• DNS error, from a newbee to the real experts..

    From Weeltin@weeltinl@gmail.com to bind-users on Fri Jul 17 21:18:33 2020
    From Newsgroup: comp.protocols.dns.bind

    --0000000000008d9b0b05aaa8063e
    Content-Type: text/plain; charset="UTF-8"
    Content-Transfer-Encoding: quoted-printable

    Hello all,

    I=E2=80=99m trying to implement a DNS structure, containing a recursive and authoritative server, but in doing so, I have run into a small problem. I
    can make DNS queries from a client toward the net, but when I try to do the same toward my internal domain, I get no result. I have spent days trying
    to figure out what is going on, but to no avail, I there for hope that
    someone on this list can point me in the right direction or right out tell
    what is wrong.

    /Weeltin.

    -----DIG troubleshoots

    [weeltin@c1 ~]$ cat /etc/resolv.conf
    # Generated by NetworkManager
    nameserver 192.168.14.10

    [weeltin@c1 ~]$ dig google.com
    ; <<>> DiG 9.11.11-RedHat-9.11.11-1.fc31 <<>> google.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48932
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ; COOKIE: c1bc4a11c40bd755905c8c705f11f5ffe699cc0116ed8ba5 (good)
    ;; QUESTION SECTION:
    ;google.com. IN A

    ;; ANSWER SECTION:
    google.com. 300 IN A 216.58.211.142

    ;; Query time: 179 msec
    ;; SERVER: 192.168.14.10#53(192.168.14.10)
    ;; WHEN: Fri Jul 17 15:03:27 EDT 2020
    ;; MSG SIZE rcvd: 83

    [weeltin@c1 ~]$ dig c1.example.home
    ; <<>> DiG 9.11.11-RedHat-9.11.11-1.fc31 <<>> c1.example.home
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 62602
    ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ; COOKIE: cf8876e3b35138f47040188e5f11f64a91445aa4f8310f5a (good)
    ;; QUESTION SECTION:
    ;c1.example.home. IN A

    ;; AUTHORITY SECTION:
    . 10800 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2020071701 1800
    900 604800 86400

    ;; Query time: 263 msec
    ;; SERVER: 192.168.14.10#53(192.168.14.10)
    ;; WHEN: Fri Jul 17 15:04:42 EDT 2020
    ;; MSG SIZE rcvd: 147


    [weeltin@c1 ~]$ dig @192.168.14.20 c1.example.home

    ; <<>> DiG 9.11.11-RedHat-9.11.11-1.fc31 <<>> @192.168.14.20 c1.example.hom=
    e
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20704
    ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
    ;; WARNING: recursion requested but not available

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ; COOKIE: 747289c94876cf349034aec35f11f794a29c6747bb6a694f (good)
    ;; QUESTION SECTION:
    ;c1.example.home. IN A

    ;; ANSWER SECTION:
    c1.example.home. 604800 IN A 192.168.14.1

    ;; Query time: 0 msec
    ;; SERVER: 192.168.14.20#53(192.168.14.20)
    ;; WHEN: Fri Jul 17 15:10:12 EDT 2020
    ;; MSG SIZE rcvd: 88



    ----- informations and configurations ----

    OS: Alpine 3.12

    Bind: bind 9.14.12



    Ns1: 192.168.14.10 (recursive)

    Ns2: 192.168.14.20 (authoritative)

    C1: 192.168.14.1 (client)



    --- recursive config (NS1)
    // recursive named.conf

    //

    acl trusted {

    192.168.14.0/24;

    localhost;

    };

    acl rfc1918 {

    10.0.0.0/8;

    172.16.0.0/12;

    !192.168.14.0/24;

    192.168.0.0/16;

    };

    acl rfc5735 {

    0.0.0.0/8;

    169.254.0.0/16;

    192.0.0.0/24;

    192.0.2.0/24;

    192.88.99.0/24;

    198.18.0.0/15;

    198.51.100.0/24;

    203.0.113.0/24;

    224.0.0.0/4;

    };

    options {

    directory "/var/bind";
    listen-on {

    127.0.0.1;

    192.168.14.10;

    };

    listen-on-v6 {

    none;

    };

    allow-query {

    trusted;

    };

    //query-source address * port 53;

    allow-query-cache {

    trusted;

    };

    blackhole {

    rfc1918;

    rfc5735;

    };

    allow-transfer {

    none;

    };

    pid-file "/var/run/named/named.pid";

    // Changing this is NOT RECOMMENDED; see the notes above and in

    // named.conf.recursive.

    allow-recursion {

    trusted;

    };

    recursion yes;

    };

    zone "." IN {

    type hint;

    file "root.cache";

    };

    zone "localhost" IN {

    type master;

    file "pri/localhost.zone";

    allow-update { none; };

    notify no;

    };

    zone "127.in-addr.arpa" IN {

    type master;

    file "pri/127.zone";

    allow-update { none; };

    notify no;

    };

    zone "example.home" {

    type forward;

    forwarders { 192.168.14.20; };

    };


    --- authoritative config (NS2)
    // authoritative named.conf
    //
    acl trusted {
    192.168.14.0/24;
    localhost;
    };

    acl rfc1918 {
    10.0.0.0/8;
    172.16.0.0/12;
    !192.168.14.0/24;
    192.168.0.0/16;
    };

    acl rfc5735 {
    0.0.0.0/8;
    169.254.0.0/16;
    192.0.0.0/24;
    192.0.2.0/24;
    192.88.99.0/24;
    198.18.0.0/15;
    198.51.100.0/24;
    203.0.113.0/24;
    224.0.0.0/4;
    };

    options {
    directory "/var/bind";

    // Configure the IPs to listen on here.
    listen-on {
    127.0.0.1;
    192.168.14.20;
    };
    listen-on-v6 {
    none;
    };

    allow-query {
    trusted;
    };

    //query-source address * port 53;

    allow-query-cache {
    trusted;
    };

    blackhole {
    rfc5735;
    rfc1918;
    };

    allow-transfer {
    none;
    };

    // Cryptographic authentication of DNS information
    // ENABLE LATER
    //dnssec-enable yes;
    //dnssec-validation yes;

    pid-file "/var/run/named/named.pid";

    // Changing this is NOT RECOMMENDED for a authoritative nameserver
    allow-recursion { none; };
    recursion no;
    };

    zone "example.home" {
    type master;
    file "/etc/bind/db.example.home.zone";
    };

    zone "14.168.192.in-addr.arpa" {
    type master;
    file "/etc/bind/db.14.168.192.zone";
    };


    ; ZONE file for example.home.
    ;
    $TTL 604800
    @ IN SOA ns2.example.home. hostmaster.example.home. (
    2 ; Serial
    604800 ; Refresh 1week
    86400 ; Retry
    2419200 ; Expire 28days
    604800 ; Negative Cache TTL
    )
    ;; name servers (NS)
    ;; only authoritative servers
    @ IN NS ns2.example.home.
    ns2 IN A 192.168.14.20
    ;; hosts (A)
    ns1 IN A 192.168.14.10
    c1 IN A 192.168.14.1

    ;; alias (CNAME)
    client IN CNAME c1


    ; ZONE file for 14.168.192.in-addr.arpa.
    ;
    $TTL 604800
    @ IN SOA ns2.example.home. hostmaster.example.home. (
    1 ; Serial
    604800 ; Refresh 1week
    86400 ; Retry
    2419200 ; Expire 28days
    604800 ; Negative Cache TTL
    )
    ;; name servers (NS)
    ;; only authoritative servers
    @ IN NS ns2.example.home.
    20 IN PTR ns2.example.home.
    ;; pointer records (PTR)
    1 IN PTR c1.example.home.
    10 IN PTR ns1.example.home.

    --0000000000008d9b0b05aaa8063e
    Content-Type: text/html; charset="UTF-8"
    Content-Transfer-Encoding: quoted-printable

    <div dir=3D"ltr">
    <span class=3D"gmail-hb"><span dir=3D"ltr" name=3D"bind-users@lists.isc.org=
    " class=3D"gmail-g2">
    </span></span><p class=3D"MsoNormal" style=3D"margin:0cm 0cm 8pt;line-heigh= t:107%;font-size:11pt;font-family:&quot;Calibri&quot;,sans-serif">Hello all= ,<span></span></p>

    <p class=3D"MsoNormal" style=3D"margin:0cm 0cm 8pt;line-height:107%;font-si= ze:11pt;font-family:&quot;Calibri&quot;,sans-serif"><span lang=3D"EN-US">I= =E2=80=99m trying
    to implement a DNS structure, containing a recursive and authoritative serv= er,
    but in doing so, I have run into a small problem. I can make DNS queries fr=
    om a
    client toward the net, but when I try to do the same toward my internal
    domain, I get no result. I have spent days trying to figure out what is goi=
    ng on,
    but to no avail, I there for hope that someone on this list can point me in=
    the
    right direction or right out tell what is wrong. <span></span></span></p>

    <p class=3D"MsoNormal" style=3D"margin:0cm 0cm 8pt;line-height:107%;font-si= ze:11pt;font-family:&quot;Calibri&quot;,sans-serif"><span lang=3D"EN-US"><s= pan>/Weeltin.<br></span></span></p><p class=3D"MsoNormal" style=3D"margin:0=
    cm 0cm 8pt;line-height:107%;font-size:11pt;font-family:&quot;Calibri&quot;,= sans-serif"><span lang=3D"EN-US"><span>=C2=A0
    -----DIG troubleshoots</span></span></p><p class=3D"MsoNormal" style=3D"mar= gin:0cm 0cm 8pt;line-height:107%;font-size:11pt;font-family:&quot;Calibri&q= uot;,sans-serif"><span lang=3D"EN-US"><span>[weeltin@c1 ~]$ cat /etc/resolv= .conf <br># Generated by NetworkManager<br>nameserver 192.168.14.10<br> </span></span></p><p class=3D"MsoNormal" style=3D"margin:0cm 0cm 8pt;line-h= eight:107%;font-size:11pt;font-family:&quot;Calibri&quot;,sans-serif"><span=
    lang=3D"EN-US"><span>[weeltin@c1=C2=A0 ~]$ dig <a href=3D"http://google.co=
    m" target=3D"_blank">google.com</a><br>; &lt;&lt;&gt;&gt; DiG 9.11.11-RedHa= t-9.11.11-1.fc31 &lt;&lt;&gt;&gt; <a href=3D"http://google.com" target=3D"_= blank">google.com</a><br>;; global options: +cmd<br>;; Got answer:<br>;; -&= gt;&gt;HEADER&lt;&lt;- opcode: QUERY, status: NOERROR, id: 48932<br>;; flag=
    s: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1<br><br>;; OPT=
    PSEUDOSECTION:<br>; EDNS: version: 0, flags:; udp: 4096<br>; COOKIE: c1bc4= a11c40bd755905c8c705f11f5ffe699cc0116ed8ba5 (good)<br>;; QUESTION SECTION:<= br>;<a href=3D"http://google.com" target=3D"_blank">google.com</a>. IN A<=
    <br>;; ANSWER SECTION:<br><a href=3D"http://google.com" target=3D"_blank= ">google.com</a>. 300 IN A 216.58.211.142<br><br>;; Query time: 179 msec<b=
    ;; SERVER: 192.168.14.10#53(192.168.14.10)<br>;; WHEN: Fri Jul 17 15:03:2=
    7 EDT 2020<br>;; MSG SIZE =C2=A0rcvd: 83<br></span></span></p><p class=3D"M= soNormal" style=3D"margin:0cm 0cm 8pt;line-height:107%;font-size:11pt;font-= family:&quot;Calibri&quot;,sans-serif"><span lang=3D"EN-US"><span></span></= span></p><p class=3D"MsoNormal" style=3D"margin:0cm 0cm 8pt;line-height:107= %;font-size:11pt;font-family:&quot;Calibri&quot;,sans-serif"><span lang=3D"= EN-US"><span>
    [weeltin@c1 ~]$ dig c1.example.home<br>; &lt;&lt;&gt;&gt; DiG 9.11.11-RedHa= t-9.11.11-1.fc31 &lt;&lt;&gt;&gt; c1.example.home<br>;; global options: +cm= d<br>;; Got answer:<br>;; -&gt;&gt;HEADER&lt;&lt;- opcode: QUERY, status: N= XDOMAIN, id: 62602<br>;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY=
    : 1, ADDITIONAL: 1<br><br>;; OPT PSEUDOSECTION:<br>; EDNS: version: 0, flag= s:; udp: 4096<br>; COOKIE: cf8876e3b35138f47040188e5f11f64a91445aa4f8310f5a=
    (good)<br>;; QUESTION SECTION:<br>;c1.example.home. IN A<br><br>;; AUTHOR=
    ITY SECTION:<br>. 10800 IN SOA <a href=3D"http://a.root-servers.net" targ=
    et=3D"_blank">a.root-servers.net</a>. <a href=3D"http://nstld.verisign-grs.= com" target=3D"_blank">nstld.verisign-grs.com</a>. 2020071701 1800 900 6048=
    00 86400<br><br>;; Query time: 263 msec<br>;; SERVER: 192.168.14.10#53(192.= 168.14.10)<br>;; WHEN: Fri Jul 17 15:04:42 EDT 2020<br>;; MSG SIZE =C2=A0rc= vd: 147</span></span></p><p class=3D"MsoNormal" style=3D"margin:0cm 0cm 8pt= ;line-height:107%;font-size:11pt;font-family:&quot;Calibri&quot;,sans-serif= "><span lang=3D"EN-US"><span><br></span></span></p><p class=3D"MsoNormal" s= tyle=3D"margin:0cm 0cm 8pt;line-height:107%;font-size:11pt;font-family:&quo= t;Calibri&quot;,sans-serif"><span lang=3D"EN-US"><span>
    [weeltin@c1 ~]$ dig @<a href=3D"http://192.168.14.20" target=3D"_blank">192= .168.14.20</a> c1.example.home<br><br>; &lt;&lt;&gt;&gt; DiG 9.11.11-RedHat= -9.11.11-1.fc31 &lt;&lt;&gt;&gt; @<a href=3D"http://192.168.14.20" target= =3D"_blank">192.168.14.20</a> c1.example.home<br>; (1 server found)<br>;; g= lobal options: +cmd<br>;; Got answer:<br>;; -&gt;&gt;HEADER&lt;&lt;- opcode=
    : QUERY, status: NOERROR, id: 20704<br>;; flags: qr aa rd; QUERY: 1, ANSWER=
    : 1, AUTHORITY: 0, ADDITIONAL: 1<br>;; WARNING: recursion requested but not=
    available<br><br>;; OPT PSEUDOSECTION:<br>; EDNS: version: 0, flags:; udp:=
    4096<br>; COOKIE: 747289c94876cf349034aec35f11f794a29c6747bb6a694f (good)<= br>;; QUESTION SECTION:<br>;c1.example.home. IN A<br><br>;; ANSWER SECTION=
    :<br>c1.example.home. 604800 IN A 192.168.14.1<br><br>;; Query time: 0 msec=
    <br>;; SERVER: 192.168.14.20#53(192.168.14.20)<br>;; WHEN: Fri Jul 17 15:10= :12 EDT 2020<br>;; MSG SIZE =C2=A0rcvd: 88</span></span></p><p class=3D"Mso= Normal" style=3D"margin:0cm 0cm 8pt;line-height:107%;font-size:11pt;font-fa= mily:&quot;Calibri&quot;,sans-serif"><span lang=3D"EN-US"><span><br></span>= </span></p><p class=3D"MsoNormal" style=3D"margin:0cm 0cm 8pt;line-height:1= 07%;font-size:11pt;font-family:&quot;Calibri&quot;,sans-serif"><span lang= =3D"EN-US"><span><br></span></span></p>

    <p class=3D"MsoNormal" style=3D"margin:0cm 0cm 8pt;line-height:107%;font-si= ze:11pt;font-family:&quot;Calibri&quot;,sans-serif"><span lang=3D"EN-US">--= --- informations
    and configurations ----<span></span></span></p>

    <p class=3D"MsoNormal" style=3D"margin:0cm 0cm 8pt;line-height:107%;font-si= ze:11pt;font-family:&quot;Calibri&quot;,sans-serif"><span lang=3D"EN-US">OS=
    : Alpine 3.12<span></span></span></p>

    <p class=3D"MsoNormal" style=3D"margin:0cm 0cm 8pt;line-height:107%;font-si= ze:11pt;font-family:&quot;Calibri&quot;,sans-serif">Bind: bind 9.14.12<span= ></span></p>

    <p class=3D"MsoNormal" style=3D"margin:0cm 0cm 8pt;line-height:107%;font-si= ze:11pt;font-family:&quot;Calibri&quot;,sans-serif"><span lang=3D"EN-US"><s= pan>=C2=A0</span></span></p>

    <p class=3D"MsoNormal" style=3D"margin:0cm 0cm 8pt;line-height:107%;font-si= ze:11pt;font-family:&quot;Calibri&quot;,sans-serif"><span lang=3D"EN-US">Ns=
    1: 192.168.14.10
    (recursive)<span></span></span></p>

    <p class=3D"MsoNormal" style=3D"margin:0cm 0cm 8pt;line-height:107%;font-si= ze:11pt;font-family:&quot;Calibri&quot;,sans-serif"><span lang=3D"EN-US">Ns=
    2:
    192.168.14.20 (authoritative)<span></span></span></p>

    <p class=3D"MsoNormal" style=3D"margin:0cm 0cm 8pt;line-height:107%;font-si= ze:11pt;font-family:&quot;Calibri&quot;,sans-serif"><span lang=3D"EN-US">C1=
    :
    192.168.14.1 (client)<span></span></span></p>

    <p class=3D"MsoNormal" style=3D"margin:0cm 0cm 8pt;line-height:107%;font-si= ze:11pt;font-family:&quot;Calibri&quot;,sans-serif"><span lang=3D"EN-US"><s= pan>=C2=A0</span></span></p>

    <p class=3D"MsoNormal" style=3D"margin:0cm 0cm 8pt;line-height:107%;font-si= ze:11pt;font-family:&quot;Calibri&quot;,sans-serif"><span lang=3D"EN-US">--=
    -
    recursive config (NS1)<span></span></span></p><span lang=3D"EN-US">//
    recursive named.conf<span></span></span>

    <p class=3D"MsoNormal" style=3D"margin:0cm 0cm 8pt;line-height:107%;font-si= ze:11pt;font-family:&quot;Calibri&quot;,sans-serif"><span lang=3D"EN-US">//= <span></span></span></p>

    <p class=3D"MsoNormal" style=3D"margin:0cm 0cm 8pt;line-height:107%;font-si= ze:11pt;font-family:&quot;Calibri&quot;,sans-serif"><span lang=3D"EN-US">ac=
    l trusted
    {<span></span></span></p>

    <p class=3D"MsoNormal" style=3D"margin:0cm 0cm 8pt;line-height:107%;font-si= ze:11pt;font-family:&quot;Calibri&quot;,sans-serif"><span lang=3D"EN-US"><s= pan>=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </span><a href=3D"http://192= .168.14.0/24" target=3D"_blank">192.168.14.0/24</a>;<span></span></span></p=


    <p class=3D"MsoNormal" style=3D"margin:0cm 0cm 8pt;line-height:107%;font-si= ze:11pt;font-family:&quot;Calibri&quot;,sans-serif"><span lang=3D"EN-US"><s= pan>=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </span>localhost;<span></spa= n></span></p>

    <p class=3D"MsoNormal" style=3D"margin:0cm 0cm 8pt;line-height:107%;font-si= ze:11pt;font-family:&quot;Calibri&quot;,sans-serif"><span lang=3D"EN-US">};= <span></span></span></p>

    <p class=3D"MsoNormal" style=3D"margin:0cm 0cm 8pt;line-height:107%;font-si= ze:11pt;font-family:&quot;Calibri&quot;,sans-serif"><span lang=3D"EN-US"><s= pan></span></span></p>

    <p class=3D"MsoNormal" style=3D"margin:0cm 0cm 8pt;line-height:107%;font-si= ze:11pt;font-family:&quot;Calibri&quot;,sans-serif"><span lang=3D"EN-US">ac=
    l rfc1918
    {<span></span></span></p>

    <p class=3D"MsoNormal" style=3D"margin:0cm 0cm 8pt;line-height:107%;font-si= ze:11pt;font-family:&quot;Calibri&quot;,sans-serif"><span lang=3D"EN-US"><s= pan>=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </span><a href=3D"http://10.= 0.0.0/8" target=3D"_blank">10.0.0.0/8</a>;<span></span></span></p>

    <p class=3D"MsoNormal" style=3D"margin:0cm 0cm 8pt;line-height:107%;font-si= ze:11pt;font-family:&quot;Calibri&quot;,sans-serif"><span lang=3D"EN-US"><s= pan>=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </span><a href=3D"http://172= .16.0.0/12" target=3D"_blank">172.16.0.0/12</a>;<span></span></span></p>

    <p class=3D"MsoNormal" style=3D"margin:0cm 0cm 8pt;line-height:107%;font-si= ze:11pt;font-family:&quot;Calibri&quot;,sans-serif"><span lang=3D"EN-US"><s= pan>=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </span>!<a href=3D"http://19= 2.168.14.0/24" target=3D"_blank">192.168.14.0/24</a>;<span></span></span></=


    <p class=3D"MsoNormal" style=3D"margin:0cm 0cm 8pt;line-height:107%;font-si= ze:11pt;font-family:&quot;Calibri&quot;,sans-serif"><span lang=3D"EN-US"><s= pan>=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </span><a href=3D"http://192= .168.0.0/16" target=3D"_blank">192.168.0.0/16</a>;<span></span></span></p>

    <p class=3D"MsoNormal" style=3D"margin:0cm 0cm 8pt;line-height:107%;font-si= ze:11pt;font-family:&quot;Calibri&quot;,sans-serif"><span lang=3D"EN-US">};= <span></span></span></p>

    <p class=3D"MsoNormal" style=3D"margin:0cm 0cm 8pt;line-height:107%;font-si= ze:11pt;font-family:&quot;Calibri&quot;,sans-serif"><span lang=3D"EN-US"><s= pan></span></span></p>

    <p class=3D"MsoNormal" style=3D"margin:0cm 0cm 8pt;line-height:107%;font-si= ze:11pt;font-family:&quot;Calibri&quot;,sans-serif"><span lang=3D"EN-US">ac=
    l rfc5735
    {<span></span></span></p>

    <p class=3D"MsoNormal" style=3D"margin:0cm 0cm 8pt;line-height:107%;font-si= ze:11pt;font-family:&quot;Calibri&quot;,sans-serif"><span lang=3D"EN-US"><s= pan>=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </span><a href=3D"http://0.0= .0.0/8" target=3D"_blank">0.0.0.0/8</a>;<span></span></span></p>

    <p class=3D"MsoNormal" style=3D"margin:0cm 0cm 8pt;line-height:107%;font-si= ze:11pt;font-family:&quot;Calibri&quot;,sans-serif"><span lang=3D"EN-US"><s= pan>=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </span><a href=3D"http://169= .254.0.0/16" target=3D"_blank">169.254.0.0/16</a>;<span></span></span></p>

    <p class=3D"MsoNormal" style=3D"margin:0cm 0cm 8pt;line-height:107%;font-si= ze:11pt;font-family:&quot;Calibri&quot;,sans-serif"><span lang=3D"EN-US"><s= pan>=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </span><a href=3D"http://192= .0.0.0/24" target=3D"_blank">192.0.0.0/24</a>;<span></span></span></p>

    <p class=3D"MsoNormal" style=3D"margin:0cm 0cm 8pt;line-height:107%;font-si= ze:11pt;font-family:&quot;Calibri&quot;,sans-serif"><span lang=3D"EN-US"><s= pan>=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </span><a href=3D"http://192= .0.2.0/24" target=3D"_blank">192.0.2.0/24</a>;<span></span></span></p>

    <p class=3D"MsoNormal" style=3D"margin:0cm 0cm 8pt;line-height:107%;font-si= ze:11pt;font-family:&quot;Calibri&quot;,sans-serif"><span lang=3D"EN-US"><s= pan>=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </span><a href=3D"http://192= .88.99.0/24" target=3D"_blank">192.88.99.0/24</a>;<span></span></span></p>

    <p class=3D"MsoNormal" style=3D"margin:0cm 0cm 8pt;line-height:107%;font-si= ze:11pt;font-family:&quot;Calibri&quot;,sans-serif"><span lang=3D"EN-US"><s= pan>=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </span><a href=3D"http://198= .18.0.0/15" target=3D"_blank">198.18.0.0/15</a>;<span></span></span></p>

    <p class=3D"MsoNormal" style=3D"margin:0cm 0cm 8pt;line-height:107%;font-si= ze:11pt;font-family:&quot;Calibri&quot;,sans-serif"><span lang=3D"EN-US"><s= pan>=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </span><a href=3D"http://198= .51.100.0/24" target=3D"_blank">198.51.100.0/24</a>;<span></span></span></p=


    <p class=3D"MsoNormal" style=3D"margin:0cm 0cm 8pt;line-height:107%;font-si= ze:11pt;font-family:&quot;Calibri&quot;,sans-serif"><span lang=3D"EN-US"><s= pan>=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </span><a href=3D"http://203= .0.113.0/24" target=3D"_blank">203.0.113.0/24</a>;<span></span></span></p>

    <p class=3D"MsoNormal" style=3D"margin:0cm 0cm 8pt;line-height:107%;font-si= ze:11pt;font-family:&quot;Calibri&quot;,sans-serif"><span lang=3D"EN-US"><s= pan>=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </span><a href=3D"http://224= .0.0.0/4" target=3D"_blank">224.0.0.0/4</a>;<span></span></span></p>

    <p class=3D"MsoNormal" style=3D"margin:0cm 0cm 8pt;line-height:107%;font-si= ze:11pt;font-family:&quot;Calibri&quot;,sans-serif"><span lang=3D"EN-US">};= <span></span></span></p>

    <p class=3D"MsoNormal" style=3D"margin:0cm 0cm 8pt;line-height:107%;font-si= ze:11pt;font-family:&quot;Calibri&quot;,sans-serif"><span lang=3D"EN-US"><s= pan></span></span></p>

    <p class=3D"MsoNormal" style=3D"margin:0cm 0cm 8pt;line-height:107%;font-si= ze:11pt;font-family:&quot;Calibri&quot;,sans-serif"><span lang=3D"EN-US">op= tions {<br></span></p><p class=3D"MsoNormal" style=3D"margin:0cm 0cm 8pt;li= ne-height:107%;font-size:11pt;font-family:&quot;Calibri&quot;,sans-serif"><= span lang=3D"EN-US">
    =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=20

    directory &quot;/var/bind&quot;;<span></span></span></p><span lang=3D"EN-US=

    <span>=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </span>

    listen-on {<span></span></span>

    <p class=3D"MsoNormal" style=3D"margin:0cm 0cm 8pt;line-height:107%;font-si= ze:11pt;font-family:&quot;Calibri&quot;,sans-serif"><span lang=3D"EN-US"><s= pan>=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0 </span>127.0.0.1;<span></span></span></p>

    <p class=3D"MsoNormal" style=3D"margin:0cm 0cm 8pt;line-height:107%;font-si= ze:11pt;font-family:&quot;Calibri&quot;,sans-serif"><span lang=3D"EN-US"><s= pan>=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0 </span>192.168.14.10;<span></span></span></p>

    <p class=3D"MsoNormal" style=3D"margin:0cm 0cm 8pt;line-height:107%;font-si= ze:11pt;font-family:&quot;Calibri&quot;,sans-serif"><span lang=3D"EN-US"><s= pan>=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </span>};<span></span></span= ></p>

    <p class=3D"MsoNormal" style=3D"margin:0cm 0cm 8pt;line-height:107%;font-si= ze:11pt;font-family:&quot;Calibri&quot;,sans-serif"><span lang=3D"EN-US"><s= pan>=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </span>listen-on-v6 {<span><= /span></span></p>

    <p class=3D"MsoNormal" style=3D"margin:0cm 0cm 8pt;line-height:107%;font-si= ze:11pt;font-family:&quot;Calibri&quot;,sans-serif"><span lang=3D"EN-US"><s= pan>=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0 </span>none;<span></span></span></p>

    <p class=3D"MsoNormal" style=3D"margin:0cm 0cm 8pt;line-height:107%;font-si= ze:11pt;font-family:&quot;Calibri&quot;,sans-serif"><span lang=3D"EN-US"><s= pan>=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </span>};<span></span></span= ></p>

    <p class=3D"MsoNormal" style=3D"margin:0cm 0cm 8pt;line-height:107%;font-si= ze:11pt;font-family:&quot;Calibri&quot;,sans-serif"><span lang=3D"EN-US"><s= pan>=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </span>allow-query {<s= pan></span></span></p>

    <p class=3D"MsoNormal" style=3D"margin:0cm 0cm 8pt;line-height:107%;font-si= ze:11pt;font-family:&quot;Calibri&quot;,sans-serif"><span lang=3D"EN-US"><s= pan>=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0 </span>trusted;<span></span></span></p>

    <p class=3D"MsoNormal" style=3D"margin:0cm 0cm 8pt;line-height:107%;font-si= ze:11pt;font-family:&quot;Calibri&quot;,sans-serif"><span lang=3D"EN-US"><s= pan>=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </span>};<span></span></span= ></p>

    <p class=3D"MsoNormal" style=3D"margin:0cm 0cm 8pt;line-height:107%;font-si= ze:11pt;font-family:&quot;Calibri&quot;,sans-serif"><span lang=3D"EN-US"><s= pan>=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </span>//query-source = address * port 53;<span></span></span></p>

    <p class=3D"MsoNormal" style=3D"margin:0cm 0cm 8pt;line-height:107%;font-si= ze:11pt;font-family:&quot;Calibri&quot;,sans-serif"><span lang=3D"EN-US"><s= pan>=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </span>allow-query-cac=
    he {<span></span></span></p>

    <p class=3D"MsoNormal" style=3D"margin:0cm 0cm 8pt;line-height:107%;font-si= ze:11pt;font-family:&quot;Calibri&quot;,sans-serif"><span lang=3D"EN-US"><s= pan>=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0 </span>trusted;<span></span></span></p>

    <p class=3D"MsoNormal" style=3D"margin:0cm 0cm 8pt;line-height:107%;font-si= ze:11pt;font-family:&quot;Calibri&quot;,sans-serif"><span lang=3D"EN-US"><s= pan>=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </span>};<span></span></span= ></p>

    <p class=3D"MsoNormal" style=3D"margin:0cm 0cm 8pt;line-height:107%;font-si= ze:11pt;font-family:&quot;Calibri&quot;,sans-serif"><span lang=3D"EN-US"><s= pan>=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </span>blackhole {<spa= n></span></span></p>

    <p class=3D"MsoNormal" style=3D"margin:0cm 0cm 8pt;line-height:107%;font-si= ze:11pt;font-family:&quot;Calibri&quot;,sans-serif"><span lang=3D"EN-US"><s= pan>=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0 </span>rfc1918;<span></span></span></p>

    <p class=3D"MsoNormal" style=3D"margin:0cm 0cm 8pt;line-height:107%;font-si= ze:11pt;font-family:&quot;Calibri&quot;,sans-serif"><span lang=3D"EN-US"><s= pan>=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0 </span>rfc5735;<span></span></span></p>

    <p class=3D"MsoNormal" style=3D"margin:0cm 0cm 8pt;line-height:107%;font-si= ze:11pt;font-family:&quot;Calibri&quot;,sans-serif"><span lang=3D"EN-US"><s= pan>=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </span>};<span></span></span= ></p>

    <p class=3D"MsoNormal" style=3D"margin:0cm 0cm 8pt;line-height:107%;font-si= ze:11pt;font-family:&quot;Calibri&quot;,sans-serif"><span lang=3D"EN-US"><s= pan>=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </span>allow-transfer = {<span></span></span></p>

