From 3f816768ccdb3f11687bdcb5389186f8bc75d650 Mon Sep 17 00:00:00 2001 From: Ron Aitchison Date: Mon, 4 Apr 2022 20:37:36 +0000 Subject: [PATCH] Rewrite Configurations and Zone Files section in the ARM (cherry picked from commit 5d432d40a1d63c4c251c7e04b54034092cd9427b) --- doc/arm/Makefile.am | 8 +- doc/arm/chapter3.rst | 6 +- doc/arm/config-auth.inc.rst | 272 ++++++++++++++++ doc/arm/config-intro.inc.rst | 208 ++++++++++++ doc/arm/config-resolve.inc.rst | 570 +++++++++++++++++++++++++++++++++ doc/arm/configuration.inc.rst | 128 -------- doc/arm/primary-secondary.dia | Bin 0 -> 2550 bytes doc/arm/primary-secondary.png | Bin 0 -> 18617 bytes doc/arm/resolver-forward.dia | Bin 0 -> 2573 bytes doc/arm/resolver-forward.png | Bin 0 -> 15644 bytes 10 files changed, 1062 insertions(+), 130 deletions(-) create mode 100644 doc/arm/config-auth.inc.rst create mode 100644 doc/arm/config-intro.inc.rst create mode 100644 doc/arm/config-resolve.inc.rst delete mode 100644 doc/arm/configuration.inc.rst create mode 100644 doc/arm/primary-secondary.dia create mode 100644 doc/arm/primary-secondary.png create mode 100644 doc/arm/resolver-forward.dia create mode 100644 doc/arm/resolver-forward.png diff --git a/doc/arm/Makefile.am b/doc/arm/Makefile.am index f22b365717..972af604e9 100644 --- a/doc/arm/Makefile.am +++ b/doc/arm/Makefile.am @@ -14,7 +14,9 @@ EXTRA_DIST = \ chapter6.rst \ chapter7.rst \ chapter9.rst \ - configuration.inc.rst \ + config-auth.inc.rst \ + config-intro.inc.rst \ + config-resolve.inc.rst \ conf.py \ dlz.inc.rst \ dns-ops.inc.rst \ @@ -43,11 +45,15 @@ EXTRA_DIST = \ pkcs11.inc.rst \ platforms.inc.rst \ plugins.inc.rst \ + primary-secondary.dia \ + primary-secondary.png \ recursive-query.dia \ recursive-query.png \ reference.rst \ requirements.inc.rst \ requirements.txt \ + resolver-forward.dia \ + resolver-forward.png \ security.inc.rst \ sig0.inc.rst \ tkey.inc.rst \ diff --git a/doc/arm/chapter3.rst b/doc/arm/chapter3.rst index a9d263f609..509dc489e6 100644 
--- a/doc/arm/chapter3.rst +++ b/doc/arm/chapter3.rst @@ -9,5 +9,9 @@ .. See the COPYRIGHT file distributed with this work for additional .. information regarding copyright ownership. -.. include:: configuration.inc.rst +.. highlight:: none + +.. include:: config-intro.inc.rst +.. include:: config-auth.inc.rst +.. include:: config-resolve.inc.rst .. include:: zones.inc.rst diff --git a/doc/arm/config-auth.inc.rst b/doc/arm/config-auth.inc.rst new file mode 100644 index 0000000000..6c4272efd0 --- /dev/null +++ b/doc/arm/config-auth.inc.rst 
@@ -0,0 +1,272 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +.. _config_auth_samples: + +Authoritative Name Servers +-------------------------- + +These provide authoritative answers to user queries for the zones +they support: for instance, the zone data describing the domain name **example.com**. An +authoritative name server may support one or many zones. + +Each zone may be defined as either a **primary** or a **secondary**. A primary zone +reads its zone data directly from a file system. A secondary zone obtains its zone +data from the primary zone using a process called **zone transfer**. Both the primary +and the secondary zones provide authoritative data for their zone; there is no difference +in the answer to a query from a primary or a secondary zone. An authoritative name server +may support any combination of primary and secondary zones. + +.. Note:: The terms **primary** and **secondary** do not imply any access + priority. Resolvers (name servers that provide the complete answers to user + queries) are not aware of (and cannot find out) whether an authoritative + answer comes from the primary or secondary name server. Instead, the + resolver uses the list of authoritative servers for the zone (there must be + at least two) and maintains a Round Trip Time (RTT) - the time taken to + respond to the query - for each server in the list. The resolver uses the + lowest-value server (the fastest) as its preferred server for the zone and + continues to do so until its RTT becomes higher than the next slowest in its + list, at which time that one becomes the preferred server. 
+ + For reasons of backward compatibility BIND 9 treats "primary" and "master" as + synonyms, as well as "secondary" and "slave." + +.. _notify: + +The following diagram shows the relationship between the primary and secondary +name servers. The text below explains the process in detail. + +.. figure:: primary-secondary.png + :align: center + + Authoritative Primary and Secondary Name Servers + +The numbers in parentheses in the following text refer to the numbered items in the diagram above. + +1. The authoritative primary name server always loads (or reloads) its zone + files from (1) a local or networked filestore. + +2. The authoritative secondary name server always loads its zone data from a + primary via a **zone transfer** operation. Zone transfer may use **AXFR** + (complete zone transfer) or **IXFR** (incremental zone transfer), but only + if both primary and secondary name servers support the service. The zone + transfer process (either AXFR or IXFR) works as follows: + + a) The secondary name server for the zone reads (3 and 4) the + :ref:`SOA RR` periodically. The interval is defined by the **refresh** + parameter of the Start of Authority (SOA) RR. + + b) The secondary compares the **serial number** parameter of the SOA RR + received from the primary with the serial number in the SOA RR of its + current zone data. + + c) If the received serial number is arithmetically greater (higher) than the + current one, the secondary initiates a zone transfer (5) using AXFR or IXFR + (depending on the primary and secondary configuration), using TCP over + port 53 (6). + +3. The typically recommended zone refresh times for the SOA RR (the time + interval when the secondary reads or polls the primary for the zone SOA RR) + are multiples of hours to reduce traffic loads. Worst-case zone change + propagation can therefore take extended periods. + +4. 
The optional NOTIFY (:rfc:`1996`) feature (2) is automatically configured; + use the :ref:`notify ` statement to turn off the feature. + Whenever the primary loads or reloads a zone, it sends a NOTIFY message to + the configured secondary (or secondaries) and may optionally be configured + to send the NOTIFY message to other hosts using the + :ref:`also-notify` statement. The NOTIFY message simply + indicates to the secondary that the primary has loaded or reloaded the zone. + On receipt of the NOTIFY message, the secondary respons to indicate it has received the NOTIFY and immediately reads the SOA RR + from the primary (as described in section 2 a. above). If the zone file has + changed, propagation is practically immediate. + +The authoritative samples all use NOTIFY but identify the statements used, so +that they can be removed if not required. + +.. _sample_primary: + +Primary Authoritative Name Server +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The zone files are unmodified :ref:`from the base samples` but +the :iscman:`named.conf` file has been modified as shown: + +.. 
code-block:: c + :linenos: + + // authoritative primary named.conf file + // options clause defining the server-wide properties + options { + // all relative paths use this directory as a base + directory "/var"; + // version statement for security to avoid hacking known weaknesses + // if the real version number is revealed + version "not currently available"; + // This is the default - allows user queries from any IP + allow-query { any; }; + // normal server operations may place items in the cache + // this prevents any user query from accessing these items + // only authoritative zone data will be returned + allow-query-cache { none; }; + // Do not provide recursive service to user queries + recursion no; + }; + // logging clause + // log to /var/log/named/example.log all events from info UP in severity (no debug) + // uses 3 files in rotation swaps files when size reaches 250K + // failure messages that occur before logging is established are + // in syslog (/var/log/messages) + // + logging { + channel example_log { + // uses a relative path name and the directory statement to + // expand to /var/log/named/example.log + file "log/named/example.log" versions 3 size 250k; + // only log info and up messages - all others discarded + severity info; + }; + category default { + example_log; + }; + }; + // Provide forward mapping zone for localhost + // (optional) + zone "localhost" { + type primary; + file "master/localhost-forward.db"; + notify no; + }; + // Provide reverse mapping zone for the loopback + // address 127.0.0.1 + zone "0.0.127.in-addr.arpa" { + type primary; + file "localhost.rev"; + notify no; + }; + // We are the primary server for example.com + zone "example.com" { + // this is the primary name server for the zone + type primary; + file "example.com"; + // this is the default + notify yes; + // IP addresses of secondary servers allowed to + // transfer example.com from this server + allow-transfer { + 192.168.4.14; + 192.168.5.53; + }; + }; + +The 
added statements and clauses are commented in the above file. + +The :ref:`zone` clause, and :ref:`allow-query`, +:ref:`allow-query-cache`, +:ref:`allow-transfer`, :ref:`file`, +:ref:`notify`, :ref:`recursion`, and :ref:`type` +statements are described in detail in the appropriate sections. + +.. _sample_secondary: + +Secondary Authoritative Name Server +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The zone files ``local-host-forward.db`` and ``localhost.rev`` are unmodified +:ref:`from the base samples`. The **example.com** zone file is +not required (the zone file is obtained from the primary via zone transfer). +The :iscman:`named.conf` file has been modified as shown: + +.. code-block:: c + :linenos: + + // authoritative secondary named.conf file + // options clause defining the server-wide properties + options { + // all relative paths use this directory as a base + directory "/var"; + // version statement for security to avoid hacking known weaknesses + // if the real version number is revealed + version "not currently available"; + // This is the default - allows user queries from any IP + allow-query { any; }; + // normal server operations may place items in the cache + // this prevents any user query from accessing these items + // only authoritative zone data will be returned + allow-query-cache { none; }; + // Do not provide recursive service to user queries + recursion no; + }; + // logging clause + // log to /var/log/named/example.log all events from info UP in severity (no debug) + // uses 3 files in rotation swaps files when size reaches 250K + // failure messages that occur before logging is established are + // in syslog (/var/log/messages) + // + logging { + channel example_log { + // uses a relative path name and the directory statement to + // expand to /var/log/named/example.log + file "log/named/example.log" versions 3 size 250k; + // only log info and up messages - all others discarded + severity info; + }; + category default { + example_log; + }; 
+ }; + // Provide forward mapping zone for localhost + // (optional) + zone "localhost" { + type primary; + file "master/localhost-forward.db"; + notify no; + }; + // Provide reverse mapping zone for the loopback + // address 127.0.0.1 + zone "0.0.127.in-addr.arpa" { + type primary; + file "localhost.rev"; + notify no; + }; + // We are the secondary server for example.com + zone "example.com" { + // this is a secondary server for the zone + type secondary; + // the file statement here allows the secondary to save + // each zone transfer so that in the event of a program restart + // the zone can be loaded immediately and the server can start + // to respond to queries without waiting for a zone transfer + file "example.com.saved"; + // IP address of example.com primary server + primaries { 192.168.254.2; }; + }; + +The statements and clauses added are all commented in the above file. + +The :ref:`zone` clause, and :ref:`allow-query`, +:ref:`allow-query-cache`, +:ref:`allow-transfer`, :ref:`file`, +:ref:`notify`, :ref:`primaries`, +:ref:`recursion`, and :ref:`type` statements are described in +detail in the appropriate sections. + +If NOTIFY is not being used, no changes are required in this +:iscman:`named.conf` file, since it is the primary that initiates the NOTIFY +message. + +.. note:: + Just when the reader thought they understood primary and secondary, things + can get more complicated. A secondary zone can also be a primary to other + secondaries: :iscman:`named`, by default, sends NOTIFY messages for every + zone it loads. Specifying :ref:`notify primary-only;` in the + :ref:`zone` clause for the secondary causes :iscman:`named` to + only send NOTIFY messages for primary zones that it loads. diff --git a/doc/arm/config-intro.inc.rst b/doc/arm/config-intro.inc.rst new file mode 100644 index 0000000000..7598c6571e --- /dev/null +++ b/doc/arm/config-intro.inc.rst 
@@ -0,0 +1,208 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +.. _configuration: + +.. _sample_configuration: + +Configurations and Zone Files +============================= + +Introduction +------------ + +BIND 9 uses a single configuration file called :iscman:`named.conf`. +:iscman:`named.conf` is typically located in either /etc/namedb or +/usr/local/etc/namedb. + + .. Note:: If :ref:`rndc` is being used locally (on the same host + as BIND 9) then an additional file :iscman:`rndc.conf` may be present, though + :iscman:`rndc` operates without this file. If :iscman:`rndc` is being run + from a remote host then an :iscman:`rndc.conf` file must be present as it + defines the link characteristics and properties. + +Depending on the functionality of the system, one or more zone files is +required. + +The samples given throughout this and subsequent chapters use a standard base +format for both the :iscman:`named.conf` and the zone files for **example.com**. The +intent is for the reader to see the evolution from a common base as features +are added or removed. + +.. _base_named_conf: + +``named.conf`` Base File +~~~~~~~~~~~~~~~~~~~~~~~~ + +This file illustrates the typical format and layout style used for +:iscman:`named.conf` and provides a basic logging service, which may be extended +as required by the user. + +.. 
code-block:: c + :linenos: + + // base named.conf file + // Recommended that you always maintain a change log in this file as shown here + // options clause defining the server-wide properties + options { + // all relative paths use this directory as a base + directory "/var"; + // version statement for security to avoid hacking known weaknesses + // if the real version number is revealed + version "not currently available"; + }; + + // logging clause + // log to /var/log/named/example.log all events from info UP in severity (no debug) + // uses 3 files in rotation swaps files when size reaches 250K + // failure messages that occur before logging is established are + // in syslog (/var/log/messages) + // + logging { + channel example_log { + // uses a relative path name and the directory statement to + // expand to /var/log/named/example.log + file "log/named/example.log" versions 3 size 250k; + // only log info and up messages - all others discarded + severity info; + }; + category default { + example_log; + }; + }; + +The :ref:`logging` and :ref:`options` clauses +and :ref:`category`, :ref:`channel`, +:ref:`directory`, :ref:`file`, and :ref:`severity` +statements are all described further in the appropriate sections of this ARM. + +.. _base_zone_file: + +**example.com** base zone file +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The following is a complete zone file for the domain **example.com**, which +illustrates a number of common features. Comments in the file explain these +features where appropriate. Zone files consist of :ref:`Resource Records (RR) +`, which describe the zone's characteristics or properties. + +.. code-block:: + :linenos: + + ; base zone file for example.com + $TTL 2d ; default TTL for zone + $ORIGIN example.com. ; base domain-name + ; Start of Authority RR defining the key characteristics of the zone (domain) + @ IN SOA ns1.example.com. hostmaster.example.com. 
( + 2003080800 ; serial number + 12h ; refresh + 15m ; update retry + 3w ; expiry + 2h ; minimum + ) + ; name server RR for the domain + IN NS ns1.example.com. + ; the second name server is external to this zone (domain) + IN NS ns2.example.net. + ; mail server RRs for the zone (domain) + 3w IN MX 10 mail.example.com. + ; the second mail servers is external to the zone (domain) + IN MX 20 mail.example.net. + ; domain hosts includes NS and MX records defined above + ; plus any others required + ; for instance a user query for the A RR of joe.example.com will + ; return the IPv4 address 192.168.254.6 from this zone file + ns1 IN A 192.168.254.2 + mail IN A 192.168.254.4 + joe IN A 192.168.254.6 + www IN A 192.168.254.7 + ; aliases ftp (ftp server) to an external domain + ftp IN CNAME ftp.example.net. + +This type of zone file is frequently referred to as a **forward-mapped zone +file**, since it maps domain names to some other value, while a +:ref:`reverse-mapped zone file` maps an IP address to a domain +name. The zone file is called **example.com** for no good reason except that +it is the domain name of the zone it describes; as always, users are free to +use whatever file-naming convention is appropriate to their needs. + +Other Zone Files +~~~~~~~~~~~~~~~~ + +Depending on the configuration additional zone files may or should be present. +Their format and functionality are briefly described here. + +localhost Zone File +~~~~~~~~~~~~~~~~~~~ + +All end-user systems are shipped with a ``hosts`` file (usually located in +/etc). This file is normally configured to map the name **localhost** (the name +used by applications when they run locally) to the loopback address. It is +argued, reasonably, that a forward-mapped zone file for **localhost** is +therefore not strictly required. 
This manual does use the BIND 9 distribution +file ``localhost-forward.db`` (normally in /etc/namedb/master or +/usr/local/etc/namedb/master) in all configuration samples for the following +reasons: + +1. Many users elect to delete the ``hosts`` file for security reasons (it is a + potential target of serious domain name redirection/poisoning attacks). + +2. Systems normally lookup any name (including domain names) using the + ``hosts`` file first (if present), followed by DNS. However, the + ``nsswitch.conf`` file (typically in /etc) controls this order (normally + **hosts: file dns**), allowing the order to be changed or the **file** value + to be deleted entirely depending on local needs. Unless the BIND + administrator controls this file and knows its values, it is unsafe to + assume that **localhost** is forward-mapped correctly. + +3. As a reminder to users that unnecessary queries for **localhost** form a + non-trivial volume of DNS queries on the public network, which affects DNS + performance for all users. + +Users may, however, elect at their discretion not to implement this file since, +depending on the operational environment, it may not be essential. + +The BIND 9 distribution file ``localhost-forward.db`` format is shown for +completeness and provides for both IPv4 and IPv6 localhost resolution. The zone +(domain) name is **localhost.** + +.. code-block:: + :linenos: + + $TTL 3h + localhost. SOA localhost. nobody.localhost. 42 1d 12h 1w 3h + NS localhost. + A 127.0.0.1 + AAAA ::1 + +.. NOTE:: Readers of a certain age or disposition may note the reference in this file to the late, + lamented Douglas Noel Adams. + +localhost Reverse-Mapped Zone File +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +This zone file allows any query requesting the name associated with the +loopback IP (127.0.0.1). This file is required to prevent unnecessary queries +from reaching the public DNS hierarchy. 
The BIND 9 distribution file +``localhost.rev`` is shown for completeness: + +.. code-block:: + :linenos: + + $TTL 1D + @ IN SOA localhost. root.localhost. ( + 2007091701 ; serial + 30800 ; refresh + 7200 ; retry + 604800 ; expire + 300 ) ; minimum + IN NS localhost. + 1 IN PTR localhost. diff --git a/doc/arm/config-resolve.inc.rst b/doc/arm/config-resolve.inc.rst new file mode 100644 index 0000000000..ab05742bac --- /dev/null +++ b/doc/arm/config-resolve.inc.rst 
@@ -0,0 +1,570 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +.. _config_resolver_samples: + +Resolver (Caching Name Servers) +------------------------------- + +Resolvers handle :ref:`recursive user queries ` and provide +complete answers; that is, they issue one or more :ref:`iterative queries +` to the DNS hierarchy. Having obtained a complete answer (or +an error), a resolver passes the answer to the user and places it in its cache. +Subsequent user requests for the same query will be answered from the +resolver's cache until the :term:`TTL` of the cached answer has expired, when +it will be flushed from the cache; the next user query that requests the same +information results in a new series of queries to the DNS hierarchy. + +Resolvers are frequently referred to by a bewildering variety of names, +including caching name servers, recursive name servers, forwarding resolvers, +area resolvers, and full-service resolvers. + +The following diagram shows how resolvers can function in a typical networked +environment: + +.. figure:: resolver-forward.png + :align: center + +Resolver and Forwarding Resolver + +1. End-user systems are all distributed with a local **stub resolver** as a + standard feature. Today, the majority of stub resolvers also provide a local + cache service to speed up user response times. + +2. A stub resolver has limited functionality; specifically, it cannot follow + :ref:`referrals`. 
When a stub resolver receives a request for a + name from a local program, such as a browser, and the answer is not in its + local cache, it sends a :ref:`recursive user query` (1) to + a locally configured resolver (5), which may have the answer available in + its cache. If it does not, it issues :ref:`iterative + queries` (2) to the DNS hierarchy to obtain the answer. The + resolver to which the local system sends the user query is configured, for + Linux and Unix hosts, in ``/etc/resolv.conf``; for Windows users it is + configured or changed via the Control Panel or Settings interface. + +3. Alternatively, the user query can be sent to a **forwarding resolver** (4). + Forwarding resolvers on first glance look fairly pointless, since they + appear to be acting as a simple pass-though and, like the stub resolver, + require a full-service resolver (5). However, forwarding resolvers can be + very powerful additions to a network for the following reasons: + + a) Cost and Performance. Each **recursive user query** (1) at the forwarding + resolver (4) results in two messages - the query and its answer. The resolver + (5) may have to issue three, four, or more query pairs (2) to get the required + answer. Traffic is reduced dramatically, increasing performance or reducing + cost (if the link is tariffed). Additionally, since the forwarding resolver is + typically shared across multiple hosts, its cache is more likely to contain + answers, again improving user performance. + + b) Network Maintenance. Forwarding resolvers (4) can be used to ease the burden + of local administration by providing a single point at which changes to remote + name servers can be managed, rather than having to update all hosts. Thus, all + hosts in a particular network section or area can be configured to point to a + forwarding resolver, which can be configured to stream DNS traffic as desired + and changed over time with minimal effort. + + c) Sanitizing Traffic. 
Especially in larger private networks it may be sensible + to stream DNS traffic using a forwarding resolver structure. The forwarding + resolver (4) may be configured, for example, to handle all in-domain traffic + (relatively safe) and forward all external traffic to a **hardened** resolver + (5). + + d) Stealth Networks. Forwarding resolvers are extensively used in :ref:`stealth + or split networks`. + +4. Forwarding resolvers (4) can be configured to forward all traffic to a + resolver (5), or to only forward selective traffic (5) while directly + resolving other traffic (3). + +.. Attention:: While the diagram above shows **recursive user queries** + arriving via interface (1), there is nothing to stop them from arriving via + interface (2) via the public network. If no limits are placed on the source + IPs that can send such queries, the resolver is termed an **open resolver**. + Indeed, when the world was young this was the way things worked on the + Internet. Much has changed and what seems to be a friendly, generous action + can be used by rogue actors to cause all kinds of problems including + **Denial of Service (DoS)** attacks. Resolvers should always be configured + to limit the IP addresses that can use their services. BIND 9 provides a + number of statements and clauses to simplify defining these IP limits and + configuring a **closed resolver**. The resolver samples given here all + configure closed resolvers using a variety of techniques. + +Additional Zone Files +~~~~~~~~~~~~~~~~~~~~~ + +Root Servers (Hint) Zone File +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Resolvers (although not necessarily forwarding resolvers) need to access the +DNS hierarchy. To do this, they need to know the addresses (IPv4 and/or IPv6) +of the 13 :ref:`root servers`. This is done by the provision of a +root server zone file, which is contained in the standard BIND 9 distribution +as the file ``named.root`` (normally found in /etc/namedb or +/usr/local/namedb). 
This file may also be obtained from the IANA website +(https://www.iana.org/domains/root/files). + + + .. Note:: Many distributions rename this file for historical reasons. + Consult the appropriate distribution documentation for the actual file name. + + +The hint zone file is referenced using the :ref:`type hint;` statement and +a zone (domain) name of "." (the generally silent dot). + + .. Note:: The root server IP addresses have been stable for a number of + years and are likely to remain stable for the near future. BIND 9 has a + root-server list in its executable such that even if this file is omitted, + out-of-date, or corrupt BIND 9 can still function. For this reason, many + sample configurations omit the hints file. All the samples given here + include the hints file primarily as a reminder of the functionality of the + configuration, rather than as an absolute necessity. + +Private IP Reverse Map Zone Files +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Resolvers are configured to send :ref:`iterative queries` to +the public DNS hierarchy when the information requested is not in their cache +or not defined in any local zone file. Many networks make extensive use of +private IP addresses (defined by :rfc:`1918`, :rfc:`2193`, :rfc:`5737`, and +:rfc:`6598`). By their nature these IP addresses are forward-mapped in various +user zone files. However, certain applications may issue **reverse map** +queries (mapping an IP address to a name). If the private IP addresses are not +defined in one or more reverse-mapped zone file(s), the resolver sends them to +the DNS hierarchy where they are simply useless traffic, slowing down DNS +responses for all users. + +Private IP addresses may be defined using standard :ref:`reverse-mapping +techniques` or using the +:ref:`empty-zones-enable` statement. 
By +default this statement is set to ``empty-zones-enable yes;`` and thus automatically prevents +unnecessary DNS traffic by sending an NXDOMAIN error response (indicating the +name does not exist) to any request. However, some applications may require a +genuine answer to such reverse-mapped requests or they will fail to function. +Mail systems in particular perform reverse DNS queries as a first-line spam +check; in this case a reverse-mapped zone file is essential. The sample +configuration files given here for both the resolver and the forwarding +resolver provide a reverse-mapping zone file for the private IP address +192.168.254.4, which is the mail server address in the :ref:`base zone +file`, as an illustration of the reverse-map technique. The +file is named ``192.168.254.rev`` and has a zone name of +**254.168.192.in-addr.arpa**. + +.. code-block:: + :linenos: + + ; reverse map zone file for 192.168.254.4 only + $TTL 2d ; 172800 seconds + $ORIGIN 254.168.192.IN-ADDR.ARPA. + @ IN SOA ns1.example.com. hostmaster.example.com. ( + 2003080800 ; serial number + 3h ; refresh + 15m ; update retry + 3w ; expiry + 3h ; nx = nxdomain ttl + ) + ; only one NS is required for this local file + ; and is an out of zone name + IN NS ns1.example.com. + ; other IP addresses can be added as required + ; this maps 192.168.254.4 as shown + 4 IN PTR mail.example.com. ; fully qualified domain name (FQDN) + +.. _sample_resolver: + +Resolver Configuration +~~~~~~~~~~~~~~~~~~~~~~ + +The resolver provides :ref:`recursive query support` to a defined set of IP addresses. +It is therefore a **closed** resolver and cannot be used in wider network attacks. + +.. 
code-block:: c + :linenos: + + // resolver named.conf file + // Two corporate subnets we wish to allow queries from + // defined in an acl clause + acl corpnets { + 192.168.4.0/24; + 192.168.7.0/24; + }; + + // options clause defining the server-wide properties + options { + // all relative paths use this directory as a base + directory "/var"; + // version statement for security to avoid hacking known weaknesses + // if the real version number is revealed + version "not currently available"; + // this is the default + recursion yes; + // recursive queries only allowed from these ips + // and references the acl clause + allow-query { corpnets; }; + // this ensures that any reverse map for private IPs + // not defined in a zone file will *not* be passed to the public network + // it is the default value + empty-zones-enable yes; + }; + + // logging clause + // log to /var/log/named/example.log all events from info UP in severity (no debug) + // uses 3 files in rotation swaps files when size reaches 250K + // failure messages that occur before logging is established are + // in syslog (/var/log/messages) + // + logging { + channel example_log { + // uses a relative path name and the directory statement to + // expand to /var/log/named/example.log + file "log/named/example.log" versions 3 size 250k; + // only log info and up messages - all others discarded + severity info; + }; + category default { + example_log; + }; + }; + + // zone file for the root servers + // discretionary zone (see root server discussion above) + zone "." 
{ + type hint; + file "named.root"; + }; + + // zone file for the localhost forward map + // discretionary zone depending on hosts file (see discussion) + zone "localhost" { + type primary; + file "masters/localhost-forward.db"; + notify no; + }; + + // zone file for the loopback address + // necessary zone + zone "0.0.127.in-addr.arpa" { + type primary; + file "localhost.rev"; + notify no; + }; + + // zone file for local IP reverse map + // discretionary file depending on requirements + zone "254.168.192.in-addr.arpa" { + type primary; + file "192.168.254.rev"; + notify no; + }; + +The :ref:`zone` and :ref:`acl` clauses, and the +:ref:`allow-query`, :ref:`empty-zones-enable`, +:ref:`file`, :ref:`notify`, :ref:`recursion`, and +:ref:`type` statements are described in detail in the appropriate +sections. + +As a reminder, the configuration of this resolver does **not** access the DNS +hierarchy (does not use the public network) for any recursive query for which: + +1. The answer is already in the cache. + +2. The domain name is **localhost** (zone localhost). + +3. Is a reverse-map query for 127.0.0.1 (zone 0.0.127.in-addr.arpa). + +4. Is a reverse-map query for 192.168.254/24 (zone 254.168.192.in-addr.arpa). + +5. Is a reverse-map query for any local IP (``empty-zones-enable`` + statement). + +All other recursive queries will result in access to the DNS hierarchy to +resolve the query. + +.. _sample_forwarding: + +Forwarding Resolver Configuration +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +This forwarding resolver configuration forwards all recursive queries, other +than those for the defined zones and those for which the answer is already in +its cache, to a full-service resolver at the IP address 192.168.250.3, with an +alternative at 192.168.230.27. The forwarding resolver will cache all responses +from these servers. The configuration is closed, in that it defines those IPs +from which it will accept recursive queries. 
+ +A second configuration in which selective forwarding occurs :ref:`is also +provided`. + +.. code-block:: c + :linenos: + + // forwarding named.conf file + // Two corporate subnets we wish to allow queries from + // defined in an acl clause + acl corpnets { + 192.168.4.0/24; + 192.168.7.0/24; + }; + + // options clause defining the server-wide properties + options { + // all relative paths use this directory as a base + directory "/var"; + // version statement for security to avoid hacking known weaknesses + // if the real version number is revealed + version "not currently available"; + // this is the default + recursion yes; + // recursive queries only allowed from these ips + // and references the acl clause + allow-query { corpnets; }; + // this ensures that any reverse map for private IPs + // not defined in a zone file will *not* be passed to the public network + // it is the default value + empty-zones-enable yes; + // this defines the addresses of the resolvers to which queries will be forwarded + forwarders { + 192.168.250.3; + 192.168.230.27; + }; + // indicates all queries will be forwarded other than for defined zones + forward only; + }; + + // logging clause + // log to /var/log/named/example.log all events from info UP in severity (no debug) + // uses 3 files in rotation swaps files when size reaches 250K + // failure messages that occur before logging is established are + // in syslog (/var/log/messages) + // + logging { + channel example_log { + // uses a relative path name and the directory statement to + // expand to /var/log/named/example.log + file "log/named/example.log" versions 3 size 250k; + // only log info and up messages - all others discarded + severity info; + }; + category default { + example_log; + }; + }; + + // hints zone file is not required + + // zone file for the localhost forward map + // discretionary zone depending on hosts file (see discussion) + zone "localhost" { + type primary; + file "masters/localhost-forward.db"; + 
notify no; + }; + + // zone file for the loopback address + // necessary zone + zone "0.0.127.in-addr.arpa" { + type primary; + file "localhost.rev"; + notify no; + }; + + // zone file for local IP reverse map + // discretionary file depending on requirements + zone "254.168.192.in-addr.arpa" { + type primary; + file "192.168.254.rev"; + notify no; + }; + +The :ref:`zone` and :ref:`acl` clauses, and the +:ref:`allow-query`, :ref:`empty-zones-enable`, +:ref:`file`, :ref:`forward`, :ref:`forwarders`, +:ref:`notify`, :ref:`recursion`, and :ref:`type` +statements are described in detail in the appropriate sections. + +As a reminder, the configuration of this forwarding resolver does **not** +forward any recursive query for which: + +1. The answer is already in the cache. + +2. The domain name is **localhost** (zone localhost). + +3. Is a reverse-map query for 127.0.0.1 (zone 0.0.127.in-addr.arpa). + +4. Is a reverse-map query for 192.168.254/24 (zone 254.168.192.in-addr.arpa). + +5. Is a reverse-map query for any local IP (``empty-zones-enable`` statement). + +All other recursive queries will be forwarded to resolve the query. + +.. _selective_forward_sample: + +Selective Forwarding Resolver Configuration +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +This forwarding resolver configuration only forwards recursive queries for the +zone **example.com** to the resolvers at 192.168.250.3 and 192.168.230.27. All +other recursive queries, other than those for the defined zones and those for +which the answer is already in its cache, are handled by this resolver. The +forwarding resolver will cache all responses from both the public network and +from the forwarded resolvers. The configuration is closed, in that it defines +those IPs from which it will accept recursive queries. + +.. 
code-block:: c + :linenos: + + // selective forwarding named.conf file + // Two corporate subnets we wish to allow queries from + // defined in an acl clause + acl corpnets { + 192.168.4.0/24; + 192.168.7.0/24; + }; + + // options clause defining the server-wide properties + options { + // all relative paths use this directory as a base + directory "/var"; + // version statement for security to avoid hacking known weaknesses + // if the real version number is revealed + version "not currently available"; + // this is the default + recursion yes; + // recursive queries only allowed from these ips + // and references the acl clause + allow-query { corpnets; }; + // this ensures that any reverse map for private IPs + // not defined in a zone file will *not* be passed to the public network + // it is the default value + empty-zones-enable yes; + + // forwarding is not global but selective by zone in this configuration + }; + + // logging clause + // log to /var/log/named/example.log all events from info UP in severity (no debug) + // uses 3 files in rotation swaps files when size reaches 250K + // failure messages that occur before logging is established are + // in syslog (/var/log/messages) + // + logging { + channel example_log { + // uses a relative path name and the directory statement to + // expand to /var/log/named/example.log + file "log/named/example.log" versions 3 size 250k; + // only log info and up messages - all others discarded + severity info; + }; + category default { + example_log; + }; + }; + + // zone file for the root servers + // discretionary zone (see root server discussion above) + zone "." 
{ + type hint; + file "named.root"; + }; + + // zone file for the localhost forward map + // discretionary zone depending on hosts file (see discussion) + zone "localhost" { + type primary; + file "masters/localhost-forward.db"; + notify no; + }; + + // zone file for the loopback address + // necessary zone + zone "0.0.127.in-addr.arpa" { + type primary; + file "localhost.rev"; + notify no; + }; + + // zone file for local IP reverse map + // discretionary file depending on requirements + zone "254.168.192.in-addr.arpa" { + type primary; + file "192.168.254.rev"; + notify no; + }; + // zone file forwarded example.com + zone "example.com" { + type forward; + // this defines the addresses of the resolvers to + // which queries for this zone will be forwarded + forwarders { + 192.168.250.3; + 192.168.230.27; + }; + // indicates all queries for this zone will be forwarded + forward only; + }; + + +The :ref:`zone` and :ref:`acl` clauses, and the +:ref:`allow-query`, :ref:`empty-zones-enable`, +:ref:`file`, :ref:`forward`, :ref:`forwarders`, +:ref:`notify`, :ref:`recursion`, and :ref:`type` +statements are described in detail in the appropriate sections. + +As a reminder, the configuration of this resolver does **not** access the DNS +hierarchy (does not use the public network) for any recursive query for which: + +1. The answer is already in the cache. + +2. The domain name is **localhost** (zone localhost). + +3. Is a reverse-map query for 127.0.0.1 (zone 0.0.127.in-addr.arpa). + +4. Is a reverse-map query for 192.168.254/24 (zone 254.168.192.in-addr.arpa). + +5. Is a reverse-map query for any local IP (empty-zones-enable statement). + +6. Is a query for the domain name **example.com**, in which case it will be + forwarded to either 192.168.250.3 or 192.168.230.27 (zone example.com). + +All other recursive queries will result in access to the DNS hierarchy to +resolve the query. + +.. 
_load_balancing: + +Load Balancing +-------------- + +A primitive form of load balancing can be achieved in the DNS by using multiple +resource records (RRs) in a :ref:`zone file` (such as multiple A +records) for one name. + +For example, assuming three HTTP servers with network addresses of +10.0.0.1, 10.0.0.2, and 10.0.0.3, a set of records such as the following +means that clients will connect to each machine one-third of the time: + ++-----------+------+----------+----------+----------------------------+ +| Name | TTL | CLASS | TYPE | Resource Record (RR) Data | ++-----------+------+----------+----------+----------------------------+ +| www | 600 | IN | A | 10.0.0.1 | ++-----------+------+----------+----------+----------------------------+ +| | 600 | IN | A | 10.0.0.2 | ++-----------+------+----------+----------+----------------------------+ +| | 600 | IN | A | 10.0.0.3 | ++-----------+------+----------+----------+----------------------------+ + +When a resolver queries for these records, BIND rotates them and +responds to the query with the records in a random order. In the +example above, clients randomly receive records in the order 1, 2, +3; 2, 3, 1; and 3, 1, 2. Most clients use the first record returned +and discard the rest. + +For more detail on ordering responses, refer to the +:ref:`rrset-order` statement in the +:ref:`options` clause. diff --git a/doc/arm/configuration.inc.rst b/doc/arm/configuration.inc.rst deleted file mode 100644 index 2c6684737a..0000000000 --- a/doc/arm/configuration.inc.rst +++ /dev/null 
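Review bot: in the sample_resolver hunk the prose claims the resolver "is therefore a **closed** resolver and cannot be used in wider network attacks", but the named.conf only sets `allow-query { corpnets; };` next to `recursion yes;` and says nothing about which clients may recurse; either add an explicit `allow-recursion { corpnets; };` here and in the two forwarding samples, or add a sentence stating that recursion is limited to the same addresses as allow-query, so the reader does not have to know the default, and soften "cannot be used in wider network attacks" to something like "limits its exposure as an open resolver". Smaller points in the same hunk: the three enumerated lists mix "The answer is already in the cache." with "Is a reverse-map query for ...", so items 3 to 6 do not read as completions of "for any recursive query for which:"; the load-balancing text changes the old "a different order" to "a random order" yet still lists only the cyclic orders 1, 2, 3; 2, 3, 1; and 3, 1, 2, which describes rotation rather than random ordering, so pick one wording; and the reverse-map zone file uses a bare `.. code-block::` while the three named.conf blocks use `.. code-block:: c`, which will run BIND syntax through the C lexer, so consider one consistent choice for all four blocks.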
@@ -1,128 +0,0 @@ -.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") -.. -.. SPDX-License-Identifier: MPL-2.0 -.. -.. This Source Code Form is subject to the terms of the Mozilla Public -.. License, v. 2.0. If a copy of the MPL was not distributed with this -.. file, you can obtain one at https://mozilla.org/MPL/2.0/. -.. -.. See the COPYRIGHT file distributed with this work for additional -.. information regarding copyright ownership. - -.. _configuration: - -Configurations and Zone Files -============================= - -In this chapter we provide some suggested configurations, along with -guidelines for their use. We suggest reasonable values for certain -option settings. - -.. _sample_configuration: - -Sample Configurations ---------------------- - -.. _cache_only_sample: - -A Caching-only Name Server -~~~~~~~~~~~~~~~~~~~~~~~~~~ - -The following sample configuration is appropriate for a caching-only -name server for use by clients internal to a corporation. All queries -from outside clients are refused using the ``allow-query`` option. -The same effect can be achieved using suitable firewall -rules. - -:: - - // Two corporate subnets we wish to allow queries from. - acl corpnets { 192.168.4.0/24; 192.168.7.0/24; }; - options { - allow-query { corpnets; }; - }; - // Provide a reverse mapping for the loopback - // address 127.0.0.1 - zone "0.0.127.in-addr.arpa" { - type primary; - file "localhost.rev"; - notify no; - }; - -.. _auth_only_sample: - -An Authoritative-only Name Server -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -This sample configuration is for an authoritative-only server that is -the primary server for ``example.com`` and a secondary server for the subdomain -``eng.example.com``. 
- -:: - - options { - // Do not allow access to cache - allow-query-cache { none; }; - // This is the default - allow-query { any; }; - // Do not provide recursive service - recursion no; - }; - - // Provide a reverse mapping for the loopback - // address 127.0.0.1 - zone "0.0.127.in-addr.arpa" { - type primary; - file "localhost.rev"; - notify no; - }; - // We are the primary server for example.com - zone "example.com" { - type primary; - file "example.com.db"; - // IP addresses of secondary servers allowed to - // transfer example.com - allow-transfer { - 192.168.4.14; - 192.168.5.53; - }; - }; - // We are a secondary server for eng.example.com - zone "eng.example.com" { - type secondary; - file "eng.example.com.bk"; - // IP address of eng.example.com primary server - primaries { 192.168.4.12; }; - }; - -.. _load_balancing: - -Load Balancing --------------- - -A primitive form of load balancing can be achieved in the DNS by using -multiple records (such as multiple A records) for one name. - -For example, assuming three HTTP servers with network addresses of -10.0.0.1, 10.0.0.2, and 10.0.0.3, a set of records such as the following -means that clients will connect to each machine one-third of the time: - -+-----------+------+----------+----------+----------------------------+ -| Name | TTL | CLASS | TYPE | Resource Record (RR) Data | -+-----------+------+----------+----------+----------------------------+ -| www | 600 | IN | A | 10.0.0.1 | -+-----------+------+----------+----------+----------------------------+ -| | 600 | IN | A | 10.0.0.2 | -+-----------+------+----------+----------+----------------------------+ -| | 600 | IN | A | 10.0.0.3 | -+-----------+------+----------+----------+----------------------------+ - -When a resolver queries for these records, BIND rotates them and -responds to the query with the records in a different order. In the -example above, clients randomly receive records in the order 1, 2, -3; 2, 3, 1; and 3, 1, 2. 
Most clients use the first record returned -and discard the rest. - -For more detail on ordering responses, check the ``rrset-order`` -sub-statement in the ``options`` statement; see :ref:`rrset_ordering`. - 
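Review bot: this deletion drops the reStructuredText labels `_sample_configuration`, `_cache_only_sample` and `_auth_only_sample` together with the authoritative-only sample (`recursion no;`, `allow-query-cache { none; };`, the restricted `allow-transfer` list and the `primaries { 192.168.4.12; };` statement for the secondary zone); any `:ref:` elsewhere in the ARM that targets those labels will fail to resolve at build time, so grep the doc tree for them before merging or re-create the labels in the replacement files. The removed `:ref:`rrset_ordering`` cross-reference needs the same check, since the replacement text refers to `rrset-order` instead.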
diff --git a/doc/arm/primary-secondary.dia b/doc/arm/primary-secondary.dia new file mode 100644 index 0000000000000000000000000000000000000000..795625a2d834f874e31354b18b68ff3c547f1262 GIT binary patch literal 2550
z7?hZ#WMq8xK3s1)-*ikCF!#`Z_~HKH_HP*>p*R!KsrGwKi6^n1*Q77c_FullQs~G0 zCI|(c_{2{!L}n!A@yW_N&&^*;J@*n-Z(Fp6q^HyE?F;bmkn!b>KE=n!?=JJTvEeuh z>3Lc;Oz$lx*Rt3hPxDfza1_`okW`0yAE7d>J+pfwQ?|&39M@Q!oNmSNfrHqD1oFuC z`+9ndJv{2T>ry3H0Z|N65*DqP;j1g}qowz@cgPgn-4CyeP0jYiw*+Hv|NI=xzwJUF zUAOkowoWQq$#T}}PLzBEy}8+xF{3wHfzx#KJm0XIdGUpP)Da7Q=64MaDyOs4jZy%J zH<6L9?r6LZzwkav&WUke=;%Jq=zhF2+ah1)f>obNls&d-Y1|5@s%TV!}0hJ zo;qb}3bKY=BwVBsR6i&-u%NshR3H1^#TJ{enL|dN_JYCq_Kal-6hzDtS z(H~zm1kb9|U~9w+;7HB6pXaRe80-9G31inx)E)nI5YX9KH*uXan-L_A94n9BX< zSI4$CrEvI~k|NvLZZ13ijjC44`;5g(RU1`pW-cVA(aP4(&z3oRWN)*SM5bs&Y-2ty z63d6YqRMjet805MZm7tDhQ^0wd~1$`Qcye7ww-rm>3aVxMjH!5|GhfCUmV*!gGQg( z$qo6mO)L~j8UziAJxy#(zpPOusHf=a>mLrQ3E(b0f$V)zdunydbIW8W#p2t`YrBxs z9~v5t7e5sH^#L^0a57E?NssUPi81{qh?+nV6pHCrXB2&!xHAi%%nMv^)Lc~MB5?y1 z0}lmHV8v_WBEjd{cTpkNY@an?o7|nV$Ovtj5Qy|vu4X3}t;mX4^<1G4)}F!R+3V*_ z7FRshm>xTnN8#w}>%+8aDJ#zs!1^^pfl?dUZ|Tr@V$)K67HGn$*2oNd)_V?ELG&b>CfOPHH}rk*OI^5Op1)Ad3?=Zl@! zWe(GIkyHYNbmB3}QAd*#as1I~6p9?$YX!x3*Kh~zel-4I`dR)KF1zisr zVdg7_+uRX4g13=IW(raE>y8<(+*N3Z#2oE^H=f6_tEsA~QSm+)1QrZYWmf0bElk!k zROkMzewyEvRX(+*rUnC>5YumOtK-cL9&YZADEfzbdIun&OuO{*wH#vOIyOw5N`Q=$ zl{LFF_ib%$?c!l0P(JpwzAun_zxo_;mj&0MHEZ6y9!@QUphk2QsDMingC;8=CyYjo z;O&oVt&(K0Kp#Y3L>JskxHlqFPI9QN`5x=Z`^9!vibwVPtWtrLS=wd_gckgAGR6D9{lA*YRC%TpUPrzY-5jTqVi5}ZOQ)yFslg!_xFkY_65RvdU|^M*;vEn#Xs;mK==FVvZR_O`uxY!!`YT# z5Q2PHGCZ*+H862$@o2@;WPpj)`oNr<;)=dOOD zUhwSqJ zte+qhwjwgS1!4oL^WNTGuTFjLQ3z$9qb+*!(*OO%gU$A$`1;rgI>OGqrCy9}Sdy^u zM{Q*2CbcdfJhx|n9*~`jNJ!Lybpanl`+IdkNw^@|jPJgN;U^5l;o%{VVF^L54BSFv zAc>Z1{+BPJH*Xev`lOnp4s{b?tOKyHK(A0HocY_-yCRD1fL&=;;Q z8U3hjq^K6P`}qF-`|j>llX0LdfB5hLs(gY#u=D==;tHF?^-&i+Yy`h~qrFhd+2+*; zx8Z}ncLFYafq;T^+&u{s^W%qJ9CJcUT-@X8$s0Frbc1FynUt6a6Ty$u$bu8pg~gh= z+zYoGzTVc+A$>IE3ho2csQiLYe|&^>mx84u_=b=Ld_6tf2wvcU>)30fQg1?4HeF_M z4|cwp?`}Knvxbx9G@#?Ks1l|eLPC3ACLR8P3J`F%+gVh^ivU&IBqRhhKP2u(acSE1 zD`E^f1BllFfB#GX3$(GZiK4#6!g5#j5U~HU6<>h*O-Eas{8pAWs*4c-36z8hfC7Ly zsBB(>DjVR758AP$RA79*y5ZO`^hodwDlFva+%f0|ov&#|zyv)z^PS7T 
zJBs#V=c69W(e;9Y0<+rJ5UNbtsDvj_&H}6^D7)O#)zuXSc@LM2qw6Lw{Vwdd5KJy4 zp0NKJN+2)kE1(5bOhd=D!}KhI$qO&x%IbX3oeAJ_z?Q2EtpA}I5}w zJ$8e%0vDt@nwM7|-ljMmVYt5d6>x;0aUpxMW-msz8~>FQMqdFAE`~OWym`(E6lE^! zO^}6Pb5oov_e%i!#MltxMWg$|BKB~cT&%v2mXEglpFtunFOHfLZ=?SFyfw7&Ki`eV zbc?7@QZo~I)0>Ve2JC69tQ`?0u&p_U7N}ufuAXxtCSGaCq0krB#jl2(jRTh;pb?U< zLm0_E6-`5vEjEZx%%y$Pq3;EzmNy;XUW_0jR0%ClJ%z;-ikBseiV2g%fvzrMsi^;% z6~yMRs`|N?HxkMz$;cL-CSzWKXDfo7!5a1Fb7z9k?WaGu3>oLp@BhzVH;SttTUz>6 zgLDkFARVC+1lx}89g=}W9z$PG42bQ3tcG#a9Rz}|;;I*5hbvh1gK^oT7uz10-s=Uh zVRSy+*LW*v0U{wNMR_ubW}UhwCP@FY;|xj9(=99rl}p(tagb+%r}MYh>UlLdV0sr|Z&X!P-M)RBUcyaTON;T2%OcF_!u)*hMmcXe2cojz1E6~KNGdrZjs4xnNI0VP7P1oGK$)+zA41Az)W22)m za6ZUE0EYlkkXZYAdhl|EvxC0P)f|pJ3^-Y$np1*I2`;0$ni_t?6@br>h|d*#{78Mr z#md?FvwR9jSO9~+ZAGv;J`l6W$OOQAv@XDRO*eSC&YoY5HdPi!%hK|_X8u3WW%(kzj^^0g~t;sAmVhjnZL5-EdNr zh)&#Td**A8_$#I`#^b$S0qA;Q02cNdlm{^w-A^-2v_zTL5arPfiJW$qe3X%e=%5dp zNm^DJ%be}pD=lQT=otQ>wy>}O42$}{w)PHCAneIVVpbU$#!${da!N|*GT5u0b_m$4 z8aGL_AN`a#UQA9!)dYZVW~kKq8ag%J?;J;iar?z#S^~U2M7`&>Sp&+s>?;m!3wh@E z@9KN6x~+t$2@DEHN8f*eO?>+6fpjyD`E#c1J|u#`@BDih2`e!0piKoFZ9_vUd#a#t z^N@Tf0vHm-Xy0H3qanbI>$4%F)P6*2_#`m1@t5q~8)E-nvqDll6DoWTd!vW8ZAuV! 
zx<#;g2q!bMoW$y_6m=`b+eeg$KOXhAH5iEZO3?;m_h7Br9vnZT9{?wgO`6@yyk_*h zk&zK#T1is=6(8CEF6_Tcdc}IhFH%je@;+=B6<$&y+BZU;wC(3*B!K3)0SZW99w>-l zziKiPlGwDgje2@;A;Z9#erYi^lO{y)O(RPG3!lp%{(@+lM$`%)os3QX#cVJU6c)ZB z_-<{5!x!_H`Tqv$2us;8NfVy!*I6K zYQTX8=}cCv-Afoc+K|(nx^iYkdYzqXSe;sCDn`(_)nu5oyF-K!OFk9IDem$ zL;VuOOj>DQlz{=|H^K1maG*M+MMVT(q8Vh%V~ltyhmGP(%=1T}O$s4MO~Bhb+{+yT zeMd>w#Ri4b4l8zAIyxj*{Xj9*itl5iO4K>XaE)+`iw#Q0$*PFKMH5QvD;f6O{eKO< zLM6@ zDl*~~(yZ-RyLX_pn8^E0=uYMzmf2aUx1`3i`g18gy0+6Z@82~|BEU7vXJZn`O;>D%0_pRvCFm5v4C(80#I<3OgA z-0q-mSO?r50=m+?zs`&})9-zcK&n?vZj!Qt=0T{@=>w*9^)6mU;DZNo4!y;~NJ+Mu zme7}(q&Rc`nMz>EB_$_AO>>@?=0HkmJNilg>C>mq&buI#1tW#e_i`fIZ@mSo_=-LF8@eJ-<(TmG}O_x6K zlcKWQ83<1F4Y4a@KGT4$+IVL>ZwTv!SjV?FR*1kC5_ctRD}-MkFSOMPDql*})Q#nJ z*wwt1{ZT$ha~jr?ajmYb^5#%7adB2%7rVlV;+2^>C_jI&*GRIhd+NA0rl7SvfT1>RTVPLtl=)B(O_mBK@ckp+o$k(swWc<&72`?EE#O&B+ zSlfQrz>hC9-SkzHetywv=}v1X#<%@NqF5^3G82!;GYR!uv(BCUs^^e^PMjDqzpzmF z=~F|U{q*cVLUibxi12B5KL!61j8_@=^@MceyK}gRLA`;XYdS(X>he2Xze%%pj@yoY z2WZ($$MB45%@H!QvIbYq$DTo7YinaP{~uM9xDMLNb?GC6jhs?9o*SejfmE%m&wGk@ za5nL;*LfS=)E&+@yfP(K)1?$bpTNu>tjB&YY z;*nv%k9IR$RYk2vYEOzBkZkf4>si?KRthiYiAs?&*y*}}!zWjrmh`~t(vRgVES?7@MX06~w{Vpr^e-|FGU_;27b zlMeOI=i9AQ+7)z^+AL(LA$Wy)AnaVfSP5R=8$L_AxzkHQM9vzuBNT3hO{9n~19kl)CJ?ujh`1)r_j zCx8?O&R@++o25h0q0#vMey0b-=rM1wN<7EVH(|u!;9!~ENFMmWAg``L70@I4s!|*o zR{;F7t|zrq@H-H}bGB$YC>v^RH?C%wQxoa&=WSU8sx4T6KThypQ?|{X3&}2sUY-!> zIpYum#oXN7XU^c~98)YQPVLt~D$KaBC-Vx|=s|QVE!WY`F?`oQcU46iTp< z>)kh?TTMq-H$FYx#N0dpkh86=4NUd~XciI`CDrquS=2(k0wgTLjAOC(5B|_L>wM zFaxM{aMSAj&rg9*mw}(J#OUYN5_Ao^1j!B~{x1&fG^0!$FwPPpy~0t@l}uE%*T@NQ z7^{aXpA0Zm_m*}o20<@k#Z~DxQ}xU+$y(*_3#dlpt(~KhdpN!2SJeXo_Ho?kIMlHg zMqfY#zAA8yJm9j3GRscFa?;h$oeY*nf4e!~VFrHs#O>mG%esf$?uj1vXs${;V43Dw zXV^-Bz_XDmNtfkoAtR9yC_)D0G2FIyvV!2Fu4q&c4w!Gqy)H1|xFj-Y(_=ADb|e1p zZf|dXs1owNB~so6I<0s~R*6@4AB-I?JLVV`uR7zh!cyORNf2AM<|IA?<@1jpKOk$1 z?K3{l8bTy!(>s6Ucy|yER*}qZ8yRdXkf=_yqD%DU$&;*Q&JRYQ$IW-YPmHu3^@1?j zEMBcf{KQ}i^QlE|RkwVR4@mta# 
z_$GK-US20qS#!Cz{Jm21t8-jfoITgpkG4PcEJVv}jj^-HU|{XbmprWpB05KyzlgN-gMGSUZXe`o}P@cFZz5clT? zbOu5Xc^7WV^}_KDnwQK4GPSwl4b5SiZ7P*7ww`u5Lk}1W^Zn^W=PR-)r1aMI-5M9R z4qid`wdcPoQ$U@r7?7@qN&>=N#Y#;Q8t{C5kt!FlF)^}=wvXY6Ma>*m`Gf4MnEO?U z76^@x)u5KLu&@XTl|P^S0&N!vVk#=n^HX<3SVV-XvNBUWvlA9b37|v3yWjy$xquP5 zj{MM&0=Iq+Z6WRL?J9omSh9tK3wcO{RG?f;cpRPKr^KYd>rD6lsB?FMyKn{#Sbd;} zF7+gyoSftYuh4;{6$yOWsZ~%t1R+2;Ha6xD#DR1Z&Of+d6j~jlA%uj4R{!~>0%iaM zz9&b-%EAJv8%m7AhDaDV^n`kQcz8U1oO6IX{HF{x;C&Vn}q)j+eayya+{3ETcJF+ zyi}YUe4K~qGbCDciKP5?g^Fv9?KYyRPPPwUS+}^YgD4EjFHC!VUC!3mBQqJ(?#69A zt$nE0xVPr;1sa%s830m4QgAY;J6J?dqD{{y`;L<>^Wl<1)xOF&)aVCJ>pD`)qzZ?h zg9;}SO_N_6XJBlX_{7;gdcQQ_yjRQ2GPB4Qj=pht51~^NdzvZHBYeqo*fIS+nN+>6f zQvThiHp22}Erdp9Z7;xN`!V~d#>lX(Db=HEYZxJ^oiu2OXS#FXxQSo1X9yQ(=?vK_ zvRqHKRTv@>v*3Sv$Gte{lKv8(Xb#A`z}JH~CwV9EvMy@gLL%Vu7;6C0PtN%Wc=T+P&-5QL*jV=p(u_w=Clfv)lgvH22x$DF*{Cr5%%lyTRt?XUrQS^2SgGDKVTrH9- zk9zDKbH;0v=imfP@{~3VmzYYPs{R87p5klFrEGznzyZTRgww^D7ypHBfgZH`>e<;9 zOd3P7eUTrEAANMA1){1iMR*0sRd2EYG%K*)Q67sqJ<}y^nR5bdDB)}x7HqW8@SV8x zV{jR)`h(1~#3Gg{g<}7>C9tAbLlPP}`r#^oZadOv+4 z!^74MVUv&iS&$+1fyc$C+_}CwR)NZDKrF>QSOW|)03{OxgD)Uz{@t9655`mE6nQpQ zv^%YAVqyXfy#HJ>%RDxJ!Pt}(6*YmT0NsaUCXj0L%Qcwz=*&Htph+T4($m4t?q=*e zkXUZk)bsTL&3aNjd8a$&_Oqm;xO>a=y#Mg`1=eq5E-TU^ zztolgHakhT#{_iAE|BxZd4*8wfrA|+q3{vF3N&Uo98}tL;r;mWJScW3*L3o^lqZ?H z&bhBFs3Y4+|2sHrwiMwj z(4hkQQg6$CWyv6}wkr56S52fz4;^&Igo2#7Sdk$xRImNzb5KMZy$?SH*`R?C@b`Z= z&if_O5n=>p+^0=a{V^bZy8sUM2_aUi1~?GGuFo(O2jzV5Cb*al{}`okrRK%H`S{9( z_O|#9b^(S0#AF8J&_>LZ!Qw1wv@XjTa;~h~9{L5#M8{J1G?;ZJa^Kj>P~I4%|?iB=-1B+rh`?1_7CvMAeOi)WB`8 z>cFK-8&FRgkLM#F`Sf9PQlT(4`E3iz`k1l<-$Wo>&?@~+J~PtVB7RbOlIFaBf5i^w z=O34U4s+|y2M3}x6rWWoir}>)&OFiLR%h_>wc!C499e*WD2lADmvR&$LE|yd)g2ie zl)bM42lQ^;xnuNx2>O~qu)g-2mt_te>=zMMP<0!i9j_dYRD|%Lj=-e*|7bn`k8ABj z4=zrG9BB^bBz|t~$m5U|g67YU{sm$tr#_M#M4#Qve#MkiNj;ZxwZ|ZJnUq^~SK5isz)=)IxjEeDV2hAxAwL5lKhcML=2$TSGk(4T#~8!F$75E9 z^!`rT59s8UT{|Q=2-RueH5WTz0n5{pXA;{q2ciKW?3XxzBMQR>l`zpA7d#|B@meOm 
z6KFL3Qw2vKK=P1wSyaAuCF;lGDk7O7uXgiQPtE_kG&M7u`B9)t;S8UW=YVUfczd4$ zvG=VWfn@~KjtQO= z0=g|!%x6+FDCP-5I1&S1fQ=@Qi~m-gqsllVEe(#zO&jy@^BZ&tfDCJtwG+ZH?2plirB!4i&$PJl6ixLXvkoOAtjW_tRco>@R;*mOm213)8=1BcyP zd9fDU87rHVm}-YM?|?2Qfio|DnTw zf19P&TGcT!f*yUU4@D3rT2LP7_RzxOJp_AR3a*u&nD`;AAkCo;S0BtoL@G|_AB=~SQ}xya19G6xJ7_U3UJT3kDCJKs@7l40zP@>;PSi6vz7JHLWuQ6L%{Sg zP$C%NfRxOYL&Mgr^n9)v+K-Gw{NaP0q literal 0 HcmV?d00001