
From nobody Fri Feb  1 04:35:03 2019
Return-Path: <dot@dotat.at>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 17451127133 for <dnsop@ietfa.amsl.com>; Fri,  1 Feb 2019 04:35:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level: 
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id P2L9zZsOmYfv for <dnsop@ietfa.amsl.com>; Fri,  1 Feb 2019 04:34:59 -0800 (PST)
Received: from ppsw-30.csi.cam.ac.uk (ppsw-30.csi.cam.ac.uk [131.111.8.130]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A2818126C7E for <dnsop@ietf.org>; Fri,  1 Feb 2019 04:34:59 -0800 (PST)
X-Cam-AntiVirus: no malware found
X-Cam-ScannerInfo: http://help.uis.cam.ac.uk/email-scanner-virus
Received: from grey.csi.cam.ac.uk ([131.111.57.57]:51758) by ppsw-30.csi.cam.ac.uk (ppsw.cam.ac.uk [131.111.8.136]:25) with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) id 1gpY25-000uD0-eL (Exim 4.91) for dnsop@ietf.org (return-path <dot@dotat.at>); Fri, 01 Feb 2019 12:34:57 +0000
Date: Fri, 1 Feb 2019 12:34:57 +0000
From: Tony Finch <dot@dotat.at>
To: dnsop@ietf.org
Message-ID: <alpine.DEB.2.20.1902011135060.16399@grey.csi.cam.ac.uk>
User-Agent: Alpine 2.20 (DEB 67 2015-01-07)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/l0RJQ65IvXPm1FZbSaCWSHn_FUA>
Subject: [DNSOP] CDS and multi-provider DNSSEC
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Feb 2019 12:35:02 -0000

I'm working on tools for KSK rollover automation at the moment.

It turns out that CDS records are very useful even if your parent zone
doesn't check them.

KSK rolls work better when the DS records are not simply generated from
the current DNSKEY RRset. You need to be a bit more clever if you want to
minimize interactions with the parent zone, or minimize the DNSKEY RRset
size, or do an algorithm rollover.

So your tool for setting DS records needs some way to ask the key store
what DS records should be. The nice thing about CDS records is that they
provide a standard way to do this, independent of the key store or signing
software. This allows registrar API clients to be decoupled from the
DNSSEC implementation.

This makes me wonder how well this observation generalizes to
multi-provider DNSSEC.

In model 1, the zone owner manages the KSK, so all the CDS/DS logic
remains centralized.

In model 2, each DNS provider has its own KSK, and does its own DNSKEY
RRset management. In order to support CDS/CDNSKEY, I think it is necessary
for each provider to (somehow) generate RRsets that are the union of their
CDS/CDNSKEY RRsets and the other provider's.

In normal cases, I think the "somehow" involves getting the other
provider's RRset, replacing any records corresponding to this provider's
keys with what this provider thinks they should be, and retaining any
records for unknown keys (which presumably belong to the other provider).
There's a mildly awkward risk of zombie records that are copied back and
forth despite neither provider knowing about them, but I suppose that can
be fixed manually if it arises. Or maybe it's simpler if this is done via
an API, like ZSK sharing :-)

Algorithm rollovers are more difficult, because loose consistency will not
work: a new algorithm needs to be introduced into the DS RRset for all
providers at the same time, and same for removing an old algorithm. In any
case, a zone owner will have to co-ordinate an algorithm rollover between
the providers, so it isn't a big problem that CDS records can't help.

Tony.
-- 
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
Fitzroy: Northerly or northwesterly 7 to severe gale 9, decreasing 6 at times
later. Very high at first in south, otherwise high, becoming very rough later.
Showers, thundery in south. Good, occasionally poor.
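
The model 2 merge described in the message above, including the zombie case, as an added example that is not part of the original message or of any provider's software. Matching a record to its owner by (key tag, algorithm), the function names, and all key tags and digests are assumptions constructed for illustration.

```python
"""Added illustration of the model 2 CDS merge; not code from the thread."""
from typing import Iterable, NamedTuple, Set, Tuple


class CDS(NamedTuple):
    key_tag: int
    algorithm: int    # 13 = ECDSAP256SHA256
    digest_type: int  # 2 = SHA-256
    digest: str       # hex; the values used below are constructed placeholders


KeyId = Tuple[int, int]


def key_id(rr: CDS) -> KeyId:
    # Assumption: a provider recognises "its" records by (key tag, algorithm).
    # Key tags can collide, so a real tool would also compare digests.
    return (rr.key_tag, rr.algorithm)


def merge_cds(own_wanted: Set[CDS], own_known: Set[KeyId],
              peer_rrset: Iterable[CDS]) -> Set[CDS]:
    """Build the CDS RRset one provider should publish.

    own_wanted: CDS records this provider wants in the parent's DS RRset.
    own_known:  every key this provider's key store still remembers,
                including retired keys it no longer wants published.
    peer_rrset: the CDS RRset currently served by the other provider.
    """
    stray = {key_id(rr) for rr in own_wanted} - set(own_known)
    if stray:
        raise ValueError(f"wanted CDS for keys missing from key store: {stray}")
    # Records for keys we know are replaced by our own view (possibly nothing).
    # Records for keys we do not know are presumed to be the peer's and kept.
    foreign = {rr for rr in peer_rrset if key_id(rr) not in own_known}
    return set(own_wanted) | foreign


def find_zombies(rrset: Iterable[CDS], *known_key_sets: Set[KeyId]) -> Set[CDS]:
    """Zone-owner check: records that no provider's key store accounts for."""
    known = set().union(*known_key_sets)
    return {rr for rr in rrset if key_id(rr) not in known}


def simulate(a_forgets_old_key: bool):
    """Provider A rolls its KSK from tag 11111 to 22222; B keeps tag 33333.

    Returns (A's RRset, B's RRset, zombies) after a few merge rounds.
    """
    a_old = CDS(11111, 13, 2, "a1" * 32)
    a_new = CDS(22222, 13, 2, "a2" * 32)
    b_key = CDS(33333, 13, 2, "b1" * 32)

    # State before the roll: both providers serve the same union.
    b_rrset = {a_old, b_key}

    # If A purges the retired key from its key store too early, it can no
    # longer tell that the old record in B's RRset was its own.
    a_known = {key_id(a_new)}
    if not a_forgets_old_key:
        a_known.add(key_id(a_old))
    b_known = {key_id(b_key)}

    for _ in range(3):  # each provider polls the other in turn
        a_rrset = merge_cds({a_new}, a_known, b_rrset)
        b_rrset = merge_cds({b_key}, b_known, a_rrset)

    return a_rrset, b_rrset, find_zombies(a_rrset, a_known, b_known)


if __name__ == "__main__":
    for forgets in (False, True):
        a, b, zombies = simulate(forgets)
        print("A forgets retired key:", forgets)
        print("  converged:", a == b, "records:", sorted(r.key_tag for r in a))
        print("  zombies:  ", sorted(r.key_tag for r in zombies))
```

When A still remembers its retired key, both providers converge on the two live records. When A has forgotten it, the old record keeps being copied back and forth and only a check across both key stores identifies it.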


From nobody Fri Feb  1 09:32:47 2019
Return-Path: <wjhns1@hardakers.net>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D78C11310F5 for <dnsop@ietfa.amsl.com>; Fri,  1 Feb 2019 09:32:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IVe8S817fs40 for <dnsop@ietfa.amsl.com>; Fri,  1 Feb 2019 09:32:44 -0800 (PST)
Received: from mail.hardakers.net (mail.hardakers.net [168.150.192.181]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ECC631310F4 for <dnsop@ietf.org>; Fri,  1 Feb 2019 09:32:42 -0800 (PST)
Received: from localhost (unknown [10.0.0.3]) by mail.hardakers.net (Postfix) with ESMTPA id F2D03215F8 for <dnsop@ietf.org>; Fri,  1 Feb 2019 09:32:40 -0800 (PST)
From: Wes Hardaker <wjhns1@hardakers.net>
To: dnsop@ietf.org
Date: Fri, 01 Feb 2019 09:32:40 -0800
Message-ID: <ybl5zu3qurr.fsf@w7.hardakers.net>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.1 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/aNO3Y9i4BpDg3TMuModN9NAnFDQ>
Subject: [DNSOP] Implementations of extended error?
X-List-Received-Date: Fri, 01 Feb 2019 17:32:46 -0000

Folks,

We (some definite of we, possibly including you) are curious who is
planning (or has already) implemented the Extended Error EDNS0 extension [1]?
As DNSOP is preferring RFCs that have been implemented already, it would
be good to know what plans exist or have been completed.

[1]: https://datatracker.ietf.org/doc/draft-ietf-dnsop-extended-error/

-- 
Wes Hardaker
USC/ISI


From nobody Fri Feb  1 09:39:13 2019
Return-Path: <shane@time-travellers.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1853A13110E for <dnsop@ietfa.amsl.com>; Fri,  1 Feb 2019 09:39:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level: 
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vKCStWdNhgyi for <dnsop@ietfa.amsl.com>; Fri,  1 Feb 2019 09:39:09 -0800 (PST)
Received: from time-travellers.org (c.time-travellers.nl.eu.org [IPv6:2a02:2770::21a:4aff:fea3:eeaa]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 42C3113110C for <dnsop@ietf.org>; Fri,  1 Feb 2019 09:39:08 -0800 (PST)
Received: from [188.207.74.243] (helo=[100.122.245.40]) by time-travellers.org with esmtpsa (TLS1.2:RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <shane@time-travellers.org>) id 1gpcnY-0001lb-1d for dnsop@ietf.org; Fri, 01 Feb 2019 17:40:16 +0000
Date: Fri, 01 Feb 2019 18:38:54 +0100
User-Agent: K-9 Mail for Android
In-Reply-To: <ybl5zu3qurr.fsf@w7.hardakers.net>
References: <ybl5zu3qurr.fsf@w7.hardakers.net>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----T9H4C93XI58KOTRY6P0FIB4PFFYMPV"
Content-Transfer-Encoding: 7bit
To: dnsop@ietf.org
From: Shane Kerr <shane@time-travellers.org>
Message-ID: <ECA3ECFA-852B-47EE-8162-7ADD6D8EF288@time-travellers.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/s_HaJwlfDMRmtjXHl4QN_obciSs>
Subject: Re: [DNSOP] Implementations of extended error?
X-List-Received-Date: Fri, 01 Feb 2019 17:39:11 -0000

------T9H4C93XI58KOTRY6P0FIB4PFFYMPV
Content-Type: text/plain;
 charset=utf-8
Content-Transfer-Encoding: quoted-printable

Wes,

I was thinking about adding some support for this at the IETF hackathon,
but I'll be meeting with some of the open source DNS folks this weekend at
FOSDEM, and seeing if that collides with their existing plans.

On 1 February 2019 18:32:40 CET, Wes Hardaker <wjhns1@hardakers.net> wrote:
>
>Folks,
>
>We (some definite of we, possibly including you) are curious who is
>planning (or has already) implemented the Extended Error EDNS0
>extension [1]?
>As DNSOP is preferring RFCs that have been implemented already, it would
>be good to know what plans exist or have been completed.
>
>[1]: https://datatracker.ietf.org/doc/draft-ietf-dnsop-extended-error/
>
>-- 
>Wes Hardaker
>USC/ISI
>
>_______________________________________________
>DNSOP mailing list
>DNSOP@ietf.org
>https://www.ietf.org/mailman/listinfo/dnsop

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
------T9H4C93XI58KOTRY6P0FIB4PFFYMPV--


From nobody Fri Feb  1 13:21:14 2019
Return-Path: <wjhns1@hardakers.net>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7AFCA124408 for <dnsop@ietfa.amsl.com>; Fri,  1 Feb 2019 13:21:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KDP6bzO-7B55 for <dnsop@ietfa.amsl.com>; Fri,  1 Feb 2019 13:21:11 -0800 (PST)
Received: from mail.hardakers.net (mail.hardakers.net [168.150.192.181]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1F442130E8F for <dnsop@ietf.org>; Fri,  1 Feb 2019 13:21:10 -0800 (PST)
Received: from localhost (unknown [10.0.0.3]) by mail.hardakers.net (Postfix) with ESMTPA id B644620FC5; Fri,  1 Feb 2019 13:21:09 -0800 (PST)
From: Wes Hardaker <wjhns1@hardakers.net>
To: Shane Kerr <shane@time-travellers.org>
Cc: dnsop@ietf.org
References: <ybl5zu3qurr.fsf@w7.hardakers.net> <ECA3ECFA-852B-47EE-8162-7ADD6D8EF288@time-travellers.org>
Date: Fri, 01 Feb 2019 13:21:09 -0800
In-Reply-To: <ECA3ECFA-852B-47EE-8162-7ADD6D8EF288@time-travellers.org> (Shane Kerr's message of "Fri, 01 Feb 2019 18:38:54 +0100")
Message-ID: <yblzhrfp5mi.fsf@w7.hardakers.net>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.1 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/VoYQUcz7vRP8xFED9VvRBjFxUjU>
Subject: Re: [DNSOP] Implementations of extended error?
X-List-Received-Date: Fri, 01 Feb 2019 21:21:13 -0000

Shane Kerr <shane@time-travellers.org> writes:

> I was thinking about adding some support for this at the IETF hackathon, but I'll be
> meeting with some of the open source DNS folks this weekend at FOSDEM, and seeing if
> that collides with their existing plans.

Excellent!  I look forward to hearing the reports of the conversations.
-- 
Wes Hardaker
USC/ISI


From xofyarg@gmail.com  Sat Feb  2 11:04:59 2019
Return-Path: <xofyarg@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 59FD01277CC for <dnsop@ietfa.amsl.com>; Sat,  2 Feb 2019 11:04:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level: 
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.001, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fCJryjLi1DMs for <dnsop@ietfa.amsl.com>; Sat,  2 Feb 2019 11:04:58 -0800 (PST)
Received: from mail-ot1-f50.google.com (mail-ot1-f50.google.com [209.85.210.50]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D460C1228B7 for <dnsop@ietf.org>; Sat,  2 Feb 2019 11:04:57 -0800 (PST)
Received: by mail-ot1-f50.google.com with SMTP id i20so8985241otl.0 for <dnsop@ietf.org>; Sat, 02 Feb 2019 11:04:57 -0800 (PST)
X-Received: by 2002:a9d:2ae2:: with SMTP id e89mr33747614otb.290.1549134296612;  Sat, 02 Feb 2019 11:04:56 -0800 (PST)
Received: from vulture ([2600:1700:ced1:8070::1d]) by smtp.gmail.com with ESMTPSA id u136sm5213786oie.38.2019.02.02.11.04.53 for <dnsop@ietf.org> (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Sat, 02 Feb 2019 11:04:56 -0800 (PST)
References: <ybl5zu3qurr.fsf@w7.hardakers.net>
User-agent: mu4e 1.0; emacs 26.1
From: Anbang Wen <anb@papla.net>
To: dnsop@ietf.org
In-Reply-To: <ybl5zu3qurr.fsf@w7.hardakers.net>
Date: Sat, 02 Feb 2019 11:04:47 -0800
Message-ID: <878syy9flc.fsf@localhost>
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/w_gsa1ZFuHtHtsuprjBlde_KDiE>
Subject: Re: [DNSOP] Implementations of extended error?
X-List-Received-Date: Sat, 02 Feb 2019 19:54:36 -0000

Hi Wes,

At Cloudflare, we are testing our crude implementation on our public
resolver which is built on top of knot-resolver. It would be good to
nudge others into working on it.

-- 
Anbang Wen


From nobody Mon Feb  4 02:33:04 2019
Return-Path: <shane@time-travellers.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 244CF130E46 for <dnsop@ietfa.amsl.com>; Mon,  4 Feb 2019 02:33:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.002
X-Spam-Level: 
X-Spam-Status: No, score=-0.002 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZHcwY-NNv-NV for <dnsop@ietfa.amsl.com>; Mon,  4 Feb 2019 02:33:02 -0800 (PST)
Received: from time-travellers.org (c.time-travellers.nl.eu.org [IPv6:2a02:2770::21a:4aff:fea3:eeaa]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D29BD130DE7 for <dnsop@ietf.org>; Mon,  4 Feb 2019 02:33:01 -0800 (PST)
Received: from [2001:470:78c8:2:58d9:59d2:f762:b06f] by time-travellers.org with esmtpsa (TLS1.2:RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <shane@time-travellers.org>) id 1gqbZr-0001FE-HS for dnsop@ietf.org; Mon, 04 Feb 2019 10:34:11 +0000
To: dnsop@ietf.org
References: <ybl5zu3qurr.fsf@w7.hardakers.net> <878syy9flc.fsf@localhost>
From: Shane Kerr <shane@time-travellers.org>
Message-ID: <4de7c85b-5875-6db0-9813-b52d9277e47b@time-travellers.org>
Date: Mon, 4 Feb 2019 11:32:59 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.4.0
MIME-Version: 1.0
In-Reply-To: <878syy9flc.fsf@localhost>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/sHrxgqjVXiH-JYYox1lPk7p0dck>
Subject: Re: [DNSOP] Implementations of extended error?
X-List-Received-Date: Mon, 04 Feb 2019 10:33:03 -0000

Anbang Wen,

On 02/02/2019 20.04, Anbang Wen wrote:
> 
> At Cloudflare, we are testing our crude implementation on our public
> resolver which is built on top of knot-resolver. It would be good to
> nudge others into working on it.

Is it already on GitHub or GitLab or something like that? Nudging is 
easier if the first thing to do is "git clone". 😉

Cheers,

--
Shane


From nobody Mon Feb  4 02:51:24 2019
Return-Path: <shane@time-travellers.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 24FB5130E59 for <dnsop@ietfa.amsl.com>; Mon,  4 Feb 2019 02:51:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level: 
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lrdp2I9EGMMK for <dnsop@ietfa.amsl.com>; Mon,  4 Feb 2019 02:51:21 -0800 (PST)
Received: from time-travellers.org (c.time-travellers.nl.eu.org [IPv6:2a02:2770::21a:4aff:fea3:eeaa]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C0B3B130E2E for <dnsop@ietf.org>; Mon,  4 Feb 2019 02:51:21 -0800 (PST)
Received: from [2001:470:78c8:2:58d9:59d2:f762:b06f] by time-travellers.org with esmtpsa (TLS1.2:RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <shane@time-travellers.org>) id 1gqbrL-0001HX-Ll; Mon, 04 Feb 2019 10:52:15 +0000
To: Wes Hardaker <wjhns1@hardakers.net>
Cc: dnsop@ietf.org
References: <ybl5zu3qurr.fsf@w7.hardakers.net> <ECA3ECFA-852B-47EE-8162-7ADD6D8EF288@time-travellers.org> <yblzhrfp5mi.fsf@w7.hardakers.net>
From: Shane Kerr <shane@time-travellers.org>
Message-ID: <e0ab4fc9-447e-19aa-2d52-0855b5febed1@time-travellers.org>
Date: Mon, 4 Feb 2019 11:51:03 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.4.0
MIME-Version: 1.0
In-Reply-To: <yblzhrfp5mi.fsf@w7.hardakers.net>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/mp2SQykSKNlteDALSzKHbExWPXk>
Subject: Re: [DNSOP] Implementations of extended error?
X-List-Received-Date: Mon, 04 Feb 2019 10:51:23 -0000

Wes,

On 01/02/2019 22.21, Wes Hardaker wrote:
> Shane Kerr <shane@time-travellers.org> writes:
> 
>> I was thinking about adding some support for this at the IETF hackathon, but I'll be
>> meeting with some of the open source DNS folks this weekend at FOSDEM, and seeing if
>> that collides with their existing plans.
> 
> Excellent!  I look forward to hearing the reports of the conversations.

My own thinking is that extended error is much more important on the 
resolver side than on the authoritative side, so that's what I was 
asking about. The stub side is also super-important, so maybe I should 
look at that too.

There was some discussion that it might be tricky to get correct 
information out of the bowels of a resolver that wasn't designed with 
this sort of reporting in mind. I'm not so worried about that, as any 
additional information seems better than SERVFAIL to me. 😉

Here's what I took away (people can and should correct me where I am wrong):

* ISC has no specific plans for BIND, but will implement extended error 
codes eventually. "Looks like a reference implementation if you stand 
back a bit and squint."

* CZ.NIC has no plans for Knot Resolver, and still have to look 
carefully at the latest draft (although Petr has some interesting ideas 
about what he thinks is valuable in this area).

* NLnetLabs has no specific plans, but Willem thinks that it is cool and 
wants to work with me on it at the Hackathon. Maybe I can work on 
Unbound and he can work on getdns, so we can have inter-operable tests 
(admittedly from a single company).

I forgot to ask anyone from PowerDNS, which is kind of stupid of me 
since they did 99% of the work for the DNS devroom at FOSDEM (especially 
Peter van Dijk).

As far as the stub side, I also didn't ask anyone from the 
systemd-resolved side, but given that they apparently disable basically 
all DNS functionality introduced after RFC 1035 by default, I don't know 
how useful support there would be.

And finally also on the stub side, I did not talk to anyone on the glibc 
team or anyone of the distribution folks depending on it.

Apologies for any incorrect reporting here, and for anyone that I omitted.

Cheers,

--
Shane


From nobody Mon Feb  4 04:07:22 2019
Return-Path: <rwfranks@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ACE82130E6D for <dnsop@ietfa.amsl.com>; Mon,  4 Feb 2019 04:07:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level: 
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Qc6Ww6sFbMwm for <dnsop@ietfa.amsl.com>; Mon,  4 Feb 2019 04:07:11 -0800 (PST)
Received: from mail-it1-x12d.google.com (mail-it1-x12d.google.com [IPv6:2607:f8b0:4864:20::12d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 98535130E62 for <dnsop@ietf.org>; Mon,  4 Feb 2019 04:07:11 -0800 (PST)
Received: by mail-it1-x12d.google.com with SMTP id m62so20415174ith.5 for <dnsop@ietf.org>; Mon, 04 Feb 2019 04:07:11 -0800 (PST)
X-Received: by 2002:a24:7b0e:: with SMTP id q14mr7435261itc.82.1549282030911;  Mon, 04 Feb 2019 04:07:10 -0800 (PST)
MIME-Version: 1.0
References: <ybl5zu3qurr.fsf@w7.hardakers.net>
In-Reply-To: <ybl5zu3qurr.fsf@w7.hardakers.net>
From: Dick Franks <rwfranks@gmail.com>
Date: Mon, 4 Feb 2019 12:06:34 +0000
Message-ID: <CAKW6Ri6fnejevDcaXkCnyQRpeRuQabb-qjahjzwmz5Y2hNBchQ@mail.gmail.com>
To: Wes Hardaker <wjhns1@hardakers.net>
Cc: IETF DNSOP WG <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000001c071d05811055e3"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/-ePeKDvSrwUshRvRkV-RG51SEsE>
Subject: Re: [DNSOP] Implementations of extended error?
X-List-Received-Date: Mon, 04 Feb 2019 12:07:18 -0000

--0000000000001c071d05811055e3
Content-Type: text/plain; charset="UTF-8"

There is not yet a proper IANA allocated option code for this.

Might I suggest that all interested parties settle on 65015 from the
local/experimental block until the real thing arrives.


Dick Franks
________________________



On Fri, 1 Feb 2019 at 17:33, Wes Hardaker <wjhns1@hardakers.net> wrote:

>
> Folks,
>
> We (some definite of we, possibly including you) are curious who is
> planning (or has already) implemented the Extended Error EDNS0 extension
> [1]?
> As DNSOP is preferring RFCs that have been implemented already, it would
> be good to know what plans exist or have been completed.
>
> [1]: https://datatracker.ietf.org/doc/draft-ietf-dnsop-extended-error/
>
> --
> Wes Hardaker
> USC/ISI
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>

--0000000000001c071d05811055e3--


From nobody Mon Feb  4 16:31:07 2019
Return-Path: <mnot@mnot.net>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7D2CC12DF72 for <dnsop@ietfa.amsl.com>; Mon,  4 Feb 2019 16:31:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level: 
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=mnot.net header.b=Uk3spj8t; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=HBQ1c9+s
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oAGOHRXhaqPB for <dnsop@ietfa.amsl.com>; Mon,  4 Feb 2019 16:31:02 -0800 (PST)
Received: from out1-smtp.messagingengine.com (out1-smtp.messagingengine.com [66.111.4.25]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B86D112DDA3 for <dnsop@ietf.org>; Mon,  4 Feb 2019 16:31:02 -0800 (PST)
Received: from compute3.internal (compute3.nyi.internal [10.202.2.43]) by mailout.nyi.internal (Postfix) with ESMTP id 7A64822269; Mon,  4 Feb 2019 19:31:01 -0500 (EST)
Received: from mailfrontend2 ([10.202.2.163]) by compute3.internal (MEProxy); Mon, 04 Feb 2019 19:31:01 -0500
Received: from attitudadjuster.mnot.net (unknown [144.136.175.28]) by mail.messagingengine.com (Postfix) with ESMTPA id AF10D10318; Mon,  4 Feb 2019 19:30:55 -0500 (EST)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
From: Mark Nottingham <mnot@mnot.net>
In-Reply-To: <CAH1iCip3C-4YchDLur3AFSmQhzouVdP-VGcbt0F6Sj9dEse3CQ@mail.gmail.com>
Date: Tue, 5 Feb 2019 11:30:50 +1100
Cc: Tony Finch <dot@dotat.at>, "dnsop@ietf.org WG" <dnsop@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <057BE2A8-2F36-4458-AE7A-8FC06ACF7C11@mnot.net>
References: <0A018ACB-9958-4202-9263-00EA864E2C5C@mnot.net> <CAH1iCipj0pxP+xD_QSy7CCo4KOPBGKr8Qn4aX5YuJw+E1GV0aA@mail.gmail.com> <alpine.DEB.2.20.1901081213100.3160@grey.csi.cam.ac.uk> <CAH1iCip3C-4YchDLur3AFSmQhzouVdP-VGcbt0F6Sj9dEse3CQ@mail.gmail.com>
To: Brian Dickson <brian.peter.dickson@gmail.com>
X-Mailer: Apple Mail (2.3445.102.3)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/P4VXnhCx0Br32dS22BZHzYlnk3o>
Subject: Re: [DNSOP] Accounting for Special Use Names in Application Protocols
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Feb 2019 00:31:05 -0000

I've modified that slightly to come up with this proposal:

"""
HTTP and HTTPS URIs rely on some name resolution mechanism(s) to interpret the authority field and ultimately convert it into an identifier (typically, IPv4 or IPv6 addresses). Often, this is DNS [ref].

When DNS is consulted for resolution of the authority field, this specification requires adherence to the requirements that all registered special use names [RFC6761] place upon applications; if they are not honoured, security, privacy and interoperability issues may be encountered.
"""

Make sense?

Thanks,


> On 9 Jan 2019, at 1:23 pm, Brian Dickson <brian.peter.dickson@gmail.com> wrote:
>
>
> On Tue, Jan 8, 2019 at 4:21 AM Tony Finch <dot@dotat.at> wrote:
> Brian Dickson <brian.peter.dickson@gmail.com> wrote:
>
> > I think it might be good to scope the 6761 issue, with something like the
> > following:
>
> [SNIP]
>
> > > I.e. it is necessary to recognize all special use names, and necessary to
> > > not resolve such names via DNS.
>
> That's going too far: special-use domain names must have specific
> instructions to application authors, which might say not to use the
> DNS or might say to use the DNS as usual.
>
> Hi, Tony,
> You are, of course, right. I think what I meant was, for the specific case of .onion, (what I said),
> and for the general case, (what you said). I.e. wherever an RFC for specific special use name exists,
> as linked by the IANA registry, those particular instructions MUST be followed, especially if not following
> those rules might/would break things (like the case of .onion vs DNS).
>
> Brian
>
>
> David Schinazi's comment on the GitHub issue about referring to the IANA
> registry is good, and perhaps more useful than referring to RFCs directly.
>
> Tony.
> --
> f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
> Trafalgar: Northeast 3 or 4, increasing 5 at times. Moderate. Fair. Good.

--
Mark Nottingham   https://www.mnot.net/


From nobody Mon Feb  4 16:50:26 2019
Return-Path: <jabley@hopcount.ca>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 80D63130EE7 for <dnsop@ietfa.amsl.com>; Mon,  4 Feb 2019 16:50:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level: 
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=hopcount.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I0Sd56aa7T9C for <dnsop@ietfa.amsl.com>; Mon,  4 Feb 2019 16:50:23 -0800 (PST)
Received: from mail-qt1-x82f.google.com (mail-qt1-x82f.google.com [IPv6:2607:f8b0:4864:20::82f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8D374130DF1 for <dnsop@ietf.org>; Mon,  4 Feb 2019 16:50:23 -0800 (PST)
Received: by mail-qt1-x82f.google.com with SMTP id t33so2153692qtt.4 for <dnsop@ietf.org>; Mon, 04 Feb 2019 16:50:23 -0800 (PST)
X-Received: by 2002:ac8:7096:: with SMTP id y22mr283743qto.334.1549327822617;  Mon, 04 Feb 2019 16:50:22 -0800 (PST)
Received: from [199.212.90.100] (198-84-215-70.cpe.teksavvy.com. [198.84.215.70]) by smtp.gmail.com with ESMTPSA id q53sm2553766qte.22.2019.02.04.16.50.20 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 04 Feb 2019 16:50:21 -0800 (PST)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
From: Joe Abley <jabley@hopcount.ca>
In-Reply-To: <057BE2A8-2F36-4458-AE7A-8FC06ACF7C11@mnot.net>
Date: Mon, 4 Feb 2019 19:50:19 -0500
Cc: Brian Dickson <brian.peter.dickson@gmail.com>, Tony Finch <dot@dotat.at>,  "dnsop@ietf.org WG" <dnsop@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <E27B341F-ECC3-4453-BC10-0EB70ED484BB@hopcount.ca>
References: <0A018ACB-9958-4202-9263-00EA864E2C5C@mnot.net> <CAH1iCipj0pxP+xD_QSy7CCo4KOPBGKr8Qn4aX5YuJw+E1GV0aA@mail.gmail.com> <alpine.DEB.2.20.1901081213100.3160@grey.csi.cam.ac.uk> <CAH1iCip3C-4YchDLur3AFSmQhzouVdP-VGcbt0F6Sj9dEse3CQ@mail.gmail.com> <057BE2A8-2F36-4458-AE7A-8FC06ACF7C11@mnot.net>
To: Mark Nottingham <mnot@mnot.net>
X-Mailer: Apple Mail (2.3445.102.3)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/h5nOgGxYR0p3zWobm6caL88AFWk>
Subject: Re: [DNSOP] Accounting for Special Use Names in Application Protocols
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Feb 2019 00:50:26 -0000

Hi Mark,

On 4 Feb 2019, at 19:30, Mark Nottingham <mnot@mnot.net> wrote:

> I've modified that slightly to come up with this proposal:
>
> """
> HTTP and HTTPS URIs rely on some name resolution mechanism(s) to interpret the authority field and ultimately convert it into an identifier (typically, IPv4 or IPv6 addresses). Often, this is DNS [ref].
>
> When DNS is consulted for resolution of the authority field, this specification requires adherence to the requirements that all registered special use names [RFC6761] place upon applications; if they are not honoured, security, privacy and interoperability issues may be encountered.
> """
>
> Make sense?

I confess I have not been following this thread as closely as perhaps I should, but the text above strikes me as odd.

RFC 6761 describes a registry of special *domain names* -- it's talking about the namespace, not the resolution protocol. In some cases the registry directs applications to use different resolution protocols (protocols other than the DNS) to look things up. The LOCAL and ONION domains are examples. It's the contents of the registry that are important, not that subset of initial registry contents that are specified in RFC 6761, as I think Tony pointed out.

The text you suggested could suggest that an application should consult the DNS for a name that ends in LOCAL and simultaneously satisfy the requirements implied by LOCAL's presence in the Special-Use Domain Name registry, which include not using the DNS. This doesn't seem particularly clear.

Since I've been staring out of the window for the rest of the thread thinking vaguely about lunch it seems a bit presumptuous to suggest alternative text, but perhaps something like this would be better:

---
Resolution of the authority field MUST adhere to any special requirements documented in the Special-Use Domain Names registry [ref] which might specify that some protocol other than DNS be used for resolution for names within a particular domain. If those special requirements are not honoured diligently, security, privacy and interoperability problems might well result.

For example, consider the authority field EXAMPLE.LOCAL, intended to resolve to an address on a local, private network using the Multicast DNS resolution protocol [RFC6762]. If the DNS was used as a resolution protocol, the existence of the local-scope name EXAMPLE.LOCAL and this particular instance of its use might be revealed to third-party DNS servers; there is also a risk that attacks on the DNS system outside the local network could cause the EXAMPLE.LOCAL name to be resolved to an external, third-party address with attendant risks to privacy and security for higher-layer protocols and the application itself. Such risks are avoided by ensuring that resolution of names in the LOCAL domain are only attempted by the application using the Multicast DNS protocol.
---


Joe
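
[Added example, not part of the original message or of any draft text.] The dispatch that the proposed wording above asks of an application can be sketched as a check made before any DNS query is sent. The policy table is a constructed, simplified subset of the Special-Use Domain Names registry, and the names `Action`, `POLICY`, `classify_host` and `classify_uri` are hypothetical.

```python
"""Added example: choose a resolution mechanism for a URI authority host
from a special-use domain name policy table, before any query is sent."""
import ipaddress
from enum import Enum
from urllib.parse import urlsplit


class Action(Enum):
    DNS = "resolve with ordinary DNS"
    MDNS = "resolve with Multicast DNS only (RFC 6762)"
    LOOPBACK = "answer with loopback addresses; send no query"
    FAIL = "fail locally; send no query"
    LITERAL = "IP literal; no name resolution needed"


# Constructed, simplified subset of the Special-Use Domain Names registry.
# A real application would track the registry itself, as the thread says.
POLICY = {
    "local": Action.MDNS,          # RFC 6762
    "onion": Action.FAIL,          # RFC 7686, application without Tor support
    "localhost": Action.LOOPBACK,  # RFC 6761
    "invalid": Action.FAIL,        # RFC 6761
}


def classify_host(host: str) -> Action:
    """Return the resolution action for one host from a URI authority."""
    try:
        ipaddress.ip_address(host)
        return Action.LITERAL
    except ValueError:
        pass  # not an IP literal, so treat it as a domain name

    # One trailing dot marks an absolute name; it does not change the domain.
    name = host[:-1] if host.endswith(".") else host
    labels = name.lower().split(".")
    if not name or any(label == "" for label in labels):
        raise ValueError(f"malformed host name: {host!r}")

    # Match whole labels, longest suffix first. A plain string test such as
    # host.endswith("local") would wrongly catch "mylocal" and would miss
    # "EXAMPLE.LOCAL." with its trailing dot.
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in POLICY:
            return POLICY[suffix]
    return Action.DNS


def classify_uri(uri: str) -> Action:
    """Classify the host found in the authority field of a URI."""
    host = urlsplit(uri).hostname
    if host is None:
        raise ValueError(f"URI has no authority host: {uri!r}")
    return classify_host(host)


if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in (
        "http://EXAMPLE.LOCAL/printer",
        "http://example.local./",
        "https://local.example.com/",
        "https://abc.onion/",
        "http://[::1]:8080/",
        "https://www.example.org/",
    ):
        print(f"{sample:32} -> {classify_uri(sample).value}")
```

The point of returning an action rather than an address is that the caller can refuse to hand a LOCAL or ONION name to the stub resolver at all, which is where the leak described in the EXAMPLE.LOCAL paragraph would otherwise occur.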


From nobody Mon Feb  4 17:46:40 2019
Return-Path: <mnot@mnot.net>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4621D130F34 for <dnsop@ietfa.amsl.com>; Mon,  4 Feb 2019 17:46:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level: 
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=mnot.net header.b=kTFFrPp4; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=Iu68MzlH
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cnPnnp6Ntaht for <dnsop@ietfa.amsl.com>; Mon,  4 Feb 2019 17:46:35 -0800 (PST)
Received: from out1-smtp.messagingengine.com (out1-smtp.messagingengine.com [66.111.4.25]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6DDB7130F33 for <dnsop@ietf.org>; Mon,  4 Feb 2019 17:46:35 -0800 (PST)
Received: from compute3.internal (compute3.nyi.internal [10.202.2.43]) by mailout.nyi.internal (Postfix) with ESMTP id 66D9C2217D; Mon,  4 Feb 2019 20:46:34 -0500 (EST)
Received: from mailfrontend2 ([10.202.2.163]) by compute3.internal (MEProxy); Mon, 04 Feb 2019 20:46:34 -0500
Received: from attitudadjuster.mnot.net (unknown [144.136.175.28]) by mail.messagingengine.com (Postfix) with ESMTPA id EF086100BA; Mon,  4 Feb 2019 20:46:30 -0500 (EST)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
From: Mark Nottingham <mnot@mnot.net>
In-Reply-To: <E27B341F-ECC3-4453-BC10-0EB70ED484BB@hopcount.ca>
Date: Tue, 5 Feb 2019 12:46:26 +1100
Cc: Brian Dickson <brian.peter.dickson@gmail.com>, Tony Finch <dot@dotat.at>,  "dnsop@ietf.org WG" <dnsop@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <76E8CB4A-47C9-4A66-A90C-379E121F8B9B@mnot.net>
References: <0A018ACB-9958-4202-9263-00EA864E2C5C@mnot.net> <CAH1iCipj0pxP+xD_QSy7CCo4KOPBGKr8Qn4aX5YuJw+E1GV0aA@mail.gmail.com> <alpine.DEB.2.20.1901081213100.3160@grey.csi.cam.ac.uk> <CAH1iCip3C-4YchDLur3AFSmQhzouVdP-VGcbt0F6Sj9dEse3CQ@mail.gmail.com> <057BE2A8-2F36-4458-AE7A-8FC06ACF7C11@mnot.net> <E27B341F-ECC3-4453-BC10-0EB70ED484BB@hopcount.ca>
To: Joe Abley <jabley@hopcount.ca>
X-Mailer: Apple Mail (2.3445.102.3)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/68QElLqGpE_f-mDFq0JMv1-Vl5E>
Subject: Re: [DNSOP] Accounting for Special Use Names in Application Protocols
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Feb 2019 01:46:38 -0000

I like it; will append to the issue. Thanks.

> On 5 Feb 2019, at 11:50 am, Joe Abley <jabley@hopcount.ca> wrote:
>
> Hi Mark,
>
> On 4 Feb 2019, at 19:30, Mark Nottingham <mnot@mnot.net> wrote:
>
>> I've modified that slightly to come up with this proposal:
>>
>> """
>> HTTP and HTTPS URIs rely on some name resolution mechanism(s) to interpret the authority field and ultimately convert it into an identifier (typically, IPv4 or IPv6 addresses). Often, this is DNS [ref].
>>
>> When DNS is consulted for resolution of the authority field, this specification requires adherence to the requirements that all registered special use names [RFC6761] place upon applications; if they are not honoured, security, privacy and interoperability issues may be encountered.
>> """
>>
>> Make sense?
>
> I confess I have not been following this thread as closely as perhaps I should, but the text above strikes me as odd.
>
> RFC 6761 describes a registry of special *domain names* -- it's talking about the namespace, not the resolution protocol. In some cases the registry directs applications to use different resolution protocols (protocols other than the DNS) to look things up. The LOCAL and ONION domains are examples. It's the contents of the registry that are important, not that subset of initial registry contents that are specified in RFC 6761, as I think Tony pointed out.
>
> The text you suggested could suggest that an application should consult the DNS for a name that ends in LOCAL and simultaneously satisfy the requirements implied by LOCAL's presence in the Special-Use Domain Name registry, which include not using the DNS. This doesn't seem particularly clear.
>
> Since I've been staring out of the window for the rest of the thread thinking vaguely about lunch it seems a bit presumptuous to suggest alternative text, but perhaps something like this would be better:
>
> ---
> Resolution of the authority field MUST adhere to any special requirements documented in the Special-Use Domain Names registry [ref] which might specify that some protocol other than DNS be used for resolution for names within a particular domain. If those special requirements are not honoured diligently, security, privacy and interoperability problems might well result.
>
> For example, consider the authority field EXAMPLE.LOCAL, intended to resolve to an address on a local, private network using the Multicast DNS resolution protocol [RFC6762]. If the DNS was used as a resolution protocol, the existence of the local-scope name EXAMPLE.LOCAL and this particular instance of its use might be revealed to third-party DNS servers; there is also a risk that attacks on the DNS system outside the local network could cause the EXAMPLE.LOCAL name to be resolved to an external, third-party address with attendant risks to privacy and security for higher-layer protocols and the application itself. Such risks are avoided by ensuring that resolution of names in the LOCAL domain are only attempted by the application using the Multicast DNS protocol.
> ---
>
>
> Joe
>

--
Mark Nottingham   https://www.mnot.net/


From nobody Tue Feb  5 10:59:46 2019
Return-Path: <wjhns1@hardakers.net>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7F410130EB0 for <dnsop@ietfa.amsl.com>; Tue,  5 Feb 2019 10:59:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level: 
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id klKEeAOdoCgR for <dnsop@ietfa.amsl.com>; Tue,  5 Feb 2019 10:59:43 -0800 (PST)
Received: from mail.hardakers.net (mail.hardakers.net [168.150.192.181]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 79323124BAA for <dnsop@ietf.org>; Tue,  5 Feb 2019 10:59:43 -0800 (PST)
Received: from localhost (unknown [10.0.0.3]) by mail.hardakers.net (Postfix) with ESMTPA id 09164220BE; Tue,  5 Feb 2019 09:03:50 -0800 (PST)
From: Wes Hardaker <wjhns1@hardakers.net>
To: Dick Franks <rwfranks@gmail.com>
Cc: Wes Hardaker <wjhns1@hardakers.net>,  IETF DNSOP WG <dnsop@ietf.org>
References: <ybl5zu3qurr.fsf@w7.hardakers.net> <CAKW6Ri6fnejevDcaXkCnyQRpeRuQabb-qjahjzwmz5Y2hNBchQ@mail.gmail.com>
Date: Tue, 05 Feb 2019 09:03:49 -0800
In-Reply-To: <CAKW6Ri6fnejevDcaXkCnyQRpeRuQabb-qjahjzwmz5Y2hNBchQ@mail.gmail.com> (Dick Franks's message of "Mon, 4 Feb 2019 12:06:34 +0000")
Message-ID: <ybllg2u1822.fsf@w7.hardakers.net>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.1 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/OyN5nTvWbJH1tFf6JX-yYEbZxXI>
Subject: Re: [DNSOP] Implementations of extended error?
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Feb 2019 18:59:45 -0000

Dick Franks <rwfranks@gmail.com> writes:

> There is not yet a proper IANA allocated option code for this.
> 
> Might I suggest that all interested parties settle on 65015 from the
> local/experimental block until the real thing arrives.

That seems reasonable.

-- 
Wes Hardaker
USC/ISI


From nobody Tue Feb  5 10:59:52 2019
Return-Path: <wjhns1@hardakers.net>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 665C5124BAA for <dnsop@ietfa.amsl.com>; Tue,  5 Feb 2019 10:59:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CfZHVUoFuVvk for <dnsop@ietfa.amsl.com>; Tue,  5 Feb 2019 10:59:43 -0800 (PST)
Received: from mail.hardakers.net (mail.hardakers.net [168.150.192.181]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 792C012008F for <dnsop@ietf.org>; Tue,  5 Feb 2019 10:59:43 -0800 (PST)
Received: from localhost (unknown [10.0.0.3]) by mail.hardakers.net (Postfix) with ESMTPA id 8EEE4225F2; Tue,  5 Feb 2019 09:03:07 -0800 (PST)
From: Wes Hardaker <wjhns1@hardakers.net>
To: Shane Kerr <shane@time-travellers.org>
Cc: Wes Hardaker <wjhns1@hardakers.net>,  dnsop@ietf.org
References: <ybl5zu3qurr.fsf@w7.hardakers.net> <ECA3ECFA-852B-47EE-8162-7ADD6D8EF288@time-travellers.org> <yblzhrfp5mi.fsf@w7.hardakers.net> <e0ab4fc9-447e-19aa-2d52-0855b5febed1@time-travellers.org>
Date: Tue, 05 Feb 2019 09:03:07 -0800
In-Reply-To: <e0ab4fc9-447e-19aa-2d52-0855b5febed1@time-travellers.org> (Shane Kerr's message of "Mon, 4 Feb 2019 11:51:03 +0100")
Message-ID: <yblpns61838.fsf@w7.hardakers.net>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.1 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/UHjx3OXANGVctR8dFlRsAAbnwJU>
Subject: Re: [DNSOP] Implementations of extended error?
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Feb 2019 18:59:46 -0000

Shane Kerr <shane@time-travellers.org> writes:

> My own thinking is that extended error is much more important on the
> resolver side than on the authoritative side, so that's what I was
> asking about.

That's fair; it's a generic mechanism but authoritative servers have less
reason to return most of the codes (though I could see Prohibited and
Blocked being useful for authoritatives).

(And actually, I just read the "Lame" description in the draft, and it's
actually broken.  It should talk about what to do for both.  I've now fixed
that and will push a new version)

> There was some discussion that it might be tricky to get correct
> information out of the bowels of a resolver that wasn't designed with
> this sort of reporting in mind.

Yeah, I suspect there are some code bases that this simply won't work with EDE
without a major rearchitecture.  If they're currently returning a
single error code from the depths of a stack trace, they won't be able
to easily return either a double-code or potentially modify their
codes to be more descriptive.  Then we get to "error text" as well and
it gets worse.

> Here's what I took away (people can and should correct me where I am wrong):

Thanks for the summary!  Sounds like it was a good discussion.

-- 
Wes Hardaker
USC/ISI


From nobody Wed Feb  6 00:08:44 2019
Return-Path: <muks@mukund.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7F67C126C7E for <dnsop@ietfa.amsl.com>; Wed,  6 Feb 2019 00:08:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level: 
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id g38RAss_cBJA for <dnsop@ietfa.amsl.com>; Wed,  6 Feb 2019 00:08:38 -0800 (PST)
Received: from mail.banu.com (mail.banu.com [IPv6:2a01:4f8:151:2016::99]) by ietfa.amsl.com (Postfix) with ESMTP id 245AF12426E for <dnsop@ietf.org>; Wed,  6 Feb 2019 00:08:38 -0800 (PST)
Received: from jurassic.lan.banu.com (unknown [27.5.209.222]) (using TLSv1.2 with cipher ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits)) (No client certificate requested) by mail.banu.com (Postfix) with ESMTPSA id 7272F5A40748; Wed,  6 Feb 2019 08:08:36 +0000 (GMT)
Date: Wed, 6 Feb 2019 13:38:32 +0530
From: Mukund Sivaraman <muks@mukund.org>
To: Benno Overeinder <benno@nlnetlabs.nl>
Cc: dnsop <dnsop@ietf.org>
Message-ID: <20190206080832.GA14062@jurassic.lan.banu.com>
References: <BCACF554-8BE6-49BC-B75A-BCED776F5189@NLnetLabs.nl>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <BCACF554-8BE6-49BC-B75A-BCED776F5189@NLnetLabs.nl>
User-Agent: Mutt/1.10.1 (2018-07-13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/cz3dqrFdzGoDNmyqmIWUW_cJ7HE>
Subject: Re: [DNSOP] Call for Adoption: draft-song-atr-large-resp
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Feb 2019 08:08:43 -0000

On Fri, Jan 18, 2019 at 06:55:16PM +0100, Benno Overeinder wrote:
> Please review this draft to see if you think it is suitable for
> adoption by DNSOP, and comments to the list, clearly stating your
> view.

Considering that the method is implementable without any changes at a
resolver, and that it doesn't require compatible behavior among DNS
implementations ("protocol" or best practice), I suppose it does not
matter if this draft is adopted or not as long as the idea has been
described somewhere.

		Mukund


From nobody Wed Feb  6 08:34:25 2019
Return-Path: <petr.spacek@nic.cz>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 16CC6130DD8 for <dnsop@ietfa.amsl.com>; Wed,  6 Feb 2019 08:34:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.021
X-Spam-Level: 
X-Spam-Status: No, score=-6.021 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FROM_EXCESS_BASE64=0.979, RCVD_IN_DNSWL_HI=-5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nic.cz
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Yk8A6ENYDmLH for <dnsop@ietfa.amsl.com>; Wed,  6 Feb 2019 08:34:20 -0800 (PST)
Received: from mail.nic.cz (mail.nic.cz [217.31.204.67]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 579C112F18C for <dnsop@ietf.org>; Wed,  6 Feb 2019 08:34:19 -0800 (PST)
Received: from pc-cznic19.fit.vutbr.cz (unknown [IPv6:2001:1488:fffe:6:8485:54ff:fe5d:7284]) by mail.nic.cz (Postfix) with ESMTPSA id 349D9601FB for <dnsop@ietf.org>; Wed,  6 Feb 2019 17:34:17 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=nic.cz; s=default; t=1549470857; bh=y8e/BS4xrGK4hj7Uyj3IjLnywC6y48WyuExW1mT4fyM=; h=To:From:Date; b=v0WekkUAuewwUHi9Hzn3URa1i3LZYlHtxpzgamskYv25pCCUnvs73dcdECHApf4wu kTy0lyOtEiNRdE0X5SNC0qPeP6bKNDzb40BEJZqq4YQsB6y4gylfOQwuk+ZNz9i2gi ykWO4EL2Aw//ivcH2nF7K0PDjwCgVCy9T6ZDvW+o=
To: dnsop@ietf.org
References: <ybl5zu3qurr.fsf@w7.hardakers.net> <ECA3ECFA-852B-47EE-8162-7ADD6D8EF288@time-travellers.org> <yblzhrfp5mi.fsf@w7.hardakers.net> <e0ab4fc9-447e-19aa-2d52-0855b5febed1@time-travellers.org>
From: =?UTF-8?B?UGV0ciDFoHBhxI1law==?= <petr.spacek@nic.cz>
Openpgp: preference=signencrypt
Organization: CZ.NIC
Message-ID: <549fe938-6c4e-66d0-68f4-81034b16e785@nic.cz>
Date: Wed, 6 Feb 2019 17:34:27 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.4.0
MIME-Version: 1.0
In-Reply-To: <e0ab4fc9-447e-19aa-2d52-0855b5febed1@time-travellers.org>
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 8bit
X-Virus-Scanned: clamav-milter 0.99.2 at mail
X-Virus-Status: Clean
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/b3wtVj_aWm24PXyHr1M9NMj3LJ0>
Subject: Re: [DNSOP] Implementations of extended error?
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Feb 2019 16:34:23 -0000

On 04. 02. 19 11:51, Shane Kerr wrote:
> * CZ.NIC has no plans for Knot Resolver, and still have to look
> carefully at the latest draft (although Petr has some interesting ideas
> about what he thinks is valuable in this area).

Thank you for reminding me, Shane!

My personal goal is to provide advice to users "who to call" because
neither users nor tech support lines want to waste time on issues they
cannot fix. (ISP is not going to fix botched bank domain, and vice
versa.) It should not (only) be a diagnostics tool for DNS geeks!

Let me elaborate:

We at CZ.NIC experience what it is like to be registry (CZ), software
vendor (Knot Resolver), and DNS support team (for Turris routers) at the
same time...

Based on this experience I came to the conclusion that it would have
tremendous value if we can split DNS problems into two coarse categories:
far/local end problems. Of course more information is a bonus for geeks.

Ideally the error code should provide the client software with enough
information to decide what message should be shown to end-user:

a] inform your system/network admin/ISP
- when a "local" problem is detected
- examples:
-- local time is likely off (. NS signature expired/not yet valid?!)
-- everything times out
-- everything is REFUSED (client blocked for abuse)

b] inform site owner (your bank), do not call your ISP!
- e.g. all auths return REFUSED, botched DNSSEC signatures, ...


I can imagine 4 possibilities:
00 - do not call anyone (no-error messages)
01 - call network admin/ISP
10 - call domain owner
11 - call someone, we do not know what happened


This obviously does not conflict with detailed information in current
proposal, I have nothing against it.

Does it seem useful to others?

-- 
Petr Špaček  @  CZ.NIC
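
The four-way "who to call" split proposed in the message above, sketched as an added example that is not part of the original post and not Knot Resolver code. The `Observation` model, the result strings, the `example.` names and the rule that a failure seen only at the target zone's servers stays at `11` are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum


class WhoToCall(IntEnum):
    """The four two-bit values listed in the message."""
    NOBODY = 0b00         # do not call anyone
    NETWORK_ADMIN = 0b01  # call network admin/ISP ("local" problem)
    DOMAIN_OWNER = 0b10   # call domain owner ("far end" problem)
    UNKNOWN = 0b11        # call someone, we do not know what happened


@dataclass(frozen=True)
class Observation:
    """One upstream exchange made while resolving a name (hypothetical model)."""
    zone: str    # zone the contacted server is authoritative for
    server: str
    result: str  # "ok", "timeout", "refused" or "bogus" (DNSSEC validation failed)


# Failure kinds the message lists under each heading.
LOCAL_FAILURES = {"timeout", "refused"}   # everything times out / is REFUSED
FAR_END_FAILURES = {"refused", "bogus"}   # all auths REFUSED / botched signatures


def classify(target_zone, observations, now, root_sig_window):
    """Map what the resolver saw to one of the four codes.

    root_sig_window is the (inception, expiration) pair of the root NS
    signature as plain Unix times; real RRSIG fields use serial-number
    arithmetic, which this sketch leaves out.
    """
    inception, expiration = root_sig_window
    # A root signature that looks expired or not yet valid points at the
    # local clock, not at the root zone.
    if not inception <= now <= expiration:
        return WhoToCall.NETWORK_ADMIN

    target = [o for o in observations if o.zone == target_zone]
    others = [o for o in observations if o.zone != target_zone]

    # One good answer from the target zone is enough: resolution worked.
    if any(o.result == "ok" for o in target):
        return WhoToCall.NOBODY
    # Every exchange failed, including ones unrelated to the target zone.
    if others and all(o.result in LOCAL_FAILURES for o in observations):
        return WhoToCall.NETWORK_ADMIN
    # Other zones answered, so the path works; only the target is broken.
    if (target and any(o.result == "ok" for o in others)
            and all(o.result in FAR_END_FAILURES for o in target)):
        return WhoToCall.DOMAIN_OWNER
    # E.g. only the target's servers were contacted (cached delegation):
    # "all auths REFUSED" and "client blocked" cannot be told apart.
    return WhoToCall.UNKNOWN


# Constructed sample data: validity window and clock values are made up.
ROOT_SIG = (1548979200, 1550188800)
NOW_OK, NOW_RESET_CLOCK = 1549470857, 0
Z = "bank.example."
PARENTS_OK = [Observation(".", "root-a", "ok"),
              Observation("example.", "tld-a", "ok")]

SCENARIOS = {
    "clock_off": (PARENTS_OK + [Observation(Z, "ns1", "ok")], NOW_RESET_CLOCK),
    "all_timeout": ([Observation(".", "root-a", "timeout"),
                     Observation(".", "root-b", "timeout")], NOW_OK),
    "auths_refused": (PARENTS_OK + [Observation(Z, "ns1", "refused"),
                                    Observation(Z, "ns2", "refused")], NOW_OK),
    "botched_dnssec": (PARENTS_OK + [Observation(Z, "ns1", "bogus")], NOW_OK),
    "cached_delegation_refused": ([Observation(Z, "ns1", "refused")], NOW_OK),
    "one_auth_down": (PARENTS_OK + [Observation(Z, "ns1", "timeout"),
                                    Observation(Z, "ns2", "ok")], NOW_OK),
}


def run_scenarios():
    """Classify every constructed scenario; returns {name: WhoToCall}."""
    return {name: classify(Z, obs, now, ROOT_SIG)
            for name, (obs, now) in SCENARIOS.items()}


if __name__ == "__main__":
    for name, code in run_scenarios().items():
        print(f"{name:26} {code.value:02b} {code.name}")
```
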


From nobody Thu Feb  7 04:15:58 2019
Return-Path: <petr.spacek@nic.cz>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 22E1F131119 for <dnsop@ietfa.amsl.com>; Thu,  7 Feb 2019 04:15:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.02
X-Spam-Level: 
X-Spam-Status: No, score=-6.02 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FROM_EXCESS_BASE64=0.979, RCVD_IN_DNSWL_HI=-5, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nic.cz
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4IQXVy-bwmsu for <dnsop@ietfa.amsl.com>; Thu,  7 Feb 2019 04:15:54 -0800 (PST)
Received: from mail.nic.cz (mail.nic.cz [217.31.204.67]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 859A812D4F2 for <dnsop@ietf.org>; Thu,  7 Feb 2019 04:15:53 -0800 (PST)
Received: from pc-cznic19.fit.vutbr.cz (unknown [IPv6:2001:67c:1220:8b4:4083:41ad:63c7:e9cb]) by mail.nic.cz (Postfix) with ESMTPSA id 0F3D46333A for <dnsop@ietf.org>; Thu,  7 Feb 2019 13:15:51 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=nic.cz; s=default; t=1549541751; bh=jBT2pfEtybsHgb0a/WwgiZyFX0+KAZIBDyHo6c9ziVM=; h=To:From:Date; b=i/AyFX7uFd9B9q/2Sd2st2eV+6fcRuqxOFfTyKNjgqcJnqgKa0nPSKjRw3pWQyda/ HHmDBBMPzfwKN8UHU9VwmXzrdGH9bgBdps12fOT2lWDcEcJJxZObWdEM4j2c6vXn+R n7QsO5Qc/DF7JOtwWMWTl76M1ZaA1TcsGIG1hlqg=
To: "dnsop@ietf.org" <dnsop@ietf.org>
From: =?UTF-8?B?UGV0ciDFoHBhxI1law==?= <petr.spacek@nic.cz>
Openpgp: preference=signencrypt
Organization: CZ.NIC
Message-ID: <fcd790a2-414b-491e-01e2-9aa92f7b1c4e@nic.cz>
Date: Thu, 7 Feb 2019 13:16:01 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.4.0
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Language: cs
Content-Transfer-Encoding: 8bit
X-Virus-Scanned: clamav-milter 0.99.2 at mail
X-Virus-Status: Clean
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/rRDuW8n3rBVAr_A9hlLQXSsfNlw>
Subject: [DNSOP] RFC 1035 vs. mandatory NS at apex?
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Feb 2019 12:15:57 -0000

Hello dnsop,

here is a quiz for experienced RFC archeologists:

https://tools.ietf.org/html/rfc1035#section-5.2
section 5.2. Use of master files to define zones
does not mention NS at apex at all, but it does explicitly mention SOA
at apex. Can it be interpreted as if NS at apex is not mandatory?

Funnily enough
https://tools.ietf.org/html/rfc1035#section-5.3
has an example which has NS at apex, but it is not clear from the text above.

Is it mandatory or not? Should I submit an erratum for RFC 1035?

Thank you for clarification.

-- 
Petr Špaček  @  CZ.NIC


From nobody Thu Feb  7 04:44:40 2019
Return-Path: <petr.spacek@nic.cz>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 78BD312D4F2 for <dnsop@ietfa.amsl.com>; Thu,  7 Feb 2019 04:44:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.021
X-Spam-Level: 
X-Spam-Status: No, score=-6.021 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FROM_EXCESS_BASE64=0.979, RCVD_IN_DNSWL_HI=-5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nic.cz
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KiWvPT8L7Pme for <dnsop@ietfa.amsl.com>; Thu,  7 Feb 2019 04:44:37 -0800 (PST)
Received: from mail.nic.cz (mail.nic.cz [IPv6:2001:1488:800:400::400]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BC52B130EFC for <dnsop@ietf.org>; Thu,  7 Feb 2019 04:44:36 -0800 (PST)
Received: from pc-cznic19.fit.vutbr.cz (pc-cznic21.fit.vutbr.cz [147.229.13.117]) by mail.nic.cz (Postfix) with ESMTPSA id 2AD6B6333C for <dnsop@ietf.org>; Thu,  7 Feb 2019 13:44:35 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=nic.cz; s=default; t=1549543475; bh=5ZC3lWiC5s6UhKlrzmsKUFKUeeOcX106GAs80HLL+8Y=; h=To:From:Date; b=YNNloOp9nd+wa3KOu/FRPHuphvZYyRLawP7pHlxD7lI0w9TDC2GlPYBQjG3YuSdeU b3V2lCpdMARhm4w5BjsUbqu+7U7WNLUtvOvx+0cZPlggIE8ouEdttQjAtW20MVRjmP blIo53gGuF6hxzvTV2Dr2IV+qS2ivEDbMv7UsPHo=
To: "dnsop@ietf.org" <dnsop@ietf.org>
References: <fcd790a2-414b-491e-01e2-9aa92f7b1c4e@nic.cz> <CC75C79C-E5FB-4C91-9453-103E36EDC505@fugue.com>
From: =?UTF-8?B?UGV0ciDFoHBhxI1law==?= <petr.spacek@nic.cz>
Openpgp: preference=signencrypt
Organization: CZ.NIC
Message-ID: <48a12f46-eee1-823e-a448-8f3b0d973f7d@nic.cz>
Date: Thu, 7 Feb 2019 13:44:45 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.4.0
MIME-Version: 1.0
In-Reply-To: <CC75C79C-E5FB-4C91-9453-103E36EDC505@fugue.com>
Content-Type: text/plain; charset=utf-8
Content-Language: cs
Content-Transfer-Encoding: 8bit
X-Virus-Scanned: clamav-milter 0.99.2 at mail
X-Virus-Status: Clean
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Qs_ATDYgF_sYQrS2-CNUjgqhtu4>
Subject: Re: [DNSOP] RFC 1035 vs. mandatory NS at apex?
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Feb 2019 12:44:39 -0000

On 07. 02. 19 13:39, Ted Lemon wrote:
> Why would NS at the apex be mandatory?   What breaks if it’s not there?
> 
> (Playing the devil’s advocate—I’m also curious about this, but I think the answer is that nothing breaks.)

When looking at it from resolver perspective, what is the resolver
supposed to do with query "zone. NS" if there is no authoritative NS set
in the zone? Return NOERROR+NODATA?

Returning non-authoritative NS set in ANSWER section sounds wrong to me.

-- 
Petr Špaček  @  CZ.NIC


From nobody Thu Feb  7 04:53:11 2019
Return-Path: <mellon@fugue.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5ADE6130EDE for <dnsop@ietfa.amsl.com>; Thu,  7 Feb 2019 04:53:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.041
X-Spam-Level: 
X-Spam-Status: No, score=-2.041 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.142, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fugue-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gPaPKmlQAGzU for <dnsop@ietfa.amsl.com>; Thu,  7 Feb 2019 04:53:08 -0800 (PST)
Received: from mail-qk1-x72b.google.com (mail-qk1-x72b.google.com [IPv6:2607:f8b0:4864:20::72b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3332112D4F2 for <dnsop@ietf.org>; Thu,  7 Feb 2019 04:53:07 -0800 (PST)
Received: by mail-qk1-x72b.google.com with SMTP id u188so6344635qkh.8 for <dnsop@ietf.org>; Thu, 07 Feb 2019 04:53:07 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fugue-com.20150623.gappssmtp.com; s=20150623; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=wNKggg90o6tWkKO3tHK2hU31Grq9vnjFn5UjhlYcKDQ=; b=q33eQPN470YZHZKHiQkU/qOq6yVQ+P8ZfsXGCzSas0hsE1Q00TIrjPissZ4mYzsoDe N0zrryG12F/Dntb98dOnYHUbdLyMbRdYRL2RA/HQOOJyU/9MaHlkbf+ScydCiYa94lMw 6AXVUE5cXI5zol2QzaXzOSOESypgZQJkMBv0dH4/JAzY+xgtcKAVYt5BYf9Gxj1RMT/4 liWh2aE+ksVHbMKquvh4s3srITFCU2qhEXbZV8GE1oTxsN3ERti6YWTxsGbRG2OFakkq vj6H8Sf0h5WfVdzGxdALpSW5BgOKVJgw2H3sBJzVb+HZLM6V/e0J84KrEMio26xzMJpr c8RA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=wNKggg90o6tWkKO3tHK2hU31Grq9vnjFn5UjhlYcKDQ=; b=Gt4v0D3CD1zWt2vG4OTWCJeZ6NuvUnhI5UITyspm0AAI0+WX5wFvwQthwyMCAHyFX8 KQWVAxjbB1B3pWYowbSBo31Okl8A2RaXE9b/FUjocI4FGimZh9ZoAWajZ6k0fEVqmQaE vRkwJdchYKk+TtXWPqOugFPCg85pHN9bTbMXHGw+zvhqfvUY1QaEM098TAVhECTrkiy8 pqrIOtPeWt8ECdaswmSzKqxVgxmi/lbGnO1mIRZTAF+wCiQMCZBSLqx/bq1lSe315N/y jrZ195/g4iwSQ92IwHchV5kLMYmMwur/9EGdDMBOgxCHFibl4rJxqQcY/wJK4xdvMmbi HzJg==
X-Gm-Message-State: AHQUAub3ZyXSJAcd7oX2p7FL3/Q63buXf0xdp77mCpmUakghtCkjd0iO xRvgL1BBH8JK2kBSI3j52MLpBA==
X-Google-Smtp-Source: AHgI3IYgxsEXRF+UhmT70KTHXomQqQLhmZDqPsMT5Nwp6GD7O8bNBqxyag61R2O8UeyTZAtKsqLraQ==
X-Received: by 2002:ae9:d804:: with SMTP id u4mr11603802qkf.322.1549543987079;  Thu, 07 Feb 2019 04:53:07 -0800 (PST)
Received: from [10.0.100.12] (c-73-186-137-119.hsd1.ma.comcast.net. [73.186.137.119]) by smtp.gmail.com with ESMTPSA id 13sm2234880qtv.78.2019.02.07.04.52.35 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 07 Feb 2019 04:52:37 -0800 (PST)
From: Ted Lemon <mellon@fugue.com>
Message-Id: <F821C2A2-BD6F-41D1-A2D6-3928E783614B@fugue.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_C4A6EE79-A79B-4DDC-A15A-BC6D13C6BEB7"
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
Date: Thu, 7 Feb 2019 07:52:33 -0500
In-Reply-To: <48a12f46-eee1-823e-a448-8f3b0d973f7d@nic.cz>
Cc: "dnsop@ietf.org" <dnsop@ietf.org>
To: =?utf-8?B?UGV0ciDFoHBhxI1law==?= <petr.spacek@nic.cz>
References: <fcd790a2-414b-491e-01e2-9aa92f7b1c4e@nic.cz> <CC75C79C-E5FB-4C91-9453-103E36EDC505@fugue.com> <48a12f46-eee1-823e-a448-8f3b0d973f7d@nic.cz>
X-Mailer: Apple Mail (2.3445.102.3)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/vK6BzDQljpv4gTwoPs7HbG3Kb4s>
Subject: Re: [DNSOP] RFC 1035 vs. mandatory NS at apex?
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Feb 2019 12:53:10 -0000

--Apple-Mail=_C4A6EE79-A79B-4DDC-A15A-BC6D13C6BEB7
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8

On Feb 7, 2019, at 7:44 AM, Petr Špaček <petr.spacek@nic.cz> wrote:
> When looking at it from resolver perspective, what is the resolver
> supposed to do with query "zone. NS" if there is no authoritative NS set
> in the zone? Return NOERROR+NODATA?

It should reply with no error and no data.  But this is okay, because
you never need to ask this question in order to resolve a name.  If you
are looking up an NS record with intent to use it, it’s going to be in
the parent zone, where you are looking for a delegation.

The real question is whether the NS record needs to be validated.  If
it does, then it needs to be signed, and so it needs to appear in the
zone.  But that’s what the DS record is for, right?  :)


--Apple-Mail=_C4A6EE79-A79B-4DDC-A15A-BC6D13C6BEB7--


From nobody Thu Feb  7 05:00:53 2019
Return-Path: <petr.spacek@nic.cz>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CC7B0130DC8 for <dnsop@ietfa.amsl.com>; Thu,  7 Feb 2019 05:00:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.02
X-Spam-Level: 
X-Spam-Status: No, score=-6.02 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FROM_EXCESS_BASE64=0.979, RCVD_IN_DNSWL_HI=-5, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nic.cz
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mPD01aXcTpif for <dnsop@ietfa.amsl.com>; Thu,  7 Feb 2019 05:00:38 -0800 (PST)
Received: from mail.nic.cz (mail.nic.cz [217.31.204.67]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 01B7B130EFC for <dnsop@ietf.org>; Thu,  7 Feb 2019 05:00:37 -0800 (PST)
Received: from pc-cznic19.fit.vutbr.cz (pc-cznic21.fit.vutbr.cz [147.229.13.117]) by mail.nic.cz (Postfix) with ESMTPSA id 208B4633B7; Thu,  7 Feb 2019 14:00:36 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=nic.cz; s=default; t=1549544436; bh=JC7/cqhkGr6ot5pNbsga324IBfV+sNz2e97HT2NDG7I=; h=To:From:Date; b=Ae9Ve/I179os0KnqvJS/AF6sSsh15sbNkzihW5ZCRIk7tsctkontOjXeRXW5OZdcT JMHkMTZoCTHPL/qlcZKQVfKhCJxMPLleRMpK0tO7HJ2SfqVgAyD8/uhj+RUAgxsVkW SdkdDawi5briqZSkXb9OkHbLbsaq39jgUWejjVPo=
To: Ted Lemon <mellon@fugue.com>
Cc: "dnsop@ietf.org" <dnsop@ietf.org>
References: <fcd790a2-414b-491e-01e2-9aa92f7b1c4e@nic.cz> <CC75C79C-E5FB-4C91-9453-103E36EDC505@fugue.com> <48a12f46-eee1-823e-a448-8f3b0d973f7d@nic.cz> <F821C2A2-BD6F-41D1-A2D6-3928E783614B@fugue.com>
From: =?UTF-8?B?UGV0ciDFoHBhxI1law==?= <petr.spacek@nic.cz>
Openpgp: preference=signencrypt
Organization: CZ.NIC
Message-ID: <966fa8dd-f420-adc9-117d-24315b52825d@nic.cz>
Date: Thu, 7 Feb 2019 14:00:46 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.4.0
MIME-Version: 1.0
In-Reply-To: <F821C2A2-BD6F-41D1-A2D6-3928E783614B@fugue.com>
Content-Type: text/plain; charset=utf-8
Content-Language: cs
Content-Transfer-Encoding: 8bit
X-Virus-Scanned: clamav-milter 0.99.2 at mail
X-Virus-Status: Clean
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/UQVH42SCeKbFBXoHLx4GncOJIvY>
Subject: Re: [DNSOP] RFC 1035 vs. mandatory NS at apex?
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Feb 2019 13:00:52 -0000

On 07. 02. 19 13:52, Ted Lemon wrote:
> On Feb 7, 2019, at 7:44 AM, Petr Špaček <petr.spacek@nic.cz
> <mailto:petr.spacek@nic.cz>> wrote:
>> When looking at it from resolver perspective, what is the resolver
>> supposed to do with query "zone. NS" if there is no authoritative NS set
>> in the zone? Return NOERROR+NODATA?
> 
> It should reply with no error and no data.  But this is okay, because
> you never need to ask this question in order to resolve a name.  If you
> are looking up an NS record with intent to use it, it’s going to be in
> the parent zone, where you are looking for a delegation.

I feel something bad will happen if parent and child zone is on the same
auth server and resolver is using query name minimization...
(This configuration *does* exist in wild as we know from debugging Knot
Resolver - we do query name minimization by default.)

My gut feeling is that it should be mandatory but I would like to hear
from other implementers what assumptions they have in code.

Petr Špaček  @  CZ.NIC


> The real question is whether the NS record needs to be validated.  If
> it does, then it needs to be signed, and so it needs to appear in the
> zone.  But that’s what the DS record is for, right?  :)


From nobody Thu Feb  7 05:10:17 2019
Return-Path: <mellon@fugue.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B60B612F1A6 for <dnsop@ietfa.amsl.com>; Thu,  7 Feb 2019 05:10:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.041
X-Spam-Level: 
X-Spam-Status: No, score=-2.041 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.142, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fugue-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jO_0ivlL34gp for <dnsop@ietfa.amsl.com>; Thu,  7 Feb 2019 05:10:14 -0800 (PST)
Received: from mail-qk1-x72e.google.com (mail-qk1-x72e.google.com [IPv6:2607:f8b0:4864:20::72e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1CD121294D0 for <dnsop@ietf.org>; Thu,  7 Feb 2019 05:10:14 -0800 (PST)
Received: by mail-qk1-x72e.google.com with SMTP id z18so6370965qkj.10 for <dnsop@ietf.org>; Thu, 07 Feb 2019 05:10:14 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fugue-com.20150623.gappssmtp.com; s=20150623; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=5KlEqd1c4usaFSKXEz99OnUtd7Xw6C933WGMxSwn2sY=; b=M6g89EAG2MXjapqA8S2axtJkq8HzuIn/+J2xgaqZNmwF36yMpC/UHUdUifajFShMr4 ykZUdyDxQeyieOmaXhNyxGJnyJ0zEPb1aJST3XkOWY6AZeRslvthu6YZ5ta+MBquSARE MmUnfkbczRJOBy8++z/4WghYBZNrbqHpw679x4ezlP9XcrpbFXjg4HR8yY1rSYcCf1xF 5hsPznwM4J6GbcsgBcugGZOid5I1tZfyeysuo6fEy58XUMmELbqKoSFL58a2D62joEFm vbpEIWJgpDhSH+ShZPv/i76pm7MyMvT1sZqCuMugn6tiswNQAbQnkS/JmzA0CQGsDaWk 5rTA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=5KlEqd1c4usaFSKXEz99OnUtd7Xw6C933WGMxSwn2sY=; b=RVi8z3AIu1aMtM5ObnQPCNlYs5rZYBW0lfhqkPxlRBvFBneV9Uxm/N4JKX29QPQRg8 LYMArVWs42quDlZ2bHyoLqUlU0iDSBtNcWuRpGPTgKJdBVy9nV7y529fOvTFupe745Jt sc0lveMoIoA2CCeViXtWk5+/wmfLiyXal7Sg2F1jtQHGTL+g1D3Sf8RFYrKAJR9uULxH e8MK8vf7KG/UBbefDngx8os78l3351pgtNRBHKOzHYYTXerH652CX17pKpg5AhF8/bJb znnSwN+ORVksTRqMGFILOTThGZvZmFHVkBiBKYWWDlOGsd20449JbkmJw+8QpZxSOM9e ZO+g==
X-Gm-Message-State: AHQUAuavsBz6bnEONq4yc5S5i4y7llIVQU95HosLfaYmDCrhcUvxlkl/ KPgVsU1EwOda6HAKY4YN/uwzBK72rkM=
X-Google-Smtp-Source: AHgI3IYI644zV1QRxWh1C9glnC+9sCx1n4EBkwx3Tbdv1R7RJuyFsrXOl2smHLR2X9w9GKaw4tr0Tw==
X-Received: by 2002:a37:d612:: with SMTP id t18mr11388082qki.215.1549545013242;  Thu, 07 Feb 2019 05:10:13 -0800 (PST)
Received: from [10.0.100.12] (c-73-186-137-119.hsd1.ma.comcast.net. [73.186.137.119]) by smtp.gmail.com with ESMTPSA id d50sm46098820qta.31.2019.02.07.05.10.12 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 07 Feb 2019 05:10:12 -0800 (PST)
From: Ted Lemon <mellon@fugue.com>
Message-Id: <968D0BAC-4E10-49E8-94A1-6A5679337732@fugue.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_04BF544B-FE91-4C56-81FB-E05FC5164554"
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
Date: Thu, 7 Feb 2019 08:10:09 -0500
In-Reply-To: <966fa8dd-f420-adc9-117d-24315b52825d@nic.cz>
Cc: "dnsop@ietf.org" <dnsop@ietf.org>
To: =?utf-8?B?UGV0ciDFoHBhxI1law==?= <petr.spacek@nic.cz>
References: <fcd790a2-414b-491e-01e2-9aa92f7b1c4e@nic.cz> <CC75C79C-E5FB-4C91-9453-103E36EDC505@fugue.com> <48a12f46-eee1-823e-a448-8f3b0d973f7d@nic.cz> <F821C2A2-BD6F-41D1-A2D6-3928E783614B@fugue.com> <966fa8dd-f420-adc9-117d-24315b52825d@nic.cz>
X-Mailer: Apple Mail (2.3445.102.3)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/4iL1uvITEMYFSSDlk4LiJH8quu4>
Subject: Re: [DNSOP] RFC 1035 vs. mandatory NS at apex?
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Feb 2019 13:10:16 -0000

--Apple-Mail=_04BF544B-FE91-4C56-81FB-E05FC5164554
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8

On Feb 7, 2019, at 8:00 AM, Petr Špaček <petr.spacek@nic.cz> wrote:
> I feel something bad will happen if parent and child zone is on the same
> auth server and resolver is using query name minimization...
> (This configuration *does* exist in wild as we know from debugging Knot
> Resolver - we do query name minimization by default.)

Interesting!   What goes wrong?



--Apple-Mail=_04BF544B-FE91-4C56-81FB-E05FC5164554--


From nobody Thu Feb  7 05:11:08 2019
Return-Path: <marka@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3182213112A for <dnsop@ietfa.amsl.com>; Thu,  7 Feb 2019 05:10:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.9
X-Spam-Level: 
X-Spam-Status: No, score=-6.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Spa00w7AEsD6 for <dnsop@ietfa.amsl.com>; Thu,  7 Feb 2019 05:10:54 -0800 (PST)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [IPv6:2001:4f8:0:2::2b]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 46633130E72 for <dnsop@ietf.org>; Thu,  7 Feb 2019 05:10:54 -0800 (PST)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.pao1.isc.org (Postfix) with ESMTPS id 24F273AB066; Thu,  7 Feb 2019 13:10:54 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id A8D5F160071; Thu,  7 Feb 2019 13:10:50 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id 98639160070; Thu,  7 Feb 2019 13:10:50 +0000 (UTC)
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id mZ39HT6Xmdsm; Thu,  7 Feb 2019 13:10:50 +0000 (UTC)
Received: from [172.30.42.67] (c27-253-115-14.carlnfd2.nsw.optusnet.com.au [27.253.115.14]) by zmx1.isc.org (Postfix) with ESMTPSA id 73C74160064; Thu,  7 Feb 2019 13:10:49 +0000 (UTC)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
From: Mark Andrews <marka@isc.org>
In-Reply-To: <fcd790a2-414b-491e-01e2-9aa92f7b1c4e@nic.cz>
Date: Fri, 8 Feb 2019 00:10:44 +1100
Cc: "dnsop@ietf.org" <dnsop@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <0869E3C6-2362-42CC-BD22-293CB9BF25D6@isc.org>
References: <fcd790a2-414b-491e-01e2-9aa92f7b1c4e@nic.cz>
To: =?utf-8?B?UGV0ciDFoHBhxI1law==?= <petr.spacek@nic.cz>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/T5M5KoAvmN_kIv44McZZKLiP9o0>
Subject: Re: [DNSOP] RFC 1035 vs. mandatory NS at apex?
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Feb 2019 13:11:07 -0000

> On 7 Feb 2019, at 11:16 pm, Petr Špaček <petr.spacek@nic.cz> wrote:
>
> Hello dnsop,
>
> here is a quiz for experienced RFC archeologists:
>
> https://tools.ietf.org/html/rfc1035#section-5.2
> section 5.2. Use of master files to define zones
> does not mention NS at apex at all, but it does explicitly mention SOA
> at apex. Can it be interpreted as if NS at apex is not mandatory?

No.  Go read RFC 1034.

> Funnily enough
> https://tools.ietf.org/html/rfc1035#section-5.3
> has an example which has NS at apex, but it is not clear from the text above.
>
> Is it mandatory or not? Should I submit erratum for RFC 1035?
>
> Thank you for clarification.
>
> --
> Petr Špaček  @  CZ.NIC
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka@isc.org


From nobody Thu Feb  7 05:54:09 2019
Return-Path: <kevin.darcy@fcagroup.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 05CBE124BE5 for <dnsop@ietfa.amsl.com>; Thu,  7 Feb 2019 05:54:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.041
X-Spam-Level: 
X-Spam-Status: No, score=-2.041 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.142, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fcagroup-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ezW64Un8BzAw for <dnsop@ietfa.amsl.com>; Thu,  7 Feb 2019 05:54:06 -0800 (PST)
Received: from mail-it1-x136.google.com (mail-it1-x136.google.com [IPv6:2607:f8b0:4864:20::136]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 240A2123FFD for <dnsop@ietf.org>; Thu,  7 Feb 2019 05:54:06 -0800 (PST)
Received: by mail-it1-x136.google.com with SMTP id m62so14884946ith.5 for <dnsop@ietf.org>; Thu, 07 Feb 2019 05:54:06 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fcagroup-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=OHAQ7pWbAvGItQ7w/HjonWH38h0GVK9sNnB+IQrlJIw=; b=1PCDKWmeniT5yd/F8ZY08XnlAxRrAcq0AoPmPlp+CBVks9S8Hd45OKHQxroES+nd7+ aeyBaWhucOUHWuOq726l082FSikOKyUM6Rd++Emka33/v3S5r5sWTKJFYZVMxcQcvA8Y BW4pwaN1zBR8QdeScv9ybTp1GLL3UVGeuhSSY0EO9GORr32lB2nZ1PM1gyXeuWZK/86X vfVobRfPADtYuAnRySZDlXqYUXgc5gnJg52mWEnaP2mj6ymw/rGZQtzSdBlE8suy1Gln K5KATv06lWCGtyE8hHa6l63M4Sb0GiK6VFNjR2kBApMxKpjLlfzq40mH4jyvAqsrsysz QA9g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=OHAQ7pWbAvGItQ7w/HjonWH38h0GVK9sNnB+IQrlJIw=; b=i1b193yyHHbHk6FOgXBbs7ewnFUIV7qc/uq27wCPk0rsBblD1UkdvsBAk5GyBDspXp HC5l0nBX+/9h3oqJfxoPf9Eky7Vf/8RGWePl+cMcMbOBAk7yTSqvpHLfpC+lzAfLEU+n DueIM4l7XBIk5BTBnOiiiiSNusyyVaHxEd1egUtZKN2CF3qtwy93uIwywGHcYlDolfGe bQcVWOROd/CFk2M9gwvasmiu90s/dMSAjw6FK/SkggBVZUKpCrykxKxVV1p7zxStQhCS maTDXWSsagtAXdHofXtjBYKb+lN5J5xzoiryPZorHr5cOVPD7L34/rhxtiM7Upx+eJaE PPFQ==
X-Gm-Message-State: AHQUAubBmF+jbGdu1Q9kijYO2swQ2i47sPq6y6BqKJ8MC35inIzllfWI RI8fgQcyJ3XnKRMNkffNbdzQJAW8XGEUmzXia7BNHjs4Nfhagw==
X-Google-Smtp-Source: AHgI3IYzyNLXHmbE2jjcT6ghZ0XaC+r9jbIdTxPzi4jiFA1EDR4hPCn/JGCqzb9QC9pCSqaXe9ZXbguxP+oLji/np/A=
X-Received: by 2002:a24:5651:: with SMTP id o78mr4877386itb.157.1549547645003;  Thu, 07 Feb 2019 05:54:05 -0800 (PST)
MIME-Version: 1.0
References: <fcd790a2-414b-491e-01e2-9aa92f7b1c4e@nic.cz>
In-Reply-To: <fcd790a2-414b-491e-01e2-9aa92f7b1c4e@nic.cz>
From: Kevin Darcy <kevin.darcy@fcagroup.com>
Date: Thu, 7 Feb 2019 08:53:54 -0500
Message-ID: <CAAeHe+xySnrvpD4-nhi3T0qiEmz8h0ZNUE_2kie7ctq8YPGRPA@mail.gmail.com>
To: "dnsop@ietf.org" <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000f1a5c105814e2cd8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/ipwko314FenUxrdzMl5vcick9wQ>
Subject: Re: [DNSOP] RFC 1035 vs. mandatory NS at apex?
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Feb 2019 13:54:08 -0000

--000000000000f1a5c105814e2cd8
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

The "apex" terminology didn't come into vogue until later. Prior to that,
people talked about the "top" of a zone.

RFC 1034 Section 4.2.1 lays this out:

"In the data that makes up a zone, NS RRs are found at the top node of the
zone (and are authoritative)".

Admittedly "are found" doesn't sound to modern ears (or look to modern
eyes) like a mandatory requirement. That's another thing that's changed
over the years: RFC 2026 was yet to be published, which tightened up the
requirement levels and how to signal them textually. When looking at
pre-RFC-2026 RFC's, one has to exercise some judgement of whether verbiage
describing "typical" or "normal" situations is actually normative, perhaps
even mandatory..


                             - Kevin

On Thu, Feb 7, 2019 at 7:16 AM Petr Špaček <petr.spacek@nic.cz> wrote:

> Hello dnsop,
>
> here is a quiz for experienced RFC archeologists:
>
> https://tools.ietf.org/html/rfc1035#section-5.2
> section 5.2. Use of master files to define zones
> does not mention NS at apex at all, but it does explicitly mention SOA
> at apex. Can it be interpreted as if NS at apex is not mandatory?
>
> Funnily enough
> https://tools.ietf.org/html/rfc1035#section-5.3
> has an example which has NS at apex, but it is not clear from the text
> above.
>
> Is it mandatory or not? Should I submit erratum for RFC 1035?
>
> Thank you for clarification.
>
> --
> Petr Špaček  @  CZ.NIC
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>


--000000000000f1a5c105814e2cd8--
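
Added example, not part of the thread and not code from any implementation mentioned in it: a check of zone data for the SOA and the NS RRs at the top node (the RFC 1034 Section 4.2.1 text quoted above), together with the NOERROR/NODATA answer to "zone. NS" when the apex NS set is missing. The sample zones, the function names and the simplified one-record-per-line master-file parsing (no parentheses, no quoted ';') are assumptions made for the illustration.

```python
"""Zone-apex check: SOA and NS at the top node of a zone (added example)."""

CLASSES = {"IN", "CH", "HS"}

# Constructed sample zones; names and addresses are documentation values.
ZONE_WITH_NS = """\
$ORIGIN example.test.
$TTL 3600
@       IN SOA ns1 hostmaster 1 7200 3600 1209600 3600
        IN NS  ns1
        IN NS  ns2.example.net.
ns1     IN A   192.0.2.1
sub     IN NS  ns1.sub      ; delegation, not an apex NS
"""

# The same zone with the apex NS RRset left out.
ZONE_WITHOUT_NS = """\
$ORIGIN example.test.
$TTL 3600
@       IN SOA ns1 hostmaster 1 7200 3600 1209600 3600
ns1     IN A   192.0.2.1
sub     IN NS  ns1.sub
"""


def absolute(name, origin):
    """Expand '@' and relative names against the current origin."""
    if name.endswith("."):
        return name.lower()
    if origin is None:
        raise ValueError("relative name %r before any $ORIGIN" % name)
    if name == "@":
        return origin
    return (name + "." + origin.lstrip(".")).lower()


def parse_zone(text, origin=None):
    """Parse a simplified master file into (origin, [(owner, type, rdata)])."""
    records, owner = [], None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        tokens = line.split()
        if tokens[0].upper() == "$ORIGIN":
            origin = tokens[1].lower()
            continue
        if tokens[0].startswith("$"):             # $TTL etc. are not needed here
            continue
        if not raw[0].isspace():                  # a new owner name starts the line
            owner = absolute(tokens.pop(0), origin)
        while tokens and (tokens[0].isdigit() or tokens[0].upper() in CLASSES):
            tokens.pop(0)                         # optional TTL and class
        if owner is None or not tokens:
            raise ValueError("cannot parse line: %r" % raw)
        records.append((owner, tokens[0].upper(), tokens[1:]))
    return origin, records


def apex_problems(origin, records):
    """List what is missing at the top node of the zone."""
    apex_types = [rrtype for owner, rrtype, _ in records if owner == origin]
    problems = []
    if apex_types.count("SOA") != 1:
        problems.append("expected exactly one SOA at apex, found %d"
                        % apex_types.count("SOA"))
    if "NS" not in apex_types:
        problems.append("no NS RRset at apex")
    return problems


def answer_apex_ns(origin, records):
    """Answer '<origin> NS' from the zone data alone.

    An empty answer list with NOERROR is the NODATA case from the thread.
    """
    targets = sorted(absolute(rdata[0], origin)
                     for owner, rrtype, rdata in records
                     if owner == origin and rrtype == "NS")
    return ("NOERROR", targets)


if __name__ == "__main__":
    for label, text in (("with NS", ZONE_WITH_NS), ("without NS", ZONE_WITHOUT_NS)):
        origin, records = parse_zone(text)
        print(label, apex_problems(origin, records), answer_apex_ns(origin, records))
```

The delegation NS at sub.example.test. is deliberately kept in both zones: only NS records owned by the zone origin count as the apex set.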


From nobody Thu Feb  7 06:16:09 2019
Return-Path: <dot@dotat.at>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E764A126CB6 for <dnsop@ietfa.amsl.com>; Thu,  7 Feb 2019 06:16:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level: 
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pbuzHIjlTqU3 for <dnsop@ietfa.amsl.com>; Thu,  7 Feb 2019 06:16:05 -0800 (PST)
Received: from ppsw-33.csi.cam.ac.uk (ppsw-33.csi.cam.ac.uk [131.111.8.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B7BED123FFD for <dnsop@ietf.org>; Thu,  7 Feb 2019 06:16:05 -0800 (PST)
X-Cam-AntiVirus: no malware found
X-Cam-ScannerInfo: http://help.uis.cam.ac.uk/email-scanner-virus
Received: from grey.csi.cam.ac.uk ([131.111.57.57]:53886) by ppsw-33.csi.cam.ac.uk (ppsw.cam.ac.uk [131.111.8.139]:25) with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) id 1grkTC-0006j5-j2 (Exim 4.91) (return-path <dot@dotat.at>); Thu, 07 Feb 2019 14:16:02 +0000
Date: Thu, 7 Feb 2019 14:16:02 +0000
From: Tony Finch <dot@dotat.at>
To: Ted Lemon <mellon@fugue.com>
cc: =?UTF-8?Q?Petr_=C5=A0pa=C4=8Dek?= <petr.spacek@nic.cz>,  "dnsop@ietf.org" <dnsop@ietf.org>
In-Reply-To: <F821C2A2-BD6F-41D1-A2D6-3928E783614B@fugue.com>
Message-ID: <alpine.DEB.2.20.1902071407530.18720@grey.csi.cam.ac.uk>
References: <fcd790a2-414b-491e-01e2-9aa92f7b1c4e@nic.cz> <CC75C79C-E5FB-4C91-9453-103E36EDC505@fugue.com> <48a12f46-eee1-823e-a448-8f3b0d973f7d@nic.cz> <F821C2A2-BD6F-41D1-A2D6-3928E783614B@fugue.com>
User-Agent: Alpine 2.20 (DEB 67 2015-01-07)
MIME-Version: 1.0
Content-Type: multipart/mixed; BOUNDARY="1870870841-1654332391-1549548962=:18720"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/JAS6TREsOh-b2J4rEAND6cds0Og>
Subject: Re: [DNSOP] RFC 1035 vs. mandatory NS at apex?
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Feb 2019 14:16:08 -0000

--1870870841-1654332391-1549548962=:18720
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: QUOTED-PRINTABLE

Ted Lemon <mellon@fugue.com> wrote:
> On Feb 7, 2019, at 7:44 AM, Petr Špaček <petr.spacek@nic.cz> wrote:
> > When looking at it from resolver perspective, what is the resolver
> > supposed to do with query "zone. NS" if there is no authoritative NS set
> > in the zone? Return NOERROR+NODATA?
>
> It should reply with no error and no data.  But this is okay, because
> you never need to ask this question in order to resolve a name.  If you
> are looking up an NS record with intent to use it, it’s going to be in
> the parent zone, where you are looking for a delegation.

But in this scenario things soon go wrong, because RFC 2181 says the
NODATA reply replaces the delegation records in the resolver's cache. This
means that if a client explicitly asks for the NS records of a zone that
lacks them, resolution for other records in the zone will subsequently
fail.

Tony.
-- 
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
Tyne: West, backing south, 5 to 7. Slight or moderate, occasionally rough
later. Showers. Good occasionally moderate.
--1870870841-1654332391-1549548962=:18720--
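
The cache interaction described in the message above, as an added Python model that is not part of the original post and not any resolver's own code. The zone and server names, the addresses, the class names and the two-level rank (a reduced form of the RFC 2181 section 5.4.1 trust order) are constructed assumptions.

```python
from dataclasses import dataclass
from enum import IntEnum


class Rank(IntEnum):
    """Reduced RFC 2181 section 5.4.1 trust order; higher is more trusted."""
    REFERRAL = 1      # NS from the authority section of a non-authoritative reply
    AUTH_ANSWER = 2   # answer, or NODATA, from a reply with the AA bit set


@dataclass(frozen=True)
class Entry:
    rank: Rank
    rdata: tuple      # () records a cached NODATA for this name and type


class Resolver:
    """Toy iterative resolver for one delegated zone (constructed model)."""

    def __init__(self, zone, parent_ns, child_records):
        self.zone = zone
        self.parent_ns = tuple(parent_ns)   # delegation NS set held by the parent
        self.child = child_records          # what the child's servers answer with
        self.cache = {}

    def _store(self, name, rtype, rdata, rank):
        old = self.cache.get((name, rtype))
        if old is not None and old.rank > rank:
            return                          # less trusted data never overwrites
        self.cache[(name, rtype)] = Entry(rank, tuple(rdata))

    def _servers(self):
        entry = self.cache.get((self.zone, "NS"))
        if entry is None:                   # nothing cached: follow the referral
            self._store(self.zone, "NS", self.parent_ns, Rank.REFERRAL)
            entry = self.cache[(self.zone, "NS")]
        return entry.rdata

    def query(self, name, rtype):
        """Return (rcode, rdata) as a stub client would see it."""
        cached = self.cache.get((name, rtype))
        if cached is not None and cached.rank == Rank.AUTH_ANSWER:
            return ("NOERROR", cached.rdata)
        if not self._servers():
            # The authoritative NODATA for the apex NS has replaced the
            # lower-ranked delegation, so no server is known for the zone.
            return ("SERVFAIL", ())
        rdata = tuple(self.child.get((name, rtype), ()))
        self._store(name, rtype, rdata, Rank.AUTH_ANSWER)
        return ("NOERROR", rdata)


def demo(apex_ns_present):
    """Run the three-query sequence against a constructed zone."""
    zone = "example.org."
    child = {
        ("www.example.org.", "A"): ("192.0.2.10",),
        ("mail.example.org.", "A"): ("192.0.2.20",),
    }
    if apex_ns_present:
        child[(zone, "NS")] = ("ns1.example.net.",)
    r = Resolver(zone, ["ns1.example.net."], child)
    return {
        "first": r.query("www.example.org.", "A"),      # via the referral
        "apex_ns": r.query(zone, "NS"),                 # explicit NS query
        "after": r.query("mail.example.org.", "A"),     # name not yet cached
        "cached": r.query("www.example.org.", "A"),     # name already cached
        "ns_rank": r.cache[(zone, "NS")].rank,
    }


if __name__ == "__main__":
    for present in (False, True):
        print("apex NS present:", present)
        for step, result in demo(present).items():
            print("  ", step, result)
```

In this model, names already cached keep answering after the apex NS query; only lookups that need to contact the zone's servers fail.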


From nobody Thu Feb  7 06:40:31 2019
Return-Path: <mellon@fugue.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DA39C1228B7 for <dnsop@ietfa.amsl.com>; Thu,  7 Feb 2019 06:40:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0
X-Spam-Level: 
X-Spam-Status: No, score=0 tagged_above=-999 required=5 tests=[DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fugue-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xe7yNek1mAUY for <dnsop@ietfa.amsl.com>; Thu,  7 Feb 2019 06:40:28 -0800 (PST)
Received: from mail-qk1-x72d.google.com (mail-qk1-x72d.google.com [IPv6:2607:f8b0:4864:20::72d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 131011200ED for <dnsop@ietf.org>; Thu,  7 Feb 2019 06:40:27 -0800 (PST)
Received: by mail-qk1-x72d.google.com with SMTP id y16so34843qki.7 for <dnsop@ietf.org>; Thu, 07 Feb 2019 06:40:27 -0800 (PST)
X-Received: by 2002:a37:5686:: with SMTP id k128mr11074497qkb.29.1549550427054;  Thu, 07 Feb 2019 06:40:27 -0800 (PST)
Received: from [10.0.10.34] (c-73-186-137-119.hsd1.nh.comcast.net. [73.186.137.119]) by smtp.gmail.com with ESMTPSA id n68sm19761530qte.66.2019.02.07.06.40.25 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 07 Feb 2019 06:40:26 -0800 (PST)
From: Ted Lemon <mellon@fugue.com>
Message-Id: <0F4355DC-CC6C-430B-AE8E-6FB5A44FD9C8@fugue.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_E5E1B465-2501-4B6C-82B2-2DCAA8BA94CD"
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
Date: Thu, 7 Feb 2019 09:40:24 -0500
In-Reply-To: <alpine.DEB.2.20.1902071407530.18720@grey.csi.cam.ac.uk>
Cc: Petr Špaček <petr.spacek@nic.cz>, "dnsop@ietf.org" <dnsop@ietf.org>
To: Tony Finch <dot@dotat.at>
References: <fcd790a2-414b-491e-01e2-9aa92f7b1c4e@nic.cz> <CC75C79C-E5FB-4C91-9453-103E36EDC505@fugue.com> <48a12f46-eee1-823e-a448-8f3b0d973f7d@nic.cz> <F821C2A2-BD6F-41D1-A2D6-3928E783614B@fugue.com> <alpine.DEB.2.20.1902071407530.18720@grey.csi.cam.ac.uk>
X-Mailer: Apple Mail (2.3445.102.3)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/mCcArAXPe4hETOKjMs-WX3nlpOQ>
Subject: Re: [DNSOP] RFC 1035 vs. mandatory NS at apex?
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Feb 2019 14:40:30 -0000

--Apple-Mail=_E5E1B465-2501-4B6C-82B2-2DCAA8BA94CD
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8

On Feb 7, 2019, at 9:16 AM, Tony Finch <dot@dotat.at> wrote:
> But in this scenario things soon go wrong, because RFC 2181 says the
> NODATA reply replaces the delegation records in the resolver's cache. This
> means that if a client explicitly asks for the NS records of a zone that
> lacks them, resolution for other records in the zone will subsequently
> fail.

Ah, there you have it. So then it _is_ required. Kevin’s point also
points in that direction.

Is there somewhere in a later spec where this is stated explicitly, then?


--Apple-Mail=_E5E1B465-2501-4B6C-82B2-2DCAA8BA94CD--


From nobody Thu Feb  7 06:41:33 2019
Return-Path: <peter.van.dijk@powerdns.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DB996129741 for <dnsop@ietfa.amsl.com>; Thu,  7 Feb 2019 06:41:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.299
X-Spam-Level: 
X-Spam-Status: No, score=-2.299 tagged_above=-999 required=5 tests=[RCVD_IN_DNSWL_MED=-2.3, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CWpU4BLxxHm4 for <dnsop@ietfa.amsl.com>; Thu,  7 Feb 2019 06:41:06 -0800 (PST)
Received: from mx4.open-xchange.com (alcatraz.open-xchange.com [87.191.39.187]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7D3C612D827 for <dnsop@ietf.org>; Thu,  7 Feb 2019 06:41:06 -0800 (PST)
Received: from open-xchange.com (unknown [10.20.30.10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx4.open-xchange.com (Postfix) with ESMTPS id D208C6A24B; Thu,  7 Feb 2019 15:41:04 +0100 (CET)
Received: from [10.242.2.79] (unknown [10.242.2.79]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by open-xchange.com (Postfix) with ESMTPSA id 8F61B3C0B4B; Thu,  7 Feb 2019 15:41:04 +0100 (CET)
From: "Peter van Dijk" <peter.van.dijk@powerdns.com>
To: dnsop <dnsop@ietf.org>
Date: Thu, 07 Feb 2019 15:41:04 +0100
X-Mailer: MailMate (1.12.4r5594)
Message-ID: <3B046CC4-B67E-4960-9950-527169060AFD@powerdns.com>
In-Reply-To: <20190206080832.GA14062@jurassic.lan.banu.com>
References: <BCACF554-8BE6-49BC-B75A-BCED776F5189@NLnetLabs.nl> <20190206080832.GA14062@jurassic.lan.banu.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/x7ePfBPF1HTWIfD83O0QxYrLX24>
Subject: Re: [DNSOP] Call for Adoption: draft-song-atr-large-resp
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Feb 2019 14:41:25 -0000

On 6 Feb 2019, at 9:08, Mukund Sivaraman wrote:

> Considering that the method is implementable without any changes at a
> resolver, and that it doesn't require compatible behavior among DNS
> implementations ("protocol" or best practice), I suppose it does not
> matter if this draft is adopted or not as long as the idea has been
> described somewhere.

While it can be implemented on an auth without changes to resolvers, 
doing that would severely impact operation of all resolvers.

I think it’s important to repeat that not only do I oppose adoption - 
any implementation, no matter the status of the document, will be 
*actively harmful to the DNS at large*. Please do not implement this.

Kind regards,
-- 
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/


From nobody Thu Feb  7 07:06:17 2019
Return-Path: <petr.spacek@nic.cz>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 70BB71200ED for <dnsop@ietfa.amsl.com>; Thu,  7 Feb 2019 07:06:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.994
X-Spam-Level: 
X-Spam-Status: No, score=-4.994 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FROM_EXCESS_BASE64=0.105, RCVD_IN_DNSWL_HI=-5, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nic.cz
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Fs7CuzhScRnP for <dnsop@ietfa.amsl.com>; Thu,  7 Feb 2019 07:06:13 -0800 (PST)
Received: from mail.nic.cz (mail.nic.cz [IPv6:2001:1488:800:400::400]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 090671271FF for <dnsop@ietf.org>; Thu,  7 Feb 2019 07:06:08 -0800 (PST)
Received: from pc-cznic19.fit.vutbr.cz (unknown [IPv6:2001:67c:1220:80c:2198:e685:86e1:b423]) by mail.nic.cz (Postfix) with ESMTPSA id F3C1762F8D; Thu,  7 Feb 2019 16:06:05 +0100 (CET)
To: Tony Finch <dot@dotat.at>, Kevin Darcy <kevin.darcy@fcagroup.com>
References: <fcd790a2-414b-491e-01e2-9aa92f7b1c4e@nic.cz> <CAAeHe+xySnrvpD4-nhi3T0qiEmz8h0ZNUE_2kie7ctq8YPGRPA@mail.gmail.com>
Cc: dnsop@ietf.org
From: Petr Špaček <petr.spacek@nic.cz>
Openpgp: preference=signencrypt
Organization: CZ.NIC
Message-ID: <56839e19-afe9-df4b-d432-09a949cc658c@nic.cz>
Date: Thu, 7 Feb 2019 16:06:16 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.4.0
MIME-Version: 1.0
In-Reply-To: <CAAeHe+xySnrvpD4-nhi3T0qiEmz8h0ZNUE_2kie7ctq8YPGRPA@mail.gmail.com>
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 8bit
X-Virus-Scanned: clamav-milter 0.99.2 at mail
X-Virus-Status: Clean
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/obMnGfwFFkoSMhjCDQ7mu6WKF1c>
Subject: Re: [DNSOP] RFC 1035 vs. mandatory NS at apex?
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Feb 2019 15:06:15 -0000

Thank you Kevin and Tony!

We (as developers in our office) all have had a gut feeling that NS is
mandatory but we could not find it in the RFCs.

Thank you for your time!
Petr Špaček  @  CZ.NIC


On 07. 02. 19 14:53, Kevin Darcy wrote:
> The "apex" terminology didn't come into vogue until later. Prior to
> that, people talked about the "top" of a zone.
> 
> RFC 1034 Section 4.2.1 lays this out:
> 
> "In the data that makes up a zone, NS RRs are found at the top node of
> the zone (and are authoritative)".
> 
> Admittedly "are found" doesn't sound to modern ears (or look to modern
> eyes) like a mandatory requirement. That's another thing that's changed
> over the years: RFC 2026 was yet to be published, which tightened up the
> requirement levels and how to signal them textually. When looking at
> pre-RFC-2026 RFC's, one has to exercise some judgement of whether
> verbiage describing "typical" or "normal" situations is actually
> normative, perhaps even mandatory..
> 
>         - Kevin
> 
> On Thu, Feb 7, 2019 at 7:16 AM Petr Špaček <petr.spacek@nic.cz
> <mailto:petr.spacek@nic.cz>> wrote:
> 
>     Hello dnsop,
> 
>     here is a quiz for experienced RFC archeologists:
> 
>     https://tools.ietf.org/html/rfc1035#section-5.2
>     section 5.2. Use of master files to define zones
>     does not mention NS at apex at all, but it does explicitly mention SOA
>     at apex. Can it be interpreted as if NS at apex is not mandatory?
> 
>     Funnily enough
>     https://tools.ietf.org/html/rfc1035#section-5.3
>     has an example which has NS at apex, but it is not clear from the
>     text above..
> 
>     Is it mandatory or not? Should I submit erratum for RFC 1035?
> 
>     Thank you for clarification.
> 
>     -- 
>     Petr Špaček  @  CZ.NIC


From nobody Thu Feb  7 07:35:40 2019
Return-Path: <mellon@fugue.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 404121271FF for <dnsop@ietfa.amsl.com>; Thu,  7 Feb 2019 07:35:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0
X-Spam-Level: 
X-Spam-Status: No, score=0 tagged_above=-999 required=5 tests=[DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fugue-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Xdvm1LAbm2Kg for <dnsop@ietfa.amsl.com>; Thu,  7 Feb 2019 07:35:36 -0800 (PST)
Received: from mail-qt1-x82f.google.com (mail-qt1-x82f.google.com [IPv6:2607:f8b0:4864:20::82f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4BF2E126D00 for <dnsop@ietf.org>; Thu,  7 Feb 2019 07:35:36 -0800 (PST)
Received: by mail-qt1-x82f.google.com with SMTP id 2so304189qtb.5 for <dnsop@ietf.org>; Thu, 07 Feb 2019 07:35:36 -0800 (PST)
X-Received: by 2002:a0c:e189:: with SMTP id p9mr12295727qvl.68.1549553735201;  Thu, 07 Feb 2019 07:35:35 -0800 (PST)
Received: from [10.0.10.34] (c-73-186-137-119.hsd1.ma.comcast.net. [73.186.137.119]) by smtp.gmail.com with ESMTPSA id h14sm7946002qkk.61.2019.02.07.07.35.34 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 07 Feb 2019 07:35:34 -0800 (PST)
From: Ted Lemon <mellon@fugue.com>
Message-Id: <06E02AB3-5E3B-4E1F-9B23-BB0810F73B66@fugue.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_BFC4FDE6-2C52-459B-96B5-E62DA2FC35E1"
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
Date: Thu, 7 Feb 2019 10:35:32 -0500
In-Reply-To: <56839e19-afe9-df4b-d432-09a949cc658c@nic.cz>
Cc: Tony Finch <dot@dotat.at>, Kevin Darcy <kevin.darcy@fcagroup.com>, dnsop@ietf.org
To: Petr Špaček <petr.spacek@nic.cz>
References: <fcd790a2-414b-491e-01e2-9aa92f7b1c4e@nic.cz> <CAAeHe+xySnrvpD4-nhi3T0qiEmz8h0ZNUE_2kie7ctq8YPGRPA@mail.gmail.com> <56839e19-afe9-df4b-d432-09a949cc658c@nic.cz>
X-Mailer: Apple Mail (2.3445.102.3)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/K8GR_7QUDxaZ6otnZGDgfq7GVmM>
Subject: Re: [DNSOP] RFC 1035 vs. mandatory NS at apex?
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Feb 2019 15:35:38 -0000

--Apple-Mail=_BFC4FDE6-2C52-459B-96B5-E62DA2FC35E1
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8

On Feb 7, 2019, at 10:06 AM, Petr Špaček <petr.spacek@nic.cz> wrote:
> We (as developers in our office) all have had a gut feeling that NS is
> mandatory but we could not find it in the RFCs.

I hate to say it, but we should really make sure that this is actually
stated somewhere where it can reasonably be found. If it is not, we
should state it. Petr was completely sensible to think it was the case
but not be sure. Saying that it is the case, and why it is the case,
would be helpful. This is something that I hadn’t really thought through
before Petr asked the question, but I’d been wondering about it too
because the question comes up in the DNSSD Discovery Proxy code I’m
working on (I assumed the answer was yes).


--Apple-Mail=_BFC4FDE6-2C52-459B-96B5-E62DA2FC35E1--


From nobody Thu Feb  7 07:46:57 2019
Return-Path: <petr.spacek@nic.cz>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CE4B21293B1 for <dnsop@ietfa.amsl.com>; Thu,  7 Feb 2019 07:46:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.994
X-Spam-Level: 
X-Spam-Status: No, score=-4.994 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FROM_EXCESS_BASE64=0.105, RCVD_IN_DNSWL_HI=-5, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nic.cz
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jU5ue0WysllU for <dnsop@ietfa.amsl.com>; Thu,  7 Feb 2019 07:46:53 -0800 (PST)
Received: from mail.nic.cz (mail.nic.cz [217.31.204.67]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BABF9126D00 for <dnsop@ietf.org>; Thu,  7 Feb 2019 07:46:52 -0800 (PST)
Received: from pc-cznic19.fit.vutbr.cz (unknown [IPv6:2001:67c:1220:80c:2198:e685:86e1:b423]) by mail.nic.cz (Postfix) with ESMTPSA id 0C19662FB2 for <dnsop@ietf.org>; Thu,  7 Feb 2019 16:46:51 +0100 (CET)
To: dnsop@ietf.org
References: <154689301066.32204.17312124670782800354@ietfa.amsl.com> <ybl1s5nxgau.fsf@w7.hardakers.net>
From: =?UTF-8?B?UGV0ciDFoHBhxI1law==?= <petr.spacek@nic.cz>
Openpgp: preference=signencrypt
Organization: CZ.NIC
Message-ID: <3c2ef704-148f-ed03-26a9-8ea29256acc2@nic.cz>
Date: Thu, 7 Feb 2019 16:47:01 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.4.0
MIME-Version: 1.0
In-Reply-To: <ybl1s5nxgau.fsf@w7.hardakers.net>
Content-Type: text/plain; charset=utf-8
Content-Language: cs
Content-Transfer-Encoding: 8bit
X-Virus-Scanned: clamav-milter 0.99.2 at mail
X-Virus-Status: Clean
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/JHYQunp0L7C_vUcBb9fOi22QfpI>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-extended-error-04.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Feb 2019 15:46:56 -0000

On 08. 01. 19 17:30, Wes Hardaker wrote:
> internet-drafts@ietf.org writes:
> 
>>         Title           : Extended DNS Errors
>> 	Filename        : draft-ietf-dnsop-extended-error-04.txt
> 
> FYI, updates from 03 to 04 include:
> 
> 1. moving the unsupported algorithm codes to "NOERROR"
> 2. changing the text encoding to UTF-8 (was ASCII)
> 
> The authors know of no more outstanding issues.  Time for LCv2?

Hello and sorry for being late,

first of all I believe this is useful and support the work, but it still
needs more work *and implementation experience* before going to LC.

Here are a couple of specific changes to version 04.

--- Minor changes/clarifications ---

> 2.  Extended Error EDNS0 option format
>    o  The RESERVED bits, 15 bits: these bits are reserved for future
>       use, potentially as additional flags.  The RESERVED bits MUST be
>       set to 0 by the sender and SHOULD be ignored by the receiver.
IMHO "SHOULD be ignored" is asking for trouble. We just went through DNS
flag day to clean up implementations which insisted on some fields being
zero. Can we please use this instead?
      set to 0 by the sender and MUST be ignored by the receiver.


> 3.  Use of the Extended DNS Error option
>    The Extended DNS Error (EDE) is an EDNS option.  It can be included
>    in any response (SERVFAIL, NXDOMAIN, REFUSED, etc) to a query that
>    includes an EDNS option.
Why "EDNS option" (at very end of the sentence) and not "OPT Pseudo-RR"?
AFAIK it is perfectly fine to send EDNS0 OPT without any options inside.
Proposed text (only the last line was changed):
   The Extended DNS Error (EDE) is an EDNS option.  It can be included
   in any response (SERVFAIL, NXDOMAIN, REFUSED, etc) to a query that
   includes OPT Pseudo-RR [RFC 6891].


> 3.2.  The RESPONSE-CODE field
>    This 4-bit value SHOULD be a copy of the RCODE from the primary DNS
>    packet.  Multiple EDNS0/EDE records may be included in the response.
>    When including multiple EDNS0/EDE records in a response in order to
>    provide additional error information, other RESPONSE-CODEs MAY use a
>    different RCODE.
This paragraph worries me for multiple reasons:
0) Terminology: EDE is an EDNS option, not record!
a) If I am an implementer, in what cases might I want to go against
"4-bit value SHOULD be a copy of the RCODE"?
b) Terminology: Where is a definition of "primary DNS packet"?
c) When I read this now, many months after the initial draft, I have
trouble understanding the logic of why we are duplicating RCODE here. There
might be good reasons but we need to state them explicitly otherwise
it will get ignored (or misunderstood).

Unfortunately I have trouble understanding the intent behind this
description so I'm not able to draft a better text.


> 4.1.1.  NOERROR Extended DNS Error Code 1 - Unsupported DNSKEY Algorithm
> 
>    The resolver attempted to perform DNSSEC validation, but a DNSKEY
>    RRSET contained only unknown algorithms.  The R flag should be set.
> 
> 4.1.2.  NOERROR Extended DNS Error Code 2 - Unsupported DS Algorithm
> 
>    The resolver attempted to perform DNSSEC validation, but a DS RRSET
>    contained only unknown algorithms.  The R flag should be set.

Why R flag? This is not an error, resolution succeeded, and there is
nothing to retry. I propose changing both cases to
"The R flag should not be set."

> 4.2.2.  SERVFAIL Extended DNS Error Code 2 - DNSSEC Indeterminate
> 
>    The resolver attempted to perform DNSSEC validation, but validation
>    ended in the Indeterminate state.  The R flag should not be set.

This should be in NOERROR category.

AFAIK Indeterminate state is not an error, it is most likely a
configuration choice on the resolver. E.g. DNSSEC-validating resolver
running without any trust anchor is in Indeterminate state.



--- New code points ---

I propose to add a couple more codes:

+ SERVFAIL Extended DNS Error Code 8 - NSEC Missing
   The resolver attempted to perform DNSSEC validation, but the
   requested data were missing and covering NSEC was not provided.
   RETRY=0

+ SERVFAIL Extended DNS Error Code 9 - Cached Error
   The resolver has cached SERVFAIL for this query.
   RETRY=1
Often the SERVFAIL comes from cache which is unlikely to contain
specific error details, but it is still useful to distinguish "proper"
cached SERVFAIL from other weird errors like running out of file
descriptors etc. Info text could contain remaining TTL ...

+ SERVFAIL Extended DNS Error Code 10 - Server Not Ready
    Server is not up and running (yet). RETRY=1

+ NOTIMP Extended DNS Error Code 1 - Deprecated
Requested operation or query is not supported because it was deprecated.
Retrying request elsewhere is unlikely to yield any other results.
RETRY=0
Intended use:
- OPCODE=IQUERY
- OPCODE=QUERY QTYPE={ANY, RRSIG, MAILA, MAILB} etc.



--- More adventurous proposals ---
a) Two more bits to implement "advice for user" (longer explanation can
be found in archives
https://mailarchive.ietf.org/arch/msg/dnsop/b3wtVj_aWm24PXyHr1M9NMj3LJ0)

I believe this will make the draft way more useful for everyone and not
just geeks.

Proposed addition to text:

> 2.  Extended Error EDNS0 option format
      +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
   4: | R | N | F |                  RESERVED                         |
      +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+

   o  The NEAR flag, 1 bit; the NEAR bit (N) indicates a flag defined
      for use in this specification.
   o  The FAR flag, 1 bit; the FAR bit (F) indicates a flag defined
      for use in this specification.

> 3.  Use of the Extended DNS Error option

3.2.  The N (Near) flag
   The N (Near) flag indicates that the error reported is likely caused
   by conditions "near" the sender. Value 1 is a hint for user interface
   that user should contact administrator responsible for local DNS.

   For example, a DNS resolver running on CPE will set N=1 in its
   error responses if it detects that all queries to upstream DNS
   resolver timed out. This likely indicates a link problem and must be
   fixed locally.

   Another example is a DNSSEC-validator which detects that query
   ". IN NS" fails DNSSEC validation because signature is expired
   or not yet valid. This most likely indicates misconfigured system
   time and needs to be investigated and fixed locally.


3.3. The F (Far) flag
   The F (Far) flag indicates that the error reported is likely caused
   by conditions on the "far" end, i.e. typically authoritative side or
   upstream forwarder. Value 1 is a hint for user interface to display
   message suggesting user to contact operator of the "far end" because
   it is unlikely that local operator can fix the problem.

   For example, a DNS resolver might set F=1 if all authoritative
   servers for a given domain are lame.



b) Another thing to consider is adding optional TTL value to EDE option.
E.g. there is no point in retrying the query again and again until bogus
response is cached. It is much better to display error message "try
again in 10 seconds, if the problem persists call X" than just "try again".


What do you think?

-- 
Petr Špaček  @  CZ.NIC
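
An added example, not part of the message above and not code from the draft or from any implementation: a receiver that decodes the flags word at offset 4 with the proposed N and F bits and ignores the remaining RESERVED bits, with a strict mode showing the rejection the message argues against. The option code 65001 (local/experimental range), the 12-bit INFO-CODE width, the UTF-8 text following offset 8, the handling of N=F=1, and all function names are assumptions.

```python
import struct
from dataclasses import dataclass

# Assumption: placeholder code from the EDNS local/experimental range
# (RFC 6891); the page does not give the draft's option code.
EDE_OPTION_CODE = 65001

FLAG_R = 0x8000         # Retry flag, bit 0 of the word at offset 4 (draft text)
FLAG_N = 0x4000         # Near flag, bit 1 (proposed in the message)
FLAG_F = 0x2000         # Far flag, bit 2 (proposed in the message)
RESERVED_MASK = 0x1FFF  # the 13 bits left over after R, N and F


@dataclass
class ExtendedError:
    retry: bool
    near: bool
    far: bool
    response_code: int  # 4-bit copy of the RCODE
    info_code: int      # assumed to be 12 bits wide
    extra_text: str


def build_ede(flags, response_code, info_code, text):
    """Encode an option; used here only to construct sample input."""
    body = struct.pack("!HH", flags, (response_code << 12) | info_code)
    body += text.encode("utf-8")
    return struct.pack("!HH", EDE_OPTION_CODE, len(body)) + body


def parse_ede(option, strict_reserved=False):
    """Decode one option, OPTION-CODE and OPTION-LENGTH header included."""
    if len(option) < 8:
        raise ValueError("truncated EDE option")
    code, length, flags, codes = struct.unpack("!HHHH", option[:8])
    if code != EDE_OPTION_CODE:
        raise ValueError("not an EDE option")
    if length != len(option) - 4:
        raise ValueError("OPTION-LENGTH does not match the option data")
    if strict_reserved and flags & RESERVED_MASK:
        # The receiver behaviour the message argues against: a future sender
        # that assigns one of these bits would be rejected outright.
        raise ValueError("reserved bits set")
    # The text comes from an untrusted server and may end up in a UI or a
    # log: decode leniently and replace control characters.
    text = option[8:].decode("utf-8", errors="replace")
    text = "".join(ch if ch.isprintable() else "?" for ch in text)
    return ExtendedError(
        retry=bool(flags & FLAG_R),
        near=bool(flags & FLAG_N),
        far=bool(flags & FLAG_F),
        response_code=codes >> 12,
        info_code=codes & 0x0FFF,
        extra_text=text,
    )


def user_hint(ede):
    """Turn the flags into the advice the N and F descriptions call for."""
    if ede.near and not ede.far:
        who = "contact the administrator responsible for local DNS"
    elif ede.far and not ede.near:
        who = "contact the operator of the far end"
    else:
        # Assumption: the proposal does not say what N=F=1 means, so
        # neither bit or both bits set yields no specific contact.
        who = "no specific contact suggested"
    action = "retrying may help" if ede.retry else "retrying is unlikely to help"
    return f"{who}; {action}"


# Constructed sample: SERVFAIL (RCODE 2) with the proposed code 9 "Cached
# Error", R=1, F=1, plus one reserved bit set as a future sender might do.
SAMPLE = build_ede(FLAG_R | FLAG_F | 0x0001, 2, 9, "cached SERVFAIL\nTTL 10")

if __name__ == "__main__":
    print(user_hint(parse_ede(SAMPLE)))
    try:
        parse_ede(SAMPLE, strict_reserved=True)
    except ValueError as err:
        print("strict receiver:", err)
```
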


From nobody Thu Feb  7 07:48:35 2019
Return-Path: <rharolde@umich.edu>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 717B71279E6 for <dnsop@ietfa.amsl.com>; Thu,  7 Feb 2019 07:48:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.099
X-Spam-Level: 
X-Spam-Status: No, score=-0.099 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=umich.edu
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VNK72Lgi2u1O for <dnsop@ietfa.amsl.com>; Thu,  7 Feb 2019 07:48:32 -0800 (PST)
Received: from mail-lj1-x229.google.com (mail-lj1-x229.google.com [IPv6:2a00:1450:4864:20::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 56DF9126D00 for <dnsop@ietf.org>; Thu,  7 Feb 2019 07:48:32 -0800 (PST)
Received: by mail-lj1-x229.google.com with SMTP id z25-v6so259147ljk.7 for <dnsop@ietf.org>; Thu, 07 Feb 2019 07:48:32 -0800 (PST)
X-Received: by 2002:a2e:84ca:: with SMTP id q10-v6mr10403618ljh.65.1549554510442;  Thu, 07 Feb 2019 07:48:30 -0800 (PST)
MIME-Version: 1.0
References: <fcd790a2-414b-491e-01e2-9aa92f7b1c4e@nic.cz> <CAAeHe+xySnrvpD4-nhi3T0qiEmz8h0ZNUE_2kie7ctq8YPGRPA@mail.gmail.com> <56839e19-afe9-df4b-d432-09a949cc658c@nic.cz> <06E02AB3-5E3B-4E1F-9B23-BB0810F73B66@fugue.com>
In-Reply-To: <06E02AB3-5E3B-4E1F-9B23-BB0810F73B66@fugue.com>
From: Bob Harold <rharolde@umich.edu>
Date: Thu, 7 Feb 2019 10:48:19 -0500
Message-ID: <CA+nkc8BLA1wVSQ6DEbM7py98Rq94P-=XJtEBzcJAD9LOucN2Ew@mail.gmail.com>
To: Ted Lemon <mellon@fugue.com>
Cc: =?UTF-8?B?UGV0ciDFoHBhxI1law==?= <petr.spacek@nic.cz>,  Tony Finch <dot@dotat.at>, IETF DNSOP WG <dnsop@ietf.org>, Kevin Darcy <kevin.darcy@fcagroup.com>
Content-Type: multipart/alternative; boundary="00000000000027bbac05814fc63c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/HQrn96LWGgTYdGWXT5HE8iLx8w0>
Subject: Re: [DNSOP] RFC 1035 vs. mandatory NS at apex?
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Feb 2019 15:48:34 -0000

--00000000000027bbac05814fc63c
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

On Thu, Feb 7, 2019 at 10:35 AM Ted Lemon <mellon@fugue.com> wrote:

> On Feb 7, 2019, at 10:06 AM, Petr Špaček <petr.spacek@nic.cz> wrote:
>
> We (as developers in our office) all have had gut feeling that NS is
> mandatory but we could not find it in the RFCs.
>
>
> I hate to say it, but we should really make sure that this is actually
> stated somewhere where it can reasonably be found.   If it is not, we
> should state it.   Petr was completely sensible to think it was the case
> but not be sure.   Saying that it is the case, and why it is the case,
> would be helpful.   This is something that I hadn’t really thought through
> before Petr asked the question, but I’d been wondering about it too because
> the question comes up in the DNSSD Discovery Proxy code I’m working on (I
> assumed the answer was yes).
>

If we write it down, perhaps we should also mention that other things that
answer DNS queries, like load balancers, should also return proper SOA and
NS records, not just A and AAAA records,  for the same reasons.

-- 
Bob Harold

--00000000000027bbac05814fc63c--


From nobody Thu Feb  7 07:55:20 2019
Return-Path: <mellon@fugue.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C7FAC126D00 for <dnsop@ietfa.amsl.com>; Thu,  7 Feb 2019 07:55:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0
X-Spam-Level: 
X-Spam-Status: No, score=0 tagged_above=-999 required=5 tests=[DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fugue-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id r06v870r4Fhk for <dnsop@ietfa.amsl.com>; Thu,  7 Feb 2019 07:55:15 -0800 (PST)
Received: from mail-qt1-x831.google.com (mail-qt1-x831.google.com [IPv6:2607:f8b0:4864:20::831]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 095BB12008F for <dnsop@ietf.org>; Thu,  7 Feb 2019 07:55:15 -0800 (PST)
Received: by mail-qt1-x831.google.com with SMTP id y4so338253qtc.10 for <dnsop@ietf.org>; Thu, 07 Feb 2019 07:55:14 -0800 (PST)
X-Received: by 2002:ac8:27ec:: with SMTP id x41mr12642913qtx.49.1549554913928;  Thu, 07 Feb 2019 07:55:13 -0800 (PST)
Received: from [10.0.10.34] (c-73-186-137-119.hsd1.ma.comcast.net. [73.186.137.119]) by smtp.gmail.com with ESMTPSA id d51sm6318118qtd.35.2019.02.07.07.55.12 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 07 Feb 2019 07:55:13 -0800 (PST)
From: Ted Lemon <mellon@fugue.com>
Message-Id: <020C8BBA-8729-48E7-B893-1C2594D2186A@fugue.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_B454ADD6-78D1-4CA5-844D-E1DFF2E57D6B"
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
Date: Thu, 7 Feb 2019 10:55:11 -0500
In-Reply-To: <CA+nkc8BLA1wVSQ6DEbM7py98Rq94P-=XJtEBzcJAD9LOucN2Ew@mail.gmail.com>
Cc: =?utf-8?B?UGV0ciDFoHBhxI1law==?= <petr.spacek@nic.cz>, Tony Finch <dot@dotat.at>, IETF DNSOP WG <dnsop@ietf.org>, Kevin Darcy <kevin.darcy@fcagroup.com>
To: Bob Harold <rharolde@umich.edu>
References: <fcd790a2-414b-491e-01e2-9aa92f7b1c4e@nic.cz> <CAAeHe+xySnrvpD4-nhi3T0qiEmz8h0ZNUE_2kie7ctq8YPGRPA@mail.gmail.com> <56839e19-afe9-df4b-d432-09a949cc658c@nic.cz> <06E02AB3-5E3B-4E1F-9B23-BB0810F73B66@fugue.com> <CA+nkc8BLA1wVSQ6DEbM7py98Rq94P-=XJtEBzcJAD9LOucN2Ew@mail.gmail.com>
X-Mailer: Apple Mail (2.3445.102.3)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/OtwG6Tecoi2FFq4KDCHXq30BELE>
Subject: Re: [DNSOP] RFC 1035 vs. mandatory NS at apex?
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Feb 2019 15:55:17 -0000

--Apple-Mail=_B454ADD6-78D1-4CA5-844D-E1DFF2E57D6B
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=us-ascii

On Feb 7, 2019, at 10:48 AM, Bob Harold <rharolde@umich.edu> wrote:
> If we write it down, perhaps we should also mention that other things
> that answer DNS queries, like load balancers, should also return proper
> SOA and NS records, not just A and AAAA records,  for the same reasons.

Are they currently returning no error/no data?



--Apple-Mail=_B454ADD6-78D1-4CA5-844D-E1DFF2E57D6B--


From nobody Thu Feb  7 08:04:02 2019
Return-Path: <muks@mukund.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DE85E12008F for <dnsop@ietfa.amsl.com>; Thu,  7 Feb 2019 08:03:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.001
X-Spam-Level: 
X-Spam-Status: No, score=-0.001 tagged_above=-999 required=5 tests=[SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EZXa0iX5rJJ7 for <dnsop@ietfa.amsl.com>; Thu,  7 Feb 2019 08:03:57 -0800 (PST)
Received: from mail.banu.com (mail.banu.com [IPv6:2a01:4f8:151:2016::99]) by ietfa.amsl.com (Postfix) with ESMTP id 735B41228B7 for <dnsop@ietf.org>; Thu,  7 Feb 2019 08:03:57 -0800 (PST)
Received: from jurassic.lan.banu.com (unknown [27.5.235.215]) (using TLSv1.2 with cipher ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits)) (No client certificate requested) by mail.banu.com (Postfix) with ESMTPSA id 738365A40C3C; Thu,  7 Feb 2019 16:03:54 +0000 (GMT)
Date: Thu, 7 Feb 2019 21:33:50 +0530
From: Mukund Sivaraman <muks@mukund.org>
To: Ted Lemon <mellon@fugue.com>
Cc: Tony Finch <dot@dotat.at>, "dnsop@ietf.org" <dnsop@ietf.org>
Message-ID: <20190207160350.GA25708@jurassic.lan.banu.com>
References: <fcd790a2-414b-491e-01e2-9aa92f7b1c4e@nic.cz> <CC75C79C-E5FB-4C91-9453-103E36EDC505@fugue.com> <48a12f46-eee1-823e-a448-8f3b0d973f7d@nic.cz> <F821C2A2-BD6F-41D1-A2D6-3928E783614B@fugue.com> <alpine.DEB.2.20.1902071407530.18720@grey.csi.cam.ac.uk> <0F4355DC-CC6C-430B-AE8E-6FB5A44FD9C8@fugue.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <0F4355DC-CC6C-430B-AE8E-6FB5A44FD9C8@fugue.com>
User-Agent: Mutt/1.10.1 (2018-07-13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/lnW3tg6ECP6H6any_bJ4SYAiEWQ>
Subject: Re: [DNSOP] RFC 1035 vs. mandatory NS at apex?
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Feb 2019 16:04:00 -0000

On Thu, Feb 07, 2019 at 09:40:24AM -0500, Ted Lemon wrote:
> On Feb 7, 2019, at 9:16 AM, Tony Finch <dot@dotat.at> wrote:
> > But in this scenario things soon go wrong, because RFC 2181 says the
> > NODATA reply replaces the delegation records in the resolver's cache. This
> > means that if a client explicitly asks for the NS records of a zone that
> > lacks them, resolution for other records in the zone will subsequently
> > fail.
> 
> Ah, there you have it.  So then it _is_ required.  Kevin’s point also
> points in that direction.
> 
> Is there somewhere in a later spec where this is stated explicitly, then?

Though RFC 1034/1035 are a point for DNS that obsoleted some preceding
RFCs and other documentation and they are quite comprehensive, there are
things that they have missed. Something that comes to mind is the
definition of hostnames. Remember that DNS evolved to RFC 1034/1035. It
didn't begin there, so if something is not clear, there are documents
preceding it which may be obsolete but can contain useful information
and justification.

For this topic of NS at apex, there is some mention of it in RFC 883:

      Note that there is one special case that requires consideration
      when a name server is implemented.  A node that contains a SOA RR
      denoting a start of zone will also have NS records that identify
      the name servers that are expected to have a copy of the zone.

(The word "will" cannot be strictly assumed to have RFC 2119 meaning,
 but it's clear that it's expected.)

There's mention of it in RFC 882 where it says an NS record is necessary
because an authority for the zone is expected to answer for a query for
NS information of the zone.

If all else fails in explaining something, there's also the old saying -
"Do what BIND does". :-)

		Mukund


From nobody Thu Feb  7 08:05:41 2019
Return-Path: <petr.spacek@nic.cz>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C2D4E129619 for <dnsop@ietfa.amsl.com>; Thu,  7 Feb 2019 08:05:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.994
X-Spam-Level: 
X-Spam-Status: No, score=-4.994 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FROM_EXCESS_BASE64=0.105, RCVD_IN_DNSWL_HI=-5, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nic.cz
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PwlEcrWkl-QC for <dnsop@ietfa.amsl.com>; Thu,  7 Feb 2019 08:05:29 -0800 (PST)
Received: from mail.nic.cz (mail.nic.cz [IPv6:2001:1488:800:400::400]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 09CD012008F for <dnsop@ietf.org>; Thu,  7 Feb 2019 08:05:29 -0800 (PST)
Received: from pc-cznic19.fit.vutbr.cz (unknown [IPv6:2001:67c:1220:80c:2198:e685:86e1:b423]) by mail.nic.cz (Postfix) with ESMTPSA id 082FB633BA; Thu,  7 Feb 2019 17:05:27 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=nic.cz; s=default; t=1549555527; bh=vu4C+Ys5ciM13BTBLvW+SsbZhyfCpMc0/Ys3kp3kMCc=; h=To:From:Date; b=ZgnidfvbDBHwskYmBGCsCFjajBxOza8x0iWExeXPUHxzF+DaC7TY0TCFAAnrXIbuw fzF0SX+0IUN7MJF8JZ3zZX6iJdfqgAhXAPA8vRFSUovfRRQwssvu3A97x3Kn5ZFFwk YHGxXCLs/xgxUvqwHtXlMeO8xEvCx3sPmyDTDGoo=
To: Bob Harold <rharolde@umich.edu>, Ted Lemon <mellon@fugue.com>
Cc: Tony Finch <dot@dotat.at>, IETF DNSOP WG <dnsop@ietf.org>, Kevin Darcy <kevin.darcy@fcagroup.com>
References: <fcd790a2-414b-491e-01e2-9aa92f7b1c4e@nic.cz> <CAAeHe+xySnrvpD4-nhi3T0qiEmz8h0ZNUE_2kie7ctq8YPGRPA@mail.gmail.com> <56839e19-afe9-df4b-d432-09a949cc658c@nic.cz> <06E02AB3-5E3B-4E1F-9B23-BB0810F73B66@fugue.com> <CA+nkc8BLA1wVSQ6DEbM7py98Rq94P-=XJtEBzcJAD9LOucN2Ew@mail.gmail.com>
From: =?UTF-8?B?UGV0ciDFoHBhxI1law==?= <petr.spacek@nic.cz>
Openpgp: preference=signencrypt
Organization: CZ.NIC
Message-ID: <8a7a70e4-7214-c127-8542-0131bbc823bc@nic.cz>
Date: Thu, 7 Feb 2019 17:05:37 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.4.0
MIME-Version: 1.0
In-Reply-To: <CA+nkc8BLA1wVSQ6DEbM7py98Rq94P-=XJtEBzcJAD9LOucN2Ew@mail.gmail.com>
Content-Type: text/plain; charset=utf-8
Content-Language: cs
Content-Transfer-Encoding: 8bit
X-Virus-Scanned: clamav-milter 0.99.2 at mail
X-Virus-Status: Clean
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/SRe_2R1PW-9p09ZYsje5TI9EX2I>
Subject: Re: [DNSOP] RFC 1035 vs. mandatory NS at apex?
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Feb 2019 16:05:34 -0000

On 07. 02. 19 16:48, Bob Harold wrote:
> 
> On Thu, Feb 7, 2019 at 10:35 AM Ted Lemon <mellon@fugue.com
> <mailto:mellon@fugue.com>> wrote:
> 
>     On Feb 7, 2019, at 10:06 AM, Petr Špaček <petr.spacek@nic.cz
>     <mailto:petr.spacek@nic.cz>> wrote:
>>     We (as developers in our office) all have had gut feeling that NS is
>>     mandatory but we could not find it in the RFCs.
> 
>     I hate to say it, but we should really make sure that this is
>     actually stated somewhere where it can reasonably be found.  If it
>     is not, we should state it.  Petr was completely sensible to think
>     it was the case but not be sure.  Saying that it is the case, and
>     why it is the case, would be helpful.  This is something that I
>     hadn’t really thought through before Petr asked the question, but
>     I’d been wondering about it too because the question comes up in the
>     DNSSD Discovery Proxy code I’m working on (I assumed the answer was
>     yes).
> 
> 
> If we write it down, perhaps we should also mention that other things
> that answer DNS queries, like load balancers, should also return proper
> SOA and NS records, not just A and AAAA records, for the same reasons.

Let's start with this:


-------- Forwarded Message --------
Subject: [Technical Errata Reported] RFC1035 (5626)
Date: Thu,  7 Feb 2019 08:04:27 -0800 (PST)
From: RFC Errata System <rfc-editor@rfc-editor.org>
To: iesg@ietf.org
CC: petr.spacek@nic.cz, rfc-editor@rfc-editor.org

The following errata report has been submitted for RFC1035,
"Domain names - implementation and specification".

--------------------------------------
You may review the report below and at:
http://www.rfc-editor.org/errata/eid5626

--------------------------------------
Type: Technical
Reported by: Petr Špaček <petr.spacek@nic.cz>

Section: 5.2.

Original Text
-------------
Several other validity checks that should be performed in addition to
insuring that the file is syntactically correct:

   1. All RRs in the file should have the same class.

   2. Exactly one SOA RR should be present at the top of the zone.

   3. If delegations are present and glue information is required,
      it should be present.

   4. Information present outside of the authoritative nodes in the
      zone should be glue information, rather than the result of an
      origin or similar error.

Corrected Text
--------------
Several other validity checks that should be performed in addition to
insuring that the file is syntactically correct:

   1. All RRs in the file should have the same class.

   2. Exactly one SOA RR should be present at the top of the zone.

   3. If delegations are present and glue information is required,
      it should be present.

   4. Information present outside of the authoritative nodes in the
      zone should be glue information, rather than the result of an
      origin or similar error.

   5. At least one NS RR must be present at the top of the zone.

Notes
-----
RFC 1034 Section 4.2.1 vaguely specifies that NS RRs are expected to be
found at zone apex but it is missing in the original algorithm above.
This erratum adds explicit requirement for NS RR at zone apex.

Even more importantly this expectation was built into subsequent RFCs,
e.g. RFC 2181 which would break if NS was present only in the parent
zone but not in the child zone.

References to dnsop mailing list:
- https://mailarchive.ietf.org/arch/msg/dnsop/ipwko314FenUxrdzMl5vcick9wQ
- https://mailarchive.ietf.org/arch/msg/dnsop/JAS6TREsOh-b2J4rEAND6cds0Og

Instructions:
-------------
This erratum is currently posted as "Reported". If necessary, please
use "Reply All" to discuss whether it should be verified or
rejected. When a decision is reached, the verifying party  can log in to
change the status and edit the report, if necessary.
--------------------------------------
RFC1035 (no draft string recorded)
--------------------------------------
Title               : Domain names - implementation and specification
Publication Date    : November 1987
Author(s)           : P.V. Mockapetris
Category            : INTERNET STANDARD
Source              : Legacy
Area                : Legacy
Stream              : IETF
Verifying Party     : IESG

-- 
Petr Špaček  @  CZ.NIC
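
The validity checks listed in the erratum above, including the proposed check 5, written out as an added example (not code from this thread or from any DNS server). It assumes a simplified master-file syntax (one RR per line, absolute owner names, explicit TTL and class), reads "glue is required" as "the NS target lies at or below the delegation point", and uses constructed sample zones.

```python
from collections import namedtuple

RR = namedtuple("RR", "owner ttl rclass rtype rdata")

def norm(name):
    """Lower-case a domain name and make it absolute (trailing dot)."""
    return name.rstrip(".").lower() + "."

def is_subdomain(name, parent):
    """True if name equals parent or lies below it."""
    return parent == "." or name == parent or name.endswith("." + parent)

def parse(text):
    """Parse the simplified syntax: 'owner ttl class type rdata', ';' comments."""
    rrs = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if line:
            owner, ttl, rclass, rtype, rdata = line.split(None, 4)
            rrs.append(RR(norm(owner), int(ttl), rclass.upper(), rtype.upper(), rdata))
    return rrs

def validate_zone(origin, rrs):
    """Return a list of (check_number, message) for RFC 1035 5.2 checks 1-4
    plus check 5 from erratum 5626. An empty list means the zone passes."""
    origin = norm(origin)
    problems = []

    # 1. All RRs in the file should have the same class.
    classes = sorted({rr.rclass for rr in rrs})
    if len(classes) > 1:
        problems.append((1, "mixed classes: " + ", ".join(classes)))

    # 2. Exactly one SOA RR should be present at the top of the zone.
    soa_owners = [rr.owner for rr in rrs if rr.rtype == "SOA"]
    if soa_owners != [origin]:
        problems.append((2, "need exactly one SOA, at %s; found at %s"
                         % (origin, soa_owners or "none")))

    # Delegation points: NS owners strictly below the apex, topmost cut only.
    ns_owners = {rr.owner for rr in rrs if rr.rtype == "NS"
                 and rr.owner != origin and is_subdomain(rr.owner, origin)}
    cuts = []
    for owner in sorted(ns_owners, key=len):   # ancestors sort before descendants
        if not any(is_subdomain(owner, c) for c in cuts):
            cuts.append(owner)
    targets = {c: {norm(rr.rdata) for rr in rrs
                   if rr.rtype == "NS" and rr.owner == c} for c in cuts}
    all_targets = set().union(*targets.values())

    # 3. Glue must be present when the name server sits inside the delegation.
    have_addr = {rr.owner for rr in rrs if rr.rtype in ("A", "AAAA")}
    for cut in cuts:
        for target in sorted(targets[cut]):
            if is_subdomain(target, cut) and target not in have_addr:
                problems.append((3, "delegation %s: no glue address for %s" % (cut, target)))

    # 4. Anything outside the authoritative nodes must be glue.
    for rr in rrs:
        if not is_subdomain(rr.owner, origin):
            problems.append((4, "%s %s is outside %s" % (rr.owner, rr.rtype, origin)))
            continue
        cut = next((c for c in cuts if is_subdomain(rr.owner, c)), None)
        if cut is None:
            continue                            # authoritative data
        if rr.owner == cut and rr.rtype in ("NS", "DS"):
            continue                            # DS (later than RFC 1035) is parent-side data
        if rr.rtype in ("A", "AAAA") and rr.owner in all_targets:
            continue                            # glue address
        problems.append((4, "%s %s is below the cut at %s and is not glue"
                         % (rr.owner, rr.rtype, cut)))

    # 5. (erratum 5626) At least one NS RR must be present at the top of the zone.
    if not any(rr.rtype == "NS" and rr.owner == origin for rr in rrs):
        problems.append((5, "no NS RR at zone apex %s" % origin))
    return problems

# Constructed sample zones (documentation names and addresses).
GOOD_ZONE = """
example.        3600 IN SOA ns1.example. hostmaster.example. 1 7200 900 1209600 3600
example.        3600 IN NS  ns1.example.
example.        3600 IN NS  ns2.example.net.
ns1.example.    3600 IN A   192.0.2.1
sub.example.    3600 IN NS  ns.sub.example.
ns.sub.example. 3600 IN A   192.0.2.53
"""
# The case discussed in the thread: NS exists only in the parent, not at the apex.
NO_APEX_NS = """
example.        3600 IN SOA ns1.example. hostmaster.example. 1 7200 900 1209600 3600
ns1.example.    3600 IN A   192.0.2.1
"""
BROKEN_ZONE = """
example.         3600 IN SOA ns1.example. hostmaster.example. 1 7200 900 1209600 3600
example.         3600 IN NS  ns1.example.
ns1.example.     3600 IN A   192.0.2.1
sub.example.     3600 IN NS  ns.sub.example.   ; glue address missing
www.sub.example. 3600 IN A   192.0.2.80        ; below the cut, not glue
other.test.      3600 CH TXT "stray"           ; wrong class, outside the zone
"""

if __name__ == "__main__":
    for label, zone in (("good", GOOD_ZONE), ("no apex NS", NO_APEX_NS), ("broken", BROKEN_ZONE)):
        print(label, validate_zone("example.", parse(zone)))
```
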


From nobody Thu Feb  7 08:06:59 2019
Return-Path: <muks@mukund.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B2B57126D00 for <dnsop@ietfa.amsl.com>; Thu,  7 Feb 2019 08:06:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.001
X-Spam-Level: 
X-Spam-Status: No, score=-0.001 tagged_above=-999 required=5 tests=[SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Tosl7I59CrA4 for <dnsop@ietfa.amsl.com>; Thu,  7 Feb 2019 08:06:57 -0800 (PST)
Received: from mail.banu.com (mail.banu.com [188.40.18.99]) by ietfa.amsl.com (Postfix) with ESMTP id 81A6212008F for <dnsop@ietf.org>; Thu,  7 Feb 2019 08:06:57 -0800 (PST)
Received: from jurassic.lan.banu.com (unknown [27.5.235.215]) (using TLSv1.2 with cipher ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits)) (No client certificate requested) by mail.banu.com (Postfix) with ESMTPSA id B8B925A40C3C; Thu,  7 Feb 2019 16:06:55 +0000 (GMT)
Date: Thu, 7 Feb 2019 21:36:52 +0530
From: Mukund Sivaraman <muks@mukund.org>
To: Petr =?utf-8?B?xaBwYcSNZWs=?= <petr.spacek@nic.cz>
Cc: "dnsop@ietf.org" <dnsop@ietf.org>
Message-ID: <20190207160652.GA26069@jurassic.lan.banu.com>
References: <fcd790a2-414b-491e-01e2-9aa92f7b1c4e@nic.cz>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <fcd790a2-414b-491e-01e2-9aa92f7b1c4e@nic.cz>
User-Agent: Mutt/1.10.1 (2018-07-13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/KiYo7hXdj0Jsv4MoKoEuSCyiPEI>
Subject: Re: [DNSOP] RFC 1035 vs. mandatory NS at apex?
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Feb 2019 16:06:59 -0000

On Thu, Feb 07, 2019 at 01:16:01PM +0100, Petr Špaček wrote:
> Is it mandatory or not? Should I submit erratum for RFC 1035?

Please do so. If something that's widely accepted is not clearly stated,
documenting it would be helpful both to implementors and also to point
as reference when checking for correctness.

		Mukund


From nobody Thu Feb  7 08:08:40 2019
Return-Path: <mellon@fugue.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 19D6C1289FA for <dnsop@ietfa.amsl.com>; Thu,  7 Feb 2019 08:08:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.001
X-Spam-Level: 
X-Spam-Status: No, score=-0.001 tagged_above=-999 required=5 tests=[DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fugue-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id g0bDCOCew9dp for <dnsop@ietfa.amsl.com>; Thu,  7 Feb 2019 08:08:37 -0800 (PST)
Received: from mail-qt1-x835.google.com (mail-qt1-x835.google.com [IPv6:2607:f8b0:4864:20::835]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 320E7126D00 for <dnsop@ietf.org>; Thu,  7 Feb 2019 08:08:37 -0800 (PST)
Received: by mail-qt1-x835.google.com with SMTP id o6so431007qtk.6 for <dnsop@ietf.org>; Thu, 07 Feb 2019 08:08:37 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fugue-com.20150623.gappssmtp.com; s=20150623; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=mj797F/2WOzc+wvkONjY0P3Ymcy9FHnk5WMkCyuyoIU=; b=Xru3t35IOsRvWfam5DcKZRxDqJYBXeN1ijspajJVZf1nti6wZWL1tebZxm9ILgrTGY rfOQvG14kMk29Y6WSW8yIcpQoflk6R1H5kmduSpY4gKSkeAn3jM4MtpJfojxF3yMKfl1 +FK+f/wlCHCmx4WVotlG0Bo86WeMLGSC7gNH1RZNwQuoiYV1Z9WceyG14Pfycr+XFcPn W3DtuF30XEkXh+yOk8hhtVRkh66Iy29laNgLLSr2aJOBtLKtUg7kNvF6YMTZOgglpyJx fPAyw2yNWIz/dwYQY5HscYH0C/nVrDuQUteLhH0dz61TB5H5ONzVzGbmL1E6sdnN0WJZ jISQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=mj797F/2WOzc+wvkONjY0P3Ymcy9FHnk5WMkCyuyoIU=; b=CE2h7GHZHiTtRhpcKWY/7AIXCGab+L5CWqvMw9IDaEqgkWIIT6cZZTebkCBeSs//p4 NcyE50yD/vY+GcStK7w5qz/HR3RWNpbCK++0Sfj8sI058NHpk/jk5C7aNEQG7p8WEq6b dF6qiGumevzicLEEKIXC25RCd4whRv87Dkz1PxASw4PTgiqHGZpeoo+ZRnxTIKPKnVkT d9hfIBAv1bBdtt81t1tZHRLzoEuh1fc9K023GKW0gPVYdYZYOH2gs48WXOApIFk0EezQ abY5DdYV8jOahdpfSyzQpnrbf3GjXZjSpLZu9pnNLvadKM9Io4NxW+aRzVwhy3WJj9gL OYnw==
X-Gm-Message-State: AHQUAuYC0m0gOFf5UpRQyFUWB46dSRGWBWwWiMg0HTqvk6E9luJSdC/E BWFJQHWtYj2iDVmkBZvZgOznZw==
X-Google-Smtp-Source: AHgI3Iabo0z0fbarjdGiAZAq/OUuXeFsqwwRrh5legQvnfu6+bqLPncIoF8NBYj8lTLZdZEKGKudcA==
X-Received: by 2002:aed:2ee5:: with SMTP id k92mr12657656qtd.304.1549555716210;  Thu, 07 Feb 2019 08:08:36 -0800 (PST)
Received: from [10.0.10.34] (c-73-186-137-119.hsd1.ma.comcast.net. [73.186.137.119]) by smtp.gmail.com with ESMTPSA id d50sm47000091qta.31.2019.02.07.08.08.29 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 07 Feb 2019 08:08:33 -0800 (PST)
From: Ted Lemon <mellon@fugue.com>
Message-Id: <5C8B5FF4-CF0A-4D6D-9621-4D8A4544F7BC@fugue.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_A5BB2C82-8E6A-48DB-B2B1-D13AA6EF69C8"
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
Date: Thu, 7 Feb 2019 11:08:27 -0500
In-Reply-To: <20190207160511.mua3wa244wr34rkt@hi.is>
Cc: dnsop@ietf.org
To: Marius Olafsson <marius@hi.is>
References: <fcd790a2-414b-491e-01e2-9aa92f7b1c4e@nic.cz> <CAAeHe+xySnrvpD4-nhi3T0qiEmz8h0ZNUE_2kie7ctq8YPGRPA@mail.gmail.com> <56839e19-afe9-df4b-d432-09a949cc658c@nic.cz> <06E02AB3-5E3B-4E1F-9B23-BB0810F73B66@fugue.com> <20190207160511.mua3wa244wr34rkt@hi.is>
X-Mailer: Apple Mail (2.3445.102.3)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/JKIHHqiK8lrMUOyNAhvWH-aiCwI>
Subject: Re: [DNSOP] RFC 1035 vs. mandatory NS at apex?
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Feb 2019 16:08:39 -0000

--Apple-Mail=_A5BB2C82-8E6A-48DB-B2B1-D13AA6EF69C8
Content-Transfer-Encoding: 7bit
Content-Type: text/plain;
	charset=us-ascii

On Feb 7, 2019, at 11:05 AM, Marius Olafsson <marius@hi.is> wrote:
> "The authoritative servers for a zone are enumerated in the NS records
>   for the origin of the zone, which, along with a Start of Authority
>   (SOA) record are the mandatory records in every zone."

Problem solved.   :)


--Apple-Mail=_A5BB2C82-8E6A-48DB-B2B1-D13AA6EF69C8--


From marius@ok.rhi.hi.is  Thu Feb  7 08:05:19 2019
Return-Path: <marius@ok.rhi.hi.is>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A1144126D00 for <dnsop@ietfa.amsl.com>; Thu,  7 Feb 2019 08:05:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0
X-Spam-Level: 
X-Spam-Status: No, score=0 tagged_above=-999 required=5 tests=[none] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sub4wEQBVU7L for <dnsop@ietfa.amsl.com>; Thu,  7 Feb 2019 08:05:17 -0800 (PST)
Received: from ok.rhi.hi.is (ok.rhi.hi.is [IPv6:2a00:c88:4000:690::69:172]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 00F8D12008F for <dnsop@ietf.org>; Thu,  7 Feb 2019 08:05:16 -0800 (PST)
Received: from ok.rhi.hi.is (localhost [127.0.0.1]) by ok.rhi.hi.is (8.15.2/8.15.2) with ESMTP id x17G5B20005840; Thu, 7 Feb 2019 16:05:11 GMT
Received: (from marius@localhost) by ok.rhi.hi.is (8.15.2/8.15.2/Submit) id x17G5Bkc005839; Thu, 7 Feb 2019 16:05:11 GMT
Date: Thu, 7 Feb 2019 16:05:11 +0000
From: Marius Olafsson <marius@hi.is>
To: Ted Lemon <mellon@fugue.com>
Cc: dnsop@ietf.org
Message-ID: <20190207160511.mua3wa244wr34rkt@hi.is>
References: <fcd790a2-414b-491e-01e2-9aa92f7b1c4e@nic.cz> <CAAeHe+xySnrvpD4-nhi3T0qiEmz8h0ZNUE_2kie7ctq8YPGRPA@mail.gmail.com> <56839e19-afe9-df4b-d432-09a949cc658c@nic.cz> <06E02AB3-5E3B-4E1F-9B23-BB0810F73B66@fugue.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <06E02AB3-5E3B-4E1F-9B23-BB0810F73B66@fugue.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/rKMFagpVue8qOO3tZ6mBmJh7ry0>
Subject: Re: [DNSOP] RFC 1035 vs. mandatory NS at apex?
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Feb 2019 16:09:07 -0000

> I hate to say it, but we should really make sure that this is actually stated somewhere where it can reasonably be found.   If it is not, we should state it.   Petr was completely sensible to think it was the case but not be sure.   Saying that it is the case, and why it is the case, would be helpful.   This is something that I hadn't really thought through before Petr asked the question, but I'd been wondering about it too because the question comes up in the DNSSD Discovery Proxy code I'm working on (I assumed the answer was yes).

How about RFC2181 section 6.1

"The authoritative servers for a zone are enumerated in the NS records
   for the origin of the zone, which, along with a Start of Authority
   (SOA) record are the mandatory records in every zone."

--
Marius Olafsson
University of Iceland


From nobody Thu Feb  7 08:12:25 2019
Return-Path: <peter.van.dijk@powerdns.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 287E4128CF3 for <dnsop@ietfa.amsl.com>; Thu,  7 Feb 2019 08:12:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.299
X-Spam-Level: 
X-Spam-Status: No, score=-2.299 tagged_above=-999 required=5 tests=[RCVD_IN_DNSWL_MED=-2.3, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MsnqsvVgZ28f for <dnsop@ietfa.amsl.com>; Thu,  7 Feb 2019 08:12:21 -0800 (PST)
Received: from mx4.open-xchange.com (alcatraz.open-xchange.com [87.191.39.187]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 737A41289FA for <dnsop@ietf.org>; Thu,  7 Feb 2019 08:12:21 -0800 (PST)
Received: from open-xchange.com (unknown [10.20.30.10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx4.open-xchange.com (Postfix) with ESMTPS id 7E70D6A288; Thu,  7 Feb 2019 17:12:19 +0100 (CET)
Received: from [10.242.2.79] (unknown [10.242.2.79]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by open-xchange.com (Postfix) with ESMTPSA id 3ADCB3C18CE; Thu,  7 Feb 2019 17:12:19 +0100 (CET)
From: "Peter van Dijk" <peter.van.dijk@powerdns.com>
To: "IETF DNSOP WG" <dnsop@ietf.org>
Date: Thu, 07 Feb 2019 17:12:18 +0100
X-Mailer: MailMate (1.12.4r5594)
Message-ID: <66182A61-58C6-4639-AB4E-25163C667906@powerdns.com>
In-Reply-To: <020C8BBA-8729-48E7-B893-1C2594D2186A@fugue.com>
References: <fcd790a2-414b-491e-01e2-9aa92f7b1c4e@nic.cz> <CAAeHe+xySnrvpD4-nhi3T0qiEmz8h0ZNUE_2kie7ctq8YPGRPA@mail.gmail.com> <56839e19-afe9-df4b-d432-09a949cc658c@nic.cz> <06E02AB3-5E3B-4E1F-9B23-BB0810F73B66@fugue.com> <CA+nkc8BLA1wVSQ6DEbM7py98Rq94P-=XJtEBzcJAD9LOucN2Ew@mail.gmail.com> <020C8BBA-8729-48E7-B893-1C2594D2186A@fugue.com>
MIME-Version: 1.0
Content-Type: text/plain; format=flowed
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/H-szmJB2P8v1sIRhosrDAb2kqmU>
Subject: Re: [DNSOP] RFC 1035 vs. mandatory NS at apex?
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Feb 2019 16:12:23 -0000

On 7 Feb 2019, at 16:55, Ted Lemon wrote:

> On Feb 7, 2019, at 10:48 AM, Bob Harold <rharolde@umich.edu> wrote:
>> If we write it down, perhaps we should also mention that other things 
>> that answer DNS queries, like load balancers, should also return 
>> proper SOA and NS records, not just A and AAAA records,  for the same 
>> reasons.
>
> Are they currently returning no error/no data?

Yes, many do. Others do not respond at all (i.e., timeout).

Case in point: https://github.com/dns-violations/dnsflagday/issues/73

Kind regards,
-- 
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/


From nobody Thu Feb  7 08:48:20 2019
Return-Path: <alexander.mayrhofer@nic.at>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 513121292F1 for <dnsop@ietfa.amsl.com>; Thu,  7 Feb 2019 08:48:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.998
X-Spam-Level: 
X-Spam-Status: No, score=-4.998 tagged_above=-999 required=5 tests=[HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hPxaB3Mge6ZG for <dnsop@ietfa.amsl.com>; Thu,  7 Feb 2019 08:48:17 -0800 (PST)
Received: from mail.sbg.nic.at (mail.sbg.nic.at [83.136.33.227]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6DEA4124BF6 for <dnsop@ietf.org>; Thu,  7 Feb 2019 08:48:15 -0800 (PST)
Received: from nics-exch2.sbg.nic.at ([10.17.175.6]) by mail.sbg.nic.at with XWall v3.53 ; Thu, 7 Feb 2019 17:48:09 +0100
Received: from NICS-EXCH2.sbg.nic.at ([fe80::a5b2:6e42:e54d:9d57]) by NICS-EXCH2.sbg.nic.at ([fe80::a5b2:6e42:e54d:9d57%12]) with mapi id 14.03.0435.000; Thu, 7 Feb 2019 17:47:41 +0100
From: Alexander Mayrhofer <alexander.mayrhofer@nic.at>
To: "dnsop@ietf.org" <dnsop@ietf.org>
Thread-Topic: draft-ietf-dnsop-attrleaf vs. RFC7553
Thread-Index: AdS/A6lXkR/vK91JS+aKsAvRVHamBg==
Date: Thu, 7 Feb 2019 16:47:41 +0000
Message-ID: <19F54F2956911544A32543B8A9BDE0759FBCD40B@NICS-EXCH2.sbg.nic.at>
Accept-Language: en-US, de-DE
Content-Language: de-DE
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [10.10.0.110]
Content-Type: multipart/alternative; boundary="_000_19F54F2956911544A32543B8A9BDE0759FBCD40BNICSEXCH2sbgnic_"
MIME-Version: 1.0
X-XWALL-BCKS: auto
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/8c5ySTUcuhbIOx5DNZUNwAm5MN8>
Subject: [DNSOP] draft-ietf-dnsop-attrleaf vs. RFC7553
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Feb 2019 16:48:19 -0000

--_000_19F54F2956911544A32543B8A9BDE0759FBCD40BNICSEXCH2sbgnic_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

Hello everyone,

I'm turning my head around an issue around the attrleaf draft, and its
connection with RFC7553 (the URI RRType). I'm specifically wondering what
the connection between the "service parameter" in RFC 7553 and the "Global
Underscore Node Names" in draft-ietf-dnsop-attrleaf is.  I'm trying to
reword draft-mayrhofer-dns-did to request a new underscore node name. My
issue is as follows:

RFC 7553 restricts the "service parameters" (those underscored names) as
follows:

   Valid service
   parameters are those registered by IANA in the "Service Name and
   Transport Protocol Port Number Registry"
   [RFC6335<https://tools.ietf.org/html/rfc6335>] or as "Enumservice
   Registrations [RFC6117<https://tools.ietf.org/html/rfc6117>].

However, I understand the intent of draft-ietf-attrleaf (as far as I
understand) is to replace/extend that definition by a new registry, and does
indeed include underscore node names for the URI RRType in Section 4.3.
However, I'm wondering whether that formally "overrides" the previous
specification.. So, my questions are:

A)      Would it be enough to request a global underscore node name to use
        it with the URI RRType

B)      And shouldn't draft-ietf-dnsop-attrleaf hence UPDATE RFC7553?

(I know the draft is already *very* well advanced in the process, so I'm
opening a can of worms here - but better late than never? And there are
definitely more future use cases for URI records that might be well covered
by the attrleaf document..)

Comments appreciated!

Best,
Alex


--_000_19F54F2956911544A32543B8A9BDE0759FBCD40BNICSEXCH2sbgnic_--


From nobody Thu Feb  7 08:59:54 2019
Return-Path: <dot@dotat.at>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A33D4124BF6 for <dnsop@ietfa.amsl.com>; Thu,  7 Feb 2019 08:59:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.299
X-Spam-Level: 
X-Spam-Status: No, score=-2.299 tagged_above=-999 required=5 tests=[RCVD_IN_DNSWL_MED=-2.3, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id a8R-cMfxmiYd for <dnsop@ietfa.amsl.com>; Thu,  7 Feb 2019 08:59:50 -0800 (PST)
Received: from ppsw-32.csi.cam.ac.uk (ppsw-32.csi.cam.ac.uk [131.111.8.132]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D5E9E1200D8 for <dnsop@ietf.org>; Thu,  7 Feb 2019 08:59:49 -0800 (PST)
X-Cam-AntiVirus: no malware found
X-Cam-ScannerInfo: http://help.uis.cam.ac.uk/email-scanner-virus
Received: from grey.csi.cam.ac.uk ([131.111.57.57]:54390) by ppsw-32.csi.cam.ac.uk (ppsw.cam.ac.uk [131.111.8.138]:25) with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) id 1grn1e-000F4o-2V (Exim 4.91) (return-path <dot@dotat.at>); Thu, 07 Feb 2019 16:59:46 +0000
Date: Thu, 7 Feb 2019 16:59:46 +0000
From: Tony Finch <dot@dotat.at>
To: =?UTF-8?Q?Petr_=C5=A0pa=C4=8Dek?= <petr.spacek@nic.cz>
cc: Kevin Darcy <kevin.darcy@fcagroup.com>, dnsop@ietf.org
In-Reply-To: <56839e19-afe9-df4b-d432-09a949cc658c@nic.cz>
Message-ID: <alpine.DEB.2.20.1902071648340.18720@grey.csi.cam.ac.uk>
References: <fcd790a2-414b-491e-01e2-9aa92f7b1c4e@nic.cz> <CAAeHe+xySnrvpD4-nhi3T0qiEmz8h0ZNUE_2kie7ctq8YPGRPA@mail.gmail.com> <56839e19-afe9-df4b-d432-09a949cc658c@nic.cz>
User-Agent: Alpine 2.20 (DEB 67 2015-01-07)
MIME-Version: 1.0
Content-Type: multipart/mixed; BOUNDARY="1870870841-2075598731-1549558705=:18720"
Content-ID: <alpine.DEB.2.20.1902071659190.18720@grey.csi.cam.ac.uk>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/QgzA-UB_MOkr9v4zGKexh4H60nI>
Subject: Re: [DNSOP] RFC 1035 vs. mandatory NS at apex?
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Feb 2019 16:59:53 -0000

  This message is in MIME format.  The first part should be readable text,
  while the remaining parts are likely unreadable without MIME-aware tools.

--1870870841-2075598731-1549558705=:18720
Content-Type: text/plain; CHARSET=UTF-8
Content-Transfer-Encoding: QUOTED-PRINTABLE
Content-ID: <alpine.DEB.2.20.1902071659191.18720@grey.csi.cam.ac.uk>

Petr Špaček <petr.spacek@nic.cz> wrote:
>
> We (as developers in our office) all have had gut feeling that NS is
> mandatory but we could not find it in the RFCs.

There's this bit in RFC 1034 which discusses zone cuts and says the NS
RRset above and below the cut should be exactly the same. DNS admins are
generally too relaxed about allowing them to become inconsistent.

: The RRs that describe cuts around the bottom of the zone are NS RRs that
: name the servers for the subzones.  Since the cuts are between nodes,
: these RRs are NOT part of the authoritative data of the zone, and should
: be exactly the same as the corresponding RRs in the top node of the
: subzone.  Since name servers are always associated with zone boundaries,
: NS RRs are only found at nodes which are the top node of some zone.  In
: the data that makes up a zone, NS RRs are found at the top node of the
: zone (and are authoritative) and at cuts around the bottom of the zone
: (where they are not authoritative), but never in between.

See also RFC 1912 section 2.8:

   Make sure your parent domain has the same NS records for your zone as
   you do.

Tony.
-- 
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
Dogger: West, backing southwest, 6 to gale 8. Moderate or rough, occasionally
very rough. Occasional rain. Good occasionally poor.
--1870870841-2075598731-1549558705=:18720--
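
[Added example, not part of the message above and not code from any list participant: a check for the RFC 1034 / RFC 1912 section 2.8 rule quoted there, comparing the delegation NS RRset in the parent zone with the apex NS RRset in the child zone. The zone snippets, names and addresses are constructed, and the parser is a simplified one that assumes one record per line.]

```python
"""Compare a parent zone's delegation NS RRset with the child zone's apex NS RRset."""

CLASSES = {"IN", "CH", "HS"}


def _absolute(name, origin):
    """Lower-case a zone-file name and make it fully qualified."""
    name = name.lower()
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return name + "." if origin == "." else f"{name}.{origin}"


def ns_rrset(zone_text, origin, owner):
    """Return the set of NS targets at `owner` (an FQDN) in simplified zone text.

    Handles $ORIGIN, ';' comments, optional TTL/class fields and owner
    inheritance on lines that start with whitespace. Multi-line records in
    parentheses are not supported (assumption of this example).
    """
    origin = origin.lower()
    owner = owner.lower()
    last_owner = origin
    targets = set()
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        fields = line.split()
        if fields[0].upper() == "$ORIGIN":
            origin = fields[1].lower()
            continue
        if fields[0].startswith("$"):
            continue  # $TTL, $INCLUDE: irrelevant to this check
        if line[0] in " \t":
            current = last_owner  # owner inherited from the previous record
        else:
            current = _absolute(fields[0], origin)
            last_owner = current
            fields = fields[1:]
        while fields and (fields[0].isdigit() or fields[0].upper() in CLASSES):
            fields = fields[1:]  # skip TTL and class
        if len(fields) >= 2 and fields[0].upper() == "NS" and current == owner:
            targets.add(_absolute(fields[1], origin))
    return targets


def compare_delegation(parent_text, parent_origin, child_text, child_origin):
    """Report how the NS RRset above the zone cut differs from the one below it."""
    above = ns_rrset(parent_text, parent_origin, child_origin)
    below = ns_rrset(child_text, child_origin, child_origin)
    return {
        "consistent": bool(above) and above == below,
        "only_in_parent": sorted(above - below),
        "only_in_child": sorted(below - above),
    }


# Constructed sample data: the parent still lists ns2, the child has moved to ns3.
PARENT_ZONE = """\
$ORIGIN example.
@        3600 IN SOA ns.example. hostmaster.example. 1 7200 3600 1209600 3600
@        3600 IN NS  ns.example.
sub      3600 IN NS  ns1.sub.example.
         3600 IN NS  NS2.provider.example.   ; stale delegation target
ns1.sub  3600 IN A   192.0.2.53              ; glue
"""

CHILD_ZONE = """\
$ORIGIN sub.example.
@    3600 IN SOA ns1 hostmaster 1 7200 3600 1209600 3600
@    3600 IN NS  ns1
@    3600 IN NS  ns3.provider.example.
ns1  3600 IN A   192.0.2.53
"""

if __name__ == "__main__":
    report = compare_delegation(PARENT_ZONE, "example.", CHILD_ZONE, "sub.example.")
    for key, value in report.items():
        print(f"{key}: {value}")
```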


From nobody Thu Feb  7 09:29:27 2019
Return-Path: <paul@redbarn.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ACB0B12E04D for <dnsop@ietfa.amsl.com>; Thu,  7 Feb 2019 09:29:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.001
X-Spam-Level: 
X-Spam-Status: No, score=-0.001 tagged_above=-999 required=5 tests=[RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id u0gRFleherpJ for <dnsop@ietfa.amsl.com>; Thu,  7 Feb 2019 09:29:23 -0800 (PST)
Received: from family.redbarn.org (family.redbarn.org [24.104.150.213]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7EE0D12D861 for <dnsop@ietf.org>; Thu,  7 Feb 2019 09:29:23 -0800 (PST)
Received: from [IPv6:2001:559:8000:c9:5093:709c:3b4b:7ac4] (unknown [IPv6:2001:559:8000:c9:5093:709c:3b4b:7ac4]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client did not present a certificate) by family.redbarn.org (Postfix) with ESMTPSA id 5DC6B892C6; Thu,  7 Feb 2019 17:29:22 +0000 (UTC)
To: Peter van Dijk <peter.van.dijk@powerdns.com>
Cc: dnsop <dnsop@ietf.org>
References: <BCACF554-8BE6-49BC-B75A-BCED776F5189@NLnetLabs.nl> <20190206080832.GA14062@jurassic.lan.banu.com> <3B046CC4-B67E-4960-9950-527169060AFD@powerdns.com>
From: Paul Vixie <paul@redbarn.org>
Message-ID: <386a049f-0534-b9a4-1770-f6db62d7c177@redbarn.org>
Date: Thu, 7 Feb 2019 09:29:21 -0800
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 PostboxApp/6.1.9
MIME-Version: 1.0
In-Reply-To: <3B046CC4-B67E-4960-9950-527169060AFD@powerdns.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/D_k_k2dglX1TEsqkShkmQ_OSMQc>
Subject: Re: [DNSOP] Call for Adoption: draft-song-atr-large-resp
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Feb 2019 17:29:26 -0000

Peter van Dijk wrote on 2019-02-07 06:41:
> ...
> 
> I think it’s important to repeat that not only do I oppose adoption - 
> any implementation, no matter the status of the document, will be 
> *actively harmful to the DNS at large*. Please do not implement this.

to be fair, the harm in terms of icmp noise would be to the whole 
internet, not just to the dns.

-- 
P Vixie


From nobody Thu Feb  7 11:09:36 2019
Return-Path: <muks@mukund.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BBD9E12426E for <dnsop@ietfa.amsl.com>; Thu,  7 Feb 2019 11:09:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level: 
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Jk1rcIg0ZshH for <dnsop@ietfa.amsl.com>; Thu,  7 Feb 2019 11:09:32 -0800 (PST)
Received: from mail.banu.com (mail.banu.com [188.40.18.99]) by ietfa.amsl.com (Postfix) with ESMTP id B4365128CF3 for <dnsop@ietf.org>; Thu,  7 Feb 2019 11:09:32 -0800 (PST)
Received: from jurassic.lan.banu.com (unknown [27.5.235.215]) (using TLSv1.2 with cipher ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits)) (No client certificate requested) by mail.banu.com (Postfix) with ESMTPSA id 6DA385A401EA; Thu,  7 Feb 2019 19:09:30 +0000 (GMT)
Date: Fri, 8 Feb 2019 00:39:27 +0530
From: Mukund Sivaraman <muks@mukund.org>
To: Peter van Dijk <peter.van.dijk@powerdns.com>
Cc: dnsop <dnsop@ietf.org>
Message-ID: <20190207190927.GA30071@jurassic.lan.banu.com>
References: <BCACF554-8BE6-49BC-B75A-BCED776F5189@NLnetLabs.nl> <4A75C4E3-F74F-46DB-9A8A-879C0BB79190@powerdns.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <4A75C4E3-F74F-46DB-9A8A-879C0BB79190@powerdns.com>
User-Agent: Mutt/1.10.1 (2018-07-13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/XK7ctHM8lq3euA8sDCcn3EJZZfg>
Subject: Re: [DNSOP] Call for Adoption: draft-song-atr-large-resp
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Feb 2019 19:09:35 -0000

Hi Peter

On Mon, Jan 21, 2019 at 11:22:00AM +0100, Peter van Dijk wrote:
> The draft doubles the number of packets involved in a legitimate
> exchange; it more than doubles the number of packets involved in a
> spoofed exchange. About half of these packets are ICMP
> packets. Without the draft, ICMP packets are useful debugging aids,
> and in big numbers, indications of attacks or operational
> problems. With the draft, ICMP becomes another useless source of
> background noise.

I had implemented the draft about a year ago as a server-side patch for
BIND so that it could be tried/tested. But I was not aware of the ICMP
issue that you mentioned. Today I looked at a packet capture with ATR
response and sure enough, the 2nd truncated response generates an ICMP
message from the recipient. I agree that this would be noisy.

		Mukund


From nobody Thu Feb  7 11:29:07 2019
Return-Path: <johnl@iecc.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E6BF612F1A5 for <dnsop@ietfa.amsl.com>; Thu,  7 Feb 2019 11:29:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level: 
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9,  DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1536-bit key) header.d=iecc.com header.b=bpb8gcnb; dkim=pass (1536-bit key) header.d=taugh.com header.b=ODmTOp2T
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GAXfrCBVORvK for <dnsop@ietfa.amsl.com>; Thu,  7 Feb 2019 11:29:04 -0800 (PST)
Received: from gal.iecc.com (gal.iecc.com [IPv6:2001:470:1f07:1126:0:43:6f73:7461]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6C99D12E036 for <dnsop@ietf.org>; Thu,  7 Feb 2019 11:29:04 -0800 (PST)
Received: (qmail 39734 invoked from network); 7 Feb 2019 19:29:03 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=iecc.com; h=date:message-id:from:to:cc:subject:in-reply-to:mime-version:content-type:content-transfer-encoding; s=9b34.5c5c86ff.k1902; bh=ynzDBKIIQkI8olN9Vuh3kva4dNU131rNFM3CR5qawm8=; b=bpb8gcnbLNqGaWh1UO4K4w3UHrCO2E1jY3qbic9qJxjQr1yco1zegFoGFb8kSeTCyAFdtjzb3QD70lvSPV+xAYpgZbuToZzwO2N3wcoiR93PfVweTKeS1wLMrzy7CdOR8JMmEdB3HHYgbjauS7Vp2zyueM6ZiODBPHjiiRh4Hl7MxYPBGLv680hvPerHc7JGOrmgv9mgfZvd7Y+au5t6goroH3ohL+qN4L4auYpUNVfoy1+2PHxmQ6AXvlkZUl7P
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=taugh.com; h=date:message-id:from:to:cc:subject:in-reply-to:mime-version:content-type:content-transfer-encoding; s=9b34.5c5c86ff.k1902; bh=ynzDBKIIQkI8olN9Vuh3kva4dNU131rNFM3CR5qawm8=; b=ODmTOp2TbfKaBPHKvJYNmSXy9YlrgIlLxOs3UQCYu5eEG6cX6rNwkzAwCkrw9TAZ6T+Dkprs4pkyOF8RBBOiJwrSoxyFxcQk093qQbOxGaW8K1qz6aOrJ5aknRAhSfRAlMIJX3plaH0ULs1Ahd6nIHXZo1NPcYezN0SHXm8w5p5Y3Y7sWFvlMLNGm7DHSZNVhrjjt1V58WXPB/QfF+aJ+QZfgXf836Lz8yR58TJXOiWoSHLRlqZB9+OxmgIWwmDi
Received: from ary.qy ([IPv6:2001:470:1f07:1126::78:696d:6170]) by imap.iecc.com ([IPv6:2001:470:1f07:1126::78:696d:6170]) with ESMTP via TCP6; 07 Feb 2019 19:29:03 -0000
Received: by ary.qy (Postfix, from userid 501) id 2BDB2200DF041A; Thu,  7 Feb 2019 14:29:02 -0500 (EST)
Date: 7 Feb 2019 14:29:02 -0500
Message-Id: <20190207192903.2BDB2200DF041A@ary.qy>
From: "John Levine" <johnl@taugh.com>
To: dnsop@ietf.org
Cc: alexander.mayrhofer@nic.at
In-Reply-To: <19F54F2956911544A32543B8A9BDE0759FBCD40B@NICS-EXCH2.sbg.nic.at>
Organization: Taughannock Networks
X-Headerized: yes
Mime-Version: 1.0
Content-type: text/plain; charset=utf-8
Content-transfer-encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/uJO93PRoCCDXe_XFYz0nBPXEtpQ>
Subject: Re: [DNSOP] draft-ietf-dnsop-attrleaf vs. RFC7553
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Feb 2019 19:29:06 -0000

In article <19F54F2956911544A32543B8A9BDE0759FBCD40B@NICS-EXCH2.sbg.nic.at> you write:
>I'm turning my head around an issue around the attrleaf draft, and its connection with RFC7553 (the URI
>RRType). Im specifically wondering what the connection between the "service parameter" in RFC 7553 and the
>"Global Underscore Node Names" in draft-ietf-dnsop-attrleaf is. 

Dave moved the duct tape patching up all the places that defined
underscored names to draft-ietf-dnsop-attrleaf-fix.

See sections 2.3 and 2.3 for URI records.

It's still a draft so if it seems wrong, send text.

R's,
John

Linguistic note: people from the antipodes should read "duct tape"
as "number 8 wire"





From nobody Thu Feb  7 11:39:49 2019
Return-Path: <jinmei.tatuya@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0E5401200D8 for <dnsop@ietfa.amsl.com>; Thu,  7 Feb 2019 11:39:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.902
X-Spam-Level: 
X-Spam-Status: No, score=-0.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.018, FREEMAIL_FROM=0.001, FROM_EXCESS_BASE64=0.979, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0wmgBFcypFhM for <dnsop@ietfa.amsl.com>; Thu,  7 Feb 2019 11:39:44 -0800 (PST)
Received: from mail-wm1-f50.google.com (mail-wm1-f50.google.com [209.85.128.50]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1C0F512D4EB for <dnsop@ietf.org>; Thu,  7 Feb 2019 11:39:44 -0800 (PST)
Received: by mail-wm1-f50.google.com with SMTP id r17so1099256wmh.5 for <dnsop@ietf.org>; Thu, 07 Feb 2019 11:39:44 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Zqd0eXJmrCwWovtLwqhpUkf9nqlYlsJrtTuSF3JXUYQ=; b=SkpniwMo/MRISzuqzg3l4Z+OK6ZklBMspDqj12RSP9x6ItNf06X+izck/ERW589wOr ZZkNY2G/7RncksTXNx7OpYz1E6yOa7yl7mF1Cf5n/6KiF8icWcq0vc4/koD8wdyR36Ci mbZqsA5mgeXlh/CibJVYwJKu2VUUAzaS0cqFaiGpVDwkxhgwdbmTgn7vLzgpT9CKoVNj W+iqQRSrCq4SRCThmBQPfQZHFrOdtC5jgKDT1xG+uTILvrPeawOLEU8T4tE+v03z3L/C bmo8hTIwygKwv5K5OYvKw4AaVv6GsoDVIdj081mZMerhaRHQLEKCC6QWYjqqsUcDlE4R 94XQ==
X-Gm-Message-State: AHQUAuYJjqQOKbrAVw+P4Tddcivyye0VlJQnBsZG5U3VlinuX9cQuVOo Z+qcui1YqqsteYIr6Mc54wzHi+YM0ZUmPsss4R2gAATW
X-Google-Smtp-Source: AHgI3IYGC+8/iKKq8FvYj9hDEYF6a+j6NKGry0aOZnmZBBjvhFd7JNvRL2WInszY+hx56AhvKwRTa7Tl0Fuv9B0/Z9U=
X-Received: by 2002:a1c:ce0e:: with SMTP id e14mr9159772wmg.53.1549568382238;  Thu, 07 Feb 2019 11:39:42 -0800 (PST)
MIME-Version: 1.0
References: <BCACF554-8BE6-49BC-B75A-BCED776F5189@NLnetLabs.nl> <4A75C4E3-F74F-46DB-9A8A-879C0BB79190@powerdns.com> <20190207190927.GA30071@jurassic.lan.banu.com>
In-Reply-To: <20190207190927.GA30071@jurassic.lan.banu.com>
From: =?UTF-8?B?56We5piO6YGU5ZOJ?= <jinmei@wide.ad.jp>
Date: Thu, 7 Feb 2019 11:39:30 -0800
Message-ID: <CAJE_bqc=D4exSxtyA=MPkSENjQSabV1LTh5X1s618bv3c_tYgg@mail.gmail.com>
To: Mukund Sivaraman <muks@mukund.org>
Cc: Peter van Dijk <peter.van.dijk@powerdns.com>, dnsop <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000fa8504058153003e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/eKs7rGZOq64B_Cl2aWvzoghiu2o>
Subject: Re: [DNSOP] Call for Adoption: draft-song-atr-large-resp
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Feb 2019 19:39:46 -0000

--000000000000fa8504058153003e
Content-Type: text/plain; charset="UTF-8"

At Fri, 8 Feb 2019 00:39:27 +0530,
Mukund Sivaraman <muks@mukund.org> wrote:

> > The draft doubles the number of packets involved in a legitimate
> > exchange; it more than doubles the number of packets involved in a
> > spoofed exchange. About half of these packets are ICMP
> > packets. Without the draft, ICMP packets are useful debugging aids,
> > and in big numbers, indications of attacks or operational
> > problems. With the draft, ICMP becomes another useless source of
> > background noise.
>
> I had implemented the draft about a year ago as a server-side patch for
> BIND so that it could be tried/tested. But I was not aware of the ICMP
> issue that you mentioned. Today I looked at a packet capture with ATR
> response and sure enough, the 2nd truncated response generates an ICMP
> message from the recipient. I agree that this would be noisy.

Probably off topic in the context of the adoption call, but I'd note
that it depends on some implementation details of the resolver.  ICMP
port unreachable errors will be likely to be increased if the resolver
closes the UDP socket for a query with an authoritative server
immediately after it receives a return packet.  BIND behaves that way
by default, so did PowerDNS recursor when I checked the implementation
many years ago (it probably still does).  But not all resolver
implementations adopt this practice; if I understand it correctly
Unbound uses a pool of (many) UDP sockets and reuses the same socket
for multiple queries.  I've not tested it myself but I believe you
won't see an increase of ICMP errors with such resolver
implementations.

--
JINMEI, Tatuya

--000000000000fa8504058153003e--


From nobody Thu Feb  7 13:44:53 2019
Return-Path: <paul.hoffman@icann.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D8117129A87 for <dnsop@ietfa.amsl.com>; Thu,  7 Feb 2019 13:44:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level: 
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sQpMpdp0TLqQ for <dnsop@ietfa.amsl.com>; Thu,  7 Feb 2019 13:44:49 -0800 (PST)
Received: from out.west.pexch112.icann.org (out.west.pexch112.icann.org [64.78.40.10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3B358127AC2 for <dnsop@ietf.org>; Thu,  7 Feb 2019 13:44:49 -0800 (PST)
Received: from PMBX112-W1-CA-1.pexch112.icann.org (64.78.40.21) by PMBX112-W1-CA-1.pexch112.icann.org (64.78.40.21) with Microsoft SMTP Server (TLS) id 15.0.1367.3; Thu, 7 Feb 2019 13:44:47 -0800
Received: from PMBX112-W1-CA-1.pexch112.icann.org ([64.78.40.21]) by PMBX112-W1-CA-1.PEXCH112.ICANN.ORG ([64.78.40.21]) with mapi id 15.00.1367.000; Thu, 7 Feb 2019 13:44:47 -0800
From: Paul Hoffman <paul.hoffman@icann.org>
To: John Levine <johnl@taugh.com>
CC: "dnsop@ietf.org" <dnsop@ietf.org>, "alexander.mayrhofer@nic.at" <alexander.mayrhofer@nic.at>
Thread-Topic: [Ext] [DNSOP] draft-ietf-dnsop-attrleaf vs. RFC7553
Thread-Index: AQHUvy5X0XjjyIKZFUqoPEnrNHkLcw==
Date: Thu, 7 Feb 2019 21:44:46 +0000
Message-ID: <CED462CB-6C71-43CA-ADC3-FEE9887B1176@icann.org>
References: <20190207192903.2BDB2200DF041A@ary.qy>
In-Reply-To: <20190207192903.2BDB2200DF041A@ary.qy>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [192.0.32.234]
Content-Type: text/plain; charset="us-ascii"
Content-ID: <A6AA1C6E7482584EA84FB98600551805@pexch112.icann.org>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Xx7KIesgkXB7spKUTtAH2gerkNA>
Subject: Re: [DNSOP] [Ext]  draft-ietf-dnsop-attrleaf vs. RFC7553
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Feb 2019 21:44:51 -0000

On Feb 7, 2019, at 11:29 AM, John Levine <johnl@taugh.com> wrote:
>
> In article <19F54F2956911544A32543B8A9BDE0759FBCD40B@NICS-EXCH2.sbg.nic.at> you write:
>> I'm turning my head around an issue around the attrleaf draft, and its connection with RFC7553 (the URI
>> RRType). I'm specifically wondering what the connection between the "service parameter" in RFC 7553 and the
>> "Global Underscore Node Names" in draft-ietf-dnsop-attrleaf is.
>
> Dave moved the duct tape patching up all the places that defined
> underscored names to draft-ietf-dnsop-attrleaf-fix.
>
> See sections 2.3 and 2.3 for URI records.
>
> It's still a draft so if it seems wrong, send text.

It is a draft, but it has been in the RFC Editor's queue for 2.5 months. Unless there is a technical problem, fixing it now (without WG review) could cause more harm than benefit.

--Paul


From nobody Thu Feb  7 14:06:24 2019
Return-Path: <johnl@taugh.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A007412D4E8 for <dnsop@ietfa.amsl.com>; Thu,  7 Feb 2019 14:06:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level: 
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9,  DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001,  URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1536-bit key) header.d=iecc.com header.b=RRenfKYn; dkim=pass (1536-bit key) header.d=taugh.com header.b=ACt1br0I
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zzYpQ4Ls9o9g for <dnsop@ietfa.amsl.com>; Thu,  7 Feb 2019 14:06:20 -0800 (PST)
Received: from gal.iecc.com (gal.iecc.com [IPv6:2001:470:1f07:1126:0:43:6f73:7461]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 24095127AC2 for <dnsop@ietf.org>; Thu,  7 Feb 2019 14:06:19 -0800 (PST)
Received: (qmail 70800 invoked from network); 7 Feb 2019 22:06:18 -0000
Received: from localhost ([IPv6:2001:470:1f07:1126::78:696d:6170]) by imap.iecc.com ([IPv6:2001:470:1f07:1126::78:696d:6170]) with ESMTP via TCP6; 07 Feb 2019 22:06:18 -0000
Date: 7 Feb 2019 17:06:17 -0500
Message-ID: <alpine.OSX.2.21.1902071705210.47097@ary.qy>
From: "John R Levine" <johnl@taugh.com>
To: "Paul Hoffman" <paul.hoffman@icann.org>
Cc: "dnsop@ietf.org" <dnsop@ietf.org>
In-Reply-To: <CED462CB-6C71-43CA-ADC3-FEE9887B1176@icann.org>
References: <20190207192903.2BDB2200DF041A@ary.qy> <CED462CB-6C71-43CA-ADC3-FEE9887B1176@icann.org>
User-Agent: Alpine 2.21 (OSX 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII; format=flowed
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/9gxqrUyYRTlQ989mcWg6UQoFecQ>
Subject: Re: [DNSOP] [Ext]  draft-ietf-dnsop-attrleaf vs. RFC7553
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Feb 2019 22:06:23 -0000

>> Dave moved the duct tape patching up all the places that defined
>> underscored names to draft-ietf-dnsop-attrleaf-fix.
>>
>> See sections 2.3 and 2.3 for URI records.
>>
>> It's still a draft so if it seems wrong, send text.
>
> It is a draft, but it has been in the RFC Editor's queue for 2.5 months. Unless there is a technical problem, fixing it now (without WG review) could cause more harm than benefit.

Oh, definitely.  When I said wrong I meant like it doesn't work, not that 
a sentence could be reworded.

Regards,
John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly


From nobody Thu Feb  7 15:28:28 2019
Return-Path: <mohta@necom830.hpcl.titech.ac.jp>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5E58A130ED0 for <dnsop@ietfa.amsl.com>; Thu,  7 Feb 2019 15:28:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1mGk07rsJZNX for <dnsop@ietfa.amsl.com>; Thu,  7 Feb 2019 15:28:25 -0800 (PST)
Received: from necom830.hpcl.titech.ac.jp (necom830.hpcl.titech.ac.jp [131.112.32.132]) by ietfa.amsl.com (Postfix) with SMTP id 4A3E7130ECF for <dnsop@ietf.org>; Thu,  7 Feb 2019 15:28:25 -0800 (PST)
Received: (qmail 15319 invoked from network); 7 Feb 2019 23:19:28 -0000
Received: from necom830.hpcl.titech.ac.jp (HELO ?127.0.0.1?) (131.112.32.132) by necom830.hpcl.titech.ac.jp with SMTP; 7 Feb 2019 23:19:28 -0000
To: dnsop@ietf.org
References: <fcd790a2-414b-491e-01e2-9aa92f7b1c4e@nic.cz> <CAAeHe+xySnrvpD4-nhi3T0qiEmz8h0ZNUE_2kie7ctq8YPGRPA@mail.gmail.com> <56839e19-afe9-df4b-d432-09a949cc658c@nic.cz> <06E02AB3-5E3B-4E1F-9B23-BB0810F73B66@fugue.com> <CA+nkc8BLA1wVSQ6DEbM7py98Rq94P-=XJtEBzcJAD9LOucN2Ew@mail.gmail.com> <8a7a70e4-7214-c127-8542-0131bbc823bc@nic.cz>
From: Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp>
Message-ID: <dc68fa90-0d4c-b9d6-09cb-eec55b9f9077@necom830.hpcl.titech.ac.jp>
Date: Fri, 8 Feb 2019 08:28:54 +0900
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.5.0
MIME-Version: 1.0
In-Reply-To: <8a7a70e4-7214-c127-8542-0131bbc823bc@nic.cz>
Content-Type: text/plain; charset=iso-2022-jp; format=flowed; delsp=yes
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/YnfzUADAhzRtYu0xk1BoIcYPKHo>
Subject: Re: [DNSOP] RFC 1035 vs. mandatory NS at apex?
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Feb 2019 23:28:27 -0000

Petr Spacek wrote:

> Subject: [Technical Errata Reported] RFC1035 (5626)

I don't think errata is necessary.

>     5. At least one NS RR must be present at the top of the zone.

At least two.

						Masataka Ohta


From nobody Thu Feb  7 15:37:32 2019
Return-Path: <warren@kumari.net>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B1D0F130F12 for <dnsop@ietfa.amsl.com>; Thu,  7 Feb 2019 15:37:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.102
X-Spam-Level: 
X-Spam-Status: No, score=-1.102 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, MIME_BOUND_DIGITS_15=0.798, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=kumari-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dW8ptVtUMCNc for <dnsop@ietfa.amsl.com>; Thu,  7 Feb 2019 15:37:28 -0800 (PST)
Received: from mail-wm1-x336.google.com (mail-wm1-x336.google.com [IPv6:2a00:1450:4864:20::336]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A6017130F15 for <dnsop@ietf.org>; Thu,  7 Feb 2019 15:37:27 -0800 (PST)
Received: by mail-wm1-x336.google.com with SMTP id g67so1637022wmd.2 for <dnsop@ietf.org>; Thu, 07 Feb 2019 15:37:27 -0800 (PST)
X-Received: by 2002:a7b:c853:: with SMTP id c19mr6793038wml.61.1549582645660;  Thu, 07 Feb 2019 15:37:25 -0800 (PST)
MIME-Version: 1.0
References: <fcd790a2-414b-491e-01e2-9aa92f7b1c4e@nic.cz> <CAAeHe+xySnrvpD4-nhi3T0qiEmz8h0ZNUE_2kie7ctq8YPGRPA@mail.gmail.com> <56839e19-afe9-df4b-d432-09a949cc658c@nic.cz> <alpine.DEB.2.20.1902071648340.18720@grey.csi.cam.ac.uk>
In-Reply-To: <alpine.DEB.2.20.1902071648340.18720@grey.csi.cam.ac.uk>
From: Warren Kumari <warren@kumari.net>
Date: Thu, 7 Feb 2019 18:36:48 -0500
Message-ID: <CAHw9_iLOmCY1QFY8c6phU1cpMgQx02EqYuGHZ94mPEhNvX+kEA@mail.gmail.com>
To: Tony Finch <dot@dotat.at>
Cc: =?UTF-8?B?UGV0ciDFoHBhxI1law==?= <petr.spacek@nic.cz>,  dnsop <dnsop@ietf.org>, Kevin Darcy <kevin.darcy@fcagroup.com>
Content-Type: multipart/alternative; boundary="0000000000002525490581565386"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/wPE6pboTXcSDkq1kHsCjQq6UzjY>
Subject: Re: [DNSOP] RFC 1035 vs. mandatory NS at apex?
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Feb 2019 23:37:31 -0000

--0000000000002525490581565386
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

[ Top-post ]

So, I've been staring at the Errata which Petr submitted, and trying to
work out what to do.

I'd like to mark it as either Verified, but the errata process cannot be
used for fixing issues with the protocol itself, or adding additional
restrictions which may cause compatibility issues (otherwise we wouldn't be
able to have the fun of -bis documents :-)) -- so, what I'm trying to
figure out is if this was something where there was consensus *when RFC1035
was published* (and just missed when writing the list), or if it is a
new(er) restriction.

I agree that it should be checked, but I really want to be able to point at
something in 1034 / 1035 which says this.
Tony's below is close, but not quite there yet - it says they should be the
same, but not that it is an error in the zone file (the section is "5.2.
Use of master files to define zones") if they are not. So, can y'all help
me find evidence *from this timeframe* that shows that this was viewed as
true at that time?

Otherwise, I should be able to make it "Hold for Document Update":
"Changes that modify the working of a protocol to something that might be
different from the intended consensus when the document was approved should
be either Hold for Document Update or Rejected. Deciding between these two
depends on judgment. Changes that are clearly modifications to the intended
consensus, or involve large textual changes, should be Rejected. In unclear
situations, small changes can be Hold for Document Update. "

W



On Thu, Feb 7, 2019 at 12:00 PM Tony Finch <dot@dotat.at> wrote:

> Petr Špaček <petr.spacek@nic.cz> wrote:
> >
> > We (as developers in our office) all have had gut feeling that NS is
> > mandatory but we could not find it in the RFCs.
>
> There's this bit in RFC 1034 which discusses zone cuts and says the NS
> RRset above and below the cut should be exactly the same. DNS admins are
> generally too relaxed about allowing them to become inconsistent.
>
> : The RRs that describe cuts around the bottom of the zone are NS RRs that
> : name the servers for the subzones.  Since the cuts are between nodes,
> : these RRs are NOT part of the authoritative data of the zone, and should
> : be exactly the same as the corresponding RRs in the top node of the
> : subzone.  Since name servers are always associated with zone boundaries,
> : NS RRs are only found at nodes which are the top node of some zone.  In
> : the data that makes up a zone, NS RRs are found at the top node of the
> : zone (and are authoritative) and at cuts around the bottom of the zone
> : (where they are not authoritative), but never in between.
>
> See also RFC 1912 section 2.8:
>
>    Make sure your parent domain has the same NS records for your zone as
>    you do.
>
> Tony.
> --
> f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
> Dogger: West, backing southwest, 6 to gale 8. Moderate or rough,
> occasionally
> very rough. Occasional rain. Good occasionally
> poor._______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>


--
I don't think the execution is relevant when it was obviously a bad idea in
the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair of
pants.
   ---maf

--0000000000002525490581565386--


From nobody Thu Feb  7 15:42:11 2019
Return-Path: <marka@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4E0CA130F12 for <dnsop@ietfa.amsl.com>; Thu,  7 Feb 2019 15:42:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.9
X-Spam-Level: 
X-Spam-Status: No, score=-6.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PBDV1teOKpzC for <dnsop@ietfa.amsl.com>; Thu,  7 Feb 2019 15:42:07 -0800 (PST)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [IPv6:2001:4f8:0:2::2b]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 638EE130F01 for <dnsop@ietf.org>; Thu,  7 Feb 2019 15:42:07 -0800 (PST)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.pao1.isc.org (Postfix) with ESMTPS id EE87A3AB064; Thu,  7 Feb 2019 23:42:06 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id D7ECA160074; Thu,  7 Feb 2019 23:42:06 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id BA857160073; Thu,  7 Feb 2019 23:42:06 +0000 (UTC)
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id r5RIwhUCEWOW; Thu,  7 Feb 2019 23:42:06 +0000 (UTC)
Received: from [172.30.42.67] (c27-253-115-14.carlnfd2.nsw.optusnet.com.au [27.253.115.14]) by zmx1.isc.org (Postfix) with ESMTPSA id 0686D160044; Thu,  7 Feb 2019 23:42:05 +0000 (UTC)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
From: Mark Andrews <marka@isc.org>
In-Reply-To: <dc68fa90-0d4c-b9d6-09cb-eec55b9f9077@necom830.hpcl.titech.ac.jp>
Date: Fri, 8 Feb 2019 10:42:03 +1100
Cc: dnsop@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <F3F51C9A-B174-40CF-A79F-332DF7E66798@isc.org>
References: <fcd790a2-414b-491e-01e2-9aa92f7b1c4e@nic.cz> <CAAeHe+xySnrvpD4-nhi3T0qiEmz8h0ZNUE_2kie7ctq8YPGRPA@mail.gmail.com> <56839e19-afe9-df4b-d432-09a949cc658c@nic.cz> <06E02AB3-5E3B-4E1F-9B23-BB0810F73B66@fugue.com> <CA+nkc8BLA1wVSQ6DEbM7py98Rq94P-=XJtEBzcJAD9LOucN2Ew@mail.gmail.com> <8a7a70e4-7214-c127-8542-0131bbc823bc@nic.cz> <dc68fa90-0d4c-b9d6-09cb-eec55b9f9077@necom830.hpcl.titech.ac.jp>
To: Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/23fyFyAcSMdTZU_Vr8NvBqGaq4U>
Subject: Re: [DNSOP] RFC 1035 vs. mandatory NS at apex?
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Feb 2019 23:42:09 -0000

> On 8 Feb 2019, at 10:28 am, Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp> wrote:
>
> Petr Spacek wrote:
>
>> Subject: [Technical Errata Reported] RFC1035 (5626)
>
> I don't think errata is necessary.

Neither do I.

>>    5. At least one NS RR must be present at the top of the zone.
>
> At least two.

And address records for the name servers at top of zone MUST exist
if the names are in zone.  Similarly GLUE records must exist for
delegating NS records if they are below bottom of zone.  There
are a whole heap of checks that can be performed when you load
a zone.

That list was clearly not intended to be exhaustive.  Constructing
and getting consensus over an exhaustive list is likely to take
months.

Mark

> 						Masataka Ohta
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka@isc.org
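
The zone-load checks named in this thread (NS count at the apex, address records for in-zone name servers, glue for delegations, and the parent/child NS comparison quoted from RFC 1034), as an added example that is not part of any message in this archive and not code from BIND or any other project. It assumes a simplified "owner TYPE rdata" input with absolute names; the function names and the example.test zone data are constructed for illustration.

```python
"""Zone-load sanity checks (added example; zone data below is constructed)."""

ADDRESS_TYPES = {"A", "AAAA"}


def norm(name):
    """Lower-case a domain name and make it fully qualified."""
    return name.rstrip(".").lower() + "."


def in_domain(name, domain):
    """True if name equals domain or lies below it on a label boundary."""
    return domain == "." or name == domain or name.endswith("." + domain)


def parse_zone(text):
    """Parse simplified 'owner TYPE rdata' lines; ';' starts a comment."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        owner, rtype, rdata = line.split(None, 2)
        rtype = rtype.upper()
        if rtype == "NS":
            rdata = norm(rdata)
        records.append((norm(owner), rtype, rdata))
    return records


def ns_targets(records, owner):
    """Set of name server names in the NS RRset at owner."""
    return {rdata for o, t, rdata in records if o == owner and t == "NS"}


def check_zone(origin, records, min_ns=1):
    """Return a list of (problem, name) tuples for one zone.

    min_ns is a parameter because the thread disagrees on the floor:
    the erratum text says one NS RR at the apex, a reply says two.
    """
    origin = norm(origin)
    problems = []
    have_addr = {o for o, t, _ in records if t in ADDRESS_TYPES}

    apex_ns = ns_targets(records, origin)
    if len(apex_ns) < min_ns:
        problems.append(("apex-ns-count", origin))

    # Apex name servers named inside the zone need an address record.
    for target in sorted(apex_ns):
        if in_domain(target, origin) and target not in have_addr:
            problems.append(("missing-address", target))

    # Delegations: NS RRsets below the apex mark the zone cuts.
    cuts = sorted({o for o, t, _ in records
                   if t == "NS" and o != origin and in_domain(o, origin)})
    for cut in cuts:
        for target in sorted(ns_targets(records, cut)):
            # A server named at or below the cut is only reachable via glue.
            if in_domain(target, cut) and target not in have_addr:
                problems.append(("missing-glue", target))
    return problems


def delegation_mismatch(parent_records, child_origin, child_records):
    """Compare the parent's delegation NS RRset with the child's apex NS RRset.

    Returns (only_in_parent, only_in_child); both empty means they agree.
    """
    child_origin = norm(child_origin)
    parent_set = ns_targets(parent_records, child_origin)
    child_set = ns_targets(child_records, child_origin)
    return sorted(parent_set - child_set), sorted(child_set - parent_set)


# Constructed sample zones (reserved .test names, documentation addresses).
PARENT = parse_zone("""
example.test.      SOA ns1.example.test. hostmaster.example.test. 1 3600 600 86400 300
example.test.      NS  ns1.example.test.
example.test.      NS  ns2.example.test.
ns1.example.test.  A   192.0.2.1
; ns2.example.test. has no address record
sub.example.test.  NS  ns.sub.example.test.
sub.example.test.  NS  ns.other.test.
; ns.sub.example.test. has no glue
""")

CHILD = parse_zone("""
sub.example.test.      SOA ns.sub.example.test. hostmaster.example.test. 1 3600 600 86400 300
sub.example.test.      NS  ns.sub.example.test.
sub.example.test.      NS  ns3.sub.example.test.
ns.sub.example.test.   A   192.0.2.53
ns3.sub.example.test.  A   192.0.2.54
""")

if __name__ == "__main__":
    for problem in check_zone("example.test", PARENT):
        print("parent zone:", problem)
    print("NS mismatch:", delegation_mismatch(PARENT, "sub.example.test", CHILD))
```
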


From nobody Thu Feb  7 16:54:28 2019
Return-Path: <dot@dotat.at>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 26659127133 for <dnsop@ietfa.amsl.com>; Thu,  7 Feb 2019 16:54:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level: 
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=messagingengine.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id F5KCwmhsGran for <dnsop@ietfa.amsl.com>; Thu,  7 Feb 2019 16:54:23 -0800 (PST)
Received: from out2-smtp.messagingengine.com (out2-smtp.messagingengine.com [66.111.4.26]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AA6011274D0 for <dnsop@ietf.org>; Thu,  7 Feb 2019 16:54:23 -0800 (PST)
Received: from compute4.internal (compute4.nyi.internal [10.202.2.44]) by mailout.nyi.internal (Postfix) with ESMTP id 583EA22C10; Thu,  7 Feb 2019 19:54:22 -0500 (EST)
Received: from mailfrontend2 ([10.202.2.163]) by compute4.internal (MEProxy); Thu, 07 Feb 2019 19:54:22 -0500
Received: from [192.168.1.100] (unknown [195.147.34.210]) by mail.messagingengine.com (Postfix) with ESMTPA id 3BBE11030F; Thu,  7 Feb 2019 19:54:21 -0500 (EST)
Content-Type: multipart/alternative; boundary=Apple-Mail-0BC90843-C8B7-4BB4-9A8A-3228D0A0AD14
Mime-Version: 1.0 (1.0)
From: Tony Finch <dot@dotat.at>
X-Mailer: iPhone Mail (16C101)
In-Reply-To: <CAHw9_iLOmCY1QFY8c6phU1cpMgQx02EqYuGHZ94mPEhNvX+kEA@mail.gmail.com>
Date: Fri, 8 Feb 2019 00:54:19 +0000
Cc: =?utf-8?Q?Petr_=C5=A0pa=C4=8Dek?= <petr.spacek@nic.cz>, dnsop <dnsop@ietf.org>, Kevin Darcy <kevin.darcy@fcagroup.com>
Content-Transfer-Encoding: 7bit
Message-Id: <10CCD09E-C254-470E-BA41-A0FDCBDC4902@dotat.at>
References: <fcd790a2-414b-491e-01e2-9aa92f7b1c4e@nic.cz> <CAAeHe+xySnrvpD4-nhi3T0qiEmz8h0ZNUE_2kie7ctq8YPGRPA@mail.gmail.com> <56839e19-afe9-df4b-d432-09a949cc658c@nic.cz> <alpine.DEB.2.20.1902071648340.18720@grey.csi.cam.ac.uk> <CAHw9_iLOmCY1QFY8c6phU1cpMgQx02EqYuGHZ94mPEhNvX+kEA@mail.gmail.com>
To: Warren Kumari <warren@kumari.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Ikl96wnhKJd4Tvoakmx3PWeLN9g>
Subject: Re: [DNSOP] RFC 1035 vs. mandatory NS at apex?
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Feb 2019 00:54:26 -0000

--Apple-Mail-0BC90843-C8B7-4BB4-9A8A-3228D0A0AD14
Content-Type: text/plain;
	charset=utf-8
Content-Transfer-Encoding: quoted-printable


> On 7 Feb 2019, at 23:36, Warren Kumari <warren@kumari.net> wrote:
>
> I agree that it should be checked, but I really want to be able to
> point at something in 1034 / 1035 which says this.
> Tony's below is close, but not quite there yet - it says they should
> be the same, but not that it is an error in the zone file (the section
> is "5.2. Use of master files to define zones") if they are not. So,
> can y'all help me find evidence *from this timeframe* that shows that
> this was viewed as true at that time?
>

RFC 1033:

> NS records for a domain exist in both the zone that delegates the
> domain, and in the domain itself.


This says they can’t be missing from the domain itself.

Tony.
-- 
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at


--Apple-Mail-0BC90843-C8B7-4BB4-9A8A-3228D0A0AD14--


From nobody Thu Feb  7 17:09:54 2019
Return-Path: <warren@kumari.net>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1D45B1277D2 for <dnsop@ietfa.amsl.com>; Thu,  7 Feb 2019 17:09:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level: 
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=kumari-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3El2mSftO9Oi for <dnsop@ietfa.amsl.com>; Thu,  7 Feb 2019 17:09:51 -0800 (PST)
Received: from mail-wm1-x334.google.com (mail-wm1-x334.google.com [IPv6:2a00:1450:4864:20::334]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B5D9C1274D0 for <dnsop@ietf.org>; Thu,  7 Feb 2019 17:09:50 -0800 (PST)
Received: by mail-wm1-x334.google.com with SMTP id t200so1801928wmt.0 for <dnsop@ietf.org>; Thu, 07 Feb 2019 17:09:50 -0800 (PST)
X-Received: by 2002:a1c:f605:: with SMTP id w5mr9807887wmc.116.1549588188873;  Thu, 07 Feb 2019 17:09:48 -0800 (PST)
MIME-Version: 1.0
References: <fcd790a2-414b-491e-01e2-9aa92f7b1c4e@nic.cz> <CAAeHe+xySnrvpD4-nhi3T0qiEmz8h0ZNUE_2kie7ctq8YPGRPA@mail.gmail.com> <56839e19-afe9-df4b-d432-09a949cc658c@nic.cz> <06E02AB3-5E3B-4E1F-9B23-BB0810F73B66@fugue.com> <CA+nkc8BLA1wVSQ6DEbM7py98Rq94P-=XJtEBzcJAD9LOucN2Ew@mail.gmail.com> <8a7a70e4-7214-c127-8542-0131bbc823bc@nic.cz> <dc68fa90-0d4c-b9d6-09cb-eec55b9f9077@necom830.hpcl.titech.ac.jp> <F3F51C9A-B174-40CF-A79F-332DF7E66798@isc.org>
In-Reply-To: <F3F51C9A-B174-40CF-A79F-332DF7E66798@isc.org>
From: Warren Kumari <warren@kumari.net>
Date: Thu, 7 Feb 2019 20:09:12 -0500
Message-ID: <CAHw9_iJ0+9r3etFjDObWjEe1wLawxKWYB4ThmWtoqv_rZoWU8A@mail.gmail.com>
To: Mark Andrews <marka@isc.org>
Cc: Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp>, dnsop <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000008be4e00581579db5"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Uj6UkkD4NSgV1FX14rz6lApfkSc>
Subject: Re: [DNSOP] RFC 1035 vs. mandatory NS at apex?
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Feb 2019 01:09:53 -0000

--0000000000008be4e00581579db5
Content-Type: text/plain; charset="UTF-8"

On Thu, Feb 7, 2019 at 6:42 PM Mark Andrews <marka@isc.org> wrote:

>
>
> > On 8 Feb 2019, at 10:28 am, Masataka Ohta <
> mohta@necom830.hpcl.titech.ac.jp> wrote:
> >
> > Petr Spacek wrote:
> >
> >> Subject: [Technical Errata Reported] RFC1035 (5626)
> >
> > I don't think errata is necessary.
>
> Neither do I.
>
> >>    5. At least one NS RR must be present at the top of the zone.
> >
> > At least two.
>
> And address records for the name servers at top of zone MUST exist.
> if the names are in zone.  Similarly GLUE records must exist for
> delegating NS records if they are below bottom of zone.  There
> are a whole heap of checks that can be performed when you load
> a zone.
>
> That list was clearly not intended to be exhaustive.  Constructing
> and getting consensus over an exhaustive list is likely to take
> months.
>

Ok, fair.
I'll do "Hold for Document Update":
"Hold for Document Update - The erratum is not a necessary update to the
RFC. However, any future update of the document might consider this
erratum, and determine whether it is correct and merits including in the
update. "

If people read the errata they will see it listed.
W



>
> Mark
>
> >                                               Masataka Ohta
> >
> > _______________________________________________
> > DNSOP mailing list
> > DNSOP@ietf.org
> > https://www.ietf.org/mailman/listinfo/dnsop
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742              INTERNET: marka@isc.org
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>


-- 
I don't think the execution is relevant when it was obviously a bad idea in
the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair of
pants.
   ---maf

--0000000000008be4e00581579db5--


From nobody Thu Feb  7 17:53:41 2019
Return-Path: <jabley@hopcount.ca>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E1EF712D4F3 for <dnsop@ietfa.amsl.com>; Thu,  7 Feb 2019 17:53:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level: 
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=hopcount.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Gr5PcQ_qEkBe for <dnsop@ietfa.amsl.com>; Thu,  7 Feb 2019 17:53:37 -0800 (PST)
Received: from mail-it1-x12d.google.com (mail-it1-x12d.google.com [IPv6:2607:f8b0:4864:20::12d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ABAA21274D0 for <dnsop@ietf.org>; Thu,  7 Feb 2019 17:53:37 -0800 (PST)
Received: by mail-it1-x12d.google.com with SMTP id r6so5349573itk.0 for <dnsop@ietf.org>; Thu, 07 Feb 2019 17:53:37 -0800 (PST)
X-Received: by 2002:a05:660c:91:: with SMTP id t17mr5988744itj.41.1549590816853;  Thu, 07 Feb 2019 17:53:36 -0800 (PST)
Received: from [199.212.90.100] (198-84-215-70.cpe.teksavvy.com. [198.84.215.70]) by smtp.gmail.com with ESMTPSA id f21sm567422itc.14.2019.02.07.17.53.35 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 07 Feb 2019 17:53:35 -0800 (PST)
From: Joe Abley <jabley@hopcount.ca>
Message-Id: <7751AB0C-F738-4270-9C7E-2937F773187F@hopcount.ca>
Content-Type: multipart/alternative; boundary="Apple-Mail=_D0EBB4EC-C6EF-44CE-9DE0-F751F119E1D2"
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
Date: Thu, 7 Feb 2019 20:53:34 -0500
In-Reply-To: <dc68fa90-0d4c-b9d6-09cb-eec55b9f9077@necom830.hpcl.titech.ac.jp>
Cc: dnsop@ietf.org
To: Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp>
References: <fcd790a2-414b-491e-01e2-9aa92f7b1c4e@nic.cz> <CAAeHe+xySnrvpD4-nhi3T0qiEmz8h0ZNUE_2kie7ctq8YPGRPA@mail.gmail.com> <56839e19-afe9-df4b-d432-09a949cc658c@nic.cz> <06E02AB3-5E3B-4E1F-9B23-BB0810F73B66@fugue.com> <CA+nkc8BLA1wVSQ6DEbM7py98Rq94P-=XJtEBzcJAD9LOucN2Ew@mail.gmail.com> <8a7a70e4-7214-c127-8542-0131bbc823bc@nic.cz> <dc68fa90-0d4c-b9d6-09cb-eec55b9f9077@necom830.hpcl.titech.ac.jp>
X-Mailer: Apple Mail (2.3445.102.3)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/VtjkiC6NL-s6RQpCM6Z69_zWZGQ>
Subject: Re: [DNSOP] RFC 1035 vs. mandatory NS at apex?
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Feb 2019 01:53:40 -0000

--Apple-Mail=_D0EBB4EC-C6EF-44CE-9DE0-F751F119E1D2
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=us-ascii

Ohta-san,

On 7 Feb 2019, at 18:28, Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp> wrote:

> Petr Spacek wrote:
>
>>    5. At least one NS RR must be present at the top of the zone.
>
> At least two.

With respect, I think the protocol requirement is at least one, not at
least two.

I think best current practice is to avoid single-points of failure with
the set of servers used to provide authoritative answers, and I agree
that in many cases this is codified in user interfaces and registry
policy as requiring two NS RRs. However, there is no shortage of such
multiple RRs that refer to a single subnet or even a single instance of
a nameserver process (so "at least two" is sometimes insufficient), and
it's perfectly possible to use anycast or both A and AAAA RRs attached
to a single nameserver name that provide much more useful diversity
than those degenerate two-NS implementations (so "just one" could in
some circumstances be adequate).

RFC 7108 describes the implementation of a method that includes a single
point-of-failure by design (see discussion of
IDENTITY.L.ROOT-SERVERS.ORG in section 5).

In short, this is an operational question with multiple answers and I
don't like the idea of formalising an over-simplistic restriction in the
protocol specification.


Joe

--Apple-Mail=_D0EBB4EC-C6EF-44CE-9DE0-F751F119E1D2--


From nobody Thu Feb  7 18:06:18 2019
Return-Path: <marka@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9C6F3130E25 for <dnsop@ietfa.amsl.com>; Thu,  7 Feb 2019 18:06:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.901
X-Spam-Level: 
X-Spam-Status: No, score=-6.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9TkhgnpANWG4 for <dnsop@ietfa.amsl.com>; Thu,  7 Feb 2019 18:06:15 -0800 (PST)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [IPv6:2001:4f8:0:2::2b]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 90362129AA0 for <dnsop@ietf.org>; Thu,  7 Feb 2019 18:06:15 -0800 (PST)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.pao1.isc.org (Postfix) with ESMTPS id 6BE3F3AB05B; Fri,  8 Feb 2019 02:06:15 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id 53B9E160044; Fri,  8 Feb 2019 02:06:15 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id 3BF0B160066; Fri,  8 Feb 2019 02:06:15 +0000 (UTC)
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id vznTL54mJvcP; Fri,  8 Feb 2019 02:06:15 +0000 (UTC)
Received: from [172.30.42.67] (c27-253-115-14.carlnfd2.nsw.optusnet.com.au [27.253.115.14]) by zmx1.isc.org (Postfix) with ESMTPSA id 08DAF160044; Fri,  8 Feb 2019 02:06:13 +0000 (UTC)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
From: Mark Andrews <marka@isc.org>
In-Reply-To: <7751AB0C-F738-4270-9C7E-2937F773187F@hopcount.ca>
Date: Fri, 8 Feb 2019 13:06:10 +1100
Cc: Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp>, dnsop@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <2B4B9C25-F2CF-43D3-B0CC-64E7D7CA7D6C@isc.org>
References: <fcd790a2-414b-491e-01e2-9aa92f7b1c4e@nic.cz> <CAAeHe+xySnrvpD4-nhi3T0qiEmz8h0ZNUE_2kie7ctq8YPGRPA@mail.gmail.com> <56839e19-afe9-df4b-d432-09a949cc658c@nic.cz> <06E02AB3-5E3B-4E1F-9B23-BB0810F73B66@fugue.com> <CA+nkc8BLA1wVSQ6DEbM7py98Rq94P-=XJtEBzcJAD9LOucN2Ew@mail.gmail.com> <8a7a70e4-7214-c127-8542-0131bbc823bc@nic.cz> <dc68fa90-0d4c-b9d6-09cb-eec55b9f9077@necom830.hpcl.titech.ac.jp> <7751AB0C-F738-4270-9C7E-2937F773187F@hopcount.ca>
To: Joe Abley <jabley@hopcount.ca>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/B--AojWZu_E_b3Y8YOCbZxpOQxI>
Subject: Re: [DNSOP] RFC 1035 vs. mandatory NS at apex?
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Feb 2019 02:06:17 -0000

> On 8 Feb 2019, at 12:53 pm, Joe Abley <jabley@hopcount.ca> wrote:
>
> Ohta-san,
>
> On 7 Feb 2019, at 18:28, Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp> wrote:
>
>> Petr Spacek wrote:
>>
>>>    5. At least one NS RR must be present at the top of the zone.
>>
>> At least two.
>
> With respect, I think the protocol requirement is at least one, not at
> least two.
>
> I think best current practice is to avoid single-points of failure
> with the set of servers used to provide authoritative answers, and I
> agree that in many cases this is codified in user interfaces and
> registry policy as requiring two NS RRs. However, there is no shortage
> of such multiple RRs that refer to a single subnet or even a single
> instance of a nameserver process (so "at least two" is sometimes
> insufficient), and it's perfectly possible to use anycast or both A and
> AAAA RRs attached to a single nameserver name that provide much
> more useful diversity than those degenerate two-NS implementations (so
> "just one" could in some circumstances be adequate).

A single anycast server DOES NOT and never can provide diversity from
the client’s perspective.
Additionally multiple servers in the same /24 (IPv4) or same /48 (IPv6)
should be treated as a
single server for diversity testing as these are accepted longest
accepted prefixes.

> RFC 7108 describes the implementation of a method that includes a
> single point-of-failure by design (see discussion of
> IDENTITY.L.ROOT-SERVERS.ORG in section 5).
>
> In short, this is an operational question with multiple answers and I
> don't like the idea of formalising an over-simplistic restriction in the
> protocol specification.
>
>
> Joe
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka@isc.org
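
The zone-load checks discussed in this thread (an NS RR at the apex, address records for in-zone name servers, glue for delegations whose servers sit below the cut, and counting servers in the same /24 or /48 as one for diversity testing), sketched as an added example that is not part of any message in the thread and not code from any name server. The function names, finding labels, the choice to report low diversity as a warning rather than an error, and the sample zone are assumptions made for illustration.

```python
import ipaddress

# Constructed sample zone data (not from the thread): (owner, type, rdata).
ZONE_ORIGIN = "example.com."
SAMPLE_RECORDS = [
    ("example.com.", "SOA", "ns1.example.com. hostmaster.example.com. 1 3600 600 86400 300"),
    ("example.com.", "NS", "ns1.example.com."),
    ("example.com.", "NS", "ns2.example.com."),
    ("ns1.example.com.", "A", "192.0.2.1"),
    ("ns2.example.com.", "A", "192.0.2.53"),            # same /24 as ns1
    ("sub.example.com.", "NS", "ns.sub.example.com."),  # delegation, glue absent
]


def norm(name):
    """Lower-case a domain name and make it fully qualified."""
    return name.lower().rstrip(".") + "."


def in_or_below(name, parent):
    """True if name equals parent or is a descendant of it."""
    name, parent = norm(name), norm(parent)
    return parent == "." or name == parent or name.endswith("." + parent)


def diversity_prefix(addr):
    """Collapse an address to the /24 (IPv4) or /48 (IPv6) that contains it."""
    ip = ipaddress.ip_address(addr)
    plen = 24 if ip.version == 4 else 48
    return ipaddress.ip_network(f"{ip}/{plen}", strict=False)


def check_zone(origin, records):
    """Return a list of (severity, code, name) findings for one zone."""
    origin = norm(origin)
    ns, addrs = {}, {}
    for owner, rtype, rdata in records:
        owner = norm(owner)
        if rtype == "NS":
            ns.setdefault(owner, set()).add(norm(rdata))
        elif rtype in ("A", "AAAA"):
            addrs.setdefault(owner, set()).add(rdata)

    findings = []
    apex_ns = ns.get(origin, set())

    # At least one NS RR must be present at the top of the zone.
    if not apex_ns:
        findings.append(("error", "no-apex-ns", origin))

    # Apex name servers named inside the zone need address records.
    for target in sorted(apex_ns):
        if in_or_below(target, origin) and target not in addrs:
            findings.append(("error", "missing-address", target))

    # Delegations whose servers live at or below the cut need glue.
    for owner in sorted(ns):
        if owner == origin or not in_or_below(owner, origin):
            continue
        for target in sorted(ns[owner]):
            if in_or_below(target, owner) and target not in addrs:
                findings.append(("error", "missing-glue", target))

    # Diversity: servers sharing a /24 or /48 count as one server.
    # Only judged when every apex server's address is in the zone data;
    # out-of-zone servers cannot be assessed offline.
    # Assumption: fewer than two distinct prefixes is reported as a warning.
    if apex_ns and all(t in addrs for t in apex_ns):
        prefixes = {diversity_prefix(a) for t in apex_ns for a in addrs[t]}
        if len(prefixes) < 2:
            findings.append(("warning", "low-diversity", origin))
    return findings


if __name__ == "__main__":
    for finding in check_zone(ZONE_ORIGIN, SAMPLE_RECORDS):
        print(*finding)
```
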


From nobody Thu Feb  7 18:16:55 2019
From: Joe Abley <jabley@hopcount.ca>
In-Reply-To: <2B4B9C25-F2CF-43D3-B0CC-64E7D7CA7D6C@isc.org>
Date: Thu, 7 Feb 2019 21:16:48 -0500
Cc: Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp>, dnsop@ietf.org
Message-Id: <9A3C20FC-CCA2-4902-9153-D4E7F696B9DA@hopcount.ca>
References: <fcd790a2-414b-491e-01e2-9aa92f7b1c4e@nic.cz> <CAAeHe+xySnrvpD4-nhi3T0qiEmz8h0ZNUE_2kie7ctq8YPGRPA@mail.gmail.com> <56839e19-afe9-df4b-d432-09a949cc658c@nic.cz> <06E02AB3-5E3B-4E1F-9B23-BB0810F73B66@fugue.com> <CA+nkc8BLA1wVSQ6DEbM7py98Rq94P-=XJtEBzcJAD9LOucN2Ew@mail.gmail.com> <8a7a70e4-7214-c127-8542-0131bbc823bc@nic.cz> <dc68fa90-0d4c-b9d6-09cb-eec55b9f9077@necom830.hpcl.titech.ac.jp> <7751AB0C-F738-4270-9C7E-2937F773187F@hopcount.ca> <2B4B9C25-F2CF-43D3-B0CC-64E7D7CA7D6C@isc.org>
To: Mark Andrews <marka@isc.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/O1-s8aIecvhJ0I9L9VZz8SE_bDU>
Subject: Re: [DNSOP] RFC 1035 vs. mandatory NS at apex?

On 7 Feb 2019, at 21:06, Mark Andrews <marka@isc.org> wrote:

> On 8 Feb 2019, at 12:53 pm, Joe Abley <jabley@hopcount.ca> wrote:
>
>> Ohta-san,
>>
>> On 7 Feb 2019, at 18:28, Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp> wrote:
>>
>>> Petr Spacek wrote:
>>>
>>>>   5. At least one NS RR must be present at the top of the zone.
>>>
>>> At least two.
>>
>> With respect, I think the protocol requirement is at least one, not at least two.
>>
>> I think best current practice is to avoid single-points of failure with the set of servers used to provide authoritative answers, and I agree that in many cases this is codified in user interfaces and registry policy as requiring two NS RRs. However, there is no shortage of such multiple RRs that refer to a single subnet or even a single instance of a nameserver process (so "at least two" is sometimes insufficient), and it's perfectly possible to use anycast or both A and AAAA RRs attached to a single nameserver name that provide much more useful diversity than those degenerate two-NS implementations (so "just one" could in some circumstances be adequate).
>
> A single anycast server DOES NOT and never can provide diversity from the client’s perspective.
> Additionally multiple servers in the same /24 (IPv4) or same /48 (IPv6) should be treated as a single server for diversity testing as these are the longest accepted prefixes.

That depends on what you mean by "server" and how things are provisioned. It's not 1981 and there are many valid approaches for the removal of the outer feline layers.

I'll suggest that while recommendations and guidance about formulating a risk analysis are valuable outputs for this working group, absolute and broad statements are best viewed with suspicion. No individual, no matter how well-informed and well-intentioned, can possibly know with certainty the complete situation of every relying party.

I think it's best for this working group to stick to what it's good at.


Joe


From nobody Thu Feb  7 20:11:49 2019
To: Mark Andrews <marka@isc.org>, Joe Abley <jabley@hopcount.ca>
Cc: dnsop@ietf.org
References: <fcd790a2-414b-491e-01e2-9aa92f7b1c4e@nic.cz> <CAAeHe+xySnrvpD4-nhi3T0qiEmz8h0ZNUE_2kie7ctq8YPGRPA@mail.gmail.com> <56839e19-afe9-df4b-d432-09a949cc658c@nic.cz> <06E02AB3-5E3B-4E1F-9B23-BB0810F73B66@fugue.com> <CA+nkc8BLA1wVSQ6DEbM7py98Rq94P-=XJtEBzcJAD9LOucN2Ew@mail.gmail.com> <8a7a70e4-7214-c127-8542-0131bbc823bc@nic.cz> <dc68fa90-0d4c-b9d6-09cb-eec55b9f9077@necom830.hpcl.titech.ac.jp> <7751AB0C-F738-4270-9C7E-2937F773187F@hopcount.ca> <2B4B9C25-F2CF-43D3-B0CC-64E7D7CA7D6C@isc.org>
From: Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp>
Message-ID: <eab3b6a6-6032-c09c-7082-95eb295b823f@necom830.hpcl.titech.ac.jp>
Date: Fri, 8 Feb 2019 13:12:14 +0900
In-Reply-To: <2B4B9C25-F2CF-43D3-B0CC-64E7D7CA7D6C@isc.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/7o5LC3vPBeu2zYG8ItEg9e40pic>
Subject: Re: [DNSOP] RFC 1035 vs. mandatory NS at apex?

Mark Andrews wrote:

> A single anycast server DOES NOT and never can provide diversity from the client’s perspective.
> Additionally multiple servers in the same /24 (IPv4) or same /48 (IPv6) should be treated as a
> single server for diversity testing as these are the longest accepted prefixes.

This WG should conclude that IPv6-style anycast is useless and
tell the IESG to obsolete it.

>> RFC 7108 describes the implementation of a method that includes a single point-of-failure by design (see discussion of IDENTITY.L.ROOT-SERVERS.ORG in section 5).
>>
>> In short, this is an operational question with multiple answers and I don't like the idea of formalising an over-simplistic restriction in the protocol specification.

How do you do IPv6 anycast with L servers?

							Masataka Ohta


From nobody Thu Feb  7 20:17:18 2019
From: Joe Abley <jabley@hopcount.ca>
References: <fcd790a2-414b-491e-01e2-9aa92f7b1c4e@nic.cz> <CAAeHe+xySnrvpD4-nhi3T0qiEmz8h0ZNUE_2kie7ctq8YPGRPA@mail.gmail.com> <56839e19-afe9-df4b-d432-09a949cc658c@nic.cz> <06E02AB3-5E3B-4E1F-9B23-BB0810F73B66@fugue.com> <CA+nkc8BLA1wVSQ6DEbM7py98Rq94P-=XJtEBzcJAD9LOucN2Ew@mail.gmail.com> <8a7a70e4-7214-c127-8542-0131bbc823bc@nic.cz> <dc68fa90-0d4c-b9d6-09cb-eec55b9f9077@necom830.hpcl.titech.ac.jp> <7751AB0C-F738-4270-9C7E-2937F773187F@hopcount.ca> <2B4B9C25-F2CF-43D3-B0CC-64E7D7CA7D6C@isc.org> <eab3b6a6-6032-c09c-7082-95eb295b823f@necom830.hpcl.titech.ac.jp>
In-Reply-To: <eab3b6a6-6032-c09c-7082-95eb295b823f@necom830.hpcl.titech.ac.jp>
Date: Thu, 7 Feb 2019 20:17:11 -0800
Message-ID: <CAJhMdTMcpBGghvgJ-qfsZfm7zC-Ndk0Jar_cRGkfrTvE_NkcyQ@mail.gmail.com>
To: Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp>
Cc: Mark Andrews <marka@isc.org>, dnsop@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/BuE-Nkn1DU6QkrF7dyKflDuKzkc>
Subject: Re: [DNSOP] RFC 1035 vs. mandatory NS at apex?

On Feb 7, 2019, at 23:12, Masataka Ohta
<mohta@necom830.hpcl.titech.ac.jp> wrote:

>>> In short, this is an operational question with multiple answers and I don't like the idea of formalising an over-simplistic restriction in the protocol specification.
>
> How do you do IPv6 anycast with L servers?

That question seems a bit tangential, but in any case the simple
answer is I don't. You might ask the people who operate the ICANN root
server if you want a more useful answer; I haven't been in that team
since 2013.


Joe


From nobody Fri Feb  8 01:13:50 2019
From: Alexander Mayrhofer <alexander.mayrhofer@nic.at>
To: Paul Hoffman <paul.hoffman@icann.org>, John Levine <johnl@taugh.com>
CC: "dnsop@ietf.org" <dnsop@ietf.org>
Date: Fri, 8 Feb 2019 09:13:40 +0000
Message-ID: <19F54F2956911544A32543B8A9BDE0759FBCDEC9@NICS-EXCH2.sbg.nic.at>
References: <20190207192903.2BDB2200DF041A@ary.qy> <CED462CB-6C71-43CA-ADC3-FEE9887B1176@icann.org>
In-Reply-To: <CED462CB-6C71-43CA-ADC3-FEE9887B1176@icann.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/zFyDIY_owCnnpa7x6xWYXECO--E>
Subject: Re: [DNSOP] [Ext]  draft-ietf-dnsop-attrleaf vs. RFC7553

Hi,

> From: Paul Hoffman <paul.hoffman@icann.org>
> Sent: Thursday, 7 February 2019 22:45

[..]

> > Dave moved the duct tape patching up all the places that defined
> > underscored names to draft-ietf-dnsop-attrleaf-fix.
> >
> > See sections 2.3 and 2.3 for URI records.
> >

Oh, I should have looked at the attrleaf-fix too, yes. I think that works, I'll go forward with the suggested text for registration of a global underscored node name. Pretty straightforward.

> > It's still a draft so if it seems wrong, send text.
>
> It is a draft, but it has been in the RFC Editor's queue for 2.5 months. Unless
> there is a technical problem, fixing it now (without WG review) could cause
> more harm than benefit.

I agree. I actually waited with the revision of my draft to the very last moment, because I was hoping the attrleaf cluster makes it through the RFC editors before my draft expires ;)

Thanks!
Alex


From nobody Fri Feb  8 01:28:12 2019
From: Normen Kowalewski <nbkowalewski@gmx.net>
Message-Id: <1110971C-F693-41F6-9CE4-2CDF2A4184E4@gmx.net>
Content-Type: multipart/alternative; boundary="Apple-Mail=_01FE93E4-52B8-4526-A8BF-1AB7B89E1666"
Date: Fri, 8 Feb 2019 10:27:55 +0100
In-Reply-To: <0F4355DC-CC6C-430B-AE8E-6FB5A44FD9C8@fugue.com>
Cc: "dnsop@ietf.org" <dnsop@ietf.org>
To: Ted Lemon <mellon@fugue.com>, Tony Finch <dot@dotat.at>
References: <fcd790a2-414b-491e-01e2-9aa92f7b1c4e@nic.cz> <CC75C79C-E5FB-4C91-9453-103E36EDC505@fugue.com> <48a12f46-eee1-823e-a448-8f3b0d973f7d@nic.cz> <F821C2A2-BD6F-41D1-A2D6-3928E783614B@fugue.com> <alpine.DEB.2.20.1902071407530.18720@grey.csi.cam.ac.uk> <0F4355DC-CC6C-430B-AE8E-6FB5A44FD9C8@fugue.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/vtwqWDElGHw_4IIApO5tn015It4>
Subject: Re: [DNSOP] RFC 1035 vs. mandatory NS at apex?

--Apple-Mail=_01FE93E4-52B8-4526-A8BF-1AB7B89E1666
Content-Type: text/plain; charset=utf-8

Hi Tony, Ted,


seem to not be a DNSOP specific thing: Obviously the inherent understanding of what consensus is at the time of creation of the textual representation of that consensus may be still ambiguous at time of writing to some, however may also become ambiguous over time, in part because over time ALL originators of a text might no longer be reachable for questions, and also there may be no snippets of text that could be cited from WG mailing lists.

Feels to me like something is needed as a tool to augment this, something that can more formally represent what the consensus requirements and definitions indeed are. IMHO to grow the set of representations of DNS in form of a suite of RFC7950 YANG based models could help for many such clarification cases, completely independent from the general usefulness of gaining an interoperable representation of DNS related data.

BR,
Normen

> On 7. Feb 2019, at 15:40, Ted Lemon <mellon@fugue.com> wrote:
>
> On Feb 7, 2019, at 9:16 AM, Tony Finch <dot@dotat.at> wrote:
>> But in this scenario things soon go wrong, because RFC 2181 says the
>> NODATA reply replaces the delegation records in the resolver's cache. This
>> means that if a client explicitly asks for the NS records of a zone that
>> lacks them, resolution for other records in the zone will subsequently
>> fail.
>
> Ah, there you have it.   So then it _is_ required.   Kevin’s point also points in that direction.
>
> Is there somewhere in a later spec where this is stated explicitly, then?


--Apple-Mail=_01FE93E4-52B8-4526-A8BF-1AB7B89E1666--


From nobody Fri Feb  8 05:58:59 2019
Return-Path: <alex.mayrhofer.ietf@gmail.com>
MIME-Version: 1.0
References: <154963392249.31188.16873618915255886209.idtracker@ietfa.amsl.com>
In-Reply-To: <154963392249.31188.16873618915255886209.idtracker@ietfa.amsl.com>
From: Alexander Mayrhofer <alex.mayrhofer.ietf@gmail.com>
Date: Fri, 8 Feb 2019 14:58:38 +0100
Message-ID: <CAHXf=0r0DqC_XHw-2=h4ZkH5SgjzTjPMuML3GjxtQbe6so3=vw@mail.gmail.com>
To: IETF DNSOP WG <dnsop@ietf.org>, din@irtf.org
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/ZTufEuXSC4NWFcTs1-2tsVtRudY>
Subject: [DNSOP] Fwd: New Version Notification for draft-mayrhofer-did-dns-01.txt

FYI,

I've submitted a new revision of the DID-DNS draft (publishing
Decentralized Identifiers in the DNS). The major changes in this
revision are:

- The registration for the _did Label is now performed via the Global
Underscore Name registry (see draft-ietf-dnsop-attrleaf, currently in
RFC editor queue)
- The experimental "email" method uses _mailto._did as scope selector
(rather than plain _did). This allows for clean separation of other
future services using the scheme.

Feedback highly appreciated,
Alex

---------- Forwarded message ---------
From: <internet-drafts@ietf.org>
Date: Fri, Feb 8, 2019 at 2:52 PM
Subject: New Version Notification for draft-mayrhofer-did-dns-01.txt
To: Dimitrij Klesev <dimitrij.klesev@nic.at>, Alexander Mayrhofer
<alex.mayrhofer.ietf@gmail.com>, Markus Sabadello
<markus@danubetech.com>



A new version of I-D, draft-mayrhofer-did-dns-01.txt
has been successfully submitted by Alexander Mayrhofer and posted to the
IETF repository.

Name:           draft-mayrhofer-did-dns
Revision:       01
Title:          The Decentralized Identifier (DID) in the DNS
Document date:  2019-02-08
Group:          Individual Submission
Pages:          7
URL:            https://www.ietf.org/internet-drafts/draft-mayrhofer-did-dns-01.txt
Status:         https://datatracker.ietf.org/doc/draft-mayrhofer-did-dns/
Htmlized:       https://tools.ietf.org/html/draft-mayrhofer-did-dns-01
Htmlized:       https://datatracker.ietf.org/doc/html/draft-mayrhofer-did-dns
Diff:           https://www.ietf.org/rfcdiff?url2=draft-mayrhofer-did-dns-01

Abstract:
   This document specifies the use of the URI Resource Record Type to
   publish Decentralized Identifiers (DIDs) in the DNS.




Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat


From nobody Fri Feb  8 07:38:50 2019
Return-Path: <tjw.ietf@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Tim Wicinski <tjw.ietf@gmail.com>
To: <warren@kumari.net>
X-Test-IDTracker: no
X-IETF-IDTracker: 6.91.0
Auto-Submitted: auto-generated
Precedence: bulk
Cc: Tim Wicinski <tjw.ietf@gmail.com>, tjw.ietf@gmail.com, dnsop@ietf.org, iesg-secretary@ietf.org, dnsop-chairs@ietf.org
Message-ID: <154964032882.31156.17055958005467105357.idtracker@ietfa.amsl.com>
Date: Fri, 08 Feb 2019 07:38:48 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/186JrdkH2sLVFvKFsR1U5924yac>
Subject: [DNSOP] Publication has been requested for draft-ietf-dnsop-algorithm-update-04

Tim Wicinski has requested publication of draft-ietf-dnsop-algorithm-update-04 as Proposed Standard on behalf of the DNSOP working group.

Please verify the document's state at https://datatracker.ietf.org/doc/draft-ietf-dnsop-algorithm-update/


From nobody Fri Feb  8 09:07:12 2019
Return-Path: <sm@elandsys.com>
Message-Id: <6.2.5.6.2.20190208083642.0db88e00@elandnews.com>
X-Mailer: QUALCOMM Windows Eudora Version 6.2.5.6
Date: Fri, 08 Feb 2019 09:06:20 -0800
To: "Petr Špaček" <petr.spacek@nic.cz>, dnsop@ietf.org
From: S Moonesamy <sm+ietf@elandsys.com>
In-Reply-To: <fcd790a2-414b-491e-01e2-9aa92f7b1c4e@nic.cz>
References: <fcd790a2-414b-491e-01e2-9aa92f7b1c4e@nic.cz>
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"; format=flowed
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/48vxT6pupLPrJ7c5LJOTZlCfBvU>
Subject: Re: [DNSOP] RFC 1035 vs. mandatory NS at apex?

Hi Peter,
At 04:16 AM 07-02-2019, Petr Špaček wrote:
>here is a quiz for experienced RFC archeologists:
>
>https://tools.ietf.org/html/rfc1035#section-5.2
>section 5.2. Use of master files to define zones
>does not mention NS at apex at all, but it does explicitly mention SOA
>at apex. Can it be interpreted as if NS at apex is not mandatory?
>
>Funnily enough
>https://tools.ietf.org/html/rfc1035#section-5.3
>has an example which has NS at apex, but it is not clear from the text above.
>
>Is it mandatory or not? Should I submit erratum for RFC 1035?

RFC 1035 assumes that the reader is familiar with RFC 1034.  Section 5.2
of RFC 1035 discusses validity checks to be performed on the master
files used to define zones.  I would read Section 4.2 of RFC 1034 to
understand the technical considerations, e.g. is a NS needed or not.
The examples in RFC 1035 are "primarily pedagogical".  I suggest taking
into consideration that RFC 1035 is part of STD 13 for errata processing.

Regards,
S. Moonesamy
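
The checks under discussion in this thread, as an added example that is not part of the original message or of any RFC text: a Python sketch of the four load-time validity checks listed in RFC 1035 Section 5.2, plus an apex NS check. The apex NS check is this example's assumption, based on RFC 1034 Section 4.2.1 describing the top node by its NS RRs and a single SOA RR; the record tuples, zone contents and function names are constructed for illustration.

```python
"""Load-time zone validity checks (added example, simplified record model)."""

# A record is (owner, rr_class, rr_type, rdata); names are fully qualified and
# lower case. Master-file syntax ($ORIGIN, $TTL, relative names) is not parsed.


def in_zone(name, apex):
    """True if name is the apex itself or a descendant of it."""
    return name == apex or name.endswith("." + apex)


def check_zone(records, apex):
    """Return a list of (code, detail) problems; an empty list means loadable."""
    problems = []

    # Delegation points (zone cuts): NS owners strictly below the apex.
    cuts = {o for (o, _c, t, _r) in records
            if t == "NS" and o != apex and in_zone(o, apex)}
    # Name-server names referenced by those delegations.
    delegated_ns = {r for (o, _c, t, r) in records if t == "NS" and o in cuts}
    address_owners = {o for (o, _c, t, _r) in records if t in ("A", "AAAA")}

    # RFC 1035 section 5.2, check 1: all RRs in the file share one class.
    classes = sorted({c for (_o, c, _t, _r) in records})
    if len(classes) > 1:
        problems.append(("class", "mixed classes: " + ", ".join(classes)))

    # Check 2: exactly one SOA RR, at the top of the zone.
    soa_owners = [o for (o, _c, t, _r) in records if t == "SOA"]
    if soa_owners != [apex]:
        problems.append(("soa", f"need exactly one SOA at {apex}, got {soa_owners}"))

    # Apex NS: not in the section 5.2 list. Checked here as this example's
    # assumption, following RFC 1034 section 4.2.1 (top node = NS RRs + one SOA).
    if not any(o == apex and t == "NS" for (o, _c, t, _r) in records):
        problems.append(("apex-ns", f"no NS RRs at {apex}"))

    # Check 3: glue must be present where it is required, i.e. where the
    # delegated server's own name lies at or below the cut.
    for (o, _c, t, target) in records:
        needs_glue = t == "NS" and o in cuts and in_zone(target, o)
        if needs_glue and target not in address_owners:
            problems.append(("glue", f"{o} delegates to {target} without glue"))

    # Check 4: anything outside the authoritative nodes (outside the zone, or
    # strictly below a cut) must be glue, not the result of an origin error.
    for (o, _c, t, _r) in records:
        outside = not in_zone(o, apex) or any(o.endswith("." + c) for c in cuts)
        is_glue = t in ("A", "AAAA") and o in delegated_ns
        if outside and not is_glue:
            problems.append(("non-glue", f"{o} {t} is outside authoritative data"))

    return problems


APEX = "example.com."
SOA = "ns1.example.com. hostmaster.example.com. 1 7200 3600 1209600 3600"

# Constructed zone contents.
GOOD = [
    (APEX, "IN", "SOA", SOA),
    (APEX, "IN", "NS", "ns1.example.com."),
    (APEX, "IN", "NS", "ns2.example.net."),
    ("ns1.example.com.", "IN", "A", "192.0.2.53"),
    ("www.example.com.", "IN", "A", "192.0.2.80"),
    ("sub.example.com.", "IN", "NS", "ns.sub.example.com."),
    ("ns.sub.example.com.", "IN", "A", "192.0.2.54"),
]
# The case asked about in the thread: SOA at the apex but no NS there.
NO_APEX_NS = [r for r in GOOD if not (r[0] == APEX and r[2] == "NS")]
BROKEN = [
    (APEX, "IN", "SOA", SOA),
    (APEX, "IN", "NS", "ns1.example.com."),
    ("ns1.example.com.", "IN", "A", "192.0.2.53"),
    ("version.example.com.", "CH", "TXT", "constructed"),      # second class
    ("sub.example.com.", "IN", "NS", "ns.sub.example.com."),   # glue missing
    ("host.sub.example.com.", "IN", "TXT", "below the cut"),   # not glue
    ("www.example.org.", "IN", "A", "192.0.2.99"),             # origin error
]


def codes(records):
    """Problem codes only, in the order the checks report them."""
    return [code for code, _detail in check_zone(records, APEX)]


if __name__ == "__main__":
    for label, zone in (("GOOD", GOOD), ("NO_APEX_NS", NO_APEX_NS), ("BROKEN", BROKEN)):
        print(label, check_zone(zone, APEX))
```

A zone that passes the four Section 5.2 checks can still be reported here for the missing apex NS, which is the gap the question points at.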


From nobody Mon Feb 11 13:17:55 2019
Return-Path: <warren@kumari.net>
MIME-Version: 1.0
From: Warren Kumari <warren@kumari.net>
Date: Mon, 11 Feb 2019 16:17:07 -0500
Message-ID: <CAHw9_iKB4rd3ZPCrjovJHzPdpQG2k7n3gaCkhpXzyanJhxj_Kw@mail.gmail.com>
To: dnsop <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000efece60581a4d622"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/bA_GwSWcI-5uMCw_Qg0h-Zzq7e4>
Subject: [DNSOP] AD Review of draft-ietf-dnsop-algorithm-update

--000000000000efece60581a4d622
Content-Type: text/plain; charset="UTF-8"

Hi there,

Section 1.2.  Updating Algorithm Requirement Levels says:
"[RFC2119] considers the term SHOULD equivalent to RECOMMENDED, and
   SHOULD NOT equivalent to NOT RECOMMENDED.  The authors of this
   document have chosen to use the terms RECOMMENDED and NOT
   RECOMMENDED, as this more clearly expresses the recommendations to
   implementers."

Actually, RFC2119 doesn't really contain NOT RECOMMENDED --- but, RFC8174
("Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words"), which
updates RFC2119 *does*.

Can the authors please resubmit with the new boilerplate from RFC8174 in
Section 2 (Conventions Used in This Document) and I'll kick off IETF LC.

W
-- 
I don't think the execution is relevant when it was obviously a bad idea in
the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair of
pants.
   ---maf

--000000000000efece60581a4d622--


From nobody Mon Feb 11 23:56:20 2019
Return-Path: <zuopeng@cnnic.cn>
Date: Tue, 12 Feb 2019 15:56:04 +0800
From: "zuopeng@cnnic.cn" <zuopeng@cnnic.cn>
To: dnsop <dnsop@ietf.org>
Message-ID: <2019021215560470371417@cnnic.cn>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/iCXWGp_OCV81Yh9a_N8BRxb_ovI>
Subject: [DNSOP] extension of DoH to authoritative servers

HI ALL,

RFC8484 《DNS Queries over HTTPS》 defines a protocol for sending DNS
queries and getting DNS responses over HTTPS. Its primary scenario is
between stub resolver and recursive resolver.

I am considering extending the DoH protocol to authoritative servers.
To build the trust chain, the child zone publishes a TLSA record instead
of a DS record in the parent zone [RFC 6698 may need update]. The TLSA
record contains the certificate that identifies the child zone.

In this way, the whole DNS is built on HTTPS which makes DNS more
secure. DNSSEC is not necessary anymore and many other problems like
fragmentation also will not exist.

The sketch diagram is as follows.  Any comments are welcome!

[Image attachment: sketch diagram, InsertPic_A6AA(0(02-12-15-50-52).png]

zuopeng@cnnic.cn



From nobody Tue Feb 12 00:34:43 2019
Return-Path: <bortzmeyer@nic.fr>
Date: Tue, 12 Feb 2019 09:34:36 +0100
From: Stephane Bortzmeyer <bortzmeyer@nic.fr>
To: "zuopeng@cnnic.cn" <zuopeng@cnnic.cn>
Cc: dnsop <dnsop@ietf.org>
Message-ID: <20190212083436.5uab52hesymxzuur@nic.fr>
References: <2019021215560470371417@cnnic.cn>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <2019021215560470371417@cnnic.cn>
X-Operating-System: Debian GNU/Linux 9.7
X-Kernel: Linux 4.9.0-8-amd64 x86_64
X-Charlie: Je suis Charlie
Organization: NIC France
X-URL: http://www.nic.fr/
User-Agent: NeoMutt/20170113 (1.7.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/ozgthhIHpd-yS1rSblA2kj-L2ZU>
Subject: Re: [DNSOP] extension of DoH to authoritative servers

On Tue, Feb 12, 2019 at 03:56:04PM +0800,
 zuopeng@cnnic.cn <zuopeng@cnnic.cn> wrote 
 a message of 546 lines which said:

> DNSSEC is not necessary anymore

This is clearly false. DoH provides _channel security_; DNSSEC provides
_content security_ (or object security). This is a very important
difference in security (we have JWS even if we have HTTPS, for
instance).
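
The distinction drawn in this reply, as an added example that is not part of the original message: a Python model in which a record crosses two integrity-protected hops through an intermediary and is also signed by its origin as a JWS (compact serialization, HS256, RFC 7515). The keys, the record, the hop model and all function names are constructed for illustration; HS256 keeps the example within the standard library, whereas DNSSEC uses public-key signatures.

```python
"""Channel security vs. content (object) security (added example)."""
import base64
import hashlib
import hmac
import json


def b64u(data):
    """base64url without padding, as used by JWS."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64u_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def to_json(obj):
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


def jws_sign(payload, key):
    """Content security: the signature travels with the object itself."""
    signing_input = b64u(to_json({"alg": "HS256"})) + "." + b64u(to_json(payload))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64u(sig)


def jws_verify(token, key):
    """Return the payload if the origin's signature verifies, else None."""
    try:
        header, body, sig = token.split(".")
        if json.loads(b64u_decode(header)).get("alg") != "HS256":
            return None
        signing_input = (header + "." + body).encode("ascii")
        expected = hmac.new(key, signing_input, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64u_decode(sig)):
            return None
        return json.loads(b64u_decode(body))
    except (ValueError, AttributeError):
        return None


def channel_send(hop_key, message):
    """Channel security: one hop, authenticated with that hop's session key."""
    tag = hmac.new(hop_key, message.encode(), hashlib.sha256).hexdigest()
    return {"data": message, "tag": tag}


def channel_recv(hop_key, frame):
    """Return the data if this hop's integrity check passes, else None."""
    tag = hmac.new(hop_key, frame["data"].encode(), hashlib.sha256).hexdigest()
    return frame["data"] if hmac.compare_digest(tag, frame["tag"]) else None


# Constructed keys and record; none of these values come from the thread.
ORIGIN_KEY = b"constructed-origin-signing-key"
HOP_ORIGIN_RELAY = b"constructed-session-key-1"
HOP_RELAY_CLIENT = b"constructed-session-key-2"
RECORD = {"name": "www.example.com.", "type": "A", "data": "192.0.2.80"}


def relay(frame, alter):
    """Intermediary that terminates both hops and may change what it forwards."""
    token = channel_recv(HOP_ORIGIN_RELAY, frame)
    if alter:
        # Swap the payload but keep the origin's header and signature.
        header, _body, sig = token.split(".")
        token = header + "." + b64u(to_json(dict(RECORD, data="203.0.113.66"))) + "." + sig
    return channel_send(HOP_RELAY_CLIENT, token)


def client_view(alter):
    """Return (channel check passed, data as received, payload after JWS check)."""
    first_hop = channel_send(HOP_ORIGIN_RELAY, jws_sign(RECORD, ORIGIN_KEY))
    token = channel_recv(HOP_RELAY_CLIENT, relay(first_hop, alter))
    received = json.loads(b64u_decode(token.split(".")[1]))["data"]
    return token is not None, received, jws_verify(token, ORIGIN_KEY)


if __name__ == "__main__":
    print("honest relay  :", client_view(False))
    print("altering relay:", client_view(True))
```

In both runs the client's hop check passes, because the hop only authenticates the relay; only the object signature shows that the second answer did not come from the origin.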


From nobody Tue Feb 12 00:39:13 2019
Return-Path: <bortzmeyer@nic.fr>
Date: Tue, 12 Feb 2019 09:39:08 +0100
From: Stephane Bortzmeyer <bortzmeyer@nic.fr>
To: "zuopeng@cnnic.cn" <zuopeng@cnnic.cn>
Cc: dnsop <dnsop@ietf.org>
Message-ID: <20190212083908.w5cwgtmypkjwmqnd@nic.fr>
References: <2019021215560470371417@cnnic.cn>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <2019021215560470371417@cnnic.cn>
X-Operating-System: Debian GNU/Linux 9.7
X-Kernel: Linux 4.9.0-8-amd64 x86_64
X-Charlie: Je suis Charlie
Organization: NIC France
X-URL: http://www.nic.fr/
User-Agent: NeoMutt/20170113 (1.7.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/6CPp6UlTTqwnXaNI2mdQrG_hTEw>
Subject: Re: [DNSOP] extension of DoH to authoritative servers

On Tue, Feb 12, 2019 at 03:56:04PM +0800,
 zuopeng@cnnic.cn <zuopeng@cnnic.cn> wrote 
 a message of 546 lines which said:

> I am considering extending the DoH protocol to authoritative
> servers.

Why DoH and not DoT? DoH is useful because 1) port 853 may be blocked
at the edge of the network 2) applications running in a Web browser
may need DNS data. But these two reasons do not apply to your use case
1) the resolver is often closer to the core and there is less risk
that 853 is blocked 2) there is no Web browser on the resolver.


From nobody Tue Feb 12 00:42:56 2019
Date: Tue, 12 Feb 2019 09:42:50 +0100
From: Stephane Bortzmeyer <bortzmeyer@nic.fr>
To: "zuopeng@cnnic.cn" <zuopeng@cnnic.cn>
Cc: dnsop <dnsop@ietf.org>
Message-ID: <20190212084250.y62yjzjr26e62r25@nic.fr>
References: <2019021215560470371417@cnnic.cn>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <2019021215560470371417@cnnic.cn>
X-Operating-System: Debian GNU/Linux 9.7
X-Kernel: Linux 4.9.0-8-amd64 x86_64
X-Charlie: Je suis Charlie
Organization: NIC France
X-URL: http://www.nic.fr/
User-Agent: NeoMutt/20170113 (1.7.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/9nPs4VFIZHLnGJ9ep38KA0RviwM>
Subject: Re: [DNSOP] extension of DoH to authoritative servers

On Tue, Feb 12, 2019 at 03:56:04PM +0800,
 zuopeng@cnnic.cn <zuopeng@cnnic.cn> wrote 
 a message of 546 lines which said:

> the child zone publishes a TLSA record instead of a DS record in the
> parent zone [RFC 6698 may need update]. The TLSA record contains the
> certificate that identifies the child zone.

The problem is that it would require all authoritative name servers of
a zone to have the same key. This is inconvenient in some setups, for
instance when part of the name servers is subcontracted. I suggest
that it is better to have a TLSA record per name server and not per
zone (draft-bortzmeyer-dprive-resolver-to-auth, section 2)
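
Added example, not part of the original message or of the cited draft: a Go sketch of the key-sharing constraint described above. It hashes each server's SubjectPublicKeyInfo the way an RFC 6698 "3 1 1" TLSA record does, then compares one record for the whole zone with one record per name server. The host names, the `_853._tcp` owner names (RFC 6698 naming convention) and the in-memory record map are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"fmt"
)

// NameServer is one authoritative server and the public half of the TLS
// key pair it presents. Hosts and keys are constructed for this example.
type NameServer struct {
	Host string
	Pub  ed25519.PublicKey
}

// newServer gives a server its own freshly generated key, as happens when
// each operator (including a subcontractor) manages its own TLS keys.
func newServer(host string) NameServer {
	pub, _, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	return NameServer{Host: host, Pub: pub}
}

// tlsa311 returns the association data of a TLSA record with usage 3
// (DANE-EE), selector 1 (SubjectPublicKeyInfo) and matching type 1
// (SHA-256), as defined in RFC 6698.
func tlsa311(pub ed25519.PublicKey) string {
	spki, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		panic(err)
	}
	sum := sha256.Sum256(spki)
	return hex.EncodeToString(sum[:])
}

// authenticated lists the servers whose presented key matches the TLSA
// data a resolver finds under owner(ns) in the published records.
func authenticated(servers []NameServer, published map[string]string,
	owner func(NameServer) string) []string {
	ok := []string{}
	for _, ns := range servers {
		want, found := published[owner(ns)]
		if found && want == tlsa311(ns.Pub) {
			ok = append(ok, ns.Host)
		}
	}
	return ok
}

// Compare builds a zone served by the operator's own server and by a
// subcontracted one, each with its own key, and returns which servers a
// resolver can authenticate under each publication scheme.
func Compare() (perZone, perServer []string) {
	servers := []NameServer{
		newServer("ns1.example."),          // run by the zone operator
		newServer("ns2.provider.example."), // subcontracted secondary
	}

	// One TLSA record for the zone, made from the operator's key. It only
	// works for every server if all of them are given that same key.
	zoneOwner := func(NameServer) string { return "example." }
	zoneRecords := map[string]string{"example.": tlsa311(servers[0].Pub)}

	// One TLSA record per name server, each made from that server's key.
	hostOwner := func(ns NameServer) string { return "_853._tcp." + ns.Host }
	hostRecords := map[string]string{}
	for _, ns := range servers {
		hostRecords[hostOwner(ns)] = tlsa311(ns.Pub)
	}

	return authenticated(servers, zoneRecords, zoneOwner),
		authenticated(servers, hostRecords, hostOwner)
}

func main() {
	z, s := Compare()
	fmt.Println("one TLSA per zone:       ", z)
	fmt.Println("one TLSA per name server:", s)
}
```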


From nobody Tue Feb 12 04:50:38 2019
To: Stephane Bortzmeyer <bortzmeyer@nic.fr>, "zuopeng@cnnic.cn" <zuopeng@cnnic.cn>
Cc: dnsop <dnsop@ietf.org>
References: <2019021215560470371417@cnnic.cn> <20190212083908.w5cwgtmypkjwmqnd@nic.fr>
From: Jeremy Rand <jeremyrand@airmail.cc>
Message-ID: <b3a84662-bcac-76e0-f4a7-a8fa13267863@airmail.cc>
Date: Tue, 12 Feb 2019 12:50:14 +0000
MIME-Version: 1.0
In-Reply-To: <20190212083908.w5cwgtmypkjwmqnd@nic.fr>
Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="PEsRLBtx2o8qiVcO6JB71eramQWryRXlS"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/rthRrbY-qEdarr-lPmNY7IlKo5I>
Subject: Re: [DNSOP] extension of DoH to authoritative servers

Stephane Bortzmeyer:
> On Tue, Feb 12, 2019 at 03:56:04PM +0800,
>  zuopeng@cnnic.cn <zuopeng@cnnic.cn> wrote
>  a message of 546 lines which said:
>
>> I am considering extending the DoH protocol to authoritative
>> servers.
>
> Why DoH and not DoT? DoH is useful because 1) port 853 may be blocked
> at the edge of the network 2) applications running in a Web browser
> may need DNS data. But these two reasons do not apply to your use case
> 1) the resolver is often closer to the core and there is less risk
> that 853 is blocked 2) there is no Web browser on the resolver.

Hi Stephane,

Both of those assumptions are false when the user has installed a
recursive resolver on their home computer, as is the case when the user
has installed DNSSEC-Trigger.  They're also false when the user has
installed Namecoin, since Namecoin domain names often delegate to DNS
via NS+DS records.

(Of course, it could be argued that Namecoin users need to deal with
network censorship of Namecoin protocol traffic anyway, but I don't see
any reason to make the situation unnecessarily worse by avoiding DoH.)

Cheers,
-- 
-Jeremy Rand
Lead Application Engineer at Namecoin
Mobile email: jeremyrandmobile@airmail.cc
Mobile OpenPGP: 2158 0643 C13B B40F B0FD 5854 B007 A32D AB44 3D9C
Send non-security-critical things to my Mobile with OpenPGP.
Please don't send me unencrypted messages.
My business email jeremy@veclabs.net is having technical issues at the
moment.


From nobody Tue Feb 12 06:07:55 2019
Date: Tue, 12 Feb 2019 09:07:43 -0500 (EST)
From: Paul Wouters <paul@nohats.ca>
To: "zuopeng@cnnic.cn" <zuopeng@cnnic.cn>
cc: dnsop <dnsop@ietf.org>
In-Reply-To: <2019021215560470371417@cnnic.cn>
Message-ID: <alpine.LRH.2.21.1902120846480.18026@bofh.nohats.ca>
References: <2019021215560470371417@cnnic.cn>
User-Agent: Alpine 2.21 (LRH 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII; format=flowed
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/XfNl4GsIeaK5Dhfpl-FEMCXCWRw>
Subject: Re: [DNSOP] extension of DoH to authoritative servers

On Tue, 12 Feb 2019, zuopeng@cnnic.cn wrote:

> In this way, the whole DNS is built on HTTPS which makes DNS more
> secure. DNSSEC is not necessary anymore and many other problems like
> fragmentation also will not exist.

This idea is similar to DNScurve. The problem is that channel security
does not help when you have an infrastructure of DNS caches, as nothing
in the cache can be used to validate the content.

djb's solution to this problem was to obsolete the cache, and at the CCC
conference he then threw around numbers that "claimed" caching is not
working or needed, and was proven wrong by me showing some cache
percentages of real DNS servers.

DNSSEC provides origin protection, and digital signatures are needed,
which TLS does not offer.

Paul
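
Added example, not part of the original message: a Go model of the channel security versus content security distinction raised earlier in the thread and of the cache problem described above. An HMAC under a per-hop session key stands in for the integrity protection TLS gives DoH or DoT, and an Ed25519 signature by the zone key stands in for an RRSIG; the record data, the session keys and the two-hop path are constructed assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// Answer is what a cache stores: the record data and the signature made
// with the zone's private key (the role an RRSIG plays in DNSSEC).
type Answer struct {
	RRset []byte
	Sig   []byte
}

// Frame is an answer as it crosses one protected hop. The MAC under the
// hop's session key is a simplification of TLS record protection.
type Frame struct {
	Ans Answer
	MAC []byte
}

func hopMAC(sessionKey []byte, a Answer) []byte {
	h := hmac.New(sha256.New, sessionKey)
	h.Write(a.RRset)
	h.Write(a.Sig)
	return h.Sum(nil)
}

// send protects an answer for exactly one hop.
func send(sessionKey []byte, a Answer) Frame {
	return Frame{Ans: a, MAC: hopMAC(sessionKey, a)}
}

// channelOK is all a client relying on channel security can check: the
// frame was not modified between the previous hop and itself.
func channelOK(sessionKey []byte, f Frame) bool {
	return hmac.Equal(f.MAC, hopMAC(sessionKey, f.Ans))
}

// contentOK is what a validating client checks: the data was signed by the
// zone key, no matter how many caches or secondaries it passed through.
func contentOK(zoneKey ed25519.PublicKey, f Frame) bool {
	return ed25519.Verify(zoneKey, f.Ans.RRset, f.Ans.Sig)
}

// Deliver sends one answer along authoritative -> cache -> client and
// returns what the client's two checks report. With cacheAltered set, the
// cache holds data that differs from what the zone signed (for instance a
// poisoned cache, or a secondary run by another organisation).
func Deliver(cacheAltered bool) (channel, content bool) {
	zonePub, zonePriv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	rrset := []byte("www.example. 3600 IN A 192.0.2.10") // constructed record
	signed := Answer{RRset: rrset, Sig: ed25519.Sign(zonePriv, rrset)}

	// Hop 1: authoritative server -> cache, protected by its own session.
	k1 := []byte("constructed session key, hop 1")
	f1 := send(k1, signed)
	if !channelOK(k1, f1) {
		panic("hop 1 integrity check failed")
	}
	cached := f1.Ans // hop 1 protection ends here; only the Answer is stored

	if cacheAltered {
		cached.RRset = []byte("www.example. 3600 IN A 203.0.113.66")
	}

	// Hop 2: cache -> client, a new session that protects whatever is cached.
	k2 := []byte("constructed session key, hop 2")
	f2 := send(k2, cached)
	return channelOK(k2, f2), contentOK(zonePub, f2)
}

func main() {
	for _, altered := range []bool{false, true} {
		ch, ct := Deliver(altered)
		fmt.Printf("cache altered=%v  channel check=%v  content check=%v\n",
			altered, ch, ct)
	}
}
```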


From nobody Tue Feb 12 06:51:21 2019
Date: Tue, 12 Feb 2019 15:51:15 +0100
From: Stephane Bortzmeyer <bortzmeyer@nic.fr>
To: Paul Wouters <paul@nohats.ca>
Cc: "zuopeng@cnnic.cn" <zuopeng@cnnic.cn>, dnsop <dnsop@ietf.org>
Message-ID: <20190212145115.oedcxgwjuhiwtn4j@nic.fr>
References: <2019021215560470371417@cnnic.cn> <alpine.LRH.2.21.1902120846480.18026@bofh.nohats.ca>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <alpine.LRH.2.21.1902120846480.18026@bofh.nohats.ca>
X-Operating-System: Debian GNU/Linux 9.7
X-Kernel: Linux 4.9.0-8-amd64 x86_64
X-Charlie: Je suis Charlie
Organization: NIC France
X-URL: http://www.nic.fr/
User-Agent: NeoMutt/20170113 (1.7.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Nf_gLHs5Z4xViCggr29m67sqhUI>
Subject: Re: [DNSOP] extension of DoH to authoritative servers

On Tue, Feb 12, 2019 at 09:07:43AM -0500,
 Paul Wouters <paul@nohats.ca> wrote 
 a message of 23 lines which said:

> This idea is similar to DNScurve. The problem is that channel
> security does not help when you have an infrastructure of DNS
> caches,

Or when secondary name servers are not under the same organisation.



From nobody Tue Feb 12 08:32:32 2019
To: Stephane Bortzmeyer <bortzmeyer@nic.fr>
Cc: "zuopeng@cnnic.cn" <zuopeng@cnnic.cn>, dnsop <dnsop@ietf.org>
References: <2019021215560470371417@cnnic.cn> <20190212083908.w5cwgtmypkjwmqnd@nic.fr>
From: Paul Vixie <paul@redbarn.org>
Message-ID: <ecfdb33d-7925-f762-6788-68b7a659a3d8@redbarn.org>
Date: Tue, 12 Feb 2019 08:32:28 -0800
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 PostboxApp/6.1.10
MIME-Version: 1.0
In-Reply-To: <20190212083908.w5cwgtmypkjwmqnd@nic.fr>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/eCzDhGZzO-ikCO-FRWiTqvnfvC8>
Subject: Re: [DNSOP] extension of DoH to authoritative servers

Stephane Bortzmeyer wrote on 2019-02-12 00:39:
> On Tue, Feb 12, 2019 at 03:56:04PM +0800,
>   zuopeng@cnnic.cn <zuopeng@cnnic.cn> wrote
>   a message of 546 lines which said:
> 
>> I am considering extending the DoH protocol to authoritative
>> servers.
> 
> Why DoH and not DoT? ...

well, yes, but...

> DoH is useful because 1) port 853 may be blocked
> at the edge of the network 

DoH is _dangerous_ because it's my network and i require all visitors, 
family members, employees, and apps to use the control plane i have 
constructed, which includes DNS surveillance and control. thanks to DoH, 
i will have to add a WAF, or require SOCKS, for all outbound TCP/443 to 
the cloudflare, google, and other so-called "public" dns services. i am 
nowhere near ready to allow cloudflare and apnic and the others to build 
their own private DNS relationship with my endpoints, bypassing parental 
controls, bypassing corporate security policy.

DoT should be preferred precisely because it _can_ be blocked by the 
network operator. if someone insists on not talking to my DNS servers, 
they can take their device elsewhere. this is especially vital for IoT, 
whose makers will never be profitable other than from data they collect.

> 2) applications running in a Web browser
> may need DNS data. ...

i expect those apps to make normal UDP/53, TCP/53, or TCP/853 requests 
from the designated DNS servers i operate as part of my control plane. 
any attempt to speak DoH from my networks will be treated as an attack.

-- 
P Vixie


From nobody Tue Feb 12 09:23:04 2019
Date: Tue, 12 Feb 2019 12:22:53 -0500 (EST)
From: Paul Wouters <paul@nohats.ca>
To: dnsop <dnsop@ietf.org>
In-Reply-To: <ecfdb33d-7925-f762-6788-68b7a659a3d8@redbarn.org>
Message-ID: <alpine.LRH.2.21.1902121217020.8252@bofh.nohats.ca>
References: <2019021215560470371417@cnnic.cn> <20190212083908.w5cwgtmypkjwmqnd@nic.fr> <ecfdb33d-7925-f762-6788-68b7a659a3d8@redbarn.org>
User-Agent: Alpine 2.21 (LRH 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII; format=flowed
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/GC1GquZ1DohsEW3qGmwlpDmet24>
Subject: Re: [DNSOP] extension of DoH to authoritative servers

On Tue, 12 Feb 2019, Paul Vixie wrote:

> this is especially vital for IoT, whose makers will 
> never be profitable other than from data they collect.

I hope those makers will be unprofitable and close shop.

IoT devices should be designed to be accessed through secure VPN or TLS
connections, without going through vulnerable large scale server farms
in unknown or unpleasant countries invading my human privacy rights.

For example, I'm using my hue lights with or without VPN, without telling
Philips when I turn the lights on or off and without telling Philips
when I am near or not near my house.

That said, software circumventing the system's resolver is bad, and is
not the layer this should be happening on, and it should really be a
last ditch effort requiring user exception. But browsers think they are
the DNS police now :(

Paul


From nobody Tue Feb 12 09:31:43 2019
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
From: Joe Abley <jabley@hopcount.ca>
In-Reply-To: <alpine.LRH.2.21.1902121217020.8252@bofh.nohats.ca>
Date: Tue, 12 Feb 2019 12:31:35 -0500
Cc: dnsop <dnsop@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <35D11D36-777E-422F-98BC-7BDD17F73E50@hopcount.ca>
References: <2019021215560470371417@cnnic.cn> <20190212083908.w5cwgtmypkjwmqnd@nic.fr> <ecfdb33d-7925-f762-6788-68b7a659a3d8@redbarn.org> <alpine.LRH.2.21.1902121217020.8252@bofh.nohats.ca>
To: Paul Wouters <paul@nohats.ca>
X-Mailer: Apple Mail (2.3445.102.3)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/lSdNwCWgyAE4wS6tdxp4NwW1olY>
Subject: Re: [DNSOP] extension of DoH to authoritative servers

On 12 Feb 2019, at 12:22, Paul Wouters <paul@nohats.ca> wrote:

> On Tue, 12 Feb 2019, Paul Vixie wrote:
>
>> this is especially vital for IoT, whose makers will never be
>> profitable other than from data they collect.
>
> I hope those makers will be unprofitable and close shop.
>
> IoT devices should be designed to be accessed through secure VPN or TLS
> connections, without going through vulnerable large scale server farms
> in unknown or unpleasant countries invading my human privacy rights.
>
> For example, I'm using my hue lights with or without VPN, without telling
> Philips when I turn the lights on or off and without telling philips
> when I am near or not near by house.

As an aside, it looks to me like Philips are making Hue viable with a
price point that makes them invisible to the average consumer. The
Internet is awash with smart lights with apparently equivalent
functionality and a price point that is 90% lower. Either Philips have
the biggest margin on consumer electronics the world has ever seen, or
the manufacturers of the cheap alternatives are getting paid in ways
other than money.

In terms of volume (which is what we care about if we are worried about
numbers of active devices) Hue is a rounding error.


Joe


From nobody Tue Feb 12 10:14:26 2019
Return-Path: <drc@virtualized.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B1113129A87 for <dnsop@ietfa.amsl.com>; Tue, 12 Feb 2019 10:14:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=virtualized-org.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5McvUFtHsRgo for <dnsop@ietfa.amsl.com>; Tue, 12 Feb 2019 10:14:22 -0800 (PST)
Received: from mail-pg1-x530.google.com (mail-pg1-x530.google.com [IPv6:2607:f8b0:4864:20::530]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CA834127287 for <dnsop@ietf.org>; Tue, 12 Feb 2019 10:14:22 -0800 (PST)
Received: by mail-pg1-x530.google.com with SMTP id w7so1600625pgp.13 for <dnsop@ietf.org>; Tue, 12 Feb 2019 10:14:22 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=virtualized-org.20150623.gappssmtp.com; s=20150623; h=mime-version:subject:from:in-reply-to:date:cc:message-id:references :to; bh=bKS2ljRhH4LHbbN0fYNvhgcBHgahtJeAMv9cD/QCpRc=; b=Sdsk++/eGG+0qL6glk/CHfbrvf9MRx8kVyK/lttsNTQMYkEjq0k2Ex9t8xjJSE2uT/ 5Fsk2YfdsdCO9L7euJwpbs7NE0RMiCf+5sQCJfxuI36kE+QhNrx8UHY7Ygypbo5Q3dRX ge+fGmdMQJG8zyaohCiJ4AgpdcLxmSsIH6WiQ9Rk0rysCkmtvAxqit/gvisJPIOSk2aG Q1OQARLyK0l1ORC23PFNgmzou3DabhzDCW56g9otMBAk9VJUgb/WINnz4O4Q8vmy+nmn eDO+nyo11+F9tbYo+YriLLuwxgKhi3C/5xMUR+3NupCnUsuoSdCETN4Xu65Mow693w7L qWdg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :message-id:references:to; bh=bKS2ljRhH4LHbbN0fYNvhgcBHgahtJeAMv9cD/QCpRc=; b=d7LuxiiPCNkCMp6OHXAG0/D8YnAJrNpsoHBXpaMaAk+fE7l634wMm+1XeiNTQLyv+Z tL0Xd7amulpnh8pXCrOmgD/aSdAvqPwNLf9E/n8uvSDcYvd+eQM2LtfyHFW87sXW10cZ iLK5LRM3umasBmdmDRi6pffbOGFxAyphaLbsbsXZ98vjA5zsFOd50NBcoFq07kHrPQ83 UaXo1sNlWY4KUoHzXMgIDzTYIhbXNXmHlTysROcIGy/MDPr30SQfxoZAnhhDtI9cJVP+ 4Zz6nFSVPQm3dk6zFVihUIo0UigYq8r3FXWtSQ566MJvLCpfPyy3VZjtmU6T5WKluRHl +dBg==
X-Gm-Message-State: AHQUAuZSTTUNTicUwvNrMQuL5fjj6gX+zGcSrf9CSDeAdyN54aqK9Vau efgkGh7sj1wjie8O0P7zobK7w1rZg6k=
X-Google-Smtp-Source: AHgI3IZZgnp+67hnNjKF/iMKPQMkcLpl+P8R/HF7KfrCxBlI+oP1ACmv3SGM4GYnnXZZfRP4eJaFcg==
X-Received: by 2002:a63:100c:: with SMTP id f12mr4810335pgl.324.1549995262198;  Tue, 12 Feb 2019 10:14:22 -0800 (PST)
Received: from [10.96.20.91] (35-2.lax.icann.org. [192.0.35.2]) by smtp.gmail.com with ESMTPSA id g20sm25207562pfg.85.2019.02.12.10.14.20 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 12 Feb 2019 10:14:20 -0800 (PST)
Content-Type: multipart/signed; boundary="Apple-Mail=_9C9FDF3F-BDD5-4662-A400-D399904DF235"; protocol="application/pgp-signature"; micalg=pgp-sha512
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
From: David Conrad <drc@virtualized.org>
In-Reply-To: <ecfdb33d-7925-f762-6788-68b7a659a3d8@redbarn.org>
Date: Tue, 12 Feb 2019 10:14:19 -0800
Cc: dnsop <dnsop@ietf.org>
X-Mailbutler-Message-Id: 03D8870B-6E7A-48D8-987D-1473CCFE2B08
Message-Id: <43FF2435-37C6-43B0-B97C-59D23AD2A9C2@virtualized.org>
References: <2019021215560470371417@cnnic.cn> <20190212083908.w5cwgtmypkjwmqnd@nic.fr> <ecfdb33d-7925-f762-6788-68b7a659a3d8@redbarn.org>
To: Paul Vixie <paul@redbarn.org>
X-Mailer: Apple Mail (2.3445.102.3)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/ukGjvyq1jTOYK4m6_vsnL6BHbk8>
Subject: Re: [DNSOP] extension of DoH to authoritative servers
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Feb 2019 18:14:25 -0000

--Apple-Mail=_9C9FDF3F-BDD5-4662-A400-D399904DF235
Content-Type: multipart/alternative;
	boundary="Apple-Mail=_041ADAA3-D195-4000-9B00-0422A41BAAFF"


--Apple-Mail=_041ADAA3-D195-4000-9B00-0422A41BAAFF
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8

Paul,

On Feb 12, 2019, at 8:32 AM, Paul Vixie <paul@redbarn.org> wrote:
> DoH is _dangerous_ because it's my network and i require all visitors,
> family members, employees, and apps to use the control plane i have
> constructed, which includes DNS surveillance and control.

Why don’t you force folks on your network to install a certificate
that would allow you to inspect TCP/443 outbound traffic?  How can you
be sure folks on your network aren’t already tunneling their evil deeds
through HTTPS?

Thanks,
-drc


--Apple-Mail=_041ADAA3-D195-4000-9B00-0422A41BAAFF--

--Apple-Mail=_9C9FDF3F-BDD5-4662-A400-D399904DF235--


From nobody Tue Feb 12 10:34:22 2019
Return-Path: <paul@redbarn.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6CBBF12DF71 for <dnsop@ietfa.amsl.com>; Tue, 12 Feb 2019 10:34:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level: 
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PwYEpcSBUukA for <dnsop@ietfa.amsl.com>; Tue, 12 Feb 2019 10:34:19 -0800 (PST)
Received: from family.redbarn.org (family.redbarn.org [24.104.150.213]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2743212785F for <dnsop@ietf.org>; Tue, 12 Feb 2019 10:34:19 -0800 (PST)
Received: from [IPv6:2001:559:8000:c9:ec14:138:d007:b4de] (unknown [IPv6:2001:559:8000:c9:ec14:138:d007:b4de]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client did not present a certificate) by family.redbarn.org (Postfix) with ESMTPSA id BB89C892C6; Tue, 12 Feb 2019 18:34:18 +0000 (UTC)
To: David Conrad <drc@virtualized.org>
Cc: dnsop <dnsop@ietf.org>
References: <2019021215560470371417@cnnic.cn> <20190212083908.w5cwgtmypkjwmqnd@nic.fr> <ecfdb33d-7925-f762-6788-68b7a659a3d8@redbarn.org> <43FF2435-37C6-43B0-B97C-59D23AD2A9C2@virtualized.org>
From: Paul Vixie <paul@redbarn.org>
Message-ID: <873fe3e1-58e4-38a7-eb11-37509f9b7ff4@redbarn.org>
Date: Tue, 12 Feb 2019 10:34:19 -0800
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 PostboxApp/6.1.10
MIME-Version: 1.0
In-Reply-To: <43FF2435-37C6-43B0-B97C-59D23AD2A9C2@virtualized.org>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/HYx41uelysteHTTtAsJKN-Fe2qQ>
Subject: Re: [DNSOP] extension of DoH to authoritative servers
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Feb 2019 18:34:21 -0000

David Conrad wrote on 2019-02-12 10:14:
> Paul,
> 
> On Feb 12, 2019, at 8:32 AM, Paul Vixie <paul@redbarn.org 
> <mailto:paul@redbarn.org>> wrote:
>> DoH is _dangerous_ because it's my network and i require all visitors, 
>> family members, employees, and apps to use the control plane i have 
>> constructed, which includes DNS surveillance and control. 
> 
> Why don’t you force folks on your network to install a certificate that
> would allow you to inspect TCP/443 outbound traffic?  How can you be
> sure folks on your network aren’t already tunneling their evil deeds
> through HTTPS?

netflow. such traffic _looks_ abnormal.

the deliberate design premise of DoH is that it look normal.

-- 
P Vixie


From nobody Tue Feb 12 10:44:08 2019
Return-Path: <mellon@fugue.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 51B12130DE7 for <dnsop@ietfa.amsl.com>; Tue, 12 Feb 2019 10:44:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level: 
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fugue-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dHQwGpSD2yhr for <dnsop@ietfa.amsl.com>; Tue, 12 Feb 2019 10:44:04 -0800 (PST)
Received: from mail-pl1-x62f.google.com (mail-pl1-x62f.google.com [IPv6:2607:f8b0:4864:20::62f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 34999130DC4 for <dnsop@ietf.org>; Tue, 12 Feb 2019 10:44:04 -0800 (PST)
Received: by mail-pl1-x62f.google.com with SMTP id 101so1709591pld.6 for <dnsop@ietf.org>; Tue, 12 Feb 2019 10:44:04 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fugue-com.20150623.gappssmtp.com; s=20150623; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=kP1aUXcc7hcPqxv5Uj7aGIIQsvSctkdVDBkzLkUWG2M=; b=yn5oGD0lhfyUbll2X2YSOr4H3oSklWLzK8SdvAHBRDnixvCBf4vP17gL7HsN65tEJ1 PmMxdrCFYvFESUAdvszQSuMtOmqP6uyarNwrKfBQIBQ78ouK4SKpmf0d117J2+BWQc+/ m9T+jA5pJSNxWM24DC76K3QmUb1k16QsnjPXkf9BAf7A3++4MgPXzR+L2gfx9Qn9/ioV BurknxUX1+4nEG/xeEYw1SXrhhHQuJ4y/GNurdd6+s1VntoFvB6s7hTNYoAtS3JcnUK6 1pTjNu47sW63KYkaGDZ2WkXdn/1kN4L3+fW4GzfvbFi5NGA9X3Hfv/SgDt4D/waeV6+X LMfw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=kP1aUXcc7hcPqxv5Uj7aGIIQsvSctkdVDBkzLkUWG2M=; b=nix0VfQlwmp25s2av66mjfdkjoqOtjjLExHrOLNRK7ImaDNa2v7iVMTHigco0pgR0t leNtyfTmALpxSOqEaa9R18hdCYeE1IJ9kfupj6UKfWGLWYmsiIaH6v9A35rkFCakXWDr Y7c+mu1tmjTnSg/jjihKX+L52ZBjUOhjNcb6d/Hi5Lo99wFBuhAyDGZvKR9wQdAMAGCZ RMxTW2DzR9C6CPIDAujxylY6NaO2X0iLlLJ2U7CsSUM2imTwfy7MWfY63J8iW/maUmdz kHoJGylT3iBHckFnNE9titRcoCAAEUnajNSevJ8FLlXy+ubFR+DN7zcaJBqG/pBCs5B5 WL5g==
X-Gm-Message-State: AHQUAuamW4wOONfZ7uuKrUoQaiTukksWUeFUTWQpFweAis4BF7FloQob NDMUR1lYn809V0bUGFWVAqb+NQ==
X-Google-Smtp-Source: AHgI3IaNuly8YQ1QdS0pJtai6Ir/e3WRZUMz9xe5vzyedDlbK2th0dY6ulinikAuSJf2SYjK/1gmXA==
X-Received: by 2002:a17:902:aa44:: with SMTP id c4mr5312204plr.91.1549997043626;  Tue, 12 Feb 2019 10:44:03 -0800 (PST)
Received: from [17.230.171.141] ([17.230.171.141]) by smtp.gmail.com with ESMTPSA id j3sm7027281pff.82.2019.02.12.10.44.02 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 12 Feb 2019 10:44:02 -0800 (PST)
From: Ted Lemon <mellon@fugue.com>
Message-Id: <D01BFEEE-746D-4F30-A3CE-497D4AFA8CC5@fugue.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_C5948D01-6BD1-48C2-9C8B-8C5E035B32CF"
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
Date: Tue, 12 Feb 2019 10:44:01 -0800
In-Reply-To: <873fe3e1-58e4-38a7-eb11-37509f9b7ff4@redbarn.org>
Cc: David Conrad <drc@virtualized.org>, dnsop <dnsop@ietf.org>
To: Paul Vixie <paul@redbarn.org>
References: <2019021215560470371417@cnnic.cn> <20190212083908.w5cwgtmypkjwmqnd@nic.fr> <ecfdb33d-7925-f762-6788-68b7a659a3d8@redbarn.org> <43FF2435-37C6-43B0-B97C-59D23AD2A9C2@virtualized.org> <873fe3e1-58e4-38a7-eb11-37509f9b7ff4@redbarn.org>
X-Mailer: Apple Mail (2.3445.102.3)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/n40z21lGiuWwVxazqyZ1p5ARDXk>
Subject: Re: [DNSOP] extension of DoH to authoritative servers
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Feb 2019 18:44:06 -0000

--Apple-Mail=_C5948D01-6BD1-48C2-9C8B-8C5E035B32CF
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8

On Feb 12, 2019, at 10:34 AM, Paul Vixie <paul@redbarn.org> wrote:
> netflow. such traffic _looks_ abnormal.
>
> the deliberate design premise of DoH is that it look normal.

It’s either one or the other.   DoH is such traffic.  If it looks
abnormal, you can do something about it.   If it doesn’t, you can’t.
It’s not the case that nefarious traffic that is not DoH is special in
looking different.  Or rather, to the extent that you are good at
identifying and blocking such traffic, that will naturally select for
solutions that are less easily identified, and eventually the steady
state will be exactly what you are afraid of with DoH.   To the extent
that DoH is less obvious than these other techniques, you could
legitimately say that it is an example of this process of natural
selection.   It just happens to be visible to you, whereas all the
other examples are not, because they are being done by black hats, not
by the IETF.


--Apple-Mail=_C5948D01-6BD1-48C2-9C8B-8C5E035B32CF--


From nobody Tue Feb 12 11:05:01 2019
Return-Path: <paul@redbarn.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 205B312D4F0 for <dnsop@ietfa.amsl.com>; Tue, 12 Feb 2019 11:05:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level: 
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0JEY_inPk-er for <dnsop@ietfa.amsl.com>; Tue, 12 Feb 2019 11:04:58 -0800 (PST)
Received: from family.redbarn.org (family.redbarn.org [IPv6:2001:559:8000:cd::5]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A302812785F for <dnsop@ietf.org>; Tue, 12 Feb 2019 11:04:58 -0800 (PST)
Received: from [IPv6:2001:559:8000:c9:ec14:138:d007:b4de] (unknown [IPv6:2001:559:8000:c9:ec14:138:d007:b4de]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client did not present a certificate) by family.redbarn.org (Postfix) with ESMTPSA id 2A9FF892C6; Tue, 12 Feb 2019 19:04:58 +0000 (UTC)
To: Ted Lemon <mellon@fugue.com>
Cc: David Conrad <drc@virtualized.org>, dnsop <dnsop@ietf.org>
References: <2019021215560470371417@cnnic.cn> <20190212083908.w5cwgtmypkjwmqnd@nic.fr> <ecfdb33d-7925-f762-6788-68b7a659a3d8@redbarn.org> <43FF2435-37C6-43B0-B97C-59D23AD2A9C2@virtualized.org> <873fe3e1-58e4-38a7-eb11-37509f9b7ff4@redbarn.org> <D01BFEEE-746D-4F30-A3CE-497D4AFA8CC5@fugue.com>
From: Paul Vixie <paul@redbarn.org>
Message-ID: <7cdbd8a8-2bf4-992e-3197-ca17e7352a5b@redbarn.org>
Date: Tue, 12 Feb 2019 11:04:58 -0800
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 PostboxApp/6.1.10
MIME-Version: 1.0
In-Reply-To: <D01BFEEE-746D-4F30-A3CE-497D4AFA8CC5@fugue.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/HkYBKVJW0KcYNBS37qrSYizQoPA>
Subject: Re: [DNSOP] extension of DoH to authoritative servers
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Feb 2019 19:05:00 -0000

Ted Lemon wrote on 2019-02-12 10:44:
> On Feb 12, 2019, at 10:34 AM, Paul Vixie <paul@redbarn.org 
> <mailto:paul@redbarn.org>> wrote:
>> netflow. such traffic _looks_ abnormal.
>>
>> the deliberate design premise of DoH is that it look normal.
> 
> It’s either one or the other.

actually, there are other choices.

-- 
P Vixie


From nobody Tue Feb 12 11:43:13 2019
Return-Path: <stephane@sources.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F2013130DC8 for <dnsop@ietfa.amsl.com>; Tue, 12 Feb 2019 11:43:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OBup903JQjPq for <dnsop@ietfa.amsl.com>; Tue, 12 Feb 2019 11:43:10 -0800 (PST)
Received: from ayla.bortzmeyer.org (ayla.bortzmeyer.org [92.243.4.211]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D6F85130DD8 for <dnsop@ietf.org>; Tue, 12 Feb 2019 11:43:09 -0800 (PST)
Received: by ayla.bortzmeyer.org (Postfix, from userid 10) id A8437A0431; Tue, 12 Feb 2019 20:43:06 +0100 (CET)
Received: by mail.sources.org (Postfix, from userid 1000) id D885B190673; Tue, 12 Feb 2019 20:41:38 +0100 (CET)
Date: Tue, 12 Feb 2019 20:41:38 +0100
From: Stephane Bortzmeyer <bortzmeyer@nic.fr>
To: Paul Vixie <paul@redbarn.org>
Cc: dnsop <dnsop@ietf.org>
Message-ID: <20190212194138.ycqvjlg7g7yrm6jy@sources.org>
References: <2019021215560470371417@cnnic.cn> <20190212083908.w5cwgtmypkjwmqnd@nic.fr> <ecfdb33d-7925-f762-6788-68b7a659a3d8@redbarn.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <ecfdb33d-7925-f762-6788-68b7a659a3d8@redbarn.org>
X-Transport: UUCP rules
X-Operating-System: Debian GNU/Linux 9.6
X-Charlie: Je suis Charlie
User-Agent: NeoMutt/20170113 (1.7.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/xDjY6yUpuPXVXgdmMZPmBbhooRY>
Subject: Re: [DNSOP] extension of DoH to authoritative servers
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Feb 2019 19:43:12 -0000

On Tue, Feb 12, 2019 at 08:32:28AM -0800,
 Paul Vixie <paul@redbarn.org> wrote 
 a message of 39 lines which said:

> i require all visitors, family members, employees, and apps to use
> the control plane i have constructed, which includes DNS
> surveillance and control.

Reminds me of a sentence which is awfully true: "applications on the
Internet now have to use the techniques of the botnets, just to work".


From nobody Tue Feb 12 12:07:49 2019
Return-Path: <mellon@fugue.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BEAEA130DBE for <dnsop@ietfa.amsl.com>; Tue, 12 Feb 2019 12:07:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level: 
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fugue-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xZRp_gWdYlWS for <dnsop@ietfa.amsl.com>; Tue, 12 Feb 2019 12:07:45 -0800 (PST)
Received: from mail-pf1-x432.google.com (mail-pf1-x432.google.com [IPv6:2607:f8b0:4864:20::432]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9AD9912DF71 for <dnsop@ietf.org>; Tue, 12 Feb 2019 12:07:45 -0800 (PST)
Received: by mail-pf1-x432.google.com with SMTP id g6so1790377pfh.13 for <dnsop@ietf.org>; Tue, 12 Feb 2019 12:07:45 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fugue-com.20150623.gappssmtp.com; s=20150623; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=fNCX4gaEkz+90TEwQLDeHx5DvuIQFJWIKzBkjNktH9o=; b=vYVjE9/03axBfXkR7aLsmqE7L2ff0FTI4LcItOpdaiCM8fpQswhOQGV/6H4t+85f4l 41l6TmrMssjsecMrt4UUJTT8kbkwFsG3KwCzydthQ3IbKfGiis7/ONl406y0e+DkKQPs f8oUN0ISkcB/fAV8EV7hAkhqfNAv8Ewa3W4oaD+fSd5L3gjozFEg+X/TfwctlqltkxZZ 58Sav2ym6mh+RwVeE4EjDrOiMyYFO+S1wsNMff6DFq+E8OUU66hmCkcxmN584haJJELZ YSiWp9CblJ7ehoqsO3hOvHAdZ/j5iHGiHxnsC8mg0ZeiH1BO4dkdXvH4JaK9sSPNu8yP rRDA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=fNCX4gaEkz+90TEwQLDeHx5DvuIQFJWIKzBkjNktH9o=; b=XDjavMhvJDcnkjrb7li4dlvT0dG65UIg1AcvHKKAYmCkd65UxhjUcuvbdvR/1eAa9a Yt8QGJmfOWp76rK5GJIGl3FORnzoXZyMFNZ0gxW7DilgsDL8Kn+d4lqmcsf4mOVrXhhG bQRd2bognSjvDKSgwHSCqVnhEnXW0IQgsKera9Xs7/LRDSUrsnCWNf8v3P6RibjlYnuo IDhlaxJPH4XC6OyY8oVFd5hoq09cvHh0IROtT4tm2xolbftlRMZsSvpnQ7FdZ//KDBY3 JqeCeanCixeFvvJSNtHMTIjLvxfD73IP/b3Bagc3zuylbjujJRvOm7rBg9qqEL8Q7TKm aFCg==
X-Gm-Message-State: AHQUAuZPR1cHr+nohuMx6cgVtZuN3jVq+KYH2C4kdQValTeE6YT7E4yX lr9sELn3Wic8SYQNZgTNI4h0VA==
X-Google-Smtp-Source: AHgI3IZnTEUwhZ+gAU1OdUoP/pQyQtgR6hFyvGJfKSCFNrDZ7PQZbGuA7HGprVbJPdsPwEuVVxf+RQ==
X-Received: by 2002:a63:5462:: with SMTP id e34mr4804328pgm.97.1550002064862;  Tue, 12 Feb 2019 12:07:44 -0800 (PST)
Received: from [17.230.171.141] ([17.230.171.141]) by smtp.gmail.com with ESMTPSA id f62sm17844785pgc.67.2019.02.12.12.07.44 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 12 Feb 2019 12:07:44 -0800 (PST)
From: Ted Lemon <mellon@fugue.com>
Message-Id: <725FD25D-FCE9-4740-A001-79369AFDEB78@fugue.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_04BBCAFE-DAC5-4A3B-8D9C-C4266243EE50"
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
Date: Tue, 12 Feb 2019 12:07:42 -0800
In-Reply-To: <7cdbd8a8-2bf4-992e-3197-ca17e7352a5b@redbarn.org>
Cc: David Conrad <drc@virtualized.org>, dnsop <dnsop@ietf.org>
To: Paul Vixie <paul@redbarn.org>
References: <2019021215560470371417@cnnic.cn> <20190212083908.w5cwgtmypkjwmqnd@nic.fr> <ecfdb33d-7925-f762-6788-68b7a659a3d8@redbarn.org> <43FF2435-37C6-43B0-B97C-59D23AD2A9C2@virtualized.org> <873fe3e1-58e4-38a7-eb11-37509f9b7ff4@redbarn.org> <D01BFEEE-746D-4F30-A3CE-497D4AFA8CC5@fugue.com> <7cdbd8a8-2bf4-992e-3197-ca17e7352a5b@redbarn.org>
X-Mailer: Apple Mail (2.3445.102.3)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/o4FxMouwjxJktZkUNmETyLJUYZY>
Subject: Re: [DNSOP] extension of DoH to authoritative servers
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Feb 2019 20:07:48 -0000

--Apple-Mail=_04BBCAFE-DAC5-4A3B-8D9C-C4266243EE50
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8

On Feb 12, 2019, at 11:04 AM, Paul Vixie <paul@redbarn.org> wrote:
> actually, there are other choices.

I may have failed to communicate. What I mean is that you said that
you can detect all nefarious traffic, but you can’t detect DoH, which
to you is nefarious. What I’m saying is that there’s no such
distinction, or at least if there is at present, it is a temporary
situation.

Of course you have choices about what to do about this; my point is not
to suggest that you do not.



--Apple-Mail=_04BBCAFE-DAC5-4A3B-8D9C-C4266243EE50--


From nobody Tue Feb 12 12:48:17 2019
Return-Path: <paul@redbarn.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 11B5212F1A6 for <dnsop@ietfa.amsl.com>; Tue, 12 Feb 2019 12:48:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level: 
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BaCssT8wxl4q for <dnsop@ietfa.amsl.com>; Tue, 12 Feb 2019 12:48:14 -0800 (PST)
Received: from family.redbarn.org (family.redbarn.org [24.104.150.213]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 75B6412F1A5 for <dnsop@ietf.org>; Tue, 12 Feb 2019 12:48:14 -0800 (PST)
Received: from [IPv6:2001:559:8000:c9:14dc:261d:a3ba:1384] (unknown [IPv6:2001:559:8000:c9:14dc:261d:a3ba:1384]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client did not present a certificate) by family.redbarn.org (Postfix) with ESMTPSA id 05A43892C6; Tue, 12 Feb 2019 20:48:14 +0000 (UTC)
To: Ted Lemon <mellon@fugue.com>
Cc: David Conrad <drc@virtualized.org>, dnsop <dnsop@ietf.org>
References: <2019021215560470371417@cnnic.cn> <20190212083908.w5cwgtmypkjwmqnd@nic.fr> <ecfdb33d-7925-f762-6788-68b7a659a3d8@redbarn.org> <43FF2435-37C6-43B0-B97C-59D23AD2A9C2@virtualized.org> <873fe3e1-58e4-38a7-eb11-37509f9b7ff4@redbarn.org> <D01BFEEE-746D-4F30-A3CE-497D4AFA8CC5@fugue.com> <7cdbd8a8-2bf4-992e-3197-ca17e7352a5b@redbarn.org> <725FD25D-FCE9-4740-A001-79369AFDEB78@fugue.com>
From: Paul Vixie <paul@redbarn.org>
Message-ID: <d1f66089-1e78-15f6-269c-33ced12c2738@redbarn.org>
Date: Tue, 12 Feb 2019 12:48:14 -0800
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 PostboxApp/6.1.10
MIME-Version: 1.0
In-Reply-To: <725FD25D-FCE9-4740-A001-79369AFDEB78@fugue.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/e8gg6waXr11rfUdv8RRaIpw1RV4>
Subject: Re: [DNSOP] extension of DoH to authoritative servers
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Feb 2019 20:48:16 -0000

Ted Lemon wrote on 2019-02-12 12:07:
> On Feb 12, 2019, at 11:04 AM, Paul Vixie <paul@redbarn.org 
> <mailto:paul@redbarn.org>> wrote:
>> actually, there are other choices.
> 
> I may have failed to communicate. What I mean is that you said that
> you can detect all nefarious traffic, but you can’t detect DoH, which to
> you is nefarious. What I’m saying is that there’s no such distinction,
> or at least if there is at present, it is a temporary situation.

i realize that the political tacticians who designed DoH are searching 
for a world in which network operators have no control plane choices. i 
think they're proceeding from the mistaken belief that all control is 
evil, and that all network operators are equally deserving of 
disintermediation. and other mistaken beliefs as well, which i won't 
enumerate.

> 
> Of course you have choices about what to do about this; my point is not 
> to suggest that you do not.
> 

whether the situation turns out to be temporary or not is important to 
your final argument. probably you shouldn't go there so soon. spammers 
also believe that network operators should not be able to control their 
own networks, and malware authors, and botnet creators, and IoT 
innovators, and surveillance capitalists. none of those matters seem 
like they are, or will ever be, settled. so, none are "temporary".

my network, my rules. anyone who acts otherwise will be treated by me as 
an adversary, even folks like mozilla who have been fellow travelers for 
decades now, if they continue to pursue unblockable endpoint technology.

-- 
P Vixie


From nobody Tue Feb 12 12:55:58 2019
Return-Path: <paf@frobbit.se>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 37DF4130DBE for <dnsop@ietfa.amsl.com>; Tue, 12 Feb 2019 12:55:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.722
X-Spam-Level: 
X-Spam-Status: No, score=-1.722 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FROM_EXCESS_BASE64=0.979, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=frobbit.se
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NvqKTOTdOduh for <dnsop@ietfa.amsl.com>; Tue, 12 Feb 2019 12:55:55 -0800 (PST)
Received: from mail.frobbit.se (mail.frobbit.se [85.30.129.185]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2DBE112F1A6 for <dnsop@ietf.org>; Tue, 12 Feb 2019 12:55:55 -0800 (PST)
Received: from [172.10.11.240] (210.22.92.62.static.cust.telenor.com [62.92.22.210]) by mail.frobbit.se (Postfix) with ESMTPSA id B00282488C; Tue, 12 Feb 2019 21:55:51 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=frobbit.se; s=mail; t=1550004951; bh=GlfQBqxAqwx9WVuLY1Ze/AGAmV+FLzX2P72Kt166vJA=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=IHdbbbhGFhAiElT9Eg9WoWUZ6jeWdq825McO2FhSf1Gu4jZ7afyWLQOkrD+LGCDAD dgr6d5LWNXHXHd1R6u9fhxxoWC8nLNttPh2p9KBVsmsZjAxquB+hpi/iH2NKJeVrP4 SQXt9BpvE5HzKaBWITyLZb7v6eApLFwpoJ2DbxCM=
From: "Patrik =?utf-8?b?RsOkbHRzdHLDtm0=?=" <paf@frobbit.se>
To: "Paul Vixie" <paul@redbarn.org>
Cc: "Ted Lemon" <mellon@fugue.com>, dnsop <dnsop@ietf.org>, "David Conrad" <drc@virtualized.org>
Date: Tue, 12 Feb 2019 21:55:50 +0100
X-Mailer: MailMate (1.12.4r5597)
Message-ID: <87420B68-233B-4330-AF5B-6124B40DC5BF@frobbit.se>
In-Reply-To: <d1f66089-1e78-15f6-269c-33ced12c2738@redbarn.org>
References: <2019021215560470371417@cnnic.cn> <20190212083908.w5cwgtmypkjwmqnd@nic.fr> <ecfdb33d-7925-f762-6788-68b7a659a3d8@redbarn.org> <43FF2435-37C6-43B0-B97C-59D23AD2A9C2@virtualized.org> <873fe3e1-58e4-38a7-eb11-37509f9b7ff4@redbarn.org> <D01BFEEE-746D-4F30-A3CE-497D4AFA8CC5@fugue.com> <7cdbd8a8-2bf4-992e-3197-ca17e7352a5b@redbarn.org> <725FD25D-FCE9-4740-A001-79369AFDEB78@fugue.com> <d1f66089-1e78-15f6-269c-33ced12c2738@redbarn.org>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=_MailMate_41A141DD-841A-45D3-AE20-59522178234C_="; micalg=pgp-sha1; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/hoyA4w36mvm9XHZtZLffHcTJ-_c>
Subject: Re: [DNSOP] extension of DoH to authoritative servers
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Feb 2019 20:55:57 -0000

This is an OpenPGP/MIME signed message (RFC 3156 and 4880).

--=_MailMate_41A141DD-841A-45D3-AE20-59522178234C_=
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

On 12 Feb 2019, at 21:48, Paul Vixie wrote:

> whether the situation turns out to be temporary or not is important to
> your final argument. probably you shouldn't go there so soon. spammers
> also believe that network operators should not be able to control their
> own networks, and malware authors, and botnet creators, and IoT
> innovators, and surveillance capitalists. none of those matters seem
> like they are, or will ever be, settled. so, none are "temporary".

The current legal system and court decisions require access providers to
have some control. Today it is "enough" for the access providers to block
DNS lookup of certain domain names. We on THIS list understand how easy
it is to go around that kind of blocking, but that does not matter. It is
enough for the legal systems in the world.

If the control over the DNS lookups is no longer possible by the access
provider, then the access providers by law have to use other tools to
control the traffic from their customers.

So, it is not only their choice.

   Patrik

--=_MailMate_41A141DD-841A-45D3-AE20-59522178234C_=--


From nobody Tue Feb 12 13:00:08 2019
Return-Path: <mellon@fugue.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 690A8130DBE for <dnsop@ietfa.amsl.com>; Tue, 12 Feb 2019 13:00:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level: 
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fugue-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XlD_DFz7zeJH for <dnsop@ietfa.amsl.com>; Tue, 12 Feb 2019 13:00:06 -0800 (PST)
Received: from mail-pl1-x635.google.com (mail-pl1-x635.google.com [IPv6:2607:f8b0:4864:20::635]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 06A81128B36 for <dnsop@ietf.org>; Tue, 12 Feb 2019 13:00:06 -0800 (PST)
Received: by mail-pl1-x635.google.com with SMTP id b5so46846plr.4 for <dnsop@ietf.org>; Tue, 12 Feb 2019 13:00:06 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fugue-com.20150623.gappssmtp.com; s=20150623; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=QutSRogbe0cF/Hdjne0indgsO6oOdOc8mGkzT7oqqIA=; b=OfdLILY5hiKNdIdGisptwhHl49wEMkafPQ4BAsDE5V2x0btFozW2FLHmOqKq91X7fx VjeBRf+rDALdkmIQWBK/OYj3fDnHSR9tEAvMSBySaTDRZAWtkbbPugrLMYhF77F3eIPY 84jg7fVRDqVK2An7gWeBaFl/JPtQlHmCIXhW67bZmCiLpqXoKK6z3OL5/ULWG43TvVr9 itpmnFuI/ylOhO3bT1mAoD+WPRzQ/+OJYyMoz/kFcI9EkflmS45vONtyaC7AiVoSdxVg zDMwr/SDZrF4V7Z1gjYdpBvKUxmwtuDxRWFMHByTPRW51nHBHnAb2/NSPhMx+S2NI3Rz +NhA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=QutSRogbe0cF/Hdjne0indgsO6oOdOc8mGkzT7oqqIA=; b=YNWMtU5I8v5sMC4oXkBko8tRPydcMWzLPMk2ci0prhXoGnoqv5n7r3MKFECB43rfKt CpCFpJOocFWwsFqH4wHH6HY5Y71yT/kFkm/yHyFMvVONjzs68lZTxSYSAz1PYk8G+/q/ k/jM4VxpXAUkxavaFK7iBQk7iMLQ8lSxwunUcdVo8GGV3z5TzSJICQYrg0xxhwZy/5rI GZSSEyI+pji5nqwf2FvykW9mkR2HladhhjzAnibucq8RqUCX75U78aEzv7bytoxcChCK IqeAsrUVL3snzlTVuDV4HAcA3TvQA9Vjfsm8XSx8IaG6IvNymb7JQdNDKHBWNofEFW65 c4fw==
X-Gm-Message-State: AHQUAuYMGvJiL9qpf5ln+CGij33H2lSc7NqW3cqX6/Sq0BetA/HqJMKS 3M39fMVbjRCQ0enKR129wxaS5gfJQYIluA==
X-Google-Smtp-Source: AHgI3Ib4ajWEvqFBmRWhpcAY0O+WxNBUDwCE74SrpYzhHchCwR6RxLgAphxbXaFQAWJNKrunUwim5Q==
X-Received: by 2002:a17:902:f08b:: with SMTP id go11mr5914285plb.115.1550005205100;  Tue, 12 Feb 2019 13:00:05 -0800 (PST)
Received: from [17.230.171.141] ([17.230.171.141]) by smtp.gmail.com with ESMTPSA id p2sm18560937pgc.94.2019.02.12.13.00.03 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 12 Feb 2019 13:00:04 -0800 (PST)
From: Ted Lemon <mellon@fugue.com>
Message-Id: <3C1FF728-2F31-4884-B7E9-55DF4E15AEB6@fugue.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_9AA6B010-9734-4272-84FA-1B33EBABCDAC"
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
Date: Tue, 12 Feb 2019 13:00:02 -0800
In-Reply-To: <d1f66089-1e78-15f6-269c-33ced12c2738@redbarn.org>
Cc: David Conrad <drc@virtualized.org>, dnsop <dnsop@ietf.org>
To: Paul Vixie <paul@redbarn.org>
References: <2019021215560470371417@cnnic.cn> <20190212083908.w5cwgtmypkjwmqnd@nic.fr> <ecfdb33d-7925-f762-6788-68b7a659a3d8@redbarn.org> <43FF2435-37C6-43B0-B97C-59D23AD2A9C2@virtualized.org> <873fe3e1-58e4-38a7-eb11-37509f9b7ff4@redbarn.org> <D01BFEEE-746D-4F30-A3CE-497D4AFA8CC5@fugue.com> <7cdbd8a8-2bf4-992e-3197-ca17e7352a5b@redbarn.org> <725FD25D-FCE9-4740-A001-79369AFDEB78@fugue.com> <d1f66089-1e78-15f6-269c-33ced12c2738@redbarn.org>
X-Mailer: Apple Mail (2.3445.102.3)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/kxrhLc1qdxW1c3HeRpUCRBjbMHk>
Subject: Re: [DNSOP] extension of DoH to authoritative servers
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Feb 2019 21:00:07 -0000

--Apple-Mail=_9AA6B010-9734-4272-84FA-1B33EBABCDAC
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8

On Feb 12, 2019, at 12:48 PM, Paul Vixie <paul@redbarn.org> wrote:
> i realize that the political tacticians who designed DoH are searching
> for a world in which network operators have no control plane choices. i
> think they're proceeding from the mistaken belief that all control is
> evil, and that all network operators are equally deserving of
> disintermediation. and other mistaken beliefs as well, which i won't
> enumerate.

I still feel like we are talking past each other.

What I am saying is that there are a set of different mechanisms, all of
which use port 443, in order to avoid being subjected to your control
plane. DoH is in principle one of these. We do not disagree about
this, as far as I can tell.

What I think we differ on is the idea that, in the absence of these
“political tacticians” of whom you speak, that this problem would not
exist.

What I am trying to point out is that the situation with DoH is a
symptom of the problem you are not talking about, not the only instance
of it.

You seem to be asserting that DoH is special among all other misuses of
port 443. But you haven’t explained why it is special. This is what I
was trying to tease out with my initial response to what you said.



--Apple-Mail=_9AA6B010-9734-4272-84FA-1B33EBABCDAC--


From nobody Tue Feb 12 13:48:41 2019
Return-Path: <paul@redbarn.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B6970130DC2 for <dnsop@ietfa.amsl.com>; Tue, 12 Feb 2019 13:48:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level: 
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0Yk1c9Or4hdC for <dnsop@ietfa.amsl.com>; Tue, 12 Feb 2019 13:48:36 -0800 (PST)
Received: from family.redbarn.org (family.redbarn.org [24.104.150.213]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 34AF712F1A6 for <dnsop@ietf.org>; Tue, 12 Feb 2019 13:48:36 -0800 (PST)
Received: from [IPv6:2001:559:8000:c9:14dc:261d:a3ba:1384] (unknown [IPv6:2001:559:8000:c9:14dc:261d:a3ba:1384]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client did not present a certificate) by family.redbarn.org (Postfix) with ESMTPSA id 87D55892C6; Tue, 12 Feb 2019 21:48:35 +0000 (UTC)
To: Ted Lemon <mellon@fugue.com>
Cc: David Conrad <drc@virtualized.org>, dnsop <dnsop@ietf.org>
References: <2019021215560470371417@cnnic.cn> <20190212083908.w5cwgtmypkjwmqnd@nic.fr> <ecfdb33d-7925-f762-6788-68b7a659a3d8@redbarn.org> <43FF2435-37C6-43B0-B97C-59D23AD2A9C2@virtualized.org> <873fe3e1-58e4-38a7-eb11-37509f9b7ff4@redbarn.org> <D01BFEEE-746D-4F30-A3CE-497D4AFA8CC5@fugue.com> <7cdbd8a8-2bf4-992e-3197-ca17e7352a5b@redbarn.org> <725FD25D-FCE9-4740-A001-79369AFDEB78@fugue.com> <d1f66089-1e78-15f6-269c-33ced12c2738@redbarn.org> <3C1FF728-2F31-4884-B7E9-55DF4E15AEB6@fugue.com>
From: Paul Vixie <paul@redbarn.org>
Message-ID: <cb9646e3-676d-c24f-240d-e0c8ed159e88@redbarn.org>
Date: Tue, 12 Feb 2019 13:48:36 -0800
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 PostboxApp/6.1.10
MIME-Version: 1.0
In-Reply-To: <3C1FF728-2F31-4884-B7E9-55DF4E15AEB6@fugue.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Z4E8_Op06eIJOwbb-9m79HE_xwo>
Subject: Re: [DNSOP] extension of DoH to authoritative servers
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Feb 2019 21:48:38 -0000

Ted Lemon wrote on 2019-02-12 13:00:
> ...
> 
> I still feel like we are talking past each other.
> 
> What I am saying is that there are a set of different mechanisms, all of 
> which use port 443, in order to avoid being subjected to your control 
> plane. DoH is in principle one of these. We do not disagree about
> this, as far as I can tell.
>
> What I think we differ on is the idea that, in the absence of these
> “political tacticians” of whom you speak, that this problem would not exist.
>
> What I am trying to point out is that the situation with DoH is a
> symptom of the problem you are not talking about, not the only instance
> of it.
>
> You seem to be asserting that DoH is special among all other misuses of
> port 443. But you haven’t explained why it is special. This is what
> I was trying to tease out with my initial response to what you said.

i may have been too brief. however, i reject this false equivalence.

when a new flow or pattern of flows shows up to distant tcp/443 
responders, this is detectable. if what's detected exceeds thresholds, 
or if it is found to coincide with any other behaviour change, then it 
can be investigated, and perhaps made the subject of new policy. no 
security is perfect and we can't demand it. what we have is temporary 
equilibriums that appropriately match investments and known risks.

DoH _specifically_ evades this, by looking as much as possible like 
other traffic to IP addresses shared by a lot of existing traffic. this 
means the only way to maintain the risk:cost balance of pre-DoH is to 
inspect every flow. many network operators can't afford this or can't 
otherwise do it. those who can and do, can be expected to be grumpy 
about it having their risks and costs increased for political reasons. 
those who can't or don't, can be expected to be grumpy about losing more 
of what little control or visibility they had, for political reasons.

google, ibm, cloudflare, cisco, and other so-called "public dns" 
providers will at some point choose whether to offer DoH from shared 
addresses, making those shared addresses into risks that the rest of us 
have to manage differently; or whether to dedicate DoH to well known 
addresses that can be outright blocked. in the latter case, existing 
anomaly detection and post-facto investigations and policy shifts will 
continue to be good enough.

and that's why DoH is special.

(five paragraphs elided.)

-- 
P Vixie
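
The detection argument in the message above, sketched as an added example (not part of the original message and not code from any participant): a new-responder check and a volume check over tcp/443 flow records, run once with DoH served from a dedicated address and once from an address shared with existing traffic. All addresses, flow records and thresholds are constructed for illustration.

```python
from collections import Counter, defaultdict
from typing import NamedTuple


class Flow(NamedTuple):
    client: str
    dst_ip: str
    dst_port: int


# Constructed addresses (documentation ranges), not taken from the thread.
SHARED = "198.51.100.10"   # front end that already serves many HTTPS sites
DEDICATED = "192.0.2.53"   # address used for nothing but DoH
OTHER = "203.0.113.7"      # unrelated HTTPS site
CLIENTS = ["10.0.0.1", "10.0.0.2", "10.0.0.3"]


def https_flows(per_client):
    """Constructed tcp/443 flows; per_client maps dst_ip -> flows per client."""
    return [Flow(c, ip, 443)
            for ip, n in per_client.items()
            for c in CLIENTS
            for _ in range(n)]


BASELINE = https_flows({SHARED: 20, OTHER: 5})
# Same browsing, plus 4 DoH connections per client to a dedicated address.
WINDOW_DEDICATED = https_flows({SHARED: 20, OTHER: 5, DEDICATED: 4})
# Same browsing, plus 4 DoH connections per client behind the shared address.
WINDOW_SHARED = https_flows({SHARED: 24, OTHER: 5})


def summarize(flows):
    """Per-responder flow counts and distinct client sets for tcp/443."""
    counts, clients = Counter(), defaultdict(set)
    for f in flows:
        if f.dst_port == 443:
            counts[f.dst_ip] += 1
            clients[f.dst_ip].add(f.client)
    return counts, clients


def new_responder_alerts(baseline, window, min_flows=3, min_clients=2):
    """Responders absent from the baseline that exceed both thresholds."""
    base_counts, _ = summarize(baseline)
    win_counts, win_clients = summarize(window)
    return sorted(
        ip for ip, n in win_counts.items()
        if ip not in base_counts
        and n >= min_flows
        and len(win_clients[ip]) >= min_clients
    )


def volume_alerts(baseline, window, max_growth=0.5):
    """Known responders whose flow count grew by more than max_growth."""
    base_counts, _ = summarize(baseline)
    win_counts, _ = summarize(window)
    return sorted(
        ip for ip, n in win_counts.items()
        if ip in base_counts
        and (n - base_counts[ip]) / base_counts[ip] > max_growth
    )


def block_collateral(baseline, ip):
    """Baseline flows that an address block on `ip` would also cut."""
    base_counts, _ = summarize(baseline)
    return base_counts[ip]  # Counter yields 0 for an unseen address


if __name__ == "__main__":
    for name, window in (("dedicated", WINDOW_DEDICATED),
                         ("shared", WINDOW_SHARED)):
        print(name,
              "new:", new_responder_alerts(BASELINE, window),
              "volume:", volume_alerts(BASELINE, window))
    for ip in (DEDICATED, SHARED):
        print("blocking", ip, "also cuts",
              block_collateral(BASELINE, ip), "baseline flows")
```

With these constructed numbers the dedicated address raises a new-responder alert and can be blocked with no collateral, while the same DoH volume behind the shared address raises nothing at the flow level and blocking that address would cut 60 baseline flows.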


From nobody Tue Feb 12 14:08:51 2019
Return-Path: <mellon@fugue.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C11EE130DC2 for <dnsop@ietfa.amsl.com>; Tue, 12 Feb 2019 14:08:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level: 
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fugue-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hM6mPWBIqK9T for <dnsop@ietfa.amsl.com>; Tue, 12 Feb 2019 14:08:48 -0800 (PST)
Received: from mail-pf1-x431.google.com (mail-pf1-x431.google.com [IPv6:2607:f8b0:4864:20::431]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1D1B0124C04 for <dnsop@ietf.org>; Tue, 12 Feb 2019 14:08:48 -0800 (PST)
Received: by mail-pf1-x431.google.com with SMTP id z15so128153pfa.2 for <dnsop@ietf.org>; Tue, 12 Feb 2019 14:08:48 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fugue-com.20150623.gappssmtp.com; s=20150623; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=NJTtatYwC+Cn7CF/+ME+59/wgridgRwX7EgOXOUrdto=; b=acvDBDUyDzEvlvKnffHv5GD1RridqXUKZFFRwGoriH+5hPnWgj3JbtZle61pxtd0N/ Ia3Pr1w1z4BBHgN+hGQPci/UsXYSAY2RS2Mrar7pcsxbEPmXKe0yqltCHvV7onYaddmI EKsxwpweJVM5d32KWkxD/W/xFkZFYQLgD4vBMiBbe4v1xivA/RB8danHMq5r6NrJ1rU0 xq/LnOiX24DCUHHk+k9ri4o/hfqq7hIhzDn8tjoOJ270gq7nmYUEbKnZrspFMhSpVpIj DS7/jkeTv2bFBlzAw94E8865+ai7ObMHXFEV9Q0mJGQhp6Lg02ZkYbbmWEx2wW81cL2A dsgQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=NJTtatYwC+Cn7CF/+ME+59/wgridgRwX7EgOXOUrdto=; b=JTK1PmHDsb545t04Z7TKjYVeMkmAeCh3mT1pfQcCZGb8+gyr48b5ya3JrnWkCKUqIO 4R2oK3c86R+W7yVpvUBvHncuhx7iEn2CqYasW/OjMIm2Xt2Gy8sHHL0sO9nj56/u6LSE V1IymmqeofDzWR/6CW1tth/V+MRYoj9xf2E7x2GAASadKLWEJ9gkpsx7NiP7+T+gdZqL VA0OstnRkDG7EyRQkVJAuJvpYjx7tuTmE0k9ogVGKN4GeZT9C8EeuIDRYvIsOw9fWEoh rypgILmMGGSWuWCLje03LusUDN/YgwM9e8Mhv18Tc1W6hbcx7E6m34OFEqVN3lsYOGng m5rw==
X-Gm-Message-State: AHQUAubpPd4MsALFawNAddJqkPhXh2LyK4oUpKMtWeHSWYoGh7o3GDma YzyaGbeAZowK9hhD7TPFu+qVK9o4Nio3HQ==
X-Google-Smtp-Source: AHgI3IbV4GIUsEUPXxQdZkgMfGQvVyCM4JUx2T3gRH3xokm8hRXiM4FDlVp0tkf296PCAjRbsa1ZQA==
X-Received: by 2002:a62:5a81:: with SMTP id o123mr6002624pfb.109.1550009327391;  Tue, 12 Feb 2019 14:08:47 -0800 (PST)
Received: from [17.230.171.141] ([17.230.171.141]) by smtp.gmail.com with ESMTPSA id x123sm9329778pfx.94.2019.02.12.14.08.46 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 12 Feb 2019 14:08:46 -0800 (PST)
From: Ted Lemon <mellon@fugue.com>
Message-Id: <4C2F9639-6C22-4FB7-840B-0318B40C2193@fugue.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_0B541A54-F764-447E-BA5A-7DD2F87BD6F0"
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
Date: Tue, 12 Feb 2019 14:08:45 -0800
In-Reply-To: <cb9646e3-676d-c24f-240d-e0c8ed159e88@redbarn.org>
Cc: David Conrad <drc@virtualized.org>, dnsop <dnsop@ietf.org>
To: Paul Vixie <paul@redbarn.org>
References: <2019021215560470371417@cnnic.cn> <20190212083908.w5cwgtmypkjwmqnd@nic.fr> <ecfdb33d-7925-f762-6788-68b7a659a3d8@redbarn.org> <43FF2435-37C6-43B0-B97C-59D23AD2A9C2@virtualized.org> <873fe3e1-58e4-38a7-eb11-37509f9b7ff4@redbarn.org> <D01BFEEE-746D-4F30-A3CE-497D4AFA8CC5@fugue.com> <7cdbd8a8-2bf4-992e-3197-ca17e7352a5b@redbarn.org> <725FD25D-FCE9-4740-A001-79369AFDEB78@fugue.com> <d1f66089-1e78-15f6-269c-33ced12c2738@redbarn.org> <3C1FF728-2F31-4884-B7E9-55DF4E15AEB6@fugue.com> <cb9646e3-676d-c24f-240d-e0c8ed159e88@redbarn.org>
X-Mailer: Apple Mail (2.3445.102.3)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/JdQXSDnqeRyE1IsgrsBLGXhWJ_4>
Subject: Re: [DNSOP] extension of DoH to authoritative servers
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Feb 2019 22:08:50 -0000

--Apple-Mail=_0B541A54-F764-447E-BA5A-7DD2F87BD6F0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8

On Feb 12, 2019, at 1:48 PM, Paul Vixie <paul@redbarn.org> wrote:
> DoH _specifically_ evades this, by looking as much as possible like
> other traffic to IP addresses shared by a lot of existing traffic.

Right.   So what’s to stop other malicious traffic from doing the same
thing?

IOW, you seem to want DoH to go away, but will that actually solve your
problem?   If so, how?


--Apple-Mail=_0B541A54-F764-447E-BA5A-7DD2F87BD6F0--


From nobody Tue Feb 12 14:18:41 2019
Return-Path: <paul@redbarn.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 12A63130DDA for <dnsop@ietfa.amsl.com>; Tue, 12 Feb 2019 14:18:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.901
X-Spam-Level: 
X-Spam-Status: No, score=-0.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, GB_AFFORDABLE=1, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kvNfxyoDxSB0 for <dnsop@ietfa.amsl.com>; Tue, 12 Feb 2019 14:18:39 -0800 (PST)
Received: from family.redbarn.org (family.redbarn.org [IPv6:2001:559:8000:cd::5]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 19F57130DD8 for <dnsop@ietf.org>; Tue, 12 Feb 2019 14:18:39 -0800 (PST)
Received: from [IPv6:2001:559:8000:c9:14dc:261d:a3ba:1384] (unknown [IPv6:2001:559:8000:c9:14dc:261d:a3ba:1384]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client did not present a certificate) by family.redbarn.org (Postfix) with ESMTPSA id D7040892C6; Tue, 12 Feb 2019 22:18:38 +0000 (UTC)
To: Ted Lemon <mellon@fugue.com>
Cc: David Conrad <drc@virtualized.org>, dnsop <dnsop@ietf.org>
References: <2019021215560470371417@cnnic.cn> <20190212083908.w5cwgtmypkjwmqnd@nic.fr> <ecfdb33d-7925-f762-6788-68b7a659a3d8@redbarn.org> <43FF2435-37C6-43B0-B97C-59D23AD2A9C2@virtualized.org> <873fe3e1-58e4-38a7-eb11-37509f9b7ff4@redbarn.org> <D01BFEEE-746D-4F30-A3CE-497D4AFA8CC5@fugue.com> <7cdbd8a8-2bf4-992e-3197-ca17e7352a5b@redbarn.org> <725FD25D-FCE9-4740-A001-79369AFDEB78@fugue.com> <d1f66089-1e78-15f6-269c-33ced12c2738@redbarn.org> <3C1FF728-2F31-4884-B7E9-55DF4E15AEB6@fugue.com> <cb9646e3-676d-c24f-240d-e0c8ed159e88@redbarn.org> <4C2F9639-6C22-4FB7-840B-0318B40C2193@fugue.com>
From: Paul Vixie <paul@redbarn.org>
Message-ID: <9e56da22-4fb5-1c68-3bfc-85283b0e8480@redbarn.org>
Date: Tue, 12 Feb 2019 14:18:39 -0800
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 PostboxApp/6.1.10
MIME-Version: 1.0
In-Reply-To: <4C2F9639-6C22-4FB7-840B-0318B40C2193@fugue.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Xm8lZQV0DNPv4xMxi_8VoPDjT9c>
Subject: Re: [DNSOP] extension of DoH to authoritative servers
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Feb 2019 22:18:40 -0000

Ted Lemon wrote on 2019-02-12 14:08:
> On Feb 12, 2019, at 1:48 PM, Paul Vixie <paul@redbarn.org> wrote:
>> DoH _specifically_ evades this, by looking as much as possible like 
>> other traffic to IP addresses shared by a lot of existing traffic.
> 
> Right.   So what’s to stop other malicious traffic from doing the same 
> thing?

lack of an IETF-approved standard with planned implementation by a half 
dozen tech giants, means that other malicious traffic will not be able 
to hide in the crowd, and can be made subject to policy, and complaints.

> IOW, you seem to want DoH to go away, but will that actually solve your 
> problem?   If so, how?

i want DoT to be used instead, and backed by google, mozilla, 
cloudflare, and the others. i want malicious traffic to stand apart from 
the crowd, where affordable anomaly detection can see it and cope with 
it. security economics is a "long game." DoH is a giant step function.

-- 
P Vixie


From nobody Tue Feb 12 14:20:24 2019
Return-Path: <mellon@fugue.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B7620130DDA for <dnsop@ietfa.amsl.com>; Tue, 12 Feb 2019 14:20:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level: 
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fugue-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QD4BmVC7CFN5 for <dnsop@ietfa.amsl.com>; Tue, 12 Feb 2019 14:20:21 -0800 (PST)
Received: from mail-pl1-x631.google.com (mail-pl1-x631.google.com [IPv6:2607:f8b0:4864:20::631]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 48F5C130DD8 for <dnsop@ietf.org>; Tue, 12 Feb 2019 14:20:21 -0800 (PST)
Received: by mail-pl1-x631.google.com with SMTP id s1so126792plp.9 for <dnsop@ietf.org>; Tue, 12 Feb 2019 14:20:21 -0800 (PST)
X-Received: by 2002:a17:902:848f:: with SMTP id c15mr6102105plo.119.1550010020813;  Tue, 12 Feb 2019 14:20:20 -0800 (PST)
Received: from [17.230.171.141] ([17.230.171.141]) by smtp.gmail.com with ESMTPSA id x2sm23815947pfx.78.2019.02.12.14.20.19 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 12 Feb 2019 14:20:20 -0800 (PST)
From: Ted Lemon <mellon@fugue.com>
Message-Id: <97C2ED2B-9086-4E3B-98FB-116E95281030@fugue.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_7494A841-488D-46D2-9CF7-3F2D29817F3C"
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
Date: Tue, 12 Feb 2019 14:20:18 -0800
In-Reply-To: <9e56da22-4fb5-1c68-3bfc-85283b0e8480@redbarn.org>
Cc: David Conrad <drc@virtualized.org>, dnsop <dnsop@ietf.org>
To: Paul Vixie <paul@redbarn.org>
References: <2019021215560470371417@cnnic.cn> <20190212083908.w5cwgtmypkjwmqnd@nic.fr> <ecfdb33d-7925-f762-6788-68b7a659a3d8@redbarn.org> <43FF2435-37C6-43B0-B97C-59D23AD2A9C2@virtualized.org> <873fe3e1-58e4-38a7-eb11-37509f9b7ff4@redbarn.org> <D01BFEEE-746D-4F30-A3CE-497D4AFA8CC5@fugue.com> <7cdbd8a8-2bf4-992e-3197-ca17e7352a5b@redbarn.org> <725FD25D-FCE9-4740-A001-79369AFDEB78@fugue.com> <d1f66089-1e78-15f6-269c-33ced12c2738@redbarn.org> <3C1FF728-2F31-4884-B7E9-55DF4E15AEB6@fugue.com> <cb9646e3-676d-c24f-240d-e0c8ed159e88@redbarn.org> <4C2F9639-6C22-4FB7-840B-0318B40C2193@fugue.com> <9e56da22-4fb5-1c68-3bfc-85283b0e8480@redbarn.org>
X-Mailer: Apple Mail (2.3445.102.3)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/oDitbL-hRV4ejjKEfNIyFEKIU8o>
Subject: Re: [DNSOP] extension of DoH to authoritative servers
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Feb 2019 22:20:23 -0000

--Apple-Mail=_7494A841-488D-46D2-9CF7-3F2D29817F3C
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8

On Feb 12, 2019, at 2:18 PM, Paul Vixie <paul@redbarn.org> wrote:
> lack of an IETF-approved standard with planned implementation by a
> half dozen tech giants, means that other malicious traffic will not be
> able to hide in the crowd, and can be made subject to policy, and
> complaints.

So you’re saying that DoH traffic that’s not going to well-known IP
addresses is easier to detect than DoH traffic going to well-known IP
addresses?


--Apple-Mail=_7494A841-488D-46D2-9CF7-3F2D29817F3C--


From nobody Tue Feb 12 14:45:57 2019
Return-Path: <paul@redbarn.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BD9BB130DD8 for <dnsop@ietfa.amsl.com>; Tue, 12 Feb 2019 14:45:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level: 
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bHkM07aJHpN3 for <dnsop@ietfa.amsl.com>; Tue, 12 Feb 2019 14:45:54 -0800 (PST)
Received: from family.redbarn.org (family.redbarn.org [IPv6:2001:559:8000:cd::5]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 49806126C01 for <dnsop@ietf.org>; Tue, 12 Feb 2019 14:45:54 -0800 (PST)
Received: from [IPv6:2001:559:8000:c9:14dc:261d:a3ba:1384] (unknown [IPv6:2001:559:8000:c9:14dc:261d:a3ba:1384]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client did not present a certificate) by family.redbarn.org (Postfix) with ESMTPSA id 20609892C6; Tue, 12 Feb 2019 22:45:54 +0000 (UTC)
To: Ted Lemon <mellon@fugue.com>
Cc: David Conrad <drc@virtualized.org>, dnsop <dnsop@ietf.org>
References: <2019021215560470371417@cnnic.cn> <20190212083908.w5cwgtmypkjwmqnd@nic.fr> <ecfdb33d-7925-f762-6788-68b7a659a3d8@redbarn.org> <43FF2435-37C6-43B0-B97C-59D23AD2A9C2@virtualized.org> <873fe3e1-58e4-38a7-eb11-37509f9b7ff4@redbarn.org> <D01BFEEE-746D-4F30-A3CE-497D4AFA8CC5@fugue.com> <7cdbd8a8-2bf4-992e-3197-ca17e7352a5b@redbarn.org> <725FD25D-FCE9-4740-A001-79369AFDEB78@fugue.com> <d1f66089-1e78-15f6-269c-33ced12c2738@redbarn.org> <3C1FF728-2F31-4884-B7E9-55DF4E15AEB6@fugue.com> <cb9646e3-676d-c24f-240d-e0c8ed159e88@redbarn.org> <4C2F9639-6C22-4FB7-840B-0318B40C2193@fugue.com> <9e56da22-4fb5-1c68-3bfc-85283b0e8480@redbarn.org> <97C2ED2B-9086-4E3B-98FB-116E95281030@fugue.com>
From: Paul Vixie <paul@redbarn.org>
Message-ID: <7c9f1f7f-5617-08f8-ba35-54cbc59f09c4@redbarn.org>
Date: Tue, 12 Feb 2019 14:45:54 -0800
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 PostboxApp/6.1.10
MIME-Version: 1.0
In-Reply-To: <97C2ED2B-9086-4E3B-98FB-116E95281030@fugue.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/B425SA_UwYtwulVcgDYPAVa4K1I>
Subject: Re: [DNSOP] extension of DoH to authoritative servers
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Feb 2019 22:45:56 -0000

Ted Lemon wrote on 2019-02-12 14:20:
> ...
> 
> So you’re saying that DoH traffic that’s not going to well-known IP 
> addresses is easier to detect than DoH traffic going to well-known IP 
> addresses?

yes, that's what i've been trying to say. if CF only publishes DoH 
content on 1.0.0.0/23, then i can just block that, and leave their main 
HTTPS server addresses alone. same for google, opendns/umbrella/cisco, 
ibm, and the others. one of my networks only allows TCP/443 to 
explicitly enumerated destinations... one of which is the main service 
address for google. i need that to never contain DoH traffic, please.

note, i prefer to block UDP/53, TCP/53, and TCP/853, because then my 
risks are lower, and my costs for managing those risks also lower. and 
that's why DoT is a better _engineered_ solution than DoH. i remember a 
time when the IAB would have said "no" to an internet standard which 
mandated deliberate loss of control by network operators. hey you kids, 
get offa my lawn, and so on.

-- 
P Vixie
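
Added example, not part of the original message or of any list member's code: a small model of the egress posture the message above describes (drop UDP/53, TCP/53 and TCP/853; drop a provider's DoH-only prefix; allow TCP/443 only to enumerated destinations), evaluated over constructed flows. Only 1.0.0.0/23 comes from the message; every other address, the flow records and all function names are assumptions made for the illustration.

```python
from ipaddress import ip_address, ip_network
from typing import List, NamedTuple, Tuple


class Flow(NamedTuple):
    proto: str   # "tcp" or "udp"
    dst: str     # destination IP address
    dport: int   # destination port
    truth: str   # what the flow really carries; the filter never reads this


# Ports the message prefers to block at the network edge.
BLOCKED_DNS_PORTS = {("udp", 53), ("tcp", 53), ("tcp", 853)}

# The message's "if": a prefix a provider uses only for DoH.
DOH_ONLY_PREFIXES = [ip_network("1.0.0.0/23")]

# Constructed allowlist (RFC 5737 documentation addresses) standing in for
# the "explicitly enumerated destinations" reachable on TCP/443.
HTTPS_ALLOWLIST = [ip_network("192.0.2.10/32"), ip_network("198.51.100.0/28")]


def decide(flow: Flow) -> Tuple[str, str]:
    """Return (verdict, rule) using only what a packet filter can see."""
    addr = ip_address(flow.dst)
    if (flow.proto, flow.dport) in BLOCKED_DNS_PORTS:
        return "drop", "dns-port"
    if any(addr in net for net in DOH_ONLY_PREFIXES):
        return "drop", "doh-only-prefix"
    if (flow.proto, flow.dport) == ("tcp", 443) and any(
        addr in net for net in HTTPS_ALLOWLIST
    ):
        return "accept", "https-allowlist"
    return "drop", "default-deny"


def unseen_dns(flows: List[Flow]) -> List[Flow]:
    """Flows that carry DNS yet are accepted: the policy's blind spot."""
    return [
        f for f in flows
        if f.truth.startswith("dns") and decide(f)[0] == "accept"
    ]


# Constructed sample flows; none are taken from the thread.
SAMPLE_FLOWS = [
    Flow("udp", "203.0.113.53", 53, "dns-udp"),
    Flow("tcp", "203.0.113.53", 853, "dns-dot"),
    Flow("tcp", "1.0.0.1", 443, "dns-doh"),      # DoH on a dedicated prefix
    Flow("tcp", "192.0.2.10", 443, "web"),       # allowlisted web service
    Flow("tcp", "192.0.2.10", 443, "dns-doh"),   # DoH on that same address
    Flow("tcp", "203.0.113.80", 443, "web"),     # destination not enumerated
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"{f.proto}/{f.dport:<4} {f.dst:<14} {f.truth:<8} -> {decide(f)}")
    print("accepted DNS the filter cannot see:", unseen_dns(SAMPLE_FLOWS))
```

The two flows to 192.0.2.10 get the same verdict because protocol, address and port are all the filter has to go on, which is the case the message asks providers to avoid by keeping DoH off shared service addresses.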


From nobody Tue Feb 12 14:58:44 2019
Return-Path: <drc@virtualized.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2FC98130DD8 for <dnsop@ietfa.amsl.com>; Tue, 12 Feb 2019 14:58:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=virtualized-org.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id f0ycC74ACIvL for <dnsop@ietfa.amsl.com>; Tue, 12 Feb 2019 14:58:40 -0800 (PST)
Received: from mail-pf1-x42f.google.com (mail-pf1-x42f.google.com [IPv6:2607:f8b0:4864:20::42f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 57172126C01 for <dnsop@ietf.org>; Tue, 12 Feb 2019 14:58:40 -0800 (PST)
Received: by mail-pf1-x42f.google.com with SMTP id j3so159610pfi.12 for <dnsop@ietf.org>; Tue, 12 Feb 2019 14:58:40 -0800 (PST)
X-Received: by 2002:a63:e742:: with SMTP id j2mr5989266pgk.172.1550012319713;  Tue, 12 Feb 2019 14:58:39 -0800 (PST)
Received: from [10.96.20.91] (35-2.lax.icann.org. [192.0.35.2]) by smtp.gmail.com with ESMTPSA id f2sm880880pgd.6.2019.02.12.14.58.37 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 12 Feb 2019 14:58:38 -0800 (PST)
Content-Type: multipart/signed; boundary="Apple-Mail=_EBE7CF46-15B9-444F-8E0B-3B52A3F16A6D"; protocol="application/pgp-signature"; micalg=pgp-sha512
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
From: David Conrad <drc@virtualized.org>
In-Reply-To: <9e56da22-4fb5-1c68-3bfc-85283b0e8480@redbarn.org>
Date: Tue, 12 Feb 2019 14:58:36 -0800
Cc: dnsop <dnsop@ietf.org>
X-Mailbutler-Message-Id: 30677AAA-3115-4390-9A06-A3786675A9D3
Message-Id: <E2ABD9DC-668E-44BA-AB09-367C7B16C716@virtualized.org>
References: <2019021215560470371417@cnnic.cn> <20190212083908.w5cwgtmypkjwmqnd@nic.fr> <ecfdb33d-7925-f762-6788-68b7a659a3d8@redbarn.org> <43FF2435-37C6-43B0-B97C-59D23AD2A9C2@virtualized.org> <873fe3e1-58e4-38a7-eb11-37509f9b7ff4@redbarn.org> <D01BFEEE-746D-4F30-A3CE-497D4AFA8CC5@fugue.com> <7cdbd8a8-2bf4-992e-3197-ca17e7352a5b@redbarn.org> <725FD25D-FCE9-4740-A001-79369AFDEB78@fugue.com> <d1f66089-1e78-15f6-269c-33ced12c2738@redbarn.org> <3C1FF728-2F31-4884-B7E9-55DF4E15AEB6@fugue.com> <cb9646e3-676d-c24f-240d-e0c8ed159e88@redbarn.org> <4C2F9639-6C22-4FB7-840B-0318B40C2193@fugue.com> <9e56da22-4fb5-1c68-3bfc-85283b0e8480@redbarn.org>
To: Paul Vixie <paul@redbarn.org>
X-Mailer: Apple Mail (2.3445.102.3)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/zo01Wam2gpLYl5cWKRH6xeyRGo4>
Subject: Re: [DNSOP] extension of DoH to authoritative servers
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Feb 2019 22:58:42 -0000

--Apple-Mail=_EBE7CF46-15B9-444F-8E0B-3B52A3F16A6D
Content-Type: multipart/alternative;
	boundary="Apple-Mail=_5D5CD569-1C1C-432B-BF01-278A858CF30C"


--Apple-Mail=_5D5CD569-1C1C-432B-BF01-278A858CF30C
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8

On Feb 12, 2019, at 2:18 PM, Paul Vixie <paul@redbarn.org> wrote:
> Ted Lemon wrote on 2019-02-12 14:08:
>> On Feb 12, 2019, at 1:48 PM, Paul Vixie <paul@redbarn.org> wrote:
>>> DoH _specifically_ evades this, by looking as much as possible like
>>> other traffic to IP addresses shared by a lot of existing traffic.
>> Right.   So what’s to stop other malicious traffic from doing the
>> same thing?
> lack of an IETF-approved standard with planned implementation by a
> half dozen tech giants,

And that worked so well with NAT.

Regards,
-drc



--Apple-Mail=_5D5CD569-1C1C-432B-BF01-278A858CF30C--

--Apple-Mail=_EBE7CF46-15B9-444F-8E0B-3B52A3F16A6D--


From nobody Tue Feb 12 15:03:59 2019
Return-Path: <paul@redbarn.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 271DF130DD8 for <dnsop@ietfa.amsl.com>; Tue, 12 Feb 2019 15:03:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level: 
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wnNaWFPvN0Sa for <dnsop@ietfa.amsl.com>; Tue, 12 Feb 2019 15:03:57 -0800 (PST)
Received: from family.redbarn.org (family.redbarn.org [24.104.150.213]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4396F126C01 for <dnsop@ietf.org>; Tue, 12 Feb 2019 15:03:57 -0800 (PST)
Received: from [IPv6:2001:559:8000:c9:14dc:261d:a3ba:1384] (unknown [IPv6:2001:559:8000:c9:14dc:261d:a3ba:1384]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client did not present a certificate) by family.redbarn.org (Postfix) with ESMTPSA id 879A3892C6; Tue, 12 Feb 2019 23:03:56 +0000 (UTC)
To: David Conrad <drc@virtualized.org>
Cc: dnsop <dnsop@ietf.org>
References: <2019021215560470371417@cnnic.cn> <20190212083908.w5cwgtmypkjwmqnd@nic.fr> <ecfdb33d-7925-f762-6788-68b7a659a3d8@redbarn.org> <43FF2435-37C6-43B0-B97C-59D23AD2A9C2@virtualized.org> <873fe3e1-58e4-38a7-eb11-37509f9b7ff4@redbarn.org> <D01BFEEE-746D-4F30-A3CE-497D4AFA8CC5@fugue.com> <7cdbd8a8-2bf4-992e-3197-ca17e7352a5b@redbarn.org> <725FD25D-FCE9-4740-A001-79369AFDEB78@fugue.com> <d1f66089-1e78-15f6-269c-33ced12c2738@redbarn.org> <3C1FF728-2F31-4884-B7E9-55DF4E15AEB6@fugue.com> <cb9646e3-676d-c24f-240d-e0c8ed159e88@redbarn.org> <4C2F9639-6C22-4FB7-840B-0318B40C2193@fugue.com> <9e56da22-4fb5-1c68-3bfc-85283b0e8480@redbarn.org> <E2ABD9DC-668E-44BA-AB09-367C7B16C716@virtualized.org>
From: Paul Vixie <paul@redbarn.org>
Message-ID: <fa4a2570-f8bc-2694-1a27-f2795515520b@redbarn.org>
Date: Tue, 12 Feb 2019 15:03:57 -0800
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 PostboxApp/6.1.10
MIME-Version: 1.0
In-Reply-To: <E2ABD9DC-668E-44BA-AB09-367C7B16C716@virtualized.org>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/xKU3qbDLYkFUrvgbE07SX0jAsy8>
Subject: Re: [DNSOP] extension of DoH to authoritative servers
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Feb 2019 23:03:58 -0000

David Conrad wrote on 2019-02-12 14:58:
>> lack of an IETF-approved standard with planned implementation by a 
>> half dozen tech giants, 
> 
> And that worked so well with NAT.

network operators had a choice whether to deploy NAT. i'd like the same 
level of freedom when it comes to how DNS is served. too old-school?

-- 
P Vixie


From nobody Tue Feb 12 15:10:42 2019
Return-Path: <drc@virtualized.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4EBA0130DD8 for <dnsop@ietfa.amsl.com>; Tue, 12 Feb 2019 15:10:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=virtualized-org.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id puv8WCwYBLgW for <dnsop@ietfa.amsl.com>; Tue, 12 Feb 2019 15:10:39 -0800 (PST)
Received: from mail-pf1-x442.google.com (mail-pf1-x442.google.com [IPv6:2607:f8b0:4864:20::442]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B7509126C01 for <dnsop@ietf.org>; Tue, 12 Feb 2019 15:10:39 -0800 (PST)
Received: by mail-pf1-x442.google.com with SMTP id n74so181407pfi.9 for <dnsop@ietf.org>; Tue, 12 Feb 2019 15:10:39 -0800 (PST)
X-Received: by 2002:a62:35c7:: with SMTP id c190mr6566459pfa.76.1550013039060;  Tue, 12 Feb 2019 15:10:39 -0800 (PST)
Received: from [10.96.20.91] (35-2.lax.icann.org. [192.0.35.2]) by smtp.gmail.com with ESMTPSA id q127sm18647809pgq.39.2019.02.12.15.10.37 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 12 Feb 2019 15:10:38 -0800 (PST)
Content-Type: multipart/signed; boundary="Apple-Mail=_C25DD85B-BD22-47FB-9C84-6793B464B05B"; protocol="application/pgp-signature"; micalg=pgp-sha512
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
From: David Conrad <drc@virtualized.org>
In-Reply-To: <fa4a2570-f8bc-2694-1a27-f2795515520b@redbarn.org>
Date: Tue, 12 Feb 2019 15:10:36 -0800
Cc: dnsop <dnsop@ietf.org>
X-Mailbutler-Message-Id: 0CCE0280-74C8-4ACA-81F7-F55E83FDAD80
Message-Id: <8B58EEF9-2669-47E3-B3D4-7993A1118C8C@virtualized.org>
References: <2019021215560470371417@cnnic.cn> <20190212083908.w5cwgtmypkjwmqnd@nic.fr> <ecfdb33d-7925-f762-6788-68b7a659a3d8@redbarn.org> <43FF2435-37C6-43B0-B97C-59D23AD2A9C2@virtualized.org> <873fe3e1-58e4-38a7-eb11-37509f9b7ff4@redbarn.org> <D01BFEEE-746D-4F30-A3CE-497D4AFA8CC5@fugue.com> <7cdbd8a8-2bf4-992e-3197-ca17e7352a5b@redbarn.org> <725FD25D-FCE9-4740-A001-79369AFDEB78@fugue.com> <d1f66089-1e78-15f6-269c-33ced12c2738@redbarn.org> <3C1FF728-2F31-4884-B7E9-55DF4E15AEB6@fugue.com> <cb9646e3-676d-c24f-240d-e0c8ed159e88@redbarn.org> <4C2F9639-6C22-4FB7-840B-0318B40C2193@fugue.com> <9e56da22-4fb5-1c68-3bfc-85283b0e8480@redbarn.org> <E2ABD9DC-668E-44BA-AB09-367C7B16C716@virtualized.org> <fa4a2570-f8bc-2694-1a27-f2795515520b@redbarn.org>
To: Paul Vixie <paul@redbarn.org>
X-Mailer: Apple Mail (2.3445.102.3)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/qt3WJ8HHb_vLpoETf3R8Xgf9vuE>
Subject: Re: [DNSOP] extension of DoH to authoritative servers
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Feb 2019 23:10:41 -0000

--Apple-Mail=_C25DD85B-BD22-47FB-9C84-6793B464B05B
Content-Type: multipart/alternative;
	boundary="Apple-Mail=_52685F90-6BBB-4216-9A35-8BBA09304A44"


--Apple-Mail=_52685F90-6BBB-4216-9A35-8BBA09304A44
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=us-ascii


On Feb 12, 2019, at 3:03 PM, Paul Vixie <paul@redbarn.org> wrote:
> David Conrad wrote on 2019-02-12 14:58:
>>> lack of an IETF-approved standard with planned implementation by a
>>> half dozen tech giants,
>> And that worked so well with NAT.
> network operators had a choice whether to deploy NAT.

You missed my point.  The IETF declared NATs heretical and as a result,
a zillion people did it in a zillion different ways, creating a huge
mess.  Lots of people are implementing sending/receiving DNS
queries/responses over HTTPS. DoH simply codifies one way of doing it so
that network managers, software developers, etc., have a chance to
develop management systems for it.

> i'd like the same level of freedom when it comes to how DNS is served.

Then force the folks on your network to install a cert so you can filter
out DoH.  Contrary to your assertion, I doubt netflow will let you
discriminate between good and evil. You have to have visibility to do
that.

> too old-school?

Too ostrich-like.

Regards,
-drc


--Apple-Mail=_52685F90-6BBB-4216-9A35-8BBA09304A44--


--Apple-Mail=_C25DD85B-BD22-47FB-9C84-6793B464B05B--


From nobody Tue Feb 12 15:32:40 2019
Return-Path: <paul@redbarn.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 095FF126C15 for <dnsop@ietfa.amsl.com>; Tue, 12 Feb 2019 15:32:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level: 
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7DkGUGbtKVaa for <dnsop@ietfa.amsl.com>; Tue, 12 Feb 2019 15:32:37 -0800 (PST)
Received: from family.redbarn.org (family.redbarn.org [24.104.150.213]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5893F126C01 for <dnsop@ietf.org>; Tue, 12 Feb 2019 15:32:37 -0800 (PST)
Received: from [IPv6:2001:559:8000:c9:14dc:261d:a3ba:1384] (unknown [IPv6:2001:559:8000:c9:14dc:261d:a3ba:1384]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client did not present a certificate) by family.redbarn.org (Postfix) with ESMTPSA id 0A290892C6; Tue, 12 Feb 2019 23:32:37 +0000 (UTC)
To: David Conrad <drc@virtualized.org>
Cc: dnsop <dnsop@ietf.org>
References: <2019021215560470371417@cnnic.cn> <20190212083908.w5cwgtmypkjwmqnd@nic.fr> <ecfdb33d-7925-f762-6788-68b7a659a3d8@redbarn.org> <43FF2435-37C6-43B0-B97C-59D23AD2A9C2@virtualized.org> <873fe3e1-58e4-38a7-eb11-37509f9b7ff4@redbarn.org> <D01BFEEE-746D-4F30-A3CE-497D4AFA8CC5@fugue.com> <7cdbd8a8-2bf4-992e-3197-ca17e7352a5b@redbarn.org> <725FD25D-FCE9-4740-A001-79369AFDEB78@fugue.com> <d1f66089-1e78-15f6-269c-33ced12c2738@redbarn.org> <3C1FF728-2F31-4884-B7E9-55DF4E15AEB6@fugue.com> <cb9646e3-676d-c24f-240d-e0c8ed159e88@redbarn.org> <4C2F9639-6C22-4FB7-840B-0318B40C2193@fugue.com> <9e56da22-4fb5-1c68-3bfc-85283b0e8480@redbarn.org> <E2ABD9DC-668E-44BA-AB09-367C7B16C716@virtualized.org> <fa4a2570-f8bc-2694-1a27-f2795515520b@redbarn.org> <8B58EEF9-2669-47E3-B3D4-7993A1118C8C@virtualized.org>
From: Paul Vixie <paul@redbarn.org>
Message-ID: <9e559ef1-7bb9-f53c-1543-fac92133bdac@redbarn.org>
Date: Tue, 12 Feb 2019 15:32:37 -0800
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 PostboxApp/6.1.10
MIME-Version: 1.0
In-Reply-To: <8B58EEF9-2669-47E3-B3D4-7993A1118C8C@virtualized.org>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Kfyxi2CPBqJDu-HkYivstj_Jtlw>
Subject: Re: [DNSOP] extension of DoH to authoritative servers
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Feb 2019 23:32:39 -0000

David Conrad wrote on 2019-02-12 15:10:
> You missed my point.  The IETF declared NATs heretical and as a
> result, a zillion people did it in a zillion different ways, creating
> a huge mess.

i remember this. and i agree. had IAB said "this specification is
inadequate, let's get firewall traversal working before we publish",
rather than "it is heretical and must not be done", a lot of pain and
waste would have been avoided.

> ...  Lots of people are implementing sending/receiving DNS 
> queries/responses over HTTPS.

since i did it myself (https://github.com/BII-Lab/DNSoverHTTP) years
before DoH was thought of, i can scarcely disagree.

> DoH simply codifies one way of doing it so that network managers,
> software developers, etc., have a chance to develop management
> systems for it.


really? "simply"? i don't think it's that simple. here's the part of RFC 
8484 that i would have expected to cause a "discuss" event in IESG 
before allowing publication:

<<Two primary use cases were considered during this protocol's 
development.  These use cases are preventing on-path devices from 
interfering with DNS operations, ...>>

that's not a simple thing. IESG should have said, "that part is 
problematic, please make this protocol optional for the network 
operators and controllable by their on-path devices."

by putting that text in and leaving it in, this becomes a political 
project not a technical one. IESG had the ability to say, please find a 
better way to solve this problem, that disenfranchises nobody.

as it happens, nothing stops a web browser or other such client from 
using DoT, and it's possible that the right answer was to say, DoT will 
answer every technical need that this RFC describes, but none of its 
political needs, and we don't want to be in the politics business.

to validate whether RFC 8484's goal is political, let's ponder whether 
the document would have been perfectly unhurt by the non-enumeration of 
this use case. i think yes. so, why mention it?

>> i'd like the same level of freedom when it comes to how DNS is
>> served.
> 
> Then force the folks on your network to install a cert so you can
> filter out DoH.  Contrary to your assertion, I doubt netflow will let
> you discriminate between good and evil. You have to have visibility
> to do that.
i have embedded devices which don't let me install certs inside them, 
and i don't think i'm alone. the general name for what you're describing 
is "web application firewall" and it simply breaks anything that won't 
cooperate -- which is the policy i'm going to need, if any so-called 
"public DNS" server shares a DoH responder address with any other 
service i care about. this remains to be seen. the market will help decide.

i'm surprised and fascinated by your vision of what my security needs 
are -- even though you have misstated them here -- but you're wrong on 
the facts, and the economics. if you are willing to spend the serious 
effort it would take to fully engage with the lived experience of modern 
CISOs, then we should take that topic up 1x1.

-- 
P Vixie


From nobody Tue Feb 12 17:30:18 2019
Return-Path: <internet-drafts@ietf.org>
X-Original-To: dnsop@ietf.org
Delivered-To: dnsop@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id CC2D2130ECA; Tue, 12 Feb 2019 17:30:16 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: internet-drafts@ietf.org
To: <i-d-announce@ietf.org>
Cc: dnsop@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.91.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: dnsop@ietf.org
Message-ID: <155002141677.8631.16546423117357086040@ietfa.amsl.com>
Date: Tue, 12 Feb 2019 17:30:16 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Bfp3c9DvW5Dp4ZAwBkwM4DyPvKw>
Subject: [DNSOP] I-D Action: draft-ietf-dnsop-algorithm-update-05.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Feb 2019 01:30:17 -0000

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Domain Name System Operations WG of the IETF.

        Title           : Algorithm Implementation Requirements and Usage Guidance for DNSSEC
        Authors         : Paul Wouters
                          Ondrej Sury
        Filename        : draft-ietf-dnsop-algorithm-update-05.txt
        Pages           : 11
        Date            : 2019-02-12

Abstract:
   The DNSSEC protocol makes use of various cryptographic algorithms in
   order to provide authentication of DNS data and proof of non-
   existence.  To ensure interoperability between DNS resolvers and DNS
   authoritative servers, it is necessary to specify a set of algorithm
   implementation requirements and usage guidelines to ensure that there
   is at least one algorithm that all implementations support.  This
   document defines the current algorithm implementation requirements
   and usage guidance for DNSSEC.  This document obsoletes [RFC6944].


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-dnsop-algorithm-update/

There are also htmlized versions available at:
https://tools.ietf.org/html/draft-ietf-dnsop-algorithm-update-05
https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-algorithm-update-05

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-dnsop-algorithm-update-05


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/


From nobody Tue Feb 12 17:43:34 2019
Return-Path: <paul@nohats.ca>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 714CF130EE7 for <dnsop@ietfa.amsl.com>; Tue, 12 Feb 2019 17:43:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level: 
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id E_sfzhf1ZxNx for <dnsop@ietfa.amsl.com>; Tue, 12 Feb 2019 17:43:32 -0800 (PST)
Received: from mx.nohats.ca (mx.nohats.ca [IPv6:2a03:6000:1004:1::68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 17253130EE2 for <dnsop@ietf.org>; Tue, 12 Feb 2019 17:43:32 -0800 (PST)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 43zj3Q57dzzK7b; Wed, 13 Feb 2019 02:43:30 +0100 (CET)
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id 9BU57jmRZ2AK; Wed, 13 Feb 2019 02:43:29 +0100 (CET)
Received: from bofh.nohats.ca (bofh.nohats.ca [76.10.157.69]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Wed, 13 Feb 2019 02:43:29 +0100 (CET)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id 8E235A7E0C; Tue, 12 Feb 2019 20:43:28 -0500 (EST)
DKIM-Filter: OpenDKIM Filter v2.11.0 bofh.nohats.ca 8E235A7E0C
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id 8512940D358A; Tue, 12 Feb 2019 20:43:28 -0500 (EST)
Date: Tue, 12 Feb 2019 20:43:28 -0500 (EST)
From: Paul Wouters <paul@nohats.ca>
To: Warren Kumari <warren@kumari.net>
cc: dnsop <dnsop@ietf.org>
In-Reply-To: <CAHw9_iKB4rd3ZPCrjovJHzPdpQG2k7n3gaCkhpXzyanJhxj_Kw@mail.gmail.com>
Message-ID: <alpine.LRH.2.21.1902122043070.15552@bofh.nohats.ca>
References: <CAHw9_iKB4rd3ZPCrjovJHzPdpQG2k7n3gaCkhpXzyanJhxj_Kw@mail.gmail.com>
User-Agent: Alpine 2.21 (LRH 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8BIT
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/ogyVuehOPkpNheSnm3DGgN0JbGA>
Subject: Re: [DNSOP] AD Review of draft-ietf-dnsop-algorithm-update
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Feb 2019 01:43:34 -0000

On Mon, 11 Feb 2019, Warren Kumari wrote:

> Section 1.2.  Updating Algorithm Requirement Levels says:
> "[RFC2119] considers the term SHOULD equivalent to RECOMMENDED, and
>    SHOULD NOT equivalent to NOT RECOMMENDED.  The authors of this
>    document have chosen to use the terms RECOMMENDED and NOT
>    RECOMMENDED, as this more clearly expresses the recommendations to
>    implementers."
> 
> Actually, RFC2119 doesn't really contain NOT RECOMMENDED --- but, RFC8174 ("Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words"),
> which updates RFC2119 *does*.
> 
> Can the authors please resubmit with the new boilerplate from RFC8174 in Section 2 (Conventions Used in This Document) and I'll kick off IETF
> LC.

done:

https://www.ietf.org/rfcdiff?url2=draft-ietf-dnsop-algorithm-update-05

Paul


From nobody Tue Feb 12 22:03:39 2019
Return-Path: <zuopeng@cnnic.cn>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 28B35130FFE for <dnsop@ietfa.amsl.com>; Tue, 12 Feb 2019 22:03:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level: 
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8VhGna8kXMwz for <dnsop@ietfa.amsl.com>; Tue, 12 Feb 2019 22:03:35 -0800 (PST)
Received: from cnnic.cn (smtp13.cnnic.cn [218.241.118.13]) by ietfa.amsl.com (Postfix) with ESMTP id 8DFDD130F30 for <dnsop@ietf.org>; Tue, 12 Feb 2019 22:03:33 -0800 (PST)
Received: from Foxmail (unknown [218.241.103.81]) by ocmail02.zx.nicx.cn (Coremail) with SMTP id AQAAf0B5pq0vs2NcxaUfAA--.22689S2;  Wed, 13 Feb 2019 14:03:27 +0800 (CST)
Date: Wed, 13 Feb 2019 14:03:26 +0800
From: "zuopeng@cnnic.cn" <zuopeng@cnnic.cn>
To: "Paul Wouters" <paul@nohats.ca>
Cc: dnsop <dnsop@ietf.org>
References: <2019021215560470371417@cnnic.cn>,  <alpine.LRH.2.21.1902120846480.18026@bofh.nohats.ca>
X-Priority: 3
X-Has-Attach: no
X-Mailer: Foxmail 7, 2, 7, 166[cn]
Mime-Version: 1.0
Message-ID: <201902131403257357123@cnnic.cn>
Content-Type: multipart/alternative; boundary="----=_001_NextPart758607533405_=----"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/ss8feHZLyhhDgnxsTpt5lQR0PeA>
Subject: Re: [DNSOP] extension of DoH to authoritative servers
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Feb 2019 06:03:38 -0000

that's true. but in my view, if the trust chain is built, we can ensure
a resolver (or a cache) is always talking to an identified server and the
channel is always secure, then the content could not be tampered with.

zuopeng@cnnic.cn

From: Paul Wouters
Date: 2019-02-12 22:07
To: zuopeng@cnnic.cn
CC: dnsop
Subject: Re: [DNSOP] extension of DoH to authoritative servers

On Tue, 12 Feb 2019, zuopeng@cnnic.cn wrote:

>    In this way, the whole DNS is built on HTTPS which makes DNS more
>    secure. DNSSEC is not necessary anymore and many other problems
>    like fragmentation also will not exist.

This idea is similar to DNScurve. The problem is that channel security
does not help when you have an infrastructure of DNS caches, as nothing
in the cache can be used to validate the content.

djb's solution to this problem was to obsolete the cache, and at the CCC
conference he then threw around numbers that "claimed" caching is not
working or needed, and was proven wrong by me showing some cache
percentages of real DNS servers.

DNSSEC provides origin protection, and digital signatures are needed,
which TLS does not offer.

Paul
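
The point made in the quoted reply, that a secure channel cannot vouch for data served out of a cache while a signature over the data can, shown as an added example that is not part of the original thread. The toy RSA key, the `Cache` class and every name and address below are constructed for illustration; this is not the DNSSEC wire format or any project's code.

```python
import hashlib

# Toy RSA key for the zone (constructed; far too small for real use).
# Both factors are Mersenne primes, and 65537 is coprime to (P-1)*(Q-1).
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, held only by the zone owner


def canonical(name, rtype, rdata):
    """Stable byte encoding of an RRset so signer and verifier hash the same bytes."""
    return "|".join([name.lower(), rtype] + sorted(rdata)).encode()


def digest(name, rtype, rdata, n):
    h = hashlib.sha256(canonical(name, rtype, rdata)).digest()
    return int.from_bytes(h, "big") % n


def sign_rrset(name, rtype, rdata):
    """Zone owner signs the data itself (data-origin authentication)."""
    return pow(digest(name, rtype, rdata, N), D, N)


def verify_rrset(name, rtype, rdata, sig, pubkey=(N, E)):
    n, e = pubkey
    return pow(sig, e, n) == digest(name, rtype, rdata, n)


class Cache:
    """A shared recursive cache. Every hop to and from it is assumed to be an
    authenticated, encrypted channel (DoH/DoT); the cache contents are not."""

    def __init__(self):
        self.store = {}

    def fill(self, name, rtype, rdata, sig):
        self.store[(name, rtype)] = (list(rdata), sig)

    def lookup(self, name, rtype):
        return self.store.get((name, rtype))


def channel_only_lookup(cache, name, rtype):
    """Client that accepts the answer because the channel to the cache was secure."""
    entry = cache.lookup(name, rtype)
    return entry[0] if entry else None


def validating_lookup(cache, name, rtype, pubkey=(N, E)):
    """Client that checks the zone's signature over the answer it was given."""
    entry = cache.lookup(name, rtype)
    if entry is None:
        return None
    rdata, sig = entry
    return rdata if verify_rrset(name, rtype, rdata, sig, pubkey) else None


def demo():
    name, rtype = "www.example.", "A"
    good = ["192.0.2.10"]  # constructed sample record (documentation address)
    cache = Cache()
    cache.fill(name, rtype, good, sign_rrset(name, rtype, good))
    before = (channel_only_lookup(cache, name, rtype),
              validating_lookup(cache, name, rtype))

    # The cached entry is altered at rest. The channel to the client is still
    # secure, and the signature cannot be recomputed without the zone's D.
    _, sig = cache.store[(name, rtype)]
    cache.store[(name, rtype)] = (["203.0.113.66"], sig)
    after = (channel_only_lookup(cache, name, rtype),
             validating_lookup(cache, name, rtype))
    return before, after


if __name__ == "__main__":
    print(demo())
```
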



From nobody Tue Feb 12 22:08:25 2019
Return-Path: <zuopeng@cnnic.cn>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A9EDA131038 for <dnsop@ietfa.amsl.com>; Tue, 12 Feb 2019 22:08:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level: 
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JlURf2DRkyTM for <dnsop@ietfa.amsl.com>; Tue, 12 Feb 2019 22:08:23 -0800 (PST)
Received: from cnnic.cn (smtp13.cnnic.cn [218.241.118.13]) by ietfa.amsl.com (Postfix) with ESMTP id D7F9D131031 for <dnsop@ietf.org>; Tue, 12 Feb 2019 22:08:22 -0800 (PST)
Received: from Foxmail (unknown [218.241.103.81]) by ocmail02.zx.nicx.cn (Coremail) with SMTP id AQAAf0B5pq1VtGNcAqYfAA--.22690S2;  Wed, 13 Feb 2019 14:08:21 +0800 (CST)
Date: Wed, 13 Feb 2019 14:08:19 +0800
From: "zuopeng@cnnic.cn" <zuopeng@cnnic.cn>
To: "Stephane Bortzmeyer" <bortzmeyer@nic.fr>
Cc: dnsop <dnsop@ietf.org>
References: <2019021215560470371417@cnnic.cn>,  <20190212083908.w5cwgtmypkjwmqnd@nic.fr>
X-Priority: 3
X-Has-Attach: no
X-Mailer: Foxmail 7, 2, 7, 166[cn]
Mime-Version: 1.0
Message-ID: <201902131408197979867@cnnic.cn>
Content-Type: multipart/alternative; boundary="----=_001_NextPart723670236142_=----"
X-CM-TRANSID: AQAAf0B5pq1VtGNcAqYfAA--.22690S2
X-CM-SenderInfo: x2xr1vlqj6u0xqlfhubq/
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/WIy03br3XwTt8Pq6ncUqtkA9amc>
Subject: Re: [DNSOP] extension of DoH to authoritative servers
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Feb 2019 06:08:25 -0000

I prefer DoH because it can identify a server we are talking to and the content is encrypted.

zuopeng@cnnic.cn

> From: Stephane Bortzmeyer <bortzmeyer@nic.fr>
> Date: 2019-02-12 16:39
> To: zuopeng@cnnic.cn
> CC: dnsop <dnsop@ietf.org>
> Subject: Re: extension of DoH to authoritative servers
>
> On Tue, Feb 12, 2019 at 03:56:04PM +0800,
>  zuopeng@cnnic.cn <zuopeng@cnnic.cn> wrote
>  a message of 546 lines which said:
>
> > I am considering extending the DoH protocol to authoritative
> > servers.
>
> Why DoH and not DoT? DoH is useful because 1) port 853 may be blocked
> at the edge of the network 2) applications running in a Web browser
> may need DNS data. But these two reasons do not apply to your use case
> 1) the resolver is often closer to the core and there is less risk
> that 853 is blocked 2) there is no Web browser on the resolver.



From nobody Wed Feb 13 00:44:15 2019
Return-Path: <benno@NLnetLabs.nl>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D5DB812D84C for <dnsop@ietfa.amsl.com>; Wed, 13 Feb 2019 00:44:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7
X-Spam-Level: 
X-Spam-Status: No, score=-7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9,  DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nlnetlabs.nl
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TxJ0MhPUFLQH for <dnsop@ietfa.amsl.com>; Wed, 13 Feb 2019 00:44:11 -0800 (PST)
Received: from dicht.nlnetlabs.nl (dicht.nlnetlabs.nl [IPv6:2a04:b900::1:0:0:10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6CEAE128CB7 for <dnsop@ietf.org>; Wed, 13 Feb 2019 00:44:11 -0800 (PST)
Received: from hydrogen.nlnetlabs.nl (unknown [IPv6:2a04:b900:0:1:60b2:a02d:a191:50b5]) by dicht.nlnetlabs.nl (Postfix) with ESMTPSA id 7DEE110302; Wed, 13 Feb 2019 09:44:08 +0100 (CET)
Authentication-Results: dicht.nlnetlabs.nl; dmarc=pass (p=none dis=none) header.from=NLnetLabs.nl
Authentication-Results: dicht.nlnetlabs.nl; spf=pass smtp.mailfrom=benno@NLnetLabs.nl
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=nlnetlabs.nl; s=default; t=1550047448; bh=oMJ8OfdN+0fjj9vl283voA5vjQC5fVCphZdi2EB7SU0=; h=Subject:To:Cc:References:From:Date:In-Reply-To; b=zPb7vV2BIqRpNtXDO7wEQYOgodPM+1PG/yO3ekPwWC3VebiJVuOqkwzjfd+GAX951 hIZYvMdG7/81dup+5l4OMs5vHjEWUJUw2D6Edz4Wmiqm4vWVbtwihILgwmd/xY4fU3 hFvflsZ6oYnGVKeCauftQxrNgQkOXW8niPpPMc7M=
To: Stephane Bortzmeyer <bortzmeyer@nic.fr>, "zuopeng@cnnic.cn" <zuopeng@cnnic.cn>
Cc: dnsop <dnsop@ietf.org>
References: <2019021215560470371417@cnnic.cn> <20190212083436.5uab52hesymxzuur@nic.fr>
From: Benno Overeinder <benno@NLnetLabs.nl>
Openpgp: preference=signencrypt
Message-ID: <fb78b80b-90d6-8bed-2a3f-10063f6206ba@NLnetLabs.nl>
Date: Wed, 13 Feb 2019 09:44:08 +0100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:60.0) Gecko/20100101 Thunderbird/60.5.0
MIME-Version: 1.0
In-Reply-To: <20190212083436.5uab52hesymxzuur@nic.fr>
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/VoBMnh5JEEuOlXW1jBdrcH9IWFg>
Subject: Re: [DNSOP] extension of DoH to authoritative servers
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Feb 2019 08:44:14 -0000

On 12/02/2019 09:34, Stephane Bortzmeyer wrote:
> On Tue, Feb 12, 2019 at 03:56:04PM +0800,
>  zuopeng@cnnic.cn <zuopeng@cnnic.cn> wrote 
>  a message of 546 lines which said:
> 
>> DNSSEC is not necessary anymore
> 
> This is clearly false. DoH provides _channel security_ DNSSEC provides
> _content security_ (or object security). This is a very important
> difference in security (we have JWS even if we have HTTPS, for
> instance).

Indeed, you might want to look at one of the presentations by Willem
Toorop and myself.  In respect of channel security, DoH and DoT with
authenticated TLS are similar.

- RIPE 76 DNS WG
  https://ripe76.ripe.net/presentations/56-sunrise-DoT-sunset-DNSSEC.pdf
  https://ripe76.ripe.net/archives/video/67

- ICANN DNS Symposium 2018
  https://www.icann.org/en/system/files/files/presentation-sunrise-dns-tls-sunset-dnssec-13jul18-en.pdf

- APNIC/RIPE blog post: Sunrise DNS over TLS, sunset DNSSEC?
  https://blog.apnic.net/2018/08/17/sunrise-dns-over-tls-sunset-dnssec/
  https://labs.ripe.net/Members/willem_toorop/sunrise-dns-over-tls-sunset-dnssec

-- Benno

-- 
Benno J. Overeinder
NLnet Labs
https://www.nlnetlabs.nl/


From nobody Wed Feb 13 04:30:38 2019
Return-Path: <vittorio.bertola@open-xchange.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7F60B12DDA3 for <dnsop@ietfa.amsl.com>; Wed, 13 Feb 2019 04:30:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.3
X-Spam-Level: 
X-Spam-Status: No, score=-4.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=open-xchange.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KUmqVx_Sz4AG for <dnsop@ietfa.amsl.com>; Wed, 13 Feb 2019 04:30:35 -0800 (PST)
Received: from mx4.open-xchange.com (alcatraz.open-xchange.com [87.191.39.187]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 06E16128CB7 for <dnsop@ietf.org>; Wed, 13 Feb 2019 04:30:35 -0800 (PST)
Received: from open-xchange.com (imap.open-xchange.com [10.20.30.10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx4.open-xchange.com (Postfix) with ESMTPS id 854A46A27B; Wed, 13 Feb 2019 13:30:32 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=open-xchange.com; s=201705; t=1550061032; bh=xm/me/VExFucXbp6m/mCfBj4jVIMxdyOgplcHhLq/fo=; h=Date:From:To:Cc:In-Reply-To:References:Subject:From; b=RY85r9hf7g/Bv4efhu9dFuVYZoroRGjIW93IpebASqjrccib7A6UU4FmyHWJrBjvx lxc/ur8nVMldJqPxM6fKuXEHmGj3u4V+ge10+O761XOHgyLRs+m01+UYKT++HnGw9B Ndd0djWP+ODqT/7juumUunOZER009Ql+OyUbs8trJFyJ4UNB1GeE3vNrFS6e8c9oR/ FGU/Sc+wRKqjCl3GatRMelAU/+4Jgy1RKgoKTQCzZtCLCCnQP44Ws7ycxL616ugp+T rTRGv+KF4vESqNzMsYxh7qsg/sxnldsMgslJ0by7wVqOR7JOONQT3kHaou7i+LRd8y nQSnec5/LeYVA==
Received: from appsuite-gw1.open-xchange.com (appsuite-gw1.open-xchange.com [10.20.28.81]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by open-xchange.com (Postfix) with ESMTPSA id 77F8B3C0372; Wed, 13 Feb 2019 13:30:32 +0100 (CET)
Date: Wed, 13 Feb 2019 13:30:32 +0100 (CET)
From: Vittorio Bertola <vittorio.bertola@open-xchange.com>
To: Ted Lemon <mellon@fugue.com>
Cc: dnsop <dnsop@ietf.org>
Message-ID: <883611603.11230.1550061032427@appsuite.open-xchange.com>
In-Reply-To: <3C1FF728-2F31-4884-B7E9-55DF4E15AEB6@fugue.com>
References: <2019021215560470371417@cnnic.cn> <20190212083908.w5cwgtmypkjwmqnd@nic.fr> <ecfdb33d-7925-f762-6788-68b7a659a3d8@redbarn.org> <43FF2435-37C6-43B0-B97C-59D23AD2A9C2@virtualized.org> <873fe3e1-58e4-38a7-eb11-37509f9b7ff4@redbarn.org> <D01BFEEE-746D-4F30-A3CE-497D4AFA8CC5@fugue.com> <7cdbd8a8-2bf4-992e-3197-ca17e7352a5b@redbarn.org> <725FD25D-FCE9-4740-A001-79369AFDEB78@fugue.com> <d1f66089-1e78-15f6-269c-33ced12c2738@redbarn.org> <3C1FF728-2F31-4884-B7E9-55DF4E15AEB6@fugue.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
X-Priority: 3
Importance: Medium
X-Mailer: Open-Xchange Mailer v7.10.1-Rev7
X-Originating-Client: open-xchange-appsuite
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/gymlY46gkDUkrHlxo859IejPua0>
Subject: Re: [DNSOP] extension of DoH to authoritative servers
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Feb 2019 12:30:36 -0000

> On 12 February 2019 at 22:00 Ted Lemon <mellon@fugue.com> wrote:
>
> What I am trying to point out is that the situation with DoH is a symptom of the problem you are not talking about, not the only instance of it.
> You seem to be asserting that DoH is special among all other misuses of port 443.   But you haven't explained why it is special.   This is what I was trying to tease out with my initial response to what you said.

Well, DoH has a couple of very special features:

- it affects name resolution, which is the initial step for almost everything you do over the Internet;

- apparently, it will be deployed by default to the entire mankind or so.

It is quite different than some smart users or some specific applications using HTTPS (or VPNs) to bypass the local network operator and/or the local jurisdiction. In technical terms it might not be different, but in business, policy and political terms this makes all the difference.

Ciao,
 --
Vittorio Bertola | Head of Policy & Innovation, Open-Xchange
vittorio.bertola@open-xchange.com
Office @ Via Treviso 12, 10144 Torino, Italy


From nobody Wed Feb 13 05:37:56 2019
Return-Path: <vladimir.cunat+ietf@nic.cz>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 905B2128CE4 for <dnsop@ietfa.amsl.com>; Wed, 13 Feb 2019 05:37:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.02
X-Spam-Level: 
X-Spam-Status: No, score=-6.02 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FROM_EXCESS_BASE64=0.979, RCVD_IN_DNSWL_HI=-5, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nic.cz
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GKXwTxfBONIU for <dnsop@ietfa.amsl.com>; Wed, 13 Feb 2019 05:37:37 -0800 (PST)
Received: from mail.nic.cz (mail.nic.cz [IPv6:2001:1488:800:400::400]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8CD6112D826 for <dnsop@ietf.org>; Wed, 13 Feb 2019 05:37:36 -0800 (PST)
Received: from [IPv6:2001:1488:fffe:6:4e0:e5ff:fea1:dd71] (unknown [IPv6:2001:1488:fffe:6:4e0:e5ff:fea1:dd71]) by mail.nic.cz (Postfix) with ESMTPSA id A1D0C63300; Wed, 13 Feb 2019 14:37:34 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=nic.cz; s=default; t=1550065054; bh=8+VGiLsQRmpZbmA0tRlFJsXIa0MqpKSvqTIsclTZTTI=; h=To:From:Date; b=EUb4FfrkfvgSD14fPpoxHPsOsbdBnIQfk1/tPDI2DxK+1Pq0qV9vpJXH6VEeAlIAG ZsxNLWwK6zAuKh6NbNr/q6qhZq3GV3pZ5ekti4UDkvryP7JZZO90EJYAMUVIcJf8vX HCZQj8YUGvKE7ZhJGGLkJe0/6OSU6DoqXQ6z5f40=
To: "zuopeng@cnnic.cn" <zuopeng@cnnic.cn>
References: <2019021215560470371417@cnnic.cn> <20190212083908.w5cwgtmypkjwmqnd@nic.fr> <201902131408197979867@cnnic.cn>
Cc: dnsop <dnsop@ietf.org>
From: Vladimír Čunát <vladimir.cunat+ietf@nic.cz>
Openpgp: preference=signencrypt
Message-ID: <d992c962-f3c6-c511-975a-0ac62e2c72f5@nic.cz>
Date: Wed, 13 Feb 2019 14:37:34 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.3.3
MIME-Version: 1.0
In-Reply-To: <201902131408197979867@cnnic.cn>
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 8bit
Content-Language: cs
X-Virus-Scanned: clamav-milter 0.99.2 at mail
X-Virus-Status: Clean
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/KwM7FqrD7qZwF6-lx6giHB0-sXY>
Subject: Re: [DNSOP] extension of DoH to authoritative servers
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Feb 2019 13:37:41 -0000

On 2/13/19 7:08 AM, zuopeng@cnnic.cn wrote:
> I prefer DoH because it can identify a server we are talking to and
> the content is encrypted.

These two points are the same with DoT.  (encryption and SNI)



From nobody Wed Feb 13 05:43:14 2019
Return-Path: <stephane@sources.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4584412D826 for <dnsop@ietfa.amsl.com>; Wed, 13 Feb 2019 05:43:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level: 
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pEWhEs6Agkz5 for <dnsop@ietfa.amsl.com>; Wed, 13 Feb 2019 05:43:09 -0800 (PST)
Received: from ayla.bortzmeyer.org (ayla.bortzmeyer.org [IPv6:2001:4b98:dc0:41:216:3eff:fe27:3d3f]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9C0D2128CE4 for <dnsop@ietf.org>; Wed, 13 Feb 2019 05:43:09 -0800 (PST)
Received: by ayla.bortzmeyer.org (Postfix, from userid 10) id 83D8EA06BF; Wed, 13 Feb 2019 14:43:06 +0100 (CET)
Received: by mail.sources.org (Postfix, from userid 1000) id 3580B190673; Wed, 13 Feb 2019 14:42:30 +0100 (CET)
Date: Wed, 13 Feb 2019 14:42:30 +0100
From: Stephane Bortzmeyer <bortzmeyer@nic.fr>
To: "zuopeng@cnnic.cn" <zuopeng@cnnic.cn>
Cc: Stephane Bortzmeyer <bortzmeyer@nic.fr>, dnsop <dnsop@ietf.org>
Message-ID: <20190213134230.nedp6ojjaoak7jld@sources.org>
References: <2019021215560470371417@cnnic.cn> <20190212083908.w5cwgtmypkjwmqnd@nic.fr> <201902131408197979867@cnnic.cn>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <201902131408197979867@cnnic.cn>
X-Transport: UUCP rules
X-Operating-System: Debian GNU/Linux 9.6
X-Charlie: Je suis Charlie
User-Agent: NeoMutt/20170113 (1.7.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/3Edl00pVo-hVQjlDUM2Z3nGlgj8>
Subject: Re: [DNSOP] extension of DoH to authoritative servers
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Feb 2019 13:43:12 -0000

On Wed, Feb 13, 2019 at 02:08:19PM +0800,
 zuopeng@cnnic.cn <zuopeng@cnnic.cn> wrote 
 a message of 58 lines which said:

> I prefer DoH because it can identify a server we are talking to and the content is encrypted.

To learn about DoT, I suggest you read RFC 7858.


From nobody Wed Feb 13 05:48:10 2019
Return-Path: <stephane@sources.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A433712D861 for <dnsop@ietfa.amsl.com>; Wed, 13 Feb 2019 05:48:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level: 
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pmJesgkKRiPz for <dnsop@ietfa.amsl.com>; Wed, 13 Feb 2019 05:48:08 -0800 (PST)
Received: from ayla.bortzmeyer.org (ayla.bortzmeyer.org [IPv6:2001:4b98:dc0:41:216:3eff:fe27:3d3f]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 481E112DDA3 for <dnsop@ietf.org>; Wed, 13 Feb 2019 05:48:08 -0800 (PST)
Received: by ayla.bortzmeyer.org (Postfix, from userid 10) id C34B8A06BF; Wed, 13 Feb 2019 14:48:06 +0100 (CET)
Received: by mail.sources.org (Postfix, from userid 1000) id DD19E190673; Wed, 13 Feb 2019 14:44:08 +0100 (CET)
Date: Wed, 13 Feb 2019 14:44:08 +0100
From: Stephane Bortzmeyer <bortzmeyer@nic.fr>
To: "zuopeng@cnnic.cn" <zuopeng@cnnic.cn>
Cc: Paul Wouters <paul@nohats.ca>, dnsop <dnsop@ietf.org>
Message-ID: <20190213134408.ri5iy42q7u7h37ui@sources.org>
References: <2019021215560470371417@cnnic.cn> <alpine.LRH.2.21.1902120846480.18026@bofh.nohats.ca> <201902131403257357123@cnnic.cn>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <201902131403257357123@cnnic.cn>
X-Transport: UUCP rules
X-Operating-System: Debian GNU/Linux 9.6
X-Charlie: Je suis Charlie
User-Agent: NeoMutt/20170113 (1.7.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/TyKJOsd14JgmlDumlTSIZNbPMYE>
Subject: Re: [DNSOP] extension of DoH to authoritative servers
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Feb 2019 13:48:10 -0000

On Wed, Feb 13, 2019 at 02:03:26PM +0800,
 zuopeng@cnnic.cn <zuopeng@cnnic.cn> wrote 
 a message of 103 lines which said:

> that's true. but in my view, if the trust chain is built, we can
> ensure a resolver (or a cache) is always talking to an identified
> server and the channel is always secure, then the content could not
> be tampered.

Several emails already mentioned cases where it is not true (relaying
through a forwarder - transitive trust is hard - or secondary name
servers managed by a different organisation - a common use case).
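
The distinction drawn in this thread between channel security (DoT/DoH) and content security (DNSSEC), applied to the forwarder and third-party-secondary cases mentioned above, as an added example that is not part of any message in the thread. It is a constructed model, not real wire formats: a per-hop HMAC key stands in for an authenticated TLS session, a Lamport one-time signature stands in for a DNSSEC RRSIG, and every name and record in it is an assumption.

```python
# Added illustration: a constructed model, not DoH/DoT/DNSSEC wire formats.
#  - Channel: pairwise HMAC-SHA256 key between adjacent hops, a stand-in for
#    an authenticated TLS session (DoT or DoH).
#  - Object signature: Lamport one-time signature made by the zone owner, a
#    stand-in for a DNSSEC RRSIG, chosen only because it needs nothing beyond
#    hashlib. A Lamport key must sign a single message.
import hashlib
import hmac
import secrets

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def lamport_keygen():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk

def _digest_bits(msg: bytes):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def lamport_sign(sk, msg: bytes):
    # Reveal one secret preimage per bit of the message digest.
    return [sk[i][bit] for i, bit in enumerate(_digest_bits(msg))]

def lamport_verify(pk, msg: bytes, sig) -> bool:
    bits = _digest_bits(msg)
    if len(sig) != len(bits):
        return False
    return all(hmac.compare_digest(H(s), pk[i][bit])
               for i, (bit, s) in enumerate(zip(bits, sig)))

class Channel:
    """One authenticated hop. Protects bytes in transit between its two ends."""
    def __init__(self):
        self.key = secrets.token_bytes(32)

    def send(self, payload: bytes):
        return payload, hmac.new(self.key, payload, "sha256").digest()

    def receive(self, payload: bytes, tag: bytes) -> bytes:
        expected = hmac.new(self.key, payload, "sha256").digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("channel authentication failed")
        return payload

def encode(record: bytes, sig) -> bytes:
    return len(record).to_bytes(2, "big") + record + b"".join(sig)

def decode(blob: bytes):
    n = int.from_bytes(blob[:2], "big")
    record, rest = blob[2:2 + n], blob[2 + n:]
    return record, [rest[i:i + 32] for i in range(0, len(rest), 32)]

GENUINE = b"www.example. 300 IN A 192.0.2.10"    # constructed record
FORGED = b"www.example. 300 IN A 203.0.113.66"   # what a bad middle hop returns

def lookup(signed_blob: bytes, zone_pk, middle_hop_tampers: bool, validate: bool):
    """authoritative -> middle hop -> resolver, each hop on its own channel.

    The middle hop models a forwarder or a secondary run by another
    organisation. Returns the record the resolver accepts, or None if the
    resolver rejects the answer.
    """
    upstream, downstream = Channel(), Channel()
    blob = upstream.receive(*upstream.send(signed_blob))
    if middle_hop_tampers:
        _, sig = decode(blob)
        blob = encode(FORGED, sig)   # it cannot re-sign: it has no zone key
    # The middle hop is a legitimate endpoint of `downstream`, so its MAC is
    # valid and the resolver's channel check passes either way.
    blob = downstream.receive(*downstream.send(blob))
    record, sig = decode(blob)
    if validate and not lamport_verify(zone_pk, record, sig):
        return None
    return record

def on_path_modification_detected() -> bool:
    """What the channel does catch: bytes changed between its two endpoints."""
    ch = Channel()
    _, tag = ch.send(GENUINE)
    try:
        ch.receive(FORGED, tag)
    except ValueError:
        return True
    return False

def demo():
    sk, pk = lamport_keygen()
    blob = encode(GENUINE, lamport_sign(sk, GENUINE))
    return {
        "honest path, validating": lookup(blob, pk, False, True),
        "tampering hop, channel only": lookup(blob, pk, True, False),
        "tampering hop, validating": lookup(blob, pk, True, True),
        "on-path change caught by channel": on_path_modification_detected(),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

With channel checks alone the resolver accepts the forged record, because the hop that altered it is an authenticated peer; only the signature made by the zone owner exposes the change.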


From nobody Wed Feb 13 06:23:12 2019
Return-Path: <stephane@sources.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6A26B12D861 for <dnsop@ietfa.amsl.com>; Wed, 13 Feb 2019 06:23:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level: 
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id O_FZPTU2yMst for <dnsop@ietfa.amsl.com>; Wed, 13 Feb 2019 06:23:09 -0800 (PST)
Received: from ayla.bortzmeyer.org (ayla.bortzmeyer.org [92.243.4.211]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7AEBA129441 for <dnsop@ietf.org>; Wed, 13 Feb 2019 06:23:09 -0800 (PST)
Received: by ayla.bortzmeyer.org (Postfix, from userid 10) id E4C1EA06BF; Wed, 13 Feb 2019 15:23:06 +0100 (CET)
Received: by mail.sources.org (Postfix, from userid 1000) id 46C6A190673; Wed, 13 Feb 2019 15:19:13 +0100 (CET)
Date: Wed, 13 Feb 2019 15:19:13 +0100
From: Stephane Bortzmeyer <bortzmeyer@nic.fr>
To: David Conrad <drc@virtualized.org>
Cc: Paul Vixie <paul@redbarn.org>, dnsop <dnsop@ietf.org>
Message-ID: <20190213141913.ljdzgywlfn7gwo7g@sources.org>
References: <2019021215560470371417@cnnic.cn> <20190212083908.w5cwgtmypkjwmqnd@nic.fr> <ecfdb33d-7925-f762-6788-68b7a659a3d8@redbarn.org> <43FF2435-37C6-43B0-B97C-59D23AD2A9C2@virtualized.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <43FF2435-37C6-43B0-B97C-59D23AD2A9C2@virtualized.org>
X-Transport: UUCP rules
X-Operating-System: Debian GNU/Linux 9.6
X-Charlie: Je suis Charlie
User-Agent: NeoMutt/20170113 (1.7.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/8hgVyMwadGxnxPhiZ4S1PLNm6WQ>
Subject: Re: [DNSOP] extension of DoH to authoritative servers
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Feb 2019 14:23:11 -0000

On Tue, Feb 12, 2019 at 10:14:19AM -0800,
 David Conrad <drc@virtualized.org> wrote 
 a message of 100 lines which said:

> Why don't you force folks on your network to install a certificate
> that would allow you to inspect TCP/443 outbound traffic?

There are probably many connected things where this is not
possible. But I don't think blocking DNS resolution (through DoT
blocking or DoH bashing) would help: malware learned a long time ago
how to work even in the most hostile (for them) environment, so
connected things will learn to do the same, in the same way that they
use STUN, TURN and other tricks to work around NAT.

So, I don't think Paul Vixie's plan will work: either you connect only
trusted devices to your network, or you block all outbound traffic for
nodes that must stay local (a thermometer or a camera MUST NOT talk to
the outside world at all).

(And, yes, I know, that today's connected devices talk a lot to remote
nodes. But it is evil.)





From nobody Wed Feb 13 06:23:21 2019
Return-Path: <stephane@sources.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D360A129441 for <dnsop@ietfa.amsl.com>; Wed, 13 Feb 2019 06:23:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level: 
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AnEpzarJcUHA for <dnsop@ietfa.amsl.com>; Wed, 13 Feb 2019 06:23:09 -0800 (PST)
Received: from ayla.bortzmeyer.org (ayla.bortzmeyer.org [IPv6:2001:4b98:dc0:41:216:3eff:fe27:3d3f]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1CEBE128D0B for <dnsop@ietf.org>; Wed, 13 Feb 2019 06:23:09 -0800 (PST)
Received: by ayla.bortzmeyer.org (Postfix, from userid 10) id EA2B1A05BC; Wed, 13 Feb 2019 15:23:06 +0100 (CET)
Received: by mail.sources.org (Postfix, from userid 1000) id 55D58190673; Wed, 13 Feb 2019 15:22:56 +0100 (CET)
Date: Wed, 13 Feb 2019 15:22:56 +0100
From: Stephane Bortzmeyer <bortzmeyer@nic.fr>
To: Paul Vixie <paul@redbarn.org>
Cc: David Conrad <drc@virtualized.org>, dnsop <dnsop@ietf.org>
Message-ID: <20190213142256.sykoxpgf2gjjhnw3@sources.org>
References: <2019021215560470371417@cnnic.cn> <20190212083908.w5cwgtmypkjwmqnd@nic.fr> <ecfdb33d-7925-f762-6788-68b7a659a3d8@redbarn.org> <43FF2435-37C6-43B0-B97C-59D23AD2A9C2@virtualized.org> <873fe3e1-58e4-38a7-eb11-37509f9b7ff4@redbarn.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <873fe3e1-58e4-38a7-eb11-37509f9b7ff4@redbarn.org>
X-Transport: UUCP rules
X-Operating-System: Debian GNU/Linux 9.6
X-Charlie: Je suis Charlie
User-Agent: NeoMutt/20170113 (1.7.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/DUs8Zm3e8KJs6fRh5uoJC7t0ua0>
Subject: Re: [DNSOP] extension of DoH to authoritative servers
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Feb 2019 14:23:13 -0000

On Tue, Feb 12, 2019 at 10:34:19AM -0800,
 Paul Vixie <paul@redbarn.org> wrote 
 a message of 15 lines which said:

> > How can you be sure folks on your network aren’t already tunneling
> > their evil deeds through HTTPS?
> 
> netflow. such traffic _looks_ abnormal.
> 
> the deliberate design premise of DoH is that it look normal.

If TLS does its job, how can you tell the difference between DoH and
EvilNonStandardNameResolutionProtocolRunningOverTLS?

There is some metadata that can help (such as sizes and timing) but
the IETF continues to develop tricks like padding to make them as
inefficient as possible.

I would really like to know how you could detect
EvilNonStandardNameResolutionProtocolRunningOverTLS but not DoH?




From nobody Wed Feb 13 06:33:12 2019
Return-Path: <stephane@sources.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4149A129441 for <dnsop@ietfa.amsl.com>; Wed, 13 Feb 2019 06:33:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level: 
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 48yIvD4NOwzt for <dnsop@ietfa.amsl.com>; Wed, 13 Feb 2019 06:33:08 -0800 (PST)
Received: from ayla.bortzmeyer.org (ayla.bortzmeyer.org [92.243.4.211]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9EC07128D0B for <dnsop@ietf.org>; Wed, 13 Feb 2019 06:33:08 -0800 (PST)
Received: by ayla.bortzmeyer.org (Postfix, from userid 10) id 77273A06BF; Wed, 13 Feb 2019 15:33:06 +0100 (CET)
Received: by mail.sources.org (Postfix, from userid 1000) id 057E2190673; Wed, 13 Feb 2019 15:28:51 +0100 (CET)
Date: Wed, 13 Feb 2019 15:28:51 +0100
From: Stephane Bortzmeyer <bortzmeyer@nic.fr>
To: Paul Vixie <paul@redbarn.org>
Cc: Ted Lemon <mellon@fugue.com>, dnsop <dnsop@ietf.org>, David Conrad <drc@virtualized.org>
Message-ID: <20190213142851.rh2xv66zzdu6voco@sources.org>
References: <20190212083908.w5cwgtmypkjwmqnd@nic.fr> <ecfdb33d-7925-f762-6788-68b7a659a3d8@redbarn.org> <43FF2435-37C6-43B0-B97C-59D23AD2A9C2@virtualized.org> <873fe3e1-58e4-38a7-eb11-37509f9b7ff4@redbarn.org> <D01BFEEE-746D-4F30-A3CE-497D4AFA8CC5@fugue.com> <7cdbd8a8-2bf4-992e-3197-ca17e7352a5b@redbarn.org> <725FD25D-FCE9-4740-A001-79369AFDEB78@fugue.com> <d1f66089-1e78-15f6-269c-33ced12c2738@redbarn.org> <3C1FF728-2F31-4884-B7E9-55DF4E15AEB6@fugue.com> <cb9646e3-676d-c24f-240d-e0c8ed159e88@redbarn.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <cb9646e3-676d-c24f-240d-e0c8ed159e88@redbarn.org>
X-Transport: UUCP rules
X-Operating-System: Debian GNU/Linux 9.6
X-Charlie: Je suis Charlie
User-Agent: NeoMutt/20170113 (1.7.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/gCb4fCi4f4fhciESULO_ePN06tY>
Subject: Re: [DNSOP] extension of DoH to authoritative servers
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Feb 2019 14:33:11 -0000

On Tue, Feb 12, 2019 at 01:48:36PM -0800,
 Paul Vixie <paul@redbarn.org> wrote 
 a message of 46 lines which said:

> increased for political reasons.

There is nothing wrong with political reasons. Mass surveillance is a
political problem (privacy). DNS lies by ISPs are a political problem
(network neutrality). It is perfectly normal that IETF develops stuff
for political reasons. (Has everybody read RFC 8280?)

> google, ibm, cloudflare, cisco, and other so-called "public dns"
> providers will at some point choose whether to offer DoH from shared
> addresses, making those shared addresses into risks that the rest of
> us have to manage differently; or whether to dedicate DoH to well
> known addresses that can be outright blocked.

It seems to be an issue with DoC
<https://blog.powerdns.com/2019/02/07/the-big-dns-privacy-debate-at-fosdem/>,
not really DoH itself.


From nobody Wed Feb 13 06:38:11 2019
Return-Path: <stephane@sources.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 716AF128D0B for <dnsop@ietfa.amsl.com>; Wed, 13 Feb 2019 06:38:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level: 
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GNL8YtRnwSAX for <dnsop@ietfa.amsl.com>; Wed, 13 Feb 2019 06:38:08 -0800 (PST)
Received: from ayla.bortzmeyer.org (ayla.bortzmeyer.org [IPv6:2001:4b98:dc0:41:216:3eff:fe27:3d3f]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EA4EC126C7E for <dnsop@ietf.org>; Wed, 13 Feb 2019 06:38:07 -0800 (PST)
Received: by ayla.bortzmeyer.org (Postfix, from userid 10) id 8C4E4A06BF; Wed, 13 Feb 2019 15:38:06 +0100 (CET)
Received: by mail.sources.org (Postfix, from userid 1000) id E6F6B190673; Wed, 13 Feb 2019 15:34:19 +0100 (CET)
Date: Wed, 13 Feb 2019 15:34:19 +0100
From: Stephane Bortzmeyer <bortzmeyer@nic.fr>
To: Paul Vixie <paul@redbarn.org>
Cc: Ted Lemon <mellon@fugue.com>, dnsop <dnsop@ietf.org>, David Conrad <drc@virtualized.org>
Message-ID: <20190213143419.76hxqxf75oz6iyid@sources.org>
References: <43FF2435-37C6-43B0-B97C-59D23AD2A9C2@virtualized.org> <873fe3e1-58e4-38a7-eb11-37509f9b7ff4@redbarn.org> <D01BFEEE-746D-4F30-A3CE-497D4AFA8CC5@fugue.com> <7cdbd8a8-2bf4-992e-3197-ca17e7352a5b@redbarn.org> <725FD25D-FCE9-4740-A001-79369AFDEB78@fugue.com> <d1f66089-1e78-15f6-269c-33ced12c2738@redbarn.org> <3C1FF728-2F31-4884-B7E9-55DF4E15AEB6@fugue.com> <cb9646e3-676d-c24f-240d-e0c8ed159e88@redbarn.org> <4C2F9639-6C22-4FB7-840B-0318B40C2193@fugue.com> <9e56da22-4fb5-1c68-3bfc-85283b0e8480@redbarn.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <9e56da22-4fb5-1c68-3bfc-85283b0e8480@redbarn.org>
X-Transport: UUCP rules
X-Operating-System: Debian GNU/Linux 9.6
X-Charlie: Je suis Charlie
User-Agent: NeoMutt/20170113 (1.7.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/DtISPSjJGkzmhICWi5d9fkFsxkI>
Subject: Re: [DNSOP] extension of DoH to authoritative servers
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Feb 2019 14:38:09 -0000

On Tue, Feb 12, 2019 at 02:18:39PM -0800,
 Paul Vixie <paul@redbarn.org> wrote 
 a message of 20 lines which said:

> > Right.  So what’s to stop other malicious traffic from doing the
> > same thing?
> 
> lack of an IETF-approved standard with planned implementation by a
> half dozen tech giants, means that other malicious traffic will not
> be able to hide in the crowd, and can be made subject to policy, and
> complaints.

An IETF standard makes things easier for the implementer and increases
the chances of success (that's why we develop standards, after all)
but it is not the only way to "massive deployment including half dozen
tech giants". So, not having DoH would not stop evil name resolution.

> i want DoT to be used instead,

Then petition the many hotspots, hotels, cafes, corporations, etc,
that block everything but 443. It is because of them that we need DoH,
not just DoT.


From nobody Wed Feb 13 06:38:18 2019
Return-Path: <stephane@sources.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DD044126C7E for <dnsop@ietfa.amsl.com>; Wed, 13 Feb 2019 06:38:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level: 
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rV4Qjr60kiDq for <dnsop@ietfa.amsl.com>; Wed, 13 Feb 2019 06:38:08 -0800 (PST)
Received: from ayla.bortzmeyer.org (ayla.bortzmeyer.org [IPv6:2001:4b98:dc0:41:216:3eff:fe27:3d3f]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EE3321274D0 for <dnsop@ietf.org>; Wed, 13 Feb 2019 06:38:07 -0800 (PST)
Received: by ayla.bortzmeyer.org (Postfix, from userid 10) id 92E0CA0435; Wed, 13 Feb 2019 15:38:06 +0100 (CET)
Received: by mail.sources.org (Postfix, from userid 1000) id 189F7190673; Wed, 13 Feb 2019 15:36:31 +0100 (CET)
Date: Wed, 13 Feb 2019 15:36:31 +0100
From: Stephane Bortzmeyer <bortzmeyer@nic.fr>
To: Paul Vixie <paul@redbarn.org>
Cc: Ted Lemon <mellon@fugue.com>, dnsop <dnsop@ietf.org>, David Conrad <drc@virtualized.org>
Message-ID: <20190213143630.alcdh5hw5pbsrthb@sources.org>
References: <D01BFEEE-746D-4F30-A3CE-497D4AFA8CC5@fugue.com> <7cdbd8a8-2bf4-992e-3197-ca17e7352a5b@redbarn.org> <725FD25D-FCE9-4740-A001-79369AFDEB78@fugue.com> <d1f66089-1e78-15f6-269c-33ced12c2738@redbarn.org> <3C1FF728-2F31-4884-B7E9-55DF4E15AEB6@fugue.com> <cb9646e3-676d-c24f-240d-e0c8ed159e88@redbarn.org> <4C2F9639-6C22-4FB7-840B-0318B40C2193@fugue.com> <9e56da22-4fb5-1c68-3bfc-85283b0e8480@redbarn.org> <97C2ED2B-9086-4E3B-98FB-116E95281030@fugue.com> <7c9f1f7f-5617-08f8-ba35-54cbc59f09c4@redbarn.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <7c9f1f7f-5617-08f8-ba35-54cbc59f09c4@redbarn.org>
X-Transport: UUCP rules
X-Operating-System: Debian GNU/Linux 9.6
X-Charlie: Je suis Charlie
User-Agent: NeoMutt/20170113 (1.7.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/B_r5sIDimamphQ75FXh6o9lRKbQ>
Subject: Re: [DNSOP] extension of DoH to authoritative servers
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Feb 2019 14:38:11 -0000

On Tue, Feb 12, 2019 at 02:45:54PM -0800,
 Paul Vixie <paul@redbarn.org> wrote 
 a message of 21 lines which said:

> i remember a time when the IAB would have said "no" to an internet
> standard which mandated deliberate loss of control by network
> operators.

Given the many attacks against network neutrality, it seems
reasonable to me to develop techniques that make these attacks less
easy.


From nobody Wed Feb 13 06:43:12 2019
Return-Path: <stephane@sources.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7D46A1274D0 for <dnsop@ietfa.amsl.com>; Wed, 13 Feb 2019 06:43:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level: 
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aCoT3r7UbU-s for <dnsop@ietfa.amsl.com>; Wed, 13 Feb 2019 06:43:09 -0800 (PST)
Received: from ayla.bortzmeyer.org (ayla.bortzmeyer.org [IPv6:2001:4b98:dc0:41:216:3eff:fe27:3d3f]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 47C87126C7E for <dnsop@ietf.org>; Wed, 13 Feb 2019 06:43:09 -0800 (PST)
Received: by ayla.bortzmeyer.org (Postfix, from userid 10) id B0C32A06BF; Wed, 13 Feb 2019 15:43:06 +0100 (CET)
Received: by mail.sources.org (Postfix, from userid 1000) id A00AB190673; Wed, 13 Feb 2019 15:40:53 +0100 (CET)
Date: Wed, 13 Feb 2019 15:40:53 +0100
From: Stephane Bortzmeyer <bortzmeyer@nic.fr>
To: Paul Vixie <paul@redbarn.org>
Cc: David Conrad <drc@virtualized.org>, dnsop <dnsop@ietf.org>
Message-ID: <20190213144053.aiytli5dlrhdstjn@sources.org>
References: <725FD25D-FCE9-4740-A001-79369AFDEB78@fugue.com> <d1f66089-1e78-15f6-269c-33ced12c2738@redbarn.org> <3C1FF728-2F31-4884-B7E9-55DF4E15AEB6@fugue.com> <cb9646e3-676d-c24f-240d-e0c8ed159e88@redbarn.org> <4C2F9639-6C22-4FB7-840B-0318B40C2193@fugue.com> <9e56da22-4fb5-1c68-3bfc-85283b0e8480@redbarn.org> <E2ABD9DC-668E-44BA-AB09-367C7B16C716@virtualized.org> <fa4a2570-f8bc-2694-1a27-f2795515520b@redbarn.org> <8B58EEF9-2669-47E3-B3D4-7993A1118C8C@virtualized.org> <9e559ef1-7bb9-f53c-1543-fac92133bdac@redbarn.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <9e559ef1-7bb9-f53c-1543-fac92133bdac@redbarn.org>
X-Transport: UUCP rules
X-Operating-System: Debian GNU/Linux 9.6
X-Charlie: Je suis Charlie
User-Agent: NeoMutt/20170113 (1.7.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/VgHP934N1tx_TRX0l-m_V6looRI>
Subject: Re: [DNSOP] extension of DoH to authoritative servers
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Feb 2019 14:43:10 -0000

On Tue, Feb 12, 2019 at 03:32:37PM -0800,
 Paul Vixie <paul@redbarn.org> wrote 
 a message of 75 lines which said:

> by putting that text in and leaving it in, this becomes a political
> project not a technical one.

Everything we do is political, the Internet itself is a political
project. Thinking that communication is a good thing is political.

> as it happens, nothing stops a web browser or other such client from
> using DoT, and it's possible that the right answer was to say, DoT
> will answer every technical need that this RFC describes, but none
> of its political needs, and we don't want to be in the politics
> business.

DoT will be blocked in many networks, not DoH. That's why we need
both. DoT is technically better, DoH is more realistic in many
environments.

This choice is hardly limited to DNS. It is partly for the same reason
that we have whois and RDAP.


From nobody Wed Feb 13 08:19:59 2019
Return-Path: <bortzmeyer@nic.fr>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1569D126F72; Wed, 13 Feb 2019 08:19:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.9
X-Spam-Level: 
X-Spam-Status: No, score=-6.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OTAuf4I8bxo0; Wed, 13 Feb 2019 08:19:55 -0800 (PST)
Received: from mx4.nic.fr (mx4.nic.fr [IPv6:2001:67c:2218:2::4:12]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8977A1200B3; Wed, 13 Feb 2019 08:19:52 -0800 (PST)
Received: from mx4.nic.fr (localhost [127.0.0.1]) by mx4.nic.fr (Postfix) with SMTP id 6C9D7280162; Wed, 13 Feb 2019 17:19:50 +0100 (CET)
Received: by mx4.nic.fr (Postfix, from userid 500) id 66A6B28032D; Wed, 13 Feb 2019 17:19:50 +0100 (CET)
Received: from relay01.prive.nic.fr (relay01.prive.nic.fr [IPv6:2001:67c:2218:15::11]) by mx4.nic.fr (Postfix) with ESMTP id 5F525280162; Wed, 13 Feb 2019 17:19:50 +0100 (CET)
Received: from b12.nic.fr (b12.tech.ipv6.nic.fr [IPv6:2001:67c:1348:7::86:133]) by relay01.prive.nic.fr (Postfix) with ESMTP id 5C212642BE40; Wed, 13 Feb 2019 17:19:50 +0100 (CET)
Received: by b12.nic.fr (Postfix, from userid 1000) id 5540640268; Wed, 13 Feb 2019 17:19:50 +0100 (CET)
Date: Wed, 13 Feb 2019 17:19:50 +0100
From: Stephane Bortzmeyer <bortzmeyer@nic.fr>
To: draft-schaller-dnsop-lnp@ietf.org
Cc: dnsop@ietf.org
Message-ID: <20190213161950.bpduwbquecb5u66k@nic.fr>
References: <155005360069.9465.5386337361412218372@ietfa.amsl.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <155005360069.9465.5386337361412218372@ietfa.amsl.com>
X-Operating-System: Debian GNU/Linux 9.7
X-Kernel: Linux 4.9.0-8-amd64 x86_64
X-Charlie: Je suis Charlie
Organization: NIC France
X-URL: http://www.nic.fr/
User-Agent: NeoMutt/20170113 (1.7.2)
X-Bogosity: No, tests=bogofilter, spamicity=0.000001, version=1.2.2
X-PMX-Version: 6.0.0.2142326, Antispam-Engine: 2.7.2.2107409, Antispam-Data: 2019.2.13.160618
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/JDSkFft36e3LaDfINE4DXtto8Uk>
Subject: Re: [DNSOP] I-D Action: draft-schaller-dnsop-lnp-00.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Feb 2019 16:19:58 -0000

On Wed, Feb 13, 2019 at 02:26:40AM -0800,
 internet-drafts@ietf.org <internet-drafts@ietf.org> wrote 
 a message of 47 lines which said:

>         Title           : Local Naming Protocol -- LNP (v.1.0)
>         Author          : Christian Schaller
>         Filename        : draft-schaller-dnsop-lnp-00.txt

You do not explain why you created this protocol when mDNS (RFC 6762)
and LLMNR (RFC 4795) exist. Without this explanation, we cannot see
the point of your protocol.


From nobody Wed Feb 13 08:30:20 2019
Return-Path: <drc@virtualized.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 065BF124BAA for <dnsop@ietfa.amsl.com>; Wed, 13 Feb 2019 08:30:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=virtualized-org.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3TzJ0FcMvLYh for <dnsop@ietfa.amsl.com>; Wed, 13 Feb 2019 08:30:17 -0800 (PST)
Received: from mail-pf1-x430.google.com (mail-pf1-x430.google.com [IPv6:2607:f8b0:4864:20::430]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B58001271FF for <dnsop@ietf.org>; Wed, 13 Feb 2019 08:30:16 -0800 (PST)
Received: by mail-pf1-x430.google.com with SMTP id n74so1364794pfi.9 for <dnsop@ietf.org>; Wed, 13 Feb 2019 08:30:16 -0800 (PST)
X-Received: by 2002:a63:698a:: with SMTP id e132mr1232369pgc.136.1550075416183;  Wed, 13 Feb 2019 08:30:16 -0800 (PST)
Received: from ?IPv6:2600:380:b478:5fb7:a534:bd57:8409:e522? ([2600:380:b478:5fb7:a534:bd57:8409:e522]) by smtp.gmail.com with ESMTPSA id e128sm24724532pfe.67.2019.02.13.08.30.14 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 13 Feb 2019 08:30:15 -0800 (PST)
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
Content-Type: multipart/signed; boundary="Apple-Mail=_66CD7318-68B3-4F46-83CD-5078BDB8BAB2"; protocol="application/pgp-signature"; micalg=pgp-sha512
From: David Conrad <drc@virtualized.org>
X-Priority: 3
In-Reply-To: <201902131403257357123@cnnic.cn>
Date: Wed, 13 Feb 2019 08:30:11 -0800
Cc: dnsop <dnsop@ietf.org>
X-Mailbutler-Message-Id: 6E058640-B665-45E2-B621-B467625F90E2
Message-Id: <0CFDF54E-E57F-4500-8285-96A5EB035E9A@virtualized.org>
References: <2019021215560470371417@cnnic.cn> <alpine.LRH.2.21.1902120846480.18026@bofh.nohats.ca> <201902131403257357123@cnnic.cn>
To: zuopeng@cnnic.cn
X-Mailer: Apple Mail (2.3445.102.3)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/bakNds3G1vxy6AE5-Nd4RqQ1S54>
Subject: Re: [DNSOP] extension of DoH to authoritative servers
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Feb 2019 16:30:19 -0000

--Apple-Mail=_66CD7318-68B3-4F46-83CD-5078BDB8BAB2
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=us-ascii

On Feb 12, 2019, at 10:03 PM, zuopeng@cnnic.cn wrote:
> that's true. but in my view, if the trust chain is built, we can
> ensure a resolver (or a cache) is always talking to an identified
> server and the channel is always secure, then the content could not
> be tampered with.

Your model of how the DNS actually works is too simplistic.

Regards,
-drc


--Apple-Mail=_66CD7318-68B3-4F46-83CD-5078BDB8BAB2--


From nobody Wed Feb 13 11:29:32 2019
Return-Path: <iesg-secretary@ietf.org>
X-Original-To: dnsop@ietf.org
Delivered-To: dnsop@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 3AC8F1200D7; Wed, 13 Feb 2019 11:29:30 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: The IESG <iesg-secretary@ietf.org>
To: "IETF-Announce" <ietf-announce@ietf.org>
X-Test-IDTracker: no
X-IETF-IDTracker: 6.91.0
Auto-Submitted: auto-generated
Precedence: bulk
CC: tjw.ietf@gmail.com, dnsop-chairs@ietf.org, dnsop@ietf.org, Tim Wicinski <tjw.ietf@gmail.com>, draft-ietf-dnsop-algorithm-update@ietf.org,  warren@kumari.net
Reply-To: ietf@ietf.org
Sender: <iesg-secretary@ietf.org>
Message-ID: <155008617010.9548.7174990317415826094.idtracker@ietfa.amsl.com>
Date: Wed, 13 Feb 2019 11:29:30 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/2_4Ze-hB0GKW5dmNS2cvJmlQ5e4>
Subject: [DNSOP] Last Call: <draft-ietf-dnsop-algorithm-update-05.txt> (Algorithm Implementation Requirements and Usage Guidance for DNSSEC) to Proposed Standard
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Feb 2019 19:29:30 -0000

The IESG has received a request from the Domain Name System Operations WG
(dnsop) to consider the following document: - 'Algorithm Implementation
Requirements and Usage Guidance for DNSSEC'
  <draft-ietf-dnsop-algorithm-update-05.txt> as Proposed Standard

The IESG plans to make a decision in the next few weeks, and solicits final
comments on this action. Please send substantive comments to the
ietf@ietf.org mailing lists by 2019-02-27. Exceptionally, comments may be
sent to iesg@ietf.org instead. In either case, please retain the beginning of
the Subject line to allow automated sorting.

Abstract


   The DNSSEC protocol makes use of various cryptographic algorithms in
   order to provide authentication of DNS data and proof of non-
   existence.  To ensure interoperability between DNS resolvers and DNS
   authoritative servers, it is necessary to specify a set of algorithm
   implementation requirements and usage guidelines to ensure that there
   is at least one algorithm that all implementations support.  This
   document defines the current algorithm implementation requirements
   and usage guidance for DNSSEC.  This document obsoletes [RFC6944].




The file can be obtained via
https://datatracker.ietf.org/doc/draft-ietf-dnsop-algorithm-update/

IESG discussion can be tracked via
https://datatracker.ietf.org/doc/draft-ietf-dnsop-algorithm-update/ballot/


No IPR declarations have been submitted directly on this I-D.





From nobody Wed Feb 13 12:22:58 2019
Return-Path: <paul@redbarn.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D43B1128B01 for <dnsop@ietfa.amsl.com>; Wed, 13 Feb 2019 12:22:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level: 
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cFkLYEYUnXsX for <dnsop@ietfa.amsl.com>; Wed, 13 Feb 2019 12:22:53 -0800 (PST)
Received: from family.redbarn.org (family.redbarn.org [24.104.150.213]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0F2D9128766 for <dnsop@ietf.org>; Wed, 13 Feb 2019 12:22:52 -0800 (PST)
Received: from [IPv6:2001:559:8000:c9:d9dc:d099:1c20:76a8] (unknown [IPv6:2001:559:8000:c9:d9dc:d099:1c20:76a8]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client did not present a certificate) by family.redbarn.org (Postfix) with ESMTPSA id 97FC2892C6 for <dnsop@ietf.org>; Wed, 13 Feb 2019 20:22:51 +0000 (UTC)
To: "dnsop@ietf.org" <dnsop@ietf.org>
From: Paul Vixie <paul@redbarn.org>
Message-ID: <081afd30-6e48-29c6-d4c6-dd1f5efb9747@redbarn.org>
Date: Wed, 13 Feb 2019 12:22:51 -0800
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 PostboxApp/6.1.10
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/WCVv57IizUSjNb2RQNP84fBclI0>
Subject: [DNSOP] my chromecast ultra would not start until i began answering 8.8.8.8
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Feb 2019 20:22:55 -0000

google, this is bogus as hell. my dhcp server gives you dns servers to 
use. please don't make me route and answer 8.8.8.8 just to watch youtube.

> [71] 2019-02-13 16:39:40.548137 [#68 vtnet0 4095] \
>         [24.104.150.186].56915 [8.8.8.8].53  \
>         dns QUERY,NOERROR,7357,rd \
>         1 lh3.googleusercontent.com,IN,A 0 0 0
> [71] 2019-02-13 16:39:40.548210 [#69 vtnet0 4095] \
>         [24.104.150.186].56915 [8.8.8.8].53  \
>         dns QUERY,NOERROR,49247,rd \
>         1 lh3.googleusercontent.com,IN,AAAA 0 0 0

(no, this device i've paid for, will NOT be allowed to send you any 
information, other than what i personally approve, which will never 
include DNS traffic. if you don't like that deal, buy it back from me 
and i'll find some other video appliance that doesn't twist my arm.)

-- 
P Vixie
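
The log excerpt in the message above shows a client querying 8.8.8.8 directly instead of the DHCP-assigned resolver. As an added example (not part of the original post), this Python code parses records in that layout and lists clients that send port-53 queries to any address outside an approved resolver set. The field layout is inferred from the two quoted records; `192.0.2.53`, `192.0.2.10`, the third and fourth sample records, and the function names are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Field layout inferred from the two records quoted in the message:
#   [len] timestamp [#pkt iface vlan] [src].sport [dst].dport
#   dns opcode,rcode,id,flags  qdcount qname,class,type ancount nscount arcount
RECORD_RE = re.compile(
    r"\[\d+\]\s+(?P<ts>\S+ \S+)\s+\[#\d+ \S+ \d+\]\s+"
    r"\[(?P<src>[^\]]+)\]\.(?P<sport>\d+)\s+"
    r"\[(?P<dst>[^\]]+)\]\.(?P<dport>\d+)\s+"
    r"dns (?P<opcode>\w+),(?P<rcode>\w+),(?P<id>\d+),(?P<flags>\S*)\s+"
    r"\d+ (?P<qname>[^,\s]+),(?P<qclass>\w+),(?P<qtype>\w+)"
)

# Constructed sample: the first two records are the ones quoted in the message
# (mail quote prefix kept); the third record, the approved resolver 192.0.2.53
# and the malformed last line are constructed for this example.
SAMPLE_LOG = r"""
> [71] 2019-02-13 16:39:40.548137 [#68 vtnet0 4095] \
>         [24.104.150.186].56915 [8.8.8.8].53  \
>         dns QUERY,NOERROR,7357,rd \
>         1 lh3.googleusercontent.com,IN,A 0 0 0
> [71] 2019-02-13 16:39:40.548210 [#69 vtnet0 4095] \
>         [24.104.150.186].56915 [8.8.8.8].53  \
>         dns QUERY,NOERROR,49247,rd \
>         1 lh3.googleusercontent.com,IN,AAAA 0 0 0
[61] 2019-02-13 16:39:41.000001 [#70 vtnet0 4095] \
        [192.0.2.10].40001 [192.0.2.53].53  \
        dns QUERY,NOERROR,4242,rd \
        1 www.example.com,IN,A 0 0 0
[61] 2019-02-13 16:39:42 truncated record
"""


def join_records(text):
    """Merge backslash-continued (and optionally '>'-quoted) lines into records."""
    records, parts = [], []
    for raw in text.splitlines():
        line = raw.lstrip("> \t").rstrip()
        if not line:
            continue
        if line.endswith("\\"):
            parts.append(line[:-1].strip())
        else:
            parts.append(line)
            records.append(" ".join(parts))
            parts = []
    if parts:  # capture ended mid-record; keep it so it is counted as unparsed
        records.append(" ".join(parts))
    return records


def find_resolver_bypass(text, approved_resolvers):
    """Return ({(client, resolver): [(qname, qtype), ...]}, unparsed_count)
    for port-53 queries sent to addresses outside approved_resolvers."""
    approved = {ipaddress.ip_address(a) for a in approved_resolvers}
    hits = defaultdict(set)
    unparsed = 0
    for record in join_records(text):
        m = RECORD_RE.match(record)
        if m is None:
            unparsed += 1  # never drop malformed input silently
            continue
        try:
            src = ipaddress.ip_address(m["src"])
            dst = ipaddress.ip_address(m["dst"])
        except ValueError:
            unparsed += 1
            continue
        if m["dport"] != "53" or dst in approved:
            continue  # not a query to port 53, or sent to an approved resolver
        qname = m["qname"].rstrip(".").lower()
        hits[(str(src), str(dst))].add((qname, m["qtype"]))
    return {pair: sorted(names) for pair, names in hits.items()}, unparsed


if __name__ == "__main__":
    findings, unparsed = find_resolver_bypass(SAMPLE_LOG, ["192.0.2.53"])
    for (client, resolver), names in sorted(findings.items()):
        queried = ", ".join(f"{n}/{t}" for n, t in names)
        print(f"{client} -> {resolver}: {queried}")
    print(f"unparsed records: {unparsed}")
```

This only sees cleartext DNS on port 53; a device that uses DoT or DoH to a hard-coded resolver will not appear in such a capture.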


From nobody Wed Feb 13 12:39:42 2019
Return-Path: <edmonds@mycre.ws>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5CAC1128B01 for <dnsop@ietfa.amsl.com>; Wed, 13 Feb 2019 12:39:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level: 
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LKIll68Osp7U for <dnsop@ietfa.amsl.com>; Wed, 13 Feb 2019 12:39:38 -0800 (PST)
Received: from mycre.ws (mycre.ws [45.33.102.105]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AFD711200B3 for <dnsop@ietf.org>; Wed, 13 Feb 2019 12:39:38 -0800 (PST)
Received: by chase.mycre.ws (Postfix, from userid 1000) id E34AC12C12DF; Wed, 13 Feb 2019 15:39:36 -0500 (EST)
Date: Wed, 13 Feb 2019 15:39:36 -0500
From: Robert Edmonds <edmonds@mycre.ws>
To: Paul Vixie <paul@redbarn.org>
Cc: "dnsop@ietf.org" <dnsop@ietf.org>
Message-ID: <20190213203936.3ky2nh7i5uswzbmq@mycre.ws>
References: <081afd30-6e48-29c6-d4c6-dd1f5efb9747@redbarn.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <081afd30-6e48-29c6-d4c6-dd1f5efb9747@redbarn.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/dM_P_Ibawk3wUNjbVm6cBgXVsoI>
Subject: Re: [DNSOP] my chromecast ultra would not start until i began answering 8.8.8.8
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Feb 2019 20:39:41 -0000

Paul Vixie wrote:
> google, this is bogus as hell. my dhcp server gives you dns servers to use.
> please don't make me route and answer 8.8.8.8 just to watch youtube.
> 
> > [71] 2019-02-13 16:39:40.548137 [#68 vtnet0 4095] \
> >         [24.104.150.186].56915 [8.8.8.8].53  \
> >         dns QUERY,NOERROR,7357,rd \
> >         1 lh3.googleusercontent.com,IN,A 0 0 0
> > [71] 2019-02-13 16:39:40.548210 [#69 vtnet0 4095] \
> >         [24.104.150.186].56915 [8.8.8.8].53  \
> >         dns QUERY,NOERROR,49247,rd \
> >         1 lh3.googleusercontent.com,IN,AAAA 0 0 0
> 
> (no, this device i've paid for, will NOT be allowed to send you any
> information, other than what i personally approve, which will never include
> DNS traffic. if you don't like that deal, buy it back from me and i'll find
> some other video appliance that doesn't twist my arm.)

Are you looking for https://support.google.com/chromecast/contactflow ?

-- 
Robert Edmonds


From nobody Wed Feb 13 13:14:42 2019
Return-Path: <paul@redbarn.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AB08B130DC0 for <dnsop@ietfa.amsl.com>; Wed, 13 Feb 2019 13:14:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level: 
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jsCIfVL5EqCm for <dnsop@ietfa.amsl.com>; Wed, 13 Feb 2019 13:14:40 -0800 (PST)
Received: from family.redbarn.org (family.redbarn.org [24.104.150.213]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E8EAA12DF71 for <dnsop@ietf.org>; Wed, 13 Feb 2019 13:14:39 -0800 (PST)
Received: from [IPv6:2001:559:8000:c9:d9dc:d099:1c20:76a8] (unknown [IPv6:2001:559:8000:c9:d9dc:d099:1c20:76a8]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client did not present a certificate) by family.redbarn.org (Postfix) with ESMTPSA id BEB31892C6; Wed, 13 Feb 2019 21:14:39 +0000 (UTC)
To: Robert Edmonds <edmonds@mycre.ws>
Cc: "dnsop@ietf.org" <dnsop@ietf.org>
References: <081afd30-6e48-29c6-d4c6-dd1f5efb9747@redbarn.org> <20190213203936.3ky2nh7i5uswzbmq@mycre.ws>
From: Paul Vixie <paul@redbarn.org>
Message-ID: <7c32d8c1-41fe-8aea-ec4c-1c576619233e@redbarn.org>
Date: Wed, 13 Feb 2019 13:14:39 -0800
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 PostboxApp/6.1.10
MIME-Version: 1.0
In-Reply-To: <20190213203936.3ky2nh7i5uswzbmq@mycre.ws>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/_EaH9uMtwVYdJBQaIaw4tvYQgGo>
Subject: Re: [DNSOP] my chromecast ultra would not start until i began answering 8.8.8.8
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Feb 2019 21:14:42 -0000

Robert Edmonds wrote on 2019-02-13 12:39:
>> (no, this device i've paid for, will NOT be allowed to send you any
>> information, other than what i personally approve, which will never include
>> DNS traffic. if you don't like that deal, buy it back from me and i'll find
>> some other video appliance that doesn't twist my arm.)
> 
> Are you looking for https://support.google.com/chromecast/contactflow ?

no. they know exactly what they're doing, and it's not an accident. 
reporting it to their support team will waste their time and mine.

however, i don't know yet whether they're ready to own their sh*t in 
public, or whether they'll enjoy being named and shamed. so, here i am.

-- 
P Vixie


From nobody Wed Feb 13 13:16:48 2019
Return-Path: <jared@puck.nether.net>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2E94312DF71 for <dnsop@ietfa.amsl.com>; Wed, 13 Feb 2019 13:16:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level: 
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id h9l-Y1APJ87f for <dnsop@ietfa.amsl.com>; Wed, 13 Feb 2019 13:16:44 -0800 (PST)
Received: from puck.nether.net (puck.nether.net [204.42.254.5]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 429941200B3 for <dnsop@ietf.org>; Wed, 13 Feb 2019 13:16:44 -0800 (PST)
Received: from [IPv6:2603:3015:3606:cbe1:14f3:f494:3702:1ffe] (unknown [IPv6:2603:3015:3606:cbe1:14f3:f494:3702:1ffe]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by puck.nether.net (Postfix) with ESMTPSA id ED7D8540678; Wed, 13 Feb 2019 16:16:40 -0500 (EST)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
From: Jared Mauch <jared@puck.nether.net>
In-Reply-To: <7c32d8c1-41fe-8aea-ec4c-1c576619233e@redbarn.org>
Date: Wed, 13 Feb 2019 16:16:40 -0500
Cc: Robert Edmonds <edmonds@mycre.ws>, "dnsop@ietf.org" <dnsop@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <75B939C7-1D8E-40A6-A19E-F50BE76B8AC6@puck.nether.net>
References: <081afd30-6e48-29c6-d4c6-dd1f5efb9747@redbarn.org> <20190213203936.3ky2nh7i5uswzbmq@mycre.ws> <7c32d8c1-41fe-8aea-ec4c-1c576619233e@redbarn.org>
To: paul vixie <paul@redbarn.org>
X-Mailer: Apple Mail (2.3445.102.3)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Mgaf-eLbLb-LcrDOPXvz5EB5tno>
Subject: Re: [DNSOP] my chromecast ultra would not start until i began answering 8.8.8.8
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Feb 2019 21:16:46 -0000

> On Feb 13, 2019, at 4:14 PM, Paul Vixie <paul@redbarn.org> wrote:
> 
> no. they know exactly what they're doing, and it's not an accident.
> reporting it to their support team will waste their time and mine.
> 
> however, i don't know yet whether they're ready to own their sh*t in
> public, or whether they'll enjoy being named and shamed. so, here i am.

And ours as well.

- Jared


From nobody Wed Feb 13 13:45:33 2019
Return-Path: <KHenderson@verisign.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 45AC812F18C for <dnsop@ietfa.amsl.com>; Wed, 13 Feb 2019 13:45:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level: 
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=verisign.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id snhLJEHu4U9y for <dnsop@ietfa.amsl.com>; Wed, 13 Feb 2019 13:45:29 -0800 (PST)
Received: from mail4.verisign.com (mail4.verisign.com [69.58.187.30]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2225412785F for <dnsop@ietf.org>; Wed, 13 Feb 2019 13:45:29 -0800 (PST)
Received: from BRN1WNEX02.vcorp.ad.vrsn.com (10.173.153.49) by BRN1WNEX02.vcorp.ad.vrsn.com (10.173.153.49) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1531.3; Wed, 13 Feb 2019 16:45:27 -0500
Received: from BRN1WNEX02.vcorp.ad.vrsn.com ([fe80::7c0a:1cc:5def:9dde]) by BRN1WNEX02.vcorp.ad.vrsn.com ([fe80::7c0a:1cc:5def:9dde%4]) with mapi id 15.01.1531.003; Wed, 13 Feb 2019 16:45:27 -0500
From: "Henderson, Karl" <KHenderson@verisign.com>
To: "dnsop@ietf.org" <dnsop@ietf.org>
Thread-Topic: [DNSOP] extension of DoH to authoritative servers
Thread-Index: AQHUw+VuylFtk43zWkmFVUKhRJ+EWw==
Date: Wed, 13 Feb 2019 21:45:26 +0000
Message-ID: <C5525DE2-DCF3-43E5-8C41-BAA58049DC3A@verisign.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
user-agent: Microsoft-MacOutlook/10.10.6.190114
x-originating-ip: [10.170.148.18]
Content-Type: multipart/alternative; boundary="_000_C5525DE2DCF343E58C41BAA58049DC3Averisigncom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/vuVIAptifVf1i6ecSJKwG6cLVO8>
Subject: Re: [DNSOP] extension of DoH to authoritative servers
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Feb 2019 21:45:31 -0000

--_000_C5525DE2DCF343E58C41BAA58049DC3Averisigncom_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit

Couldn’t DoT also run over port 443 just like DOH -– similar to what’s
been proposed in this draft?:
https://datatracker.ietf.org/doc/draft-dkg-dprive-demux-dns-http/

--_000_C5525DE2DCF343E58C41BAA58049DC3Averisigncom_--


From nobody Wed Feb 13 13:51:15 2019
Return-Path: <vladimir.cunat+ietf@nic.cz>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 98E8012785F for <dnsop@ietfa.amsl.com>; Wed, 13 Feb 2019 13:51:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.019
X-Spam-Level: 
X-Spam-Status: No, score=-6.019 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FROM_EXCESS_BASE64=0.979, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nic.cz
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aYvQNS-3gZGp for <dnsop@ietfa.amsl.com>; Wed, 13 Feb 2019 13:51:07 -0800 (PST)
Received: from mail.nic.cz (mail.nic.cz [217.31.204.67]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5AFD2128766 for <dnsop@ietf.org>; Wed, 13 Feb 2019 13:51:04 -0800 (PST)
Received: from [IPv6:2a02:768:2208:ed02:7285:c2ff:fe3a:c784] (unknown [IPv6:2a02:768:2208:ed02:7285:c2ff:fe3a:c784]) by mail.nic.cz (Postfix) with ESMTPSA id 3D89D627D1; Wed, 13 Feb 2019 22:51:01 +0100 (CET)
To: "Henderson, Karl" <KHenderson=40verisign.com@dmarc.ietf.org>
References: <C5525DE2-DCF3-43E5-8C41-BAA58049DC3A@verisign.com>
Cc: "dnsop@ietf.org" <dnsop@ietf.org>
From: =?UTF-8?B?VmxhZGltw61yIMSMdW7DoXQ=?= <vladimir.cunat+ietf@nic.cz>
Openpgp: preference=signencrypt
Message-ID: <edc1d393-ad19-2f8e-5f58-367d9b7e3290@nic.cz>
Date: Wed, 13 Feb 2019 22:51:00 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.5.0
MIME-Version: 1.0
In-Reply-To: <C5525DE2-DCF3-43E5-8C41-BAA58049DC3A@verisign.com>
Content-Type: multipart/alternative; boundary="------------377F01AEC0A0B5D90D1BC54B"
Content-Language: en-US
X-Virus-Scanned: clamav-milter 0.99.2 at mail
X-Virus-Status: Clean
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/xPXdrvrt9y8DJuOYpNcQT2ZjncU>
Subject: Re: [DNSOP] extension of DoH to authoritative servers
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Feb 2019 21:51:10 -0000

This is a multi-part message in MIME format.
--------------377F01AEC0A0B5D90D1BC54B
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit

On 2/13/19 10:45 PM, Henderson, Karl wrote:
>
> Couldn’t DoT also run over port 443 just like DOH -– similar to what’s
> been proposed in this
> draft?: https://datatracker.ietf.org/doc/draft-dkg-dprive-demux-dns-http/
>
Technically you can run DoT on whatever port you like.  I believe the
port number argument and non-recognizability from https are mainly red
herrings when comparing DoH with DoT.  And there are more, as the two
protocols share almost all properties.

Example: with knot-resolver it's easy - you just add @443, either on
the side of the server and/or on the side of forwarding over TLS.

--Vladimir


--------------377F01AEC0A0B5D90D1BC54B--


From nobody Wed Feb 13 13:51:35 2019
Return-Path: <internet-drafts@ietf.org>
X-Original-To: dnsop@ietf.org
Delivered-To: dnsop@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 9A6091310C7; Wed, 13 Feb 2019 13:51:22 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: internet-drafts@ietf.org
To: <i-d-announce@ietf.org>
Cc: dnsop@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.91.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: dnsop@ietf.org
Message-ID: <155009468256.9559.12509906855495134896@ietfa.amsl.com>
Date: Wed, 13 Feb 2019 13:51:22 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/BfB-3mYhmCOSzUNOqKeVS-lxBkM>
Subject: [DNSOP] I-D Action: draft-wessels-dns-zone-digest-06.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Feb 2019 21:51:27 -0000

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Domain Name System Operations WG of the IETF.

        Title           : Message Digest for DNS Zones
        Authors         : Duane Wessels
                          Piet Barber
                          Matt Weinberg
                          Warren Kumari
                          Wes Hardaker
        Filename        : draft-wessels-dns-zone-digest-06.txt
        Pages           : 27
        Date            : 2019-02-13

Abstract:
   This document describes an experimental protocol and new DNS Resource
   Record that can be used to provide a message digest over DNS zone
   data.  The ZONEMD Resource Record conveys the message digest data in
   the zone itself.  When a zone publisher includes a ZONEMD record,
   recipients can verify the zone contents for accuracy and
   completeness.  This provides assurance that received zone data
   matches published data, regardless of how the zone data has been
   transmitted and received.

   ZONEMD is not designed to replace DNSSEC.  Whereas DNSSEC protects
   individual RRSets (DNS data with fine granularity), ZONEMD protects
   a zone's data as a whole, whether consumed by authoritative
   name servers, recursive name servers, or any other applications.

   As specified at this time, ZONEMD is not designed for use in large,
   dynamic zones due to the time and resources required for digest
   calculation.  The ZONEMD record described in this document includes
   fields reserved for future work to support large, dynamic zones.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-wessels-dns-zone-digest/

There are also htmlized versions available at:
https://tools.ietf.org/html/draft-wessels-dns-zone-digest-06
https://datatracker.ietf.org/doc/html/draft-wessels-dns-zone-digest-06

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-wessels-dns-zone-digest-06


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/


From nobody Wed Feb 13 13:56:04 2019
Return-Path: <dwessels@verisign.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7D2D012F18C for <dnsop@ietfa.amsl.com>; Wed, 13 Feb 2019 13:55:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level: 
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9,  DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001,  URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=verisign.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I4MHgHAykBLo for <dnsop@ietfa.amsl.com>; Wed, 13 Feb 2019 13:55:52 -0800 (PST)
Received: from mail6.verisign.com (mail6.verisign.com [69.58.187.32]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8E5DA12D861 for <dnsop@ietf.org>; Wed, 13 Feb 2019 13:55:52 -0800 (PST)
Received: from BRN1WNEX01.vcorp.ad.vrsn.com (10.173.153.48) by BRN1WNEX01.vcorp.ad.vrsn.com (10.173.153.48) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1531.3; Wed, 13 Feb 2019 16:55:50 -0500
Received: from BRN1WNEX01.vcorp.ad.vrsn.com ([fe80::a89b:32d6:b967:337d]) by BRN1WNEX01.vcorp.ad.vrsn.com ([fe80::a89b:32d6:b967:337d%5]) with mapi id 15.01.1531.003; Wed, 13 Feb 2019 16:55:50 -0500
From: "Wessels, Duane" <dwessels@verisign.com>
To: "dnsop@ietf.org" <dnsop@ietf.org>
Thread-Topic: [EXTERNAL] [DNSOP] I-D Action: draft-wessels-dns-zone-digest-06.txt
Thread-Index: AQHUw+Z8cdj2yj8GekCjccUjd6ELxqXemceA
Date: Wed, 13 Feb 2019 21:55:50 +0000
Message-ID: <923006F8-EB5A-4098-81A2-782BC90BF220@verisign.com>
References: <155009468256.9559.12509906855495134896@ietfa.amsl.com>
In-Reply-To: <155009468256.9559.12509906855495134896@ietfa.amsl.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator: 
x-originating-ip: [10.170.148.18]
Content-Type: multipart/signed; boundary="Apple-Mail=_F2CDCC37-AB20-4EF7-8BCD-45CC90A3C0C4"; protocol="application/pkcs7-signature"; micalg=sha1
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/ywEQjg9Anc4gJA0wxaZkeEWAQWM>
Subject: Re: [DNSOP] I-D Action: draft-wessels-dns-zone-digest-06.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Feb 2019 21:55:56 -0000

--Apple-Mail=_F2CDCC37-AB20-4EF7-8BCD-45CC90A3C0C4
Content-Transfer-Encoding: 7bit
Content-Type: text/plain;
	charset=us-ascii

The only change to this document since -05 is to note that ZONEMD has
been allocated RR type code 63 by IANA following an expert review back
in December.

DW


> On Feb 13, 2019, at 1:51 PM, internet-drafts@ietf.org wrote:
>
>
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> This draft is a work item of the Domain Name System Operations WG of the IETF.
>
>        Title           : Message Digest for DNS Zones
>        Authors         : Duane Wessels
>                          Piet Barber
>                          Matt Weinberg
>                          Warren Kumari
>                          Wes Hardaker
>        Filename        : draft-wessels-dns-zone-digest-06.txt
>        Pages           : 27
>        Date            : 2019-02-13
>
> Abstract:
>   This document describes an experimental protocol and new DNS Resource
>   Record that can be used to provide a message digest over DNS zone
>   data.  The ZONEMD Resource Record conveys the message digest data in
>   the zone itself.  When a zone publisher includes a ZONEMD record,
>   recipients can verify the zone contents for accuracy and
>   completeness.  This provides assurance that received zone data
>   matches published data, regardless of how the zone data has been
>   transmitted and received.
>
>   ZONEMD is not designed to replace DNSSEC.  Whereas DNSSEC protects
>   individual RRSets (DNS data with fine granularity), ZONEMD
>   protects a zone's data as a whole, whether consumed by authoritative
>   name servers, recursive name servers, or any other applications.
>
>   As specified at this time, ZONEMD is not designed for use in large,
>   dynamic zones due to the time and resources required for digest
>   calculation.  The ZONEMD record described in this document includes
>   fields reserved for future work to support large, dynamic zones.
>
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-wessels-dns-zone-digest/
>
> There are also htmlized versions available at:
> https://tools.ietf.org/html/draft-wessels-dns-zone-digest-06
> https://datatracker.ietf.org/doc/html/draft-wessels-dns-zone-digest-06
>
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-wessels-dns-zone-digest-06
>
>
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop

--Apple-Mail=_F2CDCC37-AB20-4EF7-8BCD-45CC90A3C0C4--
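
The whole-zone check described in the abstract quoted in the message above, as an added example that is not code from the draft or its authors. It is a simplified model: the text-form canonicalisation, the "sha384 <hex>" RDATA layout, the helper names and the sample zone are assumptions made for illustration, not the draft's wire-format rules.

```python
import hashlib

APEX = "example."  # constructed zone name

# Constructed sample zone: (owner, ttl, class, type, rdata) in presentation form.
ZONE = [
    ("example.", 3600, "IN", "SOA",
     "ns1.example. admin.example. 2019021301 7200 3600 1209600 3600"),
    ("example.", 3600, "IN", "NS", "ns1.example."),
    ("ns1.example.", 3600, "IN", "A", "192.0.2.53"),
    ("www.example.", 300, "IN", "A", "192.0.2.80"),
    ("www.example.", 300, "IN", "AAAA", "2001:db8::80"),
]


def is_apex_zonemd(rr):
    """True for the digest record itself, which cannot be part of its own input."""
    return rr[3] == "ZONEMD" and rr[0].lower() == APEX


def canonical_key(rr):
    """Sort key: owner labels right to left (case-folded), then type, then rdata."""
    owner, _ttl, _cls, rtype, rdata = rr
    labels = owner.lower().rstrip(".").split(".")
    return (labels[::-1], rtype, rdata)


def zone_digest(records):
    """SHA-384 over every record except the apex ZONEMD, in canonical order.

    Sorting and de-duplicating first makes the digest independent of the order
    in which records arrived, so the transfer method does not matter.
    """
    h = hashlib.sha384()
    body = {rr for rr in records if not is_apex_zonemd(rr)}
    for owner, ttl, cls, rtype, rdata in sorted(body, key=canonical_key):
        line = "\t".join((owner.lower(), str(ttl), cls, rtype, rdata))
        h.update(line.encode("ascii") + b"\n")
    return h.hexdigest()


def publish(records):
    """Publisher side: add an apex ZONEMD record carrying the digest of the rest."""
    rdata = "sha384 " + zone_digest(records)  # constructed RDATA layout
    return list(records) + [(APEX, 3600, "IN", "ZONEMD", rdata)]


def verify(received):
    """Recipient side: recompute the digest and compare. Returns (ok, reason)."""
    md = [rr for rr in received if is_apex_zonemd(rr)]
    if len(md) != 1:
        return (False, "expected exactly one apex ZONEMD record")
    alg, _, claimed = md[0][4].partition(" ")
    if alg != "sha384":
        return (False, "unsupported digest type")
    if claimed != zone_digest(received):
        return (False, "digest mismatch")
    # A match only proves the data equals what the ZONEMD record claims.
    # Whoever can rewrite the zone can also recompute the digest, so the
    # ZONEMD record itself has to be authenticated (for example by DNSSEC).
    return (True, "ok")


if __name__ == "__main__":
    published = publish(ZONE)
    print("intact zone:     ", verify(published))
    print("reordered zone:  ", verify(list(reversed(published))))
    truncated = [rr for rr in published if rr[3] != "AAAA"]
    print("record dropped:  ", verify(truncated))
```

A changed or missing record anywhere in the zone fails the check, which per-RRSet signatures alone do not give a recipient of the whole zone.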


From nobody Wed Feb 13 13:56:46 2019
Return-Path: <brian.peter.dickson@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BCDD012D861 for <dnsop@ietfa.amsl.com>; Wed, 13 Feb 2019 13:56:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level: 
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sTJ_tvAk6mn7 for <dnsop@ietfa.amsl.com>; Wed, 13 Feb 2019 13:56:42 -0800 (PST)
Received: from mail-qt1-x832.google.com (mail-qt1-x832.google.com [IPv6:2607:f8b0:4864:20::832]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 98F1A130EC7 for <dnsop@ietf.org>; Wed, 13 Feb 2019 13:56:42 -0800 (PST)
Received: by mail-qt1-x832.google.com with SMTP id p25so4263044qtb.3 for <dnsop@ietf.org>; Wed, 13 Feb 2019 13:56:42 -0800 (PST)
X-Received: by 2002:ac8:26ea:: with SMTP id 39mr278144qtp.351.1550095001127; Wed, 13 Feb 2019 13:56:41 -0800 (PST)
MIME-Version: 1.0
References: <2019021215560470371417@cnnic.cn> <alpine.LRH.2.21.1902120846480.18026@bofh.nohats.ca> <201902131403257357123@cnnic.cn> <0CFDF54E-E57F-4500-8285-96A5EB035E9A@virtualized.org>
In-Reply-To: <0CFDF54E-E57F-4500-8285-96A5EB035E9A@virtualized.org>
From: Brian Dickson <brian.peter.dickson@gmail.com>
Date: Wed, 13 Feb 2019 13:56:29 -0800
Message-ID: <CAH1iCir9gYVTtQ-hLUusveMdZGZiL9VC5tDnM4AYsYz-AJTkeg@mail.gmail.com>
To: dnsop <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000e90ee70581cd9d5f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/ARxEpePAk8Zcoz3O-AivhwBbwZw>
Subject: [DNSOP] DoH vs DoT vs network operators, and requirements/goals?
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Feb 2019 21:56:45 -0000

--000000000000e90ee70581cd9d5f
Content-Type: text/plain; charset="UTF-8"

I've been thinking a bit about some of the issues raised in the recent DoH
discussion.

What I am wondering about, is what the goals of different parties might be.

I am also wondering whether some available standards (or additions to some
of those standards) might be helpful.

Finding particular middle ground technical solutions to balance the
different goals (hard requirements vs philosophical issues vs real-world
things), is what I think is a productive direction to have discussions.

Some of the issues may need to be examined a bit closer. E.g. distrust is
pretty vague. There are multiple underlying issues, e.g. privacy ("I don't
trust you to know stuff"), or data integrity ("I don't trust you to not
mangle data"), or surveillance ("I trust him more than I trust you, because
he doesn't keep logs longer than X hours").

I think the ability to separate out DNS from non-DNS traffic when the
transport is TLS on some commonly-used TCP port, is another issue.

Similarly, being able to identify end-points by name or by cert, and
possibly having the ability to act on that identification (permit/deny) is
another thing.

Are there other requirements/drivers on these issues, that are implied or
that might need to be considered?

Is there any need/desire to separate the transport from the actual DNS
resolution? Or would that add too much complexity with no obvious benefit?
Would anyone offer transport while allowing use of a third/fourth party DNS
resolver??

The technical things that might be worth looking at, that I can think of,
are:

   - New certificate use types (specific to only DNS, DoH, DoT,
   server/client etc?)
   - SNI
   - DNS server names (standardized or validated, or white-listed)
   - SRV stuff or similar
   - AH without any content encryption (Null cipher), allows channel
   integrity while letting network operator monitor view query/response
   traffic, e.g. for pseudo-RPZ functionality
   - Is there a DANE use case anywhere in here?

Sorry for the noise, if anyone isn't interested in this stuff.

Brian

--000000000000e90ee70581cd9d5f--


From nobody Wed Feb 13 14:30:13 2019
Return-Path: <warren@kumari.net>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9324F130DBE for <dnsop@ietfa.amsl.com>; Wed, 13 Feb 2019 14:30:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=kumari-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VLrjuUe2Z2QA for <dnsop@ietfa.amsl.com>; Wed, 13 Feb 2019 14:30:09 -0800 (PST)
Received: from mail-wr1-x42b.google.com (mail-wr1-x42b.google.com [IPv6:2a00:1450:4864:20::42b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E7717128CF2 for <dnsop@ietf.org>; Wed, 13 Feb 2019 14:30:08 -0800 (PST)
Received: by mail-wr1-x42b.google.com with SMTP id o17so4367939wrw.3 for <dnsop@ietf.org>; Wed, 13 Feb 2019 14:30:08 -0800 (PST)
X-Received: by 2002:a5d:4e82:: with SMTP id e2mr238137wru.291.1550097006789; Wed, 13 Feb 2019 14:30:06 -0800 (PST)
MIME-Version: 1.0
References: <2019021215560470371417@cnnic.cn> <alpine.LRH.2.21.1902120846480.18026@bofh.nohats.ca> <201902131403257357123@cnnic.cn> <0CFDF54E-E57F-4500-8285-96A5EB035E9A@virtualized.org> <CAH1iCir9gYVTtQ-hLUusveMdZGZiL9VC5tDnM4AYsYz-AJTkeg@mail.gmail.com>
In-Reply-To: <CAH1iCir9gYVTtQ-hLUusveMdZGZiL9VC5tDnM4AYsYz-AJTkeg@mail.gmail.com>
From: Warren Kumari <warren@kumari.net>
Date: Wed, 13 Feb 2019 17:29:30 -0500
Message-ID: <CAHw9_i+4J8HQPGA5pX5ca3Lk6y+qKFY_XXdVgfSKaBOX2T7ZFA@mail.gmail.com>
To: Brian Dickson <brian.peter.dickson@gmail.com>
Cc: dnsop <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000075245b0581ce158e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/9cSyhmUjqz002VwTg1N4EIQtmAc>
Subject: Re: [DNSOP] DoH vs DoT vs network operators, and requirements/goals?
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Feb 2019 22:30:11 -0000

--00000000000075245b0581ce158e
Content-Type: text/plain; charset="UTF-8"

This discussion (and the other DoH ones) would probably be better handled
on the DoH mailing list -- https://www.ietf.org/mailman/listinfo/doh - so
that the DoH people are involved.

The DoH WG charter specifically says: "The working group will coordinate
with the DNSOP and INTAREA working groups for input on DNS-over-HTTPS's
impact on DNS operations and DNS semantics, respectively. In particular,
DNSOP will be consulted for guidance on the operational impacts that
result from traditional host behaviors (i.e., stub-resolver to
recursive-resolver interaction) being replaced with the specified
mechanism."

W

On Wed, Feb 13, 2019 at 4:56 PM Brian Dickson <brian.peter.dickson@gmail.com>
wrote:

> I've been thinking a bit about some of the issues raised in the recent DoH
> discussion.
>
> What I am wondering about, is what the goals of different parties might be.
>
> I am also wondering whether some available standards (or additions to some
> of those standards) might be helpful.
>
> Finding particular middle ground technical solutions to balance the
> different goals (hard requirements vs philosophical issues vs real-world
> things), is what I think is a productive direction to have discussions.
>
> Some of the issues may need to be examined a bit closer. E.g. distrust is
> pretty vague. There are multiple underlying issues, e.g. privacy ("I don't
> trust you to know stuff"), or data integrity ("I don't trust you to not
> mangle data"), or surveillance ("I trust him more than I trust you, because
> he doesn't keep logs longer than X hours").
>
> I think the ability to separate out DNS from non-DNS traffic when the
> transport is TLS on some commonly-used TCP port, is another issue.
>
> Similarly, being able to identify end-points by name or by cert, and
> possibly having the ability to act on that identification (permit/deny) is
> another thing.
>
> Are there other requirements/drivers on these issues, that are implied or
> that might need to be considered?
>
> Is there any need/desire to separate the transport from the actual DNS
> resolution? Or would that add too much complexity with no obvious benefit?
> Would anyone offer transport while allowing use of a third/fourth party DNS
> resolver??
>
> The technical things that might be worth looking at, that I can think of,
> are:
>
>    - New certificate use types (specific to only DNS, DoH, DoT,
>    server/client etc?)
>    - SNI
>    - DNS server names (standardized or validated, or white-listed)
>    - SRV stuff or similar
>    - AH without any content encryption (Null cipher), allows channel
>    integrity while letting network operator monitor view query/response
>    traffic, e.g. for pseudo-RPZ functionality
>    - Is there a DANE use case anywhere in here?
>
> Sorry for the noise, if anyone isn't interested in this stuff.
>
> Brian
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>


-- 
I don't think the execution is relevant when it was obviously a bad idea in
the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair of
pants.
   ---maf

--00000000000075245b0581ce158e--


From nobody Wed Feb 13 21:05:44 2019
Return-Path: <yaojk@cnnic.cn>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 56E5F130F9F for <dnsop@ietfa.amsl.com>; Wed, 13 Feb 2019 21:05:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id A2CqB76RL4L2 for <dnsop@ietfa.amsl.com>; Wed, 13 Feb 2019 21:05:37 -0800 (PST)
Received: from cnnic.cn (smtp13.cnnic.cn [218.241.118.13]) by ietfa.amsl.com (Postfix) with ESMTP id 6D8BE130F9C for <dnsop@ietf.org>; Wed, 13 Feb 2019 21:05:35 -0800 (PST)
Received: by ajax-webmail-ocmail02.zx.nicx.cn (Coremail) ; Thu, 14 Feb 2019 13:05:21 +0800 (GMT+08:00)
X-Originating-IP: [218.241.103.3]
Date: Thu, 14 Feb 2019 13:05:21 +0800 (GMT+08:00)
X-CM-HeaderCharset: UTF-8
From: "Jiankang Yao" <yaojk@cnnic.cn>
To: dnsop <dnsop@ietf.org>
Cc: arnt <arnt@gulbrandsen.priv.no>
X-Priority: 3
X-Mailer: Coremail Webmail Server Version XT3.0.8 dev build 20171117(fcd8b4ed) Copyright (c) 2002-2019 www.mailtech.cn cnnic
X-SendMailWithSms: false
Content-Transfer-Encoding: base64
Content-Type: text/plain; charset=UTF-8
MIME-Version: 1.0
Message-ID: <4d51e683.32d.168ea651be8.Coremail.yaojk@cnnic.cn>
X-Coremail-Locale: zh_CN
X-CM-TRANSID: AQAAf0BpGL0R92RcG_sfAA--.2420W
X-CM-SenderInfo: x1dryyw6fq0xffof0/1tbiAQABDSVCN5ErOAABse
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/FWJl4_2zpaiVpRU9bHJD0q1kTG0>
Subject: [DNSOP] Fw: New Version Notification for draft-arnt-yao-dnsop-root-data-caching-00.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Feb 2019 05:05:40 -0000

From nobody Wed Feb 13 22:36:29 2019
Return-Path: <zuopeng@cnnic.cn>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 407B2128B14 for <dnsop@ietfa.amsl.com>; Wed, 13 Feb 2019 22:36:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level: 
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vFhaq-yCMOzw for <dnsop@ietfa.amsl.com>; Wed, 13 Feb 2019 22:36:25 -0800 (PST)
Received: from cnnic.cn (smtp13.cnnic.cn [218.241.118.13]) by ietfa.amsl.com (Postfix) with ESMTP id E4135128766 for <dnsop@ietf.org>; Wed, 13 Feb 2019 22:36:21 -0800 (PST)
Received: from Foxmail (unknown [218.241.103.81]) by ocmail02.zx.nicx.cn (Coremail) with SMTP id AQAAf0BJdq1gDGVcyP8fAA--.22730S2;  Thu, 14 Feb 2019 14:36:16 +0800 (CST)
Date: Thu, 14 Feb 2019 14:36:14 +0800
From: "zuopeng@cnnic.cn" <zuopeng@cnnic.cn>
To: "Stephane Bortzmeyer" <bortzmeyer@nic.fr>
Cc: dnsop <dnsop@ietf.org>,  "Paul Wouters" <paul@nohats.ca>
References: <2019021215560470371417@cnnic.cn>,  <alpine.LRH.2.21.1902120846480.18026@bofh.nohats.ca>,  <201902131403257357123@cnnic.cn>,  <20190213134408.ri5iy42q7u7h37ui@sources.org>
X-Priority: 3
X-Has-Attach: no
X-Mailer: Foxmail 7, 2, 7, 166[cn]
Mime-Version: 1.0
Message-ID: <201902141436144299614@cnnic.cn>
Content-Type: multipart/alternative; boundary="----=_001_NextPart721375776863_=----"
X-CM-TRANSID: AQAAf0BJdq1gDGVcyP8fAA--.22730S2
X-CM-SenderInfo: x2xr1vlqj6u0xqlfhubq/
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/20NkP0rrrXczN-looTkwEQhUCTY>
Subject: Re: [DNSOP] extension of DoH to authoritative servers
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Feb 2019 06:36:27 -0000

This is a multi-part message in MIME format.

------=_001_NextPart721375776863_=----
Content-Type: text/plain;
	charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit

I think both DNSSEC and DoH (or DoT) can protect DNS data, the fundamental
point is to establish the trust chain and transit trust. Regarding the case
"secondary name servers managed by a different organisation", the servers
can publish several TLSAs to distinguish them.

This idea is just a sketch model and provides another option for DNS
security and privacy. Transiting trust is hard but may be accomplished in
the future. The deployment of DNSSEC also takes a long time and is still in
progress.

zuopeng@cnnic.cn

From: Stephane Bortzmeyer
Date: 2019-02-13 21:44
To: zuopeng@cnnic.cn
CC: dnsop; Paul Wouters
Subject: Re: [DNSOP] extension of DoH to authoritative servers

On Wed, Feb 13, 2019 at 02:03:26PM +0800,
 zuopeng@cnnic.cn <zuopeng@cnnic.cn> wrote
 a message of 103 lines which said:

> that's true. but in my view, if the trust chain is built, we can
> ensure a resolver(or a cache) is always talking to a identified
> server and the channel is always secure, then the content could not
> be tampered.

Several emails already mentioned cases where it is not true (relaying
through a forwarder - transitive trust is hard - or secondary name
servers managed by a different organisation - a common use case).

------=_001_NextPart721375776863_=------



From nobody Wed Feb 13 23:34:19 2019
Return-Path: <paul@nohats.ca>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9DAB113102B for <dnsop@ietfa.amsl.com>; Wed, 13 Feb 2019 23:34:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level: 
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3oWvf3nZ7QEG for <dnsop@ietfa.amsl.com>; Wed, 13 Feb 2019 23:34:16 -0800 (PST)
Received: from mx.nohats.ca (mx.nohats.ca [193.110.157.68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3779C131021 for <dnsop@ietf.org>; Wed, 13 Feb 2019 23:34:16 -0800 (PST)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 440Snf27nXz3Nm; Thu, 14 Feb 2019 08:34:14 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1550129654; bh=ld1MngKQ8Kte802gyo6ZqY9ftsCx8rXj9tRnjddIADc=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=rN7qz6nC62Bhm3VJ1TmsGa+Ai+tcIC8vJP6ZAj8ZfRBzGIq5PV4X2BiqZGfNaQrva 4SsslvdOgbUQ3Fp7vdSMf6fB0GWxoYAJRXbsjVIlhDO/psk+Gl4t6s/rIZZ+RqMcZj ZS9TpgqIeu/kLJu44UPuBaMBxyCqC95/oXiJR5R4=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id 1LCI21pV41G8; Thu, 14 Feb 2019 08:34:12 +0100 (CET)
Received: from bofh.nohats.ca (bofh.nohats.ca [76.10.157.69]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Thu, 14 Feb 2019 08:34:11 +0100 (CET)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id D688B2FCBF; Thu, 14 Feb 2019 02:34:10 -0500 (EST)
DKIM-Filter: OpenDKIM Filter v2.11.0 bofh.nohats.ca D688B2FCBF
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id CEF6740D358A; Thu, 14 Feb 2019 02:34:10 -0500 (EST)
Date: Thu, 14 Feb 2019 02:34:10 -0500 (EST)
From: Paul Wouters <paul@nohats.ca>
To: "zuopeng@cnnic.cn" <zuopeng@cnnic.cn>
cc: Stephane Bortzmeyer <bortzmeyer@nic.fr>, dnsop <dnsop@ietf.org>
In-Reply-To: <201902141436144299614@cnnic.cn>
Message-ID: <alpine.LRH.2.21.1902140232160.19964@bofh.nohats.ca>
References: <2019021215560470371417@cnnic.cn>, <alpine.LRH.2.21.1902120846480.18026@bofh.nohats.ca>, <201902131403257357123@cnnic.cn>, <20190213134408.ri5iy42q7u7h37ui@sources.org> <201902141436144299614@cnnic.cn>
User-Agent: Alpine 2.21 (LRH 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 8BIT
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/YMRzIZCF7_t4R0ZrtemSIUS19Ac>
Subject: Re: [DNSOP] extension of DoH to authoritative servers
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Feb 2019 07:34:18 -0000

On Thu, 14 Feb 2019, zuopeng@cnnic.cn wrote:

> This idea is just a sketch model and provides another option for DNS
> security and privacy. Transiting trust is hard but may be accomplished
> in the future. The deployment of DNSSEC also takes a long time and is
> still in progress.

No. It simply will break applications. For example, the libreswan IKE
daemon using DNSSEC will use the system's forwarder and perform full
DNSSEC validation, without having any idea of the chain of forwarders.
It does not need to, because it is using proper DNSSEC validation.

Your proposal of using transport security implies your node can always
talk to any worldwide DNS server. That is not the case in most networks.

Paul


From nobody Wed Feb 13 23:50:24 2019
Return-Path: <jim@rfc1035.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 141AB12D7F8 for <dnsop@ietfa.amsl.com>; Wed, 13 Feb 2019 23:50:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level: 
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id B3O0Z_JE8fa8 for <dnsop@ietfa.amsl.com>; Wed, 13 Feb 2019 23:50:19 -0800 (PST)
Received: from shaun.rfc1035.com (smtp.v6.rfc1035.com [IPv6:2001:4b10:100:7::25]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 74B0D12D4EF for <dnsop@ietf.org>; Wed, 13 Feb 2019 23:50:19 -0800 (PST)
Received: from gromit.rfc1035.com (gromit.rfc1035.com [195.54.233.69]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by shaun.rfc1035.com (Postfix) with ESMTPSA id 9B51B242109D; Thu, 14 Feb 2019 07:50:16 +0000 (UTC)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
From: Jim Reid <jim@rfc1035.com>
X-Priority: 3
In-Reply-To: <201902141436144299614@cnnic.cn>
Date: Thu, 14 Feb 2019 07:50:15 +0000
Cc: dnsop WG <dnsop@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <212516D2-110D-45DD-B77B-46FD2BA6FECA@rfc1035.com>
References: <2019021215560470371417@cnnic.cn> <alpine.LRH.2.21.1902120846480.18026@bofh.nohats.ca> <201902131403257357123@cnnic.cn> <20190213134408.ri5iy42q7u7h37ui@sources.org> <201902141436144299614@cnnic.cn>
To: "zuopeng@cnnic.cn" <zuopeng@cnnic.cn>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/t2DY7RP7dxp2zsLRM9oCBMQqFk0>
Subject: Re: [DNSOP] extension of DoH to authoritative servers
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Feb 2019 07:50:22 -0000

On 14 Feb 2019, at 06:36, zuopeng@cnnic.cn wrote:
>
> i think both DNSSEC and DoH(or DoT) can protect DNS data

It depends on your definition of “protect”. For some threats/attacks,
DoH or DoT by themselves can’t protect DNS data - for instance a DoH or
DoT server that intentionally or accidentally returns false data. DNSSEC
can counter that. Provided the client can perform validation and the DoH
or DoT server returns DNSSEC material in its responses. It might not
always be wise to make these assumptions, especially client-side
validation.

> Transiting trust is hard but may be accomplished in the future.

That simply won’t be possible until every DNS client does DNSSEC
validation. Good luck with that.

> The deployment of DNSSEC also takes a long time and is still in progress.

Indeed. That’s yet another reason why transiting trust is hard.
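
Added example (not part of any message in this thread, and not code from any project named in it): a small Go model of the distinction drawn in the two replies above, where a client relying on transport security can only judge the hop it talks to, while a validating client checks the zone's signature on the data itself. The record, addresses, key seed and the simplified signed form are constructed for illustration, and the model assumes the intermediate hops do not hold the zone's signing key.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"fmt"
)

// SignedAnswer is a simplified stand-in for an RRset with its RRSIG.
// Real DNSSEC signs the RFC 4034 canonical wire form; a joined string is
// used here (an assumption of this sketch) to keep the model short.
type SignedAnswer struct {
	Name, Type, Data string
	Sig              []byte
}

func (a SignedAnswer) signedBytes() []byte {
	return []byte(a.Name + "\x00" + a.Type + "\x00" + a.Data)
}

// Hop is one server between the zone signer and the client: a secondary
// run by another organisation, a forwarder, a DoT/DoH resolver.
type Hop struct {
	Operator  string
	TLSAuthed bool   // the party querying this hop verified its TLS identity
	Rewrite   string // non-empty: the hop returns this data instead
}

// zoneKey derives a fixed demonstration key pair (constructed, not a real key).
func zoneKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x42}, ed25519.SeedSize))
	return priv.Public().(ed25519.PublicKey), priv
}

// relay passes the answer along the path. A hop can change the data but
// cannot produce a matching signature, because it lacks the zone's key.
func relay(a SignedAnswer, path []Hop) SignedAnswer {
	for _, h := range path {
		if h.Rewrite != "" {
			a.Data = h.Rewrite
		}
	}
	return a
}

// TransportOnlyAccepts models a client relying on channel security alone.
// It can only judge the hop it talks to directly, the last one in path.
func TransportOnlyAccepts(path []Hop) bool {
	return len(path) > 0 && path[len(path)-1].TLSAuthed
}

// ValidatingAccepts models a DNSSEC-validating client: it checks the
// signature against the zone key and needs no knowledge of the path.
func ValidatingAccepts(a SignedAnswer, pub ed25519.PublicKey) bool {
	return ed25519.Verify(pub, a.signedBytes(), a.Sig)
}

// Scenario signs one record at the zone, relays it along path, and reports
// what each kind of client would do with the data that arrives.
func Scenario(path []Hop) (data string, transportOK, validatedOK bool) {
	pub, priv := zoneKey()
	a := SignedAnswer{Name: "www.example.", Type: "A", Data: "192.0.2.10"}
	a.Sig = ed25519.Sign(priv, a.signedBytes())
	got := relay(a, path)
	return got.Data, TransportOnlyAccepts(path), ValidatingAccepts(got, pub)
}

func main() {
	cases := []struct {
		label string
		path  []Hop
	}{
		{"honest path, TLS on every hop", []Hop{
			{Operator: "secondary", TLSAuthed: true},
			{Operator: "resolver", TLSAuthed: true}}},
		{"authenticated resolver returns false data", []Hop{
			{Operator: "secondary", TLSAuthed: true},
			{Operator: "resolver", TLSAuthed: true, Rewrite: "203.0.113.66"}}},
		{"upstream secondary rewrites, last hop honest", []Hop{
			{Operator: "secondary", TLSAuthed: true, Rewrite: "203.0.113.66"},
			{Operator: "forwarder", TLSAuthed: true}}},
		{"plaintext forwarder, data untouched", []Hop{
			{Operator: "forwarder", TLSAuthed: false}}},
	}
	for _, c := range cases {
		data, tr, val := Scenario(c.path)
		fmt.Printf("%-46s data=%-13s transport-only=%-5v validating=%v\n",
			c.label, data, tr, val)
	}
}
```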


From nobody Thu Feb 14 00:05:14 2019
Return-Path: <bortzmeyer@nic.fr>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 35A2B13102D for <dnsop@ietfa.amsl.com>; Thu, 14 Feb 2019 00:05:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.9
X-Spam-Level: 
X-Spam-Status: No, score=-6.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CLnRuMZTrknp for <dnsop@ietfa.amsl.com>; Thu, 14 Feb 2019 00:05:10 -0800 (PST)
Received: from mx4.nic.fr (mx4.nic.fr [IPv6:2001:67c:2218:2::4:12]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1C9C812D4EF for <dnsop@ietf.org>; Thu, 14 Feb 2019 00:05:10 -0800 (PST)
Received: from mx4.nic.fr (localhost [127.0.0.1]) by mx4.nic.fr (Postfix) with SMTP id 2A4EC28047F; Thu, 14 Feb 2019 09:05:08 +0100 (CET)
Received: from relay01.prive.nic.fr (pa-th3.interco.nic.fr [192.134.4.74]) by mx4.nic.fr (Postfix) with ESMTP id 2418C2803DE; Thu, 14 Feb 2019 09:05:08 +0100 (CET)
Received: from b12.nic.fr (b12.tech.ipv6.nic.fr [IPv6:2001:67c:1348:7::86:133]) by relay01.prive.nic.fr (Postfix) with ESMTP id 1E795642A7A1; Thu, 14 Feb 2019 09:05:08 +0100 (CET)
Received: by b12.nic.fr (Postfix, from userid 1000) id 176994010D; Thu, 14 Feb 2019 09:05:08 +0100 (CET)
Date: Thu, 14 Feb 2019 09:05:08 +0100
From: Stephane Bortzmeyer <bortzmeyer@nic.fr>
To: =?utf-8?B?VmxhZGltw61yIMSMdW7DoXQ=?= <vladimir.cunat+ietf@nic.cz>
Cc: "Henderson, Karl" <KHenderson=40verisign.com@dmarc.ietf.org>, "dnsop@ietf.org" <dnsop@ietf.org>
Message-ID: <20190214080508.zab7r6hzkbj7kp54@nic.fr>
References: <C5525DE2-DCF3-43E5-8C41-BAA58049DC3A@verisign.com> <edc1d393-ad19-2f8e-5f58-367d9b7e3290@nic.cz>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <edc1d393-ad19-2f8e-5f58-367d9b7e3290@nic.cz>
X-Operating-System: Debian GNU/Linux 9.7
X-Kernel: Linux 4.9.0-8-amd64 x86_64
X-Charlie: Je suis Charlie
Organization: NIC France
X-URL: http://www.nic.fr/
User-Agent: NeoMutt/20170113 (1.7.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/kXC0sKv9mmmfZmtGRakyurZewUI>
Subject: Re: [DNSOP] extension of DoH to authoritative servers
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Feb 2019 08:05:13 -0000

On Wed, Feb 13, 2019 at 10:51:00PM +0100,
 Vladimír Čunát <vladimir.cunat+ietf@nic.cz> wrote 
 a message of 118 lines which said:

> Technically you can run DoT on whatever port you like.

> Example: with knot-resolver it's easy - you just add @443, either on
> side of server and/or on the side of forwarding over TLS.

The problem is that you cannot then share this port with HTTPS
services (the dkg draft on demultiplexing was abandoned, apparently
because it doesn't work). In a world of scarce IPv4 public addresses,
this is a serious problem.


From nobody Thu Feb 14 00:11:29 2019
Return-Path: <zuopeng@cnnic.cn>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5B74F13103C for <dnsop@ietfa.amsl.com>; Thu, 14 Feb 2019 00:11:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level: 
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UtfZHGK2Ag1B for <dnsop@ietfa.amsl.com>; Thu, 14 Feb 2019 00:11:26 -0800 (PST)
Received: from cnnic.cn (smtp13.cnnic.cn [218.241.118.13]) by ietfa.amsl.com (Postfix) with ESMTP id 5430A13102D for <dnsop@ietf.org>; Thu, 14 Feb 2019 00:11:24 -0800 (PST)
Received: from Foxmail (unknown [218.241.103.81]) by ocmail02.zx.nicx.cn (Coremail) with SMTP id AQAAf0BJdq2qImVcdQQgAA--.22744S2;  Thu, 14 Feb 2019 16:11:22 +0800 (CST)
Date: Thu, 14 Feb 2019 16:11:20 +0800
From: "zuopeng@cnnic.cn" <zuopeng@cnnic.cn>
To: "Paul Wouters" <paul@nohats.ca>
Cc: "Stephane Bortzmeyer" <bortzmeyer@nic.fr>,  dnsop <dnsop@ietf.org>
References: <2019021215560470371417@cnnic.cn>,  <alpine.LRH.2.21.1902120846480.18026@bofh.nohats.ca>,  <201902131403257357123@cnnic.cn>,  <20190213134408.ri5iy42q7u7h37ui@sources.org>,  <201902141436144299614@cnnic.cn>,  <alpine.LRH.2.21.1902140232160.19964@bofh.nohats.ca>
X-Priority: 3
X-Has-Attach: no
X-Mailer: Foxmail 7, 2, 7, 166[cn]
Mime-Version: 1.0
Message-ID: <201902141611200680999@cnnic.cn>
Content-Type: multipart/alternative; boundary="----=_001_NextPart316714538658_=----"
X-CM-TRANSID: AQAAf0BJdq2qImVcdQQgAA--.22744S2
X-CM-SenderInfo: x2xr1vlqj6u0xqlfhubq/
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/KJtGISWLfU0G5PUXprc10o6sfJE>
Subject: Re: [DNSOP] extension of DoH to authoritative servers
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Feb 2019 08:11:28 -0000

This is a multi-part message in MIME format.

------=_001_NextPart316714538658_=----
Content-Type: text/plain;
	charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit

No. I might not have explained it clearly.

Regarding connecting requirement, my proposal is no different from existing
DNS except the recursive server needs to talk to authoritative server via
HTTPS (or TLS) using the TLSA record.
The TLSA record contains child zone's (or the server hosting that child
zone, those details can be discussed in the future) public key and is
published in the parent zone.
I mean, for the authoritative servers, the trust chain can be built using
TLSA other than DS. Then a recursive server can ensure the data it receives
in each step of resolving comes from an authenticated server and is
encrypted.

zuopeng@cnnic.cn

From: Paul Wouters
Date: 2019-02-14 15:34
To: zuopeng@cnnic.cn
CC: Stephane Bortzmeyer; dnsop
Subject: Re: Re: [DNSOP] extension of DoH to authoritative servers

On Thu, 14 Feb 2019, zuopeng@cnnic.cn wrote:

> This idea is just a sketch model and provides another option for DNS
> security and privacy. Transiting trust is hard but may be accomplished
> in the future. The deployment of DNSSEC also takes a long time and is
> still in progress.

No. It simply will break applications. For example, the libreswan IKE
daemon using DNSSEC will use the system's forwarder and perform full
DNSSEC validation, without having any idea of the chain of forwarders.
It does not need to, because it is using proper DNSSEC validation.

Your proposal of using transport security implies your node can always
talk to any worldwide DNS server. That is not the case in most networks.

Paul

------=_001_NextPart316714538658_=------



From nobody Thu Feb 14 00:31:48 2019
Return-Path: <zuopeng@cnnic.cn>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7599D131056 for <dnsop@ietfa.amsl.com>; Thu, 14 Feb 2019 00:31:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.89
X-Spam-Level: 
X-Spam-Status: No, score=-1.89 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fQKq83nNEaud for <dnsop@ietfa.amsl.com>; Thu, 14 Feb 2019 00:31:44 -0800 (PST)
Received: from cnnic.cn (smtp13.cnnic.cn [218.241.118.13]) by ietfa.amsl.com (Postfix) with ESMTP id 99294131055 for <dnsop@ietf.org>; Thu, 14 Feb 2019 00:31:42 -0800 (PST)
Received: from Foxmail (unknown [218.241.103.81]) by ocmail02.zx.nicx.cn (Coremail) with SMTP id AQAAf0AJEMxpJ2VciQUgAA--.4298S2; Thu, 14 Feb 2019 16:31:37 +0800 (CST)
Date: Thu, 14 Feb 2019 16:31:35 +0800
From: "zuopeng@cnnic.cn" <zuopeng@cnnic.cn>
To: "Jim Reid" <jim@rfc1035.com>
Cc: dnsop <dnsop@ietf.org>
References: <2019021215560470371417@cnnic.cn>,  <alpine.LRH.2.21.1902120846480.18026@bofh.nohats.ca>,  <201902131403257357123@cnnic.cn>,  <20190213134408.ri5iy42q7u7h37ui@sources.org>,  <201902141436144299614@cnnic.cn>,  <212516D2-110D-45DD-B77B-46FD2BA6FECA@rfc1035.com>
X-Priority: 3
X-Has-Attach: no
X-Mailer: Foxmail 7, 2, 7, 166[cn]
Mime-Version: 1.0
Message-ID: <2019021416313510438520@cnnic.cn>
Content-Type: multipart/alternative; boundary="----=_001_NextPart522568628282_=----"
X-CM-TRANSID: AQAAf0AJEMxpJ2VciQUgAA--.4298S2
X-CM-SenderInfo: x2xr1vlqj6u0xqlfhubq/
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/iXarzaJHFy_WBxIwxrriWr5PjcY>
Subject: Re: [DNSOP] extension of DoH to authoritative servers
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Feb 2019 08:31:47 -0000

> for instance a DoH or DoT server that intentionally or accidentally
> returns false data. DNSSEC can counter that.

I don't understand why.
If a server intentionally returns false data, it can fake anything
because it owns the private key, DNSSEC does not help either.

> Indeed. That’s yet another reason why transiting trust is hard.

YES. This proposal also needs support from the root.



From nobody Thu Feb 14 00:33:17 2019
Return-Path: <bortzmeyer@nic.fr>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D50BC131091 for <dnsop@ietfa.amsl.com>; Thu, 14 Feb 2019 00:33:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.9
X-Spam-Level: 
X-Spam-Status: No, score=-6.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RcQqqEWCJNfV for <dnsop@ietfa.amsl.com>; Thu, 14 Feb 2019 00:33:13 -0800 (PST)
Received: from mx4.nic.fr (mx4.nic.fr [IPv6:2001:67c:2218:2::4:12]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2F8FA131056 for <dnsop@ietf.org>; Thu, 14 Feb 2019 00:33:13 -0800 (PST)
Received: from mx4.nic.fr (localhost [127.0.0.1]) by mx4.nic.fr (Postfix) with SMTP id 9E5192803DE; Thu, 14 Feb 2019 09:33:11 +0100 (CET)
Received: by mx4.nic.fr (Postfix, from userid 500) id 97AB42804E8; Thu, 14 Feb 2019 09:33:11 +0100 (CET)
Received: from relay01.prive.nic.fr (relay01.prive.nic.fr [IPv6:2001:67c:2218:15::11]) by mx4.nic.fr (Postfix) with ESMTP id 8FB222803DE; Thu, 14 Feb 2019 09:33:11 +0100 (CET)
Received: from b12.nic.fr (b12.users.prive.nic.fr [10.10.86.133]) by relay01.prive.nic.fr (Postfix) with ESMTP id 89C2B642A7A1; Thu, 14 Feb 2019 09:33:11 +0100 (CET)
Received: by b12.nic.fr (Postfix, from userid 1000) id 7BCB84010D; Thu, 14 Feb 2019 09:33:11 +0100 (CET)
Date: Thu, 14 Feb 2019 09:33:11 +0100
From: Stephane Bortzmeyer <bortzmeyer@nic.fr>
To: "zuopeng@cnnic.cn" <zuopeng@cnnic.cn>
Cc: Stephane Bortzmeyer <bortzmeyer@nic.fr>, dnsop <dnsop@ietf.org>, Paul Wouters <paul@nohats.ca>
Message-ID: <20190214083311.2d6ncijynujoq6vc@nic.fr>
References: <2019021215560470371417@cnnic.cn> <alpine.LRH.2.21.1902120846480.18026@bofh.nohats.ca> <201902131403257357123@cnnic.cn> <20190213134408.ri5iy42q7u7h37ui@sources.org> <201902141436144299614@cnnic.cn>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <201902141436144299614@cnnic.cn>
X-Operating-System: Debian GNU/Linux 9.7
X-Kernel: Linux 4.9.0-8-amd64 x86_64
X-Charlie: Je suis Charlie
Organization: NIC France
X-URL: http://www.nic.fr/
User-Agent: NeoMutt/20170113 (1.7.2)
X-Bogosity: No, tests=bogofilter, spamicity=0.000000, version=1.2.2
X-PMX-Version: 6.0.0.2142326, Antispam-Engine: 2.7.2.2107409, Antispam-Data: 2019.2.14.82117
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/HLsiINS7ben0_XRvle1BHne8I54>
Subject: Re: [DNSOP] extension of DoH to authoritative servers
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Feb 2019 08:33:15 -0000

On Thu, Feb 14, 2019 at 02:36:14PM +0800,
 zuopeng@cnnic.cn <zuopeng@cnnic.cn> wrote 
 a message of 86 lines which said:

> I think both DNSSEC and DoH(or DoT) can protect DNS data,

"Protect" is like "security", a word so vague, which includes so many
different (and sometimes contradictory) services that it is not very
useful. Writing "both DNSSEC and DoH(or DoT) can protect DNS data"
seems to imply that you did not think enough about the difference
between channel security and object security. This is really the
weakest point in your argumentation. (Yes, djb always makes the same
mistake but he is a famous cryptographer so people forget and forgive
about his mistakes.)

> the fundamental point is to establish the trust chain and transit
> trust.

No. The entire point of DNSSEC is that you do not need to trust the
many servers that are between the validator and the origin.

> Regarding the case "secondary name servers managed by a different
> organisation", the servers can publish several TLSAs to distinguish
> them.

I'm afraid you did not understand. Let me explain with concrete
examples. Suppose organisation Alice subcontracts a secondary name
server to organisation Bob (a very common use case).

1) What if Bob is evil and modifies DNS records?
2) What if Bob is sloppy in security and its servers are cracked and
the attacker modifies DNS records?

DNSSEC protects against both. DoT and DoH do not protect against
these issues.

> This idea is just a sketch model

The problem is that there are many sketch models floating around and
few serious proposals (and even fewer implemented and analyzed
proposals).


From nobody Thu Feb 14 00:58:50 2019
Return-Path: <zuopeng@cnnic.cn>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7219F131156 for <dnsop@ietfa.amsl.com>; Thu, 14 Feb 2019 00:58:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level: 
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5MmgCmsCs_0j for <dnsop@ietfa.amsl.com>; Thu, 14 Feb 2019 00:58:45 -0800 (PST)
Received: from cnnic.cn (smtp13.cnnic.cn [218.241.118.13]) by ietfa.amsl.com (Postfix) with ESMTP id B2B76131056 for <dnsop@ietf.org>; Thu, 14 Feb 2019 00:58:44 -0800 (PST)
Received: from Foxmail (unknown [218.241.103.81]) by ocmail02.zx.nicx.cn (Coremail) with SMTP id AQAAf0ApMLjALWVcuwYgAA--.21847S2;  Thu, 14 Feb 2019 16:58:40 +0800 (CST)
Date: Thu, 14 Feb 2019 16:58:38 +0800
From: "zuopeng@cnnic.cn" <zuopeng@cnnic.cn>
To: "Stephane Bortzmeyer" <bortzmeyer@nic.fr>
Cc: dnsop <dnsop@ietf.org>,  "Paul Wouters" <paul@nohats.ca>
References: <2019021215560470371417@cnnic.cn>,  <alpine.LRH.2.21.1902120846480.18026@bofh.nohats.ca>,  <201902131403257357123@cnnic.cn>,  <20190213134408.ri5iy42q7u7h37ui@sources.org>,  <201902141436144299614@cnnic.cn>,  <20190214083311.2d6ncijynujoq6vc@nic.fr>
X-Priority: 3
X-Has-Attach: no
X-Mailer: Foxmail 7, 2, 7, 166[cn]
Mime-Version: 1.0
Message-ID: <2019021416583813239822@cnnic.cn>
Content-Type: multipart/alternative; boundary="----=_001_NextPart706634725425_=----"
X-CM-TRANSID: AQAAf0ApMLjALWVcuwYgAA--.21847S2
X-CM-SenderInfo: x2xr1vlqj6u0xqlfhubq/
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/TjLz3D3iXzM2Y2Wq-s_hE7BeHoY>
Subject: Re: [DNSOP] extension of DoH to authoritative servers
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Feb 2019 08:58:48 -0000

Sorry, because of my English level, I misused the word "protect".
I know the difference between channel security and object security.
But in my proposal, the premise is the recursive server should
completely trust an Authenticated server.
I think this is similar in DNSSEC, because if a DNSSEC_enabled
authoritative server (no matter it is Alice or Bob) is evil and
modifies DNS records, it will succeed because it has private key and
can fake anything.

zuopeng@cnnic.cn



From nobody Thu Feb 14 01:10:25 2019
Return-Path: <bortzmeyer@nic.fr>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5F55613115A for <dnsop@ietfa.amsl.com>; Thu, 14 Feb 2019 01:10:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.9
X-Spam-Level: 
X-Spam-Status: No, score=-6.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9q2cjkQ_Joa7 for <dnsop@ietfa.amsl.com>; Thu, 14 Feb 2019 01:10:23 -0800 (PST)
Received: from mx4.nic.fr (mx4.nic.fr [IPv6:2001:67c:2218:2::4:12]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D2906131056 for <dnsop@ietf.org>; Thu, 14 Feb 2019 01:10:22 -0800 (PST)
Received: from mx4.nic.fr (localhost [127.0.0.1]) by mx4.nic.fr (Postfix) with SMTP id D43902803B9; Thu, 14 Feb 2019 10:10:20 +0100 (CET)
Received: by mx4.nic.fr (Postfix, from userid 500) id CE2562804D4; Thu, 14 Feb 2019 10:10:20 +0100 (CET)
Received: from relay01.prive.nic.fr (relay01.prive.nic.fr [IPv6:2001:67c:2218:15::11]) by mx4.nic.fr (Postfix) with ESMTP id C68902803B9; Thu, 14 Feb 2019 10:10:20 +0100 (CET)
Received: from b12.nic.fr (b12.users.prive.nic.fr [10.10.86.133]) by relay01.prive.nic.fr (Postfix) with ESMTP id C24B8642C581; Thu, 14 Feb 2019 10:10:20 +0100 (CET)
Received: by b12.nic.fr (Postfix, from userid 1000) id B2DD94010D; Thu, 14 Feb 2019 10:10:20 +0100 (CET)
Date: Thu, 14 Feb 2019 10:10:20 +0100
From: Stephane Bortzmeyer <bortzmeyer@nic.fr>
To: "zuopeng@cnnic.cn" <zuopeng@cnnic.cn>
Cc: Paul Wouters <paul@nohats.ca>, Stephane Bortzmeyer <bortzmeyer@nic.fr>, dnsop <dnsop@ietf.org>
Message-ID: <20190214091020.exsmoy7usknfcigw@nic.fr>
References: <2019021215560470371417@cnnic.cn> <alpine.LRH.2.21.1902120846480.18026@bofh.nohats.ca> <201902131403257357123@cnnic.cn> <20190213134408.ri5iy42q7u7h37ui@sources.org> <201902141436144299614@cnnic.cn> <alpine.LRH.2.21.1902140232160.19964@bofh.nohats.ca> <201902141611200680999@cnnic.cn>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <201902141611200680999@cnnic.cn>
X-Operating-System: Debian GNU/Linux 9.7
X-Kernel: Linux 4.9.0-8-amd64 x86_64
X-Charlie: Je suis Charlie
Organization: NIC France
X-URL: http://www.nic.fr/
User-Agent: NeoMutt/20170113 (1.7.2)
X-Bogosity: No, tests=bogofilter, spamicity=0.000000, version=1.2.2
X-PMX-Version: 6.0.0.2142326, Antispam-Engine: 2.7.2.2107409, Antispam-Data: 2019.2.14.90016
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/tdrVeA1C5HwZ3VYZNPHty8DSobo>
Subject: Re: [DNSOP] extension of DoH to authoritative servers
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Feb 2019 09:10:24 -0000

On Thu, Feb 14, 2019 at 04:11:20PM +0800,
 zuopeng@cnnic.cn <zuopeng@cnnic.cn> wrote 
 a message of 102 lines which said:

> No. I might not have explained it clearly.

It was clear but you repeat the same stuff, without taking into
account the remarks (or the existing documents, such as
draft-bortzmeyer-dprive-resolver-to-auth). Both Paul Wouters and David
Conrad explained that the DNS is more complicated than that (think of
forwarders, for instance) and you did not address their remarks.


From nobody Thu Feb 14 01:12:41 2019
Return-Path: <bortzmeyer@nic.fr>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BDF0113115A for <dnsop@ietfa.amsl.com>; Thu, 14 Feb 2019 01:12:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.9
X-Spam-Level: 
X-Spam-Status: No, score=-6.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ghcjqts0gN5i for <dnsop@ietfa.amsl.com>; Thu, 14 Feb 2019 01:12:37 -0800 (PST)
Received: from mx4.nic.fr (mx4.nic.fr [IPv6:2001:67c:2218:2::4:12]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BC34B13115C for <dnsop@ietf.org>; Thu, 14 Feb 2019 01:12:37 -0800 (PST)
Received: from mx4.nic.fr (localhost [127.0.0.1]) by mx4.nic.fr (Postfix) with SMTP id 0EF50280421; Thu, 14 Feb 2019 10:12:36 +0100 (CET)
Received: from relay01.prive.nic.fr (pa-th3.interco.nic.fr [192.134.4.74]) by mx4.nic.fr (Postfix) with ESMTP id 088B72803B9; Thu, 14 Feb 2019 10:12:36 +0100 (CET)
Received: from b12.nic.fr (b12.tech.ipv6.nic.fr [IPv6:2001:67c:1348:7::86:133]) by relay01.prive.nic.fr (Postfix) with ESMTP id 050EF642C581; Thu, 14 Feb 2019 10:12:36 +0100 (CET)
Received: by b12.nic.fr (Postfix, from userid 1000) id F082A4010D; Thu, 14 Feb 2019 10:12:35 +0100 (CET)
Date: Thu, 14 Feb 2019 10:12:35 +0100
From: Stephane Bortzmeyer <bortzmeyer@nic.fr>
To: "zuopeng@cnnic.cn" <zuopeng@cnnic.cn>
Cc: Jim Reid <jim@rfc1035.com>, dnsop <dnsop@ietf.org>
Message-ID: <20190214091235.jnu4udt7qlrlxm7f@nic.fr>
References: <2019021215560470371417@cnnic.cn> <alpine.LRH.2.21.1902120846480.18026@bofh.nohats.ca> <201902131403257357123@cnnic.cn> <20190213134408.ri5iy42q7u7h37ui@sources.org> <201902141436144299614@cnnic.cn> <212516D2-110D-45DD-B77B-46FD2BA6FECA@rfc1035.com> <2019021416313510438520@cnnic.cn>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <2019021416313510438520@cnnic.cn>
X-Operating-System: Debian GNU/Linux 9.7
X-Kernel: Linux 4.9.0-8-amd64 x86_64
X-Charlie: Je suis Charlie
Organization: NIC France
X-URL: http://www.nic.fr/
User-Agent: NeoMutt/20170113 (1.7.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/ZfEmB9muvDxwyii9x93SHcD9hrM>
Subject: Re: [DNSOP] extension of DoH to authoritative servers
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Feb 2019 09:12:40 -0000

On Thu, Feb 14, 2019 at 04:31:35PM +0800,
 zuopeng@cnnic.cn <zuopeng@cnnic.cn> wrote 
 a message of 74 lines which said:

> > for instance a DoH or DoT server that intentionally or
> > accidentally returns false data. DNSSEC can counter that.
>  
>  I don't understand why.
>  If a server intentionally returns false data, it can fake anything
>  because it owns the private key, DNSSEC does not help either.

So, you seem to not understand DNSSEC very well. I suggest you read
RFC 4033 and following. Summary: DNSSEC is designed so that the server
does not need the private key.

Also, "server" means two VERY different things in the DNS, resolvers
and authoritative. DNSSEC protects also against a lying intermediary
resolver.


From nobody Thu Feb 14 01:14:06 2019
Return-Path: <bortzmeyer@nic.fr>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EC9E9131156 for <dnsop@ietfa.amsl.com>; Thu, 14 Feb 2019 01:14:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.9
X-Spam-Level: 
X-Spam-Status: No, score=-6.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KNuxx1ELvBzN for <dnsop@ietfa.amsl.com>; Thu, 14 Feb 2019 01:14:02 -0800 (PST)
Received: from mx4.nic.fr (mx4.nic.fr [IPv6:2001:67c:2218:2::4:12]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 70B9213107D for <dnsop@ietf.org>; Thu, 14 Feb 2019 01:14:02 -0800 (PST)
Received: from mx4.nic.fr (localhost [127.0.0.1]) by mx4.nic.fr (Postfix) with SMTP id DB3562803B9; Thu, 14 Feb 2019 10:14:00 +0100 (CET)
Received: by mx4.nic.fr (Postfix, from userid 500) id D4BD82804D4; Thu, 14 Feb 2019 10:14:00 +0100 (CET)
Received: from relay01.prive.nic.fr (relay01.prive.nic.fr [IPv6:2001:67c:2218:15::11]) by mx4.nic.fr (Postfix) with ESMTP id CD3152803B9; Thu, 14 Feb 2019 10:14:00 +0100 (CET)
Received: from b12.nic.fr (b12.users.prive.nic.fr [10.10.86.133]) by relay01.prive.nic.fr (Postfix) with ESMTP id C73AD642C581; Thu, 14 Feb 2019 10:14:00 +0100 (CET)
Received: by b12.nic.fr (Postfix, from userid 1000) id C24944010D; Thu, 14 Feb 2019 10:14:00 +0100 (CET)
Date: Thu, 14 Feb 2019 10:14:00 +0100
From: Stephane Bortzmeyer <bortzmeyer@nic.fr>
To: "zuopeng@cnnic.cn" <zuopeng@cnnic.cn>
Cc: Stephane Bortzmeyer <bortzmeyer@nic.fr>, dnsop <dnsop@ietf.org>, Paul Wouters <paul@nohats.ca>
Message-ID: <20190214091400.o53prxjnytdroz4o@nic.fr>
References: <2019021215560470371417@cnnic.cn> <alpine.LRH.2.21.1902120846480.18026@bofh.nohats.ca> <201902131403257357123@cnnic.cn> <20190213134408.ri5iy42q7u7h37ui@sources.org> <201902141436144299614@cnnic.cn> <20190214083311.2d6ncijynujoq6vc@nic.fr> <2019021416583813239822@cnnic.cn>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <2019021416583813239822@cnnic.cn>
X-Operating-System: Debian GNU/Linux 9.7
X-Kernel: Linux 4.9.0-8-amd64 x86_64
X-Charlie: Je suis Charlie
Organization: NIC France
X-URL: http://www.nic.fr/
User-Agent: NeoMutt/20170113 (1.7.2)
X-Bogosity: No, tests=bogofilter, spamicity=0.000000, version=1.2.2
X-PMX-Version: 6.0.0.2142326, Antispam-Engine: 2.7.2.2107409, Antispam-Data: 2019.2.14.90615
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/WjgpB-ZOoVlZqiFKRLopb6zoCwQ>
Subject: Re: [DNSOP] extension of DoH to authoritative servers
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Feb 2019 09:14:04 -0000

On Thu, Feb 14, 2019 at 04:58:38PM +0800,
 zuopeng@cnnic.cn <zuopeng@cnnic.cn> wrote 
 a message of 126 lines which said:

> if a DNSSEC_enabled authoritative server (no matter it is Alice or
> Bob) is evil and modifies DNS records, it will succeed because it
> has private key

It is completely false. (You seem to think that online signing is the
only possibility but this is far from true.)
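
[Added illustration, not part of any message in this thread.] The Alice/Bob case from the earlier reply and the point that the answering server does not need the private key, as a runnable model: Alice signs offline, Bob's secondary serves the signed copy over an authenticated channel. Assumptions: a Lamport one-time signature stands in for DNSSEC's real algorithms, an HMAC tag models DoT/DoH channel integrity, and all names and records are constructed.

```python
import hashlib
import hmac
import secrets


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# Lamport one-time signature over SHA-256: a real, stdlib-only scheme used here
# as a stand-in for the RSA/ECDSA/EdDSA algorithms DNSSEC actually uses.
def keygen():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(h(a), h(b)) for a, b in sk]
    return sk, pk


def digest_bits(msg: bytes):
    d = h(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def sign(sk, msg: bytes):
    # Reveal one preimage per digest bit.
    return [sk[i][bit] for i, bit in enumerate(digest_bits(msg))]


def verify(pk, msg: bytes, sig) -> bool:
    bits = digest_bits(msg)
    return len(sig) == 256 and all(h(sig[i]) == pk[i][bits[i]] for i in range(256))


def canonical(rrset) -> bytes:
    # Simplified canonical form (sorted presentation lines), not RFC 4034 wire format.
    return "\n".join(sorted(rrset)).encode()


def alice_signs_offline(rrset):
    """Alice (zone owner) signs on her own machine; only public data leaves it."""
    sk, pk = keygen()
    rrsig = sign(sk, canonical(rrset))
    # sk goes out of scope here: it is never shipped to the secondary.
    return pk, {"rrset": list(rrset), "rrsig": rrsig}


class BobSecondary:
    """Secondary run by Bob: holds the zone copy and a channel key, no signing key."""

    def __init__(self, zone_copy, channel_key, forged_rrset=None):
        self.zone = zone_copy
        self.channel_key = channel_key
        self.forged_rrset = forged_rrset  # set when Bob is evil or his server is cracked

    def answer(self):
        rrset = self.forged_rrset or self.zone["rrset"]
        # Models DoT/DoH record protection: an integrity tag under the session key
        # that Bob, as the authenticated endpoint, legitimately holds.
        tag = hmac.new(self.channel_key, canonical(rrset), "sha256").digest()
        return {"rrset": list(rrset), "rrsig": self.zone["rrsig"], "tag": tag}


def channel_ok(resp, channel_key) -> bool:
    """Channel security: did this answer come unmodified from the endpoint?"""
    expected = hmac.new(channel_key, canonical(resp["rrset"]), "sha256").digest()
    return hmac.compare_digest(expected, resp["tag"])


def object_ok(resp, trust_anchor) -> bool:
    """Object security: was this RRset signed by the zone owner's key?"""
    return verify(trust_anchor, canonical(resp["rrset"]), resp["rrsig"])


def run_scenarios():
    genuine = ["www.example. 3600 IN A 192.0.2.10"]   # constructed sample data
    forged = ["www.example. 3600 IN A 203.0.113.66"]  # constructed sample data
    trust_anchor, zone_copy = alice_signs_offline(genuine)
    key = secrets.token_bytes(32)  # session key of the resolver<->Bob channel

    results = {}
    for name, bob in (
        ("honest_bob", BobSecondary(zone_copy, key)),
        ("evil_or_cracked_bob", BobSecondary(zone_copy, key, forged_rrset=forged)),
    ):
        resp = bob.answer()
        results[name] = (channel_ok(resp, key), object_ok(resp, trust_anchor))

    # Modification on the path after an honest answer: both layers reject it.
    resp = BobSecondary(zone_copy, key).answer()
    resp["rrset"] = forged
    results["on_path_tamper"] = (channel_ok(resp, key), object_ok(resp, trust_anchor))
    return results


if __name__ == "__main__":
    for case, (chan, obj) in run_scenarios().items():
        print(f"{case:22} channel_ok={chan!s:5} dnssec_ok={obj}")
```

The forged answer from Bob passes the channel check, because Bob is the authenticated endpoint, and fails only the signature check against the zone owner's key.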


From nobody Thu Feb 14 01:49:12 2019
Return-Path: <jim@rfc1035.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7A4CF12D4E6 for <dnsop@ietfa.amsl.com>; Thu, 14 Feb 2019 01:49:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level: 
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DdsL56O0kMDg for <dnsop@ietfa.amsl.com>; Thu, 14 Feb 2019 01:49:09 -0800 (PST)
Received: from shaun.rfc1035.com (smtp.v6.rfc1035.com [IPv6:2001:4b10:100:7::25]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D43F112D4E9 for <dnsop@ietf.org>; Thu, 14 Feb 2019 01:49:08 -0800 (PST)
Received: from gromit.rfc1035.com (gromit.rfc1035.com [195.54.233.69]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by shaun.rfc1035.com (Postfix) with ESMTPSA id BB5EC242109D; Thu, 14 Feb 2019 09:49:05 +0000 (UTC)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
From: Jim Reid <jim@rfc1035.com>
X-Priority: 3
In-Reply-To: <2019021416583813239822@cnnic.cn>
Date: Thu, 14 Feb 2019 09:49:05 +0000
Cc: dnsop WG <dnsop@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <31284842-591A-491F-B42A-390D56CE7750@rfc1035.com>
References: <2019021215560470371417@cnnic.cn> <alpine.LRH.2.21.1902120846480.18026@bofh.nohats.ca> <201902131403257357123@cnnic.cn> <20190213134408.ri5iy42q7u7h37ui@sources.org> <201902141436144299614@cnnic.cn> <20190214083311.2d6ncijynujoq6vc@nic.fr> <2019021416583813239822@cnnic.cn>
To: "zuopeng@cnnic.cn" <zuopeng@cnnic.cn>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/diLtwhdlW9ioJU6qfLpJAXcEvZc>
Subject: Re: [DNSOP] extension of DoH to authoritative servers
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Feb 2019 09:49:10 -0000

> On 14 Feb 2019, at 08:58, zuopeng@cnnic.cn wrote:
>
> the premise is the recursive server should completely trust an
> Authenticated server

You’ve already made that clear. The problem with that premise is it’s a
false one. It represents a naive/unrealistic view of how the DNS is used.

Your proposal also needs all the authoritative servers for some zone to
be under the same administrative/operational control. That’s also a
false premise. And naive/unrealistic. It’s been explained to you that
many organisations, TLDs in particular, don’t do that. They arrange
service from multiple DNS providers to avoid single points of failure,
improve redundancy, have extra capacity, etc, etc.

> if a DNSSEC_enabled authoritative server (no matter it is Alice or Bob)
> is evil and modifies DNS records, it will succeed because it has private
> key and can fake anything

That premise is wrong too. Only the master server needs access to the
private DNSSEC key. That master server isn’t necessarily in the zone's
NS RRset and handling queries from resolving servers. Besides, if
someone gives their private key to someone else -- in this case another
authoritative DNS server -- by definition it isn’t a private key any
more.


From nobody Thu Feb 14 02:03:36 2019
Return-Path: <shane@time-travellers.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4492B12D4E6 for <dnsop@ietfa.amsl.com>; Thu, 14 Feb 2019 02:03:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id q-FVq9b4mG41 for <dnsop@ietfa.amsl.com>; Thu, 14 Feb 2019 02:03:34 -0800 (PST)
Received: from time-travellers.org (c.time-travellers.nl.eu.org [IPv6:2a02:2770::21a:4aff:fea3:eeaa]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AABC512870E for <dnsop@ietf.org>; Thu, 14 Feb 2019 02:03:34 -0800 (PST)
Received: from [2001:470:78c8:2:6574:697d:933d:dea9] by time-travellers.org with esmtpsa (TLS1.2:RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <shane@time-travellers.org>) id 1guDrh-0007SA-40 for dnsop@ietf.org; Thu, 14 Feb 2019 10:03:33 +0000
To: dnsop@ietf.org
References: <C5525DE2-DCF3-43E5-8C41-BAA58049DC3A@verisign.com> <edc1d393-ad19-2f8e-5f58-367d9b7e3290@nic.cz> <20190214080508.zab7r6hzkbj7kp54@nic.fr>
From: Shane Kerr <shane@time-travellers.org>
Message-ID: <3baf795c-46ff-3993-4cb1-fff10295bc0a@time-travellers.org>
Date: Thu, 14 Feb 2019 11:03:31 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.4.0
MIME-Version: 1.0
In-Reply-To: <20190214080508.zab7r6hzkbj7kp54@nic.fr>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/GNmQI3zYT2Kbfthn4PBSFCSwwuA>
Subject: [DNSOP] Multiplexing DNS & HTTP over TLS (was: extension of DoH to authoritative servers)
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Feb 2019 10:03:36 -0000

Stephane,

On 14/02/2019 09.05, Stephane Bortzmeyer wrote:
> On Wed, Feb 13, 2019 at 10:51:00PM +0100,
>   Vladimír Čunát <vladimir.cunat+ietf@nic.cz> wrote
>   a message of 118 lines which said:
> 
>> Technically you can run DoT on whatever port you like.
> 
>> Example: with knot-resolver it's easy - you just add @443, either on
>> side of server and/or on the side of forwarding over TLS.
> 
> The problem is that you cannot then share this port with HTTPS
> services (the dkg draft on demultiplexing was abandoned, apparently
> because it doesn't work). In a world of scarce IPv4 public addresses,
> this is a serious problem.

Interesting. I know that the multi-purpose usage smelled bad but I 
didn't know that it didn't work.


Is there a write-up on this?

Thinking about it naively, a demultiplexer really only needs to say "is 
there a non-ASCII character in the first 2 or 3 bytes of a TLS session?".

An HTTP message always starts with some ASCII letters, like "GET" or 
"HEAD". In contrast, a DNS over TLS client will start with a message 
length encoded in 2 bytes. Since in practice queries will be less than 
256 bytes, they will therefore not start out with an ASCII letter (like 
'G' or 'H'). Actually this would require a client message of 16705 bytes 
to require that *both* the first two bytes are ASCII letters:

 >>> (ord('A') << 8) | ord('A')
16705

Since this is only required for the *first* DNS query on a TLS session, 
a client could always send a short query as the first one to avoid this 
issue. (I'm not sure how this would impact known-text analysis, but 
presumably TLS is resistant to this sort of cryptanalysis since HTTP 
almost always starts with the same few bytes.)

Even if the two-byte length results in ASCII letters, the client can 
sacrifice 1 bit of the message ID and ensure that it always has 
non-ASCII values, so the 3rd byte will always be non-ASCII and therefore 
not a valid HTTP command. So if it was really necessary to handle the 
case of queries of length 16705 or greater for the first query on a 
session, a client could always limit its message ID space to 32768 
possible values, which should be fine on a stateful connection where 
message ID is only used to match out-of-order answers.



I admit the issue of hand-off from a demultiplexer to a DNS server or 
HTTP server might be non-trivial, but in principle it should be possible.



Or is the issue to do with TLS itself? I don't know enough about SNI to 
know if there may be some reason why HTTP-based TLS could be different 
from DNS-based TLS, but I suppose it is possible. 🤔

Cheers,

--
Shane
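
The first-bytes check described in the message above, as an added example that is not part of the original post. It builds real DNS-over-TLS frames (2-byte length prefix, then the DNS message) and shows the 16705-byte edge case and the message-ID workaround; the function names, `example.com`, and reading "ASCII" as "ASCII letter" are assumptions of this sketch.

```python
import struct

def build_query(name, msg_id, total_len=None):
    """DNS query for `name` (type A). If total_len is given, pad the message
    to exactly that many bytes with an EDNS(0) Padding option (RFC 7830)."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.split(".")) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)            # QTYPE=A, QCLASS=IN
    opt = b""
    if total_len is not None:
        # 12 = header, 11 = fixed part of the OPT RR, 4 = option code + length
        pad = total_len - (12 + len(question) + 11 + 4)
        if not 0 <= pad <= 0xFFFF - 4:
            raise ValueError("cannot pad to that length")
        option = struct.pack("!HH", 12, pad) + bytes(pad)   # code 12 = Padding
        opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0, len(option)) + option
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 1 if opt else 0)
    return header + question + opt

def dot_frame(msg):
    """Frame a DNS message for a stream transport: 2-byte length, then message."""
    return struct.pack("!H", len(msg)) + msg

def is_ascii_letter(b):
    return 0x41 <= b <= 0x5A or 0x61 <= b <= 0x7A

def classify_first_bytes(data):
    """The heuristic from the message: if the first 3 bytes of the decrypted
    stream are all ASCII letters, call it HTTP; otherwise call it DNS."""
    if len(data) < 3:
        return "need-more-data"
    return "http" if all(is_ascii_letter(b) for b in data[:3]) else "dns"

def safe_msg_id(msg_id):
    """Give up one bit of ID space: force the top bit so the 3rd byte on the
    wire is >= 0x80 and can never be an ASCII letter."""
    return (msg_id | 0x8000) & 0xFFFF

# Constructed sample inputs.
HTTP1_REQUEST = b"GET / HTTP/1.1\r\nHost: www.example\r\n\r\n"
H2_PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"   # HTTP/2 client connection preface
SHORT_QUERY = dot_frame(build_query("example.com", 0x4142))
# Worst case: length 16705 = 0x4141 ("AA") and a message ID starting with "A".
BIG_QUERY = dot_frame(build_query("example.com", 0x4142, total_len=16705))
BIG_QUERY_SAFE = dot_frame(build_query("example.com", safe_msg_id(0x4142),
                                       total_len=16705))

if __name__ == "__main__":
    for label, data in [("HTTP/1.1", HTTP1_REQUEST), ("HTTP/2", H2_PREFACE),
                        ("short query", SHORT_QUERY), ("16705-byte query", BIG_QUERY),
                        ("16705-byte query, safe ID", BIG_QUERY_SAFE)]:
        print(f"{label:28} first bytes {data[:3]!r:18} -> {classify_first_bytes(data)}")
```

The heuristic only distinguishes these two protocols; it says nothing about any other protocol carried inside TLS on the same port.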


From nobody Thu Feb 14 03:51:48 2019
Return-Path: <vladimir.cunat+ietf@nic.cz>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4B65A131163 for <dnsop@ietfa.amsl.com>; Thu, 14 Feb 2019 03:51:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.021
X-Spam-Level: 
X-Spam-Status: No, score=-6.021 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FROM_EXCESS_BASE64=0.979, RCVD_IN_DNSWL_HI=-5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nic.cz
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Wcaj7qnDsWyd for <dnsop@ietfa.amsl.com>; Thu, 14 Feb 2019 03:51:45 -0800 (PST)
Received: from mail.nic.cz (mail.nic.cz [217.31.204.67]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B57AB130EB3 for <dnsop@ietf.org>; Thu, 14 Feb 2019 03:51:44 -0800 (PST)
Received: from [IPv6:2001:1488:fffe:6:be86:60ac:e1e0:9099] (unknown [IPv6:2001:1488:fffe:6:be86:60ac:e1e0:9099]) by mail.nic.cz (Postfix) with ESMTPSA id 24AA160611; Thu, 14 Feb 2019 12:51:41 +0100 (CET)
References: <C5525DE2-DCF3-43E5-8C41-BAA58049DC3A@verisign.com> <edc1d393-ad19-2f8e-5f58-367d9b7e3290@nic.cz> <20190214080508.zab7r6hzkbj7kp54@nic.fr>
Cc: Stephane Bortzmeyer <bortzmeyer@nic.fr>, Shane Kerr <shane@time-travellers.org>
From: =?UTF-8?B?VmxhZGltw61yIMSMdW7DoXQ=?= <vladimir.cunat+ietf@nic.cz>
Openpgp: preference=signencrypt
To: "dnsop@ietf.org" <dnsop@ietf.org>
Message-ID: <b3341f0f-cd06-8b08-5b5f-f887289a5f23@nic.cz>
Date: Thu, 14 Feb 2019 12:51:40 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.3.3
MIME-Version: 1.0
In-Reply-To: <20190214080508.zab7r6hzkbj7kp54@nic.fr>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
Content-Language: en-US
X-Virus-Scanned: clamav-milter 0.99.2 at mail
X-Virus-Status: Clean
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/q1TaJ2kZmdwdqn4B5VWtS_KNm80>
Subject: Re: [DNSOP] extension of DoH to authoritative servers
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Feb 2019 11:51:46 -0000

On 2/14/19 9:05 AM, Stephane Bortzmeyer wrote:
>> Technically you can run DoT on whatever port you like.
>>
>> Example: with knot-resolver it's easy - you just add @443, either on
>> side of server and/or on the side of forwarding over TLS.
> The problem is that you cannot then share this port with HTTPS
> services (the dkg draft on demultiplexing was abandoned, apparently
> because it doesn't work). In a world of scarce IPv4 public addresses,
> this is a serious problem.

You can still multiplex based on SNI sent by the client.  HTTPS clients
surely send it commonly.  DoT clients perhaps not so often, but that's
just an implementation detail (which I was fixing in the past few weeks
in knot-resolver, incidentally).

I'm not sure how easy SNI-based multiplexing is to configure with
nowadays software, but I believe I've heard of some such setup with
nginx.  And I don't have any idea whether SNI encryption would interfere
with that, but I hope not.  ESNI will be a key part of DNS privacy,
though mainly for the non-DNS traffic.



From nobody Thu Feb 14 04:12:10 2019
Return-Path: <bjorn@mork.no>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B5C07130EB3 for <dnsop@ietfa.amsl.com>; Thu, 14 Feb 2019 04:12:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.3
X-Spam-Level: 
X-Spam-Status: No, score=-4.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=mork.no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BT09LNA0FkL1 for <dnsop@ietfa.amsl.com>; Thu, 14 Feb 2019 04:12:06 -0800 (PST)
Received: from canardo.mork.no (canardo.mork.no [IPv6:2001:4641::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BD3C712D84D for <dnsop@ietf.org>; Thu, 14 Feb 2019 04:12:06 -0800 (PST)
Received: from miraculix.mork.no ([IPv6:2a02:2121:345:7f35:35eb:7b17:79f:f64f]) (authenticated bits=0) by canardo.mork.no (8.15.2/8.15.2) with ESMTPSA id x1ECC1Be032246 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Thu, 14 Feb 2019 13:12:01 +0100
Received: from bjorn by miraculix.mork.no with local (Exim 4.89) (envelope-from <bjorn@mork.no>) id 1guFrw-00084N-0K; Thu, 14 Feb 2019 13:11:56 +0100
From: =?utf-8?Q?Bj=C3=B8rn_Mork?= <bjorn@mork.no>
To: =?utf-8?B?VmxhZGltw61yIMSMdW7DoXQ=?= <vladimir.cunat+ietf@nic.cz>
Cc: "dnsop\@ietf.org" <dnsop@ietf.org>, Shane Kerr <shane@time-travellers.org>
Organization: m
References: <C5525DE2-DCF3-43E5-8C41-BAA58049DC3A@verisign.com> <edc1d393-ad19-2f8e-5f58-367d9b7e3290@nic.cz> <20190214080508.zab7r6hzkbj7kp54@nic.fr> <b3341f0f-cd06-8b08-5b5f-f887289a5f23@nic.cz>
Date: Thu, 14 Feb 2019 13:11:55 +0100
In-Reply-To: <b3341f0f-cd06-8b08-5b5f-f887289a5f23@nic.cz> (=?utf-8?B?IlZs?= =?utf-8?B?YWRpbcOtciDEjHVuw6F0Iidz?= message of "Thu, 14 Feb 2019 12:51:40 +0100")
Message-ID: <87y36iwovo.fsf@miraculix.mork.no>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.1 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Virus-Scanned: clamav-milter 0.100.2 at canardo
X-Virus-Status: Clean
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/b0c3hyxcib8ulKVxzjIo3qra8yU>
Subject: Re: [DNSOP] extension of DoH to authoritative servers
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Feb 2019 12:12:10 -0000

Vladimír Čunát <vladimir.cunat+ietf@nic.cz> writes:

> You can still multiplex based on SNI sent by the client.  HTTPS clients
> surely send it commonly.  DoT clients perhaps not so often, but that's
> just an implementation detail (which I was fixing in the past few weeks
> in knot-resolver, incidentally).

My understanding of the reference to BCP195 from
https://tools.ietf.org/html/rfc7858#section-3.2
is that SNI support is required for all DoT implementations.

> I'm not sure how easy SNI-based multiplexing is to configure with
> nowadays software, but I believe I've heard of some such setup with
> nginx.  And I don't have any idea whether SNI encryption would interfere
> with that, but I hope not.  ESNI will be a key part of DNS privacy,
> though mainly for the non-DNS traffic.

It's simple to do with haproxy at least:
https://www.haproxy.com/blog/enhanced-ssl-load-balancing-with-server-name-indication-sni-tls-extension/

...which incidentally also can be used to support DoT with *any* DNS
server as backend.



Bjørn


From nobody Thu Feb 14 04:34:19 2019
Return-Path: <jabley@hopcount.ca>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A74D2131160 for <dnsop@ietfa.amsl.com>; Thu, 14 Feb 2019 04:34:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level: 
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=hopcount.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id s_YGKh8hgAHZ for <dnsop@ietfa.amsl.com>; Thu, 14 Feb 2019 04:34:15 -0800 (PST)
Received: from mail-it1-x143.google.com (mail-it1-x143.google.com [IPv6:2607:f8b0:4864:20::143]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 01ED0130F06 for <dnsop@ietf.org>; Thu, 14 Feb 2019 04:34:15 -0800 (PST)
Received: by mail-it1-x143.google.com with SMTP id i2so13919337ite.5 for <dnsop@ietf.org>; Thu, 14 Feb 2019 04:34:14 -0800 (PST)
X-Received: by 2002:a5e:9615:: with SMTP id a21mr1970553ioq.126.1550147653619;  Thu, 14 Feb 2019 04:34:13 -0800 (PST)
Received: from ?IPv6:2607:f2c0:101:3:1925:fb8b:4a96:9b47? ([2607:f2c0:101:3:1925:fb8b:4a96:9b47]) by smtp.gmail.com with ESMTPSA id 70sm1076681ity.9.2019.02.14.04.34.11 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 14 Feb 2019 04:34:12 -0800 (PST)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
From: Joe Abley <jabley@hopcount.ca>
In-Reply-To: <3baf795c-46ff-3993-4cb1-fff10295bc0a@time-travellers.org>
Date: Thu, 14 Feb 2019 07:34:10 -0500
Cc: dnsop@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <619FF59C-F9DB-45EC-90E1-3AC1A8289592@hopcount.ca>
References: <C5525DE2-DCF3-43E5-8C41-BAA58049DC3A@verisign.com> <edc1d393-ad19-2f8e-5f58-367d9b7e3290@nic.cz> <20190214080508.zab7r6hzkbj7kp54@nic.fr> <3baf795c-46ff-3993-4cb1-fff10295bc0a@time-travellers.org>
To: Shane Kerr <shane@time-travellers.org>
X-Mailer: Apple Mail (2.3445.102.3)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Gh6mImj1s4nl72PdDNIFMbTD3KE>
Subject: Re: [DNSOP] Multiplexing DNS & HTTP over TLS (was: extension of DoH to authoritative servers)
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Feb 2019 12:34:18 -0000

On 14 Feb 2019, at 05:03, Shane Kerr <shane@time-travellers.org> wrote:

> On 14/02/2019 09.05, Stephane Bortzmeyer wrote:
>> On Wed, Feb 13, 2019 at 10:51:00PM +0100,
>>  Vladimír Čunát <vladimir.cunat+ietf@nic.cz> wrote
>>  a message of 118 lines which said:
>>> Technically you can run DoT on whatever port you like.
>>> Example: with knot-resolver it's easy - you just add @443, either on
>>> side of server and/or on the side of forwarding over TLS.
>> The problem is that you cannot then share this port with HTTPS
>> services (the dkg draft on demultiplexing was abandoned, apparently
>> because it doesn't work). In a world of scarce IPv4 public addresses,
>> this is a serious problem.
>
> Interesting. I know that the multi-purpose usage smelled bad but I
> didn't know that it didn't work.
>
> Is there a write-up on this?
>
> Thinking about it naively, a demultiplexer really only needs to say
> "is there a non-ASCII character in the first 2 or 3 bytes of a TLS
> session?".

I think we can consider explicit payload identification an important
feature of successful protocols. Encapsulating layers need to signal key
information about the nature of their contents explicitly, or you wind
up with the kind of nonsense that we saw in flow-hashing in MPLS where
expected network behaviours depended on which transport protocol or
address family you happen to be using way up the stack, and ugly hacks
abound.

Your thought-algorithm above might be ok for discriminating between DoT
and HTTPS (although I think anything that depends on a condition like
"non-ASCII" is highly suspect :-) but what about other protocols,
current and imagined future, that might use TLS as an encapsulating
protocol, e.g. to address similar privacy concerns? This doesn't seem
like a problem that is particularly theoretical.

Running whatever protocol I like on whatever port I like is fine so long
as I am informed about the nature of the communication (e.g. I am
involved in the decisions at both ends; I configure my ssh client and my
ssh server both to use 53/tcp for my own special reasons so the use of
that port is understood and doesn't need to be negotiated). In the DNS,
one endpoint often has no prior knowledge of even the existence of the
other endpoint. Asking one or both sides to make inferences about the
nature of a session without explicit signalling does not seem robust.


Joe


From nobody Thu Feb 14 05:01:17 2019
Return-Path: <Klaus.Malorny@knipp.de>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B1EB5131052 for <dnsop@ietfa.amsl.com>; Thu, 14 Feb 2019 05:01:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PR-w_FNrFmFq for <dnsop@ietfa.amsl.com>; Thu, 14 Feb 2019 05:01:08 -0800 (PST)
Received: from kmx5b.knipp.de (s671.bbone.dtm.knipp.de [195.253.6.105]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A006712F1A2 for <dnsop@ietf.org>; Thu, 14 Feb 2019 05:01:08 -0800 (PST)
Received: from hp9000.do.knipp.de (hp9000.do.knipp.de [195.253.2.54]) by kmx5b.knipp.de (Postfix) with ESMTP id 414F33000F4; Thu, 14 Feb 2019 13:01:06 +0000 (UTC)
Received: from [195.253.2.27] (mclane.do.knipp.de [195.253.2.27]) by hp9000.do.knipp.de (Postfix) with ESMTP id 0746B9AE90; Thu, 14 Feb 2019 14:00:35 +0100 (MEZ)
To: Shane Kerr <shane@time-travellers.org>, dnsop@ietf.org
References: <C5525DE2-DCF3-43E5-8C41-BAA58049DC3A@verisign.com> <edc1d393-ad19-2f8e-5f58-367d9b7e3290@nic.cz> <20190214080508.zab7r6hzkbj7kp54@nic.fr> <3baf795c-46ff-3993-4cb1-fff10295bc0a@time-travellers.org>
From: Klaus Malorny <Klaus.Malorny@knipp.de>
Message-ID: <01d20441-8533-9a35-70f1-58cb4b6d8960@knipp.de>
Date: Thu, 14 Feb 2019 14:00:32 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:67.0) Gecko/20100101 Thunderbird/67.0a1
MIME-Version: 1.0
In-Reply-To: <3baf795c-46ff-3993-4cb1-fff10295bc0a@time-travellers.org>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
X-Spamd-Bar: /
Authentication-Results: kmx5b.knipp.de
X-Rspamd-Server: s671
X-Rspamd-Queue-Id: 414F33000F4
X-Spamd-Result: default: False [0.00 / 15.00]; IP_WHITELIST(0.00)[195.253.2.54]; NEURAL_HAM(-0.00)[-0.758,0]; ASN(0.00)[asn:8391, ipnet:195.253.0.0/16, country:DE]
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/7Mb8ktyertqCAmouNnMFndOXCss>
Subject: Re: [DNSOP] Multiplexing DNS & HTTP over TLS
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Feb 2019 13:01:16 -0000

On 14.02.19 11:03, Shane Kerr wrote:
> Stephane,
> 

> Is there a write-up on this?
> 
> Thinking about it naively, a demultiplexer really only needs to say "is there a 
> non-ASCII character in the first 2 or 3 bytes of a TLS session?".
> 
>

Hi,

please think of HTTP/2, which is a binary protocol (although I don't know what 
the first bytes are). But I guess ALPN (RFC 7301) would do the trick.

Regards,

Klaus





From nobody Thu Feb 14 05:24:04 2019
Return-Path: <shane@time-travellers.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D2E0313106D for <dnsop@ietfa.amsl.com>; Thu, 14 Feb 2019 05:24:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id izva_9oo6Nce for <dnsop@ietfa.amsl.com>; Thu, 14 Feb 2019 05:24:01 -0800 (PST)
Received: from time-travellers.org (c.time-travellers.nl.eu.org [IPv6:2a02:2770::21a:4aff:fea3:eeaa]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5C305131059 for <dnsop@ietf.org>; Thu, 14 Feb 2019 05:24:01 -0800 (PST)
Received: from [2001:470:78c8:2:6574:697d:933d:dea9] by time-travellers.org with esmtpsa (TLS1.2:RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <shane@time-travellers.org>) id 1guGzh-0008Cz-4F for dnsop@ietf.org; Thu, 14 Feb 2019 13:24:01 +0000
To: dnsop@ietf.org
References: <C5525DE2-DCF3-43E5-8C41-BAA58049DC3A@verisign.com> <edc1d393-ad19-2f8e-5f58-367d9b7e3290@nic.cz> <20190214080508.zab7r6hzkbj7kp54@nic.fr> <3baf795c-46ff-3993-4cb1-fff10295bc0a@time-travellers.org> <01d20441-8533-9a35-70f1-58cb4b6d8960@knipp.de>
From: Shane Kerr <shane@time-travellers.org>
Message-ID: <9a7b4bc4-018a-9f8c-d3fd-2428356d6605@time-travellers.org>
Date: Thu, 14 Feb 2019 14:23:59 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.4.0
MIME-Version: 1.0
In-Reply-To: <01d20441-8533-9a35-70f1-58cb4b6d8960@knipp.de>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/-fzcacPIdMA8e8nzkI67BGA630c>
Subject: Re: [DNSOP] Multiplexing DNS & HTTP over TLS
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Feb 2019 13:24:03 -0000

Klaus,

On 14/02/2019 14.00, Klaus Malorny wrote:
> On 14.02.19 11:03, Shane Kerr wrote:
> 
>> Is there a write-up on this?
>>
>> Thinking about it naively, a demultiplexer really only needs to say 
>> "is there a non-ASCII character in the first 2 or 3 bytes of a TLS 
>> session?".
>>
> please think of HTTP/2, which is a binary protocol (although I don't 
> know what the first bytes are). But I guess ALPN (RFC 7301) would do the 
> trick.

I think that HTTP/2 preserves the initial handshake of HTTP/1.1.

But looking at ALPN, it was designed for exactly this multiplexing 
use case. In principle all that would be needed is adding an identifier 
to the ALPN protocol IDs:

https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids

It would also address Joe's concerns about other protocols.

Maybe creating an ALPN protocol ID for DNS-over-TLS is something for the 
DPRIVE working group? 🤔

Cheers,

--
Shane


From nobody Thu Feb 14 05:46:17 2019
Return-Path: <dot@dotat.at>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 336ED12D84D for <dnsop@ietfa.amsl.com>; Thu, 14 Feb 2019 05:46:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level: 
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6k2JcMoyTPC4 for <dnsop@ietfa.amsl.com>; Thu, 14 Feb 2019 05:46:10 -0800 (PST)
Received: from ppsw-31.csi.cam.ac.uk (ppsw-31.csi.cam.ac.uk [131.111.8.131]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 38C4E124D68 for <dnsop@ietf.org>; Thu, 14 Feb 2019 05:46:10 -0800 (PST)
X-Cam-AntiVirus: no malware found
X-Cam-ScannerInfo: http://help.uis.cam.ac.uk/email-scanner-virus
Received: from grey.csi.cam.ac.uk ([131.111.57.57]:35542) by ppsw-31.csi.cam.ac.uk (ppsw.cam.ac.uk [131.111.8.137]:25) with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) id 1guHL0-00076c-Jw (Exim 4.91) (return-path <dot@dotat.at>); Thu, 14 Feb 2019 13:46:02 +0000
Date: Thu, 14 Feb 2019 13:46:02 +0000
From: Tony Finch <dot@dotat.at>
To: Bjørn Mork <bjorn@mork.no>
cc: Vladimír Čunát <vladimir.cunat+ietf@nic.cz>,  Shane Kerr <shane@time-travellers.org>, "dnsop@ietf.org" <dnsop@ietf.org>
In-Reply-To: <87y36iwovo.fsf@miraculix.mork.no>
Message-ID: <alpine.DEB.2.20.1902141338030.18720@grey.csi.cam.ac.uk>
References: <C5525DE2-DCF3-43E5-8C41-BAA58049DC3A@verisign.com> <edc1d393-ad19-2f8e-5f58-367d9b7e3290@nic.cz> <20190214080508.zab7r6hzkbj7kp54@nic.fr> <b3341f0f-cd06-8b08-5b5f-f887289a5f23@nic.cz> <87y36iwovo.fsf@miraculix.mork.no>
User-Agent: Alpine 2.20 (DEB 67 2015-01-07)
MIME-Version: 1.0
Content-Type: multipart/mixed; BOUNDARY="1870870841-1298873558-1550151962=:18720"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/_5aSSoFVO4hq2Fz8CWzkkiMQjCc>
Subject: Re: [DNSOP] extension of DoH to authoritative servers
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Feb 2019 13:46:17 -0000

--1870870841-1298873558-1550151962=:18720
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: QUOTED-PRINTABLE

Bjørn Mork <bjorn@mork.no> wrote:
>
> My understanding of the reference to BCP195 from
> https://tools.ietf.org/html/rfc7858#section-3.2
> is that SNI support is required for all DoT implementations.
>
> It's simple to do with haproxy at least:
> https://www.haproxy.com/blog/enhanced-ssl-load-balancing-with-server-name-indication-sni-tls-extension/
>
> ...which incidentally also can be used to support DoT with *any* DNS
> server as backend.

I'm using nginx as my DoT and DoH front-end proxy
(https://github.com/fanf2/doh101/) and it looks
like I need to add ssl_preread support to get the SNI
https://nginx.org/en/docs/stream/ngx_stream_ssl_preread_module.html

I'm only really interested in logging it to see what the clients think
they are talking to - they are almost all Androids doing opportunistic
DoT.

Tony.
-- 
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
Bailey: Southwest becoming cyclonic, mainly south 5 to 7, occasionally gale 8.
High becoming rough or very rough. Occasional rain. Moderate or poor.
--1870870841-1298873558-1550151962=:18720--


From nobody Thu Feb 14 05:59:05 2019
Return-Path: <dot@dotat.at>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9FECB130E6C for <dnsop@ietfa.amsl.com>; Thu, 14 Feb 2019 05:59:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level: 
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id canIyW2Ifj7y for <dnsop@ietfa.amsl.com>; Thu, 14 Feb 2019 05:59:01 -0800 (PST)
Received: from ppsw-32.csi.cam.ac.uk (ppsw-32.csi.cam.ac.uk [131.111.8.132]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C397A13106D for <dnsop@ietf.org>; Thu, 14 Feb 2019 05:59:01 -0800 (PST)
X-Cam-AntiVirus: no malware found
X-Cam-ScannerInfo: http://help.uis.cam.ac.uk/email-scanner-virus
Received: from grey.csi.cam.ac.uk ([131.111.57.57]:47572) by ppsw-32.csi.cam.ac.uk (ppsw.cam.ac.uk [131.111.8.138]:25) with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) id 1guHXX-000DSP-0r (Exim 4.91) (return-path <dot@dotat.at>); Thu, 14 Feb 2019 13:58:59 +0000
Date: Thu, 14 Feb 2019 13:58:58 +0000
From: Tony Finch <dot@dotat.at>
To: Jiankang Yao <yaojk@cnnic.cn>
cc: dnsop <dnsop@ietf.org>, arnt <arnt@gulbrandsen.priv.no>
In-Reply-To: <4d51e683.32d.168ea651be8.Coremail.yaojk@cnnic.cn>
Message-ID: <alpine.DEB.2.20.1902141349060.18720@grey.csi.cam.ac.uk>
References: <4d51e683.32d.168ea651be8.Coremail.yaojk@cnnic.cn>
User-Agent: Alpine 2.20 (DEB 67 2015-01-07)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/RkmQfiAHLWDgML4CJnuLwrq0w9E>
Subject: Re: [DNSOP] Fw: New Version Notification for draft-arnt-yao-dnsop-root-data-caching-00.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Feb 2019 13:59:04 -0000

Jiankang Yao <yaojk@cnnic.cn> wrote:
>
>    A new draft about root data caching is proposed, which aims to solve
>    the similar problem presented in RFC7706 and gives the DNS
>    administrator one more option.

How does this relate to:

https://tools.ietf.org/html/draft-wkumari-dnsop-hammer
https://tools.ietf.org/html/draft-ietf-dnsop-7706bis

It looks like this new draft is actually a revision of:

https://tools.ietf.org/html/draft-yao-dnsop-root-cache

Tony.
-- 
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
Trafalgar: Southeast 6 to gale 8. Moderate or rough. Fair. Good.


From nobody Thu Feb 14 07:12:58 2019
Return-Path: <warren@kumari.net>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4CA3A131069 for <dnsop@ietfa.amsl.com>; Thu, 14 Feb 2019 07:12:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=kumari-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LRYkZzxdN4gj for <dnsop@ietfa.amsl.com>; Thu, 14 Feb 2019 07:12:53 -0800 (PST)
Received: from mail-wr1-x432.google.com (mail-wr1-x432.google.com [IPv6:2a00:1450:4864:20::432]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A6EAC13103B for <dnsop@ietf.org>; Thu, 14 Feb 2019 07:12:53 -0800 (PST)
Received: by mail-wr1-x432.google.com with SMTP id l9so6830812wrt.13 for <dnsop@ietf.org>; Thu, 14 Feb 2019 07:12:53 -0800 (PST)
X-Received: by 2002:a5d:5504:: with SMTP id b4mr708957wrv.291.1550157171581; Thu, 14 Feb 2019 07:12:51 -0800 (PST)
MIME-Version: 1.0
References: <4d51e683.32d.168ea651be8.Coremail.yaojk@cnnic.cn> <alpine.DEB.2.20.1902141349060.18720@grey.csi.cam.ac.uk>
In-Reply-To: <alpine.DEB.2.20.1902141349060.18720@grey.csi.cam.ac.uk>
From: Warren Kumari <warren@kumari.net>
Date: Thu, 14 Feb 2019 10:12:15 -0500
Message-ID: <CAHw9_i+y0jqzFGShzUmuQ_CUgomnQxacE5DR+xjtgkj0Uoy4mg@mail.gmail.com>
To: Tony Finch <dot@dotat.at>
Cc: Jiankang Yao <yaojk@cnnic.cn>, dnsop <dnsop@ietf.org>, arnt <arnt@gulbrandsen.priv.no>
Content-Type: multipart/alternative; boundary="0000000000008eff450581dc1738"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/KbMhdsz59wSS_2RUX6ncrYix228>
Subject: Re: [DNSOP] Fw: New Version Notification for draft-arnt-yao-dnsop-root-data-caching-00.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Feb 2019 15:12:56 -0000

--0000000000008eff450581dc1738
Content-Type: text/plain; charset="UTF-8"

On Thu, Feb 14, 2019 at 8:59 AM Tony Finch <dot@dotat.at> wrote:

> Jiankang Yao <yaojk@cnnic.cn> wrote:
> >
> >    A new draft about root data caching is proposed, which aims to solve
> >    the similar problem presented in RFC7706 and gives the DNS
> >    administrator one more option.
>
> How does this relate to:
>
> https://tools.ietf.org/html/draft-wkumari-dnsop-hammer


... and our plan is to still (in our copious free time!) update this to
simplify it, and update it to be more of a "this is how implementations
have implemented this" -- the document is close to cooked, and we'd dearly
love a short bit from implementers describing how they did it...

W



>
> https://tools.ietf.org/html/draft-ietf-dnsop-7706bis
>
> It looks like this new draft is actually a revision of:
>
> https://tools.ietf.org/html/draft-yao-dnsop-root-cache
>
> Tony.
> --
> f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
> Trafalgar: Southeast 6 to gale 8. Moderate or rough. Fair. Good.
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>


-- 
I don't think the execution is relevant when it was obviously a bad idea in
the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair of
pants.
   ---maf

--0000000000008eff450581dc1738--


From nobody Thu Feb 14 07:35:58 2019
Return-Path: <benno@NLnetLabs.nl>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 92DB4131054 for <dnsop@ietfa.amsl.com>; Thu, 14 Feb 2019 07:35:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7
X-Spam-Level: 
X-Spam-Status: No, score=-7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9,  DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nlnetlabs.nl
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jfdzduxupcUX for <dnsop@ietfa.amsl.com>; Thu, 14 Feb 2019 07:35:54 -0800 (PST)
Received: from dicht.nlnetlabs.nl (dicht.nlnetlabs.nl [185.49.140.10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A3499130F0E for <dnsop@ietf.org>; Thu, 14 Feb 2019 07:35:54 -0800 (PST)
Received: from [IPv6:2a04:b900::1:7d91:423f:c7fd:5627] (unknown [IPv6:2a04:b900:0:1:7d91:423f:c7fd:5627]) by dicht.nlnetlabs.nl (Postfix) with ESMTPSA id E3A7D1743B; Thu, 14 Feb 2019 16:35:51 +0100 (CET)
Authentication-Results: dicht.nlnetlabs.nl; dmarc=pass (p=none dis=none) header.from=NLnetLabs.nl
Authentication-Results: dicht.nlnetlabs.nl; spf=pass smtp.mailfrom=benno@NLnetLabs.nl
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
From: Benno Overeinder <benno@NLnetLabs.nl>
In-Reply-To: <CAHw9_i+y0jqzFGShzUmuQ_CUgomnQxacE5DR+xjtgkj0Uoy4mg@mail.gmail.com>
Date: Thu, 14 Feb 2019 16:35:51 +0100
Cc: Tony Finch <dot@dotat.at>, Jiankang Yao <yaojk@cnnic.cn>, arnt <arnt@gulbrandsen.priv.no>, dnsop <dnsop@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <D31E0973-1BE0-45F6-8561-453FEEA5276F@NLnetLabs.nl>
References: <4d51e683.32d.168ea651be8.Coremail.yaojk@cnnic.cn> <alpine.DEB.2.20.1902141349060.18720@grey.csi.cam.ac.uk> <CAHw9_i+y0jqzFGShzUmuQ_CUgomnQxacE5DR+xjtgkj0Uoy4mg@mail.gmail.com>
To: Warren Kumari <warren@kumari.net>
X-Mailer: Apple Mail (2.3445.102.3)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/JCf5XUDdyLsbYVewD03NiBN0eoM>
Subject: Re: [DNSOP] Fw: New Version Notification for draft-arnt-yao-dnsop-root-data-caching-00.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Feb 2019 15:35:57 -0000

> On 14 Feb 2019, at 16:12, Warren Kumari <warren@kumari.net> wrote:
> 
> 
> 
> On Thu, Feb 14, 2019 at 8:59 AM Tony Finch <dot@dotat.at> wrote:
> Jiankang Yao <yaojk@cnnic.cn> wrote:
> >
> >    A new draft about root data caching is proposed, which aims to solve
> >    the similar problem presented in RFC7706 and gives the DNS
> >    administrator one more option.
> 
> How does this relate to:
> 
> https://tools.ietf.org/html/draft-wkumari-dnsop-hammer
> 
> ... and our plan is to still (in our copious free time!) update this to simplify it, and update it to be more of a "this is how implementations have implemented this" -- the document is close to cooked, and we'd dearly love a short bit from implementers describing how they did it…
> 

<implementers hat on>

Noted.

— Benno


-- 
Benno J. Overeinder
NLnet Labs
https://www.nlnetlabs.nl/


From nobody Thu Feb 14 07:58:29 2019
Return-Path: <benno@NLnetLabs.nl>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 27121131088 for <dnsop@ietfa.amsl.com>; Thu, 14 Feb 2019 07:58:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7
X-Spam-Level: 
X-Spam-Status: No, score=-7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9,  DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nlnetlabs.nl
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6gRIT3klx1z4 for <dnsop@ietfa.amsl.com>; Thu, 14 Feb 2019 07:58:25 -0800 (PST)
Received: from dicht.nlnetlabs.nl (dicht.nlnetlabs.nl [185.49.140.10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3526E131069 for <dnsop@ietf.org>; Thu, 14 Feb 2019 07:58:25 -0800 (PST)
Received: from hydrogen.nlnetlabs.nl (unknown [IPv6:2a04:b900:0:1:7d91:423f:c7fd:5627]) by dicht.nlnetlabs.nl (Postfix) with ESMTPSA id 8969517587 for <dnsop@ietf.org>; Thu, 14 Feb 2019 16:58:22 +0100 (CET)
Authentication-Results: dicht.nlnetlabs.nl; dmarc=pass (p=none dis=none) header.from=NLnetLabs.nl
Authentication-Results: dicht.nlnetlabs.nl; spf=pass smtp.mailfrom=benno@NLnetLabs.nl
To: dnsop@ietf.org
References: <BCACF554-8BE6-49BC-B75A-BCED776F5189@NLnetLabs.nl>
From: Benno Overeinder <benno@NLnetLabs.nl>
Openpgp: preference=signencrypt
Message-ID: <2ac1bd8d-e37c-ef63-db7d-125bf37b34bb@NLnetLabs.nl>
Date: Thu, 14 Feb 2019 16:58:22 +0100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:60.0) Gecko/20100101 Thunderbird/60.5.0
MIME-Version: 1.0
In-Reply-To: <BCACF554-8BE6-49BC-B75A-BCED776F5189@NLnetLabs.nl>
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/rqM3nW2rgmCkWbr_dqGczY5VoZo>
Subject: Re: [DNSOP] Call for Adoption: draft-song-atr-large-resp
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Feb 2019 15:58:27 -0000

The call for acceptance for draft-song-atr-large-resp is closed, and it
is clear that there is insufficient support to adopt the concept as a
DNSOP WG document.

There was some concern about the increased number of packages involved
in a legitimate exchange (half of them being ICMP messages, introducing
other concerns) and that the problem space is too narrow to burden all
resolvers.

We would like to thank the authors and WG participants who responded to
the call for adoption on the mailing list.

Best regards,

-- Benno
DNSOP co-chair


On 18/01/2019 18:55, Benno Overeinder wrote:
> Dear DNSOP WG,
> 
> We discussed this work (draft -01) in Montreal, and different opinions wrt. adoption were expressed.  In the past months, the authors pushed a draft version -02 that addressed and resolved some of these comments.  
> 
> This starts a Call for Adoption for:
> draft-song-atr-large-resp
> 
> The draft is available here:
> https://datatracker.ietf.org/doc/draft-song-atr-large-resp/
> 
> Please review this draft to see if you think it is suitable for adoption by DNSOP, and comments to the list, clearly stating your view.
> 
> Please also indicate if you are willing to contribute text, review, etc.  The WG accepts the document or not, but the WG chairs also expect a commitment from the WG participants who support the document to contribute to the draft, review, etc.
> 
> The intended status of the draft is Experimental, but we want to ask developers/vendors if they plan to implement it.   
> 
> This call for adoption ends: 1 February 2019
> 
> Thanks,
> 
> Benno Overeinder
> DNSOP co-chair
> 
> 
> 
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>


From nobody Thu Feb 14 09:22:44 2019
Return-Path: <johnl@iecc.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D909A13104F for <dnsop@ietfa.amsl.com>; Thu, 14 Feb 2019 09:22:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level: 
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1536-bit key) header.d=iecc.com header.b=K7BsFAdZ; dkim=pass (1536-bit key) header.d=taugh.com header.b=Mprn8oYF
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uoSkwcp9IBzS for <dnsop@ietfa.amsl.com>; Thu, 14 Feb 2019 09:22:41 -0800 (PST)
Received: from gal.iecc.com (gal.iecc.com [IPv6:2001:470:1f07:1126:0:43:6f73:7461]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D9974130E2F for <dnsop@ietf.org>; Thu, 14 Feb 2019 09:22:40 -0800 (PST)
Received: (qmail 39885 invoked from network); 14 Feb 2019 17:22:38 -0000
Received: from ary.qy ([IPv6:2001:470:1f07:1126::78:696d:6170]) by imap.iecc.com ([IPv6:2001:470:1f07:1126::78:696d:6170]) with ESMTP via TCP6; 14 Feb 2019 17:22:38 -0000
Received: by ary.qy (Postfix, from userid 501) id 1DD80200E503FE; Thu, 14 Feb 2019 12:22:37 -0500 (EST)
Date: 14 Feb 2019 12:22:37 -0500
Message-Id: <20190214172238.1DD80200E503FE@ary.qy>
From: "John Levine" <johnl@taugh.com>
To: dnsop@ietf.org
Cc: shane@time-travellers.org
In-Reply-To: <9a7b4bc4-018a-9f8c-d3fd-2428356d6605@time-travellers.org>
Organization: Taughannock Networks
X-Headerized: yes
Mime-Version: 1.0
Content-type: text/plain; charset=utf-8
Content-transfer-encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/a_UZ9oq6TtET9jL5V23Www0bw9c>
Subject: Re: [DNSOP] Multiplexing DNS & HTTP over TLS
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Feb 2019 17:22:43 -0000

In article <9a7b4bc4-018a-9f8c-d3fd-2428356d6605@time-travellers.org> you write:
>I think that HTTP/2 preserves the initial handshake of HTTP/1.1.

Seems to me you could make it work using SNI, so long as the name you
use for the web and DNS servers are different.  I realize this makes
it more sniffable, but maybe that's less bad than some of the
alternatives.
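
The ALPN identifier Shane Kerr suggests and the SNI split described in the message above both depend on reading the unencrypted ClientHello before picking a backend. The following is an added example, not code from any poster or from nginx or haproxy: a minimal ClientHello parser and routing decision. The ALPN ID `dot`, the host names, the `route` policy and the single-record ClientHello are assumptions made for illustration.

```python
import struct

class ClientHelloError(ValueError):
    """The bytes are not a complete, well-formed TLS ClientHello."""

class _Reader:
    """Bounds-checked cursor; every read fails closed on truncation."""
    def __init__(self, data):
        self.data, self.pos = data, 0
    def take(self, n):
        if self.pos + n > len(self.data):
            raise ClientHelloError("truncated field")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk
    def u8(self):
        return self.take(1)[0]
    def u16(self):
        return struct.unpack("!H", self.take(2))[0]
    def u24(self):
        return int.from_bytes(self.take(3), "big")
    def empty(self):
        return self.pos == len(self.data)

def parse_client_hello(data):
    """Return (sni, alpn_list) from the first TLS record.
    Assumption: the whole ClientHello fits in one record."""
    rec = _Reader(data)
    if rec.u8() != 0x16:                       # record type: handshake
        raise ClientHelloError("not a TLS handshake record")
    rec.take(2)                                # legacy record version
    hs = _Reader(rec.take(rec.u16()))
    if hs.u8() != 0x01:                        # handshake type: ClientHello
        raise ClientHelloError("not a ClientHello")
    body = _Reader(hs.take(hs.u24()))
    body.take(2 + 32)                          # client version + random
    body.take(body.u8())                       # session id
    body.take(body.u16())                      # cipher suites
    body.take(body.u8())                       # compression methods
    sni, alpn = None, []
    if body.empty():                           # no extensions block at all
        return sni, alpn
    exts = _Reader(body.take(body.u16()))
    while not exts.empty():
        ext_type = exts.u16()
        ext = _Reader(exts.take(exts.u16()))
        if ext_type == 0:                      # server_name
            names = _Reader(ext.take(ext.u16()))
            while not names.empty():
                name_type = names.u8()
                name = names.take(names.u16())
                if name_type == 0:             # host_name
                    sni = name.decode("ascii", "replace").lower()
        elif ext_type == 16:                   # ALPN (RFC 7301)
            protos = _Reader(ext.take(ext.u16()))
            while not protos.empty():
                alpn.append(protos.take(protos.u8()).decode("ascii", "replace"))
    return sni, alpn

def route(data, dns_names=frozenset({"dns.example.net"}), default="https"):
    """Hypothetical policy: ALPN wins, then SNI, then a default backend."""
    try:
        sni, alpn = parse_client_hello(data)
    except ClientHelloError:
        return "reject"
    if "dot" in alpn:                          # assumed ALPN ID for DNS-over-TLS
        return "dot"
    if "h2" in alpn or "http/1.1" in alpn:
        return "https"
    if sni in dns_names:
        return "dot"
    return default                             # no SNI and no ALPN offered

def build_client_hello(sni=None, alpn=()):
    """Constructed sample input: a minimal ClientHello record for testing."""
    exts = b""
    if sni is not None:
        host = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host
        payload = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", 0, len(payload)) + payload
    if alpn:
        plist = b"".join(bytes([len(p)]) + p.encode("ascii") for p in alpn)
        payload = struct.pack("!H", len(plist)) + plist
        exts += struct.pack("!HH", 16, len(payload)) + payload
    body = (b"\x03\x03" + bytes(32) + b"\x00"  # version, random, empty session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"  # one cipher suite, null compression
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

A client that offers neither SNI nor ALPN falls through to `default`, so the choice of default decides where such connections land.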


From nobody Thu Feb 14 09:29:43 2019
Return-Path: <arnt@gulbrandsen.priv.no>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AFCFA1310B4 for <dnsop@ietfa.amsl.com>; Thu, 14 Feb 2019 09:29:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level: 
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=gulbrandsen.priv.no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id b9GhnyVOlalN for <dnsop@ietfa.amsl.com>; Thu, 14 Feb 2019 09:29:38 -0800 (PST)
Received: from stabil.gulbrandsen.priv.no (stabil.gulbrandsen.priv.no [IPv6:2a01:4f8:191:91a8::3]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DD7B61311B5 for <dnsop@ietf.org>; Thu, 14 Feb 2019 09:29:37 -0800 (PST)
Received: from stabil.gulbrandsen.priv.no (stabil.gulbrandsen.priv.no [IPv6:2a01:4f8:191:91a8::3]) by stabil.gulbrandsen.priv.no (Postfix) with ESMTP id 5ECEDC05E3; Thu, 14 Feb 2019 17:31:19 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=gulbrandsen.priv.no; s=mail; t=1550165479; bh=u+gbVr5JvjgYAcZ28YMQrLVlRWyK+1vSPlE/fhjSoF4=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=H45B7ivY3qK5N8xiMJddLHy7qeUqdTIS4H8j0nl7WBfcPmchbCBTyCovs2j0H0Hjz IkcGJm2o26dd9z6K5q7sCGOWI6qW0Df+E7uFFSW3Lsz+BEKV0/m8t7BSQ/Qd0nshMu RxqjURGbuf7/f+3Z+XOmVCn/QlfWVHOz2VZ41w1s=
Received: from arnt@gulbrandsen.priv.no by stabil.gulbrandsen.priv.no (Archiveopteryx 3.2.0) with esmtpsa id 1550165478-26265-2661/9/20; Thu, 14 Feb 2019 17:31:18 +0000
From: Arnt Gulbrandsen <arnt@gulbrandsen.priv.no>
To: Tony Finch <dot@dotat.at>
Cc: Jiankang Yao <yaojk@cnnic.cn>, dnsop@ietf.org
Date: Thu, 14 Feb 2019 18:29:31 +0100
Mime-Version: 1.0
Message-Id: <587d85ee-73bc-40f4-aae8-550d877ca6d1@gulbrandsen.priv.no>
In-Reply-To: <alpine.DEB.2.20.1902141349060.18720@grey.csi.cam.ac.uk>
References: <4d51e683.32d.168ea651be8.Coremail.yaojk@cnnic.cn> <alpine.DEB.2.20.1902141349060.18720@grey.csi.cam.ac.uk>
User-Agent: Trojita/0.7; Qt/5.7.1; xcb; Linux; Devuan GNU/Linux 2.0 (ascii)
Content-Type: text/plain; charset=utf-8; format=flowed
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/d3QEUEvSbdyi_3TyTmmUEInIUaU>
Subject: Re: [DNSOP] Fw: New Version Notification for draft-arnt-yao-dnsop-root-data-caching-00.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Feb 2019 17:29:41 -0000

On Thursday 14 February 2019 14:58:58 CET, Tony Finch wrote:
> How does this relate to:
>
> https://tools.ietf.org/html/draft-wkumari-dnsop-hammer
> https://tools.ietf.org/html/draft-ietf-dnsop-7706bis

It originates in various ideas Jiankang and I have chatted about.

I didn't like 7706, because I feel that the servers that have long ping 
times to the nearest root are more likely to have admins who make mistakes. 
Jiankang and I discussed alternatives when we met a while ago, and a few 
times since. Once we hit upon this possibility, we didn't discuss 
draft-wkumari-dnsop-hammer, perhaps because it's expired and we'd 
forgotten. Mental entropy.

Compared to the hammer draft, I should say that this is dead simple, has 
one fewer acronym, and that both of those are intentional features.

I see your name is in the text. Why did you let it expire?

> It looks like this new draft is actually a revision of:
>
> https://tools.ietf.org/html/draft-yao-dnsop-root-cache

Probably correct. It was I who did the typing, and I prefer to start by 
editing something that already has the right XML stuff and at least some 
references etc.

Arnt


From nobody Thu Feb 14 11:28:15 2019
Return-Path: <stephane@sources.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 62A2F12EB11 for <dnsop@ietfa.amsl.com>; Thu, 14 Feb 2019 11:28:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level: 
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id S7QVPa1E8lgv for <dnsop@ietfa.amsl.com>; Thu, 14 Feb 2019 11:28:09 -0800 (PST)
Received: from ayla.bortzmeyer.org (ayla.bortzmeyer.org [92.243.4.211]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 656201289FA for <dnsop@ietf.org>; Thu, 14 Feb 2019 11:28:09 -0800 (PST)
Received: by ayla.bortzmeyer.org (Postfix, from userid 10) id 453D0A07C9; Thu, 14 Feb 2019 20:28:06 +0100 (CET)
Received: by mail.sources.org (Postfix, from userid 1000) id D5051190673; Thu, 14 Feb 2019 20:25:37 +0100 (CET)
Date: Thu, 14 Feb 2019 20:25:37 +0100
From: Stephane Bortzmeyer <bortzmeyer@nic.fr>
To: Petr =?utf-8?B?xaBwYcSNZWs=?= <petr.spacek@nic.cz>
Cc: dnsop@ietf.org
Message-ID: <20190214192537.ti7oaylw63y36cw7@sources.org>
References: <154689301066.32204.17312124670782800354@ietfa.amsl.com> <ybl1s5nxgau.fsf@w7.hardakers.net> <3c2ef704-148f-ed03-26a9-8ea29256acc2@nic.cz>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <3c2ef704-148f-ed03-26a9-8ea29256acc2@nic.cz>
X-Transport: UUCP rules
X-Operating-System: Debian GNU/Linux 9.6
X-Charlie: Je suis Charlie
User-Agent: NeoMutt/20170113 (1.7.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/pg2yZ-_aPEP7SlIBae8lHFluvdg>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-extended-error-04.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Feb 2019 19:28:13 -0000

On Thu, Feb 07, 2019 at 04:47:01PM +0100,
 Petr Špaček <petr.spacek@nic.cz> wrote 
 a message of 129 lines which said:

> > 4.1.1.  NOERROR Extended DNS Error Code 1 - Unsupported DNSKEY Algorithm
> > 
> >    The resolver attempted to perform DNSSEC validation, but a DNSKEY
> >    RRSET contained only unknown algorithms.  The R flag should be set.
> > 
> > 4.1.2.  NOERROR Extended DNS Error Code 2 - Unsupported DS Algorithm
> > 
> >    The resolver attempted to perform DNSSEC validation, but a DS RRSET
> >    contained only unknown algorithms.  The R flag should be set.
> 
> Why R flag? This is not an error, resolution succeeded,

But without the AD flag.

> and there is nothing to retry. I propose change both cases to "The R
> flag should not be set."

In both cases, because another resolver may know other, different
algorithms and therefore succeed in validating.


From nobody Thu Feb 14 11:53:12 2019
Return-Path: <stephane@sources.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A030F131186 for <dnsop@ietfa.amsl.com>; Thu, 14 Feb 2019 11:53:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level: 
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CLqMzrHkGMJ6 for <dnsop@ietfa.amsl.com>; Thu, 14 Feb 2019 11:53:09 -0800 (PST)
Received: from ayla.bortzmeyer.org (ayla.bortzmeyer.org [IPv6:2001:4b98:dc0:41:216:3eff:fe27:3d3f]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7E441131065 for <dnsop@ietf.org>; Thu, 14 Feb 2019 11:53:09 -0800 (PST)
Received: by ayla.bortzmeyer.org (Postfix, from userid 10) id E53FFA07C9; Thu, 14 Feb 2019 20:53:06 +0100 (CET)
Received: by mail.sources.org (Postfix, from userid 1000) id C81FE190673; Thu, 14 Feb 2019 20:51:25 +0100 (CET)
Date: Thu, 14 Feb 2019 20:51:25 +0100
From: Stephane Bortzmeyer <bortzmeyer@nic.fr>
To: dnsop@ietf.org
Message-ID: <20190214195125.nwbazwpk3rgrgxkf@sources.org>
References: <154689301066.32204.17312124670782800354@ietfa.amsl.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <154689301066.32204.17312124670782800354@ietfa.amsl.com>
X-Transport: UUCP rules
X-Operating-System: Debian GNU/Linux 9.6
X-Charlie: Je suis Charlie
User-Agent: NeoMutt/20170113 (1.7.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/LWXQwhcelkYO8344QWZpjfjbVjY>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-extended-error-04.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Feb 2019 19:53:12 -0000

On Mon, Jan 07, 2019 at 12:30:10PM -0800,
 internet-drafts@ietf.org <internet-drafts@ietf.org> wrote 
 a message of 44 lines which said:

>         Title           : Extended DNS Errors
>         Authors         : Warren Kumari
>                           Evan Hunt
>                           Roy Arends
>                           Wes Hardaker
>                           David C Lawrence
> 	Filename        : draft-ietf-dnsop-extended-error-04.txt

Some remarks but before, note I think that it is very important that
we have a way to report more detailed error causes. One of the biggest
problems of DNSSEC is that there is no easy way for the resolver to
report to the application about a DNSSEC problem. So, the work on this
draft is essential.

Now, the problems:

It seems to me that this draft is mostly for resolvers, most planned
extended codes are useless for authoritative servers (except maybe
REFUSED/Lame?).

I suggest to make that clear in the introduction:

These extended error codes are specially useful for resolvers, to
return to stub resolvers or to downstream resolvers. Authoritative
servers MAY use them but most error codes would make no sense for
them.

> Unless a protective transport mechanism (like TSIG [RFC2845] or TLS
> [RFC8094])

Why 8094, which does not have even one implementation, instead of
7858?

> 4.2.3.  SERVFAIL Extended DNS Error Code 3 - Signature Expired
>
>   The resolver attempted to perform DNSSEC validation, but the
>   signature was expired.

I suggest to replace "the signature was expired" by "a signature in
the validation chain was expired".

Rationale: which signature? What if a DS at the parent is signed with an
expired signature?

> 4.2.5.  SERVFAIL Extended DNS Error Code 5 - DNSKEY missing
>
>   A DS record existed at a parent, but no DNSKEY record could be found
>   for the child.

I suggest to replace "no DNSKEY record could be found for the child"
by "no DNSKEY record for this specific key could be found for the
child".

Rationale : the current text seems to imply this code is only when
there is no DNSKEY at all.

> 4.4.1.  NXDOMAIN Extended DNS Error Code 1 - Blocked
>
>   The resolver attempted to perform a DNS query but the domain is
>   blacklisted due to a security policy.  The R flag should not be set.

The last sentence is touchy. If a stub is configured with two
resolvers, and one is fast but known for lying in some cases that you
disagree with, you may ask a cookie from the other parent (no, resolver).

> 4.4.1.  NXDOMAIN Extended DNS Error Code 1 - Blocked
>
>   The resolver attempted to perform a DNS query but the domain is
>   blacklisted due to a security policy.

I tend to think it would be a good idea to separate the case where the
policy was decided by the resolver and the case where the policy came
from outside, typically from the local law (see RFC 7725 for a similar
case with HTTP).

Rationale: in the first case (local policy of the resolver), the user
may be interested in talking with the resolver admin if he or she
disagrees with the blocking. In the second case, this would be useless.

Otherwise, I suggest to add an error code:

NOERROR Extended DNS Error Code 3 - Forged answer

   For policy reasons (legal obligation, or malware filtering, for
   instance), an answer was forged.  The R flag should not be set.

Rationale: there is "NXDOMAIN Extended DNS Error Code 1 - Blocked" but
policy-aware resolvers (lying resolvers, in plain English) do not
always forge NXDOMAIN, they can also forge A or AAAA answers.

See also the issue just before, about the need to differentiate
resolver policy from "upper" policy, law, for instance.
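
The stub-side retry decision debated in the two messages above (R flag on the "Unsupported DNSKEY Algorithm" code, and the two-resolver case for "Blocked"), as an added example that is not part of the original posts or of the draft. It models already-parsed responses rather than decoding the EDNS option; the class, field and function names and the `distrust_blocking` switch are hypothetical, and the sample resolvers are constructed.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Sequence, Tuple

# (RCODE, extended error code) pairs as quoted from the draft in the thread.
UNSUPPORTED_DNSKEY_ALG = ("NOERROR", 1)
BLOCKED = ("NXDOMAIN", 1)


@dataclass(frozen=True)
class ExtendedError:
    code: int    # extended error code, scoped by the response RCODE
    retry: bool  # the R flag: a hint that asking elsewhere may help


@dataclass(frozen=True)
class Response:
    resolver: str                      # label of the resolver that answered
    rcode: str                         # "NOERROR", "NXDOMAIN", ...
    ad: bool                           # AD flag: the resolver validated the answer
    answers: Tuple[str, ...] = ()
    ede: Optional[ExtendedError] = None


def wants_retry(resp: Response, distrust_blocking: bool) -> bool:
    """Decide whether the stub should ask the next configured resolver."""
    if resp.ede is None:
        return False
    # Local stub policy may override the hint: a user who disagrees with one
    # resolver's blocking asks the other resolver even when R is clear.
    if (resp.rcode, resp.ede.code) == BLOCKED and distrust_blocking:
        return True
    # Otherwise follow the R flag as sent by the resolver.
    return resp.ede.retry


def resolve(qname: str,
            resolvers: Sequence[Callable[[str], Response]],
            distrust_blocking: bool = False) -> Tuple[Response, List[str]]:
    """Query resolvers in order; return the final response and who was asked."""
    if not resolvers:
        raise ValueError("at least one resolver is required")
    asked: List[str] = []
    last: Optional[Response] = None
    for ask in resolvers:
        last = ask(qname)
        asked.append(last.resolver)
        if not wants_retry(last, distrust_blocking):
            break
    assert last is not None
    return last, asked


def canned(resp: Response) -> Callable[[str], Response]:
    """Build a constructed resolver that always returns the same response."""
    return lambda qname: resp


# Constructed sample resolvers (documentation address from 192.0.2.0/24).
# A validator that knows none of the zone's algorithms: answer without AD.
OLD_R_SET = canned(Response("old", "NOERROR", False, ("192.0.2.10",),
                            ExtendedError(1, retry=True)))
OLD_R_CLEAR = canned(Response("old", "NOERROR", False, ("192.0.2.10",),
                              ExtendedError(1, retry=False)))
# A validator that knows the algorithm and sets AD.
NEW = canned(Response("new", "NOERROR", True, ("192.0.2.10",)))
# A resolver that blocks the name by policy, with R clear as in the draft text.
FILTERING = canned(Response("filtering", "NXDOMAIN", False, (),
                            ExtendedError(1, retry=False)))

if __name__ == "__main__":
    for label, chain, distrust in [
        ("R set on unsupported algorithm", [OLD_R_SET, NEW], False),
        ("R clear on unsupported algorithm", [OLD_R_CLEAR, NEW], False),
        ("Blocked, stub follows the hint", [FILTERING, NEW], False),
        ("Blocked, stub distrusts blocking", [FILTERING, NEW], True),
    ]:
        resp, asked = resolve("example.org", chain, distrust)
        print(f"{label}: asked={asked} rcode={resp.rcode} ad={resp.ad}")
```
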


From nobody Thu Feb 14 12:12:22 2019
Return-Path: <msheldon@godaddy.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3D5D4128D52 for <dnsop@ietfa.amsl.com>; Thu, 14 Feb 2019 12:12:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level: 
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=secureservernet.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jfF9yylcvnX9 for <dnsop@ietfa.amsl.com>; Thu, 14 Feb 2019 12:12:17 -0800 (PST)
Received: from NAM01-SN1-obe.outbound.protection.outlook.com (mail-eopbgr820134.outbound.protection.outlook.com [40.107.82.134]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B66BE12867A for <dnsop@ietf.org>; Thu, 14 Feb 2019 12:12:17 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=secureservernet.onmicrosoft.com; s=selector1-godaddy-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=gb7w65Y3KHc/tVJvSjIUPuxlTMbWFAk2s3S43IHhd8c=; b=Jakzs8GaySYEwoQviq2SpY8NMn5ISZIM86zXGScCV4hn0bQVjrCR9Ps6vzORZvWTFVz7W5X1MLAb9M6mo3NY9mkju3yvwj7teTa2HFLgxwZ3c7b8/9vGISmYOnc/iXZipmnL/oId3q92ovUaWLvdYq7xk3qyNXy+7L/dDpFQrJs=
Received: from BYAPR02MB5190.namprd02.prod.outlook.com (20.177.124.15) by BYAPR02MB5832.namprd02.prod.outlook.com (20.179.63.23) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1601.22; Thu, 14 Feb 2019 20:12:15 +0000
Received: from BYAPR02MB5190.namprd02.prod.outlook.com ([fe80::d4e7:ce1a:9ae0:d53]) by BYAPR02MB5190.namprd02.prod.outlook.com ([fe80::d4e7:ce1a:9ae0:d53%3]) with mapi id 15.20.1622.018; Thu, 14 Feb 2019 20:12:15 +0000
From: "Michael J. Sheldon" <msheldon@godaddy.com>
To: Stephane Bortzmeyer <bortzmeyer@nic.fr>, "dnsop@ietf.org" <dnsop@ietf.org>
Thread-Topic: [DNSOP] I-D Action: draft-ietf-dnsop-extended-error-04.txt
Thread-Index: AQHUpsfRuflG9ymc2E6RowZqKM9vjaXf78WAgAAFsgA=
Date: Thu, 14 Feb 2019 20:12:15 +0000
Message-ID: <3f0fde90-5a64-6bda-7800-a63311557e2a@godaddy.com>
References: <154689301066.32204.17312124670782800354@ietfa.amsl.com> <20190214195125.nwbazwpk3rgrgxkf@sources.org>
In-Reply-To: <20190214195125.nwbazwpk3rgrgxkf@sources.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [2600:8800:2800:8db:6a6e:1d88:205:32e2]
x-clientproxiedby: BYAPR05CA0069.namprd05.prod.outlook.com (2603:10b6:a03:74::46) To BYAPR02MB5190.namprd02.prod.outlook.com (2603:10b6:a03:68::15)
authentication-results: spf=none (sender IP is ) smtp.mailfrom=msheldon@godaddy.com; 
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: e28b1ec0-a687-4a57-e400-08d692b8b666
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600110)(711020)(4605077)(4618075)(2017052603328)(7153060)(7193020); SRVR:BYAPR02MB5832; 
x-ms-traffictypediagnostic: BYAPR02MB5832:
x-microsoft-antispam-prvs: <BYAPR02MB5832F9CE877E7627E71672CCDB670@BYAPR02MB5832.namprd02.prod.outlook.com>
x-forefront-prvs: 09480768F8
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(376002)(39860400002)(346002)(136003)(396003)(366004)(189003)(199004)(52116002)(476003)(6436002)(6246003)(81166006)(36756003)(6486002)(71190400001)(25786009)(2616005)(71200400001)(486006)(46003)(81156014)(14454004)(97736004)(6512007)(8676002)(86362001)(76176011)(53936002)(6116002)(31696002)(229853002)(68736007)(256004)(316002)(102836004)(53546011)(478600001)(7736002)(99286004)(110136005)(31686004)(305945005)(8936002)(6506007)(2501003)(11346002)(2906002)(106356001)(446003)(66574012)(105586002)(386003)(186003); DIR:OUT; SFP:1102; SCL:1; SRVR:BYAPR02MB5832; H:BYAPR02MB5190.namprd02.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1; 
received-spf: None (protection.outlook.com: godaddy.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
Content-Type: text/plain; charset="utf-8"
Content-ID: <2A69E71BC586F14A99A88F12671479E2@namprd02.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: godaddy.com
X-MS-Exchange-CrossTenant-Network-Message-Id: e28b1ec0-a687-4a57-e400-08d692b8b666
X-MS-Exchange-CrossTenant-originalarrivaltime: 14 Feb 2019 20:12:15.0107 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-id: d5f1622b-14a3-45a6-b069-003f8dc4851f
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BYAPR02MB5832
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/5EBYStu6S8mpqOAOqfFrQq9zchM>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-extended-error-04.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Feb 2019 20:12:20 -0000

From nobody Thu Feb 14 12:34:08 2019
Return-Path: <warren@kumari.net>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A119E12EB11 for <dnsop@ietfa.amsl.com>; Thu, 14 Feb 2019 12:34:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=kumari-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cUWbx_SMHjX5 for <dnsop@ietfa.amsl.com>; Thu, 14 Feb 2019 12:34:02 -0800 (PST)
Received: from mail-wr1-x430.google.com (mail-wr1-x430.google.com [IPv6:2a00:1450:4864:20::430]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BEB6112D4F2 for <dnsop@ietf.org>; Thu, 14 Feb 2019 12:34:01 -0800 (PST)
Received: by mail-wr1-x430.google.com with SMTP id q18so7944259wrx.9 for <dnsop@ietf.org>; Thu, 14 Feb 2019 12:34:01 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kumari-net.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=11FqZ3FftpOwU0X/yVktiodSm0jAP121PB6NVSDkJGg=; b=nP/4M9S1/2BCDlmuvCjZjaNwR9OZF+8psKday4RqBRhS3CJfKwmSFsjU/qjP+y3JgR +7Oi+7FOH8mXO0NhmJffGFIo6P1/dfiWarIb9lZZaGdine61f/JCEZrPyhPVHoEETkDa mcbxtYzpbkwvZtCZ8ASMwOfpRDkNIo4nHWGhc8fCoDVO3+YtOqzS4+xrO0fdSFohyxbc m2tn6uGlOWiPt+iVexAgOiN+hPrB4bxCWmF6UUm+SYXTzbiGim2R0zEZCXq2UUacqWAh Tlcv4u5HyFFIRUWJRvoMR9sY+vUBtAjozgkmUpJ/ZNV4u1T0B5Umf+Eck7Ts1/Er/Dvn Fxtg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=11FqZ3FftpOwU0X/yVktiodSm0jAP121PB6NVSDkJGg=; b=NGh0zAMSpgQ6NiNWc9kcE85X3cO8De47U3ozlRP5jNVc4cRe4r1/d/glsw/OPKiuIC 4uOggLXA0oBdQzN+DpD7iZA1NZ8mvIomcIkYZH2wrXLASltkhOHjrfGOqOdBJ3nWmLn5 Oyuc2gcV0ee/N/06GTLPdf2V/9yXY8AJZB877y0nG94XqTaGqICorgYM7cFvqtIY94Hw kecoiWVz+ssCWp27HrlpH3G+YSXhXbWIai60FOOK1LHti5q/wfEJVJvo23/xI8T9qGQH ngOaG6PNzOU9t+jSt13uRQtjXbYh7+k7xbH37064gmTvFoiagq6TKeYGwiT1nnnpjZs2 vIbg==
X-Gm-Message-State: AHQUAubQ/MTHmQhgVUXrfra3JMl/XBnNKU8i4WsdeLYtMJotvknlHeIZ BGoKQcyVsgXvhVYy6GyKzBCflRbpv0c3Y2AueY4zMw==
X-Google-Smtp-Source: AHgI3IaqpzYDVVzs/h1Twcz/wO48zJwJMZLmynb0YgVBd4gjqcfhyjNE0G983nrVitSgs1pKrvtBdv2z7Y4zQI3zSvo=
X-Received: by 2002:a05:6000:10cf:: with SMTP id b15mr4317523wrx.32.1550176439632;  Thu, 14 Feb 2019 12:33:59 -0800 (PST)
MIME-Version: 1.0
References: <154689301066.32204.17312124670782800354@ietfa.amsl.com> <20190214195125.nwbazwpk3rgrgxkf@sources.org>
In-Reply-To: <20190214195125.nwbazwpk3rgrgxkf@sources.org>
From: Warren Kumari <warren@kumari.net>
Date: Thu, 14 Feb 2019 15:33:23 -0500
Message-ID: <CAHw9_iLeAwU8gskbhyd7OMPYEY68eCDocB9k6ezjUxYj=_WHRg@mail.gmail.com>
To: Stephane Bortzmeyer <bortzmeyer@nic.fr>
Cc: dnsop <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000061fe10581e09411"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/KzCyusG39d91uBnCDzYv2Y6WMHA>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-extended-error-04.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Feb 2019 20:34:06 -0000

--000000000000061fe10581e09411
Content-Type: text/plain; charset="UTF-8"

On Thu, Feb 14, 2019 at 2:53 PM Stephane Bortzmeyer <bortzmeyer@nic.fr>
wrote:

> On Mon, Jan 07, 2019 at 12:30:10PM -0800,
>  internet-drafts@ietf.org <internet-drafts@ietf.org> wrote
>  a message of 44 lines which said:
>
> >         Title           : Extended DNS Errors
> >         Authors         : Warren Kumari
> >                           Evan Hunt
> >                           Roy Arends
> >                           Wes Hardaker
> >                           David C Lawrence
> >       Filename        : draft-ietf-dnsop-extended-error-04.txt
>
> Some remarks but before, note I think that it is very important that
> we have a way to report more detailed error causes. One of the biggest
> problems of DNSSEC is that there is no easy way for the resolver to
> report to the application about a DNSSEC problem. So, the work on this
> draft is essential.
>
>
Thank you, I / we certainly think so.



> Now, the problems:
>
> It seems to me that this draft is mostly for resolvers, most planned
> extended codes are useless for authoritative servers (except maybe
> REFUSED/Lame?).
>
> I suggest to make that clear in the introduction:
>
> These extended error codes are specially useful for resolvers, to
> return to stub resolvers or to downstream resolvers. Authoritative
> servers MAY use them but most error codes would make no sense for
> them.
>

Yup, at the moment the majority of these are resolver errors - I don't
think we necessarily expected / thought that through when starting this.
I'm guessing that the majority of these will be resolver errors in the
future as well, but how about:
"The majority of these extended error codes are primarily useful for
resolvers, to
return to stub resolvers or to downstream resolvers. Authoritative
servers may also use this technique to annotate errors (for example,
REFUSED), but as of publication there are not as many of these defined"
or something?


>
> > Unless a protective transport mechanism (like TSIG [RFC2845] or TLS
> > [RFC8094])
>
> Why 8094, which does not have even one implementation, instead of
> 7858?
>

I believe that that was an oversight / error.


>
> > 4.2.3.  SERVFAIL Extended DNS Error Code 3 - Signature Expired
> >
> >   The resolver attempted to perform DNSSEC validation, but the
> >   signature was expired.
>
> I suggest to replace "the signature was expired" by "a signature in
> the validation chain was expired".
>
> Rationale: which signature? What if a DS at the parent is signed with an
> expired signature?
>
>
LGTM.



> > 4.2.5.  SERVFAIL Extended DNS Error Code 5 - DNSKEY missing
> >
> >   A DS record existed at a parent, but no DNSKEY record could be found
> >   for the child.
>
> I suggest to replace "no DNSKEY record could be found for the child"
> by "no DNSKEY record for this specific key could be found for the
> child".
>
>
LGTM.


> Rationale : the current text seems to imply this code is only when
> there is no DNSKEY at all.
>
> > 4.4.1.  NXDOMAIN Extended DNS Error Code 1 - Blocked
> >
> >   The resolver attempted to perform a DNS query but the domain is
> >   blacklisted due to a security policy.  The R flag should not be set.
>
> The last sentence is touchy. If a stub is configured with two
> resolvers, and one is fast but known for lying in some cases that you
> disagree with, you may ask a cookie from the other parent (no, resolver).
>

Yup. The R flag is entirely, 100% simply a hint - you are perfectly allowed
to ignore it, and in this case, you may want to (keep reading!)
So, why bother having the flag at all? Primarily it exists so that, if an
implementation gets an extended error code which it doesn't understand (e.g.
42), it can choose to take the hint, or not.
If an implementation *does* understand the code, it can decide it knows
better.

Now, in this particular case, I think you are right - unless anyone
objects, I'm a gonna flip that to "the R flag should be set".



>
> > 4.4.1.  NXDOMAIN Extended DNS Error Code 1 - Blocked
> >
> >   The resolver attempted to perform a DNS query but the domain is
> >   blacklisted due to a security policy.
>
> I tend to think it would be a good idea to separate the case where the
> policy was decided by the resolver and the case where the policy came
> from outside, typically from the local law (see RFC 7725 for a similar
> case with HTTP).
>
> Rationale: in the first case (local policy of the resolver), the user
> may be interested in talking with the resolver admin if he or she
> disagrees with the blocking. In the second case, this would be useless.
>
> Otherwise, I suggest to add an error code:
>
> NOERROR Extended DNS Error Code 3 - Forged answer
>
>    For policy reasons (legal obligation, or malware filtering, for
>    instance), an answer was forged.  The R flag should not be set.
>
> Rationale: there is "NXDOMAIN Extended DNS Error Code 1 - Blocked" but
> policy-aware resolvers (lying resolvers, in plain English) do not
> always forge NXDOMAIN, they can also forge A or AAAA answers.
>
> See also the issue just before, about the need to differentiate
> resolver policy from "upper" policy, law, for instance.
>

Errr... I like the idea / concept, but I'd really like to avoid the word
"Forged" -- while you and I (and probably almost everyone else on the list)
would agree that this is forged, I think that the pejorative nature of the
word would make it that people who are forced to forge answers might not be
allowed to tag it as such.
Can anyone think of a better word? I was hoping to find something in the
HTTP 451 Error Code page - https://en.wikipedia.org/wiki/HTTP_451, but no
luck.
Fictional answer? Alternative fact? Supposititious answer?

Thank you for your comments and text,
W



>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>


-- 
I don't think the execution is relevant when it was obviously a bad idea in
the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair of
pants.
   ---maf

--000000000000061fe10581e09411--
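
The retry-hint handling described in the reply above, as an added example (not code from the draft or from any resolver): the (RCODE, info-code) pairs are the ones quoted in this thread, while the `Response` shape, the `LOCAL_OVERRIDE` policy table, the resolver names and the behaviour without an extended error are assumptions made for the sketch.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# (RCODE, extended info-code) pairs quoted in this thread from
# draft-ietf-dnsop-extended-error-04; any other pair is unknown to this stub.
KNOWN_CODES: Dict[Tuple[str, int], str] = {
    ("SERVFAIL", 3): "Signature Expired",
    ("SERVFAIL", 5): "DNSKEY missing",
    ("NXDOMAIN", 1): "Blocked",
}

# Hypothetical local policy: for codes the stub understands it may "know
# better" than the R flag. True = ask another resolver, False = stop here.
# Only the Blocked case is taken from the thread (a user who disagrees with
# one resolver's filtering asks the other one).
LOCAL_OVERRIDE: Dict[Tuple[str, int], bool] = {
    ("NXDOMAIN", 1): True,
}


@dataclass(frozen=True)
class Response:
    """Constructed stand-in for a parsed DNS response (not a wire format)."""
    resolver: str
    rcode: str
    info_code: Optional[int] = None  # None: no extended error attached
    r_flag: bool = False             # the retry hint discussed above


def should_retry(resp: Response) -> Tuple[bool, str]:
    """Decide whether to ask the next resolver, and say why."""
    if resp.rcode == "NOERROR":
        return False, "answer received"
    if resp.info_code is None:
        # Assumption: without an extended error, retry only on SERVFAIL.
        return resp.rcode == "SERVFAIL", "no extended error, classic behaviour"
    key = (resp.rcode, resp.info_code)
    if key not in KNOWN_CODES:
        # Unknown code (e.g. 42): the R flag is the only guidance available.
        return resp.r_flag, "unknown code, followed R flag"
    if key in LOCAL_OVERRIDE:
        # Understood code with a local opinion: the hint is ignored.
        return LOCAL_OVERRIDE[key], "known code %s, local policy" % KNOWN_CODES[key]
    return resp.r_flag, "known code %s, followed R flag" % KNOWN_CODES[key]


def resolve(resolvers: List[str], canned: Dict[str, Response]):
    """Walk the configured resolvers in order over canned responses.

    Returns the response the stub settles on plus a trace of decisions.
    """
    trace = []
    final = None
    for name in resolvers:
        final = canned[name]
        retry, reason = should_retry(final)
        trace.append((name, retry, reason))
        if not retry:
            break
    return final, trace


# Constructed scenario from the thread: a fast filtering resolver that
# answers "Blocked" with the R flag clear, and a second resolver.
SAMPLE = {
    "fast-filtering": Response("fast-filtering", "NXDOMAIN", info_code=1, r_flag=False),
    "second": Response("second", "NOERROR"),
}

if __name__ == "__main__":
    final, trace = resolve(["fast-filtering", "second"], SAMPLE)
    for step in trace:
        print(step)
    print("settled on:", final.resolver, final.rcode)
```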


From nobody Thu Feb 14 13:42:15 2019
Return-Path: <rharolde@umich.edu>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 06D3B1311E6 for <dnsop@ietfa.amsl.com>; Thu, 14 Feb 2019 13:42:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level: 
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=umich.edu
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8VRz_RKCuY6G for <dnsop@ietfa.amsl.com>; Thu, 14 Feb 2019 13:42:09 -0800 (PST)
Received: from mail-lj1-x230.google.com (mail-lj1-x230.google.com [IPv6:2a00:1450:4864:20::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A43E11311E3 for <dnsop@ietf.org>; Thu, 14 Feb 2019 13:42:09 -0800 (PST)
Received: by mail-lj1-x230.google.com with SMTP id g11-v6so6597698ljk.3 for <dnsop@ietf.org>; Thu, 14 Feb 2019 13:42:09 -0800 (PST)
X-Received: by 2002:a2e:84ca:: with SMTP id q10-v6mr3659618ljh.65.1550180527545;  Thu, 14 Feb 2019 13:42:07 -0800 (PST)
MIME-Version: 1.0
References: <4d51e683.32d.168ea651be8.Coremail.yaojk@cnnic.cn> <alpine.DEB.2.20.1902141349060.18720@grey.csi.cam.ac.uk> <587d85ee-73bc-40f4-aae8-550d877ca6d1@gulbrandsen.priv.no>
In-Reply-To: <587d85ee-73bc-40f4-aae8-550d877ca6d1@gulbrandsen.priv.no>
From: Bob Harold <rharolde@umich.edu>
Date: Thu, 14 Feb 2019 16:41:56 -0500
Message-ID: <CA+nkc8Bkpr7PDSyWjGQftaODj7pffmzWJUeYghGScFLi0CyHpw@mail.gmail.com>
To: Arnt Gulbrandsen <arnt@gulbrandsen.priv.no>
Cc: Tony Finch <dot@dotat.at>, Jiankang Yao <yaojk@cnnic.cn>, IETF DNSOP WG <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000aeafeb0581e1871a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/HfOrqj3JpFklJ8dnWUWWekUq_zU>
Subject: Re: [DNSOP] Fw: New Version Notification for draft-arnt-yao-dnsop-root-data-caching-00.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Feb 2019 21:42:13 -0000

--000000000000aeafeb0581e1871a
Content-Type: text/plain; charset="UTF-8"

On Thu, Feb 14, 2019 at 12:29 PM Arnt Gulbrandsen <arnt@gulbrandsen.priv.no>
wrote:

> On Thursday 14 February 2019 14:58:58 CET, Tony Finch wrote:
> > How does this relate to:
> >
> > https://tools.ietf.org/html/draft-wkumari-dnsop-hammer
> > https://tools.ietf.org/html/draft-ietf-dnsop-7706bis
>
> It originates in various ideas Jiankang and I have chatted about.
>
> I didn't like 7706, because I feel that the servers that have long ping
> times to the nearest root are more likely to have admins who make
> mistakes.
> Jiankang and I discussed alternatives when we met a while ago, and a few
> times since. Once we hit upon this possibility, we didn't discuss
> draft-wkumari-dnsop-hammer, perhaps because it's expired and we'd
> forgotten. Mental entropy.
>
> Compared to the hammer draft, I should say that this is dead simple, has
> one fewer acronyms, and that both of those are intentional features.
>
> I see your name is in the text. Why did you let it expire?
>
> > It looks like this new draft is actually a revision of:
> >
> > https://tools.ietf.org/html/draft-yao-dnsop-root-cache
>
> Probably correct. It was I who did the typing, and I prefer to start by
> editing something that already has the right XML stuff and at least some
> references etc.
>
> Arnt
>

The draft assumes typical TTL is a week, but what I see in the root zone is:
 the records for X.root-servers.net are 6 days (518400),
DS, NSEC, RRSIG, and SOA are 1 day (86400), and
 A, AAAA, DNSKEY, and NS are all 2 days (172800).
I assume the NS records are the most often used?

So I think the draft needs to recalculate the numbers with 2 days as the
typical ttl.

awk '{print $2,$4}' root.zone | sort | uniq -c
      2
   4159 172800 A
   3648 172800 AAAA
      3 172800 DNSKEY
   7269 172800 NS
      2 172800 RRSIG
     13 518400 A
     13 518400 AAAA
     13 518400 NS
      1 518400 RRSIG
   2903 86400 DS
   1536 86400 NSEC
   2926 86400 RRSIG
      2 86400 SOA
      1 <<>> 9.11.3-1ubuntu1.3-Ubuntu
      1 global +cmd
      1 Query 8197
      1 SERVER:
      1 WHEN: Feb
      1 XFR 22488

-- 
Bob Harold

--000000000000aeafeb0581e1871a--


From nobody Thu Feb 14 13:57:19 2019
Return-Path: <paul@redbarn.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9FCA612D826 for <dnsop@ietfa.amsl.com>; Thu, 14 Feb 2019 13:57:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4UoTwVvWpLs8 for <dnsop@ietfa.amsl.com>; Thu, 14 Feb 2019 13:57:16 -0800 (PST)
Received: from family.redbarn.org (family.redbarn.org [24.104.150.213]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 81AF71200D7 for <dnsop@ietf.org>; Thu, 14 Feb 2019 13:57:16 -0800 (PST)
Received: from [IPv6:2001:559:8000:c9:b448:8ed0:27c1:2c1b] (unknown [IPv6:2001:559:8000:c9:b448:8ed0:27c1:2c1b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client did not present a certificate) by family.redbarn.org (Postfix) with ESMTPSA id 398AC892C6 for <dnsop@ietf.org>; Thu, 14 Feb 2019 21:57:16 +0000 (UTC)
To: IETF DNSOP WG <dnsop@ietf.org>
From: Paul Vixie <paul@redbarn.org>
Message-ID: <b45edb5e-1508-0b02-a14c-a5be4ca9c0e6@redbarn.org>
Date: Thu, 14 Feb 2019 13:57:14 -0800
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 PostboxApp/6.1.10
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/eo0tT7ZrAvvFOhCUJLPZfwK87bA>
Subject: [DNSOP] the root is not special, everybody please stop obsessing over it
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Feb 2019 21:57:19 -0000

7706 is wrong headed on a number of levels, but its worst offense is to 
think that the root zone is special. we need dns to have leases on its 
delegation chain including glue and dnssec metadata. everything you 
might need to use in order to reach a zone authority and trust its 
results should be kept warm. the owner of the data you've leased must 
have the ability to reach out and invalidate it in a trusted way.

having .CN's delegation data resident because of 7706 doesn't help you 
reach your own EXAMPLE.CN name servers if the network outage you were 
concerned about is inside china rather than between china and the rest 
of the world.

NFS gave an example of how to solve this, 25 years ago, with NQLEASE. i 
am not asking for new computer science, only application of what's 
already well understood outside the DNS community, as to keeping the hot 
side hot.

unbound has pioneered a bit of this by automatically refetching data 
that's near its expiration point. we should work from there outward, by 
standardizing it, prioritizing delegation and dnssec metadata, and 
exploring ways that the .CN servers could invalidate old NS RRset or DS 
RRset data (or indeed DNSKEY and RRSIG) if it was willing to do the work 
of remembering who it had handed the now-invalid data to and what trust 
markers would be needed to get an RDNS to accept some new form of NOTIFY 
to purge its cache.

_that_ would be complexity worth its cost. 7706 was not. HAMMER is not. 
indeed nothing which treats the root zone as special is worth pursuing, 
since many other things besides the root zone are also needed for 
correct operation during network partition events.

the fact that i have to hotwire my RDNS cache with local zone glue in 
order to reach my own servers when my comcast circuit is down or i can't 
currently reach the .SU authorities to learn where VIX.SU is, should not 
only concern, but also embarrass, all of us.

vixie


From nobody Thu Feb 14 14:13:49 2019
Return-Path: <marka@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6F99F131053 for <dnsop@ietfa.amsl.com>; Thu, 14 Feb 2019 14:13:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.9
X-Spam-Level: 
X-Spam-Status: No, score=-6.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8MA_-2Jnb2ew for <dnsop@ietfa.amsl.com>; Thu, 14 Feb 2019 14:13:45 -0800 (PST)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [149.20.64.53]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E858D1311EA for <dnsop@ietf.org>; Thu, 14 Feb 2019 14:13:43 -0800 (PST)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.pao1.isc.org (Postfix) with ESMTPS id 8733F3AB042; Thu, 14 Feb 2019 22:13:42 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id 60B3616006E; Thu, 14 Feb 2019 22:13:12 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id 39C91160072; Thu, 14 Feb 2019 22:13:12 +0000 (UTC)
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id YpQkUEMQSB5b; Thu, 14 Feb 2019 22:13:12 +0000 (UTC)
Received: from [172.30.42.67] (c27-253-115-14.carlnfd2.nsw.optusnet.com.au [27.253.115.14]) by zmx1.isc.org (Postfix) with ESMTPSA id 3E32D16006E; Thu, 14 Feb 2019 22:13:11 +0000 (UTC)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
From: Mark Andrews <marka@isc.org>
In-Reply-To: <b45edb5e-1508-0b02-a14c-a5be4ca9c0e6@redbarn.org>
Date: Fri, 15 Feb 2019 09:13:07 +1100
Cc: IETF DNSOP WG <dnsop@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <C976AB63-C8BD-4F11-8A1A-ADAE05D52CA3@isc.org>
References: <b45edb5e-1508-0b02-a14c-a5be4ca9c0e6@redbarn.org>
To: Paul Vixie <paul@redbarn.org>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/TBRgndzQiIJpaEbEOMdYACqtdmw>
Subject: Re: [DNSOP] the root is not special, everybody please stop obsessing over it
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Feb 2019 22:13:48 -0000

> On 15 Feb 2019, at 8:57 am, Paul Vixie <paul@redbarn.org> wrote:
>=20
> 7706 is wrong headed on a number of levels, but its worst offense is =
to think that the root zone is special. we need dns to have leases on =
its delegation chain including glue and dnssec metadata. everything you =
might need to use in order to reach a zone authority and trust its =
results should be kept warm. the owner of the data you've leased must =
have the ability to reach out and invalidate it in a trusted way.
>=20
> having .CN's delegation data resident because of 7706 doesn't help you =
reach your own EXAMPLE.CN name servers if the network outage you were =
concerned about is inside china rather than between china and the rest =
of the world.
>=20
> NFS gave an example of how to solve this, 25 years ago, with NQLEASE. =
i am not asking for new computer science, only application of what's =
already well understood outside the DNS community, as to keeping the hot =
side hot.
>=20
> unbound has pioneered a bit of this by automatically refetching data =
that's near its expiration point. we should work from there outward, by =
standardizing it, prioritizing delegation and dnssec metadata, and =
exploring ways that the .CN servers could invalidate old NS RRset or DS =
RRset data (or indeed DNSKEY and RRSIG) if it was willing to do the work =
of remembering who it had handed the now-invalid data to and what trust =
markers would be needed to get an RDNS to accept some new form of NOTIFY =
to purge its cache.
>=20
> _that_ would be complexity worth its cost. 7706 was not. HAMMER is =
not. indeed nothing which treats the root zone as special is worth =
pursuing, since many other things besides the root zone are also needed =
for correct operation during network partition events.
>=20
> the fact that i have to hotwire my RDNS cache with local zone glue in =
order to reach my own servers when my comcast circuit is down or i can't =
currently reach the .SU authorities to learn where VIX.SU is, should not =
only concern, but also embarrass, all of us.

Having the local recursive server having a copy of the local zones was
always part of DNS’s deployment model.  Having authoritative servers not be
recursive servers is not the same as recursive servers not being
authoritative for some zones.

One thing we missed when adding NOTIFY was adding a NOTIFY-ALSO RRset. In
named we work around this by having an also-notify clause in the zone’s
configuration clause.

DNS RRsets need two TTLs. 1) refresh after in case we need to update. 2) stop believing
this result after.  With a little bit of EDNS negotiation both can be transmitted in
a response.

> vixie

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka@isc.org


From nobody Thu Feb 14 14:28:06 2019
MIME-Version: 1.0
References: <154689301066.32204.17312124670782800354@ietfa.amsl.com> <20190214195125.nwbazwpk3rgrgxkf@sources.org> <CAHw9_iLeAwU8gskbhyd7OMPYEY68eCDocB9k6ezjUxYj=_WHRg@mail.gmail.com>
In-Reply-To: <CAHw9_iLeAwU8gskbhyd7OMPYEY68eCDocB9k6ezjUxYj=_WHRg@mail.gmail.com>
From: Brian Dickson <brian.peter.dickson@gmail.com>
Date: Thu, 14 Feb 2019 14:27:51 -0800
Message-ID: <CAH1iCirYTO8oDUZ60nRa6dJKKbbfVxLmyDJyh2WJyDZ8q0L46A@mail.gmail.com>
To: Warren Kumari <warren@kumari.net>
Cc: Stephane Bortzmeyer <bortzmeyer@nic.fr>, dnsop <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000e388e40581e22b2b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/UNctyul4-KEdQ-kGxGzyX0sVUOY>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-extended-error-04.txt

--000000000000e388e40581e22b2b
Content-Type: text/plain; charset="UTF-8"

On Thu, Feb 14, 2019 at 12:34 PM Warren Kumari <warren@kumari.net> wrote:

>
>
> On Thu, Feb 14, 2019 at 2:53 PM Stephane Bortzmeyer <bortzmeyer@nic.fr>
> wrote:
>
>> On Mon, Jan 07, 2019 at 12:30:10PM -0800,
>>  internet-drafts@ietf.org <internet-drafts@ietf.org> wrote
>>  a message of 44 lines which said:
>>
>> >         Title           : Extended DNS Errors
>> >         Authors         : Warren Kumari
>> >                           Evan Hunt
>> >                           Roy Arends
>> >                           Wes Hardaker
>> >                           David C Lawrence
>> >       Filename        : draft-ietf-dnsop-extended-error-04.txt
>>
>> Some remarks but before, note I think that it is very important that
>> we have a way to report more detailed error causes. One of the biggest
>> problems of DNSSEC is that there is no easy way for the resolver to
>> report to the application about a DNSSEC problem. So, the work on this
>> draft is essential.
>>
>>
> Thank you, I / we certainly think so.
>
>
>
>> Now, the problems:
>>
>>
> > 4.2.5.  SERVFAIL Extended DNS Error Code 5 - DNSKEY missing
>> >
>> >   A DS record existed at a parent, but no DNSKEY record could be found
>> >   for the child.
>>
>> I suggest to replace "no DNSKEY record could be found for the child"
>> by "no DNSKEY record for this specific key could be found for the
>> child".
>>
>>
> LGTM.
>

I disagree; I concur with Michael Sheldon (my colleague).

I think the semantics that need to be expressed are:
"No matching DS/DNSKEY pairs could be found for the child."

It doesn't necessarily require the absence of specific DS records in the
parent,
or DNSKEY records in the child, or the complete absence of e.g. DNSKEYs.

It may or may not make any sense to call out other sources of error leading
to this condition, e.g. in the EXTRA-TEXT field.
(No DNSKEYs; No valid DNSKEYs; No valid DS records; Valid DS with Expired
RRSIG; Valid DNSKEY with Expired RRSIG, etc.)

And it definitely should only be SERVFAIL iff no matching, valid DS/DNSKEY
pairs (i.e. DNSSEC validated DNSKEY, with matching, understood algorithms
and non-expired signatures exist).

Brian

--000000000000e388e40581e22b2b--
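
The wording debate in the message above turns on what counts as a "matching DS/DNSKEY pair". The sketch below is an added example, not code from the draft or from any poster: it implements only the pairing step (key tag, algorithm, digest over owner name plus DNSKEY RDATA) and leaves RRSIG validation and expiry out. The owner name, key bytes and the returned strings are constructed for illustration.

```python
import hashlib
import struct
from typing import List, NamedTuple, Optional, Tuple

# DS digest types this sketch understands: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384.
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}
ZONE_KEY = 0x0100  # DNSKEY flags bit 7: key is a zone key


class DNSKEY(NamedTuple):
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes

    def rdata(self) -> bytes:
        """Wire-format RDATA: flags, protocol, algorithm, public key."""
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key


class DS(NamedTuple):
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes


def name_to_wire(name: str) -> bytes:
    """Canonical (lowercased) wire form of an owner name."""
    labels = [lab.encode("ascii") for lab in name.lower().split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab for lab in labels) + b"\x00"


def key_tag(rdata: bytes) -> int:
    """Key tag over DNSKEY RDATA as in RFC 4034 Appendix B (not algorithm 1)."""
    acc = 0
    for i, octet in enumerate(rdata):
        acc += (octet << 8) if i % 2 == 0 else octet
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def make_ds(owner: str, key: DNSKEY, digest_type: int = 2) -> DS:
    """DS a parent would publish for `key`: digest(owner wire name | DNSKEY RDATA)."""
    digest = DIGESTS[digest_type](name_to_wire(owner) + key.rdata()).digest()
    return DS(key_tag(key.rdata()), key.algorithm, digest_type, digest)


def matching_pairs(owner: str, ds_set: List[DS], dnskey_set: List[DNSKEY]) -> List[Tuple[DS, DNSKEY]]:
    """Every (DS, DNSKEY) pair that agrees on key tag, algorithm and digest."""
    pairs = []
    for ds in ds_set:
        hasher = DIGESTS.get(ds.digest_type)
        if hasher is None:
            continue  # digest type not understood: this DS cannot be paired
        for key in dnskey_set:
            rdata = key.rdata()
            if not key.flags & ZONE_KEY or key.protocol != 3:
                continue  # not usable as a zone key
            if (key.algorithm, key_tag(rdata)) != (ds.algorithm, ds.key_tag):
                continue
            if hasher(name_to_wire(owner) + rdata).digest() == ds.digest:
                pairs.append((ds, key))
    return pairs


def diagnose(owner: str, ds_set: List[DS], dnskey_set: List[DNSKEY]) -> Optional[str]:
    """None when at least one pair matches, else a hypothetical EXTRA-TEXT string."""
    if matching_pairs(owner, ds_set, dnskey_set):
        return None
    if not dnskey_set:
        return "No DNSKEYs"
    return "No matching DS/DNSKEY pairs"


# Constructed sample data: two DS records at the parent, as during a key rollover.
OWNER = "child.example."
KEY_A = DNSKEY(257, 3, 13, bytes(range(64)))
KEY_B = DNSKEY(257, 3, 13, bytes(range(64, 128)))
KEY_C = DNSKEY(257, 3, 13, bytes(range(128, 192)))  # never published at the parent
PARENT_DS = [make_ds(OWNER, KEY_A), make_ds(OWNER, KEY_B)]

if __name__ == "__main__":
    for label, keys in (("only KEY_B", [KEY_B]), ("only KEY_C", [KEY_C]), ("empty", [])):
        print(label, "->", diagnose(OWNER, PARENT_DS, keys))
```

With only KEY_B published, the DS for KEY_A has no DNSKEY, yet one pair still matches and no error condition is reported; the "no matching pairs" result appears only when every DS fails to pair.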


From nobody Thu Feb 14 15:17:29 2019
From: "Henderson, Karl" <KHenderson@verisign.com>
To: "dnsop@ietf.org" <dnsop@ietf.org>
Date: Thu, 14 Feb 2019 23:17:23 +0000
Message-ID: <682B531B-11CE-450B-8404-DF575B0E6D66@verisign.com>
Content-Type: multipart/alternative; boundary="_000_682B531B11CE450B8404DF575B0E6D66verisigncom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/7hUq82aAHhw9b9bfjcbCpq0MqlE>
Subject: Re: [DNSOP] extension of DoH to authoritative servers

--_000_682B531B11CE450B8404DF575B0E6D66verisigncom_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit

As we discussed during the interim dprive meeting held last December, we need more empirical studies looking at performance as well as attack vectors. I’m aware of Sinodun’s efforts in this area but are there others that address performance and attack vectors specifically for both DoT and DoH at the authoritative?

--_000_682B531B11CE450B8404DF575B0E6D66verisigncom_--


From nobody Thu Feb 14 15:23:22 2019
To: Mark Andrews <marka@isc.org>
Cc: IETF DNSOP WG <dnsop@ietf.org>
References: <b45edb5e-1508-0b02-a14c-a5be4ca9c0e6@redbarn.org> <C976AB63-C8BD-4F11-8A1A-ADAE05D52CA3@isc.org>
From: Paul Vixie <paul@redbarn.org>
Message-ID: <10b79e6a-caf5-3c0b-fe70-a1ad47656100@redbarn.org>
Date: Thu, 14 Feb 2019 15:23:18 -0800
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 PostboxApp/6.1.10
MIME-Version: 1.0
In-Reply-To: <C976AB63-C8BD-4F11-8A1A-ADAE05D52CA3@isc.org>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/he66k1-Kptpmd3kAgDxRZRHf7fw>
Subject: Re: [DNSOP] the root is not special, everybody please stop obsessing over it

Mark Andrews wrote on 2019-02-14 14:13:
...
>> the fact that i have to hotwire my RDNS cache with local zone glue in order to reach my own servers when my comcast circuit is down or i can't currently reach the .SU authorities to learn where VIX.SU is, should not only concern, but also embarrass, all of us.
> 
> Having the local recursive server having a copy of the local zones was
> always part of DNS’s deployment model.  Having authoritative servers not be
> recursive servers is not the same as recursive servers not being
> authoritative for some zones.

i didn't expect you to need the broader example. the narrow example 
where i can't find my own zones is trivial. it's when i can't find other 
services whose dns is authoritatively served within my isp or my region, 
because even though i have connectivity within that isp or that region, 
there is a political or physical connectivity break between that isp or 
that region and the rest of the world, for example, the servers for 
TLD's and 2LD's and 3LD's whose delegators are outside my connectivity.

> One thing we missed when adding NOTIFY was adding a NOTIFY-ALSO RRset. In
> named we work around this by having an also-notify clause in the zone’s
> configuration clause.

that won't help. an authority server must have a protocol by which they 
can, at their own discretion, opportunistically invalidate prior 
answers, and which can be trusted by the RDNS servers hearing those 
invalidation messages.

> 
> DNS RRsets need two TTLs. 1) refresh after in case we need to update. 2) stop believing
> this result after.  With a little bit of EDNS negotiation both can be transmitted in
> a response.

that won't help the case which is more common than connectivity splits, 
which is where the old data has become harmful (key compromised, server 
or network offline, emergency renumber or rehoming or rekeying required).

let's stop thinking of this as a root problem or a TLD problem. the 
metadata an RDNS will need to reach and trust servers it can reach, may 
be on the wrong side of a network partition. that includes the entire 
NS/DS and DNSKEY/RRSIG chain, plus A/AAAA glue. we need partial zone 
authority, like a mini-slave, where the RDNS has _subscribed_ to the 
content it is keeping, and has a potential trust relationship with the 
owner of that data. we can argue about whether it's like mini-IXFR in 
which case it can answer authoritatively for the partial data it has 
leased. but we should not be talking about second TTL's, or root-only 
solutions like 7706.

vixie

-- 
P Vixie


From nobody Thu Feb 14 15:41:14 2019
Date: Thu, 14 Feb 2019 23:41:11 +0000
From: Evan Hunt <each@isc.org>
To: Paul Vixie <paul@redbarn.org>
Cc: IETF DNSOP WG <dnsop@ietf.org>
Message-ID: <20190214234111.GA87001@isc.org>
References: <b45edb5e-1508-0b02-a14c-a5be4ca9c0e6@redbarn.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <b45edb5e-1508-0b02-a14c-a5be4ca9c0e6@redbarn.org>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/1OXDKHM1xodbFii5UGOe5WiPmlg>
Subject: Re: [DNSOP] the root is not special, everybody please stop obsessing over it

On Thu, Feb 14, 2019 at 01:57:14PM -0800, Paul Vixie wrote:
> unbound has pioneered a bit of this by automatically refetching data 
> that's near its expiration point.
[...]
> _that_ would be complexity worth its cost. 7706 was not. HAMMER is not. 

I'm confused, what's the difference between HAMMER and the thing you said?

(Which BIND also does, incidentally.)

-- 
Evan Hunt -- each@isc.org
Internet Systems Consortium, Inc.


From nobody Thu Feb 14 15:56:18 2019
Date: Thu, 14 Feb 2019 23:56:14 +0000
From: Evan Hunt <each@isc.org>
To: Paul Vixie <paul@redbarn.org>
Cc: IETF DNSOP WG <dnsop@ietf.org>
Message-ID: <20190214235614.GB87001@isc.org>
References: <b45edb5e-1508-0b02-a14c-a5be4ca9c0e6@redbarn.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <b45edb5e-1508-0b02-a14c-a5be4ca9c0e6@redbarn.org>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Znb1FKUTc8JoqDo9EnpDhyNC2rY>
Subject: Re: [DNSOP] the root is not special, everybody please stop obsessing over it

On Thu, Feb 14, 2019 at 01:57:14PM -0800, Paul Vixie wrote:
> indeed nothing which treats the root zone as special is worth pursuing, 
> since many other things besides the root zone are also needed for 
> correct operation during network partition events.

This point is well taken, but sometimes the root zone is a useful test
case for innovations that might be more generically useful later. It's
relatively small, relatively static, *XFR accessible, signed but uses
NSEC not NSEC3, etc. It's pleasantly free of annoyances.

So, zone mirroring fell out of 7706, and I suspect it will eventually have
broader applications than just local root cache. I think some of the early
work on aggressive negative caching was root-specific as well.  I wouldn't
assume an idea is bad just because it's currently focused on the root, it
might not always be.

-- 
Evan Hunt -- each@isc.org
Internet Systems Consortium, Inc.


From nobody Thu Feb 14 16:05:28 2019
To: Evan Hunt <each@isc.org>
Cc: IETF DNSOP WG <dnsop@ietf.org>
References: <b45edb5e-1508-0b02-a14c-a5be4ca9c0e6@redbarn.org> <20190214235614.GB87001@isc.org>
From: Paul Vixie <paul@redbarn.org>
Message-ID: <6c3d6894-c584-c4fd-d09e-55903b34bead@redbarn.org>
Date: Thu, 14 Feb 2019 16:05:22 -0800
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 PostboxApp/6.1.10
MIME-Version: 1.0
In-Reply-To: <20190214235614.GB87001@isc.org>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/wGPo4TOai9XGDVCcXHTsDy3pYUo>
Subject: Re: [DNSOP] the root is not special, everybody please stop obsessing over it

Evan Hunt wrote on 2019-02-14 15:56:
> On Thu, Feb 14, 2019 at 01:57:14PM -0800, Paul Vixie wrote:
>> indeed nothing which treats the root zone as special is worth 
>> pursuing, since many other things besides the root zone are also 
>> needed for correct operation during network partition events.
> 
> This point is well taken, but sometimes the root zone is a useful 
> test case for innovations that might be more generically useful 
> later. It's relatively small, relatively static, *XFR accessible, 
> signed but uses NSEC not NSEC3, etc. It's pleasantly free of 
> annoyances.

its distraction value, where countries lacking root server _operators_
of their own, feel diminished thereby, and where technology solutions
that affect the root zone in some way, feel unduly relevant... makes it
an _unuseful_ test case. recall that AAAA and DS came to every other
zone in the DNS before it was grudgingly admitted into the root zone.

we have to stop using the root zone as any kind of test case. it's not
special and should be treated unspecially. any technology which focuses
on it should be suspected immediately of "shiny object syndrome."

> So, zone mirroring fell out of 7706, and I suspect it will
> eventually have broader applications than just local root cache.

nope. because it did not prototype any partial replication. i'm not
going to mirror COM because i need it to reach FARSIGHTSECURITY.COM. we
needed to focus on partial replication, and avoid any solution that
would only work for small zones that changed infrequently, so as to
avoid wasting years of opportunity on a solution that changed nothing
and led nowhere.

> I think some of the early work on aggressive negative caching was 
> root-specific as well.

no. in fact, the opposite was true. the first ANC was OTWANC (off the
wire ANC), which had to be specified as part of DLV, which was
instigated in the first place principally because no one knew how many
more years we'd have to wait before a DS RR could be placed into the
root zone.

> I wouldn't assume an idea is bad just because it's currently focused
> on the root, it might not always be.

for reasons stated above, there are _no_ counterexamples showing that a 
focus on root-specific technology ever did any good, and a plethora of 
examples where focus on root-specific technology did some lasting harm.

therefore, our assumption of any root-specific proposal should be, until 
and unless proved otherwise on a case by case basis, that it's "shiny 
object syndrome", rather than a legitimate engineering exercise.

-- 
P Vixie


From nobody Thu Feb 14 17:35:48 2019
Return-Path: <chinese.apricot@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 99758131057 for <dnsop@ietfa.amsl.com>; Thu, 14 Feb 2019 17:35:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level: 
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id L7BpvFpkYaKa for <dnsop@ietfa.amsl.com>; Thu, 14 Feb 2019 17:35:45 -0800 (PST)
Received: from mail-yb1-xb32.google.com (mail-yb1-xb32.google.com [IPv6:2607:f8b0:4864:20::b32]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F236A13103F for <dnsop@ietf.org>; Thu, 14 Feb 2019 17:35:44 -0800 (PST)
Received: by mail-yb1-xb32.google.com with SMTP id n134so359535ybg.12 for <dnsop@ietf.org>; Thu, 14 Feb 2019 17:35:44 -0800 (PST)
X-Received: by 2002:a25:ac45:: with SMTP id r5mr6031570ybd.61.1550194543931; Thu, 14 Feb 2019 17:35:43 -0800 (PST)
MIME-Version: 1.0
References: <b45edb5e-1508-0b02-a14c-a5be4ca9c0e6@redbarn.org> <20190214235614.GB87001@isc.org> <6c3d6894-c584-c4fd-d09e-55903b34bead@redbarn.org>
In-Reply-To: <6c3d6894-c584-c4fd-d09e-55903b34bead@redbarn.org>
From: william manning <chinese.apricot@gmail.com>
Date: Thu, 14 Feb 2019 17:35:33 -0800
Message-ID: <CACfw2hiH5pS1wL+MKCq6-vYZS2sQ562Ke-2unC7zV1KQMPJybw@mail.gmail.com>
To: Paul Vixie <paul@redbarn.org>
Cc: Evan Hunt <each@isc.org>, IETF DNSOP WG <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000001fb3d90581e4cb64"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/CvDf-IKa-fH9fX-ArF407FUmR_U>
Subject: Re: [DNSOP] the root is not special, everybody please stop obsessing over it
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Feb 2019 01:35:48 -0000

--0000000000001fb3d90581e4cb64
Content-Type: text/plain; charset="UTF-8"

so, you would like the DNS to be resilient enough to "see" what was
topologically reachable and build a connected graph of those assets?  I
think that has been done, both academically and in a more limited way,
commercially, but it's not called DNS so as not to upset the DNS mafia.  Or
do you want something more restrictive than that?

/Wm

On Thu, Feb 14, 2019 at 4:05 PM Paul Vixie <paul@redbarn.org> wrote:

>
>
> Evan Hunt wrote on 2019-02-14 15:56:
> > On Thu, Feb 14, 2019 at 01:57:14PM -0800, Paul Vixie wrote:
> >> indeed nothing which treats the root zone as special is worth
> >> pursuing, since many other things besides the root zone are also
> >> needed for correct operation during network partition events.
> >
> > This point is well taken, but sometimes the root zone is a useful
> > test case for innovations that might be more generically useful
> > later. It's relatively small, relatively static, *XFR accessible,
> > signed but uses NSEC not NSEC3, etc. It's pleasantly free of
> > annoyances.
>
> its distraction value, where countries lacking root server _operators_
> of their own, feel diminished thereby, and where technology solutions
> that affect the root zone in some way, feel unduly relevant... makes it
> an _unuseful_ test case. recall that AAAA and DS came to every other
> zone in the DNS before it was grudgingly admitted into the root zone.
>
> we have to stop using the root zone as any kind of test case. it's not
> special and should be treated unspecially. any technology which focuses
> on it should be suspected immediately of "shiny object syndrome."
>
> > So, zone mirroring fell out of 7706, and I suspect it will
> > eventually have broader applications than just local root cache.
>
> nope. because it did not prototype any partial replication. i'm not
> going to mirror COM because i need it to reach FARSIGHTSECURITY.COM. we
> needed to focus on partial replication, and avoid any solution that
> would only work for small zones that changed infrequently, so as to
> avoid wasting years of opportunity on a solution that changed nothing
> and led nowhere.
>
> > I think some of the early work on aggressive negative caching was
> > root-specific as well.
>
> no. in fact, the opposite was true. the first ANC was OTWANC (off the
> wire ANC), which had to be specified as part of DLV, which was
> instigated in the first place principally because no one knew how many
> more years we'd have to wait before a DS RR could be placed into the
> root zone.
>
> > I wouldn't assume an idea is bad just because it's currently focused
> > on the root, it might not always be.
>
> for reasons stated above, there are _no_ counterexamples showing that a
> focus on root-specific technology ever did any good, and a plethora of
> examples where focus on root-specific technology did some lasting harm.
>
> therefore, our assumption of any root-specific proposal should be, until
> and unless proved otherwise on a case by case basis, that it's "shiny
> object syndrome", rather than a legitimate engineering exercise.
>
> --
> P Vixie
>

--0000000000001fb3d90581e4cb64--


From nobody Thu Feb 14 17:51:48 2019
Return-Path: <paul@redbarn.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D92A0128CF3 for <dnsop@ietfa.amsl.com>; Thu, 14 Feb 2019 17:51:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level: 
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aSKcaaxZ5blu for <dnsop@ietfa.amsl.com>; Thu, 14 Feb 2019 17:51:46 -0800 (PST)
Received: from family.redbarn.org (family.redbarn.org [IPv6:2001:559:8000:cd::5]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2A190126C15 for <dnsop@ietf.org>; Thu, 14 Feb 2019 17:51:46 -0800 (PST)
Received: from [IPv6:2001:559:8000:c9:b448:8ed0:27c1:2c1b] (unknown [IPv6:2001:559:8000:c9:b448:8ed0:27c1:2c1b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client did not present a certificate) by family.redbarn.org (Postfix) with ESMTPSA id D22B6892C6; Fri, 15 Feb 2019 01:51:45 +0000 (UTC)
To: william manning <chinese.apricot@gmail.com>
Cc: Evan Hunt <each@isc.org>, IETF DNSOP WG <dnsop@ietf.org>
References: <b45edb5e-1508-0b02-a14c-a5be4ca9c0e6@redbarn.org> <20190214235614.GB87001@isc.org> <6c3d6894-c584-c4fd-d09e-55903b34bead@redbarn.org> <CACfw2hiH5pS1wL+MKCq6-vYZS2sQ562Ke-2unC7zV1KQMPJybw@mail.gmail.com>
From: Paul Vixie <paul@redbarn.org>
Message-ID: <c54c48aa-1c75-7b72-2b52-3583e0e803ed@redbarn.org>
Date: Thu, 14 Feb 2019 17:51:45 -0800
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 PostboxApp/6.1.10
MIME-Version: 1.0
In-Reply-To: <CACfw2hiH5pS1wL+MKCq6-vYZS2sQ562Ke-2unC7zV1KQMPJybw@mail.gmail.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/tFD1FMWDYimv6vJ48gnoXztMR_Y>
Subject: Re: [DNSOP] the root is not special, everybody please stop obsessing over it
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Feb 2019 01:51:48 -0000

william manning wrote on 2019-02-14 17:35:
> so, you would like the DNS to be resilient enough to "see" what was 
> topologically reachable and build a connected graph of those assets?

no. that's not possible, and not desirable in any case.

> I think that has been done, both academically and in a more limited way, 
> commercially, but it's not called DNS so as not to upset the DNS mafia.
> Or do you want something more restrictive than that?

i want the metadata i need to reach and trust assets on my side of any 
connectivity loss event, to be kept in warm storage, and made subject to 
trusted invalidation on an opportunistic basis, at the discretion of the 
authority operators who own the data i have warm copies of.

in practice this means DS/NS and DNSKEY/RRSIG and AAAA/A from my static 
trust anchor(s) down to any data i used recently or frequently (or by 
some other priority scheme), and i want it to look a bit like the single 
transaction mode of IXFR plus the single transaction mode of NOTIFY.

no topology information as to actual connectivity will be modeled or 
estimated or needed. what matters is whether i can still reach all 
internet resources on my side of a break in connectivity (whether local 
or regional or distant), without needing any information that's 
otherwise only available on the far side of the connectivity break.

thanks for asking; i am happy to clarify. DNS infrastructure should not 
be centralized, even if its content remains centrally coordinated by 
ICANN. (block chain people keep telling me that ICANN will be obsolete, 
but i'm not taking a position on that, only on data resiliency.)

-- 
P Vixie


From nobody Thu Feb 14 18:27:45 2019
Return-Path: <gtaylor@tnetconsulting.net>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E1989130DE3 for <dnsop@ietfa.amsl.com>; Thu, 14 Feb 2019 18:27:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level: 
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=tnetconsulting.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id In5jkphZ6sNe for <dnsop@ietfa.amsl.com>; Thu, 14 Feb 2019 18:27:41 -0800 (PST)
Received: from tncsrv06.tnetconsulting.net (tncsrv06.tnetconsulting.net [IPv6:2600:3c00:e000:1e9::8849]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A23D0130DD8 for <dnsop@ietf.org>; Thu, 14 Feb 2019 18:27:41 -0800 (PST)
Received: from Contact-TNet-Consulting-Abuse-for-assistance by tncsrv06.tnetconsulting.net (8.15.2/8.15.2/Debian-3) with ESMTPSA id x1F2RddG007037 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO) for <dnsop@ietf.org>; Thu, 14 Feb 2019 20:27:40 -0600
ARC-Filter: OpenARC Filter v0.1.0 tncsrv06.tnetconsulting.net x1F2RddG007037
Authentication-Results: tncsrv06.tnetconsulting.net; arc=none header.d=tnetconsulting.net
ARC-Authentication-Results: i=1; tncsrv06.tnetconsulting.net; none
To: dnsop@ietf.org
References: <b45edb5e-1508-0b02-a14c-a5be4ca9c0e6@redbarn.org> <20190214235614.GB87001@isc.org> <6c3d6894-c584-c4fd-d09e-55903b34bead@redbarn.org> <CACfw2hiH5pS1wL+MKCq6-vYZS2sQ562Ke-2unC7zV1KQMPJybw@mail.gmail.com> <c54c48aa-1c75-7b72-2b52-3583e0e803ed@redbarn.org>
From: Grant Taylor <gtaylor@tnetconsulting.net>
Organization: TNet Consulting
Message-ID: <c25c30d6-91f5-ddd9-4dc4-475c1b55bf78@spamtrap.tnetconsulting.net>
Date: Thu, 14 Feb 2019 19:27:41 -0700
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.4.0
MIME-Version: 1.0
In-Reply-To: <c54c48aa-1c75-7b72-2b52-3583e0e803ed@redbarn.org>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="------------ms040404000801080901090608"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/7Z3hGsWcEl54Hg47KokczDqgT4s>
Subject: Re: [DNSOP] the root is not special, everybody please stop obsessing over it
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Feb 2019 02:27:44 -0000

This is a cryptographically signed message in MIME format.

--------------ms040404000801080901090608
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: quoted-printable

On 2/14/19 6:51 PM, Paul Vixie wrote:
> i want the metadata i need to reach and trust assets on my side of any
> connectivity loss event, to be kept in warm storage, and made subject to
> trusted invalidation on an opportunistic basis, at the discretion of the
> authority operators who own the data i have warm copies of.

Please explain how "warm storage" relates to priming issues.  Does warm
mean that it's something you have queried?  Or does it also include
pertinent (meta)data for interesting things (but not everything) that
you've not yet queried?

> in practice this means DS/NS and DNSKEY/RRSIG and AAAA/A from my static
> trust anchor(s) down to any data i used recently or frequently (or by
> some other priority scheme), and i want it to look a bit like the single
> transaction mode of IXFR plus the single transaction mode of NOTIFY.
>
> no topology information as to actual connectivity will be modeled or
> estimated or needed. what matters is whether i can still reach all
> internet resources on my side of a break in connectivity (whether local
> or regional or distant), without needing any information that's
> otherwise only available on the far side of the connectivity break.

Does "still reach all internet resources on my side of the break"
include things that you've not yet queried for?

I'm wondering if a fancier cache of some sort would suffice.

Specifically I wonder if BIND (et al) can maintain a FIFO (like) list of
QNAMEs, moving the current QNAME to the start of the list, and
proactively refreshing the first 10 / 100 / 1000 / pick a number in such
a way as to not alter the list position when refreshing.

This obviously has a priming problem as a QNAME won't be subject for
refresh until /after/ it has been queried the first time.  This is why I
question your use of the word "warm".

Perhaps this can be implemented as part of the existing garbage
collection process that removes expired cache entries.  If the data to be
purged is in the FIFO, then refresh it and cache the results without
moving it to the head of the FIFO.

The other thing that I might add to this is something to artificially
prime the cache by querying for specific names off of a user definable list.

How close would something like this be to what you're wanting to see?

This would re-use existing mechanism and methodology.  It wouldn't see
changes in data until after cache expiration.  But this is SoP for
caches now.

> thanks for asking; i am happy to clarify. DNS infrastructure should not
> be centralized, even if its content remains centrally coordinated by
> ICANN. (block chain people keep telling me that ICANN will be obsolete,
> but i'm not taking a position on that, only on data resiliency.)



-- 
Grant. . . .
unix || die


--------------ms040404000801080901090608--
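
The cache Grant Taylor proposes in the message above (a recency-ordered list of QNAMEs, refresh at expiry without changing list position, and a user-defined priming list), as an added Python sketch that is not part of the thread and is not BIND code. The class and method names, the `resolve` callback and the sample records are assumptions made for the example.

```python
from collections import OrderedDict


class RefreshingCache:
    """Resolver-cache sketch: the hot_size most recently queried QNAMEs are
    re-fetched when their TTL runs out; everything else expires as usual."""

    def __init__(self, resolve, hot_size):
        self._resolve = resolve        # assumed callback: qname -> (rdata, ttl_seconds)
        self._hot_size = hot_size      # how many recent QNAMEs are kept refreshed
        self._entries = OrderedDict()  # qname -> (rdata, expires_at); last = most recent

    def _fetch(self, qname, now):
        rdata, ttl = self._resolve(qname)
        # Assigning to an existing OrderedDict key keeps its position, so a
        # refresh never changes the entry's place in the recency list.
        self._entries[qname] = (rdata, now + ttl)
        return rdata

    def query(self, qname, now):
        """Client lookup: answer from cache while valid, then mark as most recent."""
        entry = self._entries.get(qname)
        rdata = entry[0] if entry and entry[1] > now else self._fetch(qname, now)
        self._entries.move_to_end(qname)
        return rdata

    def prime(self, qnames, now):
        """Query a user-defined list so those names are refreshable before first use."""
        for qname in qnames:
            self.query(qname, now)

    def hot_names(self):
        """The hot_size most recently queried QNAMEs, most recent first."""
        return list(reversed(self._entries))[: self._hot_size]

    def cached(self, qname, now):
        """Unexpired cached data for qname, or None; does not touch recency."""
        entry = self._entries.get(qname)
        return entry[0] if entry and entry[1] > now else None

    def collect(self, now):
        """Garbage-collection pass: refresh expired hot entries, purge the rest."""
        hot = set(self.hot_names())
        refreshed, purged = [], []
        for qname, (_, expires_at) in list(self._entries.items()):
            if expires_at > now:
                continue
            if qname in hot:
                self._fetch(qname, now)
                refreshed.append(qname)
            else:
                del self._entries[qname]
                purged.append(qname)
        return refreshed, purged


def demo():
    """Run a constructed scenario and return what each stage observed."""
    # Constructed upstream data (documentation addresses), not real records.
    zone = {name: (addr, 60) for name, addr in [
        ("a.example.", "192.0.2.1"), ("b.example.", "192.0.2.2"),
        ("c.example.", "192.0.2.3"), ("d.example.", "192.0.2.4")]}
    cache = RefreshingCache(lambda q: zone[q], hot_size=2)
    for name in ("a.example.", "b.example.", "c.example."):
        cache.query(name, now=0)
    cache.prime(["d.example."], now=5)            # never asked for by a client
    zone["c.example."] = ("192.0.2.33", 60)       # authority changes the record
    before = cache.cached("c.example.", now=30)   # change not visible before expiry
    refreshed, purged = cache.collect(now=60)
    return {
        "before": before,
        "after": cache.cached("c.example.", now=61),
        "refreshed": refreshed,
        "purged": purged,
        "hot": cache.hot_names(),
        # The priming gap: a name nobody queried or listed is simply absent.
        "unqueried": cache.cached("e.example.", now=61),
    }


if __name__ == "__main__":
    print(demo())
```

The scenario shows both limits named in the message: a name that was never queried or primed is not in the cache at all, and a changed record is only picked up at the refresh that follows expiry.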


From nobody Thu Feb 14 18:48:42 2019
Return-Path: <chinese.apricot@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BEB99130EB5 for <dnsop@ietfa.amsl.com>; Thu, 14 Feb 2019 18:48:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level: 
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lNx7RaGz4FtE for <dnsop@ietfa.amsl.com>; Thu, 14 Feb 2019 18:48:38 -0800 (PST)
Received: from mail-yw1-xc2b.google.com (mail-yw1-xc2b.google.com [IPv6:2607:f8b0:4864:20::c2b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 55314130DE3 for <dnsop@ietf.org>; Thu, 14 Feb 2019 18:48:38 -0800 (PST)
Received: by mail-yw1-xc2b.google.com with SMTP id c67so3177859ywa.7 for <dnsop@ietf.org>; Thu, 14 Feb 2019 18:48:38 -0800 (PST)
X-Received: by 2002:a81:63d4:: with SMTP id x203mr5877232ywb.82.1550198917210;  Thu, 14 Feb 2019 18:48:37 -0800 (PST)
MIME-Version: 1.0
References: <b45edb5e-1508-0b02-a14c-a5be4ca9c0e6@redbarn.org> <20190214235614.GB87001@isc.org> <6c3d6894-c584-c4fd-d09e-55903b34bead@redbarn.org> <CACfw2hiH5pS1wL+MKCq6-vYZS2sQ562Ke-2unC7zV1KQMPJybw@mail.gmail.com> <c54c48aa-1c75-7b72-2b52-3583e0e803ed@redbarn.org>
In-Reply-To: <c54c48aa-1c75-7b72-2b52-3583e0e803ed@redbarn.org>
From: william manning <chinese.apricot@gmail.com>
Date: Thu, 14 Feb 2019 18:48:26 -0800
Message-ID: <CACfw2hgm6jTL5WCEoo7eJpDQXEQEdRYP0L8gYDd-fxt8UWVk+Q@mail.gmail.com>
To: Paul Vixie <paul@redbarn.org>
Cc: Evan Hunt <each@isc.org>, IETF DNSOP WG <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000caa7af0581e5cfad"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/peT2ZaZGQb6R6MGUbbdbg1aAqa0>
Subject: Re: [DNSOP] the root is not special, everybody please stop obsessing over it
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Feb 2019 02:48:41 -0000

--000000000000caa7af0581e5cfad
Content-Type: text/plain; charset="UTF-8"

You are welcome.  I think, modulo minor differences in terminology, we are
saying pretty much the same thing.
Pragmatically, DNS infrastructure dependencies cannot be maintained and
work on data resiliency is where the useful work lies.

/Wm

On Thu, Feb 14, 2019 at 5:51 PM Paul Vixie <paul@redbarn.org> wrote:

>
>
> william manning wrote on 2019-02-14 17:35:
> > so, you would like the DNS to be resilient enough to "see" what was
> > topologically reachable and build a connected graph of those assets?
>
> no. that's not possible, and not desirable in any case.
>
> > I think that has been done, both academically and in a more limited way,
> > commercially, but it's not called DNS so as not to upset the DNS mafia.
> > Or do you want something more restrictive than that?
>
> i want the metadata i need to reach and trust assets on my side of any
> connectivity loss event, to be kept in warm storage, and made subject to
> trusted invalidation on an opportunistic basis, at the discretion of the
> authority operators who own the data i have warm copies of.
>
> in practice this means DS/NS and DNSKEY/RRSIG and AAAA/A from my static
> trust anchor(s) down to any data i used recently or frequently (or by
> some other priority scheme), and i want it to look a bit like the single
> transaction mode of IXFR plus the single transaction mode of NOTIFY.
>
> no topology information as to actual connectivity will be modeled or
> estimated or needed. what matters is whether i can still reach all
> internet resources on my side of a break in connectivity (whether local
> or regional or distant), without needing any information that's
> otherwise only available on the far side of the connectivity break.
>
> thanks for asking; i am happy to clarify. DNS infrastructure should not
> be centralized, even if its content remains centrally coordinated by
> ICANN. (block chain people keep telling me that ICANN will be obsolete,
> but i'm not taking a position on that, only on data resiliency.)
>
> --
> P Vixie
>
>


--000000000000caa7af0581e5cfad--


From nobody Thu Feb 14 18:56:56 2019
Return-Path: <paul@redbarn.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 83608130E8B for <dnsop@ietfa.amsl.com>; Thu, 14 Feb 2019 18:56:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level: 
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bNSGKvgBINUS for <dnsop@ietfa.amsl.com>; Thu, 14 Feb 2019 18:56:53 -0800 (PST)
Received: from family.redbarn.org (family.redbarn.org [IPv6:2001:559:8000:cd::5]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3FF2E130E7D for <dnsop@ietf.org>; Thu, 14 Feb 2019 18:56:53 -0800 (PST)
Received: from [IPv6:2001:559:8000:c9:b448:8ed0:27c1:2c1b] (unknown [IPv6:2001:559:8000:c9:b448:8ed0:27c1:2c1b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client did not present a certificate) by family.redbarn.org (Postfix) with ESMTPSA id DBF72892C6; Fri, 15 Feb 2019 02:56:52 +0000 (UTC)
To: Grant Taylor <gtaylor=40tnetconsulting.net@dmarc.ietf.org>
Cc: dnsop@ietf.org
References: <b45edb5e-1508-0b02-a14c-a5be4ca9c0e6@redbarn.org> <20190214235614.GB87001@isc.org> <6c3d6894-c584-c4fd-d09e-55903b34bead@redbarn.org> <CACfw2hiH5pS1wL+MKCq6-vYZS2sQ562Ke-2unC7zV1KQMPJybw@mail.gmail.com> <c54c48aa-1c75-7b72-2b52-3583e0e803ed@redbarn.org> <c25c30d6-91f5-ddd9-4dc4-475c1b55bf78@spamtrap.tnetconsulting.net>
From: Paul Vixie <paul@redbarn.org>
Message-ID: <4c8b9d4c-8a26-6140-0dc9-f5ba84a8f680@redbarn.org>
Date: Thu, 14 Feb 2019 18:56:51 -0800
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 PostboxApp/6.1.10
MIME-Version: 1.0
In-Reply-To: <c25c30d6-91f5-ddd9-4dc4-475c1b55bf78@spamtrap.tnetconsulting.net>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/KU39tkMR3iDOijAG62l1s50L05M>
Subject: Re: [DNSOP] the root is not special, everybody please stop obsessing over it
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Feb 2019 02:56:55 -0000

Grant Taylor wrote on 2019-02-14 18:27:
> Please explain how "warm storage" relates to priming issues.  Does
> warm mean that it's something you have queried?  Or does it also
> include pertinent (meta)data for interesting things (but not
> everything) that you've not yet queried?

i don't expect anyone to store anything they have not queried, though
it's natural for an implementation to permit an operator to statically
define other targets as well, much as mark andrews did with "stub" zones
starting in 1990 or so in BIND4.

> Does "still reach all internet resources on my side of the break" 
> include things that you've not yet queried for?

no. while there may be some kind of persistent storage of long term
popularity information so that things that were ever warm can be kept
warm even if not queried since the last reboot cycle, i do not expect
any tree-walking exercises. my long term study of RDNS tells me that
there is a high correlation between past and future queries. if some
query tries to occur during a connectivity break, it might fail, and in
that sense it's a DNS problem we've always had, that i'm not solving.

> ...
> 
> How close would something like this be to what you're wanting to
> see?

i think leasing behaviour is expensive on a network-wide basis, and
should be limited to high-value data, by which i mean metadata needed to
reach and trust name servers. so, DS/NS, DNSKEY/RRSIG, and related
AAAA/A. i do not foresee remembering non-metadata information, no matter
how popular, since it's in a content operator's power to put a copy of
their DNS infrastructure inside any region that also has a copy of its
services. it's only third party metadata, like the delegation and trust
chain, that is an unmanageable risk today.

also note, i would not propose invalidation on its own merits, because 
the cost of the data-state and trust-state is too high. however, if we 
have to maintain that state anyway, for leasing, then invalidation is 
approximately free, depending on the priorities of the authority server 
operator. therefore, it becomes a package deal, one stone, two birds.

-- 
P Vixie
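
An added sketch, not from this thread or from any resolver implementation, of which RRsets the warm-storage idea above would cover for a set of popular query names. The zone map, the names and the function names are constructed assumptions, as is the reading that "related AAAA/A" pulls in the delegation chain of each name server name; covering RRSIGs are assumed to be stored with each signed RRset.

```python
from collections import Counter

# Constructed delegation map (illustrative only, not real DNS data):
# zone apex -> names of that zone's authoritative servers.
ZONES = {
    ".": ["a.roots.example.org."],
    "org.": ["a.tld.example.org."],
    "com.": ["a.tld.example.org."],
    "example.org.": ["ns1.example.org."],
    "example.com.": ["ns1.example.com.", "ns2.example.org."],
}


def ancestors(name):
    """Yield name and each ancestor, ending with the root '.'."""
    labels = [label for label in name.lower().split(".") if label]
    for i in range(len(labels)):
        yield ".".join(labels[i:]) + "."
    yield "."


def zone_chain(name, zones=ZONES):
    """Zone apexes from the root down to the closest enclosing zone of name."""
    return [z for z in reversed(list(ancestors(name))) if z in zones]


def warm_set(qname, zones=ZONES):
    """Metadata RRsets (owner, type) needed to reach and validate qname.

    Only delegation and trust-chain data is kept: DS/NS, DNSKEY and the
    addresses of name servers. The answer for qname itself is not included.
    Name server names are followed transitively, because reaching a server
    whose name lives in another zone needs that zone's chain as well.
    """
    keep, seen_zones, todo = set(), set(), [qname]
    while todo:
        name = todo.pop()
        for apex in zone_chain(name, zones):
            if apex in seen_zones:      # also breaks dependency cycles
                continue
            seen_zones.add(apex)
            keep |= {(apex, "NS"), (apex, "DNSKEY")}
            if apex != ".":             # the root is covered by the trust anchor
                keep.add((apex, "DS"))
            for ns in zones[apex]:
                keep |= {(ns, "A"), (ns, "AAAA")}
                todo.append(ns)
    return keep


def plan(query_log, top_n, zones=ZONES):
    """Pick the top_n most queried names and return (names, union of warm sets)."""
    popular = [name for name, _ in Counter(query_log).most_common(top_n)]
    keep = set()
    for name in popular:
        keep |= warm_set(name, zones)
    return popular, keep


# Constructed query log: past popularity decides what stays warm.
SAMPLE_LOG = (["www.example.com."] * 3
              + ["mail.example.org."] * 2
              + ["rare.example.net."])

if __name__ == "__main__":
    names, rrsets = plan(SAMPLE_LOG, top_n=2)
    print("kept warm for:", names)
    for owner, rrtype in sorted(rrsets):
        print(f"  {owner:24} {rrtype}")
```
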


From nobody Thu Feb 14 20:21:54 2019
Return-Path: <each@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 792BC130EED for <dnsop@ietfa.amsl.com>; Thu, 14 Feb 2019 20:21:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.9
X-Spam-Level: 
X-Spam-Status: No, score=-6.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6GJ__fjQuEmf for <dnsop@ietfa.amsl.com>; Thu, 14 Feb 2019 20:21:51 -0800 (PST)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [IPv6:2001:4f8:0:2::2b]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 18C8E130EEA for <dnsop@ietf.org>; Thu, 14 Feb 2019 20:21:50 -0800 (PST)
Received: from bikeshed.isc.org (bikeshed.isc.org [IPv6:2001:4f8:3:d::19]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by mx.pao1.isc.org (Postfix) with ESMTPS id 8E83A3AB05C; Fri, 15 Feb 2019 04:21:47 +0000 (UTC)
Received: by bikeshed.isc.org (Postfix, from userid 10292) id 71475216C1C; Fri, 15 Feb 2019 04:21:47 +0000 (UTC)
Date: Fri, 15 Feb 2019 04:21:47 +0000
From: Evan Hunt <each@isc.org>
To: Paul Vixie <paul@redbarn.org>
Cc: IETF DNSOP WG <dnsop@ietf.org>
Message-ID: <20190215042147.GA90080@isc.org>
References: <b45edb5e-1508-0b02-a14c-a5be4ca9c0e6@redbarn.org> <20190214235614.GB87001@isc.org> <6c3d6894-c584-c4fd-d09e-55903b34bead@redbarn.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <6c3d6894-c584-c4fd-d09e-55903b34bead@redbarn.org>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/IYSxLXWWkVLPZeSQ2po8kx6WiMk>
Subject: Re: [DNSOP] the root is not special, everybody please stop obsessing over it
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Feb 2019 04:21:53 -0000

On Thu, Feb 14, 2019 at 04:05:22PM -0800, Paul Vixie wrote:
> nope. because it did not prototype any partial replication. i'm not
> going to mirror COM because i need it to reach FARSIGHTSECURITY.COM.

I didn't say anybody's going to mirror COM, I said I suspect zone
mirroring will find applications other than pre-caching the root.
The fact that it isn't a complete solution to the problem space you're
interested in at the moment doesn't mean it was useless. That wasn't a major
motivation for the work anyway, I don't believe -- my recollection is that
it was mainly about reducing garbage traffic, with latency reduction for
some resolvers a happy side-effect.

Keeping cache data warm and available during network partitions is a
largely solved problem; we have prefetch/hammer, we have serve-stale.
(Also apparently we have whatever generates all that zombie DNS traffic
Geoff discovered back in 2016, but I'd rather avoid perpetuating that
mistake, which seems *quite* perpetual enough as it is.)

Keeping cache data coherent is less solved: we don't have the trusted
invalidation piece you mentioned. I agree that might be a useful line of
inquiry.  I guess that's the point you were trying to make; I didn't get
it immediately because you started off discussing the shortcomings of an
RFC that doesn't seem particularly directly related.  So let's get
specific about the problem and discuss requirements for a solution.

-- 
Evan Hunt -- each@isc.org
Internet Systems Consortium, Inc.


From nobody Thu Feb 14 21:52:06 2019
Return-Path: <drc@virtualized.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AF38612D4E7 for <dnsop@ietfa.amsl.com>; Thu, 14 Feb 2019 21:52:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level: 
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=virtualized-org.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UX_48RQUVc9c for <dnsop@ietfa.amsl.com>; Thu, 14 Feb 2019 21:52:03 -0800 (PST)
Received: from mail-pg1-x530.google.com (mail-pg1-x530.google.com [IPv6:2607:f8b0:4864:20::530]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B2DC1130ED0 for <dnsop@ietf.org>; Thu, 14 Feb 2019 21:52:03 -0800 (PST)
Received: by mail-pg1-x530.google.com with SMTP id d72so4265626pga.9 for <dnsop@ietf.org>; Thu, 14 Feb 2019 21:52:03 -0800 (PST)
X-Received: by 2002:a63:235c:: with SMTP id u28mr3811519pgm.400.1550209923165;  Thu, 14 Feb 2019 21:52:03 -0800 (PST)
Received: from ?IPv6:2606:6000:62c7:9900:d0a9:ac13:78c0:2722? ([2606:6000:62c7:9900:d0a9:ac13:78c0:2722]) by smtp.gmail.com with ESMTPSA id t3sm4452266pgp.5.2019.02.14.21.52.01 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 14 Feb 2019 21:52:02 -0800 (PST)
Content-Type: multipart/signed; boundary="Apple-Mail=_4B87DCF1-1A2B-4EF5-BB68-420EB005F95D"; protocol="application/pgp-signature"; micalg=pgp-sha512
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
From: David Conrad <drc@virtualized.org>
In-Reply-To: <b45edb5e-1508-0b02-a14c-a5be4ca9c0e6@redbarn.org>
Date: Thu, 14 Feb 2019 21:51:42 -0800
Cc: IETF DNSOP WG <dnsop@ietf.org>
X-Mailbutler-Message-Id: D79D95F6-4E1A-4AFA-A92C-5EA0E30C07B1
Message-Id: <C214FEB6-EB50-410B-8E88-6ABE326136E0@virtualized.org>
References: <b45edb5e-1508-0b02-a14c-a5be4ca9c0e6@redbarn.org>
To: Paul Vixie <paul@redbarn.org>
X-Mailer: Apple Mail (2.3445.102.3)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/7oS9-TQ6ceLH0IfJCf6W2n_yOok>
Subject: Re: [DNSOP] the root is not special, everybody please stop obsessing over it
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Feb 2019 05:52:06 -0000

--Apple-Mail=_4B87DCF1-1A2B-4EF5-BB68-420EB005F95D
Content-Type: multipart/alternative;
	boundary="Apple-Mail=_F1E0B2C4-6371-4C50-863C-CB21476C319C"


--Apple-Mail=_F1E0B2C4-6371-4C50-863C-CB21476C319C
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8

Paul,

On Feb 14, 2019, at 1:57 PM, Paul Vixie <paul@redbarn.org> wrote:
> 7706 is wrong headed on a number of levels, but its worst offense is
> to think that the root zone is special.

Operationally, the root zone actually is special. It is, after all, the
starting point of the name space. As far as I can tell, there are 3 ways
the root zone is special:

1. How does one obtain name servers for the root zone? How does one
   obtain name servers for any other zone?
2. Who controls the name servers for the root zone? Who controls the
   name servers for redbarn.org?
3. What happens if the root zone is unreachable? What happens if
   redbarn.org is unreachable?

7706 describes one method to improve resiliency, performance, and
privacy of root name service, with no modification of the DNS protocol
or name servers. It is, of course, possible to do the same thing with
any zone, assuming you have enough memory, but few zones generate
sufficient interest to do so. Not sure why you’re arguing
against it. Could you explain?

Regards,
-drc


--Apple-Mail=_F1E0B2C4-6371-4C50-863C-CB21476C319C--


--Apple-Mail=_4B87DCF1-1A2B-4EF5-BB68-420EB005F95D--


From nobody Fri Feb 15 01:02:47 2019
Return-Path: <bortzmeyer@nic.fr>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B89FF130F28 for <dnsop@ietfa.amsl.com>; Fri, 15 Feb 2019 01:02:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.9
X-Spam-Level: 
X-Spam-Status: No, score=-6.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id r24r1fP60XSm for <dnsop@ietfa.amsl.com>; Fri, 15 Feb 2019 01:02:38 -0800 (PST)
Received: from mx4.nic.fr (mx4.nic.fr [IPv6:2001:67c:2218:2::4:12]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1C419130E7E for <dnsop@ietf.org>; Fri, 15 Feb 2019 01:02:38 -0800 (PST)
Received: from mx4.nic.fr (localhost [127.0.0.1]) by mx4.nic.fr (Postfix) with SMTP id C33CF28047F; Fri, 15 Feb 2019 10:02:35 +0100 (CET)
Received: by mx4.nic.fr (Postfix, from userid 500) id BD0D228054E; Fri, 15 Feb 2019 10:02:35 +0100 (CET)
Received: from relay01.prive.nic.fr (relay01.prive.nic.fr [IPv6:2001:67c:2218:15::11]) by mx4.nic.fr (Postfix) with ESMTP id B51BE28047F; Fri, 15 Feb 2019 10:02:35 +0100 (CET)
Received: from b12.nic.fr (b12.users.prive.nic.fr [10.10.86.133]) by relay01.prive.nic.fr (Postfix) with ESMTP id B04096424E49; Fri, 15 Feb 2019 10:02:35 +0100 (CET)
Received: by b12.nic.fr (Postfix, from userid 1000) id ABAD7401CB; Fri, 15 Feb 2019 10:02:35 +0100 (CET)
Date: Fri, 15 Feb 2019 10:02:35 +0100
From: Stephane Bortzmeyer <bortzmeyer@nic.fr>
To: Warren Kumari <warren@kumari.net>
Cc: dnsop@ietf.org
Message-ID: <20190215090235.afz4x75j5dij2wo7@nic.fr>
References: <154689301066.32204.17312124670782800354@ietfa.amsl.com> <20190214195125.nwbazwpk3rgrgxkf@sources.org> <CAHw9_iLeAwU8gskbhyd7OMPYEY68eCDocB9k6ezjUxYj=_WHRg@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <CAHw9_iLeAwU8gskbhyd7OMPYEY68eCDocB9k6ezjUxYj=_WHRg@mail.gmail.com>
X-Operating-System: Debian GNU/Linux 9.7
X-Kernel: Linux 4.9.0-8-amd64 x86_64
X-Charlie: Je suis Charlie
Organization: NIC France
X-URL: http://www.nic.fr/
User-Agent: NeoMutt/20170113 (1.7.2)
X-Bogosity: No, tests=bogofilter, spamicity=0.022544, version=1.2.2
X-PMX-Version: 6.0.0.2142326, Antispam-Engine: 2.7.2.2107409, Antispam-Data: 2019.2.15.85116
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/_YAfzSO_EvNnqcAHVC7H0tCQ8cQ>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-extended-error-04.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Feb 2019 09:02:46 -0000

On Thu, Feb 14, 2019 at 03:33:23PM -0500,
 Warren Kumari <warren@kumari.net> wrote 
 a message of 388 lines which said:

> but how about:
> "The majority of these extended error codes are primarily useful for
> resolvers, to return to stub resolvers or to downstream
> resolvers. Authoritative servers may also use this technique to
> annotate errors (for example, REFUSED), but as of publication there
> are not as many of these defined"

OK

> > > 4.4.1.  NXDOMAIN Extended DNS Error Code 1 - Blocked
> > >
> > >   The resolver attempted to perform a DNS query but the domain is
> > >   blacklisted due to a security policy.
> >
> > I tend to think it would be a good idea to separate the case where
> > the policy was decided by the resolver and the case where the
> > policy came from outside, typically from the local law (see RFC
> > 7725 for a similar case with HTTP).
> >
> > Rationale: in the first case (local policy of the resolver), the
> > user may be interested in talking with the resolver admin if he or
> > she disagrees with the blocking. In the second case, this would be
> > useless.

You did not reply to this one. It is inspired by a message from Petr
Špaček
<https://mailarchive.ietf.org/arch/msg/dnsop/b3wtVj_aWm24PXyHr1M9NMj3LJ0>
explaining how extended DNS errors would be great to tell the user
whose fault it is (signature expired == no need to tell the resolver's
operator). I really think it is important to make the difference between:

* I blocked your request because that's _my_ policy
* I blocked your request because I'm compelled to do so, don't
  complain, it would be useless.

> > NOERROR Extended DNS Error Code 3 - Forged answer

> I'd really like to avoid the word "Forged"

I did not know it was pejorative (in French, "forgée", which has the
same origin, is not). So, what about "substituted answer"? Neutral
enough?


From nobody Fri Feb 15 01:10:00 2019
Return-Path: <bortzmeyer@nic.fr>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0D17B130FD0 for <dnsop@ietfa.amsl.com>; Fri, 15 Feb 2019 01:09:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.9
X-Spam-Level: 
X-Spam-Status: No, score=-6.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VE7XgHkoPdT8 for <dnsop@ietfa.amsl.com>; Fri, 15 Feb 2019 01:09:48 -0800 (PST)
Received: from mx4.nic.fr (mx4.nic.fr [IPv6:2001:67c:2218:2::4:12]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 25022130FBA for <dnsop@ietf.org>; Fri, 15 Feb 2019 01:09:48 -0800 (PST)
Received: from mx4.nic.fr (localhost [127.0.0.1]) by mx4.nic.fr (Postfix) with SMTP id 82C4A28047F for <dnsop@ietf.org>; Fri, 15 Feb 2019 10:09:46 +0100 (CET)
Received: by mx4.nic.fr (Postfix, from userid 500) id 7DCE128054B; Fri, 15 Feb 2019 10:09:46 +0100 (CET)
Received: from relay01.prive.nic.fr (relay01.prive.nic.fr [IPv6:2001:67c:2218:15::11]) by mx4.nic.fr (Postfix) with ESMTP id 75F1828047F for <dnsop@ietf.org>; Fri, 15 Feb 2019 10:09:46 +0100 (CET)
Received: from b12.nic.fr (b12.users.prive.nic.fr [10.10.86.133]) by relay01.prive.nic.fr (Postfix) with ESMTP id 718A56424E49 for <dnsop@ietf.org>; Fri, 15 Feb 2019 10:09:46 +0100 (CET)
Received: by b12.nic.fr (Postfix, from userid 1000) id 6A5F6401CB; Fri, 15 Feb 2019 10:09:46 +0100 (CET)
Date: Fri, 15 Feb 2019 10:09:46 +0100
From: Stephane Bortzmeyer <bortzmeyer@nic.fr>
To: dnsop@ietf.org
Message-ID: <20190215090946.y4emnzo2mxa5dxe7@nic.fr>
References: <154689301066.32204.17312124670782800354@ietfa.amsl.com> <20190214195125.nwbazwpk3rgrgxkf@sources.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20190214195125.nwbazwpk3rgrgxkf@sources.org>
X-Operating-System: Debian GNU/Linux 9.7
X-Kernel: Linux 4.9.0-8-amd64 x86_64
X-Charlie: Je suis Charlie
Organization: NIC France
X-URL: http://www.nic.fr/
User-Agent: NeoMutt/20170113 (1.7.2)
X-Bogosity: No, tests=bogofilter, spamicity=0.000000, version=1.2.2
X-PMX-Version: 6.0.0.2142326, Antispam-Engine: 2.7.2.2107409, Antispam-Data: 2019.2.15.90316
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/fWxuQc4Up0QGbdvQXvQMQccQyJI>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-extended-error-04.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Feb 2019 09:09:57 -0000

On Thu, Feb 14, 2019 at 08:51:25PM +0100,
 Stephane Bortzmeyer <bortzmeyer@nic.fr> wrote 
 a message of 101 lines which said:

> Otherwise, I suggest adding an error code:

Ooops, I forgot one:

SERVFAIL Extended DNS Error Code 8 - No reachable authority 

   The resolver could not reach any of the authoritative name servers
   (or they refused to reply).  The R flag should be set.

Rationale: in draft -04, all SERVFAIL extended error codes are for
DNSSEC issues. In my experience, SERVFAIL happens also (and quite
often) for routing issues (most zones have all their authoritative
name servers in only one AS, sometimes even one prefix or, worse, one
rack).

We set the R flag because another resolver may not have the same
routing issues, BGP not being consistent between all sites.

True, an extended error code could be added after the RFC is
published, through "Specification required", but 1) it is easier to do
it now and 2) it gives the people who will implement the RFC a wider
view of the possible uses.


From nobody Fri Feb 15 01:34:24 2019
Return-Path: <jim@rfc1035.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D148D1310D6 for <dnsop@ietfa.amsl.com>; Fri, 15 Feb 2019 01:34:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level: 
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id f5h7ud2Q7PxA for <dnsop@ietfa.amsl.com>; Fri, 15 Feb 2019 01:34:20 -0800 (PST)
Received: from shaun.rfc1035.com (smtp.v6.rfc1035.com [IPv6:2001:4b10:100:7::25]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8B3F513102A for <dnsop@ietf.org>; Fri, 15 Feb 2019 01:34:19 -0800 (PST)
Received: from wallace.rfc1035.com (hutch.rfc1035.com [195.54.233.70]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by shaun.rfc1035.com (Postfix) with ESMTPSA id 71DEC24211EE; Fri, 15 Feb 2019 09:34:17 +0000 (UTC)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
From: Jim Reid <jim@rfc1035.com>
In-Reply-To: <20190215090235.afz4x75j5dij2wo7@nic.fr>
Date: Fri, 15 Feb 2019 09:34:16 +0000
Cc: dnsop WG <dnsop@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <6168D7FB-3690-4398-A848-196D1EB414D3@rfc1035.com>
References: <154689301066.32204.17312124670782800354@ietfa.amsl.com> <20190214195125.nwbazwpk3rgrgxkf@sources.org> <CAHw9_iLeAwU8gskbhyd7OMPYEY68eCDocB9k6ezjUxYj=_WHRg@mail.gmail.com> <20190215090235.afz4x75j5dij2wo7@nic.fr>
To: Stephane Bortzmeyer <bortzmeyer@nic.fr>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/dferXxhENzTkySIBdM0Q-RjTmEQ>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-extended-error-04.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Feb 2019 09:34:22 -0000

> On 15 Feb 2019, at 09:02, Stephane Bortzmeyer <bortzmeyer@nic.fr> wrote:
>
> I really think it is important to make the difference between:
>
> * I blocked your request because that's _my_ policy
> * I blocked your request because I'm compelled to do so, don't
>  complain, it would be useless.

Why? From the client's perspective, there's no effective difference
between these. Their request was rejected for some policy reason and it
doesn't really matter whose policy has been applied.

Besides in situations where blocking is being done because of someone
else's say so, it's highly likely that the DNS operator will be subject
to some sort of injunction which prevents them from disclosing that such
blocking is taking place. Think warrant canaries.


From nobody Fri Feb 15 01:37:20 2019
Return-Path: <bortzmeyer@nic.fr>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 75B3A130F82 for <dnsop@ietfa.amsl.com>; Fri, 15 Feb 2019 01:37:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.9
X-Spam-Level: 
X-Spam-Status: No, score=-6.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0ksjm6U3I3FX for <dnsop@ietfa.amsl.com>; Fri, 15 Feb 2019 01:37:16 -0800 (PST)
Received: from mx4.nic.fr (mx4.nic.fr [IPv6:2001:67c:2218:2::4:12]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5A5BB130F5F for <dnsop@ietf.org>; Fri, 15 Feb 2019 01:37:16 -0800 (PST)
Received: from mx4.nic.fr (localhost [127.0.0.1]) by mx4.nic.fr (Postfix) with SMTP id C301B2804E8; Fri, 15 Feb 2019 10:37:14 +0100 (CET)
Received: from relay01.prive.nic.fr (pa-th3.interco.nic.fr [192.134.4.74]) by mx4.nic.fr (Postfix) with ESMTP id BC94428047F; Fri, 15 Feb 2019 10:37:14 +0100 (CET)
Received: from b12.nic.fr (b12.users.prive.nic.fr [10.10.86.133]) by relay01.prive.nic.fr (Postfix) with ESMTP id B8F7B6424E49; Fri, 15 Feb 2019 10:37:14 +0100 (CET)
Received: by b12.nic.fr (Postfix, from userid 1000) id B1FD1401CB; Fri, 15 Feb 2019 10:37:14 +0100 (CET)
Date: Fri, 15 Feb 2019 10:37:14 +0100
From: Stephane Bortzmeyer <bortzmeyer@nic.fr>
To: Alexander Mayrhofer <alex.mayrhofer.ietf@gmail.com>
Cc: IETF DNSOP WG <dnsop@ietf.org>, din@irtf.org
Message-ID: <20190215093714.t23ulbslbg52t2dp@nic.fr>
References: <154963392249.31188.16873618915255886209.idtracker@ietfa.amsl.com> <CAHXf=0r0DqC_XHw-2=h4ZkH5SgjzTjPMuML3GjxtQbe6so3=vw@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CAHXf=0r0DqC_XHw-2=h4ZkH5SgjzTjPMuML3GjxtQbe6so3=vw@mail.gmail.com>
X-Operating-System: Debian GNU/Linux 9.7
X-Kernel: Linux 4.9.0-8-amd64 x86_64
X-Charlie: Je suis Charlie
Organization: NIC France
X-URL: http://www.nic.fr/
User-Agent: NeoMutt/20170113 (1.7.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/a5Jx_6nbXPgb5y11yV0kmCUrpKs>
Subject: Re: [DNSOP] Fwd: New Version Notification for draft-mayrhofer-did-dns-01.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Feb 2019 09:37:18 -0000

On Fri, Feb 08, 2019 at 02:58:38PM +0100,
 Alexander Mayrhofer <alex.mayrhofer.ietf@gmail.com> wrote 
 a message of 59 lines which said:

> Feedback highly appreciated,

I think that it is an important work because it brings the power of
the DNS to many other identifier systems. So, I support it.

Maybe more examples could help people figure out the use cases? "My
Bitcoin address is at foobar.example" and then the Bitcoin software
would query _did.foobar.example and get
<did:bitcoin:1NZc7FJ7eHJgRMRSrmncJJM9bPnusJeuR6>.

I note that there already exist non-standard (and probably not really
deployed) solutions in that space, some specific to a TLD
<https://www.nominet.uk/domain-names-unlock-new-potential-on-blockchain/>
<http://domainincite.com/23273-my-brain-explodes-trying-to-understand-mmxs-new-blockchain-deal-for-luxe>

Regarding draft -01: it seems OK to me. The only problem I find:

> particularly the concerns around downgrade attacks when the record
> is not signed

Why downgrade attacks specifically? Without DNSSEC, a lot of attacks
are possible.


From nobody Fri Feb 15 01:46:36 2019
Return-Path: <bortzmeyer@nic.fr>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5D9FA130F8E for <dnsop@ietfa.amsl.com>; Fri, 15 Feb 2019 01:46:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.9
X-Spam-Level: 
X-Spam-Status: No, score=-6.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id y-xUmSUsssmq for <dnsop@ietfa.amsl.com>; Fri, 15 Feb 2019 01:46:33 -0800 (PST)
Received: from mx4.nic.fr (mx4.nic.fr [IPv6:2001:67c:2218:2::4:12]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DE4B9130F5F for <dnsop@ietf.org>; Fri, 15 Feb 2019 01:46:32 -0800 (PST)
Received: from mx4.nic.fr (localhost [127.0.0.1]) by mx4.nic.fr (Postfix) with SMTP id 3FF392804E8; Fri, 15 Feb 2019 10:46:31 +0100 (CET)
Received: from relay01.prive.nic.fr (pa-th3.interco.nic.fr [192.134.4.74]) by mx4.nic.fr (Postfix) with ESMTP id 3A10128047F; Fri, 15 Feb 2019 10:46:31 +0100 (CET)
Received: from b12.nic.fr (b12.tech.ipv6.nic.fr [IPv6:2001:67c:1348:7::86:133]) by relay01.prive.nic.fr (Postfix) with ESMTP id 366916424E49; Fri, 15 Feb 2019 10:46:31 +0100 (CET)
Received: by b12.nic.fr (Postfix, from userid 1000) id 28550401CB; Fri, 15 Feb 2019 10:46:31 +0100 (CET)
Date: Fri, 15 Feb 2019 10:46:31 +0100
From: Stephane Bortzmeyer <bortzmeyer@nic.fr>
To: Jim Reid <jim@rfc1035.com>
Cc: dnsop WG <dnsop@ietf.org>
Message-ID: <20190215094631.c6tb426jvfnxrb3q@nic.fr>
References: <154689301066.32204.17312124670782800354@ietfa.amsl.com> <20190214195125.nwbazwpk3rgrgxkf@sources.org> <CAHw9_iLeAwU8gskbhyd7OMPYEY68eCDocB9k6ezjUxYj=_WHRg@mail.gmail.com> <20190215090235.afz4x75j5dij2wo7@nic.fr> <6168D7FB-3690-4398-A848-196D1EB414D3@rfc1035.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <6168D7FB-3690-4398-A848-196D1EB414D3@rfc1035.com>
X-Operating-System: Debian GNU/Linux 9.7
X-Kernel: Linux 4.9.0-8-amd64 x86_64
X-Charlie: Je suis Charlie
Organization: NIC France
X-URL: http://www.nic.fr/
User-Agent: NeoMutt/20170113 (1.7.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/isgYFV2CnRtItCQrfI4XDdu_g1g>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-extended-error-04.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Feb 2019 09:46:35 -0000

On Fri, Feb 15, 2019 at 09:34:16AM +0000,
 Jim Reid <jim@rfc1035.com> wrote 
 a message of 19 lines which said:

> Why? From the client's perspective, there's no effective difference
> between these.

In the first case, you can talk with someone with whom you have some
relationship (the ISP, typically).

> Their request was rejected for some policy reason and it doesn't
> really matter whose policy has been applied.

Well, it certainly matters to me. Think responsibility,
accountability, consumer choice...

> Besides in situations where blocking is being done because of
> someone else's say so, it's highly likely that the DNS operator will
> be subject to some sort of injunction which prevents them from
> disclosing that such blocking is taking place.

Not "highly likely". It depends. Some censors are open in their
censorship (otherwise, RFC 7725 would be useless.)

Case study: in France, the list of "terrorist" domain names whose
blocking is mandatory is not public, but the fact that a domain is
blocked because of this list is not: the ISP returns a forged (sorry,
"substituted") specific IP address.


From nobody Fri Feb 15 01:47:54 2019
Return-Path: <dot@dotat.at>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 35F89130F9A for <dnsop@ietfa.amsl.com>; Fri, 15 Feb 2019 01:47:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level: 
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1CjcYUtQ2OGl for <dnsop@ietfa.amsl.com>; Fri, 15 Feb 2019 01:47:51 -0800 (PST)
Received: from ppsw-32.csi.cam.ac.uk (ppsw-32.csi.cam.ac.uk [131.111.8.132]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0AE37130F5F for <dnsop@ietf.org>; Fri, 15 Feb 2019 01:47:51 -0800 (PST)
X-Cam-AntiVirus: no malware found
X-Cam-ScannerInfo: http://help.uis.cam.ac.uk/email-scanner-virus
Received: from grey.csi.cam.ac.uk ([131.111.57.57]:43768) by ppsw-32.csi.cam.ac.uk (ppsw.cam.ac.uk [131.111.8.138]:25) with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) id 1gua61-000HZw-1q (Exim 4.91) (return-path <dot@dotat.at>); Fri, 15 Feb 2019 09:47:49 +0000
Date: Fri, 15 Feb 2019 09:47:49 +0000
From: Tony Finch <dot@dotat.at>
To: Paul Vixie <paul@redbarn.org>
cc: IETF DNSOP WG <dnsop@ietf.org>
In-Reply-To: <b45edb5e-1508-0b02-a14c-a5be4ca9c0e6@redbarn.org>
Message-ID: <alpine.DEB.2.20.1902150938540.18720@grey.csi.cam.ac.uk>
References: <b45edb5e-1508-0b02-a14c-a5be4ca9c0e6@redbarn.org>
User-Agent: Alpine 2.20 (DEB 67 2015-01-07)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/kpjvdkWfQNzgtFduYWs7Wt5u8q8>
Subject: Re: [DNSOP] the root is not special, everybody please stop obsessing over it
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Feb 2019 09:47:53 -0000

Paul Vixie <paul@redbarn.org> wrote:

> unbound has pioneered a bit of this by automatically refetching data that's
> near its expiration point.

BIND also does this, it's on by default.

I'm not a fan of RFC 7706 because I think it's redundant wrt prefetch
(HAMMER), NXDOMAIN synthesis, and (to a much smaller extent) serve-stale.

> the fact that i have to hotwire my RDNS cache with local zone glue in order to
> reach my own servers when my comcast circuit is down or i can't currently
> reach the .SU authorities to learn where VIX.SU is, should not only concern,
> but also embarrass, all of us.

We have local stealth secondary copies of our zones on our recursive
servers which helps to some extent, except when downstream validators want
to get the chain of trust. But serve-stale should help.

I wonder if it's worth having different prefetch logic for infrastructure
records (NS, DS, glue, etc) to more eagerly keep them warm than leaf
records.

Tony.
-- 
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
Northwest Southeast Iceland: Northeasterly 5 or 6, becoming variable 3 or 4.
Rough. Wintry showers. Good, occasionally poor.


From nobody Fri Feb 15 01:59:43 2019
Return-Path: <bortzmeyer@nic.fr>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 66A49130F84 for <dnsop@ietfa.amsl.com>; Fri, 15 Feb 2019 01:59:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.9
X-Spam-Level: 
X-Spam-Status: No, score=-6.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Hr-JGNYD2rOR for <dnsop@ietfa.amsl.com>; Fri, 15 Feb 2019 01:59:39 -0800 (PST)
Received: from mx4.nic.fr (mx4.nic.fr [IPv6:2001:67c:2218:2::4:12]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4D575130F9F for <dnsop@ietf.org>; Fri, 15 Feb 2019 01:59:38 -0800 (PST)
Received: from mx4.nic.fr (localhost [127.0.0.1]) by mx4.nic.fr (Postfix) with SMTP id AB69A28047F; Fri, 15 Feb 2019 10:59:36 +0100 (CET)
Received: by mx4.nic.fr (Postfix, from userid 500) id A599628054B; Fri, 15 Feb 2019 10:59:36 +0100 (CET)
Received: from relay01.prive.nic.fr (relay01.prive.nic.fr [IPv6:2001:67c:2218:15::11]) by mx4.nic.fr (Postfix) with ESMTP id 9E28C28047F; Fri, 15 Feb 2019 10:59:36 +0100 (CET)
Received: from b12.nic.fr (b12.users.prive.nic.fr [10.10.86.133]) by relay01.prive.nic.fr (Postfix) with ESMTP id 9A0376424E49; Fri, 15 Feb 2019 10:59:36 +0100 (CET)
Received: by b12.nic.fr (Postfix, from userid 1000) id 8CC77401CB; Fri, 15 Feb 2019 10:59:36 +0100 (CET)
Date: Fri, 15 Feb 2019 10:59:36 +0100
From: Stephane Bortzmeyer <bortzmeyer@nic.fr>
To: Paul Vixie <paul@redbarn.org>
Cc: IETF DNSOP WG <dnsop@ietf.org>
Message-ID: <20190215095936.qnxuucn6oezj7tsx@nic.fr>
References: <b45edb5e-1508-0b02-a14c-a5be4ca9c0e6@redbarn.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <b45edb5e-1508-0b02-a14c-a5be4ca9c0e6@redbarn.org>
X-Operating-System: Debian GNU/Linux 9.7
X-Kernel: Linux 4.9.0-8-amd64 x86_64
X-Charlie: Je suis Charlie
Organization: NIC France
X-URL: http://www.nic.fr/
User-Agent: NeoMutt/20170113 (1.7.2)
X-Bogosity: No, tests=bogofilter, spamicity=0.002112, version=1.2.2
X-PMX-Version: 6.0.0.2142326, Antispam-Engine: 2.7.2.2107409, Antispam-Data: 2019.2.15.94516
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Nvm0Mt8T2aLJ04ii9eAIEFh7oMI>
Subject: Re: [DNSOP] the root is not special, everybody please stop obsessing over it
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Feb 2019 09:59:41 -0000

On Thu, Feb 14, 2019 at 01:57:14PM -0800,
 Paul Vixie <paul@redbarn.org> wrote 
 a message of 42 lines which said:

> the fact that i have to hotwire my RDNS cache with local zone glue
> in order to reach my own servers when my comcast circuit is down or
> i can't currently reach the .SU authorities to learn where VIX.SU
> is, should not only concern, but also embarrass, all of us.

I agree that this is an issue (as you said, the simple case of "my own
zone" is easily solved by stub and/or forward zones in BIND) but any
solution must take care of phantom domains. If I register
malware-c-and-c-as-a-service.com and it's taken down, the solution
should not make this domain work afterwards. (Except of course for
resolvers who decided to configure a stub zone for this domain.)
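
The phantom-domain concern above, combined with the eager prefetch of infrastructure records (NS, DS, glue) suggested earlier in this thread, as an added toy model that is not code from any poster, BIND or Unbound. The zone name, TTL, prefetch threshold and timings are constructed assumptions; the model only contrasts refreshing a delegation from the servers already in cache with refreshing it from the parent zone.

```python
"""Toy model: eager prefetch of delegation (NS) data versus a taken-down domain.
All names, TTLs and timings are constructed for illustration."""

from dataclasses import dataclass

DELEGATION_TTL = 3600      # TTL of the NS RRset, parent and child side (constructed)
PREFETCH_FRACTION = 0.5    # refresh once less than this share of the TTL remains


class Parent:
    """The delegating zone (e.g. a TLD). Removing a name models a takedown."""

    def __init__(self):
        self.delegations = {}

    def lookup(self, name):
        return self.delegations.get(name)   # None models NXDOMAIN


class ChildServers:
    """Authoritative servers of the delegated zone. They keep answering
    after the takedown because the registrant still operates them."""

    def __init__(self, ns):
        self.ns = ns

    def ns_rrset(self):
        return self.ns


@dataclass
class Entry:
    ns: tuple
    expires: float


class Resolver:
    def __init__(self, parent, children, refresh_from_parent):
        self.parent = parent
        self.children = children                    # name -> ChildServers
        self.refresh_from_parent = refresh_from_parent
        self.cache = {}

    def _fetch_from_parent(self, name, now):
        ns = self.parent.lookup(name)
        if ns is None:
            self.cache.pop(name, None)              # delegation is gone: evict
            return None
        self.cache[name] = Entry(ns, now + DELEGATION_TTL)
        return ns

    def resolve_ns(self, name, now):
        entry = self.cache.get(name)
        if entry is None or entry.expires <= now:
            return self._fetch_from_parent(name, now)
        remaining = entry.expires - now
        if remaining < PREFETCH_FRACTION * DELEGATION_TTL:
            if self.refresh_from_parent:
                # Guarded prefetch: only the parent can renew a delegation.
                return self._fetch_from_parent(name, now)
            # Naive prefetch: ask the servers already in cache and restart
            # the TTL with whatever they say about themselves.
            entry.ns = self.children[name].ns_rrset()
            entry.expires = now + DELEGATION_TTL
        return entry.ns


def simulate(refresh_from_parent, takedown_at=1000, query_every=600, until=20000):
    """Return the last simulated second at which the domain still resolved."""
    name = "phantom.example"
    ns = ("ns1.phantom.example",)
    parent = Parent()
    parent.delegations[name] = ns
    resolver = Resolver(parent, {name: ChildServers(ns)}, refresh_from_parent)
    last_resolved = None
    for now in range(0, until + 1, query_every):
        if now >= takedown_at:
            parent.delegations.pop(name, None)      # registry removes the name
        if resolver.resolve_ns(name, now) is not None:
            last_resolved = now
    return last_resolved


if __name__ == "__main__":
    print("naive prefetch, last resolved at:", simulate(False))
    print("parent-anchored prefetch, last resolved at:", simulate(True))
```

With steady client queries, the naive variant keeps the removed delegation alive for the whole run, while the parent-anchored variant drops it at the first prefetch after the takedown.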


From nobody Fri Feb 15 04:49:02 2019
Return-Path: <arnt@gulbrandsen.priv.no>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E1C11130F82 for <dnsop@ietfa.amsl.com>; Fri, 15 Feb 2019 04:48:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level: 
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9,  DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=gulbrandsen.priv.no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FduJX-R_lTUb for <dnsop@ietfa.amsl.com>; Fri, 15 Feb 2019 04:48:58 -0800 (PST)
Received: from stabil.gulbrandsen.priv.no (stabil.gulbrandsen.priv.no [144.76.73.169]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C5B1F128AFB for <dnsop@ietf.org>; Fri, 15 Feb 2019 04:48:57 -0800 (PST)
Received: from stabil.gulbrandsen.priv.no (stabil.gulbrandsen.priv.no [IPv6:2a01:4f8:191:91a8::3]) by stabil.gulbrandsen.priv.no (Postfix) with ESMTP id 29C38C05EA; Fri, 15 Feb 2019 12:50:40 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=gulbrandsen.priv.no; s=mail; t=1550235040; bh=sZ8/eyqzkdrbvrTC/j+/q+xKKzETgAkaN94vKOhffto=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=TUUqzFDCQdrSlYKm3SM56UV7CpC67TGCb8rNQHPDTrdJzw81Skd+DFXtHKwHWqmgE DWjhGisDI6gc9kqKbegMT10VKQdPxfb4HhGYdHaUyF8vJCX+Ekx08jvjDE4a0/QpU/ pKUz6FD2r27nUN11mNA1d/53tHRhbzo00+TvQt3s=
Received: from arnt@gulbrandsen.priv.no by stabil.gulbrandsen.priv.no (Archiveopteryx 3.2.0) with esmtpsa id 1550235039-26265-2661/9/24; Fri, 15 Feb 2019 12:50:39 +0000
From: Arnt Gulbrandsen <arnt@gulbrandsen.priv.no>
To: Bob Harold <rharolde@umich.edu>
Cc: Tony Finch <dot@dotat.at>, Jiankang Yao <yaojk@cnnic.cn>, IETF DNSOP WG <dnsop@ietf.org>
Date: Fri, 15 Feb 2019 13:48:53 +0100
Mime-Version: 1.0
Message-Id: <a3ef79a2-5efd-47e2-aa0c-1be5412ffcfc@gulbrandsen.priv.no>
In-Reply-To: <CA+nkc8Bkpr7PDSyWjGQftaODj7pffmzWJUeYghGScFLi0CyHpw@mail.gmail.com>
References: <4d51e683.32d.168ea651be8.Coremail.yaojk@cnnic.cn> <alpine.DEB.2.20.1902141349060.18720@grey.csi.cam.ac.uk> <587d85ee-73bc-40f4-aae8-550d877ca6d1@gulbrandsen.priv.no> <CA+nkc8Bkpr7PDSyWjGQftaODj7pffmzWJUeYghGScFLi0CyHpw@mail.gmail.com>
User-Agent: Trojita/0.7; Qt/5.7.1; xcb; Linux; Devuan GNU/Linux 2.0 (ascii)
Content-Type: text/plain; charset=utf-8; format=flowed
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/qAAq7qPVkufCVk3DMiDGVKjLQxM>
Subject: Re: [DNSOP] Fw: New Version Notification for draft-arnt-yao-dnsop-root-data-caching-00.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Feb 2019 12:49:00 -0000

On Thursday 14 February 2019 22:41:56 CET, Bob Harold wrote:
> The draft assumes typical TTL is a week, but what I see in the root zone is:
...

I hoped no one would notice. It's good rather than bad, overall, but it 
complicates the description.

A good resolver verifies DNSSEC, so the two-day RRs tend to be kept alive 
for as long as the six-day RRs are. Once the six-day RRs are discarded from 
the resolver's cache, the two-day RRs are no longer needed for 
verification, and after about a month they cease being refreshed.

In effect, the six-day RRs (typically NS records) have an average lifetime 
of slightly less than three months after the last use, and the supporting 
DNSSEC RRs of slightly more than four months after the last time the NS is 
needed.

The SOA record is a special case, but IMO too minor to matter. The focus 
here is to eliminate root-zone queries as a significant delay factor for 
day-to-day DNS use, without introducing additional moving parts such as 
humans or crontabs downloading zone files. Caching one SOA too long or too 
short won't make much difference.

Arnt


From nobody Fri Feb 15 06:14:13 2019
Return-Path: <rharolde@umich.edu>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BBCDF130EB3 for <dnsop@ietfa.amsl.com>; Fri, 15 Feb 2019 06:14:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level: 
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=umich.edu
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vPvNb89fzWCr for <dnsop@ietfa.amsl.com>; Fri, 15 Feb 2019 06:14:09 -0800 (PST)
Received: from mail-lj1-x22e.google.com (mail-lj1-x22e.google.com [IPv6:2a00:1450:4864:20::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5794712D84C for <dnsop@ietf.org>; Fri, 15 Feb 2019 06:14:09 -0800 (PST)
Received: by mail-lj1-x22e.google.com with SMTP id r10-v6so8500339ljj.4 for <dnsop@ietf.org>; Fri, 15 Feb 2019 06:14:08 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=umich.edu; s=google-2016-06-03; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=m2BJhxf8R9dHULCkN/ZRmsOlkus1hAQ2C3RjHnDReUs=; b=qdpR9TTl3BtE+uG1IBkXVIdEXxQRJx4MepemHAJJDkqRB3OKlwiXXP3d0f05JBC8dS PGmdw4vK10XaCqNsHSsN5lRFF6lmFRXoiaBD/NDQkVQsjgMDze9EoEqrYNAYJ2wBCrw/ Pw7YYdK8PCCVXur7ow2ba+HDKw45G9VcMwzTDW2ZGkIcTzR18WurM7xrfxJP8Ezbcq4h s1/8SZtRFhR1lAIENitgP91ez6Ulgf3yCP1mbTeSY57DoVZ9kOu43oqEo9J/lAn+q3PQ TdmsuJLqq2+6ERGXSe7AEnGngIKtft5e90KPeVMqkJmjmD/m+tm6u8jqW/VtgcQmbsHK 70BA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=m2BJhxf8R9dHULCkN/ZRmsOlkus1hAQ2C3RjHnDReUs=; b=sNgpRPWsyMK97GOUm+iPV2OOEYjeEfJ5Colv+Lz6yL4SmVINpjL4zoxy7jgqDqqMuD hTWmZdiy2iNSa1wEBm0/xfJtaSyd2JtxErmyGeVN1peDF0efaHyRmjrmCMA93LrzlC4d eCFAgSTqH/qArfJlfSUGebzd4obWeDyHMk+poWBaz0pwLd5Wq8mVsObDP9mekkbt/fpb 8axcvKuaiM/o5tr24Tft89xsP4URuC1gNYyqeEfiRQltyw7Qvaz+V5hYO4S/i/Mhwr5c tJLC5uI1Zd5mSGbzAXKnt2wOtBWgpRPnVAxjgS89gAfJ1iOEOxTk6vxhW7booIh2irxp oibg==
X-Gm-Message-State: AHQUAubQ5oiQgZUolHUzzTTEnjNxK77DHHu0aQ9RFAn53xge5Dkd58l/ o0GfkaZZjuuymJO3EtmXbYSk/nMuHVdFWrHTRGt48Q==
X-Google-Smtp-Source: AHgI3IZBdmJTMmc+Xpv9xKthfcTf2+YT9Qkfm/s3NkNfB6xx7P7SsR4di88594hot/rzXO1INJowYgulyOkvvj5gdPg=
X-Received: by 2002:a2e:8795:: with SMTP id n21-v6mr6356327lji.109.1550240046946;  Fri, 15 Feb 2019 06:14:06 -0800 (PST)
MIME-Version: 1.0
References: <4d51e683.32d.168ea651be8.Coremail.yaojk@cnnic.cn> <alpine.DEB.2.20.1902141349060.18720@grey.csi.cam.ac.uk> <587d85ee-73bc-40f4-aae8-550d877ca6d1@gulbrandsen.priv.no> <CA+nkc8Bkpr7PDSyWjGQftaODj7pffmzWJUeYghGScFLi0CyHpw@mail.gmail.com> <a3ef79a2-5efd-47e2-aa0c-1be5412ffcfc@gulbrandsen.priv.no>
In-Reply-To: <a3ef79a2-5efd-47e2-aa0c-1be5412ffcfc@gulbrandsen.priv.no>
From: Bob Harold <rharolde@umich.edu>
Date: Fri, 15 Feb 2019 09:13:55 -0500
Message-ID: <CA+nkc8CnBbmvy-=_UOO3fqTDeTSSgUvxDu0i+P3Qyob=4E3RyA@mail.gmail.com>
To: Arnt Gulbrandsen <arnt@gulbrandsen.priv.no>
Cc: Tony Finch <dot@dotat.at>, Jiankang Yao <yaojk@cnnic.cn>, IETF DNSOP WG <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000050b08c0581ef63a8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/aZB4gHXho43HDFhadPGUZ1CgLcg>
Subject: Re: [DNSOP] Fw: New Version Notification for draft-arnt-yao-dnsop-root-data-caching-00.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Feb 2019 14:14:13 -0000

--00000000000050b08c0581ef63a8
Content-Type: text/plain; charset="UTF-8"

On Fri, Feb 15, 2019 at 7:49 AM Arnt Gulbrandsen <arnt@gulbrandsen.priv.no>
wrote:

> On Thursday 14 February 2019 22:41:56 CET, Bob Harold wrote:
> > The draft assumes typical TTL is a week, but what I see in the root zone
> is:
> ...
>
> I hoped noone would notice. It's good rather than bad, overall, but it
> complicates the description.
>
> A good resolver verifies DNSSEC, so the two-day RRs tend to be kept alive
> for as long as the six-day RRs are. Once the six-day RRs are discarded
> from
> the resolver's cache, the two-day RRs are no longer needed for
> verification, and after about a month they cease being refreshed.
>
> In effect, the six-day RRs (typically NS records) have an average lifetime
> of slightly less than three months after the last use, and the supporting
> DNSSEC RRs of slightly more than four months after the last time the NS is
> needed.
>
> The SOA record is a special case, but IMO too minor to matter. The focus
> here is to eliminate root-zone queries as a significant delay factor for
> day-to-day DNS use, without introducing additional moving parts such as
> humans or crontabs downloading zone files. Caching one SOA too long or too
> short won't make much difference.
>
> Arnt
>

No, the NS records and DNSSEC records only have two days.
There are no 6-day records, except the X.root-servers.net
<http://x.root-servers.net/> entries, which do not apply here.

-- 
Bob Harold

--00000000000050b08c0581ef63a8--


From nobody Fri Feb 15 06:29:47 2019
Return-Path: <rharolde@umich.edu>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 13B9A130FC1 for <dnsop@ietfa.amsl.com>; Fri, 15 Feb 2019 06:29:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level: 
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=umich.edu
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id d_eT-uttXA9c for <dnsop@ietfa.amsl.com>; Fri, 15 Feb 2019 06:29:43 -0800 (PST)
Received: from mail-lj1-x243.google.com (mail-lj1-x243.google.com [IPv6:2a00:1450:4864:20::243]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 08741124D68 for <dnsop@ietf.org>; Fri, 15 Feb 2019 06:29:42 -0800 (PST)
Received: by mail-lj1-x243.google.com with SMTP id j19so7749183ljg.5 for <dnsop@ietf.org>; Fri, 15 Feb 2019 06:29:42 -0800 (PST)
X-Received: by 2002:a2e:8795:: with SMTP id n21-v6mr6400380lji.109.1550240980751;  Fri, 15 Feb 2019 06:29:40 -0800 (PST)
MIME-Version: 1.0
References: <b45edb5e-1508-0b02-a14c-a5be4ca9c0e6@redbarn.org> <20190215095936.qnxuucn6oezj7tsx@nic.fr>
In-Reply-To: <20190215095936.qnxuucn6oezj7tsx@nic.fr>
From: Bob Harold <rharolde@umich.edu>
Date: Fri, 15 Feb 2019 09:29:29 -0500
Message-ID: <CA+nkc8BcuaGC4TKUzY429Hh2=dZk2dA48=P2ecjwvhV466hT4Q@mail.gmail.com>
To: Stephane Bortzmeyer <bortzmeyer@nic.fr>
Cc: Paul Vixie <paul@redbarn.org>, IETF DNSOP WG <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000f97c680581ef9a21"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/r_W4Qfy-QnuBBvuIBQfzW0ODX9M>
Subject: Re: [DNSOP] the root is not special, everybody please stop obsessing over it
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Feb 2019 14:29:46 -0000

--000000000000f97c680581ef9a21
Content-Type: text/plain; charset="UTF-8"

On Fri, Feb 15, 2019 at 4:59 AM Stephane Bortzmeyer <bortzmeyer@nic.fr>
wrote:

> On Thu, Feb 14, 2019 at 01:57:14PM -0800,
>  Paul Vixie <paul@redbarn.org> wrote
>  a message of 42 lines which said:
>
> > the fact that i have to hotwire my RDNS cache with local zone glue
> > in order to reach my own servers when my comcast circuit is down or
> > i can't currently reach the .SU authorities to learn where VIX.SU
> > is, should not only concern, but also embarrass, all of us.
>
> I agree that this is an issue (as you said, the simple case of "my own
> zone" is easily solved by stub and/or forward zones in BIND) but any
> solution must take care of phantom domains. If I register
> malware-c-and-c-as-a-service.com and it's taken down, the solution
> should not make this domain work afterwards. (Except of course for
> resolvers who decided to configure a stub zone for this domain.)
>

I think in most solutions, if the name servers for
"malware-c-and-c-as-a-service.com" and "com" are both unreachable, the
domain should continue to resolve.  But if "com" is reachable, and says
"malware-c-and-c-as-a-service.com" no longer exists, it should go away.

-- 
Bob Harold

--000000000000f97c680581ef9a21--
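
Added example (not part of any message in this thread, and not code from any resolver): a Python model of the rule Bob Harold states above, where expired data keeps working during a partition but a reachable parent that says the name is gone always wins. The names Probe, Action, decide and simulate, the 7-day staleness cap, the 2-day TTL, and the choice to accept fresh data only when the parent also confirms the name are assumptions; the timelines are constructed.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

DAY = 86400
TTL = 2 * DAY        # assumption: TTL given to refreshed data
MAX_STALE = 7 * DAY  # assumption: cap on serving data past its TTL


class Probe(Enum):
    """Result of asking the parent zone (e.g. "com") about the name."""
    UNREACHABLE = "unreachable"  # no parent server answered
    ANSWER = "answer"            # parent answered, the name is still delegated
    NXDOMAIN = "nxdomain"        # parent answered, the name no longer exists


class Action(Enum):
    SERVE_CACHED = "serve-cached"  # TTL still running, ordinary cache hit
    REFRESH = "refresh"            # store fresh data with a new TTL
    SERVE_STALE = "serve-stale"    # use expired data, lifetime not extended
    NXDOMAIN = "nxdomain"          # drop any cached copy, name does not exist
    SERVFAIL = "servfail"          # nothing usable


@dataclass
class Entry:
    expires: int  # absolute time in seconds at which the TTL runs out


def decide(entry: Optional[Entry], now: int, parent: Probe,
           child_up: bool, max_stale: int = MAX_STALE) -> Action:
    # Inside the TTL the resolver answers from cache and probes nobody.
    if entry is not None and now < entry.expires:
        return Action.SERVE_CACHED
    # The parent's denial is checked before anything the child says, so a
    # child that still answers cannot keep a removed (phantom) name alive.
    if parent is Probe.NXDOMAIN:
        return Action.NXDOMAIN
    # Fresh data is accepted only when the parent also confirms the name.
    if parent is Probe.ANSWER and child_up:
        return Action.REFRESH
    # Some server is unreachable: fall back to expired data, but only if
    # the name was cached before and only within the staleness cap.
    if entry is not None and now - entry.expires <= max_stale:
        return Action.SERVE_STALE
    return Action.SERVFAIL


def simulate(events, ttl: int = TTL, max_stale: int = MAX_STALE):
    """Run (time, parent probe, child reachable) events against one name."""
    entry = None
    actions = []
    for now, parent, child_up in events:
        action = decide(entry, now, parent, child_up, max_stale)
        if action is Action.REFRESH:
            entry = Entry(expires=now + ttl)
        elif action is Action.NXDOMAIN:
            entry = None
        actions.append(action)
    return actions


# Constructed timeline: partition, then the name is taken down while its
# own servers keep answering, then another partition.
TAKEDOWN = [
    (0 * DAY, Probe.ANSWER, True),
    (1 * DAY, Probe.UNREACHABLE, False),
    (3 * DAY, Probe.UNREACHABLE, False),
    (4 * DAY, Probe.NXDOMAIN, True),
    (5 * DAY, Probe.UNREACHABLE, True),
]

# Constructed timeline: a partition that outlasts the staleness cap.
LONG_PARTITION = [
    (0 * DAY, Probe.ANSWER, True),
    (10 * DAY, Probe.UNREACHABLE, False),
]

if __name__ == "__main__":
    for label, events in (("takedown", TAKEDOWN), ("long", LONG_PARTITION)):
        print(label, [a.value for a in simulate(events)])
```

In this model a stale answer never extends the entry's lifetime, so only a parent-confirmed refresh restarts the clock.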


From nobody Fri Feb 15 06:34:55 2019
Return-Path: <bortzmeyer@nic.fr>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 381A0124D68 for <dnsop@ietfa.amsl.com>; Fri, 15 Feb 2019 06:34:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.9
X-Spam-Level: 
X-Spam-Status: No, score=-6.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id s4hyeJJCKp4n for <dnsop@ietfa.amsl.com>; Fri, 15 Feb 2019 06:34:49 -0800 (PST)
Received: from mx4.nic.fr (mx4.nic.fr [IPv6:2001:67c:2218:2::4:12]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D9DA412008F for <dnsop@ietf.org>; Fri, 15 Feb 2019 06:34:48 -0800 (PST)
Received: from mx4.nic.fr (localhost [127.0.0.1]) by mx4.nic.fr (Postfix) with SMTP id DC90C2803BB; Fri, 15 Feb 2019 15:34:46 +0100 (CET)
Received: by mx4.nic.fr (Postfix, from userid 500) id D632928054B; Fri, 15 Feb 2019 15:34:46 +0100 (CET)
Received: from relay01.prive.nic.fr (relay01.prive.nic.fr [IPv6:2001:67c:2218:15::11]) by mx4.nic.fr (Postfix) with ESMTP id CE1712803BB; Fri, 15 Feb 2019 15:34:46 +0100 (CET)
Received: from b12.nic.fr (b12.users.prive.nic.fr [10.10.86.133]) by relay01.prive.nic.fr (Postfix) with ESMTP id CA3A7663E080; Fri, 15 Feb 2019 15:34:46 +0100 (CET)
Received: by b12.nic.fr (Postfix, from userid 1000) id C449C401CB; Fri, 15 Feb 2019 15:34:46 +0100 (CET)
Date: Fri, 15 Feb 2019 15:34:46 +0100
From: Stephane Bortzmeyer <bortzmeyer@nic.fr>
To: Bob Harold <rharolde@umich.edu>
Cc: Paul Vixie <paul@redbarn.org>, IETF DNSOP WG <dnsop@ietf.org>
Message-ID: <20190215143446.6vp57cmlsesswnlt@nic.fr>
References: <b45edb5e-1508-0b02-a14c-a5be4ca9c0e6@redbarn.org> <20190215095936.qnxuucn6oezj7tsx@nic.fr> <CA+nkc8BcuaGC4TKUzY429Hh2=dZk2dA48=P2ecjwvhV466hT4Q@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CA+nkc8BcuaGC4TKUzY429Hh2=dZk2dA48=P2ecjwvhV466hT4Q@mail.gmail.com>
X-Operating-System: Debian GNU/Linux 9.7
X-Kernel: Linux 4.9.0-8-amd64 x86_64
X-Charlie: Je suis Charlie
Organization: NIC France
X-URL: http://www.nic.fr/
User-Agent: NeoMutt/20170113 (1.7.2)
X-Bogosity: No, tests=bogofilter, spamicity=0.000000, version=1.2.2
X-PMX-Version: 6.0.0.2142326, Antispam-Engine: 2.7.2.2107409, Antispam-Data: 2019.2.15.141516
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/-aCF-rf6P59dWXBD7gtRTJmr35Q>
Subject: [DNSOP] Making domains work even when connectivity fails (Was: the root is not special, everybody please stop obsessing  over it
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Feb 2019 14:34:53 -0000

On Fri, Feb 15, 2019 at 09:29:29AM -0500,
 Bob Harold <rharolde@umich.edu> wrote 
 a message of 73 lines which said:

> I think in most solutions, if the name servers for
> "malware-c-and-c-as-a-service.com" and "com" are both unreachable,
> the domain should continue to resolve.  But if "com" is reachable,
> and says "malware-c-and-c-as-a-service.com" no longer exists, it
> should go away.

Any volunteer to write a problem statement for the "VIX.SU issue"?
Short version: "when I'm on the same network as at least one
authoritative name server of VIX.SU, I want this domain to work, even if there
is zero Internet connectivity to the outside world" Longer version:
"TODO (think of: is it automatic or not, does it require prior access
or not, phantom domains, etc)"


From nobody Fri Feb 15 08:39:19 2019
Return-Path: <paul@redbarn.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2BA02130FD6 for <dnsop@ietfa.amsl.com>; Fri, 15 Feb 2019 08:39:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level: 
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Em9EY-L0pwFv for <dnsop@ietfa.amsl.com>; Fri, 15 Feb 2019 08:39:15 -0800 (PST)
Received: from family.redbarn.org (family.redbarn.org [IPv6:2001:559:8000:cd::5]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 62B8B130FC1 for <dnsop@ietf.org>; Fri, 15 Feb 2019 08:39:15 -0800 (PST)
Received: from [IPv6:2001:559:8000:c9:18eb:443:7c1e:38f2] (unknown [IPv6:2001:559:8000:c9:18eb:443:7c1e:38f2]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client did not present a certificate) by family.redbarn.org (Postfix) with ESMTPSA id A5E97892C6; Fri, 15 Feb 2019 16:39:14 +0000 (UTC)
To: Tony Finch <dot@dotat.at>
Cc: IETF DNSOP WG <dnsop@ietf.org>
References: <b45edb5e-1508-0b02-a14c-a5be4ca9c0e6@redbarn.org> <alpine.DEB.2.20.1902150938540.18720@grey.csi.cam.ac.uk>
From: Paul Vixie <paul@redbarn.org>
Message-ID: <0a5283f8-5511-4c04-9d3b-a6611820fc01@redbarn.org>
Date: Fri, 15 Feb 2019 08:39:13 -0800
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 PostboxApp/6.1.10
MIME-Version: 1.0
In-Reply-To: <alpine.DEB.2.20.1902150938540.18720@grey.csi.cam.ac.uk>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/lMCfRM1XemPB8DNDPaz5l-45WJg>
Subject: Re: [DNSOP] the root is not special, everybody please stop obsessing over it
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Feb 2019 16:39:17 -0000

Tony Finch wrote on 2019-02-15 01:47:
> ...
> 
> We have local stealth secondary copies of our zones on our recursive
> servers which helps to some extent, except when downstream validators want
> to get the chain of trust. But serve-stale should help.

prefetching or leasing or rrset subscription is expensive when viewed 
from the dns-at-large perspective. we ought to prioritize the 
information we will need most in the event of a network partition. and 
the idea that an operator would have to predict where a partition could 
take place, and add stealth secondaries for the things they know about, 
is wrong in two ways. it's too much work, and never enough benefit.

> I wonder if it's worth having different prefetch logic for infrastructure
> records (NS, DS, glue, etc) to more eagerly keep them warm than leaf
> records.

yes, it obviously is, but only if you intend to use them even if the 
authority for some of your data is at that moment not reachable. so, 
serve-stale and hammer attempt to solve the wrong problem. if you're 
going to use something the way a stealth slave would do, you've got to 
ask the authority's instructions, and be capable of hearing and trusting 
NOTIFY events when that data changes for any reason.

-- 
P Vixie


From nobody Fri Feb 15 08:44:24 2019
Return-Path: <paul@redbarn.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EAD38130FE2 for <dnsop@ietfa.amsl.com>; Fri, 15 Feb 2019 08:44:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Or3KyS28Hcwy for <dnsop@ietfa.amsl.com>; Fri, 15 Feb 2019 08:44:20 -0800 (PST)
Received: from family.redbarn.org (family.redbarn.org [IPv6:2001:559:8000:cd::5]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 39CBA130FD6 for <dnsop@ietf.org>; Fri, 15 Feb 2019 08:44:20 -0800 (PST)
Received: from [IPv6:2001:559:8000:c9:18eb:443:7c1e:38f2] (unknown [IPv6:2001:559:8000:c9:18eb:443:7c1e:38f2]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client did not present a certificate) by family.redbarn.org (Postfix) with ESMTPSA id E1F25892C6; Fri, 15 Feb 2019 16:44:19 +0000 (UTC)
To: Stephane Bortzmeyer <bortzmeyer@nic.fr>
Cc: Bob Harold <rharolde@umich.edu>, IETF DNSOP WG <dnsop@ietf.org>
References: <b45edb5e-1508-0b02-a14c-a5be4ca9c0e6@redbarn.org> <20190215095936.qnxuucn6oezj7tsx@nic.fr> <CA+nkc8BcuaGC4TKUzY429Hh2=dZk2dA48=P2ecjwvhV466hT4Q@mail.gmail.com> <20190215143446.6vp57cmlsesswnlt@nic.fr>
From: Paul Vixie <paul@redbarn.org>
Message-ID: <4efcd843-df84-e279-1df7-c240849edfd3@redbarn.org>
Date: Fri, 15 Feb 2019 08:44:18 -0800
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 PostboxApp/6.1.10
MIME-Version: 1.0
In-Reply-To: <20190215143446.6vp57cmlsesswnlt@nic.fr>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/IaZrKEpg191kV9XGuLEiJONINiw>
Subject: Re: [DNSOP] Making domains work even when connectivity fails (Was: the root is not special, everybody please stop obsessing over it
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Feb 2019 16:44:22 -0000

Stephane Bortzmeyer wrote on 2019-02-15 06:34:
> On Fri, Feb 15, 2019 at 09:29:29AM -0500,
>   Bob Harold <rharolde@umich.edu> wrote
>   a message of 73 lines which said:
> 
>> I think in most solutions, if the name servers for
>> "malware-c-and-c-as-a-service.com" and "com" are both unreachable,
>> the domain should continue to resolve.  But if "com" is reachable,
>> and says "malware-c-and-c-as-a-service.com" no longer exists, it
>> should go away.

this is why serve-stale is most wrong. permission, and an agreement to 
hear a trusted NOTIFY later if the authority wants to do the work of 
keeping track of who it told things to, and the work of telling them 
when something has importantly changed (like a glue address change, a 
name server change, a key change, a signature invalidated, or malware 
removed). this is a subscription (leasing) problem, not a caching one.

> Any volunteer to write a problem statement for the "VIX.SU issue"?
> Short version: "when I'm on the same network as at least one
> authoritative name server of VIX.SU, I want this domain to work, even if there
> is zero Internet connectivity to the outside world" Longer version:
> "TODO (think of: is it automatic or not, does it require prior access
> or not, phantom domains, etc)"

just as root-level is the wrong focus, so is local-level. the reason we 
don't solve this problem with multicast NOTIFY is that the information 
you may need a subscription to (due to potential network partitioning) 
could be in another campus, or another region, or another isp, or 
another country.

-- 
P Vixie


From nobody Fri Feb 15 10:47:14 2019
Return-Path: <paul@nohats.ca>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C03A91271FF for <dnsop@ietfa.amsl.com>; Fri, 15 Feb 2019 10:47:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level: 
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9,  DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zKBcDco1jo18 for <dnsop@ietfa.amsl.com>; Fri, 15 Feb 2019 10:47:03 -0800 (PST)
Received: from mx.nohats.ca (mx.nohats.ca [193.110.157.68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 306E3130DD3 for <dnsop@ietf.org>; Fri, 15 Feb 2019 10:47:03 -0800 (PST)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 441MgR4kcJzD6P; Fri, 15 Feb 2019 19:46:59 +0100 (CET)
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id QXRaIdEsEQvS; Fri, 15 Feb 2019 19:46:58 +0100 (CET)
Received: from bofh.nohats.ca (bofh.nohats.ca [76.10.157.69]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Fri, 15 Feb 2019 19:46:57 +0100 (CET)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id 7E41C36FBA; Fri, 15 Feb 2019 13:46:56 -0500 (EST)
DKIM-Filter: OpenDKIM Filter v2.11.0 bofh.nohats.ca 7E41C36FBA
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id 71EB040D358A; Fri, 15 Feb 2019 13:46:56 -0500 (EST)
Date: Fri, 15 Feb 2019 13:46:56 -0500 (EST)
From: Paul Wouters <paul@nohats.ca>
To: Stephane Bortzmeyer <bortzmeyer@nic.fr>
cc: Alexander Mayrhofer <alex.mayrhofer.ietf@gmail.com>,  IETF DNSOP WG <dnsop@ietf.org>, din@irtf.org
In-Reply-To: <20190215093714.t23ulbslbg52t2dp@nic.fr>
Message-ID: <alpine.LRH.2.21.1902151339410.28436@bofh.nohats.ca>
References: <154963392249.31188.16873618915255886209.idtracker@ietfa.amsl.com> <CAHXf=0r0DqC_XHw-2=h4ZkH5SgjzTjPMuML3GjxtQbe6so3=vw@mail.gmail.com> <20190215093714.t23ulbslbg52t2dp@nic.fr>
User-Agent: Alpine 2.21 (LRH 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII; format=flowed
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/TMueuqGJLFTrbgLbPmUQCDKqPns>
Subject: Re: [DNSOP] [Din] Fwd: New Version Notification for draft-mayrhofer-did-dns-01.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Feb 2019 18:47:06 -0000

On Fri, 15 Feb 2019, Stephane Bortzmeyer wrote:

> Subject: Re: [Din] Fwd: New Version Notification for
>     draft-mayrhofer-did-dns-01.txt

I think this document should be Experimental and not Standards Track?

The reference to 7929 should be normative, not informative, since
you actually need to read a section of 7929 to implement this document.

I'm not sure if one should use _did.example.com for host names and
_mailto._did.example.com for email addresses. I would keep that at
the same level, eg:

_hostname._did.example.com
_mailto._did.example.com

This technically also allows one to separate the two DNS zones more
clearly (and could even be managed by a different group)

I'm really on the fence for this document. On the one hand, it is good
to have a memorable decentralized identifier, but on the other hand if
you rely on DNS (and DNSSEC), is this identifier really still
decentralised in the "we don't trust the USG or Verisign" way ?

I guess if you interpret it as a migration strategy away from DNS, it is okay.

Paul


From nobody Fri Feb 15 11:47:39 2019
Return-Path: <melinda.shore@nomountain.net>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 85BF4130FF2 for <dnsop@ietfa.amsl.com>; Fri, 15 Feb 2019 11:47:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level: 
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=nomountain-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cY8cfEK18VId for <dnsop@ietfa.amsl.com>; Fri, 15 Feb 2019 11:47:28 -0800 (PST)
Received: from mail-pg1-x544.google.com (mail-pg1-x544.google.com [IPv6:2607:f8b0:4864:20::544]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BBD3B131004 for <dnsop@ietf.org>; Fri, 15 Feb 2019 11:47:28 -0800 (PST)
Received: by mail-pg1-x544.google.com with SMTP id q206so5279100pgq.4 for <dnsop@ietf.org>; Fri, 15 Feb 2019 11:47:28 -0800 (PST)
X-Received: by 2002:a63:b94c:: with SMTP id v12mr6839382pgo.221.1550260048170;  Fri, 15 Feb 2019 11:47:28 -0800 (PST)
Received: from Melindas-MacBook-Pro.local ([216.67.81.81]) by smtp.gmail.com with ESMTPSA id p2sm8361866pfp.125.2019.02.15.11.47.27 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 15 Feb 2019 11:47:27 -0800 (PST)
To: Paul Wouters <paul@nohats.ca>, Stephane Bortzmeyer <bortzmeyer@nic.fr>
Cc: IETF DNSOP WG <dnsop@ietf.org>, din@irtf.org, Alexander Mayrhofer <alex.mayrhofer.ietf@gmail.com>
References: <154963392249.31188.16873618915255886209.idtracker@ietfa.amsl.com> <CAHXf=0r0DqC_XHw-2=h4ZkH5SgjzTjPMuML3GjxtQbe6so3=vw@mail.gmail.com> <20190215093714.t23ulbslbg52t2dp@nic.fr> <alpine.LRH.2.21.1902151339410.28436@bofh.nohats.ca>
From: Melinda Shore <melinda.shore@nomountain.net>
Message-ID: <5a817aac-e553-d104-b9f0-f074fce235eb@nomountain.net>
Date: Fri, 15 Feb 2019 10:47:26 -0900
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:60.0) Gecko/20100101 Thunderbird/60.5.0
MIME-Version: 1.0
In-Reply-To: <alpine.LRH.2.21.1902151339410.28436@bofh.nohats.ca>
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/1Dk9NXy7iQz9ZvYVl9czY2CneWU>
Subject: Re: [DNSOP] [Din] Fwd: New Version Notification for draft-mayrhofer-did-dns-01.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Feb 2019 19:47:32 -0000

On 2/15/19 9:46 AM, Paul Wouters wrote:
> This technically also allows one to separate the two DNS zones more
> clearly (and could even be managed by a different group)
> 
> I'm really on the fence for this document. On the one hand, it is good
> to have a memorable decentralized identifier, but on the other hand if
> you rely on DNS (and DNSSEC), is this identifier really still
> decentralised in the "we don't trust the USG or Verisign" way ?

I think the question of whether or not to provide
decentralized identifiers and whether or not this proposal
delivers on the "decentralized" claim is out of our hands,
as the core spec (which has a lot of additional problems)
comes out of the W3C.  I think the IETF's involvement is
probably limited to their use of DNS in the resolution
process.

Melinda

p.s. and it's probably worth pointing out that this work is
being done in a W3C community group, so until it looks like
it's actually going to be published as a W3C spec I'm not
sure I'd like to see IETF working group resources being
spent on this.

-- 
Software longa, hardware brevis

PGP key fingerprint  4F68 2D93 2A17 96F8 20F2
                     34C0 DFB8 9172 9A76 DB8F


From nobody Fri Feb 15 13:22:33 2019
Return-Path: <warren@kumari.net>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8928F12426A for <dnsop@ietfa.amsl.com>; Fri, 15 Feb 2019 13:22:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=kumari-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CKBvZcMmy95c for <dnsop@ietfa.amsl.com>; Fri, 15 Feb 2019 13:22:28 -0800 (PST)
Received: from mail-wr1-x442.google.com (mail-wr1-x442.google.com [IPv6:2a00:1450:4864:20::442]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F1958131028 for <dnsop@ietf.org>; Fri, 15 Feb 2019 13:22:27 -0800 (PST)
Received: by mail-wr1-x442.google.com with SMTP id o17so11784727wrw.3 for <dnsop@ietf.org>; Fri, 15 Feb 2019 13:22:27 -0800 (PST)
X-Received: by 2002:a5d:5504:: with SMTP id b4mr5559383wrv.291.1550265745933;  Fri, 15 Feb 2019 13:22:25 -0800 (PST)
MIME-Version: 1.0
References: <C5525DE2-DCF3-43E5-8C41-BAA58049DC3A@verisign.com> <edc1d393-ad19-2f8e-5f58-367d9b7e3290@nic.cz> <20190214080508.zab7r6hzkbj7kp54@nic.fr> <3baf795c-46ff-3993-4cb1-fff10295bc0a@time-travellers.org> <01d20441-8533-9a35-70f1-58cb4b6d8960@knipp.de> <9a7b4bc4-018a-9f8c-d3fd-2428356d6605@time-travellers.org>
In-Reply-To: <9a7b4bc4-018a-9f8c-d3fd-2428356d6605@time-travellers.org>
From: Warren Kumari <warren@kumari.net>
Date: Fri, 15 Feb 2019 16:21:50 -0500
Message-ID: <CAHw9_iJ1_a3rt75ZxqDsfqU1F9AztpiN+8vgmQL0nKM1tEZb=w@mail.gmail.com>
To: Shane Kerr <shane@time-travellers.org>
Cc: dnsop <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000181b890581f55f00"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/KutTH3eeLhAvAnDq28xe1_Xe6Kc>
Subject: Re: [DNSOP] Multiplexing DNS & HTTP over TLS
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Feb 2019 21:22:32 -0000

--000000000000181b890581f55f00
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

On Thu, Feb 14, 2019 at 8:24 AM Shane Kerr <shane@time-travellers.org>
wrote:

> Klaus,
>
> On 14/02/2019 14.00, Klaus Malorny wrote:
> > On 14.02.19 11:03, Shane Kerr wrote:
> >
> >> Is there a write-up on this?
> >>
> >> Thinking about it naively, a demultiplexer really only needs to say
> >> "is there a non-ASCII character in the first 2 or 3 bytes of a TLS
> >> session?".
> >>
> > please think of HTTP/2, which is a binary protocol (although I don't
> > know what the first bytes are). But I guess ALPN (RFC 7301) would do the
> > trick.
>
> I think that HTTP/2 preserves the initial handshake of HTTP/1.1.
>
> But looking at ALPN, it was designed for exactly this multiplexing
> use case. In principle all that would be needed is adding an identifier
> to the ALPN protocol IDs:
>
>
> https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids
>
> It would also address Joe's concerns about other protocols.
>
> Maybe creating an ALPN protocol ID for DNS-over-TLS is something for the
> DPRIVE working group? 🤔
>

https://mailarchive.ietf.org/arch/browse/dns-privacy/?q=ALPN

https://tools.ietf.org/html/draft-hoffman-dprive-dns-tls-alpn-00

https://www.ietf.org/archive/id/draft-dkg-dprive-demux-dns-http-03.txt

I'd encourage folk to go read the archive (and, again, there is a WG for
this -- https://datatracker.ietf.org/wg/dprive/about/ ).

W



>
> Cheers,
>
> --
> Shane
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>


-- 
I don't think the execution is relevant when it was obviously a bad idea in
the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair of
pants.
   ---maf

--000000000000181b890581f55f00--
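
The first-bytes test quoted in the message above, as an added example that is not part of the thread or of the linked drafts: it compares a three-byte check with a stricter one on constructed inputs, including a DNS message whose framing happens to spell "GET ". Assumptions: "non-ASCII" is read as "not printable ASCII", only standard one-question queries are expected, and all function names and sample data are made up for illustration.

```python
"""Added example: classify the first bytes of a decrypted TLS stream as
HTTP or DNS-over-TCP. All names and sample data here are constructed."""
import struct

# RFC 7540 section 3.5: the HTTP/2 client connection preface is plain ASCII.
HTTP2_PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"
HTTP1_METHODS = (b"GET", b"HEAD", b"POST", b"PUT", b"DELETE",
                 b"CONNECT", b"OPTIONS", b"TRACE", b"PATCH")
MIN_PREFIX = 14  # 2-byte TCP length prefix + 12-byte DNS header


def _printable(byte: int) -> bool:
    return 0x20 <= byte <= 0x7E


def naive_guess(prefix: bytes) -> str:
    """First-bytes test from the thread, looking at 3 bytes only.
    Assumption: "non-ASCII" is read as "not printable ASCII"."""
    if len(prefix) < 3:
        return "need-more"
    return "http" if all(_printable(b) for b in prefix[:3]) else "dns"


def looks_like_http(prefix: bytes) -> bool:
    """HTTP/2 preface, or an HTTP/1.x method, a space, and a printable byte."""
    if len(prefix) >= 4 and prefix.startswith(HTTP2_PREFACE[:len(prefix)]):
        return True
    for method in HTTP1_METHODS:
        head = method + b" "
        if prefix.startswith(head) and len(prefix) > len(head):
            return _printable(prefix[len(head)])
    return False


def looks_like_dns_query(prefix: bytes) -> bool:
    """RFC 1035 section 4.2.2 framing followed by a standard-query header.
    Assumption: only opcode 0 queries with one question are expected."""
    if len(prefix) < MIN_PREFIX:
        return False
    length, _msg_id, flags, qd, an, ns, _ar = struct.unpack("!7H", prefix[:14])
    qr, opcode = flags >> 15, (flags >> 11) & 0xF
    z, rcode = (flags >> 6) & 1, flags & 0xF
    return (length >= 17 and qr == 0 and opcode == 0 and z == 0
            and rcode == 0 and qd == 1 and an == 0 and ns == 0)


def classify(prefix: bytes) -> str:
    """Stricter check: needs 14 bytes and exactly one protocol to match."""
    if len(prefix) < MIN_PREFIX:
        return "need-more"
    http, dns = looks_like_http(prefix), looks_like_dns_query(prefix)
    if http != dns:
        return "http" if http else "dns"
    return "ambiguous" if http else "unknown"


def build_query(qname: str, msg_id: int, pad_to: int = 0) -> bytes:
    """Constructed A/IN query with TCP length prefix. pad_to appends zero
    bytes only to reach a chosen length; it stands in for a large message."""
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in qname.rstrip(".").split("."))
    msg = struct.pack("!6H", msg_id, 0x0100, 1, 0, 0, 0)
    msg += labels + b"\x00" + struct.pack("!HH", 1, 1)
    msg += b"\x00" * max(0, pad_to - len(msg))
    return struct.pack("!H", len(msg)) + msg


# Constructed samples (not captured traffic).
SAMPLE_HTTP1 = b"GET /dns-query?dns=AAAB HTTP/1.1\r\nHost: example.net\r\n\r\n"
SAMPLE_HTTP2 = HTTP2_PREFACE + b"\x00\x00\x00\x04\x00\x00\x00\x00\x00"
SAMPLE_DNS = build_query("example.net", 0x1A2B)
# Length 0x4745 and ID 0x5420 make the stream begin with the bytes "GET ".
SAMPLE_COLLISION = build_query("example.net", 0x5420, pad_to=0x4745)

if __name__ == "__main__":
    for name, data in [("http1", SAMPLE_HTTP1), ("http2", SAMPLE_HTTP2),
                       ("dns", SAMPLE_DNS), ("collision", SAMPLE_COLLISION)]:
        print(f"{name:10} naive={naive_guess(data):5} strict={classify(data)}")
```

The collision sample shows why payload sniffing needs more than three bytes, and why negotiating the protocol inside the TLS handshake with ALPN avoids the guessing altogether.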


From nobody Sat Feb 16 10:01:11 2019
Return-Path: <chinese.apricot@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6F31C130D7A for <dnsop@ietfa.amsl.com>; Sat, 16 Feb 2019 10:01:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level: 
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qin47ZQvSbUg for <dnsop@ietfa.amsl.com>; Sat, 16 Feb 2019 10:01:05 -0800 (PST)
Received: from mail-yw1-xc43.google.com (mail-yw1-xc43.google.com [IPv6:2607:f8b0:4864:20::c43]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F347F130F1C for <dnsop@ietf.org>; Sat, 16 Feb 2019 10:01:04 -0800 (PST)
Received: by mail-yw1-xc43.google.com with SMTP id n12so4904467ywn.13 for <dnsop@ietf.org>; Sat, 16 Feb 2019 10:01:04 -0800 (PST)
X-Received: by 2002:a81:5503:: with SMTP id j3mr13107087ywb.355.1550340063912;  Sat, 16 Feb 2019 10:01:03 -0800 (PST)
MIME-Version: 1.0
References: <b45edb5e-1508-0b02-a14c-a5be4ca9c0e6@redbarn.org> <20190215095936.qnxuucn6oezj7tsx@nic.fr> <CA+nkc8BcuaGC4TKUzY429Hh2=dZk2dA48=P2ecjwvhV466hT4Q@mail.gmail.com> <20190215143446.6vp57cmlsesswnlt@nic.fr> <4efcd843-df84-e279-1df7-c240849edfd3@redbarn.org>
In-Reply-To: <4efcd843-df84-e279-1df7-c240849edfd3@redbarn.org>
From: william manning <chinese.apricot@gmail.com>
Date: Sat, 16 Feb 2019 10:00:55 -0800
Message-ID: <CACfw2hjX60evQwY+Yf8vtyS0eh9dt9OAys+RR3htM1TnaxGEbQ@mail.gmail.com>
To: Paul Vixie <paul@redbarn.org>
Cc: Stephane Bortzmeyer <bortzmeyer@nic.fr>, Bob Harold <rharolde@umich.edu>,  IETF DNSOP WG <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000ca6684058206acf4"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/9BcBZLuxuyjr1S8B228jI-hl7p8>
Subject: Re: [DNSOP] Making domains work even when connectivity fails (Was: the root is not special, everybody please stop obsessing over it
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 16 Feb 2019 18:01:10 -0000

--000000000000ca6684058206acf4
Content-Type: text/plain; charset="UTF-8"

Multicast NOTIFY?  You mean like RFC 6804, or RFC 7558.  Use of a
subscription model or lease still depends on reachability and when you
don't have that, you have two choices, use a stale lease or abandon it.
Take your pick.

/Wm

On Fri, Feb 15, 2019 at 8:44 AM Paul Vixie <paul@redbarn.org> wrote:

>
>
> Stephane Bortzmeyer wrote on 2019-02-15 06:34:
> > On Fri, Feb 15, 2019 at 09:29:29AM -0500,
> >   Bob Harold <rharolde@umich.edu> wrote
> >   a message of 73 lines which said:
> >
> >> I think in most solutions, if the name servers for "
> >> malware-c-and-c-as-a-service.com" and "com" are both unreachable,
> >> the domain should continue to resolve.  But if "com" is reachable,
> >> and says " malware-c-and-c-as-a-service.com" no longer exists, it
> >> should go away.
>
> this is why serve-stale is most wrong. permission, and an agreement to
> hear a trusted NOTIFY later if the authority wants to do the work of
> keeping track of who it told things to, and the work of telling them
> when something has importantly changed (like a glue address change, a
> name server change, a key change, a signature invalidated, or malware
> removed). this is a subscription (leasing) problem, not a caching one.
>
> > Any volunteer to write a problem statement for the "VIX.SU issue"?
> > Short version: "when I'm on the same network that at least one
> > authoritative name server of VIX.SU, I want this domain to work, even if there
> > is zero Internet connectivity to the outside world" Longer version:
> > "TODO (think of: is it automatic or not, does it require prior access
> > or not, phantom domains, etc)"
>
> just as root-level is the wrong focus, so is local-level. the reason we
> don't solve this problem with multicast NOTIFY is that the information
> you may need a subscription to (due to potential network partitioning)
> could be in another campus, or another region, or another isp, or
> another country.
>
> --
> P Vixie
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>

--000000000000ca6684058206acf4--


From mats.dufberg@internetstiftelsen.se  Fri Feb 15 08:20:37 2019
Return-Path: <mats.dufberg@internetstiftelsen.se>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 982B91310E3 for <dnsop@ietfa.amsl.com>; Fri, 15 Feb 2019 08:20:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.189
X-Spam-Level: 
X-Spam-Status: No, score=-4.189 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, T_SPF_PERMERROR=0.01, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LOwBz2m3sbFA for <dnsop@ietfa.amsl.com>; Fri, 15 Feb 2019 08:20:33 -0800 (PST)
Received: from relay2.iis.se (relay2.iis.se [IPv6:2001:67c:124c:2007::38]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1F320130FDA for <dnsop@ietf.org>; Fri, 15 Feb 2019 08:20:32 -0800 (PST)
Received: from exchange01.office.nic.se (unknown [2001:67c:124c:100e::20]) by relay2.iis.se (Halon) with ESMTPS id 9af4a250-313d-11e9-86d2-00505682e997; Fri, 15 Feb 2019 16:20:27 +0000 (UTC)
Received: from exchange02.office.nic.se (2001:67c:124c:2043::25) by exchange01.office.nic.se (2001:67c:124c:100e::20) with Microsoft SMTP Server (TLS) id 15.0.1347.2; Fri, 15 Feb 2019 17:20:27 +0100
Received: from exchange02.office.nic.se ([fe80::681b:9cef:675b:d880]) by exchange02.office.nic.se ([fe80::681b:9cef:675b:d880%14]) with mapi id 15.00.1347.000; Fri, 15 Feb 2019 17:20:26 +0100
From: Mats Dufberg <mats.dufberg@internetstiftelsen.se>
To: "ietf@ietf.org" <ietf@ietf.org>
CC: "dnsop@ietf.org" <dnsop@ietf.org>
Thread-Topic: [DNSOP] Last Call: <draft-ietf-dnsop-algorithm-update-05.txt> (Algorithm Implementation Requirements and Usage Guidance for DNSSEC) to Proposed Standard
Thread-Index: AQHUw9KLGKozXl4ll0SlO9p22BRRN6XhDRIA
Date: Fri, 15 Feb 2019 16:20:26 +0000
Message-ID: <811668FC-D40D-495D-B209-4CF1CDA8F31D@iis.se>
References: <155008617010.9548.7174990317415826094.idtracker@ietfa.amsl.com>
In-Reply-To: <155008617010.9548.7174990317415826094.idtracker@ietfa.amsl.com>
Accept-Language: en-US, sv-SE
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
user-agent: Microsoft-MacOutlook/10.10.7.190210
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [2001:67c:124c:5124::1279]
Content-Type: text/plain; charset="utf-8"
Content-ID: <ACCEDBC880AF1B4992BDB6F931C45D35@iis.se>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/sHdnirml04tL70ZezL4F-VvD71Q>
X-Mailman-Approved-At: Sun, 17 Feb 2019 11:47:04 -0800
Subject: Re: [DNSOP] Last Call: <draft-ietf-dnsop-algorithm-update-05.txt> (Algorithm Implementation Requirements and Usage Guidance for DNSSEC) to Proposed Standard
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Feb 2019 16:22:33 -0000


From nobody Sun Feb 17 15:58:21 2019
Return-Path: <marka@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EABF8130DD3 for <dnsop@ietfa.amsl.com>; Sun, 17 Feb 2019 15:58:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.901
X-Spam-Level: 
X-Spam-Status: No, score=-6.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AyJTMDKIQkTW for <dnsop@ietfa.amsl.com>; Sun, 17 Feb 2019 15:58:12 -0800 (PST)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [149.20.64.53]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 69511130E3F for <dnsop@ietf.org>; Sun, 17 Feb 2019 15:58:12 -0800 (PST)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.pao1.isc.org (Postfix) with ESMTPS id AC80E3AB041; Sun, 17 Feb 2019 23:58:11 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id 93F1B16003D; Sun, 17 Feb 2019 23:58:11 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id 182C1160060; Sun, 17 Feb 2019 23:58:11 +0000 (UTC)
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id 4u3Ari6Fd-Hm; Sun, 17 Feb 2019 23:58:11 +0000 (UTC)
Received: from [172.30.42.67] (c27-253-115-14.carlnfd2.nsw.optusnet.com.au [27.253.115.14]) by zmx1.isc.org (Postfix) with ESMTPSA id 3D5EA16003D; Sun, 17 Feb 2019 23:58:10 +0000 (UTC)
From: Mark Andrews <marka@isc.org>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
Message-Id: <00F35D3C-BAAF-41BC-8A94-96B717582FAB@isc.org>
Date: Mon, 18 Feb 2019 10:58:07 +1100
To: dns-operations <dns-operations@dns-oarc.net>, IETF DNSOP WG <dnsop@ietf.org>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/pGfmqGawm4kTPNiDl5OVtFspUhs>
Subject: [DNSOP] EDNS and TLD servers
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 17 Feb 2019 23:58:20 -0000

As of January 25, every TLD server is EDNS aware.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka@isc.org


From nobody Sun Feb 17 16:10:37 2019
Return-Path: <internet-drafts@ietf.org>
X-Original-To: dnsop@ietf.org
Delivered-To: dnsop@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 40606124D68; Sun, 17 Feb 2019 16:10:36 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: internet-drafts@ietf.org
To: <i-d-announce@ietf.org>
Cc: dnsop@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.91.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: dnsop@ietf.org
Message-ID: <155044863624.4051.6537584035075008369@ietfa.amsl.com>
Date: Sun, 17 Feb 2019 16:10:36 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/NURcguZoQ6HsqvNs-uqGsNrWP28>
Subject: [DNSOP] I-D Action: draft-ietf-dnsop-algorithm-update-06.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Feb 2019 00:10:36 -0000

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Domain Name System Operations WG of the IETF.

        Title           : Algorithm Implementation Requirements and Usage Guidance for DNSSEC
        Authors         : Paul Wouters
                          Ondrej Sury
        Filename        : draft-ietf-dnsop-algorithm-update-06.txt
        Pages           : 11
        Date            : 2019-02-17

Abstract:
   The DNSSEC protocol makes use of various cryptographic algorithms in
   order to provide authentication of DNS data and proof of non-
   existence.  To ensure interoperability between DNS resolvers and DNS
   authoritative servers, it is necessary to specify a set of algorithm
   implementation requirements and usage guidelines to ensure that there
   is at least one algorithm that all implementations support.  This
   document defines the current algorithm implementation requirements
   and usage guidance for DNSSEC.  This document obsoletes [RFC6944].


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-dnsop-algorithm-update/

There are also htmlized versions available at:
https://tools.ietf.org/html/draft-ietf-dnsop-algorithm-update-06
https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-algorithm-update-06

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-dnsop-algorithm-update-06


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/


From nobody Sun Feb 17 16:13:19 2019
Return-Path: <paul@nohats.ca>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 501D2127598; Sun, 17 Feb 2019 16:13:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level: 
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SFvi5NasxfLX; Sun, 17 Feb 2019 16:13:07 -0800 (PST)
Received: from mx.nohats.ca (mx.nohats.ca [193.110.157.68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1A958124D68; Sun, 17 Feb 2019 16:13:07 -0800 (PST)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 442kpm42TFzDcp; Mon, 18 Feb 2019 01:13:04 +0100 (CET)
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id dyIB6hQirCpc; Mon, 18 Feb 2019 01:13:03 +0100 (CET)
Received: from bofh.nohats.ca (bofh.nohats.ca [76.10.157.69]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Mon, 18 Feb 2019 01:13:02 +0100 (CET)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id 67EEC5C854; Sun, 17 Feb 2019 19:13:01 -0500 (EST)
DKIM-Filter: OpenDKIM Filter v2.11.0 bofh.nohats.ca 67EEC5C854
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id 5B55140D358A; Sun, 17 Feb 2019 19:13:01 -0500 (EST)
Date: Sun, 17 Feb 2019 19:13:01 -0500 (EST)
From: Paul Wouters <paul@nohats.ca>
To: Mats Dufberg <mats.dufberg@internetstiftelsen.se>
cc: "ietf@ietf.org" <ietf@ietf.org>, "dnsop@ietf.org" <dnsop@ietf.org>
In-Reply-To: <811668FC-D40D-495D-B209-4CF1CDA8F31D@iis.se>
Message-ID: <alpine.LRH.2.21.1902171911350.30077@bofh.nohats.ca>
References: <155008617010.9548.7174990317415826094.idtracker@ietfa.amsl.com> <811668FC-D40D-495D-B209-4CF1CDA8F31D@iis.se>
User-Agent: Alpine 2.21 (LRH 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII; format=flowed
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/3PxkJaB-nFn8r6PSumrzZ8_oGoA>
Subject: Re: [DNSOP] Last Call: <draft-ietf-dnsop-algorithm-update-05.txt> (Algorithm Implementation Requirements and Usage Guidance for DNSSEC) to Proposed Standard
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Feb 2019 00:13:09 -0000

On Fri, 15 Feb 2019, Mats Dufberg wrote:

> The table in section 3.3 ("DS and CDS Algorithms") of the draft states that SHA-1 is "MUST NOT" for "DNSSEC Delegation" but in the narrative text under the table it states "SHA-1 [...] is NOT RECOMMENDED for use in generating new DS and CDS records."
>
> The two statements should be consistent in the final RFC.

Done, thanks for spotting that.

https://tools.ietf.org/rfcdiff?url2=draft-ietf-dnsop-algorithm-update-06.txt

     SHA-1 is still in wide use for DS records, so validators MUST
-   implement validation, but it is NOT RECOMMENDED for use in generating
-   new DS and CDS records.  (See Operational Considerations for caveats
-   when upgrading from SHA-1 to SHA-256 DS Algorithm.)
+   implement validation, but it MUST NOT be used to generate new DS and
+   CDS records.  (See Operational Considerations for caveats when
+   upgrading from SHA-1 to SHA-256 DS Algorithm.)
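
Review bot: On the added lines, "MUST NOT be used to generate new DS and CDS records" leaves "new" undefined, which matters more now that the requirement is absolute rather than NOT RECOMMENDED. State whether regenerating a SHA-1 DS for a delegation that already publishes one (for example during a key rollover) counts as new, or point explicitly at the Operational Considerations caveat for that case. Consider also replacing "it" with "SHA-1", since the nearest antecedent in the sentence is "validation".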

Paul


From nobody Sun Feb 17 20:14:32 2019
Return-Path: <ljsong@biigroup.cn>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A994C1294FA for <dnsop@ietfa.amsl.com>; Sun, 17 Feb 2019 20:14:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.352
X-Spam-Level: 
X-Spam-Status: No, score=-0.352 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FROM_EXCESS_BASE64=0.979, INVALID_MSGID=0.568, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id h1Fxvddo2lU5 for <dnsop@ietfa.amsl.com>; Sun, 17 Feb 2019 20:14:26 -0800 (PST)
Received: from smtpproxy21.qq.com (smtpbg297.qq.com [184.105.67.100]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 279F11200B3 for <dnsop@ietf.org>; Sun, 17 Feb 2019 20:14:25 -0800 (PST)
X-QQ-mid: bizesmtp17t1550463260t947ydg0
Received: from sljpc (unknown [121.69.40.130]) by esmtp6.qq.com (ESMTP) with  id ; Mon, 18 Feb 2019 12:14:18 +0800 (CST)
X-QQ-SSF: 00400000002000Q0ZLF0B00A0000000
X-QQ-GoodBg: 1
From: Davey Song(宋林健) <ljsong@biigroup.cn>
To: "'Benno Overeinder'" <benno@NLnetLabs.nl>, <dnsop@ietf.org>
References: <BCACF554-8BE6-49BC-B75A-BCED776F5189@NLnetLabs.nl> <2ac1bd8d-e37c-ef63-db7d-125bf37b34bb@NLnetLabs.nl>
In-Reply-To: <2ac1bd8d-e37c-ef63-db7d-125bf37b34bb@NLnetLabs.nl>
Date: Mon, 18 Feb 2019 12:14:20 +0800
Message-ID: <011a01d4c740$6c9f98a0$45dec9e0$@cn>+67E56EB2327197ED
MIME-Version: 1.0
Content-Type: text/plain; charset="gb2312"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: AdTEfjCMilraw+zoRnaABEy39xr0cQCv/p2g
Content-Language: zh-cn
X-QQ-SENDSIZE: 520
Feedback-ID: bizesmtp:biigroup.cn:qybgforeign:qybgforeign2
X-QQ-Bgrelay: 1
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/TQF3w0MlveIlEUjvA4XtWpxD42Y>
Subject: [DNSOP] Re: Call for Adoption: draft-song-atr-large-resp
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Feb 2019 04:14:32 -0000

Thanks Benno. Thanks to all reviewers for your time reviewing the ATR draft.
I'm sorry it is not adopted in the WG, but I still think the draft and the
peer reviews help us to understand the problems better.

Davey
> -----Original Message-----
> From: DNSOP [mailto:dnsop-bounces@ietf.org] On Behalf Of Benno Overeinder
> Sent: February 14, 2019 23:58
> To: dnsop@ietf.org
> Subject: Re: [DNSOP] Call for Adoption: draft-song-atr-large-resp
>
> The call for acceptance for draft-song-atr-large-resp is closed, and it is
> clear that there is insufficient support to adopt the concept as a DNSOP WG
> document.
>
> There was some concern about the increased number of packages involved in a
> legitimate exchange (half of them being ICMP messages, introducing other
> concerns) and that the problem space is too narrow to burden all resolvers.
>
> We would like to thank the authors and WG participants who responded to the
> call for adoption on the mailing list.
>
> Best regards,
>
> -- Benno
> DNSOP co-chair
>
>
> On 18/01/2019 18:55, Benno Overeinder wrote:
> > Dear DNSOP WG,
> >
> > We discussed this work (draft -01) in Montreal, and different opinions wrt.
> > adoption were expressed.  In the past months, the authors pushed a draft
> > version -02 that addressed and resolved some of these comments.
> >
> > This starts a Call for Adoption for:
> > draft-song-atr-large-resp
> >
> > The draft is available here:
> > https://datatracker.ietf.org/doc/draft-song-atr-large-resp/
> >
> > Please review this draft to see if you think it is suitable for adoption
> > by DNSOP, and comments to the list, clearly stating your view.
> >
> > Please also indicate if you are willing to contribute text, review, etc.
> > The WG accepts the document or not, but the WG chairs also expect a
> > commitment from the WG participants who support the document to contribute
> > to the draft, review, etc.
> >
> > The intended status of the draft is Experimental, but we want to ask
> > developers/vendors if they plan to implement it.
> >
> > This call for adoption ends: 1 February 2019
> >
> > Thanks,
> >
> > Benno Overeinder
> > DNSOP co-chair
> >
> >
> >
> > _______________________________________________
> > DNSOP mailing list
> > DNSOP@ietf.org
> > https://www.ietf.org/mailman/listinfo/dnsop
> >
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop




From nobody Mon Feb 18 06:01:11 2019
Return-Path: <alex.mayrhofer.ietf@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A1350130F11 for <dnsop@ietfa.amsl.com>; Mon, 18 Feb 2019 06:01:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level: 
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FXVBIR58H-9O for <dnsop@ietfa.amsl.com>; Mon, 18 Feb 2019 06:01:07 -0800 (PST)
Received: from mail-lj1-x22d.google.com (mail-lj1-x22d.google.com [IPv6:2a00:1450:4864:20::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 461B312941A for <dnsop@ietf.org>; Mon, 18 Feb 2019 06:01:07 -0800 (PST)
Received: by mail-lj1-x22d.google.com with SMTP id j13-v6so14483713ljc.2 for <dnsop@ietf.org>; Mon, 18 Feb 2019 06:01:07 -0800 (PST)
X-Received: by 2002:a2e:90cd:: with SMTP id o13mr4866643ljg.153.1550498465345;  Mon, 18 Feb 2019 06:01:05 -0800 (PST)
MIME-Version: 1.0
References: <154963392249.31188.16873618915255886209.idtracker@ietfa.amsl.com> <CAHXf=0r0DqC_XHw-2=h4ZkH5SgjzTjPMuML3GjxtQbe6so3=vw@mail.gmail.com> <20190215093714.t23ulbslbg52t2dp@nic.fr>
In-Reply-To: <20190215093714.t23ulbslbg52t2dp@nic.fr>
From: Alexander Mayrhofer <alex.mayrhofer.ietf@gmail.com>
Date: Mon, 18 Feb 2019 15:00:54 +0100
Message-ID: <CAHXf=0o4CBNV2UsskGA5xQ2Vam4jeTPgpnEEvhUp8h3rb0=5Xw@mail.gmail.com>
To: Stephane Bortzmeyer <bortzmeyer@nic.fr>
Cc: IETF DNSOP WG <dnsop@ietf.org>, din@irtf.org
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/NgHfzWalfc9xTDqQaqbFH12bvEs>
Subject: Re: [DNSOP] Fwd: New Version Notification for draft-mayrhofer-did-dns-01.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Feb 2019 14:01:10 -0000

Stephane, all,

[I feel cautious about continuing to cross-post this to dnsop as well
as dinrg - however, it does apply to both areas, so i'll keep both
groups in for now]

On Fri, Feb 15, 2019 at 10:37 AM Stephane Bortzmeyer <bortzmeyer@nic.fr> wrote:
> I think that it is an important work because it brings the power of
> the DNS to many other identifier systems. So, I support it.

Thanks - great to hear. I'm hearing that DIDs are being used in more
and more situations, so i think it makes sense to define that
"bridging" protocol between the two "worlds".

> Maybe more examples could help people figure out the use cases? "My
> Bitcoin address is at foobar.example" and then the Bitcoin software
> would query _did.foobar.example and get
> <did:bitcoin:1NZc7FJ7eHJgRMRSrmncJJM9bPnusJeuR6>.

I will add more examples in the next revision. We also need to include
an example for the "email address" use case.

> I note that there exists already non-standard (and probably not really
> deployed) solutions in that space, some specific to a TLD
> <https://www.nominet.uk/domain-names-unlock-new-potential-on-blockchain/>
> <http://domainincite.com/23273-my-brain-explodes-trying-to-understand-mmxs-new-blockchain-deal-for-luxe>

I'm aware of the .luxe initiative, however, i haven't yet seen any
technical specifications about how the connection between DNS and
Blockchains is performed. If anybody has a pointer, i'd definitely
appreciate it.

The other alternative proposal i've found is https://openalias.org/ -
scroll down for their definition of the TXT record. They don't use
DIDs as far as i understand, though.

> Regarding draft -01: it seems OK to me. The only problem I find:
>
> > particularly the concerns around downgrade attacks when the record
> > is not signed
>
> Why downgrade attacks specifically? Without DNSSEC, a lot of attacks
> are possible.

I agree, that section requires some rewording. I'm referring to the
language in the OpenPGP DANE RFC here. I'm happy to work on more text,
and open to suggestions :)

best,
Alex


From nobody Mon Feb 18 06:14:30 2019
Return-Path: <alex.mayrhofer.ietf@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 09D5012941A for <dnsop@ietfa.amsl.com>; Mon, 18 Feb 2019 06:14:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level: 
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id G0HjdGQldBy2 for <dnsop@ietfa.amsl.com>; Mon, 18 Feb 2019 06:14:20 -0800 (PST)
Received: from mail-lj1-x232.google.com (mail-lj1-x232.google.com [IPv6:2a00:1450:4864:20::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7CF68130F0D for <dnsop@ietf.org>; Mon, 18 Feb 2019 06:14:20 -0800 (PST)
Received: by mail-lj1-x232.google.com with SMTP id d14so3320425ljl.9 for <dnsop@ietf.org>; Mon, 18 Feb 2019 06:14:20 -0800 (PST)
X-Received: by 2002:a2e:4d7:: with SMTP id a84mr11701209ljf.86.1550499258613;  Mon, 18 Feb 2019 06:14:18 -0800 (PST)
MIME-Version: 1.0
References: <154963392249.31188.16873618915255886209.idtracker@ietfa.amsl.com> <CAHXf=0r0DqC_XHw-2=h4ZkH5SgjzTjPMuML3GjxtQbe6so3=vw@mail.gmail.com> <20190215093714.t23ulbslbg52t2dp@nic.fr> <alpine.LRH.2.21.1902151339410.28436@bofh.nohats.ca>
In-Reply-To: <alpine.LRH.2.21.1902151339410.28436@bofh.nohats.ca>
From: Alexander Mayrhofer <alex.mayrhofer.ietf@gmail.com>
Date: Mon, 18 Feb 2019 15:14:07 +0100
Message-ID: <CAHXf=0qgxxRdVm6wwA6xs=5vVjEvFL5G9YLmxhqT9RZKn95uwg@mail.gmail.com>
To: Paul Wouters <paul@nohats.ca>
Cc: Stephane Bortzmeyer <bortzmeyer@nic.fr>, IETF DNSOP WG <dnsop@ietf.org>, din@irtf.org
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/O9XAgCw8vCMUbWymVBebTTFDvpI>
Subject: Re: [DNSOP] [Din] Fwd: New Version Notification for draft-mayrhofer-did-dns-01.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Feb 2019 14:14:23 -0000

Paul,

On Fri, Feb 15, 2019 at 7:47 PM Paul Wouters <paul@nohats.ca> wrote:
> I think this document should be Experimental and not Standards Track?

I was torn when i did the first revision of this. I think it depends
on the stability of Decentralized Identifiers themselves. Once that
schema becomes widely used, i think any protocol that connects the DNS
and DIDs should be Standards Track. But i leave that up to "higher
forces" as soon as i find a suitable "home WG" for that.

> The reference to 7929 should be normative, not informative, since
> you actually need to read a section of 7929 to implement this document.

Agreed. I've considered replacing the "instruction diff" to OpenPGP
with a full description in the document itself. The idea to use that
scheme in email came in quite late before i wrote -00, so that section
also reflects some laziness. With the "two label" hierarchy introduced
in -01, i think a full description would be better anyways. Will do so
in -02. Which, in turn, would allow the 7929 reference to stay
informative.

> I'm not sure if one should use _did.example.com for host names and
> _mailto._did.example.com for email addresses. I would keep that at
> the same level, eg:
>
> _hostname._did.example.com
> _mailto._did.example.com

I'd love to have a discussion about semantics of both options at some
point. Maybe we can do a short meeting during IETF104? I know there
are many ways to do that, and personally i'm not sure which way would
be the "right" one.

> This technically also allows one to separate the two DNS zones more
> clearly (and could even be managed by a different group)

Yep, introduces a zone cut. Then again, i'm not sure what (if we
introduce that schema above) the semantics of a record right under
_did would be.. Or would that be disallowed?

> I'm really on the fence for this document. On the one hand, it is good
> to have a memorable decentralized identifier, but on the other hand if
> you rely on DNS (and DNSSEC), is this identifier really still
> decentralised in the "we don't trust the USG or Verisign" way ?

The identifier is still fully decentralized, the method of discovery
probably not. I've also heard that from folks from the Self Sovereign
Identity community... However, they are seeking ways for people to
discover DIDs. Commonly used are QR codes, but everyone is aware that
replacing the QR code on an ATM machine would create an easy way of "real
world" phishing, so other methods of discovery are definitely worth
investigating.

> I guess if you interpret it as a migration strategy away from DNS, it is okay.

Note that we could also create a "full loop" of verification. The DID
document published behind a DID could include a link back to the
domain name. I've not investigated that further, though, but it's an
interesting area.

So, would you be interested to discuss this in Prague?

best,
Alex
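
The two owner-name layouts discussed in this message, worked through as an added example (not code from the draft or from any poster). It assumes the hashed local-part label of RFC 7929 section 3 is placed directly under `_mailto._did`, and the function names, the layout names `draft-01` and `flat`, and the `authenticated` flag are hypothetical.

```python
import hashlib
import re
import unicodedata

# Simplified generic DID syntax check: did:<method>:<method-specific-id>
_IDCHAR = r"(?:[A-Za-z0-9._-]|%[0-9A-Fa-f]{2})"
DID_RE = re.compile(rf"^did:([a-z0-9]+):({_IDCHAR}+(?::{_IDCHAR}+)*)$")

# "draft-01": host names at _did.<domain>, e-mail under _mailto._did.<domain>
# "flat":     the alternative quoted above, host names at _hostname._did.<domain>
LAYOUTS = ("draft-01", "flat")


def local_part_label(local_part: str) -> str:
    """RFC 7929 section 3 hashing: NFC-normalise, SHA2-256, keep 28 octets, hex.

    Quoted local-parts and comments are not canonicalised here.
    """
    normalised = unicodedata.normalize("NFC", local_part)
    return hashlib.sha256(normalised.encode("utf-8")).digest()[:28].hex()


def _fqdn(domain: str) -> str:
    """Lower-case the domain, check label lengths, return it with a trailing dot."""
    name = domain.rstrip(".").lower()
    if not name or any(not 0 < len(label) <= 63 for label in name.split(".")):
        raise ValueError(f"invalid domain name: {domain!r}")
    return name + "."


def owner_name(subject: str, layout: str = "draft-01") -> str:
    """Return the DNS owner name to query for a host name or an e-mail address."""
    if layout not in LAYOUTS:
        raise ValueError(f"unknown layout: {layout!r}")
    if "@" in subject:
        local, _, domain = subject.rpartition("@")
        if not local:
            raise ValueError("e-mail address has an empty local-part")
        # Assumption: hashed label sits directly under _mailto._did in both layouts.
        name = f"{local_part_label(local)}._mailto._did.{_fqdn(domain)}"
    elif layout == "flat":
        name = f"_hostname._did.{_fqdn(subject)}"
    else:
        name = f"_did.{_fqdn(subject)}"
    if len(name) > 254:  # 253 characters plus the trailing dot
        raise ValueError("owner name exceeds the DNS name length limit")
    return name


def accept_answer(rdata: str, authenticated: bool):
    """Return (method, method-specific-id) for a usable answer, otherwise None.

    `authenticated` is the caller's statement that the answer was
    DNSSEC-validated; unsigned answers are rejected rather than used
    opportunistically, since an on-path party can rewrite them.
    """
    if not authenticated:
        return None
    match = DID_RE.match(rdata.strip())
    return (match.group(1), match.group(2)) if match else None


if __name__ == "__main__":
    # Constructed inputs; the DID is the sample value quoted earlier in the thread.
    for layout in LAYOUTS:
        print(layout, owner_name("foobar.example", layout))
        print(layout, owner_name("hugh@example.com", layout))
    sample = "did:bitcoin:1NZc7FJ7eHJgRMRSrmncJJM9bPnusJeuR6"
    print(accept_answer(sample, authenticated=True))
    print(accept_answer(sample, authenticated=False))
```

In the `flat` layout nothing is published at `_did.<domain>` itself, which is the open question raised above about a record directly under `_did`.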


From nobody Mon Feb 18 06:17:59 2019
Return-Path: <alex.mayrhofer.ietf@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 23C4212941A for <dnsop@ietfa.amsl.com>; Mon, 18 Feb 2019 06:17:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level: 
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eEECiVZNnIKU for <dnsop@ietfa.amsl.com>; Mon, 18 Feb 2019 06:17:50 -0800 (PST)
Received: from mail-lf1-x12d.google.com (mail-lf1-x12d.google.com [IPv6:2a00:1450:4864:20::12d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B370E128B01 for <dnsop@ietf.org>; Mon, 18 Feb 2019 06:17:49 -0800 (PST)
Received: by mail-lf1-x12d.google.com with SMTP id q11so12400495lfd.3 for <dnsop@ietf.org>; Mon, 18 Feb 2019 06:17:49 -0800 (PST)
X-Received: by 2002:a19:7406:: with SMTP id v6mr321865lfe.33.1550499467974; Mon, 18 Feb 2019 06:17:47 -0800 (PST)
MIME-Version: 1.0
References: <154963392249.31188.16873618915255886209.idtracker@ietfa.amsl.com> <CAHXf=0r0DqC_XHw-2=h4ZkH5SgjzTjPMuML3GjxtQbe6so3=vw@mail.gmail.com> <20190215093714.t23ulbslbg52t2dp@nic.fr> <alpine.LRH.2.21.1902151339410.28436@bofh.nohats.ca> <5a817aac-e553-d104-b9f0-f074fce235eb@nomountain.net>
In-Reply-To: <5a817aac-e553-d104-b9f0-f074fce235eb@nomountain.net>
From: Alexander Mayrhofer <alex.mayrhofer.ietf@gmail.com>
Date: Mon, 18 Feb 2019 15:17:37 +0100
Message-ID: <CAHXf=0oB-jme9ini14mg=wGUbsdVdXav=zoGz1ZbTASa1Q0QJQ@mail.gmail.com>
To: Melinda Shore <melinda.shore@nomountain.net>
Cc: Paul Wouters <paul@nohats.ca>, Stephane Bortzmeyer <bortzmeyer@nic.fr>, IETF DNSOP WG <dnsop@ietf.org>, din@irtf.org
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/S8LaKcmzf62XBBMFqmN3eUyzOr0>
Subject: Re: [DNSOP] [Din] Fwd: New Version Notification for draft-mayrhofer-did-dns-01.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Feb 2019 14:17:53 -0000

On Fri, Feb 15, 2019 at 8:47 PM Melinda Shore
<melinda.shore@nomountain.net> wrote:
> I think the question of whether or not to provide
> decentralized identifiers and whether or not this proposal
> delivers on the "decentralized" claim is out of our hands,
> as the core spec (which has a lot of additional problems)
> comes out of the W3C.  I think the IETF's involvement is
> probably limited to their use of DNS in the resolution
> process.

I do agree. We provide the "link" from an IETF protocol to a protocol
developed in another SDO.

> p.s. and it's probably worth pointing out that this work is
> being done in a W3C community group, so until it looks like
> it's actually going to be published as a W3C spec I'm not
> sure I'd like to see IETF working group resources being
> spent on this.

Yes, exactly, this is a community group work right now. However, i do
understand that the "upgrade" to a working group is currently
underway.

best,
Alex


From nobody Mon Feb 18 09:05:48 2019
Return-Path: <mats.dufberg@internetstiftelsen.se>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E7193129A87 for <dnsop@ietfa.amsl.com>; Mon, 18 Feb 2019 09:05:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.189
X-Spam-Level: 
X-Spam-Status: No, score=-4.189 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, T_SPF_PERMERROR=0.01, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 43whCVfJBRqe for <dnsop@ietfa.amsl.com>; Mon, 18 Feb 2019 09:05:35 -0800 (PST)
Received: from relay1.iis.se (relay1.iis.se [IPv6:2a00:801:f0:106::38]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DCC651295D8 for <dnsop@ietf.org>; Mon, 18 Feb 2019 09:05:34 -0800 (PST)
Received: from exchange01.office.nic.se (unknown [2001:67c:124c:100e::20]) by relay1.iis.se (Halon) with ESMTPS id 6527ae25-339f-11e9-ae35-005056827d92; Mon, 18 Feb 2019 17:05:30 +0000 (UTC)
Received: from exchange02.office.nic.se (2001:67c:124c:2043::25) by exchange01.office.nic.se (2001:67c:124c:100e::20) with Microsoft SMTP Server (TLS) id 15.0.1347.2; Mon, 18 Feb 2019 18:05:29 +0100
Received: from exchange02.office.nic.se ([fe80::681b:9cef:675b:d880]) by exchange02.office.nic.se ([fe80::681b:9cef:675b:d880%14]) with mapi id 15.00.1347.000; Mon, 18 Feb 2019 18:05:29 +0100
From: Mats Dufberg <mats.dufberg@internetstiftelsen.se>
To: "ietf@ietf.org" <ietf@ietf.org>, "dnsop@ietf.org" <dnsop@ietf.org>
Thread-Topic: [DNSOP] Last Call: <draft-ietf-dnsop-algorithm-update-05.txt> (Algorithm Implementation Requirements and Usage Guidance for DNSSEC) to Proposed Standard
Thread-Index: AQHUw9KLGKozXl4ll0SlO9p22BRRN6Xl0KeA
Date: Mon, 18 Feb 2019 17:05:29 +0000
Message-ID: <D87AFE0D-3073-4461-BC65-EA3E60AED78C@iis.se>
References: <155008617010.9548.7174990317415826094.idtracker@ietfa.amsl.com>
In-Reply-To: <155008617010.9548.7174990317415826094.idtracker@ietfa.amsl.com>
Accept-Language: en-US, sv-SE
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
user-agent: Microsoft-MacOutlook/10.10.7.190210
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [2001:67c:124c:5024::161e]
Content-Type: text/plain; charset="utf-8"
Content-ID: <039D48592346A34199E7C2A5C5546B91@iis.se>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/vlXKErA0Oe8zOzbDfY-tVTudhic>
Subject: Re: [DNSOP] Last Call: <draft-ietf-dnsop-algorithm-update-05.txt> (Algorithm Implementation Requirements and Usage Guidance for DNSSEC) to Proposed Standard
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Feb 2019 17:05:39 -0000

From nobody Mon Feb 18 15:34:19 2019
Return-Path: <pusateri@bangj.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A38941310AE for <dnsop@ietfa.amsl.com>; Mon, 18 Feb 2019 15:34:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level: 
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ubpWEv1t6o57 for <dnsop@ietfa.amsl.com>; Mon, 18 Feb 2019 15:34:15 -0800 (PST)
Received: from oj.bangj.com (69-77-154-174.static.skybest.com [69.77.154.174]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6449912426A for <dnsop@ietf.org>; Mon, 18 Feb 2019 15:34:15 -0800 (PST)
Received: from [172.16.10.110] (mta-107-13-246-59.nc.rr.com [107.13.246.59]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by oj.bangj.com (Postfix) with ESMTPSA id 3B2AB27D8F for <dnsop@ietf.org>; Mon, 18 Feb 2019 18:34:14 -0500 (EST)
From: Tom Pusateri <pusateri@bangj.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_B0D5A08F-891D-41E2-A7AE-E8BDE23FC461"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
Message-Id: <969D8BA1-6ED3-47E8-AFFD-2BEE8EA3E66B@bangj.com>
References: <155053239541.25848.12960190085730298684.idtracker@ietfa.amsl.com>
To: dnsop WG <dnsop@ietf.org>
Date: Mon, 18 Feb 2019 18:34:13 -0500
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/gREZs9gC_9ZCq6WqVXPGDBR4Wr4>
Subject: [DNSOP] Fwd: New Version Notification for draft-pusateri-dnsop-update-timeout-01.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Feb 2019 23:34:18 -0000

--Apple-Mail=_B0D5A08F-891D-41E2-A7AE-E8BDE23FC461
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=us-ascii

DNSOP,

We have updated the TIMEOUT resource record draft based on the great feedback from Mark Andrews, Joe Abley, Ted Lemon, and Paul Vixie. I think we have addressed all of the comments except for the Date format concern from Mark. That is still an outstanding issue. Please comment on it if you have an opinion or feel free to open other issues against the document or send comments to the list.

The TIMEOUT RR is just like any other resource record now with no special handling.

Issues are on Github:
https://github.com/pusateri/draft-pusateri-dnsop-update-timeout/issues

Thanks,
Tom & Tim


> Begin forwarded message:
>
> From: internet-drafts@ietf.org
> Subject: New Version Notification for draft-pusateri-dnsop-update-timeout-01.txt
> Date: February 18, 2019 at 6:26:35 PM EST
> To: "Tim Wattenberg" <mail@timwattenberg.de>, "Tom Pusateri" <pusateri@bangj.com>
>
>
> A new version of I-D, draft-pusateri-dnsop-update-timeout-01.txt
> has been successfully submitted by Tom Pusateri and posted to the
> IETF repository.
>
> Name:		draft-pusateri-dnsop-update-timeout
> Revision:	01
> Title:		DNS TIMEOUT Resource Record
> Document date:	2019-02-18
> Group:		Individual Submission
> Pages:		13
> URL:            https://www.ietf.org/internet-drafts/draft-pusateri-dnsop-update-timeout-01.txt
> Status:         https://datatracker.ietf.org/doc/draft-pusateri-dnsop-update-timeout/
> Htmlized:       https://tools.ietf.org/html/draft-pusateri-dnsop-update-timeout-01
> Htmlized:       https://datatracker.ietf.org/doc/html/draft-pusateri-dnsop-update-timeout
> Diff:           https://www.ietf.org/rfcdiff?url2=draft-pusateri-dnsop-update-timeout-01
>
> Abstract:
>   This specification defines a new DNS TIMEOUT resource record (RR)
>   that associates a lifetime with one or more zone resource records
>   with the same owner name, type, and class.  It is intended to be used
>   to transfer resource record lifetime state between a zone's primary
>   and secondary servers and to store lifetime state during server
>   software restarts.
>
>
>
>
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> The IETF Secretariat
>


--Apple-Mail=_B0D5A08F-891D-41E2-A7AE-E8BDE23FC461--


From nobody Mon Feb 18 16:27:52 2019
Return-Path: <marka@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 639BF1310C3 for <dnsop@ietfa.amsl.com>; Mon, 18 Feb 2019 16:27:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.901
X-Spam-Level: 
X-Spam-Status: No, score=-6.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 95rHTVnqy_qF for <dnsop@ietfa.amsl.com>; Mon, 18 Feb 2019 16:27:49 -0800 (PST)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [IPv6:2001:4f8:0:2::2b]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 889901200ED for <dnsop@ietf.org>; Mon, 18 Feb 2019 16:27:49 -0800 (PST)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.pao1.isc.org (Postfix) with ESMTPS id 151113AB03C; Tue, 19 Feb 2019 00:27:49 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id CFC68160048; Tue, 19 Feb 2019 00:27:47 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id ABD5F160066; Tue, 19 Feb 2019 00:27:47 +0000 (UTC)
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id wm24Oznoy0SS; Tue, 19 Feb 2019 00:27:47 +0000 (UTC)
Received: from [172.30.42.67] (c27-253-115-14.carlnfd2.nsw.optusnet.com.au [27.253.115.14]) by zmx1.isc.org (Postfix) with ESMTPSA id ECD35160048; Tue, 19 Feb 2019 00:27:46 +0000 (UTC)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
From: Mark Andrews <marka@isc.org>
In-Reply-To: <969D8BA1-6ED3-47E8-AFFD-2BEE8EA3E66B@bangj.com>
Date: Tue, 19 Feb 2019 11:27:44 +1100
Cc: dnsop WG <dnsop@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <EEF5A840-432E-4E87-A4C6-8C44DB733BC4@isc.org>
References: <155053239541.25848.12960190085730298684.idtracker@ietfa.amsl.com> <969D8BA1-6ED3-47E8-AFFD-2BEE8EA3E66B@bangj.com>
To: Tom Pusateri <pusateri@bangj.com>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/tawIHF_8ys_aaVfpPjE5yAveXgo>
Subject: Re: [DNSOP] Fwd: New Version Notification for draft-pusateri-dnsop-update-timeout-01.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Feb 2019 00:27:51 -0000

I have yet to see a justification for using SHAKE128 vs any of the existing
hash algorithms used in DNS.  You really need to justify this choice on security
concerns.  DNS server implementers need to support multiple crypto backends and
adding yet another algorithm is not as easy as just calling OpenSSL.  It’s writing /
expanding a shim layer.  It’s checking for the existence on all the platforms
the server is built on.  Just closing the issue isn’t addressing it.

https://github.com/pusateri/draft-pusateri-dnsop-update-timeout/issues/19


-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka@isc.org


From nobody Mon Feb 18 16:47:46 2019
Return-Path: <pusateri@bangj.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E89C71310C7 for <dnsop@ietfa.amsl.com>; Mon, 18 Feb 2019 16:47:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level: 
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id j3qZ1mM3SRyA for <dnsop@ietfa.amsl.com>; Mon, 18 Feb 2019 16:47:42 -0800 (PST)
Received: from oj.bangj.com (69-77-154-174.static.skybest.com [69.77.154.174]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 50B9F130E91 for <dnsop@ietf.org>; Mon, 18 Feb 2019 16:47:41 -0800 (PST)
Received: from [172.16.10.104] (mta-107-13-246-59.nc.rr.com [107.13.246.59]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by oj.bangj.com (Postfix) with ESMTPSA id 58C3427D9A; Mon, 18 Feb 2019 19:47:40 -0500 (EST)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
From: Tom Pusateri <pusateri@bangj.com>
In-Reply-To: <EEF5A840-432E-4E87-A4C6-8C44DB733BC4@isc.org>
Date: Mon, 18 Feb 2019 19:47:39 -0500
Cc: dnsop WG <dnsop@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <C890EB92-59A3-4C70-865F-1C62DEC7FE1E@bangj.com>
References: <155053239541.25848.12960190085730298684.idtracker@ietfa.amsl.com> <969D8BA1-6ED3-47E8-AFFD-2BEE8EA3E66B@bangj.com> <EEF5A840-432E-4E87-A4C6-8C44DB733BC4@isc.org>
To: Mark Andrews <marka@isc.org>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/A9vXn3nzvcb-02x9p_NOoBAr87Y>
Subject: Re: [DNSOP] Fwd: New Version Notification for draft-pusateri-dnsop-update-timeout-01.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Feb 2019 00:47:45 -0000

Mark,

> Just closing the issue isn’t addressing it.

That’s not a fair point about closing issue #19.

Your main concern was that SHA-3 algorithms might not be easily available but, luckily, they shipped with TLS 1.3 in OpenSSL 1.1.1 and so I thought #19 was a solved issue.

Regardless, sooner or later, someone will be the first to use a SHA-3 algorithm that’s better than the SHA-2 algorithms DNS uses today. It’s only a matter of time. SHA-3 has been out since 2015. As soon as you support TLS 1.3, you’ll have all the SHA-3 algorithms with a simple API call and it should be available everywhere because TLS 1.3 will be needed everywhere.

I will reopen this issue for discussion but I don’t see yet how this is a problem.

Thanks,
Tom



From nobody Mon Feb 18 17:28:16 2019
Return-Path: <marka@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1AAC91200D7 for <dnsop@ietfa.amsl.com>; Mon, 18 Feb 2019 17:28:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.9
X-Spam-Level: 
X-Spam-Status: No, score=-6.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZPlTzMKEjmL0 for <dnsop@ietfa.amsl.com>; Mon, 18 Feb 2019 17:28:12 -0800 (PST)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [149.20.64.53]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BB4E0129619 for <dnsop@ietf.org>; Mon, 18 Feb 2019 17:28:12 -0800 (PST)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.pao1.isc.org (Postfix) with ESMTPS id 0DE803AB03C; Tue, 19 Feb 2019 01:28:12 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id BFDA3160048; Tue, 19 Feb 2019 01:28:11 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id A36A5160066; Tue, 19 Feb 2019 01:28:11 +0000 (UTC)
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id gh_XQqy97liA; Tue, 19 Feb 2019 01:28:11 +0000 (UTC)
Received: from [172.30.42.67] (c27-253-115-14.carlnfd2.nsw.optusnet.com.au [27.253.115.14]) by zmx1.isc.org (Postfix) with ESMTPSA id C2DB3160048; Tue, 19 Feb 2019 01:28:10 +0000 (UTC)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
From: Mark Andrews <marka@isc.org>
In-Reply-To: <C890EB92-59A3-4C70-865F-1C62DEC7FE1E@bangj.com>
Date: Tue, 19 Feb 2019 12:28:08 +1100
Cc: dnsop WG <dnsop@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <205A5BE4-C2B0-4314-B83C-B90D05766C3E@isc.org>
References: <155053239541.25848.12960190085730298684.idtracker@ietfa.amsl.com> <969D8BA1-6ED3-47E8-AFFD-2BEE8EA3E66B@bangj.com> <EEF5A840-432E-4E87-A4C6-8C44DB733BC4@isc.org> <C890EB92-59A3-4C70-865F-1C62DEC7FE1E@bangj.com>
To: Tom Pusateri <pusateri@bangj.com>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/7XtHGUmDCbasASQR1vRpchik-iQ>
Subject: Re: [DNSOP] Fwd: New Version Notification for draft-pusateri-dnsop-update-timeout-01.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Feb 2019 01:28:15 -0000

> On 19 Feb 2019, at 11:47 am, Tom Pusateri <pusateri@bangj.com> wrote:
>
> Mark,
>
>> Just closing the issue isn’t addressing it.
>
> That’s not a fair point about closing issue #19.
>
> Your main concern was that SHA-3 algorithms might not be easily available but, luckily, they shipped with TLS 1.3 in OpenSSL 1.1.1 and so I thought #19 was a solved issue.
>
> Regardless, sooner or later, someone will be the first to use a SHA-3 algorithm that’s better than the SHA-2 algorithms DNS uses today. It’s only a matter of time. SHA-3 has been out since 2015. As soon as you support TLS 1.3, you’ll have all the SHA-3 algorithms with a simple API call and it should be available everywhere because TLS 1.3 will be needed everywhere.

Where is the need to use SHA-3?  This is introducing a new algorithm for the sake of
introducing a new algorithm.  Just because TLS 1.3 uses SHAKE128 is not a reason for
DNS to use SHAKE128.  There are plenty of platforms that don’t need to use TLS at
all.  They don’t have web interfaces.  Transaction security is provided by something
other than TLS.

There are also lots of old server platforms that just won’t ever upgrade their OpenSSL
package.  Adding SHA-3 creates yet another dependency / impediment to upgrading the DNS
server.

And before someone mentions DoT and DoH. DoT/DoH have their uses but not everywhere
needs to use DoT/DoH.  DoT/DoH adds baggage which isn’t always justified.

Mark

> I will reopen this issue for discussion but I don’t see yet how this is a problem.
>
> Thanks,
> Tom

--=20
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka@isc.org


From nobody Tue Feb 19 03:54:45 2019
Return-Path: <michal@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CE9D7130EA1 for <dnsop@ietfa.amsl.com>; Tue, 19 Feb 2019 03:54:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.921
X-Spam-Level: 
X-Spam-Status: No, score=-5.921 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FROM_EXCESS_BASE64=0.979, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id T6XzlT7Ufh_v for <dnsop@ietfa.amsl.com>; Tue, 19 Feb 2019 03:54:42 -0800 (PST)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [149.20.64.53]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C67A8130E77 for <dnsop@ietf.org>; Tue, 19 Feb 2019 03:54:42 -0800 (PST)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.pao1.isc.org (Postfix) with ESMTPS id E33663AB03B; Tue, 19 Feb 2019 11:54:41 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id AF19616005C; Tue, 19 Feb 2019 11:54:41 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id 99A5F160067; Tue, 19 Feb 2019 11:54:41 +0000 (UTC)
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id WZtpHJi8FTia; Tue, 19 Feb 2019 11:54:41 +0000 (UTC)
Received: from larwa.hq.kempniu.pl (unknown [212.180.223.213]) by zmx1.isc.org (Postfix) with ESMTPSA id D457E16005C; Tue, 19 Feb 2019 11:54:40 +0000 (UTC)
Date: Tue, 19 Feb 2019 12:54:36 +0100
From: =?utf-8?B?TWljaGHFgiBLxJlwaWXFhA==?= <michal@isc.org>
To: Paul Hoffman <paul.hoffman@icann.org>
Cc: dnsop <dnsop@ietf.org>
Message-ID: <20190219115435.GA4768@larwa.hq.kempniu.pl>
References: <47597960-3D11-4007-947D-19DBC7AF2BAC@icann.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
In-Reply-To: <47597960-3D11-4007-947D-19DBC7AF2BAC@icann.org>
User-Agent: Mutt/1.11.3 (2019-02-01)
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/qrxW02aaCSTwolRiTn8QQLS_Xwc>
Subject: Re: [DNSOP] Adding more example configurations to draft-ietf-dnsop-7706bis
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Feb 2019 11:54:45 -0000

Hi Paul,

Apologies for being late to the party.

> I have seen messages in the past few months about some vendors adding 7706, or 7706-like, support to recent versions of their resolvers. It would be grand if those of you who have shipping implementations of this could send the configuration steps to the list so we can add them to the appendix.

BIND 9.14, i.e. the upcoming stable BIND release, will ship with a
feature called mirror zones which facilitates setting up a local,
DNSSEC-validated copy of the root zone.

As of the currently available BIND 9.13.6 development release, a default
list of primary servers for the IANA root zone is built into named and
thus its mirroring can be enabled using the following configuration
snippet:

    zone "." {
        type mirror;
    };

(The above snippet is intended to be used instead of the example BIND
configuration provided in Appendix B to RFC 7706, not in addition to
it.)

Chapter 5 of the BIND 9 ARM discusses how mirror zones work in more
detail:

    https://bind.isc.org/doc/arm/9.13/Bv9ARM.ch05.html#zone_types

Please let me know if anything above is unclear.

-- 
Best regards,
Michał Kępień


From nobody Tue Feb 19 04:27:28 2019
Return-Path: <dot@dotat.at>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 35484130ECA for <dnsop@ietfa.amsl.com>; Tue, 19 Feb 2019 04:27:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level: 
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KT3As79sFGNJ for <dnsop@ietfa.amsl.com>; Tue, 19 Feb 2019 04:27:25 -0800 (PST)
Received: from ppsw-31.csi.cam.ac.uk (ppsw-31.csi.cam.ac.uk [131.111.8.131]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 41E37130ED1 for <dnsop@ietf.org>; Tue, 19 Feb 2019 04:27:24 -0800 (PST)
X-Cam-AntiVirus: no malware found
X-Cam-ScannerInfo: http://help.uis.cam.ac.uk/email-scanner-virus
Received: from grey.csi.cam.ac.uk ([131.111.57.57]:38150) by ppsw-31.csi.cam.ac.uk (ppsw.cam.ac.uk [131.111.8.137]:25) with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) id 1gw4Ub-000kwZ-L6 (Exim 4.91) (return-path <dot@dotat.at>); Tue, 19 Feb 2019 12:27:21 +0000
Date: Tue, 19 Feb 2019 12:27:21 +0000
From: Tony Finch <dot@dotat.at>
To: Tom Pusateri <pusateri@bangj.com>
cc: dnsop WG <dnsop@ietf.org>
In-Reply-To: <969D8BA1-6ED3-47E8-AFFD-2BEE8EA3E66B@bangj.com>
Message-ID: <alpine.DEB.2.20.1902191219070.766@grey.csi.cam.ac.uk>
References: <155053239541.25848.12960190085730298684.idtracker@ietfa.amsl.com> <969D8BA1-6ED3-47E8-AFFD-2BEE8EA3E66B@bangj.com>
User-Agent: Alpine 2.20 (DEB 67 2015-01-07)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/jkzphg8Xn-PQT_icEQ6XTFc5o-E>
Subject: Re: [DNSOP] Fwd: New Version Notification for draft-pusateri-dnsop-update-timeout-01.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Feb 2019 12:27:27 -0000

Tom Pusateri <pusateri@bangj.com> wrote:
>
> I think we have addressed all of the comments except for the Date format
> concern from Mark. That is still an outstanding issue.

The DNS currently has a couple of representations of absolute (POSIX
flavoured) time:

RRSIG, SIG, TKEY (32 bits with serial number arithmetic relative to now)

TSIG (48 bits)

It seems silly to invent a third one and prevent servers from re-using
code.

Tony.
-- 
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
the widest possible distribution of wealth
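
The two existing wire formats named above, sketched as an added Python example (not part of the original message and not taken from any DNS implementation): a 32-bit RRSIG-style timestamp checked with RFC 1982 serial number arithmetic relative to now, and a 48-bit TSIG-style timestamp checked against a fudge window. All function names and sample timestamps are constructed for illustration.

```python
import struct
from datetime import date, datetime, timedelta, timezone

MOD32 = 1 << 32    # 32-bit timestamp space (RRSIG, SIG, TKEY)
HALF32 = 1 << 31   # serial arithmetic only orders values less than 2**31 apart


def serial_lt(a: int, b: int) -> bool:
    """RFC 1982 'a < b' for 32-bit values; False when the order is undefined."""
    return 0 < (b - a) % MOD32 < HALF32


def serial_le(a: int, b: int) -> bool:
    return a == b or serial_lt(a, b)


def rrsig_time_valid(inception: int, expiration: int, now: int) -> bool:
    """Check a signature window whose fields are 32-bit wire values.

    `now` is absolute POSIX time and may exceed 2**32. The check fails
    closed when a field is exactly 2**31 seconds away from now.
    """
    now32 = now % MOD32
    return serial_le(inception, now32) and serial_le(now32, expiration)


def naive_time_valid(inception: int, expiration: int, now: int) -> bool:
    """Plain integer comparison, shown only to contrast with the above."""
    return inception <= now % MOD32 <= expiration


def expand_rrsig_time(field: int, now: int) -> int:
    """Map a 32-bit wire value to the absolute POSIX time nearest to `now`."""
    delta = (field - now) % MOD32
    if delta >= HALF32:
        delta -= MOD32
    return now + delta


def pack_tsig_time(t: int) -> bytes:
    """Encode absolute POSIX time as the 48-bit big-endian TSIG field."""
    if not 0 <= t < (1 << 48):
        raise ValueError("time does not fit in 48 bits")
    return struct.pack("!HI", t >> 32, t & 0xFFFFFFFF)


def unpack_tsig_time(raw: bytes) -> int:
    if len(raw) != 6:
        raise ValueError("TSIG time field is exactly 6 octets")
    high, low = struct.unpack("!HI", raw)
    return (high << 32) | low


def tsig_time_ok(time_signed: int, fudge: int, now: int) -> bool:
    """48 bits never wrap in practice, so ordinary subtraction is enough."""
    return abs(now - time_signed) <= fudge


def rrsig_wrap_date() -> date:
    """UTC date on which an unsigned 32-bit seconds counter wraps."""
    epoch = datetime(1970, 1, 1, tzinfo=timezone.utc)
    return (epoch + timedelta(seconds=MOD32)).date()


# Constructed sample: a signature window straddling the 32-bit wrap.
WRAP_INCEPTION = (MOD32 - 3600) % MOD32   # wire value 4294963696
WRAP_EXPIRATION = (MOD32 + 3600) % MOD32  # wire value 3600
WRAP_NOW = MOD32 + 10                     # ten seconds after the wrap

if __name__ == "__main__":
    print("serial check:", rrsig_time_valid(WRAP_INCEPTION, WRAP_EXPIRATION, WRAP_NOW))
    print("naive check: ", naive_time_valid(WRAP_INCEPTION, WRAP_EXPIRATION, WRAP_NOW))
    print("32-bit wrap: ", rrsig_wrap_date().isoformat())
    print("TSIG field:  ", pack_tsig_time(WRAP_NOW).hex())
```

A record type that reuses either format can reuse these comparison routines unchanged; only the 32-bit form needs the current time as a reference point when decoding.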


From nobody Tue Feb 19 12:41:44 2019
Return-Path: <rstory@isi.edu>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2953D130F79 for <dnsop@ietfa.amsl.com>; Tue, 19 Feb 2019 12:41:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level: 
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0MiUuk6U8z6D for <dnsop@ietfa.amsl.com>; Tue, 19 Feb 2019 12:41:41 -0800 (PST)
Received: from mail-c.ads.isi.edu (mail-c.ads.isi.edu [128.9.180.198]) (using TLSv1.2 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4ADCD130F75 for <dnsop@ietf.org>; Tue, 19 Feb 2019 12:41:41 -0800 (PST)
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-AV: E=Sophos;i="5.58,388,1544515200"; d="scan'208";a="17552809"
Received: from unknown (HELO titan.int.futz.org) ([128.9.184.83]) by mail-c.ads.isi.edu with SMTP; 19 Feb 2019 12:41:41 -0800
Date: Tue, 19 Feb 2019 15:41:38 -0500
From: Robert Story <rstory@isi.edu>
To: Mark Andrews <marka@isc.org>
Cc: Tom Pusateri <pusateri@bangj.com>, dnsop WG <dnsop@ietf.org>
Message-ID: <20190219154138.49ad5256@titan.int.futz.org>
In-Reply-To: <205A5BE4-C2B0-4314-B83C-B90D05766C3E@isc.org>
References: <155053239541.25848.12960190085730298684.idtracker@ietfa.amsl.com> <969D8BA1-6ED3-47E8-AFFD-2BEE8EA3E66B@bangj.com> <EEF5A840-432E-4E87-A4C6-8C44DB733BC4@isc.org> <C890EB92-59A3-4C70-865F-1C62DEC7FE1E@bangj.com> <205A5BE4-C2B0-4314-B83C-B90D05766C3E@isc.org>
Organization: USC Information Sciences Institute
X-Mailer: Claws Mail 3.16.0 (GTK+ 2.24.32; x86_64-redhat-linux-gnu)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/jPI_Bs4RvpoW8QpU0VAsI_kqs3I>
Subject: Re: [DNSOP] Fwd: New Version Notification for draft-pusateri-dnsop-update-timeout-01.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Feb 2019 20:41:43 -0000

On Tue 2019-02-19 12:28:08+1100 Mark wrote:
> Where is the need to use SHA-3?  This is introducing a new algorithm
> for the sake of introducing a new algorithm.  Just because TLS 1.3
> uses SHAKE128 is not a reason for DNS to use SHAKE128.  There are
> plenty of platforms that don’t need to use TLS at all.  They don’t
> have web interfaces.  Transaction security is provided by something
> other than TLS.
>
> There are also lots of old server platforms that just won’t ever
> upgrade their OpenSSL package.  Adding SHA-3 creates yet another
> dependency / impediment to upgrading the DNS server.

I agree with Mark. Even the draft says:

5.  Cryptographic Hash Requirements

   The cryptographic hash algorithm used SHOULD provide the following
   properties:

   1.  Well known algorithm with implementations easily available

I have no objections to SHAKE128 being one of the supported algorithms,
but one of the SHA-2 algorithms should be selected for MUST implement.

-- 
Robert Story <http://www.isi.edu/~rstory>
USC Information Sciences Institute <http://www.isi.edu/>


From nobody Tue Feb 19 13:26:57 2019
Return-Path: <mail@timwattenberg.de>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2A9A812D4EF for <dnsop@ietfa.amsl.com>; Tue, 19 Feb 2019 13:26:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ptJkuDTDaodO for <dnsop@ietfa.amsl.com>; Tue, 19 Feb 2019 13:26:54 -0800 (PST)
Received: from mx1.mailbox.org (mx1.mailbox.org [80.241.60.212]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0D01F12D4ED for <dnsop@ietf.org>; Tue, 19 Feb 2019 13:26:53 -0800 (PST)
Received: from smtp2.mailbox.org (smtp2.mailbox.org [80.241.60.241]) (using TLSv1.2 with cipher ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits)) (No client certificate requested) by mx1.mailbox.org (Postfix) with ESMTPS id 994E44AA16; Tue, 19 Feb 2019 22:26:50 +0100 (CET)
X-Virus-Scanned: amavisd-new at heinlein-support.de
Received: from smtp2.mailbox.org ([80.241.60.241]) by spamfilter03.heinlein-hosting.de (spamfilter03.heinlein-hosting.de [80.241.56.117]) (amavisd-new, port 10030) with ESMTP id RZSjXOM6r57K; Tue, 19 Feb 2019 22:26:44 +0100 (CET)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
From: Tim Wattenberg <mail@timwattenberg.de>
In-Reply-To: <alpine.DEB.2.20.1902191219070.766@grey.csi.cam.ac.uk>
Date: Tue, 19 Feb 2019 22:26:42 +0100
Cc: Tom Pusateri <pusateri@bangj.com>, dnsop WG <dnsop@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <0DE33073-93B1-4CF5-B12D-B7266E21E8B2@timwattenberg.de>
References: <155053239541.25848.12960190085730298684.idtracker@ietfa.amsl.com> <969D8BA1-6ED3-47E8-AFFD-2BEE8EA3E66B@bangj.com> <alpine.DEB.2.20.1902191219070.766@grey.csi.cam.ac.uk>
To: Tony Finch <dot@dotat.at>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/QpSwS7ivhLVUW8nlZuYyRxIJAeM>
Subject: Re: [DNSOP] Fwd: New Version Notification for draft-pusateri-dnsop-update-timeout-01.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Feb 2019 21:26:56 -0000

Tony,

> On 19.02.2019 at 13:27, Tony Finch <dot@dotat.at> wrote:
>
> The DNS currently has a couple of representations of absolute (POSIX
> flavoured) time:
>
> RRSIG, SIG, TKEY (32 bits with serial number arithmetic relative to now)
>
> TSIG (48 bits)

thanks for bringing up this point again. I was aware of the way RRSIG presents time but thanks for pointing us to TSIG – I hadn’t considered this earlier.

Given these possible representations, is there a preference over one of the two?

Tim


From nobody Tue Feb 19 14:27:13 2019
Return-Path: <paul@nohats.ca>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3264C130FA8 for <dnsop@ietfa.amsl.com>; Tue, 19 Feb 2019 14:27:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.7
X-Spam-Level: 
X-Spam-Status: No, score=-1.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_INVALID=0.1, DKIM_SIGNED=0.1] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (public key: DNS error: query timed out)" header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id d7AM-2ddDrvP for <dnsop@ietfa.amsl.com>; Tue, 19 Feb 2019 14:27:01 -0800 (PST)
Received: from mx.nohats.ca (mx.nohats.ca [193.110.157.68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 723A9128BCC for <dnsop@ietf.org>; Tue, 19 Feb 2019 14:27:01 -0800 (PST)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 443wMQ1dhqzHVf for <dnsop@ietf.org>; Tue, 19 Feb 2019 23:26:58 +0100 (CET)
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id dPGiLuXjc6Nd for <dnsop@ietf.org>; Tue, 19 Feb 2019 23:26:56 +0100 (CET)
Received: from bofh.nohats.ca (bofh.nohats.ca [76.10.157.69]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS for <dnsop@ietf.org>; Tue, 19 Feb 2019 23:26:55 +0100 (CET)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id 1065F2FCBF; Tue, 19 Feb 2019 17:26:55 -0500 (EST)
DKIM-Filter: OpenDKIM Filter v2.11.0 bofh.nohats.ca 1065F2FCBF
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id 01EA840D358A for <dnsop@ietf.org>; Tue, 19 Feb 2019 17:26:54 -0500 (EST)
Date: Tue, 19 Feb 2019 17:26:54 -0500 (EST)
From: Paul Wouters <paul@nohats.ca>
To: dnsop <dnsop@ietf.org>
In-Reply-To: <0DE33073-93B1-4CF5-B12D-B7266E21E8B2@timwattenberg.de>
Message-ID: <alpine.LRH.2.21.1902191715230.30381@bofh.nohats.ca>
References: <155053239541.25848.12960190085730298684.idtracker@ietfa.amsl.com> <969D8BA1-6ED3-47E8-AFFD-2BEE8EA3E66B@bangj.com> <alpine.DEB.2.20.1902191219070.766@grey.csi.cam.ac.uk> <0DE33073-93B1-4CF5-B12D-B7266E21E8B2@timwattenberg.de>
User-Agent: Alpine 2.21 (LRH 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII; format=flowed
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/rnyh6uHpUsUPmqFXq9RK4oav_UM>
Subject: Re: [DNSOP] Fwd: New Version Notification for draft-pusateri-dnsop-update-timeout-01.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Feb 2019 22:27:11 -0000

I have read the document.

I have a question about:

    A zone administrator may
    want to enforce a default lifetime for dynamic updates (such as the
    DHCP lease lifetime) or the DNS Update may contain a lifetime using
    an EDNS(0) Update Lease option [I-D.sekar-dns-ul].

This seems a local policy and local implementation issue only.

   However, this
   lease lifetime is not communicated to secondary servers and will not
   endure through server software restarts.

Why does the secondary server need to know the lease lifetime? Only the
primary needs to know this because it will need to purge the records and
update the appropriate DNSSEC entries, something the secondary cannot do
anyway? In fact, Section 8 agrees with me:

    A secondary server MUST NOT expire the records in a zone it maintains
    covered by the TIMEOUT resource record and it MUST NOT expire the
    TIMEOUT resource record itself when the last record it covers has
    expired.  The secondary server MUST always wait for the records to be
    removed or updated by the primary server.

So why is the TIMEOUT record needed? If the secondary argument is
gone, the only argument left from the Introduction is server software
restart. Which seems to me to be an application issue and not a protocol
issue?

As others pointed out, introducing SHA3 into the DNS right now is not
appropriate.

I see a use for clients telling the dns update server what the maximum
possible lifetime can be, so it can go and perform a delete request on
behalf of vanished clients. But again I don't see this as a protocol
issue needing a TIMEOUT RRTYPE?

Did I miss anything?

Paul


From nobody Tue Feb 19 14:36:49 2019
Return-Path: <marka@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 42088130FFF for <dnsop@ietfa.amsl.com>; Tue, 19 Feb 2019 14:36:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.9
X-Spam-Level: 
X-Spam-Status: No, score=-6.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZoviQlAdB0Od for <dnsop@ietfa.amsl.com>; Tue, 19 Feb 2019 14:36:46 -0800 (PST)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [149.20.64.53]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F3C1C130FF0 for <dnsop@ietf.org>; Tue, 19 Feb 2019 14:36:45 -0800 (PST)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.pao1.isc.org (Postfix) with ESMTPS id 3C2D03AB05B; Tue, 19 Feb 2019 22:36:45 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id 0DDF016005C; Tue, 19 Feb 2019 22:36:45 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id D0693160067; Tue, 19 Feb 2019 22:36:44 +0000 (UTC)
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id WuRvzMKT3LVz; Tue, 19 Feb 2019 22:36:44 +0000 (UTC)
Received: from [172.30.42.67] (c27-253-115-14.carlnfd2.nsw.optusnet.com.au [27.253.115.14]) by zmx1.isc.org (Postfix) with ESMTPSA id 348A116005C; Tue, 19 Feb 2019 22:36:44 +0000 (UTC)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
From: Mark Andrews <marka@isc.org>
In-Reply-To: <alpine.LRH.2.21.1902191715230.30381@bofh.nohats.ca>
Date: Wed, 20 Feb 2019 09:36:41 +1100
Cc: dnsop <dnsop@ietf.org>
Content-Transfer-Encoding: 7bit
Message-Id: <1F461BFA-638A-4607-84BD-F8B8597A1114@isc.org>
References: <155053239541.25848.12960190085730298684.idtracker@ietfa.amsl.com> <969D8BA1-6ED3-47E8-AFFD-2BEE8EA3E66B@bangj.com> <alpine.DEB.2.20.1902191219070.766@grey.csi.cam.ac.uk> <0DE33073-93B1-4CF5-B12D-B7266E21E8B2@timwattenberg.de> <alpine.LRH.2.21.1902191715230.30381@bofh.nohats.ca>
To: Paul Wouters <paul@nohats.ca>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Enc8cVzwVxRYjibcFMLso1Pk6HU>
Subject: Re: [DNSOP] Fwd: New Version Notification for draft-pusateri-dnsop-update-timeout-01.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Feb 2019 22:36:48 -0000

Think disaster recovery and promoting a slave to master.  You have to
transfer state between servers.  You can transfer it in band or out of
band.  If you transfer it out of band you need to invent / specify
yet-another-protocol to do it on top of specifying when records need to
be removed.

Mark

> On 20 Feb 2019, at 9:26 am, Paul Wouters <paul@nohats.ca> wrote:
> 
> 
> I have read the document.
> 
> I have a question about:
> 
>   A zone administrator may
>   want to enforce a default lifetime for dynamic updates (such as the
>   DHCP lease lifetime) or the DNS Update may contain a lifetime using
>   an EDNS(0) Update Lease option [I-D.sekar-dns-ul].
> 
> This seems a local policy and local implementation issue only.
> 
>  However, this
>  lease lifetime is not communicated to secondary servers and will not
>  endure through server software restarts.
> 
> Why does the secondary server need to know the lease lifetime? Only the
> primary needs to know this because it will need to purge the records and
> update the appropriate DNSSEC entries, something the secondary cannot do
> anyway? In fact, Section 8 agrees with me:
> 
>   A secondary server MUST NOT expire the records in a zone it maintains
>   covered by the TIMEOUT resource record and it MUST NOT expire the
>   TIMEOUT resource record itself when the last record it covers has
>   expired.  The secondary server MUST always wait for the records to be
>   removed or updated by the primary server.
> 
> So why is the TIMEOUT record needed? If the secondary argument is
> gone, the only argument left from the Introduction is server software
> restart. Which seems to me to be an application issue and not a protocol
> issue?
> 
> As others pointed out, introducing SHA3 into the DNS right now is not
> appropriate.
> 
> I see a use for clients telling the dns update server what the maximum
> possible lifetime can be, so it can go and perform a delete request on
> behalf of vanished clients. But again I don't see this as a protocol
> issue needing a TIMEOUT RRTYPE?
> 
> Did I miss anything?
> 
> Paul
> 
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka@isc.org


From nobody Tue Feb 19 17:11:24 2019
Return-Path: <rwfranks@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0FD21131065 for <dnsop@ietfa.amsl.com>; Tue, 19 Feb 2019 17:11:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.881
X-Spam-Level: 
X-Spam-Status: No, score=-1.881 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.018, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QAdLQ_Yr-to1 for <dnsop@ietfa.amsl.com>; Tue, 19 Feb 2019 17:11:21 -0800 (PST)
Received: from mail-it1-f179.google.com (mail-it1-f179.google.com [209.85.166.179]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2FA42128D0B for <dnsop@ietf.org>; Tue, 19 Feb 2019 17:11:21 -0800 (PST)
Received: by mail-it1-f179.google.com with SMTP id l15so11565781iti.4 for <dnsop@ietf.org>; Tue, 19 Feb 2019 17:11:21 -0800 (PST)
X-Received: by 2002:a24:f30b:: with SMTP id t11mr3451399ith.40.1550625080395;  Tue, 19 Feb 2019 17:11:20 -0800 (PST)
MIME-Version: 1.0
References: <155053239541.25848.12960190085730298684.idtracker@ietfa.amsl.com> <969D8BA1-6ED3-47E8-AFFD-2BEE8EA3E66B@bangj.com> <alpine.DEB.2.20.1902191219070.766@grey.csi.cam.ac.uk> <0DE33073-93B1-4CF5-B12D-B7266E21E8B2@timwattenberg.de>
In-Reply-To: <0DE33073-93B1-4CF5-B12D-B7266E21E8B2@timwattenberg.de>
From: Dick Franks <rwfranks@acm.org>
Date: Wed, 20 Feb 2019 01:10:43 +0000
Message-ID: <CAKW6Ri51B6zLeBuL7dgLd-GLcqFJCHHJ37Fe7hvK+M_ATs9jAw@mail.gmail.com>
To: Tim Wattenberg <mail@timwattenberg.de>
Cc: Tony Finch <dot@dotat.at>, dnsop WG <dnsop@ietf.org>, Tom Pusateri <pusateri@bangj.com>
Content-Type: multipart/alternative; boundary="00000000000018ca4b0582490944"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/wzEd-ROOBeBjLvIpH8kpbZyANNY>
Subject: Re: [DNSOP] Fwd: New Version Notification for draft-pusateri-dnsop-update-timeout-01.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Feb 2019 01:11:23 -0000

--00000000000018ca4b0582490944
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

On Tue, 19 Feb 2019 at 21:27, Tim Wattenberg <mail@timwattenberg.de> wrote:

> 8<

> > RRSIG, SIG, TKEY (32 bits with serial number arithmetic relative to now)
> >
> > TSIG (48 bits)
>
> thanks for bringing up this point again. I was aware of the way RRSIG
> presents time but thanks for pointing us to TSIG – I hadn’t considered this
> earlier.
>

TSIG is an aberration. Using a timescale of 8.9 million years to specify a
window of a few minutes around the current time was a monumental blunder.



> Given these possible representations, is there a preference over one of
> the two?
>

Unsigned 32 bit RRSIG time is good for travel until 7th February 2106.
The fact that 2100 will not be a leap year is likely to be a bigger issue
than wrap-around.

--00000000000018ca4b0582490944--


From nobody Tue Feb 19 21:35:22 2019
Return-Path: <paul@nohats.ca>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9A31612D84D for <dnsop@ietfa.amsl.com>; Tue, 19 Feb 2019 21:35:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level: 
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9,  DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id u6AZfdmh1aaz for <dnsop@ietfa.amsl.com>; Tue, 19 Feb 2019 21:35:17 -0800 (PST)
Received: from mx.nohats.ca (mx.nohats.ca [193.110.157.68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A3AAF129619 for <dnsop@ietf.org>; Tue, 19 Feb 2019 21:35:16 -0800 (PST)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 4445sY2qZ6z3Td for <dnsop@ietf.org>; Wed, 20 Feb 2019 06:35:13 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1550640913; bh=k7niIgCZ7cesKyoZbaGaBLpKm+xVCerWz44SeTpmI3Q=; h=Date:From:To:Subject:In-Reply-To:References; b=siEwFWg9kWQdCB3yGKpSMf/CVxczn6DTP39e45QhHSE9ADSC2/6yoiZG3GzYM9pZH B5/aO3Ue7FD3K/CTC2TYBMFlMqR1h4FW8Iz1qmKpCKcx7Ug5MyjJ1fQmt8TgQToXeI SLbSuBVFd6N8/v2SfWKgaXCtT2nD8jsg8WjcxtmI=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id 8gjbgQRuxCSJ for <dnsop@ietf.org>; Wed, 20 Feb 2019 06:35:11 +0100 (CET)
Received: from bofh.nohats.ca (bofh.nohats.ca [76.10.157.69]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS for <dnsop@ietf.org>; Wed, 20 Feb 2019 06:35:10 +0100 (CET)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id C7B7F2FCBF; Wed, 20 Feb 2019 00:35:09 -0500 (EST)
DKIM-Filter: OpenDKIM Filter v2.11.0 bofh.nohats.ca C7B7F2FCBF
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id BCFF440D358A for <dnsop@ietf.org>; Wed, 20 Feb 2019 00:35:09 -0500 (EST)
Date: Wed, 20 Feb 2019 00:35:09 -0500 (EST)
From: Paul Wouters <paul@nohats.ca>
To: dnsop <dnsop@ietf.org>
In-Reply-To: <1F461BFA-638A-4607-84BD-F8B8597A1114@isc.org>
Message-ID: <alpine.LRH.2.21.1902200028210.29865@bofh.nohats.ca>
References: <155053239541.25848.12960190085730298684.idtracker@ietfa.amsl.com> <969D8BA1-6ED3-47E8-AFFD-2BEE8EA3E66B@bangj.com> <alpine.DEB.2.20.1902191219070.766@grey.csi.cam.ac.uk> <0DE33073-93B1-4CF5-B12D-B7266E21E8B2@timwattenberg.de> <alpine.LRH.2.21.1902191715230.30381@bofh.nohats.ca> <1F461BFA-638A-4607-84BD-F8B8597A1114@isc.org>
User-Agent: Alpine 2.21 (LRH 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII; format=flowed
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/JbBsyNdNZsdI6llPZ3JmFzzoCMo>
Subject: Re: [DNSOP] Fwd: New Version Notification for draft-pusateri-dnsop-update-timeout-01.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Feb 2019 05:35:20 -0000

On Wed, 20 Feb 2019, Mark Andrews wrote:

> Think disaster recovery and promoting a slave to master.  You have to
> transfer state between servers.  You can transfer it in band or out of
> band.  If you transfer it out of band you need to invent / specify
> yet-another-protocol to do it on top of specifying when records need to
> be removed.

That is not very convincing to me. Disaster recovery scenarios seem to
be solvable by proper admin and by the daemon properly writing state to
disk which can be saved off-site. It also seems a rather rare occurrence.

If the primary does DNSSEC, you also have to transfer private keys and
that isn't happening in-band either. So I'm not convinced by the
promotion of secondary to master either.

It also seems these two use cases are mostly solved if you keep your
dynamic update clients within their own zone, which I think is pretty
normal for DHCP based nodes that can make up their own hostname anyway
and shouldn't be able to muck with real static records or apex records.

Paul

>> On 20 Feb 2019, at 9:26 am, Paul Wouters <paul@nohats.ca> wrote:
>>
>>
>> I have read the document.
>>
>> I have a question about:
>>
>>   A zone administrator may
>>   want to enforce a default lifetime for dynamic updates (such as the
>>   DHCP lease lifetime) or the DNS Update may contain a lifetime using
>>   an EDNS(0) Update Lease option [I-D.sekar-dns-ul].
>>
>> This seems a local policy and local implementation issue only.
>>
>>  However, this
>>  lease lifetime is not communicated to secondary servers and will not
>>  endure through server software restarts.
>>
>> Why does the secondary server need to know the lease lifetime? Only the
>> primary needs to know this because it will need to purge the records and
>> update the appropriate DNSSEC entries, something the secondary cannot do
>> anyway? In fact, Section 8 agrees with me:
>>
>>   A secondary server MUST NOT expire the records in a zone it maintains
>>   covered by the TIMEOUT resource record and it MUST NOT expire the
>>   TIMEOUT resource record itself when the last record it covers has
>>   expired.  The secondary server MUST always wait for the records to be
>>   removed or updated by the primary server.
>>
>> So why is the TIMEOUT record needed? If the secondary argument is
>> gone, the only argument left from the Introduction is server software
>> restart. Which seems to me to be an application issue and not a protocol
>> issue?
>>
>> As others pointed out, introducing SHA3 into the DNS right now is not
>> appropriate.
>>
>> I see a use for clients telling the dns update server what the maximum
>> possible lifetime can be, so it can go and perform a delete request on
>> behalf of vanished clients. But again I don't see this as a protocol
>> issue needing a TIMEOUT RRTYPE?
>>
>> Did I miss anything?
>>
>> Paul
>>
>> _______________________________________________
>> DNSOP mailing list
>> DNSOP@ietf.org
>> https://www.ietf.org/mailman/listinfo/dnsop
>
> -- 
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742              INTERNET: marka@isc.org
>


From nobody Tue Feb 19 23:46:40 2019
Return-Path: <marka@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 201BE130DC4 for <dnsop@ietfa.amsl.com>; Tue, 19 Feb 2019 23:46:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.901
X-Spam-Level: 
X-Spam-Status: No, score=-6.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BDY7tVPzMc34 for <dnsop@ietfa.amsl.com>; Tue, 19 Feb 2019 23:46:35 -0800 (PST)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [IPv6:2001:4f8:0:2::2b]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 777BF130DE5 for <dnsop@ietf.org>; Tue, 19 Feb 2019 23:46:33 -0800 (PST)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.pao1.isc.org (Postfix) with ESMTPS id 0B1C33AB05C; Wed, 20 Feb 2019 07:46:33 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id DE93216005B; Wed, 20 Feb 2019 07:46:32 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id BA12816006A; Wed, 20 Feb 2019 07:46:32 +0000 (UTC)
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id I3oA9X5lDksQ; Wed, 20 Feb 2019 07:46:32 +0000 (UTC)
Received: from [172.30.42.67] (c27-253-115-14.carlnfd2.nsw.optusnet.com.au [27.253.115.14]) by zmx1.isc.org (Postfix) with ESMTPSA id 85AAA16005B; Wed, 20 Feb 2019 07:46:31 +0000 (UTC)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
From: Mark Andrews <marka@isc.org>
In-Reply-To: <alpine.LRH.2.21.1902200028210.29865@bofh.nohats.ca>
Date: Wed, 20 Feb 2019 18:46:28 +1100
Cc: dnsop <dnsop@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <8FE58E37-D435-4853-A9CF-10238AB641D5@isc.org>
References: <155053239541.25848.12960190085730298684.idtracker@ietfa.amsl.com> <969D8BA1-6ED3-47E8-AFFD-2BEE8EA3E66B@bangj.com> <alpine.DEB.2.20.1902191219070.766@grey.csi.cam.ac.uk> <0DE33073-93B1-4CF5-B12D-B7266E21E8B2@timwattenberg.de> <alpine.LRH.2.21.1902191715230.30381@bofh.nohats.ca> <1F461BFA-638A-4607-84BD-F8B8597A1114@isc.org> <alpine.LRH.2.21.1902200028210.29865@bofh.nohats.ca>
To: Paul Wouters <paul@nohats.ca>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/2XrGeRm_-c7mQdzKNaquOvQxZpU>
Subject: Re: [DNSOP] Fwd: New Version Notification for draft-pusateri-dnsop-update-timeout-01.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Feb 2019 07:46:38 -0000

> On 20 Feb 2019, at 4:35 pm, Paul Wouters <paul@nohats.ca> wrote:
>
> On Wed, 20 Feb 2019, Mark Andrews wrote:
>
>> Think disaster recovery and promoting a slave to master.  You have to
>> transfer state between servers.  You can transfer it in band or out of
>> band.  If you transfer it out of band you need to invent / specify
>> yet-another-protocol to do it on top of specifying when records need to
>> be removed.
>
> That is not very convincing to me. disaster recovery scenarios seem to
> be solvable by proper admin and by the daemon properly writing state to
> disk which can be saved off-site. It also seems a rather rare occurrence.

So you write it to disk then transfer it off site which breaks atomicity
of the zone’s meta state or do it in band with TIMEOUT.

> If the primary does DNSSEC, you also have to transfer private keys and
> that isn't happening in-band either. So I'm not convinced by the
> promotion of secondary to master either.

You can pass the keys before you start to use them.  They are essentially
static information.

> It also seems these two use cases are mostly solved if you keep your
> dynamic update clients within their own zone, which I think is pretty
> normal for DHCP based nodes that can make up their own hostname anyway
> and shouldn't be able to muck with real static records or apex records.

Policy about who can update what is unrelated to making sure content gets
cleaned up.  There isn’t always a DHCP server to do the garbage collection.
This is especially true with IPv6 and SLAAC.

> Paul
>
>>> On 20 Feb 2019, at 9:26 am, Paul Wouters <paul@nohats.ca> wrote:
>>>
>>>
>>> I have read the document.
>>>
>>> I have a question about:
>>>
>>>  A zone administrator may
>>>  want to enforce a default lifetime for dynamic updates (such as the
>>>  DHCP lease lifetime) or the DNS Update may contain a lifetime using
>>>  an EDNS(0) Update Lease option [I-D.sekar-dns-ul].
>>>
>>> This seems a local policy and local implementation issue only.
>>>
>>> However, this
>>> lease lifetime is not communicated to secondary servers and will not
>>> endure through server software restarts.
>>>
>>> Why does the secondary server need to know the lease lifetime? Only the
>>> primary needs to know this because it will need to purge the records and
>>> update the appropriate DNSSEC entries, something the secondary cannot do
>>> anyway? In fact, Section 8 agrees with me:
>>>
>>>  A secondary server MUST NOT expire the records in a zone it maintains
>>>  covered by the TIMEOUT resource record and it MUST NOT expire the
>>>  TIMEOUT resource record itself when the last record it covers has
>>>  expired.  The secondary server MUST always wait for the records to be
>>>  removed or updated by the primary server.
>>>
>>> So why is the TIMEOUT record needed? If the secondary argument is
>>> gone, the only argument left from the Introduction is server software
>>> restart. Which seems to me to be an application issue and not a protocol
>>> issue?
>>>
>>> As others pointed out, introducing SHA3 into the DNS right now is not
>>> appropriate.
>>>
>>> I see a use for clients telling the dns update server what the maximum
>>> possible lifetime can be, so it can go and perform a delete request on
>>> behalf of vanished clients. But again I don't see this as a protocol
>>> issue needing a TIMEOUT RRTYPE?
>>>
>>> Did I miss anything?
>>>
>>> Paul
>>>
>>> _______________________________________________
>>> DNSOP mailing list
>>> DNSOP@ietf.org
>>> https://www.ietf.org/mailman/listinfo/dnsop
>>
>> -- 
>> Mark Andrews, ISC
>> 1 Seymour St., Dundas Valley, NSW 2117, Australia
>> PHONE: +61 2 9871 4742              INTERNET: marka@isc.org
>>
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka@isc.org


From nobody Wed Feb 20 03:26:40 2019
Return-Path: <petr.spacek@nic.cz>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 71884130EB9 for <dnsop@ietfa.amsl.com>; Wed, 20 Feb 2019 03:26:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.021
X-Spam-Level: 
X-Spam-Status: No, score=-6.021 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FROM_EXCESS_BASE64=0.979, RCVD_IN_DNSWL_HI=-5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nic.cz
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iYAOnljT4o-K for <dnsop@ietfa.amsl.com>; Wed, 20 Feb 2019 03:26:26 -0800 (PST)
Received: from mail.nic.cz (mail.nic.cz [217.31.204.67]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7800612DDA3 for <dnsop@ietf.org>; Wed, 20 Feb 2019 03:26:26 -0800 (PST)
Received: from pc-cznic19.fit.vutbr.cz (pc-cznic21.fit.vutbr.cz [147.229.13.117]) by mail.nic.cz (Postfix) with ESMTPSA id 9B198629BD for <dnsop@ietf.org>; Wed, 20 Feb 2019 12:26:23 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=nic.cz; s=default; t=1550661983; bh=E4toSdACbNoFu5WiXwzvAoGTXoTzaykeQawARAiWSv4=; h=To:From:Date; b=lkqnEU0ZHh7sUUCnfjoFaxZEdIJorKuefUfzNY39dB/AppHo6bS3LQHErLC9fZMrx Zhr6iThVWXni5Lw8phKgAV4Y3AP/yPwOtsFCAEBoQQ3anW80bL8NpCAqarrxJbR1ca oIwNjbHnVppiwpzl0FkvJM2FIGde++xCV+yLw31E=
To: dnsop@ietf.org
References: <154689301066.32204.17312124670782800354@ietfa.amsl.com> <ybl1s5nxgau.fsf@w7.hardakers.net> <3c2ef704-148f-ed03-26a9-8ea29256acc2@nic.cz>
From: =?UTF-8?B?UGV0ciDFoHBhxI1law==?= <petr.spacek@nic.cz>
Openpgp: preference=signencrypt
Organization: CZ.NIC
Message-ID: <56e824cf-37e3-0880-0192-2ee46a818345@nic.cz>
Date: Wed, 20 Feb 2019 12:26:40 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.5.1
MIME-Version: 1.0
In-Reply-To: <3c2ef704-148f-ed03-26a9-8ea29256acc2@nic.cz>
Content-Type: text/plain; charset=utf-8
Content-Language: cs
Content-Transfer-Encoding: 8bit
X-Virus-Scanned: clamav-milter 0.99.2 at mail
X-Virus-Status: Clean
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/env6cnM51PO174LEcWws41Bs8lI>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-extended-error-04.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Feb 2019 11:26:33 -0000

On 07. 02. 19 16:47, Petr Špaček wrote:
> --- New code points ---
> 
> I propose to add a couple more codes:

Yet another code proposal:
* answer with stale data

   The resolver was unable to resolve the answer within its time limits and
   decided to answer with stale data instead of answering with an error.
   This is typically caused by problems on the authoritative side, possibly
   as a result of a DoS attack. Retrying is likely to cause load and not
   yield a fresh answer, RETRY=0.

Here is a problem: this code point is applicable to NOERROR as well
as NXDOMAIN answers, so I'm not sure how to categorize it. This
reinforces my unanswered question why the draft proposes to copy RCODE
into EDE.

-- 
Petr Špaček  @  CZ.NIC


From nobody Wed Feb 20 04:35:58 2019
Return-Path: <dot@dotat.at>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5AFB212F1A2 for <dnsop@ietfa.amsl.com>; Wed, 20 Feb 2019 04:35:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level: 
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JixsiuUIQEjb for <dnsop@ietfa.amsl.com>; Wed, 20 Feb 2019 04:35:55 -0800 (PST)
Received: from ppsw-33.csi.cam.ac.uk (ppsw-33.csi.cam.ac.uk [131.111.8.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4B96A130DDA for <dnsop@ietf.org>; Wed, 20 Feb 2019 04:35:55 -0800 (PST)
X-Cam-AntiVirus: no malware found
X-Cam-ScannerInfo: http://help.uis.cam.ac.uk/email-scanner-virus
Received: from grey.csi.cam.ac.uk ([131.111.57.57]:45416) by ppsw-33.csi.cam.ac.uk (ppsw.cam.ac.uk [131.111.8.139]:25) with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) id 1gwR6L-000vnc-hR (Exim 4.91) (return-path <dot@dotat.at>); Wed, 20 Feb 2019 12:35:49 +0000
Date: Wed, 20 Feb 2019 12:35:49 +0000
From: Tony Finch <dot@dotat.at>
To: Dick Franks <rwfranks@acm.org>
cc: Tim Wattenberg <mail@timwattenberg.de>, dnsop WG <dnsop@ietf.org>,  Tom Pusateri <pusateri@bangj.com>
In-Reply-To: <CAKW6Ri51B6zLeBuL7dgLd-GLcqFJCHHJ37Fe7hvK+M_ATs9jAw@mail.gmail.com>
Message-ID: <alpine.DEB.2.20.1902201234280.19193@grey.csi.cam.ac.uk>
References: <155053239541.25848.12960190085730298684.idtracker@ietfa.amsl.com> <969D8BA1-6ED3-47E8-AFFD-2BEE8EA3E66B@bangj.com> <alpine.DEB.2.20.1902191219070.766@grey.csi.cam.ac.uk> <0DE33073-93B1-4CF5-B12D-B7266E21E8B2@timwattenberg.de> <CAKW6Ri51B6zLeBuL7dgLd-GLcqFJCHHJ37Fe7hvK+M_ATs9jAw@mail.gmail.com>
User-Agent: Alpine 2.20 (DEB 67 2015-01-07)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Y_FcSwBR8x2EdDoPpYQcHFj-NIs>
Subject: Re: [DNSOP] Fwd: New Version Notification for draft-pusateri-dnsop-update-timeout-01.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Feb 2019 12:35:57 -0000

Dick Franks <rwfranks@acm.org> wrote:
>
> Unsigned 32 bit RRSIG time is good for travel until 7th February 2106.

No, it lasts indefinitely. It covers +/- 68 years relative to current
POSIX time using serial number arithmetic.

Tony.
-- 
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
Shannon, Rockall: South 6 to gale 8. Rough or very rough, becoming very rough
or high. Occasional rain or drizzle. Good, occasionally poor.
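
The RRSIG time comparison discussed in this sub-thread, as an added example that is not part of any message in the archive: 32-bit inception and expiration values are interpreted relative to the validator's clock with RFC 1982 serial number arithmetic, so a signature that straddles the 2106 wrap still validates, while anything more than 2**31 seconds from now is misread. All function names and the sample timestamps are constructed for illustration.

```python
"""RFC 1982 serial number arithmetic applied to 32-bit RRSIG timestamps."""
from datetime import datetime, timedelta, timezone

SERIAL_BITS = 32
MODULUS = 1 << SERIAL_BITS       # 2**32 seconds, about 136 years
HALF = 1 << (SERIAL_BITS - 1)    # 2**31 seconds, about 68 years


def serial_diff(a: int, b: int) -> int:
    """Signed distance a - b modulo 2**32, in the range [-2**31, 2**31).

    RFC 1982 leaves the comparison undefined when the distance is exactly
    2**31; this helper (an assumption of the example) maps it to -2**31.
    """
    d = (a - b) % MODULUS
    return d - MODULUS if d >= HALF else d


def expand_timestamp(wire: int, now: int) -> int:
    """Full POSIX time closest to `now` whose low 32 bits equal `wire`."""
    return now + serial_diff(wire, now)


def rrsig_time_valid(inception: int, expiration: int, now: int) -> bool:
    """inception <= now <= expiration, evaluated with serial arithmetic."""
    return serial_diff(now, inception) >= 0 and serial_diff(expiration, now) >= 0


def naive_valid(inception: int, expiration: int, now: int) -> bool:
    """Plain unsigned comparison of the wire values; breaks at the wrap."""
    return inception <= (now % MODULUS) <= expiration


def to_utc(posix: int) -> datetime:
    """POSIX seconds to an aware UTC datetime, without platform time_t limits."""
    return datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(seconds=posix)


if __name__ == "__main__":
    # Constructed case: the validator's clock is one hour before the wrap and
    # the signature was made a day ago with a 14-day lifetime ahead of now.
    now = MODULUS - 3600
    inception = (now - 86400) % MODULUS
    expiration = (now + 14 * 86400) % MODULUS   # wraps to a small number

    print("now            ", to_utc(now))
    print("wire inception ", inception)
    print("wire expiration", expiration, "->", to_utc(expand_timestamp(expiration, now)))
    print("serial check   ", rrsig_time_valid(inception, expiration, now))
    print("naive check    ", naive_valid(inception, expiration, now))

    # Limit of the window: a time more than 2**31 seconds ahead of now is
    # indistinguishable from one in the past.
    far = (now + HALF + 5) % MODULUS
    print("beyond window  ", to_utc(expand_timestamp(far, now)))
```
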


From nobody Wed Feb 20 04:44:52 2019
Return-Path: <mail@timwattenberg.de>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0B44212F18C for <dnsop@ietfa.amsl.com>; Wed, 20 Feb 2019 04:44:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.4
X-Spam-Level: 
X-Spam-Status: No, score=-2.4 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_INVALID=0.1, DKIM_SIGNED=0.1, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (public key: not available)" header.d=timwattenberg.de
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9rOGbWQztbtp for <dnsop@ietfa.amsl.com>; Wed, 20 Feb 2019 04:44:47 -0800 (PST)
Received: from mx2.mailbox.org (mx2.mailbox.org [80.241.60.215]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 53CBA12DDA3 for <dnsop@ietf.org>; Wed, 20 Feb 2019 04:44:46 -0800 (PST)
Received: from smtp1.mailbox.org (smtp1.mailbox.org [IPv6:2001:67c:2050:105:465:1:1:0]) (using TLSv1.2 with cipher ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits)) (No client certificate requested) by mx2.mailbox.org (Postfix) with ESMTPS id 948ACA12FD; Wed, 20 Feb 2019 13:44:43 +0100 (CET)
X-Virus-Scanned: amavisd-new at heinlein-support.de
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=timwattenberg.de; s=MBO0001; t=1550666681; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=LmmdVUJulyDSaDeC9NHQmFF7wqZSZwkKHlITPLSu0so=; b=SiSkbto0Z0acIK3Qz+3bu0gJdaVXrBTNjyDzlhbmOAtwOh+v/bu65tIx4aM1g+tba9vEI0 TyIOhgealYpJbPC5+uWzft3m3IH4YpQ0Iy4hkubXpltRuIYcgvXVpb5z3Jnp/xfi5mXEyR 5NQiExOYEAIqi8C/7vSSMjzIZ4lS8K0UJjJ0t0njt0wPfSyO5qWz7MRU92yqOVtlQCgtAg lOl4UIgbhnULJUJd+WaC8u1g09nFL8WTNAM8kFfEGAzxSHUnxf5qBw9J0HE07MEatplmyD XsMO0Mh420IlGkm+VwyZ0E3R574pKU9alK3iZ0o60pPHqatKSLrCcKgnNSmBvg==
Received: from smtp1.mailbox.org ([80.241.60.240]) by spamfilter04.heinlein-hosting.de (spamfilter04.heinlein-hosting.de [80.241.56.122]) (amavisd-new, port 10030) with ESMTP id M-iH0aVCRqf1; Wed, 20 Feb 2019 13:44:35 +0100 (CET)
Content-Type: multipart/signed; boundary=Apple-Mail-AF098547-5577-4698-A574-029D5E275132; protocol="application/pkcs7-signature"; micalg=sha-256
Mime-Version: 1.0 (1.0)
From: Tim Wattenberg <mail@timwattenberg.de>
In-Reply-To: <alpine.DEB.2.20.1902201234280.19193@grey.csi.cam.ac.uk>
Date: Wed, 20 Feb 2019 13:44:34 +0100
Cc: Dick Franks <rwfranks@acm.org>, dnsop WG <dnsop@ietf.org>, Tom Pusateri <pusateri@bangj.com>
Content-Transfer-Encoding: 7bit
Message-Id: <84FEF510-5D53-40F5-9542-0509B56BB39D@timwattenberg.de>
References: <155053239541.25848.12960190085730298684.idtracker@ietfa.amsl.com> <969D8BA1-6ED3-47E8-AFFD-2BEE8EA3E66B@bangj.com> <alpine.DEB.2.20.1902191219070.766@grey.csi.cam.ac.uk> <0DE33073-93B1-4CF5-B12D-B7266E21E8B2@timwattenberg.de> <CAKW6Ri51B6zLeBuL7dgLd-GLcqFJCHHJ37Fe7hvK+M_ATs9jAw@mail.gmail.com> <alpine.DEB.2.20.1902201234280.19193@grey.csi.cam.ac.uk>
To: Tony Finch <dot@dotat.at>
Authentication-Results: default_out
X-Rspamd-Queue-Id: ABEEB169A
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/CbZwDgr-lD0XtUfLQtU65gVb3zM>
Subject: Re: [DNSOP] Fwd: New Version Notification for draft-pusateri-dnsop-update-timeout-01.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Feb 2019 12:44:50 -0000

--Apple-Mail-AF098547-5577-4698-A574-029D5E275132
Content-Type: text/plain;
	charset=us-ascii
Content-Transfer-Encoding: 7bit

Dick,

> On 20. Feb 2019, at 13:35, Tony Finch <dot@dotat.at> wrote:
> 
> Dick Franks <rwfranks@acm.org> wrote:
>> 
>> Unsigned 32 bit RRSIG time is good for travel until 7th February 2106.
> 
> No, it lasts indefinitely. It covers +/- 68 years relative to current
> POSIX time using serial number arithmetic.

you might want to give RFC 1982 a read... I got that wrong before, too ;-)

Tim
--Apple-Mail-AF098547-5577-4698-A574-029D5E275132--


From nobody Wed Feb 20 04:52:05 2019
Return-Path: <jabley@hopcount.ca>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 85A471286E7 for <dnsop@ietfa.amsl.com>; Wed, 20 Feb 2019 04:51:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level: 
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9,  DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=hopcount.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ckSSjAQ6oIKa for <dnsop@ietfa.amsl.com>; Wed, 20 Feb 2019 04:51:55 -0800 (PST)
Received: from mail-it1-x142.google.com (mail-it1-x142.google.com [IPv6:2607:f8b0:4864:20::142]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 70D321279E6 for <dnsop@ietf.org>; Wed, 20 Feb 2019 04:51:55 -0800 (PST)
Received: by mail-it1-x142.google.com with SMTP id r11so14904446itc.2 for <dnsop@ietf.org>; Wed, 20 Feb 2019 04:51:55 -0800 (PST)
X-Received: by 2002:a02:5618:: with SMTP id o24mr19313758jab.111.1550667114562;  Wed, 20 Feb 2019 04:51:54 -0800 (PST)
Received: from ?IPv6:2607:f2c0:101:3:3457:4bda:1165:ab63? ([2607:f2c0:101:3:3457:4bda:1165:ab63]) by smtp.gmail.com with ESMTPSA id e5sm8202706ios.50.2019.02.20.04.51.53 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 20 Feb 2019 04:51:53 -0800 (PST)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
From: Joe Abley <jabley@hopcount.ca>
In-Reply-To: <alpine.LRH.2.21.1902200028210.29865@bofh.nohats.ca>
Date: Wed, 20 Feb 2019 07:51:51 -0500
Cc: dnsop <dnsop@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <646C86F6-C10D-43DF-ADE8-19222994E4D1@hopcount.ca>
References: <155053239541.25848.12960190085730298684.idtracker@ietfa.amsl.com> <969D8BA1-6ED3-47E8-AFFD-2BEE8EA3E66B@bangj.com> <alpine.DEB.2.20.1902191219070.766@grey.csi.cam.ac.uk> <0DE33073-93B1-4CF5-B12D-B7266E21E8B2@timwattenberg.de> <alpine.LRH.2.21.1902191715230.30381@bofh.nohats.ca> <1F461BFA-638A-4607-84BD-F8B8597A1114@isc.org> <alpine.LRH.2.21.1902200028210.29865@bofh.nohats.ca>
To: Paul Wouters <paul@nohats.ca>
X-Mailer: Apple Mail (2.3445.102.3)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/0wqpKGk-rusM2WRiS-_BEw3exVk>
Subject: Re: [DNSOP] Fwd: New Version Notification for draft-pusateri-dnsop-update-timeout-01.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Feb 2019 12:51:58 -0000

On 20 Feb 2019, at 00:35, Paul Wouters <paul@nohats.ca> wrote:

> On Wed, 20 Feb 2019, Mark Andrews wrote:
>
>> Think disaster recovery and promoting a slave to master.  You have to
>> transfer state between servers.  You can transfer it in band or out of
>> band.  If you transfer it out of band you need to invent / specify
>> yet-another-protocol to do it on top of specifying when records need to
>> be removed.
>
> That is not very convincing to me. Disaster recovery scenarios seem to
> be solvable by proper admin and by the daemon properly writing state to
> disk which can be saved off-site. It also seems a rather rare occurrence.

I agree.

The crux of the use case seems to be that it is commonplace for names in the DNS to exist for short periods of time and that for some applications a name that overstays its welcome can cause an operational problem.

While I can understand the philosophical desire to complete the UPDATE specification so that it is possible to engineer around this scenario, I don't see the practical application. The existence of the requirement in the first place seems unproven (at least there are no obvious examples given); the scenario in which the purported operational problem arises seems likely to be rare; workarounds surely exist and, really, the damage in the event that the stars align and a temporary name does persist seems very low.

If the goal is to try this out and have no impact on existing implementations (e.g. there is some side code that is imagined that will poll a transferred zone for TIMEOUT records and do local UPDATEs in order to remove RRSets that should not be there) then all that is really needed here is a code point for the TIMEOUT RR. The existence of the draft is nice since documentation is good, but I think "experimental" would be a better target than "standards track". It's surely possible that this mechanism will solve some as-yet unnoticed, large-scale problem and will one day be considered essential functionality, but I don't think we're there today. There be camels.


Joe


From nobody Wed Feb 20 06:44:11 2019
Return-Path: <mellon@fugue.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 831C5130F19 for <dnsop@ietfa.amsl.com>; Wed, 20 Feb 2019 06:44:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level: 
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fugue-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Kp1QAbKTP0hm for <dnsop@ietfa.amsl.com>; Wed, 20 Feb 2019 06:44:02 -0800 (PST)
Received: from mail-pf1-x441.google.com (mail-pf1-x441.google.com [IPv6:2607:f8b0:4864:20::441]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C278A130EA8 for <dnsop@ietf.org>; Wed, 20 Feb 2019 06:44:02 -0800 (PST)
Received: by mail-pf1-x441.google.com with SMTP id h1so12011291pfo.7 for <dnsop@ietf.org>; Wed, 20 Feb 2019 06:44:02 -0800 (PST)
X-Received: by 2002:a63:1266:: with SMTP id 38mr20195868pgs.388.1550673842029;  Wed, 20 Feb 2019 06:44:02 -0800 (PST)
Received: from [10.20.5.110] ([12.217.162.130]) by smtp.gmail.com with ESMTPSA id u127sm25484583pfu.165.2019.02.20.06.44.01 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 20 Feb 2019 06:44:01 -0800 (PST)
From: Ted Lemon <mellon@fugue.com>
Message-Id: <C02CBC21-BFF4-402E-827A-203203544FD5@fugue.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_42A49C31-3476-4F52-92F1-30CC0FD92690"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.2\))
Date: Wed, 20 Feb 2019 06:44:00 -0800
In-Reply-To: <646C86F6-C10D-43DF-ADE8-19222994E4D1@hopcount.ca>
Cc: Paul Wouters <paul@nohats.ca>, dnsop <dnsop@ietf.org>
To: Joe Abley <jabley@hopcount.ca>
References: <155053239541.25848.12960190085730298684.idtracker@ietfa.amsl.com> <969D8BA1-6ED3-47E8-AFFD-2BEE8EA3E66B@bangj.com> <alpine.DEB.2.20.1902191219070.766@grey.csi.cam.ac.uk> <0DE33073-93B1-4CF5-B12D-B7266E21E8B2@timwattenberg.de> <alpine.LRH.2.21.1902191715230.30381@bofh.nohats.ca> <1F461BFA-638A-4607-84BD-F8B8597A1114@isc.org> <alpine.LRH.2.21.1902200028210.29865@bofh.nohats.ca> <646C86F6-C10D-43DF-ADE8-19222994E4D1@hopcount.ca>
X-Mailer: Apple Mail (2.3445.104.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/LiZlGClI0_aRSdEcM0EDjGSl5yU>
Subject: Re: [DNSOP] Fwd: New Version Notification for draft-pusateri-dnsop-update-timeout-01.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Feb 2019 14:44:11 -0000

--Apple-Mail=_42A49C31-3476-4F52-92F1-30CC0FD92690
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8

On Feb 20, 2019, at 4:51 AM, Joe Abley <jabley@hopcount.ca> wrote:
> The crux of the use case seems to be that it is commonplace for names in the DNS to exist for short periods of time and that for some applications a name that overstays its welcome can cause an operational problem.
>
> While I can understand the philosophical desire to complete the UPDATE specification so that it is possible to engineer around this scenario, I don't see the practical application. The existence of the requirement in the first place seems unproven (at least there are no obvious examples given); the scenario in which the purported operational problem arises seems likely to be rare; workarounds surely exist and, really, the damage in the event that the stars align and a temporary name does persist seems very low.
>
> If the goal is to try this out and have no impact on existing implementations (e.g. there is some side code that is imagined that will poll a transferred zone for TIMEOUT records and do local UPDATEs in order to remove RRSets that should not be there) then all that is really needed here is a code point for the TIMEOUT RR. The existence of the draft is nice since documentation is good, but I think "experimental" would be a better target than "standards track". It's surely possible that this mechanism will solve some as-yet unnoticed, large-scale problem and will one day be considered essential functionality, but I don't think we're there today. There be camels.

The goal of this is to automate name publication for situations where this is desirable. You’re probably not going to use this for your public servers. See https://tools.ietf.org/html/draft-ietf-dnssd-srp-00 (expired, but we’ll be submitting an update soon).

I say this not to specifically support this proposal, which I think has problems, but simply to point out that there is an itch here to scratch. I don’t think this is something that we need in every different kind of DNS server, but something like this could definitely be useful in some operational situations. Of course it can be done out of band, but there’s something to be said for keeping all the state in one place. I don’t have enough operational experience with this yet to have formed a preference.


--Apple-Mail=_42A49C31-3476-4F52-92F1-30CC0FD92690--


From nobody Wed Feb 20 06:50:55 2019
Return-Path: <rwfranks@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4969C129741 for <dnsop@ietfa.amsl.com>; Wed, 20 Feb 2019 06:50:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.88
X-Spam-Level: 
X-Spam-Status: No, score=-1.88 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.018, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2YFPr23R7yJQ for <dnsop@ietfa.amsl.com>; Wed, 20 Feb 2019 06:50:51 -0800 (PST)
Received: from mail-it1-f171.google.com (mail-it1-f171.google.com [209.85.166.171]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EEBE8127AC2 for <dnsop@ietf.org>; Wed, 20 Feb 2019 06:50:50 -0800 (PST)
Received: by mail-it1-f171.google.com with SMTP id l15so16024619iti.4 for <dnsop@ietf.org>; Wed, 20 Feb 2019 06:50:50 -0800 (PST)
X-Received: by 2002:a5d:97c8:: with SMTP id k8mr21814165ios.267.1550674249979;  Wed, 20 Feb 2019 06:50:49 -0800 (PST)
MIME-Version: 1.0
References: <155053239541.25848.12960190085730298684.idtracker@ietfa.amsl.com> <969D8BA1-6ED3-47E8-AFFD-2BEE8EA3E66B@bangj.com> <alpine.DEB.2.20.1902191219070.766@grey.csi.cam.ac.uk> <0DE33073-93B1-4CF5-B12D-B7266E21E8B2@timwattenberg.de> <CAKW6Ri51B6zLeBuL7dgLd-GLcqFJCHHJ37Fe7hvK+M_ATs9jAw@mail.gmail.com> <alpine.DEB.2.20.1902201234280.19193@grey.csi.cam.ac.uk>
In-Reply-To: <alpine.DEB.2.20.1902201234280.19193@grey.csi.cam.ac.uk>
From: Dick Franks <rwfranks@acm.org>
Date: Wed, 20 Feb 2019 14:50:12 +0000
Message-ID: <CAKW6Ri49=cFCSccYdc+8XJNHYGnM+joowMRD4Oub84UqoVQSSg@mail.gmail.com>
To: Tony Finch <dot@dotat.at>
Cc: Tim Wattenberg <mail@timwattenberg.de>, dnsop WG <dnsop@ietf.org>,  Tom Pusateri <pusateri@bangj.com>
Content-Type: multipart/alternative; boundary="000000000000d51b8a0582547b38"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/v6rqGLLxuwV_9WCGng_0cJm_8O4>
Subject: Re: [DNSOP] Fwd: New Version Notification for draft-pusateri-dnsop-update-timeout-01.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Feb 2019 14:50:53 -0000

--000000000000d51b8a0582547b38
Content-Type: text/plain; charset="UTF-8"

On Wed, 20 Feb 2019 at 12:36, Tony Finch <dot@dotat.at> wrote:

> Dick Franks <rwfranks@acm.org> wrote:
> >
> > Unsigned 32 bit RRSIG time is good for travel until 7th February 2106.
>
> No, it lasts indefinitely. It covers +/- 68 years relative to current
> POSIX time using serial number arithmetic.
>

The value is ( t - Jan1970 ) mod 2**32, for any integer t, which is certainly
not relative to current time, always positive, and I agree lasts indefinitely.
The point I was trying to make was that the wrapping occurs in 2106,
not 2038 as some have claimed.
RFC1982 serial number arithmetic is mandated for comparison of these values,
not for defining the values themselves.


[RFC4034] 3.1.5.  Signature Expiration and Inception Fields

   The Signature Expiration and Inception fields specify a validity
   period for the signature.  The RRSIG record MUST NOT be used for
   authentication prior to the inception date and MUST NOT be used for
   authentication after the expiration date.

   The Signature Expiration and Inception field values specify a date
   and time in the form of a 32-bit unsigned number of seconds elapsed
   since 1 January 1970 00:00:00 UTC, ignoring leap seconds, in network
   byte order.  The longest interval that can be expressed by this
   format without wrapping is approximately 136 years.  An RRSIG RR can
   have an Expiration field value that is numerically smaller than the
   Inception field value if the expiration field value is near the
   32-bit wrap-around point or if the signature is long lived.  Because
   of this, all comparisons involving these fields MUST use "Serial
   number arithmetic", as defined in [RFC1982].  As a direct
   consequence, the values contained in these fields cannot refer to
   dates more than 68 years in either the past or the future.

--000000000000d51b8a0582547b38--
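
The comparison that the RFC 4034 section 3.1.5 text quoted above mandates, worked through in Python as an added example (it is not part of any message in this thread and not any DNS implementation's code). All function names and the sample timestamps are constructed for illustration; the signature below straddles the 32-bit wrap in 2106.

```python
from datetime import datetime, timedelta, timezone

MODULUS = 1 << 32   # RRSIG inception/expiration are 32-bit unsigned fields
HALF = 1 << 31      # RFC 1982 comparison window, about 68 years of seconds
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
DAY = 86400


def to_field(posix_time):
    """Wire value for an absolute POSIX time: seconds since 1970 mod 2**32."""
    return posix_time % MODULUS


def serial_lt(a, b):
    """RFC 1982 'a < b' for 32-bit serial numbers.

    The result is undefined when the values differ by exactly 2**31;
    this sketch treats that case as 'not less than' in both directions.
    """
    return a != b and ((b - a) % MODULUS) < HALF


def rrsig_in_validity(inception, expiration, now):
    """True if `now` (absolute POSIX time) lies inside the validity period.

    Both bounds are compared against the wrapped current time with
    serial number arithmetic, as RFC 4034 3.1.5 requires.
    """
    now_field = to_field(now)
    return (not serial_lt(now_field, inception)
            and not serial_lt(expiration, now_field))


def naive_in_validity(inception, expiration, now):
    """Plain integer comparison, shown only to contrast with the rule above."""
    return inception <= to_field(now) <= expiration


def resolve_field(field, now):
    """Absolute POSIX time that `field` denotes to a validator whose clock
    reads `now`: the unique instant within 2**31 seconds of `now`."""
    delta = (field - to_field(now)) % MODULUS
    if delta >= HALF:
        delta -= MODULUS
    return now + delta


def as_utc(posix_time):
    """Render an absolute POSIX time without relying on platform time_t."""
    return EPOCH + timedelta(seconds=posix_time)


# Constructed sample: a two-day signature centred on the wrap instant.
WRAP = MODULUS                        # first instant whose field value is 0 again
INCEPTION = to_field(WRAP - DAY)      # 4294880896
EXPIRATION = to_field(WRAP + DAY)     # 86400, numerically below INCEPTION

if __name__ == "__main__":
    print("field wraps at", as_utc(WRAP).isoformat())
    for label, now in [("1h after wrap", WRAP + 3600),
                       ("2d after wrap", WRAP + 2 * DAY),
                       ("2d before wrap", WRAP - 2 * DAY)]:
        print(label,
              "serial:", rrsig_in_validity(INCEPTION, EXPIRATION, now),
              "naive:", naive_in_validity(INCEPTION, EXPIRATION, now))
    # The same field value means different instants to validators in
    # different eras (constructed clocks: February 2019 and late 2039).
    for clock in (1550674212, 2200000000):
        print("field 0 seen at", as_utc(clock).date(),
              "->", as_utc(resolve_field(0, clock)).isoformat())
```
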


From nobody Wed Feb 20 06:54:27 2019
Return-Path: <Jason_Livingood@comcast.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 608F8130E09 for <dnsop@ietfa.amsl.com>; Wed, 20 Feb 2019 06:54:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4FV2hLpKjZrI for <dnsop@ietfa.amsl.com>; Wed, 20 Feb 2019 06:54:22 -0800 (PST)
Received: from copdcmhout02.cable.comcast.com (copdcmhout02.cable.comcast.com [96.114.158.212]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ACDB0129741 for <dnsop@ietf.org>; Wed, 20 Feb 2019 06:54:22 -0800 (PST)
X-AuditID: 60729ed4-2cdff700000044dc-8e-5c6d6a17a870
Received: from COPDCEXC37.cable.comcast.com (copdcmhoutvip.cable.comcast.com [96.114.156.147]) (using TLS with cipher AES256-SHA256 (256/256 bits)) (Client did not present a certificate) by copdcmhout02.cable.comcast.com (SMTP Gateway) with SMTP id 28.C7.17628.71A6D6C5; Wed, 20 Feb 2019 07:54:15 -0700 (MST)
Received: from COPDCEXC37.cable.comcast.com (147.191.125.136) by COPDCEXC37.cable.comcast.com (147.191.125.136) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1466.3; Wed, 20 Feb 2019 09:54:14 -0500
Received: from COPDCEXC37.cable.comcast.com ([fe80::3aea:a7ff:fe36:8a94]) by COPDCEXC37.cable.comcast.com ([fe80::3aea:a7ff:fe36:8a94%15]) with mapi id 15.01.1466.012; Wed, 20 Feb 2019 09:54:14 -0500
From: "Livingood, Jason" <Jason_Livingood@comcast.com>
To: dnsop <dnsop@ietf.org>
Thread-Topic: Two Resurrected WG I-Ds: Don't Switch Resolvers & Auth DNS Mistakes
Thread-Index: AQHUySwllowhtJeSHEyZ4LYxWbk+Lw==
Date: Wed, 20 Feb 2019 14:54:14 +0000
Message-ID: <343FC655-8CC4-4B6A-A258-760AA699EBE2@cable.comcast.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
user-agent: Microsoft-MacOutlook/10.15.0.190115
x-originating-ip: [96.114.156.7]
Content-Type: multipart/alternative; boundary="_000_343FC6558CC44B6AA258760AA699EBE2cablecomcastcom_"
MIME-Version: 1.0
X-CFilter-Loop: Forward
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/pneLQUuZZlgIQ2bJhfEuSmmPaE0>
Subject: [DNSOP] Two Resurrected WG I-Ds: Don't Switch Resolvers & Auth DNS Mistakes
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Feb 2019 14:54:25 -0000

--_000_343FC6558CC44B6AA258760AA699EBE2cablecomcastcom_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64

A few years ago I had somehow succeeded in getting WG adoption of 2 documents that addressed some pet peeves I had as a recursive DNS operator. Things got busy and my attention wandered elsewhere and I did not advance them. Since these issues continue to haunt RDNS operators, I have decided to update these documents. The first says that DNSSEC errors (and other auth RR issues) are the operational responsibility of and must be solved by auth DNS admins. The second says that people should not change to non-validating resolvers when a DNSSEC failure occurs. Both are likely obvious to us in the WG, but not so much to anyone else. ;-)

Just a week or so ago, Windows Update started to fail seemingly due to a bad delegation to a CDN from Microsoft and the TTL on the bad RR was long-ish (details are scant). So reporters and even Microsoft support started suggesting that people change their DNS resolvers. Only later did people figure out the problem was on Microsoft’s auth DNS end (see https://www.zdnet.com/article/windows-update-problems-fixed-now-but-heres-what-went-wrong-says-microsoft/ and 1st story at https://www.zdnet.com/article/windows-10-updates-are-broken-again-but-this-time-its-not-microsofts-fault/). And we also see the issue of “DNSSEC validation failed, so switch to a non-validator” on a regular basis.

So I just submitted these again / updated them. I have asked the WG chairs to let me know how they’d like me to proceed with them, but haven’t yet heard back. In the meantime, I’m happy to continue to once again take input and comment from the WG.

https://datatracker.ietf.org/doc/draft-livingood-dnsop-dont-switch-resolvers/
https://datatracker.ietf.org/doc/draft-livingood-dnsop-auth-dnssec-mistakes/

Thanks!
Jason

--_000_343FC6558CC44B6AA258760AA699EBE2cablecomcastcom_--


From nobody Wed Feb 20 11:16:01 2019
Return-Path: <marka@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9670F130E58 for <dnsop@ietfa.amsl.com>; Wed, 20 Feb 2019 11:16:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.901
X-Spam-Level: 
X-Spam-Status: No, score=-6.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zIaDNKkzec1q for <dnsop@ietfa.amsl.com>; Wed, 20 Feb 2019 11:15:58 -0800 (PST)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [149.20.64.53]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5B274130E57 for <dnsop@ietf.org>; Wed, 20 Feb 2019 11:15:57 -0800 (PST)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.pao1.isc.org (Postfix) with ESMTPS id 323383AB060; Wed, 20 Feb 2019 19:15:56 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id 00A9316005B; Wed, 20 Feb 2019 19:15:56 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id D070B160070; Wed, 20 Feb 2019 19:15:55 +0000 (UTC)
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id 1be15h0WSjhU; Wed, 20 Feb 2019 19:15:55 +0000 (UTC)
Received: from [172.30.42.88] (c27-253-115-14.carlnfd2.nsw.optusnet.com.au [27.253.115.14]) by zmx1.isc.org (Postfix) with ESMTPSA id 55B1A16005B; Wed, 20 Feb 2019 19:15:55 +0000 (UTC)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (1.0)
From: Mark Andrews <marka@isc.org>
X-Mailer: iPhone Mail (16D57)
In-Reply-To: <646C86F6-C10D-43DF-ADE8-19222994E4D1@hopcount.ca>
Date: Thu, 21 Feb 2019 06:15:52 +1100
Cc: Paul Wouters <paul@nohats.ca>, dnsop <dnsop@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <E41DDEED-DF50-481F-9378-D721C3612643@isc.org>
References: <155053239541.25848.12960190085730298684.idtracker@ietfa.amsl.com> <969D8BA1-6ED3-47E8-AFFD-2BEE8EA3E66B@bangj.com> <alpine.DEB.2.20.1902191219070.766@grey.csi.cam.ac.uk> <0DE33073-93B1-4CF5-B12D-B7266E21E8B2@timwattenberg.de> <alpine.LRH.2.21.1902191715230.30381@bofh.nohats.ca> <1F461BFA-638A-4607-84BD-F8B8597A1114@isc.org> <alpine.LRH.2.21.1902200028210.29865@bofh.nohats.ca> <646C86F6-C10D-43DF-ADE8-19222994E4D1@hopcount.ca>
To: Joe Abley <jabley@hopcount.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/1yr0Zh78BqxTPktPHZDDCRTCpPE>
Subject: Re: [DNSOP] Fwd: New Version Notification for draft-pusateri-dnsop-update-timeout-01.txt
X-List-Received-Date: Wed, 20 Feb 2019 19:16:00 -0000

Joe, look at active directory. The names in the DNS are garbage cleaned
by undocumented processes that prevent UPDATE being used to manage the
“static” content.

You have registering AAAA and PTR records with SLAAC. You don’t want
stale records to continue to exist in the zones. You will be sent to the
wrong machine (AAAA) or the zone will become a garbage dump of stale
records (PTR).  But until the support is there you can’t safely do this.

Today you can use SIG(0) to register your AAAA records and use TCP to
authenticate PTR additions to the DNS zones. All that is missing is the
automated cleanup.  DNS servers are quite capable of doing that once
specified how.  DHCP servers mostly do this for IPv4 but even that is
problematic.  Records still get left behind because there was a
communication failure at lease expiry / release.

DNS-SD has the same issues. Garbage collection.

You also need it as standards track so people won’t think it is
something that is going away and to encourage everyone who implements
UPDATE to support it.  Clients and servers.
-- 
Mark Andrews

> On 20 Feb 2019, at 23:51, Joe Abley <jabley@hopcount.ca> wrote:
>
>> On 20 Feb 2019, at 00:35, Paul Wouters <paul@nohats.ca> wrote:
>>
>>> On Wed, 20 Feb 2019, Mark Andrews wrote:
>>>
>>> Think disaster recovery and promoting a slave to master.  You have to
>>> transfer state between servers.  You can transfer it in band or out of
>>> band.  If you transfer it out of band you need to invent / specify
>>> yet-another-protocol to do it on top of specifying when records need to
>>> be removed.
>>
>> That is not very convincing to me. disaster recovery scenarios seem to
>> be solvable by proper admin and by the daemon properly writing state to
>> disk which can be saved off-site. It also seems a rather rare occurrence.
>
> I agree.
>
> The crux of the use case seems to be that it is commonplace for names in
> the DNS to exist for short periods of time and that for some
> applications a name that overstays its welcome can cause an operational
> problem.
>
> While I can understand the philosophical desire to complete the UPDATE
> specification so that it is possible to engineer around this scenario, I
> don't see the practical application. The existence of the requirement in
> the first place seems unproven (at least there are no obvious examples
> given); the scenario in which the purported operational problem arises
> seems likely to be rare; workarounds surely exist and, really, the
> damage in the event that the stars align and a temporary name does
> persist seems very low.
>
> If the goal is to try this out and have no impact on existing
> implementations (e.g. there is some side code that is imagined that will
> poll a transferred zone for TIMEOUT records and do local UPDATEs in
> order to remove RRSets that should not be there) then all that is really
> needed here is a code point for the TIMEOUT RR. The existence of the
> draft is nice since documentation is good, but I think "experimental"
> would be a better target than "standards track". It's surely possible
> that this mechanism will solve some as-yet unnoticed, large-scale
> problem and will one day be considered essential functionality, but I
> don't think we're there today. There be camels.
>
>
> Joe


From nobody Wed Feb 20 11:30:24 2019
Return-Path: <dot@dotat.at>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5FBC6130E79 for <dnsop@ietfa.amsl.com>; Wed, 20 Feb 2019 11:30:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level: 
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YB_adVfquhJB for <dnsop@ietfa.amsl.com>; Wed, 20 Feb 2019 11:30:20 -0800 (PST)
Received: from ppsw-32.csi.cam.ac.uk (ppsw-32.csi.cam.ac.uk [131.111.8.132]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8B6B0130E6A for <dnsop@ietf.org>; Wed, 20 Feb 2019 11:30:20 -0800 (PST)
X-Cam-AntiVirus: no malware found
X-Cam-ScannerInfo: http://help.uis.cam.ac.uk/email-scanner-virus
Received: from grey.csi.cam.ac.uk ([131.111.57.57]:58080) by ppsw-32.csi.cam.ac.uk (ppsw.cam.ac.uk [131.111.8.138]:25) with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) id 1gwXZR-000Adh-1P (Exim 4.91) (return-path <dot@dotat.at>); Wed, 20 Feb 2019 19:30:17 +0000
Date: Wed, 20 Feb 2019 19:30:17 +0000
From: Tony Finch <dot@dotat.at>
To: Mark Andrews <marka@isc.org>
cc: Joe Abley <jabley@hopcount.ca>, dnsop <dnsop@ietf.org>,  Paul Wouters <paul@nohats.ca>
In-Reply-To: <E41DDEED-DF50-481F-9378-D721C3612643@isc.org>
Message-ID: <alpine.DEB.2.20.1902201928250.19193@grey.csi.cam.ac.uk>
References: <155053239541.25848.12960190085730298684.idtracker@ietfa.amsl.com> <969D8BA1-6ED3-47E8-AFFD-2BEE8EA3E66B@bangj.com> <alpine.DEB.2.20.1902191219070.766@grey.csi.cam.ac.uk> <0DE33073-93B1-4CF5-B12D-B7266E21E8B2@timwattenberg.de> <alpine.LRH.2.21.1902191715230.30381@bofh.nohats.ca> <1F461BFA-638A-4607-84BD-F8B8597A1114@isc.org> <alpine.LRH.2.21.1902200028210.29865@bofh.nohats.ca> <646C86F6-C10D-43DF-ADE8-19222994E4D1@hopcount.ca> <E41DDEED-DF50-481F-9378-D721C3612643@isc.org>
User-Agent: Alpine 2.20 (DEB 67 2015-01-07)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/34TWt2HZ2V6vokzeNuFo1o8RL80>
Subject: Re: [DNSOP] Fwd: New Version Notification for draft-pusateri-dnsop-update-timeout-01.txt
X-List-Received-Date: Wed, 20 Feb 2019 19:30:22 -0000

Mark Andrews <marka@isc.org> wrote:
>
> All that is missing is the automated cleanup.  DNS servers are quite
> capable of doing that once specified how.

Does it need to be per-record? Why not GC the whole RRset?

Tony.
-- 
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
Fair Isle: Southwesterly 5 or 6, occasionally 7 later in west. Moderate or
rough, occasionally very rough at first in west. Rain. Good, occasionally
moderate.


From nobody Wed Feb 20 11:32:53 2019
Return-Path: <paul@redbarn.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F219C130E7C for <dnsop@ietfa.amsl.com>; Wed, 20 Feb 2019 11:32:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level: 
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id D1JHlz1Z4bw7 for <dnsop@ietfa.amsl.com>; Wed, 20 Feb 2019 11:32:50 -0800 (PST)
Received: from family.redbarn.org (family.redbarn.org [IPv6:2001:559:8000:cd::5]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D8E05130E82 for <dnsop@ietf.org>; Wed, 20 Feb 2019 11:32:47 -0800 (PST)
Received: from [IPv6:2001:559:8000:c9:5974:dea:26c6:7c5e] (unknown [IPv6:2001:559:8000:c9:5974:dea:26c6:7c5e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client did not present a certificate) by family.redbarn.org (Postfix) with ESMTPSA id 72870892C6; Wed, 20 Feb 2019 19:32:47 +0000 (UTC)
To: Tony Finch <dot@dotat.at>
Cc: Mark Andrews <marka@isc.org>, dnsop <dnsop@ietf.org>, Paul Wouters <paul@nohats.ca>, Joe Abley <jabley@hopcount.ca>
References: <155053239541.25848.12960190085730298684.idtracker@ietfa.amsl.com> <969D8BA1-6ED3-47E8-AFFD-2BEE8EA3E66B@bangj.com> <alpine.DEB.2.20.1902191219070.766@grey.csi.cam.ac.uk> <0DE33073-93B1-4CF5-B12D-B7266E21E8B2@timwattenberg.de> <alpine.LRH.2.21.1902191715230.30381@bofh.nohats.ca> <1F461BFA-638A-4607-84BD-F8B8597A1114@isc.org> <alpine.LRH.2.21.1902200028210.29865@bofh.nohats.ca> <646C86F6-C10D-43DF-ADE8-19222994E4D1@hopcount.ca> <E41DDEED-DF50-481F-9378-D721C3612643@isc.org> <alpine.DEB.2.20.1902201928250.19193@grey.csi.cam.ac.uk>
From: Paul Vixie <paul@redbarn.org>
Message-ID: <c4a580fb-bd83-ab53-856e-6082d32d3463@redbarn.org>
Date: Wed, 20 Feb 2019 11:32:45 -0800
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 PostboxApp/6.1.10
MIME-Version: 1.0
In-Reply-To: <alpine.DEB.2.20.1902201928250.19193@grey.csi.cam.ac.uk>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/k4eRLEWloK-ItcZsDI87plRXBFQ>
Subject: Re: [DNSOP] Fwd: New Version Notification for draft-pusateri-dnsop-update-timeout-01.txt
X-List-Received-Date: Wed, 20 Feb 2019 19:32:52 -0000

Tony Finch wrote on 2019-02-20 11:30:
> Mark Andrews <marka@isc.org> wrote:
>>
>> All that is missing is the automated cleanup.  DNS servers are quite
>> capable of doing that once specified how.
> 
> Does it need to be per-record? Why not GC the whole RRset?

+1. this is what DEFUPD did.

(https://datatracker.ietf.org/doc/draft-ietf-dnsind-defupd/)

-- 
P Vixie


From nobody Wed Feb 20 13:10:00 2019
Return-Path: <marka@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 06B2312D4F0 for <dnsop@ietfa.amsl.com>; Wed, 20 Feb 2019 13:09:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.901
X-Spam-Level: 
X-Spam-Status: No, score=-6.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id O6s1yTFCcQ13 for <dnsop@ietfa.amsl.com>; Wed, 20 Feb 2019 13:09:55 -0800 (PST)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [IPv6:2001:4f8:0:2::2b]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 37771130E84 for <dnsop@ietf.org>; Wed, 20 Feb 2019 13:09:55 -0800 (PST)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.pao1.isc.org (Postfix) with ESMTPS id 68DE93AB061; Wed, 20 Feb 2019 21:09:54 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id 26739160070; Wed, 20 Feb 2019 21:09:53 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id 1251416006F; Wed, 20 Feb 2019 21:09:53 +0000 (UTC)
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id v1afyUK_bykH; Wed, 20 Feb 2019 21:09:53 +0000 (UTC)
Received: from [172.30.42.67] (c27-253-115-14.carlnfd2.nsw.optusnet.com.au [27.253.115.14]) by zmx1.isc.org (Postfix) with ESMTPSA id 2139A16005B; Wed, 20 Feb 2019 21:09:51 +0000 (UTC)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
From: Mark Andrews <marka@isc.org>
In-Reply-To: <alpine.DEB.2.20.1902201928250.19193@grey.csi.cam.ac.uk>
Date: Thu, 21 Feb 2019 08:09:49 +1100
Cc: Joe Abley <jabley@hopcount.ca>, dnsop <dnsop@ietf.org>, Paul Wouters <paul@nohats.ca>
Content-Transfer-Encoding: quoted-printable
Message-Id: <9330E97B-76BF-4C6F-8F6F-01349A3E7427@isc.org>
References: <155053239541.25848.12960190085730298684.idtracker@ietfa.amsl.com> <969D8BA1-6ED3-47E8-AFFD-2BEE8EA3E66B@bangj.com> <alpine.DEB.2.20.1902191219070.766@grey.csi.cam.ac.uk> <0DE33073-93B1-4CF5-B12D-B7266E21E8B2@timwattenberg.de> <alpine.LRH.2.21.1902191715230.30381@bofh.nohats.ca> <1F461BFA-638A-4607-84BD-F8B8597A1114@isc.org> <alpine.LRH.2.21.1902200028210.29865@bofh.nohats.ca> <646C86F6-C10D-43DF-ADE8-19222994E4D1@hopcount.ca> <E41DDEED-DF50-481F-9378-D721C3612643@isc.org> <alpine.DEB.2.20.1902201928250.19193@grey.csi.cam.ac.uk>
To: Tony Finch <dot@dotat.at>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/BPY_5LyGr1UMpskm7g8ARsV5Itg>
Subject: Re: [DNSOP] Fwd: New Version Notification for draft-pusateri-dnsop-update-timeout-01.txt
X-List-Received-Date: Wed, 20 Feb 2019 21:09:57 -0000

> On 21 Feb 2019, at 6:30 am, Tony Finch <dot@dotat.at> wrote:
>
> Mark Andrews <marka@isc.org> wrote:
>>
>> All that is missing is the automated cleanup.  DNS servers are quite
>> capable of doing that once specified how.
>
> Does it need to be per-record? Why not GC the whole RRset?

Because there are scenarios where you do want to GC a single
record from the RRset. AD has them with SRV.  Each server adds
its own SRV record to the RRset.  When a server goes away without
cleaning up you want the SRV to go but the RRset to remain.

A machine has permanent and time limited addresses.

I’m sure there will be other cases where you want selective deletion
from a RRset.

Mark

> Tony.
> -- 
> f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
> Fair Isle: Southwesterly 5 or 6, occasionally 7 later in west. Moderate or
> rough, occasionally very rough at first in west. Rain. Good, occasionally
> moderate.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka@isc.org
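
The per-record case argued in the message above, together with the stale AAAA concern raised earlier in this thread, as an added Python sketch that is not part of any post or of the draft. The zone model, the names and addresses, and the rule that an RRset-level timer follows the latest refresh of any member are assumptions made for illustration; this is not the TIMEOUT RR format.

```python
from dataclasses import dataclass, field

PERMANENT = None   # no lease: the record was provisioned statically
LEASE = 3600       # constructed lease length in seconds

# Constructed sample data (example.test and 2001:db8::/32 are reserved ranges).
SRV_NAME = "_ldap._tcp.example.test."
HOST = "laptop.example.test."
DC1 = "0 100 389 dc1.example.test."
DC2 = "0 100 389 dc2.example.test."
STABLE_ADDR = "2001:db8::10"
TEMP_ADDR = "2001:db8::a1b2"


@dataclass
class Zone:
    """Toy zone: (owner, type) -> {rdata: expiry time or PERMANENT}."""
    rrsets: dict = field(default_factory=dict)

    def register(self, owner, rtype, rdata, now, lease=PERMANENT):
        """Add or refresh one record, as an UPDATE from its owner would."""
        expiry = PERMANENT if lease is PERMANENT else now + lease
        self.rrsets.setdefault((owner, rtype), {})[rdata] = expiry

    def gc_per_record(self, now):
        """Expire each leased record on its own timer."""
        removed = []
        for key in list(self.rrsets):
            records = self.rrsets[key]
            for rdata, expiry in list(records.items()):
                if expiry is not PERMANENT and expiry <= now:
                    del records[rdata]
                    removed.append((*key, rdata))
            if not records:
                del self.rrsets[key]
        return removed

    def gc_per_rrset(self, now):
        """Expire whole RRsets only. Assumption: the RRset timer is the
        latest member expiry, and a permanent member pins the RRset."""
        removed = []
        for key in list(self.rrsets):
            expiries = list(self.rrsets[key].values())
            if any(e is PERMANENT for e in expiries):
                continue
            if max(expiries) <= now:
                removed += [(*key, rdata) for rdata in self.rrsets[key]]
                del self.rrsets[key]
        return removed

    def rdata(self, owner, rtype):
        return sorted(self.rrsets.get((owner, rtype), {}))


def build_zone():
    """Two servers sharing one SRV RRset, and a host with a permanent and a
    time-limited address. dc2 and the temporary address are never renewed."""
    zone = Zone()
    zone.register(SRV_NAME, "SRV", DC1, now=0, lease=LEASE)
    zone.register(SRV_NAME, "SRV", DC2, now=0, lease=LEASE)
    zone.register(HOST, "AAAA", STABLE_ADDR, now=0)
    zone.register(HOST, "AAAA", TEMP_ADDR, now=0, lease=LEASE)
    zone.register(SRV_NAME, "SRV", DC1, now=3000, lease=LEASE)  # dc1 refresh
    return zone


def run(gc_name, now=4000):
    """Apply one GC policy at time `now`; return (live, stale) rdata lists."""
    zone = build_zone()
    getattr(zone, gc_name)(now)
    left = zone.rdata(SRV_NAME, "SRV") + zone.rdata(HOST, "AAAA")
    live = [r for r in left if r in (DC1, STABLE_ADDR)]
    stale = [r for r in left if r in (DC2, TEMP_ADDR)]
    return live, stale


if __name__ == "__main__":
    for policy in ("gc_per_record", "gc_per_rrset"):
        live, stale = run(policy)
        print(f"{policy}: live={live} stale={stale}")
```

Under the RRset-level policy the abandoned SRV target and the expired temporary address stay published for as long as any sibling record is refreshed or permanent, which is the misdirection risk described for stale AAAA records.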


From nobody Wed Feb 20 17:18:35 2019
Return-Path: <rwfranks@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D0271130F47 for <dnsop@ietfa.amsl.com>; Wed, 20 Feb 2019 17:18:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.88
X-Spam-Level: 
X-Spam-Status: No, score=-1.88 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.018, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KHydUkBZ0AHy for <dnsop@ietfa.amsl.com>; Wed, 20 Feb 2019 17:18:27 -0800 (PST)
Received: from mail-it1-f181.google.com (mail-it1-f181.google.com [209.85.166.181]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8AB98130F52 for <dnsop@ietf.org>; Wed, 20 Feb 2019 17:18:27 -0800 (PST)
Received: by mail-it1-f181.google.com with SMTP id e24so6364303itl.1 for <dnsop@ietf.org>; Wed, 20 Feb 2019 17:18:27 -0800 (PST)
X-Received: by 2002:a24:f30b:: with SMTP id t11mr6193061ith.40.1550711906661;  Wed, 20 Feb 2019 17:18:26 -0800 (PST)
MIME-Version: 1.0
References: <154689301066.32204.17312124670782800354@ietfa.amsl.com> <ybl1s5nxgau.fsf@w7.hardakers.net> <3c2ef704-148f-ed03-26a9-8ea29256acc2@nic.cz> <56e824cf-37e3-0880-0192-2ee46a818345@nic.cz>
In-Reply-To: <56e824cf-37e3-0880-0192-2ee46a818345@nic.cz>
From: Dick Franks <rwfranks@acm.org>
Date: Thu, 21 Feb 2019 01:17:49 +0000
Message-ID: <CAKW6Ri7JiotUbmDuKZ4NjE-yJkHv69DBvonGL56bmzPrjeHXtA@mail.gmail.com>
To: Petr Špaček <petr.spacek@nic.cz>
Cc: IETF DNSOP WG <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000058770a05825d40b7"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/m2pmrUXGpXeS6ncgXNc3UW7mpNI>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-extended-error-04.txt
X-List-Received-Date: Thu, 21 Feb 2019 01:18:33 -0000

--00000000000058770a05825d40b7
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit

On Wed, 20 Feb 2019 at 11:27, Petr Špaček <petr.spacek@nic.cz> wrote:
8<

> Yet another code proposal:
> * answer with stale data
>
>    The resolver was unable to resolve answer within its time limits and
>    decided to answer with stale data instead of answering with an error.
>    This is typically caused by problems on authoritative side, possibly
>    as result of a DoS attack. Retrying is likely to cause load and not
>    yield a fresh answer, RETRY=0.
>
> Here is a problem that this code point is applicable to NOERROR as well
> as NXDOMAIN answers so I'm not sure how to categorize it. This
> reinforces my unanswered question why the draft proposes to copy RCODE
> into EDE.
>

This seems to be a good argument in favour of a one-dimensional error table.

--Dick

--00000000000058770a05825d40b7--


From nobody Wed Feb 20 21:59:04 2019
Return-Path: <prvs=1955780031=jordi.palet@consulintel.es>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DB82512EB11; Wed, 20 Feb 2019 21:58:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level: 
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=consulintel.es
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TyCQuD7wsjcR; Wed, 20 Feb 2019 21:58:56 -0800 (PST)
Received: from mail.consulintel.es (mail.consulintel.es [IPv6:2001:470:1f09:495::5]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8219012008F; Wed, 20 Feb 2019 21:58:54 -0800 (PST)
X-MDAV-Result: clean
X-MDAV-Processed: mail.consulintel.es, Thu, 21 Feb 2019 06:58:52 +0100
X-Spam-Processed: mail.consulintel.es, Thu, 21 Feb 2019 06:58:52 +0100
Received: from [10.10.10.160] by mail.consulintel.es (MDaemon PRO v16.5.2)  with ESMTPA id md50006162679.msg; Thu, 21 Feb 2019 06:58:51 +0100
X-MDRemoteIP: 10.8.10.10
X-MDHelo: [10.10.10.160]
X-MDArrival-Date: Thu, 21 Feb 2019 06:58:51 +0100
X-Authenticated-Sender: jordi.palet@consulintel.es
X-Return-Path: prvs=1955780031=jordi.palet@consulintel.es
X-Envelope-From: jordi.palet@consulintel.es
User-Agent: Microsoft-MacOutlook/10.10.7.190210
Date: Thu, 21 Feb 2019 14:58:36 +0900
From: JORDI PALET MARTINEZ <jordi.palet@consulintel.es>
To: IPv6 Operations <v6ops@ietf.org>, dnsop <dnsop@ietf.org>
Message-ID: <40C16CF8-8EE8-468D-8248-A2873CC7EAB6@consulintel.es>
Thread-Topic: inputs on NAT64/464XLAT Deployment Guidelines in Operator and Enterprise Networks draft-ietf-v6ops-nat64-deployment
Mime-version: 1.0
Content-type: text/plain; charset="UTF-8"
Content-transfer-encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/dV_m-75TKZisaXVYBvJE1maSpZo>
Subject: [DNSOP] inputs on NAT64/464XLAT Deployment Guidelines in Operator and Enterprise Networks draft-ietf-v6ops-nat64-deployment
X-List-Received-Date: Thu, 21 Feb 2019 05:58:58 -0000

Hi all,

(dnsop copied because DNS64)

I'm working on a new version of this document.

Link to the document:

https://datatracker.ietf.org/doc/draft-ietf-v6ops-nat64-deployment/

It will be great if we can get some new inputs.

Thanks!

Regards,
Jordi


From nobody Thu Feb 21 04:25:03 2019
Return-Path: <dot@dotat.at>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 722E7130FA9 for <dnsop@ietfa.amsl.com>; Thu, 21 Feb 2019 04:25:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level: 
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bqbk8bRKkkqA for <dnsop@ietfa.amsl.com>; Thu, 21 Feb 2019 04:24:59 -0800 (PST)
Received: from ppsw-32.csi.cam.ac.uk (ppsw-32.csi.cam.ac.uk [131.111.8.132]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4A875130F9F for <dnsop@ietf.org>; Thu, 21 Feb 2019 04:24:59 -0800 (PST)
X-Cam-AntiVirus: no malware found
X-Cam-ScannerInfo: http://help.uis.cam.ac.uk/email-scanner-virus
Received: from grey.csi.cam.ac.uk ([131.111.57.57]:51382) by ppsw-32.csi.cam.ac.uk (ppsw.cam.ac.uk [131.111.8.138]:25) with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) id 1gwnPM-000G3H-09 (Exim 4.91) (return-path <dot@dotat.at>); Thu, 21 Feb 2019 12:24:56 +0000
Date: Thu, 21 Feb 2019 12:24:55 +0000
From: Tony Finch <dot@dotat.at>
To: Mark Andrews <marka@isc.org>
cc: dnsop <dnsop@ietf.org>, Paul Wouters <paul@nohats.ca>,  Joe Abley <jabley@hopcount.ca>
In-Reply-To: <9330E97B-76BF-4C6F-8F6F-01349A3E7427@isc.org>
Message-ID: <alpine.DEB.2.20.1902211215480.19193@grey.csi.cam.ac.uk>
References: <155053239541.25848.12960190085730298684.idtracker@ietfa.amsl.com> <969D8BA1-6ED3-47E8-AFFD-2BEE8EA3E66B@bangj.com> <alpine.DEB.2.20.1902191219070.766@grey.csi.cam.ac.uk> <0DE33073-93B1-4CF5-B12D-B7266E21E8B2@timwattenberg.de> <alpine.LRH.2.21.1902191715230.30381@bofh.nohats.ca> <1F461BFA-638A-4607-84BD-F8B8597A1114@isc.org> <alpine.LRH.2.21.1902200028210.29865@bofh.nohats.ca> <646C86F6-C10D-43DF-ADE8-19222994E4D1@hopcount.ca> <E41DDEED-DF50-481F-9378-D721C3612643@isc.org> <alpine.DEB.2.20.1902201928250.19193@grey.csi.cam.ac.uk> <9330E97B-76BF-4C6F-8F6F-01349A3E7427@isc.org>
User-Agent: Alpine 2.20 (DEB 67 2015-01-07)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/EHzO-uC3FURG5bHZRLsPY_fF5jk>
Subject: Re: [DNSOP] Fwd: New Version Notification for draft-pusateri-dnsop-update-timeout-01.txt
X-List-Received-Date: Thu, 21 Feb 2019 12:25:02 -0000

Mark Andrews <marka@isc.org> wrote:
> > On 21 Feb 2019, at 6:30 am, Tony Finch <dot@dotat.at> wrote:
> >
> > Does it need to be per-record? Why not GC the whole RRset?
>
> Because there are scenarios where you do want to GC a single
> record from the RRset. AD has them with SRV.  Each server adds
> its own SRV record to the RRset.

Oh I see, that makes sense. Things like this need explaining in the
document.

Why not simplify the RDATA format so there is just one item per record,
instead of containing a list of lists? Aren't the individual items going
to be added/removed independently of each other?

Tony.
-- 
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
Shannon, Rockall: Southerly or southeasterly 6 to gale 8, increasing severe
gale 9 at times, perhaps storm 10 later in northwest Rockall. Very rough or
high. Rain. Moderate or poor.


From nobody Thu Feb 21 06:11:46 2019
Return-Path: <rwfranks@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3EB6D1279E6 for <dnsop@ietfa.amsl.com>; Thu, 21 Feb 2019 06:11:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.88
X-Spam-Level: 
X-Spam-Status: No, score=-1.88 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.018, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 49ZmgVzFN5sC for <dnsop@ietfa.amsl.com>; Thu, 21 Feb 2019 06:11:43 -0800 (PST)
Received: from mail-it1-f196.google.com (mail-it1-f196.google.com [209.85.166.196]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2F405130FD7 for <dnsop@ietf.org>; Thu, 21 Feb 2019 06:11:43 -0800 (PST)
Received: by mail-it1-f196.google.com with SMTP id r11so22560804itc.2 for <dnsop@ietf.org>; Thu, 21 Feb 2019 06:11:43 -0800 (PST)
X-Received: by 2002:a24:6b44:: with SMTP id v65mr7868225itc.82.1550758301535;  Thu, 21 Feb 2019 06:11:41 -0800 (PST)
MIME-Version: 1.0
References: <155053239541.25848.12960190085730298684.idtracker@ietfa.amsl.com> <969D8BA1-6ED3-47E8-AFFD-2BEE8EA3E66B@bangj.com> <alpine.DEB.2.20.1902191219070.766@grey.csi.cam.ac.uk> <0DE33073-93B1-4CF5-B12D-B7266E21E8B2@timwattenberg.de> <alpine.LRH.2.21.1902191715230.30381@bofh.nohats.ca> <1F461BFA-638A-4607-84BD-F8B8597A1114@isc.org> <alpine.LRH.2.21.1902200028210.29865@bofh.nohats.ca> <646C86F6-C10D-43DF-ADE8-19222994E4D1@hopcount.ca> <E41DDEED-DF50-481F-9378-D721C3612643@isc.org> <alpine.DEB.2.20.1902201928250.19193@grey.csi.cam.ac.uk> <9330E97B-76BF-4C6F-8F6F-01349A3E7427@isc.org> <alpine.DEB.2.20.1902211215480.19193@grey.csi.cam.ac.uk>
In-Reply-To: <alpine.DEB.2.20.1902211215480.19193@grey.csi.cam.ac.uk>
From: Dick Franks <rwfranks@acm.org>
Date: Thu, 21 Feb 2019 14:11:04 +0000
Message-ID: <CAKW6Ri7u5uCwcXgDrovgpEnhZCpkGGDMrxLHxbFVNvnveUPwWA@mail.gmail.com>
To: Tony Finch <dot@dotat.at>
Cc: Mark Andrews <marka@isc.org>, dnsop <dnsop@ietf.org>, Paul Wouters <paul@nohats.ca>, Joe Abley <jabley@hopcount.ca>
Content-Type: multipart/alternative; boundary="000000000000b2143e0582680d7e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/f2DJvvrWhpblTouxT20jhx3wqIA>
Subject: Re: [DNSOP] Fwd: New Version Notification for draft-pusateri-dnsop-update-timeout-01.txt
X-List-Received-Date: Thu, 21 Feb 2019 14:11:45 -0000

--000000000000b2143e0582680d7e
Content-Type: text/plain; charset="UTF-8"

On Thu, 21 Feb 2019 at 12:25, Tony Finch <dot@dotat.at> wrote:

> Mark Andrews <marka@isc.org> wrote:
> > > On 21 Feb 2019, at 6:30 am, Tony Finch <dot@dotat.at> wrote:
> > >
> > > Does it need to be per-record? Why not GC the whole RRset?
> >
> > Because there are scenarios where you do want to GC a single
> > record from the RRset. AD has them with SRV.  Each server adds
> > its own SRV record to the RRset.
>
> Oh I see, that makes sense. Things like this need explaining in the
> document.
>
> Why not simplify the RDATA format so there is just one item per record,
> instead of containing a list of lists? Aren't the individual items going
> to be added/removed independently of each other?
>

Good idea.

A more radical approach would be to have just one hash per item per record.
This has the attraction of allowing a truncated hash to be used, without
the need for length fields.

--Dick


--000000000000b2143e0582680d7e--


From nobody Thu Feb 21 07:12:52 2019
Return-Path: <mellon@fugue.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EDC4312F1A2 for <dnsop@ietfa.amsl.com>; Thu, 21 Feb 2019 07:12:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fugue-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Amg1GRLbeicc for <dnsop@ietfa.amsl.com>; Thu, 21 Feb 2019 07:12:47 -0800 (PST)
Received: from mail-pf1-x42d.google.com (mail-pf1-x42d.google.com [IPv6:2607:f8b0:4864:20::42d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 59AFD1279E6 for <dnsop@ietf.org>; Thu, 21 Feb 2019 07:12:47 -0800 (PST)
Received: by mail-pf1-x42d.google.com with SMTP id s22so13981857pfh.4 for <dnsop@ietf.org>; Thu, 21 Feb 2019 07:12:47 -0800 (PST)
X-Received: by 2002:a63:31d6:: with SMTP id x205mr8083829pgx.41.1550761966280;  Thu, 21 Feb 2019 07:12:46 -0800 (PST)
Received: from [10.20.5.110] ([12.217.162.130]) by smtp.gmail.com with ESMTPSA id f67sm30631419pff.29.2019.02.21.07.12.45 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 21 Feb 2019 07:12:45 -0800 (PST)
From: Ted Lemon <mellon@fugue.com>
Message-Id: <382BAB3C-C127-46E1-B931-4717A33BD75A@fugue.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_0311F394-FACF-45E6-93F4-4734F5BEF7BC"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.2\))
Date: Thu, 21 Feb 2019 07:12:43 -0800
In-Reply-To: <CAKW6Ri7u5uCwcXgDrovgpEnhZCpkGGDMrxLHxbFVNvnveUPwWA@mail.gmail.com>
Cc: Tony Finch <dot@dotat.at>, dnsop <dnsop@ietf.org>, Paul Wouters <paul@nohats.ca>, Joe Abley <jabley@hopcount.ca>
To: Dick Franks <rwfranks@acm.org>
References: <155053239541.25848.12960190085730298684.idtracker@ietfa.amsl.com> <969D8BA1-6ED3-47E8-AFFD-2BEE8EA3E66B@bangj.com> <alpine.DEB.2.20.1902191219070.766@grey.csi.cam.ac.uk> <0DE33073-93B1-4CF5-B12D-B7266E21E8B2@timwattenberg.de> <alpine.LRH.2.21.1902191715230.30381@bofh.nohats.ca> <1F461BFA-638A-4607-84BD-F8B8597A1114@isc.org> <alpine.LRH.2.21.1902200028210.29865@bofh.nohats.ca> <646C86F6-C10D-43DF-ADE8-19222994E4D1@hopcount.ca> <E41DDEED-DF50-481F-9378-D721C3612643@isc.org> <alpine.DEB.2.20.1902201928250.19193@grey.csi.cam.ac.uk> <9330E97B-76BF-4C6F-8F6F-01349A3E7427@isc.org> <alpine.DEB.2.20.1902211215480.19193@grey.csi.cam.ac.uk> <CAKW6Ri7u5uCwcXgDrovgpEnhZCpkGGDMrxLHxbFVNvnveUPwWA@mail.gmail.com>
X-Mailer: Apple Mail (2.3445.104.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/5YqyBjnsw_qq0LAL2eSqM8sl1Ac>
Subject: Re: [DNSOP] New Version Notification for draft-pusateri-dnsop-update-timeout-01.txt
X-List-Received-Date: Thu, 21 Feb 2019 15:12:50 -0000

--Apple-Mail=_0311F394-FACF-45E6-93F4-4734F5BEF7BC
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8

On Feb 21, 2019, at 6:11 AM, Dick Franks <rwfranks@acm.org> wrote:
> A more radical approach would be to have just one hash per item per record.

One way to make this document less complex yet just as useful would be
to simply have a record that contains what is to be deleted, rather than
a hash of what is to be deleted.   It’s not at all clear to me that
there’s value in using the hash—to me it just seems to create
uncertainty.



--Apple-Mail=_0311F394-FACF-45E6-93F4-4734F5BEF7BC--


From nobody Thu Feb 21 09:43:04 2019
Return-Path: <tjw.ietf@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 29B39131066 for <dnsop@ietfa.amsl.com>; Thu, 21 Feb 2019 09:43:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.988
X-Spam-Level: 
X-Spam-Status: No, score=-1.988 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_FREEMAIL_DOC_PDF=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Qp16oXkM41Nw for <dnsop@ietfa.amsl.com>; Thu, 21 Feb 2019 09:43:00 -0800 (PST)
Received: from mail-io1-xd2f.google.com (mail-io1-xd2f.google.com [IPv6:2607:f8b0:4864:20::d2f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 24E75131036 for <dnsop@ietf.org>; Thu, 21 Feb 2019 09:42:59 -0800 (PST)
Received: by mail-io1-xd2f.google.com with SMTP id y13so2563614iop.11 for <dnsop@ietf.org>; Thu, 21 Feb 2019 09:42:59 -0800 (PST)
X-Received: by 2002:a5e:8d0e:: with SMTP id m14mr26056742ioj.30.1550770977405;  Thu, 21 Feb 2019 09:42:57 -0800 (PST)
MIME-Version: 1.0
References: <343FC655-8CC4-4B6A-A258-760AA699EBE2@cable.comcast.com>
In-Reply-To: <343FC655-8CC4-4B6A-A258-760AA699EBE2@cable.comcast.com>
From: Tim Wicinski <tjw.ietf@gmail.com>
Date: Thu, 21 Feb 2019 12:42:49 -0500
Message-ID: <CADyWQ+F7WPtxOO9juWVTBOPwruWiSP6rwBU1ZBifGTb2W73BXg@mail.gmail.com>
To: "Livingood, Jason" <Jason_Livingood@comcast.com>
Cc: dnsop <dnsop@ietf.org>
Content-Type: multipart/mixed; boundary="0000000000003d386f05826b01bb"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/PU0yJh8WCfsMmgk_5pFcOBW1MM0>
Subject: Re: [DNSOP] Two Resurrected WG I-Ds: Don't Switch Resolvers & Auth DNS Mistakes
X-List-Received-Date: Thu, 21 Feb 2019 17:43:03 -0000

--0000000000003d386f05826b01bb
Content-Type: multipart/alternative; boundary="0000000000003d386b05826b01b9"

--0000000000003d386b05826b01b9
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Followup to DNSOP on a conversation the Chairs had.

I remembered Jason's earlier drafts, and him presenting, but not the
approvals, but senility is always a concern.   Luckily I seem to
be a hoarder of sorts.   Here is Jason's original presentation from IETF91
(Honolulu for those keeping score at home), but no
official adoption.

Tim

On Wed, Feb 20, 2019 at 9:54 AM Livingood, Jason <
Jason_Livingood@comcast.com> wrote:

> A few years ago I had somehow succeeded in getting WG adoption of 2
> documents that addressed some pet peeves I had as a recursive DNS operator.
> Things got busy and my attention wandered elsewhere and I did not advance
> them. Since these issues continue to haunt RDNS operators, I have decided
> to update these documents. The first says that DNSSEC errors (and other
> auth RR issues) are the operational responsibility of and must be solved by
> auth DNS admins. The second says that people should not change to
> non-validating resolvers when a DNSSEC failure occurs. Both are likely
> obvious to us in the WG, but not so much to anyone else. ;-)
>
> Just a week or so ago, Windows Update started to fail seemingly due to a
> bad delegation to a CDN from Microsoft and the TTL on the bad RR was
> long-ish (details are scant). So reporters and even Microsoft support
> started suggesting that people change their DNS resolvers. Only later did
> people figure out the problem was on Microsoft’s auth DNS end (see
> https://www.zdnet.com/article/windows-update-problems-fixed-now-but-heres-what-went-wrong-says-microsoft/
> and 1st story at
> https://www.zdnet.com/article/windows-10-updates-are-broken-again-but-this-time-its-not-microsofts-fault/).
> And we also see the issue of “DNSSEC validation failed, so switch to a
> non-validator” on a regular basis.
>
> So I just submitted these again / updated them. I have asked the WG chairs
> to let me know how they’d like me to proceed with them, but haven’t yet
> heard back. In the meantime, I’m happy to continue to once again take input
> and comment from the WG.
>
> https://datatracker.ietf.org/doc/draft-livingood-dnsop-dont-switch-resolvers/
>
> https://datatracker.ietf.org/doc/draft-livingood-dnsop-auth-dnssec-mistakes/
>
>
>
> Thanks!
> Jason
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>

--0000000000003d386b05826b01b9--

--0000000000003d386f05826b01bb
Content-Type: application/pdf; 
 name="5.ietf91-dnsop-livingood-negative-trust-anchors-v3.pdf"
Content-Disposition: attachment; 
 filename="5.ietf91-dnsop-livingood-negative-trust-anchors-v3.pdf"
Content-Transfer-Encoding: base64
Content-ID: <f_jsewc4n00>
X-Attachment-Id: f_jsewc4n00
--0000000000003d386f05826b01bb--


From nobody Thu Feb 21 11:05:08 2019
Return-Path: <marka@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E4174131108 for <dnsop@ietfa.amsl.com>; Thu, 21 Feb 2019 11:05:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.898
X-Spam-Level: 
X-Spam-Status: No, score=-6.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PST7-WlP96mD for <dnsop@ietfa.amsl.com>; Thu, 21 Feb 2019 11:05:05 -0800 (PST)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [IPv6:2001:4f8:0:2::2b]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EB058130E46 for <dnsop@ietf.org>; Thu, 21 Feb 2019 11:05:04 -0800 (PST)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.pao1.isc.org (Postfix) with ESMTPS id 2F2693AB041; Thu, 21 Feb 2019 19:05:04 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id CE9D2160073; Thu, 21 Feb 2019 19:05:03 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id ADAFB160072; Thu, 21 Feb 2019 19:05:03 +0000 (UTC)
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id U9WqR2VnaL6s; Thu, 21 Feb 2019 19:05:03 +0000 (UTC)
Received: from [172.30.42.88] (c27-253-115-14.carlnfd2.nsw.optusnet.com.au [27.253.115.14]) by zmx1.isc.org (Postfix) with ESMTPSA id 3BC6B160050; Thu, 21 Feb 2019 19:05:03 +0000 (UTC)
Content-Type: multipart/alternative; boundary=Apple-Mail-21E99C46-29B6-47F6-948C-732376CB9D04
Mime-Version: 1.0 (1.0)
From: Mark Andrews <marka@isc.org>
X-Mailer: iPhone Mail (16D57)
In-Reply-To: <382BAB3C-C127-46E1-B931-4717A33BD75A@fugue.com>
Date: Fri, 22 Feb 2019 06:05:01 +1100
Cc: Dick Franks <rwfranks@acm.org>, Tony Finch <dot@dotat.at>, dnsop <dnsop@ietf.org>, Paul Wouters <paul@nohats.ca>, Joe Abley <jabley@hopcount.ca>
Content-Transfer-Encoding: 7bit
Message-Id: <4BF142EA-B2FB-4B00-9940-8A70FFEE5F6C@isc.org>
References: <155053239541.25848.12960190085730298684.idtracker@ietfa.amsl.com> <969D8BA1-6ED3-47E8-AFFD-2BEE8EA3E66B@bangj.com> <alpine.DEB.2.20.1902191219070.766@grey.csi.cam.ac.uk> <0DE33073-93B1-4CF5-B12D-B7266E21E8B2@timwattenberg.de> <alpine.LRH.2.21.1902191715230.30381@bofh.nohats.ca> <1F461BFA-638A-4607-84BD-F8B8597A1114@isc.org> <alpine.LRH.2.21.1902200028210.29865@bofh.nohats.ca> <646C86F6-C10D-43DF-ADE8-19222994E4D1@hopcount.ca> <E41DDEED-DF50-481F-9378-D721C3612643@isc.org> <alpine.DEB.2.20.1902201928250.19193@grey.csi.cam.ac.uk> <9330E97B-76BF-4C6F-8F6F-01349A3E7427@isc.org> <alpine.DEB.2.20.1902211215480.19193@grey.csi.cam.ac.uk> <CAKW6Ri7u5uCwcXgDrovgpEnhZCpkGGDMrxLHxbFVNvnveUPwWA@mail.gmail.com> <382BAB3C-C127-46E1-B931-4717A33BD75A@fugue.com>
To: Ted Lemon <mellon@fugue.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/jC4gvRywLLkT_9QCnGgnO4xMF1Y>
Subject: Re: [DNSOP] New Version Notification for draft-pusateri-dnsop-update-timeout-01.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Feb 2019 19:05:07 -0000

--Apple-Mail-21E99C46-29B6-47F6-948C-732376CB9D04
Content-Type: text/plain;
	charset=utf-8
Content-Transfer-Encoding: quoted-printable

Hashes save space once the rdata is bigger than the hash.
-- 
Mark Andrews

> On 22 Feb 2019, at 02:12, Ted Lemon <mellon@fugue.com> wrote:
>
>> On Feb 21, 2019, at 6:11 AM, Dick Franks <rwfranks@acm.org> wrote:
>> A more radical approach would be to have just one hash per item per record.
>
> One way to make this document less complex yet just as useful would be to
> simply have a record that contains what is to be deleted, rather than a hash
> of what is to be deleted.   It’s not at all clear to me that there’s value in
> using the hash—to me it just seems to create uncertainty.
>

--Apple-Mail-21E99C46-29B6-47F6-948C-732376CB9D04--


From nobody Thu Feb 21 11:11:11 2019
Return-Path: <mellon@fugue.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4246513112C for <dnsop@ietfa.amsl.com>; Thu, 21 Feb 2019 11:11:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level: 
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fugue-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YgOUdY3lGQjQ for <dnsop@ietfa.amsl.com>; Thu, 21 Feb 2019 11:11:06 -0800 (PST)
Received: from mail-qk1-x72d.google.com (mail-qk1-x72d.google.com [IPv6:2607:f8b0:4864:20::72d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1720E131129 for <dnsop@ietf.org>; Thu, 21 Feb 2019 11:11:06 -0800 (PST)
Received: by mail-qk1-x72d.google.com with SMTP id x6so4932295qki.6 for <dnsop@ietf.org>; Thu, 21 Feb 2019 11:11:06 -0800 (PST)
X-Received: by 2002:a37:be84:: with SMTP id o126mr58000qkf.312.1550776265114;  Thu, 21 Feb 2019 11:11:05 -0800 (PST)
Received: from [10.0.200.1] (c-73-186-137-119.hsd1.ma.comcast.net. [73.186.137.119]) by smtp.gmail.com with ESMTPSA id m14sm983250qkk.45.2019.02.21.11.11.03 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 21 Feb 2019 11:11:04 -0800 (PST)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.2\))
From: Ted Lemon <mellon@fugue.com>
In-Reply-To: <4BF142EA-B2FB-4B00-9940-8A70FFEE5F6C@isc.org>
Date: Thu, 21 Feb 2019 11:11:01 -0800
Cc: Dick Franks <rwfranks@acm.org>, Tony Finch <dot@dotat.at>, dnsop <dnsop@ietf.org>, Paul Wouters <paul@nohats.ca>, Joe Abley <jabley@hopcount.ca>
Content-Transfer-Encoding: quoted-printable
Message-Id: <34BC472C-EF14-4872-BAC6-945AC18A7767@fugue.com>
References: <155053239541.25848.12960190085730298684.idtracker@ietfa.amsl.com> <969D8BA1-6ED3-47E8-AFFD-2BEE8EA3E66B@bangj.com> <alpine.DEB.2.20.1902191219070.766@grey.csi.cam.ac.uk> <0DE33073-93B1-4CF5-B12D-B7266E21E8B2@timwattenberg.de> <alpine.LRH.2.21.1902191715230.30381@bofh.nohats.ca> <1F461BFA-638A-4607-84BD-F8B8597A1114@isc.org> <alpine.LRH.2.21.1902200028210.29865@bofh.nohats.ca> <646C86F6-C10D-43DF-ADE8-19222994E4D1@hopcount.ca> <E41DDEED-DF50-481F-9378-D721C3612643@isc.org> <alpine.DEB.2.20.1902201928250.19193@grey.csi.cam.ac.uk> <9330E97B-76BF-4C6F-8F6F-01349A3E7427@isc.org> <alpine.DEB.2.20.1902211215480.19193@grey.csi.cam.ac.uk> <CAKW6Ri7u5uCwcXgDrovgpEnhZCpkGGDMrxLHxbFVNvnveUPwWA@mail.gmail.com> <382BAB3C-C127-46E1-B931-4717A33BD75A@fugue.com> <4BF142EA-B2FB-4B00-9940-8A70FFEE5F6C@isc.org>
To: Mark Andrews <marka@isc.org>
X-Mailer: Apple Mail (2.3445.104.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/vG7FHDXU2KqPAmiG-vU9ZY24q1I>
Subject: Re: [DNSOP] New Version Notification for draft-pusateri-dnsop-update-timeout-01.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Feb 2019 19:11:09 -0000

On Feb 21, 2019, at 11:05 AM, Mark Andrews <marka@isc.org> wrote:
> Hashes save space once the rdata is bigger than the hash.

Agreed, but why do we need to save space?  It would be possible to have
the data structure that stores the delete RR point to the RR that’s
to be deleted, so if on-disk or in-memory efficiency is really
important, this would address that.   In practice, though, this option
isn’t likely to be in use on servers, like large ISP caches,
where space is at a premium.   So this seems like a false economy.


From nobody Thu Feb 21 11:22:06 2019
Return-Path: <jinmei.tatuya@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 977181310D7 for <dnsop@ietfa.amsl.com>; Thu, 21 Feb 2019 11:22:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.9
X-Spam-Level: 
X-Spam-Status: No, score=-0.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.018, FREEMAIL_FROM=0.001, FROM_EXCESS_BASE64=0.979, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PReTtZHJGN3n for <dnsop@ietfa.amsl.com>; Thu, 21 Feb 2019 11:22:04 -0800 (PST)
Received: from mail-wr1-f44.google.com (mail-wr1-f44.google.com [209.85.221.44]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 101161277D2 for <dnsop@ietf.org>; Thu, 21 Feb 2019 11:22:04 -0800 (PST)
Received: by mail-wr1-f44.google.com with SMTP id c8so31875021wrs.4 for <dnsop@ietf.org>; Thu, 21 Feb 2019 11:22:03 -0800 (PST)
X-Received: by 2002:adf:edca:: with SMTP id v10mr44459wro.313.1550776922243; Thu, 21 Feb 2019 11:22:02 -0800 (PST)
MIME-Version: 1.0
References: <155053239541.25848.12960190085730298684.idtracker@ietfa.amsl.com> <969D8BA1-6ED3-47E8-AFFD-2BEE8EA3E66B@bangj.com> <alpine.DEB.2.20.1902191219070.766@grey.csi.cam.ac.uk> <0DE33073-93B1-4CF5-B12D-B7266E21E8B2@timwattenberg.de> <alpine.LRH.2.21.1902191715230.30381@bofh.nohats.ca> <1F461BFA-638A-4607-84BD-F8B8597A1114@isc.org> <alpine.LRH.2.21.1902200028210.29865@bofh.nohats.ca> <646C86F6-C10D-43DF-ADE8-19222994E4D1@hopcount.ca>
In-Reply-To: <646C86F6-C10D-43DF-ADE8-19222994E4D1@hopcount.ca>
From: =?UTF-8?B?56We5piO6YGU5ZOJ?= <jinmei@wide.ad.jp>
Date: Thu, 21 Feb 2019 11:21:50 -0800
Message-ID: <CAJE_bqd3cAqtv_FkvhuCC6jubzZLx9v5ud2WzrL9bQE+8tLB8w@mail.gmail.com>
To: Joe Abley <jabley@hopcount.ca>
Cc: Paul Wouters <paul@nohats.ca>, dnsop <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000938a7805826c6330"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/OJw9tXoqsVQZXF3u43GpWTBk-Yc>
Subject: Re: [DNSOP] Fwd: New Version Notification for draft-pusateri-dnsop-update-timeout-01.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Feb 2019 19:22:05 -0000

--000000000000938a7805826c6330
Content-Type: text/plain; charset="UTF-8"

At Wed, 20 Feb 2019 07:51:51 -0500,
Joe Abley <jabley@hopcount.ca> wrote:

> The crux of the use case seems to be that it is commonplace for names in
> the DNS to exist for short periods of time and that for some applications a
> name that overstays its welcome can cause an operational problem.
>
> While I can understand the philosophical desire to complete the UPDATE
> specification so that it is possible to engineer around this scenario, I
> don't see the practical application.

I happen to know there's a practical application related to this
proposal.  As Mark says not all DHCP servers behave politely; there
are servers that just add RRs via DDNS and forget them.  We could say
that it's a problem of poorly implemented DDNS clients, not something
that should be solved in the DNS protocol.  I wouldn't necessarily be
opposed to that view.  In fact, given the higher bar with the "camel"
test, I'm not yet really convinced about the need for a protocol-based
solution to this problem either.  But at least this is related to a
practical problem, not just a philosophical one.

--
JINMEI, Tatuya

--000000000000938a7805826c6330--


From nobody Thu Feb 21 11:24:49 2019
Return-Path: <marka@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6EABD131136 for <dnsop@ietfa.amsl.com>; Thu, 21 Feb 2019 11:24:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.9
X-Spam-Level: 
X-Spam-Status: No, score=-6.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rS7zQeFNnQV7 for <dnsop@ietfa.amsl.com>; Thu, 21 Feb 2019 11:24:46 -0800 (PST)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [IPv6:2001:4f8:0:2::2b]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3B25E131132 for <dnsop@ietf.org>; Thu, 21 Feb 2019 11:24:46 -0800 (PST)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.pao1.isc.org (Postfix) with ESMTPS id EDA503AB041; Thu, 21 Feb 2019 19:24:45 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id 87D6C160050; Thu, 21 Feb 2019 19:24:45 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id 665B4160072; Thu, 21 Feb 2019 19:24:45 +0000 (UTC)
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id 3y1mz6v5wLkE; Thu, 21 Feb 2019 19:24:45 +0000 (UTC)
Received: from [172.30.42.88] (c27-253-115-14.carlnfd2.nsw.optusnet.com.au [27.253.115.14]) by zmx1.isc.org (Postfix) with ESMTPSA id E96BD160050; Thu, 21 Feb 2019 19:24:44 +0000 (UTC)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (1.0)
From: Mark Andrews <marka@isc.org>
X-Mailer: iPhone Mail (16D57)
In-Reply-To: <34BC472C-EF14-4872-BAC6-945AC18A7767@fugue.com>
Date: Fri, 22 Feb 2019 06:24:43 +1100
Cc: Dick Franks <rwfranks@acm.org>, Tony Finch <dot@dotat.at>, dnsop <dnsop@ietf.org>, Paul Wouters <paul@nohats.ca>, Joe Abley <jabley@hopcount.ca>
Content-Transfer-Encoding: quoted-printable
Message-Id: <5B21B95D-55D6-4916-8D1B-C921AB9712AA@isc.org>
References: <155053239541.25848.12960190085730298684.idtracker@ietfa.amsl.com> <969D8BA1-6ED3-47E8-AFFD-2BEE8EA3E66B@bangj.com> <alpine.DEB.2.20.1902191219070.766@grey.csi.cam.ac.uk> <0DE33073-93B1-4CF5-B12D-B7266E21E8B2@timwattenberg.de> <alpine.LRH.2.21.1902191715230.30381@bofh.nohats.ca> <1F461BFA-638A-4607-84BD-F8B8597A1114@isc.org> <alpine.LRH.2.21.1902200028210.29865@bofh.nohats.ca> <646C86F6-C10D-43DF-ADE8-19222994E4D1@hopcount.ca> <E41DDEED-DF50-481F-9378-D721C3612643@isc.org> <alpine.DEB.2.20.1902201928250.19193@grey.csi.cam.ac.uk> <9330E97B-76BF-4C6F-8F6F-01349A3E7427@isc.org> <alpine.DEB.2.20.1902211215480.19193@grey.csi.cam.ac.uk> <CAKW6Ri7u5uCwcXgDrovgpEnhZCpkGGDMrxLHxbFVNvnveUPwWA@mail.gmail.com> <382BAB3C-C127-46E1-B931-4717A33BD75A@fugue.com> <4BF142EA-B2FB-4B00-9940-8A70FFEE5F6C@isc.org> <34BC472C-EF14-4872-BAC6-945AC18A7767@fugue.com>
To: Ted Lemon <mellon@fugue.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/-u1tmCegiGr-VzulwIEaLu47mFU>
Subject: Re: [DNSOP] New Version Notification for draft-pusateri-dnsop-update-timeout-01.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Feb 2019 19:24:47 -0000

Ted. It has to work post zone transfer.

Mark

-- 
Mark Andrews

> On 22 Feb 2019, at 06:11, Ted Lemon <mellon@fugue.com> wrote:
>
>> On Feb 21, 2019, at 11:05 AM, Mark Andrews <marka@isc.org> wrote:
>> Hashes save space once the rdata is bigger than the hash.
>
> Agreed, but why do we need to save space?  It would be possible to have
> the data structure that stores the delete RR point to the RR that’s to
> be deleted, so if on-disk or in-memory efficiency is really important, this
> would address that.   In practice, though, this option isn’t likely
> to be in use on servers, like large ISP caches, where space is at a premium.
>    So this seems like a false economy.
>


From nobody Thu Feb 21 11:34:13 2019
Return-Path: <marka@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 68B7213114A for <dnsop@ietfa.amsl.com>; Thu, 21 Feb 2019 11:34:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.898
X-Spam-Level: 
X-Spam-Status: No, score=-6.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jLUzxhLmIZtI for <dnsop@ietfa.amsl.com>; Thu, 21 Feb 2019 11:34:08 -0800 (PST)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [IPv6:2001:4f8:0:2::2b]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 48EA1131148 for <dnsop@ietf.org>; Thu, 21 Feb 2019 11:34:07 -0800 (PST)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.pao1.isc.org (Postfix) with ESMTPS id ED9573AB05B; Thu, 21 Feb 2019 19:34:06 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id B32FB160073; Thu, 21 Feb 2019 19:34:06 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id 9A112160072; Thu, 21 Feb 2019 19:34:06 +0000 (UTC)
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id GZsIar3JT8Np; Thu, 21 Feb 2019 19:34:06 +0000 (UTC)
Received: from [172.30.42.88] (c27-253-115-14.carlnfd2.nsw.optusnet.com.au [27.253.115.14]) by zmx1.isc.org (Postfix) with ESMTPSA id 0CA08160050; Thu, 21 Feb 2019 19:34:06 +0000 (UTC)
Content-Type: multipart/alternative; boundary=Apple-Mail-B948910D-045B-4365-8358-F9F74A6B0E1A
Mime-Version: 1.0 (1.0)
From: Mark Andrews <marka@isc.org>
X-Mailer: iPhone Mail (16D57)
In-Reply-To: <CAJE_bqd3cAqtv_FkvhuCC6jubzZLx9v5ud2WzrL9bQE+8tLB8w@mail.gmail.com>
Date: Fri, 22 Feb 2019 06:34:04 +1100
Cc: Joe Abley <jabley@hopcount.ca>, dnsop <dnsop@ietf.org>, Paul Wouters <paul@nohats.ca>
Content-Transfer-Encoding: 7bit
Message-Id: <FC8037A8-37E2-4457-A410-6CECBB709D49@isc.org>
References: <155053239541.25848.12960190085730298684.idtracker@ietfa.amsl.com> <969D8BA1-6ED3-47E8-AFFD-2BEE8EA3E66B@bangj.com> <alpine.DEB.2.20.1902191219070.766@grey.csi.cam.ac.uk> <0DE33073-93B1-4CF5-B12D-B7266E21E8B2@timwattenberg.de> <alpine.LRH.2.21.1902191715230.30381@bofh.nohats.ca> <1F461BFA-638A-4607-84BD-F8B8597A1114@isc.org> <alpine.LRH.2.21.1902200028210.29865@bofh.nohats.ca> <646C86F6-C10D-43DF-ADE8-19222994E4D1@hopcount.ca> <CAJE_bqd3cAqtv_FkvhuCC6jubzZLx9v5ud2WzrL9bQE+8tLB8w@mail.gmail.com>
To: =?utf-8?B?56We5piO6YGU5ZOJ?= <jinmei@wide.ad.jp>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Yp6NOLl_W49AkBc6Vf_OC-UEgyM>
Subject: Re: [DNSOP] Fwd: New Version Notification for draft-pusateri-dnsop-update-timeout-01.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Feb 2019 19:34:11 -0000

--Apple-Mail-B948910D-045B-4365-8358-F9F74A6B0E1A
Content-Type: text/plain;
	charset=utf-8
Content-Transfer-Encoding: quoted-printable

Machines die. Machines are unplugged.  Servers are unreachable at critical
times. Externally driven cleanup can never be reliable.

-- 
Mark Andrews

> On 22 Feb 2019, at 06:21, 神明達哉 <jinmei@wide.ad.jp> wrote:
>
> At Wed, 20 Feb 2019 07:51:51 -0500,
> Joe Abley <jabley@hopcount.ca> wrote:
>
> > The crux of the use case seems to be that it is commonplace for names in
> > the DNS to exist for short periods of time and that for some applications a
> > name that overstays its welcome can cause an operational problem.
> >
> > While I can understand the philosophical desire to complete the UPDATE
> > specification so that it is possible to engineer around this scenario, I
> > don't see the practical application.
>
> I happen to know there's a practical application related to this
> proposal.  As Mark says not all DHCP servers behave politely; there
> are servers that just add RRs via DDNS and forget them.  We could say
> that it's a problem of poorly implemented DDNS clients, not something
> that should be solved in the DNS protocol.  I wouldn't necessarily be
> opposed to that view.  In fact, given the higher bar with the "camel"
> test, I'm not yet really convinced about the need for a protocol-based
> solution to this problem either.  But at least this is related to a
> practical problem, not just a philosophical one.
>
> --
> JINMEI, Tatuya

--Apple-Mail-B948910D-045B-4365-8358-F9F74A6B0E1A--


From nobody Thu Feb 21 12:05:44 2019
Return-Path: <paul@redbarn.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A4017131166 for <dnsop@ietfa.amsl.com>; Thu, 21 Feb 2019 12:05:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id e4codm5NVYxs for <dnsop@ietfa.amsl.com>; Thu, 21 Feb 2019 12:05:42 -0800 (PST)
Received: from family.redbarn.org (family.redbarn.org [IPv6:2001:559:8000:cd::5]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1114B131163 for <dnsop@ietf.org>; Thu, 21 Feb 2019 12:05:42 -0800 (PST)
Received: from [IPv6:2001:559:0:134:dcb2:76ac:721c:fef7] (unknown [IPv6:2001:559:0:134:dcb2:76ac:721c:fef7]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client did not present a certificate) by family.redbarn.org (Postfix) with ESMTPSA id 88BAB892C6; Thu, 21 Feb 2019 20:05:39 +0000 (UTC)
To: Ted Lemon <mellon@fugue.com>
Cc: Mark Andrews <marka@isc.org>, Tony Finch <dot@dotat.at>, dnsop <dnsop@ietf.org>, Paul Wouters <paul@nohats.ca>, Joe Abley <jabley@hopcount.ca>, Dick Franks <rwfranks@acm.org>
References: <155053239541.25848.12960190085730298684.idtracker@ietfa.amsl.com> <969D8BA1-6ED3-47E8-AFFD-2BEE8EA3E66B@bangj.com> <alpine.DEB.2.20.1902191219070.766@grey.csi.cam.ac.uk> <0DE33073-93B1-4CF5-B12D-B7266E21E8B2@timwattenberg.de> <alpine.LRH.2.21.1902191715230.30381@bofh.nohats.ca> <1F461BFA-638A-4607-84BD-F8B8597A1114@isc.org> <alpine.LRH.2.21.1902200028210.29865@bofh.nohats.ca> <646C86F6-C10D-43DF-ADE8-19222994E4D1@hopcount.ca> <E41DDEED-DF50-481F-9378-D721C3612643@isc.org> <alpine.DEB.2.20.1902201928250.19193@grey.csi.cam.ac.uk> <9330E97B-76BF-4C6F-8F6F-01349A3E7427@isc.org> <alpine.DEB.2.20.1902211215480.19193@grey.csi.cam.ac.uk> <CAKW6Ri7u5uCwcXgDrovgpEnhZCpkGGDMrxLHxbFVNvnveUPwWA@mail.gmail.com> <382BAB3C-C127-46E1-B931-4717A33BD75A@fugue.com> <4BF142EA-B2FB-4B00-9940-8A70FFEE5F6C@isc.org> <34BC472C-EF14-4872-BAC6-945AC18A7767@fugue.com>
From: Paul Vixie <paul@redbarn.org>
Message-ID: <41e2dbc4-e303-03b5-8b77-aa23f8370e74@redbarn.org>
Date: Thu, 21 Feb 2019 12:05:35 -0800
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 PostboxApp/6.1.10
MIME-Version: 1.0
In-Reply-To: <34BC472C-EF14-4872-BAC6-945AC18A7767@fugue.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/kJSvk53WECiVju_0y7wVGDuqSN4>
Subject: Re: [DNSOP] New Version Notification for draft-pusateri-dnsop-update-timeout-01.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Feb 2019 20:05:44 -0000

Ted Lemon wrote on 2019-02-21 11:11:
> On Feb 21, 2019, at 11:05 AM, Mark Andrews <marka@isc.org> wrote:
>> Hashes save space once the rdata is bigger than the hash.
> 
> Agreed, but why do we need to save space?  It would be possible to
> have the data structure that stores the delete RR point to the RR
> that’s to be deleted, so if on-disk or in-memory efficiency is really
> important, this would address that.   In practice, though, this
> option isn’t likely to be in use on servers, like large ISP caches,
> where space is at a premium.   So this seems like a false economy.

+1. again, this is how DEFUPD worked in 1996, and for this reason.

-- 
P Vixie


From nobody Thu Feb 21 13:03:02 2019
Return-Path: <mellon@fugue.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A0D631311D1 for <dnsop@ietfa.amsl.com>; Thu, 21 Feb 2019 13:03:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fugue-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nMxTzx4Pp1y9 for <dnsop@ietfa.amsl.com>; Thu, 21 Feb 2019 13:02:59 -0800 (PST)
Received: from mail-pl1-x634.google.com (mail-pl1-x634.google.com [IPv6:2607:f8b0:4864:20::634]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0F9F9130E6E for <dnsop@ietf.org>; Thu, 21 Feb 2019 13:02:59 -0800 (PST)
Received: by mail-pl1-x634.google.com with SMTP id p19so8597plo.2 for <dnsop@ietf.org>; Thu, 21 Feb 2019 13:02:59 -0800 (PST)
X-Received: by 2002:a17:902:780a:: with SMTP id p10mr582320pll.54.1550782978507;  Thu, 21 Feb 2019 13:02:58 -0800 (PST)
Received: from [17.230.171.123] ([17.230.171.123]) by smtp.gmail.com with ESMTPSA id w65sm30089503pfb.23.2019.02.21.13.02.57 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 21 Feb 2019 13:02:57 -0800 (PST)
From: Ted Lemon <mellon@fugue.com>
Message-Id: <75CA917D-1A6C-4717-934C-965570DC51C0@fugue.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_6A48B024-E112-48D6-8AB6-3093F278D7D0"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.2\))
Date: Thu, 21 Feb 2019 13:02:56 -0800
In-Reply-To: <5B21B95D-55D6-4916-8D1B-C921AB9712AA@isc.org>
Cc: Dick Franks <rwfranks@acm.org>, Tony Finch <dot@dotat.at>, dnsop <dnsop@ietf.org>, Paul Wouters <paul@nohats.ca>, Joe Abley <jabley@hopcount.ca>
To: Mark Andrews <marka@isc.org>
References: <155053239541.25848.12960190085730298684.idtracker@ietfa.amsl.com> <969D8BA1-6ED3-47E8-AFFD-2BEE8EA3E66B@bangj.com> <alpine.DEB.2.20.1902191219070.766@grey.csi.cam.ac.uk> <0DE33073-93B1-4CF5-B12D-B7266E21E8B2@timwattenberg.de> <alpine.LRH.2.21.1902191715230.30381@bofh.nohats.ca> <1F461BFA-638A-4607-84BD-F8B8597A1114@isc.org> <alpine.LRH.2.21.1902200028210.29865@bofh.nohats.ca> <646C86F6-C10D-43DF-ADE8-19222994E4D1@hopcount.ca> <E41DDEED-DF50-481F-9378-D721C3612643@isc.org> <alpine.DEB.2.20.1902201928250.19193@grey.csi.cam.ac.uk> <9330E97B-76BF-4C6F-8F6F-01349A3E7427@isc.org> <alpine.DEB.2.20.1902211215480.19193@grey.csi.cam.ac.uk> <CAKW6Ri7u5uCwcXgDrovgpEnhZCpkGGDMrxLHxbFVNvnveUPwWA@mail.gmail.com> <382BAB3C-C127-46E1-B931-4717A33BD75A@fugue.com> <4BF142EA-B2FB-4B00-9940-8A70FFEE5F6C@isc.org> <34BC472C-EF14-4872-BAC6-945AC18A7767@fugue.com> <5B21B95D-55D6-4916-8D1B-C921AB9712AA@isc.org>
X-Mailer: Apple Mail (2.3445.104.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/G8rO7RmF_gqEgHYjlKrkbmsTEQ8>
Subject: Re: [DNSOP] New Version Notification for draft-pusateri-dnsop-update-timeout-01.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Feb 2019 21:03:01 -0000

--Apple-Mail=_6A48B024-E112-48D6-8AB6-3093F278D7D0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8

On Feb 21, 2019, at 11:24 AM, Mark Andrews <marka@isc.org> wrote:
> Ted. It has to work post zone transfer.

That’s not a problem, since the representation would be more compact,
but would not be lossy: the interchange through the zone transfer would
be the same regardless of how the data is stored.


--Apple-Mail=_6A48B024-E112-48D6-8AB6-3093F278D7D0--


From nobody Thu Feb 21 14:24:43 2019
Return-Path: <marka@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 044B2131246 for <dnsop@ietfa.amsl.com>; Thu, 21 Feb 2019 14:24:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.9
X-Spam-Level: 
X-Spam-Status: No, score=-6.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hR1BOajRvL8P for <dnsop@ietfa.amsl.com>; Thu, 21 Feb 2019 14:24:40 -0800 (PST)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [149.20.64.53]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 64B7E12D4E7 for <dnsop@ietf.org>; Thu, 21 Feb 2019 14:24:40 -0800 (PST)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.pao1.isc.org (Postfix) with ESMTPS id D75553AB043; Thu, 21 Feb 2019 22:24:39 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id 72772160050; Thu, 21 Feb 2019 22:24:39 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id 483B7160073; Thu, 21 Feb 2019 22:24:39 +0000 (UTC)
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id 1b37H4nXzyMb; Thu, 21 Feb 2019 22:24:39 +0000 (UTC)
Received: from [172.30.42.67] (c27-253-115-14.carlnfd2.nsw.optusnet.com.au [27.253.115.14]) by zmx1.isc.org (Postfix) with ESMTPSA id CD873160050; Thu, 21 Feb 2019 22:24:37 +0000 (UTC)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
From: Mark Andrews <marka@isc.org>
In-Reply-To: <75CA917D-1A6C-4717-934C-965570DC51C0@fugue.com>
Date: Fri, 22 Feb 2019 09:24:35 +1100
Cc: Dick Franks <rwfranks@acm.org>, Tony Finch <dot@dotat.at>, dnsop <dnsop@ietf.org>, Paul Wouters <paul@nohats.ca>, Joe Abley <jabley@hopcount.ca>
Content-Transfer-Encoding: quoted-printable
Message-Id: <597BB37C-3111-437D-A646-0F6D7A22B86A@isc.org>
References: <155053239541.25848.12960190085730298684.idtracker@ietfa.amsl.com> <969D8BA1-6ED3-47E8-AFFD-2BEE8EA3E66B@bangj.com> <alpine.DEB.2.20.1902191219070.766@grey.csi.cam.ac.uk> <0DE33073-93B1-4CF5-B12D-B7266E21E8B2@timwattenberg.de> <alpine.LRH.2.21.1902191715230.30381@bofh.nohats.ca> <1F461BFA-638A-4607-84BD-F8B8597A1114@isc.org> <alpine.LRH.2.21.1902200028210.29865@bofh.nohats.ca> <646C86F6-C10D-43DF-ADE8-19222994E4D1@hopcount.ca> <E41DDEED-DF50-481F-9378-D721C3612643@isc.org> <alpine.DEB.2.20.1902201928250.19193@grey.csi.cam.ac.uk> <9330E97B-76BF-4C6F-8F6F-01349A3E7427@isc.org> <alpine.DEB.2.20.1902211215480.19193@grey.csi.cam.ac.uk> <CAKW6Ri7u5uCwcXgDrovgpEnhZCpkGGDMrxLHxbFVNvnveUPwWA@mail.gmail.com> <382BAB3C-C127-46E1-B931-4717A33BD75A@fugue.com> <4BF142EA-B2FB-4B00-9940-8A70FFEE5F6C@isc.org> <34BC472C-EF14-4872-BAC6-945AC18A7767@fugue.com> <5B21B95D-55D6-4916-8D1B-C921AB9712AA@isc.org> <75CA917D-1A6C-4717-934C-965570DC51C0@fugue.com>
To: Ted Lemon <mellon@fugue.com>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/boa8_8AHz_BNaalY5TqOQcQwQow>
Subject: Re: [DNSOP] New Version Notification for draft-pusateri-dnsop-update-timeout-01.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Feb 2019 22:24:42 -0000

> On 22 Feb 2019, at 8:02 am, Ted Lemon <mellon@fugue.com> wrote:
>
> On Feb 21, 2019, at 11:24 AM, Mark Andrews <marka@isc.org> wrote:
>> Ted. It has to work post zone transfer.
>
> That’s not a problem, since the representation would be more compact,
> but would not be lossy: the interchange through the zone transfer
> would be the same regardless of how the data is stored.

Implementation details are beyond the scope of RFCs.

Also you mentioned caches which basically will never see these records
unless they are queried for.

Yes, there is a minuscule probability of a hash collision.  The
alternative is to define a type for rdlen + rdata in canonical DNSSEC
form. The primary server can use/replace a hash when the rdata + length
is longer than the hash, checking for collisions first.  If such a type
is defined I would give it the value 1 and make the first actual hash 2.

Additionally in section 4.5 Cryptographic Hashes

"Any names contained in a resource record MUST be hashed in an
uncompressed form."

needs to be replaced with

"The record MUST be in canonical DNSSEC form ([RFC4034] Section 6)."

The latter works with primary servers that don’t preserve case when
transferring zones.
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka@isc.org
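
Added example, not part of this thread or of the draft: it shows why hashing names in uncompressed form alone is not stable across a zone transfer from a primary that does not preserve case, while canonical DNSSEC form (RFC 4034 Section 6) is, and how the "literal when shorter than the hash" choice with a collision check could look. Assumptions: SHA-256 as the hash, RDLENGTH plus RDATA as the hashed input, and the host names and SRV values, which are constructed.

```python
import hashlib
import struct

# Representation type values follow the numbering suggested in the message
# above (1 = literal rdlen + rdata, 2 = first hash). Using SHA-256 as that
# first hash is an assumption made for this example.
REP_LITERAL = 1
REP_HASH = 2
HASH = hashlib.sha256


def name_to_wire(name, canonical):
    """Encode a domain name as uncompressed wire format.

    canonical=True lowercases ASCII letters as RFC 4034 Section 6.2 requires;
    canonical=False keeps whatever case the sender used. Backslash escapes
    from presentation format are not handled in this example.
    """
    if name in ("", "."):
        return b"\x00"
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("label length out of range: %r" % label)
        out.append(len(raw))
        out += raw.lower() if canonical else raw
    out.append(0)  # root label
    if len(out) > 255:
        raise ValueError("name longer than 255 octets")
    return bytes(out)


def srv_rdata(priority, weight, port, target, canonical):
    """SRV RDATA: three 16-bit fields followed by the target name."""
    head = struct.pack("!HHH", priority, weight, port)
    return head + name_to_wire(target, canonical)


def literal(rdata):
    """RDLENGTH followed by RDATA, the input that gets stored or hashed."""
    return struct.pack("!H", len(rdata)) + rdata


def record_digest(rdata):
    """Digest over RDLENGTH + RDATA (assumed hash input)."""
    return HASH(literal(rdata)).digest()


def represent(rdata, known):
    """Pick the stored form of one record.

    known maps digest -> literal for records already tracked at the same
    owner name, type and class, so a colliding digest is detected before use.
    """
    lit = literal(rdata)
    if len(lit) <= HASH().digest_size:
        return REP_LITERAL, lit      # the hash would not save space
    digest = HASH(lit).digest()
    if known.get(digest, lit) != lit:
        return REP_LITERAL, lit      # collision: fall back to the literal
    known[digest] = lit
    return REP_HASH, digest


# Constructed sample: the same SRV record as the updater sent it, and as a
# primary that does not preserve case might hand it to a secondary.
SENT = (0, 0, 631, "Printer-1.Building-7.Example.COM.")
TRANSFERRED = (0, 0, 631, "printer-1.building-7.example.com.")


def digests_match(canonical):
    """True if both spellings of the record produce the same digest."""
    a = record_digest(srv_rdata(*SENT, canonical=canonical))
    b = record_digest(srv_rdata(*TRANSFERRED, canonical=canonical))
    return a == b


if __name__ == "__main__":
    print("uncompressed only:", digests_match(False))
    print("canonical form:   ", digests_match(True))
```
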


From nobody Thu Feb 21 14:53:01 2019
Return-Path: <jabley@hopcount.ca>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5931B131288 for <dnsop@ietfa.amsl.com>; Thu, 21 Feb 2019 14:52:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level: 
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=hopcount.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KCHf51801NYU for <dnsop@ietfa.amsl.com>; Thu, 21 Feb 2019 14:52:57 -0800 (PST)
Received: from mail-it1-x134.google.com (mail-it1-x134.google.com [IPv6:2607:f8b0:4864:20::134]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 231EA1312AC for <dnsop@ietf.org>; Thu, 21 Feb 2019 14:52:57 -0800 (PST)
Received: by mail-it1-x134.google.com with SMTP id l66so465521itg.3 for <dnsop@ietf.org>; Thu, 21 Feb 2019 14:52:57 -0800 (PST)
X-Received: by 2002:a02:4f1c:: with SMTP id c28mr645507jab.112.1550789576152;  Thu, 21 Feb 2019 14:52:56 -0800 (PST)
Received: from ?IPv6:2607:f2c0:101:3:fd79:3639:7779:cf32? ([2607:f2c0:101:3:fd79:3639:7779:cf32]) by smtp.gmail.com with ESMTPSA id h8sm116396ith.2.2019.02.21.14.52.54 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 21 Feb 2019 14:52:54 -0800 (PST)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
From: Joe Abley <jabley@hopcount.ca>
In-Reply-To: <FC8037A8-37E2-4457-A410-6CECBB709D49@isc.org>
Date: Thu, 21 Feb 2019 17:52:50 -0500
Cc: =?utf-8?B?56We5piO6YGU5ZOJ?= <jinmei@wide.ad.jp>, dnsop <dnsop@ietf.org>,  Paul Wouters <paul@nohats.ca>
Content-Transfer-Encoding: quoted-printable
Message-Id: <7B435A7E-0418-4451-AC12-6ED21F8FCCD2@hopcount.ca>
References: <155053239541.25848.12960190085730298684.idtracker@ietfa.amsl.com> <969D8BA1-6ED3-47E8-AFFD-2BEE8EA3E66B@bangj.com> <alpine.DEB.2.20.1902191219070.766@grey.csi.cam.ac.uk> <0DE33073-93B1-4CF5-B12D-B7266E21E8B2@timwattenberg.de> <alpine.LRH.2.21.1902191715230.30381@bofh.nohats.ca> <1F461BFA-638A-4607-84BD-F8B8597A1114@isc.org> <alpine.LRH.2.21.1902200028210.29865@bofh.nohats.ca> <646C86F6-C10D-43DF-ADE8-19222994E4D1@hopcount.ca> <CAJE_bqd3cAqtv_FkvhuCC6jubzZLx9v5ud2WzrL9bQE+8tLB8w@mail.gmail.com> <FC8037A8-37E2-4457-A410-6CECBB709D49@isc.org>
To: Mark Andrews <marka@isc.org>
X-Mailer: Apple Mail (2.3445.102.3)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/v26W8U7Px0P3ZJI9uHJpfEBJ7BA>
Subject: Re: [DNSOP] Fwd: New Version Notification for draft-pusateri-dnsop-update-timeout-01.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Feb 2019 22:52:59 -0000

On 21 Feb 2019, at 14:34, Mark Andrews <marka@isc.org> wrote:

> Machines die. Machines are unplugged.  Servers are unreachable at
> critical times. Externally driven cleanup can never be reliable.

I'm not disputing any of that. I guess my first question was first
whether cleanup is necessary, and second (assuming it is) whether
cleanup can't just be handled as an implementation detail as opposed to
a protocol extension.

If the master server that receives UPDATEs matching particular names
could be configured to remove them after a suitable interval, wouldn't
that do the trick? Slave servers would get new copies of the zones
concerned following the updates in the normal manner. Zone propagation
is pretty swift with NOTIFY. The master could apply policy based on
criteria like owner name pattern matching or source of the update.
Garbage collection might not happen with the kind of split-second
accuracy that I sense this mechanism's proponents are suggesting, but
does it need to? Don't we believe that applications that expect more
than loose coherence from the DNS are broken?

I hear and acknowledge there is a desire for this kind of functionality
(i.e. I believe you that it's necessary) but I'm still not clear on what
need there is for interoperability (and hence standardisation). Every
DNS implementation contains its own special features that are not
standardised and that don't need to be. Couldn't this be another one?

I remain open to the idea that I am just missing the point because I
don't spend enough time in enterprise or campus networks. I think I'm
possibly not the only one in that boat, though, and I don't think it's
unreasonable for the draft to explore its applicability and explain
clearly why standardisation or in-zone signalling (hence RRs) is
necessary as a prerequisite to standardisation. As I mentioned before,
the bar for experimental is surely much lower, and the bar for simple
codepoint assignment lower still.


Joe


From nobody Thu Feb 21 15:22:23 2019
Return-Path: <mellon@fugue.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1D4F812D4F0 for <dnsop@ietfa.amsl.com>; Thu, 21 Feb 2019 15:22:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fugue-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7ppvMWPLkqG9 for <dnsop@ietfa.amsl.com>; Thu, 21 Feb 2019 15:22:19 -0800 (PST)
Received: from mail-pl1-x632.google.com (mail-pl1-x632.google.com [IPv6:2607:f8b0:4864:20::632]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 90BDB12D4ED for <dnsop@ietf.org>; Thu, 21 Feb 2019 15:22:19 -0800 (PST)
Received: by mail-pl1-x632.google.com with SMTP id q3so167091pll.4 for <dnsop@ietf.org>; Thu, 21 Feb 2019 15:22:19 -0800 (PST)
X-Received: by 2002:a17:902:449:: with SMTP id 67mr1073880ple.310.1550791338760;  Thu, 21 Feb 2019 15:22:18 -0800 (PST)
Received: from [17.230.171.123] ([17.230.171.123]) by smtp.gmail.com with ESMTPSA id r131sm121526pgr.65.2019.02.21.15.22.17 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 21 Feb 2019 15:22:17 -0800 (PST)
From: Ted Lemon <mellon@fugue.com>
Message-Id: <5F056D5B-60F1-4A34-A339-9FF3C02E2518@fugue.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_74B27F5D-4BC5-4AE9-A373-70F0C38114C1"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.2\))
Date: Thu, 21 Feb 2019 15:22:16 -0800
In-Reply-To: <7B435A7E-0418-4451-AC12-6ED21F8FCCD2@hopcount.ca>
Cc: Mark Andrews <marka@isc.org>, dnsop <dnsop@ietf.org>, Paul Wouters <paul@nohats.ca>
To: Joe Abley <jabley@hopcount.ca>
References: <155053239541.25848.12960190085730298684.idtracker@ietfa.amsl.com> <969D8BA1-6ED3-47E8-AFFD-2BEE8EA3E66B@bangj.com> <alpine.DEB.2.20.1902191219070.766@grey.csi.cam.ac.uk> <0DE33073-93B1-4CF5-B12D-B7266E21E8B2@timwattenberg.de> <alpine.LRH.2.21.1902191715230.30381@bofh.nohats.ca> <1F461BFA-638A-4607-84BD-F8B8597A1114@isc.org> <alpine.LRH.2.21.1902200028210.29865@bofh.nohats.ca> <646C86F6-C10D-43DF-ADE8-19222994E4D1@hopcount.ca> <CAJE_bqd3cAqtv_FkvhuCC6jubzZLx9v5ud2WzrL9bQE+8tLB8w@mail.gmail.com> <FC8037A8-37E2-4457-A410-6CECBB709D49@isc.org> <7B435A7E-0418-4451-AC12-6ED21F8FCCD2@hopcount.ca>
X-Mailer: Apple Mail (2.3445.104.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/JskmLwzGM42DxTSkiL-LnHRu5b4>
Subject: Re: [DNSOP] Fwd: New Version Notification for draft-pusateri-dnsop-update-timeout-01.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Feb 2019 23:22:22 -0000

--Apple-Mail=_74B27F5D-4BC5-4AE9-A373-70F0C38114C1
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8

On Feb 21, 2019, at 2:52 PM, Joe Abley <jabley@hopcount.ca> wrote:
> The master could apply policy based on criteria like owner name
> pattern matching or source of the update. Garbage collection might not
> happen with the kind of split-second accuracy that I sense this
> mechanism's proponents are suggesting, but does it need to? Don't we
> believe that applications that expect more than loose coherence from
> the DNS are broken?

The impression that you are working from here seems to be that what is
being designed is a hacky kludge that would go well with heuristics like
this.   But what is actually being worked on here is a system that is
not a hacky kludge, and that does not have leaks, and does not rely on
clever heuristics to approximate good behavior.   Please read the
service registration protocol document I mentioned in a previous message
(draft-ietf-dnssd-srp).

Granted, I am not convinced that the document we are discussing is the
right solution to the problem, but it’s an actual solution to the
problem, not a hacky kludge, and that’s definitely a good thing.


--Apple-Mail=_74B27F5D-4BC5-4AE9-A373-70F0C38114C1--


From nobody Thu Feb 21 15:22:57 2019
Return-Path: <marka@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0D4FD1312A9 for <dnsop@ietfa.amsl.com>; Thu, 21 Feb 2019 15:22:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.9
X-Spam-Level: 
X-Spam-Status: No, score=-6.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DJprVODSaVP8 for <dnsop@ietfa.amsl.com>; Thu, 21 Feb 2019 15:22:37 -0800 (PST)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [149.20.64.53]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1AC5D1312E9 for <dnsop@ietf.org>; Thu, 21 Feb 2019 15:22:37 -0800 (PST)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.pao1.isc.org (Postfix) with ESMTPS id A6D073AB05E; Thu, 21 Feb 2019 23:22:36 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id 6FAB1160074; Thu, 21 Feb 2019 23:22:36 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id 41294160073; Thu, 21 Feb 2019 23:22:36 +0000 (UTC)
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id iVbfBUMfPp6g; Thu, 21 Feb 2019 23:22:36 +0000 (UTC)
Received: from [172.30.42.67] (c27-253-115-14.carlnfd2.nsw.optusnet.com.au [27.253.115.14]) by zmx1.isc.org (Postfix) with ESMTPSA id 3AE8D160050; Thu, 21 Feb 2019 23:22:35 +0000 (UTC)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
From: Mark Andrews <marka@isc.org>
In-Reply-To: <7B435A7E-0418-4451-AC12-6ED21F8FCCD2@hopcount.ca>
Date: Fri, 22 Feb 2019 10:22:32 +1100
Cc: =?utf-8?B?56We5piO6YGU5ZOJ?= <jinmei@wide.ad.jp>, dnsop <dnsop@ietf.org>,  Paul Wouters <paul@nohats.ca>
Content-Transfer-Encoding: quoted-printable
Message-Id: <89BFB2B7-3804-46D7-8D25-D3595CABC827@isc.org>
References: <155053239541.25848.12960190085730298684.idtracker@ietfa.amsl.com> <969D8BA1-6ED3-47E8-AFFD-2BEE8EA3E66B@bangj.com> <alpine.DEB.2.20.1902191219070.766@grey.csi.cam.ac.uk> <0DE33073-93B1-4CF5-B12D-B7266E21E8B2@timwattenberg.de> <alpine.LRH.2.21.1902191715230.30381@bofh.nohats.ca> <1F461BFA-638A-4607-84BD-F8B8597A1114@isc.org> <alpine.LRH.2.21.1902200028210.29865@bofh.nohats.ca> <646C86F6-C10D-43DF-ADE8-19222994E4D1@hopcount.ca> <CAJE_bqd3cAqtv_FkvhuCC6jubzZLx9v5ud2WzrL9bQE+8tLB8w@mail.gmail.com> <FC8037A8-37E2-4457-A410-6CECBB709D49@isc.org> <7B435A7E-0418-4451-AC12-6ED21F8FCCD2@hopcount.ca>
To: Joe Abley <jabley@hopcount.ca>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/CDX5zA9b718rl6ZbsD5qjT_x_2g>
Subject: Re: [DNSOP] Fwd: New Version Notification for draft-pusateri-dnsop-update-timeout-01.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Feb 2019 23:22:43 -0000

> On 22 Feb 2019, at 9:52 am, Joe Abley <jabley@hopcount.ca> wrote:
>
> On 21 Feb 2019, at 14:34, Mark Andrews <marka@isc.org> wrote:
>
>> Machines die. Machines are unplugged.  Servers are unreachable at critical times. Externally driven cleanup can never be reliable.
>
> I'm not disputing any of that. I guess my first question was first whether cleanup is necessary, and second (assuming it is) whether cleanup can't just be handled as an implementation detail as opposed to a protocol extension.
>
> If the master server that receives UPDATEs matching particular names could be configured to remove them after a suitable interval, wouldn't that do the trick?

No.  How do you make “permanent” changes to the zone using UPDATE?

> Slave servers would get new copies of the zones concerned following the updates in the normal manner. Zone propagation is pretty swift with NOTIFY. The master could apply policy based on criteria like owner name pattern matching or source of the update. Garbage collection might not happen with the kind of split-second accuracy that I sense this mechanism's proponents are suggesting, but does it need to? Don't we believe that applications that expect more than loose coherence from the DNS are broken?

Nothing in this draft changes loose coherence.  Everything is done by the master.  The slave has the data so it has the state to become the master when the machine that was the master dies.

> I hear and acknowledge there is a desire for this kind of functionality (i.e. I believe you that it's necessary) but I'm still not clear on what need there is for interoperability (and hence standardisation). Every DNS implementation contains their own special features that are not standardised and that don't need to be. Couldn't this be another one?

No.  There are plenty of our customers that want features to work cross platform.  They also want to be able to switch to a different code base when there is a security issue in another one.  They also want things to work as well as possible for disaster recovery.  Having the GC information in a vendor neutral form achieves these objectives.

There are plenty of customers where all the slaves are transferring data from two masters all the time.  Those masters are from different vendors with transfers flowing from whichever is currently configured as the ultimate master between them.  They may also be configured to transfer from all of the slaves as well.  If the current master dies / is taken out of service the backup master will get the newest copy of the zone that has made it to any of the other servers within minutes.  It can then be reconfigured as the active master and continue straight away.  Throwing proprietary GC into this does not work.

> I remain open to the idea that I am just missing the point because I don't spend enough time in enterprise or campus networks. I think I'm possibly not the only one in that boat, though, and I don't think it's unreasonable for the draft to explore its applicability and explain clearly why standardisation or in-zone signalling (hence RRs) is necessary as a prerequisite to standardisation. As I mentioned before, the bar for experimental is surely much lower, and the bar for simple codepoint assignment lower still.

What are the terms of the experiment if you want experimental?  What are you wanting to discover?  That the protocol works?

> Joe

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka@isc.org


From nobody Thu Feb 21 15:29:14 2019
Return-Path: <mellon@fugue.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F350E131294 for <dnsop@ietfa.amsl.com>; Thu, 21 Feb 2019 15:29:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fugue-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bR4zgfBbk03K for <dnsop@ietfa.amsl.com>; Thu, 21 Feb 2019 15:29:05 -0800 (PST)
Received: from mail-pf1-x42e.google.com (mail-pf1-x42e.google.com [IPv6:2607:f8b0:4864:20::42e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7ADBD130ECE for <dnsop@ietf.org>; Thu, 21 Feb 2019 15:29:05 -0800 (PST)
Received: by mail-pf1-x42e.google.com with SMTP id i20so170530pfo.6 for <dnsop@ietf.org>; Thu, 21 Feb 2019 15:29:05 -0800 (PST)
X-Received: by 2002:a62:2e46:: with SMTP id u67mr1040638pfu.3.1550791744880; Thu, 21 Feb 2019 15:29:04 -0800 (PST)
Received: from [17.230.171.123] ([17.230.171.123]) by smtp.gmail.com with ESMTPSA id e9sm190652pfh.42.2019.02.21.15.29.03 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 21 Feb 2019 15:29:04 -0800 (PST)
From: Ted Lemon <mellon@fugue.com>
Message-Id: <81039A96-9CAB-4EC5-8142-7FD5976A01FE@fugue.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_3F792578-A9A9-4BBA-93A1-A7BDCE8706E1"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.2\))
Date: Thu, 21 Feb 2019 15:29:02 -0800
In-Reply-To: <597BB37C-3111-437D-A646-0F6D7A22B86A@isc.org>
Cc: Dick Franks <rwfranks@acm.org>, Tony Finch <dot@dotat.at>, dnsop <dnsop@ietf.org>, Paul Wouters <paul@nohats.ca>, Joe Abley <jabley@hopcount.ca>
To: Mark Andrews <marka@isc.org>
References: <155053239541.25848.12960190085730298684.idtracker@ietfa.amsl.com> <969D8BA1-6ED3-47E8-AFFD-2BEE8EA3E66B@bangj.com> <alpine.DEB.2.20.1902191219070.766@grey.csi.cam.ac.uk> <0DE33073-93B1-4CF5-B12D-B7266E21E8B2@timwattenberg.de> <alpine.LRH.2.21.1902191715230.30381@bofh.nohats.ca> <1F461BFA-638A-4607-84BD-F8B8597A1114@isc.org> <alpine.LRH.2.21.1902200028210.29865@bofh.nohats.ca> <646C86F6-C10D-43DF-ADE8-19222994E4D1@hopcount.ca> <E41DDEED-DF50-481F-9378-D721C3612643@isc.org> <alpine.DEB.2.20.1902201928250.19193@grey.csi.cam.ac.uk> <9330E97B-76BF-4C6F-8F6F-01349A3E7427@isc.org> <alpine.DEB.2.20.1902211215480.19193@grey.csi.cam.ac.uk> <CAKW6Ri7u5uCwcXgDrovgpEnhZCpkGGDMrxLHxbFVNvnveUPwWA@mail.gmail.com> <382BAB3C-C127-46E1-B931-4717A33BD75A@fugue.com> <4BF142EA-B2FB-4B00-9940-8A70FFEE5F6C@isc.org> <34BC472C-EF14-4872-BAC6-945AC18A7767@fugue.com> <5B21B95D-55D6-4916-8D1B-C921AB9712AA@isc.org> <75CA917D-1A6C-4717-934C-965570DC51C0@fugue.com> <597BB37C-3111-437D-A646-0F6D7A22B86A@isc.org>
X-Mailer: Apple Mail (2.3445.104.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/tNwH_7ZvQSHIgQi1XGRSSy99-yA>
Subject: Re: [DNSOP] New Version Notification for draft-pusateri-dnsop-update-timeout-01.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Feb 2019 23:29:07 -0000

--Apple-Mail=_3F792578-A9A9-4BBA-93A1-A7BDCE8706E1
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8

On Feb 21, 2019, at 2:24 PM, Mark Andrews <marka@isc.org> wrote:
> Implementation details are beyond the scope of RFCs.

Indeed they are.  My point is that if you want to be careful of memory usage or disk usage, you can be—there is no need to use a hash.  In essence, requiring us to use a hash is specifying an implementation detail that needn’t be specified: you can in fact implement this using a hash, although I wouldn’t.  It would be nice if I were not required to implement it that way, since I think that’s not actually going to work reliably.

> Also you mentioned caches which basically will never see these records unless they are queried for.

I mentioned caches because they are by far the biggest consumers of resources—authoritative name servers have much smaller memory footprints.  I assume the reason you think using hashes is a good idea and not a premature optimization is because you’ve done a lot of work with caching name servers, and are seeing this discussion through that lens.  That’s the wrong lens to be seeing it through.  This is only relevant for authoritative name servers, and in that case, storing the whole RR-to-be-deleted is fine.


--Apple-Mail=_3F792578-A9A9-4BBA-93A1-A7BDCE8706E1--


From nobody Fri Feb 22 00:19:40 2019
Return-Path: <pusateri@bangj.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 37262126D00 for <dnsop@ietfa.amsl.com>; Fri, 22 Feb 2019 00:19:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gebj0CrqWT7W for <dnsop@ietfa.amsl.com>; Fri, 22 Feb 2019 00:19:36 -0800 (PST)
Received: from oj.bangj.com (69-77-154-174.static.skybest.com [69.77.154.174]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6E2DA127287 for <dnsop@ietf.org>; Fri, 22 Feb 2019 00:19:36 -0800 (PST)
Received: from [10.10.56.118] (unknown [72.235.180.155]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by oj.bangj.com (Postfix) with ESMTPSA id 222762826F; Fri, 22 Feb 2019 03:19:33 -0500 (EST)
From: Tom Pusateri <pusateri@bangj.com>
Message-Id: <90229901-37B4-4E03-B9FF-7505860E56BF@bangj.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_7C2F004E-EB31-4D51-AE30-49A0720611CC"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
Date: Thu, 21 Feb 2019 22:19:30 -1000
In-Reply-To: <81039A96-9CAB-4EC5-8142-7FD5976A01FE@fugue.com>
Cc: Mark Andrews <marka@isc.org>, Tony Finch <dot@dotat.at>, dnsop <dnsop@ietf.org>, Paul Wouters <paul@nohats.ca>, Joe Abley <jabley@hopcount.ca>, Dick Franks <rwfranks@acm.org>
To: Ted Lemon <mellon@fugue.com>
References: <155053239541.25848.12960190085730298684.idtracker@ietfa.amsl.com> <969D8BA1-6ED3-47E8-AFFD-2BEE8EA3E66B@bangj.com> <alpine.DEB.2.20.1902191219070.766@grey.csi.cam.ac.uk> <0DE33073-93B1-4CF5-B12D-B7266E21E8B2@timwattenberg.de> <alpine.LRH.2.21.1902191715230.30381@bofh.nohats.ca> <1F461BFA-638A-4607-84BD-F8B8597A1114@isc.org> <alpine.LRH.2.21.1902200028210.29865@bofh.nohats.ca> <646C86F6-C10D-43DF-ADE8-19222994E4D1@hopcount.ca> <E41DDEED-DF50-481F-9378-D721C3612643@isc.org> <alpine.DEB.2.20.1902201928250.19193@grey.csi.cam.ac.uk> <9330E97B-76BF-4C6F-8F6F-01349A3E7427@isc.org> <alpine.DEB.2.20.1902211215480.19193@grey.csi.cam.ac.uk> <CAKW6Ri7u5uCwcXgDrovgpEnhZCpkGGDMrxLHxbFVNvnveUPwWA@mail.gmail.com> <382BAB3C-C127-46E1-B931-4717A33BD75A@fugue.com> <4BF142EA-B2FB-4B00-9940-8A70FFEE5F6C@isc.org> <34BC472C-EF14-4872-BAC6-945AC18A7767@fugue.com> <5B21B95D-55D6-4916-8D1B-C921AB9712AA@isc.org> <75CA917D-1A6C-4717-934C-965570DC51C0@fugue.com> <597BB37C-3111-437D-A646-0F6D7A22B86A@isc.org> <81039A96-9CAB-4EC5-8142-7FD5976A01FE@fugue.com>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/MOn6FgsjANyr6FR9JbW79h8HyMI>
Subject: Re: [DNSOP] New Version Notification for draft-pusateri-dnsop-update-timeout-01.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Feb 2019 08:19:39 -0000

--Apple-Mail=_7C2F004E-EB31-4D51-AE30-49A0720611CC
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8

> On Feb 21, 2019, at 1:29 PM, Ted Lemon <mellon@fugue.com> wrote:
>
> On Feb 21, 2019, at 2:24 PM, Mark Andrews <marka@isc.org> wrote:
>> Implementation details are beyond the scope of RFCs.
>
> Indeed they are.  My point is that if you want to be careful of memory usage or disk usage, you can be—there is no need to use a hash.  In essence, requiring us to use a hash is specifying an implementation detail that needn’t be specified: you can in fact implement this using a hash, although I wouldn’t.  It would be nice if I were not required to implement it that way, since I think that’s not actually going to work reliably.
>
>> Also you mentioned caches which basically will never see these records unless they are queried for.
>
> I mentioned caches because they are by far the biggest consumers of resources—authoritative name servers have much smaller memory footprints.  I assume the reason you think using hashes is a good idea and not a premature optimization is because you’ve done a lot of work with caching name servers, and are seeing this discussion through that lens.  That’s the wrong lens to be seeing it through.  This is only relevant for authoritative name servers, and in that case, storing the whole RR-to-be-deleted is fine.
>

I’ve been mostly listening and learning from this discussion which has been great. Thanks for all the input. Let me summarize what I’m hearing and we will open issues to adjust the document.

1. We need a motivational section to explain the purpose better.

2. The HASH was my idea to simplify the records by making them all the same. It appears that simplicity in this form was not noticed or not appreciated. :)

3. The HASH algorithm selection was intended to work long term. It was my hope that there would only ever be one algorithm and there would never exist the case when one implementation supported an algorithm that another implementation did not. The HASH algorithm index was only intended to be used if a vulnerability was found in the ONE selected algorithm and it needed to be replaced. In this case, the old algorithm would be deprecated and everyone would switch to a new single algorithm. I am strongly opposed to having more than one HASH algorithm defined. Not being a security expert and not being able to find any papers proving that I could take an existing algorithm like SHA-256 that was 32 bytes and shorten it to 16 bytes using the first 16 bytes or the last 16 bytes or 16 bytes in the middle, I opted to select an algorithm that was already 16 bytes and proven to have terrific non-collision properties. Since some of the RDATA can be very short (A records), there are cases when there’s not a lot of data from which to base the hash value on. This was another reason to start with a hash like SHAKE128. But from the sounds of it, people prefer SHA-256 and so I will research this more to see about its applicability in this case (if a hash is even needed anymore).

4. We are open to using RDATA instead of a hash. Or we can define RDATA as an algorithm index as Mark suggested and define a hash as another algorithm (now or later if it ever becomes a problem). By adding the record type to the TIMEOUT instance, we have eliminated most uses of the hash already and only in rare cases will it be needed so including large RDATA in the TIMEOUT record should be rare.

5. Storing the TIMEOUT information as resource records seemed like a convenient way to use an existing database to store timeout information across restarts and to synchronize with secondaries. It can certainly be stored in a proprietary database by each authoritative server vendor but allowing them to interoperate seemed like a feature and when they each already have a database that holds resource records, why create another database type? But if the consensus is that the TIMEOUT info shouldn’t be stored in the existing resource record database but instead authoritative servers should create a new database for this info, then that is fine. This document itself can TIMEOUT. :)

Thanks,
Tom

--Apple-Mail=_7C2F004E-EB31-4D51-AE30-49A0720611CC--
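
An added illustration, not part of any message in this thread and not code from draft-pusateri-dnsop-update-timeout: it compares the three ways discussed above of naming the record a timeout applies to (full RDATA, SHA-256 cut to 16 bytes, SHAKE128 with 16-byte output) in a toy zone whose timeout state travels with the zone data. The Zone class, its method names and the sample records are assumptions made for the example; the draft's actual TIMEOUT record layout is not modelled.

```python
import copy
import hashlib
import ipaddress

DIGEST_LEN = 16  # the 16-byte digest size discussed in the thread

# Candidate identifiers for "the record this timeout applies to".
IDENTIFIERS = {
    "rdata": lambda rdata: rdata,
    "sha256-truncated": lambda rdata: hashlib.sha256(rdata).digest()[:DIGEST_LEN],
    "shake128": lambda rdata: hashlib.shake_128(rdata).digest(DIGEST_LEN),
}

# Constructed sample records (wire-format RDATA), not taken from the thread.
LEASE_A = ipaddress.ip_address("192.0.2.10").packed   # added with a timeout
STATIC_A = ipaddress.ip_address("192.0.2.20").packed  # permanent
LONG_TXT = bytes([200]) + b"x" * 200                  # one 200-byte character-string


class Zone:
    """Toy authoritative zone: (owner, rrtype) -> set of wire-format RDATA.

    Timeout entries are kept next to the records, so anything that copies
    the zone (for example a secondary) also copies the clean-up state.
    """

    def __init__(self, scheme):
        self.identify = IDENTIFIERS[scheme]
        self.rrsets = {}
        self.timeouts = []  # (expiry, owner, rrtype, identifier)

    def add(self, owner, rrtype, rdata, expiry=None):
        """Add a record; expiry=None marks it as permanent."""
        self.rrsets.setdefault((owner, rrtype), set()).add(rdata)
        if expiry is not None:
            self.timeouts.append((expiry, owner, rrtype, self.identify(rdata)))

    def collect(self, now):
        """Remove records whose timeout has passed; return what was removed."""
        removed, pending = [], []
        for expiry, owner, rrtype, ident in self.timeouts:
            if expiry > now:
                pending.append((expiry, owner, rrtype, ident))
                continue
            rrset = self.rrsets.get((owner, rrtype), set())
            # Only the record named by the identifier goes; other members of
            # the same RRset (such as permanent ones) are left alone.
            for rdata in [r for r in rrset if self.identify(r) == ident]:
                rrset.discard(rdata)
                removed.append((owner, rrtype, rdata))
            if not rrset:
                self.rrsets.pop((owner, rrtype), None)
        self.timeouts = pending
        return removed


def identifier_sizes(rdata):
    """Bytes needed to name one record under each scheme."""
    return {name: len(fn(rdata)) for name, fn in IDENTIFIERS.items()}


def demo(scheme):
    """Primary takes the updates; a copy of the zone later does the clean-up."""
    primary = Zone(scheme)
    primary.add("host.example.", "A", LEASE_A, expiry=100)
    primary.add("host.example.", "A", STATIC_A)
    primary.add("host.example.", "TXT", LONG_TXT, expiry=500)
    backup = copy.deepcopy(primary)  # stands in for a zone transfer
    removed = backup.collect(now=200)
    return backup, removed


if __name__ == "__main__":
    for scheme in IDENTIFIERS:
        zone, removed = demo(scheme)
        print(scheme, "removed", len(removed), "record(s);",
              "A identifier bytes:", identifier_sizes(LEASE_A)[scheme],
              "TXT identifier bytes:", identifier_sizes(LONG_TXT)[scheme])
```

For the 4-byte A record either digest is four times the size of the RDATA it stands for; only for the 201-byte TXT record does a digest save space.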


From nobody Fri Feb 22 00:53:14 2019
Return-Path: <pusateri@bangj.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 10CED126D00 for <dnsop@ietfa.amsl.com>; Fri, 22 Feb 2019 00:53:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EMcLT_HpsWpW for <dnsop@ietfa.amsl.com>; Fri, 22 Feb 2019 00:53:09 -0800 (PST)
Received: from oj.bangj.com (69-77-154-174.static.skybest.com [69.77.154.174]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CFB611277CC for <dnsop@ietf.org>; Fri, 22 Feb 2019 00:53:08 -0800 (PST)
Received: from [10.10.56.118] (unknown [72.235.180.155]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by oj.bangj.com (Postfix) with ESMTPSA id 1CF962827A; Fri, 22 Feb 2019 03:53:05 -0500 (EST)
From: Tom Pusateri <pusateri@bangj.com>
Message-Id: <B0096C78-E4BE-4337-A4AC-08838E4533AF@bangj.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_C076391E-F207-4E15-9EF9-114746272B53"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
Date: Thu, 21 Feb 2019 22:53:03 -1000
In-Reply-To: <90229901-37B4-4E03-B9FF-7505860E56BF@bangj.com>
Cc: Tony Finch <dot@dotat.at>, dnsop <dnsop@ietf.org>, Dick Franks <rwfranks@acm.org>, Paul Wouters <paul@nohats.ca>, Joe Abley <jabley@hopcount.ca>
To: Ted Lemon <mellon@fugue.com>
References: <155053239541.25848.12960190085730298684.idtracker@ietfa.amsl.com> <969D8BA1-6ED3-47E8-AFFD-2BEE8EA3E66B@bangj.com> <alpine.DEB.2.20.1902191219070.766@grey.csi.cam.ac.uk> <0DE33073-93B1-4CF5-B12D-B7266E21E8B2@timwattenberg.de> <alpine.LRH.2.21.1902191715230.30381@bofh.nohats.ca> <1F461BFA-638A-4607-84BD-F8B8597A1114@isc.org> <alpine.LRH.2.21.1902200028210.29865@bofh.nohats.ca> <646C86F6-C10D-43DF-ADE8-19222994E4D1@hopcount.ca> <E41DDEED-DF50-481F-9378-D721C3612643@isc.org> <alpine.DEB.2.20.1902201928250.19193@grey.csi.cam.ac.uk> <9330E97B-76BF-4C6F-8F6F-01349A3E7427@isc.org> <alpine.DEB.2.20.1902211215480.19193@grey.csi.cam.ac.uk> <CAKW6Ri7u5uCwcXgDrovgpEnhZCpkGGDMrxLHxbFVNvnveUPwWA@mail.gmail.com> <382BAB3C-C127-46E1-B931-4717A33BD75A@fugue.com> <4BF142EA-B2FB-4B00-9940-8A70FFEE5F6C@isc.org> <34BC472C-EF14-4872-BAC6-945AC18A7767@fugue.com> <5B21B95D-55D6-4916-8D1B-C921AB9712AA@isc.org> <75CA917D-1A6C-4717-934C-965570DC51C0@fugue.com> <597BB37C-3111-437D-A646-0F6D7A22B86A@isc.org> <81039A96-9CAB-4EC5-8142-7FD5976A01FE@fugue.com> <90229901-37B4-4E03-B9FF-7505860E56BF@bangj.com>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/dLL-j-gykm-1KnCper_ayv8YmUA>
Subject: Re: [DNSOP] New Version Notification for draft-pusateri-dnsop-update-timeout-01.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Feb 2019 08:53:12 -0000

--Apple-Mail=_C076391E-F207-4E15-9EF9-114746272B53
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8



> On Feb 21, 2019, at 10:19 PM, Tom Pusateri <pusateri@bangj.com> wrote:
>
>> On Feb 21, 2019, at 1:29 PM, Ted Lemon <mellon@fugue.com> wrote:
>>
>> On Feb 21, 2019, at 2:24 PM, Mark Andrews <marka@isc.org> wrote:
>>> Implementation details are beyond the scope of RFCs.
>>
>> Indeed they are.  My point is that if you want to be careful of
>> memory usage or disk usage, you can be—there is no need to use a
>> hash.  In essence, requiring us to use a hash is specifying an
>> implementation detail that needn’t be specified: you can in fact
>> implement this using a hash, although I wouldn’t.  It would be
>> nice if I were not required to implement it that way, since I think
>> that’s not actually going to work reliably.
>>
>>> Also you mentioned caches which basically will never see these
>>> records unless they are queried for.
>>
>> I mentioned caches because they are by far the biggest consumers of
>> resources—authoritative name servers have much smaller memory
>> footprints.  I assume the reason you think using hashes is a good
>> idea and not a premature optimization is because you’ve done a lot
>> of work with caching name servers, and are seeing this discussion
>> through that lens.  That’s the wrong lens to be seeing it through.
>> This is only relevant for authoritative name servers, and in that
>> case, storing the whole RR-to-be-deleted is fine.
>>
>
> I’ve been mostly listening and learning from this discussion which
> has been great. Thanks for all the input. Let me summarize what I’m
> hearing and we will open issues to adjust the document.
>
> 1. We need a motivational section to explain the purpose better
>
> 2. The HASH was my idea to simplify the records by making them all
> the same. It appears that simplicity in this form was not noticed or
> not appreciated. :)
>
> 3. The HASH algorithm selection was intended to work long term. It
> was my hope that there would only ever be one algorithm and there
> would never exist the case when one implementation supported an
> algorithm that another implementation did not. The HASH algorithm
> index was only intended to be used if a vulnerability was found in
> the ONE selected algorithm and it needed replaced. In this case, the
> old algorithm would be deprecated and everyone would switch to a new
> single algorithm. I am strongly opposed to having more than one HASH
> algorithm defined. Not being a security expert and not being able to
> find any papers proving that I could take an existing algorithm like
> SHA-256 that was 32 bytes and shorten it to 16 bytes using the first
> 16 bytes or the last 16 bytes or 16 bytes in the middle, I opted to
> select an algorithm that was already 16 bytes and proven to have
> terrific non-collision properties. Since some of the RDATA can be
> very short (A records), there are cases when there’s not a lot of
> data from which to base the hash value on. This was another reason to
> start with a hash like SHAKE128. But from the sounds of it, people
> prefer SHA-256 and so I will research this more to see about its
> applicability in this case (if a hash is even needed anymore).
>
> 4. We are open to using RDATA instead of a hash. Or we can define
> RDATA as an algorithm index as Mark suggested and define a hash as
> another algorithm (now or later if it ever becomes a problem). By
> adding the record type to the TIMEOUT instance, we have eliminated
> most uses of the hash already and only in rare cases will it be
> needed so including large RDATA in the TIMEOUT record should be rare.
>
> 5. Storing the TIMEOUT information as resource records seemed like a
> convenient way to use an existing database to store timeout
> information across restarts and to synchronize with secondaries. It
> can certainly be stored in a proprietary database by each
> authoritative server vendor but allowing them to interoperate seemed
> like a feature and when they each already have a database that holds
> resource records, why create another database type? But if the
> consensus is that the TIMEOUT info shouldn’t be stored in the
> existing resource record database but instead authoritative servers
> should create a new database for this info, then that is fine. This
> document itself can TIMEOUT. :)
>

Forgot these:

6. As far as the time format, we were simply following the
recommendations of RFC 3339 for presentation. But if DNS has its own
format preferences and the IESG is ok with this, so are we. Following
RFC 3339 is a SHOULD, therefore, there must be exceptions allowed but
I’m not aware of the rules here.

7. As far as the timestamp as a 64-bit number, this is the current
recommendation as well (and what is returned by gettimeofday()). So
every authoritative server is having to modify the output and do more
work to transform it into RFC 1982 serial number arithmetic now. But,
again, we are flexible and as long as the IESG will approve it, we can
do it the old way.

8. Mark said: "The record MUST be in canonical DNSSEC form ([RFC4034]
Section 6)". I will update Section 4.5 to reflect this.

Tom




--Apple-Mail=_C076391E-F207-4E15-9EF9-114746272B53--
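
Added example, not part of the original message or of the draft it discusses: items 3 and 8 above turn on reducing a record's RDATA to a 16-byte digest and on putting the record in canonical DNSSEC form before doing so. The Python below assumes the digest is taken over the RDATA wire form alone (the thread does not give the draft's exact hash input); `rdata_wire`, `match_records` and the sample records are constructed for illustration.

```python
import hashlib
import ipaddress


def name_to_wire(name, canonical=True):
    """Encode a domain name as uncompressed wire-format labels.

    With canonical=True, ASCII letters are lowercased, as RFC 4034
    section 6.2 requires for names embedded in RDATA of types such as
    NS, CNAME and PTR.
    """
    if canonical:
        name = name.lower()
    name = name.rstrip(".")
    if not name:                      # the root name
        return b"\x00"
    out = bytearray()
    for label in name.split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError("bad label length in %r" % name)
        out.append(len(raw))
        out += raw
    out.append(0)
    if len(out) > 255:
        raise ValueError("name too long: %r" % name)
    return bytes(out)


def rdata_wire(rrtype, text, canonical=True):
    """Wire-format RDATA for the few record types this example covers."""
    if rrtype == "A":
        return ipaddress.IPv4Address(text).packed      # always 4 bytes
    if rrtype == "AAAA":
        return ipaddress.IPv6Address(text).packed      # always 16 bytes
    if rrtype in ("PTR", "CNAME", "NS"):
        return name_to_wire(text, canonical)
    raise ValueError("type %s not handled in this example" % rrtype)


def shake128_16(rdata):
    """SHAKE128 with the output length fixed at 16 bytes."""
    return hashlib.shake_128(rdata).digest(16)


def sha256_first16(rdata):
    """SHA-256 truncated to its leftmost 16 bytes (the truncation
    convention NIST SP 800-107 describes)."""
    return hashlib.sha256(rdata).digest()[:16]


def match_records(rrset, digest, hash_fn=shake128_16, canonical=True):
    """Return the (type, text) records whose RDATA digest equals `digest`.

    Assumption: this is how a server would find the record a stored
    digest refers to; it is not taken from the draft.
    """
    return [(t, v) for t, v in rrset
            if hash_fn(rdata_wire(t, v, canonical)) == digest]


# Constructed sample data: the zone holds a mixed-case PTR target, while
# the digest was computed by the updater over the canonical form.
PTR_RRSET = [("PTR", "Printer.Example.COM."),
             ("PTR", "scanner.example.com.")]
STORED = shake128_16(rdata_wire("PTR", "printer.example.com."))

if __name__ == "__main__":
    a = rdata_wire("A", "192.0.2.1")
    print("A RDATA is", len(a), "bytes; digest is", len(shake128_16(a)))
    print("SHAKE128/16   :", shake128_16(a).hex())
    print("SHA-256[:16]  :", sha256_first16(a).hex())
    print("canonical match    :", match_records(PTR_RRSET, STORED))
    print("non-canonical match:",
          match_records(PTR_RRSET, STORED, canonical=False))
```

Without the canonical-form step the stored digest matches nothing in the zone, which is the failure that the MUST quoted in item 8 rules out.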


From nobody Fri Feb 22 07:03:11 2019
Return-Path: <paul@nohats.ca>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 88C9A12F19D for <dnsop@ietfa.amsl.com>; Fri, 22 Feb 2019 07:03:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level: 
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9,  DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id in0irZl6V0jA for <dnsop@ietfa.amsl.com>; Fri, 22 Feb 2019 07:03:08 -0800 (PST)
Received: from mx.nohats.ca (mx.nohats.ca [193.110.157.68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6A21612941A for <dnsop@ietf.org>; Fri, 22 Feb 2019 07:03:08 -0800 (PST)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 445ZMr4wk6zJhw; Fri, 22 Feb 2019 16:03:04 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1550847784; bh=UMu5QpuZX2ngrZLyaCNL46T0Y7aWMwTY0w/QG7mv2CY=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=n9VY7h5odGfC0UIUC1C2BLFX89pAWQGQmc8TRYjGSkdwvM/VYc/n+KnFQ2JKko+qC Oa4N8SyWYXsqmmyNDBn9hMTg7blc815ce1opALSJL+wfkYcMpmbOXz7WZIVt4+KCOS 65Kz65RjxiBh2djtM3NIz1VSmuOD1JqMg7649Iqk=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id umixOyv0KUCi; Fri, 22 Feb 2019 16:03:03 +0100 (CET)
Received: from bofh.nohats.ca (bofh.nohats.ca [76.10.157.69]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Fri, 22 Feb 2019 16:03:03 +0100 (CET)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id CDD6B379D; Fri, 22 Feb 2019 10:03:02 -0500 (EST)
DKIM-Filter: OpenDKIM Filter v2.11.0 bofh.nohats.ca CDD6B379D
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id C1BC340D358A; Fri, 22 Feb 2019 10:03:02 -0500 (EST)
Date: Fri, 22 Feb 2019 10:03:02 -0500 (EST)
From: Paul Wouters <paul@nohats.ca>
To: Alexander Mayrhofer <alex.mayrhofer.ietf@gmail.com>
cc: din@irtf.org, IETF DNSOP WG <dnsop@ietf.org>
In-Reply-To: <CAHXf=0qgxxRdVm6wwA6xs=5vVjEvFL5G9YLmxhqT9RZKn95uwg@mail.gmail.com>
Message-ID: <alpine.LRH.2.21.1902221000140.32276@bofh.nohats.ca>
References: <154963392249.31188.16873618915255886209.idtracker@ietfa.amsl.com> <CAHXf=0r0DqC_XHw-2=h4ZkH5SgjzTjPMuML3GjxtQbe6so3=vw@mail.gmail.com> <20190215093714.t23ulbslbg52t2dp@nic.fr> <alpine.LRH.2.21.1902151339410.28436@bofh.nohats.ca> <CAHXf=0qgxxRdVm6wwA6xs=5vVjEvFL5G9YLmxhqT9RZKn95uwg@mail.gmail.com>
User-Agent: Alpine 2.21 (LRH 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII; format=flowed
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/LzNKkvLS3_n3cw7xsmhjnnG2-UA>
Subject: Re: [DNSOP] [Din] Fwd: New Version Notification for draft-mayrhofer-did-dns-01.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Feb 2019 15:03:10 -0000

On Mon, 18 Feb 2019, Alexander Mayrhofer wrote:

> On Fri, Feb 15, 2019 at 7:47 PM Paul Wouters <paul@nohats.ca> wrote:
>> I think this document should be Experimental and not Standards Track?
>
> I was torn when i did the first revision of this. I think it depends
> on the stability of Decentralized Identifiers themselves. Once that
> schema becomes widely used, i think any protocol that connects the DNS
> and DIDs should be Standards Track. But i leave that up to "higher
> forces" as soon as i find a suitable "home WG" for that.

My idea was that if this is an IRTF document, not a DNSOP document, that
it cannot be standards track? But I might be wrong about this.

> Agreed. I've considered replacing the "instruction diff" to OpenPGP
> with a full description in the document itself.

that would be better, but with an informative reference so indeed people
know this is the "common way" of doing this and not custom to this
document.


> Yep, introduces a zone cut. Then again, i'm not sure what (if we
> introduce that schema above) the semantics of a record right under
> _did would be.. Or would that be disallowed?

I would avoid putting something there directly, yes.

> So, would you be interested to discuss this in Prague?

Sure. I will also be in Prague the week before at NetDev.

Paul


From nobody Fri Feb 22 08:07:07 2019
Return-Path: <matt.larson@icann.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F18F3130E8C for <dnsop@ietfa.amsl.com>; Fri, 22 Feb 2019 08:07:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OykZyr8G3zbi for <dnsop@ietfa.amsl.com>; Fri, 22 Feb 2019 08:07:02 -0800 (PST)
Received: from out.east.pexch112.icann.org (out.east.pexch112.icann.org [162.216.194.7]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3C222130EA1 for <dnsop@ietf.org>; Fri, 22 Feb 2019 08:07:01 -0800 (PST)
Received: from PMBX112-E1-VA-2.pexch112.icann.org (162.216.194.26) by PMBX112-E1-VA-1.pexch112.icann.org (162.216.194.24) with Microsoft SMTP Server (TLS) id 15.0.1367.3; Fri, 22 Feb 2019 11:06:58 -0500
Received: from PMBX112-E1-VA-2.pexch112.icann.org ([162.216.194.26]) by PMBX112-E1-VA-2.pexch112.icann.org ([169.254.2.124]) with mapi id 15.00.1367.000; Fri, 22 Feb 2019 08:06:57 -0800
From: Matt Larson <matt.larson@icann.org>
To: dnsop <dnsop@ietf.org>
Thread-Topic: ICANN DNS Symposium 2019 solicitation of presentation proposals 
Thread-Index: AQHUysii71jSKUT8sEyHWxIvco16lQ==
Date: Fri, 22 Feb 2019 16:06:57 +0000
Message-ID: <9C3BF608-B689-4721-A449-3B31D644F119@icann.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator: 
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [192.0.47.234]
Content-Type: multipart/related; boundary="_004_9C3BF608B6894721A4493B31D644F119icannorg_"; type="multipart/alternative"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/kNMXuXHho1w29ziUN4tJ5pievG0>
Subject: [DNSOP] ICANN DNS Symposium 2019 solicitation of presentation proposals
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Feb 2019 16:07:05 -0000

--_004_9C3BF608B6894721A4493B31D644F119icannorg_
Content-Type: multipart/alternative;
 boundary="_000_9C3BF608B6894721A4493B31D644F119icannorg_"

--_000_9C3BF608B6894721A4493B31D644F119icannorg_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
--_000_9C3BF608B6894721A4493B31D644F119icannorg_--

--_004_9C3BF608B6894721A4493B31D644F119icannorg_--


From nobody Fri Feb 22 08:30:58 2019
Return-Path: <paul@redbarn.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B2EE812F1A2 for <dnsop@ietfa.amsl.com>; Fri, 22 Feb 2019 08:30:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level: 
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yFg62hIR_wTf for <dnsop@ietfa.amsl.com>; Fri, 22 Feb 2019 08:30:55 -0800 (PST)
Received: from family.redbarn.org (family.redbarn.org [24.104.150.213]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E965D130ECF for <dnsop@ietf.org>; Fri, 22 Feb 2019 08:30:54 -0800 (PST)
Received: from [IPv6:2001:559:8000:c9:acc5:b2e1:7fe6:ba4] (unknown [IPv6:2001:559:8000:c9:acc5:b2e1:7fe6:ba4]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client did not present a certificate) by family.redbarn.org (Postfix) with ESMTPSA id 40ADD892C6 for <dnsop@ietf.org>; Fri, 22 Feb 2019 16:30:54 +0000 (UTC)
To: dnsop <dnsop@ietf.org>
References: <9C3BF608-B689-4721-A449-3B31D644F119@icann.org>
From: Paul Vixie <paul@redbarn.org>
Message-ID: <5769aec8-418a-4cf2-e73e-4a2bc4cc14f9@redbarn.org>
Date: Fri, 22 Feb 2019 08:30:52 -0800
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 PostboxApp/6.1.10
MIME-Version: 1.0
In-Reply-To: <9C3BF608-B689-4721-A449-3B31D644F119@icann.org>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/nZj1zNDyhFZrMm4aeIvH5fajVzY>
Subject: Re: [DNSOP] ICANN DNS Symposium 2019 solicitation of presentation proposals
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Feb 2019 16:30:57 -0000

noting matt larson's note this morning as follows...

Matt Larson wrote on 2019-02-22 08:06:
> Dear colleagues,
> 
> Please permit me to call your attention to my earlier announcement 
> (included below) of the ICANN DNS Symposium on 10-11 May 2019 in 
> Bangkok, Thailand. In particular, I'd like to reiterate our request for 
> proposals for this year's theme, "Understanding the Security, Stability 
> and Resiliency of the Domain Name System". Please send a one-paragraph 
> description of your proposed topic to ids-proposals@icann.org 
> <mailto:ids-proposals@icann.org> by Friday, 8 March 2019. We will reply 
> by 15 March 2019 and publish a preliminary agenda shortly thereafter.
> 
> Thanks, and hope to see you in Bangkok.
> 
> Matt Larson
> VP of Research
> ICANN Office of the CTO

...i have submitted two talks, and i hope to see many of you there.

vixie

re:

> 
> 
>> On Jan 18, 2019, at 4:16 PM, Matt Larson <matt.larson@icann.org 
>> <mailto:matt.larson@icann.org>> wrote:
>>
>>
>>
>> Dear colleagues,
>>
>> ICANN's Office of the CTO is pleased to announce that the third ICANN 
>> DNS Symposium (IDS 2019) will be held 10-11 May 2019 in Bangkok, 
>> Thailand. IDS 2019 is co-locating with the fifth GDD Industry Summit 
>> (6-9 May 2019), the Registration Operations Workshop - ROW (9 May 
>> 2019) and the OARC 30 Workshop (12-13 May 2019).
>>
>> The theme for IDS 2019 is: "Understanding the Security, Stability and 
>> Resiliency of the Domain Name System".
>>
>> IDS 2019 will comprise two days of presentations and panels focusing 
>> on emerging technologies, protocols and other issues that may affect 
>> the security, stability, or resiliency (SSR) of the Domain Name 
>> System. We invite members of research, academic, and operational 
>> communities to present experiences, data, or ideas related to the DNS 
>> as viewed through an SSR lens. Specific topics of interest are 
>> measurement and detection of activities that may impact the SSR of the 
>> DNS, as well as prevention of DNS abuse.
>>
>> We are soliciting proposals for presentations. Please send a 
>> one-paragraph description of your proposed topic to 
>> ids-proposals@icann.org <mailto:ids-proposals@icann.org> by Friday, 8 
>> March 2019. We will reply by 15 March 2019 and publish a preliminary 
>> agenda shortly thereafter.
>>
>> For more information, including schedule and venue information, please 
>> visit https://www.icann.org/ids.
>>
>> Thank you and we hope to see you there.
>>
>> Matt Larson
>> VP of Research
>> ICANN Office of the CTO
>>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
> 


-- 
P Vixie


From nobody Fri Feb 22 19:50:25 2019
Return-Path: <tjw.ietf@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2BCDD130EE8 for <dnsop@ietfa.amsl.com>; Fri, 22 Feb 2019 19:50:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level: 
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ui-UntSVjRkd for <dnsop@ietfa.amsl.com>; Fri, 22 Feb 2019 19:50:22 -0800 (PST)
Received: from mail-io1-xd29.google.com (mail-io1-xd29.google.com [IPv6:2607:f8b0:4864:20::d29]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D3185130E30 for <dnsop@ietf.org>; Fri, 22 Feb 2019 19:50:21 -0800 (PST)
Received: by mail-io1-xd29.google.com with SMTP id y6so3432739ioq.10 for <dnsop@ietf.org>; Fri, 22 Feb 2019 19:50:21 -0800 (PST)
X-Received: by 2002:a5d:859a:: with SMTP id f26mr4227405ioj.150.1550893820772;  Fri, 22 Feb 2019 19:50:20 -0800 (PST)
MIME-Version: 1.0
From: Tim Wicinski <tjw.ietf@gmail.com>
Date: Fri, 22 Feb 2019 22:50:12 -0500
Message-ID: <CADyWQ+EboqNL6Mvzt7qapeuUACaVTKEQdsNvGNXV8eSZ4TvM2w@mail.gmail.com>
To: dnsop <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000045875a0582879b74"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/gLR1ggVJgoQl8dOLPFKGn7tH4sQ>
Subject: [DNSOP] IETF104 Agenda and call for Agenda Items
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 23 Feb 2019 03:50:24 -0000

--00000000000045875a0582879b74
Content-Type: text/plain; charset="UTF-8"

All

The IETF104 Agenda is out
https://datatracker.ietf.org/meeting/104/agenda.html
and DNSOP has two sessions

Tuesday 13:50-15:50

Friday 09:30-10:30

The longer meeting is reserved for either adopted work initially, with the
second meeting for looking at newer work that may not have many comments.

This is also a call for Agenda requests. Please email the chairs (
dnsop-chairs@ietf.org) with your requests.
*Or* drop us a pull request https://github.com/DNSOP/dnsop-ietf104  look
for dnsop-ietf104-agenda-requests.txt

Please Note: *Draft Submission Deadline is Monday March 11, 2019*

We've updated our list of Documents the chairs are considering and their
current status:
https://github.com/DNSOP/wg-materials/blob/master/dnsop-document-status.txt

Any other questions please let us know.

thanks

Tim
Suzanne
Benno

--00000000000045875a0582879b74--


From nobody Sat Feb 23 10:54:16 2019
Return-Path: <internet-drafts@ietf.org>
X-Original-To: dnsop@ietf.org
Delivered-To: dnsop@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 2F25A12008F; Sat, 23 Feb 2019 10:54:06 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: internet-drafts@ietf.org
To: <i-d-announce@ietf.org>
Cc: dnsop@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.91.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: dnsop@ietf.org
Message-ID: <155094804613.28045.8648150477440044197@ietfa.amsl.com>
Date: Sat, 23 Feb 2019 10:54:06 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/HHBFQ54kBX0KwscVO5R0IpXsjfs>
Subject: [DNSOP] I-D Action: draft-ietf-dnsop-serve-stale-03.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 23 Feb 2019 18:54:06 -0000

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Domain Name System Operations WG of the IETF.

        Title           : Serving Stale Data to Improve DNS Resiliency
        Authors         : David C Lawrence
                          Warren "Ace" Kumari
                          Puneet Sood
        Filename        : draft-ietf-dnsop-serve-stale-03.txt
        Pages           : 11
        Date            : 2019-02-23

Abstract:
   This draft defines a method for recursive resolvers to use stale DNS
   data to avoid outages when authoritative nameservers cannot be
   reached to refresh expired data.  It updates the definition of TTL
   from [RFC1034], [RFC1035], and [RFC2181] to make it clear that data
   can be kept in the cache beyond the TTL expiry and used for responses
   when a refreshed answer is not readily available.  One of the
   motivations for serve-stale is to make the DNS more resilient to DoS
   attacks, and thereby make them less attractive as an attack vector.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-dnsop-serve-stale/

There are also htmlized versions available at:
https://tools.ietf.org/html/draft-ietf-dnsop-serve-stale-03
https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-serve-stale-03

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-dnsop-serve-stale-03


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/


From nobody Mon Feb 25 07:23:04 2019
Return-Path: <adegidio@telecentro.net.ar>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 70461130EF9; Mon, 25 Feb 2019 07:23:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level: 
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9,  DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=telecentro.net.ar
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ra7I5-FLwrnH; Mon, 25 Feb 2019 07:22:59 -0800 (PST)
Received: from mail.telecentro.net.ar (mail.telecentro.net.ar [190.55.63.7]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CA28112F1AB; Mon, 25 Feb 2019 07:22:58 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mail.telecentro.net.ar (Postfix) with ESMTP id 5B84A3201FA9; Mon, 25 Feb 2019 12:22:56 -0300 (-03)
Received: from mail.telecentro.net.ar ([127.0.0.1]) by localhost (tclmail6.telecentro.local [127.0.0.1]) (amavisd-new, port 10032) with ESMTP id 0wUmPCxPDeW1; Mon, 25 Feb 2019 12:22:54 -0300 (-03)
Received: from localhost (localhost [127.0.0.1]) by mail.telecentro.net.ar (Postfix) with ESMTP id B11073201FAC; Mon, 25 Feb 2019 12:22:54 -0300 (-03)
DKIM-Filter: OpenDKIM Filter v2.10.3 mail.telecentro.net.ar B11073201FAC
X-Virus-Scanned: amavisd-new at tclmail6.telecentro.local
Received: from mail.telecentro.net.ar ([127.0.0.1]) by localhost (tclmail6.telecentro.local [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id Zfq957ybW9Gp; Mon, 25 Feb 2019 12:22:54 -0300 (-03)
Received: from tclmail6.telecentro.local (tclmail6.telecentro.local [10.210.50.96]) by mail.telecentro.net.ar (Postfix) with ESMTP id 759E13201FA9; Mon, 25 Feb 2019 12:22:54 -0300 (-03)
Date: Mon, 25 Feb 2019 12:22:54 -0300 (ART)
From: Alejandro D'Egidio <adegidio@telecentro.net.ar>
To: JORDI PALET MARTINEZ <jordi.palet=40consulintel.es@dmarc.ietf.org>
Cc: "v6ops@ietf.org list" <v6ops@ietf.org>, dnsop <dnsop@ietf.org>
Message-ID: <128899659.2649874.1551108174039.JavaMail.zimbra@telecentro.net.ar>
In-Reply-To: <40C16CF8-8EE8-468D-8248-A2873CC7EAB6@consulintel.es>
References: <40C16CF8-8EE8-468D-8248-A2873CC7EAB6@consulintel.es>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
X-Originating-IP: [10.210.50.96]
X-Mailer: Zimbra 8.8.8_GA_3008 (ZimbraWebClient - GC72 (Win)/8.8.8_GA_1703)
Thread-Topic: inputs on NAT64/464XLAT Deployment Guidelines in Operator and Enterprise Networks draft-ietf-v6ops-nat64-deployment
Thread-Index: 4g1eMoftmD8xnaYUH5EqHNFIxoK+Hg==
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/k3wKzECIC0gNDwIPG2VYhS9cXWM>
Subject: Re: [DNSOP] [v6ops] inputs on NAT64/464XLAT Deployment Guidelines in Operator and Enterprise Networks draft-ietf-v6ops-nat64-deployment
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Feb 2019 15:23:03 -0000

Hello Jordi,
I like 464XLAT and this is something I would like to implement in DOCSIS networks.
As Deployment Guidelines maybe you can include/consider the next case, if not please forget it or we can include it on another document.

Today we still have many devices that don't support IPv6, or some applications on them don't support it; this is the case with SMART TVs and set top boxes.
There is a common scenario where big public CDNs support delivering content to private IPv4 destinations (usually CGN prefixes) directly without going through a CGN.
In that scenario, CPEs (with eRouter) that have a CGN IPv4 address (i.e. 100.64.x.x) can connect and receive traffic from CDNs directly without having any CGN in the middle.

So I see three points in this case:
1- Traffic avoids a point of failure (CGN); obviously it should be redundant, but the point of failure exists.
2- Traffic is more "transparent", avoiding another translation for CDN.
3- This traffic doesn't impact CGN sizing.

As I said, I like 464XLAT and I would like to have an IPv6-only access network, but this is a real case where ISPs can consider continuing to provision IPv4 to customers.



Regards,
Alejandro

----- Original Message -----
From: "JORDI PALET MARTINEZ" <jordi.palet=40consulintel.es@dmarc.ietf.org>
To: "v6ops@ietf.org list" <v6ops@ietf.org>, "dnsop" <dnsop@ietf.org>
Sent: Thursday, 21 February 2019 2:58:36
Subject: [v6ops] inputs on NAT64/464XLAT Deployment Guidelines in Operator and Enterprise Networks draft-ietf-v6ops-nat64-deployment

Hi all,

(dnsop copied because DNS64)

I'm working on a new version of this document.

Link to the document:

https://datatracker.ietf.org/doc/draft-ietf-v6ops-nat64-deployment/

It will be great if we can get some new inputs.

Thanks!

Regards,
Jordi
 
 



**********************************************
IPv4 is over
Are you ready for the new Internet ?
http://www.theipv6company.com
The IPv6 Company

This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicitly authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.



_______________________________________________
v6ops mailing list
v6ops@ietf.org
https://www.ietf.org/mailman/listinfo/v6ops


From nobody Mon Feb 25 08:24:33 2019
Return-Path: <rharolde@umich.edu>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 267A3130F59 for <dnsop@ietfa.amsl.com>; Mon, 25 Feb 2019 08:24:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level: 
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=umich.edu
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cyd-hiBNJ5KM for <dnsop@ietfa.amsl.com>; Mon, 25 Feb 2019 08:24:26 -0800 (PST)
Received: from mail-lf1-x12c.google.com (mail-lf1-x12c.google.com [IPv6:2a00:1450:4864:20::12c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 14E83130F84 for <dnsop@ietf.org>; Mon, 25 Feb 2019 08:24:25 -0800 (PST)
Received: by mail-lf1-x12c.google.com with SMTP id z196so6642915lff.4 for <dnsop@ietf.org>; Mon, 25 Feb 2019 08:24:25 -0800 (PST)
X-Received: by 2002:a19:c409:: with SMTP id u9mr3946198lff.32.1551111863314; Mon, 25 Feb 2019 08:24:23 -0800 (PST)
MIME-Version: 1.0
References: <155094804613.28045.8648150477440044197@ietfa.amsl.com>
In-Reply-To: <155094804613.28045.8648150477440044197@ietfa.amsl.com>
From: Bob Harold <rharolde@umich.edu>
Date: Mon, 25 Feb 2019 11:24:12 -0500
Message-ID: <CA+nkc8DvZr84E46vna91iBsJ2uSVsda1cCzyTNx9C_J85uKW1w@mail.gmail.com>
To: IETF DNSOP WG <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000009ebe0e0582ba5ffb"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/dmNWlkN4v80Vy-G-P8PPlfTn5xM>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-serve-stale-03.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Feb 2019 16:24:32 -0000

--0000000000009ebe0e0582ba5ffb
Content-Type: text/plain; charset="UTF-8"

On Sat, Feb 23, 2019 at 1:54 PM <internet-drafts@ietf.org> wrote:

>
> A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
> This draft is a work item of the Domain Name System Operations WG of the
> IETF.
>
>         Title           : Serving Stale Data to Improve DNS Resiliency
>         Authors         : David C Lawrence
>                           Warren "Ace" Kumari
>                           Puneet Sood
>         Filename        : draft-ietf-dnsop-serve-stale-03.txt
>         Pages           : 11
>         Date            : 2019-02-23
>
> Abstract:
>    This draft defines a method for recursive resolvers to use stale DNS
>    data to avoid outages when authoritative nameservers cannot be
>    reached to refresh expired data.  It updates the definition of TTL
>    from [RFC1034], [RFC1035], and [RFC2181] to make it clear that data
>    can be kept in the cache beyond the TTL expiry and used for responses
>    when a refreshed answer is not readily available.  One of the
>    motivations for serve-stale is to make the DNS more resilient to DoS
>    attacks, and thereby make them less attractive as an attack vector.
>
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-dnsop-serve-stale/
>
> There are also htmlized versions available at:
> https://tools.ietf.org/html/draft-ietf-dnsop-serve-stale-03
> https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-serve-stale-03
>
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-dnsop-serve-stale-03
>
>
In section 5:
Will the "resolution recheck timer" cause ttl's less than the timer to be
effectively lengthened, by refusing to look them up again?

I think 'serve-stale' should focus on the situation where the auth server
is not available, and not change the handling of short ttl's.  Or am I
mis-reading that?

-- 
Bob Harold

--0000000000009ebe0e0582ba5ffb--


From nobody Mon Feb 25 12:38:38 2019
Return-Path: <Alexander_Brotman@comcast.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1543713101B; Mon, 25 Feb 2019 12:38:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zV758vI1d__u; Mon, 25 Feb 2019 12:38:25 -0800 (PST)
Received: from pacdcmhout01.cable.comcast.com (PACDCMHOUT01.cable.comcast.com [68.87.31.167]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4C087130F82; Mon, 25 Feb 2019 12:38:25 -0800 (PST)
X-AuditID: 44571fa7-a0dff70000021550-e6-5c745240fa21
Received: from PACDCEX21.cable.comcast.com (dlpemail-wc-5p.cable.comcast.com [24.40.13.176]) (using TLS with cipher AES256-SHA256 (256/256 bits)) (Client did not present a certificate) by pacdcmhout01.cable.comcast.com (SMTP Gateway) with SMTP id 3F.DD.05456.042547C5; Mon, 25 Feb 2019 15:38:24 -0500 (EST)
Received: from PACDCEX19.cable.comcast.com (24.40.1.142) by PACDCEX21.cable.comcast.com (24.40.1.144) with Microsoft SMTP Server (TLS) id 15.0.1395.4; Mon, 25 Feb 2019 15:38:23 -0500
Received: from PACDCEX19.cable.comcast.com ([fe80::3aea:a7ff:fe36:8304]) by PACDCEX19.cable.comcast.com ([fe80::3aea:a7ff:fe36:8304%19]) with mapi id 15.00.1395.000; Mon, 25 Feb 2019 15:38:23 -0500
From: "Brotman, Alexander" <Alexander_Brotman@comcast.com>
To: "art@ietf.org" <art@ietf.org>, "dbound@ietf.org" <dbound@ietf.org>
CC: Stephen Farrell <stephen.farrell@cs.tcd.ie>, "dnsop@ietf.org" <dnsop@ietf.org>
Thread-Topic: Related Domains By DNS (RDBD) Draft
Thread-Index: AdTNSNgC8Q46/YWfTPCiSrkXJ1OYgQ==
Date: Mon, 25 Feb 2019 20:38:22 +0000
Message-ID: <5de9ba1c3ae34edb9c7f39e0e9c3b143@PACDCEX19.cable.comcast.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [68.87.29.9]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-CFilter-Loop: Forward
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/I31oAuiZ4yTZzPuyD0xO-CAzeK4>
Subject: [DNSOP] Related Domains By DNS (RDBD) Draft
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Feb 2019 20:38:27 -0000

Hello,

Stephen and I have spent a bit of time working on a draft to be able to
show a relationship between two domains.  We're aware this subject has
been covered a few times previously, especially in the DBOUND drafts,
but we're hopeful that a more simple approach might be more acceptable.
The secondary domain will create a DNS record that shows a link to a
primary domain, and the text should be able to be validated using the
public key in a DNS record the primary domain shares.  This is something
akin to DKIM, a mechanism that the email world uses to ensure the
contents of a message have not been tampered with.

https://datatracker.ietf.org/doc/draft-brotman-rdbd/

We'll request that replies relating to this be sent to the
dbound@ietf.org due to the nature of the topic, but it was suggested
that we might want to notify a few other lists for their awareness.
Thank you for your participation and comments.

--
Alex Brotman
Sr. Engineer, Anti-Abuse & Messaging Policy
Comcast


From nobody Mon Feb 25 14:23:51 2019
Return-Path: <internet-drafts@ietf.org>
X-Original-To: dnsop@ietf.org
Delivered-To: dnsop@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id A33FE1310AF; Mon, 25 Feb 2019 14:23:49 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: internet-drafts@ietf.org
To: <i-d-announce@ietf.org>
Cc: dnsop@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.92.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: dnsop@ietf.org
Message-ID: <155113342962.10694.5562248750468695112@ietfa.amsl.com>
Date: Mon, 25 Feb 2019 14:23:49 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/qNlVotWKbc4rJuBYc-M26_Z82Xc>
Subject: [DNSOP] I-D Action: draft-ietf-dnsop-no-response-issue-13.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Feb 2019 22:23:50 -0000

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Domain Name System Operations WG of the IETF.

        Title           : A Common Operational Problem in DNS Servers - Failure To Communicate.
        Authors         : M. Andrews
                          Ray Bellis
        Filename        : draft-ietf-dnsop-no-response-issue-13.txt
        Pages           : 26
        Date            : 2019-02-25

Abstract:
   The DNS is a query / response protocol.  Failing to respond to
   queries, or responding incorrectly, causes both immediate operational
   problems and long term problems with protocol development.

   This document identifies a number of common kinds of queries to which
   some servers either fail to respond or else respond incorrectly.
   This document also suggests procedures for TLD and other zone
   operators to apply to mitigate the problem.

   The document does not look at the DNS data itself, just the structure
   of the responses.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-dnsop-no-response-issue/

There are also htmlized versions available at:
https://tools.ietf.org/html/draft-ietf-dnsop-no-response-issue-13
https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-no-response-issue-13

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-dnsop-no-response-issue-13


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/


From nobody Mon Feb 25 23:43:52 2019
Return-Path: <ralph@nlnetlabs.nl>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 616EF130E86 for <dnsop@ietfa.amsl.com>; Mon, 25 Feb 2019 23:43:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.001
X-Spam-Level: 
X-Spam-Status: No, score=-7.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nlnetlabs.nl
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zwerET45jk82 for <dnsop@ietfa.amsl.com>; Mon, 25 Feb 2019 23:43:49 -0800 (PST)
Received: from dicht.nlnetlabs.nl (open.nlnetlabs.nl [185.49.140.10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 349A0130E25 for <dnsop@ietf.org>; Mon, 25 Feb 2019 23:43:49 -0800 (PST)
Received: from [220.247.151.61] (61.151.dhcp.conference.apricot.net [220.247.151.61]) by dicht.nlnetlabs.nl (Postfix) with ESMTPSA id 6EA31DA00 for <dnsop@ietf.org>; Tue, 26 Feb 2019 08:43:43 +0100 (CET)
Authentication-Results: dicht.nlnetlabs.nl; dmarc=fail (p=none dis=none) header.from=nlnetlabs.nl
Authentication-Results: dicht.nlnetlabs.nl; spf=fail smtp.mailfrom=ralph@nlnetlabs.nl
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=nlnetlabs.nl; s=default; t=1551167024; bh=QxGMq1kKdWSjpyuZT7S3T+waDjN4OuW8cjQEUvycG5k=; h=To:From:Subject:Date; b=tAMXrF+TyX00gq64aIc6xqORoJqvXl1Bl2yAc0v7PzCU0wRH9q08EBsQY26y67tgm O8+BrWDqaEzP+GgbKom6UHfsTSMfValaTAaHJP7cLuIEc6CGlLwf0Qeu8bZJKVhgwc ATyWLYoze7RpcAwKjOdw3H5Gc660hc4BhFVkJVRo=
To: dnsop@ietf.org
From: Ralph Dolmans <ralph@nlnetlabs.nl>
Openpgp: preference=signencrypt
Message-ID: <86496e0c-09cb-c468-8a56-b6f607cac02d@nlnetlabs.nl>
Date: Tue, 26 Feb 2019 16:43:39 +0900
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.4.0
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/8hAFaTEWuYrhQnKVakECq1jbOqw>
Subject: [DNSOP] Extended Deadline for Submissions for 30th DNS-OARC Workshop
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Feb 2019 07:43:51 -0000

Hi,

We have extended the submission deadline for the 30th DNS-OARC workshop
to March 8th:

The 30th DNS-OARC Workshop will take place at the Shangri-La Hotel,
Bangkok, Thailand, on May 12th and 13th 2019, hosted by ICANN.

(Note that several co-located meetings are taking place immediately
prior to the DNS-OARC Workshop, including the GDD Industry Summit, May
6th-9th, the Registrations Operations Workshop, May 9th, and the ICANN
DNS Symposium, May 10th-11th.)

The Workshop's Program Committee is now requesting proposals for
presentations.  All DNS-related subjects are welcome.

A timeslot will also be available for lightning talks (5-10 minutes
each) on day two of the workshop for which submissions will be accepted
until the start of the morning session on day two.

There will be a Members-only session during the workshop, which will
include reports on DNS-OARC's activities. If you are an OARC member and
have a sensitive topic that you wish to present during that session
those can be accommodated.

Workshop Milestones:
    05 Dec 2018 - Submissions open via Indico
    08 Mar 2019 - Extended Deadline for submission (midnight ICT)
    11 Mar 2019 - Initial Contribution list published
    22 Mar 2019 - Full agenda published
    03 May 2019 - Deadline for slideset submission
    12 May 2019 - Workshop

Details for presentation submission are published here:

    <https://indico.dns-oarc.net/event/31/call-for-abstracts/>

The workshop presentations will be organized by common themes, depending
on the topics and the timing of each presentation. There are 30-minute
and 15-minute slots; let us know your preference in your submission.

To allow the Programme Committee to make objective assessments of
submissions, so as to ensure the quality of the workshop, submissions
SHOULD include slides.  Draft slides are acceptable on submission.

If you have questions or concerns you can contact the Programme Committee:

    https://www.dns-oarc.net/oarc/programme

via <submissions@dns-oarc.net>

Ralph Dolmans, for the DNS-OARC Programme Committee

OARC depends on sponsorship to fund its workshops and associated social
events.  Please contact <sponsor@dns-oarc.net> if your organization is
interested in becoming a sponsor.

(Please note that OARC is run on a non-profit basis, and is not in a
position to reimburse expenses or time for speakers at its meetings.)


From nobody Tue Feb 26 01:35:35 2019
Return-Path: <Francis.Dupont@fdupont.fr>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9379F130EAE for <dnsop@ietfa.amsl.com>; Tue, 26 Feb 2019 01:35:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level: 
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TkLBRRk5a7i8 for <dnsop@ietfa.amsl.com>; Tue, 26 Feb 2019 01:35:32 -0800 (PST)
Received: from givry.fdupont.fr (givry.fdupont.fr [IPv6:2001:41d0:1:6d55:211:5bff:fe98:d51e]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A4481130EA9 for <dnsop@ietf.org>; Tue, 26 Feb 2019 01:35:31 -0800 (PST)
Received: from givry.fdupont.fr (localhost [IPv6:::1]) by givry.fdupont.fr (8.14.7/8.14.7) with ESMTP id x1Q8sa79074112; Tue, 26 Feb 2019 09:54:36 +0100 (CET) (envelope-from dupont@givry.fdupont.fr)
Message-Id: <201902260854.x1Q8sa79074112@givry.fdupont.fr>
From: Francis Dupont <Francis.Dupont@fdupont.fr>
To: Mukund Sivaraman <muks@mukund.org>
cc: dnsop@ietf.org
In-reply-to: Your message of Mon, 19 Nov 2018 19:15:34 +0530. <20181119134534.GA1450@jurassic>
Date: Tue, 26 Feb 2019 09:54:36 +0100
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Rj8ArPjsbd_uRkvCB827_2jN1MA>
Subject: Re: [DNSOP] Review of draft-ietf-dnsop-rfc2845bis-02.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Feb 2019 09:35:34 -0000

 In your previous mail you wrote:

>  Two points that I request this WG to discuss are:
>  
>  1. Sparsely TSIG signed TCP continuation messages (section 6.4 in draft)

=> I'd like to do this but it is not possible to change requirements
for existing implementations so easily. I added a SHOULD for signing
all messages so in the long term they should disappear.

>  2. Truncated MACs

=> first they are optional so not required to be implemented/supported.
Second I'd like to get the opinion from a cryptographer because I heard
that truncated HMACs have some security benefits. Last of course they
make messages shorter so have a clear operational advantage.
 Now I do not know if they are heavily used. If they are not we can consider
adding a NOT RECOMMENDED for their implementation/support even if it is not
really in the scope of the document.

Thanks

Francis.Dupont@fdupont.fr
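
Added example (not part of the original message or of the draft): a Python sketch of how a receiver can handle the truncated TSIG MACs discussed above, applying the RFC 4635 floor of max(10 octets, half the hash output length) and an optional local minimum. The key, the message bytes and the function names are constructed for illustration, and the MAC input is simplified to one opaque byte string.

```python
import hashlib
import hmac

# RCODE and TSIG error values (RFC 1035, RFC 2845, RFC 4635).
NOERROR, FORMERR, BADSIG, BADTRUNC = 0, 1, 16, 22

# Constructed sample inputs. A real TSIG MAC covers the DNS message plus
# the TSIG variables; this sketch treats that as one opaque byte string.
SAMPLE_KEY = bytes(range(32))
SAMPLE_DATA = b"constructed DNS message bytes + TSIG variables"


def wire_minimum(hash_name):
    """Shortest MAC any receiver may accept (RFC 4635, section 3.1):
    the larger of 10 octets and half the hash output length."""
    return max(10, hashlib.new(hash_name).digest_size // 2)


def sign(key, data, hash_name="sha256", truncate_to=None):
    """Return the HMAC, truncated to its leftmost truncate_to octets."""
    full = hmac.new(key, data, hash_name).digest()
    if truncate_to is None:
        return full
    if not wire_minimum(hash_name) <= truncate_to <= len(full):
        raise ValueError("truncation length outside the permitted range")
    return full[:truncate_to]


def verify(key, data, mac, hash_name="sha256", local_minimum=None):
    """Check a possibly truncated MAC and return an RCODE-style result.

    local_minimum is this receiver's own policy (an assumption of the
    sketch): a valid MAC shorter than it is refused with BADTRUNC.
    """
    full = hmac.new(key, data, hash_name).digest()
    # Longer than the hash output, or below the protocol floor: malformed.
    if len(mac) > len(full) or len(mac) < wire_minimum(hash_name):
        return FORMERR
    # Compare only the leftmost len(mac) octets, in constant time.
    if not hmac.compare_digest(full[:len(mac)], mac):
        return BADSIG
    # The MAC is valid but shorter than local policy allows.
    if local_minimum is not None and len(mac) < local_minimum:
        return BADTRUNC
    return NOERROR


def demo():
    """Run the checks over the constructed inputs and collect the results."""
    full = sign(SAMPLE_KEY, SAMPLE_DATA)
    short = sign(SAMPLE_KEY, SAMPLE_DATA, truncate_to=16)
    tampered = bytes([short[0] ^ 1]) + short[1:]
    return {
        "full MAC": verify(SAMPLE_KEY, SAMPLE_DATA, full),
        "16-octet MAC": verify(SAMPLE_KEY, SAMPLE_DATA, short),
        "16-octet MAC, local minimum 20":
            verify(SAMPLE_KEY, SAMPLE_DATA, short, local_minimum=20),
        "tampered 16-octet MAC": verify(SAMPLE_KEY, SAMPLE_DATA, tampered),
        "8-octet MAC": verify(SAMPLE_KEY, SAMPLE_DATA, full[:8]),
        "oversized MAC": verify(SAMPLE_KEY, SAMPLE_DATA, full + b"\x00"),
    }


if __name__ == "__main__":
    for case, rcode in demo().items():
        print(f"{case}: {rcode}")
```

Each octet removed from the MAC lowers the work of a blind forgery by a factor of 256, which is why the length checks run before the MAC is trusted for anything.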


From nobody Wed Feb 27 06:25:11 2019
Return-Path: <paul@nohats.ca>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 49ADD130DE7; Wed, 27 Feb 2019 06:24:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level: 
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ptjTfm2Xre0h; Wed, 27 Feb 2019 06:24:54 -0800 (PST)
Received: from mx.nohats.ca (mx.nohats.ca [193.110.157.68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D01041200B3; Wed, 27 Feb 2019 06:24:53 -0800 (PST)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 448dHQ47dFz39p; Wed, 27 Feb 2019 15:24:50 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1551277490; bh=+3wPxJ4v8GjHMfN4jdJ3XBpIU0Sc7JsSPgeKXrDsWB4=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=j0XWH8nJx5v9eGCW4VGBA1kQvQuWyJP2aLbt+ocIMJlSJZ/ITvz0m8S+uKsDnNSz3 GlWSgFoVREBO/FTQm68iMM4rTsWxd061ehDPhR2R1s167FGHXgZQoSiCp81LCLqGev zUWbfYAnE5gHztJMYyveTtgDljOQ4VTwsoGfai3k=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id J2jDfGCKtnkd; Wed, 27 Feb 2019 15:24:48 +0100 (CET)
Received: from bofh.nohats.ca (bofh.nohats.ca [76.10.157.69]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Wed, 27 Feb 2019 15:24:47 +0100 (CET)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id D874AA7E0C; Wed, 27 Feb 2019 09:24:46 -0500 (EST)
DKIM-Filter: OpenDKIM Filter v2.11.0 bofh.nohats.ca D874AA7E0C
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id CEEA240D358A; Wed, 27 Feb 2019 09:24:46 -0500 (EST)
Date: Wed, 27 Feb 2019 09:24:46 -0500 (EST)
From: Paul Wouters <paul@nohats.ca>
To: "Brotman, Alexander" <Alexander_Brotman@comcast.com>
cc: "art@ietf.org" <art@ietf.org>, "dbound@ietf.org" <dbound@ietf.org>,  "dnsop@ietf.org" <dnsop@ietf.org>,  Stephen Farrell <stephen.farrell@cs.tcd.ie>
In-Reply-To: <5de9ba1c3ae34edb9c7f39e0e9c3b143@PACDCEX19.cable.comcast.com>
Message-ID: <alpine.LRH.2.21.1902270920580.8896@bofh.nohats.ca>
References: <5de9ba1c3ae34edb9c7f39e0e9c3b143@PACDCEX19.cable.comcast.com>
User-Agent: Alpine 2.21 (LRH 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII; format=flowed
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Bgslrf9uFL3ot2ff09BXZrCqVUA>
Subject: Re: [DNSOP] Related Domains By DNS (RDBD) Draft
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Feb 2019 14:24:56 -0000

On Mon, 25 Feb 2019, Brotman, Alexander wrote:

> Stephen and I have spent a bit of time working on a draft to be able to show a relationship between two domains.  We're aware this subject has been covered a few times previously, especially in the DBOUND drafts, but we're hopeful that a more simple approach might be more acceptable.   The secondary domain will create a DNS record that shows a link to a primary domain, and the text should be able to be validated using the public key in a DNS record the primary domain shares.  This is something akin to DKIM, a mechanism that the email world uses to ensure the contents of a message have not been tampered with.
>
> https://datatracker.ietf.org/doc/draft-brotman-rdbd/

I've read the draft, and I have my usual complaints.

If we put stuff into the DNS for security decisions, saying "it's better
if you use this data when it is DNSSEC signed" is just too weak. We are
splashing TOFU everywhere and putting CT bandaids on it. It's long overdue
that we stop with that. Just require DNSSEC.

And if you require DNSSEC validation, then the solution becomes
much simpler and could be encoded in a single bit, see:

https://tools.ietf.org/html/draft-pwouters-powerbind

Paul


From nobody Wed Feb 27 07:32:27 2019
Return-Path: <Alexander_Brotman@comcast.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 43280130FDB; Wed, 27 Feb 2019 07:32:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EiL5m6Bu8eE1; Wed, 27 Feb 2019 07:32:15 -0800 (PST)
Received: from pacdcmhout01.cable.comcast.com (PACDCMHOUT01.cable.comcast.com [68.87.31.167]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5725A1200B3; Wed, 27 Feb 2019 07:32:15 -0800 (PST)
X-AuditID: 44571fa7-9f3ff70000021550-f4-5c76ad7e8e4f
Received: from PACDCEX23.cable.comcast.com (dlpemail-wc-2p.cable.comcast.com [24.40.12.145]) (using TLS with cipher AES256-SHA256 (256/256 bits)) (Client did not present a certificate) by pacdcmhout01.cable.comcast.com (SMTP Gateway) with SMTP id 2F.EB.05456.E7DA67C5; Wed, 27 Feb 2019 10:32:14 -0500 (EST)
Received: from PACDCEX19.cable.comcast.com (24.40.1.142) by PACDCEX23.cable.comcast.com (24.40.1.146) with Microsoft SMTP Server (TLS) id 15.0.1395.4; Wed, 27 Feb 2019 10:32:12 -0500
Received: from PACDCEX19.cable.comcast.com ([fe80::3aea:a7ff:fe36:8304]) by PACDCEX19.cable.comcast.com ([fe80::3aea:a7ff:fe36:8304%19]) with mapi id 15.00.1395.000; Wed, 27 Feb 2019 10:32:12 -0500
From: "Brotman, Alexander" <Alexander_Brotman@comcast.com>
To: Paul Wouters <paul@nohats.ca>
CC: "art@ietf.org" <art@ietf.org>, "dnsop@ietf.org" <dnsop@ietf.org>, "Stephen Farrell" <stephen.farrell@cs.tcd.ie>, "dbound@ietf.org" <dbound@ietf.org>
Thread-Topic: [dbound] [DNSOP] Related Domains By DNS (RDBD) Draft
Thread-Index: AdTNSNgC8Q46/YWfTPCiSrkXJ1OYgQBiUEUAAAhZBnA=
Date: Wed, 27 Feb 2019 15:32:12 +0000
Message-ID: <f14544d37a774907a7cc76ab5bdb8b72@PACDCEX19.cable.comcast.com>
References: <5de9ba1c3ae34edb9c7f39e0e9c3b143@PACDCEX19.cable.comcast.com> <alpine.LRH.2.21.1902270920580.8896@bofh.nohats.ca>
In-Reply-To: <alpine.LRH.2.21.1902270920580.8896@bofh.nohats.ca>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [96.114.156.7]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-CFilter-Loop: Forward
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/VTXJhawEpm68T01X6AkoGXlhgyA>
Subject: Re: [DNSOP] [dbound]  Related Domains By DNS (RDBD) Draft
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Feb 2019 15:32:18 -0000

I'm supportive of doing this in other ways, but also understand that
DNSSEC is not widely deployed.  I suppose that's ultimately a crutch,
though it is the current situation.  With that being said, we thought
this would be one reasonable approach to being able to show that
relationship.  We could potentially have a non-DNSSEC and DNSSEC method
in the same draft, if that's something that might be agreeable?

--
Alex Brotman
Sr. Engineer, Anti-Abuse & Messaging Policy
Comcast

-----Original Message-----
From: dbound <dbound-bounces@ietf.org> On Behalf Of Paul Wouters
Sent: Wednesday, February 27, 2019 9:25 AM
To: Brotman, Alexander <Alexander_Brotman@cable.comcast.com>
Cc: art@ietf.org; dnsop@ietf.org; Stephen Farrell <stephen.farrell@cs.tcd.ie>; dbound@ietf.org
Subject: Re: [dbound] [DNSOP] Related Domains By DNS (RDBD) Draft

On Mon, 25 Feb 2019, Brotman, Alexander wrote:

> Stephen and I have spent a bit of time working on a draft to be able
> to show a relationship between two domains.  We're aware this subject
> has been covered a few times previously, especially in the DBOUND
> drafts, but we're hopeful that a more simple approach might be more
> acceptable.   The secondary domain will create a DNS record that shows
> a link to a primary domain, and the text should be able to be
> validated using the public key in a DNS record the primary domain
> shares.  This is something akin to DKIM, a mechanism that the email
> world uses to ensure the contents of a message have not been tampered
> with.
>
> https://datatracker.ietf.org/doc/draft-brotman-rdbd/

I've read the draft, and I have my usual complaints.

If we put stuff into the DNS for security decisions, saying "it's better
if you use this data when it is DNSSEC signed" is just too weak. We are
splashing TOFU everywhere and putting CT bandaids on it. It's long
overdue that we stop with that. Just require DNSSEC.

And if you require DNSSEC validation, then the solution becomes much
simpler and could be encoded in a single bit, see:

https://tools.ietf.org/html/draft-pwouters-powerbind

Paul

_______________________________________________
dbound mailing list
dbound@ietf.org
https://www.ietf.org/mailman/listinfo/dbound


From nobody Wed Feb 27 07:48:36 2019
Return-Path: <paul@nohats.ca>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CDD0C130E71; Wed, 27 Feb 2019 07:48:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level: 
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hePNRJzgU5dM; Wed, 27 Feb 2019 07:48:33 -0800 (PST)
Received: from mx.nohats.ca (mx.nohats.ca [193.110.157.68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 359931200B3; Wed, 27 Feb 2019 07:48:33 -0800 (PST)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 448g7y6HMczD0B; Wed, 27 Feb 2019 16:48:30 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1551282510; bh=H49nfX1vedMxsGQC3GO0kJZ7kdUNib+HOKxKQTueBFI=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=T7hIHKLOQVM3U/SG1ZSmH+8M1Pta1wgrQlpyzPGOBaMSaIn/8OBiIEupMWZz9LAHq XjLY9/oqYGKwOb/ly4GFtVQrTfbSbb87eG7fY3rtUih0sUV+udmXZYAkW9rZBi7H/t JttCHdSzxteIgh+ERzMNm5foQnm1wfrEyNTZKC8c=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id bXuWlKpCrdfx; Wed, 27 Feb 2019 16:48:29 +0100 (CET)
Received: from bofh.nohats.ca (bofh.nohats.ca [76.10.157.69]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Wed, 27 Feb 2019 16:48:28 +0100 (CET)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id 92803A7E0C; Wed, 27 Feb 2019 10:48:27 -0500 (EST)
DKIM-Filter: OpenDKIM Filter v2.11.0 bofh.nohats.ca 92803A7E0C
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id 84DDA40D358A; Wed, 27 Feb 2019 10:48:27 -0500 (EST)
Date: Wed, 27 Feb 2019 10:48:27 -0500 (EST)
From: Paul Wouters <paul@nohats.ca>
To: "Brotman, Alexander" <Alexander_Brotman@comcast.com>
cc: "art@ietf.org" <art@ietf.org>, "dbound@ietf.org" <dbound@ietf.org>,  "dnsop@ietf.org" <dnsop@ietf.org>,  Stephen Farrell <stephen.farrell@cs.tcd.ie>
In-Reply-To: <alpine.LRH.2.21.1902270920580.8896@bofh.nohats.ca>
Message-ID: <alpine.LRH.2.21.1902271037500.21061@bofh.nohats.ca>
References: <5de9ba1c3ae34edb9c7f39e0e9c3b143@PACDCEX19.cable.comcast.com> <alpine.LRH.2.21.1902270920580.8896@bofh.nohats.ca>
User-Agent: Alpine 2.21 (LRH 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII; format=flowed
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/TdcDtoN7CvzovxBnhKPXun-wLQc>
Subject: Re: [DNSOP] Related Domains By DNS (RDBD) Draft
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Feb 2019 15:48:35 -0000

On Wed, 27 Feb 2019, Paul Wouters wrote:

>>  https://datatracker.ietf.org/doc/draft-brotman-rdbd/
>
> I've read the draft, and I have my usual complaints.

I scanned this document a bit too fast, with an eye on parent-child
relationships and didn't fully realise this is about relating domains
at different parts in the DNS hierarchy altogether.

So now I do understand the format and use better. I'm not sure if the
DNS is the best place for this information, but it is not the worst
place either. So in that sense this proposal seems fine.

I do still have a concern that this is using its own signature schemes
embedded in the records instead of relying on DNSSEC. But I guess
that's just the world we live in now.

Paul


From nobody Wed Feb 27 07:54:42 2019
Return-Path: <paul@nohats.ca>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EFB20130FE9; Wed, 27 Feb 2019 07:54:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level: 
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id D9aA0Palvabh; Wed, 27 Feb 2019 07:54:25 -0800 (PST)
Received: from mx.nohats.ca (mx.nohats.ca [193.110.157.68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 74DEA1200B3; Wed, 27 Feb 2019 07:54:25 -0800 (PST)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 448gGk4rgMzC7V; Wed, 27 Feb 2019 16:54:22 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1551282862; bh=Zge1X395SZBFG85gcmN82NOL1rHfara6B7j9QBAtux0=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=Lx6Q9QcVP1Ejz07dGNeODcMsHS7otmfB9q457OHkiALCxJN5ilzNNMSKqeTCX1YgH V17WHym3YxaspxLNE/dQgvCZx7eDhZnrpMOIXmw1fimf3fQmkHvSH5/fqW6tG2TLuz fwnvvQt7f5EAQL+xlDlOJrQ20/kyNeTO2jkKSQjw=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id R17sc9Z6PJLu; Wed, 27 Feb 2019 16:54:21 +0100 (CET)
Received: from bofh.nohats.ca (bofh.nohats.ca [76.10.157.69]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Wed, 27 Feb 2019 16:54:21 +0100 (CET)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id 79329A7E0C; Wed, 27 Feb 2019 10:54:20 -0500 (EST)
DKIM-Filter: OpenDKIM Filter v2.11.0 bofh.nohats.ca 79329A7E0C
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id 6DE0940D358A; Wed, 27 Feb 2019 10:54:20 -0500 (EST)
Date: Wed, 27 Feb 2019 10:54:20 -0500 (EST)
From: Paul Wouters <paul@nohats.ca>
To: "Brotman, Alexander" <Alexander_Brotman@comcast.com>
cc: "art@ietf.org" <art@ietf.org>, "dnsop@ietf.org" <dnsop@ietf.org>,  Stephen Farrell <stephen.farrell@cs.tcd.ie>,  "dbound@ietf.org" <dbound@ietf.org>
In-Reply-To: <alpine.LRH.2.21.1902271037500.21061@bofh.nohats.ca>
Message-ID: <alpine.LRH.2.21.1902271053200.21061@bofh.nohats.ca>
References: <5de9ba1c3ae34edb9c7f39e0e9c3b143@PACDCEX19.cable.comcast.com> <alpine.LRH.2.21.1902270920580.8896@bofh.nohats.ca> <alpine.LRH.2.21.1902271037500.21061@bofh.nohats.ca>
User-Agent: Alpine 2.21 (LRH 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII; format=flowed
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Vd-UoJg8KmjFpC16y3A1UCtXqHY>
Subject: Re: [DNSOP] Related Domains By DNS (RDBD) Draft
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Feb 2019 15:54:27 -0000

On Wed, 27 Feb 2019, Paul Wouters wrote:

>>>   https://datatracker.ietf.org/doc/draft-brotman-rdbd/

One more question (and then I promise to walk away from the keyboard for
a while)

How is this data being consumed by the end user? It sort of begins
to look like an EV thing. Also, wouldn't attackers just link their
fake domain to another fake domain to get a green looking OKAY?

Paul


From nobody Wed Feb 27 07:57:57 2019
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 812E1130FF9; Wed, 27 Feb 2019 07:57:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.3
X-Spam-Level: 
X-Spam-Status: No, score=-4.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cs.tcd.ie
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JDWdqsulKSs7; Wed, 27 Feb 2019 07:57:41 -0800 (PST)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 19A73130FF0; Wed, 27 Feb 2019 07:57:39 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 025FCBE58; Wed, 27 Feb 2019 15:57:37 +0000 (GMT)
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tNUl11qFJkQH; Wed, 27 Feb 2019 15:57:36 +0000 (GMT)
Received: from [134.226.36.93] (unknown [134.226.36.93]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id B048BBE55; Wed, 27 Feb 2019 15:57:36 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1551283056; bh=OS6Q9rWMnOnIVsRA24V6y42SvkfiLfDCB9VHR3uJuCA=; h=Subject:To:Cc:References:From:Date:In-Reply-To:From; b=PMTPGiEiexTVuz6Pc60Z+yGBfc/qouZKqSvqeMWwKylJLyMRVMK4hWwVI5WJM8BnC AMbW4NUvqHpNfUqqh5bGo2AbBBOOez8yjJbh+rCr+Q2oyS14EGIKdbXF8t6RLvTkki zX2dOlFW3UJuRgF+Xo/eMTfJrfkwGlDvIs41cRA8=
To: Paul Wouters <paul@nohats.ca>, "Brotman, Alexander" <Alexander_Brotman@comcast.com>
Cc: "art@ietf.org" <art@ietf.org>, "dnsop@ietf.org" <dnsop@ietf.org>, "dbound@ietf.org" <dbound@ietf.org>
References: <5de9ba1c3ae34edb9c7f39e0e9c3b143@PACDCEX19.cable.comcast.com> <alpine.LRH.2.21.1902270920580.8896@bofh.nohats.ca> <alpine.LRH.2.21.1902271037500.21061@bofh.nohats.ca>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=5BB5A6EA5765D2C5863CAE275AB2FAF17B172BEA; url=
Message-ID: <8cbf0062-35c6-a8bd-e809-c6a5e9ce16c8@cs.tcd.ie>
Date: Wed, 27 Feb 2019 15:57:34 +0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.5.1
MIME-Version: 1.0
In-Reply-To: <alpine.LRH.2.21.1902271037500.21061@bofh.nohats.ca>
Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="0qQqihBrYzGQUnIfDaWrM2SjsJTZcfmxk"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Igm-XRKsCFAzjmst6TQNcI9XpD0>
Subject: Re: [DNSOP] [dbound]  Related Domains By DNS (RDBD) Draft
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Feb 2019 15:57:45 -0000

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--0qQqihBrYzGQUnIfDaWrM2SjsJTZcfmxk
Content-Type: multipart/mixed; boundary="SXSjtdaJa7ywkn6c6D2wwtj6zIqzeXjRf";
 protected-headers="v1"
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
To: Paul Wouters <paul@nohats.ca>,
 "Brotman, Alexander" <Alexander_Brotman@comcast.com>
Cc: "art@ietf.org" <art@ietf.org>, "dnsop@ietf.org" <dnsop@ietf.org>,
 "dbound@ietf.org" <dbound@ietf.org>
Message-ID: <8cbf0062-35c6-a8bd-e809-c6a5e9ce16c8@cs.tcd.ie>
Subject: Re: [dbound] [DNSOP] Related Domains By DNS (RDBD) Draft
References: <5de9ba1c3ae34edb9c7f39e0e9c3b143@PACDCEX19.cable.comcast.com>
 <alpine.LRH.2.21.1902270920580.8896@bofh.nohats.ca>
 <alpine.LRH.2.21.1902271037500.21061@bofh.nohats.ca>
In-Reply-To: <alpine.LRH.2.21.1902271037500.21061@bofh.nohats.ca>

--SXSjtdaJa7ywkn6c6D2wwtj6zIqzeXjRf
Content-Type: multipart/mixed;
 boundary="------------D9F654D0CBF98F2A0358D0FE"
Content-Language: en-GB

This is a multi-part message in MIME format.
--------------D9F654D0CBF98F2A0358D0FE
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable


Hi Paul,

On 27/02/2019 15:48, Paul Wouters wrote:
> On Wed, 27 Feb 2019, Paul Wouters wrote:
>
>>>  https://datatracker.ietf.org/doc/draft-brotman-rdbd/
>>
>> I've read the draft, and I have my usual complaints.

Thanks for taking a read!

> I scanned this document a bit too fast, with an eye on parent-child
> relationships and didn't fully realise this is about relating domains
> at different parts in the DNS hierarchy altogether.

And even more thanks for reading it twice! It is short,
luckily:-)

Great that you think it's uncrazy.

>
> So now I do understand the format and use better. I'm not sure if the
> DNS is the best place for this information, but it is not the worst
> place either. So in that sense this proposal seems fine.

Yep. Actually in exchanges with John Levine on the dbound
list, (he was v. reasonably questioning the value of these
new signatures), I myself only copped on that this could
be of some use where the primary has DNSSEC but where the
secondary doesn't, which is maybe interesting.

Those mails are here [1] if someone's interested.

> I do still have a concern that this is using its own signature schemes
> embedded in the records instead of relying on DNSSEC. But I guess
> that's just the world we live in now.

Yep. After both domains have DNSSEC, then this could all be
simpler. Before they do, there may be value in the sigs though
see John's simplification suggestion at [1].

Cheers,
S.

[1] https://mailarchive.ietf.org/arch/msg/dbound/PON1ipCbK_ea67fbyvhUzSfj5og


>
> Paul

--------------D9F654D0CBF98F2A0358D0FE--

--SXSjtdaJa7ywkn6c6D2wwtj6zIqzeXjRf--

--0qQqihBrYzGQUnIfDaWrM2SjsJTZcfmxk--


From nobody Wed Feb 27 08:14:55 2019
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 43BE1130E82; Wed, 27 Feb 2019 08:14:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.301
X-Spam-Level: 
X-Spam-Status: No, score=-4.301 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cs.tcd.ie
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id q4KDVxh_7ijv; Wed, 27 Feb 2019 08:14:51 -0800 (PST)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A1A021200B3; Wed, 27 Feb 2019 08:14:50 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 2CFB6BE51; Wed, 27 Feb 2019 16:14:49 +0000 (GMT)
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XUcyGWh-IXTI; Wed, 27 Feb 2019 16:14:49 +0000 (GMT)
Received: from [134.226.36.93] (unknown [134.226.36.93]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id E0F5EBE4C; Wed, 27 Feb 2019 16:14:48 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1551284088; bh=ZAVc061yK0m5bJRf7/Ek5yBZbD+aCzZDmuQmIsQ1/0o=; h=To:Cc:References:From:Subject:Date:In-Reply-To:From; b=DKkLGno1Fugxz1mXlXnvyn774VLRlN8itW6Hnoh2x4Hc4nqm05CSwQEd2jkpVT6CI OF7gk2m5coVvmQ8geY6soU8l0YU8tlj8avMDcL4xTMf4fb35GjTiEXTf2w/dOjj0yX FIf+t/pAeILFA2Q1Miu3xZk1cHQ4l5AfCPDsffKo=
To: Paul Wouters <paul@nohats.ca>, "Brotman, Alexander" <Alexander_Brotman@comcast.com>
Cc: "art@ietf.org" <art@ietf.org>, "dnsop@ietf.org" <dnsop@ietf.org>, "dbound@ietf.org" <dbound@ietf.org>
References: <5de9ba1c3ae34edb9c7f39e0e9c3b143@PACDCEX19.cable.comcast.com> <alpine.LRH.2.21.1902270920580.8896@bofh.nohats.ca> <alpine.LRH.2.21.1902271037500.21061@bofh.nohats.ca> <alpine.LRH.2.21.1902271053200.21061@bofh.nohats.ca>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=5BB5A6EA5765D2C5863CAE275AB2FAF17B172BEA; url=
Message-ID: <d8ac67de-35ec-648c-df0e-662439463ec3@cs.tcd.ie>
Date: Wed, 27 Feb 2019 16:14:46 +0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.5.1
MIME-Version: 1.0
In-Reply-To: <alpine.LRH.2.21.1902271053200.21061@bofh.nohats.ca>
Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="UlTVYRgKO1j1ookOqIfuaTSMMQyi8sFTC"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Lh7HKeg-WzviM3wjwLKy5ke3XNY>
Subject: Re: [DNSOP] [dbound]  Related Domains By DNS (RDBD) Draft
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Feb 2019 16:14:53 -0000

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--UlTVYRgKO1j1ookOqIfuaTSMMQyi8sFTC
Content-Type: multipart/mixed; boundary="U4Hz5X0JUrmFZbMkjxjMj3EWuKTmI7H5X";
 protected-headers="v1"
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
To: Paul Wouters <paul@nohats.ca>,
 "Brotman, Alexander" <Alexander_Brotman@comcast.com>
Cc: "art@ietf.org" <art@ietf.org>, "dnsop@ietf.org" <dnsop@ietf.org>,
 "dbound@ietf.org" <dbound@ietf.org>
Message-ID: <d8ac67de-35ec-648c-df0e-662439463ec3@cs.tcd.ie>
Subject: Re: [dbound] [DNSOP] Related Domains By DNS (RDBD) Draft
References: <5de9ba1c3ae34edb9c7f39e0e9c3b143@PACDCEX19.cable.comcast.com>
 <alpine.LRH.2.21.1902270920580.8896@bofh.nohats.ca>
 <alpine.LRH.2.21.1902271037500.21061@bofh.nohats.ca>
 <alpine.LRH.2.21.1902271053200.21061@bofh.nohats.ca>
In-Reply-To: <alpine.LRH.2.21.1902271053200.21061@bofh.nohats.ca>

--U4Hz5X0JUrmFZbMkjxjMj3EWuKTmI7H5X
Content-Type: multipart/mixed;
 boundary="------------04532129FBDAA8FA184B970B"
Content-Language: en-GB

This is a multi-part message in MIME format.
--------------04532129FBDAA8FA184B970B
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable


Hiya,

On 27/02/2019 15:54, Paul Wouters wrote:
> How is this data being consumed by the end user?

Very good question. Sorry for what's likely a longer
answer than you want:-)

Alex and I chatted about that and I think ended up
figuring: a) there are many potential semantics that
could be associated with such a linkage, b) we don't
yet know what'd be useful, but c) no, we are defo
not trying for an EV-like thing and lastly d) we really
want to keep this as simple as possible - given there's
a lot of feature-creep potential here, and that'd likely
be fatal.

My own use-case for this relates more to surveys, where
I'd like to get a hint that two names are related so I
could take that into account. Alex's is more business
like (as you'd expect:-) he'd like to be able to feed
this kind of linkage information into mail processing,
e.g. perhaps to treat some mails as less-likely spam if
he sees a link, compared to if he doesn't (with all the
other mail processing foo that'd clearly be required to
not do that kind of thing stupidly of course). We guess
that there'd be other uses too but finding out if this
is seen as useful enough that people would publish RR's
is part of why we shot out the draft now.

We also considered whether or not to e.g. try to add
some kind of flag to indicate semantics but reckoned we
don't know enough to do that for now.

Cheers,
S.

> It sort of begins
> to look like an EV thing. Also, wouldn't attackers just link their
> fake domain to another fake domain to get a green looking OKAY?


--------------04532129FBDAA8FA184B970B--

--U4Hz5X0JUrmFZbMkjxjMj3EWuKTmI7H5X--

--UlTVYRgKO1j1ookOqIfuaTSMMQyi8sFTC--


From nobody Wed Feb 27 08:26:39 2019
Return-Path: <dot@dotat.at>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BBC3F130FFB; Wed, 27 Feb 2019 08:26:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level: 
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vMR0a4Ran0yv; Wed, 27 Feb 2019 08:26:35 -0800 (PST)
Received: from ppsw-30.csi.cam.ac.uk (ppsw-30.csi.cam.ac.uk [131.111.8.130]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5EA5E130FF4; Wed, 27 Feb 2019 08:26:35 -0800 (PST)
X-Cam-AntiVirus: no malware found
X-Cam-ScannerInfo: http://help.uis.cam.ac.uk/email-scanner-virus
Received: from grey.csi.cam.ac.uk ([131.111.57.57]:44120) by ppsw-30.csi.cam.ac.uk (ppsw.cam.ac.uk [131.111.8.136]:25) with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) id 1gz22P-000dqM-fa (Exim 4.91) (return-path <dot@dotat.at>); Wed, 27 Feb 2019 16:26:29 +0000
Date: Wed, 27 Feb 2019 16:26:29 +0000
From: Tony Finch <dot@dotat.at>
To: Paul Wouters <paul@nohats.ca>
cc: "Brotman, Alexander" <Alexander_Brotman@comcast.com>,  "art@ietf.org" <art@ietf.org>, "dnsop@ietf.org" <dnsop@ietf.org>,  Stephen Farrell <stephen.farrell@cs.tcd.ie>,  "dbound@ietf.org" <dbound@ietf.org>
In-Reply-To: <alpine.LRH.2.21.1902271037500.21061@bofh.nohats.ca>
Message-ID: <alpine.DEB.2.20.1902271622580.19193@grey.csi.cam.ac.uk>
References: <5de9ba1c3ae34edb9c7f39e0e9c3b143@PACDCEX19.cable.comcast.com> <alpine.LRH.2.21.1902270920580.8896@bofh.nohats.ca> <alpine.LRH.2.21.1902271037500.21061@bofh.nohats.ca>
User-Agent: Alpine 2.20 (DEB 67 2015-01-07)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/CID5e1iRf7tBqzHsJvHijxqC0UY>
Subject: Re: [DNSOP] Related Domains By DNS (RDBD) Draft
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Feb 2019 16:26:38 -0000

Paul Wouters <paul@nohats.ca> wrote:
>
> I do still have a concern that this is using its own signature schemes
> embedded in the records instead of relying on DNSSEC. But I guess
> that's just the world we live in now.

I wonder if it should instead be a SIG(SOA) where the signer is the
primary domain, but I'm not sure what the other bits of this SIG record
should say. Also, I wasn't around when DNSSEC worked like that, so there
are likely to be all sorts of good reasons why this is not a fun and
enticing prospect.

Tony.
-- 
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
no one shall be enslaved by poverty, ignorance, or conformity


From nobody Wed Feb 27 08:37:39 2019
Return-Path: <shollenbeck@verisign.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2F16B130EE1; Wed, 27 Feb 2019 08:37:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.3
X-Spam-Level: 
X-Spam-Status: No, score=-4.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=verisign.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HlnaBQOQMcJf; Wed, 27 Feb 2019 08:37:34 -0800 (PST)
Received: from mail3.verisign.com (mail3.verisign.com [72.13.63.32]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2CD74130EED; Wed, 27 Feb 2019 08:37:33 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=verisign.com; l=2952; q=dns/txt; s=VRSN; t=1551285456; h=from:to:cc:date:message-id:references:in-reply-to: content-transfer-encoding:mime-version:subject; bh=JT9M/KSPdNUb/l00mgdNyYBK8MmLzwKWdNl94+Mj0Us=; b=J2plSh5W5hR2lyouZ63zvEo1wfp+WZJNCBaxskbCdTV/lD6BltjnLfpE eAaS+aNDo8AB2ntTAcjpxmidFz5fBCUVjHyw3mOWXGJuI+QvDMkPP9gqw fYrwwBm9lsqvCW90X0s26uhZleBlCStm2NI9WTGWrWvaMKQxX0bllW2Uu G5zBmyoYv7z7+PIhykFJTBbBWWTwKQpEUcwxyZjHzBN0tYub3jpg+wJoU fk39UWGyc/XZwh+P4YGcnDpI+yExnHcX2nn67S/mBSWnOXYPWAj3vctPc I8ssNWrjcDoTRyWrUUOwoM+Zo5KY9dYLm/b0Ql28JqEzKaDKEDeKppg9/ w==;
X-IronPort-AV: E=Sophos;i="5.58,420,1544486400";  d="scan'208";a="7723570"
Received: from BRN1WNEX02.vcorp.ad.vrsn.com (10.173.153.49) by BRN1WNEX01.vcorp.ad.vrsn.com (10.173.153.48) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1713.5; Wed, 27 Feb 2019 11:37:32 -0500
Received: from BRN1WNEX02.vcorp.ad.vrsn.com ([fe80::7c0a:1cc:5def:9dde]) by BRN1WNEX02.vcorp.ad.vrsn.com ([fe80::7c0a:1cc:5def:9dde%4]) with mapi id 15.01.1713.004; Wed, 27 Feb 2019 11:37:32 -0500
From: "Hollenbeck, Scott" <shollenbeck@verisign.com>
To: "stephen.farrell@cs.tcd.ie" <stephen.farrell@cs.tcd.ie>, "paul@nohats.ca" <paul@nohats.ca>, "Alexander_Brotman@comcast.com" <Alexander_Brotman@comcast.com>
CC: "art@ietf.org" <art@ietf.org>, "dnsop@ietf.org" <dnsop@ietf.org>, "dbound@ietf.org" <dbound@ietf.org>
Thread-Topic: [EXTERNAL] Re: [DNSOP] [dbound]  Related Domains By DNS (RDBD) Draft
Thread-Index: AQHUzrefByxL0Iby3E2AX95fpgituaXz1qOA
Date: Wed, 27 Feb 2019 16:37:32 +0000
Message-ID: <804a305f4d1b40daa6e9ca9b3e97f96d@verisign.com>
References: <5de9ba1c3ae34edb9c7f39e0e9c3b143@PACDCEX19.cable.comcast.com> <alpine.LRH.2.21.1902270920580.8896@bofh.nohats.ca> <alpine.LRH.2.21.1902271037500.21061@bofh.nohats.ca> <alpine.LRH.2.21.1902271053200.21061@bofh.nohats.ca> <d8ac67de-35ec-648c-df0e-662439463ec3@cs.tcd.ie>
In-Reply-To: <d8ac67de-35ec-648c-df0e-662439463ec3@cs.tcd.ie>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [10.170.148.18]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/vZNrtudVjPxAqyhefPH1ExxcafQ>
Subject: Re: [DNSOP] [dbound]  Related Domains By DNS (RDBD) Draft
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Feb 2019 16:37:36 -0000


From nobody Wed Feb 27 08:52:26 2019
Return-Path: <paul@nohats.ca>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 81F3613100F; Wed, 27 Feb 2019 08:52:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level: 
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1Is88ExoKWNF; Wed, 27 Feb 2019 08:52:23 -0800 (PST)
Received: from mx.nohats.ca (mx.nohats.ca [IPv6:2a03:6000:1004:1::68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F3E521310ED; Wed, 27 Feb 2019 08:51:52 -0800 (PST)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 448hY25d53zD0B; Wed, 27 Feb 2019 17:51:50 +0100 (CET)
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id C3He0oqEqrRR; Wed, 27 Feb 2019 17:51:49 +0100 (CET)
Received: from bofh.nohats.ca (bofh.nohats.ca [76.10.157.69]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Wed, 27 Feb 2019 17:51:49 +0100 (CET)
Received: from [192.168.8.34] (nat05.wpe01.151FrontStW01.YYZ.beanfield.com [66.207.198.84]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by bofh.nohats.ca (Postfix) with ESMTPSA id AB6DF5C85B; Wed, 27 Feb 2019 11:51:48 -0500 (EST)
DKIM-Filter: OpenDKIM Filter v2.11.0 bofh.nohats.ca AB6DF5C85B
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (1.0)
From: Paul Wouters <paul@nohats.ca>
X-Mailer: iPhone Mail (16D57)
In-Reply-To: <804a305f4d1b40daa6e9ca9b3e97f96d@verisign.com>
Date: Wed, 27 Feb 2019 11:51:48 -0500
Cc: "stephen.farrell@cs.tcd.ie" <stephen.farrell@cs.tcd.ie>, "Alexander_Brotman@comcast.com" <Alexander_Brotman@comcast.com>, "art@ietf.org" <art@ietf.org>, "dnsop@ietf.org" <dnsop@ietf.org>, "dbound@ietf.org" <dbound@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <A59F2895-6369-4E84-A86B-C6585AB29D83@nohats.ca>
References: <5de9ba1c3ae34edb9c7f39e0e9c3b143@PACDCEX19.cable.comcast.com> <alpine.LRH.2.21.1902270920580.8896@bofh.nohats.ca> <alpine.LRH.2.21.1902271037500.21061@bofh.nohats.ca> <alpine.LRH.2.21.1902271053200.21061@bofh.nohats.ca> <d8ac67de-35ec-648c-df0e-662439463ec3@cs.tcd.ie> <804a305f4d1b40daa6e9ca9b3e97f96d@verisign.com>
To: "Hollenbeck, Scott" <shollenbeck=40verisign.com@dmarc.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/_0W3codGW9vEDvd1YlhHzEVi4zs>
Subject: Re: [DNSOP] [dbound]  Related Domains By DNS (RDBD) Draft
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Feb 2019 16:52:25 -0000

If it is really only a variant, you should just DNAME it to the other domain?

Sent from mobile device

On Feb 27, 2019, at 11:37, Hollenbeck, Scott <shollenbeck=40verisign.com@dmarc.ietf.org> wrote:

>> -----Original Message-----
>> From: DNSOP <dnsop-bounces@ietf.org> On Behalf Of Stephen Farrell
>> Sent: Wednesday, February 27, 2019 11:15 AM
>> To: Paul Wouters <paul@nohats.ca>; Brotman, Alexander
>> <Alexander_Brotman@comcast.com>
>> Cc: art@ietf.org; dnsop@ietf.org; dbound@ietf.org
>> Subject: [EXTERNAL] Re: [DNSOP] [dbound] Related Domains By DNS (RDBD)
>> Draft
>>
>>
>> Hiya,
>>
>>> On 27/02/2019 15:54, Paul Wouters wrote:
>>> How is this data being consumed by the enduser ?
>>
>> Very good question. Sorry for what's likely a longer answer than you want:-)
>>
>> Alex and I chatted about that and I think ended up
>> figuring: a) there are many potential semantics that could be associated with
>> such a linkage, b) we don't yet know what'd be useful, but c) no, we are defo
>> not trying for an EV-like thing and lastly d) we really want to keep this as
>> simple as possible - given there's a lot of feature-creep potential here, and
>> that'd likely be fatal.
>>
>> My own use-case for this relates more to surveys, where I'd like to get a hint
>> that two names are related so I could take that into account. Alex's is more
>> business like (as you'd expect:-) he'd like to be able to feed this kind of
>> linkage information into mail processing, e.g. perhaps to treat some mails as
>> less-likely spam if he sees a link, compared to if he doesn't (with all the other
>> mail processing foo that'd clearly be required to not do that kind of thing
>> stupidly of course). We guess that there'd be other uses too but finding out if
>> this is seen as useful enough that people would publish RR's is part of why
>> we shot out the draft now.
>>
>> We also considered whether or not to e.g. try to add some kind of flag to
>> indicate semantics but reckoned we don't know enough to do that for now.
>
> This might also be useful for IDN variants where some downstream consumer would like to know that two different IDNs are actually "the same". The relationship between variants isn't a parent-child relationship (they're more commonly siblings), but perhaps the concept could be extended to identify sibling relationships, too.
>
> Scott
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop


From nobody Wed Feb 27 09:23:34 2019
Return-Path: <drc@virtualized.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BCC6E13102E for <dnsop@ietfa.amsl.com>; Wed, 27 Feb 2019 09:23:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level: 
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=virtualized-org.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zjaZlfjn-dQc for <dnsop@ietfa.amsl.com>; Wed, 27 Feb 2019 09:23:31 -0800 (PST)
Received: from mail-pf1-x42e.google.com (mail-pf1-x42e.google.com [IPv6:2607:f8b0:4864:20::42e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2F8D413102A for <dnsop@ietf.org>; Wed, 27 Feb 2019 09:23:31 -0800 (PST)
Received: by mail-pf1-x42e.google.com with SMTP id n22so8323942pfa.3 for <dnsop@ietf.org>; Wed, 27 Feb 2019 09:23:31 -0800 (PST)
X-Received: by 2002:a63:9dc3:: with SMTP id i186mr3948537pgd.305.1551288210360;  Wed, 27 Feb 2019 09:23:30 -0800 (PST)
Received: from [10.32.61.11] (32-236.lax.icann.org. [192.0.32.236]) by smtp.gmail.com with ESMTPSA id e63sm31993148pfa.116.2019.02.27.09.23.27 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 27 Feb 2019 09:23:29 -0800 (PST)
Content-Type: multipart/signed; boundary="Apple-Mail=_0223F428-57F0-4A94-92FB-A199C8BE62D4"; protocol="application/pgp-signature"; micalg=pgp-sha512
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
From: David Conrad <drc@virtualized.org>
In-Reply-To: <f14544d37a774907a7cc76ab5bdb8b72@PACDCEX19.cable.comcast.com>
Date: Wed, 27 Feb 2019 18:23:22 +0100
Cc: Paul Wouters <paul@nohats.ca>, "art@ietf.org" <art@ietf.org>, "dnsop@ietf.org" <dnsop@ietf.org>, "dbound@ietf.org" <dbound@ietf.org>, Stephen Farrell <stephen.farrell@cs.tcd.ie>
X-Mailbutler-Message-Id: 836038D5-D2BE-4039-88D3-6AE159723752
Message-Id: <3E32ABA2-6E8E-4E92-A5FB-F194CFC62A5D@virtualized.org>
References: <5de9ba1c3ae34edb9c7f39e0e9c3b143@PACDCEX19.cable.comcast.com> <alpine.LRH.2.21.1902270920580.8896@bofh.nohats.ca> <f14544d37a774907a7cc76ab5bdb8b72@PACDCEX19.cable.comcast.com>
To: "Brotman, Alexander" <Alexander_Brotman@comcast.com>
X-Mailer: Apple Mail (2.3445.102.3)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/BKotBJpWvLwSyf9FBVX1z3dh2BQ>
Subject: Re: [DNSOP] [dbound]  Related Domains By DNS (RDBD) Draft
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Feb 2019 17:23:33 -0000

--Apple-Mail=_0223F428-57F0-4A94-92FB-A199C8BE62D4
Content-Type: multipart/alternative;
	boundary="Apple-Mail=_3E667665-0034-466B-9B15-9669C6E4FC0A"


--Apple-Mail=_3E667665-0034-466B-9B15-9669C6E4FC0A
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=us-ascii

Alexander,

On Feb 27, 2019, at 4:32 PM, Brotman, Alexander <Alexander_Brotman@comcast.com> wrote:
> I'm supportive of doing this in other ways, but also understand that DNSSEC is not widely deployed.

There is a difference between not being deployed and not being turned
on.  My impression is that most DNS servers these days support DNSSEC,
however it has largely not been enabled.  If you are going to be putting
stuff into the DNS for security decisions, you need to protect that
stuff and that means turning on DNSSEC.

Regards,
-drc




--Apple-Mail=_3E667665-0034-466B-9B15-9669C6E4FC0A--

--Apple-Mail=_0223F428-57F0-4A94-92FB-A199C8BE62D4--


From nobody Wed Feb 27 09:26:13 2019
Return-Path: <johnl@iecc.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B3D30130FE9 for <dnsop@ietfa.amsl.com>; Wed, 27 Feb 2019 09:26:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level: 
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9,  DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001,  URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1536-bit key) header.d=iecc.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jIeYBqy2CpE9 for <dnsop@ietfa.amsl.com>; Wed, 27 Feb 2019 09:26:05 -0800 (PST)
Received: from gal.iecc.com (gal.iecc.com [IPv6:2001:470:1f07:1126:0:43:6f73:7461]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5122B130EE1 for <dnsop@ietf.org>; Wed, 27 Feb 2019 09:26:05 -0800 (PST)
Received: (qmail 6603 invoked from network); 27 Feb 2019 17:26:04 -0000
Received: from localhost ([IPv6:2001:470:1f07:1126::78:696d:6170]) by imap.iecc.com ([IPv6:2001:470:1f07:1126::78:696d:6170]) with ESMTP via TCP6; 27 Feb 2019 17:26:04 -0000
Date: 27 Feb 2019 12:26:03 -0500
Message-ID: <alpine.OSX.2.21.1902271223230.16715@ary.local>
From: "John R. Levine" <johnl@iecc.com>
Reply-To: dbound@ietf.org
To: "Stephen Farrell" <stephen.farrell@cs.tcd.ie>
Cc: "art@ietf.org" <art@ietf.org>, "dnsop@ietf.org" <dnsop@ietf.org>, "dbound@ietf.org" <dbound@ietf.org>
In-Reply-To: <8cbf0062-35c6-a8bd-e809-c6a5e9ce16c8@cs.tcd.ie>
References: <5de9ba1c3ae34edb9c7f39e0e9c3b143@PACDCEX19.cable.comcast.com> <alpine.LRH.2.21.1902270920580.8896@bofh.nohats.ca> <alpine.LRH.2.21.1902271037500.21061@bofh.nohats.ca> <8cbf0062-35c6-a8bd-e809-c6a5e9ce16c8@cs.tcd.ie>
User-Agent: Alpine 2.21 (OSX 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII; format=flowed
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/RMyiu1_rdfK1O_Z7IbDCzuA5w3Q>
Subject: Re: [DNSOP] [dbound]  Related Domains By DNS (RDBD) Draft
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Feb 2019 17:26:08 -0000

> new signatures), I myself only copped on that this could
> be of some use where the primary has DNSSEC but where the
> secondary doesn't, which is maybe interesting.

In that case, the primary can just publish pointers to the secondaries, 
and we're done.

The DKIM-like signatures have an odd model where the primary has enough 
control over its DNS to publish the validation key, and enough to give the 
secondaries signed records for their names they can publish that point 
back to that key, but not enough just to publish the secondaries' names 
directly.  I don't get it.

Regards,
John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly


From nobody Wed Feb 27 10:38:56 2019
Return-Path: <mellon@fugue.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 18AE213102A for <dnsop@ietfa.amsl.com>; Wed, 27 Feb 2019 10:38:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fugue-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vAupMotPA0JS for <dnsop@ietfa.amsl.com>; Wed, 27 Feb 2019 10:38:52 -0800 (PST)
Received: from mail-qk1-x744.google.com (mail-qk1-x744.google.com [IPv6:2607:f8b0:4864:20::744]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EBB501310AB for <dnsop@ietf.org>; Wed, 27 Feb 2019 10:38:51 -0800 (PST)
Received: by mail-qk1-x744.google.com with SMTP id i5so10460050qkd.13 for <dnsop@ietf.org>; Wed, 27 Feb 2019 10:38:51 -0800 (PST)
X-Received: by 2002:a05:620a:1362:: with SMTP id d2mr3373237qkl.210.1551292730827;  Wed, 27 Feb 2019 10:38:50 -0800 (PST)
Received: from [10.0.100.12] (c-73-186-137-119.hsd1.nh.comcast.net. [73.186.137.119]) by smtp.gmail.com with ESMTPSA id o26sm8915764qkk.51.2019.02.27.10.38.49 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 27 Feb 2019 10:38:49 -0800 (PST)
From: Ted Lemon <mellon@fugue.com>
Message-Id: <CF78A911-D3BD-47C0-B25D-CCD359FFCC5B@fugue.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_9E73AE07-C186-4A6D-83C3-51E8CDC2460C"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.2\))
Date: Wed, 27 Feb 2019 13:38:46 -0500
In-Reply-To: <8cbf0062-35c6-a8bd-e809-c6a5e9ce16c8@cs.tcd.ie>
Cc: Paul Wouters <paul@nohats.ca>, "Brotman, Alexander" <Alexander_Brotman@comcast.com>, "art@ietf.org" <art@ietf.org>, "dnsop@ietf.org" <dnsop@ietf.org>, "dbound@ietf.org" <dbound@ietf.org>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
References: <5de9ba1c3ae34edb9c7f39e0e9c3b143@PACDCEX19.cable.comcast.com> <alpine.LRH.2.21.1902270920580.8896@bofh.nohats.ca> <alpine.LRH.2.21.1902271037500.21061@bofh.nohats.ca> <8cbf0062-35c6-a8bd-e809-c6a5e9ce16c8@cs.tcd.ie>
X-Mailer: Apple Mail (2.3445.104.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/KQCwjpoMwvyHmpcv9rWxJxPAqz4>
Subject: Re: [DNSOP] [dbound]  Related Domains By DNS (RDBD) Draft
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Feb 2019 18:38:54 -0000

--Apple-Mail=_9E73AE07-C186-4A6D-83C3-51E8CDC2460C
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8

On Feb 27, 2019, at 10:57 AM, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:
> Yep. After both domains have DNSSEC, then this could all be
> simpler. Before they do, there may be value in the sigs though
> see John's simplification suggestion at [1].

If they don’t have DNSSEC, what’s the point of saying
the domains are related anyway?   What are the security properties of
such an assertion when the content of the zones can’t be
validated?




--Apple-Mail=_9E73AE07-C186-4A6D-83C3-51E8CDC2460C--


From nobody Wed Feb 27 11:50:22 2019
Return-Path: <sca@andreasschulze.de>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CF87F1310EA for <dnsop@ietfa.amsl.com>; Wed, 27 Feb 2019 11:50:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.3
X-Spam-Level: 
X-Spam-Status: No, score=-4.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=andreasschulze.de header.b=OZhIqsYC; dkim=pass (2048-bit key) header.d=andreasschulze.de header.b=SBJFM8/O
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8isgf-Oovgq3 for <dnsop@ietfa.amsl.com>; Wed, 27 Feb 2019 11:50:16 -0800 (PST)
Received: from mta.somaf.de (mta.somaf.de [IPv6:2001:470:77b3:103::25]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 14BEC131129 for <dnsop@ietf.org>; Wed, 27 Feb 2019 11:50:14 -0800 (PST)
To: dnsop@ietf.org
References: <5de9ba1c3ae34edb9c7f39e0e9c3b143@PACDCEX19.cable.comcast.com>
From: "A. Schulze" <sca@andreasschulze.de>
Message-ID: <4382d0c5-4cc2-82a1-3fe5-8ffa42cfafdd@andreasschulze.de>
Date: Wed, 27 Feb 2019 20:50:10 +0100
MIME-Version: 1.0
In-Reply-To: <5de9ba1c3ae34edb9c7f39e0e9c3b143@PACDCEX19.cable.comcast.com>
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/rCfEFP3xfbx6wqCTHiL-vOXn-WA>
Subject: Re: [DNSOP] Related Domains By DNS (RDBD) Draft
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Feb 2019 19:50:20 -0000

On 25.02.19 at 21:38, Brotman, Alexander wrote:
> https://datatracker.ietf.org/doc/draft-brotman-rdbd/

Hello @all,

I read the draft. Interesting idea ...

page 3: s/namess/names/

page 3: "sample TXT record for the parent domain..."
Why should the record contain an "s=2018a"? Isn't the selector name already defined by the label itself?

6.2. a.com->b.com->c.com->a.com
Isn't it better to use the example domain? "a.example -> b.example -> c.example -> a.example"

Is there a reason that loops only *SHOULD* end after 3 lookups?
SPF, for example, has a *hard* limit of 10 lookups (https://tools.ietf.org/html/rfc7208#section-4.6.4)

Page 6 / example:
"The published record would be: ..."
I'm missing the label *where* this record would be published.

Just an idea: is this something we could work on during the IETF 104 hackathon?

Andreas


From nobody Wed Feb 27 11:59:04 2019
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E6B681310AC; Wed, 27 Feb 2019 11:58:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.3
X-Spam-Level: 
X-Spam-Status: No, score=-4.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cs.tcd.ie
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GDkOAbrJN8ca; Wed, 27 Feb 2019 11:58:51 -0800 (PST)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6ADF6128766; Wed, 27 Feb 2019 11:58:51 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 5933ABE38; Wed, 27 Feb 2019 19:58:49 +0000 (GMT)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jqtky8thXEOZ; Wed, 27 Feb 2019 19:58:47 +0000 (GMT)
Received: from [10.244.2.138] (95-45-153-252-dynamic.agg2.phb.bdt-fng.eircom.net [95.45.153.252]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 80798BE2C; Wed, 27 Feb 2019 19:58:47 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1551297527; bh=EfZWAJM7HFVHBPoaRb05+zRBWNTOy/zK5XJEIzU5JUo=; h=Subject:To:Cc:References:From:Date:In-Reply-To:From; b=fMa9NfeHWiBKbj5uFNhymt3HGQu0i8qBfacvIIJwDR/Doeu4ImatVH7Jw8GGrtwVI Y8IRUJxdBSXQ0Dx9CV+tn8hwPub8LqlGVGGmpkogDixo7uTo5nygi5THfXNMY6nHEO mq53UOc196s774xH8yBOAKHgMwzOuvXRAXTo91s0=
To: Ted Lemon <mellon@fugue.com>
Cc: "art@ietf.org" <art@ietf.org>, "Brotman, Alexander" <Alexander_Brotman@comcast.com>, Paul Wouters <paul@nohats.ca>, "dnsop@ietf.org" <dnsop@ietf.org>, "dbound@ietf.org" <dbound@ietf.org>
References: <5de9ba1c3ae34edb9c7f39e0e9c3b143@PACDCEX19.cable.comcast.com> <alpine.LRH.2.21.1902270920580.8896@bofh.nohats.ca> <alpine.LRH.2.21.1902271037500.21061@bofh.nohats.ca> <8cbf0062-35c6-a8bd-e809-c6a5e9ce16c8@cs.tcd.ie> <CF78A911-D3BD-47C0-B25D-CCD359FFCC5B@fugue.com>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=5BB5A6EA5765D2C5863CAE275AB2FAF17B172BEA; url=
Message-ID: <249a56b6-7bf6-d1e3-2639-0f2d8043aa3e@cs.tcd.ie>
Date: Wed, 27 Feb 2019 19:58:46 +0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.5.1
MIME-Version: 1.0
In-Reply-To: <CF78A911-D3BD-47C0-B25D-CCD359FFCC5B@fugue.com>
Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="b3qZP7poFqdgO1rwluqh5E64zA1Mjz3vT"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Q0dfR3WE-E-FvUtBQG_QGMDNy0A>
Subject: Re: [DNSOP] [art]  [dbound] Related Domains By DNS (RDBD) Draft
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Feb 2019 19:58:55 -0000

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--b3qZP7poFqdgO1rwluqh5E64zA1Mjz3vT
Content-Type: multipart/mixed; boundary="AO36SZebxzHqFuuCwdF9NWGgISddqlCmP";
 protected-headers="v1"
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
To: Ted Lemon <mellon@fugue.com>
Cc: "art@ietf.org" <art@ietf.org>,
 "Brotman, Alexander" <Alexander_Brotman@comcast.com>,
 Paul Wouters <paul@nohats.ca>, "dnsop@ietf.org" <dnsop@ietf.org>,
 "dbound@ietf.org" <dbound@ietf.org>
Message-ID: <249a56b6-7bf6-d1e3-2639-0f2d8043aa3e@cs.tcd.ie>
Subject: Re: [art] [DNSOP] [dbound] Related Domains By DNS (RDBD) Draft
References: <5de9ba1c3ae34edb9c7f39e0e9c3b143@PACDCEX19.cable.comcast.com>
 <alpine.LRH.2.21.1902270920580.8896@bofh.nohats.ca>
 <alpine.LRH.2.21.1902271037500.21061@bofh.nohats.ca>
 <8cbf0062-35c6-a8bd-e809-c6a5e9ce16c8@cs.tcd.ie>
 <CF78A911-D3BD-47C0-B25D-CCD359FFCC5B@fugue.com>
In-Reply-To: <CF78A911-D3BD-47C0-B25D-CCD359FFCC5B@fugue.com>

--AO36SZebxzHqFuuCwdF9NWGgISddqlCmP
Content-Type: multipart/mixed;
 boundary="------------F55017405A9D9B9208775EFC"
Content-Language: en-GB

This is a multi-part message in MIME format.
--------------F55017405A9D9B9208775EFC
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable


Answering two for the price of one...

On 27/02/2019 17:26, John R. Levine wrote:
>> new signatures), I myself only copped on that this could
>> be of some use where the primary has DNSSEC but where the
>> secondary doesn't, which is maybe interesting.
>
> In that case, the primary can just publish pointers to the secondaries,
> and we're done.
>
> The DKIM-like signatures have an odd model where the primary has enough
> control over its DNS to publish the validation key, and enough to give
> the secondaries signed records for their names they can publish that
> point back to that key, but not enough just to publish the secondaries'
> names directly.  I don't get it.

That could work, but'd mean the primary having to store
all the records and an extra lookup even if you had the
public key cached. I believe the former could be an issue
if there are many secondaries, at least according to one
chat I had with someone involved with many domains (which
I'm not). I think the design in our -00 is a bit better
than that, but not hugely better and it's ok we can disagree
about it - if this goes somewhere there'll be plenty of
time to thrash it out as we go.

On 27/02/2019 18:38, Ted Lemon wrote:
> On Feb 27, 2019, at 10:57 AM, Stephen Farrell
> <stephen.farrell@cs.tcd.ie> wrote:
>> Yep. After both domains have DNSSEC, then this could all be
>> simpler. Before they do, there may be value in the sigs though see
>> John's simplification suggestion at [1].
>
> If they don’t have DNSSEC, what’s the point of saying the domains
> are related anyway?   What are the security properties of such an
> assertion when the content of the zones can’t be validated?

The point of making the assertion would be in the eye of the
beholder. The level of confidence one might have in such an
assertion (without DNSSEC) should of course be lower. But we
do work without DNSSEC for almost everything today so I'm
not convinced "no DNSSEC" => can't be done here. (And again,
the use-cases we've discussed are not high-security ones.)

FWIW, I am a fan of DNSSEC, deploy it for domains I control,
and do consider that despite its gnarliness it provides
real benefits. But I don't believe we can seriously require
it as a pre-requisite for almost anything today, and nor do
I believe that our proposal, if it goes ahead would by itself
cause people to deploy DNSSEC. So ISTM that making DNSSEC a
MUST-use isn't the right approach in this case.

Cheers,
S.



--------------F55017405A9D9B9208775EFC--

--AO36SZebxzHqFuuCwdF9NWGgISddqlCmP--

--b3qZP7poFqdgO1rwluqh5E64zA1Mjz3vT--


From nobody Wed Feb 27 14:19:55 2019
Return-Path: <msheldon@godaddy.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1987F131176; Wed, 27 Feb 2019 14:19:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level: 
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=secureservernet.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0ZuJmlpOxTqc; Wed, 27 Feb 2019 14:19:36 -0800 (PST)
Received: from NAM02-SN1-obe.outbound.protection.outlook.com (mail-eopbgr770137.outbound.protection.outlook.com [40.107.77.137]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 82877131170; Wed, 27 Feb 2019 14:19:36 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=secureservernet.onmicrosoft.com; s=selector1-godaddy-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=XkBvrNK7wv7LxPi5gALoK1PlGuaiIIaunTbrl4JCtqQ=; b=5q1PMALQ1aMUjkdrrsxCw6i6w0lpcYVk593WgsZ1otolBy93RmPgHtGLzTD3UO9FHktS2CdfA9rWZzQI7DjYp9BPqh/AR+AldJqCeOmodNDfGS6I8h2xfEHXI2BhoJr8QaFYeVoFbwMvK4Q60WLSQRZLUbQJOHMCOXj9zlHCtu8=
Received: from BYAPR02MB5190.namprd02.prod.outlook.com (20.177.124.15) by BYAPR02MB5672.namprd02.prod.outlook.com (20.177.230.150) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1643.18; Wed, 27 Feb 2019 22:19:33 +0000
Received: from BYAPR02MB5190.namprd02.prod.outlook.com ([fe80::d4e7:ce1a:9ae0:d53]) by BYAPR02MB5190.namprd02.prod.outlook.com ([fe80::d4e7:ce1a:9ae0:d53%3]) with mapi id 15.20.1643.019; Wed, 27 Feb 2019 22:19:33 +0000
From: "Michael J. Sheldon" <msheldon@godaddy.com>
To: "Brotman, Alexander" <Alexander_Brotman@comcast.com>, "art@ietf.org" <art@ietf.org>, "dbound@ietf.org" <dbound@ietf.org>
CC: "dnsop@ietf.org" <dnsop@ietf.org>, Stephen Farrell <stephen.farrell@cs.tcd.ie>
Thread-Topic: [DNSOP] Related Domains By DNS (RDBD) Draft
Thread-Index: AdTNSNgC8Q46/YWfTPCiSrkXJ1OYgQBoaqiA
Date: Wed, 27 Feb 2019 22:19:33 +0000
Message-ID: <e7164475-8289-91dd-a5ae-e0f043e2e347@godaddy.com>
References: <5de9ba1c3ae34edb9c7f39e0e9c3b143@PACDCEX19.cable.comcast.com>
In-Reply-To: <5de9ba1c3ae34edb9c7f39e0e9c3b143@PACDCEX19.cable.comcast.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [2600:8800:2800:8db:6a6e:1d88:205:32e2]
x-clientproxiedby: BYAPR08CA0051.namprd08.prod.outlook.com (2603:10b6:a03:117::28) To BYAPR02MB5190.namprd02.prod.outlook.com (2603:10b6:a03:68::15)
authentication-results: spf=none (sender IP is ) smtp.mailfrom=msheldon@godaddy.com; 
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 71997c7f-9c80-4a02-3407-08d69d01a65b
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600127)(711020)(4605104)(4618075)(2017052603328)(7153060)(7193020); SRVR:BYAPR02MB5672; 
x-ms-traffictypediagnostic: BYAPR02MB5672:
x-ms-exchange-purlcount: 2
x-microsoft-antispam-prvs: <BYAPR02MB5672A7E689DAC9017CFD8535DB740@BYAPR02MB5672.namprd02.prod.outlook.com>
x-forefront-prvs: 0961DF5286
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(136003)(39860400002)(346002)(366004)(376002)(396003)(189003)(199004)(6486002)(31686004)(6436002)(6512007)(6306002)(2906002)(99286004)(110136005)(54906003)(71200400001)(71190400001)(2616005)(4326008)(486006)(25786009)(476003)(478600001)(14444005)(316002)(296002)(256004)(11346002)(966005)(14454004)(86362001)(46003)(52116002)(305945005)(106356001)(97736004)(7736002)(36756003)(446003)(6116002)(68736007)(2201001)(105586002)(229853002)(53936002)(2501003)(386003)(6506007)(81156014)(8936002)(8676002)(81166006)(102836004)(31696002)(5660300002)(76176011)(6246003)(186003)(53546011); DIR:OUT; SFP:1102; SCL:1; SRVR:BYAPR02MB5672; H:BYAPR02MB5190.namprd02.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1; 
received-spf: None (protection.outlook.com: godaddy.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
Content-Type: text/plain; charset="utf-8"
Content-ID: <E7811A1362ED3A479911CC1DD230087C@namprd02.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: godaddy.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 71997c7f-9c80-4a02-3407-08d69d01a65b
X-MS-Exchange-CrossTenant-originalarrivaltime: 27 Feb 2019 22:19:32.8925 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-id: d5f1622b-14a3-45a6-b069-003f8dc4851f
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BYAPR02MB5672
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/KVwgUg21aw1qPXkmytDrfmvTIrc>
Subject: Re: [DNSOP] Related Domains By DNS (RDBD) Draft
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Feb 2019 22:19:39 -0000

From nobody Wed Feb 27 18:03:45 2019
Return-Path: <johnl@iecc.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7F730130ECF for <dnsop@ietfa.amsl.com>; Wed, 27 Feb 2019 18:03:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level: 
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1536-bit key) header.d=iecc.com header.b=B5HqItVX; dkim=pass (1536-bit key) header.d=taugh.com header.b=fzQHZ/YR
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZyAZtvyMPYkC for <dnsop@ietfa.amsl.com>; Wed, 27 Feb 2019 18:03:35 -0800 (PST)
Received: from gal.iecc.com (gal.iecc.com [IPv6:2001:470:1f07:1126:0:43:6f73:7461]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E62F612E04D for <dnsop@ietf.org>; Wed, 27 Feb 2019 18:03:34 -0800 (PST)
Received: (qmail 70194 invoked from network); 28 Feb 2019 02:03:33 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=iecc.com; h=date:message-id:from:reply-to:to:cc:subject:in-reply-to:mime-version:content-type:content-transfer-encoding; s=11230.5c774175.k1902; bh=2f2OxB/3AD+cX0MyYgUBXX9iSAv7iAVj90ce5T0Qa/4=; b=B5HqItVX98OCOYRAtf1v79QtU1IZ7uMhWC/y1xKBGxVrrjQJvwY6JQk4ms7aMeRSc+t4YSMiL7/J/w5N4D2yPXkZrH4KNofQ0PDvPSneYeB8fxNm4c19muMIFR4Yava/Dbc9hDX4DgXUCZG3WYWmBKi9DWVdrK4L0gkCa0TEofrulpkPvjP4Q9DuJ/CxwiREJOTCaxyG5Q9pB1uIpMk7b6bkUlcBsPOBsq8myJEMWjk/Ty9DHgADZNP1SdQ1aspd
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=taugh.com; h=date:message-id:from:reply-to:to:cc:subject:in-reply-to:mime-version:content-type:content-transfer-encoding; s=11230.5c774175.k1902; bh=2f2OxB/3AD+cX0MyYgUBXX9iSAv7iAVj90ce5T0Qa/4=; b=fzQHZ/YR6kf/ctlixBs1XIGkIrL1N6h2r4NmFjOXu4L8IQkBoY+1RDWAHixdnul7owB4ZOb9eyNl78xhW66pBoe55hgVz9fP0D2Q/NW+GE3O7dnTlsy+3syS4knaNQeze7M3vx1ajL+/v9DgfY1Y1UOlu+QbLJ2fG/aAWGh1rCfNmSh6YI7E1R3L4DCk28mBQwa9geVqYCNyXXgOZlFleb0Cg8HG70aYmEpT49+YIhUUc/adR2lJpJV73+AD4c5P
Received: from ary.local ([IPv6:2001:470:1f07:1126::78:696d:6170]) by imap.iecc.com ([IPv6:2001:470:1f07:1126::78:696d:6170]) with ESMTP via TCP6; 28 Feb 2019 02:03:32 -0000
Received: by ary.local (Postfix, from userid 501) id D2112200F6CEC9; Wed, 27 Feb 2019 21:03:32 -0500 (EST)
Date: 27 Feb 2019 21:03:32 -0500
Message-Id: <20190228020332.D2112200F6CEC9@ary.local>
From: "John Levine" <johnl@taugh.com>
Reply-To: dbound@ietf.org
To: art@ietf.org, dbound@ietf.org, dnsop@ietf.org
Cc: stephen.farrell@cs.tcd.ie
In-Reply-To: <249a56b6-7bf6-d1e3-2639-0f2d8043aa3e@cs.tcd.ie>
Organization: Taughannock Networks
X-Headerized: yes
Mime-Version: 1.0
Content-type: text/plain; charset=utf-8
Content-transfer-encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/CGqJ3MrtQBvwCCteI5RdV4ck_wk>
Subject: Re: [DNSOP] [art]  [dbound] Related Domains By DNS (RDBD) Draft
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Feb 2019 02:03:38 -0000

In article <249a56b6-7bf6-d1e3-2639-0f2d8043aa3e@cs.tcd.ie> you write:
>> point back to that key, but not enough just to publish the secondaries'
>> names directly.  I don't get it.
>
>That could work, but'd mean the primary having to store
>all the records and an extra lookup even if you had the
>public key cached. I believe the former could be an issue
>if there are many secondaries, at least according to one
>chat I had with someone involved with many domains (which
>I'm not).

Well, OK, if that's an issue you spread the names out like we did with
VBR.  If the primary is foo.com and the secondary is bar.org:

bar.org._same.foo.com. SAME .	; yes, we're a primary for whatever name that was

_same.bar.org. SAME foo.com. ; yes, we're secondary for foo.com.

This makes it somewhat more difficult to scrape all the secondaries
for a primary which may be a feature.

R's,
John
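
The two-record check sketched in the message above, as an added example that is not part of the original message. SAME is the record type proposed in the message, not a registered DNS type; the ZONE table, the function names and the evil.example and old.example entries are constructed for illustration.

```python
# Added illustration of the two-way SAME check described in the message.
# SAME is the record type sketched there, not a registered DNS RR type.
# ZONE is constructed sample data standing in for DNS answers, so the
# check runs offline; a real verifier would query a resolver instead.


def norm(name):
    """Lower-case a domain name and make it absolute (trailing dot)."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


# (owner name, type) -> list of targets. Constructed sample data.
ZONE = {
    # foo.com confirms bar.org, and bar.org points back at foo.com.
    ("bar.org._same.foo.com.", "SAME"): ["."],
    ("_same.bar.org.", "SAME"): ["foo.com."],
    # evil.example claims foo.com as primary; foo.com publishes nothing back.
    ("_same.evil.example.", "SAME"): ["foo.com."],
    # foo.com still lists old.example, but old.example no longer points back.
    ("old.example._same.foo.com.", "SAME"): ["."],
}


def lookup(owner, rrtype, zone=ZONE):
    """Return the targets published at owner/rrtype, or an empty list."""
    return zone.get((norm(owner), rrtype), [])


def primary_owner(primary, secondary):
    """Name the primary publishes at: <secondary>._same.<primary>"""
    return norm(secondary) + "_same." + norm(primary)


def secondary_owner(secondary):
    """Name the secondary publishes at: _same.<secondary>"""
    return "_same." + norm(secondary)


def check_relation(primary, secondary, zone=ZONE):
    """Classify the relation claim between two names.

    'confirmed'      both sides publish matching SAME records
    'secondary-only' only the secondary claims the primary (unilateral)
    'primary-only'   only the primary lists the secondary (stale or pending)
    'none'           neither record exists
    """
    # Primary side: one lookup at a name derived from the secondary, so a
    # verifier must already know the secondary; there is no list to scrape.
    p_ok = "." in lookup(primary_owner(primary, secondary), "SAME", zone)

    # Secondary side: the target must be exactly the primary being checked.
    targets = [norm(t) for t in lookup(secondary_owner(secondary), "SAME", zone)]
    s_ok = norm(primary) in targets

    if p_ok and s_ok:
        return "confirmed"
    if s_ok:
        return "secondary-only"
    if p_ok:
        return "primary-only"
    return "none"


if __name__ == "__main__":
    for sec in ("bar.org", "evil.example", "old.example", "nobody.example"):
        print(sec, "->", check_relation("foo.com", sec))
```

Only the "confirmed" result reflects agreement from both zones; a verifier that accepts "secondary-only" lets any domain attach itself to foo.com.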


From nobody Wed Feb 27 18:17:38 2019
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BA97412D861; Wed, 27 Feb 2019 18:17:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.3
X-Spam-Level: 
X-Spam-Status: No, score=-4.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cs.tcd.ie
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xdPKpx529MBK; Wed, 27 Feb 2019 18:17:13 -0800 (PST)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4CF8F12867A; Wed, 27 Feb 2019 18:17:12 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 0652CBE38; Thu, 28 Feb 2019 02:17:11 +0000 (GMT)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nMwa39mSk4Tv; Thu, 28 Feb 2019 02:17:05 +0000 (GMT)
Received: from [10.244.2.138] (95-45-153-252-dynamic.agg2.phb.bdt-fng.eircom.net [95.45.153.252]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 42DD0BE2E; Thu, 28 Feb 2019 02:17:05 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1551320225; bh=iLJO6W/VnwdnWiLFwtvRdr/a7qzja/OS7IBfZ1v4wUc=; h=Subject:To:References:From:Date:In-Reply-To:From; b=UBDNpGGTzUtD71KyupAPQKXRU6oOPy3tQq7nDm/CCuqcrZlygmXcuA+9IuNadAFBK MCUNq5t6rrCcGF1a0q07dUgI6DxOs2m0IhHtK38ouvUXQAMUkMfuATtgbr0+LU0lCO siK+DRwlB+p36URWHHikfM4JRTlIiUj/MQirOKaY=
To: dbound@ietf.org, John Levine <johnl@taugh.com>, art@ietf.org, dnsop@ietf.org
References: <20190228020332.D2112200F6CEC9@ary.local>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=5BB5A6EA5765D2C5863CAE275AB2FAF17B172BEA; url=
Message-ID: <7af62833-8ec7-df92-9241-1f8ce92b0d9a@cs.tcd.ie>
Date: Thu, 28 Feb 2019 02:17:04 +0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.5.1
MIME-Version: 1.0
In-Reply-To: <20190228020332.D2112200F6CEC9@ary.local>
Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="sMv3FW3LtF0KIqRUXDWYuFZ5pAd3QLiW2"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/H4_rPDMR09oWQSv3jI3rg0rzpIs>
Subject: Re: [DNSOP] [dbound] [art]  Related Domains By DNS (RDBD) Draft
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Feb 2019 02:17:16 -0000

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--sMv3FW3LtF0KIqRUXDWYuFZ5pAd3QLiW2
Content-Type: multipart/mixed; boundary="UYUJECyKkq4ux6B6gdTPyFvVifizikgVj";
 protected-headers="v1"
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
To: dbound@ietf.org, John Levine <johnl@taugh.com>, art@ietf.org,
 dnsop@ietf.org
Message-ID: <7af62833-8ec7-df92-9241-1f8ce92b0d9a@cs.tcd.ie>
Subject: Re: [dbound] [art] [DNSOP] Related Domains By DNS (RDBD) Draft
References: <20190228020332.D2112200F6CEC9@ary.local>
In-Reply-To: <20190228020332.D2112200F6CEC9@ary.local>

--UYUJECyKkq4ux6B6gdTPyFvVifizikgVj
Content-Type: multipart/mixed;
 boundary="------------1C526C24358E2DB43434235C"
Content-Language: en-GB

This is a multi-part message in MIME format.
--------------1C526C24358E2DB43434235C
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable


Hiya,

On 28/02/2019 02:03, John Levine wrote:
> Well, OK, if that's an issue you spread the names out like we did with
> VBR.  If the primary is foo.com and the secondary is bar.org:
>
> bar.org._same.foo.com. SAME .  ; yes, we're a primary for whatever name that was
>
> _same.bar.org. SAME foo.com. ; yes, we're secondary for foo.com.
>
> This makes it somewhat more difficult to scrape all the secondaries
> for a primary which may be a feature.

Yep, that could work. I still prefer the design in our
-00 though (sorry:-) as in your scheme here foo.com's zone
will have to change with every change in a linkage whereas
in the -00 design, changes are only needed in each of the
bar.org zones that actually do change. (I think the counter
to that might relate to difficulty in synchronising changes
to keys/selectors in our -00 design which can have unexpected
effects as we saw in the case of DKIM and a particular mail
corpus leak in 2016;-).

To be clear: for my purposes I'd be ok with various of the
designs we've been discussing - even if I think some are
better than others, they're nearly equally ok. I think the
main thing is to try keep it simple (as you've been doing)
and to try find out if people might publish such values
(absent which, there's not much point in publishing an RFC).

Cheers,
S.

--------------1C526C24358E2DB43434235C
Content-Type: application/pgp-keys;
 name="0x5AB2FAF17B172BEA.asc"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment;
 filename="0x5AB2FAF17B172BEA.asc"


--------------1C526C24358E2DB43434235C--

--UYUJECyKkq4ux6B6gdTPyFvVifizikgVj--

--sMv3FW3LtF0KIqRUXDWYuFZ5pAd3QLiW2
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"


--sMv3FW3LtF0KIqRUXDWYuFZ5pAd3QLiW2--


From nobody Wed Feb 27 18:26:09 2019
Return-Path: <johnl@taugh.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 11718130DE5 for <dnsop@ietfa.amsl.com>; Wed, 27 Feb 2019 18:26:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level: 
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9,  DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001,  URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1536-bit key) header.d=iecc.com header.b=emMCvgpa; dkim=pass (1536-bit key) header.d=taugh.com header.b=e+3HvQXz
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HJG9OzVj6abG for <dnsop@ietfa.amsl.com>; Wed, 27 Feb 2019 18:26:05 -0800 (PST)
Received: from gal.iecc.com (gal.iecc.com [IPv6:2001:470:1f07:1126:0:43:6f73:7461]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B7AB112D861 for <dnsop@ietf.org>; Wed, 27 Feb 2019 18:26:04 -0800 (PST)
Received: (qmail 77842 invoked from network); 28 Feb 2019 02:26:02 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=iecc.com; h=date:message-id:from:reply-to:to:cc:subject:in-reply-to:references:mime-version:content-type:user-agent; s=13010.5c7746ba.k1902; bh=Wxb+hi/5EMyLFyUCETSfRwCTOLBNlQBTbflQPi1EI+o=; b=emMCvgpaOSescRVqB9Ao9w/lhZBFh05qn0Rdsovxtt7LyKkd28WBSfCKXO8dVYMIosDzRRRMMwl/pwpDwF2VUdajOCWvNqGi4EORhzD7/xkN++qnIFblN5H9BYVU8xE01/iVb/U5ueKFoTBKcUJUp7UGZO8vgG29IXyWxJRZ+i2yk15cPnxfMzqohPReUGIhX4500JYVlxD+xqqF+59hGtfIBIR7jvLofjXhgqm4dOKRgJeNvnUB1JeQYf0QyaQn
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=taugh.com; h=date:message-id:from:reply-to:to:cc:subject:in-reply-to:references:mime-version:content-type:user-agent; s=13010.5c7746ba.k1902; bh=Wxb+hi/5EMyLFyUCETSfRwCTOLBNlQBTbflQPi1EI+o=; b=e+3HvQXzbC6+OzrHGujW9T0rnpjVQxsocUg/SOT+2TmLVpABzYVOzICJfSL4E87/f1evIuSo7QJ85G1i4qtfsWjJHlZoxEqIF+5zeCuEAuQddt3TqnFLys618YYYC1MntimHeOgEirq3iPFNAam6Ohf7gGvFzQTbelInDN+PXTAVtSkcv/Nko/0egOk0Ualut8Sz9cfcWelvIiZdU3+C/4RLK7LxBGtPbVFxQsHVDiDPxJ6vQKEfVgt0T5jxNLWh
Received: from localhost ([IPv6:2001:470:1f07:1126::78:696d:6170]) by imap.iecc.com ([IPv6:2001:470:1f07:1126::78:696d:6170]) with ESMTP via TCP6; 28 Feb 2019 02:26:02 -0000
Date: 27 Feb 2019 21:26:01 -0500
Message-ID: <alpine.OSX.2.21.1902272123390.3497@ary.local>
From: "John R Levine" <johnl@taugh.com>
Reply-To: dbound@ietf.org
To: "Stephen Farrell" <stephen.farrell@cs.tcd.ie>
Cc: dbound@ietf.org, art@ietf.org, dnsop@ietf.org
In-Reply-To: <7af62833-8ec7-df92-9241-1f8ce92b0d9a@cs.tcd.ie>
References: <20190228020332.D2112200F6CEC9@ary.local> <7af62833-8ec7-df92-9241-1f8ce92b0d9a@cs.tcd.ie>
User-Agent: Alpine 2.21 (OSX 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII; format=flowed
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/8sP0NL_VtgYAh8HgZtSr1S60hHM>
Subject: Re: [DNSOP] [dbound] [art]  Related Domains By DNS (RDBD) Draft
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Feb 2019 02:26:07 -0000

On Thu, 28 Feb 2019, Stephen Farrell wrote:
>> bar.org._same.foo.com. SAME .	; yes, we're a primary for whatever name that was
>> _same.bar.org. SAME foo.com. ; yes, we're secondary for foo.com.

> Yep, that could work. I still prefer the design in our
> -00 though (sorry:-) as in your scheme here foo.com's zone
> will have to change with every change in a linkage whereas
> in the -00 design, changes are only needed in each of the
> bar.org zones that actually do change. (I think the counter
> to that might relate to difficulty in synchronising changes
> to keys/selectors in our -00 design which can have unexpected
> effects as we saw in the case of DKIM and a particular mail
> corpus leak in 2016;-).

Sure, but pick your poison.  With your scheme you need a mutant DKIM 
signer at the primary and a way to send the result to the secondary.  With 
mine, you just add a record.  I realize that one or the other may be 
easier depending on where an organization's processes are broken but it's 
not obvious to me that the more complex design has an easier process.

Regards,
John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly


From nobody Thu Feb 28 07:13:15 2019
Return-Path: <peter.van.dijk@powerdns.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6ED1B130EBE for <dnsop@ietfa.amsl.com>; Thu, 28 Feb 2019 07:13:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level: 
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FGtcmh6uf1SJ for <dnsop@ietfa.amsl.com>; Thu, 28 Feb 2019 07:13:12 -0800 (PST)
Received: from mx4.open-xchange.com (alcatraz.open-xchange.com [87.191.39.187]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C5DE5130EB4 for <dnsop@ietf.org>; Thu, 28 Feb 2019 07:13:11 -0800 (PST)
Received: from open-xchange.com (imap.open-xchange.com [10.20.30.10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx4.open-xchange.com (Postfix) with ESMTPS id 7F6E06A306; Thu, 28 Feb 2019 16:13:09 +0100 (CET)
Received: from [192.168.0.17] (095-096-086-198.static.chello.nl [95.96.86.198]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by open-xchange.com (Postfix) with ESMTPSA id 6519C3C035C; Thu, 28 Feb 2019 16:13:09 +0100 (CET)
From: "Peter van Dijk" <peter.van.dijk@powerdns.com>
To: dnsop@ietf.org
Date: Thu, 28 Feb 2019 16:13:15 +0100
X-Mailer: MailMate (1.12.4r5594)
Message-ID: <D48A348E-A4C0-470F-BE55-B9441AF8F5ED@powerdns.com>
In-Reply-To: <155008617010.9548.7174990317415826094.idtracker@ietfa.amsl.com>
References: <155008617010.9548.7174990317415826094.idtracker@ietfa.amsl.com>
MIME-Version: 1.0
Content-Type: text/plain; format=flowed; markup=markdown
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/qEWMyijxcSNzW4LZgV2QH1Cxxf8>
Subject: Re: [DNSOP] Last Call: <draft-ietf-dnsop-algorithm-update-05.txt> (Algorithm Implementation Requirements and Usage Guidance for DNSSEC) to Proposed Standard
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Feb 2019 15:13:14 -0000

On 13 Feb 2019, at 20:29, The IESG wrote:

> The IESG has received a request from the Domain Name System Operations WG
> (dnsop) to consider the following document: - 'Algorithm Implementation
> Requirements and Usage Guidance for DNSSEC'
>   <draft-ietf-dnsop-algorithm-update-05.txt> as Proposed Standard
>
> The IESG plans to make a decision in the next few weeks, and solicits final
> comments on this action. Please send substantive comments to the
> ietf@ietf.org mailing lists by 2019-02-27. Exceptionally, comments may be
> sent to iesg@ietf.org instead. In either case, please retain the beginning of
> the Subject line to allow automated sorting.

As this pertains to a section that will apparently be removed for 
publication, only posting it here on dnsop@ for historical reasons:

PowerDNS has removed all GOST support as of version 4.2, which is due to 
be released any day now, so please change that cell in section 6.1 to N.

Kind regards,
-- 
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/


From pjp@centroid.eu  Wed Feb 27 00:21:58 2019
Return-Path: <pjp@centroid.eu>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 034A7130E8A for <dnsop@ietfa.amsl.com>; Wed, 27 Feb 2019 00:21:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level: 
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eWYQ5U0Hl0Un for <dnsop@ietfa.amsl.com>; Wed, 27 Feb 2019 00:21:55 -0800 (PST)
Received: from omega.virgostar.net (omega.virgostar.net [108.61.211.139]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 38BCE130E7C for <dnsop@ietf.org>; Wed, 27 Feb 2019 00:21:54 -0800 (PST)
Received: from mercury.centroid.eu (p57B47964.dip0.t-ipconnect.de [87.180.121.100]) by mail.solarscale.de (OpenSMTPD) with ESMTPSA id 7a04c9d7 (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256:NO) for <dnsop@ietf.org>; Wed, 27 Feb 2019 09:21:50 +0100 (CET)
Received: from beta.centroid.eu (beta.internal.centroid.eu [192.168.177.2]) by mercury.centroid.eu (OpenSMTPD) with ESMTPSA id 7e1806c9 (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256:NO) for <dnsop@ietf.org>; Wed, 27 Feb 2019 09:21:46 +0100 (CET)
To: dnsop@ietf.org
From: "Peter J. Philipp" <pjp@centroid.eu>
Message-ID: <8c4249e4-8deb-c653-83d1-b97fd4d80786@centroid.eu>
Date: Wed, 27 Feb 2019 09:21:46 +0100
User-Agent: Mozilla/5.0 (X11; OpenBSD amd64; rv:60.0) Gecko/20100101 Thunderbird/60.5.0
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
Content-Language: en-GB
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/eW6Q3SJWms15us1ANYUZ2AD_8to>
X-Mailman-Approved-At: Thu, 28 Feb 2019 08:52:21 -0800
Subject: [DNSOP] RFC 2845bis draft
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Feb 2019 08:24:32 -0000

Hi,

I'm in contact with the original RFC 2845 authors for clarifications on
what is meant in section 4.4 for the meaning of "Prior MAC (running)".
In the bis draft this is in section 6.4 and seems unchanged.  I'm having
a hard time understanding this as an implementor, this is an area that
needs clarification I believe.

Would you like to see any results that I glean from the authors so that 
this can be put on the bis draft?

Best Regards,

-peter


From nobody Thu Feb 28 08:52:27 2019
Return-Path: <pjp@centroid.eu>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D147A130E6B for <dnsop@ietfa.amsl.com>; Thu, 28 Feb 2019 01:12:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lg-HJrCXxe2e for <dnsop@ietfa.amsl.com>; Thu, 28 Feb 2019 01:12:34 -0800 (PST)
Received: from omega.virgostar.net (omega.virgostar.net [108.61.211.139]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5672D130E25 for <dnsop@ietf.org>; Thu, 28 Feb 2019 01:12:34 -0800 (PST)
Received: from mercury.centroid.eu (p57B47815.dip0.t-ipconnect.de [87.180.120.21]) by mail.solarscale.de (OpenSMTPD) with ESMTPSA id d2717c97 (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256:NO) for <dnsop@ietf.org>; Thu, 28 Feb 2019 10:12:30 +0100 (CET)
Received: from beta.centroid.eu (beta.internal.centroid.eu [192.168.177.2]) by mercury.centroid.eu (OpenSMTPD) with ESMTPSA id cffde957 (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256:NO) for <dnsop@ietf.org>; Thu, 28 Feb 2019 10:12:26 +0100 (CET)
From: "Peter J. Philipp" <pjp@centroid.eu>
To: dnsop@ietf.org
References: <8c4249e4-8deb-c653-83d1-b97fd4d80786@centroid.eu>
Message-ID: <03b59d3b-1705-1b70-aaab-8b769097819f@centroid.eu>
Date: Thu, 28 Feb 2019 10:12:25 +0100
User-Agent: Mozilla/5.0 (X11; OpenBSD amd64; rv:60.0) Gecko/20100101 Thunderbird/60.5.0
MIME-Version: 1.0
In-Reply-To: <8c4249e4-8deb-c653-83d1-b97fd4d80786@centroid.eu>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
Content-Language: en-GB
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/hPZVrLBgqVncrTyFAHDlW7eJEUY>
X-Mailman-Approved-At: Thu, 28 Feb 2019 08:52:21 -0800
Subject: Re: [DNSOP] RFC 2845bis draft
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Feb 2019 09:12:37 -0000

Hi again,

Well I ended up fixing it myself yesterday through a lot of trial and
error and finally understanding the RFC.  I recommend the following
change to make it easier for future implementors in the 2845bis draft:

Section 6.4 says:

The first envelope is processed as a standard answer, and subsequent 
messages have the following digest components:

I would rewrite that as:

The first envelope is processed as a standard answer (see section 6.2), 
and subsequent messages have the following digest components:

With the referral to section 6.2, a hasty eye can catch what a "standard
answer" is and assumptions are left out.

BTW I'm working with this draft document:

https://datatracker.ietf.org/doc/draft-ietf-dnsop-rfc2845bis/?include_text=1

Best Regards,

-peter


On 2/27/19 9:21 AM, Peter J. Philipp wrote:
> Hi,
>
> I'm in contact with the original RFC 2845 authors for clarifications
> on what is meant in section 4.4 for the meaning of "Prior MAC
> (running)".  In the bis draft this is in section 6.4 and seems
> unchanged.  I'm having a hard time understanding this as an
> implementor, this is an area that needs clarification I believe.
>
> Would you like to see any results that I glean from the authors so 
> that this can be put on the bis draft?
>
> Best Regards,
>
> -peter
>
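
The digest layout discussed in this message, as an added example (not code from the draft, its authors or the poster): the first envelope is hashed as a standard answer (request MAC, DNS message, TSIG variables), later ones as prior MAC, any unsigned messages since the last TSIG, the current message and the TSIG timers. The class and function names, key name and sample envelopes are constructed, and the 2-octet length prefix on the prior MAC is an assumption.

```python
import hashlib
import hmac
import struct


def encode_name(name):
    """Uncompressed, lower-cased wire form of a domain name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def tsig_timers(time_signed, fudge):
    """TSIG Timers: 48-bit Time Signed followed by 16-bit Fudge."""
    return time_signed.to_bytes(6, "big") + struct.pack("!H", fudge)


def tsig_variables(key_name, algorithm, time_signed, fudge, error=0, other=b""):
    """TSIG Variables of a standard answer: NAME, CLASS ANY, TTL 0,
    Algorithm Name, Time Signed, Fudge, Error, Other Len, Other Data."""
    return (encode_name(key_name) + struct.pack("!HI", 255, 0)
            + encode_name(algorithm) + tsig_timers(time_signed, fudge)
            + struct.pack("!HH", error, len(other)) + other)


class TsigStream:
    """Running TSIG state for one side of a multi-envelope TCP response.

    Every `message` is the DNS message as it was before the TSIG RR was
    appended and ARCOUNT incremented.
    """

    def __init__(self, key, key_name, request_mac, algorithm="hmac-sha256."):
        self.key, self.key_name, self.algorithm = key, key_name, algorithm
        self.prior_mac = request_mac  # the request MAC seeds the first envelope
        self.first = True
        self.unsigned = []            # envelopes seen since the last TSIG

    def _mac(self, message, time_signed, fudge):
        # Assumption: the prior MAC is fed with its 2-octet length prefix,
        # the same way a request MAC is.
        prefix = struct.pack("!H", len(self.prior_mac)) + self.prior_mac
        h = hmac.new(self.key, prefix, hashlib.sha256)
        for earlier in self.unsigned:
            h.update(earlier)
        h.update(message)
        if self.first:   # standard answer: full TSIG variables
            h.update(tsig_variables(self.key_name, self.algorithm,
                                    time_signed, fudge))
        else:            # subsequent envelope: timers only
            h.update(tsig_timers(time_signed, fudge))
        return h.digest()

    def _commit(self, mac):
        self.prior_mac, self.first, self.unsigned = mac, False, []

    def pass_unsigned(self, message):
        if self.first:
            raise ValueError("the first envelope must carry a TSIG")
        self.unsigned.append(message)

    def sign(self, message, time_signed, fudge=300):
        mac = self._mac(message, time_signed, fudge)
        self._commit(mac)
        return mac

    def verify(self, message, time_signed, fudge, mac):
        ok = hmac.compare_digest(self._mac(message, time_signed, fudge), mac)
        if ok:           # state only advances on a valid MAC
            self._commit(mac)
        return ok


def demo():
    # Constructed sample data: opaque stand-ins for DNS wire messages.
    key, name = b"constructed-shared-secret", "transfer-key.example."
    request_mac = hmac.new(key, b"constructed request", hashlib.sha256).digest()
    env = [b"envelope-1: SOA + records", b"envelope-2: records",
           b"envelope-3: records + SOA"]
    t = 1551345145  # constructed Time Signed

    server = TsigStream(key, name, request_mac)
    mac1 = server.sign(env[0], t)
    server.pass_unsigned(env[1])
    mac3 = server.sign(env[2], t + 1)

    client = TsigStream(key, name, request_mac)
    in_order = [client.verify(env[0], t, 300, mac1)]
    client.pass_unsigned(env[1])
    in_order.append(client.verify(env[2], t + 1, 300, mac3))

    # Failure mode 1: the unsigned envelope never reaches the digest.
    lossy = TsigStream(key, name, request_mac)
    lossy.verify(env[0], t, 300, mac1)
    dropped = lossy.verify(env[2], t + 1, 300, mac3)

    # Failure mode 2: a later envelope is checked as a standard answer.
    fresh = TsigStream(key, name, request_mac)
    as_answer = fresh.verify(env[2], t + 1, 300, mac3)

    return {"in_order": in_order, "unsigned_dropped": dropped,
            "treated_as_standard_answer": as_answer,
            "mac1": mac1, "mac3": mac3}


if __name__ == "__main__":
    print(demo())
```
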


From nobody Thu Feb 28 10:32:20 2019
Return-Path: <olafur@cloudflare.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AD42B130F8E for <dnsop@ietfa.amsl.com>; Thu, 28 Feb 2019 10:32:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.021
X-Spam-Level: 
X-Spam-Status: No, score=-1.021 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FROM_EXCESS_BASE64=0.979, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cloudflare.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3BDhb059CP33 for <dnsop@ietfa.amsl.com>; Thu, 28 Feb 2019 10:32:16 -0800 (PST)
Received: from mail-wm1-x32d.google.com (mail-wm1-x32d.google.com [IPv6:2a00:1450:4864:20::32d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2E25A130F86 for <dnsop@ietf.org>; Thu, 28 Feb 2019 10:32:16 -0800 (PST)
Received: by mail-wm1-x32d.google.com with SMTP id m1so10251010wml.2 for <dnsop@ietf.org>; Thu, 28 Feb 2019 10:32:16 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cloudflare.com; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=LN9ruzbospQSxRgBaXYxetR1TmOubsM9SOQUpzh09Bc=; b=eFJSZFih6Z/Jmm3Izh3ZxrywGaJTKGyyKWVL6dSpbju8sDwzVk2A9PfnyTbSj0LPQz 78pvaKr2VezIffDyVQlHn2q8xY44d8gza6R0ghoFNVrQVBeKVlv81yGcmMyMeE54t+Pd /JUUIJxEwRyqHvisP9Q5haKQrsVpbDtGnPbUk=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=LN9ruzbospQSxRgBaXYxetR1TmOubsM9SOQUpzh09Bc=; b=jm+0aMpayNV3vZ9bUXpjiKDpW+SthMcNHTNKsuyrFdnthLEFd1uo2tH06ShgV6v8lG 5ciDcPqgp4YJLF771CxhlETsoIR+32hyCjfNFUFw5SuZ6UIdqrifJhKGiMQH6IQ+gycT DqPl4lEv8PD0oBBTv8UseVPzl+2U+0gWi7TQbppAeh8noVHGaI7x7jhZNSfgKrHr+eK6 Bqht2WZPQQJr5z+ruYUBgb4xZLFnc0Kqyz3Zw/FyVRcarZi+JqwmWsGiyWUxAjAL6CBw QETYJVFMag6KEnC97DHFNBeFaazwErnxIHb9cREE+SJlPfWBXljZ4CheEYDwuOLUnmxL +bwQ==
X-Gm-Message-State: AHQUAuYSDPArRSi+boFpcgb4TSVCgly1J2UejHEnWehqyezAU4HZzMbk VOg7ypi476fudK4vkUulMeZaqJaYxTSzS2j+6KXYA6gpYBQ=
X-Google-Smtp-Source: APXvYqwk+pQAGJeXWe7iaIisWEqZZGZLX5z9Xmn5DSC3zYamzAKRxkUQPuAJ/EEvM5zSxVVybXCSsrreloBoYtZFRXU=
X-Received: by 2002:a1c:98c9:: with SMTP id a192mr747927wme.114.1551378734384;  Thu, 28 Feb 2019 10:32:14 -0800 (PST)
MIME-Version: 1.0
References: <8c4249e4-8deb-c653-83d1-b97fd4d80786@centroid.eu> <03b59d3b-1705-1b70-aaab-8b769097819f@centroid.eu>
In-Reply-To: <03b59d3b-1705-1b70-aaab-8b769097819f@centroid.eu>
From: =?UTF-8?B?w5NsYWZ1ciBHdcOwbXVuZHNzb24=?= <olafur@cloudflare.com>
Date: Thu, 28 Feb 2019 10:32:03 -0800
Message-ID: <CAN6NTqzUwxujpyobXkeFUuw2H0G4o8NOs1tFdxi6nja23LJ=DA@mail.gmail.com>
To: "Peter J. Philipp" <pjp@centroid.eu>
Cc: dnsop <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000006039eb0582f882ce"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/VkdeqbmgLJ15aJaHe5Vt4MJqW5I>
Subject: Re: [DNSOP] RFC 2845bis draft
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Feb 2019 18:32:19 -0000

--0000000000006039eb0582f882ce
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

I think this is a good clarification
Olafur


On Thu, Feb 28, 2019 at 8:53 AM Peter J. Philipp <pjp@centroid.eu> wrote:

> Hi again,
>
> Well I ended up fixing it myself yesterday through a lot of trial and
> error and finally understanding the RFC.  I recommend the following
> change to make it easier for future implementors in the 2845bis draft:
>
> Section 6.4 says:
>
> The first envelope is processed as a standard answer, and subsequent
> messages have the following digest components:
>
> I would rewrite that as:
>
> The first envelope is processed as a standard answer (see section 6.2),
> and subsequent messages have the following digest components:
>
> With the referral to section 6.2, a hasty eye can catch what a "standard
> answer" is and assumptions are left out.
>
> BTW I'm working with this draft document:
>
>
> https://datatracker.ietf.org/doc/draft-ietf-dnsop-rfc2845bis/?include_text=1
>
> Best Regards,
>
> -peter
>
>
> On 2/27/19 9:21 AM, Peter J. Philipp wrote:
> > Hi,
> >
> > I'm in contact with the original RFC 2845 authors for clarifications
> > on what is meant in section 4.4 for the meaning of "Prior MAC
> > (running)".  In the bis draft this is in section 6.4 and seems
> > unchanged.  I'm having a hard time understanding this as an
> > implementor, this is an area that needs clarification I believe.
> >
> > Would you like to see any results that I glean from the authors so
> > that this can be put on the bis draft?
> >
> > Best Regards,
> >
> > -peter
> >
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>


-- 
Ólafur Gudmundsson | Engineering Director
www.cloudflare.com blog.cloudflare.com

--0000000000006039eb0582f882ce--


From nobody Thu Feb 28 14:03:07 2019
Return-Path: <bew.stds@gmail.com>
X-Original-To: dnsop@ietf.org
Delivered-To: dnsop@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 31F96128AFB; Thu, 28 Feb 2019 14:02:51 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Brian Weis <bew.stds@gmail.com>
To: <secdir@ietf.org>
Cc: draft-ietf-dnsop-algorithm-update.all@ietf.org, dnsop@ietf.org, iesg@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.92.1
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <155139137116.28679.2329019149187176312@ietfa.amsl.com>
Date: Thu, 28 Feb 2019 14:02:51 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/1JnetD_Ls83RJyTWvGmPBcUJgq0>
Subject: [DNSOP] Secdir last call review of draft-ietf-dnsop-algorithm-update-06
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Feb 2019 22:02:52 -0000

Reviewer: Brian Weis
Review result: Ready

I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG. These comments
were written primarily for the benefit of the security area directors. Document
editors and WG chairs should treat these comments just like any other last call
comments.

This document specifies updated DNSSEC algorithm recommendations. It includes
updates on DNSKEY, DS and CDS algorithms. The recommendations are similar to
the methodology defined for IPSec algorithm recommendations, which have been
useful to implementors and users.

The actual algorithm recommendations (MUST, RECOMMENDED, NOT RECOMMENDED, MAY,
MUST NOT) are in line with current general algorithm guidance, and match the
goals set forth in the document. I make no further comment on them as the
details of the recommendations are likely to have been finely honed through
debate within the working group.

I believe the document is ready to publish.