    <p class=3D"MsoNormal" style=3D"margin:0cm 0cm 8pt;line-height:107%;font-si= ze:11pt;font-family:&quot;Calibri&quot;,sans-serif"><span lang=3D"EN-US"><s= pan>=C2=A0=C2=A0=C2=A0 </span><span>=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0</span>none;<span></span></span></p>

    <p class=3D"MsoNormal" style=3D"margin:0cm 0cm 8pt;line-height:107%;font-si= ze:11pt;font-family:&quot;Calibri&quot;,sans-serif"><span lang=3D"EN-US"><s= pan>=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </span>};<span></span></span= ></p>

    <p class=3D"MsoNormal" style=3D"margin:0cm 0cm 8pt;line-height:107%;font-si= ze:11pt;font-family:&quot;Calibri&quot;,sans-serif"><span lang=3D"EN-US"><s= pan>=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </span>pid-file &quot;/var/run/named/named.pid&quot;;<span></span></span></p>

    <p class=3D"MsoNormal" style=3D"margin:0cm 0cm 8pt;line-height:107%;font-si= ze:11pt;font-family:&quot;Calibri&quot;,sans-serif"><span lang=3D"EN-US"><s= pan></span></span></p>

    <p class=3D"MsoNormal" style=3D"margin:0cm 0cm 8pt;line-height:107%;font-si= ze:11pt;font-family:&quot;Calibri&quot;,sans-serif"><span lang=3D"EN-US"><s= pan>=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </span>// Changing this is N=
    OT RECOMMENDED;
    see the notes above and in<span></span></span></p>

    <p class=3D"MsoNormal" style=3D"margin:0cm 0cm 8pt;line-height:107%;font-si= ze:11pt;font-family:&quot;Calibri&quot;,sans-serif"><span lang=3D"EN-US"><s= pan>=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </span>// named.conf.recursi= ve.<span></span></span></p>

    <p class=3D"MsoNormal" style=3D"margin:0cm 0cm 8pt;line-height:107%;font-si= ze:11pt;font-family:&quot;Calibri&quot;,sans-serif"><span lang=3D"EN-US"><s= pan>=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </span>allow-recursion {<spa= n></span></span></p>

    <p class=3D"MsoNormal" style=3D"margin:0cm 0cm 8pt;line-height:107%;font-si= ze:11pt;font-family:&quot;Calibri&quot;,sans-serif"><span lang=3D"EN-US"><s= pan>=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0 </span>trusted;<span></span></span></p>

    <p class=3D"MsoNormal" style=3D"margin:0cm 0cm 8pt;line-height:107%;font-si= ze:11pt;font-family:&quot;Calibri&quot;,sans-serif"><span lang=3D"EN-US"><s= pan>=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </span>};<span></span></span= ></p>

    <p class=3D"MsoNormal" style=3D"margin:0cm 0cm 8pt;line-height:107%;font-si= ze:11pt;font-family:&quot;Calibri&quot;,sans-serif"><span lang=3D"EN-US"><s= pan>=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </span>recursion yes;<span><= /span></span></p>

    <p class=3D"MsoNormal" style=3D"margin:0cm 0cm 8pt;line-height:107%;font-si= ze:11pt;font-family:&quot;Calibri&quot;,sans-serif"><span lang=3D"EN-US">};= <span></span></span></p>

    <p class=3D"MsoNormal" style=3D"margin:0cm 0cm 8pt;line-height:107%;font-si= ze:11pt;font-family:&quot;Calibri&quot;,sans-serif"><span lang=3D"EN-US">zo=
    ne
    &quot;.&quot; IN {<span></span></span></p>

    <p class=3D"MsoNormal" style=3D"margin:0cm 0cm 8pt;line-height:107%;font-si= ze:11pt;font-family:&quot;Calibri&quot;,sans-serif"><span lang=3D"EN-US"><s= pan>=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </span>type hint;<span></spa= n></span></p>

    <p class=3D"MsoNormal" style=3D"margin:0cm 0cm 8pt;line-height:107%;font-si= ze:11pt;font-family:&quot;Calibri&quot;,sans-serif"><span lang=3D"EN-US"><s= pan>=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </span>file &quot;root.cache= &quot;;<span></span></span></p>

    <p class=3D"MsoNormal" style=3D"margin:0cm 0cm 8pt;line-height:107%;font-si= ze:11pt;font-family:&quot;Calibri&quot;,sans-serif"><span lang=3D"EN-US">};= <span></span></span></p>

    <p class=3D"MsoNormal" style=3D"margin:0cm 0cm 8pt;line-height:107%;font-si= ze:11pt;font-family:&quot;Calibri&quot;,sans-serif"><span lang=3D"EN-US"><s= pan></span></span></p>

    <p class=3D"MsoNormal" style=3D"margin:0cm 0cm 8pt;line-height:107%;font-si= ze:11pt;font-family:&quot;Calibri&quot;,sans-serif"><span lang=3D"EN-US">zo=
    ne
    &quot;localhost&quot; IN {<span></span></span></p>

    <p class=3D"MsoNormal" style=3D"margin:0cm 0cm 8pt;line-height:107%;font-si= ze:11pt;font-family:&quot;Calibri&quot;,sans-serif"><span lang=3D"EN-US"><s= pan>=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </span>type master;<span></s= pan></span></p>

    <p class=3D"MsoNormal" style=3D"margin:0cm 0cm 8pt;line-height:107%;font-si= ze:11pt;font-family:&quot;Calibri&quot;,sans-serif"><span lang=3D"EN-US"><s= pan>=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </span>file &quot;pri/localh= ost.zone&quot;;<span></span></span></p>

    <p class=3D"MsoNormal" style=3D"margin:0cm 0cm 8pt;line-height:107%;font-si= ze:11pt;font-family:&quot;Calibri&quot;,sans-serif"><span lang=3D"EN-US"><s= pan>=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </span>allow-update { none; = };<span></span></span></p>

    <p class=3D"MsoNormal" style=3D"margin:0cm 0cm 8pt;line-height:107%;font-si= ze:11pt;font-family:&quot;Calibri&quot;,sans-serif"><span lang=3D"EN-US"><s= pan>=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </span>notify no;<span></spa= n></span></p>

    <p class=3D"MsoNormal" style=3D"margin:0cm 0cm 8pt;line-height:107%;font-si= ze:11pt;font-family:&quot;Calibri&quot;,sans-serif"><span lang=3D"EN-US">};= <span></span></span></p>

    <p class=3D"MsoNormal" style=3D"margin:0cm 0cm 8pt;line-height:107%;font-si= ze:11pt;font-family:&quot;Calibri&quot;,sans-serif"><span lang=3D"EN-US"><s= pan></span></span></p>

    <p class=3D"MsoNormal" style=3D"margin:0cm 0cm 8pt;line-height:107%;font-si= ze:11pt;font-family:&quot;Calibri&quot;,sans-serif"><span lang=3D"EN-US">zo=
    ne
    &quot;127.in-addr.arpa&quot; IN {<span></span></span></p>

    <p class=3D"MsoNormal" style=3D"margin:0cm 0cm 8pt;line-height:107%;font-si= ze:11pt;font-family:&quot;Calibri&quot;,sans-serif"><span lang=3D"EN-US"><s= pan>=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </span>type master;<span></s= pan></span></p>

    <p class=3D"MsoNormal" style=3D"margin:0cm 0cm 8pt;line-height:107%;font-si= ze:11pt;font-family:&quot;Calibri&quot;,sans-serif"><span lang=3D"EN-US"><s= pan>=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </span>file &quot;pri/127.zo= ne&quot;;<span></span></span></p>

    <p class=3D"MsoNormal" style=3D"margin:0cm 0cm 8pt;line-height:107%;font-si= ze:11pt;font-family:&quot;Calibri&quot;,sans-serif"><span lang=3D"EN-US"><s= pan>=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </span>allow-update { none; = };<span></span></span></p>

    <p class=3D"MsoNormal" style=3D"margin:0cm 0cm 8pt;line-height:107%;font-si= ze:11pt;font-family:&quot;Calibri&quot;,sans-serif"><span lang=3D"EN-US"><s= pan>=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </span>notify no;<span></spa= n></span></p>

    <p class=3D"MsoNormal" style=3D"margin:0cm 0cm 8pt;line-height:107%;font-si= ze:11pt;font-family:&quot;Calibri&quot;,sans-serif"><span lang=3D"EN-US">};= <span></span></span></p>

    <p class=3D"MsoNormal" style=3D"margin:0cm 0cm 8pt;line-height:107%;font-si= ze:11pt;font-family:&quot;Calibri&quot;,sans-serif"><span lang=3D"EN-US"><s= pan></span></span></p>

    <p class=3D"MsoNormal" style=3D"margin:0cm 0cm 8pt;line-height:107%;font-si= ze:11pt;font-family:&quot;Calibri&quot;,sans-serif"><span lang=3D"EN-US">zo=
    ne
    &quot;example.home&quot; {<span></span></span></p>

    <p class=3D"MsoNormal" style=3D"margin:0cm 0cm 8pt;line-height:107%;font-si= ze:11pt;font-family:&quot;Calibri&quot;,sans-serif"><span lang=3D"EN-US"><s= pan>=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 </span>type forward;<span></= span></span></p>

    <p class=3D"MsoNormal" style=3D"margin:0cm 0cm 8pt;line-height:107%;font-si= ze:11pt;font-family:&quot;Calibri&quot;,sans-serif"><span lang=3D"EN-US"><s= pan>=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0 </span><span>=C2=A0=C2=A0=C2=A0 </span>forwarders =
    { 192.168.14.20; };<span></span></span></p>

    <p class=3D"MsoNormal" style=3D"margin:0cm 0cm 8pt;line-height:107%;font-si= ze:11pt;font-family:&quot;Calibri&quot;,sans-serif"><span lang=3D"EN-US">};= </span></p><p class=3D"MsoNormal" style=3D"margin:0cm 0cm 8pt;line-height:1= 07%;font-size:11pt;font-family:&quot;Calibri&quot;,sans-serif"><br></p><p c= lass=3D"MsoNormal" style=3D"margin:0cm 0cm 8pt;line-height:107%;font-size:1= 1pt;font-family:&quot;Calibri&quot;,sans-serif">
    ---=C2=A0
    authoritative

    config (NS2)

    <br>// authoritative named.conf<br>//<br>acl trusted {<br>=C2=A0 =C2=A0 =C2= =A0 =C2=A0 <a href=3D"http://192.168.14.0/24" target=3D"_blank">192.168.14.= 0/24</a>;<br>=C2=A0 =C2=A0 =C2=A0 =C2=A0 localhost;<br>};<br><br>acl rfc191=
    8 {<br>=C2=A0 =C2=A0 =C2=A0 =C2=A0 <a href=3D"http://10.0.0.0/8" target=3D"= _blank">10.0.0.0/8</a>;<br>=C2=A0 =C2=A0 =C2=A0 =C2=A0 <a href=3D"http://17= 2.16.0.0/12" target=3D"_blank">172.16.0.0/12</a>;<br>=C2=A0 =C2=A0 =C2=A0 = =C2=A0 !<a href=3D"http://192.168.14.0/24" target=3D"_blank">192.168.14.0/2= 4</a>;<br>=C2=A0 =C2=A0 =C2=A0 =C2=A0 <a href=3D"http://192.168.0.0/16" tar= get=3D"_blank">192.168.0.0/16</a>;<br>};<br><br>acl rfc5735 {<br>=C2=A0 =C2= =A0 =C2=A0 =C2=A0 <a href=3D"http://0.0.0.0/8" target=3D"_blank">0.0.0.0/8<= /a>;<br>=C2=A0 =C2=A0 =C2=A0 =C2=A0 <a href=3D"http://169.254.0.0/16" targe= t=3D"_blank">169.254.0.0/16</a>;<br>=C2=A0 =C2=A0 =C2=A0 =C2=A0 <a href=3D"= http://192.0.0.0/24" target=3D"_blank">192.0.0.0/24</a>;<br>=C2=A0 =C2=A0 = =C2=A0 =C2=A0 <a href=3D"http://192.0.2.0/24" target=3D"_blank">192.0.2.0/2= 4</a>;<br>=C2=A0 =C2=A0 =C2=A0 =C2=A0 <a href=3D"http://192.88.99.0/24" tar= get=3D"_blank">192.88.99.0/24</a>;<br>=C2=A0 =C2=A0 =C2=A0 =C2=A0 <a href= =3D"http://198.18.0.0/15" target=3D"_blank">198.18.0.0/15</a>;<br>=C2=A0 = =C2=A0 =C2=A0 =C2=A0 <a href=3D"http://198.51.100.0/24" target=3D"_blank">1= 98.51.100.0/24</a>;<br>=C2=A0 =C2=A0 =C2=A0 =C2=A0 <a href=3D"http://203.0.= 113.0/24" target=3D"_blank">203.0.113.0/24</a>;<br>=C2=A0 =C2=A0 =C2=A0 =C2= =A0 <a href=3D"http://224.0.0.0/4" target=3D"_blank">224.0.0.0/4</a>;<br>};= <br><br>options {<br>=C2=A0 =C2=A0 =C2=A0 =C2=A0 directory &quot;/var/bind&= quot;;<br><br>=C2=A0 =C2=A0 =C2=A0 =C2=A0 // Configure the IPs to listen on=
    here.<br>=C2=A0 =C2=A0 =C2=A0 =C2=A0 listen-on {<br>=C2=A0 =C2=A0 =C2=A0 = =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 127.0.0.1;<br>=C2=A0 =C2=A0 =C2=A0 =C2=
    =A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 192.168.14.20;<br>=C2=A0 =C2=A0 =C2=A0 =C2=
    =A0 };<br>=C2=A0 =C2=A0 =C2=A0 =C2=A0 listen-on-v6 {<br>=C2=A0 =C2=A0 =C2=
    =A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 none;<br>=C2=A0 =C2=A0 =C2=A0 =C2=A0=
    };<br><br>=C2=A0 =C2=A0 =C2=A0 =C2=A0 allow-query {<br>=C2=A0 =C2=A0 =C2=
    =A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 trusted;<br>=C2=A0 =C2=A0 =C2=A0 =C2= =A0 };<br><br>=C2=A0 =C2=A0 =C2=A0 =C2=A0 //query-source address * port 53;= <br><br>=C2=A0 =C2=A0 =C2=A0 =C2=A0 allow-query-cache {<br>=C2=A0 =C2=A0 = =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 trusted;<br>=C2=A0 =C2=A0 =C2=A0 = =C2=A0 };<br><br>=C2=A0 =C2=A0 =C2=A0 =C2=A0 blackhole { <br>=C2=A0 =C2=A0 = =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 rfc5735;<br>=C2=A0 =C2=A0 =C2=A0 = =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 rfc1918;<br>=C2=A0 =C2=A0 =C2=A0 =C2=A0 = };<br><br>=C2=A0 =C2=A0 =C2=A0 =C2=A0 allow-transfer {<br>=C2=A0 =C2=A0 =C2= =A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 none;<br>=C2=A0 =C2=A0 =C2=A0 =C2=A0=
    };<br><br>=C2=A0 =C2=A0 =C2=A0 =C2=A0 // Cryptographic authentication of D=
    NS information <br>=C2=A0 =C2=A0 =C2=A0 =C2=A0 // ENABLE LATER<br>=C2=A0 = =C2=A0 //dnssec-enable yes;<br>=C2=A0 =C2=A0 //dnssec-validation yes;<br>= <br>=C2=A0 =C2=A0 =C2=A0 =C2=A0 pid-file &quot;/var/run/named/named.pid&quo= t;;<br><br>=C2=A0 =C2=A0 =C2=A0 =C2=A0 // Changing this is NOT RECOMMENDED = for a authoritative nameserver<br>=C2=A0 =C2=A0 =C2=A0 =C2=A0 allow-recursi=
    on { none; };<br>=C2=A0 =C2=A0 =C2=A0 =C2=A0 recursion no;<br>};<br><br>zon=
    e &quot;example.home&quot; {<br>=C2=A0 type master;<br>=C2=A0 file &quot;/e= tc/bind/db.example.home.zone&quot;;<br>};<br><br>zone &quot;14.168.192.in-a= ddr.arpa&quot; {<br>=C2=A0 type master;<br>=C2=A0 file &quot;/etc/bind/db.1= 4.168.192.zone&quot;;<br>};</p><p class=3D"MsoNormal" style=3D"margin:0cm 0=
    cm 8pt;line-height:107%;font-size:11pt;font-family:&quot;Calibri&quot;,sans= -serif"><br></p><p class=3D"MsoNormal" style=3D"margin:0cm 0cm 8pt;line-hei= ght:107%;font-size:11pt;font-family:&quot;Calibri&quot;,sans-serif">; ZONE = file for example.home.<br>;<br>$TTL 604800<br>@ IN SOA ns2.example.home. h=
    ostmaster.example.home. (<br> 2 ; Serial<br> 604800 ; Refresh 1week<b=
    86400 ; Retry<br> 2419200 ; Expire 28days<br> 604800 ; Negative=
    Cache TTL<br>)<br>;; name servers (NS)<br>;; only authoritative servers<br=
    @ =C2=A0 =C2=A0 IN NS ns2.example.home.<br>ns2 IN A 192.168.14.20<br>;; =
    hosts (A)<br>ns1 =C2=A0 =C2=A0 =C2=A0 =C2=A0 IN =C2=A0A =C2=A0 192.168.14.1= 0<br>c1 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0IN =C2=A0A =C2=A0 192.168.14.1<br= ><br>;; alias (CNAME)<br>client IN CNAME c1</p><p class=3D"MsoNormal" sty=
    le=3D"margin:0cm 0cm 8pt;line-height:107%;font-size:11pt;font-family:&quot;= Calibri&quot;,sans-serif"><br></p><p class=3D"MsoNormal" style=3D"margin:0c=
    m 0cm 8pt;line-height:107%;font-size:11pt;font-family:&quot;Calibri&quot;,s= ans-serif">; ZONE file for 14.168.192.in-addr.arpa.<br>;<br>$TTL 604800<br>=
    @ IN SOA ns2.example.home. hostmaster.example.home. (<br> 1 =C2=A0 ; Se=
    rial<br> 604800 ; Refresh 1week<br> 86400 ; Retry<br> 2419200 ; Ex=
    pire 28days<br> 604800 ; Negative Cache TTL<br>)<br>;; name servers (NS)=
    <br>;; only authoritative servers<br>@ =C2=A0 IN NS ns2.example.home.<br>20=
    =C2=A0IN PTR ns2.example.home.<br>;; pointer records (PTR)<br>1 =C2=A0 IN =
    =C2=A0PTR c1.example.home.<br>10 =C2=A0IN =C2=A0PTR ns1.example.home.</p>



    </div>

    --0000000000008d9b0b05aaa8063e--
    --- Synchronet 3.18a-Linux NewsLink 1.113
  • From Mark Andrews@marka@isc.org to Weeltin on Sun Jul 19 11:10:33 2020
    From Newsgroup: comp.protocols.dns.bind

    Your problem comes from the fact that BIND 9.14 has DNSSEC validation enabled by default (unless disabled at configure time or in named.conf) and the answers from the grafted on namespace (.home) fail DNSSEC validation as there is not a insecure delegation for .home to break the DNSSEC chain of trust. You can use validate-except to teach there recursive server to not validate parts of the namespace but it is NOT RECOMMENDED as it doesn’t help validating clients.
    e.g.
    validate-except { home; };
    I would stop trying to use .home as it has not been delegated for home use. Use home.arpa instead which has been reserved for home use and has a insecure delegation to break the DNSSEC chain of trust pointing at servers which only return NXDOMAIN for names under home.arpa. This is the same delegation model used for the RFC 1918 reverse zone. Note that DS is absent from the list of types at the delegation point in the NSEC record. There was an attempt made to delegate .home this way but it floundered on ICANN/IETF politics.
    e.g.
    home.arpa. 172800 IN NS blackhole-1.iana.org. home.arpa. 172800 IN NS blackhole-2.iana.org. home.arpa. 86400 IN NSEC in-addr.arpa. NS RRSIG NSEC home.arpa. 86400 IN RRSIG NSEC 8 2 86400 20200731120000 20200718110000 57156 arpa. lSqLNz1E/6WkAUDAJDnvo9X248B+PAWM34s0S0PJFjPi4YLoE//6zSR6 Dgm0T+2qV2KrgvYbOzHV9Z/lRopFxSEJSSwoHgrUmfofXmIbQiKgQHBi g9dvL8yeJm0cRe6QMuM1q/D/3+AnPv5OQNBhC6+UEA+enO3JtDbvjr/H XfPPvfDfozacZkHPe+AYpJbmT7qfHv8Gw/BeeNtDex9jMoDbJ2l0BLT1 UTPKE9+Abrh3RawcKBF3BbLNWU6AhIkOLZRADGMjcZg1M/IHUk/rOWXV EMZihg1+5I4GSmaRDN0jTX9g5jr822EZfaZLmCKlcGYMMHVOkMUA7k0r +v/Zrg==
    If you are using forward zones (not recommended) set “forward only;” as you don’t want to fallback to querying servers on the global Internet when grafting on namespace. If you do use a forward zone then the servers being forwarded to need to either a) serve the *entire* namespace under the forward zone, or b) be configured as recursive servers.
    zone home.arpa {
    type forward;
    forward only;
    forwarders {192.168.14.20;};
    };
    I would recommend using secondary zone rather than forward zones for grafting on namespaces, just ensure that the all slave servers are receiving NOTIFY messages (use also-notify) so that they receive changes fast. Fast propagation of changes is needed in a home environment. Secondary zone also provide a break in the DNSSEC chain of trust as far as the recursive server is concerned. They however do not break the DNSSEC chain of trust for any DNSSEC validating clients of the recursive server.
    zone home.arpa {
    type secondary;
    primaries {192.168.14.20;};
    file “home.arpa.db”;
    ...
    };
    zone home.arpa {
    type primary;
    file “home.arpa.db”;
    also-notify { address list; };
    ...
    };
    Also forget any garbage that recursive servers should not also serve zones. People have take the advice that listed authoritative servers shouldn’t be recursive (which is good advise when serving zones to the public) and inverted it to come up with bad advice.
    Mark
    On 18 Jul 2020, at 05:18, Weeltin <weeltinl@gmail.com> wrote:

    Hello all,

    I’m trying to implement a DNS structure, containing a recursive and authoritative server, but in doing so, I have run into a small problem. I can make DNS queries from a client toward the net, but when I try to do the same toward my internal domain, I get no result. I have spent days trying to figure out what is going on, but to no avail, I there for hope that someone on this list can point me in the right direction or right out tell what is wrong.

    /Weeltin.

    -----DIG troubleshoots

    [weeltin@c1 ~]$ cat /etc/resolv.conf
    # Generated by NetworkManager
    nameserver 192.168.14.10

    [weeltin@c1 ~]$ dig google.com
    ; <<>> DiG 9.11.11-RedHat-9.11.11-1.fc31 <<>> google.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48932
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ; COOKIE: c1bc4a11c40bd755905c8c705f11f5ffe699cc0116ed8ba5 (good)
    ;; QUESTION SECTION:
    ;google.com. IN A

    ;; ANSWER SECTION:
    google.com. 300 IN A 216.58.211.142

    ;; Query time: 179 msec
    ;; SERVER: 192.168.14.10#53(192.168.14.10)
    ;; WHEN: Fri Jul 17 15:03:27 EDT 2020
    ;; MSG SIZE rcvd: 83


    [weeltin@c1 ~]$ dig c1.example.home
    ; <<>> DiG 9.11.11-RedHat-9.11.11-1.fc31 <<>> c1.example.home
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 62602
    ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ; COOKIE: cf8876e3b35138f47040188e5f11f64a91445aa4f8310f5a (good)
    ;; QUESTION SECTION:
    ;c1.example.home. IN A

    ;; AUTHORITY SECTION:
    . 10800 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2020071701 1800 900 604800 86400

    ;; Query time: 263 msec
    ;; SERVER: 192.168.14.10#53(192.168.14.10)
    ;; WHEN: Fri Jul 17 15:04:42 EDT 2020
    ;; MSG SIZE rcvd: 147



    [weeltin@c1 ~]$ dig @192.168.14.20 c1.example.home

    ; <<>> DiG 9.11.11-RedHat-9.11.11-1.fc31 <<>> @192.168.14.20 c1.example.home ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20704
    ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
    ;; WARNING: recursion requested but not available

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ; COOKIE: 747289c94876cf349034aec35f11f794a29c6747bb6a694f (good)
    ;; QUESTION SECTION:
    ;c1.example.home. IN A

    ;; ANSWER SECTION:
    c1.example.home. 604800 IN A 192.168.14.1

    ;; Query time: 0 msec
    ;; SERVER: 192.168.14.20#53(192.168.14.20)
    ;; WHEN: Fri Jul 17 15:10:12 EDT 2020
    ;; MSG SIZE rcvd: 88





    ----- informations and configurations ----

    OS: Alpine 3.12

    Bind: bind 9.14.12


    Ns1: 192.168.14.10 (recursive)

    Ns2: 192.168.14.20 (authoritative)

    C1: 192.168.14.1 (client)


    --- recursive config (NS1)

    // recursive named.conf
    //

    acl trusted {

    192.168.14.0/24;

    localhost;

    };


    acl rfc1918 {

    10.0.0.0/8;

    172.16.0.0/12;

    !192.168.14.0/24;

    192.168.0.0/16;

    };


    acl rfc5735 {

    0.0.0.0/8;

    169.254.0.0/16;

    192.0.0.0/24;

    192.0.2.0/24;

    192.88.99.0/24;

    198.18.0.0/15;

    198.51.100.0/24;

    203.0.113.0/24;

    224.0.0.0/4;

    };


    options {

    directory "/var/bind";

    listen-on {
    127.0.0.1;

    192.168.14.10;

    };

    listen-on-v6 {

    none;

    };

    allow-query {

    trusted;

    };

    //query-source address * port 53;

    allow-query-cache {

    trusted;

    };

    blackhole {

    rfc1918;

    rfc5735;

    };

    allow-transfer {

    none;

    };

    pid-file "/var/run/named/named.pid";


    // Changing this is NOT RECOMMENDED; see the notes above and in

    // named.conf.recursive.

    allow-recursion {

    trusted;

    };

    recursion yes;

    };

    zone "." IN {

    type hint;

    file "root.cache";

    };


    zone "localhost" IN {

    type master;

    file "pri/localhost.zone";

    allow-update { none; };

    notify no;

    };


    zone "127.in-addr.arpa" IN {

    type master;

    file "pri/127.zone";

    allow-update { none; };

    notify no;

    };


    zone "example.home" {

    type forward;

    forwarders { 192.168.14.20; };

    };



    --- authoritative config (NS2)
    // authoritative named.conf
    //
    acl trusted {
    192.168.14.0/24;
    localhost;
    };

    acl rfc1918 {
    10.0.0.0/8;
    172.16.0.0/12;
    !192.168.14.0/24;
    192.168.0.0/16;
    };

    acl rfc5735 {
    0.0.0.0/8;
    169.254.0.0/16;
    192.0.0.0/24;
    192.0.2.0/24;
    192.88.99.0/24;
    198.18.0.0/15;
    198.51.100.0/24;
    203.0.113.0/24;
    224.0.0.0/4;
    };

    options {
    directory "/var/bind";

    // Configure the IPs to listen on here.
    listen-on {
    127.0.0.1;
    192.168.14.20;
    };
    listen-on-v6 {
    none;
    };

    allow-query {
    trusted;
    };

    //query-source address * port 53;

    allow-query-cache {
    trusted;
    };

    blackhole {
    rfc5735;
    rfc1918;
    };

    allow-transfer {
    none;
    };

    // Cryptographic authentication of DNS information
    // ENABLE LATER
    //dnssec-enable yes;
    //dnssec-validation yes;

    pid-file "/var/run/named/named.pid";

    // Changing this is NOT RECOMMENDED for a authoritative nameserver
    allow-recursion { none; };
    recursion no;
    };

    zone "example.home" {
    type master;
    file "/etc/bind/db.example.home.zone";
    };

    zone "14.168.192.in-addr.arpa" {
    type master;
    file "/etc/bind/db.14.168.192.zone";
    };



    ; ZONE file for example.home.
    ;
    $TTL 604800
    @ IN SOA ns2.example.home. hostmaster.example.home. (
    2 ; Serial
    604800 ; Refresh 1week
    86400 ; Retry
    2419200 ; Expire 28days
    604800 ; Negative Cache TTL
    )
    ;; name servers (NS)
    ;; only authoritative servers
    @ IN NS ns2.example.home.
    ns2 IN A 192.168.14.20
    ;; hosts (A)
    ns1 IN A 192.168.14.10
    c1 IN A 192.168.14.1

    ;; alias (CNAME)
    client IN CNAME c1



    ; ZONE file for 14.168.192.in-addr.arpa.
    ;
    $TTL 604800
    @ IN SOA ns2.example.home. hostmaster.example.home. (
    1 ; Serial
    604800 ; Refresh 1week
    86400 ; Retry
    2419200 ; Expire 28days
    604800 ; Negative Cache TTL
    )
    ;; name servers (NS)
    ;; only authoritative servers
    @ IN NS ns2.example.home.
    20 IN PTR ns2.example.home.
    ;; pointer records (PTR)
    1 IN PTR c1.example.home.
    10 IN PTR ns1.example.home.

    _______________________________________________
    Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

    ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.


    bind-users mailing list
    bind-users@lists.isc.org
    https://lists.isc.org/mailman/listinfo/bind-users
    --
    Mark Andrews, ISC
    1 Seymour St., Dundas Valley, NSW 2117, Australia
    PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
    --- Synchronet 3.18a-Linux NewsLink 1.113
  • From Weeltin@weeltinl@gmail.com to Mark Andrews on Mon Jul 20 17:20:52 2020
    From Newsgroup: comp.protocols.dns.bind

    --0000000000000a9b0e05aae10e77
    Content-Type: text/plain; charset="UTF-8"
    Content-Transfer-Encoding: quoted-printable

    Hello Mark,

    Thanks for your answer, it gave me a lot to think about.

    I have been reading about the "validate-except" command, but can't get
    myself to use a command that is not recommended.

    I did a lot of research, before I went for the .home domain. I didn't want
    to end up with a domain that potentially could conflict with a domain on
    the internet.
    That ment that I had to read a lot of reports, most of them from ICANN, of
    them from back in Feb 2018(*), reported that .home (.corp and .mail) would
    not be sold and available on the internet.
    i didn't know about the insecure delegation to break the DNSSEC, so it
    might be worth it to switch to .home.arpa, even though I had hoped to keep
    the domain name to 1 tier.

    I have been learning that the DNS structure needs to have a recursive and
    an authoritative server, to be more exact 2 of each for failover purposes,
    if you want a reliable and secure DNS structure. my plan was/is to
    configure failover servers when i got this structure to work..

    so when i am a little bit confused and when reading that "forward zones"
    is not recommended. any links to publications about this?
    also, could i get you to explain the last statement in your reply. As I
    want to implement a DNS structure that follows best practices and hopefully
    is secure, I want to learn about the reasons for this.

