \
string.@O@ strtoul.@O@ symtab.@O@ task.@O@ taskpool.@O@ \
timer.@O@ version.@O@ ${UNIXOBJS} ${NLSOBJS} ${THREADOBJS}
+SYMTBLOBJS = backtrace-emptytbl.@O@
# Alphabetically
SRCS = @ISC_EXTRA_SRCS@ \
- assertions.c base32.c base64.c bitstring.c buffer.c \
- bufferlist.c commandline.c error.c event.c \
+ assertions.c backtrace.c base32.c base64.c bitstring.c \
+ buffer.c bufferlist.c commandline.c error.c event.c \
heap.c hex.c hmacmd5.c hmacsha.c \
httpd.c inet_aton.c iterated_hash.c \
lex.c lfsr.c lib.c log.c \
@@ -77,7 +78,7 @@ SRCS = @ISC_EXTRA_SRCS@ \
parseint.c portset.c quota.c radix.c random.c \
ratelimiter.c refcount.c region.c result.c rwlock.c \
serial.c sha1.c sha2.c sockaddr.c stats.c string.c strtoul.c \
- symtab.c task.c taskpool.c timer.c version.c
+ symtab.c symtbl-empty.c task.c taskpool.c timer.c version.c
LIBS = @LIBS@
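Review bot: `SRCS` gains `symtbl-empty.c`, but the object this commit adds for the empty table is `backtrace-emptytbl.@O@` (`SYMTBLOBJS`, previous hunk) and the source file it creates is `backtrace-emptytbl.c`; no `symtbl-empty.c` appears on this page. If that file does not exist elsewhere in the tree, anything driven by `SRCS` (dependency generation, for instance) will fail or miss the real file. The line should presumably read `symtab.c backtrace-emptytbl.c task.c taskpool.c timer.c version.c`.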
@@ -99,17 +100,27 @@ version.@O@: version.c
-DLIBAGE=${LIBAGE} \
-c ${srcdir}/version.c
-libisc.@SA@: ${OBJS}
+libisc.@SA@: ${OBJS} ${SYMTBLOBJS}
+ ${AR} ${ARFLAGS} $@ ${OBJS} ${SYMTBLOBJS}
+ ${RANLIB} $@
+
+libisc-nosymtbl.@SA@: ${OBJS}
${AR} ${ARFLAGS} $@ ${OBJS}
${RANLIB} $@
-libisc.la: ${OBJS}
+libisc.la: ${OBJS} ${SYMTBLOBJS}
${LIBTOOL_MODE_LINK} \
${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisc.la -rpath ${libdir} \
-version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
+ ${OBJS} ${SYMTBLOBJS} ${LIBS}
+
+libisc-nosymtbl.la: ${OBJS}
+ ${LIBTOOL_MODE_LINK} \
+ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisc-nosymtbl.la -rpath ${libdir} \
+ -version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
${OBJS} ${LIBS}
-timestamp: libisc.@A@
+timestamp: libisc.@A@ libisc-nosymtbl.@A@
touch timestamp
installdirs:
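Review bot: `timestamp` now builds `libisc-nosymtbl.@A@`, but the `install` rule in the following hunk still installs only `libisc.@A@`, and nothing in the file says whether the second archive is meant to stay inside the build tree. A comment above the new rules would settle it, e.g. `# libisc-nosymtbl: same objects without the empty backtrace symbol table; for programs that supply their own isc__backtrace_symtable.` If out-of-tree consumers are expected to link it, an install line for `libisc-nosymtbl.@A@` is missing.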
@@ -119,4 +130,5 @@ install:: timestamp installdirs
${LIBTOOL_MODE_INSTALL} ${INSTALL_DATA} libisc.@A@ ${DESTDIR}${libdir}
clean distclean::
- rm -f libisc.@A@ libisc.la timestamp
+ rm -f libisc.@A@ libisc-nosymtbl.@A@ libisc.la \
+ libisc-nosymtbl.la timestamp
diff --git a/contrib/bind9/lib/isc/alpha/include/isc/atomic.h b/contrib/bind9/lib/isc/alpha/include/isc/atomic.h
index b61cb9606767..138d8287e840 100644
--- a/contrib/bind9/lib/isc/alpha/include/isc/atomic.h
+++ b/contrib/bind9/lib/isc/alpha/include/isc/atomic.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2005, 2007, 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: atomic.h,v 1.7 2009/04/08 06:48:23 tbox Exp $ */
/*
* This code was written based on FreeBSD's kernel source whose copyright
diff --git a/contrib/bind9/lib/isc/api b/contrib/bind9/lib/isc/api
index e11f8735d1e6..18de29ceb9d2 100644
--- a/contrib/bind9/lib/isc/api
+++ b/contrib/bind9/lib/isc/api
@@ -3,6 +3,6 @@
# 9.7: 60-79
# 9.8: 80-89
# 9.9: 90-109
-LIBINTERFACE = 58
+LIBINTERFACE = 85
LIBREVISION = 0
LIBAGE = 1
diff --git a/contrib/bind9/lib/isc/app_api.c b/contrib/bind9/lib/isc/app_api.c
new file mode 100644
index 000000000000..ce767d175053
--- /dev/null
+++ b/contrib/bind9/lib/isc/app_api.c
@@ -0,0 +1,136 @@
+/*
+ * Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: app_api.c,v 1.5 2009/09/02 23:48:02 tbox Exp $ */
+
+#include <config.h>
+
+#include <unistd.h>
+
+#include <isc/app.h>
+#include <isc/magic.h>
+#include <isc/mutex.h>
+#include <isc/once.h>
+#include <isc/util.h>
+
+static isc_mutex_t createlock;
+static isc_once_t once = ISC_ONCE_INIT;
+static isc_appctxcreatefunc_t appctx_createfunc = NULL;
+
+#define ISCAPI_APPMETHODS_VALID(m) ISC_MAGIC_VALID(m, ISCAPI_APPMETHODS_MAGIC)
+
+static void
+initialize(void) {
+ RUNTIME_CHECK(isc_mutex_init(&createlock) == ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_app_register(isc_appctxcreatefunc_t createfunc) {
+ isc_result_t result = ISC_R_SUCCESS;
+
+ RUNTIME_CHECK(isc_once_do(&once, initialize) == ISC_R_SUCCESS);
+
+ LOCK(&createlock);
+ if (appctx_createfunc == NULL)
+ appctx_createfunc = createfunc;
+ else
+ result = ISC_R_EXISTS;
+ UNLOCK(&createlock);
+
+ return (result);
+}
+
+isc_result_t
+isc_appctx_create(isc_mem_t *mctx, isc_appctx_t **ctxp) {
+ isc_result_t result;
+
+ LOCK(&createlock);
+
+ REQUIRE(appctx_createfunc != NULL);
+ result = (*appctx_createfunc)(mctx, ctxp);
+
+ UNLOCK(&createlock);
+
+ return (result);
+}
+
+void
+isc_appctx_destroy(isc_appctx_t **ctxp) {
+ REQUIRE(ctxp != NULL && ISCAPI_APPCTX_VALID(*ctxp));
+
+ (*ctxp)->methods->ctxdestroy(ctxp);
+
+ ENSURE(*ctxp == NULL);
+}
+
+isc_result_t
+isc_app_ctxstart(isc_appctx_t *ctx) {
+ REQUIRE(ISCAPI_APPCTX_VALID(ctx));
+
+ return (ctx->methods->ctxstart(ctx));
+}
+
+isc_result_t
+isc_app_ctxrun(isc_appctx_t *ctx) {
+ REQUIRE(ISCAPI_APPCTX_VALID(ctx));
+
+ return (ctx->methods->ctxrun(ctx));
+}
+
+isc_result_t
+isc_app_ctxsuspend(isc_appctx_t *ctx) {
+ REQUIRE(ISCAPI_APPCTX_VALID(ctx));
+
+ return (ctx->methods->ctxsuspend(ctx));
+}
+
+isc_result_t
+isc_app_ctxshutdown(isc_appctx_t *ctx) {
+ REQUIRE(ISCAPI_APPCTX_VALID(ctx));
+
+ return (ctx->methods->ctxshutdown(ctx));
+}
+
+void
+isc_app_ctxfinish(isc_appctx_t *ctx) {
+ REQUIRE(ISCAPI_APPCTX_VALID(ctx));
+
+ ctx->methods->ctxfinish(ctx);
+}
+
+void
+isc_appctx_settaskmgr(isc_appctx_t *ctx, isc_taskmgr_t *taskmgr) {
+ REQUIRE(ISCAPI_APPCTX_VALID(ctx));
+ REQUIRE(taskmgr != NULL);
+
+ ctx->methods->settaskmgr(ctx, taskmgr);
+}
+
+void
+isc_appctx_setsocketmgr(isc_appctx_t *ctx, isc_socketmgr_t *socketmgr) {
+ REQUIRE(ISCAPI_APPCTX_VALID(ctx));
+ REQUIRE(socketmgr != NULL);
+
+ ctx->methods->setsocketmgr(ctx, socketmgr);
+}
+
+void
+isc_appctx_settimermgr(isc_appctx_t *ctx, isc_timermgr_t *timermgr) {
+ REQUIRE(ISCAPI_APPCTX_VALID(ctx));
+ REQUIRE(timermgr != NULL);
+
+ ctx->methods->settimermgr(ctx, timermgr);
+}
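Review bot: `isc_appctx_create` takes `createlock` without first running `isc_once_do(&once, initialize)`, so if it is called before any `isc_app_register` call the mutex has never been initialised and `LOCK` operates on an uninitialised object. Adding `RUNTIME_CHECK(isc_once_do(&once, initialize) == ISC_R_SUCCESS);` as its first statement, as `isc_app_register` already does, closes that ordering gap. The `REQUIRE(appctx_createfunc != NULL)` then still catches a missing registration, but on a valid lock. `ISCAPI_APPMETHODS_VALID` is defined here and not used anywhere in the file.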
diff --git a/contrib/bind9/lib/isc/assertions.c b/contrib/bind9/lib/isc/assertions.c
index a07edd1bfcba..31c4fe7c9f27 100644
--- a/contrib/bind9/lib/isc/assertions.c
+++ b/contrib/bind9/lib/isc/assertions.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2007, 2008, 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007-2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1997-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: assertions.c,v 1.26 2009/09/29 15:06:07 fdupont Exp $ */
/*! \file */
@@ -25,12 +25,20 @@
#include <stdlib.h>
#include <isc/assertions.h>
+#include <isc/backtrace.h>
#include <isc/msgs.h>
+#include <isc/result.h>
+
+/*
+ * The maximum number of stack frames to dump on assertion failure.
+ */
+#ifndef BACKTRACE_MAXFRAME
+#define BACKTRACE_MAXFRAME 128
+#endif
/*%
* Forward.
*/
-/* coverity[+kill] */
static void
default_callback(const char *, int, isc_assertiontype_t, const char *);
@@ -51,7 +59,6 @@ isc_assertion_failed(const char *file, int line, isc_assertiontype_t type,
/* NOTREACHED */
}
-
/*% Set callback. */
void
isc_assertion_setcallback(isc_assertioncallback_t cb) {
@@ -98,11 +105,35 @@ static void
default_callback(const char *file, int line, isc_assertiontype_t type,
const char *cond)
{
- fprintf(stderr, "%s:%d: %s(%s) %s.\n",
+ void *tracebuf[BACKTRACE_MAXFRAME];
+ int i, nframes;
+ const char *logsuffix = ".";
+ const char *fname;
+ isc_result_t result;
+
+ result = isc_backtrace_gettrace(tracebuf, BACKTRACE_MAXFRAME, &nframes);
+ if (result == ISC_R_SUCCESS && nframes > 0)
+ logsuffix = ", back trace";
+
+ fprintf(stderr, "%s:%d: %s(%s) %s%s\n",
file, line, isc_assertion_typetotext(type), cond,
isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
- ISC_MSG_FAILED, "failed"));
+ ISC_MSG_FAILED, "failed"), logsuffix);
+ if (result == ISC_R_SUCCESS) {
+ for (i = 0; i < nframes; i++) {
+ unsigned long offset;
+
+ fname = NULL;
+ result = isc_backtrace_getsymbol(tracebuf[i], &fname,
+ &offset);
+ if (result == ISC_R_SUCCESS) {
+ fprintf(stderr, "#%d %p in %s()+0x%lx\n", i,
+ tracebuf[i], fname, offset);
+ } else {
+ fprintf(stderr, "#%d %p in ??\n", i,
+ tracebuf[i]);
+ }
+ }
+ }
fflush(stderr);
- abort();
- /* NOTREACHED */
}
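Review bot: With `abort()` removed, `default_callback` now returns to its caller, so termination after a failed assertion depends on `isc_assertion_failed`, whose body is outside this hunk; that dependency should be stated at the function, e.g. `/* Logs only; the caller is responsible for terminating the process. */`. The new trace also writes raw return addresses (`%p`) to stderr, which exposes the process's address layout to anyone who can read that stream or the log it feeds. The comment should say that this output is diagnostic and should be kept out of logs that untrusted parties can read.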
diff --git a/contrib/bind9/lib/isc/backtrace-emptytbl.c b/contrib/bind9/lib/isc/backtrace-emptytbl.c
new file mode 100644
index 000000000000..bd534d60c8e2
--- /dev/null
+++ b/contrib/bind9/lib/isc/backtrace-emptytbl.c
@@ -0,0 +1,34 @@
+/*
+ * Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: backtrace-emptytbl.c,v 1.3 2009/09/01 20:13:44 each Exp $ */
+
+/*! \file */
+
+/*
+ * This file defines an empty (default) symbol table used in backtrace.c
+ * If the application wants to have a complete symbol table, it should redefine
+ * isc__backtrace_symtable with the complete table in some way, and link the
+ * version of the library not including this definition
+ * (e.g. libisc-nosymbol.a).
+ */
+
+#include <config.h>
+
+#include <isc/backtrace.h>
+
+const int isc__backtrace_nsymbols = 0;
+const isc_backtrace_symmap_t isc__backtrace_symtable[] = { { NULL, "" } };
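Review bot: The header comment points readers at `libisc-nosymbol.a`, but the archive this commit's Makefile.in builds is `libisc-nosymtbl.@SA@`; the comment should read `(e.g. libisc-nosymtbl.a)` so that someone supplying their own `isc__backtrace_symtable` links the right library. The table holds one placeholder entry while `isc__backtrace_nsymbols` is 0, and a one-line comment saying why that entry is there would help readers too.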
diff --git a/contrib/bind9/lib/isc/backtrace.c b/contrib/bind9/lib/isc/backtrace.c
new file mode 100644
index 000000000000..d2f044cb8c4c
--- /dev/null
+++ b/contrib/bind9/lib/isc/backtrace.c
@@ -0,0 +1,285 @@
+/*
+ * Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: backtrace.c,v 1.3 2009/09/02 23:48:02 tbox Exp $ */
+
+/*! \file */
+
+#include "config.h"
+
+#include <string.h>
+#include <stdlib.h>
+#ifdef HAVE_LIBCTRACE
+#include <execinfo.h>
+#endif
+
+#include <isc/backtrace.h>
+#include <isc/result.h>
+#include <isc/util.h>
+
+#ifdef ISC_PLATFORM_USEBACKTRACE
+/*
+ * Getting a back trace of a running process is tricky and highly platform
+ * dependent. Our current approach is as follows:
+ * 1. If the system library supports the "backtrace()" function, use it.
+ * 2. Otherwise, if the compiler is gcc and the architecture is x86_64 or IA64,
+ * then use gcc's (hidden) Unwind_Backtrace() function. Note that this
+ * function doesn't work for C programs on many other architectures.
+ * 3. Otherwise, if the architecture x86 or x86_64, try to unwind the stack
+ * frame following frame pointers. This assumes the executable binary
+ * compiled with frame pointers; this is not always true for x86_64 (rather,
+ * compiler optimizations often disable frame pointers). The validation
+ * checks in getnextframeptr() hopefully rejects bogus values stored in
+ * the RBP register in such a case. If the backtrace function itself crashes
+ * due to this problem, the whole package should be rebuilt with
+ * --disable-backtrace.
+ */
+#ifdef HAVE_LIBCTRACE
+#define BACKTRACE_LIBC
+#elif defined(__GNUC__) && (defined(__x86_64__) || defined(__ia64__))
+#define BACKTRACE_GCC
+#elif defined(__x86_64__) || defined(__i386__)
+#define BACKTRACE_X86STACK
+#else
+#define BACKTRACE_DISABLED
+#endif /* HAVE_LIBCTRACE */
+#else /* !ISC_PLATFORM_USEBACKTRACE */
+#define BACKTRACE_DISABLED
+#endif /* ISC_PLATFORM_USEBACKTRACE */
+
+#ifdef BACKTRACE_LIBC
+isc_result_t
+isc_backtrace_gettrace(void **addrs, int maxaddrs, int *nframes) {
+ int n;
+
+ /*
+ * Validate the arguments: intentionally avoid using REQUIRE().
+ * See notes in backtrace.h.
+ */
+ if (addrs == NULL || nframes == NULL)
+ return (ISC_R_FAILURE);
+
+ /*
+ * backtrace(3) includes this function itself in the address array,
+ * which should be eliminated from the returned sequence.
+ */
+ n = backtrace(addrs, maxaddrs);
+ if (n < 2)
+ return (ISC_R_NOTFOUND);
+ n--;
+ memmove(addrs, &addrs[1], sizeof(void *) * n);
+ *nframes = n;
+ return (ISC_R_SUCCESS);
+}
+#elif defined(BACKTRACE_GCC)
+extern int _Unwind_Backtrace(void* fn, void* a);
+extern void* _Unwind_GetIP(void* ctx);
+
+typedef struct {
+ void **result;
+ int max_depth;
+ int skip_count;
+ int count;
+} trace_arg_t;
+
+static int
+btcallback(void *uc, void *opq) {
+ trace_arg_t *arg = (trace_arg_t *)opq;
+
+ if (arg->skip_count > 0)
+ arg->skip_count--;
+ else
+ arg->result[arg->count++] = (void *)_Unwind_GetIP(uc);
+ if (arg->count == arg->max_depth)
+ return (5); /* _URC_END_OF_STACK */
+
+ return (0); /* _URC_NO_REASON */
+}
+
+isc_result_t
+isc_backtrace_gettrace(void **addrs, int maxaddrs, int *nframes) {
+ trace_arg_t arg;
+
+ /* Argument validation: see above. */
+ if (addrs == NULL || nframes == NULL)
+ return (ISC_R_FAILURE);
+
+ arg.skip_count = 1;
+ arg.result = addrs;
+ arg.max_depth = maxaddrs;
+ arg.count = 0;
+ _Unwind_Backtrace(btcallback, &arg);
+
+ *nframes = arg.count;
+
+ return (ISC_R_SUCCESS);
+}
+#elif defined(BACKTRACE_X86STACK)
+#ifdef __x86_64__
+static unsigned long
+getrbp() {
+ __asm("movq %rbp, %rax\n");
+}
+#endif
+
+static void **
+getnextframeptr(void **sp) {
+ void **newsp = (void **)*sp;
+
+ /*
+ * Perform sanity check for the new frame pointer, derived from
+ * google glog. This can actually be bogus depending on compiler.
+ */
+
+ /* prohibit the stack frames from growing downwards */
+ if (newsp <= sp)
+ return (NULL);
+
+ /* A heuristics to reject "too large" frame: this actually happened. */
+ if ((char *)newsp - (char *)sp > 100000)
+ return (NULL);
+
+ /*
+ * Not sure if other checks used in glog are needed at this moment.
+ * For our purposes we don't have to consider non-contiguous frames,
+ * for example.
+ */
+
+ return (newsp);
+}
+
+isc_result_t
+isc_backtrace_gettrace(void **addrs, int maxaddrs, int *nframes) {
+ int i = 0;
+ void **sp;
+
+ /* Argument validation: see above. */
+ if (addrs == NULL || nframes == NULL)
+ return (ISC_R_FAILURE);
+
+#ifdef __x86_64__
+ sp = (void **)getrbp();
+ if (sp == NULL)
+ return (ISC_R_NOTFOUND);
+ /*
+ * sp is the frame ptr of this function itself due to the call to
+ * getrbp(), so need to unwind one frame for consistency.
+ */
+ sp = getnextframeptr(sp);
+#else
+ /*
+ * i386: the frame pointer is stored 2 words below the address for the
+ * first argument. Note that the body of this function cannot be
+ * inlined since it depends on the address of the function argument.
+ */
+ sp = (void **)&addrs - 2;
+#endif
+
+ while (sp != NULL && i < maxaddrs) {
+ addrs[i++] = *(sp + 1);
+ sp = getnextframeptr(sp);
+ }
+
+ *nframes = i;
+
+ return (ISC_R_SUCCESS);
+}
+#elif defined(BACKTRACE_DISABLED)
+isc_result_t
+isc_backtrace_gettrace(void **addrs, int maxaddrs, int *nframes) {
+ /* Argument validation: see above. */
+ if (addrs == NULL || nframes == NULL)
+ return (ISC_R_FAILURE);
+
+ UNUSED(maxaddrs);
+
+ return (ISC_R_NOTIMPLEMENTED);
+}
+#endif
+
+isc_result_t
+isc_backtrace_getsymbolfromindex(int index, const void **addrp,
+ const char **symbolp)
+{
+ REQUIRE(addrp != NULL && *addrp == NULL);
+ REQUIRE(symbolp != NULL && *symbolp == NULL);
+
+ if (index < 0 || index >= isc__backtrace_nsymbols)
+ return (ISC_R_RANGE);
+
+ *addrp = isc__backtrace_symtable[index].addr;
+ *symbolp = isc__backtrace_symtable[index].symbol;
+ return (ISC_R_SUCCESS);
+}
+
+static int
+symtbl_compare(const void *addr, const void *entryarg) {
+ const isc_backtrace_symmap_t *entry = entryarg;
+ const isc_backtrace_symmap_t *end =
+ &isc__backtrace_symtable[isc__backtrace_nsymbols - 1];
+
+ if (isc__backtrace_nsymbols == 1 || entry == end) {
+ if (addr >= entry->addr) {
+ /*
+ * If addr is equal to or larger than that of the last
+ * entry of the table, we cannot be sure if this is
+ * within a valid range so we consider it valid.
+ */
+ return (0);
+ }
+ return (-1);
+ }
+
+ /* entry + 1 is a valid entry from now on. */
+ if (addr < entry->addr)
+ return (-1);
+ else if (addr >= (entry + 1)->addr)
+ return (1);
+ return (0);
+}
+
+isc_result_t
+isc_backtrace_getsymbol(const void *addr, const char **symbolp,
+ unsigned long *offsetp)
+{
+ isc_result_t result = ISC_R_SUCCESS;
+ isc_backtrace_symmap_t *found;
+
+ /*
+ * Validate the arguments: intentionally avoid using REQUIRE().
+ * See notes in backtrace.h.
+ */
+ if (symbolp == NULL || *symbolp != NULL || offsetp == NULL)
+ return (ISC_R_FAILURE);
+
+ if (isc__backtrace_nsymbols < 1)
+ return (ISC_R_NOTFOUND);
+
+ /*
+ * Search the table for the entry that meets:
+ * entry.addr <= addr < next_entry.addr.
+ */
+ found = bsearch(addr, isc__backtrace_symtable, isc__backtrace_nsymbols,
+ sizeof(isc__backtrace_symtable[0]), symtbl_compare);
+ if (found == NULL)
+ result = ISC_R_NOTFOUND;
+ else {
+ *symbolp = found->symbol;
+ *offsetp = (const char *)addr - (char *)found->addr;
+ }
+
+ return (result);
+}
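Review bot: `getrbp()` has no `return` statement and relies on `movq %rbp, %rax` leaving the value in the return register, which is undefined behaviour in C and can silently break when the compiler inlines or optimises the function. An output operand makes the intent explicit: `unsigned long rbp; __asm__ __volatile__("movq %%rbp, %0" : "=r"(rbp)); return (rbp);`. Separately, none of the `isc_backtrace_gettrace` variants reject `maxaddrs <= 0`. In the `BACKTRACE_GCC` path a negative value never equals `arg->count`, so `btcallback` would keep storing into `result`; `if (maxaddrs <= 0) return (ISC_R_FAILURE);` next to the existing NULL checks would bound it.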
diff --git a/contrib/bind9/lib/isc/base32.c b/contrib/bind9/lib/isc/base32.c
index 86480e0dadcc..d25e3c4716bb 100644
--- a/contrib/bind9/lib/isc/base32.c
+++ b/contrib/bind9/lib/isc/base32.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2008, 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2008, 2009 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: base32.c,v 1.6 2009/10/21 01:22:29 each Exp $ */
/*! \file */
diff --git a/contrib/bind9/lib/isc/base64.c b/contrib/bind9/lib/isc/base64.c
index ac1398d0d778..bad1565bea7b 100644
--- a/contrib/bind9/lib/isc/base64.c
+++ b/contrib/bind9/lib/isc/base64.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2007, 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1998-2001, 2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: base64.c,v 1.34 2009/10/21 23:48:05 tbox Exp $ */
/*! \file */
diff --git a/contrib/bind9/lib/isc/entropy.c b/contrib/bind9/lib/isc/entropy.c
index 74b96924a9c1..da9e81fb3129 100644
--- a/contrib/bind9/lib/isc/entropy.c
+++ b/contrib/bind9/lib/isc/entropy.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2007, 2009, 2010, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: entropy.c,v 1.22 2010/08/10 23:48:19 tbox Exp $ */
/*! \file
* \brief
diff --git a/contrib/bind9/lib/isc/hash.c b/contrib/bind9/lib/isc/hash.c
index 829676f1284f..f1d68c7700f5 100644
--- a/contrib/bind9/lib/isc/hash.c
+++ b/contrib/bind9/lib/isc/hash.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2007, 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: hash.c,v 1.16 2009/09/01 00:22:28 jinmei Exp $ */
/*! \file
* Some portion of this code was derived from universal hash function
@@ -194,8 +194,12 @@ isc_hash_ctxcreate(isc_mem_t *mctx, isc_entropy_t *entropy,
hctx->vectorlen = vlen;
hctx->rndvector = rv;
+#ifdef BIND9
if (entropy != NULL)
isc_entropy_attach(entropy, &hctx->entropy);
+#else
+ UNUSED(entropy);
+#endif
*hctxp = hctx;
return (ISC_R_SUCCESS);
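Review bot: In builds without `BIND9` the caller's `entropy` argument is discarded with `UNUSED(entropy)` and nothing tells the caller, so the source is never attached and `isc_hash_ctxinit` (next hunk) can only take its non-entropy branch. What that branch seeds the random vector from is not visible here, so whether this weakens the hash against chosen-input collisions needs confirming. At minimum the behaviour should be documented at the `#else`, e.g. `/* Non-BIND9 builds ignore the entropy source; isc_hash_ctxinit() uses its fallback seeding. */`. The function body starts outside this hunk.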
@@ -236,18 +240,22 @@ isc_hash_create(isc_mem_t *mctx, isc_entropy_t *entropy, size_t limit) {
void
isc_hash_ctxinit(isc_hash_t *hctx) {
- isc_result_t result;
-
LOCK(&hctx->lock);
if (hctx->initialized == ISC_TRUE)
goto out;
if (hctx->entropy) {
+#ifdef BIND9
+ isc_result_t result;
+
result = isc_entropy_getdata(hctx->entropy,
hctx->rndvector, hctx->vectorlen,
NULL, 0);
INSIST(result == ISC_R_SUCCESS);
+#else
+ INSIST(0);
+#endif
} else {
isc_uint32_t pr;
unsigned int i, copylen;
@@ -293,6 +301,7 @@ static void
destroy(isc_hash_t **hctxp) {
isc_hash_t *hctx;
isc_mem_t *mctx;
+ unsigned char canary0[4], canary1[4];
REQUIRE(hctxp != NULL && *hctxp != NULL);
hctx = *hctxp;
@@ -303,8 +312,10 @@ destroy(isc_hash_t **hctxp) {
isc_refcount_destroy(&hctx->refcnt);
mctx = hctx->mctx;
+#ifdef BIND9
if (hctx->entropy != NULL)
isc_entropy_detach(&hctx->entropy);
+#endif
if (hctx->rndvector != NULL)
isc_mem_put(mctx, hctx->rndvector, hctx->vectorlen);
@@ -312,7 +323,10 @@ destroy(isc_hash_t **hctxp) {
DESTROYLOCK(&hctx->lock);
+ memcpy(canary0, hctx + 1, sizeof(canary0));
memset(hctx, 0, sizeof(isc_hash_t));
+ memcpy(canary1, hctx + 1, sizeof(canary1));
+ INSIST(memcmp(canary0, canary1, sizeof(canary0)) == 0);
isc_mem_put(mctx, hctx, sizeof(isc_hash_t));
isc_mem_detach(&mctx);
}
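Review bot: `memcpy(canary0, hctx + 1, sizeof(canary0))` and the matching read into `canary1` fetch four bytes from just past the end of the `isc_hash_t` allocation, whose size is given as `sizeof(isc_hash_t)` in the `isc_mem_put` call below. That is only defined if the memory context always leaves readable bytes after the block, which nothing in this hunk establishes. The check appears to be a guard against the `memset` overrunning the object, but neither the purpose nor the allocator assumption is written down. At minimum I would add `/* Detect memset() writing past *hctx; assumes isc_mem leaves readable bytes after the block. */` above the first `memcpy`, and consider compiling the probe only in debugging builds. The `canary0`/`canary1` declaration is in the previous hunk of destroy().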
diff --git a/contrib/bind9/lib/isc/hmacmd5.c b/contrib/bind9/lib/isc/hmacmd5.c
index 5d761e4d4581..6abe6e27df8e 100644
--- a/contrib/bind9/lib/isc/hmacmd5.c
+++ b/contrib/bind9/lib/isc/hmacmd5.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2007, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: hmacmd5.c,v 1.16 2009/02/06 23:47:42 tbox Exp $ */
/*! \file
* This code implements the HMAC-MD5 keyed hash algorithm
@@ -27,10 +27,40 @@
#include <isc/assertions.h>
#include <isc/hmacmd5.h>
#include <isc/md5.h>
+#include <isc/platform.h>
#include <isc/string.h>
#include <isc/types.h>
#include <isc/util.h>
+#ifdef ISC_PLATFORM_OPENSSLHASH
+
+void
+isc_hmacmd5_init(isc_hmacmd5_t *ctx, const unsigned char *key,
+ unsigned int len)
+{
+ HMAC_Init(ctx, (const void *) key, (int) len, EVP_md5());
+}
+
+void
+isc_hmacmd5_invalidate(isc_hmacmd5_t *ctx) {
+ HMAC_CTX_cleanup(ctx);
+}
+
+void
+isc_hmacmd5_update(isc_hmacmd5_t *ctx, const unsigned char *buf,
+ unsigned int len)
+{
+ HMAC_Update(ctx, buf, (int) len);
+}
+
+void
+isc_hmacmd5_sign(isc_hmacmd5_t *ctx, unsigned char *digest) {
+ HMAC_Final(ctx, digest, NULL);
+ HMAC_CTX_cleanup(ctx);
+}
+
+#else
+
#define PADLEN 64
#define IPAD 0x36
#define OPAD 0x5C
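Review bot: The OpenSSL-backed wrappers discard the results of `HMAC_Init`, `HMAC_Update` and `HMAC_Final`, so a failure inside the library would leave `digest` unwritten while the `void` ISC interface reports nothing. This matters on OpenSSL releases where these functions return `int`; on older releases they are `void` and there is nothing to check. Where a result is available I would fail hard, for example `RUNTIME_CHECK(HMAC_Final(ctx, digest, NULL) == 1);`. The `(int) len` casts also turn a length above INT_MAX into a negative value, which a `REQUIRE(len <= INT_MAX);` would rule out. The same applies to the isc_hmacsha* wrappers added in hmacsha.c, where an unwritten `newdigest` would additionally be copied to the caller.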
@@ -98,6 +128,7 @@ isc_hmacmd5_sign(isc_hmacmd5_t *ctx, unsigned char *digest) {
isc_md5_final(&ctx->md5ctx, digest);
isc_hmacmd5_invalidate(ctx);
}
+#endif /* !ISC_PLATFORM_OPENSSLHASH */
/*!
* Verify signature - finalize MD5 operation and reapply MD5, then
diff --git a/contrib/bind9/lib/isc/hmacsha.c b/contrib/bind9/lib/isc/hmacsha.c
index 0bd78d7b2301..d7b9f1897eb0 100644
--- a/contrib/bind9/lib/isc/hmacsha.c
+++ b/contrib/bind9/lib/isc/hmacsha.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2005-2007, 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2005-2007, 2009, 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@@ -26,12 +26,172 @@
#include <isc/assertions.h>
#include <isc/hmacsha.h>
+#include <isc/platform.h>
#include <isc/sha1.h>
#include <isc/sha2.h>
#include <isc/string.h>
#include <isc/types.h>
#include <isc/util.h>
+#ifdef ISC_PLATFORM_OPENSSLHASH
+
+void
+isc_hmacsha1_init(isc_hmacsha1_t *ctx, const unsigned char *key,
+ unsigned int len)
+{
+ HMAC_Init(ctx, (const void *) key, (int) len, EVP_sha1());
+}
+
+void
+isc_hmacsha1_invalidate(isc_hmacsha1_t *ctx) {
+ HMAC_CTX_cleanup(ctx);
+}
+
+void
+isc_hmacsha1_update(isc_hmacsha1_t *ctx, const unsigned char *buf,
+ unsigned int len)
+{
+ HMAC_Update(ctx, buf, (int) len);
+}
+
+void
+isc_hmacsha1_sign(isc_hmacsha1_t *ctx, unsigned char *digest, size_t len) {
+ unsigned char newdigest[ISC_SHA1_DIGESTLENGTH];
+
+ REQUIRE(len <= ISC_SHA1_DIGESTLENGTH);
+
+ HMAC_Final(ctx, newdigest, NULL);
+ HMAC_CTX_cleanup(ctx);
+ memcpy(digest, newdigest, len);
+ memset(newdigest, 0, sizeof(newdigest));
+}
+
+void
+isc_hmacsha224_init(isc_hmacsha224_t *ctx, const unsigned char *key,
+ unsigned int len)
+{
+ HMAC_Init(ctx, (const void *) key, (int) len, EVP_sha224());
+}
+
+void
+isc_hmacsha224_invalidate(isc_hmacsha224_t *ctx) {
+ HMAC_CTX_cleanup(ctx);
+}
+
+void
+isc_hmacsha224_update(isc_hmacsha224_t *ctx, const unsigned char *buf,
+ unsigned int len)
+{
+ HMAC_Update(ctx, buf, (int) len);
+}
+
+void
+isc_hmacsha224_sign(isc_hmacsha224_t *ctx, unsigned char *digest, size_t len) {
+ unsigned char newdigest[ISC_SHA224_DIGESTLENGTH];
+
+ REQUIRE(len <= ISC_SHA224_DIGESTLENGTH);
+
+ HMAC_Final(ctx, newdigest, NULL);
+ HMAC_CTX_cleanup(ctx);
+ memcpy(digest, newdigest, len);
+ memset(newdigest, 0, sizeof(newdigest));
+}
+
+void
+isc_hmacsha256_init(isc_hmacsha256_t *ctx, const unsigned char *key,
+ unsigned int len)
+{
+ HMAC_Init(ctx, (const void *) key, (int) len, EVP_sha256());
+}
+
+void
+isc_hmacsha256_invalidate(isc_hmacsha256_t *ctx) {
+ HMAC_CTX_cleanup(ctx);
+}
+
+void
+isc_hmacsha256_update(isc_hmacsha256_t *ctx, const unsigned char *buf,
+ unsigned int len)
+{
+ HMAC_Update(ctx, buf, (int) len);
+}
+
+void
+isc_hmacsha256_sign(isc_hmacsha256_t *ctx, unsigned char *digest, size_t len) {
+ unsigned char newdigest[ISC_SHA256_DIGESTLENGTH];
+
+ REQUIRE(len <= ISC_SHA256_DIGESTLENGTH);
+
+ HMAC_Final(ctx, newdigest, NULL);
+ HMAC_CTX_cleanup(ctx);
+ memcpy(digest, newdigest, len);
+ memset(newdigest, 0, sizeof(newdigest));
+}
+
+void
+isc_hmacsha384_init(isc_hmacsha384_t *ctx, const unsigned char *key,
+ unsigned int len)
+{
+ HMAC_Init(ctx, (const void *) key, (int) len, EVP_sha384());
+}
+
+void
+isc_hmacsha384_invalidate(isc_hmacsha384_t *ctx) {
+ HMAC_CTX_cleanup(ctx);
+}
+
+void
+isc_hmacsha384_update(isc_hmacsha384_t *ctx, const unsigned char *buf,
+ unsigned int len)
+{
+ HMAC_Update(ctx, buf, (int) len);
+}
+
+void
+isc_hmacsha384_sign(isc_hmacsha384_t *ctx, unsigned char *digest, size_t len) {
+ unsigned char newdigest[ISC_SHA384_DIGESTLENGTH];
+
+ REQUIRE(len <= ISC_SHA384_DIGESTLENGTH);
+
+ HMAC_Final(ctx, newdigest, NULL);
+ HMAC_CTX_cleanup(ctx);
+ memcpy(digest, newdigest, len);
+ memset(newdigest, 0, sizeof(newdigest));
+}
+
+void
+isc_hmacsha512_init(isc_hmacsha512_t *ctx, const unsigned char *key,
+ unsigned int len)
+{
+ HMAC_Init(ctx, (const void *) key, (int) len, EVP_sha512());
+}
+
+void
+isc_hmacsha512_invalidate(isc_hmacsha512_t *ctx) {
+ HMAC_CTX_cleanup(ctx);
+}
+
+void
+isc_hmacsha512_update(isc_hmacsha512_t *ctx, const unsigned char *buf,
+ unsigned int len)
+{
+ HMAC_Update(ctx, buf, (int) len);
+}
+
+void
+isc_hmacsha512_sign(isc_hmacsha512_t *ctx, unsigned char *digest, size_t len) {
+ unsigned char newdigest[ISC_SHA512_DIGESTLENGTH];
+
+ REQUIRE(len <= ISC_SHA512_DIGESTLENGTH);
+
+ HMAC_Final(ctx, newdigest, NULL);
+ HMAC_CTX_cleanup(ctx);
+ memcpy(digest, newdigest, len);
+ memset(newdigest, 0, sizeof(newdigest));
+}
+
+#else
+
#define IPAD 0x36
#define OPAD 0x5C
@@ -104,19 +264,6 @@ isc_hmacsha1_sign(isc_hmacsha1_t *ctx, unsigned char *digest, size_t len) {
}
/*
- * Verify signature - finalize SHA1 operation and reapply SHA1, then
- * compare to the supplied digest.
- */
-isc_boolean_t
-isc_hmacsha1_verify(isc_hmacsha1_t *ctx, unsigned char *digest, size_t len) {
- unsigned char newdigest[ISC_SHA1_DIGESTLENGTH];
-
- REQUIRE(len <= ISC_SHA1_DIGESTLENGTH);
- isc_hmacsha1_sign(ctx, newdigest, ISC_SHA1_DIGESTLENGTH);
- return (ISC_TF(memcmp(digest, newdigest, len) == 0));
-}
-
-/*
* Start HMAC-SHA224 process. Initialize an sha224 context and digest the key.
*/
void
@@ -183,19 +330,6 @@ isc_hmacsha224_sign(isc_hmacsha224_t *ctx, unsigned char *digest, size_t len) {
}
/*
- * Verify signature - finalize SHA224 operation and reapply SHA224, then
- * compare to the supplied digest.
- */
-isc_boolean_t
-isc_hmacsha224_verify(isc_hmacsha224_t *ctx, unsigned char *digest, size_t len) {
- unsigned char newdigest[ISC_SHA224_DIGESTLENGTH];
-
- REQUIRE(len <= ISC_SHA224_DIGESTLENGTH);
- isc_hmacsha224_sign(ctx, newdigest, ISC_SHA224_DIGESTLENGTH);
- return (ISC_TF(memcmp(digest, newdigest, len) == 0));
-}
-
-/*
* Start HMAC-SHA256 process. Initialize an sha256 context and digest the key.
*/
void
@@ -262,19 +396,6 @@ isc_hmacsha256_sign(isc_hmacsha256_t *ctx, unsigned char *digest, size_t len) {
}
/*
- * Verify signature - finalize SHA256 operation and reapply SHA256, then
- * compare to the supplied digest.
- */
-isc_boolean_t
-isc_hmacsha256_verify(isc_hmacsha256_t *ctx, unsigned char *digest, size_t len) {
- unsigned char newdigest[ISC_SHA256_DIGESTLENGTH];
-
- REQUIRE(len <= ISC_SHA256_DIGESTLENGTH);
- isc_hmacsha256_sign(ctx, newdigest, ISC_SHA256_DIGESTLENGTH);
- return (ISC_TF(memcmp(digest, newdigest, len) == 0));
-}
-
-/*
* Start HMAC-SHA384 process. Initialize an sha384 context and digest the key.
*/
void
@@ -341,19 +462,6 @@ isc_hmacsha384_sign(isc_hmacsha384_t *ctx, unsigned char *digest, size_t len) {
}
/*
- * Verify signature - finalize SHA384 operation and reapply SHA384, then
- * compare to the supplied digest.
- */
-isc_boolean_t
-isc_hmacsha384_verify(isc_hmacsha384_t *ctx, unsigned char *digest, size_t len) {
- unsigned char newdigest[ISC_SHA384_DIGESTLENGTH];
-
- REQUIRE(len <= ISC_SHA384_DIGESTLENGTH);
- isc_hmacsha384_sign(ctx, newdigest, ISC_SHA384_DIGESTLENGTH);
- return (ISC_TF(memcmp(digest, newdigest, len) == 0));
-}
-
-/*
* Start HMAC-SHA512 process. Initialize an sha512 context and digest the key.
*/
void
@@ -418,6 +526,59 @@ isc_hmacsha512_sign(isc_hmacsha512_t *ctx, unsigned char *digest, size_t len) {
memcpy(digest, newdigest, len);
memset(newdigest, 0, sizeof(newdigest));
}
+#endif /* !ISC_PLATFORM_OPENSSLHASH */
+
+/*
+ * Verify signature - finalize SHA1 operation and reapply SHA1, then
+ * compare to the supplied digest.
+ */
+isc_boolean_t
+isc_hmacsha1_verify(isc_hmacsha1_t *ctx, unsigned char *digest, size_t len) {
+ unsigned char newdigest[ISC_SHA1_DIGESTLENGTH];
+
+ REQUIRE(len <= ISC_SHA1_DIGESTLENGTH);
+ isc_hmacsha1_sign(ctx, newdigest, ISC_SHA1_DIGESTLENGTH);
+ return (ISC_TF(memcmp(digest, newdigest, len) == 0));
+}
+
+/*
+ * Verify signature - finalize SHA224 operation and reapply SHA224, then
+ * compare to the supplied digest.
+ */
+isc_boolean_t
+isc_hmacsha224_verify(isc_hmacsha224_t *ctx, unsigned char *digest, size_t len) {
+ unsigned char newdigest[ISC_SHA224_DIGESTLENGTH];
+
+ REQUIRE(len <= ISC_SHA224_DIGESTLENGTH);
+ isc_hmacsha224_sign(ctx, newdigest, ISC_SHA224_DIGESTLENGTH);
+ return (ISC_TF(memcmp(digest, newdigest, len) == 0));
+}
+
+/*
+ * Verify signature - finalize SHA256 operation and reapply SHA256, then
+ * compare to the supplied digest.
+ */
+isc_boolean_t
+isc_hmacsha256_verify(isc_hmacsha256_t *ctx, unsigned char *digest, size_t len) {
+ unsigned char newdigest[ISC_SHA256_DIGESTLENGTH];
+
+ REQUIRE(len <= ISC_SHA256_DIGESTLENGTH);
+ isc_hmacsha256_sign(ctx, newdigest, ISC_SHA256_DIGESTLENGTH);
+ return (ISC_TF(memcmp(digest, newdigest, len) == 0));
+}
+
+/*
+ * Verify signature - finalize SHA384 operation and reapply SHA384, then
+ * compare to the supplied digest.
+ */
+isc_boolean_t
+isc_hmacsha384_verify(isc_hmacsha384_t *ctx, unsigned char *digest, size_t len) {
+ unsigned char newdigest[ISC_SHA384_DIGESTLENGTH];
+
+ REQUIRE(len <= ISC_SHA384_DIGESTLENGTH);
+ isc_hmacsha384_sign(ctx, newdigest, ISC_SHA384_DIGESTLENGTH);
+ return (ISC_TF(memcmp(digest, newdigest, len) == 0));
+}
/*
* Verify signature - finalize SHA512 operation and reapply SHA512, then
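Review bot: Each of the relocated verify functions compares the computed MAC with `memcmp(digest, newdigest, len)`, which returns at the first differing byte, so the time taken depends on how much of a supplied digest is correct. A comparison that always touches all `len` bytes removes that dependency. `REQUIRE(len <= ISC_SHA1_DIGESTLENGTH)` also admits `len == 0`, for which the comparison succeeds without checking anything; whether callers can pass 0 is not visible here, but a lower bound in the REQUIRE would make the contract explicit. `newdigest` is left on the stack after the compare, unlike in the sign functions, which clear it. isc_hmacsha512_verify starts at the end of this hunk and continues outside it, presumably with the same pattern.
```c
/* Compare all len bytes with no early exit, so timing does not reveal the first mismatch. */
static isc_boolean_t
digest_equal(const unsigned char *a, const unsigned char *b, size_t len) {
	unsigned char acc = 0;
	size_t i;

	for (i = 0; i < len; i++)
		acc |= a[i] ^ b[i];
	return (ISC_TF(acc == 0));
}

isc_boolean_t
isc_hmacsha1_verify(isc_hmacsha1_t *ctx, unsigned char *digest, size_t len) {
	/* … unchanged: newdigest declaration, REQUIRE, isc_hmacsha1_sign call … */
	return (digest_equal(digest, newdigest, len));
}
```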
diff --git a/contrib/bind9/lib/isc/ia64/include/isc/atomic.h b/contrib/bind9/lib/isc/ia64/include/isc/atomic.h
index 1c7c6cd112bc..557941d02c55 100644
--- a/contrib/bind9/lib/isc/ia64/include/isc/atomic.h
+++ b/contrib/bind9/lib/isc/ia64/include/isc/atomic.h
@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: atomic.h,v 1.7 2009/06/24 02:22:50 marka Exp $ */
#ifndef ISC_ATOMIC_H
#define ISC_ATOMIC_H 1
diff --git a/contrib/bind9/lib/isc/include/isc/Makefile.in b/contrib/bind9/lib/isc/include/isc/Makefile.in
index d48ac85a7cd6..b8acdb5dbe0f 100644
--- a/contrib/bind9/lib/isc/include/isc/Makefile.in
+++ b/contrib/bind9/lib/isc/include/isc/Makefile.in
@@ -26,15 +26,15 @@ top_srcdir = @top_srcdir@
# machine generated. The latter are handled specially in the
# install target below.
#
-HEADERS = app.h assertions.h base64.h bitstring.h boolean.h buffer.h \
- bufferlist.h commandline.h entropy.h error.h event.h \
+HEADERS = app.h assertions.h base64.h bind9.h bitstring.h boolean.h \
+ buffer.h bufferlist.h commandline.h entropy.h error.h event.h \
eventclass.h file.h formatcheck.h fsaccess.h \
hash.h heap.h hex.h hmacmd5.h hmacsha.h \
httpd.h \
interfaceiter.h @ISC_IPV6_H@ iterated_hash.h lang.h lex.h \
lfsr.h lib.h list.h log.h \
- magic.h md5.h mem.h msgcat.h msgs.h \
- mutexblock.h netaddr.h ondestroy.h os.h parseint.h \
+ magic.h md5.h mem.h msgcat.h msgs.h mutexblock.h \
+ namespace.h netaddr.h ondestroy.h os.h parseint.h \
print.h quota.h radix.h random.h ratelimiter.h \
refcount.h region.h resource.h \
result.h resultclass.h rwlock.h serial.h sha1.h sha2.h \
diff --git a/contrib/bind9/lib/isc/include/isc/app.h b/contrib/bind9/lib/isc/include/isc/app.h
index ff398bdd10cc..e0be79063709 100644
--- a/contrib/bind9/lib/isc/include/isc/app.h
+++ b/contrib/bind9/lib/isc/include/isc/app.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2007, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: app.h,v 1.11 2009/09/02 23:48:03 tbox Exp $ */
#ifndef ISC_APP_H
#define ISC_APP_H 1
@@ -54,12 +54,23 @@
* Use of this module is not required. In particular, isc_app_start() is
* NOT an ISC library initialization routine.
*
+ * This module also supports per-thread 'application contexts'. With this
+ * mode, a thread-based application will have a separate context, in which
+ * it uses other ISC library services such as tasks or timers. Signals are
+ * not caught in this mode, so that the application can handle the signals
+ * in its preferred way.
+ *
* \li MP:
* Clients must ensure that isc_app_start(), isc_app_run(), and
* isc_app_finish() are called at most once. isc_app_shutdown()
* is safe to use by any thread (provided isc_app_start() has been
* called previously).
*
+ * The same note applies to isc_app_ctxXXX() functions, but in this case
+ * it's a per-thread restriction. For example, a thread with an
+ * application context must ensure that isc_app_ctxstart() with the
+ * context is called at most once.
+ *
* \li Reliability:
* No anticipated impact.
*
@@ -75,17 +86,64 @@
#include <isc/eventclass.h>
#include <isc/lang.h>
+#include <isc/magic.h>
#include <isc/result.h>
+/***
+ *** Types
+ ***/
+
typedef isc_event_t isc_appevent_t;
#define ISC_APPEVENT_FIRSTEVENT (ISC_EVENTCLASS_APP + 0)
#define ISC_APPEVENT_SHUTDOWN (ISC_EVENTCLASS_APP + 1)
#define ISC_APPEVENT_LASTEVENT (ISC_EVENTCLASS_APP + 65535)
+/*%
+ * app module methods. Only app driver implementations use this structure.
+ * Other clients should use the top-level interfaces (i.e., isc_app_xxx
+ * functions). magic must be ISCAPI_APPMETHODS_MAGIC.
+ */
+typedef struct isc_appmethods {
+ void (*ctxdestroy)(isc_appctx_t **ctxp);
+ isc_result_t (*ctxstart)(isc_appctx_t *ctx);
+ isc_result_t (*ctxrun)(isc_appctx_t *ctx);
+ isc_result_t (*ctxsuspend)(isc_appctx_t *ctx);
+ isc_result_t (*ctxshutdown)(isc_appctx_t *ctx);
+ void (*ctxfinish)(isc_appctx_t *ctx);
+ void (*settaskmgr)(isc_appctx_t *ctx,
+ isc_taskmgr_t *timermgr);
+ void (*setsocketmgr)(isc_appctx_t *ctx,
+ isc_socketmgr_t *timermgr);
+ void (*settimermgr)(isc_appctx_t *ctx,
+ isc_timermgr_t *timermgr);
+} isc_appmethods_t;
+
+/*%
+ * This structure is actually just the common prefix of an application context
+ * implementation's version of an isc_appctx_t.
+ * \brief
+ * Direct use of this structure by clients is forbidden. app implementations
+ * may change the structure. 'magic' must be ISCAPI_APPCTX_MAGIC for any
+ * of the isc_app_ routines to work. app implementations must maintain
+ * all app context invariants.
+ */
+struct isc_appctx {
+ unsigned int impmagic;
+ unsigned int magic;
+ isc_appmethods_t *methods;
+};
+
+#define ISCAPI_APPCTX_MAGIC ISC_MAGIC('A','a','p','c')
+#define ISCAPI_APPCTX_VALID(c) ((c) != NULL && \
+ (c)->magic == ISCAPI_APPCTX_MAGIC)
+
ISC_LANG_BEGINDECLS
isc_result_t
+isc_app_ctxstart(isc_appctx_t *ctx);
+
+isc_result_t
isc_app_start(void);
/*!<
* \brief Start an ISC library application.
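Review bot: The comment on `isc_appmethods` says "magic must be ISCAPI_APPMETHODS_MAGIC", but the struct has no `magic` member and no such macro is defined in this hunk, so the method table cannot be validated the way the text implies. The sentence should either go or be backed by a real field. The prototypes for `settaskmgr` and `setsocketmgr` name their second parameter `timermgr`, which looks copied from `settimermgr`; `isc_taskmgr_t *taskmgr` and `isc_socketmgr_t *socketmgr` would read correctly. `ISCAPI_APPCTX_VALID` checks only `magic`, so the macro's comment should state that `methods` is not checked for NULL and must be set by the implementation. In the `isc_appctx` comment the `\brief` tag sits in the middle of the block rather than at its start.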
@@ -93,6 +151,9 @@ isc_app_start(void);
* Notes:
* This call should be made before any other ISC library call, and as
* close to the beginning of the application as possible.
+ *
+ * Requires:
+ * 'ctx' is a valid application context (for app_ctxstart()).
*/
isc_result_t
@@ -102,7 +163,7 @@ isc_app_onrun(isc_mem_t *mctx, isc_task_t *task, isc_taskaction_t action,
* \brief Request delivery of an event when the application is run.
*
* Requires:
- * isc_app_start() has been called.
+ *\li isc_app_start() has been called.
*
* Returns:
* ISC_R_SUCCESS
@@ -110,6 +171,9 @@ isc_app_onrun(isc_mem_t *mctx, isc_task_t *task, isc_taskaction_t action,
*/
isc_result_t
+isc_app_ctxrun(isc_appctx_t *ctx);
+
+isc_result_t
isc_app_run(void);
/*!<
* \brief Run an ISC library application.
@@ -120,11 +184,12 @@ isc_app_run(void);
* caller should start shutting down the application.
*
* Requires:
- *\li isc_app_start() has been called.
+ *\li isc_app_[ctx]start() has been called.
*
* Ensures:
*\li Any events requested via isc_app_onrun() will have been posted (in
* FIFO order) before isc_app_run() blocks.
+ *\li 'ctx' is a valid application context (for app_ctxrun()).
*
* Returns:
*\li ISC_R_SUCCESS Shutdown has been requested.
@@ -132,6 +197,9 @@ isc_app_run(void);
*/
isc_result_t
+isc_app_ctxshutdown(isc_appctx_t *ctx);
+
+isc_result_t
isc_app_shutdown(void);
/*!<
* \brief Request application shutdown.
@@ -141,7 +209,8 @@ isc_app_shutdown(void);
* only be triggered once.
*
* Requires:
- *\li isc_app_run() has been called.
+ *\li isc_app_[ctx]run() has been called.
+ *\li 'ctx' is a valid application context (for app_ctxshutdown()).
*
* Returns:
*\li ISC_R_SUCCESS
@@ -149,6 +218,12 @@ isc_app_shutdown(void);
*/
isc_result_t
+isc_app_ctxsuspend(isc_appctx_t *ctx);
+/*!<
+ * \brief This has the same behavior as isc_app_ctxsuspend().
+ */
+
+isc_result_t
isc_app_reload(void);
/*!<
* \brief Request application reload.
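Review bot: The documentation added for `isc_app_ctxsuspend()` describes the function in terms of itself ("the same behavior as isc_app_ctxsuspend()"), so it tells the reader nothing. It sits directly above `isc_app_reload()`, so the intended reference is presumably that function: `\brief Context version of isc_app_reload(); 'ctx' must be a valid application context.` Unlike the other ctx variants added by this commit, the new comment also states no Requires or Returns.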
@@ -162,6 +237,9 @@ isc_app_reload(void);
*/
void
+isc_app_ctxfinish(isc_appctx_t *ctx);
+
+void
isc_app_finish(void);
/*!<
* \brief Finish an ISC library application.
@@ -171,6 +249,7 @@ isc_app_finish(void);
*
* Requires:
*\li isc_app_start() has been called.
+ *\li 'ctx' is a valid application context (for app_ctxfinish()).
*
* Ensures:
*\li Any resources allocated by isc_app_start() have been released.
@@ -206,6 +285,90 @@ isc_app_unblock(void);
* \li isc_app_block() has been called by the same thread.
*/
+isc_result_t
+isc_appctx_create(isc_mem_t *mctx, isc_appctx_t **ctxp);
+/*!<
+ * \brief Create an application context.
+ *
+ * Requires:
+ *\li 'mctx' is a valid memory context.
+ *\li 'ctxp' != NULL && *ctxp == NULL.
+ */
+
+void
+isc_appctx_destroy(isc_appctx_t **ctxp);
+/*!<
+ * \brief Destroy an application context.
+ *
+ * Requires:
+ *\li '*ctxp' is a valid application context.
+ *
+ * Ensures:
+ *\li *ctxp == NULL.
+ */
+
+void
+isc_appctx_settaskmgr(isc_appctx_t *ctx, isc_taskmgr_t *taskmgr);
+/*!<
+ * \brief Associate a task manager with an application context.
+ *
+ * This must be done before running tasks within the application context.
+ *
+ * Requires:
+ *\li 'ctx' is a valid application context.
+ *\li 'taskmgr' is a valid task manager.
+ */
+
+void
+isc_appctx_setsocketmgr(isc_appctx_t *ctx, isc_socketmgr_t *socketmgr);
+/*!<
+ * \brief Associate a socket manager with an application context.
+ *
+ * This must be done before handling socket events within the application
+ * context.
+ *
+ * Requires:
+ *\li 'ctx' is a valid application context.
+ *\li 'socketmgr' is a valid socket manager.
+ */
+
+void
+isc_appctx_settimermgr(isc_appctx_t *ctx, isc_timermgr_t *timermgr);
+/*!<
+ * \brief Associate a socket timer with an application context.
+ *
+ * This must be done before handling timer events within the application
+ * context.
+ *
+ * Requires:
+ *\li 'ctx' is a valid application context.
+ *\li 'timermgr' is a valid timer manager.
+ */
+
+#ifdef USE_APPIMPREGISTER
+/*%<
+ * See isc_appctx_create() above.
+ */
+typedef isc_result_t
+(*isc_appctxcreatefunc_t)(isc_mem_t *mctx, isc_appctx_t **ctxp);
+
+isc_result_t
+isc_app_register(isc_appctxcreatefunc_t createfunc);
+/*%<
+ * Register a new application implementation and add it to the list of
+ * supported implementations. This function must be called when a different
+ * event library is used than the one contained in the ISC library.
+ */
+
+isc_result_t
+isc__app_register(void);
+/*%<
+ * A short cut function that specifies the application module in the ISC
+ * library for isc_app_register(). An application that uses the ISC library
+ * usually do not have to care about this function: it would call
+ * isc_lib_register(), which internally calls this function.
+ */
+#endif /* USE_APPIMPREGISTER */
ISC_LANG_ENDDECLS
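Review bot: The brief for `isc_appctx_settimermgr()` reads "Associate a socket timer with an application context", which contradicts its own Requires line; it should be `\brief Associate a timer manager with an application context.` `isc_appctx_create()` lists no Returns and does not say which call releases the context, so I would add `Returns: ISC_R_SUCCESS or an error code; release with isc_appctx_destroy().` after confirming the values against the implementation. In the `isc__app_register()` comment, "usually do not have to care" should be "usually does not have to care".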
diff --git a/contrib/bind9/lib/isc/include/isc/assertions.h b/contrib/bind9/lib/isc/include/isc/assertions.h
index d62d2d3ed9a5..2c81b1ae9880 100644
--- a/contrib/bind9/lib/isc/include/isc/assertions.h
+++ b/contrib/bind9/lib/isc/include/isc/assertions.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2008, 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1997-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -16,7 +16,7 @@
*/
/*
- * $Id$
+ * $Id: assertions.h,v 1.28 2009/09/29 23:48:04 tbox Exp $
*/
/*! \file isc/assertions.h
*/
diff --git a/contrib/bind9/lib/isc/include/isc/backtrace.h b/contrib/bind9/lib/isc/include/isc/backtrace.h
new file mode 100644
index 000000000000..c0e98c0b7530
--- /dev/null
+++ b/contrib/bind9/lib/isc/include/isc/backtrace.h
@@ -0,0 +1,131 @@
+/*
+ * Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: backtrace.h,v 1.2 2009/09/01 18:40:25 jinmei Exp $ */
+
+/*! \file isc/backtrace.h
+ * \brief provide a back trace of the running process to help debug problems.
+ *
+ * This module tries to get a back trace of the process using some platform
+ * dependent way when available. It also manages an internal symbol table
+ * that maps function addresses used in the process to their textual symbols.
+ * This module is expected to be used to help debug when some fatal error
+ * happens.
+ *
+ * IMPORTANT NOTE: since the (major) intended use case of this module is
+ * dumping a back trace on a fatal error, normally followed by self termination,
+ * functions defined in this module generally doesn't employ assertion checks
+ * (if it did, a program bug could cause infinite recursive calls to a
+ * backtrace function). These functions still perform minimal checks and return
+ * ISC_R_FAILURE if they detect an error, but the caller should therefore be
+ * very careful about the use of these functions, and generally discouraged to
+ * use them except in an exit path. The exception is
+ * isc_backtrace_getsymbolfromindex(), which is expected to be used in a
+ * non-error-handling context and validates arguments with assertion checks.
+ */
+
+#ifndef ISC_BACKTRACE_H
+#define ISC_BACKTRACE_H 1
+
+/***
+ *** Imports
+ ***/
+
+#include <isc/types.h>
+
+/***
+ *** Types
+ ***/
+struct isc_backtrace_symmap {
+ void *addr;
+ const char *symbol;
+};
+
+extern const int isc__backtrace_nsymbols;
+extern const isc_backtrace_symmap_t isc__backtrace_symtable[];
+
+/***
+ *** Functions
+ ***/
+
+ISC_LANG_BEGINDECLS
+isc_result_t
+isc_backtrace_gettrace(void **addrs, int maxaddrs, int *nframes);
+/*%<
+ * Get a back trace of the running process above this function itself. On
+ * success, addrs[i] will store the address of the call point of the i-th
+ * stack frame (addrs[0] is the caller of this function). *nframes will store
+ * the total number of frames.
+ *
+ * Requires (note that these are not ensured by assertion checks, see above):
+ *
+ *\li 'addrs' is a valid array containing at least 'maxaddrs' void * entries.
+ *
+ *\li 'nframes' must be non NULL.
+ *
+ * Returns:
+ *
+ *\li #ISC_R_SUCCESS
+ *\li #ISC_R_FAILURE
+ *\li #ISC_R_NOTFOUND
+ *\li #ISC_R_NOTIMPLEMENTED
+ */
+
+isc_result_t
+isc_backtrace_getsymbolfromindex(int index, const void **addrp,
+ const char **symbolp);
+/*%<
+ * Returns the content of the internal symbol table of the given index.
+ * On success, *addrsp and *symbolp point to the address and the symbol of
+ * the 'index'th entry of the table, respectively. If 'index' is not in the
+ * range of the symbol table, ISC_R_RANGE will be returned.
+ *
+ * Requires
+ *
+ *\li 'addrp' must be non NULL && '*addrp' == NULL.
+ *
+ *\li 'symbolp' must be non NULL && '*symbolp' == NULL.
+ *
+ * Returns:
+ *
+ *\li #ISC_R_SUCCESS
+ *\li #ISC_R_RANGE
+ */
+
+isc_result_t
+isc_backtrace_getsymbol(const void *addr, const char **symbolp,
+ unsigned long *offsetp);
+/*%<
+ * Searches the internal symbol table for the symbol that most matches the
+ * given 'addr'. On success, '*symbolp' will point to the name of function
+ * to which the address 'addr' belong, and '*offsetp' will store the offset
+ * from the function's entry address to 'addr'.
+ *
+ * Requires (note that these are not ensured by assertion checks, see above):
+ *
+ *\li 'symbolp' must be non NULL && '*symbolp' == NULL.
+ *
+ *\li 'offsetp' must be non NULL.
+ *
+ * Returns:
+ *
+ *\li #ISC_R_SUCCESS
+ *\li #ISC_R_FAILURE
+ *\li #ISC_R_NOTFOUND
+ */
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_BACKTRACE_H */
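Review bot: The contract for `isc_backtrace_gettrace()` says `*nframes` stores "the total number of frames" without saying whether that value can exceed `maxaddrs`. Since the header states that these functions skip assertion checks, a caller that walks `addrs[0..*nframes-1]` needs that bound in writing. I would add `*nframes is never greater than 'maxaddrs'` once it is confirmed against the implementation, and otherwise document that callers must clamp. In the `isc_backtrace_getsymbolfromindex()` comment `*addrsp` should be `*addrp`. The types section uses `isc_backtrace_symmap_t` while only the struct tag is declared here, so a note that the typedef comes from `<isc/types.h>` would help.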
diff --git a/contrib/bind9/lib/isc/include/isc/bind9.h b/contrib/bind9/lib/isc/include/isc/bind9.h
new file mode 100644
index 000000000000..00bcb24c4a9b
--- /dev/null
+++ b/contrib/bind9/lib/isc/include/isc/bind9.h
@@ -0,0 +1,30 @@
+/*
+ * Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: bind9.h,v 1.2 2009/12/05 23:31:41 each Exp $ */
+
+#ifndef ISC_BIND9_H
+#define ISC_BIND9_H 1
+
+/*
+ * This determines whether we are building BIND9 or using the exported
+ * libisc/libdns libraries. The version of this file included in the
+ * standard BIND9 build defines BIND9; the version included with the
+ * exportable libraries does not.
+ */
+#define BIND9 1
+
+#endif /* ISC_BIND9_H */
diff --git a/contrib/bind9/lib/isc/include/isc/buffer.h b/contrib/bind9/lib/isc/include/isc/buffer.h
index a8a96695ef31..ae7e4c3dfc34 100644
--- a/contrib/bind9/lib/isc/include/isc/buffer.h
+++ b/contrib/bind9/lib/isc/include/isc/buffer.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2008, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2008, 2010 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1998-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: buffer.h,v 1.55 2010/12/20 23:47:21 tbox Exp $ */
#ifndef ISC_BUFFER_H
#define ISC_BUFFER_H 1
diff --git a/contrib/bind9/lib/isc/include/isc/entropy.h b/contrib/bind9/lib/isc/include/isc/entropy.h
index 78a271b10157..d28f29a56ecf 100644
--- a/contrib/bind9/lib/isc/include/isc/entropy.h
+++ b/contrib/bind9/lib/isc/include/isc/entropy.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2007, 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: entropy.h,v 1.35 2009/10/19 02:37:08 marka Exp $ */
#ifndef ISC_ENTROPY_H
#define ISC_ENTROPY_H 1
diff --git a/contrib/bind9/lib/isc/include/isc/error.h b/contrib/bind9/lib/isc/include/isc/error.h
index 871d23e83c8e..e0cdfa83e7cb 100644
--- a/contrib/bind9/lib/isc/include/isc/error.h
+++ b/contrib/bind9/lib/isc/include/isc/error.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2007, 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1998-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: error.h,v 1.22 2009/09/29 23:48:04 tbox Exp $ */
#ifndef ISC_ERROR_H
#define ISC_ERROR_H 1
diff --git a/contrib/bind9/lib/isc/include/isc/file.h b/contrib/bind9/lib/isc/include/isc/file.h
index a7e65e4b0378..38f78b7403e8 100644
--- a/contrib/bind9/lib/isc/include/isc/file.h
+++ b/contrib/bind9/lib/isc/include/isc/file.h
@@ -25,6 +25,7 @@
#include <stdio.h>
#include <isc/lang.h>
+#include <isc/stat.h>
#include <isc/types.h>
ISC_LANG_BEGINDECLS
@@ -33,6 +34,9 @@ isc_result_t
isc_file_settime(const char *file, isc_time_t *time);
isc_result_t
+isc_file_mode(const char *file, mode_t *modep);
+
+isc_result_t
isc_file_getmodtime(const char *file, isc_time_t *time);
/*!<
* \brief Get the time of last modification of a file.
@@ -100,7 +104,15 @@ isc_file_mktemplate(const char *path, char *buf, size_t buflen);
isc_result_t
isc_file_openunique(char *templet, FILE **fp);
isc_result_t
+isc_file_openuniqueprivate(char *templet, FILE **fp);
+isc_result_t
+isc_file_openuniquemode(char *templet, int mode, FILE **fp);
+isc_result_t
isc_file_bopenunique(char *templet, FILE **fp);
+isc_result_t
+isc_file_bopenuniqueprivate(char *templet, FILE **fp);
+isc_result_t
+isc_file_bopenuniquemode(char *templet, int mode, FILE **fp);
/*!<
* \brief Create and open a file with a unique name based on 'templet'.
* isc_file_bopen*() open the file in binary mode in Windows.
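Review bot: The four new `*uniqueprivate` and `*uniquemode` prototypes share the existing doc block, which does not say what permissions the "private" variants apply or how `mode` is interpreted. It also leaves open what permissions plain `isc_file_openunique()` uses and whether the process umask is applied. These functions exist to control who can read a freshly created file, so the permission contract belongs in the header. A sentence for each variant should state the resulting mode and whether an existing file of that name is rejected. `isc_file_mode()`, added in the earlier hunk of this file, has no documentation either.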
@@ -275,6 +287,29 @@ isc_file_truncate(const char *filename, isc_offset_t size);
* Truncate/extend the file specified to 'size' bytes.
*/
+isc_result_t
+isc_file_safecreate(const char *filename, FILE **fp);
+/*%<
+ * Open 'filename' for writing, truncating if necessary. Ensure that
+ * if it existed it was a normal file. If creating the file, ensure
+ * that only the owner can read/write it.
+ */
+
+isc_result_t
+isc_file_splitpath(isc_mem_t *mctx, char *path,
+ char **dirname, char **basename);
+/*%<
+ * Split a path into dirname and basename. If 'path' contains no slash
+ * (or, on windows, backslash), then '*dirname' is set to ".".
+ *
+ * Allocates memory for '*dirname', which can be freed with isc_mem_free().
+ *
+ * Returns:
+ * - ISC_R_SUCCESS on success
+ * - ISC_R_INVALIDFILE if 'path' is empty or ends with '/'
+ * - ISC_R_NOMEMORY if unable to allocate memory
+ */
+
ISC_LANG_ENDDECLS
#endif /* ISC_FILE_H */
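Review bot: The contract for `isc_file_safecreate()` leaves open two cases that matter for a file meant to be private: an existing regular file whose mode already allows group or world access, and a path whose last component is a symbolic link. The comment promises owner-only permissions only "if creating the file", so a caller cannot tell from the header whether an existing file's mode is tightened or kept. Add a sentence for each case and a `Returns:` list like the one `isc_file_splitpath()` has. For `isc_file_splitpath()`, the comment says `*dirname` is allocated but not whether `*basename` points into `path` or into that allocation, which decides what the caller may free.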
diff --git a/contrib/bind9/lib/isc/include/isc/fsaccess.h b/contrib/bind9/lib/isc/include/isc/fsaccess.h
index 37c0ef54ae24..7962bbe21ab1 100644
--- a/contrib/bind9/lib/isc/include/isc/fsaccess.h
+++ b/contrib/bind9/lib/isc/include/isc/fsaccess.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2007, 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: fsaccess.h,v 1.16 2009/01/17 23:47:43 tbox Exp $ */
#ifndef ISC_FSACCESS_H
#define ISC_FSACCESS_H 1
diff --git a/contrib/bind9/lib/isc/include/isc/hash.h b/contrib/bind9/lib/isc/include/isc/hash.h
index 87719bc64d06..ca04b4e43c75 100644
--- a/contrib/bind9/lib/isc/include/isc/hash.h
+++ b/contrib/bind9/lib/isc/include/isc/hash.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2007, 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: hash.h,v 1.12 2009/01/17 23:47:43 tbox Exp $ */
#ifndef ISC_HASH_H
#define ISC_HASH_H 1
diff --git a/contrib/bind9/lib/isc/include/isc/heap.h b/contrib/bind9/lib/isc/include/isc/heap.h
index 88ec44d1a15e..77bf07c34498 100644
--- a/contrib/bind9/lib/isc/include/isc/heap.h
+++ b/contrib/bind9/lib/isc/include/isc/heap.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2007, 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1997-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: heap.h,v 1.26 2009/01/17 23:47:43 tbox Exp $ */
#ifndef ISC_HEAP_H
#define ISC_HEAP_H 1
diff --git a/contrib/bind9/lib/isc/include/isc/hmacmd5.h b/contrib/bind9/lib/isc/include/isc/hmacmd5.h
index a999ec389842..9ecad453dfa5 100644
--- a/contrib/bind9/lib/isc/include/isc/hmacmd5.h
+++ b/contrib/bind9/lib/isc/include/isc/hmacmd5.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2007, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: hmacmd5.h,v 1.14 2009/02/06 23:47:42 tbox Exp $ */
/*! \file isc/hmacmd5.h
* \brief This is the header file for the HMAC-MD5 keyed hash algorithm
@@ -27,14 +27,23 @@
#include <isc/lang.h>
#include <isc/md5.h>
+#include <isc/platform.h>
#include <isc/types.h>
#define ISC_HMACMD5_KEYLENGTH 64
+#ifdef ISC_PLATFORM_OPENSSLHASH
+#include <openssl/hmac.h>
+
+typedef HMAC_CTX isc_hmacmd5_t;
+
+#else
+
typedef struct {
isc_md5_t md5ctx;
unsigned char key[ISC_HMACMD5_KEYLENGTH];
} isc_hmacmd5_t;
+#endif
ISC_LANG_BEGINDECLS
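Review bot: With `ISC_PLATFORM_OPENSSLHASH` defined, `isc_hmacmd5_t` becomes `HMAC_CTX` by value, so this public header pulls in `<openssl/hmac.h>` and the context's size and layout follow whatever OpenSSL headers the includer is compiled against. The same holds for the `isc_hmacsha*_t` typedefs in hmacsha.h and for `isc_md5_t` (`EVP_MD_CTX`) in md5.h. A comment above the `#ifdef` should make that coupling explicit, for example `/* Layout is OpenSSL's when ISC_PLATFORM_OPENSSLHASH is set; build callers against the same OpenSSL headers as libisc. */`.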
diff --git a/contrib/bind9/lib/isc/include/isc/hmacsha.h b/contrib/bind9/lib/isc/include/isc/hmacsha.h
index 6ca053ba4b52..1d0e18409536 100644
--- a/contrib/bind9/lib/isc/include/isc/hmacsha.h
+++ b/contrib/bind9/lib/isc/include/isc/hmacsha.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2005-2007, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2005-2007, 2009 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: hmacsha.h,v 1.9 2009/02/06 23:47:42 tbox Exp $ */
/*! \file isc/hmacsha.h
* This is the header file for the HMAC-SHA1, HMAC-SHA224, HMAC-SHA256,
@@ -25,6 +25,7 @@
#define ISC_HMACSHA_H 1
#include <isc/lang.h>
+#include <isc/platform.h>
#include <isc/sha1.h>
#include <isc/sha2.h>
#include <isc/types.h>
@@ -35,6 +36,17 @@
#define ISC_HMACSHA384_KEYLENGTH ISC_SHA384_BLOCK_LENGTH
#define ISC_HMACSHA512_KEYLENGTH ISC_SHA512_BLOCK_LENGTH
+#ifdef ISC_PLATFORM_OPENSSLHASH
+#include <openssl/hmac.h>
+
+typedef HMAC_CTX isc_hmacsha1_t;
+typedef HMAC_CTX isc_hmacsha224_t;
+typedef HMAC_CTX isc_hmacsha256_t;
+typedef HMAC_CTX isc_hmacsha384_t;
+typedef HMAC_CTX isc_hmacsha512_t;
+
+#else
+
typedef struct {
isc_sha1_t sha1ctx;
unsigned char key[ISC_HMACSHA1_KEYLENGTH];
@@ -59,6 +71,7 @@ typedef struct {
isc_sha512_t sha512ctx;
unsigned char key[ISC_HMACSHA512_KEYLENGTH];
} isc_hmacsha512_t;
+#endif
ISC_LANG_BEGINDECLS
diff --git a/contrib/bind9/lib/isc/include/isc/lib.h b/contrib/bind9/lib/isc/include/isc/lib.h
index c16372da7bde..f24fef850169 100644
--- a/contrib/bind9/lib/isc/include/isc/lib.h
+++ b/contrib/bind9/lib/isc/include/isc/lib.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2007, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: lib.h,v 1.16 2009/09/02 23:48:03 tbox Exp $ */
#ifndef ISC_LIB_H
#define ISC_LIB_H 1
@@ -36,6 +36,15 @@ isc_lib_initmsgcat(void);
* has not already been initialized.
*/
+void
+isc_lib_register(void);
+/*!<
+ * \brief Register the ISC library implementations for some base services
+ * such as memory or event management and handling socket or timer events.
+ * An external application that wants to use the ISC library must call this
+ * function very early in main().
+ */
+
ISC_LANG_ENDDECLS
#endif /* ISC_LIB_H */
diff --git a/contrib/bind9/lib/isc/include/isc/log.h b/contrib/bind9/lib/isc/include/isc/log.h
index aecedc19ed62..741c5324290c 100644
--- a/contrib/bind9/lib/isc/include/isc/log.h
+++ b/contrib/bind9/lib/isc/include/isc/log.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2007, 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: log.h,v 1.59 2009/02/16 02:01:16 marka Exp $ */
#ifndef ISC_LOG_H
#define ISC_LOG_H 1
diff --git a/contrib/bind9/lib/isc/include/isc/md5.h b/contrib/bind9/lib/isc/include/isc/md5.h
index 69617dec0ce2..dfa586d0a3b0 100644
--- a/contrib/bind9/lib/isc/include/isc/md5.h
+++ b/contrib/bind9/lib/isc/include/isc/md5.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2007, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: md5.h,v 1.20 2010/01/07 23:48:54 tbox Exp $ */
/*! \file isc/md5.h
* \brief This is the header file for the MD5 message-digest algorithm.
@@ -44,15 +44,25 @@
#define ISC_MD5_H 1
#include <isc/lang.h>
+#include <isc/platform.h>
#include <isc/types.h>
#define ISC_MD5_DIGESTLENGTH 16U
+#define ISC_MD5_BLOCK_LENGTH 64U
+
+#ifdef ISC_PLATFORM_OPENSSLHASH
+#include <openssl/evp.h>
+
+typedef EVP_MD_CTX isc_md5_t;
+
+#else
typedef struct {
isc_uint32_t buf[4];
isc_uint32_t bytes[2];
isc_uint32_t in[16];
} isc_md5_t;
+#endif
ISC_LANG_BEGINDECLS
diff --git a/contrib/bind9/lib/isc/include/isc/mem.h b/contrib/bind9/lib/isc/include/isc/mem.h
index 43b97fd9880c..c47ae55ad1be 100644
--- a/contrib/bind9/lib/isc/include/isc/mem.h
+++ b/contrib/bind9/lib/isc/include/isc/mem.h
@@ -152,11 +152,29 @@ LIBISC_EXTERNAL_DATA extern unsigned int isc_mem_debugging;
#endif
-#define isc_mem_get(c, s) isc__mem_get((c), (s) _ISC_MEM_FILELINE)
-#define isc_mem_allocate(c, s) isc__mem_allocate((c), (s) _ISC_MEM_FILELINE)
-#define isc_mem_reallocate(c, p, s) isc__mem_reallocate((c), (p), (s) _ISC_MEM_FILELINE)
-#define isc_mem_strdup(c, p) isc__mem_strdup((c), (p) _ISC_MEM_FILELINE)
-#define isc_mempool_get(c) isc__mempool_get((c) _ISC_MEM_FILELINE)
+/*%<
+ * We use either isc___mem (three underscores) or isc__mem (two) depending on
+ * whether it's for BIND9's internal purpose (with -DBIND9) or generic export
+ * library. This condition is generally handled in isc/namespace.h, but for
+ * Windows it doesn't work if it involves multiple times of macro expansion
+ * (such as isc_mem to isc__mem then to isc___mem). The following definitions
+ * are used to work around this portability issue. Right now, we don't support
+ * the export library for Windows, so we always use the three-underscore
+ * version.
+ */
+#ifdef WIN32
+#define ISCMEMFUNC(sfx) isc___mem_ ## sfx
+#define ISCMEMPOOLFUNC(sfx) isc___mempool_ ## sfx
+#else
+#define ISCMEMFUNC(sfx) isc__mem_ ## sfx
+#define ISCMEMPOOLFUNC(sfx) isc__mempool_ ## sfx
+#endif
+
+#define isc_mem_get(c, s) ISCMEMFUNC(get)((c), (s) _ISC_MEM_FILELINE)
+#define isc_mem_allocate(c, s) ISCMEMFUNC(allocate)((c), (s) _ISC_MEM_FILELINE)
+#define isc_mem_reallocate(c, p, s) ISCMEMFUNC(reallocate)((c), (p), (s) _ISC_MEM_FILELINE)
+#define isc_mem_strdup(c, p) ISCMEMFUNC(strdup)((c), (p) _ISC_MEM_FILELINE)
+#define isc_mempool_get(c) ISCMEMPOOLFUNC(get)((c) _ISC_MEM_FILELINE)
/*%
* isc_mem_putanddetach() is a convenience function for use where you
@@ -187,33 +205,102 @@ LIBISC_EXTERNAL_DATA extern unsigned int isc_mem_debugging;
* \endcode
*/
+/*% memory and memory pool methods */
+typedef struct isc_memmethods {
+ void (*attach)(isc_mem_t *source, isc_mem_t **targetp);
+ void (*detach)(isc_mem_t **mctxp);
+ void (*destroy)(isc_mem_t **mctxp);
+ void *(*memget)(isc_mem_t *mctx, size_t size _ISC_MEM_FLARG);
+ void (*memput)(isc_mem_t *mctx, void *ptr, size_t size _ISC_MEM_FLARG);
+ void (*memputanddetach)(isc_mem_t **mctxp, void *ptr,
+ size_t size _ISC_MEM_FLARG);
+ void *(*memallocate)(isc_mem_t *mctx, size_t size _ISC_MEM_FLARG);
+ void *(*memreallocate)(isc_mem_t *mctx, void *ptr,
+ size_t size _ISC_MEM_FLARG);
+ char *(*memstrdup)(isc_mem_t *mctx, const char *s _ISC_MEM_FLARG);
+ void (*memfree)(isc_mem_t *mctx, void *ptr _ISC_MEM_FLARG);
+ void (*setdestroycheck)(isc_mem_t *mctx, isc_boolean_t flag);
+ void (*setwater)(isc_mem_t *ctx, isc_mem_water_t water,
+ void *water_arg, size_t hiwater, size_t lowater);
+ void (*waterack)(isc_mem_t *ctx, int flag);
+ size_t (*inuse)(isc_mem_t *mctx);
+ isc_boolean_t (*isovermem)(isc_mem_t *mctx);
+ isc_result_t (*mpcreate)(isc_mem_t *mctx, size_t size,
+ isc_mempool_t **mpctxp);
+} isc_memmethods_t;
+
+typedef struct isc_mempoolmethods {
+ void (*destroy)(isc_mempool_t **mpctxp);
+ void *(*get)(isc_mempool_t *mpctx _ISC_MEM_FLARG);
+ void (*put)(isc_mempool_t *mpctx, void *mem _ISC_MEM_FLARG);
+ unsigned int (*getallocated)(isc_mempool_t *mpctx);
+ void (*setmaxalloc)(isc_mempool_t *mpctx, unsigned int limit);
+ void (*setfreemax)(isc_mempool_t *mpctx, unsigned int limit);
+ void (*setname)(isc_mempool_t *mpctx, const char *name);
+ void (*associatelock)(isc_mempool_t *mpctx, isc_mutex_t *lock);
+ void (*setfillcount)(isc_mempool_t *mpctx, unsigned int limit);
+} isc_mempoolmethods_t;
+
+/*%
+ * This structure is actually just the common prefix of a memory context
+ * implementation's version of an isc_mem_t.
+ * \brief
+ * Direct use of this structure by clients is forbidden. mctx implementations
+ * may change the structure. 'magic' must be ISCAPI_MCTX_MAGIC for any of the
+ * isc_mem_ routines to work. mctx implementations must maintain all mctx
+ * invariants.
+ */
+struct isc_mem {
+ unsigned int impmagic;
+ unsigned int magic;
+ isc_memmethods_t *methods;
+};
+
+#define ISCAPI_MCTX_MAGIC ISC_MAGIC('A','m','c','x')
+#define ISCAPI_MCTX_VALID(m) ((m) != NULL && \
+ (m)->magic == ISCAPI_MCTX_MAGIC)
+
+/*%
+ * This is the common prefix of a memory pool context. The same note as
+ * that for the mem structure applies.
+ */
+struct isc_mempool {
+ unsigned int impmagic;
+ unsigned int magic;
+ isc_mempoolmethods_t *methods;
+};
+
+#define ISCAPI_MPOOL_MAGIC ISC_MAGIC('A','m','p','l')
+#define ISCAPI_MPOOL_VALID(mp) ((mp) != NULL && \
+ (mp)->magic == ISCAPI_MPOOL_MAGIC)
+
#if ISC_MEM_DEBUG
#define isc_mem_put(c, p, s) \
do { \
- isc__mem_put((c), (p), (s) _ISC_MEM_FILELINE); \
+ ISCMEMFUNC(put)((c), (p), (s) _ISC_MEM_FILELINE); \
(p) = NULL; \
} while (0)
#define isc_mem_putanddetach(c, p, s) \
do { \
- isc__mem_putanddetach((c), (p), (s) _ISC_MEM_FILELINE); \
+ ISCMEMFUNC(putanddetach)((c), (p), (s) _ISC_MEM_FILELINE); \
(p) = NULL; \
} while (0)
#define isc_mem_free(c, p) \
do { \
- isc__mem_free((c), (p) _ISC_MEM_FILELINE); \
+ ISCMEMFUNC(free)((c), (p) _ISC_MEM_FILELINE); \
(p) = NULL; \
} while (0)
#define isc_mempool_put(c, p) \
do { \
- isc__mempool_put((c), (p) _ISC_MEM_FILELINE); \
+ ISCMEMPOOLFUNC(put)((c), (p) _ISC_MEM_FILELINE); \
(p) = NULL; \
} while (0)
#else
-#define isc_mem_put(c, p, s) isc__mem_put((c), (p), (s) _ISC_MEM_FILELINE)
+#define isc_mem_put(c, p, s) ISCMEMFUNC(put)((c), (p), (s) _ISC_MEM_FILELINE)
#define isc_mem_putanddetach(c, p, s) \
- isc__mem_putanddetach((c), (p), (s) _ISC_MEM_FILELINE)
-#define isc_mem_free(c, p) isc__mem_free((c), (p) _ISC_MEM_FILELINE)
-#define isc_mempool_put(c, p) isc__mempool_put((c), (p) _ISC_MEM_FILELINE)
+ ISCMEMFUNC(putanddetach)((c), (p), (s) _ISC_MEM_FILELINE)
+#define isc_mem_free(c, p) ISCMEMFUNC(free)((c), (p) _ISC_MEM_FILELINE)
+#define isc_mempool_put(c, p) ISCMEMPOOLFUNC(put)((c), (p) _ISC_MEM_FILELINE)
#endif
/*@{*/
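Review bot: `struct isc_mem` and `struct isc_mempool` reach their dispatch tables through non-const pointers (`isc_memmethods_t *methods;`, `isc_mempoolmethods_t *methods;`). The `isc_mem_` routines presumably call through these function pointers, so declaring the members `const isc_memmethods_t *methods;` and `const isc_mempoolmethods_t *methods;` would let an implementation keep its table in read-only storage; whether the implementations can take the qualifier is not visible from this hunk. `ISCAPI_MCTX_VALID()` and `ISCAPI_MPOOL_VALID()` check only `magic`, so a context with a NULL `methods` still passes; either test it in the macro or state in the struct comment that a valid magic implies a non-NULL table.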
@@ -613,24 +700,50 @@ isc_mempool_setfillcount(isc_mempool_t *mpctx, unsigned int limit);
* Pseudo-private functions for use via macros. Do not call directly.
*/
void *
-isc__mem_get(isc_mem_t *, size_t _ISC_MEM_FLARG);
+ISCMEMFUNC(get)(isc_mem_t *, size_t _ISC_MEM_FLARG);
void
-isc__mem_putanddetach(isc_mem_t **, void *,
- size_t _ISC_MEM_FLARG);
+ISCMEMFUNC(putanddetach)(isc_mem_t **, void *, size_t _ISC_MEM_FLARG);
void
-isc__mem_put(isc_mem_t *, void *, size_t _ISC_MEM_FLARG);
+ISCMEMFUNC(put)(isc_mem_t *, void *, size_t _ISC_MEM_FLARG);
void *
-isc__mem_allocate(isc_mem_t *, size_t _ISC_MEM_FLARG);
+ISCMEMFUNC(allocate)(isc_mem_t *, size_t _ISC_MEM_FLARG);
void *
-isc__mem_reallocate(isc_mem_t *, void *, size_t _ISC_MEM_FLARG);
+ISCMEMFUNC(reallocate)(isc_mem_t *, void *, size_t _ISC_MEM_FLARG);
void
-isc__mem_free(isc_mem_t *, void * _ISC_MEM_FLARG);
+ISCMEMFUNC(free)(isc_mem_t *, void * _ISC_MEM_FLARG);
char *
-isc__mem_strdup(isc_mem_t *, const char *_ISC_MEM_FLARG);
+ISCMEMFUNC(strdup)(isc_mem_t *, const char *_ISC_MEM_FLARG);
void *
-isc__mempool_get(isc_mempool_t * _ISC_MEM_FLARG);
+ISCMEMPOOLFUNC(get)(isc_mempool_t * _ISC_MEM_FLARG);
void
-isc__mempool_put(isc_mempool_t *, void * _ISC_MEM_FLARG);
+ISCMEMPOOLFUNC(put)(isc_mempool_t *, void * _ISC_MEM_FLARG);
+
+#ifdef USE_MEMIMPREGISTER
+
+/*%<
+ * See isc_mem_create2() above.
+ */
+typedef isc_result_t
+(*isc_memcreatefunc_t)(size_t init_max_size, size_t target_size,
+ isc_mem_t **ctxp, unsigned int flags);
+
+isc_result_t
+isc_mem_register(isc_memcreatefunc_t createfunc);
+/*%<
+ * Register a new memory management implementation and add it to the list of
+ * supported implementations. This function must be called when a different
+ * memory management library is used than the one contained in the ISC library.
+ */
+
+isc_result_t
+isc__mem_register(void);
+/*%<
+ * A short cut function that specifies the memory management module in the ISC
+ * library for isc_mem_register(). An application that uses the ISC library
+ * usually do not have to care about this function: it would call
+ * isc_lib_register(), which internally calls this function.
+ */
+#endif /* USE_MEMIMPREGISTER */
ISC_LANG_ENDDECLS
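Review bot: `isc_mem_register()` is documented without its return values or its ordering requirements. The comment should say what is returned when an implementation has already been registered, and whether the call is permitted once memory contexts exist or from more than one thread, since memory obtained from one implementation and released through another is the failure this interface makes possible. A `Returns:` list in the style used for `isc_file_splitpath()` in isc/file.h would cover the first part.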
diff --git a/contrib/bind9/lib/isc/include/isc/msgs.h b/contrib/bind9/lib/isc/include/isc/msgs.h
index 7e4dac01a06b..f78028469197 100644
--- a/contrib/bind9/lib/isc/include/isc/msgs.h
+++ b/contrib/bind9/lib/isc/include/isc/msgs.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2008, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: msgs.h,v 1.19 2009/10/01 23:48:08 tbox Exp $ */
#ifndef ISC_MSGS_H
#define ISC_MSGS_H 1
@@ -156,7 +156,7 @@
#define ISC_MSG_FILTER 1421 /*%< setsockopt(SO_ACCEPTFILTER): %s */
#define ISC_MSG_TOOMANYHANDLES 1422 /*%< %s: too many open WSA event handles: %s */
-
+#define ISC_MSG_POKED 1423 /*%< "poked flags: %d" */
#define ISC_MSG_AWAKE 1502 /*%< "awake" */
#define ISC_MSG_WORKING 1503 /*%< "working" */
diff --git a/contrib/bind9/lib/isc/include/isc/namespace.h b/contrib/bind9/lib/isc/include/isc/namespace.h
new file mode 100644
index 000000000000..ae1801d5f461
--- /dev/null
+++ b/contrib/bind9/lib/isc/include/isc/namespace.h
@@ -0,0 +1,166 @@
+/*
+ * Copyright (C) 2009, 2010, 2012 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id$ */
+
+#ifndef ISCAPI_NAMESPACE_H
+#define ISCAPI_NAMESPACE_H 1
+
+/*%
+ * name space conversions
+ */
+
+#ifdef BIND9
+
+#define isc_app_start isc__app_start
+#define isc_app_ctxstart isc__app_ctxstart
+#define isc_app_onrun isc__app_onrun
+#define isc_app_run isc__app_run
+#define isc_app_ctxrun isc__app_ctxrun
+#define isc_app_shutdown isc__app_shutdown
+#define isc_app_ctxshutdown isc__app_ctxshutdown
+#define isc_app_ctxsuspend isc__app_ctxsuspend
+#define isc_app_reload isc__app_reload
+#define isc_app_finish isc__app_finish
+#define isc_app_block isc__app_block
+#define isc_app_unblock isc__app_unblock
+#define isc_appctx_create isc__appctx_create
+#define isc_appctx_destroy isc__appctx_destroy
+#define isc_appctx_settaskmgr isc__appctx_settaskmgr
+#define isc_appctx_setsocketmgr isc__appctx_setsocketmgr
+#define isc_appctx_settimermgr isc__appctx_settimermgr
+
+#define isc_mem_checkdestroyed isc__mem_checkdestroyed
+#define isc_mem_createx isc__mem_createx
+#define isc_mem_createx2 isc__mem_createx2
+#define isc_mem_create isc__mem_create
+#define isc_mem_create2 isc__mem_create2
+#define isc_mem_attach isc__mem_attach
+#define isc_mem_detach isc__mem_detach
+#define isc__mem_putanddetach isc___mem_putanddetach
+#define isc_mem_destroy isc__mem_destroy
+#define isc_mem_ondestroy isc__mem_ondestroy
+#define isc__mem_get isc___mem_get
+#define isc__mem_put isc___mem_put
+#define isc_mem_stats isc__mem_stats
+#define isc__mem_allocate isc___mem_allocate
+#define isc__mem_free isc___mem_free
+#define isc__mem_strdup isc___mem_strdup
+#define isc__mem_reallocate isc___mem_reallocate
+#define isc_mem_references isc__mem_references
+#define isc_mem_setdestroycheck isc__mem_setdestroycheck
+#define isc_mem_setquota isc__mem_setquota
+#define isc_mem_getname isc__mem_getname
+#define isc_mem_getquota isc__mem_getquota
+#define isc_mem_gettag isc__mem_gettag
+#define isc_mem_inuse isc__mem_inuse
+#define isc_mem_isovermem isc__mem_isovermem
+#define isc_mem_setname isc__mem_setname
+#define isc_mem_setwater isc__mem_setwater
+#define isc_mem_printallactive isc__mem_printallactive
+#define isc_mem_waterack isc__mem_waterack
+#define isc_mempool_create isc__mempool_create
+#define isc_mempool_setname isc__mempool_setname
+#define isc_mempool_destroy isc__mempool_destroy
+#define isc_mempool_associatelock isc__mempool_associatelock
+#define isc__mempool_get isc___mempool_get
+#define isc__mempool_put isc___mempool_put
+#define isc_mempool_setfreemax isc__mempool_setfreemax
+#define isc_mempool_getfreemax isc__mempool_getfreemax
+#define isc_mempool_getfreecount isc__mempool_getfreecount
+#define isc_mempool_setmaxalloc isc__mempool_setmaxalloc
+#define isc_mempool_getmaxalloc isc__mempool_getmaxalloc
+#define isc_mempool_getallocated isc__mempool_getallocated
+#define isc_mempool_setfillcount isc__mempool_setfillcount
+#define isc_mempool_getfillcount isc__mempool_getfillcount
+
+#define isc_socket_create isc__socket_create
+#define isc_socket_attach isc__socket_attach
+#define isc_socket_detach isc__socket_detach
+#define isc_socketmgr_create isc__socketmgr_create
+#define isc_socketmgr_create2 isc__socketmgr_create2
+#define isc_socketmgr_destroy isc__socketmgr_destroy
+#define isc_socket_open isc__socket_open
+#define isc_socket_close isc__socket_close
+#define isc_socket_recvv isc__socket_recvv
+#define isc_socket_recv isc__socket_recv
+#define isc_socket_recv2 isc__socket_recv2
+#define isc_socket_send isc__socket_send
+#define isc_socket_sendto isc__socket_sendto
+#define isc_socket_sendv isc__socket_sendv
+#define isc_socket_sendtov isc__socket_sendtov
+#define isc_socket_sendto2 isc__socket_sendto2
+#define isc_socket_cleanunix isc__socket_cleanunix
+#define isc_socket_permunix isc__socket_permunix
+#define isc_socket_bind isc__socket_bind
+#define isc_socket_filter isc__socket_filter
+#define isc_socket_listen isc__socket_listen
+#define isc_socket_accept isc__socket_accept
+#define isc_socket_connect isc__socket_connect
+#define isc_socket_getname isc__socket_getname
+#define isc_socket_gettag isc__socket_gettag
+#define isc_socket_getpeername isc__socket_getpeername
+#define isc_socket_getsockname isc__socket_getsockname
+#define isc_socket_cancel isc__socket_cancel
+#define isc_socket_gettype isc__socket_gettype
+#define isc_socket_isbound isc__socket_isbound
+#define isc_socket_ipv6only isc__socket_ipv6only
+#define isc_socket_setname isc__socket_setname
+#define isc_socketmgr_getmaxsockets isc__socketmgr_getmaxsockets
+#define isc_socketmgr_setstats isc__socketmgr_setstats
+#define isc_socketmgr_setreserved isc__socketmgr_setreserved
+#define isc__socketmgr_maxudp isc___socketmgr_maxudp
+#define isc_socket_fdwatchcreate isc__socket_fdwatchcreate
+#define isc_socket_fdwatchpoke isc__socket_fdwatchpoke
+
+#define isc_task_create isc__task_create
+#define isc_task_attach isc__task_attach
+#define isc_task_detach isc__task_detach
+/* #define isc_task_exiting isc__task_exiting XXXMPA */
+#define isc_task_send isc__task_send
+#define isc_task_sendanddetach isc__task_sendanddetach
+#define isc_task_purgerange isc__task_purgerange
+#define isc_task_purge isc__task_purge
+#define isc_task_purgeevent isc__task_purgeevent
+#define isc_task_unsendrange isc__task_unsendrange
+#define isc_task_unsend isc__task_unsend
+#define isc_task_onshutdown isc__task_onshutdown
+#define isc_task_shutdown isc__task_shutdown
+#define isc_task_destroy isc__task_destroy
+#define isc_task_setname isc__task_setname
+#define isc_task_getname isc__task_getname
+#define isc_task_gettag isc__task_gettag
+#define isc_task_getcurrenttime isc__task_getcurrenttime
+#define isc_taskmgr_create isc__taskmgr_create
+#define isc_taskmgr_destroy isc__taskmgr_destroy
+#define isc_taskmgr_setexcltask isc__taskmgr_setexcltask
+#define isc_taskmgr_excltask isc__taskmgr_excltask
+#define isc_task_beginexclusive isc__task_beginexclusive
+#define isc_task_endexclusive isc__task_endexclusive
+
+#define isc_timer_create isc__timer_create
+#define isc_timer_reset isc__timer_reset
+#define isc_timer_gettype isc__timer_gettype
+#define isc_timer_touch isc__timer_touch
+#define isc_timer_attach isc__timer_attach
+#define isc_timer_detach isc__timer_detach
+#define isc_timermgr_create isc__timermgr_create
+#define isc_timermgr_poke isc__timermgr_poke
+#define isc_timermgr_destroy isc__timermgr_destroy
+
+#endif /* BIND9 */
+
+#endif /* ISCAPI_NAMESPACE_H */
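Review bot: The `isc_task_exiting` mapping is left commented out with only an `XXXMPA` marker, so that name keeps its public spelling while the task entries around it are remapped, and the file does not say why. Replace the dead line with an explanatory comment such as `/* isc_task_exiting is intentionally not remapped: <reason>. */` (reason to be supplied by the author). The list also mixes two levels of renaming (`isc_mem_*` to `isc__mem_*`, but `isc__mem_get` to `isc___mem_get`); a one-line comment ahead of the three-underscore entries would tell a reader that these are the macro-wrapped pseudo-private functions described in isc/mem.h.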
diff --git a/contrib/bind9/lib/isc/include/isc/netaddr.h b/contrib/bind9/lib/isc/include/isc/netaddr.h
index 2df529024c3f..954d77019b69 100644
--- a/contrib/bind9/lib/isc/include/isc/netaddr.h
+++ b/contrib/bind9/lib/isc/include/isc/netaddr.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2007, 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1998-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: netaddr.h,v 1.37 2009/01/17 23:47:43 tbox Exp $ */
#ifndef ISC_NETADDR_H
#define ISC_NETADDR_H 1
diff --git a/contrib/bind9/lib/isc/include/isc/netscope.h b/contrib/bind9/lib/isc/include/isc/netscope.h
index 1a2ca099801a..163a08ca2ea7 100644
--- a/contrib/bind9/lib/isc/include/isc/netscope.h
+++ b/contrib/bind9/lib/isc/include/isc/netscope.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2007, 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: netscope.h,v 1.13 2009/06/25 23:48:02 tbox Exp $ */
#ifndef ISC_NETSCOPE_H
#define ISC_NETSCOPE_H 1
diff --git a/contrib/bind9/lib/isc/include/isc/platform.h.in b/contrib/bind9/lib/isc/include/isc/platform.h.in
index a1e0d65c2256..03c2710bac35 100644
--- a/contrib/bind9/lib/isc/include/isc/platform.h.in
+++ b/contrib/bind9/lib/isc/include/isc/platform.h.in
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: platform.h.in,v 1.56 2010/12/18 01:56:23 each Exp $ */
#ifndef ISC_PLATFORM_H
#define ISC_PLATFORM_H 1
@@ -146,6 +146,11 @@
*/
@ISC_PLATFORM_HAVEDEVPOLL@
+/*! \brief
+ * Define if we want to log backtrace
+ */
+@ISC_PLATFORM_USEBACKTRACE@
+
/*
*** Printing.
***/
@@ -215,6 +220,12 @@
@ISC_PLATFORM_GSSAPIHEADER@
/*
+ * Defined to <gssapi_krb5.h> or <gssapi/gssapi_krb5.h> for how to
+ * include the GSSAPI KRB5 header.
+ */
+@ISC_PLATFORM_GSSAPI_KRB5_HEADER@
+
+/*
* Defined to <krb5.h> or <krb5/krb5.h> for how to include
* the KRB5 header.
*/
@@ -291,6 +302,11 @@
@ISC_PLATFORM_HAVESTRINGSH@
/*
+ * Define if the hash functions must be provided by OpenSSL.
+ */
+@ISC_PLATFORM_OPENSSLHASH@
+
+/*
* Defines for the noreturn attribute.
*/
@ISC_PLATFORM_NORETURN_PRE@
diff --git a/contrib/bind9/lib/isc/include/isc/portset.h b/contrib/bind9/lib/isc/include/isc/portset.h
index 69e4ca7cbd63..774d6bb18cbd 100644
--- a/contrib/bind9/lib/isc/include/isc/portset.h
+++ b/contrib/bind9/lib/isc/include/isc/portset.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2008, 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2008, 2009 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: portset.h,v 1.6 2009/06/25 05:28:34 marka Exp $ */
/*! \file isc/portset.h
* \brief Transport Protocol Port Manipulation Module
diff --git a/contrib/bind9/lib/isc/include/isc/radix.h b/contrib/bind9/lib/isc/include/isc/radix.h
index 63431e5e7920..6b413a23b909 100644
--- a/contrib/bind9/lib/isc/include/isc/radix.h
+++ b/contrib/bind9/lib/isc/include/isc/radix.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2007, 2008, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2007, 2008 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: radix.h,v 1.13 2008/12/01 23:47:45 tbox Exp $ */
/*
* This source was adapted from MRT's RCS Ids:
diff --git a/contrib/bind9/lib/isc/include/isc/random.h b/contrib/bind9/lib/isc/include/isc/random.h
index 4ed4f72e4f07..1f9572d30ebf 100644
--- a/contrib/bind9/lib/isc/include/isc/random.h
+++ b/contrib/bind9/lib/isc/include/isc/random.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2007, 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: random.h,v 1.20 2009/01/17 23:47:43 tbox Exp $ */
#ifndef ISC_RANDOM_H
#define ISC_RANDOM_H 1
diff --git a/contrib/bind9/lib/isc/include/isc/ratelimiter.h b/contrib/bind9/lib/isc/include/isc/ratelimiter.h
index dcb316b14a62..00a7209758bb 100644
--- a/contrib/bind9/lib/isc/include/isc/ratelimiter.h
+++ b/contrib/bind9/lib/isc/include/isc/ratelimiter.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2007, 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: ratelimiter.h,v 1.23 2009/01/18 23:48:14 tbox Exp $ */
#ifndef ISC_RATELIMITER_H
#define ISC_RATELIMITER_H 1
diff --git a/contrib/bind9/lib/isc/include/isc/refcount.h b/contrib/bind9/lib/isc/include/isc/refcount.h
index 74eec722fc9b..b72b1585be39 100644
--- a/contrib/bind9/lib/isc/include/isc/refcount.h
+++ b/contrib/bind9/lib/isc/include/isc/refcount.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2007, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2001, 2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: refcount.h,v 1.17 2009/09/29 23:48:04 tbox Exp $ */
#ifndef ISC_REFCOUNT_H
#define ISC_REFCOUNT_H 1
@@ -103,7 +103,7 @@ typedef struct isc_refcount {
isc_int32_t refs;
} isc_refcount_t;
-#define isc_refcount_destroy(rp) (REQUIRE((rp)->refs == 0))
+#define isc_refcount_destroy(rp) REQUIRE((rp)->refs == 0)
#define isc_refcount_current(rp) ((unsigned int)((rp)->refs))
#define isc_refcount_increment0(rp, tp) \
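Review bot: After this change `isc_refcount_destroy(rp)` expands to a bare `REQUIRE(...)`, so it can be used only where `REQUIRE` itself can, and nothing at the definition says so. Add `/* Statement context only: expands to REQUIRE(). */` above the define, here and at the second definition in the `-192,7` hunk. If `REQUIRE` can be compiled out (not visible from this hunk), the zero-reference check disappears with it, which is worth stating in the same comment. The `isc_refcount_increment0` macro that follows continues outside the hunk.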
@@ -192,7 +192,7 @@ typedef struct isc_refcount {
int refs;
} isc_refcount_t;
-#define isc_refcount_destroy(rp) (REQUIRE((rp)->refs == 0))
+#define isc_refcount_destroy(rp) REQUIRE((rp)->refs == 0)
#define isc_refcount_current(rp) ((unsigned int)((rp)->refs))
#define isc_refcount_increment0(rp, tp) \
diff --git a/contrib/bind9/lib/isc/include/isc/result.h b/contrib/bind9/lib/isc/include/isc/result.h
index befa172e75a7..dcd457b3d1b0 100644
--- a/contrib/bind9/lib/isc/include/isc/result.h
+++ b/contrib/bind9/lib/isc/include/isc/result.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2008, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009, 2012 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1998-2001, 2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -42,6 +42,7 @@
#define ISC_R_EOF 14 /*%< end of file */
#define ISC_R_BOUND 15 /*%< socket already bound */
#define ISC_R_RELOAD 16 /*%< reload */
+#define ISC_R_SUSPEND ISC_R_RELOAD /*%< alias of 'reload' */
#define ISC_R_LOCKBUSY 17 /*%< lock busy */
#define ISC_R_EXISTS 18 /*%< already exists */
#define ISC_R_NOSPACE 19 /*%< ran out of space */
diff --git a/contrib/bind9/lib/isc/include/isc/resultclass.h b/contrib/bind9/lib/isc/include/isc/resultclass.h
index 2acf820c369a..d91e800e063c 100644
--- a/contrib/bind9/lib/isc/include/isc/resultclass.h
+++ b/contrib/bind9/lib/isc/include/isc/resultclass.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2007, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: resultclass.h,v 1.20 2009/09/02 23:48:03 tbox Exp $ */
#ifndef ISC_RESULTCLASS_H
#define ISC_RESULTCLASS_H 1
@@ -45,6 +45,7 @@
#define ISC_RESULTCLASS_DNSRCODE ISC_RESULTCLASS_FROMNUM(3)
#define ISC_RESULTCLASS_OMAPI ISC_RESULTCLASS_FROMNUM(4)
#define ISC_RESULTCLASS_ISCCC ISC_RESULTCLASS_FROMNUM(5)
+#define ISC_RESULTCLASS_DHCP ISC_RESULTCLASS_FROMNUM(6)
#endif /* ISC_RESULTCLASS_H */
diff --git a/contrib/bind9/lib/isc/include/isc/serial.h b/contrib/bind9/lib/isc/include/isc/serial.h
index e5567b402b06..a5e03970c3e6 100644
--- a/contrib/bind9/lib/isc/include/isc/serial.h
+++ b/contrib/bind9/lib/isc/include/isc/serial.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2007, 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: serial.h,v 1.18 2009/01/18 23:48:14 tbox Exp $ */
#ifndef ISC_SERIAL_H
#define ISC_SERIAL_H 1
diff --git a/contrib/bind9/lib/isc/include/isc/sha1.h b/contrib/bind9/lib/isc/include/isc/sha1.h
index 984691000b07..313ff96391b2 100644
--- a/contrib/bind9/lib/isc/include/isc/sha1.h
+++ b/contrib/bind9/lib/isc/include/isc/sha1.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2007, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -18,7 +18,7 @@
#ifndef ISC_SHA1_H
#define ISC_SHA1_H 1
-/* $Id$ */
+/* $Id: sha1.h,v 1.19 2009/02/06 23:47:42 tbox Exp $ */
/* $NetBSD: sha1.h,v 1.2 1998/05/29 22:55:44 thorpej Exp $ */
@@ -29,16 +29,25 @@
*/
#include <isc/lang.h>
+#include <isc/platform.h>
#include <isc/types.h>
#define ISC_SHA1_DIGESTLENGTH 20U
#define ISC_SHA1_BLOCK_LENGTH 64U
+#ifdef ISC_PLATFORM_OPENSSLHASH
+#include <openssl/evp.h>
+
+typedef EVP_MD_CTX isc_sha1_t;
+
+#else
+
typedef struct {
isc_uint32_t state[5];
isc_uint32_t count[2];
unsigned char buffer[ISC_SHA1_BLOCK_LENGTH];
} isc_sha1_t;
+#endif
ISC_LANG_BEGINDECLS
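Review bot: The `typedef EVP_MD_CTX isc_sha1_t;` added under `ISC_PLATFORM_OPENSSLHASH` makes the size and layout of `isc_sha1_t` depend on the OpenSSL headers the consumer is built against, and it needs `EVP_MD_CTX` to be a complete type. OpenSSL 1.1.0 and later make that type opaque, so this branch cannot compile there. Any caller that embeds, copies or zeroes an `isc_sha1_t` by value is now handling OpenSSL internal state. The same applies to the `isc_sha256_t` and `isc_sha512_t` typedefs added in sha2.h. I would add a comment above the typedef such as `/* by-value OpenSSL context: initialise and release only through isc_sha1_init()/isc_sha1_invalidate(); never memcpy or memset */`.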
diff --git a/contrib/bind9/lib/isc/include/isc/sha2.h b/contrib/bind9/lib/isc/include/isc/sha2.h
index b29bb362361d..9788a64fc1b1 100644
--- a/contrib/bind9/lib/isc/include/isc/sha2.h
+++ b/contrib/bind9/lib/isc/include/isc/sha2.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2005-2007, 2010, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2005-2007, 2009 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: sha2.h,v 1.12 2009/10/22 02:21:31 each Exp $ */
/* $FreeBSD$ */
/* $KAME: sha2.h,v 1.3 2001/03/12 08:27:48 itojun Exp $ */
@@ -58,6 +58,7 @@
#define ISC_SHA2_H
#include <isc/lang.h>
+#include <isc/platform.h>
#include <isc/types.h>
/*** SHA-224/256/384/512 Various Length Definitions ***********************/
@@ -75,10 +76,15 @@
#define ISC_SHA512_DIGESTLENGTH 64U
#define ISC_SHA512_DIGESTSTRINGLENGTH (ISC_SHA512_DIGESTLENGTH * 2 + 1)
+/*** SHA-256/384/512 Context Structures *******************************/
-ISC_LANG_BEGINDECLS
+#ifdef ISC_PLATFORM_OPENSSLHASH
+#include <openssl/evp.h>
-/*** SHA-256/384/512 Context Structures *******************************/
+typedef EVP_MD_CTX isc_sha256_t;
+typedef EVP_MD_CTX isc_sha512_t;
+
+#else
/*
* Keep buffer immediately after bitcount to preserve alignment.
@@ -97,10 +103,13 @@ typedef struct {
isc_uint64_t bitcount[2];
isc_uint8_t buffer[ISC_SHA512_BLOCK_LENGTH];
} isc_sha512_t;
+#endif
typedef isc_sha256_t isc_sha224_t;
typedef isc_sha512_t isc_sha384_t;
+ISC_LANG_BEGINDECLS
+
/*** SHA-224/256/384/512 Function Prototypes ******************************/
void isc_sha224_init (isc_sha224_t *);
diff --git a/contrib/bind9/lib/isc/include/isc/sockaddr.h b/contrib/bind9/lib/isc/include/isc/sockaddr.h
index 9b65d965a55d..1e6914222c1b 100644
--- a/contrib/bind9/lib/isc/include/isc/sockaddr.h
+++ b/contrib/bind9/lib/isc/include/isc/sockaddr.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2007, 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1998-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: sockaddr.h,v 1.57 2009/01/18 23:48:14 tbox Exp $ */
#ifndef ISC_SOCKADDR_H
#define ISC_SOCKADDR_H 1
diff --git a/contrib/bind9/lib/isc/include/isc/socket.h b/contrib/bind9/lib/isc/include/isc/socket.h
index 036e17dd0695..0df7d27f14ad 100644
--- a/contrib/bind9/lib/isc/include/isc/socket.h
+++ b/contrib/bind9/lib/isc/include/isc/socket.h
@@ -260,6 +260,85 @@ typedef enum {
#define ISC_SOCKFDWATCH_WRITE 0x00000002 /*%< watch for writable */
/*@}*/
+/*% Socket and socket manager methods */
+typedef struct isc_socketmgrmethods {
+ void (*destroy)(isc_socketmgr_t **managerp);
+ isc_result_t (*socketcreate)(isc_socketmgr_t *manager, int pf,
+ isc_sockettype_t type,
+ isc_socket_t **socketp);
+ isc_result_t (*fdwatchcreate)(isc_socketmgr_t *manager, int fd,
+ int flags,
+ isc_sockfdwatch_t callback,
+ void *cbarg, isc_task_t *task,
+ isc_socket_t **socketp);
+} isc_socketmgrmethods_t;
+
+typedef struct isc_socketmethods {
+ void (*attach)(isc_socket_t *socket,
+ isc_socket_t **socketp);
+ void (*detach)(isc_socket_t **socketp);
+ isc_result_t (*bind)(isc_socket_t *sock, isc_sockaddr_t *sockaddr,
+ unsigned int options);
+ isc_result_t (*sendto)(isc_socket_t *sock, isc_region_t *region,
+ isc_task_t *task, isc_taskaction_t action,
+ const void *arg, isc_sockaddr_t *address,
+ struct in6_pktinfo *pktinfo);
+ isc_result_t (*connect)(isc_socket_t *sock, isc_sockaddr_t *addr,
+ isc_task_t *task, isc_taskaction_t action,
+ const void *arg);
+ isc_result_t (*recv)(isc_socket_t *sock, isc_region_t *region,
+ unsigned int minimum, isc_task_t *task,
+ isc_taskaction_t action, const void *arg);
+ void (*cancel)(isc_socket_t *sock, isc_task_t *task,
+ unsigned int how);
+ isc_result_t (*getsockname)(isc_socket_t *sock,
+ isc_sockaddr_t *addressp);
+ isc_sockettype_t (*gettype)(isc_socket_t *sock);
+ void (*ipv6only)(isc_socket_t *sock, isc_boolean_t yes);
+ isc_result_t (*fdwatchpoke)(isc_socket_t *sock, int flags);
+} isc_socketmethods_t;
+
+/*%
+ * This structure is actually just the common prefix of a socket manager
+ * object implementation's version of an isc_socketmgr_t.
+ * \brief
+ * Direct use of this structure by clients is forbidden. socket implementations
+ * may change the structure. 'magic' must be ISCAPI_SOCKETMGR_MAGIC for any
+ * of the isc_socket_ routines to work. socket implementations must maintain
+ * all socket invariants.
+ * In effect, this definition is used only for non-BIND9 version ("export")
+ * of the library, and the export version does not work for win32. So, to avoid
+ * the definition conflict with win32/socket.c, we enable this definition only
+ * for non-Win32 (i.e. Unix) platforms.
+ */
+#ifndef WIN32
+struct isc_socketmgr {
+ unsigned int impmagic;
+ unsigned int magic;
+ isc_socketmgrmethods_t *methods;
+};
+#endif
+
+#define ISCAPI_SOCKETMGR_MAGIC ISC_MAGIC('A','s','m','g')
+#define ISCAPI_SOCKETMGR_VALID(m) ((m) != NULL && \
+ (m)->magic == ISCAPI_SOCKETMGR_MAGIC)
+
+/*%
+ * This is the common prefix of a socket object. The same note as
+ * that for the socketmgr structure applies.
+ */
+#ifndef WIN32
+struct isc_socket {
+ unsigned int impmagic;
+ unsigned int magic;
+ isc_socketmethods_t *methods;
+};
+#endif
+
+#define ISCAPI_SOCKET_MAGIC ISC_MAGIC('A','s','c','t')
+#define ISCAPI_SOCKET_VALID(s) ((s) != NULL && \
+ (s)->magic == ISCAPI_SOCKET_MAGIC)
+
/***
*** Socket and Socket Manager Functions
***
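Review bot: The `methods` member of the new `struct isc_socketmgr` and `struct isc_socket` is a writable pointer to a writable table of function pointers. `ISCAPI_SOCKETMGR_VALID` and `ISCAPI_SOCKET_VALID` check only `magic`, so an object with a NULL or overwritten `methods` still passes validation. Declaring the members as `const isc_socketmgrmethods_t *methods;` and `const isc_socketmethods_t *methods;` would let implementations keep their tables in read-only data; whether every implementation can define its table `const` is not visible in this hunk. The same pattern is added for `struct isc_taskmgr` and `struct isc_task` in task.h and for `struct isc_timermgr` and `struct isc_timer` in timer.h.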
@@ -307,6 +386,35 @@ isc_socket_fdwatchcreate(isc_socketmgr_t *manager,
*/
isc_result_t
+isc_socket_fdwatchpoke(isc_socket_t *sock,
+ int flags);
+/*%<
+ * Poke a file descriptor watch socket informing the manager that it
+ * should restart watching the socket
+ *
+ * Note:
+ *
+ *\li 'sock' is the socket returned by isc_socket_fdwatchcreate
+ *
+ *\li 'flags' indicates what the manager should watch for on the socket
+ * in addition to what it may already be watching. It can be one or
+ * both of ISC_SOCKFDWATCH_READ and ISC_SOCKFDWATCH_WRITE. To
+ * temporarily disable watching on a socket the value indicating
+ * no more data should be returned from the call back routine.
+ *
+ *\li This function is not available on Windows.
+ *
+ * Requires:
+ *
+ *\li 'sock' is a valid isc socket
+ *
+ *
+ * Returns:
+ *
+ *\li #ISC_R_SUCCESS
+ */
+
+isc_result_t
isc_socket_create(isc_socketmgr_t *manager,
int pf,
isc_sockettype_t type,
@@ -821,6 +929,10 @@ isc_socket_sendto2(isc_socket_t *sock, isc_region_t *region,
/*@}*/
isc_result_t
+isc_socketmgr_createinctx(isc_mem_t *mctx, isc_appctx_t *actx,
+ isc_socketmgr_t **managerp);
+
+isc_result_t
isc_socketmgr_create(isc_mem_t *mctx, isc_socketmgr_t **managerp);
isc_result_t
@@ -831,6 +943,8 @@ isc_socketmgr_create2(isc_mem_t *mctx, isc_socketmgr_t **managerp,
* maximum number of sockets that the created manager should handle.
* isc_socketmgr_create() is equivalent of isc_socketmgr_create2() with
* "maxsocks" being zero.
+ * isc_socketmgr_createinctx() also associates the new manager with the
+ * specified application context.
*
* Notes:
*
@@ -842,6 +956,8 @@ isc_socketmgr_create2(isc_mem_t *mctx, isc_socketmgr_t **managerp,
*
*\li 'managerp' points to a NULL isc_socketmgr_t.
*
+ *\li 'actx' is a valid application context (for createinctx()).
+ *
* Ensures:
*
*\li '*managerp' is a valid isc_socketmgr_t.
@@ -992,6 +1108,12 @@ isc__socketmgr_setreserved(isc_socketmgr_t *mgr, isc_uint32_t);
* Temporary. For use by named only.
*/
+void
+isc__socketmgr_maxudp(isc_socketmgr_t *mgr, int maxudp);
+/*%<
+ * Test interface. Drop UDP packet > 'maxudp'.
+ */
+
#ifdef HAVE_LIBXML2
void
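Review bot: `isc__socketmgr_maxudp()` is declared in the installed public header, but its only documentation is "Test interface. Drop UDP packet > 'maxudp'." A hook that silently discards datagrams should state its unit, what the default or zero value means, and that production code must not call it. `maxudp` is also a signed `int`, and the behaviour for negative values is not stated. I would extend the comment to something like `Test interface only; not for production use. Drops UDP packets larger than 'maxudp' bytes; 0 disables the limit.`, with the zero semantics confirmed against the implementation, which is not in this hunk.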
@@ -1002,6 +1124,31 @@ isc_socketmgr_renderxml(isc_socketmgr_t *mgr, xmlTextWriterPtr writer);
#endif /* HAVE_LIBXML2 */
+#ifdef USE_SOCKETIMPREGISTER
+/*%<
+ * See isc_socketmgr_create() above.
+ */
+typedef isc_result_t
+(*isc_socketmgrcreatefunc_t)(isc_mem_t *mctx, isc_socketmgr_t **managerp);
+
+isc_result_t
+isc_socket_register(isc_socketmgrcreatefunc_t createfunc);
+/*%<
+ * Register a new socket I/O implementation and add it to the list of
+ * supported implementations. This function must be called when a different
+ * event library is used than the one contained in the ISC library.
+ */
+
+isc_result_t
+isc__socket_register(void);
+/*%<
+ * A short cut function that specifies the socket I/O module in the ISC
+ * library for isc_socket_register(). An application that uses the ISC library
+ * usually do not have to care about this function: it would call
+ * isc_lib_register(), which internally calls this function.
+ */
+#endif /* USE_SOCKETIMPREGISTER */
+
ISC_LANG_ENDDECLS
#endif /* ISC_SOCKET_H */
diff --git a/contrib/bind9/lib/isc/include/isc/task.h b/contrib/bind9/lib/isc/include/isc/task.h
index 2dd3983871be..19d47835786b 100644
--- a/contrib/bind9/lib/isc/include/isc/task.h
+++ b/contrib/bind9/lib/isc/include/isc/task.h
@@ -94,11 +94,76 @@
***** Tasks.
*****/
-#define TASK_MAGIC ISC_MAGIC('T', 'A', 'S', 'K')
-#define VALID_TASK(t) ISC_MAGIC_VALID(t, TASK_MAGIC)
-
ISC_LANG_BEGINDECLS
+/***
+ *** Types
+ ***/
+
+/*% Task and task manager methods */
+typedef struct isc_taskmgrmethods {
+ void (*destroy)(isc_taskmgr_t **managerp);
+ isc_result_t (*taskcreate)(isc_taskmgr_t *manager,
+ unsigned int quantum,
+ isc_task_t **taskp);
+ void (*setexcltask)(isc_taskmgr_t *mgr, isc_task_t *task);
+ isc_result_t (*excltask)(isc_taskmgr_t *mgr, isc_task_t **taskp);
+} isc_taskmgrmethods_t;
+
+typedef struct isc_taskmethods {
+ void (*attach)(isc_task_t *source, isc_task_t **targetp);
+ void (*detach)(isc_task_t **taskp);
+ void (*destroy)(isc_task_t **taskp);
+ void (*send)(isc_task_t *task, isc_event_t **eventp);
+ void (*sendanddetach)(isc_task_t **taskp, isc_event_t **eventp);
+ unsigned int (*unsend)(isc_task_t *task, void *sender, isc_eventtype_t type,
+ void *tag, isc_eventlist_t *events);
+ isc_result_t (*onshutdown)(isc_task_t *task, isc_taskaction_t action,
+ const void *arg);
+ void (*shutdown)(isc_task_t *task);
+ void (*setname)(isc_task_t *task, const char *name, void *tag);
+ unsigned int (*purgeevents)(isc_task_t *task, void *sender,
+ isc_eventtype_t type, void *tag);
+ unsigned int (*purgerange)(isc_task_t *task, void *sender,
+ isc_eventtype_t first, isc_eventtype_t last,
+ void *tag);
+ isc_result_t (*beginexclusive)(isc_task_t *task);
+ void (*endexclusive)(isc_task_t *task);
+} isc_taskmethods_t;
+
+/*%
+ * This structure is actually just the common prefix of a task manager
+ * object implementation's version of an isc_taskmgr_t.
+ * \brief
+ * Direct use of this structure by clients is forbidden. task implementations
+ * may change the structure. 'magic' must be ISCAPI_TASKMGR_MAGIC for any
+ * of the isc_task_ routines to work. task implementations must maintain
+ * all task invariants.
+ */
+struct isc_taskmgr {
+ unsigned int impmagic;
+ unsigned int magic;
+ isc_taskmgrmethods_t *methods;
+};
+
+#define ISCAPI_TASKMGR_MAGIC ISC_MAGIC('A','t','m','g')
+#define ISCAPI_TASKMGR_VALID(m) ((m) != NULL && \
+ (m)->magic == ISCAPI_TASKMGR_MAGIC)
+
+/*%
+ * This is the common prefix of a task object. The same note as
+ * that for the taskmgr structure applies.
+ */
+struct isc_task {
+ unsigned int impmagic;
+ unsigned int magic;
+ isc_taskmethods_t *methods;
+};
+
+#define ISCAPI_TASK_MAGIC ISC_MAGIC('A','t','s','t')
+#define ISCAPI_TASK_VALID(s) ((s) != NULL && \
+ (s)->magic == ISCAPI_TASK_MAGIC)
+
isc_result_t
isc_task_create(isc_taskmgr_t *manager, unsigned int quantum,
isc_task_t **taskp);
@@ -553,10 +618,15 @@ isc_task_exiting(isc_task_t *t);
*****/
isc_result_t
+isc_taskmgr_createinctx(isc_mem_t *mctx, isc_appctx_t *actx,
+ unsigned int workers, unsigned int default_quantum,
+ isc_taskmgr_t **managerp);
+isc_result_t
isc_taskmgr_create(isc_mem_t *mctx, unsigned int workers,
unsigned int default_quantum, isc_taskmgr_t **managerp);
/*%<
- * Create a new task manager.
+ * Create a new task manager. isc_taskmgr_createinctx() also associates
+ * the new manager with the specified application context.
*
* Notes:
*
@@ -578,6 +648,8 @@ isc_taskmgr_create(isc_mem_t *mctx, unsigned int workers,
*
*\li managerp != NULL && *managerp == NULL
*
+ *\li 'actx' is a valid application context (for createinctx()).
+ *
* Ensures:
*
*\li On success, '*managerp' will be attached to the newly created task
@@ -587,8 +659,10 @@ isc_taskmgr_create(isc_mem_t *mctx, unsigned int workers,
*
*\li #ISC_R_SUCCESS
*\li #ISC_R_NOMEMORY
- *\li #ISC_R_NOTHREADS No threads could be created.
+ *\li #ISC_R_NOTHREADS No threads could be created.
*\li #ISC_R_UNEXPECTED An unexpected error occurred.
+ *\li #ISC_R_SHUTTINGDOWN The non-threaded, shared, task
+ * manager shutting down.
*/
void
@@ -625,6 +699,31 @@ isc_taskmgr_destroy(isc_taskmgr_t **managerp);
* have been freed.
*/
+void
+isc_taskmgr_setexcltask(isc_taskmgr_t *mgr, isc_task_t *task);
+/*%<
+ * Set a task which will be used for all task-exclusive operations.
+ *
+ * Requires:
+ *\li 'manager' is a valid task manager.
+ *
+ *\li 'task' is a valid task.
+ */
+
+isc_result_t
+isc_taskmgr_excltask(isc_taskmgr_t *mgr, isc_task_t **taskp);
+/*%<
+ * Attach '*taskp' to the task set by isc_taskmgr_getexcltask().
+ * This task should be used whenever running in task-exclusive mode,
+ * so as to prevent deadlock between two exclusive tasks.
+ *
+ * Requires:
+ *\li 'manager' is a valid task manager.
+
+ *\li taskp != NULL && *taskp == NULL
+ */
+
+
#ifdef HAVE_LIBXML2
void
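Review bot: The comment on `isc_taskmgr_excltask()` refers to `isc_taskmgr_getexcltask()`, which this header does not declare; the setter added just above is `isc_taskmgr_setexcltask()`. Both Requires sections name the parameter 'manager' while the prototypes call it `mgr`. The `isc_result_t` return of `isc_taskmgr_excltask()` has no Returns section, so callers cannot tell what comes back when no exclusive task has been set. I would change the first sentence to `Attach '*taskp' to the task set by isc_taskmgr_setexcltask().`, rename 'manager' to 'mgr', and add a Returns list taken from the implementation.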
@@ -632,6 +731,31 @@ isc_taskmgr_renderxml(isc_taskmgr_t *mgr, xmlTextWriterPtr writer);
#endif
+/*%<
+ * See isc_taskmgr_create() above.
+ */
+typedef isc_result_t
+(*isc_taskmgrcreatefunc_t)(isc_mem_t *mctx, unsigned int workers,
+ unsigned int default_quantum,
+ isc_taskmgr_t **managerp);
+
+isc_result_t
+isc_task_register(isc_taskmgrcreatefunc_t createfunc);
+/*%<
+ * Register a new task management implementation and add it to the list of
+ * supported implementations. This function must be called when a different
+ * event library is used than the one contained in the ISC library.
+ */
+
+isc_result_t
+isc__task_register(void);
+/*%<
+ * A short cut function that specifies the task management module in the ISC
+ * library for isc_task_register(). An application that uses the ISC library
+ * usually do not have to care about this function: it would call
+ * isc_lib_register(), which internally calls this function.
+ */
+
ISC_LANG_ENDDECLS
#endif /* ISC_TASK_H */
diff --git a/contrib/bind9/lib/isc/include/isc/timer.h b/contrib/bind9/lib/isc/include/isc/timer.h
index 49d140812261..fa9abb16aa9d 100644
--- a/contrib/bind9/lib/isc/include/isc/timer.h
+++ b/contrib/bind9/lib/isc/include/isc/timer.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2008, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1998-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: timer.h,v 1.43 2009/09/02 23:48:03 tbox Exp $ */
#ifndef ISC_TIMER_H
#define ISC_TIMER_H 1
@@ -103,6 +103,61 @@ typedef struct isc_timerevent {
#define ISC_TIMEREVENT_LIFE (ISC_EVENTCLASS_TIMER + 3)
#define ISC_TIMEREVENT_LASTEVENT (ISC_EVENTCLASS_TIMER + 65535)
+/*% Timer and timer manager methods */
+typedef struct {
+ void (*destroy)(isc_timermgr_t **managerp);
+ isc_result_t (*timercreate)(isc_timermgr_t *manager,
+ isc_timertype_t type,
+ isc_time_t *expires,
+ isc_interval_t *interval,
+ isc_task_t *task,
+ isc_taskaction_t action,
+ const void *arg,
+ isc_timer_t **timerp);
+} isc_timermgrmethods_t;
+
+typedef struct {
+ void (*attach)(isc_timer_t *timer, isc_timer_t **timerp);
+ void (*detach)(isc_timer_t **timerp);
+ isc_result_t (*reset)(isc_timer_t *timer, isc_timertype_t type,
+ isc_time_t *expires, isc_interval_t *interval,
+ isc_boolean_t purge);
+ isc_result_t (*touch)(isc_timer_t *timer);
+} isc_timermethods_t;
+
+/*%
+ * This structure is actually just the common prefix of a timer manager
+ * object implementation's version of an isc_timermgr_t.
+ * \brief
+ * Direct use of this structure by clients is forbidden. timer implementations
+ * may change the structure. 'magic' must be ISCAPI_TIMERMGR_MAGIC for any
+ * of the isc_timer_ routines to work. timer implementations must maintain
+ * all timer invariants.
+ */
+struct isc_timermgr {
+ unsigned int impmagic;
+ unsigned int magic;
+ isc_timermgrmethods_t *methods;
+};
+
+#define ISCAPI_TIMERMGR_MAGIC ISC_MAGIC('A','t','m','g')
+#define ISCAPI_TIMERMGR_VALID(m) ((m) != NULL && \
+ (m)->magic == ISCAPI_TIMERMGR_MAGIC)
+
+/*%
+ * This is the common prefix of a timer object. The same note as
+ * that for the timermgr structure applies.
+ */
+struct isc_timer {
+ unsigned int impmagic;
+ unsigned int magic;
+ isc_timermethods_t *methods;
+};
+
+#define ISCAPI_TIMER_MAGIC ISC_MAGIC('A','t','m','r')
+#define ISCAPI_TIMER_VALID(s) ((s) != NULL && \
+ (s)->magic == ISCAPI_TIMER_MAGIC)
+
/***
*** Timer and Timer Manager Functions
***
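Review bot: `ISCAPI_TIMERMGR_MAGIC` is defined as `ISC_MAGIC('A','t','m','g')`, the same four characters this commit gives `ISCAPI_TASKMGR_MAGIC` in task.h. Since `struct isc_taskmgr` and `struct isc_timermgr` share the same prefix layout, `ISCAPI_TIMERMGR_VALID()` accepts a task manager passed through a wrong cast, and `ISCAPI_TASKMGR_VALID()` accepts a timer manager. The check therefore does not catch that type confusion. Giving the timer manager its own tag restores the distinction, for example `#define ISCAPI_TIMERMGR_MAGIC ISC_MAGIC('A','t','i','m')`; those characters are only an example, and any value not used by another ISCAPI_* magic will do.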
@@ -289,9 +344,14 @@ isc_timer_gettype(isc_timer_t *timer);
*/
isc_result_t
+isc_timermgr_createinctx(isc_mem_t *mctx, isc_appctx_t *actx,
+ isc_timermgr_t **managerp);
+
+isc_result_t
isc_timermgr_create(isc_mem_t *mctx, isc_timermgr_t **managerp);
/*%<
- * Create a timer manager.
+ * Create a timer manager. isc_timermgr_createinctx() also associates
+ * the new manager with the specified application context.
*
* Notes:
*
@@ -303,6 +363,8 @@ isc_timermgr_create(isc_mem_t *mctx, isc_timermgr_t **managerp);
*
*\li 'managerp' points to a NULL isc_timermgr_t.
*
+ *\li 'actx' is a valid application context (for createinctx()).
+ *
* Ensures:
*
*\li '*managerp' is a valid isc_timermgr_t.
@@ -339,6 +401,31 @@ isc_timermgr_destroy(isc_timermgr_t **managerp);
void isc_timermgr_poke(isc_timermgr_t *m);
+#ifdef USE_TIMERIMPREGISTER
+/*%<
+ * See isc_timermgr_create() above.
+ */
+typedef isc_result_t
+(*isc_timermgrcreatefunc_t)(isc_mem_t *mctx, isc_timermgr_t **managerp);
+
+isc_result_t
+isc__timer_register(void);
+/*%<
+ * Register a new timer management implementation and add it to the list of
+ * supported implementations. This function must be called when a different
+ * event library is used than the one contained in the ISC library.
+ */
+
+isc_result_t
+isc_timer_register(isc_timermgrcreatefunc_t createfunc);
+/*%<
+ * A short cut function that specifies the timer management module in the ISC
+ * library for isc_timer_register(). An application that uses the ISC library
+ * usually do not have to care about this function: it would call
+ * isc_lib_register(), which internally calls this function.
+ */
+#endif /* USE_TIMERIMPREGISTER */
+
ISC_LANG_ENDDECLS
#endif /* ISC_TIMER_H */
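Review bot: The two doc comments in the `USE_TIMERIMPREGISTER` block are attached to the wrong prototypes. `isc__timer_register(void)` carries the "Register a new timer management implementation" text, which describes the function taking `createfunc`. `isc_timer_register(isc_timermgrcreatefunc_t createfunc)` carries the "short cut function" text, which describes the no-argument wrapper. socket.h and task.h in this commit have them the right way round. Swapping the two comment blocks, or reordering the prototypes to match socket.h, would fix it.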
diff --git a/contrib/bind9/lib/isc/include/isc/types.h b/contrib/bind9/lib/isc/include/isc/types.h
index 8e8b08fe6d78..8dbf67ed109e 100644
--- a/contrib/bind9/lib/isc/include/isc/types.h
+++ b/contrib/bind9/lib/isc/include/isc/types.h
@@ -20,6 +20,9 @@
#ifndef ISC_TYPES_H
#define ISC_TYPES_H 1
+#include <isc/bind9.h>
+#include <isc/namespace.h>
+
/*! \file isc/types.h
* \brief
* OS-specific types, from the OS-specific include directories.
@@ -40,6 +43,8 @@
/* Core Types. Alphabetized by defined type. */
+typedef struct isc_appctx isc_appctx_t; /*%< Application context */
+typedef struct isc_backtrace_symmap isc_backtrace_symmap_t; /*%< Symbol Table Entry */
typedef struct isc_bitstring isc_bitstring_t; /*%< Bitstring */
typedef struct isc_buffer isc_buffer_t; /*%< Buffer */
typedef ISC_LIST(isc_buffer_t) isc_bufferlist_t; /*%< Buffer List */
@@ -94,7 +99,7 @@ typedef struct isc_timer isc_timer_t; /*%< Timer */
typedef struct isc_timermgr isc_timermgr_t; /*%< Timer Manager */
typedef void (*isc_taskaction_t)(isc_task_t *, isc_event_t *);
-typedef int (*isc_sockfdwatch_t)(isc_task_t *, isc_socket_t *, void *);
+typedef int (*isc_sockfdwatch_t)(isc_task_t *, isc_socket_t *, void *, int);
/* The following cannot be listed alphabetically due to forward reference */
typedef isc_result_t (isc_httpdaction_t)(const char *url,
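Review bot: The new trailing `int` in `isc_sockfdwatch_t` changes the callback's calling signature, and neither this typedef nor the hunk says what the argument carries. A callback written for the old three-argument form and installed through a cast will be called with a mismatched prototype, and C compilers report that at most as a pointer-type warning. Naming the parameter makes the contract visible; going by the `isc_socket_fdwatchpoke()` documentation in socket.h it looks like the ISC_SOCKFDWATCH_* flags, which should be confirmed: `typedef int (*isc_sockfdwatch_t)(isc_task_t *, isc_socket_t *, void *, int flags);`. The `isc_httpdaction_t` typedef on the last line continues outside the hunk.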
diff --git a/contrib/bind9/lib/isc/inet_aton.c b/contrib/bind9/lib/isc/inet_aton.c
index 2bb964134945..14b4887f4f16 100644
--- a/contrib/bind9/lib/isc/inet_aton.c
+++ b/contrib/bind9/lib/isc/inet_aton.c
@@ -1,5 +1,5 @@
/*
- * Portions Copyright (C) 2004, 2005, 2007, 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004, 2005, 2007, 2008 Internet Systems Consortium, Inc. ("ISC")
* Portions Copyright (C) 1996-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -71,7 +71,7 @@
#if defined(LIBC_SCCS) && !defined(lint)
static char sccsid[] = "@(#)inet_addr.c 8.1 (Berkeley) 6/17/93";
-static char rcsid[] = "$Id$";
+static char rcsid[] = "$Id: inet_aton.c,v 1.23 2008/12/01 23:47:45 tbox Exp $";
#endif /* LIBC_SCCS and not lint */
#include <config.h>
diff --git a/contrib/bind9/lib/isc/inet_ntop.c b/contrib/bind9/lib/isc/inet_ntop.c
index cee586ada525..94910f03eee5 100644
--- a/contrib/bind9/lib/isc/inet_ntop.c
+++ b/contrib/bind9/lib/isc/inet_ntop.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2007, 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1996-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -19,7 +19,7 @@
#if defined(LIBC_SCCS) && !defined(lint)
static char rcsid[] =
- "$Id$";
+ "$Id: inet_ntop.c,v 1.21 2009/07/17 23:47:41 tbox Exp $";
#endif /* LIBC_SCCS and not lint */
#include <config.h>
diff --git a/contrib/bind9/lib/isc/iterated_hash.c b/contrib/bind9/lib/isc/iterated_hash.c
index aa1f0c53773c..86dedde2880c 100644
--- a/contrib/bind9/lib/isc/iterated_hash.c
+++ b/contrib/bind9/lib/isc/iterated_hash.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2006, 2008, 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2006, 2008, 2009 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: iterated_hash.c,v 1.6 2009/02/18 23:47:48 tbox Exp $ */
#include "config.h"
diff --git a/contrib/bind9/lib/isc/lib.c b/contrib/bind9/lib/isc/lib.c
index b8b37d3cc398..a50542551df3 100644
--- a/contrib/bind9/lib/isc/lib.c
+++ b/contrib/bind9/lib/isc/lib.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: lib.c,v 1.16 2009/09/02 23:48:02 tbox Exp $ */
/*! \file */
@@ -24,9 +24,15 @@
#include <stdio.h>
#include <stdlib.h>
-#include <isc/once.h>
-#include <isc/msgs.h>
+#include <isc/app.h>
#include <isc/lib.h>
+#include <isc/mem.h>
+#include <isc/msgs.h>
+#include <isc/once.h>
+#include <isc/socket.h>
+#include <isc/task.h>
+#include <isc/timer.h>
+#include <isc/util.h>
/***
*** Globals
@@ -41,7 +47,6 @@ LIBISC_EXTERNAL_DATA isc_msgcat_t * isc_msgcat = NULL;
static isc_once_t msgcat_once = ISC_ONCE_INIT;
-
/***
*** Functions
***/
@@ -77,3 +82,22 @@ isc_lib_initmsgcat(void) {
abort();
}
}
+
+#ifndef BIND9
+static isc_once_t register_once = ISC_ONCE_INIT;
+
+static void
+do_register(void) {
+ RUNTIME_CHECK(isc__mem_register() == ISC_R_SUCCESS);
+ RUNTIME_CHECK(isc__app_register() == ISC_R_SUCCESS);
+ RUNTIME_CHECK(isc__task_register() == ISC_R_SUCCESS);
+ RUNTIME_CHECK(isc__socket_register() == ISC_R_SUCCESS);
+ RUNTIME_CHECK(isc__timer_register() == ISC_R_SUCCESS);
+}
+
+void
+isc_lib_register() {
+ RUNTIME_CHECK(isc_once_do(&register_once, do_register)
+ == ISC_R_SUCCESS);
+}
+#endif
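Review bot: `isc_lib_register()` is defined with an empty parameter list, which in C declares a function with unspecified arguments rather than none. The definition should read `isc_lib_register(void) {`, like `do_register(void)` just above it. Every registration step is also wrapped in `RUNTIME_CHECK`, so any failure ends the host process instead of returning an error. If that is intended for the export library, a one-line comment on `do_register()` saying so would help embedders.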
diff --git a/contrib/bind9/lib/isc/md5.c b/contrib/bind9/lib/isc/md5.c
index 2cea018c246e..7c6419b2a9c7 100644
--- a/contrib/bind9/lib/isc/md5.c
+++ b/contrib/bind9/lib/isc/md5.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: md5.c,v 1.16 2009/02/06 23:47:42 tbox Exp $ */
/*! \file
* This code implements the MD5 message-digest algorithm.
@@ -38,10 +38,35 @@
#include <isc/assertions.h>
#include <isc/md5.h>
+#include <isc/platform.h>
#include <isc/string.h>
#include <isc/types.h>
#include <isc/util.h>
+#ifdef ISC_PLATFORM_OPENSSLHASH
+
+void
+isc_md5_init(isc_md5_t *ctx) {
+ EVP_DigestInit(ctx, EVP_md5());
+}
+
+void
+isc_md5_invalidate(isc_md5_t *ctx) {
+ EVP_MD_CTX_cleanup(ctx);
+}
+
+void
+isc_md5_update(isc_md5_t *ctx, const unsigned char *buf, unsigned int len) {
+ EVP_DigestUpdate(ctx, (const void *) buf, (size_t) len);
+}
+
+void
+isc_md5_final(isc_md5_t *ctx, unsigned char *digest) {
+ EVP_DigestFinal(ctx, digest, NULL);
+}
+
+#else
+
static void
byteSwap(isc_uint32_t *buf, unsigned words)
{
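Review bot: The OpenSSL-backed `isc_md5_init()`, `isc_md5_update()` and `isc_md5_final()` discard the return values of `EVP_DigestInit()`, `EVP_DigestUpdate()` and `EVP_DigestFinal()`. If the digest cannot be set up, for instance in an OpenSSL build or mode where MD5 is unavailable, the caller's `digest` buffer is left unwritten with no error signalled. The functions return `void`, so the failure cannot be propagated, but it can be made fatal with the macro from the already included `<isc/util.h>`: `RUNTIME_CHECK(EVP_DigestInit(ctx, EVP_md5()) == 1);`, and likewise for the update and final calls. The hunk ends inside `byteSwap()`, which is not affected.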
@@ -249,3 +274,4 @@ isc_md5_final(isc_md5_t *ctx, unsigned char *digest) {
memcpy(digest, ctx->buf, 16);
memset(ctx, 0, sizeof(isc_md5_t)); /* In case it's sensitive */
}
+#endif
diff --git a/contrib/bind9/lib/isc/mem.c b/contrib/bind9/lib/isc/mem.c
index 64df00b33269..1964b7a07996 100644
--- a/contrib/bind9/lib/isc/mem.c
+++ b/contrib/bind9/lib/isc/mem.c
@@ -60,6 +60,9 @@ LIBISC_EXTERNAL_DATA unsigned int isc_mem_debugging = ISC_MEM_DEBUGGING;
/*
* Types.
*/
+typedef struct isc__mem isc__mem_t;
+typedef struct isc__mempool isc__mempool_t;
+
#if ISC_MEM_TRACKLINES
typedef struct debuglink debuglink_t;
struct debuglink {
@@ -89,7 +92,7 @@ typedef struct {
*/
union {
size_t size;
- isc_mem_t *ctx;
+ isc__mem_t *ctx;
char bytes[ALIGNMENT_SIZE];
} u;
} size_info;
@@ -110,7 +113,7 @@ typedef ISC_LIST(debuglink_t) debuglist_t;
/* List of all active memory contexts. */
-static ISC_LIST(isc_mem_t) contexts;
+static ISC_LIST(isc__mem_t) contexts;
static isc_once_t once = ISC_ONCE_INIT;
static isc_mutex_t lock;
@@ -120,8 +123,8 @@ static isc_mutex_t lock;
*/
static isc_uint64_t totallost;
-struct isc_mem {
- unsigned int magic;
+struct isc__mem {
+ isc_mem_t common;
isc_ondestroy_t ondestroy;
unsigned int flags;
isc_mutex_t lock;
@@ -144,7 +147,7 @@ struct isc_mem {
isc_boolean_t is_overmem;
isc_mem_water_t water;
void * water_arg;
- ISC_LIST(isc_mempool_t) pools;
+ ISC_LIST(isc__mempool_t) pools;
unsigned int poolcnt;
/* ISC_MEMFLAG_INTERNAL */
@@ -163,19 +166,19 @@ struct isc_mem {
#endif
unsigned int memalloc_failures;
- ISC_LINK(isc_mem_t) link;
+ ISC_LINK(isc__mem_t) link;
};
#define MEMPOOL_MAGIC ISC_MAGIC('M', 'E', 'M', 'p')
#define VALID_MEMPOOL(c) ISC_MAGIC_VALID(c, MEMPOOL_MAGIC)
-struct isc_mempool {
+struct isc__mempool {
/* always unlocked */
- unsigned int magic; /*%< magic number */
+ isc_mempool_t common; /*%< common header of mempool's */
isc_mutex_t *lock; /*%< optional lock */
- isc_mem_t *mctx; /*%< our memory context */
+ isc__mem_t *mctx; /*%< our memory context */
/*%< locked via the memory context's lock */
- ISC_LINK(isc_mempool_t) link; /*%< next pool in this mem context */
+ ISC_LINK(isc__mempool_t) link; /*%< next pool in this mem context */
/*%< optionally locked from here down */
element *items; /*%< low water item list */
size_t size; /*%< size of each item on this pool */
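Review bot: `struct isc__mempool` no longer has a `magic` member of its own, yet the unchanged context line still defines `VALID_MEMPOOL(c)` as `ISC_MAGIC_VALID(c, MEMPOOL_MAGIC)`. That keeps working only while `common` stays the first member and the leading word of `isc_mempool_t` holds the implementation magic; the definition of `isc_mempool_t` is not in this hunk, so this is inferred from the socket, task and timer prefixes in the same commit. I would document the constraint on the member, for example `isc_mempool_t common; /*%< must be first: VALID_MEMPOOL reads its leading magic */`. The same holds for `isc_mem_t common;` in `struct isc__mem` in the earlier hunk.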
@@ -210,13 +213,187 @@ struct isc_mempool {
#define DELETE_TRACE(a, b, c, d, e) delete_trace_entry(a, b, c, d, e)
static void
-print_active(isc_mem_t *ctx, FILE *out);
+print_active(isc__mem_t *ctx, FILE *out);
+
+/*%
+ * The following can be either static or public, depending on build environment.
+ */
+
+#ifdef BIND9
+#define ISC_MEMFUNC_SCOPE
+#else
+#define ISC_MEMFUNC_SCOPE static
+#endif
+
+ISC_MEMFUNC_SCOPE isc_result_t
+isc__mem_createx(size_t init_max_size, size_t target_size,
+ isc_memalloc_t memalloc, isc_memfree_t memfree, void *arg,
+ isc_mem_t **ctxp);
+ISC_MEMFUNC_SCOPE isc_result_t
+isc__mem_createx2(size_t init_max_size, size_t target_size,
+ isc_memalloc_t memalloc, isc_memfree_t memfree, void *arg,
+ isc_mem_t **ctxp, unsigned int flags);
+ISC_MEMFUNC_SCOPE isc_result_t
+isc__mem_create(size_t init_max_size, size_t target_size, isc_mem_t **ctxp);
+ISC_MEMFUNC_SCOPE isc_result_t
+isc__mem_create2(size_t init_max_size, size_t target_size,
+ isc_mem_t **ctxp, unsigned int flags);
+ISC_MEMFUNC_SCOPE void
+isc__mem_attach(isc_mem_t *source, isc_mem_t **targetp);
+ISC_MEMFUNC_SCOPE void
+isc__mem_detach(isc_mem_t **ctxp);
+ISC_MEMFUNC_SCOPE void
+isc___mem_putanddetach(isc_mem_t **ctxp, void *ptr, size_t size FLARG);
+ISC_MEMFUNC_SCOPE void
+isc__mem_destroy(isc_mem_t **ctxp);
+ISC_MEMFUNC_SCOPE isc_result_t
+isc__mem_ondestroy(isc_mem_t *ctx, isc_task_t *task, isc_event_t **event);
+ISC_MEMFUNC_SCOPE void *
+isc___mem_get(isc_mem_t *ctx, size_t size FLARG);
+ISC_MEMFUNC_SCOPE void
+isc___mem_put(isc_mem_t *ctx, void *ptr, size_t size FLARG);
+ISC_MEMFUNC_SCOPE void
+isc__mem_stats(isc_mem_t *ctx, FILE *out);
+ISC_MEMFUNC_SCOPE void *
+isc___mem_allocate(isc_mem_t *ctx, size_t size FLARG);
+ISC_MEMFUNC_SCOPE void *
+isc___mem_reallocate(isc_mem_t *ctx, void *ptr, size_t size FLARG);
+ISC_MEMFUNC_SCOPE void
+isc___mem_free(isc_mem_t *ctx, void *ptr FLARG);
+ISC_MEMFUNC_SCOPE char *
+isc___mem_strdup(isc_mem_t *mctx, const char *s FLARG);
+ISC_MEMFUNC_SCOPE void
+isc__mem_setdestroycheck(isc_mem_t *ctx, isc_boolean_t flag);
+ISC_MEMFUNC_SCOPE void
+isc__mem_setquota(isc_mem_t *ctx, size_t quota);
+ISC_MEMFUNC_SCOPE size_t
+isc__mem_getquota(isc_mem_t *ctx);
+ISC_MEMFUNC_SCOPE size_t
+isc__mem_inuse(isc_mem_t *ctx);
+ISC_MEMFUNC_SCOPE isc_boolean_t
+isc__mem_isovermem(isc_mem_t *ctx);
+ISC_MEMFUNC_SCOPE void
+isc__mem_setwater(isc_mem_t *ctx, isc_mem_water_t water, void *water_arg,
+ size_t hiwater, size_t lowater);
+ISC_MEMFUNC_SCOPE void
+isc__mem_waterack(isc_mem_t *ctx0, int flag);
+ISC_MEMFUNC_SCOPE void
+isc__mem_setname(isc_mem_t *ctx, const char *name, void *tag);
+ISC_MEMFUNC_SCOPE const char *
+isc__mem_getname(isc_mem_t *ctx);
+ISC_MEMFUNC_SCOPE void *
+isc__mem_gettag(isc_mem_t *ctx);
+ISC_MEMFUNC_SCOPE isc_result_t
+isc__mempool_create(isc_mem_t *mctx, size_t size, isc_mempool_t **mpctxp);
+ISC_MEMFUNC_SCOPE void
+isc__mempool_setname(isc_mempool_t *mpctx, const char *name);
+ISC_MEMFUNC_SCOPE void
+isc__mempool_destroy(isc_mempool_t **mpctxp);
+ISC_MEMFUNC_SCOPE void
+isc__mempool_associatelock(isc_mempool_t *mpctx, isc_mutex_t *lock);
+ISC_MEMFUNC_SCOPE void *
+isc___mempool_get(isc_mempool_t *mpctx FLARG);
+ISC_MEMFUNC_SCOPE void
+isc___mempool_put(isc_mempool_t *mpctx, void *mem FLARG);
+ISC_MEMFUNC_SCOPE void
+isc__mempool_setfreemax(isc_mempool_t *mpctx, unsigned int limit);
+ISC_MEMFUNC_SCOPE unsigned int
+isc__mempool_getfreemax(isc_mempool_t *mpctx);
+ISC_MEMFUNC_SCOPE unsigned int
+isc__mempool_getfreecount(isc_mempool_t *mpctx);
+ISC_MEMFUNC_SCOPE void
+isc__mempool_setmaxalloc(isc_mempool_t *mpctx, unsigned int limit);
+ISC_MEMFUNC_SCOPE unsigned int
+isc__mempool_getmaxalloc(isc_mempool_t *mpctx);
+ISC_MEMFUNC_SCOPE unsigned int
+isc__mempool_getallocated(isc_mempool_t *mpctx);
+ISC_MEMFUNC_SCOPE void
+isc__mempool_setfillcount(isc_mempool_t *mpctx, unsigned int limit);
+ISC_MEMFUNC_SCOPE unsigned int
+isc__mempool_getfillcount(isc_mempool_t *mpctx);
+#ifdef BIND9
+ISC_MEMFUNC_SCOPE void
+isc__mem_printactive(isc_mem_t *ctx0, FILE *file);
+ISC_MEMFUNC_SCOPE void
+isc__mem_printallactive(FILE *file);
+ISC_MEMFUNC_SCOPE void
+isc__mem_checkdestroyed(FILE *file);
+ISC_MEMFUNC_SCOPE unsigned int
+isc__mem_references(isc_mem_t *ctx0);
+#endif
+
+static struct isc__memmethods {
+ isc_memmethods_t methods;
+
+ /*%
+ * The following are defined just for avoiding unused static functions.
+ */
+#ifndef BIND9
+ void *createx, *create, *create2, *ondestroy, *stats,
+ *setquota, *getquota, *setname, *getname, *gettag;
+#endif
+} memmethods = {
+ {
+ isc__mem_attach,
+ isc__mem_detach,
+ isc__mem_destroy,
+ isc___mem_get,
+ isc___mem_put,
+ isc___mem_putanddetach,
+ isc___mem_allocate,
+ isc___mem_reallocate,
+ isc___mem_strdup,
+ isc___mem_free,
+ isc__mem_setdestroycheck,
+ isc__mem_setwater,
+ isc__mem_waterack,
+ isc__mem_inuse,
+ isc__mem_isovermem,
+ isc__mempool_create
+ }
+#ifndef BIND9
+ ,
+ (void *)isc__mem_createx, (void *)isc__mem_create,
+ (void *)isc__mem_create2, (void *)isc__mem_ondestroy,
+ (void *)isc__mem_stats, (void *)isc__mem_setquota,
+ (void *)isc__mem_getquota, (void *)isc__mem_setname,
+ (void *)isc__mem_getname, (void *)isc__mem_gettag
+#endif
+};
+
+static struct isc__mempoolmethods {
+ isc_mempoolmethods_t methods;
+
+ /*%
+ * The following are defined just for avoiding unused static functions.
+ */
+#ifndef BIND9
+ void *getfreemax, *getfreecount, *getmaxalloc, *getfillcount;
+#endif
+} mempoolmethods = {
+ {
+ isc__mempool_destroy,
+ isc___mempool_get,
+ isc___mempool_put,
+ isc__mempool_getallocated,
+ isc__mempool_setmaxalloc,
+ isc__mempool_setfreemax,
+ isc__mempool_setname,
+ isc__mempool_associatelock,
+ isc__mempool_setfillcount
+ }
+#ifndef BIND9
+ ,
+ (void *)isc__mempool_getfreemax, (void *)isc__mempool_getfreecount,
+ (void *)isc__mempool_getmaxalloc, (void *)isc__mempool_getfillcount
+#endif
+};
/*!
* mctx must be locked.
*/
static inline void
-add_trace_entry(isc_mem_t *mctx, const void *ptr, unsigned int size
+add_trace_entry(isc__mem_t *mctx, const void *ptr, unsigned int size
FLARG)
{
debuglink_t *dl;
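Review bot: The `memmethods` and `mempoolmethods` tables hold the function pointers that calls on a context are dispatched through, yet both are writable `static` data with positional initialisers. The initialisers therefore depend silently on the field order of `isc_memmethods_t` and `isc_mempoolmethods_t`, which are declared outside this hunk. I would add a comment above each initialiser such as `/* Order must match the declaration of isc_memmethods_t. */`. If the `methods` pointer in the common header can be declared pointer-to-const, both tables could also become `static const` so they are placed in read-only data. The `#ifndef BIND9` filler members also store function pointers through `(void *)`, a conversion ISO C does not define; a function-pointer member type would avoid that.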
@@ -276,7 +453,7 @@ add_trace_entry(isc_mem_t *mctx, const void *ptr, unsigned int size
}
static inline void
-delete_trace_entry(isc_mem_t *mctx, const void *ptr, unsigned int size,
+delete_trace_entry(isc__mem_t *mctx, const void *ptr, unsigned int size,
const char *file, unsigned int line)
{
debuglink_t *dl;
@@ -347,7 +524,7 @@ quantize(size_t size) {
}
static inline isc_boolean_t
-more_basic_blocks(isc_mem_t *ctx) {
+more_basic_blocks(isc__mem_t *ctx) {
void *new;
unsigned char *curr, *next;
unsigned char *first, *last;
@@ -417,7 +594,7 @@ more_basic_blocks(isc_mem_t *ctx) {
}
static inline isc_boolean_t
-more_frags(isc_mem_t *ctx, size_t new_size) {
+more_frags(isc__mem_t *ctx, size_t new_size) {
int i, frags;
size_t total_size;
void *new;
@@ -479,7 +656,7 @@ more_frags(isc_mem_t *ctx, size_t new_size) {
}
static inline void *
-mem_getunlocked(isc_mem_t *ctx, size_t size) {
+mem_getunlocked(isc__mem_t *ctx, size_t size) {
size_t new_size = quantize(size);
void *ret;
@@ -560,7 +737,7 @@ check_overrun(void *mem, size_t size, size_t new_size) {
#endif
static inline void
-mem_putunlocked(isc_mem_t *ctx, void *mem, size_t size) {
+mem_putunlocked(isc__mem_t *ctx, void *mem, size_t size) {
size_t new_size = quantize(size);
if (size == ctx->max_size || new_size >= ctx->max_size) {
@@ -608,7 +785,7 @@ mem_putunlocked(isc_mem_t *ctx, void *mem, size_t size) {
* Perform a malloc, doing memory filling and overrun detection as necessary.
*/
static inline void *
-mem_get(isc_mem_t *ctx, size_t size) {
+mem_get(isc__mem_t *ctx, size_t size) {
char *ret;
#if ISC_MEM_CHECKOVERRUN
@@ -636,7 +813,7 @@ mem_get(isc_mem_t *ctx, size_t size) {
* Perform a free, doing memory filling and overrun detection as necessary.
*/
static inline void
-mem_put(isc_mem_t *ctx, void *mem, size_t size) {
+mem_put(isc__mem_t *ctx, void *mem, size_t size) {
#if ISC_MEM_CHECKOVERRUN
INSIST(((unsigned char *)mem)[size] == 0xbe);
#endif
@@ -652,7 +829,7 @@ mem_put(isc_mem_t *ctx, void *mem, size_t size) {
* Update internal counters after a memory get.
*/
static inline void
-mem_getstats(isc_mem_t *ctx, size_t size) {
+mem_getstats(isc__mem_t *ctx, size_t size) {
ctx->total += size;
ctx->inuse += size;
@@ -669,7 +846,7 @@ mem_getstats(isc_mem_t *ctx, size_t size) {
* Update internal counters after a memory put.
*/
static inline void
-mem_putstats(isc_mem_t *ctx, void *ptr, size_t size) {
+mem_putstats(isc__mem_t *ctx, void *ptr, size_t size) {
UNUSED(ptr);
INSIST(ctx->inuse >= size);
@@ -713,22 +890,22 @@ initialize_action(void) {
* Public.
*/
-isc_result_t
-isc_mem_createx(size_t init_max_size, size_t target_size,
- isc_memalloc_t memalloc, isc_memfree_t memfree, void *arg,
- isc_mem_t **ctxp)
+ISC_MEMFUNC_SCOPE isc_result_t
+isc__mem_createx(size_t init_max_size, size_t target_size,
+ isc_memalloc_t memalloc, isc_memfree_t memfree, void *arg,
+ isc_mem_t **ctxp)
{
- return (isc_mem_createx2(init_max_size, target_size, memalloc, memfree,
- arg, ctxp, ISC_MEMFLAG_DEFAULT));
+ return (isc__mem_createx2(init_max_size, target_size, memalloc, memfree,
+ arg, ctxp, ISC_MEMFLAG_DEFAULT));
}
-isc_result_t
-isc_mem_createx2(size_t init_max_size, size_t target_size,
- isc_memalloc_t memalloc, isc_memfree_t memfree, void *arg,
- isc_mem_t **ctxp, unsigned int flags)
+ISC_MEMFUNC_SCOPE isc_result_t
+isc__mem_createx2(size_t init_max_size, size_t target_size,
+ isc_memalloc_t memalloc, isc_memfree_t memfree, void *arg,
+ isc_mem_t **ctxp, unsigned int flags)
{
- isc_mem_t *ctx;
+ isc__mem_t *ctx;
isc_result_t result;
REQUIRE(ctxp != NULL && *ctxp == NULL);
@@ -769,7 +946,9 @@ isc_mem_createx2(size_t init_max_size, size_t target_size,
ctx->is_overmem = ISC_FALSE;
ctx->water = NULL;
ctx->water_arg = NULL;
- ctx->magic = MEM_MAGIC;
+ ctx->common.impmagic = MEM_MAGIC;
+ ctx->common.magic = ISCAPI_MCTX_MAGIC;
+ ctx->common.methods = (isc_memmethods_t *)&memmethods;
isc_ondestroy_init(&ctx->ondestroy);
ctx->memalloc = memalloc;
ctx->memfree = memfree;
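Review bot: The cast in `ctx->common.methods = (isc_memmethods_t *)&memmethods;` is not needed and hides the real type of the operand, which is `struct isc__memmethods *`. Taking the address of the embedded member is type-checked by the compiler and gives the same pointer: `ctx->common.methods = &memmethods.methods;`. The same applies in the `isc__mempool_create` hunk, where the line could read `mpctx->common.methods = &mempoolmethods.methods;`. The body of `isc__mem_createx2` starts and ends outside this hunk.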
@@ -834,7 +1013,7 @@ isc_mem_createx2(size_t init_max_size, size_t target_size,
ISC_LIST_INITANDAPPEND(contexts, ctx, link);
UNLOCK(&lock);
- *ctxp = ctx;
+ *ctxp = (isc_mem_t *)ctx;
return (ISC_R_SUCCESS);
error:
@@ -855,26 +1034,24 @@ isc_mem_createx2(size_t init_max_size, size_t target_size,
return (result);
}
-isc_result_t
-isc_mem_create(size_t init_max_size, size_t target_size,
- isc_mem_t **ctxp)
-{
- return (isc_mem_createx2(init_max_size, target_size,
- default_memalloc, default_memfree, NULL,
- ctxp, ISC_MEMFLAG_DEFAULT));
+ISC_MEMFUNC_SCOPE isc_result_t
+isc__mem_create(size_t init_max_size, size_t target_size, isc_mem_t **ctxp) {
+ return (isc__mem_createx2(init_max_size, target_size,
+ default_memalloc, default_memfree, NULL,
+ ctxp, ISC_MEMFLAG_DEFAULT));
}
-isc_result_t
-isc_mem_create2(size_t init_max_size, size_t target_size,
- isc_mem_t **ctxp, unsigned int flags)
+ISC_MEMFUNC_SCOPE isc_result_t
+isc__mem_create2(size_t init_max_size, size_t target_size,
+ isc_mem_t **ctxp, unsigned int flags)
{
- return (isc_mem_createx2(init_max_size, target_size,
- default_memalloc, default_memfree, NULL,
- ctxp, flags));
+ return (isc__mem_createx2(init_max_size, target_size,
+ default_memalloc, default_memfree, NULL,
+ ctxp, flags));
}
static void
-destroy(isc_mem_t *ctx) {
+destroy(isc__mem_t *ctx) {
unsigned int i;
isc_ondestroy_t ondest;
@@ -883,7 +1060,8 @@ destroy(isc_mem_t *ctx) {
totallost += ctx->inuse;
UNLOCK(&lock);
- ctx->magic = 0;
+ ctx->common.impmagic = 0;
+ ctx->common.magic = 0;
INSIST(ISC_LIST_EMPTY(ctx->pools));
@@ -941,8 +1119,10 @@ destroy(isc_mem_t *ctx) {
isc_ondestroy_notify(&ondest, ctx);
}
-void
-isc_mem_attach(isc_mem_t *source, isc_mem_t **targetp) {
+ISC_MEMFUNC_SCOPE void
+isc__mem_attach(isc_mem_t *source0, isc_mem_t **targetp) {
+ isc__mem_t *source = (isc__mem_t *)source0;
+
REQUIRE(VALID_CONTEXT(source));
REQUIRE(targetp != NULL && *targetp == NULL);
@@ -950,16 +1130,16 @@ isc_mem_attach(isc_mem_t *source, isc_mem_t **targetp) {
source->references++;
MCTXUNLOCK(source, &source->lock);
- *targetp = source;
+ *targetp = (isc_mem_t *)source;
}
-void
-isc_mem_detach(isc_mem_t **ctxp) {
- isc_mem_t *ctx;
+ISC_MEMFUNC_SCOPE void
+isc__mem_detach(isc_mem_t **ctxp) {
+ isc__mem_t *ctx;
isc_boolean_t want_destroy = ISC_FALSE;
REQUIRE(ctxp != NULL);
- ctx = *ctxp;
+ ctx = (isc__mem_t *)*ctxp;
REQUIRE(VALID_CONTEXT(ctx));
MCTXLOCK(ctx, &ctx->lock);
@@ -985,15 +1165,15 @@ isc_mem_detach(isc_mem_t **ctxp) {
* isc_mem_detach(&mctx);
*/
-void
-isc__mem_putanddetach(isc_mem_t **ctxp, void *ptr, size_t size FLARG) {
- isc_mem_t *ctx;
+ISC_MEMFUNC_SCOPE void
+isc___mem_putanddetach(isc_mem_t **ctxp, void *ptr, size_t size FLARG) {
+ isc__mem_t *ctx;
isc_boolean_t want_destroy = ISC_FALSE;
size_info *si;
size_t oldsize;
REQUIRE(ctxp != NULL);
- ctx = *ctxp;
+ ctx = (isc__mem_t *)*ctxp;
REQUIRE(VALID_CONTEXT(ctx));
REQUIRE(ptr != NULL);
@@ -1011,7 +1191,7 @@ isc__mem_putanddetach(isc_mem_t **ctxp, void *ptr, size_t size FLARG) {
oldsize -= ALIGNMENT_SIZE;
INSIST(oldsize == size);
}
- isc__mem_free(ctx, ptr FLARG_PASS);
+ isc__mem_free((isc_mem_t *)ctx, ptr FLARG_PASS);
MCTXLOCK(ctx, &ctx->lock);
ctx->references--;
@@ -1045,9 +1225,9 @@ isc__mem_putanddetach(isc_mem_t **ctxp, void *ptr, size_t size FLARG) {
destroy(ctx);
}
-void
-isc_mem_destroy(isc_mem_t **ctxp) {
- isc_mem_t *ctx;
+ISC_MEMFUNC_SCOPE void
+isc__mem_destroy(isc_mem_t **ctxp) {
+ isc__mem_t *ctx;
/*
* This routine provides legacy support for callers who use mctxs
@@ -1055,7 +1235,7 @@ isc_mem_destroy(isc_mem_t **ctxp) {
*/
REQUIRE(ctxp != NULL);
- ctx = *ctxp;
+ ctx = (isc__mem_t *)*ctxp;
REQUIRE(VALID_CONTEXT(ctx));
MCTXLOCK(ctx, &ctx->lock);
@@ -1072,8 +1252,9 @@ isc_mem_destroy(isc_mem_t **ctxp) {
*ctxp = NULL;
}
-isc_result_t
-isc_mem_ondestroy(isc_mem_t *ctx, isc_task_t *task, isc_event_t **event) {
+ISC_MEMFUNC_SCOPE isc_result_t
+isc__mem_ondestroy(isc_mem_t *ctx0, isc_task_t *task, isc_event_t **event) {
+ isc__mem_t *ctx = (isc__mem_t *)ctx0;
isc_result_t res;
MCTXLOCK(ctx, &ctx->lock);
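Review bot: `isc__mem_ondestroy` now downcasts `ctx0` to `isc__mem_t *` and goes straight to `MCTXLOCK(ctx, &ctx->lock)` without checking the context, whereas the other converted entry points in this file assert `REQUIRE(VALID_CONTEXT(ctx));` right after the cast. Now that callers hold only the generic `isc_mem_t` header, a NULL, destroyed, or foreign-implementation context would be dereferenced here as an `isc__mem_t`. I would add `REQUIRE(VALID_CONTEXT(ctx));` before the `MCTXLOCK` line. The check was also absent before this commit, and the rest of the function body lies outside the hunk.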
@@ -1083,16 +1264,16 @@ isc_mem_ondestroy(isc_mem_t *ctx, isc_task_t *task, isc_event_t **event) {
return (res);
}
-
-void *
-isc__mem_get(isc_mem_t *ctx, size_t size FLARG) {
+ISC_MEMFUNC_SCOPE void *
+isc___mem_get(isc_mem_t *ctx0, size_t size FLARG) {
+ isc__mem_t *ctx = (isc__mem_t *)ctx0;
void *ptr;
isc_boolean_t call_water = ISC_FALSE;
REQUIRE(VALID_CONTEXT(ctx));
if ((isc_mem_debugging & (ISC_MEM_DEBUGSIZE|ISC_MEM_DEBUGCTX)) != 0)
- return (isc__mem_allocate(ctx, size FLARG_PASS));
+ return (isc__mem_allocate(ctx0, size FLARG_PASS));
if ((ctx->flags & ISC_MEMFLAG_INTERNAL) != 0) {
MCTXLOCK(ctx, &ctx->lock);
@@ -1128,9 +1309,9 @@ isc__mem_get(isc_mem_t *ctx, size_t size FLARG) {
return (ptr);
}
-void
-isc__mem_put(isc_mem_t *ctx, void *ptr, size_t size FLARG)
-{
+ISC_MEMFUNC_SCOPE void
+isc___mem_put(isc_mem_t *ctx0, void *ptr, size_t size FLARG) {
+ isc__mem_t *ctx = (isc__mem_t *)ctx0;
isc_boolean_t call_water = ISC_FALSE;
size_info *si;
size_t oldsize;
@@ -1146,7 +1327,7 @@ isc__mem_put(isc_mem_t *ctx, void *ptr, size_t size FLARG)
oldsize -= ALIGNMENT_SIZE;
INSIST(oldsize == size);
}
- isc__mem_free(ctx, ptr FLARG_PASS);
+ isc__mem_free((isc_mem_t *)ctx, ptr FLARG_PASS);
return;
}
@@ -1181,8 +1362,10 @@ isc__mem_put(isc_mem_t *ctx, void *ptr, size_t size FLARG)
(ctx->water)(ctx->water_arg, ISC_MEM_LOWATER);
}
-void
-isc_mem_waterack(isc_mem_t *ctx, int flag) {
+ISC_MEMFUNC_SCOPE void
+isc__mem_waterack(isc_mem_t *ctx0, int flag) {
+ isc__mem_t *ctx = (isc__mem_t *)ctx0;
+
REQUIRE(VALID_CONTEXT(ctx));
MCTXLOCK(ctx, &ctx->lock);
@@ -1195,7 +1378,7 @@ isc_mem_waterack(isc_mem_t *ctx, int flag) {
#if ISC_MEM_TRACKLINES
static void
-print_active(isc_mem_t *mctx, FILE *out) {
+print_active(isc__mem_t *mctx, FILE *out) {
if (mctx->debuglist != NULL) {
debuglink_t *dl;
unsigned int i, j;
@@ -1237,11 +1420,12 @@ print_active(isc_mem_t *mctx, FILE *out) {
/*
* Print the stats[] on the stream "out" with suitable formatting.
*/
-void
-isc_mem_stats(isc_mem_t *ctx, FILE *out) {
+ISC_MEMFUNC_SCOPE void
+isc__mem_stats(isc_mem_t *ctx0, FILE *out) {
+ isc__mem_t *ctx = (isc__mem_t *)ctx0;
size_t i;
const struct stats *s;
- const isc_mempool_t *pool;
+ const isc__mempool_t *pool;
REQUIRE(VALID_CONTEXT(ctx));
MCTXLOCK(ctx, &ctx->lock);
@@ -1314,7 +1498,8 @@ isc_mem_stats(isc_mem_t *ctx, FILE *out) {
*/
static void *
-isc__mem_allocateunlocked(isc_mem_t *ctx, size_t size) {
+isc__mem_allocateunlocked(isc_mem_t *ctx0, size_t size) {
+ isc__mem_t *ctx = (isc__mem_t *)ctx0;
size_info *si;
size += ALIGNMENT_SIZE;
@@ -1336,8 +1521,9 @@ isc__mem_allocateunlocked(isc_mem_t *ctx, size_t size) {
return (&si[1]);
}
-void *
-isc__mem_allocate(isc_mem_t *ctx, size_t size FLARG) {
+ISC_MEMFUNC_SCOPE void *
+isc___mem_allocate(isc_mem_t *ctx0, size_t size FLARG) {
+ isc__mem_t *ctx = (isc__mem_t *)ctx0;
size_info *si;
isc_boolean_t call_water = ISC_FALSE;
@@ -1345,9 +1531,9 @@ isc__mem_allocate(isc_mem_t *ctx, size_t size FLARG) {
if ((ctx->flags & ISC_MEMFLAG_INTERNAL) != 0) {
MCTXLOCK(ctx, &ctx->lock);
- si = isc__mem_allocateunlocked(ctx, size);
+ si = isc__mem_allocateunlocked((isc_mem_t *)ctx, size);
} else {
- si = isc__mem_allocateunlocked(ctx, size);
+ si = isc__mem_allocateunlocked((isc_mem_t *)ctx, size);
MCTXLOCK(ctx, &ctx->lock);
if (si != NULL)
mem_getstats(ctx, si[-1].u.size);
@@ -1381,8 +1567,9 @@ isc__mem_allocate(isc_mem_t *ctx, size_t size FLARG) {
return (si);
}
-void *
-isc__mem_reallocate(isc_mem_t *ctx, void *ptr, size_t size FLARG) {
+ISC_MEMFUNC_SCOPE void *
+isc___mem_reallocate(isc_mem_t *ctx0, void *ptr, size_t size FLARG) {
+ isc__mem_t *ctx = (isc__mem_t *)ctx0;
void *new_ptr = NULL;
size_t oldsize, copysize;
@@ -1400,7 +1587,7 @@ isc__mem_reallocate(isc_mem_t *ctx, void *ptr, size_t size FLARG) {
* NULL if allocation fails or doesn't happen.
*/
if (size > 0U) {
- new_ptr = isc__mem_allocate(ctx, size FLARG_PASS);
+ new_ptr = isc__mem_allocate(ctx0, size FLARG_PASS);
if (new_ptr != NULL && ptr != NULL) {
oldsize = (((size_info *)ptr)[-1]).u.size;
INSIST(oldsize >= ALIGNMENT_SIZE);
@@ -1411,16 +1598,17 @@ isc__mem_reallocate(isc_mem_t *ctx, void *ptr, size_t size FLARG) {
}
copysize = (oldsize > size) ? size : oldsize;
memcpy(new_ptr, ptr, copysize);
- isc__mem_free(ctx, ptr FLARG_PASS);
+ isc__mem_free(ctx0, ptr FLARG_PASS);
}
} else if (ptr != NULL)
- isc__mem_free(ctx, ptr FLARG_PASS);
+ isc__mem_free(ctx0, ptr FLARG_PASS);
return (new_ptr);
}
-void
-isc__mem_free(isc_mem_t *ctx, void *ptr FLARG) {
+ISC_MEMFUNC_SCOPE void
+isc___mem_free(isc_mem_t *ctx0, void *ptr FLARG) {
+ isc__mem_t *ctx = (isc__mem_t *)ctx0;
size_info *si;
size_t size;
isc_boolean_t call_water= ISC_FALSE;
@@ -1476,8 +1664,9 @@ isc__mem_free(isc_mem_t *ctx, void *ptr FLARG) {
* Other useful things.
*/
-char *
-isc__mem_strdup(isc_mem_t *mctx, const char *s FLARG) {
+ISC_MEMFUNC_SCOPE char *
+isc___mem_strdup(isc_mem_t *mctx0, const char *s FLARG) {
+ isc__mem_t *mctx = (isc__mem_t *)mctx0;
size_t len;
char *ns;
@@ -1486,7 +1675,7 @@ isc__mem_strdup(isc_mem_t *mctx, const char *s FLARG) {
len = strlen(s);
- ns = isc__mem_allocate(mctx, len + 1 FLARG_PASS);
+ ns = isc___mem_allocate((isc_mem_t *)mctx, len + 1 FLARG_PASS);
if (ns != NULL)
strncpy(ns, s, len + 1);
@@ -1494,8 +1683,10 @@ isc__mem_strdup(isc_mem_t *mctx, const char *s FLARG) {
return (ns);
}
-void
-isc_mem_setdestroycheck(isc_mem_t *ctx, isc_boolean_t flag) {
+ISC_MEMFUNC_SCOPE void
+isc__mem_setdestroycheck(isc_mem_t *ctx0, isc_boolean_t flag) {
+ isc__mem_t *ctx = (isc__mem_t *)ctx0;
+
REQUIRE(VALID_CONTEXT(ctx));
MCTXLOCK(ctx, &ctx->lock);
@@ -1508,8 +1699,10 @@ isc_mem_setdestroycheck(isc_mem_t *ctx, isc_boolean_t flag) {
* Quotas
*/
-void
-isc_mem_setquota(isc_mem_t *ctx, size_t quota) {
+ISC_MEMFUNC_SCOPE void
+isc__mem_setquota(isc_mem_t *ctx0, size_t quota) {
+ isc__mem_t *ctx = (isc__mem_t *)ctx0;
+
REQUIRE(VALID_CONTEXT(ctx));
MCTXLOCK(ctx, &ctx->lock);
@@ -1518,8 +1711,9 @@ isc_mem_setquota(isc_mem_t *ctx, size_t quota) {
MCTXUNLOCK(ctx, &ctx->lock);
}
-size_t
-isc_mem_getquota(isc_mem_t *ctx) {
+ISC_MEMFUNC_SCOPE size_t
+isc__mem_getquota(isc_mem_t *ctx0) {
+ isc__mem_t *ctx = (isc__mem_t *)ctx0;
size_t quota;
REQUIRE(VALID_CONTEXT(ctx));
@@ -1532,8 +1726,9 @@ isc_mem_getquota(isc_mem_t *ctx) {
return (quota);
}
-size_t
-isc_mem_inuse(isc_mem_t *ctx) {
+ISC_MEMFUNC_SCOPE size_t
+isc__mem_inuse(isc_mem_t *ctx0) {
+ isc__mem_t *ctx = (isc__mem_t *)ctx0;
size_t inuse;
REQUIRE(VALID_CONTEXT(ctx));
@@ -1546,10 +1741,11 @@ isc_mem_inuse(isc_mem_t *ctx) {
return (inuse);
}
-void
-isc_mem_setwater(isc_mem_t *ctx, isc_mem_water_t water, void *water_arg,
+ISC_MEMFUNC_SCOPE void
+isc__mem_setwater(isc_mem_t *ctx0, isc_mem_water_t water, void *water_arg,
size_t hiwater, size_t lowater)
{
+ isc__mem_t *ctx = (isc__mem_t *)ctx0;
isc_boolean_t callwater = ISC_FALSE;
isc_mem_water_t oldwater;
void *oldwater_arg;
@@ -1584,8 +1780,10 @@ isc_mem_setwater(isc_mem_t *ctx, isc_mem_water_t water, void *water_arg,
(oldwater)(oldwater_arg, ISC_MEM_LOWATER);
}
-isc_boolean_t
-isc_mem_isovermem(isc_mem_t *ctx) {
+ISC_MEMFUNC_SCOPE isc_boolean_t
+isc__mem_isovermem(isc_mem_t *ctx0) {
+ isc__mem_t *ctx = (isc__mem_t *)ctx0;
+
REQUIRE(VALID_CONTEXT(ctx));
/*
@@ -1596,8 +1794,10 @@ isc_mem_isovermem(isc_mem_t *ctx) {
return (ctx->is_overmem);
}
-void
-isc_mem_setname(isc_mem_t *ctx, const char *name, void *tag) {
+ISC_MEMFUNC_SCOPE void
+isc__mem_setname(isc_mem_t *ctx0, const char *name, void *tag) {
+ isc__mem_t *ctx = (isc__mem_t *)ctx0;
+
REQUIRE(VALID_CONTEXT(ctx));
LOCK(&ctx->lock);
@@ -1607,15 +1807,19 @@ isc_mem_setname(isc_mem_t *ctx, const char *name, void *tag) {
UNLOCK(&ctx->lock);
}
-const char *
-isc_mem_getname(isc_mem_t *ctx) {
+ISC_MEMFUNC_SCOPE const char *
+isc__mem_getname(isc_mem_t *ctx0) {
+ isc__mem_t *ctx = (isc__mem_t *)ctx0;
+
REQUIRE(VALID_CONTEXT(ctx));
return (ctx->name);
}
-void *
-isc_mem_gettag(isc_mem_t *ctx) {
+ISC_MEMFUNC_SCOPE void *
+isc__mem_gettag(isc_mem_t *ctx0) {
+ isc__mem_t *ctx = (isc__mem_t *)ctx0;
+
REQUIRE(VALID_CONTEXT(ctx));
return (ctx->tag);
@@ -1625,9 +1829,10 @@ isc_mem_gettag(isc_mem_t *ctx) {
* Memory pool stuff
*/
-isc_result_t
-isc_mempool_create(isc_mem_t *mctx, size_t size, isc_mempool_t **mpctxp) {
- isc_mempool_t *mpctx;
+ISC_MEMFUNC_SCOPE isc_result_t
+isc__mempool_create(isc_mem_t *mctx0, size_t size, isc_mempool_t **mpctxp) {
+ isc__mem_t *mctx = (isc__mem_t *)mctx0;
+ isc__mempool_t *mpctx;
REQUIRE(VALID_CONTEXT(mctx));
REQUIRE(size > 0U);
@@ -1637,11 +1842,13 @@ isc_mempool_create(isc_mem_t *mctx, size_t size, isc_mempool_t **mpctxp) {
* Allocate space for this pool, initialize values, and if all works
* well, attach to the memory context.
*/
- mpctx = isc_mem_get(mctx, sizeof(isc_mempool_t));
+ mpctx = isc_mem_get((isc_mem_t *)mctx, sizeof(isc__mempool_t));
if (mpctx == NULL)
return (ISC_R_NOMEMORY);
- mpctx->magic = MEMPOOL_MAGIC;
+ mpctx->common.methods = (isc_mempoolmethods_t *)&mempoolmethods;
+ mpctx->common.impmagic = MEMPOOL_MAGIC;
+ mpctx->common.magic = ISCAPI_MPOOL_MAGIC;
mpctx->lock = NULL;
mpctx->mctx = mctx;
mpctx->size = size;
@@ -1656,7 +1863,7 @@ isc_mempool_create(isc_mem_t *mctx, size_t size, isc_mempool_t **mpctxp) {
#endif
mpctx->items = NULL;
- *mpctxp = mpctx;
+ *mpctxp = (isc_mempool_t *)mpctx;
MCTXLOCK(mctx, &mctx->lock);
ISC_LIST_INITANDAPPEND(mctx->pools, mpctx, link);
@@ -1666,9 +1873,12 @@ isc_mempool_create(isc_mem_t *mctx, size_t size, isc_mempool_t **mpctxp) {
return (ISC_R_SUCCESS);
}
-void
-isc_mempool_setname(isc_mempool_t *mpctx, const char *name) {
+ISC_MEMFUNC_SCOPE void
+isc__mempool_setname(isc_mempool_t *mpctx0, const char *name) {
+ isc__mempool_t *mpctx = (isc__mempool_t *)mpctx0;
+
REQUIRE(name != NULL);
+ REQUIRE(VALID_MEMPOOL(mpctx));
#if ISC_MEMPOOL_NAMES
if (mpctx->lock != NULL)
@@ -1685,20 +1895,20 @@ isc_mempool_setname(isc_mempool_t *mpctx, const char *name) {
#endif
}
-void
-isc_mempool_destroy(isc_mempool_t **mpctxp) {
- isc_mempool_t *mpctx;
- isc_mem_t *mctx;
+ISC_MEMFUNC_SCOPE void
+isc__mempool_destroy(isc_mempool_t **mpctxp) {
+ isc__mempool_t *mpctx;
+ isc__mem_t *mctx;
isc_mutex_t *lock;
element *item;
REQUIRE(mpctxp != NULL);
- mpctx = *mpctxp;
+ mpctx = (isc__mempool_t *)*mpctxp;
REQUIRE(VALID_MEMPOOL(mpctx));
#if ISC_MEMPOOL_NAMES
if (mpctx->allocated > 0)
UNEXPECTED_ERROR(__FILE__, __LINE__,
- "isc_mempool_destroy(): mempool %s "
+ "isc__mempool_destroy(): mempool %s "
"leaked memory",
mpctx->name);
#endif
@@ -1738,9 +1948,10 @@ isc_mempool_destroy(isc_mempool_t **mpctxp) {
mctx->poolcnt--;
MCTXUNLOCK(mctx, &mctx->lock);
- mpctx->magic = 0;
+ mpctx->common.impmagic = 0;
+ mpctx->common.magic = 0;
- isc_mem_put(mpctx->mctx, mpctx, sizeof(isc_mempool_t));
+ isc_mem_put((isc_mem_t *)mpctx->mctx, mpctx, sizeof(isc__mempool_t));
if (lock != NULL)
UNLOCK(lock);
@@ -1748,8 +1959,10 @@ isc_mempool_destroy(isc_mempool_t **mpctxp) {
*mpctxp = NULL;
}
-void
-isc_mempool_associatelock(isc_mempool_t *mpctx, isc_mutex_t *lock) {
+ISC_MEMFUNC_SCOPE void
+isc__mempool_associatelock(isc_mempool_t *mpctx0, isc_mutex_t *lock) {
+ isc__mempool_t *mpctx = (isc__mempool_t *)mpctx0;
+
REQUIRE(VALID_MEMPOOL(mpctx));
REQUIRE(mpctx->lock == NULL);
REQUIRE(lock != NULL);
@@ -1757,10 +1970,11 @@ isc_mempool_associatelock(isc_mempool_t *mpctx, isc_mutex_t *lock) {
mpctx->lock = lock;
}
-void *
-isc__mempool_get(isc_mempool_t *mpctx FLARG) {
+ISC_MEMFUNC_SCOPE void *
+isc___mempool_get(isc_mempool_t *mpctx0 FLARG) {
+ isc__mempool_t *mpctx = (isc__mempool_t *)mpctx0;
element *item;
- isc_mem_t *mctx;
+ isc__mem_t *mctx;
unsigned int i;
REQUIRE(VALID_MEMPOOL(mpctx));
@@ -1839,9 +2053,10 @@ isc__mempool_get(isc_mempool_t *mpctx FLARG) {
return (item);
}
-void
-isc__mempool_put(isc_mempool_t *mpctx, void *mem FLARG) {
- isc_mem_t *mctx;
+ISC_MEMFUNC_SCOPE void
+isc___mempool_put(isc_mempool_t *mpctx0, void *mem FLARG) {
+ isc__mempool_t *mpctx = (isc__mempool_t *)mpctx0;
+ isc__mem_t *mctx;
element *item;
REQUIRE(VALID_MEMPOOL(mpctx));
@@ -1896,8 +2111,10 @@ isc__mempool_put(isc_mempool_t *mpctx, void *mem FLARG) {
* Quotas
*/
-void
-isc_mempool_setfreemax(isc_mempool_t *mpctx, unsigned int limit) {
+ISC_MEMFUNC_SCOPE void
+isc__mempool_setfreemax(isc_mempool_t *mpctx0, unsigned int limit) {
+ isc__mempool_t *mpctx = (isc__mempool_t *)mpctx0;
+
REQUIRE(VALID_MEMPOOL(mpctx));
if (mpctx->lock != NULL)
@@ -1909,8 +2126,9 @@ isc_mempool_setfreemax(isc_mempool_t *mpctx, unsigned int limit) {
UNLOCK(mpctx->lock);
}
-unsigned int
-isc_mempool_getfreemax(isc_mempool_t *mpctx) {
+ISC_MEMFUNC_SCOPE unsigned int
+isc__mempool_getfreemax(isc_mempool_t *mpctx0) {
+ isc__mempool_t *mpctx = (isc__mempool_t *)mpctx0;
unsigned int freemax;
REQUIRE(VALID_MEMPOOL(mpctx));
@@ -1926,8 +2144,9 @@ isc_mempool_getfreemax(isc_mempool_t *mpctx) {
return (freemax);
}
-unsigned int
-isc_mempool_getfreecount(isc_mempool_t *mpctx) {
+ISC_MEMFUNC_SCOPE unsigned int
+isc__mempool_getfreecount(isc_mempool_t *mpctx0) {
+ isc__mempool_t *mpctx = (isc__mempool_t *)mpctx0;
unsigned int freecount;
REQUIRE(VALID_MEMPOOL(mpctx));
@@ -1943,8 +2162,10 @@ isc_mempool_getfreecount(isc_mempool_t *mpctx) {
return (freecount);
}
-void
-isc_mempool_setmaxalloc(isc_mempool_t *mpctx, unsigned int limit) {
+ISC_MEMFUNC_SCOPE void
+isc__mempool_setmaxalloc(isc_mempool_t *mpctx0, unsigned int limit) {
+ isc__mempool_t *mpctx = (isc__mempool_t *)mpctx0;
+
REQUIRE(limit > 0);
REQUIRE(VALID_MEMPOOL(mpctx));
@@ -1958,8 +2179,9 @@ isc_mempool_setmaxalloc(isc_mempool_t *mpctx, unsigned int limit) {
UNLOCK(mpctx->lock);
}
-unsigned int
-isc_mempool_getmaxalloc(isc_mempool_t *mpctx) {
+ISC_MEMFUNC_SCOPE unsigned int
+isc__mempool_getmaxalloc(isc_mempool_t *mpctx0) {
+ isc__mempool_t *mpctx = (isc__mempool_t *)mpctx0;
unsigned int maxalloc;
REQUIRE(VALID_MEMPOOL(mpctx));
@@ -1975,8 +2197,9 @@ isc_mempool_getmaxalloc(isc_mempool_t *mpctx) {
return (maxalloc);
}
-unsigned int
-isc_mempool_getallocated(isc_mempool_t *mpctx) {
+ISC_MEMFUNC_SCOPE unsigned int
+isc__mempool_getallocated(isc_mempool_t *mpctx0) {
+ isc__mempool_t *mpctx = (isc__mempool_t *)mpctx0;
unsigned int allocated;
REQUIRE(VALID_MEMPOOL(mpctx));
@@ -1992,8 +2215,10 @@ isc_mempool_getallocated(isc_mempool_t *mpctx) {
return (allocated);
}
-void
-isc_mempool_setfillcount(isc_mempool_t *mpctx, unsigned int limit) {
+ISC_MEMFUNC_SCOPE void
+isc__mempool_setfillcount(isc_mempool_t *mpctx0, unsigned int limit) {
+ isc__mempool_t *mpctx = (isc__mempool_t *)mpctx0;
+
REQUIRE(limit > 0);
REQUIRE(VALID_MEMPOOL(mpctx));
@@ -2006,8 +2231,10 @@ isc_mempool_setfillcount(isc_mempool_t *mpctx, unsigned int limit) {
UNLOCK(mpctx->lock);
}
-unsigned int
-isc_mempool_getfillcount(isc_mempool_t *mpctx) {
+ISC_MEMFUNC_SCOPE unsigned int
+isc__mempool_getfillcount(isc_mempool_t *mpctx0) {
+ isc__mempool_t *mpctx = (isc__mempool_t *)mpctx0;
+
unsigned int fillcount;
REQUIRE(VALID_MEMPOOL(mpctx));
@@ -2023,8 +2250,17 @@ isc_mempool_getfillcount(isc_mempool_t *mpctx) {
return (fillcount);
}
-void
-isc_mem_printactive(isc_mem_t *ctx, FILE *file) {
+#ifdef USE_MEMIMPREGISTER
+isc_result_t
+isc__mem_register() {
+ return (isc_mem_register(isc__mem_create2));
+}
+#endif
+
+#ifdef BIND9
+ISC_MEMFUNC_SCOPE void
+isc__mem_printactive(isc_mem_t *ctx0, FILE *file) {
+ isc__mem_t *ctx = (isc__mem_t *)ctx0;
REQUIRE(VALID_CONTEXT(ctx));
REQUIRE(file != NULL);
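Review bot: The new definition `isc__mem_register() {` uses an empty parameter list, which in C does not give the function a prototype, so a call with stray arguments would not be diagnosed. The rest of the file writes parameterless functions with `void` (for example `initialize_action(void)` in an earlier hunk header), so this should be `isc__mem_register(void) {`. The added `isc__mem_printactive` also places its first `REQUIRE` directly under the declaration of `ctx`; a blank line between them would match the other converted functions. The body of `isc__mem_printactive` continues outside the hunk.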
@@ -2037,12 +2273,12 @@ isc_mem_printactive(isc_mem_t *ctx, FILE *file) {
#endif
}
-void
-isc_mem_printallactive(FILE *file) {
+ISC_MEMFUNC_SCOPE void
+isc__mem_printallactive(FILE *file) {
#if !ISC_MEM_TRACKLINES
UNUSED(file);
#else
- isc_mem_t *ctx;
+ isc__mem_t *ctx;
RUNTIME_CHECK(isc_once_do(&once, initialize_action) == ISC_R_SUCCESS);
@@ -2057,15 +2293,15 @@ isc_mem_printallactive(FILE *file) {
#endif
}
-void
-isc_mem_checkdestroyed(FILE *file) {
+ISC_MEMFUNC_SCOPE void
+isc__mem_checkdestroyed(FILE *file) {
RUNTIME_CHECK(isc_once_do(&once, initialize_action) == ISC_R_SUCCESS);
LOCK(&lock);
if (!ISC_LIST_EMPTY(contexts)) {
#if ISC_MEM_TRACKLINES
- isc_mem_t *ctx;
+ isc__mem_t *ctx;
for (ctx = ISC_LIST_HEAD(contexts);
ctx != NULL;
@@ -2080,9 +2316,11 @@ isc_mem_checkdestroyed(FILE *file) {
UNLOCK(&lock);
}
-unsigned int
-isc_mem_references(isc_mem_t *ctx) {
+ISC_MEMFUNC_SCOPE unsigned int
+isc_mem_references(isc_mem_t *ctx0) {
+ isc__mem_t *ctx = (isc__mem_t *)ctx0;
unsigned int references;
+
REQUIRE(VALID_CONTEXT(ctx));
MCTXLOCK(ctx, &ctx->lock);
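Review bot: The definition here keeps the old name, `isc_mem_references(isc_mem_t *ctx0)`, although it gains `ISC_MEMFUNC_SCOPE` and the `ctx0` downcast like its renamed siblings. The forward declaration added near the top of the file is `isc__mem_references(isc_mem_t *ctx0);`, so unless a macro outside this diff maps one name to the other, that prototype has no matching definition. If the rename was intended, the line should read `isc__mem_references(isc_mem_t *ctx0) {`. Otherwise the forward declaration should be dropped or renamed to match. The function body continues outside the hunk.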
@@ -2102,7 +2340,7 @@ typedef struct summarystat {
} summarystat_t;
static void
-renderctx(isc_mem_t *ctx, summarystat_t *summary, xmlTextWriterPtr writer) {
+renderctx(isc__mem_t *ctx, summarystat_t *summary, xmlTextWriterPtr writer) {
REQUIRE(VALID_CONTEXT(ctx));
xmlTextWriterStartElement(writer, ISC_XMLCHAR "context");
@@ -2188,7 +2426,7 @@ renderctx(isc_mem_t *ctx, summarystat_t *summary, xmlTextWriterPtr writer) {
void
isc_mem_renderxml(xmlTextWriterPtr writer) {
- isc_mem_t *ctx;
+ isc__mem_t *ctx;
summarystat_t summary;
isc_uint64_t lost;
@@ -2240,3 +2478,4 @@ isc_mem_renderxml(xmlTextWriterPtr writer) {
}
#endif /* HAVE_LIBXML2 */
+#endif /* BIND9 */
diff --git a/contrib/bind9/lib/isc/mem_api.c b/contrib/bind9/lib/isc/mem_api.c
new file mode 100644
index 000000000000..85abb9b4507c
--- /dev/null
+++ b/contrib/bind9/lib/isc/mem_api.c
@@ -0,0 +1,303 @@
+/*
+ * Copyright (C) 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: mem_api.c,v 1.8 2010/08/12 21:30:26 jinmei Exp $ */
+
+#include <config.h>
+
+#include <isc/magic.h>
+#include <isc/mem.h>
+#include <isc/once.h>
+#include <isc/util.h>
+
+#if ISC_MEM_TRACKLINES
+#define FLARG_PASS , file, line
+#define FLARG , const char *file, unsigned int line
+#else
+#define FLARG_PASS
+#define FLARG
+#endif
+
+static isc_mutex_t createlock;
+static isc_once_t once = ISC_ONCE_INIT;
+static isc_memcreatefunc_t mem_createfunc = NULL;
+
+static void
+initialize(void) {
+ RUNTIME_CHECK(isc_mutex_init(&createlock) == ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_mem_register(isc_memcreatefunc_t createfunc) {
+ isc_result_t result = ISC_R_SUCCESS;
+
+ RUNTIME_CHECK(isc_once_do(&once, initialize) == ISC_R_SUCCESS);
+
+ LOCK(&createlock);
+ if (mem_createfunc == NULL)
+ mem_createfunc = createfunc;
+ else
+ result = ISC_R_EXISTS;
+ UNLOCK(&createlock);
+
+ return (result);
+}
+
+isc_result_t
+isc_mem_create(size_t init_max_size, size_t target_size, isc_mem_t **mctxp) {
+ isc_result_t result;
+
+ LOCK(&createlock);
+
+ REQUIRE(mem_createfunc != NULL);
+ result = (*mem_createfunc)(init_max_size, target_size, mctxp,
+ ISC_MEMFLAG_DEFAULT);
+
+ UNLOCK(&createlock);
+
+ return (result);
+}
+
+isc_result_t
+isc_mem_create2(size_t init_max_size, size_t target_size, isc_mem_t **mctxp,
+ unsigned int flags)
+{
+ isc_result_t result;
+
+ LOCK(&createlock);
+
+ REQUIRE(mem_createfunc != NULL);
+ result = (*mem_createfunc)(init_max_size, target_size, mctxp, flags);
+
+ UNLOCK(&createlock);
+
+ return (result);
+}
+
+void
+isc_mem_attach(isc_mem_t *source, isc_mem_t **targetp) {
+ REQUIRE(ISCAPI_MCTX_VALID(source));
+ REQUIRE(targetp != NULL && *targetp == NULL);
+
+ source->methods->attach(source, targetp);
+
+ ENSURE(*targetp == source);
+}
+
+void
+isc_mem_detach(isc_mem_t **mctxp) {
+ REQUIRE(mctxp != NULL && ISCAPI_MCTX_VALID(*mctxp));
+
+ (*mctxp)->methods->detach(mctxp);
+
+ ENSURE(*mctxp == NULL);
+}
+
+void
+isc_mem_destroy(isc_mem_t **mctxp) {
+ REQUIRE(mctxp != NULL && ISCAPI_MCTX_VALID(*mctxp));
+
+ (*mctxp)->methods->destroy(mctxp);
+
+ ENSURE(*mctxp == NULL);
+}
+
+void *
+isc__mem_get(isc_mem_t *mctx, size_t size FLARG) {
+ REQUIRE(ISCAPI_MCTX_VALID(mctx));
+
+ return (mctx->methods->memget(mctx, size FLARG_PASS));
+}
+
+void
+isc__mem_put(isc_mem_t *mctx, void *ptr, size_t size FLARG) {
+ REQUIRE(ISCAPI_MCTX_VALID(mctx));
+
+ mctx->methods->memput(mctx, ptr, size FLARG_PASS);
+}
+
+void
+isc__mem_putanddetach(isc_mem_t **mctxp, void *ptr, size_t size FLARG) {
+ REQUIRE(mctxp != NULL && ISCAPI_MCTX_VALID(*mctxp));
+
+ (*mctxp)->methods->memputanddetach(mctxp, ptr, size FLARG_PASS);
+
+ /*
+ * XXX: We cannot always ensure *mctxp == NULL here
+ * (see lib/isc/mem.c).
+ */
+}
+
+void *
+isc__mem_allocate(isc_mem_t *mctx, size_t size FLARG) {
+ REQUIRE(ISCAPI_MCTX_VALID(mctx));
+
+ return (mctx->methods->memallocate(mctx, size FLARG_PASS));
+}
+
+void *
+isc__mem_reallocate(isc_mem_t *mctx, void *ptr, size_t size FLARG) {
+ REQUIRE(ISCAPI_MCTX_VALID(mctx));
+
+ return (mctx->methods->memreallocate(mctx, ptr, size FLARG_PASS));
+}
+
+char *
+isc__mem_strdup(isc_mem_t *mctx, const char *s FLARG) {
+ REQUIRE(ISCAPI_MCTX_VALID(mctx));
+
+ return (mctx->methods->memstrdup(mctx, s FLARG_PASS));
+}
+
+void
+isc__mem_free(isc_mem_t *mctx, void *ptr FLARG) {
+ REQUIRE(ISCAPI_MCTX_VALID(mctx));
+
+ mctx->methods->memfree(mctx, ptr FLARG_PASS);
+}
+
+void
+isc_mem_setdestroycheck(isc_mem_t *mctx, isc_boolean_t flag) {
+ REQUIRE(ISCAPI_MCTX_VALID(mctx));
+
+ mctx->methods->setdestroycheck(mctx, flag);
+}
+
+void
+isc_mem_setwater(isc_mem_t *ctx, isc_mem_water_t water, void *water_arg,
+ size_t hiwater, size_t lowater)
+{
+ REQUIRE(ISCAPI_MCTX_VALID(ctx));
+
+ ctx->methods->setwater(ctx, water, water_arg, hiwater, lowater);
+}
+
+void
+isc_mem_waterack(isc_mem_t *ctx, int flag) {
+ REQUIRE(ISCAPI_MCTX_VALID(ctx));
+
+ ctx->methods->waterack(ctx, flag);
+}
+
+size_t
+isc_mem_inuse(isc_mem_t *mctx) {
+ REQUIRE(ISCAPI_MCTX_VALID(mctx));
+
+ return (mctx->methods->inuse(mctx));
+}
+
+isc_boolean_t
+isc_mem_isovermem(isc_mem_t *mctx) {
+ REQUIRE(ISCAPI_MCTX_VALID(mctx));
+
+ return (mctx->methods->isovermem(mctx));
+}
+
+void
+isc_mem_setname(isc_mem_t *mctx, const char *name, void *tag) {
+ REQUIRE(ISCAPI_MCTX_VALID(mctx));
+
+ UNUSED(name);
+ UNUSED(tag);
+
+ return;
+}
+
+const char *
+isc_mem_getname(isc_mem_t *mctx) {
+ REQUIRE(ISCAPI_MCTX_VALID(mctx));
+
+ return ("");
+}
+
+void *
+isc_mem_gettag(isc_mem_t *mctx) {
+ REQUIRE(ISCAPI_MCTX_VALID(mctx));
+
+ return (NULL);
+}
+
+isc_result_t
+isc_mempool_create(isc_mem_t *mctx, size_t size, isc_mempool_t **mpctxp) {
+ REQUIRE(ISCAPI_MCTX_VALID(mctx));
+
+ return (mctx->methods->mpcreate(mctx, size, mpctxp));
+}
+
+void
+isc_mempool_destroy(isc_mempool_t **mpctxp) {
+ REQUIRE(mpctxp != NULL && ISCAPI_MPOOL_VALID(*mpctxp));
+
+ (*mpctxp)->methods->destroy(mpctxp);
+
+ ENSURE(*mpctxp == NULL);
+}
+
+void *
+isc__mempool_get(isc_mempool_t *mpctx FLARG) {
+ REQUIRE(ISCAPI_MPOOL_VALID(mpctx));
+
+ return (mpctx->methods->get(mpctx FLARG_PASS));
+}
+
+void
+isc__mempool_put(isc_mempool_t *mpctx, void *mem FLARG) {
+ REQUIRE(ISCAPI_MPOOL_VALID(mpctx));
+
+ mpctx->methods->put(mpctx, mem FLARG_PASS);
+}
+
+unsigned int
+isc_mempool_getallocated(isc_mempool_t *mpctx) {
+ REQUIRE(ISCAPI_MPOOL_VALID(mpctx));
+
+ return (mpctx->methods->getallocated(mpctx));
+}
+
+void
+isc_mempool_setmaxalloc(isc_mempool_t *mpctx, unsigned int limit) {
+ REQUIRE(ISCAPI_MPOOL_VALID(mpctx));
+
+ mpctx->methods->setmaxalloc(mpctx, limit);
+}
+
+void
+isc_mempool_setfreemax(isc_mempool_t *mpctx, unsigned int limit) {
+ REQUIRE(ISCAPI_MPOOL_VALID(mpctx));
+
+ mpctx->methods->setfreemax(mpctx, limit);
+}
+
+void
+isc_mempool_setname(isc_mempool_t *mpctx, const char *name) {
+ REQUIRE(ISCAPI_MPOOL_VALID(mpctx));
+
+ mpctx->methods->setname(mpctx, name);
+}
+
+void
+isc_mempool_associatelock(isc_mempool_t *mpctx, isc_mutex_t *lock) {
+ REQUIRE(ISCAPI_MPOOL_VALID(mpctx));
+
+ mpctx->methods->associatelock(mpctx, lock);
+}
+
+void
+isc_mempool_setfillcount(isc_mempool_t *mpctx, unsigned int limit) {
+ REQUIRE(ISCAPI_MPOOL_VALID(mpctx));
+
+ mpctx->methods->setfillcount(mpctx, limit);
+}
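Review bot: `isc_mem_create()` and `isc_mem_create2()` take `createlock` without first running `isc_once_do(&once, initialize)`, so if either is reached before `isc_mem_register()` the mutex is locked while still uninitialised, ahead of the `REQUIRE(mem_createfunc != NULL)` that is meant to catch that ordering error. Adding `RUNTIME_CHECK(isc_once_do(&once, initialize) == ISC_R_SUCCESS);` before each `LOCK(&createlock);` closes the gap. `isc_mem_register()` also accepts a NULL `createfunc` without complaint; `REQUIRE(createfunc != NULL);` would reject it. The same lock-before-init pattern appears in `isc_socketmgr_create()` and `isc_socketmgr_createinctx()` in the new socket_api.c.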
diff --git a/contrib/bind9/lib/isc/netaddr.c b/contrib/bind9/lib/isc/netaddr.c
index c7b4801f9e4b..5cce1bc1a03e 100644
--- a/contrib/bind9/lib/isc/netaddr.c
+++ b/contrib/bind9/lib/isc/netaddr.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2007, 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2010-2012 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
diff --git a/contrib/bind9/lib/isc/nls/Makefile.in b/contrib/bind9/lib/isc/nls/Makefile.in
index 9b5bdeb59e56..7bacf1c82dac 100644
--- a/contrib/bind9/lib/isc/nls/Makefile.in
+++ b/contrib/bind9/lib/isc/nls/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2004, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007, 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 1999-2001 Internet Software Consortium.
#
# Permission to use, copy, modify, and/or distribute this software for any
@@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id$
+# $Id: Makefile.in,v 1.17 2009/12/05 23:31:41 each Exp $
srcdir = @srcdir@
VPATH = @srcdir@
diff --git a/contrib/bind9/lib/isc/nothreads/Makefile.in b/contrib/bind9/lib/isc/nothreads/Makefile.in
index 4b5187c4c664..540b2434240c 100644
--- a/contrib/bind9/lib/isc/nothreads/Makefile.in
+++ b/contrib/bind9/lib/isc/nothreads/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2004, 2007, 2010, 2012 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007, 2009, 2010, 2012 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2000, 2001 Internet Software Consortium.
#
# Permission to use, copy, modify, and/or distribute this software for any
@@ -13,11 +13,11 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id$
+# $Id: Makefile.in,v 1.12 2010/06/09 23:50:58 tbox Exp $
-srcdir = @srcdir@
-VPATH = @srcdir@
top_srcdir = @top_srcdir@
+srcdir = @top_srcdir@/lib/isc/nothreads
+VPATH = @top_srcdir@/lib/isc/nothreads
CINCLUDES = -I${srcdir}/include \
-I${srcdir}/../unix/include \
diff --git a/contrib/bind9/lib/isc/print.c b/contrib/bind9/lib/isc/print.c
index b3380e224475..a5e5ba6699d6 100644
--- a/contrib/bind9/lib/isc/print.c
+++ b/contrib/bind9/lib/isc/print.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2008, 2010, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2008, 2010 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001, 2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: print.c,v 1.37 2010/10/18 23:47:08 tbox Exp $ */
/*! \file */
diff --git a/contrib/bind9/lib/isc/pthreads/Makefile.in b/contrib/bind9/lib/isc/pthreads/Makefile.in
index 1540c00ac215..9f66ef33ccee 100644
--- a/contrib/bind9/lib/isc/pthreads/Makefile.in
+++ b/contrib/bind9/lib/isc/pthreads/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2004, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007, 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 1998-2001 Internet Software Consortium.
#
# Permission to use, copy, modify, and/or distribute this software for any
@@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id$
+# $Id: Makefile.in,v 1.22 2009/12/05 23:31:41 each Exp $
srcdir = @srcdir@
VPATH = @srcdir@
diff --git a/contrib/bind9/lib/isc/pthreads/mutex.c b/contrib/bind9/lib/isc/pthreads/mutex.c
index 7c9cc19e651e..c7e5795b6807 100644
--- a/contrib/bind9/lib/isc/pthreads/mutex.c
+++ b/contrib/bind9/lib/isc/pthreads/mutex.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: mutex.c,v 1.18 2011/01/04 23:47:14 tbox Exp $ */
/*! \file */
diff --git a/contrib/bind9/lib/isc/random.c b/contrib/bind9/lib/isc/random.c
index d49a5d74ed4b..8b73ed56927d 100644
--- a/contrib/bind9/lib/isc/random.c
+++ b/contrib/bind9/lib/isc/random.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2007, 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: random.c,v 1.28 2009/07/16 05:52:46 marka Exp $ */
/*! \file */
diff --git a/contrib/bind9/lib/isc/sha1.c b/contrib/bind9/lib/isc/sha1.c
index 023edbae5adb..cce96036045f 100644
--- a/contrib/bind9/lib/isc/sha1.c
+++ b/contrib/bind9/lib/isc/sha1.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2007, 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009, 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -38,11 +38,47 @@
#include "config.h"
#include <isc/assertions.h>
+#include <isc/platform.h>
#include <isc/sha1.h>
#include <isc/string.h>
#include <isc/types.h>
#include <isc/util.h>
+#ifdef ISC_PLATFORM_OPENSSLHASH
+
+void
+isc_sha1_init(isc_sha1_t *context)
+{
+ INSIST(context != NULL);
+
+ EVP_DigestInit(context, EVP_sha1());
+}
+
+void
+isc_sha1_invalidate(isc_sha1_t *context) {
+ EVP_MD_CTX_cleanup(context);
+}
+
+void
+isc_sha1_update(isc_sha1_t *context, const unsigned char *data,
+ unsigned int len)
+{
+ INSIST(context != 0);
+ INSIST(data != 0);
+
+ EVP_DigestUpdate(context, (const void *) data, (size_t) len);
+}
+
+void
+isc_sha1_final(isc_sha1_t *context, unsigned char *digest) {
+ INSIST(digest != 0);
+ INSIST(context != 0);
+
+ EVP_DigestFinal(context, digest, NULL);
+}
+
+#else
+
#define rol(value, bits) (((value) << (bits)) | ((value) >> (32 - (bits))))
/*@{*/
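Review bot: The OpenSSL-backed `isc_sha1_init()`, `isc_sha1_update()` and `isc_sha1_final()` discard the return values of `EVP_DigestInit()`, `EVP_DigestUpdate()` and `EVP_DigestFinal()`, so a failed digest operation can leave `digest` unwritten while the caller carries on as if it held a hash. Because these wrappers return void, the least invasive fix is to check each call in place, e.g. `RUNTIME_CHECK(EVP_DigestFinal(context, digest, NULL) == 1);`. `isc_sha1_invalidate()` is also the only one of the four without an `INSIST` on `context`. The OpenSSL-backed SHA-2 functions added to sha2.c in this commit ignore the EVP results in the same way.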
@@ -315,3 +351,4 @@ isc_sha1_final(isc_sha1_t *context, unsigned char *digest) {
memset(context, 0, sizeof(isc_sha1_t));
}
+#endif
diff --git a/contrib/bind9/lib/isc/sha2.c b/contrib/bind9/lib/isc/sha2.c
index 7db65556e280..aca048e73b12 100644
--- a/contrib/bind9/lib/isc/sha2.c
+++ b/contrib/bind9/lib/isc/sha2.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2005-2007, 2009-2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2005-2007, 2009, 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@@ -58,10 +58,169 @@
#include <config.h>
#include <isc/assertions.h>
+#include <isc/platform.h>
#include <isc/sha2.h>
#include <isc/string.h>
#include <isc/util.h>
+#ifdef ISC_PLATFORM_OPENSSLHASH
+
+void
+isc_sha224_init(isc_sha224_t *context) {
+ if (context == (isc_sha224_t *)0) {
+ return;
+ }
+ EVP_DigestInit(context, EVP_sha224());
+}
+
+void
+isc_sha224_invalidate(isc_sha224_t *context) {
+ EVP_MD_CTX_cleanup(context);
+}
+
+void
+isc_sha224_update(isc_sha224_t *context, const isc_uint8_t* data, size_t len) {
+ if (len == 0U) {
+ /* Calling with no data is valid - we do nothing */
+ return;
+ }
+
+ /* Sanity check: */
+ REQUIRE(context != (isc_sha224_t *)0 && data != (isc_uint8_t*)0);
+
+ EVP_DigestUpdate(context, (const void *) data, len);
+}
+
+void
+isc_sha224_final(isc_uint8_t digest[], isc_sha224_t *context) {
+ /* Sanity check: */
+ REQUIRE(context != (isc_sha224_t *)0);
+
+ /* If no digest buffer is passed, we don't bother doing this: */
+ if (digest != (isc_uint8_t*)0) {
+ EVP_DigestFinal(context, digest, NULL);
+ } else {
+ EVP_MD_CTX_cleanup(context);
+ }
+}
+
+void
+isc_sha256_init(isc_sha256_t *context) {
+ if (context == (isc_sha256_t *)0) {
+ return;
+ }
+ EVP_DigestInit(context, EVP_sha256());
+}
+
+void
+isc_sha256_invalidate(isc_sha256_t *context) {
+ EVP_MD_CTX_cleanup(context);
+}
+
+void
+isc_sha256_update(isc_sha256_t *context, const isc_uint8_t *data, size_t len) {
+ if (len == 0U) {
+ /* Calling with no data is valid - we do nothing */
+ return;
+ }
+
+ /* Sanity check: */
+ REQUIRE(context != (isc_sha256_t *)0 && data != (isc_uint8_t*)0);
+
+ EVP_DigestUpdate(context, (const void *) data, len);
+}
+
+void
+isc_sha256_final(isc_uint8_t digest[], isc_sha256_t *context) {
+ /* Sanity check: */
+ REQUIRE(context != (isc_sha256_t *)0);
+
+ /* If no digest buffer is passed, we don't bother doing this: */
+ if (digest != (isc_uint8_t*)0) {
+ EVP_DigestFinal(context, digest, NULL);
+ } else {
+ EVP_MD_CTX_cleanup(context);
+ }
+}
+
+void
+isc_sha512_init(isc_sha512_t *context) {
+ if (context == (isc_sha512_t *)0) {
+ return;
+ }
+ EVP_DigestInit(context, EVP_sha512());
+}
+
+void
+isc_sha512_invalidate(isc_sha512_t *context) {
+ EVP_MD_CTX_cleanup(context);
+}
+
+void isc_sha512_update(isc_sha512_t *context, const isc_uint8_t *data, size_t len) {
+ if (len == 0U) {
+ /* Calling with no data is valid - we do nothing */
+ return;
+ }
+
+ /* Sanity check: */
+ REQUIRE(context != (isc_sha512_t *)0 && data != (isc_uint8_t*)0);
+
+ EVP_DigestUpdate(context, (const void *) data, len);
+}
+
+void isc_sha512_final(isc_uint8_t digest[], isc_sha512_t *context) {
+ /* Sanity check: */
+ REQUIRE(context != (isc_sha512_t *)0);
+
+ /* If no digest buffer is passed, we don't bother doing this: */
+ if (digest != (isc_uint8_t*)0) {
+ EVP_DigestFinal(context, digest, NULL);
+ } else {
+ EVP_MD_CTX_cleanup(context);
+ }
+}
+
+void
+isc_sha384_init(isc_sha384_t *context) {
+ if (context == (isc_sha384_t *)0) {
+ return;
+ }
+ EVP_DigestInit(context, EVP_sha384());
+}
+
+void
+isc_sha384_invalidate(isc_sha384_t *context) {
+ EVP_MD_CTX_cleanup(context);
+}
+
+void
+isc_sha384_update(isc_sha384_t *context, const isc_uint8_t* data, size_t len) {
+ if (len == 0U) {
+ /* Calling with no data is valid - we do nothing */
+ return;
+ }
+
+ /* Sanity check: */
+ REQUIRE(context != (isc_sha512_t *)0 && data != (isc_uint8_t*)0);
+
+ EVP_DigestUpdate(context, (const void *) data, len);
+}
+
+void
+isc_sha384_final(isc_uint8_t digest[], isc_sha384_t *context) {
+ /* Sanity check: */
+ REQUIRE(context != (isc_sha384_t *)0);
+
+ /* If no digest buffer is passed, we don't bother doing this: */
+ if (digest != (isc_uint8_t*)0) {
+ EVP_DigestFinal(context, digest, NULL);
+ } else {
+ EVP_MD_CTX_cleanup(context);
+ }
+}
+
+#else
+
/*
* UNROLLED TRANSFORM LOOP NOTE:
* You can define SHA2_UNROLL_TRANSFORM to use the unrolled transform
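Review bot: NULL handling in the OpenSSL-backed SHA-2 functions is inconsistent: each `isc_shaNNN_init()` returns silently on a NULL context, `update` and `final` assert on it with `REQUIRE`, and the `invalidate` functions pass it to `EVP_MD_CTX_cleanup()` unchecked. A silent return from init hides a caller bug that the next call then asserts on, so either add `REQUIRE(context != NULL);` to init and invalidate or add a comment saying the silent return is deliberate. In `isc_sha384_update()` the check compares against `(isc_sha512_t *)0`; it should read `(isc_sha384_t *)0` like its siblings. The non-OpenSSL branch opened by `#else` continues past the end of this hunk.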
@@ -394,13 +553,6 @@ static const isc_uint64_t sha512_initial_hash_value[8] = {
};
#endif
-/*
- * Constant used by SHA256/384/512_End() functions for converting the
- * digest to a readable hexadecimal character string:
- */
-static const char *sha2_hex_digits = "0123456789abcdef";
-
-
/*** SHA-224: *********************************************************/
void
@@ -432,41 +584,6 @@ isc_sha224_final(isc_uint8_t digest[], isc_sha224_t *context) {
memset(sha256_digest, 0, ISC_SHA256_DIGESTLENGTH);
}
-char *
-isc_sha224_end(isc_sha224_t *context, char buffer[]) {
- isc_uint8_t digest[ISC_SHA224_DIGESTLENGTH], *d = digest;
- unsigned int i;
-
- /* Sanity check: */
- REQUIRE(context != (isc_sha224_t *)0);
-
- if (buffer != (char*)0) {
- isc_sha224_final(digest, context);
-
- for (i = 0; i < ISC_SHA224_DIGESTLENGTH; i++) {
- *buffer++ = sha2_hex_digits[(*d & 0xf0) >> 4];
- *buffer++ = sha2_hex_digits[*d & 0x0f];
- d++;
- }
- *buffer = (char)0;
- } else {
- memset(context, 0, sizeof(*context));
- }
- memset(digest, 0, ISC_SHA224_DIGESTLENGTH);
- return buffer;
-}
-
-char*
-isc_sha224_data(const isc_uint8_t *data, size_t len,
- char digest[ISC_SHA224_DIGESTSTRINGLENGTH])
-{
- isc_sha224_t context;
-
- isc_sha224_init(&context);
- isc_sha224_update(&context, data, len);
- return (isc_sha224_end(&context, digest));
-}
-
/*** SHA-256: *********************************************************/
void
isc_sha256_init(isc_sha256_t *context) {
@@ -479,6 +596,11 @@ isc_sha256_init(isc_sha256_t *context) {
context->bitcount = 0;
}
+void
+isc_sha256_invalidate(isc_sha256_t *context) {
+ memset(context, 0, sizeof(isc_sha256_t));
+}
+
#ifdef ISC_SHA2_UNROLL_TRANSFORM
/* Unrolled SHA-256 round macros: */
@@ -662,11 +784,6 @@ isc_sha256_transform(isc_sha256_t *context, const isc_uint32_t* data) {
#endif /* ISC_SHA2_UNROLL_TRANSFORM */
void
-isc_sha256_invalidate(isc_sha256_t *context) {
- memset(context, 0, sizeof(isc_sha256_t));
-}
-
-void
isc_sha256_update(isc_sha256_t *context, const isc_uint8_t *data, size_t len) {
unsigned int freespace, usedspace;
@@ -793,42 +910,6 @@ isc_sha256_final(isc_uint8_t digest[], isc_sha256_t *context) {
POST(usedspace);
}
-char *
-isc_sha256_end(isc_sha256_t *context, char buffer[]) {
- isc_uint8_t digest[ISC_SHA256_DIGESTLENGTH], *d = digest;
- unsigned int i;
-
- /* Sanity check: */
- REQUIRE(context != (isc_sha256_t *)0);
-
- if (buffer != (char*)0) {
- isc_sha256_final(digest, context);
-
- for (i = 0; i < ISC_SHA256_DIGESTLENGTH; i++) {
- *buffer++ = sha2_hex_digits[(*d & 0xf0) >> 4];
- *buffer++ = sha2_hex_digits[*d & 0x0f];
- d++;
- }
- *buffer = (char)0;
- } else {
- memset(context, 0, sizeof(*context));
- }
- memset(digest, 0, ISC_SHA256_DIGESTLENGTH);
- return buffer;
-}
-
-char *
-isc_sha256_data(const isc_uint8_t* data, size_t len,
- char digest[ISC_SHA256_DIGESTSTRINGLENGTH])
-{
- isc_sha256_t context;
-
- isc_sha256_init(&context);
- isc_sha256_update(&context, data, len);
- return (isc_sha256_end(&context, digest));
-}
-
-
/*** SHA-512: *********************************************************/
void
isc_sha512_init(isc_sha512_t *context) {
@@ -841,6 +922,11 @@ isc_sha512_init(isc_sha512_t *context) {
context->bitcount[0] = context->bitcount[1] = 0;
}
+void
+isc_sha512_invalidate(isc_sha512_t *context) {
+ memset(context, 0, sizeof(isc_sha512_t));
+}
+
#ifdef ISC_SHA2_UNROLL_TRANSFORM
/* Unrolled SHA-512 round macros: */
@@ -1017,13 +1103,7 @@ isc_sha512_transform(isc_sha512_t *context, const isc_uint64_t* data) {
#endif /* ISC_SHA2_UNROLL_TRANSFORM */
-void
-isc_sha512_invalidate(isc_sha512_t *context) {
- memset(context, 0, sizeof(isc_sha512_t));
-}
-
-void
-isc_sha512_update(isc_sha512_t *context, const isc_uint8_t *data, size_t len) {
+void isc_sha512_update(isc_sha512_t *context, const isc_uint8_t *data, size_t len) {
unsigned int freespace, usedspace;
if (len == 0U) {
@@ -1152,41 +1232,6 @@ void isc_sha512_final(isc_uint8_t digest[], isc_sha512_t *context) {
memset(context, 0, sizeof(*context));
}
-char *
-isc_sha512_end(isc_sha512_t *context, char buffer[]) {
- isc_uint8_t digest[ISC_SHA512_DIGESTLENGTH], *d = digest;
- unsigned int i;
-
- /* Sanity check: */
- REQUIRE(context != (isc_sha512_t *)0);
-
- if (buffer != (char*)0) {
- isc_sha512_final(digest, context);
-
- for (i = 0; i < ISC_SHA512_DIGESTLENGTH; i++) {
- *buffer++ = sha2_hex_digits[(*d & 0xf0) >> 4];
- *buffer++ = sha2_hex_digits[*d & 0x0f];
- d++;
- }
- *buffer = (char)0;
- } else {
- memset(context, 0, sizeof(*context));
- }
- memset(digest, 0, ISC_SHA512_DIGESTLENGTH);
- return buffer;
-}
-
-char *
-isc_sha512_data(const isc_uint8_t *data, size_t len,
- char digest[ISC_SHA512_DIGESTSTRINGLENGTH])
-{
- isc_sha512_t context;
-
- isc_sha512_init(&context);
- isc_sha512_update(&context, data, len);
- return (isc_sha512_end(&context, digest));
-}
-
/*** SHA-384: *********************************************************/
void
@@ -1239,6 +1284,130 @@ isc_sha384_final(isc_uint8_t digest[], isc_sha384_t *context) {
/* Zero out state data */
memset(context, 0, sizeof(*context));
}
+#endif /* !ISC_PLATFORM_OPENSSLHASH */
+
+/*
+ * Constant used by SHA256/384/512_End() functions for converting the
+ * digest to a readable hexadecimal character string:
+ */
+static const char *sha2_hex_digits = "0123456789abcdef";
+
+char *
+isc_sha224_end(isc_sha224_t *context, char buffer[]) {
+ isc_uint8_t digest[ISC_SHA224_DIGESTLENGTH], *d = digest;
+ unsigned int i;
+
+ /* Sanity check: */
+ REQUIRE(context != (isc_sha224_t *)0);
+
+ if (buffer != (char*)0) {
+ isc_sha224_final(digest, context);
+
+ for (i = 0; i < ISC_SHA224_DIGESTLENGTH; i++) {
+ *buffer++ = sha2_hex_digits[(*d & 0xf0) >> 4];
+ *buffer++ = sha2_hex_digits[*d & 0x0f];
+ d++;
+ }
+ *buffer = (char)0;
+ } else {
+#ifdef ISC_PLATFORM_OPENSSLHASH
+ EVP_MD_CTX_cleanup(context);
+#else
+ memset(context, 0, sizeof(*context));
+#endif
+ }
+ memset(digest, 0, ISC_SHA224_DIGESTLENGTH);
+ return buffer;
+}
+
+char *
+isc_sha224_data(const isc_uint8_t *data, size_t len,
+ char digest[ISC_SHA224_DIGESTSTRINGLENGTH])
+{
+ isc_sha224_t context;
+
+ isc_sha224_init(&context);
+ isc_sha224_update(&context, data, len);
+ return (isc_sha224_end(&context, digest));
+}
+
+char *
+isc_sha256_end(isc_sha256_t *context, char buffer[]) {
+ isc_uint8_t digest[ISC_SHA256_DIGESTLENGTH], *d = digest;
+ unsigned int i;
+
+ /* Sanity check: */
+ REQUIRE(context != (isc_sha256_t *)0);
+
+ if (buffer != (char*)0) {
+ isc_sha256_final(digest, context);
+
+ for (i = 0; i < ISC_SHA256_DIGESTLENGTH; i++) {
+ *buffer++ = sha2_hex_digits[(*d & 0xf0) >> 4];
+ *buffer++ = sha2_hex_digits[*d & 0x0f];
+ d++;
+ }
+ *buffer = (char)0;
+ } else {
+#ifdef ISC_PLATFORM_OPENSSLHASH
+ EVP_MD_CTX_cleanup(context);
+#else
+ memset(context, 0, sizeof(*context));
+#endif
+ }
+ memset(digest, 0, ISC_SHA256_DIGESTLENGTH);
+ return buffer;
+}
+
+char *
+isc_sha256_data(const isc_uint8_t* data, size_t len,
+ char digest[ISC_SHA256_DIGESTSTRINGLENGTH])
+{
+ isc_sha256_t context;
+
+ isc_sha256_init(&context);
+ isc_sha256_update(&context, data, len);
+ return (isc_sha256_end(&context, digest));
+}
+
+char *
+isc_sha512_end(isc_sha512_t *context, char buffer[]) {
+ isc_uint8_t digest[ISC_SHA512_DIGESTLENGTH], *d = digest;
+ unsigned int i;
+
+ /* Sanity check: */
+ REQUIRE(context != (isc_sha512_t *)0);
+
+ if (buffer != (char*)0) {
+ isc_sha512_final(digest, context);
+
+ for (i = 0; i < ISC_SHA512_DIGESTLENGTH; i++) {
+ *buffer++ = sha2_hex_digits[(*d & 0xf0) >> 4];
+ *buffer++ = sha2_hex_digits[*d & 0x0f];
+ d++;
+ }
+ *buffer = (char)0;
+ } else {
+#ifdef ISC_PLATFORM_OPENSSLHASH
+ EVP_MD_CTX_cleanup(context);
+#else
+ memset(context, 0, sizeof(*context));
+#endif
+ }
+ memset(digest, 0, ISC_SHA512_DIGESTLENGTH);
+ return buffer;
+}
+
+char *
+isc_sha512_data(const isc_uint8_t *data, size_t len,
+ char digest[ISC_SHA512_DIGESTSTRINGLENGTH])
+{
+ isc_sha512_t context;
+
+ isc_sha512_init(&context);
+ isc_sha512_update(&context, data, len);
+ return (isc_sha512_end(&context, digest));
+}
char *
isc_sha384_end(isc_sha384_t *context, char buffer[]) {
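Review bot: `isc_sha224_end()`, `isc_sha256_end()` and `isc_sha512_end()` return `buffer` after the loop has advanced it, so the caller receives a pointer to the terminating NUL rather than to the start of the hex string, and the matching `isc_shaNNN_data()` functions pass that value straight on. The behaviour is carried over from the copies this commit removes further up, but relocating the code is a good moment to either keep the start (`char *start = buffer;` then `return (start);`) or state on each function that the return value is not the string. Separately, the closing `memset(digest, 0, ...)` writes to a local that is never read again, so an optimising compiler may drop it; it should not be relied on to scrub the digest.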
@@ -1258,13 +1427,17 @@ isc_sha384_end(isc_sha384_t *context, char buffer[]) {
}
*buffer = (char)0;
} else {
+#ifdef ISC_PLATFORM_OPENSSLHASH
+ EVP_MD_CTX_cleanup(context);
+#else
memset(context, 0, sizeof(*context));
+#endif
}
memset(digest, 0, ISC_SHA384_DIGESTLENGTH);
return buffer;
}
-char*
+char *
isc_sha384_data(const isc_uint8_t *data, size_t len,
char digest[ISC_SHA384_DIGESTSTRINGLENGTH])
{
diff --git a/contrib/bind9/lib/isc/sockaddr.c b/contrib/bind9/lib/isc/sockaddr.c
index b241b1f1cfa5..7b43b8f31bb8 100644
--- a/contrib/bind9/lib/isc/sockaddr.c
+++ b/contrib/bind9/lib/isc/sockaddr.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2007, 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2010-2012 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
diff --git a/contrib/bind9/lib/isc/socket_api.c b/contrib/bind9/lib/isc/socket_api.c
new file mode 100644
index 000000000000..e97a93149cc9
--- /dev/null
+++ b/contrib/bind9/lib/isc/socket_api.c
@@ -0,0 +1,216 @@
+/*
+ * Copyright (C) 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id$ */
+
+#include <config.h>
+
+#include <isc/app.h>
+#include <isc/magic.h>
+#include <isc/mutex.h>
+#include <isc/once.h>
+#include <isc/socket.h>
+#include <isc/util.h>
+
+static isc_mutex_t createlock;
+static isc_once_t once = ISC_ONCE_INIT;
+static isc_socketmgrcreatefunc_t socketmgr_createfunc = NULL;
+
+static void
+initialize(void) {
+ RUNTIME_CHECK(isc_mutex_init(&createlock) == ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_socket_register(isc_socketmgrcreatefunc_t createfunc) {
+ isc_result_t result = ISC_R_SUCCESS;
+
+ RUNTIME_CHECK(isc_once_do(&once, initialize) == ISC_R_SUCCESS);
+
+ LOCK(&createlock);
+ if (socketmgr_createfunc == NULL)
+ socketmgr_createfunc = createfunc;
+ else
+ result = ISC_R_EXISTS;
+ UNLOCK(&createlock);
+
+ return (result);
+}
+
+isc_result_t
+isc_socketmgr_createinctx(isc_mem_t *mctx, isc_appctx_t *actx,
+ isc_socketmgr_t **managerp)
+{
+ isc_result_t result;
+
+ LOCK(&createlock);
+
+ REQUIRE(socketmgr_createfunc != NULL);
+ result = (*socketmgr_createfunc)(mctx, managerp);
+
+ UNLOCK(&createlock);
+
+ if (result == ISC_R_SUCCESS)
+ isc_appctx_setsocketmgr(actx, *managerp);
+
+ return (result);
+}
+
+isc_result_t
+isc_socketmgr_create(isc_mem_t *mctx, isc_socketmgr_t **managerp) {
+ isc_result_t result;
+
+ LOCK(&createlock);
+
+ REQUIRE(socketmgr_createfunc != NULL);
+ result = (*socketmgr_createfunc)(mctx, managerp);
+
+ UNLOCK(&createlock);
+
+ return (result);
+}
+
+void
+isc_socketmgr_destroy(isc_socketmgr_t **managerp) {
+ REQUIRE(managerp != NULL && ISCAPI_SOCKETMGR_VALID(*managerp));
+
+ (*managerp)->methods->destroy(managerp);
+
+ ENSURE(*managerp == NULL);
+}
+
+isc_result_t
+isc_socket_create(isc_socketmgr_t *manager, int pf, isc_sockettype_t type,
+ isc_socket_t **socketp)
+{
+ REQUIRE(ISCAPI_SOCKETMGR_VALID(manager));
+
+ return (manager->methods->socketcreate(manager, pf, type, socketp));
+}
+
+void
+isc_socket_attach(isc_socket_t *sock, isc_socket_t **socketp) {
+ REQUIRE(ISCAPI_SOCKET_VALID(sock));
+ REQUIRE(socketp != NULL && *socketp == NULL);
+
+ sock->methods->attach(sock, socketp);
+
+ ENSURE(*socketp == sock);
+}
+
+void
+isc_socket_detach(isc_socket_t **socketp) {
+ REQUIRE(socketp != NULL && ISCAPI_SOCKET_VALID(*socketp));
+
+ (*socketp)->methods->detach(socketp);
+
+ ENSURE(*socketp == NULL);
+}
+
+isc_result_t
+isc_socket_bind(isc_socket_t *sock, isc_sockaddr_t *sockaddr,
+ unsigned int options)
+{
+ REQUIRE(ISCAPI_SOCKET_VALID(sock));
+
+ return (sock->methods->bind(sock, sockaddr, options));
+}
+
+isc_result_t
+isc_socket_sendto(isc_socket_t *sock, isc_region_t *region, isc_task_t *task,
+ isc_taskaction_t action, const void *arg,
+ isc_sockaddr_t *address, struct in6_pktinfo *pktinfo)
+{
+ REQUIRE(ISCAPI_SOCKET_VALID(sock));
+
+ return (sock->methods->sendto(sock, region, task, action, arg, address,
+ pktinfo));
+}
+
+isc_result_t
+isc_socket_connect(isc_socket_t *sock, isc_sockaddr_t *addr, isc_task_t *task,
+ isc_taskaction_t action, const void *arg)
+{
+ REQUIRE(ISCAPI_SOCKET_VALID(sock));
+
+ return (sock->methods->connect(sock, addr, task, action, arg));
+}
+
+isc_result_t
+isc_socket_recv(isc_socket_t *sock, isc_region_t *region, unsigned int minimum,
+ isc_task_t *task, isc_taskaction_t action, const void *arg)
+{
+ REQUIRE(ISCAPI_SOCKET_VALID(sock));
+
+ return (sock->methods->recv(sock, region, minimum, task, action, arg));
+}
+
+void
+isc_socket_cancel(isc_socket_t *sock, isc_task_t *task, unsigned int how) {
+ REQUIRE(ISCAPI_SOCKET_VALID(sock));
+
+ sock->methods->cancel(sock, task, how);
+}
+
+isc_result_t
+isc_socket_getsockname(isc_socket_t *sock, isc_sockaddr_t *addressp) {
+ REQUIRE(ISCAPI_SOCKET_VALID(sock));
+
+ return (sock->methods->getsockname(sock, addressp));
+}
+
+void
+isc_socket_ipv6only(isc_socket_t *sock, isc_boolean_t yes) {
+ REQUIRE(ISCAPI_SOCKET_VALID(sock));
+
+ sock->methods->ipv6only(sock, yes);
+}
+
+isc_sockettype_t
+isc_socket_gettype(isc_socket_t *sock) {
+ REQUIRE(ISCAPI_SOCKET_VALID(sock));
+
+ return (sock->methods->gettype(sock));
+}
+
+void
+isc_socket_setname(isc_socket_t *socket, const char *name, void *tag) {
+ REQUIRE(ISCAPI_SOCKET_VALID(socket));
+
+ UNUSED(socket); /* in case REQUIRE() is empty */
+ UNUSED(name);
+ UNUSED(tag);
+}
+
+isc_result_t
+isc_socket_fdwatchcreate(isc_socketmgr_t *manager, int fd, int flags,
+ isc_sockfdwatch_t callback, void *cbarg,
+ isc_task_t *task, isc_socket_t **socketp)
+{
+ REQUIRE(ISCAPI_SOCKETMGR_VALID(manager));
+
+ return (manager->methods->fdwatchcreate(manager, fd, flags,
+ callback, cbarg, task,
+ socketp));
+}
+
+isc_result_t
+isc_socket_fdwatchpoke(isc_socket_t *sock, int flags)
+{
+ REQUIRE(ISCAPI_SOCKET_VALID(sock));
+
+ return(sock->methods->fdwatchpoke(sock, flags));
+}
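Review bot: `isc_socketmgr_createinctx()` repeats the locked create sequence of `isc_socketmgr_create()` line for line; calling `result = isc_socketmgr_create(mctx, managerp);` and then doing the `isc_appctx_setsocketmgr()` step would keep the two from drifting apart. `actx` is used without any check at this layer, so its validation is left entirely to `isc_appctx_setsocketmgr()`, which is not visible here; a `REQUIRE(actx != NULL);` before the create call would make the precondition explicit. `isc_socket_setname()` validates the socket and then discards `name` and `tag`, which deserves a one-line comment saying the dispatch layer does not store them.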
diff --git a/contrib/bind9/lib/isc/task.c b/contrib/bind9/lib/isc/task.c
index abd851d7deee..a5f6ef98f6c9 100644
--- a/contrib/bind9/lib/isc/task.c
+++ b/contrib/bind9/lib/isc/task.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2008, 2010-2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1998-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -40,9 +40,33 @@
#include <isc/util.h>
#include <isc/xml.h>
-#ifndef ISC_PLATFORM_USETHREADS
+#ifdef OPENSSL_LEAKS
+#include <openssl/err.h>
+#endif
+
+/*%
+ * For BIND9 internal applications:
+ * when built with threads we use multiple worker threads shared by the whole
+ * application.
+ * when built without threads we share a single global task manager and use
+ * an integrated event loop for socket, timer, and other generic task events.
+ * For generic library:
+ * we don't use either of them: an application can have multiple task managers
+ * whether or not it's threaded, and if the application is threaded each thread
+ * is expected to have a separate manager; no "worker threads" are shared by
+ * the application threads.
+ */
+#ifdef BIND9
+#ifdef ISC_PLATFORM_USETHREADS
+#define USE_WORKER_THREADS
+#else
+#define USE_SHARED_MANAGER
+#endif /* ISC_PLATFORM_USETHREADS */
+#endif /* BIND9 */
+
+#ifndef USE_WORKER_THREADS
#include "task_p.h"
-#endif /* ISC_PLATFORM_USETHREADS */
+#endif /* USE_WORKER_THREADS */
#ifdef ISC_TASK_TRACE
#define XTRACE(m) fprintf(stderr, "task %p thread %lu: %s\n", \
@@ -66,16 +90,22 @@ typedef enum {
task_state_done
} task_state_t;
-#ifdef HAVE_LIBXML2
+#if defined(HAVE_LIBXML2) && defined(BIND9)
static const char *statenames[] = {
"idle", "ready", "running", "done",
};
#endif
-struct isc_task {
+#define TASK_MAGIC ISC_MAGIC('T', 'A', 'S', 'K')
+#define VALID_TASK(t) ISC_MAGIC_VALID(t, TASK_MAGIC)
+
+typedef struct isc__task isc__task_t;
+typedef struct isc__taskmgr isc__taskmgr_t;
+
+struct isc__task {
/* Not locked. */
- unsigned int magic;
- isc_taskmgr_t * manager;
+ isc_task_t common;
+ isc__taskmgr_t * manager;
isc_mutex_t lock;
/* Locked by task lock. */
task_state_t state;
@@ -88,8 +118,8 @@ struct isc_task {
char name[16];
void * tag;
/* Locked by task manager lock. */
- LINK(isc_task_t) link;
- LINK(isc_task_t) ready_link;
+ LINK(isc__task_t) link;
+ LINK(isc__task_t) ready_link;
};
#define TASK_F_SHUTTINGDOWN 0x01
@@ -100,9 +130,11 @@ struct isc_task {
#define TASK_MANAGER_MAGIC ISC_MAGIC('T', 'S', 'K', 'M')
#define VALID_MANAGER(m) ISC_MAGIC_VALID(m, TASK_MANAGER_MAGIC)
-struct isc_taskmgr {
+typedef ISC_LIST(isc__task_t) isc__tasklist_t;
+
+struct isc__taskmgr {
/* Not locked. */
- unsigned int magic;
+ isc_taskmgr_t common;
isc_mem_t * mctx;
isc_mutex_t lock;
#ifdef ISC_PLATFORM_USETHREADS
@@ -111,8 +143,8 @@ struct isc_taskmgr {
#endif /* ISC_PLATFORM_USETHREADS */
/* Locked by task manager lock. */
unsigned int default_quantum;
- LIST(isc_task_t) tasks;
- isc_tasklist_t ready_tasks;
+ LIST(isc__task_t) tasks;
+ isc__tasklist_t ready_tasks;
#ifdef ISC_PLATFORM_USETHREADS
isc_condition_t work_available;
isc_condition_t exclusive_granted;
@@ -120,7 +152,8 @@ struct isc_taskmgr {
unsigned int tasks_running;
isc_boolean_t exclusive_requested;
isc_boolean_t exiting;
-#ifndef ISC_PLATFORM_USETHREADS
+ isc__task_t *excl;
+#ifdef USE_SHARED_MANAGER
unsigned int refs;
#endif /* ISC_PLATFORM_USETHREADS */
};
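Review bot: The `#endif /* ISC_PLATFORM_USETHREADS */` that closes the `refs` member is left as context, but the guard it closes is now `#ifdef USE_SHARED_MANAGER`, so the trailing comment names the wrong condition. It should read `#endif /* USE_SHARED_MANAGER */`, matching the other guards this commit renames. Otherwise a reader could take `refs` to exist in every non-threaded build, when it exists only in the BIND9 non-threaded build.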
@@ -129,17 +162,122 @@ struct isc_taskmgr {
#define DEFAULT_DEFAULT_QUANTUM 5
#define FINISHED(m) ((m)->exiting && EMPTY((m)->tasks))
-#ifndef ISC_PLATFORM_USETHREADS
-static isc_taskmgr_t *taskmgr = NULL;
-#endif /* ISC_PLATFORM_USETHREADS */
+#ifdef USE_SHARED_MANAGER
+static isc__taskmgr_t *taskmgr = NULL;
+#endif /* USE_SHARED_MANAGER */
+
+/*%
+ * The following can be either static or public, depending on build environment.
+ */
+
+#ifdef BIND9
+#define ISC_TASKFUNC_SCOPE
+#else
+#define ISC_TASKFUNC_SCOPE static
+#endif
+
+ISC_TASKFUNC_SCOPE isc_result_t
+isc__task_create(isc_taskmgr_t *manager0, unsigned int quantum,
+ isc_task_t **taskp);
+ISC_TASKFUNC_SCOPE void
+isc__task_attach(isc_task_t *source0, isc_task_t **targetp);
+ISC_TASKFUNC_SCOPE void
+isc__task_detach(isc_task_t **taskp);
+ISC_TASKFUNC_SCOPE void
+isc__task_send(isc_task_t *task0, isc_event_t **eventp);
+ISC_TASKFUNC_SCOPE void
+isc__task_sendanddetach(isc_task_t **taskp, isc_event_t **eventp);
+ISC_TASKFUNC_SCOPE unsigned int
+isc__task_purgerange(isc_task_t *task0, void *sender, isc_eventtype_t first,
+ isc_eventtype_t last, void *tag);
+ISC_TASKFUNC_SCOPE unsigned int
+isc__task_purge(isc_task_t *task, void *sender, isc_eventtype_t type,
+ void *tag);
+ISC_TASKFUNC_SCOPE isc_boolean_t
+isc__task_purgeevent(isc_task_t *task0, isc_event_t *event);
+ISC_TASKFUNC_SCOPE unsigned int
+isc__task_unsendrange(isc_task_t *task, void *sender, isc_eventtype_t first,
+ isc_eventtype_t last, void *tag,
+ isc_eventlist_t *events);
+ISC_TASKFUNC_SCOPE unsigned int
+isc__task_unsend(isc_task_t *task, void *sender, isc_eventtype_t type,
+ void *tag, isc_eventlist_t *events);
+ISC_TASKFUNC_SCOPE isc_result_t
+isc__task_onshutdown(isc_task_t *task0, isc_taskaction_t action,
+ const void *arg);
+ISC_TASKFUNC_SCOPE void
+isc__task_shutdown(isc_task_t *task0);
+ISC_TASKFUNC_SCOPE void
+isc__task_destroy(isc_task_t **taskp);
+ISC_TASKFUNC_SCOPE void
+isc__task_setname(isc_task_t *task0, const char *name, void *tag);
+ISC_TASKFUNC_SCOPE const char *
+isc__task_getname(isc_task_t *task0);
+ISC_TASKFUNC_SCOPE void *
+isc__task_gettag(isc_task_t *task0);
+ISC_TASKFUNC_SCOPE void
+isc__task_getcurrenttime(isc_task_t *task0, isc_stdtime_t *t);
+ISC_TASKFUNC_SCOPE isc_result_t
+isc__taskmgr_create(isc_mem_t *mctx, unsigned int workers,
+ unsigned int default_quantum, isc_taskmgr_t **managerp);
+ISC_TASKFUNC_SCOPE void
+isc__taskmgr_destroy(isc_taskmgr_t **managerp);
+ISC_TASKFUNC_SCOPE void
+isc__taskmgr_setexcltask(isc_taskmgr_t *mgr0, isc_task_t *task0);
+ISC_TASKFUNC_SCOPE isc_result_t
+isc__taskmgr_excltask(isc_taskmgr_t *mgr0, isc_task_t **taskp);
+ISC_TASKFUNC_SCOPE isc_result_t
+isc__task_beginexclusive(isc_task_t *task);
+ISC_TASKFUNC_SCOPE void
+isc__task_endexclusive(isc_task_t *task0);
+
+static struct isc__taskmethods {
+ isc_taskmethods_t methods;
+
+ /*%
+ * The following are defined just for avoiding unused static functions.
+ */
+#ifndef BIND9
+ void *purgeevent, *unsendrange, *getname, *gettag, *getcurrenttime;
+#endif
+} taskmethods = {
+ {
+ isc__task_attach,
+ isc__task_detach,
+ isc__task_destroy,
+ isc__task_send,
+ isc__task_sendanddetach,
+ isc__task_unsend,
+ isc__task_onshutdown,
+ isc__task_shutdown,
+ isc__task_setname,
+ isc__task_purge,
+ isc__task_purgerange,
+ isc__task_beginexclusive,
+ isc__task_endexclusive
+ }
+#ifndef BIND9
+ ,
+ (void *)isc__task_purgeevent, (void *)isc__task_unsendrange,
+ (void *)isc__task_getname, (void *)isc__task_gettag,
+ (void *)isc__task_getcurrenttime
+#endif
+};
+
+static isc_taskmgrmethods_t taskmgrmethods = {
+ isc__taskmgr_destroy,
+ isc__task_create,
+ isc__taskmgr_setexcltask,
+ isc__taskmgr_excltask
+};
/***
*** Tasks.
***/
static void
-task_finished(isc_task_t *task) {
- isc_taskmgr_t *manager = task->manager;
+task_finished(isc__task_t *task) {
+ isc__taskmgr_t *manager = task->manager;
REQUIRE(EMPTY(task->events));
REQUIRE(EMPTY(task->on_shutdown));
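Review bot: The extra members of `struct isc__taskmethods` hold function addresses as `void *` (`(void *)isc__task_purgeevent` and the four after it), and ISO C does not define conversion between function pointers and `void *`. A generic function-pointer type such as `void (*purgeevent)(void)` would silence the unused-static warning without relying on that conversion. Separately, `taskmethods` and `taskmgrmethods` are writable statics that every task and manager dispatches through. If the `methods` members in the public structs can be const-qualified (the header is not visible here), declaring both tables `static const` would place them in read-only data. The comment above the `#ifndef BIND9` members could also say that they are never called through the table.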
@@ -150,7 +288,7 @@ task_finished(isc_task_t *task) {
LOCK(&manager->lock);
UNLINK(manager->tasks, task, link);
-#ifdef ISC_PLATFORM_USETHREADS
+#ifdef USE_WORKER_THREADS
if (FINISHED(manager)) {
/*
* All tasks have completed and the
@@ -160,19 +298,21 @@ task_finished(isc_task_t *task) {
*/
BROADCAST(&manager->work_available);
}
-#endif /* ISC_PLATFORM_USETHREADS */
+#endif /* USE_WORKER_THREADS */
UNLOCK(&manager->lock);
DESTROYLOCK(&task->lock);
- task->magic = 0;
+ task->common.impmagic = 0;
+ task->common.magic = 0;
isc_mem_put(manager->mctx, task, sizeof(*task));
}
-isc_result_t
-isc_task_create(isc_taskmgr_t *manager, unsigned int quantum,
- isc_task_t **taskp)
+ISC_TASKFUNC_SCOPE isc_result_t
+isc__task_create(isc_taskmgr_t *manager0, unsigned int quantum,
+ isc_task_t **taskp)
{
- isc_task_t *task;
+ isc__taskmgr_t *manager = (isc__taskmgr_t *)manager0;
+ isc__task_t *task;
isc_boolean_t exiting;
isc_result_t result;
@@ -217,14 +357,17 @@ isc_task_create(isc_taskmgr_t *manager, unsigned int quantum,
return (ISC_R_SHUTTINGDOWN);
}
- task->magic = TASK_MAGIC;
- *taskp = task;
+ task->common.methods = (isc_taskmethods_t *)&taskmethods;
+ task->common.magic = ISCAPI_TASK_MAGIC;
+ task->common.impmagic = TASK_MAGIC;
+ *taskp = (isc_task_t *)task;
return (ISC_R_SUCCESS);
}
-void
-isc_task_attach(isc_task_t *source, isc_task_t **targetp) {
+ISC_TASKFUNC_SCOPE void
+isc__task_attach(isc_task_t *source0, isc_task_t **targetp) {
+ isc__task_t *source = (isc__task_t *)source0;
/*
* Attach *targetp to source.
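Review bot: The assignment `task->common.methods = (isc_taskmethods_t *)&taskmethods;` casts the wrapper struct where it could name the embedded table directly. The cast hides any future mismatch if `struct isc__taskmethods` is reordered. Writing `task->common.methods = &taskmethods.methods;` needs no cast and lets the compiler check the type. isc__task_create starts outside this hunk, so the earlier validation of `manager` is not visible here.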
@@ -239,11 +382,11 @@ isc_task_attach(isc_task_t *source, isc_task_t **targetp) {
source->references++;
UNLOCK(&source->lock);
- *targetp = source;
+ *targetp = (isc_task_t *)source;
}
static inline isc_boolean_t
-task_shutdown(isc_task_t *task) {
+task_shutdown(isc__task_t *task) {
isc_boolean_t was_idle = ISC_FALSE;
isc_event_t *event, *prev;
@@ -280,8 +423,8 @@ task_shutdown(isc_task_t *task) {
}
static inline void
-task_ready(isc_task_t *task) {
- isc_taskmgr_t *manager = task->manager;
+task_ready(isc__task_t *task) {
+ isc__taskmgr_t *manager = task->manager;
REQUIRE(VALID_MANAGER(manager));
REQUIRE(task->state == task_state_ready);
@@ -291,15 +434,15 @@ task_ready(isc_task_t *task) {
LOCK(&manager->lock);
ENQUEUE(manager->ready_tasks, task, ready_link);
-#ifdef ISC_PLATFORM_USETHREADS
+#ifdef USE_WORKER_THREADS
SIGNAL(&manager->work_available);
-#endif /* ISC_PLATFORM_USETHREADS */
+#endif /* USE_WORKER_THREADS */
UNLOCK(&manager->lock);
}
static inline isc_boolean_t
-task_detach(isc_task_t *task) {
+task_detach(isc__task_t *task) {
/*
* Caller must be holding the task lock.
@@ -327,9 +470,9 @@ task_detach(isc_task_t *task) {
return (ISC_FALSE);
}
-void
-isc_task_detach(isc_task_t **taskp) {
- isc_task_t *task;
+ISC_TASKFUNC_SCOPE void
+isc__task_detach(isc_task_t **taskp) {
+ isc__task_t *task;
isc_boolean_t was_idle;
/*
@@ -337,7 +480,7 @@ isc_task_detach(isc_task_t **taskp) {
*/
REQUIRE(taskp != NULL);
- task = *taskp;
+ task = (isc__task_t *)*taskp;
REQUIRE(VALID_TASK(task));
XTRACE("isc_task_detach");
@@ -353,7 +496,7 @@ isc_task_detach(isc_task_t **taskp) {
}
static inline isc_boolean_t
-task_send(isc_task_t *task, isc_event_t **eventp) {
+task_send(isc__task_t *task, isc_event_t **eventp) {
isc_boolean_t was_idle = ISC_FALSE;
isc_event_t *event;
@@ -382,8 +525,9 @@ task_send(isc_task_t *task, isc_event_t **eventp) {
return (was_idle);
}
-void
-isc_task_send(isc_task_t *task, isc_event_t **eventp) {
+ISC_TASKFUNC_SCOPE void
+isc__task_send(isc_task_t *task0, isc_event_t **eventp) {
+ isc__task_t *task = (isc__task_t *)task0;
isc_boolean_t was_idle;
/*
@@ -423,10 +567,10 @@ isc_task_send(isc_task_t *task, isc_event_t **eventp) {
}
}
-void
-isc_task_sendanddetach(isc_task_t **taskp, isc_event_t **eventp) {
+ISC_TASKFUNC_SCOPE void
+isc__task_sendanddetach(isc_task_t **taskp, isc_event_t **eventp) {
isc_boolean_t idle1, idle2;
- isc_task_t *task;
+ isc__task_t *task;
/*
* Send '*event' to '*taskp' and then detach '*taskp' from its
@@ -434,7 +578,7 @@ isc_task_sendanddetach(isc_task_t **taskp, isc_event_t **eventp) {
*/
REQUIRE(taskp != NULL);
- task = *taskp;
+ task = (isc__task_t *)*taskp;
REQUIRE(VALID_TASK(task));
XTRACE("isc_task_sendanddetach");
@@ -460,7 +604,7 @@ isc_task_sendanddetach(isc_task_t **taskp, isc_event_t **eventp) {
#define PURGE_OK(event) (((event)->ev_attributes & ISC_EVENTATTR_NOPURGE) == 0)
static unsigned int
-dequeue_events(isc_task_t *task, void *sender, isc_eventtype_t first,
+dequeue_events(isc__task_t *task, void *sender, isc_eventtype_t first,
isc_eventtype_t last, void *tag,
isc_eventlist_t *events, isc_boolean_t purging)
{
@@ -499,10 +643,11 @@ dequeue_events(isc_task_t *task, void *sender, isc_eventtype_t first,
return (count);
}
-unsigned int
-isc_task_purgerange(isc_task_t *task, void *sender, isc_eventtype_t first,
- isc_eventtype_t last, void *tag)
+ISC_TASKFUNC_SCOPE unsigned int
+isc__task_purgerange(isc_task_t *task0, void *sender, isc_eventtype_t first,
+ isc_eventtype_t last, void *tag)
{
+ isc__task_t *task = (isc__task_t *)task0;
unsigned int count;
isc_eventlist_t events;
isc_event_t *event, *next_event;
@@ -530,9 +675,9 @@ isc_task_purgerange(isc_task_t *task, void *sender, isc_eventtype_t first,
return (count);
}
-unsigned int
-isc_task_purge(isc_task_t *task, void *sender, isc_eventtype_t type,
- void *tag)
+ISC_TASKFUNC_SCOPE unsigned int
+isc__task_purge(isc_task_t *task, void *sender, isc_eventtype_t type,
+ void *tag)
{
/*
* Purge events from a task's event queue.
@@ -540,11 +685,12 @@ isc_task_purge(isc_task_t *task, void *sender, isc_eventtype_t type,
XTRACE("isc_task_purge");
- return (isc_task_purgerange(task, sender, type, type, tag));
+ return (isc__task_purgerange(task, sender, type, type, tag));
}
-isc_boolean_t
-isc_task_purgeevent(isc_task_t *task, isc_event_t *event) {
+ISC_TASKFUNC_SCOPE isc_boolean_t
+isc__task_purgeevent(isc_task_t *task0, isc_event_t *event) {
+ isc__task_t *task = (isc__task_t *)task0;
isc_event_t *curr_event, *next_event;
/*
@@ -585,10 +731,10 @@ isc_task_purgeevent(isc_task_t *task, isc_event_t *event) {
return (ISC_TRUE);
}
-unsigned int
-isc_task_unsendrange(isc_task_t *task, void *sender, isc_eventtype_t first,
- isc_eventtype_t last, void *tag,
- isc_eventlist_t *events)
+ISC_TASKFUNC_SCOPE unsigned int
+isc__task_unsendrange(isc_task_t *task, void *sender, isc_eventtype_t first,
+ isc_eventtype_t last, void *tag,
+ isc_eventlist_t *events)
{
/*
* Remove events from a task's event queue.
@@ -596,13 +742,13 @@ isc_task_unsendrange(isc_task_t *task, void *sender, isc_eventtype_t first,
XTRACE("isc_task_unsendrange");
- return (dequeue_events(task, sender, first, last, tag, events,
- ISC_FALSE));
+ return (dequeue_events((isc__task_t *)task, sender, first,
+ last, tag, events, ISC_FALSE));
}
-unsigned int
-isc_task_unsend(isc_task_t *task, void *sender, isc_eventtype_t type,
- void *tag, isc_eventlist_t *events)
+ISC_TASKFUNC_SCOPE unsigned int
+isc__task_unsend(isc_task_t *task, void *sender, isc_eventtype_t type,
+ void *tag, isc_eventlist_t *events)
{
/*
* Remove events from a task's event queue.
@@ -610,13 +756,15 @@ isc_task_unsend(isc_task_t *task, void *sender, isc_eventtype_t type,
XTRACE("isc_task_unsend");
- return (dequeue_events(task, sender, type, type, tag, events,
- ISC_FALSE));
+ return (dequeue_events((isc__task_t *)task, sender, type,
+ type, tag, events, ISC_FALSE));
}
-isc_result_t
-isc_task_onshutdown(isc_task_t *task, isc_taskaction_t action, const void *arg)
+ISC_TASKFUNC_SCOPE isc_result_t
+isc__task_onshutdown(isc_task_t *task0, isc_taskaction_t action,
+ const void *arg)
{
+ isc__task_t *task = (isc__task_t *)task0;
isc_boolean_t disallowed = ISC_FALSE;
isc_result_t result = ISC_R_SUCCESS;
isc_event_t *event;
@@ -652,8 +800,9 @@ isc_task_onshutdown(isc_task_t *task, isc_taskaction_t action, const void *arg)
return (result);
}
-void
-isc_task_shutdown(isc_task_t *task) {
+ISC_TASKFUNC_SCOPE void
+isc__task_shutdown(isc_task_t *task0) {
+ isc__task_t *task = (isc__task_t *)task0;
isc_boolean_t was_idle;
/*
@@ -670,8 +819,8 @@ isc_task_shutdown(isc_task_t *task) {
task_ready(task);
}
-void
-isc_task_destroy(isc_task_t **taskp) {
+ISC_TASKFUNC_SCOPE void
+isc__task_destroy(isc_task_t **taskp) {
/*
* Destroy '*taskp'.
@@ -683,8 +832,9 @@ isc_task_destroy(isc_task_t **taskp) {
isc_task_detach(taskp);
}
-void
-isc_task_setname(isc_task_t *task, const char *name, void *tag) {
+ISC_TASKFUNC_SCOPE void
+isc__task_setname(isc_task_t *task0, const char *name, void *tag) {
+ isc__task_t *task = (isc__task_t *)task0;
/*
* Name 'task'.
@@ -699,18 +849,28 @@ isc_task_setname(isc_task_t *task, const char *name, void *tag) {
UNLOCK(&task->lock);
}
-const char *
-isc_task_getname(isc_task_t *task) {
+ISC_TASKFUNC_SCOPE const char *
+isc__task_getname(isc_task_t *task0) {
+ isc__task_t *task = (isc__task_t *)task0;
+
+ REQUIRE(VALID_TASK(task));
+
return (task->name);
}
-void *
-isc_task_gettag(isc_task_t *task) {
+ISC_TASKFUNC_SCOPE void *
+isc__task_gettag(isc_task_t *task0) {
+ isc__task_t *task = (isc__task_t *)task0;
+
+ REQUIRE(VALID_TASK(task));
+
return (task->tag);
}
-void
-isc_task_getcurrenttime(isc_task_t *task, isc_stdtime_t *t) {
+ISC_TASKFUNC_SCOPE void
+isc__task_getcurrenttime(isc_task_t *task0, isc_stdtime_t *t) {
+ isc__task_t *task = (isc__task_t *)task0;
+
REQUIRE(VALID_TASK(task));
REQUIRE(t != NULL);
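Review bot: isc__task_getname() and isc__task_gettag() now validate the task but still return `task->name` and `task->tag` without taking the task lock. The unlock at the top of this hunk shows isc__task_setname() writing them under that lock, and the struct appears to list both under "Locked by task lock". A caller can therefore read the 16-byte name buffer while another thread rewrites it. If lock-free reads are intended, the contract should be stated, for example `/* Returns a pointer into the task; the caller must ensure no concurrent isc_task_setname(). */` above isc__task_getname, with a matching line for gettag.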
@@ -725,12 +885,12 @@ isc_task_getcurrenttime(isc_task_t *task, isc_stdtime_t *t) {
*** Task Manager.
***/
static void
-dispatch(isc_taskmgr_t *manager) {
- isc_task_t *task;
-#ifndef ISC_PLATFORM_USETHREADS
+dispatch(isc__taskmgr_t *manager) {
+ isc__task_t *task;
+#ifndef USE_WORKER_THREADS
unsigned int total_dispatch_count = 0;
- isc_tasklist_t ready_tasks;
-#endif /* ISC_PLATFORM_USETHREADS */
+ isc__tasklist_t ready_tasks;
+#endif /* USE_WORKER_THREADS */
REQUIRE(VALID_MANAGER(manager));
@@ -784,12 +944,12 @@ dispatch(isc_taskmgr_t *manager) {
* unlocks. The while expression is always protected by the lock.
*/
-#ifndef ISC_PLATFORM_USETHREADS
+#ifndef USE_WORKER_THREADS
ISC_LIST_INIT(ready_tasks);
#endif
LOCK(&manager->lock);
while (!FINISHED(manager)) {
-#ifdef ISC_PLATFORM_USETHREADS
+#ifdef USE_WORKER_THREADS
/*
* For reasons similar to those given in the comment in
* isc_task_send() above, it is safe for us to dequeue
@@ -809,11 +969,11 @@ dispatch(isc_taskmgr_t *manager) {
ISC_MSGSET_TASK,
ISC_MSG_AWAKE, "awake"));
}
-#else /* ISC_PLATFORM_USETHREADS */
+#else /* USE_WORKER_THREADS */
if (total_dispatch_count >= DEFAULT_TASKMGR_QUANTUM ||
EMPTY(manager->ready_tasks))
break;
-#endif /* ISC_PLATFORM_USETHREADS */
+#endif /* USE_WORKER_THREADS */
XTHREADTRACE(isc_msgcat_get(isc_msgcat, ISC_MSGSET_TASK,
ISC_MSG_WORKING, "working"));
@@ -856,13 +1016,15 @@ dispatch(isc_taskmgr_t *manager) {
"execute action"));
if (event->ev_action != NULL) {
UNLOCK(&task->lock);
- (event->ev_action)(task,event);
+ (event->ev_action)(
+ (isc_task_t *)task,
+ event);
LOCK(&task->lock);
}
dispatch_count++;
-#ifndef ISC_PLATFORM_USETHREADS
+#ifndef USE_WORKER_THREADS
total_dispatch_count++;
-#endif /* ISC_PLATFORM_USETHREADS */
+#endif /* USE_WORKER_THREADS */
}
if (task->references == 0 &&
@@ -947,12 +1109,12 @@ dispatch(isc_taskmgr_t *manager) {
LOCK(&manager->lock);
manager->tasks_running--;
-#ifdef ISC_PLATFORM_USETHREADS
+#ifdef USE_WORKER_THREADS
if (manager->exclusive_requested &&
manager->tasks_running == 1) {
SIGNAL(&manager->exclusive_granted);
}
-#endif /* ISC_PLATFORM_USETHREADS */
+#endif /* USE_WORKER_THREADS */
if (requeue) {
/*
* We know we're awake, so we don't have
@@ -973,7 +1135,7 @@ dispatch(isc_taskmgr_t *manager) {
* were usually nonempty, the 'optimization'
* might even hurt rather than help.
*/
-#ifdef ISC_PLATFORM_USETHREADS
+#ifdef USE_WORKER_THREADS
ENQUEUE(manager->ready_tasks, task,
ready_link);
#else
@@ -982,19 +1144,19 @@ dispatch(isc_taskmgr_t *manager) {
}
}
}
-#ifndef ISC_PLATFORM_USETHREADS
+#ifndef USE_WORKER_THREADS
ISC_LIST_APPENDLIST(manager->ready_tasks, ready_tasks, ready_link);
#endif
UNLOCK(&manager->lock);
}
-#ifdef ISC_PLATFORM_USETHREADS
+#ifdef USE_WORKER_THREADS
static isc_threadresult_t
#ifdef _WIN32
WINAPI
#endif
run(void *uap) {
- isc_taskmgr_t *manager = uap;
+ isc__taskmgr_t *manager = uap;
XTHREADTRACE(isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
ISC_MSG_STARTING, "starting"));
@@ -1004,33 +1166,42 @@ run(void *uap) {
XTHREADTRACE(isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
ISC_MSG_EXITING, "exiting"));
+#ifdef OPENSSL_LEAKS
+ ERR_remove_state(0);
+#endif
+
return ((isc_threadresult_t)0);
}
-#endif /* ISC_PLATFORM_USETHREADS */
+#endif /* USE_WORKER_THREADS */
static void
-manager_free(isc_taskmgr_t *manager) {
+manager_free(isc__taskmgr_t *manager) {
isc_mem_t *mctx;
-#ifdef ISC_PLATFORM_USETHREADS
+#ifdef USE_WORKER_THREADS
(void)isc_condition_destroy(&manager->exclusive_granted);
(void)isc_condition_destroy(&manager->work_available);
isc_mem_free(manager->mctx, manager->threads);
-#endif /* ISC_PLATFORM_USETHREADS */
+#endif /* USE_WORKER_THREADS */
DESTROYLOCK(&manager->lock);
- manager->magic = 0;
+ manager->common.impmagic = 0;
+ manager->common.magic = 0;
mctx = manager->mctx;
isc_mem_put(mctx, manager, sizeof(*manager));
isc_mem_detach(&mctx);
+
+#ifdef USE_SHARED_MANAGER
+ taskmgr = NULL;
+#endif /* USE_SHARED_MANAGER */
}
-isc_result_t
-isc_taskmgr_create(isc_mem_t *mctx, unsigned int workers,
- unsigned int default_quantum, isc_taskmgr_t **managerp)
+ISC_TASKFUNC_SCOPE isc_result_t
+isc__taskmgr_create(isc_mem_t *mctx, unsigned int workers,
+ unsigned int default_quantum, isc_taskmgr_t **managerp)
{
isc_result_t result;
unsigned int i, started = 0;
- isc_taskmgr_t *manager;
+ isc__taskmgr_t *manager;
/*
* Create a new task manager.
@@ -1039,28 +1210,33 @@ isc_taskmgr_create(isc_mem_t *mctx, unsigned int workers,
REQUIRE(workers > 0);
REQUIRE(managerp != NULL && *managerp == NULL);
-#ifndef ISC_PLATFORM_USETHREADS
+#ifndef USE_WORKER_THREADS
UNUSED(i);
UNUSED(started);
- UNUSED(workers);
+#endif
+#ifdef USE_SHARED_MANAGER
if (taskmgr != NULL) {
+ if (taskmgr->refs == 0)
+ return (ISC_R_SHUTTINGDOWN);
taskmgr->refs++;
- *managerp = taskmgr;
+ *managerp = (isc_taskmgr_t *)taskmgr;
return (ISC_R_SUCCESS);
}
-#endif /* ISC_PLATFORM_USETHREADS */
+#endif /* USE_SHARED_MANAGER */
manager = isc_mem_get(mctx, sizeof(*manager));
if (manager == NULL)
return (ISC_R_NOMEMORY);
- manager->magic = TASK_MANAGER_MAGIC;
+ manager->common.methods = &taskmgrmethods;
+ manager->common.impmagic = TASK_MANAGER_MAGIC;
+ manager->common.magic = ISCAPI_TASKMGR_MAGIC;
manager->mctx = NULL;
result = isc_mutex_init(&manager->lock);
if (result != ISC_R_SUCCESS)
goto cleanup_mgr;
-#ifdef ISC_PLATFORM_USETHREADS
+#ifdef USE_WORKER_THREADS
manager->workers = 0;
manager->threads = isc_mem_allocate(mctx,
workers * sizeof(isc_thread_t));
@@ -1084,7 +1260,7 @@ isc_taskmgr_create(isc_mem_t *mctx, unsigned int workers,
result = ISC_R_UNEXPECTED;
goto cleanup_workavailable;
}
-#endif /* ISC_PLATFORM_USETHREADS */
+#endif /* USE_WORKER_THREADS */
if (default_quantum == 0)
default_quantum = DEFAULT_DEFAULT_QUANTUM;
manager->default_quantum = default_quantum;
@@ -1093,10 +1269,11 @@ isc_taskmgr_create(isc_mem_t *mctx, unsigned int workers,
manager->tasks_running = 0;
manager->exclusive_requested = ISC_FALSE;
manager->exiting = ISC_FALSE;
+ manager->excl = NULL;
isc_mem_attach(mctx, &manager->mctx);
-#ifdef ISC_PLATFORM_USETHREADS
+#ifdef USE_WORKER_THREADS
LOCK(&manager->lock);
/*
* Start workers.
@@ -1116,16 +1293,17 @@ isc_taskmgr_create(isc_mem_t *mctx, unsigned int workers,
return (ISC_R_NOTHREADS);
}
isc_thread_setconcurrency(workers);
-#else /* ISC_PLATFORM_USETHREADS */
+#endif /* USE_WORKER_THREADS */
+#ifdef USE_SHARED_MANAGER
manager->refs = 1;
taskmgr = manager;
-#endif /* ISC_PLATFORM_USETHREADS */
+#endif /* USE_SHARED_MANAGER */
- *managerp = manager;
+ *managerp = (isc_taskmgr_t *)manager;
return (ISC_R_SUCCESS);
-#ifdef ISC_PLATFORM_USETHREADS
+#ifdef USE_WORKER_THREADS
cleanup_workavailable:
(void)isc_condition_destroy(&manager->work_available);
cleanup_threads:
@@ -1138,10 +1316,10 @@ isc_taskmgr_create(isc_mem_t *mctx, unsigned int workers,
return (result);
}
-void
-isc_taskmgr_destroy(isc_taskmgr_t **managerp) {
- isc_taskmgr_t *manager;
- isc_task_t *task;
+ISC_TASKFUNC_SCOPE void
+isc__taskmgr_destroy(isc_taskmgr_t **managerp) {
+ isc__taskmgr_t *manager;
+ isc__task_t *task;
unsigned int i;
/*
@@ -1149,18 +1327,20 @@ isc_taskmgr_destroy(isc_taskmgr_t **managerp) {
*/
REQUIRE(managerp != NULL);
- manager = *managerp;
+ manager = (isc__taskmgr_t *)*managerp;
REQUIRE(VALID_MANAGER(manager));
-#ifndef ISC_PLATFORM_USETHREADS
+#ifndef USE_WORKER_THREADS
UNUSED(i);
+#endif /* USE_WORKER_THREADS */
- if (manager->refs > 1) {
- manager->refs--;
+#ifdef USE_SHARED_MANAGER
+ manager->refs--;
+ if (manager->refs > 0) {
*managerp = NULL;
return;
}
-#endif /* ISC_PLATFORM_USETHREADS */
+#endif
XTHREADTRACE("isc_taskmgr_destroy");
/*
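Review bot: `manager->refs--` now runs unconditionally on an unsigned counter, so a destroy call that arrives when `refs` is already 0 wraps it to UINT_MAX. The function then takes the `refs > 0` early return and leaves the manager in place. The isc__taskmgr_create hunk tests `taskmgr->refs == 0`, so that state is evidently expected to be observable during shutdown. Adding `REQUIRE(manager->refs > 0);` immediately before the decrement would turn an over-release into an assertion failure instead of a silent wrap. The closing `#endif` of this block also lost its comment and could read `#endif /* USE_SHARED_MANAGER */`.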
@@ -1172,6 +1352,12 @@ isc_taskmgr_destroy(isc_taskmgr_t **managerp) {
*/
/*
+ * Detach the exclusive task before acquiring the manager lock
+ */
+ if (manager->excl != NULL)
+ isc__task_detach((isc_task_t **) &manager->excl);
+
+ /*
* Unlike elsewhere, we're going to hold this lock a long time.
* We need to do so, because otherwise the list of tasks could
* change while we were traversing it.
@@ -1200,7 +1386,7 @@ isc_taskmgr_destroy(isc_taskmgr_t **managerp) {
ENQUEUE(manager->ready_tasks, task, ready_link);
UNLOCK(&task->lock);
}
-#ifdef ISC_PLATFORM_USETHREADS
+#ifdef USE_WORKER_THREADS
/*
* Wake up any sleeping workers. This ensures we get work done if
* there's work left to do, and if there are already no tasks left
@@ -1214,36 +1400,51 @@ isc_taskmgr_destroy(isc_taskmgr_t **managerp) {
*/
for (i = 0; i < manager->workers; i++)
(void)isc_thread_join(manager->threads[i], NULL);
-#else /* ISC_PLATFORM_USETHREADS */
+#else /* USE_WORKER_THREADS */
/*
* Dispatch the shutdown events.
*/
UNLOCK(&manager->lock);
- while (isc__taskmgr_ready())
- (void)isc__taskmgr_dispatch();
+ while (isc__taskmgr_ready((isc_taskmgr_t *)manager))
+ (void)isc__taskmgr_dispatch((isc_taskmgr_t *)manager);
+#ifdef BIND9
if (!ISC_LIST_EMPTY(manager->tasks))
isc_mem_printallactive(stderr);
+#endif
INSIST(ISC_LIST_EMPTY(manager->tasks));
-#endif /* ISC_PLATFORM_USETHREADS */
+#ifdef USE_SHARED_MANAGER
+ taskmgr = NULL;
+#endif
+#endif /* USE_WORKER_THREADS */
manager_free(manager);
*managerp = NULL;
}
-#ifndef ISC_PLATFORM_USETHREADS
+#ifndef USE_WORKER_THREADS
isc_boolean_t
-isc__taskmgr_ready(void) {
- if (taskmgr == NULL)
+isc__taskmgr_ready(isc_taskmgr_t *manager0) {
+ isc__taskmgr_t *manager = (isc__taskmgr_t *)manager0;
+
+#ifdef USE_SHARED_MANAGER
+ if (manager == NULL)
+ manager = taskmgr;
+#endif
+ if (manager == NULL)
return (ISC_FALSE);
- return (ISC_TF(!ISC_LIST_EMPTY(taskmgr->ready_tasks)));
+ return (ISC_TF(!ISC_LIST_EMPTY(manager->ready_tasks)));
}
isc_result_t
-isc__taskmgr_dispatch(void) {
- isc_taskmgr_t *manager = taskmgr;
+isc__taskmgr_dispatch(isc_taskmgr_t *manager0) {
+ isc__taskmgr_t *manager = (isc__taskmgr_t *)manager0;
- if (taskmgr == NULL)
+#ifdef USE_SHARED_MANAGER
+ if (manager == NULL)
+ manager = taskmgr;
+#endif
+ if (manager == NULL)
return (ISC_R_NOTFOUND);
dispatch(manager);
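Review bot: isc__taskmgr_ready() now takes a caller-supplied manager, casts it and reads `manager->ready_tasks` without checking the magic value. Before this change it only ever touched the file-local `taskmgr`. Adding `REQUIRE(VALID_MANAGER(manager));` after the `manager == NULL` return would match the check that dispatch() performs on the same pointer. The `taskmgr = NULL;` added to isc__taskmgr_destroy here duplicates the reset this commit also adds to manager_free(), which is called two lines later, so one of them could go. isc__taskmgr_dispatch continues past the end of this hunk.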
@@ -1251,13 +1452,43 @@ isc__taskmgr_dispatch(void) {
return (ISC_R_SUCCESS);
}
-#endif /* ISC_PLATFORM_USETHREADS */
+#endif /* USE_WORKER_THREADS */
+
+ISC_TASKFUNC_SCOPE void
+isc__taskmgr_setexcltask(isc_taskmgr_t *mgr0, isc_task_t *task0) {
+ isc__taskmgr_t *mgr = (isc__taskmgr_t *) mgr0;
+ isc__task_t *task = (isc__task_t *) task0;
+
+ REQUIRE(VALID_MANAGER(mgr));
+ REQUIRE(VALID_TASK(task));
+ if (mgr->excl != NULL)
+ isc__task_detach((isc_task_t **) &mgr->excl);
+ isc__task_attach(task0, (isc_task_t **) &mgr->excl);
+}
+
+ISC_TASKFUNC_SCOPE isc_result_t
+isc__taskmgr_excltask(isc_taskmgr_t *mgr0, isc_task_t **taskp) {
+ isc__taskmgr_t *mgr = (isc__taskmgr_t *) mgr0;
+
+ REQUIRE(VALID_MANAGER(mgr));
+ REQUIRE(taskp != NULL && *taskp == NULL);
+
+ if (mgr->excl == NULL)
+ return (ISC_R_NOTFOUND);
+
+ isc__task_attach((isc_task_t *) mgr->excl, taskp);
+ return (ISC_R_SUCCESS);
+}
+
+ISC_TASKFUNC_SCOPE isc_result_t
+isc__task_beginexclusive(isc_task_t *task0) {
+#ifdef USE_WORKER_THREADS
+ isc__task_t *task = (isc__task_t *)task0;
+ isc__taskmgr_t *manager = task->manager;
-isc_result_t
-isc_task_beginexclusive(isc_task_t *task) {
-#ifdef ISC_PLATFORM_USETHREADS
- isc_taskmgr_t *manager = task->manager;
REQUIRE(task->state == task_state_running);
+ /* XXX: Require task == manager->excl? */
+
LOCK(&manager->lock);
if (manager->exclusive_requested) {
UNLOCK(&manager->lock);
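Review bot: isc__taskmgr_setexcltask() and isc__taskmgr_excltask() read and replace `mgr->excl` with no lock held, and isc__taskmgr_destroy detaches it before taking the manager lock. The struct places `excl` in the section marked "Locked by task manager lock". In a threaded build, a concurrent set and get can attach to a task pointer that the other thread is detaching. The manager lock itself looks unsuitable, because the detach path can reach task_finished(), which takes it. A small dedicated mutex around the three accesses, or a documented rule that these calls happen only during single-threaded start-up and shutdown, would close the gap. The `/* XXX: Require task == manager->excl? */` in isc__task_beginexclusive also leaves open whether exclusive mode is limited to the designated task, and that should be settled or tracked.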
@@ -1269,15 +1500,17 @@ isc_task_beginexclusive(isc_task_t *task) {
}
UNLOCK(&manager->lock);
#else
- UNUSED(task);
+ UNUSED(task0);
#endif
return (ISC_R_SUCCESS);
}
-void
-isc_task_endexclusive(isc_task_t *task) {
-#ifdef ISC_PLATFORM_USETHREADS
- isc_taskmgr_t *manager = task->manager;
+ISC_TASKFUNC_SCOPE void
+isc__task_endexclusive(isc_task_t *task0) {
+#ifdef USE_WORKER_THREADS
+ isc__task_t *task = (isc__task_t *)task0;
+ isc__taskmgr_t *manager = task->manager;
+
REQUIRE(task->state == task_state_running);
LOCK(&manager->lock);
REQUIRE(manager->exclusive_requested);
@@ -1285,23 +1518,31 @@ isc_task_endexclusive(isc_task_t *task) {
BROADCAST(&manager->work_available);
UNLOCK(&manager->lock);
#else
- UNUSED(task);
+ UNUSED(task0);
#endif
}
+#ifdef USE_SOCKETIMPREGISTER
+isc_result_t
+isc__task_register() {
+ return (isc_task_register(isc__taskmgr_create));
+}
+#endif
+
isc_boolean_t
isc_task_exiting(isc_task_t *t) {
- isc_task_t *task = (isc_task_t *)t;
+ isc__task_t *task = (isc__task_t *)t;
REQUIRE(VALID_TASK(task));
return (TASK_SHUTTINGDOWN(task));
}
-#ifdef HAVE_LIBXML2
+
+#if defined(HAVE_LIBXML2) && defined(BIND9)
void
-isc_taskmgr_renderxml(isc_taskmgr_t *mgr, xmlTextWriterPtr writer)
-{
- isc_task_t *task;
+isc_taskmgr_renderxml(isc_taskmgr_t *mgr0, xmlTextWriterPtr writer) {
+ isc__taskmgr_t *mgr = (isc__taskmgr_t *)mgr0;
+ isc__task_t *task;
LOCK(&mgr->lock);
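Review bot: `isc__task_register()` is defined with empty parentheses, which in C is an old-style declaration that accepts any arguments. `isc__task_register(void)` states the intended prototype and keeps the compiler checking call sites. The function is also guarded by `USE_SOCKETIMPREGISTER` although it registers the task manager implementation. That may be deliberate (one switch for all implementations) but looks copied from the socket code, so a short comment on the guard or a task-specific macro would remove the doubt. isc_taskmgr_renderxml continues outside this hunk.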
@@ -1377,4 +1618,4 @@ isc_taskmgr_renderxml(isc_taskmgr_t *mgr, xmlTextWriterPtr writer)
UNLOCK(&mgr->lock);
}
-#endif /* HAVE_LIBXML2 */
+#endif /* HAVE_LIBXML2 && BIND9 */
diff --git a/contrib/bind9/lib/isc/task_api.c b/contrib/bind9/lib/isc/task_api.c
new file mode 100644
index 000000000000..06a8d24849ba
--- /dev/null
+++ b/contrib/bind9/lib/isc/task_api.c
@@ -0,0 +1,227 @@
+/*
+ * Copyright (C) 2009, 2010, 2012 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id$ */
+
+#include <config.h>
+
+#include <unistd.h>
+
+#include <isc/app.h>
+#include <isc/magic.h>
+#include <isc/mutex.h>
+#include <isc/once.h>
+#include <isc/task.h>
+#include <isc/util.h>
+
+static isc_mutex_t createlock;
+static isc_once_t once = ISC_ONCE_INIT;
+static isc_taskmgrcreatefunc_t taskmgr_createfunc = NULL;
+
+static void
+initialize(void) {
+ RUNTIME_CHECK(isc_mutex_init(&createlock) == ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_task_register(isc_taskmgrcreatefunc_t createfunc) {
+ isc_result_t result = ISC_R_SUCCESS;
+
+ RUNTIME_CHECK(isc_once_do(&once, initialize) == ISC_R_SUCCESS);
+
+ LOCK(&createlock);
+ if (taskmgr_createfunc == NULL)
+ taskmgr_createfunc = createfunc;
+ else
+ result = ISC_R_EXISTS;
+ UNLOCK(&createlock);
+
+ return (result);
+}
+
+isc_result_t
+isc_taskmgr_createinctx(isc_mem_t *mctx, isc_appctx_t *actx,
+ unsigned int workers, unsigned int default_quantum,
+ isc_taskmgr_t **managerp)
+{
+ isc_result_t result;
+
+ LOCK(&createlock);
+
+ REQUIRE(taskmgr_createfunc != NULL);
+ result = (*taskmgr_createfunc)(mctx, workers, default_quantum,
+ managerp);
+
+ UNLOCK(&createlock);
+
+ if (result == ISC_R_SUCCESS)
+ isc_appctx_settaskmgr(actx, *managerp);
+
+ return (result);
+}
+
+isc_result_t
+isc_taskmgr_create(isc_mem_t *mctx, unsigned int workers,
+ unsigned int default_quantum, isc_taskmgr_t **managerp)
+{
+ isc_result_t result;
+
+ LOCK(&createlock);
+
+ REQUIRE(taskmgr_createfunc != NULL);
+ result = (*taskmgr_createfunc)(mctx, workers, default_quantum,
+ managerp);
+
+ UNLOCK(&createlock);
+
+ return (result);
+}
+
+void
+isc_taskmgr_destroy(isc_taskmgr_t **managerp) {
+ REQUIRE(managerp != NULL && ISCAPI_TASKMGR_VALID(*managerp));
+
+ (*managerp)->methods->destroy(managerp);
+
+ ENSURE(*managerp == NULL);
+}
+
+isc_result_t
+isc_task_create(isc_taskmgr_t *manager, unsigned int quantum,
+ isc_task_t **taskp)
+{
+ REQUIRE(ISCAPI_TASKMGR_VALID(manager));
+ REQUIRE(taskp != NULL && *taskp == NULL);
+
+ return (manager->methods->taskcreate(manager, quantum, taskp));
+}
+
+void
+isc_task_attach(isc_task_t *source, isc_task_t **targetp) {
+ REQUIRE(ISCAPI_TASK_VALID(source));
+ REQUIRE(targetp != NULL && *targetp == NULL);
+
+ source->methods->attach(source, targetp);
+
+ ENSURE(*targetp == source);
+}
+
+void
+isc_task_detach(isc_task_t **taskp) {
+ REQUIRE(taskp != NULL && ISCAPI_TASK_VALID(*taskp));
+
+ (*taskp)->methods->detach(taskp);
+
+ ENSURE(*taskp == NULL);
+}
+
+void
+isc_task_send(isc_task_t *task, isc_event_t **eventp) {
+ REQUIRE(ISCAPI_TASK_VALID(task));
+ REQUIRE(eventp != NULL && *eventp != NULL);
+
+ task->methods->send(task, eventp);
+
+ ENSURE(*eventp == NULL);
+}
+
+void
+isc_task_sendanddetach(isc_task_t **taskp, isc_event_t **eventp) {
+ REQUIRE(taskp != NULL && ISCAPI_TASK_VALID(*taskp));
+ REQUIRE(eventp != NULL && *eventp != NULL);
+
+ (*taskp)->methods->sendanddetach(taskp, eventp);
+
+ ENSURE(*taskp == NULL && *eventp == NULL);
+}
+
+unsigned int
+isc_task_unsend(isc_task_t *task, void *sender, isc_eventtype_t type,
+ void *tag, isc_eventlist_t *events)
+{
+ REQUIRE(ISCAPI_TASK_VALID(task));
+
+ return (task->methods->unsend(task, sender, type, tag, events));
+}
+
+isc_result_t
+isc_task_onshutdown(isc_task_t *task, isc_taskaction_t action, const void *arg)
+{
+ REQUIRE(ISCAPI_TASK_VALID(task));
+
+ return (task->methods->onshutdown(task, action, arg));
+}
+
+void
+isc_task_shutdown(isc_task_t *task) {
+ REQUIRE(ISCAPI_TASK_VALID(task));
+
+ task->methods->shutdown(task);
+}
+
+void
+isc_task_setname(isc_task_t *task, const char *name, void *tag) {
+ REQUIRE(ISCAPI_TASK_VALID(task));
+
+ task->methods->setname(task, name, tag);
+}
+
+unsigned int
+isc_task_purge(isc_task_t *task, void *sender, isc_eventtype_t type, void *tag)
+{
+ REQUIRE(ISCAPI_TASK_VALID(task));
+
+ return (task->methods->purgeevents(task, sender, type, tag));
+}
+
+void
+isc_taskmgr_setexcltask(isc_taskmgr_t *mgr, isc_task_t *task) {
+ REQUIRE(ISCAPI_TASK_VALID(task));
+ return (mgr->methods->setexcltask(mgr, task));
+}
+
+isc_result_t
+isc_taskmgr_excltask(isc_taskmgr_t *mgr, isc_task_t **taskp) {
+ return (mgr->methods->excltask(mgr, taskp));
+}
+
+isc_result_t
+isc_task_beginexclusive(isc_task_t *task) {
+ REQUIRE(ISCAPI_TASK_VALID(task));
+
+ return (task->methods->beginexclusive(task));
+}
+
+void
+isc_task_endexclusive(isc_task_t *task) {
+ REQUIRE(ISCAPI_TASK_VALID(task));
+
+ task->methods->endexclusive(task);
+}
+
+
+/*%
+ * This is necessary for libisc's internal timer implementation. Other
+ * implementation might skip implementing this.
+ */
+unsigned int
+isc_task_purgerange(isc_task_t *task, void *sender, isc_eventtype_t first,
+ isc_eventtype_t last, void *tag)
+{
+ REQUIRE(ISCAPI_TASK_VALID(task));
+
+ return (task->methods->purgerange(task, sender, first, last, tag));
+}
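Review bot: `isc_taskmgr_setexcltask` and `isc_taskmgr_excltask` dispatch through `mgr->methods` without validating `mgr`. Every other manager wrapper in this new file checks `ISCAPI_TASKMGR_VALID` before touching the method table, so an invalid or freed manager handle here leads straight to an indirect call through whatever `methods` points at. Both functions should start with `REQUIRE(ISCAPI_TASKMGR_VALID(mgr));`. `isc_taskmgr_excltask` may also want a check on `taskp`, if its contract matches `isc_task_create`. Separately, `isc_taskmgr_setexcltask` is declared `void` but uses `return (mgr->methods->setexcltask(mgr, task));`; a plain call statement is the conforming form.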
diff --git a/contrib/bind9/lib/isc/task_p.h b/contrib/bind9/lib/isc/task_p.h
index 5342a50b0099..85deeae0d0ea 100644
--- a/contrib/bind9/lib/isc/task_p.h
+++ b/contrib/bind9/lib/isc/task_p.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -23,9 +23,9 @@
/*! \file */
isc_boolean_t
-isc__taskmgr_ready(void);
+isc__taskmgr_ready(isc_taskmgr_t *taskmgr);
isc_result_t
-isc__taskmgr_dispatch(void);
+isc__taskmgr_dispatch(isc_taskmgr_t *taskmgr);
#endif /* ISC_TASK_P_H */
diff --git a/contrib/bind9/lib/isc/timer.c b/contrib/bind9/lib/isc/timer.c
index dfebaa39d25d..0da251f4c31b 100644
--- a/contrib/bind9/lib/isc/timer.c
+++ b/contrib/bind9/lib/isc/timer.c
@@ -34,9 +34,22 @@
#include <isc/timer.h>
#include <isc/util.h>
-#ifndef ISC_PLATFORM_USETHREADS
+#ifdef OPENSSL_LEAKS
+#include <openssl/err.h>
+#endif
+
+/* See task.c about the following definition: */
+#ifdef BIND9
+#ifdef ISC_PLATFORM_USETHREADS
+#define USE_TIMER_THREAD
+#else
+#define USE_SHARED_MANAGER
+#endif /* ISC_PLATFORM_USETHREADS */
+#endif /* BIND9 */
+
+#ifndef USE_TIMER_THREAD
#include "timer_p.h"
-#endif /* ISC_PLATFORM_USETHREADS */
+#endif /* USE_TIMER_THREAD */
#ifdef ISC_TIMER_TRACE
#define XTRACE(s) fprintf(stderr, "%s\n", (s))
@@ -58,10 +71,13 @@
#define TIMER_MAGIC ISC_MAGIC('T', 'I', 'M', 'R')
#define VALID_TIMER(t) ISC_MAGIC_VALID(t, TIMER_MAGIC)
-struct isc_timer {
+typedef struct isc__timer isc__timer_t;
+typedef struct isc__timermgr isc__timermgr_t;
+
+struct isc__timer {
/*! Not locked. */
- unsigned int magic;
- isc_timermgr_t * manager;
+ isc_timer_t common;
+ isc__timermgr_t * manager;
isc_mutex_t lock;
/*! Locked by timer lock. */
unsigned int references;
@@ -75,45 +91,119 @@ struct isc_timer {
void * arg;
unsigned int index;
isc_time_t due;
- LINK(isc_timer_t) link;
+ LINK(isc__timer_t) link;
};
#define TIMER_MANAGER_MAGIC ISC_MAGIC('T', 'I', 'M', 'M')
#define VALID_MANAGER(m) ISC_MAGIC_VALID(m, TIMER_MANAGER_MAGIC)
-struct isc_timermgr {
+struct isc__timermgr {
/* Not locked. */
- unsigned int magic;
+ isc_timermgr_t common;
isc_mem_t * mctx;
isc_mutex_t lock;
/* Locked by manager lock. */
isc_boolean_t done;
- LIST(isc_timer_t) timers;
+ LIST(isc__timer_t) timers;
unsigned int nscheduled;
isc_time_t due;
-#ifdef ISC_PLATFORM_USETHREADS
+#ifdef USE_TIMER_THREAD
isc_condition_t wakeup;
isc_thread_t thread;
-#else /* ISC_PLATFORM_USETHREADS */
+#endif /* USE_TIMER_THREAD */
+#ifdef USE_SHARED_MANAGER
unsigned int refs;
-#endif /* ISC_PLATFORM_USETHREADS */
+#endif /* USE_SHARED_MANAGER */
isc_heap_t * heap;
};
-#ifndef ISC_PLATFORM_USETHREADS
+/*%
+ * The followings can be either static or public, depending on build
+ * environment.
+ */
+
+#ifdef BIND9
+#define ISC_TIMERFUNC_SCOPE
+#else
+#define ISC_TIMERFUNC_SCOPE static
+#endif
+
+ISC_TIMERFUNC_SCOPE isc_result_t
+isc__timer_create(isc_timermgr_t *manager, isc_timertype_t type,
+ isc_time_t *expires, isc_interval_t *interval,
+ isc_task_t *task, isc_taskaction_t action, const void *arg,
+ isc_timer_t **timerp);
+ISC_TIMERFUNC_SCOPE isc_result_t
+isc__timer_reset(isc_timer_t *timer, isc_timertype_t type,
+ isc_time_t *expires, isc_interval_t *interval,
+ isc_boolean_t purge);
+ISC_TIMERFUNC_SCOPE isc_timertype_t
+isc__timer_gettype(isc_timer_t *timer);
+ISC_TIMERFUNC_SCOPE isc_result_t
+isc__timer_touch(isc_timer_t *timer);
+ISC_TIMERFUNC_SCOPE void
+isc__timer_attach(isc_timer_t *timer0, isc_timer_t **timerp);
+ISC_TIMERFUNC_SCOPE void
+isc__timer_detach(isc_timer_t **timerp);
+ISC_TIMERFUNC_SCOPE isc_result_t
+isc__timermgr_create(isc_mem_t *mctx, isc_timermgr_t **managerp);
+ISC_TIMERFUNC_SCOPE void
+isc__timermgr_poke(isc_timermgr_t *manager0);
+ISC_TIMERFUNC_SCOPE void
+isc__timermgr_destroy(isc_timermgr_t **managerp);
+
+static struct isc__timermethods {
+ isc_timermethods_t methods;
+
+ /*%
+ * The following are defined just for avoiding unused static functions.
+ */
+#ifndef BIND9
+ void *gettype;
+#endif
+} timermethods = {
+ {
+ isc__timer_attach,
+ isc__timer_detach,
+ isc__timer_reset,
+ isc__timer_touch
+ }
+#ifndef BIND9
+ ,
+ (void *)isc__timer_gettype
+#endif
+};
+
+static struct isc__timermgrmethods {
+ isc_timermgrmethods_t methods;
+#ifndef BIND9
+ void *poke; /* see above */
+#endif
+} timermgrmethods = {
+ {
+ isc__timermgr_destroy,
+ isc__timer_create
+ }
+#ifndef BIND9
+ ,
+ (void *)isc__timermgr_poke
+#endif
+};
+
+#ifdef USE_SHARED_MANAGER
/*!
- * If threads are not in use, there can be only one.
+ * If the manager is supposed to be shared, there can be only one.
*/
-static isc_timermgr_t *timermgr = NULL;
-#endif /* ISC_PLATFORM_USETHREADS */
+static isc__timermgr_t *timermgr = NULL;
+#endif /* USE_SHARED_MANAGER */
static inline isc_result_t
-schedule(isc_timer_t *timer, isc_time_t *now, isc_boolean_t signal_ok) {
+schedule(isc__timer_t *timer, isc_time_t *now, isc_boolean_t signal_ok) {
isc_result_t result;
- isc_timermgr_t *manager;
+ isc__timermgr_t *manager;
isc_time_t due;
int cmp;
-#ifdef ISC_PLATFORM_USETHREADS
+#ifdef USE_TIMER_THREAD
isc_boolean_t timedwait;
#endif
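Review bot: The `gettype` and `poke` members added for non-BIND9 builds store function pointers in `void *` (`(void *)isc__timer_gettype`, `(void *)isc__timermgr_poke`). ISO C does not define that conversion, even though it works on the POSIX platforms this code targets. Since the members exist only to keep the static functions referenced, they can carry the real types, e.g. `isc_timertype_t (*gettype)(isc_timer_t *);` and `void (*poke)(isc_timermgr_t *);`, which removes both casts and lets the compiler check the signatures. `schedule()` starts in this hunk and continues outside it.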
@@ -123,13 +213,13 @@ schedule(isc_timer_t *timer, isc_time_t *now, isc_boolean_t signal_ok) {
REQUIRE(timer->type != isc_timertype_inactive);
-#ifndef ISC_PLATFORM_USETHREADS
+#ifndef USE_TIMER_THREAD
UNUSED(signal_ok);
-#endif /* ISC_PLATFORM_USETHREADS */
+#endif /* USE_TIMER_THREAD */
manager = timer->manager;
-#ifdef ISC_PLATFORM_USETHREADS
+#ifdef USE_TIMER_THREAD
/*!
* If the manager was timed wait, we may need to signal the
* manager to force a wakeup.
@@ -199,7 +289,7 @@ schedule(isc_timer_t *timer, isc_time_t *now, isc_boolean_t signal_ok) {
* the current "next" timer. We do this either by waking up the
* run thread, or explicitly setting the value in the manager.
*/
-#ifdef ISC_PLATFORM_USETHREADS
+#ifdef USE_TIMER_THREAD
/*
* This is a temporary (probably) hack to fix a bug on tru64 5.1
@@ -232,21 +322,21 @@ schedule(isc_timer_t *timer, isc_time_t *now, isc_boolean_t signal_ok) {
"signal (schedule)"));
SIGNAL(&manager->wakeup);
}
-#else /* ISC_PLATFORM_USETHREADS */
+#else /* USE_TIMER_THREAD */
if (timer->index == 1 &&
isc_time_compare(&timer->due, &manager->due) < 0)
manager->due = timer->due;
-#endif /* ISC_PLATFORM_USETHREADS */
+#endif /* USE_TIMER_THREAD */
return (ISC_R_SUCCESS);
}
static inline void
-deschedule(isc_timer_t *timer) {
-#ifdef ISC_PLATFORM_USETHREADS
+deschedule(isc__timer_t *timer) {
+#ifdef USE_TIMER_THREAD
isc_boolean_t need_wakeup = ISC_FALSE;
#endif
- isc_timermgr_t *manager;
+ isc__timermgr_t *manager;
/*
* The caller must ensure locking.
@@ -254,7 +344,7 @@ deschedule(isc_timer_t *timer) {
manager = timer->manager;
if (timer->index > 0) {
-#ifdef ISC_PLATFORM_USETHREADS
+#ifdef USE_TIMER_THREAD
if (timer->index == 1)
need_wakeup = ISC_TRUE;
#endif
@@ -262,20 +352,20 @@ deschedule(isc_timer_t *timer) {
timer->index = 0;
INSIST(manager->nscheduled > 0);
manager->nscheduled--;
-#ifdef ISC_PLATFORM_USETHREADS
+#ifdef USE_TIMER_THREAD
if (need_wakeup) {
XTRACE(isc_msgcat_get(isc_msgcat, ISC_MSGSET_TIMER,
ISC_MSG_SIGNALDESCHED,
"signal (deschedule)"));
SIGNAL(&manager->wakeup);
}
-#endif /* ISC_PLATFORM_USETHREADS */
+#endif /* USE_TIMER_THREAD */
}
}
static void
-destroy(isc_timer_t *timer) {
- isc_timermgr_t *manager = timer->manager;
+destroy(isc__timer_t *timer) {
+ isc__timermgr_t *manager = timer->manager;
/*
* The caller must ensure it is safe to destroy the timer.
@@ -295,17 +385,19 @@ destroy(isc_timer_t *timer) {
isc_task_detach(&timer->task);
DESTROYLOCK(&timer->lock);
- timer->magic = 0;
+ timer->common.impmagic = 0;
+ timer->common.magic = 0;
isc_mem_put(manager->mctx, timer, sizeof(*timer));
}
-isc_result_t
-isc_timer_create(isc_timermgr_t *manager, isc_timertype_t type,
- isc_time_t *expires, isc_interval_t *interval,
- isc_task_t *task, isc_taskaction_t action, const void *arg,
- isc_timer_t **timerp)
+ISC_TIMERFUNC_SCOPE isc_result_t
+isc__timer_create(isc_timermgr_t *manager0, isc_timertype_t type,
+ isc_time_t *expires, isc_interval_t *interval,
+ isc_task_t *task, isc_taskaction_t action, const void *arg,
+ isc_timer_t **timerp)
{
- isc_timer_t *timer;
+ isc__timermgr_t *manager = (isc__timermgr_t *)manager0;
+ isc__timer_t *timer;
isc_result_t result;
isc_time_t now;
@@ -386,7 +478,9 @@ isc_timer_create(isc_timermgr_t *manager, isc_timertype_t type,
return (result);
}
ISC_LINK_INIT(timer, link);
- timer->magic = TIMER_MAGIC;
+ timer->common.impmagic = TIMER_MAGIC;
+ timer->common.magic = ISCAPI_TIMER_MAGIC;
+ timer->common.methods = (isc_timermethods_t *)&timermethods;
LOCK(&manager->lock);
@@ -405,25 +499,27 @@ isc_timer_create(isc_timermgr_t *manager, isc_timertype_t type,
UNLOCK(&manager->lock);
if (result != ISC_R_SUCCESS) {
- timer->magic = 0;
+ timer->common.impmagic = 0;
+ timer->common.magic = 0;
DESTROYLOCK(&timer->lock);
isc_task_detach(&timer->task);
isc_mem_put(manager->mctx, timer, sizeof(*timer));
return (result);
}
- *timerp = timer;
+ *timerp = (isc_timer_t *)timer;
return (ISC_R_SUCCESS);
}
-isc_result_t
-isc_timer_reset(isc_timer_t *timer, isc_timertype_t type,
- isc_time_t *expires, isc_interval_t *interval,
- isc_boolean_t purge)
+ISC_TIMERFUNC_SCOPE isc_result_t
+isc__timer_reset(isc_timer_t *timer0, isc_timertype_t type,
+ isc_time_t *expires, isc_interval_t *interval,
+ isc_boolean_t purge)
{
+ isc__timer_t *timer = (isc__timer_t *)timer0;
isc_time_t now;
- isc_timermgr_t *manager;
+ isc__timermgr_t *manager;
isc_result_t result;
/*
@@ -492,8 +588,9 @@ isc_timer_reset(isc_timer_t *timer, isc_timertype_t type,
return (result);
}
-isc_timertype_t
-isc_timer_gettype(isc_timer_t *timer) {
+ISC_TIMERFUNC_SCOPE isc_timertype_t
+isc__timer_gettype(isc_timer_t *timer0) {
+ isc__timer_t *timer = (isc__timer_t *)timer0;
isc_timertype_t t;
REQUIRE(VALID_TIMER(timer));
@@ -505,8 +602,9 @@ isc_timer_gettype(isc_timer_t *timer) {
return (t);
}
-isc_result_t
-isc_timer_touch(isc_timer_t *timer) {
+ISC_TIMERFUNC_SCOPE isc_result_t
+isc__timer_touch(isc_timer_t *timer0) {
+ isc__timer_t *timer = (isc__timer_t *)timer0;
isc_result_t result;
isc_time_t now;
@@ -535,8 +633,10 @@ isc_timer_touch(isc_timer_t *timer) {
return (result);
}
-void
-isc_timer_attach(isc_timer_t *timer, isc_timer_t **timerp) {
+ISC_TIMERFUNC_SCOPE void
+isc__timer_attach(isc_timer_t *timer0, isc_timer_t **timerp) {
+ isc__timer_t *timer = (isc__timer_t *)timer0;
+
/*
* Attach *timerp to timer.
*/
@@ -548,12 +648,12 @@ isc_timer_attach(isc_timer_t *timer, isc_timer_t **timerp) {
timer->references++;
UNLOCK(&timer->lock);
- *timerp = timer;
+ *timerp = (isc_timer_t *)timer;
}
-void
-isc_timer_detach(isc_timer_t **timerp) {
- isc_timer_t *timer;
+ISC_TIMERFUNC_SCOPE void
+isc__timer_detach(isc_timer_t **timerp) {
+ isc__timer_t *timer;
isc_boolean_t free_timer = ISC_FALSE;
/*
@@ -561,7 +661,7 @@ isc_timer_detach(isc_timer_t **timerp) {
*/
REQUIRE(timerp != NULL);
- timer = *timerp;
+ timer = (isc__timer_t *)*timerp;
REQUIRE(VALID_TIMER(timer));
LOCK(&timer->lock);
@@ -578,11 +678,11 @@ isc_timer_detach(isc_timer_t **timerp) {
}
static void
-dispatch(isc_timermgr_t *manager, isc_time_t *now) {
+dispatch(isc__timermgr_t *manager, isc_time_t *now) {
isc_boolean_t done = ISC_FALSE, post_event, need_schedule;
isc_timerevent_t *event;
isc_eventtype_t type = 0;
- isc_timer_t *timer;
+ isc__timer_t *timer;
isc_result_t result;
isc_boolean_t idle;
@@ -696,13 +796,13 @@ dispatch(isc_timermgr_t *manager, isc_time_t *now) {
}
}
-#ifdef ISC_PLATFORM_USETHREADS
+#ifdef USE_TIMER_THREAD
static isc_threadresult_t
#ifdef _WIN32 /* XXXDCL */
WINAPI
#endif
run(void *uap) {
- isc_timermgr_t *manager = uap;
+ isc__timermgr_t *manager = uap;
isc_time_t now;
isc_result_t result;
@@ -735,13 +835,17 @@ run(void *uap) {
}
UNLOCK(&manager->lock);
+#ifdef OPENSSL_LEAKS
+ ERR_remove_state(0);
+#endif
+
return ((isc_threadresult_t)0);
}
-#endif /* ISC_PLATFORM_USETHREADS */
+#endif /* USE_TIMER_THREAD */
static isc_boolean_t
sooner(void *v1, void *v2) {
- isc_timer_t *t1, *t2;
+ isc__timer_t *t1, *t2;
t1 = v1;
t2 = v2;
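Review bot: The `ERR_remove_state(0)` call added before `run()` returns has no comment explaining why the timer thread touches OpenSSL state. Judging by the `OPENSSL_LEAKS` guard, it is presumably there to release this thread's OpenSSL error queue so it is not reported as a leak at exit. A one-line comment saying so, e.g. `/* Free this thread's OpenSSL error queue before the thread exits. */`, would save the next reader a lookup. Note as well that `ERR_remove_state()` was deprecated in later OpenSSL releases in favour of `ERR_remove_thread_state()`, so this block will need revisiting when the bundled OpenSSL moves. `run()` begins outside this hunk.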
@@ -755,7 +859,7 @@ sooner(void *v1, void *v2) {
static void
set_index(void *what, unsigned int index) {
- isc_timer_t *timer;
+ isc__timer_t *timer;
timer = what;
REQUIRE(VALID_TIMER(timer));
@@ -763,9 +867,9 @@ set_index(void *what, unsigned int index) {
timer->index = index;
}
-isc_result_t
-isc_timermgr_create(isc_mem_t *mctx, isc_timermgr_t **managerp) {
- isc_timermgr_t *manager;
+ISC_TIMERFUNC_SCOPE isc_result_t
+isc__timermgr_create(isc_mem_t *mctx, isc_timermgr_t **managerp) {
+ isc__timermgr_t *manager;
isc_result_t result;
/*
@@ -774,19 +878,21 @@ isc_timermgr_create(isc_mem_t *mctx, isc_timermgr_t **managerp) {
REQUIRE(managerp != NULL && *managerp == NULL);
-#ifndef ISC_PLATFORM_USETHREADS
+#ifdef USE_SHARED_MANAGER
if (timermgr != NULL) {
timermgr->refs++;
- *managerp = timermgr;
+ *managerp = (isc_timermgr_t *)timermgr;
return (ISC_R_SUCCESS);
}
-#endif /* ISC_PLATFORM_USETHREADS */
+#endif /* USE_SHARED_MANAGER */
manager = isc_mem_get(mctx, sizeof(*manager));
if (manager == NULL)
return (ISC_R_NOMEMORY);
- manager->magic = TIMER_MANAGER_MAGIC;
+ manager->common.impmagic = TIMER_MANAGER_MAGIC;
+ manager->common.magic = ISCAPI_TIMERMGR_MAGIC;
+ manager->common.methods = (isc_timermgrmethods_t *)&timermgrmethods;
manager->mctx = NULL;
manager->done = ISC_FALSE;
INIT_LIST(manager->timers);
@@ -806,7 +912,7 @@ isc_timermgr_create(isc_mem_t *mctx, isc_timermgr_t **managerp) {
return (result);
}
isc_mem_attach(mctx, &manager->mctx);
-#ifdef ISC_PLATFORM_USETHREADS
+#ifdef USE_TIMER_THREAD
if (isc_condition_init(&manager->wakeup) != ISC_R_SUCCESS) {
isc_mem_detach(&manager->mctx);
DESTROYLOCK(&manager->lock);
@@ -831,30 +937,33 @@ isc_timermgr_create(isc_mem_t *mctx, isc_timermgr_t **managerp) {
ISC_MSG_FAILED, "failed"));
return (ISC_R_UNEXPECTED);
}
-#else /* ISC_PLATFORM_USETHREADS */
+#endif
+#ifdef USE_SHARED_MANAGER
manager->refs = 1;
timermgr = manager;
-#endif /* ISC_PLATFORM_USETHREADS */
+#endif /* USE_SHARED_MANAGER */
- *managerp = manager;
+ *managerp = (isc_timermgr_t *)manager;
return (ISC_R_SUCCESS);
}
-void
-isc_timermgr_poke(isc_timermgr_t *manager) {
-#ifdef ISC_PLATFORM_USETHREADS
+ISC_TIMERFUNC_SCOPE void
+isc__timermgr_poke(isc_timermgr_t *manager0) {
+#ifdef USE_TIMER_THREAD
+ isc__timermgr_t *manager = (isc__timermgr_t *)manager0;
+
REQUIRE(VALID_MANAGER(manager));
SIGNAL(&manager->wakeup);
#else
- UNUSED(manager);
+ UNUSED(manager0);
#endif
}
-void
-isc_timermgr_destroy(isc_timermgr_t **managerp) {
- isc_timermgr_t *manager;
+ISC_TIMERFUNC_SCOPE void
+isc__timermgr_destroy(isc_timermgr_t **managerp) {
+ isc__timermgr_t *manager;
isc_mem_t *mctx;
/*
@@ -862,34 +971,37 @@ isc_timermgr_destroy(isc_timermgr_t **managerp) {
*/
REQUIRE(managerp != NULL);
- manager = *managerp;
+ manager = (isc__timermgr_t *)*managerp;
REQUIRE(VALID_MANAGER(manager));
LOCK(&manager->lock);
-#ifndef ISC_PLATFORM_USETHREADS
- if (manager->refs > 1) {
- manager->refs--;
+#ifdef USE_SHARED_MANAGER
+ manager->refs--;
+ if (manager->refs > 0) {
UNLOCK(&manager->lock);
*managerp = NULL;
return;
}
+ timermgr = NULL;
+#endif /* USE_SHARED_MANAGER */
- isc__timermgr_dispatch();
-#endif /* ISC_PLATFORM_USETHREADS */
+#ifndef USE_TIMER_THREAD
+ isc__timermgr_dispatch((isc_timermgr_t *)manager);
+#endif
REQUIRE(EMPTY(manager->timers));
manager->done = ISC_TRUE;
-#ifdef ISC_PLATFORM_USETHREADS
+#ifdef USE_TIMER_THREAD
XTRACE(isc_msgcat_get(isc_msgcat, ISC_MSGSET_TIMER,
ISC_MSG_SIGNALDESTROY, "signal (destroy)"));
SIGNAL(&manager->wakeup);
-#endif /* ISC_PLATFORM_USETHREADS */
+#endif /* USE_TIMER_THREAD */
UNLOCK(&manager->lock);
-#ifdef ISC_PLATFORM_USETHREADS
+#ifdef USE_TIMER_THREAD
/*
* Wait for thread to exit.
*/
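Review bot: Under `USE_SHARED_MANAGER`, `manager->refs--` now runs before any check. On an unsigned counter, a destroy call arriving with `refs == 0` wraps to a large value and takes the early-return path instead of failing; the removed code tested `refs > 1` before decrementing. An `INSIST(manager->refs > 0);` immediately before `manager->refs--;` would make the invariant explicit. `timermgr = NULL;` is also assigned here and again at the end of the function in the following hunk (`@@ -898,39 +1010,63 @@`); one of the two should be enough. `isc__timermgr_destroy` begins and ends outside this hunk.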
@@ -898,39 +1010,63 @@ isc_timermgr_destroy(isc_timermgr_t **managerp) {
"isc_thread_join() %s",
isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
ISC_MSG_FAILED, "failed"));
-#endif /* ISC_PLATFORM_USETHREADS */
+#endif /* USE_TIMER_THREAD */
/*
* Clean up.
*/
-#ifdef ISC_PLATFORM_USETHREADS
+#ifdef USE_TIMER_THREAD
(void)isc_condition_destroy(&manager->wakeup);
-#endif /* ISC_PLATFORM_USETHREADS */
+#endif /* USE_TIMER_THREAD */
DESTROYLOCK(&manager->lock);
isc_heap_destroy(&manager->heap);
- manager->magic = 0;
+ manager->common.impmagic = 0;
+ manager->common.magic = 0;
mctx = manager->mctx;
isc_mem_put(mctx, manager, sizeof(*manager));
isc_mem_detach(&mctx);
*managerp = NULL;
+
+#ifdef USE_SHARED_MANAGER
+ timermgr = NULL;
+#endif
}
-#ifndef ISC_PLATFORM_USETHREADS
+#ifndef USE_TIMER_THREAD
isc_result_t
-isc__timermgr_nextevent(isc_time_t *when) {
- if (timermgr == NULL || timermgr->nscheduled == 0)
+isc__timermgr_nextevent(isc_timermgr_t *manager0, isc_time_t *when) {
+ isc__timermgr_t *manager = (isc__timermgr_t *)manager0;
+
+#ifdef USE_SHARED_MANAGER
+ if (manager == NULL)
+ manager = timermgr;
+#endif
+ if (manager == NULL || manager->nscheduled == 0)
return (ISC_R_NOTFOUND);
- *when = timermgr->due;
+ *when = manager->due;
return (ISC_R_SUCCESS);
}
void
-isc__timermgr_dispatch(void) {
+isc__timermgr_dispatch(isc_timermgr_t *manager0) {
+ isc__timermgr_t *manager = (isc__timermgr_t *)manager0;
isc_time_t now;
- if (timermgr == NULL)
+
+#ifdef USE_SHARED_MANAGER
+ if (manager == NULL)
+ manager = timermgr;
+#endif
+ if (manager == NULL)
return;
TIME_NOW(&now);
- dispatch(timermgr, &now);
+ dispatch(manager, &now);
}
-#endif /* ISC_PLATFORM_USETHREADS */
+#endif /* USE_TIMER_THREAD */
+
+#ifdef USE_TIMERIMPREGISTER
+isc_result_t
+isc__timer_register() {
+ return (isc_timer_register(isc__timermgr_create));
+}
+#endif
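Review bot: `isc__timermgr_nextevent` and `isc__timermgr_dispatch` cast `manager0` to `isc__timermgr_t *` and then read `manager->nscheduled` or hand the pointer to `dispatch()` without checking its magic. The other entry points in this file use `VALID_MANAGER`. Because NULL is accepted (it selects the shared `timermgr` when `USE_SHARED_MANAGER` is defined), the check would go after the fallback as `REQUIRE(manager == NULL || VALID_MANAGER(manager));`. The NULL convention also deserves a one-line comment on each function, since the prototypes in timer_p.h do not mention it. As a smaller point, `isc__timer_register()` should be declared with `(void)`.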
diff --git a/contrib/bind9/lib/isc/timer_api.c b/contrib/bind9/lib/isc/timer_api.c
new file mode 100644
index 000000000000..97e62b3f0ec4
--- /dev/null
+++ b/contrib/bind9/lib/isc/timer_api.c
@@ -0,0 +1,144 @@
+/*
+ * Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: timer_api.c,v 1.4 2009/09/02 23:48:02 tbox Exp $ */
+
+#include <config.h>
+
+#include <unistd.h>
+
+#include <isc/app.h>
+#include <isc/magic.h>
+#include <isc/mutex.h>
+#include <isc/once.h>
+#include <isc/timer.h>
+#include <isc/util.h>
+
+static isc_mutex_t createlock;
+static isc_once_t once = ISC_ONCE_INIT;
+static isc_timermgrcreatefunc_t timermgr_createfunc = NULL;
+
+static void
+initialize(void) {
+ RUNTIME_CHECK(isc_mutex_init(&createlock) == ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_timer_register(isc_timermgrcreatefunc_t createfunc) {
+ isc_result_t result = ISC_R_SUCCESS;
+
+ RUNTIME_CHECK(isc_once_do(&once, initialize) == ISC_R_SUCCESS);
+
+ LOCK(&createlock);
+ if (timermgr_createfunc == NULL)
+ timermgr_createfunc = createfunc;
+ else
+ result = ISC_R_EXISTS;
+ UNLOCK(&createlock);
+
+ return (result);
+}
+
+isc_result_t
+isc_timermgr_createinctx(isc_mem_t *mctx, isc_appctx_t *actx,
+ isc_timermgr_t **managerp)
+{
+ isc_result_t result;
+
+ LOCK(&createlock);
+
+ REQUIRE(timermgr_createfunc != NULL);
+ result = (*timermgr_createfunc)(mctx, managerp);
+
+ UNLOCK(&createlock);
+
+ if (result == ISC_R_SUCCESS)
+ isc_appctx_settimermgr(actx, *managerp);
+
+ return (result);
+}
+
+isc_result_t
+isc_timermgr_create(isc_mem_t *mctx, isc_timermgr_t **managerp) {
+ isc_result_t result;
+
+ LOCK(&createlock);
+
+ REQUIRE(timermgr_createfunc != NULL);
+ result = (*timermgr_createfunc)(mctx, managerp);
+
+ UNLOCK(&createlock);
+
+ return (result);
+}
+
+void
+isc_timermgr_destroy(isc_timermgr_t **managerp) {
+ REQUIRE(*managerp != NULL && ISCAPI_TIMERMGR_VALID(*managerp));
+
+ (*managerp)->methods->destroy(managerp);
+
+ ENSURE(*managerp == NULL);
+}
+
+isc_result_t
+isc_timer_create(isc_timermgr_t *manager, isc_timertype_t type,
+ isc_time_t *expires, isc_interval_t *interval,
+ isc_task_t *task, isc_taskaction_t action, const void *arg,
+ isc_timer_t **timerp)
+{
+ REQUIRE(ISCAPI_TIMERMGR_VALID(manager));
+
+ return (manager->methods->timercreate(manager, type, expires,
+ interval, task, action, arg,
+ timerp));
+}
+
+void
+isc_timer_attach(isc_timer_t *timer, isc_timer_t **timerp) {
+ REQUIRE(ISCAPI_TIMER_VALID(timer));
+ REQUIRE(timerp != NULL && *timerp == NULL);
+
+ timer->methods->attach(timer, timerp);
+
+ ENSURE(*timerp == timer);
+}
+
+void
+isc_timer_detach(isc_timer_t **timerp) {
+ REQUIRE(timerp != NULL && ISCAPI_TIMER_VALID(*timerp));
+
+ (*timerp)->methods->detach(timerp);
+
+ ENSURE(*timerp == NULL);
+}
+
+isc_result_t
+isc_timer_reset(isc_timer_t *timer, isc_timertype_t type,
+ isc_time_t *expires, isc_interval_t *interval,
+ isc_boolean_t purge)
+{
+ REQUIRE(ISCAPI_TIMER_VALID(timer));
+
+ return (timer->methods->reset(timer, type, expires, interval, purge));
+}
+
+isc_result_t
+isc_timer_touch(isc_timer_t *timer) {
+ REQUIRE(ISCAPI_TIMER_VALID(timer));
+
+ return (timer->methods->touch(timer));
+}
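Review bot: `isc_timermgr_destroy` asserts `*managerp != NULL`, which dereferences `managerp` before anything has established that `managerp` itself is non-NULL. The parallel wrapper in task_api.c uses `managerp != NULL && ISCAPI_TASKMGR_VALID(*managerp)`. The line should read `REQUIRE(managerp != NULL && ISCAPI_TIMERMGR_VALID(*managerp));` so a NULL argument fails the assertion rather than faulting inside it. `isc_timer_create` likewise forwards `timerp` without the `timerp != NULL && *timerp == NULL` check that `isc_task_create` applies to `taskp`. If the implementation already enforces that, a comment saying so would do.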
diff --git a/contrib/bind9/lib/isc/timer_p.h b/contrib/bind9/lib/isc/timer_p.h
index 54a0aae9adb0..d6f7c996c7e2 100644
--- a/contrib/bind9/lib/isc/timer_p.h
+++ b/contrib/bind9/lib/isc/timer_p.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: timer_p.h,v 1.12 2009/09/02 23:48:02 tbox Exp $ */
#ifndef ISC_TIMER_P_H
#define ISC_TIMER_P_H
@@ -23,9 +23,9 @@
/*! \file */
isc_result_t
-isc__timermgr_nextevent(isc_time_t *when);
+isc__timermgr_nextevent(isc_timermgr_t *timermgr, isc_time_t *when);
void
-isc__timermgr_dispatch(void);
+isc__timermgr_dispatch(isc_timermgr_t *timermgr);
#endif /* ISC_TIMER_P_H */
diff --git a/contrib/bind9/lib/isc/unix/Makefile.in b/contrib/bind9/lib/isc/unix/Makefile.in
index 8aae749ece16..c1411cb3566a 100644
--- a/contrib/bind9/lib/isc/unix/Makefile.in
+++ b/contrib/bind9/lib/isc/unix/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2004, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007, 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 1998-2001 Internet Software Consortium.
#
# Permission to use, copy, modify, and/or distribute this software for any
@@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id$
+# $Id: Makefile.in,v 1.44 2009/12/05 23:31:41 each Exp $
srcdir = @srcdir@
VPATH = @srcdir@
diff --git a/contrib/bind9/lib/isc/unix/app.c b/contrib/bind9/lib/isc/unix/app.c
index 729e1dbaf90d..5393be942504 100644
--- a/contrib/bind9/lib/isc/unix/app.c
+++ b/contrib/bind9/lib/isc/unix/app.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2007, 2008, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007-2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: app.c,v 1.64 2009/11/04 05:58:46 marka Exp $ */
/*! \file */
@@ -37,6 +37,7 @@
#include <isc/app.h>
#include <isc/boolean.h>
#include <isc/condition.h>
+#include <isc/mem.h>
#include <isc/msgs.h>
#include <isc/mutex.h>
#include <isc/event.h>
@@ -47,31 +48,129 @@
#include <isc/time.h>
#include <isc/util.h>
+/*%
+ * For BIND9 internal applications built with threads, we use a single app
+ * context and let multiple worker, I/O, timer threads do actual jobs.
+ * For other cases (including BIND9 built without threads) an app context acts
+ * as an event loop dispatching various events.
+ */
+#if defined(ISC_PLATFORM_USETHREADS) && defined(BIND9)
+#define USE_THREADS_SINGLECTX
+#endif
+
#ifdef ISC_PLATFORM_USETHREADS
#include <pthread.h>
-#else /* ISC_PLATFORM_USETHREADS */
+#endif
+
+#ifndef USE_THREADS_SINGLECTX
#include "../timer_p.h"
#include "../task_p.h"
#include "socket_p.h"
+#endif /* USE_THREADS_SINGLECTX */
+
+#ifdef ISC_PLATFORM_USETHREADS
+static pthread_t blockedthread;
#endif /* ISC_PLATFORM_USETHREADS */
-static isc_eventlist_t on_run;
-static isc_mutex_t lock;
-static isc_boolean_t shutdown_requested = ISC_FALSE;
-static isc_boolean_t running = ISC_FALSE;
-/*!
- * We assume that 'want_shutdown' can be read and written atomically.
+/*%
+ * The following can be either static or public, depending on build environment.
*/
-static volatile isc_boolean_t want_shutdown = ISC_FALSE;
+
+#ifdef BIND9
+#define ISC_APPFUNC_SCOPE
+#else
+#define ISC_APPFUNC_SCOPE static
+#endif
+
+ISC_APPFUNC_SCOPE isc_result_t isc__app_start(void);
+ISC_APPFUNC_SCOPE isc_result_t isc__app_ctxstart(isc_appctx_t *ctx);
+ISC_APPFUNC_SCOPE isc_result_t isc__app_onrun(isc_mem_t *mctx,
+ isc_task_t *task,
+ isc_taskaction_t action,
+ void *arg);
+ISC_APPFUNC_SCOPE isc_result_t isc__app_ctxrun(isc_appctx_t *ctx);
+ISC_APPFUNC_SCOPE isc_result_t isc__app_run(void);
+ISC_APPFUNC_SCOPE isc_result_t isc__app_ctxshutdown(isc_appctx_t *ctx);
+ISC_APPFUNC_SCOPE isc_result_t isc__app_shutdown(void);
+ISC_APPFUNC_SCOPE isc_result_t isc__app_reload(void);
+ISC_APPFUNC_SCOPE isc_result_t isc__app_ctxsuspend(isc_appctx_t *ctx);
+ISC_APPFUNC_SCOPE void isc__app_ctxfinish(isc_appctx_t *ctx);
+ISC_APPFUNC_SCOPE void isc__app_finish(void);
+ISC_APPFUNC_SCOPE void isc__app_block(void);
+ISC_APPFUNC_SCOPE void isc__app_unblock(void);
+ISC_APPFUNC_SCOPE isc_result_t isc__appctx_create(isc_mem_t *mctx,
+ isc_appctx_t **ctxp);
+ISC_APPFUNC_SCOPE void isc__appctx_destroy(isc_appctx_t **ctxp);
+ISC_APPFUNC_SCOPE void isc__appctx_settaskmgr(isc_appctx_t *ctx,
+ isc_taskmgr_t *taskmgr);
+ISC_APPFUNC_SCOPE void isc__appctx_setsocketmgr(isc_appctx_t *ctx,
+ isc_socketmgr_t *socketmgr);
+ISC_APPFUNC_SCOPE void isc__appctx_settimermgr(isc_appctx_t *ctx,
+ isc_timermgr_t *timermgr);
+
/*
- * We assume that 'want_reload' can be read and written atomically.
+ * The application context of this module. This implementation actually
+ * doesn't use it. (This may change in the future).
*/
-static volatile isc_boolean_t want_reload = ISC_FALSE;
+#define APPCTX_MAGIC ISC_MAGIC('A', 'p', 'c', 'x')
+#define VALID_APPCTX(c) ISC_MAGIC_VALID(c, APPCTX_MAGIC)
+
+typedef struct isc__appctx {
+ isc_appctx_t common;
+ isc_mem_t *mctx;
+ isc_mutex_t lock;
+ isc_eventlist_t on_run;
+ isc_boolean_t shutdown_requested;
+ isc_boolean_t running;
+
+ /*!
+ * We assume that 'want_shutdown' can be read and written atomically.
+ */
+ isc_boolean_t want_shutdown;
+ /*
+ * We assume that 'want_reload' can be read and written atomically.
+ */
+ isc_boolean_t want_reload;
-static isc_boolean_t blocked = ISC_FALSE;
-#ifdef ISC_PLATFORM_USETHREADS
-static pthread_t blockedthread;
-#endif /* ISC_PLATFORM_USETHREADS */
+ isc_boolean_t blocked;
+
+ isc_taskmgr_t *taskmgr;
+ isc_socketmgr_t *socketmgr;
+ isc_timermgr_t *timermgr;
+} isc__appctx_t;
+
+static isc__appctx_t isc_g_appctx;
+
+static struct {
+ isc_appmethods_t methods;
+
+ /*%
+ * The following are defined just for avoiding unused static functions.
+ */
+#ifndef BIND9
+ void *run, *shutdown, *start, *onrun, *reload, *finish,
+ *block, *unblock;
+#endif
+} appmethods = {
+ {
+ isc__appctx_destroy,
+ isc__app_ctxstart,
+ isc__app_ctxrun,
+ isc__app_ctxsuspend,
+ isc__app_ctxshutdown,
+ isc__app_ctxfinish,
+ isc__appctx_settaskmgr,
+ isc__appctx_setsocketmgr,
+ isc__appctx_settimermgr
+ }
+#ifndef BIND9
+ ,
+ (void *)isc__app_run, (void *)isc__app_shutdown,
+ (void *)isc__app_start, (void *)isc__app_onrun, (void *)isc__app_reload,
+ (void *)isc__app_finish, (void *)isc__app_block,
+ (void *)isc__app_unblock
+#endif
+};
#ifdef HAVE_LINUXTHREADS
/*!
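Review bot: `want_shutdown` and `want_reload` lose their `volatile` qualifier when they move into `struct isc__appctx`, although `exit_action()` and `reload_action()` in the next hunk still set them from signal handlers and the run loops poll them with `while (!ctx->want_shutdown)`. Without the qualifier the compiler is permitted to cache the flag across iterations, so a signal-driven shutdown or reload is no longer guaranteed to be observed. I would declare the members as `volatile isc_boolean_t want_shutdown;` and `volatile isc_boolean_t want_reload;`, which also matches the "read and written atomically" comments kept above each field. The same fields are written after the context lock is released in isc__app_ctxshutdown() and isc__app_ctxsuspend() further down, so the concern applies there too.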
@@ -91,13 +190,13 @@ static pthread_t main_thread;
static void
exit_action(int arg) {
UNUSED(arg);
- want_shutdown = ISC_TRUE;
+ isc_g_appctx.want_shutdown = ISC_TRUE;
}
static void
reload_action(int arg) {
UNUSED(arg);
- want_reload = ISC_TRUE;
+ isc_g_appctx.want_reload = ISC_TRUE;
}
#endif
@@ -123,12 +222,12 @@ handle_signal(int sig, void (*handler)(int)) {
return (ISC_R_SUCCESS);
}
-isc_result_t
-isc_app_start(void) {
+ISC_APPFUNC_SCOPE isc_result_t
+isc__app_ctxstart(isc_appctx_t *ctx0) {
+ isc__appctx_t *ctx = (isc__appctx_t *)ctx0;
isc_result_t result;
- int presult;
- sigset_t sset;
- char strbuf[ISC_STRERRORSIZE];
+
+ REQUIRE(VALID_APPCTX(ctx));
/*
* Start an ISC library application.
@@ -151,7 +250,35 @@ isc_app_start(void) {
main_thread = pthread_self();
#endif
- result = isc_mutex_init(&lock);
+ result = isc_mutex_init(&ctx->lock);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ ISC_LIST_INIT(ctx->on_run);
+
+ ctx->shutdown_requested = ISC_FALSE;
+ ctx->running = ISC_FALSE;
+ ctx->want_shutdown = ISC_FALSE;
+ ctx->want_reload = ISC_FALSE;
+ ctx->blocked = ISC_FALSE;
+
+ return (ISC_R_SUCCESS);
+}
+
+ISC_APPFUNC_SCOPE isc_result_t
+isc__app_start(void) {
+ isc_result_t result;
+ int presult;
+ sigset_t sset;
+ char strbuf[ISC_STRERRORSIZE];
+
+ isc_g_appctx.common.impmagic = APPCTX_MAGIC;
+ isc_g_appctx.common.magic = ISCAPI_APPCTX_MAGIC;
+ isc_g_appctx.common.methods = &appmethods.methods;
+ isc_g_appctx.mctx = NULL;
+ /* The remaining members will be initialized in ctxstart() */
+
+ result = isc__app_ctxstart((isc_appctx_t *)&isc_g_appctx);
if (result != ISC_R_SUCCESS)
return (result);
@@ -253,22 +380,20 @@ isc_app_start(void) {
}
#endif /* ISC_PLATFORM_USETHREADS */
- ISC_LIST_INIT(on_run);
-
return (ISC_R_SUCCESS);
}
-isc_result_t
-isc_app_onrun(isc_mem_t *mctx, isc_task_t *task, isc_taskaction_t action,
+ISC_APPFUNC_SCOPE isc_result_t
+isc__app_onrun(isc_mem_t *mctx, isc_task_t *task, isc_taskaction_t action,
void *arg)
{
isc_event_t *event;
isc_task_t *cloned_task = NULL;
isc_result_t result;
- LOCK(&lock);
+ LOCK(&isc_g_appctx.lock);
- if (running) {
+ if (isc_g_appctx.running) {
result = ISC_R_ALREADYRUNNING;
goto unlock;
}
@@ -285,24 +410,25 @@ isc_app_onrun(isc_mem_t *mctx, isc_task_t *task, isc_taskaction_t action,
goto unlock;
}
- ISC_LIST_APPEND(on_run, event, ev_link);
+ ISC_LIST_APPEND(isc_g_appctx.on_run, event, ev_link);
result = ISC_R_SUCCESS;
unlock:
- UNLOCK(&lock);
+ UNLOCK(&isc_g_appctx.lock);
return (result);
}
-#ifndef ISC_PLATFORM_USETHREADS
+#ifndef USE_THREADS_SINGLECTX
/*!
* Event loop for nonthreaded programs.
*/
static isc_result_t
-evloop(void) {
+evloop(isc__appctx_t *ctx) {
isc_result_t result;
- while (!want_shutdown) {
+
+ while (!ctx->want_shutdown) {
int n;
isc_time_t when, now;
struct timeval tv, *tvp;
@@ -310,14 +436,27 @@ evloop(void) {
isc_boolean_t readytasks;
isc_boolean_t call_timer_dispatch = ISC_FALSE;
- readytasks = isc__taskmgr_ready();
+ /*
+ * Check the reload (or suspend) case first for exiting the
+ * loop as fast as possible in case:
+ * - the direct call to isc__taskmgr_dispatch() in
+ * isc__app_ctxrun() completes all the tasks so far,
+ * - there is thus currently no active task, and
+ * - there is a timer event
+ */
+ if (ctx->want_reload) {
+ ctx->want_reload = ISC_FALSE;
+ return (ISC_R_RELOAD);
+ }
+
+ readytasks = isc__taskmgr_ready(ctx->taskmgr);
if (readytasks) {
tv.tv_sec = 0;
tv.tv_usec = 0;
tvp = &tv;
call_timer_dispatch = ISC_TRUE;
} else {
- result = isc__timermgr_nextevent(&when);
+ result = isc__timermgr_nextevent(ctx->timermgr, &when);
if (result != ISC_R_SUCCESS)
tvp = NULL;
else {
@@ -334,7 +473,7 @@ evloop(void) {
}
swait = NULL;
- n = isc__socketmgr_waitevents(tvp, &swait);
+ n = isc__socketmgr_waitevents(ctx->socketmgr, tvp, &swait);
if (n == 0 || call_timer_dispatch) {
/*
@@ -351,20 +490,17 @@ evloop(void) {
* call, since this loop only runs in the non-thread
* mode.
*/
- isc__timermgr_dispatch();
+ isc__timermgr_dispatch(ctx->timermgr);
}
if (n > 0)
- (void)isc__socketmgr_dispatch(swait);
- (void)isc__taskmgr_dispatch();
-
- if (want_reload) {
- want_reload = ISC_FALSE;
- return (ISC_R_RELOAD);
- }
+ (void)isc__socketmgr_dispatch(ctx->socketmgr, swait);
+ (void)isc__taskmgr_dispatch(ctx->taskmgr);
}
return (ISC_R_SUCCESS);
}
+#endif /* USE_THREADS_SINGLECTX */
+#ifndef ISC_PLATFORM_USETHREADS
/*
* This is a gross hack to support waiting for condition
* variables in nonthreaded programs in a limited way;
@@ -400,11 +536,11 @@ isc__nothread_wait_hack(isc_condition_t *cp, isc_mutex_t *mp) {
INSIST(*mp == 1); /* Mutex must be locked on entry. */
--*mp;
- result = evloop();
+ result = evloop(&isc_g_appctx);
if (result == ISC_R_RELOAD)
- want_reload = ISC_TRUE;
+ isc_g_appctx.want_reload = ISC_TRUE;
if (signalled) {
- want_shutdown = ISC_FALSE;
+ isc_g_appctx.want_shutdown = ISC_FALSE;
signalled = ISC_FALSE;
}
@@ -420,43 +556,46 @@ isc__nothread_signal_hack(isc_condition_t *cp) {
INSIST(in_recursive_evloop);
- want_shutdown = ISC_TRUE;
+ isc_g_appctx.want_shutdown = ISC_TRUE;
signalled = ISC_TRUE;
return (ISC_R_SUCCESS);
}
#endif /* ISC_PLATFORM_USETHREADS */
-isc_result_t
-isc_app_run(void) {
+ISC_APPFUNC_SCOPE isc_result_t
+isc__app_ctxrun(isc_appctx_t *ctx0) {
+ isc__appctx_t *ctx = (isc__appctx_t *)ctx0;
int result;
isc_event_t *event, *next_event;
isc_task_t *task;
-#ifdef ISC_PLATFORM_USETHREADS
+#ifdef USE_THREADS_SINGLECTX
sigset_t sset;
char strbuf[ISC_STRERRORSIZE];
#ifdef HAVE_SIGWAIT
int sig;
#endif
-#endif /* ISC_PLATFORM_USETHREADS */
+#endif /* USE_THREADS_SINGLECTX */
+
+ REQUIRE(VALID_APPCTX(ctx));
#ifdef HAVE_LINUXTHREADS
REQUIRE(main_thread == pthread_self());
#endif
- LOCK(&lock);
+ LOCK(&ctx->lock);
- if (!running) {
- running = ISC_TRUE;
+ if (!ctx->running) {
+ ctx->running = ISC_TRUE;
/*
* Post any on-run events (in FIFO order).
*/
- for (event = ISC_LIST_HEAD(on_run);
+ for (event = ISC_LIST_HEAD(ctx->on_run);
event != NULL;
event = next_event) {
next_event = ISC_LIST_NEXT(event, ev_link);
- ISC_LIST_UNLINK(on_run, event, ev_link);
+ ISC_LIST_UNLINK(ctx->on_run, event, ev_link);
task = event->ev_sender;
event->ev_sender = NULL;
isc_task_sendanddetach(&task, &event);
@@ -464,7 +603,7 @@ isc_app_run(void) {
}
- UNLOCK(&lock);
+ UNLOCK(&ctx->lock);
#ifndef HAVE_SIGWAIT
/*
@@ -473,19 +612,27 @@ isc_app_run(void) {
* We do this here to ensure that the signal handler is installed
* (i.e. that it wasn't a "one-shot" handler).
*/
- result = handle_signal(SIGHUP, reload_action);
- if (result != ISC_R_SUCCESS)
- return (ISC_R_SUCCESS);
+ if (ctx == &isc_g_appctx) {
+ result = handle_signal(SIGHUP, reload_action);
+ if (result != ISC_R_SUCCESS)
+ return (ISC_R_SUCCESS);
+ }
#endif
-#ifdef ISC_PLATFORM_USETHREADS
+#ifdef USE_THREADS_SINGLECTX
+ /*
+ * When we are using multiple contexts, we don't rely on signals.
+ */
+ if (ctx != &isc_g_appctx)
+ return (ISC_R_SUCCESS);
+
/*
* There is no danger if isc_app_shutdown() is called before we wait
* for signals. Signals are blocked, so any such signal will simply
* be made pending and we will get it when we call sigwait().
*/
- while (!want_shutdown) {
+ while (!ctx->want_shutdown) {
#ifdef HAVE_SIGWAIT
/*
* Wait for SIGHUP, SIGINT, or SIGTERM.
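Review bot: The re-indented SIGHUP block still returns `ISC_R_SUCCESS` when `handle_signal(SIGHUP, reload_action)` fails, so a caller of isc__app_ctxrun() cannot distinguish a normal exit from a failure to re-install the reload handler. Unless that is deliberate, propagate the error with `if (result != ISC_R_SUCCESS) return (result);`. If it is deliberate, a one-line comment explaining why would stop the next reader from "fixing" it. The enclosing function begins and ends outside this hunk.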
@@ -503,21 +650,19 @@ isc_app_run(void) {
#ifndef HAVE_UNIXWARE_SIGWAIT
result = sigwait(&sset, &sig);
if (result == 0) {
- if (sig == SIGINT ||
- sig == SIGTERM)
- want_shutdown = ISC_TRUE;
+ if (sig == SIGINT || sig == SIGTERM)
+ ctx->want_shutdown = ISC_TRUE;
else if (sig == SIGHUP)
- want_reload = ISC_TRUE;
+ ctx->want_reload = ISC_TRUE;
}
#else /* Using UnixWare sigwait semantics. */
sig = sigwait(&sset);
if (sig >= 0) {
- if (sig == SIGINT ||
- sig == SIGTERM)
- want_shutdown = ISC_TRUE;
+ if (sig == SIGINT || sig == SIGTERM)
+ ctx->want_shutdown = ISC_TRUE;
else if (sig == SIGHUP)
- want_reload = ISC_TRUE;
+ ctx->want_reload = ISC_TRUE;
}
#endif /* HAVE_UNIXWARE_SIGWAIT */
@@ -528,131 +673,174 @@ isc_app_run(void) {
if (sigemptyset(&sset) != 0) {
isc__strerror(errno, strbuf, sizeof(strbuf));
UNEXPECTED_ERROR(__FILE__, __LINE__,
- "isc_app_run() sigsetops: %s", strbuf);
+ "isc_app_run() sigsetops: %s",
+ strbuf);
return (ISC_R_UNEXPECTED);
}
result = sigsuspend(&sset);
#endif /* HAVE_SIGWAIT */
- if (want_reload) {
- want_reload = ISC_FALSE;
+ if (ctx->want_reload) {
+ ctx->want_reload = ISC_FALSE;
return (ISC_R_RELOAD);
}
- if (want_shutdown && blocked)
+ if (ctx->want_shutdown && ctx->blocked)
exit(1);
}
-#else /* ISC_PLATFORM_USETHREADS */
+#else /* USE_THREADS_SINGLECTX */
- (void)isc__taskmgr_dispatch();
+ (void)isc__taskmgr_dispatch(ctx->taskmgr);
- result = evloop();
+ result = evloop(ctx);
if (result != ISC_R_SUCCESS)
return (result);
-#endif /* ISC_PLATFORM_USETHREADS */
+#endif /* USE_THREADS_SINGLECTX */
return (ISC_R_SUCCESS);
}
-isc_result_t
-isc_app_shutdown(void) {
+ISC_APPFUNC_SCOPE isc_result_t
+isc__app_run() {
+ return (isc__app_ctxrun((isc_appctx_t *)&isc_g_appctx));
+}
+
+ISC_APPFUNC_SCOPE isc_result_t
+isc__app_ctxshutdown(isc_appctx_t *ctx0) {
+ isc__appctx_t *ctx = (isc__appctx_t *)ctx0;
isc_boolean_t want_kill = ISC_TRUE;
char strbuf[ISC_STRERRORSIZE];
- LOCK(&lock);
+ REQUIRE(VALID_APPCTX(ctx));
- REQUIRE(running);
+ LOCK(&ctx->lock);
- if (shutdown_requested)
+ REQUIRE(ctx->running);
+
+ if (ctx->shutdown_requested)
want_kill = ISC_FALSE;
else
- shutdown_requested = ISC_TRUE;
+ ctx->shutdown_requested = ISC_TRUE;
- UNLOCK(&lock);
+ UNLOCK(&ctx->lock);
if (want_kill) {
+ if (ctx != &isc_g_appctx)
+ ctx->want_shutdown = ISC_TRUE;
+ else {
#ifdef HAVE_LINUXTHREADS
- int result;
-
- result = pthread_kill(main_thread, SIGTERM);
- if (result != 0) {
- isc__strerror(result, strbuf, sizeof(strbuf));
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "isc_app_shutdown() pthread_kill: %s",
- strbuf);
- return (ISC_R_UNEXPECTED);
- }
+ int result;
+
+ result = pthread_kill(main_thread, SIGTERM);
+ if (result != 0) {
+ isc__strerror(result, strbuf, sizeof(strbuf));
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "isc_app_shutdown() "
+ "pthread_kill: %s",
+ strbuf);
+ return (ISC_R_UNEXPECTED);
+ }
#else
- if (kill(getpid(), SIGTERM) < 0) {
- isc__strerror(errno, strbuf, sizeof(strbuf));
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "isc_app_shutdown() kill: %s", strbuf);
- return (ISC_R_UNEXPECTED);
+ if (kill(getpid(), SIGTERM) < 0) {
+ isc__strerror(errno, strbuf, sizeof(strbuf));
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "isc_app_shutdown() "
+ "kill: %s", strbuf);
+ return (ISC_R_UNEXPECTED);
+ }
+#endif /* HAVE_LINUXTHREADS */
}
-#endif
}
return (ISC_R_SUCCESS);
}
-isc_result_t
-isc_app_reload(void) {
+ISC_APPFUNC_SCOPE isc_result_t
+isc__app_shutdown() {
+ return (isc__app_ctxshutdown((isc_appctx_t *)&isc_g_appctx));
+}
+
+ISC_APPFUNC_SCOPE isc_result_t
+isc__app_ctxsuspend(isc_appctx_t *ctx0) {
+ isc__appctx_t *ctx = (isc__appctx_t *)ctx0;
isc_boolean_t want_kill = ISC_TRUE;
char strbuf[ISC_STRERRORSIZE];
- LOCK(&lock);
+ REQUIRE(VALID_APPCTX(ctx));
+
+ LOCK(&ctx->lock);
- REQUIRE(running);
+ REQUIRE(ctx->running);
/*
* Don't send the reload signal if we're shutting down.
*/
- if (shutdown_requested)
+ if (ctx->shutdown_requested)
want_kill = ISC_FALSE;
- UNLOCK(&lock);
+ UNLOCK(&ctx->lock);
if (want_kill) {
+ if (ctx != &isc_g_appctx)
+ ctx->want_reload = ISC_TRUE;
+ else {
#ifdef HAVE_LINUXTHREADS
- int result;
-
- result = pthread_kill(main_thread, SIGHUP);
- if (result != 0) {
- isc__strerror(result, strbuf, sizeof(strbuf));
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "isc_app_reload() pthread_kill: %s",
- strbuf);
- return (ISC_R_UNEXPECTED);
- }
+ int result;
+
+ result = pthread_kill(main_thread, SIGHUP);
+ if (result != 0) {
+ isc__strerror(result, strbuf, sizeof(strbuf));
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "isc_app_reload() "
+ "pthread_kill: %s",
+ strbuf);
+ return (ISC_R_UNEXPECTED);
+ }
#else
- if (kill(getpid(), SIGHUP) < 0) {
- isc__strerror(errno, strbuf, sizeof(strbuf));
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "isc_app_reload() kill: %s", strbuf);
- return (ISC_R_UNEXPECTED);
- }
+ if (kill(getpid(), SIGHUP) < 0) {
+ isc__strerror(errno, strbuf, sizeof(strbuf));
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "isc_app_reload() "
+ "kill: %s", strbuf);
+ return (ISC_R_UNEXPECTED);
+ }
#endif
+ }
}
return (ISC_R_SUCCESS);
}
-void
-isc_app_finish(void) {
- DESTROYLOCK(&lock);
+ISC_APPFUNC_SCOPE isc_result_t
+isc__app_reload(void) {
+ return (isc__app_ctxsuspend((isc_appctx_t *)&isc_g_appctx));
+}
+
+ISC_APPFUNC_SCOPE void
+isc__app_ctxfinish(isc_appctx_t *ctx0) {
+ isc__appctx_t *ctx = (isc__appctx_t *)ctx0;
+
+ REQUIRE(VALID_APPCTX(ctx));
+
+ DESTROYLOCK(&ctx->lock);
+}
+
+ISC_APPFUNC_SCOPE void
+isc__app_finish(void) {
+ isc__app_ctxfinish((isc_appctx_t *)&isc_g_appctx);
}
-void
-isc_app_block(void) {
+ISC_APPFUNC_SCOPE void
+isc__app_block(void) {
#ifdef ISC_PLATFORM_USETHREADS
sigset_t sset;
#endif /* ISC_PLATFORM_USETHREADS */
- REQUIRE(running);
- REQUIRE(!blocked);
+ REQUIRE(isc_g_appctx.running);
+ REQUIRE(!isc_g_appctx.blocked);
- blocked = ISC_TRUE;
+ isc_g_appctx.blocked = ISC_TRUE;
#ifdef ISC_PLATFORM_USETHREADS
blockedthread = pthread_self();
RUNTIME_CHECK(sigemptyset(&sset) == 0 &&
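Review bot: The new wrappers `isc__app_run()` and `isc__app_shutdown()` are defined with empty parentheses, while their forward declarations near the top of the file and the sibling definitions `isc__app_reload(void)` and `isc__app_finish(void)` use `(void)`. An empty list in a definition does not serve as a prototype, so for consistency write `isc__app_run(void) {` and `isc__app_shutdown(void) {`. `isc__app_register()` in the last hunk of this file has the same form. isc__app_block() continues past the end of this hunk.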
@@ -662,16 +850,16 @@ isc_app_block(void) {
#endif /* ISC_PLATFORM_USETHREADS */
}
-void
-isc_app_unblock(void) {
+ISC_APPFUNC_SCOPE void
+isc__app_unblock(void) {
#ifdef ISC_PLATFORM_USETHREADS
sigset_t sset;
#endif /* ISC_PLATFORM_USETHREADS */
- REQUIRE(running);
- REQUIRE(blocked);
+ REQUIRE(isc_g_appctx.running);
+ REQUIRE(isc_g_appctx.blocked);
- blocked = ISC_FALSE;
+ isc_g_appctx.blocked = ISC_FALSE;
#ifdef ISC_PLATFORM_USETHREADS
REQUIRE(blockedthread == pthread_self());
@@ -682,3 +870,77 @@ isc_app_unblock(void) {
RUNTIME_CHECK(pthread_sigmask(SIG_BLOCK, &sset, NULL) == 0);
#endif /* ISC_PLATFORM_USETHREADS */
}
+
+ISC_APPFUNC_SCOPE isc_result_t
+isc__appctx_create(isc_mem_t *mctx, isc_appctx_t **ctxp) {
+ isc__appctx_t *ctx;
+
+ REQUIRE(mctx != NULL);
+ REQUIRE(ctxp != NULL && *ctxp == NULL);
+
+ ctx = isc_mem_get(mctx, sizeof(*ctx));
+ if (ctx == NULL)
+ return (ISC_R_NOMEMORY);
+
+ ctx->common.impmagic = APPCTX_MAGIC;
+ ctx->common.magic = ISCAPI_APPCTX_MAGIC;
+ ctx->common.methods = &appmethods.methods;
+
+ ctx->mctx = NULL;
+ isc_mem_attach(mctx, &ctx->mctx);
+
+ ctx->taskmgr = NULL;
+ ctx->socketmgr = NULL;
+ ctx->timermgr = NULL;
+
+ *ctxp = (isc_appctx_t *)ctx;
+
+ return (ISC_R_SUCCESS);
+}
+
+ISC_APPFUNC_SCOPE void
+isc__appctx_destroy(isc_appctx_t **ctxp) {
+ isc__appctx_t *ctx;
+
+ REQUIRE(ctxp != NULL);
+ ctx = (isc__appctx_t *)*ctxp;
+ REQUIRE(VALID_APPCTX(ctx));
+
+ isc_mem_putanddetach(&ctx->mctx, ctx, sizeof(*ctx));
+
+ *ctxp = NULL;
+}
+
+ISC_APPFUNC_SCOPE void
+isc__appctx_settaskmgr(isc_appctx_t *ctx0, isc_taskmgr_t *taskmgr) {
+ isc__appctx_t *ctx = (isc__appctx_t *)ctx0;
+
+ REQUIRE(VALID_APPCTX(ctx));
+
+ ctx->taskmgr = taskmgr;
+}
+
+ISC_APPFUNC_SCOPE void
+isc__appctx_setsocketmgr(isc_appctx_t *ctx0, isc_socketmgr_t *socketmgr) {
+ isc__appctx_t *ctx = (isc__appctx_t *)ctx0;
+
+ REQUIRE(VALID_APPCTX(ctx));
+
+ ctx->socketmgr = socketmgr;
+}
+
+ISC_APPFUNC_SCOPE void
+isc__appctx_settimermgr(isc_appctx_t *ctx0, isc_timermgr_t *timermgr) {
+ isc__appctx_t *ctx = (isc__appctx_t *)ctx0;
+
+ REQUIRE(VALID_APPCTX(ctx));
+
+ ctx->timermgr = timermgr;
+}
+
+#ifdef USE_APPIMPREGISTER
+isc_result_t
+isc__app_register() {
+ return (isc_app_register(isc__appctx_create));
+}
+#endif
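Review bot: isc__appctx_destroy() hands the context back to the memory context with its magic numbers intact, so a stale `isc_appctx_t *` can still pass `VALID_APPCTX()` until the memory is reused. Clear them before the free, with `ctx->common.impmagic = 0;` and `ctx->common.magic = 0;` ahead of the `isc_mem_putanddetach()` call. Separately, isc__appctx_create() leaves `lock`, `on_run`, `running`, `shutdown_requested`, `blocked` and the `want_*` flags unset until isc__app_ctxstart() runs. Calling isc__app_ctxshutdown() or isc__app_ctxrun() on a created-but-not-started context would therefore take an uninitialised mutex. A comment stating the required call order, or initialising the flags in create, would make that contract explicit.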
diff --git a/contrib/bind9/lib/isc/unix/dir.c b/contrib/bind9/lib/isc/unix/dir.c
index 7206836b040a..0d647782a1d9 100644
--- a/contrib/bind9/lib/isc/unix/dir.c
+++ b/contrib/bind9/lib/isc/unix/dir.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2007, 2009, 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007-2009, 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
diff --git a/contrib/bind9/lib/isc/unix/entropy.c b/contrib/bind9/lib/isc/unix/entropy.c
index 4777c1be3d23..ab53faf6754e 100644
--- a/contrib/bind9/lib/isc/unix/entropy.c
+++ b/contrib/bind9/lib/isc/unix/entropy.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2007, 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: entropy.c,v 1.82 2008/12/01 23:47:45 tbox Exp $ */
/* \file unix/entropy.c
* \brief
diff --git a/contrib/bind9/lib/isc/unix/file.c b/contrib/bind9/lib/isc/unix/file.c
index 582fc23df179..99c02ec7b628 100644
--- a/contrib/bind9/lib/isc/unix/file.c
+++ b/contrib/bind9/lib/isc/unix/file.c
@@ -68,6 +68,7 @@
#include <isc/dir.h>
#include <isc/file.h>
#include <isc/log.h>
+#include <isc/mem.h>
#include <isc/random.h>
#include <isc/string.h>
#include <isc/time.h>
@@ -97,6 +98,20 @@ file_stats(const char *file, struct stat *stats) {
}
isc_result_t
+isc_file_mode(const char *file, mode_t *modep) {
+ isc_result_t result;
+ struct stat stats;
+
+ REQUIRE(modep != NULL);
+
+ result = file_stats(file, &stats);
+ if (result == ISC_R_SUCCESS)
+ *modep = (stats.st_mode & 07777);
+
+ return (result);
+}
+
+isc_result_t
isc_file_getmodtime(const char *file, isc_time_t *time) {
isc_result_t result;
struct stat stats;
@@ -242,16 +257,26 @@ isc_file_renameunique(const char *file, char *templet) {
return (ISC_R_SUCCESS);
}
-
isc_result_t
isc_file_openunique(char *templet, FILE **fp) {
+ int mode = S_IWUSR|S_IRUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH;
+ return (isc_file_openuniquemode(templet, mode, fp));
+}
+
+isc_result_t
+isc_file_openuniqueprivate(char *templet, FILE **fp) {
+ int mode = S_IWUSR|S_IRUSR;
+ return (isc_file_openuniquemode(templet, mode, fp));
+}
+
+isc_result_t
+isc_file_openuniquemode(char *templet, int mode, FILE **fp) {
int fd;
FILE *f;
isc_result_t result = ISC_R_SUCCESS;
char *x;
char *cp;
isc_uint32_t which;
- int mode;
REQUIRE(templet != NULL);
REQUIRE(fp != NULL && *fp == NULL);
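Review bot: `isc_file_openunique()` still requests mode 0666 (`S_IWUSR|S_IRUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH`), so the resulting permissions depend entirely on the process umask, and only callers that switch to the new `isc_file_openuniqueprivate()` get 0600. Each variant should carry a header comment saying so, for example `/* Creates the file with mode 0666 before umask; use isc_file_openuniqueprivate() for key material. */`. The new `mode` parameter would also read better as `mode_t`, matching `isc_file_mode()` above, rather than `int`. The same remarks apply to `isc_file_bopenunique()` and its variants in the `@@ -304,7 +328,19 @@` hunk. The body of isc_file_openuniquemode() continues outside this hunk.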
@@ -269,7 +294,6 @@ isc_file_openunique(char *templet, FILE **fp) {
x = cp--;
}
- mode = S_IWUSR|S_IRUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH;
while ((fd = open(templet, O_RDWR|O_CREAT|O_EXCL, mode)) == -1) {
if (errno != EEXIST)
@@ -304,7 +328,19 @@ isc_file_openunique(char *templet, FILE **fp) {
isc_result_t
isc_file_bopenunique(char *templet, FILE **fp) {
- return (isc_file_openunique(templet, fp));
+ int mode = S_IWUSR|S_IRUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH;
+ return (isc_file_openuniquemode(templet, mode, fp));
+}
+
+isc_result_t
+isc_file_bopenuniqueprivate(char *templet, FILE **fp) {
+ int mode = S_IWUSR|S_IRUSR;
+ return (isc_file_openuniquemode(templet, mode, fp));
+}
+
+isc_result_t
+isc_file_bopenuniquemode(char *templet, int mode, FILE **fp) {
+ return (isc_file_openuniquemode(templet, mode, fp));
}
isc_result_t
@@ -464,3 +500,73 @@ isc_file_truncate(const char *filename, isc_offset_t size) {
result = isc__errno2result(errno);
return (result);
}
+
+isc_result_t
+isc_file_safecreate(const char *filename, FILE **fp) {
+ isc_result_t result;
+ int flags;
+ struct stat sb;
+ FILE *f;
+ int fd;
+
+ REQUIRE(filename != NULL);
+ REQUIRE(fp != NULL && *fp == NULL);
+
+ result = file_stats(filename, &sb);
+ if (result == ISC_R_SUCCESS) {
+ if ((sb.st_mode & S_IFREG) == 0)
+ return (ISC_R_INVALIDFILE);
+ flags = O_WRONLY | O_TRUNC;
+ } else if (result == ISC_R_FILENOTFOUND) {
+ flags = O_WRONLY | O_CREAT | O_EXCL;
+ } else
+ return (result);
+
+ fd = open(filename, flags, S_IRUSR | S_IWUSR);
+ if (fd == -1)
+ return (isc__errno2result(errno));
+
+ f = fdopen(fd, "w");
+ if (f == NULL) {
+ result = isc__errno2result(errno);
+ close(fd);
+ return (result);
+ }
+
+ *fp = f;
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_file_splitpath(isc_mem_t *mctx, char *path, char **dirname, char **basename)
+{
+ char *dir, *file, *slash;
+
+ slash = strrchr(path, '/');
+
+ if (slash == path) {
+ file = ++slash;
+ dir = isc_mem_strdup(mctx, "/");
+ } else if (slash != NULL) {
+ file = ++slash;
+ dir = isc_mem_allocate(mctx, slash - path);
+ if (dir != NULL)
+ strlcpy(dir, path, slash - path);
+ } else {
+ file = path;
+ dir = isc_mem_strdup(mctx, ".");
+ }
+
+ if (dir == NULL)
+ return (ISC_R_NOMEMORY);
+
+ if (*file == '\0') {
+ isc_mem_free(mctx, dir);
+ return (ISC_R_INVALIDFILE);
+ }
+
+ *dirname = dir;
+ *basename = file;
+
+ return (ISC_R_SUCCESS);
+}
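Review bot: isc_file_safecreate() chooses between truncate and create from a `stat()` result and then opens the path by name, so the object behind the name can change between the two calls, and `O_TRUNC` is applied before anything is re-checked. The type test `(sb.st_mode & S_IFREG) == 0` is also a bit test rather than a type comparison; on the usual encodings S_IFSOCK shares that bit, so a socket would not be rejected. I would use `S_ISREG()`, open without `O_TRUNC`, verify the opened descriptor with `fstat()` and only then truncate. Note too that `S_IRUSR | S_IWUSR` only takes effect when the file is created, so an existing file keeps its previous permissions, which the function comment should say.

```c
	result = file_stats(filename, &sb);
	if (result == ISC_R_SUCCESS) {
		if (!S_ISREG(sb.st_mode))
			return (ISC_R_INVALIDFILE);
		flags = O_WRONLY;	/* truncated after the fstat() check below */
	}
	/* … unchanged: ISC_R_FILENOTFOUND and error branches … */

	fd = open(filename, flags, S_IRUSR | S_IWUSR);
	if (fd == -1)
		return (isc__errno2result(errno));

	/* Re-check the object actually opened, not the name examined earlier. */
	if (fstat(fd, &sb) != 0 || !S_ISREG(sb.st_mode) ||
	    ftruncate(fd, 0) != 0) {
		close(fd);
		return (ISC_R_INVALIDFILE);
	}
	/* … unchanged: fdopen() and return … */
```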
diff --git a/contrib/bind9/lib/isc/unix/ifiter_getifaddrs.c b/contrib/bind9/lib/isc/unix/ifiter_getifaddrs.c
index bddd82a23178..637450aaf4f5 100644
--- a/contrib/bind9/lib/isc/unix/ifiter_getifaddrs.c
+++ b/contrib/bind9/lib/isc/unix/ifiter_getifaddrs.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2007-2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007-2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: ifiter_getifaddrs.c,v 1.13 2009/09/24 23:48:13 tbox Exp $ */
/*! \file
* \brief
diff --git a/contrib/bind9/lib/isc/unix/ifiter_ioctl.c b/contrib/bind9/lib/isc/unix/ifiter_ioctl.c
index 1efb36d3238f..38c34fd61ab1 100644
--- a/contrib/bind9/lib/isc/unix/ifiter_ioctl.c
+++ b/contrib/bind9/lib/isc/unix/ifiter_ioctl.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: ifiter_ioctl.c,v 1.62 2009/01/18 23:48:14 tbox Exp $ */
/*! \file
* \brief
diff --git a/contrib/bind9/lib/isc/unix/include/isc/net.h b/contrib/bind9/lib/isc/unix/include/isc/net.h
index 04139e72681d..efa67c223bef 100644
--- a/contrib/bind9/lib/isc/unix/include/isc/net.h
+++ b/contrib/bind9/lib/isc/unix/include/isc/net.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2007-2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2008, 2012 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
diff --git a/contrib/bind9/lib/isc/unix/include/isc/offset.h b/contrib/bind9/lib/isc/unix/include/isc/offset.h
index 32f3a22f8b29..8bf3779997cd 100644
--- a/contrib/bind9/lib/isc/unix/include/isc/offset.h
+++ b/contrib/bind9/lib/isc/unix/include/isc/offset.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2007, 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2008 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: offset.h,v 1.17 2008/12/01 23:47:45 tbox Exp $ */
#ifndef ISC_OFFSET_H
#define ISC_OFFSET_H 1
diff --git a/contrib/bind9/lib/isc/unix/include/isc/strerror.h b/contrib/bind9/lib/isc/unix/include/isc/strerror.h
index cf3bf02ccff4..899043bbffdd 100644
--- a/contrib/bind9/lib/isc/unix/include/isc/strerror.h
+++ b/contrib/bind9/lib/isc/unix/include/isc/strerror.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2007, 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2008 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: strerror.h,v 1.10 2008/12/01 23:47:45 tbox Exp $ */
#ifndef ISC_STRERROR_H
#define ISC_STRERROR_H
diff --git a/contrib/bind9/lib/isc/unix/include/isc/time.h b/contrib/bind9/lib/isc/unix/include/isc/time.h
index 99403afa68d9..dc1cef9ad3f2 100644
--- a/contrib/bind9/lib/isc/unix/include/isc/time.h
+++ b/contrib/bind9/lib/isc/unix/include/isc/time.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1998-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: time.h,v 1.40 2009/01/05 23:47:54 tbox Exp $ */
#ifndef ISC_TIME_H
#define ISC_TIME_H 1
diff --git a/contrib/bind9/lib/isc/unix/interfaceiter.c b/contrib/bind9/lib/isc/unix/interfaceiter.c
index b22462b616fb..af2b06d093a6 100644
--- a/contrib/bind9/lib/isc/unix/interfaceiter.c
+++ b/contrib/bind9/lib/isc/unix/interfaceiter.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2007-2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2008 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: interfaceiter.c,v 1.45 2008/12/01 03:51:47 marka Exp $ */
/*! \file */
diff --git a/contrib/bind9/lib/isc/unix/net.c b/contrib/bind9/lib/isc/unix/net.c
index b2fb30e4ed99..ea4a504ebdec 100644
--- a/contrib/bind9/lib/isc/unix/net.c
+++ b/contrib/bind9/lib/isc/unix/net.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2007, 2008 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2008, 2012 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: net.c,v 1.40 2008/07/04 05:52:31 each Exp $ */
+/* $Id$ */
#include <config.h>
diff --git a/contrib/bind9/lib/isc/unix/resource.c b/contrib/bind9/lib/isc/unix/resource.c
index 9b026c294230..29596e2aa6a1 100644
--- a/contrib/bind9/lib/isc/unix/resource.c
+++ b/contrib/bind9/lib/isc/unix/resource.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2007-2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2007-2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: resource.c,v 1.23 2009/02/13 23:48:14 tbox Exp $ */
#include <config.h>
diff --git a/contrib/bind9/lib/isc/unix/socket.c b/contrib/bind9/lib/isc/unix/socket.c
index 721f6dd0beeb..9d64a77ab37b 100644
--- a/contrib/bind9/lib/isc/unix/socket.c
+++ b/contrib/bind9/lib/isc/unix/socket.c
@@ -76,9 +76,19 @@
#include "errno2result.h"
-#ifndef ISC_PLATFORM_USETHREADS
+/* See task.c about the following definition: */
+#ifdef BIND9
+#ifdef ISC_PLATFORM_USETHREADS
+#define USE_WATCHER_THREAD
+#else
+#define USE_SHARED_MANAGER
+#endif /* ISC_PLATFORM_USETHREADS */
+#endif /* BIND9 */
+
+#ifndef USE_WATCHER_THREAD
#include "socket_p.h"
-#endif /* ISC_PLATFORM_USETHREADS */
+#include "../task_p.h"
+#endif /* USE_WATCHER_THREAD */
#if defined(SO_BSDCOMPAT) && defined(__linux__)
#include <sys/utsname.h>
@@ -101,7 +111,7 @@ typedef struct {
#define USE_SELECT
#endif /* ISC_PLATFORM_HAVEKQUEUE */
-#ifndef ISC_PLATFORM_USETHREADS
+#ifndef USE_WATCHER_THREAD
#if defined(USE_KQUEUE) || defined(USE_EPOLL) || defined(USE_DEVPOLL)
struct isc_socketwait {
int nevents;
@@ -114,7 +124,7 @@ struct isc_socketwait {
int maxfd;
};
#endif /* USE_KQUEUE */
-#endif /* !ISC_PLATFORM_USETHREADS */
+#endif /* !USE_WATCHER_THREAD */
/*%
* Maximum number of allowable open sockets. This is also the maximum
@@ -248,7 +258,7 @@ typedef enum { poll_idle, poll_active, poll_checking } pollstate_t;
typedef isc_event_t intev_t;
#define SOCKET_MAGIC ISC_MAGIC('I', 'O', 'i', 'o')
-#define VALID_SOCKET(t) ISC_MAGIC_VALID(t, SOCKET_MAGIC)
+#define VALID_SOCKET(s) ISC_MAGIC_VALID(s, SOCKET_MAGIC)
/*!
* IPv6 control information. If the socket is an IPv6 socket we want
@@ -282,16 +292,21 @@ typedef isc_event_t intev_t;
*/
#define NRETRIES 10
-struct isc_socket {
+typedef struct isc__socket isc__socket_t;
+typedef struct isc__socketmgr isc__socketmgr_t;
+
+#define NEWCONNSOCK(ev) ((isc__socket_t *)(ev)->newsocket)
+
+struct isc__socket {
/* Not locked. */
- unsigned int magic;
- isc_socketmgr_t *manager;
+ isc_socket_t common;
+ isc__socketmgr_t *manager;
isc_mutex_t lock;
isc_sockettype_t type;
const isc_statscounter_t *statsindex;
/* Locked by socket lock. */
- ISC_LINK(isc_socket_t) link;
+ ISC_LINK(isc__socket_t) link;
unsigned int references;
int fd;
int pf;
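Review bot: The new `isc_socket_t common;` member carries a layout requirement that nothing in the struct documents. Every entry point added in this diff does `(isc__socket_t *)sock0` before `REQUIRE(VALID_SOCKET(sock))`, so the cast is only sound while `common` stays the first member. VALID_SOCKET presumably reads the leading magic word, which allocate_socket now sets through `common.impmagic`; ISC_MAGIC_VALID is not shown here, so that part is an inference. I would add `/* Must stay first: isc_socket_t * is cast to isc__socket_t * and VALID_SOCKET() checks common.impmagic. */` above the member. The same applies to `isc_socketmgr_t common;` in the `struct isc__socketmgr` hunk. The struct body continues outside this hunk.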
@@ -339,9 +354,9 @@ struct isc_socket {
#define SOCKET_MANAGER_MAGIC ISC_MAGIC('I', 'O', 'm', 'g')
#define VALID_MANAGER(m) ISC_MAGIC_VALID(m, SOCKET_MANAGER_MAGIC)
-struct isc_socketmgr {
+struct isc__socketmgr {
/* Not locked. */
- unsigned int magic;
+ isc_socketmgr_t common;
isc_mem_t *mctx;
isc_mutex_t lock;
isc_mutex_t *fdlock;
@@ -370,14 +385,14 @@ struct isc_socketmgr {
#endif
/* Locked by fdlock. */
- isc_socket_t **fds;
+ isc__socket_t **fds;
int *fdstate;
#ifdef USE_DEVPOLL
pollinfo_t *fdpollinfo;
#endif
/* Locked by manager lock. */
- ISC_LIST(isc_socket_t) socklist;
+ ISC_LIST(isc__socket_t) socklist;
#ifdef USE_SELECT
fd_set *read_fds;
fd_set *read_fds_copy;
@@ -386,17 +401,18 @@ struct isc_socketmgr {
int maxfd;
#endif /* USE_SELECT */
int reserved; /* unlocked */
-#ifdef ISC_PLATFORM_USETHREADS
+#ifdef USE_WATCHER_THREAD
isc_thread_t watcher;
isc_condition_t shutdown_ok;
-#else /* ISC_PLATFORM_USETHREADS */
+#else /* USE_WATCHER_THREAD */
unsigned int refs;
-#endif /* ISC_PLATFORM_USETHREADS */
+#endif /* USE_WATCHER_THREAD */
+ int maxudp;
};
-#ifndef ISC_PLATFORM_USETHREADS
-static isc_socketmgr_t *socketmgr = NULL;
-#endif /* ISC_PLATFORM_USETHREADS */
+#ifdef USE_SHARED_MANAGER
+static isc__socketmgr_t *socketmgr = NULL;
+#endif /* USE_SHARED_MANAGER */
#define CLOSED 0 /* this one must be zero */
#define MANAGED 1
@@ -412,26 +428,165 @@ static isc_socketmgr_t *socketmgr = NULL;
# define MAXSCATTERGATHER_RECV (ISC_SOCKET_MAXSCATTERGATHER)
#endif
-static void send_recvdone_event(isc_socket_t *, isc_socketevent_t **);
-static void send_senddone_event(isc_socket_t *, isc_socketevent_t **);
-static void free_socket(isc_socket_t **);
-static isc_result_t allocate_socket(isc_socketmgr_t *, isc_sockettype_t,
- isc_socket_t **);
-static void destroy(isc_socket_t **);
+static void send_recvdone_event(isc__socket_t *, isc_socketevent_t **);
+static void send_senddone_event(isc__socket_t *, isc_socketevent_t **);
+static void free_socket(isc__socket_t **);
+static isc_result_t allocate_socket(isc__socketmgr_t *, isc_sockettype_t,
+ isc__socket_t **);
+static void destroy(isc__socket_t **);
static void internal_accept(isc_task_t *, isc_event_t *);
static void internal_connect(isc_task_t *, isc_event_t *);
static void internal_recv(isc_task_t *, isc_event_t *);
static void internal_send(isc_task_t *, isc_event_t *);
static void internal_fdwatch_write(isc_task_t *, isc_event_t *);
static void internal_fdwatch_read(isc_task_t *, isc_event_t *);
-static void process_cmsg(isc_socket_t *, struct msghdr *, isc_socketevent_t *);
-static void build_msghdr_send(isc_socket_t *, isc_socketevent_t *,
+static void process_cmsg(isc__socket_t *, struct msghdr *, isc_socketevent_t *);
+static void build_msghdr_send(isc__socket_t *, isc_socketevent_t *,
struct msghdr *, struct iovec *, size_t *);
-static void build_msghdr_recv(isc_socket_t *, isc_socketevent_t *,
+static void build_msghdr_recv(isc__socket_t *, isc_socketevent_t *,
struct msghdr *, struct iovec *, size_t *);
-#ifdef ISC_PLATFORM_USETHREADS
-static isc_boolean_t process_ctlfd(isc_socketmgr_t *manager);
+#ifdef USE_WATCHER_THREAD
+static isc_boolean_t process_ctlfd(isc__socketmgr_t *manager);
+#endif
+
+/*%
+ * The following can be either static or public, depending on build environment.
+ */
+
+#ifdef BIND9
+#define ISC_SOCKETFUNC_SCOPE
+#else
+#define ISC_SOCKETFUNC_SCOPE static
+#endif
+
+ISC_SOCKETFUNC_SCOPE isc_result_t
+isc__socket_create(isc_socketmgr_t *manager, int pf, isc_sockettype_t type,
+ isc_socket_t **socketp);
+ISC_SOCKETFUNC_SCOPE void
+isc__socket_attach(isc_socket_t *sock, isc_socket_t **socketp);
+ISC_SOCKETFUNC_SCOPE void
+isc__socket_detach(isc_socket_t **socketp);
+ISC_SOCKETFUNC_SCOPE isc_result_t
+isc__socketmgr_create(isc_mem_t *mctx, isc_socketmgr_t **managerp);
+ISC_SOCKETFUNC_SCOPE isc_result_t
+isc__socketmgr_create2(isc_mem_t *mctx, isc_socketmgr_t **managerp,
+ unsigned int maxsocks);
+ISC_SOCKETFUNC_SCOPE void
+isc__socketmgr_destroy(isc_socketmgr_t **managerp);
+ISC_SOCKETFUNC_SCOPE isc_result_t
+isc__socket_recvv(isc_socket_t *sock, isc_bufferlist_t *buflist,
+ unsigned int minimum, isc_task_t *task,
+ isc_taskaction_t action, const void *arg);
+ISC_SOCKETFUNC_SCOPE isc_result_t
+isc__socket_recv(isc_socket_t *sock, isc_region_t *region,
+ unsigned int minimum, isc_task_t *task,
+ isc_taskaction_t action, const void *arg);
+ISC_SOCKETFUNC_SCOPE isc_result_t
+isc__socket_recv2(isc_socket_t *sock, isc_region_t *region,
+ unsigned int minimum, isc_task_t *task,
+ isc_socketevent_t *event, unsigned int flags);
+ISC_SOCKETFUNC_SCOPE isc_result_t
+isc__socket_send(isc_socket_t *sock, isc_region_t *region,
+ isc_task_t *task, isc_taskaction_t action, const void *arg);
+ISC_SOCKETFUNC_SCOPE isc_result_t
+isc__socket_sendto(isc_socket_t *sock, isc_region_t *region,
+ isc_task_t *task, isc_taskaction_t action, const void *arg,
+ isc_sockaddr_t *address, struct in6_pktinfo *pktinfo);
+ISC_SOCKETFUNC_SCOPE isc_result_t
+isc__socket_sendv(isc_socket_t *sock, isc_bufferlist_t *buflist,
+ isc_task_t *task, isc_taskaction_t action, const void *arg);
+ISC_SOCKETFUNC_SCOPE isc_result_t
+isc__socket_sendtov(isc_socket_t *sock, isc_bufferlist_t *buflist,
+ isc_task_t *task, isc_taskaction_t action, const void *arg,
+ isc_sockaddr_t *address, struct in6_pktinfo *pktinfo);
+ISC_SOCKETFUNC_SCOPE isc_result_t
+isc__socket_sendto2(isc_socket_t *sock, isc_region_t *region,
+ isc_task_t *task,
+ isc_sockaddr_t *address, struct in6_pktinfo *pktinfo,
+ isc_socketevent_t *event, unsigned int flags);
+ISC_SOCKETFUNC_SCOPE void
+isc__socket_cleanunix(isc_sockaddr_t *sockaddr, isc_boolean_t active);
+ISC_SOCKETFUNC_SCOPE isc_result_t
+isc__socket_permunix(isc_sockaddr_t *sockaddr, isc_uint32_t perm,
+ isc_uint32_t owner, isc_uint32_t group);
+ISC_SOCKETFUNC_SCOPE isc_result_t
+isc__socket_bind(isc_socket_t *sock, isc_sockaddr_t *sockaddr,
+ unsigned int options);
+ISC_SOCKETFUNC_SCOPE isc_result_t
+isc__socket_filter(isc_socket_t *sock, const char *filter);
+ISC_SOCKETFUNC_SCOPE isc_result_t
+isc__socket_listen(isc_socket_t *sock, unsigned int backlog);
+ISC_SOCKETFUNC_SCOPE isc_result_t
+isc__socket_accept(isc_socket_t *sock,
+ isc_task_t *task, isc_taskaction_t action, const void *arg);
+ISC_SOCKETFUNC_SCOPE isc_result_t
+isc__socket_connect(isc_socket_t *sock, isc_sockaddr_t *addr,
+ isc_task_t *task, isc_taskaction_t action,
+ const void *arg);
+ISC_SOCKETFUNC_SCOPE isc_result_t
+isc__socket_getpeername(isc_socket_t *sock, isc_sockaddr_t *addressp);
+ISC_SOCKETFUNC_SCOPE isc_result_t
+isc__socket_getsockname(isc_socket_t *sock, isc_sockaddr_t *addressp);
+ISC_SOCKETFUNC_SCOPE void
+isc__socket_cancel(isc_socket_t *sock, isc_task_t *task, unsigned int how);
+ISC_SOCKETFUNC_SCOPE isc_sockettype_t
+isc__socket_gettype(isc_socket_t *sock);
+ISC_SOCKETFUNC_SCOPE isc_boolean_t
+isc__socket_isbound(isc_socket_t *sock);
+ISC_SOCKETFUNC_SCOPE void
+isc__socket_ipv6only(isc_socket_t *sock, isc_boolean_t yes);
+#if defined(HAVE_LIBXML2) && defined(BIND9)
+ISC_SOCKETFUNC_SCOPE void
+isc__socketmgr_renderxml(isc_socketmgr_t *mgr0, xmlTextWriterPtr writer);
+#endif
+
+ISC_SOCKETFUNC_SCOPE isc_result_t
+isc__socket_fdwatchcreate(isc_socketmgr_t *manager, int fd, int flags,
+ isc_sockfdwatch_t callback, void *cbarg,
+ isc_task_t *task, isc_socket_t **socketp);
+ISC_SOCKETFUNC_SCOPE isc_result_t
+isc__socket_fdwatchpoke(isc_socket_t *sock, int flags);
+
+static struct {
+ isc_socketmethods_t methods;
+
+ /*%
+ * The following are defined just for avoiding unused static functions.
+ */
+#ifndef BIND9
+ void *recvv, *send, *sendv, *sendto2, *cleanunix, *permunix, *filter,
+ *listen, *accept, *getpeername, *isbound;
+#endif
+} socketmethods = {
+ {
+ isc__socket_attach,
+ isc__socket_detach,
+ isc__socket_bind,
+ isc__socket_sendto,
+ isc__socket_connect,
+ isc__socket_recv,
+ isc__socket_cancel,
+ isc__socket_getsockname,
+ isc__socket_gettype,
+ isc__socket_ipv6only,
+ isc__socket_fdwatchpoke
+ }
+#ifndef BIND9
+ ,
+ (void *)isc__socket_recvv, (void *)isc__socket_send,
+ (void *)isc__socket_sendv, (void *)isc__socket_sendto2,
+ (void *)isc__socket_cleanunix, (void *)isc__socket_permunix,
+ (void *)isc__socket_filter, (void *)isc__socket_listen,
+ (void *)isc__socket_accept, (void *)isc__socket_getpeername,
+ (void *)isc__socket_isbound
#endif
+};
+
+static isc_socketmgrmethods_t socketmgrmethods = {
+ isc__socketmgr_destroy,
+ isc__socket_create,
+ isc__socket_fdwatchcreate
+};
#define SELECT_POKE_SHUTDOWN (-1)
#define SELECT_POKE_NOTHING (-2)
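Review bot: In the non-BIND9 branch of `socketmethods`, the filler members are declared `void *` and initialised with `(void *)isc__socket_recvv` and the like. ISO C does not define conversion between function pointers and `void *`; it works on POSIX platforms, but strict compilers warn about it. Since the members exist only to silence unused-static warnings, a generic function-pointer type does the same job portably: declare them as `void (*recvv)(void), (*send)(void), ...` and cast with `(void (*)(void))isc__socket_recvv`. The bare `#endif` lines in this hunk would also read better with the `/* BIND9 */` or `/* USE_WATCHER_THREAD */` annotation the rest of the file uses.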
@@ -531,12 +686,14 @@ static const isc_statscounter_t fdwatchstatsindex[] = {
isc_sockstatscounter_fdwatchrecvfail
};
+#if defined(USE_KQUEUE) || defined(USE_EPOLL) || defined(USE_DEVPOLL) || \
+ defined(USE_WATCHER_THREAD)
static void
-manager_log(isc_socketmgr_t *sockmgr,
+manager_log(isc__socketmgr_t *sockmgr,
isc_logcategory_t *category, isc_logmodule_t *module, int level,
const char *fmt, ...) ISC_FORMAT_PRINTF(5, 6);
static void
-manager_log(isc_socketmgr_t *sockmgr,
+manager_log(isc__socketmgr_t *sockmgr,
isc_logcategory_t *category, isc_logmodule_t *module, int level,
const char *fmt, ...)
{
@@ -553,14 +710,15 @@ manager_log(isc_socketmgr_t *sockmgr,
isc_log_write(isc_lctx, category, module, level,
"sockmgr %p: %s", sockmgr, msgbuf);
}
+#endif
static void
-socket_log(isc_socket_t *sock, isc_sockaddr_t *address,
+socket_log(isc__socket_t *sock, isc_sockaddr_t *address,
isc_logcategory_t *category, isc_logmodule_t *module, int level,
isc_msgcat_t *msgcat, int msgset, int message,
const char *fmt, ...) ISC_FORMAT_PRINTF(9, 10);
static void
-socket_log(isc_socket_t *sock, isc_sockaddr_t *address,
+socket_log(isc__socket_t *sock, isc_sockaddr_t *address,
isc_logcategory_t *category, isc_logmodule_t *module, int level,
isc_msgcat_t *msgcat, int msgset, int message,
const char *fmt, ...)
@@ -595,7 +753,7 @@ socket_log(isc_socket_t *sock, isc_sockaddr_t *address,
* setting IPV6_V6ONLY.
*/
static void
-FIX_IPV6_RECVPKTINFO(isc_socket_t *sock)
+FIX_IPV6_RECVPKTINFO(isc__socket_t *sock)
{
char strbuf[ISC_STRERRORSIZE];
int on = 1;
@@ -633,7 +791,7 @@ inc_stats(isc_stats_t *stats, isc_statscounter_t counterid) {
}
static inline isc_result_t
-watch_fd(isc_socketmgr_t *manager, int fd, int msg) {
+watch_fd(isc__socketmgr_t *manager, int fd, int msg) {
isc_result_t result = ISC_R_SUCCESS;
#ifdef USE_KQUEUE
@@ -701,7 +859,7 @@ watch_fd(isc_socketmgr_t *manager, int fd, int msg) {
}
static inline isc_result_t
-unwatch_fd(isc_socketmgr_t *manager, int fd, int msg) {
+unwatch_fd(isc__socketmgr_t *manager, int fd, int msg) {
isc_result_t result = ISC_R_SUCCESS;
#ifdef USE_KQUEUE
@@ -788,7 +946,7 @@ unwatch_fd(isc_socketmgr_t *manager, int fd, int msg) {
}
static void
-wakeup_socket(isc_socketmgr_t *manager, int fd, int msg) {
+wakeup_socket(isc__socketmgr_t *manager, int fd, int msg) {
isc_result_t result;
int lockid = FDLOCK_ID(fd);
@@ -849,14 +1007,14 @@ wakeup_socket(isc_socketmgr_t *manager, int fd, int msg) {
}
}
-#ifdef ISC_PLATFORM_USETHREADS
+#ifdef USE_WATCHER_THREAD
/*
* Poke the select loop when there is something for us to do.
* The write is required (by POSIX) to complete. That is, we
* will not get partial writes.
*/
static void
-select_poke(isc_socketmgr_t *mgr, int fd, int msg) {
+select_poke(isc__socketmgr_t *mgr, int fd, int msg) {
int cc;
int buf[2];
char strbuf[ISC_STRERRORSIZE];
@@ -895,7 +1053,7 @@ select_poke(isc_socketmgr_t *mgr, int fd, int msg) {
* Read a message on the internal fd.
*/
static void
-select_readmsg(isc_socketmgr_t *mgr, int *fd, int *msg) {
+select_readmsg(isc__socketmgr_t *mgr, int *fd, int *msg) {
int buf[2];
int cc;
char strbuf[ISC_STRERRORSIZE];
@@ -922,19 +1080,19 @@ select_readmsg(isc_socketmgr_t *mgr, int *fd, int *msg) {
*fd = buf[0];
*msg = buf[1];
}
-#else /* ISC_PLATFORM_USETHREADS */
+#else /* USE_WATCHER_THREAD */
/*
* Update the state of the socketmgr when something changes.
*/
static void
-select_poke(isc_socketmgr_t *manager, int fd, int msg) {
+select_poke(isc__socketmgr_t *manager, int fd, int msg) {
if (msg == SELECT_POKE_SHUTDOWN)
return;
else if (fd >= 0)
wakeup_socket(manager, fd, msg);
return;
}
-#endif /* ISC_PLATFORM_USETHREADS */
+#endif /* USE_WATCHER_THREAD */
/*
* Make a fd non-blocking.
@@ -1027,7 +1185,7 @@ cmsg_space(ISC_SOCKADDR_LEN_T len) {
* Process control messages received on a socket.
*/
static void
-process_cmsg(isc_socket_t *sock, struct msghdr *msg, isc_socketevent_t *dev) {
+process_cmsg(isc__socket_t *sock, struct msghdr *msg, isc_socketevent_t *dev) {
#ifdef USE_CMSG
struct cmsghdr *cmsgp;
#ifdef ISC_PLATFORM_HAVEIN6PKTINFO
@@ -1130,7 +1288,7 @@ process_cmsg(isc_socket_t *sock, struct msghdr *msg, isc_socketevent_t *dev) {
* this transaction can send.
*/
static void
-build_msghdr_send(isc_socket_t *sock, isc_socketevent_t *dev,
+build_msghdr_send(isc__socket_t *sock, isc_socketevent_t *dev,
struct msghdr *msg, struct iovec *iov, size_t *write_countp)
{
unsigned int iovcount;
@@ -1268,7 +1426,7 @@ build_msghdr_send(isc_socket_t *sock, isc_socketevent_t *dev,
* this transaction can receive.
*/
static void
-build_msghdr_recv(isc_socket_t *sock, isc_socketevent_t *dev,
+build_msghdr_recv(isc__socket_t *sock, isc_socketevent_t *dev,
struct msghdr *msg, struct iovec *iov, size_t *read_countp)
{
unsigned int iovcount;
@@ -1389,7 +1547,7 @@ build_msghdr_recv(isc_socket_t *sock, isc_socketevent_t *dev,
}
static void
-set_dev_address(isc_sockaddr_t *address, isc_socket_t *sock,
+set_dev_address(isc_sockaddr_t *address, isc__socket_t *sock,
isc_socketevent_t *dev)
{
if (sock->type == isc_sockettype_udp) {
@@ -1413,7 +1571,7 @@ destroy_socketevent(isc_event_t *event) {
}
static isc_socketevent_t *
-allocate_socketevent(isc_socket_t *sock, isc_eventtype_t eventtype,
+allocate_socketevent(isc__socket_t *sock, isc_eventtype_t eventtype,
isc_taskaction_t action, const void *arg)
{
isc_socketevent_t *ev;
@@ -1466,7 +1624,7 @@ dump_msg(struct msghdr *msg) {
#define DOIO_EOF 3 /* EOF, no event sent */
static int
-doio_recv(isc_socket_t *sock, isc_socketevent_t *dev) {
+doio_recv(isc__socket_t *sock, isc_socketevent_t *dev) {
int cc;
struct iovec iov[MAXSCATTERGATHER_RECV];
size_t read_count;
@@ -1574,6 +1732,12 @@ doio_recv(isc_socket_t *sock, isc_socketevent_t *dev) {
}
return (DOIO_SOFT);
}
+ /*
+ * Simulate a firewall blocking UDP responses bigger than
+ * 512 bytes.
+ */
+ if (sock->manager->maxudp != 0 && cc > sock->manager->maxudp)
+ return (DOIO_SOFT);
}
socket_log(sock, &dev->address, IOEVENT,
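Review bot: The added comment says responses bigger than 512 bytes are blocked, but the check is `cc > sock->manager->maxudp`, so the limit is whatever `maxudp` holds and 512 is only one possible setting. The datagram is also discarded with a bare `return (DOIO_SOFT)`, with no log line or counter, which makes the resulting timeouts hard to trace back to this hook if it is ever enabled outside a test. I would reword the comment to `/* Test hook: if manager->maxudp is non-zero, silently drop datagrams larger than maxudp bytes (simulates a firewall). */` and consider a debug-level socket_log call before the return. The code that initialises `maxudp` to 0 is not in this part of the diff and should be confirmed. doio_recv starts and ends outside the hunk, so whether this sits inside the UDP-only branch cannot be checked here.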
@@ -1651,7 +1815,7 @@ doio_recv(isc_socket_t *sock, isc_socketevent_t *dev) {
* No other return values are possible.
*/
static int
-doio_send(isc_socket_t *sock, isc_socketevent_t *dev) {
+doio_send(isc__socket_t *sock, isc_socketevent_t *dev) {
int cc;
struct iovec iov[MAXSCATTERGATHER_SEND];
size_t write_count;
@@ -1762,7 +1926,7 @@ doio_send(isc_socket_t *sock, isc_socketevent_t *dev) {
* references exist.
*/
static void
-closesocket(isc_socketmgr_t *manager, isc_socket_t *sock, int fd) {
+closesocket(isc__socketmgr_t *manager, isc__socket_t *sock, int fd) {
isc_sockettype_t type = sock->type;
int lockid = FDLOCK_ID(fd);
@@ -1825,10 +1989,10 @@ closesocket(isc_socketmgr_t *manager, isc_socket_t *sock, int fd) {
}
static void
-destroy(isc_socket_t **sockp) {
+destroy(isc__socket_t **sockp) {
int fd;
- isc_socket_t *sock = *sockp;
- isc_socketmgr_t *manager = sock->manager;
+ isc__socket_t *sock = *sockp;
+ isc__socketmgr_t *manager = sock->manager;
socket_log(sock, NULL, CREATION, isc_msgcat, ISC_MSGSET_SOCKET,
ISC_MSG_DESTROYING, "destroying");
@@ -1849,10 +2013,10 @@ destroy(isc_socket_t **sockp) {
ISC_LIST_UNLINK(manager->socklist, sock, link);
-#ifdef ISC_PLATFORM_USETHREADS
+#ifdef USE_WATCHER_THREAD
if (ISC_LIST_EMPTY(manager->socklist))
SIGNAL(&manager->shutdown_ok);
-#endif /* ISC_PLATFORM_USETHREADS */
+#endif /* USE_WATCHER_THREAD */
/* can't unlock manager as its memory context is still used */
free_socket(sockp);
@@ -1861,10 +2025,10 @@ destroy(isc_socket_t **sockp) {
}
static isc_result_t
-allocate_socket(isc_socketmgr_t *manager, isc_sockettype_t type,
- isc_socket_t **socketp)
+allocate_socket(isc__socketmgr_t *manager, isc_sockettype_t type,
+ isc__socket_t **socketp)
{
- isc_socket_t *sock;
+ isc__socket_t *sock;
isc_result_t result;
ISC_SOCKADDR_LEN_T cmsgbuflen;
@@ -1873,7 +2037,8 @@ allocate_socket(isc_socketmgr_t *manager, isc_sockettype_t type,
if (sock == NULL)
return (ISC_R_NOMEMORY);
- sock->magic = 0;
+ sock->common.magic = 0;
+ sock->common.impmagic = 0;
sock->references = 0;
sock->manager = manager;
@@ -1948,7 +2113,8 @@ allocate_socket(isc_socketmgr_t *manager, isc_sockettype_t type,
*/
result = isc_mutex_init(&sock->lock);
if (result != ISC_R_SUCCESS) {
- sock->magic = 0;
+ sock->common.magic = 0;
+ sock->common.impmagic = 0;
goto error;
}
@@ -1962,7 +2128,8 @@ allocate_socket(isc_socketmgr_t *manager, isc_sockettype_t type,
ISC_EVENTATTR_NOPURGE, NULL, ISC_SOCKEVENT_INTW,
NULL, sock, sock, NULL, NULL);
- sock->magic = SOCKET_MAGIC;
+ sock->common.magic = ISCAPI_SOCKET_MAGIC;
+ sock->common.impmagic = SOCKET_MAGIC;
*socketp = sock;
return (ISC_R_SUCCESS);
@@ -1987,8 +2154,8 @@ allocate_socket(isc_socketmgr_t *manager, isc_sockettype_t type,
* also close the socket.
*/
static void
-free_socket(isc_socket_t **socketp) {
- isc_socket_t *sock = *socketp;
+free_socket(isc__socket_t **socketp) {
+ isc__socket_t *sock = *socketp;
INSIST(sock->references == 0);
INSIST(VALID_SOCKET(sock));
@@ -2008,7 +2175,8 @@ free_socket(isc_socket_t **socketp) {
isc_mem_put(sock->manager->mctx, sock->sendcmsgbuf,
sock->sendcmsgbuflen);
- sock->magic = 0;
+ sock->common.magic = 0;
+ sock->common.impmagic = 0;
DESTROYLOCK(&sock->lock);
@@ -2056,7 +2224,7 @@ clear_bsdcompat(void) {
#endif
static isc_result_t
-opensocket(isc_socketmgr_t *manager, isc_socket_t *sock) {
+opensocket(isc__socketmgr_t *manager, isc__socket_t *sock) {
isc_result_t result;
char strbuf[ISC_STRERRORSIZE];
const char *err = "socket";
@@ -2358,11 +2526,12 @@ opensocket(isc_socketmgr_t *manager, isc_socket_t *sock) {
* called with 'arg' as the arg value. The new socket is returned
* in 'socketp'.
*/
-isc_result_t
-isc_socket_create(isc_socketmgr_t *manager, int pf, isc_sockettype_t type,
- isc_socket_t **socketp)
+ISC_SOCKETFUNC_SCOPE isc_result_t
+isc__socket_create(isc_socketmgr_t *manager0, int pf, isc_sockettype_t type,
+ isc_socket_t **socketp)
{
- isc_socket_t *sock = NULL;
+ isc__socket_t *sock = NULL;
+ isc__socketmgr_t *manager = (isc__socketmgr_t *)manager0;
isc_result_t result;
int lockid;
@@ -2398,8 +2567,9 @@ isc_socket_create(isc_socketmgr_t *manager, int pf, isc_sockettype_t type,
return (result);
}
+ sock->common.methods = (isc_socketmethods_t *)&socketmethods;
sock->references = 1;
- *socketp = sock;
+ *socketp = (isc_socket_t *)sock;
/*
* Note we don't have to lock the socket like we normally would because
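Review bot: The assignment `sock->common.methods = (isc_socketmethods_t *)&socketmethods;` casts a pointer to the anonymous wrapper struct when the member of the right type is available directly. `sock->common.methods = &socketmethods.methods;` needs no cast and keeps working if a field is ever placed ahead of `methods` in the wrapper. The same line appears in the isc__socket_fdwatchcreate hunk (`@@ -2502,8 +2676,9 @@`) and should change with it. isc__socket_create starts and ends outside this hunk.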
@@ -2430,9 +2600,11 @@ isc_socket_create(isc_socketmgr_t *manager, int pf, isc_sockettype_t type,
return (ISC_R_SUCCESS);
}
-isc_result_t
-isc_socket_open(isc_socket_t *sock) {
+#ifdef BIND9
+ISC_SOCKETFUNC_SCOPE isc_result_t
+isc__socket_open(isc_socket_t *sock0) {
isc_result_t result;
+ isc__socket_t *sock = (isc__socket_t *)sock0;
REQUIRE(VALID_SOCKET(sock));
@@ -2472,6 +2644,7 @@ isc_socket_open(isc_socket_t *sock) {
return (result);
}
+#endif /* BIND9 */
/*
* Create a new 'type' socket managed by 'manager'. Events
@@ -2479,12 +2652,13 @@ isc_socket_open(isc_socket_t *sock) {
* called with 'arg' as the arg value. The new socket is returned
* in 'socketp'.
*/
-isc_result_t
-isc_socket_fdwatchcreate(isc_socketmgr_t *manager, int fd, int flags,
- isc_sockfdwatch_t callback, void *cbarg,
- isc_task_t *task, isc_socket_t **socketp)
+ISC_SOCKETFUNC_SCOPE isc_result_t
+isc__socket_fdwatchcreate(isc_socketmgr_t *manager0, int fd, int flags,
+ isc_sockfdwatch_t callback, void *cbarg,
+ isc_task_t *task, isc_socket_t **socketp)
{
- isc_socket_t *sock = NULL;
+ isc__socketmgr_t *manager = (isc__socketmgr_t *)manager0;
+ isc__socket_t *sock = NULL;
isc_result_t result;
int lockid;
@@ -2502,8 +2676,9 @@ isc_socket_fdwatchcreate(isc_socketmgr_t *manager, int fd, int flags,
sock->fdwatchtask = task;
sock->statsindex = fdwatchstatsindex;
+ sock->common.methods = (isc_socketmethods_t *)&socketmethods;
sock->references = 1;
- *socketp = sock;
+ *socketp = (isc_socket_t *)sock;
/*
* Note we don't have to lock the socket like we normally would because
@@ -2536,10 +2711,50 @@ isc_socket_fdwatchcreate(isc_socketmgr_t *manager, int fd, int flags,
}
/*
+ * Indicate to the manager that it should watch the socket again.
+ * This can be used to restart watching if the previous event handler
+ * didn't indicate there was more data to be processed. Primarily
+ * it is for writing but could be used for reading if desired
+ */
+
+ISC_SOCKETFUNC_SCOPE isc_result_t
+isc__socket_fdwatchpoke(isc_socket_t *sock0, int flags)
+{
+ isc__socket_t *sock = (isc__socket_t *)sock0;
+
+ REQUIRE(VALID_SOCKET(sock));
+
+ /*
+ * We check both flags first to allow us to get the lock
+ * once but only if we need it.
+ */
+
+ if ((flags & (ISC_SOCKFDWATCH_READ | ISC_SOCKFDWATCH_WRITE)) != 0) {
+ LOCK(&sock->lock);
+ if (((flags & ISC_SOCKFDWATCH_READ) != 0) &&
+ !sock->pending_recv)
+ select_poke(sock->manager, sock->fd,
+ SELECT_POKE_READ);
+ if (((flags & ISC_SOCKFDWATCH_WRITE) != 0) &&
+ !sock->pending_send)
+ select_poke(sock->manager, sock->fd,
+ SELECT_POKE_WRITE);
+ UNLOCK(&sock->lock);
+ }
+
+ socket_log(sock, NULL, TRACE, isc_msgcat, ISC_MSGSET_SOCKET,
+ ISC_MSG_POKED, "fdwatch-poked flags: %d", flags);
+
+ return (ISC_R_SUCCESS);
+}
+
+/*
* Attach to a socket. Caller must explicitly detach when it is done.
*/
-void
-isc_socket_attach(isc_socket_t *sock, isc_socket_t **socketp) {
+ISC_SOCKETFUNC_SCOPE void
+isc__socket_attach(isc_socket_t *sock0, isc_socket_t **socketp) {
+ isc__socket_t *sock = (isc__socket_t *)sock0;
+
REQUIRE(VALID_SOCKET(sock));
REQUIRE(socketp != NULL && *socketp == NULL);
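Review bot: isc__socket_fdwatchpoke validates only the magic, yet it is installed in the shared `socketmethods` table and so can be reached for a socket of any type. On a non-fdwatch or already closed socket it would pass `sock->fd` to select_poke and re-arm watching that the normal recv/send paths do not expect; how harmful that is depends on process_fd, which is not visible here. A precondition next to the existing one, `REQUIRE(sock->type == isc_sockettype_fdwatch);`, would make the contract explicit. The function also returns ISC_R_SUCCESS and logs "fdwatch-poked" when `flags` carries neither ISC_SOCKFDWATCH_READ nor ISC_SOCKFDWATCH_WRITE, which the header comment could mention. The hunk ends inside isc__socket_attach.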
@@ -2547,20 +2762,20 @@ isc_socket_attach(isc_socket_t *sock, isc_socket_t **socketp) {
sock->references++;
UNLOCK(&sock->lock);
- *socketp = sock;
+ *socketp = (isc_socket_t *)sock;
}
/*
* Dereference a socket. If this is the last reference to it, clean things
* up by destroying the socket.
*/
-void
-isc_socket_detach(isc_socket_t **socketp) {
- isc_socket_t *sock;
+ISC_SOCKETFUNC_SCOPE void
+isc__socket_detach(isc_socket_t **socketp) {
+ isc__socket_t *sock;
isc_boolean_t kill_socket = ISC_FALSE;
REQUIRE(socketp != NULL);
- sock = *socketp;
+ sock = (isc__socket_t *)*socketp;
REQUIRE(VALID_SOCKET(sock));
LOCK(&sock->lock);
@@ -2576,10 +2791,12 @@ isc_socket_detach(isc_socket_t **socketp) {
*socketp = NULL;
}
-isc_result_t
-isc_socket_close(isc_socket_t *sock) {
+#ifdef BIND9
+ISC_SOCKETFUNC_SCOPE isc_result_t
+isc__socket_close(isc_socket_t *sock0) {
+ isc__socket_t *sock = (isc__socket_t *)sock0;
int fd;
- isc_socketmgr_t *manager;
+ isc__socketmgr_t *manager;
REQUIRE(VALID_SOCKET(sock));
@@ -2615,6 +2832,7 @@ isc_socket_close(isc_socket_t *sock) {
return (ISC_R_SUCCESS);
}
+#endif /* BIND9 */
/*
* I/O is possible on a given socket. Schedule an event to this task that
@@ -2625,7 +2843,7 @@ isc_socket_close(isc_socket_t *sock) {
* The socket and manager must be locked before calling this function.
*/
static void
-dispatch_recv(isc_socket_t *sock) {
+dispatch_recv(isc__socket_t *sock) {
intev_t *iev;
isc_socketevent_t *ev;
isc_task_t *sender;
@@ -2659,7 +2877,7 @@ dispatch_recv(isc_socket_t *sock) {
}
static void
-dispatch_send(isc_socket_t *sock) {
+dispatch_send(isc__socket_t *sock) {
intev_t *iev;
isc_socketevent_t *ev;
isc_task_t *sender;
@@ -2696,7 +2914,7 @@ dispatch_send(isc_socket_t *sock) {
* Dispatch an internal accept event.
*/
static void
-dispatch_accept(isc_socket_t *sock) {
+dispatch_accept(isc__socket_t *sock) {
intev_t *iev;
isc_socket_newconnev_t *ev;
@@ -2722,7 +2940,7 @@ dispatch_accept(isc_socket_t *sock) {
}
static void
-dispatch_connect(isc_socket_t *sock) {
+dispatch_connect(isc__socket_t *sock) {
intev_t *iev;
isc_socket_connev_t *ev;
@@ -2752,7 +2970,7 @@ dispatch_connect(isc_socket_t *sock) {
* Caller must have the socket locked if the event is attached to the socket.
*/
static void
-send_recvdone_event(isc_socket_t *sock, isc_socketevent_t **dev) {
+send_recvdone_event(isc__socket_t *sock, isc_socketevent_t **dev) {
isc_task_t *task;
task = (*dev)->ev_sender;
@@ -2775,7 +2993,7 @@ send_recvdone_event(isc_socket_t *sock, isc_socketevent_t **dev) {
* Caller must have the socket locked if the event is attached to the socket.
*/
static void
-send_senddone_event(isc_socket_t *sock, isc_socketevent_t **dev) {
+send_senddone_event(isc__socket_t *sock, isc_socketevent_t **dev) {
isc_task_t *task;
INSIST(dev != NULL && *dev != NULL);
@@ -2806,8 +3024,8 @@ send_senddone_event(isc_socket_t *sock, isc_socketevent_t **dev) {
*/
static void
internal_accept(isc_task_t *me, isc_event_t *ev) {
- isc_socket_t *sock;
- isc_socketmgr_t *manager;
+ isc__socket_t *sock;
+ isc__socketmgr_t *manager;
isc_socket_newconnev_t *dev;
isc_task_t *task;
ISC_SOCKADDR_LEN_T addrlen;
@@ -2862,9 +3080,9 @@ internal_accept(isc_task_t *me, isc_event_t *ev) {
* daemons such as BIND 8 and Apache.
*/
- addrlen = sizeof(dev->newsocket->peer_address.type);
- memset(&dev->newsocket->peer_address.type, 0, addrlen);
- fd = accept(sock->fd, &dev->newsocket->peer_address.type.sa,
+ addrlen = sizeof(NEWCONNSOCK(dev)->peer_address.type);
+ memset(&NEWCONNSOCK(dev)->peer_address.type, 0, addrlen);
+ fd = accept(sock->fd, &NEWCONNSOCK(dev)->peer_address.type.sa,
(void *)&addrlen);
#ifdef F_DUPFD
@@ -2934,14 +3152,14 @@ internal_accept(isc_task_t *me, isc_event_t *ev) {
(void)close(fd);
goto soft_error;
- } else if (dev->newsocket->peer_address.type.sa.sa_family !=
+ } else if (NEWCONNSOCK(dev)->peer_address.type.sa.sa_family !=
sock->pf)
{
UNEXPECTED_ERROR(__FILE__, __LINE__,
"internal_accept(): "
"accept() returned peer address "
"family %u (expected %u)",
- dev->newsocket->peer_address.
+ NEWCONNSOCK(dev)->peer_address.
type.sa.sa_family,
sock->pf);
(void)close(fd);
@@ -2960,8 +3178,8 @@ internal_accept(isc_task_t *me, isc_event_t *ev) {
}
if (fd != -1) {
- dev->newsocket->peer_address.length = addrlen;
- dev->newsocket->pf = sock->pf;
+ NEWCONNSOCK(dev)->peer_address.length = addrlen;
+ NEWCONNSOCK(dev)->pf = sock->pf;
}
/*
@@ -2992,28 +3210,28 @@ internal_accept(isc_task_t *me, isc_event_t *ev) {
int lockid = FDLOCK_ID(fd);
LOCK(&manager->fdlock[lockid]);
- manager->fds[fd] = dev->newsocket;
+ manager->fds[fd] = NEWCONNSOCK(dev);
manager->fdstate[fd] = MANAGED;
UNLOCK(&manager->fdlock[lockid]);
LOCK(&manager->lock);
- ISC_LIST_APPEND(manager->socklist, dev->newsocket, link);
+ ISC_LIST_APPEND(manager->socklist, NEWCONNSOCK(dev), link);
- dev->newsocket->fd = fd;
- dev->newsocket->bound = 1;
- dev->newsocket->connected = 1;
+ NEWCONNSOCK(dev)->fd = fd;
+ NEWCONNSOCK(dev)->bound = 1;
+ NEWCONNSOCK(dev)->connected = 1;
/*
* Save away the remote address
*/
- dev->address = dev->newsocket->peer_address;
+ dev->address = NEWCONNSOCK(dev)->peer_address;
#ifdef USE_SELECT
if (manager->maxfd < fd)
manager->maxfd = fd;
#endif
- socket_log(sock, &dev->newsocket->peer_address, CREATION,
+ socket_log(sock, &NEWCONNSOCK(dev)->peer_address, CREATION,
isc_msgcat, ISC_MSGSET_SOCKET, ISC_MSG_ACCEPTEDCXN,
"accepted connection, new socket %p",
dev->newsocket);
@@ -3023,8 +3241,8 @@ internal_accept(isc_task_t *me, isc_event_t *ev) {
inc_stats(manager->stats, sock->statsindex[STATID_ACCEPT]);
} else {
inc_stats(manager->stats, sock->statsindex[STATID_ACCEPTFAIL]);
- dev->newsocket->references--;
- free_socket(&dev->newsocket);
+ NEWCONNSOCK(dev)->references--;
+ free_socket((isc__socket_t **)&dev->newsocket);
}
/*
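Review bot: `free_socket((isc__socket_t **)&dev->newsocket);` makes free_socket access an object declared as `isc_socket_t *` through an `isc__socket_t **`. That pointer-to-pointer cast is an aliasing violation, unlike the plain pointer casts used elsewhere in this diff. A typed local avoids it: `isc__socket_t *nsock = NEWCONNSOCK(dev);` `nsock->references--; free_socket(&nsock);` `dev->newsocket = NULL;`. The last statement assumes free_socket() clears its argument, which its visible lines do not confirm. The same local would also replace the repeated NEWCONNSOCK(dev) expansions in the earlier internal_accept hunks. internal_accept starts and ends outside this hunk.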
@@ -3048,7 +3266,7 @@ internal_accept(isc_task_t *me, isc_event_t *ev) {
static void
internal_recv(isc_task_t *me, isc_event_t *ev) {
isc_socketevent_t *dev;
- isc_socket_t *sock;
+ isc__socket_t *sock;
INSIST(ev->ev_type == ISC_SOCKEVENT_INTR);
@@ -3113,14 +3331,14 @@ internal_recv(isc_task_t *me, isc_event_t *ev) {
static void
internal_send(isc_task_t *me, isc_event_t *ev) {
isc_socketevent_t *dev;
- isc_socket_t *sock;
+ isc__socket_t *sock;
INSIST(ev->ev_type == ISC_SOCKEVENT_INTW);
/*
* Find out what socket this is and lock it.
*/
- sock = (isc_socket_t *)ev->ev_sender;
+ sock = (isc__socket_t *)ev->ev_sender;
INSIST(VALID_SOCKET(sock));
LOCK(&sock->lock);
@@ -3167,7 +3385,7 @@ internal_send(isc_task_t *me, isc_event_t *ev) {
static void
internal_fdwatch_write(isc_task_t *me, isc_event_t *ev) {
- isc_socket_t *sock;
+ isc__socket_t *sock;
int more_data;
INSIST(ev->ev_type == ISC_SOCKEVENT_INTW);
@@ -3175,7 +3393,7 @@ internal_fdwatch_write(isc_task_t *me, isc_event_t *ev) {
/*
* Find out what socket this is and lock it.
*/
- sock = (isc_socket_t *)ev->ev_sender;
+ sock = (isc__socket_t *)ev->ev_sender;
INSIST(VALID_SOCKET(sock));
LOCK(&sock->lock);
@@ -3186,7 +3404,8 @@ internal_fdwatch_write(isc_task_t *me, isc_event_t *ev) {
INSIST(sock->pending_send == 1);
UNLOCK(&sock->lock);
- more_data = (sock->fdwatchcb)(me, sock, sock->fdwatcharg);
+ more_data = (sock->fdwatchcb)(me, (isc_socket_t *)sock,
+ sock->fdwatcharg, ISC_SOCKFDWATCH_WRITE);
LOCK(&sock->lock);
sock->pending_send = 0;
@@ -3207,7 +3426,7 @@ internal_fdwatch_write(isc_task_t *me, isc_event_t *ev) {
static void
internal_fdwatch_read(isc_task_t *me, isc_event_t *ev) {
- isc_socket_t *sock;
+ isc__socket_t *sock;
int more_data;
INSIST(ev->ev_type == ISC_SOCKEVENT_INTR);
@@ -3215,7 +3434,7 @@ internal_fdwatch_read(isc_task_t *me, isc_event_t *ev) {
/*
* Find out what socket this is and lock it.
*/
- sock = (isc_socket_t *)ev->ev_sender;
+ sock = (isc__socket_t *)ev->ev_sender;
INSIST(VALID_SOCKET(sock));
LOCK(&sock->lock);
@@ -3226,7 +3445,8 @@ internal_fdwatch_read(isc_task_t *me, isc_event_t *ev) {
INSIST(sock->pending_recv == 1);
UNLOCK(&sock->lock);
- more_data = (sock->fdwatchcb)(me, sock, sock->fdwatcharg);
+ more_data = (sock->fdwatchcb)(me, (isc_socket_t *)sock,
+ sock->fdwatcharg, ISC_SOCKFDWATCH_READ);
LOCK(&sock->lock);
sock->pending_recv = 0;
@@ -3250,10 +3470,10 @@ internal_fdwatch_read(isc_task_t *me, isc_event_t *ev) {
* and unlocking twice if both reads and writes are possible.
*/
static void
-process_fd(isc_socketmgr_t *manager, int fd, isc_boolean_t readable,
+process_fd(isc__socketmgr_t *manager, int fd, isc_boolean_t readable,
isc_boolean_t writeable)
{
- isc_socket_t *sock;
+ isc__socket_t *sock;
isc_boolean_t unlock_sock;
isc_boolean_t unwatch_read = ISC_FALSE, unwatch_write = ISC_FALSE;
int lockid = FDLOCK_ID(fd);
@@ -3319,11 +3539,11 @@ check_write:
#ifdef USE_KQUEUE
static isc_boolean_t
-process_fds(isc_socketmgr_t *manager, struct kevent *events, int nevents) {
+process_fds(isc__socketmgr_t *manager, struct kevent *events, int nevents) {
int i;
isc_boolean_t readable, writable;
isc_boolean_t done = ISC_FALSE;
-#ifdef ISC_PLATFORM_USETHREADS
+#ifdef USE_WATCHER_THREAD
isc_boolean_t have_ctlevent = ISC_FALSE;
#endif
@@ -3341,7 +3561,7 @@ process_fds(isc_socketmgr_t *manager, struct kevent *events, int nevents) {
for (i = 0; i < nevents; i++) {
REQUIRE(events[i].ident < manager->maxsocks);
-#ifdef ISC_PLATFORM_USETHREADS
+#ifdef USE_WATCHER_THREAD
if (events[i].ident == (uintptr_t)manager->pipe_fds[0]) {
have_ctlevent = ISC_TRUE;
continue;
@@ -3352,7 +3572,7 @@ process_fds(isc_socketmgr_t *manager, struct kevent *events, int nevents) {
process_fd(manager, events[i].ident, readable, writable);
}
-#ifdef ISC_PLATFORM_USETHREADS
+#ifdef USE_WATCHER_THREAD
if (have_ctlevent)
done = process_ctlfd(manager);
#endif
@@ -3361,10 +3581,11 @@ process_fds(isc_socketmgr_t *manager, struct kevent *events, int nevents) {
}
#elif defined(USE_EPOLL)
static isc_boolean_t
-process_fds(isc_socketmgr_t *manager, struct epoll_event *events, int nevents) {
+process_fds(isc__socketmgr_t *manager, struct epoll_event *events, int nevents)
+{
int i;
isc_boolean_t done = ISC_FALSE;
-#ifdef ISC_PLATFORM_USETHREADS
+#ifdef USE_WATCHER_THREAD
isc_boolean_t have_ctlevent = ISC_FALSE;
#endif
@@ -3377,7 +3598,7 @@ process_fds(isc_socketmgr_t *manager, struct epoll_event *events, int nevents) {
for (i = 0; i < nevents; i++) {
REQUIRE(events[i].data.fd < (int)manager->maxsocks);
-#ifdef ISC_PLATFORM_USETHREADS
+#ifdef USE_WATCHER_THREAD
if (events[i].data.fd == manager->pipe_fds[0]) {
have_ctlevent = ISC_TRUE;
continue;
@@ -3399,7 +3620,7 @@ process_fds(isc_socketmgr_t *manager, struct epoll_event *events, int nevents) {
(events[i].events & EPOLLOUT) != 0);
}
-#ifdef ISC_PLATFORM_USETHREADS
+#ifdef USE_WATCHER_THREAD
if (have_ctlevent)
done = process_ctlfd(manager);
#endif
@@ -3408,10 +3629,10 @@ process_fds(isc_socketmgr_t *manager, struct epoll_event *events, int nevents) {
}
#elif defined(USE_DEVPOLL)
static isc_boolean_t
-process_fds(isc_socketmgr_t *manager, struct pollfd *events, int nevents) {
+process_fds(isc__socketmgr_t *manager, struct pollfd *events, int nevents) {
int i;
isc_boolean_t done = ISC_FALSE;
-#ifdef ISC_PLATFORM_USETHREADS
+#ifdef USE_WATCHER_THREAD
isc_boolean_t have_ctlevent = ISC_FALSE;
#endif
@@ -3424,7 +3645,7 @@ process_fds(isc_socketmgr_t *manager, struct pollfd *events, int nevents) {
for (i = 0; i < nevents; i++) {
REQUIRE(events[i].fd < (int)manager->maxsocks);
-#ifdef ISC_PLATFORM_USETHREADS
+#ifdef USE_WATCHER_THREAD
if (events[i].fd == manager->pipe_fds[0]) {
have_ctlevent = ISC_TRUE;
continue;
@@ -3435,7 +3656,7 @@ process_fds(isc_socketmgr_t *manager, struct pollfd *events, int nevents) {
(events[i].events & POLLOUT) != 0);
}
-#ifdef ISC_PLATFORM_USETHREADS
+#ifdef USE_WATCHER_THREAD
if (have_ctlevent)
done = process_ctlfd(manager);
#endif
@@ -3444,27 +3665,27 @@ process_fds(isc_socketmgr_t *manager, struct pollfd *events, int nevents) {
}
#elif defined(USE_SELECT)
static void
-process_fds(isc_socketmgr_t *manager, int maxfd,
- fd_set *readfds, fd_set *writefds)
+process_fds(isc__socketmgr_t *manager, int maxfd, fd_set *readfds,
+ fd_set *writefds)
{
int i;
REQUIRE(maxfd <= (int)manager->maxsocks);
for (i = 0; i < maxfd; i++) {
-#ifdef ISC_PLATFORM_USETHREADS
+#ifdef USE_WATCHER_THREAD
if (i == manager->pipe_fds[0] || i == manager->pipe_fds[1])
continue;
-#endif /* ISC_PLATFORM_USETHREADS */
+#endif /* USE_WATCHER_THREAD */
process_fd(manager, i, FD_ISSET(i, readfds),
FD_ISSET(i, writefds));
}
}
#endif
-#ifdef ISC_PLATFORM_USETHREADS
+#ifdef USE_WATCHER_THREAD
static isc_boolean_t
-process_ctlfd(isc_socketmgr_t *manager) {
+process_ctlfd(isc__socketmgr_t *manager) {
int msg, fd;
for (;;) {
@@ -3512,7 +3733,7 @@ process_ctlfd(isc_socketmgr_t *manager) {
*/
static isc_threadresult_t
watcher(void *uap) {
- isc_socketmgr_t *manager = uap;
+ isc__socketmgr_t *manager = uap;
isc_boolean_t done;
int cc;
#ifdef USE_KQUEUE
@@ -3629,22 +3850,34 @@ watcher(void *uap) {
return ((isc_threadresult_t)0);
}
-#endif /* ISC_PLATFORM_USETHREADS */
+#endif /* USE_WATCHER_THREAD */
-void
-isc__socketmgr_setreserved(isc_socketmgr_t *manager, isc_uint32_t reserved) {
+#ifdef BIND9
+ISC_SOCKETFUNC_SCOPE void
+isc__socketmgr_setreserved(isc_socketmgr_t *manager0, isc_uint32_t reserved) {
+ isc__socketmgr_t *manager = (isc__socketmgr_t *)manager0;
REQUIRE(VALID_MANAGER(manager));
manager->reserved = reserved;
}
+ISC_SOCKETFUNC_SCOPE void
+isc___socketmgr_maxudp(isc_socketmgr_t *manager0, int maxudp) {
+ isc__socketmgr_t *manager = (isc__socketmgr_t *)manager0;
+
+ REQUIRE(VALID_MANAGER(manager));
+
+ manager->maxudp = maxudp;
+}
+#endif /* BIND9 */
+
/*
* Create a new socket manager.
*/
static isc_result_t
-setup_watcher(isc_mem_t *mctx, isc_socketmgr_t *manager) {
+setup_watcher(isc_mem_t *mctx, isc__socketmgr_t *manager) {
isc_result_t result;
#if defined(USE_KQUEUE) || defined(USE_EPOLL) || defined(USE_DEVPOLL)
char strbuf[ISC_STRERRORSIZE];
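Review bot: `isc___socketmgr_maxudp()` stores `maxudp` with no range check and no comment, so a negative value is accepted silently; how the field is consumed is not visible in this hunk. If negative values have no meaning, add `REQUIRE(maxudp >= 0);` after the `VALID_MANAGER` check. A one-line comment above the function should state the unit and what 0 means, since `isc__socketmgr_create2()` initialises the field to 0. The triple-underscore name also differs from the neighbouring `isc__socketmgr_setreserved()`; if that is deliberate, the comment should say why.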
@@ -3670,7 +3903,7 @@ setup_watcher(isc_mem_t *mctx, isc_socketmgr_t *manager) {
return (result);
}
-#ifdef ISC_PLATFORM_USETHREADS
+#ifdef USE_WATCHER_THREAD
result = watch_fd(manager, manager->pipe_fds[0], SELECT_POKE_READ);
if (result != ISC_R_SUCCESS) {
close(manager->kqueue_fd);
@@ -3678,7 +3911,7 @@ setup_watcher(isc_mem_t *mctx, isc_socketmgr_t *manager) {
sizeof(struct kevent) * manager->nevents);
return (result);
}
-#endif /* ISC_PLATFORM_USETHREADS */
+#endif /* USE_WATCHER_THREAD */
#elif defined(USE_EPOLL)
manager->nevents = ISC_SOCKET_MAXEVENTS;
manager->events = isc_mem_get(mctx, sizeof(struct epoll_event) *
@@ -3698,7 +3931,7 @@ setup_watcher(isc_mem_t *mctx, isc_socketmgr_t *manager) {
sizeof(struct epoll_event) * manager->nevents);
return (result);
}
-#ifdef ISC_PLATFORM_USETHREADS
+#ifdef USE_WATCHER_THREAD
result = watch_fd(manager, manager->pipe_fds[0], SELECT_POKE_READ);
if (result != ISC_R_SUCCESS) {
close(manager->epoll_fd);
@@ -3706,7 +3939,7 @@ setup_watcher(isc_mem_t *mctx, isc_socketmgr_t *manager) {
sizeof(struct epoll_event) * manager->nevents);
return (result);
}
-#endif /* ISC_PLATFORM_USETHREADS */
+#endif /* USE_WATCHER_THREAD */
#elif defined(USE_DEVPOLL)
/*
* XXXJT: /dev/poll seems to reject large numbers of events,
@@ -3744,7 +3977,7 @@ setup_watcher(isc_mem_t *mctx, isc_socketmgr_t *manager) {
sizeof(pollinfo_t) * manager->maxsocks);
return (result);
}
-#ifdef ISC_PLATFORM_USETHREADS
+#ifdef USE_WATCHER_THREAD
result = watch_fd(manager, manager->pipe_fds[0], SELECT_POKE_READ);
if (result != ISC_R_SUCCESS) {
close(manager->devpoll_fd);
@@ -3754,7 +3987,7 @@ setup_watcher(isc_mem_t *mctx, isc_socketmgr_t *manager) {
sizeof(pollinfo_t) * manager->maxsocks);
return (result);
}
-#endif /* ISC_PLATFORM_USETHREADS */
+#endif /* USE_WATCHER_THREAD */
#elif defined(USE_SELECT)
UNUSED(result);
@@ -3802,20 +4035,20 @@ setup_watcher(isc_mem_t *mctx, isc_socketmgr_t *manager) {
memset(manager->read_fds, 0, manager->fd_bufsize);
memset(manager->write_fds, 0, manager->fd_bufsize);
-#ifdef ISC_PLATFORM_USETHREADS
+#ifdef USE_WATCHER_THREAD
(void)watch_fd(manager, manager->pipe_fds[0], SELECT_POKE_READ);
manager->maxfd = manager->pipe_fds[0];
-#else /* ISC_PLATFORM_USETHREADS */
+#else /* USE_WATCHER_THREAD */
manager->maxfd = 0;
-#endif /* ISC_PLATFORM_USETHREADS */
+#endif /* USE_WATCHER_THREAD */
#endif /* USE_KQUEUE */
return (ISC_R_SUCCESS);
}
static void
-cleanup_watcher(isc_mem_t *mctx, isc_socketmgr_t *manager) {
-#ifdef ISC_PLATFORM_USETHREADS
+cleanup_watcher(isc_mem_t *mctx, isc__socketmgr_t *manager) {
+#ifdef USE_WATCHER_THREAD
isc_result_t result;
result = unwatch_fd(manager, manager->pipe_fds[0], SELECT_POKE_READ);
@@ -3825,7 +4058,7 @@ cleanup_watcher(isc_mem_t *mctx, isc_socketmgr_t *manager) {
isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
ISC_MSG_FAILED, "failed"));
}
-#endif /* ISC_PLATFORM_USETHREADS */
+#endif /* USE_WATCHER_THREAD */
#ifdef USE_KQUEUE
close(manager->kqueue_fd);
@@ -3853,35 +4086,35 @@ cleanup_watcher(isc_mem_t *mctx, isc_socketmgr_t *manager) {
#endif /* USE_KQUEUE */
}
-isc_result_t
-isc_socketmgr_create(isc_mem_t *mctx, isc_socketmgr_t **managerp) {
- return (isc_socketmgr_create2(mctx, managerp, 0));
+ISC_SOCKETFUNC_SCOPE isc_result_t
+isc__socketmgr_create(isc_mem_t *mctx, isc_socketmgr_t **managerp) {
+ return (isc__socketmgr_create2(mctx, managerp, 0));
}
-isc_result_t
-isc_socketmgr_create2(isc_mem_t *mctx, isc_socketmgr_t **managerp,
- unsigned int maxsocks)
+ISC_SOCKETFUNC_SCOPE isc_result_t
+isc__socketmgr_create2(isc_mem_t *mctx, isc_socketmgr_t **managerp,
+ unsigned int maxsocks)
{
int i;
- isc_socketmgr_t *manager;
-#ifdef ISC_PLATFORM_USETHREADS
+ isc__socketmgr_t *manager;
+#ifdef USE_WATCHER_THREAD
char strbuf[ISC_STRERRORSIZE];
#endif
isc_result_t result;
REQUIRE(managerp != NULL && *managerp == NULL);
-#ifndef ISC_PLATFORM_USETHREADS
+#ifdef USE_SHARED_MANAGER
if (socketmgr != NULL) {
/* Don't allow maxsocks to be updated */
if (maxsocks > 0 && socketmgr->maxsocks != maxsocks)
return (ISC_R_EXISTS);
socketmgr->refs++;
- *managerp = socketmgr;
+ *managerp = (isc_socketmgr_t *)socketmgr;
return (ISC_R_SUCCESS);
}
-#endif /* ISC_PLATFORM_USETHREADS */
+#endif /* USE_SHARED_MANAGER */
if (maxsocks == 0)
maxsocks = ISC_SOCKET_MAXSOCKETS;
@@ -3894,8 +4127,9 @@ isc_socketmgr_create2(isc_mem_t *mctx, isc_socketmgr_t **managerp,
memset(manager, 0, sizeof(*manager));
manager->maxsocks = maxsocks;
manager->reserved = 0;
+ manager->maxudp = 0;
manager->fds = isc_mem_get(mctx,
- manager->maxsocks * sizeof(isc_socket_t *));
+ manager->maxsocks * sizeof(isc__socket_t *));
if (manager->fds == NULL) {
result = ISC_R_NOMEMORY;
goto free_manager;
@@ -3907,7 +4141,9 @@ isc_socketmgr_create2(isc_mem_t *mctx, isc_socketmgr_t **managerp,
}
manager->stats = NULL;
- manager->magic = SOCKET_MANAGER_MAGIC;
+ manager->common.methods = &socketmgrmethods;
+ manager->common.magic = ISCAPI_SOCKETMGR_MAGIC;
+ manager->common.impmagic = SOCKET_MANAGER_MAGIC;
manager->mctx = NULL;
memset(manager->fds, 0, manager->maxsocks * sizeof(isc_socket_t *));
ISC_LIST_INIT(manager->socklist);
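Review bot: The `memset()` of `manager->fds` on the context line still sizes by `sizeof(isc_socket_t *)`, while this commit changes the matching `isc_mem_get()` and `isc_mem_put()` to `sizeof(isc__socket_t *)`. Both are object pointers, so the length is the same in practice, but the allocate/clear/free triple now names two different types. Sizing all three from the array itself keeps them in step: `memset(manager->fds, 0, manager->maxsocks * sizeof(manager->fds[0]));`.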
@@ -3931,7 +4167,7 @@ isc_socketmgr_create2(isc_mem_t *mctx, isc_socketmgr_t **managerp,
}
}
-#ifdef ISC_PLATFORM_USETHREADS
+#ifdef USE_WATCHER_THREAD
if (isc_condition_init(&manager->shutdown_ok) != ISC_R_SUCCESS) {
UNEXPECTED_ERROR(__FILE__, __LINE__,
"isc_condition_init() %s",
@@ -3960,9 +4196,11 @@ isc_socketmgr_create2(isc_mem_t *mctx, isc_socketmgr_t **managerp,
#if 0
RUNTIME_CHECK(make_nonblock(manager->pipe_fds[1]) == ISC_R_SUCCESS);
#endif
-#else /* ISC_PLATFORM_USETHREADS */
+#endif /* USE_WATCHER_THREAD */
+
+#ifdef USE_SHARED_MANAGER
manager->refs = 1;
-#endif /* ISC_PLATFORM_USETHREADS */
+#endif /* USE_SHARED_MANAGER */
/*
* Set up initial state for the select loop
@@ -3971,7 +4209,7 @@ isc_socketmgr_create2(isc_mem_t *mctx, isc_socketmgr_t **managerp,
if (result != ISC_R_SUCCESS)
goto cleanup;
memset(manager->fdstate, 0, manager->maxsocks * sizeof(int));
-#ifdef ISC_PLATFORM_USETHREADS
+#ifdef USE_WATCHER_THREAD
/*
* Start up the select/poll thread.
*/
@@ -3985,26 +4223,26 @@ isc_socketmgr_create2(isc_mem_t *mctx, isc_socketmgr_t **managerp,
result = ISC_R_UNEXPECTED;
goto cleanup;
}
-#endif /* ISC_PLATFORM_USETHREADS */
+#endif /* USE_WATCHER_THREAD */
isc_mem_attach(mctx, &manager->mctx);
-#ifndef ISC_PLATFORM_USETHREADS
+#ifdef USE_SHARED_MANAGER
socketmgr = manager;
-#endif /* ISC_PLATFORM_USETHREADS */
- *managerp = manager;
+#endif /* USE_SHARED_MANAGER */
+ *managerp = (isc_socketmgr_t *)manager;
return (ISC_R_SUCCESS);
cleanup:
-#ifdef ISC_PLATFORM_USETHREADS
+#ifdef USE_WATCHER_THREAD
(void)close(manager->pipe_fds[0]);
(void)close(manager->pipe_fds[1]);
-#endif /* ISC_PLATFORM_USETHREADS */
+#endif /* USE_WATCHER_THREAD */
-#ifdef ISC_PLATFORM_USETHREADS
+#ifdef USE_WATCHER_THREAD
cleanup_condition:
(void)isc_condition_destroy(&manager->shutdown_ok);
-#endif /* ISC_PLATFORM_USETHREADS */
+#endif /* USE_WATCHER_THREAD */
cleanup_lock:
@@ -4032,8 +4270,10 @@ free_manager:
return (result);
}
+#ifdef BIND9
isc_result_t
-isc_socketmgr_getmaxsockets(isc_socketmgr_t *manager, unsigned int *nsockp) {
+isc__socketmgr_getmaxsockets(isc_socketmgr_t *manager0, unsigned int *nsockp) {
+ isc__socketmgr_t *manager = (isc__socketmgr_t *)manager0;
REQUIRE(VALID_MANAGER(manager));
REQUIRE(nsockp != NULL);
@@ -4043,7 +4283,9 @@ isc_socketmgr_getmaxsockets(isc_socketmgr_t *manager, unsigned int *nsockp) {
}
void
-isc_socketmgr_setstats(isc_socketmgr_t *manager, isc_stats_t *stats) {
+isc__socketmgr_setstats(isc_socketmgr_t *manager0, isc_stats_t *stats) {
+ isc__socketmgr_t *manager = (isc__socketmgr_t *)manager0;
+
REQUIRE(VALID_MANAGER(manager));
REQUIRE(ISC_LIST_EMPTY(manager->socklist));
REQUIRE(manager->stats == NULL);
@@ -4051,10 +4293,11 @@ isc_socketmgr_setstats(isc_socketmgr_t *manager, isc_stats_t *stats) {
isc_stats_attach(stats, &manager->stats);
}
+#endif
-void
-isc_socketmgr_destroy(isc_socketmgr_t **managerp) {
- isc_socketmgr_t *manager;
+ISC_SOCKETFUNC_SCOPE void
+isc__socketmgr_destroy(isc_socketmgr_t **managerp) {
+ isc__socketmgr_t *manager;
int i;
isc_mem_t *mctx;
@@ -4063,42 +4306,36 @@ isc_socketmgr_destroy(isc_socketmgr_t **managerp) {
*/
REQUIRE(managerp != NULL);
- manager = *managerp;
+ manager = (isc__socketmgr_t *)*managerp;
REQUIRE(VALID_MANAGER(manager));
-#ifndef ISC_PLATFORM_USETHREADS
- if (manager->refs > 1) {
- manager->refs--;
+#ifdef USE_SHARED_MANAGER
+ manager->refs--;
+ if (manager->refs > 0) {
*managerp = NULL;
return;
}
-#endif /* ISC_PLATFORM_USETHREADS */
+ socketmgr = NULL;
+#endif /* USE_SHARED_MANAGER */
LOCK(&manager->lock);
-#ifdef ISC_PLATFORM_USETHREADS
/*
* Wait for all sockets to be destroyed.
*/
while (!ISC_LIST_EMPTY(manager->socklist)) {
+#ifdef USE_WATCHER_THREAD
manager_log(manager, CREATION, "%s",
isc_msgcat_get(isc_msgcat, ISC_MSGSET_SOCKET,
ISC_MSG_SOCKETSREMAIN,
"sockets exist"));
WAIT(&manager->shutdown_ok, &manager->lock);
+#else /* USE_WATCHER_THREAD */
+ UNLOCK(&manager->lock);
+ isc__taskmgr_dispatch(NULL);
+ LOCK(&manager->lock);
+#endif /* USE_WATCHER_THREAD */
}
-#else /* ISC_PLATFORM_USETHREADS */
- /*
- * Hope all sockets have been destroyed.
- */
- if (!ISC_LIST_EMPTY(manager->socklist)) {
- manager_log(manager, CREATION, "%s",
- isc_msgcat_get(isc_msgcat, ISC_MSGSET_SOCKET,
- ISC_MSG_SOCKETSREMAIN,
- "sockets exist"));
- INSIST(0);
- }
-#endif /* ISC_PLATFORM_USETHREADS */
UNLOCK(&manager->lock);
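Review bot: In the `USE_SHARED_MANAGER` branch `socketmgr` is cleared before the drain loop, so while `isc__taskmgr_dispatch(NULL)` runs, the `manager == NULL` fallback added to `isc__socketmgr_waitevents()` and `isc__socketmgr_dispatch()` later in this diff finds no manager and returns early. If the dispatcher passes NULL there, pending socket events would not be processed and the loop could not make progress. The loop also has no bound and no longer logs "sockets exist" in the non-watcher build, where the old code failed fast with `INSIST(0)`, so a leaked socket becomes a silent spin. A later hunk already sets `socketmgr = NULL;` at the end of the function, so dropping the early assignment here and logging once before the loop would address both. The function body continues outside this hunk.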
@@ -4109,7 +4346,7 @@ isc_socketmgr_destroy(isc_socketmgr_t **managerp) {
*/
select_poke(manager, 0, SELECT_POKE_SHUTDOWN);
-#ifdef ISC_PLATFORM_USETHREADS
+#ifdef USE_WATCHER_THREAD
/*
* Wait for thread to exit.
*/
@@ -4118,25 +4355,25 @@ isc_socketmgr_destroy(isc_socketmgr_t **managerp) {
"isc_thread_join() %s",
isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
ISC_MSG_FAILED, "failed"));
-#endif /* ISC_PLATFORM_USETHREADS */
+#endif /* USE_WATCHER_THREAD */
/*
* Clean up.
*/
cleanup_watcher(manager->mctx, manager);
-#ifdef ISC_PLATFORM_USETHREADS
+#ifdef USE_WATCHER_THREAD
(void)close(manager->pipe_fds[0]);
(void)close(manager->pipe_fds[1]);
(void)isc_condition_destroy(&manager->shutdown_ok);
-#endif /* ISC_PLATFORM_USETHREADS */
+#endif /* USE_WATCHER_THREAD */
for (i = 0; i < (int)manager->maxsocks; i++)
if (manager->fdstate[i] == CLOSE_PENDING) /* no need to lock */
(void)close(i);
isc_mem_put(manager->mctx, manager->fds,
- manager->maxsocks * sizeof(isc_socket_t *));
+ manager->maxsocks * sizeof(isc__socket_t *));
isc_mem_put(manager->mctx, manager->fdstate,
manager->maxsocks * sizeof(int));
@@ -4150,17 +4387,22 @@ isc_socketmgr_destroy(isc_socketmgr_t **managerp) {
FDLOCK_COUNT * sizeof(isc_mutex_t));
}
DESTROYLOCK(&manager->lock);
- manager->magic = 0;
+ manager->common.magic = 0;
+ manager->common.impmagic = 0;
mctx= manager->mctx;
isc_mem_put(mctx, manager, sizeof(*manager));
isc_mem_detach(&mctx);
*managerp = NULL;
+
+#ifdef USE_SHARED_MANAGER
+ socketmgr = NULL;
+#endif
}
static isc_result_t
-socket_recv(isc_socket_t *sock, isc_socketevent_t *dev, isc_task_t *task,
+socket_recv(isc__socket_t *sock, isc_socketevent_t *dev, isc_task_t *task,
unsigned int flags)
{
int io_state;
@@ -4231,13 +4473,14 @@ socket_recv(isc_socket_t *sock, isc_socketevent_t *dev, isc_task_t *task,
return (result);
}
-isc_result_t
-isc_socket_recvv(isc_socket_t *sock, isc_bufferlist_t *buflist,
- unsigned int minimum, isc_task_t *task,
- isc_taskaction_t action, const void *arg)
+ISC_SOCKETFUNC_SCOPE isc_result_t
+isc__socket_recvv(isc_socket_t *sock0, isc_bufferlist_t *buflist,
+ unsigned int minimum, isc_task_t *task,
+ isc_taskaction_t action, const void *arg)
{
+ isc__socket_t *sock = (isc__socket_t *)sock0;
isc_socketevent_t *dev;
- isc_socketmgr_t *manager;
+ isc__socketmgr_t *manager;
unsigned int iocount;
isc_buffer_t *buffer;
@@ -4284,12 +4527,14 @@ isc_socket_recvv(isc_socket_t *sock, isc_bufferlist_t *buflist,
return (socket_recv(sock, dev, task, 0));
}
-isc_result_t
-isc_socket_recv(isc_socket_t *sock, isc_region_t *region, unsigned int minimum,
- isc_task_t *task, isc_taskaction_t action, const void *arg)
+ISC_SOCKETFUNC_SCOPE isc_result_t
+isc__socket_recv(isc_socket_t *sock0, isc_region_t *region,
+ unsigned int minimum, isc_task_t *task,
+ isc_taskaction_t action, const void *arg)
{
+ isc__socket_t *sock = (isc__socket_t *)sock0;
isc_socketevent_t *dev;
- isc_socketmgr_t *manager;
+ isc__socketmgr_t *manager;
REQUIRE(VALID_SOCKET(sock));
REQUIRE(action != NULL);
@@ -4303,14 +4548,16 @@ isc_socket_recv(isc_socket_t *sock, isc_region_t *region, unsigned int minimum,
if (dev == NULL)
return (ISC_R_NOMEMORY);
- return (isc_socket_recv2(sock, region, minimum, task, dev, 0));
+ return (isc__socket_recv2(sock0, region, minimum, task, dev, 0));
}
-isc_result_t
-isc_socket_recv2(isc_socket_t *sock, isc_region_t *region,
- unsigned int minimum, isc_task_t *task,
- isc_socketevent_t *event, unsigned int flags)
+ISC_SOCKETFUNC_SCOPE isc_result_t
+isc__socket_recv2(isc_socket_t *sock0, isc_region_t *region,
+ unsigned int minimum, isc_task_t *task,
+ isc_socketevent_t *event, unsigned int flags)
{
+ isc__socket_t *sock = (isc__socket_t *)sock0;
+
event->ev_sender = sock;
event->result = ISC_R_UNSET;
ISC_LIST_INIT(event->bufferlist);
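Review bot: `isc__socket_recv2()` casts `sock0` to `isc__socket_t *` and starts using it without `REQUIRE(VALID_SOCKET(sock));`, unlike `isc__socket_sendto2()`, which gains that check in this commit. `isc__socket_recv()` validates before calling in, but recv2 is an entry point of its own, so a stale or wrong-typed handle passed directly would go unchecked, presumably into dereferences in the part of the body outside this hunk. Add `REQUIRE(VALID_SOCKET(sock));` right after the cast.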
@@ -4335,7 +4582,7 @@ isc_socket_recv2(isc_socket_t *sock, isc_region_t *region,
}
static isc_result_t
-socket_send(isc_socket_t *sock, isc_socketevent_t *dev, isc_task_t *task,
+socket_send(isc__socket_t *sock, isc_socketevent_t *dev, isc_task_t *task,
isc_sockaddr_t *address, struct in6_pktinfo *pktinfo,
unsigned int flags)
{
@@ -4426,24 +4673,25 @@ socket_send(isc_socket_t *sock, isc_socketevent_t *dev, isc_task_t *task,
return (result);
}
-isc_result_t
-isc_socket_send(isc_socket_t *sock, isc_region_t *region,
- isc_task_t *task, isc_taskaction_t action, const void *arg)
+ISC_SOCKETFUNC_SCOPE isc_result_t
+isc__socket_send(isc_socket_t *sock, isc_region_t *region,
+ isc_task_t *task, isc_taskaction_t action, const void *arg)
{
/*
* REQUIRE() checking is performed in isc_socket_sendto().
*/
- return (isc_socket_sendto(sock, region, task, action, arg, NULL,
- NULL));
+ return (isc__socket_sendto(sock, region, task, action, arg, NULL,
+ NULL));
}
-isc_result_t
-isc_socket_sendto(isc_socket_t *sock, isc_region_t *region,
- isc_task_t *task, isc_taskaction_t action, const void *arg,
- isc_sockaddr_t *address, struct in6_pktinfo *pktinfo)
+ISC_SOCKETFUNC_SCOPE isc_result_t
+isc__socket_sendto(isc_socket_t *sock0, isc_region_t *region,
+ isc_task_t *task, isc_taskaction_t action, const void *arg,
+ isc_sockaddr_t *address, struct in6_pktinfo *pktinfo)
{
+ isc__socket_t *sock = (isc__socket_t *)sock0;
isc_socketevent_t *dev;
- isc_socketmgr_t *manager;
+ isc__socketmgr_t *manager;
REQUIRE(VALID_SOCKET(sock));
REQUIRE(region != NULL);
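Review bot: The comment in `isc__socket_send()` still says the REQUIRE() checking is performed in `isc_socket_sendto()`, but the call now goes to `isc__socket_sendto()`. Update it to `REQUIRE() checking is performed in isc__socket_sendto().` so a reader looking for the argument checks lands on the right function.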
@@ -4464,21 +4712,22 @@ isc_socket_sendto(isc_socket_t *sock, isc_region_t *region,
return (socket_send(sock, dev, task, address, pktinfo, 0));
}
-isc_result_t
-isc_socket_sendv(isc_socket_t *sock, isc_bufferlist_t *buflist,
- isc_task_t *task, isc_taskaction_t action, const void *arg)
+ISC_SOCKETFUNC_SCOPE isc_result_t
+isc__socket_sendv(isc_socket_t *sock, isc_bufferlist_t *buflist,
+ isc_task_t *task, isc_taskaction_t action, const void *arg)
{
- return (isc_socket_sendtov(sock, buflist, task, action, arg, NULL,
- NULL));
+ return (isc__socket_sendtov(sock, buflist, task, action, arg, NULL,
+ NULL));
}
-isc_result_t
-isc_socket_sendtov(isc_socket_t *sock, isc_bufferlist_t *buflist,
- isc_task_t *task, isc_taskaction_t action, const void *arg,
- isc_sockaddr_t *address, struct in6_pktinfo *pktinfo)
+ISC_SOCKETFUNC_SCOPE isc_result_t
+isc__socket_sendtov(isc_socket_t *sock0, isc_bufferlist_t *buflist,
+ isc_task_t *task, isc_taskaction_t action, const void *arg,
+ isc_sockaddr_t *address, struct in6_pktinfo *pktinfo)
{
+ isc__socket_t *sock = (isc__socket_t *)sock0;
isc_socketevent_t *dev;
- isc_socketmgr_t *manager;
+ isc__socketmgr_t *manager;
unsigned int iocount;
isc_buffer_t *buffer;
@@ -4511,12 +4760,15 @@ isc_socket_sendtov(isc_socket_t *sock, isc_bufferlist_t *buflist,
return (socket_send(sock, dev, task, address, pktinfo, 0));
}
-isc_result_t
-isc_socket_sendto2(isc_socket_t *sock, isc_region_t *region,
- isc_task_t *task,
- isc_sockaddr_t *address, struct in6_pktinfo *pktinfo,
- isc_socketevent_t *event, unsigned int flags)
+ISC_SOCKETFUNC_SCOPE isc_result_t
+isc__socket_sendto2(isc_socket_t *sock0, isc_region_t *region,
+ isc_task_t *task,
+ isc_sockaddr_t *address, struct in6_pktinfo *pktinfo,
+ isc_socketevent_t *event, unsigned int flags)
{
+ isc__socket_t *sock = (isc__socket_t *)sock0;
+
+ REQUIRE(VALID_SOCKET(sock));
REQUIRE((flags & ~(ISC_SOCKFLAG_IMMEDIATE|ISC_SOCKFLAG_NORETRY)) == 0);
if ((flags & ISC_SOCKFLAG_NORETRY) != 0)
REQUIRE(sock->type == isc_sockettype_udp);
@@ -4531,8 +4783,8 @@ isc_socket_sendto2(isc_socket_t *sock, isc_region_t *region,
return (socket_send(sock, event, task, address, pktinfo, flags));
}
-void
-isc_socket_cleanunix(isc_sockaddr_t *sockaddr, isc_boolean_t active) {
+ISC_SOCKETFUNC_SCOPE void
+isc__socket_cleanunix(isc_sockaddr_t *sockaddr, isc_boolean_t active) {
#ifdef ISC_PLATFORM_HAVESYSUNH
int s;
struct stat sb;
@@ -4661,8 +4913,8 @@ isc_socket_cleanunix(isc_sockaddr_t *sockaddr, isc_boolean_t active) {
#endif
}
-isc_result_t
-isc_socket_permunix(isc_sockaddr_t *sockaddr, isc_uint32_t perm,
+ISC_SOCKETFUNC_SCOPE isc_result_t
+isc__socket_permunix(isc_sockaddr_t *sockaddr, isc_uint32_t perm,
isc_uint32_t owner, isc_uint32_t group)
{
#ifdef ISC_PLATFORM_HAVESYSUNH
@@ -4715,12 +4967,15 @@ isc_socket_permunix(isc_sockaddr_t *sockaddr, isc_uint32_t perm,
#endif
}
-isc_result_t
-isc_socket_bind(isc_socket_t *sock, isc_sockaddr_t *sockaddr,
- unsigned int options) {
+ISC_SOCKETFUNC_SCOPE isc_result_t
+isc__socket_bind(isc_socket_t *sock0, isc_sockaddr_t *sockaddr,
+ unsigned int options) {
+ isc__socket_t *sock = (isc__socket_t *)sock0;
char strbuf[ISC_STRERRORSIZE];
int on = 1;
+ REQUIRE(VALID_SOCKET(sock));
+
LOCK(&sock->lock);
INSIST(!sock->bound);
@@ -4786,8 +5041,9 @@ isc_socket_bind(isc_socket_t *sock, isc_sockaddr_t *sockaddr,
*/
#undef ENABLE_ACCEPTFILTER
-isc_result_t
-isc_socket_filter(isc_socket_t *sock, const char *filter) {
+ISC_SOCKETFUNC_SCOPE isc_result_t
+isc__socket_filter(isc_socket_t *sock0, const char *filter) {
+ isc__socket_t *sock = (isc__socket_t *)sock0;
#if defined(SO_ACCEPTFILTER) && defined(ENABLE_ACCEPTFILTER)
char strbuf[ISC_STRERRORSIZE];
struct accept_filter_arg afa;
@@ -4825,8 +5081,9 @@ isc_socket_filter(isc_socket_t *sock, const char *filter) {
* is a new connection we'll have to allocate a new one anyway, so we might
* as well keep things simple rather than having to track them.
*/
-isc_result_t
-isc_socket_listen(isc_socket_t *sock, unsigned int backlog) {
+ISC_SOCKETFUNC_SCOPE isc_result_t
+isc__socket_listen(isc_socket_t *sock0, unsigned int backlog) {
+ isc__socket_t *sock = (isc__socket_t *)sock0;
char strbuf[ISC_STRERRORSIZE];
REQUIRE(VALID_SOCKET(sock));
@@ -4859,14 +5116,15 @@ isc_socket_listen(isc_socket_t *sock, unsigned int backlog) {
/*
* This should try to do aggressive accept() XXXMLG
*/
-isc_result_t
-isc_socket_accept(isc_socket_t *sock,
+ISC_SOCKETFUNC_SCOPE isc_result_t
+isc__socket_accept(isc_socket_t *sock0,
isc_task_t *task, isc_taskaction_t action, const void *arg)
{
+ isc__socket_t *sock = (isc__socket_t *)sock0;
isc_socket_newconnev_t *dev;
- isc_socketmgr_t *manager;
+ isc__socketmgr_t *manager;
isc_task_t *ntask = NULL;
- isc_socket_t *nsock;
+ isc__socket_t *nsock;
isc_result_t result;
isc_boolean_t do_poke = ISC_FALSE;
@@ -4914,7 +5172,7 @@ isc_socket_accept(isc_socket_t *sock,
nsock->statsindex = sock->statsindex;
dev->ev_sender = ntask;
- dev->newsocket = nsock;
+ dev->newsocket = (isc_socket_t *)nsock;
/*
* Poke watcher here. We still have the socket locked, so there
@@ -4933,13 +5191,14 @@ isc_socket_accept(isc_socket_t *sock,
return (ISC_R_SUCCESS);
}
-isc_result_t
-isc_socket_connect(isc_socket_t *sock, isc_sockaddr_t *addr,
+ISC_SOCKETFUNC_SCOPE isc_result_t
+isc__socket_connect(isc_socket_t *sock0, isc_sockaddr_t *addr,
isc_task_t *task, isc_taskaction_t action, const void *arg)
{
+ isc__socket_t *sock = (isc__socket_t *)sock0;
isc_socket_connev_t *dev;
isc_task_t *ntask = NULL;
- isc_socketmgr_t *manager;
+ isc__socketmgr_t *manager;
int cc;
char strbuf[ISC_STRERRORSIZE];
char addrbuf[ISC_SOCKADDR_FORMATSIZE];
@@ -5079,7 +5338,7 @@ isc_socket_connect(isc_socket_t *sock, isc_sockaddr_t *addr,
*/
static void
internal_connect(isc_task_t *me, isc_event_t *ev) {
- isc_socket_t *sock;
+ isc__socket_t *sock;
isc_socket_connev_t *dev;
isc_task_t *task;
int cc;
@@ -5193,8 +5452,9 @@ internal_connect(isc_task_t *me, isc_event_t *ev) {
isc_task_sendanddetach(&task, ISC_EVENT_PTR(&dev));
}
-isc_result_t
-isc_socket_getpeername(isc_socket_t *sock, isc_sockaddr_t *addressp) {
+ISC_SOCKETFUNC_SCOPE isc_result_t
+isc__socket_getpeername(isc_socket_t *sock0, isc_sockaddr_t *addressp) {
+ isc__socket_t *sock = (isc__socket_t *)sock0;
isc_result_t result;
REQUIRE(VALID_SOCKET(sock));
@@ -5214,8 +5474,9 @@ isc_socket_getpeername(isc_socket_t *sock, isc_sockaddr_t *addressp) {
return (result);
}
-isc_result_t
-isc_socket_getsockname(isc_socket_t *sock, isc_sockaddr_t *addressp) {
+ISC_SOCKETFUNC_SCOPE isc_result_t
+isc__socket_getsockname(isc_socket_t *sock0, isc_sockaddr_t *addressp) {
+ isc__socket_t *sock = (isc__socket_t *)sock0;
ISC_SOCKADDR_LEN_T len;
isc_result_t result;
char strbuf[ISC_STRERRORSIZE];
@@ -5252,8 +5513,9 @@ isc_socket_getsockname(isc_socket_t *sock, isc_sockaddr_t *addressp) {
* Run through the list of events on this socket, and cancel the ones
* queued for task "task" of type "how". "how" is a bitmask.
*/
-void
-isc_socket_cancel(isc_socket_t *sock, isc_task_t *task, unsigned int how) {
+ISC_SOCKETFUNC_SCOPE void
+isc__socket_cancel(isc_socket_t *sock0, isc_task_t *task, unsigned int how) {
+ isc__socket_t *sock = (isc__socket_t *)sock0;
REQUIRE(VALID_SOCKET(sock));
@@ -5332,8 +5594,8 @@ isc_socket_cancel(isc_socket_t *sock, isc_task_t *task, unsigned int how) {
ISC_LIST_UNLINK(sock->accept_list, dev,
ev_link);
- dev->newsocket->references--;
- free_socket(&dev->newsocket);
+ NEWCONNSOCK(dev)->references--;
+ free_socket((isc__socket_t **)&dev->newsocket);
dev->result = ISC_R_CANCELED;
dev->ev_sender = sock;
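Review bot: `free_socket((isc__socket_t **)&dev->newsocket)` reinterprets the address of an `isc_socket_t *` field as an `isc__socket_t **`, which works only while both pointer types share a representation and hides the type mismatch from the compiler. A typed local avoids the cast: `isc__socket_t *nsock = NEWCONNSOCK(dev);`, `free_socket(&nsock);`, `dev->newsocket = NULL;`. The last line assumes `free_socket()` clears its argument, which is not visible here. `isc__socket_cancel()` starts and ends outside this hunk.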
@@ -5372,17 +5634,22 @@ isc_socket_cancel(isc_socket_t *sock, isc_task_t *task, unsigned int how) {
UNLOCK(&sock->lock);
}
-isc_sockettype_t
-isc_socket_gettype(isc_socket_t *sock) {
+ISC_SOCKETFUNC_SCOPE isc_sockettype_t
+isc__socket_gettype(isc_socket_t *sock0) {
+ isc__socket_t *sock = (isc__socket_t *)sock0;
+
REQUIRE(VALID_SOCKET(sock));
return (sock->type);
}
-isc_boolean_t
-isc_socket_isbound(isc_socket_t *sock) {
+ISC_SOCKETFUNC_SCOPE isc_boolean_t
+isc__socket_isbound(isc_socket_t *sock0) {
+ isc__socket_t *sock = (isc__socket_t *)sock0;
isc_boolean_t val;
+ REQUIRE(VALID_SOCKET(sock));
+
LOCK(&sock->lock);
val = ((sock->bound) ? ISC_TRUE : ISC_FALSE);
UNLOCK(&sock->lock);
@@ -5390,8 +5657,9 @@ isc_socket_isbound(isc_socket_t *sock) {
return (val);
}
-void
-isc_socket_ipv6only(isc_socket_t *sock, isc_boolean_t yes) {
+ISC_SOCKETFUNC_SCOPE void
+isc__socket_ipv6only(isc_socket_t *sock0, isc_boolean_t yes) {
+ isc__socket_t *sock = (isc__socket_t *)sock0;
#if defined(IPV6_V6ONLY)
int onoff = yes ? 1 : 0;
#else
@@ -5421,12 +5689,21 @@ isc_socket_ipv6only(isc_socket_t *sock, isc_boolean_t yes) {
#endif
}
-#ifndef ISC_PLATFORM_USETHREADS
-/* In our assumed scenario, we can simply use a single static object. */
+#ifndef USE_WATCHER_THREAD
+/*
+ * In our assumed scenario, we can simply use a single static object.
+ * XXX: this is not true if the application uses multiple threads with
+ * 'multi-context' mode. Fixing this is a future TODO item.
+ */
static isc_socketwait_t swait_private;
int
-isc__socketmgr_waitevents(struct timeval *tvp, isc_socketwait_t **swaitp) {
+isc__socketmgr_waitevents(isc_socketmgr_t *manager0, struct timeval *tvp,
+ isc_socketwait_t **swaitp)
+{
+ isc__socketmgr_t *manager = (isc__socketmgr_t *)manager0;
+
+
int n;
#ifdef USE_KQUEUE
struct timespec ts, *tsp;
@@ -5440,7 +5717,11 @@ isc__socketmgr_waitevents(struct timeval *tvp, isc_socketwait_t **swaitp) {
REQUIRE(swaitp != NULL && *swaitp == NULL);
- if (socketmgr == NULL)
+#ifdef USE_SHARED_MANAGER
+ if (manager == NULL)
+ manager = socketmgr;
+#endif
+ if (manager == NULL)
return (0);
#ifdef USE_KQUEUE
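Review bot: Once a caller-supplied `manager0` is accepted, nothing in the visible lines checks it with `VALID_MANAGER` before `manager->kqueue_fd`, `manager->events` and the other fields are used; the old code only ever touched the file-static `socketmgr`. `isc__socketmgr_dispatch()`, whose whole body is visible in a later hunk, has the same gap before `process_fds()`. Add `REQUIRE(VALID_MANAGER(manager));` after the `if (manager == NULL)` early return in both. `isc__socketmgr_waitevents()` continues outside this hunk.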
@@ -5450,8 +5731,8 @@ isc__socketmgr_waitevents(struct timeval *tvp, isc_socketwait_t **swaitp) {
tsp = &ts;
} else
tsp = NULL;
- swait_private.nevents = kevent(socketmgr->kqueue_fd, NULL, 0,
- socketmgr->events, socketmgr->nevents,
+ swait_private.nevents = kevent(manager->kqueue_fd, NULL, 0,
+ manager->events, manager->nevents,
tsp);
n = swait_private.nevents;
#elif defined(USE_EPOLL)
@@ -5459,29 +5740,28 @@ isc__socketmgr_waitevents(struct timeval *tvp, isc_socketwait_t **swaitp) {
timeout = tvp->tv_sec * 1000 + (tvp->tv_usec + 999) / 1000;
else
timeout = -1;
- swait_private.nevents = epoll_wait(socketmgr->epoll_fd,
- socketmgr->events,
- socketmgr->nevents, timeout);
+ swait_private.nevents = epoll_wait(manager->epoll_fd,
+ manager->events,
+ manager->nevents, timeout);
n = swait_private.nevents;
#elif defined(USE_DEVPOLL)
- dvp.dp_fds = socketmgr->events;
- dvp.dp_nfds = socketmgr->nevents;
+ dvp.dp_fds = manager->events;
+ dvp.dp_nfds = manager->nevents;
if (tvp != NULL) {
dvp.dp_timeout = tvp->tv_sec * 1000 +
(tvp->tv_usec + 999) / 1000;
} else
dvp.dp_timeout = -1;
- swait_private.nevents = ioctl(socketmgr->devpoll_fd, DP_POLL, &dvp);
+ swait_private.nevents = ioctl(manager->devpoll_fd, DP_POLL, &dvp);
n = swait_private.nevents;
#elif defined(USE_SELECT)
- memcpy(socketmgr->read_fds_copy, socketmgr->read_fds,
- socketmgr->fd_bufsize);
- memcpy(socketmgr->write_fds_copy, socketmgr->write_fds,
- socketmgr->fd_bufsize);
+ memcpy(manager->read_fds_copy, manager->read_fds, manager->fd_bufsize);
+ memcpy(manager->write_fds_copy, manager->write_fds,
+ manager->fd_bufsize);
- swait_private.readset = socketmgr->read_fds_copy;
- swait_private.writeset = socketmgr->write_fds_copy;
- swait_private.maxfd = socketmgr->maxfd + 1;
+ swait_private.readset = manager->read_fds_copy;
+ swait_private.writeset = manager->write_fds_copy;
+ swait_private.maxfd = manager->maxfd + 1;
n = select(swait_private.maxfd, swait_private.readset,
swait_private.writeset, NULL, tvp);
@@ -5492,24 +5772,32 @@ isc__socketmgr_waitevents(struct timeval *tvp, isc_socketwait_t **swaitp) {
}
isc_result_t
-isc__socketmgr_dispatch(isc_socketwait_t *swait) {
+isc__socketmgr_dispatch(isc_socketmgr_t *manager0, isc_socketwait_t *swait) {
+ isc__socketmgr_t *manager = (isc__socketmgr_t *)manager0;
+
REQUIRE(swait == &swait_private);
- if (socketmgr == NULL)
+#ifdef USE_SHARED_MANAGER
+ if (manager == NULL)
+ manager = socketmgr;
+#endif
+ if (manager == NULL)
return (ISC_R_NOTFOUND);
#if defined(USE_KQUEUE) || defined(USE_EPOLL) || defined(USE_DEVPOLL)
- (void)process_fds(socketmgr, socketmgr->events, swait->nevents);
+ (void)process_fds(manager, manager->events, swait->nevents);
return (ISC_R_SUCCESS);
#elif defined(USE_SELECT)
- process_fds(socketmgr, swait->maxfd, swait->readset, swait->writeset);
+ process_fds(manager, swait->maxfd, swait->readset, swait->writeset);
return (ISC_R_SUCCESS);
#endif
}
-#endif /* ISC_PLATFORM_USETHREADS */
+#endif /* USE_WATCHER_THREAD */
+#ifdef BIND9
void
-isc_socket_setname(isc_socket_t *socket, const char *name, void *tag) {
+isc__socket_setname(isc_socket_t *socket0, const char *name, void *tag) {
+ isc__socket_t *socket = (isc__socket_t *)socket0;
/*
* Name 'socket'.
@@ -5524,17 +5812,29 @@ isc_socket_setname(isc_socket_t *socket, const char *name, void *tag) {
UNLOCK(&socket->lock);
}
-const char *
-isc_socket_getname(isc_socket_t *socket) {
+ISC_SOCKETFUNC_SCOPE const char *
+isc__socket_getname(isc_socket_t *socket0) {
+ isc__socket_t *socket = (isc__socket_t *)socket0;
+
return (socket->name);
}
void *
-isc_socket_gettag(isc_socket_t *socket) {
+isc__socket_gettag(isc_socket_t *socket0) {
+ isc__socket_t *socket = (isc__socket_t *)socket0;
+
return (socket->tag);
}
+#endif /* BIND9 */
-#ifdef HAVE_LIBXML2
+#ifdef USE_SOCKETIMPREGISTER
+isc_result_t
+isc__socket_register() {
+ return (isc_socket_register(isc__socketmgr_create));
+}
+#endif
+
+#if defined(HAVE_LIBXML2) && defined(BIND9)
static const char *
_socktype(isc_sockettype_t type)
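Review bot: isc__socket_getname and isc__socket_gettag cast the opaque public handle to `isc__socket_t *` and dereference it immediately, with no magic-number check between the cast and the `return`. Now that the public and private types differ, a wrong or stale handle is read as a private socket without complaint; adding `REQUIRE(VALID_SOCKET(socket));` after the cast in both accessors would catch that at the API boundary. The same pattern appears in isc_socketmgr_renderxml in the following hunk, where `mgr0` is cast and `LOCK(&mgr->lock)` follows with no `REQUIRE(VALID_MANAGER(mgr));` in the visible lines. That function's body continues outside the hunk.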
@@ -5551,21 +5851,21 @@ _socktype(isc_sockettype_t type)
return ("not-initialized");
}
-void
-isc_socketmgr_renderxml(isc_socketmgr_t *mgr, xmlTextWriterPtr writer)
-{
- isc_socket_t *sock;
+ISC_SOCKETFUNC_SCOPE void
+isc_socketmgr_renderxml(isc_socketmgr_t *mgr0, xmlTextWriterPtr writer) {
+ isc__socketmgr_t *mgr = (isc__socketmgr_t *)mgr0;
+ isc__socket_t *sock;
char peerbuf[ISC_SOCKADDR_FORMATSIZE];
isc_sockaddr_t addr;
ISC_SOCKADDR_LEN_T len;
LOCK(&mgr->lock);
-#ifndef ISC_PLATFORM_USETHREADS
+#ifdef USE_SHARED_MANAGER
xmlTextWriterStartElement(writer, ISC_XMLCHAR "references");
xmlTextWriterWriteFormatString(writer, "%d", mgr->refs);
xmlTextWriterEndElement(writer);
-#endif
+#endif /* USE_SHARED_MANAGER */
xmlTextWriterStartElement(writer, ISC_XMLCHAR "sockets");
sock = ISC_LIST_HEAD(mgr->socklist);
diff --git a/contrib/bind9/lib/isc/unix/socket_p.h b/contrib/bind9/lib/isc/unix/socket_p.h
index 24e4eb3c8b59..13160117391f 100644
--- a/contrib/bind9/lib/isc/unix/socket_p.h
+++ b/contrib/bind9/lib/isc/unix/socket_p.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2007, 2008, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007-2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: socket_p.h,v 1.15 2009/09/02 23:48:03 tbox Exp $ */
#ifndef ISC_SOCKET_P_H
#define ISC_SOCKET_P_H
@@ -27,6 +27,7 @@
#endif
typedef struct isc_socketwait isc_socketwait_t;
-int isc__socketmgr_waitevents(struct timeval *, isc_socketwait_t **);
-isc_result_t isc__socketmgr_dispatch(isc_socketwait_t *);
+int isc__socketmgr_waitevents(isc_socketmgr_t *, struct timeval *,
+ isc_socketwait_t **);
+isc_result_t isc__socketmgr_dispatch(isc_socketmgr_t *, isc_socketwait_t *);
#endif /* ISC_SOCKET_P_H */
diff --git a/contrib/bind9/lib/isc/unix/strerror.c b/contrib/bind9/lib/isc/unix/strerror.c
index a09186ac702a..caa6659154f9 100644
--- a/contrib/bind9/lib/isc/unix/strerror.c
+++ b/contrib/bind9/lib/isc/unix/strerror.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2007, 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: strerror.c,v 1.10 2009/02/16 23:48:04 tbox Exp $ */
/*! \file */
diff --git a/contrib/bind9/lib/isccc/Makefile.in b/contrib/bind9/lib/isccc/Makefile.in
index e35e358d6fb9..efa834133c73 100644
--- a/contrib/bind9/lib/isccc/Makefile.in
+++ b/contrib/bind9/lib/isccc/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2004, 2007, 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007, 2009, 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2001, 2003 Internet Software Consortium.
#
# Permission to use, copy, modify, and/or distribute this software for any
diff --git a/contrib/bind9/lib/isccc/api b/contrib/bind9/lib/isccc/api
index eee306167cee..ba19dd9150e0 100644
--- a/contrib/bind9/lib/isccc/api
+++ b/contrib/bind9/lib/isccc/api
@@ -3,6 +3,6 @@
# 9.7: 60-79
# 9.8: 80-89
# 9.9: 90-109
-LIBINTERFACE = 50
-LIBREVISION = 3
+LIBINTERFACE = 80
+LIBREVISION = 2
LIBAGE = 0
diff --git a/contrib/bind9/lib/isccfg/Makefile.in b/contrib/bind9/lib/isccfg/Makefile.in
index df658d130487..bc42880b6a24 100644
--- a/contrib/bind9/lib/isccfg/Makefile.in
+++ b/contrib/bind9/lib/isccfg/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2004, 2005, 2007, 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2005, 2007, 2009, 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2001-2003 Internet Software Consortium.
#
# Permission to use, copy, modify, and/or distribute this software for any
@@ -27,7 +27,7 @@ top_srcdir = @top_srcdir@
CINCLUDES = -I. ${DNS_INCLUDES} ${ISC_INCLUDES} ${ISCCFG_INCLUDES}
-CDEFINES = @USE_DLZ@
+CDEFINES =
CWARNINGS =
ISCLIBS = ../../lib/isc/libisc.@A@
diff --git a/contrib/bind9/lib/isccfg/aclconf.c b/contrib/bind9/lib/isccfg/aclconf.c
index 2ba55cf8d7cd..469989afcebb 100644
--- a/contrib/bind9/lib/isccfg/aclconf.c
+++ b/contrib/bind9/lib/isccfg/aclconf.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -33,22 +33,68 @@
#define LOOP_MAGIC ISC_MAGIC('L','O','O','P')
+isc_result_t
+cfg_aclconfctx_create(isc_mem_t *mctx, cfg_aclconfctx_t **ret) {
+ isc_result_t result;
+ cfg_aclconfctx_t *actx;
+
+ REQUIRE(mctx != NULL);
+ REQUIRE(ret != NULL && *ret == NULL);
+
+ actx = isc_mem_get(mctx, sizeof(*actx));
+ if (actx == NULL)
+ return (ISC_R_NOMEMORY);
+
+ result = isc_refcount_init(&actx->references, 1);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+
+ actx->mctx = NULL;
+ isc_mem_attach(mctx, &actx->mctx);
+ ISC_LIST_INIT(actx->named_acl_cache);
+
+ *ret = actx;
+ return (ISC_R_SUCCESS);
+
+ cleanup:
+ isc_mem_put(mctx, actx, sizeof(*actx));
+ return (result);
+}
+
void
-cfg_aclconfctx_init(cfg_aclconfctx_t *ctx) {
- ISC_LIST_INIT(ctx->named_acl_cache);
+cfg_aclconfctx_attach(cfg_aclconfctx_t *src, cfg_aclconfctx_t **dest) {
+ REQUIRE(src != NULL);
+ REQUIRE(dest != NULL && *dest == NULL);
+
+ isc_refcount_increment(&src->references, NULL);
+ *dest = src;
}
void
-cfg_aclconfctx_destroy(cfg_aclconfctx_t *ctx) {
+cfg_aclconfctx_detach(cfg_aclconfctx_t **actxp) {
+ cfg_aclconfctx_t *actx;
dns_acl_t *dacl, *next;
-
- for (dacl = ISC_LIST_HEAD(ctx->named_acl_cache);
- dacl != NULL;
- dacl = next)
- {
- next = ISC_LIST_NEXT(dacl, nextincache);
- dns_acl_detach(&dacl);
+ unsigned int refs;
+
+ REQUIRE(actxp != NULL && *actxp != NULL);
+
+ actx = *actxp;
+
+ isc_refcount_decrement(&actx->references, &refs);
+ if (refs == 0) {
+ for (dacl = ISC_LIST_HEAD(actx->named_acl_cache);
+ dacl != NULL;
+ dacl = next)
+ {
+ next = ISC_LIST_NEXT(dacl, nextincache);
+ ISC_LIST_UNLINK(actx->named_acl_cache, dacl,
+ nextincache);
+ dns_acl_detach(&dacl);
+ }
+ isc_mem_putanddetach(&actx->mctx, actx, sizeof(*actx));
}
+
+ *actxp = NULL;
}
/*
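Review bot: cfg_aclconfctx_detach frees the context when `refs == 0` without tearing down the counter set up by `isc_refcount_init` in cfg_aclconfctx_create. In builds where isc_refcount_t carries a lock rather than an atomic integer, that would leave the lock undestroyed; calling `isc_refcount_destroy(&actx->references);` just before `isc_mem_putanddetach(...)` closes the pairing. The header for isc_refcount is not visible here, so confirm the build-dependent behaviour there. The new functions also have no header comments in this file; a one-line `/* Drops one reference; frees the cached ACLs and the context on the last one. */` above detach would help readers who do not open aclconf.h.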
@@ -150,7 +196,7 @@ convert_keyname(const cfg_obj_t *keyobj, isc_log_t *lctx, isc_mem_t *mctx,
isc_buffer_add(&buf, keylen);
dns_fixedname_init(&fixname);
result = dns_name_fromtext(dns_fixedname_name(&fixname), &buf,
- dns_rootname, ISC_FALSE, NULL);
+ dns_rootname, 0, NULL);
if (result != ISC_R_SUCCESS) {
cfg_obj_log(keyobj, lctx, ISC_LOG_WARNING,
"key name '%s' is not a valid domain name",
diff --git a/contrib/bind9/lib/isccfg/api b/contrib/bind9/lib/isccfg/api
index d15c78ebe60d..cde1e2feaaae 100644
--- a/contrib/bind9/lib/isccfg/api
+++ b/contrib/bind9/lib/isccfg/api
@@ -3,6 +3,6 @@
# 9.7: 60-79
# 9.8: 80-89
# 9.9: 90-109
-LIBINTERFACE = 50
-LIBREVISION = 6
+LIBINTERFACE = 82
+LIBREVISION = 3
LIBAGE = 0
diff --git a/contrib/bind9/lib/isccfg/dnsconf.c b/contrib/bind9/lib/isccfg/dnsconf.c
new file mode 100644
index 000000000000..704d383a7782
--- /dev/null
+++ b/contrib/bind9/lib/isccfg/dnsconf.c
@@ -0,0 +1,69 @@
+/*
+ * Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: dnsconf.c,v 1.4 2009/09/02 23:48:03 tbox Exp $ */
+
+/*! \file */
+
+#include <config.h>
+
+#include <isccfg/cfg.h>
+#include <isccfg/grammar.h>
+
+/*%
+ * A trusted key, as used in the "trusted-keys" statement.
+ */
+static cfg_tuplefielddef_t trustedkey_fields[] = {
+ { "name", &cfg_type_astring, 0 },
+ { "flags", &cfg_type_uint32, 0 },
+ { "protocol", &cfg_type_uint32, 0 },
+ { "algorithm", &cfg_type_uint32, 0 },
+ { "key", &cfg_type_qstring, 0 },
+ { NULL, NULL, 0 }
+};
+
+static cfg_type_t cfg_type_trustedkey = {
+ "trustedkey", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple,
+ &cfg_rep_tuple, trustedkey_fields
+};
+
+static cfg_type_t cfg_type_trustedkeys = {
+ "trusted-keys", cfg_parse_bracketed_list, cfg_print_bracketed_list,
+ cfg_doc_bracketed_list, &cfg_rep_list, &cfg_type_trustedkey
+};
+
+/*%
+ * Clauses that can be found within the top level of the dns.conf
+ * file only.
+ */
+static cfg_clausedef_t
+dnsconf_clauses[] = {
+ { "trusted-keys", &cfg_type_trustedkeys, CFG_CLAUSEFLAG_MULTI },
+ { NULL, NULL, 0 }
+};
+
+/*% The top-level dns.conf syntax. */
+
+static cfg_clausedef_t *
+dnsconf_clausesets[] = {
+ dnsconf_clauses,
+ NULL
+};
+
+LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_dnsconf = {
+ "dnsconf", cfg_parse_mapbody, cfg_print_mapbody, cfg_doc_mapbody,
+ &cfg_rep_map, dnsconf_clausesets
+};
diff --git a/contrib/bind9/lib/isccfg/include/isccfg/aclconf.h b/contrib/bind9/lib/isccfg/include/isccfg/aclconf.h
index 5171b5fb1bcd..38ab9f696fb0 100644
--- a/contrib/bind9/lib/isccfg/include/isccfg/aclconf.h
+++ b/contrib/bind9/lib/isccfg/include/isccfg/aclconf.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2007, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2010-2012 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -28,7 +28,8 @@
typedef struct cfg_aclconfctx {
ISC_LIST(dns_acl_t) named_acl_cache;
- ISC_LIST(dns_iptable_t) named_iptable_cache;
+ isc_mem_t *mctx;
+ isc_refcount_t references;
} cfg_aclconfctx_t;
/***
@@ -37,16 +38,23 @@ typedef struct cfg_aclconfctx {
ISC_LANG_BEGINDECLS
+isc_result_t
+cfg_aclconfctx_create(isc_mem_t *mctx, cfg_aclconfctx_t **ret);
+/*
+ * Creates and initializes an ACL configuration context.
+ */
+
void
-cfg_aclconfctx_init(cfg_aclconfctx_t *ctx);
+cfg_aclconfctx_detach(cfg_aclconfctx_t **actxp);
/*
- * Initialize an ACL configuration context.
+ * Removes a reference to an ACL configuration context; when references
+ * reaches zero, clears the contents and deallocate the structure.
*/
void
-cfg_aclconfctx_destroy(cfg_aclconfctx_t *ctx);
+cfg_aclconfctx_attach(cfg_aclconfctx_t *src, cfg_aclconfctx_t **dest);
/*
- * Destroy an ACL configuration context.
+ * Attaches a pointer to an existing ACL configuration context.
*/
isc_result_t
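Review bot: The new prototype comments omit the preconditions that aclconf.c enforces with REQUIRE, so a caller reading only this header cannot tell that the output pointers must start out NULL. I would extend them: for create, `* Requires: 'mctx' is valid; 'ret' != NULL && '*ret' == NULL.`, for attach, `* Requires: 'src' != NULL; 'dest' != NULL && '*dest' == NULL.`, and for detach a line stating that `*actxp` is set to NULL on return. The detach comment also reads "clears the contents and deallocate the structure"; "deallocates" matches the rest of the sentence.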
diff --git a/contrib/bind9/lib/isccfg/include/isccfg/cfg.h b/contrib/bind9/lib/isccfg/include/isccfg/cfg.h
index 0d5e6ea2d8e5..f46776834465 100644
--- a/contrib/bind9/lib/isccfg/include/isccfg/cfg.h
+++ b/contrib/bind9/lib/isccfg/include/isccfg/cfg.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2007, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2010 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: cfg.h,v 1.46 2010/08/13 23:47:04 tbox Exp $ */
#ifndef ISCCFG_CFG_H
#define ISCCFG_CFG_H 1
@@ -35,6 +35,7 @@
#include <isc/formatcheck.h>
#include <isc/lang.h>
+#include <isc/refcount.h>
#include <isc/types.h>
#include <isc/list.h>
@@ -83,6 +84,12 @@ typedef isc_result_t
ISC_LANG_BEGINDECLS
+void
+cfg_parser_attach(cfg_parser_t *src, cfg_parser_t **dest);
+/*%<
+ * Reference a parser object.
+ */
+
isc_result_t
cfg_parser_create(isc_mem_t *mctx, isc_log_t *lctx, cfg_parser_t **ret);
/*%<
@@ -140,7 +147,8 @@ cfg_parse_buffer(cfg_parser_t *pctx, isc_buffer_t *buffer,
void
cfg_parser_destroy(cfg_parser_t **pctxp);
/*%<
- * Destroy a configuration parser.
+ * Remove a reference to a configuration parser; destroy it if there are no
+ * more references.
*/
isc_boolean_t
@@ -355,7 +363,7 @@ cfg_list_length(const cfg_obj_t *obj, isc_boolean_t recurse);
* all contained lists.
*/
-const cfg_obj_t *
+cfg_obj_t *
cfg_listelt_value(const cfg_listelt_t *elt);
/*%<
* Returns the configuration object associated with cfg_listelt_t.
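Review bot: cfg_listelt_value now returns a non-const `cfg_obj_t *` while still taking a `const cfg_listelt_t *`, so any caller holding a read-only list element can obtain a mutable pointer into the parsed configuration. Presumably this exists so the result can be handed to the new cfg_obj_attach, but the comment does not say so. If that is the intent, record it: `* The object is returned non-const only so that it can be passed to cfg_obj_attach(); callers must not modify it.`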
@@ -392,9 +400,17 @@ cfg_obj_istype(const cfg_obj_t *obj, const cfg_type_t *type);
* Return true iff 'obj' is of type 'type'.
*/
-void cfg_obj_destroy(cfg_parser_t *pctx, cfg_obj_t **obj);
+void
+cfg_obj_attach(cfg_obj_t *src, cfg_obj_t **dest);
+/*%<
+ * Reference a configuration object.
+ */
+
+void
+cfg_obj_destroy(cfg_parser_t *pctx, cfg_obj_t **obj);
/*%<
- * Destroy a configuration object.
+ * Delete a reference to a configuration object; destroy the object if
+ * there are no more references.
*/
void
diff --git a/contrib/bind9/lib/isccfg/include/isccfg/dnsconf.h b/contrib/bind9/lib/isccfg/include/isccfg/dnsconf.h
new file mode 100644
index 000000000000..edc5e5037b20
--- /dev/null
+++ b/contrib/bind9/lib/isccfg/include/isccfg/dnsconf.h
@@ -0,0 +1,35 @@
+/*
+ * Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: dnsconf.h,v 1.3 2009/09/02 23:48:03 tbox Exp $ */
+
+#ifndef ISCCFG_NAMEDCONF_H
+#define ISCCFG_NAMEDCONF_H 1
+
+/*! \file
+ * \brief
+ * This module defines the named.conf, rndc.conf, and rndc.key grammars.
+ */
+
+#include <isccfg/cfg.h>
+
+/*
+ * Configuration object types.
+ */
+LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_dnsconf;
+/*%< A complete dns.conf file. */
+
+#endif /* ISCCFG_CFG_H */
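Review bot: The include guard in the new dnsconf.h is `ISCCFG_NAMEDCONF_H`, the same macro that namedconf.h uses, so a translation unit that includes both headers silently loses whichever comes second, including the `cfg_type_dnsconf` declaration. The guard should be unique to this file: `#ifndef ISCCFG_DNSCONF_H`, `#define ISCCFG_DNSCONF_H 1`, and `#endif /* ISCCFG_DNSCONF_H */` (the closing comment currently names `ISCCFG_CFG_H`). The `\brief` text was also copied from namedconf.h and still describes the named.conf, rndc.conf and rndc.key grammars; it should say `This module defines the dns.conf grammar.`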
diff --git a/contrib/bind9/lib/isccfg/include/isccfg/grammar.h b/contrib/bind9/lib/isccfg/include/isccfg/grammar.h
index 9bb355f19d53..2d7080c24c40 100644
--- a/contrib/bind9/lib/isccfg/include/isccfg/grammar.h
+++ b/contrib/bind9/lib/isccfg/include/isccfg/grammar.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2008, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2002, 2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: grammar.h,v 1.24 2011/01/04 23:47:14 tbox Exp $ */
#ifndef ISCCFG_GRAMMAR_H
#define ISCCFG_GRAMMAR_H 1
@@ -53,6 +53,8 @@
#define CFG_CLAUSEFLAG_CALLBACK 0x00000020
/*% A option that is only used in testing. */
#define CFG_CLAUSEFLAG_TESTONLY 0x00000040
+/*% A configuration option that was not configured at compile time. */
+#define CFG_CLAUSEFLAG_NOTCONFIGURED 0x00000080
typedef struct cfg_clausedef cfg_clausedef_t;
typedef struct cfg_tuplefielddef cfg_tuplefielddef_t;
@@ -157,6 +159,7 @@ struct cfg_obj {
isc_sockaddr_t sockaddr;
cfg_netprefix_t netprefix;
} value;
+ isc_refcount_t references; /*%< reference counter */
const char * file;
unsigned int line;
};
@@ -210,10 +213,21 @@ struct cfg_parser {
*/
unsigned int line;
+ /*%
+ * Parser context flags, used for maintaining state
+ * from one token to the next.
+ */
+ unsigned int flags;
+
+ /*%< Reference counter */
+ isc_refcount_t references;
+
cfg_parsecallback_t callback;
void *callbackarg;
};
+/* Parser context flags */
+#define CFG_PCTX_SKIP 0x1
/*@{*/
/*%
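Review bot: The comment on the new `references` member uses the trailing-member marker `/*%< Reference counter */` but is placed before the declaration, so a documentation generator would attach it to the preceding `flags` field. Use the leading form `/*% Reference counter */`, as the `flags` comment just above does. `CFG_PCTX_SKIP` is introduced with only the group heading "Parser context flags"; a line such as `/*% Set by one field parser to tell the next one to consume no token. */` would explain it, if that matches its use in namedconf.c.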
@@ -314,10 +328,16 @@ cfg_parse_rawport(cfg_parser_t *pctx, unsigned int flags, in_port_t *port);
isc_result_t
cfg_parse_sockaddr(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
+isc_result_t
+cfg_parse_boolean(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
+
void
cfg_print_sockaddr(cfg_printer_t *pctx, const cfg_obj_t *obj);
void
+cfg_print_boolean(cfg_printer_t *pctx, const cfg_obj_t *obj);
+
+void
cfg_doc_sockaddr(cfg_printer_t *pctx, const cfg_type_t *type);
isc_result_t
diff --git a/contrib/bind9/lib/isccfg/include/isccfg/log.h b/contrib/bind9/lib/isccfg/include/isccfg/log.h
index 390040176417..1f9fc21e9083 100644
--- a/contrib/bind9/lib/isccfg/include/isccfg/log.h
+++ b/contrib/bind9/lib/isccfg/include/isccfg/log.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2007, 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: log.h,v 1.14 2009/01/18 23:48:14 tbox Exp $ */
#ifndef ISCCFG_LOG_H
#define ISCCFG_LOG_H 1
diff --git a/contrib/bind9/lib/isccfg/include/isccfg/namedconf.h b/contrib/bind9/lib/isccfg/include/isccfg/namedconf.h
index 18d00948f2ec..507da0658730 100644
--- a/contrib/bind9/lib/isccfg/include/isccfg/namedconf.h
+++ b/contrib/bind9/lib/isccfg/include/isccfg/namedconf.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2007, 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: namedconf.h,v 1.18 2010/08/11 18:14:20 each Exp $ */
#ifndef ISCCFG_NAMEDCONF_H
#define ISCCFG_NAMEDCONF_H 1
@@ -33,12 +33,24 @@
LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_namedconf;
/*%< A complete named.conf file. */
+LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_bindkeys;
+/*%< A bind.keys file. */
+
+LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_newzones;
+/*%< A new-zones file (for zones added by 'rndc addzone'). */
+
+LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_addzoneconf;
+/*%< A single zone passed via the addzone rndc command. */
+
LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_rndcconf;
/*%< A complete rndc.conf file. */
LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_rndckey;
/*%< A complete rndc.key file. */
+LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_sessionkey;
+/*%< A complete session.key file. */
+
LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_keyref;
/*%< A key reference, used as an ACL element */
diff --git a/contrib/bind9/lib/isccfg/namedconf.c b/contrib/bind9/lib/isccfg/namedconf.c
index 80cc5af5acb7..4d09f112f453 100644
--- a/contrib/bind9/lib/isccfg/namedconf.c
+++ b/contrib/bind9/lib/isccfg/namedconf.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2008, 2010-2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2002, 2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -24,6 +24,7 @@
#include <string.h>
#include <isc/lex.h>
+#include <isc/mem.h>
#include <isc/result.h>
#include <isc/string.h>
#include <isc/util.h>
@@ -35,9 +36,9 @@
#define TOKEN_STRING(pctx) (pctx->token.value.as_textregion.base)
/*% Check a return value. */
-#define CHECK(op) \
- do { result = (op); \
- if (result != ISC_R_SUCCESS) goto cleanup; \
+#define CHECK(op) \
+ do { result = (op); \
+ if (result != ISC_R_SUCCESS) goto cleanup; \
} while (0)
/*% Clean up a configuration object if non-NULL. */
@@ -57,7 +58,17 @@ static isc_result_t
parse_keyvalue(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
static isc_result_t
-parse_optional_keyvalue(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
+parse_optional_keyvalue(cfg_parser_t *pctx, const cfg_type_t *type,
+ cfg_obj_t **ret);
+
+static isc_result_t
+parse_updatepolicy(cfg_parser_t *pctx, const cfg_type_t *type,
+ cfg_obj_t **ret);
+static void
+print_updatepolicy(cfg_printer_t *pctx, const cfg_obj_t *obj);
+
+static void
+doc_updatepolicy(cfg_printer_t *pctx, const cfg_type_t *type);
static void
print_keyvalue(cfg_printer_t *pctx, const cfg_obj_t *obj);
@@ -111,6 +122,7 @@ static cfg_type_t cfg_type_zone;
static cfg_type_t cfg_type_zoneopts;
static cfg_type_t cfg_type_dynamically_loadable_zones;
static cfg_type_t cfg_type_dynamically_loadable_zones_opts;
+static cfg_type_t cfg_type_v4_aaaa;
/*
* Clauses that can be found in a 'dynamically loadable zones' statement
@@ -241,30 +253,76 @@ static cfg_tuplefielddef_t pubkey_fields[] = {
{ NULL, NULL, 0 }
};
static cfg_type_t cfg_type_pubkey = {
- "pubkey", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple, &cfg_rep_tuple, pubkey_fields };
+ "pubkey", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple,
+ &cfg_rep_tuple, pubkey_fields };
/*%
* A list of RR types, used in grant statements.
* Note that the old parser allows quotes around the RR type names.
*/
static cfg_type_t cfg_type_rrtypelist = {
- "rrtypelist", cfg_parse_spacelist, cfg_print_spacelist, cfg_doc_terminal,
- &cfg_rep_list, &cfg_type_astring
+ "rrtypelist", cfg_parse_spacelist, cfg_print_spacelist,
+ cfg_doc_terminal, &cfg_rep_list, &cfg_type_astring
};
static const char *mode_enums[] = { "grant", "deny", NULL };
static cfg_type_t cfg_type_mode = {
- "mode", cfg_parse_enum, cfg_print_ustring, cfg_doc_enum, &cfg_rep_string,
- &mode_enums
+ "mode", cfg_parse_enum, cfg_print_ustring, cfg_doc_enum,
+ &cfg_rep_string, &mode_enums
};
+static isc_result_t
+parse_matchtype(cfg_parser_t *pctx, const cfg_type_t *type,
+ cfg_obj_t **ret) {
+ isc_result_t result;
+
+ CHECK(cfg_peektoken(pctx, 0));
+ if (pctx->token.type == isc_tokentype_string &&
+ strcasecmp(TOKEN_STRING(pctx), "zonesub") == 0) {
+ pctx->flags |= CFG_PCTX_SKIP;
+ }
+ return (cfg_parse_enum(pctx, type, ret));
+
+ cleanup:
+ return (result);
+}
+
+static isc_result_t
+parse_matchname(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+ isc_result_t result;
+ cfg_obj_t *obj = NULL;
+
+ if ((pctx->flags & CFG_PCTX_SKIP) != 0) {
+ pctx->flags &= ~CFG_PCTX_SKIP;
+ CHECK(cfg_parse_void(pctx, NULL, &obj));
+ } else
+ result = cfg_parse_astring(pctx, type, &obj);
+
+ *ret = obj;
+ cleanup:
+ return (result);
+}
+
+static void
+doc_matchname(cfg_printer_t *pctx, const cfg_type_t *type) {
+ cfg_print_chars(pctx, "[ ", 2);
+ cfg_doc_obj(pctx, type->of);
+ cfg_print_chars(pctx, " ]", 2);
+}
+
static const char *matchtype_enums[] = {
"name", "subdomain", "wildcard", "self", "selfsub", "selfwild",
"krb5-self", "ms-self", "krb5-subdomain", "ms-subdomain",
- "tcp-self", "6to4-self", NULL };
+ "tcp-self", "6to4-self", "zonesub", "external", NULL };
+
static cfg_type_t cfg_type_matchtype = {
- "matchtype", cfg_parse_enum, cfg_print_ustring, cfg_doc_enum, &cfg_rep_string,
- &matchtype_enums
+ "matchtype", parse_matchtype, cfg_print_ustring,
+ cfg_doc_enum, &cfg_rep_string, &matchtype_enums
+};
+
+static cfg_type_t cfg_type_matchname = {
+ "optional_matchname", parse_matchname, cfg_print_ustring,
+ &doc_matchname, &cfg_rep_tuple, &cfg_type_ustring
};
/*%
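Review bot: parse_matchtype sets `CFG_PCTX_SKIP` in `pctx->flags` before calling `cfg_parse_enum`, and the flag is cleared only by parse_matchname, so a failure in between leaves it set on the parser. Whether a parser is ever reused after an error is not visible here, but if it is, the next `name` field would be parsed as void. Keeping the result and clearing on failure avoids that: `result = cfg_parse_enum(pctx, type, ret);` followed by `if (result != ISC_R_SUCCESS) pctx->flags &= ~CFG_PCTX_SKIP;`. The handshake between the two parsers also deserves a comment at the point where the flag is set, for example `/* "zonesub" takes no name; tell parse_matchname to consume nothing. */`.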
@@ -274,18 +332,70 @@ static cfg_tuplefielddef_t grant_fields[] = {
{ "mode", &cfg_type_mode, 0 },
{ "identity", &cfg_type_astring, 0 }, /* domain name */
{ "matchtype", &cfg_type_matchtype, 0 },
- { "name", &cfg_type_astring, 0 }, /* domain name */
+ { "name", &cfg_type_matchname, 0 }, /* domain name */
{ "types", &cfg_type_rrtypelist, 0 },
{ NULL, NULL, 0 }
};
static cfg_type_t cfg_type_grant = {
- "grant", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple, &cfg_rep_tuple, grant_fields };
+ "grant", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple,
+ &cfg_rep_tuple, grant_fields
+};
static cfg_type_t cfg_type_updatepolicy = {
- "update_policy", cfg_parse_bracketed_list, cfg_print_bracketed_list, cfg_doc_bracketed_list,
- &cfg_rep_list, &cfg_type_grant
+ "update_policy", parse_updatepolicy, print_updatepolicy,
+ doc_updatepolicy, &cfg_rep_list, &cfg_type_grant
};
+static isc_result_t
+parse_updatepolicy(cfg_parser_t *pctx, const cfg_type_t *type,
+ cfg_obj_t **ret) {
+ isc_result_t result;
+ CHECK(cfg_gettoken(pctx, 0));
+ if (pctx->token.type == isc_tokentype_special &&
+ pctx->token.value.as_char == '{') {
+ cfg_ungettoken(pctx);
+ return (cfg_parse_bracketed_list(pctx, type, ret));
+ }
+
+ if (pctx->token.type == isc_tokentype_string &&
+ strcasecmp(TOKEN_STRING(pctx), "local") == 0) {
+ cfg_obj_t *obj = NULL;
+ CHECK(cfg_create_obj(pctx, &cfg_type_ustring, &obj));
+ obj->value.string.length = strlen("local");
+ obj->value.string.base = isc_mem_get(pctx->mctx,
+ obj->value.string.length + 1);
+ if (obj->value.string.base == NULL) {
+ isc_mem_put(pctx->mctx, obj, sizeof(*obj));
+ return (ISC_R_NOMEMORY);
+ }
+ memcpy(obj->value.string.base, "local", 5);
+ obj->value.string.base[5] = '\0';
+ *ret = obj;
+ return (ISC_R_SUCCESS);
+ }
+
+ cfg_ungettoken(pctx);
+ return (ISC_R_UNEXPECTEDTOKEN);
+
+ cleanup:
+ return (result);
+}
+
+static void
+print_updatepolicy(cfg_printer_t *pctx, const cfg_obj_t *obj) {
+ if (cfg_obj_isstring(obj))
+ cfg_print_ustring(pctx, obj);
+ else
+ cfg_print_bracketed_list(pctx, obj);
+}
+
+static void
+doc_updatepolicy(cfg_printer_t *pctx, const cfg_type_t *type) {
+ cfg_print_cstr(pctx, "( local | { ");
+ cfg_doc_obj(pctx, type->of);
+ cfg_print_cstr(pctx, "; ... }");
+}
+
/*%
* A view statement.
*/
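Review bot: doc_updatepolicy emits an unbalanced grammar string: it opens with `"( local | { "` but the closing call prints `"; ... }"` with no `)`, so generated syntax documentation shows a dangling parenthesis. `cfg_print_cstr(pctx, "; ... } )");` would balance it. Separately, the allocation-failure branch in parse_updatepolicy releases `obj` with a bare `isc_mem_put(pctx->mctx, obj, sizeof(*obj))`, which bypasses whatever teardown the `references` counter added to struct cfg_obj in this commit requires. cfg_create_obj is outside this hunk, so that needs confirming there.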
@@ -296,7 +406,9 @@ static cfg_tuplefielddef_t view_fields[] = {
{ NULL, NULL, 0 }
};
static cfg_type_t cfg_type_view = {
- "view", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple, &cfg_rep_tuple, view_fields };
+ "view", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple,
+ &cfg_rep_tuple, view_fields
+};
/*%
* A zone statement.
@@ -308,7 +420,9 @@ static cfg_tuplefielddef_t zone_fields[] = {
{ NULL, NULL, 0 }
};
static cfg_type_t cfg_type_zone = {
- "zone", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple, &cfg_rep_tuple, zone_fields };
+ "zone", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple,
+ &cfg_rep_tuple, zone_fields
+};
/*%
* A "category" clause in the "logging" statement.
@@ -319,13 +433,15 @@ static cfg_tuplefielddef_t category_fields[] = {
{ NULL, NULL, 0 }
};
static cfg_type_t cfg_type_category = {
- "category", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple, &cfg_rep_tuple, category_fields };
+ "category", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple,
+ &cfg_rep_tuple, category_fields
+};
/*%
- * A trusted key, as used in the "trusted-keys" statement.
+ * A dnssec key, as used in the "trusted-keys" statement.
*/
-static cfg_tuplefielddef_t trustedkey_fields[] = {
+static cfg_tuplefielddef_t dnsseckey_fields[] = {
{ "name", &cfg_type_astring, 0 },
{ "flags", &cfg_type_uint32, 0 },
{ "protocol", &cfg_type_uint32, 0 },
@@ -333,9 +449,27 @@ static cfg_tuplefielddef_t trustedkey_fields[] = {
{ "key", &cfg_type_qstring, 0 },
{ NULL, NULL, 0 }
};
-static cfg_type_t cfg_type_trustedkey = {
- "trustedkey", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple, &cfg_rep_tuple,
- trustedkey_fields
+static cfg_type_t cfg_type_dnsseckey = {
+ "dnsseckey", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple,
+ &cfg_rep_tuple, dnsseckey_fields
+};
+
+/*%
+ * A managed key initialization specifier, as used in the
+ * "managed-keys" statement.
+ */
+static cfg_tuplefielddef_t managedkey_fields[] = {
+ { "name", &cfg_type_astring, 0 },
+ { "init", &cfg_type_ustring, 0 }, /* must be literal "initial-key" */
+ { "flags", &cfg_type_uint32, 0 },
+ { "protocol", &cfg_type_uint32, 0 },
+ { "algorithm", &cfg_type_uint32, 0 },
+ { "key", &cfg_type_qstring, 0 },
+ { NULL, NULL, 0 }
+};
+static cfg_type_t cfg_type_managedkey = {
+ "managedkey", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple,
+ &cfg_rep_tuple, managedkey_fields
};
static keyword_type_t wild_class_kw = { "class", &cfg_type_ustring };
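Review bot: The `init` field of managedkey_fields is typed `&cfg_type_ustring`, so the grammar accepts any unquoted token there even though the inline comment says it must be the literal "initial-key". The check therefore has to be made by a consumer that is not visible in this hunk, and a typo in a managed-keys entry is not rejected at parse time. An enum type built like `cfg_type_mode`, over `static const char *init_enums[] = { "initial-key", NULL };` with `cfg_parse_enum` as the parser, would enforce the keyword in the grammar. It would also make the generated syntax documentation show the accepted value.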
@@ -397,6 +531,7 @@ static cfg_tuplefielddef_t checknames_fields[] = {
{ "mode", &cfg_type_checkmode, 0 },
{ NULL, NULL, 0 }
};
+
static cfg_type_t cfg_type_checknames = {
"checknames", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple, &cfg_rep_tuple,
checknames_fields
@@ -407,6 +542,12 @@ static cfg_type_t cfg_type_bracketed_sockaddrlist = {
&cfg_rep_list, &cfg_type_sockaddr
};
+static const char *autodnssec_enums[] = { "allow", "maintain", "off", NULL };
+static cfg_type_t cfg_type_autodnssec = {
+ "autodnssec", cfg_parse_enum, cfg_print_ustring, cfg_doc_enum,
+ &cfg_rep_string, &autodnssec_enums
+};
+
static cfg_type_t cfg_type_rrsetorder = {
"rrsetorder", cfg_parse_bracketed_list, cfg_print_bracketed_list, cfg_doc_bracketed_list,
&cfg_rep_list, &cfg_type_rrsetorderingelement
@@ -421,13 +562,27 @@ static cfg_type_t cfg_type_optional_port = {
/*% A list of keys, as in the "key" clause of the controls statement. */
static cfg_type_t cfg_type_keylist = {
- "keylist", cfg_parse_bracketed_list, cfg_print_bracketed_list, cfg_doc_bracketed_list, &cfg_rep_list,
- &cfg_type_astring
+ "keylist", cfg_parse_bracketed_list, cfg_print_bracketed_list,
+ cfg_doc_bracketed_list, &cfg_rep_list, &cfg_type_astring
};
-static cfg_type_t cfg_type_trustedkeys = {
- "trusted-keys", cfg_parse_bracketed_list, cfg_print_bracketed_list, cfg_doc_bracketed_list, &cfg_rep_list,
- &cfg_type_trustedkey
+/*% A list of dnssec keys, as in "trusted-keys" */
+static cfg_type_t cfg_type_dnsseckeys = {
+ "dnsseckeys", cfg_parse_bracketed_list, cfg_print_bracketed_list,
+ cfg_doc_bracketed_list, &cfg_rep_list, &cfg_type_dnsseckey
+};
+
+/*%
+ * A list of managed key entries, as in "trusted-keys". Currently
+ * (9.7.0) this has a format similar to dnssec keys, except the keyname
+ * is followed by the keyword "initial-key". In future releases, this
+ * keyword may take other values indicating different methods for the
+ * key to be initialized.
+ */
+
+static cfg_type_t cfg_type_managedkeys = {
+ "managedkeys", cfg_parse_bracketed_list, cfg_print_bracketed_list,
+ cfg_doc_bracketed_list, &cfg_rep_list, &cfg_type_managedkey
};
static const char *forwardtype_enums[] = { "first", "only", NULL };
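Review bot: The comment added above cfg_type_managedkeys says `A list of managed key entries, as in "trusted-keys"`, which looks like a copy of the comment on cfg_type_dnsseckeys. The statement it describes is presumably "managed-keys", and the sentence should read `A list of managed key entries, as in "managed-keys".` The distinction matters to readers because the two statements establish trust anchors with different update behaviour, and the comment is the only description of this type in the hunk.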
@@ -437,7 +592,8 @@ static cfg_type_t cfg_type_forwardtype = {
};
static const char *zonetype_enums[] = {
- "master", "slave", "stub", "hint", "forward", "delegation-only", NULL };
+ "master", "slave", "stub", "static-stub", "hint", "forward",
+ "delegation-only", NULL };
static cfg_type_t cfg_type_zonetype = {
"zonetype", cfg_parse_enum, cfg_print_ustring, cfg_doc_enum,
&cfg_rep_string, &zonetype_enums
@@ -479,6 +635,7 @@ parse_qstringornone(cfg_parser_t *pctx, const cfg_type_t *type,
cfg_obj_t **ret)
{
isc_result_t result;
+
CHECK(cfg_gettoken(pctx, CFG_LEXOPT_QSTRING));
if (pctx->token.type == isc_tokentype_string &&
strcasecmp(TOKEN_STRING(pctx), "none") == 0)
@@ -496,12 +653,64 @@ doc_qstringornone(cfg_printer_t *pctx, const cfg_type_t *type) {
}
static cfg_type_t cfg_type_qstringornone = {
- "qstringornone", parse_qstringornone, NULL, doc_qstringornone, NULL, NULL };
+ "qstringornone", parse_qstringornone, NULL, doc_qstringornone,
+ NULL, NULL
+};
/*%
- * keyword hostname
+ * A boolean ("yes" or "no"), or the special keyword "auto".
+ * Used in the dnssec-validation option.
*/
+static void
+print_auto(cfg_printer_t *pctx, const cfg_obj_t *obj) {
+ UNUSED(obj);
+ cfg_print_cstr(pctx, "auto");
+}
+
+static cfg_type_t cfg_type_auto = {
+ "auto", NULL, print_auto, NULL, &cfg_rep_void, NULL
+};
+
+static isc_result_t
+parse_boolorauto(cfg_parser_t *pctx, const cfg_type_t *type,
+ cfg_obj_t **ret)
+{
+ isc_result_t result;
+ CHECK(cfg_gettoken(pctx, CFG_LEXOPT_QSTRING));
+ if (pctx->token.type == isc_tokentype_string &&
+ strcasecmp(TOKEN_STRING(pctx), "auto") == 0)
+ return (cfg_create_obj(pctx, &cfg_type_auto, ret));
+ cfg_ungettoken(pctx);
+ return (cfg_parse_boolean(pctx, type, ret));
+ cleanup:
+ return (result);
+}
+
+static void
+print_boolorauto(cfg_printer_t *pctx, const cfg_obj_t *obj) {
+ if (obj->type->rep == &cfg_rep_void)
+ cfg_print_chars(pctx, "auto", 4);
+ else if (obj->value.boolean)
+ cfg_print_chars(pctx, "yes", 3);
+ else
+ cfg_print_chars(pctx, "no", 2);
+}
+
+static void
+doc_boolorauto(cfg_printer_t *pctx, const cfg_type_t *type) {
+ UNUSED(type);
+ cfg_print_cstr(pctx, "( yes | no | auto )");
+}
+
+static cfg_type_t cfg_type_boolorauto = {
+ "boolorauto", parse_boolorauto, print_boolorauto,
+ doc_boolorauto, NULL, NULL
+};
+
+/*%
+ * keyword hostname
+ */
static void
print_hostname(cfg_printer_t *pctx, const cfg_obj_t *obj) {
UNUSED(obj);
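Review bot: Nothing at cfg_type_boolorauto documents that the parsed object is not always a boolean. parse_boolorauto returns a cfg_type_auto object with the void representation for `auto`, and otherwise defers to cfg_parse_boolean. Code that reads dnssec-validation through cfg_obj_asboolean() would presumably need a type test first, although no consumer is visible in this hunk. A comment above the type would make that explicit, for example `/* Yields either a boolean object or a void "auto" object; test cfg_obj_isboolean() before calling cfg_obj_asboolean(). */`.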
@@ -652,7 +861,18 @@ namedconf_or_view_clauses[] = {
/* only 1 DLZ per view allowed */
{ "dlz", &cfg_type_dynamically_loadable_zones, 0 },
{ "server", &cfg_type_server, CFG_CLAUSEFLAG_MULTI },
- { "trusted-keys", &cfg_type_trustedkeys, CFG_CLAUSEFLAG_MULTI },
+ { "trusted-keys", &cfg_type_dnsseckeys, CFG_CLAUSEFLAG_MULTI },
+ { "managed-keys", &cfg_type_managedkeys, CFG_CLAUSEFLAG_MULTI },
+ { NULL, NULL, 0 }
+};
+
+/*%
+ * Clauses that can occur in the bind.keys file.
+ */
+static cfg_clausedef_t
+bindkeys_clauses[] = {
+ { "trusted-keys", &cfg_type_dnsseckeys, CFG_CLAUSEFLAG_MULTI },
+ { "managed-keys", &cfg_type_managedkeys, CFG_CLAUSEFLAG_MULTI },
{ NULL, NULL, 0 }
};
@@ -661,18 +881,21 @@ namedconf_or_view_clauses[] = {
*/
static cfg_clausedef_t
options_clauses[] = {
- { "use-v4-udp-ports", &cfg_type_bracketed_portlist, 0 },
- { "use-v6-udp-ports", &cfg_type_bracketed_portlist, 0 },
{ "avoid-v4-udp-ports", &cfg_type_bracketed_portlist, 0 },
{ "avoid-v6-udp-ports", &cfg_type_bracketed_portlist, 0 },
+ { "bindkeys-file", &cfg_type_qstring, 0 },
{ "blackhole", &cfg_type_bracketed_aml, 0 },
{ "coresize", &cfg_type_size, 0 },
{ "datasize", &cfg_type_size, 0 },
+ { "session-keyfile", &cfg_type_qstringornone, 0 },
+ { "session-keyname", &cfg_type_astring, 0 },
+ { "session-keyalg", &cfg_type_astring, 0 },
{ "deallocate-on-exit", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
{ "directory", &cfg_type_qstring, CFG_CLAUSEFLAG_CALLBACK },
{ "dump-file", &cfg_type_qstring, 0 },
{ "fake-iquery", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
{ "files", &cfg_type_size, 0 },
+ { "flush-zones-on-shutdown", &cfg_type_boolean, 0 },
{ "has-old-clients", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
{ "heartbeat-interval", &cfg_type_uint32, 0 },
{ "host-statistics", &cfg_type_boolean, CFG_CLAUSEFLAG_NOTIMP },
@@ -681,6 +904,7 @@ options_clauses[] = {
{ "interface-interval", &cfg_type_uint32, 0 },
{ "listen-on", &cfg_type_listenon, CFG_CLAUSEFLAG_MULTI },
{ "listen-on-v6", &cfg_type_listenon, CFG_CLAUSEFLAG_MULTI },
+ { "managed-keys-directory", &cfg_type_qstring, 0 },
{ "match-mapped-addresses", &cfg_type_boolean, 0 },
{ "memstatistics-file", &cfg_type_qstring, 0 },
{ "memstatistics", &cfg_type_boolean, 0 },
@@ -693,6 +917,7 @@ options_clauses[] = {
{ "random-device", &cfg_type_qstring, 0 },
{ "recursive-clients", &cfg_type_uint32, 0 },
{ "reserved-sockets", &cfg_type_uint32, 0 },
+ { "secroots-file", &cfg_type_qstring, 0 },
{ "serial-queries", &cfg_type_uint32, CFG_CLAUSEFLAG_OBSOLETE },
{ "serial-query-rate", &cfg_type_uint32, 0 },
{ "server-id", &cfg_type_serverid, 0 },
@@ -703,6 +928,7 @@ options_clauses[] = {
{ "tcp-listen-queue", &cfg_type_uint32, 0 },
{ "tkey-dhkey", &cfg_type_tkey_dhkey, 0 },
{ "tkey-gssapi-credential", &cfg_type_qstring, 0 },
+ { "tkey-gssapi-keytab", &cfg_type_qstring, 0 },
{ "tkey-domain", &cfg_type_qstring, 0 },
{ "transfers-per-ns", &cfg_type_uint32, 0 },
{ "transfers-in", &cfg_type_uint32, 0 },
@@ -710,12 +936,12 @@ options_clauses[] = {
{ "treat-cr-as-space", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
{ "use-id-pool", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
{ "use-ixfr", &cfg_type_boolean, 0 },
+ { "use-v4-udp-ports", &cfg_type_bracketed_portlist, 0 },
+ { "use-v6-udp-ports", &cfg_type_bracketed_portlist, 0 },
{ "version", &cfg_type_qstringornone, 0 },
- { "flush-zones-on-shutdown", &cfg_type_boolean, 0 },
{ NULL, NULL, 0 }
};
-
static cfg_type_t cfg_type_namelist = {
"namelist", cfg_parse_bracketed_list, cfg_print_bracketed_list,
cfg_doc_bracketed_list, &cfg_rep_list, &cfg_type_qstring };
@@ -726,6 +952,34 @@ static cfg_type_t cfg_type_optional_exclude = {
"optional_exclude", parse_optional_keyvalue, print_keyvalue,
doc_optional_keyvalue, &cfg_rep_list, &exclude_kw };
+static keyword_type_t exceptionnames_kw = { "except-from", &cfg_type_namelist };
+
+static cfg_type_t cfg_type_optional_exceptionnames = {
+ "optional_allow", parse_optional_keyvalue, print_keyvalue,
+ doc_optional_keyvalue, &cfg_rep_list, &exceptionnames_kw };
+
+static cfg_tuplefielddef_t denyaddresses_fields[] = {
+ { "acl", &cfg_type_bracketed_aml, 0 },
+ { "except-from", &cfg_type_optional_exceptionnames, 0 },
+ { NULL, NULL, 0 }
+};
+
+static cfg_type_t cfg_type_denyaddresses = {
+ "denyaddresses", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple,
+ &cfg_rep_tuple, denyaddresses_fields
+};
+
+static cfg_tuplefielddef_t denyaliases_fields[] = {
+ { "name", &cfg_type_namelist, 0 },
+ { "except-from", &cfg_type_optional_exceptionnames, 0 },
+ { NULL, NULL, 0 }
+};
+
+static cfg_type_t cfg_type_denyaliases = {
+ "denyaliases", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple,
+ &cfg_rep_tuple, denyaliases_fields
+};
+
static cfg_type_t cfg_type_algorithmlist = {
"algorithmlist", cfg_parse_bracketed_list, cfg_print_bracketed_list,
cfg_doc_bracketed_list, &cfg_rep_list, &cfg_type_astring };
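Review bot: cfg_type_optional_exceptionnames is given the type name string "optional_allow", which matches neither its identifier nor its `except-from` keyword. The neighbouring cfg_type_optional_exclude uses "optional_exclude", so this looks like a leftover from an earlier name. Unless something outside this hunk depends on the string, `"optional_exceptionnames", parse_optional_keyvalue, print_keyvalue,` would keep diagnostics and generated grammar documentation consistent with the code.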
@@ -758,28 +1012,291 @@ static cfg_type_t cfg_type_masterformat = {
&cfg_rep_string, &masterformat_enums
};
+
+
+/*%
+ * response-policy {
+ * zone <string> [ policy (given|disabled|passthru|
+ * nxdomain|nodata|cname <domain> ) ]
+ * [ recursive-only yes|no ]
+ * [ max-policy-ttl number ] ;
+ * } [ recursive-only yes|no ] [ break-dnssec yes|no ]
+ * [ max-policy-ttl number ] ;
+ */
+
+static void
+doc_rpz_policy(cfg_printer_t *pctx, const cfg_type_t *type) {
+ const char * const *p;
+ /*
+ * This is cfg_doc_enum() without the trailing " )".
+ */
+ cfg_print_chars(pctx, "( ", 2);
+ for (p = type->of; *p != NULL; p++) {
+ cfg_print_cstr(pctx, *p);
+ if (p[1] != NULL)
+ cfg_print_chars(pctx, " | ", 3);
+ }
+}
+
+static void
+doc_rpz_cname(cfg_printer_t *pctx, const cfg_type_t *type) {
+ cfg_doc_terminal(pctx, type);
+ cfg_print_chars(pctx, " )", 2);
+}
+
+/*
+ * Parse
+ * given|disabled|passthru|nxdomain|nodata|cname <domain>
+ */
+static isc_result_t
+cfg_parse_rpz_policy(cfg_parser_t *pctx, const cfg_type_t *type,
+ cfg_obj_t **ret)
+{
+ isc_result_t result;
+ cfg_obj_t *obj;
+ const cfg_tuplefielddef_t *fields;
+
+ CHECK(cfg_create_tuple(pctx, type, &obj));
+
+ fields = type->of;
+ CHECK(cfg_parse_obj(pctx, fields[0].type, &obj->value.tuple[0]));
+ /*
+ * parse cname domain only after "policy cname"
+ */
+ if (strcasecmp("cname", cfg_obj_asstring(obj->value.tuple[0])) != 0) {
+ CHECK(cfg_parse_void(pctx, NULL, &obj->value.tuple[1]));
+ } else {
+ CHECK(cfg_parse_obj(pctx, fields[1].type,
+ &obj->value.tuple[1]));
+ }
+
+ *ret = obj;
+ return (ISC_R_SUCCESS);
+
+cleanup:
+ CLEANUP_OBJ(obj);
+ return (result);
+}
+
+/*
+ * Parse a tuple consisting of any kind of required field followed
+ * by 2 or more optional keyvalues that can be in any order.
+ */
+static isc_result_t
+cfg_parse_kv_tuple(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+ const cfg_tuplefielddef_t *fields, *f;
+ cfg_obj_t *obj;
+ int fn;
+ isc_result_t result;
+
+ obj = NULL;
+ CHECK(cfg_create_tuple(pctx, type, &obj));
+
+ /*
+ * The zone first field is required and always first.
+ */
+ fields = type->of;
+ CHECK(cfg_parse_obj(pctx, fields[0].type, &obj->value.tuple[0]));
+
+ for (;;) {
+ CHECK(cfg_peektoken(pctx, CFG_LEXOPT_QSTRING));
+ if (pctx->token.type != isc_tokentype_string)
+ break;
+
+ for (fn = 1, f = &fields[1]; ; ++fn, ++f) {
+ if (f->name == NULL) {
+ cfg_parser_error(pctx, 0, "unexpected '%s'",
+ TOKEN_STRING(pctx));
+ result = ISC_R_UNEXPECTEDTOKEN;
+ goto cleanup;
+ }
+ if (obj->value.tuple[fn] == NULL &&
+ strcasecmp(f->name, TOKEN_STRING(pctx)) == 0)
+ break;
+ }
+
+ CHECK(cfg_gettoken(pctx, 0));
+ CHECK(cfg_parse_obj(pctx, f->type, &obj->value.tuple[fn]));
+ }
+
+ for (fn = 1, f = &fields[1]; f->name != NULL; ++fn, ++f) {
+ if (obj->value.tuple[fn] == NULL)
+ CHECK(cfg_parse_void(pctx, NULL,
+ &obj->value.tuple[fn]));
+ }
+
+ *ret = obj;
+ return (ISC_R_SUCCESS);
+
+cleanup:
+ CLEANUP_OBJ(obj);
+ return (result);
+}
+
+static void
+cfg_print_kv_tuple(cfg_printer_t *pctx, const cfg_obj_t *obj) {
+ unsigned int i;
+ const cfg_tuplefielddef_t *fields, *f;
+ const cfg_obj_t *fieldobj;
+
+ fields = obj->type->of;
+ for (f = fields, i = 0; f->name != NULL; f++, i++) {
+ fieldobj = obj->value.tuple[i];
+ if (fieldobj->type->print == cfg_print_void)
+ continue;
+ if (i != 0) {
+ cfg_print_chars(pctx, " ", 1);
+ cfg_print_cstr(pctx, f->name);
+ cfg_print_chars(pctx, " ", 1);
+ }
+ cfg_print_obj(pctx, fieldobj);
+ }
+}
+
+static void
+cfg_doc_kv_tuple(cfg_printer_t *pctx, const cfg_type_t *type) {
+ const cfg_tuplefielddef_t *fields, *f;
+
+ fields = type->of;
+ for (f = fields; f->name != NULL; f++) {
+ if (f != fields) {
+ cfg_print_chars(pctx, " [ ", 3);
+ cfg_print_cstr(pctx, f->name);
+ if (f->type->doc != cfg_doc_void)
+ cfg_print_chars(pctx, " ", 1);
+ }
+ cfg_doc_obj(pctx, f->type);
+ if (f != fields)
+ cfg_print_chars(pctx, " ]", 2);
+ }
+}
+
+static keyword_type_t zone_kw = {"zone", &cfg_type_qstring};
+static cfg_type_t cfg_type_rpz_zone = {
+ "zone", parse_keyvalue, print_keyvalue,
+ doc_keyvalue, &cfg_rep_string,
+ &zone_kw
+};
+static const char *rpz_policies[] = {
+ "given", "disabled", "passthru", "no-op", "nxdomain", "nodata",
+ "cname", NULL
+};
+static cfg_type_t cfg_type_rpz_policy_name = {
+ "policy name", cfg_parse_enum, cfg_print_ustring,
+ doc_rpz_policy, &cfg_rep_string,
+ &rpz_policies
+};
+static cfg_type_t cfg_type_rpz_cname = {
+ "quoted_string", cfg_parse_astring, NULL,
+ doc_rpz_cname, &cfg_rep_string,
+ NULL
+};
+static cfg_tuplefielddef_t rpz_policy_fields[] = {
+ { "policy name", &cfg_type_rpz_policy_name, 0 },
+ { "cname", &cfg_type_rpz_cname, 0 },
+ { NULL, NULL, 0 }
+};
+static cfg_type_t cfg_type_rpz_policy = {
+ "policy tuple", cfg_parse_rpz_policy,
+ cfg_print_tuple, cfg_doc_tuple, &cfg_rep_tuple,
+ rpz_policy_fields
+};
+static cfg_tuplefielddef_t rpz_zone_fields[] = {
+ { "zone name", &cfg_type_rpz_zone, 0 },
+ { "policy", &cfg_type_rpz_policy, 0 },
+ { "recursive-only", &cfg_type_boolean, 0 },
+ { "max-policy-ttl", &cfg_type_uint32, 0 },
+ { NULL, NULL, 0 }
+};
+static cfg_type_t cfg_type_rpz_tuple = {
+ "rpz tuple", cfg_parse_kv_tuple,
+ cfg_print_kv_tuple, cfg_doc_kv_tuple, &cfg_rep_tuple,
+ rpz_zone_fields
+};
+static cfg_type_t cfg_type_rpz_list = {
+ "zone list", cfg_parse_bracketed_list, cfg_print_bracketed_list,
+ cfg_doc_bracketed_list, &cfg_rep_list,
+ &cfg_type_rpz_tuple
+};
+static cfg_tuplefielddef_t rpz_fields[] = {
+ { "zone list", &cfg_type_rpz_list, 0 },
+ { "recursive-only", &cfg_type_boolean, 0 },
+ { "break-dnssec", &cfg_type_boolean, 0 },
+ { "max-policy-ttl", &cfg_type_uint32, 0 },
+ { NULL, NULL, 0 }
+};
+static cfg_type_t cfg_type_rpz = {
+ "rpz", cfg_parse_kv_tuple,
+ cfg_print_kv_tuple, cfg_doc_kv_tuple, &cfg_rep_tuple,
+ rpz_fields
+};
+
+
/*%
* dnssec-lookaside
*/
+static void
+print_lookaside(cfg_printer_t *pctx, const cfg_obj_t *obj)
+{
+ const cfg_obj_t *domain = obj->value.tuple[0];
+
+ if (domain->value.string.length == 4 &&
+ strncmp(domain->value.string.base, "auto", 4) == 0)
+ cfg_print_cstr(pctx, "auto");
+ else
+ cfg_print_tuple(pctx, obj);
+}
+
+static void
+doc_lookaside(cfg_printer_t *pctx, const cfg_type_t *type) {
+ UNUSED(type);
+ cfg_print_cstr(pctx, "( <string> trust-anchor <string> | auto | no )");
+}
+
static keyword_type_t trustanchor_kw = { "trust-anchor", &cfg_type_astring };
-static cfg_type_t cfg_type_trustanchor = {
- "trust-anchor", parse_keyvalue, print_keyvalue, doc_keyvalue,
- &cfg_rep_string, &trustanchor_kw
+static cfg_type_t cfg_type_optional_trustanchor = {
+ "optional_trustanchor", parse_optional_keyvalue, print_keyvalue,
+ doc_keyvalue, &cfg_rep_string, &trustanchor_kw
};
static cfg_tuplefielddef_t lookaside_fields[] = {
{ "domain", &cfg_type_astring, 0 },
- { "trust-anchor", &cfg_type_trustanchor, 0 },
+ { "trust-anchor", &cfg_type_optional_trustanchor, 0 },
{ NULL, NULL, 0 }
};
static cfg_type_t cfg_type_lookaside = {
- "lookaside", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple,
+ "lookaside", cfg_parse_tuple, print_lookaside, doc_lookaside,
&cfg_rep_tuple, lookaside_fields
};
+/*
+ * DNS64.
+ */
+static cfg_clausedef_t
+dns64_clauses[] = {
+ { "clients", &cfg_type_bracketed_aml, 0 },
+ { "mapped", &cfg_type_bracketed_aml, 0 },
+ { "exclude", &cfg_type_bracketed_aml, 0 },
+ { "suffix", &cfg_type_netaddr6, 0 },
+ { "recursive-only", &cfg_type_boolean, 0 },
+ { "break-dnssec", &cfg_type_boolean, 0 },
+ { NULL, NULL, 0 },
+};
+
+static cfg_clausedef_t *
+dns64_clausesets[] = {
+ dns64_clauses,
+ NULL
+};
+
+static cfg_type_t cfg_type_dns64 = {
+ "dns64", cfg_parse_netprefix_map, cfg_print_map, cfg_doc_map,
+ &cfg_rep_map, dns64_clausesets
+};
+
/*%
* Clauses that can be found within the 'view' statement,
* with defaults in the 'options' statement.
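Review bot: In cfg_parse_rpz_policy, `obj` is declared without an initializer, so if the first `CHECK(cfg_create_tuple(pctx, type, &obj))` fails, control presumably reaches `cleanup:` and `CLEANUP_OBJ(obj)` operates on an indeterminate pointer. cfg_parse_kv_tuple, added just below it, sets `obj = NULL;` before its first CHECK, and the same is needed here: `cfg_obj_t *obj = NULL;`. The CHECK and CLEANUP_OBJ macros are defined outside this hunk, so confirm they behave as the sibling function assumes. Separately, `rpz_policies` accepts "no-op", which neither of the grammar comments in this hunk lists.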
@@ -791,26 +1308,33 @@ view_clauses[] = {
{ "acache-enable", &cfg_type_boolean, 0 },
{ "additional-from-auth", &cfg_type_boolean, 0 },
{ "additional-from-cache", &cfg_type_boolean, 0 },
+ { "allow-new-zones", &cfg_type_boolean, 0 },
{ "allow-query-cache", &cfg_type_bracketed_aml, 0 },
{ "allow-query-cache-on", &cfg_type_bracketed_aml, 0 },
{ "allow-recursion", &cfg_type_bracketed_aml, 0 },
{ "allow-recursion-on", &cfg_type_bracketed_aml, 0 },
{ "allow-v6-synthesis", &cfg_type_bracketed_aml,
CFG_CLAUSEFLAG_OBSOLETE },
+ { "attach-cache", &cfg_type_astring, 0 },
{ "auth-nxdomain", &cfg_type_boolean, CFG_CLAUSEFLAG_NEWDEFAULT },
{ "cache-file", &cfg_type_qstring, 0 },
{ "check-names", &cfg_type_checknames, CFG_CLAUSEFLAG_MULTI },
{ "cleaning-interval", &cfg_type_uint32, 0 },
{ "clients-per-query", &cfg_type_uint32, 0 },
+ { "deny-answer-addresses", &cfg_type_denyaddresses, 0 },
+ { "deny-answer-aliases", &cfg_type_denyaliases, 0 },
{ "disable-algorithms", &cfg_type_disablealgorithm,
CFG_CLAUSEFLAG_MULTI },
{ "disable-empty-zone", &cfg_type_astring, CFG_CLAUSEFLAG_MULTI },
+ { "dns64", &cfg_type_dns64, CFG_CLAUSEFLAG_MULTI },
+ { "dns64-server", &cfg_type_astring, 0 },
+ { "dns64-contact", &cfg_type_astring, 0 },
{ "dnssec-accept-expired", &cfg_type_boolean, 0 },
{ "dnssec-enable", &cfg_type_boolean, 0 },
{ "dnssec-lookaside", &cfg_type_lookaside, CFG_CLAUSEFLAG_MULTI },
{ "dnssec-must-be-secure", &cfg_type_mustbesecure,
CFG_CLAUSEFLAG_MULTI },
- { "dnssec-validation", &cfg_type_boolean, 0 },
+ { "dnssec-validation", &cfg_type_boolorauto, 0 },
{ "dual-stack-servers", &cfg_type_nameportiplist, 0 },
{ "edns-udp-size", &cfg_type_uint32, 0 },
{ "empty-contact", &cfg_type_astring, 0 },
@@ -841,6 +1365,7 @@ view_clauses[] = {
{ "recursion", &cfg_type_boolean, 0 },
{ "request-ixfr", &cfg_type_boolean, 0 },
{ "request-nsid", &cfg_type_boolean, 0 },
+ { "resolver-query-timeout", &cfg_type_uint32, 0 },
{ "rfc2308-type1", &cfg_type_boolean, CFG_CLAUSEFLAG_NYI },
{ "root-delegation-only", &cfg_type_optional_exclude, 0 },
{ "rrset-order", &cfg_type_rrsetorder, 0 },
@@ -850,6 +1375,16 @@ view_clauses[] = {
{ "transfer-format", &cfg_type_transferformat, 0 },
{ "use-queryport-pool", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
{ "zero-no-soa-ttl-cache", &cfg_type_boolean, 0 },
+#ifdef ALLOW_FILTER_AAAA_ON_V4
+ { "filter-aaaa", &cfg_type_bracketed_aml, 0 },
+ { "filter-aaaa-on-v4", &cfg_type_v4_aaaa, 0 },
+#else
+ { "filter-aaaa", &cfg_type_bracketed_aml,
+ CFG_CLAUSEFLAG_NOTCONFIGURED },
+ { "filter-aaaa-on-v4", &cfg_type_v4_aaaa,
+ CFG_CLAUSEFLAG_NOTCONFIGURED },
+#endif
+ { "response-policy", &cfg_type_rpz, 0 },
{ NULL, NULL, 0 }
};
@@ -920,6 +1455,8 @@ zone_clauses[] = {
{ "also-notify", &cfg_type_portiplist, 0 },
{ "alt-transfer-source", &cfg_type_sockaddr4wild, 0 },
{ "alt-transfer-source-v6", &cfg_type_sockaddr6wild, 0 },
+ { "auto-dnssec", &cfg_type_autodnssec, 0 },
+ { "check-dup-records", &cfg_type_checkmode, 0 },
{ "check-integrity", &cfg_type_boolean, 0 },
{ "check-mx", &cfg_type_checkmode, 0 },
{ "check-mx-cname", &cfg_type_checkmode, 0 },
@@ -927,6 +1464,8 @@ zone_clauses[] = {
{ "check-srv-cname", &cfg_type_checkmode, 0 },
{ "check-wildcard", &cfg_type_boolean, 0 },
{ "dialup", &cfg_type_dialuptype, 0 },
+ { "dnssec-dnskey-kskonly", &cfg_type_boolean, 0 },
+ { "dnssec-secure-to-insecure", &cfg_type_boolean, 0 },
{ "forward", &cfg_type_forwardtype, 0 },
{ "forwarders", &cfg_type_portiplist, 0 },
{ "key-directory", &cfg_type_qstring, 0 },
@@ -986,6 +1525,8 @@ zone_only_clauses[] = {
*/
{ "check-names", &cfg_type_checkmode, 0 },
{ "ixfr-from-differences", &cfg_type_boolean, 0 },
+ { "server-addresses", &cfg_type_bracketed_sockaddrlist, 0 },
+ { "server-names", &cfg_type_namelist, 0 },
{ NULL, NULL, 0 }
};
@@ -998,12 +1539,40 @@ namedconf_clausesets[] = {
namedconf_or_view_clauses,
NULL
};
-
LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_namedconf = {
"namedconf", cfg_parse_mapbody, cfg_print_mapbody, cfg_doc_mapbody,
&cfg_rep_map, namedconf_clausesets
};
+/*% The bind.keys syntax (trusted-keys/managed-keys only). */
+static cfg_clausedef_t *
+bindkeys_clausesets[] = {
+ bindkeys_clauses,
+ NULL
+};
+LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_bindkeys = {
+ "bindkeys", cfg_parse_mapbody, cfg_print_mapbody, cfg_doc_mapbody,
+ &cfg_rep_map, bindkeys_clausesets
+};
+
+/*% The new-zone-file syntax (for zones added by 'rndc addzone') */
+static cfg_clausedef_t
+newzones_clauses[] = {
+ { "zone", &cfg_type_zone, CFG_CLAUSEFLAG_MULTI },
+ { NULL, NULL, 0 }
+};
+
+static cfg_clausedef_t *
+newzones_clausesets[] = {
+ newzones_clauses,
+ NULL
+};
+
+LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_newzones = {
+ "newzones", cfg_parse_mapbody, cfg_print_mapbody, cfg_doc_mapbody,
+ &cfg_rep_map, newzones_clausesets
+};
+
/*% The "options" statement syntax. */
static cfg_clausedef_t *
@@ -1166,6 +1735,38 @@ static cfg_type_t cfg_type_logging = {
"logging", cfg_parse_map, cfg_print_map, cfg_doc_map, &cfg_rep_map, logging_clausesets };
+/*%
+ * For parsing an 'addzone' statement
+ */
+
+static cfg_tuplefielddef_t addzone_fields[] = {
+ { "name", &cfg_type_astring, 0 },
+ { "class", &cfg_type_optional_class, 0 },
+ { "view", &cfg_type_optional_class, 0 },
+ { "options", &cfg_type_zoneopts, 0 },
+ { NULL, NULL, 0 }
+};
+static cfg_type_t cfg_type_addzone = {
+ "addzone", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple, &cfg_rep_tuple, addzone_fields };
+
+static cfg_clausedef_t
+addzoneconf_clauses[] = {
+ { "addzone", &cfg_type_addzone, 0 },
+ { NULL, NULL, 0 }
+};
+
+static cfg_clausedef_t *
+addzoneconf_clausesets[] = {
+ addzoneconf_clauses,
+ NULL
+};
+
+LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_addzoneconf = {
+ "addzoneconf", cfg_parse_mapbody, cfg_print_mapbody, cfg_doc_mapbody,
+ &cfg_rep_map, addzoneconf_clausesets
+};
+
+
static isc_result_t
parse_unitstring(char *str, isc_resourcevalue_t *valuep) {
char *endp;
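Review bot: In addzone_fields the "view" field is parsed with `&cfg_type_optional_class`, the same type used for the "class" field on the line above. If this reuse is deliberate, because a view name is simply an optional unquoted string here, a short comment would stop it reading as a copy-paste slip, for example `/* view name: reuses the optional-class grammar (an optional bare string) */`. The definition of cfg_type_optional_class is outside this hunk, so this assumes it accepts arbitrary strings rather than only class mnemonics.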
@@ -1385,6 +1986,17 @@ static cfg_type_t cfg_type_ixfrdifftype = {
&cfg_rep_string, ixfrdiff_enums,
};
+static const char *v4_aaaa_enums[] = { "break-dnssec", NULL };
+static isc_result_t
+parse_v4_aaaa(cfg_parser_t *pctx, const cfg_type_t *type,
+ cfg_obj_t **ret) {
+ return (parse_enum_or_other(pctx, type, &cfg_type_boolean, ret));
+}
+static cfg_type_t cfg_type_v4_aaaa = {
+ "v4_aaaa", parse_v4_aaaa, cfg_print_ustring,
+ doc_enum_or_other, &cfg_rep_string, v4_aaaa_enums,
+};
+
static keyword_type_t key_kw = { "key", &cfg_type_astring };
LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_keyref = {
@@ -2083,6 +2695,15 @@ LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_rndckey = {
&cfg_rep_map, rndckey_clausesets
};
+/*
+ * session.key has exactly the same syntax as rndc.key, but it's defined
+ * separately for clarity (and so we can extend it someday, if needed).
+ */
+LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_sessionkey = {
+ "sessionkey", cfg_parse_mapbody, cfg_print_mapbody, cfg_doc_mapbody,
+ &cfg_rep_map, rndckey_clausesets
+};
+
static cfg_tuplefielddef_t nameport_fields[] = {
{ "name", &cfg_type_astring, 0 },
{ "port", &cfg_type_optional_port, 0 },
diff --git a/contrib/bind9/lib/isccfg/parser.c b/contrib/bind9/lib/isccfg/parser.c
index 3d02379447e0..ef20184f3975 100644
--- a/contrib/bind9/lib/isccfg/parser.c
+++ b/contrib/bind9/lib/isccfg/parser.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2008, 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -29,12 +29,12 @@
#include <isc/mem.h>
#include <isc/net.h>
#include <isc/netaddr.h>
+#include <isc/netscope.h>
#include <isc/print.h>
#include <isc/string.h>
#include <isc/sockaddr.h>
-#include <isc/netscope.h>
-#include <isc/util.h>
#include <isc/symtab.h>
+#include <isc/util.h>
#include <isccfg/cfg.h>
#include <isccfg/grammar.h>
@@ -387,6 +387,12 @@ cfg_parser_create(isc_mem_t *mctx, isc_log_t *lctx, cfg_parser_t **ret) {
if (pctx == NULL)
return (ISC_R_NOMEMORY);
+ result = isc_refcount_init(&pctx->references, 1);
+ if (result != ISC_R_SUCCESS) {
+ isc_mem_put(mctx, pctx, sizeof(*pctx));
+ return (result);
+ }
+
pctx->mctx = mctx;
pctx->lctx = lctx;
pctx->lexer = NULL;
@@ -400,6 +406,7 @@ cfg_parser_create(isc_mem_t *mctx, isc_log_t *lctx, cfg_parser_t **ret) {
pctx->callback = NULL;
pctx->callbackarg = NULL;
pctx->token.type = isc_tokentype_unknown;
+ pctx->flags = 0;
memset(specials, 0, sizeof(specials));
specials['{'] = 1;
@@ -526,17 +533,30 @@ cfg_parse_buffer(cfg_parser_t *pctx, isc_buffer_t *buffer,
}
void
+cfg_parser_attach(cfg_parser_t *src, cfg_parser_t **dest) {
+ REQUIRE(src != NULL);
+ REQUIRE(dest != NULL && *dest == NULL);
+ isc_refcount_increment(&src->references, NULL);
+ *dest = src;
+}
+
+void
cfg_parser_destroy(cfg_parser_t **pctxp) {
cfg_parser_t *pctx = *pctxp;
- isc_lex_destroy(&pctx->lexer);
- /*
- * Cleaning up open_files does not
- * close the files; that was already done
- * by closing the lexer.
- */
- CLEANUP_OBJ(pctx->open_files);
- CLEANUP_OBJ(pctx->closed_files);
- isc_mem_put(pctx->mctx, pctx, sizeof(*pctx));
+ unsigned int refs;
+
+ isc_refcount_decrement(&pctx->references, &refs);
+ if (refs == 0) {
+ isc_lex_destroy(&pctx->lexer);
+ /*
+ * Cleaning up open_files does not
+ * close the files; that was already done
+ * by closing the lexer.
+ */
+ CLEANUP_OBJ(pctx->open_files);
+ CLEANUP_OBJ(pctx->closed_files);
+ isc_mem_put(pctx->mctx, pctx, sizeof(*pctx));
+ }
*pctxp = NULL;
}
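Review bot: cfg_parser_destroy frees `pctx` with isc_mem_put() once the count reaches zero but never calls isc_refcount_destroy() on `pctx->references`. cfg_obj_destroy in this same commit does destroy its counter before freeing. On builds where the refcount is backed by a lock, this would presumably leak it, so add `isc_refcount_destroy(&pctx->references);` immediately before `isc_mem_put(pctx->mctx, pctx, sizeof(*pctx));`. The function also dereferences `*pctxp` with no precondition, whereas the new cfg_parser_attach checks its arguments; `REQUIRE(pctxp != NULL && *pctxp != NULL);` at the top would match.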
@@ -848,8 +868,8 @@ cfg_obj_asboolean(const cfg_obj_t *obj) {
return (obj->value.boolean);
}
-static isc_result_t
-parse_boolean(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret)
+isc_result_t
+cfg_parse_boolean(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret)
{
isc_result_t result;
isc_boolean_t value;
@@ -888,8 +908,8 @@ parse_boolean(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret)
return (result);
}
-static void
-print_boolean(cfg_printer_t *pctx, const cfg_obj_t *obj) {
+void
+cfg_print_boolean(cfg_printer_t *pctx, const cfg_obj_t *obj) {
if (obj->value.boolean)
cfg_print_chars(pctx, "yes", 3);
else
@@ -897,7 +917,7 @@ print_boolean(cfg_printer_t *pctx, const cfg_obj_t *obj) {
}
cfg_type_t cfg_type_boolean = {
- "boolean", parse_boolean, print_boolean, cfg_doc_terminal,
+ "boolean", cfg_parse_boolean, cfg_print_boolean, cfg_doc_terminal,
&cfg_rep_boolean, NULL
};
@@ -1132,7 +1152,7 @@ cfg_list_length(const cfg_obj_t *obj, isc_boolean_t recurse) {
return (count);
}
-const cfg_obj_t *
+cfg_obj_t *
cfg_listelt_value(const cfg_listelt_t *elt) {
REQUIRE(elt != NULL);
return (elt->obj);
@@ -1237,6 +1257,14 @@ cfg_parse_mapbody(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret)
if ((clause->flags & CFG_CLAUSEFLAG_NYI) != 0)
cfg_parser_warning(pctx, 0, "option '%s' is "
"not implemented", clause->name);
+
+ if ((clause->flags & CFG_CLAUSEFLAG_NOTCONFIGURED) != 0) {
+ cfg_parser_warning(pctx, 0, "option '%s' is not "
+ "configured", clause->name);
+ result = ISC_R_FAILURE;
+ goto cleanup;
+ }
+
/*
* Don't log options with CFG_CLAUSEFLAG_NEWDEFAULT
* set here - we need to log the *lack* of such an option,
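Review bot: The new CFG_CLAUSEFLAG_NOTCONFIGURED branch reports through cfg_parser_warning() but then sets `result = ISC_R_FAILURE` and jumps to cleanup, so a condition that rejects the whole configuration is logged at warning severity. An operator filtering logs for errors could miss why the configuration failed to load. Reporting it with `cfg_parser_error(pctx, 0, "option '%s' is not " "configured", clause->name);` would match the outcome. The enclosing cfg_parse_mapbody starts and ends outside this hunk.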
@@ -1478,6 +1506,7 @@ static struct flagtext {
{ CFG_CLAUSEFLAG_OBSOLETE, "obsolete" },
{ CFG_CLAUSEFLAG_NEWDEFAULT, "default changed" },
{ CFG_CLAUSEFLAG_TESTONLY, "test only" },
+ { CFG_CLAUSEFLAG_NOTCONFIGURED, "not configured" },
{ 0, NULL }
};
@@ -2326,6 +2355,7 @@ cfg_obj_line(const cfg_obj_t *obj) {
isc_result_t
cfg_create_obj(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+ isc_result_t result;
cfg_obj_t *obj;
obj = isc_mem_get(pctx->mctx, sizeof(cfg_obj_t));
@@ -2334,10 +2364,16 @@ cfg_create_obj(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
obj->type = type;
obj->file = current_file(pctx);
obj->line = pctx->line;
+ result = isc_refcount_init(&obj->references, 1);
+ if (result != ISC_R_SUCCESS) {
+ isc_mem_put(pctx->mctx, obj, sizeof(cfg_obj_t));
+ return (result);
+ }
*ret = obj;
return (ISC_R_SUCCESS);
}
+
static void
map_symtabitem_destroy(char *key, unsigned int type,
isc_symvalue_t symval, void *userarg)
@@ -2391,11 +2427,25 @@ cfg_obj_istype(const cfg_obj_t *obj, const cfg_type_t *type) {
void
cfg_obj_destroy(cfg_parser_t *pctx, cfg_obj_t **objp) {
cfg_obj_t *obj = *objp;
- obj->type->rep->free(pctx, obj);
- isc_mem_put(pctx->mctx, obj, sizeof(cfg_obj_t));
+ unsigned int refs;
+
+ isc_refcount_decrement(&obj->references, &refs);
+ if (refs == 0) {
+ obj->type->rep->free(pctx, obj);
+ isc_refcount_destroy(&obj->references);
+ isc_mem_put(pctx->mctx, obj, sizeof(cfg_obj_t));
+ }
*objp = NULL;
}
+void
+cfg_obj_attach(cfg_obj_t *src, cfg_obj_t **dest) {
+ REQUIRE(src != NULL);
+ REQUIRE(dest != NULL && *dest == NULL);
+ isc_refcount_increment(&src->references, NULL);
+ *dest = src;
+}
+
static void
free_noop(cfg_parser_t *pctx, cfg_obj_t *obj) {
UNUSED(pctx);
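Review bot: cfg_obj_attach lets an object outlive the reference its creator held, but cfg_obj_destroy still needs a live `cfg_parser_t` for `pctx->mctx` and the `rep->free` callback, and nothing here documents that coupling. A holder that attaches to an object and later drops it after the parser has been freed would pass a dangling `pctx`. A comment on cfg_obj_attach would help, for example `/* The caller must also keep the parser alive (cfg_parser_attach) until the matching cfg_obj_destroy(). */`. cfg_obj_destroy also dereferences `*objp` unchecked, while cfg_obj_attach validates its arguments; `REQUIRE(objp != NULL && *objp != NULL);` would make the two consistent.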
diff --git a/contrib/bind9/lib/lwres/api b/contrib/bind9/lib/lwres/api
index d15c78ebe60d..1e51baab5d46 100644
--- a/contrib/bind9/lib/lwres/api
+++ b/contrib/bind9/lib/lwres/api
@@ -3,6 +3,6 @@
# 9.7: 60-79
# 9.8: 80-89
# 9.9: 90-109
-LIBINTERFACE = 50
-LIBREVISION = 6
+LIBINTERFACE = 80
+LIBREVISION = 3
LIBAGE = 0
diff --git a/contrib/bind9/lib/lwres/context.c b/contrib/bind9/lib/lwres/context.c
index 26572e3d74fc..64bdaa107dd4 100644
--- a/contrib/bind9/lib/lwres/context.c
+++ b/contrib/bind9/lib/lwres/context.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2007-2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007-2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: context.c,v 1.55 2009/09/02 23:48:03 tbox Exp $ */
/*! \file context.c
lwres_context_create() creates a #lwres_context_t structure for use in
diff --git a/contrib/bind9/lib/lwres/context_p.h b/contrib/bind9/lib/lwres/context_p.h
index 2633ff0c43a1..baac07f8dd43 100644
--- a/contrib/bind9/lib/lwres/context_p.h
+++ b/contrib/bind9/lib/lwres/context_p.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2007, 2008, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2008 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: context_p.h,v 1.19 2008/12/17 23:47:58 tbox Exp $ */
#ifndef LWRES_CONTEXT_P_H
#define LWRES_CONTEXT_P_H 1
diff --git a/contrib/bind9/lib/lwres/getaddrinfo.c b/contrib/bind9/lib/lwres/getaddrinfo.c
index f8b4c81d2c41..811a2fee5ef7 100644
--- a/contrib/bind9/lib/lwres/getaddrinfo.c
+++ b/contrib/bind9/lib/lwres/getaddrinfo.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2007, 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2008, 2012 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001 Internet Software Consortium.
*
* This code is derived from software contributed to ISC by
@@ -18,7 +18,7 @@
* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: getaddrinfo.c,v 1.54 2008/11/25 23:47:23 tbox Exp $ */
/*! \file */
diff --git a/contrib/bind9/lib/lwres/getipnode.c b/contrib/bind9/lib/lwres/getipnode.c
index df86cc85dd5e..3bd82177b1e6 100644
--- a/contrib/bind9/lib/lwres/getipnode.c
+++ b/contrib/bind9/lib/lwres/getipnode.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2007, 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: getipnode.c,v 1.47 2009/09/01 23:47:45 tbox Exp $ */
/*! \file */
diff --git a/contrib/bind9/lib/lwres/include/lwres/context.h b/contrib/bind9/lib/lwres/include/lwres/context.h
index a2165122d059..434573cac293 100644
--- a/contrib/bind9/lib/lwres/include/lwres/context.h
+++ b/contrib/bind9/lib/lwres/include/lwres/context.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2008, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: context.h,v 1.23 2008/12/17 23:47:58 tbox Exp $ */
#ifndef LWRES_CONTEXT_H
#define LWRES_CONTEXT_H 1
diff --git a/contrib/bind9/lib/lwres/include/lwres/netdb.h.in b/contrib/bind9/lib/lwres/include/lwres/netdb.h.in
index 066e53992c50..0844384e5219 100644
--- a/contrib/bind9/lib/lwres/include/lwres/netdb.h.in
+++ b/contrib/bind9/lib/lwres/include/lwres/netdb.h.in
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2007, 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: netdb.h.in,v 1.41 2009/01/18 23:48:14 tbox Exp $ */
/*! \file */
diff --git a/contrib/bind9/lib/lwres/man/lwres.html b/contrib/bind9/lib/lwres/man/lwres.html
index 238b3e1f12a9..84008b625e05 100644
--- a/contrib/bind9/lib/lwres/man/lwres.html
+++ b/contrib/bind9/lib/lwres/man/lwres.html
@@ -32,7 +32,7 @@
<div class="funcsynopsis"><pre class="funcsynopsisinfo">#include &lt;lwres/lwres.h&gt;</pre></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543349"></a><h2>DESCRIPTION</h2>
+<a name="id2543350"></a><h2>DESCRIPTION</h2>
<p>
The BIND 9 lightweight resolver library is a simple, name service
independent stub resolver library. It provides hostname-to-address
@@ -47,7 +47,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543362"></a><h2>OVERVIEW</h2>
+<a name="id2543363"></a><h2>OVERVIEW</h2>
<p>
The lwresd library implements multiple name service APIs.
The standard
@@ -101,7 +101,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543426"></a><h2>CLIENT-SIDE LOW-LEVEL API CALL FLOW</h2>
+<a name="id2543427"></a><h2>CLIENT-SIDE LOW-LEVEL API CALL FLOW</h2>
<p>
When a client program wishes to make an lwres request using the
native low-level API, it typically performs the following
@@ -149,7 +149,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543574"></a><h2>SERVER-SIDE LOW-LEVEL API CALL FLOW</h2>
+<a name="id2543575"></a><h2>SERVER-SIDE LOW-LEVEL API CALL FLOW</h2>
<p>
When implementing the server side of the lightweight resolver
protocol using the lwres library, a sequence of actions like the
@@ -191,7 +191,7 @@
<p></p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543657"></a><h2>SEE ALSO</h2>
+<a name="id2543658"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">lwres_gethostent</span>(3)</span>,
<span class="citerefentry"><span class="refentrytitle">lwres_getipnode</span>(3)</span>,
diff --git a/contrib/bind9/lib/lwres/man/lwres_buffer.html b/contrib/bind9/lib/lwres/man/lwres_buffer.html
index 0c4106252a4d..b2a9bfc62fec 100644
--- a/contrib/bind9/lib/lwres/man/lwres_buffer.html
+++ b/contrib/bind9/lib/lwres/man/lwres_buffer.html
@@ -262,7 +262,7 @@ void
</div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543892"></a><h2>DESCRIPTION</h2>
+<a name="id2543893"></a><h2>DESCRIPTION</h2>
<p>
These functions provide bounds checked access to a region of memory
where data is being read or written.
diff --git a/contrib/bind9/lib/lwres/man/lwres_config.3 b/contrib/bind9/lib/lwres/man/lwres_config.3
index 42f0e695f7b3..a0919d95f25b 100644
--- a/contrib/bind9/lib/lwres/man/lwres_config.3
+++ b/contrib/bind9/lib/lwres/man/lwres_config.3
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004, 2005, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2000, 2001 Internet Software Consortium.
.\"
.\" Permission to use, copy, modify, and/or distribute this software for any
@@ -100,7 +100,7 @@ unless an error occurred when converting the network addresses to a numeric host
.PP
\fI/etc/resolv.conf\fR
.SH "COPYRIGHT"
-Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004, 2005, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
.br
Copyright \(co 2000, 2001 Internet Software Consortium.
.br
diff --git a/contrib/bind9/lib/lwres/man/lwres_config.docbook b/contrib/bind9/lib/lwres/man/lwres_config.docbook
index 5736ef3b6490..71475706e96f 100644
--- a/contrib/bind9/lib/lwres/man/lwres_config.docbook
+++ b/contrib/bind9/lib/lwres/man/lwres_config.docbook
@@ -2,7 +2,7 @@
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000, 2001 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: lwres_config.docbook,v 1.9 2007/06/18 23:47:51 tbox Exp $ -->
+<!-- $Id$ -->
<refentry>
<refentryinfo>
@@ -36,6 +36,7 @@
<year>2004</year>
<year>2005</year>
<year>2007</year>
+ <year>2012</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
<copyright>
diff --git a/contrib/bind9/lib/lwres/man/lwres_config.html b/contrib/bind9/lib/lwres/man/lwres_config.html
index ea3a0166d0e5..ccc9db14dfa8 100644
--- a/contrib/bind9/lib/lwres/man/lwres_config.html
+++ b/contrib/bind9/lib/lwres/man/lwres_config.html
@@ -1,5 +1,5 @@
<!--
- - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000, 2001 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@@ -90,7 +90,7 @@ lwres_conf_t *
</div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543441"></a><h2>DESCRIPTION</h2>
+<a name="id2543445"></a><h2>DESCRIPTION</h2>
<p><code class="function">lwres_conf_init()</code>
creates an empty
<span class="type">lwres_conf_t</span>
@@ -123,7 +123,7 @@ lwres_conf_t *
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543508"></a><h2>RETURN VALUES</h2>
+<a name="id2543512"></a><h2>RETURN VALUES</h2>
<p><code class="function">lwres_conf_parse()</code>
returns <span class="errorcode">LWRES_R_SUCCESS</span>
if it successfully read and parsed
@@ -142,13 +142,13 @@ lwres_conf_t *
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543545"></a><h2>SEE ALSO</h2>
+<a name="id2543549"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">stdio</span>(3)</span>,
<span class="citerefentry"><span class="refentrytitle">resolver</span>(5)</span>.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543571"></a><h2>FILES</h2>
+<a name="id2543575"></a><h2>FILES</h2>
<p><code class="filename">/etc/resolv.conf</code>
</p>
</div>
diff --git a/contrib/bind9/lib/lwres/man/lwres_context.3 b/contrib/bind9/lib/lwres/man/lwres_context.3
index 5764809fbd50..c888c70696d3 100644
--- a/contrib/bind9/lib/lwres/man/lwres_context.3
+++ b/contrib/bind9/lib/lwres/man/lwres_context.3
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004, 2005, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
.\"
.\" Permission to use, copy, modify, and/or distribute this software for any
@@ -164,7 +164,7 @@ times out waiting for a response.
\fBmalloc\fR(3),
\fBfree\fR(3).
.SH "COPYRIGHT"
-Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004, 2005, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
.br
Copyright \(co 2000, 2001, 2003 Internet Software Consortium.
.br
diff --git a/contrib/bind9/lib/lwres/man/lwres_context.docbook b/contrib/bind9/lib/lwres/man/lwres_context.docbook
index ad0392e4e51e..d5092ac7cf69 100644
--- a/contrib/bind9/lib/lwres/man/lwres_context.docbook
+++ b/contrib/bind9/lib/lwres/man/lwres_context.docbook
@@ -2,7 +2,7 @@
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: lwres_context.docbook,v 1.11 2007/06/18 23:47:51 tbox Exp $ -->
+<!-- $Id$ -->
<refentry>
<refentryinfo>
@@ -36,6 +36,7 @@
<year>2004</year>
<year>2005</year>
<year>2007</year>
+ <year>2012</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
<copyright>
diff --git a/contrib/bind9/lib/lwres/man/lwres_context.html b/contrib/bind9/lib/lwres/man/lwres_context.html
index 3b92d1b04591..70efa240c80c 100644
--- a/contrib/bind9/lib/lwres/man/lwres_context.html
+++ b/contrib/bind9/lib/lwres/man/lwres_context.html
@@ -1,5 +1,5 @@
<!--
- - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@@ -172,7 +172,7 @@ void *
</div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543531"></a><h2>DESCRIPTION</h2>
+<a name="id2543536"></a><h2>DESCRIPTION</h2>
<p><code class="function">lwres_context_create()</code>
creates a <span class="type">lwres_context_t</span> structure for use in
lightweight resolver operations. It holds a socket and other
@@ -258,7 +258,7 @@ void *
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543719"></a><h2>RETURN VALUES</h2>
+<a name="id2543723"></a><h2>RETURN VALUES</h2>
<p><code class="function">lwres_context_create()</code>
returns <span class="errorcode">LWRES_R_NOMEMORY</span> if memory for
the <span class="type">struct lwres_context</span> could not be allocated,
@@ -283,7 +283,7 @@ void *
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543769"></a><h2>SEE ALSO</h2>
+<a name="id2543773"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">lwres_conf_init</span>(3)</span>,
<span class="citerefentry"><span class="refentrytitle">malloc</span>(3)</span>,
diff --git a/contrib/bind9/lib/lwres/man/lwres_gabn.3 b/contrib/bind9/lib/lwres/man/lwres_gabn.3
index ea746903d4e7..0cb5ac56f81e 100644
--- a/contrib/bind9/lib/lwres/man/lwres_gabn.3
+++ b/contrib/bind9/lib/lwres/man/lwres_gabn.3
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004, 2005, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2000, 2001 Internet Software Consortium.
.\"
.\" Permission to use, copy, modify, and/or distribute this software for any
@@ -189,7 +189,7 @@ indicate that the packet is not a response to an earlier query.
.PP
\fBlwres_packet\fR(3)
.SH "COPYRIGHT"
-Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004, 2005, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
.br
Copyright \(co 2000, 2001 Internet Software Consortium.
.br
diff --git a/contrib/bind9/lib/lwres/man/lwres_gabn.docbook b/contrib/bind9/lib/lwres/man/lwres_gabn.docbook
index d0b5c190c318..6063c15beb27 100644
--- a/contrib/bind9/lib/lwres/man/lwres_gabn.docbook
+++ b/contrib/bind9/lib/lwres/man/lwres_gabn.docbook
@@ -2,7 +2,7 @@
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000, 2001 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: lwres_gabn.docbook,v 1.10 2007/06/18 23:47:51 tbox Exp $ -->
+<!-- $Id$ -->
<refentry>
<refentryinfo>
@@ -36,6 +36,7 @@
<year>2004</year>
<year>2005</year>
<year>2007</year>
+ <year>2012</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
<copyright>
diff --git a/contrib/bind9/lib/lwres/man/lwres_gabn.html b/contrib/bind9/lib/lwres/man/lwres_gabn.html
index 9a6192a4cb34..30c9dda251e9 100644
--- a/contrib/bind9/lib/lwres/man/lwres_gabn.html
+++ b/contrib/bind9/lib/lwres/man/lwres_gabn.html
@@ -1,5 +1,5 @@
<!--
- - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000, 2001 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@@ -22,7 +22,7 @@
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2476274"></a><div class="titlepage"></div>
+<a name="id2476275"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p>lwres_gabnrequest_render, lwres_gabnresponse_render, lwres_gabnrequest_parse, lwres_gabnresponse_parse, lwres_gabnresponse_free, lwres_gabnrequest_free &#8212; lightweight resolver getaddrbyname message handling</p>
@@ -178,7 +178,7 @@ void
</div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543523"></a><h2>DESCRIPTION</h2>
+<a name="id2543526"></a><h2>DESCRIPTION</h2>
<p>
These are low-level routines for creating and parsing
lightweight resolver name-to-address lookup request and
@@ -278,7 +278,7 @@ typedef struct {
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543668"></a><h2>RETURN VALUES</h2>
+<a name="id2543671"></a><h2>RETURN VALUES</h2>
<p>
The getaddrbyname opcode functions
<code class="function">lwres_gabnrequest_render()</code>,
@@ -316,7 +316,7 @@ typedef struct {
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543734"></a><h2>SEE ALSO</h2>
+<a name="id2543737"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">lwres_packet</span>(3)</span>
</p>
</div>
diff --git a/contrib/bind9/lib/lwres/man/lwres_gai_strerror.3 b/contrib/bind9/lib/lwres/man/lwres_gai_strerror.3
index fa3f494dd6f3..99d3cd221d84 100644
--- a/contrib/bind9/lib/lwres/man/lwres_gai_strerror.3
+++ b/contrib/bind9/lib/lwres/man/lwres_gai_strerror.3
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004, 2005, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2000, 2001 Internet Software Consortium.
.\"
.\" Permission to use, copy, modify, and/or distribute this software for any
@@ -123,7 +123,7 @@ used by
\fBgetaddrinfo\fR(3),
\fBRFC2133\fR().
.SH "COPYRIGHT"
-Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004, 2005, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
.br
Copyright \(co 2000, 2001 Internet Software Consortium.
.br
diff --git a/contrib/bind9/lib/lwres/man/lwres_gai_strerror.docbook b/contrib/bind9/lib/lwres/man/lwres_gai_strerror.docbook
index c33fee5ea6cf..de6c04193501 100644
--- a/contrib/bind9/lib/lwres/man/lwres_gai_strerror.docbook
+++ b/contrib/bind9/lib/lwres/man/lwres_gai_strerror.docbook
@@ -2,7 +2,7 @@
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000, 2001 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: lwres_gai_strerror.docbook,v 1.10 2007/06/18 23:47:51 tbox Exp $ -->
+<!-- $Id$ -->
<refentry>
<refentryinfo>
@@ -36,6 +36,7 @@
<year>2004</year>
<year>2005</year>
<year>2007</year>
+ <year>2012</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
<copyright>
diff --git a/contrib/bind9/lib/lwres/man/lwres_gai_strerror.html b/contrib/bind9/lib/lwres/man/lwres_gai_strerror.html
index 4bd118272dd5..e8d4935c303c 100644
--- a/contrib/bind9/lib/lwres/man/lwres_gai_strerror.html
+++ b/contrib/bind9/lib/lwres/man/lwres_gai_strerror.html
@@ -1,5 +1,5 @@
<!--
- - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000, 2001 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@@ -42,7 +42,7 @@ char *
</div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543361"></a><h2>DESCRIPTION</h2>
+<a name="id2543365"></a><h2>DESCRIPTION</h2>
<p><code class="function">lwres_gai_strerror()</code>
returns an error message corresponding to an error code returned by
<code class="function">getaddrinfo()</code>.
@@ -110,7 +110,7 @@ char *
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543576"></a><h2>SEE ALSO</h2>
+<a name="id2543580"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">strerror</span>(3)</span>,
<span class="citerefentry"><span class="refentrytitle">lwres_getaddrinfo</span>(3)</span>,
diff --git a/contrib/bind9/lib/lwres/man/lwres_getaddrinfo.3 b/contrib/bind9/lib/lwres/man/lwres_getaddrinfo.3
index a80904b8abba..96acaaea4623 100644
--- a/contrib/bind9/lib/lwres/man/lwres_getaddrinfo.3
+++ b/contrib/bind9/lib/lwres/man/lwres_getaddrinfo.3
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004, 2005, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
.\"
.\" Permission to use, copy, modify, and/or distribute this software for any
@@ -240,7 +240,7 @@ returns
\fBsendmsg\fR(2),
\fBsocket\fR(2).
.SH "COPYRIGHT"
-Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004, 2005, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
.br
Copyright \(co 2000, 2001, 2003 Internet Software Consortium.
.br
diff --git a/contrib/bind9/lib/lwres/man/lwres_getaddrinfo.docbook b/contrib/bind9/lib/lwres/man/lwres_getaddrinfo.docbook
index a328764dbbe9..cedb6eaa9cd9 100644
--- a/contrib/bind9/lib/lwres/man/lwres_getaddrinfo.docbook
+++ b/contrib/bind9/lib/lwres/man/lwres_getaddrinfo.docbook
@@ -2,7 +2,7 @@
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: lwres_getaddrinfo.docbook,v 1.13 2007/06/18 23:47:51 tbox Exp $ -->
+<!-- $Id$ -->
<refentry>
<refentryinfo>
@@ -36,6 +36,7 @@
<year>2004</year>
<year>2005</year>
<year>2007</year>
+ <year>2012</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
<copyright>
diff --git a/contrib/bind9/lib/lwres/man/lwres_getaddrinfo.html b/contrib/bind9/lib/lwres/man/lwres_getaddrinfo.html
index eec65ec46a0d..57025c0c232e 100644
--- a/contrib/bind9/lib/lwres/man/lwres_getaddrinfo.html
+++ b/contrib/bind9/lib/lwres/man/lwres_getaddrinfo.html
@@ -1,5 +1,5 @@
<!--
- - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@@ -89,7 +89,7 @@ struct addrinfo {
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543412"></a><h2>DESCRIPTION</h2>
+<a name="id2543416"></a><h2>DESCRIPTION</h2>
<p><code class="function">lwres_getaddrinfo()</code>
is used to get a list of IP addresses and port numbers for host
<em class="parameter"><code>hostname</code></em> and service
@@ -283,7 +283,7 @@ struct addrinfo {
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543789"></a><h2>RETURN VALUES</h2>
+<a name="id2543794"></a><h2>RETURN VALUES</h2>
<p><code class="function">lwres_getaddrinfo()</code>
returns zero on success or one of the error codes listed in
<span class="citerefentry"><span class="refentrytitle">gai_strerror</span>(3)</span>
@@ -294,7 +294,7 @@ struct addrinfo {
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543827"></a><h2>SEE ALSO</h2>
+<a name="id2543831"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">lwres</span>(3)</span>,
<span class="citerefentry"><span class="refentrytitle">lwres_getaddrinfo</span>(3)</span>,
diff --git a/contrib/bind9/lib/lwres/man/lwres_gethostent.3 b/contrib/bind9/lib/lwres/man/lwres_gethostent.3
index 37067273f890..d6d32e0c0bdd 100644
--- a/contrib/bind9/lib/lwres/man/lwres_gethostent.3
+++ b/contrib/bind9/lib/lwres/man/lwres_gethostent.3
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004, 2005, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2001 Internet Software Consortium.
.\"
.\" Permission to use, copy, modify, and/or distribute this software for any
@@ -309,7 +309,7 @@ The resolver daemon does not currently support any non\-DNS name services such a
or
\fBNIS\fR, consequently the above functions don't, either.
.SH "COPYRIGHT"
-Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004, 2005, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
.br
Copyright \(co 2001 Internet Software Consortium.
.br
diff --git a/contrib/bind9/lib/lwres/man/lwres_gethostent.docbook b/contrib/bind9/lib/lwres/man/lwres_gethostent.docbook
index a3f084bc2fe7..b5389153fee3 100644
--- a/contrib/bind9/lib/lwres/man/lwres_gethostent.docbook
+++ b/contrib/bind9/lib/lwres/man/lwres_gethostent.docbook
@@ -2,7 +2,7 @@
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2001 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: lwres_gethostent.docbook,v 1.11 2007/06/18 23:47:51 tbox Exp $ -->
+<!-- $Id$ -->
<refentry>
<refentryinfo>
@@ -36,6 +36,7 @@
<year>2004</year>
<year>2005</year>
<year>2007</year>
+ <year>2012</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
<copyright>
diff --git a/contrib/bind9/lib/lwres/man/lwres_gethostent.html b/contrib/bind9/lib/lwres/man/lwres_gethostent.html
index 875657dff3ad..e5f660cb0c70 100644
--- a/contrib/bind9/lib/lwres/man/lwres_gethostent.html
+++ b/contrib/bind9/lib/lwres/man/lwres_gethostent.html
@@ -1,5 +1,5 @@
<!--
- - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2001 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@@ -228,7 +228,7 @@ void
</div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543608"></a><h2>DESCRIPTION</h2>
+<a name="id2543612"></a><h2>DESCRIPTION</h2>
<p>
These functions provide hostname-to-address and
address-to-hostname lookups by means of the lightweight resolver.
@@ -366,7 +366,7 @@ struct hostent {
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543959"></a><h2>RETURN VALUES</h2>
+<a name="id2543963"></a><h2>RETURN VALUES</h2>
<p>
The functions
<code class="function">lwres_gethostbyname()</code>,
@@ -430,7 +430,7 @@ struct hostent {
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2544193"></a><h2>SEE ALSO</h2>
+<a name="id2544197"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">gethostent</span>(3)</span>,
<span class="citerefentry"><span class="refentrytitle">lwres_getipnode</span>(3)</span>,
@@ -439,7 +439,7 @@ struct hostent {
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2544227"></a><h2>BUGS</h2>
+<a name="id2544231"></a><h2>BUGS</h2>
<p><code class="function">lwres_gethostbyname()</code>,
<code class="function">lwres_gethostbyname2()</code>,
<code class="function">lwres_gethostbyaddr()</code>
diff --git a/contrib/bind9/lib/lwres/man/lwres_getipnode.3 b/contrib/bind9/lib/lwres/man/lwres_getipnode.3
index 3632e64b1239..c234ddf766a9 100644
--- a/contrib/bind9/lib/lwres/man/lwres_getipnode.3
+++ b/contrib/bind9/lib/lwres/man/lwres_getipnode.3
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004, 2005, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
.\"
.\" Permission to use, copy, modify, and/or distribute this software for any
@@ -200,7 +200,7 @@ translates these error codes to suitable error messages.
\fBlwres_getnameinfo\fR(3),
\fBlwres_hstrerror\fR(3).
.SH "COPYRIGHT"
-Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004, 2005, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
.br
Copyright \(co 2000, 2001, 2003 Internet Software Consortium.
.br
diff --git a/contrib/bind9/lib/lwres/man/lwres_getipnode.docbook b/contrib/bind9/lib/lwres/man/lwres_getipnode.docbook
index 825f46209cb7..8fd9914d7a7a 100644
--- a/contrib/bind9/lib/lwres/man/lwres_getipnode.docbook
+++ b/contrib/bind9/lib/lwres/man/lwres_getipnode.docbook
@@ -2,7 +2,7 @@
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: lwres_getipnode.docbook,v 1.12 2007/06/18 23:47:51 tbox Exp $ -->
+<!-- $Id$ -->
<refentry>
<refentryinfo>
@@ -36,6 +36,7 @@
<year>2004</year>
<year>2005</year>
<year>2007</year>
+ <year>2012</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
<copyright>
diff --git a/contrib/bind9/lib/lwres/man/lwres_getipnode.html b/contrib/bind9/lib/lwres/man/lwres_getipnode.html
index 82e4bc257b68..410fec937555 100644
--- a/contrib/bind9/lib/lwres/man/lwres_getipnode.html
+++ b/contrib/bind9/lib/lwres/man/lwres_getipnode.html
@@ -1,5 +1,5 @@
<!--
- - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@@ -98,7 +98,7 @@ void
</div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543431"></a><h2>DESCRIPTION</h2>
+<a name="id2543435"></a><h2>DESCRIPTION</h2>
<p>
These functions perform thread safe, protocol independent
nodename-to-address and address-to-nodename
@@ -217,7 +217,7 @@ struct hostent {
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543689"></a><h2>RETURN VALUES</h2>
+<a name="id2543693"></a><h2>RETURN VALUES</h2>
<p>
If an error occurs,
<code class="function">lwres_getipnodebyname()</code>
@@ -261,7 +261,7 @@ struct hostent {
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543786"></a><h2>SEE ALSO</h2>
+<a name="id2543790"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">RFC2553</span></span>,
<span class="citerefentry"><span class="refentrytitle">lwres</span>(3)</span>,
diff --git a/contrib/bind9/lib/lwres/man/lwres_getnameinfo.3 b/contrib/bind9/lib/lwres/man/lwres_getnameinfo.3
index 8ceb47cf6ec1..4a9eb021d9e2 100644
--- a/contrib/bind9/lib/lwres/man/lwres_getnameinfo.3
+++ b/contrib/bind9/lib/lwres/man/lwres_getnameinfo.3
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004, 2005, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2000, 2001 Internet Software Consortium.
.\"
.\" Permission to use, copy, modify, and/or distribute this software for any
@@ -111,7 +111,7 @@ RFC2133 fails to define what the nonzero return values of
\fBgetnameinfo\fR(3)
are.
.SH "COPYRIGHT"
-Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004, 2005, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
.br
Copyright \(co 2000, 2001 Internet Software Consortium.
.br
diff --git a/contrib/bind9/lib/lwres/man/lwres_getnameinfo.docbook b/contrib/bind9/lib/lwres/man/lwres_getnameinfo.docbook
index 504dfb70adea..4b35f02ecab4 100644
--- a/contrib/bind9/lib/lwres/man/lwres_getnameinfo.docbook
+++ b/contrib/bind9/lib/lwres/man/lwres_getnameinfo.docbook
@@ -2,7 +2,7 @@
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000, 2001 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: lwres_getnameinfo.docbook,v 1.10 2007/06/18 23:47:51 tbox Exp $ -->
+<!-- $Id$ -->
<refentry>
<refentryinfo>
@@ -36,6 +36,7 @@
<year>2004</year>
<year>2005</year>
<year>2007</year>
+ <year>2012</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
<copyright>
diff --git a/contrib/bind9/lib/lwres/man/lwres_getnameinfo.html b/contrib/bind9/lib/lwres/man/lwres_getnameinfo.html
index 8dbc84831663..f4808e742dc9 100644
--- a/contrib/bind9/lib/lwres/man/lwres_getnameinfo.html
+++ b/contrib/bind9/lib/lwres/man/lwres_getnameinfo.html
@@ -1,5 +1,5 @@
<!--
- - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000, 2001 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@@ -82,7 +82,7 @@ int
</div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543393"></a><h2>DESCRIPTION</h2>
+<a name="id2543397"></a><h2>DESCRIPTION</h2>
<p>
This function is equivalent to the
<span class="citerefentry"><span class="refentrytitle">getnameinfo</span>(3)</span> function defined in RFC2133.
@@ -149,13 +149,13 @@ int
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543534"></a><h2>RETURN VALUES</h2>
+<a name="id2543539"></a><h2>RETURN VALUES</h2>
<p><code class="function">lwres_getnameinfo()</code>
returns 0 on success or a non-zero error code if an error occurs.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543546"></a><h2>SEE ALSO</h2>
+<a name="id2543550"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">RFC2133</span></span>,
<span class="citerefentry"><span class="refentrytitle">getservbyport</span>(3)</span>,
<span class="citerefentry"><span class="refentrytitle">lwres</span>(3)</span>,
@@ -165,7 +165,7 @@ int
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543604"></a><h2>BUGS</h2>
+<a name="id2543608"></a><h2>BUGS</h2>
<p>
RFC2133 fails to define what the nonzero return values of
<span class="citerefentry"><span class="refentrytitle">getnameinfo</span>(3)</span>
diff --git a/contrib/bind9/lib/lwres/man/lwres_getrrsetbyname.3 b/contrib/bind9/lib/lwres/man/lwres_getrrsetbyname.3
index f2e33413b845..be8abab00a30 100644
--- a/contrib/bind9/lib/lwres/man/lwres_getrrsetbyname.3
+++ b/contrib/bind9/lib/lwres/man/lwres_getrrsetbyname.3
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004, 2005, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2000, 2001 Internet Software Consortium.
.\"
.\" Permission to use, copy, modify, and/or distribute this software for any
@@ -158,7 +158,7 @@ other failure
.PP
\fBlwres\fR(3).
.SH "COPYRIGHT"
-Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004, 2005, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
.br
Copyright \(co 2000, 2001 Internet Software Consortium.
.br
diff --git a/contrib/bind9/lib/lwres/man/lwres_getrrsetbyname.docbook b/contrib/bind9/lib/lwres/man/lwres_getrrsetbyname.docbook
index 5f2a68d1da1a..51a7701f01b6 100644
--- a/contrib/bind9/lib/lwres/man/lwres_getrrsetbyname.docbook
+++ b/contrib/bind9/lib/lwres/man/lwres_getrrsetbyname.docbook
@@ -2,7 +2,7 @@
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000, 2001 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: lwres_getrrsetbyname.docbook,v 1.10 2007/06/18 23:47:51 tbox Exp $ -->
+<!-- $Id$ -->
<refentry>
<refentryinfo>
@@ -36,6 +36,7 @@
<year>2004</year>
<year>2005</year>
<year>2007</year>
+ <year>2012</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
<copyright>
diff --git a/contrib/bind9/lib/lwres/man/lwres_getrrsetbyname.html b/contrib/bind9/lib/lwres/man/lwres_getrrsetbyname.html
index 4871cf237d28..7f3b56dac228 100644
--- a/contrib/bind9/lib/lwres/man/lwres_getrrsetbyname.html
+++ b/contrib/bind9/lib/lwres/man/lwres_getrrsetbyname.html
@@ -1,5 +1,5 @@
<!--
- - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000, 2001 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@@ -102,7 +102,7 @@ struct rrsetinfo {
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543414"></a><h2>DESCRIPTION</h2>
+<a name="id2543418"></a><h2>DESCRIPTION</h2>
<p><code class="function">lwres_getrrsetbyname()</code>
gets a set of resource records associated with a
<em class="parameter"><code>hostname</code></em>, <em class="parameter"><code>class</code></em>,
@@ -150,7 +150,7 @@ struct rrsetinfo {
<p></p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543526"></a><h2>RETURN VALUES</h2>
+<a name="id2543530"></a><h2>RETURN VALUES</h2>
<p><code class="function">lwres_getrrsetbyname()</code>
returns zero on success, and one of the following error codes if
an error occurred:
@@ -184,7 +184,7 @@ struct rrsetinfo {
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543626"></a><h2>SEE ALSO</h2>
+<a name="id2543630"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">lwres</span>(3)</span>.
</p>
</div>
diff --git a/contrib/bind9/lib/lwres/man/lwres_gnba.3 b/contrib/bind9/lib/lwres/man/lwres_gnba.3
index 413519035e41..5c2b264e789a 100644
--- a/contrib/bind9/lib/lwres/man/lwres_gnba.3
+++ b/contrib/bind9/lib/lwres/man/lwres_gnba.3
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004, 2005, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2000, 2001 Internet Software Consortium.
.\"
.\" Permission to use, copy, modify, and/or distribute this software for any
@@ -177,7 +177,7 @@ indicate that the packet is not a response to an earlier query.
.PP
\fBlwres_packet\fR(3).
.SH "COPYRIGHT"
-Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004, 2005, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
.br
Copyright \(co 2000, 2001 Internet Software Consortium.
.br
diff --git a/contrib/bind9/lib/lwres/man/lwres_gnba.docbook b/contrib/bind9/lib/lwres/man/lwres_gnba.docbook
index 452cdfcb0f43..4aa7fcb58491 100644
--- a/contrib/bind9/lib/lwres/man/lwres_gnba.docbook
+++ b/contrib/bind9/lib/lwres/man/lwres_gnba.docbook
@@ -2,7 +2,7 @@
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000, 2001 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: lwres_gnba.docbook,v 1.11 2007/06/18 23:47:51 tbox Exp $ -->
+<!-- $Id$ -->
<refentry>
<refentryinfo>
@@ -36,6 +36,7 @@
<year>2004</year>
<year>2005</year>
<year>2007</year>
+ <year>2012</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
<copyright>
diff --git a/contrib/bind9/lib/lwres/man/lwres_gnba.html b/contrib/bind9/lib/lwres/man/lwres_gnba.html
index f7b646135474..774a166eba1d 100644
--- a/contrib/bind9/lib/lwres/man/lwres_gnba.html
+++ b/contrib/bind9/lib/lwres/man/lwres_gnba.html
@@ -1,5 +1,5 @@
<!--
- - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000, 2001 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@@ -22,7 +22,7 @@
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2476274"></a><div class="titlepage"></div>
+<a name="id2476275"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p>lwres_gnbarequest_render, lwres_gnbaresponse_render, lwres_gnbarequest_parse, lwres_gnbaresponse_parse, lwres_gnbaresponse_free, lwres_gnbarequest_free &#8212; lightweight resolver getnamebyaddress message handling</p>
@@ -183,7 +183,7 @@ void
</div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543526"></a><h2>DESCRIPTION</h2>
+<a name="id2543529"></a><h2>DESCRIPTION</h2>
<p>
These are low-level routines for creating and parsing
lightweight resolver address-to-name lookup request and
@@ -270,7 +270,7 @@ typedef struct {
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543666"></a><h2>RETURN VALUES</h2>
+<a name="id2543669"></a><h2>RETURN VALUES</h2>
<p>
The getnamebyaddr opcode functions
<code class="function">lwres_gnbarequest_render()</code>,
@@ -308,7 +308,7 @@ typedef struct {
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543732"></a><h2>SEE ALSO</h2>
+<a name="id2543735"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">lwres_packet</span>(3)</span>.
</p>
</div>
diff --git a/contrib/bind9/lib/lwres/man/lwres_hstrerror.3 b/contrib/bind9/lib/lwres/man/lwres_hstrerror.3
index 6d24cf65e3fd..5beff3c6b169 100644
--- a/contrib/bind9/lib/lwres/man/lwres_hstrerror.3
+++ b/contrib/bind9/lib/lwres/man/lwres_hstrerror.3
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004, 2005, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2000, 2001 Internet Software Consortium.
.\"
.\" Permission to use, copy, modify, and/or distribute this software for any
@@ -93,7 +93,7 @@ is not a valid error code.
\fBherror\fR(3),
\fBlwres_hstrerror\fR(3).
.SH "COPYRIGHT"
-Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004, 2005, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
.br
Copyright \(co 2000, 2001 Internet Software Consortium.
.br
diff --git a/contrib/bind9/lib/lwres/man/lwres_hstrerror.docbook b/contrib/bind9/lib/lwres/man/lwres_hstrerror.docbook
index ca4589e080b4..d937b6c4d28f 100644
--- a/contrib/bind9/lib/lwres/man/lwres_hstrerror.docbook
+++ b/contrib/bind9/lib/lwres/man/lwres_hstrerror.docbook
@@ -2,7 +2,7 @@
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000, 2001 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: lwres_hstrerror.docbook,v 1.11 2007/06/18 23:47:51 tbox Exp $ -->
+<!-- $Id$ -->
<refentry>
<refentryinfo>
@@ -36,6 +36,7 @@
<year>2004</year>
<year>2005</year>
<year>2007</year>
+ <year>2012</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
<copyright>
diff --git a/contrib/bind9/lib/lwres/man/lwres_hstrerror.html b/contrib/bind9/lib/lwres/man/lwres_hstrerror.html
index 7f230f2c9026..c698d55d4d5e 100644
--- a/contrib/bind9/lib/lwres/man/lwres_hstrerror.html
+++ b/contrib/bind9/lib/lwres/man/lwres_hstrerror.html
@@ -1,5 +1,5 @@
<!--
- - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000, 2001 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@@ -50,7 +50,7 @@ const char *
</div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543379"></a><h2>DESCRIPTION</h2>
+<a name="id2543383"></a><h2>DESCRIPTION</h2>
<p><code class="function">lwres_herror()</code>
prints the string <em class="parameter"><code>s</code></em> on
<span class="type">stderr</span> followed by the string generated by
@@ -84,7 +84,7 @@ const char *
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543497"></a><h2>RETURN VALUES</h2>
+<a name="id2543501"></a><h2>RETURN VALUES</h2>
<p>
The string <span class="errorname">Unknown resolver error</span> is returned by
<code class="function">lwres_hstrerror()</code>
@@ -94,7 +94,7 @@ const char *
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543517"></a><h2>SEE ALSO</h2>
+<a name="id2543522"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">herror</span>(3)</span>,
<span class="citerefentry"><span class="refentrytitle">lwres_hstrerror</span>(3)</span>.
diff --git a/contrib/bind9/lib/lwres/man/lwres_inetntop.3 b/contrib/bind9/lib/lwres/man/lwres_inetntop.3
index 0dfe5e6eca6b..48a0319a2350 100644
--- a/contrib/bind9/lib/lwres/man/lwres_inetntop.3
+++ b/contrib/bind9/lib/lwres/man/lwres_inetntop.3
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004, 2005, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2000, 2001 Internet Software Consortium.
.\"
.\" Permission to use, copy, modify, and/or distribute this software for any
@@ -71,7 +71,7 @@ is not supported.
\fBinet_ntop\fR(3),
\fBerrno\fR(3).
.SH "COPYRIGHT"
-Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004, 2005, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
.br
Copyright \(co 2000, 2001 Internet Software Consortium.
.br
diff --git a/contrib/bind9/lib/lwres/man/lwres_inetntop.docbook b/contrib/bind9/lib/lwres/man/lwres_inetntop.docbook
index 26f1779d3139..93a9a4fe0fa6 100644
--- a/contrib/bind9/lib/lwres/man/lwres_inetntop.docbook
+++ b/contrib/bind9/lib/lwres/man/lwres_inetntop.docbook
@@ -2,7 +2,7 @@
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000, 2001 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: lwres_inetntop.docbook,v 1.10 2007/06/18 23:47:51 tbox Exp $ -->
+<!-- $Id$ -->
<refentry>
<refentryinfo>
@@ -36,6 +36,7 @@
<year>2004</year>
<year>2005</year>
<year>2007</year>
+ <year>2012</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
<copyright>
diff --git a/contrib/bind9/lib/lwres/man/lwres_inetntop.html b/contrib/bind9/lib/lwres/man/lwres_inetntop.html
index 7f2ac5a2267b..64be8a929f9d 100644
--- a/contrib/bind9/lib/lwres/man/lwres_inetntop.html
+++ b/contrib/bind9/lib/lwres/man/lwres_inetntop.html
@@ -1,5 +1,5 @@
<!--
- - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000, 2001 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@@ -62,7 +62,7 @@ const char *
</div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543379"></a><h2>DESCRIPTION</h2>
+<a name="id2543383"></a><h2>DESCRIPTION</h2>
<p><code class="function">lwres_net_ntop()</code>
converts an IP address of protocol family
<em class="parameter"><code>af</code></em> &#8212; IPv4 or IPv6 &#8212; at
@@ -80,7 +80,7 @@ const char *
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543411"></a><h2>RETURN VALUES</h2>
+<a name="id2543415"></a><h2>RETURN VALUES</h2>
<p>
If successful, the function returns <em class="parameter"><code>dst</code></em>:
a pointer to a string containing the presentation format of the
@@ -93,7 +93,7 @@ const char *
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543444"></a><h2>SEE ALSO</h2>
+<a name="id2543448"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">RFC1884</span></span>,
<span class="citerefentry"><span class="refentrytitle">inet_ntop</span>(3)</span>,
<span class="citerefentry"><span class="refentrytitle">errno</span>(3)</span>.
diff --git a/contrib/bind9/lib/lwres/man/lwres_noop.3 b/contrib/bind9/lib/lwres/man/lwres_noop.3
index c0fc47ed6548..aa13875c5dc1 100644
--- a/contrib/bind9/lib/lwres/man/lwres_noop.3
+++ b/contrib/bind9/lib/lwres/man/lwres_noop.3
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004, 2005, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2000, 2001 Internet Software Consortium.
.\"
.\" Permission to use, copy, modify, and/or distribute this software for any
@@ -177,7 +177,7 @@ indicate that the packet is not a response to an earlier query.
.PP
\fBlwres_packet\fR(3)
.SH "COPYRIGHT"
-Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004, 2005, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
.br
Copyright \(co 2000, 2001 Internet Software Consortium.
.br
diff --git a/contrib/bind9/lib/lwres/man/lwres_noop.docbook b/contrib/bind9/lib/lwres/man/lwres_noop.docbook
index eb823b77335b..be03c8f0ee9e 100644
--- a/contrib/bind9/lib/lwres/man/lwres_noop.docbook
+++ b/contrib/bind9/lib/lwres/man/lwres_noop.docbook
@@ -2,7 +2,7 @@
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000, 2001 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: lwres_noop.docbook,v 1.11 2007/06/18 23:47:51 tbox Exp $ -->
+<!-- $Id$ -->
<refentry>
<refentryinfo>
@@ -36,6 +36,7 @@
<year>2004</year>
<year>2005</year>
<year>2007</year>
+ <year>2012</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
<copyright>
diff --git a/contrib/bind9/lib/lwres/man/lwres_noop.html b/contrib/bind9/lib/lwres/man/lwres_noop.html
index e8aec4db8505..9db4d062683f 100644
--- a/contrib/bind9/lib/lwres/man/lwres_noop.html
+++ b/contrib/bind9/lib/lwres/man/lwres_noop.html
@@ -1,5 +1,5 @@
<!--
- - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000, 2001 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@@ -22,7 +22,7 @@
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2476274"></a><div class="titlepage"></div>
+<a name="id2476275"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p>lwres_nooprequest_render, lwres_noopresponse_render, lwres_nooprequest_parse, lwres_noopresponse_parse, lwres_noopresponse_free, lwres_nooprequest_free &#8212; lightweight resolver no-op message handling</p>
@@ -179,7 +179,7 @@ void
</div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543523"></a><h2>DESCRIPTION</h2>
+<a name="id2543526"></a><h2>DESCRIPTION</h2>
<p>
These are low-level routines for creating and parsing
lightweight resolver no-op request and response messages.
@@ -270,7 +270,7 @@ typedef struct {
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543673"></a><h2>RETURN VALUES</h2>
+<a name="id2543676"></a><h2>RETURN VALUES</h2>
<p>
The no-op opcode functions
<code class="function">lwres_nooprequest_render()</code>,
@@ -309,7 +309,7 @@ typedef struct {
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543739"></a><h2>SEE ALSO</h2>
+<a name="id2543742"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">lwres_packet</span>(3)</span>
</p>
</div>
diff --git a/contrib/bind9/lib/lwres/man/lwres_packet.3 b/contrib/bind9/lib/lwres/man/lwres_packet.3
index 49ebff7ada41..21bc90dfaadb 100644
--- a/contrib/bind9/lib/lwres/man/lwres_packet.3
+++ b/contrib/bind9/lib/lwres/man/lwres_packet.3
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004, 2005, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2000, 2001 Internet Software Consortium.
.\"
.\" Permission to use, copy, modify, and/or distribute this software for any
@@ -164,7 +164,7 @@ and lightweight resolver packet
both functions return
\fBLWRES_R_UNEXPECTEDEND\fR.
.SH "COPYRIGHT"
-Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004, 2005, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
.br
Copyright \(co 2000, 2001 Internet Software Consortium.
.br
diff --git a/contrib/bind9/lib/lwres/man/lwres_packet.docbook b/contrib/bind9/lib/lwres/man/lwres_packet.docbook
index 87841db7c71a..b191b35b1c1d 100644
--- a/contrib/bind9/lib/lwres/man/lwres_packet.docbook
+++ b/contrib/bind9/lib/lwres/man/lwres_packet.docbook
@@ -2,7 +2,7 @@
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000, 2001 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: lwres_packet.docbook,v 1.13 2007/06/18 23:47:51 tbox Exp $ -->
+<!-- $Id$ -->
<refentry>
<refentryinfo>
@@ -36,6 +36,7 @@
<year>2004</year>
<year>2005</year>
<year>2007</year>
+ <year>2012</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
<copyright>
diff --git a/contrib/bind9/lib/lwres/man/lwres_packet.html b/contrib/bind9/lib/lwres/man/lwres_packet.html
index 678ac77ad6c7..362746563721 100644
--- a/contrib/bind9/lib/lwres/man/lwres_packet.html
+++ b/contrib/bind9/lib/lwres/man/lwres_packet.html
@@ -1,5 +1,5 @@
<!--
- - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000, 2001 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@@ -66,7 +66,7 @@ lwres_result_t
</div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543389"></a><h2>DESCRIPTION</h2>
+<a name="id2543394"></a><h2>DESCRIPTION</h2>
<p>
These functions rely on a
<span class="type">struct lwres_lwpacket</span>
@@ -219,7 +219,7 @@ struct lwres_lwpacket {
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543706"></a><h2>RETURN VALUES</h2>
+<a name="id2543710"></a><h2>RETURN VALUES</h2>
<p>
Successful calls to
<code class="function">lwres_lwpacket_renderheader()</code> and
diff --git a/contrib/bind9/lib/lwres/man/lwres_resutil.3 b/contrib/bind9/lib/lwres/man/lwres_resutil.3
index 0e9cf6f97800..75dd751d4924 100644
--- a/contrib/bind9/lib/lwres/man/lwres_resutil.3
+++ b/contrib/bind9/lib/lwres/man/lwres_resutil.3
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004, 2005, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2000, 2001 Internet Software Consortium.
.\"
.\" Permission to use, copy, modify, and/or distribute this software for any
@@ -164,7 +164,7 @@ if the buffers used for sending queries and receiving replies are too small.
\fBlwres_buffer\fR(3),
\fBlwres_gabn\fR(3).
.SH "COPYRIGHT"
-Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004, 2005, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
.br
Copyright \(co 2000, 2001 Internet Software Consortium.
.br
diff --git a/contrib/bind9/lib/lwres/man/lwres_resutil.docbook b/contrib/bind9/lib/lwres/man/lwres_resutil.docbook
index e6184d912f5d..d071bcad1730 100644
--- a/contrib/bind9/lib/lwres/man/lwres_resutil.docbook
+++ b/contrib/bind9/lib/lwres/man/lwres_resutil.docbook
@@ -2,7 +2,7 @@
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000, 2001 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: lwres_resutil.docbook,v 1.12 2007/06/18 23:47:51 tbox Exp $ -->
+<!-- $Id$ -->
<refentry>
<refentryinfo>
@@ -36,6 +36,7 @@
<year>2004</year>
<year>2005</year>
<year>2007</year>
+ <year>2012</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
<copyright>
diff --git a/contrib/bind9/lib/lwres/man/lwres_resutil.html b/contrib/bind9/lib/lwres/man/lwres_resutil.html
index 2632217430d8..cbe724b3d1f8 100644
--- a/contrib/bind9/lib/lwres/man/lwres_resutil.html
+++ b/contrib/bind9/lib/lwres/man/lwres_resutil.html
@@ -1,5 +1,5 @@
<!--
- - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000, 2001 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@@ -134,7 +134,7 @@ lwres_result_t
</div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543466"></a><h2>DESCRIPTION</h2>
+<a name="id2543470"></a><h2>DESCRIPTION</h2>
<p><code class="function">lwres_string_parse()</code>
retrieves a DNS-encoded string starting the current pointer of
lightweight resolver buffer <em class="parameter"><code>b</code></em>: i.e.
@@ -210,7 +210,7 @@ typedef struct {
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543605"></a><h2>RETURN VALUES</h2>
+<a name="id2543609"></a><h2>RETURN VALUES</h2>
<p>
Successful calls to
<code class="function">lwres_string_parse()</code>
@@ -248,7 +248,7 @@ typedef struct {
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543676"></a><h2>SEE ALSO</h2>
+<a name="id2543681"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">lwres_buffer</span>(3)</span>,
<span class="citerefentry"><span class="refentrytitle">lwres_gabn</span>(3)</span>.
diff --git a/contrib/bind9/lib/lwres/strtoul.c b/contrib/bind9/lib/lwres/strtoul.c
index f16896c1dcb9..c9413a4663d5 100644
--- a/contrib/bind9/lib/lwres/strtoul.c
+++ b/contrib/bind9/lib/lwres/strtoul.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -53,7 +53,7 @@
static char sccsid[] = "@(#)strtoul.c 8.1 (Berkeley) 6/4/93";
#endif /* LIBC_SCCS and not lint */
-/* $Id: strtoul.c,v 1.4 2007/06/19 23:47:22 tbox Exp $ */
+/* $Id$ */
#include <config.h>
diff --git a/contrib/bind9/lib/lwres/unix/Makefile.in b/contrib/bind9/lib/lwres/unix/Makefile.in
index 26ca4fb8211a..15f052d00b0a 100644
--- a/contrib/bind9/lib/lwres/unix/Makefile.in
+++ b/contrib/bind9/lib/lwres/unix/Makefile.in
@@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.4 2007/06/19 23:47:23 tbox Exp $
+# $Id$
srcdir = @srcdir@
VPATH = @srcdir@
diff --git a/contrib/bind9/lib/lwres/unix/include/Makefile.in b/contrib/bind9/lib/lwres/unix/include/Makefile.in
index 5372543cc014..9c70db277692 100644
--- a/contrib/bind9/lib/lwres/unix/include/Makefile.in
+++ b/contrib/bind9/lib/lwres/unix/include/Makefile.in
@@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.4 2007/06/19 23:47:23 tbox Exp $
+# $Id$
srcdir = @srcdir@
VPATH = @srcdir@
diff --git a/contrib/bind9/lib/lwres/unix/include/lwres/Makefile.in b/contrib/bind9/lib/lwres/unix/include/lwres/Makefile.in
index 4f60ce82f886..21b63ddb199e 100644
--- a/contrib/bind9/lib/lwres/unix/include/lwres/Makefile.in
+++ b/contrib/bind9/lib/lwres/unix/include/lwres/Makefile.in
@@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.4 2007/06/19 23:47:23 tbox Exp $
+# $Id$
srcdir = @srcdir@
VPATH = @srcdir@
diff --git a/contrib/bind9/lib/lwres/unix/include/lwres/net.h b/contrib/bind9/lib/lwres/unix/include/lwres/net.h
index 0b16178c282f..390853f985c5 100644
--- a/contrib/bind9/lib/lwres/unix/include/lwres/net.h
+++ b/contrib/bind9/lib/lwres/unix/include/lwres/net.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: net.h,v 1.9 2007/06/19 23:47:23 tbox Exp $ */
+/* $Id$ */
#ifndef LWRES_NET_H
#define LWRES_NET_H 1
@@ -65,7 +65,7 @@
#ifdef LWRES_PLATFORM_NEEDNETINET6IN6H
#include <netinet6/in6.h> /* Required on BSD/OS for in6_pktinfo. */
#endif
-#include <net/if.h>
+#include <net/if.h>
#include <lwres/lang.h>
@@ -80,7 +80,7 @@
/*!
* Required for some pre RFC2133 implementations.
* IN6ADDR_ANY_INIT and IN6ADDR_LOOPBACK_INIT were added in
- * draft-ietf-ipngwg-bsd-api-04.txt or draft-ietf-ipngwg-bsd-api-05.txt.
+ * draft-ietf-ipngwg-bsd-api-04.txt or draft-ietf-ipngwg-bsd-api-05.txt.
* If 's6_addr' is defined then assume that there is a union and three
* levels otherwise assume two levels required.
*/
diff --git a/contrib/bind9/lib/lwres/version.c b/contrib/bind9/lib/lwres/version.c
index cc52c510035a..a7e5a7e42bf1 100644
--- a/contrib/bind9/lib/lwres/version.c
+++ b/contrib/bind9/lib/lwres/version.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: version.c,v 1.12 2007/06/19 23:47:22 tbox Exp $ */
+/* $Id$ */
/*! \file */
diff --git a/contrib/bind9/make/rules.in b/contrib/bind9/make/rules.in
index f9f3faa7ceab..cd4cf4f79e5e 100644
--- a/contrib/bind9/make/rules.in
+++ b/contrib/bind9/make/rules.in
@@ -35,6 +35,8 @@ sysconfdir = @sysconfdir@
localstatedir = @localstatedir@
mandir = @mandir@
datarootdir = @datarootdir@
+export_libdir = @export_libdir@
+export_includedir = @export_includedir@
DESTDIR =
@@ -134,7 +136,7 @@ ALL_CPPFLAGS = \
ALL_CFLAGS = ${EXT_CFLAGS} ${ALL_CPPFLAGS} ${CFLAGS} \
${ALWAYS_WARNINGS} ${STD_CWARNINGS} ${CWARNINGS}
-.c.@O@:
+@BIND9_CO_RULE@
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -c $<
SHELL = @SHELL@
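Review bot: The rule header for the `${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -c $<` recipe is now the configure substitution `@BIND9_CO_RULE@`, so a reader of rules.in can no longer see which target that recipe belongs to. A comment above it would restore that, e.g. `### @BIND9_CO_RULE@ is replaced by configure with the rule header for compiling .c files (formerly ".c.@O@:")`. What the substitution expands to is not visible in this hunk; if it can ever be empty, the recipe line is left without a target and make will reject the file, which is worth guarding against in configure.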
@@ -146,12 +148,97 @@ PURIFY = @PURIFY@
MKDEP = ${SHELL} ${top_builddir}/make/mkdep
+###
+### This is a template compound command to build an executable binary with
+### an internal symbol table.
+### This process is tricky. We first link all objects including a tentative
+### empty symbol table, then get a tentative list of symbols from the resulting
+### binary ($@tmp0). Next, we re-link all objects, but this time with the
+### symbol table just created ($tmp@1). The set of symbols should be the same,
+### but the corresponding addresses would be changed due to the difference on
+### the size of symbol tables. So we create the symbol table and re-create the
+### objects once again. Finally, we check the symbol table embedded in the
+### final binaryis consistent with the binary itself; otherwise the process is
+### terminated.
+###
+### To minimize the overhead of creating symbol tables, the autoconf switch
+### --enable-symtable takes an argument so that the symbol table can be created
+### on a per application basis: unless the argument is set to "all", the symbol
+### table is created only when a shell (environment) variable "MAKE_SYMTABLE" is
+### set to a non-null value in the rule to build the executable binary.
+###
+### Each Makefile.in that uses this macro is expected to define "LIBS" and
+### "NOSYMLIBS"; the former includes libisc with an empty symbol table, and
+### the latter includes libisc without the definition of a symbol table.
+### The rule to make the executable binary will look like this
+### binary@EXEEXT@: ${OBJS}
+### #export MAKE_SYMTABLE="yes"; \ <- enable if symtable is always needed
+### export BASEOBJS="${OBJS}"; \
+### ${FINALBUILDCMD}
+###
+### Normally, ${LIBS} includes all necessary libraries to build the binary;
+### there are some exceptions however, where the rule lists some of the
+### necessary libraries explicitly in addition to (or instead of) ${LIBS},
+### like this:
+### binary@EXEEXT@: ${OBJS}
+### cc -o $@ ${OBJS} ${OTHERLIB1} ${OTHERLIB2} ${lIBS}
+### in order to modify such a rule to use this compound command, a separate
+### variable "LIBS0" should be deinfed for the explicitly listed libraries,
+### while making sure ${LIBS} still includes libisc. So the above rule would
+### be modified as follows:
+### binary@EXEEXT@: ${OBJS}
+### export BASEOBJS="${OBJS}"; \
+### export LIBS0="${OTHERLIB1} ${OTHERLIB2}"; \
+### ${FINALBUILDCMD}
+### See bin/check/Makefile.in for a complete example of the use of LIBS0.
+###
+FINALBUILDCMD = if [ X"${MKSYMTBL_PROGRAM}" = X -o X"$${MAKE_SYMTABLE:-${ALWAYS_MAKE_SYMTABLE}}" = X ] ; then \
+ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} \
+ -o $@ $${BASEOBJS} $${LIBS0} ${LIBS}; \
+ else \
+ rm -f $@tmp0; \
+ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} \
+ -o $@tmp0 $${BASEOBJS} $${LIBS0} ${LIBS} || exit 1; \
+ rm -f $@-symtbl.c $@-symtbl.@O@; \
+ ${MKSYMTBL_PROGRAM} ${top_srcdir}/util/mksymtbl.pl \
+ -o $@-symtbl.c $@tmp0 || exit 1; \
+ $(MAKE) $@-symtbl.@O@ || exit 1; \
+ rm -f $@tmp1; \
+ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} \
+ -o $@tmp1 $${BASEOBJS} $@-symtbl.@O@ $${LIBS0} ${NOSYMLIBS} || exit 1; \
+ rm -f $@-symtbl.c $@-symtbl.@O@; \
+ ${MKSYMTBL_PROGRAM} ${top_srcdir}/util/mksymtbl.pl \
+ -o $@-symtbl.c $@tmp1 || exit 1; \
+ $(MAKE) $@-symtbl.@O@ || exit 1; \
+ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} \
+ -o $@tmp2 $${BASEOBJS} $@-symtbl.@O@ $${LIBS0} ${NOSYMLIBS}; \
+ ${MKSYMTBL_PROGRAM} ${top_srcdir}/util/mksymtbl.pl \
+ -o $@-symtbl2.c $@tmp2; \
+ count=0; \
+ until diff $@-symtbl.c $@-symtbl2.c > /dev/null ; \
+ do \
+ count=`expr $$count + 1` ; \
+ test $$count = 42 && exit 1 ; \
+ rm -f $@-symtbl.c $@-symtbl.@O@; \
+ ${MKSYMTBL_PROGRAM} ${top_srcdir}/util/mksymtbl.pl \
+ -o $@-symtbl.c $@tmp2 || exit 1; \
+ $(MAKE) $@-symtbl.@O@ || exit 1; \
+ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} \
+ ${LDFLAGS} -o $@tmp2 $${BASEOBJS} $@-symtbl.@O@ \
+ $${LIBS0} ${NOSYMLIBS}; \
+ ${MKSYMTBL_PROGRAM} ${top_srcdir}/util/mksymtbl.pl \
+ -o $@-symtbl2.c $@tmp2; \
+ done ; \
+ mv $@tmp2 $@; \
+ rm -f $@tmp0 $@tmp1 $@tmp2 $@-symtbl2.c; \
+ fi
+
cleandir: distclean
superclean: maintainer-clean
clean distclean maintainer-clean::
- rm -f *.@O@ *.o *.lo *.la core *.core .depend
- rm -rf .libs
+ rm -f *.@O@ *.o *.lo *.la core *.core *-symtbl.c *tmp0 *tmp1 *tmp2
+ rm -rf .depend .libs
distclean maintainer-clean::
rm -f Makefile
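Review bot: The third link pass in FINALBUILDCMD (`-o $@tmp2 ...`) and the mksymtbl call after it (`-o $@-symtbl2.c $@tmp2`) end in a bare `;`, whereas the first two passes use `|| exit 1`, and no `rm -f $@tmp2` precedes them as it does for `$@tmp0` and `$@tmp1`. If that link fails while a `$@tmp2` from an earlier interrupted build is still present, both symbol tables are generated from the stale file, the `until diff` loop succeeds, and `mv $@tmp2 $@` installs the old binary with a zero exit status. Without a stale file the failure only surfaces after 42 relink attempts. I would add `rm -f $@tmp2 $@-symtbl2.c; \` before the third link and end both commands with `|| exit 1; \`, here and inside the loop. The template comment also writes `$tmp@1` where `$@tmp1` is meant.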
@@ -229,6 +316,16 @@ PDFLATEX = @PDFLATEX@
W3M = @W3M@
###
+### Script language program used to create internal symbol tables
+###
+MKSYMTBL_PROGRAM = @MKSYMTBL_PROGRAM@
+
+###
+### Switch to create internal symbol table selectively
+###
+ALWAYS_MAKE_SYMTABLE = @ALWAYS_MAKE_SYMTABLE@
+
+###
### DocBook -> HTML
### DocBook -> man page
###
diff --git a/contrib/bind9/version b/contrib/bind9/version
index 22ece06bf884..1090bee28cee 100644
--- a/contrib/bind9/version
+++ b/contrib/bind9/version
@@ -4,7 +4,7 @@
# configure.
#
MAJORVER=9
-MINORVER=6
-PATCHVER=
-RELEASETYPE=-ESV
-RELEASEVER=-R8
+MINORVER=8
+PATCHVER=4
+RELEASETYPE=-P
+RELEASEVER=1
diff --git a/lib/bind/Makefile b/lib/bind/Makefile
index 4268219f2fa8..e2457b78937c 100644
--- a/lib/bind/Makefile
+++ b/lib/bind/Makefile
@@ -1,5 +1,5 @@
# $FreeBSD$
-SUBDIR= bind9 dns isc isccc isccfg lwres
+SUBDIR= isc isccc dns isccfg bind9 lwres
.include <bsd.subdir.mk>
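Review bot: The new `SUBDIR=` order is no longer alphabetical and nothing in the file says why, so a later tidy-up could re-sort it. The order looks like it follows library dependencies (isc first, bind9 after isccfg), but that is inferred from the names rather than shown in this hunk. If the build depends on that order, a comment above the assignment would record it, for example `# Order matters: each library is listed after the libraries it depends on.`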
diff --git a/lib/bind/config.h b/lib/bind/config.h
index 1d9498aa877f..5e9d74b66010 100644
--- a/lib/bind/config.h
+++ b/lib/bind/config.h
@@ -3,7 +3,7 @@
/* config.h. Generated from config.h.in by configure. */
/* config.h.in. Generated from configure.in by autoheader. */
/*
- * Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2008, 2012 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -19,7 +19,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: acconfig.h,v 1.51.334.2 2009-02-16 23:47:15 tbox Exp $ */
+/* $Id: acconfig.h,v 1.53 2008/12/01 23:47:44 tbox Exp $ */
/*! \file */
@@ -141,14 +141,20 @@ int sigwait(const unsigned int *set, int *sig);
/* Define if OpenSSL includes DSA support */
#define HAVE_OPENSSL_DSA 1
+/* Define if OpenSSL includes ECDSA support */
+#define HAVE_OPENSSL_ECDSA 1
+
/* Define to the length type used by the socket API (socklen_t, size_t, int). */
#define ISC_SOCKADDR_LEN_T socklen_t
/* Define if threads need PTHREAD_SCOPE_SYSTEM */
/* #undef NEED_PTHREAD_SCOPE_SYSTEM */
-/* define if ATF unit tests are to be built. */
-/* #undef ATF_TEST */
+/* Define if building universal (internal helper macro) */
+/* #undef AC_APPLE_UNIVERSAL_BUILD */
+
+/* Define to enable the "filter-aaaa-on-v4" option. */
+/* #undef ALLOW_FILTER_AAAA_ON_V4 */
/* Define if recvmsg() does not meet all of the BSD socket API specifications.
*/
@@ -160,6 +166,12 @@ int sigwait(const unsigned int *set, int *sig);
/* Define to enable "rrset-order fixed" syntax. */
/* #undef DNS_RDATASET_FIXED */
+/* Define to enable rpz-nsdname rules. */
+/* #undef ENABLE_RPZ_NSDNAME */
+
+/* Define to enable rpz-nsip rules. */
+/* #undef ENABLE_RPZ_NSIP */
+
/* Solaris hack to get select_large_fdset. */
/* #undef FD_SETSIZE */
@@ -178,27 +190,42 @@ int sigwait(const unsigned int *set, int *sig);
/* Define to 1 if you have the <devpoll.h> header file. */
/* #undef HAVE_DEVPOLL_H */
+/* Define to 1 if you have the `dlclose' function. */
+#define HAVE_DLCLOSE 1
+
/* Define to 1 if you have the <dlfcn.h> header file. */
#define HAVE_DLFCN_H 1
+/* Define to 1 if you have the `dlopen' function. */
+#define HAVE_DLOPEN 1
+
+/* Define to 1 if you have the `dlsym' function. */
+#define HAVE_DLSYM 1
+
/* Define to 1 if you have the `EVP_sha256' function. */
#define HAVE_EVP_SHA256 1
+/* Define to 1 if you have the `EVP_sha384' function. */
+#define HAVE_EVP_SHA384 1
+
/* Define to 1 if you have the `EVP_sha512' function. */
#define HAVE_EVP_SHA512 1
/* Define to 1 if you have the <fcntl.h> header file. */
#define HAVE_FCNTL_H 1
-/* Define to 1 if you have the `getenv' function. */
-#define HAVE_GETENV 1
-
/* Define to 1 if you have the <gssapi/gssapi.h> header file. */
/* #undef HAVE_GSSAPI_GSSAPI_H */
+/* Define to 1 if you have the <gssapi/gssapi_krb5.h> header file. */
+/* #undef HAVE_GSSAPI_GSSAPI_KRB5_H */
+
/* Define to 1 if you have the <gssapi.h> header file. */
/* #undef HAVE_GSSAPI_H */
+/* Define to 1 if you have the <gssapi_krb5.h> header file. */
+/* #undef HAVE_GSSAPI_KRB5_H */
+
/* Define to 1 if you have the <inttypes.h> header file. */
#define HAVE_INTTYPES_H 1
@@ -217,6 +244,9 @@ int sigwait(const unsigned int *set, int *sig);
/* Define to 1 if you have the `cap' library (-lcap). */
/* #undef HAVE_LIBCAP */
+/* if system have backtrace function */
+/* #undef HAVE_LIBCTRACE */
+
/* Define to 1 if you have the `c_r' library (-lc_r). */
/* #undef HAVE_LIBC_R */
@@ -253,9 +283,27 @@ int sigwait(const unsigned int *set, int *sig);
/* Define to 1 if you have the <net/if6.h> header file. */
/* #undef HAVE_NET_IF6_H */
+/* Define if your OpenSSL version supports GOST. */
+/* #undef HAVE_OPENSSL_GOST */
+
+/* Define to 1 if you have the <regex.h> header file. */
+#define HAVE_REGEX_H 1
+
+/* Define to 1 if you have the `setegid' function. */
+#define HAVE_SETEGID 1
+
+/* Define to 1 if you have the `seteuid' function. */
+#define HAVE_SETEUID 1
+
/* Define to 1 if you have the `setlocale' function. */
#define HAVE_SETLOCALE 1
+/* Define to 1 if you have the `setresgid' function. */
+#define HAVE_SETRESGID 1
+
+/* Define to 1 if you have the `setresuid' function. */
+#define HAVE_SETRESUID 1
+
/* Define to 1 if you have the <stdint.h> header file. */
#define HAVE_STDINT_H 1
@@ -310,6 +358,18 @@ int sigwait(const unsigned int *set, int *sig);
/* Define to 1 if you have the <unistd.h> header file. */
#define HAVE_UNISTD_H 1
+/* return type of gai_strerror */
+#define IRS_GAISTRERROR_RETURN_T const char *
+
+/* Define to the buffer length type used by getnameinfo(3). */
+#define IRS_GETNAMEINFO_BUFLEN_T size_t
+
+/* Define to the flags type used by getnameinfo(3). */
+#define IRS_GETNAMEINFO_FLAGS_T int
+
+/* Define to allow building of objects for dlopen(). */
+#define ISC_DLZ_DLOPEN 1
+
/* Define to the sub-directory in which libtool stores uninstalled libraries.
*/
#define LT_OBJDIR ".libs/"
@@ -333,6 +393,9 @@ int sigwait(const unsigned int *set, int *sig);
/* Define to the one symbol short name of this package. */
#define PACKAGE_TARNAME ""
+/* Define to the home page for this package. */
+#define PACKAGE_URL ""
+
/* Define to the version of this package. */
#define PACKAGE_VERSION ""
@@ -357,21 +420,22 @@ int sigwait(const unsigned int *set, int *sig);
/* #undef WITH_IDN */
/* Define WORDS_BIGENDIAN to 1 if your processor stores words with the most
- significant byte first (like Motorola and SPARC, unlike Intel and VAX). */
-#if defined __BIG_ENDIAN__
-# define WORDS_BIGENDIAN 1
-#elif ! defined __LITTLE_ENDIAN__
-/* # undef WORDS_BIGENDIAN */
+ significant byte first (like Motorola and SPARC, unlike Intel). */
+#if defined AC_APPLE_UNIVERSAL_BUILD
+# if defined __BIG_ENDIAN__
+# define WORDS_BIGENDIAN 1
+# endif
+#else
+# ifndef WORDS_BIGENDIAN
+/* # undef WORDS_BIGENDIAN */
+# endif
#endif
/* Define to empty if `const' does not conform to ANSI C. */
/* #undef const */
-/* Define to `__inline__' or `__inline' if that's what the C compiler
- calls it, or to nothing if 'inline' is not supported under any name. */
-#ifndef __cplusplus
+/* Define to empty if your compiler does not support "static inline". */
#define inline /**/
-#endif
/* Define to `unsigned int' if <sys/types.h> does not define. */
/* #undef size_t */
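Review bot: After this change the header never defines `WORDS_BIGENDIAN` itself. It is now taken from the compiler's `__BIG_ENDIAN__` only when `AC_APPLE_UNIVERSAL_BUILD` is defined, and an earlier hunk of this same file leaves that macro as `/* #undef AC_APPLE_UNIVERSAL_BUILD */`; the `#else` branch holds only a commented-out `#undef`. Big-endian targets must therefore get the macro from outside the header, presumably from compiler flags set in the library makefiles, which this diff does not show. Byte-order mistakes in DNS wire-format and hashing code tend to produce wrong results rather than build failures, so the `#else` branch should say where the definition comes from, for example `/* WORDS_BIGENDIAN is expected from CFLAGS on big-endian targets; confirm in the library makefiles. */`. The same hunk also drops the `#ifndef __cplusplus` guard around `#define inline /**/`, which would erase `inline` in any C++ translation unit that includes this header, so it is worth confirming none does.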
diff --git a/lib/bind/dns/Makefile b/lib/bind/dns/Makefile
index 72b9f80c4085..89dfd408286b 100644
--- a/lib/bind/dns/Makefile
+++ b/lib/bind/dns/Makefile
@@ -15,26 +15,25 @@ LIB= dns
SRCS+= acache.c acl.c adb.c byaddr.c \
cache.c callbacks.c compress.c \
db.c dbiterator.c dbtable.c diff.c dispatch.c \
- dlz.c dnssec.c ds.c \
+ dlz.c dns64.c dnssec.c ds.c \
dst_api.c dst_lib.c dst_parse.c dst_result.c \
forward.c \
gssapi_link.c gssapictx.c hmac_link.c \
- iptable.c \
- journal.c \
+ iptable.c journal.c \
key.c \
- keytable.c \
- lib.c log.c lookup.c \
+ keydata.c keytable.c lib.c log.c lookup.c \
master.c masterdump.c message.c \
name.c ncache.c nsec.c nsec3.c \
openssl_link.c openssldh_link.c \
- openssldsa_link.c opensslrsa_link.c \
- order.c peer.c portlist.c \
- rbt.c rbtdb.c rbtdb64.c rcode.c rdata.c \
- rdatalist.c \
+ openssldsa_link.c opensslgost_link.c opensslrsa_link.c \
+ opensslecdsa_link.c \
+ order.c peer.c portlist.c private.c \
+ rbt.c rbtdb.c rbtdb64.c rcode.c rdata.c rdatalist.c \
rdataset.c rdatasetiter.c rdataslab.c request.c \
- resolver.c result.c rootns.c sdb.c sdlz.c soa.c ssu.c \
+ resolver.c result.c rootns.c rpz.c rriterator.c \
+ sdb.c sdlz.c soa.c ssu.c ssu_external.c \
stats.c tcpmsg.c time.c timer.c tkey.c \
- tsig.c ttl.c validator.c \
+ tsec.c tsig.c ttl.c validator.c \
version.c view.c xfrin.c zone.c zonekey.c zt.c
CFLAGS+= -I${SRCDIR}/include/dst -I${SRCDIR}/include -I${SRCDIR}
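Review bot: `opensslgost_link.c` is added to `SRCS` unconditionally, while the `lib/bind/config.h` change in this same commit leaves `HAVE_OPENSSL_GOST` as a commented-out `#undef`. Presumably the source guards its body on that macro and compiles to stubs, but that is not visible here, and the list reads as if GOST signing were built in. A one-line comment above the `SRCS+=` assignment would make the intent explicit, for example `# opensslgost_link.c is built unconditionally; GOST stays disabled unless HAVE_OPENSSL_GOST is defined in config.h.`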
@@ -84,6 +83,7 @@ DNSINCS= ${SRCDIR}/include/dns/acache.h \
${SRCDIR}/include/dns/order.h \
${SRCDIR}/include/dns/peer.h \
${SRCDIR}/include/dns/portlist.h \
+ ${SRCDIR}/include/dns/private.h \
${SRCDIR}/include/dns/rbt.h \
${SRCDIR}/include/dns/rcode.h \
${SRCDIR}/include/dns/rdata.h \
diff --git a/lib/bind/dns/code.h b/lib/bind/dns/code.h
index cfbd1ef0357a..a451eeb03031 100644
--- a/lib/bind/dns/code.h
+++ b/lib/bind/dns/code.h
@@ -67,7 +67,7 @@
#include "rdata/generic/loc_29.c"
#include "rdata/generic/nxt_30.c"
#include "rdata/in_1/srv_33.c"
-#include "rdata/generic/naptr_35.c"
+#include "rdata/in_1/naptr_35.c"
#include "rdata/in_1/kx_36.c"
#include "rdata/generic/cert_37.c"
#include "rdata/in_1/a6_38.c"
@@ -84,11 +84,13 @@
#include "rdata/generic/nsec3_50.c"
#include "rdata/generic/nsec3param_51.c"
#include "rdata/generic/tlsa_52.c"
+#include "rdata/generic/hip_55.c"
#include "rdata/generic/spf_99.c"
#include "rdata/generic/unspec_103.c"
#include "rdata/generic/tkey_249.c"
#include "rdata/any_255/tsig_250.c"
#include "rdata/generic/dlv_32769.c"
+#include "rdata/generic/keydata_65533.c"
@@ -155,7 +157,11 @@
default: result = DNS_R_UNKNOWN; break; \
} \
break; \
- case 35: result = fromtext_naptr(rdclass, type, lexer, origin, options, target, callbacks); break; \
+ case 35: switch (rdclass) { \
+ case 1: result = fromtext_in_naptr(rdclass, type, lexer, origin, options, target, callbacks); break; \
+ default: result = DNS_R_UNKNOWN; break; \
+ } \
+ break; \
case 36: switch (rdclass) { \
case 1: result = fromtext_in_kx(rdclass, type, lexer, origin, options, target, callbacks); break; \
default: result = DNS_R_UNKNOWN; break; \
@@ -188,6 +194,7 @@
case 50: result = fromtext_nsec3(rdclass, type, lexer, origin, options, target, callbacks); break; \
case 51: result = fromtext_nsec3param(rdclass, type, lexer, origin, options, target, callbacks); break; \
case 52: result = fromtext_tlsa(rdclass, type, lexer, origin, options, target, callbacks); break; \
+ case 55: result = fromtext_hip(rdclass, type, lexer, origin, options, target, callbacks); break; \
case 99: result = fromtext_spf(rdclass, type, lexer, origin, options, target, callbacks); break; \
case 103: result = fromtext_unspec(rdclass, type, lexer, origin, options, target, callbacks); break; \
case 249: result = fromtext_tkey(rdclass, type, lexer, origin, options, target, callbacks); break; \
@@ -197,6 +204,7 @@
} \
break; \
case 32769: result = fromtext_dlv(rdclass, type, lexer, origin, options, target, callbacks); break; \
+ case 65533: result = fromtext_keydata(rdclass, type, lexer, origin, options, target, callbacks); break; \
default: result = DNS_R_UNKNOWN; break; \
}
@@ -263,7 +271,11 @@
default: use_default = ISC_TRUE; break; \
} \
break; \
- case 35: result = totext_naptr(rdata, tctx, target); break; \
+ case 35: switch (rdata->rdclass) { \
+ case 1: result = totext_in_naptr(rdata, tctx, target); break; \
+ default: use_default = ISC_TRUE; break; \
+ } \
+ break; \
case 36: switch (rdata->rdclass) { \
case 1: result = totext_in_kx(rdata, tctx, target); break; \
default: use_default = ISC_TRUE; break; \
@@ -296,6 +308,7 @@
case 50: result = totext_nsec3(rdata, tctx, target); break; \
case 51: result = totext_nsec3param(rdata, tctx, target); break; \
case 52: result = totext_tlsa(rdata, tctx, target); break; \
+ case 55: result = totext_hip(rdata, tctx, target); break; \
case 99: result = totext_spf(rdata, tctx, target); break; \
case 103: result = totext_unspec(rdata, tctx, target); break; \
case 249: result = totext_tkey(rdata, tctx, target); break; \
@@ -305,6 +318,7 @@
} \
break; \
case 32769: result = totext_dlv(rdata, tctx, target); break; \
+ case 65533: result = totext_keydata(rdata, tctx, target); break; \
default: use_default = ISC_TRUE; break; \
}
@@ -371,7 +385,11 @@
default: use_default = ISC_TRUE; break; \
} \
break; \
- case 35: result = fromwire_naptr(rdclass, type, source, dctx, options, target); break; \
+ case 35: switch (rdclass) { \
+ case 1: result = fromwire_in_naptr(rdclass, type, source, dctx, options, target); break; \
+ default: use_default = ISC_TRUE; break; \
+ } \
+ break; \
case 36: switch (rdclass) { \
case 1: result = fromwire_in_kx(rdclass, type, source, dctx, options, target); break; \
default: use_default = ISC_TRUE; break; \
@@ -404,6 +422,7 @@
case 50: result = fromwire_nsec3(rdclass, type, source, dctx, options, target); break; \
case 51: result = fromwire_nsec3param(rdclass, type, source, dctx, options, target); break; \
case 52: result = fromwire_tlsa(rdclass, type, source, dctx, options, target); break; \
+ case 55: result = fromwire_hip(rdclass, type, source, dctx, options, target); break; \
case 99: result = fromwire_spf(rdclass, type, source, dctx, options, target); break; \
case 103: result = fromwire_unspec(rdclass, type, source, dctx, options, target); break; \
case 249: result = fromwire_tkey(rdclass, type, source, dctx, options, target); break; \
@@ -413,6 +432,7 @@
} \
break; \
case 32769: result = fromwire_dlv(rdclass, type, source, dctx, options, target); break; \
+ case 65533: result = fromwire_keydata(rdclass, type, source, dctx, options, target); break; \
default: use_default = ISC_TRUE; break; \
}
@@ -479,7 +499,11 @@
default: use_default = ISC_TRUE; break; \
} \
break; \
- case 35: result = towire_naptr(rdata, cctx, target); break; \
+ case 35: switch (rdata->rdclass) { \
+ case 1: result = towire_in_naptr(rdata, cctx, target); break; \
+ default: use_default = ISC_TRUE; break; \
+ } \
+ break; \
case 36: switch (rdata->rdclass) { \
case 1: result = towire_in_kx(rdata, cctx, target); break; \
default: use_default = ISC_TRUE; break; \
@@ -512,6 +536,7 @@
case 50: result = towire_nsec3(rdata, cctx, target); break; \
case 51: result = towire_nsec3param(rdata, cctx, target); break; \
case 52: result = towire_tlsa(rdata, cctx, target); break; \
+ case 55: result = towire_hip(rdata, cctx, target); break; \
case 99: result = towire_spf(rdata, cctx, target); break; \
case 103: result = towire_unspec(rdata, cctx, target); break; \
case 249: result = towire_tkey(rdata, cctx, target); break; \
@@ -521,6 +546,7 @@
} \
break; \
case 32769: result = towire_dlv(rdata, cctx, target); break; \
+ case 65533: result = towire_keydata(rdata, cctx, target); break; \
default: use_default = ISC_TRUE; break; \
}
@@ -587,7 +613,11 @@
default: use_default = ISC_TRUE; break; \
} \
break; \
- case 35: result = compare_naptr(rdata1, rdata2); break; \
+ case 35: switch (rdata1->rdclass) { \
+ case 1: result = compare_in_naptr(rdata1, rdata2); break; \
+ default: use_default = ISC_TRUE; break; \
+ } \
+ break; \
case 36: switch (rdata1->rdclass) { \
case 1: result = compare_in_kx(rdata1, rdata2); break; \
default: use_default = ISC_TRUE; break; \
@@ -620,6 +650,7 @@
case 50: result = compare_nsec3(rdata1, rdata2); break; \
case 51: result = compare_nsec3param(rdata1, rdata2); break; \
case 52: result = compare_tlsa(rdata1, rdata2); break; \
+ case 55: result = compare_hip(rdata1, rdata2); break; \
case 99: result = compare_spf(rdata1, rdata2); break; \
case 103: result = compare_unspec(rdata1, rdata2); break; \
case 249: result = compare_tkey(rdata1, rdata2); break; \
@@ -629,6 +660,121 @@
} \
break; \
case 32769: result = compare_dlv(rdata1, rdata2); break; \
+ case 65533: result = compare_keydata(rdata1, rdata2); break; \
+ default: use_default = ISC_TRUE; break; \
+ }
+
+#define CASECOMPARESWITCH \
+ switch (rdata1->type) { \
+ case 1: switch (rdata1->rdclass) { \
+ case 1: result = casecompare_in_a(rdata1, rdata2); break; \
+ case 3: result = casecompare_ch_a(rdata1, rdata2); break; \
+ case 4: result = casecompare_hs_a(rdata1, rdata2); break; \
+ default: use_default = ISC_TRUE; break; \
+ } \
+ break; \
+ case 2: result = casecompare_ns(rdata1, rdata2); break; \
+ case 3: result = casecompare_md(rdata1, rdata2); break; \
+ case 4: result = casecompare_mf(rdata1, rdata2); break; \
+ case 5: result = casecompare_cname(rdata1, rdata2); break; \
+ case 6: result = casecompare_soa(rdata1, rdata2); break; \
+ case 7: result = casecompare_mb(rdata1, rdata2); break; \
+ case 8: result = casecompare_mg(rdata1, rdata2); break; \
+ case 9: result = casecompare_mr(rdata1, rdata2); break; \
+ case 10: result = casecompare_null(rdata1, rdata2); break; \
+ case 11: switch (rdata1->rdclass) { \
+ case 1: result = casecompare_in_wks(rdata1, rdata2); break; \
+ default: use_default = ISC_TRUE; break; \
+ } \
+ break; \
+ case 12: result = casecompare_ptr(rdata1, rdata2); break; \
+ case 13: result = casecompare_hinfo(rdata1, rdata2); break; \
+ case 14: result = casecompare_minfo(rdata1, rdata2); break; \
+ case 15: result = casecompare_mx(rdata1, rdata2); break; \
+ case 16: result = casecompare_txt(rdata1, rdata2); break; \
+ case 17: result = casecompare_rp(rdata1, rdata2); break; \
+ case 18: result = casecompare_afsdb(rdata1, rdata2); break; \
+ case 19: result = casecompare_x25(rdata1, rdata2); break; \
+ case 20: result = casecompare_isdn(rdata1, rdata2); break; \
+ case 21: result = casecompare_rt(rdata1, rdata2); break; \
+ case 22: switch (rdata1->rdclass) { \
+ case 1: result = casecompare_in_nsap(rdata1, rdata2); break; \
+ default: use_default = ISC_TRUE; break; \
+ } \
+ break; \
+ case 23: switch (rdata1->rdclass) { \
+ case 1: result = casecompare_in_nsap_ptr(rdata1, rdata2); break; \
+ default: use_default = ISC_TRUE; break; \
+ } \
+ break; \
+ case 24: result = casecompare_sig(rdata1, rdata2); break; \
+ case 25: result = casecompare_key(rdata1, rdata2); break; \
+ case 26: switch (rdata1->rdclass) { \
+ case 1: result = casecompare_in_px(rdata1, rdata2); break; \
+ default: use_default = ISC_TRUE; break; \
+ } \
+ break; \
+ case 27: result = casecompare_gpos(rdata1, rdata2); break; \
+ case 28: switch (rdata1->rdclass) { \
+ case 1: result = casecompare_in_aaaa(rdata1, rdata2); break; \
+ default: use_default = ISC_TRUE; break; \
+ } \
+ break; \
+ case 29: result = casecompare_loc(rdata1, rdata2); break; \
+ case 30: result = casecompare_nxt(rdata1, rdata2); break; \
+ case 33: switch (rdata1->rdclass) { \
+ case 1: result = casecompare_in_srv(rdata1, rdata2); break; \
+ default: use_default = ISC_TRUE; break; \
+ } \
+ break; \
+ case 35: switch (rdata1->rdclass) { \
+ case 1: result = casecompare_in_naptr(rdata1, rdata2); break; \
+ default: use_default = ISC_TRUE; break; \
+ } \
+ break; \
+ case 36: switch (rdata1->rdclass) { \
+ case 1: result = casecompare_in_kx(rdata1, rdata2); break; \
+ default: use_default = ISC_TRUE; break; \
+ } \
+ break; \
+ case 37: result = casecompare_cert(rdata1, rdata2); break; \
+ case 38: switch (rdata1->rdclass) { \
+ case 1: result = casecompare_in_a6(rdata1, rdata2); break; \
+ default: use_default = ISC_TRUE; break; \
+ } \
+ break; \
+ case 39: result = casecompare_dname(rdata1, rdata2); break; \
+ case 41: result = casecompare_opt(rdata1, rdata2); break; \
+ case 42: switch (rdata1->rdclass) { \
+ case 1: result = casecompare_in_apl(rdata1, rdata2); break; \
+ default: use_default = ISC_TRUE; break; \
+ } \
+ break; \
+ case 43: result = casecompare_ds(rdata1, rdata2); break; \
+ case 44: result = casecompare_sshfp(rdata1, rdata2); break; \
+ case 45: result = casecompare_ipseckey(rdata1, rdata2); break; \
+ case 46: result = casecompare_rrsig(rdata1, rdata2); break; \
+ case 47: result = casecompare_nsec(rdata1, rdata2); break; \
+ case 48: result = casecompare_dnskey(rdata1, rdata2); break; \
+ case 49: switch (rdata1->rdclass) { \
+ case 1: result = casecompare_in_dhcid(rdata1, rdata2); break; \
+ default: use_default = ISC_TRUE; break; \
+ } \
+ break; \
+ case 50: result = casecompare_nsec3(rdata1, rdata2); break; \
+ case 51: result = casecompare_nsec3param(rdata1, rdata2); break; \
+ case 52: result = casecompare_tlsa(rdata1, rdata2); break; \
+ case 55: result = casecompare_hip(rdata1, rdata2); break; \
+ case 99: result = casecompare_spf(rdata1, rdata2); break; \
+ case 103: result = casecompare_unspec(rdata1, rdata2); break; \
+ case 249: result = casecompare_tkey(rdata1, rdata2); break; \
+ case 250: switch (rdata1->rdclass) { \
+ case 255: result = casecompare_any_tsig(rdata1, rdata2); break; \
+ default: use_default = ISC_TRUE; break; \
+ } \
+ break; \
+ case 32769: result = casecompare_dlv(rdata1, rdata2); break; \
+ case 65533: result = casecompare_keydata(rdata1, rdata2); break; \
default: use_default = ISC_TRUE; break; \
}
@@ -695,7 +841,11 @@
default: use_default = ISC_TRUE; break; \
} \
break; \
- case 35: result = fromstruct_naptr(rdclass, type, source, target); break; \
+ case 35: switch (rdclass) { \
+ case 1: result = fromstruct_in_naptr(rdclass, type, source, target); break; \
+ default: use_default = ISC_TRUE; break; \
+ } \
+ break; \
case 36: switch (rdclass) { \
case 1: result = fromstruct_in_kx(rdclass, type, source, target); break; \
default: use_default = ISC_TRUE; break; \
@@ -728,6 +878,7 @@
case 50: result = fromstruct_nsec3(rdclass, type, source, target); break; \
case 51: result = fromstruct_nsec3param(rdclass, type, source, target); break; \
case 52: result = fromstruct_tlsa(rdclass, type, source, target); break; \
+ case 55: result = fromstruct_hip(rdclass, type, source, target); break; \
case 99: result = fromstruct_spf(rdclass, type, source, target); break; \
case 103: result = fromstruct_unspec(rdclass, type, source, target); break; \
case 249: result = fromstruct_tkey(rdclass, type, source, target); break; \
@@ -737,6 +888,7 @@
} \
break; \
case 32769: result = fromstruct_dlv(rdclass, type, source, target); break; \
+ case 65533: result = fromstruct_keydata(rdclass, type, source, target); break; \
default: use_default = ISC_TRUE; break; \
}
@@ -803,7 +955,11 @@
default: use_default = ISC_TRUE; break; \
} \
break; \
- case 35: result = tostruct_naptr(rdata, target, mctx); break; \
+ case 35: switch (rdata->rdclass) { \
+ case 1: result = tostruct_in_naptr(rdata, target, mctx); break; \
+ default: use_default = ISC_TRUE; break; \
+ } \
+ break; \
case 36: switch (rdata->rdclass) { \
case 1: result = tostruct_in_kx(rdata, target, mctx); break; \
default: use_default = ISC_TRUE; break; \
@@ -836,6 +992,7 @@
case 50: result = tostruct_nsec3(rdata, target, mctx); break; \
case 51: result = tostruct_nsec3param(rdata, target, mctx); break; \
case 52: result = tostruct_tlsa(rdata, target, mctx); break; \
+ case 55: result = tostruct_hip(rdata, target, mctx); break; \
case 99: result = tostruct_spf(rdata, target, mctx); break; \
case 103: result = tostruct_unspec(rdata, target, mctx); break; \
case 249: result = tostruct_tkey(rdata, target, mctx); break; \
@@ -845,6 +1002,7 @@
} \
break; \
case 32769: result = tostruct_dlv(rdata, target, mctx); break; \
+ case 65533: result = tostruct_keydata(rdata, target, mctx); break; \
default: use_default = ISC_TRUE; break; \
}
@@ -911,7 +1069,11 @@
default: break; \
} \
break; \
- case 35: freestruct_naptr(source); break; \
+ case 35: switch (common->rdclass) { \
+ case 1: freestruct_in_naptr(source); break; \
+ default: break; \
+ } \
+ break; \
case 36: switch (common->rdclass) { \
case 1: freestruct_in_kx(source); break; \
default: break; \
@@ -944,6 +1106,7 @@
case 50: freestruct_nsec3(source); break; \
case 51: freestruct_nsec3param(source); break; \
case 52: freestruct_tlsa(source); break; \
+ case 55: freestruct_hip(source); break; \
case 99: freestruct_spf(source); break; \
case 103: freestruct_unspec(source); break; \
case 249: freestruct_tkey(source); break; \
@@ -953,6 +1116,7 @@
} \
break; \
case 32769: freestruct_dlv(source); break; \
+ case 65533: freestruct_keydata(source); break; \
default: break; \
}
@@ -1019,7 +1183,11 @@
default: use_default = ISC_TRUE; break; \
} \
break; \
- case 35: result = additionaldata_naptr(rdata, add, arg); break; \
+ case 35: switch (rdata->rdclass) { \
+ case 1: result = additionaldata_in_naptr(rdata, add, arg); break; \
+ default: use_default = ISC_TRUE; break; \
+ } \
+ break; \
case 36: switch (rdata->rdclass) { \
case 1: result = additionaldata_in_kx(rdata, add, arg); break; \
default: use_default = ISC_TRUE; break; \
@@ -1052,6 +1220,7 @@
case 50: result = additionaldata_nsec3(rdata, add, arg); break; \
case 51: result = additionaldata_nsec3param(rdata, add, arg); break; \
case 52: result = additionaldata_tlsa(rdata, add, arg); break; \
+ case 55: result = additionaldata_hip(rdata, add, arg); break; \
case 99: result = additionaldata_spf(rdata, add, arg); break; \
case 103: result = additionaldata_unspec(rdata, add, arg); break; \
case 249: result = additionaldata_tkey(rdata, add, arg); break; \
@@ -1061,6 +1230,7 @@
} \
break; \
case 32769: result = additionaldata_dlv(rdata, add, arg); break; \
+ case 65533: result = additionaldata_keydata(rdata, add, arg); break; \
default: use_default = ISC_TRUE; break; \
}
@@ -1127,7 +1297,11 @@
default: use_default = ISC_TRUE; break; \
} \
break; \
- case 35: result = digest_naptr(rdata, digest, arg); break; \
+ case 35: switch (rdata->rdclass) { \
+ case 1: result = digest_in_naptr(rdata, digest, arg); break; \
+ default: use_default = ISC_TRUE; break; \
+ } \
+ break; \
case 36: switch (rdata->rdclass) { \
case 1: result = digest_in_kx(rdata, digest, arg); break; \
default: use_default = ISC_TRUE; break; \
@@ -1160,6 +1334,7 @@
case 50: result = digest_nsec3(rdata, digest, arg); break; \
case 51: result = digest_nsec3param(rdata, digest, arg); break; \
case 52: result = digest_tlsa(rdata, digest, arg); break; \
+ case 55: result = digest_hip(rdata, digest, arg); break; \
case 99: result = digest_spf(rdata, digest, arg); break; \
case 103: result = digest_unspec(rdata, digest, arg); break; \
case 249: result = digest_tkey(rdata, digest, arg); break; \
@@ -1169,6 +1344,7 @@
} \
break; \
case 32769: result = digest_dlv(rdata, digest, arg); break; \
+ case 65533: result = digest_keydata(rdata, digest, arg); break; \
default: use_default = ISC_TRUE; break; \
}
@@ -1235,7 +1411,11 @@
default: result = ISC_TRUE; break; \
} \
break; \
- case 35: result = checkowner_naptr(name, rdclass, type, wildcard); break; \
+ case 35: switch (rdclass) { \
+ case 1: result = checkowner_in_naptr(name, rdclass, type, wildcard); break; \
+ default: result = ISC_TRUE; break; \
+ } \
+ break; \
case 36: switch (rdclass) { \
case 1: result = checkowner_in_kx(name, rdclass, type, wildcard); break; \
default: result = ISC_TRUE; break; \
@@ -1268,6 +1448,7 @@
case 50: result = checkowner_nsec3(name, rdclass, type, wildcard); break; \
case 51: result = checkowner_nsec3param(name, rdclass, type, wildcard); break; \
case 52: result = checkowner_tlsa(name, rdclass, type, wildcard); break; \
+ case 55: result = checkowner_hip(name, rdclass, type, wildcard); break; \
case 99: result = checkowner_spf(name, rdclass, type, wildcard); break; \
case 103: result = checkowner_unspec(name, rdclass, type, wildcard); break; \
case 249: result = checkowner_tkey(name, rdclass, type, wildcard); break; \
@@ -1277,6 +1458,7 @@
} \
break; \
case 32769: result = checkowner_dlv(name, rdclass, type, wildcard); break; \
+ case 65533: result = checkowner_keydata(name, rdclass, type, wildcard); break; \
default: result = ISC_TRUE; break; \
}
@@ -1343,7 +1525,11 @@
default: result = ISC_TRUE; break; \
} \
break; \
- case 35: result = checknames_naptr(rdata, owner, bad); break; \
+ case 35: switch (rdata->rdclass) { \
+ case 1: result = checknames_in_naptr(rdata, owner, bad); break; \
+ default: result = ISC_TRUE; break; \
+ } \
+ break; \
case 36: switch (rdata->rdclass) { \
case 1: result = checknames_in_kx(rdata, owner, bad); break; \
default: result = ISC_TRUE; break; \
@@ -1376,6 +1562,7 @@
case 50: result = checknames_nsec3(rdata, owner, bad); break; \
case 51: result = checknames_nsec3param(rdata, owner, bad); break; \
case 52: result = checknames_tlsa(rdata, owner, bad); break; \
+ case 55: result = checknames_hip(rdata, owner, bad); break; \
case 99: result = checknames_spf(rdata, owner, bad); break; \
case 103: result = checknames_unspec(rdata, owner, bad); break; \
case 249: result = checknames_tkey(rdata, owner, bad); break; \
@@ -1385,6 +1572,7 @@
} \
break; \
case 32769: result = checknames_dlv(rdata, owner, bad); break; \
+ case 65533: result = checknames_keydata(rdata, owner, bad); break; \
default: result = ISC_TRUE; break; \
}
#define RDATATYPE_COMPARE(_s, _d, _tn, _n, _tp) \
@@ -1547,6 +1735,9 @@
case 120: \
RDATATYPE_COMPARE("tlsa", 52, _typename, _length, _typep); \
break; \
+ case 208: \
+ RDATATYPE_COMPARE("hip", 55, _typename, _length, _typep); \
+ break; \
case 230: \
RDATATYPE_COMPARE("uinfo", 100, _typename, _length, _typep); \
break; \
@@ -1573,6 +1764,7 @@
break; \
case 50: \
RDATATYPE_COMPARE("maila", 254, _typename, _length, _typep); \
+ RDATATYPE_COMPARE("keydata", 65533, _typename, _length, _typep); \
break; \
case 68: \
RDATATYPE_COMPARE("any", 255, _typename, _length, _typep); \
@@ -1632,6 +1824,7 @@
case 50: return (RRTYPE_NSEC3_ATTRIBUTES); \
case 51: return (RRTYPE_NSEC3PARAM_ATTRIBUTES); \
case 52: return (RRTYPE_TLSA_ATTRIBUTES); \
+ case 55: return (RRTYPE_HIP_ATTRIBUTES); \
case 99: return (RRTYPE_SPF_ATTRIBUTES); \
case 100: return (DNS_RDATATYPEATTR_RESERVED); \
case 101: return (DNS_RDATATYPEATTR_RESERVED); \
@@ -1645,6 +1838,7 @@
case 254: return (DNS_RDATATYPEATTR_META | DNS_RDATATYPEATTR_QUESTIONONLY); \
case 255: return (DNS_RDATATYPEATTR_META | DNS_RDATATYPEATTR_QUESTIONONLY); \
case 32769: return (RRTYPE_DLV_ATTRIBUTES); \
+ case 65533: return (RRTYPE_KEYDATA_ATTRIBUTES); \
}
#define RDATATYPE_TOTEXT_SW \
switch (type) { \
@@ -1700,6 +1894,7 @@
case 50: return (str_totext("NSEC3", target)); \
case 51: return (str_totext("NSEC3PARAM", target)); \
case 52: return (str_totext("TLSA", target)); \
+ case 55: return (str_totext("HIP", target)); \
case 99: return (str_totext("SPF", target)); \
case 100: return (str_totext("UINFO", target)); \
case 101: return (str_totext("UID", target)); \
@@ -1713,5 +1908,6 @@
case 254: return (str_totext("MAILA", target)); \
case 255: return (str_totext("ANY", target)); \
case 32769: return (str_totext("DLV", target)); \
+ case 65533: return (str_totext("KEYDATA", target)); \
}
#endif /* DNS_CODE_H */
diff --git a/lib/bind/dns/dns/enumtype.h b/lib/bind/dns/dns/enumtype.h
index 23ddc49b9575..4c9a2f9b57fd 100644
--- a/lib/bind/dns/dns/enumtype.h
+++ b/lib/bind/dns/dns/enumtype.h
@@ -79,11 +79,13 @@ enum {
dns_rdatatype_nsec3 = 50,
dns_rdatatype_nsec3param = 51,
dns_rdatatype_tlsa = 52,
+ dns_rdatatype_hip = 55,
dns_rdatatype_spf = 99,
dns_rdatatype_unspec = 103,
dns_rdatatype_tkey = 249,
dns_rdatatype_tsig = 250,
dns_rdatatype_dlv = 32769,
+ dns_rdatatype_keydata = 65533,
dns_rdatatype_ixfr = 251,
dns_rdatatype_axfr = 252,
dns_rdatatype_mailb = 253,
@@ -140,11 +142,13 @@ enum {
#define dns_rdatatype_nsec3 ((dns_rdatatype_t)dns_rdatatype_nsec3)
#define dns_rdatatype_nsec3param ((dns_rdatatype_t)dns_rdatatype_nsec3param)
#define dns_rdatatype_tlsa ((dns_rdatatype_t)dns_rdatatype_tlsa)
+#define dns_rdatatype_hip ((dns_rdatatype_t)dns_rdatatype_hip)
#define dns_rdatatype_spf ((dns_rdatatype_t)dns_rdatatype_spf)
#define dns_rdatatype_unspec ((dns_rdatatype_t)dns_rdatatype_unspec)
#define dns_rdatatype_tkey ((dns_rdatatype_t)dns_rdatatype_tkey)
#define dns_rdatatype_tsig ((dns_rdatatype_t)dns_rdatatype_tsig)
#define dns_rdatatype_dlv ((dns_rdatatype_t)dns_rdatatype_dlv)
+#define dns_rdatatype_keydata ((dns_rdatatype_t)dns_rdatatype_keydata)
#define dns_rdatatype_ixfr ((dns_rdatatype_t)dns_rdatatype_ixfr)
#define dns_rdatatype_axfr ((dns_rdatatype_t)dns_rdatatype_axfr)
#define dns_rdatatype_mailb ((dns_rdatatype_t)dns_rdatatype_mailb)
diff --git a/lib/bind/dns/dns/rdatastruct.h b/lib/bind/dns/dns/rdatastruct.h
index 8b9386d305d3..9504fa8c79c0 100644
--- a/lib/bind/dns/dns/rdatastruct.h
+++ b/lib/bind/dns/dns/rdatastruct.h
@@ -1178,7 +1178,7 @@ typedef struct dns_rdata_in_srv {
#endif /* IN_1_SRV_33_H */
/*
- * Copyright (C) 2004, 2005, 2007, 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2012 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -1194,15 +1194,15 @@ typedef struct dns_rdata_in_srv {
* PERFORMANCE OF THIS SOFTWARE.
*/
-#ifndef GENERIC_NAPTR_35_H
-#define GENERIC_NAPTR_35_H 1
+#ifndef IN_1_NAPTR_35_H
+#define IN_1_NAPTR_35_H 1
/* $Id$ */
/*!
* \brief Per RFC2915 */
-typedef struct dns_rdata_naptr {
+typedef struct dns_rdata_in_naptr {
dns_rdatacommon_t common;
isc_mem_t *mctx;
isc_uint16_t order;
@@ -1214,9 +1214,9 @@ typedef struct dns_rdata_naptr {
char *regexp;
isc_uint8_t regexp_len;
dns_name_t replacement;
-} dns_rdata_naptr_t;
+} dns_rdata_in_naptr_t;
-#endif /* GENERIC_NAPTR_35_H */
+#endif /* IN_1_NAPTR_35_H */
/*
* Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001 Internet Software Consortium.
@@ -1875,6 +1875,53 @@ typedef struct dns_rdata_tlsa {
#endif /* GENERIC_TLSA_52_H */
/*
+ * Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: hip_55.h,v 1.2 2009/02/26 06:09:19 marka Exp $ */
+
+#ifndef GENERIC_HIP_5_H
+#define GENERIC_HIP_5_H 1
+
+/* RFC 5205 */
+
+typedef struct dns_rdata_hip {
+ dns_rdatacommon_t common;
+ isc_mem_t * mctx;
+ unsigned char * hit;
+ unsigned char * key;
+ unsigned char * servers;
+ isc_uint8_t algorithm;
+ isc_uint8_t hit_len;
+ isc_uint16_t key_len;
+ isc_uint16_t servers_len;
+ /* Private */
+ isc_uint16_t offset;
+} dns_rdata_hip_t;
+
+isc_result_t
+dns_rdata_hip_first(dns_rdata_hip_t *);
+
+isc_result_t
+dns_rdata_hip_next(dns_rdata_hip_t *);
+
+void
+dns_rdata_hip_current(dns_rdata_hip_t *, dns_name_t *);
+
+#endif /* GENERIC_HIP_5_H */
+/*
* Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1998-2001 Internet Software Consortium.
*
@@ -2069,6 +2116,41 @@ typedef struct dns_rdata_dlv {
#endif /* GENERIC_DLV_32769_H */
/*
+ * Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef GENERIC_KEYDATA_65533_H
+#define GENERIC_KEYDATA_65533_H 1
+
+/* $Id: keydata_65533.h,v 1.2 2009/06/30 02:52:32 each Exp $ */
+
+typedef struct dns_rdata_keydata {
+ dns_rdatacommon_t common;
+ isc_mem_t * mctx;
+ isc_uint32_t refresh; /* Timer for refreshing data */
+ isc_uint32_t addhd; /* Hold-down timer for adding */
+ isc_uint32_t removehd; /* Hold-down timer for removing */
+ isc_uint16_t flags; /* Copy of DNSKEY_48 */
+ isc_uint8_t protocol;
+ isc_uint8_t algorithm;
+ isc_uint16_t datalen;
+ unsigned char * data;
+} dns_rdata_keydata_t;
+
+#endif /* GENERIC_KEYDATA_65533_H */
+/*
* Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2001 Internet Software Consortium.
*
diff --git a/lib/bind/isc/Makefile b/lib/bind/isc/Makefile
index 7648da5f32a4..f41f604bf0e9 100644
--- a/lib/bind/isc/Makefile
+++ b/lib/bind/isc/Makefile
@@ -27,18 +27,26 @@ SRCS+= condition.c mutex.c \
.PATH: ${SRCDIR}
SRCS+= inet_pton.c \
- assertions.c base32.c base64.c bitstring.c buffer.c \
- bufferlist.c commandline.c entropy.c error.c event.c \
- fsaccess.c hash.c heap.c hex.c hmacmd5.c hmacsha.c \
- httpd.c inet_aton.c inet_ntop.c iterated_hash.c \
+ assertions.c backtrace.c base32.c base64.c bitstring.c \
+ buffer.c bufferlist.c commandline.c error.c event.c \
+ fsaccess.c hash.c \
+ heap.c hex.c hmacmd5.c hmacsha.c \
+ httpd.c inet_aton.c \
+ inet_ntop.c \
+ iterated_hash.c \
lex.c lfsr.c lib.c log.c \
md5.c mem.c mutexblock.c \
netaddr.c netscope.c ondestroy.c \
- parseint.c portset.c print.c quota.c radix.c random.c \
+ parseint.c portset.c \
+ print.c \
+ quota.c radix.c random.c \
ratelimiter.c refcount.c region.c result.c rwlock.c \
serial.c sha1.c sha2.c sockaddr.c stats.c string.c strtoul.c \
symtab.c task.c taskpool.c timer.c version.c
+.PATH: ${.CURDIR}
+SRCS+= backtrace-emptytbl.c
+
CFLAGS+= -I${SRCDIR}/unix/include -I${SRCDIR}/pthreads/include
CFLAGS+= -I${SRCDIR}/include -I${.CURDIR}
CFLAGS+= -I${SRCDIR}/${ISC_ATOMIC_ARCH}/include
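Review bot: `entropy.c` is dropped from the `${SRCDIR}` SRCS list in this hunk with no replacement and no explanation, and libisc's entropy code is what the key-generation tools draw on. It is presumably still built from one of the SRCS groups above the hunk, but that cannot be confirmed from these lines. Once verified, I would add a comment above the list such as `# entropy.c is built from an earlier SRCS group; do not list it here again`.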
@@ -51,6 +59,7 @@ INCS= ${SRCDIR}/include/isc/app.h \
${SRCDIR}/include/isc/assertions.h \
${SRCDIR}/include/isc/base32.h \
${SRCDIR}/include/isc/base64.h \
+ ${SRCDIR}/include/isc/bind9.h \
${SRCDIR}/include/isc/bitstring.h \
${SRCDIR}/include/isc/boolean.h \
${SRCDIR}/include/isc/buffer.h \
@@ -84,6 +93,7 @@ INCS= ${SRCDIR}/include/isc/app.h \
${SRCDIR}/include/isc/msgcat.h \
${SRCDIR}/include/isc/msgs.h \
${SRCDIR}/include/isc/mutexblock.h \
+ ${SRCDIR}/include/isc/namespace.h \
${SRCDIR}/include/isc/netaddr.h \
${SRCDIR}/include/isc/netscope.h \
${SRCDIR}/include/isc/ondestroy.h \
diff --git a/lib/bind/isc/backtrace-emptytbl.c b/lib/bind/isc/backtrace-emptytbl.c
new file mode 100644
index 000000000000..9c50d95a8c70
--- /dev/null
+++ b/lib/bind/isc/backtrace-emptytbl.c
@@ -0,0 +1,36 @@
+/* $FreeBSD$ */
+
+/*
+ * Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: backtrace-emptytbl.c,v 1.3 2009-09-01 20:13:44 each Exp $ */
+
+/*! \file */
+
+/*
+ * This file defines an empty (default) symbol table used in backtrace.c
+ * If the application wants to have a complete symbol table, it should redefine
+ * isc__backtrace_symtable with the complete table in some way, and link the
+ * version of the library not including this definition
+ * (e.g. libisc-nosymbol.a).
+ */
+
+#include <config.h>
+
+#include <isc/backtrace.h>
+
+const int isc__backtrace_nsymbols = 0;
+const isc_backtrace_symmap_t isc__backtrace_symtable[] = { { NULL, "" } };
diff --git a/lib/bind/isc/isc/platform.h b/lib/bind/isc/isc/platform.h
index 8c699d5c69e1..61630f4be6cc 100644
--- a/lib/bind/isc/isc/platform.h
+++ b/lib/bind/isc/isc/platform.h
@@ -1,7 +1,7 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -17,7 +17,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: platform.h.in,v 1.48.84.4 2010-06-03 23:47:49 tbox Exp $ */
+/* $Id: platform.h.in,v 1.56 2010/12/18 01:56:23 each Exp $ */
#ifndef ISC_PLATFORM_H
#define ISC_PLATFORM_H 1
@@ -148,6 +148,11 @@
*/
#undef ISC_PLATFORM_HAVEDEVPOLL
+/*! \brief
+ * Define if we want to log backtrace
+ */
+#define ISC_PLATFORM_USEBACKTRACE 1
+
/*
*** Printing.
***/
@@ -214,13 +219,19 @@
* Defined to <gssapi.h> or <gssapi/gssapi.h> for how to include
* the GSSAPI header.
*/
+#define ISC_PLATFORM_GSSAPIHEADER <gssapi/gssapi.h>
+/*
+ * Defined to <gssapi_krb5.h> or <gssapi/gssapi_krb5.h> for how to
+ * include the GSSAPI KRB5 header.
+ */
+#define ISC_PLATFORM_GSSAPI_KRB5_HEADER <gssapi/gssapi_krb5.h>
/*
* Defined to <krb5.h> or <krb5/krb5.h> for how to include
* the KRB5 header.
*/
-
+#define ISC_PLATFORM_KRB5HEADER <krb5.h>
/*
* Type used for resource limits.
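Review bot: The three header macros added here (`ISC_PLATFORM_GSSAPIHEADER`, `ISC_PLATFORM_GSSAPI_KRB5_HEADER`, `ISC_PLATFORM_KRB5HEADER`) are defined unconditionally, so any include that expands them on a system built without Kerberos will fail to compile. The include sites are outside this hunk. If they are all behind a GSSAPI guard, say so here, for example `/* Expanded only when GSSAPI is defined. */` above the first define.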
@@ -328,6 +339,11 @@
#define ISC_PLATFORM_HAVESTRINGSH 1
/*
+ * Define if the hash functions must be provided by OpenSSL.
+ */
+#undef ISC_PLATFORM_OPENSSLHASH
+
+/*
* Defines for the noreturn attribute.
*/
#define ISC_PLATFORM_NORETURN_PRE
diff --git a/lib/bind/lwres/lwres/netdb.h b/lib/bind/lwres/lwres/netdb.h
index de835a5c94c5..55dc7a15c14a 100644
--- a/lib/bind/lwres/lwres/netdb.h
+++ b/lib/bind/lwres/lwres/netdb.h
@@ -1,7 +1,7 @@
/* $FreeBSD$ */
/*
- * Copyright (C) 2004, 2005, 2007, 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -17,7 +17,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
+/* $Id: netdb.h.in,v 1.41 2009/01/18 23:48:14 tbox Exp $ */
/*! \file */
diff --git a/share/doc/bind9/Makefile b/share/doc/bind9/Makefile
index 84031de4076f..3aca4e5515a0 100644
--- a/share/doc/bind9/Makefile
+++ b/share/doc/bind9/Makefile
@@ -8,17 +8,20 @@ SRCDIR= ${BIND_DIR}/doc
NO_OBJ=
FILESGROUPS= TOP ARM MISC
-TOP= CHANGES COPYRIGHT FAQ KNOWN-DEFECTS NSEC3-NOTES README \
- README.idnkit README.pkcs11
+TOP= CHANGES COPYRIGHT FAQ HISTORY README
TOPDIR= ${DOCDIR}/bind9
ARM= Bv9ARM.ch01.html Bv9ARM.ch02.html Bv9ARM.ch03.html \
Bv9ARM.ch04.html Bv9ARM.ch05.html Bv9ARM.ch06.html \
Bv9ARM.ch07.html Bv9ARM.ch08.html Bv9ARM.ch09.html \
- Bv9ARM.ch10.html Bv9ARM.html Bv9ARM.pdf man.dig.html \
+ Bv9ARM.ch10.html Bv9ARM.html Bv9ARM.pdf \
+ man.arpaname.html man.ddns-confgen.html man.dig.html \
man.dnssec-dsfromkey.html man.dnssec-keyfromlabel.html \
- man.dnssec-keygen.html man.dnssec-signzone.html man.host.html \
+ man.dnssec-keygen.html man.dnssec-revoke.html \
+ man.dnssec-settime.html man.dnssec-signzone.html \
+ man.genrandom.html man.host.html man.isc-hmac-fixup.html \
man.named-checkconf.html man.named-checkzone.html \
- man.named.html man.nsupdate.html \
+ man.named-journalprint.html man.named.html \
+ man.nsec3hash.html man.nsupdate.html \
man.rndc-confgen.html man.rndc.conf.html man.rndc.html
ARMDIR= ${TOPDIR}/arm
MISC= dnssec format-options.pl ipv6 migration migration-4to9 \
diff --git a/usr.bin/nsupdate/Makefile b/usr.bin/nsupdate/Makefile
index 0b81c5eb6643..cad02a3c558e 100644
--- a/usr.bin/nsupdate/Makefile
+++ b/usr.bin/nsupdate/Makefile
@@ -14,6 +14,7 @@ SRCS+= nsupdate.c
CFLAGS+= -I${SRCDIR}/include
CFLAGS+= -I${BIND_DIR}/lib/isc/${ISC_ATOMIC_ARCH}/include
+CFLAGS+= -DSESSION_KEYFILE=\"/var/run/named/session.key\"
DPADD+= ${BIND_DPADD} ${CRYPTO_DPADD} ${PTHREAD_DPADD}
LDADD+= ${BIND_LDADD} ${CRYPTO_LDADD} ${PTHREAD_LDADD}
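Review bot: The `SESSION_KEYFILE` path on the added `CFLAGS` line is a second, hand-written copy of the location where named writes its session key; named's own default is set outside this hunk. If the two ever differ, `nsupdate -l` looks for a key that is not there. Because that key authorises dynamic updates, the directory holding it should stay writable only by the account named runs as. I would define the path once in the shared `config.mk` and reference it here, or at least add `# Must match named's session-keyfile default` above the line.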
diff --git a/usr.sbin/Makefile b/usr.sbin/Makefile
index 49074f229965..0a88bf14d8c3 100644
--- a/usr.sbin/Makefile
+++ b/usr.sbin/Makefile
@@ -43,10 +43,6 @@ SUBDIR= ${_ac} \
devinfo \
digictl \
diskinfo \
- ${_dnssec-dsfromkey} \
- ${_dnssec-keyfromlabel} \
- ${_dnssec-keygen} \
- ${_dnssec-signzone} \
dumpcis \
${_editmap} \
${_edquota} \
@@ -107,10 +103,6 @@ SUBDIR= ${_ac} \
mptutil \
mtest \
mtree \
- ${_named} \
- ${_named-checkconf} \
- ${_named-checkzone} \
- ${_named.reload} \
${_ndiscvt} \
${_ndp} \
newsyslog \
@@ -149,8 +141,6 @@ SUBDIR= ${_ac} \
${_repquota} \
${_rip6query} \
rmt \
- ${_rndc} \
- ${_rndc-confgen} \
${_route6d} \
rpcbind \
rpc.lockd \
@@ -236,18 +226,26 @@ _authpf= authpf
.endif
.if ${MK_BIND_DNSSEC} != "no" && ${MK_OPENSSL} != "no"
-_dnssec-dsfromkey= dnssec-dsfromkey
-_dnssec-keyfromlabel= dnssec-keyfromlabel
-_dnssec-keygen= dnssec-keygen
-_dnssec-signzone= dnssec-signzone
+SUBDIR+= dnssec-dsfromkey
+SUBDIR+= dnssec-keyfromlabel
+SUBDIR+= dnssec-keygen
+SUBDIR+= dnssec-revoke
+SUBDIR+= dnssec-settime
+SUBDIR+= dnssec-signzone
.endif
.if ${MK_BIND_NAMED} != "no"
-_named= named
-_named-checkconf= named-checkconf
-_named-checkzone= named-checkzone
-_named.reload= named.reload
-_rndc= rndc
-_rndc-confgen= rndc-confgen
+SUBDIR+= arpaname
+SUBDIR+= ddns-confgen
+SUBDIR+= genrandom
+SUBDIR+= isc-hmac-fixup
+SUBDIR+= named
+SUBDIR+= named-checkconf
+SUBDIR+= named-checkzone
+SUBDIR+= named-journalprint
+SUBDIR+= named.reload
+SUBDIR+= nsec3hash
+SUBDIR+= rndc
+SUBDIR+= rndc-confgen
.endif
.if ${MK_BLUETOOTH} != "no"
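Review bot: The BIND entries in this hunk switch to `SUBDIR+=` inside the `.if` blocks, while the rest of the file keeps the `_name= name` plus `${_name}` placeholder idiom (`_authpf= authpf` is visible just above). The file now mixes two conventions, and the BIND tools are appended after the main list instead of sitting in their sorted position. If the aim is to avoid editing the list for every new tool, say so in a comment, e.g. `# BIND tools are appended here rather than listed in SUBDIR above`. Otherwise keep the existing pattern, e.g. `_dnssec-revoke= dnssec-revoke` with `${_dnssec-revoke}` in the list.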
diff --git a/usr.sbin/arpaname/Makefile b/usr.sbin/arpaname/Makefile
new file mode 100644
index 000000000000..145d18a1f047
--- /dev/null
+++ b/usr.sbin/arpaname/Makefile
@@ -0,0 +1,24 @@
+# $FreeBSD$
+
+BIND_DIR= ${.CURDIR}/../../contrib/bind9
+LIB_BIND_REL= ../../lib/bind
+LIB_BIND_DIR= ${.CURDIR}/${LIB_BIND_REL}
+SRCDIR= ${BIND_DIR}/bin/tools
+
+.include "${LIB_BIND_DIR}/config.mk"
+
+PROG= arpaname
+
+.PATH: ${SRCDIR}
+SRCS+= arpaname.c
+
+CFLAGS+= -I${SRCDIR}/unix/include -I${SRCDIR}/include
+
+DPADD+= ${BIND_DPADD} ${CRYPTO_DPADD} ${PTHREAD_DPADD}
+LDADD+= ${BIND_LDADD} ${CRYPTO_LDADD} ${PTHREAD_LDADD}
+
+WARNS?= 3
+
+MAN= arpaname.1
+
+.include <bsd.prog.mk>
diff --git a/usr.sbin/ddns-confgen/Makefile b/usr.sbin/ddns-confgen/Makefile
new file mode 100644
index 000000000000..a33bea33ea75
--- /dev/null
+++ b/usr.sbin/ddns-confgen/Makefile
@@ -0,0 +1,31 @@
+# $FreeBSD$
+
+BIND_DIR= ${.CURDIR}/../../contrib/bind9
+LIB_BIND_REL= ../../lib/bind
+LIB_BIND_DIR= ${.CURDIR}/${LIB_BIND_REL}
+SRCDIR= ${BIND_DIR}/bin/confgen
+
+.include "${LIB_BIND_DIR}/config.mk"
+
+PROG= ddns-confgen
+
+.PATH: ${SRCDIR}/unix
+SRCS+= os.c
+
+.PATH: ${SRCDIR}
+SRCS+= ddns-confgen.c keygen.c util.c
+
+CFLAGS+= -I${SRCDIR}/unix/include -I${SRCDIR}/include -I${LIB_BIND_DIR}
+
+WARNS?= 3
+
+DPADD+= ${BIND_DPADD} ${CRYPTO_DPADD} ${PTHREAD_DPADD}
+LDADD+= ${BIND_LDADD} ${CRYPTO_LDADD} ${PTHREAD_LDADD}
+
+MAN= ddns-confgen.8
+
+MANFILTER= sed -e 's@fI/etc\\fR.*@fI/etc/namedb\\fR@' \
+ -e '/^sysconfdir$$/d' \
+ -e '/was specified as when BIND was built)/d'
+
+.include <bsd.prog.mk>
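Review bot: The `MANFILTER` near the end of this new Makefile has no comment, and its three sed expressions are hard to follow without the upstream man page at hand. From the patterns, it rewrites the `/etc` default to `/etc/namedb` and deletes the sysconfdir wording; the trailing `.*` in the first expression also discards whatever follows the match on that line. I would add `# Replace the configure-time sysconfdir text with FreeBSD's /etc/namedb` above it.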
diff --git a/usr.sbin/dnssec-revoke/Makefile b/usr.sbin/dnssec-revoke/Makefile
new file mode 100644
index 000000000000..7889d968ca04
--- /dev/null
+++ b/usr.sbin/dnssec-revoke/Makefile
@@ -0,0 +1,24 @@
+# $FreeBSD$
+
+BIND_DIR= ${.CURDIR}/../../contrib/bind9
+LIB_BIND_REL= ../../lib/bind
+LIB_BIND_DIR= ${.CURDIR}/${LIB_BIND_REL}
+SRCDIR= ${BIND_DIR}/bin/dnssec
+
+.include "${LIB_BIND_DIR}/config.mk"
+
+PROG= dnssec-revoke
+
+.PATH: ${SRCDIR}
+SRCS+= dnssec-revoke.c dnssectool.c
+
+CFLAGS+= -I${SRCDIR}/unix/include -I${SRCDIR}/include
+
+DPADD+= ${BIND_DPADD} ${CRYPTO_DPADD} ${PTHREAD_DPADD}
+LDADD+= ${BIND_LDADD} ${CRYPTO_LDADD} ${PTHREAD_LDADD}
+
+WARNS?= 3
+
+MAN= dnssec-revoke.8
+
+.include <bsd.prog.mk>
diff --git a/usr.sbin/dnssec-settime/Makefile b/usr.sbin/dnssec-settime/Makefile
new file mode 100644
index 000000000000..4ab7fb591bca
--- /dev/null
+++ b/usr.sbin/dnssec-settime/Makefile
@@ -0,0 +1,24 @@
+# $FreeBSD$
+
+BIND_DIR= ${.CURDIR}/../../contrib/bind9
+LIB_BIND_REL= ../../lib/bind
+LIB_BIND_DIR= ${.CURDIR}/${LIB_BIND_REL}
+SRCDIR= ${BIND_DIR}/bin/dnssec
+
+.include "${LIB_BIND_DIR}/config.mk"
+
+PROG= dnssec-settime
+
+.PATH: ${SRCDIR}
+SRCS+= dnssec-settime.c dnssectool.c
+
+CFLAGS+= -I${SRCDIR}/unix/include -I${SRCDIR}/include
+
+DPADD+= ${BIND_DPADD} ${CRYPTO_DPADD} ${PTHREAD_DPADD}
+LDADD+= ${BIND_LDADD} ${CRYPTO_LDADD} ${PTHREAD_LDADD}
+
+WARNS?= 3
+
+MAN= dnssec-settime.8
+
+.include <bsd.prog.mk>
diff --git a/usr.sbin/dnssec-signzone/Makefile b/usr.sbin/dnssec-signzone/Makefile
index 7c4ca65a78cc..7f56b8d382fc 100644
--- a/usr.sbin/dnssec-signzone/Makefile
+++ b/usr.sbin/dnssec-signzone/Makefile
@@ -17,6 +17,8 @@ CFLAGS+= -I${SRCDIR}/unix/include -I${SRCDIR}/include
DPADD+= ${BIND_DPADD} ${CRYPTO_DPADD} ${PTHREAD_DPADD}
LDADD+= ${BIND_LDADD} ${CRYPTO_LDADD} ${PTHREAD_LDADD}
+WARNS?= 2
+
MAN= dnssec-signzone.8
.include <bsd.prog.mk>
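Review bot: `WARNS?= 2` is added here with no reason given, while most of the new BIND tool Makefiles in this commit use `WARNS?= 3`; the new nsec3hash Makefile also sets 2. For tools that handle zone data and signing keys, the higher level is worth keeping wherever the code builds cleanly. If level 3 does fail, add a one-line comment naming the warning responsible, so the setting can be raised again once the code is fixed.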
diff --git a/usr.sbin/genrandom/Makefile b/usr.sbin/genrandom/Makefile
new file mode 100644
index 000000000000..975d84bb8b95
--- /dev/null
+++ b/usr.sbin/genrandom/Makefile
@@ -0,0 +1,24 @@
+# $FreeBSD$
+
+BIND_DIR= ${.CURDIR}/../../contrib/bind9
+LIB_BIND_REL= ../../lib/bind
+LIB_BIND_DIR= ${.CURDIR}/${LIB_BIND_REL}
+SRCDIR= ${BIND_DIR}/bin/tools
+
+.include "${LIB_BIND_DIR}/config.mk"
+
+PROG= genrandom
+
+.PATH: ${SRCDIR}
+SRCS+= genrandom.c
+
+CFLAGS+= -I${SRCDIR}/unix/include -I${SRCDIR}/include
+
+DPADD+= ${BIND_DPADD} ${CRYPTO_DPADD} ${PTHREAD_DPADD}
+LDADD+= ${BIND_LDADD} ${CRYPTO_LDADD} ${PTHREAD_LDADD}
+
+WARNS?= 3
+
+MAN= genrandom.8
+
+.include <bsd.prog.mk>
diff --git a/usr.sbin/isc-hmac-fixup/Makefile b/usr.sbin/isc-hmac-fixup/Makefile
new file mode 100644
index 000000000000..1313855ebf02
--- /dev/null
+++ b/usr.sbin/isc-hmac-fixup/Makefile
@@ -0,0 +1,24 @@
+# $FreeBSD$
+
+BIND_DIR= ${.CURDIR}/../../contrib/bind9
+LIB_BIND_REL= ../../lib/bind
+LIB_BIND_DIR= ${.CURDIR}/${LIB_BIND_REL}
+SRCDIR= ${BIND_DIR}/bin/tools
+
+.include "${LIB_BIND_DIR}/config.mk"
+
+PROG= isc-hmac-fixup
+
+.PATH: ${SRCDIR}
+SRCS+= isc-hmac-fixup.c
+
+CFLAGS+= -I${SRCDIR}/unix/include -I${SRCDIR}/include
+
+DPADD+= ${BIND_DPADD} ${CRYPTO_DPADD} ${PTHREAD_DPADD}
+LDADD+= ${BIND_LDADD} ${CRYPTO_LDADD} ${PTHREAD_LDADD}
+
+WARNS?= 3
+
+MAN= isc-hmac-fixup.8
+
+.include <bsd.prog.mk>
diff --git a/usr.sbin/named-checkconf/Makefile b/usr.sbin/named-checkconf/Makefile
index 8728b4ad15e9..cb55c6452e50 100644
--- a/usr.sbin/named-checkconf/Makefile
+++ b/usr.sbin/named-checkconf/Makefile
@@ -13,6 +13,7 @@ PROG= named-checkconf
SRCS+= named-checkconf.c check-tool.c
CFLAGS+= -I${LIB_BIND_DIR}
+CFLAGS+= -I${BIND_DIR}/lib/isc/${ISC_ATOMIC_ARCH}/include
DPADD+= ${BIND_DPADD} ${CRYPTO_DPADD} ${PTHREAD_DPADD}
LDADD+= ${BIND_LDADD} ${CRYPTO_LDADD} ${PTHREAD_LDADD}
diff --git a/usr.sbin/named-journalprint/Makefile b/usr.sbin/named-journalprint/Makefile
new file mode 100644
index 000000000000..cdf40164c093
--- /dev/null
+++ b/usr.sbin/named-journalprint/Makefile
@@ -0,0 +1,24 @@
+# $FreeBSD$
+
+BIND_DIR= ${.CURDIR}/../../contrib/bind9
+LIB_BIND_REL= ../../lib/bind
+LIB_BIND_DIR= ${.CURDIR}/${LIB_BIND_REL}
+SRCDIR= ${BIND_DIR}/bin/tools
+
+.include "${LIB_BIND_DIR}/config.mk"
+
+PROG= named-journalprint
+
+.PATH: ${SRCDIR}
+SRCS+= named-journalprint.c
+
+CFLAGS+= -I${SRCDIR}/unix/include -I${SRCDIR}/include
+
+DPADD+= ${BIND_DPADD} ${CRYPTO_DPADD} ${PTHREAD_DPADD}
+LDADD+= ${BIND_LDADD} ${CRYPTO_LDADD} ${PTHREAD_LDADD}
+
+WARNS?= 3
+
+MAN= named-journalprint.8
+
+.include <bsd.prog.mk>
diff --git a/usr.sbin/named/Makefile b/usr.sbin/named/Makefile
index 619a6e16ac19..fefa7f8cdab1 100644
--- a/usr.sbin/named/Makefile
+++ b/usr.sbin/named/Makefile
@@ -30,18 +30,17 @@ CONFIGARGS+='--without-libxml2'
.endif
.PATH: ${SRCDIR}/unix
-SRCS+= os.c
+SRCS+= os.c dlz_dlopen_driver.c
.PATH: ${SRCDIR}
SRCS+= builtin.c client.c config.c control.c \
controlconf.c interfacemgr.c \
listenlist.c log.c logconf.c main.c notify.c \
- query.c server.c sortlist.c \
+ query.c server.c sortlist.c statschannel.c \
tkeyconf.c tsigconf.c update.c xfrout.c \
zoneconf.c \
lwaddr.c lwresd.c lwdclient.c lwderror.c lwdgabn.c \
- lwdgnba.c lwdgrbn.c lwdnoop.c lwsearch.c \
- statschannel.c
+ lwdgnba.c lwdgrbn.c lwdnoop.c lwsearch.c
CFLAGS+= -DCONFIGARGS="\"${CONFIGARGS}\""
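Review bot: `dlz_dlopen_driver.c` is added to SRCS unconditionally on the `os.c` line. Going by its name, it is the DLZ driver that loads a shared object into named at run time, so anyone who can edit named.conf may gain the ability to run code inside the server. Whether the driver is active presumably depends on a preprocessor define that this hunk does not set. After confirming that against the source, I would add a comment such as `# dlz_dlopen_driver.c compiles to stubs unless ISC_DLZ_DLOPEN is defined`.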
diff --git a/usr.sbin/nsec3hash/Makefile b/usr.sbin/nsec3hash/Makefile
new file mode 100644
index 000000000000..6dbea096ca4f
--- /dev/null
+++ b/usr.sbin/nsec3hash/Makefile
@@ -0,0 +1,24 @@
+# $FreeBSD$
+
+BIND_DIR= ${.CURDIR}/../../contrib/bind9
+LIB_BIND_REL= ../../lib/bind
+LIB_BIND_DIR= ${.CURDIR}/${LIB_BIND_REL}
+SRCDIR= ${BIND_DIR}/bin/tools
+
+.include "${LIB_BIND_DIR}/config.mk"
+
+PROG= nsec3hash
+
+.PATH: ${SRCDIR}
+SRCS+= nsec3hash.c
+
+CFLAGS+= -I${SRCDIR}/unix/include -I${SRCDIR}/include
+
+DPADD+= ${BIND_DPADD} ${CRYPTO_DPADD} ${PTHREAD_DPADD}
+LDADD+= ${BIND_LDADD} ${CRYPTO_LDADD} ${PTHREAD_LDADD}
+
+WARNS?= 2
+
+MAN= nsec3hash.8
+
+.include <bsd.prog.mk>
diff --git a/usr.sbin/rndc-confgen/Makefile b/usr.sbin/rndc-confgen/Makefile
index b8a52dd4d57a..ef43490b48f8 100644
--- a/usr.sbin/rndc-confgen/Makefile
+++ b/usr.sbin/rndc-confgen/Makefile
@@ -3,7 +3,7 @@
BIND_DIR= ${.CURDIR}/../../contrib/bind9
LIB_BIND_REL= ../../lib/bind
LIB_BIND_DIR= ${.CURDIR}/${LIB_BIND_REL}
-SRCDIR= ${BIND_DIR}/bin/rndc
+SRCDIR= ${BIND_DIR}/bin/confgen
.include "${LIB_BIND_DIR}/config.mk"
@@ -13,7 +13,7 @@ PROG= rndc-confgen
SRCS+= os.c
.PATH: ${SRCDIR}
-SRCS+= rndc-confgen.c util.c
+SRCS+= rndc-confgen.c keygen.c util.c
CFLAGS+= -I${SRCDIR}/unix/include -I${SRCDIR}/include -I${LIB_BIND_DIR}
diff --git a/usr.sbin/rndc/Makefile b/usr.sbin/rndc/Makefile
index 2ca76976e5a9..f958a9fd56bb 100644
--- a/usr.sbin/rndc/Makefile
+++ b/usr.sbin/rndc/Makefile
@@ -9,13 +9,11 @@ SRCDIR= ${BIND_DIR}/bin/rndc
PROG= rndc
-.PATH: ${SRCDIR}/unix
-SRCS+= os.c
-
.PATH: ${SRCDIR}
SRCS+= rndc.c util.c
-CFLAGS+= -I${SRCDIR}/unix/include -I${SRCDIR}/include -I${LIB_BIND_DIR}
+CFLAGS+= -I${SRCDIR}/include -I${LIB_BIND_DIR}
+CFLAGS+= -I${BIND_DIR}/lib/isc/${ISC_ATOMIC_ARCH}/include
DPADD+= ${BIND_DPADD} ${CRYPTO_DPADD} ${PTHREAD_DPADD}
LDADD+= ${BIND_LDADD} ${CRYPTO_LDADD} ${PTHREAD_LDADD}