From 0c90fea7d3d8030cba491240dbe9584721ff6573 Mon Sep 17 00:00:00 2001 From: Remi Gacogne Date: Mon, 6 Sep 2021 18:12:28 +0200 Subject: [PATCH] dnsdist: Add more outgoing DoH documentation --- pdns/dnsdistdist/docs/advanced/tuning.rst | 7 ++-- .../docs/guides/dns-over-https.rst | 28 +++++++++++---- pdns/dnsdistdist/docs/guides/dns-over-tls.rst | 4 +++ .../docs/imgs/DNSDistOutgoingDoH.png | Bin 0 -> 48514 bytes pdns/dnsdistdist/docs/install.rst | 6 +++- pdns/dnsdistdist/docs/running.rst | 33 +++++++++--------- 6 files changed, 53 insertions(+), 25 deletions(-) create mode 100644 pdns/dnsdistdist/docs/imgs/DNSDistOutgoingDoH.png diff --git a/pdns/dnsdistdist/docs/advanced/tuning.rst b/pdns/dnsdistdist/docs/advanced/tuning.rst index c59fc46874..6d85961bf4 100644 --- a/pdns/dnsdistdist/docs/advanced/tuning.rst +++ b/pdns/dnsdistdist/docs/advanced/tuning.rst @@ -13,8 +13,8 @@ First, a few words about :program:`dnsdist` architecture: * One or more webserver threads handle queries to the internal webserver, plus one thread per HTTP connection * A SNMP thread handles SNMP operations, when enabled. -UDP and DNS over HTTPS ------------------------ +UDP and incoming DNS over HTTPS +------------------------------- .. figure:: ../imgs/DNSDistUDP.png :align: center @@ -76,6 +76,9 @@ Outgoing DoH Starting with 1.7.0, dnsdist supports communicating with the backend using DNS over HTTPS. The incoming queries, after the processing of rules if any, are passed to one of the DoH workers over a pipe. The DoH worker handles the communication with the backend, retrieves the response, and either responds directly to the client (queries coming over UDP) or pass it back over a pipe to the initial thread (queries coming over TCP, DoT or DoH). The number of outgoing DoH worker threads can be configured using :func:`setOutgoingDoHWorkerThreads`. +.. figure:: ../imgs/DNSDistOutgoingDoH.png + :align: center + :alt: DNSDist outgoing DoH design TCP and DNS over TLS -------------------- 
diff --git a/pdns/dnsdistdist/docs/guides/dns-over-https.rst b/pdns/dnsdistdist/docs/guides/dns-over-https.rst index 1feefa9997..78be8b0e31 100644 --- a/pdns/dnsdistdist/docs/guides/dns-over-https.rst +++ b/pdns/dnsdistdist/docs/guides/dns-over-https.rst @@ -1,9 +1,12 @@ DNS-over-HTTPS (DoH) ==================== -:program:`dnsdist` supports DNS-over-HTTPS (DoH, standardized in RFC 8484). +:program:`dnsdist` supports DNS-over-HTTPS (DoH, standardized in RFC 8484) for incoming queries since 1.4.0, and for outgoing queries since 1.7.0. To see if the installation supports this, run ``dnsdist --version``. -If the output shows ``dns-over-https(DOH)``, DNS-over-HTTPS is supported. +If the output shows ``dns-over-https(DOH)``, incoming DNS-over-HTTPS is supported. If ``outgoing-dns-over-https(nghttp2)`` shows up then outgoing DNS-over-HTTPS is supported. + +Incoming +-------- Adding a listen port for DNS-over-HTTPS can be done with the :func:`addDOHLocal` function, e.g.:: @@ -33,7 +36,7 @@ A particular attention should be taken to the permissions of the certificate and More information about sessions management can also be found in :doc:`../advanced/tls-sessions-management`. Custom responses ----------------- +^^^^^^^^^^^^^^^^ It is also possible to set HTTP response rules to intercept HTTP queries early, before the DNS payload, if any, has been processed, to send custom responses including error pages, redirects or even serve static content. First a rule needs to be defined using :func:`newDOHResponseMapEntry`, then a set of rules can be applied to a DoH frontend via :meth:`DOHFrontend:setResponsesMap`. For example, to send an HTTP redirect to queries asking for ``/rfc``, the following configuration can be used:: 
@@ -43,7 +46,7 @@ For example, to send an HTTP redirect to queries asking for ``/rfc``, the follow dohFE:setResponsesMap(map) DNS over HTTP -------------- +^^^^^^^^^^^^^ In case you want to run DNS-over-HTTPS behind a reverse proxy you probably don't want to encrypt your traffic between reverse proxy and dnsdist. To let dnsdist listen for DoH queries over HTTP on localhost at port 8053 add one of the following to your config:: @@ -52,7 +55,7 @@ To let dnsdist listen for DoH queries over HTTP on localhost at port 8053 add on addDOHLocal("127.0.0.1:8053", nil, nil, "/", { reusePort=true }) Internal design ---------------- +^^^^^^^^^^^^^^^ The internal design used for DoH handling uses two threads per :func:`addDOHLocal` directive. The first thread will handle the HTTP/2 communication with the client and pass the received DNS queries to a second thread which will apply the rules and pass the query to a backend, over **UDP** (except if the backend is TCP-only, or uses DNS over TLS, see the second schema below). The response will be received by the regular UDP response handler for that backend and passed back to the first thread. That allows the first thread to be low-latency dealing with TLS and HTTP/2 only and never blocking. @@ -68,7 +71,7 @@ Since 1.7.0, truncated answers received over UDP for a DoH query will lead to a :alt: DNSDist DoH design since 1.7 Investigating issues --------------------- +^^^^^^^^^^^^^^^^^^^^ dnsdist provides a lot of counters to investigate issues: 
@@ -81,3 +84,16 @@ Outgoing Support for securing the exchanges between dnsdist and the backend will be implemented in 1.7.0, and will lead to all queries, regardless of whether they were initially received by dnsdist over UDP, TCP, DoT or DoH, being forwarded over a secure DNS over HTTPS channel. That support can be enabled via the ``dohPath`` parameter of the :func:`newServer` command. Additional parameters control the TLS provider used (``tls``), the validation of the certificate presented by the backend (``caStore``, ``validateCertificates``), the actual TLS ciphers used (``ciphers``, ``ciphersTLS13``) and the SNI value sent (``subjectName``). + + newServer({address="[2001:DB8::1]:443", tls="openssl", subjectName="doh.powerdns.com", dohPath="/dns-query", validateCertificates=true}) + + +Internal design +^^^^^^^^^^^^^^^ + +The incoming queries, after the processing of rules if any, are passed to one of the DoH workers over a pipe. The DoH worker handles the communication with the backend, retrieves the response, and either responds directly to the client (queries coming over UDP) or pass it back over a pipe to the initial thread (queries coming over TCP, DoT or DoH). +The number of outgoing DoH worker threads can be configured using :func:`setOutgoingDoHWorkerThreads`. + +.. figure:: ../imgs/DNSDistOutgoingDoH.png + :align: center + :alt: DNSDist outgoing DoH design diff --git a/pdns/dnsdistdist/docs/guides/dns-over-tls.rst b/pdns/dnsdistdist/docs/guides/dns-over-tls.rst index 3c964e22a3..91d95a5d22 100644 --- a/pdns/dnsdistdist/docs/guides/dns-over-tls.rst +++ b/pdns/dnsdistdist/docs/guides/dns-over-tls.rst 
@@ -30,6 +30,10 @@ Outgoing Support for securing the exchanges between dnsdist and the backend will be implemented in 1.7.0, and will lead to all queries, regardless of whether they were initially received by dnsdist over UDP, TCP, DoT or DoH, being forwarded over a secure DNS over TLS channel. That support can be enabled via the ``tls`` parameter of the :func:`newServer` command. Additional parameters control the validation of the certificate presented by the backend (``caStore``, ``validateCertificates``), the actual TLS ciphers used (``ciphers``, ``ciphersTLS13``) and the SNI value sent (``subjectName``). + + newServer({address="[2001:DB8::1]:853", tls="openssl", subjectName="dot.powerdns.com", validateCertificates=true}) + + Investigating issues -------------------- 
diff --git a/pdns/dnsdistdist/docs/imgs/DNSDistOutgoingDoH.png b/pdns/dnsdistdist/docs/imgs/DNSDistOutgoingDoH.png new file mode 100644 index 0000000000000000000000000000000000000000..7adb13effec3056011d7b0c3fef9cc2cb578bce0 GIT binary patch literal 48514
z=NA{mNcfn)?<6_A)FGezWApMwyoki53Frk3JkzFg-{5}_aeRXp5JAp2?kB)ohd*4u zcI_H&mv$YRr2O}ge9!6Lr!aaIH1UTE>Gf~p?WupH8Sa(hB`znA`YhT)j4|?{NRasN zr_?jBTq!8%_o96HpFffCo;Al>5f6&|ZGWAuK4#xhDwIVg!a3vOuiaSG1lFSlf5Q3q zPiP?4oq*ZKp>#P3nU?JUz7KOs`FGw!4jn#hi?8atlY@f;a_|ZGven-&i=lwmpMQ+l zD`CH1Oib5cO};B9BO@5~$AC{~ zWO#XYeqr>M-7C3-CWYGLnuhls>vm z5GRaoYRz5_l7j#5%@yKz@T>@0M#eBkVKXdg&&-M=GPj7p0qg#D?yan>B%`KgN(45p zzJTIw5aJ_a75?{&M!kgqfNnf~e0bZ1@bGYYC%g{)scQzTKXbD2AFJ-cB=eGsScmb@1)PQcJq{teBj z!t|(1KP&cwQRd{Oq4FZYp3Y8PtO~;8(Vjd5D+dRHRYO?D+2>w}aJ00v?iUwRv$3%u zrUtJIjg6)HvAhh4_*#B8IP%H|L*Qax1H^)%9=OFt#bGe zSW7DSeF~1_tRy5PxM`Y|#eKTiA_kZfzbq52o;I=pEL#Q)1B(~>Ka+oA%5mJE8IQi) zS;ms?+=;sMr4mx^HUPs|bRjD%i`P2~uQC_8@XGd-9zw&pqy z)Cx;~-Y3Y%_X5ZlmS!>U-HX?x!_;kPNzn3F;C_!yb1aSuo}k>EVRr3b2++P$k(|tQ z?fUhxMAc*T3=Et+JUe=Od&MLrLjiNQr^^XSpN^67`zeIyS`a*KUR>RVr_qs7Q7X+` zT*O4kf^fSkjG7}Bz(|+d!=#}_jXzN^L9Lwq*kzvj`ufp0)xvUz4!nW`kiM&%n}UbO z<4N^;WmQ#7Kh0oehX8O=MJn^W0sMvaKoo4!c>iGLh_3Lfzst;9Z2z^&-QiY%=Vd^8 zxW$ZkU;ECHh}bL-$n(E5;3cshlZsVpzcdwXUIcb*!~daDW5UgwD)8d5|2#SU?K5zz zEAxZFeX+*xT9Z!u`T4cjig&ps_5)9t?^5HyOPQpu%-^4sQa03tRm-~YF4y()<@&L< zWR+%4$$xQ(x5GXSh%PrbcNJT4ZewHPePDZl(bar?pG`^$926F&L_Ia2>1&L~xe}tV z{Sqt?&op7?!RJ-fxFj3?J#5Z?6E7=u=t#dTms^c@DL6YjuMS?Pj*E-iFCE(&6%~c* zjYG4ukMxV5?ulQ7u-uF{vpPG+f`OtQy9bZH!N1Tg*;NRmi2>5sw)xb>`upb!Y#Id~ zEF!H@1PL%01&cPODHX@Aa(e;#J=))!^%)~Ab|Mn4*% zqV$j1ulrzZnOQx)sNIV1Cs(R$myW zR*RQl@f(_&!dz%i-+%g43X^)>)_TDtpK|sNfcU$>G4X<^d;W{Nz)wY_>GX2`Ifmmi zQ)-sOWPl5byW9=O+eGUc58jir%_}D&Vxz=b0RPPSrEdA-TdOv!tE=IVP>CT9SwpNs z!@=uUAvogwwy`QdH2zIj~CqVf_ zK(M&+5x8@29=%BMf4N)b@HDKOf`LJKQ^)o{66Jui87_ZK6kdTn$57q+*4s0m;@xr)CfQ)t>3Rgdc zL<#6P-YW!diW@nLi;K$5T)y1@dxwj?Sla@i&2jW2-pB&;9m9I3zYlN?o|MC59;RYF z9t;l8w;^4;q?X^fim9M9d^GHzgLJ)>hFAbl`m)?O(3z;wQQIo^o1>zfoZA2yGqPO| z=fO<@ltstdB{MTKF#6`+qB9GFFSmDfg*)!}_e$aRat`gRLYB4WBF!u^UP6%1xsz@5 z-hL^yA!TJ_Q)%9xsR1PBWk&~fjqmcc^mO*VzP|a98}h*2lsyh-vNZqmj(pRg^=}XG zn&tjU=HTF9lgf)Jcj@9Yahn4IEj`df}08tPNgX~@6QLf${L!OAOvqGMO8dlFx

jay$J6R@q(%m1G8+7&~S2!0w(Nk%ImAtDo#zyFN3I5>#Z~&9~p#rk>B89cQUfF42F)Q z9+AC$Zf2GqWtGP_I&9IO{!knhtC(#FVGqSO@zz}2Ag!!Cg4g}vg)?6&FRAP3FtNoy zJgt`tLrp2gp*mrQ72dvZHRzFgK~@%4g>NH5`Ptc75pnkSL=FxPJ4i_ZDf7Gm#0)@| z#M08z|3{Y^WU^O5TT2{x|7}~cC@^b!cKJXd=>vL2xfg*slv#t%w0?m+HX=3|uTk&o0^z`;>$fi9^@Mna z;O}3p*shjMwsYss|JUA?heO?d{ZUGxWe8yxb6YBFe2qhu>2OR|(DhE$f&2-&xhc+a8VuRq>D-uK`4x?We?HFAHy_j1npock;v zT1d$2sj=Sn-d=>c_x|O#7;|GLhdMCL=DuDi{qEg8uE$ANhu`j_R0QBzFv@srmc7~4 z%?)>;VAmN($313d5*ivBj;#gxNgcapn|xa)YYm%y9kvxO#X)TsTo62T z=n%5}Vas7lOH1xn?B#mkK&4newoU@vU)azf0;By=IX&>h^yJBi*}l(zwU&ZoMj!x^ z_3G+i7%}$>APIPDk4Os;ebAciSYclB`ZYZ@ zRo~T|v2b5^?k;D+tZ0XYzK0ZE^!jxAJV+YbtNb$sAv%fFr{)} z0?h700_ZC&4Zt#W3=Mq=Bp)?3ooco#sCsj2Jw}OS<>d>;3n(gGtd}#G(t}(CE-o%8 zNdpBxHe(Jk?DSm8?${Wtz@La^JI}(!Z3trnM3mA&tC@r2TQ^%yp=1Vb11()~4J7k{ zLB{yR1dAPUUCGl2Y~|(A?psM^k=|diw*biA=Gm%VP@Ld%HZ>+Z1aE1qr(q!h+|=Zv zkG5pXJQ_CJfjNU^+Xufvd1$&8A|WFf)8Rz7Z*_|})rnEAmdlm}8)%6CV~?U=EuNCvUcPb%Qc1vWn^R! z?O_xa%u8W?{VI5CyoFo5Vyz%*TVCEa@VRsi3@Rk@OA~0v6PZ=}D0JL)<1_5DjgKRG zl~^$`F%2H)Vlb@oWBfZSf7V|>3`w5|h2WoAw7(FS-tBP>G#vF?UiEf0wK709O3J|w z4i0$b+v3iNA5P5g&m-@|CUuDQFMV&8QC3bX8t7?c%@+AHz)xgOOIC#E4~q*68@1C- zDE2r7fCB5}bdH3!evU0$d+gMu@oSmJq&_vp6kOu>T ztb!?i@HjD`C?qT_XZ0bLmb#4zM)~GzfEC9XC-ro74GNkEM-)AMa&vRLYwj&X&o(Vh z8GE20^9o*FhDdTN$`%yP*C8iHB|PkNDu&03JXXy+RW5|m4jTVWdHLTkr%de;{^^XG zvyP6|V8Y1L=LTBxyREK|JU+@>Z?8 z;UP65abFB5Q{->Q+_|^0Y7a+E47HFoAoFY^<`?_%t-#(egA)_jh)PmYa*JclI?OoN z)zwAI2~voi@WG=;c21-b$+@_`sJQszc;87MF-2m7x^c`68pRGQFS9NURFaL2%`rw< zUeAlefBx~u7QpP-N9a*@%ij6oNWU8^qzlHMBqSt|mE$A4s~^V3n)y@xDjrXLM1oH+ zhAk~EWb-A-imla19bEsA$|^d2VBk~kLTBgi{D~6Y4enN#v@9$>^J|k|IHdzvyyCk# zIrBpMUc9;no4s1o)sd@{&K!}-fRnvMK)|z0i3KpBu+?{V6E|8GsZ4bo9OMrt?7F#L zF9f;GkP8l=-vTn3jImH`84$kF2wMm028$z8wPP)P5e6)Y>vgd+KVYt6yy32?IV!2` zBMBJRD=>!adG2KIDlpH;SdMfmVB@>;ZMef-{09#wnIE@b zOA-o3jb)h8U;jY(UHnc3&Be`G&JR~W~%*Dek#J}t6MEy2XFJ=Cm&iQciciw zP7VVxu*=BM86CY^Qqy(Gi%Z{&K)|t1$Lr@! 
z2?-23fm?~;yQ_YFm;#64mHqqozj^cKa#tN?n3|Or={`9q13tnQhpOmCE!Fkw7sA4- ztO?b(PptzH7D5qbID7}WM;FdjFf606aF4pW`X2e)#yQP{be+JXDTk#ne|(wvj>3f9 zp1cZ=G=9fbE^>$MkqdX}(xvK``c|W_1PhC)La_JPe?wH+gaBKE^a&Z&T7EBH>;$D4 z)c^Sf@{!qk%)ZkIEN0&n!TaLYt2#FqR#&s8eZbS3NmK;PN1D^NPHd!70Zk5$ zlm?vfBG7pNh5&LPxgYXO zf>rW^wXgv+kMij=+0KX8%=mAt+(R1G{!h7s^X;VK;^L5ix%R#u=$+-D0CZpa{KPUy z6np27S^l}X8h2Ek1HkweH#du;9r~2B6`%nokRi(gGDf$(^0RSqS;5E0hs>g&=drso z=I*z(S%WUM2EBoO%8?OOSm7|{;DSnPr@lu9WiY?1XXf@SfVX27ZBE865xULY@4SmYgjA?Af!s;HeC z^C>AQA!pHU&v6PY5AtRpJ9bu9)@1kn&_UPp~L#1G`E_A$J*7^18mzI1_vR8jh zs-k6PUd5?x7$^Hy$LP|Y7#k}Ek7a&sn6NhV^!c?p%T8;5$jYRF?$681TX(yBrHF|C zfvC+$#I32RDN=BN-PB|PUJK*+hv6xJ?W-jukbDHREO_%LxdWKr^Zom>E0s#MBgdUV z8Tq3!GR^P-*S4yv3NWgoCV&3DvQX*bswzSF>&8L(eS7yVfb(QD^Me!B1PhL6W5Ii& zjVb?QgpL5N{O%(SUu8(g@LE7owHNf)NJFEkHNeU))^nJ1Nm&`y<0Tv;>^%#c#(!8p zY5Kp#>@GBLV2O*sxJO1t=2;8Z9!SM#&;ry&4Gy0l7%9YQd7HWlGL!N6Icx)rcgk3w&UbmnYVb6R!$&Kt|6G-)CKYN*e0Haqv>DZ|S>I5=2D z>L!g=AI*HXj}kCv=W|b1Cu&Ozh$_R0WIDFwxr3G^!|3<11;Vo0Cp4OV@Ppx9lq7w; z*J+5&oUc@r(OkU$nSG_GptM$=*TsnPQ&?|KDT5QQlF|d->->(ouyu5FkR{pHmfpQ# zRJ^vf7I4Hq|56oIRZ$QU`h6nt)*YiUfc&_E$DJM7fT{L{uH8M!Hj;~siMfdxKPKiK zU%p)UIptPcOQX@8O5tUez{@bRcJzYF_Nt_W*LQ}S0^^gxc46v6dXBD+j*NL z!OYWZNz60&6RIk`*RJtCb86^ew2B!7h)GBY2nYo72R=L~-|;c;CQbiAeX=_(RUSk& zwRz6<##%9Dv#f)zt1`i9ZGet)S+bMw1 zeG^E$ct~G=rBo=5mTH*kww4s8h8L-^v2F$i{Ky(V(dsJ=IE&sO)69J9|PP z(FG1jDc(@)$&yGOjApGB#Bu>VgEt)F6B9#W>5x+#02cO?;GVG6z*PL~^Pji)Okbu@ zD0%5Q^0Kmb@m}E|Ot;bS2JGuvl#J&)um}H_lAFRv1%F57>|o;TG@q)fYR-lBtKE)@ zoN4X|CTTst^gRHeTtWJ?*Ci#$E_8Wn^g(wjj2)I*xr;KIJU5t1FMv>3ESYWFgm`#( zkYX5>=Z}Gxfg#DGu;ZAAi$z$KQDk46Gr>VY6fiOvywH;)k(femuy4#jR19_*Gw@SL zy-`w90tO!AJXqJpV924>sT~S`2gsrZ1PCvz;aOzmNA|2N%bW{5zOz5GyK~^pjFUq~ zRvvT1^X_&YyS^y-Dm^(UUyMDfTwFr2kN9wBxw_AEPB*Pca<|7^R={-A+FNj}n1|vyGIXXji19i09>Aaea;hZK0?=@nnH3Zigp}EUqyj@ub^!SD zKbhh1s-|WozIABm5r&wp$IPFPz(t_j2@{F=TmKyzR_&donwZewtjK_K13Cjx80OBH zTUgkfKFzm#_int0{g~}C7wF4z>0>`KYszw#(E2%Q)ZNol1hy4p30+ZEiWVm8*RLlE 
diff --git a/pdns/dnsdistdist/docs/install.rst b/pdns/dnsdistdist/docs/install.rst index fe299b4b13..6d3de42fbf 100644 --- a/pdns/dnsdistdist/docs/install.rst +++ b/pdns/dnsdistdist/docs/install.rst @@ -42,13 +42,17 @@ dnsdist is also available in `FreeBSD ports `_ * `Lua `_ 5.1+ or `LuaJit `_ * `Editline (libedit) `_ +* `GnuTLS `_ (optional) +* `libh2o `_ (optional) * `libsodium `_ (optional) +* `nghttp2 `_ (optional) +* `OpenSSL `_ (optional) * `protobuf `_ (optional, not needed as of 1.6.0) * `re2 `_ (optional) diff --git a/pdns/dnsdistdist/docs/running.rst b/pdns/dnsdistdist/docs/running.rst index 19d29ba983..6d753dd6e2 100644 --- a/pdns/dnsdistdist/docs/running.rst +++ b/pdns/dnsdistdist/docs/running.rst 
@@ -38,25 +38,26 @@ Initially dnsdist tried to forward a query to the backend using the same protoco Before 1.7.0, which introduced TCP fallback, that meant that there was a potential issue with very large answers and DNS over HTTPS, requiring careful configuration of the path between dnsdist and the backend. More information about that is available in the :doc:`DNS over HTTPS section `. -In addition to TCP fallback for DoH, 1.7.0 introduced two new notions: +In addition to TCP fallback for DoH, 1.7.0 introduced three new notions: * TCP-only backends, for which queries will always forwarded over a TCP connection (see the `tcpOnly` parameter of :func:`newServer`) + * DNS over HTTPS backends, for which queries are forwarded over a DNS over HTTPS connection (see the `dohPath` parameter of :func:`newServer`) * and DNS over TLS backends, for which queries are forwarded over a DNS over TLS connection (see the `tls` parameter of :func:`newServer`) To sum it up: -+--------------+--------------------+---------------------------+----------------------+ -| Incoming | Outgoing (regular) | Outgoing (TCP-only, 1.7+) | Outgoing (TLS, 1.7+) | -+==============+====================+===========================+======================+ -| UDP | UDP | TCP | TLS | -+--------------+--------------------+---------------------------+----------------------+ -| TCP | TCP | TCP | TLS | -+--------------+--------------------+---------------------------+----------------------+ -| DNSCrypt UDP | UDP | TCP | TLS | -+--------------+--------------------+---------------------------+----------------------+ -| DNSCrypt TCP | TCP | TCP | TLS | -+--------------+--------------------+---------------------------+----------------------+ -| DoT | TCP | TCP | TLS | -+--------------+--------------------+---------------------------+----------------------+ -| DoH | **UDP** | TCP | TLS | -+--------------+--------------------+---------------------------+----------------------+ 
++--------------+--------------------+---------------------------+----------------------+----------------------+ +| Incoming | Outgoing (regular) | Outgoing (TCP-only, 1.7+) | Outgoing (TLS, 1.7+) | Outgoing (DoH, 1.7+) | ++==============+====================+===========================+======================+======================+ +| UDP | UDP | TCP | TLS | DoH | ++--------------+--------------------+---------------------------+----------------------+----------------------+ +| TCP | TCP | TCP | TLS | DoH | ++--------------+--------------------+---------------------------+----------------------+----------------------+ +| DNSCrypt UDP | UDP | TCP | TLS | DoH | ++--------------+--------------------+---------------------------+----------------------+----------------------+ +| DNSCrypt TCP | TCP | TCP | TLS | DoH | ++--------------+--------------------+---------------------------+----------------------+----------------------+ +| DoT | TCP | TCP | TLS | DoH | ++--------------+--------------------+---------------------------+----------------------+----------------------+ +| DoH | **UDP** | TCP | TLS | DoH | ++--------------+--------------------+---------------------------+----------------------+----------------------+ -- 2.47.2
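Review bot: In the install.rst hunk (@@ -42,13 +42,17 @@), the four added dependencies (GnuTLS, libh2o, nghttp2, OpenSSL) are each marked only "(optional)", so the list does not tell a packager which feature is lost when one of them is left out. This patch documents DNS over TLS and DNS over HTTPS backends in running.rst, so it would help to name the feature on each line, in the same style the existing protobuf entry uses for its qualifier ("optional, not needed as of 1.6.0"), and to say whether GnuTLS and OpenSSL are alternatives or both needed.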
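Review bot: In the running.rst hunk (@@ -38,25 +38,26 @@), the new "DNS over HTTPS backends" bullet is inserted between the TCP-only and TLS bullets, while the table in the same hunk orders the outgoing columns TCP-only, TLS, DoH; put the DoH bullet last and move the leading "and" onto it so the list and the table read in the same order. While this list is being touched, the context line "queries will always forwarded over a TCP connection" is missing "be". The new bullet names only the `dohPath` parameter of newServer; if a DoH backend also requires the `tls` parameter mentioned in the next bullet, state that here so a reader does not assume `dohPath` alone is sufficient.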