    (*) https://www.icann.org/resources/board-material/resolutions-2018-02-04-en#2.=
    c

    /Weeltin




    On Sun, Jul 19, 2020 at 3:10 AM Mark Andrews <marka@isc.org> wrote:

    Your problem comes from the fact that BIND 9.14 has DNSSEC validation
    enabled by default (unless disabled at configure time or in named.conf) a=
    nd
    the answers from the grafted on namespace (.home) fail DNSSEC validation =
    as
    there is not a insecure delegation for .home to break the DNSSEC chain of trust. You can use validate-except to teach there recursive server to no=
    t
    validate parts of the namespace but it is NOT RECOMMENDED as it doesn=E2=
    =80=99t
    help validating clients.

    e.g.

    validate-except { home; };

    I would stop trying to use .home as it has not been delegated for home
    use. Use home.arpa instead which has been reserved for home use and has =
    a
    insecure delegation to break the DNSSEC chain of trust pointing at server=
    s
    which only return NXDOMAIN for names under home.arpa. This is the same delegation model used for the RFC 1918 reverse zone. Note that DS is
    absent from the list of types at the delegation point in the NSEC record. There was an attempt made to delegate .home this way but it floundered on ICANN/IETF politics.

    e.g.

    home.arpa. 172800 IN NS blackhole-1.iana.org. home.arpa. 172800 IN NS blackhole-2.iana.org. home.arpa. 86400 IN NSEC in-addr.arpa. NS RRSIG NS=
    EC
    home.arpa. 86400 IN RRSIG NSEC 8 2 86400
    20200731120000 20200718110000 57156 arpa. lSqLNz1E/6WkAUDAJDnvo9X248B+PAWM34s0S0PJFjPi4YLoE//6zSR6 Dgm0T+2qV2KrgvYbOzHV9Z/lRopFxSEJSSwoHgrUmfofXmIbQiKgQHBi g9dvL8yeJm0cRe6QMuM1q/D/3+AnPv5OQNBhC6+UEA+enO3JtDbvjr/H XfPPvfDfozacZkHPe+AYpJbmT7qfHv8Gw/BeeNtDex9jMoDbJ2l0BLT1 UTPKE9+Abrh3RawcKBF3BbLNWU6AhIkOLZRADGMjcZg1M/IHUk/rOWXV EMZihg1+5I4GSmaRDN0jTX9g5jr822EZfaZLmCKlcGYMMHVOkMUA7k0r +v/Zrg=3D=3D

    If you are using forward zones (not recommended) set =E2=80=9Cforward onl=
    y;=E2=80=9D as
    you don=E2=80=99t want to fallback to querying servers on the global Inte=
    rnet when
    grafting on namespace. If you do use a forward zone then the servers bei=
    ng
    forwarded to need to either a) serve the *entire* namespace under the
    forward zone, or b) be configured as recursive servers.

    zone home.arpa {
    type forward;
    forward only;
    forwarders {192.168.14.20;};
    };

    I would recommend using secondary zone rather than forward zones for
    grafting on namespaces, just ensure that the all slave servers are
    receiving NOTIFY messages (use also-notify) so that they receive changes fast. Fast propagation of changes is needed in a home environment.
    Secondary zone also provide a break in the DNSSEC chain of trust as far a=
    s
    the recursive server is concerned. They however do not break the DNSSEC chain of trust for any DNSSEC validating clients of the recursive server.

    zone home.arpa {
    type secondary;
    primaries {192.168.14.20;};
    file =E2=80=9Chome.arpa.db=E2=80=9D;
    ...
    };

    zone home.arpa {
    type primary;
    file =E2=80=9Chome.arpa.db=E2=80=9D;
    also-notify { address list; };
    ...
    };

    Also forget any garbage that recursive servers should not also serve
    zones. People have take the advice that listed authoritative servers shouldn=E2=80=99t be recursive (which is good advise when serving zones t=
    o the
    public) and inverted it to come up with bad advice.

    Mark

    On 18 Jul 2020, at 05:18, Weeltin <weeltinl@gmail.com> wrote:

    Hello all,

    I=E2=80=99m trying to implement a DNS structure, containing a recursive=
    and
    authoritative server, but in doing so, I have run into a small problem. I
    can make DNS queries from a client toward the net, but when I try to do t=
    he
    same toward my internal domain, I get no result. I have spent days trying
    to figure out what is going on, but to no avail, I there for hope that someone on this list can point me in the right direction or right out tel=
    l
    what is wrong.

    /Weeltin.

    -----DIG troubleshoots

    [weeltin@c1 ~]$ cat /etc/resolv.conf
    # Generated by NetworkManager
    nameserver 192.168.14.10

    [weeltin@c1 ~]$ dig google.com
    ; <<>> DiG 9.11.11-RedHat-9.11.11-1.fc31 <<>> google.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48932
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ; COOKIE: c1bc4a11c40bd755905c8c705f11f5ffe699cc0116ed8ba5 (good)
    ;; QUESTION SECTION:
    ;google.com. IN A

    ;; ANSWER SECTION:
    google.com. 300 IN A 216.58.211.142

    ;; Query time: 179 msec
    ;; SERVER: 192.168.14.10#53(192.168.14.10)
    ;; WHEN: Fri Jul 17 15:03:27 EDT 2020
    ;; MSG SIZE rcvd: 83


    [weeltin@c1 ~]$ dig c1.example.home
    ; <<>> DiG 9.11.11-RedHat-9.11.11-1.fc31 <<>> c1.example.home
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 62602
    ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ; COOKIE: cf8876e3b35138f47040188e5f11f64a91445aa4f8310f5a (good)
    ;; QUESTION SECTION:
    ;c1.example.home. IN A

    ;; AUTHORITY SECTION:
    . 10800 IN SOA a.root-servers.net. nstld.verisign-grs.co=
    m.
    2020071701 1800 900 604800 86400

    ;; Query time: 263 msec
    ;; SERVER: 192.168.14.10#53(192.168.14.10)
    ;; WHEN: Fri Jul 17 15:04:42 EDT 2020
    ;; MSG SIZE rcvd: 147



    [weeltin@c1 ~]$ dig @192.168.14.20 c1.example.home

    ; <<>> DiG 9.11.11-RedHat-9.11.11-1.fc31 <<>> @192.168.14.20
    c1.example.home
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20704
    ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
    ;; WARNING: recursion requested but not available

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ; COOKIE: 747289c94876cf349034aec35f11f794a29c6747bb6a694f (good)
    ;; QUESTION SECTION:
    ;c1.example.home. IN A

    ;; ANSWER SECTION:
    c1.example.home. 604800 IN A 192.168.14.1

    ;; Query time: 0 msec
    ;; SERVER: 192.168.14.20#53(192.168.14.20)
    ;; WHEN: Fri Jul 17 15:10:12 EDT 2020
    ;; MSG SIZE rcvd: 88





    ----- informations and configurations ----

    OS: Alpine 3.12

    Bind: bind 9.14.12


    Ns1: 192.168.14.10 (recursive)

    Ns2: 192.168.14.20 (authoritative)

    C1: 192.168.14.1 (client)


    --- recursive config (NS1)

    // recursive named.conf
    //

    acl trusted {

    192.168.14.0/24;

    localhost;

    };


    acl rfc1918 {

    10.0.0.0/8;

    172.16.0.0/12;

    !192.168.14.0/24;

    192.168.0.0/16;

    };


    acl rfc5735 {

    0.0.0.0/8;

    169.254.0.0/16;

    192.0.0.0/24;

    192.0.2.0/24;

    192.88.99.0/24;

    198.18.0.0/15;

    198.51.100.0/24;

    203.0.113.0/24;

    224.0.0.0/4;

    };


    options {

    directory "/var/bind";

    listen-on {
    127.0.0.1;

    192.168.14.10;

    };

    listen-on-v6 {

    none;

    };

    allow-query {

    trusted;

    };

    //query-source address * port 53;

    allow-query-cache {

    trusted;

    };

    blackhole {

    rfc1918;

    rfc5735;

    };

    allow-transfer {

    none;

    };

    pid-file "/var/run/named/named.pid";


    // Changing this is NOT RECOMMENDED; see the notes above and in

    // named.conf.recursive.

    allow-recursion {

    trusted;

    };

    recursion yes;

    };

    zone "." IN {

    type hint;

    file "root.cache";

    };


    zone "localhost" IN {

    type master;

    file "pri/localhost.zone";

    allow-update { none; };

    notify no;

    };


    zone "127.in-addr.arpa" IN {

    type master;

    file "pri/127.zone";

    allow-update { none; };

    notify no;

    };


    zone "example.home" {

    type forward;

    forwarders { 192.168.14.20; };

    };



    --- authoritative config (NS2)
    // authoritative named.conf
    //
    acl trusted {
    192.168.14.0/24;
    localhost;
    };

    acl rfc1918 {
    10.0.0.0/8;
    172.16.0.0/12;
    !192.168.14.0/24;
    192.168.0.0/16;
    };

    acl rfc5735 {
    0.0.0.0/8;
    169.254.0.0/16;
    192.0.0.0/24;
    192.0.2.0/24;
    192.88.99.0/24;
    198.18.0.0/15;
    198.51.100.0/24;
    203.0.113.0/24;
    224.0.0.0/4;
    };

    options {
    directory "/var/bind";

    // Configure the IPs to listen on here.
    listen-on {
    127.0.0.1;
    192.168.14.20;
    };
    listen-on-v6 {
    none;
    };

    allow-query {
    trusted;
    };

    //query-source address * port 53;

    allow-query-cache {
    trusted;
    };

    blackhole {
    rfc5735;
    rfc1918;
    };

    allow-transfer {
    none;
    };

    // Cryptographic authentication of DNS information
    // ENABLE LATER
    //dnssec-enable yes;
    //dnssec-validation yes;

    pid-file "/var/run/named/named.pid";

    // Changing this is NOT RECOMMENDED for a authoritative
    nameserver
    allow-recursion { none; };
    recursion no;
    };

    zone "example.home" {
    type master;
    file "/etc/bind/db.example.home.zone";
    };

    zone "14.168.192.in-addr.arpa" {
    type master;
    file "/etc/bind/db.14.168.192.zone";
    };



    ; ZONE file for example.home.
    ;
    $TTL 604800
    @ IN SOA ns2.example.home. hostmaster.example.home. (
    2 ; Serial
    604800 ; Refresh 1week
    86400 ; Retry
    2419200 ; Expire 28days
    604800 ; Negative Cache TTL
    )
    ;; name servers (NS)
    ;; only authoritative servers
    @ IN NS ns2.example.home.
    ns2 IN A 192.168.14.20
    ;; hosts (A)
    ns1 IN A 192.168.14.10
    c1 IN A 192.168.14.1

    ;; alias (CNAME)
    client IN CNAME c1



    ; ZONE file for 14.168.192.in-addr.arpa.
    ;
    $TTL 604800
    @ IN SOA ns2.example.home. hostmaster.example.home. (
    1 ; Serial
    604800 ; Refresh 1week
    86400 ; Retry
    2419200 ; Expire 28days
    604800 ; Negative Cache TTL
    )
    ;; name servers (NS)
    ;; only authoritative servers
    @ IN NS ns2.example.home.
    20 IN PTR ns2.example.home.
    ;; pointer records (PTR)
    1 IN PTR c1.example.home.
    10 IN PTR ns1.example.home.

    _______________________________________________
    Please visit https://lists.isc.org/mailman/listinfo/bind-users to
    unsubscribe from this list

    ISC funds the development of this software with paid support
    subscriptions. Contact us at https://www.isc.org/contact/ for more information.


    bind-users mailing list
    bind-users@lists.isc.org
    https://lists.isc.org/mailman/listinfo/bind-users

    --
    Mark Andrews, ISC
    1 Seymour St., Dundas Valley, NSW 2117, Australia
    PHONE: +61 2 9871 4742 INTERNET: marka@isc.org



    --0000000000000a9b0e05aae10e77
    Content-Type: text/html; charset="UTF-8"
    Content-Transfer-Encoding: quoted-printable

    <div dir=3D"ltr">Hello Mark,<br><br>Thanks for your answer, it gave me a lo=
    t to think about.<br><br>I have been reading about the &quot;validate-excep= t&quot; command, but can&#39;t get myself to use a command that is not reco= mmended.<br><br>I did a lot of research, before I went for the .home domain=
    . I didn&#39;t want to end up with a domain that potentially could conflict=
    with a domain on the internet.<br>That ment that I had to read a lot of re= ports, most of them from ICANN, of them from back in Feb 2018(*), reported = that .home (.corp and .mail) would not be sold and available on the interne=
    t. <br>i didn&#39;t know about the insecure delegation to break the DNSSEC,=
    so it might be worth it to switch to .home.arpa, even though I had hoped t=
    o keep the domain name to 1 tier. <br><br>I have been learning that the DNS=
    structure needs to have a recursive and an authoritative server, to be mor=
    e exact 2 of each for failover purposes, if you want a reliable and secure = DNS structure. my plan was/is to configure failover servers when i got this=
    structure to work.. <br>=C2=A0<br>so when i am a little bit confused and = =C2=A0when reading that &quot;forward zones&quot; is not recommended. any l= inks to publications about this?<br><div>also, could i get you to explain t=
    he last statement in your reply. As I want to implement a DNS structure tha=
    t follows best practices and hopefully is secure, I want to learn about the=
    reasons for this.=C2=A0 <br></div><div><br></div><div>
    (*) <a href=3D"https://www.icann.org/resources/board-material/resolutions-2= 018-02-04-en#2.c">https://www.icann.org/resources/board-material/resolution= s-2018-02-04-en#2.c</a>

    </div><div><br></div><div>/Weeltin<br></div><br><br><br></div><br><div clas= s=3D"gmail_quote"><div dir=3D"ltr" class=3D"gmail_attr">On Sun, Jul 19, 202=
    0 at 3:10 AM Mark Andrews &lt;<a href=3D"mailto:marka@isc.org">marka@isc.or= g</a>&gt; wrote:<br></div><blockquote class=3D"gmail_quote" style=3D"margin= :0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"= >Your problem comes from the fact that BIND 9.14 has DNSSEC validation enab= led by default (unless disabled at configure time or in named.conf) and the=
    answers from the grafted on namespace (.home) fail DNSSEC validation as th= ere is not a insecure delegation for .home to break the DNSSEC chain of tru= st.=C2=A0 You can use validate-except to teach there recursive server to no=
    t validate parts of the namespace but it is NOT RECOMMENDED as it doesn=E2= =80=99t help validating clients.<br>

    e.g. <br>

    validate-except { home; };<br>

    I would stop trying to use .home as it has not been delegated for home use.= =C2=A0 Use home.arpa instead which has been reserved for home use and has a=
    insecure delegation to break the DNSSEC chain of trust pointing at servers=
    which only return NXDOMAIN for names under home.arpa.=C2=A0 This is the sa=
    me delegation model used for the RFC 1918 reverse zone.=C2=A0 Note that DS =
    is absent from the list of types at the delegation point in the NSEC record=
    . There was an attempt made to delegate .home this way but it floundered on=
    ICANN/IETF politics.<br>

    e.g.<br>

    home.arpa.=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 172800=C2=A0 IN= =C2=A0 =C2=A0 =C2=A0 NS=C2=A0 =C2=A0 =C2=A0 <a href=3D"http://blackhole-1.i= ana.org" rel=3D"noreferrer" target=3D"_blank">blackhole-1.iana.org</a>.<br> home.arpa.=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 172800=C2=A0 IN= =C2=A0 =C2=A0 =C2=A0 NS=C2=A0 =C2=A0 =C2=A0 <a href=3D"http://blackhole-2.i= ana.org" rel=3D"noreferrer" target=3D"_blank">blackhole-2.iana.org</a>.<br> home.arpa.=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 86400=C2=A0 =C2= =A0IN=C2=A0 =C2=A0 =C2=A0 NSEC=C2=A0 =C2=A0 in-addr.arpa. NS RRSIG NSEC<br> home.arpa.=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 86400=C2=A0 =C2= =A0IN=C2=A0 =C2=A0 =C2=A0 RRSIG=C2=A0 =C2=A0NSEC 8 2 86400 20200731120000 2= 0200718110000 57156 arpa. lSqLNz1E/6WkAUDAJDnvo9X248B+PAWM34s0S0PJFjPi4YLoE= //6zSR6 Dgm0T+2qV2KrgvYbOzHV9Z/lRopFxSEJSSwoHgrUmfofXmIbQiKgQHBi g9dvL8yeJm= 0cRe6QMuM1q/D/3+AnPv5OQNBhC6+UEA+enO3JtDbvjr/H XfPPvfDfozacZkHPe+AYpJbmT7qf= Hv8Gw/BeeNtDex9jMoDbJ2l0BLT1 UTPKE9+Abrh3RawcKBF3BbLNWU6AhIkOLZRADGMjcZg1M/= IHUk/rOWXV EMZihg1+5I4GSmaRDN0jTX9g5jr822EZfaZLmCKlcGYMMHVOkMUA7k0r +v/Zrg= =3D=3D<br>

    If you are using forward zones (not recommended) set =E2=80=9Cforward only;= =E2=80=9D as you don=E2=80=99t want to fallback to querying servers on the = global Internet when grafting on namespace.=C2=A0 If you do use a forward z= one then the servers being forwarded to need to either a) serve the *entire=
    * namespace under the forward zone, or b) be configured as recursive server= s.<br>

    zone home.arpa {<br>
    =C2=A0 =C2=A0 =C2=A0 =C2=A0 type forward;<br>
    =C2=A0 =C2=A0 =C2=A0 =C2=A0 forward only;<br>
    =C2=A0 =C2=A0 =C2=A0 =C2=A0 forwarders {192.168.14.20;};<br>
    };<br>

    I would recommend using secondary zone rather than forward zones for grafti=
    ng on namespaces, just ensure that the all slave servers are receiving NOTI=
    FY messages (use also-notify) so that they receive changes fast.=C2=A0 Fast=
    propagation of changes is needed in a home environment.=C2=A0 Secondary zo=
    ne also provide a break in the DNSSEC chain of trust as far as the recursiv=
    e server is concerned.=C2=A0 They however do not break the DNSSEC chain of = trust for any DNSSEC validating clients of the recursive server.<br>

    zone home.arpa {<br>
    =C2=A0 =C2=A0 =C2=A0 =C2=A0 type secondary;<br>
    =C2=A0 =C2=A0 =C2=A0 =C2=A0 primaries {192.168.14.20;};<br>
    =C2=A0 =C2=A0 =C2=A0 =C2=A0 file =E2=80=9Chome.arpa.db=E2=80=9D;<br>
    =C2=A0 =C2=A0 =C2=A0 =C2=A0 ...<br>
    };<br>

    zone home.arpa {<br>
    =C2=A0 =C2=A0 =C2=A0 =C2=A0 type primary;<br>
    =C2=A0 =C2=A0 =C2=A0 =C2=A0 file =E2=80=9Chome.arpa.db=E2=80=9D;<br>
    =C2=A0 =C2=A0 =C2=A0 =C2=A0 also-notify { address list; };<br>
    =C2=A0 =C2=A0 =C2=A0 =C2=A0 ...<br>
    };<br>

    Also forget any garbage that recursive servers should not also serve zones.= =C2=A0 People have take the advice that listed authoritative servers should= n=E2=80=99t be recursive (which is good advise when serving zones to the pu= blic) and inverted it to come up with bad advice.<br>

    Mark<br>

    &gt; On 18 Jul 2020, at 05:18, Weeltin &lt;<a href=3D"mailto:weeltinl@gmail= .com" target=3D"_blank">weeltinl@gmail.com</a>&gt; wrote:<br>
    &gt; <br>
    &gt; Hello all,<br>
    &gt; <br>
    &gt; I=E2=80=99m trying to implement a DNS structure, containing a recursiv=
    e and authoritative server, but in doing so, I have run into a small proble=
    m. I can make DNS queries from a client toward the net, but when I try to d=
    o the same toward my internal domain, I get no result. I have spent days tr= ying to figure out what is going on, but to no avail, I there for hope that=
    someone on this list can point me in the right direction or right out tell=
    what is wrong.<br>
    &gt; <br>
    &gt; /Weeltin.<br>
    &gt; <br>
    &gt;=C2=A0 =C2=A0-----DIG troubleshoots<br>
    &gt; <br>
    &gt; [weeltin@c1 ~]$ cat /etc/resolv.conf <br>
    &gt; # Generated by NetworkManager<br>
    &gt; nameserver 192.168.14.10<br>
    &gt; <br>
    &gt; [weeltin@c1=C2=A0 ~]$ dig <a href=3D"http://google.com" rel=3D"norefer= rer" target=3D"_blank">google.com</a><br>
    &gt; ; &lt;&lt;&gt;&gt; DiG 9.11.11-RedHat-9.11.11-1.fc31 &lt;&lt;&gt;&gt; =
    <a href=3D"http://google.com" rel=3D"noreferrer" target=3D"_blank">google.c= om</a><br>
    &gt; ;; global options: +cmd<br>
    &gt; ;; Got answer:<br>
    &gt; ;; -&gt;&gt;HEADER&lt;&lt;- opcode: QUERY, status: NOERROR, id: 48932<=

    &gt; ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1<b=

    &gt; <br>
    &gt; ;; OPT PSEUDOSECTION:<br>
    &gt; ; EDNS: version: 0, flags:; udp: 4096<br>
    &gt; ; COOKIE: c1bc4a11c40bd755905c8c705f11f5ffe699cc0116ed8ba5 (good)<br>
    &gt; ;; QUESTION SECTION:<br>
    &gt; ;<a href=3D"http://google.com" rel=3D"noreferrer" target=3D"_blank">go= ogle.com</a>.=C2=A0 IN=C2=A0 =C2=A0 =C2=A0 A<br>
    &gt; <br>
    &gt; ;; ANSWER SECTION:<br>
    &gt; <a href=3D"http://google.com" rel=3D"noreferrer" target=3D"_blank">goo= gle.com</a>.=C2=A0 =C2=A0300=C2=A0 =C2=A0 =C2=A0IN=C2=A0 =C2=A0 =C2=A0 A=C2= =A0 =C2=A0 =C2=A0 =C2=A0216.58.211.142<br>
    &gt; <br>
    &gt; ;; Query time: 179 msec<br>
    &gt; ;; SERVER: 192.168.14.10#53(192.168.14.10)<br>
    &gt; ;; WHEN: Fri Jul 17 15:03:27 EDT 2020<br>
    &gt; ;; MSG SIZE=C2=A0 rcvd: 83<br>
    &gt; <br>
    &gt; <br>
    &gt; [weeltin@c1 ~]$ dig c1.example.home<br>
    &gt; ; &lt;&lt;&gt;&gt; DiG 9.11.11-RedHat-9.11.11-1.fc31 &lt;&lt;&gt;&gt; = c1.example.home<br>
    &gt; ;; global options: +cmd<br>
    &gt; ;; Got answer:<br>
    &gt; ;; -&gt;&gt;HEADER&lt;&lt;- opcode: QUERY, status: NXDOMAIN, id: 62602=

    &gt; ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: = 1<br>
    &gt; <br>
    &gt; ;; OPT PSEUDOSECTION:<br>
    &gt; ; EDNS: version: 0, flags:; udp: 4096<br>
    &gt; ; COOKIE: cf8876e3b35138f47040188e5f11f64a91445aa4f8310f5a (good)<br>
    &gt; ;; QUESTION SECTION:<br>
    &gt; ;c1.example.home.=C2=A0 =C2=A0 =C2=A0IN=C2=A0 =C2=A0 =C2=A0 A<br>
    &gt; <br>
    &gt; ;; AUTHORITY SECTION:<br>
    &gt; .=C2=A0 =C2=A0 =C2=A010800=C2=A0 =C2=A0IN=C2=A0 =C2=A0 =C2=A0 SOA=C2=
    =A0 =C2=A0 =C2=A0<a href=3D"http://a.root-servers.net" rel=3D"noreferrer" t= arget=3D"_blank">a.root-servers.net</a>. <a href=3D"http://nstld.verisign-g= rs.com" rel=3D"noreferrer" target=3D"_blank">nstld.verisign-grs.com</a>. 20= 20071701 1800 900 604800 86400<br>
    &gt; <br>
    &gt; ;; Query time: 263 msec<br>
    &gt; ;; SERVER: 192.168.14.10#53(192.168.14.10)<br>
    &gt; ;; WHEN: Fri Jul 17 15:04:42 EDT 2020<br>
    &gt; ;; MSG SIZE=C2=A0 rcvd: 147<br>
    &gt; <br>
    &gt; <br>
    &gt; <br>
    &gt; [weeltin@c1 ~]$ dig @<a href=3D"http://192.168.14.20" rel=3D"noreferre=
    r" target=3D"_blank">192.168.14.20</a> c1.example.home<br>
    &gt; <br>
    &gt; ; &lt;&lt;&gt;&gt; DiG 9.11.11-RedHat-9.11.11-1.fc31 &lt;&lt;&gt;&gt; = @<a href=3D"http://192.168.14.20" rel=3D"noreferrer" target=3D"_blank">192.= 168.14.20</a> c1.example.home<br>
    &gt; ; (1 server found)<br>
    &gt; ;; global options: +cmd<br>
    &gt; ;; Got answer:<br>
    &gt; ;; -&gt;&gt;HEADER&lt;&lt;- opcode: QUERY, status: NOERROR, id: 20704<=

    &gt; ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1<b=

    &gt; ;; WARNING: recursion requested but not available<br>
    &gt; <br>
    &gt; ;; OPT PSEUDOSECTION:<br>
    &gt; ; EDNS: version: 0, flags:; udp: 4096<br>
    &gt; ; COOKIE: 747289c94876cf349034aec35f11f794a29c6747bb6a694f (good)<br>
    &gt; ;; QUESTION SECTION:<br>
    &gt; ;c1.example.home.=C2=A0 =C2=A0 =C2=A0IN=C2=A0 =C2=A0 =C2=A0 A<br>
    &gt; <br>
    &gt; ;; ANSWER SECTION:<br>
    &gt; c1.example.home.=C2=A0 =C2=A0 =C2=A0 604800=C2=A0 IN=C2=A0 =C2=A0 =C2=
    =A0 A=C2=A0 =C2=A0 =C2=A0 =C2=A0192.168.14.1<br>
    &gt; <br>
    &gt; ;; Query time: 0 msec<br>
    &gt; ;; SERVER: 192.168.14.20#53(192.168.14.20)<br>
    &gt; ;; WHEN: Fri Jul 17 15:10:12 EDT 2020<br>
    &gt; ;; MSG SIZE=C2=A0 rcvd: 88<br>
    &gt; <br>
    &gt; <br>
    &gt; <br>
    &gt; <br>
    &gt; <br>
    &gt; ----- informations and configurations ----<br>
    &gt; <br>
    &gt; OS: Alpine 3.12<br>
    &gt; <br>
    &gt; Bind: bind 9.14.12<br>
    &gt; <br>
    &gt;=C2=A0 <br>
    &gt; Ns1: 192.168.14.10 (recursive)<br>
    &gt; <br>
    &gt; Ns2: 192.168.14.20 (authoritative)<br>
    &gt; <br>
    &gt; C1: 192.168.14.1 (client)<br>
    &gt; <br>
    &gt;=C2=A0 <br>
    &gt; --- recursive config (NS1)<br>
    &gt; <br>
    &gt; // recursive named.conf<br>
    &gt; //<br>
    &gt; <br>
    &gt; acl trusted {<br>
    &gt; <br>
    &gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0<a href=3D"http://192.168.14.0/24" re= l=3D"noreferrer" target=3D"_blank">192.168.14.0/24</a>;<br>
    &gt; <br>
    &gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0localhost;<br>
    &gt; <br>
    &gt; };<br>
    &gt; <br>
    &gt; <br>
    &gt; acl rfc1918 {<br>
    &gt; <br>
    &gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0<a href=3D"http://10.0.0.0/8" rel=3D"= noreferrer" target=3D"_blank">10.0.0.0/8</a>;<br>
    &gt; <br>
    &gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0<a href=3D"http://172.16.0.0/12" rel= =3D"noreferrer" target=3D"_blank">172.16.0.0/12</a>;<br>
    &gt; <br>
    &gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0!<a href=3D"http://192.168.14.0/24" r= el=3D"noreferrer" target=3D"_blank">192.168.14.0/24</a>;<br>
    &gt; <br>
    &gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0<a href=3D"http://192.168.0.0/16" rel= =3D"noreferrer" target=3D"_blank">192.168.0.0/16</a>;<br>
    &gt; <br>
    &gt; };<br>
    &gt; <br>
    &gt; <br>
    &gt; acl rfc5735 {<br>
    &gt; <br>
    &gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0<a href=3D"http://0.0.0.0/8" rel=3D"n= oreferrer" target=3D"_blank">0.0.0.0/8</a>;<br>
    &gt; <br>
    &gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0<a href=3D"http://169.254.0.0/16" rel= =3D"noreferrer" target=3D"_blank">169.254.0.0/16</a>;<br>
    &gt; <br>
    &gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0<a href=3D"http://192.0.0.0/24" rel= =3D"noreferrer" target=3D"_blank">192.0.0.0/24</a>;<br>
    &gt; <br>
    &gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0<a href=3D"http://192.0.2.0/24" rel= =3D"noreferrer" target=3D"_blank">192.0.2.0/24</a>;<br>
    &gt; <br>
    &gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0<a href=3D"http://192.88.99.0/24" rel= =3D"noreferrer" target=3D"_blank">192.88.99.0/24</a>;<br>
    &gt; <br>
    &gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0<a href=3D"http://198.18.0.0/15" rel= =3D"noreferrer" target=3D"_blank">198.18.0.0/15</a>;<br>
    &gt; <br>
    &gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0<a href=3D"http://198.51.100.0/24" re= l=3D"noreferrer" target=3D"_blank">198.51.100.0/24</a>;<br>
    &gt; <br>
    &gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0<a href=3D"http://203.0.113.0/24" rel= =3D"noreferrer" target=3D"_blank">203.0.113.0/24</a>;<br>
    &gt; <br>
    &gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0<a href=3D"http://224.0.0.0/4" rel=3D= "noreferrer" target=3D"_blank">224.0.0.0/4</a>;<br>
    &gt; <br>
    &gt; };<br>
    &gt; <br>
    &gt; <br>
    &gt; options {<br>
    &gt; <br>
    &gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0directory &quot;/var/bind&quot;;<br>
    &gt; <br>
    &gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0listen-on {<br>
    &gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0127.0.0.1= ;<br>
    &gt; <br>
    &gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0192.168.1= 4.10;<br>
    &gt; <br>
    &gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0};<br>
    &gt; <br>
    &gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0listen-on-v6 {<br>
    &gt; <br>
    &gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0none;<br> &gt; <br>
    &gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0};<br>
    &gt; <br>
    &gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 allow-query {<br>
    &gt; <br>
    &gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0trusted;<=

    &gt; <br>
    &gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0};<br>
    &gt; <br>
    &gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 //query-source address * port 53;<br=

    &gt; <br>
    &gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 allow-query-cache {<br>
    &gt; <br>
    &gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0trusted;<=

    &gt; <br>
    &gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0};<br>
    &gt; <br>
    &gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 blackhole {<br>
    &gt; <br>
    &gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0rfc1918;<=

    &gt; <br>
    &gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0rfc5735;<=

    &gt; <br>
    &gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0};<br>
    &gt; <br>
    &gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 allow-transfer {<br>
    &gt; <br>
    &gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0none;<br> &gt; <br>
    &gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0};<br>
    &gt; <br>
    &gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0pid-file &quot;/var/run/named/named.p= id&quot;;<br>
    &gt; <br>
    &gt; <br>
    &gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0// Changing this is NOT RECOMMENDED; = see the notes above and in<br>
    &gt; <br>
    &gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0// named.conf.recursive.<br>
    &gt; <br>
    &gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0allow-recursion {<br>
    &gt; <br>
    &gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0trusted;<=

    &gt; <br>
    &gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0};<br>
    &gt; <br>
    &gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0recursion yes;<br>
    &gt; <br>
    &gt; };<br>
    &gt; <br>
    &gt; zone &quot;.&quot; IN {<br>
    &gt; <br>
    &gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0type hint;<br>
    &gt; <br>
    &gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0file &quot;root.cache&quot;;<br>
    &gt; <br>
    &gt; };<br>
    &gt; <br>
    &gt; <br>
    &gt; zone &quot;localhost&quot; IN {<br>
    &gt; <br>
    &gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0type master;<br>
    &gt; <br>
    &gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0file &quot;pri/localhost.zone&quot;;<=

    &gt; <br>
    &gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0allow-update { none; };<br>
    &gt; <br>
    &gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0notify no;<br>
    &gt; <br>
    &gt; };<br>
    &gt; <br>
    &gt; <br>
    &gt; zone &quot;127.in-addr.arpa&quot; IN {<br>
    &gt; <br>
    &gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0type master;<br>
    &gt; <br>
    &gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0file &quot;pri/127.zone&quot;;<br>
    &gt; <br>
    &gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0allow-update { none; };<br>
    &gt; <br>
    &gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0notify no;<br>
    &gt; <br>
    &gt; };<br>
    &gt; <br>
    &gt; <br>
    &gt; zone &quot;example.home&quot; {<br>
    &gt; <br>
    &gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0type forward;<br>
    &gt; <br>
    &gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 = =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 forwarders { 192.168.14.20=
    ; };<br>
    &gt; <br>
    &gt; };<br>
    &gt; <br>
    &gt; <br>
    &gt; <br>
    &gt; ---=C2=A0 authoritative config (NS2) <br>
    &gt; // authoritative named.conf<br>
    &gt; //<br>
    &gt; acl trusted {<br>
    &gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0<a href=3D"http://192.168.14.0/24" re= l=3D"noreferrer" target=3D"_blank">192.168.14.0/24</a>;<br>
    &gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0localhost;<br>
    &gt; };<br>
    &gt; <br>
    &gt; acl rfc1918 {<br>
    &gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0<a href=3D"http://10.0.0.0/8" rel=3D"= noreferrer" target=3D"_blank">10.0.0.0/8</a>;<br>
    &gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0<a href=3D"http://172.16.0.0/12" rel= =3D"noreferrer" target=3D"_blank">172.16.0.0/12</a>;<br>
    &gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0!<a href=3D"http://192.168.14.0/24" r= el=3D"noreferrer" target=3D"_blank">192.168.14.0/24</a>;<br>
    &gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0<a href=3D"http://192.168.0.0/16" rel= =3D"noreferrer" target=3D"_blank">192.168.0.0/16</a>;<br>
    &gt; };<br>
    &gt; <br>
    &gt; acl rfc5735 {<br>
    &gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0<a href=3D"http://0.0.0.0/8" rel=3D"n= oreferrer" target=3D"_blank">0.0.0.0/8</a>;<br>
    &gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0<a href=3D"http://169.254.0.0/16" rel= =3D"noreferrer" target=3D"_blank">169.254.0.0/16</a>;<br>
    &gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0<a href=3D"http://192.0.0.0/24" rel= =3D"noreferrer" target=3D"_blank">192.0.0.0/24</a>;<br>
    &gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0<a href=3D"http://192.0.2.0/24" rel= =3D"noreferrer" target=3D"_blank">192.0.2.0/24</a>;<br>
    &gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0<a href=3D"http://192.88.99.0/24" rel= =3D"noreferrer" target=3D"_blank">192.88.99.0/24</a>;<br>
    &gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0<a href=3D"http://198.18.0.0/15" rel= =3D"noreferrer" target=3D"_blank">198.18.0.0/15</a>;<br>
    &gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0<a href=3D"http://198.51.100.0/24" re= l=3D"noreferrer" target=3D"_blank">198.51.100.0/24</a>;<br>
    &gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0<a href=3D"http://203.0.113.0/24" rel= =3D"noreferrer" target=3D"_blank">203.0.113.0/24</a>;<br>
    &gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0<a href=3D"http://224.0.0.0/4" rel=3D= "noreferrer" target=3D"_blank">224.0.0.0/4</a>;<br>
    &gt; };<br>
    &gt; <br>
    &gt; options {<br>
    &gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0directory &quot;/var/bind&quot;;<br>
    &gt; <br>
    &gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0// Configure the IPs to listen on her= e.<br>
    &gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0listen-on {<br>
    &gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0127.0.0.1= ;<br>
    &gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0192.168.1= 4.20;<br>
    &gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0};<br>
    &gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0listen-on-v6 {<br>
    &gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0none;<br> &gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0};<br>
    &gt; <br>
    &gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0allow-query {<br>
    &gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0trusted;<=

    &gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0};<br>
    &gt; <br>
    &gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0//query-source address * port 53;<br> &gt; <br>
    &gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0allow-query-cache {<br>
    &gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0trusted;<=

    &gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0};<br>
    &gt; <br>
    &gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0blackhole { <br>
    &gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0rfc5735;<=

    &gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0rfc1918;<=

    &gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0};<br>
    &gt; <br>
    &gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0allow-transfer {<br>
    &gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0none;<br> &gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0};<br>
    &gt; <br>
    &gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0// Cryptographic authentication of DN=
    S information <br>
    &gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0// ENABLE LATER<br>
    &gt;=C2=A0 =C2=A0 =C2=A0//dnssec-enable yes;<br>
    &gt;=C2=A0 =C2=A0 =C2=A0//dnssec-validation yes;<br>
    &gt; <br>
    &gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0pid-file &quot;/var/run/named/named.p= id&quot;;<br>
    &gt; <br>
    &gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0// Changing this is NOT RECOMMENDED f=
    or a authoritative nameserver<br>
    &gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0allow-recursion { none; };<br>
    &gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0recursion no;<br>
    &gt; };<br>
    &gt; <br>
    &gt; zone &quot;example.home&quot; {<br>
    &gt;=C2=A0 =C2=A0type master;<br>
    &gt;=C2=A0 =C2=A0file &quot;/etc/bind/db.example.home.zone&quot;;<br>
    &gt; };<br>
    &gt; <br>
    &gt; zone &quot;14.168.192.in-addr.arpa&quot; {<br>
    &gt;=C2=A0 =C2=A0type master;<br>
    &gt;=C2=A0 =C2=A0file &quot;/etc/bind/db.14.168.192.zone&quot;;<br>
    &gt; };<br>
    &gt; <br>
    &gt; <br>
    &gt; <br>
    &gt; ; ZONE file for example.home.<br>
    &gt; ;<br>
    &gt; $TTL=C2=A0 604800<br>
    &gt; @=C2=A0 =C2=A0 =C2=A0IN=C2=A0 =C2=A0 =C2=A0 SOA=C2=A0 =C2=A0 =C2=A0ns2= .example.home. hostmaster.example.home. (<br>
    &gt; 2=C2=A0 =C2=A0 =C2=A0; Serial<br>
    &gt; 604800=C2=A0 =C2=A0 =C2=A0 =C2=A0 ; Refresh 1week<br>
    &gt; 86400 ; Retry<br>
    &gt; 2419200=C2=A0 =C2=A0 =C2=A0 =C2=A0; Expire 28days<br>
    &gt; 604800=C2=A0 =C2=A0 =C2=A0 =C2=A0 ; Negative Cache TTL<br>
    &gt; )<br>
    &gt; ;; name servers (NS)<br>
    &gt; ;; only authoritative servers<br>
    &gt; @=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0IN=C2=A0 =C2=A0 =C2=
    =A0 NS=C2=A0 =C2=A0 =C2=A0 ns2.example.home.<br>
    &gt; ns2=C2=A0 =C2=A0IN=C2=A0 =C2=A0 =C2=A0 A=C2=A0 =C2=A0 =C2=A0 =C2=A0192= .168.14.20<br>
    &gt; ;; hosts (A)<br>
    &gt; ns1=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0IN=C2=A0 A=C2=A0 =C2=A0192.168.14= .10<br>
    &gt; c1=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 IN=C2=A0 A=C2=A0 =C2=A0192.168.14= .1<br>
    &gt; <br>
    &gt; ;; alias (CNAME)<br>
    &gt; client IN=C2=A0 =C2=A0 =C2=A0CNAME=C2=A0 =C2=A0c1<br>
    &gt; <br>
    &gt; <br>
    &gt; <br>
    &gt; ; ZONE file for 14.168.192.in-addr.arpa.<br>
    &gt; ;<br>
    &gt; $TTL=C2=A0 604800<br>
    &gt; @=C2=A0 =C2=A0 =C2=A0IN=C2=A0 =C2=A0 =C2=A0 SOA=C2=A0 =C2=A0 =C2=A0ns2= .example.home. hostmaster.example.home. (<br>
    &gt; 1=C2=A0 =C2=A0; Serial<br>
    &gt; 604800=C2=A0 =C2=A0 =C2=A0 =C2=A0 ; Refresh 1week<br>
    &gt; 86400 ; Retry<br>
    &gt; 2419200=C2=A0 =C2=A0 =C2=A0 =C2=A0; Expire 28days<br>
    &gt; 604800=C2=A0 =C2=A0 =C2=A0 =C2=A0 ; Negative Cache TTL<br>
    &gt; )<br>
    &gt; ;; name servers (NS)<br>
    &gt; ;; only authoritative servers<br>
    &gt; @=C2=A0 =C2=A0IN=C2=A0 =C2=A0 =C2=A0 =C2=A0 NS=C2=A0 =C2=A0 =C2=A0 ns2= .example.home.<br>
    &gt; 20=C2=A0 IN=C2=A0 =C2=A0 =C2=A0 =C2=A0 PTR=C2=A0 =C2=A0 =C2=A0ns2.exam= ple.home.<br>
    &gt; ;; pointer records (PTR)<br>
    &gt; 1=C2=A0 =C2=A0IN=C2=A0 PTR=C2=A0 =C2=A0c1.example.home.<br>
    &gt; 10=C2=A0 IN=C2=A0 PTR=C2=A0 =C2=A0ns1.example.home.<br>
    &gt; <br>
    &gt; _______________________________________________<br>
    &gt; Please visit <a href=3D"https://lists.isc.org/mailman/listinfo/bind-us= ers" rel=3D"noreferrer" target=3D"_blank">https://lists.isc.org/mailman/lis= tinfo/bind-users</a> to unsubscribe from this list<br>
    &gt; <br>
    &gt; ISC funds the development of this software with paid support subscript= ions. Contact us at <a href=3D"https://www.isc.org/contact/" rel=3D"norefer= rer" target=3D"_blank">https://www.isc.org/contact/</a> for more informatio= n.<br>
    &gt; <br>
    &gt; <br>
    &gt; bind-users mailing list<br>
    &gt; <a href=3D"mailto:bind-users@lists.isc.org" target=3D"_blank">bind-use= rs@lists.isc.org</a><br>
    &gt; <a href=3D"https://lists.isc.org/mailman/listinfo/bind-users" rel=3D"n= oreferrer" target=3D"_blank">https://lists.isc.org/mailman/listinfo/bind-us= ers</a><br>

    -- <br>
    Mark Andrews, ISC<br>
    1 Seymour St., Dundas Valley, NSW 2117, Australia<br>
    PHONE: +61 2 9871 4742=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 INTE= RNET: <a href=3D"mailto:marka@isc.org" target=3D"_blank">marka@isc.org</a><=


    </blockquote></div>

    --0000000000000a9b0e05aae10e77--
    --- Synchronet 3.18a-Linux NewsLink 1.113
  • From Weeltin@weeltinl@gmail.com to Josh Kuo on Mon Jul 20 17:47:05 2020
    From Newsgroup: comp.protocols.dns.bind

    --000000000000d1749405aae16b98
    Content-Type: text/plain; charset="UTF-8"
    Content-Transfer-Encoding: quoted-printable

    Hi Josh,

    Thanks for your answer, it made me go trough all the config again, just to
    make sure that it wasnt pointing to the authoritative server anywhere but
    in the configuration of the recursive server

    I saw that "=E2=80=9Crecursion requested but not available" when i send the=
    query
    against the authoritative. Kind a expected that, since it aint allowed to
    do recursion.

    as requested i made the dig on the the authoritative server i get the
    correct answer, so i expect it has loaded the zonefiles correctly.

    ns2:/home/weeltin# dig @127.0.0.01 example.home

    ; <<>> DiG 9.14.12 <<>> @127.0.0.01 example.home
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45487
    ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
    ;; WARNING: recursion requested but not available

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ; COOKIE: b9129ece5d9fbc3e6f01a2215f15a461388d4af048be37fa (good)
    ;; QUESTION SECTION:
    ;example.home. IN A

    ;; AUTHORITY SECTION:
    example.home. 604800 IN SOA ns2.example.home. hostmaster.example.home. 2
    604800 86400 2419200 604800

    ;; Query time: 0 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ;; WHEN: Mon Jul 20 14:04:17 UTC 2020
    ;; MSG SIZE rcvd: 120


    just to be sure, i rand the dig command again on my client

    [weeltin@c1 ~]$ dig c1.example.home

    ; <<>> DiG 9.11.11-RedHat-9.11.11-1.fc31 <<>> c1.example.home
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1787
    ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ; COOKIE: 862cc48a975a32a324cd14e65f15ba5e3f2c972d1f753586 (good)
    ;; QUESTION SECTION:
    ;c1.example.home. IN A

    ;; AUTHORITY SECTION:
    . 10800 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2020072000 1800
    900 604800 86400

    ;; Query time: 1043 msec
    ;; SERVER: 192.168.14.10#53(192.168.14.10)
    ;; WHEN: Mon Jul 20 11:38:06 EDT 2020
    ;; MSG SIZE rcvd: 147


    Log output from NS1 (recursive)
    <truncate>
    Jul 20 15:38:05 ns1 daemon.info named[4022]: validating example.home/SOA:
    got insecure response; parent indicates it should be secure
    Jul 20 15:38:05 ns1 daemon.info named[4022]: no valid RRSIG resolving 'c1.example.home/DS/IN': 192.168.14.20#53
    Jul 20 15:38:06 ns1 daemon.info named[4022]: insecurity proof failed
    resolving 'c1.example.home/A/IN': 192.168.14.20#53
    </truncate>

    and there is no log entries on the authoritative server

    /Weeltin

    On Sun, Jul 19, 2020 at 6:05 AM Josh Kuo <josh.kuo@gmail.com> wrote:

    When querying your internal domain, I see the query actually ends with =E2=80=9Crecursion requested but not available=E2=80=9D, it looks like yo=
    u are querying
    directly against your auth server, so I would check the setting to ensure
    the zone file is actually loaded correctly.

    What Mark answered is assuming you are querying the recursive which then returned SERVFAIL due to DNSSEC validation, but I do not see that in the information you provided.

    Can you run dig on the auth server itself, dig @ 127.0.0.1 for
    example.home, and see what it returns?




    --000000000000d1749405aae16b98
    Content-Type: text/html; charset="UTF-8"
    Content-Transfer-Encoding: quoted-printable

    <div dir=3D"ltr"><div dir=3D"ltr">Hi Josh,<br><br>Thanks for your answer, i=
    t made me go trough all the config again, just to make sure that it wasnt p= ointing to the authoritative server anywhere but in the configuration of th=
    e recursive server<br><br>I saw that &quot;=E2=80=9Crecursion requested but=
    not available&quot; when i send the query against the authoritative. Kind =
    a expected that, since it aint allowed to do recursion.<br><br>as requested=
    i made the dig on the the authoritative server i get the correct answer, s=
    o i expect it has loaded the zonefiles correctly. <br><br>ns2:/home/weeltin=
    # dig @<a href=3D"http://127.0.0.01">127.0.0.01</a> example.home<br><br>; &= lt;&lt;&gt;&gt; DiG 9.14.12 &lt;&lt;&gt;&gt; @<a href=3D"http://127.0.0.01"= >127.0.0.01</a> example.home<br>; (1 server found)<br>;; global options: +c= md<br>;; Got answer:<br>;; -&gt;&gt;HEADER&lt;&lt;- opcode: QUERY, status: = NOERROR, id: 45487<br>;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1=
    , ADDITIONAL: 1<br>;; WARNING: recursion requested but not available<br><br= >;; OPT PSEUDOSECTION:<br>; EDNS: version: 0, flags:; udp: 4096<br>; COOKIE=
    : b9129ece5d9fbc3e6f01a2215f15a461388d4af048be37fa (good)<br>;; QUESTION SE= CTION:<br>;example.home. IN A<br><br>;; AUTHORITY SECTION:<br>example.hom=
    e. 604800 IN SOA ns2.example.home. hostmaster.example.home. 2 604800 86400=
    2419200 604800<br><br>;; Query time: 0 msec<br>;; SERVER: 127.0.0.1#53(127= .0.0.1)<br>;; WHEN: Mon Jul 20 14:04:17 UTC 2020<br>;; MSG SIZE =C2=A0rcvd:=
    120<br><br><br>just to be sure, i rand the dig command again on my client<= br><br>[weeltin@c1 ~]$ dig c1.example.home<br><br>; &lt;&lt;&gt;&gt; DiG 9.= 11.11-RedHat-9.11.11-1.fc31 &lt;&lt;&gt;&gt; c1.example.home<br>;; global o= ptions: +cmd<br>;; Got answer:<br>;; -&gt;&gt;HEADER&lt;&lt;- opcode: QUERY=
    , status: NXDOMAIN, id: 1787<br>;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0,=
    AUTHORITY: 1, ADDITIONAL: 1<br><br>;; OPT PSEUDOSECTION:<br>; EDNS: versio=
    n: 0, flags:; udp: 4096<br>; COOKIE: 862cc48a975a32a324cd14e65f15ba5e3f2c97= 2d1f753586 (good)<br>;; QUESTION SECTION:<br>;c1.example.home. IN A<br><br=
    ;; AUTHORITY SECTION:<br>. 10800 IN SOA <a href=3D"http://a.root-servers=
    .net">a.root-servers.net</a>. <a href=3D"http://nstld.verisign-grs.com">nst= ld.verisign-grs.com</a>. 2020072000 1800 900 604800 86400<br><br>;; Query t= ime: 1043 msec<br>;; SERVER: 192.168.14.10#53(192.168.14.10)<br>;; WHEN: Mo=
    n Jul 20 11:38:06 EDT 2020<br>;; MSG SIZE =C2=A0rcvd: 147<br><br><br>Log ou= tput from NS1 (recursive)<br>&lt;truncate&gt;<br>Jul 20 15:38:05 ns1 <a hre= f=3D"http://daemon.info">daemon.info</a> named[4022]: =C2=A0 validating exa= mple.home/SOA: got insecure response; parent indicates it should be secure<= br>Jul 20 15:38:05 ns1 <a href=3D"http://daemon.info">daemon.info</a> named= [4022]: no valid RRSIG resolving &#39;c1.example.home/DS/IN&#39;: 192.168.1= 4.20#53<br>Jul 20 15:38:06 ns1 <a href=3D"http://daemon.info">daemon.info</=
    named[4022]: insecurity proof failed resolving &#39;c1.example.home/A/IN=
    &#39;: 192.168.14.20#53<br>&lt;/truncate&gt;<br><br>and there is no log ent= ries on the authoritative server</div><div dir=3D"ltr"><br></div><div>/Weel= tin<br></div><br><div class=3D"gmail_quote"><div dir=3D"ltr" class=3D"gmail= _attr">On Sun, Jul 19, 2020 at 6:05 AM Josh Kuo &lt;<a href=3D"mailto:josh.= kuo@gmail.com">josh.kuo@gmail.com</a>&gt; wrote:<br></div><blockquote class= =3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rg= b(204,204,204);padding-left:1ex"><div><div dir=3D"auto">When querying your = internal domain, I see the query actually ends with =E2=80=9Crecursion requ= ested but not available=E2=80=9D, it looks like you are querying directly a= gainst your auth server, so I would check the setting to ensure the zone fi=
    le is actually loaded correctly.</div><div dir=3D"auto"><br></div><div dir= =3D"auto">What Mark answered is assuming you are querying the recursive whi=
    ch then returned SERVFAIL due to DNSSEC validation, but I do not see that i=
    n the information you=C2=A0provided.=C2=A0</div><div dir=3D"auto"><br></div= ><div dir=3D"auto">Can you run dig on the auth server itself, dig @ 127.0.0=
    .1 for example.home, and see what it returns?</div></div><div><br><div clas= s=3D"gmail_quote"><br></div></div>
    </blockquote></div></div>

    --000000000000d1749405aae16b98--
    --- Synchronet 3.18a-Linux NewsLink 1.113
  • From John W. Blue@john.blue@rrcic.com to bind-users@lists.isc.org on Mon Jul 20 16:40:06 2020
    From Newsgroup: comp.protocols.dns.bind

    --_000_7e1ba3fe933b471d93c5defc7ea72cf1mailrrciccom_
    Content-Type: text/plain; charset="utf-8"
    Content-Transfer-Encoding: base64

    SSBwZXJzb25hbGx5IGdyZWF0bHkgZGlzbGlrZSAubG9jYWwgb3IgYW55IG90aGVyIFRMRCB0aGF0 IGlzIHVzZWQgaW4gYSBub24tc3RhbmRhcmQgd2F5IC4gIE1vc3RseSBiZWNhdXNlIGl0IHBvdGVu dGlhbGx5IGRvZXMgbm90IGFsbG93IGZvciBmdXR1cmUgY2hhbmdlcyB0byBiZSBtYWRlIHdpdGhv dXQgcGFpbiBhbmQgc3VmZmVyaW5nLg0KDQpTbyBtYW55IGNvbXBhbmllcyBoYXZlIGhhZCBBY3Rp dmUgRGlyZWN0b3J5IGRvbWFpbnMgYnVpbHQgb24gLmxvY2FsIHdobyB0aGVuIGRlY2lkZSB0aGV5 IG5vdyB3YW50IGFuIEV4Y2hhbmdlIHNlcnZlci4gIE5vdyB5b3UgY2Fubm90IGV2ZW4gZ2V0IGFu IFNTTCBjZXJ0IGZvciAubG9jYWwuDQoNCldoYXQgaXMgdGhlIGNoZWFwZXN0IHlvdSBjYW4gZ2V0 IGEgcmVnaXN0ZXJlZCBkb21haW4gbmFtZSBmb3I/ICBMb29raW5nIGF0IG15IGNsb3VkZmxhcmUu Y29tIGRhc2hib2FyZCBhIC5jb20gY29zdHMgJDcuODUgVVNEIHdpdGggLjE4IGNlbnRzIHRvIElD QU5OIGZvciBhIHRvdGFsIG9mICQ4LjAzIFVTRC4NCg0KRG8geW91cnNlbGYgYSBmYXZvciAuLiBn ZXQgeW91cnNlbGYgYSBsZWdpdCBkb21haW4gbmFtZS4gIElmIHlvdSB3YW50IHRvIHN0YXJ0IG1l c3NpbmcgYXJvdW5kIHdpdGggZW1haWwgdGhlbiB5b3UgYXJlIHNldC4gIElmIHlvdSB3YW50IHRv IGxlYXJuIEROU1NFQyB0aGVuIHlvdSBhcmUgc2V0Lg0KDQpJZiB5b3Ugc2V0dXAgYW4gZW1haWwg c2VydmVyIGRvbuKAmXQgZm9yZ2V0IHRvIGNvbmZpZ3VyZSBETlMgVFhUIHJlY29yZHMgZm9yIFNQ RiBhbmQgRE1BUkMuDQoNCkpvaG4NCg0KRnJvbTogYmluZC11c2VycyBbbWFpbHRvOmJpbmQtdXNl cnMtYm91bmNlc0BsaXN0cy5pc2Mub3JnXSBPbiBCZWhhbGYgT2YgV2VlbHRpbg0KU2VudDogTW9u ZGF5LCBKdWx5IDIwLCAyMDIwIDEwOjIxIEFNDQpUbzogTWFyayBBbmRyZXdzDQpDYzogYmluZC11 c2Vyc0BsaXN0cy5pc2Mub3JnDQpTdWJqZWN0OiBSZTogRE5TIGVycm9yLCBmcm9tIGEgbmV3YmVl IHRvIHRoZSByZWFsIGV4cGVydHMuLg0KDQpIZWxsbyBNYXJrLA0KDQpUaGFua3MgZm9yIHlvdXIg YW5zd2VyLCBpdCBnYXZlIG1lIGEgbG90IHRvIHRoaW5rIGFib3V0Lg0KDQpJIGhhdmUgYmVlbiBy ZWFkaW5nIGFib3V0IHRoZSAidmFsaWRhdGUtZXhjZXB0IiBjb21tYW5kLCBidXQgY2FuJ3QgZ2V0 IG15c2VsZiB0byB1c2UgYSBjb21tYW5kIHRoYXQgaXMgbm90IHJlY29tbWVuZGVkLg0KDQpJIGRp ZCBhIGxvdCBvZiByZXNlYXJjaCwgYmVmb3JlIEkgd2VudCBmb3IgdGhlIC5ob21lIGRvbWFpbi4g SSBkaWRuJ3Qgd2FudCB0byBlbmQgdXAgd2l0aCBhIGRvbWFpbiB0aGF0IHBvdGVudGlhbGx5IGNv dWxkIGNvbmZsaWN0IHdpdGggYSBkb21haW4gb24gdGhlIGludGVybmV0Lg0KVGhhdCBtZW50IHRo YXQgSSBoYWQgdG8gcmVhZCBhIGxvdCBvZiByZXBvcnRzLCBtb3N0IG9mIHRoZW0gZnJvbSBJQ0FO Tiwgb2YgdGhlbSBmcm9tIGJhY2sgaW4gRmViIDIwMTgoKiksIHJlcG9ydGVkIHRoYXQgLmhvbWUg KC5jb3JwIGFuZCAubWFpbCkgd291bGQgbm90IGJlIHNvbGQgYW5kIGF2YWlsYWJsZSBvbiB0aGUg aW50ZXJuZXQuDQppIGRpZG4ndCBrbm93IGFib3V0IHRoZSBpbnNlY3VyZSBkZWxlZ2F0aW9uIHRv IGJyZWFrIHRoZSBETlNTRUMsIHNvIGl0IG1pZ2h0IGJlIHdvcnRoIGl0IHRvIHN3aXRjaCB0byAu aG9tZS5hcnBhLCBldmVuIHRob3VnaCBJIGhhZCBob3BlZCB0byBrZWVwIHRoZSBkb21haW4gbmFt ZSB0byAxIHRpZXIuDQoNCkkgaGF2ZSBiZWVuIGxlYXJuaW5nIHRoYXQgdGhlIEROUyBzdHJ1Y3R1 cmUgbmVlZHMgdG8gaGF2ZSBhIHJlY3Vyc2l2ZSBhbmQgYW4gYXV0aG9yaXRhdGl2ZSBzZXJ2ZXIs IHRvIGJlIG1vcmUgZXhhY3QgMiBvZiBlYWNoIGZvciBmYWlsb3ZlciBwdXJwb3NlcywgaWYgeW91 IHdhbnQgYSByZWxpYWJsZSBhbmQgc2VjdXJlIEROUyBzdHJ1Y3R1cmUuIG15IHBsYW4gd2FzL2lz IHRvIGNvbmZpZ3VyZSBmYWlsb3ZlciBzZXJ2ZXJzIHdoZW4gaSBnb3QgdGhpcyBzdHJ1Y3R1cmUg dG8gd29yay4uDQoNCnNvIHdoZW4gaSBhbSBhIGxpdHRsZSBiaXQgY29uZnVzZWQgYW5kICB3aGVu IHJlYWRpbmcgdGhhdCAiZm9yd2FyZCB6b25lcyIgaXMgbm90IHJlY29tbWVuZGVkLiBhbnkgbGlu a3MgdG8gcHVibGljYXRpb25zIGFib3V0IHRoaXM/DQphbHNvLCBjb3VsZCBpIGdldCB5b3UgdG8g ZXhwbGFpbiB0aGUgbGFzdCBzdGF0ZW1lbnQgaW4geW91ciByZXBseS4gQXMgSSB3YW50IHRvIGlt cGxlbWVudCBhIEROUyBzdHJ1Y3R1cmUgdGhhdCBmb2xsb3dzIGJlc3QgcHJhY3RpY2VzIGFuZCBo b3BlZnVsbHkgaXMgc2VjdXJlLCBJIHdhbnQgdG8gbGVhcm4gYWJvdXQgdGhlIHJlYXNvbnMgZm9y IHRoaXMuDQoNCigqKSBodHRwczovL3d3dy5pY2Fubi5vcmcvcmVzb3VyY2VzL2JvYXJkLW1hdGVy aWFsL3Jlc29sdXRpb25zLTIwMTgtMDItMDQtZW4jMi5jDQoNCi9XZWVsdGluDQoNCg0KDQpPbiBT dW4sIEp1bCAxOSwgMjAyMCBhdCAzOjEwIEFNIE1hcmsgQW5kcmV3cyA8bWFya2FAaXNjLm9yZzxt YWlsdG86bWFya2FAaXNjLm9yZz4+IHdyb3RlOg0KWW91ciBwcm9ibGVtIGNvbWVzIGZyb20gdGhl IGZhY3QgdGhhdCBCSU5EIDkuMTQgaGFzIEROU1NFQyB2YWxpZGF0aW9uIGVuYWJsZWQgYnkgZGVm YXVsdCAodW5sZXNzIGRpc2FibGVkIGF0IGNvbmZpZ3VyZSB0aW1lIG9yIGluIG5hbWVkLmNvbmYp IGFuZCB0aGUgYW5zd2VycyBmcm9tIHRoZSBncmFmdGVkIG9uIG5hbWVzcGFjZSAoLmhvbWUpIGZh aWwgRE5TU0VDIHZhbGlkYXRpb24gYXMgdGhlcmUgaXMgbm90IGEgaW5zZWN1cmUgZGVsZWdhdGlv biBmb3IgLmhvbWUgdG8gYnJlYWsgdGhlIEROU1NFQyBjaGFpbiBvZiB0cnVzdC4gIFlvdSBjYW4g dXNlIHZhbGlkYXRlLWV4Y2VwdCB0byB0ZWFjaCB0aGVyZSByZWN1cnNpdmUgc2VydmVyIHRvIG5v dCB2YWxpZGF0ZSBwYXJ0cyBvZiB0aGUgbmFtZXNwYWNlIGJ1dCBpdCBpcyBOT1QgUkVDT01NRU5E RUQgYXMgaXQgZG9lc27igJl0IGhlbHAgdmFsaWRhdGluZyBjbGllbnRzLg0KDQplLmcuDQoNCnZh bGlkYXRlLWV4Y2VwdCB7IGhvbWU7IH07DQoNCkkgd291bGQgc3RvcCB0cnlpbmcgdG8gdXNlIC5o b21lIGFzIGl0IGhhcyBub3QgYmVlbiBkZWxlZ2F0ZWQgZm9yIGhvbWUgdXNlLiAgVXNlIGhvbWUu YXJwYSBpbnN0ZWFkIHdoaWNoIGhhcyBiZWVuIHJlc2VydmVkIGZvciBob21lIHVzZSBhbmQgaGFz IGEgaW5zZWN1cmUgZGVsZWdhdGlvbiB0byBicmVhayB0aGUgRE5TU0VDIGNoYWluIG9mIHRydXN0 IHBvaW50aW5nIGF0IHNlcnZlcnMgd2hpY2ggb25seSByZXR1cm4gTlhET01BSU4gZm9yIG5hbWVz IHVuZGVyIGhvbWUuYXJwYS4gIFRoaXMgaXMgdGhlIHNhbWUgZGVsZWdhdGlvbiBtb2RlbCB1c2Vk IGZvciB0aGUgUkZDIDE5MTggcmV2ZXJzZSB6b25lLiAgTm90ZSB0aGF0IERTIGlzIGFic2VudCBm cm9tIHRoZSBsaXN0IG9mIHR5cGVzIGF0IHRoZSBkZWxlZ2F0aW9uIHBvaW50IGluIHRoZSBOU0VD IHJlY29yZC4gVGhlcmUgd2FzIGFuIGF0dGVtcHQgbWFkZSB0byBkZWxlZ2F0ZSAuaG9tZSB0aGlz IHdheSBidXQgaXQgZmxvdW5kZXJlZCBvbiBJQ0FOTi9JRVRGIHBvbGl0aWNzLg0KDQplLmcuDQoN CmhvbWUuYXJwYS4gICAgICAgICAgICAgIDE3MjgwMCAgSU4gICAgICBOUyAgICAgIGJsYWNraG9s ZS0xLmlhbmEub3JnPGh0dHA6Ly9ibGFja2hvbGUtMS5pYW5hLm9yZz4uDQpob21lLmFycGEuICAg ICAgICAgICAgICAxNzI4MDAgIElOICAgICAgTlMgICAgICBibGFja2hvbGUtMi5pYW5hLm9yZzxo dHRwOi8vYmxhY2tob2xlLTIuaWFuYS5vcmc+Lg0KaG9tZS5hcnBhLiAgICAgICAgICAgICAgODY0 MDAgICBJTiAgICAgIE5TRUMgICAgaW4tYWRkci5hcnBhLiBOUyBSUlNJRyBOU0VDDQpob21lLmFy cGEuICAgICAgICAgICAgICA4NjQwMCAgIElOICAgICAgUlJTSUcgICBOU0VDIDggMiA4NjQwMCAy MDIwMDczMTEyMDAwMCAyMDIwMDcxODExMDAwMCA1NzE1NiBhcnBhLiBsU3FMTnoxRS82V2tBVURB SkRudm85WDI0OEIrUEFXTTM0czBTMFBKRmpQaTRZTG9FLy82elNSNiBEZ20wVCsycVYyS3Jndlli T3pIVjlaL2xSb3BGeFNFSlNTd29IZ3JVbWZvZlhtSWJRaUtnUUhCaSBnOWR2TDh5ZUptMGNSZTZR TXVNMXEvRC8zK0FuUHY1T1FOQmhDNitVRUErZW5PM0p0RGJ2anIvSCBYZlBQdmZEZm96YWNaa0hQ ZStBWXBKYm1UN3FmSHY4R3cvQmVlTnREZXg5ak1vRGJKMmwwQkxUMSBVVFBLRTkrQWJyaDNSYXdj S0JGM0JiTE5XVTZBaElrT0xaUkFER01qY1pnMU0vSUhVay9yT1dYViBFTVppaGcxKzVJNEdTbWFS RE4walRYOWc1anI4MjJFWmZhWkxtQ0tsY0dZTU1IVk9rTVVBN2swciArdi9acmc9PQ0KDQpJZiB5 b3UgYXJlIHVzaW5nIGZvcndhcmQgem9uZXMgKG5vdCByZWNvbW1lbmRlZCkgc2V0IOKAnGZvcndh cmQgb25seTvigJ0gYXMgeW91IGRvbuKAmXQgd2FudCB0byBmYWxsYmFjayB0byBxdWVyeWluZyBz ZXJ2ZXJzIG9uIHRoZSBnbG9iYWwgSW50ZXJuZXQgd2hlbiBncmFmdGluZyBvbiBuYW1lc3BhY2Uu ICBJZiB5b3UgZG8gdXNlIGEgZm9yd2FyZCB6b25lIHRoZW4gdGhlIHNlcnZlcnMgYmVpbmcgZm9y d2FyZGVkIHRvIG5lZWQgdG8gZWl0aGVyIGEpIHNlcnZlIHRoZSAqZW50aXJlKiBuYW1lc3BhY2Ug dW5kZXIgdGhlIGZvcndhcmQgem9uZSwgb3IgYikgYmUgY29uZmlndXJlZCBhcyByZWN1cnNpdmUg c2VydmVycy4NCg0Kem9uZSBob21lLmFycGEgew0KICAgICAgICB0eXBlIGZvcndhcmQ7DQogICAg ICAgIGZvcndhcmQgb25seTsNCiAgICAgICAgZm9yd2FyZGVycyB7MTkyLjE2OC4xNC4yMDt9Ow0K fTsNCg0KSSB3b3VsZCByZWNvbW1lbmQgdXNpbmcgc2Vjb25kYXJ5IHpvbmUgcmF0aGVyIHRoYW4g Zm9yd2FyZCB6b25lcyBmb3IgZ3JhZnRpbmcgb24gbmFtZXNwYWNlcywganVzdCBlbnN1cmUgdGhh dCB0aGUgYWxsIHNsYXZlIHNlcnZlcnMgYXJlIHJlY2VpdmluZyBOT1RJRlkgbWVzc2FnZXMgKHVz ZSBhbHNvLW5vdGlmeSkgc28gdGhhdCB0aGV5IHJlY2VpdmUgY2hhbmdlcyBmYXN0LiAgRmFzdCBw cm9wYWdhdGlvbiBvZiBjaGFuZ2VzIGlzIG5lZWRlZCBpbiBhIGhvbWUgZW52aXJvbm1lbnQuICBT ZWNvbmRhcnkgem9uZSBhbHNvIHByb3ZpZGUgYSBicmVhayBpbiB0aGUgRE5TU0VDIGNoYWluIG9m IHRydXN0IGFzIGZhciBhcyB0aGUgcmVjdXJzaXZlIHNlcnZlciBpcyBjb25jZXJuZWQuICBUaGV5 IGhvd2V2ZXIgZG8gbm90IGJyZWFrIHRoZSBETlNTRUMgY2hhaW4gb2YgdHJ1c3QgZm9yIGFueSBE TlNTRUMgdmFsaWRhdGluZyBjbGllbnRzIG9mIHRoZSByZWN1cnNpdmUgc2VydmVyLg0KDQp6b25l IGhvbWUuYXJwYSB7DQogICAgICAgIHR5cGUgc2Vjb25kYXJ5Ow0KICAgICAgICBwcmltYXJpZXMg ezE5Mi4xNjguMTQuMjA7fTsNCiAgICAgICAgZmlsZSDigJxob21lLmFycGEuZGI8aHR0cDovL2hv bWUuYXJwYS5kYj7igJ07DQogICAgICAgIC4uLg0KfTsNCg0Kem9uZSBob21lLmFycGEgew0KICAg ICAgICB0eXBlIHByaW1hcnk7DQogICAgICAgIGZpbGUg4oCcaG9tZS5hcnBhLmRiPGh0dHA6Ly9o b21lLmFycGEuZGI+4oCdOw0KICAgICAgICBhbHNvLW5vdGlmeSB7IGFkZHJlc3MgbGlzdDsgfTsN CiAgICAgICAgLi4uDQp9Ow0KDQpBbHNvIGZvcmdldCBhbnkgZ2FyYmFnZSB0aGF0IHJlY3Vyc2l2 ZSBzZXJ2ZXJzIHNob3VsZCBub3QgYWxzbyBzZXJ2ZSB6b25lcy4gIFBlb3BsZSBoYXZlIHRha2Ug dGhlIGFkdmljZSB0aGF0IGxpc3RlZCBhdXRob3JpdGF0aXZlIHNlcnZlcnMgc2hvdWxkbuKAmXQg YmUgcmVjdXJzaXZlICh3aGljaCBpcyBnb29kIGFkdmlzZSB3aGVuIHNlcnZpbmcgem9uZXMgdG8g dGhlIHB1YmxpYykgYW5kIGludmVydGVkIGl0IHRvIGNvbWUgdXAgd2l0aCBiYWQgYWR2aWNlLg0K DQpNYXJrDQoNCj4gT24gMTggSnVsIDIwMjAsIGF0IDA1OjE4LCBXZWVsdGluIDx3ZWVsdGlubEBn bWFpbC5jb208bWFpbHRvOndlZWx0aW5sQGdtYWlsLmNvbT4+IHdyb3RlOg0KPg0KPiBIZWxsbyBh bGwsDQo+DQo+IEnigJltIHRyeWluZyB0byBpbXBsZW1lbnQgYSBETlMgc3RydWN0dXJlLCBjb250 YWluaW5nIGEgcmVjdXJzaXZlIGFuZCBhdXRob3JpdGF0aXZlIHNlcnZlciwgYnV0IGluIGRvaW5n IHNvLCBJIGhhdmUgcnVuIGludG8gYSBzbWFsbCBwcm9ibGVtLiBJIGNhbiBtYWtlIEROUyBxdWVy aWVzIGZyb20gYSBjbGllbnQgdG93YXJkIHRoZSBuZXQsIGJ1dCB3aGVuIEkgdHJ5IHRvIGRvIHRo ZSBzYW1lIHRvd2FyZCBteSBpbnRlcm5hbCBkb21haW4sIEkgZ2V0IG5vIHJlc3VsdC4gSSBoYXZl IHNwZW50IGRheXMgdHJ5aW5nIHRvIGZpZ3VyZSBvdXQgd2hhdCBpcyBnb2luZyBvbiwgYnV0IHRv IG5vIGF2YWlsLCBJIHRoZXJlIGZvciBob3BlIHRoYXQgc29tZW9uZSBvbiB0aGlzIGxpc3QgY2Fu IHBvaW50IG1lIGluIHRoZSByaWdodCBkaXJlY3Rpb24gb3IgcmlnaHQgb3V0IHRlbGwgd2hhdCBp cyB3cm9uZy4NCj4NCj4gL1dlZWx0aW4uDQo+DQo+ICAgLS0tLS1ESUcgdHJvdWJsZXNob290cw0K Pg0KPiBbd2VlbHRpbkBjMSB+XSQgY2F0IC9ldGMvcmVzb2x2LmNvbmYNCj4gIyBHZW5lcmF0ZWQg YnkgTmV0d29ya01hbmFnZXINCj4gbmFtZXNlcnZlciAxOTIuMTY4LjE0LjEwDQo+DQo+IFt3ZWVs dGluQGMxICB+XSQgZGlnIGdvb2dsZS5jb208aHR0cDovL2dvb2dsZS5jb20+DQo+IDsgPDw+PiBE aUcgOS4xMS4xMS1SZWRIYXQtOS4xMS4xMS0xLmZjMzEgPDw+PiBnb29nbGUuY29tPGh0dHA6Ly9n b29nbGUuY29tPg0KPiA7OyBnbG9iYWwgb3B0aW9uczogK2NtZA0KPiA7OyBHb3QgYW5zd2VyOg0K PiA7OyAtPj5IRUFERVI8PC0gb3Bjb2RlOiBRVUVSWSwgc3RhdHVzOiBOT0VSUk9SLCBpZDogNDg5 MzINCj4gOzsgZmxhZ3M6IHFyIHJkIHJhOyBRVUVSWTogMSwgQU5TV0VSOiAxLCBBVVRIT1JJVFk6 IDAsIEFERElUSU9OQUw6IDENCj4NCj4gOzsgT1BUIFBTRVVET1NFQ1RJT046DQo+IDsgRUROUzog dmVyc2lvbjogMCwgZmxhZ3M6OyB1ZHA6IDQwOTYNCj4gOyBDT09LSUU6IGMxYmM0YTExYzQwYmQ3 NTU5MDVjOGM3MDVmMTFmNWZmZTY5OWNjMDExNmVkOGJhNSAoZ29vZCkNCj4gOzsgUVVFU1RJT04g U0VDVElPTjoNCj4gO2dvb2dsZS5jb208aHR0cDovL2dvb2dsZS5jb20+LiAgSU4gICAgICBBDQo+ DQo+IDs7IEFOU1dFUiBTRUNUSU9OOg0KPiBnb29nbGUuY29tPGh0dHA6Ly9nb29nbGUuY29tPi4g ICAzMDAgICAgIElOICAgICAgQSAgICAgICAyMTYuNTguMjExLjE0Mg0KPg0KPiA7OyBRdWVyeSB0 aW1lOiAxNzkgbXNlYw0KPiA7OyBTRVJWRVI6IDE5Mi4xNjguMTQuMTAjNTMoMTkyLjE2OC4xNC4x MCkNCj4gOzsgV0hFTjogRnJpIEp1bCAxNyAxNTowMzoyNyBFRFQgMjAyMA0KPiA7OyBNU0cgU0la RSAgcmN2ZDogODMNCj4NCj4NCj4gW3dlZWx0aW5AYzEgfl0kIGRpZyBjMS5leGFtcGxlLmhvbWUN Cj4gOyA8PD4+IERpRyA5LjExLjExLVJlZEhhdC05LjExLjExLTEuZmMzMSA8PD4+IGMxLmV4YW1w bGUuaG9tZQ0KPiA7OyBnbG9iYWwgb3B0aW9uczogK2NtZA0KPiA7OyBHb3QgYW5zd2VyOg0KPiA7 OyAtPj5IRUFERVI8PC0gb3Bjb2RlOiBRVUVSWSwgc3RhdHVzOiBOWERPTUFJTiwgaWQ6IDYyNjAy DQo+IDs7IGZsYWdzOiBxciByZCByYSBhZDsgUVVFUlk6IDEsIEFOU1dFUjogMCwgQVVUSE9SSVRZ OiAxLCBBRERJVElPTkFMOiAxDQo+DQo+IDs7IE9QVCBQU0VVRE9TRUNUSU9OOg0KPiA7IEVETlM6 IHZlcnNpb246IDAsIGZsYWdzOjsgdWRwOiA0MDk2DQo+IDsgQ09PS0lFOiBjZjg4NzZlM2IzNTEz OGY0NzA0MDE4OGU1ZjExZjY0YTkxNDQ1YWE0ZjgzMTBmNWEgKGdvb2QpDQo+IDs7IFFVRVNUSU9O IFNFQ1RJT046DQo+IDtjMS5leGFtcGxlLmhvbWUuICAgICBJTiAgICAgIEENCj4NCj4gOzsgQVVU SE9SSVRZIFNFQ1RJT046DQo+IC4gICAgIDEwODAwICAgSU4gICAgICBTT0EgICAgIGEucm9vdC1z ZXJ2ZXJzLm5ldDxodHRwOi8vYS5yb290LXNlcnZlcnMubmV0Pi4gbnN0bGQudmVyaXNpZ24tZ3Jz LmNvbTxodHRwOi8vbnN0bGQudmVyaXNpZ24tZ3JzLmNvbT4uIDIwMjAwNzE3MDEgMTgwMCA5MDAg NjA0ODAwIDg2NDAwDQo+DQo+IDs7IFF1ZXJ5IHRpbWU6IDI2MyBtc2VjDQo+IDs7IFNFUlZFUjog MTkyLjE2OC4xNC4xMCM1MygxOTIuMTY4LjE0LjEwKQ0KPiA7OyBXSEVOOiBGcmkgSnVsIDE3IDE1 OjA0OjQyIEVEVCAyMDIwDQo+IDs7IE1TRyBTSVpFICByY3ZkOiAxNDcNCj4NCj4NCj4NCj4gW3dl ZWx0aW5AYzEgfl0kIGRpZyBAMTkyLjE2OC4xNC4yMDxodHRwOi8vMTkyLjE2OC4xNC4yMD4gYzEu ZXhhbXBsZS5ob21lDQo+DQo+IDsgPDw+PiBEaUcgOS4xMS4xMS1SZWRIYXQtOS4xMS4xMS0xLmZj MzEgPDw+PiBAMTkyLjE2OC4xNC4yMDxodHRwOi8vMTkyLjE2OC4xNC4yMD4gYzEuZXhhbXBsZS5o b21lDQo+IDsgKDEgc2VydmVyIGZvdW5kKQ0KPiA7OyBnbG9iYWwgb3B0aW9uczogK2NtZA0KPiA7 OyBHb3QgYW5zd2VyOg0KPiA7OyAtPj5IRUFERVI8PC0gb3Bjb2RlOiBRVUVSWSwgc3RhdHVzOiBO T0VSUk9SLCBpZDogMjA3MDQNCj4gOzsgZmxhZ3M6IHFyIGFhIHJkOyBRVUVSWTogMSwgQU5TV0VS OiAxLCBBVVRIT1JJVFk6IDAsIEFERElUSU9OQUw6IDENCj4gOzsgV0FSTklORzogcmVjdXJzaW9u IHJlcXVlc3RlZCBidXQgbm90IGF2YWlsYWJsZQ0KPg0KPiA7OyBPUFQgUFNFVURPU0VDVElPTjoN Cj4gOyBFRE5TOiB2ZXJzaW9uOiAwLCBmbGFnczo7IHVkcDogNDA5Ng0KPiA7IENPT0tJRTogNzQ3 Mjg5Yzk0ODc2Y2YzNDkwMzRhZWMzNWYxMWY3OTRhMjljNjc0N2JiNmE2OTRmIChnb29kKQ0KPiA7 OyBRVUVTVElPTiBTRUNUSU9OOg0KPiA7YzEuZXhhbXBsZS5ob21lLiAgICAgSU4gICAgICBBDQo+ DQo+IDs7IEFOU1dFUiBTRUNUSU9OOg0KPiBjMS5leGFtcGxlLmhvbWUuICAgICAgNjA0ODAwICBJ TiAgICAgIEEgICAgICAgMTkyLjE2OC4xNC4xDQo+DQo+IDs7IFF1ZXJ5IHRpbWU6IDAgbXNlYw0K PiA7OyBTRVJWRVI6IDE5Mi4xNjguMTQuMjAjNTMoMTkyLjE2OC4xNC4yMCkNCj4gOzsgV0hFTjog RnJpIEp1bCAxNyAxNToxMDoxMiBFRFQgMjAyMA0KPiA7OyBNU0cgU0laRSAgcmN2ZDogODgNCj4N Cj4NCj4NCj4NCj4NCj4gLS0tLS0gaW5mb3JtYXRpb25zIGFuZCBjb25maWd1cmF0aW9ucyAtLS0t DQo+DQo+IE9TOiBBbHBpbmUgMy4xMg0KPg0KPiBCaW5kOiBiaW5kIDkuMTQuMTINCj4NCj4NCj4g TnMxOiAxOTIuMTY4LjE0LjEwIChyZWN1cnNpdmUpDQo+DQo+IE5zMjogMTkyLjE2OC4xNC4yMCAo YXV0aG9yaXRhdGl2ZSkNCj4NCj4gQzE6IDE5Mi4xNjguMTQuMSAoY2xpZW50KQ0KPg0KPg0KPiAt LS0gcmVjdXJzaXZlIGNvbmZpZyAoTlMxKQ0KPg0KPiAvLyByZWN1cnNpdmUgbmFtZWQuY29uZg0K PiAvLw0KPg0KPiBhY2wgdHJ1c3RlZCB7DQo+DQo+ICAgICAgICAgMTkyLjE2OC4xNC4wLzI0PGh0 dHA6Ly8xOTIuMTY4LjE0LjAvMjQ+Ow0KPg0KPiAgICAgICAgIGxvY2FsaG9zdDsNCj4NCj4gfTsN Cj4NCj4NCj4gYWNsIHJmYzE5MTggew0KPg0KPiAgICAgICAgIDEwLjAuMC4wLzg8aHR0cDovLzEw LjAuMC4wLzg+Ow0KPg0KPiAgICAgICAgIDE3Mi4xNi4wLjAvMTI8aHR0cDovLzE3Mi4xNi4wLjAv MTI+Ow0KPg0KPiAgICAgICAgICExOTIuMTY4LjE0LjAvMjQ8aHR0cDovLzE5Mi4xNjguMTQuMC8y ND47DQo+DQo+ICAgICAgICAgMTkyLjE2OC4wLjAvMTY8aHR0cDovLzE5Mi4xNjguMC4wLzE2PjsN Cj4NCj4gfTsNCj4NCj4NCj4gYWNsIHJmYzU3MzUgew0KPg0KPiAgICAgICAgIDAuMC4wLjAvODxo dHRwOi8vMC4wLjAuMC84PjsNCj4NCj4gICAgICAgICAxNjkuMjU0LjAuMC8xNjxodHRwOi8vMTY5 LjI1NC4wLjAvMTY+Ow0KPg0KPiAgICAgICAgIDE5Mi4wLjAuMC8yNDxodHRwOi8vMTkyLjAuMC4w LzI0PjsNCj4NCj4gICAgICAgICAxOTIuMC4yLjAvMjQ8aHR0cDovLzE5Mi4wLjIuMC8yND47DQo+ DQo+ICAgICAgICAgMTkyLjg4Ljk5LjAvMjQ8aHR0cDovLzE5Mi44OC45OS4wLzI0PjsNCj4NCj4g ICAgICAgICAxOTguMTguMC4wLzE1PGh0dHA6Ly8xOTguMTguMC4wLzE1PjsNCj4NCj4gICAgICAg ICAxOTguNTEuMTAwLjAvMjQ8aHR0cDovLzE5OC41MS4xMDAuMC8yND47DQo+DQo+ICAgICAgICAg MjAzLjAuMTEzLjAvMjQ8aHR0cDovLzIwMy4wLjExMy4wLzI0PjsNCj4NCj4gICAgICAgICAyMjQu MC4wLjAvNDxodHRwOi8vMjI0LjAuMC4wLzQ+Ow0KPg0KPiB9Ow0KPg0KPg0KPiBvcHRpb25zIHsN Cj4NCj4gICAgICAgICBkaXJlY3RvcnkgIi92YXIvYmluZCI7DQo+DQo+ICAgICAgICAgbGlzdGVu LW9uIHsNCj4gICAgICAgICAgICAgICAgIDEyNy4wLjAuMTsNCj4NCj4gICAgICAgICAgICAgICAg IDE5Mi4xNjguMTQuMTA7DQo+DQo+ICAgICAgICAgfTsNCj4NCj4gICAgICAgICBsaXN0ZW4tb24t djYgew0KPg0KPiAgICAgICAgICAgICAgICAgbm9uZTsNCj4NCj4gICAgICAgICB9Ow0KPg0KPiAg ICAgICAgICBhbGxvdy1xdWVyeSB7DQo+DQo+ICAgICAgICAgICAgICAgICB0cnVzdGVkOw0KPg0K PiAgICAgICAgIH07DQo+DQo+ICAgICAgICAgIC8vcXVlcnktc291cmNlIGFkZHJlc3MgKiBwb3J0 IDUzOw0KPg0KPiAgICAgICAgICBhbGxvdy1xdWVyeS1jYWNoZSB7DQo+DQo+ICAgICAgICAgICAg ICAgICB0cnVzdGVkOw0KPg0KPiAgICAgICAgIH07DQo+DQo+ICAgICAgICAgIGJsYWNraG9sZSB7 DQo+DQo+ICAgICAgICAgICAgICAgICByZmMxOTE4Ow0KPg0KPiAgICAgICAgICAgICAgICAgcmZj NTczNTsNCj4NCj4gICAgICAgICB9Ow0KPg0KPiAgICAgICAgICBhbGxvdy10cmFuc2ZlciB7DQo+ DQo+ICAgICAgICAgICAgICAgICBub25lOw0KPg0KPiAgICAgICAgIH07DQo+DQo+ICAgICAgICAg cGlkLWZpbGUgIi92YXIvcnVuL25hbWVkL25hbWVkLnBpZCI7DQo+DQo+DQo+ICAgICAgICAgLy8g Q2hhbmdpbmcgdGhpcyBpcyBOT1QgUkVDT01NRU5ERUQ7IHNlZSB0aGUgbm90ZXMgYWJvdmUgYW5k IGluDQo+DQo+ICAgICAgICAgLy8gbmFtZWQuY29uZi5yZWN1cnNpdmUuDQo+DQo+ICAgICAgICAg YWxsb3ctcmVjdXJzaW9uIHsNCj4NCj4gICAgICAgICAgICAgICAgIHRydXN0ZWQ7DQo+DQo+ICAg ICAgICAgfTsNCj4NCj4gICAgICAgICByZWN1cnNpb24geWVzOw0KPg0KPiB9Ow0KPg0KPiB6b25l ICIuIiBJTiB7DQo+DQo+ICAgICAgICAgdHlwZSBoaW50Ow0KPg0KPiAgICAgICAgIGZpbGUgInJv b3QuY2FjaGUiOw0KPg0KPiB9Ow0KPg0KPg0KPiB6b25lICJsb2NhbGhvc3QiIElOIHsNCj4NCj4g ICAgICAgICB0eXBlIG1hc3RlcjsNCj4NCj4gICAgICAgICBmaWxlICJwcmkvbG9jYWxob3N0Lnpv bmUiOw0KPg0KPiAgICAgICAgIGFsbG93LXVwZGF0ZSB7IG5vbmU7IH07DQo+DQo+ICAgICAgICAg bm90aWZ5IG5vOw0KPg0KPiB9Ow0KPg0KPg0KPiB6b25lICIxMjcuaW4tYWRkci5hcnBhIiBJTiB7 DQo+DQo+ICAgICAgICAgdHlwZSBtYXN0ZXI7DQo+DQo+ICAgICAgICAgZmlsZSAicHJpLzEyNy56 b25lIjsNCj4NCj4gICAgICAgICBhbGxvdy11cGRhdGUgeyBub25lOyB9Ow0KPg0KPiAgICAgICAg IG5vdGlmeSBubzsNCj4NCj4gfTsNCj4NCj4NCj4gem9uZSAiZXhhbXBsZS5ob21lIiB7DQo+DQo+ ICAgICAgICAgdHlwZSBmb3J3YXJkOw0KPg0KPiAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICBmb3J3YXJkZXJzIHsgMTkyLjE2OC4xNC4yMDsgfTsNCj4NCj4gfTsNCj4NCj4NCj4NCj4g LS0tICBhdXRob3JpdGF0aXZlIGNvbmZpZyAoTlMyKQ0KPiAvLyBhdXRob3JpdGF0aXZlIG5hbWVk LmNvbmYNCj4gLy8NCj4gYWNsIHRydXN0ZWQgew0KPiAgICAgICAgIDE5Mi4xNjguMTQuMC8yNDxo dHRwOi8vMTkyLjE2OC4xNC4wLzI0PjsNCj4gICAgICAgICBsb2NhbGhvc3Q7DQo+IH07DQo+DQo+ IGFjbCByZmMxOTE4IHsNCj4gICAgICAgICAxMC4wLjAuMC84PGh0dHA6Ly8xMC4wLjAuMC84PjsN Cj4gICAgICAgICAxNzIuMTYuMC4wLzEyPGh0dHA6Ly8xNzIuMTYuMC4wLzEyPjsNCj4gICAgICAg ICAhMTkyLjE2OC4xNC4wLzI0PGh0dHA6Ly8xOTIuMTY4LjE0LjAvMjQ+Ow0KPiAgICAgICAgIDE5 Mi4xNjguMC4wLzE2PGh0dHA6Ly8xOTIuMTY4LjAuMC8xNj47DQo+IH07DQo+DQo+IGFjbCByZmM1 NzM1IHsNCj4gICAgICAgICAwLjAuMC4wLzg8aHR0cDovLzAuMC4wLjAvOD47DQo+ICAgICAgICAg MTY5LjI1NC4wLjAvMTY8aHR0cDovLzE2OS4yNTQuMC4wLzE2PjsNCj4gICAgICAgICAxOTIuMC4w LjAvMjQ8aHR0cDovLzE5Mi4wLjAuMC8yND47DQo+ICAgICAgICAgMTkyLjAuMi4wLzI0PGh0dHA6 Ly8xOTIuMC4yLjAvMjQ+Ow0KPiAgICAgICAgIDE5Mi44OC45OS4wLzI0PGh0dHA6Ly8xOTIuODgu OTkuMC8yND47DQo+ICAgICAgICAgMTk4LjE4LjAuMC8xNTxodHRwOi8vMTk4LjE4LjAuMC8xNT47 DQo+ICAgICAgICAgMTk4LjUxLjEwMC4wLzI0PGh0dHA6Ly8xOTguNTEuMTAwLjAvMjQ+Ow0KPiAg ICAgICAgIDIwMy4wLjExMy4wLzI0PGh0dHA6Ly8yMDMuMC4xMTMuMC8yND47DQo+ICAgICAgICAg MjI0LjAuMC4wLzQ8aHR0cDovLzIyNC4wLjAuMC80PjsNCj4gfTsNCj4NCj4gb3B0aW9ucyB7DQo+ ICAgICAgICAgZGlyZWN0b3J5ICIvdmFyL2JpbmQiOw0KPg0KPiAgICAgICAgIC8vIENvbmZpZ3Vy ZSB0aGUgSVBzIHRvIGxpc3RlbiBvbiBoZXJlLg0KPiAgICAgICAgIGxpc3Rlbi1vbiB7DQo+ICAg ICAgICAgICAgICAgICAxMjcuMC4wLjE7DQo+ICAgICAgICAgICAgICAgICAxOTIuMTY4LjE0LjIw Ow0KPiAgICAgICAgIH07DQo+ICAgICAgICAgbGlzdGVuLW9uLXY2IHsNCj4gICAgICAgICAgICAg ICAgIG5vbmU7DQo+ICAgICAgICAgfTsNCj4NCj4gICAgICAgICBhbGxvdy1xdWVyeSB7DQo+ICAg ICAgICAgICAgICAgICB0cnVzdGVkOw0KPiAgICAgICAgIH07DQo+DQo+ICAgICAgICAgLy9xdWVy eS1zb3VyY2UgYWRkcmVzcyAqIHBvcnQgNTM7DQo+DQo+ICAgICAgICAgYWxsb3ctcXVlcnktY2Fj aGUgew0KPiAgICAgICAgICAgICAgICAgdHJ1c3RlZDsNCj4gICAgICAgICB9Ow0KPg0KPiAgICAg ICAgIGJsYWNraG9sZSB7DQo+ICAgICAgICAgICAgICAgICByZmM1NzM1Ow0KPiAgICAgICAgICAg ICAgICAgcmZjMTkxODsNCj4gICAgICAgICB9Ow0KPg0KPiAgICAgICAgIGFsbG93LXRyYW5zZmVy IHsNCj4gICAgICAgICAgICAgICAgIG5vbmU7DQo+ICAgICAgICAgfTsNCj4NCj4gICAgICAgICAv LyBDcnlwdG9ncmFwaGljIGF1dGhlbnRpY2F0aW9uIG9mIEROUyBpbmZvcm1hdGlvbg0KPiAgICAg ICAgIC8vIEVOQUJMRSBMQVRFUg0KPiAgICAgLy9kbnNzZWMtZW5hYmxlIHllczsNCj4gICAgIC8v ZG5zc2VjLXZhbGlkYXRpb24geWVzOw0KPg0KPiAgICAgICAgIHBpZC1maWxlICIvdmFyL3J1bi9u YW1lZC9uYW1lZC5waWQiOw0KPg0KPiAgICAgICAgIC8vIENoYW5naW5nIHRoaXMgaXMgTk9UIFJF Q09NTUVOREVEIGZvciBhIGF1dGhvcml0YXRpdmUgbmFtZXNlcnZlcg0KPiAgICAgICAgIGFsbG93 LXJlY3Vyc2lvbiB7IG5vbmU7IH07DQo+ICAgICAgICAgcmVjdXJzaW9uIG5vOw0KPiB9Ow0KPg0K PiB6b25lICJleGFtcGxlLmhvbWUiIHsNCj4gICB0eXBlIG1hc3RlcjsNCj4gICBmaWxlICIvZXRj L2JpbmQvZGIuZXhhbXBsZS5ob21lLnpvbmUiOw0KPiB9Ow0KPg0KPiB6b25lICIxNC4xNjguMTky LmluLWFkZHIuYXJwYSIgew0KPiAgIHR5cGUgbWFzdGVyOw0KPiAgIGZpbGUgIi9ldGMvYmluZC9k Yi4xNC4xNjguMTkyLnpvbmUiOw0KPiB9Ow0KPg0KPg0KPg0KPiA7IFpPTkUgZmlsZSBmb3IgZXhh bXBsZS5ob21lLg0KPiA7DQo+ICRUVEwgIDYwNDgwMA0KPiBAICAgICBJTiAgICAgIFNPQSAgICAg bnMyLmV4YW1wbGUuaG9tZS4gaG9zdG1hc3Rlci5leGFtcGxlLmhvbWUuICgNCj4gMiAgICAgOyBT ZXJpYWwNCj4gNjA0ODAwICAgICAgICA7IFJlZnJlc2ggMXdlZWsNCj4gODY0MDAgOyBSZXRyeQ0K PiAyNDE5MjAwICAgICAgIDsgRXhwaXJlIDI4ZGF5cw0KPiA2MDQ4MDAgICAgICAgIDsgTmVnYXRp dmUgQ2FjaGUgVFRMDQo+ICkNCj4gOzsgbmFtZSBzZXJ2ZXJzIChOUykNCj4gOzsgb25seSBhdXRo b3JpdGF0aXZlIHNlcnZlcnMNCj4gQCAgICAgICAgICAgICBJTiAgICAgIE5TICAgICAgbnMyLmV4 YW1wbGUuaG9tZS4NCj4gbnMyICAgSU4gICAgICBBICAgICAgIDE5Mi4xNjguMTQuMjANCj4gOzsg aG9zdHMgKEEpDQo+IG5zMSAgICAgICAgIElOICBBICAgMTkyLjE2OC4xNC4xMA0KPiBjMSAgICAg ICAgICBJTiAgQSAgIDE5Mi4xNjguMTQuMQ0KPg0KPiA7OyBhbGlhcyAoQ05BTUUpDQo+IGNsaWVu dCBJTiAgICAgQ05BTUUgICBjMQ0KPg0KPg0KPg0KPiA7IFpPTkUgZmlsZSBmb3IgMTQuMTY4LjE5 Mi5pbi1hZGRyLmFycGEuDQo+IDsNCj4gJFRUTCAgNjA0ODAwDQo+IEAgICAgIElOICAgICAgU09B ICAgICBuczIuZXhhbXBsZS5ob21lLiBob3N0bWFzdGVyLmV4YW1wbGUuaG9tZS4gKA0KPiAxICAg OyBTZXJpYWwNCj4gNjA0ODAwICAgICAgICA7IFJlZnJlc2ggMXdlZWsNCj4gODY0MDAgOyBSZXRy eQ0KPiAyNDE5MjAwICAgICAgIDsgRXhwaXJlIDI4ZGF5cw0KPiA2MDQ4MDAgICAgICAgIDsgTmVn YXRpdmUgQ2FjaGUgVFRMDQo+ICkNCj4gOzsgbmFtZSBzZXJ2ZXJzIChOUykNCj4gOzsgb25seSBh dXRob3JpdGF0aXZlIHNlcnZlcnMNCj4gQCAgIElOICAgICAgICBOUyAgICAgIG5zMi5leGFtcGxl LmhvbWUuDQo+IDIwICBJTiAgICAgICAgUFRSICAgICBuczIuZXhhbXBsZS5ob21lLg0KPiA7OyBw b2ludGVyIHJlY29yZHMgKFBUUikNCj4gMSAgIElOICBQVFIgICBjMS5leGFtcGxlLmhvbWUuDQo+ IDEwICBJTiAgUFRSICAgbnMxLmV4YW1wbGUuaG9tZS4NCj4NCj4gX19fX19fX19fX19fX19fX19f X19fX19fX19fX19fX19fX19fX19fX19fX19fX18NCj4gUGxlYXNlIHZpc2l0IGh0dHBzOi8vbGlz dHMuaXNjLm9yZy9tYWlsbWFuL2xpc3RpbmZvL2JpbmQtdXNlcnMgdG8gdW5zdWJzY3JpYmUgZnJv bSB0aGlzIGxpc3QNCj4NCj4gSVNDIGZ1bmRzIHRoZSBkZXZlbG9wbWVudCBvZiB0aGlzIHNvZnR3 YXJlIHdpdGggcGFpZCBzdXBwb3J0IHN1YnNjcmlwdGlvbnMuIENvbnRhY3QgdXMgYXQgaHR0cHM6 Ly93d3cuaXNjLm9yZy9jb250YWN0LyBmb3IgbW9yZSBpbmZvcm1hdGlvbi4NCj4NCj4NCj4gYmlu ZC11c2VycyBtYWlsaW5nIGxpc3QNCj4gYmluZC11c2Vyc0BsaXN0cy5pc2Mub3JnPG1haWx0bzpi aW5kLXVzZXJzQGxpc3RzLmlzYy5vcmc+DQo+IGh0dHBzOi8vbGlzdHMuaXNjLm9yZy9tYWlsbWFu L2xpc3RpbmZvL2JpbmQtdXNlcnMNCg0KLS0NCk1hcmsgQW5kcmV3cywgSVNDDQoxIFNleW1vdXIg U3QuLCBEdW5kYXMgVmFsbGV5LCBOU1cgMjExNywgQXVzdHJhbGlhDQpQSE9ORTogKzYxIDIgOTg3 MSA0NzQyICAgICAgICAgICAgICBJTlRFUk5FVDogbWFya2FAaXNjLm9yZzxtYWlsdG86bWFya2FA aXNjLm9yZz4NCg==

    --_000_7e1ba3fe933b471d93c5defc7ea72cf1mailrrciccom_
    Content-Type: text/html; charset="utf-8"
    Content-Transfer-Encoding: base64

    PGh0bWwgeG1sbnM6dj0idXJuOnNjaGVtYXMtbWljcm9zb2Z0LWNvbTp2bWwiIHhtbG5zOm89InVy bjpzY2hlbWFzLW1pY3Jvc29mdC1jb206b2ZmaWNlOm9mZmljZSIgeG1sbnM6dz0idXJuOnNjaGVt YXMtbWljcm9zb2Z0LWNvbTpvZmZpY2U6d29yZCIgeG1sbnM6bT0iaHR0cDovL3NjaGVtYXMubWlj cm9zb2Z0LmNvbS9vZmZpY2UvMjAwNC8xMi9vbW1sIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv VFIvUkVDLWh0bWw0MCI+DQo8aGVhZD4NCjxtZXRhIGh0dHAtZXF1aXY9IkNvbnRlbnQtVHlwZSIg Y29udGVudD0idGV4dC9odG1sOyBjaGFyc2V0PXV0Zi04Ij4NCjxtZXRhIG5hbWU9IkdlbmVyYXRv ciIgY29udGVudD0iTWljcm9zb2Z0IFdvcmQgMTUgKGZpbHRlcmVkIG1lZGl1bSkiPg0KPHN0eWxl PjwhLS0NCi8qIEZvbnQgRGVmaW5pdGlvbnMgKi8NCkBmb250LWZhY2UNCgl7Zm9udC1mYW1pbHk6 IkNhbWJyaWEgTWF0aCI7DQoJcGFub3NlLTE6MiA0IDUgMyA1IDQgNiAzIDIgNDt9DQpAZm9udC1m YWNlDQoJe2ZvbnQtZmFtaWx5OkNhbGlicmk7DQoJcGFub3NlLTE6MiAxNSA1IDIgMiAyIDQgMyAy IDQ7fQ0KLyogU3R5bGUgRGVmaW5pdGlvbnMgKi8NCnAuTXNvTm9ybWFsLCBsaS5Nc29Ob3JtYWws IGRpdi5Nc29Ob3JtYWwNCgl7bWFyZ2luOjBpbjsNCgltYXJnaW4tYm90dG9tOi4wMDAxcHQ7DQoJ Zm9udC1zaXplOjEyLjBwdDsNCglmb250LWZhbWlseToiVGltZXMgTmV3IFJvbWFuIiwic2VyaWYi O30NCmE6bGluaywgc3Bhbi5Nc29IeXBlcmxpbmsNCgl7bXNvLXN0eWxlLXByaW9yaXR5Ojk5Ow0K CWNvbG9yOmJsdWU7DQoJdGV4dC1kZWNvcmF0aW9uOnVuZGVybGluZTt9DQphOnZpc2l0ZWQsIHNw YW4uTXNvSHlwZXJsaW5rRm9sbG93ZWQNCgl7bXNvLXN0eWxlLXByaW9yaXR5Ojk5Ow0KCWNvbG9y OnB1cnBsZTsNCgl0ZXh0LWRlY29yYXRpb246dW5kZXJsaW5lO30NCnNwYW4uRW1haWxTdHlsZTE3 DQoJe21zby1zdHlsZS10eXBlOnBlcnNvbmFsOw0KCWZvbnQtZmFtaWx5OiJDYWxpYnJpIiwic2Fu cy1zZXJpZiI7DQoJY29sb3I6IzFGNDk3RDt9DQpzcGFuLkVtYWlsU3R5bGUxOA0KCXttc28tc3R5 bGUtdHlwZTpwZXJzb25hbC1jb21wb3NlOw0KCWZvbnQtZmFtaWx5OiJDYWxpYnJpIiwic2Fucy1z ZXJpZiI7DQoJY29sb3I6d2luZG93dGV4dDt9DQouTXNvQ2hwRGVmYXVsdA0KCXttc28tc3R5bGUt dHlwZTpleHBvcnQtb25seTsNCglmb250LWZhbWlseToiQ2FsaWJyaSIsInNhbnMtc2VyaWYiO30N CkBwYWdlIFdvcmRTZWN0aW9uMQ0KCXtzaXplOjguNWluIDExLjBpbjsNCgltYXJnaW46MS4waW4g MS4waW4gMS4waW4gMS4waW47fQ0KZGl2LldvcmRTZWN0aW9uMQ0KCXtwYWdlOldvcmRTZWN0aW9u MTt9DQotLT48L3N0eWxlPjwhLS1baWYgZ3RlIG1zbyA5XT48eG1sPg0KPG86c2hhcGVkZWZhdWx0 cyB2OmV4dD0iZWRpdCIgc3BpZG1heD0iMTAyNiIgLz4NCjwveG1sPjwhW2VuZGlmXS0tPjwhLS1b aWYgZ3RlIG1zbyA5XT48eG1sPg0KPG86c2hhcGVsYXlvdXQgdjpleHQ9ImVkaXQiPg0KPG86aWRt YXAgdjpleHQ9ImVkaXQiIGRhdGE9IjEiIC8+DQo8L286c2hhcGVsYXlvdXQ+PC94bWw+PCFbZW5k aWZdLS0+DQo8L2hlYWQ+DQo8Ym9keSBsYW5nPSJFTi1VUyIgbGluaz0iYmx1ZSIgdmxpbms9InB1 cnBsZSI+DQo8ZGl2IGNsYXNzPSJXb3JkU2VjdGlvbjEiPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+ PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMS4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7Q2FsaWJyaSZx dW90OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7O2NvbG9yOiMxRjQ5N0QiPkkgcGVyc29uYWxseSBn cmVhdGx5IGRpc2xpa2UgLmxvY2FsIG9yIGFueSBvdGhlciBUTEQgdGhhdCBpcyB1c2VkIGluIGEg bm9uLXN0YW5kYXJkIHdheSAuJm5ic3A7IE1vc3RseSBiZWNhdXNlIGl0IHBvdGVudGlhbGx5IGRv ZXMgbm90IGFsbG93IGZvciBmdXR1cmUgY2hhbmdlcyB0bw0KIGJlIG1hZGUgd2l0aG91dCBwYWlu IGFuZCBzdWZmZXJpbmcuPG86cD48L286cD48L3NwYW4+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1h bCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMS4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7Q2FsaWJy aSZxdW90OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7O2NvbG9yOiMxRjQ5N0QiPjxvOnA+Jm5ic3A7 PC9vOnA+PC9zcGFuPjwvcD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250 LXNpemU6MTEuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O0NhbGlicmkmcXVvdDssJnF1b3Q7c2Fucy1z ZXJpZiZxdW90Oztjb2xvcjojMUY0OTdEIj5TbyBtYW55IGNvbXBhbmllcyBoYXZlIGhhZCBBY3Rp dmUgRGlyZWN0b3J5IGRvbWFpbnMgYnVpbHQgb24gLmxvY2FsIHdobyB0aGVuIGRlY2lkZSB0aGV5 IG5vdyB3YW50IGFuIEV4Y2hhbmdlIHNlcnZlci4mbmJzcDsgTm93IHlvdSBjYW5ub3QgZXZlbiBn ZXQgYW4gU1NMIGNlcnQgZm9yDQogLmxvY2FsLjxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjxwIGNs YXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTEuMHB0O2ZvbnQtZmFtaWx5 OiZxdW90O0NhbGlicmkmcXVvdDssJnF1b3Q7c2Fucy1zZXJpZiZxdW90Oztjb2xvcjojMUY0OTdE Ij48bzpwPiZuYnNwOzwvbzpwPjwvc3Bhbj48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3Bh biBzdHlsZT0iZm9udC1zaXplOjExLjBwdDtmb250LWZhbWlseTomcXVvdDtDYWxpYnJpJnF1b3Q7 LCZxdW90O3NhbnMtc2VyaWYmcXVvdDs7Y29sb3I6IzFGNDk3RCI+V2hhdCBpcyB0aGUgY2hlYXBl c3QgeW91IGNhbiBnZXQgYSByZWdpc3RlcmVkIGRvbWFpbiBuYW1lIGZvcj8mbmJzcDsgTG9va2lu ZyBhdCBteSBjbG91ZGZsYXJlLmNvbSBkYXNoYm9hcmQgYSAuY29tIGNvc3RzICQ3Ljg1IFVTRCB3 aXRoIC4xOCBjZW50cyB0byBJQ0FOTiBmb3IgYQ0KIHRvdGFsIG9mICQ4LjAzIFVTRC48bzpwPjwv bzpwPjwvc3Bhbj48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1z aXplOjExLjBwdDtmb250LWZhbWlseTomcXVvdDtDYWxpYnJpJnF1b3Q7LCZxdW90O3NhbnMtc2Vy aWYmcXVvdDs7Y29sb3I6IzFGNDk3RCI+PG86cD4mbmJzcDs8L286cD48L3NwYW4+PC9wPg0KPHAg Y2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMS4wcHQ7Zm9udC1mYW1p bHk6JnF1b3Q7Q2FsaWJyaSZxdW90OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7O2NvbG9yOiMxRjQ5 N0QiPkRvIHlvdXJzZWxmIGEgZmF2b3IgLi4gZ2V0IHlvdXJzZWxmIGEgbGVnaXQgZG9tYWluIG5h bWUuJm5ic3A7IElmIHlvdSB3YW50IHRvIHN0YXJ0IG1lc3NpbmcgYXJvdW5kIHdpdGggZW1haWwg dGhlbiB5b3UgYXJlIHNldC4mbmJzcDsgSWYgeW91IHdhbnQgdG8gbGVhcm4gRE5TU0VDIHRoZW4N CiB5b3UgYXJlIHNldC48bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFs Ij48c3BhbiBzdHlsZT0iZm9udC1zaXplOjExLjBwdDtmb250LWZhbWlseTomcXVvdDtDYWxpYnJp JnF1b3Q7LCZxdW90O3NhbnMtc2VyaWYmcXVvdDs7Y29sb3I6IzFGNDk3RCI+PG86cD4mbmJzcDs8 L286cD48L3NwYW4+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQt c2l6ZToxMS4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7Q2FsaWJyaSZxdW90OywmcXVvdDtzYW5zLXNl cmlmJnF1b3Q7O2NvbG9yOiMxRjQ5N0QiPklmIHlvdSBzZXR1cCBhbiBlbWFpbCBzZXJ2ZXIgZG9u 4oCZdCBmb3JnZXQgdG8gY29uZmlndXJlIEROUyBUWFQgcmVjb3JkcyBmb3IgU1BGIGFuZCBETUFS Qy48bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHls ZT0iZm9udC1zaXplOjExLjBwdDtmb250LWZhbWlseTomcXVvdDtDYWxpYnJpJnF1b3Q7LCZxdW90 O3NhbnMtc2VyaWYmcXVvdDs7Y29sb3I6IzFGNDk3RCI+PG86cD4mbmJzcDs8L286cD48L3NwYW4+ PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMS4wcHQ7 Zm9udC1mYW1pbHk6JnF1b3Q7Q2FsaWJyaSZxdW90OywmcXVvdDtzYW5zLXNlcmlmJnF1b3Q7O2Nv bG9yOiMxRjQ5N0QiPkpvaG48bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8cCBjbGFzcz0iTXNvTm9y bWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjExLjBwdDtmb250LWZhbWlseTomcXVvdDtDYWxp YnJpJnF1b3Q7LCZxdW90O3NhbnMtc2VyaWYmcXVvdDs7Y29sb3I6IzFGNDk3RCI+PG86cD4mbmJz cDs8L286cD48L3NwYW4+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PGI+PHNwYW4gc3R5bGU9 ImZvbnQtc2l6ZToxMS4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7Q2FsaWJyaSZxdW90OywmcXVvdDtz YW5zLXNlcmlmJnF1b3Q7Ij5Gcm9tOjwvc3Bhbj48L2I+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZTox MS4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7Q2FsaWJyaSZxdW90OywmcXVvdDtzYW5zLXNlcmlmJnF1 b3Q7Ij4gYmluZC11c2VycyBbbWFpbHRvOmJpbmQtdXNlcnMtYm91bmNlc0BsaXN0cy5pc2Mub3Jn XQ0KPGI+T24gQmVoYWxmIE9mIDwvYj5XZWVsdGluPGJyPg0KPGI+U2VudDo8L2I+IE1vbmRheSwg SnVseSAyMCwgMjAyMCAxMDoyMSBBTTxicj4NCjxiPlRvOjwvYj4gTWFyayBBbmRyZXdzPGJyPg0K PGI+Q2M6PC9iPiBiaW5kLXVzZXJzQGxpc3RzLmlzYy5vcmc8YnI+DQo8Yj5TdWJqZWN0OjwvYj4g UmU6IEROUyBlcnJvciwgZnJvbSBhIG5ld2JlZSB0byB0aGUgcmVhbCBleHBlcnRzLi48bzpwPjwv bzpwPjwvc3Bhbj48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48bzpwPiZuYnNwOzwvbzpwPjwv cD4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj5IZWxsbyBNYXJrLDxicj4NCjxicj4NClRo YW5rcyBmb3IgeW91ciBhbnN3ZXIsIGl0IGdhdmUgbWUgYSBsb3QgdG8gdGhpbmsgYWJvdXQuPGJy Pg0KPGJyPg0KSSBoYXZlIGJlZW4gcmVhZGluZyBhYm91dCB0aGUgJnF1b3Q7dmFsaWRhdGUtZXhj ZXB0JnF1b3Q7IGNvbW1hbmQsIGJ1dCBjYW4ndCBnZXQgbXlzZWxmIHRvIHVzZSBhIGNvbW1hbmQg dGhhdCBpcyBub3QgcmVjb21tZW5kZWQuPGJyPg0KPGJyPg0KSSBkaWQgYSBsb3Qgb2YgcmVzZWFy Y2gsIGJlZm9yZSBJIHdlbnQgZm9yIHRoZSAuaG9tZSBkb21haW4uIEkgZGlkbid0IHdhbnQgdG8g ZW5kIHVwIHdpdGggYSBkb21haW4gdGhhdCBwb3RlbnRpYWxseSBjb3VsZCBjb25mbGljdCB3aXRo IGEgZG9tYWluIG9uIHRoZSBpbnRlcm5ldC48YnI+DQpUaGF0IG1lbnQgdGhhdCBJIGhhZCB0byBy ZWFkIGEgbG90IG9mIHJlcG9ydHMsIG1vc3Qgb2YgdGhlbSBmcm9tIElDQU5OLCBvZiB0aGVtIGZy b20gYmFjayBpbiBGZWIgMjAxOCgqKSwgcmVwb3J0ZWQgdGhhdCAuaG9tZSAoLmNvcnAgYW5kIC5t YWlsKSB3b3VsZCBub3QgYmUgc29sZCBhbmQgYXZhaWxhYmxlIG9uIHRoZSBpbnRlcm5ldC4NCjxi cj4NCmkgZGlkbid0IGtub3cgYWJvdXQgdGhlIGluc2VjdXJlIGRlbGVnYXRpb24gdG8gYnJlYWsg dGhlIEROU1NFQywgc28gaXQgbWlnaHQgYmUgd29ydGggaXQgdG8gc3dpdGNoIHRvIC5ob21lLmFy cGEsIGV2ZW4gdGhvdWdoIEkgaGFkIGhvcGVkIHRvIGtlZXAgdGhlIGRvbWFpbiBuYW1lIHRvIDEg dGllci4NCjxicj4NCjxicj4NCkkgaGF2ZSBiZWVuIGxlYXJuaW5nIHRoYXQgdGhlIEROUyBzdHJ1 Y3R1cmUgbmVlZHMgdG8gaGF2ZSBhIHJlY3Vyc2l2ZSBhbmQgYW4gYXV0aG9yaXRhdGl2ZSBzZXJ2 ZXIsIHRvIGJlIG1vcmUgZXhhY3QgMiBvZiBlYWNoIGZvciBmYWlsb3ZlciBwdXJwb3NlcywgaWYg eW91IHdhbnQgYSByZWxpYWJsZSBhbmQgc2VjdXJlIEROUyBzdHJ1Y3R1cmUuIG15IHBsYW4gd2Fz L2lzIHRvIGNvbmZpZ3VyZSBmYWlsb3ZlciBzZXJ2ZXJzIHdoZW4gaSBnb3QgdGhpcw0KIHN0cnVj dHVyZSB0byB3b3JrLi4gPGJyPg0KJm5ic3A7PGJyPg0Kc28gd2hlbiBpIGFtIGEgbGl0dGxlIGJp dCBjb25mdXNlZCBhbmQgJm5ic3A7d2hlbiByZWFkaW5nIHRoYXQgJnF1b3Q7Zm9yd2FyZCB6b25l cyZxdW90OyBpcyBub3QgcmVjb21tZW5kZWQuIGFueSBsaW5rcyB0byBwdWJsaWNhdGlvbnMgYWJv dXQgdGhpcz88bzpwPjwvbzpwPjwvcD4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj5hbHNv LCBjb3VsZCBpIGdldCB5b3UgdG8gZXhwbGFpbiB0aGUgbGFzdCBzdGF0ZW1lbnQgaW4geW91ciBy ZXBseS4gQXMgSSB3YW50IHRvIGltcGxlbWVudCBhIEROUyBzdHJ1Y3R1cmUgdGhhdCBmb2xsb3dz IGJlc3QgcHJhY3RpY2VzIGFuZCBob3BlZnVsbHkgaXMgc2VjdXJlLCBJIHdhbnQgdG8gbGVhcm4g YWJvdXQgdGhlIHJlYXNvbnMgZm9yIHRoaXMuJm5ic3A7DQo8bzpwPjwvbzpwPjwvcD4NCjwvZGl2 Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxvOnA+Jm5ic3A7PC9vOnA+PC9wPg0KPC9k aXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+KCopIDxhIGhyZWY9Imh0dHBzOi8vd3d3 LmljYW5uLm9yZy9yZXNvdXJjZXMvYm9hcmQtbWF0ZXJpYWwvcmVzb2x1dGlvbnMtMjAxOC0wMi0w NC1lbiMyLmMiPg0KaHR0cHM6Ly93d3cuaWNhbm4ub3JnL3Jlc291cmNlcy9ib2FyZC1tYXRlcmlh bC9yZXNvbHV0aW9ucy0yMDE4LTAyLTA0LWVuIzIuYzwvYT4gPG86cD4NCjwvbzpwPjwvcD4NCjwv ZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxvOnA+Jm5ic3A7PC9vOnA+PC9wPg0K PC9kaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+L1dlZWx0aW48bzpwPjwvbzpwPjwv cD4NCjwvZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCIgc3R5bGU9Im1hcmdpbi1ib3R0b206MTIu MHB0Ij48YnI+DQo8YnI+DQo8bzpwPjwvbzpwPjwvcD4NCjwvZGl2Pg0KPHAgY2xhc3M9Ik1zb05v cm1hbCI+PG86cD4mbmJzcDs8L286cD48L3A+DQo8ZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29O b3JtYWwiPk9uIFN1biwgSnVsIDE5LCAyMDIwIGF0IDM6MTAgQU0gTWFyayBBbmRyZXdzICZsdDs8 YSBocmVmPSJtYWlsdG86bWFya2FAaXNjLm9yZyI+bWFya2FAaXNjLm9yZzwvYT4mZ3Q7IHdyb3Rl OjxvOnA+PC9vOnA+PC9wPg0KPC9kaXY+DQo8YmxvY2txdW90ZSBzdHlsZT0iYm9yZGVyOm5vbmU7 Ym9yZGVyLWxlZnQ6c29saWQgI0NDQ0NDQyAxLjBwdDtwYWRkaW5nOjBpbiAwaW4gMGluIDYuMHB0 O21hcmdpbi1sZWZ0OjQuOHB0O21hcmdpbi1yaWdodDowaW4iPg0KPHAgY2xhc3M9Ik1zb05vcm1h bCIgc3R5bGU9Im1hcmdpbi1ib3R0b206MTIuMHB0Ij5Zb3VyIHByb2JsZW0gY29tZXMgZnJvbSB0 aGUgZmFjdCB0aGF0IEJJTkQgOS4xNCBoYXMgRE5TU0VDIHZhbGlkYXRpb24gZW5hYmxlZCBieSBk ZWZhdWx0ICh1bmxlc3MgZGlzYWJsZWQgYXQgY29uZmlndXJlIHRpbWUgb3IgaW4gbmFtZWQuY29u ZikgYW5kIHRoZSBhbnN3ZXJzIGZyb20gdGhlIGdyYWZ0ZWQgb24gbmFtZXNwYWNlICguaG9tZSkg ZmFpbCBETlNTRUMNCiB2YWxpZGF0aW9uIGFzIHRoZXJlIGlzIG5vdCBhIGluc2VjdXJlIGRlbGVn YXRpb24gZm9yIC5ob21lIHRvIGJyZWFrIHRoZSBETlNTRUMgY2hhaW4gb2YgdHJ1c3QuJm5ic3A7 IFlvdSBjYW4gdXNlIHZhbGlkYXRlLWV4Y2VwdCB0byB0ZWFjaCB0aGVyZSByZWN1cnNpdmUgc2Vy dmVyIHRvIG5vdCB2YWxpZGF0ZSBwYXJ0cyBvZiB0aGUgbmFtZXNwYWNlIGJ1dCBpdCBpcyBOT1Qg UkVDT01NRU5ERUQgYXMgaXQgZG9lc27igJl0IGhlbHAgdmFsaWRhdGluZyBjbGllbnRzLjxicj4N Cjxicj4NCmUuZy4gPGJyPg0KPGJyPg0KdmFsaWRhdGUtZXhjZXB0IHsgaG9tZTsgfTs8YnI+DQo8 YnI+DQpJIHdvdWxkIHN0b3AgdHJ5aW5nIHRvIHVzZSAuaG9tZSBhcyBpdCBoYXMgbm90IGJlZW4g ZGVsZWdhdGVkIGZvciBob21lIHVzZS4mbmJzcDsgVXNlIGhvbWUuYXJwYSBpbnN0ZWFkIHdoaWNo IGhhcyBiZWVuIHJlc2VydmVkIGZvciBob21lIHVzZSBhbmQgaGFzIGEgaW5zZWN1cmUgZGVsZWdh dGlvbiB0byBicmVhayB0aGUgRE5TU0VDIGNoYWluIG9mIHRydXN0IHBvaW50aW5nIGF0IHNlcnZl cnMgd2hpY2ggb25seSByZXR1cm4gTlhET01BSU4gZm9yIG5hbWVzDQogdW5kZXIgaG9tZS5hcnBh LiZuYnNwOyBUaGlzIGlzIHRoZSBzYW1lIGRlbGVnYXRpb24gbW9kZWwgdXNlZCBmb3IgdGhlIFJG QyAxOTE4IHJldmVyc2Ugem9uZS4mbmJzcDsgTm90ZSB0aGF0IERTIGlzIGFic2VudCBmcm9tIHRo ZSBsaXN0IG9mIHR5cGVzIGF0IHRoZSBkZWxlZ2F0aW9uIHBvaW50IGluIHRoZSBOU0VDIHJlY29y ZC4gVGhlcmUgd2FzIGFuIGF0dGVtcHQgbWFkZSB0byBkZWxlZ2F0ZSAuaG9tZSB0aGlzIHdheSBi dXQgaXQgZmxvdW5kZXJlZCBvbiBJQ0FOTi9JRVRGDQogcG9saXRpY3MuPGJyPg0KPGJyPg0KZS5n Ljxicj4NCjxicj4NCmhvbWUuYXJwYS4mbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7 ICZuYnNwOyAmbmJzcDsgMTcyODAwJm5ic3A7IElOJm5ic3A7ICZuYnNwOyAmbmJzcDsgTlMmbmJz cDsgJm5ic3A7ICZuYnNwOyA8YSBocmVmPSJodHRwOi8vYmxhY2tob2xlLTEuaWFuYS5vcmciIHRh cmdldD0iX2JsYW5rIj4NCmJsYWNraG9sZS0xLmlhbmEub3JnPC9hPi48YnI+DQpob21lLmFycGEu Jm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7IDE3MjgwMCZu YnNwOyBJTiZuYnNwOyAmbmJzcDsgJm5ic3A7IE5TJm5ic3A7ICZuYnNwOyAmbmJzcDsgPGEgaHJl Zj0iaHR0cDovL2JsYWNraG9sZS0yLmlhbmEub3JnIiB0YXJnZXQ9Il9ibGFuayI+DQpibGFja2hv bGUtMi5pYW5hLm9yZzwvYT4uPGJyPg0KaG9tZS5hcnBhLiZuYnNwOyAmbmJzcDsgJm5ic3A7ICZu YnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyA4NjQwMCZuYnNwOyAmbmJzcDtJTiZuYnNwOyAmbmJz cDsgJm5ic3A7IE5TRUMmbmJzcDsgJm5ic3A7IGluLWFkZHIuYXJwYS4gTlMgUlJTSUcgTlNFQzxi cj4NCmhvbWUuYXJwYS4mbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAm bmJzcDsgODY0MDAmbmJzcDsgJm5ic3A7SU4mbmJzcDsgJm5ic3A7ICZuYnNwOyBSUlNJRyZuYnNw OyAmbmJzcDtOU0VDIDggMiA4NjQwMCAyMDIwMDczMTEyMDAwMCAyMDIwMDcxODExMDAwMCA1NzE1 NiBhcnBhLiBsU3FMTnoxRS82V2tBVURBSkRudm85WDI0OEImIzQzO1BBV00zNHMwUzBQSkZqUGk0 WUxvRS8vNnpTUjYgRGdtMFQmIzQzOzJxVjJLcmd2WWJPekhWOVovbFJvcEZ4U0VKU1N3b0hnclVt Zm9mWG1JYlFpS2dRSEJpIGc5ZHZMOHllSm0wY1JlNlFNdU0xcS9ELzMmIzQzO0FuUHY1T1FOQmhD NiYjNDM7VUVBJiM0Mztlbk8zSnREYnZqci9IDQogWGZQUHZmRGZvemFjWmtIUGUmIzQzO0FZcEpi bVQ3cWZIdjhHdy9CZWVOdERleDlqTW9EYkoybDBCTFQxIFVUUEtFOSYjNDM7QWJyaDNSYXdjS0JG M0JiTE5XVTZBaElrT0xaUkFER01qY1pnMU0vSUhVay9yT1dYViBFTVppaGcxJiM0Mzs1STRHU21h UkROMGpUWDlnNWpyODIyRVpmYVpMbUNLbGNHWU1NSFZPa01VQTdrMHIgJiM0Mzt2L1pyZz09PGJy Pg0KPGJyPg0KSWYgeW91IGFyZSB1c2luZyBmb3J3YXJkIHpvbmVzIChub3QgcmVjb21tZW5kZWQp IHNldCDigJxmb3J3YXJkIG9ubHk74oCdIGFzIHlvdSBkb27igJl0IHdhbnQgdG8gZmFsbGJhY2sg dG8gcXVlcnlpbmcgc2VydmVycyBvbiB0aGUgZ2xvYmFsIEludGVybmV0IHdoZW4gZ3JhZnRpbmcg b24gbmFtZXNwYWNlLiZuYnNwOyBJZiB5b3UgZG8gdXNlIGEgZm9yd2FyZCB6b25lIHRoZW4gdGhl IHNlcnZlcnMgYmVpbmcgZm9yd2FyZGVkIHRvIG5lZWQgdG8gZWl0aGVyIGEpIHNlcnZlDQogdGhl ICplbnRpcmUqIG5hbWVzcGFjZSB1bmRlciB0aGUgZm9yd2FyZCB6b25lLCBvciBiKSBiZSBjb25m aWd1cmVkIGFzIHJlY3Vyc2l2ZSBzZXJ2ZXJzLjxicj4NCjxicj4NCnpvbmUgaG9tZS5hcnBhIHs8 YnI+DQombmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgdHlwZSBmb3J3YXJkOzxicj4NCiZuYnNw OyAmbmJzcDsgJm5ic3A7ICZuYnNwOyBmb3J3YXJkIG9ubHk7PGJyPg0KJm5ic3A7ICZuYnNwOyAm bmJzcDsgJm5ic3A7IGZvcndhcmRlcnMgezE5Mi4xNjguMTQuMjA7fTs8YnI+DQp9Ozxicj4NCjxi cj4NCkkgd291bGQgcmVjb21tZW5kIHVzaW5nIHNlY29uZGFyeSB6b25lIHJhdGhlciB0aGFuIGZv cndhcmQgem9uZXMgZm9yIGdyYWZ0aW5nIG9uIG5hbWVzcGFjZXMsIGp1c3QgZW5zdXJlIHRoYXQg dGhlIGFsbCBzbGF2ZSBzZXJ2ZXJzIGFyZSByZWNlaXZpbmcgTk9USUZZIG1lc3NhZ2VzICh1c2Ug YWxzby1ub3RpZnkpIHNvIHRoYXQgdGhleSByZWNlaXZlIGNoYW5nZXMgZmFzdC4mbmJzcDsgRmFz dCBwcm9wYWdhdGlvbiBvZiBjaGFuZ2VzIGlzIG5lZWRlZCBpbg0KIGEgaG9tZSBlbnZpcm9ubWVu dC4mbmJzcDsgU2Vjb25kYXJ5IHpvbmUgYWxzbyBwcm92aWRlIGEgYnJlYWsgaW4gdGhlIEROU1NF QyBjaGFpbiBvZiB0cnVzdCBhcyBmYXIgYXMgdGhlIHJlY3Vyc2l2ZSBzZXJ2ZXIgaXMgY29uY2Vy bmVkLiZuYnNwOyBUaGV5IGhvd2V2ZXIgZG8gbm90IGJyZWFrIHRoZSBETlNTRUMgY2hhaW4gb2Yg dHJ1c3QgZm9yIGFueSBETlNTRUMgdmFsaWRhdGluZyBjbGllbnRzIG9mIHRoZSByZWN1cnNpdmUg c2VydmVyLjxicj4NCjxicj4NCnpvbmUgaG9tZS5hcnBhIHs8YnI+DQombmJzcDsgJm5ic3A7ICZu YnNwOyAmbmJzcDsgdHlwZSBzZWNvbmRhcnk7PGJyPg0KJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5i c3A7IHByaW1hcmllcyB7MTkyLjE2OC4xNC4yMDt9Ozxicj4NCiZuYnNwOyAmbmJzcDsgJm5ic3A7 ICZuYnNwOyBmaWxlIOKAnDxhIGhyZWY9Imh0dHA6Ly9ob21lLmFycGEuZGIiPmhvbWUuYXJwYS5k YjwvYT7igJ07PGJyPg0KJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7IC4uLjxicj4NCn07PGJy Pg0KPGJyPg0Kem9uZSBob21lLmFycGEgezxicj4NCiZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNw OyB0eXBlIHByaW1hcnk7PGJyPg0KJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7IGZpbGUg4oCc PGEgaHJlZj0iaHR0cDovL2hvbWUuYXJwYS5kYiI+aG9tZS5hcnBhLmRiPC9hPuKAnTs8YnI+DQom bmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgYWxzby1ub3RpZnkgeyBhZGRyZXNzIGxpc3Q7IH07 PGJyPg0KJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7IC4uLjxicj4NCn07PGJyPg0KPGJyPg0K QWxzbyBmb3JnZXQgYW55IGdhcmJhZ2UgdGhhdCByZWN1cnNpdmUgc2VydmVycyBzaG91bGQgbm90 IGFsc28gc2VydmUgem9uZXMuJm5ic3A7IFBlb3BsZSBoYXZlIHRha2UgdGhlIGFkdmljZSB0aGF0 IGxpc3RlZCBhdXRob3JpdGF0aXZlIHNlcnZlcnMgc2hvdWxkbuKAmXQgYmUgcmVjdXJzaXZlICh3 aGljaCBpcyBnb29kIGFkdmlzZSB3aGVuIHNlcnZpbmcgem9uZXMgdG8gdGhlIHB1YmxpYykgYW5k IGludmVydGVkIGl0IHRvIGNvbWUgdXAgd2l0aCBiYWQgYWR2aWNlLjxicj4NCjxicj4NCk1hcms8 YnI+DQo8YnI+DQomZ3Q7IE9uIDE4IEp1bCAyMDIwLCBhdCAwNToxOCwgV2VlbHRpbiAmbHQ7PGEg aHJlZj0ibWFpbHRvOndlZWx0aW5sQGdtYWlsLmNvbSIgdGFyZ2V0PSJfYmxhbmsiPndlZWx0aW5s QGdtYWlsLmNvbTwvYT4mZ3Q7IHdyb3RlOjxicj4NCiZndDsgPGJyPg0KJmd0OyBIZWxsbyBhbGws PGJyPg0KJmd0OyA8YnI+DQomZ3Q7IEnigJltIHRyeWluZyB0byBpbXBsZW1lbnQgYSBETlMgc3Ry dWN0dXJlLCBjb250YWluaW5nIGEgcmVjdXJzaXZlIGFuZCBhdXRob3JpdGF0aXZlIHNlcnZlciwg YnV0IGluIGRvaW5nIHNvLCBJIGhhdmUgcnVuIGludG8gYSBzbWFsbCBwcm9ibGVtLiBJIGNhbiBt YWtlIEROUyBxdWVyaWVzIGZyb20gYSBjbGllbnQgdG93YXJkIHRoZSBuZXQsIGJ1dCB3aGVuIEkg dHJ5IHRvIGRvIHRoZSBzYW1lIHRvd2FyZCBteSBpbnRlcm5hbCBkb21haW4sIEkgZ2V0DQogbm8g cmVzdWx0LiBJIGhhdmUgc3BlbnQgZGF5cyB0cnlpbmcgdG8gZmlndXJlIG91dCB3aGF0IGlzIGdv aW5nIG9uLCBidXQgdG8gbm8gYXZhaWwsIEkgdGhlcmUgZm9yIGhvcGUgdGhhdCBzb21lb25lIG9u IHRoaXMgbGlzdCBjYW4gcG9pbnQgbWUgaW4gdGhlIHJpZ2h0IGRpcmVjdGlvbiBvciByaWdodCBv dXQgdGVsbCB3aGF0IGlzIHdyb25nLjxicj4NCiZndDsgPGJyPg0KJmd0OyAvV2VlbHRpbi48YnI+ DQomZ3Q7IDxicj4NCiZndDsmbmJzcDsgJm5ic3A7LS0tLS1ESUcgdHJvdWJsZXNob290czxicj4N CiZndDsgPGJyPg0KJmd0OyBbd2VlbHRpbkBjMSB+XSQgY2F0IC9ldGMvcmVzb2x2LmNvbmYgPGJy Pg0KJmd0OyAjIEdlbmVyYXRlZCBieSBOZXR3b3JrTWFuYWdlcjxicj4NCiZndDsgbmFtZXNlcnZl ciAxOTIuMTY4LjE0LjEwPGJyPg0KJmd0OyA8YnI+DQomZ3Q7IFt3ZWVsdGluQGMxJm5ic3A7IH5d JCBkaWcgPGEgaHJlZj0iaHR0cDovL2dvb2dsZS5jb20iIHRhcmdldD0iX2JsYW5rIj5nb29nbGUu Y29tPC9hPjxicj4NCiZndDsgOyAmbHQ7Jmx0OyZndDsmZ3Q7IERpRyA5LjExLjExLVJlZEhhdC05 LjExLjExLTEuZmMzMSAmbHQ7Jmx0OyZndDsmZ3Q7IDxhIGhyZWY9Imh0dHA6Ly9nb29nbGUuY29t IiB0YXJnZXQ9Il9ibGFuayI+DQpnb29nbGUuY29tPC9hPjxicj4NCiZndDsgOzsgZ2xvYmFsIG9w dGlvbnM6ICYjNDM7Y21kPGJyPg0KJmd0OyA7OyBHb3QgYW5zd2VyOjxicj4NCiZndDsgOzsgLSZn dDsmZ3Q7SEVBREVSJmx0OyZsdDstIG9wY29kZTogUVVFUlksIHN0YXR1czogTk9FUlJPUiwgaWQ6 IDQ4OTMyPGJyPg0KJmd0OyA7OyBmbGFnczogcXIgcmQgcmE7IFFVRVJZOiAxLCBBTlNXRVI6IDEs IEFVVEhPUklUWTogMCwgQURESVRJT05BTDogMTxicj4NCiZndDsgPGJyPg0KJmd0OyA7OyBPUFQg UFNFVURPU0VDVElPTjo8YnI+DQomZ3Q7IDsgRUROUzogdmVyc2lvbjogMCwgZmxhZ3M6OyB1ZHA6 IDQwOTY8YnI+DQomZ3Q7IDsgQ09PS0lFOiBjMWJjNGExMWM0MGJkNzU1OTA1YzhjNzA1ZjExZjVm ZmU2OTljYzAxMTZlZDhiYTUgKGdvb2QpPGJyPg0KJmd0OyA7OyBRVUVTVElPTiBTRUNUSU9OOjxi cj4NCiZndDsgOzxhIGhyZWY9Imh0dHA6Ly9nb29nbGUuY29tIiB0YXJnZXQ9Il9ibGFuayI+Z29v Z2xlLmNvbTwvYT4uJm5ic3A7IElOJm5ic3A7ICZuYnNwOyAmbmJzcDsgQTxicj4NCiZndDsgPGJy Pg0KJmd0OyA7OyBBTlNXRVIgU0VDVElPTjo8YnI+DQomZ3Q7IDxhIGhyZWY9Imh0dHA6Ly9nb29n bGUuY29tIiB0YXJnZXQ9Il9ibGFuayI+Z29vZ2xlLmNvbTwvYT4uJm5ic3A7ICZuYnNwOzMwMCZu YnNwOyAmbmJzcDsgJm5ic3A7SU4mbmJzcDsgJm5ic3A7ICZuYnNwOyBBJm5ic3A7ICZuYnNwOyAm bmJzcDsgJm5ic3A7MjE2LjU4LjIxMS4xNDI8YnI+DQomZ3Q7IDxicj4NCiZndDsgOzsgUXVlcnkg dGltZTogMTc5IG1zZWM8YnI+DQomZ3Q7IDs7IFNFUlZFUjogMTkyLjE2OC4xNC4xMCM1MygxOTIu MTY4LjE0LjEwKTxicj4NCiZndDsgOzsgV0hFTjogRnJpIEp1bCAxNyAxNTowMzoyNyBFRFQgMjAy MDxicj4NCiZndDsgOzsgTVNHIFNJWkUmbmJzcDsgcmN2ZDogODM8YnI+DQomZ3Q7IDxicj4NCiZn dDsgPGJyPg0KJmd0OyBbd2VlbHRpbkBjMSB+XSQgZGlnIGMxLmV4YW1wbGUuaG9tZTxicj4NCiZn dDsgOyAmbHQ7Jmx0OyZndDsmZ3Q7IERpRyA5LjExLjExLVJlZEhhdC05LjExLjExLTEuZmMzMSAm bHQ7Jmx0OyZndDsmZ3Q7IGMxLmV4YW1wbGUuaG9tZTxicj4NCiZndDsgOzsgZ2xvYmFsIG9wdGlv bnM6ICYjNDM7Y21kPGJyPg0KJmd0OyA7OyBHb3QgYW5zd2VyOjxicj4NCiZndDsgOzsgLSZndDsm Z3Q7SEVBREVSJmx0OyZsdDstIG9wY29kZTogUVVFUlksIHN0YXR1czogTlhET01BSU4sIGlkOiA2 MjYwMjxicj4NCiZndDsgOzsgZmxhZ3M6IHFyIHJkIHJhIGFkOyBRVUVSWTogMSwgQU5TV0VSOiAw LCBBVVRIT1JJVFk6IDEsIEFERElUSU9OQUw6IDE8YnI+DQomZ3Q7IDxicj4NCiZndDsgOzsgT1BU IFBTRVVET1NFQ1RJT046PGJyPg0KJmd0OyA7IEVETlM6IHZlcnNpb246IDAsIGZsYWdzOjsgdWRw OiA0MDk2PGJyPg0KJmd0OyA7IENPT0tJRTogY2Y4ODc2ZTNiMzUxMzhmNDcwNDAxODhlNWYxMWY2 NGE5MTQ0NWFhNGY4MzEwZjVhIChnb29kKTxicj4NCiZndDsgOzsgUVVFU1RJT04gU0VDVElPTjo8 YnI+DQomZ3Q7IDtjMS5leGFtcGxlLmhvbWUuJm5ic3A7ICZuYnNwOyAmbmJzcDtJTiZuYnNwOyAm bmJzcDsgJm5ic3A7IEE8YnI+DQomZ3Q7IDxicj4NCiZndDsgOzsgQVVUSE9SSVRZIFNFQ1RJT046 PGJyPg0KJmd0OyAuJm5ic3A7ICZuYnNwOyAmbmJzcDsxMDgwMCZuYnNwOyAmbmJzcDtJTiZuYnNw OyAmbmJzcDsgJm5ic3A7IFNPQSZuYnNwOyAmbmJzcDsgJm5ic3A7PGEgaHJlZj0iaHR0cDovL2Eu cm9vdC1zZXJ2ZXJzLm5ldCIgdGFyZ2V0PSJfYmxhbmsiPmEucm9vdC1zZXJ2ZXJzLm5ldDwvYT4u DQo8YSBocmVmPSJodHRwOi8vbnN0bGQudmVyaXNpZ24tZ3JzLmNvbSIgdGFyZ2V0PSJfYmxhbmsi Pm5zdGxkLnZlcmlzaWduLWdycy5jb208L2E+LiAyMDIwMDcxNzAxIDE4MDAgOTAwIDYwNDgwMCA4 NjQwMDxicj4NCiZndDsgPGJyPg0KJmd0OyA7OyBRdWVyeSB0aW1lOiAyNjMgbXNlYzxicj4NCiZn dDsgOzsgU0VSVkVSOiAxOTIuMTY4LjE0LjEwIzUzKDE5Mi4xNjguMTQuMTApPGJyPg0KJmd0OyA7 OyBXSEVOOiBGcmkgSnVsIDE3IDE1OjA0OjQyIEVEVCAyMDIwPGJyPg0KJmd0OyA7OyBNU0cgU0la RSZuYnNwOyByY3ZkOiAxNDc8YnI+DQomZ3Q7IDxicj4NCiZndDsgPGJyPg0KJmd0OyA8YnI+DQom Z3Q7IFt3ZWVsdGluQGMxIH5dJCBkaWcgQDxhIGhyZWY9Imh0dHA6Ly8xOTIuMTY4LjE0LjIwIiB0 YXJnZXQ9Il9ibGFuayI+MTkyLjE2OC4xNC4yMDwvYT4gYzEuZXhhbXBsZS5ob21lPGJyPg0KJmd0 OyA8YnI+DQomZ3Q7IDsgJmx0OyZsdDsmZ3Q7Jmd0OyBEaUcgOS4xMS4xMS1SZWRIYXQtOS4xMS4x MS0xLmZjMzEgJmx0OyZsdDsmZ3Q7Jmd0OyBAPGEgaHJlZj0iaHR0cDovLzE5Mi4xNjguMTQuMjAi IHRhcmdldD0iX2JsYW5rIj4xOTIuMTY4LjE0LjIwPC9hPiBjMS5leGFtcGxlLmhvbWU8YnI+DQom Z3Q7IDsgKDEgc2VydmVyIGZvdW5kKTxicj4NCiZndDsgOzsgZ2xvYmFsIG9wdGlvbnM6ICYjNDM7 Y21kPGJyPg0KJmd0OyA7OyBHb3QgYW5zd2VyOjxicj4NCiZndDsgOzsgLSZndDsmZ3Q7SEVBREVS Jmx0OyZsdDstIG9wY29kZTogUVVFUlksIHN0YXR1czogTk9FUlJPUiwgaWQ6IDIwNzA0PGJyPg0K Jmd0OyA7OyBmbGFnczogcXIgYWEgcmQ7IFFVRVJZOiAxLCBBTlNXRVI6IDEsIEFVVEhPUklUWTog MCwgQURESVRJT05BTDogMTxicj4NCiZndDsgOzsgV0FSTklORzogcmVjdXJzaW9uIHJlcXVlc3Rl ZCBidXQgbm90IGF2YWlsYWJsZTxicj4NCiZndDsgPGJyPg0KJmd0OyA7OyBPUFQgUFNFVURPU0VD VElPTjo8YnI+DQomZ3Q7IDsgRUROUzogdmVyc2lvbjogMCwgZmxhZ3M6OyB1ZHA6IDQwOTY8YnI+ DQomZ3Q7IDsgQ09PS0lFOiA3NDcyODljOTQ4NzZjZjM0OTAzNGFlYzM1ZjExZjc5NGEyOWM2NzQ3 YmI2YTY5NGYgKGdvb2QpPGJyPg0KJmd0OyA7OyBRVUVTVElPTiBTRUNUSU9OOjxicj4NCiZndDsg O2MxLmV4YW1wbGUuaG9tZS4mbmJzcDsgJm5ic3A7ICZuYnNwO0lOJm5ic3A7ICZuYnNwOyAmbmJz cDsgQTxicj4NCiZndDsgPGJyPg0KJmd0OyA7OyBBTlNXRVIgU0VDVElPTjo8YnI+DQomZ3Q7IGMx LmV4YW1wbGUuaG9tZS4mbmJzcDsgJm5ic3A7ICZuYnNwOyA2MDQ4MDAmbmJzcDsgSU4mbmJzcDsg Jm5ic3A7ICZuYnNwOyBBJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7MTkyLjE2OC4xNC4xPGJy Pg0KJmd0OyA8YnI+DQomZ3Q7IDs7IFF1ZXJ5IHRpbWU6IDAgbXNlYzxicj4NCiZndDsgOzsgU0VS VkVSOiAxOTIuMTY4LjE0LjIwIzUzKDE5Mi4xNjguMTQuMjApPGJyPg0KJmd0OyA7OyBXSEVOOiBG cmkgSnVsIDE3IDE1OjEwOjEyIEVEVCAyMDIwPGJyPg0KJmd0OyA7OyBNU0cgU0laRSZuYnNwOyBy Y3ZkOiA4ODxicj4NCiZndDsgPGJyPg0KJmd0OyA8YnI+DQomZ3Q7IDxicj4NCiZndDsgPGJyPg0K Jmd0OyA8YnI+DQomZ3Q7IC0tLS0tIGluZm9ybWF0aW9ucyBhbmQgY29uZmlndXJhdGlvbnMgLS0t LTxicj4NCiZndDsgPGJyPg0KJmd0OyBPUzogQWxwaW5lIDMuMTI8YnI+DQomZ3Q7IDxicj4NCiZn dDsgQmluZDogYmluZCA5LjE0LjEyPGJyPg0KJmd0OyA8YnI+DQomZ3Q7Jm5ic3A7IDxicj4NCiZn dDsgTnMxOiAxOTIuMTY4LjE0LjEwIChyZWN1cnNpdmUpPGJyPg0KJmd0OyA8YnI+DQomZ3Q7IE5z MjogMTkyLjE2OC4xNC4yMCAoYXV0aG9yaXRhdGl2ZSk8YnI+DQomZ3Q7IDxicj4NCiZndDsgQzE6 IDE5Mi4xNjguMTQuMSAoY2xpZW50KTxicj4NCiZndDsgPGJyPg0KJmd0OyZuYnNwOyA8YnI+DQom Z3Q7IC0tLSByZWN1cnNpdmUgY29uZmlnIChOUzEpPGJyPg0KJmd0OyA8YnI+DQomZ3Q7IC8vIHJl Y3Vyc2l2ZSBuYW1lZC5jb25mPGJyPg0KJmd0OyAvLzxicj4NCiZndDsgPGJyPg0KJmd0OyBhY2wg dHJ1c3RlZCB7PGJyPg0KJmd0OyA8YnI+DQomZ3Q7Jm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7 ICZuYnNwOzxhIGhyZWY9Imh0dHA6Ly8xOTIuMTY4LjE0LjAvMjQiIHRhcmdldD0iX2JsYW5rIj4x OTIuMTY4LjE0LjAvMjQ8L2E+Ozxicj4NCiZndDsgPGJyPg0KJmd0OyZuYnNwOyAmbmJzcDsgJm5i c3A7ICZuYnNwOyAmbmJzcDtsb2NhbGhvc3Q7PGJyPg0KJmd0OyA8YnI+DQomZ3Q7IH07PGJyPg0K Jmd0OyA8YnI+DQomZ3Q7IDxicj4NCiZndDsgYWNsIHJmYzE5MTggezxicj4NCiZndDsgPGJyPg0K Jmd0OyZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDs8YSBocmVmPSJodHRwOi8vMTAu MC4wLjAvOCIgdGFyZ2V0PSJfYmxhbmsiPjEwLjAuMC4wLzg8L2E+Ozxicj4NCiZndDsgPGJyPg0K Jmd0OyZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDs8YSBocmVmPSJodHRwOi8vMTcy LjE2LjAuMC8xMiIgdGFyZ2V0PSJfYmxhbmsiPjE3Mi4xNi4wLjAvMTI8L2E+Ozxicj4NCiZndDsg PGJyPg0KJmd0OyZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDshPGEgaHJlZj0iaHR0 cDovLzE5Mi4xNjguMTQuMC8yNCIgdGFyZ2V0PSJfYmxhbmsiPjE5Mi4xNjguMTQuMC8yNDwvYT47 PGJyPg0KJmd0OyA8YnI+DQomZ3Q7Jm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOzxh IGhyZWY9Imh0dHA6Ly8xOTIuMTY4LjAuMC8xNiIgdGFyZ2V0PSJfYmxhbmsiPjE5Mi4xNjguMC4w LzE2PC9hPjs8YnI+DQomZ3Q7IDxicj4NCiZndDsgfTs8YnI+DQomZ3Q7IDxicj4NCiZndDsgPGJy Pg0KJmd0OyBhY2wgcmZjNTczNSB7PGJyPg0KJmd0OyA8YnI+DQomZ3Q7Jm5ic3A7ICZuYnNwOyAm bmJzcDsgJm5ic3A7ICZuYnNwOzxhIGhyZWY9Imh0dHA6Ly8wLjAuMC4wLzgiIHRhcmdldD0iX2Js YW5rIj4wLjAuMC4wLzg8L2E+Ozxicj4NCiZndDsgPGJyPg0KJmd0OyZuYnNwOyAmbmJzcDsgJm5i c3A7ICZuYnNwOyAmbmJzcDs8YSBocmVmPSJodHRwOi8vMTY5LjI1NC4wLjAvMTYiIHRhcmdldD0i X2JsYW5rIj4xNjkuMjU0LjAuMC8xNjwvYT47PGJyPg0KJmd0OyA8YnI+DQomZ3Q7Jm5ic3A7ICZu YnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOzxhIGhyZWY9Imh0dHA6Ly8xOTIuMC4wLjAvMjQiIHRh cmdldD0iX2JsYW5rIj4xOTIuMC4wLjAvMjQ8L2E+Ozxicj4NCiZndDsgPGJyPg0KJmd0OyZuYnNw OyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDs8YSBocmVmPSJodHRwOi8vMTkyLjAuMi4wLzI0 IiB0YXJnZXQ9Il9ibGFuayI+MTkyLjAuMi4wLzI0PC9hPjs8YnI+DQomZ3Q7IDxicj4NCiZndDsm bmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7PGEgaHJlZj0iaHR0cDovLzE5Mi44OC45 OS4wLzI0IiB0YXJnZXQ9Il9ibGFuayI+MTkyLjg4Ljk5LjAvMjQ8L2E+Ozxicj4NCiZndDsgPGJy Pg0KJmd0OyZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDs8YSBocmVmPSJodHRwOi8v MTk4LjE4LjAuMC8xNSIgdGFyZ2V0PSJfYmxhbmsiPjE5OC4xOC4wLjAvMTU8L2E+Ozxicj4NCiZn dDsgPGJyPg0KJmd0OyZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDs8YSBocmVmPSJo dHRwOi8vMTk4LjUxLjEwMC4wLzI0IiB0YXJnZXQ9Il9ibGFuayI+MTk4LjUxLjEwMC4wLzI0PC9h Pjs8YnI+DQomZ3Q7IDxicj4NCiZndDsmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7 PGEgaHJlZj0iaHR0cDovLzIwMy4wLjExMy4wLzI0IiB0YXJnZXQ9Il9ibGFuayI+MjAzLjAuMTEz LjAvMjQ8L2E+Ozxicj4NCiZndDsgPGJyPg0KJmd0OyZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNw OyAmbmJzcDs8YSBocmVmPSJodHRwOi8vMjI0LjAuMC4wLzQiIHRhcmdldD0iX2JsYW5rIj4yMjQu MC4wLjAvNDwvYT47PGJyPg0KJmd0OyA8YnI+DQomZ3Q7IH07PGJyPg0KJmd0OyA8YnI+DQomZ3Q7 IDxicj4NCiZndDsgb3B0aW9ucyB7PGJyPg0KJmd0OyA8YnI+DQomZ3Q7Jm5ic3A7ICZuYnNwOyAm bmJzcDsgJm5ic3A7ICZuYnNwO2RpcmVjdG9yeSAmcXVvdDsvdmFyL2JpbmQmcXVvdDs7PGJyPg0K Jmd0OyA8YnI+DQomZ3Q7Jm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwO2xpc3Rlbi1v biB7PGJyPg0KJmd0OyZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZu YnNwOyAmbmJzcDsgJm5ic3A7MTI3LjAuMC4xOzxicj4NCiZndDsgPGJyPg0KJmd0OyZuYnNwOyAm bmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7MTky LjE2OC4xNC4xMDs8YnI+DQomZ3Q7IDxicj4NCiZndDsmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJz cDsgJm5ic3A7fTs8YnI+DQomZ3Q7IDxicj4NCiZndDsmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJz cDsgJm5ic3A7bGlzdGVuLW9uLXY2IHs8YnI+DQomZ3Q7IDxicj4NCiZndDsmbmJzcDsgJm5ic3A7 ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwO25vbmU7PGJy Pg0KJmd0OyA8YnI+DQomZ3Q7Jm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwO307PGJy Pg0KJmd0OyA8YnI+DQomZ3Q7Jm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyBhbGxv dy1xdWVyeSB7PGJyPg0KJmd0OyA8YnI+DQomZ3Q7Jm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7 ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDt0cnVzdGVkOzxicj4NCiZndDsgPGJy Pg0KJmd0OyZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDt9Ozxicj4NCiZndDsgPGJy Pg0KJmd0OyZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgLy9xdWVyeS1zb3VyY2Ug YWRkcmVzcyAqIHBvcnQgNTM7PGJyPg0KJmd0OyA8YnI+DQomZ3Q7Jm5ic3A7ICZuYnNwOyAmbmJz cDsgJm5ic3A7ICZuYnNwOyBhbGxvdy1xdWVyeS1jYWNoZSB7PGJyPg0KJmd0OyA8YnI+DQomZ3Q7 Jm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAm bmJzcDt0cnVzdGVkOzxicj4NCiZndDsgPGJyPg0KJmd0OyZuYnNwOyAmbmJzcDsgJm5ic3A7ICZu YnNwOyAmbmJzcDt9Ozxicj4NCiZndDsgPGJyPg0KJmd0OyZuYnNwOyAmbmJzcDsgJm5ic3A7ICZu YnNwOyAmbmJzcDsgYmxhY2tob2xlIHs8YnI+DQomZ3Q7IDxicj4NCiZndDsmbmJzcDsgJm5ic3A7 ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwO3JmYzE5MTg7 PGJyPg0KJmd0OyA8YnI+DQomZ3Q7Jm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAm bmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDtyZmM1NzM1Ozxicj4NCiZndDsgPGJyPg0KJmd0OyZu YnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDt9Ozxicj4NCiZndDsgPGJyPg0KJmd0OyZu YnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgYWxsb3ctdHJhbnNmZXIgezxicj4NCiZn dDsgPGJyPg0KJmd0OyZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZu YnNwOyAmbmJzcDsgJm5ic3A7bm9uZTs8YnI+DQomZ3Q7IDxicj4NCiZndDsmbmJzcDsgJm5ic3A7 ICZuYnNwOyAmbmJzcDsgJm5ic3A7fTs8YnI+DQomZ3Q7IDxicj4NCiZndDsmbmJzcDsgJm5ic3A7 ICZuYnNwOyAmbmJzcDsgJm5ic3A7cGlkLWZpbGUgJnF1b3Q7L3Zhci9ydW4vbmFtZWQvbmFtZWQu cGlkJnF1b3Q7Ozxicj4NCiZndDsgPGJyPg0KJmd0OyA8YnI+DQomZ3Q7Jm5ic3A7ICZuYnNwOyAm bmJzcDsgJm5ic3A7ICZuYnNwOy8vIENoYW5naW5nIHRoaXMgaXMgTk9UIFJFQ09NTUVOREVEOyBz ZWUgdGhlIG5vdGVzIGFib3ZlIGFuZCBpbjxicj4NCiZndDsgPGJyPg0KJmd0OyZuYnNwOyAmbmJz cDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsvLyBuYW1lZC5jb25mLnJlY3Vyc2l2ZS48YnI+DQomZ3Q7 IDxicj4NCiZndDsmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7YWxsb3ctcmVjdXJz aW9uIHs8YnI+DQomZ3Q7IDxicj4NCiZndDsmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5i c3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwO3RydXN0ZWQ7PGJyPg0KJmd0OyA8YnI+DQom Z3Q7Jm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwO307PGJyPg0KJmd0OyA8YnI+DQom Z3Q7Jm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwO3JlY3Vyc2lvbiB5ZXM7PGJyPg0K Jmd0OyA8YnI+DQomZ3Q7IH07PGJyPg0KJmd0OyA8YnI+DQomZ3Q7IHpvbmUgJnF1b3Q7LiZxdW90 OyBJTiB7PGJyPg0KJmd0OyA8YnI+DQomZ3Q7Jm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZu YnNwO3R5cGUgaGludDs8YnI+DQomZ3Q7IDxicj4NCiZndDsmbmJzcDsgJm5ic3A7ICZuYnNwOyAm bmJzcDsgJm5ic3A7ZmlsZSAmcXVvdDtyb290LmNhY2hlJnF1b3Q7Ozxicj4NCiZndDsgPGJyPg0K Jmd0OyB9Ozxicj4NCiZndDsgPGJyPg0KJmd0OyA8YnI+DQomZ3Q7IHpvbmUgJnF1b3Q7bG9jYWxo b3N0JnF1b3Q7IElOIHs8YnI+DQomZ3Q7IDxicj4NCiZndDsmbmJzcDsgJm5ic3A7ICZuYnNwOyAm bmJzcDsgJm5ic3A7dHlwZSBtYXN0ZXI7PGJyPg0KJmd0OyA8YnI+DQomZ3Q7Jm5ic3A7ICZuYnNw OyAmbmJzcDsgJm5ic3A7ICZuYnNwO2ZpbGUgJnF1b3Q7cHJpL2xvY2FsaG9zdC56b25lJnF1b3Q7 Ozxicj4NCiZndDsgPGJyPg0KJmd0OyZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDth bGxvdy11cGRhdGUgeyBub25lOyB9Ozxicj4NCiZndDsgPGJyPg0KJmd0OyZuYnNwOyAmbmJzcDsg Jm5ic3A7ICZuYnNwOyAmbmJzcDtub3RpZnkgbm87PGJyPg0KJmd0OyA8YnI+DQomZ3Q7IH07PGJy Pg0KJmd0OyA8YnI+DQomZ3Q7IDxicj4NCiZndDsgem9uZSAmcXVvdDsxMjcuaW4tYWRkci5hcnBh JnF1b3Q7IElOIHs8YnI+DQomZ3Q7IDxicj4NCiZndDsmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJz cDsgJm5ic3A7dHlwZSBtYXN0ZXI7PGJyPg0KJmd0OyA8YnI+DQomZ3Q7Jm5ic3A7ICZuYnNwOyAm bmJzcDsgJm5ic3A7ICZuYnNwO2ZpbGUgJnF1b3Q7cHJpLzEyNy56b25lJnF1b3Q7Ozxicj4NCiZn dDsgPGJyPg0KJmd0OyZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDthbGxvdy11cGRh dGUgeyBub25lOyB9Ozxicj4NCiZndDsgPGJyPg0KJmd0OyZuYnNwOyAmbmJzcDsgJm5ic3A7ICZu YnNwOyAmbmJzcDtub3RpZnkgbm87PGJyPg0KJmd0OyA8YnI+DQomZ3Q7IH07PGJyPg0KJmd0OyA8 YnI+DQomZ3Q7IDxicj4NCiZndDsgem9uZSAmcXVvdDtleGFtcGxlLmhvbWUmcXVvdDsgezxicj4N CiZndDsgPGJyPg0KJmd0OyZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDt0eXBlIGZv cndhcmQ7PGJyPg0KJmd0OyA8YnI+DQomZ3Q7Jm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZu YnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5i c3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyBmb3J3YXJkZXJzIHsgMTkyLjE2OC4xNC4y MDsgfTs8YnI+DQomZ3Q7IDxicj4NCiZndDsgfTs8YnI+DQomZ3Q7IDxicj4NCiZndDsgPGJyPg0K Jmd0OyA8YnI+DQomZ3Q7IC0tLSZuYnNwOyBhdXRob3JpdGF0aXZlIGNvbmZpZyAoTlMyKSA8YnI+ DQomZ3Q7IC8vIGF1dGhvcml0YXRpdmUgbmFtZWQuY29uZjxicj4NCiZndDsgLy88YnI+DQomZ3Q7 IGFjbCB0cnVzdGVkIHs8YnI+DQomZ3Q7Jm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNw OzxhIGhyZWY9Imh0dHA6Ly8xOTIuMTY4LjE0LjAvMjQiIHRhcmdldD0iX2JsYW5rIj4xOTIuMTY4 LjE0LjAvMjQ8L2E+Ozxicj4NCiZndDsmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7 bG9jYWxob3N0Ozxicj4NCiZndDsgfTs8YnI+DQomZ3Q7IDxicj4NCiZndDsgYWNsIHJmYzE5MTgg ezxicj4NCiZndDsmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7PGEgaHJlZj0iaHR0 cDovLzEwLjAuMC4wLzgiIHRhcmdldD0iX2JsYW5rIj4xMC4wLjAuMC84PC9hPjs8YnI+DQomZ3Q7 Jm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOzxhIGhyZWY9Imh0dHA6Ly8xNzIuMTYu MC4wLzEyIiB0YXJnZXQ9Il9ibGFuayI+MTcyLjE2LjAuMC8xMjwvYT47PGJyPg0KJmd0OyZuYnNw OyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDshPGEgaHJlZj0iaHR0cDovLzE5Mi4xNjguMTQu MC8yNCIgdGFyZ2V0PSJfYmxhbmsiPjE5Mi4xNjguMTQuMC8yNDwvYT47PGJyPg0KJmd0OyZuYnNw OyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDs8YSBocmVmPSJodHRwOi8vMTkyLjE2OC4wLjAv MTYiIHRhcmdldD0iX2JsYW5rIj4xOTIuMTY4LjAuMC8xNjwvYT47PGJyPg0KJmd0OyB9Ozxicj4N CiZndDsgPGJyPg0KJmd0OyBhY2wgcmZjNTczNSB7PGJyPg0KJmd0OyZuYnNwOyAmbmJzcDsgJm5i c3A7ICZuYnNwOyAmbmJzcDs8YSBocmVmPSJodHRwOi8vMC4wLjAuMC84IiB0YXJnZXQ9Il9ibGFu ayI+MC4wLjAuMC84PC9hPjs8YnI+DQomZ3Q7Jm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZu YnNwOzxhIGhyZWY9Imh0dHA6Ly8xNjkuMjU0LjAuMC8xNiIgdGFyZ2V0PSJfYmxhbmsiPjE2OS4y NTQuMC4wLzE2PC9hPjs8YnI+DQomZ3Q7Jm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNw OzxhIGhyZWY9Imh0dHA6Ly8xOTIuMC4wLjAvMjQiIHRhcmdldD0iX2JsYW5rIj4xOTIuMC4wLjAv MjQ8L2E+Ozxicj4NCiZndDsmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7PGEgaHJl Zj0iaHR0cDovLzE5Mi4wLjIuMC8yNCIgdGFyZ2V0PSJfYmxhbmsiPjE5Mi4wLjIuMC8yNDwvYT47 PGJyPg0KJmd0OyZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDs8YSBocmVmPSJodHRw Oi8vMTkyLjg4Ljk5LjAvMjQiIHRhcmdldD0iX2JsYW5rIj4xOTIuODguOTkuMC8yNDwvYT47PGJy Pg0KJmd0OyZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDs8YSBocmVmPSJodHRwOi8v MTk4LjE4LjAuMC8xNSIgdGFyZ2V0PSJfYmxhbmsiPjE5OC4xOC4wLjAvMTU8L2E+Ozxicj4NCiZn dDsmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7PGEgaHJlZj0iaHR0cDovLzE5OC41 MS4xMDAuMC8yNCIgdGFyZ2V0PSJfYmxhbmsiPjE5OC41MS4xMDAuMC8yNDwvYT47PGJyPg0KJmd0 OyZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDs8YSBocmVmPSJodHRwOi8vMjAzLjAu MTEzLjAvMjQiIHRhcmdldD0iX2JsYW5rIj4yMDMuMC4xMTMuMC8yNDwvYT47PGJyPg0KJmd0OyZu YnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDs8YSBocmVmPSJodHRwOi8vMjI0LjAuMC4w LzQiIHRhcmdldD0iX2JsYW5rIj4yMjQuMC4wLjAvNDwvYT47PGJyPg0KJmd0OyB9Ozxicj4NCiZn dDsgPGJyPg0KJmd0OyBvcHRpb25zIHs8YnI+DQomZ3Q7Jm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5i c3A7ICZuYnNwO2RpcmVjdG9yeSAmcXVvdDsvdmFyL2JpbmQmcXVvdDs7PGJyPg0KJmd0OyA8YnI+ DQomZ3Q7Jm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOy8vIENvbmZpZ3VyZSB0aGUg SVBzIHRvIGxpc3RlbiBvbiBoZXJlLjxicj4NCiZndDsmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJz cDsgJm5ic3A7bGlzdGVuLW9uIHs8YnI+DQomZ3Q7Jm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7 ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsxMjcuMC4wLjE7PGJyPg0KJmd0OyZu YnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5i c3A7MTkyLjE2OC4xNC4yMDs8YnI+DQomZ3Q7Jm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZu YnNwO307PGJyPg0KJmd0OyZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDtsaXN0ZW4t b24tdjYgezxicj4NCiZndDsmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNw OyAmbmJzcDsgJm5ic3A7ICZuYnNwO25vbmU7PGJyPg0KJmd0OyZuYnNwOyAmbmJzcDsgJm5ic3A7 ICZuYnNwOyAmbmJzcDt9Ozxicj4NCiZndDsgPGJyPg0KJmd0OyZuYnNwOyAmbmJzcDsgJm5ic3A7 ICZuYnNwOyAmbmJzcDthbGxvdy1xdWVyeSB7PGJyPg0KJmd0OyZuYnNwOyAmbmJzcDsgJm5ic3A7 ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7dHJ1c3RlZDs8YnI+DQom Z3Q7Jm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwO307PGJyPg0KJmd0OyA8YnI+DQom Z3Q7Jm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOy8vcXVlcnktc291cmNlIGFkZHJl c3MgKiBwb3J0IDUzOzxicj4NCiZndDsgPGJyPg0KJmd0OyZuYnNwOyAmbmJzcDsgJm5ic3A7ICZu YnNwOyAmbmJzcDthbGxvdy1xdWVyeS1jYWNoZSB7PGJyPg0KJmd0OyZuYnNwOyAmbmJzcDsgJm5i c3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7dHJ1c3RlZDs8YnI+ DQomZ3Q7Jm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwO307PGJyPg0KJmd0OyA8YnI+ DQomZ3Q7Jm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwO2JsYWNraG9sZSB7IDxicj4N CiZndDsmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5i c3A7ICZuYnNwO3JmYzU3MzU7PGJyPg0KJmd0OyZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAm bmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7cmZjMTkxODs8YnI+DQomZ3Q7Jm5ic3A7 ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwO307PGJyPg0KJmd0OyA8YnI+DQomZ3Q7Jm5ic3A7 ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwO2FsbG93LXRyYW5zZmVyIHs8YnI+DQomZ3Q7Jm5i c3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJz cDtub25lOzxicj4NCiZndDsmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7fTs8YnI+ DQomZ3Q7IDxicj4NCiZndDsmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7Ly8gQ3J5 cHRvZ3JhcGhpYyBhdXRoZW50aWNhdGlvbiBvZiBETlMgaW5mb3JtYXRpb24gPGJyPg0KJmd0OyZu YnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsvLyBFTkFCTEUgTEFURVI8YnI+DQomZ3Q7 Jm5ic3A7ICZuYnNwOyAmbmJzcDsvL2Ruc3NlYy1lbmFibGUgeWVzOzxicj4NCiZndDsmbmJzcDsg Jm5ic3A7ICZuYnNwOy8vZG5zc2VjLXZhbGlkYXRpb24geWVzOzxicj4NCiZndDsgPGJyPg0KJmd0 OyZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDtwaWQtZmlsZSAmcXVvdDsvdmFyL3J1 bi9uYW1lZC9uYW1lZC5waWQmcXVvdDs7PGJyPg0KJmd0OyA8YnI+DQomZ3Q7Jm5ic3A7ICZuYnNw OyAmbmJzcDsgJm5ic3A7ICZuYnNwOy8vIENoYW5naW5nIHRoaXMgaXMgTk9UIFJFQ09NTUVOREVE IGZvciBhIGF1dGhvcml0YXRpdmUgbmFtZXNlcnZlcjxicj4NCiZndDsmbmJzcDsgJm5ic3A7ICZu YnNwOyAmbmJzcDsgJm5ic3A7YWxsb3ctcmVjdXJzaW9uIHsgbm9uZTsgfTs8YnI+DQomZ3Q7Jm5i c3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwO3JlY3Vyc2lvbiBubzs8YnI+DQomZ3Q7IH07 PGJyPg0KJmd0OyA8YnI+DQomZ3Q7IHpvbmUgJnF1b3Q7ZXhhbXBsZS5ob21lJnF1b3Q7IHs8YnI+ DQomZ3Q7Jm5ic3A7ICZuYnNwO3R5cGUgbWFzdGVyOzxicj4NCiZndDsmbmJzcDsgJm5ic3A7Zmls ZSAmcXVvdDsvZXRjL2JpbmQvZGIuZXhhbXBsZS5ob21lLnpvbmUmcXVvdDs7PGJyPg0KJmd0OyB9 Ozxicj4NCiZndDsgPGJyPg0KJmd0OyB6b25lICZxdW90OzE0LjE2OC4xOTIuaW4tYWRkci5hcnBh JnF1b3Q7IHs8YnI+DQomZ3Q7Jm5ic3A7ICZuYnNwO3R5cGUgbWFzdGVyOzxicj4NCiZndDsmbmJz cDsgJm5ic3A7ZmlsZSAmcXVvdDsvZXRjL2JpbmQvZGIuMTQuMTY4LjE5Mi56b25lJnF1b3Q7Ozxi cj4NCiZndDsgfTs8YnI+DQomZ3Q7IDxicj4NCiZndDsgPGJyPg0KJmd0OyA8YnI+DQomZ3Q7IDsg Wk9ORSBmaWxlIGZvciBleGFtcGxlLmhvbWUuPGJyPg0KJmd0OyA7PGJyPg0KJmd0OyAkVFRMJm5i c3A7IDYwNDgwMDxicj4NCiZndDsgQCZuYnNwOyAmbmJzcDsgJm5ic3A7SU4mbmJzcDsgJm5ic3A7 ICZuYnNwOyBTT0EmbmJzcDsgJm5ic3A7ICZuYnNwO25zMi5leGFtcGxlLmhvbWUuIGhvc3RtYXN0 ZXIuZXhhbXBsZS5ob21lLiAoPGJyPg0KJmd0OyAyJm5ic3A7ICZuYnNwOyAmbmJzcDs7IFNlcmlh bDxicj4NCiZndDsgNjA0ODAwJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7IDsgUmVmcmVzaCAx d2Vlazxicj4NCiZndDsgODY0MDAgOyBSZXRyeTxicj4NCiZndDsgMjQxOTIwMCZuYnNwOyAmbmJz cDsgJm5ic3A7ICZuYnNwOzsgRXhwaXJlIDI4ZGF5czxicj4NCiZndDsgNjA0ODAwJm5ic3A7ICZu YnNwOyAmbmJzcDsgJm5ic3A7IDsgTmVnYXRpdmUgQ2FjaGUgVFRMPGJyPg0KJmd0OyApPGJyPg0K Jmd0OyA7OyBuYW1lIHNlcnZlcnMgKE5TKTxicj4NCiZndDsgOzsgb25seSBhdXRob3JpdGF0aXZl IHNlcnZlcnM8YnI+DQomZ3Q7IEAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZu YnNwOyAmbmJzcDtJTiZuYnNwOyAmbmJzcDsgJm5ic3A7IE5TJm5ic3A7ICZuYnNwOyAmbmJzcDsg bnMyLmV4YW1wbGUuaG9tZS48YnI+DQomZ3Q7IG5zMiZuYnNwOyAmbmJzcDtJTiZuYnNwOyAmbmJz cDsgJm5ic3A7IEEmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsxOTIuMTY4LjE0LjIwPGJyPg0K Jmd0OyA7OyBob3N0cyAoQSk8YnI+DQomZ3Q7IG5zMSZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNw OyAmbmJzcDtJTiZuYnNwOyBBJm5ic3A7ICZuYnNwOzE5Mi4xNjguMTQuMTA8YnI+DQomZ3Q7IGMx Jm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyBJTiZuYnNwOyBBJm5ic3A7ICZuYnNw OzE5Mi4xNjguMTQuMTxicj4NCiZndDsgPGJyPg0KJmd0OyA7OyBhbGlhcyAoQ05BTUUpPGJyPg0K Jmd0OyBjbGllbnQgSU4mbmJzcDsgJm5ic3A7ICZuYnNwO0NOQU1FJm5ic3A7ICZuYnNwO2MxPGJy Pg0KJmd0OyA8YnI+DQomZ3Q7IDxicj4NCiZndDsgPGJyPg0KJmd0OyA7IFpPTkUgZmlsZSBmb3Ig MTQuMTY4LjE5Mi5pbi1hZGRyLmFycGEuPGJyPg0KJmd0OyA7PGJyPg0KJmd0OyAkVFRMJm5ic3A7 IDYwNDgwMDxicj4NCiZndDsgQCZuYnNwOyAmbmJzcDsgJm5ic3A7SU4mbmJzcDsgJm5ic3A7ICZu YnNwOyBTT0EmbmJzcDsgJm5ic3A7ICZuYnNwO25zMi5leGFtcGxlLmhvbWUuIGhvc3RtYXN0ZXIu ZXhhbXBsZS5ob21lLiAoPGJyPg0KJmd0OyAxJm5ic3A7ICZuYnNwOzsgU2VyaWFsPGJyPg0KJmd0 OyA2MDQ4MDAmbmJzcDsgJm5ic3A7ICZuYnNwOyAmbmJzcDsgOyBSZWZyZXNoIDF3ZWVrPGJyPg0K Jmd0OyA4NjQwMCA7IFJldHJ5PGJyPg0KJmd0OyAyNDE5MjAwJm5ic3A7ICZuYnNwOyAmbmJzcDsg Jm5ic3A7OyBFeHBpcmUgMjhkYXlzPGJyPg0KJmd0OyA2MDQ4MDAmbmJzcDsgJm5ic3A7ICZuYnNw OyAmbmJzcDsgOyBOZWdhdGl2ZSBDYWNoZSBUVEw8YnI+DQomZ3Q7ICk8YnI+DQomZ3Q7IDs7IG5h bWUgc2VydmVycyAoTlMpPGJyPg0KJmd0OyA7OyBvbmx5IGF1dGhvcml0YXRpdmUgc2VydmVyczxi cj4NCiZndDsgQCZuYnNwOyAmbmJzcDtJTiZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyBOUyZu YnNwOyAmbmJzcDsgJm5ic3A7IG5zMi5leGFtcGxlLmhvbWUuPGJyPg0KJmd0OyAyMCZuYnNwOyBJ TiZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyBQVFImbmJzcDsgJm5ic3A7ICZuYnNwO25zMi5l eGFtcGxlLmhvbWUuPGJyPg0KJmd0OyA7OyBwb2ludGVyIHJlY29yZHMgKFBUUik8YnI+DQomZ3Q7 IDEmbmJzcDsgJm5ic3A7SU4mbmJzcDsgUFRSJm5ic3A7ICZuYnNwO2MxLmV4YW1wbGUuaG9tZS48 YnI+DQomZ3Q7IDEwJm5ic3A7IElOJm5ic3A7IFBUUiZuYnNwOyAmbmJzcDtuczEuZXhhbXBsZS5o b21lLjxicj4NCiZndDsgPGJyPg0KJmd0OyBfX19fX19fX19fX19fX19fX19fX19fX19fX19fX19f X19fX19fX19fX19fX19fXzxicj4NCiZndDsgUGxlYXNlIHZpc2l0IDxhIGhyZWY9Imh0dHBzOi8v bGlzdHMuaXNjLm9yZy9tYWlsbWFuL2xpc3RpbmZvL2JpbmQtdXNlcnMiIHRhcmdldD0iX2JsYW5r Ij4NCmh0dHBzOi8vbGlzdHMuaXNjLm9yZy9tYWlsbWFuL2xpc3RpbmZvL2JpbmQtdXNlcnM8L2E+ IHRvIHVuc3Vic2NyaWJlIGZyb20gdGhpcyBsaXN0PGJyPg0KJmd0OyA8YnI+DQomZ3Q7IElTQyBm dW5kcyB0aGUgZGV2ZWxvcG1lbnQgb2YgdGhpcyBzb2Z0d2FyZSB3aXRoIHBhaWQgc3VwcG9ydCBz dWJzY3JpcHRpb25zLiBDb250YWN0IHVzIGF0DQo8YSBocmVmPSJodHRwczovL3d3dy5pc2Mub3Jn L2NvbnRhY3QvIiB0YXJnZXQ9Il9ibGFuayI+aHR0cHM6Ly93d3cuaXNjLm9yZy9jb250YWN0Lzwv YT4gZm9yIG1vcmUgaW5mb3JtYXRpb24uPGJyPg0KJmd0OyA8YnI+DQomZ3Q7IDxicj4NCiZndDsg YmluZC11c2VycyBtYWlsaW5nIGxpc3Q8YnI+DQomZ3Q7IDxhIGhyZWY9Im1haWx0bzpiaW5kLXVz ZXJzQGxpc3RzLmlzYy5vcmciIHRhcmdldD0iX2JsYW5rIj5iaW5kLXVzZXJzQGxpc3RzLmlzYy5v cmc8L2E+PGJyPg0KJmd0OyA8YSBocmVmPSJodHRwczovL2xpc3RzLmlzYy5vcmcvbWFpbG1hbi9s aXN0aW5mby9iaW5kLXVzZXJzIiB0YXJnZXQ9Il9ibGFuayI+aHR0cHM6Ly9saXN0cy5pc2Mub3Jn L21haWxtYW4vbGlzdGluZm8vYmluZC11c2VyczwvYT48YnI+DQo8YnI+DQotLSA8YnI+DQpNYXJr IEFuZHJld3MsIElTQzxicj4NCjEgU2V5bW91ciBTdC4sIER1bmRhcyBWYWxsZXksIE5TVyAyMTE3 LCBBdXN0cmFsaWE8YnI+DQpQSE9ORTogJiM0Mzs2MSAyIDk4NzEgNDc0MiZuYnNwOyAmbmJzcDsg Jm5ic3A7ICZuYnNwOyAmbmJzcDsgJm5ic3A7ICZuYnNwOyBJTlRFUk5FVDogPGEgaHJlZj0ibWFp bHRvOm1hcmthQGlzYy5vcmciIHRhcmdldD0iX2JsYW5rIj4NCm1hcmthQGlzYy5vcmc8L2E+PG86 cD48L286cD48L3A+DQo8L2Jsb2NrcXVvdGU+DQo8L2Rpdj4NCjwvZGl2Pg0KPC9ib2R5Pg0KPC9o dG1sPg0K

    --_000_7e1ba3fe933b471d93c5defc7ea72cf1mailrrciccom_--
    --- Synchronet 3.18a-Linux NewsLink 1.113
  • From Josh Kuo@josh.kuo@gmail.com to Weeltin on Tue Jul 21 23:39:41 2020
    From Newsgroup: comp.protocols.dns.bind

    --0000000000003316f905aaf56f03
    Content-Type: text/plain; charset="UTF-8"
    Content-Transfer-Encoding: quoted-printable

    From what you posted, it appears when you query the recursive server NS1 (192.168.14.10), it returns no error, it gives back NXDOMAIN with the AD
    flag. That would indicate DNSSEC worked. That does not match the log
    messages you posted, that would indicate there's a DNSSEC validation error,
    and you should have received SERVFAIL.

    On Mon, Jul 20, 2020 at 11:47 PM Weeltin <weeltinl@gmail.com> wrote:

    Hi Josh,

    Thanks for your answer, it made me go trough all the config again, just t=
    o
    make sure that it wasnt pointing to the authoritative server anywhere but
    in the configuration of the recursive server

    I saw that "=E2=80=9Crecursion requested but not available" when i send t=
    he query
    against the authoritative. Kind a expected that, since it aint allowed to
    do recursion.

    as requested i made the dig on the the authoritative server i get the
    correct answer, so i expect it has loaded the zonefiles correctly.

    ns2:/home/weeltin# dig @127.0.0.01 example.home

    ; <<>> DiG 9.14.12 <<>> @127.0.0.01 example.home
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45487
    ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
    ;; WARNING: recursion requested but not available

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ; COOKIE: b9129ece5d9fbc3e6f01a2215f15a461388d4af048be37fa (good)
    ;; QUESTION SECTION:
    ;example.home. IN A

    ;; AUTHORITY SECTION:
    example.home. 604800 IN SOA ns2.example.home. hostmaster.example.home. 2 604800 86400 2419200 604800

    ;; Query time: 0 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ;; WHEN: Mon Jul 20 14:04:17 UTC 2020
    ;; MSG SIZE rcvd: 120


    just to be sure, i rand the dig command again on my client

    [weeltin@c1 ~]$ dig c1.example.home

    ; <<>> DiG 9.11.11-RedHat-9.11.11-1.fc31 <<>> c1.example.home
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1787
    ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ; COOKIE: 862cc48a975a32a324cd14e65f15ba5e3f2c972d1f753586 (good)
    ;; QUESTION SECTION:
    ;c1.example.home. IN A

    ;; AUTHORITY SECTION:
    . 10800 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2020072000
    1800 900 604800 86400

    ;; Query time: 1043 msec
    ;; SERVER: 192.168.14.10#53(192.168.14.10)
    ;; WHEN: Mon Jul 20 11:38:06 EDT 2020
    ;; MSG SIZE rcvd: 147


    Log output from NS1 (recursive)
    <truncate>
    Jul 20 15:38:05 ns1 daemon.info named[4022]: validating
    example.home/SOA: got insecure response; parent indicates it should be
    secure
    Jul 20 15:38:05 ns1 daemon.info named[4022]: no valid RRSIG resolving 'c1.example.home/DS/IN': 192.168.14.20#53
    Jul 20 15:38:06 ns1 daemon.info named[4022]: insecurity proof failed resolving 'c1.example.home/A/IN': 192.168.14.20#53
    </truncate>

    and there is no log entries on the authoritative server

    /Weeltin

    On Sun, Jul 19, 2020 at 6:05 AM Josh Kuo <josh.kuo@gmail.com> wrote:

    When querying your internal domain, I see the query actually ends with
    =E2=80=9Crecursion requested but not available=E2=80=9D, it looks like y=
    ou are querying
    directly against your auth server, so I would check the setting to ensur=
    e
    the zone file is actually loaded correctly.

    What Mark answered is assuming you are querying the recursive which then
    returned SERVFAIL due to DNSSEC validation, but I do not see that in the
    information you provided.

    Can you run dig on the auth server itself, dig @ 127.0.0.1 for
    example.home, and see what it returns?




    --0000000000003316f905aaf56f03
    Content-Type: text/html; charset="UTF-8"
    Content-Transfer-Encoding: quoted-printable

    <div dir=3D"ltr">From what you posted, it appears=C2=A0when you query the r= ecursive server NS1 (192.168.14.10), it returns no error, it gives back NXD= OMAIN with the AD flag. That would indicate DNSSEC worked. That does not ma= tch the log messages you posted, that would indicate there&#39;s a DNSSEC v= alidation error, and you should have received SERVFAIL.=C2=A0</div><br><div=
    class=3D"gmail_quote"><div dir=3D"ltr" class=3D"gmail_attr">On Mon, Jul 20=
    , 2020 at 11:47 PM Weeltin &lt;<a href=3D"mailto:weeltinl@gmail.com">weelti= nl@gmail.com</a>&gt; wrote:<br></div><blockquote class=3D"gmail_quote" styl= e=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);paddin= g-left:1ex"><div dir=3D"ltr"><div dir=3D"ltr">Hi Josh,<br><br>Thanks for yo=
    ur answer, it made me go trough all the config again, just to make sure tha=
    t it wasnt pointing to the authoritative server anywhere but in the configu= ration of the recursive server<br><br>I saw that &quot;=E2=80=9Crecursion r= equested but not available&quot; when i send the query against the authorit= ative. Kind a expected that, since it aint allowed to do recursion.<br><br>=
    as requested i made the dig on the the authoritative server i get the corre=
    ct answer, so i expect it has loaded the zonefiles correctly. <br><br>ns2:/= home/weeltin# dig @<a href=3D"http://127.0.0.01" target=3D"_blank">127.0.0.= 01</a> example.home<br><br>; &lt;&lt;&gt;&gt; DiG 9.14.12 &lt;&lt;&gt;&gt; = @<a href=3D"http://127.0.0.01" target=3D"_blank">127.0.0.01</a> example.hom= e<br>; (1 server found)<br>;; global options: +cmd<br>;; Got answer:<br>;; = -&gt;&gt;HEADER&lt;&lt;- opcode: QUERY, status: NOERROR, id: 45487<br>;; fl= ags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1<br>;; WARNI= NG: recursion requested but not available<br><br>;; OPT PSEUDOSECTION:<br>;=
    EDNS: version: 0, flags:; udp: 4096<br>; COOKIE: b9129ece5d9fbc3e6f01a2215= f15a461388d4af048be37fa (good)<br>;; QUESTION SECTION:<br>;example.home. =
    IN A<br><br>;; AUTHORITY SECTION:<br>example.home. 604800 IN SOA ns2.examp=
    le.home. hostmaster.example.home. 2 604800 86400 2419200 604800<br><br>;; Q= uery time: 0 msec<br>;; SERVER: 127.0.0.1#53(127.0.0.1)<br>;; WHEN: Mon Jul=
    20 14:04:17 UTC 2020<br>;; MSG SIZE =C2=A0rcvd: 120<br><br><br>just to be = sure, i rand the dig command again on my client<br><br>[weeltin@c1 ~]$ dig = c1.example.home<br><br>; &lt;&lt;&gt;&gt; DiG 9.11.11-RedHat-9.11.11-1.fc31=
    &lt;&lt;&gt;&gt; c1.example.home<br>;; global options: +cmd<br>;; Got answ= er:<br>;; -&gt;&gt;HEADER&lt;&lt;- opcode: QUERY, status: NXDOMAIN, id: 178= 7<br>;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: = 1<br><br>;; OPT PSEUDOSECTION:<br>; EDNS: version: 0, flags:; udp: 4096<br>=
    ; COOKIE: 862cc48a975a32a324cd14e65f15ba5e3f2c972d1f753586 (good)<br>;; QUE= STION SECTION:<br>;c1.example.home. IN A<br><br>;; AUTHORITY SECTION:<br>.=
    10800 IN SOA <a href=3D"http://a.root-servers.net" target=3D"_blank">a.r=
    oot-servers.net</a>. <a href=3D"http://nstld.verisign-grs.com" target=3D"_b= lank">nstld.verisign-grs.com</a>. 2020072000 1800 900 604800 86400<br><br>;=
    ; Query time: 1043 msec<br>;; SERVER: 192.168.14.10#53(192.168.14.10)<br>;;=
    WHEN: Mon Jul 20 11:38:06 EDT 2020<br>;; MSG SIZE =C2=A0rcvd: 147<br><br><= br>Log output from NS1 (recursive)<br>&lt;truncate&gt;<br>Jul 20 15:38:05 n=
    s1 <a href=3D"http://daemon.info" target=3D"_blank">daemon.info</a> named[4= 022]: =C2=A0 validating example.home/SOA: got insecure response; parent ind= icates it should be secure<br>Jul 20 15:38:05 ns1 <a href=3D"http://daemon.= info" target=3D"_blank">daemon.info</a> named[4022]: no valid RRSIG resolvi=
    ng &#39;c1.example.home/DS/IN&#39;: 192.168.14.20#53<br>Jul 20 15:38:06 ns1=
    <a href=3D"http://daemon.info" target=3D"_blank">daemon.info</a> named[402= 2]: insecurity proof failed resolving &#39;c1.example.home/A/IN&#39;: 192.1= 68.14.20#53<br>&lt;/truncate&gt;<br><br>and there is no log entries on the = authoritative server</div><div dir=3D"ltr"><br></div><div>/Weeltin<br></div= ><br><div class=3D"gmail_quote"><div dir=3D"ltr" class=3D"gmail_attr">On Su=
    n, Jul 19, 2020 at 6:05 AM Josh Kuo &lt;<a href=3D"mailto:josh.kuo@gmail.co=
    m" target=3D"_blank">josh.kuo@gmail.com</a>&gt; wrote:<br></div><blockquote=
    class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px so= lid rgb(204,204,204);padding-left:1ex"><div><div dir=3D"auto">When querying=
    your internal domain, I see the query actually ends with =E2=80=9Crecursio=
    n requested but not available=E2=80=9D, it looks like you are querying dire= ctly against your auth server, so I would check the setting to ensure the z= one file is actually loaded correctly.</div><div dir=3D"auto"><br></div><di=
    v dir=3D"auto">What Mark answered is assuming you are querying the recursiv=
    e which then returned SERVFAIL due to DNSSEC validation, but I do not see t= hat in the information you=C2=A0provided.=C2=A0</div><div dir=3D"auto"><br>= </div><div dir=3D"auto">Can you run dig on the auth server itself, dig @ 12= 7.0.0.1 for example.home, and see what it returns?</div></div><div><br><div=
    class=3D"gmail_quote"><br></div></div>
    </blockquote></div></div>
    </blockquote></div>

    --0000000000003316f905aaf56f03--
    --- Synchronet 3.18a-Linux NewsLink 1.113